

Bluepurple Pulse: week ending February 12th
Forced technical security debt repayment at scale becomes a thing again..
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week Microsoft OneNote files are being flung around with some exuberance by a variety of actors due to the lack of mark-of-the-web. Then we had an offensive how-to guide released on how to build them. We also had a forced technical debt paydown event via the mass exploitation of vulnerable VMware ESXi hosts (or use of latent compromises of them) globally by a ransomware group. As I mentioned, James and I wrote a paper on this scenario (and others) in Software Security Austerity - Software security debt in modern software development in 2012 - financial metaphors were harmed in its production.
In the high-level this week:
Top White House cyber official set to retire next week - Chris Inglis will be missed. I would give odds-on for betting who the replacement might be, but let's see..
Record-breaking 2022 for North Korea crypto theft, U.N. Security Council committee - we touched on this last week with the $1 billion number - now Reuters reporting: 'The sanctions monitors said South Korea estimated that North Korean-linked hackers stole virtual assets worth $630 million in 2022, while a cybersecurity firm assessed that North Korean cybercrime yielded cybercurrencies worth more than $1 billion.'
New York Attorney General forces commercial spyware vendor to disclose infections - 'the Spyware Product(s) will notify the Target Device Holder and/or Target Account Holder that (a) the Spyware Products have been installed on their Mobile Device and/or connected to their Target Accounts' as settlement, and more.
Koepelnotitie crisiscommunicatie digitaal domein - from the Netherlands Government - In this revised version of the umbrella memorandum on crisis communication in the digital domain, we help communication professionals prepare for crisis communication
Cyberspace and Instability - Reconceptualises instability in relation to cyberspace - by Robert Chesney, James Shires, Max Smeets - This volume is a thorough investigation of instability within cyberspace and of cyberspace itself. Its purpose is to reconceptualise stability and instability for cyberspace, highlight their various dimensions and thereby identify relevant policy measures.
The UK Government published Review of the Computer Misuse Act 1990: consultation and response to call for information - this is inching along but doesn’t provide the safe harbor that security researchers / cyber threat intelligence professionals sought - but we live in hope.
Joint AUKMIN Statement - Recognising that cyber security underpins our national security and economic growth and ensures our resilience and that of our international partners, Ministers committed to continuing cooperation on cyber and critical technology, collaboration on cyber deterrence, shaping the rules of cyberspace and joint cyber capacity building projects in the Indo-Pacific.
The Urgency Of International Regulation Regarding Cyber Attack With An Indication Of Aggression Crime In ASEAN - some academic work out of Indonesia and published in the Russian Law Journal.
Active Cyber Insurance: a year in review - predictably if you have a capable insurer who is carrying some of your cyber risk and then forces you to address issues they identify in your infrastructure to maintain cover you’ll end up in a better spot.
Related: Focus grows on fronting carrier tail risk for systemic cyber events (behind paywall), but Ari Chatterjee provided this estimate of the potential scale: 'Cyber front writes a $100m premium. Assuming a 1% rate (which is optimistic) the total limit pledged is around $10bn. The reinsurers would cover for any losses within the first 400m after which it falls back on the fronting insurer. Hence there is a gap of $9.6bn of limits which is essentially backed by balance sheets with $150-$200m of capital in most cases.'
1st EEAS Report on Foreign Information Manipulation and Interference Threats Towards a framework for networked defence - from the European Union
Joan Donovan's misinformation project at Harvard will close in 2024 - Harvard is shutting down project that studied social media misinformation
Google Cuts Company Protecting People From Surveillance To A ‘Skeleton Crew,’ Say Laid Off Workers - Jigsaw, which produces tools to protect people from surveillance and other threats, saw its staff slashed by at least a third amidst concerns its altruistic work is being shelved in favor of more profitable endeavors for Google - Its workforce of 50 has now been reduced by at least 20, according to the sources.
Practising digital osmosis: India’s role in the global splinternet - By emphasising India’s domestic capacity-building priorities and the emerging norms regarding a global internet, we argue that India is navigating towards a model of “Digital Osmosis”. India attempts to absorb the main tenets of both the capitalist-liberal internet as well as the centralised-restricted internet vision and continues to build foundations for a largely government-monitored internet which blends well with a majority of the open internet’s glocalised goods and services proliferation.
The UK has opened a Call for views on software resilience and security for businesses and organisations - and where government should seek to mitigate them - get your thinking caps on.
Acting responsibly in cyberspace - just out - From 14th-16th November 2022, Wilton Park hosted a dialogue on behalf of the United Kingdom’s Foreign, Commonwealth and Development Office entitled Acting Responsibly in Cyberspace. The dialogue included representatives from States, non-governmental organisations, industry, and academia and its objective was to analyse what constitutes the responsible, democratic exercise of (State) cyber power. This report provides a summary of the dialogue’s main sessions and complements a separate report that offers an overview of the core themes raised during the dialogue. The dialogue was conducted under the Wilton Park Protocol.
Tech standard setting cannot be left to companies or lone nations - Opinion piece in Nikkei Asia by Justin Bassi, executive director of the Australian Strategic Policy Institute and Bec Shrimpton Director of The Sydney Dialogue, the institute's annual technology policy summit. You can just feel the signaling..
Shaping In Strategic Competition: How To Win Friends And Influence People With Military Power - Podcast from the Modern War Institute at West Point - Episode 5, Season 1 of the Social Science of War podcast examines the role of military power, and the Army specifically, in shaping a favorable security environment in the context of great power competition - includes Major Kyle Wolfley a US Army strategist at US Army Cyber Command and recent assistant professor in the Department of Social Sciences at West Point.
Reflections this week come from an episode of BBC Radio 4’s Sideways, listened to yesterday on the way back from work, called Past Your Peak.
In this episode of Sideways, Matthew Syed ventures into the world of child prodigies. Often depicted as freakish talents with pushy parents, Matthew uncovers the falsehoods and fascinations associated with young brilliant minds.
Charting John Nunn’s career, from maths lecturer to chess grandmaster, Matthew explores how our performance peaks, plateaus and declines and whether age and innovation are really inextricably linked.
In short, it gives all of us who didn’t have a breakthrough before we were 30 hope, and shows that grinding out a result through our careers is indeed how some innovations / breakthroughs are achieved.
Finally on the interesting job front:
Ubisoft hiring a Game Intelligence Analyst in Cary, North Carolina, United States
Head of Cyber Operations at BAE in the UK
His Majesty’s Treasury is hiring Head of Central Bank Digital Currency in the UK
Have a lovely Thursday
Ollie
Cyber threat intelligence
Who is doing what to whom and how.
Russia / Ukraine
UAC-0050 cyber attack against Ukrainian state bodies using the Remcos remote control and surveillance program
Reporting from the Ukrainian government; I would love some data on how effective this technique actually is in practice at gaining access, i.e. across the multiple steps.
Mass distribution of e-mails, allegedly from JSC "Ukrtelecom", with the subject "Court claim against your personal account # 7192206443063763 dated: 06.02.2023" and an attachment in the form of a RAR archive "court letter, information on debt.rar".
The archive contains a text document "Your personal access code -254507.txt" and another RAR-archive "court letter, information on debt. pdf.rar", protected by a password. In the second archive there is an executable file "court letter, information on debt.pdf.exe", the size of which is more than 600MB.
https://cert.gov.ua/article/3804703
Graphiron: New Russian Information Stealing Malware Deployed Against Ukraine
Further reporting on Russian tooling evolution. Nothing overly novel and it is clear that the quick reinvestment cycles being forced on Russia are in part leading to minimum viable products with overlaps to existing tooling.
The Nodaria espionage group (aka UAC-0056) is using a new piece of information stealing malware against targets in Ukraine. The malware (Infostealer.Graphiron) is written in Go and is designed to harvest a wide range of information from the infected computer, including system information, credentials, screenshots, and files.
The earliest evidence of Graphiron dates from October 2022. It continued to be used until at least mid-January 2023 and it is reasonable to assume that it remains part of the Nodaria toolkit.
Graphiron uses AES encryption with hardcoded keys. It creates temporary files with the ".lock" and ".trash" extensions. It uses hardcoded file names designed to masquerade as Microsoft office executables: OfficeTemplate.exe and MicrosoftOfficeDashboard.exe
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nodaria-ukraine-infostealer
From Mail with Malicious Documents to Fake Websites. Group Attacking Public Institutions of Ukraine and Poland Changes Tactics
Reporting on Russian use of phishing more widely, with techniques similar to those used back in June 2022. I had a quick look and found a sample with Aperitivchick\Release\ and PDB timestamps back in 05/25/2021, and the samples appearing in June 2022.
UAC-0114 (known as WinterVivern) is a group of unidentified individuals (probably including Russian-speaking members) whose activities target European government institutions and organizations.
A recent campaign targeted Ukrainian and Polish government organizations using fake websites posing as legitimate websites of the Ministry of Foreign Affairs of Ukraine and the Polish Central Cybercrime Bureau.
The tactics, techniques and procedures used by attackers are quite well known: they use email subjects related to malware scanning to gain initial access. Analysis of the activity of recent campaigns confirms that the phishing technique remains the main attack vector. However, a phishing link is now being used instead of Microsoft Excel documents with malicious XLM macros used in previous campaigns attributed to the group. The link leads to a fake website page that hosts malware.
https://scpc.gov.ua/article/231
Malvertising
Increased reporting around this is likely in part driven by focus and a self-feeding loop of doom, i.e. intelligence reporting on successes → criminals take notice and do more → more intelligence reporting → GOTO 10
SteelClover Attacks Distributing Malware Via Google Ads Increased
Japanese reporting on the malicious use of Google Ads to deliver various loaders and exploit kits.
Since the beginning of January 2023, there has been a sharp increase in incidents of malware downloads via Google Ads at multiple Japanese companies. There are a number of attack campaigns that have been observed, such as those distributing IcedID and Aurora Stealer, but more often by a group we call SteelClover.
MalVirt | .NET Virtualization Thrives in Malvertising Attacks
Aleksandar Milenkoski provides reporting on a further, separate malvertising campaign. It does really feel that advertising networks across the globe are going to have to respond given the apparent increasing volume.
[We] observed a cluster of virtualized .NET malware loaders distributed through malvertising attacks.
The loaders, dubbed MalVirt, use obfuscated virtualization for anti-analysis and evasion along with the Windows Process Explorer driver for terminating processes.
MalVirt loaders are currently distributing malware of the Formbook family as part of an ongoing campaign.
To disguise real C2 traffic and evade network detections, the malware beacons to random decoy C2 servers hosted at different hosting providers, including Azure, Tucows, Choopa, and Namecheap.
We first spotted a MalVirt sample when performing a routine Google search for “Blender 3D” and examining the Ad results.
https://www.sentinelone.com/labs/malvirt-net-virtualization-thrives-in-malvertising-attacks/
Earth Zhulong Familiar Patterns Target Vietnam
Ted Lee published this report yesterday and it has since been pulled for unknown reasons, as such health warnings apply.
In 2022, we discovered a hacking group that has been targeting telecom, technology, and media sectors in Vietnam since 2020. We track this particular group as Earth Zhulong. We believe that Earth Zhulong is likely related to the Chinese-linked hacking group 1937CN based on similar code in the custom shellcode loader and victimology
Back in 2020, through the command and control (C&C) domain observed in our investigation, we found a lure document with a malicious macro. Once the victim opens the document, the embedded macro will be executed, injecting the shellcode into rundll32.exe. We have identified the embedded shellcode as a Cobalt Strike shellcode which will be used to build connection to a remote hacking machine. We believe this lure document is one of the approaches used by the threat actors to compromise their targets.
Summarizing the information collected from 2020 to 2022, we find that Earth Zhulong is likely to be related to a notorious hacking group in Vietnam, “1937CN” based on the code similarity and victimology aspects. In this section, we will introduce the process of attribution.
https://www.trendmicro.com/en_us/research/23/b/earth-zhulong-familiar-patterns-target-vietnam.html
A cached copy is available on Google
Mustang Panda APT Group Uses European Commission-Themed Lure to Deliver PlugX Malware
Reporting on Chinese use of LNK and ISO files via e-mail to support initial access against the EU. The tradecraft is sufficiently rudimentary that one hopes, indeed expects, it wouldn’t work in 2022.
Since at least 2019, the Mustang Panda threat actor group has targeted government and public sector organizations across Asia and Europe [3] with long-term cyberespionage campaigns in line with strategic interests of the Chinese government.
In November 2022, Mustang Panda shifted from using archive files to using malicious optical disc image (ISO) files containing a shortcut (LNK) file to deliver the modified version of PlugX malware. This switch increases the evasion against anti-malware solutions.
The Mustang Panda APT group loads the PlugX malware in the memory of legitimate software by employing a four-stage infection chain which leverages malicious shortcut (LNK) files, triggering execution via dynamic-link library (DLL) search-order-hijacking.
Iran responsible for Charlie Hebdo attacks
Clint Watts does this attribution, blending hacking and amplification.
[We are] attributing a recent influence operation targeting the satirical French magazine Charlie Hebdo to an Iranian nation-state actor. [We] call this actor NEPTUNIUM, which has also been identified by the U.S. Department of Justice as Emennet Pasargad.
Holy Souls advertised the cache of data for sale for 20 BTC (equal to roughly $340,000 at the time). The release of the full cache of stolen data – assuming the hackers actually have the data they claim to possess – would essentially constitute the mass doxing of the readership of a publication that has already been subject to extremist threats (2020) and deadly terror attacks (2015).
After Holy Souls posted the sample data on YouTube and multiple hacker forums, the leak was amplified by a concerted operation across several social media platforms. This amplification effort made use of a particular set of influence tactics, techniques and procedures (TTPs) DTAC has witnessed before in Iranian hack-and-leak influence operations.
https://blogs.microsoft.com/on-the-issues/2023/02/03/dtac-charlie-hebdo-hack-iran-neptunium/
Screentime: Sometimes It Feels Like Somebody's Watching Me
Axel F (I’m sure they are very tired of this song) - initial access is achieved through rudimentary means: e-mail and Microsoft Publisher files.
[We] began tracking a new threat actor, TA866.
[Our] researchers first observed campaigns in October 2022 and activity has continued into 2023.
The activity appears to be financially motivated, largely targeting organizations in the United States and Germany.
With its custom toolset including WasabiSeed and Screenshotter, TA866 analyzes victim activity via screenshots before installing a bot and stealer.
Initial threat types via email: Proofpoint has observed the following examples of malicious email campaigns. The tools used by the threat actor in the delivery stage (Traffic Distribution System (TDS), attachments, etc.) are not necessarily unique and could have been purchased from other actors:
Publisher (.pub) attachments with macros
URLs linking (via 404 TDS) to Publisher files with macros
URLs linking (via 404 TDS) to JavaScript files
PDFs with URLs linking (via 404 TDS) to JavaScript files
DoNot Team (APT-C-35) Analysis of Latest Campaign
Two bits of reporting here on this actor.
Disclosure of APT-C-35's recent attack activities
Chinese reporting on a South Asian threat actor who continues the ever-tiresome theme of malicious email attachments.
In this round of attacks, the organization still uses macro documents as the malicious carrier: the document releases and executes the malicious payload from itself, loads the remote-control module through layer-by-layer downloading, and carries out the theft operation; the malicious code throughout the process carries digital signature information.
During this round of attacks, the APT-C-35 (Brainworm) organization used a large number of malicious PPT and XLS documents as carriers to carry out attacks. The following takes a malicious XLS sample as an example, and the sample information is as follows.
DoNot Team (APT-C-35) Analysis of Latest Campaign
This vendor has decided to release their report as a selection of images so you can’t copy and paste anything out. That aside, this reports on the same actor who
The campaign targeted Pakistan’s defense sector and used Excel documents as a means of delivery.
The attackers used social engineering tactics, such as phishing, to trick victims into downloading and opening the malicious Excel files. The Excel files contained macros that when activated, would download and install the APT-C-35 malware on the victim’s device.
https://threatmon.io/donot-team-apt-c-35-analysis-of-latest-campaing/
The Blind Eagle’s New Weapon – Phishing Attacks Against Ecuador
Chinese reporting on potential mercenary activity in Ecuador.
In a recent Blind Eagle campaign targeting Ecuadorian groups, researchers detected a new infection chain involving a more advanced toolset. Unlike the group's usual methods, the backdoor chosen for this attack is often used for espionage.
In the past few months, most of the activities planned by Blind Eagle followed the following tactics - phishing emails suspected to come from the Colombian government. A prime example is an email purportedly from the Foreign Office threatening the recipient not to leave the country until a series of .
Such phishing emails usually contain malicious documents or malicious links, but in this case Blind Eagle included both a link and a simple PDF attachment, both of which tricked victims into visiting the same malicious link.
No Macro? No Worries. VSTO Being Weaponized by Threat Actors
Shaul Vilkomir-Preisman discusses a technique which I’ve seen some commercial Red Teams use and gives a stark warning around expected further use.
A software development toolset, VSTO is available in Microsoft’s Visual Studio IDE. It enables Office Add-Ins (a type of Office application extension) to be developed in .NET and also allows for Office documents to be created that will deliver and execute these Add-Ins.
Additionally, VSTO Add-Ins can be associated with the specific Office application they were developed for (Word, Excel, etc.) and will execute every time that application is booted, offering up an interesting persistence option on top of the code-execution ability.
VSTO Add-Ins can be packaged alongside Office documents (Local VSTO), or, alternatively, fetched from a remote location when a VSTO-bearing Office document is opened (Remote VSTO). This, however, may require bypass of trust-related security mechanisms.
https://www.deepinstinct.com/blog/no-macro-no-worries-vsto-being-weaponized-by-threat-actors
APT Maha Herb Sample Analysis
Mahacao (also known as Hangover, Patchwork, White Elephant, etc.) features in this Chinese reporting, using Microsoft Office files and exploits for vulnerabilities from 2017.
The first-order sample is an RTF format file. After running, the ShellCode is executed by using the CVE-2017-11882 vulnerability, and the second-order sample ("McVsoCfg.dll", "mcods.exe") is released through the ShellCode and written into the startup item.
Cl0p Ransomware Targets Linux Systems with Flawed Encryption
Antonis Terefos does wholesome work here by undertaking a detailed analysis to discover a cryptographic break.
[We have] observed the first Linux variant of Cl0p ransomware.
The ELF executable contains a flawed encryption algorithm making it possible to decrypt locked files without paying the ransom.
[We have] published a free decryptor for this variant
We observed the first ELF variant of Cl0p (also known as Clop) ransomware variant targeting Linux systems on the 26th of December 2022. The new variant is similar to the Windows variant, using the same encryption method and similar process logic.
The mentioned sample appears to be part of a bigger attack that possibly occurred around the 24th of December against a University in Colombia. On the 5th of January the cybercrime group leaked victim’s data on their onion page. The Linux variant contains a hardcoded RC4 “master-key” which, during the execution of the main function, is copied into the global variable szKeyKey.
Vector Stealer: A Gateway for RDP Hijacking
Criminals targeting a very specific type of file here which may allow remote access. Focusing on mass access of RDP files from unexpected processes (i.e. not Explorer etc.) across your estate in telemetry seems like a good idea to spot this. Initial access is run of the mill.
[We] spotted a malware named ‘Vector Stealer’, capable of stealing .rdp files. Stealing RDP files can enable TAs (Threat Actors) to perform RDP hijacking as these files contain details about the RDP session, including information needed for remote access.
VectorStealer surfaced in cybercrime forums in the second half of 2022. The Threat Actor (TA) behind this stealer mainly operates through a web panel and a Telegram channel.
CRIL found a phishing email that was spreading vector stealer. This phishing email is themed around spare parts with an attachment named “POM-8501” and pretends to be coming from a supplier.
When the MalDoc attachment is opened, it prompts the user to enable the macro. Enabling macros would trigger the execution of malicious activities on the victim’s computer. The image below shows the malicious document (MalDoc).
https://blog.cyble.com/2023/02/01/vector-stealer-a-gateway-for-rdp-hijacking/
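One way to run the hunt suggested above (bulk reads of .rdp files by processes other than Explorer and friends), as an added example that is not from the Cyble report or this newsletter: it assumes a simple pipe-separated file-read telemetry line, a small allow-list of processes expected to open .rdp files, and a threshold of three distinct .rdp files within five minutes, all of which you would tune to your own EDR data.

```python
"""Hunt for bulk reads of .rdp files by unexpected processes.

Added example (not from the Cyble report or the newsletter): the telemetry
format, field names, process allow-list and thresholds below are assumptions;
adapt them to whatever your EDR or Sysmon pipeline actually emits.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# Processes that legitimately touch .rdp files in normal user workflows
# (assumption: mstsc.exe opens them, Explorer and the indexer enumerate them).
EXPECTED_PROCESSES = {"explorer.exe", "mstsc.exe", "searchindexer.exe"}

# Flag a process that reads at least this many distinct .rdp files
# within WINDOW on one host (assumed thresholds, tune to your estate).
MIN_DISTINCT_RDP = 3
WINDOW = timedelta(minutes=5)


def parse_event(line: str) -> Tuple[datetime, str, str, str]:
    """Parse one constructed telemetry line of the form
    '<ISO timestamp>|<host>|<process image path>|<file read path>'."""
    ts, host, image, path = line.strip().split("|", 3)
    return datetime.fromisoformat(ts), host, image, path


def hunt_rdp_access(lines: Iterable[str]) -> List[Dict]:
    """Return one finding per (host, process image) that read
    MIN_DISTINCT_RDP or more distinct .rdp files inside a WINDOW-sized
    sliding window, ignoring processes in EXPECTED_PROCESSES."""
    reads = defaultdict(list)  # (host, image) -> [(timestamp, rdp path)]
    for line in lines:
        ts, host, image, path = parse_event(line)
        if not path.lower().endswith(".rdp"):
            continue
        if image.rsplit("\\", 1)[-1].lower() in EXPECTED_PROCESSES:
            continue
        reads[(host, image)].append((ts, path.lower()))

    findings = []
    for (host, image), events in reads.items():
        events.sort()
        start = 0
        # Sliding window over the time-ordered reads for this process.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            distinct = {p for _, p in events[start:end + 1]}
            if len(distinct) >= MIN_DISTINCT_RDP:
                findings.append({
                    "host": host,
                    "process": image,
                    "first_seen": events[start][0].isoformat(),
                    "last_seen": events[end][0].isoformat(),
                    "rdp_files": sorted(distinct),
                })
                break  # one finding per process is enough for triage
    return findings


# Constructed sample telemetry (not real logs): Explorer and mstsc opening
# a single .rdp file, an unknown binary in a user's Temp folder sweeping
# three .rdp files in a second, and a backup agent touching three .rdp files
# spread over a whole day (below the rate threshold, so not flagged).
SAMPLE_TELEMETRY = [
    "2023-02-01T09:00:01|WS01|C:\\Windows\\explorer.exe|C:\\Users\\a\\Desktop\\hq.rdp",
    "2023-02-01T09:00:05|WS01|C:\\Windows\\System32\\mstsc.exe|C:\\Users\\a\\Desktop\\hq.rdp",
    "2023-02-01T09:12:00|WS01|C:\\Users\\a\\AppData\\Local\\Temp\\loader.exe|C:\\Users\\a\\Desktop\\hq.rdp",
    "2023-02-01T09:12:00|WS01|C:\\Users\\a\\AppData\\Local\\Temp\\loader.exe|C:\\Users\\a\\Documents\\branch.rdp",
    "2023-02-01T09:12:01|WS01|C:\\Users\\a\\AppData\\Local\\Temp\\loader.exe|C:\\Users\\a\\Documents\\jump.rdp",
    "2023-02-01T09:12:01|WS01|C:\\Users\\a\\AppData\\Local\\Temp\\loader.exe|C:\\Users\\a\\Documents\\notes.txt",
    "2023-02-01T10:30:00|WS02|C:\\Program Files\\Backup\\backup.exe|C:\\Users\\b\\Documents\\dc.rdp",
    "2023-02-01T14:30:00|WS02|C:\\Program Files\\Backup\\backup.exe|C:\\Users\\b\\Documents\\srv.rdp",
    "2023-02-01T18:30:00|WS02|C:\\Program Files\\Backup\\backup.exe|C:\\Users\\b\\Documents\\web.rdp",
]

if __name__ == "__main__":
    for finding in hunt_rdp_access(SAMPLE_TELEMETRY):
        print(finding["host"], finding["process"], finding["rdp_files"])
```

Only the Temp-folder binary on WS01 is reported; the slow backup agent stays below the per-window threshold, which is the kind of benign bulk reader you will want to allow-list or rate-limit rather than alert on.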
New Medusa Botnet Emerging via Mirai Botnet Targeting Linux Users
Further evolution of this threat, which appears to have many models for monetization.
We uncovered a variant of the Mirai botnet that was downloading and propagating a new botnet called the “Medusa Botnet”. When run, the Mirai botnet connects to the command and control server and retrieves the “medusa_stealer.sh” file, which it then executes.
The Medusa Botnet has the ability to launch Distributed Denial of Service (DDoS) attacks on various levels of the network hierarchy, including Layer 3, Layer 4, and Layer 7.
The Medusa botnet can launch ransomware attacks on target machines using the MedusaRansomware() function.
The medusa bot can carry out bruteforce attacks on Telnet services running on internet-connected devices using the ScanWorld function.
The Medusa botnet is equipped to receive commands “FivemBackdoor” and “sshlogin”, allowing for backdoor access and SSH login attempts.
https://blog.cyble.com/2023/02/03/new-medusa-botnet-emerging-via-mirai-botnet-targeting-linux-users/
A Detailed Analysis of a New Stealer called Stealerium
Vlad Pasca details this threat which, given it is open source, means we can expect various actors to use it where they can't or don’t want to invest.
Stealerium is an open-source stealer available on GitHub. The malware steals information from browsers, cryptocurrency wallets, and applications such as Discord, Pidgin, Outlook, Telegram, Skype, Element, Signal, Tox, Steam, Minecraft, and VPN clients.
https://resources.securityscorecard.com/research/stealerium-detailed-analysis
GuLoader: The NSIS Vantage Point
Nico Paulo Yturriaga details an ongoing campaign with an interesting focus on two specific but very distant countries in one particular sector. Looks broadly criminal in nature.
Customers in the e-commerce industry located in South Korea and the United States were heavily targeted by the GuLoader operators. In this blog, we cover the multiple archive types used by threat actors to trick users into opening an email attachment.
GuLoader is an advanced shellcode downloader infamous for using anti-analysis tricks to evade detection and obstruct reverse engineering. As of this writing, the GuLoader campaign is aggressively ongoing.
The payload to be downloaded by GuLoader varies, and potentially it might be AgentTesla, LokiBot, NanoCore RAT, NetWire RAT or a different malware family.
In November 2021, before threat actors’ use of NSIS executable files, [we] acquired the zip file 703254254bf23f72b26f54a936cda496. The zip file contains a Word Document with a macro. The macro drops a shortcut LNK and a VBS script. The VBS script drops a PE file and then the PE file loads the GuLoader shellcode to download a payload
https://www.trellix.com/en-us/about/newsroom/stories/research/guloader-the-nsis-vantage-point.html
TgToxic Malware’s Automated Framework Targets Southeast Asia Android Users
The use of a testing framework here to navigate / instrument the mobile device is of note.
We look into an ongoing malware campaign we named TgToxic, targeting Android mobile users in Taiwan, Thailand, and Indonesia since July 2022. The malware steals users’ credentials and assets such as cryptocurrency from digital wallets, as well as money from bank and finance apps. Analyzing the automated features of the malware, we found that the threat actor abused legitimate test framework Easyclick to write a Javascript-based automation script for functions such as clicks and gestures.
PixPirate: a new Brazilian Banking Trojan for Android
Those Brazilian web site defacers of the 90s appear to have continued to mature their game over the last 25 years.
Between the end of 2022 and the beginning of 2023, a new Android banking trojan was discovered by [us]. Given the lack of information and the absence of a proper nomenclature for this malware family, we decided to dub it PixPirate, to better track this family inside our internal Threat Intelligence taxonomy.
PixPirate belongs to the newest generation of Android banking trojan, as it can perform ATS (Automatic Transfer System), enabling attackers to automate the insertion of a malicious money transfer over the Instant Payment platform Pix, adopted by multiple Brazilian banks.
PixPirate appears to have the following features, primarily achieved by abusing Accessibility Services, such as:
- Ability to intercept valid banking credentials and perform ATS attacks on multiple Brazilian banks via Pix payments
- Ability to intercept/delete SMS messages
- Preventing uninstall
- Malvertising
https://www.cleafy.com/cleafy-labs/pixpirate-a-new-brazilian-banking-trojan
Discovery
How we find and understand the latent compromises within our environments.
Hunting Opaque Predicates with YARA
ςεяβεяμs provides a nice guide to using Yara in order to detect obfuscated samples.
Knowing the limitations of the halting problem and slow scanning when detecting opaque predicates with yara, our opaque predicate yara signature can still be used to hunt for interesting obfuscated samples.
https://c3rb3ru5d3d53c.github.io/2023/02/opaque-predicate-hunting-with-yara.en.md/
Hunting for Suspicious Windows Libraries for Execution and Defense Evasion
Samir Bousseaden walks us through the background and how to do this in practice. This is a valuable and exemplary bit of work on threat hunting around a very common technique.
The most commonly observed delivery techniques are the following:
Loading malicious DLLs using binary execution proxies Rundll32 and Regsvr32
Sideloading a malicious DLL from a virtual disk image (ISO/VHD files) into a convenient signed benign binary
Extracting a DLL from a malicious Microsoft Office document (i.e. Word, Excel) and immediately loading it via Visual Basic for Applications (VBA)
Downloading or extracting a DLL using a lolbin and loading it by another program
Sideloading a malicious DLL extracted from a compressed archive (zip, rar, etc) into a signed benign binary
Dropping a malicious DLL in the current directory of an existing program vulnerable to DLL sideloading (e.g. OneDrive, Slack, Teams) via one of several means
Less common but also very effective is the use of Windows Installer MSIEXEC to load a malicious DLL
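To turn the list above into something you can run over image-load telemetry, here is an added example (mine, not code from Samir Bousseaden's post): the event fields, the user-writable directory regex, the "non-C: drive means a mounted ISO/VHD" heuristic and the rule names are all assumptions to adapt to your own Sysmon or EDR schema.

```python
"""Classify DLL image-load events against the delivery patterns listed above.

Added example, not code from the post being discussed: the event fields,
directory heuristics and rule names are assumptions for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Directories a standard user can write to (assumption; extend per estate).
USER_WRITABLE = re.compile(
    r"^(?:[a-z]:\\users\\[^\\]+\\(?:downloads|appdata|desktop|documents)\\|"
    r"[a-z]:\\programdata\\|[a-z]:\\windows\\temp\\)", re.I)
# Scratch folders WinRAR / 7-Zip use when a file is opened straight from an
# archive (assumption: adjust for the archivers deployed in your estate).
ARCHIVE_TEMP = re.compile(r"\\temp\\(?:rar\$|7z)", re.I)
PROXIES = {"rundll32.exe", "regsvr32.exe"}
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SYSTEM_DRIVE = "c:"  # assumption: mounted ISO/VHD images get other letters


@dataclass(frozen=True)
class ImageLoad:
    host: str
    process: str          # full path of the loading process
    process_signed: bool  # Authenticode status of the process image
    module: str           # full path of the loaded DLL
    module_signed: bool   # Authenticode status of the DLL


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _dir(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower() + "\\"


def classify(ev: ImageLoad) -> List[str]:
    """Return the names of every delivery pattern the event matches."""
    hits: List[str] = []
    if ev.module_signed:
        return hits  # signed modules are out of scope for this hunt
    proc = _base(ev.process)
    mdir = _dir(ev.module)
    user_writable = bool(USER_WRITABLE.match(ev.module))
    if proc in PROXIES and user_writable:
        hits.append("proxy_execution_rundll32_regsvr32")
    if proc == "msiexec.exe" and "\\windows\\installer\\" not in mdir:
        hits.append("msiexec_dll_load")
    if proc in OFFICE and user_writable:
        hits.append("office_dropped_dll")
    # Sideloading: a signed, benign-looking binary pulling an unsigned DLL
    # from its own directory, either on a mounted image or somewhere a user
    # (or an archiver) could have dropped it.
    if ev.process_signed and proc not in PROXIES | OFFICE | {"msiexec.exe"}:
        same_dir = _dir(ev.process) == mdir
        if same_dir and not ev.process.lower().startswith(SYSTEM_DRIVE):
            hits.append("sideload_from_mounted_image")
        elif same_dir and (user_writable or ARCHIVE_TEMP.search(mdir)):
            hits.append("sideload_from_user_writable_dir")
    return hits


def hunt(events: List[ImageLoad]) -> List[Tuple[str, str, str, List[str]]]:
    """Return (host, process, module, matched rules) for suspicious loads."""
    out = []
    for ev in events:
        rules = classify(ev)
        if rules:
            out.append((ev.host, ev.process, ev.module, rules))
    return out


SAMPLE_EVENTS = [  # constructed events, not real telemetry
    ImageLoad("WS01", r"C:\Program Files\Google\Chrome\chrome.exe", True,
              r"C:\Program Files\Google\Chrome\chrome_elf.dll", True),
    ImageLoad("WS01", r"C:\Windows\System32\rundll32.exe", True,
              r"C:\Users\a\AppData\Local\Temp\update.dll", False),
    ImageLoad("WS02", r"C:\Users\b\Downloads\OneDrive.exe", True,
              r"C:\Users\b\Downloads\version.dll", False),
    ImageLoad("WS03", r"D:\setup.exe", True, r"D:\libcurl.dll", False),
    ImageLoad("WS04", r"C:\Windows\System32\msiexec.exe", True,
              r"C:\Users\c\AppData\Roaming\helper.dll", False),
    ImageLoad("WS05", r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              True, r"C:\Users\d\AppData\Local\Temp\x.dll", False),
    ImageLoad("WS01", r"C:\Windows\explorer.exe", True,
              r"C:\Windows\System32\shell32.dll", True),
]

if __name__ == "__main__":
    for host, proc, mod, rules in hunt(SAMPLE_EVENTS):
        print(host, proc, "->", mod, rules)
```

The drive-letter heuristic will also fire on software legitimately installed on a second data drive, so treat that rule as a hunting lead to stack with signer and prevalence data rather than as an alert on its own.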
Defence
How we proactively defend our environments.
A systematic method for measuring the performance of a cyber security operations centre analyst
Enoch Agyepong, Yulia Cherdantseva, Philipp Reinecke and Pete Burnap present an academic paper on a possible approach. I can only imagine the mutinies in various SOCs if managers tried to apply this in practice.
In this paper, we proposed a systematic method for evaluating the performance of analysts consistently and systematically by drawing on a Delphi panel and the principles of the AHP. Our work represents a potential change in direction in how analysts’ performance is evaluated. We have demonstrated that it is possible to evaluate the performance of an analyst in a systematic manner based on their task performance by proposing a weighted approach. To the best of our knowledge, this is the first empirical study to propose a systematic approach for evaluating the performance of an analyst.
https://www.sciencedirect.com/science/article/pii/S0167404822003510
Protect your Azure storage resources against blob hunting
Eitan Shteinberg provides a practical guide on how to avoid your organization embarrassing itself by leaving blob storage open with incorrect permissions.
The fact there is also now Microsoft Defender for Storage makes me chuckle.. I look forward to Microsoft Defender for 3D Pinball.
Verified Security Tests Explained: How, and Why, to Move From TTPs to VSTs
Discuss if there is value in this approach and if the evolution was needed.
A VST is a production ready TTP. Tests from this repository are automatically loaded into Detect and can be run immediately on any endpoint.
https://www.preludesecurity.com/blog/verified-security-tests-explained
https://github.com/preludeorg/test
Microsoft DART ransomware approach and best practices
How Microsoft’s IR team use their own solutions to deal with ransomware.
This article content was derived from the A guide to combatting human-operated ransomware: Part 1 and A guide to combatting human-operated ransomware: Part 2 Microsoft Security team blog posts.
Detecting credential access without losing cred
Tess Mishoe walks through how various credential dumping techniques might be detected.
https://redcanary.com/blog/credential-access/
Improve identity strategy with Microsoft
Or why MFA won't protect you always.
Extract Actionable Intelligence from Text-based Threat Intel using Sentinel Notebook
Vani Asawa details this new notebook which may provide some analyst teams further value.
In this blog, we introduce the MitreMap Notebook, which lets you input a threat report and infers the most likely MITRE ATT&CK technique(s) that map to the report. Doing this allows you to unleash the value of this unstructured data by identifying the associated motivations and tools, techniques, and procedures (TTPs) used by an actor group when carrying out an attack on your enterprise’s digital infrastructure. It also adds context to the Indicators of Compromise (IoCs) in the report, which you can use to detect patterns and trends of cyber-attacks occurring across your workspace.
https://github.com/Azure/Azure-Sentinel-Notebooks/tree/master/mitremap-notebook
Incident Response in Google Cloud: Forensic Artifacts
Wesley Guerra, Itay Angi, Oren Biderman, Shani Adir and Itay Shohat provide a very pragmatic and complete guide on the topic.
Forensic data across Google Cloud can logically be organized into three categories: Identity Management, Google Workspace Apps, and Google Cloud Platform (GCP). Each category can be further broken down into four subcategories: Configurations, Logs, Reports, and Alerts.
During triage, prioritize the following evidence sources when performing incident response against Google Workspace:
Alert Center alerts > Admin reports > Identity logs > Application logs > Application data
During triage, prioritize the following evidence sources when performing incident response against Google Cloud Platform:
Alert Center alerts > Identity logs > Security and Platform logs > Service and Resource data
https://blog.sygnia.co/incident-response-in-google-cloud-forensic-artifacts
Vulnerability
Our attack surface.
A Year in Review 2022: 100 vulnerabilities you should prioritize
Debates about CISA’s KEV, and whether its entries are really exploited, aside: in a world of vulnerability prioritization this is as good a list as any, with the possible exception that it misses the prediction of vulnerabilities not yet exploited, as seen in the likes of Phoenix Security’s platform.
The scope of this research was to identify, classify and analyze vulnerabilities from the previous year (2022) with the following characteristics:
Vulnerabilities that were zero-day (detected and disclosed to the public)
Vulnerabilities that can be found in the CISA Known Exploited Vulnerabilities (KEV) catalog (CVE-2022-*)
Vulnerabilities that were (are) exploited in the wild
https://www.prio-n.com/a-year-in-review-2022-100-vulnerabilities-you-should-prioritize/
Analysis: 12% of online stores leak private backups
Interesting research, though I am not sure if it is legal to do from the UK given the current state of the Computer Misuse Act. Love the fact the researchers had to update to say they didn’t actually breach any laws (but maybe did still breach the UK’s).
[We discovered] that one in nine online stores accidentally expose private backups. This mistake could have dire consequences. Online criminals are actively scanning for these backups, as they contain passwords and other sensitive information. Exposed secrets have been used to gain control of stores, extort merchants and intercept customer payments.
NB. Naturally, Sansec did not download any of the backups. We have reached out to merchants to verify our findings.
https://sansec.io/research/sansec-analysis-12-of-online-stores-leak-private-backups
Offense
Attack capability, techniques and trade-craft.
At the Edge of Tier Zero
Elad Shamir provides a detailed analysis but I’ll give you the tl;dr.
In this blog post, we’ll answer the question, “If I compromise a Read-Only Domain Controller, can I compromise the domain?” or, from an architectural perspective, “Do RODCs belong in Tier Zero?”
..
The answer to the question we opened with, “Do RODCs belong in Tier Zero?” is that while the RODC hosts and the credentials for their computer accounts do not belong in Tier Zero, all RODC computer objects must be protected as Tier Zero resources.
https://posts.specterops.io/at-the-edge-of-tier-zero-the-curious-case-of-the-rodc-ef5f1799ca06
Diving Deeper Into Pre-created Computer Accounts
Garrett Foster discusses some latent technical debt likely present all over.
This article provides a high-level summary of pre-Windows 2000 machine accounts, a technical deep dive into scenarios where administrators inadvertently configure accounts with a default password, and a demonstration of how these accounts can be used to bypass restrictions to join a rogue host to a domain.
https://www.optiv.com/insights/source-zero/blog/diving-deeper-pre-created-computer-accounts
Let’s Go (VS) Code
PfiatDe outlines a technique which we can expect development houses to be targeted with in 3..2..
MS is offering a signed binary (code.exe), which will establish a Command&Control channel via an official Microsoft domain https://vscode.dev. The C2 communication itself is going to https://global.rel.tunnels.api.visualstudio.com over WebSockets. An attacker only needs a GitHub account.
https://badoption.eu/docs/blog/2023/01/31/code_c2.html
BypassCredGuard: Credential Guard Bypass Via Patching Wdigest Memory
From China with love, and a design point that is unlikely to be patched.
Team Hydra submitted a report to Microsoft about this issue and received the following response:
"After investigating this issue, we do not believe this is a Credential Guard bypass. Credential Guard is meant to protect credentials that were cached while the feature is enabled. If a privileged user disables Credential Guard, then the feature cannot protect subsequent logons. We'll update our public documentation to clarify this behavior"
Given this response, I suspect this will be a reliable method of gaining clear text credentials on systems with Credential Guard enabled for the foreseeable future.
https://github.com/wh0nsq/BypassCredGuard
Certsync
A potential detection blind spot here.
Dump NTDS with golden certificates and UnPAC the hash - certsync is a new technique in order to dump NTDS remotely, but this time without DRSUAPI. It uses golden certificate and UnPAC the hash.
It works in several steps:
Dump user list, CA information and CRL from LDAP
Dump CA certificate and private key
Forge offline a certificate for every user
UnPAC the hash for every user in order to get nt and lm hashes
https://github.com/zblurx/certsync
Building a Custom Mach-O Memory Loader for macOS
Adam Chester continues to build public macOS tradecraft understanding. Given the relative immaturity of security tooling this is going to be a blood bath.
In this blog we’ll look at what it takes to construct an in-memory loader for Mach-O bundles within MacOS Ventura without using dyld. We’ll walk through the lower-level details of what makes up a Mach-O file, how dyld processes load commands to map areas into memory, and how we can emulate this to avoid writing payloads to disk. I also recommend reading this post alongside the code published here to fully understand the individual areas called out.
In keeping with Apple’s migration to ARM architecture, this post will focus on the AARCH64 version of MacOS Ventura and XCode targeting macOS 12.0 and higher.
https://blog.xpnsec.com/building-a-mach-o-memory-loader-part-1/
RToolZ: A Stealthy LSASS Dumper
Omri Baso uses a Process Explorer driver to dump passwords!
Can abuse ProcExp152.sys driver to dump PPL LSASS, no dbghelp.lib calls.
https://github.com/OmriBaso/RToolZ
SeeProxy: Golang reverse proxy with CobaltStrike malleable profile validation.
Filip Ceglik provides a capability which is going to make some C2 discovery techniques go dark.
The premise of this tool is to not open your teamserver to the world but to a single instance of SeeProxy instead. This way every request reaching your teamserver is legitimate C2 traffic.
https://github.com/nopbrick/SeeProxy
BouncyGate
More pain of EDR anomaly detection.
This is a modified version of @zimawhit3's implementation of HellsGate in Nim, with additionally making sure that all syscalls go through NTDLL, by replacing the syscall instructions with a JMP to the syscall instruction in NTDLL that corresponds to the syscall being executed. The syscalls are then used to patch AMSI as a PoC.
https://github.com/eversinc33/BouncyGate
Is D1rkMtr mortal?
One person who is apparently a machine in reality..
UnhookingPatch
Bypass EDR Hooks by patching NT API stub, and resolving SSNs and Syscall instructions at runtime
https://github.com/TheD1rkMtr/UnhookingPatch
NTDLLReflection
Bypass Userland EDR hooks by Loading Reflective NTDLL in memory from a remote server based on Windows ReleaseID to avoid opening a handle to NTDLL, and trigger exported APIs from the export table
https://github.com/TheD1rkMtr/NTDLLReflection
AMSI Patch
Patching AmsiOpenSession by forcing an error branching
https://github.com/TheD1rkMtr/AMSI_patch
NTDLL Unhooking Collection: Different NTDLL unhooking techniques
unhooking ntdll from disk
from KnownDlls
from suspended process
from remote server (fileless)
https://github.com/TheD1rkMtr/ntdlll-unhooking-collection
FilelessPELoader: Loading Remote AES Encrypted PE in memory, decrypt and run it
https://github.com/TheD1rkMtr/FilelessPELoader
How Adversaries Can Persist with AWS User Federation
Vaishnav Murthy and Joel Eng give real-world insight into a technique being used by threat actors.
[We] identified a novel technique used by threat actors that escapes typical containment practices and permits persistence in victim AWS environments.
The technique requires that the adversary first obtain valid AWS API credentials with the necessary security token service (STS) and identity and access management (IAM) permissions, and then use the sts:GetFederationToken API call to create a federated user session. Permissions and access to the federated sign-in session survive the deactivation of the base user’s API credentials.
Responders should attach an explicit deny-all IAM policy to compromised IAM users as a containment measure. If a root API key is compromised, containment is much more challenging and may not always be possible.
Note: Creating an AWS API key (a prerequisite for this technique) for the root user is discouraged by AWS. Organizations should use the root user sparingly, and only via the AWS console.
https://www.crowdstrike.com/blog/how-adversaries-persist-with-aws-user-federation/
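As an added example (not CrowdStrike's code or tooling), the check below walks constructed CloudTrail records and flags federated sessions that keep calling APIs after the issuing IAM user's access key was set Inactive, which is exactly the survival behaviour described above, and returns the explicit deny-all policy the post recommends as containment. The record shapes follow CloudTrail's userIdentity element; account ids, key ids and user names are made up.

```python
"""Added example, not CrowdStrike's code: spot sts:GetFederationToken persistence in
CloudTrail by pairing FederatedUser events with the IAM user that issued the session."""
from datetime import datetime

# Constructed CloudTrail records, trimmed to the fields the check reads. Field names
# follow CloudTrail's userIdentity element; account ids and key ids are placeholders.
SAMPLE_EVENTS = [
    {"eventTime": "2023-02-06T10:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetFederationToken", "requestParameters": {"name": "ops-session"},
     "userIdentity": {"type": "IAMUser", "userName": "build-svc",
                      "accessKeyId": "AKIAEXAMPLEKEY00001"}},
    {"eventTime": "2023-02-06T11:30:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "UpdateAccessKey",
     "requestParameters": {"userName": "build-svc", "accessKeyId": "AKIAEXAMPLEKEY00001",
                           "status": "Inactive"},
     "userIdentity": {"type": "IAMUser", "userName": "ir-responder"}},
    {"eventTime": "2023-02-06T12:15:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets",
     "userIdentity": {"type": "FederatedUser",
                      "arn": "arn:aws:sts::111122223333:federated-user/ops-session",
                      "sessionContext": {"sessionIssuer": {"type": "IAMUser",
                                                           "userName": "build-svc"}}}},
]


def _when(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def find_surviving_federated_sessions(events):
    """Return FederatedUser events that occur after the issuing IAM user's access key
    was deactivated, i.e. sessions that outlived key-based containment."""
    events = sorted(events, key=_when)
    key_disabled_at = {}  # issuing IAM user -> earliest time one of its keys went Inactive
    for ev in events:
        params = ev.get("requestParameters") or {}
        if ev["eventName"] == "UpdateAccessKey" and params.get("status") == "Inactive":
            key_disabled_at.setdefault(params["userName"], _when(ev))
    findings = []
    for ev in events:
        ident = ev["userIdentity"]
        if ident.get("type") != "FederatedUser":
            continue
        issuer = ident["sessionContext"]["sessionIssuer"]["userName"]
        if issuer in key_disabled_at and _when(ev) > key_disabled_at[issuer]:
            findings.append({"issuer": issuer, "session": ident["arn"].rsplit("/", 1)[-1],
                             "eventName": ev["eventName"], "eventTime": ev["eventTime"]})
    return findings


def deny_all_policy():
    """Explicit deny-all IAM policy document to attach to the compromised IAM user,
    the containment step the post recommends instead of only deactivating keys."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}]}


if __name__ == "__main__":
    for f in find_surviving_federated_sessions(SAMPLE_EVENTS):
        print(f"{f['eventTime']} {f['session']} (issued by {f['issuer']}) called {f['eventName']}")
```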
Exploitation
What is being exploited.
Feb 1, 2023 - A Zero-Day Remote Code Injection exploit was identified in GoAnywhere MFT
The vendor reported, though not on the open Internet, that there was a problem and that it was being exploited in the wild.
https://infosec.exchange/@briankrebs/109795710941843934
Then an exploit landed in Metasploit
https://github.com/rapid7/metasploit-framework/pull/17607
Objet: Campagne d’exploitation d’une vulnérabilité affectant VMware ESXi - Campaign to exploit a vulnerability affecting VMware ESXi
The French CIRT reported first, followed by a flurry of other reporting.
CISA released a recovery tool
https://github.com/cisagov/ESXiArgs-Recover/blob/main/recover.sh
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers.
Porting Cycle-Based CPU Usage to ARM64
Low level observability such as this allows measurement → measurement allows profiling → profiling allows variance detection.
my story porting System Informer’s cycle-based CPU usage to ARM64. I’ll explain the difference in CPU cycle tracking on Windows ARM64, compare time-based vs cycle-based measurements, and describe how System Informer calculates and displays this information.
https://winsiderss.github.io/si-blog/2023/02/04/arm64-cycle-based-cpu.html
The technology behind GitHub’s new code search
Or how to build high speed indexes for threat intelligence / threat hunting -
Our ingest pipeline can publish around 120,000 documents per second, working through 15.5 billion documents should take about 36 hours. But delta indexing reduces that to 18 hours.
https://github.blog/2023-02-06-the-technology-behind-githubs-new-code-search/
NtDetours
For those who want to do hooking.
Detours implementation (x64/x86) which uses only ntdll import
https://github.com/rbmm/NtDetours
Injecting Code using Imported Functions into Native PE Files
Watch for those supplicant payloads..
Patching PE files is easy. Injecting new code that uses functions from external modules, however, is more complicated. In this post, we are implementing a method for rebuilding import directories, such that we can inject any type of code in an arbitrary PE file.
https://washi.dev/blog/posts/import-patching/
eSROP Attack: Leveraging Signal Handler to Implement Turing-Complete Attack Under CFI Defense
Tianning Zhang, Miao Cai, Diming Zhang & Hao Huang drop what I suspect will be a viable technique in some edge case vulnerabilities where all else fails.
Signal Return Oriented Programming (SROP) is a dangerous code reuse attack method. Recently, defense techniques have been proposed to defeat SROP attacks. In this paper, we leverage the signal nesting mechanism provided by current operating systems and propose a new variant of SROP attack called enhanced SROP (eSROP) attack. eSROP provides the ability of invoking arbitrary system calls, simulating Turing-complete computation, and even bypassing the fine-grained label-based CFI defense, without modifying the return address and instruction register in the signal frame. Because the signal returns to the interrupted instruction, the shadow stack defense can hardly detect our attack. Signal has strong flexibility which can interrupt the normal control flow. We leverage such flexibility to design a new code reuse attack. To evaluate eSROP, we perform two exploits on two real-world programs, namely Proftpd and Wu-ftpd. In our attacks, adversaries can invoke arbitrary system calls and obtain a root shell. Both attacks succeed within 10 min under strict system defense such as data execution prevention, address space layout randomization, and coarse-grained control flow integrity.
https://link.springer.com/chapter/10.1007/978-3-031-25538-0_39
TinyProcessor: A post-processing script for Tiny Tracer
Goatmilkkk provides a small work aid to enrich Tiny Tracer.
This project replaces syscall numbers & arguments in Tinytracer's .tag output w/ their actual Nt function declarations for better readability.
https://github.com/goatmilkkk/TinyProcessor
NETWIRE Dynamic Configuration Extraction
Seth Goodwin and Salim Bitam help malware analysts.
NETWIRE has shown an increase in prevalence over the last year
[We] created an extractor to pull out configuration data from NETWIRE files and memory dumps targeting the functions the malware uses to extract its encrypted data
https://www.elastic.co/security-labs/netwire-dynamic-configuration-extraction
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
TELEGRAM – How a Messenger Turned Into a Cybercrime Ecosystem by 2023
Security and Privacy in Communication Networks - the SecureComm 2022 proceedings present papers on AI for Security, Intrusion Detection, Mobile Security, Network Security, Privacy and Software Security
Draft Whitepaper: An attribution model for influence operations
UN OEWG and GGE - This page provides detailed and real-time coverage on cybersecurity and peace and security negotiations at the United Nations.
Cybersecurity and Outer Space - Vulnerabilities now exist with space systems, and these are especially pronounced in the face of cyberthreats. We now confront a volatile “space-cyber nexus,” which this essay series explores across a diverse and wide range of perspectives.
G7 Fundamental Elements for Threat-LED Penetration Testing - things I wouldn’t have predicted in my lifetime.
Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself
Avoiding the success trap: Toward policy for open-source software as infrastructure
This newsletter is produced by BinaryFirefly; it is via BinaryFirefly that I support a hand-picked set of organisations across investment, strategy and capability in the domain of cyber.
For sponsorship enquiries regarding Bluepurple or anything else contact hello@binaryfirefly.com.