Bluepurple Pulse: week ending April 17th 🐰🥚🐤
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading).
Operationally this week we continued to work with a number of CERTs globally to mop up the Chinese intrusions. It is interesting to see the variances in capability around being able to take IoCs and victims and then follow-up, confirm intrusion and remediate. Beyond that the headlines have driven the tactical responses (ICS intrusions and North Korea etc.).
In the high-level this week:
US launched its full arsenal of legal tools against North Korea in response to the $620 million Ronin Bridge crypto asset heist.
US Dept of Treasury added Lazarus to its sanctions list - interestingly they include the ETH address to try and stem crypto flows through US exchanges or anyone else supporting USD.
FBI put out a statement in a ‘we are watching you’ manner.
Then the analysis of the crypto currency movement in an article titled North Korea’s Lazarus Group Identified as Exploiters Behind $540 Million Ronin Bridge Heist (note the variances in amounts).
US led on the seizure of RaidForums which was one of the largest forums for the trade in illicitly stolen data and accesses. The US Eastern District of Virginia, EuroPol and the UK’s National Crime Agency all put out press releases outlining their involvement.
21 year old from Portugal arrested in the UK in January
another administrator (I think), a 21 year-old from Croydon (UK), who the NCA arrested at his home in March - Croydon is famous for many things, not least its Member of Parliament saying it had an image problem - this will help.
numerous copycats already exist - e.g. nulled, cracked dot io, pompur and breached dot co. Let the games of whack-a-mole begin.
Singapore opens its licensing regime for applications by Penetration Testing firms and Security Operations Centres who need cybersecurity service provider licenses. They have the concept of licensable cybersecurity services which we can only imagine will expand over time.
NSO Group looks like it may have ended up being a case study for when offensive cyber investments can go bad due to ethical dubiousness and poor governance. The article in the UK’s Financial Times this week opened with “Israel’s NSO Group has been deemed worthless to its private equity backers, just three years after it bought the maker of the notorious Pegasus spyware at a $1bn valuation.” - in reality this is a legal tussle between funds and their investors - demand for the tooling is still there as is the quality but the taint is real.
Also related this week Senior EU officials were targeted with Pegasus spyware - thus their investigation no doubt.
Switzerland announced (in German, French and Italian) an overhaul to its entire approach in a paper on cyber within its military - it cites Ukraine/Russia and goes deep presenting various options which at their core include data skills en masse.
Finally the old adage of where there is war there is money to be made has been embraced in Russia. A Russian cyber security firm is offering Russian organisations to replace western DCAP- (Varonis, Imperva, Netwrix, etc.) and SIEM-systems (ArcSight, QRadar, Splunk, etc.) with their domestic equivalent. This is how monocultures are born.
My only philosophical observation this week is that in 2022 we have western technology companies who generate $40 billion in revenue and $10 billion in profit and yet they still struggle with ensuring that authentication works as intended on management interfaces (see the vulnerability section).
I am fascinated by the root cause. Questions I have include how, from a governance, corporate culture and capabilities perspective, this came to be, and how product security is run across first-line and second-line responsibilities such that this is the outcome, and so on.
Have a lovely Saturday
Cyber threat intelligence
Who is doing what to whom and how.
Ukraine / Russia
Continued aggregate reporting around the ongoing conflict.
Cyberattack on state organizations of Ukraine using the malicious program IcedID (CERT-UA # 4464)
Has Russian organised crime been mobilised against Ukraine specifically or is it just opportunism on behalf of the criminals?
Mass distribution among citizens of Ukraine XLS-documents called "Mobilization Register.xls".
It was found that if you open the document and activate the macro, the macro will download and run the executable file. The downloaded EXE file will decrypt and run the GzipLoader malware on your computer, which in turn will download, decrypt and run the IcedID malware. This malware (also known as BankBot) belongs to the class of "banking Trojans" and, among other things, provides theft of authentication data.
Cyberattack by Sandworm Group (UAC-0082) on energy facilities of Ukraine using malicious programs INDUSTROYER2 and CADDYWIPER
Electrical distribution disruption capability, which Russia has used before, apparently deployed in Ukraine. At least one sample is available on VirusTotal under the hash d69665f56ddef7ad4e71971f06432e59f1510a7194386e5f0e8926aea7b88e00
The idea of the attackers involved the decommissioning of several infrastructural elements of the object of attack, namely:
high-voltage electrical substations - using the malicious program INDUSTROYER2; moreover, each executable file contained a statically specified set of unique parameters for the respective substations (file compilation date: 23.03.2022);
electronic computers (computers) running the Windows operating system (user computers, servers, as well as automated workstations ACS TP) - using the malicious program-destructor CADDYWIPER; in this case, the decryption and launch of the latter involves the use of the ARGUEPATCH loader and the TAILJUMP shellcode;
server equipment running Linux operating systems - using malicious destructive scripts ORCSHRED, SOLOSHRED, AWFULSHRED;
active network equipment.
Industroyer2: Industroyer reloaded
Further confirmation of the crossover with previous campaigns and capability with attribution to Sandworm. Sandworm had a book written about them in 2019 by Andy Greenberg which was actually OK, titled Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers.
The destructive actions were scheduled for 2022-04-08 but artifacts suggest that the attack had been planned for at least two weeks
The attack used ICS-capable malware and regular disk wipers for Windows, Linux and Solaris operating systems
We assess with high confidence that the attackers used a new version of the Industroyer malware, which was used in 2016 to cut power in Ukraine
We assess with high confidence that the APT group Sandworm is responsible for this new attack
IoCs and Yara for Industroyer2
Matt Muir released some IoCs and Yara rules for the associated family related to the campaign.
Aggregate reporting due to numerous releases around this event this week.
APT Cyber Tools Targeting ICS/SCADA Devices
This event will likely lead to three responses if history has taught us anything:
More start-ups with investment money
Slight over functioning by governments and regulators globally
General fear mongering
That being said the capability does exist, it does what it says on the tin and the threat actor is currently unknown.
The Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory (CSA) to warn that certain advanced persistent threat (APT) actors have exhibited the capability to gain full system access to multiple industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices, including:
Schneider Electric programmable logic controllers (PLCs),
OMRON Sysmac NEX PLCs, and
Open Platform Communications Unified Architecture (OPC UA) servers.
The APT actors have developed custom-made tools for targeting ICS/SCADA devices. The tools enable them to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network.
CHERNOVITE’s PIPEDREAM Malware Targeting Industrial Control Systems (ICS)
The first technical reporting (a sample of LAZYCARGO at least is on VirusTotal under the hash 69296ca3575d9bc04ce0250d734d1a83c1348f5b6da756944933af0578bd41d2). Whilst the ICS aspects are interesting, the fact that LAZYCARGO brings its own vulnerable driver shows the value of the Microsoft Vulnerable drivers ASR rule in terms of defence against this type of issue.
PIPEDREAM is the seventh known industrial control system (ICS)-specific malware. The CHERNOVITE Activity Group (AG) developed PIPEDREAM. PIPEDREAM is a modular ICS attack framework that an adversary could leverage to cause disruption, degradation, and possibly even destruction depending on targets and the environment.
INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems
Nathan Brubaker, Keith Lunden, Ken Proska, Muhammad Umair, Daniel Kapellmann Zafra, Corey Hildebrandt and Rob Caldwell bring further insight.
In early 2022, [we], in partnership with Schneider Electric, analyzed a set of novel industrial control system (ICS)-oriented attack tools—which we call INCONTROLLER (aka PIPEDREAM)—built to target machine automation devices. The tools can interact with specific industrial equipment embedded in different types of machinery leveraged across multiple industries. While the targeting of any operational environments using this toolset is unclear, the malware poses a critical risk to organizations leveraging the targeted equipment. INCONTROLLER is very likely state sponsored and contains capabilities related to disruption, sabotage, and potentially physical destruction.
Lazarus Targets Chemical Sector Continuation of Operation Dream Job
North Korea-linked APT targets organisations in an espionage campaign against the chemical sector. This seems an expansion of operations for NK. The activity stems from January and the maldoc tradecraft is basic (i.e. HTM files and DLLs etc.)
[We have] observed the North Korea-linked advanced persistent threat (APT) group known as Lazarus conducting an espionage campaign targeting organizations operating within the chemical sector. The campaign appears to be a continuation of Lazarus activity dubbed Operation Dream Job, which was first observed in August 2020. [We track] this sub-set of Lazarus activity under the name Pompilus.
Snow abuse and gluttony: Analysis of suspected Lazarus attack activities against Korean companies
Chinese reporting on the Hermit Kingdom, again using really basic tradecraft.
Recently, [we have] captured a large number of spear-phishing attack samples targeting Korean companies. It infects documents or CHM files with vulnerabilities, distinguishes the current operating system bitness, and executes the macro code corresponding to the system bitness to achieve the best attack effect.
North Korea goes Phishing
Two bits of reporting on what seems overlapping or the same activity.
DPRK-Nexus Adversary Targets South-Korean Individuals In a New Chapter of Kitty Phishing Operation
My goodness, North Korea have been busy and sloppy, this being the third bit of technical reporting this week on their activities. Once more basic tradecraft, with success being driven by volume of activity.
[We] traced a recent activity that started in the first days of April 2022 from a DPRK-nexus threat actor using spear-phishing emails containing Korean-based malicious documents with different lures to compromise its victims.
The lures used in the malicious Word documents of this campaign are very different from each other. They vary from the impersonation of the Korea Internet Information Center (KRNIC) to the impersonation of various south-korean Internet Security firms (e.g., AhnLab, Menlo Security, SaniTOX) or Cryptocurrency firms (e.g., Binance).
The target of this campaign seems generic and aimed to steal data from the south-korean individuals. In most of identified infections, indeed, the victims were users having a mail registered on naver dot com, a South Korean web platform that includes free email boxes, news, and search engine functionality.
Malicious word document disguised as product introduction
There also appeared to be what seemed Korean reporting on the same campaign.
[We] confirmed the same type of word document as the malicious word for information stealing purpose disguised as a design modification request document posted in December of last year. The title of the word document confirmed this time is 'Product Introduction.doc', and it is presumed to be an attack targeting logistics and shopping related companies as it contains descriptions of specific products inside.
Malware Campaigns Targeting African Banking Sector
Given the Indian banking breach I wrote about last week this is interesting for similar regional sectoral maturity points. Patrick Schläpfer doesn’t attribute and the resulting payload is a remote access tool known as Remcos. This literally could be one of so many threat actors in 2022 but looks like Russian/Eastern European cyber crime.
[We] detected a targeted malware campaign against an employee of an African bank. The campaign caught our attention because of its targeted nature and how the threat actor attempted to deliver malware using HTML smuggling, a technique for sneaking malicious email attachments past gateway security controls.
In early 2022, an employee of a West African bank received an email purporting to be from a recruiter from another African bank with information about job opportunities there. The domain used to send the email was typosquatted and does not belong to the legitimate mimicked organization. A WHOIS request reveals the domain was registered in December 2021.
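The report above names HTML smuggling as the delivery trick. For mail gateway or sandbox triage, the pattern is detectable in the attachment itself: a large base64 string, JavaScript that decodes it, and a Blob handed to the user as a download. The heuristic below is an added example for this newsletter (not code from the HP Wolf Security report); the two HTML samples are constructed, and the embedded "archive" is just a ZIP magic number followed by zero bytes.

```python
"""Heuristic scan of an HTML e-mail attachment for HTML-smuggling indicators.

Added example, not from the cited report. Flags pages that decode a large
embedded base64 blob in JavaScript and hand it to the user as a file download.
Sample inputs below are constructed.
"""
import base64
import re

# Indicators typical of HTML smuggling: payload carried as base64 in the page
# and reconstituted client-side as a downloadable Blob.
DECODE_RE = re.compile(r"\batob\s*\(", re.I)
BLOB_RE = re.compile(r"\bnew\s+Blob\s*\(", re.I)
DOWNLOAD_RE = re.compile(
    r"createObjectURL\s*\(|msSaveOrOpenBlob|\.download\s*=|setAttribute\s*\(\s*['\"]download['\"]",
    re.I,
)
# Runs of at least 512 base64 characters anywhere in the markup.
B64_RE = re.compile(r"[A-Za-z0-9+/]{512,}={0,2}")

# File-type magic bytes worth caring about inside an HTML attachment.
MAGIC = {
    b"PK\x03\x04": "zip/office",
    b"MZ": "pe",
    b"\xd0\xcf\x11\xe0": "ole",
    b"%PDF": "pdf",
}


def find_base64_blobs(html: str):
    """Return the leading decoded bytes of every large base64 run (for magic checks)."""
    heads = []
    for m in B64_RE.finditer(html):
        # First 64 characters (a multiple of 4) are enough to recover 48 bytes.
        heads.append(base64.b64decode(m.group(0)[:64]))
    return heads


def classify_magic(head: bytes) -> str:
    for sig, name in MAGIC.items():
        if head.startswith(sig):
            return name
    return "unknown"


def scan_html_attachment(html: str) -> dict:
    """Score an HTML attachment; three or more indicators is treated as suspicious.

    A plain inline data-URI image only trips the base64 indicator, so ordinary
    HTML newsletters stay clean; the combination with decode + Blob + download
    is what marks smuggling.
    """
    findings = []
    if DECODE_RE.search(html):
        findings.append("js_base64_decode")
    if BLOB_RE.search(html):
        findings.append("js_blob_construct")
    if DOWNLOAD_RE.search(html):
        findings.append("js_forced_download")
    kinds = [classify_magic(h) for h in find_base64_blobs(html)]
    if kinds:
        findings.append("large_base64_blob")
    if any(k in ("zip/office", "pe", "ole") for k in kinds):
        findings.append("embedded_executable_or_archive")
    return {
        "score": len(findings),
        "findings": findings,
        "blob_types": kinds,
        "verdict": "suspicious" if len(findings) >= 3 else "clean",
    }


# Constructed samples: the "archive" is only a ZIP header plus zero bytes.
_ZIP_B64 = base64.b64encode(b"PK\x03\x04" + b"\x00" * 396).decode()
SMUGGLED_HTML = f"""<html><body><script>
var b = atob("{_ZIP_B64}");
var arr = new Uint8Array(b.length); for (var i = 0; i < b.length; i++) arr[i] = b.charCodeAt(i);
var blob = new Blob([arr], {{type: "application/zip"}});
var a = document.createElement("a"); a.href = URL.createObjectURL(blob); a.download = "statement.zip"; a.click();
</script></body></html>"""

_PNG_B64 = base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 392).decode()
BENIGN_HTML = f'<html><body><img src="data:image/png;base64,{_PNG_B64}"></body></html>'

if __name__ == "__main__":
    for label, doc in (("smuggled", SMUGGLED_HTML), ("benign", BENIGN_HTML)):
        print(label, scan_html_attachment(doc))
```

The benign sample exists to show the edge case: a long base64 run on its own (an inline image) is not enough, which keeps the rule from flagging every HTML newsletter that lands in the mailbox.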
Old Gremlins, new methods
Ivan Pisarev details how the Russian-speaking ransomware gang OldGremlin has resumed attacks in Russia. I also love the fact that Group-IB stress that they are definitely a Singaporean company these days (and not Russian). Basic maldocs as an entry mechanism followed by DNS tunnelling and use of Dropbox etc.
A new OldGremlin's attack was detected on March 22, 2022. Before the campaign, on March 2, the attackers registered the domain mirfinance[.]org with namecheap, set it up with the public email service Yandex.Mail and sent malicious emails to Russian companies. The use of public legitimate email service sometimes allows the attackers to bypass traditional security systems.
This time the emails were allegedly sent by a senior accountant of a financial organization in Russia who warned the recipients about new sanctions that would completely suspend operations of Visa/Mastercard payment systems. Notably, the phishing emails were sent two weeks after Visa and Mastercard announced they would suspend operations in Russia.
FFDroider Stealer is Targeting Social Media Platforms
Looks like an Initial Access Broker is in harvesting mode with this campaign documented by Avinash Kumar and Niraj Shivtarkar. With MFA etc. the value to threat actors of cookies and other similar session tokens will only increase. The user experience and security trade-off is evident here.
[We] identified a novel Windows based malware creating a registry key as FFDroider. Based on this observation, [we] named this new malware the Win32.PWS.FFDroider. Designed to send stolen credentials and cookies to a Command & Control server, FFDroider disguises itself on victim’s machines to look like the instant messaging application “Telegram”.
[We] observed multiple campaigns related to FFDroider stealer in our cloud which arrived via the compromised URL download.studymathlive[.]com/normal/lilay.exe and are all connected by a malicious program embedded into cracked version of installers and freeware.
Key features of this attack
Steals cookies and credentials from the victim’s machine.
Targeting social media platforms to steal the credentials and cookies.
The stealer signs into victims' social media platforms using stolen cookies, and extracts account information like Facebook Ads-manager to run malicious advertisements with stored payment methods and Instagram via API to steal personal information.
Leverages inbound whitelisting rules in Windows Firewall allowing the malware to be copied at desired location.
Attacker uses iplogger.org to track the infection counts.
Orion Threat Alert: Flight of the BumbleBee
Kindra Cantrell documents a new tool in use by various Initial Access Brokers (IAB). We originally saw the ISO tradecraft in use by the Russian state, but it has truly bled into the criminal toolbox, whose owners continue to be able to invest and innovate in their tooling.
BumbleBee is a custom new loader that is used by different IAB groups. This malware was observed injecting Cobalt Strike shellcodes in memory and using several tactics, techniques, and procedures (TTPs) in order to compromise the victim’s environment.
As part of the campaign, the threat actors abuse spoofed companies’ identities (like fake employee email addresses, fake websites, etc.) and use legitimate public storage services to deliver the malicious ISO image file. The ISO image file is responsible for luring the victim to execute the BumbleBee malware.
Threat Analysis Group (TAG) shared observations on the financially motivated threat actor, EXOTIC LILY, that use the BumbleBee malware. In addition, TAG mentioned an interesting point of collaboration between EXOTIC LILY and the WIZARD SPIDER threat group.
Recent attacks by Bahamut group revealed
Chinese reporting on a fake chat app being distributed in the Middle East as well as South Asia. The threat actor is suspected of being Indian.
Bahamut is an advanced threat group targeting the Middle East and South Asia. It was disclosed and named by Bellingcat in 2017.
Recently, we observed a suspected mobile terminal attack activity of this group. This attack activity started in January and used phishing websites to deliver mobile RAT samples. The RAT used in the attack belongs to a new family that has not been disclosed, and we speculate that it belongs to the group's unique attack weapon.
Tarrask malware uses scheduled tasks for defense evasion
Reporting on a Chinese state threat actor doing arguably ‘proper’ APT stuff in terms of zero-day usage and novel persistence mechanisms against sectors we really do care about.
As [we] continue to track the high-priority state-sponsored threat actor HAFNIUM, new activity has been uncovered that leverages unpatched zero-day vulnerabilities as initial vectors. [We] identified a multi-stage attack targeting the Zoho Manage Engine Rest API authentication bypass vulnerability to initially implant a Godzilla web shell with similar properties detailed by the Unit42 team in a previous blog.
[We] observed HAFNIUM from August 2021 to February 2022, targeting those in the telecommunication, internet service provider and data services sector, expanding on targeted sectors observed from their earlier operations conducted in Spring 2021.
Further investigation reveals forensic artifacts of the usage of Impacket tooling for lateral movement and execution and the discovery of a defense evasion malware called Tarrask that creates “hidden” scheduled tasks, and subsequent actions to remove the task attributes, to conceal the scheduled tasks from traditional means of identification.
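The Tarrask trick described above is a good hunt because the hidden task is only hidden from the Task Scheduler tooling, not from the registry. The checker below is an added example for this newsletter (not code from the Microsoft report). It assumes, as that report describes, that the concealment consists of deleting the task's security descriptor, the "SD" value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\<task>, while the task's Id value remains; the sample registry snapshot is constructed, and the task name in it is made up.

```python
"""Find scheduled tasks whose SD (security descriptor) value has been deleted
from the Task Scheduler registry tree, the concealment used by Tarrask.

Added example, not from the Microsoft report. Assumes the hiding technique is
deletion of the "SD" value beneath ...\\Schedule\\TaskCache\\Tree\\<task>.
Run elevated on Windows; on other platforms it falls back to a constructed
sample snapshot so the logic can be exercised offline.
"""
import sys
from typing import Dict, List, Set

TREE_PATH = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree"


def find_hidden_tasks(tree: Dict[str, Set[str]]) -> List[str]:
    """Return task paths that have an Id value but no SD value.

    `tree` maps a key path relative to ...\\Tree to the set of value names it
    holds. Folder keys (e.g. "Microsoft") carry no Id and are skipped; a real
    task always has Id, so Id-without-SD is the Tarrask signature.
    """
    return sorted(path for path, values in tree.items()
                  if "Id" in values and "SD" not in values)


def read_tree_from_registry() -> Dict[str, Set[str]]:
    """Walk the live Tree key recursively (task folders are nested keys)."""
    import winreg  # Windows only; imported here so the module loads elsewhere

    tree: Dict[str, Set[str]] = {}

    def walk(key, rel: str) -> None:
        values: Set[str] = set()
        i = 0
        while True:
            try:
                name, _, _ = winreg.EnumValue(key, i)
            except OSError:  # no more values
                break
            values.add(name)
            i += 1
        if rel:
            tree[rel] = values
        i = 0
        while True:
            try:
                sub = winreg.EnumKey(key, i)
            except OSError:  # no more subkeys
                break
            with winreg.OpenKey(key, sub) as subkey:
                walk(subkey, f"{rel}\\{sub}" if rel else sub)
            i += 1

    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, TREE_PATH) as root:
        walk(root, "")
    return tree


# Constructed snapshot standing in for a live registry walk. "UpdaterTask" is
# a made-up name representing a task whose SD value has been removed.
SAMPLE_TREE: Dict[str, Set[str]] = {
    r"Microsoft": set(),                                                   # folder, no Id
    r"Microsoft\Windows\Defrag\ScheduledDefrag": {"Id", "Index", "SD"},    # normal task
    r"Microsoft\Windows\TextServicesFramework\MsCtfMonitor": {"Id", "Index", "SD"},
    r"UpdaterTask": {"Id", "Index"},                                       # SD deleted: hidden
}

if __name__ == "__main__":
    tree = read_tree_from_registry() if sys.platform == "win32" else SAMPLE_TREE
    hidden = find_hidden_tasks(tree)
    for task in hidden:
        print("scheduled task with no SD value (hidden from schtasks):", task)
    if not hidden:
        print("no SD-less tasks found")
```

Pair the result with a `schtasks /query` listing: a task present in the registry tree but absent from the query output is exactly the discrepancy the report describes. Restoring visibility means re-creating the SD value or deleting the task key and its TaskCache\Tasks\{GUID} entry from an elevated context, after the image has been captured for forensics.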
Dismantling ZLoader: How malicious ads led to disabled security tools and ransomware
Good disruption here, but the paid malicious ads we have touched on in recent weeks are called out here. Will this force digital advertisers to do KYC due to sanctions etc?
In more recent campaigns, ZLoader has shifted away from using email as a means of delivery and instead used malicious ads on search engines such as Google to trick users into visiting malicious sites.
SystemBC Being Used by Various Attackers
Criminal actors getting great ROI from the use of SystemBC.
SystemBC is a proxy malware that has been used by various attackers for the last few years. While it is recently distributed through SmokeLoader or Emotet, this malware has steadily been used in various ransomware attacks in the past.
In March 2022, it was found that SystemBC was being installed as an additional payload by Emotet. Emotet is a banking malware that installs additional modules or malware strains to steal credentials from the infected system. Normally, the attackers install Cobalt Strike through Emotet to dominate the infected system, but recently, SystemBC is also being distributed.
New SolarMarker (Jupyter) Campaign Demonstrates the Malware’s Changing Attack Patterns
Shimi Cohen, Inbal Shalev and Irena Damsky document a campaign which isn’t using paid adverts but is using SEO. Again this looks like it might be an Initial Access Broker looking to amass product.
Recently, we've identified a new version of SolarMarker, a malware family known for its infostealing and backdoor capabilities, mainly delivered through search engine optimization (SEO) manipulation to convince users to download malicious documents.
Some of SolarMarker’s capabilities include the exfiltration of auto-fill data, saved passwords and saved credit card information from victims’ web browsers. Besides capabilities typical for infostealers, SolarMarker has additional capabilities such as file transfer and execution of commands received from a C2 server.
Enemybot: A Look into Keksec's Latest DDoS Botnet
Joie Salvio and Roy Tay outline a DDoS botnet running on embedded devices. The contested nature of this space does make you wonder how many devices have multiple bots on them.
Enemybot has been seen targeting routers from Seowon Intech, D-Link, and exploits a recently reported iRZ router vulnerability to infect more devices.
SPM55: Ascending the Ranks of Indonesian Phishing As A Service Offerings
Commercial Phishing from Indonesia with ❤️ - or what happens when cybercrime enacts an offshore model with a highly customer centric approach to service.
Although SPM55 is a relative newcomer to the Indonesian cybercrime community, a marked uptick in activity and known customers over the last several months suggests this group seeks to scale their business operation, possibly in response to the collapse of competing Indonesia-based phishing vendors.
SPM55 offerings target a number of popular services, technology companies, and financial institutions. Some examples include Coinbase, Netflix, Amazon, and Ebay. Another noteworthy characteristic of SPM55 is their willingness to pivot rapidly based on customer feedback and expand their customer base by releasing new phishing kits quickly.
[PYSA] Ransomware Group In-Depth Analysis
The insight gained here is deep via means that would not be legal in the United Kingdom today.
[We] detected and gained visibility into PYSA’s ransomware infrastructure and analyzed its findings to gain insight into how the criminal operation works.
One of our investigation’s most important findings is a publicly available .git folder managed by PYSA operators. This is an obvious operational security mistake that is nonetheless common among cybercriminals. Our team found sufficient evidence to show that this public folder is not an intentional decoy, but a genuine tool forgotten by a careless PYSA team member.
How we find and understand the latent compromises within our environments.
Windows telemetry: CIT aka Customer Interaction Tracker
Erik Schamper from NCC Group’s Netherlands business Fox-IT details a previously undocumented source of forensic data that is present up to at least Windows 7.
Windows versions up to at least version 7 contained a telemetry source called Customer Interaction Tracker
The CIT database can be parsed to aid forensic investigation
Finally, we also provide code to parse the CIT database yourself. We have implemented all of these findings into our previously mentioned investigation framework, which enables us to use them on all types of evidence data that we encounter.
Sentinel Queries: Email Events - Find Users Who Read Malicious Email
Neat KQL query for Microsoft Sentinel from Matt Zorich.
When a malicious email is received, list all the users who received it and all the users who read it.
Release T-Pot 22.04.0 honeypot framework
Big release of what is likely one of the most mature and maintained honeypot networks.
Distributed Installation with HIVE and HIVE_SENSOR
ARM64 support for all provided Docker images
GeoIP Attack Map visualizing Live Attacks on a dedicated webpage
Kibana Live Attack Map visualizing Live Attacks from different HIVE_SENSORS
Blackhole is a script trying to avoid mass scanner detection
Elasticvue a web front end for browsing and interacting with an Elastic Search cluster
Ddospot a honeypot for tracking and monitoring UDP-based Distributed Denial of Service (DDoS) attacks
Endlessh is a SSH tarpit that very slowly sends an endless, random SSH banner
HellPot is an endless honeypot based on Heffalump that sends unruly HTTP bots to hell
qHoneypots 25 honeypots in a single container for monitoring network traffic, bots activities, and username \ password credentials
Redishoneypot is a honeypot mimicking some of the Redis' functions
SentryPeer a dedicated SIP honeypot
Index Lifecycle Management for Elasticsearch indices is now being used
How we proactively defend our environments.
Detecting malicious artifacts using an ETW consumer in kernel mode
Alonso Candado outlines an approach to detect some of the more novel syscall calling techniques used on Windows to bypass EDRs.
In this blog post, we show an experimental way to consume syscalls-related ETW events from kernel mode to detect artifacts in memory that are using direct syscalls or manual mapping of code.
Automatically extracting static antivirus signatures
Vladimir Meier provides tooling to extract signatures used by EDR vendors.
Most antivirus engines rely on strings or other bytes sequences, function exports and big integers to recognize malware. This project helps to automatically recover these signatures.
Attack capability, techniques and tradecraft.
Make phishing great again. VSTO office files are the new macro nightmare?
Daniel Schell documents an evolved maldoc phishing technique which we have seen used in the wild.
Visual Studio Tools for Office (VSTO) has the capability to export an Add-In which is embedded inside an Office document file (such as a Word DOCX). If this document is delivered in the right way (to avoid some inbuilt mitigations) it provides rich capabilities for attackers to phish users and gain code execution on a remote machine through the installation of a word Add-In.
This tool by Brett Hawkins automates some opsec elements which may hinder some threat intelligence activities.
Proof-of-concept obfuscation toolkit for C# post-exploitation tools. This will perform the below actions for a C# Visual Studio project.
Change the tool name
Change the project GUID
Obfuscate compatible strings in source code files based on obfuscation method entered by user
Removes one-line comments (e.g. // this is a comment)
Remove PDB string option for compiled release .NET assembly
Bypassing Cortex XDR
mr.d0x makes Palo Alto’s product security team likely table flip.
It’s important for security solutions to implement adequate tamper protection to avoid being targeted by attackers. Furthermore, it shouldn’t be trivial to obtain credentials or privileges that can disable the security solution.
CVE-2022-20685: Blinding Snort to Network Attacks
How to cause a Denial of Service in OT protective monitoring based on Snort. It will be interesting to see how many expensive boxes magically appear to be running Snort in the OT solution space.
An integer-overflow issue that can cause the Snort Modbus OT preprocessor to enter an infinite while-loop.
Coercing NTLM Authentication from SCCM
Chris Thompson outlines a terrifying attack against SCCM from a client/endpoint which could easily lead to total Windows Domain compromise.
tl;dr: Disable NTLM for Client Push Installation
When SCCM automatic site assignment and automatic client push installation are enabled, and PKI certificates aren’t required for client authentication, it’s possible to coerce NTLM authentication from the management point’s installation and machine accounts to an arbitrary NetBIOS name, FQDN, or IP address, allowing the credentials to be relayed or cracked. This can be done using a low-privileged account on any Windows SCCM client.
To prevent the attack techniques noted in this blog post, disable the “Allow connection fallback to NTLM” client push installation setting, which is enabled by default in SCCM.
Our attack surface.
Cisco Wireless LAN Controller Management Interface Authentication Bypass Vulnerability
My opening point: they generate $10 billion in profit yet struggle with the basics.
A vulnerability in the authentication functionality of Cisco Wireless LAN Controller (WLC) Software could allow an unauthenticated, remote attacker to bypass authentication controls and log in to the device through the management interface.
Addressing Security Weaknesses in the NGINX LDAP Reference Implementation
Details of the zero-day which appears nuanced with unclear impact.
VMWare RCE and Authentication Bypass in Certain Products
2 x RCE and 1 x Auth bypass in VMware Workspace ONE Access (Access), Identity Manager (vIDM), Automation (vRA), Cloud Foundation and Suite Lifecycle Manager
This vulnerability got a name and a logo.
Due to configuration errors or human error, significant numbers of people may have accidentally checked GitHub credentials into GitHub commits as metadata, most commonly a username as the author name and a password in the email address field.
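The commit-metadata leak above is cheap to check for in your own repositories, because the author and committer fields are right there in `git log`. The scanner below is an added example for this newsletter (not code from the cited research): it reads tab-separated `git log` output, classifies each identity field, and reports commits whose e-mail field does not look like an e-mail address at all but does look like a password. The sample log lines are constructed.

```python
"""Scan git author/committer metadata for credentials stored as identity fields.

Added example, not from the cited research. Input is the output of
`git log --format='%H%x09%an%x09%ae%x09%cn%x09%ce'` (tab-separated); the
sample lines below are constructed.
"""
import re
import subprocess
from typing import Dict, List

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Characters an e-mail address never needs but a password often has.
PASSWORD_CHARS_RE = re.compile(r"[!#$%^&*()=\[\]{};:'\",<>/?\\|~`]")
# Placeholder addresses GitHub and git itself produce; never a leak.
NOREPLY_RE = re.compile(r"@users\.noreply\.github\.com$|^noreply@")


def classify_identity_field(value: str) -> str:
    """Return 'email', 'placeholder', 'username' or 'possible_password'.

    A field that parses as an e-mail address is fine. Anything else that is
    8+ characters and mixes letters with digits or punctuation is treated as
    a possible password; shorter plain tokens are most likely a username.
    """
    if NOREPLY_RE.search(value):
        return "placeholder"
    if EMAIL_RE.match(value) and not PASSWORD_CHARS_RE.search(value):
        return "email"
    has_alpha = any(c.isalpha() for c in value)
    has_digit = any(c.isdigit() for c in value)
    if len(value) >= 8 and has_alpha and (has_digit or PASSWORD_CHARS_RE.search(value)):
        return "possible_password"
    return "username"


def scan_git_log(log_text: str) -> List[Dict[str, str]]:
    """Each line: sha<TAB>author name<TAB>author email<TAB>committer name<TAB>committer email.

    The suspected secret itself is deliberately not copied into the report;
    the commit hash and role are enough to locate and rotate it.
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split("\t")
        if len(parts) != 5:
            continue  # blank or malformed line
        sha, author_name, author_email, committer_name, committer_email = parts
        for role, name, email in (("author", author_name, author_email),
                                  ("committer", committer_name, committer_email)):
            if classify_identity_field(email) == "possible_password":
                # The name field usually holds the matching username in this failure mode.
                hits.append({"commit": sha, "role": role, "name": name,
                             "kind": "possible_password_in_email_field"})
    return hits


def scan_repository(path: str = ".") -> List[Dict[str, str]]:
    """Run git log over every ref of a local checkout and scan the metadata."""
    out = subprocess.run(
        ["git", "-C", path, "log", "--all", "--format=%H%x09%an%x09%ae%x09%cn%x09%ce"],
        check=True, capture_output=True, text=True,
    ).stdout
    return scan_git_log(out)


# Constructed sample: one clean commit, one with a username/password pair in
# the author fields, one using GitHub's noreply placeholder.
SAMPLE_LOG = "\n".join([
    "1111111111111111111111111111111111111111\tJane Smith\tjane.smith@example.com\tJane Smith\tjane.smith@example.com",
    "2222222222222222222222222222222222222222\tjsmith\tSummer2021!\tGitHub\tnoreply@github.com",
    "3333333333333333333333333333333333333333\toctocat\toctocat@users.noreply.github.com\toctocat\toctocat@users.noreply.github.com",
])

if __name__ == "__main__":
    for hit in scan_git_log(SAMPLE_LOG):
        print(hit)
```

Because the metadata is part of the commit hash, fixing a hit means rewriting history (for example with git filter-repo) and, more importantly, rotating the credential, since every clone and fork already holds the original.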
What is being exploited.
CVE-2022-22965: Analyzing the Exploitation of Spring4Shell Vulnerability by the Mirai Botnet
Deep Patel, Nitesh Surana and Ashish Verma document active exploitation.
[We] observed active exploitation of the Spring4Shell vulnerability assigned as CVE-2022-22965, which allows malicious actors to weaponize and execute the Mirai botnet malware. The exploitation allows threat actors to download the Mirai sample to the “/tmp” folder and execute them after permission change using “chmod”.
We began seeing malicious activities at the start of April 2022. We also found the malware file server with other variants of the sample for different CPU architectures.
What Our Honeypot Sees Just One Day After The Spring4Shell Advisory
Some data on flash to bang here.
When we looked back at our data, our threat hunting honeypot system had already captured activities related to this exact vulnerability. After March 30, we started to see more attempts such as various webshells, and today, 2022-04-01 11:33:09 (GMT+8), less than one day after the vendor released the advisory, a variant of Mirai has won the race as the first botnet that adopted this vulnerability.
Some other small bits and bobs which might be of interest.
Subversion Inc. The Rise of Private Intelligence - a short paper on the topic.
Threat Group Cards: A Threat Actor Encyclopaedia from ETDA (was ThaiCERT) - new URL for this great resource.
The State of Stalkerware in 2021 (published April 2022) - a broad overview of the state of the market - useful to any governments thinking about regulation.
Analysis report on TLS Certificate expiration status of Russian sites - when sanctions bite and you need to have your own Certificate Authority
That’s all folks.. until next week..