

Bluepurple Pulse: week ending April 2nd
Government commercial spyware counter proliferation activities begin at scale ..
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week there was only one thing on everyone’s lips and that was 3CX, the intrusion, suspected to be North Korean, into a VoIP software provider, leading to an event reminiscent of SolarWinds (see the reporting below). Beyond this some DDoS overspill from Russia/Ukraine, ransomware and then you will see that it is all just hyper busy.
In the high-level this week:
Ukraine War Shows Difficulty of Large-Scale Cyberattacks, NSA Director Says
Russia Supplies Iran With Cyber Weapons as Military Cooperation Grows - Russia’s PROTEI Ltd has begun providing internet-censorship software to Iranian mobile-services provider Ariantel
Government response to commercial spyware
Use of commercial spyware and why the above is important:
Cyber proliferation and why it is only going to get worse unless addressed:
NCA infiltrates cyber crime market with disguised DDoS sites - amazing campaign by the UK’s National Crime Agency - “However, after users register, rather than being given access to cyber crime tools, their data is collated by investigators.”
The Ukrainian Cabinet has approved a Resolution regulating introduction of independent audits of information security systems at critical infrastructure facilities - the impressive nature with which the normal aspects of the government policy machine continue to work even during war.
FTC Seeks Comment on Business Practices of Cloud Computing Providers that Could Impact Competition and Data Security - Agency staff seek comment on cloud computing impact on specific industries including healthcare, finance, transportation, e-commerce and defense
ECCC - ENISA welcomes its new Advisory Group - 33 candidates were selected ‘ad personam’, meaning on the basis of their own specific expertise and merits to form the new Advisory Group of ENISA.
Cybercrime as a Peace Risk - Why International Cooperation Concerns Us All - Germany making an argument here - “After all, almost every offence nowadays leaves digital traces. It is therefore all the more important that human rights obligations and procedural standards based on the rule of law are enshrined in the draft treaty.”
Think ransomware gangs won't thrive this year? Think again, experts say - “A big majority of the expert group, 67 percent, expected ransomware to take off again in this calendar year.”
The criminal use of ChatGPT – a cautionary tale about large language models | Europol - outlining their concerns
The US Military Cyber Professionals Association calls for the creation of a US Cyber Force
S.933 - Federal Data Center Enhancement Act of 2023 - cloud data centers could get oversight from Uncle Sam.
Cybersecurity Rules: Only 15 Entities Reported Incidents Within The Stipulated 6 Hours, RTI Reveals - from India on how the adjustment to their mandatory cyber incident legislation is going.
The Military Strategic Effects of the Russian National Segment of the Internet - This thesis argues that the structural cyber asymmetry caused by the creation of a national segment of the internet sets significant premises and frames of reference on the states’ use of force in cyberspace
We had Dave Aitel firing shots in his indomitable style.
At some level, STIX and TAXII and the whole CTI market are about passing around information on what someone _might_ have used to hack something, at some point in the _distant past_. It's a paleontology of hackers past - XML schemas about huge ancient reptiles swimming in the tropical seas of your networks, the taxonomies of extinct orders we now know only through a delicate finger-like flipper bone or a clever piece of shellcode
The reflections this week come from watching HyperNormalisation (2016) by Adam Curtis, which explores the shallowness / falseness of modern life as humanity wrestles with its complexities. We see the complexity of cyber leading us to a similar model, as the gritty reality is challenging to confront.. But we are going to have to!
On the interesting job/role front:
United Nations International Computing Centre Youth Cybersecurity Rotation Program - paid 6 month internship
Information Security Engineer / Administrator at Amnesty International
Have a lovely Friday
Ollie
Cyber threat intelligence
Who is doing what to whom and how.
Russia / Ukraine
Substantial reporting on Russia / Ukraine this week.
Exploitation is a Dish Best Served Cold: Winter Vivern Uses Known Zimbra Vulnerability to Target Webmail Portals of NATO-Aligned Governments in Europe
Michael Raggi and the band report on this suspected Russian threat actor going after US elected officials and wider. This is a crunchy campaign using n-days (i.e. vulnerabilities for which patches exist but have not been applied).
[We have] observed recent espionage-related activity by TA473, including yet to be reported instances of TA473 targeting US elected officials and staffers. TA473 is a newly minted Proofpoint threat actor that aligns with public reporting on Winter Vivern.
TA473 since at least February 2023 has continuously leveraged an unpatched Zimbra vulnerability in publicly facing webmail portals that allows them to gain access to the email mailboxes of government entities in Europe.
TA473 recons and reverse engineers bespoke JavaScript payloads designed for each government targets’ webmail portal.
[We] concur that TA473 targeting superficially aligns with the support of Russian and/or Belarussian geopolitical goals as they pertain to the Russia-Ukraine War.
Pro-Russian Hacktivists: A Reaction to a Western Response to a Russian Aggression
Pascal Geenens provides a summary of the various groups supporting Russia with low level campaigns.
The emergence of pro-Russian hacktivists is a reaction to the western cyber response against the aggression of Russia’s invasion of Ukraine. Western hackers volunteering for the IT Army of Ukraine started conducting attacks against Russian targets, joined by factions of Anonymous under their battle tag #OpRussia, on the first day following the invasion by Russia. As a reaction, several opposite groups formed, amongst them a faction of Anonymous calling itself ”Anonymous Russia.” Soon a cluster of pro-Russian hacktivist allies and affiliates started to form around a group called Killnet.
Contracts Identify Cyber Operations Projects from Russian Company NTC Vulkan
Alden Wahlstrom, Gabby Roncone, Keith Lunden and Daniel Kapellmann Zafra pore over the leaked information from a Russian contractor who was supporting Russian intelligence.
The documents detail project requirements contracted with the Russian Ministry of Defense, including in at least one instance for GRU Unit 74455, also known as Sandworm Team. These projects include tools, training programs, and a red team platform for exercising various types of offensive cyber operations, including cyber espionage, IO, and operational technology (OT) attacks.
https://www.mandiant.com/resources/blog/cyber-operations-russian-vulkan
North Korea
Less North Korean reporting this week, unless you consider their 💥 operation greater or less than the typical weekly reporting.
Not So Lazarus: Mapping DPRK Cyber Threat Groups to Government Organizations
Michael Barnhart, Michelle Cantos, Jeffery Johnson, Elias Fox, Gary Freas and Dan Scott go big on the organization chart of North Korean government cyber capabilities.
https://www.mandiant.com/resources/blog/mapping-dprk-groups-to-government
APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations
Fred Plan, Van Ta, Michael Barnhart, Jeff Johnson, Dan Perez and Joe Dobson say ‘arise APT43’ as a new number is assigned, football jerseys are printed and PR machines mobilised.
APT43 is a prolific cyber operator that supports the interests of the North Korean regime. The group combines moderately-sophisticated technical capabilities with aggressive social engineering tactics, especially against South Korean and U.S.-based government organizations, academics, and think tanks focused on Korean peninsula geopolitical issues.
In addition to its espionage campaigns, we believe APT43 funds itself through cybercrime operations to support its primary mission of collecting strategic intelligence.
The group creates numerous spoofed and fraudulent personas for use in social engineering, as well as cover identities for purchasing operational tooling and infrastructure.
APT43 has collaborated with other North Korean espionage operators on multiple operations, underscoring the major role APT43 plays in the regime’s cyber apparatus.
https://www.mandiant.com/resources/blog/apt43-north-korea-cybercrime-espionage
Hacking attacks exploiting North Korea’s financial security certification S/W vulnerabilities
Report from the South Korean government which highlights the limitations of Google Translate’s capabilities.
3CX Breach
This is the big breach which resulted in Windows and macOS binaries being backdoored and in memory payloads being delivered. The full ramifications of this attack are going to take a little while to be understood fully.
Vendor statements:
https://www.3cx.com/blog/news/desktopapp-security-alert-updates/
https://www.3cx.com/community/threads/3cx-desktopapp-security-alert.119951/
CISA alert:
Security industry goes:
https://news.sophos.com/en-us/2023/03/29/3cx-dll-sideloading-attack/
https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats
https://www.trendmicro.com/en_us/research/23/c/information-on-attacks-involving-3cx-desktop-app.html
https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/3cx-supply-chain-attack
https://blog.talosintelligence.com/3cx-softphone-supply-chain-compromise/
Mélofée: a new alien malware in the Panda's toolset targeting Linux hosts
The takeaway here is they had another Linux implant.
We recently discovered a novel undetected implant family targeting Linux servers, which we dubbed Mélofée.
We linked with high confidence this malware to Chinese state sponsored APT groups, in particular the notorious Winnti group.
The Mélofée implant family is another tool in the arsenal of Chinese state sponsored attackers, which show constant innovation and development.
The capabilities offered by Mélofée are relatively simple, but may enable adversaries to conduct their attacks under the radar. These implants were not widely seen, showing that the attackers are likely limiting their usage to high value targets.
https://blog.exatrack.com/melofee/
With KEYPLUG, China’s RedGolf Spies On, Steals From Wide Field of Targets
Further reporting on Chinese Linux implant C2 infrastructure.
[We] identified a large cluster of new operational infrastructure associated with use of the custom Windows and Linux backdoor KEYPLUG. We attribute this activity to a threat activity group tracked as RedGolf, which is highly likely to be a Chinese state-sponsored group.
RedGolf used a Linux version of the custom, modular backdoor KEYPLUG to target US state government entities during 2021 and 2022. [We] identified a wider cluster of KEYPLUG samples and infrastructure used by RedGolf from at least 2021 to 2023. We track this malicious infrastructure using the term GhostWolf. Alongside KEYPLUG, we also identified RedGolf using Cobalt Strike, PlugX, and Dynamic DNS (DDNS) domains, all of which are commonly used by many Chinese state-sponsored threat groups. [We] identified multiple infrastructure overlaps between publicly reported APT41/BARIUM campaigns across the GhostWolf infrastructure cluster.
https://go.recordedfuture.com/hubfs/reports/cta-2023-0330.pdf
Earth Preta’s Cyberespionage Campaign Hits Over 200
Deep insight into a Chinese campaign, and the supporting capabilities and operations, which is global in nature. The breadth of industries and countries will be of interest to some.
While not exhaustive of the entire study’s findings due to security and confidentiality concerns, we determined the following findings key to the entire research:
A hierarchical structure. Earth Preta has a centralized development unit that produces the implants and tools, and disseminates them to other operational groups responsible for penetration and implantation. This is evident in the Earth Preta group as it appears that multiple sub-operational groups use the same toolset with different techniques.
A management of expertise. The different operational groups manage their own methods of entry and privilege escalation, demonstrating a high degree of specialization within each group.
A change in targets. Towards the end of 2022, there were changes in how information was collected. The latest active targets were related to maritime, shipping, border control, and immigration agencies. Prior to this shift, most of the data collection efforts were aimed at academic institutions, ore and material refineries, specialized fabrication plants, financial institutions, and energy production and distribution.
We found that some operational parts of the collective group were focused on stealing intellectual property and sensitive business information, while others targeted government and diplomatic entities. We also found the operations having specific geographical regions for which they tailored their collection requirements.
Phishing Campaign Targets Chinese Nuclear Energy Industry
Ryan Robinson provides reporting on a campaign which targeted the Chinese nuclear energy industry by an actor suspected of being of Indian origin. Other than the interesting sector the actual tradecraft is typical phishing, as you can see from the flow below.
https://www.intezer.com/blog/research/phishing-campaign-targets-nuclear-energy-industry/
Malicious JavaScript Injection Campaign Infects 51k Websites
Shehroze Farooqi, Billy Melicher, Brody Kutt and Alex Starov evidence the scale of a particular organized crime campaign. Let the numbers sink in…
[We] have been tracking a widespread malicious JavaScript (JS) injection campaign that redirects victims to malicious content such as adware and scam pages. This threat was active throughout 2022 and continues to infect websites in 2023.
We detected the injected JS code on more than 51,000 websites, including hundreds of websites in Tranco’s top 1 million website ranking list. The presence of affected websites in Tranco indicates that this campaign could have impacted a large number of people.
https://unit42.paloaltonetworks.com/malicious-javascript-injection/
Be wary of the new criminal "Silver Fox" large-scale social engineering attacks on finance, government and enterprise, education and other industries
Chinese reporting on Search Engine Optimization (SEO) being deployed for malicious purposes. This is very similar to what we saw in the campaigns against Western search engines.
In the early stage, the organization used SEO website optimization to make relevant phishing websites rank first in the search rankings, and then spread tools containing malicious Trojans. After successfully obtaining host permissions, they spread further through WeChat, a wide ca
The organization disguises phishing Trojans as the names of various common tools, WeChat chat records, or financial-related news to reduce victims' awareness of prevention;
Fork in the Ice: The New Era of IcedID
Pim Trouerbach, Kelsey Merriman and Joe Wise document a reinvigoration of this criminal implant framework.
[We are] tracking new variants of IcedID used by at least three threat actors.
Initial analysis suggests this is a forked version with potentially a separate panel for managing the malware.
While much of the code base is the same, there are several key differences.
One key difference is the removal of banking functionality such as web injects and backconnect.
Proofpoint researchers hypothesize the original operators behind Emotet are using an IcedID variant with different functionality.
https://www.proofpoint.com/us/blog/threat-insight/fork-ice-new-era-icedid
MacStealer: New macOS-based Stealer Malware Identified
Shilpesh Trivedi details a Python based macOS capability. Really basic, but further evidence the platform is garnering interest from criminals.
[We] discovered a macOS stealer that also controls its operations over Telegram.
The stealer exhibits the following capabilities:
Collect the passwords, cookies, and credit card data from Firefox, Google Chrome, and Brave browsers
Extract files (".txt", ".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx", ".jpg", ".png", ".csv", ".bmp", ".mp3", ".zip", ".rar", ".py", ".db")
Extract KeyChain database (base64 encoded)
https://www.uptycs.com/blog/macstealer-command-and-control-c2-malware
Discovery
How we find and understand the latent compromises within our environments.
Guidance for investigating attacks using CVE-2023-23397
Guidance from Microsoft on how to investigate exploitation of the Outlook vulnerability.
Memory Forensics R&D Illustrated: Detecting Hidden Windows Services
Some neat Windows tradecraft here which demonstrates a new memory-forensics technique to detect hidden services in a smear-resistant manner. As Andrew Case says:
Given the number of malware samples that hide services from the live system, as well as the danger posed by these services, it is essential that malware can be detected in a reliable manner.
Throttling and Blocking Email from Persistently Vulnerable Exchange Servers to Exchange Online
A positive use of friction to drive upgrades / vulnerability resolution. Likely something to learn from this approach if it works.
As we continue to enhance the security of our cloud, we are going to address the problem of email sent to Exchange Online from unsupported and unpatched Exchange servers.
To address this problem, we are enabling a transport-based enforcement system in Exchange Online that has three primary functions: reporting, throttling, and blocking. The system is designed to alert an admin about unsupported or unpatched Exchange servers in their on-premises environment that need remediation (upgrading or patching). The system also has throttling and blocking capabilities, so if a server is not remediated, mail flow from that server will be throttled (delayed) and eventually blocked.
We don’t want to delay or block legitimate email, but we do want to reduce the risk of malicious email entering Exchange Online by putting in place safeguards and standards for email entering our cloud service. We also want to get the attention of customers who have unsupported or unpatched Exchange servers and encourage them to secure their on-premises environments.
Defence
How we proactively defend our environments.
Demystifying SIGMA Log Sources
Sigma continues to mature..
Today we’re introducing a new contribution to the SIGMA project called log-source guides. The idea behind it is to provide specific guides on configuring a system’s audit policies so that the system actually creates the logs needed by the rules. An adequate audit policy is a crucial dependency often overlooked when deploying Sigma rules.
https://www.nextron-systems.com/2023/03/24/demystifying-sigma-log-sources/
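The point of the log-source guides is that a rule is only as good as the audit policy beneath it. The following is an added illustration of that dependency, not code from the Sigma project or from Nextron's guides: it takes a Sigma-style rule (written as a dict here, so no YAML library is needed), a constructed `auditpol /get /category:*` style listing, and a small constructed table mapping Security-log event IDs to the audit subcategory that emits them, and reports which of the rule's events the host will never log.

```python
"""Check whether a Sigma rule's Windows Security events can be produced by a host's audit policy.

Added illustration for the log-source point above; this is not code from the Sigma
project or from Nextron's log-source guides. The rule, the auditpol text and the
event-to-subcategory table are all constructed for the example.
"""
import re

# Small constructed subset of Security-log event IDs and the audit subcategory
# that has to be enabled for Windows to write them (assumption: extend for your rules).
EVENT_TO_SUBCATEGORY = {
    4624: "Logon",
    4663: "File System",
    4688: "Process Creation",
    4698: "Other Object Access Events",
    4720: "User Account Management",
}

# Constructed output in the style of `auditpol /get /category:*` for a host where
# process-creation auditing was never switched on.
SAMPLE_AUDITPOL = """\
System audit policy
Category/Subcategory                      Setting
Logon/Logoff
  Logon                                   Success and Failure
Detailed Tracking
  Process Creation                        No Auditing
Object Access
  File System                             Success
  Other Object Access Events              No Auditing
Account Management
  User Account Management                 Success
"""

# Constructed Sigma-style rule, expressed as a dict so no YAML library is needed.
SAMPLE_RULE = {
    "title": "Scheduled task created right after an Office child process",
    "logsource": {"product": "windows", "service": "security"},
    "detection": {
        "selection": {"EventID": [4688, 4698]},
        "condition": "selection",
    },
}


def parse_auditpol(text):
    """Return {subcategory: setting}; subcategory lines are the indented ones."""
    policy = {}
    for line in text.splitlines():
        if not line.startswith("  "):
            continue
        name, setting = re.split(r"\s{2,}", line.strip(), maxsplit=1)
        policy[name] = setting
    return policy


def required_event_ids(rule):
    """Collect every EventID referenced by the rule's detection selections."""
    ids = set()
    for name, block in rule["detection"].items():
        if name == "condition" or not isinstance(block, dict):
            continue
        value = block.get("EventID")
        if value is None:
            continue
        for v in (value if isinstance(value, list) else [value]):
            ids.add(int(v))
    return ids


def audit_gaps(rule, policy):
    """Return {event_id: reason} for the rule's events that the policy will never emit."""
    gaps = {}
    if rule["logsource"].get("service") != "security":
        return gaps  # only the Security log is covered by the table above
    for eid in sorted(required_event_ids(rule)):
        subcategory = EVENT_TO_SUBCATEGORY.get(eid)
        if subcategory is None:
            gaps[eid] = "no subcategory mapping in the table; verify by hand"
        elif policy.get(subcategory, "No Auditing") == "No Auditing":
            gaps[eid] = f"subcategory '{subcategory}' is set to No Auditing"
    return gaps


if __name__ == "__main__":
    gaps = audit_gaps(SAMPLE_RULE, parse_auditpol(SAMPLE_AUDITPOL))
    for eid, reason in gaps.items():
        print(f"{SAMPLE_RULE['title']}: EventID {eid} will not be logged: {reason}")
```

Run against the constructed host, both 4688 and 4698 come back as gaps: the rule would deploy cleanly and then never fire, which is exactly the silent failure the guides are meant to prevent. An unmapped event ID is reported as a gap too, rather than assumed fine.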
sigmatau: An extension of the sigma standard to include security metrics
A valuable contribution which will help SOCs/MDR functions understand rule efficacy.
Security operation teams have a hard time managing alert volumes and tracking the quality of signature detections over time. The quality of signature and ML based systems can be assessed with a solid mathematical framework from the field of data science and machine learning.
This standard is an extension to the excellent work of Sigma which enables security teams to include performance metrics in their signature database.
https://github.com/priamai/sigmatau
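To make the "performance metrics in the signature database" idea concrete, here is an added example (not sigmatau's own code, and the `x_metrics` block name and layout are my assumptions rather than the sigmatau schema). It takes constructed analyst triage records for one rule, derives precision, recall and F1 overall and per month, and attaches them to the rule dict, so a rule whose precision is sliding month on month shows up in the data rather than in an analyst's gut feeling.

```python
"""Attach measured performance to a detection rule, as sigmatau sets out to do.

Added example for the sigmatau section above; it is not the project's own code and
the 'x_metrics' block name and layout below are assumptions, not sigmatau's schema.
The triage records are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Alert:
    rule_id: str
    fired: date
    verdict: str          # analyst triage outcome: "true_positive" or "false_positive"


@dataclass(frozen=True)
class Miss:
    rule_id: str          # confirmed incident the rule should have caught (false negative)
    occurred: date


RULE_ID = "office-child-schtask"      # constructed rule identifier

# Constructed triage history: the rule looks fine in January and degrades in February.
SAMPLE_ALERTS = [
    Alert(RULE_ID, date(2023, 1, 9), "true_positive"),
    Alert(RULE_ID, date(2023, 1, 12), "true_positive"),
    Alert(RULE_ID, date(2023, 1, 20), "false_positive"),
    Alert(RULE_ID, date(2023, 1, 27), "true_positive"),
    Alert(RULE_ID, date(2023, 2, 3), "false_positive"),
    Alert(RULE_ID, date(2023, 2, 8), "true_positive"),
    Alert(RULE_ID, date(2023, 2, 15), "false_positive"),
    Alert(RULE_ID, date(2023, 2, 24), "false_positive"),
]
SAMPLE_MISSES = [Miss(RULE_ID, date(2023, 2, 17))]


def confusion(rule_id, alerts, misses):
    """Count (tp, fp, fn) for one rule from triaged alerts and known misses."""
    tp = sum(1 for a in alerts if a.rule_id == rule_id and a.verdict == "true_positive")
    fp = sum(1 for a in alerts if a.rule_id == rule_id and a.verdict == "false_positive")
    fn = sum(1 for m in misses if m.rule_id == rule_id)
    return tp, fp, fn


def scores(tp, fp, fn):
    """Precision, recall and F1, with the zero-division cases pinned to 0.0."""
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"tp": tp, "fp": fp, "fn": fn, "precision": precision, "recall": recall, "f1": f1}


def monthly_scores(rule_id, alerts, misses):
    """Per calendar month scores, so a rule that starts misfiring is visible."""
    by_month = defaultdict(lambda: ([], []))
    for a in alerts:
        if a.rule_id == rule_id:
            by_month[a.fired.strftime("%Y-%m")][0].append(a)
    for m in misses:
        if m.rule_id == rule_id:
            by_month[m.occurred.strftime("%Y-%m")][1].append(m)
    return {month: scores(*confusion(rule_id, al, mi))
            for month, (al, mi) in sorted(by_month.items())}


def with_metrics(rule, alerts, misses):
    """Return a copy of the rule dict carrying an (assumed) 'x_metrics' block."""
    enriched = dict(rule)
    enriched["x_metrics"] = {
        "overall": scores(*confusion(rule["id"], alerts, misses)),
        "monthly": monthly_scores(rule["id"], alerts, misses),
    }
    return enriched


if __name__ == "__main__":
    rule = {"id": RULE_ID, "title": "Scheduled task created by an Office child process"}
    monthly = with_metrics(rule, SAMPLE_ALERTS, SAMPLE_MISSES)["x_metrics"]["monthly"]
    for month, s in monthly.items():
        print(f"{month}: precision={s['precision']:.2f} recall={s['recall']:.2f} f1={s['f1']:.2f}")
```

The false-negative input is the awkward part in practice: it only exists where an incident was confirmed by some other route and then attributed back to the rules that should have fired, which is why recall figures in a signature database are usually far less trustworthy than precision figures.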
Dismantling a Crappy Malware Operation
A step by step walk through on what it takes to disrupt..
https://mrbruh.com/dismantling_malware_operation/
Vulnerability
Our attack surface.
Offense
Attack capability, techniques and trade-craft.
PatchGuardBypass: Bypassing PatchGuard on modern x64 systems
Adam Oron’s work in progress, with ‘Evade’ the most functional of the techniques.
Evades PatchGuard detection by reverting patches prior to the PG check times.
https://github.com/AdamOron/PatchGuardBypass
Attacking Visual Studio for Initial Access
Wonderful, so nothing you download from Git* will be trustworthy from this point forward.
In this blog post we will demonstrate how compiling, reverse engineering or even just viewing source code can lead to compromise of a developer’s workstation. This research is especially relevant in the context of attacks on security researchers using backdoored Visual Studio projects allegedly by North Korean actors
https://outflank.nl/blog/2023/03/28/attacking-visual-studio-for-initial-access/
Disabling AV With Process Suspension
Christopher Paschen describes what is possible and the caveats. Unlikely to be used in the real world without significant risk of the operation going awry, but not before they get the password hashes.
With that said, it seems highly effective and is difficult to mitigate without vendors closing gaps in their own products. The primary purpose of this post is to raise awareness of said security gap and encourage vendors to examine if they truly intended to allow suspension of their products.
https://www.trustedsec.com/blog/disabling-av-with-process-suspension/
Bypassing Microsoft Defender for Endpoint device isolation with no log evidence
Yes, really..
It is possible to bypass device isolation in defender for endpoints by using Microsoft Subsystem for Linux (WSL)
Bypassing PPL in Userland (again)
Clément Labro undermines Protected Processes Light on Windows in glorious detail in this blog post. This is probably the most interesting bit of the tradecraft.
Once we have generated a faked cached signature for our DLL, we can start WerFaultSecure.exe as a PPL with the signer type WinTcb and thus inject arbitrary code into it.
https://blog.scrt.ch/2023/03/17/bypassing-ppl-in-userland-again/
Heap Crypt
More offensive tradecraft in open source to avoid memory scanners.
Encrypting the Heap while sleeping by hooking and modifying Sleep with our own function that encrypts the heap, sleeps for a moment then decrypts the heap.
https://github.com/TheD1rkMtr/HeapCrypt
ZwProcessHollowing
Even more in a similar vein to the above..
ZwProcessHollowing is a x64 process hollowing project which uses direct systemcalls, dll unhooking and RC4 payload decryption
https://github.com/XaFF-XaFF/ZwProcessHollowing
Hardware Call Stack
Combining hardware breakpoints and call stack spoofing. Thankfully detecting the use of hardware breakpoints is cheap and easy.
I decided to make the entire process work within a single thread. To achieve this, I use a hardware breakpoint (hence the name of the technique) to prevent the thread from crashing while trying to return.
In a nutshell, the technique works like this:
Create the fake call stack
Set a hardware breakpoint at the “ret” instruction after the syscall
Set all the syscall parameters
Set the RSP register to the fake call stack
Jump to the “syscall” address
Once the syscall is done and the hardware breakpoint handler is hit, restore the stack and instruction pointers
Remove the hardware breakpoint
Profit
https://www.coresecurity.com/blog/hardware-call-stack
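On the "cheap and easy" detection side: the technique only works because a hardware breakpoint is armed in the thread's debug registers, and those registers are plain to read. The block below is an added defensive example, not Core Security's code. It decodes the x86-64 DR7 layout (enable bits per slot, then a read/write condition and length per slot) against DR0 to DR3 and flags threads that carry an armed breakpoint while no debugger is attached. The thread contexts are constructed; on Windows the live values come from GetThreadContext with CONTEXT_DEBUG_REGISTERS, which this block deliberately does not call so that it runs anywhere.

```python
"""Decode x86-64 debug registers to spot armed hardware breakpoints.

Added defensive example for the hardware-breakpoint technique described above;
it is not Core Security's code. The thread contexts are constructed: on Windows the
real values come from GetThreadContext with CONTEXT_DEBUG_REGISTERS, which this
block deliberately does not call so it runs anywhere.
"""
from dataclasses import dataclass

# DR7 layout (Intel SDM vol. 3): bits 0-7 are the L0,G0 .. L3,G3 enable pairs; for
# slot i, bits 16+4i..17+4i are the R/W condition and bits 18+4i..19+4i the length.
RW_KIND = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}


@dataclass(frozen=True)
class HwBreakpoint:
    slot: int
    address: int
    kind: str
    length: int
    scope: str   # "local" (cleared on task switch) or "global"


def decode_debug_registers(dr0, dr1, dr2, dr3, dr7):
    """Return the breakpoints DR7 says are armed, paired with their DRn addresses."""
    addresses = (dr0, dr1, dr2, dr3)
    armed = []
    for slot in range(4):
        local_bit = (dr7 >> (2 * slot)) & 1
        global_bit = (dr7 >> (2 * slot + 1)) & 1
        if not (local_bit or global_bit):
            continue
        rw = (dr7 >> (16 + 4 * slot)) & 0b11
        ln = (dr7 >> (18 + 4 * slot)) & 0b11
        armed.append(HwBreakpoint(slot, addresses[slot], RW_KIND[rw], LEN_BYTES[ln],
                                  "global" if global_bit else "local"))
    return armed


def threads_with_hw_breakpoints(contexts, debugger_attached=False):
    """Flag threads carrying armed debug registers when no debugger is attached.

    `contexts` is an iterable of dicts with keys tid, Dr0..Dr3 and Dr7 (the field
    names of the Windows CONTEXT structure). A legitimate debugger arms these too,
    so the caller passes what it knows about debugger presence and the result is
    a lead to correlate with other telemetry, not a verdict on its own.
    """
    findings = []
    if debugger_attached:
        return findings
    for ctx in contexts:
        bps = decode_debug_registers(ctx["Dr0"], ctx["Dr1"], ctx["Dr2"], ctx["Dr3"], ctx["Dr7"])
        if bps:
            findings.append((ctx["tid"], bps))
    return findings


# Constructed thread contexts: one clean thread, one with an execute breakpoint in
# slot 0, one with a 4-byte write watchpoint in slot 1 (all addresses are made up).
SAMPLE_CONTEXTS = [
    {"tid": 1240, "Dr0": 0, "Dr1": 0, "Dr2": 0, "Dr3": 0, "Dr7": 0},
    {"tid": 1234, "Dr0": 0x7FF612345678, "Dr1": 0, "Dr2": 0, "Dr3": 0, "Dr7": 0x1},
    {"tid": 1250, "Dr0": 0, "Dr1": 0x7FF600001000, "Dr2": 0, "Dr3": 0,
     "Dr7": 0b1000 | (0b01 << 20) | (0b11 << 22)},
]


if __name__ == "__main__":
    for tid, bps in threads_with_hw_breakpoints(SAMPLE_CONTEXTS):
        for bp in bps:
            print(f"thread {tid}: DR{bp.slot} {bp.kind} breakpoint at {bp.address:#x} "
                  f"({bp.length} byte, {bp.scope})")
```

An execute breakpoint in a process that has no debugger attached, sitting in a thread that is otherwise just a worker, is the telltale; an EDR would typically correlate the finding with the thread's start address and the module that owns the breakpoint address before raising it.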
ROPfuscator
This is going to be ‘fun’ as it develops and becomes cross platform and pervasive. But nice work..
ROPfuscator is a fine-grained code obfuscation framework for C/C++ programs using ROP (return-oriented programming).
Limitations
Linux 32-bit x86 binaries are the only supported target (as of now)
For detailed limitations, see limitation.md.
https://github.com/ropfuscator/ropfuscator
Chaos Rootkit
Does what it says on the tin for Windows.
X64 ring0 Rootkit with Process Hiding and Privilege Escalation Capabilities
https://github.com/ZeroMemoryEx/Chaos-Rootkit
HardHatC2: A C# Command & Control framework
Will be misused, get those detections ready..
HardHat is a multiplayer C# .NET-based command and control framework.
Designed to aid in red team engagements and penetration testing. HardHat aims to improve the quality of life factors during engagements by providing an easy-to-use but still robust C2 framework.
It contains three primary components, an ASP.NET teamserver, a blazor .NET client, and c# based implants.
https://github.com/DragoQCC/HardHatC2
Exploitation
What is being exploited.
CVE-2023-27532: POC for Veeam Backup and Replication
https://github.com/horizon3ai/CVE-2023-27532
CVE-2023-27326: VM Escape for Parallels Desktop <18.1.1
https://github.com/Impalabs/CVE-2023-27326
Active Exploitation of IBM Aspera Faspex CVE-2022-47986
Joomla! CVE-2023-23752 to Code Execution
https://vulncheck.com/blog/joomla-for-rce
Pinduoduo - CVE-2023-20963 and a leaked potentially compromised signing key
Chinese shopping app deployed LPE 0day when distributed via some channels.
Confused situation.. expect more to follow
Analysis
News:
Spyware vendors use 0-days and n-days against popular platforms
Clement Lecigne is back with this reporting on the use of Spanish developed capability in the UAE.
In this blog, we’re sharing details about two distinct campaigns we’ve recently discovered which used various 0-day exploits against Android, iOS and Chrome and were both limited and highly targeted. The 0-day exploits were used alongside n-day exploits and took advantage of the large time gap between the fix release and when it was fully deployed on end-user devices. Our findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments with the technical expertise to develop and operationalize exploits.
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
Setting up KDNET over USB EEM for Bootloader and Hyper-V debugging
Satoshi Tanda drops the goods for those wanting to do Hyper-V research..
This post notes how to enable a debugger for winload, tcblaunch and Hyper-V on a physical device over USB EEM. This instruction may be helpful when a target device cannot be debugged with any of other debugging interfaces like traditional KDNET and USB3.
BREAD: BIOS Reverse Engineering & Advanced Debugging
Davidson Francis brings joy to real mode debugging of BIOSes.
BREAD emerged from many failed attempts to reverse engineer legacy BIOS. Given that the vast majority -- if not all -- BIOS analysis is done statically using disassemblers, understanding the BIOS becomes extremely difficult, since there's no way to know the value of registers or memory in a given piece of code.
Despite this, BREAD can also debug arbitrary code in real-mode, such as bootable code or DOS programs too.
https://github.com/Theldus/bread
IDARustDemangler: Rust Demangler & Normalizer plugin for IDA
The opening line of this user’s GitHub profile is:
I'm a highschool student, and reverse engineer in the free time.
Then
This project provides a script that demangles Rust function names and normalizes them for IDA, making it easier to read and understand the code.
The kid is going to be alright..
https://github.com/timetravelthree/IDARustDemangler
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
2022 Ads Safety Report - after all the reports this year of malverts, an interesting read.
Monthly Threat Actor Group Intelligence Report, February 2023 (Korean)
Geopolitical Cyber Event Prediction Using Reverse Attack Surface Analysis (RASA)
The psychological drivers of misinformation belief and its resistance to correction
RWC 2023 program - International Association for Cryptologic Research
malicious-software-packages-dataset: An open-source dataset of malicious software packages found in the wild, 100% vetted by humans
2023 Conference on International Cyber Security: War and Peace. Conflict, Behaviour and Diplomacy in Cyberspace - Call for Papers
This newsletter is produced by BinaryFirefly; it is via BinaryFirefly that I support a hand-picked set of organisations across investment, strategy and capability in the domain of cyber.
For sponsorship enquiries regarding Bluepurple or anything else contact hello@binaryfirefly.com.
I put a duff link in, which is now fixed in the above - for those looking for the India story it is - https://archive.ph/beDzA