Bluepurple Pulse: week ending April 30th
Discover more from Cyber Defence Analysis for Blue & Purple Teams
Bluepurple Pulse: week ending April 30th
SolarWinds was found six months before anyone realized what it was and the extent.
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week Fortra released the conclusions of their investigation related to their GoAnywhere MFT solution which led to a global incident. We had PaperCut being exploited at scale by criminal actors. We then have FIN7 targeting Veeam backup servers plus the usual mele.
In the high-level this week:
Spy chief warns Cabinet of AI disinformation risks - Previous head of GCHQ (Sir Jeremy) - “warned the Cabinet that artificial intelligence (AI) language services such as ChatGPT could become vehicles for disinformation.”
The New Risks ChatGPT Poses to Cybersecurity - related and covered in the Harvard Business Review so the great and the good will now be aware.
UK NCSC warns of emerging threat to critical national infrastructure - reporting based on the week prior - “New alert from NCSC highlights risk to CNI from state-aligned groups – particularly those sympathetic to Russia’s invasion of Ukraine” - UK CNI needs to pay attention here and act accordingly.
UK Government launches new cyber security measures to tackle ever growing threats - GovAssure arrives - akin to cyber regulation of the UK public sector by the Government Security Group - “All government departments and a select number of arm’s length bodies to have their cyber security reviewed under new, more stringent measures.” - big moves here..
Biden’s order against commercial spyware is ‘upsetting the market’ - “Some of them have told me that they’re not sure they’re going to be able to stay in business,” - policy makers high-five.
How Mexico Became the Biggest User of the Pegasus Spyware - “Yet, despite ample evidence of Pegasus abuses in Mexico, the Israeli government has not ordered an end to its use in Mexico, according to four people with knowledge of the contracts for the technology.”
CCP’s increasingly sophisticated cyber-enabled influence operation - “Chinese cybersecurity company Qi An Xin (奇安信), a partly state-owned enterprise, also appears at times to be supporting the influence operation. Our research shows the company is deeply connected with Chinese intelligence, military and security services and that it might provide digital infrastructure support to Chinese Government agencies that conduct clandestine operations online.”
DOJ Detected SolarWinds Breach Months Before Public Disclosure - “THE US DEPARTMENT of Justice, Mandiant, and Microsoft stumbled upon the SolarWinds breach six months earlier than previously reported, WIRED has learned, but were unaware of the significance of what they had found.”
Full text of joint summit statement between Yoon, Biden - "The United States and the ROK commit to using this framework to expand cooperation on deterring cyber adversaries, increase the cybersecurity of critical infrastructure, combat cybercrime, and secure cryptocurrency and blockchain"
H.R.2866 -”To amend the Homeland Security Act of 2002 to establish Critical Technology Security Centers in the Department of Homeland Security to evaluate and test the security of critical technology, and for other purposes” - National labs start your engines..
The perilous path to a new cybercrime treaty - “The thorny debate over the treaty has been marked by Russia pushing for a treaty that expands the definition of cybercrime” … “One worry is whether a new pact might criminalize security research, an ambiguity even in U.S. law”
AI security concerns in a nutshell - Practical AI Security guide - from the German Federal Government.
J’étais en manque d’adrénaline: derrière les menaces d’attentats à l’école, d’intrigants ados surdoués - "I was in lack of adrenaline": behind the threats of attacks at school, intriguing gifted teenagers” - we are going to need to find a way to harness such talent in our free and liberal societies.
Cybersecurity Nightmare in Japan Is Everyone Else’s Problem Too - article on Japanese cyber supply chain issues and the cultural headwinds.
Existential espionage: How intelligence gathering can protect humanity - “In a section on technology, the report contained a short but remarkable description of “existential risks” or “threats that could damage life on a global scale” and lead to human extinction and civilizational collapse. The report specifically cites runaway artificial intelligence, engineered pandemics, nanotechnology weapons, and nuclear war. Other threats include extreme climate change, geoengineering, ecological collapse, supervolcanoes, and near-Earth objects.”
Cyber: towards stronger EU capabilities for effective operational cooperation, solidarity and resilience - “Today, the Commission has adopted a proposal for the EU Cyber Solidarity Act to strengthen cybersecurity capacities in the EU. It will support detection and awareness of cybersecurity threats and incidents, bolster preparedness of critical entities, as well as reinforce solidarity, concerted crisis management and response capabilities across Member States.”
CISA to Continue and Enhance U.K.’s Logging Made Easy Tool - we love 🇺🇸
Sanctions and indictments
North Korean Foreign Trade Bank Representative Charged in Crypto Laundering Conspiracies - “Since 2017, as part of its cyber campaign, North Korean hackers have also executed virtual currency-related thefts to generate revenue for the regime, including through the hacking of virtual asset services providers, such as virtual currency exchanges.”
OFAC is taking action against the new Secretary of Iran’s Supreme Council of Cyberspace (SCC) - including “Seyyed Mohammad Amin Aghamiri (Aghamiri) is the new Secretary of Iran’s SCC, the centralized authority regarding policymaking in the realm of cyberspace. The SCC is responsible for Iran’s blockage of popular online news and communications platforms and has also used digital technology to spy on and harass journalists and regime dissidents.”
Escaping the Doom Loop - layout out their stall on how we break the “endless cycle of vulnerability, followed by patch, followed by vulnerability” - interesting to see industry doing this and not Government policy makers.
Mullvad VPN was subject to a search warrant. Customer data not compromised - modern law enforcement challenges summarized right here - I am going to start a book on laws being created which mandate log retention by VPN / anonymization providers.
How we fought bad apps and bad actors in 2022 - “We also continued to combat malicious developers and fraud rings, banning 173K bad accounts, and preventing over $2 billion in fraudulent and abusive transactions.”
Democratic world requires efficient mechanisms to combat russia’s cyber terrorism — Viktor Zhora - a call from Ukraine
The reflections this week come from reading the book Crack-Up Capitalism: Market Radicals and the Dream of a World Without Democracy which enlightened me as to the value of development corporations and how they have been quite pivotal at times. This then led me to wonder when and where we might see the first cyber specific one that is enabled through extraterritorial rights and what the implications might be.
On the interesting job/role front:
Research Associate - Online Safety at the Alan Turing Institute, UK
Senior Cyber Threat Intelligence Analyst at the London Stock Exchange Group, Singapore
Principal Penetration Tester at Bank of England, UK
Manager, Research at Chainalysis, Spain
Vice President- Cybersecurity Attorney at Goldman, New York, USA
Enjoying this? don’t get via e-mail? Subscribe:
Think someone else would benefit? Share:
Have a lovely Saturday
Ollie
Cyber threat intelligence
Who is doing what to whom and how.
Russia
Tomiris called, they want their Turla malware back
Pierre Delcher and Ivan Kwiatkowsk outline a Russian state actor who show a propensity for disposable capability.
Tomiris focuses on intelligence gathering in Central Asia. Tomiris’s endgame consistently appears to be the regular theft of internal documents.
The threat actor targets government and diplomatic entities in the CIS. The occasional victims discovered in other regions (such as the Middle East or South-East Asia) turn out to be foreign representations of CIS countries, illustrating Tomiris’s narrow focus.
It is characterized by its tendency to develop numerous low-sophistication “burner” implants in a variety of programming languages that are repeatedly deployed against the same targets, using elementary but efficient packaging and distribution techniques. Tomiris occasionally leverages commercial or open-source RATs.
Language artifacts discovered in Tomiris’s implant families and infrastructure from distinct campaigns all indicate that the threat actor is Russian-speaking.
Overall, Tomiris is a very agile and determined actor, open to experimentation – for instance with delivery methods (DNS hijacking) or command and control (C2) channels (Telegram).
https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/
Nomadic Octopus’ Paperbug Campaign
More Russian state activity which this commercial threat intelligence provider gaining what appears to be access to their control panels which allowed them to see the victimology. Noting that level of access would not be possible by the private sector in various countries due to local laws.
This report explores an operational environment which is owned by Nomadic Octopus espionage group, that has been active since 2020. According to victim analysis, the group specifically targets Tajikistan’s high ranking government officials, telecommunication services, and public service infrastructures. The types of compromised machines range from individuals’ computers to OT devices.
https://www.prodaft.com/m/reports/PAPERBUG_TLPWHITE-1.pdf
APT29 recently used CobaltStrike to carry out attacks
This is a Chinese analysis based on the Polish reporting we have already covered. The most interesting aspect is really this Chinese firms capability on working with encrypted payloads to detect beacons.
Guancheng Kanyun (ENS) - encrypted threat intelligent detection system can detect the TLS heartbeat packet of APT29 CobaltStrike, and the AI comprehensive decision score is 92 points
https://www.viewintech.com/html/articledetails.html?newsId=35
North Korea
North Korea reporting varies this week with some 3CX and some not.
RedEyes(ScarCruft) - RokRAT malware distributed through link files (*.lnk)
Basic North Korean tradecraft is reported on here by South Korea.
RokRAT malware is a malware that can collect user information and download additional malware, and has a history of being distributed through Hangul and Word documents in the past . The LNK file identified this time contains PowerShell commands inside, and creates and executes script files along with normal files in the temp path to perform malicious actions . The confirmed LNK file name is as follows .
230407 Information Sheet .lnk
April 29 , 2023 Seminar.lnk _ _
Personal evaluation in 2023 .hwp.lnk
Selection and Dispatch of North Korean Diplomats and Overseas Missions .lnk
North Korea Foreign Policy Decision Process .lnk
China
Evasive Panda APT group delivers malware via updates for popular Chinese software
Facundo Muñoz outlines a Chinese supply chain attack being used against targets in China. This is the very definition of a hostile working environment.
Users in mainland China were targeted with malware delivered through updates for software developed by Chinese companies.
We analyze the competing hypotheses of how the malware could have been delivered to targeted users.
With high confidence we attribute this activity to the Evasive Panda APT group.
We provide an overview of Evasive Panda’s signature backdoor MgBot and its toolkit of plugin modules.
In January 2022, we discovered that while performing updates, a legitimate Chinese application had received an installer for the Evasive Panda MgBot backdoor. During our investigation, we discovered that the malicious activity went back to 2020.
During our investigation, we discovered that when performing automated updates, a legitimate application software component downloaded MgBot backdoor installers from legitimate URLs and IP addresses.
Chinese Alloy Taurus Updates PingPull Malware
Further evolution in Chinese Linux focused tradecraft.
[We] recently identified a new variant of PingPull malware used by Alloy Taurus actors designed to target Linux systems. While following the infrastructure leveraged by the actor for this PingPull variant, we also identified their use of another backdoor we track as Sword2033.
Alloy Taurus remains an active threat to telecommunications, finance and government organizations across Southeast Asia, Europe and Africa. The identification of a Linux variant of PingPull malware, as well as recent use of the Sword2033 backdoor, suggests that the group continues to evolve their operations in support of their espionage activities. We encourage all organizations to leverage our findings to inform the deployment of protective measures to defend against this threat group.
https://unit42.paloaltonetworks.com/alloy-taurus/
Tonto Team Using Anti-Malware Related Files for DLL Side-Loading
Chinese activity in South Korea this month using rudimentary email born tradecraft.
The Tonto Team is a threat group that targets mainly Asian countries, and has been distributing Bisonal malware.
The Tonto Team’s involvement in the distribution of the CHM malware in Korea has been confirmed since 2021, and they have been changing their methods in various ways to bypass detection.
https://asec.ahnlab.com/en/51746/
Mustang Panda – PE Injection through Opera Mail
Melvin S details a Chinese campaign which appears to have a Hungarian focus. The actual tradecraft used is typical archive and LNK files to target Windows systems. The use of Opera mail for DLL sideloading is the novelty here.
Initial vector for this infection chain is a .rar file named as lydwcb.rar1, which contains a crafted LNK file that is named “2023 03 26 Vonulásos gyűlés – Körjegyzék” which translates to ‘March meeting – Circular list’. It mimics a shortcut to a PDF to deceive users.
https://labs.k7computing.com/index.php/mustang-panda-pe-injection-through-opera-mail/
Iran
MuddyWater Back with DarkBit
Sudeep details an Iranian campaign which used ISO files as the initial access vector to deliver ransomware. It is like Iran is learning from North Korean and/or Chinese actors. To give a sense they are asking for about $30,000.
HR-Update.exe was a Cobalt Strike beacon. Cobalt Strike, a penetration testing tool, can also be used by attackers for gaining a foothold in the system. The final ransomware payload is downloaded with the help of Cobalt Strike.
At the time of writing the blog, we were unable to get the exact DarkBit ransomware payload.
https://labs.k7computing.com/index.php/muddywater-back-with-darkbit/
Educated Manticore - Iran Aligned Threat Actor Targeting Israel via Improved Arsenal of Tools
More Iranian activity with overlaps to their ransomware operations. Also using ISO files.
In this report we reveal new findings related to Educated Manticore, an activity cluster with strong overlap with Phosphorus, an Iranian-aligned threat actor operating in the Middle East and North America.
Like many other actors, Educated Manticore has adopted recent trends and started using ISO images and possibly other archive files to initiate infection chains. In the report we reveal Iraq-themed lures, most likely used to target entities in Israel
The actor has significantly improved its toolset, utilizing rarely seen techniques, most prominently using .NET executables constructed as Mixed Mode Assembly – a mixture of .NET and native C++ code. It improves tools’ functionality and makes the analysis of the tools to be more difficult.
The final executed payload is an updated version of the Implant PowerLess, previously tied to some of Phosphorus ransomware operations.
Unpacking BellaCiao: A Closer Look at Iran’s Latest Malware
Martin Zugec details an dropper capability out of Iran and also discusses their quick flip of of old days. The victimology and also the the C2 mechanisms are the most interesting in this reporting.
The name used by malware developers is BellaCiao, a reference to the Italian folk song about resistance fighting. We have identified multiple victims in the United States and Europe, but also in the Middle East (Turkey) or India.
The resolved IP address is like the real public IP address, but with slight modifications that allow BellaCiao to receive further instructions. It's important to note that BellaCiao only operates with two fixed values - a hardcoded IP string (“local” IP, we will use
L1.L2.L3.L4for examples) and the IP address returned by the DNS server controlled by the threat actor (“remote” IP -R1.R2.R3.R4). The code does not contain the actual IP address; rather, it mimics its format to give the impression that the DNS requests are valid.When comparing these two IP addresses, there are three potential scenarios, depending on the last octet of an IP address:
L1.L2.L3.L4 == R1.R2.R3.(R4 - 1) – Remove all artefacts of webshell (dropped resources and running processes)
L4 == R4 - Instructions to deploy webshell
L4 != R4 – Do nothing
APT-LY-1007: Analysis of the attack activities of the new APT organization in Eastern Europe targeting the Russian army
Chinese reporting on targeting of Russian military targets. Initial access is a malicious Word document delivered via e-mail.
In addition to the Russian Ministry of Defense, the group also targeted Russian Railways. Relevant malicious documents were released under the topics of "order to postpone the call-up of the Armed Forces of the Russian Federation" and "Notice of exempting the Russian Railways from the call-up", and subsequently released a remote control Trojan horse to steal the target's confidential information.
In the initial stage, the document uses remote templates to load DOTM files containing malicious macro codes;
The macro code will get the remote file (JS script, EXE executable file) to the local;
The JS script will run the remote control Trojan Cyrillic RAT through cmd.exe;
Cyrillic RAT executes additional payloads based on C2 return instructions.
Based on the above activities and sample characteristics, we tend to believe that this threat group was born during the Russia-Ukraine cyberwar period. The main purpose of the attack is to steal Russian military secrets, and the attack weapons have been upgraded within half a year.
“Malverposting” — With Over 500K Estimated Infections, Facebook Ads Fuel This Evolving Stealer Campaign
Insight into a scaled campaign outside of the usual search engines etc.
… campaigns, linked to a Vietnamese threat actor, has been ongoing for months now gaining more traction lately using resilient deployment techniques and is estimated to surpass 500k infections worldwide so far. Yet, the initial enabler for those numbers is the abuse of Facebook’s Ads service as the first stage delivery mechanism responsible for this mass propagation.
Once victims click on those posts/links, a malicious ZIP file is downloaded to their computers. Since the “intent” of the user is relatively high because of the baity content, many proceed to extract the Zip file content:
Sidecopy Group Launches Attacks on India Using a New Trojan
Chinese reporting on Pakistani activity in India in April. As can be see the actual initial access tradecraft remains rudimentary.
[We] captured another batch of Sidecopy attack samples targeting India. In this attack campaign, the attackers mainly used a Saudi Arabian delegation visiting India as bait, disguised the downloader as a shortcut file, and sent it to victims via phishing emails. When the victim decompressed and executed the bait file, the program would download the data file from the remote server to the local machine and decrypt and execute it, ultimately loading the remote control software AckRAT.
https://ti.qianxin.com/blog/articles/Sidecopy-Group-Launches-Attacks-on-India-Using-a-New-Trojan-EN/
Indian Ministry of Defense-Themed Trojan: A SideCopy Signature
Further reporting on a slightly different campaign by the same actor. But again the initial tradecraft is not sophisticated.
In this attack, the SideCopy group used spear-phishing emails with LNK files in compressed packages as the attack entry point. The LNK file is a malicious file that accesses the command and control (C2) server using mshta.exe in the system to download and execute subsequent payloads. The final payload is an improved open-source Trojan horse written in Delphi or a new Trojan horse written in C++, with the bait content related to the Indian Ministry of Defense.
https://cyberstanc.com/blog/indian-ministry-of-defense-themed-trojan-a-sidecopy-signature/
Bumblebee Malware Distributed via Trojanized Installer Downloads
Good insight into the full blended attack chain here by a criminal threat actor. Note the use of various platforms along with fake adverts etc.
[We] observed Bumblebee malware distributed via trojanized installers for popular software such as Zoom, Cisco AnyConnect, ChatGPT, and Citrix Workspace. Bumblebee is a modular loader, historically distributed primarily through phishing, that has been used to deliver payloads commonly associated with ransomware deployments. Trojanizing installers for software that is particularly topical (e.g., ChatGPT) or software commonly used by remote workers increases the likelihood of new infections.
One of the Bumblebee samples CTU researchers analyzed was downloaded from http: //appcisco[.]com/vpncleint/cisco-anyconnect-4_9_0195.msi. On or around February 16, 2023, a threat actor created a fake download page for Cisco AnyConnect Secure Mobility Client v4.x (see Figure 1) on the appcisco . com domain. An infection chain that began with a malicious Google Ad sent the user to this fake download page via a compromised WordPress site.
https://www.secureworks.com/blog/bumblebee-malware-distributed-via-trojanized-installer-downloads
Discovery
How we find and understand the latent compromises within our environments.
Velociraptor artifact to bulk hunt the loldrivers project
Matthew Green lights up the world of latent compromises which have used BYOVD with this capability.
The artifact uses AMCache to check any entries in the project with a SHA1
https://github.com/mgreen27/DetectRaptor/blob/master/vql/LolDrivers.yaml
Unsupervised attack pattern detection in honeypot data using Bayesian topic modelling
Francesco Sanna Passino, Anastasia Mantziou , Daniyar Ghani, Philip Thiede, Ross Bevington and Nicholas A. Heard evidence how far academia have come in applied cyber defence research value.
This article explores topic models for clustering terminal session commands collected from honeypots, which are special network hosts designed to entice malicious attackers. The main practical implications of clustering the sessions are two-fold: finding similar groups of attacks, and identifying outliers. A range of statistical topic models are considered, adapted to the structures of command-line syntax. In particular, concepts of primary and secondary topics, and then session-level and commandlevel topics, are introduced into the models to improve interpretability. The proposed methods are further extended in a Bayesian nonparametric fashion to allow unboundedness in the vocabulary size and the number of latent intents. The methods are shown to discover an unusual MIRAI variant which attempts to take over existing cryptocurrency coin-mining infrastructure, not detected by traditional topic-modelling approaches
https://arxiv.org/pdf/2301.02505
Hunt-Weird-Syscalls: ETW based proof of concept to identify direct and indirect syscalls
Sebastian Feldmann does it again with this capability. Will help detect various Windows non persistent implants.
This project uses
ETW, more precisely kernel based ETW providers, to monitor for IOCs.ETWproviders sitting in the kernel can effectively be leveraged, as the calltraces of emitted events contain the usermode address from where the syscall was conducted.This allows monitoring IOCs indicating direct and indirect syscalls, a technique often leveraged by threat actors:
A syscall was conducted from an untrusted module (=direct syscall)
The used syscall stub in ntdll does not match the conducted syscall (=indirect syscall)
For now, the syscalls
NtOpenThreadandNtSetContextThreadare monitored to identify IOCs indicating both direct and indirect syscalls.
https://github.com/thefLink/Hunt-Weird-Syscalls
ImpELF: Unmasking Linux Malware with a Novel Imphash Approach for ELF Binaries
We saw something similar earlier in the year. This is another implementation of the concept to help cluster binaries by David Burkett.
ImpELF is a Python-based ELF (Executable and Linkable Format) hashing utility that generates unique fingerprints for ELF binaries using their imported functions and libraries, aiding in malware analysis and similarity detection.
https://github.com/signalblur/impelf
Trawler
Joseph Avanzato releases a useful work aid.
Trawler is a PowerShell script designed to help Incident Responders discover potential indicators of compromise on Windows hosts, primarily focused on persistence mechanisms including Scheduled Tasks, Services, Registry Modifications, Startup Items, Binary Modifications and more.
Currently, trawler can detect most of the persistence techniques specifically called out by MITRE and Atomic Red Team with more detections being added on a regular basis.
https://github.com/joeavanzato/Trawler
Volatility 3 2.4.1 - New Linux and Windows plugins
Update, specifically the new plugins are:
linux.sockstat
linux.iomem
linux.psscan
linux.envars
windows.drivermodule
windows.vadwalk
https://github.com/volatilityfoundation/volatility3/releases/tag/v2.4.1
Defence
How we proactively defend our environments.
A review of cyber vigilance tasks for network defenses
Oliver Alfred Guidetti, Craig Speelman and Peter Bouhlas bring some real science to how effective human SOCs can be.
The capacity to sustain attention to virtual threat landscapes has led cyber security to emerge as a new and novel domain for vigilance research. However, unlike classic domains, such as driving and air traffic control and baggage security, very few vigilance tasks exist for the cyber security domain. Four essential challenges that must be overcome in the development of a modern, validated cyber vigilance task are extracted from this review of existent platforms that can be found in the literature. Firstly, it can be difficult for researchers to access confidential cyber security systems and personnel. Secondly, network defense is vastly more complex and difficult to emulate than classic vigilance domains such as driving. Thirdly, there exists no single, common software console in cyber security that a cyber vigilance task could be based on. Finally, the rapid pace of technological evolution in network defense correspondingly means that cyber vigilance tasks can become obsolete just as quickly. Understanding these challenges is imperative in advancing human factors research in cyber security.
https://www.frontiersin.org/articles/10.3389/fnrgo.2023.1104873/full
So you think you can block Macros?
Pieter Ceelen makes the world sob just a little bit harder whilst introducing LOLdocs.
In the first part of the blog we will discuss various Microsoft Office security controls on macros and add-ins, including their subtleties, pitfalls and offensive bypasses.
In the second part of this blog the concept of LOLdocs is further explained, detailing how vulnerabilities in signed MS Office content might be abused to bypass even strictly configured MS Office installs.
https://outflank.nl/blog/2023/04/25/so-you-think-you-can-block-macros/
macOS Security Tool: Mergen
Samet Sazak brings tooling to help those wrestling with large macOS estates and compliance.
Mergen is an open-source, native macOS application for auditing and checking the security of your Mac. It scans your system for security issues based on the Center for Internet Security (CIS) Benchmark, and checks various settings and configurations related to security and privacy.
https://medium.com/@sametsazak/introducing-my-new-macos-security-tool-mergen-e5c9a47f267
https://github.com/sametsazak/mergen
Vulnerability
Our attack surface.
cPanel CVE-2023-29489: Finding XSS in a million websites
This won’t be used much… OK, yes it will.
The impact of this vulnerability is that we are able to execute arbitrary JavaScript, pre-authentication, on almost every port of a webserver using cPanel within its default setup.
https://blog.assetnote.io/2023/04/26/xss-million-websites-cpanel/
Cisco StarOS Software Key-Based SSH Authentication Privilege Escalation Vulnerability
What a 56 billion dollar cyber/networking vendor wrestles with..
This vulnerability is due to insufficient validation of user-supplied credentials. An attacker could exploit this vulnerability by sending a valid low-privileged SSH key to an affected device from a host that has an IP address that is configured as the source for a high-privileged user account. A successful exploit could allow the attacker to log in to the affected device through SSH as a high-privileged user.
VMware Aria Operations for Logs Critical Vulnerability
When logging infrastructure is the cause of vulnerability.
Successful exploitation of the deserialisation vulnerability could allow an unauthenticated attacker to execute arbitrary code as root.
https://www.csa.gov.sg/alerts-advisories/alerts/2023/al-2023-052
GhostToken
This took Google 10 months to release a fix yet they hold vendors to much shorter disclosure periods for issues.
Exploiting GCP application infrastructure to create invisible, unremovable trojan app on Google accounts
Compromising Garmin's Sport Watches: A Deep Dive into GarminOS and its MonkeyC Virtual Machine
Tao Sauvage show oozes quality in this research.
Discarded, not destroyed: Old routers reveal corporate secrets
Cameron Camp and Tony Anscombe evidences once more that companies are ensuring old kit is being effectively erased.
When the ESET research team purchased a few used routers to set up a test environment, there was shock among team members when they found that, in many cases, previously used configurations had not been wiped…and worse, the data on the devices could be used to identify the prior owners along with the details of their network configurations.
Offense
Attack capability, techniques and trade-craft.
Abusing the GPU for Malware with OpenCL
Sven Rath raises the bar on EDR vendors.
Using this small program, we can offload our shellcode decryption to the GPU, potentially providing us with some additional stealth. While these PoCs are nothing outstanding, I still learned some things about GPU programming and hope that you did too. In my opinion, using the GPU is an area in malware development that can still be further explored.
https://eversinc33.com/posts/gpu-malware/
Tunnel via Cloudflare to any TCP Service
Will be interesting to see how/if Cloudflare to respond to this as the opportunity for misuse is extensive.
This article explains how to 'publish' any other service (like SSHD) and make it accessible via the cloudflared tunnel. It does so by adding a WebSocket Proxy on either side of the tunnel.
https://iq.thc.org/tunnel-via-cloudflare-to-any-tcp-service
An Introduction into Sleep Obfuscation
Dylan Tran provides a lovely step-by-step guide to this implant tradecraft.
https://dtsec.us/2023-04-24-Sleep/
Evil WinRM Release v3.5
Prepare part I..
This program can be used on any Microsoft Windows Servers with this feature enabled (usually at port 5985), of course only if you have credentials and permissions to use it.
https://github.com/Hackplayers/evil-winrm/releases/tag/v3.5
HavocFramework 0.5
Prepare part II..
socks5
improved support for redirectors
add working hours
refactored BOF loader
https://github.com/HavocFramework/Havoc/pull/310
PowerShell Obfuscation Bible
Extensive problem..
A collection of techniques, examples and a little bit of theory for manually obfuscating PowerShell scripts to achieve AV evasion, compiled for educational purposes.
https://github.com/t3l3machus/PowerShell-Obfuscation-Bible
Power Automate Packing
From a Japanese BSides
We implemented RC4 using only primitive functions within a single flow with the goal of encrypting Power Automate C2 payloads. Power Automate isn't supposed to work with binaries, but I showed you some hacks to make this possible and some ideas to speed up execution time.
In the RC4 implementation this time, the time taken to generate random numbers was dominant, so I think it would be practical to generate random numbers in advance and use the One-Time Pad method. Also, since Power Automate is frequently adding functions, restrictions like this one may be relaxed. I would also like to keep an eye on future trends.
Exploitation
What is being exploited.
PaperCut MF/NG vulnerability
As discussed in the opener..
https://www.papercut.com/kb/Main/PO-1216-and-PO-1219
https://www.horizon3.ai/papercut-cve-2023-27350-deep-dive-and-indicators-of-compromise/
TP-Link WAN-side Vulnerability CVE-2023-1389 Added to the Mirai Botnet
Pwn2own vulns get flipped..
[We] observed new exploit attempts coming from our telemetry system in Eastern Europe indicating that the Mirai botnet has updated its arsenal to include CVE-2023-1389,
Unauthenticated Remote Code Execution Vulnerability Exploitation in Avaya Aura Device Services - no CVE
Eric Ford details Mirai going after another vulnerability..
On 20 April 2023, [we]responded to an incident in a customer environment where we observed the exploitation of an unauthenticated remote code execution (RCE) vulnerability in Avaya Aura Device Services, which has not been assigned a CVE identifier. The vulnerability affects versions prior to 8.1.4.1.40. Over the course of several months beginning in February, several webshells were uploaded to the PhoneBackup directory.
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
Shinigami: A dynamic unpacking tool
Shinigami is an experimental tool designed to detect and unpack malware implants that are injected via process hollowing or generic packer routines.
The tool operates by hooking NT functions related to Process Hollowing and marking newly executable memory pages with the page guard bit. This technique allows Shinigami to detect indirect flow changes, typically caused by shellcode or unpacked code, which are often indicative of malware. Shinigami creates the target executable in a suspended state and injects a DLL library called "Ichigo". This library automatically hooks every necessary function to detect and extract the implant. Once the artefact is fully extracted, the tool will kill the process.
https://github.com/buzzer-re/Shinigami/
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Aggregated reporting
Learnings from Data Integration for Augmented Language Models
Post-Brexit divergence from GDPR: Implications for data access and scientific research in the UK
Training videos:
Upcoming events
International Conference on Cyber Security, Strategy and Law - May 2nd 2023
SPRITE+ Conference – Belfast, 28/29 June - trust, identity, privacy, and security
PEPR '23 Call for Participation - September 11–12, 2023, Santa Clara -Privacy Engineering Practice and Respect (PEPR '23)
This newsletter is produced by BinaryFirefly, it is via BinaryFirefly I support a hand picked set of organisations across investment, strategy and capability in the domain of cyber.
For sponsorship enquiries regarding Bluepurple or anything else contact hello@binaryfirefly.com.
