BC BUSINESS
Saved by @Mollyycolllinss

As part of our commitment to keeping our customers/community protected & informed, we are releasing a blog that shines light on transition between Stage 1 and 2 of #Solorigate/#SUNBURST campaign, custom Cobalt Strike loaders, post-exploit. artifacts, IOCs: https://t.co/b0ReHMa63u

 Here are some highlights:
The missing link between the Solorigate backdoor and the custom #CobaltStrike loaders observed during the #Solorigate is an Image File Execution Options (IFEO) Debugger registry value created for the legitimate process dllhost.exe (ATT&CK ID: T1546.012).
Once the registry value is created, the attackers wait for the occasional execution of dllhost.exe, which might happen naturally on a system. This execution triggers a process launch of wscript.exe configured to run the VBScript file dropped by the SolarWinds backdoor (Stage 1).
The VBScript in turn runs rundll32.exe, activating the Cobalt Strike loader DLL using a clean parent/child process tree completely disconnected from the SolarWinds process. Finally, the VBScript removes the previously created IFEO value to clean up any traces of execution.
On the custom Cobalt Strike Loaders: we identified several second-stage malware, including TEARDROP, Raindrop, and other custom loaders for the Cobalt Strike beacon. During the lateral movement phase, the custom loader DLLs are dropped mostly in existing Windows sub-directories.
#TEARDROP, #Raindrop, and the other custom Cobalt Strike Beacon loaders observed are likely generated using custom Artifact Kit templates. Each custom loader loads either a Beacon Reflective Loader or a preliminary loader that subsequently loads the Beacon Reflective Loader.
The TEARDROP variants have an export that contains the trigger for the malicious code (executed in a new thread created by the export). The malicious code attempts to open a .jpg file (festive_computer.jpg, upbeat_anxiety.jpg, gracious_truth.jpg, confident_promotion.jpg, etc.).
Next, TEARDROP proceeds to decode & subsequently execute an embedded custom preliminary loader (likely generated using a Cobalt Strike Artifact Kit template e.g., bypass-pipe.c). In its true form, the preliminary loader is a DLL that has been transformed & loaded like shellcode.
We came across additional custom loaders for Cobalt Strike’s Beacon that unlike TEARDROP, in which the malicious code is triggered by an export function, the malicious code in these variants is triggered directly from the DLL’s entry point.
Variant 2 custom loaders also contain an attacker-introduced export (using varying names) whose only purpose is to call the Sleep() function every minute.
Additionally, unlike TEARDROP, these variants do not contain a custom preliminary loader, meaning the loader DLL de-obfuscates and subsequently executes the Cobalt Strike Reflective DLL in memory.
These custom loaders can be divided into two types:
Type A: Decodes/Loads CS's RL from the DLL’s DATA section (detected as Trojan:Win64/Solorigate.SC!dha)
Type B: De-obfuscates/Loads RL from the DLL’s CODE section (aka #Raindrop, detected as Trojan:Win64/Solorigate.SB!dha).
Some observations:
The custom loader DLLs were introduced to compromised systems between the hours of 8:00 AM and 5:00 PM UTC. In one intrusion, the first 2nd stage custom loader (TEARDROP) was introduced to the environment by SolarWinds.BusinessLayerHost.exe at ~ 10:00 AM UTC.
The custom loader DLLs dropped on disk carried compile timestamps ranging from July 2020 to October 2020, while the embedded reflective DLLs carried compile timestamps ranging from March 2016 to November 2017. (synthetic compile timestamps via custom Malleable C2 profiles?)
2020? The actor did not timestamp the compile time of the custom loader DLLs? Forensic analysis of compromised systems revealed that in a few cases, the timestamp of the custom loader DLLs’ introduction to systems predated the compile timestamps of the custom loader DLLs...
Most custom loader DLLs were configured with PE version information that masquerades version information belonging to legitimate applications and files from Windows (e.g., NETSETUPSVC.DLL), 7-Zip (e.g., 7z.dll), Far Manager (e.g., Far.dll), LibIntl (e.g., libintl3.dll), etc.
Certain development artifacts were left behind in the custom loader samples. e.g. the following C++ header (.hpp) path was observed in a loader compiled from a modified Far Manager source code: c:\build\workspace\cobalt_cryptor_far (dev071)\farmanager\far\platform.concurrency.hpp
Most Beacon and Reflective Loader instances discovered during our investigation were configured with a unique C2 domain name, unique Watermark ID, unique PE compile timestamp, PE Original Name (), DNS Idle IP, User-Agent , HTTP POST/GET transaction URI, sleep time & jitter factor
Each Beacon instance carries a unique Watermark value. Analysis of the Watermark values revealed that all Watermark values start with the number ‘3’.
The post-exploitation related artifacts, TTPs and MITRE ATT&CK techniques (an extensive list) are best covered/described under the "Additional attacker tactics, anti-forensic behavior, and operational security" section of the blog: https://t.co/b0ReHMrGV2
Leaving No Stone Unturned: This blog is a collaboration between multiple security, threat intelligence, product, forensic, SOC, Identity & legal teams from across Microsoft. For more information refer to our dedicated Solorigate Resource Center: https://t.co/8Swnphedko.

More from Business

Didi Kuo
Didi Kuo
@didikuo1
The American business community is speaking with a unified voice - NAM called to invoke the 25th Amendment; the Business Roundtable and Chambers of Commerce urge a peaceful transition of power; all have denounced last week's violence. What might this mean? A few implications:
1/

This isn't just PR - bad politics is bad for business. Here, the Harvard Business Review makes the business case for democracy (leading essay by

Historically, business has been a crucial ally for democracy. Mark Mizruchi shows how business helped secure democracy after WII, through organizations like the Committee for Economic Development (see also his @NiskanenCenter paper: https://t.co/xoqUUN1nCD)

3/

My book examines how business groups formed to lobby against patronage and corruption, and in favor of institutional reform, in the 19th c. (https://t.co/FnNhZUupBG)

For a summary of business’s role in American democracy over the 20th century, see

Today, corporations are cutting off PAC $$ — Wall St banks (JPMorgan Chase, Goldman Sachs, CitiGroup), big tech (Microsoft, Facebook). Many more corps have suspended donations to members of Congress who contested the certification of election results last week
5/
BUSINESS
Lillian Li
Lillian Li
@lillianmli
1) Let's talk about how Alibaba has achieved the holy grail of big data - a holistic view of the consumer - through a plethora of product offerings and investment.

This is their overarching moat. And Amazon's got nothing on them.

2) To the outsider, Alibaba's product range is confusing af. It's all over the place and there seems to be no core competency they are focusing on.

A few divisions - Taobao (B2C marketplace), Tmall (High-end B2C marketplace), Alibaba (B2B marketplace, Cainiu(logistics)..

3) ...Elema (Food delivery), Autonavi (maps), Youku (streaming) and Feizhu(travel booking)

Also the promotional strategy is weird, In the lead-up to singles day, half the time they were promoting some cat rearing in-app mini game.

Wtf?

4) When we view Alibaba's strategy as working to create a full view of a consumer's life, including their preferences, social network and spending capacity (and ability). Then everything starts to make sense.

4) Whether a consumer buys on Tmall or Taobao tells Ali about their preferences and budget, delivery address for packages and food lets Ali know where they live and where they work (also cross-referenced with property data to infer wealth level + occupation).
BUSINESS , BUSNIESS
Advertisement
Braveheart
Braveheart
@FreeedomPerson
Parler is gone, but the evidence is not. Current @Microsoft employee & fmr Snoqualmie city council candidate Kevin Ostrem (1/26) @parlertakes


Parler is gone, but the evidence is not. Current @Microsoft
employee & fmr Snoqualmie city council candidate Kevin Ostrem @parlertakes (2/26)


Parler is gone, but the evidence is not. Current @Microsoft employee & fmr Snoqualmie city council candidate Kevin Ostrem @parlertakes (3/26)


Parler is gone, but the evidence is not. Current @Microsoft employee & fmr Snoqualmie city council candidate Kevin Ostrem @parlertakes (4/26)


Parler is gone, but the evidence is not. Current @Microsoft employee & fmr Snoqualmie city council candidate Kevin Ostrem @parlertakes (5/26)
BUSINESS
Brian Feroldi
Brian Feroldi
@BrianFeroldi
I own 7 stocks that are 15+ baggers (and counting)

Here are 10 traits they all have in common:

The data:

Stock / # of bags / purchase year:

$AMZN / 15+ / 2010
$FB / 15+ / 2012
$GOOG / 15+ / 2009
$MELI / 15+ / 2011
$CMG / 20+ / 2012
$NFLX / 60+ / 2010
$TSLA / 60+ / 2012

1: Founder-led

$AMZN - Bezos
$CMG - Ells
$FB- Zuck
$GOOG - Page
$MELI- Galperin
$NFLX - Hastings
$TSLA - Musk

Founders tend to be:
+Detail oriented
+Innovative
+Mission driven
+Think long-term
+Have skin/soul in the game

Look for founders!

2: Consumer-facing

All of these companies attract millions/billions of consumers

This eliminates customer concentration risk and enables long-term brand building

3: High sales growth

All of these companies were growing revenue 20%+ BEFORE I bought them

Sales growth is the engine that drives profit growth

Profit growth is the engine that drives stock appreciation

Find companies that can grow sales 20%+ for decades
BUSINESS
Randall Hunt
Randall Hunt
@jrhunt
General Warning: don’t work for or hire @IanMmmm - he’s a zero-integrity-self-serving manipulator. He destroyed an entire org at AWS.

He’s the reason I left @awscloud. He’s not just incompetent, he’s dishonest in the extreme. You’re throwing away your career working with him.

Also, pro-tip: record every call you have with a manager that you suspect is lying to you.

Here's what happened: I lost my shit when I didn't get promoted, because I was a child. That's on me. I had worked my ass off for 3 years and Ian said that if I moved to Seattle and signed a non-compete then I would get my promotion. I did those things - I didn't get promoted.

What does losing my shit mean? I sent a message to Ian and others that said "Fuck you, I'm not moving to the depressive hell hole that is Seattle. I'm not signing a non-compete. I'm going to stop working 100 hours a week for a company that doesn't give a shit about me."

Later, I found out that Ian had never actually reached out to anyone about my promo document. He just lied. He just ignored it until the last second because he was too focused on taking credit for my work for his own promo document. He got promoted.
BUSINESS

You May Also Like

Vibhu Vashisth \U0001f1ee\U0001f1f3
Vibhu Vashisth 🇮🇳...
@VIBHU_Tweet
VEDIC COSMOLOGY, also known as Hindu Cosmology, and cosmography are both interesting and inspiring. Today’s “modern” Vedic texts originated around 3,000 B.C.E. This is the oldest scientific and the oldest religious doctrine known to the human race.


Our current astronomy of the solar system and universe has its roots in Vedic knowledge. It only shows that man had advanced knowledge of astronomy way before our current civilization came into existence.
We are here to talk about the Vedic version of the planetary system,

starting at the top from the eternal planets to the temporary planetary system within innumerable universes in the material world.

Talking about “cosmic manifestation,” we need to incorporate both spiritual and material existence.


The spiritual realm of the planets is everlasting, and this will forever be beyond what the material universe can encapsulate. The spiritual realm belongs to the “super dimensional” or “anti-material” dimension. It means that it is beyond what we can perceive,


beyond time as a linear dimension, and the space of our vision and perception.

There are innumerable planets, all indestructible and forever lasting. That is what the Vedas say about the spiritual planets. Our concentration here is more towards the material side of things.
ALL
Jeet Heer
Jeet Heer
@HeerJeet
1. Now that Stan Lee is being eulogized far and wide, it's important to remember how marginal Stan Lee and his collaborators (Jack Kirby and Steve Ditko) were in the 1950s and 1960s.

2. Marvel Comics (before that Atlas) was just a cog in the machine of a bottom pulp publisher run by Martin Goodman, the husband of one of Lee's cousins. It was the lowest of the low in the publishing world.

3. Now Mario Puzo (not yet the author of the Godfather) shared offices with Stan Lee in the 1950s and 1960s. Puzo wrote for garrish men's adventure magazines and, like Lee, dreamed of writing a novel & breaking out. But Puzo looked down on Lee.

4. Flo Steinberg, 1960s secretary at Marvel: "They were always making jokes about us. They'd come in and giggle. mario Puzo would look in and would see us all working on his way to the office and say, 'Work faster, little elves. Christmas is coming.'"

5. When JFK was killed, the whole office of Magazine Management was stunned and quiet. Except Lee. He continued working. "He was still working on the comic books," Puzo said. "Like that was the most important thing in the world."
CULTURE
Advertisement
Jaya_Upadhyaya
Jaya_Upadhyaya
@Jayalko1
SRI KUMARIAMMAN, KANYAKUMARI (TN)
#bharatmandir #navratri2021

Created by Maharshi Parasurama and also one among the 108 Shakthi Peethas in the world. The name Kanyakumari stands for Kanya(Virgin) and Kumari(girl).
Devi took this form to vanquish the demon Banasura
@GunduHuDuGa


Once, Banasura(grand son of Mahabali) obtained a boon from Shiva that he could be vanquished only by a virgin.
So, Devi took the form of a kumari and started meditating with the desire to marry Shiva at Suchindram.
Pleased Shiva fixed the midnight hour for marriage with Devi.


Devarshi Narada knew that the marriage would end the chance of killing Banasura. So, he assumed the form of a cock and crowed. Shiva returned back to Suchindram thinking that it was dawn.
Angered, Devi cursed that all food and articles meant for wedding turn into sand and shells


When Banasura heard about Devi’s beauty, he tried to take her by force. Devi, then, killed him and granted the wish of Devas to remain there always protecting them.
The murti of Devi stands with a rosary in hand. Her diamond nose-ring is said to be visible even from the sea.


Once an ancient mariner mistook it for a lighthouse and sailing towards it, his ship wrecked upon the Kanya Kumari rocks. In order to prevent such a tragedy from happening again, the eastern door of the shrine is opened only on five special occasions throughout the year.
ALL
Chris Herd
Chris Herd
@chris_herd
The 2020s will be known as the Remote Work decade

A few predictions of what is likely to emerge

[ a thread ] 💻🏠🌍

🏦Third Space: Office and Working from Home will be joined by somewhere close by that a number of people will use

Supermarkets or local bank branches should emerge as a convenient ubiquitous location option – if they are smart

⏰Asynchronous Work: Offices are instantaneous gratification distraction factories where synchronous work makes it impossible to get stuff done

Tools that enable asynchronous work are the most important thing globally remote teams need. A lot of startups will try to tackle this

⚽️Hobbie Renaissance: Remote working will lead to a rise in people participating in hobbies and activities which link them to people in their local community

This will lead to deeper, more meaningful relationships which overcome societal issues of loneliness and issolation

🚜Rural Living: World-class people will move to smaller cities, have a lower cost of living & higher quality of life

These regions must innovate quickly to attract that wealth. Better schools, faster internet connections are a must
REMOTE WORK
UN Watch
UN Watch
@UNWatch
The UN just voted to condemn Israel 9 times, and the rest of the world 0.

View the resolutions and voting results here:

The resolution titled "The occupied Syrian Golan," which condemns Israel for "repressive measures" against Syrian citizens in the Golan Heights, was adopted by a vote of 151 - 2 - 14.

Israel and the U.S. voted 'No' https://t.co/HoO7oz0dwr


The resolution titled "Israeli practices affecting the human rights of the Palestinian people..." was adopted by a vote of 153 - 6 - 9.

Australia, Canada, Israel, Marshall Islands, Micronesia, and the U.S. voted 'No' https://t.co/1Ntpi7Vqab


The resolution titled "Israeli settlements in the Occupied Palestinian Territory, including East Jerusalem, and the occupied Syrian Golan" was adopted by a vote of 153 – 5 – 10.

Canada, Israel, Marshall Islands, Micronesia, and the U.S. voted 'No'
https://t.co/REumYgyRuF


The resolution titled "Applicability of the Geneva Convention... to the
Occupied Palestinian Territory..." was adopted by a vote of 154 - 5 - 8.

Canada, Israel, Marshall Islands, Micronesia, and the U.S. voted 'No'
https://t.co/xDAeS9K1kW
SOCIETY