Blue Team News (BTN) Weekly is a digest of news, articles, intelligence and reports on the latest threats and industry trends that are most relevant to information security defenders, aka the Blue Team. You’ll receive links to the most relevant Internet content, along with analysis by our Blue Team specialists.
BTN is sent every Sunday directly to your inbox, and is also available at [roguesecurity.ca](https://roguesecurity.ca).
Guidance for investigating attacks using CVE-2022-21894: The BlackLotus campaign – Microsoft Security
BlackLotus is a UEFI bootkit first seen around October 2022 being sold on various hacking forums. It is perhaps one of the more advanced bootkits we have seen in quite some time, and the campaign continues to grow.
Bootkits are especially dangerous because they execute before the operating system loads and are designed to bypass the controls enforced during start-up of a host, in this case Secure Boot, by exploiting CVE-2022-21894. That gives a threat actor the ability to run code not just in user mode but in kernel mode, beneath the reach of most endpoint security tools. Note that although Microsoft shipped a fix for CVE-2022-21894 in January 2022, the older, validly signed boot managers had not yet been added to the UEFI revocation list (DBX), so BlackLotus can still load them on an otherwise fully patched system; patching alone is not sufficient protection.
Microsoft Security has published excellent guidance on detecting and responding to BlackLotus, covering the artifacts to hunt for: recently created or locked bootloader files and a staging directory in the EFI System Partition, modification of the HVCI (Hypervisor-Enforced Code Integrity) registry setting, and the relevant network, boot configuration and Windows Defender logs. Check it out here.
Who Else Is Talking About It?
- Secure Boot Security Feature Bypass Vulnerability – Microsoft MSRC
New Python-Based “Legion” Hacking Tool Emerges on Telegram – The Hacker News
A new credential harvester dubbed “Legion” is hitting the market via Telegram channels. Legion is a Python-based hacking tool that exploits exposed web services in order to steal credentials, primarily to support e-mail abuse such as spam and phishing.
According to CADO Security, Legion is capable of enumerating vulnerable SMTP servers, conducting remote code execution (RCE), exploiting vulnerable versions of Apache, and querying Shodan’s API to retrieve a target list, among other capabilities.
Given its further capabilities for exploiting content management systems and PHP-based frameworks such as Laravel, defenders should expect to see this malware targeting cloud-based and SaaS products.
Who Else Is Talking About It?
- Legion: New hacktool steals credentials from misconfigured sites – BleepingComputer
- Legion: an AWS Credential Harvester and SMTP Hijacker – CADO Security
BlackGuard stealer extends its capabilities in new variant – AT&T Cybersecurity
A new variant of the BlackGuard stealer has been spotted in the wild by security analysts at AT&T Cybersecurity. First seen in 2021, BlackGuard is an information stealer used to collect sensitive data from a wide range of applications and browsers on an infected host, including passwords, session cookies and cryptocurrency wallet keys.
New capabilities in this BlackGuard variant include propagating to shared and removable drives, process injection, and persistence across reboots by adding itself to the “Run” registry key. That last technique (MITRE ATT&CK T1547.001, Registry Run Keys / Startup Folder) is well known and straightforward to monitor for with registry value-set auditing such as Sysmon Event ID 13.
E-mail header analysis – AT&T Cybersecurity
Every Blue Team analyst who is responsible for investigating suspicious e-mail knows the importance of being able to accurately assess e-mail headers. E-mail headers contain pieces of metadata that are required for the successful sending and receiving of e-mail.
E-mail headers also contain “Received” headers. Each mail server that handles a message prepends its own Received header, so reading them from the bottom up allows an analyst to trace the path the message took, starting with the host that first submitted it. Bear in mind that only the Received headers written by your own mail servers can be trusted; anything below them arrived with the message and could have been forged by the sender.
As a defender it’s important to understand not just what each header field means, but also how to interpret it. This should include a very good understanding of the e-mail security mechanisms Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC), whose verdicts your gateway records in the Authentication-Results header.
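As an added example (not code from the AT&T Cybersecurity article), the following Python script walks a message’s Received chain in delivery order and reads the SPF/DKIM/DMARC verdicts from the Authentication-Results header stamped by your own gateway. The message, hostnames and addresses are constructed for illustration, and the `our_domain` parameter is an assumption about which servers count as “ours”.

```python
"""Walk an e-mail's Received chain and read its SPF/DKIM/DMARC verdicts.
Added example for this digest, not code from the article; stdlib only."""
import email
import re
from email.utils import parsedate_to_datetime

# Constructed sample message: example.* domains and TEST-NET addresses throughout.
SAMPLE = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
\tby inbound.example.com with ESMTPS id abc123
\tfor <analyst@example.com>; Mon, 17 Apr 2023 09:15:02 -0400
Received: from workstation-7 (unknown [198.51.100.23])
\tby mx1.example.net (Postfix) with ESMTPA id 4F2C1
\tfor <analyst@example.com>; Mon, 17 Apr 2023 09:14:55 -0400
Authentication-Results: inbound.example.com;
\tspf=fail smtp.mailfrom=billing@example.org;
\tdkim=none;
\tdmarc=fail (p=reject) header.from=example.org
From: "Billing" <billing@example.org>
To: analyst@example.com
Subject: Invoice overdue

Please see the attached invoice.
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"              # name the sending host announced (HELO/EHLO)
    r"(?:\s+\((?P<seen>[^)]*)\))?"       # what the receiving MTA actually saw: rDNS [IP]
    r".*?\bby\s+(?P<by>\S+)"             # the MTA that wrote this header
    r"(?:.*?\bwith\s+(?P<proto>\S+))?"   # transport (ESMTPS, ESMTPA, ...)
    r"(?:.*?\bid\s+(?P<id>\S+))?",       # that MTA's queue/transaction id
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(?P<ip>[0-9A-Fa-f.:]+)\]")


def parse_received(value, our_domain):
    """Parse one Received header into a hop dict (None if it has no from/by)."""
    flat = re.sub(r"\s+", " ", value).strip()          # unfold continuation lines
    m = RECEIVED_RE.search(flat)
    if not m:
        return None
    hop = {k: (v or None) for k, v in m.groupdict().items()}
    ip = IP_RE.search(hop["seen"] or "")
    hop["ip"] = ip.group("ip") if ip else None
    hop["time"] = None                                 # timestamp follows the last ';'
    if ";" in flat:
        try:
            hop["time"] = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            pass
    # Only a header stamped by one of our own MTAs is trustworthy; everything
    # beneath it arrived with the message and could have been forged.
    hop["written_by_us"] = (hop["by"] or "").lower().endswith(our_domain)
    return hop


def parse_auth_results(value):
    """Return the authserv-id plus spf/dkim/dmarc verdicts, e.g. {'spf': 'fail'}."""
    flat = re.sub(r"\s+", " ", value).strip()
    parts = [p.strip() for p in flat.split(";") if p.strip()]
    result = {"authserv_id": parts[0].lower() if parts else None}
    for clause in parts[1:]:
        m = re.match(r"(spf|dkim|dmarc)=(\w+)", clause, re.IGNORECASE)
        if m:
            result[m.group(1).lower()] = m.group(2).lower()
    return result


def analyze(raw, our_domain):
    """Hops in delivery order, trusted auth verdicts, and analyst findings."""
    msg = email.message_from_string(raw)
    # Each MTA prepends its Received line, so the top one is the last hop;
    # reverse to read the path in the order the mail actually travelled.
    hops = [h for h in (parse_received(v, our_domain)
                        for v in msg.get_all("Received", [])) if h]
    hops.reverse()
    auth = {}
    for v in msg.get_all("Authentication-Results", []):
        ar = parse_auth_results(v)
        if (ar["authserv_id"] or "").endswith(our_domain):  # ignore foreign/forged verdicts
            auth = ar
    findings = []
    if hops:
        origin = hops[0]
        if (origin["seen"] or "").lower().startswith("unknown"):
            findings.append(f"origin {origin['ip']} has no reverse DNS "
                            f"(announced itself as '{origin['helo']}')")
        if not origin["written_by_us"]:
            findings.append(f"origin hop was recorded by {origin['by']}, not by us; unverified")
    if auth.get("spf") == "fail":
        findings.append(f"SPF failed at {auth['authserv_id']}")
    if auth.get("dkim", "none") == "none":
        findings.append("no DKIM signature verified")
    if auth.get("dmarc") == "fail":
        findings.append(f"DMARC failed at {auth['authserv_id']}")
    return {"hops": hops, "auth": auth, "findings": findings}


if __name__ == "__main__":
    report = analyze(SAMPLE, "example.com")
    for h in report["hops"]:
        print(f"{h['time']}  {h['helo']} ({h['seen']}) -> {h['by']} via {h['proto']}")
    print(report["auth"])
    for f in report["findings"]:
        print("!", f)
```

Run it against a saved `.eml` by passing its contents in place of `SAMPLE`. The key design point is trust: the verdicts in Authentication-Results are only meaningful when the authserv-id belongs to your own gateway, and the hop-by-hop path is only reliable from your own servers upward, which is why the script tags each hop with `written_by_us` and flags an origin hop that nobody you control recorded.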
Who Else Is Talking About It?
- Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1 (RFC 7208) – RFC-Editor
- DomainKeys Identified Mail (DKIM) Signatures (RFC 6376) – RFC-Editor
- Domain-based Message Authentication, Reporting, and Conformance (DMARC) (RFC 7489) – RFC-Editor