Cyber Defence Analysis for Blue & Purple Teams

Bluepurple Pulse: week ending April 3rd

bluepurple.binaryfirefly.com

Ukraine is the Chuck Norris of Cyber

Ollie
Apr 1, 2022

Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading).

Operationally this week there were a couple of vulnerabilities in the Spring web framework (we ran live posts on the subreddit) that distracted, but otherwise it was the usual volume of criminal incident response cases. We also continue to research and work on investigations related to the Chinese intrusions mentioned a couple of weeks back. There was also some work around organised crime with good results around infrastructure discovery. Finally we got to see some North Korean Lazarus targeting used for an initial compromise via social media in a victim org.

In the high-level this week:

  • UK Cyber Security Breaches Survey 2022 - in the last 12 months, 39% of UK businesses identified a cyber attack (those that responded) - biggest highlight here is the ‘haves’ vs ‘have nots’ in relation to cyber incident response capabilities.

  • The UK’s National Cyber Security Technical Director put out advice on the Use of Russian technology products and services following the invasion of Ukraine - punch line is it’s complicated.

  • A UK Member of Parliament Dr Jamie Wallis secured a debate in Parliament on reform of the Computer Misuse Act on April 19th, 2022.

    • the campaign for reform CyberUp has been a joy to watch grow

  • FBI put out a request for information on LAPSUS$ - When you become famous in a way you might not want… then…

    • Two UK teenagers were also charged as part of the investigation.

  • FBI released a notification on Ransomware Attacks Straining Local US Governments and Public Services

  • US’s CISA added 66 Known Exploited Vulnerabilities to its Catalog - the clock starts ticking for Federal agencies. Then they added another 7 for good measure a week or so later. I guess this is one way you get patch management sorted in federal agencies. The good old ground and pound approach.

  • US DoJ brought to justice a Cybercriminal Connected to Multimillion Dollar Ransomware Attacks Sentenced for Online Fraud Schemes - An Estonian man was sentenced to 66 months in prison, they were apprehended in Latvia and extradited to the United States for a five and a half year holiday.

  • Russian FSB officers involved in the criminal activities of the aggressor country in Europe were outed - Ukrainian reporting - a list of FSB officers who aren’t going on Holiday to Salisbury Cathedral any time soon.

  • Mitigating Attacks Against Uninterruptible Power Supply Devices - US Government outlines the risk that uninterruptible power supplies pose.

  • Chinese Cyberwarfare - a French documentary on Chinese cyberwar activities - bonne!

  • Putin’s hackers gained full access to Hungary’s foreign ministry networks, the Orbán government has been unable to stop them - what can happen to you when you aren’t a cyber Chuck Norris like Ukraine.

  • Companies Gave User Data to Hackers Who Used Forged Legal Requests - eeek! Bad day in the compliance department, also showing the risk and impact from concerted social engineering.

Have a lovely Friday

Ollie

Cyber threat intelligence

Who is doing what to whom and how.

Ukraine

Aggregate reporting on this conflict.

Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22

A little bit of a lag in the reporting but it gives a sense of the scale of the events seen in Ukraine by its CERT.

During March 15 - 22, the Ukrainian infrastructure underwent cyber attacks (according to the classification of the CERT-UA state response command):

  • UAC-0056 (Pandora hVNC, RemoteUtilities, GrimPlant, GraphSteel)

  • UAC-0051 aka unc1151 (Cobalt Strike Beacon, MicroBackdoor)

  • UAC-0010 (GammaLoad, GammaDrop, HarvesterX)

  • UAC-0082 (HermeticWiper, IsaacWiper, CaddyWiper)

  • UAC-0088 (DoubleZero)

  • UAC-0035 (LoadEdge)

  • UAC-0041 (AgentTesla, XLoader)

  • UAC-0020 aka Vermin (SPECTR)

  • UAC-0028 aka APT28

  • UAC-0026 (HeaderTip)

  • UAC-0086 (QuasarRAT)

  • UAC-0084 aka TA416 (PlugX)

  • UAC-0064 (SunSeed)

  • UAC-0033 aka XDSpy (JobDrop, StepDrum)

https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya

Tracking cyber activity in Eastern Europe

Two groups reported on in what is a rather comedic caricature of ‘the baddies’ in the guise of China and Russia. Both active in Eastern Europe and associated. Further evidence China is really being quite opportunistic and aggressive here.

Curious Gorge, a group TAG attributes to China's PLA SSF, has conducted campaigns against government and military organizations in Ukraine, Russia, Kazakhstan, and Mongolia. While this activity largely does not impact Google products, we remain engaged and are providing notifications to victim organizations.

COLDRIVER, a Russian-based threat actor sometimes referred to as Calisto, has launched credential phishing campaigns, targeting several US based NGOs and think tanks, the military of a Balkans country, and a Ukraine based defense contractor. However, for the first time, TAG has observed COLDRIVER campaigns targeting the military of multiple Eastern European countries, as well as a NATO Centre of Excellence. These campaigns were sent using newly created Gmail accounts to non-Google accounts, so the success rate of these campaigns is unknown. We have not observed any Gmail accounts successfully compromised during these campaigns.

https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe/

A Modem Wiper Rains Down on Europe

This was the big news of the week. The technical details of the Viasat modems which got nuked during the conflict came out thanks to Juan Andres Guerrero-Saade and Max van Amerongen. The technical analysis showed crossover with Russian capability used against routers and other embedded devices. This is what destruction at scale and spillover look like.

  • On Thursday, February 24th, 2022, a cyber attack rendered Viasat KA-SAT modems inoperable in Ukraine.

  • Spillover from this attack rendered 5,800 Enercon wind turbines in Germany unable to communicate for remote monitoring or control.

  • Viasat’s statement on Wednesday, March 30th, 2022 provides a somewhat plausible but incomplete description of the attack.

  • Our researchers discovered new malware that we named ‘AcidRain’.

  • AcidRain is an ELF MIPS malware designed to wipe modems and routers.

  • We assess with medium-confidence that there are developmental similarities between AcidRain and a VPNFilter stage 3 destructive plugin. In 2018, the FBI and Department of Justice attributed the VPNFilter campaign to the Russian government

  • AcidRain is the 7th wiper malware associated with the Russian invasion of Ukraine.

  • Update: In a statement disseminated to journalists, Viasat confirmed the use of the AcidRain wiper in an attack against their modems.

https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/

UAC-0056 cyberattack on Ukrainian authorities using GraphSteel and GrimPlant malware

A rather clumsy operation using basic maldoc capabilities.

Distribution of e-mails on the topic "Wage arrears" among government agencies of Ukraine. Attached to the letter is the document "Wage arrears.xls", which contains legitimate statistics and macros. At the same time, hex-coded data has been added to the mentioned document as an attachment. The macro, after activation, will decode the data, create the EXE-file "Base-Update.exe" on the computer and execute it.

This file is a downloader developed using the GoLang programming language. The program will download and run another bootloader, which, in turn, will download and run malware GraphSteel and GrimPlant on your computer.

https://cert.gov.ua/article/38374

Another cyber espionage campaign in the Russia-Ukrainian ongoing cyber attacks

Further basic email-borne capability being thrown around.

Recently, we identified a maldoc named “Ukraine Conflict Update 16_0.doc” with a creation time 2022-03-16 and whose content appears to be retrieved directly from the Institute for the Study of War website. Due to the creation time, the maldoc was generated with the latest information updated since the most recent information published by this website is from March 23 (considering it at this point in time).

https://lab52.io/blog/another-cyber-espionage-campaign-in-the-russia-ukrainian-ongoing-cyber-attacks/

Conti-nuation: methods and techniques observed in operations post the leaks

NCC Group’s Global Cyber Incident Response Team and Research documented post-leak activity we have seen involving Conti. In short, they haven’t stopped. Great work by Nikolaos Pantazopoulos, Alex Jessop and Simon Biggs here.

In February 2022, a Twitter account which uses the handle ‘ContiLeaks’, started to publicly release information for the operations of the cybercrime group behind the Conti ransomware. The leaked data included private conversations between members along with source code of various panels and tools.

Despite the public disclosure of their arsenal, it appears that Conti operators continue their business as usual by proceeding to compromise networks, exfiltrating data and finally deploying their ransomware. This post describes the methods and techniques we observed during recent incidents that took place after the Conti data leaks.

https://research.nccgroup.com/2022/03/31/conti-nuation-methods-and-techniques-observed-in-operations-post-the-leaks/

EMBER BEAR

A new Russian nexus threat actor has been named and given an avatar.

EMBER BEAR (aka UAC-0056, Lorec53, Lorec Bear, Bleeding Bear, Saint Bear) is an adversary group that has operated against government and military organizations in eastern Europe since early 2021, likely to collect intelligence from target networks. EMBER BEAR appears primarily motivated to weaponize the access and data obtained during their intrusions to support information operations (IO) aimed at creating public mistrust in targeted institutions and degrading government ability to counter Russian cyber operations.

https://www.crowdstrike.com/blog/who-is-ember-bear/

PlugX: A Talisman to Behold

Chinese implant variant documented by Max Kersten, Marc Elias, Leandro Velasco, and Alexandre Mundo Alguacil. This looks like a more strategic set of targeting due to trade and core intelligence targets.

Talisman is a newly discovered PlugX variant which follows the usual execution process by abusing a signed and benign binary which loads a modified DLL to execute shellcode. The shellcode is used to decrypt the PlugX malware which then serves as a backdoor with plug-in capabilities. Unlike other versions, the malware’s internal configuration’s signature is different, as well as other minor changes within the code.

The victims were in South Asia in the Telecommunication and Defense sectors, and align with China’s geopolitical interests. One such initiative is the Belt and Road Initiative, via which China aims to establish strong social economical relationships across Europe, Asia, and Africa via trade.

Figure 1. Talisman PlugX execution flow

https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/plugx-a-talisman-to-behold.html

Transparent Tribe campaign uses new bespoke malware to target Indian government officials

Asheer Malhotra and Justin Thattil with contributions from Kendall McKay document recent escapades by Pakistani nexus threat actor known as APT36, Transparent Tribe, ProjectM, Mythic Leopard and Operation C-Major etc. They are investing in their capabilities and it is obviously working for them…

  • [We] observed a new Transparent Tribe campaign targeting Indian government and military entities. While the actors are infecting victims with CrimsonRAT, their well-known malware of choice, they are also using new stagers and implants.

  • This campaign, which has been ongoing since at least June 2021, uses fake domains mimicking legitimate government and related organizations to deliver malicious payloads, a common Transparent tribe tactic.

  • Based on our analysis of Transparent Tribe operations over the last year, the group has continued to change its initial entry mechanisms and incorporate new bespoke malware, indicating the actors are actively diversifying their portfolio to compromise even more victims.

  • Notably, the adversary has moved towards deploying small, bespoke stagers and downloaders that can be easily modified, likely to enable quick and agile operations.

https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html

Purple Fox Uses New Arrival Vector and Improves Malware Arsenal

We covered an aspect of Purple Fox last week. However, this analysis by Sherif Magdy, Abdelrhman Sharshar and Jay Yaneza sheds light on the distribution mechanism and initial entry method.

This most recent investigation covers Purple Fox’s new arrival vector and the early access loaders we believe are associated with the intrusion set behind this botnet. Our data shows that users’ machines are targeted via trojanized software packages masquerading as legitimate application installers. The installers are actively distributed online to trick users and increase the overall botnet infrastructure.

https://www.trendmicro.com/en_us/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html

Lazarus Trojanized DeFi app for delivering malware

North Korea continues to try and acquire digital assets via cyber means. What is interesting is the tradecraft mentioned in this post which has been attributed to the Hermit Kingdom and the one after hasn’t, yet instinctively feels quite similar.

We recently discovered a Trojanized DeFi application that was compiled in November 2021. This application contains a legitimate program called DeFi Wallet that saves and manages a cryptocurrency wallet, but also implants a malicious file when executed. This malware is a full-featured backdoor containing sufficient capabilities to control the compromised victim. After looking into the functionalities of this backdoor, we discovered numerous overlaps with other tools used by the Lazarus group.

https://securelist.com/lazarus-trojanized-defi-app/106195/

Crypto malware in patched wallets targeting Android and iOS devices

Lukas Stefanko documents a much broader campaign than the one above which is trying to achieve similar aims using not dissimilar tradecraft. The sheer volume of apps and infrastructure is impressive. Demonstrating once more that organised crime (state or not) is indeed organised.

Starting in May 2021, our research uncovered dozens of trojanized cryptocurrency wallet apps. We found trojanized Android and iOS apps distributed through websites mimicking legitimate services. These malicious apps were able to steal victims’ secret seed phrases by impersonating Coinbase, imToken, MetaMask, Trust Wallet, Bitpie, TokenPocket, or OneKey.

[We] identified over 40 copycat websites of popular cryptocurrency wallets. These websites target only mobile users and offer them the download of malicious wallet apps.

The main goal of these malicious apps is to steal users’ funds and until now we have seen this scheme mainly targeting Chinese users.

We were able to trace the distribution vector of these trojanized cryptocurrency wallets back to May 2021 based on the domain registration that was provided for these malicious apps in the wild, as well as the creation of several Telegram groups that started to search for affiliate partners.

https://www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices/

Hive Ransomware Deploys Novel IPfuscation Technique To Avoid Detection

James Haughom, Antonis Terefos, Jim Walter, Jeff Cavanaugh, Nick Fox, and Shai Tilias show that offensive research capability we covered in this very newsletter (week ending February 27th, in the guise of novel AV bypass mechanisms) is quite quickly seen in the wild.

The samples in question are 64-bit Windows Portable Executables, each containing an obfuscated payload used to deliver an additional implant. The obfuscated payload masquerades itself as an array of ASCII IPv4 addresses. Each one of these IPs is passed to the RtlIpv4StringToAddressA function, which will translate the ASCII IP string to binary. The binary representation of all of these IPs is combined to form a blob of shellcode.

https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/
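For triage of a suspect file, the pattern quoted above (many ASCII IPv4 strings sitting next to each other, each standing for four payload bytes) can be hunted for and decoded statically. This is an added example, not code from this newsletter or from the SentinelOne write-up; the function names, the `min_run`/`max_gap` thresholds and the assumption that the strings are NUL-terminated with a little padding between them are mine, and `SAMPLE` is constructed and decodes to harmless text.

```python
import re

# Assumption: the "IP addresses" are stored as NUL-terminated ASCII C strings,
# optionally separated by a few alignment/padding bytes.
IPV4_CSTR = re.compile(
    rb"(?<![0-9.])(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\x00"
)


def _flush(runs, current, min_run):
    """Record the current run if it is long enough to be interesting."""
    if len(current) >= min_run:
        runs.append({
            "offset": current[0][0],   # file offset of the first string
            "count": len(current),     # number of IPv4 strings in the run
            "decoded": b"".join(raw for _, raw in current),
        })


def find_ipv4_runs(blob, min_run=16, max_gap=8):
    """Find runs of adjacent IPv4 strings in blob and decode them.

    Each string is converted the way an IPv4 string-to-address routine would:
    the four octets, in the order written, become four bytes. A run ends when
    more than max_gap bytes separate one string from the next.
    """
    runs, current, last_end = [], [], None
    for m in IPV4_CSTR.finditer(blob):
        octets = [int(g) for g in m.groups()]
        if any(o > 255 for o in octets):
            continue  # looks like an address but is not a valid one
        if last_end is not None and m.start() - last_end > max_gap:
            _flush(runs, current, min_run)
            current = []
        current.append((m.start(), bytes(octets)))
        last_end = m.end()
    _flush(runs, current, min_run)
    return runs


# Constructed sample: four padded "addresses" that decode to plain text,
# followed by one unrelated address that is too far away to join the run.
SAMPLE = (
    b"MZ\x90\x00constructed\x00"
    b"66.69.78.73\x00\x00\x00\x00\x00"
    b"71.78.45.84\x00\x00\x00\x00\x00"
    b"69.83.84.45\x00\x00\x00\x00\x00"
    b"68.65.84.65\x00"
    b"\x00\x00unrelated 10.0.0.1\x00"
)

if __name__ == "__main__":
    for run in find_ipv4_runs(SAMPLE, min_run=4):
        print(hex(run["offset"]), run["count"], run["decoded"])
```

A long run on its own is only a lead: genuine address lists (blocklists, resolver configs) exist too, so the decoded bytes still need to be inspected before drawing a conclusion.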

New Conversation Hijacking Campaign Delivering IcedID

Joakim Kennedy and Ryan Robinson provide insights as to the targeting and methods used by this criminal threat actor. I did see a good discussion on do users need to be able to mount .isos from e-mail and if so why…

In the new IcedID campaign we have discovered a further evolution of the threat actors’ technique. The threat actor now uses compromised Microsoft Exchange servers to send the phishing emails from the account that they stole from. The payload has also moved away from using office documents to the use of ISO files with a Windows LNK file and a DLL file. The use of ISO files allows the threat actor to bypass the Mark-of-the-Web controls, resulting in execution of the malware without warning to the user. With regards to targeting, we have seen organizations within energy, healthcare, law, and pharmaceutical sectors.

https://www.intezer.com/blog/research/conversation-hijacking-campaign-delivering-icedid/

Discovery

How we find and understand the latent compromises within our environments.

Okta System Log queries for attempted account takeover

Guidance from Okta themselves on which logs to query post their little mishap.

https://support.okta.com/help/s/article/System-Log-queries-for-attempted-account-takeover?language=en_US

AnyDesk Remote Access

As seen in a real case - how to detect etc.

AnyDesk was downloaded and executed, without installation on a Windows 10 instance as well as an Ubuntu 20.04 instance. A number of files were transferred from one party to another.

https://www.iblue.team/incident-response-1/anydesk-remote-access

Defence

How we proactively defend our environments.

Swish Responder Bot

Matt Suiche released a Discord bot which helps with incident response involving Discord breaches.

A Discord Incident Response Bot. Protecting Discord communities. Use this bot after being hacked to collect the required information for your investigation and understand what happened.

https://github.com/msuiche/SwishResponderBot

What to look for when reviewing a company's infrastructure

Marco Lancini walks through how to assess a modern infrastructure for security issues.

Early last year, I wrote “On Establishing a Cloud Security Program”, outlining some advice that can be undertaken to establish a cloud security program aimed at protecting a cloud native, service provider agnostic, container-based offering. The result can be found in a micro-website which contains the list of controls that can be rolled out to establish such cloud security program: A Cloud Security Roadmap Template.

Following that post, one question I got asked was: “That’s great, but how do you even know what to prioritize?”

https://www.marcolancini.it/2022/blog-cloud-security-infrastructure-review/

Safer Viewer

Simon Baker released a tool which allows macOS users to shuffle their attachments off to Google Drive before using a browser based viewer. The value is that it stops end users getting popped via native apps.

This utility is a Mac application which you can 'drag and drop' files onto, as a safer way to open them avoiding using applications on your host machine. It is intended for end users to preview documents, such as those attached to emails. Note, this is only of use to you if you are already hooked into using Google Docs for your organisation. Of course, you could re-implement the concept to suit your use case.

https://github.com/PortSwigger/SaferViewer

No Direct IP

Ollie JC released a browser extension which stops you from visiting an IP address when you wanted to search for it instead.

This browser extension blocks external or public IP v4 and v6 addresses.

https://github.com/OllieJC/no-direct-ip

Offense

Attack capability, techniques and tradecraft.

DLLirant

Yann F provides a tool to automate the discovery of DLL hijacking vulnerabilities on Microsoft Windows.

DLLirant is a tool to automatize the DLL Hijacking researches on a specified binary.

https://github.com/Sh0ckFR/DLLirant

Vulnerability

Our attack surface.

Container Breakout Vulnerabilities

Rory McCune, Noel Georgi, Moritz and Timothée Ravier are keeping a running list of vulnerabilities which support breakouts. Demonstrating once more why containers are not a security boundary in reality.

https://www.container-security.site/attackers/container_breakout_vulnerabilities.html

RCE in Sophos Firewall (CVE-2022-1040)

An authentication bypass vulnerability allowing remote code execution was discovered in the User Portal and Webadmin of Sophos Firewall

https://www.sophos.com/en-us/security-advisories/sophos-sa-20220325-sfos-rce

Splunk Indexer denial-of-service via malformed S2S request

Denial of Service of your eyes and ears is never a good thing.

The lack of validation of a key-value field in the Splunk-to-Splunk protocol results in a denial-of-service in Splunk Enterprise instances configured to index Universal Forwarder traffic.

https://www.splunk.com/en_us/product-security/announcements/svd-2022-0301.html

GitLab Critical Security Release: 14.9.2, 14.8.5, and 14.7.7

Well this probably couldn’t be much worse.

A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts

https://about.gitlab.com/releases/2022/03/31/critical-security-release-gitlab-14-9-2-released/

Exploitation

What is being exploited.

CVE-2022-0337 System environment variables leak on Google Chrome, Microsoft Edge and Opera

Successful exploitation of this vulnerability can lead to the leak of user's secrets stored inside a system environment variables. A security bug was found in Chromium 92 version and patched in 97 version.

https://github.com/Puliczek/CVE-2022-0337-PoC-Google-Chrome-Microsoft-Edge-Opera

CVE-2022-1096 Chrome Exploit in the Wild

This was used by North Korea - Version 99.0.4844.84 for Windows, Mac and Linux addresses it, as does Edge 99.0.1150.55.

To quote Google:

Google is aware that an exploit for CVE-2022-1096 exists in the wild.

Suspected Patch:

  • https://github.com/v8/v8/commit/a2cae2180a7a6d64ccdede44d730c9fbba690fb7

Chrome:

  • https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_25.html

Edge:

  • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-1096

Russian ISP Announced Twitter's Address Space via BGP on Monday for 45 minutes

Original event where a Russian ISP announced Twitter’s address space:

  • https://bgpstream.com/event/288327

Analysis:

  • https://dshield.org/forums/diary/BGP+Hijacking+of+Twitter+Prefix+by+RTCommru/28488/

News

  • https://arstechnica.com/information-technology/2022/03/absence-of-malice-russian-isps-hijacking-of-twitter-ips-appears-to-be-a-goof/

Footnotes

Some other small bits and bobs which might be of interest.

  • 2022 Threat Detection Report

  • Smart Contract Security Verification Standard - Smart Contract Security Verification Standard (v1.2) is a 14-part checklist created to standardize the security of smart contracts for developers, architects, security reviewers and vendors.

  • 11 Strategies of a World-Class Cybersecurity Operations Center, a new book

  • List of RSS feeds for government CERTs - by MITRE, YMMV.

  • Microtargeted Propaganda by Foreign Actors - we’ve covered this topic before but updated reporting on this topic.

That’s all folks.. until next week..

© 2023 Ollie Whitehouse from BinaryFirefly