Cyber Defence Analysis for Blue & Purple Teams

Bluepurple Pulse: week ending August 21st

Hollywood and cyber continue to converge..

Ollie
Aug 19, 2022
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading).

Operationally this week the impact on DigitalOcean customers resulting from the Mailchimp security incident became clear. Mailchimp also released their own notice on it about the targeting of crypto companies. Other than that we have been chasing APT in Europe..

At the high level this week:

  • How Russia Took Over Ukraine’s Internet in Occupied Territories - how Russia diverts the Internet traffic for the areas it seizes - the modern war planner's guide.

  • Alleged Russian Money Launderer Extradited from the Netherlands to U.S - related to Ryuk ransomware attacks and a Russian citizen - Those involved in the conspiracy laundered at least $70 million in ransom proceeds.

  • Arrest of suspected developer of Tornado Cash - Bitcoin mixer developer (which provides enhanced anonymisation) was arrested.

  • Ransomware Now Threatens the Global South - interesting piece from RUSI here where they state increased targeting of developing and middle-income countries by ransomware actors presents a challenge to political resilience, economic development and global cyber security.

  • SEC Charges 18 Defendants in International Scheme to Manipulate Stocks Using Hacked US Brokerage Accounts - this is real Hollywood in action.

  • Croatian, U.S. cyber defenders hunting for malicious actors - US deployed into Croatia as part of their Hunt Forward initiative.

  • Cyber-Warfare: Stop Asking About the Revolution - punchline is cyber isn’t going to replace but is rather an incremental capability.

  • Why Can’t Cyber Scholars Move Beyond the Basics? - says cyber geopolitics academics aren’t being bold enough and need to try harder. Quite the punchy message for sure.

  • State backed cyber-attack exclusions on cyber insurance for Lloyds - sets out Lloyd’s (insurance) requirements for state backed cyber-attack exclusions in standalone cyber-attack insurance policies.

  • Australian policy amendment - mandates Vulnerability Disclosure Programmes - love this move..

  • National Defense Authorization Act for Fiscal Year 2023 - some big moves around SBOMs, no known vulnerabilities unless otherwise mitigated, ability to invest in open source security etc.

I was interested to see this Chinese analysis titled the Construction and Enlightenment of Israel's National Cyber Security Defense System. China is studying what others are doing (a well known approach of theirs - take, improve and scale). It praises Israel highly, with highlights such as:

but the most critical is to build a multi-subject participation of government departments, intelligence agencies, the military, industry, academia, etc., to build a full life cycle of technology research and development, industrial development, and national defense, a network security ecology that integrates technology, economy and security organically

The UK’s CyberUp campaign which is pushing for reform of the Computer Misuse Act published a new piece of work [which] establishes the current expert consensus of what should constitute legitimate cyber security activity under a reformed UK Computer Misuse Act.

Finally the Atlantic Council published a short video featuring Beau Woods, Madeline Carr and myself on the obstacles to securing IoT (it's about 100 seconds long).


Have a lovely Friday,

Ollie

Cyber threat intelligence

Who is doing what to whom and how.

Russia / Ukraine

Lots of activity, some tied to the region and some a bit wider.

Shuckworm: Russia-Linked Group Maintains Ukraine Focus

Russia being active with an infostealer. The initial access vector is rather basic; the most novel aspect is process names without .exe extensions.

This activity was ongoing as recently as August 8, 2022 and much of the activity observed in this campaign is consistent with activity that was highlighted by CERT-UA on July 26.

The first suspicious activity [we] saw on victim systems was a self-extracting 7-Zip file, which was downloaded via the system’s default browser. Subsequently, mshta.exe downloaded an XML file, which was likely masquerading as an HTML application (HTA) file.

We saw various parent processes with file names that had VCD, H264 and ASC extensions. A file named ntuser.dat.tmcontainer.vcd was the parent process for a Giddome backdoor variant named ntuser.dat.tm.descendant.exe that was seen on victim machines. A suspicious file named ntuser.dat.tmcontainer.h264 had a child process named ntuser.dat.tm.declare.exe, another malicious Giddome backdoor binary. Elsewhere, a file named ntuser.dat.tmcontainer.asc had a child process named ntuser.dat.tm.decay.exe.

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/russia-ukraine-shuckworm
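The non-.exe parent process names in the quoted paragraph are exactly the kind of thing process-creation telemetry can surface on its own. The following is an added example (not code from the Symantec report) that runs that check over a handful of constructed Sysmon-style process-creation records: the directory paths are invented, only the file names are those quoted above, and the allowlist of "normal" executable extensions is an assumption to tune per estate.

```python
import os

# Extensions that legitimately appear as process image names on Windows.
# Anything else (for example .vcd, .h264, .asc, or no extension at all) is worth a look.
KNOWN_EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".cpl"}

# Pseudo-processes Sysmon reports without a real image path; skip these.
PSEUDO_PROCESSES = {"System", "Registry", "MemCompression", "<unknown process>"}

# Constructed sample records modelled on Sysmon Event ID 1 (process creation).
# The directory paths are made up; the file names are the ones from the report.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"ParentImage": r"C:\Users\victim\AppData\Roaming\ntuser.dat.tmcontainer.vcd",
     "Image": r"C:\Users\victim\AppData\Roaming\ntuser.dat.tm.descendant.exe"},
    {"ParentImage": r"C:\Users\victim\AppData\Roaming\ntuser.dat.tmcontainer.h264",
     "Image": r"C:\Users\victim\AppData\Roaming\ntuser.dat.tm.declare.exe"},
    {"ParentImage": r"C:\Users\victim\AppData\Roaming\ntuser.dat.tmcontainer.asc",
     "Image": r"C:\Users\victim\AppData\Roaming\ntuser.dat.tm.decay.exe"},
    {"ParentImage": "System",
     "Image": r"C:\Windows\System32\smss.exe"},
]


def file_name(image_path: str) -> str:
    """Return the final component of a Windows path, whatever OS this runs on."""
    return image_path.replace("\\", "/").rsplit("/", 1)[-1]


def has_non_executable_extension(image_path: str) -> bool:
    """True when a process image does not end in a conventional executable extension."""
    name = file_name(image_path)
    if name in PSEUDO_PROCESSES:
        return False
    ext = os.path.splitext(name)[1].lower()
    return ext not in KNOWN_EXECUTABLE_EXTENSIONS


def find_suspicious_parents(events):
    """Return (parent, child) image pairs where the parent has an unusual extension."""
    return [
        (event["ParentImage"], event["Image"])
        for event in events
        if has_non_executable_extension(event["ParentImage"])
    ]


if __name__ == "__main__":
    for parent, child in find_suspicious_parents(SAMPLE_EVENTS):
        print(f"suspicious parent {file_name(parent)} -> {file_name(child)}")
```

The check is deliberately narrow (parent image extension only); in practice you would also look at the child's location under a user profile and the mshta.exe download step mentioned in the report, but this is the cheapest of the three to run across a whole fleet.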

Disrupting SEABORGIUM’s ongoing phishing operations

Russia going after a range of countries including Ukraine, but in this reporting also the United States and United Kingdom. Note the social engineering tradecraft below: build rapport with the victim and then send the weaponized payload.

SEABORGIUM is a threat actor that originates from Russia, with objectives and victimology that align closely with Russian state interests. Its campaigns involve persistent phishing and credential theft campaigns leading to intrusions and data theft. SEABORGIUM intrusions have also been linked to hack-and-leak campaigns, where stolen and leaked data is used to shape narratives in targeted countries.

[We have] observed fraudulent [LinkedIn] profiles attributed to SEABORGIUM being used sporadically for conducting reconnaissance of employees from specific organizations of interest.

After registering new accounts, SEABORGIUM proceeds to establish contact with their target. In cases of personal or consumer targeting, [we have] mostly observed the actor starting the conversation with a benign email message, typically exchanging pleasantries before referencing a non-existent attachment while highlighting a topic of interest to the target. It’s likely that this additional step helps the actor establish rapport and avoid suspicion, resulting in further interaction. If the target replies, SEABORGIUM proceeds to send a weaponized email.

https://www.microsoft.com/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/

You Can’t Audit Me: APT29 Continues Targeting Microsoft 365

Douglas Bienstock explains how Russia is evidencing they know how modern cloud works and how to operate within it to frustrate cyber defenders.

[We have] observed APT29 continue to demonstrate exceptional operational security and advanced tactics targeting Microsoft 365.

[We have] observed APT29 disabling Purview Audit on targeted accounts in a compromised tenant. Once disabled, they begin targeting the inbox for email collection. At this point, there is no logging available to the organization to confirm which accounts the threat actor targeted for email collection and when.

https://www.mandiant.com/resources/apt29-continues-targeting-microsoft

Back in Black: Unlocking a LockBit 3.0 Ransomware Attack 

Ross Inman from NCC Group provides all the techniques, tactics and procedures showing the full attack chain for this organised criminal actor.

Below provides a summary of findings which are presented in this blog post:

  • Initial access via SocGholish.

  • Establishing persistence to run Cobalt Strike beacon.

  • Disabling of Windows Defender and Sophos.

  • Use of information gathering tools such as Bloodhound and Seatbelt.

  • Lateral movement leveraging RDP and Cobalt Strike.

  • Use of 7zip to collect data for exfiltration.

  • Cobalt Strike use for Command and Control. 

  • Exfiltration of data to Mega.

  • Use of PsExec to push out ransomware.

https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/

Detecting DNS implants: Old kitten, new tricks – A Saitama Case Study

Max Groot & Ruud van Luijk from NCC Group share tradecraft on how to detect this implant on the wire. Due to flawed randomization in the implementation it ended up being surprisingly easy.

Saitama implant uses DNS as its sole Command and Control channel and utilizes long sleep times and (sub)domain randomization to evade detection. As no server-side implementation was available for this implant, our detection engineers had very little to go on to verify whether their detection would trigger on such a communication channel. This blog documents the development of a Saitama server-side implementation, as well as several approaches taken by Fox-IT / NCC Group’s Research and Intelligence Fusion Team (RIFT) to be able to detect DNS-tunnelling implants such as Saitama.

https://research.nccgroup.com/2022/08/11/detecting-dns-implants-old-kitten-new-

RedAlpha Conducts Multi-Year Credential Theft Campaign Targeting Global Humanitarian, Think Tank, and Government Organizations

The CCP showing their more sinister and oppressive side in this activity against political, government, and think tank organizations in Taiwan. The tradecraft is basic run of the mill phishing and their operational security verges on terrible - scale is the thing of note.

Over the past 3 years, we have observed RedAlpha registering and weaponizing hundreds of domains spoofing organizations such as the International Federation for Human Rights (FIDH), Amnesty International, the Mercator Institute for China Studies (MERICS), Radio Free Asia (RFA), the American Institute in Taiwan (AIT), and other global government, think tank, and humanitarian organizations that fall within the strategic interests of the Chinese government.

  • In this activity, RedAlpha very likely sought to gain access to email accounts and other online communications of targeted individuals and organizations.

  • RedAlpha’s humanitarian and human rights-linked targeting and spoofing of organizations such as Amnesty International and FIDH is particularly concerning given the CCP’s reported human rights abuses in relation to Uyghurs, Tibetans, and other ethnic and religious minority groups in China.

https://www.recordedfuture.com/redalpha-credential-theft-campaign-targeting-humanitarian-thinktank

APT41 World Tour 2021 on a tight schedule

Nikita Rostovtsev outlines more Chinese state activity showing they are able to exploit web app vulnerabilities at scale in order to gain their initial access. The use of SQL injection makes a (nice?) change from password spraying and phishing, but also shows there is a lot of mileage in it. Burp Suite Enterprise Edition would likely have found these SQL injection vulnerabilities prior to exploitation. Shows that low hanging fruit still provides relatively easy initial access.

  • 4 malicious campaigns, 13 confirmed victims, and a new wave of Cobalt Strike infections

  • We estimate that in 2021 APT41 compromised and gained various levels of access to at least 13 organizations worldwide.

  • The group’s targets include government and private organizations based in the US, Taiwan, India, Thailand, China, Hong Kong, Mongolia, Indonesia, Vietnam, Bangladesh, Ireland, Brunei, and the UK.

  • In the campaigns that we analyzed, APT41 targeted the following industries: the government sector, manufacturing, healthcare, logistics, hospitality, finance, education, telecommunications, consulting, sports, media, and travel. The targets also included a political group, military organizations, and airlines.

  • To conduct reconnaissance, the threat actors use tools such as Acunetix, Nmap, Sqlmap, OneForAll, subdomain3, subDomainsBrute, and Sublist3r.

  • As an initial vector, the group uses web applications vulnerable to SQL injection attacks.

  • We estimate that in 2021 APT41 detected and exploited SQL injection opportunities in 43 out of 86 web applications that they probed.

https://blog.group-ib.com/apt41-world-tour-2021
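Since the initial vector here is plain SQL injection in web applications, the fix worth showing is the one that makes the scanner findings go away. The following is an added example (not code from the Group-IB report or from any of the victim applications) that puts the vulnerable query-building pattern beside its parameterized form against an in-memory SQLite table with constructed rows; the table and function names are my own.

```python
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """Build an in-memory users table with constructed rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, role TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Builds the statement by string formatting, so the input becomes part of the SQL
    grammar. This is the pattern a scanner such as Burp or sqlmap will flag."""
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def find_user_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Binds the value as a parameter: the driver never lets it alter the statement."""
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


if __name__ == "__main__":
    db = make_demo_db()
    # The tautology probe a scanner sends to confirm the flaw; harmless on the safe path.
    probe = "nobody' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, probe))        # every row comes back
    print("parameterized:", find_user_parameterized(db, probe))  # nothing matches
```

The parameterized version is the whole of the fix; the scanner's probe simply becomes a username nobody has. The same pattern holds for any driver that supports bound parameters, and it is the thing to grep a code base for when a report like this lands.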

Reservations Requested: TA558 Targets Hospitality and Travel

Joe Wise, Selena Larson and co discuss a campaign going after the hospitality and travel sectors using a range of implants. The initial access tradecraft involves vulnerabilities from 2017 and similar, delivered via e-mail attachments.

  • TA558 is a likely financially motivated small crime threat actor targeting hospitality, hotel, and travel organizations.

  • Since 2018, this group has used consistent tactics, techniques, and procedures to attempt to install a variety of malware including Loda RAT, Vjw0rm, and Revenge RAT.

  • TA558’s targeting focus is mainly on Portuguese and Spanish speakers, typically located in the Latin America region, with additional targeting observed in Western Europe and North America.

  • TA558 increased operational tempo in 2022 to a higher average than previously observed. 

  • Like other threat actors in 2022, TA558 pivoted away from using macro-enabled documents in campaigns and adopted new tactics, techniques, and procedures. 

https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel

Beware of hacking attacks from North Korea that steal the IDs of incumbent police officers! (Korea)

South Korean reporting on North Korean activity using malicious Microsoft Office documents. They also used an in-country server (via compromise) as their C2 in an attempt to avoid detection of their command and control traffic.

Recently, a hacking attack from North Korea disguised as an incumbent police officer investigating a hacking case has appeared, requiring special attention from users.

https://blog-alyac-co-kr.translate.goog/4877?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=wapp

Mobile Malware "KeepSpy" - Become Stepping Stones for Unauthorized Access

Japanese reporting on an interesting Android sample which is distributed via SMS. Once it is on a handset the threat actors can use frp to turn the mobile device into a proxy. This is the first time I have seen a threat actor use these implants specifically to achieve proxy capabilities.

From around August 5, 2022, we have confirmed a new variant of Android malware "KeepSpy", which is infected from a fake site that is guided by SMS masquerading as a telecommunications carrier. We have confirmed that attackers can access arbitrary sites via infected terminals, in other words, it can be used as a stepping stone for unauthorized access.

https://www-trendmicro-com.translate.goog/ja_jp/research/22/h/emerging-domestic-mobile-malware-threats.html?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=wapp

Iron Tiger Compromises Chat Application Mimi, Targets Windows, Mac, and Linux Users

Daniel Lunghi and Jaromir Horejsi describe Chinese activity in South East Asia (warning: two companies use Iron Tiger to describe threat groups, one from China and one from India - this is about the China one). In this instance they distributed a backdoored (modified) version of the JavaScript based application (it uses ElectronJS) via a compromised website in a supply chain attack.

We found 13 different targets while following our sensors‘ data. The only targeted countries were Taiwan and the Philippines: five targets of HyperBro (four in Taiwan and one in the Philippines). Meanwhile, we found eight targets for rshell: six in Taiwan, one in the Philippines, and one being in Taiwan and the Philippines.

https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html

Another vendor also reported on this campaign in the same week, specifically on the macOS implant:

https://blog.sekoia.io/luckymouse-uses-a-backdoored-electron-app-to-target-macos/

APT-C-35: New Windows Framework Revealed

Hido Cohen and Arnold Osipov outline a campaign which uses basic initial access tradecraft, coupled with checking for the presence of security products and adjusting its behaviour to employ subversion techniques to protect the later phases of the payload. The result is a highly modular custom C2 framework along with various browser-stealing capabilities.

DoNot’s latest spear phishing email campaign used RTF documents and targeted government departments, including Pakistan’s defence sector. When the RTF document is opened, it tries to fetch a malicious remote template from its C2.

  • ieflagKlo.dll—Keylogger module

  • ieflagUl.dll—File uploader module which uploads the modules’ output

  • ieflagSp.dll—Screenshot module

  • ieflagTr.dll—File collection module

  • ieflagUsd.dll—Removable disk file collection module

  • ieflagBr.dll—Browser information stealer module

  • ieflagRvso.dll—Reverse shell module

https://blog.morphisec.com/apt-c-35-new-windows-framework-revealed

Analysis on the Characteristics of New Activities of Patchwork APT in South Asia

Chinese reporting on Indian activity and two specific capabilities intended to support their operations. The thing of note here is the infection of recently opened legitimate documents on the host. A bold move but you can see how this will likely mean that through the usual course of business it will help them gain a wider footprint in a range of related organisations.

The Patchinfecter Trojan traverses the most recently opened documents on the machine and injects malicious code. If the victim shares the document with others, other contacts of the controlled machine will also become the new controllers.

Infectedloader, this file is a malicious document generated by the Patchinfecter Trojan. It uses the CVE-2021-40444 vulnerability for subsequent Trojan propagation. CVE-2021-40444 is a Microsoft MHTML remote command execution vulnerability.

https://mp-weixin-qq-com.translate.goog/s/egG0nORZFvo_rCY_zmTgVQ?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=zh-CN&_x_tr_pto=wapp

How Adversaries Use Spear Phishing to Target Engineering Staff

Josh Hanrahan outlines how three threat actors they track target engineering staff related to Operational Technology. The most novel of which is the failed exam lure..

TALONITE focuses on subverting and taking advantage of trust with phishing lures focused on engineering-specific themes and concepts. In this specific example, TALONITE masqueraded as the National Council of Examiners for Engineering and Surveying (NCEES) and themed the phishing lure around the failing of an exam related to a license.

https://www.dragos.com/blog/how-adversaries-use-spear-phishing-to-target-engineering-staff/

Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors

Iran winning friends in Israel using credential harvesting and phishing as their initial access vector. Their phishing routines involved fake job offers and similar.

UNC3890 uses at least two unique tools: a backdoor which we named SUGARUSH, and a browser credential stealer, which exfiltrates stolen data via Gmail, Yahoo and Yandex email services that we’ve named SUGARDUMP. UNC3890 also uses multiple publicly available tools, such as the METASPLOIT framework and NorthStar C2.

https://www.mandiant.com/resources/suspected-iranian-actor-targeting-israeli-shipping

Kasablanka organizes attacks against political groups and non-profit organizations in the Middle East

Interesting reporting here in Chinese this week on an attack by a group who in February went after Bangladesh Bank and several financial and government organizations including Bangladesh Police Department and Islamic Bank. This more recent campaign focused on places such as Yemen - interesting that the group has both Windows and bought Android capabilities in the guise of SpyNoteRAT.

[We recently] discovered and captured the group's attack activities targeting both Windows and Android platforms in daily intelligence mining. The Windows side uses military economic hotspots to disguise as PDF documents and use LodaRAT to launch attacks. The Android side uses phishing websites to attack Yemeni political groups or non-profit organizations, and the attack tools begin to use the SpyNote family. Through the analysis of the attack activities, we speculate that the group is not simply for financial gain, and its motivation seems to be more inclined to information gathering and espionage.

https://mp-weixin-qq-com.translate.goog/s/mstwBMkS0G3Et4GOji2mwA?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp

“BazarCall” Advisory: Essential Guide to Attack Vector that Revolutionized Data Breaches

Reporting highlighting the multi-stage social engineering tradecraft, including voice calls, which threat actors are willing to employ in order to achieve their aims. These are criminal groups who are willing to do this…

  • Stage One. The threat actor sends out a legitimate-looking email, notifying the target that they have subscribed to a service for which payment is automatic. The email gives a phone number that targets are able to call to cancel their subscription.

  • Stage Two. The victim is lured into contacting a special call center. When operators receive a call, they use a variety of social engineering tactics, to convince victims to give remote desktop control, ostensibly to help them cancel their subscription service.

  • Stage Three. Upon accessing the victim’s desktop, a skilled network intruder silently entrenches into the user’s network, weaponizing legitimate tools that were previously typical of Conti’s arsenal. The initial operator remains on the line with the victim, pretending to assist them with the remote desktop access by continuing to utilize social engineering tactics.

  • Stage Four. In the final stage of BazarCall, the initiated malware session yields the adversary access as an initial point of entry into the victim’s network. This initial access is then used and exploited in order to target an organization’s data.

https://www.advintel.io/post/bazarcall-advisory-the-essential-guide-to-call-back-phishing-attacks-that-revolutionized-the-data

Monster Libra (TA551/Shathak) pushes IcedID (Bokbot) with Dark VNC and Cobalt Strike

Brad Duncan walks through a tried and tested infection chain in this reporting on a specific organised crime campaign. Nothing really novel but confirmation it works well enough for them to continue.

https://isc.sans.edu/diary/28934

Discovery

How we find and understand the latent compromises within our environments.

Concealed code execution: Techniques and detection

Denis Nagayuk provides an impressive body of work for cyber defenders:

It covers a wide range of concealed code execution techniques and investigates the related internal mechanisms that make them possible on Windows systems in the first place. The activities throughout this research included documenting the technique's functioning, preparing sample implementations, and observing their side effects.

https://www.huntandhackett.com/blog/concealed-code-execution-techniques-and-detection

Process Behaviour Anomaly Detection Using eBPF and Unsupervised-Learning Autoencoders

Simone Margaritelli shows how to use eBPF syscall tracing and statistical analysis to highlight when a process might have been compromised. The overhead will be too high to use everywhere, but used on high risk entry points you can see the utility.

https://www.evilsocket.net/2022/08/15/Process-behaviour-anomaly-detection-using-eBPF-and-unsupervised-learning-Autoencoders/

Hunting for Low and Slow Password Sprays Using Machine Learning

This will make some adversaries (and Red Teams) sob..

We have just released a new guided hunting notebook for Microsoft Sentinel which leverages machine learning to tackle the difficult problem of detecting low and slow password spray campaigns (This augments more broad-scoped password spray detection already provided via Microsoft’s Azure AD Identity Protection Integration for Sentinel)

https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/hunting-for-low-and-slow-password-sprays-using-machine-learning/ba-p/3592052
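The difficulty with low and slow sprays is that no single account ever crosses a lockout threshold; the signal lives in the breadth of accounts touched per source and the pace. The Sentinel notebook uses machine learning for this; the following is an added example of my own (not the notebook's code) that shows the underlying idea as a plain heuristic over constructed sign-in records: the record format, the source addresses and the thresholds are all assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records: timestamp,user,source_ip,result (not real telemetry).
# 203.0.113.7 tries six different accounts once each, roughly an hour apart;
# 198.51.100.4 is a user mistyping their own password twice and then succeeding.
SAMPLE_SIGN_INS = [
    "2022-08-15T01:00:00Z,alice,203.0.113.7,FAIL",
    "2022-08-15T02:05:00Z,bob,203.0.113.7,FAIL",
    "2022-08-15T03:10:00Z,carol,203.0.113.7,FAIL",
    "2022-08-15T04:00:00Z,dave,203.0.113.7,FAIL",
    "2022-08-15T05:20:00Z,erin,203.0.113.7,FAIL",
    "2022-08-15T06:00:00Z,frank,203.0.113.7,FAIL",
    "2022-08-15T09:00:00Z,bob,198.51.100.4,FAIL",
    "2022-08-15T09:01:00Z,bob,198.51.100.4,FAIL",
    "2022-08-15T09:02:00Z,bob,198.51.100.4,SUCCESS",
    "2022-08-15T10:00:00Z,carol,198.51.100.9,SUCCESS",
]


def parse_sign_ins(lines):
    """Parse CSV-style records into (timestamp, user, ip, result) tuples."""
    records = []
    for line in lines:
        ts, user, ip, result = line.strip().split(",")
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return records


def find_low_and_slow_sprays(lines, min_users=5, max_attempts_per_user=2,
                             min_span=timedelta(hours=2)):
    """Flag source IPs whose failures touch many accounts, few times each, over a long period.

    Per-account lockout never fires because each account sees only one or two attempts,
    so the detection keys on breadth (distinct users) and slowness (time span) per source.
    """
    failures = defaultdict(list)
    for ts, user, ip, result in parse_sign_ins(lines):
        if result == "FAIL":
            failures[ip].append((ts, user))

    flagged = {}
    for ip, attempts in failures.items():
        per_user = Counter(user for _, user in attempts)
        times = [ts for ts, _ in attempts]
        span = max(times) - min(times)
        if (len(per_user) >= min_users
                and max(per_user.values()) <= max_attempts_per_user
                and span >= min_span):
            flagged[ip] = {
                "distinct_users": len(per_user),
                "max_attempts_per_user": max(per_user.values()),
                "span_hours": round(span.total_seconds() / 3600, 2),
            }
    return flagged


if __name__ == "__main__":
    for ip, stats in find_low_and_slow_sprays(SAMPLE_SIGN_INS).items():
        print(ip, stats)
```

The legitimate user at 198.51.100.4 is not flagged because their failures hit a single account, and the thresholds are the knobs an adversary will try to stay under; that is why the notebook reaches for a model rather than fixed numbers. Rotating source addresses defeats the per-IP grouping here, so in practice you would also group by user agent or ASN.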

Richer Typing in Sigma

Think of it as a parser that processes the YAML and translates it into an expression tree, where the leaves are predicates with typed operands according to VAST's data model.

https://vast.io/blog/richer-typing-in-sigma

KQL query to hunt for guest invite abuse

Discovery script for Sentinel by Dirk-jan Mollema

gist.github.com/dirkjanm/814b4fcd75f0c0f13f5c05b7edbee794

Defence

How we proactively defend our environments.

Sysmon 14.0

Olaf Hartong walks through the release of Sysmon 14.0, the new file block executable event type and how to derive value from it.

Sysmon now impedes executables, based on the file header, from being written to the filesystem according to the filtering criteria. This can be a very powerful feature in blocking certain programs from writing malicious files to disk. As a simple example, I’ve created this configuration that will not allow PE files to be written to the downloads directory.

https://medium.com/@olafhartong/sysmon-14-0-fileblockexecutable-13d7ba3dff3e
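As an added illustration of the quoted example (my own configuration, not Olaf's or Microsoft's), a minimal Sysmon 14 configuration that blocks executables from being written under any Downloads folder. The rule group name is an assumption; the event type (Event ID 27, FileBlockExecutable) and schema version 4.82 are those introduced with Sysmon 14.0. Sysmon identifies the file by its PE header rather than its extension, so a renamed .exe is still caught, while an executable inside a zip is only examined when it is extracted to disk.

```xml
<Sysmon schemaversion="4.82">
  <EventFiltering>
    <!-- Event ID 27 (FileBlockExecutable): a file matching an "include" rule is
         blocked at write time and the attempt is logged with the writing process. -->
    <RuleGroup name="BlockDownloadedExecutables" groupRelation="or">
      <FileBlockExecutable onmatch="include">
        <TargetFilename condition="contains">\Downloads\</TargetFilename>
      </FileBlockExecutable>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Load it with `sysmon64.exe -c block-downloads.xml` on a host that already has Sysmon 14 installed, then copy any known executable into a Downloads folder and confirm the copy fails and an Event ID 27 appears in Microsoft-Windows-Sysmon/Operational. Because "include" means block, anything you do want users to download (a vetted installer, say) needs its own `onmatch="exclude"` rule, and the events are worth forwarding regardless since a blocked write is itself a strong signal.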

Intune ACSC Windows Hardening Guidelines

Australian Cyber Security Centre has released their hardening guidelines as Intune policies to help you all lock down your environments to government levels.

These Microsoft Intune policies were put together to help organisations comply with the Australian Cyber Security Centre's (ACSC) Windows 10 Hardening Guidance. These policies were originally provided by the ACSC as Group Policy Objects. This repository will provide exports of Intune policies that organisations will be able to import into their Intune tenant for deployment to their Windows devices.

https://github.com/microsoft/Intune-ACSC-Windows-Hardening-Guidelines

Sentinel use case for BEC365 Incident Response

All the tools needed to use Microsoft Sentinel for business e-mail compromise incident response in Office 365.

https://github.com/DATCResearch/Sentinel-UseCase-BEC365-IR

Introduction into Microsoft Defender EASM (External Attack Surface Management)

Derk van der Woude walks through how to set up and use it..

Microsoft Defender EASM (External Attack Surface Management) is a new product in the Microsoft Defender family to provide an external multi-cloud (SaaS, PaaS & IaaS/on-premises) view of the attack surface of the online (internet-exposed) assets (known and unknown).

https://derkvanderwoude.medium.com/introduction-into-microsoft-defender-easm-external-attack-surface-management-3fdee6ccf256

Introducing Threatest, A Go Framework For End-to-end Testing Of Threat Detection Rules

Christophe Tafani-Dereeper releases a really powerful framework to ensure that your detection systems are working as intended.

Threatest, a Go framework for end-to-end testing of threat detection rules. Threatest allows you to easily define test scenarios where you detonate an attack technique then expect an alert to have been created on an external platform.

https://securitylabs.datadoghq.com/articles/threatest-end-to-end-testing-threat-detection/

Hijack Libs

Wietze Beukema has released a project which attempts to record publicly disclosed DLL Hijacking opportunities on Microsoft Windows. I feel this is going to be a very big list..

https://github.com/wietze/hijacklibs

https://hijacklibs.net/

Offense

Attack capability, techniques and tradecraft.

AceLdr: Cobalt Strike UDRL for memory scanner evasion

Kyle Avery provides more endpoint evasion capability to Cobalt Strike.

A position-independent reflective loader for Cobalt Strike. Zero results from Hunt-Sleeping-Beacons, BeaconHunter, BeaconEye, Patriot, Moneta, PE-sieve, or MalMemDetect.

https://github.com/kyleavery/AceLdr

cs-token-vault: In-memory token vault BOF for Cobalt Strike

Henri Nurmi brings operational security and resilience to token stealing when using CobaltStrike in Windows environments.

This Beacon Object File (BOF) creates in-memory storage for stolen/duplicated Windows access tokens, allowing you to:

  • Hot swap/re-use already stolen tokens without re-duplicating.

  • Store tokens for later use in case of a person logging out.

https://github.com/Henkru/cs-token-vault

Process injection: breaking all macOS security layers with a single vulnerability

A likely long tail technique for macOS estates to contend with.

In October 2021, Apple fixed CVE-2021-30873. This was a process injection vulnerability affecting (essentially) all macOS AppKit-based applications. We reported this vulnerability to Apple, along with methods to use this vulnerability to escape the sandbox, elevate privileges to root and bypass the filesystem restrictions of SIP. In this post, we will first describe what process injection is, then the details of this vulnerability and finally how we abused i

https://sector7.computest.nl/post/2022-08-process-injection-breaking-all-macos-security-layers-with-a-single-vulnerability/

Team Filtration

Melvin L released TeamFiltration, which is a cross-platform framework for enumerating, spraying, exfiltration and backdooring O365 Azure AD accounts.

https://github.com/Flangvik/TeamFiltration

Cisco ASA Software and ASDM Security Research

Jake Baines describes how to create malicious packages and various other techniques related to ASDM on Cisco ASA. This is going to be used for implants for sure..

https://github.com/jbaines-r7/cisco_asa_research

Death from Above: Lateral Movement from Azure to On-Prem AD

Andy Robbins shows how exposed mid-migration and/or hybrid environments are.

I’ll explain how we can abuse Microsoft Endpoint Manager to move laterally from an Azure tenant to an on-prem AD domain. This abuse becomes possible when Windows devices have been Hybrid-Joined to both the Azure tenant and the on-prem Active Directory domain. Note that hybrid-joined Windows systems are not the only type of system you can target with Microsoft Intune — you can also target Azure-joined Windows systems and macOS systems that are Azure- or Hybrid-joined.

https://posts.specterops.io/death-from-above-lateral-movement-from-azure-to-on-prem-ad-d18cb3959d4d

Vulnerability

Our attack surface.

You're M̶u̶t̶e̶d̶ Rooted

No patch available

In this talk, we’ll explore Zoom’s macOS application to uncover several critical security flaws. Flaws, that provided a local unprivileged attacker a direct and reliable path to root

https://speakerdeck.com/patrickwardle/youre-muted-rooted

One Bootloader to Load Them All

Secure boot.. except when it isn’t..

We have identified vulnerabilities in three different bootloaders, which have been assigned the following CVEs:

  • CVE-2022-34301 – Eurosoft (UK) Ltd

  • CVE-2022-34302 – New Horizon Datasys Inc

  • CVE-2022-34303 – CryptoPro Secure Disk for BitLocker

Exploiting these vulnerabilities requires an attacker to have elevated privileges (Administrator on Windows or root on Linux).

https://eclypsium.com/2022/08/11/vulnerable-bootloaders-2022/

Exploitation

What is being exploited.

CVE-2022-27925: Mass Exploitation of (Un)authenticated Zimbra RCE

Double reporting on this activity, first from the US Government:

CVEs currently being exploited against ZCS include: 

  • CVE-2022-24682 

  • CVE-2022-27924 

  • CVE-2022-27925 chained with CVE-2022-37042 

  • CVE-2022-30333

https://www.cisa.gov/uscert/ncas/alerts/aa22-228a

Before USG came this reporting:

In July and early August 2022, [we] worked on multiple incidents where the victim organization experienced serious breaches to their Zimbra Collaboration Suite (ZCS) email servers. [Our] investigations uncovered evidence indicating the likely cause of these breaches was exploitation of CVE-2022-27925, a remote-code-execution (RCE) vulnerability in ZCS. This initial CVE was patched by Zimbra in March 2022 in 8.8.15P31 and 9.0.0P24.

https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/

CVE-2021-0920 : The quantum state of Linux kernel garbage collection (Part I)

A deep dive into an in-the-wild Android exploit

https://googleprojectzero.blogspot.com/2022/08/the-quantum-state-of-linux-kernel.html

Tooling and Techniques

Low level tooling for attack and defence researchers.

Capa v4

Willi Ballenthin, Moritz Raabe, Mike Hunhoff and Anushka Virgaonkar release the latest version:

Version 4.0 of capa supports analyzing .NET executables. This open-source tool automatically identifies capabilities in programs using an extensible rule set. The tool supports both malware triage and deep dive reverse engineering.

https://www.mandiant.com/resources/blog/capa-v4-casting-wider-net

CyberChef - Detection Engineering, TI, DFIR, Malware Analysis Edition

I’ve nudged them to do a pull request back to the main CyberChef, they have said they will.

We've published a fork of CyberChef with some additional operations for detection engineers working with YARA and Virustotal -

  • to YARA strings

  • get all casings

  • VirusTotal content

https://github.com/NextronSystems/CyberChef

Footnotes

Some other small bits and bobs which might be of interest.

  • Mid-year Crypto Crime Update: Illicit Activity Falls With Rest of Market, With Some Notable Exceptions - Total scam revenue for 2022 currently sits at $1.6 billion, 65% lower than where it was through the end of July in 2021, and this decline appears linked to declining prices across different currencies. 

  • Report says Ransomware Variants Almost Double in Six Months - In the past six months, [we have] seen a total of 10,666 ransomware variants, compared to just 5,400 in the previous six-month period.

  • SANS Ransomware summit videos - for some late night watching

  • Fault-Injection Countermeasures, Deployed at Scale: Intel's design, and calibration for a fault-injection detection circuit for their 12th generation Intel Core processors - glitching meets its maker

  • Bob Jervis’ Impact on Understanding Cyber Conflict (Summer 2022) - In this roundtable feature, Jason Healey reflects on Bob Jervis’ contributions to cyber conflict research and on their collaboration over the years

  • Requiring MFA on popular gem maintainers - improving security of the community

  • Cyber Security; Etiology and Importance - not sure what to make of this paper really..

  • Event - Understanding Offensive Cyber Operations, September 9th 2022

  • Event - Big Cyber Ideas Festival will take place on September 21 from 5-7pm CET

  • Call for Abstracts - Cyber Escalation Lab (CEL) - Cyber Escalation in Conflict: Bridging Policy, Data, and Theory - February 23rd-24th 2023

That’s all folks.. until next week..

© 2023 Ollie Whitehouse from BinaryFirefly