Read Time:7 Second
A group of cryptographers have analyzed the eiDAS 2.0 regulation (electronic identification and trust services) that defines the new EU Digital Identity Wallet.
Daily Archives: June 27, 2024
US Charges Russian Individual for Pre-Invasion Ukraine Hack
Read Time:6 Second
The US government is offering up to $10m for information on Amin Timovich Stigal’s location or his malicious cyber activity
USN-6857-1: Squid vulnerabilities
Read Time:56 Second
Joshua Rogers discovered that Squid incorrectly handled requests with the
urn: scheme. A remote attacker could possibly use this issue to cause
Squid to consume resources, leading to a denial of service. This issue
only affected Ubuntu 16.04 LTS. (CVE-2021-28651)
It was discovered that Squid incorrectly handled SSPI and SMB
authentication. A remote attacker could use this issue to cause Squid to
crash, resulting in a denial of service, or possibly obtain sensitive
information. This issue only affected Ubuntu 16.04 LTS. (CVE-2022-41318)
Joshua Rogers discovered that Squid incorrectly handled HTTP message
processing. A remote attacker could possibly use this issue to cause
Squid to crash, resulting in a denial of service. (CVE-2023-49285)
Joshua Rogers discovered that Squid incorrectly handled Helper process
management. A remote attacker could possibly use this issue to cause
Squid to crash, resulting in a denial of service. (CVE-2023-49286)
Joshua Rogers discovered that Squid incorrectly handled HTTP request
parsing. A remote attacker could possibly use this issue to cause
Squid to crash, resulting in a denial of service.
(CVE-2023-50269, CVE-2024-25617)
USN-6852-2: Wget vulnerability
Read Time:18 Second
USN-6852-1 fixed a vulnerability in Wget. This update provides
the corresponding update for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.
Original advisory details:
It was discovered that Wget incorrectly handled semicolons in the userinfo
subcomponent of a URI. A remote attacker could possibly trick a user into
connecting to a different host than expected.
Memory Dump Analysis: Using LiME for Acquisition and Volatility for Initial Setup
Read Time:3 Minute, 10 Second
The content of this post is solely the responsibility of the author. LevelBlue does not adopt or endorse any of the views, positions, or information provided by the author in this article.
Memory dump analysis is a crucial aspect of digital forensics, offering a snapshot of a system’s volatile memory at a specific point in time. This can uncover critical evidence such as running processes, open network connections, and in-memory malware execution that disk analysis might miss. In a previous blog, we learnt how to use fmem for volatile memory acquisition. In this blog, we will explore how to create memory dumps using LiME (Linux Memory Extractor) and how to further begin with our analysis process using volatility framework in our upcoming blogs.
What is LiME?
A Loadable Kernel Module (LKM) which allows for volatile memory acquisition from Linux and Linux-based devices, such as Android. This makes LiME unique as it is the first tool that allows for full memory captures on Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.
Why is Memory Dump Analysis Important?
Memory dump analysis is vital in digital forensics for several reasons:
Uncovering Hidden Data: RAM contains transient data not stored on disk, such as encryption keys and in-memory malware.
Understanding System State: Memory dumps provide a snapot of active processes, open files, and network connections.
Detecting Malicious Activity: Analysis can reveal the presence and behavior of malware that operates primarily in memory.
Installing and Setting Up LiME
To use LiME, you’ll need to build it from source. Follow these steps to install and set up LiME:
Clone the LiME Repository: To clone into LiME Repository, you can use git clone:
git clone https://github.com/504ensicsLabs/LiME.git
Ensure you have the Linux kernel headers and build tools installed.
To install build essentials, you can use: sudo apt install build-essential
Now, navigate into src subdirectory under Lime directory:
cd LiME/src
Compile the LiME Module:
Now, use make to compile the LiME module:
make
Load the Module:
Use insmod to load the module into the kernel.
Specify the path and format for the memory dump:
sudo insmod lime.ko “path=/path/to/dump.mem format=raw”
LiME allows you to create memory dumps in various formats and save them either locally or over a network. Here’s how to do it:
Save to a File:
sudo insmod lime.ko “path=/path/to/dump.mem format=raw”
You can check by going to path directory, you will see a .mem file.
Save Over a Network:
sudo insmod lime.ko “path=tcp:192.168.1.2:4444 format=lime”
Replace 192.168.1.2 with the IP address of the receiving machine and 4444 with the desired port.
Analyzing Memory Dumps with Volatility Framework
Volatility is an advanced open-source memory forensics framework for incident response and malware analysis. It supports a wide range of memory dump formats and offers various plugins for analyzing different aspects of memory dumps.
Install Volatility: git clone
https://github.com/volatilityfoundation/volatility3.git
Navigate to Volatility3 directory and install required dependencies.
After installing the dependencies, you can use command python3 vol.py -followed by argument
In the below screenshot we wanted to see the help section, so we gave the -h argument.
Memory dump acquisition using LiME and analysis using Volatility Framework is a powerful technique in digital forensics, uncovering valuable insights from a system’s volatile memory. By following this guide, you can effectively capture memory dumps, enhancing your digital forensics knowledge on various ways to acquire a memory dump. We will look further into volatility framework in our next blog.
USN-6856-1: FontForge vulnerabilities
Read Time:25 Second
It was discovered that FontForge incorrectly handled filenames. If a user or an
automated system were tricked into opening a specially crafted input file, a
remote attacker could possibly use this issue to perform a command injection.
(CVE-2024-25081)
It was discovered that FontForge incorrectly handled archives and compressed
files. If a user or an automated system were tricked into opening a specially
crafted input file, a remote attacker could possibly use this issue to perform
command injection. (CVE-2024-25082)
IT Leaders Are Fifty-Fifty on Using GenAI For Cybersecurity
Read Time:6 Second
Corelight study claims many IT leaders see benefit of GenAI but similar share are concerned about data exposure
US charges four FIN9-linked hackers after $71 million cybercrime spree
Read Time:13 Second
Four alleged members of the FIN9 cybercrime gang have been charged in relation to a series of hacks that caused over US $71 million of losses for companies across the United States.
Read more in my article on the Hot for Security blog.
Chinese State Actors Use Ransomware to Conceal Real Intent
Read Time:5 Second
A new report warns that Chinese APT groups are using ransomware to conceal cyber-espionage activity
Polyfill.io Supply Chain Attack
Read Time:43 Second
What is the attack?Over 100,000+ sites have been impacted by a supply chain attack involving the Polyfill.io service. Polyfill is a popular tool used for enhancing browser capabilities by hundreds of thousands of sites to ensure that all website visitors can use the same codebase for unsupported functionality. Earlier this year, the polyfill.io domain was purchased, and the script was modified to redirect users to malicious and scam sites.What is the recommended Mitigation?Given the confirmed malicious operations, owners of websites using polyfill.io are advised to remove it immediately and search their code repositories for instances of polyfill.io. Users are also advised to consider using alternate services provided by Cloudflare and Fastly.What FortiGuard Coverage is available?FortiGuard Labs’ research team is investigating the coverage and has blocked all the known Indicators of compromise (IoCs).