2020 was full of major cyber events. Here is an end of year #ff thread of some of the most impactful people and research that I leveraged in my work this year
I’ve said it before - but cyber is a team sport and we are better when we share and collaborate
The year started off “with a bang” when CVE-2019-19781 was weaponized prior to patches being available. It felt like every threat actor under the sun was exploiting any Internet facing system and sorting out the wheat from the chaff later.
I didn’t know much about Citrix or FreeBSD forensics - but @SecShoggoth and @hal_pomeranz’s work was helpful
https://www.sans.org/blog/freebsd-computer-forensic-tips-tricks/ https://www.trustedsec.com/blog/netscaler-remote-code-execution-forensics/
We took the learnings from the CVE-2019-19781 investigations and @williballenthin and @MadeleyJosh helped turn that into a public tool release, in what felt like a land speed record from concept to prototype to testing and finally publishing https://www.fireeye.com/blog/products-and-services/2020/01/fireeye-and-citrix-tool-scans-for-iocs-related-to-vulnerability.html
APT28/STRONTIUM’s use of OAuth apps in 2016 got me interested in the novel technique. When I started on the #MSTIC team @MsftSecIntel I spent a bunch of research time on the topic and leveraged @doughsec and @MDSecLabs research
https://www.mdsec.co.uk/2019/07/introducing-the-office-365-attack-toolkit/
https://www.fireeye.com/blog/threat-research/2018/05/shining-a-light-on-oauth-abuse-with-pwnauth.html
This resulted in #AzureSentinel detections that are tool specific & others that are tool agnostic. @ashwinpatil’s help as I learned KQL was invaluable here
There are other improvements that aren’t as public but are moving the needle at protecting orgs
https://github.com/Azure/Azure-Sentinel/tree/master/Detections/AuditLogs
CVE-2020-5902 (F5 BIG-IP) was weaponized in a similarly broad fashion as CVE-2019-19781.
@buffaloverflow’s research and also observations from honeypots in both incidents were invaluable. https://www.mdsec.co.uk/2020/01/deep-dive-in-to-citrix-adc-remote-code-execution-cve-2019-19781/
Here’s the link for @buffaloverflow and @NCCGroupInfosec research https://research.nccgroup.com/2020/10/09/rift-f5-cve-2020-5902-and-citrix-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-honeypot-data-release/
I’ve spent time on human operated ransomware research and there are so many blogs and researchers who give insight into the rapidly evolving landscape
@TheDFIRReport
@kyleehmke @smoothimpact
Just to name a few https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/
Speaking of human operated ransomware - this @MsftSecIntel blog from earlier in the year summarizes a number of attacker TTPs as well as recommended mitigation actions organizations can take to be more resilient to these kinds of attacks https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/
In August a patch was released for CVE-2020-1472 (ZeroLogon), in September technical details were released by @SecuraBV. @GossiTheDog @ashwinpatil and I worked on detecting someone leveraging the CVE to conduct a DCSync attack
https://www.secura.com/blog/zero-logon https://twitter.com/gossithedog/status/1308148096237436928?s=21
In October @CISAgov warned of imminent ransomware attacks targeting US Healthcare
This was an all-hands-on-deck moment at @microsoft & across industry. Most people won’t know details but a number of orgs were saved. Super proud of my teammates & industry peers
https://us-cert.cisa.gov/ncas/alerts/aa20-302a
@SElovitz @doughsec @jshilko @anthomsec and the rest of the team @Mandiant put out a great blog encapsulating a year’s worth of TTPs & IOCs of UNC1878 intrusions - many of which led to Ryuk ransomware deployments https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
And if all of that wasn’t enough for 2020 - @FireEye identified a sophisticated threat actor compromising the software supply chain of SolarWinds & conducting post compromise activities leveraging multiple novel techniques
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
https://www.fireeye.com/blog/threat-research/2020/12/sunburst-additional-technical-details.html
Golden SAML tokens, compromised AAD Global Admin accounts, creds added to cloud application service principals, new/modified federation trusts, TTPs to evade detection, sophisticated OPSEC, this one had it all
It was great to collaborate w/ @ItsReallyNick Solid rundown here
https://twitter.com/itsreallynick/status/1338382939835478016
@msftsecurity has put out a ton of content on the various techniques observed. As new blogs/findings are released - they are being aggregated here:
#ff @Alex_T_Weinert @JohnLaTwC @MSSPete @n0x08 @DeltaTangoTwo @jepayneMSFT
https://msrc-blog.microsoft.com/2020/12/21/december-21st-2020-solorigate-resource-center/
This blog has some EDR technical details that may have been overlooked including:
-renamed adfind
-lateral movement via winrm & scheduled tasks
-remote execution of tools via WMI + rundll32 w/legitimate named files in C:\Windows\* & unique name per system https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/
@Volexity & @stevenadair Dark Halo blog discusses similarly interesting TTPs including:
-bypassing MFA after stealing the Duo integration secret key
-PowerShell to access the EWS API for email theft
-staging data for exfil on internet facing mail servers
https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/
OPSEC examples: “each compromised device receives unique binary hash, unique local filesystem path, pseudo-unique export & unique C2 domain” & variety of persistence mechanisms
Makes single detection harder to identify other backdoors & reduces utility of sharing hashes/domains
There are a number of resources you can leverage to learn about the Golden SAML, OAuth abuse & federation trust abuse
@Mandiant & @Microsoft’s DART team collaborated on a blog about Azure Active Directory backdoors
Backdoor #2 is particularly relevant
https://www.fireeye.com/blog/threat-research/2020/09/detecting-microsoft-365-azure-active-directory-backdoors.html
@DrAzureAD’s blog and associated tools like AAD Internals are a wealth of knowledge about using/abusing functionality of Azure Active Directory and Office365 https://o365blog.com/aadinternals/
A number of TTPs of the Solorigate/SOLARBURST attacks mirror TTPs that @_dirkjan researched and discussed at conferences including @WEareTROOPERS & @defcon 27
Highly recommended reading
https://troopers.de/downloads/troopers19/TROOPERS19_AD_Im_in_your_cloud.pdf
https://media.defcon.org/DEF%20CON%2027/DEF%20CON%2027%20presentations/DEFCON-27-Dirk-jan-Mollema-Im-in-your-cloud-pwning-your-azure-environment.pdf
If you want to learn how to secure various aspects of your security architecture @PyroTek3 & @TrimarcSecurity have some useful material including:
Securing ADFS
Securing AD Connect
https://www.hub.trimarcsecurity.com/post/securing-microsoft-azure-ad-connect
https://adsecurity.org/?p=3782