Cyber Defence Analysis for Blue & Purple Teams

Bluepurple Pulse: week ending February 19th

bluepurple.binaryfirefly.com

We all want to be in Belgium and bye bye Chris Inglis

Ollie
Feb 16
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.

Operationally, as you will see from all the reporting below, this week has been, shall we say, busy.

In the high-level this week:

  • In State of the Union, President Biden to Outline Vision to Advance Progress on Unity Agenda in Year Ahead | The White House - "Strengthen data privacy and platform transparency for all Americans" - what will the cost to cyber defense be?

  • Quad Joint Statement on Cooperation to Promote Responsible Cyber Habits | The White House - We the Quad partners of Australia, India, Japan, and the United States are launching a public campaign to improve cyber security across our nations: the Quad Cyber Challenge.

  • UK cracks down on ransomware actors - Seven Russian cyber criminals have been sanctioned by the UK and US in the first wave of new coordinated action against international cyber crime

    • US reporting and more here also photos of the individuals from the UK’s National Crime Agency.

  • Korea-U.S. Joint Cyber Security Recommendation Regarding North Korean Ransomware (Korean) - Co-ordinated activity between the USA and South Korea

    • StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities -

    • Block North Korea's illegal foreign currency earning using cyberspace (Korean) - The South Korean government has decided to take specific measures to counter illegal cyber activities, which are one of North Korea's main sources of funding for nuclear and missile development.

    • Related there has been reporting around - Has a Sanctioned Bitcoin Mixer Been Resurrected to Aid North Korea’s Lazarus Group? and Meet the Creator of North Korea’s New Favorite Crypto Privacy Service

  • Korea's 'strategic command' to oversee space, cyber units, F-35s, submarines: official - cyber is strategic after all.

  • New legal framework for reporting IT vulnerabilities in Belgium - Belgium gets legal protections for researchers working with vulnerability disclosure programs.

  • The Era of Coalitions: The Shifting Nature of Alignments in Asia by Zack Cooper - ISEAS-Yusof Ishak Institute

  • Sir Richard Barrons on how the characteristics of war are changing - The idea that cyber would make jets, tanks and guns obsolete was always a fantasy. Countries such as Britain that cut spending on conventional armed forces to pay for cyber programmes now see that the two are needed together.

  • Cloud security: Where do CSP and client responsibilities begin and end? - Some providers, though — Google Cloud for example — observe what’s known as a “shared fate approach.” - this means being “active partners” as organizations deploy securely on the platform, “not delineators of where our responsibility ends.”

  • Government unveils new institute focused on cybersecurity in Taiwan - Taiwan’s National Institute of Cyber Security (NICS)

  • Russian National Charged with Bank Fraud Related to Hacking Campaign - A Russian national was charged in an indictment unsealed today in connection with a series of computer system intrusions that occurred in 2009 and 2010

  • The Next Cyber Phase of the Russia-Ukraine War Will Echo in Asia - Moreover, cyberattacks as a precursor to kinetic warfare are now a reality.

  • The State Duma proposed not to punish hackers working in the interests of Russia - Deputy Khinshtein: hackers working in the interests of Russia should be released from liability

  • Revealed: the hacking and disinformation team meddling in elections - A team of Israeli contractors who claim to have manipulated more than 30 elections around the world using hacking, sabotage and automated disinformation on social media has been exposed in a new investigation.

  • Belgium launches new legal framework for reporting IT vulnerabilities - To clarify the situation of these people with good intentions, a new legal framework is planned to take effect on 15 February 2023.  This framework describes how a natural or legal person with no fraudulent intent or intention to cause harm can detect and must report existing vulnerabilities in networks and information systems in Belgium.

  • Summary of the Australian Privacy Act Review - The proposed reforms are aimed at strengthening the protection of personal information and the control individuals have over their information

Then we had this cyber operation last Saturday in Iran, which saw Iranian TV hacked with a V for Vendetta-esque broadcast during a presidential address.

Iran International English (@IranIntl_En), 9:36 AM, Feb 11, 2023:

Iranian hacktivist group Edalat-e Ali on Saturday hacked the Islamic Republic of Iran Broadcasting (IRIB) while the state-run TV was broadcasting President Ebrahim Raisi's speech at the regime's Revolution Anniversary, displaying images with the slogan "Death to Khamenei".

A brief reflection this week: simply put, Content Disarm & Reconstruction really is a robust mitigation when you read, week in and week out, the reporting about email and malicious attachments. If more organisations deployed it I suspect the world would be materially more secure.

I released a new paper titled Digital Borders and Assets in National Cyber Resilience as a conversation starter, the preface of which is:

Governments produce quantified comparators, both against themselves and against others, often periodically, to show progress against stated policy objectives. We suggest that for Governments to be effective in their cyber resilience objectives they need to be able to define where their digital borders begin and end, as well as those digital assets which comprise their national asset register, both in and out of country, across Government, Academia and the Private Sector.

In the context of cyber risk, the assets that comprise a country can be seen as analogous to the assets that comprise an organisation. Being able to define and identify such assets is considered a fundamental requirement to cyber hygiene in contemporary governance. Similarly there have been calls and proposals for the US to have a Bureau of Cyber Statistics and the UK to have an Office of National Statistics of Cyber. We suggest for such organisations to be effective would similarly require definition and identification of assets.

This paper explores the considerations around how the digital borders and assets that comprise a country may be defined.

On the interesting job front:

  • UK’s Cabinet Office Deputy Director, Cyber Operations and Assurance, Government Security Group (GSG)

  • Beazley hiring Head of Cyber Threat Intelligence in London, England, United Kingdom

  • The Alan Turing Institute (UK) is looking for a new CEO (reference number 6345)

  • ICRC is looking for a Cybersecurity Community Coordinator

Finally the CyberPeace Institute is looking for support - to quote a recent UK Governments newsletter from what was DCMS - Does your corporation want to have a human impact in cyberspace? The CyberPeace Builders is a unique network of expert volunteers assisting humanitarian non-government organisations to manage their cyber security so they can maintain their operations. CyberPeace Builders are currently looking for organisations to support their work by providing volunteer time, sharing information about their free services for NGOs or funding their work.


Have a lovely Thursday

Ollie

Cyber threat intelligence

Who is doing what to whom and how.

Fog of war: how the Ukraine conflict transformed the cyber threat landscape

Shane Huntley gives a view of the future

  • We assess with high confidence that Russian government-backed attackers will continue to conduct cyber attacks against Ukraine and NATO partners to further Russian strategic objectives.

  • We assess with high confidence that Moscow will increase disruptive and destructive attacks in response to developments on the battlefield that fundamentally shift the balance – real or perceived – towards Ukraine (e.g., troop losses, new foreign commitments to provide political or military support, etc.). These attacks will primarily target Ukraine, but increasingly expand to include NATO partners.

  • We assess with moderate confidence that Russia will continue to increase the pace and scope of IO to achieve the objectives described above, particularly as we approach key moments like international funding, military aid, domestic referendums, and more. What’s less clear is whether these activities will achieve the desired impact, or simply harden opposition against Russian aggression over time.

https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/

Cyber attack on organizations and institutions of Ukraine using the Remote Utilities program

It is a little as if Russia has given up trying, or is falling back to basics.

[M]ass distribution of e-mails allegedly on behalf of the Apparatus of the National Security and Defense Council of Ukraine with the subject "RE: Critical security update" and an attachment in the form of a RAR archive "KB5017371 security system update. rar".

The mentioned file contains a decoy image "instructions Important to read.jpg" and a split archive containing the executable file "KB5017371.exe".

Running the latter will install Remote Utilities on the victim's computer.

https://cert.gov.ua/article/3863542

Havoc Across the Cyberspace

Niraj Shivtarkar documents a rather crude campaign which is going after a Government in an unspecified territory.

[We] observed a new campaign targeting a Government organization in which the threat actors utilized a new Command & Control (C2) framework named Havoc.

https://www.zscaler.com/blogs/security-research/havoc-across-cyberspace

Uncle Sow: Dark Caracal in Latin America

Cooper Quintin details further activity from this threat actor, which has previously worked for governments but appears mercenary. The spill-over into the US is likely to bring a level of attention they didn't want.

Recently we discovered a new version of the Bandook malware, which has been updated to have 148 unique commands it can send the infected computer, far more than the 120 available in previous samples. This sample and related samples seem to be part of a campaign that began in March 2022, utilizing a new command and control server (a remote computer which issues orders to the infected computers and receives data stolen from the infected computers) at the domain deapproved[.]ru.

[Figure: a world map colour-coded by the number of infections in each country. The highest number of infections is found in the Dominican Republic, followed by Venezuela and a number of other Central and South American countries; the US, Canada and the UK also saw infections.]

https://www.eff.org/deeplinks/2023/02/uncle-sow-dark-caracal-latin-america

NewsPenguin, a Previously Unknown Threat Actor, Targets Pakistan with Advanced Espionage Tool

Regional targeting against the Pakistani government by what is suspected to be another Government. The technical tradecraft as with every other week is malicious attachments and macros.

A previously unknown threat actor is targeting organizations in Pakistan using a complex payload delivery mechanism. The threat actor abuses the upcoming Pakistan International Maritime Expo & Conference (PIMEC-2023) as a lure to trick their victims.

The attacker sent out targeted phishing emails with a weaponized document attached that purports to be an exhibitor manual for PIMEC-23. The document utilizes a remote template injection technique and embedded malicious Visual Basic for Applications (VBA) macro code to deliver the next stage of the attack, which leads to the final payload execution.

https://blogs.blackberry.com/en/2023/02/newspenguin-a-previously-unknown-threat-actor-targets-pakistan-with-advanced-espionage-tool

Dalbit (m00nlight): Chinese Hacker Group's APT Attack Campaign

A sense of the scale and spectrum of Chinese activity in the Korean industrial base is discussed in this Korean reporting. The reporting also intimates that the Chinese state may have a capability against a particular Korean groupware product.

This group has had more than 50 confirmed attack attempts on Korean companies since 2022. Most of the attacked companies were mid to small companies while a portion was major companies. The team has confirmed that 30% of the infected companies were using a certain Korean groupware solution.

https://asec.ahnlab.com/en/47455/

TTPs $ ScarCruft Tracking Note

Firstly, Notion gets a special mention for breaking automatic translation: entirely hostile and not needed. This Korean reporting covers this North Korean threat actor's evolution in tooling and C2 mechanisms.

For command control, a third party library called Ably was exploited to create a secret communication channel for command control, and the malicious program was written in Go language and distributed. In addition, it was confirmed that malicious codes for various command control are additionally installed in order to infiltrate the target and maintain persistence (prepare for a situation where the channel does not operate).

https://thorcert.notion.site/TTPs-ScarCruft-Tracking-Note-67acee42e4ba47398183db9fc7792aff

Nice Try Tonto Team How a nation-state APT attempted to attack Group-IB

A Chinese actor taking a swing at a cyber security / cyber threat intelligence company. The actual tradecraft remains disappointing.

  • In June 2022, [we] blocked an attempt to deliver a malicious email to Group-IB’s employees.

  • The attackers used phishing emails to deliver malicious Microsoft Office documents created with the Royal Road Weaponizer, a tool widely used by Chinese nation-state threat actors.

  • During the attack, [our] researchers noticed the use of the Bisonal.DoubleT backdoor. Bisonal.DoubleT is a unique tool developed by the Tonto Team APT.

https://www.group-ib.com/blog/tonto-team/

Using Geotargeting to Customize Phishing

Jeremy Fuchs provides interesting insight into the use of geo-targeting platforms in phishing. I suspect these techniques will provide a degree of protection to the threat actors and trip up certain researchers.

In this attack, hackers redirect users via Geotargetly, a geo-targeting platform, and provide them with customized, localized phishing pages. 

GeoTargetly is a legitimate website that allows advertisers to redirect users to pages and ads in their local markets. For example, a New York-based viewer would get something in English, localized to New York. Someone in France will get a page in French.

[An] email is in Spanish and was sent originally to users in Colombia.

In the above example, the original email starts in Colombia, and so if the user is in Colombia, they will be redirected to a Colombian government look-a-like page.

https://www.avanan.com/blog/using-geotargeting-to-customize-phishing

Malicious Adverts

The trend continues with further reporting this week.

Malvertiser “D-Shortiez” abuses WebKit back button hijack in forced-redirect campaign

Eliya Stein details a campaign which evidences a threat actor's capability to research behavioural traits of specific browsers and weaponise them in their campaigns.

Over the last few years, as AdTech and browser security has continued to mature, many malvertisers have moved on from forced redirect campaigns that target premium publishers and top-tier advertising platforms. The ones that are left, however, typically have little tricks that they employ in order to try and achieve some sort of positional advantage in order to optimize their impact and reach.

Today we are looking at part of a payload from a threat actor that we call D-Shortiez. A group that runs forced redirect campaigns that propel victims down familiar malicious click-chains which surface familiar scams

https://blog.confiant.com/malvertiser-d-shortiez-abuses-webkit-back-button-hijack-in-forced-redirect-campaign-6b57f91ee737

Cloud Credentials Phishing | Malicious Google Ads Target AWS Logins

Tom Hegel details a campaign which, I suspect, will drive AWS to mandate MFA for new accounts in 3..2..

From a high level, the workflow of the malvertising campaign followed a unique pattern, providing yet another example of the evolving malvertising campaigns ongoing through Google search results. In the case of AWS credentials targeting discussed here, we perform a normal Google search for “AWS”, which returns the malicious ad among the results.

[Figure: Google malvertising AWS phishing workflow]

https://www.sentinelone.com/blog/cloud-credentials-phishing-malicious-google-ads-target-aws-logins/

GootLoader - SEO Poisoning and Large Payloads Leading to Compromise

This article got pulled for unknown reasons, so the usual health warnings apply. However, it highlights potential further evidence of search engine manipulation, so it is included for completeness.

[We] observed the use of SEO poisoning techniques to place infected pages higher in internet browser search results. It is likely the higher the search engines results, the more likely victims will click on the links. 

https://www.cybereason.com/blog/threat-alert-gootloader-seo-poisoning-and-large-payloads-leading-to-compromise

APT Bahamut Attacks Indian Intelligence Operative using Android Malware

An Iranian state campaign targeting Indian intelligence. The mobile tradecraft is of note here, although rather crude.

In November 2022, [we] detected a cyber-attack on an intelligence operative in India. In this attack, the threat actor was seen leveraging a strategic social engineering attack to deliver and install the .APK on the victim’s mobile. The threat actor requested the victim to share unknown files in encrypted form via an android app, which was malicious. The malicious app was instantly attached with a direct message on telegram. Upon installing, the malicious Android Package, an app with a random icon led to a dummy sign-up and login page, followed by setting up a new pattern lock.

https://www.cyfirma.com/outofband/apt-bahamut-attacks-indian-intelligence-operative-using-android-malware/

Analysis of APT-C-56 (Transparent Tribe) Disguised Resume Attack Activities

Chinese reporting on historic Pakistani activity from 2021. The use of a résumé to target an organisation is of note, as those who process them are meant to open emails and attachments from people they don't know.

https://mp-weixin-qq-com.translate.goog/s/xU7b3m-L2OlAi2bU7nBj0A?_x_tr_sl=ru&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp

North Korea

Various bits of North Korea reporting this week which

North Korean hacking attack disguised as a forum with the North Korean Human Rights Division of the Ministry of Unification Beware!

I found this interesting for several reasons but the standout was this legitimate behaviour which appears to setup any potential victim due to muscle memory.

Meanwhile, for security reasons, the Ministry of Unification usually attaches files in the form of encrypted HTML when sending major information e-mails, and applies a security function so that details can be viewed only after entering a separate password.

They appear to really do that, so the click here / supply a password lure behavior fits. Then

https://blog-alyac-co-kr.translate.goog/5071?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=wapp

Anti-forensic techniques used by the Lazarus group

Korean reporting on Lazarus's anti-forensics tradecraft, which can be summarised as:

  • Data hiding through encryption

  • Data hiding through file placement

  • File wiping

  • Timestamp stomping

https://asec-ahnlab-com.translate.goog/ko/47820/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=wapp
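Timestamp stomping is the one of the four that leaves a cheap, structural tell on NTFS: $STANDARD_INFORMATION (SI) times can be rewritten from user mode with SetFileTime, while $FILE_NAME (FN) times are only maintained by the kernel. The following is an added example (mine, not AhnLab's code or tooling) of the two checks an analyst would run over parsed MFT records: SI creation earlier than FN creation, and whole-second SI values next to FN values that still carry a 100 ns fraction. The records and file names are constructed for the example.

```python
"""Added example: flagging candidate timestamp stomping from NTFS $STANDARD_INFORMATION
(SI) vs $FILE_NAME (FN) timestamps. The records below are constructed, not real MFT data."""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # FILETIME counts 100 ns intervals


def to_filetime(dt):
    """datetime -> 64-bit FILETIME, integer arithmetic so the 100 ns field survives."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def from_filetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def ft(ts, ticks):
    """Build a sample FILETIME from an ISO second plus a 100 ns tick count (test helper)."""
    return to_filetime(datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)) + ticks


# Constructed MFT-like records. SI is writable from user mode (SetFileTime); FN is only
# maintained by the kernel, which is what makes the comparison useful.
SAMPLE_RECORDS = [
    {"name": "report.docx",  # untouched file: SI and FN agree, fractions intact
     "si_created": ft("2023-02-10T10:00:00", 1234567), "si_modified": ft("2023-02-10T10:05:12", 7654321),
     "fn_created": ft("2023-02-10T10:00:00", 1234567), "fn_modified": ft("2023-02-10T10:05:12", 7654321)},
    {"name": "svchost.dll",  # SI pushed back to 2019 with whole-second values; FN still says Feb 2023
     "si_created": ft("2019-03-01T00:00:00", 0), "si_modified": ft("2019-03-01T00:00:00", 0),
     "fn_created": ft("2023-02-12T03:14:15", 9265358), "fn_modified": ft("2023-02-12T03:14:15", 9265358)},
    {"name": "installer.exe",  # copied from elsewhere: SI modified predates FN, fractions intact (benign)
     "si_created": ft("2023-02-12T04:00:00", 5550001), "si_modified": ft("2022-11-30T09:30:00", 1112223),
     "fn_created": ft("2023-02-12T04:00:00", 5550001), "fn_modified": ft("2023-02-12T04:00:00", 5550001)},
]


def stomping_indicators(rec, tolerance_seconds=2):
    """Return the reasons a record looks stomped (empty list means nothing seen)."""
    reasons = []
    tol = tolerance_seconds * TICKS_PER_SECOND
    # 1. SI creation earlier than FN creation. FN is written when the MFT entry is created
    #    and SI normally matches it, so an older SI value means SI was rewritten afterwards.
    if rec["si_created"] + tol < rec["fn_created"]:
        reasons.append("si_created_predates_fn_created")
    # 2. Whole-second SI values while FN carries a 100 ns fraction: stomping tools that take
    #    second-granularity input leave the sub-second field at zero.
    si_whole = all(rec[k] % TICKS_PER_SECOND == 0 for k in ("si_created", "si_modified"))
    fn_fraction = any(rec[k] % TICKS_PER_SECOND != 0 for k in ("fn_created", "fn_modified"))
    if si_whole and fn_fraction:
        reasons.append("si_zero_subsecond_fn_nonzero")
    return reasons


def triage(records, tolerance_seconds=2):
    """Map file name -> reasons, keeping only records with at least one indicator."""
    out = {}
    for rec in records:
        reasons = stomping_indicators(rec, tolerance_seconds)
        if reasons:
            out[rec["name"]] = reasons
    return out
```

Renames and moves rewrite the FN attribute, so the first check is a triage signal rather than proof; corroborate hits against $UsnJrnl or $LogFile before calling it.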

Mylobot: Investigating a proxy botnet

Stanislas Arnoud details an implant which, if present, could cause all manner of mayhem in police investigations, since the infected host ends up relaying someone else's traffic.

Mylobot is a malware that targets Windows systems, it first appeared in 2017 and until now hasn’t received much attention over the years. In this article, we'll focus on its main capability, which is transforming the infected system into a proxy.

https://www.bitsight.com/blog/mylobot-investigating-proxy-botnet

OneNote

Various bits of OneNote usage again this week with lots of reporting as a result.

Onenote Malware: Classification and Personal Notes

https://marcoramilli.com/2023/02/04/onenote-malware-classification-and-personal-notes/

Qakbot OneNote Campaign Payload Delivery

https://github.com/jreegun/Researches/blob/master/Malware%20researches/Qakbot/Qakbot_OneNote_Campaign_Payload_Delivery.txt

A list of URLs dropped by malicious OneNotes in recent campaigns

https://github.com/jreegun/Researches/blob/master/Malware%20researches/Campaigns/OneNote/OneNote_Payload_Deliveries.txt
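For those triaging these OneNote lures, the embedded files sit in the section as FileDataStoreObject structures, which the MS-ONESTORE specification lays out as a header GUID ({BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}, stored little-endian), an 8-byte length, 12 bytes of unused/reserved space and then the raw file data. The following carver is an added example (mine, not code from any of the researchers linked above); the `.one` section it parses is a synthetic blob built inside the block, and the magic-byte table is my own short list of the payload types these campaigns have been dropping.

```python
"""Added example: carving embedded files out of a OneNote (.one) section. The
FileDataStoreObject layout is from the MS-ONESTORE specification; the sample
section built by build_sample_section() is constructed for this example."""
import hashlib
import struct

# MS-ONESTORE FileDataStoreObject: guidHeader {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}
# stored little-endian, then cbLength (8 bytes LE), unused (4), reserved (8), FileData.
FILEDATA_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")
FILEDATA_PREAMBLE_LEN = 16 + 8 + 4 + 8

# Magic bytes for the payload types seen dropped from OneNote lures (my own short list).
MAGIC = [
    (b"MZ", "pe"),
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip-or-office"),
    (b"Rar!", "rar"),
    (b"\x89PNG", "png"),
    (b"\xff\xd8\xff", "jpeg"),
]


def guess_type(data):
    for sig, name in MAGIC:
        if data.startswith(sig):
            return name
    head = data[:512].lower()
    if b"<hta:" in head or b"<script" in head:
        return "hta-or-html-script"
    if b"<html" in head:
        return "html"
    sample = data[:256]
    if sample and all(32 <= b < 127 or b in (9, 10, 13) for b in sample):
        return "text-script"  # .bat/.cmd/.vbs/.ps1 droppers land here
    return "unknown"


def carve_embedded_files(section):
    """Scan for every FileDataStoreObject and return its payload with type and hash."""
    found = []
    pos = 0
    while True:
        pos = section.find(FILEDATA_HEADER, pos)
        if pos < 0 or pos + FILEDATA_PREAMBLE_LEN > len(section):
            break
        (length,) = struct.unpack_from("<Q", section, pos + 16)
        start = pos + FILEDATA_PREAMBLE_LEN
        if length == 0 or start + length > len(section):
            pos += 16  # bogus or truncated length: skip this header, keep scanning
            continue
        data = section[start:start + length]
        found.append({
            "offset": start,
            "size": length,
            "type": guess_type(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "data": data,
        })
        pos = start + length
    return found


def build_sample_section():
    """Constructed stand-in for a malicious .one: two embedded objects behind padding."""
    def obj(payload):
        return FILEDATA_HEADER + struct.pack("<Q", len(payload)) + b"\0" * 4 + b"\0" * 8 + payload
    fake_pe = b"MZ" + b"\x90" * 60
    fake_hta = b'<html><script language="vbscript">MsgBox "lure"</script></html>'
    return b"\0" * 64 + obj(fake_pe) + b"\xaa" * 32 + obj(fake_hta)


if __name__ == "__main__":
    for f in carve_embedded_files(build_sample_section()):
        print(f["offset"], f["size"], f["type"], f["sha256"])
```

Run it over a real section with `carve_embedded_files(open(path, "rb").read())`; the hashes give you something to pivot on, and anything typed `hta-or-html-script` or `text-script` is where the next stage usually lives.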

Illuminating Large-Scale IPv6 Scanning in the Internet

Philipp Richter, Oliver Gasser and Arthur Berger released this paper in October 2022 (which I missed) but presented it at the IETF this month (which is how I caught it). The takeaway is that Chinese-originating traffic appears to be responsible for ~70% of IPv6 scanning, which is, shall we say, enlightening.

Slides: https://datatracker.ietf.org/meeting/115/materials/slides-115-maprg-illuminating-large-scale-ipv6-scanning-in-the-internet-00

Paper: https://dl.acm.org/doi/10.1145/3517745.3561452

Discovery

How we find and understand the latent compromises within our environments.

Bypassing MFA: A Forensic Look at Evilginx2 Phishing Kit

Carly Battaile notes the indicators from the use of this framework which will help investigators.

  1. Attacker activity will still originate from anomalous IP addresses.

  2. All attacker activity will have the same SessionId, even if the cookie is moved off the phishing server to be imported into a browser on another system.

  3. Initial logins from the phishing server will appear as the victim’s legitimate user agent string.

https://www.aon.com/cyber-solutions/aon_cyber_labs/bypassing-mfa-a-forensic-look-at-evilginx2-phishing-kit/
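Those three indicators reduce to one hunt: sessions whose SessionId is seen from more than one IP, with the first hop carrying the victim's real user agent and a later hop carrying whatever browser the cookie was imported into. The following is an added example (mine, not Aon's tooling) that runs that hunt over a handful of constructed sign-in records; the field names loosely follow the SigninLogs table you would query in practice, and the known-IP baseline per user is an assumption you would replace with your own history or named locations.

```python
"""Added example: hunting the Evilginx2 session indicators over M365 / Azure AD sign-in
records. Field names loosely follow the SigninLogs schema; the events and the known-IP
baseline are constructed for this example."""
from collections import defaultdict

# Constructed sample sign-ins. alice's session s-1a2b is first seen from her usual IP, then
# replayed from two other IPs, the last with a different browser. bob is normal.
SAMPLE_SIGNINS = [
    {"CreatedDateTime": "2023-02-13T09:01:00Z", "UserPrincipalName": "alice@example.com",
     "SessionId": "s-1a2b", "IPAddress": "203.0.113.10",
     "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/110.0"},
    {"CreatedDateTime": "2023-02-13T09:04:00Z", "UserPrincipalName": "alice@example.com",
     "SessionId": "s-1a2b", "IPAddress": "198.51.100.7",
     "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/110.0"},
    {"CreatedDateTime": "2023-02-13T11:30:00Z", "UserPrincipalName": "alice@example.com",
     "SessionId": "s-1a2b", "IPAddress": "192.0.2.55",
     "UserAgent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/109.0"},
    {"CreatedDateTime": "2023-02-13T08:00:00Z", "UserPrincipalName": "bob@example.com",
     "SessionId": "s-9f8e", "IPAddress": "203.0.113.20",
     "UserAgent": "Mozilla/5.0 (Macintosh) Safari/16.1"},
    {"CreatedDateTime": "2023-02-13T08:30:00Z", "UserPrincipalName": "bob@example.com",
     "SessionId": "s-9f8e", "IPAddress": "203.0.113.20",
     "UserAgent": "Mozilla/5.0 (Macintosh) Safari/16.1"},
]

# Assumed per-user baseline of expected source IPs (derive from history or named locations).
KNOWN_IPS = {
    "alice@example.com": {"203.0.113.10"},
    "bob@example.com": {"203.0.113.20"},
}


def sessions_seen_from_multiple_ips(events, known_ips):
    """Indicator 2: group by SessionId and keep sessions used from more than one IP.
    Indicator 1 and 3 are reported alongside: which IPs are off-baseline, and whether
    the user agent changed after the first (proxied, victim-UA) sign-in."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["SessionId"]].append(e)
    findings = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e["CreatedDateTime"])
        ips = {e["IPAddress"] for e in evs}
        if len(ips) < 2:
            continue  # one IP per session is the normal case
        upn = evs[0]["UserPrincipalName"]
        baseline = known_ips.get(upn, set())
        findings.append({
            "UserPrincipalName": upn,
            "SessionId": sid,
            "first_ip": evs[0]["IPAddress"],
            "first_user_agent": evs[0]["UserAgent"],
            "anomalous_ips": sorted(ips - baseline),
            "user_agent_changed": len({e["UserAgent"] for e in evs}) > 1,
        })
    return findings
```

A session that stays on one IP but comes from a phishing proxy will not surface here; that case is what the off-baseline IP check (indicator 1) alone is for, so run both rather than relying on session reuse.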

Microsoft Defender for Endpoint Internals - Timeline

Olaf Hartong (just call him the savior) highlights another data source.

One of the immediate differences between the Timeline and the raw telemetry that is available through the Advanced Hunting tab, is that this data is stored for 180 days, where the raw logs are only available for 30 days, after which they are removed from the M365 portal.

https://medium.com/falconforce/microsoft-defender-for-endpoint-internals-0x04-timeline-3f01282839e4

Investigating coordinated account creation using burst detection and network analysis

Daniele Bellutta and Kathleen M. Carley show that humans have frailties when they establish accounts which in turn allows identification.

Analysis of fourteen months of tweets discussing the 2020 U.S. elections revealed that accounts created during bursts exhibited more similar behavior, showed more agreement on mail-in voting and mask wearing, and were more likely to be bots and share links to low-credibility sites. In concert with other techniques for detecting nefarious activity, social media platforms could temporarily limit the influence of accounts created during these bursts. Given the advantages of combining multiple anti-misinformation methods, we join others in presenting a case for the need to develop more integrable methods for countering online influence campaigns.

https://www.springeropen.com/epdf/10.1186/s40537-023-00695-7
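The mechanic underneath the paper is worth having in a form you can run: bucket account-creation times, find the buckets that sit far above the series' normal level, and hand the accounts created in those bursts to whatever other checks you have. The following is an added example of mine and not the paper's method (it uses a median/MAD threshold per bucket, which is simpler than what the authors do); the account list is constructed so that one hour contains a burst.

```python
"""Added example: a simple burst detector over account-creation timestamps. Median/MAD
thresholding is my simplification, not the paper's method. The account list is constructed."""
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed data: one background account per hour across a day, plus twelve accounts
# created within the 14:00 hour.
SAMPLE_ACCOUNTS = [(f"user{h:02d}", f"2020-10-01T{h:02d}:{(h * 7) % 60:02d}:00Z") for h in range(24)]
SAMPLE_ACCOUNTS += [(f"burst{i:02d}", f"2020-10-01T14:{i * 4:02d}:30Z") for i in range(12)]


def bucket_creations(accounts, bucket_seconds):
    """Map bucket start (epoch seconds) -> names of accounts created in that bucket."""
    buckets = defaultdict(list)
    for name, ts in accounts:
        t = datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()
        buckets[int(t // bucket_seconds) * bucket_seconds].append(name)
    return buckets


def detect_bursts(accounts, bucket_seconds=3600, k=3.0):
    """Return [(bucket_start_iso, sorted account names)] for buckets whose creation count
    exceeds median + k * MAD over the zero-filled series between first and last bucket."""
    buckets = bucket_creations(accounts, bucket_seconds)
    if not buckets:
        return []
    first, last = min(buckets), max(buckets)
    series = [len(buckets.get(b, ())) for b in range(first, last + bucket_seconds, bucket_seconds)]
    med = statistics.median(series)
    mad = statistics.median(abs(c - med) for c in series)
    threshold = med + k * max(mad, 1.0)  # floor stops a zero MAD from flagging every bucket
    out = []
    for b in sorted(buckets):
        if len(buckets[b]) > threshold:
            start = datetime.fromtimestamp(b, tz=timezone.utc).isoformat()
            out.append((start, sorted(buckets[b])))
    return out
```

The bucket width is the tuning knob: an hour suits a platform-scale feed, while a registration log for a single service may need a day. Either way the output is a candidate list, which is exactly how the paper uses it, feeding the burst members into behavioural and link-sharing checks rather than acting on the burst alone.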

Canarytokens.org welcomes Azure Login Certificate Token

Pieter documents a new addition to the family. Free, high-signal and to the betterment of security.

https://blog.thinkst.com/2023/02/canarytokens-org-welcomes-azure-login-certificate-token.html

Defence

How we proactively defend our environments.

Telemetry Layering

Jonathan Johnson makes multisource telemetry sound really exotic. In this post he combines three sources to detect .NET assembly loading.

https://posts.specterops.io/telemetry-layering-89185b5348ba

Linux Auditd for Threat Hunting [Part 2]

IzyKnows returns with the second post in this series to further uplift defensive tradecraft on Linux.

https://izyknows.medium.com/linux-auditd-for-threat-hunting-part-2-c75500f591e8

In Before The Lock: ESXi

Building on the back of recent events, there is some thematic reporting here on a broader trend.

https://www.recordedfuture.com/in-before-the-lock-esxi

RDP Security Event Flowchart

Richard Davis provides a nice flowchart of the Windows events generated by various RDP activities. It will be really useful to some.

https://www.13cubed.com/downloads/rdp_flowchart.pdf

Vulnerability

Our attack surface.

GitLab Critical Security Release: 15.8.2, 15.7.7 and 15.6.8

Eeeek.. patch

A user can feed a specially crafted input to git apply to overwrite a path outside the working tree.

This can be used to execute arbitrary commands in GitLab installations within GitLab's Gitaly environment.

https://about.gitlab.com/releases/2023/02/14/critical-security-release-gitlab-15-8-2-released/
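The fix is to patch, but for anyone running a pipeline that applies patches from untrusted contributors, the write-path problem described above is also cheap to pre-screen: a patch names where it will write on its `+++`, `rename to` and `copy to` lines, and a write lands outside the tree either because the path climbs out with `..` or is absolute, or because a component on the way is a symlink pointing elsewhere. The following is an added example of mine (not GitLab's or git's code) of such a pre-check; the sample patch, the scratch working tree and the symlink in it are constructed inside the block.

```python
"""Added example: a pre-check for patches before `git apply`, rejecting target paths that
leave the working tree via '..' / absolute paths or via a symlinked path component that
resolves outside it. The sample patch and scratch tree are constructed for the example."""
import os
import posixpath
import re
import tempfile

# Lines in a unified / git diff that name where a write will land.
TARGET_LINE = re.compile(r"^(?:\+\+\+ |--- |rename to |copy to )(?:[ab]/)?(\S.*?)\s*$", re.M)


def patch_target_paths(patch_text):
    """Unique paths named by the patch headers, excluding /dev/null (new or deleted files)."""
    paths = []
    for m in TARGET_LINE.finditer(patch_text):
        p = m.group(1)
        if p != "/dev/null" and p not in paths:
            paths.append(p)
    return paths


def path_escapes_tree(worktree, rel):
    """True if rel is absolute, climbs above worktree, or passes through a symlink that
    resolves outside worktree (any component, including the final one)."""
    if posixpath.isabs(rel) or rel.startswith("\\") or re.match(r"^[A-Za-z]:", rel):
        return True
    norm = posixpath.normpath(rel)
    if norm == ".." or norm.startswith("../"):
        return True
    root = os.path.realpath(worktree)
    cur = root
    for part in norm.split("/"):
        cur = os.path.join(cur, part)
        if os.path.islink(cur):
            target = os.path.realpath(cur)
            if os.path.commonpath([root, target]) != root:
                return True
    return False


def check_patch(worktree, patch_text):
    """Map each target path in the patch -> True if applying it would escape worktree."""
    return {p: path_escapes_tree(worktree, p) for p in patch_target_paths(patch_text)}


# Constructed patch: one honest hunk, one write through a symlinked directory, one '..' path.
SAMPLE_PATCH = """\
diff --git a/src/ok.txt b/src/ok.txt
--- a/src/ok.txt
+++ b/src/ok.txt
@@ -1 +1 @@
-old
+new
diff --git a/out/evil.txt b/out/evil.txt
--- /dev/null
+++ b/out/evil.txt
@@ -0,0 +1 @@
+pwned
diff --git a/x b/../x
--- a/x
+++ b/../x
@@ -1 +1 @@
-a
+b
"""


def demo():
    """Build a scratch tree whose 'out' entry is a symlink to a directory outside it."""
    outside = tempfile.mkdtemp(prefix="outside-")
    tree = tempfile.mkdtemp(prefix="tree-")
    os.makedirs(os.path.join(tree, "src"))
    os.symlink(outside, os.path.join(tree, "out"))
    return check_patch(tree, SAMPLE_PATCH)


if __name__ == "__main__":
    for path, escapes in demo().items():
        print(("REJECT " if escapes else "ok     ") + path)
```

The header regex is deliberately loose and will over-flag a removed content line that happens to start with `-- ` (it looks like a `--- ` header); a hunk-aware parser removes that false positive, but for a gate that only ever rejects, erring that way is acceptable. None of this replaces updating git and GitLab; it is defence in depth for the period before you do.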

ExploitLeakedHandle: Identify and exploit leaked handles for local privilege escalation on Windows

0x00Check releases some tooling which, I suspect, is going to cause some local privilege escalation havoc.

ExploitLeakedHandle is a utility that identifies handles in unprivileged processes that may have been inherited from a privileged parent process and attempts to leverage them for local privilege escalation.

https://github.com/0x00Check/ExploitLeakedHandle

Offense

Attack capability, techniques and trade-craft.

ThreadlessInject: Threadless Process Injection using remote function hooking

Ceri Coburn provides some tradecraft which will highlight some gaps in various EDR solutions.

https://github.com/CCob/ThreadlessInject

HWSyscalls: new method to execute indirect syscalls

Mor Davidovich further evolves syscall tradecraft which will trip up some EDR solutions.

using HWBP, HalosGate and a synthetic trampoline on kernel32 with HWBP.

https://github.com/Dec0ne/HWSyscalls/

LdrDllNotificationHook: Hook all callbacks which are registered with LdrRegisterDllNotification

Michael Maltsev releases tooling which will blind some EDR solutions on Windows.

This project demonstrates a way to hook all DLL load notifications in a process. It hooks all callbacks which are registered with LdrRegisterDllNotification, including callbacks which are registered after the hook is set.

The hook can be used to prevent the original callbacks from being called.

https://github.com/m417z/LdrDllNotificationHook

Behind the Mask: Spoofing Call Stacks Dynamically with Timers

William Burgess emerges at his new employer with this post; with him at Cobalt Strike doing development we can expect some rapid advancements in capability. This technique specifically will cause some detection headaches and prompt counter-research.

This blog introduces a PoC technique for spoofing call stacks using timers. Prior to our implant sleeping, we can queue up timers to overwrite its call stack with a fake one and then restore the original before resuming execution. Hence, in the same way we can mask memory belonging to our implant during sleep, we can also mask the call stack of our main thread. Furthermore, this approach avoids having to deal with the complexities of X64 stack unwinding, which is typical of other call stack spoofing approach

https://www.cobaltstrike.com/blog/behind-the-mask-spoofing-call-stacks-dynamically-with-timers/

D1rkSleep: Improved version of EKKO

D1rkMtr returns with this refinement which will further complicate Windows detections.

Improved version of EKKO that Encrypts only Image Sections. Sleep obfuscation technique that uses CreateTimerQueueTimer Win32 API.

https://github.com/TheD1rkMtr/D1rkSleep

shellcode-plain-sight: Hiding shellcode in plain sight within a large memory region

Lloyd Davies delivers this capability, inspired by the technique used by Raspberry Robin's Roshtyak. This will cause some EDRs to go blind / sob.

This technique is very simple: a RW memory region 2048 times the size of the shellcode is allocated. This region is then filled with randomized data (RtlGenRandom), and the shellcode is then placed randomly somewhere within this massive region each time. This makes it hard for an AV/EDR solution, or an analyst, to simply see where the shellcode is in memory.

https://github.com/LloydLabs/shellcode-plain-sight

Exploitation

What is being exploited.

CVE-2022-47986: Exploitation attempts for IBM Aspera Faspex

A file exchange application. IBM issued a patch on Feb 2 addressing this vulnerability.

twitter.com/Shadowserver/status/1625031735460208642?t=F_EjVETw4l-jgQpPjIBUoQ&s=34

Andariel - Distributed Malware Exploiting Vulnerable Innorix: Andariel

Korean reporting on a file transfer client tool exploited to distribute malicious code. It isn’t clear how the vulnerability is being exploited - but the later stages of the chain are documented.

https://asec-ahnlab-com.translate.goog/ko/47751/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=wapp

Tooling and Techniques

Low level tooling and techniques for attack and defence researchers.

CUDA Program Intro and Reverse Engineering

Chinese research which gives a very detailed analysis of CUDA. The reverse engineering guide will support those looking for logic vulnerabilities.

https://bbs.kanxue.com/thread-275989.htm

Heimdallr

Robert S discusses a new plugin which provides a way to integrate IDA Pro into Obsidian Notes. Making team work / documentation dream work..

http://www.interruptlabs.co.uk/articles/heimdallr-a-way-to-integrate-ida-pro-into-obsidian-notes

Driver-SoulExtraction

If you ever wanted to interrogate certificate information from other Windows drivers whilst in the kernel now you can.

SoulExtraction is a Windows driver library for extracting certificate information in Windows drivers

https://github.com/gmh5225/Driver-SoulExtraction

Defeating VMProtect’s Latest Tricks

Hendrik Eckardt details his approach and outcomes when looking to overcome these anti-debugging techniques.

A colleague of mine recently came across a SystemBC sample that is protected with VMProtect 3.6 or higher. VMProtect is a commercial packer that comes with advanced anti-debugging and VM detection capabilities.

..

our anti-anti-debug tool of choice, was not up to the task of hiding the debugger from the packer, so we dove into the unexpectedly deep rabbit hole of figuring out what is going on

https://cyber.wtf/2023/02/09/defeating-vmprotects-latest-tricks/

Footnotes

Some other small (and not so small) bits and bobs which might be of interest.

  • Hi-Tech Crime Trends 2022/2023

  • Q4/2022 Threat Report

  • Re:vision - Munich Security Report 2023 - The use of nuclear weapons by an aggressor is down to third place in the ranking of risks among the Indians surveyed. Cyberattacks are ranked fourth.

  • Global Threat Report Breakdown: Defense Evasion

  • Global Perspectives on Threat Intelligence - Findings are drawn from extensive interviews with 1,350 business and IT leaders who make security decisions for organizations with at least 1,000 employees. Respondents were based in 13 countries across three regions and in 18 sectors

  • Deepfake It Till You Make It - Pro-Chinese Actors Promote AI-Generated Video Footage of Fictitious People in Online Influence Operation

  • NIST Digital Signature Standard (DSS) - This standard specifies a suite of algorithms that can be used to generate a digital signature. Digital signatures are used to detect unauthorized modifications to data and to authenticate the identity of the signatory - February 2023

  • Defanging Disinformation’s Threat to Ukrainian Refugees -

  • Geopolitics of Cyber Attribution - A pattern of collective attribution as a strategy to overcome accuracy challenges can soon become the norm for cyber attribution. This article highlights the evolving patterns in cyber attribution, the geopolitics in cyberspace, and the takeaways for India’s policies and cyber strategy.

  • AI-systems: develop them securely - New brochure from NLNCSA (part of AIVD) w/overview of attacks against AI systems & how to defend

  • Neural parameter calibration for large-scale multiagent models - In this work, we consider multiagent models, widely used across the quantitative sciences to analyze complex systems. These often contain parameters which must be estimated from data. While many methods to do so have been developed, they can be mathematically involved or computationally expensive. We present an alternative using neural networks that addresses both these issues.

  • CHERIoT: Rethinking security for low-cost embedded systems - CHERIoT (Capability Hardware Extension to RISC-V for Internet of Things) builds on top of CHERI and RISC-V to provide an ISA and software model that lets software depend on object-granularity spatial memory safety, deterministic use-after-free protection, and lightweight compartmentalization exposed directly to the C/C++ language model.

  • Spotlight: Digital Protection - NetHope’s comprehensive Digital Protection Program supports global humanitarian nonprofits against rapidly rising sector-wide cybersecurity threats.

Chris Inglis (@ncdinglis), 8:33 PM, Feb 15, 2023:

Today I am stepping down from my role as the Nation's inaugural National Cyber Director at @ONCD. I do so with the utmost gratitude to @POTUS, @VP, and Congress for giving me the opportunity to serve in this Administration.

This newsletter is produced by BinaryFirefly; it is via BinaryFirefly that I support a hand-picked set of organisations across investment, strategy and capability in the domain of cyber.

For sponsorship enquiries regarding Bluepurple or anything else contact hello@binaryfirefly.com.

© 2023 Ollie Whitehouse from BinaryFirefly