Research Saturday
Recent Episodes
Targeting your browser bookmarks?
David Prefer from SANS sits down with Dave to discuss how a new covert channel exfiltrates data via a browser's built-in bookmark sync. David goes on to describe how this research will "describe how the ability to synchronize bookmarks across devices introduces a novel vector for data exfiltration and other misuses." In the research, he shares how he tested his said hypothesis and goes on to describe how the interesting find was tested on multiple browsers including Chrome, Edge, Brave and Opera. In his research, he found that bookmarks are able to keep data and synchronize it, making it easier to infiltrate and extract data from. David shares the rest of his findings, as well as what organizations and browser developers can do to work on this new threat.
TranscriptKeeping an eye on RDS vulnerabilities.
Gafnit Amiga, Director of Security Research from Lightspin, joins Dave to discuss her team's research "AWS RDS Vulnerability Leads to AWS Internal Service Credentials." The research describes how the vulnerability was caught and right after it was reported, the AWS Security team applied an initial patch limited only to the recent Amazon Relational Database Service (RDS) and Aurora PostgreSQL engines, excluding older versions. They followed by personally reaching out to the customers affected by the vulnerability and helped them through the update process. The research states "Lightspin's Research Team obtained credentials to an internal AWS service by exploiting a local file read vulnerability on the RDS EC2 instance using the log_fdw extension."
TranscriptAn increase in bypassing bot management?
Sam Crowther, CEO of Kasada, joins Dave to discuss their work on "The New Way Fraudsters Bypass Bot Management." Kasada researchers recently discovered a new type of bot called Solver Services, which is used and created by malicious actors to bypass the majority of bot management systems. The research states "Now it’s easier than ever for mainstream bot operators to scrape content, take over accounts, hoard inventory, and commit other forms of automated fraud against organizations using legacy bot management solutions." Attackers are able to buy these “Solver” bots, APIs, and services for less than $500 per month to make a profit.
TranscriptEvilnum APT returns with new targets.
Deepen Desai from Zscaler ThreatLabz joins Dave to discuss their work on "Return of the Evilnum APT with updated TTPs and new targets." Zscaler’s ThreatLabz team recently caught a new Evilnum APT attack campaign that uses the document template on MS Office Word to inject a malicious payload to the victim's machine. There are three new instances used of the campaign, including updated tactics, techniques, and procedures. Researchers have been closely monitoring Evilnum APT’s activity. They say ThreatLabz identified several domains associated with the Evilnum APT group, which has led them to discover that the "group has been successful at flying under the radar and has remained undetected for a long time."
TranscriptLockBit's contradiction on encryption speed.
Ryan Kovar from Splunk sits down with Dave to discuss their findings in "Truth in Malvertising?" that contradict the LockBit group's encryption speed claims. Splunk's SURGe team recently released a whitepaper, blog, and video that outlined the encryption speeds of 10 different ransomware families. During their research they cam across Lockbit doing the same thing. After completing the research, the researchers came back to test the veracity of LockBit’s findings. The research showed three interesting finds. The first find showed that LockBit’s fastest and slowest samples were closely aligned between the tests, but the other results were very different. They also found that LockBit continues to be the fastest ransomware, but LockBit 2.0 was more efficient yet slower than its previous counterpart, LockBit 1.0. Lastly, once ransomware gets to the point of encrypting your systems, it’s too late.
Transcript
