WithSecure™ Labs: With great research comes great responsibility

Essential part of most every automotive security assessment is CAN bus fuzzing. In this article, one corner case of such activities will be discussed, when fuzzing is performed during blackbox-style assessment, with minimum or no information about CAN IDs supported by the ECU. To optimize this process, using EMSCA (electromagnetic side-channel analysis) as a guidance is proposed.

This blog post provides a brief overview of SAS tokens and their structure, and describes the conditions that make it possible for a SAS token to be used even after the original resource it was associated with has been deleted.

In this report we share an overview of current and emerging threats surrounding Meta's ad ecosystem that are pre-dominantly originating out of Vietnam. Additionally, we will share an update on the infamous DUCKTAIL operation exposed in our previous reports. Lastly, we will introduce an emerging threat dubbed “DUCKPORT” which has striking similarities to DUCKTAIL, but with important and distinct functionalities, TTPs, and history.

In containerized environments, such as Kubernetes clusters, read-only filesystems are viewed as an additional layer of defense, as they allow for better control and management of containerized applications. Immutable containers are consistent and predictable, making compliance and auditing simpler, and allowing for more accurate threat detection. They are also easily replicated to ensure high availability and can be rolled back with ease when necessary. Bypassing write and execution restrictions can assist adverseries in ultimately executing arbitrary code and executable files in read-only filesystems. 

Endpoint Detection & Response systems (EDR), delivered by in-house teams or as part of a managed service, are a feature of modern intrusion detection and remediation operations. This success is a problem for attackers, and malicious actors have worked to find new ways to evade EDR detection capabilities. As with all arms races, these approaches to evading detection are creative and effective. One of the primary methods utilized in modern attack frameworks, hands on keyboard operations and even malicious binaries revolves around memory manipulation.

Memory manipulation is nothing new; most readers will be familiar with process injection, thread hijacking, process hollowing and so on. That said, some recent tools/techniques are focused less on deployment and more on circumventing EDR telemetry acquisition techniques or alerting mechanisms. Elaborate hooking and exploitation of native functionality is now employed with impressive success rates.

WithSecure Intelligence identified attacks which occurred in late March 2023 against internet-facing servers running Veeam Backup & Replication software. Our research indicates that the intrusion set used in these attacks has overlaps with those attributed to the FIN7 activity group. It is likely that initial access & execution was achieved through a recently patched Veeam Backup & Replication vulnerability, CVE-2023-27532.