Bluepurple Pulse: week ending August 13th
US doing what it does best... going big... on cyber on all fronts...
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week nothing overly of note, the usual cyber conga line moves on and on..
In the high-level this week:
the above announces DARPA’s AI Cyber Challenge (AIxCC)
Biden-Harris Administration Launches New Efforts to Strengthen America’s K-12 Schools’ Cybersecurity - up to $200 million over three years to strengthen cyber defenses in K-12 schools and libraries in tandem with other federal agencies that have deep expertise in cybersecurity.
DHS Announces Additional $374.9 Million in Funding to Boost State, Local Cybersecurity - a first-of-its-kind cybersecurity grant program specifically for state, local, and territorial (SLT) governments across the country to help them strengthen their cyber resilience
MOVEit hack spawned around 600 breaches but isn't done yet - cyber analysts - what happens when organised crime groups get a zero-day - they don’t observe cyber norms it would appear.
New York State to Debut First Cybersecurity Strategy - including plans to modernize government networks, provide digital defenses at the county level and regulate critical infrastructure - I wonder if other global cities will follow.
Two US lawmakers raise security concerns about Chinese cellular modules - Two U.S. lawmakers on Tuesday asked the Federal Communications Commission (FCC) to address questions about potential security concerns involving cellular modules made by Chinese companies including Quectel and Fibocom Wireless.
Australian Government warned to assess cyber risk in foreign-made solar panel technology - I am interested in what the real-world risk is here.
Pro-China group may be behind breach of Japan govt. cybersecurity center - The center says its investigation found that some data related to emails, sent and received between early October last year and mid-June, may have been leaked.
China hacked Japan’s sensitive defense networks, officials say - In the fall of 2020, the National Security Agency made an alarming discovery: Chinese military hackers had compromised classified defense networks of the United States’ most important strategic ally in East Asia.
Notice of the Cyberspace Administration of China on the Public Solicitation of Comments on the "Administrative Measures for Compliance Auditing of Personal Information Protection" - China warming up with regards to how it ensures the protection of personal information.
Notice of the State Internet Information Office on the Public Solicitation of Comments on the "Guidelines for the Construction of the Mobile Internet Minor Model" - How China is proposing to protect its young.
Goal 1: Execute consistent capability assessment and analysis processes to stay ahead of force needs.
Goal 2: Establish an enterprise-wide talent management program to better align force capabilities with current and future requirements.
Goal 3: Facilitate a cultural shift to optimize Department-wide personnel management activities.
Goal 4: Foster collaboration and partnerships to enhance capability development, operational effectiveness and career broadening experiences.
Artificial Intelligence: Overview, Recent Advances, and Considerations for the 118th Congress by the Congressional Research Service - what US policy makers are seeing.
German Federal Government SBOM requirements - Europe’s demand signal has been signalled..
A Call to Action: Bolster UEFI Cybersecurity Now by CISA - a technical call to arms for hardware OEMs and others to address one of the lower-level aspects of the chain of trust.
The Proposed United Nations Cybercrime Convention - podcast by The Center for Strategic and International Studies (CSIS)
What is the UN cybercrime treaty and why does it matter? - on the same topic from Chatham House
The first reflection this week comes from the Call for proposals: Machine Learning Model Vulnerabilities by the UK’s Alan Turing Institute. You will also see below that we are only getting started with regards to understanding the intrinsic vulnerabilities. As an example, show me a vector database and I will show you an attack surface which has yet to be materially explored.
The second comes from reading the paper Digital Traces of the Mind: Using Smartphones to Capture Signals of Well-Being in Individuals. If we take this as an input and then imagine a world where security guard rails are dynamic due to the level of stress the user is exhibiting and thus the inference they need more support, we could end up in an amazing place on the sociotechnical side of cyber.
On the interesting job/role front (thanks to those sending me these):
UN Multistakeholder Advisory Body on Artificial Intelligence - public call for nominations
Have a lovely Thursday
Cyber threat intelligence
Who is doing what to whom and how.
The SBU exposed the attempts of the Russian special services to break into the electronic system for planning the operations of the Armed Forces
A lesson around the threat when you lose physical control of your endpoints. The digital enabled battlefield adds a whole new dimension to the attack surface. I suspect MFA is not the answer and reminds me of the auto erase feature we had on BlackBerry when the battery charge got below a certain level (for those feeling nostalgic it was the Secure Wipe if Low Battery IT policy).
As a result of the investigation, cyber specialists of the SBU established that in order to spread "viruses" in the system, the enemy made the main "bet" on capturing Ukrainian tablets on the battlefield. In the future, they planned to use the accesses and programs available on these devices to penetrate the system.
Come for the memes, stay for the Kremlin propaganda
Information operations in countries which are being contested for influence are only going to increase. How we help those countries (where they aren’t using IOs for their own benefit) whilst also getting the platform providers to help (which may not in the future all be Western aligned) is going to require some effort.
Nearly all of the Kremlin’s information operations in African countries leverage social media, and Facebook in particular, as an unregulated vector for swiftly and covertly influencing millions. This report presents evidence for the Kremlin’s large-scale and continuous manipulation of Meta’s products in Francophone Africa. Building on Reset’s extensive monitoring and analysis of Kremlin information operations, we examine the form and impact of a “bait-and-switch” disinformation distribution strategy employed by pro-Kremlin actors since early March 2023 as well as the insufficiency of Meta’s actions to prevent the spread of such campaigns.
Comrades in Arms? | North Korea Compromises Sanctioned Russian Missile Engineering Company
Tom Hegel and Aleksandar Milenkoski detail how friends aren’t always friends in the cyber domain. When you don’t have many friends this seems unwise, especially if they are bankrolling you somewhat.
[We] identified an intrusion into the Russian defense industrial base, specifically a missile engineering organization NPO Mashinostroyeniya.
Our findings identify two instances of North Korea related compromise of sensitive internal IT infrastructure within this same Russian DIB organization, including a specific email server, alongside use of a Windows backdoor dubbed OpenCarrot.
Our analysis attributes the email server compromise to the ScarCruft threat actor. We also identify the separate use of a Lazarus Group backdoor for compromise of their internal network.
At this time, we cannot determine the potential nature of the relationship between the two threat actors. We acknowledge a potential sharing relationship between the two DPRK-affiliated threat actors as well as the possibility that tasking deemed this target important enough to assign to multiple independent threat actors.
RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale
A very large Chinese operation outed here which will impose some cost on the operators as they look to pivot. Note the use of Cobalt Strike.
[Our] research examines RedHotel, a Chinese state-sponsored threat activity group that stands out due to its persistence, operational intensity, and global reach. RedHotel's operations span 17 countries in Asia, Europe, and North America from 2021 to 2023. Its targets encompass academia, aerospace, government, media, telecommunications, and research sectors. Particularly focused on Southeast Asia's governments and private companies in specified sectors, RedHotel's infrastructure for malware command-and-control, reconnaissance, and exploitation points to administration in Chengdu, China. Its methods align with other contractor groups linked to China's Ministry of State Security (MSS), indicating a nexus of cyber talent and operations in Chengdu.
[We] observed probable victim organizations in Afghanistan, Bangladesh, Cambodia, Czechia, Bhutan, Hong Kong, India, Laos, Malaysia, Nepal, Palestine, Pakistan, the Philippines, Thailand, Taiwan, the US, and Vietnam communicating with known RedHotel C2 infrastructure, with the group displaying a particular regional focus within Southeast Asia by volume of victims observed. These organizations spanned academia, aerospace, government, media, telecommunications, and research and development sectors. Of particular note, in July 2022, we observed the probable compromise of a US state legislature, which was observed communicating to ShadowPad and Cobalt Strike C2 IP addresses operated by the group.
Iranians tried to hack state employees and researchers, Shin Bet says
Iranian state using social media to deliver malicious documents. We have reported on similar before and it is very similar to North Korean tradecraft.
Security agency says operatives contacted Israelis via LinkedIn and email, sent infected documents that would hand them control of targets’ computers
Cloud Account Takeover Campaign Leveraging EvilProxy Targets Top-Level Executives at over 100 Global Organizations
Shachar Gritzman, Moshe Avraham, Tim Kromphardt, Jake Gionet and Eilon Bendet detail a very large campaign using phishing. The seniority of the victimology is of note as shown in the below chart.
Over the last six months, [our] researchers have observed a dramatic surge of over 100% in successful cloud account takeover incidents impacting high-level executives at leading companies.
Over 100 organizations were targeted globally, collectively representing 1.5 million employees.
Threat actors utilized EvilProxy - a phishing tool based on a reverse proxy architecture, which allows attackers to steal MFA-protected credentials and session cookies.
This rising threat combines sophisticated Adversary-in-the-Middle phishing with advanced account takeover methods, in response to the growing adoption of multifactor authentication by organizations.
Demystifying Mysterious Team Bangladesh: Analysis of a highly active hacktivist group with global reach
The metrics are of note as is the ideology.
Mysterious Team Bangladesh carried out over 750 DDoS and 70+ website defacements within a year.
Group members allege that the gang was created in 2020, although the bulk of their activity has taken place since June 2022.
The group most frequently attacks logistics, government, and financial sector organizations in India and Israel.
The group is primarily driven by religious and political motives.
The gang initiates multi-wave campaigns focused on specific countries rather than individual companies.
Before conducting a full-scale attack the group carries out a short “test attack” to check their targets’ resistance to DDoS attacks
The hacktivist group most often exploits vulnerable versions of PHPMyAdmin and WordPress.
Mysterious Team Bangladesh relies on open-source utilities for conducting DDoS and defacement attacks.
A Telegram user under the nickname D4RK_TSN is believed to be the founder of Mysterious Team Bangladesh
Beyond Donations: How Hacktivist Groups Fund Their Operations
When ideology needs cash you need to have a hustle and this is theirs. The Venn between low grade cyber criminality and hacktivism is interesting.
[We] identified that in 2023 and the latter part of 2022, hacktivist groups have been seen using different methods to source income, including:
Selling stolen data, accesses, and logs
Selling training courses
Attempting to extort ransoms from their victims
Selling botnet licenses
Looking for investor funding for their projects
Selling advertisement spaces
Providing hack-for-hire services
Tunnel Vision: CloudflareD AbuseD in the WilD
Nic Finn details how Zero Trust technology is being used for evil. Something to go hunting for in estates..
[We] have responded to multiple engagements involving a relatively new, legitimate tool being used by TAs: Cloudflare Tunnel, also known by its executable name, Cloudflared … the key point is that Cloudflared reaches out to the Cloudflare Edge Servers, creating an outbound connection over HTTPS(HTTP2/QUIC), where the tunnel’s controller makes services or private networks accessible via Cloudflare console configuration changes. These changes are managed through Cloudflare’s Zero Trust dashboard and are used to allow external sources to directly access important services, including SSH, RDP, SMB, and others.
How we find and understand the latent compromises within our environments.
Detecting DPAPI Backup Key Theft
Michael Grafnetter details how to approach this practically at the domain controller and endpoint level.
C2 Server Hunting: Empowering Threat Intelligence with Nuclei Templates
An example of how to do C2 discovery at scale for those who don’t want to build their own scanning framework whilst scanning the Internet.
We cover three ways of identifying C2 servers with Nuclei:
Default SSL Certificates: Identifying C2 servers through default SSL certificates
Body Hash: Calculating cryptographic hashes of response bodies to detect known C2 server signatures.
JARM: Analyzing server fingerprints generated during the TLS handshake to uncover C2 servers.
Hunting C2 Beaconing at Scale in the Modern Age
Mehmet Ergene shows how to use time delta and data size analysis using network traffic flows.
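To make the time delta and data size idea concrete, here is an added Python example (not code from the linked article): it groups flow records per source/destination pair and flags pairs whose inter-arrival times and byte counts are both unusually regular. The flow tuple layout, the thresholds and the sample records are assumptions constructed for this illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: (epoch_seconds, src_ip, dst_ip, bytes_sent).
# 10.0.0.5 -> 203.0.113.10 checks in roughly every 60 s with a near-constant
# payload; 10.0.0.7 -> 198.51.100.20 looks like irregular interactive traffic.
JITTER = [0, 1, -1, 2, 0, -2, 1, 0, -1, 1]
SAMPLE_FLOWS = [
    (1000 + 60 * i + j, "10.0.0.5", "203.0.113.10", 512 + j)
    for i, j in enumerate(JITTER)
] + [
    (ts, "10.0.0.7", "198.51.100.20", size)
    for ts, size in [(1003, 1800), (1010, 64000), (1190, 420), (1200, 9100),
                     (1950, 300), (1962, 125000), (2400, 740), (2405, 5200)]
]


def coefficient_of_variation(values):
    """Population std-dev divided by the mean; a low value means 'very regular'."""
    avg = mean(values)
    return pstdev(values) / avg if avg > 0 else float("inf")


def score_beaconing(flows, min_events=8, max_interval_cv=0.10, max_size_cv=0.10):
    """Return per-(src, dst) regularity metrics and a 'suspicious' verdict.

    Thresholds are assumptions: a beacon configured with heavy jitter has a
    higher interval CV, so tune max_interval_cv against your own baseline.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, size in flows:
        by_pair[(src, dst)].append((ts, size))

    results = {}
    for pair, events in by_pair.items():
        if len(events) < min_events:
            continue  # too few observations to judge regularity
        events.sort()
        times = [ts for ts, _ in events]
        # Time delta analysis: gap between each connection and the previous one.
        deltas = [later - earlier for earlier, later in zip(times, times[1:])]
        # Data size analysis: how much the bytes sent vary between connections.
        sizes = [size for _, size in events]
        interval_cv = coefficient_of_variation(deltas)
        size_cv = coefficient_of_variation(sizes)
        results[pair] = {
            "events": len(events),
            "mean_interval": mean(deltas),
            "interval_cv": interval_cv,
            "size_cv": size_cv,
            "suspicious": interval_cv <= max_interval_cv and size_cv <= max_size_cv,
        }
    return results


if __name__ == "__main__":
    for (src, dst), r in score_beaconing(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst}: every ~{r['mean_interval']:.0f}s, "
              f"interval_cv={r['interval_cv']:.3f}, size_cv={r['size_cv']:.3f}, "
              f"suspicious={r['suspicious']}")
```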
Sniffing Out SharpHound on its Hunt for Domain Admin
Details of their experience detecting the use of SharpHound at the network and event log levels. Punchline is there are detection opportunities…
Peeking at User Notification Events in iOS 15
Geraldine Blay and Alexis Brignoni provide a useful guide; why Apple did away with this file is unclear given its forensic value.
iOS Notifications allow users to peek at content that could be important to them without having to access the app. For us forensic examiners, Notifications can be a goldmine, potentially showing content that is not present in the phone anymore. In this post, we take a look at notification logs stored in private/var/mobile/Library/DuetExpertCenter/streams/userNotificationEvents/local.
How we proactively defend our environments.
Enhancing Chromium’s Memory Safety with Armv9
Richard Townsend shows why exploitation of memory corruption is about to get harder on Arm in the real world. Fascinated to learn of the real world performance.
Arm's CE-Software team is delighted to announce the release of Chromium M115, with experimental support for Arm’s Memory Tagging Extension (MTE). M115 represents over five years of work by Arm's engineering teams to enable this breakthrough technology, bringing better spatial and temporal memory safety to existing C and C++ codebases. Approximately 70% of Chromium’s serious security bugs are related to memory safety problems, so enabling it experimentally is an important first step for end-user security.
bootloaders.io: a curated list of known malicious bootloaders for various operating systems
Michael Haag, Jose Hernandez and Jose Hernandez do their version of Avengers Assemble to bring us a very long list of EFIs we don’t want floating around our enterprises.
Pixel Binary Transparency: verifiable security for Pixel devices
Jay Hou details an interesting application of Merkle Trees. I will be interested to see how this style of herd integrity verification gets adopted more broadly and/or is offered as a service by the likes of foundries.io.
RogueSliver: A suite of tools to disrupt campaigns using the Sliver C2 framework
‘Effects’ against the Sliver C2 framework, highly illegal except for the few and that likely isn’t you..
A suite of tools to disrupt campaigns using the Sliver C2 framework.
Our attack surface.
Vulnerabilities in Sogou Keyboard encryption expose keypresses to network eavesdropping
Jeffrey Knockel, Zoë Reichert, and Mona Wang detail a vulnerability which put an entire population at risk. Don’t roll your own crypto is once again the lesson..
We analyzed Tencent’s Sogou Input Method, which, with over 450 million monthly active users, is the most popular Chinese input method in China.
Analyzing the Windows, Android, and iOS versions of the software, we discovered troubling vulnerabilities in Sogou Input Method’s custom-designed “EncryptWall” encryption system and in how it encrypts sensitive data.
We found that network transmissions containing sensitive data such as those containing users’ keystrokes are decipherable by a network eavesdropper, revealing what users are typing as they type.
We disclosed these vulnerabilities to Sogou developers, who released fixed versions of the affected software as of July 20, 2023 (Windows version 13.7, Android version 11.26, and iOS version 11.25).
These findings underscore the importance for software developers in China to use well-supported encryption implementations such as TLS instead of attempting to custom design their own.
CVE-2022-40982, enables a user to access and steal data from other users who share the same computer
Daniel Moghimi breaks every Intel from the 6th Skylake to (including) the 11th Tiger Lake generations. Microarchitectural issues like this and AMD's last week are not done yet..
Downfall attacks target a critical weakness found in billions of modern processors used in personal and cloud computers. This vulnerability, identified as CVE-2022-40982, enables a user to access and steal data from other users who share the same computer. For instance, a malicious app obtained from an app store could use the Downfall attack to steal sensitive information like passwords, encryption keys, and private data such as banking details, personal emails, and messages. Similarly, in cloud computing environments, a malicious customer could exploit the Downfall vulnerability to steal data and credentials from other customers who share the same cloud computer.
The vulnerability is caused by memory optimization features in Intel processors that unintentionally reveal internal hardware registers to software. This allows untrusted software to access data stored by other programs, which should not normally be accessible.
Unauthenticated Log Injection In Splunk SOAR
Splunk as an attack route..
In Splunk SOAR versions 6.0.2 and earlier, a maliciously crafted request to web endpoint through Splunk SOAR can inject ANSI (American National Standards Institute) escape codes into Splunk log files that, when a vulnerable terminal application reads them, can potentially result in malicious code execution in the vulnerable application. This attack requires a Splunk SOAR user to use a terminal application that supports the translation of ANSI escape codes to read the malicious log file locally in the vulnerable application. The attack further requires the terminal user to execute the code.
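For anyone who reads log files in a terminal, an added Python example (not Splunk's code and not from the advisory) that reports ANSI escape sequences in log lines and rewrites every control character in a visible, inert form before display. The log lines are constructed samples in a generic format, not Splunk SOAR's actual log layout, and the embedded sequences are ordinary colour, erase-line and window-title codes.

```python
import re

# ESC-introduced sequences as defined by ECMA-48 / xterm conventions.
ANSI_RE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"               # CSI: ESC [ params intermediates final
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"    # OSC: ESC ] ... terminated by BEL or ESC \
    r"|\x1b[@-Z\\-_]"                        # any other two-character escape
)
# C0 controls (tab is left alone), DEL and the 8-bit C1 range.
CONTROL_RE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f-\x9f]")

# Constructed sample log lines (generic format, for illustration only).
SAMPLE_LOG = [
    "2023-08-10 12:00:01 INFO request path=/example status=200",
    "2023-08-10 12:00:02 WARN request path=/login\x1b[2K\x1b[1;31mstatus=200",
    "2023-08-10 12:00:03 WARN request user=\x1b]0;constructed title\x07guest",
]


def classify(sequence):
    """Name the escape family so an analyst can triage what was injected."""
    if sequence.startswith("\x1b["):
        return "CSI"
    if sequence.startswith("\x1b]"):
        return "OSC"
    return "ESC"


def inspect_line(line):
    """Return (safe_text, kinds): the inert rendering and the escapes found."""
    line = line.rstrip("\r\n")
    kinds = [classify(m.group()) for m in ANSI_RE.finditer(line)]
    # Rewriting every control byte as \xNN means the terminal never sees a raw
    # ESC, BEL or C1 byte, whether or not the sequence matched ANSI_RE.
    safe = CONTROL_RE.sub(lambda m: "\\x%02x" % ord(m.group()), line)
    return safe, kinds


def scan_log(lines):
    """Return [(line_number, kinds, safe_text)] for lines carrying escapes."""
    report = []
    for number, line in enumerate(lines, start=1):
        safe, kinds = inspect_line(line)
        if kinds:
            report.append((number, kinds, safe))
    return report


if __name__ == "__main__":
    for number, kinds, safe in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(kinds)} -> {safe}")
```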
Indirect Prompt Injections - Intrinsic Vulnerability in Application-Integrated AI Language Models
German Federal government alert around this class of vulnerability.
In this case, LLMs are vulnerable to so-called indirect prompt injections: attackers can manipulate the data in these sources and place unwanted instructions for LLMs there. If LLMs access this data, the unwanted instructions may be executed. Attackers can thereby manipulate the behaviour of LLMs in a targeted manner. The potentially malicious commands can be encoded or hidden and may not be recognizable by users. In simple cases, this could be text on a web page with font size zero or hidden text in the transcript of a video.
However, it is also possible to encode instructions so that they are still easily interpreted by LLMs but are difficult to read by humans (e.g., for example using ASCII code or similar). It might also be that a web server answers requests from chatbots with different content than human users receive from browser requests due to different call parameters.
The manufacturer OpenAI also points out this vulnerability in connection with the use of plugins in the ChatGPT product on 13th June 2023: “However, there are still open research questions. For example, a proof-of-concept exploit illustrates how untrusted data from a tool’s output can instruct the model to perform unintended actions.”
Don’t you (forget NLP): Prompt injection with control characters in ChatGPT
Mark Breitenbach, Adrian Wood, Win Suen, and Po-Ning Tseng released this in June which I missed. We have much to do..
As part of this work, we recently observed some unusual behavior with two popular large language models from OpenAI, in which control characters (like backspace) are interpreted as tokens. This can lead to situations where user-controlled input can circumvent system instructions designed to constrain the question and information context. In extreme cases, the models will also hallucinate or respond with an answer to a completely different question.
In the Line of Fire: Risks of DPI-triggered Data Collection
Ariana Mirian, Alisha Ukani, Ian Foster, Gautam Akiwate, Taner Halicioglu, Cynthia T. Moore, Alex C. Snoeren, Geoffrey M. Voelker and Stefan Savage detail an interesting side channel attack against security products to reveal their existence in targets.
In this paper, we explore one such subtle situation that arises from an intelligence gathering feature present in FireEye’s widely-deployed passive deep-packet inspection appliances. In particular, FireEye’s systems will report back to the company Web requests containing particular content strings of interest. Based on these reports, the company then schedules independent requests for the same content using distributed Internet proxies. By broadly scanning the Internet using a known trigger string we are able to reverse engineer how these measurements work. We show that these side-effects provide a means to empirically establish which networks and network links are protected by such appliances. Further, we also show how to influence the associated proxies to issue requests to any URL.
Attack capability, techniques and trade-craft.
Abusing Amazon VPC CNI plugin for Kubernetes
Once again evidence the modern cloud is hyper complex from a security perspective.
Would you expect an Amazon EKS cluster to be able to manipulate the networking of other EC2 instances, unrelated to the cluster, even those in other VPCs? While considering the attack surface exposed for Amazon EKS, we investigated the Amazon VPC CNI plugin for Kubernetes, and identified methods to abuse the plugin to manipulate networking to our advantage. This allows an attacker with a foothold in an EKS cluster to expose and potentially exploit services in other VPCs.
A Practical Deep Learning-Based Acoustic Side Channel Attack on Keyboards
Joshua Harrison, Ehsan Toreini and Maryam Mehrnezhad bring Hollywood to the real world. Waiting for the first in the wild report of an implant doing this..
With recent developments in deep learning, the ubiquity of microphones and the rise in online services via personal devices, acoustic side channel attacks present a greater threat to keyboards than ever. This paper presents a practical implementation of a state-of-the-art deep learning model in order to classify laptop keystrokes, using a smartphone integrated microphone. When trained on keystrokes recorded by a nearby phone, the classifier achieved an accuracy of 95%, the highest accuracy seen without the use of a language model. When trained on keystrokes recorded using the video-conferencing software Zoom, an accuracy of 93% was achieved, a new best for the medium. Our results prove the practicality of these side channel attacks via off-the-shelf equipment and algorithms. We discuss a series of mitigation methods to protect users against these series of attacks.
Evasive Phishing Tactic Utilizes Google AMP
Dylan Duncan details misuse of Google’s services in order to deliver a phishing campaign. The good news is Google should be able to intervene and help put a stop to it. The bad news is similar services will likely be next..
A new tactic employed by threat actors utilizes Google AMP URLs as links embedded within their phishing emails. These links are hosted on trusted domains and have proven to be successful at reaching enterprise-level employees.
Google AMP URLs used in phishing recently emerged during May of 2023 and have continued to be disseminated since the time of this writing, targeting employee login credentials.
“PhishForce” — Vulnerability Uncovered in Salesforce’s Email Services Exploited for Phishing
Oleg Zaytsev and Nati Tal provide a further example of the above. A now fixed vulnerability in a combination of platforms which was being misused by a threat actor.
[Our] research team has uncovered an actively exploited vulnerability enabling threat actors to craft targeted phishing emails under the Salesforce domain and infrastructure. Those phishing campaigns cleverly evade conventional detection methods by chaining the Salesforce vulnerability and legacy quirks in Facebook’s web games platform.
What is being exploited.
CVE-2023-3519: RCE exploit
These Citrix devices don’t have ASLR and thus we get this.. already widely exploited.
This exploit uses addresses and shellcode for Citrix VPX 13.1-48.47.
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
IDA Plugin - MinHash-based Code Relationship & Investigation Toolkit (MCRIT)
Daniel Plohmann provides a powerful tool for both malware analysts and vulnerability researchers.
When thinking about how to make 1:N code-similarity information useful in a tool like IDA, one goal for me is to increase the context for what an analyst is currently looking at.
When matching a whole binary, there is a lot of potential matches, which can be overwhelming and the scope is possibly also different from what you want when doing in-depth analysis.
In my opinion, it would likely make more sense to just provide information for all possible matches for a given, currently viewed function, or even for a single basic block.
Identification of API Functions in Binaries
Tim Blazytko introduces a new technique called Frequently Called Functions which goes beyond signature matching and cross-referencing with known libraries.
Cartographer: A Ghidra plugin for mapping out code coverage data
Austin Peavy provides a work aid to reverse engineers that will at least allow the identification of hot (and not so hot) code.
Cartographer simplifies the complexities of reverse engineering by allowing researchers to visually observe which parts of a program were executed, obtain details about each function’s execution, compare different runs of the same program, and much more.
Breaking Fortinet Firmware Encryption
Jon Williams makes Fortinet sob and incurs a wonderful response..
On the other hand, they promptly locked down access to firmware downloads, limiting each account to products with active licenses. As a trial user, you can now only download virtual machine images.
Some other small (and not so small) bits and bobs which might be of interest.
Catching up on the weird world of LLMs - My goal was to help people who haven’t been completely immersed in this space catch up to what’s been going on.
AgentBench: Evaluating LLMs as Agents - We present AgentBench, a multi-dimensional evolving benchmark that currently consists of 8 distinct environments to assess LLM-as-Agent's reasoning and decision-making abilities in a multi-turn open-ended generation setting. Our extensive test over 25 LLMs (including APIs and open-sourced models) shows that, while top commercial LLMs present a strong ability of acting as agents in complex environments, there is a significant disparity in performance between them and open-sourced competitors.
Methodology of identifying customary international law applicable to cyber activities - What is striking about recent scholarship on the application of customary international law to cyber activities is how little has been dedicated to the preliminary question of how one identifies the applicability of existing rules of customary international law to cyber operations. Yet, the answer to this preliminary question holds the key to answering many of the questions which arise regarding whether existing rules of customary international law apply to cyber activities.
What Makes an Influence Operation Malign? - Three criteria can help democratic governments assess whether an influence operation is acceptable or unacceptable.
Space Odyssey: An Experimental Software Security Analysis of Satellites - In this paper, we first provide a taxonomy of threats against satellite firmware. We then conduct an experimental security analysis of three real-world satellite firmware images.
None this week as everyone is in Vegas