
Mo' Shells Mo' Problems - Network Detection

Disclaimer: CrowdStrike derived this information from investigations in non-classified environments. Since we value our clients' privacy and interests, some data has been redacted or sanitized.

In previous posts of this “Mo’ Shells Mo’ Problems” blog series we discussed web shells with specific Deep Panda adversary examples as well as how to detect them within your enterprise using file stacking and web log analysis. This blog entry completes the series with related methodology for...

3 weeks 5 days ago

Mo' Shells Mo' Problems - Web Server Log Analysis

Disclaimer: CrowdStrike derived this information from investigations in unclassified environments. Since we value our clients’ privacy and interests, some data has been redacted or sanitized.

Web shells epitomize the hacking tenet of hiding in plain sight. In a previous post, we showed how a web shell could hide as a single file among thousands present on a web server and as a single line of code in an otherwise legitimate page on a site. The best web shells are not detected by anti...

1 month 5 days ago

*NEW* Community Tool: CrowdResponse

At the 2014 RSA Conference in San Francisco, CrowdStrike CTO Dmitri Alperovitch and I presented the security community with a demo of CrowdResponse during the Hacking Exposed: Day of Destruction talk. As many of you who have been to my Hacking Exposed: Live presentations know, I like to demo a unique hack or release a new community tool during these presentations (this goes back to my days at Foundstone).

This year was no different. CrowdResponse is a modular Windows console...

1 month 1 week ago

Mo' Shells Mo' Problems - File List Stacking

Disclaimer: CrowdStrike derived this information from investigations in non-classified environments. Since we value our clients’ privacy and interests, some data has been redacted or sanitized.

In our first blog post, “Mo’ Shells Mo’ Problems: Deep Panda Web Shells - Part 1”, we discussed two web shells leveraged by a Chinese threat group we call Deep Panda. In case you forgot, a web shell is a file containing backdoor functionality written in a web scripting language such as ASP, ASPX...

1 month 2 weeks ago

The French Connection: French Aerospace-Focused CVE-2014-0322 Attack Shares Similarities with 2012 Capstone Turbine Activity

Two weeks ago, news broke about strategic web compromise (SWC) activity on the website of the U.S. organization Veterans of Foreign Wars (VFW). This activity leveraged exploit code for a zero-day vulnerability now identified as CVE-2014-0322 and ultimately infected victims with ZxShell malware. CrowdStrike Intelligence attributed this attack to the AURORA PANDA adversary; however, the discovery of additional indicators revealed that another adversary was leveraging the same vulnerability...

1 month 3 weeks ago

Details about Apple SSL vulnerability and iOS 7.0.6 patch

On February 21st, 2014, Apple pushed out an emergency SSL security update for iOS (7.0.6). John Costello, CrowdStrike's Sr. SDET Engineer, and I reverse engineered the binary patches in order to analyze the vulnerability and its full impact. Given the fact that the patches are not yet available for all impacted systems, we are not yet publishing full technical details of this vulnerability so as not to make life easier for attackers. However, we decided to release some...

2 months 23 hours ago

Mo' Shells Mo' Problems - Deep Panda Web Shells

Disclaimer: CrowdStrike derived this information from investigations in non-classified environments. Since we value our clients' privacy and interests, some data has been redacted or sanitized.

CrowdStrike presents “Mo’ Shells Mo’ Problems”, a four-part series featuring two unique web shells used by a Chinese threat group we call Deep Panda. The series will culminate with a CrowdCast in April 2014 detailing a case study of the incident response investigation conducted to identify...

2 months 2 days ago

Post-Snowden Forensics

It has been over six months since Edward Snowden’s unprecedented NSA leaks, and we are still a long way from being able to assess the damage. Worldwide trust in United States tech companies has undoubtedly been shaken. Cisco Systems blamed a ten percent revenue drop on fallout from the leaks. Microsoft is offering the ability for foreign customers to have their data stored outside of the United States. And Silicon Valley stalwarts from Apple to Google to Yahoo have spent considerable...

2 months 1 week ago

Native Java Bytecode Debugging without Source Code

At CrowdStrike, we’ve seen a moderate increase in Java-based malware recently, with Remote Access Tools (RATs) like Adwind becoming increasingly prevalent. Reverse engineering Java is typically very straightforward, since excellent Java binary decompilers have existed for years. Tools like JD-GUI make Java analysis a breeze and do an excellent job at recovering Java binaries’ source code (minus the comments). In cases where we need to dynamically debug Java programs, decompiled Java can be...

2 months 1 week ago