Bluepurple Pulse: week ending December 11th
Bluepurple Pulse: week ending December 11th
600k Euro fine under GDPR in France for storing passwords as MD5s without salts
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week you will see there is a lot of reporting around Russian activity. The other key notes are that North Korea and their crypto campaigns continue and the Iranian supply chain attack used to deploy a wiper in Israel is a cause of concern.
In the high-level this week:
600k Euro fine under GDPR in France for storing passwords as MD5s without salts - I forgot to cover this last week, but it’s an interesting turn of events and will strike fear in the technical debt laden firms who fall under GDPR
Combating Cybercrime, with Bryan Smith - Podcast with Bryan Smith, chief of the FBI’s Cybercriminal Section and a 20-year bureau veteran, about the growing threat of cybercrime to both individuals and large corporations.
US National Defense Authorization Act (NDAA) for Fiscal Year 2023 (FY23) - 965 mentions of cyber, the summary mentions cyber 283 times - lots of and lots of education. Other moves include The Senate amendment contained a provision (sec. 6101) that would require the Cybersecurity and Infrastructure Security Agency to conduct a pilot program evaluating the employment of a civilian cybersecurity reserve to aid in response to significant cybersecurity incidents.
NCSC to become federal office in DDPS in Switzerland - within Federal Department of Defence, Civil Protection and Sport (DDPS) - but an important move by the Swiss.
Lessons from Russia’s cyber-war in Ukraine - in The Economist and thus I think it safe to say cyber is mainstream but the analysis is so/so. Has echos of what others have said i.e. cyber is not magic and sometimes bombs are more effective.
Albanian IT staff charged with negligence over cyberattack - although one commentator on the sub reddit said “They are not charged yet”
EU spyware probe has a problem: Spain - Political disquiet among EU members during their ongoing spyware inquiry.
RackSpace has an ongoing major incident in their hosted e-mail service - but kudos for the transparency
United States Government Accountability Office Report to Congressional Committees - Actions Needed to Better Secure Internet-Connected Devices - The Internet of Things Cybersecurity Improvement Act of 2020 generally prohibits agencies from procuring or using an IoT device after December 4, 2022, if that device is considered non-compliant with NIST-developed standards.
NATO prepares for cyber war - More than 1,000 cyber professionals in NATO members and its allies across the globe participated in an exercise to test and strengthen cyber defences - Team work is dream work..
EU sets up a cyber lab for the Ukrainian Armed Forces - Within the simulated network, the officials of the Ukrainian Armed Forces can learn to cope under high levels of stress, locating and exploring vulnerabilities on various network systems. - I suspect they’ve experienced high levels of stress evicting Russia from their networks.
Cyber Safety Review Board to Conduct Second Review on Lapsus$ - teenagers cause event akin to an airplane crashing which warrants material review.
France’s Mr. Privacy turns cybersnooper - How the disgraced co-founder of France’s answer to Google moved into the murky world of cybersurveillance.
The use of Pegasus and equivalent surveillance spyware - The existing legal framework in EU Member States for the acquisition and use of Pegasus and equivalent surveillance spyware - a look at various legislation in various European countries which allows the use of such tooling
Amnesty International Canada target of sophisticated cyber-attack linked to China - high-level statement calling China out as the aggressor.
Destination Africa: The scramble to sell cyberweapons to dictators - spyware used against journalists, journalists then across democracies release barrage of reporting.
Reflections this week come in two parts…
The first part is that ChatGPT has been demonstrated in two valid cyber use cases within a week. The first is as a reverse engineering work aid (four released this week - see below) and the second is as an email generator which has obvious applications in phishing campaign building (also see below).
The second part comes from the book Chip War: The Fight for the World's Most Critical Technology which I recently finished and specifically around two things.
There were numerous opportunities in various countries globally to avert where we are today in terms of limited diversity and the resulting security situation. But either the pursuit for profit and/or the lack of long term impact understanding meant they were not taken. I’m also not sure if the decisions were re-run if we’d get a different outcome in all cases.
The complexity and fragility of the supply chains of semiconductor foundry equipment and materials is a thing of wonder but also a concern.
Anyway the book is a wonderful read/listen.
Enjoying this? don’t get via e-mail? subscribe:
Think someone else would benefit? Share:
Have a lovely Friday
Ollie
Cyber threat intelligence
Who is doing what to whom and how.
Callisto reporting
Multiple bits of reporting on this Russian threat actor from across the industry this week.
Exposing TAG-53’s Credential Harvesting Infrastructure Used for Russia-Aligned Espionage Operations
The first provides insight around tradecraft in domain registration as well as target profiles.
Insikt Group has identified new infrastructure used by TAG-53, a group likely linked to suspected Russian threat activity groups Callisto Group, COLDRIVER, and SEABORGIUM.
The identified TAG-53 infrastructure features common traits including the use of specific domain registrars, the use of Let’s Encrypt TLS certificates, and a small cluster of autonomous systems. Most of TAG-53’s domains use a specific stylistic structure.
TAG-53 has used domains masquerading as organizations across multiple industry verticals, with a particular focus on government, intelligence, and military industries.
Blue Callisto orbits around US Laboratories in 2022
The second gives a sense of later stage tradecraft.
Since the Russo-Ukraine war began in 2022, we have observed Blue Callisto taking an increased interest in Ukraine, targeting at least one private Ukrainian company related to logistics. We assess Blue Callisto is highly likely still primarily focused on governmental organisations based in Europe and the US.
In this blog post we detail 2022 phishing activity [our] threat intelligence team attributes to Blue Callisto and list indicators for defenders to query. The activity ranges from February 2022 to October 2022. Some of the domains resolve to IPs which we assess are likely operated by Blue Callisto to service fake webpages and gather credentials as of 24th October 2022.
Calisto show interests into entities involved in Ukraine war support
The third gives a sense of the scale as well as tradecraft.
We came across domains, known to us as aligning with past Calisto activities. Further investigations led to a larger infrastructure composed of more than 80 domains, including domains typosquatting entities.
https://blog.sekoia.io/calisto-show-interests-into-entities-involved-in-ukraine-war-support/
Cloud Atlas reporting
Two bits of reporting on this state actor.
APT Cloud Atlas: Unbroken Threat
The first gives the history and then brings us up to date on the current targets.
[We] have been monitoring the Cloud Atlas group since May 2019. According to our data, its attacks have been targeting the government sector of the following countries:
Russia
Belarus
Azerbaijan
Turkey
Slovenia
In the third quarter of 2022, during our investigation we identified a phishing campaign targeting employees of Russian government agencies. The attackers used targeted mailing based on the professional field of the recipients, even though we found no publicly available information about them.
Cloud Atlas targets entities in Russia and Belarus amid the ongoing war in Ukraine
The second gives a session of mission prioritisation that occurred within the threat actors operations. Also interestingly that they were successful in some cases.
However, since the rapid escalation of the conflict between Russia and Ukraine in 2021 and especially after the outbreak of war in February 2022, the scope of the group’s activities has narrowed significantly, with a clear focus on Russia, Belarus and conflicted areas in Ukraine and Moldova. Some evidence discovered while monitoring the group’s latest activities indicates that the group carried out a few successful intrusions and managed to gain full access to some of the targeted environments.
Abused Slack service: Analysis of APT29's attack activities against Italy
Chinese reporting on Russian activity (interestingly they don’t attribute the country) and their use of Slack C2. The use of Slack as a C2 means their TI team will have a sense of the victims etc.
CryWiper disguised as ransomware hitting Russia
On the flip side Russia getting hit with a wiper.
The files are not really encrypted; instead, the Trojan overwrites them with pseudo-randomly generated data.
So far, our experts have seen only pinpoint attacks on targets in the Russian Federation. However, as usual, no one can guarantee that the same code won’t be used against other targets.
https://www.kaspersky.com/blog/crywiper-pseudo-ransomware/46480/
Mustang Panda Uses the Russian-Ukrainian War to Attack Europe and Asia Pacific Targets
China in a hold my 🍺 moment, but also the fact they are using phishing..
Weapons
DLL Loaders + encrypted .dat payloads
Attack Vector
Current event-themed phishing lures
Network Infrastructure
Web based command-and-control (C2)
Targets
Mining, Education, Telecoms, Financial, CDN Companies, Internet Service Providers, Internet Security Firms, Web Hosting Companies
Analysis of network attack activities of Torii remote control organized by OceanLotus
Chinese reporting on a Vietnamese threat actor and their front line infrastructure implant framework.
[We] captured a batch of active IoT remote control Trojan horses. The attackers behind them are hiding after attacking a considerable number of Linux hosts, servers, and IoT devices in important government and enterprise units in my country, not for economic interests . The Trojan horse has rich secret stealing and command control capabilities, and the C2 backhaul link also hides the real command control server through the domestic and foreign IoT devices compromised in advance as a traffic springboard
Analysis of an Intrusion Campaign Targeting Telco and BPO Companies
Criminal activity reported here (and a massive product/service pitch). The involved social engineering is the thing of note.
[We] performed multiple investigations into an intrusion campaign targeting telecommunications and business process outsourcing (BPO) companies.
The end objective of this campaign appears to be to gain access to mobile carrier networks and, as evidenced in two investigations, perform SIM swapping activity.
Initial access is varied: Social engineering using phone calls and text messages to impersonate IT personnel, and either directing victims to a credential harvesting site or directing victims to run commercial remote monitoring and management (RMM) tools.
These campaigns are extremely persistent and brazen. Once the adversary is contained or operations are disrupted, they immediately move to target other organizations within the telecom and BPO sectors.
Organizations should focus on identity-based security through authentication restrictions and secure multifactor authentication (MFA) configurations to most effectively disrupt this campaign.
[We have] attributed this campaign with low confidence to the SCATTERED SPIDER eCrime adversary.
https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/
₿uyer ₿eware: Fake Cryptocurrency Applications Serving as Front for AppleJeus Malware
Callum Roxan, Paul Rascagneres and Robert Jan Mora discusses a North Korean campaign attempting to get access to crypto currency (a mid term trend of theirs).
Over the last few months, [we have] observed new activity tied to a North Korean threat actor it tracks that is widely referred to as the Lazarus Group. This activity notably involves a campaign likely targeting cryptocurrency users and organizations with a variant of the AppleJeus malware by way of malicious Microsoft Office documents. [Our] analysis of this campaign uncovered a live cryptocurrency-themed website with contents stolen from another legitimate website. Further technical analysis of the deployed AppleJeus malware uncovered a new variation of DLL side-loading that [we had] not seen previously documented as in the wild.
DEV-0139 launches targeted attacks against the cryptocurrency industry
More suspect North Korean activity again going after cryptocurrency.
We are also seeing more complex attacks wherein the threat actor shows great knowledge and preparation, taking steps to gain their target’s trust before deploying payloads. For example, Microsoft recently investigated an attack where the threat actor, tracked as DEV-0139, took advantage of Telegram chat groups to target cryptocurrency investment companies
After gaining the target’s trust, DEV-0139 then sent a weaponized Excel file with the name OKX Binance & Huobi VIP fee comparision.xls which contained several tables about fee structures among cryptocurrency exchange companies. The data in the document was likely accurate to increase their credibility. This weaponized Excel file initiates the following series of activities:
A malicious macro in the weaponized Excel file abuses UserForm of VBA to obfuscate the code and retrieve some data.
The malicious macro drops another Excel sheet embedded in the form and executes it in invisible mode. The said Excel sheet is encoded in base64, and dropped into C:\ProgramData\Microsoft Media\ with the name VSDB688.tmp
The file VSDB688.tmp downloads a PNG file containing three executables: a legitimate Windows file named logagent.exe, a malicious version of the DLL wsock32.dll, and an XOR encoded backdoor.
The file logagent.exe is used to sideload the malicious wsock32.dll, which acts as a DLL proxy to the legitimate wsock32.dll. The malicious DLL file is used to load and decrypt the XOR encoded backdoor that lets the threat actor remotely access the infected system.
North Korea-linked hacking attack pretending to be a discussion topic at a diplomatic and security conference
South Korean reporting on North Korean activity again using their involved social engineering techniques.
This attack seems to be aimed at workers in the fields of domestic diplomacy, security, and unification, and it has been confirmed that the target of attending an upcoming academic conference or year-end event was approached by e-mail by deceiving them like schedule inquiries or data requests.
https://blog-alyac-co-kr.translate.goog/5002?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=wapp
Iran: State-Backed Hacking of Activists, Journalists, Politicians
Iran going after various targets they perceive against their interests with phishing. Resulting in Human Rights Watch to out them in glorious technical technicolour.
Hackers backed by the Iranian government have targeted two Human Rights Watch staff members and at least 18 other high-profile activists, journalists, researchers, academics, diplomats, and politicians working on Middle East issues in an ongoing social engineering and credential phishing campaign, Human Rights Watch said today.
https://www.hrw.org/news/2022/12/05/iran-state-backed-hacking-activists-journalists-politicians
BackdoorDiplomacy Wields New Tools in Fresh Middle East Campaign
Adrian SCHIPOR and Victor VRABIE discuss what is suspected of being an Asian threat actor who is currently unattributed in open source. But strong suspicions of being Chinese.
APT group BackdoorDiplomacy, which has been operating at least since 2017, is known for its attacks against institutions in the Middle East and Africa as well as in the United States
The infection vector pointed to a vulnerable Exchange server, exploiting ProxyShell. Forensic evidence shows the attack started in August 2021, when the group deployed the NPS proxy tool and IRAFAU backdoor into the organization.
Starting in February 2022, the threat actors used another tool - Quarian backdoor, along with several other scanners and proxy/tunneling tools.
Artifacts reveal the use of keyloggers and exfiltration tools that link this campaign to a cyber-espionage operation.
Operation EvilPlane: APT attack using files containing personal information of domestic users
Korean reporting which is strongly attributed to North Korea. The actual technical tradecraft is a well known technique of remote template injection. The novelty is the colour techniques to entice users into doing stuff.
The attack file discovered this time is a document (docx) file, which uses Remote Template Injection technology
As a result of analyzing various indicators, ESRC concluded that the North Korean Reconnaissance General Bureau was behind the attack by the Konni organization.
The method of inducing macro execution by changing the color of the body text to arouse user curiosity is an attack method that the Kony organization has been using for a long time, and the UAC Bypass technique using the wpnprv32/64. It's one of the techniques.
https://blog-alyac-co-kr.translate.goog/5009?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=wapp
Analysis of suspected APT-C-56 (Transparent Tribe) attacks against terrorism
Not sure the wisdom behind outing counter terrorism operations by what is attributed to the Pakistan state. Yet Chinese analysts have done exactly that..
[We] discovered a batch of malicious samples suspected of being attacked by APT-C-56 (Transparent Tribe) targeting terrorism. Through traceability correlation analysis, it was found that the attack activity started at least in June 2018 and is still active today. The samples used in the attack involve Android and Widows platforms.
The attackers used the remote control tools of the Android and Window platforms respectively. The Android platform attack samples used the commercial spyware SpyNote and SonicSpy, as well as the open source spy software AhMyth and Metasploit; the Windows platform used the open source remote control tool AsyncRAT.
Vice Society: Profiling a Persistent Threat to the Education Sector
Criminal actors active in the education sector as well as others some a moral compass which is clearly broken.
https://unit42.paloaltonetworks.com/vice-society-targets-education-sector/
Defcon Skimming: A new batch of Web Skimming attacks
Interesting attack here where the threat actors managed to obtain access to a legacy library which was included on an ecommerce website. They then used to inject malicious code to skim.
[We] uncovered a new technique that attackers are using to get more targets: getting control of defunct domains that formerly hosted popular JavaScript libraries. In the observed campaign, attackers managed to get control of a library and targeted e-commerce websites. We don’t know if the attackers had a special interest in these websites. Magecart cyber criminal groups mostly care about getting more payment data leaked.
The victim websites had years to remove the dead link that was leveraged by attackers but didn’t - likely due to a lack of visibility about third-party scripts running on their websites and poor security hygiene.
https://blog.jscrambler.com/defcon-skimming-a-new-batch-of-web-skimming-attacks/
Fantasy – a new Agrius wiper deployed through a supply‑chain attack
Adam Burgher discusses a supply chain attack undertaken by an Iranian actor. The fact that Iran continues to experiment with such supply chain attacks will be of interest, especially considering that such compromises were then used for wiper deployments.
[We] discovered a new wiper and its execution tool, both attributed to the Agrius APT group, while analyzing a supply-chain attack abusing an Israeli software developer. The group is known for its destructive operations.
https://www.welivesecurity.com/2022/12/07/fantasy-new-agrius-wiper-supply-chain-attack/
Discovery
How we find and understand the latent compromises within our environments.
THREAT/crawl, a prototypical web crawler
Michele Campobasso and Luca Allodi release this work aid for those looking to build TI capability to monitor criminal forums.
This prototype aims at showcasing the strenghts of a guided procedure to configure a general purpose crawler to scrape new adversarial underground communities within the context of cybercrime monitoring. In addition, THREAT/crawl aims at keeping operations stealthy by using browser automation to explore the content of the target communities, modelling human behaviour and offering its users margins to finely tune crawler operations to achieve the desired tradeoff between stealth and throughput
https://gitlab.tue.nl/threat-crawl/THREATcrawl/
Defence
How we proactively defend our environments.
Blowing Cobalt Strike Out of the Water With Memory Analysis
Dominik Reichel, Esmid Idrizovic and Bob Jung release a wonderful bit of research showing the methodology and results from memory analysis to detect this common implant framework.
[We] examine several malware samples that incorporate Cobalt Strike components, and discuss some of the ways that we catch these samples by analyzing artifacts from the deltas in process memory at key points of execution. We will also discuss the evasion tactics used by these threats, and other issues that make their analysis problematic.
https://unit42.paloaltonetworks.com/cobalt-strike-memory-analysis/
Sigstore The Easy Way
A guide on how to use in the real-world to signing all the things - actual value of doing so debatable.
Sigstore is one of the projects in the community that's actively working towards resolving supply chain security issues. The internal working of sigstore components is quite complex, considering the level of protection it provides. In the following sections, we get started with sigstore in the easiest way(s) possible on container images.
https://rewanthtammana.com/sigstore-the-easy-way/index.html
Vulnerability
Our attack surface.
Visual Studio Code: Remote Code Execution
Now fixed vulnerability but shows some of the risks of browser based development environments in practice.
An attacker could, through a link or website, take over the computer of a Visual Studio Code user and any computers they were connected to via the Visual Studio Code Remote Development feature. This issue affected at least GitHub Codespaces, github.dev, the web-based Visual Studio Code for Web and to a lesser extent Visual Studio Code desktop.
https://github.com/google/security-research/security/advisories/GHSA-pw56-c55x-cm9m
Offense
Attack capability, techniques and tradecraft.
Certpotato
Hocine Mahtout outlines a privilege escalation path in Active Directory which will need some consideration in legacy environments.
The goal of this blog post is to present a privilege escalation I found while working on ADCS. We will see how it is possible to elevate our privileges to NT AUTHORITY\SYSTEM from virtual and network service accounts of a domain-joined machine (for example from a webshell on a Windows server) using ADCS. I want to call this attack chain “CertPotato” as homage to other *Potato tools and as a way to better remember it.
Analysis of Windows Defender memory scanning function
A detailed Chinese analysis on how memory scanning works in Windows Defender. The quality of the analysis and insight gained is very good and will provide a basis for other researchers.
How is the memory scan triggered and what is the process?
The sample for this analysis is the memory scan triggered by the module loading event. It is not ruled out that other events will also trigger the memory scan. The process is relatively complicated, and It will go through different asynchronous detection processes in the middle and finally reach the memory scanning logic.
Aikido: Turning EDRs to Malicious Wipers Using 0-day Exploits
Or Yair uses vulnerabilities in EDR to wipe most files as a low privileged user. When your country gets hit my wipers it helps frame your research interests it would appear.
Windows Defender & Windows Defender for Endpoint - CVE-2022-37971
TrendMicro Apex One - CVE-2022-45797
Avast Antivirus & AVG Antivirus - CVE-2022-4173
The wiper is implemented only for the vulnerabilities found in the Windows Defender, Windows Defender for Endpoint and SentinelOne EDR.
https://github.com/SafeBreach-Labs/aikido_wiper
Dirty Vanity: A New Approach to Code injection & EDR bypass
Eliran Nissan outlines a technique which may bypass code injection methods used by various EDR today.
Dirty Vanity makes use of forking to reflect any Allocate & Write efforts to a new process.
From the EDR perspective this process was never written to – and thus won't be flagged as injected – when eventually executed by
Fork & Execute
Ordinary Execute primitives
https://i.blackhat.com/EU-22/Thursday-Briefings/EU-22-Nissan-DirtyVanity.pdf
SilentMoonwalk
The arms race for code injection hiding techniques continues.
SilentMoonwalk is a PoC implementation of a fully dynamic call stack spoofer, implementing a technique to remove the original caller from the call stack, using ROP to desynchronize unwinding from control flow.
https://github.com/klezVirus/SilentMoonwalk
WindowSpy
A selective BOF for CS that triggers functionality sparingly.
WindowSpy is a Cobalt Strike Beacon Object File meant for targeted user surveillance. The goal of this project was to trigger surveillance capabilities only on certain targets, e.g. browser login pages, confidential documents, VPN logins etc.
https://github.com/CodeXTF2/WindowSpy
Wiretap
From Sandia National Labs but which has dual use applications to tunnel out of networks by implants.
a transparent, VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.
https://github.com/sandialabs/wiretap
Living-Off-the-Blindspot
Diego Capriotti outlines how to use Python to operate in an EDR's blindspot whilst explaining why. I suspect this will apply to some hosts/environment more so than others in a typical enterprise.
Python provides some key properties that effectively creates a blindspot for EDR detection, namely:
Python’s wide usage implies that a varied baseline telemetry exists for Python interpreter that is natively running APIs depending on the Python code being run. This can increase the difficulty for EDRs’ vendor to spot anomalies coming from python.exe or pythonw.exe.
Python lacks transparency (ref. PEP-578) for dynamic code executed from stock python.exe and pythonw.exe binaries.
Python Foundation officially provides a “Windows embeddable package” that can be used to run Python with a minimal environment without installation. The package comes with signed binaries.
https://www.naksyn.com/edr%20evasion/2022/09/01/operating-into-EDRs-blindspot.html
Repo Jacking: Exploiting the Dependency Supply Chain
Indiana Moreau outlines a threat scenario which is easy for attackers to find instances of. The mitigations will likely need to evolve.
Three scenarios enable GitHub repositories to be hijacked. Linking directly to them may result in malicious code injection; don’t do it.
For a project to be vulnerable, the following two things need to happen:
Your code needs to directly reference a GitHub repository (usually as a dependency).
The owner of that repository needs to then change/delete their username.
https://blog.securityinnovation.com/repo-jacking-exploiting-the-dependency-supply-chain
emailGPT
A quick and easy interface to generate emails with ChatGPT. Or Phishing as a Service in any language you choose from Lucas H. McCabe.
https://github.com/lucasmccabe/emailGPT
Exploitation
What is being exploited.
Internet Explorer 0-day exploited by North Korean actor APT37
Clement Lecigne and Benoit Sevens outlines opportunistic current affairs use to lure users in order to deploy an Internet Explorer 0-day. The delivery chain in the thing of note given the advantage it provides.
The document downloaded a rich text file (RTF) remote template, which in turn fetched remote HTML content. Because Office renders this HTML content using Internet Explorer (IE), this technique has been widely used to distribute IE exploits via Office files since 2017 (e.g. CVE-2017-0199). Delivering IE exploits via this vector has the advantage of not requiring the target to use Internet Explorer as its default browser, nor to chain the exploit with an EPM sandbox escape.
Distribution of Word File (External + RTF) Modified to Avoid Detection
This is also pretty clever i.e. using decimal IP addresses to make it look like a server on a local network and thus be able to exploit differing behaviour in the browser to try and evade analysts.
When the URL is entered into a web browser, the part of URL before the at sign (@) is deleted as shown in Figure 2, and the numbers in the URL after @ is automatically converted into an IP format.
The reason why the part of URL before @ is deleted is as follows: IE versions 3.0–6.0 allowed automatic transmission of user credentials (username:password) to websites that use the default verification method for attempts to enter a URL as shown below.
After a certain security update (MS 832894), the part of URL before @ is ignored. It is deemed that the threat actor exploited this to insert meaningful data (a decimal that can be converted to an IP address) after @. Details related to this process can be viewed in Microsoft Technical Documentation.
https://asec.ahnlab.com/en/41472/
Zerobot
Two bits of reporting on this one..
New Go-Based Botnet Campaign Targets Multiple Vulnerabilities
Cara Lin outlines this 21 exploit wielding botnet
[We] observed a unique botnet written in the Go language being distributed through IoT vulnerabilities. This botnet, known as Zerobot, contains several modules, including self-replication, attacks for different protocols, and self-propagation. It also communicates with its command-and-control server using the WebSocket protocol.
The DDoS family WSzero
These we have Chinese reporting on the same threat.
https://blog.netlab.360.com/new-ddos-botnet-wszeor/
Tooling and Techniques
Low level tooling for attack and defence researchers.
ChatGPT Reverse Engineering Aids
We have four releases this week which use ChatGPT to augment/accelerate reverse engineering.
https://github.com/JusticeRage/Gepetto - Gepetto: IDA plugin which queries OpenAI's ChatGPT to explain decompiled functions
https://github.com/MayerDaniel/ida_gpt - Will provide GPT with the disassembly of the subroutine and request a plain-text description. It is then added to IDA as a function comment.
https://github.com/mahaloz/DAILA - DAILA: Decompiler Artifical Intelligence Language Assistant: Use ChatGPT for a improved Decompilation Experience
https://github.com/fr0gger/IATelligence - IATelligence: IATelligence is a Python script that will extract the IAT of a PE file and request GPT to get more information about the API and the ATT&CK matrix related
Sandbox Security Tools
Security testing tools for Windows sandboxing technologies
Edge Sandbox Test Tool
The Edge Sandbox Testing Tool can be used to test code running inside the Chromium renderer process sandbox.
Supported sandboxes: Edge renderer processLaunch App Container
The LaunchAppContainer tool can be used to run applications in AppContainer or Less Privileged AppContainer (LPAC) sandboxes.
Supported sandboxes: AppContainer and Less-Privileged AppContainer (LPAC)
https://github.com/microsoft/SandboxSecurityTools
Hooking System Calls in Windows 11 22H2 like Avast Antivirus
Denis Skvortcov shows how one EDR/AV is achieving syscall hooking even with patch guard present. This work is excellent and really insightful.
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Top 10 macOS Malware Discoveries in 2022 - some great work here.
Blackhat Europe 2022 materials - slides/papers in some cases.
Preparing for a Russian cyber offensive against Ukraine this winter - long post from Microsoft with some strong views.
Foreign Information Manipulation Interference (FIMI) and Cybersecurity - The EU Agency for Cybersecurity (ENISA) and the European External Action Service (EEAS) have joined forces to study and analyse the threat landscape concerning Foreign Information Manipulation and Interference (FIMI) & disinfo
Eighteen Months On: Continued Progress on Ransomware Task Force Recommendation - self reporting on their progress.
Cyber Eagle 2022 : Cyber Defense exercise planned and conducted annually by the Air Force - Summary from Italy
An Outlook of Digital Twins in Offensive Military Cyber Operations - published at the European Conference on the Impact of Artificial Intelligence and Robotics
Collective self-understanding: A linguistic style analysis of naturally occurring text data - we then use agglomerative and k-means clustering techniques to assess how the 15 groups cluster, finding there are four behaviourally distinct group types – vocational, collective action (comprising political and ethnic/religious identities), relational and stigmatised groups, with stigmatised groups having a less distinctive behavioural profile than the other group types - likely useful in some chat analysis in criminal forums etc.
That’s all folks.. until next week..
This is one of my top Monday AM briefing sheets. Thank you.