I'm planning to write an updated homelab guide on my blog this year but I think I'm about to rebuild some parts for a new purpose 😅
It might be time to try out OpenCTI given what I do in my lab should be representative of what I do during < dayjob >. That also means I need to tear down Wazuh and configure an ELK stack instead (resource constraint). #Homelab #ELK #CTI #ThreatIntel #elasticsearch
A recent advisory from the Dutch #MIVD & #AIVD has exposed a new threat lurking within #FortiGate appliances: the #COATHANGER malware, a remote access trojan (RAT) that's as elusive as it is persistent. Here are the highlights taken from their released TLP-CLEAR advisory:
Incident response uncovered previously unpublished malware, a remote access trojan (RAT) designed specifically for Fortigate appliances.
refer to the malware as COATHANGER based on a string present in the code.
It hides itself by hooking system calls that could reveal its presence.
It survives reboots and firmware upgrades. Even fully patched FortiGate devices may therefore be infected, if they were compromised before the latest patch was applied.
high confidence that the malicious activity was conducted by a state-sponsored actor from the People’s Republic of China
The Chinese threat actor(s) scan for vulnerable edge devices at scale and gain access opportunistically, and likely introduce COATHANGER as a communication channel for select victims.
initial access occurred through exploitation of the CVE-2022-42475 vulnerability
Although this incident started with abuse of CVE-2022-42475, the COATHANGER malware could conceivably be used in combination with any present or future software vulnerability in FortiGate devices.
MIVD & AIVD refer to this RAT as COATHANGER. The name is derived from the peculiar phrase that the malware uses to encrypt the configuration on disk: ‘She took his coat and hung it up’.
Please note that second-stage malware like COATHANGER are used in tandem with a vulnerability: the malware is used for persistence to a victim network after the actor gained access.
The implant connects back periodically to a Command & Control server over SSL, providing a BusyBox reverse shell.
It hides itself by hooking most system calls that could reveal its presence, such as stat and opendir. It does so by replacing them for any process that is forced to load preload.so.
Section 3.2 of the PDF has a detailed description of how COATHANGER malware behaves and interacts.
Communication to the C2 server is done over a TLS tunnel. COATHANGER first sends the following HTTP GET request to the C2 server: GET / HTTP/2\nHost: www.google.com\n\n
The COATHANGER malware drops the following files:
/bin/smartctl or /data/bin/smartctl
/data2/.bd.key/authd
/data2/.bd.key/httpsd
/data2/.bd.key/newcli
/data2/.bd.key/preload.so
/data2/.bd.key/sh
/lib/liblog.so
Several methods have been identified to detect COATHANGER implants, and a script for automated detection was released by them HERE. These include a YARA rule, a JA3 hash, different CLI commands, file checksums and a network traffic heuristic.
Two YARA rules are provided for detection on the COATHANGER samples.
The COATHANGER implant communicates to the C2 server using TLS. This TLS connection is fingerprintable using the following JA3-hash: 339f6adf54e6076d069dcaac54fddc25
With access to the CLI of a FortiGate device, the presence of COATHANGER can be detected in three ways.
Check if the files /bin/smartctl or /data/bin/smartctl exist and inspect the timestamps of smartctl and other files in the same directory. If smartctl was modified later than the majority of other files or is not a symlink, it is likely that the smartctl binary was tampered with.
Use the following command:
fnsysctl ls -la /bin
fnsysctl ls -la /data/bin
The following command shows a list of active TCP sockets. Whenever the FortiGate device has internet access and the malware is active, the outgoing connection will appear in the results. Check the reputation of all outgoing connection IPs.
diagnose sys tcpsock
The specific version of COATHANGER that this report describes uses the process name 'httpsd' to obfuscate itself. Therefore, any suspicious outgoing connections to external IP addresses from a process called httpsd is a strong indicator of the presence of COATHANGER:
The specific version of COATHANGER that this report describes uses the process name httpsd to obfuscate itself. All active processes can be listed using the following command:
fnsysctl ps
Running the following command returns all PIDs named 'httpsd':
diagnose sys process pidof httpsd
Using the retrieved process IDs from the previous command yields process information for the processes named httpsd.
diagnose sys process dump <PID>
When the process has a GID set to 90, the device is infected with COATHANGER.
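The smartctl check and the dropped-file list above can be turned into a repeatable triage step rather than an eyeball comparison. The script below is an added example, not part of the advisory or the post: it parses the BusyBox-style `ls -la` listing that `fnsysctl ls -la /bin` and `fnsysctl ls -la /data/bin` produce (the exact format on a given FortiOS build is an assumption; adjust the regex if your output differs), flags smartctl when it is not a symlink or was modified later than the majority of its neighbours, and matches any collected paths against the file list from the advisory. The two listings embedded in it are constructed samples, not output from an infected device.

```python
import re
from datetime import datetime
from typing import NamedTuple, Optional

# File paths the MIVD/AIVD advisory lists as dropped by COATHANGER.
COATHANGER_PATHS = {
    "/bin/smartctl", "/data/bin/smartctl",
    "/data2/.bd.key/authd", "/data2/.bd.key/httpsd", "/data2/.bd.key/newcli",
    "/data2/.bd.key/preload.so", "/data2/.bd.key/sh", "/lib/liblog.so",
}

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# One BusyBox `ls -la` line: mode, links, owner, group, size, date, name [-> target].
# Assumption: FortiOS prints this layout; older files show a year, recent ones HH:MM.
LS_LINE = re.compile(
    r"^(?P<mode>[\-dlcbps][rwxsStT\-]{9})\s+\d+\s+\S+\s+\S+\s+\d+\s+"
    r"(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<tv>\d{1,2}:\d{2}|\d{4})\s+"
    r"(?P<name>.+?)(?: -> (?P<target>.+))?$")

# Constructed sample: smartctl replaced by a fresh regular file among old symlinks.
SAMPLE_TAMPERED = """\
total 10
drwxr-xr-x    2 root     root          4096 Mar  1  2023 .
drwxr-xr-x   18 root     root          4096 Mar  1  2023 ..
lrwxrwxrwx    1 root     root            11 Mar  1  2023 diag -> /bin/sysctl
lrwxrwxrwx    1 root     root            11 Mar  1  2023 dhcpcd -> /bin/sysctl
-rwxr-xr-x    1 root     root       1203456 Jan 12 14:20 smartctl
lrwxrwxrwx    1 root     root            11 Mar  1  2023 vpn -> /bin/sysctl
"""

# Constructed sample: smartctl is a symlink with the same age as its neighbours.
SAMPLE_CLEAN = """\
total 10
lrwxrwxrwx    1 root     root            11 Mar  1  2023 diag -> /bin/sysctl
lrwxrwxrwx    1 root     root            11 Mar  1  2023 dhcpcd -> /bin/sysctl
lrwxrwxrwx    1 root     root            11 Mar  1  2023 smartctl -> /bin/sysctl
lrwxrwxrwx    1 root     root            11 Mar  1  2023 vpn -> /bin/sysctl
"""


class Entry(NamedTuple):
    name: str
    is_symlink: bool
    mtime: datetime
    target: Optional[str]


def parse_ls_la(text: str, ref_year: int) -> list:
    """Parse an `ls -la` listing; HH:MM timestamps are assigned ref_year (the device's current year)."""
    entries = []
    for line in text.splitlines():
        m = LS_LINE.match(line)
        if not m:  # skips "total N" and anything that is not a directory entry
            continue
        if m["name"] in (".", ".."):
            continue
        tv = m["tv"]
        if ":" in tv:
            hh, mm = (int(x) for x in tv.split(":"))
            mtime = datetime(ref_year, MONTHS[m["mon"]], int(m["day"]), hh, mm)
        else:
            mtime = datetime(int(tv), MONTHS[m["mon"]], int(m["day"]))
        entries.append(Entry(m["name"], m["mode"][0] == "l", mtime, m["target"]))
    return entries


def check_smartctl(entries: list) -> dict:
    """Advisory heuristic: smartctl is suspicious if it is not a symlink or is newer than most other entries."""
    target = next((e for e in entries if e.name == "smartctl"), None)
    if target is None:
        return {"present": False, "suspicious": False, "reasons": []}
    reasons = []
    if not target.is_symlink:
        reasons.append("smartctl is a regular file, not a symlink")
    others = [e for e in entries if e.name != "smartctl"]
    older = sum(1 for e in others if e.mtime < target.mtime)
    if others and older > len(others) / 2:
        reasons.append(f"smartctl modified later than {older} of {len(others)} other entries")
    return {"present": True, "suspicious": bool(reasons), "reasons": reasons}


def match_ioc_paths(paths) -> list:
    """Return the subset of observed paths that appear in the advisory's dropped-file list."""
    return sorted(p for p in paths if p in COATHANGER_PATHS)


if __name__ == "__main__":
    for label, listing in (("tampered", SAMPLE_TAMPERED), ("clean", SAMPLE_CLEAN)):
        print(label, check_smartctl(parse_ls_la(listing, ref_year=2024)))
    print(match_ioc_paths(["/data2/.bd.key/httpsd", "/bin/ls", "/lib/liblog.so"]))
```

The timestamp heuristic is only as good as the reference year you pass in, so take it from the device clock, and treat a hit as a reason to continue with the tcpsock and process dump checks rather than as a verdict on its own.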
Remember when we all migrated here for greener pastures? It feels like it was just last year but time has flown. I never really did an intro post, and at this point I’m too afraid to ask lol. Either way, here it goes!
If you’re just now seeing my toots, welcome. If you’ve been around, then it’s great to have you here! I go by many names but we’ll stick to trojan foxtrot here because it’s just easier.
My background is all over the place but right now it’s intelligence and cybersecurity, and has been for a good chunk of life. Most of my free time is spent either wrenching on cars, traveling with my family, or reading just about anything related to cognitive psychology, intelligence analysis, human thinking, and self-development.
I’m also a veteran. I served from 2008-2020 across two branches and two career fields. The latter half of my military career was spent in military intelligence. I guess that makes me an IC veteran as well but who’s keeping track, right? Over the years, I’ve concentrated my specialization in the field of intelligence. Having been an IC all-source analyst really shifted my career into the direction of cyber threat intelligence. I often talk about making that transition, and the mental switch that’ll smoothen it out.
I don’t like to consider myself well-read, but I can definitely hold my own across many topics of discussion, and I know my limits of my knowledge. I’m not embarrassed to say I don’t know about something because it creates a learning opportunity for me. I think that makes conversation so much more fulfilling and enriching.
I like to talk about anything but I try to keep it security focused or intelligence focused here. Sometimes that doesn’t always work and I’ll occasionally shitpost. Either way, you are free to keep scrolling on by or engage!
Anyway, if you made it all the way to the end of this boring and unexciting introduction, I hope you figure out what my name means. If not, check out my bio!
Proofpoint Threat Research recently identified a campaign with emails from various senders that included subjects such as “RFQ”. They contained a OneDrive URL that triggered the download of a VHD when clicked. The campaign began on 1/17 and continued through 1/18 to include over 1,300 messages.
I’m looking to hire a Principal Threat Intelligence Analyst here at @huntress . You’ll get to build a new program focused on the small business space (those that fall below the cybersecurity poverty line). Please feel free to reach out to me if you have questions or think you might be a good fit:
New @FortiGuardLabs Outbreak Alert: Adobe ColdFusion Access Control Bypass Attack (Critical-level detections in the wild) ⮕ ftnt.net/61103ryCs3
FortiGuard Labs observed a critical level of continued attacks on Adobe ColdFusion with IPS detections reaching up to 50,000+ unique detections. Users of Adobe ColdFusion are advised to apply patches as per vendor guidelines as soon as possible to mitigate any risk completely, if not already done.
Hi, Mastodon, I’m a Sr. Security Engineer with more than 15 years of experience building reliable telecommunication infrastructure at global scale.
I’m looking for work in one of these domains.
Cyber Threat Intelligence (CTI)
Detection Engineering
Jr. Software Engineering
Pre-sales engineer (B2B SaaS)
The FortiGuard Labs team recently analyzed the new #ransomware group, #Rhysida, and found that it attacks Windows machines through VPN devices and RDP, and is targeting industries such as education and manufacturing. 📚 🦾
I finally had time to finish Applied Network Defense course Practical Packet Analysis by Chris Sanders and I can wholeheartedly recommend it to everyone involved in security forensic investigations for the purpose of both incident response and threat intelligence.
I picked the course mainly because through my career I dealt mostly with host indicators and forensic artifacts and wanted to make sure that I'm equally capable on the network side of things. And the course definitely delivers with clear explanation of underlying protocols and network operations as well as effective work with packet analysis tooling that prepares for wide range of scenarios. Even more importantly, the totality of skills that you will get from lectures and lab exercises provides a baseline that can be applied to any network data analysis situation, not just examples presented - and this is particularly important for security practitioners.
Besides listening to loads of cool talks, #hacklu is also about what the name implies - a bunch of hackers getting together hacking away at stuff. Huge shoutout to https://infosec.exchange/@aaronkaplan and @mokaddem for the past 2 days, we have something really cool coming to @misp #cti
The agenda for this year's @firstdotorg Cyber Threat Intelligence Conference looks super impressive. I'm really proud and humbled to be part of this line-up and it motivates me to work even harder on my presentation. Hope you will find my breakdown of how OSINT sources can be not so open and what to do about it useful.
As with every event equally to the content I'm looking forward to catching up with friends and meeting new ones :) Feel free to ping me in the meantime if you would like to meet and chat onsite. #FIRSTCTI23 #threatintelligence #CTI https://www.first.org/conference/berlin2023/program