Bluepurple Pulse: week ending April 23rd
Privacy debates appear mostly polarized and need to move to a 'slider' of tradeoffs and consequences.
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week you will see there is a lot of reporting. The standout continues to be revelations in the 3CX case where the supply chain attack they enabled was in part caused by another supply chain attack. I’m not sure I agree with all the headlines about this being the first second-order supply chain attack. The first detected? The first publicly reported? Maybe..
In the high-level this week:
Eight Chinese Government Officials Charged with Directing Employee of a U.S. Telecommunications Company to Remove Chinese Dissidents from Company's Platform - insider threat from those who can be compelled by the state is real.
Crypto-assets: green light to new rules for tracing transfers in the EU - crypto assets are no longer going to be what cypherpunks hoped they would be, at least in Europe.
World's largest cyber defense exercise Locked Shields brings together over 3000 participants - fascinating the scale this has got to.
Cybersecurity and Infrastructure Security Agency Director at Government Tech Summit - “We still are not at a level where we have a sustainable approach to securing our nation” - couldn’t agree more, see last week’s reflections.
NSA, U.S. and International Partners Issue Guidance on Securing Technology by Design and Default - Five Eyes release - this is the buying signal of what is going to be expected.
International approaches to reform: Belgium’s new legal safe harbor for ethical hackers - UK Computer Misuse Act campaign reform analysis of what has happened in Belgium. As I noted this week the new UK Justice Secretary has previously been pro-CMA reform so it is interesting times.
The Joint Committee on the National Security Strategy will take evidence on Ransomware - the next iteration of this is happening this coming Monday in the UK.
Joe Cuddeford appointed Director for the UK’s £60 million Digital Footprints program - the actual program is fascinating and will have wider value.
Philippines to partner with US, India to construct digital public infrastructure - this is an indication of India’s future role in a world where China is not.
Evaluating the National Cyber Force’s ‘Responsible Cyber Power in Practice’ -
Commercial offensive capability - there was paywalled reporting on Russian commercial exploit capability teams pushing into the Middle East. This is likely suboptimal - outside of this we then had:
UK warns of attacks from new ‘Wagner-like’ Russian cyber hackers - ideological private military contractors come to cyber.. what a time..
Cyber experts warn of rising threat from irresponsible use of commercial hacking tools over the next five years - the UK’s National Cyber Security Centre released a report from Assessment (the independent team which does such things on behalf of Government for cyber). It was great to see the report go public in this way, it is a really great bit of work.
Citizen Lab's research was the last nail: Israeli Quadream is closing - when the fragility of your vulnerability research and exploit development capability is high, don’t build a company around it and export to bad people; that is the lesson here.
Triple Threat: NSO Group’s Pegasus Spyware Returns in 2022 with a Trio of iOS 15 and iOS 16 Zero-Click Exploit Chains - the other end of the same spectrum.
Time to Designate Space Systems as Critical Infrastructure - fascinating we need to put labels on things to drive appropriate responses in 2023. The fragility that requiring this creates can’t be underestimated.
Russia / Ukraine - various high-level analysis this week on the war and cyber from learned think tanks.
The Cyber Dimensions of the Russia-Ukraine War - from the European Cyber Conflict Research Initiative
Integrating Cyber Into Warfighting: Some Early Takeaways From the Ukraine Conflict - from the Carnegie Endowment for International Peace
Cyber Operations in Russia’s War against Ukraine - from The German Institute for International and Security Affairs (SWP)
One Year of Hostilities in Ukraine: Nine Notes on Cyber Operations - from the European Repository of Cyber Incidents
Cyberwarfare: Russia vs Ukraine : Russian Cyber Units - from the Center for Strategic Cyberspace + International Studies
Hackers Inc: Chasing the cybercrime syndicates attacking Australia - Aussie investigative reporting on organized cyber crime which caused one of Australia’s largest breaches.
United States Cyber Command Legal Conference happened (Day 1 / Day 2) - for a cyber nerd one of the more alternatively interesting conferences happened.
Keynote remarks - I love the fact that legal interoperability is a thing between governments.
Reflections on the DoD General Counsel’s Cyber Law Address - Lieber Institute West Point - analysis by West Point on the conference - “[i]ncreased transparency enhances legitimacy and predictability by helping to develop and strengthen expectations surrounding State behavior, as well as possible responses, in the rapidly evolving cyber domain.”
The reflections this week come from using the same line in various conversations whilst at CyberUK and on Friday back in London. Namely that the privacy debates which are had today are often polarized. Privacy is a slider where tradeoffs exist for enablers: total privacy at one end and a total lack of it at the other. The important point is that total privacy isn’t without consequences, and nor is its counterpart. As a cyber defender it is an interesting time as we navigate various issues where these tradeoffs need to be made to retain security capabilities. In the IETF discussion on our soon-to-be RFC, Indicators of Compromise (IoCs) and Their Role in Attack Defence, it came up numerous times, and aggressively so by some, without acceptance that there might be negative impacts from total privacy on cyber defence. Somewhat related, the FBI is able to start building an evidence base on the volume of investigations negatively impacted by encryption. We likely need to move the conversation on to being more balanced.
On the interesting job/role front:
Technologist at Amnesty International focused on offensive cyber
Sr. Anti-Cheat Engineer at Electronic Arts in Texas
Head of Operations at the National Cyber Crime Unit, UK
Sr. Director Analyst, Vulnerability Management and Penetration Testing at Gartner, UK - you can help the world buy some cyber.
Technical Skills Trainer – Digital & Cyber - UK College of Policing
Historian at US Cyber Command at Fort Meade - the salary is amazing by UK comparators.
Senior Researcher and Managing Editor at The European Cyber Conflict Research Initiative (ECCRI)
Finally we have this segment from the BBC this week which will help with wider public understanding and debate (similar to the Aussie segment above).
Have a lovely Saturday
Ollie
Cyber threat intelligence
Who is doing what to whom and how.
Russia
Ukraine remains Russia’s biggest cyber focus in 2023
A broad set of reporting here from TAG.
FROZENBARENTS continues to exploit EXIM mail servers globally and use these compromised hosts as part of their operational network, a trend going back to at least August 2019. These compromised hosts have been observed accessing victim networks, interacting with victim accounts, sending malicious emails and engaged in information operations (IO) activity.
https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/
Hacked: Russian GRU officer wanted by the FBI, leader of the hacker group APT 28
When doxing of senior intelligence officers responsible for offensive cyber becomes a thing.
Some of the relatively recent technical documents found in Morgachev’s mail include files with notes regarding patches for Cobalt Strike, a platform used by hackers for cyberattacks:
https://informnapalm.org/en/hacked-russian-gru-officer/
Summary of Q1 2023 attacks seen by Ukraine Gov
High-level summary reporting from the Ukraine government.
In general, during the 1st quarter of 2023, 7 million suspicious information security events were detected using the means of the System for detecting vulnerabilities and responding to cyber incidents and cyber attacks (during the initial analysis); processed 34,000 critical information security events (potential cyber incidents detected by filtering suspicious IS events and secondary analysis); recorded and processed directly by security analysts 202 cyber incidents.
https://cip.gov.ua/ua/news/systematicity-and-intensity-of-russia-s-cyberattacks-remain-high-report
https://cip.gov.ua/services/cm/api/attachment/download?id=53657
Jaguar Tooth, non-persistent malware that targets Cisco IOS routers
UK Government and friends reporting on Cisco IOS router implants using a six-year-old vulnerability. The second title for this reporting was APT28 exploits known vulnerability to carry out reconnaissance and deploy malware on Cisco routers.
Jaguar Tooth is non-persistent malware that targets Cisco IOS routers.
Collects device information and exfiltrates over Trivial File Transfer Protocol (TFTP).
Enables unauthenticated backdoor access.
It is deployed and executed via exploitation of the patched Simple Network Management Protocol (SNMP) vulnerability CVE-2017-6742.
https://www.ncsc.gov.uk/files/Advisory_APT28-exploits-known-vulnerability.pdf
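As an added example (not part of the NCSC advisory), a small detector over constructed flow records for the two network behaviours the advisory describes: SNMP reaching a router from outside the management network, and TFTP leaving a router. The management prefix, router addresses and the CSV record format are assumptions.

```python
"""Flag flows matching the Jaguar Tooth deployment / exfiltration pattern.

Added example, not from the advisory. Assumptions: flows arrive as
"src,dst,proto,dport" CSV lines (constructed here), routers are 10.0.0.1 and
10.0.0.2, and SNMP is only legitimate from the 10.0.0.0/24 management network.
"""
import ipaddress
from typing import List, Optional, Tuple

MGMT_NETS = [ipaddress.ip_network("10.0.0.0/24")]   # assumption
ROUTERS = {"10.0.0.1", "10.0.0.2"}                  # assumption

SNMP_PORT = 161  # CVE-2017-6742 is reached over SNMP
TFTP_PORT = 69   # Jaguar Tooth exfiltrates collected device info over TFTP


def in_mgmt(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MGMT_NETS)


def classify(line: str) -> Optional[str]:
    """Return a finding label for one flow record, or None if it looks benign."""
    src, dst, proto, dport = line.strip().split(",")
    proto, dport = proto.upper(), int(dport)
    if proto != "UDP":
        return None
    if dport == SNMP_PORT and dst in ROUTERS and not in_mgmt(src):
        return "snmp-to-router-from-untrusted-source"
    if dport == TFTP_PORT and src in ROUTERS:
        return "tftp-egress-from-router"
    return None


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Run classify() over a batch of records, skipping blanks and comments."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        label = classify(line)
        if label:
            findings.append((line.strip(), label))
    return findings


# Constructed sample flows: a legitimate SNMP poll from the management net,
# SNMP from an internet address, a TFTP upload from a router, a DNS query.
SAMPLE_FLOWS = [
    "10.0.0.50,10.0.0.1,udp,161",
    "198.51.100.7,10.0.0.1,udp,161",
    "10.0.0.2,203.0.113.9,udp,69",
    "10.0.0.50,10.0.0.53,udp,53",
]

if __name__ == "__main__":
    for record, label in scan(SAMPLE_FLOWS):
        print(f"{label}: {record}")
```

The advisory is clear that the SNMP bug is patched, so patching and restricting SNMP to management sources is the control; this check only surfaces the deployment path and the TFTP exfiltration after the fact.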
Exposed Web Panel Reveals Gamaredon Group's Automated Spear Phishing Campaigns
Arda Büyükkaya provides an interesting insight into the functional elements of this group’s infrastructure. Debate whether they had explicit authorization as required under the UK’s Computer Misuse Act and the US’s Computer Fraud and Abuse Act.
On February 09, 2023, [we] identified a spear phishing campaign targeting Ukrainian government entities like the Foreign Intelligence Service of Ukraine (SZRU) and Security Service of Ukraine (SSU). Analysts identified a publicly exposed Simple Mail Transfer Protocol (SMTP) server and assess with high confidence that the threat actor used the SMTP server to craft and deliver phishing emails.
The SMTP server contained a web panel designed to create and distribute spear phishing emails. It enables the email to have a malicious attachment and leverages email spoofing techniques to make it appear from a legitimate source.
North Korea
North Korea reporting varies this week with some 3CX and some not.
APT43: An investigation into the North Korean group’s cybercrime operations
Vicente Díaz uses their data to identify trends around this threat actor’s samples, where they come from, how detections have evolved etc. If you want a graph which shows the fragility of detecting malware as your defense, this will do it.
https://blog.virustotal.com/2023/04/apt43-investigation-into-north-korean.html
Kimsuky: Infamous Threat Actor Churns Out More Advanced Malware
Nico Chiaravio & Gianluca Braga provide a good summary of some of the mobile tradecraft. You’ll just need to forgive the over magic amulet product placement in the post.
https://www.zimperium.com/blog/kimsuky-infamous-threat-actor-churns-out-more-advanced-malware/
North Korean Ransomware Related Bitcoin Address Transaction Tracking
Park Hyun-jae provides a quick analysis of the 43 bitcoin addresses disclosed by USG and South Korea. This was an interesting throwaway line..
Of the 43 publicly available Bitcoin addresses, transaction records were found in a total of 9 addresses. In addition, it was confirmed that all nine addresses for which transaction records were confirmed sent bitcoins without leaving them. In addition, the two bitcoin addresses marked in red in the table above are judged to be addresses in the wrong format, as data is not retrieved.
Uncovering nation state watering hole credential harvesting campaigns targeting human rights activists by APT threat group UCID902
South Korean reporting on North Korean activity in two very recent campaigns. The use of legitimate websites for staging is of note, as is the victimology. The actual operational tradecraft beyond that is pretty typical.
On 2023-03-17, [We] received a sample from an NGO that supports North Korean refugees. We found that this phishing campaign used a KISA Security Notification email as a lure, synonymous with historical campaigns. In addition, the phishing page mimicked that of a Naver login page, which was hosted on a legitimate Law Firm’s website, resulting in a watering hole attack. The same web server IP, hosting the Law Firm’s website, was also seen mimicking a Naver login page on 2023-01-27 on a Child Education website; which we saw involved in a targeted credential harvesting campaign against a Korean University professor. Both these sites were developed by the same developer and hosted on that developer’s webserver. The web developer was a company based in Seoul.
On 2023-01-25, [We] received a sample from an activist based in South Korea who works on North Korean human rights. This campaign used a Naver alert message as an email lure, and directed the victim to a fake Naver login page hosted on a legitimate Medical Research Institutions website, indicating a watering hole attack. The server IP of this website was also seen on three other separate watering hole attacks we tracked. All three occasions saw credential harvesting campaigns targeting victims related to the MO of UCID902. These campaigns were also hosting Naver login pages. The websites used in the watering hole attacks described above were four differing Medical Research Institutions, which all shared the same web development company and server IP address.
'RustBucket' malware targets macOS
Ferdous Saljooki and Jaron Bradley discuss in-the-wild North Korean macOS malware; the initial distribution mechanism is not known. Not signed or anything.. it will be interesting to understand how effective it is in the real world.
[We] discovered a macOS malware family that communicates with command and control (C2) servers to download and execute various payloads. We track and protect against this malware family under the name ‘RustBucket’ and suspect it to be attributed to a North Korean, state-sponsored threat actor. The APT group called BlueNoroff is thought to act as a sub-group to the well-known Lazarus Group and is believed to be behind this attack.
https://www.jamf.com/blog/bluenoroff-apt-targets-macos-rustbucket-malware/
3CX
Various bits of reporting continue on this incident.
Security Update Thursday 20 April 2023 – Initial Intrusion Vector Found
Agathocles Prodromou, Chief Network Officer for 3CX (amazing title), provides a summary of their supplier’s findings.
[They] identified the source of our internal network compromise began in 2022 when an employee installed the Trading Technologies X_TRADER software on the employee’s personal computer. Although the X_TRADER installation software was downloaded from the Trading Technologies website, it contained VEILEDSIGNAL malware, which enabled the threat actor (identified as UNC4736) to initially compromise and maintain persistence on the employee’s personal computer.
https://www.3cx.com/blog/news/mandiant-security-update2/
3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible
Jeff Johnson, Fred Plan, Adrian Sanchez, Renato Fontana, Jake Nicastro, Dimiter Andonov, Marius Fodoreanu and Daniel Scott then provide the detail behind the above.
https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise
Linux malware strengthens links between Lazarus and the 3CX supply‑chain attack
Peter Kálnai and Marc-Etienne M.Léveillé discover a campaign which shows Linux users are a target for North Korea. Very interesting to see the attack chain here in action..
[We] have discovered a new Lazarus Operation DreamJob campaign targeting Linux users. Operation DreamJob is the name for a series of campaigns where the group uses social engineering techniques to compromise its targets, with fake job offers as the lure. In this case, we were able to reconstruct the full chain, from the ZIP file that delivers a fake HSBC job offer as a decoy, up until the final payload: the SimplexTea Linux backdoor distributed through an OpenDrive cloud storage account.
Additionally, this discovery helped us confirm with a high level of confidence that the recent 3CX supply-chain attack was in fact conducted by Lazarus.
ICONICSTEALER | CISA - This variant of malware was utilized in the supply chain attack on the commercial software 3CXDesktopApp
Malware analysis from CISA.
https://www.cisa.gov/news-events/analysis-reports/ar23-110a
Supply Chain Attack Against 3CXDesktopApp - link roundup
Link aggregation, albeit not comprehensive.
https://www.cisa.gov/news-events/alerts/2023/03/30/supply-chain-attack-against-3cxdesktopapp
China
Attacks using FlowCloud originating from USB memory - by targeted attack groups such as Mustang Panda
Japanese reporting on Chinese state activity which shows the enduring use of USB-borne delivery. The point of note from this reporting is that their Windows kernel rootkit works on Windows 11.
In this driver, the offset value for build number 22000 was added, and it was confirmed that it supports Windows 11 Version 21H2 .
As well as the attack chain:
Daggerfly: APT Actor Targets Telecoms Company in Africa
Active telco compromise in Africa by China. Someone should reach out and touch someone..
A telecommunications organization in Africa appears to be among the latest targets for the Daggerfly (aka Evasive Panda, Bronze Highland) advanced persistent threat (APT) group, with the group’s most recent campaign using previously unseen plugins from the MgBot malware framework.
The first indications of malicious activity on this victim’s network were seen in November 2022, but there are indications the activity is likely still ongoing.
Iran
Nation-state threat actor Mint Sandstorm refines tradecraft to attack high-value targets
Pretty robust reporting on the change of targeting here. The tradecraft is n-days and phishing though, so..
From late 2021 to mid-2022, this Mint Sandstorm subgroup moved from reconnaissance to direct targeting of US critical infrastructure including seaports, energy companies, transit systems, and a major US utility and gas entity potentially in support of retaliatory destructive cyberattacks.
SimpleHarm: Tracking MuddyWater’s infrastructure
This reporting highlights Iran’s use of legitimate remote administration/support tooling in their operations. Looking for these is likely wise, and if you use them in your estate you likely need to be mindful.
In the last few years, the group has been using legitimate remote control tools such as ScreenConnect, RemoteUtilities, and Syncro.
we discovered that MuddyWater used another similar tool, SimpleHelp
https://www.group-ib.com/blog/muddywater-infrastructure/
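As an added example (not from the Group-IB reporting), one way to act on the "look for these, and be mindful if you use them" point: review a process inventory against an allowlist of sanctioned remote-administration tools, and flag even a sanctioned tool when it runs from a user-writable path. The tool names come from the reporting above; the binary-name substrings, the approved set and the CSV inventory format are assumptions.

```python
"""Flag remote-administration tools that are not sanctioned, or that run from
unusual locations.

Added example, not from the Group-IB reporting. The tool names come from that
reporting; the binary-name substrings and the approved set are assumptions to
adapt to your estate. The inventory rows below are constructed.
"""
import csv
import io
from typing import Dict, List, Optional, Tuple

# tool -> substrings seen in its process name or install path (assumptions; verify per vendor)
RMM_SIGNATURES: Dict[str, Tuple[str, ...]] = {
    "ScreenConnect": ("screenconnect",),
    "RemoteUtilities": ("rutserv", "rfusclient", "remoteutilities"),
    "Syncro": ("syncro",),
    "SimpleHelp": ("simplehelp", "jwrapper-remote access"),
}
APPROVED_TOOLS = {"ScreenConnect"}  # assumption: the one tool the estate actually uses
EXPECTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")


def identify_tool(process: str, path: str) -> Optional[str]:
    """Map a process name / path pair to a known remote-admin tool, if any."""
    haystack = (process + " " + path).lower()
    for tool, needles in RMM_SIGNATURES.items():
        if any(n in haystack for n in needles):
            return tool
    return None


def review_inventory(csv_text: str) -> List[Tuple[str, str, str]]:
    """Return (host, tool, finding) for each row that needs a look."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        tool = identify_tool(row["process"], row["path"])
        if tool is None:
            continue
        if tool not in APPROVED_TOOLS:
            findings.append((row["host"], tool, "unsanctioned-remote-admin-tool"))
        elif not row["path"].lower().startswith(EXPECTED_ROOTS):
            # The sanctioned tool, but dropped into a profile directory rather
            # than installed: typical of an attacker-supplied copy.
            findings.append((row["host"], tool, "approved-tool-from-unusual-path"))
    return findings


# Constructed inventory: one clean install, one copy of the sanctioned tool in
# %TEMP%, a SimpleHelp client, a Remote Utilities host, and a benign process.
SAMPLE_INVENTORY = """\
host,process,path
ws01,ScreenConnect.ClientService.exe,C:\\Program Files (x86)\\ScreenConnect Client (abc)\\ScreenConnect.ClientService.exe
ws02,ScreenConnect.ClientService.exe,C:\\Users\\bob\\AppData\\Local\\Temp\\ScreenConnect.ClientService.exe
ws03,Remote Access.exe,C:\\Users\\bob\\AppData\\Local\\JWrapper-Remote Access\\Remote Access.exe
ws04,rutserv.exe,C:\\Program Files (x86)\\Remote Utilities - Host\\rutserv.exe
ws05,explorer.exe,C:\\Windows\\explorer.exe
"""

if __name__ == "__main__":
    for host, tool, finding in review_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {tool}: {finding}")
```

Name matching is deliberately loose (a renamed binary still tends to keep its install directory or service name); tighten it with signer or hash checks once you know which tool your estate legitimately runs.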
Cyber Espionage in India: Decoding APT-36's New Linux Malware Campaign
Tejaswini Sandapolla provides reporting of Pakistani activity in India. Again, interesting that Linux was the target here.
Transparent Tribe used the Kavach authentication tool as a cover to deliver the Poseidon payload. Kavach is a two-factor authentication (2FA) solution provided by the Indian government for secure access to their email services. Transparent Tribe created a backdoored version of Kavach to target Linux users working for Indian government agencies.
https://www.uptycs.com/blog/cyber_espionage_in_india_decoding_apt_36_new_linux_malware
Xiaoqiying/Genesis Day Threat Actor Group Targets South Korea, Taiwan
Patriotic hackers: like the China of old but with modern-day tooling and capabilities.
The threat actor group Xiaoqiying (aka Genesis Day, Teng Snake) is a primarily Chinese-speaking threat group that conducted website defacement and data exfiltration attacks on more than a dozen South Korean research and academic institutions in late-January 2023. More recently, its affiliated threat actors have signaled a new round of cyberattacks against organizations in Japan and Taiwan. Based on the analysis of the group’s Telegram channels, postings on special-access forums, and its presence on a clearnet website, we conclude that this is a hacktivist group primarily motivated by patriotism toward China, and it will likely conduct similar cyberattacks against Western and NATO targets, as well as any country or region deemed hostile to China.
Per its Telegram channel chat logs, the threat group likely exploits vulnerabilities in internet-facing devices and remote access tools to gain initial access. In addition, allegedly “cracked” versions of penetration tools, including Cobalt Strike, Brute Ratel, Burp Suite, as well as proof-of-concept code (POC) for exploits and other malware, were shared across the threat group’s Telegram channels
https://go.recordedfuture.com/hubfs/reports/cta-2023-0420.pdf
APT-C-36 (Blind Eagle) Group Deploys LimeRAT Components Against Colombia Region
Chinese reporting on a Colombian threat actor targeting its own region once more, likely as part of their global south play. The takeaway is that their tradecraft hasn’t changed and uses the typical phishing flows.
[We] discovered and captured Blind Eagle's attack on the Colombia region. The organization uses spear phishing attacks, using PDF files as the entry point and inducing users to click the link in the document to download a RAR archive. The archive requires the password shown in the decoy document to decompress. After decompression, it is a VBS script disguised with a PDF file icon. After the script is clicked and executed by the user, it starts a complex, multi-stage fileless attack chain and finally loads the LimeRAT remote control Trojan, instead of the previously used AsyncRAT and NjRAT remote control Trojans, which shows that the organization has a rich and diverse set of attack weapons and different attack Trojans.
Attack campaign distributing malware using fake Google Chrome error screens from defaced websites
Japanese reporting on an interesting campaign here. It’s both simple and really quite clever.
Since around November 2022, [we have] been observing an attack campaign distributing malware from a web page disguised as a Google Chrome error screen. It became active from around February 2023, and malware downloads have been confirmed in a very wide range, so it is necessary to be careful. This article provides an overview of the attack campaign and the malware.
The origin of this attack campaign is a compromised legitimate website. SOC has confirmed that multiple legitimate websites have been defaced.
The EXE file contained in the ZIP file is a Monero miner. It has the following functions.
Copy itself to C:\Program Files\Google\Chrome under the name updater.exe
Launch legitimate conhost.exe and process injection
Persisted using task scheduler and registry
Windows Defender exclusion settings
Stop services related to Windows Update
Interfering with communication of security products by rewriting the Hosts file
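The last behaviour in that list, rewriting the hosts file to cut security products off from their update and cloud services, is easy to check for. As an added example (not from the Japanese reporting), a parser that flags hosts-file entries pointing watched domains at a loopback or null address. The watchlist suffixes and the sample hosts file are assumptions / constructed; use the update and telemetry hosts of the products actually deployed in your estate.

```python
"""Detect hosts-file entries that sinkhole security / update domains.

Added example, not from the reporting above. The watchlist suffixes are
illustrative assumptions; replace them with the hosts your security products
and update channels actually use. SAMPLE_HOSTS is constructed.
"""
from typing import List, Tuple

SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::1"}
WATCHLIST_SUFFIXES = (                 # assumption: illustrative only
    "windowsupdate.com",
    "update.microsoft.com",
    "wdcp.microsoft.com",
    "wdcpalt.microsoft.com",
)


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, ip, hostname) for every mapping, ignoring comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()     # strip trailing / full-line comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:                      # one line may carry several hostnames
            entries.append((lineno, ip, name.lower().rstrip(".")))
    return entries


def is_watched(name: str) -> bool:
    return any(name == s or name.endswith("." + s) for s in WATCHLIST_SUFFIXES)


def find_sinkholed(text: str) -> List[Tuple[int, str, str]]:
    """Mappings that point a watched domain at a loopback or null address."""
    hits = []
    for lineno, ip, name in parse_hosts(text):
        if name in ("localhost", "localhost.localdomain"):
            continue                            # the only loopback entries expected by default
        if ip in SINKHOLE_IPS and is_watched(name):
            hits.append((lineno, ip, name))
    return hits


# Constructed sample in the Windows hosts-file format (normally
# C:\Windows\System32\drivers\etc\hosts).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.corp.example   # legitimate internal override
0.0.0.0         download.windowsupdate.com
0.0.0.0         wdcp.microsoft.com wdcpalt.microsoft.com
"""

if __name__ == "__main__":
    for lineno, ip, name in find_sinkholed(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip}")
```

A single unexpected mapping in a file that is normally all comments is a strong signal on its own; pairing this with the scheduled-task and Defender-exclusion checks the report lists gives you the full set of persistence artefacts to hunt for.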
Tax day marketing
So much Tax day related reporting this year, marketing teams in overdrive.
Tax firms targeted by precision malware attacks
Andrew Brandt is out of the blocks first. The point of note in this reporting is the fact they enter into discourse with the victim before deploying the malicious aspects of the campaign. Proper social engineering if you will, almost as if they have learnt from North Korea.
Financial accountant firms and CPAs are in the crosshairs this tax season, as a threat actor is targeting that industry with an attack that combines social engineering with a novel exploit against Windows computers to deliver malware called GuLoader.
At least two organizations in that industry reported the unusual attack to us in late February and early March, as tax preparers are entering the busiest part of the season in the United States. (The tax filing deadline this year is April 17, 2023.)
The attack begins with an email that purports to solicit business from the tax preparation firm. The initial message to the target is benign, with a subject line of Prospective Client Enquiries containing nothing more than an introduction and a request for information about “onboarding new clients.”
https://news.sophos.com/en-us/2023/04/13/tax-firms-targeted-by-precision-malware-attacks/
Additional reporting on the same campaign under the title GuLoader Targeting the Financial Sector Using a Tax-themed Phishing Lure
Threat actors strive to cause Tax Day headaches
Different campaign here with clumsy tradecraft..
The campaign uses lures masquerading as tax documentation sent by a client, while the link in the email uses a legitimate click-tracking service to evade detection. The target is then redirected to a legitimate file hosting site, where the actor has uploaded Windows shortcut (.LNK) files.
From Google Ads Abuse to a Massive Spear-Phishing Campaign Impersonating Spain’s Tax Agency
This reporting is interesting as it indicates it is likely the same threat actor running two campaigns.
Since the beginning of January 2023, [we have] been following two parallel malicious campaigns that use the same infrastructure but have different purposes.
The first campaign is related to a malvertising Google Ads Platform campaign which began several months ago and distributed fake versions of legitimate software products like AnyDesk (remote desktop software), Libre Office (an open-source office productivity software suite), TeamViewer (remote access and remote-control software), and Brave (a free and open-source web browser) among others. The threat actors cloned the websites of these real products and then registered similar-sounding domains. Their goal is to seed malware on the endpoints of users who were hoping to download these products.
Some of the malware families we observed distributing these fake packages are Vidar and IcedID. We also encountered other infostealer malware families.
The second campaign [our] researchers have been tracking during our continuous threat hunting activities is related to a massive spear-phishing campaign targeting large organizations based in Spain. The campaign impersonated Spain’s tax agency (the Agencia Estatal de Administración Tributaria, or AEAT), with a goal of harvesting the email credentials of companies in Spain. IcedID and Vidar were not involved in this second campaign.
Patchwork organization update technology makes a comeback, launching another attack on domestic education and scientific research units
Chinese reporting on an Indian threat actor using run of the mill tradecraft.
During this attack, we detected that Patchwork used phishing emails to attack universities and scientific research institutions. The email attachments related to this incident were titled "Guiding Opinions on the Protection of Women's Rights and Interests, Revised by the All-China Women's Federation in 2023", "Advance Notice on 2023 Project Application Guidelines for 4 Key Special Projects including Structure and Composite Materials", and "Changjiang Design Group Co., Ltd. 2023 Recruitment Announcement".
The content of the email lures users to open the compressed file with a password on the grounds of sexual harassment incidents in the workplace or project declaration notices. The compressed file contains a malicious lnk file, which is used to download the second stage of BADNEWS remote control. Through analysis, we found that the organization has updated the BADNEWS used in the past, improved the calling order and method of key functions, replaced the control instructions and adjusted the implementation of corresponding functions, and replaced some key strings.
Lockbit
Bit of a damp squib.
The LockBit ransomware (kinda) comes for macOS
Patrick Wardle provides the first bit of reporting with a damning conclusion on real-world efficacy.
And while this may be the first time a large ransomware group has created ransomware capable of running on macOS, it is worth noting that this sample is far from ready for prime time. From its lack of a valid code-signing signature to its ignorance of TCC and other macOS file-system protections, as it stands it poses no threat to macOS users.
https://objective-see.org/blog/blog_0x75.html
LockBit for Mac
Phil Stokes was not to be outdone, which I will summarize with this line:
Are the big game hunters coming to a macOS endpoint near you? Not yet
https://www.sentinelone.com/blog/lockbit-for-mac-how-real-is-the-risk-of-macos-ransomware/
Discovery
How we find and understand the latent compromises within our environments.
srum-dump: System Resource Usage Monitor
Mark Baggett delivers a valuable tool for Windows forensics.
SRUM Dump extracts information from the System Resource Utilization Management Database and creates an Excel spreadsheet.
The SRUM is one of the best sources for applications that have run on your system in the last 30 days and is invaluable to your incident investigations!
https://github.com/MarkBaggett/srum-dump
MemProcFS Version 5.5
Ulf Frisk has released an enriched version of this increasingly valuable tool.
Findevil: New thread-based detections. Findevil is now forensic mode only.
Jupyter Notebook example
Yara support in forensics mode and search.
https://github.com/ufrisk/MemProcFS/releases/tag/v5.5
Defence
How we proactively defend our environments.
EDR Telemetry Tracking for Windows - project aims to compare and evaluate the telemetry of various EDR products
Kostas brings a valuable evidence base to Windows EDR - this will hopefully smoke out the snake oil.
This repo provides a list of telemetry features from EDR products and other endpoint agents such as Sysmon broken down by category. The main motivation behind this project is to enable security practitioners to compare and evaluate the telemetry potential from those tools while encouraging EDR vendors to be more transparent about the telemetry features they do provide to their users and customers.
https://github.com/tsale/EDR-Telemetry
mac-monitor: an advanced, stand-alone system monitoring tool tailor-made for macOS security research
macOS gets some new tooling which will help given the relative maturity in both offense and defense. Great work by Brandon Dalton, Matt Graeber and Todd Gaiser who I suspect will receive job offers from Apple in 3..2..
https://github.com/redcanaryco/mac-monitor
Investigate security events by using AWS CloudTrail Lake advanced queries
Rodrigo Ferroni and Eduardo Ortiz Pineda from AWS drop some wisdom on the practical approaches here.
[This post shows] how to use AWS CloudTrail Lake capabilities to investigate CloudTrail activity across AWS Organizations in response to a security incident scenario. We will walk you through two security-related scenarios while we investigate CloudTrail activity. The method described in this post will help you with the investigation process, allowing you to gain comprehensive understanding of the incident and its implications. CloudTrail Lake is a managed audit and security lake that allows you to aggregate, immutably store, and query your activity logs for auditing, security investigation, and operational troubleshooting.
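As an added example (not AWS’s code from the post), the shape of investigation this enables: pull the privilege-granting IAM events for a window, then pivot on source address to see which principals acted from where. The CloudTrail Lake SQL is shown as a string (the event data store ID is a placeholder and the field names are an assumption to check against the current Lake schema); the same filter is then applied locally to constructed CloudTrail records so it can be run offline.

```python
"""Investigation pattern from the AWS post, run locally over constructed
CloudTrail records.

Added example, not AWS's code. CLOUDTRAIL_LAKE_QUERY is the equivalent
CloudTrail Lake SQL; assumption: replace <event-data-store-id> and confirm the
field names against the current CloudTrail Lake schema before use.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set

CLOUDTRAIL_LAKE_QUERY = """
SELECT eventTime, eventName, userIdentity.arn, sourceIPAddress, errorCode
FROM <event-data-store-id>
WHERE eventSource = 'iam.amazonaws.com'
  AND eventName IN ('CreateAccessKey', 'CreateUser', 'AttachUserPolicy', 'PutUserPolicy')
  AND eventTime > '2023-04-01 00:00:00'
ORDER BY eventTime
"""

PRIV_IAM_EVENTS = {"CreateAccessKey", "CreateUser", "AttachUserPolicy", "PutUserPolicy"}


def persistence_actions(events: Iterable[Dict], trusted_ips: Set[str]) -> List[Dict]:
    """Successful privilege-granting IAM calls made from outside trusted_ips."""
    hits = []
    for e in events:
        if e.get("eventSource") != "iam.amazonaws.com":
            continue
        if e.get("eventName") not in PRIV_IAM_EVENTS:
            continue
        if e.get("errorCode"):          # denied attempts are worth counting separately, not here
            continue
        if e.get("sourceIPAddress") in trusted_ips:
            continue
        hits.append({
            "time": e["eventTime"],
            "actor": e["userIdentity"]["arn"],
            "action": e["eventName"],
            "target": e.get("requestParameters", {}).get("userName"),
            "ip": e["sourceIPAddress"],
        })
    return hits


def actors_by_ip(events: Iterable[Dict]) -> Dict[str, List[str]]:
    """Pivot: which principals were seen from each source address."""
    seen = defaultdict(set)
    for e in events:
        seen[e.get("sourceIPAddress")].add(e["userIdentity"]["arn"])
    return {ip: sorted(arns) for ip, arns in seen.items()}


ALICE = "arn:aws:iam::111122223333:user/alice"   # constructed principal
# Constructed records: a console login, a key creation from the same unknown
# address, a key creation from the office address, and a denied policy attach.
SAMPLE_EVENTS = [
    {"eventTime": "2023-04-18T09:02:11Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": ALICE}},
    {"eventTime": "2023-04-18T09:05:40Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": ALICE}, "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2023-04-18T10:15:02Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "192.0.2.5",
     "userIdentity": {"arn": ALICE}, "requestParameters": {"userName": "alice"}},
    {"eventTime": "2023-04-18T10:20:55Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "203.0.113.10",
     "errorCode": "AccessDenied", "userIdentity": {"arn": ALICE},
     "requestParameters": {"userName": "svc-backup"}},
]

if __name__ == "__main__":
    for hit in persistence_actions(SAMPLE_EVENTS, trusted_ips={"192.0.2.5"}):
        print(hit)
    print(actors_by_ip(SAMPLE_EVENTS))
```

The value of doing this in CloudTrail Lake rather than locally is the cross-account scope: the same query runs over every account in the organization, which is where a compromised principal tends to go next.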
These Are The Drivers You Are Looking For: Detect and Prevent Malicious Drivers
How to do this in one SIEM vendors eco-system.
An analysis of syscall usage in Cobalt Strike Beacons
Good technical analysis of how this works in practice.
https://github.com/dodo-sec/Malware-Analysis/blob/main/Cobalt%20Strike/Indirect%20Syscalls.md
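As an added example (not from the linked analysis), the detection side of the same topic: a scanner for the x64 direct-syscall stub shape (`mov r10, rcx; mov eax, SSN; ...; syscall`) in a code blob, reporting the system service numbers it finds. The blob is constructed, and the SSN used is illustrative since real numbers vary by Windows build.

```python
"""Find x64 direct-syscall stubs in a code blob and report their SSNs.

Added example, not from the linked analysis. SAMPLE_BLOB is constructed; the
SSN 0x18 is illustrative only, real system service numbers vary by build.
"""
import re
from typing import List, Tuple

# 4C 8B D1        mov r10, rcx
# B8 imm32        mov eax, <ssn>
# ...             up to 16 bytes (e.g. the Win10 'test byte ptr [7FFE0308], 1 / jne' check)
# 0F 05           syscall
STUB_RE = re.compile(rb"\x4c\x8b\xd1\xb8(.{4})(.{0,16}?)\x0f\x05", re.DOTALL)


def find_syscall_stubs(blob: bytes) -> List[Tuple[int, int]]:
    """Return (offset, ssn) for each stub that carries its own syscall instruction.

    Requiring the 'mov r10, rcx' prologue keeps stray B8 / 0F 05 byte pairs in
    ordinary code from matching.
    """
    return [
        (m.start(), int.from_bytes(m.group(1), "little"))
        for m in STUB_RE.finditer(blob)
    ]


# Constructed: a direct stub ending in syscall; ret.
DIRECT_STUB = b"\x4c\x8b\xd1\xb8\x18\x00\x00\x00\x0f\x05\xc3"
# Constructed: the indirect variant. Same prologue, but it ends in
# 'jmp [rip+disp32]' to a syscall instruction inside ntdll, so no 0F 05 is
# present in the scanned image and the scanner stays silent.
INDIRECT_STUB = b"\x4c\x8b\xd1\xb8\x18\x00\x00\x00\xff\x25\x00\x00\x00\x00"
SAMPLE_BLOB = b"\x90" * 8 + DIRECT_STUB + b"\xcc" * 4 + INDIRECT_STUB

if __name__ == "__main__":
    for offset, ssn in find_syscall_stubs(SAMPLE_BLOB):
        print(f"direct syscall stub at 0x{offset:x}, SSN 0x{ssn:x}")
```

The silent indirect case is the point of the linked analysis: once the `syscall` instruction lives in ntdll and only the jump is in the beacon, byte scanning for `0F 05` outside ntdll no longer works, and you are back to runtime checks (call-stack origin of the syscall, or the SSN load itself) to spot it.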
A Comparative Analysis of Threat Detection Capability of IoT Safeguards
Some more science / evidence on the topic by Anna Maria Mandalari, Hamed Haddadi, Daniel J. Dubois and David Choffnes
Consumer Internet of Things (IoT) devices are increasingly common in everyday homes, from smart speakers to security cameras. Along with their benefits come potential privacy and security threats. To limit these threats a number of commercial services have become available (IoT safeguards). The safeguards claim to provide protection against IoT privacy risks and security threats. However, the effectiveness and the associated privacy risks of these safeguards remains a key open question. In this paper, we investigate the threat detection capability of IoT safeguards for the first time. We develop and release a methodology that relies on automated safeguards experimentation to reveal their response to common security threats and privacy risks. We perform thousands of automated experiments using popular commercial IoT safeguards when deployed in a large IoT testbed. Our results indicate that not only these devices may be ineffective in preventing risks, but also their cloud interactions and data collection operations may introduce privacy risks for the households that adopt them.
https://iotrim.github.io/safeguards.html
Terminator: A Secure Coprocessor to Accelerate Real-Time AntiViruses Using Inspection Breakpoints
This is a little older, by Marcus Botacin, but I felt it valuable to highlight. I’m not entirely sold on the practical nature, but having this capability in real-world silicon would be interesting / valuable, I suspect, for a whole host of reasons.
https://marcusbotacin.github.io/publication/2022-01-01-paper-coproc-number-21
Vulnerability
Our attack surface.
CVE-2023-28808: in some Hikvision Hybrid SAN/Cluster Storage products
From the Singaporean government. Remember that Israeli company selling offensive CCTV capability? I doubt this is related specifically, but it is likely the type of issue they might exploit..
Hikvision has released an update to address a critical vulnerability (CVE-2023-28808) in some Hikvision Hybrid SAN/Cluster Storage products used by organizations to store video security data.
Successful exploitation of the access control vulnerability could allow an attacker to obtain the admin permission to send crafted messages to the affected devices and gain access to the stored video security data.
https://www.csa.gov.sg/alerts-advisories/alerts/2023/al-2023-048
JVNVU#98434809: Multiple mobile printing apps for Android vulnerable to improper intent handling
Japanese reporting on this Android attack surface. Kyocera, TA Triumph-Adler and Olivetti affected.
When a malicious app is installed on the victim user's Android device, the app may send an intent and direct the affected app to download malicious files or apps to the device without notification.
https://jvn.jp/en/vu/JVNVU98434809/
We Really Need to Talk About Session Tickets
Sven Hebrok provides a moment of eek, which is interesting as this hasn’t had much coverage.
We recently published the paper “We Really Need to Talk About Session Tickets: A Large-Scale Analysis of Cryptographic Dangers with TLS Session Tickets“
In this paper, we analyze the security of TLS session ticket implementations and deployed servers. Many servers used guessable keys to encrypt session tickets, allowing attackers to decrypt TLS traffic or to impersonate the server.
The presented issues allowed decrypting TLS session tickets. This allows a passive adversary to decrypt all resumed sessions. In TLS 1.2 this even allows decrypting the session where the ticket was issued, even if it was never resumed. TLS 1.3 mitigates parts of this issue by deriving the keys for the new session using a one-way function instead of plainly reusing them.
https://upb-syssec.github.io/blog/2023/session-tickets/
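Why the TLS 1.3 mitigation works and the TLS 1.2 case does not, shown on the key schedules themselves. This is an added example (not code from the paper or its authors) that models only the key derivation: it assumes the ticket plaintext is readable, which is the paper's finding for weak ticket keys, and it simplifies the TLS 1.3 transcript hashes to a single value. In 1.2 the ticket carries the master secret, so the issuing session's key block follows from the randoms that were sent in clear; in 1.3 the ticket carries a PSK that sits one HKDF step below a sibling of the traffic secret, so the derivation only goes forward:

```python
import hashlib
import hmac

HASH, HASH_LEN = hashlib.sha256, 32


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with SHA-256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label (RFC 8446 section 7.1)."""
    full_label = b"tls13 " + label
    hkdf_label = (length.to_bytes(2, "big")
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF (RFC 5246 section 5) using P_SHA256."""
    seed = label + seed
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, HASH).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, HASH).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def tls12_key_block(master_secret: bytes, client_random: bytes, server_random: bytes,
                    length: int = 104) -> bytes:
    """Traffic key material of a TLS 1.2 session (RFC 5246 section 6.3)."""
    return tls12_prf(master_secret, b"key expansion", server_random + client_random, length)


def tls12_keys_from_ticket(ticket_plaintext: dict, client_random: bytes, server_random: bytes) -> bytes:
    """A TLS 1.2 ticket (RFC 5077) carries the master secret itself. Whoever can read
    the ticket recomputes the key block of the session that issued it, and of every
    session resumed with it, from the randoms that travel in clear on the wire."""
    return tls12_key_block(ticket_plaintext["master_secret"], client_random, server_random)


def tls13_session(master_secret: bytes, transcript_hash: bytes, ticket_nonce: bytes) -> dict:
    """TLS 1.3 key schedule (RFC 8446 section 7.1), transcript hash simplified to one value.
    The application traffic secret and the resumption master secret are sibling outputs
    of a one-way KDF; the ticket's PSK is derived one step further down the resumption
    branch, so it cannot be walked back up to the issuing session's traffic secret."""
    traffic_secret = hkdf_expand_label(master_secret, b"c ap traffic", transcript_hash, HASH_LEN)
    res_master = hkdf_expand_label(master_secret, b"res master", transcript_hash, HASH_LEN)
    ticket_psk = hkdf_expand_label(res_master, b"resumption", ticket_nonce, HASH_LEN)
    return {"traffic_secret": traffic_secret, "ticket_psk": ticket_psk}


if __name__ == "__main__":
    ms, cr, sr = bytes(range(48)), b"\x01" * 32, b"\x02" * 32
    print(tls12_keys_from_ticket({"master_secret": ms}, cr, sr) == tls12_key_block(ms, cr, sr))
    s = tls13_session(b"\x03" * 32, b"\x04" * 32, b"\x00\x00\x00\x01")
    print(s["traffic_secret"].hex(), s["ticket_psk"].hex())
```

The operational takeaway is the same for both versions: ticket encryption keys must be random, kept out of configuration files and rotated, because in 1.3 the PSK still exposes every resumed session even if the issuing one stays safe.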
Offense
Attack capability, techniques and trade-craft.
Fiber: Using fibers to run in-memory code in a different and stealthy way
Kurosh Dabbagh Escalante provides a capability which uses the fiber pseudo-thread mechanism to achieve code execution on Windows.
First, we have a loader, which will use DInvoke to manually map the dll that contains our payload.
After that, the loader will turn the current thread into a fiber (known from now on as the control fiber). The control fiber will have a "normal" stack since the loader is being run from a PE on disk.
The loader will then create a new fiber to run the run() function exported by the manually mapped dll. This fiber will be known as the payload fiber from now on. The control fiber will switch to the payload fiber, which will execute whatever code the payload contains. Once the payload needs to enter an alertable state (for example, when a call to Sleep is required), the payload fiber switches back to the control fiber, hiding its stack (which may contain several IOCs of malicious activity).
The control fiber performs the call to Sleep. When the call returns, it will switch again to the payload fiber so it can continue its execution.
https://github.com/Kudaes/Fiber
ScareCrow v5
Updated open source C2 framework from a security consultancy.
Removed the binary mode template
Rebuilt the loader and structure files to be more modular
Introduced 4 shellcode templates -Exec that can be used for any type (.exe, cpl, dll, js)
Added 2 new encryption methods (RC4 and LZMA)
Introduced -encryptionmode command line argument to choose either RC4, LZMA, or AES encryption for the Shellcode
Added -obfu command line argument to toggle the -literals flag on Garble
Removed IoC for Garble for certain well-known Anti-Malware products
Added additional unhook technique KnownDlls
Added -Evasion command line argument to choose the type of EDR unhooking technique
Added Remote ETW patching for process injection mode
Added random extensions for Wscript side-loading
Added -clone command line argument to clone a certificate from a file
https://github.com/optiv/ScareCrow/releases/tag/v5.0
Exploitation
What is being exploited.
CVE-2023-29084 Command injection in ManageEngine ADManager Plus
Post-authentication, first up, and the 90s called.
The specific flaw exists within the ChangePasswordAction function. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account.
https://hnd3884.github.io/posts/CVE-2023-29084-Command-injection-in-ManageEngine-ADManager-plus/
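The bug class as described above (a user-supplied string reaching a system call without validation) beside the shape of the fix, as an added example and not ADManager Plus code: the real product is Java and the command it builds in ChangePasswordAction is not on the page, so the hypothetical set-password tool here only stands in for it. The defensive pattern is allowlist validation first, then an argv list so no shell ever parses the value; argv_boundaries spawns this same interpreter to show that a metacharacter-laden value stays one argument when no shell is involved:

```python
import json
import re
import subprocess
import sys

# Illustrative pattern only, not ADManager Plus code: `set-password` is a
# hypothetical command-line tool standing in for whatever the service invokes.
ALLOWED_USERNAME = re.compile(r"[A-Za-z0-9._-]{1,64}")
SHELL_METACHARS = re.compile(r"[;&|`$<>\n\r\"'\\(){}]")


def unsafe_command_line(username: str) -> str:
    """The vulnerable shape: a user-supplied value concatenated into one string
    that is then handed to a shell (cmd /c, os.system, shell=True and friends)."""
    return "set-password --user " + username


def looks_like_injection(value: str) -> bool:
    """Cheap detection heuristic for request logs or WAF review: shell
    metacharacters in a field that should only ever hold an account name."""
    return SHELL_METACHARS.search(value) is not None


def safe_argv(username: str) -> list:
    """The fix: validate against an allowlist first, then build an argv list so
    no shell ever parses the value. Raises ValueError on anything unexpected."""
    if not ALLOWED_USERNAME.fullmatch(username):
        raise ValueError("username rejected by allowlist")
    return ["set-password", "--user", username]


def argv_boundaries(args: list) -> list:
    """Spawn a child without a shell and return the argv it actually received.
    The child is this same Python interpreter, so the demo runs anywhere."""
    child = [sys.executable, "-c", "import json, sys; print(json.dumps(sys.argv[1:]))", *args]
    result = subprocess.run(child, capture_output=True, text=True, check=True)
    return json.loads(result.stdout)


if __name__ == "__main__":
    tainted = "alice; echo injected"
    print(unsafe_command_line(tainted))  # a shell would treat this as two commands
    print(argv_boundaries([tainted]))     # one argument, nothing else runs
```

The better fix for a password-change action is usually not to spawn a process at all but to call the directory API directly; where a process is unavoidable, the validation plus argv-list pairing above is the minimum, and the heuristic is a reasonable thing to run over the web server's access logs when triaging exposure.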
CVE-2023-25135: Pre-authentication RCE targeting vBulletin
Vulnerability from January, exploit released - intelligence from forums of ill repute sourced by activists coming up in 3..2..
https://github.com/ambionics/vbulletin-exploits
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
patch-diffing-in-the-dark: Leveraging patch diffing to discover new vulnerabilities
Real-world end-to-end example here showing bug surging in action, i.e. once one vulnerability is found it attracts researchers, which then leads to many more..
A series of blog posts leveraging CVE analysis and patch diffing to discover new vulnerabilities.
As revealed in the blog posts, the following 4 CVEs came from the in-depth study of CVE-2021-1657.
https://github.com/VulnerabilityResearchCentre/patch-diffing-in-the-dark
Running SunOS 4 in QEMU (SPARC)
I used to run Solaris SPARC honeypots, now Gen Z can have the same fun..
https://john-millikin.com/running-sunos-4-in-qemu-sparc
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Aggregated reporting
2022 APT Activity Analysis Report - Chinese perspective on the threat landscape
China also targeted by cyberattacks - Japanese analysis of cyber attacks happening in China: “in this paper, we will focus on the resources written in Chinese that are published by Chinese security companies and the government.”
New Initiatives to reduce the risk of vulnerabilities and protect researchers
Hacking Policy Council
Security Research Legal Defense Fund
Exploitation transparency
Castles Built on Sand: Towards Securing the Open-Source Software Ecosystem
Conference material
Coalition Launches New Cyber Solution CoalitionAI Chatbot for Brokers and Businesses - cyber insurance company bringing “Sorry Dave I can’t do that” to the world of brokers.
This newsletter is produced by BinaryFirefly; it is via BinaryFirefly that I support a hand-picked set of organisations across investment, strategy and capability in the domain of cyber.
For sponsorship enquiries regarding Bluepurple or anything else contact hello@binaryfirefly.com.