Research Saturday
Recent Episodes
Ryan from Bishop Fox joins to describe their work on "Building an Exploit for FortiGate Vulnerability CVE-2023-27997." After Lexfo published details of a pre-authentication remote code injection vulnerability in the Fortinet SSL VPN, Bishop Fox worked up a proof of concept demo. This research share how they were able to create that proof-of-concept exploit, step by step. The researchers state "Our debugging environment consisted of a FortiGate 7.2.4 virtual machine which we modified to disable some self-verification functionality. After bypassing these integrity checks, we were able to install an SSH server, BusyBox, and debugging tools such as GDB."
The malicious YoroTrooper in disguise.
Asheer Malhotra from Cisco Talos discussing their research and findings on "Kazakhstan-associated YoroTrooper disguises origin of attacks as Azerbaijan." Cisco Talos' research team, released research attributing the work of the espionage-focused threat actor, YoroTrooper, to individuals based in Kazakhstan. The research states "YoroTrooper attempts to obfuscate the origin of their operations, employing various tactics to make its malicious activity appear to emanate from Azerbaijan, such as using VPN exit nodes local to that region." They also found that the YoroTrooper continues to rely heavily on phishing emails that direct victims to credential harvesting sites.
Sandman doesn't slow malware down.
Aleksandar Milenkoski and JAGS from SentinelOne sits down to share their work on "Sandman APT | A Mystery Group Targeting Telcos with a LuaJIT Toolkit." After observing a new threat activity cluster by an unknown threat actor in August of this year, SentinelLabs dubbed it Sandman. The research states "Sandman has been primarily targeting telecommunication providers in the Middle East, Western Europe, and the South Asian subcontinent." Sandman has deployed a novel modular backdoor utilizing the LuaJIT platform, they call this malware "LuaDream," which exfiltrates system and user information, paving the way for further precision attacks.
No rest for the wicked HiatusRAT.
Danny Adamitis from Lumen's Black Lotus Labs sits down to discuss their work on "No Rest For The Wicked: HiatusRAT Takes Little Time Off In A Return To Action." Last March Lumen's Black Lotus Lab researchers discovered a novel malware called HiatusRAT that targeted business-grade routers. The research states "In the latest campaign, we observed a shift in reconnaissance and targeting activity; in June we observed reconnaissance against a U.S. military procurement system, and targeting of Taiwan-based organizations." This shift in information gathering and targeting preference exhibited in the latest campaign is synonymous with the strategic interest of the People’s Republic of China according to the 2023 ODNI threat assessment.
AMBERSQUID hides in the depths.
Sysdig's Alessandro Brucato and Michael Clark join Dave to discuss their work on "AWS's Hidden Threat: AMBERSQUID Cloud-Native Cryptojacking Operation." Attackers are targeting what are typically considered secure AWS services, like AWS Fargate and Amazon SageMaker. This means that defenders generally aren’t as concerned with their security from end-to-end. The research states "The AMBERSQUID operation was able to exploit cloud services without triggering the AWS requirement for approval of more resources, as would be the case if they only spammed EC2 instances." This poses additional challenges targeting multiple services since it requires finding and killing all miners in each exploited service.