Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading).
Operationally this week the impact to DigitalOcean customers resulting from the Mailchimp security incident became clear. Mailchimp also released their own notice on it about the targeting of crypto companies. Other than that we have been chasing APT in Europe..
In the high-level this week:
How Russia Took Over Ukraine’s Internet in Occupied Territories - how Russia diverts the Internet traffic for the areas it seizes - the modern war planners guide.
Alleged Russian Money Launderer Extradited from the Netherlands to U.S - related to Ryuk ransomware attacks and a Russian citizen - Those involved in the conspiracy laundered at least $70 million in ransom proceeds.
Arrest of suspected developer of Tornado Cash - Bitcoin mixer developer (which provides enhanced anonymisation) was arrested.
Ransomware Now Threatens the Global South - interesting piece from RUSI here where they state increased targeting of developing and middle-income countries by ransomware actors presents a challenge to political resilience, economic development and global cyber security.
SEC Charges 18 Defendants in International Scheme to Manipulate Stocks Using Hacked US Brokerage Accounts - this is real Hollywood in action.
Croatian, U.S. cyber defenders hunting for malicious actors - US deployed into Croatia as part of their Hunt Forward initiative.
Cyber-Warfare: Stop Asking About the Revolution - punchline is cyber isn’t going to replace but is rather an incremental capability.
Why Can’t Cyber Scholars Move Beyond the Basics? - says cyber geopolitics academics aren’t being bold enough and need to try harder. Quite the punchy message for sure.
State backed cyber-attack exclusions on cyber insurance for Lloyds - sets out Lloyd’s (insurance) requirements for state backed cyber-attack exclusions in standalone cyber-attack insurance policies.
Australian policy amendment - mandates Vulnerability Disclosure Programmes - love this move..
National Defense Authorization Act for Fiscal Year 2023 - some big moves around SBOMs, no known vulnerabilities unless otherwise mitigated, ability to invest in open source security etc.
I was interested to see this Chinese analysis titled the Construction and Enlightenment of Israel's National Cyber Security Defense System. China is studying what others are doing (a well known approach of theirs - take, improve and scale). It is full of praise for Israel, with highlights such as:
but the most critical is to build a multi-subject participation of government departments, intelligence agencies, the military, industry, academia, etc., to build a full life cycle of technology research and development, industrial development, and national defense, a network security ecology that integrates technology, economy and security organically
The UK’s CyberUp campaign which is pushing for reform of the Computer Misuse Act published a new piece of work [which] establishes the current expert consensus of what should constitute legitimate cyber security activity under a reformed UK Computer Misuse Act.
Finally the Atlantic Council published a short video featuring Beau Woods, Madeline Carr and myself on the Obstacles of security IoT (its about 100 seconds long).
Have a lovely Friday,
Ollie
Cyber threat intelligence
Who is doing what to whom and how.
Russia / Ukraine
Lots of activity, some tied to the region and some a bit wider.
Shuckworm: Russia-Linked Group Maintains Ukraine Focus
Russia being active with an infostealer. The initial access vector is rather basic; the most novel aspect is process names without .exe extensions.
This activity was ongoing as recently as August 8, 2022 and much of the activity observed in this campaign is consistent with activity that was highlighted by CERT-UA on July 26.
The first suspicious activity [we] saw on victim systems was a self-extracting 7-Zip file, which was downloaded via the system’s default browser. Subsequently, mshta.exe downloaded an XML file, which was likely masquerading as an HTML application (HTA) file.
We saw various parent processes with file names that had VCD, H264 and ASC extensions. A file named ntuser.dat.tmcontainer.vcd was the parent process for a Giddome backdoor variant named ntuser.dat.tm.descendant.exe that was seen on victim machines. A suspicious file named ntuser.dat.tmcontainer.h264 had a child process named ntuser.dat.tm.declare.exe, another malicious Giddome backdoor binary. Elsewhere, a file named ntuser.dat.tmcontainer.asc had a child process named ntuser.dat.tm.decay.exe.
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/russia-ukraine-shuckworm
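A detection pass over the two process-level tells in that report (binaries running under .vcd/.h264/.asc names, and mshta.exe pulling a target that is not an .hta), as an added example and not code from the Symantec write-up; the Sysmon-style events, the user paths and the example.invalid host are all constructed:

```python
"""Added example (not from the Symantec report): flag process-creation events
where a binary runs under a non-executable file extension, as the Shuckworm
loaders named ntuser.dat.tmcontainer.vcd/.h264/.asc did, and mshta.exe
invocations whose argument is a URL or a non-.hta file (the XML masquerading
as an HTA). The events below are constructed, shaped like Sysmon Event ID 1."""
import re
from pathlib import PureWindowsPath

# Extensions under which Windows normally launches a PE; anything else that
# shows up as Image or ParentImage deserves a look.
EXEC_EXTENSIONS = {".exe", ".com", ".scr"}

# Argument forms mshta accepts: a URL, a local path, or an inline script protocol.
MSHTA_TARGET = re.compile(r'(https?://\S+|[A-Za-z]:\\\S+|(?:javascript|vbscript):\S*)', re.I)

SAMPLE_EVENTS = [  # constructed for this example, not real telemetry
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
    # self-extracting 7-Zip archive dropping and running the .vcd-named loader
    {"EventID": 1, "Image": r"C:\Users\u\AppData\Roaming\ntuser.dat.tmcontainer.vcd",
     "ParentImage": r"C:\Users\u\Downloads\document.exe",
     "CommandLine": r"C:\Users\u\AppData\Roaming\ntuser.dat.tmcontainer.vcd"},
    # the .vcd-named parent spawning a Giddome-style child
    {"EventID": 1, "Image": r"C:\Users\u\AppData\Roaming\ntuser.dat.tm.descendant.exe",
     "ParentImage": r"C:\Users\u\AppData\Roaming\ntuser.dat.tmcontainer.vcd",
     "CommandLine": "ntuser.dat.tm.descendant.exe"},
    # mshta fetching a remote .xml instead of an .hta
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Users\u\Downloads\document.exe",
     "CommandLine": "mshta.exe http://example.invalid/update.xml"},
    # benign: mshta running a local .hta
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'mshta.exe "C:\Tools\report.hta"'},
]


def has_executable_extension(path):
    """True when the image path ends in an extension a PE is normally launched under."""
    return PureWindowsPath(path).suffix.lower() in EXEC_EXTENSIONS


def mshta_argument_is_suspicious(command_line):
    """True when mshta is handed a URL, path or script protocol that is not an .hta file."""
    parts = command_line.split(None, 1)  # drop the program token itself
    if len(parts) < 2:
        return False
    match = MSHTA_TARGET.search(parts[1])
    if not match:
        return False
    target = match.group(1).strip('"')
    return not target.lower().endswith(".hta")


def scan(events):
    """Return (event index, rule name) pairs for every event that trips a rule."""
    findings = []
    for index, event in enumerate(events):
        if event.get("EventID") != 1:
            continue
        for field in ("Image", "ParentImage"):
            if not has_executable_extension(event[field]):
                findings.append((index, f"{field}_non_executable_extension"))
        if (PureWindowsPath(event["Image"]).name.lower() == "mshta.exe"
                and mshta_argument_is_suspicious(event["CommandLine"])):
            findings.append((index, "mshta_non_hta_target"))
    return findings


if __name__ == "__main__":
    for index, rule in scan(SAMPLE_EVENTS):
        print(f"event {index}: {rule} -> {SAMPLE_EVENTS[index]['Image']}")
```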
Disrupting SEABORGIUM’s ongoing phishing operations
Russia going after a range of countries including Ukraine, but in this reporting also the United States and United Kingdom. Note the social engineering tradecraft in the below. Build the rapport with the victim and then send the weaponized payload.
SEABORGIUM is a threat actor that originates from Russia, with objectives and victimology that align closely with Russian state interests. Its campaigns involve persistent phishing and credential theft campaigns leading to intrusions and data theft. SEABORGIUM intrusions have also been linked to hack-and-leak campaigns, where stolen and leaked data is used to shape narratives in targeted countries.
[We have] observed fraudulent [LinkedIn] profiles attributed to SEABORGIUM being used sporadically for conducting reconnaissance of employees from specific organizations of interest.
After registering new accounts, SEABORGIUM proceeds to establish contact with their target. In cases of personal or consumer targeting, [we have] mostly observed the actor starting the conversation with a benign email message, typically exchanging pleasantries before referencing a non-existent attachment while highlighting a topic of interest to the target. It’s likely that this additional step helps the actor establish rapport and avoid suspicion, resulting in further interaction. If the target replies, SEABORGIUM proceeds to send a weaponized email.
You Can’t Audit Me: APT29 Continues Targeting Microsoft 365
Douglas Bienstock explains how Russia is evidencing they know how modern cloud works and how to operate within it to frustrate cyber defenders.
[We have] observed APT29 continue to demonstrate exceptional operational security and advanced tactics targeting Microsoft 365.
[We have] observed APT29 disabling Purview Audit on targeted accounts in a compromised tenant. Once disabled, they begin targeting the inbox for email collection. At this point, there is no logging available to the organization to confirm which accounts the threat actor targeted for email collection and when.
https://www.mandiant.com/resources/apt29-continues-targeting-microsoft
Back in Black: Unlocking a LockBit 3.0 Ransomware Attack
Ross Inman from NCC Group provides all the techniques, tactics and procedures showing the full attack chain for this organised criminal actor.
Below provides a summary of findings which are presented in this blog post:
Initial access via SocGholish.
Establishing persistence to run Cobalt Strike beacon.
Disabling of Windows Defender and Sophos.
Use of information gathering tools such as Bloodhound and Seatbelt.
Lateral movement leveraging RDP and Cobalt Strike.
Use of 7zip to collect data for exfiltration.
Cobalt Strike use for Command and Control.
Exfiltration of data to Mega.
Use of PsExec to push out ransomware.
https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
Detecting DNS implants: Old kitten, new tricks – A Saitama Case Study
Max Groot & Ruud van Luijk from NCC Group share tradecraft on how to detect this implant on the wire. Due to flawed randomization in the implementation it ended up being surprisingly easy.
Saitama implant uses DNS as its sole Command and Control channel and utilizes long sleep times and (sub)domain randomization to evade detection. As no server-side implementation was available for this implant, our detection engineers had very little to go on to verify whether their detection would trigger on such a communication channel. This blog documents the development of a Saitama server-side implementation, as well as several approaches taken by Fox-IT / NCC Group’s Research and Intelligence Fusion Team (RIFT) to be able to detect DNS-tunnelling implants such as Saitama.
https://research.nccgroup.com/2022/08/11/detecting-dns-implants-old-kitten-new-
RedAlpha Conducts Multi-Year Credential Theft Campaign Targeting Global Humanitarian, Think Tank, and Government Organizations
The CCP showing their more sinister and oppressive side in this activity against political, government, and think tank organizations in Taiwan. The tradecraft is basic run-of-the-mill phishing and their operational security verges on terrible - scale is the thing of note.
Over the past 3 years, we have observed RedAlpha registering and weaponizing hundreds of domains spoofing organizations such as the International Federation for Human Rights (FIDH), Amnesty International, the Mercator Institute for China Studies (MERICS), Radio Free Asia (RFA), the American Institute in Taiwan (AIT), and other global government, think tank, and humanitarian organizations that fall within the strategic interests of the Chinese government.
In this activity, RedAlpha very likely sought to gain access to email accounts and other online communications of targeted individuals and organizations.
RedAlpha’s humanitarian and human rights-linked targeting and spoofing of organizations such as Amnesty International and FIDH is particularly concerning given the CCP’s reported human rights abuses in relation to Uyghurs, Tibetans, and other ethnic and religious minority groups in China.
https://www.recordedfuture.com/redalpha-credential-theft-campaign-targeting-humanitarian-thinktank
APT41 World Tour 2021 on a tight schedule
Nikita Rostovtsev outlines more Chinese state activity showing they are able to exploit web app vulnerabilities at scale in order to gain their initial access. The use of SQL injection makes a (nice?) change from password spraying and phishing, but also shows there is a lot of mileage in it. Burp Suite Enterprise Edition would likely have found these SQL injection vulnerabilities prior to exploitation. Shows that low hanging fruit still provides relatively easy initial access.
4 malicious campaigns, 13 confirmed victims, and a new wave of Cobalt Strike infections
We estimate that in 2021 APT41 compromised and gained various levels of access to at least 13 organizations worldwide.
The group’s targets include government and private organizations based in the US, Taiwan, India, Thailand, China, Hong Kong, Mongolia, Indonesia, Vietnam, Bangladesh, Ireland, Brunei, and the UK.
In the campaigns that we analyzed, APT41 targeted the following industries: the government sector, manufacturing, healthcare, logistics, hospitality, finance, education, telecommunications, consulting, sports, media, and travel. The targets also included a political group, military organizations, and airlines.
To conduct reconnaissance, the threat actors use tools such as Acunetix, Nmap, Sqlmap, OneForAll, subdomain3, subDomainsBrute, and Sublist3r.
As an initial vector, the group uses web applications vulnerable to SQL injection attacks.
We estimate that in 2021 APT41 detected and exploited SQL injection opportunities in 43 out of 86 web applications that they probed.
https://blog.group-ib.com/apt41-world-tour-2021
Reservations Requested: TA558 Targets Hospitality and Travel
Joe Wise, Selena Larson and co discuss a campaign going after the hospitality and travel sectors using a range of implants. The initial access tradecraft involves vulnerabilities from 2017 and similar, delivered via e-mail attachments.
TA558 is a likely financially motivated small crime threat actor targeting hospitality, hotel, and travel organizations.
Since 2018, this group has used consistent tactics, techniques, and procedures to attempt to install a variety of malware including Loda RAT, Vjw0rm, and Revenge RAT.
TA558’s targeting focus is mainly on Portuguese and Spanish speakers, typically located in the Latin America region, with additional targeting observed in Western Europe and North America.
TA558 increased operational tempo in 2022 to a higher average than previously observed.
Like other threat actors in 2022, TA558 pivoted away from using macro-enabled documents in campaigns and adopted new tactics, techniques, and procedures.
Beware of hacking attacks from North Korea that steal the IDs of incumbent police officers! (Korea)
South Korean reporting on North Korean activity using malicious Microsoft Office documents. They also used an in-country server (via compromise) as their C2 in an attempt to avoid detection of their command and control traffic.
Recently, a hacking attack from North Korea disguised as an incumbent police officer investigating a hacking case has appeared, requiring special attention from users.
https://blog-alyac-co-kr.translate.goog/4877?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=wapp
Mobile Malware "KeepSpy" - Become Stepping Stones for Unauthorized Access
Japanese reporting on an interesting Android sample which is distributed via SMS. Once it is on a handset the threat actors can use frp to turn the mobile device into a proxy. This is the first time I have seen a threat actor use these implants specifically to achieve proxy capabilities.
From around August 5, 2022, we have confirmed a new variant of Android malware "KeepSpy", which is infected from a fake site that is guided by SMS masquerading as a telecommunications carrier. We have confirmed that attackers can access arbitrary sites via infected terminals, in other words, it can be used as a stepping stone for unauthorized access.
Iron Tiger Compromises Chat Application Mimi, Targets Windows, Mac, and Linux Users
Daniel Lunghi and Jaromir Horejsi describe Chinese activity in South East Asia (warning: two companies use Iron Tiger to describe threat groups, one from China and one from India - this is about the China one). In this instance they distributed a backdoored (modified) version of the JavaScript-based application (it uses ElectronJS) via a compromised website in a supply chain attack.
We found 13 different targets while following our sensors‘ data. The only targeted countries were Taiwan and the Philippines: five targets of HyperBro (four in Taiwan and one in the Philippines). Meanwhile, we found eight targets for rshell: six in Taiwan, one in the Philippines, and one being in Taiwan and the Philippines.
Another vendor also reported on this campaign in the same week, specifically on the macOS implant:
https://blog.sekoia.io/luckymouse-uses-a-backdoored-electron-app-to-target-macos/
APT-C-35: New Windows Framework Revealed
Hido Cohen and Arnold Osipov outline a campaign which uses basic initial access tradecraft, coupled with checking for the presence of security products and adjusting its behaviour to employ subversion techniques to protect the later phases of the payload. The result is a highly modular custom C2 framework along with various browser stealing capabilities.
DoNot’s latest spear phishing email campaign used RTF documents and targeted government departments, including Pakistan’s defence sector. When the RTF document is opened, it tries to fetch a malicious remote template from its C2.
ieflagKlo.dll—Keylogger module
ieflagUl.dll—File uploader module which uploads the modules’ output
ieflagSp.dll—Screenshot module
ieflagTr.dll—File collection module
ieflagUsd.dll—Removable disk file collection module
ieflagBr.dll—Browser information stealer module
ieflagRvso.dll—Reverse shell module
https://blog.morphisec.com/apt-c-35-new-windows-framework-revealed
Analysis on the Characteristics of New Activities of Patchwork APT in South Asia
Chinese reporting on Indian activity and two specific capabilities intended to support their operations. The thing of note here is the infection of recently opened legitimate documents on the host. A bold move but you can see how this will likely mean that through the usual course of business it will help them gain a wider footprint in a range of related organisations.
The Patchinfecter Trojan traverses the most recently opened documents on the machine and injects malicious code. If the victim shares the document with others, other contacts of the controlled machine will also become the new controllers.
Infectedloader, this file is a malicious document generated by the Patchinfecter Trojan. It uses the CVE-2021-40444 vulnerability for subsequent Trojan propagation. CVE-2021-40444 is a Microsoft MHTML remote command execution vulnerability.
How Adversaries Use Spear Phishing to Target Engineering Staff
Josh Hanrahan outlines how three threat actors they track target engineering staff related to Operational Technology. The most novel of which is the failed exam lure..
TALONITE focuses on subverting and taking advantage of trust with phishing lures focused on engineering-specific themes and concepts. In this specific example, TALONITE masqueraded as the National Council of Examiners for Engineering and Surveying (NCEES) and themed the phishing lure around the failing of an exam related to a license.
https://www.dragos.com/blog/how-adversaries-use-spear-phishing-to-target-engineering-staff/
Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors
Iran winning friends in Israel using credential harvesting and phishing as their initial access vector. Their phishing routines involved fake job offers and similar.
UNC3890 uses at least two unique tools: a backdoor which we named SUGARUSH, and a browser credential stealer, which exfiltrates stolen data via Gmail, Yahoo and Yandex email services that we’ve named SUGARDUMP. UNC3890 also uses multiple publicly available tools, such as the METASPLOIT framework and NorthStar C2.
https://www.mandiant.com/resources/suspected-iranian-actor-targeting-israeli-shipping
Kasablanka organizes attacks against political groups and non-profit organizations in the Middle East
Interesting reporting here in Chinese this week on an attack by a group who in February went after Bangladesh Bank and several financial and government organizations including the Bangladesh Police Department and Islamic Bank. This more recent campaign focused on places such as Yemen - interesting that the group has both Windows and bought-in Android capabilities in the guise of SpyNoteRAT.
[We recently] discovered and captured the group's attack activities targeting both Windows and Android platforms in daily intelligence mining. The Windows side uses military economic hotspots to disguise as PDF documents and use LodaRAT to launch attacks. The Android side uses phishing websites to attack Yemeni political groups or non-profit organizations, and the attack tools begin to use the SpyNote family. Through the analysis of the attack activities, we speculate that the group is not simply for financial gain, and its motivation seems to be more inclined to information gathering and espionage.
“BazarCall” Advisory: Essential Guide to Attack Vector that Revolutionized Data Breaches
Reporting highlighting the multi-stage social engineering tradecraft, including voice calls, that threat actors are willing to employ in order to achieve their aims. These are criminal groups who are willing to do this…
Stage One. The threat actor sends out a legitimate-looking email, notifying the target that they have subscribed to a service for which payment is automatic. The email gives a phone number that targets are able to call to cancel their subscription.
Stage Two. The victim is lured into contacting a special call center. When operators receive a call, they use a variety of social engineering tactics, to convince victims to give remote desktop control, ostensibly to help them cancel their subscription service.
Stage Three. Upon accessing the victim’s desktop, a skilled network intruder silently entrenches into the user’s network, weaponizing legitimate tools that were previously typical of Conti’s arsenal. The initial operator remains on the line with the victim, pretending to assist them with the remote desktop access by continuing to utilize social engineering tactics.
Stage Four. In the final stage of BazarCall, the initiated malware session yields the adversary access as an initial point of entry into the victim’s network. This initial access is then used and exploited in order to target an organization’s data.
Monster Libra (TA551/Shathak) pushes IcedID (Bokbot) with Dark VNC and Cobalt Strike
Brad Duncan walks through a tried and tested infection chain in this reporting on a specific organised crime campaign. Nothing really novel but confirmation it works well enough for them to continue.
https://isc.sans.edu/diary/28934
Discovery
How we find and understand the latent compromises within our environments.
Concealed code execution: Techniques and detection
Denis Nagayuk provides an impressive body of work for cyber defenders:
It covers a wide range of concealed code execution techniques and investigates the related internal mechanisms that make them possible on Windows systems in the first place. The activities throughout this research included documenting the technique's functioning, preparing sample implementations, and observing their side effects.
https://www.huntandhackett.com/blog/concealed-code-execution-techniques-and-detection
Process Behaviour Anomaly Detection Using eBPF and Unsupervised-Learning Autoencoders
Simone Margaritelli shows how to use eBPF syscall tracing and statistical analysis to highlight when a process might have been compromised. The overhead will be too high to use everywhere, but used on high risk entry points you can see the utility.
Hunting for Low and Slow Password Sprays Using Machine Learning
This will make some adversaries (and Red Teams) sob..
We have just released a new guided hunting notebook for Microsoft Sentinel which leverages machine learning to tackle the difficult problem of detecting low and slow password spray campaigns (This augments more broad-scoped password spray detection already provided via Microsoft’s Azure AD Identity Protection Integration for Sentinel)
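To show why low and slow sprays slip past the usual per-hour failure threshold, here is an added example (not Microsoft's notebook, and statistical rather than ML) that runs a classic threshold and a long-window distinct-account heuristic side by side over constructed sign-in records; the IPs, account names and thresholds are placeholders:

```python
"""Added example (not Microsoft's notebook): contrasts a classic per-hour
failure threshold with a long-window, distinct-account heuristic for
low-and-slow password sprays. The sign-in records are constructed; the
addresses and accounts are placeholders."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple


class SignIn(NamedTuple):
    ts: datetime
    user: str
    source_ip: str
    success: bool


def build_sample_records():
    """Constructed log: one spray source trying 40 accounts once each, 90 minutes
    apart (never two failures in the same hour), plus one real user mistyping a
    password twice before succeeding."""
    base = datetime(2022, 8, 1, 0, 0)
    records = [SignIn(base + timedelta(minutes=90 * i), f"user{i:02d}@corp.example",
                      "203.0.113.10", False) for i in range(40)]
    records += [
        SignIn(base + timedelta(hours=5), "alice@corp.example", "198.51.100.5", False),
        SignIn(base + timedelta(hours=5, minutes=1), "alice@corp.example", "198.51.100.5", False),
        SignIn(base + timedelta(hours=5, minutes=2), "alice@corp.example", "198.51.100.5", True),
    ]
    return records


def hourly_threshold_alerts(records, threshold=10):
    """Classic detection: `threshold` or more failures from one source IP within a clock hour."""
    counts = Counter()
    for r in records:
        if not r.success:
            counts[(r.source_ip, r.ts.replace(minute=0, second=0, microsecond=0))] += 1
    return sorted({ip for (ip, _hour), n in counts.items() if n >= threshold})


def slow_spray_sources(records, window=timedelta(days=7), min_accounts=20, max_per_account=3):
    """Low-and-slow detection: within any `window` of failures from one source, many
    distinct accounts were each tried only a few times. Returns {ip: accounts_seen}."""
    by_ip = defaultdict(list)
    for r in records:
        if not r.success:
            by_ip[r.source_ip].append(r)
    hits = {}
    for ip, fails in by_ip.items():
        fails.sort(key=lambda r: r.ts)
        start = 0
        for end in range(len(fails)):  # sliding window over the sorted failures
            while fails[end].ts - fails[start].ts > window:
                start += 1
            per_account = Counter(r.user for r in fails[start:end + 1])
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                hits[ip] = max(hits.get(ip, 0), len(per_account))
    return hits


if __name__ == "__main__":
    recs = build_sample_records()
    print("per-hour threshold alerts:", hourly_threshold_alerts(recs))  # []
    print("slow spray sources:", slow_spray_sources(recs))  # {'203.0.113.10': 40}
```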
Richer Typing in Sigma
Think of it as a parser that processes the YAML and translates it into an expression tree, where the leaves are predicates with typed operands according to VAST's data model.
https://vast.io/blog/richer-typing-in-sigma
KQL query to hunt for guest invite abuse
Discovery script for Sentinel by Dirk-jan Mollema
gist.github.com/dirkjanm/814b4fcd75f0c0f13f5c05b7edbee794
Defence
How we proactively defend our environments.
Sysmon 14.0
Olaf Hartong walks through the release of Sysmon 14.0, the new file block executable event type and how to derive value from it.
Sysmon now impedes executables, based on the file header from being written to the filesystem according to the filtering criteria. This can be a very powerful feature into blocking certain programs writing malicious files to disk. As a simple example, I’ve created this configuration that will not allow PE files from being written to the downloads directory.
https://medium.com/@olafhartong/sysmon-14-0-fileblockexecutable-13d7ba3dff3e
Intune ACSC Windows Hardening Guidelines
The Australian Cyber Security Centre has released their hardening guidelines as Intune policies to help you all lock down your environments to government levels.
These Microsoft Intune policies were put together to help organisations comply with the Australian Cyber Security Centre's (ACSC) Windows 10 Hardening Guidance. These policies were originally provided by the ACSC as Group Policy Objects. This repository will provide exports of Intune policies that organisations will be able to import into their Intune tenant for deployment to their Windows devices.
https://github.com/microsoft/Intune-ACSC-Windows-Hardening-Guidelines
Sentinel use case for BEC365 Incident Response
All the tools needed to use Microsoft Sentinel for business e-mail compromise incident response in Office 365.
https://github.com/DATCResearch/Sentinel-UseCase-BEC365-IR
Introduction into Microsoft Defender EASM (External Attack Surface Management)
Derk van der Woude walks through how to set up and use..
Microsoft Defender EASM (External Attack Surface Management) is a new product in the Microsoft Defender family to provide an external multi-cloud (SaaS, PaaS & IaaS/on-premises) view of the attack surface of the online (internet-exposed) assets (known and unknown).
Introducing Threatest, A Go Framework For End-to-end Testing Of Threat Detection Rules
Christophe Tafani-Dereeper releases a really powerful framework to ensure that your detection systems are working as intended.
Threatest, a Go framework for end-to-end testing of threat detection rules. Threatest allows you to easily define test scenarios where you detonate an attack technique then expect an alert to have been created on an external platform.
https://securitylabs.datadoghq.com/articles/threatest-end-to-end-testing-threat-detection/
Hijack Libs
Wietze Beukema has released a project which attempts to record publicly disclosed DLL Hijacking opportunities on Microsoft Windows. I feel this is going to be a very big list..
https://github.com/wietze/hijacklibs
Offense
Attack capability, techniques and tradecraft.
AceLdr: Cobalt Strike UDRL for memory scanner evasion
Kyle Avery provides more endpoint evasion capability to Cobalt Strike.
A position-independent reflective loader for Cobalt Strike. Zero results from Hunt-Sleeping-Beacons, BeaconHunter, BeaconEye, Patriot, Moneta, PE-sieve, or MalMemDetect.
https://github.com/kyleavery/AceLdr
cs-token-vault: In-memory token vault BOF for Cobalt Strike
Henri Nurmi brings operational security and resilience to token stealing when using Cobalt Strike in Windows environments.
This Beacon Object File (BOF) creates in-memory storage for stolen/duplicated Windows access tokens, allowing you to:
Hot swap/re-use already stolen tokens without re-duplicating.
Store tokens for later use in case a user logs out.
https://github.com/Henkru/cs-token-vault
Process injection: breaking all macOS security layers with a single vulnerability
A likely long tail technique for macOS estates to contend with.
In October 2021, Apple fixed CVE-2021-30873. This was a process injection vulnerability affecting (essentially) all macOS AppKit-based applications. We reported this vulnerability to Apple, along with methods to use this vulnerability to escape the sandbox, elevate privileges to root and bypass the filesystem restrictions of SIP. In this post, we will first describe what process injection is, then the details of this vulnerability and finally how we abused i
Team Filtration
Melvin L released TeamFiltration, which is a cross-platform framework for enumerating, spraying, exfiltrating and backdooring O365 Azure AD accounts.
https://github.com/Flangvik/TeamFiltration
Cisco ASA Software and ASDM Security Research
Jake Baines describes how to create malicious packages and various other techniques related to ASDM on Cisco ASA. This is going to be used for implants for sure..
https://github.com/jbaines-r7/cisco_asa_research
Death from Above: Lateral Movement from Azure to On-Prem AD
Andy Robbins shows how exposed mid-migration and/or hybrid environments are.
I’ll explain how we can abuse Microsoft Endpoint Manager to move laterally from an Azure tenant to an on-prem AD domain. This abuse becomes possible when Windows devices have been Hybrid-Joined to both the Azure tenant and the on-prem Active Directory domain. Note that hybrid-joined Windows systems are not the only type of system you can target with Microsoft Intune — you can also target Azure-joined Windows systems and macOS systems that are Azure- or Hybrid-joined.
https://posts.specterops.io/death-from-above-lateral-movement-from-azure-to-on-prem-ad-d18cb3959d4d
Vulnerability
Our attack surface.
You're M̶u̶t̶e̶d̶ Rooted
No patch available
In this talk, we’ll explore Zoom’s macOS application to uncover several critical security flaws. Flaws, that provided a local unprivileged attacker a direct and reliable path to root
https://speakerdeck.com/patrickwardle/youre-muted-rooted
One Bootloader to Load Them All
Secure boot.. except when it isn’t..
We have identified vulnerabilities in three different bootloaders, which have been assigned the following CVEs:
CVE-2022-34301 – Eurosoft (UK) Ltd
CVE-2022-34302 – New Horizon Datasys Inc
CVE-2022-34303 – CryptoPro Secure Disk for BitLocker
Exploiting these vulnerabilities requires an attacker to have elevated privileges (Administrator on Windows or root on Linux).
https://eclypsium.com/2022/08/11/vulnerable-bootloaders-2022/
Exploitation
What is being exploited.
CVE-2022-27925: Mass Exploitation of (Un)authenticated Zimbra RCE
Double reporting on this activity, first from the US Government:
CVEs currently being exploited against ZCS include:
CVE-2022-24682
CVE-2022-27924
CVE-2022-27925 chained with CVE-2022-37042
CVE-2022-30333
https://www.cisa.gov/uscert/ncas/alerts/aa22-228a
Before the USG alert came this reporting:
In July and early August 2022, [we] worked on multiple incidents where the victim organization experienced serious breaches to their Zimbra Collaboration Suite (ZCS) email servers. [Our] investigations uncovered evidence indicating the likely cause of these breaches was exploitation of CVE-2022-27925, a remote-code-execution (RCE) vulnerability in ZCS. This initial CVE was patched by Zimbra in March 2022 in 8.8.15P31 and 9.0.0P24.
CVE-2021-0920 : The quantum state of Linux kernel garbage collection (Part I)
A deep dive into an in-the-wild Android exploit
https://googleprojectzero.blogspot.com/2022/08/the-quantum-state-of-linux-kernel.html
Tooling and Techniques
Low level tooling for attack and defence researchers.
Capa v4
Willi Ballenthin, Moritz Raabe, Mike Hunhoff and Anushka Virgaonkar release the latest version:
Version 4.0 of capa supports analyzing .NET executables. This open-source tool automatically identifies capabilities in programs using an extensible rule set. The tool supports both malware triage and deep dive reverse engineering.
https://www.mandiant.com/resources/blog/capa-v4-casting-wider-net
CyberChef - Detection Engineering, TI, DFIR, Malware Analysis Edition
I’ve nudged them to do a pull request back to the main CyberChef, they have said they will.
We've published a fork of CyberChef with some additional operations for detection engineers working with YARA and VirusTotal:
to YARA strings
get all casings
VirusTotal content
https://github.com/NextronSystems/CyberChef
Footnotes
Some other small bits and bobs which might be of interest.
Mid-year Crypto Crime Update: Illicit Activity Falls With Rest of Market, With Some Notable Exceptions - Total scam revenue for 2022 currently sits at $1.6 billion, 65% lower than where it was through the end of July in 2021, and this decline appears linked to declining prices across different currencies.
Report says Ransomware Variants Almost Double in Six Months - In the past six months, [we have] seen a total of 10,666 ransomware variants, compared to just 5,400 in the previous six-month period.
SANS Ransomware summit videos - for some late night watching
Fault-Injection Countermeasures, Deployed at Scale: Intel's design, and calibration for a fault-injection detection circuit for their 12th generation Intel Core processors - glitching meets its maker
Bob Jervis’ Impact on Understanding Cyber Conflict (Summer 2022) - In this roundtable feature, Jason Healey reflects on Bob Jervis’ contributions to cyber conflict research and on their collaboration over the years
Requiring MFA on popular gem maintainers - improving security of the community
Cyber Security; Etiology and Importance - not sure what to make of this paper really..
Event - Understanding Offensive Cyber Operations, September 9th 2022
Event - Big Cyber Ideas Festival will take place on September 21 from 5-7pm CET
Call for Abstracts - Cyber Escalation Lab (CEL) - Cyber Escalation in Conflict: Bridging Policy, Data, and Theory - February 23rd-24th 2023
That’s all folks.. until next week..