BC BUSINESS
Saved by @Mollyycolllinss

As part of our commitment to keeping our customers/community protected & informed, we are releasing a blog that shines light on transition between Stage 1 and 2 of #Solorigate/#SUNBURST campaign, custom Cobalt Strike loaders, post-exploit. artifacts, IOCs: https://t.co/b0ReHMa63u

 Here are some highlights:
The missing link between the Solorigate backdoor and the custom #CobaltStrike loaders observed during the #Solorigate is an Image File Execution Options (IFEO) Debugger registry value created for the legitimate process dllhost.exe (ATT&CK ID: T1546.012).
Once the registry value is created, the attackers wait for the occasional execution of dllhost.exe, which might happen naturally on a system. This execution triggers a process launch of wscript.exe configured to run the VBScript file dropped by the SolarWinds backdoor (Stage 1).
The VBScript in turn runs rundll32.exe, activating the Cobalt Strike loader DLL using a clean parent/child process tree completely disconnected from the SolarWinds process. Finally, the VBScript removes the previously created IFEO value to clean up any traces of execution.
On the custom Cobalt Strike Loaders: we identified several second-stage malware, including TEARDROP, Raindrop, and other custom loaders for the Cobalt Strike beacon. During the lateral movement phase, the custom loader DLLs are dropped mostly in existing Windows sub-directories.
#TEARDROP, #Raindrop, and the other custom Cobalt Strike Beacon loaders observed are likely generated using custom Artifact Kit templates. Each custom loader loads either a Beacon Reflective Loader or a preliminary loader that subsequently loads the Beacon Reflective Loader.
The TEARDROP variants have an export that contains the trigger for the malicious code (executed in a new thread created by the export). The malicious code attempts to open a .jpg file (festive_computer.jpg, upbeat_anxiety.jpg, gracious_truth.jpg, confident_promotion.jpg, etc.).
Next, TEARDROP proceeds to decode & subsequently execute an embedded custom preliminary loader (likely generated using a Cobalt Strike Artifact Kit template e.g., bypass-pipe.c). In its true form, the preliminary loader is a DLL that has been transformed & loaded like shellcode.
We came across additional custom loaders for Cobalt Strike’s Beacon that unlike TEARDROP, in which the malicious code is triggered by an export function, the malicious code in these variants is triggered directly from the DLL’s entry point.
Variant 2 custom loaders also contain an attacker-introduced export (using varying names) whose only purpose is to call the Sleep() function every minute.
Additionally, unlike TEARDROP, these variants do not contain a custom preliminary loader, meaning the loader DLL de-obfuscates and subsequently executes the Cobalt Strike Reflective DLL in memory.
These custom loaders can be divided into two types:
Type A: Decodes/Loads CS's RL from the DLL’s DATA section (detected as Trojan:Win64/Solorigate.SC!dha)
Type B: De-obfuscates/Loads RL from the DLL’s CODE section (aka #Raindrop, detected as Trojan:Win64/Solorigate.SB!dha).
Some observations:
The custom loader DLLs were introduced to compromised systems between the hours of 8:00 AM and 5:00 PM UTC. In one intrusion, the first 2nd stage custom loader (TEARDROP) was introduced to the environment by SolarWinds.BusinessLayerHost.exe at ~ 10:00 AM UTC.
The custom loader DLLs dropped on disk carried compile timestamps ranging from July 2020 to October 2020, while the embedded reflective DLLs carried compile timestamps ranging from March 2016 to November 2017. (synthetic compile timestamps via custom Malleable C2 profiles?)
2020? The actor did not timestamp the compile time of the custom loader DLLs? Forensic analysis of compromised systems revealed that in a few cases, the timestamp of the custom loader DLLs’ introduction to systems predated the compile timestamps of the custom loader DLLs...
Most custom loader DLLs were configured with PE version information that masquerades version information belonging to legitimate applications and files from Windows (e.g., NETSETUPSVC.DLL), 7-Zip (e.g., 7z.dll), Far Manager (e.g., Far.dll), LibIntl (e.g., libintl3.dll), etc.
Certain development artifacts were left behind in the custom loader samples. e.g. the following C++ header (.hpp) path was observed in a loader compiled from a modified Far Manager source code: c:\build\workspace\cobalt_cryptor_far (dev071)\farmanager\far\platform.concurrency.hpp
Most Beacon and Reflective Loader instances discovered during our investigation were configured with a unique C2 domain name, unique Watermark ID, unique PE compile timestamp, PE Original Name (), DNS Idle IP, User-Agent , HTTP POST/GET transaction URI, sleep time & jitter factor
Each Beacon instance carries a unique Watermark value. Analysis of the Watermark values revealed that all Watermark values start with the number ‘3’.
The post-exploitation related artifacts, TTPs and MITRE ATT&CK techniques (an extensive list) are best covered/described under the "Additional attacker tactics, anti-forensic behavior, and operational security" section of the blog: https://t.co/b0ReHMrGV2
Leaving No Stone Unturned: This blog is a collaboration between multiple security, threat intelligence, product, forensic, SOC, Identity & legal teams from across Microsoft. For more information refer to our dedicated Solorigate Resource Center: https://t.co/8Swnphedko.

More from Business

Steven Edwards
Steven Edwards
@stephenwithavee
Time for #PapersThatMakeYouGoHmmm! A weekly summary of new ML papers from arXiv that make me think one or more of:

1. That looks useful!
2. That's an interesting approach!
3. A business could be built around this!
4. How did they do that?!

Argument Schemes and Dialogue for Explainable

Neural Fitted Q Iteration based Optimal Bidding Strategy in Real Time Reactive Power

A design of human-like robust AI machines in object

Single Shot Multitask Pedestrian Detection and Behavior
BUSINESS
Zikhona Valela
Zikhona Valela
@valavoosh
Should we go into the details of these 125 years?


SA is built on the exploitation of labour. That labour has functioned on alcohol unfortunately. Very few people consume liquor purely for enjoyment unfortunately. When SAB opened its doors 1895 workers were paid in alcohol- the dop/tot system. 2 years into SAB's establishment

The Prohibition Act is introduced. This means black people are barred from buying your wines, beer etc. So SAB's products are exclusively for white people. But during this period beer brewing by Black women is the norm. Ayinxilisi ncam ke this type of beer. Apparently it had some

Nutritious elements to it. Now some of the context around drinking culture during this time is migrant labour to the mines, further land dispossession, the Anglo-Boer Wars, Rhodes corruption (our first state capture commission if you will) which leads to his resignation.

This context plays a role in how our cities and small towns are constructed, how they lead to the confinement and surveillance yabantu. Traditional beer brewing is identified as a threat because buy now mining bosses have identified that there's money to be made here.
BUSINESS
Advertisement
Peoples Gazette
Peoples Gazette
@GazetteNGR
At about 19:00 hrs local time on January 26, 2021, Peoples Gazette's website (https://t.co/wkUFy0ZN63) was hit by a coordinated disruption of service across all telecommunication networks in Nigeria.


This disruption, we are increasingly learning from top federal sources, was based on a directive, from the Nigerian government to MTN, Glo Mobile and other telecom firms, that sought an immediate blacklist of our web address as well as all other alternative domain names.

Our internal assessments and notes from our readers indicate a total restriction on our website for people connecting via MTN, Glo Mobile and Airtel, i.e.: a vast majority of Nigerian Internet users.

Since our inception, we have diligently carried out our sole duty of bringing to public awareness, the rot that exists in our public and private institutions.

We have exposed the abuse of power by government officials, agencies, and cronies; corrupt practices in the public and private sectors and flagrant abuse of human rights and the rule of law by security agencies.
BUSINESS
MandMBuildings
MandMBuildings
@MandMBuildings
Apologies for tweeting about European Land so much yesterday, but this article was a significant moment for us. For more than 3.5 years we have suffered enormously and this has mostly gone under the radar in the

2/ The Times article is the first recognition of the Reubens involvement in the cladding scandal. From the time we discovered we had ACM, European Land has refused to contribute a single penny towards the remediation. Even after their own intrusive survey showed that the missing

3/ fire breaks and flammable insulation they installed were AGAINST regulations, they still refused to contribute to fix their mistakes.

4/ To make things worse, their aggressive behaviour meant they issued S20 notices against leaseholders and started billing us for millions from as early as 2018 (two years before any remediation works had even started). They then instructed their lawyers to take actions against

5/ against leaseholders and started proceedings against us if payments of £40,000-60,000 were not made within months. The stress and misery this caused us we will never forget or forgive.
BUSINESS
Brian Feroldi
Brian Feroldi
@BrianFeroldi
I own 7 stocks that are 15+ baggers (and counting)

Here are 10 traits they all have in common:

The data:

Stock / # of bags / purchase year:

$AMZN / 15+ / 2010
$FB / 15+ / 2012
$GOOG / 15+ / 2009
$MELI / 15+ / 2011
$CMG / 20+ / 2012
$NFLX / 60+ / 2010
$TSLA / 60+ / 2012

1: Founder-led

$AMZN - Bezos
$CMG - Ells
$FB- Zuck
$GOOG - Page
$MELI- Galperin
$NFLX - Hastings
$TSLA - Musk

Founders tend to be:
+Detail oriented
+Innovative
+Mission driven
+Think long-term
+Have skin/soul in the game

Look for founders!

2: Consumer-facing

All of these companies attract millions/billions of consumers

This eliminates customer concentration risk and enables long-term brand building

3: High sales growth

All of these companies were growing revenue 20%+ BEFORE I bought them

Sales growth is the engine that drives profit growth

Profit growth is the engine that drives stock appreciation

Find companies that can grow sales 20%+ for decades
BUSINESS

You May Also Like

Savitri Mumukshu - \u0938\u093e\u0935\u093f\u0924\u094d\u0930\u0940 \u092e\u0941\u092e\u0941\u0915\u094d\u0937\u0941
Savitri Mumukshu - साव...
@MumukshuSavitri
1/n
The kingdom of Sindh was ruled by its last Hindu king Raja Dahir during the 8th century. When Muhammad-bin-Qasim invaded Sindh, he decimated Sindh in his savage bloodlust. The chronicles of his advent are described in the Chachnama.


2/n
The Chachnama describes in detail how the Arabs led by butcher Qasim conquered Sindh. It tells the terrible tale of bravery, treachery, & carnage marking the entry of Islamic conquest of India’s Hindus.


3/n
When Muhammad-bin-Qasim attacked Sindh, Dahir had collected an army of 50,000 horses and marched from Brahamanabad to Rawar to face the invader. Qasim had an army that numbered in the tens of thousands with camels & horses.

4/n
Earlier Arab Alafis - Syeds from Prophet Mohammed’s own family had fled from Mecca with 500 men to Sindh and Raja Dahir had given them asylum. Trusting these Muslims would prove to be the fatal mistake for the downfall of Sindh & pave the way for Islamic invasion.

5/n
On an “auspicious day” in A.D. 711, fixed by astrologers, Mohammed Bin Qasim started for Sindh at the head of the Iraqi, Syrian, and other Arab soldiers. His horses and camels were disguised to look like lions and elephants. Rebel Jats also joined Qasim’s army.
ALL , GANDHARITIHAS
Jaya_Upadhyaya
Jaya_Upadhyaya
@Jayalko1
BANASHANKARI AMMA, NEAR BADAMI (KAR)
#bharatmandir #navratri2021

Originally built by Chalukyas in 7th century. Devi Banashankari was their family deity. This image of Banashankari Amma was installed by Jagadekamalla I in 630 AD.

Later renovations were done by Marathas.


Once, a demon Durgamasur was troubling the people of this area. Answering the prayers of Devas, Ma Parvati emerged from the yajna fire as Banashankari and killed Durgamasur.
This area has rich forests of coconut, betel nut and other trees.
@GunduHuDuGa


It is said that during a severe famine, Devi provided vegetables and fruits to the people of this area.
Hence, she is also worshipped here as Shakambhari.
In the annual festival called Banashankari jatre, a Rath yatra takes place and Devi moves around the city in the chariot.
ALL
Advertisement
Brian Armstrong
Brian Armstrong
@brian_armstrong
1/ Productivity tip: when I keep procrastinating on something I often trick myself by saying, "ok just work on it for the next 20 minutes" or some short period of time, "and then you can chill/relax guilt free" and give myself some treat (sugar, netflix, etc)

2/ Usually at the 20 minute mark (sometimes I set a timer) I'm so engrossed in what I'm doing that I don't want want to stop and end up working on it for the next hour or two. But getting started seems to be the hardest part.

3/ Key to this: you have to actually be ok with stopping after 20 minutes and being guilt free if that's how you feel. So it's not a trick, i have the option every time, I just often don't want to use it once i'm in the zone.
PRODUCTIVITY
Jig's Patel
Jig's Patel
@jigspatel1988
How to trade on Expiry day with Nifty straddle?
(System trading on Expiry)

Triple straddle is one of the best and accurate methods for expiry day

If nifty trading at 15720 then will sell three straddles above 50 points from ATM, below 50 points and ATM.

Ex.
Sell straddle 15700(ATM), 15650(ATM-50), 15750 (ATM+50)

Stoploss of 80% on every leg and run your trade till 3 PM

Once SL hit in any Leg just keep holding other leg till expiry with SL (Never or less chance to hit both SL on expiry day)

Trading timing at 9:20 the Morning
ALL , STRADDLE BACKTEST , STRADDLE
Zach Weinersmith
Zach Weinersmith
@ZachWeiner
Hey, for people interested in this stuff, here's a thread about a change we made to running our facebook account:

So, about 5 years ago, we got on facebook. Why? Well, facebook has a big audience and they like to consume on facebook. So, we started posting comics there, even though we got paid nothing and facebook made money off the free content.

Why? Because back then, once in a while, you would say "also hey, I sell books" or "hey, I'm going to be signing at this event" and your facebook followers would actually see it.

Effectively, the implicit old arrangement was "facebook lets me reach readers efficiently, and I supply facebook with free content they run ads on."

Over time, like a bad business partner, facebook basically made it impossible to reach your audience without *paying them*. Thus, you supply them free content on which they run ads, and you get nothing in exchange.
MARKETING