Bluepurple Pulse: week ending August 28th
VERY HIGH threat assessment in Denmark
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading).
Operationally this week nothing really of note, usual tempo for the most part, although organised crime does continue to be busy. Outside of that, LastPass did a sterling job on their own breach disclosure in terms of transparency. Also, how Mailchimp etc. got compromised (phishing) has come to light, and the fallout continues to become clearer (see below in the reporting under the Okta sections).
In the high-level this week:
High Court gives green light to Pegasus spyware case in London against Kingdom of Saudi Arabia - The High Court has today ruled the KSA does not have immunity under the State Immunity Act 1978 in relation to a case brought against it by satirist and human rights activist Ghanem Al-Masarir for its alleged use of spyware to infiltrate his mobile phones - fascinating legal judgement and may make states think twice. Well, states except China, Iran, Russia and North Korea, that is..
The SBU exposed an underground server center in Kyiv that Russian hackers used for cyberattacks against Ukraine - Dilyka served more than 100 "subscribers", the vast majority of whom are hackers from the Russian Federation.
The Cyber Threat Against Denmark - Denmark’s own threat assessment - VERY HIGH on espionage and cyber crime - The threat from cyber espionage is VERY HIGH. This persistent threat mainly stems from Russia and China and continues to lead to cyber attacks against targets in Denmark.
Unheard Voice - Stanford Internet Observatory collaborated with Graphika to analyse a large network of accounts removed from Facebook, Instagram, and Twitter - an information operation that likely originated in the United States.
The hidden threat of cyber-attacks – undermining public confidence in government - This paper argues that the primary threat posed by cyber-attacks is not cataclysmic physical destruction - but rather more insidious societal risks such as reduced trust in government - interesting meta perspective on the impact of cyber events on government. Something civil contingency planners will likely sit up and take notice of.
Cyber.RAR - Series 2 is now being released from the Harvard Kennedy School students - covering the US’s Chips and Science Act in the first episode.
Cyber Defence Review: An Offensive Future? - from the US’s Cyber Army Institute - a broad range of topics including the article The Role of Reinsurance in Offensive Cyber, which states: “This paper argues that by reducing and responding to risks and unintended consequences of offensive cyber operations with reinsurance, a state’s offensive cyber strategy may receive a more favourable reception from society. This reduces the risk that an offensive cyber strategy may delegitimise the state.” - in short, the government as insurer of last resort.
Reflections this week: I get terribly motivated by science and technology evolution and exploring the technical, business and societal opportunities. That, and the realisation I have been working for 25 years, so I was feeling extra reflective.
Anyway, a week or so ago I read this article Synthetic genetic circuits could help plants adapt to climate change after hearing one of the researchers interviewed on the BBC World Service. The paper states:
We developed a collection of synthetic transcriptional regulators for plants that can be compiled to create genetic circuits. These circuits control gene expression by performing Boolean logic operations and can be used to predictably alter root structure. This work demonstrates the potential of synthetic genetic circuits to control gene expression across tissues and reprogram plant growth.
So they have proven synthetic genetic Boolean logic which can control how an organism responds through its genes - that is amazing! Now it doesn’t take much to jump to a world where static genetic code review becomes a career (akin to what we do today for computer code) and formal verification becomes a tooling requirement. Fast forward a decade (or 5 years) and we have a Tamarin-esque tool (Tamarin being a tool for formal verification of security protocols) being applied to these new genetic circuit designs..
… isn’t the future exciting!
Have a lovely Friday,
Cyber threat intelligence
Who is doing what to whom and how.
MagicWeb: NOBELIUM’s post-compromise trick to authenticate as anyone
Russia showing they know how to attack and persist in hybrid cloud environments.
[We] have discovered a post-compromise capability we’re calling MagicWeb, which is used by a threat actor we track as NOBELIUM to maintain persistent access to compromised environments. NOBELIUM remains highly active, executing multiple campaigns in parallel targeting government organizations, non-governmental organizations (NGOs), intergovernmental organizations (IGOs), and think tanks across the US, Europe, and Central Asia.
NOBELIUM was able to deploy MagicWeb by first gaining access to highly privileged credentials and moving laterally to gain administrative privileges to an AD FS system. This is not a supply chain attack. The attacker had admin access to the AD FS system and replaced a legitimate DLL with their own malicious DLL, causing malware to be loaded by AD FS instead of the legitimate binary.
Ransomware Actor Abuses Genshin Impact Anti-Cheat Driver to Kill Antivirus
Ryan Soliven and Hitomi Kimura detail how organised crime is now bringing its own vulnerable drivers in order to disable and tamper with endpoint protection solutions. This type of tradecraft has been used by nation state actors such as Russia for a number of years, but the capability bleed to organised crime has now happened.
There have already been reports on code-signed rootkits like Netfilter, FiveSys, and Fire Chili. These rootkits are usually signed with stolen certificates or are falsely validated. However, when a legitimate driver is used as a rootkit, that’s a different story. Such is the case of mhyprot2.sys, a vulnerable anti-cheat driver for the popular role-playing game Genshin Impact. The driver is currently being abused by a ransomware actor to kill antivirus processes and services for mass-deploying ransomware. Security teams and defenders should note that mhyprot2.sys can be integrated into any malware.
Switching side jobs: Links between ATMZOW JS-sniffer and Hancitor
However, based on a specific obfuscation technique used by the group, we can track its activities back to 2015 as "Magento Guruincsite malware". Moreover, one of the first domain names, used by the group, was created in 2016.
ATMZOW has successfully infected at least 483 websites belonging to the domain zones of Italy, Germany, France, UK, Australia, India, Brazil etc. since the beginning of 2019.
New APT Mulun Shark targets Turkish Navy
Chinese reporting on a threat actor focused on the Turkish Navy. Malicious Microsoft Office documents delivering Cobalt Strike seem to be the order of the day.
In the second quarter of 2022, [we] detected a series of cyberattacks against Turkey. After analysis, researchers confirmed that this round of attacks came from Actor 210426, a new threat entity identified in April 2021.
Based on the activity area and recent attack target of this threat entity (Turkish Navy project "MÜREN"), [we] named it MurenShark, which corresponds to the advanced threat organisation APT-N-04.
In the monitoring activities, the main target areas of MurenShark include Turkey and Northern Cyprus, and the attack range covers many sensitive targets in the fields of universities, research institutes and the army, showing a particular interest in military projects, and it has carried out successful cyber espionage.
The main attack methods of MurenShark include delivering phishing documents and attacking online services. The direct purpose includes expanding attack resources, infiltrating target networks, and stealing key data.
Turkish reporting on what appears to be the same campaign.
A Tale of PivNoxy and Chinoxy Puppeteer
Shunichi Imano and Fred Gutierrez outline a campaign using 2018-era vulnerabilities in Microsoft Office coupled with a regional interest. I find it interesting that there are some full court presses by adversaries going on in South Asia..
Suspicious RTF attachment sent to a telecommunications agency in South Asia - The email was disguised as having come from a Pakistan government division and delivered the PivNoxy malware.
.. the threat group we are after has a particular interest not only in South-East Asia but also in South and Central Asia and potentially Mexico. Or at the least, they have a relationship with an attacker with interests there.
The attack against a telecommunications agency in South Asia began with a simple email that initially appeared to be a standard malicious spam email message. However, the attached Word doc was weaponized using a malicious tool, Royal Road, and is equipped with an exploit for an Equation Editor vulnerability (CVE-2018-0798).
Iran gets its own little sub heading due to two bits of notable reporting this week.
New Iranian APT data extraction tool
First, Ajax Bash (amazing name) burns some of their post-compromise tooling. How an actual copy was obtained may remain a mystery for a little bit (or until Ajax reads this and tells me). But either way it is clear that Iran does have the capability to research and develop basic post-compromise tooling. Neat trick, the old browser spoofing to enable the basic HTML view, which allowed the scraping..
In December 2021, TAG discovered a novel Charming Kitten tool, named HYPERSCRAPE, used to steal user data from Gmail, Yahoo!, and Microsoft Outlook accounts. The attacker runs HYPERSCRAPE on their own machine to download victims’ inboxes using previously acquired credentials. We have seen it deployed against fewer than two dozen accounts located in Iran. The oldest known sample is from 2020, and the tool is still under active development.
It spoofs the user agent to look like an outdated browser, which enables the basic HTML view in Gmail.
MERCURY leveraging Log4j 2 vulnerabilities in unpatched systems to target Israeli organizations
Iran demonstrating they can pull through exploits into operational capability and use it against regional adversaries. Sounds like a basic commercial Red Team for sure..
[We] detected Iran-based threat actor MERCURY leveraging exploitation of Log4j 2 vulnerabilities in SysAid applications against organizations all located in Israel. MSTIC assesses with high confidence that MERCURY’s observed activity was affiliated with Iran’s Ministry of Intelligence and Security (MOIS).
While MERCURY has used Log4j 2 exploits in the past, such as on vulnerable VMware apps, we have not seen this actor using SysAid apps as a vector for initial access until now. After gaining access, MERCURY establishes persistence, dumps credentials, and moves laterally within the targeted organization using both custom and well-known hacking tools, as well as built-in operating system tools for its hands-on-keyboard attack.
North Korea / Hermit Kingdom
Lots of North Korean reporting this week so they get their little heading for us to celebrate.
Kimsuky’s GoldDragon Cluster and its C2 Operations
Seongsu Park in this reporting states:
While tracking the Kimsuky group’s endless operations, however, we discovered server-side scripts related to the above infection chain
They got access to the server side source code which allowed them to stitch it all together. In the UK this activity would potentially be illegal under the Computer Misuse Act today, but the intelligence benefit is clear.
North Korean hacking organization attacks defense industry during joint South Korea-U.S. exercise
Amazingly clumsy tradecraft here, feels like they took the new team for a spin.
At first, it was discovered in the form of an executable file (.EXE) disguised as a computer IP and address lookup program; when the file is executed, the actual computer network information is output, but in the background a malicious DLL module with a backdoor function is planted without the user's knowledge to collect internal information and leak it externally.
After that, it switched to a script (JSE, VBS) attack method that added double extensions to make it look like a PDF or XLSM document, and an attack method using an executable file (PIF) extension, which often appears as a shortcut (LNK) icon, is also used.
Malicious word documents targeting specific people related to North Korea
More shoddy North Korean maldoc tradecraft in this reporting.
Malicious Hangul document disguised as happy birthday content
Loads of indicators for further North Korean activity in here. Use of cutting edge tools such as curl etc.
Detecting Scatter Swine: Insights into a relentless phishing campaign
Further analysis and fallout from the Twilio breach. But it shows that the threat actors achieved what they clearly set out to do.
Twilio recently identified unauthorized access to information related to 163 Twilio customers, including Okta. Access was gained to internal Twilio systems, where data of some Okta customers was accessible to a threat actor (detailed below).
Okta has determined that a small number of 1) Mobile phone numbers and 2) Associated SMS messages containing one-time passwords (“OTPs”) were accessible to the threat actor via the Twilio console.
Okta has notified any customers where a phone number was visible in the console at the time the console was accessed.
Roasting 0ktapus: The phishing campaign going after Okta identity credentials
Roberto Martinez and Rustam Mirkasymov cover the broader Okta phishing campaign which appears to be the genesis. Again they gained access to the server-side source code. Again, a lot of what they did likely would not have been possible from the United Kingdom due to the Computer Misuse Act, although the intelligence and harm reduction value is clear.
Over 130 organizations have been compromised in a sophisticated attack using simple phishing kits
Bumblebee Loader – The High Road to Enterprise Domain Control
The takeaway from this is: block LNK files.
User-Driven Execution: The majority of the infections with Bumblebee we have observed started by end-users executing LNK files which use a system binary to load the malware. Distribution of the malware is done by phishing emails with an attachment or a link to the malicious archive containing Bumblebee.
Intensive Reconnaissance and Data Exfiltration: Bumblebee operators conduct intensive reconnaissance activities and redirect the output of executed commands to files for exfiltration.
Active Directory Compromise: The attackers compromised Active Directory and leveraged confidential data such as users’ logins and passwords for lateral movement. The time it took between initial access and Active Directory compromise was less than two days.
Under Active Development: [we have] observed threat actors transitioning from BazarLoader, Trickbot, and IcedID to Bumblebee, which seems to be in active development and generally the loader of choice for many threat actors.
EvilCoder Project Selling Multiple Dangerous Tools Online
Various criminal capabilities being sold for $150 or less..
Escanor Malware delivered in Weaponized Microsoft Office Documents
The exploit builder is the thing of note in this reporting.
[We] identified a new RAT (Remote Administration Tool) advertised on the Dark Web and Telegram called Escanor. The threat actors offer Android-based and PC-based versions of the RAT, along with an HVNC module and an exploit builder to weaponize Microsoft Office and Adobe PDF documents to deliver malicious code.
Proxies and Configurations Used for Credential Stuffing Attacks on Online Customer Accounts
FBI alert on the use of proxies; not sure of the value to most. The punchline is: enable MFA etc.
The FBI is highlighting significant details about proxies and configurations used by cyber criminals to mask and automate credential stuffing attacks on US companies, resulting in financial losses associated with fraudulent purchases, customer notifications, system downtime and remediation, as well as reputational damage.
How we find and understand the latent compromises within our environments.
IoC for Manjusaka
Manjusaka is a web-based imitation of the Cobalt Strike framework, and here are some robust indicators of compromise to help you detect it. We covered Manjusaka-specific reporting when it was originally released.
YaraNG: Reinventing the YARA Scanner
Avast forked YARA and got some massive performance benefits.
In the end, we achieved an improvement on our scanning hardware. Our regular scanner took around 20 minutes while the new scanner took around 13 minutes, which is a 35% improvement. Overall, CPU utilization was lowered, so with the new scanner, there was still headroom when it comes to the CPU utilization.
A minimalistic cross-platform malware scanner with non-blocking realtime filesystem monitoring using YARA rules.
Helps you detect the use of this tool.
These KQL queries are designed to find use of the abuses in the BloodHound BARK toolkit in your Azure AD tenant. These queries are not designed to detect the use of BARK itself, just the behaviour that BARK simulates.
Rapidly Search and Hunt through Windows Event Logs from James D
How to Detect OAuth Access Token Theft in Azure
Lina Lau explains how the attack works and how to detect it. Detection can be up to a four-step process.
Stealing access tokens to gain access to a user’s account in Azure is a technique that’s been actively used by threat groups over the past few years. I’ve observed this technique in several engagements across the past few years from Chinese APT groups. Generally, this is done through a spear phishing / phishing email with a link that requires a user to grant access to a malicious application through OAuth’s authorization code flow. This enables the attacker-controlled application to access the user’s data.
I’ve broken the blog into two components:
A Jupyter notebook to triage infrastructure using the Virustotal API
Eric makes analysts go ‘yay’
Report on Active Directory Container permissions using PowerShell
Harm Veenstra continues to pump out the value in Active Directory security.
In a previous blog post I showed a way to create a report on OU (Organizational Unit) permissions. One of the replies I got about that was: How about the Container permissions, those are important too
And that’s correct, they are! In this blog post, I will show you how to create a report on those (Script is based on the OU report)
Looking for the ‘Sliver’ lining: Hunting for emerging command-and-control frameworks
I’m sure the cyber security company behind Sliver is so very proud. The blog is good as it shows the analytical tradecraft as much as anything when working on detection strategies for a new C2 framework.
Microsoft has observed the Sliver command-and-control (C2) framework now being adopted and integrated in intrusion campaigns by nation-state threat actors, cybercrime groups directly supporting ransomware and extortion, and other threat actors to evade detection.
Among its adopters is the prolific ransomware-as-service (RaaS) affiliate DEV-0237. More recently, we’ve seen cybercrime actors historically tied to human-operated ransomware now deliver Sliver and various post-compromise tools using Bumblebee malware (also known as COLDTRAIN) as an initial access loader.
In this blog, we share how the researchers analyzed Sliver and used both lab-simulated attacks and real-world threat activity to create hunting queries to surface Sliver and other C2 frameworks.
How we proactively defend our environments.
whids: Open Source EDR for Windows
For Windows and built on the Sysmon driver, overall excellent stuff, strengths described as:
Relies on Sysmon for all the heavy lifting (kernel component)
Very powerful but also customizable detection engine
Built by an Incident Responder for all Incident Responders to make their job easier
Low footprint (no process injection)
Can co-exist with any antivirus product (advised to run it along with MS Defender)
Designed for high throughput. It can easily enrich and analyze 4M events a day per endpoint without performance impact. Good luck to achieve that with a SIEM.
Easily integrable with other tools (Splunk, ELK, MISP ...)
Import custom and third party partner ADMX templates in Microsoft Intune
Help with capability distribution.
You can import custom and third party/partner ADMX and ADML templates into the Endpoint Manager admin center. Once imported, you can create a device configuration policy using these settings, and then assign the policy to your managed devices.
Continuous access evaluation
Fabian Bader provides some defence-in-depth knowledge here, and shows how conditional access might be undermined.
At my company's bootcamp, a few colleagues and I did research on the different Azure Active Directory tokens and authentication flows. At the end of the week one question remained unanswered:
How does the usage of continuous access evaluation (CAE) and the extended lifetime of the access token impact security?
So, after I returned home, I started digging into this topic to answer the question.
Based on the observed behavior in my testing, there definitely are security implications.
Depending on your Conditional Access Policy you have additional protection out of the box. If you restrict access to certain IP ranges, this is definitely a win for you.
If you use Azure AD Plan 2 the user risk based triggers are a great way to minimize impact as well.
However, there are some caveats.
The Rise of LNK Files (T1547.009) and Ways To Detect Them
Julian-Ferdinand Vögele provides some tradecraft if you can’t block LNK files (dear God, why can’t you?).
In what follows, I will first provide a brief introduction to why and how macros were blocked as well as how to bypass the protections that were put in place. I will then give an overview of LNK files, one common alternative to macros, show how they are used in the wild, and finally discuss various ways for detection.
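The Bumblebee write-up above and Vögele's LNK post turn on the same observable: a shortcut that quietly runs a system binary while dressed up as a document. As an added example (not code from either report), this parses the header and StringData of a .lnk per Microsoft's MS-SHLLINK layout and applies a few triage heuristics; the two .lnk blobs are constructed fixtures, and the loader-binary list, icon hints and length threshold are my assumptions.

```python
import struct

# Added example for this newsletter, not code from the Bumblebee or LNK reports cited above.
# Layout constants are from Microsoft's MS-SHLLINK specification.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that starts the target minimised

# Assumed heuristics: system binaries a shortcut should rarely launch directly,
# and icon sources that make a shortcut look like a document.
LOADER_BINARIES = {b + ".exe" for b in ("powershell", "pwsh", "cmd", "rundll32", "mshta",
                                        "wscript", "cscript", "regsvr32", "msiexec", "certutil")}
DOCUMENT_ICON_HINTS = ("winword", "excel", "powerpnt", "acrord32", "notepad")


def parse_lnk(data: bytes) -> dict:
    """Return ShowCommand plus the StringData fields (name, relative path, working dir, arguments, icon)."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    fields = {"show_command": struct.unpack_from("<I", data, 60)[0]}
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:            # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                       # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if not flags & flag:
            fields[key] = ""
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        fields[key] = raw.decode("utf-16-le" if width == 2 else "latin-1")
        pos += count * width
    return fields


def triage_lnk(data: bytes) -> list:
    """Return the reasons a shortcut looks like a loader; an empty list means nothing notable."""
    f = parse_lnk(data)
    reasons = []
    target = f["relative_path"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if target in LOADER_BINARIES:
        reasons.append("launches a system binary: " + target)
    if any(b[:-4] in f["arguments"].lower() for b in LOADER_BINARIES):
        reasons.append("arguments chain into another system binary")
    if len(f["arguments"]) > 120:
        reasons.append("unusually long argument string")
    if any(h in f["icon_location"].lower() for h in DOCUMENT_ICON_HINTS):
        reasons.append("borrows a document application's icon: " + f["icon_location"])
    if f["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("window minimised at launch")
    return reasons


def build_sample_lnk(relative_path: str, arguments: str, icon_location: str, show_command: int = 1) -> bytes:
    """Constructed fixture (not a real-world sample): Unicode StringData only, no IDList or LinkInfo."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags, 0x80,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments, icon_location))
    return header + body + b"\x00\x00\x00\x00"      # empty ExtraData: TerminalBlock


# Constructed samples: a shortcut dressed as a PDF that quietly runs PowerShell, and a plain app shortcut.
SUSPICIOUS_LNK = build_sample_lnk(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                                  '-NoProfile -WindowStyle Hidden -Command "<constructed placeholder>"',
                                  r"C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroRd32.exe",
                                  show_command=SW_SHOWMINNOACTIVE)
BENIGN_LNK = build_sample_lnk(r"..\..\Program Files\7-Zip\7zFM.exe", "",
                              r"C:\Program Files\7-Zip\7zFM.exe")

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_LNK), ("benign", BENIGN_LNK)):
        print(label, triage_lnk(blob) or ["nothing notable"])
```

Run it over mail-gateway quarantine or extracted archive contents; every hit on a real shortcut is a reason to open the file in a parser rather than Explorer.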
Public preview of Azure Workbooks for Update Compliance
David Mebane walks through this new feature which will help numerous organisations.
Azure Workbooks for Update Compliance reporting is now available! You can now easily monitor Windows Updates and patch compliance by enabling this newly available public preview.
Scans SBoMs for security vulnerabilities
CACAO JSON Schemas
JSON schemas for validating CACAO Security Playbooks.
More information about the CACAO Security Playbooks Standard
Generate your own hash sets with HashR
Attack capability, techniques and tradecraft.
Modern Peer-to-Peer Cross-Platform Over TOR
Etw Session Hijacking
A PoC on blocking Procmon from monitoring network events
Tangled Win Exec
C# PoCs for investigation of Windows process execution techniques
Investigating .NET CLR Usage Log Tampering Techniques For EDR Evasion
From bohops; useful for defenders looking to detect these techniques.
Our attack surface.
Thousands of Hikvision Cameras are still vulnerable
… and could potentially be exploited, but there is no proof they have been.
CVE-2022-36804: Bitbucket Server and Data Center - Command injection vulnerability
Time to upgrade those Atlassian systems again..
CVE-2022-31789: Firebox Unauthenticated Buffer Overflow Vulnerability
Yes, it really is 2022.
An integer overflow in WatchGuard Firebox and XTM appliances allows an unauthenticated remote attacker to trigger a buffer overflow and potentially execute arbitrary code by sending a malicious request to exposed management ports.
What is being exploited.
CVE-2022-24521: private 1-day exploits used for attacking Windows 7-11
Data point on criminal exploit pull-through.
Cybercriminals have the capabilities to create so-called 1-day exploits within a matter of day(s) after the vulnerability is reported or fixed. This is the reason why many security professionals urge system admins and users to install security patches as soon as possible.
One such example is CVE-2022-24521, an arbitrary pointer dereference in the Common Log File System (CLFS) driver, which has a long history of vulnerabilities. CVE-2022-24521 allows an attacker to gain system privileges on the infected device and is exploited in different ways by various actors. Although this time, it must be said it took the criminals a little bit longer than usual to develop an exploit: two weeks after the vulnerability was disclosed. We did, however, find an exploit with a PE-timestamp dated about one week after the patch was released, indicating that a working exploit might have been available even earlier.
CVE-2022-27925: Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0
Exploit is out… brace brace brace..
Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. An authenticated user with administrator rights has the ability to upload arbitrary files to the system, leading to directory traversal.
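The defect class behind CVE-2022-27925 is archive entries whose names resolve outside the directory they are being extracted into. As an added example, not Zimbra's code, here is the containment check an importer like mboximport needs: resolve every member against the destination before writing it; the archive and its member names are constructed for the demo.

```python
import io
import os
import tempfile
import zipfile

# Added example, not Zimbra's code: the containment check an archive importer needs
# so that member names like "../../x" cannot write outside the destination.


def unsafe_entry(name: str, dest_dir: str) -> bool:
    """True when a ZIP member name would land outside dest_dir (directory traversal / Zip Slip)."""
    candidate = name.replace("\\", "/")              # attackers use either separator
    if candidate.startswith("/") or (len(candidate) > 1 and candidate[1] == ":"):
        return True                                  # absolute or drive-qualified path
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, candidate))
    return os.path.commonpath([dest, target]) != dest


def safe_extract(zip_bytes: bytes, dest_dir: str) -> list:
    """Extract only members that resolve inside dest_dir; return the names that were rejected."""
    rejected = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if unsafe_entry(info.filename, dest_dir):
                rejected.append(info.filename)
                continue
            # Write the member ourselves so the path that was checked is the path that is used.
            out_path = os.path.join(dest_dir, info.filename.replace("\\", "/"))
            if info.is_dir():
                os.makedirs(out_path, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(out_path), exist_ok=True)
            with zf.open(info) as src, open(out_path, "wb") as dst:
                dst.write(src.read())
    return rejected


def build_sample_zip() -> bytes:
    """Constructed archive (not from any real incident): one honest mailbox file, three escape attempts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Inbox/message1.eml", "From: alice@example.test\r\n\r\nhello\r\n")
        zf.writestr("../../../../escaped-unix.txt", "must never be written")
        zf.writestr("..\\..\\..\\escaped-windows.txt", "must never be written")
        zf.writestr("/escaped-absolute.txt", "must never be written")
    return buf.getvalue()


def run_demo() -> dict:
    """Import the constructed archive into a fresh temporary directory and report what happened."""
    dest = tempfile.mkdtemp(prefix="mboximport-")
    rejected = safe_extract(build_sample_zip(), dest)
    written = sorted(os.path.relpath(os.path.join(root, f), dest)
                     for root, _, files in os.walk(dest) for f in files)
    return {"rejected": rejected, "written": written}


if __name__ == "__main__":
    print(run_demo())
```

Python's own ZipFile.extractall already strips these names, but many Java and hand-rolled extractors do not, which is exactly the class of bug here; the point is that the check runs on the resolved path, not on the raw member name.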
Bitcoin ATM flaw
This whole vulnerability and what it was powering is a travesty in 2022. It should be criminal to write software this bad (joke/not joke).
An attacker was able to create an admin user remotely via the CAS (Crypto Application Server) admin interface, through a URL that is used during the default installation on the server for creating the first administration user. This vulnerability has been present since version 20201208.
Tooling and Techniques
Low level tooling for attack and defence researchers.
Hypervisor from Scratch
Source code for a multi-part series of tutorials about the hypervisor. This is an amazing resource for anyone looking to develop their own for cyber defence / research purposes.
The Hypervisor From Scratch tutorial was completely revised in August 2022. Code from all parts is updated, unnecessary details are removed, and new explanations and materials are added to the tutorial.
RPCMon: RPC Monitor tool based on Event Tracing for Windows
Will be of use in both offensive and defensive use cases.
A GUI tool for scanning RPC communication through Event Tracing for Windows (ETW). The tool was published as part of a research on RPC communication between the host and a Windows container.
Some other small bits and bobs which might be of interest.
How to Stand Up a Major Cyber Incident Investigations Board - A guide for independent organizations and state and local governments to develop a sustainable mechanism for investigating and drawing lessons-learned from cyber incidents both in the immediate aftermath of a cyber incident and long-term
Detection Engineering with MITRE Top Techniques & Atomic Red Team
The 2022 Velociraptor Conference - The first annual VeloCON summit will be held Thursday Sept 15th, 2022 with times oriented to the continental USA timezones
Computable Contracts and Insurance with CodeX, the Stanford Center for Legal Informatics - This paper provides a conceptual overview, explaining how computable contracts, coupled with automation, can drive innovation in the insurance business - etc. When you look at the tyre fire that is DeFi and smart contracts, it makes me nervous..
A Cyber Threat Intelligence Self-Study Plan
European Union Commission staff working document on foreign interference in higher education and R&D organisations - shows how the world is changing..
That’s all folks.. until next week..