Skip to content

Blog

All Your Go Binaries are Belong to Us

The skillset of performing binary analysis may to some appear to be limited to a few undeadly souls. While it may look like a form of dark arts when someone can read data structures in a raw hex dump, it shouldn’t even qualify as a party trick. To quote @BizTheDeveloper’s mother, “…reading a hex dump is not that hard…” Now, the goal of this post is not to turn the reader into a hex dump magician. Instead, I want to show that binary analysis is all about data parsing. If you are a Go developer and are not interested in the analysis of Go binaries, this post will still have something for you. Did you know that “Go binary analysts” know if you organize your source code neatly or just dump everything into one file? In this post, we will see how we can extract some of the available hidden metadata in the binaries produced by the Go compiler. With the extracted data, we will see a few use cases including how it can be used to determine if the application uses a vulnerable dependency. The goal is to be able to perform this on “production builds” so we are targeting support for stripped binaries. This means we can’t depend on debug information or symbols that normally are included in binaries produced by the compiler. This may look like something we would need but in fact, we actually don’t. Finally, let’s limit us to only using the standard library and optionally a “golang x” package.

Read more →

December 2, 2021

New Type of Supply Chain Attack Could Put Popular Admin Tools at Risk

Research between Intezer and Checkmarx describes ChainJacking, a type of software supply chain attack that could be potentially exploited by threat actors and puts common admin tools at risk. We have identified a number of open-source Go packages that are susceptible to ChainJacking given that some of these vulnerable packages are embedded in popular admin tools. The nature of transitive trust between open-source security (OSS) makes this technique highly difficult to defend at the developer level using open-source software.

Read more →

November 16, 2021

Conducting Digital Forensics Incident Response (DFIR) on an Infected GitLab Server

GitLab servers are under attack with a now-patched critical vulnerability Earlier this week we investigated an incident that occurred on a user’s GitLab server. After the user installed a sensor on their server, an initial runtime scan was performed. An alert was immediately triggered on the execution of a malicious metasploit shellcode named gitlab.elf, which occurred a few days prior to the installation of the sensor. Several hours later another alert was triggered, this time upon the execution of an XMRig Miner. The malware was also executed several days before the sensor was installed. We notified the user and began our own investigation with the goal of understanding how the attacker got into the system and what the scope of the incident was. Consistent with our findings, news broke later that day that attackers were exploiting a GitLab unauthenticated remote code execution (RCE) vulnerability. In this post we describe the investigation process conducted by Intezer’s research and engineering teams using the runtime security sensor installed on the victim’s host.

Read more →

November 4, 2021

Exposed Prefect Workflows Could Lead to Disruptive Attacks

Introduction Workflow management platforms are powerful tools for automating and managing complex tasks. Integrating workflow platforms can help companies coordinate and ease their business processes as well as increase the productivity of their teams. When the instances are misconfigured, they can expose the systems to potential attacks and data loss. This is why it’s crucial to properly set up these instances. Companies recently learned this the hard way when misconfiguring popular open-source workflow platforms Argo and Airflow. This post will focus on misconfigurations in the Prefect workflow platform. We have identified hundreds of misconfigured Prefect instances which could be the target of disruptive attacks. By using Prefect’s web UI and API function, attackers can potentially modify and delete workflows, tasks, and agents, including the history logs of previous executions, belonging to companies with exposed instances. Disruptive attacks can cause data loss and business delays affecting teams that integrate workflows into their daily routines and the clients that depend on these workflows functioning properly. We did not find any evidence of Prefect users having their information leaked as of yet. Prefect users should verify that their instances are not exposed to the internet and enable multi-factor authentication.

Read more →

October 26, 2021

Misconfigured Airflows Leak Thousands of Credentials from Popular Services

This research refers to misconfigured Apache Airflow managed by individuals or organizations (‘users’). As a result of the misconfiguration, the credentials of users are exposed, including their own credentials to the different platforms, applications and services mentioned in this article. This article doesn’t refer to exposed credentials of the entities behind the development of the platforms, applications and services themselves. Apache Airflow is the #1 starred open-source workflows application on GitHub Workflow management platforms are an indispensable tool for automating business and IT tasks. These platforms make it easier to create, schedule and monitor workflows. They are typically hosted on the cloud to provide increased accessibility and scalability. On the flip side, misconfigured instances that allow internet-wide access make these platforms ideal candidates for exploitation by attackers.

Read more →

October 4, 2021

Teaching Capa New Tricks: Analyzing Capabilities in PE and ELF Files

Introduction When analyzing malware, one of the goals in addition to identifying what malware it is, is to understand what it does when it runs on a machine. There are multiple ways of achieving this by either manual analysis, which requires reverse engineering skills, or automated analysis. With Intezer Analyze we provide a tool that aids both advanced reverse engineers and entry-level analysts with the task of analyzing any suspicious file. Earlier this year we announced a new feature in Intezer Analyze that extracts the capabilities of a file. From the capabilities, you can map these to known Tactics, Techniques, and Procedures (TTPs). Under the hood, the functionality is powered by an open-source project from FireEye called capa. Capa analyzes Windows portable executable (PE) files and matches the findings against a rule set to determine a file’s capability. Intezer Analyze is not limited to PE files. It can also detect code reuse between Executable and Linkable Format (ELF) files. With this in mind, we wanted to provide similar information for ELF files. To achieve this, we extended capa support to ELF files and also created rules for Linux ELFs. Since capa is an open-source project, we submitted the changes to the capa project to allow not only users of Analyze to take advantage of this new functionality but also users of capa. So let’s explore how we can use these new features in Intezer Analyze when investigating both PE and ELF files.

Read more →

September 15, 2021

Vermilion Strike: Linux and Windows Re-implementation of Cobalt Strike

Key Findings Discovered Linux & Windows re-implementation of Cobalt Strike Beacon written from scratch Linux malware is fully undetected by vendors Has IoC and technical overlaps with previously discovered Windows DLL files Highly targeted with victims including telecommunications, government and finance Cobalt Strike is a popular red team tool for Windows which is also heavily used by threat actors. At the time of this writing, there is no official Cobalt Strike version for Linux.

Read more →

September 13, 2021

How to Detect Cobalt Strike

Intro Cobalt Strike is a penetration testing tool created by Raphael Mudge in 2012. To this day, it remains extremely popular in red team activities and used for malicious purposes by threat actors. Cobalt Strike is popular due to its range of deployment options, ease of use, ability to avoid detection by security products, and a number of capabilities it has. It is for these reasons that threat actors like Cobalt Strike. Since Cobalt Strike is widely used by a range of actors, its lack of exclusivity makes attribution harder. Companies still struggle to detect Cobalt Strike also due to the various defensive techniques it has.

Read more →

August 18, 2021

Guide to Digital Forensics Incident Response in the Cloud

Enterprises today rely on a wide range of cloud services—infrastructure as a service (IaaS), platform as a service (PaaS), software as a service (SaaS), and more—to meet their business needs. But the growing popularity of cloud has also led to an increase in attacks on cloud infrastructure, and thus the need for companies to develop strong security and incident response skills. Before we dive into incident response in the cloud, however, it’s important to distinguish between the responsibility of the cloud service provider (CSP) and that of the cloud consumer. According to the “shared responsibility model,” the CSP is responsible for securing the cloud, while security in the cloud falls on the customer. This means it’s the client’s job to protect their workloads (including applications, systems, and code) running on the CSP’s platform. With this responsibility placed on the customer, how they respond to an attack can have a significant impact on the mitigation of security breaches. But incidents in the cloud, such as those involving your EC2s, differ from those occurring on-premises (e.g., involving endpoints). This poses new challenges for incident response teams and requires different approaches. In this blog, we cover the differences between cloud forensics and forensics in on-premises systems. We also take a look at the incident response process for a real attack that was spotted in the wild.

Read more →

August 11, 2021

New Attacks on Kubernetes via Misconfigured Argo Workflows

Key Points Intezer has detected a new attack vector against Kubernetes (K8s) clusters via misconfigured Argo Workflows instances. Attackers are already taking advantage of this vector as we detected operators dropping cryptominers using this method in the wild. We have identified infected nodes and there is the potential for larger scale attacks due to hundreds of misconfigured deployments. We have detected exposed instances of Argo Workflows that belong to companies from different sectors including technology, finance and logistics. Argo Workflows is an open-source, container-native workflow engine designed to run on K8s clusters. Argo Workflows instances with misconfigured permissions allow threat actors to run unauthorized code on the victim’s environment. Overview Kubernetes (K8s) is revolutionizing the cloud computing environment, having become the most popular platform for container orchestration. It is also one of the most popular repositories on GitHub, with over 100,000 commits and over 3,000 contributors. Each year there is a steady increase in enterprises using Kubernetes and the number of clusters they deploy. According to the Cloud Native Computing Foundation (CNCF) 2020 survey, 91% of respondents are using Kubernetes, compared to 78% in 2019 and 58% in 2018. In the same survey, it was reported that among the top challenges of using and deploying containers were complexity, security and lack of training.

Read more →

July 20, 2021