Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading).
Operationally this week saw periods of high alert around the US visit to Taiwan, but nothing material seems to have come of it yet. We have seen an uptick in ransomware activity from a range of actors based on CIRT inbounds. Aside from that the world continues to turn…
In the high-level this week:
Japan, U.S. agree on 'rules-based order' in 1st economic 2-plus-2 talks - Tokyo will establish a new research and development hub for advanced semiconductors this year. Chip production could begin in Japan in 2025.
White House’s U.S. Digital Service found Thousands of lives depend on a transplant network in need of ‘vast restructuring’ - “We request you take immediate steps to secure the national Organ Procurement and Transplantation Network system from cyber-attacks,” - pretty strong ‘tell’ and not ‘ask’ there; also terrifying implications for human life.
U.S. Justice Department probing cyber breach of federal court records system - unclear who or why, but interesting if you think about indictments and sealed cases etc.
United States and Ukraine Expand Cooperation on Cybersecurity - training, joint exercises and information exchanges is the cooperation.
SSU shuts down million-strong bot farm that destabilized situation in Ukraine and worked for one of political forces (video) - the scale is the impressive aspect in the video.
“Win the War Before the War?”: A French Perspective on Cognitive Warfare - “It is 2050, and society is divided into an archipelago of community-based alternative reality zones. The French armed forces are tasked with “securing reality” in the face of an adversary capable of modifying collective behavior on a large scale through actions of deception and subversion” - fun bit of futures work.
The Subversive Trilemma in Cyber Conflict and Beyond - We can speculate about a lot of possible cyberattacks that might be successful in different ways, yet the empirical record of their actual use documents their strategic limitations - interesting when combined with the recent “You can’t cyber your way across a river.” line from Chief of the General Staff General Sir Patrick Sanders from the UK’s Ministry of Defence.
A Frontier Without Direction? The U.K.’s Latest Position on Responsible Cyber Power - Ciaran Martin (ex CEO of the UK’s National Cyber Security Centre) and Dr Andrew Dwyer give a rather direct analysis of the current legal interpretations and opportunity as they see it.
CISA Adds One Known Exploited Vulnerability to Catalog - Clock starts ticking for Zimbra Collaboration (ZCS) Command Injection Vulnerability (see below in the vulnerability section for the technical details).
Reflection this week is from this discussion with Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology at the National Security Council in the US facilitated by Center for a New American Security (CNAS). Simply put it is fascinating. Lots of subtleties as well as overt notes which are worth closely listening to e.g. North Korea gets 1/3 of its funds from cyber, US domestic cyber diplomacy is a thing with the private sector and the role of OpenRAN etc.
In think tank job land the Australian Strategic Policy Institute is looking for an International Cyber Policy Centre Coordinator.
Finally on China / Taiwan I was recommended the book Inseparable Separation: The Making of China's Taiwan Policy. It has been enlightening as to the real complexities that underpin what results in firing of ballistic missiles into the sea.
Have a lovely Friday,
Ollie
Cyber threat intelligence
Who is doing what to whom and how.
Flying in the clouds
APT31 renews its attacks on Russian companies through cloud storage in this reporting from Russia on Chinese state activity. When friends attack friends you have to ask are they really?
[We] detected an attack on a number of Russian media and energy companies that used a malicious document called «list.docx» to extract a malicious payload packed with VMProtect. Having analyzed the network packet, we found it to be identical to the one we studied in our report on APT31 tools, suggesting that these may belong to one and the same group.
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-cloud-attacks/
Woody RAT: A new feature-rich malware spotted in the wild
Ankur Saini and Hossein Jazi detail a campaign targeting Russian aerospace and defence. The actual initial access techniques are not anything noteworthy if you have mitigated CVE-2022-30190.
The threat actor is using a Microsoft Office document (Памятка.docx) that has been weaponized with the Follina (CVE-2022-30190) vulnerability to drop Woody Rat. The lure, written in Russian, is called “Information security memo” and provides security practices for passwords, confidential information, etc.
This advanced custom Rat is mainly the work of a threat actor that targets Russian entities by using lures in archive file format and more recently Office documents leveraging the Follina vulnerability.
Based on a fake domain registered by the threat actors, we know that they tried to target a Russian aerospace and defense entity known as OAK.
Manjusaka: A Chinese sibling of Sliver and Cobalt Strike
Asheer Malhotra outs a new post compromise framework from China akin to Cobalt Strike etc. The plethora of these frameworks is making the game of whack-a-mole ever more complex for defenders who focus on detecting the tool and not the technique.
[We] discovered a new attack framework called "Manjusaka" being used in the wild that has the potential to become prevalent across the threat landscape. This framework is advertised as an imitation of the Cobalt Strike framework.
The implants for the new malware family are written in the Rust language for Windows and Linux.
A fully functional version of the command and control (C2), written in GoLang with a User Interface in Simplified Chinese, is freely available and can generate new implants with custom configurations with ease, increasing the likelihood of wider adoption of this framework by malicious actors.
We recently discovered a campaign in the wild using lure documents themed around COVID-19 and the Haixi Mongol and Tibetan Autonomous Prefecture, Qinghai Province. These maldocs ultimately led to the delivery of Cobalt Strike beacons on infected endpoints.
We have observed the same threat actor using the Cobalt Strike beacon and implants from the Manjusaka framework.
https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html
Techniques, Tactics & Procedures (TTPs) Employed by Hacktivist Group DragonForce Malaysia
Ideologically motivated cyber attack group. Always interesting where these groups both appear and have impact. It is clear cyber is not just the domain of states and criminals. What happens when right/left wing extremists adopt similar tactics? Feels a little close to being a very real threat.
[We] discovered a Tweet posted by the Malaysian hacktivist group, DragonForce, calling for attacks on Indian Government websites by Muslim hackers all around the world.
The group’s primary objective of the attack was to get back at the Indian Government for controversial comments on Prophet Muhammad by some Indian politicians.
Since then, the group and its supporters have compromised more than 3,000 government and non-government organizations, military websites, and private entities.
The compromised entities include BJP (the ruling party of India), Army veteran websites, academic institutes, etc.
Green Stone
Isabelle Quinn documents a maldoc campaign apparently targeting Iran. Other than the victimology nothing more really of note in terms of technical sophistication.
A few days ago we discovered a very interesting sample that was uploaded from Iran. The document is a contract for the supply of services to an energy company from southern Iran
https://inquest.net/blog/2022/07/27/green-stone
North Korean hacking organization conducts APT attack targeting South Korean defense and security experts
Korean reporting on North Korean activity. Again nothing of real note beyond victimology and North Korea cybering like they just don’t care.
The attacker used a typical e-mail-based spear-phishing technique, disguising the attachment as a draft detailed plan for an upcoming event and a document-review Word (DOC) file.
This attack used not only malicious DOC documents but also HWP documents with embedded OLE objects.
https://blog-alyac-co-kr.translate.goog/4860?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp
How Threat Actors Are Adapting to a Post-Macro World
Microsoft has started disabling macros by default in Office. This reporting from Selena Larson and Daniel Blackford explores how threat actors are adapting. If you have been following any of the Mark of the Web (MotW) activity in my weekly reporting none of it will be a surprise.
Nice to have some quantification of the impact of Microsoft’s positive moves.
In response to Microsoft’s announcements that it would block macros by default in Microsoft Office applications, threat actors began adopting new tactics, techniques, and procedures (TTPs).
Threat actors are increasingly using container files such as ISO and RAR, and Windows Shortcut (LNK) files in campaigns to distribute malware.
[We] observed the use of VBA and XL4 Macros decrease approximately 66% from October 2021 through June 2022, based on campaign data
https://www.proofpoint.com/us/blog/threat-insight/how-threat-actors-are-adapting-post-macro-world
Pro-PRC “HaiEnergy” Information Operations Campaign
Ryan Serabian and Daniel Kapellmann Zafra explore an at scale information operation. Makes the French scenario outlined in the high level section above seem all that more plausible.
[We have] identified an ongoing information operations (IO) campaign leveraging a network of at least 72 suspected inauthentic news sites and a number of suspected inauthentic social media assets to disseminate content strategically aligned with the political interests of the People’s Republic of China (PRC). The sites present themselves primarily as independent news outlets from different regions across the world and publish content in 11 languages. Based on technical indicators we detail in this blog, we believe these sites are linked to Shanghai Haixun Technology Co., Ltd (上海海讯社科技有限公司), a Chinese public relations (PR) firm (referred to hereafter as “Haixun”).
https://www.mandiant.com/resources/pro-prc-information-operations-campaign-haienergy
IPFS: The New Hotbed of Phishing
Karla Agregado and Katrina Udquin evidence that threat actors are as quick to adopt new Software as a Service platforms for their operations where they add an edge as much as legitimate users. Makes the detection whack-a-mole game “exciting”.
IPFS was created in 2015 and is a distributed, peer-to-peer file-sharing system for storing and accessing files, websites, applications, and data.
We have observed more than 3,000 emails containing phishing URLs that have utilized IPFS for the past 90 days and it is evident that IPFS is increasingly becoming a popular platform for phishing websites.
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/ipfs-the-new-hotbed-of-phishing/
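The detection side of the above is mostly "find the gateway URL". The following is an added example (mine, not Trustwave's code) that pulls content identifiers (CIDs) out of message bodies for both gateway URL shapes: the path form `https://<gateway>/ipfs/<CID>/...` and the subdomain form `https://<CID>.ipfs.<gateway>/`. The sample e-mail bodies and CIDs are constructed placeholders; the regexes assume CIDv0 (46-char base58 starting `Qm`) and base32 CIDv1 (59-char starting `b`), which covers what gateways commonly serve but not every CID encoding.

```python
import re

# CIDv0: "Qm" + 44 base58 chars. CIDv1 (base32): "b" + 58 chars of [a-z2-7].
# Both are assumptions about the encodings seen in gateway URLs, not a full
# multibase parser.
CID = r"(?:Qm[1-9A-HJ-NP-Za-km-z]{44}|b[a-z2-7]{58})"

# Path gateway: https://ipfs.io/ipfs/<CID>/index.html
PATH_GW = re.compile(rf"(?i:https?)://([^\s\"'<>/]+)[^\s\"'<>]*?/ipfs/({CID})")
# Subdomain gateway: https://<CID>.ipfs.dweb.link/
SUBDOMAIN_GW = re.compile(rf"(?i:https?)://({CID})\.ipfs\.([^\s\"'<>/]+)")

# Constructed sample bodies; the CIDs are placeholders, not real content.
SAMPLE_EMAILS = [
    "Your mailbox is full. Verify at https://ipfs.io/ipfs/"
    "QmWATWQ7fVPP2EFGu71UkfnqhYXDYH566qy47CnJDgvs8u/login.html",
    "See https://bafybeihdwdcefgh4dqkjv67uzcmw7ojee6xedzdetojuzjevtenxquvyku"
    ".ipfs.dweb.link/ for the invoice",
    "Meeting notes: https://example.com/docs/ipfs-whitepaper.pdf",
]


def ipfs_refs(text):
    """Return [(gateway_host, cid)] for every IPFS gateway URL in text.
    The CID is the stable indicator: the same phishing page can be served
    through any public gateway, so block/hunt on the CID, not the host."""
    refs = []
    for m in PATH_GW.finditer(text):
        refs.append((m.group(1).lower(), m.group(2)))
    for m in SUBDOMAIN_GW.finditer(text):
        refs.append((m.group(2).lower(), m.group(1)))
    return refs


def flag_emails(bodies):
    """Map message index -> IPFS references, only for messages that carry one."""
    return {i: ipfs_refs(b) for i, b in enumerate(bodies) if ipfs_refs(b)}


if __name__ == "__main__":
    for idx, refs in flag_emails(SAMPLE_EMAILS).items():
        print(f"message {idx}: {refs}")
```

A CID extracted this way can be fed straight into a `GET https://<any gateway>/ipfs/<CID>` fetch from a sandbox for page retrieval, and the same CID list works as a block indicator regardless of which gateway the next wave of mail uses.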
Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations
Luke Jenkins, Emiel Haeghebaert, Alice Revelli and Ben Read providing reporting on ever evolving technical and operational tradecraft by Iran. The normalisation of wiper usage by the likes of Iran and Russia is a worry.
[We] identified the ROADSWEEP ransomware family and a Telegram persona which targeted the Albanian government in a politically motivated disruptive operation ahead of an Iranian opposition organization’s conference in late July 2022.
A previously unknown backdoor CHIMNEYSWEEP and a new variant of the ZEROCLEAR wiper may also have been involved.
CHIMNEYSWEEP malware distribution data and decoy content, the operation’s timing and politically themed content, and the possible involvement of the ZEROCLEAR wiper indicate an Iranian threat actor is likely responsible.
This activity is a geographic expansion of Iranian disruptive cyber operations, conducted against a NATO member state. It may indicate an increased tolerance of risk when employing disruptive tools against countries perceived to be working against Iranian interests.
Deception at scale
Vicente Díaz provides real quantification around the scale of the challenge we face as defenders. Just look at those numbers and how they employ trust or trusted infrastructure against victims.
We focused on different techniques used by malware to bypass defenses and make social engineering attacks more effective.
Ten percent of the top 1,000 Alexa domains have distributed suspicious samples.
0.1 percent of legitimate hosts for popular apps have distributed malware.
87% of the more than one million signed malicious samples uploaded to VirusTotal since January 2021 have a valid signature.
In a growing social engineering trend, 4,000 samples either executed or were packed with legitimate apps installers.
There has been a steady increase in the number of malware visually mimicking legitimate applications, with Skype, Adobe Acrobat, and VLC comprising the top three.
98% of samples that included legitimate installers in their PE resources were malicious.
https://blog.virustotal.com/2022/08/deception-at-scale.html
LofyLife: malicious npm packages steal Discord tokens and bank card data
Igor Kuznetsov and Leonid Bezvershenko out a criminal operation designed to steal payment information via malicious code embedded in Node libraries. I do wonder how effective this is in getting what they are after?
We identified four suspicious packages in the Node Package Manager (npm) repository. All these packages contained highly obfuscated malicious Python and JavaScript code. We dubbed this malicious campaign “LofyLife”.
The JavaScript malware we dubbed “Lofy Stealer” was created to infect Discord client files in order to monitor the victim’s actions. It detects when a user logs in, changes email or password, enables/disables multi-factor authentication (MFA) and adds new payment methods, including complete bank card details.
https://securelist.com/lofylife-malicious-npm-packages/107014/
Attackers leveraging Dark Utilities "C2aaS" platform in malware campaigns
Edmund Brumaghin, Azim Khodjibaev and Matt Thaxton, with contributions from Arnaud Zobec detail a complex and resilient platform play intended for criminal use. Again shows further diversification in the C2 eco-system which defenders need to contend with.
Dark Utilities, released in early 2022, is a platform that provides full-featured C2 capabilities to adversaries.
It is marketed as a means to enable remote access, command execution, distributed denial-of-service (DDoS) attacks and cryptocurrency mining operations on infected systems.
Payloads provided by the platform support Windows, Linux and Python-based implementations and are hosted within the Interplanetary File System (IPFS), making them resilient to content moderation or law enforcement intervention.
Since its initial release, we've observed malware samples in the wild leveraging it to facilitate remote access and cryptocurrency mining.
https://blog.talosintelligence.com/2022/08/dark-utilities.html
IcedID leverages PrivateLoader
Joshua Platt and Jason Reaves pose a conundrum with no clear answer. Maybe threat actors are being forced to co-exist with some wider actors because of the need to rebuild and/or contention in the supply chain?
PrivateLoader is not new to having some bigger names leveraging it as previous research indicates it being leveraged by TrickBot, Qakbot, DanaBot and Dridex previously. The more pressing question is why these groups would leverage a system that is actively stealing data and dropping ransomware on top of their bots?
https://medium.com/walmartglobaltech/icedid-leverages-privateloader-7744771bf87f
ljl Backdoor
True example of vendor gore this. Three PDFs for one campaign behind a registration wall. Anyway..
The first PDF covers the intrusion techniques etc.
CVE-2022-26134 was highly likely exploited to gain initial access.
After the initial compromise, the threat actor ran various commands to enumerate the local system, network, and Active Directory environment. Additionally, the threat actors used RAR and 7zip to archive files and folders from multiple directories, including registry hives. Network logs suggest TAC-040 exfiltrated around 700MBs of archived data before the victim took the server offline.
The second PDF covers the implant framework itself.
“ljl Backdoor”, which we suspect is never-before-seen, includes capabilities such as:
Reverse proxy
Query whether the victim is active or idle
Exfiltrate files/directories
Load arbitrary and remotely downloaded .NET assemblies as “plugins”
Get user accounts
Get the foreground window and window text
Get victim system information, such as: cpu name, gpu name, hardware id, bios manufacturer, mainboard name, total physical memory, LAN IP address, and mac address
Get victim geographic information, such as: asn, isp, country name, country code, region name, region code, city, postal code, continent name, continent code, latitude, longitude, metro_code, timezone, and datetime
The third PDF explains that a coin miner was dropped.
Examining New DawDropper Banking Dropper and DaaS on the Dark Web
The onslaught against the mobile app stores continues in this reporting. Also notable is that, because distribution now requires increasing technical sophistication, the distribution channel is turning into an as-a-Service model once more.
Malicious actors have been surreptitiously adding a growing number of banking trojans to Google Play Store via malicious droppers this year, proving that such a technique is effective in evading detection. Additionally, because there is a high demand for novel ways to distribute mobile malware, several malicious actors claim that their droppers could help other cybercriminals disseminate their malware on Google Play Store, resulting in a dropper-as-a-service (DaaS) model.
Stealthy Quasar Evolving to Lead the RAT Race
45 pages on an implant known to be used by actors including those from China. A comprehensive bit of work showing its evolution etc.
Quasar RAT is a full featured remote administration tool that has been open source since at least 2014
The .NET executable has its communication encrypted through HTTPS which uses a TLS1.2 protocol
Quasar RAT features provide techniques related to persistence, injection, and defense mechanisms
The RAT has been actively leveraged by various APT groups such as APT10 to achieve its malicious objectives
Flight of the Bumblebee: Email Lures and File Sharing Services Lead to Malware
Brad Duncan shows how multi-stepped the infection chains have become in 2022 in organised crime operations. The benefit is that there are many discrete steps which provide detection opportunities.
Among the threat actors distributing Bumblebee is Projector Libra. Also known as EXOTIC LILY, Projector Libra is a criminal group that uses file sharing services to distribute malware after direct email correspondence with a potential victim. Projector Libra has been reported as an initial access broker with ties to Conti ransomware.
https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/
Threat analysis: Follina exploit fuels 'live-off-the-land' attacks
Joseph Edwards shows that CVE-2022-30190 is being used more widely than just in Russia. The real takeaway is the increasing detection challenges because of ever more advanced live-off-the-land techniques and the risk of noise conflation.
[We] analyzed three malicious payloads circulating online that have been linked to use of the newly discovered Follina exploit in Microsoft’s Support Diagnostic Tool (MSDT). [We] analyzed three attack chains that used the Follina exploit to gain a foothold within target systems. Our research revealed that the Follina exploit is being used to deliver a range of common exploitation and persistence tools including Cobalt Strike, Mimikatz (a credential harvesting utility) as well as PowerShell scripts used to obtain persistent access and harvest data and credentials from victim networks.
Additionally, we discovered attacks using novel methodologies, including the use of syscalls to obfuscate malicious payloads and avoid API monitoring technologies; use of the "net use" command with a username and password to execute the payload on a mounted network share; and deployment of novel, as-yet unidentified malware.
https://blog.reversinglabs.com/blog/threat-analysis-follina-exploit-powers-live-off-the-land-attacks
Inside Matanbuchus: A Quirky Loader
Ben Cohen touches another criminal supply chain which reduces the initial defence evasion cost for the initial access by outsourcing to the loader supply chain.
Matanbuchus is a Malware-as-a-Service loader that has been sold on underground markets for more than one year. Matanbuchus is considered to be a loader type of malware used to download and execute malware payloads on the targeted environments. The Matanbuchus loader consists of two stages, while only the first stage was analyzed in-depth and published.
https://www.cyberark.com/resources/threat-research-blog/inside-matanbuchus-a-quirky-loader
Technical Analysis of Industrial Spy Ransomware
Atinderpal Singh and Brett Stone-Gross discuss a new(ish) ransomware group which is using a diversified means of distribution. The many channel approach is almost as if they are running a business with a multi-channel go to market strategy.
Industrial Spy is a relatively new ransomware group that emerged in April 2022. In some instances, the threat group appears to only exfiltrate and ransom data, while in other cases they encrypt, exfiltrate and ransom data.
The threat group exfiltrates and sells data on their dark web marketplace, but does not always encrypt a victim’s files.
The ransomware utilizes a combination of RSA and 3DES to encrypt files.
Industrial Spy lacks many common features present in modern ransomware families like anti-analysis and obfuscation.
The threat group is consistently adding roughly two to three victims per month on their data leak portal.
There are two primary executables associated with Industrial Spy. The first binary does not implement any destructive functionality, while the second performs file encryption. The former has been mainly distributed using cracks, adware and other malware loaders.
https://www.zscaler.com/blogs/security-research/technical-analysis-industrial-spy-ransomware
Top of the Pops: Three common ransomware entry techniques
Michael Mathews from NCC Group’s Cyber Incident Response team provides reflections on three of the more common network breach techniques we see in our ransomware cases from the last six months.
ProxyShell
Insecure Perimeter Infrastructure
Exposed Remote Desktop (other VDI solutions)
https://research.nccgroup.com/2022/08/04/top-of-the-pops-three-common-ransomware-entry-techniques/
So RapperBot, What Ya Bruting For?
Joie Salvio and Roy Tay show the Internet is still fertile ground for actors looking to exploit insecure credentials in embedded devices to build large scale botnets via password brute forcing. This is going to be a long tail..
[We have] been tracking a rapidly evolving IoT malware family known as “RapperBot” since mid-June 2022. This family borrows heavily from the original Mirai source code, but what separates it from other IoT malware families is its built-in capability to brute force credentials and gain access to SSH servers instead of Telnet as implemented in Mirai.
https://www.fortinet.com/blog/threat-research/rapperbot-malware-discovery
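Because RapperBot's entry is plain password guessing against sshd, the defender-side signal is the classic one: a burst of `Failed password` lines from a single source, then an `Accepted` from the same source. The following is an added example (my code, not Fortinet's) that runs that logic over a constructed sshd log excerpt (TEST-NET addresses, year assumed to be 2022 because syslog lines carry none) and reports each source that exceeds a failure threshold inside a sliding window, along with any account that subsequently logged in from it.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime

# Constructed sshd log excerpt (not from the Fortinet report).
SAMPLE_LOG = """\
Aug  5 10:01:02 edge sshd[4120]: Failed password for root from 203.0.113.7 port 51022 ssh2
Aug  5 10:01:03 edge sshd[4122]: Failed password for root from 203.0.113.7 port 51030 ssh2
Aug  5 10:01:05 edge sshd[4125]: Failed password for invalid user admin from 203.0.113.7 port 51041 ssh2
Aug  5 10:01:08 edge sshd[4129]: Failed password for invalid user pi from 203.0.113.7 port 51055 ssh2
Aug  5 10:01:11 edge sshd[4133]: Failed password for root from 203.0.113.7 port 51063 ssh2
Aug  5 10:01:14 edge sshd[4137]: Failed password for root from 203.0.113.7 port 51070 ssh2
Aug  5 10:01:20 edge sshd[4141]: Accepted password for root from 203.0.113.7 port 51082 ssh2
Aug  5 10:02:30 edge sshd[4150]: Failed password for alice from 198.51.100.9 port 40210 ssh2
Aug  5 10:02:41 edge sshd[4152]: Accepted password for alice from 198.51.100.9 port 40218 ssh2
Aug  5 10:03:00 edge sshd[4160]: Accepted publickey for deploy from 192.0.2.5 port 33012 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<status>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
Event = namedtuple("Event", "ts status method user ip")


def parse_line(line, year=2022):
    """Parse one sshd auth line; returns None for lines we do not care about.
    year is an assumption: syslog timestamps omit it."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return Event(ts, m["status"], m["method"], m["user"], m["ip"])


def analyse(log_text, window_s=60, threshold=5):
    """Flag sources with >= threshold password failures inside any window_s
    span, and record accounts that logged in from that source after the
    guessing started (the 'brute force then success' pattern)."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_ip[ev.ip].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        fails = sorted((e for e in evs if e.status == "Failed"), key=lambda e: e.ts)
        # Sliding window over sorted failure timestamps: peak count within window_s.
        peak, lo = 0, 0
        for hi in range(len(fails)):
            while (fails[hi].ts - fails[lo].ts).total_seconds() > window_s:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak < threshold:
            continue
        later_success = [e for e in evs if e.status == "Accepted" and e.ts > fails[0].ts]
        findings[ip] = {
            "failures": len(fails),
            "peak_in_window": peak,
            "usernames_tried": sorted({e.user for e in fails}),
            "logins_after_bruteforce": sorted({e.user for e in later_success}),
        }
    return findings


if __name__ == "__main__":
    for ip, f in analyse(SAMPLE_LOG).items():
        print(ip, f)
```

The single failure from 198.51.100.9 followed by a success is a user mistyping a password and stays below threshold; 203.0.113.7 is flagged with `root` in `logins_after_bruteforce`, which is the line worth paging on. On a real fleet the same logic belongs in the SIEM, but the threshold and window are the only tunables.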
Discovery
How we find and understand the latent compromises within our environments.
Collect Memory Dump: Automated Creation of Windows Memory Snapshots for DFIR
Martin Willing provides a useful work aid to Windows IR teams.
Collect-MemoryDump.ps1 is a PowerShell script used to collect a Memory Snapshot from a live Windows system (in a forensically sound manner).
Features:
Checks for Hostname and Physical Memory Size before starting memory acquisition
Checks if you have enough free disk space to save memory dump file
Collects a Raw Physical Memory Dump w/ DumpIt, Magnet RamCapture and WinPMEM
Collects a Microsoft Crash Dump w/ DumpIt for Comae Beta from Magnet Idea Lab
Checks for Encrypted Volumes w/ Magnet Forensics Encrypted Disk Detector
Collects BitLocker Recovery Key
Checks for installed Endpoint Security Tools (AntiVirus and EDR)
Enumerates all necessary information from the target host to enrich your DFIR workflow
Creates a password-protected Secure Archive Container (PW: IncidentResponse)
https://github.com/evild3ad/Collect-MemoryDump
Volatile Data Collector
For Microsoft Windows by the increasingly infamous Grzegorz Tworek
During my Incident Response engagements, I have realized that dumping volatile data is always done bad (or at least in a way different than the best one). Additionally, the data is never in the same format, which makes the analysis harder (if not impossible) to automate.
https://github.com/gtworek/VolatileDataCollector
Script to Detect the Stealthy Nation-State BPFDoor
Harshal Tupsamudre releases to the world what threat intelligence teams were coveting (NCC Group’s included).
YARA - Following FALLCHILL's E8 Call
This is some elegant tradecraft stretching Yara.
This article covers how to follow a near relative call instruction, 0xE8, in YARA.
https://blog.xorhex.com/blog/yarafollowingfallchills_e8_call/
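The mechanics behind the post are worth having in hand: an E8 is a 5-byte near relative call, and its target is the address of the following instruction (call offset + 5) plus the signed 32-bit displacement. The following is an added example (mine, not xorhex's code and not FALLCHILL bytes) that computes that on two constructed x86 byte strings, filters out stray E8 bytes by checking for a function prologue at the target, and emits the equivalent YARA condition using `int32()` to dereference the displacement. The caveat a practitioner needs: YARA's offsets are file offsets, and the displacement is an RVA delta, so the rule is only correct when caller and callee sit in the same PE section (within one section the two deltas agree).

```python
import struct

# Constructed x86 byte strings for the demo. SAMPLE_FWD: a CALL at offset 0
# to a routine at 0x10. SAMPLE_BACK: the routine sits at offset 0 and a CALL
# at 0x10 points back to it (negative displacement).
SAMPLE_FWD = bytes.fromhex(
    "e80b000000"       # 0x00: call +0x0b -> target 0x00 + 5 + 0x0b = 0x10
    "c3"               # 0x05: ret
    + "90" * 10 +      # 0x06..0x0f: nop padding
    "5589e5"           # 0x10: push ebp; mov ebp, esp  (the prologue we look for)
    "31c0"             # 0x13: xor eax, eax
    "5dc3"             # 0x15: pop ebp; ret
)
SAMPLE_BACK = bytes.fromhex(
    "5589e55dc3"       # 0x00: push ebp; mov ebp, esp; pop ebp; ret
    + "90" * 11 +      # 0x05..0x0f: nop padding
    "e8ebffffff"       # 0x10: call -0x15 -> target 0x10 + 5 - 0x15 = 0x00
)
PROLOGUE = bytes.fromhex("5589e5")  # push ebp; mov ebp, esp


def call_targets(blob):
    """Every E8 rel32 candidate in blob as (call_offset, target_offset).
    target = next instruction (call + 5) + signed little-endian rel32."""
    out = []
    for i in range(len(blob) - 4):
        if blob[i] == 0xE8:
            rel = struct.unpack_from("<i", blob, i + 1)[0]
            out.append((i, i + 5 + rel))
    return out


def calls_into_prologue(blob, prologue=PROLOGUE):
    """Keep only calls whose target starts with the expected prologue; this
    is what separates real calls from 0xE8 bytes that are just data."""
    return [
        (c, t) for c, t in call_targets(blob)
        if 0 <= t <= len(blob) - len(prologue) and blob[t:t + len(prologue)] == prologue
    ]


def yara_rule(name="follow_e8_call", prologue=PROLOGUE):
    """Emit the equivalent YARA: match every E8 and test the bytes at
    @call + 5 + int32(@call + 1). File offsets only; see the caveat above."""
    checks = " and ".join(
        f"uint8(@call[i] + 5 + int32(@call[i] + 1) + {k}) == 0x{b:02x}"
        for k, b in enumerate(prologue)
    )
    return (
        f"rule {name} {{\n"
        f"  strings:\n"
        f"    $call = {{ E8 ?? ?? ?? ?? }}\n"
        f"  condition:\n"
        f"    for any i in (1..#call): ({checks})\n"
        f"}}"
    )


if __name__ == "__main__":
    print(calls_into_prologue(SAMPLE_FWD), calls_into_prologue(SAMPLE_BACK))
    print(yara_rule())
```

Swapping `PROLOGUE` for the first bytes of the routine you actually care about (a string-decoding helper, say) is the whole trick: the rule survives the call site moving because it matches on what is called, not where from.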
Defence
How we proactively defend our environments.
Macros from the internet will be blocked by default in Office
Microsoft are doing it.
https://docs.microsoft.com/en-us/deployoffice/security/internet-macros-blocked
Azure Policy Test Framework
A command line tool to test Azure Policy relying on Terraform + Golang
https://github.com/microsoft/AzurePolicyTestFramework
Protections Artefacts
1,000 Yara rules and 200 endpoint behaviour rules released for free by those wholesome people at Elastic.
https://github.com/elastic/protections-artifacts
MITRE Cloud Analytics
Includes a foundational set of detection analytics for key TTPs, implemented as Sigma rules, along with their adversary emulation plans implemented with CALDERA framework
While significant open-source cyber analytics exist for on-premises environments, the same does not exist for cloud platforms. As such, many defenders struggle to achieve similar levels of visibility in the cloud as they have on-prem. To address this problem, the Center for Threat-Informed Defense (Center), along with Citigroup Technology, Inc., CrowdStrike, Inc., Fujitsu, Google, LLC, HCA-Information Technology & Services, Inc., Microsoft Corporation, Siemens AG, Splunk, Inc., and Verizon Business Services launched the Cloud Analytics project, which researched and developed best practices to help defenders improve their ability to detect adversary behaviors in today’s complex cloud environments.
https://medium.com/mitre-engenuity/research-partnership-explores-cloud-analytics-6dddebbac807
Public Suffix List
Useful to understand which suffixes could be hosting attacker infrastructure.
A "public suffix" is one under which Internet users can (or historically could) directly register names. Some examples of public suffixes are .com, .co.uk and pvt.k12.ma.us. The Public Suffix List is a list of all known public suffixes.
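The reason this matters for infrastructure tracking is that "one label below the public suffix" is the unit an attacker actually registers or rents, and it is not always the eTLD+1 you would guess: under `github.io` every tenant is a separate registrant, so blocking `github.io` is wrong and `evil.github.io` is the indicator. The following is an added example (mine, not the PSL project's code) that implements the list's matching rules (longest match wins, `*.` wildcards, `!` exceptions override wildcards, implicit `*` when nothing matches) over a constructed excerpt in the list's own format; the real list is thousands of rules and should be fetched and cached rather than pasted.

```python
# Constructed excerpt in the list's own format (comments start with "//").
# The real list is far longer and splits ICANN and PRIVATE sections; the
# private section is where hosting providers like github.io live.
MINI_PSL = """\
// ===BEGIN ICANN DOMAINS===
com
co.uk
*.ck
!www.ck
pvt.k12.ma.us
// ===BEGIN PRIVATE DOMAINS===
github.io
"""


def load_rules(text):
    """One rule per non-empty, non-comment line."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("//")]


RULES = load_rules(MINI_PSL)


def _matches(rule_labels, labels):
    """A rule matches when it lines up with the right-hand labels of the
    host; '*' matches any single label in that position."""
    if len(rule_labels) > len(labels):
        return False
    tail = labels[-len(rule_labels):]
    return all(r == "*" or r == h for r, h in zip(rule_labels, tail))


def public_suffix(host, rules=RULES):
    labels = host.lower().strip(".").split(".")
    exception, longest = None, None
    for rule in rules:
        if rule.startswith("!"):
            rl = rule[1:].split(".")
            if _matches(rl, labels):
                exception = rl
        else:
            rl = rule.split(".")
            if _matches(rl, labels) and (longest is None or len(rl) > len(longest)):
                longest = rl
    if exception:            # exception rules win and drop their first label
        n = len(exception) - 1
    elif longest:
        n = len(longest)
    else:                    # no rule matched: the implicit "*" rule applies
        n = 1
    return ".".join(labels[-n:])


def registrable_domain(host, rules=RULES):
    """Public suffix plus one label, or None if the host is itself a suffix.
    This is the unit to pivot on when tracking attacker infrastructure."""
    labels = host.lower().strip(".").split(".")
    n = public_suffix(host, rules).count(".") + 1
    if len(labels) <= n:
        return None
    return ".".join(labels[-(n + 1):])


if __name__ == "__main__":
    for h in ("login.example.co.uk", "evil.github.io", "foo.bar.ck", "www.ck", "co.uk"):
        print(f"{h:25} suffix={public_suffix(h):15} registrable={registrable_domain(h)}")
```

Note the two traps the examples exercise: `*.ck` makes `bar.ck` the suffix of `foo.bar.ck` (so the registrant is `foo`), while `!www.ck` carves out one real site under that wildcard.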
How To Objectively Measure A Detection Rule’s Strength
Tareq Alkhatib drops some wisdom around quantification of efficacy of rules.
Rule strength is a function of the level of control the attacker has over the rule fields, blacklisting vs. whitelisting, data source coverage, host coverage, and data volume.
Offense
Attack capability, techniques and tradecraft.
Death Sleep
This is a neat technique involving Return Orientated Programming and thread pools on Windows.
A PoC implementation for an evasion technique to terminate the current thread and restore it before resuming execution, while implementing page protection changes during no execution.
Interestingly I asked a related question on this back in June:
For this one I outlined a detection strategy theory:
https://github.com/janoglezcampos/DeathSleep
On Detection: Tactical to Functional
Jared Atkinson does some exquisite work here highlighting why detection is difficult.
https://posts.specterops.io/on-detection-tactical-to-functional-37ddcd75234b
Manipulating Windows Tokens with Go
Aarush Ahuja has released a library to work with Windows security tokens which will accelerate some stuff.
Wintoken abstracts away windows token manipulation functions with functions you are more likely to use. The library exposes easy-to-use functions to steal tokens, enable/disable privileges, and grab interactive and linked tokens.
https://fourcore.io/blogs/manipulating-windows-tokens-with-golang
https://github.com/FourCoreLabs/wintoken
Windows QueueUserAPC Trampoline
More Return Orientated Programming (ROP) use in malicious payloads.
https://github.com/rad9800/misc/blob/main/QueueUserAPC-Trampoline.c
NimicStack
This technique being ported to Nim will mean it gets picked up by some malicious code.
NimicStack is the pure Nim implementation of Call Stack Spoofing technique to mimic legitimate programs
https://github.com/frkngksl/NimicStack
Creating Processes Using System Calls
Santiago Pecin showing how to do it and also the limitations..
https://www.coresecurity.com/core-labs/articles/creating-processes-using-system-calls
Living Off Windows Defender
Julio Dantas, James Haughom and Julien Reisdorffer show how organised crime used DLL side loading to co-opt Defender for their malicious intent.
In this post, we follow up on that incident by describing the use of another legitimate tool used to similar effect by a LockBit operator or affiliate, only this time the tool in question turns out to belong to a security tool: Windows Defender. During a recent investigation, we found that threat actors were abusing the Windows Defender command line tool MpCmdRun.exe to decrypt and load Cobalt Strike payloads.
Reversing and Evasions with SentinelOne and Brute Ratel C4
A great video and walk through on how SentinelOne works but also how Brute Ratel subverts it.
Vulnerability
Our attack surface.
I 💗Malvuln
John Page has been doing vulnerability research against various bits of malicious code and the findings don’t disappoint. For any budding vulnerability researchers out there it seems like implant writers don’t yet embrace secure software development principles. So fertile ground to practice your trade..
A sample of their findings are below (but there are many many more)
Backdoor.Win32.Destrukor.20 - Vulnerability: Unauthenticated Remote Command Execution
https://www.malvuln.com/advisory/c790749f851d48e66e7d59cc2e451956_B.txt
Backdoor.Win32.Eclipse.h Vulnerability: Weak Hardcoded Credentials
https://www.malvuln.com/advisory/8b470931114527b4dce42034a95ebf46.txt
Builder XtremeRAT v3.7 Vulnerability: Insecure Crypto Bypass
https://www.malvuln.com/advisory/7f314e798c150aedd9ce41ed39318f65_B.txt
PAN Firewall master key and padding oracle
Some neat vulns and associated exploitation scripts here..
gist.github.com/rqu1/6175cb2972291fc9ac96ef18f72b792c
gist.github.com/rqu1/9c00e66ab30fac3a1160513dcf159c09
Exploitation
What is being exploited.
CVE-2022-27924 | Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0
The technique is the most valuable thing as much as the underlying specific vulnerability.
Allows an unauthenticated attacker to inject arbitrary memcache commands into a targeted instance. These memcache commands become unescaped, causing an overwrite of arbitrary cached entries
https://attackerkb.com/topics/6vZw1iqYRY/cve-2022-27924
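The technique being the valuable bit, here is the bug class in miniature: memcache's text protocol is line oriented, so any attacker-controlled string that reaches a command unescaped and can carry CR/LF terminates the intended command and starts a new one. The following is an added example (mine, not Zimbra's code; the `route:<user>` key layout and the lookup shape are assumptions for the demo, not a description of the real codebase) showing the vulnerable builder beside a hardened one, and a minimal server-side reader so you can see the injected `set` land as a second command.

```python
CRLF = "\r\n"
WRITE_CMDS = {"set", "add", "replace", "append", "prepend"}


def build_lookup_unsafe(user):
    """Vulnerable pattern: attacker-controlled text spliced straight into the
    line-oriented protocol, so embedded CR/LF ends the command early and
    whatever follows is parsed as a fresh command."""
    return f"get route:{user}{CRLF}"


def build_lookup_safe(user):
    """Hardened: memcache keys are limited to 250 bytes and may not contain
    control characters or spaces, so validate against that and reject rather
    than trying to escape."""
    if not user or len(f"route:{user}".encode()) > 250:
        raise ValueError("cache key too long")
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in user):
        raise ValueError("control character or space in cache key")
    return f"get route:{user}{CRLF}"


def server_view(wire):
    """How a text-protocol memcache server reads the buffer: one command per
    CRLF-terminated line; storage commands consume the following data line.
    Returns [(verb, key, data_or_None)]."""
    lines = wire.split(CRLF)
    cmds, i = [], 0
    while i < len(lines):
        parts = lines[i].split()
        if not parts:
            i += 1
            continue
        if parts[0] in WRITE_CMDS:
            data = lines[i + 1] if i + 1 < len(lines) else ""
            cmds.append((parts[0], parts[1], data))
            i += 2
        else:
            cmds.append((parts[0], parts[1] if len(parts) > 1 else "", None))
            i += 1
    return cmds


def is_rejected(user):
    """True when the hardened builder refuses the input."""
    try:
        build_lookup_safe(user)
        return False
    except ValueError:
        return True


# Constructed attacker input: a "username" that smuggles a storage command
# overwriting another user's cached entry ("attacker:11211" is 14 bytes).
ATTACKER = "alice\r\nset route:bob 0 0 14\r\nattacker:11211"

if __name__ == "__main__":
    print(server_view(build_lookup_unsafe(ATTACKER)))   # two commands, not one
    print(is_rejected(ATTACKER))                         # True
```

The hardened version rejects rather than escapes because the memcache text protocol has no escaping mechanism for keys; the only safe key is one that was never allowed to contain a separator. The same reasoning applies to any line- or whitespace-delimited backend protocol sitting behind a web front end.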
CVE-2022-26712: The POC for SIP-Bypass Is Even Tweetable
System Integrity Protection (SIP), aka rootless, is the last line to protect macOS from malware.
I found some new attack surfaces in the macOS PackageKit.framework, and successfully disclosed 15+ critical SIP-Bypass vulnerabilities. Apple has addressed 12 of them with CVE assigned so far. There are still some reports in Apple’s processing queue. All of them are interesting logic issues, and of course each has a successful exploit demonstration.
https://jhftss.github.io/CVE-2022-26712-The-POC-For-SIP-Bypass-Is-Even-Tweetable/
CVE-2022-35405 Zoho Password Manager Pro XML-RPC RCE
Chinese reporting on exploiting this vulnerability.
https://xz-aliyun-com.translate.goog/t/11578?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp
CVE-2021-3060: Palo Alto Networks Firewall RCE
End-to-end exploit showing how to achieve RCE when combined with the master key above.
gist.github.com/rqu1/8ed4f51fd90dd82fc89111340e26a756
Tooling and Techniques
Low level tooling for attack and defence researchers.
dotnetfile Open Source Python Library: Parsing .NET PE Files
Yaron Samuel has released a work aid to those working with .NET malware and similar.
Dotnetfile facilitates the extraction of vital information from .NET Portable Executable (PE) files. In addition to basic parsing, several advanced features are implemented by dotnetfile, which may help both automatic and manual analysis tasks. We also describe a new original fingerprinting technique called MemberRef Hash that is included in the library.
https://unit42.paloaltonetworks.com/dotnetfile/
Cutter 2.1.0
A free and open-source reverse engineering platform powered by rizin - this release includes a plugin for creating Yara rules
https://github.com/rizinorg/cutter/releases/tag/v2.1.0
Footnotes
Some other small bits and bobs which might be of interest.
Traffic Light Protocol (TLP) - TLP version 2.0 is authoritative from August 2022 onwards - revised and updated - discuss whether it should really have added support for PAP (Permissible Actions Protocol) rather than confusing people further.
CISA 2021 Top Malware Strains - released August 4th, 2022 - see if you were lucky enough to catch the top strains.
Meta’s Adversarial Threat Report, Second Quarter 2022 - various states misusing their platforms.
ENISA Threat Landscape for Ransomware Attacks - big report from ENISA on the topic.
Initial Access Brokers Are Key to Rise in Ransomware Attacks
Cyber Intelligence: Strategic Warning Is Possible - Governments and private security firms have studied many intelligence aspects of cyberconflict, but the public literature has not described the existence of a strategic cyber warning function or addressed the question of whether strategic warning of significant cyberattacks is possible. This article argues that it is, but technical characteristics of cyberspace and the rapidly evolving nature of cyber-related conflict make cyber warning more difficult than traditional strategic warning.
The SSO Wall of Shame - A list of vendors that treat single sign-on as a luxury feature, not a core security requirement
The Evolving Face of Cyber Conflict and International Law: A Futurespective - videos now available (needs an account)
Cyber Peace & Security Monitor, Vol. 2, No. 7 - Editorial: Consensus, multilateralism, and cyber peace—the marathon continues for the UN’s cyber working group - basically it is hard because some states like ambiguity.
Behind the rise of ransomware - Atlantic Council thought piece.
Cyber Resilience for Development: A Luncheon Side Event on the Global Conference on Cyber Capacity Building - summary of said luncheon.
Conferences:
CTIS-2022 Call for Papers - a 2-day summit gathering all the experts, analysts, users and contributors to cyber and threat intelligence at large in Luxembourg (October 19 - 20 2022).
2022 FIRST Cyber Threat Intelligence Symposium - in Berlin (November 1 - 2 2022).
That’s all folks.. until next week..
Again a great newsletter, Olly. Thanks for all the work!