Category Archives: infrastructure

Unveiling Hidden Connections: JA4 Client Fingerprinting on VirusTotal

Posted on by

VirusTotal has incorporated a powerful new tool to fight against
malware: JA4 client fingerprinting. This feature allows
security researchers to track and identify malicious files based
on the unique characteristics of their TLS client communications.



JA4: A More Robust Successor to JA3

JA4,
developed by
FoxIO, represents a significant
advancement over the older JA3 fingerprinting method. JA3’s
effectiveness had been hampered by the increasing use of TLS
extension randomization in https clients, which made
fingerprints
less consistent. JA4 was specifically designed to be
resilient to this randomization, resulting in more stable and
reliable fingerprints.


Unveiling the Secrets of the Client
Hello

JA4 fingerprinting focuses on
analyzing the
TLS Client Hello packet, which is sent unencrypted from
the client to the server at the start of a TLS connection.
This packet contains a treasure trove of information that can
uniquely identify the client application or its underlying
TLS library. Some of the key elements extracted by JA4
include:

  • TLS
    Version: The version of TLS supported by the
    client.
  • Cipher
    Suites: The list of cryptographic algorithms the client can
    use.
  • TLS
    Extensions: Additional features and capabilities supported
    by the client.
  • ALPN
    (Application-Layer Protocol Negotiation): The
    application-level protocol, such as HTTP/2 or HTTP/3, that
    the client wants to use after the TLS
    handshake.


JA4 in Action: Pivoting and Hunting on
VirusTotal

VirusTotal has integrated JA4
fingerprinting into its platform through the behavior_network
file
search modifier. This allows analysts to quickly
discover relationships between files based on their JA4
fingerprints.

To find the JA4 value, navigate to the “behavior” section of
the desired sample and locate the TLS subsection. In addition
to JA4, you might also find JA3 or JA3S there.

Example Search: Let’s say you’ve encountered a suspicious
file that exhibits the JA4 fingerprint
“t10d070600_c50f5591e341_1a3805c3aa63” during VirusTotal’s
behavioral analysis.

You can click on this JA4 to pivot using the
search query
behavior_network:t10d070600_c50f5591e341_1a3805c3aa63
finding other files with the same fingerprint This search
will pivot you to additional samples that share the same JA4
fingerprint, suggesting they might be related. This could
indicate that these files are part of the same malware family
or share a common developer or simply share a common TLS
library.


Wildcard Searches

To broaden your search, you can
use wildcards within the JA4 hash. For instance, the search:

behaviour_network:t13d190900_*_97f8aa674fd9

Returns files that match the
JA4_A and JA4_C components of the JA4 hash while allowing
for variations in the middle section, which often corresponds
to the cipher suite. This technique is useful for identifying
files that might use different ciphers but share other JA4
characteristics.



YARA Hunting Rules: Automating JA4-Based
Detection

YARA hunting rules using the
“vt” module can be written to
automatically detect files based on their JA4 fingerprints.
Here’s an example of a YARA rule that targets a specific JA4
fingerprint:

This rules will flag any file submitted to VirusTotal that
exhibits the matching JA4 fingerprint. The first example only
matches “t12d190800_d83cc789557e_7af1ed941c26” during
behavioral analysis. The second rule will match a regular
expression /t10d070600_.*_1a3805c3aa63/, only matching JA4_A
and JA4_C components, excluding the JA4_B cipher suite. These
fingerprints could be linked to known malware, a suspicious
application, or any TLS client behavior that is considered
risky by security analysts.

JA4: Elevating Threat
Hunting on VirusTotal

VirusTotal’s adoption
of JA4 client fingerprinting will provide users with an
invaluable tool for dissecting and tracking TLS client
behaviors, leading to enhanced threat hunting, pivoting, and
more robust malware identification.

Happy Hunting.

Continue reading Unveiling Hidden Connections: JA4 Client Fingerprinting on VirusTotal

Interplanetary shock wave angles are key to infrastructure threat

Posted on by

Giant shock waves emanating from the Sun can give us some breathtaking auroras here on Earth. They can also cause energy surges that can damage our infrastructure, says a new study that looks at how their angles of impact shape their consequences.Conti… Continue reading Interplanetary shock wave angles are key to infrastructure threat

Water facilities warned to improve cybersecurity

Posted on by

United States water facilities, which include 150,000 public water systems, have become an increasingly high-risk target for cyber criminals in recent years. This rising threat has demanded more attention and policies focused on improving cybersecurity. Water and wastewater systems are one of the 16 critical infrastructures in the U.S. The definition for inclusion in this […]

The post Water facilities warned to improve cybersecurity appeared first on Security Intelligence.

Continue reading Water facilities warned to improve cybersecurity

Forget AI: Physical threats are biggest risk facing the 2024 election

Posted on by

November’s vote has been called the “AI election,” but officials are most worried about the physical safety of election workers and infrastructure. 

The post Forget AI: Physical threats are biggest risk facing the 2024 election appeared first on CyberScoop.

Continue reading Forget AI: Physical threats are biggest risk facing the 2024 election

45% of China’s urban land is rapidly sinking due to manmade development

Posted on by

A perfect storm is brewing for China’s most densely populated areas due to rising sea levels and subsiding land that has been accelerated beyond normal fluctuations. Scientists have sounded the alarm that, without intervention, urban areas below sea le… Continue reading 45% of China’s urban land is rapidly sinking due to manmade development

Backdoor in XZ Utils That Almost Happened

Posted on by

Last week, the Internet dodged a major nation-state attack that would have had catastrophic cybersecurity repercussions worldwide. It’s a catastrophe that didn’t happen, so it won’t get much attention—but it should. There’s an important moral to the story of the attack and its discovery: The security of the global Internet depends on countless obscure pieces of software written and maintained by even more obscure unpaid, distractible, and sometimes vulnerable volunteers. It’s an untenable situation, and one that is being exploited by malicious actors. Yet precious little is being done to remedy it…

Continue reading Backdoor in XZ Utils That Almost Happened

Maybe the Phone System Surveillance Vulnerabilities Will Be Fixed

Posted on by

It seems that the FCC might be fixing the vulnerabilities in SS7 and the Diameter protocol:

On March 27 the commission asked telecommunications providers to weigh in and detail what they are doing to prevent SS7 and Diameter vulnerabilities from being misused to track consumers’ locations.

The FCC has also asked carriers to detail any exploits of the protocols since 2018. The regulator wants to know the date(s) of the incident(s), what happened, which vulnerabilities were exploited and with which techniques, where the location tracking occurred, and ­ if known ­ the attacker’s identity…

Continue reading Maybe the Phone System Surveillance Vulnerabilities Will Be Fixed