Posts

Threat Hunting as a Proactive Security Measure in the Energy Sector

The situation in the European energy sector is tense: there is uncertainty about the supply, winter is just around the corner and the sector is being strategically and repeatedly attacked both in physical terms (e.g. Nord Stream or Ukrainian energy supply ), through disinformation campaigns and cyber attacks by actors close to Russia. Cyber ​​attacks in particular could increasingly hit Europe's energy sector in the coming months in order to further aggravate the supply situation, fuel fears of a loss of control in Europe and thereby maintain credible deniability. It is warned that critical systems such as the energy sector may already be compromised. Proactive "threat hunting" is therefore repeatedly brought into play by different parties as an additional necessary security measure. But what exactly is behind the concept, which preconditions must be met and how can an effective "threat hunting" program be set up even by less mature IT security teams. Th...

The Rise of LNK Files (T1547.009) and Ways To Detect Them

Image
Microsoft Office macros have historically posed a significant threat as the preferred method of delivering malicious payloads, accounting for almost half of all deliveries. The reason is simple: Microsoft Office products are highly prevalent and macros are mostly either enabled or easily enabled through a single mouse click. With Microsoft’s decision to block macros by default, threat actors have adapted their delivery techniques towards macro alternatives (e.g., Emotet ). One of those alternatives are Microsoft shortcuts , which have, in comparison to zero days or other fancy exploits, generally not received the attention they (sh|c)hould . In what follows, I will first provide a brief introduction to why and how macros were blocked as well as how to bypass the protections that were put in place. I will then give an overview of LNK files, one common alternative to macros, show how they are used in the wild, and finally discuss various ways for detection. Microsoft's decision to...

Trust is good, testing is better: How to pentest Flutter apps

Image
Recently, during a weekend, Daniel and myself stumbled across Flutter-based apps that were not testable out-of-the-box due to Flutter-specific security decisions. Furthermore, we found that, despite the popularity of the framework, there is little information on how to best test such apps. We thus decided to dive deeper into the framework and came up with a blog post that first sheds some light on Flutter from a security perspective and then provides a step-by-step guide on how to test such apps. In total, it will provide four different approaches. With the increasing popularity of the framework and developers relying on Flutter-intrinsic security features, it is especially important to continue challenging them and equip more testers with the required skills to conduct tests. What is Flutter and what makes it important? Flutter is an open-source UI SDK created by Google. Like React Native, it is used to develop cross platform applications for Android, iOS, Linux, macOS, Windows, Googl...

Wiper Malware: Purposes, MITRE Techniques, and Attacker's Trade-Offs

Image
Following recent events in Ukraine, various cybersecurity agencies such as CISA or BSI have warned of potential data wiping attacks spillover to organisations in other countries. While destructive malware such as wipers are still rare and more targeted compared to malware focused on espionage and financial gains, there are reasons for believing that this wipers will become more prevalent: If hybrid warfare operations continue and/or intensify, it must be assumed that (destructive) cyber operations will increasingly be used alongside kinetic weapons despite the fact significant impact has not yet been observed in the current war. Sanctions and/or support for Ukraine by other countries may also increase the risk for Russian retaliatory cyber attacks against those countries. The increasing number of (sophisticated) hacktivists that support either Russia or Ukraine for ideological reasons (e.g., IT Army of Ukraine counts ~300,000 people in their Telegram group) may lead to more s...