The SHA256 algorithm, a cryptographic hash function, is widely used for securing data integrity and authenticity.

It processes input data in fixed-size chunks of 512 bits (64 bytes) and produces a unique 256-bit (32-byte) hash.

This property allows for incremental hashing, where data is processed in smaller chunks without requiring the entire dataset to be loaded into memory.

Such functionality is particularly beneficial for systems with limited resources, such as embedded devices or when handling large files.

Incremental hashing works by maintaining an internal state that updates with each chunk of data processed.

This state ensures that the final hash value remains consistent regardless of whether the data is hashed all at once or in smaller segments.

The algorithm’s design makes it impossible to combine partial hashes into a complete one, preserving its security against length-extension attacks.

Technical Workflow of SHA256

The input message undergoes preprocessing to ensure its length is a multiple of 512 bits.

Padding is applied, starting with a single ‘1’ bit followed by zeros, and the original message length is appended as a 64-bit value.

This ensures compatibility with the algorithm’s block-based processing.

According to the researchers, each 512-bit chunk is divided into 16 words of 32 bits each.

These words are expanded into 64 using logical operations such as bitwise shifts and XORs.

The algorithm then performs 64 rounds of computations using these words, constants derived from prime numbers, and eight working variables initialized with predefined values.

The operations include:

• Logical functions like AND, OR, XOR, and NOT.
• Modular addition to ensure results fit within 32 bits.
• Right rotations and shifts to introduce non-linearity.

At the end of each round, the working variables are updated based on the results of these operations.

If multiple chunks are processed, the output hash values from one chunk serve as the input for the next.

After all chunks are processed, the eight working variables are concatenated to produce the final 256-bit hash value.

This value serves as a digital fingerprint of the input data and cannot be reversed to reveal the original content.

Applications and Advantages

Incremental hashing is particularly useful in scenarios where memory constraints or large datasets make it impractical to process all data at once.

Examples include:

• Verifying file integrity during streaming or transmission.
• Hashing firmware updates in embedded systems.
• Blockchain applications where transactions are hashed incrementally.

Libraries implementing SHA256 typically provide functions like update for processing chunks and finalize for generating the final hash.

This approach ensures efficiency and consistency across various use cases.

Are you from SOC/DFIR Team? - Join 500,000+ Researchers to Analyze Cyber Threats with ANY.RUN Sandbox - Try for Free

QR codes, once a symbol of convenience and security in digital interactions, have become a significant target for cybercriminals.

The Rise of Fake QR Code Scams

A new form of cyberattack, dubbed “quishing,” involves the use of counterfeit QR codes to deceive users into visiting fraudulent websites, downloading malware, or surrendering sensitive information.

This emerging threat has gained traction due to the widespread adoption of QR codes in daily life, particularly during the pandemic when contactless exchanges became the norm.

Quishing attacks exploit the inherent trust many users place in QR codes.

Scammers embed malicious codes in emails, invoices, flyers, or even physical surfaces like restaurant menus and movie tickets.

When scanned, these codes redirect users to phishing websites designed to harvest login credentials or financial data.

In some cases, scanning the code initiates malware downloads that compromise devices and corporate systems.

Techniques and Implications of Quishing

Cybersecurity experts have identified several methods employed by attackers to execute quishing schemes.

One common tactic involves embedding fake QR codes in email attachments or documents that appear legitimate.

These emails often impersonate trusted entities such as banks or service providers to trick recipients into scanning the code.

Another prevalent technique includes replacing genuine QR codes in public spaces with fraudulent ones, luring unsuspecting victims into clicking malicious links.

Financial losses are a primary risk, as fake QR codes can redirect users to counterfeit payment pages that transfer funds directly to scammers.

Additionally, quishing enables data breaches by capturing personal and financial information entered on phishing sites.

Malware infections triggered by these attacks can further compromise sensitive data and disrupt operations, posing significant financial and legal risks for businesses.

According to Tripwire Report, hackers are continuously refining their strategies, leading to the emergence of “quishing 2.0.”

This advanced form of attack combines multiple layers of deception to bypass traditional security measures.

For instance, attackers may use legitimate platforms like SharePoint or trusted QR-scanning services as intermediaries before redirecting victims to malicious sites.

These layered redirects add an air of authenticity to the scam, making it harder for users to detect foul play.

To mitigate the risks posed by quishing, organizations must adopt proactive measures. Regular staff training is essential to raise awareness about identifying suspicious QR codes and verifying their legitimacy.

Implementing multi-factor authentication (MFA) adds an extra layer of security, ensuring that even if credentials are compromised, critical accounts remain protected.

Advanced email security systems equipped with dynamic URL analysis and computer vision technology can detect malicious QR codes embedded in phishing emails.

Businesses should also bolster physical security by inspecting public QR codes for tampering and encouraging manual logins over QR-based transactions when possible.

As quishing continues to evolve as a sophisticated attack vector, fostering a culture of cybersecurity awareness and vigilance is crucial for safeguarding individuals and organizations against this growing threat.

Are you from SOC/DFIR Team? - Join 500,000+ Researchers to Analyze Cyber Threats with ANY.RUN Sandbox - Try for Free

A recent cybersecurity presentation at BSides London 2024 has unveiled a sophisticated attack technique known as Bring Your Own Trusted Binary (BYOTB).

This method leverages legitimate, trusted binaries to evade detection by advanced security measures such as Endpoint Detection and Response (EDR) systems and firewalls.

The findings, presented by cybersecurity researcher David Kennedy of Jumpsec Labs, shed light on how attackers are increasingly exploiting trusted tools to conduct covert operations.

Exploiting Trusted Tools for Malicious Purposes

The BYOTB technique capitalizes on the inherent trust placed in legitimate binaries, such as Cloudflare’s cloudflared and OpenSSH utilities.

These binaries, often digitally signed and widely used for legitimate purposes, are repurposed by attackers to bypass security controls.

For instance, Kennedy demonstrated how the cloudflared binary can be used to tunnel SSH traffic over HTTPS (port 443), effectively bypassing network restrictions and evading detection by security tools like CrowdStrike EDR.

By employing commands such as cloudflared tunnel run --token YourTokenHere, attackers can establish encrypted tunnels that appear benign.

These tunnels can then be used for reverse port forwarding or SOCKS proxying, enabling attackers to exfiltrate data or maintain persistent access to compromised systems.

OpenSSH binaries were also highlighted as a means to establish remote access by deploying them alongside necessary dependencies like libcrypto.dll.

Advanced Techniques and OPSEC Considerations

Kennedy further elaborated on advanced techniques, including the use of Cloudflare’s WARP client as an alternative to traditional SSH tunneling.

This approach acts like a VPN, allowing attackers to access target networks without relying on SSH or Proxychains.

Additionally, a “double tunnel” method was described, where attackers reroute traffic through multiple layers of tunnels to evade firewall rules that block specific ports.

Despite the effectiveness of these methods, Kennedy emphasized the importance of operational security (OPSEC) for attackers.

According to the Jumpsec Labs, overloading trusted binaries with excessive traffic or failing to conceal their presence could trigger alerts, compromising the attack.

To mitigate the risks posed by BYOTB attacks, organizations must adopt proactive monitoring and detection strategies:

• Process Telemetry: Monitor command-line arguments for suspicious keywords like “tunnel” or “access,” which may indicate misuse of binaries like cloudflared.
• DNS Logging: Track queries to domains associated with tunneling tools (e.g., argotunnel.com) to identify potential abuse.
• Firewall Rules: Restrict outbound traffic on non-essential ports and monitor for anomalies in port usage.
• File Monitoring: Detect unauthorized downloads of trusted binaries from platforms like GitHub by verifying file hashes against approved lists.

These measures, combined with regular updates to endpoint security solutions and employee awareness training, can help organizations defend against BYOTB tactics.

The rise of BYOTB attacks underscores the evolving tactics of threat actors who exploit trusted tools for malicious purposes.

By leveraging legitimate binaries, attackers can blend into normal network activity, making detection significantly more challenging.

As these techniques gain traction among cybercriminals, it is imperative for organizations to enhance their defensive capabilities and remain vigilant against emerging threats.

Are you from SOC/DFIR Team? - Join 500,000+ Researchers to Analyze Cyber Threats with ANY.RUN Sandbox - Try for Free