Bluepurple Pulse: week ending April 16th
If we work on the basis that vulnerability is, in places, going to grow at a rate or to a level greater than our ability to make the underlying technology invulnerable, what does our strategy become?
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week the standout event was a motherboard OEM (MSI) being compromised and then advising to only install firmware from trusted sources (i.e. them). It was perpetrated by organized crime.
In the high-level this week:
US, S.Korea, Japan concerned over N.Korea's 'malicious' cyber activities - this article whilst interesting is more so as it links to the US Treasury Releases 2023 DeFi Illicit Finance Risk Assessment - you can almost see UST cracking its knuckles and neck before addressing this form of illicit finance.
Inside the international sting operation to catch North Korean crypto hackers - a new term for us all in this reporting: cryptocurrency espionage
Ukrainian hackers say they have compromised Russian spy who hacked Democrats in 2016 - “In a message posted to Telegram on Monday, a group calling itself Cyber Resistance said it had stolen correspondence from Lt. Col. Sergey Morgachev, who was charged in 2018 with helping organize the hack and leak of emails from the Democratic National Committee (DNC) and the Clinton campaign.”
Americans now fear cyberattack more than nuclear attack - behind this headline is this Gallup poll - Americans are more likely to regard cyberterrorism as a “critical threat” to U.S. vital interests than to say this about 10 other international matters.
Tackling Software Supply Chain Security: A Toolbox for Policymakers - to save you reading it, the instruments in the toolbox for policymakers to increase software supply chain security are:
Quality assurance instruments.
Secure software development practices.
Coordinated vulnerability disclosure (CVD).
Software bill of materials (SBOM).
Product liability.
Cyber attack leaves irrigation systems in Upper Galilee dysfunctional - Water controllers for irrigating fields in the Jordan Valley were damaged, as were control systems for the Galil Sewage Corporation - tell us Iran has ICS capabilities without telling us (hasn’t been attributed in reality)
Standing up for democratic values and protecting stability of cyberspace: Principles to limit the threats posed by cyber mercenaries - in short, the signatories have signed up to a number of principles:
Take steps to counter cyber mercenaries’ use of products and services to harm people;
Identify ways to actively counter the cyber mercenary market;
Invest in cybersecurity awareness of customers, users, and the general public;
Protect customers and users by maintaining the integrity and security of products and services;
Develop processes for handling valid legal requests for information.
Sweet QuaDreams: A First Look at Spyware Vendor QuaDream’s Exploits, Victims, and Customers - we developed indicators that enabled us to identify at least five civil society victims of QuaDream’s spyware and exploits in North America, Central Asia, Southeast Asia, Europe, and the Middle East. Victims include journalists, political opposition figures, and an NGO worker.
Addressing the Security Risks of AI - We also note that there are other steps government should take within existing authorities: Public efforts to promote AI research should more heavily emphasize AI security, including through funding open-source tooling that can promote more secure AI development. And government should provide testbeds or enable audits for assessing the security of AI models.
New Data Architectures in Brazil, China, and India: From Copycats to Innovators, towards a post-Western Model of Data Governance - 4D Chess just got a fifth dimension.
Slovakian ministry of foreign affairs suffers breach from China - It turned out that the two servers were communicating with servers from numerous ministries of foreign affairs across Europe and Slovenia
The reflections come from sitting in a hotel all week and thus having time to think about possible responses to near universal vulnerability in places. If we work on the basis that vulnerability is, in places, going to grow at a rate or to a level greater than our ability to make the underlying technology invulnerable, due to cost or complexity, what does our strategy become? This scenario doesn’t seem entirely theoretical, nor do I have an answer...
Then finally this week we have A Conversation on Cybersecurity with NSA’s Rob Joyce - I strongly recommend you watch it to understand how far NSA has come and Rob’s wisdom on strategy. As a tease, the conversation led to this headline in the British press: ‘Russian hackers ‘target security cameras inside Ukraine coffee shops’’.
On the interesting job/role front:
Chief Digital, Data and Technology Officer (CDDTO) - with the London Metropolitan Police Service
Head of Intelligence Analysis at the UK’s Serious Fraud Office
Specialist – Cryptocurrency, Cyber Intelligence Support Team, Digital Support Unit, EuroPol
Security Engineering Manager - SIEM Detection Engineering at Tesco, UK
Cyber Threat Detection Engineering Manager at NationWide, UK
Director, Technology and Cyber Risk at OakNorth, UK
Threat Analyst at Google Cloud, Remote
Head of the Department of Computer Science at City University of London
Role from Director to Specialist at U.S. Army Cyber Command
Have a lovely Thursday and see some of you at CyberUK next week.
Ollie
Cyber threat intelligence
Who is doing what to whom and how.
Russia / Ukraine
Substantial reporting on Russia / Ukraine this week.
Espionage campaign linked to Russian intelligence services
The tradecraft in this reporting from Polish government follows the pattern reported here week in and week out. The notables are the use of Brute Ratel (a commercial implant framework) and the fact that Russia continues to develop new payloads in order to avoid detection.
https://www.gov.pl/web/baza-wiedzy/espionage-campaign-linked-to-russian-intelligence-services
Use of unlicensed Microsoft Office programs as a vector of primary compromise of ICS (CERT-UA#6322)
Don’t copy that floppy and you wouldn’t steal a car - in short some threat actors are using pirated software to deploy DarkCrystal RAT.
In March 2023, the Government Computer Emergency Response Team of Ukraine CERT-UA received information regarding the identification of signs of unauthorized access to the information and communication system (ICS) of one of the utility companies.
It was found that the primary compromise of the computer took place on 19.01.2023 as a result of the installation of an unlicensed version of the software product Microsoft Office 2019, the BitTorrent file for downloading which ("Microsoft.Office-x64.v2019.x.iso.torrent", MD5: f2b0c6b3e7794d3f3d3b2bba5709c672, creation date: 2022-09-13 08:48:58) was obtained from the Torrent-Toloka tracker
https://cert.gov.ua/article/4279195
Overview of the Russian-speaking infostealer ecosystem: the distribution
Whilst criminal and not Ukraine specific, there is spillover risk, hence covering it here.
[We] identified SEO poisoning leveraged to deploy several loader malware families, including BatLoader, GootLoader, PrivateLoader or NullMixer, as well as widespread infostealers such as Redline, Raccoon and Vidar
Multiple threat actors with heterogeneous levels of skills share similar techniques, tools and social engineering schemes with the aim of compromising large numbers of victims.
https://blog.sekoia.io/overview-of-the-russian-speaking-infostealer-ecosystem-the-distribution/
Malware Disguised as Document from Ukraine's Energoatom Delivers Havoc Demon Backdoor
Regional campaign using the standard tradecraft flow. The point of note is the use of the Havoc C2 framework. It is one of the very many open-source post-exploitation toolkits.
[we] encountered a malicious spoofed document pretending to be from the Ukrainian company, Energoatom, a state-owned enterprise that operates Ukraine’s nuclear power plants.
North Korea
North Korea reporting varies this week with some 3CX and some not.
Security Update Mandiant Initial Results from 3CX
Pierre Jourdan, the CISO of 3CX, shares initial findings. The takeaway is that some capabilities not previously discussed were deployed against the vendor in the later phases of the operation.
In this case, after decrypting and loading the shellcode contained within the file <machine hardware profile GUID>.TxR.0.regtrans-ms was a complex downloader which Mandiant named COLDCAT. It is worth noting, however, this malware differs from GOPURAM
https://www.3cx.com/blog/news/mandiant-initial-results/
Ironing out (the macOS) details of a Smooth Operator (Part II)
Patrick Wardle provides further detail on the macOS payloads. The redownloading on each execution is the point of note here.
You can also see that WhatsYourSign has determined that though UpdateAgent is signed, its signature is adhoc (and thus not notarized). You can confirm this with macOS’s codesign utility as well. Also worth recalling that each time the 1st-stage payload was run, it would (re)download and (re)execute UpdateAgent …meaning at any time the Lazarus group hackers could, for targets of interest, update/swap out the UpdateAgent’s code, perhaps for a persistent, fully featured implant.
https://objective-see.org/blog/blog_0x74.html
Following the Lazarus group by tracking DeathNote campaign
Seongsu Park provides reporting which appears to stop last summer. Of note is that it was not just the Western military industrial complex that was targeted but also the African one, against which they were successful. When I see North Korea and Africa I’m reminded of the excellent BBC series The Mole: Infiltrating North Korea
we dubbed DeathNote because the malware responsible for downloading additional payloads is named Dn.dll or Dn64.dll. This threat is also known as Operation DreamJob or NukeSped.
In July 2022, we observed that the Lazarus group had successfully breached a defense contractor in Africa. The initial infection was a suspicious PDF application, which had been sent via the Skype messenger. After executing the PDF reader, it created both a legitimate file (CameraSettingsUIHost.exe) and malicious file (DUI70.dll) in the same directory.
https://securelist.com/the-lazarus-group-deathnote-campaign/109490/
BlueNorOff targeting
This South Korean reporting on North Korea is only really notable as it is about the team which has historically done financial services targeting.
DEV-0196: QuaDream’s “KingsPawn” malware used to target civil society in Europe, North America, the Middle East, and Southeast Asia
The commercial spyware vendor covered above under the Citizen Lab reporting is royally burnt here by Microsoft. Cyprus continues to be an enabler in the sale of these capabilities.
an Israel-based private sector offensive actor (PSOA) known as QuaDream. QuaDream reportedly sells a platform they call REIGN to governments for law enforcement purposes. REIGN is a suite of exploits, malware, and infrastructure designed to exfiltrate data from mobile devices.
Furthermore, Citizen Lab was able to identify operator locations for QuaDream systems in the following countries: Bulgaria, Czechia, Hungary, Ghana, Israel, Mexico, Romania, Singapore, United Arab Emirates, and Uzbekistan.
QuaDream did not sell REIGN directly to customers but instead did so through a Cypriot company.
MERCURY and DEV-1084: Destructive attack on hybrid environment
Iran pretending to be a ransomware operator to destroy environments. Ensure that your backup strategy applies to all your cloud assets, i.e. have Infrastructure as Code.
a nation-state actor linked to the Iranian government, that attacked both on-premises and cloud environments. While the threat actors attempted to masquerade the activity as a standard ransomware campaign, the unrecoverable actions show destruction and disruption were the ultimate goals of the operation.
MERCURY likely exploited known vulnerabilities in unpatched applications for initial access before handing off access to DEV-1084 to perform extensive reconnaissance and discovery, establish persistence, and move laterally throughout the network, oftentimes waiting weeks and sometimes months before progressing to the next stage. DEV-1084 was then later observed leveraging highly privileged compromised credentials to perform en masse destruction of resources, including server farms, virtual machines, storage accounts, and virtual networks, and send emails to internal and external recipients.
DragonForce Malaysia: OpsPetir
The new news to me in this reporting was that there are pro-Palestinian groups in Malaysia. The threat is more akin to the 100 duck-sized horses conundrum. Other than that the reporting includes speculation, due to a screenshot, around their ChatGPT usage.
DragonForce Malaysia, a pro-Palestinian hacktivist group located in Malaysia, returns for a third year with rebranded operations targeting Israel.
DragonForce Malaysia is not considered an advanced or persistent group. Where they lack sophistication, they make up for it with their organizational skills and ability to quickly disseminate information. After years of growth, their forum contains dozens of tutorials and guides on how to install tools and launch various attacks.
https://www.radware.com/security/threat-advisories-and-attack-reports/dragonforce-malaysia-opspetir/
Transparent Tribe (APT36) | Pakistan-Aligned Threat Actor Expands Interest in Indian Education Sector
Aleksandar Milenkoski provides reporting on a threat actor covered here numerous times previously. The sectoral targeting is of note whilst the tradecraft is 🥱
[We have] been tracking a cluster of malicious documents that stage Crimson RAT, distributed by APT36 (Transparent Tribe).
We assess that this activity is part of the group’s previously reported targeting of the education sector in the Indian subcontinent.
We observed APT36 introducing OLE embedding to its typically used techniques for staging malware from lure documents and versioned changes to the implementation of Crimson RAT, indicating the ongoing evolution of APT36’s tactics and malware arsenal.
Operation Triple Tiang
Reporting on malware collected in South Korea between January and August 2022 by this Chinese threat actor also known as Bronze Butler, RedBaldNight and Stalker Panda.
The Tick group has been active mainly in Korea and Japan since 2014, attacking aerospace, military, defense industry, heavy industry, electronics, telecommunications, government agencies, and foreign affairs.
Tick Group has been targeting government agencies, military and various industries in Korea and Japan for over 10 years. It is highly likely that they are still secretly active.
Distributing Qakbot malware in Korea through email hijacking
Tradecraft seen in other regions makes it to Korea.
[We] confirmed the distribution of the Qakbot malware by attaching a malicious PDF file in the form of using (replying/forwarding) an existing e-mail.
Distributed e-mails take the form of intercepting normal e-mails and replying to users with malicious files attached as follows.
It was confirmed that the original emails were sent from 2018 to 2022, showing very different aspects, and that the emails were not recent.
Phishing From QuickBooks
Points for originality here, where every SaaS that can send email becomes a possible bit of offensive tradecraft.
In this attack, hackers are sending fake invoices from a legitimate Quickbooks domain.
This email comes directly from Quickbooks. It has a QuickBooks email address, meaning it will pass all SPF checks, domain checks and more. There’s nothing inherently wrong with the text, no malicious links.
Remember, it's super easy to create and send invoices using free accounts in Quickbooks. Here's one we put together in a few minutes.
https://www.avanan.com/blog/phishing-from-quickbooks
Chinese fraudsters: evading detection and monetizing stolen credit card information
Strawberry Donut (awesome name) gives a detailed overview of Chinese organized cyber enabled crime operations.
They also show a degree of opsec sophistication.
To carry out these activities, Chinese fraudsters establish a value chain for CNP fraud, starting with setting up a secure environment. They anonymize IDs, falsify IP addresses, change time zones and language settings, alter MAC addresses and device IDs, modify user agents, and clear cookies to evade detection by security researchers and bypass various security measures.
Google Play threat market: overview of dark web offers
Interesting insight into the economics of this eco-system.
The price of a loader able to deliver a malicious or unwanted app to Google Play ranges between $2,000 and $20,000.
To keep their activities low-profile, a large percentage of attackers negotiate strictly through personal messages on forums and messengers, for example, in Telegram.
The most popular application categories to hide malware and unwanted software include cryptocurrency trackers, financial apps, QR-code scanners and even dating apps.
Cybercriminals accept three main kinds of payment: a percentage of the final profit, subscription or rent, and one-time payment.
Cybercriminals offer to launch Google ads to attract more people to download malicious and unwanted apps. The cost of ads depends on the target country. Ads for users from the USA and Australia cost the most — up to about $1 (US).
https://securelist.com/google-play-threats-on-the-dark-web/109452/
Discovery
How we find and understand the latent compromises within our environments.
Guidance for investigating attacks using CVE-2022-21894: The BlackLotus campaign
Forensic tradecraft to discover the use of this UEFI-level bootkit, which we have previously covered.
This guide provides steps that organizations can take to assess whether users have been targeted or compromised by threat actors exploiting CVE-2022-21894 via a Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus.
Automating Qakbot detection at scale :: Velociraptor
Matt Green just gives more reasons for us all to love this tool. The more of the community who get behind this the more cost we impose on our adversaries whilst enabling access to world class tooling to many.
I have recently released Windows.Carving.Qakbot which leverages a PE dump capability in Velociraptor 0.6.8 to enable live memory analysis. The goal of the artifact was to automate my decoding workflow for a generic Qakbot parser and save time for a common analysis.
https://docs.velociraptor.app/blog/2023/2023-04-05-qakbot/
Practical CTI Analysis Over 2022 ITW Linux Implants: Extending Detection Over Blind Spots
I missed this when it came out a few months ago, but I felt it important to cover as Linux as a target only continues to grow and our tradecraft is less developed. Great work here by Joseliyo Sanchez Martinez and Pedro Drimel.
Our presentation will share different framework deliverables to detect the most recent 2022 cybercrime and TA threat actors' implants. In addition, we will also share detection rules for the families covered in our talk.
使用FirmAE 对zyxel路由器固件仿真实践 - Use FirmAE to simulate the firmware of zyxel routers
Chinese walkthrough on how to do this. The ability to emulate firmware has various use cases, from vulnerability research through to honeypots, but comes with various challenges which had to be overcome.
Through FirmAE, some IoT firmware can be automatically simulated, and it is also convenient for reverse engineering and dynamic debugging, which greatly facilitates security research. This article shares a case of firmware that was not successfully simulated automatically, and the idea to solve the problem. In addition, those who are interested in the implementation of FirmAE and other functions of FirmAE can read the project source code and papers.
Catching Threat Actors using honeypots! (Part1)
Mateo Mrvelj provides a high-level overview of the off the shelf honeypots.
https://burningmalware.com/Catching-Threat-Actors-using-honeypots!-(Part1)/
Defence
How we proactively defend our environments.
Purpleteam: Purpleteam scripts - trigger events for SOC detections
I’m a big fan of passing signal through SOCs to validate they are performing as expected. Some useful capabilities here by an author I failed to find the real name of.
Scripts I made to trigger events for SOC detections (MITRE ATTACK associated techniques mapping)
Detection and simulation are essential components of any security operations center (SOC). Detection enables quick and accurate identification of potential threats, while simulation allows the SOC to test and refine detection strategies and incident response plans, as well as identify potential blind spots or gaps in security posture.
https://github.com/mthcht/Purpleteam
MISP to Sentinel integration
Koen Van Impe provides a practical guide on how to get the value of MISP into Sentinel.
It relies on PyMISP to get indicators from MISP and an Azure App and Threat Intelligence Data Connector in Azure.
https://www.vanimpe.eu/2023/04/03/misp-to-sentinel-integration/
Microsoft Graph Activity Logs
New log source released closing off one of the blind spots.
Microsoft Graph Activity Logs provide details of API requests made to Microsoft Graph for resources in the tenant.
https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/microsoftgraphactivitylogs
By popular demand: Windows LAPS available now
We're very happy to announce that new LAPS capabilities are coming directly to your devices starting with today's April 11, 2023 security update for the following Windows editions:
Windows 11 Pro, EDU, and Enterprise
Windows 10 Pro, EDU, and Enterprise
Windows Server 2022 and Windows Server Core 2022
Windows Server 2019
but I am sure this capability won’t be abused by anyone, ever, anywhere:
Retrieves stored passwords via Microsoft Graph
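Since the new Graph Activity Logs record the very API calls through which Windows LAPS passwords are retrieved, here is an added detection example (not from Microsoft or the original post) run over constructed log records. It assumes the MicrosoftGraphActivityLogs column names and that LAPS credentials are read from the Graph path /directory/deviceLocalCredentials/{deviceId} with $select=credentials; verify both against your own tenant.

```python
"""Flag Windows LAPS password reads in Microsoft Graph activity log records.

Added detection example, not from Microsoft or the original post.
ASSUMPTIONS: record keys mirror the MicrosoftGraphActivityLogs columns
(RequestUri, RequestMethod, ResponseStatusCode, UserId, ServicePrincipalId,
IPAddress), and LAPS passwords are read from the Graph path
/directory/deviceLocalCredentials/{deviceId} with $select=credentials.
"""
import json
import re
from collections import defaultdict
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Path of one device's LAPS credential object (assumed, see docstring)
LAPS_PATH = re.compile(
    r"^/(?:v1\.0|beta)/directory/deviceLocalCredentials/([^/]+)/?$", re.I)

# Constructed sample records, one JSON object per line (not real tenant data)
SAMPLE_LOG = """
{"TimeGenerated": "2023-04-12T09:00:01Z", "RequestMethod": "GET", "ResponseStatusCode": 200, "RequestUri": "https://graph.microsoft.com/v1.0/directory/deviceLocalCredentials/dev-001?$select=credentials", "UserId": "user-helpdesk", "ServicePrincipalId": "", "IPAddress": "203.0.113.10"}
{"TimeGenerated": "2023-04-12T09:00:05Z", "RequestMethod": "GET", "ResponseStatusCode": 200, "RequestUri": "https://graph.microsoft.com/v1.0/directory/deviceLocalCredentials/dev-001", "UserId": "user-helpdesk", "ServicePrincipalId": "", "IPAddress": "203.0.113.10"}
{"TimeGenerated": "2023-04-12T09:01:00Z", "RequestMethod": "GET", "ResponseStatusCode": 200, "RequestUri": "https://graph.microsoft.com/v1.0/users?$top=10", "UserId": "user-helpdesk", "ServicePrincipalId": "", "IPAddress": "203.0.113.10"}
{"TimeGenerated": "2023-04-12T02:10:00Z", "RequestMethod": "GET", "ResponseStatusCode": 200, "RequestUri": "https://graph.microsoft.com/beta/directory/deviceLocalCredentials/dev-001?$select=credentials,deviceName", "UserId": "", "ServicePrincipalId": "spn-backup", "IPAddress": "198.51.100.7"}
{"TimeGenerated": "2023-04-12T02:10:01Z", "RequestMethod": "GET", "ResponseStatusCode": 200, "RequestUri": "https://graph.microsoft.com/beta/directory/deviceLocalCredentials/dev-002?$select=credentials", "UserId": "", "ServicePrincipalId": "spn-backup", "IPAddress": "198.51.100.7"}
{"TimeGenerated": "2023-04-12T02:10:02Z", "RequestMethod": "GET", "ResponseStatusCode": 200, "RequestUri": "https://graph.microsoft.com/beta/directory/deviceLocalCredentials/dev-003?$select=credentials", "UserId": "", "ServicePrincipalId": "spn-backup", "IPAddress": "198.51.100.7"}
{"TimeGenerated": "2023-04-12T02:10:03Z", "RequestMethod": "GET", "ResponseStatusCode": 200, "RequestUri": "https://graph.microsoft.com/beta/directory/deviceLocalCredentials/dev-004?$select=credentials", "UserId": "", "ServicePrincipalId": "spn-backup", "IPAddress": "198.51.100.7"}
{"TimeGenerated": "2023-04-12T11:30:00Z", "RequestMethod": "GET", "ResponseStatusCode": 403, "RequestUri": "https://graph.microsoft.com/v1.0/directory/deviceLocalCredentials/dev-009?$select=credentials", "UserId": "", "ServicePrincipalId": "", "IPAddress": "192.0.2.55"}
"""


def parse_records(text: str) -> List[dict]:
    """One JSON object per non-empty line, as exported from the table."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def principal(rec: dict) -> str:
    """Name the caller: a delegated user or an application (service principal)."""
    if rec.get("UserId"):
        return "user:" + rec["UserId"]
    return "spn:" + (rec.get("ServicePrincipalId") or "unknown")


def laps_credential_reads(records: List[dict]) -> List[dict]:
    """Return every request that asked Graph for a device's LAPS credentials."""
    hits = []
    for rec in records:
        if rec.get("RequestMethod", "").upper() != "GET":
            continue
        parts = urlsplit(rec.get("RequestUri", ""))
        m = LAPS_PATH.match(parts.path)
        if not m:
            continue
        selected = parse_qs(parts.query).get("$select", [])
        fields = {f.strip().lower() for s in selected for f in s.split(",")}
        if "credentials" not in fields:
            continue  # metadata only: the password itself was not requested
        status = int(rec.get("ResponseStatusCode", 0))
        hits.append({"time": rec.get("TimeGenerated"), "principal": principal(rec),
                     "device": m.group(1), "ip": rec.get("IPAddress"),
                     "succeeded": 200 <= status < 300})
    return hits


def enumeration_suspects(reads: List[dict], min_devices: int = 3) -> Dict[str, List[str]]:
    """Principals that successfully pulled passwords for many distinct devices."""
    per_principal = defaultdict(set)
    for r in reads:
        if r["succeeded"]:
            per_principal[r["principal"]].add(r["device"])
    return {p: sorted(d) for p, d in per_principal.items() if len(d) >= min_devices}


if __name__ == "__main__":
    reads = laps_credential_reads(parse_records(SAMPLE_LOG))
    for r in reads:
        print(r)
    print("enumeration suspects:", enumeration_suspects(reads))
```

Denied (403) reads are kept in the output because a failed attempt to pull a local admin password is itself worth a look, but only successes count towards the enumeration threshold.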
Create indicators - Microsoft having issues with custom indicator alerting with Microsoft Defender for Endpoint
This is quite the health warning, but good on them for the transparency.
Customers may experience issues with alerts for Indicators of Compromise. The following scenarios are situations where alerts may not be created or may be created with inaccurate information. Each of these issues are being investigated by our engineering team and will be resolved in an upcoming update.
Block indicators – Generic alerts with informational severity only will be fired. Custom alerts (i.e. custom title and severity) will not be fired in these cases.
Warn indicators – Generic alerts and custom alerts are possible in this scenario, however, the results are not deterministic due to an issue with the alert detection logic. In some cases, customers may see a generic alert, whereas a custom alert may show in other cases.
Allow – No alerts are generated (by design).
Audit - Alerts will be generated based on the severity provided by the customer.
In some cases, alerts coming from EDR detections may take precedence over those stemming from AV blocks, in which case an information alert will be generated.
ClientInspectorV2
Morten Knudsen shows off how to get some material value out of the Microsoft ecosystem around endpoint security posture.
ClientInspector is free to the community - built to be a cool showcase of how you can bring back data from your clients using Azure Log Ingestion Pipeline, Azure Data Collection Rules, Azure LogAnalytics; view them with Azure Monitor & Azure Dashboards - and get "drift-alerts" using Microsoft Sentinel.
https://github.com/KnudsenMorten/ClientInspectorV2
He has also published other excellent works such as:
Understanding Azure logging capabilities in depth - https://mortenknudsen.net/?p=1433
Collecting System & Application events using Azure Monitor Agent - https://mortenknudsen.net/?p=1446
Identification, acquisition, and examination of iSCSI LUNs and VMFS datastores
A useful walkthrough on how to do this if you need to deal with a SAN.
Vulnerability
Our attack surface.
Hacking Ham Radio: WinAPRS
Nice series by Rick Osgood who shows that legacy tech is wonderfully vulnerable in ways we didn’t know because no one had got around to looking.
https://www.coalfire.com/the-coalfire-blog/hacking-ham-radio-winaprs-part1
https://www.coalfire.com/the-coalfire-blog/hacking-ham-radio-winaprs-part-2
https://www.coalfire.com/the-coalfire-blog/hacking-ham-radio-winaprs-part-3
https://www.coalfire.com/the-coalfire-blog/hacking-ham-radio-winaprs-part-4
Malicious Microsoft Teams Invite: NTLM Relay and Drive By Download Attack
Now fixed.. but terrifying..
Due to a lack of server-side validation of Microsoft Teams meeting URLs, Microsoft Teams meeting invites were able to be injected with crafted URLs. When someone received a Teams Meeting invite, and they clicked “Join” either from the email they received to their Outlook inbox, or from Teams directly, they could have fallen victim to an NTLM relay/SMB hash hijacking attack or a drive-by-download attack. Microsoft released a fix for this vulnerability and issued a High severity — spoofing bounty under the M365 Bounty program in 2022.
Offense
Attack capability, techniques and trade-craft.
JNDI-Injection-Exploit-Plus tool
Chinese framework for exploiting JNDI injection vulnerabilities, reachable via the likes of fastjson and others.
JNDI-Injection-Exploit-Plus is a tool for generating workable JNDI links and provides background services by starting RMI server, LDAP server and HTTP server.
Using this tool allows you to get JNDI links; you can insert these links into your POC to test vulnerability.
https://github.com/cckuailong/JNDI-Injection-Exploit-Plus
WarpAttack: Bypassing CFI through Compiler-Introduced Double-Fetches
Jianhao Xu, Luca Di Bartolomeo, Flavio Toffalini, Bing Mao and Mathias Payer provide a novel exploitation technique showing that our countermeasures are not panaceas.
In this work, we propose a new attack vector, called WarpAttack, that exploits compiler-introduced double-fetch optimizations to mount TOCTTOU attacks and bypass code-reuse mitigations. We study the mechanism underlying this attack and present a practical proof-of-concept exploit against the last version of Firefox. Additionally, we propose a lightweight analysis to locate vulnerable double-fetch code (with 3% false positives) and conduct research over six popular applications, five operating systems, and four architectures (32 and 64 bits) to study the diffusion of this threat. Moreover, we study the implication of our attack against six CFI implementations.
https://nebelwelt.net/files/23Oakland3.pdf
Let Me Unwind That For You: Exceptions to Backward-Edge Protection
Victor Duta, Fabian Freyer, Fabio Pagani, Marius Muench and Cristiano Giuffrida provide another novel exploitation technique which undermines current mitigations.
In this paper, we present exceptions to this assumption and show attacks based on backward-edge control-flow hijacking without the direct hijacking are possible. Specifically, we demonstrate that stack corruption can cause exception handling to act as a confused deputy and mount backward-edge control-flow hijacking attacks on the attacker’s behalf. This strategy provides overlooked opportunities to divert execution to attacker controlled catch handlers (a paradigm we term Catch Handler Oriented Programming or CHOP) and craft powerful primitives such as arbitrary code execution or arbitrary memory writes. We find CHOP-style attacks to work across multiple platforms (Linux, Windows, macOS, Android and iOS). To analyze the uncovered attack surface, we survey popular open-source packages and study the applicability of the proposed exploitation techniques. Our analysis shows that suitable exception handling targets are ubiquitous in C++ programs and exploitable exception handlers are common.
https://download.vusec.net/papers/chop_ndss23.pdf
DPAPISnoop: A C# tool to output crackable DPAPI hashes from user MasterKeys
Lefteris Panos drops this little tool.
A C# tool to output crackable DPAPI hashes from user MasterKeys.
MasterKeys are encrypted with the domain password of the user. Cracking such a key can lead to the compromise of other domain accounts.
https://github.com/leftp/DPAPISnoop
Exploitation
What is being exploited.
Nokoyawa ransomware attacks with Windows zero-day
Boris Larin provides the reporting on this recently patched vulnerability. Interesting that Microsoft hasn’t gone over this code with a fine tooth comb given they have CodeQL etc.
[We] detected a number of attempts to execute similar elevation-of-privilege exploits on Microsoft Windows servers belonging to small and medium-sized businesses in the Middle East, in North America, and previously in Asia regions. These exploits were very similar to already known Common Log File System (CLFS) driver exploits that we analyzed previously, but we decided to double check and it was worth it – one of the exploits turned out to be a zero-day, supporting different versions and builds of Windows, including Windows 11. The exploit was highly obfuscated with more than 80% of its code being “junk” elegantly compiled into the binary, but we quickly fully reverse-engineered it and reported our findings to Microsoft. Microsoft assigned CVE-2023-28252 to the Common Log File System elevation-of-privilege vulnerability, and a patch was released on April 11, 2023, as part of April Patch Tuesday.
https://securelist.com/nokoyawa-ransomware-attacks-with-windows-zero-day/109483/
Sandbox Escape in VM2
This JavaScript/Node sandbox is used in a lot of places. It will be interesting to see how painful this PoC becomes.
vm2 was not properly handling host objects passed to Error.prepareStackTrace in case of unhandled async errors. A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.
https://github.com/patriksimek/vm2/security/advisories/GHSA-7jxr-cg7f-gpgv
CVE-2023-21839 WebLogic Server RCE分析-安全客 - CVE-2023-21839 WebLogic Server RCE Analysis
Chinese walkthrough on this vulnerability, which seems to have gone under-reported in the West.
WebLogic has a remote code execution vulnerability, which allows unauthenticated remote attackers to access and damage vulnerable WebLogic servers through the T3/IIOP protocol network. Successful exploitation of this vulnerability may lead to Oracle WebLogic server takeover or sensitive information disclosure. The principle of the vulnerability is that WebLogic supports binding a remote object to the server through the t3/iiop protocol. When the remote object inherits from OpaqueReference and a lookup retrieves it, the server calls the remote object’s getReferent method, in which the remoteJNDIName parameter is controllable, so that attackers can use the rmi/ldap remote protocols for remote command execution.
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
casr: Collect crash reports, triage, and estimate severity
Originally released 6 months ago but being updated for use on Linux.
CASR is a set of tools that allows you to collect crash reports in different ways. Use the casr-core binary to deal with coredumps. Use casr-san to analyze ASAN reports. Try casr-gdb to get reports from gdb. Use casr-python to analyze python reports and get a report from Atheris.
https://github.com/ispras/casr
dark-knowledge: A curated library of research papers and presentations for counter-detection
The techniques outlined here could be used against threat actors similarly.
https://github.com/prescience-data/dark-knowledge
MinHash-based Code Relationship & Investigation Toolkit (MCRIT)
Wide number of use cases for this tooling on both original source and decompiled I suspect. Great work by Daniel Plohmann and Manuel Blatt.
MCRIT is a framework created to simplify the application of the MinHash algorithm in the context of code similarity. It can be used to rapidly implement "shinglers", i.e. methods which encode properties of disassembled functions, to then be used for similarity estimation via the MinHash algorithm. It is tailored to work with disassembly reports emitted by SMDA.
https://github.com/danielplohmann/mcrit
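To make the MinHash idea above concrete, here is an added example (my own illustration, not MCRIT’s code): each function is reduced to a set of shingles, here constructed 3-grams of instruction mnemonics rather than the SMDA-derived properties MCRIT uses, and a MinHash signature estimates the Jaccard similarity between functions without comparing the shingle sets directly, including a lookup of an unknown function against a small reference corpus.

```python
"""MinHash similarity between disassembled functions (added illustration).

Not MCRIT's own code. Shingles here are constructed 3-grams of instruction
mnemonics; MinHash signatures let us estimate Jaccard similarity between
functions from a fixed-size sketch instead of the full shingle sets.
"""
import hashlib
import random
from typing import Dict, Iterable, List, Set, Tuple

# Constructed mnemonic sequences, as a disassembler might emit per function.
FUNC_A = "push mov sub mov call test jz mov call add pop ret".split()
FUNC_B = "push mov sub mov call test jnz mov call add pop ret".split()  # one branch flipped
FUNC_C = "xor lea cmp jne inc jmp ret".split()  # unrelated code


def shingles(mnemonics: List[str], n: int = 3) -> Set[str]:
    """A 'shingler': encode a function as the set of its n-gram mnemonic windows."""
    return {" ".join(mnemonics[i:i + n]) for i in range(len(mnemonics) - n + 1)}


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Exact Jaccard similarity, the quantity MinHash approximates."""
    union = a | b
    return len(a & b) / len(union) if union else 1.0


class MinHash:
    """k hash functions of the form (a*h + b) mod p; the signature is the
    per-function minimum over all shingles of each hash."""
    PRIME = (1 << 61) - 1  # Mersenne prime, keeps arithmetic exact and fast

    def __init__(self, num_perm: int = 256, seed: int = 7) -> None:
        rng = random.Random(seed)  # fixed seed so sketches are reproducible
        self.params = [(rng.randrange(1, self.PRIME), rng.randrange(0, self.PRIME))
                       for _ in range(num_perm)]

    @staticmethod
    def _base_hash(item: str) -> int:
        return int.from_bytes(hashlib.sha256(item.encode()).digest()[:8], "big")

    def sketch(self, items: Iterable[str]) -> List[int]:
        sig = [self.PRIME] * len(self.params)
        for item in items:
            h = self._base_hash(item)
            for i, (a, b) in enumerate(self.params):
                v = (a * h + b) % self.PRIME
                if v < sig[i]:
                    sig[i] = v
        return sig

    @staticmethod
    def estimate(sig1: List[int], sig2: List[int]) -> float:
        """Fraction of matching minima: an unbiased estimate of Jaccard similarity."""
        return sum(x == y for x, y in zip(sig1, sig2)) / len(sig1)


def find_matches(query: List[int], corpus: Dict[str, List[int]],
                 threshold: float = 0.3) -> List[Tuple[str, float]]:
    """Rank reference functions whose estimated similarity to the query passes the threshold."""
    hits = [(name, MinHash.estimate(query, sig)) for name, sig in corpus.items()]
    return sorted([h for h in hits if h[1] >= threshold], key=lambda h: -h[1])


if __name__ == "__main__":
    mh = MinHash()
    corpus = {"A": mh.sketch(shingles(FUNC_A)), "C": mh.sketch(shingles(FUNC_C))}
    query = mh.sketch(shingles(FUNC_B))
    print("exact Jaccard A/B:", round(jaccard(shingles(FUNC_A), shingles(FUNC_B)), 3))
    print("matches for B:", find_matches(query, corpus))
```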
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
The Energy sector 2022 cyber threat landscape - China-affiliated intrusion sets continued targeting energy entities, notably entities operating in the South China Sea, including involved European stakeholders.
Quarterly Sigma Project Update Q1/2023 - update from Florian et al.
Tactics, Threats & Targets: Modeling Disinformation and its Mitigation - While related work has developed similar frameworks for conducting analyses and assessment, our work is distinct in providing the means to thoroughly consider the attacker side, their tactics and approaches. We demonstrate the applicability of our framework on several examples of recent disinformation campaigns.
African cyberthreat assessment report cyberthreat trends - from Interpol
Rebalancing responsibility: Implementing the National Cybersecurity Strategy (Video) - on the US Strategy with an impressive cast
AI's Inhuman Advantage - what can be applied in the physical world likely has applications in our cyber world.
Careers in cyberpsychology - in conversation with Dr Claire Sutherland
Brain-Computer Interfaces Webinar Series, Part 2: BCIs in the Context of International Security: Military Uses, Applications and Risks - BCIs can have a highly disruptive impact for the future of warfare, with significant legal and ethical consequences that deserve closer analysis.
Events / Conferences etc.
Ransomware Task Force: Gaining Ground - an event in May
Hexacon23 Call for Papers currently open
This newsletter is produced by BinaryFirefly; it is via BinaryFirefly that I support a hand-picked set of organisations across investment, strategy and capability in the domain of cyber.
For sponsorship enquiries regarding Bluepurple or anything else contact hello@binaryfirefly.com.