

Bluepurple Pulse: week ending December 25th
Happy holidays everyone - may you have a splendid Cybermas 🎅
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week there were further details of Microsoft Exchange zero-days being exploited in the wild via bypasses of the mitigations (see later), LastPass provided an update on their breach, and Okta confirmed its source code repositories were stolen. All of which have implications for operational blue teams across the globe as they assess the risk and respond accordingly.
In the high-level this week:
NSA Cyber Security Year in Review 2022 - discussions of supply chain attacks by China and then a broad summary of mission impact from NSA 👏.
The Evolution of Cyber: Newest Subordinate Unified Command is Nation’s Joint Cyber Force - “The Cyber National Mission Force officially became the Department of Defense’s newest subordinate unified command, CNMF supports U.S. Cyber Command and national priorities such as election security, ransomware, cyber espionage, and other crisis and contingency operations.” - where the US leads others will follow.
Two Men Arrested For Conspiring With Russian Nationals To Hack The Taxi Dispatch System At JFK Airport - “Beginning in 2019, ABAYEV and LEYMAN explored and attempted various mechanisms to access the Dispatch System, including bribing someone to insert a flash drive containing malware into computers connected to the Dispatch System” - how is your insider threat programme?
U.S. targeted adversary cyber infrastructure to safeguard midterm vote - more public discussion of offensive operations by the US. Logically, making this kind of offensive-yet-defensive operation narrative the norm makes a lot of sense in the court of public opinion.
Former Cybercom lawyer says Americans are extremely vulnerable to foreign cyber attacks - Kurt provides his insights including targeting of the water system in the US. The 5 minute video is worth a quick watch, also of note is the mainstream media nature of this reporting.
Organisation for Economic Co-operation and Development (OECD) - an intergovernmental organisation with 38 member countries to stimulate economic progress and world trade - launched a set of four Recommendations on security for the digital environment - noteworthy as these will arguably carry weight in some of those 38 countries.
Recapping Our 2022 Coordinated Inauthentic Behaviour Enforcements - reporting from Meta - “The United States was the most targeted country by global CIB operations we’ve disrupted over the years, followed by Ukraine and the United Kingdom”.
Unpacking 'commercial surveillance': The state of tracking - from the European Parliamentary Research Service, you can see the privacy lens through which this was written.
30-year-old arrested for hacking wall pad and filming secretly in apartment living room - reporting from Korea - “Wall pads for 638 apartment complexes and 400,000 households” - the scale and home invasion nature makes this noteworthy.
Cyber Posture Trends in China, Russia, the United States and the European Union - from the Stockholm International Peace Research Institute - the conclusions section is likely worth a skim - in short everyone is similar, mostly.
Whatever Happened to Russia’s Vaunted Cyberoffensive? - analysis on why we didn’t see cybergeddon
Russia’s Wartime Cyber Operations in Ukraine: Military Impacts, Influences, and Implications - related analysis from the Carnegie Endowment for International Peace.
United States Government Accountability Office published its report on Military Cyber Personnel - A wonderfully detailed report including pay incentives - “Beginning in fiscal year 2020, Cyber Assignment Incentive Pay ranged from $250 to $600 per month for Cyber Mission Force work roles. However, for critical work roles, such as ION, this pay ranged from $1,000 to $1,500 per month.”
Ransomware Business Models: Future Pivots and Trends - nice bit of work showing the evolution and then a future look at what might be.
Mass Exploitation Report for 2022. Big data on the big vulnerabilities of the year - some really good independent data on what is actually seen in the wild with regard to CISA’s Known Exploited Vulnerabilities Catalogue.
Digital Switzerland Strategy 2023 - naturally ‘Security and trust’ feature, also a useful model / example for emerging economies as a strategy template.
Related: China’s Digital Policies in Its New Era - “maps and contextualises the most recent developments in Chinese digital policymaking, shedding greater light on their motivations, institutional embedding and extent of implementation”.
Potential Federal Insurance Response to Catastrophic Cyber Incidents - from the Department of the Treasury and from September, I highlight as it is a valuable insight given all the discussion around active risk transfer in cyber via the likes of insurance. Understanding what happens at a Government level when one of those often talked about systemic events happens is useful.
UK Information Commissioners Office Tech Horizons Report - a future look at technology by the UK’s privacy regulator. It is great to see these sorts of proactive highly tech literate products being produced by Government.
The UK Government Resilience Framework - How a Government approaches the national risk register. For anyone who has worked in corporate governance a nice compare/contrast resource.
Reflections this week stem from moving on from NCC Group’s operational business as Group CTO, a company I’ve been with for over a decade. In doing so I have had more time to reflect on various outstanding challenges…
Firstly during a lovely meal with a friend who works in offensive engineering we discussed that the capability gap between offense and defence tradecraft is still considerable and growing. Even with well financed ‘next generation’ software companies there doesn’t on the whole seem to be the ‘pushing the edge at pace’ mindset we see in offensive research and development in defence (with a few notable exceptions). The resulting disconnect with regards to in field performance of solutions is stark and is one of those areas that will need some challenge to address.
Secondly there is the question of how we truly scale cyber defence and response to meet the demands of the small organisation. It is clear that the solutions for large enterprises don’t work and the economics at the smaller end of the market are challenged. Today in the UK we have charities operating in this space such as The Cyber Helpline, but it feels instinctively this whole area would benefit from some focus by governments, academia, the charitable sector and industry to get the required breakthroughs and scale to achieve something workable and fit for purpose.
Finally, some of you have asked how you might support/reward/recognise the weekly analysis through your obviously massive corporate budgets that you are struggling to spend. I must stress all the content will remain free to anyone forever. But for those corporations / governments who benefit and want to pay it forward you now can via optional subscriptions. But again, no one will ever have to pay - but if your organisation wants to then thank you.
Have a lovely Friday
Ollie
Cyber threat intelligence
Who is doing what to whom and how.
Russia / Ukraine
Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine
Reporting on the ongoing conflict, which interestingly slightly contradicts some of the reporting mentioned in the high-level section as it shows activity if not success.
An unsuccessful attempt to compromise a large petroleum refining company within a NATO member nation on Aug. 30.
An individual who appears to be involved with Trident Ursa threatened to harm a Ukraine-based cybersecurity researcher immediately following the initial invasion.
Multiple shifts in their tactics, techniques and procedures (TTPs).
https://unit42.paloaltonetworks.com/trident-ursa/
Cyber attack on DELTA system users using FateGrab/StealDeal malware
Reporting from the Ukrainian CERT detailing the compromise of a Ukrainian MoD employee’s e-mail account, which was then used to attempt further operations using military system updates as a lure.
.. distribution by means of e-mail (using a compromised e-mail address of one of the employees of the Ministry of Defense), as well as messengers , a message about the need to update certificates in the "DELTA" system. At the same time, the attachments in the form of PDF documents imitate legitimate digests of the ISTAR unit of the Zaporizhzhia Police Department, but contain a link to a malicious ZIP archive.
If you follow the link, the "certificates_rootca.zip" archive containing the "certificates_rootCA.exe" executable file protected by VMProtect will be downloaded to your computer (the file was compiled and digitally signed on 12/15/2022).
https://cert.gov.ua/article/3349703
Trojanized Windows 10 Operating System Installers Targeted Ukrainian Government
Reporting on warez being used to distribute backdoored operating system installations. It is interesting that in countries where piracy is rife the opportunity for low-cost supply chain attacks such as this exists. When piracy becomes a national security issue!
[We] identified an operation focused on the Ukrainian government via trojanized Windows 10 Operating System installers. These were distributed via torrent sites in a supply chain attack.
Threat activity tracked as UNC4166 likely trojanized and distributed malicious Windows Operating system installers which drop malware that conducts reconnaissance and deploys additional capability on some victims to conduct data theft.
The trojanized files use the Ukrainian language pack and are designed to target Ukrainian users. Following compromise targets selected for follow on activity included multiple Ukrainian government organizations.
At this time, [we do not] not have enough information to attribute UNC4166 to a sponsor or previously tracked group. However, UNC4166’s targets overlap with organizations targeted by GRU related clusters with wipers at the outset of the war.
https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government
FIN7 Unveiled
Detailed analysis of this crime group with insight obtained in ways that likely wouldn’t be possible in a lot of countries due to their respective computer misuse laws.
A deep dive into notorious cybercrime gang - [we] obtained visibility into the inner workings of the FIN7 threat group and managed to gain information about their organizational structures, identities, attack vectors, infrastructures, proof-supported affiliations etc.
https://www.prodaft.com/m/reports/FIN7_TLPCLEAR.pdf
Information Operations Targeting 2022 U.S. Midterm Elections Include Trolling, Narratives Surrounding Specific Races, Politicians
Alden Wahlstrom, Jess Xia, Alice Revelli and Ryan Serabian provide reporting on low-grade election interference activity in the run-up to the US midterms. On reflection it seems the activity had less impact / success than in prior elections. It will be interesting in the wash-up to see whether the proactive intervention by the platforms and the US Government’s operations are the reason for that.
Detected operations were limited to moderate in scale; and in multiple operations, ongoing information operations campaigns pivoted to promote election related narratives as part of their broader activity targeting the U.S., including audiences on both sides of the political spectrum.
Some activity appeared intended to “troll” defenders, potentially to generate the perception of foreign influence while investing limited resources in the effort.
Other narratives we identified attempted to exploit controversial issues to widen existing political divisions within the country, or alternatively targeted specific contested election races, which are likely to receive the highest degree of attention.
https://www.mandiant.com/resources/blog/information-operations-2022-midterm-elections
SiestaGraph: New implant uncovered in ASEAN member foreign ministry
Samir Bousseaden, Andrew Pease, Daniel Stepanic, Salim Bitam, Seth Goodwin and Devon Kerr discuss a recent intrusion involving Exchange in South East Asia for intelligence collection. The details of the various implants will be of use to cyber defence teams who have to contend with likely Chinese threats.
Likely multiple threat actors are accessing and performing live on-net operations against the Foreign Affairs Office of an ASEAN member using a likely vulnerable, and internet-connected, Microsoft Exchange server. Once access was achieved and secured, the mailboxes of targeted individuals were exported.
Threat actors deployed a custom malware backdoor that leverages the Microsoft Graph API for command and control, which we’re naming SiestaGraph.
A modified version of an IIS backdoor called DoorMe was leveraged with new functionality to allocate shellcode and load additional implants.
The threat actor appeared to focus priority intelligence collection efforts on personnel and positions of authority related to the victim's relationship with ASEAN (Association of Southeast Asian Nations).
The DPRK delicate sound of cyber
A year in review of North Korean activity which you dear readers will all be keenly sensitised to from the weekly reporting. The campaigns / activities broadly speaking appear broken down into intelligence and finance acquisition.
All known Intrusion Sets associated to the Democratic People’s Republic of Korea (DPRK) were reported being active over the year, Lazarus and Kimsuky activities being the most reported on.
Kimsuky, Bluenoroff, and Lazarus mandates continue to overlap, and Lazarus, Bluenoroff and Andariel keep on conducting dual objectives operations pertaining to revenue generation (AppleJeus, SnatchCrypto) and cyberespionage (DreamJob), in line with Pyongyang strategic interests.
DPRK associated Intrusion Sets continued demonstrating efforts to update their TTPs and expand their toolset (Lazarus’use of the BYOVD technique and Kimsuky’s Sharpext malware) further contributing to these groups’ stealthiness and goals achievement.
[Our] analysts assess cyber malicious campaigns orchestrated by Pyongyang will almost certainly continue in the short-term.
https://blog.sekoia.io/the-dprk-delicate-sound-of-cyber/
SentinelSneak: Malicious PyPI module poses as security software development kit
Karlo Zanki discusses an interesting supply chain attack of sorts in the public Python library registry. The blog is a massive product pitch, but the operation is of note and interesting. Attribution will be interesting, but also for internal cyber defence teams when the hunters become the hunted once more there are likely questions to be asked around managing these types of threats/risks.
A malicious Python file found on the PyPI repository adds backdoor and data exfiltration features to what appears to be a legitimate SDK client from SentinelOne.
The malicious functionality in the library does not execute upon installation, but waits to be called on programmatically before activating — a possible effort to avoid detection. ReversingLabs is calling this campaign "SentinelSneak."
https://blog.reversinglabs.com/blog/sentinelsneak-malicious-pypi-module-poses-as-security-sdk
XLLing in Excel - threat actors using malicious add-ins
Vanja Svajcer provides deep thematic reporting on this particular Microsoft Office tradecraft often sent via e-mail.
Microsoft is phasing out support for executing VBA macros in downloaded Office documents.
Although XLL files have been supported since early versions of Excel, including Excel 97, malicious actors started using them relatively recently.
Currently, a significant number of advanced persistent threat actors and commodity malware families are using XLLs as an infection vector and this number continues to grow.
https://blog.talosintelligence.com/xlling-in-excel-malicious-add-ins/
Malicious WhatsApp in China
Reporting from China on malicious WhatsApp installs being used to steal crypto assets. It will be interesting to see who it is latterly attributed to, i.e. North Korea or criminals.
Through communication with the victim [it was established that] they used an Android mobile phone and, after searching for the WhatsApp software on Baidu, downloaded the software directly from a third-party website and installed it.
On December 6, 2022, more than $80,000 was stolen due to the use of malicious WhatsApp;
On November 21, 2022, more than 1.4 million US dollars were stolen due to the use of malicious Whatsapp;
On October 6, 2022, more than 13,000 US dollars were stolen due to the use of malicious WhatsApp;
Backdoor Targets FreePBX Asterisk Management Portal
Krasimir Konov outs the implant from a campaign which is likely criminal in nature and intended to steal telephony services via soft PBXs to be monetised. For those with Netflow access it will be interesting to see if this campaign is attributed.
During a recent investigation, I came across a simple piece of malware targeting FreePBX’s Asterisk Management portal which allowed attackers to arbitrarily add and delete users, as well as modify the website’s .htaccess file.
It checks the user’s IP to ensure that it matches 178.162.201.166 (which happens to belong to a network for Leaseweb Deutschland GmbH).
It checks whether the user made a request with a password value that matches the provided md5 hash:
https://blog.sucuri.net/2022/12/backdoor-targets-freepbx-asterisk-management-portal.html
Inside the IcedID BackConnect Protocol
Great analysis here using Netflow to go upstream and map out the threat actors infrastructure. Shows the real value of this data to cyber defenders.
Eleven BC C2s identified since 01 July 2022, managed via two VPN nodes.
Operators likely located in Moldova and Ukraine managing distinct elements of the BC protocol.
Evidence of malicious use of the SpaceX Starlink network identified.
Exposure of several tools and processes utilized by the operators, including temporary SMS messaging, file sharing, cryptocurrency wallets, and a favorite local radio station.
https://www.team-cymru.com/post/inside-the-icedid-backconnect-protocol
MCCrash: Cross-platform DDoS botnet targets private Minecraft servers
When kids develop cyber capabilities such that parents sob.
Our analysis of the DDoS botnet revealed functionalities specifically designed to target private Minecraft Java servers using crafted packets, most likely as a service sold on forums or darknet sites. A breakdown of the systems affected by the botnet over the three months from the time of this analysis also revealed that most of the devices were in Russia:
GoTrim: Go-based Botnet Actively Brute Forces WordPress Websites
Eduardo Altares, Joie Salvio and Roy Tay detail a threat that readers will see the value in. We know from reporting this year that WordPress compromises have been used for numerous campaigns, be it skimmers, watering holes and/or C2 staging. The fact that an actor is trying to do these compromises at scale in this manner means it could be an enabler for any of these.
[We] recently encountered a previously unreported Content Management System (CMS) scanner and brute forcer written in the Go programming language (also commonly referred to as Golang). We took a closer look at this malware because it was being described in several online forums as being installed in compromised WordPress sites, but there were no publicly available analysis reports.
Discovery
How we find and understand the latent compromises within our environments.
wanderer: An open-source process injection enumeration tool for Windows
Tristram provides a tool which demonstrates a valuable technique which I would implore all EDR vendors to implement similarly, in order to highlight such risks proactively.
Wanderer is an open-source program that collects information about running processes. This information includes the integrity level, the presence of the AMSI as a loaded module, whether it is running as 64-bit or 32-bit as well as the privilege level of the current process. This information is extremely helpful when building payloads catered to the ideal candidate for process injection.
https://github.com/gh0x0st/wanderer
Detecting Azure AD Account Takeover Attacks
Mehmet Ergene provides a Sentinel KQL query on how to detect such attacks.
Cloud account takeover(ATO) is an attack where attackers gain access to cloud identities by using methods like social engineering, device code phishing, etc. Detecting these attacks can sometimes be difficult. In this blog, I’ll explain how we can develop a generic detection that covers almost any, if not all, methods for Azure AD(Well, the method can be applied to other identity providers, too).
Below query detects if a user signs in from an IP address that has not been observed in the last X days AND the sign-in happens in close proximity of the user's latest sign-in time.
https://posts.bluraven.io/detecting-azure-ad-account-takeover-attacks-b2652bb65a4c
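The post’s Sentinel query is KQL; as an added example (not Mehmet’s query, and not code from the post) the same two conditions are implemented below in Python so the logic can be seen running over constructed sample sign-ins. Field names (user, ip, time), the 30-day lookback and the one-hour proximity window are assumptions chosen for illustration, not Azure AD SigninLogs column names or recommended thresholds.

```python
"""Generic cloud account takeover (ATO) detection, mirroring the post above:
alert when a user signs in from an IP address not seen for that user in the
last LOOKBACK days AND the sign-in lands within MAX_GAP of that user's
previous sign-in. Added illustration, not the post's KQL; the records below
are constructed sample data, not real telemetry."""
from datetime import datetime, timedelta

LOOKBACK = timedelta(days=30)  # "IP not observed in the last X days" (assumed X)
MAX_GAP = timedelta(hours=1)   # "close proximity" to the latest sign-in (assumed)

# Constructed sample sign-ins (UTC, ISO 8601). Field names are assumptions,
# not Azure AD SigninLogs columns.
SAMPLE_SIGNINS = [
    {"user": "alice@example.test", "ip": "203.0.113.10", "time": "2022-12-01T08:00:00"},
    {"user": "alice@example.test", "ip": "203.0.113.10", "time": "2022-12-20T09:00:00"},
    # new IP for alice only 12 minutes after her previous sign-in -> flagged
    {"user": "alice@example.test", "ip": "198.51.100.7", "time": "2022-12-20T09:12:00"},
    {"user": "bob@example.test", "ip": "203.0.113.44", "time": "2022-12-19T07:30:00"},
    # new IP for bob, but two days after his previous sign-in -> not flagged
    {"user": "bob@example.test", "ip": "192.0.2.99", "time": "2022-12-21T07:30:00"},
    {"user": "carol@example.test", "ip": "192.0.2.5", "time": "2022-11-01T10:00:00"},
    # carol's only prior use of this IP is outside the lookback, so it counts as
    # "new", but her previous sign-in was 51 days ago -> no proximity -> not flagged
    {"user": "carol@example.test", "ip": "192.0.2.5", "time": "2022-12-22T10:00:00"},
]


def detect_ato(signins, lookback=LOOKBACK, max_gap=MAX_GAP):
    """Return one alert dict per sign-in that satisfies both conditions."""
    by_user = {}
    for rec in signins:
        ev = dict(rec, time=datetime.fromisoformat(rec["time"]))
        by_user.setdefault(ev["user"], []).append(ev)

    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["time"])
        for i, ev in enumerate(events):
            prior = events[:i]
            if not prior:
                continue  # first sign-in for this user: nothing to baseline against
            # IPs this user used inside the lookback window before this event
            baseline_ips = {p["ip"] for p in prior if ev["time"] - p["time"] <= lookback}
            previous = prior[-1]  # the user's latest sign-in before this one
            if ev["ip"] not in baseline_ips and ev["time"] - previous["time"] <= max_gap:
                alerts.append({
                    "user": user,
                    "ip": ev["ip"],
                    "time": ev["time"].isoformat(),
                    "previous_ip": previous["ip"],
                    "seconds_since_previous": int((ev["time"] - previous["time"]).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_ato(SAMPLE_SIGNINS):
        print(alert)
```

In Sentinel the baseline set is built with a separate summarize over the lookback window and joined back onto the current sign-ins; the loop above does the same per user in memory. The usual tuning caveat applies: users behind roaming mobile egress or split-tunnel VPNs will generate new IPs legitimately, so widen the baseline with known corporate egress ranges before alerting on it at scale.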
How to Detect Malicious OAuth Device Code Phishing
Lina Lau discusses and provides pragmatic detection advice around this threat. You’ll see that detection is a little tricky.
In this brilliant blog by DrAzureAD, he introduced a method of phishing M365 accounts that threat actors can leverage by abusing device code authentication
The reason I am writing about this technique is that it’s significantly more difficult to detect than OAuth abuse for malicious application registrations. The reason for this is, the entire premise of the phish occurs within the microsoftonline.com namespace and does not redirect the user to any third-party website and there is no need for any 3rd party application authorization/registration. This method of phishing also bypasses MFA requirements as the attacker gains access to the user’s refresh and access token.
I wanted to revisit this technique and blog about a detection for this type of attack. As usual, I’ve broken this blog post into two sections:
Attack overview
Detection Methodology
https://www.inversecos.com/2022/12/how-to-detect-malicious-oauth-device.html
Guide to Use Sigma EVTX Checker
Florian Roth provides a step by step guide on how to use it.
It's a fast go-based scanner for Linux, Windows, and macOS that applies Sigma rules and outputs the matches as JSON.
gist.github.com/Neo23x0/9eb505a00f7ba591645a6246fa6c5246
What child is this? | Primer on Process Reparenting in Windows
Yarden Shafir provides a very useful breakdown on how process reparenting works in Windows and how what we believe to be true can be manipulated.
Process reparenting is a technique used in Microsoft Windows to create a child process under a different parent process than the one making the call to CreateProcess. Malicious actors can use this technique to evade security products or break process ancestry ties, making detection more challenging. However, process reparenting is also used legitimately across the operating system, for example during execution of packaged or store applications. Like many features, process reparenting can confuse both security products and security teams, leading to either missed detections or false positives on otherwise-innocent applications.
https://blog.trailofbits.com/2022/12/20/process-reparenting-microsoft-windows/
Defence
How we proactively defend our environments.
(Re)building Threat Detection and Incident Response at LinkedIn
Sagar Shah and Jeff Bollinger detail the journey they went on at LinkedIn which is a wonderful lesson for many organisations. I suspect many Blueteams will drool in envy at being able to undertake this level of transformation.
IRM: Incident Response Methodologies 2022
In English, French, Spanish and Russian.
CERT Societe Generale with the collaboration of CERT aDvens provides easy to use operational incident best practices. These cheat sheets are dedicated to incident handling and cover multiple fields in which a CERT team can be involved. One IRM exists for each security incident we're used to dealing with.
https://github.com/certsocietegenerale/IRM
Introducing PEACH, a tenant isolation framework for cloud applications
Amitai Cohen and team attempt to define the standard language for the industry around tenant isolation.
Privilege hardening
Encryption hardening
Authentication hardening
Connectivity hardening
Hygiene
https://www.wiz.io/blog/introducing-peach-a-tenant-isolation-framework-for-cloud-applications
https://github.com/wiz-sec/peach-framework
Vulnerability
Our attack surface.
Gatekeeper’s Achilles heel: Unearthing a macOS vulnerability
Vendor-on-vendor product vulnerability hunting and the detailed write-ups that follow have always felt a little point-scoring-esque. I’m not sure there is a better way, but this is quite the vulnerability.
On July 27, 2022, Microsoft discovered a vulnerability in macOS that can allow attackers to bypass application execution restrictions imposed by Apple’s Gatekeeper security mechanism, designed to ensure only trusted apps run on Mac devices. We developed a proof-of-concept exploit to demonstrate the vulnerability, which we call “Achilles”. Gatekeeper bypasses such as this could be leveraged as a vector for initial access by malware and other threats and could help increase the success rate of malicious campaigns and attacks on macOS.
Offense
Attack capability, techniques and tradecraft.
linux_injector: A simple ptrace-less shared library injector for x64 Linux
Namazso provides some detection engineering headaches on Linux.
For control flow hijacking, this program needs a hijacking candidate. The code presented here uses malloc, this can be changed by editing FUN_NAME and recompiling. Make sure the hooked function can run under 100ms, so that it won't be overwritten while it executes.
https://github.com/namazso/linux_injector
In-Memory Execution in macOS: the Old and the New
Manish Bhatt demonstrates how under-reported macOS offensive tradecraft is and highlights likely numerous gaps in current EDRs.
There are a few APIs that can be used for in-memory execution of code in macOS. The most well known is an API in dyld, NSCreateObjectFileImageFromMemory, which is heavily documented but has become less effective since it started to leave file artifacts on disk in dyld3. However, there are two more APIs that can still be used for this purpose but aren’t well documented, NSCreateObjectFileImageFromFile and CFBundleCreate. In this writeup, we touch on all 3 aforementioned APIs and then create a PoC loader which uses NSCreateObjectFileImageFromFile and CFBundleCreate to load a bundle from disk and execute it.
https://rtx.meta.security/post-exploitation/2022/12/19/In-Memory-Execution-in-macOS.html
Venom: Venom is a library that meant to perform evasive communication using stolen browser socket
Ido Veltzman provides capability which will no doubt dance past various Windows EDR solutions. This type of subtle repurposing really does highlight the complexity of the challenge.
Venom is a C++ library that is meant to give an alternative way to communicate: instead of creating a socket that could be traced back to the process, it creates a new "hidden" (there is no window shown) detached Edge process (Edge was chosen because it is a browser that is installed on every Windows 10+ and won't raise suspicion) and steals one of its sockets to perform the network operations.
https://github.com/Idov31/Venom
Exploitation
What is being exploited.
Microsoft Exchange
CVE-2022-41040 and CVE-2022-41082 – zero-days in MS Exchange
Vitaly Morgunov provides updated coverage on these threats which were originally detailed by the Vietnamese company GTSC.
At the end of September, GTSC reported an attack on critical infrastructure that took place in August. During the investigation, experts found that two 0-day vulnerabilities in Microsoft Exchange Server were used in the attack. The first one, later identified as CVE-2022-41040, is a server-side request forgery (SSRF) vulnerability that allows an authenticated attacker to remotely trigger the next vulnerability – CVE-2022-41082. The second vulnerability, in turn, allows remote code execution (RCE) when MS Exchange PowerShell is accessible to the attacker. As noted in the GTSC report, both vulnerabilities were exploited together in the wild to create a backdoor on a vulnerable server, and perform lateral movement.
https://securelist.com/cve-2022-41040-and-cve-2022-41082-zero-days-in-ms-exchange/108364/
CVE-2022-41080, CVE-2022-41082: Observed Exploitation of `OWASSRF` in Exchange for RCE
Glenn Thorpe covers the same, detailing how the mitigations could be bypassed.
Beginning December 20, 2022, [we] responded to an increase in the number of Microsoft Exchange server compromises. Further investigation aligned these attacks to what CrowdStrike is reporting as “OWASSRF”, a chaining of CVE-2022-41080 and CVE-2022-41082 to bypass URL rewrite mitigations that Microsoft provided for ProxyNotShell allowing for remote code execution (RCE) via privilege escalation via Outlook Web Access (OWA).
Patched servers do not appear vulnerable, servers only utilizing Microsoft’s mitigations do appear vulnerable.
OWASSRF: New Method for Bypassing ProxyNotShell Mitigations
Erik Iker, Sean Palka, Brian Pitchford and Nicolas Zilio detail the same threat.
https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
They also released the Rps_Http ClientInfo IOC search PowerShell script to check for signs of exploitation:
Analysis of ClientInfo value in Rps_Http logs indicated that attempted exploitation via proxied requests would result in an entry with the TA UserAgent for the ClientInfo value. Normal usage would have predictable ClientInfo value of '', 'Microsoft WinRM Client', or 'Exchange BackEnd Probes'. The original external IP is often included in this log entry, and so the script will identify the network path from original source and subsequent proxied hosts used to target the vulnerability.
https://github.com/CrowdStrike/OWASSRF/blob/main/Rps_Http-IOC.ps1
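As an added example (not CrowdStrike’s script), the ClientInfo allow-list check described above is reproduced in Python against a constructed log sample, so the indicator can be seen in action without an Exchange server to hand. The CSV layout below is an assumption: a reduced approximation with a header row naming DateTime, ClientIpAddress, ClientInfo and UrlStem columns (real HttpProxy logs carry many more columns and may embed ClientInfo elsewhere, so adjust the column lookup to your files); the rows are invented, not real telemetry.

```python
"""Search Exchange Rps_Http (HttpProxy) log text for ClientInfo values outside
the set that normal usage produces, the OWASSRF indicator described above.
Added illustration, not CrowdStrike's Rps_Http-IOC.ps1. Assumes the log is CSV
with a header row naming ClientInfo and ClientIpAddress columns; '#'-prefixed
comment lines are skipped. The sample log below is constructed, not real."""
import csv
import io
from collections import Counter

# Values the report says normal usage produces; anything else is an IOC candidate.
EXPECTED_CLIENTINFO = {"", "Microsoft WinRM Client", "Exchange BackEnd Probes"}

# Constructed, reduced sample. Column names are an assumption about the format.
SAMPLE_RPS_HTTP_LOG = """#Software: Microsoft Exchange Server
DateTime,RequestId,ClientIpAddress,ClientInfo,UrlStem
2022-12-21T03:14:07.001Z,a1,10.0.0.5,Exchange BackEnd Probes,/powershell
2022-12-21T03:15:22.113Z,a2,10.0.0.9,Microsoft WinRM Client,/powershell
2022-12-21T03:16:40.512Z,a3,198.51.100.23,python-requests/2.28.1,/powershell
2022-12-21T03:16:41.009Z,a4,10.0.0.5,,/powershell
2022-12-21T03:17:02.330Z,a5,203.0.113.77,Mozilla/5.0 (Windows NT 10.0; Win64; x64),/powershell
"""


def find_suspicious_clientinfo(log_text, expected=EXPECTED_CLIENTINFO):
    """Return one dict per row whose ClientInfo is not an expected value."""
    lines = [ln for ln in log_text.splitlines() if ln and not ln.startswith("#")]
    reader = csv.DictReader(io.StringIO("\n".join(lines)))
    if reader.fieldnames is None or "ClientInfo" not in reader.fieldnames:
        raise ValueError("no ClientInfo column found; adjust the field name for your log format")
    hits = []
    for row in reader:
        client_info = (row.get("ClientInfo") or "").strip()
        if client_info in expected:
            continue  # '' , WinRM client and back-end probes are normal traffic
        hits.append({
            "time": row.get("DateTime"),
            "client_ip": row.get("ClientIpAddress"),
            "client_info": client_info,
            "url": row.get("UrlStem"),
        })
    return hits


def sources(hits):
    """Count hits per source IP so the path back to the origin can be followed."""
    return Counter(h["client_ip"] for h in hits)


if __name__ == "__main__":
    found = find_suspicious_clientinfo(SAMPLE_RPS_HTTP_LOG)
    for hit in found:
        print(hit)
    print(sources(found))
```

To run this over a real server, glob the Rps_Http log files, read each one and pass its contents to find_suspicious_clientinfo; the check is an exact-set match as in the CrowdStrike script, so any browser-style or scripting user agent appearing as ClientInfo on a /powershell request is worth pulling the surrounding OWA and IIS logs for. Note that a patched server will still log the attempt, so a hit is evidence of targeting even where exploitation failed.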
Multiple RCE Vulnerabilities Affecting Veeam Backup & Replication
For those seeking ransomware resilience this reporting will be of concern, especially given the potential links to ransomware affiliates.
Several threat actors were seen advertising the fully weaponized tool for remote code execution to exploit the following vulnerabilities affecting Veeam Backup & Replication:
CVE-2022-26500 and CVE-2022-26501 with a CVSS V3 score of 9.8
CVE-2022-26504 with a CVSS V3 score of 8.8
A successful exploitation of the above-mentioned CVEs can lead to:
Copying files within the boundaries of the locale or from a remote SMB network
RCE without authorization ('Network Service' rights)
RCE/LPE without authorization ('Local System' rights)
Tooling and Techniques
Low level tooling for attack and defence researchers.
iOS kernel heap memory profiler
From ten months ago, but worth highlighting.
This is a kernel heap memory profiler built onto xnuspy that allows you to trace kernel heap allocations and freeing done through some of the (not all) allocator/freeing functions.
https://github.com/parsdefense/ios-kernel-heap-profiler
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
ESF Members NSA and CISA Provide Threat Assessment, Best Practices for 5G Network Slicing
Of Ships and Cyber: Transposing the Incidents at Sea Agreement
Sub-Optimal Strategies in Cyberspace: Tracing the Source of Strategic Preferences
Cyber-Attacks on Digital Infrastructures in HealthCare: The Secured Approach
Inside-out and backwards: a retrospective look at how measurement research really happens
What Do Think Tanks Think? Proximity to Power and Foreign Policy Preferences
That’s all folks.. until next week..