Social Items

Mariana Trench (MT) is a tool used internally by Facebook to spot and prevent security and privacy bugs in Java and Android applications.

Now, the company has open-sourced MT to support security engineers not just at Facebook, but across the industry. While server-side code can easily be updated instantaneously for web apps, however, mitigating a security bug in an app relies on every user updating the application on the device level.

It therefore behooves on app developers to put systems in place to help in thwarting such vulnerabilities from making it into mobile app releases.

What Open-sourcing of Mariana Trench App Debugging tool means for Developers?



MT is built for analyzing Java and Android applications, which a developer can specifically require MT to show flows by defining rules. The rule could also be specified, for instance, to finding issues that allow attackers to intercept sensitive data by defining a rule that shows all traces from “user-controlled” sources to an “intent redirection” sink.



It achieves this by computing a model for each Java method in the codebase, with the models computed using a static analysis technique called abstract interpretation.

A typical scenario is whereby a security engineer would start by broadly defining the boundaries of the data flows in scanning the codebase, defining a rule connecting the two is not enough. Therefore an engineer also has to review the identified issues and refine the rules until the results are sufficiently high-signal.

MT was built through close collaboration between security and software engineers at Facebook who trains MT to look at code and analyze how data flows through it. The analyzing of data flows is useful as many security and privacy issues can be modeled when data flow into a wrong place.

How to get Started with Mariana Trench App Debugging tool?



MT is currently available on GitHub, and a binary distribution has been released on PyPI. You can also find a short tutorial to help get you started here.

Facebook teams will actively continue to develop and improve MT, with developers who are interested in collaborating in building the project, recommended to open an issue or reach out on GitHub.

Facebook Open-sources its in-house Mariana Trench App Debugging tool

Google-developed web framework, Angular is set for a host of improvements with the expected release of Angular 13, ranging from improved error messages to pure annotations, better integration with deployment providers.

While Angular 12 was released on May 12, bringing updated version of Ivy language service to provide improved type checking and tearing down of the test module and environment after every test, which significantly improved test speed. Angular 13, latest beta releases published as of September 24, shows major areas of improvements such as the core, router, and service workers.

Several other new changes are still expected as the framework nears release, besides the router performance improvements, which change proposal is to fix a situation in where the default URL serializer drops everything afterward, including question mark in query parameters.

What's New in Angular 13 Update?



Angular 13 will debut a new type which serves as a union of all possible status strings for form controls, FormControlStatus. And AbstractControl.status will be narrowed from string to FormControlStatus.



Some key changes available in latest Angular 13 betas are as follows:

  • Service worker cache is now cleared in the safety worker ensuring stale or broken contents aren't served in future requests.
  • Behavior of the SpyLocation employed by the RouterTestingModule now matches the behavior of the browsers.
  • Pure annotations have been added to static property initializers, with class properties with initializers that cause code execution having side effects at module evaluation, similar in effect to module level code.
  • Platform-browser error message has been improved for missing animation trigger.


Furthermore, most applications should be able to consume the new types introduced seamlessly, hybrid apps relying on navigationId to the router should subscribe to NavigationCancel events and carry out the location.replaceState to add navigationId to the router state.

What is Angular 13 Release Date and How to Get Started with Angular 13?



As Angular releases are targeted for every six months, it makes the release date of version 13 this November, with latest version the Angular 12 released on May 12.

Angular 13 version is still in pre-release state, therefore it is strongly recommended that if you want to update to the latest version (from Angular 10 or 11), you should update your application to Angular 12 before upgrading to Angular 13.

Angular 13 Update: What's New and the Final Release date?

Microsoft WPBT (Windows Platform Binary Table) is an ACPI table that was first introduced in Windows 8 and originally intended to give the operating system more control, such as allowing the boot firmware to provide the platform binary without modifying the Windows image on disk.

According to researchers at Eclypsium, there is a yet to be patched bug in WPBT affecting all Windows-based devices from Windows 8 up that could potentially be exploited to install a rootkit that would lead to the compromising of the integrity of Windows devices. The Eclypsium research team identified a weakness in Microsoft’s WPBT capability that could allow attackers to run malicious code with kernel privileges when a device boots up.

The WPBT functionality was intended to let OEMs include important files, drivers, or executables for the system without the need to modify the Windows image on disk, which technology is used by a number of vendors including Lenovo, ASUS, and many others.

How Microsoft WPBT Bug Could allow attackers Easily Install a Rootkit?



The WPBT feature allows OEMs to modify the host operating system during boot to include vendor-specific drivers, applications, and content.



Now, the bug stems from the fact that though Microsoft requires a WPBT binary to be signed, it accepts an expired or revoked certificate. What this means is that an attacker can sign a malicious binary with a readily available expired certificate. And this process can enable an attacker to install a rootkit compromising the integrity of the device.

The issue affects all Windows-based devices from Windows 8 when the WPBT feature was first introduced, and the attack scenario has been successfully demonstrated on modern, Secured-core PCs that are running the latest boot protections.

How to Mitigate against the Microsoft Windows Platform Binary Table (WPBT) Bug?



Microsoft has recommended that customers should use Windows Defender Application Control (WDAC) policy to tightly restrict what binaries can be permitted to run on the devices, in order to mitigate against the WPBT Bug.

The researchers, however, advices organizations to employ a layered approach to security to ensure that all available bug fixes are applied and to identify any potential compromises to their devices.

Microsoft WPBT Bug Affecting All Windows-based Devices up from Windows 8

Windows Subsystem for Linux (WSL) was introduced by Microsoft in 2016 as a supplemental feature that runs Linux image in a near-native environment on Windows, without the over-head of a virtual machine.

According to Black Lotus Labs, several malicious files written in Python and compiled in the Linux binary format ELF (Executable and Linkable Format) for the Debian operating system, has been recently identified targeting WSL. These malicious files act as loaders running a payload that's retrieved from a remote server and then injected into a running process using Windows API calls.

While this approach was not particularly a novelty, but it marks the first instance where threat actors have been found to abuse WSL to install payloads; and using an ELF loader for the WSL environment makes the technique rather evasive to security detection.

How the Malware Evade Detection on Windows Subsystem for Linux?



The researchers at Black Lotus Labs identified a series of samples uploaded every two to three weeks, from as early as May 3, through to August 22, 2021, that target the WSL environment.



And these samples are compiled with Python 3.9 using PyInstaller for the Debian operating system version 8.3.0-6. With some containing lightweight payloads which could have been generated from open-source tools such as MSFVenom or Meterpreter.

While the Meterpreter framework is well known in the industry, that hasn't helped to stop cybercrime and ransomware groups from using it in the past. And it would be rather easy for the operator to swap out the Meterpreter payload for more advanced tools such as Cobalt Strike or a custom agent.

The ELF to Windows binary file execution path was different in various files, for some, PowerShell was used to inject and execute the shellcode; and for others, Python ctypes was used to resolve Windows APIs. The malicious files attempted to download shellcode from a remote C2 and uses ctypes to call Windows APIs, in addition to employing PowerShell to perform subsequent actions on the host machine.

As the boundaries between operating systems continue to narrow down, threat actors will definitely take advantage of the new attack surfaces. Therefore, it is advised that users should enable WSL to ensure proper logging in order to detect this type of threats.

Windows Subsystem for Linux targeted in New Malware Attacks

The third point version of Kali Linux 2021 series, Kali Linux 2021.3 has been released, with a number of major improvements along with some new tools.

Kali Linux 2021.3 comes with a bevy of new hacking tools and updated core packages, and also makes the experience of virtualization even more seamless when setting up a virtual environment. The information domain Kali-Tools has also be refreshed with a clean interface, to provide a concise overview of tools and faster system.

Kali didn't forget about KDE, as one of its favorite desktop environments; Kali Linux 2021.3 brings improvement to the layout for Xfce and Gnome editions.

What's New in Kali Linux 2021.3 Release?



Aside from the updated core packages, with Kali Linux 2021.3, OpenSSL has now been configured for wider compatibility to allow Kali to talk to as many services as possible.



While legacy protocols such as TLS 1.0 and TLS 1.1 and older ciphers are now enabled by default, which will help to improve Kali’s ability to talk to older, obsolete systems and servers that are still using these older protocols. And among the Kali Tools added to Kali Linux 2021.3 Release fleet are:

  • Subjack: Subdomain takeover
  • RouterKeygenPC: Generate default WPA/WEP Wi-Fi keys
  • WPA_Sycophant: Evil client portion of EAP relay attack
  • HostHunter: Recon tool for discovering hostnames using OSINT techniques
  • EAPHammer: Targeted evil twin attacks against WPA2-Enterprise Wi-Fi networks
  • CALDERA: Scalable automated adversary emulation platform
  • Berate_ap: Orchestrating MANA rogue Wi-Fi Access Points


Furthermore, Kali has partnered with Ampere to have its ARM package building machines running on Ampere’s hardware, which means that Kali will benefit from the burst in speed.

How to Download or Upgrade to Kali Linux 2021.3



For those who are new to Kali, simply grab the new Kali 2021.3 ISO images which are now available for download with support for several platforms.

If you’re an existing Kali Linux user and want to upgrade from the previous version to Kali Linux 2021.3, you can easily upgrade your system by following the updating Kali guide.

Kali Linux 2021.3 Release: Brings Improvements to Kali Live VM Support

MSHTML (also known as Trident) is a proprietary browser engine for the Windows version of Internet Explorer, developed by Microsoft.

According to Microsoft Threat Intelligence Center (MSTIC), a number of attacks have attempted to exploit a remote code execution vulnerability in MSHTML, which vulnerability is tracked as CVE-2021-40444, using specially crafted Microsoft Office documents.

As part of an initial campaign that distributed custom Cobalt Strike Beacon loaders, these attackers communicated with an infrastructure that Microsoft associates with multiple cyber-criminal campaigns, including human-operated ransomware.

How Windows MSHTML Zero-Day was Exploited to Deploy Cobalt Strike Beacon in targeted systems?



The attack vector relies on a malicious ActiveX control which could be loaded by MSHTML using a malicious Office document.



Microsoft customers who enabled attack surface reduction rules to block Office from creating child processes are not impacted by the exploitation technique used in the attacks. The attackers leveraged on the vulnerability to access entry point devices to run highly-privileged code, with the secondary actions taken by the attackers relying on stealing credentials that could result organization-wide impact.

Again, this attack illustrates the importance of implementing attack surface reduction, credential hygiene, and lateral movement mitigations.

How to Mitigate against the MSHTML Zero-Day Exploit



Microsoft has already rolled out a fix for the MSHTML vulnerability as part of its Patch Tuesday updates on September 14.

Therefore, customers are advised to apply the security patch for CVE-2021-40444 to fully mitigate this vulnerability. Also, Microsoft has confirmed that the attack surface reduction rule blocks activity associated with exploitation of the MSHTML Zero-Day.

MSHTML Zero-Day Exploited to deploy Cobalt Strike Beacon in targeted Windows machine

Azure Container Instances (ACI) service allows users to run containers directly in a serverless cloud environment, requiring no virtual machines or clusters.

While Palo Alto Networks' Unit 42 threat intelligence team has disclosed a vulnerability in ACI service that could have been exploited by an attacker to access other customers' information. The vulnerability dubbed "Azurescape" involves how a malicious actor can leverage the cross-tenant technique to escape a rogue ACI container, escalate privileges, and take over an impacted containers by executing malicious code.

Microsoft, however, has issued a patch shortly after the disclosure and there is no known information on Azurescape exploit in the wild.

How Azurescape could have been exploited by a Malicious actor to access customers' information?



Azure Container Instances (ACI) offers a Container-as-a-Service (CaaS) that enables customers to run containers on Azure without managing the underlying servers.



The CaaS offering is notoriously hard to access, and users are only exposed to their container environment, and local network access is disabled through firewalls. But the researchers created WhoC, a container image that reads the container runtime executing it. It's based on a rarely discussed design flaw in Linux containers that allow them to read the underlying host's container runtime.

Deploying WhoC to ACI, enabled the researchers to retrieve the container runtime used in the platform and unsurprisingly, they were able to find runC, the industry standard container runtime.

RunC v1.0.0-rc2 which was released in 2016, was vulnerable to at least two container breakout CVEs. The presence of this old version of runC in ACI, allowed the researchers to successfully broke out of their container and gained a reverse shell running as root on the underlying host, which turned out to be a Kubernetes node.

Albeit, the node's Kubelet only allowed anonymous access, the researchers tried to access Kubelets on neighboring nodes, but all attempted requests to access neighboring nodes timed out, probably due to a firewall configuration that prevented communication between worker nodes. The researchers deployed a few breakout containers which landed on different Kubernetes clusters, with unique cluster IDs ranging between 1-125 and these cluster IDs indicated that each location (e.g. West Europe) hosted a few dozen clusters.



As ACI was hosted on clusters running either Kubernetes v1.8.4, v1.9.10 or v1.10.9, which versions were released between November 2017 and October 2018 and are vulnerable to multiple publicly known vulnerabilities. The researchers started going over past Kubernetes issues, searching for ones that would allow their compromised node to escalate privileges or gain access to other nodes and CVE-2018-1002102 was identified as promising.

The CVE-2018-1002102 marks a security issue in how the api-server communicated with Kubelets, it accept redirects. And by redirecting the api-server's requests to another node's Kubelet, a malicious Kubelet can spread in the cluster.

Again, this discovery highlights the need for cloud users to take a 'defense-in-depth' approach to securing their cloud infrastructure that includes continuous monitoring for threats, inside and outside the cloud platform.

Azurescape Vulnerability: Cross-Account Container takeover in Azure Container Instances

There is an ongoing malware campaign spearheaded by a network of websites that acts as a “dropper as a service” which serves up a variety of unrelated malware together in a single dropper.

According to Sophos, these networks employ search engine optimization to push a “bait” webpage to the first page of search results for queries seeking “crack” versions of popular software products; and a variety of information stealers, including clickfraud bots and other malware were delivered through the sites.

These network of sites targets those seeking “cracked” versions of popular software packages with link that redirect the victims to the payload designed for their platform.

How Popular Pirated software are used as lure to serve up Malware droppers?



On clicking the bait pages, victims are directed to a download site that hosts a packaged archive containing malware, while others are steered to browser plugins or applications that fall in a potentially unwanted grey area.



The downloads contained a variety of potentially unwanted applications and malware, including Stop ransomware, the Glupteba backdoor, and a variety of malicious cryptocurrency miners in addition to Raccoon Stealer. Several of the malware campaigns that hosted the “cracked” software were powered in part by InstallUSD, an advertising network based in Pakistan which promises a payment of up to $5 US for every software install delivered.

The researchers also found a number of other such services that, instead of offering their own malware delivery networks, act as "go-betweens" to established malvertising networks that pay website publishers for traffic.

Many of these services advertise on the same boards where criminal affiliates can set up accounts quickly, but most require a deposit paid in Bitcoin before they can begin distributing installers.



All of these delivery methods dropped packages with same basic characteristics; the download was a .zip archive file named after the alleged “cracked” product sought by the target and inside, the archives contained an additional .zip archive and a file with “password” in its name.

As the malicious payloads are in password-protected archives–and in formats that cannot be opened natively by Windows Explorer, they cannot be scanned by endpoint security tools during download.

Dropper packages and the malware delivery platforms have been around for a long time, and they continue to thrive because of the same sort of market dynamics as those that make stealers as a service so profitable.

Popular Pirated software used as lure to serve up Malware droppers

GCToolkit is a set of libraries for analyzing Java garbage collection (GC) log files, that parses log files into discrete events and offers an API for aggregating data from the events.

Microsoft’s Java Engineering Group announced the open-sourcing of GCToolkit, and the availability on GitHub, offered under the MIT license. While the tool comprises of three Java modules including the API, garbage collection log file parsers, and a message backplane based on the Vert.x toolkit for building apps on the JVM.

The API serves as the entry point into the toolkit, concealing the details of using the parser to analyze a garbage collection log file into a method calls; with the parser module as a collection of regular code developed to be a robust garbage collection log parser.

How the open-sourcing of GCToolkit will impact the Development ecosystem?



As GCToolkit parses GC log files into discrete events and provides an API for aggregating data from those events, it allows developers to create arbitrary and complex analyses of the state of managed memory in the Java Virtual Machine (JVM).



The management of memory in the JVM comprises of 3 main pieces, namely: memory buffers also known as Java heap, allocators which works on getting data into Java heap, and garbage collection (GC).

GC is responsible for recovering memory in Java heap that is no longer in use, which term is often used as a euphemism for memory management and tuning GC or tuning the collector are used with the understanding of tuning the JVM’s memory management subsystem.

How to Get Started with Microsoft GCToolkit?



GCToolkit is currently aailable on GitHub and offered under the MIT license, if you're interested in contributing.

But if you only want to follow along, you can join the community discussions at github.com/microsoft/gctoolkit/discussions.

Microsoft open-sources GCToolkit Java garbage collection analyzer

FIN7, a Russian advanced persistent threat group which has primarily targeted the U.S. since 2015 is using Windows 11 Alpha-Themed Docs to drop JavaScript backdoor against retail and hospitality sectors located in the U.S.

According to Anomali Threat Research, six malicious Windows 11 Alpha-themed Word documents with Visual Basic macros are being used to drop JavaScript payloads, including a JavaScript backdoor. While the attack vector for this activity remains unknown, it strongly suggests an email phishing or spearphishing campaign.

The activity likely took place around late-June to late-July 2021, based on the file names in this campaign observed by the researchers.

How FIN7 ATP Group is Using Windows 11 Themed Documents to drop Javascript Backdoor?



Anomali Threat Research analysis conducted on malicious Microsoft Word documents themed after Windows 11 Alpha, disclosed with moderate confidence that the Word documents were part of a malware campaign conducted by the threat group FIN7.



The attack chain began with a Microsoft Word document (.doc) containing a decoy image claiming to have been made with Windows 11 Alpha. And on analyzing the file, it was discovered to be a VBA macro populated with junk data as comments. Given that junk data is a common tactic used by threat actors to impede analysis, but once this junk data is removed, we are left with a VBA macro.

The VBScript will take encoded values from a hidden table inside the .doc file, an after deobfuscating the VBA macro, language checks carried out. If these languages are detected, the function me2XKr is called which deletes the table and stops running, also the script checks for Virtual Machines, which if detected it stops running as well.

Interestingly, the attack stops after detecting Russian, Ukrainian, or several other Eastern European languages, albeit there is no solid attribution, but the language check function and table it scores against indicate a likely geographic location for the creator of this malicious doc file.

The reason is not far-fetched, as it is an almost unofficial policy that cybercriminals based in the Commonwealth of Independent States (CIS) are generally left alone if they do not target interests or individuals within the respective borders, thus the VBA macro checking the target system language against a list including common CIS languages will terminate the infection when found to match.

However, the addition of Serbian, a minority German Slavic language, Estonian, Slovenian and Slovak remains unusual as these are not languages considered for exclusion but maybe would be considered as a ‘fair game.’

Windows 11 Alpha-themed Word docs used to drop malicious payloads

Subscribe to: Posts (Atom)