BC BUSINESS
Saved by @Mollyycolllinss

As part of our commitment to keeping our customers/community protected & informed, we are releasing a blog that shines light on transition between Stage 1 and 2 of #Solorigate/#SUNBURST campaign, custom Cobalt Strike loaders, post-exploit. artifacts, IOCs: https://t.co/b0ReHMa63u

 Here are some highlights:
The missing link between the Solorigate backdoor and the custom #CobaltStrike loaders observed during the #Solorigate is an Image File Execution Options (IFEO) Debugger registry value created for the legitimate process dllhost.exe (ATT&CK ID: T1546.012).
Once the registry value is created, the attackers wait for the occasional execution of dllhost.exe, which might happen naturally on a system. This execution triggers a process launch of wscript.exe configured to run the VBScript file dropped by the SolarWinds backdoor (Stage 1).
The VBScript in turn runs rundll32.exe, activating the Cobalt Strike loader DLL using a clean parent/child process tree completely disconnected from the SolarWinds process. Finally, the VBScript removes the previously created IFEO value to clean up any traces of execution.
On the custom Cobalt Strike Loaders: we identified several second-stage malware, including TEARDROP, Raindrop, and other custom loaders for the Cobalt Strike beacon. During the lateral movement phase, the custom loader DLLs are dropped mostly in existing Windows sub-directories.
#TEARDROP, #Raindrop, and the other custom Cobalt Strike Beacon loaders observed are likely generated using custom Artifact Kit templates. Each custom loader loads either a Beacon Reflective Loader or a preliminary loader that subsequently loads the Beacon Reflective Loader.
The TEARDROP variants have an export that contains the trigger for the malicious code (executed in a new thread created by the export). The malicious code attempts to open a .jpg file (festive_computer.jpg, upbeat_anxiety.jpg, gracious_truth.jpg, confident_promotion.jpg, etc.).
Next, TEARDROP proceeds to decode & subsequently execute an embedded custom preliminary loader (likely generated using a Cobalt Strike Artifact Kit template e.g., bypass-pipe.c). In its true form, the preliminary loader is a DLL that has been transformed & loaded like shellcode.
We came across additional custom loaders for Cobalt Strike’s Beacon that unlike TEARDROP, in which the malicious code is triggered by an export function, the malicious code in these variants is triggered directly from the DLL’s entry point.
Variant 2 custom loaders also contain an attacker-introduced export (using varying names) whose only purpose is to call the Sleep() function every minute.
Additionally, unlike TEARDROP, these variants do not contain a custom preliminary loader, meaning the loader DLL de-obfuscates and subsequently executes the Cobalt Strike Reflective DLL in memory.
These custom loaders can be divided into two types:
Type A: Decodes/Loads CS's RL from the DLL’s DATA section (detected as Trojan:Win64/Solorigate.SC!dha)
Type B: De-obfuscates/Loads RL from the DLL’s CODE section (aka #Raindrop, detected as Trojan:Win64/Solorigate.SB!dha).
Some observations:
The custom loader DLLs were introduced to compromised systems between the hours of 8:00 AM and 5:00 PM UTC. In one intrusion, the first 2nd stage custom loader (TEARDROP) was introduced to the environment by SolarWinds.BusinessLayerHost.exe at ~ 10:00 AM UTC.
The custom loader DLLs dropped on disk carried compile timestamps ranging from July 2020 to October 2020, while the embedded reflective DLLs carried compile timestamps ranging from March 2016 to November 2017. (synthetic compile timestamps via custom Malleable C2 profiles?)
2020? The actor did not timestamp the compile time of the custom loader DLLs? Forensic analysis of compromised systems revealed that in a few cases, the timestamp of the custom loader DLLs’ introduction to systems predated the compile timestamps of the custom loader DLLs...
Most custom loader DLLs were configured with PE version information that masquerades version information belonging to legitimate applications and files from Windows (e.g., NETSETUPSVC.DLL), 7-Zip (e.g., 7z.dll), Far Manager (e.g., Far.dll), LibIntl (e.g., libintl3.dll), etc.
Certain development artifacts were left behind in the custom loader samples. e.g. the following C++ header (.hpp) path was observed in a loader compiled from a modified Far Manager source code: c:\build\workspace\cobalt_cryptor_far (dev071)\farmanager\far\platform.concurrency.hpp
Most Beacon and Reflective Loader instances discovered during our investigation were configured with a unique C2 domain name, unique Watermark ID, unique PE compile timestamp, PE Original Name (), DNS Idle IP, User-Agent , HTTP POST/GET transaction URI, sleep time & jitter factor
Each Beacon instance carries a unique Watermark value. Analysis of the Watermark values revealed that all Watermark values start with the number ‘3’.
The post-exploitation related artifacts, TTPs and MITRE ATT&CK techniques (an extensive list) are best covered/described under the "Additional attacker tactics, anti-forensic behavior, and operational security" section of the blog: https://t.co/b0ReHMrGV2
Leaving No Stone Unturned: This blog is a collaboration between multiple security, threat intelligence, product, forensic, SOC, Identity & legal teams from across Microsoft. For more information refer to our dedicated Solorigate Resource Center: https://t.co/8Swnphedko.

More from Business

Lillian Li
Lillian Li
@lillianmli
1) Let's talk about how Alibaba has achieved the holy grail of big data - a holistic view of the consumer - through a plethora of product offerings and investment.

This is their overarching moat. And Amazon's got nothing on them.

2) To the outsider, Alibaba's product range is confusing af. It's all over the place and there seems to be no core competency they are focusing on.

A few divisions - Taobao (B2C marketplace), Tmall (High-end B2C marketplace), Alibaba (B2B marketplace, Cainiu(logistics)..

3) ...Elema (Food delivery), Autonavi (maps), Youku (streaming) and Feizhu(travel booking)

Also the promotional strategy is weird, In the lead-up to singles day, half the time they were promoting some cat rearing in-app mini game.

Wtf?

4) When we view Alibaba's strategy as working to create a full view of a consumer's life, including their preferences, social network and spending capacity (and ability). Then everything starts to make sense.

4) Whether a consumer buys on Tmall or Taobao tells Ali about their preferences and budget, delivery address for packages and food lets Ali know where they live and where they work (also cross-referenced with property data to infer wealth level + occupation).
BUSINESS , BUSNIESS
George Yury Revutsky
George Yury Revutsky
@george_revutsky
1/An interesting thing happened tonight. I was scrolling through clubhouse and found WileyCEO, Godfather of Grime (kicked off Twitter in July for antisemitic tweets) speaking. So I tweeted this (and included a screen shot, later deleted as I found out TOS don't allow it ...


2/ ... and several folks also asked me to remove it which I promptly did afterwards).... Coming into the CH room, I fully intended to confront him about how hurtful his comments in July were. But as I listened to the folks in the room, I decided to go a different direction ....

3/ the conversation jumped around, covered many topics and there were between 8-14 people up on stage. But a recurring thread was discussion of racism, bigotry, comparison of it in the US vs UK vs elsewhere.

4/ when I got a chance to speak, I had 5 bullets written down: a) we should harness technology and capitalism to make reparations for what America did to Black people. I gave https://t.co/SlrW8zCd58 (a project a couple friends co-started) as an example) ...

5/ b) capitalism and product know-how and technology can be harnessed for social justice c) historically oppressed minorities need to stick together and lastly, d) "Wiley, how could you say such hurtful things about Jews as a people?" That's what I had ready to say, anyway.
BUSINESS
Advertisement
Vijay Patel
Vijay Patel
@vijaygajera
Sarad Pawar was a director in a shell company, which have done transaction of 7 Lakh crore in cash in UK.
Company Name was SGFX FINANCIALS CO UK LIMITED. (What could be full Name of SG? Any Guess?)
Thread


According to the UK company filing database, Mr Pawar was appointed as board member of SGFX Financials Co on 13 December 2010 and left the company on 5 January 2011. The filing also notes Mr Pawar's occupation as Minister, Government of India.

This company was incorporated on 13 December 2010 and dissolved on 27 November 2012. Nature of business was ‘Other business activities’!


There were two more directors when company was incorporated
1 is Mr Sarvesh Narendra Gade and 2nd is Mrs Shahanaz Ashraf Bharde


But when this details came out in 2015, Sarad Pawar has filed a case against this couple for using his name without his knowledge! Like really?
Please see below document, which have clearly mentioned that it was authenticated!
BUSINESS
WAKE UP AUSTRALIA WAKE UP
WAKE UP AUSTRALIA WAKE...
@WakeAustralia
Facebook originally a CIA program called "LifeLog".
LifeLog, via DARPA, terminated on Feb 4th, 2004.
Facebook was launched on Feb 4th, 2004.
Many of the LifeLog team became execs at FB.
Zuckerberg is a figurehead.
CIA allowed Cambridge to help Trump win

https://t.co/enzOXDCogV


Pentagon Kills LifeLog
BUSINESS
Claire Wardle
Claire Wardle
@cward1e
The question of how TV news amplifies disinformation is often discussed but we have little concrete research on this subject. So we partnered w/ @r_macdonald & @kalevleetaru to understand how cable TV amplified Trump’s tweets. The results are interesting.

Between Jan 1 2020 and Jan 8 2021, CNN, Fox News and MSNBC spent 32 hours showing Trump’s tweets on screen, eg. blowing them up full size. This doesn’t include when anchors and correspondents mentioned things Trump had tweeted.


We then focused on the ways in which the three networks broadcast Trump’s tweets that falsely claimed the election would be fraudulent (before Nov 3) and was actually stolen (after the election).

In the weeks after the election, the cable news networks broadcast nearly three times as many Trump tweets about election fraud than they had in the nine months leading up to it. They even broadcast Trump’s old tweets after he was removed from Twitter in January.

4 points: 1) there was a drumbeat of tweets undermining the election throughout the summer. Many were broadcast & there were no labels from Twitter until middle of Sept. We need more research to understand how a foundation supporting the false narrative was laid by platforms & TV
BUSINESS

You May Also Like

Cole Escola
Cole Escola
@ColeEscola
If you know me, you know I don't like broadcasting details about my personal life on this website, but I have been getting asked why I'm not doing Christmas this year so I just wanna put this whole mess to bed. First of all, I don't agree with gay marriage... (1 of 4,625)

... full of dog food and she said, "I'm pretending this is ice cream! Treat me like a baby!" and proceeded to hump her own arm and I thought, "something tells me this isn't the real Norah Jones"... (117 of 4,625)

...cost me $7,000. I had to put it on two separate credit cards! It wasn't 'til I got to my car that I realized "that's way too expensive for one onion." But I didn't have time. Amanda Seyfried was begging to change my diaper... (1,001 of 4,625)

...another Christmas miracle. Mistletoe, stockings, sleigh bells, snow! All these things I have put up my ass. The taste of coffee... (2,974 of 4,625)

...I felt a *very* cold finger on my cheek and I turned around and I said, "Grandma?" and she goes, "Surprise, I'm alive and I work at Sears!" I said, "okay"... (3,047 of 4,625)
SOCIETY
\u0936\u094d\u0930\u0940\u092e\u093e\u0932\u0940 \u0939\u093f\u0924\u0947\u0936 \u0905\u0935\u0938\u094d\u0925\u0940
श्रीमाली हितेश अवस्थी...
@HiteshAwasthi89
#Thread
Benefits of writing SRI RAMA Jayam!!!

Writing Sri Rama Jayam is known as Likitha Japam- Writing Meditation. This gives one a complete sense of surrender to an inner conscience and peace while writing or chanting the mantras.

#Sri_Rama_Jayam #RamaNavami

Cont 👇

You can write this in any language of your choice. It is the connecting chords with the divine and your inner self.

Below are some points that we came across on the benefits :

Cont 👇

1. Vedas tell that as the sun dispels the darkness, the chanting of Rama Nama dispels all evil and obstacles of life. It is a way of liberation and salvation of human suffering.

2. When you think, that all roads are blocked to walk away from day to day problems..

Cont 👇

writing ‘Sri Ram Ram Ram’ gives you the most needed clarity of thoughts to find away out of odd situations.

3. It was told that a calmness engulfs as one indulges in writing the Sri Rama Jayam bringing in more clarity of mind, tolerance & strength to withstand obstacles in life.

4. Devotion of service of life and its varied forms is devotion to God. So there is no right or wrong way of writing this. The very thought and process to write is a connection with god and finds a inner meaning.

Cont 👇
ALL
Advertisement
Elon Musk\u2019s Meme \U0001f171\ufe0fot
Elon Musk’s Meme 🅱️ot...
@theMemesBot
Thats a gg, Satan
FUN
Vibhu Vashisth
Vibhu Vashisth
@VIBHU_Tweet
AGAMA SHASTRA:THE SCIENCE BEHIND THE MARVELS OF HINDU ARCHITECTURE

Agama Shastra is a Sanskrit word that means the manual for worship, temple building, rituals etc in Hindu Tradition.From Sanskrit,agama means handed down by tradition and Shastra means a commentary or treatise.


Therefore, Agama Shastra is a collection of ideas that drafts the rules for worship, temple construction, spirituality and rituals. It has been a guideline for many Hindus from ancient times. It's a collection of Sanskrit, Tamil and Grantha scriptures that mostly contains...


...methods of temple construction, idol creation, philosophical doctrines and meditative practices. It came into being after years of assimiliation and from a variety of sources. Some parts of it are pre-vedic while some are post-vedic.


Hindu Temples are not just temples, they are the pride and identity of Hindus. They are the symbols of Hindu unity and their religious aspirations. Temples are the places of spiritual healing and are our connection with the creator almighty.


Temples are the priceless treasure of our History, Heritage ,Art & Architecture. Architecture that mesmerises and spell bounds you. And Agama Shastra is that very text which is responsible for such a mesmerising and spell binding quality and beauty of our Hindu Temples.
ALL
\U0001f1fa\U0001f1f8I Support Our Military & Law Enforcement\U0001f1fa\U0001f1f8
🇺🇸I Support Our Milita...
@TheWiseOwl_AZ
1. There are more people added on the list of arrests and executions of famous people but no further intel is available at this time.

ARRESTS and EXECUTIONS OF FAMOUS PEOPLE 2020 UPDATED
Explanation of the latest military tribunal arrests and executions of famous people in 2020.

2. The tribunals are arresting these people in plain clothes. We saw the Obama’s arrest, although we didn’t know it was an arrest at the time. The arrest was done nonchalantly so as to not get noticed by the public.
All arrests of these famous people were done this way.

3. If the person is convicted of child sex trafficking, crimes against humanity or treason, they will be executed.
If the person arrested has evidence on someone else to help their prosecution, or is willing to help Trump, & they want to cooperate, they may be allowed to do so.

4. A sentence of execution down to life in prison may be accepted if their evidence is worth anything.
When a plea deal is done, the defendant must present evidence they have to make their sentence lighter. This information is given to the prosecution, defense, and to the judge.

5. If evidence is accepted, they are presented the plea deal. They will have to make a guilty plea to the crime with a video confession & written statement. That is how all plea deals work.

All famous people arrested were either treasonous or involved in satanic worship rituals.
CRIME