from LearningNeon
test
Read the latest posts from Infosec Press.
from LearningNeon
The following is my attempt at reversing and analyzing a Mirai variant, including wondering why IDA wouldn't disassemble it, why UPX wasn't unpacking the malware sample, and what I learned over the process. The main reason was that I gave myself a one-week crash course on malware reversing and tried it on a live sample MJ and I pulled from a honeypot we set up a few weeks ago. I have learned many things despite the failings presented in this blog. If you have any experience in any of these fields you will read this thinking "what was I thinking", and to be frank, I wasn't; I was just trying out some new things and shooting from the hip.
The first thing I did when I downloaded the malware sample was to run strings and hexdump. They didn't pull any significant information, no tangible words other than the fact that it was an ELF file for Linux. Digging further, I then attempted to run it through IDA on Linux in an attempt to reverse it into assembly, and then continued to struggle wondering why it wouldn't open. This led me into an adventure into packers.
I ran into Detect It Easy, a packer detector for Linux; it's a really good tool that reads the hex values and detects which packer is used, if one is used. I figured the reason the malware wasn't running was that the packer was encoding it, preventing IDA from doing its magic. That isn't how it works, but I was on the right track about the packer being involved with the malware. After using D.I.E. (Detect It Easy), it reported the packer as UPX[LZMA, brute modified].
So, simple enough, I just have to run the sample through upx and we have our malware to analyze, or at least that's what I thought.
So now I was confused for a while. I tried to play with the LZMA part of it, but after a while I figured I was just struggling for the sake of struggling and gave up.
Now, after some googling, I knew Hajime was based off Mirai, but there was a lot I didn't know about Hajime, like how it was a P2P IoT botnet. It accessed and issued commands based on a Distributed Hash Table. So I figured I'd try to piggyback off other people's work and throw the hash into AnyRun, and got this.
Everyone is trying to run this ELF binary on a Windows system. I don't really know the backstory, whether it's an automated process, but it didn't help much.
Eventually I found the abuse.ch YARA scanner, decided to throw it through the YARA scanner, and it dumped out this.
So there is a detection against unpacking, so I know I'm on the right track.
I eventually gave up, removed the network card on my VM and tried to run the malware to see if I could do any dynamic analysis.
“bash: ./020f1fa6072108c79ed6f553f4f8b08e157bf17f9c260a76353300230fed09f0.elf: cannot execute binary file: Exec format error”
The reason I was having such a hard time is that its architecture was MIPS R3000. I am currently googling how to emulate MIPS R3000 on x86_64 and trying to figure out my next step, but I wanted something to show for it, so I wrote this. Hopefully you had fun reading my blunders.
Malware sample SHA-256: 020f1fa6072108c79ed6f553f4f8b08e157bf17f9c260a76353300230fed09f0. It can be downloaded via Malware Bazaar: https://bazaar.abuse.ch/download/020f1fa6072108c79ed6f553f4f8b08e157bf17f9c260a76353300230fed09f0/
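As an added example (not code from the original post): a short Python check of the ELF header that would have shown up front that a sample is a 32-bit big-endian MIPS binary (hence the "Exec format error" on x86_64) and whether the stock "UPX!" marker is present. The sample bytes are constructed, not the real malware, and the QEMU names are the standard qemu-user binaries.

```python
import struct

# Constructed sample input (not the real malware): a 52-byte ELF32 header for a
# big-endian MIPS executable, followed by filler containing the "UPX!" marker.
SAMPLE = (
    b"\x7fELF"                                    # ELF magic
    + b"\x01"                                     # EI_CLASS: 1 = 32-bit
    + b"\x02"                                     # EI_DATA: 2 = big-endian
    + b"\x01" + b"\x00" * 9                       # EI_VERSION, OSABI, padding
    + struct.pack(">HHII", 2, 8, 1, 0x400000)     # e_type=EXEC, e_machine=8 (MIPS), e_version, e_entry
    + struct.pack(">III", 52, 0, 0)               # e_phoff, e_shoff, e_flags
    + struct.pack(">HHHHHH", 52, 32, 1, 0, 0, 0)  # e_ehsize .. e_shstrndx
    + b"\x00" * 16 + b"UPX!" + b"\x00" * 12
)

# e_machine values from the ELF specification (subset).
E_MACHINE = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}

def elf_info(data: bytes) -> dict:
    """Read class, byte order, type and machine from an ELF header."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    bits = {1: 32, 2: 64}[data[4]]
    order = {1: "<", 2: ">"}[data[5]]             # struct byte-order prefix
    e_type, e_machine = struct.unpack(order + "HH", data[16:20])
    return {
        "bits": bits,
        "endian": "little" if order == "<" else "big",
        "type": {2: "EXEC", 3: "DYN"}.get(e_type, f"other({e_type})"),
        "machine": E_MACHINE.get(e_machine, f"unknown({e_machine})"),
        # Stock UPX leaves "UPX!" in the file; modified ("brute") UPX builds often
        # strip or alter it, which is one reason stock `upx -d` refuses to unpack.
        "upx_marker": b"UPX!" in data,
    }

def can_run_natively(info: dict, host: str = "x86-64") -> bool:
    """An ELF built for another CPU gives 'Exec format error' on the host."""
    return info["machine"] == host

def emulator_for(info: dict):
    """QEMU user-mode binary that can run this ELF on an x86-64 host, if known."""
    if info["machine"] == "MIPS" and info["bits"] == 32:
        return "qemu-mips" if info["endian"] == "big" else "qemu-mipsel"
    if info["machine"] == "ARM":
        return "qemu-arm"
    return None

if __name__ == "__main__":
    info = elf_info(SAMPLE)
    print(info, "native:", can_run_natively(info), "emulator:", emulator_for(info))
```

Run it on a real file with `elf_info(open(path, "rb").read())` inside an isolated VM; the marker check is only a heuristic, so a missing "UPX!" does not mean the file is unpacked.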
from Molly
Outside: warm, windy, Spring Inside: brooding, melancholy, gray
from beverageNotes
I've been slacking again.
This evening, I'm finishing off a Basil Hayden Toast Small Batch. It's 80 proof, “artfully aged”, but no age statement.
It starts with some toasted marshmallow and cinnamon on the nose. Leads with some caramel, cinnamon, and maybe cherry or peach. There's a hint of toasted marshmallow in the middle, but the finish is a little weak.
I like it, I think it's a fairly inexpensive bottle—this one in particular was a gift.
It's got some oaky heat that lingers after the sip. I prefer to have it with an ice cube. A splash of water is also a good choice, if you prefer the heat.
from Stories of Salt
from Sidney Borne
from Stories of Salt
This page will be expanded over time. Send DM's to @fauxialist_alternative on Instagram with suggested additions.
from stndinq
from critic
Besides, showering in the evening saves time in the morning... of course, if you then use that time to clean up the cats' poop, we're back to square one.
from critic
It doesn't work with the Writefreely app. I'm a little disappointed. Nevertheless, I'll try to use it via browser.
from critic
Discovered too late, loved right away.
from critic
I don't have much to say today...
from J. R. DePriest
A tickle, a nuzzle against my neck. A breath. A sigh. I can't move, but I feel the slow, steady rise and fall of my chest. My eyes stay closed. I'm suspended, hovering, hesitating as each side pulls gently. My arm slips and I feel the smooth, muscled warmth of your thigh as you wrap your legs around me from behind. Familiar. You touch my shoulders and slip your hands under my arms. Trembling, my heart thrums, spilling warmth. Smiling, I nod so slightly I'm not sure you noticed. Your exploring hands answer by reaching between my legs, your mouth answers with teeth on my neck. A moan. Not sure if yours or mine. I long to turn around, to close my eyes enough that I can see you, know you, but my arm is asleep. And I hear the fan. My breathing is fast and shallow. I'm lying on my back. Awake. Alone.
I long to see you, to know you, but my body, my mind can't stay there, in the fugue, the twilight, the in between. Do you miss me when I wake? When I sleep and dream? Do you watch from invisible crevices, hiding in shadows, hoping I will remember how to find you? Do you know my True Name? My purpose? I am incomplete. I feel it every day. Something was lost, is missing. I cannot name it or describe it, but you are part of it. Maybe all of it. You will find me and drag me down to the Deep Waters and we will love for eternity. What is one lifetime to wait? Nothing. If I were ignorant; if I didn't know. But I do know. Each touch, each time, each brief moment together fills me with joy and peace before draining me, cruelly, against my protests. I'm not done here, but I wake up empty just the same. I wake up crying and forsaken. I love again and again. I struggle and learn. I hope for meaning that will never be revealed. I make a good life here. I love, I strive, I share. I am not alone. You can see that. But it's not the same. These feelings pale to The Before and The After. Is it time I'm supposed to appreciate? And its passage? For us, a moment was forever and the universe a drop of water. For me, here, without you, time is a prison.
#WhenIDream #Dreams #Dreaming #Dreamlands #Writer #Writing #Writers #WritingCommunity #ShortFiction #Fiction #Paranormal #NightTerrors #SleepParalysis #HypnagogicHallucinations
CC BY-NC-SA 4.0 This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License
from Hyperscale Security
Earlier this week, someone asked me for my top 5-10 things I would recommend to an organization lifting & shifting workloads to public cloud. I thought that was a good starting point. “Refactor” for cloud-native is the common answer, but the reality is that everybody lifts & shifts, so why not recognize that.
So, here are my top 5... and I'll add a sixth as a bonus.
Centralize and automate cloud account creation and billing, and ensure that all are in your public cloud Organization. This will allow you to apply policies centrally, and more easily deploy cloud-native security tooling.
Apply cloud guardrails at that Organization level to apply basic preventative controls and make your cloud accounts behave more securely by default. These are likely the cheapest and most effective security controls you can apply to enforce logging, encryption standards, network restrictions, MFA enforcement, etc.
Get a Cloud-Native Application Protection Platform (CNAPP). This can be deployed via Organization policy and provides broad visibility to your cloud estate, across providers and for multiple use cases, including asset discovery, CSPM and vulnerability management.
Related to that, while lifting & shifting your workloads, resist the urge to lift & shift your security tooling from the data center. Look at what the CNAPP gives you, and see whether you can rationalize your security stack, retire point solutions you no longer need, and reduce cost.
Cloud APIs give you the opportunity to describe the infrastructure and services you want and have the cloud materialize that for you, rather than do everything yourself. It is designed for automation. Use Infrastructure-as-Code (IaC) to create your infrastructure, network and service configuration, create compute instances and deploy your VM images. IaC allows you to redeploy from known-good state, which accelerates patching, system configuration and restoration, while making deployments more predictable.
One bonus recommendation, given the difference between owned and rented compute, network and storage resources. Remember that everything in the cloud is metered and that your architectural choices can have significant cost impacts. Don't size like in data centers, with head room to spare. Figure out what your workload needs. Many smaller instances may be cheaper than fewer large ones. If the workload is variable (seasonal, variable during the day), consider autoscaling. If the workload is static, use reserved instances at lower cost.
And after you have done all that, feel free to refactor!
from acrypthash
End of the Year Wrap Post
Greetings fellow hackers! I hope everyone had a productive and prosperous year! This blog post is going to be pretty big and all over the place as I discuss what I have been up to over the past few months. It's been quite a ride :D. I am so grateful for this year and how much I've grown.
TLDR; DailyPay Okta breach, malvertising and its woes, security conferences, learning, GCP security, what's to come in 2024.
The first thing we will discuss is a security event that happened with a vendor called DailyPay. For those of you who don't know, “DailyPay is an American financial services company founded in 2015, which provides payroll services such as earned wage access.” The vendor was experiencing odd API requests coming from customer tokens (insert sweaty cat here). We started seeing notifications of odd logins and reached out. Apparently this was related to the Okta breach. Ultimately we rotated tokens, ensured user logins all had 2FA (which they mostly did), and sat tight. A bit anticlimactic, but we managed to avoid something bad from happening. It also taught me the value of actually calling up a vendor when you suspect something odd.
Malvertising is a TTP that is difficult for end-users to understand. It's hard to identify and easy to fall for. We work hard to train and explain these things in terms that end users can understand, but to get someone to actually remember to think with security in mind for their day to day is difficult and not realistic. For our organization, we need browser level security. We are a Google Workspace shop, so we could do some management at a browser level in Chrome, but that is limited and not ideal. ZScaler or a full fledged MDM is probably going to be the solution for us. In the past month we had an end user that fell for this TTP when they googled “Amazon” and clicked on an ad that redirected them to a phishing site. The phishing site is meant to trick you into thinking you had to call “Microsoft Support”.
I have also attended several security conferences this year!
– PancakesCon (virtually)
– BSides Harrisburg
– BSides Philadelphia
– Secure World Philadelphia
– Defcon 31
– JawnCon
– Cybersecurity Summit – Hartford, CT
Attending all of these conferences throughout the year has been such a fun and exciting learning experience. I've networked, learned new skills, learned lockpicking, and I have even started doing talks of my own at Penn State!
I have spent a lot of time reading whitepapers and learning the granular things that come with writing malware and exploits. I have tested these exploits against the environment at work and have learned a lot about remediation! I've learned how to program in Python, Rust, and C! I've learned the classic VirtualAllocEx –> WriteProcessMemory and why not to use it in new malware that I write. I have learned the inner workings of process injection as well. By no means am I an expert, but my understanding of all of this has dramatically increased over the last year. I plan to continue to learn more about malware, about defense evasion methods and more.
We are a Google shop and with that we inherit GCP. I am quite impressed with GCP security. There are several out-of-the-box configs that aren't super great, but you are able to lock things down pretty easily. I had implemented things like Terraform scans back when I first started, but now we are ingesting a lot of really interesting data into Datadog. With Datadog, I am able to get alerts in real time on what our K8s clusters are doing and so much more. We have also integrated Datadog alerting into various Slack channels.
The beginning of 2024 is going to be busy. We are deploying our new phishing campaign out to end users, I am building another IR tabletop to do by the end of January, among other things. I am actually using a bit of AI to build the template for my IR tabletop. Due to CitrixBleed being so popular, I think that is what our topic is going to be about.
2024 is going to have several major projects such as:
– LLM build-out for IR training and input (more to come)
– 2 IR tabletops (one Citrix, the other pending)
– Better coding and reverse engineering skills
– New training for all employees
– More blog posts that have more value
I am so excited for more blog posts and projects! LETS GO!
from AnOtterCity
Test
Hello