-
How To: Mitigating The New Intel Management Engine Vulnerability
Background
On November 20, 2017, Intel published INTEL-SA-00086, a security advisory detailing local and remote exploits in the Intel Management Engine. The Intel Management Engine (ME) has three vulnerable modules in this advisory:
The Active Management (AMT) module
The Trusted Execution Engine (TXE) module
The Server Platform Services (SPS) module
The only module of the three that can be exploited remotely is the AMT module. Interestingly, this same module was the subject of a May 1, 2017 advisory for INTEL-SA-00075 as well.…
-
How To: Building A Dark Web Scraper
In a previous post, I demonstrated a way to run Linux command-line tools through Tor. Let’s take it a step further, and come up with a way to scrape sites on the dark web. This will allow us to hunt for mentions of various pieces of information we may want to be alerted to, such as the presence of company names, email addresses, etc. We’re going to need some code. Let’s start with importing all the modules we’ll need, and grabbing a URL from the command line:…
-
How To: Get Started In Cybersecurity
Cybersecurity is a broad field that encompasses many disciplines. So broad, in fact, that no one person can master everything. Where do you start?
Where to start
First and foremost, you’ll need a solid understanding of computer and network fundamentals. However, even that is a multi-faceted statement. You’ll need to understand the various components of a computer, and how they all work together at a low level: how the CPU, memory, storage, peripherals, and network connectivity all function as an interconnected whole.…
-
How To: Using Tor From The Command Line
If you’re going to be doing work in the “dark web”, it’ll be useful to understand how to quickly and easily run commands via Tor. First, assuming you’re using Linux, install Tor:
sudo apt install tor
Next, edit /etc/tor/torrc:
sudo vi /etc/tor/torrc
Find the line containing the following:
#ControlPort 9051
…and uncomment it. Next, find the following line:
#CookieAuthentication 1
Uncomment it, and change 1 to 0. Finally, restart the tor service:…
-
DIY Threat Intel: Mining Spam For Malware
If you use email, you already have a wonderful resource available to you for doing some quick and dirty threat intelligence work: your spam folder. Every day, people receive anywhere from dozens to hundreds of spam emails, ranging from plain vanilla unsolicited emails, to unwanted content, to phishing attempts and malware. There’s a wealth of information to be mined from your spam folder. Right now, we’ll focus on extracting URLs and attachments from your spam emails and automatically analyzing them.…
-
Analyst Tip: Testing Firewall Egress
A quick tip for testing available TCP egress, using nc, bash, and allports.exposed:
for i in {1..1023}; do nc -vz -w 1 allports.exposed $i; done
This will use nc with the -v, -z, and -w switches to attempt to connect to allports.exposed on TCP ports 1 through 1023. -v requests verbose output, -z puts nc in scanning mode, and -w 1 tells nc to time out after one second. You may need to adjust the value supplied with -w according to the anticipated latency of the network you’re on.…
-
Simple Check For OptionsBleed vulnerability
Shortly after CVE-2017-9798 (a.k.a. “OptionsBleed”) was announced, the good folks over at The Fuzzing Project posted a great write-up, including a quick check for the vulnerability. I adapted it to check a list of sites, as analysts often have more than one web property to test.
for j in `cat domains.txt`; do for i in {1..20}; do curl -sI -X OPTIONS https://www.$j/| grep -i "allow:"; done >optionsbleed-https-www.$j.out ;done
This will run through a list of domains in the file domains.…
-
Analyst Tip: Researching IPs, Domains, And URLs From The Shell
In the course of an average day, an analyst needs to look up various bits of information about IPs, domain names, and URLs. Various workplace tools may do some of this enrichment automatically, but every now and then the analyst needs a quick, effective way to either get this information for a single indicator, or for a large list of them.
Tools
While there are numerous websites that can be used to obtain this information, in my opinion, nothing beats the flexibility of command-line tools.…
-
Hunting For Insecure Amazon S3 Buckets
Breaches caused by insecurely-configured Amazon S3 buckets are not new. Researchers have been sounding the alarm since 2013. However, S3-related breaches continue to make the news. Last Friday (20170901), researchers announced the discovery of records for four million Time Warner Cable customers due to an improperly secured Amazon S3 bucket. Amazon has been proactive in raising awareness of this issue. However, the problem persists, and is widespread. Let’s be clear: The problem here isn’t just one of potential exposure of PII.…
-
Analyst Tip: Spotting Botnet Members
You suspect one or more hosts in your network may have unwittingly been recruited into a botnet. How can you tell? There are several indicators you can hunt for, including:
A sudden spike in outbound traffic on UDP or TCP port 53 (relative to normal volume for that host and/or in that network and/or system role), particularly to destinations other than approved recursive or authoritative nameservers
Appearance of or increase in outbound traffic on TCP ports 6660-6669 from the host in question
Attempted connections to known command-and-control (C2) servers
DNS queries for known C2 fully-qualified domain names
A sudden spike in outbound traffic on TCP port 25 (relative to normal)
The presence of one or more of these indicators may warrant further investigation.…