This week, we are joined by Jon Williams, Vulnerability Researcher from Bishop Fox, discussing "Tearing Down (Sonic)Walls: Decrypting SonicOSX Firmware." Bishop Fox researchers reverse-engineered the encryption protecting SonicWall SonicOSX firmware, enabling them to access its underlying file system for security research.
They presented their process and findings at DistrictCon Year 0 and released a tool called Sonicrack to extract keys from VMware virtual machine bundles, facilitating the decryption of VMware NSv firmware images. This research builds upon previous work, including techniques to decrypt static NSv images and reverse-engineer other encryption formats used by SonicWall.
The research can be found here:
Tearing Down (Sonic)Walls: Decrypting SonicOSX Firmware
Learn more about your ad choices. Visit megaphone.fm/adchoices
--------
22:21
Excel-lerating cyberattacks.
This week, we are joined by Tom Hegel, Principal Threat Researcher from SentinelLabs research team, to discuss their work on "Ghostwriter | New Campaign Targets Ukrainian Government and Belarusian Opposition." The latest Ghostwriter campaign, linked to Belarusian government espionage, is actively targeting Ukrainian military and government entities as well as Belarusian opposition activists using weaponized Excel documents.
SentinelLabs identified new malware variants and tactics, including obfuscated VBA macros that deploy malware via DLL files, with payload delivery seemingly controlled based on a target’s location and system profile. The campaign, which began preparation in mid-2024 and became active by late 2024, appears to be an evolution of previous Ghostwriter operations, combining disinformation with cyberattacks to further political and military objectives.
The research can be found here:
Ghostwriter | New Campaign Targets Ukrainian Government and Belarusian Opposition
Learn more about your ad choices. Visit megaphone.fm/adchoices
--------
26:43
The ransomware clones of HellCat & Morpheus.
Jim Walter, Senior Threat Researcher on SentinelLabs research team, to discuss their work on "HellCat and Morpheus | Two Brands, One Payload as Ransomware Affiliates Drop Identical Code." Over the past six months, new ransomware groups like FunkSec, Nitrogen, and Termite have emerged, while established threats such as Cl0p and LockBit 4.0 have resurfaced. Two prominent Ransomware-as-a-Service (RaaS) operations, HellCat and Morpheus, have gained traction, with research indicating that affiliates of both are using nearly identical ransomware payloads.
Despite similarities in their encryption techniques and ransom notes, there is no conclusive evidence linking HellCat and Morpheus to the Underground Team, though shared tools or affiliates may be involved.
The research can be found here:
HellCat and Morpheus | Two Brands, One Payload as Ransomware Affiliates Drop Identical Code
Learn more about your ad choices. Visit megaphone.fm/adchoices
--------
21:40
Botnet’s back, tell a friend.
This week we are joined by Silas Cutler, Principal Security Researcher at Censys, asking the important question of "Will the Real Volt Typhoon Please Stand Up?" The FBI's disruption of the KV Botnet in December 2023, attributed to the Chinese threat group Volt Typhoon, targeted infected systems but did not affect the botnet's control infrastructure.
Despite law enforcement efforts and technical exposure, the botnet's infrastructure has remained largely stable, with only changes in hosting providers, raising questions about whether another party operates the botnet. Censys scanning data from 2024 shows a shift in the botnet's control servers, indicating a response to disruption attempts, while the botnet's operators have shown limited efforts to obscure their infrastructure.
The research can be found here:
Will the Real Volt Typhoon Please Stand Up?
Learn more about your ad choices. Visit megaphone.fm/adchoices
--------
22:47
Caught in the contagious interview.
This week we are joined by Phil Stokes, threat researcher at SentinelOne's SentinelLabs, discussing their work on "macOS FlexibleFerret | Further Variants of DPRK Malware Family Unearthed." Apple recently pushed an update to its XProtect tool, blocking several variants of the DPRK-linked Ferret malware family, which targets victims through the "Contagious Interview" campaign.
The malware uses fake job interview processes to trick users into installing malicious software, and new variants, including FlexibleFerret, remain undetected by XProtect. SentinelOne's research reveals a deeper investigation into this malware, which uses social engineering to expand its attack vectors, including targeting developers through platforms like GitHub.
The research can be found here:
macOS FlexibleFerret | Further Variants of DPRK Malware Family Unearthed
Learn more about your ad choices. Visit megaphone.fm/adchoices
Portugal