
Excited to share my latest research about the #ViceSociety #Ransomware group and the growing #threat of custom-branded ransomware! 🔥

A thread 🧡

The #PolyVice ransomware variant used by the Vice Society group has a robust encryption scheme using #NTRUEncrypt and ChaCha20-Poly1305 algorithms.

We examine the connections between the Vice Society payload and other ransomware strains and variants.
Our analysis reveals that the codebase for the PolyVice variant has been used to build custom-branded payloads for other threat groups as well.

This is significant because it suggests that the Vice Society group is not developing their own ransomware payloads, but rather outsourcing its development.

One of the most rewarding parts was diving into the reversing process and trying to understand the logic of the PolyVice variant's code.

It's an interesting locker implementation.

More juicy details here 👇

https://www.sentinelone.com/labs/custom-branded-ransomware-the-vice-society-group-and-the-threat-of-outsourced-development/

Custom-Branded Ransomware: The Vice Society Group and the Threat of Outsourced Development

New PolyVice ransomware is likely in use by multiple threat actors building re-branded payloads with the same custom encryption scheme.

Good morning to everyone 🌞
Today is a great day to turn on 2FA

Yesterday's Linux DFIR command line trivia asked what you can do to escalate privilege if you have sudo access to the vim text editor. The constraints are that shell escapes are disabled (see the "noexec" option to sudo) and your final privilege escalation path must not use sudo (because logging, y'all). Several people checked in with good ideas!

@steve and @millert (who knows a little something about sudo-- look it up) jumped in with a classic. Simply edit /etc/passwd and make your regular account UID 0 (or make yourself a new UID 0 account you can su into). Any account with UID 0 has root privs. You will need to log out and log back in again after making this change.

@millert and @timb_machine suggested setting up a root cron job to execute whatever commands you want-- just drop a new script into /etc/cron.hourly. For example, you could run commands as root to give you a set-UID copy of the shell:

cp /bin/bash /tmp/evil-bash
chown root:root /tmp/evil-bash
chmod 4555 /tmp/evil-bash

@rkervell went for editing a file like /etc/ld.so.conf and setting up an LD_PRELOAD style rootkit. Google "Linux LD_PRELOAD rootkit" for more background and some working examples.

@timb_machine checked in with a bunch of good ideas. For example, adding your own SSH public key to /root/.ssh/authorized_keys. You might also need to modify the "PermitRootLogin" setting in /etc/ssh/sshd_config, but once you have your key in authorized_keys you should be able to HUP the SSH server remotely to pick up the config change.

He also suggested making changes to other start-up files for the root user. For example, /root/.bashrc which will execute on every root shell execution (like the commands suggested for the evil cron job above). You might have to wait a bit for this to trigger though.

Tim also suggested using vim to overwrite an existing set-UID binary. For example, once you run "sudo vim" you could:

:r /bin/bash
:w! /usr/bin/chfn
:q

Then you should be able to execute "/usr/bin/chfn -p" and get your root shell.

That's a bunch of good ideas so far. One other idea I can think of is to modify the system PAM configuration. I'd have to fully research this idea, but you should be able to modify /etc/pam.d/su to remove the authentication requirement.

So the takeaway here is never give anybody root access to a text editor. Even if they don't directly shell escape, there's a lot of evil they can do!

#Linux #DFIR #CommandLine #Trivia
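
A defender-side follow-up, added here as an example and not part of the post above or its author's material: a small POSIX shell audit that looks for the artifacts each of those edits leaves behind (a second UID 0 account in /etc/passwd, a fresh drop-in under /etc/cron.hourly, a set-UID file in /tmp, an entry in /etc/ld.so.preload, keys in root's authorized_keys, and sudoers rules that grant an editor). Every check takes the file or directory as an argument, so the same functions run against a mounted evidence image as well as a live host. The function names, the 7-day window and the editor list are my assumptions, as is the --run flag.

```shell
#!/bin/sh
# Added example, not code from the original post: a read-only audit for the
# artifacts the edits described above leave behind. Each check takes the file
# or directory to inspect as $1, so the same functions run against a live
# system or against a mounted image copied for DFIR work.

# /etc/passwd edits: any account other than "root" carrying UID 0.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Cron drop-ins: regular files in a cron directory changed within the last
# N days (default 7); a freshly added script in /etc/cron.hourly shows up here.
recent_cron_dropins() {
    find "$1" -maxdepth 1 -type f -mtime -"${2:-7}" 2>/dev/null | sort
}

# Set-UID files under a directory where none belong (e.g. /tmp).
setuid_files() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Loader abuse: /etc/ld.so.preload should normally be absent or empty.
preload_entries() {
    [ -s "$1" ] && grep -v '^[[:space:]]*$' "$1"
    return 0
}

# Root SSH access: number of keys in root's authorized_keys (0 if absent).
root_authorized_key_count() {
    if [ -r "$1" ]; then
        grep -cE '^(ssh-|ecdsa-|sk-)' "$1" || true
    else
        echo 0
    fi
}

# The post's takeaway: sudoers rules that hand out an editor (comment lines
# are skipped; the editor list is an assumption, extend it for your fleet).
editor_sudo_rules() {
    grep -E '(/|[[:space:]])(vi|vim|view|nano|emacs|ed)([[:space:]]|$)' "$1" 2>/dev/null \
        | grep -vE '^[[:space:]]*#'
    return 0
}

# Run every check under a root prefix: "" or "/" for the live system,
# "/mnt/image" for a mounted evidence copy.
run_audit() {
    r=${1%/}
    echo "== UID 0 accounts other than root ==";     extra_uid0_accounts "$r/etc/passwd"
    echo "== cron.hourly files changed in 7 days =="; recent_cron_dropins "$r/etc/cron.hourly"
    echo "== set-UID files under /tmp ==";           setuid_files "$r/tmp"
    echo "== ld.so.preload entries ==";              preload_entries "$r/etc/ld.so.preload"
    echo "== keys in root's authorized_keys ==";     root_authorized_key_count "$r/root/.ssh/authorized_keys"
    echo "== sudoers rules naming an editor ==";     editor_sudo_rules "$r/etc/sudoers"
}

# Usage: sh audit.sh --run [prefix]
if [ "${1:-}" = "--run" ]; then
    run_audit "${2:-}"
fi
```

The overwritten set-UID binary case (the chfn idea above) is better caught by package verification such as rpm -V or debsums than by a permissions scan, and /etc/sudoers.d needs the same editor check as /etc/sudoers; neither is included in the block.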

Can't wait to see if ChatGPT passes a blind turing test

HO HO HO! The people have spoken!

Despite offering alternative options, you have overwhelmingly voted in favour of me breaking in, eating your food, and dumping the presents under a tree in the middle of the night.

I wonder if complex global issues aren’t best solved with a poll on social media?

#elonmusk #twitter

As a leader, I don't know of many better feelings than that of telling someone you're giving them a promotion.

#leadership #management

The author of Brute Ratel @NinjaParanoid is offering #Nighthawk samples to #BlueTeam members and vendors seeking to build detections against the strain after the samples available on #VirusTotal were removed at the request of MDSec.
#malware #infosec #threatintel

Earlier this year, I was invited down to Texas by folk who asked me: "Do you think you could teach our assorted group of blind, low vision, and neurodiverse folk about lockpicking?"

Their results were terrific. 😍👍 This video was captured that day...

https://youtu.be/2tVpNzX963g

...and we are jointly publishing it as a way of sharing this lesson plan with you all in the hopes that more classes like this can be replicated by others. 🔓

Learning Lockpicking while Blind, Divergent, and More

If you are looking for Black Friday deals in the #infosec realm, go have a look at https://github.com/0x90n/InfoSec-Black-Friday or open an issue to add to the list :)

GitHub - 0x90n/InfoSec-Black-Friday: All the deals for InfoSec related software/tools this Black Friday

Did you know: #Linux is a common gateway operating system to #Unix!

Unix is only used by evil hackers, as seen in #TheMatrix.

Don't be like Neo. Use Windows by @Microsoft