IronNet’s top 10 predictions for 2021

It’s December, so you know what that means: Predictions for what’s to come for cyber in 2021. We brought together a number of IronNet experts, from executives to researchers, to speculate on what the Year of the Ox has in store for the cyber world.   

Obfuscation Techniques in MARIJUANA Shell “Bypass”

Attackers are always trying to come up with new ways to evade detection from the wide range of security controls available for web applications. This also extends to malware like PHP shells, which are typically left on compromised websites as a backdoor to maintain unauthorized access.

MARIJUANA is the name of a PHP shell that we have been tracking since last year. The author has a GitHub page which promotes a claim that the shell possesses a “stealth” mode, which can be used to bypass website security services like web application firewalls (WAFs).

Obfuscation with Hexadecimal Values

In an attempt to evade signature-based scanners (and other security controls), attackers often take advantage of code obfuscation techniques. Sometimes the entire file's code is obfuscated, whereas other times only specific sections of the code are affected.

In the case of this MARIJUANA shell, specific sections have been obfuscated — primarily PHP functions known to be suspicious or used in many types of malware.

Instead of just using PHP functions in their plaintext form, the author chose to obfuscate them by storing the function names in an array of hexadecimal strings, which are decoded back to plaintext at runtime.

    // Each entry is a PHP function name encoded as hex (e.g. '7068705f756e616d65' is php_uname)
    $Array = [
        '7068705f756e616d65', '70687076657273696f6e', '6368646972', '676574637764',
        '707265675f73706c6974', '636f7079', '66696c655f6765745f636f6e74656e7473',
        '6261736536345f6465636f6465', '69735f646972', '6f625f656e645f636c65616e28293b',
        '756e6c696e6b', '6d6b646972', '63686d6f64', '7363616e646972',
        '7374725f7265706c616365', '68746d6c7370656369616c6368617273', '7661725f64756d70',
        '666f70656e', '667772697465', '66636c6f7365', '64617465', '66696c656d74696d65',
        '737562737472', '737072696e7466', '66696c657065726d73', '746f756368',
        '66696c655f657869737473', '72656e616d65', '69735f6172726179', '69735f6f626a656374',
        '737472706f73', '69735f7772697461626c65', '69735f7265616461626c65',
        '737472746f74696d65', '66696c6573697a65', '726d646972', '6f625f6765745f636c65616e',
        '7265616466696c65', '617373657274',
    ];
    $___ = count($Array);
    // Decode every entry into $GNJ, which then holds the plaintext function names
    for ($i = 0; $i < $___; $i++) {
        $GNJ[] = uhex($Array[$i]);
    }
    ...
    // Convert a hex string to ASCII, two hex digits at a time
    function uhex($y) {
        $n = '';
        for ($i = 0; $i < strlen($y) - 1; $i += 2) {
            $n .= chr(hexdec($y[$i] . $y[$i + 1]));
        }
        return $n;
    }
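The decoding step above is trivial to reverse during triage, which is how an analyst reviewing a suspicious PHP file would recover the hidden function names. The following Python snippet is an added example written for this article, not code from the shell or from the original post: it scans PHP source for quoted hex literals, applies the same pairs-of-digits conversion as uhex(), discards anything that does not decode to printable text, and reports decoded names that fall on a watchlist of functions commonly abused by webshells. The sample source, the watchlist and the function names are all constructed for the example.

```python
import re
import string

# Constructed sample in the same shape as the loader shown above (a quoted-hex
# array passed through a hex-to-ASCII helper). This is not the real shell file.
SAMPLE_PHP = r"""
$Array = ['7068705f756e616d65', '6261736536345f6465636f6465',
          '66696c655f6765745f636f6e74656e7473', '6f625f656e645f636c65616e28293b',
          '617373657274', 'deadbeef', '48656c6c6f'];
$___ = count($Array);
for ($i = 0; $i < $___; $i++) { $GNJ[] = uhex($Array[$i]); }
"""

# PHP functions that are harmless on their own but, when hidden behind an
# encoding layer, are a strong webshell indicator (list chosen for this example).
WATCHLIST = {
    "assert", "base64_decode", "file_get_contents", "file_put_contents",
    "fwrite", "fopen", "chmod", "unlink", "rename", "mkdir", "rmdir",
    "php_uname", "scandir", "readfile", "copy", "touch", "exec", "system",
    "shell_exec", "passthru", "eval",
}

# A quoted run of 8 or more hex digits; shorter runs are too noisy to be useful.
HEX_LITERAL = re.compile(r"""['"]([0-9a-fA-F]{8,})['"]""")
PRINTABLE = set(string.printable) - set("\x0b\x0c")

def hex_to_ascii(token):
    """Mirror of the shell's uhex(): each pair of hex digits becomes one character.
    Returns None when the result is not printable ASCII (likely not a string)."""
    if len(token) % 2:
        return None
    text = bytes.fromhex(token).decode("latin-1")
    return text if all(ch in PRINTABLE for ch in text) else None

def decode_hex_literals(php_source):
    """Return (literal, decoded) pairs for every quoted hex literal that
    decodes to printable text. 'deadbeef' in the sample is dropped here."""
    pairs = []
    for m in HEX_LITERAL.finditer(php_source):
        decoded = hex_to_ascii(m.group(1))
        if decoded is not None:
            pairs.append((m.group(1), decoded))
    return pairs

def suspicious_functions(php_source):
    """Decoded tokens whose leading identifier is on the watchlist.
    A trailing '();' (as in 'ob_end_clean();') is ignored when matching."""
    hits = []
    for _, decoded in decode_hex_literals(php_source):
        ident = re.match(r"[A-Za-z_][A-Za-z0-9_]*", decoded)
        if ident and ident.group(0) in WATCHLIST:
            hits.append(ident.group(0))
    return hits

if __name__ == "__main__":
    for raw, text in decode_hex_literals(SAMPLE_PHP):
        print(f"{raw} -> {text!r}")
    print("watchlist hits:", suspicious_functions(SAMPLE_PHP))
```

Running the block on the constructed sample decodes php_uname, base64_decode, file_get_contents, ob_end_clean();, assert and Hello, and reports the first four as watchlist hits. The printable-text check matters in practice: hex-looking literals such as colour codes or hashes are common in legitimate PHP, and most of them decode to non-printable bytes, so requiring a printable result removes much of that noise before the watchlist is consulted.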

The Marriage of IoT and Human Identities

Why Tying the Knot Between IoT and Users Is a Three-Layer Wedding Cake

Is your Internet of Things (IoT) project stuck in device registration mode with seemingly no way to get out? Or have you been able to “break out” to realize greater business value by “marrying” your IoT to your human user profiles?

Enforce your AWS Network Firewall protections at scale with AWS Firewall Manager

As you look to manage network security on Amazon Web Services (AWS), there are multiple tools you can use to protect your resources and keep your data safe. Amazon Virtual Private Cloud (Amazon VPC), security groups (SGs), network access control lists (network ACLs), AWS WAF, and the recently launched AWS Network Firewall all offer points of protection for your AWS workload. Managing these security controls directly works well when everything is in a single or small number of accounts. However, if you’re part of a security team managing controls on a larger number of accounts, or part of a compliance team whose responsibility includes auditing and remediating application configurations owned by other teams, managing these controls at scale could become cumbersome. To make sure that it doesn’t become so for you, we’re going to walk you through how to manage the new AWS Network Firewall at scale using AWS Firewall Manager.

Secure Network Analytics (Stealthwatch) Then, Now and Beyond – Part 2: Behavioral Analytics Has its Day

(2012-2020)

In part 1 of this series, we looked at the world we defended back in 2001 and how that shaped our initial product release. While the threat landscape of yesteryear differed in so many ways from the world we defend today, our objectives remain the same. This time, we will dive into the period between 2012 and today (2020). The strategic bets we made early on are starting to pay off, and several mega-trends in computing would help to make Cisco Secure Network Analytics (formerly Stealthwatch) mandatory for an effective security program.

How to avert an evil-maid attack

An evil-maid attack is just about the most primitive type of attack there is, but it’s also one of the most unpleasant. Preying on unattended devices, the “evil maid” tries to steal secret information or install spyware or remote access tools to gain access to the corporate network. Here’s how to stay safe from intruder actions.

This Week in Security: iOS Wifi Incantations, Ghosts, and Bad Regex

I hope everyone had a wonderful Thanksgiving last week. My household celebrated by welcoming a 4th member to the family. My daughter was born on Wednesday morning, November 25th. And thus explains what I did last week instead of writing the normal Hackaday column. Never fear, we shall catch up today, and cover the news that’s fit to be noticed.