I tried to convince him he was wrong about some things. This discussion lasted from morning into the night. Some friends

Author : ealimkhanki
Publish Date : 2021-01-07 10:35:08



So back to the day when I tried not to engage with the unteachable. I didn’t last long. I ended up in a long debate with a friend who I could once argue with positively, before he went to law school and started to argue to win instead of to argue to learn. I know better than to engage with him on certain topics, but I get hooked in.

In order to use this as a potential blocklist, we need to filter out the false positives. One easy way to differentiate likely legitimate results from malicious ones is simply to look at the server’s history. Malicious C2s are generally ephemeral; they come and go quite frequently, while legitimate servers tend to stay the same for long periods of time. This is where vendors with Internet historical data really come in handy. If the server matching the Cobalt Strike JARM has had its attributes unchanged for over a year, it is more likely a legitimate false positive, while a server matching the Cobalt Strike JARM that didn’t exist 2 months ago is much more likely to be a malicious true positive. Combine that with other server attributes like name, hosting provider, certificate authority, etc., and we have ourselves a high quality Proactive Blocklist.



The topic was, of course, related to the coronavirus. He lives in Okinawa currently, and yet believes he understands what is going on in my community in the United States. He doesn’t believe quarantine has done anything to help things, the coronavirus is not as deadly as feared, and that isolation has hurt individuals in ways that the virus never could.

When taking a closer look at Cobalt Strike, a common offensive security tool used by red teams and threat actors alike, we found obvious indicators that most of the results were indeed Cobalt Strike, with server names including things like “redteam.server”, “cobaltstrike”, and “totslegit”, as well as some of them having the default Cobalt Strike management port of 50050 open with the same JARM fingerprint. We believe that this scan found most, if not all, Cobalt Strike C2s listening on the Internet on port 443 at the time of the scan.

JARM works by actively sending 10 TLS Client Hello packets to a target TLS server and capturing specific attributes of the TLS Server Hello responses. The aggregated TLS server responses are then hashed in a specific way to produce the JARM fingerprint.

All of these factors lead to each TLS Server responding in a unique way. The combinations of factors make it unlikely that servers deployed by different organizations will have the same response.

With little to no overlap of the Alexa Top 1M Websites, it should be extremely unlikely for a host within an organization to connect to a server with these JARM fingerprints. We wanted to dive further, so our friends at SecurityTrails scanned the entire Internet, billions of IPs, over port 443 with JARM and found the following:

It is important to note that JARM is a high-performance fingerprint function and should not be considered, or confused with, a secure crypto function. We designed the JARM fingerprint to be human consumable as much as machine consumable. This means it is small enough to eyeball, share, and tweet with enough room for contextual details.

Sometimes I hate this idealism of mine because I am often disappointed in people. Still, I would far rather operate from this point of view than be someone who creates their own reality and will not ever leave it.

The 10 TLS Client Hello packets in JARM have been specially crafted to pull out unique responses in TLS servers. JARM sends different TLS versions, ciphers, and extensions in varying orders to gather unique responses. Does the server support TLS 1.3? Will it negotiate TLS 1.3 with 1.2 ciphers? If we order ciphers from weakest to strongest, which cipher will it pick? These are the types of unusual questions JARM is essentially asking the server to draw out the most unique responses. The 10 responses are then hashed to produce the JARM fingerprint.

The JARM fingerprint hash is a hybrid fuzzy hash: it uses a combination of a reversible and a non-reversible hash algorithm to produce a 62 character fingerprint. The first 30 characters are made up of the cipher and TLS version chosen by the server for each of the 10 client hellos sent. A “000” denotes that the server refused to negotiate with that client hello. The remaining 32 characters are a truncated SHA256 hash of the cumulative extensions sent by the server, ignoring x509 certificate data. When comparing JARM fingerprints, if the first 30 characters are the same but the last 32 are different, this means that the servers have very similar configurations, accepting the same versions and ciphers, though not exactly the same, given that the extensions differ.
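The fingerprint layout described above, together with the history-based false-positive filtering from the blocklist paragraph earlier, as an added example (not code from the JARM project or the original post). The fingerprint values, IPs and dates are constructed; the 60-day and 365-day thresholds are the "2 months" and "over a year" figures quoted in the text.

```python
from dataclasses import dataclass
from datetime import date

# Constructed fingerprints for illustration (not real Cobalt Strike JARM values).
JARM_A = "29d29d00029d29d00042d42d000000" + "0123456789abcdef0123456789abcdef"
JARM_B = "29d29d00029d29d00042d42d000000" + "fedcba9876543210fedcba9876543210"
JARM_C = "27d27d27d27d27d27d27d27d27d27d" + "0123456789abcdef0123456789abcdef"

def parse_jarm(fp: str) -> dict:
    """Split a 62-char JARM into 10 cipher/version segments plus the extension hash."""
    if len(fp) != 62:
        raise ValueError(f"JARM must be 62 characters, got {len(fp)}")
    segments = [fp[i:i + 3] for i in range(0, 30, 3)]
    ext_hash = fp[30:]
    int(ext_hash, 16)  # the last 32 chars are truncated SHA256, so they must be hex
    return {"segments": segments,
            "refused": segments.count("000"),  # client hellos the server declined
            "ext_hash": ext_hash}

def compare_jarm(a: str, b: str) -> str:
    """Same first 30 chars but different last 32 = similar config, different extensions."""
    pa, pb = parse_jarm(a), parse_jarm(b)
    if pa["segments"] != pb["segments"]:
        return "different"
    if pa["ext_hash"] != pb["ext_hash"]:
        return "same_ciphers_different_extensions"
    return "identical"

@dataclass
class ScanHit:
    ip: str
    jarm: str
    first_seen: str  # ISO date of first appearance in historical Internet scan data

def triage(hit: ScanHit, target_jarm: str, scan_date: str) -> str:
    """History heuristic from the post: a match stable for over a year leans false
    positive, one younger than two months leans true positive; in between, other
    attributes (name, hoster, CA) are needed before the host goes on a blocklist."""
    if compare_jarm(hit.jarm, target_jarm) != "identical":
        return "no_match"
    age_days = (date.fromisoformat(scan_date) - date.fromisoformat(hit.first_seen)).days
    if age_days > 365:
        return "likely_false_positive"
    if age_days < 60:
        return "likely_true_positive"
    return "needs_review"
```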

This is not the first time we’ve worked with TLS fingerprinting. In 2017 we developed JA3/S, a passive TLS client/server fingerprinting method now found on most network security tools. But where JA3/S is passive, fingerprinting clients and servers by listening to network traffic, JARM is an active server fingerprinting scanner. You can find out more about TLS negotiation and JA3/S passive fingerprinting here.

We did, however, find false positives in the list. It’s inevitable that in the sea of billions of IPs that some legitimate servers somewhere just happen to be configured in exactly the same way as Cobalt Strike. In the list we identified that the JARM also matches Burp Collaborator, another security tool used by red teams and threat actors alike, as well as miscellaneous legitimate servers, and a point of sale system. (Point of sale systems listening on the Internet is a subject for another blog post…) So while we believe JARM identified most, if not all, Cobalt Strike C2s listening on the Internet, we also had some legitimate servers caught in the net. This is like using a large magnet to pull all needles out of a haystack but getting some pieces of hay with them.

Malware command and control (C2) and malicious servers are configured by their creators like any other server and then deployed across their fleet. These therefore tend to produce unique JARM fingerprints. For example, when scanning Trickbot Malware C2s from a list compiled by abuse.ch, 80% of the live IPs on the list produced the same JARM fingerprint. When comparing this JARM fingerprint against the Alexa Top 1 Million websites, there was no overlap.



Category : general
