Ben Reardon
Bright Ideas Blog

Finding SolarWinds / SUNBURST backdoors with Zeek, Suricata, & Corelight

Detecting CVE-2021-31166 – HTTP vulnerability

| | Accept-Encoding, Corelight Labs, CVE-202131166, GitHub, http, http.log, HTTP.sys, Network Security, network security monitoring, network traffic analysis, network visibility, SOAP, SolarWinds, SUNBURST, WinRM, Zeek
By Ben Reardon, Corelight Security Researcher In this blog we aim to provide a little insight into part of the lifecycle of Corelight Lab’s response to a critical HTTP vulnerability. We’ve open-sourced many such responses over the last year (see Appendix A), and this one is a good demonstration of ... Read More
Bright Ideas Blog
Detect C2 ‘RedXOR’ with state-based functionality

Detect C2 ‘RedXOR’ with state-based functionality

| | C2, Corelight Labs, http, Intezer, Linux, RedXOR, Zeek
By Ben Reardon, Corelight Security Researcher Recently a very interesting Linux-based command-and-control (C2) malware was described by the research team at Intezer. As usual there is a set of simple network-based IOCs in the form of domains and IPs that organizations can search against their Zeek dns.log, http.log and conn.log ... Read More
Bright Ideas Blog
Detecting SUNBURST/Solarigate activity in retrospect with Zeek – a practical example

Detecting SUNBURST/Solarigate activity in retrospect with Zeek – a practical example

| | Corelight Labs, DFIR, encrypted traffic, Industry, Solarigate, SolarWinds, SUNBURST, TLS, Zeek, zeek logs
Ben Reardon – Corelight Labs Researcher The threat actors who created SUNBURST went to extraordinary lengths to hide Command-and-Control (C2) traffic by mimicking the nature of communication patterns used by legitimate software within the SolarWinds package. The contents of the C2 communications are encrypted and obfuscated, but there are still ... Read More
Bright Ideas Blog
Community detection: CVE-2020-16898

Community detection: CVE-2020-16898

| | Bad Neighbor, Corelight Labs, CVE-2020-16898, DoS, ESNET, GitHub, ICMP, IPv6, mcafee, Microsoft, pcap, PoC, REC, Remote Code Execution, RFC4443, RFC8106, TCP, Windows, Zeek, ZeekWeek
By Ben Reardon, Corelight Security Researcher This month’s Microsoft Patch Tuesday included a severe Remote Code Execution vulnerability in the way that Windows TCP/IP handles IPv6 “Router Advertisement” ICMP messages. Due to the severity and wide scope, we in Corelight Labs immediately set about preparing a Zeek package with the ... Read More
Bright Ideas Blog

Zeek in it’s sweet spot: Detecting F5’s Big-IP CVE10 (CVE-2020-5902)

| | BIG-IP, cisa, Corelight Labs, CVE-2020-5902, CVE10, f5, GitHub, http, HTTPS, NCC Group, open source, rce, Remote Code Execution, Sigma, Suricata, Uncategorized, Zeek
By Ben Reardon, Corelight Security Researcher Having a CVE 10 unauthenticated Remote Code Execution vulnerability on a central load balancing device? That’s bad… Not being able to detect when a threat actor attempts and/or succeeds in compromising that device? That’s definitely bad… Recently the US Cybersecurity and Infrastructure Security Agency ... Read More
Bright Ideas Blog

Ripple20 Zeek package open sourced

| | Corelight Labs, GitHub, ICS, iot, JSOF, open source, Open Source Community, Ripple20, TReck, Zeek
By Ben Reardon, Corelight Security Researcher Recently, security research group JSOF released 19 vulnerabilities related to the “Treck” TCP/IP stack. This stack exists on many devices as part of the supply chain of many well known IoT/ICS/device vendors. Think 100s of millions/billions of devices and you are in the right ... Read More
Bright Ideas Blog