BC BUSINESS
Saved by @Mollyycolllinss

As part of our commitment to keeping our customers/community protected & informed, we are releasing a blog that shines light on transition between Stage 1 and 2 of #Solorigate/#SUNBURST campaign, custom Cobalt Strike loaders, post-exploit. artifacts, IOCs: https://t.co/b0ReHMa63u

 Here are some highlights:
The missing link between the Solorigate backdoor and the custom #CobaltStrike loaders observed during the #Solorigate is an Image File Execution Options (IFEO) Debugger registry value created for the legitimate process dllhost.exe (ATT&CK ID: T1546.012).
Once the registry value is created, the attackers wait for the occasional execution of dllhost.exe, which might happen naturally on a system. This execution triggers a process launch of wscript.exe configured to run the VBScript file dropped by the SolarWinds backdoor (Stage 1).
The VBScript in turn runs rundll32.exe, activating the Cobalt Strike loader DLL using a clean parent/child process tree completely disconnected from the SolarWinds process. Finally, the VBScript removes the previously created IFEO value to clean up any traces of execution.
On the custom Cobalt Strike Loaders: we identified several second-stage malware, including TEARDROP, Raindrop, and other custom loaders for the Cobalt Strike beacon. During the lateral movement phase, the custom loader DLLs are dropped mostly in existing Windows sub-directories.
#TEARDROP, #Raindrop, and the other custom Cobalt Strike Beacon loaders observed are likely generated using custom Artifact Kit templates. Each custom loader loads either a Beacon Reflective Loader or a preliminary loader that subsequently loads the Beacon Reflective Loader.
The TEARDROP variants have an export that contains the trigger for the malicious code (executed in a new thread created by the export). The malicious code attempts to open a .jpg file (festive_computer.jpg, upbeat_anxiety.jpg, gracious_truth.jpg, confident_promotion.jpg, etc.).
Next, TEARDROP proceeds to decode & subsequently execute an embedded custom preliminary loader (likely generated using a Cobalt Strike Artifact Kit template e.g., bypass-pipe.c). In its true form, the preliminary loader is a DLL that has been transformed & loaded like shellcode.
We came across additional custom loaders for Cobalt Strike’s Beacon that unlike TEARDROP, in which the malicious code is triggered by an export function, the malicious code in these variants is triggered directly from the DLL’s entry point.
Variant 2 custom loaders also contain an attacker-introduced export (using varying names) whose only purpose is to call the Sleep() function every minute.
Additionally, unlike TEARDROP, these variants do not contain a custom preliminary loader, meaning the loader DLL de-obfuscates and subsequently executes the Cobalt Strike Reflective DLL in memory.
These custom loaders can be divided into two types:
Type A: Decodes/Loads CS's RL from the DLL’s DATA section (detected as Trojan:Win64/Solorigate.SC!dha)
Type B: De-obfuscates/Loads RL from the DLL’s CODE section (aka #Raindrop, detected as Trojan:Win64/Solorigate.SB!dha).
Some observations:
The custom loader DLLs were introduced to compromised systems between the hours of 8:00 AM and 5:00 PM UTC. In one intrusion, the first 2nd stage custom loader (TEARDROP) was introduced to the environment by SolarWinds.BusinessLayerHost.exe at ~ 10:00 AM UTC.
The custom loader DLLs dropped on disk carried compile timestamps ranging from July 2020 to October 2020, while the embedded reflective DLLs carried compile timestamps ranging from March 2016 to November 2017. (synthetic compile timestamps via custom Malleable C2 profiles?)
2020? The actor did not timestamp the compile time of the custom loader DLLs? Forensic analysis of compromised systems revealed that in a few cases, the timestamp of the custom loader DLLs’ introduction to systems predated the compile timestamps of the custom loader DLLs...
Most custom loader DLLs were configured with PE version information that masquerades version information belonging to legitimate applications and files from Windows (e.g., NETSETUPSVC.DLL), 7-Zip (e.g., 7z.dll), Far Manager (e.g., Far.dll), LibIntl (e.g., libintl3.dll), etc.
Certain development artifacts were left behind in the custom loader samples. e.g. the following C++ header (.hpp) path was observed in a loader compiled from a modified Far Manager source code: c:\build\workspace\cobalt_cryptor_far (dev071)\farmanager\far\platform.concurrency.hpp
Most Beacon and Reflective Loader instances discovered during our investigation were configured with a unique C2 domain name, unique Watermark ID, unique PE compile timestamp, PE Original Name (), DNS Idle IP, User-Agent , HTTP POST/GET transaction URI, sleep time & jitter factor
Each Beacon instance carries a unique Watermark value. Analysis of the Watermark values revealed that all Watermark values start with the number ‘3’.
The post-exploitation related artifacts, TTPs and MITRE ATT&CK techniques (an extensive list) are best covered/described under the "Additional attacker tactics, anti-forensic behavior, and operational security" section of the blog: https://t.co/b0ReHMrGV2
Leaving No Stone Unturned: This blog is a collaboration between multiple security, threat intelligence, product, forensic, SOC, Identity & legal teams from across Microsoft. For more information refer to our dedicated Solorigate Resource Center: https://t.co/8Swnphedko.

More from Business

Vijay Patel
Vijay Patel
@vijaygajera
Sarad Pawar was a director in a shell company, which have done transaction of 7 Lakh crore in cash in UK.
Company Name was SGFX FINANCIALS CO UK LIMITED. (What could be full Name of SG? Any Guess?)
Thread


According to the UK company filing database, Mr Pawar was appointed as board member of SGFX Financials Co on 13 December 2010 and left the company on 5 January 2011. The filing also notes Mr Pawar's occupation as Minister, Government of India.

This company was incorporated on 13 December 2010 and dissolved on 27 November 2012. Nature of business was ‘Other business activities’!


There were two more directors when company was incorporated
1 is Mr Sarvesh Narendra Gade and 2nd is Mrs Shahanaz Ashraf Bharde


But when this details came out in 2015, Sarad Pawar has filed a case against this couple for using his name without his knowledge! Like really?
Please see below document, which have clearly mentioned that it was authenticated!
BUSINESS
Cem Karsan \U0001f950
Cem Karsan 🥐
@jam_croissant
1/x The window we have been targeting for 2 months has officially opened... i Can not imagine a more textbook display of the power of Vanna at expiration as we saw on Friday. The capital building was overrun by an insurrection, but all that that meant was a bigger late day rally.


2/x that ended at ATH on the close. Between Gary the 🦍 & his RVol suppression & his hand off to late day Ivol compression & the Vanna index bid, the 🐻’s never had a chance... but Gary’s getting tired after 2 months battling complacency & Vanna’s 2 week vacation, 1 of her only

3/x 2 week departures of the year (a 5 week OpEx) is quickly approaching on 1/15 morning. That means she’ll be increasingly absent as she prepares for her trip. W/ a $59 1 week straddle & $50 1 day range on Friday, & another $30 overnight drop, it’s hard to see why you wouldn’t

4/x want to take a chance on a little long gamma at this juncture. Especially given the obvious warning signs coming from the steepening of the yield curve, underperformance of the Growth complex, complacency in sentiment & positioning, anecdotal signs of bubbles in BTC & TSLA,

5/x NTM the growing exuberance surrounding a fiscal stimulus deal near $2 Trillion. The wall of worry of 3 months ago is gone. The vaccine is being deployed, the election is resolved, fiscal stimulus was passed & w/2 Georgia 🍑 🍑, ever moar 🚁💰is on the way. But what happened
BUSINESS
Advertisement
Didi Kuo
Didi Kuo
@didikuo1
The American business community is speaking with a unified voice - NAM called to invoke the 25th Amendment; the Business Roundtable and Chambers of Commerce urge a peaceful transition of power; all have denounced last week's violence. What might this mean? A few implications:
1/

This isn't just PR - bad politics is bad for business. Here, the Harvard Business Review makes the business case for democracy (leading essay by

Historically, business has been a crucial ally for democracy. Mark Mizruchi shows how business helped secure democracy after WII, through organizations like the Committee for Economic Development (see also his @NiskanenCenter paper: https://t.co/xoqUUN1nCD)

3/

My book examines how business groups formed to lobby against patronage and corruption, and in favor of institutional reform, in the 19th c. (https://t.co/FnNhZUupBG)

For a summary of business’s role in American democracy over the 20th century, see

Today, corporations are cutting off PAC $$ — Wall St banks (JPMorgan Chase, Goldman Sachs, CitiGroup), big tech (Microsoft, Facebook). Many more corps have suspended donations to members of Congress who contested the certification of election results last week
5/
BUSINESS
Pat Oshaw
Pat Oshaw
@ptoshee
This is a GREAT argument to pull up when talking to people about minimum wage. Some others nested below


A large number of new jobs being created are minimum to low wage, so looking for a new job generally won’t increase pay.

Raising minimum wage helps things not directly related.

Helps Infant mortality? Yup.

Lowers Suicide? Yup.

Reduce smoking rates? You bet.

It also boosts the local economy! Minimum to low wage earners spend more % of their money, so an increase means more is spent, often in community!

Low paying jobs are often in sectors which would gain from this. More people spending money in your shop makes your business more money! Now you have more profits and increased labor costs are covered.
BUSINESS
Romeen Sheth
Romeen Sheth
@RomeenSheth
I love Twitter.

It’s truly the Town Square of the Internet.

But finding the diamond in the rough voices can be tough.

Here are 20 of my favorite people to follow:

1. Alex Lieberman - @businessbarista

Alex writes extensively about the Founder journey.

The cool part is he’s lived everything he talks about - starting from $0 and selling for $75M with hardly any outside capital raised.

My favorite piece:


2. Ryan Breslow - @ryantakesoff

Ryan is a Top 1% founder.

This guy is a machine - he’s built 2 unicorns before the age of 27.

Ryan spells out lessons on fundraising, operating and scaling.

My favorite piece:


3. Jesse Pujji - @jspujji

Jesse is who I think of when I think “bootstrapping.”

He bootstrapped his company to an 8-figure exit and now shares stories about other awesome bootstrappers.

He’s also got great insight into all things growth marketing:


4. Post Market - @Post_Market

Post puts out some of the most thoughtful investment insights on this platform.

It’s refreshing because Post cuts through the hype and goes deep into the business model.

Idk who he/she/it is, but the insights are 💣.
BUSINESS

You May Also Like

Anu Satheesh
Anu Satheesh
@AnuSatheesh5
Beautiful story of Shri Krishna, Mata Rukmini & Satyabhama which teaches the importance of Bhakthi.
Devotion is important than anything.
#bhakthi
🕉
Satyabhama, royal princess was very proud of herself. Rukmini was very humble, her devotion was pure to Shri Krishna.


One day, Rishi Narada( Kalahapriya) arrived in Dwaraka and met Sathyabhama. In between the conversation he hinted that Krishna exhibits affection more to Rukmini than her. Worried Sathyabhama asked what can should be done to gain Krishna's undivided attention.
@SriramKannan77


Narada asked Satyabhama to make a vow, that she will hand over Krishna to him as a slave, if she cannot trade wealth equivalent to Krishna's weight. Narada thus convinces Sathyabhama that Krishna will admire her for sacrificing all her wealth for him.


Sathyabhama was sure that she have enough wealth to balance Krishna.

She went to Krishna and told about her vow to Narada. Krishna patiently listened to her and accepted the challenge. Satyabhama arranged to bring large scales to weigh and brought all her precious jewels.


Krishna patiently sat on one plate of the Scales (tula). Sathyabhama started piling up the gold, jewels on the other plate. She kept adding more and more wealth, but the pan with Krishna did not even budge. Even after keeping all her jewels the scale did not move a little
RELIGION
SK
SK
@sk_diary1
A #story from #Thiruvilayadal puranam- one of divine leelas of Bhagwan Shiva

#threadseries #madurai

Koodal Kaandam

Story 21 - it is about how stone elephant came to life and ate sugarcane - When Raja Abhisheka Pandyan met Ellam Valla Siddhar

கல்யானைக்கு கரும்பருத்திய படலம்


Raja Abhisheka Pandiyan went ahead to meet Ellam Valla Siddhar on the premises of the temple.On seeing the arrival of Raja, people surrounding Siddhar moved back. Abhisheka Pandiyan introduced himself to Siddhar &asked about his whereabouts.Also his purpose of visit to Madurai.

Raja asked why he performed magical acts, does he expect anything from him or people of Madurai.

Siddhar laughed & replied to Raja that he was from Kasi. He had heard a lot about Madurai in Kashi.Also told that this place is a Mukti Kshetram,so he had come to stay here.

Siddhar asked Raja if he has the capability &power to give anything that he asks for. Siddhar told King that he has power to do things even if he think of it.Siddhar asked King to ask whatever he wants & it would be provided, whatever these people had asked, they were granted.


Abhisheka Pandyan was shocked to receive such a reply from Siddhar,& he decided to test the power of this Siddhar. By that time, Raja saw a person in crowd having Sugarcane.

Raja took Sugarcane from that person.
ALL
Advertisement
Jaya_Upadhyaya
Jaya_Upadhyaya
@Jayalko1
SRI CHAMPAKADHAMA SWAMY, BANNERGHATTA HILL, BENGALURU (KAR)
#bharatmandir

The shrine is dedicated to Sri Vishnu along with Devi Lakshmi and Bhoodevi.
It is built in an area full of Champaka trees.
As champaka flowers are offered to Sri Vishnu here, it is called Champakadhama.


It is believed that King Janmejaya had sarpa-dosha. To get rid of it, he took bath in the nearby pond. He emerged with a golden body and sarpa-dosha was also removed. The pond is called Swarnamukhi and believed to have curative powers.
Sri Vishnu murti was consecrated by him.


It is also believed that this forest area was the Dandakaranya where Sri Ram stayed in exile.
Some believe that the original shrine was built by Pandavas.
The pushkarni/pond is emptied once a year so that the rock at the bottom (which has image of Anjaneya) may be worshipped.
ALL
Anu Satheesh \U0001f1ee\U0001f1f3
Anu Satheesh 🇮🇳...
@AnuSatheesh5
Bhoga Lakshmi Narasimha Swamy Temple
#Devarayanadurga
#Karnatakatemples 🚩

Bhoga Yoga Narasimha Swamy Temple, Devarayanadurga is located near Tumkur of Karnataka. There are two temples are here for Narasimha Swamy, one is at the base of the hill which is Bhoga Narasimhar and 👇


the other on the top of  hill which is Yoga Narasimhar.

Bhoga Narasimha swamy Temple Prathista is said to be done by Maharshi Durvasa who did tapasya here. While doing tapasya Muni wished to bath in river Ganga and decided to travel to Ganga river bank,


At that time Ganga Devi appeared here and said she will remain here in the temple pond.

Yoga Narasimha swamy Prathista is believed to be done by Bhrama Deva who did tapasya here for many years.


Narasimhar appeared with Lakshmi Devi here to give darshan to Bhrama Deva here.

उग्रं वीरं महाविष्णुं ज्वलन्तं सर्वतोमुखम्।
नृसिंहं भीषणं भद्रं मृत्युमृत्युं नमाम्यहम् ॥

Om Shri Narasimha Murthaye Namah
🙏🕉🙏
ALL
UN Watch
UN Watch
@UNWatch
The UN just voted to condemn Israel 9 times, and the rest of the world 0.

View the resolutions and voting results here:

The resolution titled "The occupied Syrian Golan," which condemns Israel for "repressive measures" against Syrian citizens in the Golan Heights, was adopted by a vote of 151 - 2 - 14.

Israel and the U.S. voted 'No' https://t.co/HoO7oz0dwr


The resolution titled "Israeli practices affecting the human rights of the Palestinian people..." was adopted by a vote of 153 - 6 - 9.

Australia, Canada, Israel, Marshall Islands, Micronesia, and the U.S. voted 'No' https://t.co/1Ntpi7Vqab


The resolution titled "Israeli settlements in the Occupied Palestinian Territory, including East Jerusalem, and the occupied Syrian Golan" was adopted by a vote of 153 – 5 – 10.

Canada, Israel, Marshall Islands, Micronesia, and the U.S. voted 'No'
https://t.co/REumYgyRuF


The resolution titled "Applicability of the Geneva Convention... to the
Occupied Palestinian Territory..." was adopted by a vote of 154 - 5 - 8.

Canada, Israel, Marshall Islands, Micronesia, and the U.S. voted 'No'
https://t.co/xDAeS9K1kW
SOCIETY