As part of our commitment to keeping our customers and community protected and informed, we are releasing a blog that sheds light on the transition between Stage 1 and Stage 2 of the #Solorigate/#SUNBURST campaign, the custom Cobalt Strike loaders, post-exploitation artifacts, and IOCs: https://t.co/b0ReHMa63u

Here are some highlights:
The missing link between the Solorigate backdoor and the custom #CobaltStrike loaders observed during the #Solorigate intrusions is an Image File Execution Options (IFEO) Debugger registry value created for the legitimate process dllhost.exe (ATT&CK ID: T1546.012).
Once the registry value is created, the attackers wait for the occasional execution of dllhost.exe, which happens naturally on a Windows system. That execution triggers a launch of wscript.exe configured to run the VBScript file dropped by the SolarWinds backdoor (Stage 1).
The VBScript in turn runs rundll32.exe, activating the Cobalt Strike loader DLL with a clean parent/child process tree completely disconnected from the SolarWinds process. Finally, the VBScript deletes the IFEO value it relied on, removing the trace of how the execution was triggered.
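As an added example (not code from the Microsoft thread or blog), the following Python reconstructs that chain from Sysmon-style telemetry. The event records are constructed; field names follow Sysmon's schema, while the host names, the VBScript and loader DLL paths and the GUID are invented. One detail worth building into the logic: an IFEO Debugger value makes Windows start the "debugger" in place of the target and append the target's original command line to it, so wscript.exe's parent is whatever tried to start dllhost.exe, and dllhost.exe shows up on wscript.exe's command line rather than as its parent.

```python
"""Reconstruct the IFEO-triggered chain from Sysmon-style telemetry.

Added example, not code from the Microsoft blog. The records below are
CONSTRUCTED to resemble Sysmon Event ID 13 (registry value set), Event ID 1
(process create) and Event ID 12 (registry delete); host names, paths and
the GUID are invented.
"""
import ntpath

IFEO_MARKER = "\\image file execution options\\"
# Interpreters and launchers that have no business being an IFEO "debugger".
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe"}

IFEO = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
EVENTS = [  # constructed sample telemetry, sorted by Time when analysed
    {"Time": 1, "Host": "ws01", "EventID": 13,
     "Image": r"C:\Program Files (x86)\SolarWinds\Orion\SolarWinds.BusinessLayerHost.exe",
     "TargetObject": IFEO + r"\dllhost.exe\Debugger",
     "Details": r"wscript.exe C:\Windows\System32\drivers\etc\trigger.vbs"},
    # Benign IFEO use on another host: Process Explorer "replacing" Task Manager.
    {"Time": 2, "Host": "ws02", "EventID": 13, "Image": r"C:\Tools\procexp64.exe",
     "TargetObject": IFEO + r"\taskmgr.exe\Debugger",
     "Details": r'"C:\Tools\procexp64.exe"'},
    # Something starts dllhost.exe; Windows launches the debugger instead and
    # appends dllhost's command line, so dllhost.exe is NOT the parent.
    {"Time": 3, "Host": "ws01", "EventID": 1,
     "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"wscript.exe C:\Windows\System32\drivers\etc\trigger.vbs "
                    r"C:\Windows\System32\dllhost.exe /Processid:{11111111-2222-3333-4444-555555555555}"},
    {"Time": 4, "Host": "ws01", "EventID": 1,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"rundll32.exe C:\Windows\SysWOW64\loader.dll,Start"},
    {"Time": 5, "Host": "ws01", "EventID": 12, "EventType": "DeleteValue",
     "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": IFEO + r"\dllhost.exe\Debugger"},
]


def _base(path):
    """Lower-cased file name of a Windows path ('' if missing)."""
    return ntpath.basename(path or "").lower()


def _first_token(cmd):
    """Executable part of a command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def _ifeo_target(target_object):
    """'...\\Image File Execution Options\\dllhost.exe\\Debugger' -> 'dllhost.exe'."""
    low = target_object.lower()
    if IFEO_MARKER not in low or not low.endswith("\\debugger"):
        return None
    return low.split(IFEO_MARKER, 1)[1].rsplit("\\", 1)[0]


def _severity(f):
    if f["exercised"] and (f["script_host"] or f["value_deleted"]):
        return "high"      # value fired and either a script host ran or it was cleaned up
    if f["exercised"] or f["script_host"]:
        return "medium"
    return "low"           # set but never exercised, non-script debugger


def analyze(events):
    """Return {(host, target_exe): finding} for every IFEO Debugger value seen."""
    findings = {}
    for ev in sorted(events, key=lambda e: e["Time"]):
        host, eid = ev["Host"], ev["EventID"]
        if eid == 13:
            target = _ifeo_target(ev["TargetObject"])
            if target:
                debugger = _base(_first_token(ev["Details"]))
                findings[(host, target)] = {
                    "target": target, "debugger": debugger, "set_by": _base(ev["Image"]),
                    "script_host": debugger in SCRIPT_HOSTS,
                    "exercised": False, "value_deleted": False, "chain": []}
        elif eid == 1:
            image, parent = _base(ev["Image"]), _base(ev.get("ParentImage"))
            cmd = ev.get("CommandLine", "")
            for (h, target), f in findings.items():
                if h != host:
                    continue
                # The debugger runs with the target's command line appended.
                if image == f["debugger"] and target in cmd.lower():
                    f["exercised"] = True
                    f["chain"].append(f"{parent} -> {image} [{cmd}]")
                # Follow the debugger's own children (wscript.exe -> rundll32.exe).
                elif f["exercised"] and parent == f["debugger"]:
                    f["chain"].append(f"{parent} -> {image} [{cmd}]")
        elif eid == 12 and ev.get("EventType") == "DeleteValue":
            target = _ifeo_target(ev["TargetObject"])
            if (host, target) in findings:
                findings[(host, target)]["value_deleted"] = True
    for f in findings.values():
        f["severity"] = _severity(f)
    return findings


if __name__ == "__main__":
    for key, f in analyze(EVENTS).items():
        print(key, f["severity"], f["chain"])
```

The benign Process Explorer entry stays at "low" because it is never exercised and its debugger is not a script host; the dllhost.exe entry reaches "high" because a script host fired and the value was deleted afterwards. A hunt that keys only on "parent process is dllhost.exe" would miss this chain entirely.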
On the custom Cobalt Strike loaders: we identified several second-stage malware families, including TEARDROP, Raindrop, and other custom loaders for the Cobalt Strike Beacon. During the lateral movement phase, the custom loader DLLs are dropped mostly into existing Windows sub-directories.
#TEARDROP, #Raindrop, and the other custom Cobalt Strike Beacon loaders observed were likely generated using custom Artifact Kit templates. Each custom loader loads either a Beacon Reflective Loader directly or a preliminary loader that subsequently loads the Beacon Reflective Loader.
The TEARDROP variants have an export that contains the trigger for the malicious code, which runs in a new thread created by the export. The malicious code first attempts to open a .jpg file (festive_computer.jpg, upbeat_anxiety.jpg, gracious_truth.jpg, confident_promotion.jpg, etc.).
Next, TEARDROP decodes and then executes an embedded custom preliminary loader (likely generated from a Cobalt Strike Artifact Kit template, e.g., bypass-pipe.c). In its true form, the preliminary loader is a DLL that has been transformed into, and is loaded like, shellcode.
We also came across additional custom loaders for Cobalt Strike's Beacon ("Variant 2"). Unlike TEARDROP, where the malicious code is triggered by an export function, these variants trigger the malicious code directly from the DLL's entry point.
Variant 2 custom loaders also contain an attacker-introduced export (under varying names) whose only purpose is to call the Sleep() function every minute.
Additionally, unlike TEARDROP, these variants do not contain a custom preliminary loader: the loader DLL itself de-obfuscates and then executes the Cobalt Strike Reflective DLL in memory.
These custom loaders can be divided into two types:
Type A: decodes and loads Cobalt Strike's Reflective Loader from the DLL's DATA section (detected as Trojan:Win64/Solorigate.SC!dha).
Type B: de-obfuscates and loads the Reflective Loader from the DLL's CODE section (a.k.a. #Raindrop, detected as Trojan:Win64/Solorigate.SB!dha).
Some observations:
The custom loader DLLs were introduced to compromised systems between the hours of 8:00 AM and 5:00 PM UTC. In one intrusion, the first second-stage custom loader (TEARDROP) was introduced to the environment by SolarWinds.BusinessLayerHost.exe at approximately 10:00 AM UTC.
The custom loader DLLs dropped on disk carried compile timestamps ranging from July 2020 to October 2020, while the embedded reflective DLLs carried compile timestamps ranging from March 2016 to November 2017. (Synthetic compile timestamps, possibly set through a custom Malleable C2 profile, whose compile_time option controls that header field?)
So were the 2020 compile timestamps of the custom loader DLLs left genuine? Not always, it seems: forensic analysis of compromised systems revealed that in a few cases the time at which a custom loader DLL was introduced to a system predated the DLL's own compile timestamp, which a genuine timestamp cannot do (barring clock skew)...
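The check behind that observation, as an added example that is not part of the Microsoft thread or blog: read IMAGE_FILE_HEADER.TimeDateStamp straight from the PE header and compare it with the time the file first appeared on the host (NTFS $FILE_NAME creation time, EDR first-seen, etc.). The PE images below are constructed header-only stubs and the first-seen times are invented; the header offsets come from the PE specification.

```python
"""Compare a PE's compile timestamp with the time the file was first seen.

Added example, not from the Microsoft blog. The PE images are CONSTRUCTED
stubs (DOS header + PE signature + COFF header only) and the first-seen
times are invented.
"""
import struct
from datetime import datetime, timezone

UTC = timezone.utc


def build_stub_pe(timestamp):
    """Constructed minimal PE: just enough header for pe_compile_time()."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: NT headers start at offset 64
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 0, timestamp, 0, 0, 0, 0x2022)
    return bytes(dos) + b"PE\x00\x00" + coff


def pe_compile_time(data):
    """Return the raw TimeDateStamp (seconds since the Unix epoch) of a PE."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    # TimeDateStamp is 4 bytes into IMAGE_FILE_HEADER (after Machine, NumberOfSections),
    # which itself follows the 4-byte "PE\0\0" signature.
    return struct.unpack_from("<I", data, e_lfanew + 4 + 4)[0]


def assess(name, data, first_seen):
    """Flag the timestamp anomalies described in the thread."""
    ts = pe_compile_time(data)
    result = {"name": name, "zeroed": ts == 0, "compile_time": None,
              "postdates_first_seen": False, "days_before_first_seen": None}
    if ts:
        compiled = datetime.fromtimestamp(ts, tz=UTC)
        delta = first_seen - compiled
        result["compile_time"] = compiled.isoformat()
        result["days_before_first_seen"] = delta.days
        # A genuine compile time cannot be later than the moment the file
        # appeared on disk (barring clock skew): the field was forged.
        result["postdates_first_seen"] = delta.total_seconds() < 0
    return result


def _ts(y, m, d):
    return int(datetime(y, m, d, tzinfo=UTC).timestamp())


# CONSTRUCTED samples mirroring the pattern in the thread: a loader whose 2020
# compile stamp is later than its first-seen time, an embedded beacon with a
# 2017 stamp inside a payload seen in late 2020, and a zeroed stamp.
SAMPLES = [
    ("loader.dll (stub)", build_stub_pe(_ts(2020, 9, 15)), datetime(2020, 8, 1, tzinfo=UTC)),
    ("beacon.dll (stub)", build_stub_pe(_ts(2017, 3, 10)), datetime(2020, 12, 1, tzinfo=UTC)),
    ("zeroed.dll (stub)", build_stub_pe(0), datetime(2020, 12, 1, tzinfo=UTC)),
]


def assess_samples():
    return {name: assess(name, data, seen) for name, data, seen in SAMPLES}


if __name__ == "__main__":
    for r in assess_samples().values():
        print(r)
```

Two caveats when running this on real files: a "future" compile time is only proof of forgery relative to a trustworthy first-seen source (the $STANDARD_INFORMATION timestamps are themselves easy to stomp, $FILE_NAME and EDR/USN records less so), and binaries built with MSVC's /Brepro option carry a reproducibility hash in TimeDateStamp rather than a date, so a nonsensical value alone is not evidence of malicious intent.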
Most custom loader DLLs were configured with PE version information that masquerades as the version information of legitimate applications and files from Windows (e.g., NETSETUPSVC.DLL), 7-Zip (e.g., 7z.dll), Far Manager (e.g., Far.dll), LibIntl (e.g., libintl3.dll), etc.
Certain development artifacts were left behind in the custom loader samples. e.g. the following C++ header (.hpp) path was observed in a loader compiled from a modified Far Manager source code: c:\build\workspace\cobalt_cryptor_far (dev071)\farmanager\far\platform.concurrency.hpp
Most Beacon and Reflective Loader instances discovered during our investigation were configured with a unique C2 domain name, a unique Watermark ID, a unique PE compile timestamp, PE Original Name, DNS Idle IP, User-Agent, HTTP POST/GET transaction URI, sleep time and jitter factor.
Each Beacon instance carries a unique Watermark value. Analysis of the Watermark values revealed that all of them start with the digit '3'.
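Pulling those fields out of a Beacon is a matter of locating its XOR-encoded configuration block and walking its records. The Python below is an added example, not code from the Microsoft blog: the record layout (big-endian id, type, length, then a short, int or byte string) and the single-byte XOR keys follow the public beacon-config parsers such as 1768.py; the encoded blob it decodes is constructed here and every value in it (domain, URIs, User-Agent, watermark, DNS idle IP) is invented.

```python
"""Locate and decode a Cobalt Strike Beacon configuration block.

Added example, not from the Microsoft blog. Layout and XOR keys follow the
public beacon-config parsers (e.g. 1768.py); the sample blob is CONSTRUCTED
and every value in it is invented.
"""
import struct

XOR_KEYS = (0x2E, 0x69)                  # Cobalt Strike 4.x and 3.x respectively
MAGIC = b"\x00\x01\x00\x01\x00\x02"       # first record: id 1 (BeaconType), type short, len 2
SETTING_NAMES = {1: "BeaconType", 2: "Port", 3: "SleepTime", 4: "MaxGetSize",
                 5: "Jitter", 7: "PublicKey", 8: "C2Server", 9: "UserAgent",
                 10: "HttpPostUri", 19: "DNS_Idle", 37: "Watermark"}


def _record(idx, typ, value):
    """Encode one record: >H id, >H type (1 short, 2 int, 3 bytes), >H len, data."""
    if typ == 1:
        data = struct.pack(">H", value)
    elif typ == 2:
        data = struct.pack(">I", value)
    else:
        data = value
    return struct.pack(">HHH", idx, typ, len(data)) + data


def build_sample_blob(key=0x2E):
    """CONSTRUCTED input: an encoded config surrounded by filler bytes."""
    cfg = b"".join([
        _record(1, 1, 8),                                    # BeaconType 8 = HTTPS
        _record(2, 1, 443),
        _record(3, 2, 60000),                                # sleep time, ms
        _record(5, 1, 20),                                   # jitter, percent
        _record(8, 3, b"cdn.example.net,/ca".ljust(256, b"\0")),  # "host,get-uri"
        _record(9, 3, b"Mozilla/5.0 (Windows NT 10.0; Win64; x64)".ljust(128, b"\0")),
        _record(10, 3, b"/submit.php".ljust(64, b"\0")),
        _record(19, 2, 0x08080808),                          # DNS idle IP as an int
        _record(37, 2, 305419896),                           # watermark (0x12345678)
    ]).ljust(1024, b"\0")
    enc = bytes(b ^ key for b in cfg)
    return b"\x90" * 300 + enc + b"\xCC" * 64


def find_config(blob):
    """Try each known key; return (key, decoded bytes from the config start)."""
    for key in XOR_KEYS:
        sig = bytes(b ^ key for b in MAGIC)
        pos = blob.find(sig)
        if pos != -1:
            return key, bytes(b ^ key for b in blob[pos:])
    return None, None


def parse_config(cfg):
    """Walk records until an id of 0 (end of config)."""
    out, off = {}, 0
    while off + 6 <= len(cfg):
        idx, typ, ln = struct.unpack_from(">HHH", cfg, off)
        if idx == 0:
            break
        off += 6
        raw = cfg[off:off + ln]
        off += ln
        if typ == 1:
            val = struct.unpack(">H", raw)[0]
        elif typ == 2:
            val = struct.unpack(">I", raw)[0]
        else:
            val = raw.split(b"\0", 1)[0].decode("latin-1")
        out[SETTING_NAMES.get(idx, f"setting_{idx}")] = val
    return out


def summarize(blob):
    """Decode a blob and present the fields the thread lists; None if no config found."""
    key, cfg = find_config(blob)
    if cfg is None:
        return None
    s = parse_config(cfg)
    s["xor_key"] = key
    if "DNS_Idle" in s:
        s["DNS_Idle"] = ".".join(str(b) for b in s["DNS_Idle"].to_bytes(4, "big"))
    s["WatermarkStartsWith3"] = str(s.get("Watermark", "")).startswith("3")
    return s


if __name__ == "__main__":
    print(summarize(build_sample_blob()))
```

On real samples this runs against an unpacked Beacon (a memory dump or the decoded reflective DLL), not the outer loader, whose job is precisely to obfuscate the embedded payload. The six-byte signature search can false-positive on large inputs, so treat a parse that yields no C2Server or Watermark as a miss rather than a hit; the watermark digit check is there only because the thread records that every observed watermark started with 3.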
The post-exploitation related artifacts, TTPs and MITRE ATT&CK techniques (an extensive list) are best covered/described under the "Additional attacker tactics, anti-forensic behavior, and operational security" section of the blog: https://t.co/b0ReHMrGV2
Leaving No Stone Unturned: This blog is a collaboration between multiple security, threat intelligence, product, forensic, SOC, Identity & legal teams from across Microsoft. For more information refer to our dedicated Solorigate Resource Center: https://t.co/8Swnphedko.
