Sunday, January 28, 2024

New Malware Used By SolarWinds Attackers Went Undetected For Years

 


The threat actor behind the supply chain compromise of SolarWinds has continued to expand its malware arsenal with new tools and techniques that were deployed in attacks as early as 2019, once indicative of the elusive nature of the campaigns and the adversary's ability to maintain persistent access for years.

According to cybersecurity firm CrowdStrike, which detailed the novel tactics adopted by the Nobelium hacking group last week, two sophisticated malware families were placed on victim systems — a Linux variant of GoldMax and a new implant dubbed TrailBlazer — long before the scale of the attacks came to light.

Nobelium, the Microsoft-assigned moniker for the SolarWinds intrusion in December 2020, is also tracked by the wider cybersecurity community under the names UNC2452 (FireEye), SolarStorm (Unit 42), StellarParticle (CrowdStrike), Dark Halo (Volexity), and Iron Ritual (Secureworks).

The malicious activities have since been attributed to a Russian state-sponsored actor called APT29 (also known as The Dukes and Cozy Bear), a cyber espionage operation associated with the country's Foreign Intelligence Service that's known to be active since at least 2008.

GoldMax (aka SUNSHUTTLE), which was discovered by Microsoft and FireEye (now Mandiant) in March 2021, is a Golang-based malware that acts as a command-and-control backdoor, establishing a secure connection with a remote server to execute arbitrary commands on the compromised machine.

Mandiant also pointed out that Dark Halo actors had used the malware in attacks going back to at least August 2020, or four months before SolarWinds discovered its Orion updates had been tampered with malware designed to drop post-compromise implants against thousands of its customers.

In September 2021, Kaspersky revealed details of a second variant of the GoldMax backdoor called Tomiris that was deployed against several government organizations in an unnamed CIS member state in December 2020 and January 2021.

The latest iteration is a previously undocumented but functionally identical Linux implementation of the second-stage malware that was installed in victim environments in mid-2019, predating all other identified samples built for the Windows platform to date.


Also delivered around the same timeframe was TrailBlazer, a modular backdoor that offers attackers a path to cyber espionage, while sharing commonalities with GoldMax in the way it masquerades its command-and-control (C2) traffic as legitimate Google Notifications HTTP requests.

Other uncommon channels used by the actor to facilitate the attacks include —

  • Credential hopping for obscuring lateral movement
  • Office 365 (O365) Service Principal and Application hijacking, impersonation, and manipulation, and
  • Theft of browser cookies for bypassing multi-factor authentication

Additionally, the operators carried out multiple instances of domain credential theft months apart, each time leveraging a different technique, one among them being the use of Mimikatz password stealer in-memory, from an already compromised host to ensure access for extended periods of time.

"The StellarParticle campaign, associated with the Cozy Bear adversary group, demonstrates this threat actor's extensive knowledge of Windows and Linux operating systems, Microsoft Azure, O365, and Active Directory, and their patience and covert skill set to stay undetected for months — and in some cases, years," the researchers said.

Related news
  1. Pentest Tools Windows
  2. Tools Used For Hacking
  3. Hack App
  4. Pentest Tools For Ubuntu
  5. Github Hacking Tools
  6. Hack Tools For Mac
  7. How To Hack
  8. Pentest Tools Download
  9. Hacking Tools Hardware
  10. Pentest Tools Website
  11. Pentest Tools Framework
  12. Hacking App
  13. Hacking Tools Online
  14. Pentest Tools Review
  15. Hack Tools For Mac
  16. Bluetooth Hacking Tools Kali
  17. Hacker Search Tools
  18. Hacker Tools For Windows
  19. Hacker Tools Linux
  20. Pentest Tools Linux
  21. Hacking Tools And Software
  22. Pentest Tools Android
  23. Hacking Tools Mac
  24. Hack Tools For Pc
  25. Hack And Tools
  26. Hacking Tools Usb
  27. Pentest Tools For Mac
  28. Hack Tools Download
  29. Hacker
  30. Pentest Tools Linux
  31. Hack Tool Apk No Root
  32. Hacking Tools Windows 10
  33. Hack Tools For Ubuntu
  34. Pentest Reporting Tools
  35. Kik Hack Tools
  36. Nsa Hacker Tools
  37. Hacking Tools 2020
  38. Pentest Tools List
  39. Hack And Tools
  40. Hackrf Tools
  41. Hacker Tools Software
  42. Best Hacking Tools 2019
  43. Hacking Tools Windows
  44. Pentest Reporting Tools
  45. Pentest Tools
  46. What Is Hacking Tools
  47. What Are Hacking Tools
  48. Hackrf Tools
  49. Best Pentesting Tools 2018
  50. Hacking Tools Hardware
  51. Tools For Hacker
  52. Hacker Tools For Mac
  53. How To Install Pentest Tools In Ubuntu
  54. Easy Hack Tools
  55. Pentest Tools Tcp Port Scanner
  56. Hack Tools Pc
  57. Pentest Tools Windows
  58. Hack Tools For Pc
  59. Pentest Tools List
  60. Growth Hacker Tools
  61. Blackhat Hacker Tools
  62. Hacking Tools For Windows 7
  63. Pentest Tools Port Scanner
  64. Best Hacking Tools 2019
  65. Hacking Apps
  66. Pentest Tools Online
  67. Hacker Tools List
  68. Growth Hacker Tools
  69. Best Hacking Tools 2020
  70. How To Install Pentest Tools In Ubuntu
  71. Hacking Tools For Beginners
  72. Hacker Tools 2019
  73. Hack And Tools
  74. Computer Hacker
  75. Pentest Tools Online
  76. Nsa Hack Tools
  77. Hack And Tools
  78. Hacker
  79. Pentest Tools Alternative
  80. Pentest Tools Find Subdomains
  81. Hack Apps
  82. Hacking Tools 2019
  83. New Hack Tools
  84. Nsa Hacker Tools
  85. Hacker Tool Kit
  86. Hacking Tools 2020
  87. Pentest Tools For Mac
  88. Hacker Tools Hardware
  89. Pentest Tools Windows
  90. Pentest Tools
  91. World No 1 Hacker Software
  92. Hack Apps
  93. How To Install Pentest Tools In Ubuntu
  94. Hacker Tools List
  95. Wifi Hacker Tools For Windows
  96. Hack And Tools
  97. Ethical Hacker Tools
  98. Wifi Hacker Tools For Windows
  99. Best Hacking Tools 2019
  100. Hacker Tools Online
  101. Hack Tools
  102. Pentest Tools Tcp Port Scanner
  103. Hack Tools Github
  104. Pentest Recon Tools
  105. Best Pentesting Tools 2018
  106. Hacking App
  107. Bluetooth Hacking Tools Kali
  108. Bluetooth Hacking Tools Kali
  109. Hacking Tools Software
  110. Pentest Tools Windows
  111. Free Pentest Tools For Windows
  112. Blackhat Hacker Tools
  113. Blackhat Hacker Tools
  114. Hacker Tools Linux
  115. Pentest Tools List
  116. Hacker Techniques Tools And Incident Handling
  117. Best Pentesting Tools 2018
  118. Tools Used For Hacking
  119. Nsa Hack Tools
  120. Pentest Tools Android
  121. Hacker
  122. Tools 4 Hack
  123. Hackers Toolbox
  124. Hacker Tools Online
  125. New Hacker Tools
  126. Nsa Hack Tools Download
  127. Beginner Hacker Tools
  128. Hacking App
  129. Hacking Tools 2020
  130. Hacking App
  131. Pentest Tools Framework
  132. Black Hat Hacker Tools
  133. Tools Used For Hacking
  134. Wifi Hacker Tools For Windows
  135. Pentest Tools Github
  136. Pentest Tools Free
  137. Hacking Tools Windows
  138. Hacking Tools Mac
  139. Hack Tools
  140. Tools 4 Hack
  141. Tools Used For Hacking
  142. Hacking Tools Mac
  143. Usb Pentest Tools
  144. Hack Tools 2019
  145. How To Hack
  146. Hackers Toolbox
  147. Hacker Tools 2019
  148. Hacker Tools Linux
  149. Hack Tool Apk No Root
  150. Pentest Tools Online
  151. Hacker Tools Windows
  152. Hacker Tools 2020
  153. Easy Hack Tools
  154. Hack Tools Download
  155. Best Pentesting Tools 2018
Posted by at No comments:

Water Softener for Well Water: A Comprehensive Guide

What is a Water Softener and How Does it Work?

A water softener is a device that removes hardness from water, typically by exchanging calcium and magnesium ions for sodium ions. This process, known as ion exchange, occurs within a resin bed, which is composed of small, porous beads made of a material called ion-exchange resin.

Why is a Water Softener Needed for Well Water?

Well water often contains high levels of dissolved minerals, including calcium and magnesium, which cause hardness. Hard water can create several problems, such as:

  1. Scale Buildup: Hard water can cause scale buildup in pipes, appliances, and fixtures, reducing their efficiency and lifespan.
  2. Soap Scum: Hard water can make it difficult to create a lather with soap, resulting in soap scum buildup on surfaces.
  3. Dry Skin and Hair: Hard water can strip away natural oils from skin and hair, leading to dryness and irritation.
  4. Reduced Detergent Effectiveness: Hard water can reduce the effectiveness of detergents, making it harder to clean clothes and dishes.
How to Choose the Right Water Softener for Well Water:
  1. Water Hardness Level: The first step in choosing a water softener is to determine the hardness level of your well water. There are several ways to do this, including purchasing a water test kit or sending a sample of your water to a laboratory for analysis.
  2. Flow Rate: Consider the flow rate of your well water system when selecting a water softener. The flow rate is measured in gallons per minute (GPM) and determines the size of the water softener you need.
  3. Grain Capacity: The grain capacity of a water softener refers to its ability to remove hardness from water. The grain capacity is measured in kilograins (KGR) and determines how much hardness the water softener can remove before it needs to be regenerated.
  4. Type of Water Softener: There are two main types of water softeners: salt-based and salt-free. Salt-based water softeners use a process called ion exchange to remove hardness from water, while salt-free water softeners use a different process, such as template-assisted crystallization.
  5. Brand and Reputation: Consider the brand and reputation of the water softener manufacturer when making a purchase. Look for brands that are known for their quality, reliability, and customer service.
How to Install and Maintain a Water Softener for Well Water:
  1. Proper Installation: It is important to have a water softener installed by a qualified professional. Improper installation can lead to leaks, damage to the water softener, or ineffective water softening.
  2. Regular Regeneration: Water softeners need to be regenerated regularly to maintain their effectiveness. The frequency of regeneration depends on the hardness of your water and the size of the water softener.
  3. Salt Replenishment: Salt-based water softeners require regular replenishment of the salt supply. The frequency of replenishment depends on the hardness of your water and the size of the water softener.
  4. Maintenance: Water softeners should be inspected and maintained regularly to ensure proper operation and longevity. This may include cleaning the resin bed, checking for leaks, and replacing any worn or damaged parts.
Benefits of Using a Water Softener for Well Water:
  1. Improved Water Quality: Treated water has a reduced mineral content, improving the taste, smell, and appearance of the water.
  2. Reduced Scale Buildup: This can save you money by extending the lifespan of your appliances.
  3. Softer Skin and Hair: Softened water can help to improve the health of your skin and hair.
  4. More Effective Laundry and Dishwashing: Softened water can improve the performance of detergents and soaps.
  5. Increased Energy Efficiency: Softened water can help to improve the efficiency of water heaters and other appliances that use water.
Conclusion:

A water softener can be a valuable investment for well water users, providing numerous benefits and improving overall water quality. By choosing the right water softener and properly installing and maintaining it, you can enjoy the advantages of softened water throughout your home.

--
You received this message because you are subscribed to the Google Groups "Broadcaster" group.
To unsubscribe from this group and stop receiving emails from it, send an email to broadcaster-news+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/broadcaster-news/9aa09de1-81fa-4c7e-ad67-17431e4b7165n%40googlegroups.com.
Posted by at No comments:

Hashdb-Ida - HashDB API Hash Lookup Plugin For IDA Pro


HashDB IDA Plugin

Malware string hash lookup plugin for IDA Pro. This plugin connects to the OALABS HashDB Lookup Service.


Adding New Hash Algorithms

The hash algorithm database is open source and new algorithms can be added on GitHub here. Pull requests are mostly automated and as long as our automated tests pass the new algorithm will be usable on HashDB within minutes.


Using HashDB

HashDB can be used to look up strings that have been hashed in malware by right-clicking on the hash constant in the IDA disassembly view and launching the HashDB Lookup client.


Settings

Before the plugin can be used to look up hashes the HashDB settings must be configured. The settings window can be launched from the plugins menu Edit->Plugins->HashDB.


 

Hash Algorithms

Click Refresh Algorithms to pull a list of supported hash algorithms from the HashDB API, then select the algorithm used in the malware you are analyzing.


Optional XOR

There is also an option to enable XOR with each hash value as this is a common technique used by malware authors to further obfuscate hashes.


API URL

The default API URL for the HashDB Lookup Service is https://hashdb.openanalysis.net/. If you are using your own internal server this URL can be changed to point to your server.


Enum Name

When a new hash is identified by HashDB the hash and its associated string are added to an enum in IDA. This enum can then be used to convert hash constants in IDA to their corresponding enum name. The enum name is configurable from the settings in the event that there is a conflict with an existing enum.


Hash Lookup

Once the plugin settings have been configured you can right-click on any constant in the IDA disassembly window and look up the constant as a hash. The right-click also provides a quick way to set the XOR value if needed.



Bulk Import

If a hash is part of a module a prompt will ask if you want to import all the hashes from that module. This is a quick way to pull hashes in bulk. For example, if one of the hashes identified is Sleep from the kernel32 module, HashDB can then pull all the hashed exports from kernel32.


 

Algorithm Search

HashDB also includes a basic algorithm search that will attempt to identify the hash algorithm based on a hash value. The search will return all algorithms that contain the hash value, it is up to the analyst to decide which (if any) algorithm is correct. To use this functionality right-click on the hash constant and select HashDB Hunt Algorithm.


 

All algorithms that contain this hash will be displayed in a chooser box. The chooser box can be used to directly select the algorithm for HashDB to use. If Cancel is selected no algorithm will be selected.



Dynamic Import Address Table Hash Scanning

Instead of resolving API hashes individually (inline in code) some malware developers will create a block of import hashes in memory. These hashes are then all resolved within a single function creating a dynamic import address table which is later referenced in the code. In these scenarios the HashDB Scan IAT function can be used.


 

Simply select the import hash block, right-click and choose HashDB Scan IAT. HashDB will attempt to resolve each individual integer type (DWORD/QWORD) in the selected range.


Installing HashDB

Before using the plugin you must install the python requests module in your IDA environment. The simplest way to do this is to use pip from a shell outside of IDA.
pip install requests

Once you have the requests module installed simply copy the latest release of hashdb.py into your IDA plugins directory and you are ready to start looking up hashes!


Compatibility Issues

The HashDB plugin has been developed for use with the IDA 7+ and Python 3 it is not backwards compatible.

More info
Posted by at No comments:

Saturday, January 27, 2024

Smuggler - An HTTP Request Smuggling / Desync Testing Tool


An HTTP Request Smuggling / Desync testing tool written in Python 3


IMPORTANT

This tool does not guarantee no false-positives or false-negatives. Just because a mutation may report OK does not mean there isn't a desync issue, but more importantly just because the tool indicates a potential desync issue does not mean there definitely exists one. The script may encounter request processors from large entities (i.e. Google/AWS/Yahoo/Akamai/etc..) that may show false positive results.


Installation
  1. git clone https://github.com/defparam/smuggler.git
  2. cd smuggler
  3. python3 smuggler.py -h

Example Usage

Single Host:

python3 smuggler.py -u <URL>

List of hosts:

cat list_of_hosts.txt | python3 smuggler.py

Options

 
usage: smuggler.py [-h] [-u URL] [-v VHOST] [-x] [-m METHOD] [-l LOG] [-q]
                   [-t TIMEOUT] [--no-color] [-c CONFIGFILE]

optional arguments:
  -h, --help            show this help message and exit
  -u URL, --url URL     Target URL with Endpoint
  -v VHOST, --vhost VHOST
                        Specify a virtual host
  -x, --exit_early      Exit scan on first finding
  -m METHOD, --method METHOD
                        HTTP method to use (e.g GET, POST) Default: POST
  -l LOG, --log LOG     Specify a log file
  -q, --quiet           Quiet mode will only log issues found
  -t TIMEOUT, --timeout TIMEOUT
                        Socket timeout value Default: 5
  --no-color            Suppress color codes
  -c CONFIGFILE, --configfile CONFIGFILE
                        Filepath to the configuration file of payloads

Smuggler at a minimum requires either a URL via the -u/--url argument or a list of URLs piped into the script via stdin. If the URL specifies https:// then Smuggler will connect to the host:port using SSL/TLS. If the URL specifies http:// then no SSL/TLS will be used at all. If only the host is specified, then the script will default to https://

Use -v/--vhost <host> to specify a different host header from the server address

Use -x/--exit_early to exit the scan of a given server when a potential issue is found. In piped mode smuggler will just continue to the next host on the list

Use -m/--method <method> to specify a different HTTP verb from POST (i.e GET/PUT/PATCH/OPTIONS/CONNECT/TRACE/DELETE/HEAD/etc...)

Use -l/--log <file> to write output to file as well as stdout

Use -q/--quiet reduce verbosity and only log issues found

Use -t/--timeout <value> to specify the socket timeout. The value should be high enough to conclude that the socket is hanging, but low enough to speed up testing (default: 5)

Use --no-color to suppress the output color codes printed to stdout (logs by default don't include color codes)

Use -c/--configfile <configfile> to specify your smuggler mutation configuration file (default: default.py)


Config Files

Configuration files are python files that exist in the ./config directory of smuggler. These files describe the content of the HTTP requests and the transfer-encoding mutations to test.

Here is example content of default.py:

def render_template(gadget):
	RN = "\r\n"
	p = Payload()
	p.header  = "__METHOD__ __ENDPOINT__?cb=__RANDOM__ HTTP/1.1" + RN
	# p.header += "Transfer-Encoding: chunked" +RN	
	p.header += gadget + RN
	p.header += "Host: __HOST__" + RN
	p.header += "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.87 Safari/537.36" + RN
	p.header += "Content-type: application/x-www-form-urlencoded; charset=UTF-8" + RN
	p.header += "Content-Length: __REPLACE_CL__" + RN
	return p


mutations["nameprefix1"] = render_template(" Transfer-Encoding: chunked")
mutations["tabprefix1"] = render_template("Transfer-Encoding:\tchunked")
mutations["tabprefix2"] = render_template("Transfer-Encoding\t:\tchunked")
mutations["space1"] = render_template("Transfer-Encoding : chunked")

for i in [0x1,0x4,0x8,0x9,0xa,0xb,0xc,0xd,0x1F,0x20,0x7f,0xA0,0xFF]:
	mutations["midspace-%   02x"%i] = render_template("Transfer-Encoding:%cchunked"%(i))
	mutations["postspace-%02x"%i] = render_template("Transfer-Encoding%c: chunked"%(i))
	mutations["prespace-%02x"%i] = render_template("%cTransfer-Encoding: chunked"%(i))
	mutations["endspace-%02x"%i] = render_template("Transfer-Encoding: chunked%c"%(i))
	mutations["xprespace-%02x"%i] = render_template("X: X%cTransfer-Encoding: chunked"%(i))
	mutations["endspacex-%02x"%i] = render_template("Transfer-Encoding: chunked%cX: X"%(i))
	mutations["rxprespace-%02x"%i] = render_template("X: X\r%cTransfer-Encoding: chunked"%(i))
	mutations["xnprespace-%02x"%i] = render_template("X: X%c\nTransfer-Encoding: chunked"%(i))
	mutations["endspacerx-%02x"%i] = render_template("Transfer-Encoding: chunked\r%cX: X"%(i))
	mutations["endspacexn-%02x"%i] = render_template("Transfer-Encoding: chunked%c\nX: X"%(i))

There are no input arguments yet on specifying your own customer headers and user-agents. It is recommended to create your own configuration file based on default.py and modify it to your liking.

Smuggler comes with 3 configuration files: default.py (fast), doubles.py (niche, slow), exhaustive.py (very slow) default.py is the fastest because it contains less mutations.

specify configuration files using the -c/--configfile <configfile> command line option


Payloads Directory

Inside the Smuggler directory is the payloads directory. When Smuggler finds a potential CLTE or TECL desync issue, it will automatically dump a binary txt file of the problematic payload in the payloads directory. All payload filenames are annotated with the hostname, desync type and mutation type. Use these payloads to netcat directly to the server or to import into other analysis tools.


Helper Scripts

After you find a desync issue feel free to use my Turbo Intruder desync scripts found Here: https://github.com/defparam/tiscripts DesyncAttack_CLTE.py and DesyncAttack_TECL.py are great scripts to help stage a desync attack


License

These scripts are released under the MIT license. See LICENSE.



Related links


Posted by at No comments:
Subscribe to: Posts (Atom)