

Bluepurple Pulse: week ending December 18th
What gift will Santa give the industry this year? Apparently multiple in-the-wild exploited zero days, and we still have 10 days to go..
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week it has been about the vulnerabilities (zero days) exploited in the wild, in Citrix and Fortinet products, by state and criminal actors. The product security quality of edge devices continues to plague us.
In the high-level this week:
China’s internet censors target deepfake tech to curb online disinformation - Just like in Bladerunner where they could track the source of the synthetic snake - “Deep synthesis providers and users are required to make sure any doctored content is explicitly labelled and can be traced back to its source”
How the Global Spyware Industry Spiraled Out of Control - The New York Times long article which is good for broader understanding.
related The Autocrat in Your iPhone: How Mercenary Spyware Threatens Democracy - NSO getting some over and Rwanda raised once more - but also “In November 2022, Sir Jeremy Fleming, a top British intelligence official, warned that the proliferating use of mercenary spyware and “hackers for hire” by countries and malefactors “will increase the future threat to UK cybersecurity.””
related Israel’s NSO bets its future on Netanyahu’s comeback - “However, co-founder Shalev Hulio believes that Netanyahu’s imminent comeback will provide much-needed political cover for the beleaguered company to begin conducting deals with nations crucial to Israeli foreign policy, according to people familiar with his thinking.”
Announcement of government joint advisory on North Korean IT personnel - "domestic companies strengthen caution and identity verification to prevent hiring North Korean IT personnel who disguised their nationality and identity." - from the South Korean Ministry of Korean Affairs (in Korean) - or when supply chains go very wrong - remember that time a local government outsourced development to North Korea?
Japan to upgrade cyber defense, allowing preemptive measures - “The government aims to make legislative changes so it can begin monitoring potential attackers and hack their systems as soon as signs of a potential risk are established.”
Cyber Operations in Ukraine: Russia’s Unmet Expectations - various hypotheses are put forward, but we don’t really have a strong evidence base in open source.
Analyzing Russian SDK Pushwoosh and Russian Code Contributions - Pushwoosh has presented itself as a US-based company but, in the reporters’ words, “is headquartered in the Siberian town of Novosibirsk - despite Pushwoosh’s claims to the contrary, the vast majority of contributions to Pushwoosh’s GitHub code base since February 2022 appear to have come from Russian time zones.”
FBI InfraGard Member Data Breached - contact information on more than 80,000 members went up for sale on an English-language cybercrime forum
EU cyber-resilience act - Briefing note from the European Parliamentary Research Service - “According to one industry forecast, the total number of internet of things (IoT) connected devices worldwide is set to more than double from 14.6 billion in 2022 to 30.2 billion by 2030” and “The EU would become the international point of reference on cybersecurity of connected devices in the way that the General Data Protection Regulation did for privacy. Indeed, non-EU companies might find it more convenient to apply the proposed CRA rules − mandatory to access the EU single market with their digital products − as a default framework for their global operations than to create different products or processes for different markets” - market forces in action
Hague Centre for Strategic Studies (HCSS) Annual Report 2022 - The emergence of cyberspace provides small and medium powers with a strategic weapons capability that historically has been beyond their reach - pretty stark.
No real reflections this week other than tempo of threat actor activity and capability development/deployment “feel” high, but whether or not this becomes the new normal we will have to see.
Have a lovely Thursday
Ollie
Cyber threat intelligence
Who is doing what to whom and how.
Malicious Yet Signed Microsoft Kernel Drivers
Various reporting on the abuse of Microsoft’s processes to get kernel drivers signed by both state and criminal actors.
MSFT: Guidance on Microsoft Signed Drivers Being Used Maliciously ADV220005 https://msrc.microsoft.com/update-guide/vulnerability/ADV220005
I Solemnly Swear My Driver Is Up to No Good: Hunting for Attestation Signed Malware https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware
Driving Through Defenses | Targeted Attacks Leverage Signed Malicious Microsoft Drivers https://www.sentinelone.com/labs/driving-through-defenses-targeted-attacks-leverage-signed-malicious-microsoft-drivers/
Signed driver malware moves up the software trust chain https://news.sophos.com/en-us/2022/12/13/signed-driver-malware-moves-up-the-software-trust-chain/
SophosX: NEW: Signed driver malware moves up the software trust chain https://infosec.exchange/@SophosXOps/109507832693251843
Unmasking MirrorFace: Operation LiberalFace targeting Japanese political entities
Dominik Breitenbacher details a campaign launched by China in the weeks leading up to the Japanese House of Councillors election in July 2022. Tradecraft is rather standard even if some of the tooling is novel in places.
At the end of June 2022, MirrorFace launched a campaign, which we have named Operation LiberalFace, that targeted Japanese political entities.
Spearphishing email messages containing the group’s flagship backdoor LODEINFO were sent to the targets.
LODEINFO was used to deliver additional malware, exfiltrate the victim’s credentials, and steal the victim’s documents and emails.
A previously undescribed credential stealer we have named MirrorStealer was used in Operation LiberalFace.
Cyber attack on government organizations using the theme of Iranian Shahed-136 kamikaze drones and DolphinCape malware
Ukrainian reporting on Russian activity going after the Ukrainian railway and other state agencies. The tradecraft is basic, although there is some attempt to protect the payload: the RC4 key is derived from the document's metadata and filename, which creates an intelligence loop back to the victim source should the filename be shared in reporting (such as this).
In the attachment to the letter is a RAR archive "shahed-136.rar" containing a PPSX document "shahed.ppsx", which in turn contains VBScript code designed to create a scheduled task, as well as decrypt, create on the computer, and launch a PowerShell script. At the same time, the cryptographic transformation of data is carried out using the RC4 algorithm, and the key is a string resulting from the concatenation of the value of the "Manager" property and the name of the document ("Trigubenko Serhiy Georgiyovych|shahed.ppsx").
https://cert.gov.ua/article/3192088
TA453 Refuses to be Bound by Expectations
Joshua Miller and Crista Giering discuss an Iranian actor who uses phishing but appears to have either received some new tasking and/or is planning to buy a foreign holiday home.
From at least late 2020 and through 2022, TA453 has engaged in campaigns that deviate from the group's expected phishing techniques and target victimology.
In these campaigns, TA453 has employed the use of compromised accounts, malware, and confrontational lures to go after targets with a range of backgrounds from medical researchers to realtors to travel agencies.
[We] assess with moderate confidence that this activity reflects a flexible mandate to the Islamic Revolutionary Guard Corps' (IRGC) intelligence requirements.
Further, a sub-cluster of TA453 activity demonstrates a possible directive to support covert, and even kinetic, operations of the IRGC.
https://www.proofpoint.com/us/blog/threat-insight/ta453-refuses-be-bound-expectations
Drokbk Malware Uses GitHub as Dead Drop Resolver
Further reporting on Iran and an implant which uses GitHub as a dead drop resolver for its C2 and is related to Log4j intrusions. Again, GitHub/Microsoft will understand the victimology. The fact they are using cloud services to provide a degree of resilience and dynamism is of note here.
Drokbk is deployed post-intrusion alongside other access mechanisms as an additional form of persistence within the victim's environment. COBALT MIRAGE's preferred form of remote access uses the Fast Reverse Proxy (FRPC) tool. While COBALT MIRAGE Cluster A uses a modified version of this tool known as TunnelFish, Cluster B favors the unaltered version. The only public mention of Drokbk.exe is in a March third-party report describing activity that exhibits signs of a Cluster B intrusion. In that instance, the malware used the C2 domain activate-microsoft . cf, which is known to be associated with Cluster B.
The February intrusion that Secureworks incident responders investigated began with a compromise of a VMware Horizon server using two Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45046). Forensic artifacts indicated Drokbk.exe was extracted from a compressed archive (Drokbk.zip) hosted on the legitimate transfer . sh online service. The threat actors extracted the file to C:\Users\DomainAdmin\Desktop\ and then executed it.
https://www.secureworks.com/blog/drokbk-malware-uses-github-as-dead-drop-resolver
DeathStalker targets legal entities with new Janicab variant
Further dead drop resolvers, this time used by an unattributed actor suspected to be a group of mercenaries offering hacking-for-hire services, who have been seen active in Argentina, China, Cyprus, India, Israel, Jordan, Lebanon, Russia, Switzerland, Taiwan, Turkey, UAE and UK.
While hunting for less common Deathstalker intrusions that use the Janicab malware family, we identified a new Janicab variant used in targeting legal entities in the Middle East throughout 2020, possibly active during 2021 and potentially extending an extensive campaign that has been traced back to early 2015 and targeted legal, financial, and travel agencies in the Middle East and Europe.
Interestingly, the threat actor continues to use YouTube, Google+, and WordPress web services as DDRs. However, some of the YouTube links observed are unlisted and go back to 2015, indicating a possible infrastructure reuse.
https://securelist.com/deathstalker-targets-legal-entities-with-new-janicab-variant/108131/
A Custom Python Backdoor for VMWare ESXi Servers
Asher Langton details an unattributed and previously unknown implant. There is an elegance that comes from its simplicity.
In October 2022, [we] discovered a backdoor implanted on a VMware ESXi virtualization server. Since 2019, unpatched ESXi servers have been targets of ongoing in-the-wild attacks based on two vulnerabilities in the ESXi’s OpenSLP service: CVE-2019-5544 and CVE-2020-3992. Unfortunately, due to limited log retention on the compromised host we investigated, we can’t be sure which vulnerability allowed hackers access to the server. Nevertheless, the implanted backdoor is notable for its simplicity, persistence and capabilities, and to our knowledge has not been publicly documented until now.
The Python script launches a simple webserver that accepts password-protected POST requests and can be used in two ways: it can run arbitrary remote commands and display the results as a webpage, or it can launch a reverse shell to the host and port of the attacker’s choice.
https://blogs.juniper.net/en-us/threat-research/a-custom-python-backdoor-for-vmware-esxi-servers
Pilfered Keys: Free App Infected by Malware Steals Keychain Data
Luis Magisa and Qi Sun's reporting was originally released in November, but I missed it at the time. It is notable as the code is focused on stealing macOS keychain (the inbuilt password manager) data and associated passwords. Stealers such as these are rarer for sure on macOS, so it is interesting to observe actors develop tradecraft. It is unclear if this was deployed in the wild or was still in the development phase.
The password typed in by the user of the infected device will be encrypted and sent to the C&C server via HTTP POST command. The collected password may be used to decrypt the user's Keychain.
Breaking the silence - Recent Truebot activity
Tiago Pereira provides details of exploitation of a vulnerability in an IT auditing product by what is suspected to be organised crime. This incident evidences once more that organised crime groups do have technical capability to exploit old day vulnerabilities to good effect. Going after an IT auditing product and the data it holds is also an interesting twist.
Since August 2022, we have seen an increase in infections of Truebot (aka Silence.Downloader) malware. Truebot was first identified in 2017 and researchers have linked it to a threat actor called Silence Group that is responsible for several high-impact attacks on financial institutions in several countries around the world.
We saw a small number of attacks that exploited a recent remote code execution vulnerability in Netwrix Auditor. In October, a larger number of infections leveraged Raspberry Robin, a recent malware spread through USB drives, as a delivery vector.
https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/
Trojanized OneNote Document Leads to Formbook Malware
Rodel Mendrez, Phil Hay and Diana Lopera discuss an instance of phishing which has various novel or less common aspects and thus is noteworthy. It is clear that threat actors continue to see value in phishing due to its ubiquity, and so continue to invest in it.
Once the OneNote attachment is opened, an image lure is displayed. When the user clicks on the ‘View Document’ part of the image, a security warning appears.
One of the unpacked components is a Windows Script File (WSF), which is overlaid on the ‘View Document’ part of the image. When a user clicks on the ‘View Document’ part of the image, this causes the WSF file to be executed, and triggers a standard security alert that a file is being opened from the OneNote application.
Also, it is interesting that the filename of the WSF itself has some deception, likely an attempt to fool scanners. The filename contains a right-to-left override character (U+202E) after 'invoice', which causes the text that follows to be displayed in reverse. So, instead of displaying 'docx.wsf' some applications may display 'fsw.xcoD'.
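The right-to-left override trick above is easy to check for mechanically. The following is an added example (my own illustration, not code from the Trustwave write-up) that shows how a stored filename and its rendered form can disagree, and how to pull the real extension out of the stored string. The sample names are constructed; the rendering function models only the simple case of one U+202E override followed by plain text.

```python
import unicodedata

# Unicode bidirectional controls that can make a stored filename render in a
# different order than it is stored.
BIDI_CONTROLS = {
    "\u202A", "\u202B", "\u202C", "\u202D", "\u202E",   # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",             # LRI, RLI, FSI, PDI
}
RLO = "\u202E"


def find_bidi_controls(name):
    """Return (index, Unicode name) for each bidi control character in the filename."""
    return [(i, unicodedata.name(ch)) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def rendered_name(name):
    """Approximate what a viewer that honours U+202E shows: the text after the
    override is drawn right-to-left, i.e. reversed (simple single-override model)."""
    prefix, sep, suffix = name.partition(RLO)
    return prefix + suffix[::-1] if sep else name


def true_extension(name):
    """The extension the OS dispatches on comes from the stored string, controls removed."""
    stored = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    dot = stored.rfind(".")
    return stored[dot:].lower() if dot != -1 else ""


def rendered_extension(name):
    """The extension a user believes they are seeing."""
    shown = rendered_name(name)
    dot = shown.rfind(".")
    return shown[dot:].lower() if dot != -1 else ""


def triage(name):
    """Summarise one attachment name for an analyst or a mail-gateway rule."""
    controls = find_bidi_controls(name)
    return {
        "stored": name,
        "rendered": rendered_name(name),
        "true_extension": true_extension(name),
        "rendered_extension": rendered_extension(name),
        "bidi_controls": controls,
        "suspicious": bool(controls) and true_extension(name) != rendered_extension(name),
    }


def scan(names):
    """Return the triage records for names that contain any bidi control character."""
    return [triage(n) for n in names if find_bidi_controls(n)]


# Constructed sample attachment names (the first mimics the pattern described above).
SAMPLE_NAMES = [
    "invoice" + RLO + "xcod.wsf",   # renders as invoicefsw.docx, is really a .wsf
    "Q4 report.docx",
    "holiday" + RLO + "gnp.exe",    # renders as holidayexe.png, is really an .exe
]

if __name__ == "__main__":
    for rec in scan(SAMPLE_NAMES):
        print(rec["stored"].encode("unicode_escape").decode(), "->", rec["rendered"],
              "| real:", rec["true_extension"], "| suspicious:", rec["suspicious"])
```

The useful signal for a gateway rule is not the presence of a bidi control on its own (legitimate Arabic and Hebrew filenames use them) but the disagreement between the rendered extension and the stored one.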
HTML smugglers turn to SVG images
Adam Katz and Jaeson Schultz provide further evidence of the above with this evolution in phishing tradecraft by a criminal threat group.
[We have] witnessed Qakbot attackers using a relatively new technique that leverages Scalable Vector Graphics images embedded in HTML email attachments.
https://blog.talosintelligence.com/html-smugglers-turn-to-svg-images/
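As an added illustration of the technique (my own example, not code from the Talos post), the script below parses an HTML attachment with the standard library, collects any script that sits inside an inline SVG element, and decodes long base64 literals found there so the dropped payload type can be identified from its magic bytes. The sample HTML and its zip-like stub payload are constructed for the example; the 40-character threshold and the magic-number table are assumptions you would tune for your own mail flow.

```python
import base64
import binascii
import re
from html.parser import HTMLParser


class SvgScriptFinder(HTMLParser):
    """Collect the body of every <script> that sits inside an <svg> element."""

    def __init__(self):
        super().__init__()
        self.svg_depth = 0
        self.in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.svg_depth += 1
        elif tag == "script" and self.svg_depth:
            self.in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth:
            self.svg_depth -= 1
        elif tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data


# A long base64 literal inside script text; 40+ characters skips short tokens.
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{40,}={0,2})['"]""")

# Magic numbers for payload types commonly dropped by HTML smuggling.
MAGICS = [(b"PK\x03\x04", "zip archive"), (b"MZ", "PE executable"), (b"%PDF", "PDF")]


def classify_payload(data):
    for magic, label in MAGICS:
        if data.startswith(magic):
            return label
    return "unknown"


def analyse_attachment(html):
    """Return one record per decodable base64 blob found in SVG-embedded script."""
    parser = SvgScriptFinder()
    parser.feed(html)
    parser.close()
    findings = []
    for script in parser.scripts:
        for m in B64_LITERAL.finditer(script):
            try:
                payload = base64.b64decode(m.group(1), validate=True)
            except binascii.Error:
                continue
            findings.append({"size": len(payload), "type": classify_payload(payload),
                             "head": payload[:4]})
    return findings


# Constructed sample: an HTML attachment whose 1x1 SVG carries a base64 blob
# (a zip-like stub, not real malware) inside a script block.
_STUB_ZIP = b"PK\x03\x04" + b"\0" * 40
SAMPLE_HTML = (
    "<html><body><p>Please review the attached invoice.</p>"
    '<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">'
    "<script>var blob = '" + base64.b64encode(_STUB_ZIP).decode() + "';"
    "/* decode blob and offer it for download */</script></svg></body></html>"
)

if __name__ == "__main__":
    for f in analyse_attachment(SAMPLE_HTML):
        print(f"{f['size']} bytes, looks like: {f['type']}, head={f['head']!r}")
```

Script inside an SVG is the point of the technique: mail filters that only look for `<script>` at the document level, or that treat SVG as an image, miss it, while this parser tracks nesting so that a script outside any SVG is not reported.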
Discovery
How we find and understand the latent compromises within our environments.
IIS modules: The evolution of web shells and how to detect them
Microsoft provide some threat hunting tips around malicious IIS modules and other anomalous activity.
Hunting for timer-queue timers on Windows
William Burgess provided this in October, which I missed at the time. This hunting technique is important due to the use of such techniques by various malicious tooling (see later reporting).
More recent techniques have leveraged the Windows thread pool API to line up a sequence of callbacks (via timer-queue timers) to obfuscate injected code, sleep for a period, and then restore its execution.
https://labs.withsecure.com/publications/hunting-for-timer-queue-timers
Defence
How we proactively defend our environments.
DISTDET: A Cost-Effective Distributed Cyber Threat Detection System
From some Chinese academics, for when you have China-scale challenges. False positive rates are not discussed, however.
Our experiments on a large-scale industrial environment (1,130 hosts, 14 days, ∼1.6 billion events) and the DARPA TC dataset show that DISTDET is as effective as state-of-the-art techniques in detecting attacks, while dramatically reducing network bandwidth from 11.28Mb/s to 17.08Kb/s (676.5× reduction), memory usages from 364MB to 5.523MB (66× reduction), and storage from 1.47GB to 130.34MB (11.6× reduction). By the time of this writing, DISTDET has been deployed to 50+ industry customers with 22,000+ hosts for more than 6 months, and identified over 900 real-world attacks.
https://www.usenix.org/system/files/sec23summer_8-dong-prepub.pdf
Moobot Uses a Fake Vulnerability
Jacob Baines highlights the challenge of solely relying on the mere existence of CVEs.
On September 8, 2022, CVE-2022-28958 was added to CISA's Known Exploited Vulnerability Catalog. A report published a couple days prior said the vulnerability was being exploited by Moobot, a Mirai-like botnet. However, this vulnerability has never been exploited in the wild, because CVE-2022-28958 isn’t a real vulnerability.
https://vulncheck.com/blog/moobot-uses-fake-vulnerability
System Integrity Protection: The misunderstood setting
Mykola Grymalyuk, in his own words: “Developers and users don’t understand what System Integrity Protection really is. Thus in today’s blog post, I want to clear up some misconceptions about this setting in macOS and propose better ways for developers to manage this setting.”
System Integrity Protection, generally abbreviated as SIP, is an OS-level setting in macOS that controls many security aspects. Introduced in OS X 10.11, El Capitan, the goal of this setting was to reduce the abuse seen with root level access, namely protected task tracking, arbitrary driver loading and protected filesystem edits. Instead, users are required to manually reboot into macOS’s recovery environment and disable SIP before performing sensitive tasks in the OS.
SIP sits on the kernel level, specifically handled by XNU’s Configurable Security Restriction stack (abbreviated as CSR).
https://khronokernel.github.io/macos/2022/12/09/SIP.html
CVE-2013-3900 - WinVerifyTrust Signature Validation Vulnerability
Summary
The signature block metadata on a Windows binary is not itself protected by the signature in the current Authenticode design. As such it is possible to have two Windows binaries with valid signatures that have different file hashes and behave differently. This is possible because of data added to the PKCS#7 block.
This issue has been known since 2013; the mitigation, however, is not enabled by default.
Details
Will Dormann does an excellent job in summarising the issue here in this recent thread on Twitter:
Microsoft response/mitigation:
Vulnerability
Our attack surface.
Practically-exploitable Cryptographic Vulnerabilities in Matrix
Martin R. Albrecht, Sofía Celi, Benjamin Dowling and Daniel Jones provide various breaks in Matrix implementations. Matrix is heavily used across Europe including Germany’s national healthcare system and the French government secure communication system.
We report several practically-exploitable cryptographic vulnerabilities in the end-to-end encryption in Matrix and describe proof-of-concept attacks exploiting these vulnerabilities. When relying on implementation specific behaviour, these attacks target the Matrix standard as implemented by the matrix-react-sdk and matrix-js-sdk libraries. These libraries provide the basis for the flagship Element client. The vulnerabilities we exploit differ in their nature (insecure by design, protocol confusion, lack of domain separation, implementation bugs) and are distributed broadly across the different subprotocols and libraries that make up the cryptographic core of Matrix.
https://nebuchadnezzar-megolm.github.io/
Unusual Cache Poisoning between Akamai and S3 buckets
Tarunkant G introduces an interesting cache poisoning issue between Akamai and S3 buckets which can’t be fixed without co-ordination.
Akamai was observed to load pages from a different origin (i.e., malicious host) than what is specified in the Akamai configuration. For example, let’s say redacted.example.com is mapped to redacted.s3.ap-south-1.amazonaws.com in Akamai; now using this issue an attacker can force redacted.example.com to serve a response of malicious host such as tarunkant.s3.ap-south-1.amazonaws.com. And if caching is enabled for such hosts then the malicious response will be cached and it can be served to victim users for exploitation purposes.
https://spyclub.tech/2022/12/14/unusual-cache-poisoning-akamai-s3/
Offense
Attack capability, techniques and tradecraft.
SilentMoonwalk: Implementing a dynamic Call Stack Spoofer
A further evolution of this technique which will trip some analytics.
The idea behind this stack spoofing technique is to find suitable stack frames to use as ROP gadgets, in order to both desync the unwinding information from the real control flow, and to hide the real origin of the call.
https://klezvirus.github.io/RedTeaming/AV_Evasion/StackSpoofing/
Vulpes: Obfuscating Memory Regions with Timers
Per the previous point around why we need to be able to hunt timers.
https://mez0.cc/posts/vulpes-obfuscating-memory-regions/
Practical EDR Bypass Methods in 2022
Precious Gemstones: The New Generation of Kerberos Attacks
Oz Soprin and Shachar Roitman provide some detection capability based on a technique previously covered here. The arms race is real..
[We] show new detection methods that help improve detection of a new line of Kerberos attacks, which allow attackers to modify Kerberos tickets to maintain privileged access. The most well-known example of this is the Golden Ticket attack, which allows threat actors to forge a ticket to masquerade as a high-privileged user.
These two newer attacks extend the Golden Ticket attack in that the forged tickets are not created from scratch, but instead based on modifying an existing ticket to include high-privileged access. We’ll discuss the difference between these three types of attacks, to explain why the newer ones are harder to detect.
https://unit42.paloaltonetworks.com/next-gen-kerberos-attacks/
Exploitation
What is being exploited.
Faille-VPN-SSL-Fortigate - 0 day FortiGate VPN-SSL flaw - CVE-2022-42475
The original French reporting which came out on December 9th.
The Fortiguard reporting which came a number of days later which confirmed it was being exploited in the wild.
A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.
https://www.fortiguard.com/psirt/FG-IR-22-398
APT5 has demonstrated capabilities against Citrix® Application Delivery Controller™ (ADC™) deployments (“Citrix ADCs”)
NSA provides threat hunting tips for APT5, also known as UNC2630 and MANGANESE, and their Citrix capabilities. This is strongly believed to be in response to CVE-2022-27518.
https://media.defense.gov/2022/Dec/13/2003131586/-1/-1/0/CSA-APT5-CITRIXADC-V1.PDF
Citrix released their advisory on December 13th for CVE-2022-27518.
A vulnerability has been discovered in Citrix Gateway and Citrix ADC, listed below, that, if exploited, could allow an unauthenticated remote attacker to perform arbitrary code execution on the appliance.
Citrix ADC or Citrix Gateway must be configured as a SAML SP or a SAML IdP
Security Flaw in Atlassian Products (Jira, Confluence,Trello, BitBucket) Affecting Multiple Companies
Sparsh Kulshrestha details a flaw around cookie expiration in the cloud instances of these products. You have to wonder how prevalent this type of issue is in SaaS globally.
On 6th Dec 2022, [we] disclosed a cyber attack directed at the company. During the course of investigation into the root cause of the incident, the internal investigation team identified that the threat actor gained access to an employee’s Jira account, using Jira session cookies present in stealer logs being sold on the darkweb.
Following further investigation, it was found that for Atlassian products (Jira, Confluence, and BitBucket), cookies are not invalidated, even if the password is changed, with 2FA (Two-factor Authentication) enabled, as the cookie validity is 30 days. They only expire when the user logs out, or after 30 days.
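The design flaw described above is a session that outlives the credentials that minted it. Below is an added example (a hypothetical server-side session store I wrote for illustration, not Atlassian's implementation) that reproduces the weak behaviour and the corrected one side by side: each session records the credential version it was issued under, and in the corrected mode a password change bumps that version so every older cookie, including one lifted from stealer logs, stops validating immediately instead of after the 30-day lifetime. The PBKDF2 parameters and the 16-byte token are assumptions.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

SESSION_LIFETIME = 30 * 24 * 3600   # the 30-day validity the post describes


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    salt: bytes
    password_hash: bytes
    credential_version: int = 0   # bumped on password change or 2FA change


@dataclass
class Session:
    username: str
    issued_at: float
    credential_version: int       # version of the credentials that minted it


class SessionStore:
    """Hypothetical server-side session store. bind_to_credentials=False reproduces
    the weakness (cookies survive a password change); True is the corrected form."""

    def __init__(self, bind_to_credentials):
        self.bind_to_credentials = bind_to_credentials
        self.users = {}
        self.sessions = {}

    def add_user(self, username, password):
        salt = os.urandom(16)
        self.users[username] = User(salt, _hash_password(password, salt))

    def login(self, username, password, now=None):
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(
                user.password_hash, _hash_password(password, user.salt)):
            return None
        token = os.urandom(16).hex()   # the value that would be set as the cookie
        self.sessions[token] = Session(username, now if now is not None else time.time(),
                                       user.credential_version)
        return token

    def is_valid(self, token, now=None):
        now = now if now is not None else time.time()
        session = self.sessions.get(token)
        if session is None or now - session.issued_at > SESSION_LIFETIME:
            return False
        if self.bind_to_credentials:
            current = self.users[session.username].credential_version
            if session.credential_version != current:
                return False   # minted under old credentials: treat as revoked
        return True

    def change_password(self, username, new_password):
        user = self.users[username]
        user.salt = os.urandom(16)
        user.password_hash = _hash_password(new_password, user.salt)
        user.credential_version += 1   # invalidates older sessions when bound

    def logout(self, token):
        self.sessions.pop(token, None)


def stolen_cookie_survives_password_change(bind_to_credentials):
    """Scenario from the post: a session cookie lifted from stealer logs, then the
    user changes their password. Returns True if the old cookie still validates."""
    store = SessionStore(bind_to_credentials)
    store.add_user("alice", "correct horse battery staple")
    stolen = store.login("alice", "correct horse battery staple", now=0)
    store.change_password("alice", "new password after the scare")
    return store.is_valid(stolen, now=3600)


if __name__ == "__main__":
    print("weak store  :", stolen_cookie_survives_password_change(False))
    print("fixed store :", stolen_cookie_survives_password_change(True))
```

Versioning credentials rather than enumerating and deleting sessions has the advantage that it also works for stateless tokens that carry the version as a claim, and it naturally covers 2FA enrolment changes as well as password resets.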
RedGoBot - DDoS botnet written in the new Go language
Reporting from China on a botnet exploiting a vulnerability in a network video recorder.
An unknown family exploited the Vacron NVR RCE vulnerability to spread.
Tooling and Techniques
Low level tooling for attack and defence researchers.
Shoggoth: Asmjit Based Polymorphic Encryptor
Furkan Göksel releases a capability that will make certain detection techniques wither.
Shoggoth is an open-source project based on C++ and the asmjit library used to encrypt given shellcode, PE, and COFF files polymorphically. Shoggoth will generate an output file that stores the payload and its corresponding loader.
https://github.com/frkngksl/Shoggoth
System profiling that unwinds stack without frame pointers and symbols
Sean Heelan, Thomas Dullien and Israel Ogbole detail a technique which will have wider applications in detection engineering. I’ve discussed before how observability is the biggest general game changer.
A sampling profiler instructs the operating system to be run “periodically,” usually N times per second (in our case, 20 times per second per core). Each time the profiler gets control, it performs a “stack walk”: Starting from the location where the CPU core is currently executing, it analyzes the call stack in order to identify the code path that was taken to get to the currently executing instruction.
The profiler thus tries to answer the questions of “Where are we currently spending our time?” and “How did we get here?”
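The two questions in that quote map directly onto two aggregations over sampled stacks. As an added example (mine, not the Elastic profiler, which works on native frames via eBPF), the script below implements the same loop in pure Python: a helper thread wakes N times per second, walks the target thread's frame chain from the executing frame outwards, and counts each distinct path; one summary answers "where are we spending our time" (innermost function) and the other "how did we get here" (callers of a given function). The workload and the 100 Hz rate are constructed for the demonstration; `sys._current_frames` is used as the stand-in for the kernel's view of the stack.

```python
import sys
import threading
import time
from collections import Counter


def walk_stack(frame):
    """Walk outward from the executing frame: innermost function name first."""
    path = []
    while frame is not None:
        path.append(frame.f_code.co_name)
        frame = frame.f_back
    return tuple(path)


class SamplingProfiler:
    """Sample one target thread's stack hz times per second from a helper thread."""

    def __init__(self, target_thread_id, hz=100):
        self.target = target_thread_id
        self.interval = 1.0 / hz
        self.samples = Counter()         # stack path -> number of samples
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._run, daemon=True)

    def _run(self):
        while not self._stop.is_set():
            frame = sys._current_frames().get(self.target)
            if frame is not None:
                self.samples[walk_stack(frame)] += 1
            time.sleep(self.interval)

    def __enter__(self):
        self._thread.start()
        return self

    def __exit__(self, *exc):
        self._stop.set()
        self._thread.join()


def profile(func, hz=100):
    """Run func on the current thread while sampling it; return the stack histogram."""
    with SamplingProfiler(threading.get_ident(), hz) as prof:
        func()
    return prof.samples


def where_is_time_spent(samples):
    """'Where are we spending our time?': samples attributed to the innermost function."""
    leaf = Counter()
    for path, n in samples.items():
        leaf[path[0]] += n
    return leaf


def how_did_we_get_here(samples, name):
    """'How did we get here?': which functions called `name` in the sampled stacks."""
    callers = Counter()
    for path, n in samples.items():
        for i in range(len(path) - 1):
            if path[i] == name:
                callers[path[i + 1]] += n
                break
    return callers


# Constructed workload: outer() spends its time inside busy_loop().
def busy_loop(seconds=0.4):
    deadline = time.monotonic() + seconds
    x = 0
    while time.monotonic() < deadline:
        x = (x * 31 + 7) % 1_000_003
    return x


def outer():
    return busy_loop()


if __name__ == "__main__":
    samples = profile(outer, hz=100)
    print("samples:", sum(samples.values()))
    print("hottest leaf:", where_is_time_spent(samples).most_common(3))
    print("callers of busy_loop:", how_did_we_get_here(samples, "busy_loop"))
```

What the native profiler adds over this toy is the stack walk itself: without frame pointers or symbols there is no `f_back` chain to follow, which is the problem the article is about; the aggregation side is the same.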
https://www.elastic.co/de/blog/universal-profiling-frame-pointers-symbols-ebpf
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Reassessing cyberwarfare. Lessons learned in 2022 - Kaspersky covering themselves - "This report does not make the assumption that the Russian military would use, could use, or has ever used wiper malware. US-CERT however went on the record on this exact subject."
Monthly Threat Actor Group Intelligence Report, October 2022 (Korean) - released in December
Zoom. Enhance!: Finding Value in Macro-level ATT&CK Reporting - data analytics applied to ATT&CK reporting
Wargaming to find a safe port in a cyber storm - maritime related and pun laden for war gaming.
Human-Machine Teaming in Intelligence Analysis: Requirements for developing trust in machine learning systems - Research Report
On the Use and Strategic Implications of Cyber Ranges in Military Contexts: A Dual Typology - We thus ask, why do states establish sovereign cyber ranges ‘on top’ of being involved in collaborative ones? Why and how do they differ? To answer such questions, this paper delves into both the crucial technical components that support each CRiMC type and their implications by offering exemplars from five states (Lithuania, Norway, Slovenia, the Netherlands, and the USA)
NSA Releases Series on Protecting DoD Microelectronics From Adversary Influence - all around Field Programmable Gate Arrays (FPGAs)
Research methods applied to cybersecurity - as we inch towards cyber security as a science / the science of cyber security, this academic paper is a good reminder of how far many vendors have to go in their proof of efficacy.
That’s all folks.. until next week..