@jehna That's what I've heard it used as. But someone can be a breaker in a blue team (testing rules and security controls being built) and a builder in a red team (creating C2 infrastructure, building red team tools, purple teaming/assisting the blue team/client on how to fix issues found)
@jehna Most likely: do you "build" security infrastructure/tools (SOC, endpoint detection, etc.) vs "break" into the security systems (pentesting, malware/red team tool developer, maybe risk assessment)

Excited to share my latest research about the #ViceSociety #Ransomware group and the growing #threat of custom-branded ransomware! 🔥

A thread 🧵

The #PolyVice ransomware variant used by the Vice Society group has a robust encryption scheme using #NTRUEncrypt and ChaCha20-Poly1305 algorithms.

We examine the connections between the Vice Society payload and other ransomware strains and variants.
Our analysis reveals that the codebase for the PolyVice variant has been used to build custom-branded payloads for other threat groups as well.

This is significant because it suggests that the Vice Society group is not developing their own ransomware payloads, but rather outsourcing its development.

One of the most rewarding parts was diving into the reversing process and trying to understand the logic of the PolyVice variant's code.

It's an interesting locker implementation.

More juicy details here 👇

https://www.sentinelone.com/labs/custom-branded-ransomware-the-vice-society-group-and-the-threat-of-outsourced-development/

Custom-Branded Ransomware: The Vice Society Group and the Threat of Outsourced Development

New PolyVice ransomware is likely in use by multiple threat actors building re-branded payloads with the same custom encryption scheme.

SentinelOne
Good morning to everyone 🌞
Today is a great day to turn on 2FA
@malanalysis I completely agree that a VPN would get around it, but unless you're using a split VPN, which I don't think is easy to set up on most phones, you have to deal with all of your traffic going through the tunnel. A normal user doesn't want to have to turn it off when a website like Netflix blocks the VPN's IP, or they are forced to do a CAPTCHA every time they do a Google search. Plus other issues like having to change default languages when a website thinks you speak German because that's what you've set your IP to.
@malanalysis Interesting thought, but I doubt most of TikTok's users would want to go through the trouble of setting up a VPN just for the one app. If TikTok gets banned, the only viable alternative currently is YouTube Shorts, which would provide a lot more user data to Google

Yesterday's Linux DFIR command line trivia asked what you can do to escalate privilege if you have sudo access to the vim text editor. The constraints are that shell escapes are disabled (see the "noexec" option to sudo) and your final privilege escalation path must not use sudo (because logging, y'all). Several people checked in with good ideas!

@steve and @millert (who knows a little something about sudo-- look it up) jumped in with a classic. Simply edit /etc/passwd and make your regular account UID 0 (or make yourself a new UID 0 account you can su into). Any account with UID 0 has root privs. You will need to log out and log back in again after making this change.

@millert and @timb_machine suggested setting up a root cron job to execute whatever commands you want-- just drop a new script into /etc/cron.hourly. For example, you could run commands as root to give you a set-UID copy of the shell:

cp /bin/bash /tmp/evil-bash
chown root:root /tmp/evil-bash
chmod 4555 /tmp/evil-bash

@rkervell went for editing a file like /etc/ld.so.conf and setting up an LD_PRELOAD-style rootkit. Google "Linux LD_PRELOAD rootkit" for more background and some working examples.

@timb_machine checked in with a bunch of good ideas. For example, adding your own SSH public key to /root/.ssh/authorized_keys. You might also need to modify the "PermitRootLogin" setting in /etc/ssh/sshd_config, but once you have your key in authorized_keys you should be able to HUP the SSH server remotely to pick up the config change.

He also suggested making changes to other start-up files for the root user. For example, /root/.bashrc, which will execute on every root shell execution (like the commands suggested for the evil cron job above). You might have to wait a bit for this to trigger though.

Tim also suggested using vim to overwrite an existing set-UID binary. For example, once you run "sudo vim" you could:

:r /bin/bash
:w! /usr/bin/chfn
:q

Then you should be able to execute "/usr/bin/chfn -p" and get your root shell.

That's a bunch of good ideas so far. One other idea I can think of is to modify the system PAM configuration. I'd have to fully research this idea, but you should be able to modify /etc/pam.d/su to remove the authentication requirement.

So the takeaway here is never give anybody root access to a text editor. Even if they don't directly shell escape, there's a lot of evil they can do!

#Linux #DFIR #CommandLine #Trivia
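An added example, not part of the post above and not written by any of the people it credits: a small triage script that checks for the persistence paths the thread lists (extra UID 0 accounts, dropped set-UID shells, an overwritten set-UID binary, new cron drop-ins, ld.so.preload entries, root authorized_keys). Each check is a function that takes the artifact's path as an argument, so the same script runs against a live host ("/") or a mounted evidence image; the /mnt/evidence path and the file names in the comments are assumptions, not from the post.

```shell
#!/bin/sh
# Triage helpers for the "sudo vim" persistence paths discussed above.
# Every function takes the file or directory to inspect, so the checks work
# against a live host ("/") or a mounted image (e.g. "/mnt/evidence", assumed).

# /etc/passwd edit: any account with UID 0 that is not literally "root".
extra_uid0_accounts() {            # extra_uid0_accounts <passwd-file>
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Dropped set-UID shell copies: set-UID regular files under the given
# directories (-xdev keeps find from crossing into other mounts).
setuid_files() {                   # setuid_files <dir>...
    find "$@" -xdev -type f -perm -4000 2>/dev/null || true
}

# Overwritten set-UID binary (the ":w! /usr/bin/chfn" trick): the file is
# byte-for-byte identical to the shell binary it was replaced with.
same_contents() {                  # same_contents <file> <reference>
    [ "$(sha256sum < "$1")" = "$(sha256sum < "$2")" ]
}

# Cron drop-in files modified within the last N days.
recent_cron_files() {              # recent_cron_files <days> <dir>...
    days="$1"; shift
    find "$@" -type f -mtime -"$days" 2>/dev/null || true
}

# LD_PRELOAD-style persistence: non-blank entries in ld.so.preload.
ld_preload_entries() {             # ld_preload_entries <ld.so.preload>
    [ -s "$1" ] || return 0
    grep -v '^[[:space:]]*$' "$1" || true
}

# Number of public keys in root's authorized_keys (0 if the file is absent).
root_key_count() {                 # root_key_count <authorized_keys>
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c -E '^(ssh-|ecdsa-|sk-)' "$1" || true
}

# Run every check against an evidence root and print the findings.
triage() {                         # triage <root>
    r="${1%/}"
    echo "== UID 0 accounts other than root =="
    extra_uid0_accounts "$r/etc/passwd"
    echo "== set-UID files in world-writable locations =="
    setuid_files "$r/tmp" "$r/var/tmp" "$r/dev/shm"
    echo "== set-UID binaries identical to bash =="
    for f in $(setuid_files "$r/bin" "$r/usr/bin" "$r/usr/sbin"); do
        same_contents "$f" "$r/bin/bash" && echo "$f"
    done
    echo "== cron drop-ins modified in the last 7 days =="
    recent_cron_files 7 "$r/etc/cron.d" "$r/etc/cron.hourly" "$r/etc/cron.daily"
    echo "== /etc/ld.so.preload entries =="
    ld_preload_entries "$r/etc/ld.so.preload"
    echo "== keys in /root/.ssh/authorized_keys =="
    root_key_count "$r/root/.ssh/authorized_keys"
}

# Usage:  sh triage.sh /               (live host)
#         sh triage.sh /mnt/evidence   (mounted image, path assumed)
if [ -n "${1:-}" ]; then
    triage "$1"
fi
```

The hash comparison only catches a set-UID binary that was replaced with an exact copy of bash; on a live packaged system, `debsums -c` (Debian) or `rpm -Va` (RPM) is the more general check, since it verifies every packaged file, including /etc/pam.d/su, against the package database. A suspicious sudo log entry for vim is the obvious starting point for any of these checks; the sudo noexec option stops the shell escape, not the file write.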

@smeg I know absolutely nothing about S3 but ChatGPT seems to think adding --recursive to that command would fix it
@MrMeritology If I was a teacher, I'd have a hard time telling that apart from any other student's essays. Wonder what's going to happen once all school essays can be completed by copy-pasting the prompt into an AI
Can't wait to see if ChatGPT passes a blind turing test