Bluepurple Pulse: week ending August 6th
When is a breach considered detected? SEC clocks start ticking then..
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week nothing overly of note just the usual tempo of activity.
In the high-level this week:
The UK has published its National Risk Register 2023 - lots of cyber discussed.
CISA Released its Cybersecurity Strategic Plan - has three enduring goals
Address Immediate Threats
Harden the Terrain
Drive Security at Scale
US Senate passes annual defense bill, teeing up showdown with House - directs the Defense Department to ask the National Academy of Public Administration to assess establishing a seventh, cyber-specific military service.
FACT SHEET: Biden-Harris Administration Announces National Cyber Workforce and Education Strategy, Unleashing America’s Cyber Talent - a first-of-its-kind comprehensive approach aimed at addressing both immediate and long-term cyber workforce needs
Cyber security skills in the UK labour market 2023 - There were 160,035 cyber security job postings in the last year. This is an increase of 30% on the previous year. 37% of vacancies were reported as hard-to-fill (down from 44% in 2022, but same as 2021).
U.S. Hunts Chinese Malware That Could Disrupt American Military Operations -American intelligence officials believe the malware could give China the power to disrupt or slow American deployments or resupply operations, including during a Chinese move against Taiwan.
Cyber Insurance and the Ransomware Challenge: A study examining the role of cyber insurance in addressing the threats posed by ransomware - from RUSI - This paper does not advocate for an outright ban on ransom payments or for stopping insurers from providing coverage for them. Instead, it makes the case for interventions that would improve market-wide ransom discipline so that fewer victims pay ransoms, or pay lower demands.
US DoD has updated it Law of War manual - Various aspects related to cyber have been updated for the first time since 2015.
How Ukraine’s cyberwarriors are upending everyday life in Russia - “We can’t hit their military infrastructure because it’s isolated and well protected. But we can hit the industries the military uses. When we attack their railways, it affects both their civilian and military trains,”
Jordan adopts cybercrime law seen as threat to free speech - empowering the government to control more online content
US Army officially creates new offensive cyber and space program office - While Cybercom will inherit new budgeting authorities in October that will put it in charge of all aspects of the cyber force and capabilities, it is still maturing and thus will still look to the services and their expertise to continue building these platforms for them on a reimbursable basis.
Growth in cyber mission leads to new PM Office at PEO IEW&S - this is the press release for the above - To support the expanding cyber, information warfare and tactical space missions, Project Management Cyber and Space (PM C&S), was created as a new project management office within Program Executive Office Intelligence, Electronic Warfare and Sensors (PEO IEW&S).
US Air Force building new tactical teams for 'cyber-enabled air superiority' - provides operationally integrated cyber capabilities to the air component to help assure the projection of air power against the adversary in future operating environments.
Cyber Experience on Boards Still Seen as Critical in New SEC Rules - The U.S. Securities and Exchange Commission proposed regulations in March 2022 that would have required companies to disclose which, if any, of their board directors had significant knowledge of or experience in cybersecurity. The SEC dropped that provision in the final version of the rule adopted.
What the New SEC Regulation on Cyber Reporting Means for the Risk Management Profession - Report material cybersecurity incidents within four business days from the time that a breach is determined by the registrant to be “material”.
US SEC adopts new cyber rule, unveils brokerage AI proposal - voted to propose requiring broker-dealers to address conflicts of interest in the use of artificial intelligence in trading, a reform partly influenced by the events of the 2021 "meme stock" rally when officials found robo-advisers and brokers used AI and game-like features to drive user behavior - you can see the possible market stability risks.
Ministers Richmond and Calleary launch Ireland’s AI Standards and Assurance Roadmap - Ireland outlines their vision, although I note no timelines we immediately evident - the complexity is of note.
Strengthening Resilience to AI Risk - Effectively addressing the most serious risks will depend upon trust and at times collaboration between government, industry, and civil society on an international scale. The current landscape presents a valuable opportunity for the UK to assume a leading role as an international convener on the topic of AI risk.
Digital Tokens: A Legal Perspective - from the International Monetary Fund - If tokens are to achieve their full potential, there is a need for a set of fundamental legal rules that integrate tokens within the existing legal fabric, providing solid responses for the issues tokens raise.161 Among these questions, the law should recognize and define DLT and smart contracts to include them within existing legal mechanisms and recognize their effects in transferring tokens and generating rights for parties.
Chinese Lawfare in the Maritime, Aviation, and Information Technology Domains - a really nice summary including the use of cyber and law to achieve their national security aims.
AI and Intelligence
Human-centred ways of working with AI in intelligence analysis - written by the Defence Science and Technology Laboratory (DSTL) to help the people we work with think about AI and human-centric intelligence analysis, moving AI and the Lab to the user
Large Language Models and Intelligence Analysis - While LLMs can now complete many complex text-based tasks rapidly and effectively, they cannot be trusted to always be correct. This has important implications for national security applications and our ability to provide well considered and trusted insights.
ESRB proposes facial age estimation technology for parental consent - interesting for a whole host of reasons.
The INtelligent Generation Of Tools for Security (INGOTS) program seeks to semi-autonomously reverse engineer and reconstruct recently patched software vulnerabilities in a software supply chain in order to develop tools and techniques to generate exploit chains for cyber hardened enterprise software. INGOTS will also use data from this process to develop a new metrology for assessing the exploitability of chained vulnerabilities, enabling defenders to quantify the risk posed by vulnerabilities in blue networks and to prioritize rapidly fixing the most exploitable issues before an attacker can leverage them.
This feels like a ‘big swing’ in cyber terms - I am a fan of the DARPA Grand Challenge approach to drive game changing breakthroughs. When we look at the inherent challenges and those things we wished we could what else do we aim for? One of my biggest objectives still remains the ability to understand and see how and what data flows through an even modestly complex system made up of numerous black boxes in real-time to help validate they work in the ways we think they do.
On the interesting job/role front (thanks to those sending me these):
Senior Capability Developer - Threat Intelligence at Dragos in the USA
Incident Response Lead at Coalition Inc in the UK
Lecturer / Senior Lecturer / Associate Professor in Cyber Security at the University of Bristol in the UK
Associate Director for Analytic Capabilities at the Cybersecurity and Infrastructure Agency (CISA) National Risk Management Center (NRMC) in the USA
Deputy Director - Digital Conflict at The Centre for Humanitarian Dialogue in Geneva, Switzerland (or remote)
Deputy Director, Cybersecurity at Nethope (a global consortium of nearly 60 global nonprofit organizations that specializes in improving IT connectivity among humanitarian organizations in developing countries and areas affected by disaster) - Global
Enjoying this? don’t get via e-mail? Subscribe:
Think someone else would benefit? Share:
Have a lovely Saturday
Cyber threat intelligence
Who is doing what to whom and how.
BlueBravo Adapts to Target Diplomatic Entities with GraphicalProton Malware
Russia, along with a number of other actors, continue to explore the modern world for opportunities to both deliver and otherwise enable their cyber operations. The fact we now have an acronym for these systems - legitimate internet services (LIS) - hints at the trend.
[We have] been monitoring the activities of Russian state actors who are intensifying their efforts to hide command-and-control network traffic using legitimate internet services (LIS) and expanding the range of services misused for this purpose.
The group's misuse of LIS is an ongoing strategy, as they have used various online services such as Trello, Firebase, and Dropbox to evade detection. BlueBravo appears to prioritize cyber-espionage efforts against European government sector entities, possibly due to the Russian government's interest in strategic data during and after the war in Ukraine.
Midnight Blizzard conducts targeted social engineering over Microsoft Teams
A lesson in why Small Medium Enterprise security is important even if not the primary target. The trust and validity they provide in second order operations is worth something to an increasing range of cyber actors.
To facilitate their attack, the actor uses Microsoft 365 tenants owned by small businesses they have compromised in previous attacks to host and launch their social engineering attack.
From 0 to 100: a story of the escalation of Threat Actors
An analysis up until June which paints an interesting picture of a complex environment with a spectrum of activity by numerous actors. This is modern cyber conflict it would seem..
Russian organised crime and Ransomware as a Service: state cultivated cybercrime
Hannah Gately’s Masters Thesis which has just been published which outlines some rationality as to why we are in the situation we are with regards ransomware/hack and leak etc. Albeit a rather sobering analysis..
As argued by Vaksberg (1991), corruption blurs the lines between the state and organised crime, and through their corrupt actions, the Russian state has become deliberately involved with organised cybercrime groups, including RaaS. This research project highlighted that the Russian state created a unique environment that has allowed RaaS to flourish due to its ongoing connection with organised crime, which would develop into a relationship with RaaS groups. Throughout the evolution of Russian-based ransomware and Russian organised crime, the state has played a continual influential role which due the political-criminal nexus and the benefits that the relationship provided to the political elites. Furthermore, the politicalcriminal nexus emphasised the significant role that Russia’s corrupt landscape has played in the development of RaaS within the state with the nexus providing cybercriminals an unprecedented level of protection.
Detecting Ongoing STARK#MULE Attack Campaign Targeting Victims Using US Military Document Lures
Den Iuzvyk, Tim Peck and Oleg Kolesnikov outline a campaign which they hypothesize uses phishing as the initial access method. Outside of the use of an ecommerce website as the intermediary stage there is little of note.
An interesting new ongoing attack campaign which lures its victims using US military related documents to run malware staged from legitimate compromised Korean websites has been identified
IRS mail delivery notification impersonation attack (Konni APT Campaign)
South Korean reporting on North Korean activity. Other than the lure narrative there is little of note.
Disguise as a delivery notification service for the National Tax Service mail center and deliver a ZIP file to request submission of explanatory materials
Use of LNK malicious code with the file name 'List of explanatory data (Enforcement Rules of the National Tax Collection Act).hwp.lnk'
There is a method of using CHM malicious files by disguising as a payroll ledger from a specific company sent by the tax office.
A number of reports of similar threats, such as the Fair Trade Commission’s written fact-finding investigation, prior notice and notice notice, etc.
Consistent with Konni APT threat campaign and TTPs, various variants of attacks are continuously deployed in Korea
Distributing malware disguised as coin and investment related content (DPRK)
South Korean reporting which hints at North Koreas continued pursuit for crypto assets. The scale of the North Korean crypto asset acquisition really is a thing of wonder and one of which we should be minded of as different digital asset classes emerge.
[We] recently confirmed that malicious codes disguised as coin exchange and investment-related contents are being distributed. Malicious code is distributed in the form of executable files and word documents, and is presumed to have been produced by the Kimsuky group judging from the User-Agent name used in the malicious code.
Reptile Malware Targeting Linux Systems
China deriving capability from open source..
Reptile is an open-source kernel module rootkit that targets Linux systems and is publicly available on GitHub
After becoming publicly available on GitHub as open-source, Reptile has been used consistently in attacks. For example, a recent report by Mandiant confirmed that a threat group based in China used Reptile in their ongoing attack using the zero-day vulnerability in Fortinet products.
It should be noted that ICMP Shell was also used in the attack cases in Korea.
[There are] similarities with the Mélofée malware cases based on the installation paths or disguised directory names of the malware.
Ransomware Command-and-Control Providers Unmasked
An Iranian hosting provider is assessed as being used by various criminal and state cyber operators. They aren’t unique here but it does pose an interesting problem as these providers may not recognize the requests of western authorities. You can predict over time with Russian influence in Africa we might see similar western-hostile hosting providers emerge there also. Fun times..
Threat actors that are assessed to be leveraging Cloudzy include APT groups tied to the Chinese, Iranian, North Korean, Russian, Indian, Pakistani, and Vietnamese governments; a sanctioned Israeli spyware vendor whose tools are known to target civilians; several criminal syndicates and ransomware affiliates whose campaigns have spurred international headlines.
Inside the IcedID BackConnect Protocol (Part 2)
Some excellent analysis here based on netflow. This really shows what skilled commercial analysts are able to achieving in 2023.
The overall quantity of BC C2s has increased.
A total of 34 medium and high confidence IcedID BC C2 servers were identified since 23 January 2023, up from 11 we observed from July 2022 until the end of the year.
The average life cycle for a BC C2 has decreased.
The average uptime of a BC C2 decreased from 28 days to eight days, and concurrently active servers increased from two to a maximum of four.
Additional management infrastructure has been identified.
Management activity continues to be sourced from two static VPN nodes, with other common management peers observed.
Management-related activity has evolved from our last blog post.
Management activity now varies from C2 to C2, we do not always observe connections from the same management IPs.
Observed management activity is likely a mix of IcedID operator and affiliate access.
Victims can communicate with multiple BC C2 servers over time.
A possible connection between BC-infected victims and spamming activity was identified.
CISA Releases Malware Analysis Reports on Barracuda Backdoors
When Firewalls get targeted .. a comprehensive writeup here by US Government on what they have seen.
Barracuda Exploit Payload and Backdoor – The payload exploits CVE-2023-2868, leading to dropping and execution of a reverse shell backdoor on ESG appliance. The reverse shell establishes communication with the threat actor’s command and control (C2) server, from where it downloads the SEASPY backdoor to the ESG appliance. The actors delivered the payload to the victim via a phishing email with a malicious attachment.
SEASPY – SEASPY is a persistent and passive backdoor that masquerades as a legitimate Barracuda service. SEASPY monitors traffic from the actor’s C2 server. When the right packet sequence is captured, it establishes a Transmission Control Protocol (TCP) reverse shell to the C2 server. The shell allows the threat actors to execute arbitrary commands on the ESG appliance.
SUBMARINE – SUBMARINE is a novel persistent backdoor executed with root privileges that lives in a Structured Query Language (SQL) database on the ESG appliance. SUBMARINE comprises multiple artifacts—including a SQL trigger, shell scripts, and a loaded library for a Linux daemon—that together enable execution with root privileges, persistence, command and control, and cleanup. CISA also analyzed artifacts related to SUBMARINE that contained the contents of the compromised SQL database. This malware poses a severe threat for lateral movement.
Out of the Sandbox: WikiLoader Digs Sophisticated Evasion
Kelsey Merriman and Pim Trouerbach detail a criminal commercial offering that has a degree of technical sophistication in order to provide a degree of longevity.
[We] identified a new malware we call WikiLoader.
It has been observed delivered in multiple campaigns conducted by threat actors targeting Italian organizations.
The malware uses multiple mechanisms to evade detection.
It is named WikiLoader due to the malware making a request to Wikipedia and checking that the response has the string “The Free” in the contents.
It is likely the use of this malware is available for sale to multiple cybercriminal groups.
[Our] researchers observed a high-volume malicious email campaign targeting companies in Italy, which began with emails containing a Microsoft Excel attachment spoofing the Italian Revenue Agency. The Microsoft Excel attachments contained characteristic VBA macros which, if enabled by the recipient, would download and execute a new unidentified downloader that Proofpoint researchers eventually dubbed WikiLoader. This campaign was attributed to TA544.
The "Blade of Picture Poor" gang poisoned a variety of software SEO for domestic users
Chinese reporting on their own wrestling match with organized crime who are purchasing search engine adverts to distribute implants.
By purchasing search engine advertisements, the gang put multiple fake software download pages at the top of the search results for specified keywords
The initial sample is an MSI file, which contains a normal installation package and a Trojan loader. The Trojan loader loads the Trojan in various ways, and finally reads the image file, decodes it through base64 + LZNT1 or XORs + adds the specified byte And operation to decrypt FatalRAT.
How we find and understand the latent compromises within our environments.
Leveraging osquery to examine the XProtect Behavioral Service DB
Chris Long provides a quick guide on how to use osquery to extract information from Apple’s XProtect sqlite database. For anyone running a macOS fleet this is something which should be considered.
I had assumed all XProtect detections were signature based, but it sounds like Apple may be testing some behavioral-based rules to flag suspicious process executions in newer versions of MacOS.
Anomaly detection in certificate-based TGT requests
Alexander Rodchenko provides a great example of what defensive research can yield. He analyzed the attack, the tooling used to perform it and correlated with the available artifacts.
I identified several signs of such attacks inside the network and developed a Proof-of-Concept utility capable of finding artifacts in AD, as well as a number of detection logic rules that can be added to SIEM.
How we proactively defend our environments.
Preventing Web Application Access Control Abuse
Web vulnerabilities continue to plague which has resulted in the Australian Cyber Security Centre, CISA and NSA releasing a joint advisory. There are no quick wins here, it will require software developers to understand, assess for presence and then mitigate. PortSwigger’s Web Academy has a section on Insecure direct object references (IDOR) and guide on how to test for the presence of such vulns using Burp Professional.
IDOR vulnerabilities are access control vulnerabilities in web applications (and mobile phone applications [apps] using affected web API) that occur when the application or API uses an identifier (e.g., ID number, name, or key) to directly access an object (e.g., a database record) but does not properly check the authentication or authorization of the user submitting the request. Depending on the type of IDOR vulnerability, malicious actors can access sensitive data, modify or delete objects, or access functions.
Horizontal IDOR vulnerabilities occur when a user can access data that they should not be able to access at the same privilege level (e.g., other user’s data).
Vertical IDOR vulnerabilities occur when a user can access data that they should not be able to access because the data requires a higher privilege level.
Object-level IDOR vulnerabilities occur when a user can modify or delete an object that they should not be able to modify or delete.
Function-level IDOR vulnerabilities occur when a user can access a function or action that they should not be able to access
Dynamic Detection and Classification of Persistence Techniques in Windows Malware
Jorik Jaromir van Nielen has released their Masters thesis which does a wonderful job in summarizing this rather knotty and complex area (see Appendix A).
Our attack surface.
CVE-2023-35081: Remote Arbitrary File Write
This product is currently subject to a ‘bug surge’ that is numerous others are starting to pile in, so this wont be the last.
CVE-2023-35081 enables an authenticated administrator to perform arbitrary file writes to the EPMM server. This vulnerability can be used in conjunction with CVE-2023-35078, bypassing administrator authentication and ACLs restrictions (if applicable).
Successful exploitation can be used to write malicious files to the appliance, ultimately allowing a malicious actor to execute OS commands on the appliance as the tomcat user.
As of now we are only aware of the same limited number of customers impacted by CVE-2023-35078 as being impacted by CVE-2023-35081.
CVE-2023-38633: Arbitrary file read when xinclude href has special characters - / librsvg · GitLab
I suspect this will be a deep vulnerability that will be exploited in novel and interesting ways via SVG files.
A library to render SVG images to Cairo surfaces. GNOME uses this to render SVG icons. Outside of GNOME, other desktop environments use it for similar purposes. Wikimedia uses it for Wikipedia's SVG diagrams.
CP2023-003 Vulnerability Mitigation/Remediation for Inkjet Printers (Home and Office/Large Format)
The sad thing about this vulnerability is the likely reduced recycling which will result from it and the corresponding negative environmental impact. Some organizations will like over rotate and start to destroy all printers / embedded devices to err on the side of caution.
Sensitive information on the Wi-Fi connection settings stored in the memories of inkjet printers (home and office/large format) may not be deleted by the usual initialization process.
Attack capability, techniques and trade-craft.
KRBUACBypass: UAC Bypass By Abusing Kerberos Tickets
Chinese researcher weaponizes some James Forshaw research.
By adding a
KERB-AD-RESTRICTION-ENTRYto the service ticket, but filling in a fake MachineID, we can easily bypass UAC and gain SYSTEM privileges by accessing the SCM to create a system service.
Hook, Line, and Phishlet: Conquering AD FS with Evilginx
Daniel Underhay provides an end-to-end walk through on how to Phish where an organization has AD FS for federated single sign-on and has implemented Multi-Factor Authentication (MFA) as a company-wide policy. FIDO2/Webauthn can not come soon enough!
Abusing the AWS SSM Agent as a Remote Access Trojan
Ariel Szarf and Or Aspir highlight that the opportunity for persistence and implants can exist in numerous living off the land system components.
[We] discovered a new potential post-exploitation technique in AWS (Amazon Web Services): running AWS’s Systems Manager (SSM) agent as a Remote Access Trojan (RAT) on both Linux and Windows machines, controlling the endpoint using another AWS account.
Using a couple of simple bash commands, the SSM agent can communicate and execute commands from different AWS accounts than the original AWS account where the EC2 instance is hosted. Through these actions, we also obtained the ability to run more than one SSM agent process in one endpoint, making our rouge agent process to work with our AWS account while the other process to continue working with the original AWS account without any interference.
What is being exploited.
Threat Actors Exploiting Ivanti EPMM Vulnerabilities
We touched on one of these above, this the in-the-wild exploitation advisory.
The Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) are releasing this joint Cybersecurity Advisory (CSA) in response to active exploitation of CVE-2023-35078 and CVE-2023-35081. Advanced persistent threat (APT) actors exploited CVE-2023-35078 as a zero day from at least April 2023 through July 2023 to gather information from several Norwegian organizations, as well as to gain access to and compromise a Norwegian government agency’s network.
Ivanti released a patch for CVE-2023-35078 on July 23, 2023. Ivanti later determined actors could use CVE-2023-35078 in conjunction with another vulnerability CVE-2023-35081 and released a patch for the second vulnerability on July 28, 2023. NCSC-NO observed possible vulnerability chaining of CVE-2023-35081 and CVE-2023-35078.
Redis P2Pinfect - the variant they encountered was delivered via exploitation of CVE-2022-0543
Nate Bill and Matt Muir detail in the wild exploitation of a LUA sandbox escape by a worm.
Attempts multiple Redis exploits for initial access
Utilises Rust for payload development, making analysis tricky
Uses multiple evasion techniques to hinder dynamic analysis
Conducts internet scanning for Redis and SSH servers
Self-replication in a worm-like manner
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
SCARF: A Low-Latency Block Cipher for Secure Cache-Randomization
Federico Canale, Tim Güneysu, Gregor Leander, Jan Philipp Thoma, Yosuke Todo, and Rei Ueno released an academic paper which is intended to complicate exploitation of cache based side channel attacks through the introduction of entropy. The key to its success will be implementation by the silicon vendors - it will be interesting if the next phase of this research is the implement in something like risc5.
Randomized cache architectures have proven to significantly increase the complexity of contention-based cache side-channel attacks and therefore present an important building block for side-channel secure microarchitectures. By randomizing the address-to-cache-index mapping, attackers can no longer trivially construct minimal eviction sets which are fundamental for contention-based cache attacks. At the same time, randomized caches maintain the flexibility of traditional caches, making them broadly applicable across various CPU types. This is a major advantage over cache partitioning approaches. A large variety of randomized cache architectures has been proposed. However, the actual randomization function received little attention and is often neglected in these proposals. Since the randomization operates directly on the critical path of the cache lookup, the function needs to have extremely low latency. At the same time, attackers must not be able to bypass the randomization which would nullify the security benefit of the randomized mapping. In this paper, we propose SCARF (Secure CAche Randomization Function), the first dedicated cache randomization cipher which achieves low latency and is cryptographically secure in the cache attacker model. The design methodology for this dedicated cache cipher enters new territory in the field of block ciphers with a small 10-bit block length and heavy key-dependency in few rounds.
Intel VT-rp - Part 2. paging-write and guest-paging verification
Satoshi Tanda demonstrates what world class low level reverse engineering looks like.
This is the 2nd part of the series about the Intel VT Redirection Protection (VT-rp) technology. This post focuses on two of its features: paging write (PW) and guest-paging verification (GPV). We will also discuss how other protection mechanisms complement Intel VT-rp to defend the system against kernel-mode exploits.
The addition of Intel VT-rp is one of the latest examples of how processors and hypervisors evolve and play significant roles in the security scenes. It is also interesting to think about how many machines lack some of those protections, given that it was only in late 2020 when Intel CET was released with 11th gen and AMD shadow-stack was released with Ryzen 3.
Some other small (and not so small) bits and bobs which might be of interest.
Introduction to ‘Artificial intelligence in failure analysis of transportation infrastructure and materials' - fascinated if there is lateral application to cyber.
Tyre Examinations in Vehicle Systems Forensics - Inaccurate or mismatched tyre data can have repercussions on the accuracy of speed calculations and other safety-related systems. When the actual tyre size and condition do not match what the ECU is programmed to expect, the speed calculations can be skewed, leading to errors in reported speeds. - stuff of nightmares.
Computing on Encrypted Data - We discuss the progress in four technologies which enable this: Trusted Execution Environments, Fully Homomorphic Encryption, Multi-Party Computation and Zero-Knowledge Proofs.
What are influence operations and why are we investigating them? by the The Bureau of Investigative Journalism
UK NCSC and SANS CyberThreat 2023 - Call for Presentations - 20-21 November 2023 - London UK - deadline is Monday 7th of August
Finally my copies of CNE for Babies arrived from the US this week.