Bluepurple Pulse: week ending February 5th
Ransomware operators managed to do what only Iran could dream of..
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week the attack by LockBit on ION and the knock-on effects on derivatives trading is likely a watershed moment for financial services, one which I suspect will embolden regulators. Outside of that the world continues to smolder from ransomware more generally, with the tempo of incidents remaining high.
In the high-level this week:
Joint Cyber Defense Collaborative (JCDC) announces its 2023 Planning Agenda - which outlines what it will do around Systemic risk, Collective cyber response, and High-risk communities.
Australia leads global task force to fight ransomware - The Task Force, chaired by Australia, will drive international cooperation to tackle ransomware, including through information and intelligence exchanges, sharing best practice policy and legal authority frameworks, and collaboration between law enforcement and cyber authorities.
China imposes new cybersecurity rules in Tibet - Chinese authorities imposed a new cyber law in Tibet that went into effect Wednesday, with the government announcing tougher punishments for anyone creating “public disorder by engaging in separatist acts.”
The Abraham Accords expand with cybersecurity collaboration - The arrangement, which is still developing, will involve increased sharing of information on cybersecurity threats, as well as the potential for tabletop exercises and more, among some signatories of the Abraham Accords. Department of Homeland Security Undersecretary for Strategy, Policy and Plans Rob Silvers, who traveled to Israel for the announcement and further talks, said the expansion builds on existing cyber collaboration between Israel, the United Arab Emirates and the United States to include Bahrain and Morocco.
Stop Passing the Buck on Cybersecurity: Why Companies Must Build Safety Into Tech Products - punchy article - Although the transition to safer technology is a longer-term endeavor, every organization can take steps today that will improve its cybersecurity. First and foremost, in every business, the responsibility for cybersecurity needs to be elevated from the IT department to the board, the CEO, and the senior executive level.
Related: there was this article in the UK’s Financial Times - The corporate world is losing its grip on cyber risk - from the end of March, there will be something it (the Lloyd’s market) won’t price: systemic cyber risk, or the type of major, catastrophic disruption caused by state-backed cyber warfare.
The Year of the Wiper - a retrospective on a trend largely driven by Russia/Ukraine and Iran/Israel/Saudi interactions etc.
Washington Halts Licenses for U.S. Companies to Export to Huawei - discuss if this will drive increased Chinese state activity in the cyber domain.
Highly intrusive spyware threatens the essence of human rights - from the Council of Europe’s Commissioner for Human Rights. Building on their focus on companies like NSO. Expect more focus on Cypriot exports.
From privacy to partnership The role of privacy enhancing technologies in data governance and collaborative analysis - from the UK’s Royal Society.
How Can a ‘Digital Emblem’ Help Protect Medical Facilities Against Cyber Operations? - Previously discussed here was the launch by the International Committee of Red Cross of this concept - this is their opinion piece on how it might work in practice.
Related: The ICRC and CRASSH at the University of Cambridge to launch new Humanitarian Action Programme - ICRC and CRASSH at the University of Cambridge deliver a new research programme exploring digital and cyber security policy, ethics and regulation.
Strengthening and Democratizing the U.S. Artificial Intelligence Innovation Ecosystem: An Implementation Plan for a National Artificial Intelligence Research Resource - This final report of the NAIRR Task Force presents a roadmap and implementation plan for a national cyberinfrastructure aimed at overcoming the access divide, reaping the benefits of greater brainpower and more diverse perspectives and experiences applied to developing the future of AI technology and its role in our society. Such a national cyberinfrastructure also presents a unique and critical opportunity to "design in" the standards for responsible AI research practices and governance processes that uphold our priority to develop and harness these groundbreaking technologies in a manner that reinforces our Nation's democratic values and Americans' personal freedoms.
The 5×5—China's cyber operations - which asks
Is there a particular example that typifies the “Chinese” model of cyber operations?
What role do non-state actors play in China’s approach to cyber operations?
How do China’s cyber operations differ from those of other states in the region?
How have China’s offensive cyber operations changed since 2018?
What domestic entities, partnerships, or roles exist in China’s model of cyber operations model that are not present in the United States or Western Europe?
Cyber Dimensions of the Armed Conflict in Ukraine - Q4 2022 - This quarterly analysis report provides insights on the cyber dimensions of the armed conflict in Ukraine. The report combines analysis of data collected in the Cyber Attacks in Times of Conflict Platform #Ukraine and information gathered through OSINT research.
Academia as a target: Espionage and proliferation in the academic sector - from the Swiss government
The Administration’s Roadmap to Mitigate Cryptocurrencies’ Risks | NEC | The White House - there is poor cybersecurity across the industry that enabled the Democratic People’s Republic of Korea to steal over a billion dollars to fund its aggressive missile program - in true Hollywood 1 billllion dollars style..
Reflections this week come from one of my board roles at the University of Bristol where I got to visit Science Creates which is a ‘Deeptech’ incubator. Science Creates is in essence three things:
WeWork-esque working spaces with private offices and fully delivered, scalable private laboratories for science start-ups.
A venture fund
A network of investors, partners etc.
For me several aspects stood out.
Reduction in capital start-up costs for a new firm, because fume hoods, liquid nitrogen, biosecurity etc. are all taken care of ‘as a Service’, removes much of the friction/hurdles. This results in more start-ups being able to start, in turn allowing greater impact than they might otherwise have.
A vertically integrated, end-to-end view of the start-up lifecycle, de-risking the various trip hazards which exist prior to Series A/B and ensuring the maximum likelihood of success if the innovation is viable.
Relentless focus on translational (applied) research/engineering, using science applied to real-world problems with a sole mission focus of improving quality of life. This gives a clear sense of purpose and value.
Naturally this experience made me wonder what such facilities and eco-systems would look like for cyber specifically. This then led to questions on whether there was enough concentrated geographic demand, and whether it would provide any edge/value if we think beyond just software? Specifically, combining hardware, software, data science and associated enablers with high capital costs to support translational research on material challenges. The answer to which I’m still mulling over, but I recognised there is a risk that with too much specialism and focus it likely breaks the part of the business model which enables scale and flexibility…
Finally on the interesting job front the US Treasury is hiring Policy Analysts for their Office of Cybersecurity and Critical Infrastructure Protection.
Enjoying this? Don’t get it via e-mail? Corporate philanthropist? Subscribe either for free or donate.
Have a lovely Thursday
Ollie
Cyber threat intelligence
Who is doing what to whom and how.
APT activity report T3 2022
A general APT report summary providing a good sense of the activity seen by this vendor.
In the monitored timespan, Russia-aligned APT groups continued to be particularly involved in operations targeting Ukraine, deploying destructive wipers and ransomware. Among many other cases, we detected the infamous Sandworm group using a previously unknown wiper against an energy sector company in Ukraine. APT groups are usually operated by a nation-state or by state-sponsored actors; the described attack happened in October, in the same period as the Russian armed forces started launching missile strikes targeting energy infrastructure, and while we are not able to show these events were coordinated, it suggests that Sandworm and military forces of Russia have related objectives.
[We] also detected a MirrorFace spearphishing campaign targeting political entities in Japan and noticed a gradual change in the targeting of some China-aligned groups – Goblin Panda started to duplicate Mustang Panda’s interest in European countries. Iran-aligned groups continued to operate at a high volume – besides Israeli companies, POLONIUM also started targeting foreign subsidiaries of Israeli companies, and MuddyWater probably compromised a managed security provider.
In various parts of the world, North Korea-aligned groups used old exploits to compromise cryptocurrency firms and exchanges; interestingly, Konni has expanded the repertoire of languages it uses in its decoy documents to include English, which means it might not be aiming at its usual Russian and Korean targets. Additionally, we discovered a cyberespionage group that targets high-profile government entities in Central Asia; we named it SturgeonPhisher.
https://www.welivesecurity.com/wp-content/uploads/2023/01/eset_apt_activity_report_t32022.pdf
Ukraine / Russia
Various bits of reporting over the last little bit here
Russian hackers tried to use five malware applications to attack a Ukrainian news agency
Further high-level reporting on a topic covered last week. Note the use of legitimate utilities in the spirit of living-off-the-land.
[We] studied the cyberattack on the National News Agency of Ukraine (Ukrinform) and identified the software used by the hackers to breach information integrity and accessibility.
The experts have identified five malware samples that Russian hackers tried to use during the attack: CaddyWiper, ZeroWipe, SDelete, AwfulShred and BidSwipe.
While investigating the attack, the CERT-UA experts learned that the criminals had made an unsuccessful attempt to disrupt user workstations' normal operation by using CaddyWiper and ZeroWipe destructive malware as well as a legitimate SDelete utility (that they planned to start through “news.bat”). At the same time, a group policy object (GPO) was used for centralized malware dissemination. It enabled creation of corresponding scheduled tasks.
UAC-0114 aka Winter Vivern to target Ukrainian and Polish GOV entities (CERT-UA#5909)
Reporting from Ukraine on Russian activity against Ukraine and Poland.
[We] detected a web page which mimics the website of the Ministry of Foreign Affairs of Ukraine and lures a user to download software for "scanning infected PCs on viruses".
If a user follows the link, the BAT file "Protector.bat" will be served onto the victim's PC. Leveraging powershell.exe, the BAT file would download and execute several PowerShell scripts, one of which would recursively scan the Desktop folder for files with the following extensions: .edb, .ems, .eme, .emz, .key, .pem, .ovpn, .bat, .cer, .p12, .cfg, .log, .txt, .pdf, .doc, .docx, .xls, .xlsx, .rdg, .aft, as well as take screenshots and exfiltrate data using HTTP. Also, Scheduled Tasks would be created for persistence purposes.
https://cert.gov.ua/article/3761104
The Russian-sponsored UAC-0010 group (aka Gamaredon, Armageddon) continues to conduct frequent cyber attack campaigns against Ukrainian organizations
Further reporting from Ukraine on Russian activity using rather primitive tradecraft.
The Russian-sponsored UAC-0010 group (aka Gamaredon, Armageddon) continues to conduct frequent cyber attack campaigns against Ukrainian organizations. Despite using mainly repeated sets of techniques and procedures, adversaries slowly but insistently evolve in their tactics and redevelop used malware variants to stay undetected. Therefore, it remains one of the key cyber threats facing organizations in our country.
The group’s recent activity is characterized with the approach of multi-stage download and deployment of malware payloads, that is used in order to maximize chances of maintaining persistence on infected hosts. These payloads represent similar variants of the same malware, designed to behave in practically analogous manner.
The Cyber Incidents Response Operational Centre of the State Cyber Protection Centre of Ukraine has found and analyzed variants of GammaLoad and GammaSteel malware being used in a recent campaign that are considered further.
Initial Access is achieved by adversaries using Phishing technique. The .RAR file named “12-1-125_09.01.2023” was distributed as an attachment to the spear-phishing email. It contains the only .LNK file named “Запит Служба безпеки України 12-1-125 від 09.01.2023.lnk” (“Request of the Security Service of Ukraine 12-1-125 dated 09.01.2023.lnk”).
No Pineapple! –DPRK Targeting of Medical Research and Technology Sector
Reporting based on an incident involving North Korea from the end of 2022. The fact they continue to conduct intelligence activities outside of their financial asset campaigns is of note. Also of note are the vulnerabilities exploited and the Unix tradecraft, which they have demonstrated in various financial services intrusions.
[We] responded to a cyber-attack conducted by a threat actor that [we] have attributed with high confidence to an intrusion set referred to as Lazarus Group. Amongst technical indications, the incident observed by [us] also contained characteristics of recent campaigns attributed to Lazarus Group by other researchers. The campaign targeted public and private sector research organizations, the medical research and energy sector as well as their supply chain. The motivation of the campaign is assessed to be most likely for intelligence benefit. Previous reporting on similar campaigns highlights the targeting of technology with military implementations and [we] assess that this type of targeting continued through Q4 2022.
Initial compromise and privilege escalation was through exploitation of known vulnerabilities in unpatched Zimbra devices
Threat actor used off the shelf webshells and custom binaries, as well as abusing legitimate Windows and Unix tools (Living Off the Land)
Threat actor installed tools for proxying, tunnelling and relaying connections
C2 behavior suggests a small number of C2 servers connecting via multiple relays/endpoints. Some C2 servers appear to themselves be compromised victims
Threat actor exfiltrated ~100GB of data but took no destructive action by the point of disruption
Other observed possible victim verticals and exfiltration by the threat actor imply the motive is intelligence collection
Strong confidence that threat actor is North Korean state sponsored intrusion set LAZARUS Group
Prilex modification now targeting contactless credit card transactions
Interesting bit of reporting here on Point of Sale implants which actively try to block contactless payments in order to force a fallback. It shows that this threat group has research capability.
Prilex is a singular threat actor that has evolved from ATM-focused malware into unique modular PoS malware—actually, the most advanced PoS threat we have seen so far, as described in a previous article. Forget about those old memory scrapers seen in PoS attacks. Prilex goes beyond these, and it has evolved very differently. This is highly advanced malware adopting a unique cryptographic scheme, doing real-time patching in target software, forcing protocol downgrades, manipulating cryptograms, doing GHOST transactions and performing credit card fraud—even on cards protected with the so-called unhackable CHIP and PIN technology. And now, Prilex has gone even further.
A frequent question asked about this threat was whether Prilex was able to capture data coming from NFC-enabled credit cards. During a recent Incident Response for a customer hit by Prilex, we were able to uncover three new Prilex versions capable of blocking contactless payment transactions, which became very popular in the pandemic times.
Threat actor consent phishing campaign abusing the verified publisher process
Lagged reporting on an incident from the middle of December. The sophistication, planning and execution are the points of note here against OAuth consents. The federated model of OAuth is a growing challenge and it is clear that threat actors have adapted.
On December 15th, 2022, Microsoft became aware of a consent phishing campaign involving threat actors fraudulently impersonating legitimate companies when enrolling in the Microsoft Cloud Partner Program (MCPP) (formerly known as Microsoft Partner Network (MPN)). The actor used fraudulent partner accounts to add a verified publisher to OAuth app registrations they created in Azure AD. The applications created by these fraudulent actors were then used in a consent phishing campaign, which tricked users into granting permissions to the fraudulent apps. This phishing campaign targeted a subset of customers primarily based in the UK and Ireland.
All fraudulent applications have been disabled and impacted customers have been notified with an email containing the subject line “Review the suspicious application disabled in your [tenant name] tenant”. We encourage those impacted customers to investigate and confirm if additional remediation is required, and all customers take steps to protect against consent phishing.
A small plug here - this is why I personally invested in Push Security - they help organisations understand their exposure and mitigate the risk to this threat.
Operation Ice Breaker Targets The Gam(bl)ing Industry Right Before It's Biggest Gathering
An example of threat actors targeting the departments in organisations who are tasked with helping people, and who are therefore likely to open attachments from people they don’t know. This blog opens with a heavy sales pitch, but the tradecraft documented is worth taking note of and worth verifying that your resilience strategies could withstand. The net result is they get these customer service reps to detonate malware in the estate.
The Modus Operandi of the attacker is to pretend to be a customer of the website with an issue, such as logging in or registering, when in reality the "visitor" does not have an account. This should be the first indicator that something is not right.
The 2nd indicator is that the attacker wants to share a screenshot of his problem with the team, but instead of attaching an image, he is sending a link to download it from external websites. Those websites are fake copies impersonating the online service screenshot[.]net, usually using domain names that look like the official one by abusing several characters in the Unicode Standard, also referred to as IDN Homograph Attacks; or via DropBox links to deliver the malware to the customer service representative.
Dark side ransomware including propagation function in AD environment
Reporting from Korea on this ransomware which uses Group Policy Objects for propagation/execution. We’ve previously covered similar tradecraft being used by organised crime. A theme emerges..
Darkside ransomware works only when the loader and data files are present in order to bypass analysis and sandbox detection. The loader named “msupdate64.exe” (existing in the same path) reads the “config.ini” data file that stores the ransomware in an encoded state and executes the ransomware in the memory of the normal process. When executed, it is structured to operate only when certain factor values are correct, and is configured to be registered in the task scheduler and operated periodically.
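Both the Ukrinform wipers covered above and DarkSide here are pushed out through Group Policy scheduled tasks, so the ScheduledTasks.xml preference files in SYSVOL are worth auditing. The following is an added example of mine, not tooling from CERT-UA or ASEC: it parses a constructed ScheduledTasks.xml in the Group Policy Preferences layout and flags tasks that run as SYSTEM, use a script host, or point at a UNC/SYSVOL path or script file. The sample XML, task names and heuristics are all assumptions for illustration.

```python
"""Flag Group Policy Preference scheduled tasks that look like centralised
malware deployment. Added example; heuristics are mine, not a vendor's."""
import re
import xml.etree.ElementTree as ET

# Constructed sample in the layout GPP writes to
# SYSVOL\<domain>\Policies\{GUID}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml.
# clsid values are illustrative; one task runs a .bat from SYSVOL as SYSTEM, one is a benign agent.
SAMPLE_GPP_XML = """<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <TaskV2 clsid="{D8896631-B747-47a7-84A6-C155337F3BC8}" name="SoftwareUpdate" changed="2023-01-16 09:12:00">
    <Properties action="C" name="SoftwareUpdate" runAs="NT AUTHORITY\\System" logonType="S4U">
      <Task version="1.2">
        <Triggers><TimeTrigger><StartBoundary>2023-01-16T10:00:00</StartBoundary></TimeTrigger></Triggers>
        <Actions Context="Author">
          <Exec>
            <Command>C:\\Windows\\System32\\cmd.exe</Command>
            <Arguments>/c \\\\corp.example\\SYSVOL\\corp.example\\scripts\\news.bat</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </TaskV2>
  <TaskV2 clsid="{D8896631-B747-47a7-84A6-C155337F3BC8}" name="InventoryAgent" changed="2022-03-02 14:00:00">
    <Properties action="C" name="InventoryAgent" runAs="CORP\\svc-inventory" logonType="Password">
      <Task version="1.2">
        <Actions Context="Author">
          <Exec><Command>C:\\Program Files\\Inventory\\agent.exe</Command><Arguments>--collect</Arguments></Exec>
        </Actions>
      </Task>
    </Properties>
  </TaskV2>
</ScheduledTasks>
"""

# Script hosts an attacker would use to run a dropped file rather than a product binary.
SCRIPT_HOSTS = re.compile(r"(cmd|powershell|pwsh|rundll32|regsvr32|mshta|wscript|cscript)\.exe$", re.I)
# UNC paths, SYSVOL/NETLOGON references, or script-like extensions anywhere in the action.
SCRIPT_OR_UNC = re.compile(r"\\\\\S+|\b(sysvol|netlogon)\b|\.(bat|cmd|ps1|vbs|js|hta|dll)\b", re.I)
TASK_TAGS = {"Task", "TaskV2", "ImmediateTask", "ImmediateTaskV2"}


def scan_gpp_scheduled_tasks(xml_text):
    """Return one finding per top-level task preference that trips a heuristic."""
    root = ET.fromstring(xml_text)
    findings = []
    for task in root:                      # direct children only: the task preference items
        if task.tag not in TASK_TAGS:
            continue
        props = task.find("Properties")
        if props is None:
            continue
        reasons = []
        run_as = props.get("runAs", "")
        if "system" in run_as.lower():
            reasons.append("runs as " + run_as)
        for exec_el in props.iter("Exec"):
            cmd = (exec_el.findtext("Command") or "").strip()
            args = (exec_el.findtext("Arguments") or "").strip()
            if SCRIPT_HOSTS.search(cmd):
                reasons.append("script host " + cmd)
            if SCRIPT_OR_UNC.search(cmd + " " + args):
                reasons.append("script/UNC target in: " + (cmd + " " + args).strip())
        if reasons:
            findings.append({"task": task.get("name"), "changed": task.get("changed"),
                             "action": props.get("action"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_gpp_scheduled_tasks(SAMPLE_GPP_XML):
        print(f["task"], f["changed"], "->", "; ".join(f["reasons"]))
```

Run it against every `ScheduledTasks.xml` under `\\<domain>\SYSVOL\<domain>\Policies` and diff the output against the last known-good run; the `changed` attribute on a task is the quickest pivot to the GPO edit in the domain controller's security log.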
APT41 Latest trends and observations
Slides are in Japanese, run them through Google Translate if you want to read them. The summary is that 500 social media posts were analysed after October 2022 to look at APT41 information operations where they tried to spoof and/or otherwise spread disinformation on various topics. Some of this has been previously covered in English. This reporting is a Japanese view on the same campaigns relevant to their region.
https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_2_LT5_jp.pdf
Demystifying the China’s Supply Chain Attack Targeting Financial Sector
Good insight from Taiwan into some recent Chinese tradecraft end-to-end. Password spraying, breached VPNs and similar are the order of the day. We’ve seen it before and they continue with the TTPs.
The local Administrator logged in via RDP and executed a suspicious file ntxn264.exe and implanted the backdoor program uNPXtssucPrx.dll. The backdoor uNPXtssucPrx.dll was registered as an autorun service, allowing it to automatically start after the system reboots.
Case #1: Bifrose is back
Case #2: Operation Cache Panda Vulnerability in Supplier’s Software
Case #3: Credit Card Leak
Case #4: Source Code Stolen
https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_1_3_chan_chen_en.pdf
Fighting to LODEINFO: Investigation for Continuous Cyberespionage Based on Open Source
Slides are in Japanese, building on previous reporting on malware which is Chinese in origin and suspected of being used by APT10 and/or its splinters/predecessors.
Fileless RAT used in targeted attacks against Japan
Target Sectors:
Security,
International Politics,
Diplomacy
Media
Delivered as attachments to spear phishing emails
Continuously updated from the end of 2019
Frequent update of version information inside malware
C2 server is a VPS with IP geolocation in Japan; trends in hosting services (Vultr, CHOOPA, Linode)
Many speculate that APT10 is behind operations using this malware
Similarity to past malware (such as Bisonal) (embedding version information)
Similarity of TTPs (Spear-Phishing, DLL Side-Loading)
https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_1_6_minakawa-saika-kubokawa_jp.pdf
Track Down Stealth Fileless Injection-based Nginx Backdoor in the Attack
Very interesting reporting here of an implant for nginx which uses reflective code injection on Linux. It has a key exchange protocol which occurs over the listening HTTP server when a specific User-Agent string is seen. Used in Taiwan and shows a degree of sophistication.
https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_2_4_peter-jr-wei_en.pdf
Invitation to Secret Event: Uncovering campaigns targeting East Asia by Earth Yako
Details of an espionage operation “RestyLink” by a threat actor known as “Earth Yako” targeting Taiwan and Japan. The delivery tradecraft is rather basic i.e. .zip and .iso files via email.
https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_2_5_hara-higashi-shoji_en.pdf
Discovery
How we find and understand the latent compromises within our environments.
Antivirus Event Analysis Cheat Sheet v1.12.0
January update from Florian and co.
https://www.nextron-systems.com/2023/01/20/antivirus-event-analysis-cheat-sheet-v1-12-0/
Good Office 365 Unified Audit Log Hunting
Emily Parrish outlines how to do hunting in Office 365.
Taking a deeper dive into one of those data sources, the Office 365 Unified Audit Log (UAL). This is a key data source in any cloud investigation because it contains a record of all the activity that has occurred in Office 365 and Azure Active Directory: whether a threat actor adds a new application secret, sets up a mailbox rule, accesses an email message, or joins a Teams call, it will be logged in the UAL. If we use this resource correctly, it can help us build a full story of a threat actor’s activity in Office 365.
https://techcommunity.microsoft.com/t5/microsoft-security-experts-blog/good-ual-hunting/ba-p/3718421
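As an added example (written by me for this newsletter, not Microsoft's code), here is the kind of pass you would run over a UAL export to surface the verified-publisher consent phishing campaign above alongside the usual mailbox-persistence tells and app-credential additions. The records are constructed in the shape of Search-UnifiedAuditLog's AuditData JSON; the users, IPs, app names and the exact ConsentAction.Permissions text are invented, and the risky-scope and inbox-rule lists are my own starting points rather than a complete catalogue.

```python
"""Hunt a Unified Audit Log export for consent grants, suspicious inbox rules and
new service principal credentials, then rebuild a per-user timeline.
Added example; the records below are constructed, not real UAL data."""
from collections import defaultdict

SAMPLE_UAL = [
    {"CreationTime": "2022-12-14T09:01:12", "Operation": "UserLoggedIn", "Workload": "AzureActiveDirectory",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.10", "ResultStatus": "Success"},
    {"CreationTime": "2022-12-14T09:03:40", "Operation": "Consent to application.", "Workload": "AzureActiveDirectory",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.10", "ResultStatus": "Success",
     "Target": [{"Type": 1, "ID": "Single Sign-on Helper"}],
     "ModifiedProperties": [
         {"Name": "ConsentContext.IsAdminConsent", "NewValue": "False"},
         {"Name": "ConsentAction.Permissions",
          "NewValue": "[] => [[ConsentType: Principal, Scope: offline_access Mail.Read Mail.ReadWrite]]"}]},
    {"CreationTime": "2022-12-14T09:05:02", "Operation": "New-InboxRule", "Workload": "Exchange",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.10", "ResultStatus": "True",
     "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "SubjectContainsWords", "Value": "invoice;password reset"}]},
    {"CreationTime": "2022-12-14T11:20:33", "Operation": "Add service principal credentials.",
     "Workload": "AzureActiveDirectory", "UserId": "bob@example.com", "ClientIP": "198.51.100.7",
     "ResultStatus": "Success", "Target": [{"Type": 1, "ID": "HR Sync"}]},
    {"CreationTime": "2022-12-14T12:00:00", "Operation": "New-InboxRule", "Workload": "Exchange",
     "UserId": "carol@example.com", "ClientIP": "192.0.2.5", "ResultStatus": "True",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "MoveToFolder", "Value": "Reading"}]},
]

# Scopes that keep working after the user logs off (offline_access = refresh token) or touch mail.
RISKY_SCOPES = {"offline_access", "Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All"}
# Inbox-rule parameters used to hide or divert mail; MoveToFolder alone is too noisy to flag.
RULE_RED_FLAGS = {"DeleteMessage", "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "MarkAsRead"}


def _modified(record, name):
    for prop in record.get("ModifiedProperties", []):
        if prop.get("Name") == name:
            return prop.get("NewValue", "")
    return ""


def _params(record):
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def _target_apps(record):
    return ", ".join(t["ID"] for t in record.get("Target", []) if t.get("Type") == 1)


def hunt_ual(records):
    """Return findings in time order for consent grants, risky inbox rules and new app credentials."""
    findings = []
    for r in sorted(records, key=lambda x: x["CreationTime"]):
        base = {"time": r["CreationTime"], "user": r.get("UserId"), "ip": r.get("ClientIP")}
        op = r.get("Operation", "")
        if op == "Consent to application.":
            # Scopes appear space-separated inside the bracketed NewValue text.
            scopes = set(_modified(r, "ConsentAction.Permissions").replace("]", " ").split())
            findings.append({**base, "kind": "consent_grant", "app": _target_apps(r),
                             "admin_consent": _modified(r, "ConsentContext.IsAdminConsent") == "True",
                             "risky_scopes": sorted(RISKY_SCOPES & scopes)})
        elif op == "New-InboxRule":
            params = _params(r)
            flags = sorted(k for k in params if k in RULE_RED_FLAGS)
            # A rule named with punctuation only (".", "..") is a classic BEC tell.
            if flags or not params.get("Name", "").strip(" ."):
                findings.append({**base, "kind": "inbox_rule", "name": params.get("Name"), "flags": flags})
        elif op == "Add service principal credentials.":
            findings.append({**base, "kind": "sp_credential", "app": _target_apps(r)})
    return findings


def timeline_for(records, user):
    """Everything one principal did, in order: the 'full story' the UAL is meant to give."""
    return sorted((r["CreationTime"], r["Operation"], r.get("ClientIP"))
                  for r in records if r.get("UserId") == user)


def ips_by_user(records):
    """Pivot: source addresses per user, to spot one unfamiliar address behind several operations."""
    seen = defaultdict(set)
    for r in records:
        seen[r.get("UserId")].add(r.get("ClientIP"))
    return {u: sorted(ips) for u, ips in seen.items()}


if __name__ == "__main__":
    for f in hunt_ual(SAMPLE_UAL):
        print(f)
    print(timeline_for(SAMPLE_UAL, "alice@example.com"))
```

In practice you feed this the parsed `AuditData` column of a Search-UnifiedAuditLog export; a consent grant followed minutes later by a deletion rule from the same IP, as in the constructed Alice records, is the pattern to chase first.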
OneNote Yara rule
Given our reporting on OneNote over the last couple of weeks, here is a Yara rule from Florian to detect it.
Detects suspicious OneNote attachment that embeds suspicious payload, e.g. an executable (FPs possible if the PE is attached separately)
https://github.com/Neo23x0/signature-base/blob/master/yara/gen_onenote_phish.yar
Lockbit Green Indicators of Compromises (IOCs)
IoCs for the new variant which have been shared on social media.
https://github.com/prodaft/malware-ioc/blob/master/LockBit/green.md
Defence
How we proactively defend our environments.
OSC&R - Open Software Supply Chain Attack Reference
An open framework that provides a comprehensive, systematic and actionable way to understand attacker behaviors and techniques.
Preventing and Detecting BGP Route Leaks With the Help of RFC 9234
The Internet’s core backbone is edging closer to getting a little more resilient. As the Internet becomes more of a backbone between networks with different philosophical underpinnings initiatives such as this become ever more important.
Existing approaches to prevent route leaks rely on operators marking routes with no check that the configuration corresponds to that of the eBGP neighbor, or enforcement of the two eBGP speakers agreeing on their peering relationship.
RFC 9234 reduces this lack of coordination between neighboring autonomous systems (ASes) by adding a new configuration parameter (BGP Role) and check function (Only to Customer, OTC) to BGP OPEN messages, providing greater context and agreement as to the peering relationship on each eBGP session, and improving the prevention and detection of route leaks.
https://www.manrs.org/2023/01/preventing-and-detecting-bgp-route-leaks-with-the-help-of-rfc-9234/
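To make the mechanism concrete, here is a small simulation of the RFC 9234 role check and the OTC ingress/egress rules, added by me and not code from MANRS or any router vendor. The ASNs and prefix are documentation values and the topology (a customer with two providers) is constructed to show the classic leak being stopped at both ends.

```python
"""RFC 9234 BGP Role and Only-To-Customer (OTC) logic as a small simulation.
Added example; the topology and ASNs are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional

PROVIDER, CUSTOMER, PEER, RS, RS_CLIENT = "provider", "customer", "peer", "rs", "rs-client"
# The only role pairings a session may have (local -> remote); anything else is a Role Mismatch.
VALID_PAIRS = {PROVIDER: CUSTOMER, CUSTOMER: PROVIDER, PEER: PEER, RS: RS_CLIENT, RS_CLIENT: RS}
UPSTREAM = {PROVIDER, PEER, RS}            # neighbours an OTC-marked route must never go to
DOWNSTREAM = {CUSTOMER, PEER, RS_CLIENT}   # neighbours we attach OTC for on egress


@dataclass
class Route:
    prefix: str
    as_path: List[int] = field(default_factory=list)
    otc: Optional[int] = None   # OTC attribute: ASN that first sent the route "downwards", or None


def roles_compatible(local_role, remote_role):
    """Check done when both OPEN messages carry the Role capability."""
    return VALID_PAIRS.get(local_role) == remote_role


def ingress(route, remote_asn, remote_role):
    """RFC 9234 section 5 ingress policy. Returns (accepted route or None, reason)."""
    if route.otc is not None and remote_role in (CUSTOMER, RS_CLIENT):
        return None, "leak: OTC route received from a customer/rs-client"
    if route.otc is not None and remote_role == PEER and route.otc != remote_asn:
        return None, f"leak: OTC={route.otc} from peer AS{remote_asn} is not the peer's own ASN"
    accepted = Route(route.prefix, list(route.as_path), route.otc)
    if accepted.otc is None and remote_role in UPSTREAM:
        accepted.otc = remote_asn   # record that the route arrived from "above" us
    return accepted, "accepted"


def egress(route, local_asn, remote_role):
    """RFC 9234 section 5 egress policy; prepends the local ASN like a real advertisement."""
    if route.otc is not None and remote_role in UPSTREAM:
        return None, "suppressed: OTC route must not be sent to a provider/peer/rs"
    out = Route(route.prefix, [local_asn] + route.as_path, route.otc)
    if out.otc is None and remote_role in DOWNSTREAM:
        out.otc = local_asn
    return out, "advertised"


def simulate_leak():
    """AS64496 buys transit from AS64500 and AS64510; show OTC stopping the classic leak."""
    origin = Route("192.0.2.0/24")
    # AS64500 (provider) advertises to customer AS64496: OTC=64500 is attached on egress.
    to_cust, _ = egress(origin, 64500, CUSTOMER)
    # AS64496 accepts it from its provider; OTC is already present so nothing is added.
    at_cust, _ = ingress(to_cust, 64500, PROVIDER)
    # AS64496 tries to re-advertise to its other provider: an OTC-aware router suppresses it.
    to_other_provider, _ = egress(at_cust, 64496, PROVIDER)
    # A legacy AS64496 router would forward anyway; AS64510 then sees an OTC route from a customer.
    legacy_leak = Route(at_cust.prefix, [64496] + at_cust.as_path, at_cust.otc)
    leak_seen_by_provider, reason = ingress(legacy_leak, 64496, CUSTOMER)
    # Sending the same route on to AS64496's own customer AS64520 is legitimate.
    to_own_customer, _ = egress(at_cust, 64496, CUSTOMER)
    return {"customer_route": at_cust, "to_other_provider": to_other_provider,
            "leak_seen_by_provider": leak_seen_by_provider, "leak_reason": reason,
            "to_own_customer": to_own_customer}


if __name__ == "__main__":
    for k, v in simulate_leak().items():
        print(k, "->", v)
```

The point the simulation makes is that OTC works even when only one side of the leak has upgraded: the provider that receives an OTC-marked route from a customer drops it regardless of what the customer's router did.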
Silhouette: Keep it secret, keep it safe
Gabriel Landau and Mark Mager release a lovely little proof of concept here to mitigate against various attack scenarios on Windows.
Silhouette is a POC that mitigates the use of physical memory to dump credentials from LSASS. It does this in three ways:
Aggressively flush LSASS's pages from RAM to disk.
Block raw disk access within the boot volume, preventing raw copy attacks against pagefile.sys and hiberfil.sys (e.g. Invoke-NinjaCopy).
Block FILE_READ_DATA for pagefile.sys in all Volume Shadow Copy snapshots to block access with tools like hobocopy.
It is highly recommended to enable RunAsPPL before using Silhouette.
https://github.com/elastic/Silhouette
Protecting Against Malicious Use of Remote Monitoring and Management Software
Warning from the US Government on legitimate remote monitoring and management software being misused. Fun times for blue teams deducing whether it is a support rep or a malicious actor..
Using portable executables of RMM software provides a way for actors to establish local user access without the need for administrative privilege and full software installation—effectively bypassing common software controls and risk management assumptions.
https://www.cisa.gov/uscert/ncas/alerts/aa23-025a
Prevent phishing based on domain registrations
This detection assumes you have the intelligence in the first instance to identify the domain, so that you can then use Defender for Endpoint to block it.
As long as you know the domain name you want to block access to, Microsoft Defender for Endpoint combined with custom block indicators is the way to go.
https://cloudbrothers.info/en/prevent-phishing-based-domain-registrations/
Black Basta intrusion analysis
A detailed analysis end to end of an intrusion by a criminal actor. You will see that none of the tradecraft is novel and there were numerous detection opportunities along their journey which were not leveraged.
The Threat Actor began this attack by compromising a user account at a third-party vendor (TPV). Although little is known about the compromise on the TPV, access allowed for the use of an "info@" account. The use of such an account would have allowed the Threat Actor to pose as the compromised user without creating extra "junk" in the user's inbox which could raise suspicion. Following initial phishing emails, the threat actor continued to submit additional phishing emails to the client via similar account names from different domains. Both samples reached their victims shortly after noon on the 20th of September
The phishing emails contained what was later determined to be "Qakbot," a sophisticated trojan. Following the infection, these hosts began to beacon on out to over 100 IP's using various ports. The client’s Cisco “Advanced Malware Protection” (AMP) detected a connection with one of these IP's over TCP port 2222. Although this did trigger an alert in AMP.
https://quadrantsec.com/resource/technical-analysis/black-basta-malware-overview
Following the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware
Arie Olshtein details a packer used by organised crime to evade EDR solutions. The fact that such capabilities exist should come as no surprise. The intelligence challenge is often ascertaining that a) a particular one exists and b) its properties and commonalities, in order to track its usage. Arguably this is where data science could and should add value, given labeled training data.
Initially observed in July 2016, TrickGate is a shellcode-based packer offered as a service to hide malware from EDRs and antivirus programs.
Over the last 6 years, TrickGate was used to deploy the top members of the “Most Wanted Malware” list, such as Cerber, Trickbot, Maze, Emotet, REvil, Cobalt Strike, AZORult, Formbook, AgentTesla and more.
TrickGate managed to stay under the radar for years because it is transformative – it undergoes changes periodically. This characteristic caused the research community to identify it by numerous attributes and names.
While the packer’s wrapper changed over time, the main building blocks within TrickGate shellcode are still in use today.
Vulnerability
Our attack surface.
CVE-2023-24055 PoC (KeePass 2.5x)
Alt3kx outlines a functional proof of concept which abuses KeePass’s trigger system to export the decrypted passwords. There was much discussion on the subreddit as to whether this really posed a vulnerability, as it requires a threat actor to already be on the box and able to modify the configuration file in order to exploit it.
An attacker who has write access to the KeePass configuration file can modify it and inject malicious triggers, e.g to obtain the cleartext passwords by adding an export trigger
https://github.com/alt3kx/CVE-2023-24055_PoC
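The check I would actually want off the back of this is a quick audit of KeePass.config.xml for triggers that export or send the database anywhere. This is an added example of mine, not alt3kx’s PoC: the config fragment is constructed in the KeePass 2.x element layout, the Guid/TypeGuid values are placeholders rather than KeePass’s real identifiers, and the path/format heuristics are my assumptions.

```python
"""Audit a KeePass 2.x KeePass.config.xml for trigger-based export.
Added example; the config below is constructed and the GUIDs are placeholders."""
import os
import re
import xml.etree.ElementTree as ET

# Constructed fragment following the Configuration/Application/TriggerSystem/Triggers/Trigger
# /Actions/Action/Parameters layout; one trigger exports the database to a share on open.
SAMPLE_KEEPASS_CONFIG = """<Configuration>
  <Application>
    <TriggerSystem>
      <Enabled>true</Enabled>
      <Triggers>
        <Trigger>
          <Guid>PLACEHOLDER-TRIGGER-GUID</Guid>
          <Name>Sync</Name>
          <Enabled>true</Enabled>
          <Events>
            <Event>
              <TypeGuid>PLACEHOLDER-EVENT-OPENED-DATABASE</TypeGuid>
              <Parameters><Parameter>0</Parameter><Parameter /></Parameters>
            </Event>
          </Events>
          <Conditions />
          <Actions>
            <Action>
              <TypeGuid>PLACEHOLDER-ACTION-EXPORT-ACTIVE-DATABASE</TypeGuid>
              <Parameters>
                <Parameter>\\\\fileshare.example\\public\\backup.xml</Parameter>
                <Parameter>KeePass XML (2.x)</Parameter>
                <Parameter />
                <Parameter />
              </Parameters>
            </Action>
          </Actions>
        </Trigger>
      </Triggers>
    </TriggerSystem>
  </Application>
</Configuration>
"""

# UNC paths, drive-letter paths and URLs in an action parameter mean the trigger writes or talks somewhere.
PATH_OR_URL = re.compile(r"\\\\\S+|[A-Za-z]:\\|https?://|ftp://", re.I)
# Export formats that produce cleartext credentials.
PLAINTEXT_FORMATS = ("keepass xml", "csv", "html")


def audit_keepass_triggers(xml_text):
    """Return the trigger-system state and every trigger with its actions and suspicious parameters."""
    root = ET.fromstring(xml_text)
    report = {"trigger_system_enabled": False, "triggers": []}
    ts = root.find("./Application/TriggerSystem")
    if ts is None:
        return report
    report["trigger_system_enabled"] = ts.findtext("Enabled", "true").strip().lower() == "true"
    for trig in ts.iterfind("./Triggers/Trigger"):
        entry = {"name": trig.findtext("Name", ""),
                 "enabled": trig.findtext("Enabled", "true").strip().lower() == "true",
                 "actions": [], "suspicious": []}
        for action in trig.iterfind("./Actions/Action"):
            params = [(p.text or "").strip() for p in action.iterfind("./Parameters/Parameter")]
            entry["actions"].append({"type_guid": action.findtext("TypeGuid", ""), "parameters": params})
            for p in params:
                if PATH_OR_URL.search(p):
                    entry["suspicious"].append("writes to or contacts " + p)
                if any(fmt in p.lower() for fmt in PLAINTEXT_FORMATS):
                    entry["suspicious"].append("plaintext export format '" + p + "'")
        report["triggers"].append(entry)
    return report


def config_writable_by_user(path):
    """The precondition for this PoC: the current (unprivileged) user can modify the config."""
    return os.path.exists(path) and os.access(path, os.W_OK)


if __name__ == "__main__":
    rep = audit_keepass_triggers(SAMPLE_KEEPASS_CONFIG)
    print("trigger system enabled:", rep["trigger_system_enabled"])
    for t in rep["triggers"]:
        print(t["name"], "enabled" if t["enabled"] else "disabled", t["suspicious"])
```

Any trigger at all in an enterprise estate deserves a look, since most users never create one. KeePass also supports an enforced configuration file (KeePass.config.enforced.xml beside the executable) whose settings override the per-user config; disabling the trigger system there closes this export path without relying on the user config being unwritable.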
Offense
Attack capability, techniques and trade-craft.
Create an unsigned MSIX package for testing
When is a feature a back door?
As of Windows 11, you can install your app via PowerShell without needing to sign your package. This feature is intended to make it easier for you to quickly test your app. Don't use this feature to distribute your app widely.
…
An unsigned package must include a special OID (organization ID) value in its Identity element in the manifest file, otherwise it won't be allowed to register.
https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package
Proxying DLL Loads For Hiding ETWTI Stack Tracing and Indirect Syscall is Dead! Long Live Custom Call Stacks
Chetan Nayak brings a two-part series on how to evade stack tracing detections that rely on ETW Threat Intelligence (ETWTI) telemetry.
This blog provides a high level overview on stack tracing, how EDR/AVs use it for detections, the usage of ETWTI telemetry and what can be done to evade it.
https://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/
Reversing several ntdll.dll functions [I] found that, with a little bit of assembly knowledge and an understanding of how Windows callbacks work, we should be able to manipulate the callback into calling any NTAPI function.
… we will take an example of NtAllocateVirtualMemory …
We will take an example of the same API, TpAllocWork, which can execute a callback function. But instead of passing on a pointer to a string like we did in the case of DLL Proxying, we will pass on a pointer to a structure this time. We will also avoid any global variables this time by making sure all the necessary information goes within the struct, as we cannot have global variables when we write our shellcodes.
https://0xdarkvortex.dev/hiding-in-plainsight/
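To make the detection side concrete: the check an EDR runs over an ETW-TI stack is, at its simplest, "does any return address fall outside a loaded image?". The following is an added example for this write-up, not code from the 0xdarkvortex posts. Every number in it is constructed: module bases and sizes, the shellcode region and the three stacks are illustrative, not a dump of a real process. It shows why a direct syscall and an indirect syscall both fail that check, while a call proxied through a thread-pool worker passes it.

```python
"""Model of the stack-tracing check an EDR can run on an ETW-TI event, and why a
call proxied through a thread-pool worker passes it.

Added example; not code from the posts. All addresses are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# Constructed module list.
NTDLL = Module("ntdll.dll", 0x7FFB_2A00_0000, 0x1F_0000)
KERNEL32 = Module("kernel32.dll", 0x7FFB_2800_0000, 0x0C_0000)
KERNELBASE = Module("kernelbase.dll", 0x7FFB_2600_0000, 0x30_0000)
APP = Module("app.exe", 0x7FF6_0000_0000, 0x04_0000)
MODULES = [NTDLL, KERNEL32, KERNELBASE, APP]

# Constructed RWX region holding the shellcode: backed by no image on disk.
SHELLCODE = 0x0000_01F0_0000_0000


def resolve(addr: int, modules: List[Module]) -> Optional[str]:
    """Name of the image backing addr, or None for unbacked memory."""
    for m in modules:
        if m.contains(addr):
            return m.name
    return None


def unbacked_frames(stack: List[int], modules: List[Module]) -> List[int]:
    """Return addresses in the walked stack that no loaded image accounts for."""
    return [addr for addr in stack if resolve(addr, modules) is None]


def is_suspicious(stack: List[int], modules: List[Module]) -> bool:
    """The check modelled here: any frame outside a loaded image is a hit."""
    return bool(unbacked_frames(stack, modules))


# Return addresses as a stack walk at NtAllocateVirtualMemory would record them,
# innermost frame first (constructed offsets; the comments name the intended frame).
DIRECT_SYSCALL = [                 # syscall instruction inlined in the shellcode
    SHELLCODE + 0x40,
    SHELLCODE + 0x120,
    NTDLL.base + 0x52_650,         # RtlUserThreadStart
]
INDIRECT_SYSCALL = [               # jump to the syscall;ret inside ntdll's Nt stub
    NTDLL.base + 0x9_D3A4,         # NtAllocateVirtualMemory+0x14
    SHELLCODE + 0x120,             # but the caller is still the shellcode
    NTDLL.base + 0x52_650,         # RtlUserThreadStart
]
PROXIED_VIA_TPALLOCWORK = [        # worker thread runs the NTAPI as its callback
    NTDLL.base + 0x9_D3A4,         # NtAllocateVirtualMemory+0x14
    NTDLL.base + 0x3_1C20,         # TppWorkpExecuteCallback
    NTDLL.base + 0x3_4F10,         # TppWorkerThread
    KERNEL32.base + 0x1_7340,      # BaseThreadInitThunk
    NTDLL.base + 0x52_650,         # RtlUserThreadStart
]


def describe(stack: List[int], modules: List[Module]) -> List[str]:
    return [f"{addr:#x} {resolve(addr, modules) or '<unbacked>'}" for addr in stack]


if __name__ == "__main__":
    for label, stack in [("direct syscall", DIRECT_SYSCALL),
                         ("indirect syscall", INDIRECT_SYSCALL),
                         ("proxied via TpAllocWork", PROXIED_VIA_TPALLOCWORK)]:
        verdict = "SUSPICIOUS" if is_suspicious(stack, MODULES) else "passes"
        print(f"{label}: {verdict}")
        for line in describe(stack, MODULES):
            print("   ", line)
```

The proxied stack is entirely image-backed, so the unbacked-frame check alone gives no signal; anything a defender adds on top (what the thread-pool callback target is, where the allocation ends up, what the new region's protections are) has to come from other telemetry.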
hackEmbedded: This tool is used for backdoor and shellcode generation for various architecture devices
Some readers may want to write signatures or hunt for this capability given its Chinese origin.
Generate backdoor programs for various architectures. The backdoor program is packaged as shell-less pure shellcode and is small, a pure static backdoor. Armv5, Armv7, Armv8, mipsel, mips, mips64, mipsel64, powerpc, powerpc64, sparc and sparc64 are now supported, and they are still being updated (PS: bash support is added to the reverse shell after version 0.3.1). If the backdoor of the reverse shell is generated with the - power parameter, the reverse shell will continue to be generated on the target machine.
Generate reverse_shell shellcode for various architectures during the exploit process, with no null bytes, which facilitates the exploitation of memory corruption vulnerabilities on embedded devices. Armv5, Armv7, Armv8, mipsel, mips, mips64, mipsel64, powerpc, powerpc64 and sparc are now supported, and they are still being updated.
Generate bind_Shell files for various architectures.
Supports command-line generation of backdoors and shellcode; strong anti-hunting ability, characterised by being light, small, efficient and fast.
https://github.com/doudoudedi/hackEmbedded
Various ways to execute shellcode
About 70 ways on Windows to execute shellcode via various callbacks etc.
https://github.com/Wra7h/FlavorTown/
Exploitation
What is being exploited.
Tooling and Techniques
Low level tooling for attack and defence researchers.
Scripts introduced in JSAC2023 presentation on analysis of Go language malware
Tsubasa Kuwabara released these to help with Go specific malware analysis.
This Ghidra script deobfuscates strings of Go malware with gobfuscate like ChaChi and Blackrota. The script is provided as a part of GolangAnalyzerExtension plugin, so it can be run from Ghidra's Script Manager once this plugin is installed. Please note that it will not work without this plugin.
https://github.com/FFRI/JSAC2023-GolangMalwareAnalysis
unblob: Extract files from any kind of container formats
Many container formats exist, and having this tooling in an analysis pipeline can greatly accelerate getting to the artifacts inside them.
unblob is an accurate, fast, and easy-to-use extraction suite. It parses unknown binary blobs for more than 30 different archive, compression, and file-system formats, extracts their content recursively, and carves out unknown chunks that have not been accounted for.
https://github.com/onekey-sec/unblob
debloat: A GUI tool for removing bloat from executables
One technique used by some threat actors is to create massive binaries so that EDR and similar products skip scanning them: EDRs have to make performance trade-offs, and a file-size cap on what gets scanned or detonated is a common one. Another great example of this is covered in the blog Preventing memory inspection on Windows.
Anyway, this tool by Squiblydoo will help with the less sophisticated end of this tradecraft.
By excess garbage, I mean 300 - 800MB of junk bytes added to a binary to keep it from going into a sandbox.
Being built with Python, the code and logic is easily accessible for others to take the concepts and apply the concepts to their own tools. The program can be compiled for Windows, MacOS, Linux. The GUI removes any need for remembering commandline options and reading through CLI manuals: it is intended to be as simple as possible. The logic within the program handles the different use cases automatically.
https://github.com/Squiblydoo/debloat
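The simplest form of this padding is junk appended after the last section, the "overlay", and measuring it needs nothing beyond the PE headers. The following is an added example for this write-up, not debloat's code, and covers only that case: it reads the section table, finds where the last section's raw data ends, treats everything past that as overlay, and keeps an Authenticode certificate table if one lives there (stripping it would also break the signature). Bloat placed inside a section, an oversized .rsrc for instance, needs a different approach. The sample PE it builds is constructed for the demo and is not loadable.

```python
"""Measure and strip appended junk (the overlay) from a PE file.

Added example; not debloat's code. Handles bytes appended after the last section
and preserves a certificate table sitting in the overlay. The sample PE built
below is constructed for the demo and is not a loadable image.
"""
import struct

SECTION_HEADER_SIZE = 40
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def parse_layout(pe: bytes) -> dict:
    """Locate the end of section data and any certificate table past it."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    headers_end = struct.unpack_from("<I", pe, opt + 60)[0]          # SizeOfHeaders
    # Data directories start at +112 (PE32+) or +96 (PE32); NumberOfRvaAndSizes precedes them.
    dirs = opt + (112 if magic == 0x20B else 96)
    ndirs = struct.unpack_from("<I", pe, dirs - 4)[0]
    cert_off = cert_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        # For the security directory the first field is a file offset, not an RVA.
        cert_off, cert_size = struct.unpack_from(
            "<II", pe, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections_end = headers_end
    table = opt + opt_size
    for i in range(nsections):
        raw_size, raw_ptr = struct.unpack_from(
            "<II", pe, table + i * SECTION_HEADER_SIZE + 16)          # SizeOfRawData, PointerToRawData
        if raw_size:
            sections_end = max(sections_end, raw_ptr + raw_size)
    cert_in_overlay = cert_size > 0 and cert_off >= sections_end
    keep_end = min(len(pe), cert_off + cert_size if cert_in_overlay else sections_end)
    return {
        "file_size": len(pe),
        "sections_end": sections_end,
        "overlay_size": max(0, len(pe) - sections_end),
        "cert_in_overlay": cert_in_overlay,
        "keep_end": keep_end,
        "removable": max(0, len(pe) - keep_end),
    }


def debloat(pe: bytes) -> bytes:
    """Return the file with everything past the sections (and certificate) removed."""
    return pe[:parse_layout(pe)["keep_end"]]


def build_sample_pe(overlay: bytes = b"", cert: bytes = b"") -> bytes:
    """Constructed minimal PE32+ with one .text section; not loadable."""
    e_lfanew, opt_size, headers_end = 0x40, 240, 0x200
    raw_ptr = raw_size = 0x200
    hdr = bytearray(headers_end)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HH", hdr, e_lfanew + 4, 0x8664, 1)            # Machine, NumberOfSections
    struct.pack_into("<H", hdr, e_lfanew + 20, opt_size)              # SizeOfOptionalHeader
    opt = e_lfanew + 24
    struct.pack_into("<H", hdr, opt, 0x20B)                           # PE32+ magic
    struct.pack_into("<I", hdr, opt + 60, headers_end)                # SizeOfHeaders
    struct.pack_into("<I", hdr, opt + 108, 16)                        # NumberOfRvaAndSizes
    if cert:                                                          # cert table follows the section data
        struct.pack_into("<II", hdr, opt + 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         headers_end + raw_size, len(cert))
    struct.pack_into("<8sIIII", hdr, opt + opt_size, b".text", 0x100, 0x1000, raw_size, raw_ptr)
    return bytes(hdr) + b"\x90" * raw_size + cert + overlay


if __name__ == "__main__":
    bloated = build_sample_pe(overlay=b"\x00" * 4096, cert=b"\xAA" * 64)
    layout = parse_layout(bloated)
    print(layout)
    print("after debloat:", len(debloat(bloated)), "bytes")
```

On a real sample, hash the debloated output before detonation and keep the original: the padding itself is sometimes the only thing a signature has to go on.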
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
2022 in Review from the Center for Strategic & International Studies - Jim Lewis and Chris Painter review the evolution of cyber in 2022. In 30 minutes, they cover the year's cyber developments as well as upcoming cyber initiatives and priorities.
American Cryptology during World War I - a new book from the NSA and Betsy Rohaly Smoot.
U.S. Outbound Investment into Chinese AI Companies - The authors identify the main U.S. investors active in the Chinese artificial intelligence market and the set of AI companies in China that have benefitted from U.S. capital. They also recommend next steps for U.S. policymakers to better address the concerns over capital flowing into the Chinese AI ecosystem.
United States and India Elevate Strategic Partnership with the initiative on Critical and Emerging Technology (iCET) - no explicit mention of cyber.
CFP European Cybersecurity Seminar 2023-2024 call for papers
Cyberspace and Instability - Feb 23rd by The Hague Program of International Cyber Security - It critically examines both 'classic' notions associated with stability - for example, whether cyber operations can lead to unwanted escalation - as well as topics that have so far not been addressed in the existing cyber literature, such as the application of a decolonial lens to investigate Euro-American conceptualisations of stability in cyberspace.
2023 Cyber Stability Conference - Use of ICTs by States: Rights and Responsibilities under the UN Charter - March 3rd by the United Nations Institute for Disarmament Research (UNIDIR)
The risks and challenges of neurotechnologies for human rights from UNESCO
Finally, Max Smeets interviews Yuliana Shemetovets on Collective Resistance in the Digital Domain from the Belarusian Cyber Partisans.
This newsletter is produced by BinaryFirefly, it is via BinaryFirefly I support a hand picked set of organisations across investment, strategy and capability in the domain of cyber.