Bluepurple Pulse: week ending February 19th
We all want to be in Belgium and bye bye Chris Inglis
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally, as you will see from all the reporting below, this week was, shall we say, busy.
In the high-level this week:
In State of the Union, President Biden to Outline Vision to Advance Progress on Unity Agenda in Year Ahead | The White House - "Strengthen data privacy and platform transparency for all Americans" - what will the cost to cyber defense be?
Quad Joint Statement on Cooperation to Promote Responsible Cyber Habits | The White House - We the Quad partners of Australia, India, Japan, and the United States are launching a public campaign to improve cyber security across our nations: the Quad Cyber Challenge.
UK cracks down on ransomware actors - Seven Russian cyber criminals have been sanctioned by the UK and US in the first wave of new coordinated action against international cyber crime
Korea-U.S. Joint Cyber Security Recommendation Regarding North Korean Ransomware (Korean) - Co-ordinated activity between the USA and South Korea
Block North Korea's illegal foreign currency earning using cyberspace (Korean) - The South Korean government has decided to take specific measures to counter illegal cyber activities, which are one of North Korea's main sources of funding for nuclear and missile development.
Related there has been reporting around - Has a Sanctioned Bitcoin Mixer Been Resurrected to Aid North Korea’s Lazarus Group? and Meet the Creator of North Korea’s New Favorite Crypto Privacy Service
Korea's 'strategic command' to oversee space, cyber units, F-35s, submarines: official - cyber is strategic after all.
New legal framework for reporting IT vulnerabilities in Belgium - Belgium gets legal protections for researchers working with vulnerability disclosure programs.
The Era of Coalitions: The Shifting Nature of Alignments in Asia by Zack Cooper - ISEAS-Yusof Ishak Institute
Sir Richard Barrons on how the characteristics of war are changing - The idea that cyber would make jets, tanks and guns obsolete was always a fantasy. Countries such as Britain that cut spending on conventional armed forces to pay for cyber programmes now see that the two are needed together.
Cloud security: Where do CSP and client responsibilities begin and end? - Some providers, though — Google Cloud for example — observe what’s known as a “shared fate approach.” - this means being “active partners” as organizations deploy securely on the platform, “not delineators of where our responsibility ends.”
Government unveils new institute focused on cybersecurity in Taiwan - Taiwan’s National Institute of Cyber Security (NICS)
Russian National Charged with Bank Fraud Related to Hacking Campaign - A Russian national was charged in an indictment unsealed today in connection with a series of computer system intrusions that occurred in 2009 and 2010
The Next Cyber Phase of the Russia-Ukraine War Will Echo in Asia - Moreover, cyberattacks as a precursor to kinetic warfare are now a reality.
The State Duma proposed not to punish hackers working in the interests of Russia - Deputy Khinshtein: hackers working in the interests of Russia should be released from liability
Revealed: the hacking and disinformation team meddling in elections - A team of Israeli contractors who claim to have manipulated more than 30 elections around the world using hacking, sabotage and automated disinformation on social media has been exposed in a new investigation.
Belgium launches new legal framework for reporting IT vulnerabilities - To clarify the situation of these people with good intentions, a new legal framework is planned to take effect on 15 February 2023. This framework describes how a natural or legal person with no fraudulent intent or intention to cause harm can detect and must report existing vulnerabilities in networks and information systems in Belgium.
Summary of the Australian Privacy Act Review - The proposed reforms are aimed at strengthening the protection of personal information and the control individuals have over their information
Then we had this cyber operation last Saturday in Iran, which saw Iranian TV hacked with a V for Vendetta-esque broadcast during a presidential address.
A brief reflection this week: simply put, Content Disarm & Reconstruction (CDR) really is a robust mitigation when you read the reporting, week in and week out, about email and malicious attachments. If more organizations deployed it I suspect the world would be materially more secure.
I released a new paper titled Digital Borders and Assets in National Cyber Resilience as a conversation starter, the preface of which is:
Governments periodically produce quantified comparators, both against themselves and against others, to show progress against stated policy objectives. We suggest that for Governments to be effective in their cyber resilience objectives they need to be able to define where their digital borders begin and end, as well as those digital assets which comprise their national asset register, both in and out of country, across Government, Academia and the Private Sector.
In the context of cyber risk, the assets that comprise a country can be seen as analogous to the assets that comprise an organisation. Being able to define and identify such assets is considered a fundamental requirement to cyber hygiene in contemporary governance. Similarly there have been calls and proposals for the US to have a Bureau of Cyber Statistics and the UK to have an Office of National Statistics of Cyber. We suggest for such organisations to be effective would similarly require definition and identification of assets.
This paper explores the considerations around how the digital borders and assets that comprise a country may be defined.
On the interesting job front:
Beazley hiring Head of Cyber Threat Intelligence in London, England, United Kingdom
The Alan Turing Institute (UK) is looking for a new CEO (reference number 6345)
Finally, the CyberPeace Institute is looking for support - to quote a recent UK Government newsletter from what was DCMS - Does your corporation want to have a human impact in cyberspace? The CyberPeace Builders is a unique network of expert volunteers assisting humanitarian non-government organisations to manage their cyber security so they can maintain their operations. CyberPeace Builders are currently looking for organisations to support their work by providing volunteer time, sharing information about their free services for NGOs or funding their work.
Have a lovely Thursday
Cyber threat intelligence
Who is doing what to whom and how.
Fog of war: how the Ukraine conflict transformed the cyber threat landscape
Shane Huntley gives a view of the future
We assess with high confidence that Russian government-backed attackers will continue to conduct cyber attacks against Ukraine and NATO partners to further Russian strategic objectives.
We assess with high confidence that Moscow will increase disruptive and destructive attacks in response to developments on the battlefield that fundamentally shift the balance – real or perceived – towards Ukraine (e.g., troop losses, new foreign commitments to provide political or military support, etc.). These attacks will primarily target Ukraine, but increasingly expand to include NATO partners.
We assess with moderate confidence that Russia will continue to increase the pace and scope of IO to achieve the objectives described above, particularly as we approach key moments like international funding, military aid, domestic referendums, and more. What’s less clear is whether these activities will achieve the desired impact, or simply harden opposition against Russian aggression over time.
Cyber attack on organizations and institutions of Ukraine using the Remote Utilities program
It is a little like Russia has given up trying, or is falling back to basics.
[M]ass distribution of e-mails allegedly on behalf of the Apparatus of the National Security and Defense Council of Ukraine with the subject "RE: Critical security update" and an attachment in the form of a RAR archive "KB5017371 security system update.rar".
The mentioned file contains a decoy image "instructions Important to read.jpg" and a split archive containing the executable file "KB5017371.exe".
Running the latter will install Remote Utilities on the victim's computer.
Havoc Across the Cyberspace
Niraj Shivtarkar documents a rather crude campaign which is going after a Government in an unspecified territory.
[We] observed a new campaign targeting a Government organization in which the threat actors utilized a new Command & Control (C2) framework named Havoc.
Uncle Sow: Dark Caracal in Latin America
Cooper Quintin details further activity from this threat actor, which has previously worked for governments but appears mercenary. The spillover into the US is likely to bring a level of attention they didn’t want.
Recently we discovered a new version of the Bandook malware, which has been updated to have 148 unique commands it can send the infected computer, far more than the 120 available in previous samples. This sample and related samples seem to be part of a campaign that began in March 2022, utilizing a new command and control server (a remote computer which issues orders to the infected computers and receives data stolen from the infected computers) at the domain
NewsPenguin, a Previously Unknown Threat Actor, Targets Pakistan with Advanced Espionage Tool
Regional targeting against the Pakistani government by what is suspected to be another Government. The technical tradecraft, as with every other week, is malicious attachments and macros.
A previously unknown threat actor is targeting organizations in Pakistan using a complex payload delivery mechanism. The threat actor abuses the upcoming Pakistan International Maritime Expo & Conference (PIMEC-2023) as a lure to trick their victims.
The attacker sent out targeted phishing emails with a weaponized document attached that purports to be an exhibitor manual for PIMEC-23. The document utilizes a remote template injection technique and embedded malicious Visual Basic for Applications (VBA) macro code to deliver the next stage of the attack, which leads to the final payload execution.
Dalbit (m00nlight): Chinese Hacker Group's APT Attack Campaign
A sense of the scale and spectrum of Chinese activity against the Korean industrial base is given in this Korean reporting. The reporting also intimates that the Chinese state may have a capability against a specific regional email (groupware) product.
This group has had more than 50 confirmed attack attempts on Korean companies since 2022. Most of the attacked companies were mid to small companies while a portion was major companies. The team has confirmed that 30% of the infected companies were using a certain Korean groupware solution.
TTPs $ ScarCruft Tracking Note
Firstly Notion gets a special mention for breaking automatic translation. Entirely hostile and not needed. This Korean reporting covers this North Korean threat actor’s evolution in tooling and C2 mechanisms.
For command control, a third party library called Ably was exploited to create a secret communication channel for command control, and the malicious program was written in Go language and distributed. In addition, it was confirmed that malicious codes for various command control are additionally installed in order to infiltrate the target and maintain persistence (prepare for a situation where the channel does not operate).
Nice Try Tonto Team How a nation-state APT attempted to attack Group-IB
Chinese actors taking a swing at a cyber security / cyber threat intelligence company. The actual tradecraft remains disappointing.
In June 2022, [we] blocked an attempt to deliver a malicious email to Group-IB’s employees.
The attackers used phishing emails to deliver malicious Microsoft Office documents created with the Royal Road Weaponizer, a tool widely used by Chinese nation-state threat actors.
During the attack, [our] researchers noticed the use of the Bisonal.DoubleT backdoor. Bisonal.DoubleT is a unique tool developed by the Tonto Team APT.
Using Geotargeting to Customize Phishing
Jeremy Fuchs provides interesting insight into the use of geo destination shaping platforms in phishing. I suspect these techniques will provide a degree of protection to the threat actors and trip up certain researchers.
In this attack, hackers redirect users via Geotargetly, a geo-targeting platform, and provide them with customized, localized phishing pages.
GeoTargetly is a legitimate website that allows advertisers to redirect users to pages and ads in their local markets. For example, a New York-based viewer would get something in English, localized to New York. Someone in France will get a page in French.
[An] email is in Spanish and was sent originally to users in Colombia.
In the above example, the original email starts in Colombia, and so if the user is in Colombia, they will be redirected to a Colombian government look-a-like page.
The trend continues with further reporting this week.
Malvertiser “D-Shortiez” abuses WebKit back button hijack in forced-redirect campaign
Eliya Stein details a campaign which evidences threat actor capability to research behavioral traits in specific browsers and weaponize in their campaigns.
Over the last few years, as AdTech and browser security has continued to mature, many malvertisers have moved on from forced redirect campaigns that target premium publishers and top-tier advertising platforms. The ones that are left, however, typically have little tricks that they employ in order to try and achieve some sort of positional advantage in order to optimize their impact and reach.
Today we are looking at part of a payload from a threat actor that we call D-Shortiez. A group that runs forced redirect campaigns that propel victims down familiar malicious click-chains which surface familiar scams
Cloud Credentials Phishing | Malicious Google Ads Target AWS Logins
Tom Hegel details a campaign which, I suspect, will drive AWS to mandate MFA for new accounts in 3..2..
From a high level, the workflow of the malvertising campaign followed a unique pattern, providing yet another example of the evolving malvertising campaigns ongoing through Google search results. In the case of AWS credentials targeting discussed here, we perform a normal Google search for “AWS”, which returns the malicious ad among the results.
GootLoader - SEO Poisoning and Large Payloads Leading to Compromise
This article got pulled for unknown reasons, so the usual health warnings apply. However, it highlights potential further evidence of search engine manipulation, so it is included for completeness.
[We] observed the use of SEO poisoning techniques to place infected pages higher in internet browser search results. It is likely the higher the search engines results, the more likely victims will click on the links.
APT Bahamut Attacks Indian Intelligence Operative using Android Malware
An Iranian state campaign targeting Indian intelligence. The mobile tradecraft is of note here, although rather crude.
In November 2022, [we] detected a cyber-attack on an intelligence operative in India. In this attack, the threat actor was seen leveraging a strategic social engineering attack to deliver and install the .APK on the victim’s mobile. The threat actor requested the victim to share unknown files in encrypted form via an android app, which was malicious. The malicious app was instantly attached with a direct message on telegram. Upon installing, the malicious Android Package, an app with a random icon led to a dummy sign-up and login page, followed by setting up a new pattern lock.
Analysis of APT-C-56 (Transparent Tribe) Disguised Resume Attack Activities
Chinese reporting on historic Pakistani activity from 2021. The use of a resume to target an organization is of note as those who process them are meant to open emails and attachments from those they don’t know.
Various bits of North Korea reporting this week which
North Korean hacking attack disguised as a forum with the North Korean Human Rights Division of the Ministry of Unification Beware!
I found this interesting for several reasons, but the standout was this legitimate behaviour, which appears to set up any potential victim through muscle memory.
Meanwhile, for security reasons, the Ministry of Unification usually attaches files in the form of encrypted HTML when sending major information e-mails, and applies a security function so that details can be viewed only after entering a separate password.
They appear to really do that, so the click here / supply a password lure behavior fits. Then
Anti-forensic techniques used by the Lazarus group
Korean reporting on Lazarus’s anti forensics tradecraft which can be summarized as:
Data hiding through encryption
Data hiding through file placement
Mylobot: Investigating a proxy botnet
Stanislas Arnoud details an implant which could cause all manner of mayhem in police investigations if present.
Mylobot is a malware that targets Windows systems, it first appeared in 2017 and until now hasn’t received much attention over the years. In this article, we'll focus on its main capability, which is transforming the infected system into a proxy.
Various bits of OneNote usage again this week with lots of reporting as a result.
Onenote Malware: Classification and Personal Notes
Qakbot OneNote Campaign Payload Delivery
A list of URLs dropped by malicious OneNotes in recent campaigns
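Given how much of this week's reporting is OneNote-borne, the triage step a responder wants is to pull the embedded payloads out of a .one file without opening it. The following is an added example (mine, not from any of the posts above); it walks the FileDataStoreObject structures defined in MS-ONESTORE, whose header and footer GUIDs are fixed, validates each object's cbLength against the footer, and types the carved bytes by content rather than by the filename the lure shows. The .one blob it parses is constructed inline with those GUIDs and an inert HTA-shaped string standing in for a real lure; the marker list in `classify` and the "suspicious" kinds are my assumptions, not a published signature set.

```python
import struct
import sys
from dataclasses import dataclass

# GUIDs from the MS-ONESTORE specification, in their on-disk (mixed-endian) byte order.
ONE_FILE_HEADER = bytes.fromhex("e4525c7b8cd8a74daeb15378d02996d3")  # {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}
FDSO_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")     # {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}
FDSO_FOOTER = bytes.fromhex("22a7fb71790f0b4abb13899256426b24")     # {71FBA722-0F79-4A0B-BB13-899256426B24}
FDSO_FIXED_AFTER_GUID = 8 + 4 + 8  # cbLength (uint64), unused (uint32), reserved (uint64)
EXECUTABLE_KINDS = {"pe", "elf", "script"}  # assumption: what we escalate on


@dataclass
class EmbeddedFile:
    offset: int   # start of FileData within the .one blob
    size: int
    kind: str
    data: bytes


def classify(data: bytes) -> str:
    """Content-based typing: the container gives no filename worth trusting."""
    head = data[:8]
    for magic, kind in ((b"MZ", "pe"), (b"\x7fELF", "elf"), (b"PK\x03\x04", "zip"),
                        (b"%PDF", "pdf"), (b"\x89PNG", "png"), (b"\xff\xd8\xff", "jpeg")):
        if head.startswith(magic):
            return kind
    text = data[:4096].lower()
    markers = (b"<script", b"<hta:", b"wscript", b"cscript", b"powershell", b"cmd /c", b"@echo off")
    return "script" if any(m in text for m in markers) else "unknown"


def carve_embedded_files(blob: bytes) -> list:
    """Walk every FileDataStoreObject; accept it only if cbLength lands exactly on the footer GUID."""
    found, pos = [], 0
    while (idx := blob.find(FDSO_HEADER, pos)) != -1:
        fixed_start = idx + len(FDSO_HEADER)
        data_start = fixed_start + FDSO_FIXED_AFTER_GUID
        if data_start > len(blob):
            break
        (cb_length,) = struct.unpack_from("<Q", blob, fixed_start)
        data_end = data_start + cb_length
        footer = blob[data_end:data_end + len(FDSO_FOOTER)]
        if cb_length <= len(blob) and footer == FDSO_FOOTER:
            data = blob[data_start:data_end]
            found.append(EmbeddedFile(data_start, cb_length, classify(data), data))
            pos = data_end + len(FDSO_FOOTER)
        else:
            pos = fixed_start  # header bytes with no well-formed object behind them; keep scanning
    return found


def build_fdso(data: bytes) -> bytes:
    return FDSO_HEADER + struct.pack("<QIQ", len(data), 0, 0) + data + FDSO_FOOTER


def build_sample_one() -> bytes:
    """Constructed .one-like blob (not a real notebook): correct GUIDs, zero padding elsewhere."""
    decoy_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
    lure_hta = (b"<html><hta:application showintaskbar='no'>"
                b"<script>new ActiveXObject('WScript.Shell').Run('calc.exe');</script></html>")
    return (ONE_FILE_HEADER + b"\x00" * 120
            + build_fdso(decoy_png) + b"\x11" * 40
            + FDSO_HEADER + b"\x00" * 8          # stray header GUID with no valid object behind it
            + build_fdso(lure_hta) + b"\x00" * 32)


def triage(blob: bytes) -> dict:
    files = carve_embedded_files(blob)
    return {"is_onenote": blob.startswith(ONE_FILE_HEADER),
            "embedded": [(f.offset, f.size, f.kind) for f in files],
            "suspicious": [f.kind for f in files if f.kind in EXECUTABLE_KINDS]}


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_one()
    print(triage(blob))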
Illuminating Large-Scale IPv6 Scanning in the Internet
Philipp Richter, Oliver Gasser and Arthur Berger released this paper in October 2022 (which I missed) but presented it at the IETF this month (which is how I caught it). The takeaway is that Chinese-originating traffic appears to be responsible for ~70% of IPv6 scanning, which is, shall we say, enlightening.
How we find and understand the latent compromises within our environments.
Bypassing MFA: A Forensic Look at Evilginx2 Phishing Kit
Carly Battaile notes the indicators from the use of this framework which will help investigators.
[...] will still originate from anomalous IP addresses.
All attacker activity will have the same SessionId, even if the cookie is moved off the phishing server to be imported into a browser on another system.
Initial logins from the phishing server will appear as the victim’s legitimate user agent string.
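The indicators above reduce to one join: the stolen session keeps its SessionId while the source IP (and, once the cookie is imported into the attacker's own browser, the user agent) changes. As an added example, not from the post, the script below runs that correlation over a constructed sign-in log. The record shape, the RFC 5737 addresses and the "corporate egress" allow-list are all my assumptions; a real deployment would feed it from the tenant's sign-in export and tune the allow-list to its own VPN and office ranges so that roaming users do not page the on-call.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sign-in records in the rough shape of a cloud sign-in export (not real telemetry).
# S-1: alice is phished; the first login comes from the reverse proxy with her real browser's UA,
#      then the stolen cookie is replayed from the attacker's own host with a different browser.
# S-2: bob, a single office IP, nothing odd.
# S-3: carol moving between two corporate egress IPs, the benign look-alike of the pattern.
SIGNIN_EVENTS = [
    {"ts": "2023-02-14T09:00:12Z", "user": "alice", "session_id": "S-1", "ip": "203.0.113.10",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/110.0"},
    {"ts": "2023-02-14T09:05:40Z", "user": "alice", "session_id": "S-1", "ip": "198.51.100.7",
     "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/109.0"},
    {"ts": "2023-02-14T09:31:03Z", "user": "alice", "session_id": "S-1", "ip": "198.51.100.7",
     "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/109.0"},
    {"ts": "2023-02-14T08:55:00Z", "user": "bob", "session_id": "S-2", "ip": "192.0.2.20",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/110.0"},
    {"ts": "2023-02-14T10:02:00Z", "user": "carol", "session_id": "S-3", "ip": "192.0.2.20",
     "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_2) Safari/605.1.15"},
    {"ts": "2023-02-14T11:15:00Z", "user": "carol", "session_id": "S-3", "ip": "192.0.2.21",
     "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_2) Safari/605.1.15"},
]

CORPORATE_EGRESS = frozenset({"192.0.2.20", "192.0.2.21"})  # assumed known-good source IPs


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def correlate_sessions(events, trusted_ips=frozenset()):
    """Flag every session ID used from more than one source IP, unless every IP is trusted."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session_id"]].append(e)
    findings = []
    for sid, evs in by_session.items():
        evs = sorted(evs, key=lambda e: parse_ts(e["ts"]))
        ips = [e["ip"] for e in evs]
        if len(set(ips)) < 2 or all(ip in trusted_ips for ip in ips):
            continue
        uas = {e["user_agent"] for e in evs}
        findings.append({
            "session_id": sid,
            "user": evs[0]["user"],
            "first_ip": ips[0],                     # the phishing proxy, if this is Evilginx2
            "later_ips": sorted(set(ips[1:]) - {ips[0]}),
            "user_agent_changed": len(uas) > 1,     # cookie imported into a different browser
            "window": (evs[0]["ts"], evs[-1]["ts"]),
        })
    return findings


if __name__ == "__main__":
    for finding in correlate_sessions(SIGNIN_EVENTS, CORPORATE_EGRESS):
        print(finding)
```

Note that the first login carries the victim's genuine user agent, so a user-agent-only rule would miss the initial access; the session-to-IP join is the part that survives the proxy.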
Microsoft Defender for Endpoint Internals - Timeline
Olaf Hartong (just call him the savior) highlights another data source.
One of the immediate differences between the Timeline and the raw telemetry that is available through the Advanced Hunting tab, is that this data is stored for 180 days, where the raw logs are only available for 30 days, after which they are removed from the M365 portal.
Investigating coordinated account creation using burst detection and network analysis
Daniele Bellutta and Kathleen M. Carley show that humans have frailties when they establish accounts which in turn allows identification.
Analysis of fourteen months of tweets discussing the 2020 U.S. elections revealed that accounts created during bursts exhibited more similar behavior, showed more agreement on mail-in voting and mask wearing, and were more likely to be bots and share links to low-credibility sites. In concert with other techniques for detecting nefarious activity, social media platforms could temporarily limit the influence of accounts created during these bursts. Given the advantages of combining multiple anti-misinformation methods, we join others in presenting a case for the need to develop more integrable methods for countering online influence campaigns.
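The paper's observation is that coordinated accounts tend to be registered in clusters, so the first operational step is to find the clusters in an account-creation log. The example below is added here and is not the authors' code; their burst-detection method is not reproduced, and what follows is a simpler stand-in: bucket creation times into fixed windows and call a window a burst when its count sits well above a robust baseline (median plus a MAD-scaled margin, with a hard floor so that quiet feeds do not alert on a handful of signups). The account log is constructed inline, and the window size, `k` and `min_count` are assumptions to be tuned against the platform's own baseline.

```python
from datetime import datetime, timedelta
from statistics import median

EPOCH = datetime(1970, 1, 1)


def build_sample_accounts():
    """Constructed creation log: roughly one organic signup every three hours over two days,
    plus twelve accounts created within twelve minutes of each other on the second day."""
    base = datetime(2020, 10, 1)
    accounts = [(f"user{h:02d}", base + timedelta(hours=h, minutes=15)) for h in range(48) if h % 3 == 0]
    accounts += [(f"burst{i:02d}", base + timedelta(hours=20, minutes=i)) for i in range(12)]
    return accounts


def bucket_counts(timestamps, window):
    """Count events per fixed window, aligned to multiples of `window` since the epoch."""
    t0 = EPOCH + ((min(timestamps) - EPOCH) // window) * window
    n = (max(timestamps) - t0) // window + 1
    counts = [0] * n
    for t in timestamps:
        counts[(t - t0) // window] += 1
    return t0, counts


def detect_bursts(accounts, window=timedelta(hours=1), k=3.0, min_count=5):
    """A window is a burst if its count is at least max(min_count, median + k * scaled MAD)."""
    t0, counts = bucket_counts([t for _, t in accounts], window)
    med = median(counts)
    mad = median([abs(c - med) for c in counts])
    threshold = max(min_count, med + k * 1.4826 * mad)  # 1.4826 makes MAD comparable to a std dev
    return [{"start": t0 + i * window, "count": c} for i, c in enumerate(counts) if c >= threshold]


def accounts_in_bursts(accounts, bursts, window=timedelta(hours=1)):
    """The account IDs registered inside any burst window: the set to down-weight or review."""
    flagged = set()
    for b in bursts:
        lo, hi = b["start"], b["start"] + window
        flagged.update(a for a, t in accounts if lo <= t < hi)
    return flagged


if __name__ == "__main__":
    accounts = build_sample_accounts()
    bursts = detect_bursts(accounts)
    print(bursts)
    print(sorted(accounts_in_bursts(accounts, bursts)))
```

The median/MAD baseline is deliberate: a mean-and-standard-deviation baseline gets dragged upward by the very burst you are trying to find.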
Canarytokens.org welcomes Azure Login Certificate Token
Pieter documents a new addition to the family. Free, high signal and to the betterment of security.
How we proactively defend our environments.
Jonathan Johnson makes multisource telemetry sound really exotic. In this post he combines three sources to detect .NET assembly loading.
Linux Auditd for Threat Hunting [Part 2]
IzyKnows returns with the second post in this series to further uplift defensive tradecraft on Linux.
In Before The Lock: ESXi
Building on the back of recent events, there is some thematic reporting on a broader trend.
RDP Security Event Flowchart
Richard Davis provides a nice flowchart of Windows events for various RDP activities. It will be really useful to some.
Our attack surface.
GitLab Critical Security Release: 15.8.2, 15.7.7 and 15.6.8
A user can feed a specially crafted input to git apply to overwrite a path outside the working tree.
This can be used to execute arbitrary commands in GitLab installations within GitLab's Gitaly environment.
ExploitLeakedHandle: Identify and exploit leaked handles for local privilege escalation on Windows
0x00Check releases some tooling which, I suspect, is going to cause some local privilege escalation havoc.
ExploitLeakedHandle is a utility that identifies handles in unprivileged processes that may have been inherited from a privileged parent process and attempts to leverage them for local privilege escalation.
Attack capability, techniques and trade-craft.
ThreadlessInject: Threadless Process Injection using remote function hooking
Ceri Coburn provides some tradecraft which will highlight some gaps in various EDR solutions.
HWSyscalls: new method to execute indirect syscalls
Mor Davidovich further evolves syscall tradecraft which will trip up some EDR solutions.
using HWBP, HalosGate and a synthetic trampoline on kernel32 with HWBP.
LdrDllNotificationHook: Hook all callbacks which are registered with LdrRegisterDllNotification
Michael Maltsev releases tooling which will blind some EDR solutions on Windows.
This project demonstrates a way to hook all DLL load notifications in a process. It hooks all callbacks which are registered with LdrRegisterDllNotification, including callbacks which are registered after the hook is set.
The hook can be used to prevent the original callbacks from being called.
Behind the Mask: Spoofing Call Stacks Dynamically with Timers
William Burgess emerges at his new employer with this post; with him doing development at Cobalt Strike we can expect some rapid advancements in capability. This technique specifically will cause some detection headaches and prompt counter-research.
This blog introduces a PoC technique for spoofing call stacks using timers. Prior to our implant sleeping, we can queue up timers to overwrite its call stack with a fake one and then restore the original before resuming execution. Hence, in the same way we can mask memory belonging to our implant during sleep, we can also mask the call stack of our main thread. Furthermore, this approach avoids having to deal with the complexities of X64 stack unwinding, which is typical of other call stack spoofing approach
D1rkSleep: Improved version of EKKO
D1rkMtr returns with this refinement which will further complicate Windows detections.
Improved version of EKKO that Encrypts only Image Sections. Sleep obfuscation technique that uses CreateTimerQueueTimer Win32 API.
shellcode-plain-sight: Hiding shellcode in plain sight within a large memory region
Lloyd Davies delivers this capability, inspired by a technique used by Raspberry Robin's Roshtyak. This will cause some EDRs to go blind / sob.
This technique is very simple: a RW memory region 2048 times the size of the shellcode is allocated. This region is then filled with randomized data (RtlGenRandom), and the shellcode is then placed randomly somewhere within this massive region each time. This makes it hard for an AV/EDR solution, or an analyst, to simply see where the shellcode is in-memory.
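An added sketch, mine rather than the project's code and in Python rather than native, to show the detection-side caveat: uniformly random filler has near-maximal byte entropy, so a payload that is not itself encrypted leaves a measurable dip when you slide an entropy window over the region. `os.urandom` stands in for RtlGenRandom, the inert low-entropy placeholder stands in for shellcode (constructed, and deliberately unlike a real payload), and the window size and 6-bit threshold are my assumptions. The scan can, in the other direction, also be read as a reminder that an encrypted or packed payload closes the dip, at which point a multi-megabyte region of pure noise in RW memory is itself the anomaly worth scoring.

```python
import math
import os
import secrets

# Constructed stand-in for a payload: inert, and low-entropy on purpose (NOP sled plus ASCII).
FAKE_PAYLOAD = (b"\x90" * 128 + b"constructed placeholder, not real shellcode. ").ljust(256, b"A")[:256]


def hide_in_plain_sight(payload, factor=2048, rng=os.urandom, offset=None):
    """Mirror the README's placement: a region `factor` times the payload size, filled with
    random bytes, with the payload copied to a random offset. `rng`/`offset` are injectable
    only so that the behaviour can be reproduced deterministically."""
    region = bytearray(rng(len(payload) * factor))
    if offset is None:
        offset = secrets.randbelow(len(region) - len(payload) + 1)
    region[offset:offset + len(payload)] = payload
    return bytes(region), offset


def shannon_entropy(buf):
    """Bits per byte; 8.0 is the maximum for a uniform byte distribution."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def entropy_scan(region, window=256, step=64):
    """Sliding-window entropy profile of the region: [(offset, bits_per_byte), ...]."""
    return [(off, shannon_entropy(region[off:off + window]))
            for off in range(0, len(region) - window + 1, step)]


def find_low_entropy_span(region, window=256, step=64, threshold=6.0):
    """Return the (offset, entropy) of the lowest-entropy window below `threshold`, or None.
    Against uniform filler a cleartext payload shows up as exactly such a dip."""
    dips = [(off, h) for off, h in entropy_scan(region, window, step) if h < threshold]
    return min(dips, key=lambda t: t[1]) if dips else None


if __name__ == "__main__":
    region, offset = hide_in_plain_sight(FAKE_PAYLOAD, factor=64)  # small factor to keep it quick
    print(f"region {len(region)} bytes, overall entropy {shannon_entropy(region):.2f} bits/byte")
    print(f"payload placed at {offset}; lowest-entropy window: {find_low_entropy_span(region)}")
```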
What is being exploited.
CVE-2022-47986: Exploitation attempts for IBM Aspera Faspex
A file exchange application. IBM issued a patch on Feb 2 addressing this vulnerability.
Andariel - Distributed Malware Exploiting Vulnerable Innorix: Andariel
Korean reporting on a file transfer client tool exploited to distribute malicious code. It isn’t clear how the vulnerability is being exploited - but the later stages of the chain are documented.
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers.
CUDA Program Intro and Reverse Engineering
Chinese research which gives a very detailed analysis of CUDA. The reverse engineering guide will support those looking for logic vulnerabilities.
Robert S discusses a new plugin which provides a way to integrate IDA Pro into Obsidian Notes. Making team work / documentation dream work..
If you ever wanted to interrogate certificate information from other Windows drivers whilst in the kernel now you can.
SoulExtraction is a Windows driver library for extracting certificate information in Windows drivers
Defeating VMProtect’s Latest Tricks
Hendrik Eckardt details his approach and outcomes when looking to overcome these anti debugging techniques.
A colleague of mine recently came across a SystemBC sample that is protected with VMProtect 3.6 or higher. VMProtect is a commercial packer that comes with advanced anti-debugging and VM detection capabilities.
our anti-anti-debug tool of choice, was not up to the task of hiding the debugger from the packer, so we dove into the unexpectedly deep rabbit hole of figuring out what is going on
Some other small (and not so small) bits and bobs which might be of interest.
Re:vision - Munich Security Report 2023 - The use of nuclear weapons by an aggressor is down to third place in the ranking of risks among the Indians surveyed. Cyberattacks are ranked fourth.
Global Perspectives on Threat Intelligence - Findings are drawn from extensive interviews with 1,350 business and IT leaders who make security decisions for organizations with at least 1,000 employees. Respondents were based in 13 countries across three regions and in 18 sectors
NIST Digital Signature Standard (DSS) - This standard specifies a suite of algorithms that can be used to generate a digital signature. Digital signatures are used to detect unauthorized modifications to data and to authenticate the identity of the signatory - February 2023
Geopolitics of Cyber Attribution - A pattern of collective attribution as a strategy to overcome accuracy challenges can soon become the norm for cyber attribution. This article highlights the evolving patterns in cyber attribution, the geopolitics in cyberspace, and the takeaways for India’s policies and cyber strategy.
AI-systems: develop them securely - New brochure from NLNCSA (part of AIVD) w/overview of attacks against AI systems & how to defend
Neural parameter calibration for large-scale multiagent models - In this work, we consider multiagent models, widely used across the quantitative sciences to analyze complex systems. These often contain parameters which must be estimated from data. While many methods to do so have been developed, they can be mathematically involved or computationally expensive. We present an alternative using neural networks that addresses both these issues.
CHERIoT: Rethinking security for low-cost embedded systems - CHERIoT (Capability Hardware Extension to RISC-V for Internet of Things) builds on top of CHERI and RISC-V to provide an ISA and software model that lets software depend on object-granularity spatial memory safety, deterministic use-after-free protection, and lightweight compartmentalization exposed directly to the C/C++ language model.
Spotlight: Digital Protection - NetHope’s comprehensive Digital Protection Program supports global humanitarian nonprofits against rapidly rising sector-wide cybersecurity threats.
This newsletter is produced by BinaryFirefly; it is via BinaryFirefly that I support a hand-picked set of organisations across investment, strategy and capability in the domain of cyber.
For sponsorship enquiries regarding Bluepurple or anything else contact email@example.com.