Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week there has been a literal torrent of mainstream news reporting on incidents: ship management software affecting 7,000 ships, Britain’s Royal Mail with an unspecified cyber incident, and DDoS attacks on the Danish central bank and seven private banks, as the tip of the iceberg. Let alone the theories and hyperbole around the US FAA outages. Below you will see a variety of reporting, both high and low level, which indicates the tempo is not reducing.
In the high-level this week:
The Biden national cyber strategy is unlike any before it - Washington Post covering Chris Inglis’s office work - the big takeaway for me is the US has historically been hesitant to regulate widely on cyber matters - this hesitancy seems to be subsiding.
Kyiv argues Russian cyberattacks could be war crimes - war time evidence collection in support of future prosecution of those involved.
The Cyber Threat from Pyongyang - academic analysis from Singapore and its School of International Studies - North Korea is more likely to continue with its cyber operations, which have been disruptive.
Russian hackers targeted U.S. nuclear scientists - reporting via Reuters of a private sector supported investigation.
Insurer Beazley launches first catastrophe bond for cyber threats - The $45mn private bond will pay out to Beazley if total claims from a cyber attack on its clients exceed $300mn — a structure intended to give some protection to the insurer’s balance sheet from “remote probability catastrophe and systemic events” - looking like someone got nervous on potential exposure for the firm and wanted to offset.
Advancing JADC2: Second SITE Summit Includes FVEY Partners - reporting on an event in December around Zero Trust and the fact that FVEY partners were included also.
FCC Proposes Updated Data Breach Reporting Requirements - this can be looked at in a similar vein to the UK’s Telecommunications Security Act but arguably the first phase i.e. the need to report. This evidence will then likely inform further policy / regulatory decisions.
US supreme court denied dismissal in NSO Group Technologies Limited, et al., Petitioners v. WhatsApp Inc - Going to be an interesting case, so get the 🍿
The French article The ethical bankruptcy of the NGO “Hackers Without Borders” - claims that an NGO which provided “cyber negotiation” services was involved with ransomware somehow
German Financial Regulator issued a warning about malware targeting banking and crypto applications - notable because this is the first time to my knowledge they have done this.
Taking over a Dead IoT Company - this is a technical read but the essence is important for our current/future world - IoT company went defunct, its Internet domain name was bought which then allowed the compromise of IoT devices. Thankfully this time by a nice researcher..
VALL-E - can be used to synthesize high-quality personalized speech with only a 3-second enrolled recording of an unseen speaker as an acoustic prompt - voice biometrics for the win! Or not..
Fermat Factorization in the Wild - academic and not high-level, but the takeaway is applied cryptanalysis against RSA keys generated by a specific library, which resulted in two major printer OEMs being found vulnerable.
How 2022 Crypto Sanctions Affected Crypto Crime - which can be summarized with its key takeaway which implies sanctions are not a panacea - Impact of crypto sanctions depends on jurisdiction and technical constraints
How Finland Is Teaching a Generation to Spot Misinformation - from the longitudinal impact analysis over the next 3 to 5 years I also wonder if there will be a net positive around phishing susceptibility etc. in this population.
World Economic Forum published their Global Risks Report 2023 - cyber # 8 on the 2 and 10 year horizons.
Floridi to Lead New Digital Ethics Center at Yale - founding director of its Digital Ethics Center. Clear that the ethics discussion is only going to get richer as we automate..
European Parliament published their decision to establish the Digital Decade Programme 2030 - cybersecurity is called out as one of three key areas of focus.
Reflections this week stem from Flipper Zero (see the Wired article “Hands On With Flipper Zero, the Hacker Tool Blowing Up on TikTok”) and the vulnerability discovery/exploitation it is enabling in RF among those in the population who might not otherwise be able to. To quote the Wikipedia description:
Flipper Zero is a portable Tamagotchi-like multi-functional device developed for interaction with access control systems. The device is able to read, copy, and emulate radio-frequency tags, radio remotes, and digital access keys.
Now those of you who grew up in the 90s may remember the Casio CMD-40 TV Remote Control Digital Wristwatch. The havoc these caused in Schools/Colleges across the UK was a sign of things to come.
The impact of the commoditisation of knowledge, in the guise of tooling, across a broad spectrum of the science and technology around security shouldn’t be underestimated. Nor can the assumed norms (such as co-ordinated disclosure) be taken for granted in a world of social likes and quick news cycles, by a population which isn’t immersed in or educated on how such things are usually dealt with …
In short the real-world experiment impact stemming from Flipper Zero is going to be interesting as like the Casio it is again a sign of things to come.
Outside of that, interesting and wholesome jobs this week include:
Cybersecurity Policy Advisor at the International Committee of the Red Cross in Luxembourg
PhD scholarship at the Department of Political Science, University of Copenhagen (UCPH) / ERC RITUAL DETERRENCE - RITUAL DETERRENCE investigates deterrence through the lens of ritual theory, to understand its political and psychological effects in international relations.
Have a lovely Thursday
Ollie
Cyber threat intelligence
Who is doing what to whom and how.
New forces in Southeast Asia
Two bits of reporting on the same actor here. The first is Chinese reporting on this suspected Southeast Asian APT, which is using exploits in WordPad/Microsoft Office from 2017.
Analysis of the attack activities of the new APT organization Saaiwc Group targeting the military, finance and other departments in Southeast Asia
The attack mainly uses an ISO file as the initial malicious payload. After running, a PowerShell command is added to the local registry, and finally the PowerShell backdoor PowerDism is loaded to steal local information and execute arbitrary commands.
Andrey Polovinkin provides a far more complete English reporting on the same actor:
Dark Pink launched seven successful attacks against high-profile targets between June and December 2022.
Dark Pink’s first activity, which we tie to a Github account leveraged by the threat actors, was recorded in mid-2021, and the first attack attributable to this APT group took place in June 2022. Their activity peaked in the final three months of 2022 when they launched four confirmed attacks.
Dark Pink’s victims are located in five APAC countries (Vietnam, Malaysia, Indonesia, Cambodia, Philippines) and one European country (Bosnia and Herzegovina).
Victims included military bodies, government and development agencies, religious organizations, and a non-profit organization.
One unsuccessful attack was launched against a European state development agency based in Vietnam in October 2022.
Dark Pink APT’s primary goals are to conduct corporate espionage, steal documents, capture the sound from the microphones of infected devices, and exfiltrate data from messengers.
Dark Pink’s core initial vector was targeted spear-phishing emails that saw the threat actors pose as job applicants. There was evidence to suggest that the threat actors behind Dark Pink scanned online job vacancy portals and crafted unique emails to victims that were advertising vacancies.
Almost all the tools leveraged by the threat actors were custom and self-made, including TelePowerBot and KamiKakaBot, along with the Cucky and Ctealer stealers. During our investigation, we noticed only one public tool: PowerSploit/Get-MicrophoneAudio.
Dark Pink APT utilized a rarely seen technique, termed Event Triggered Execution: Change Default File Association, to ensure launch of malicious TelePowerBot malware. Another technique leveraged by these particular threat actors was DLL Side-Loading, which they used to avoid detection during initial access.
The threat actors created a set of PowerShell scripts to carry out communication between victim and threat actors’ infrastructure, facilitate lateral movement and network reconnaissance.
All communication between infected infrastructure and the threat actors behind Dark Pink is based on Telegram API.
https://blog.group-ib.com/dark-pink-apt
SCATTERED SPIDER Attempts to Avoid Detection with Bring-Your-Own-Driver Tactic
A criminal actor is bringing vulnerable yet signed Windows kernel drivers, which they then exploit in order to disable endpoint security products. It is clear that criminal capability continues to be inspired by public reporting.
[We] prevented a novel attempt by SCATTERED SPIDER to deploy a malicious kernel driver through a vulnerability (CVE-2015-2291) in the Intel Ethernet diagnostics driver.
The activity exploits a well known and pervasive deficiency in Windows security that enables adversaries to bypass Windows kernel protections with the Bring-Your-Own-Vulnerable-Driver tactic.
[We] observed the actor attempting to bypass other endpoint tools including Microsoft Defender for Endpoint, Palo Alto Networks Cortex XDR and SentinelOne using more traditional defense evasion techniques targeting Windows registry hives.
StrongPity espionage campaign targeting Android users
Lukas Stefanko details a Turkish state campaign against Android. Interesting that the vendor’s telemetry has been unable to identify any victims; Google TAG will likely have a better grasp of the scale / victimology. The initial access tradecraft is in effect phishing through impersonation..
Only one other Android campaign has been previously attributed to StrongPity.
This is the first time that the described modules and their functionality have been documented publicly.
A copycat website, mimicking the Shagle service, is used to distribute StrongPity’s mobile backdoor app.
The app is a modified version of the open-source Telegram app, repackaged with StrongPity backdoor code.
Based on similarities with previous StrongPity backdoor code and the app being signed with a certificate from an earlier StrongPity campaign, we attribute this threat to the StrongPity APT group.
StrongPity’s backdoor is modular, where all necessary binary modules are encrypted using AES and downloaded from its C&C server, and has various spying features.
https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/
APT organization "GroupA21" attacks Pakistan through official government documents
Chinese reporting on Indian state activity against Pakistan using mostly open source implant frameworks. The initial access tradecraft is run-of-the-mill phishing.
The attacker uses a normal PDF file from the official website as bait, and carries in the file a malicious LNK file to start the bait and a Trojan file.
The final payloads used by the attackers are WarHawk self-developed Trojans and public Trojans such as NetWire and CobaltStrike. In addition, we also found a C2 server deploying Sliver.
SideCopy organization's latest attack weapon disclosure
Chinese reporting on a Pakistani state actor who are using tradecraft similar (see previous report) to that which they are being subjected to. A story of phishing, malicious archives, LNK and HTA files.
The reflectively loaded DLL will feed back the execution process of the program to the server, that is, whether the main function is successfully executed, and if it fails, it will feed back an exception;
Malicious files are hosted on Google Drive, and their download links are spread through Google mailboxes, which is extremely confusing;
In actual operations, it was rarely found that the organization used the Golang language-based Windows platform Trojan Spark RAT.
Malicious code disguised as plaintiff solicitation (for security workers)
North Korea continues with its phishing campaigns involving malicious Microsoft Office documents that leverage template injection. Of note is the reconnaissance script (again) which is used before any later payloads are deployed.
[We] confirmed the distribution of document-type malware disguised as a solicitation letter to security workers. The secured malicious code executes additional malicious macros through the external object in the word document.
After normal document execution, the information leakage script is downloaded and executed, and the function of the script leaks the following information to the C&C server.
Infected PC system information
List of recently opened word documents
Download folder path information in the system
Modifying IE-related registry keys
Registering Task Scheduler for C&C Server Connection Persistence
Antivirus information installed on your system
The modified Hive enters the field of black and gray production
Chinese reporting on a modified version of an implant framework which had its source code leaked by Wikileaks in 2017. Unclear who or why; intent to false flag or otherwise.
xdr33 is a backdoor Trojan born out of the Hive project. Its main purpose is to collect sensitive information and provide a foothold for subsequent intrusions. From the perspective of network communication, xdr33 uses the XTEA or AES algorithm to encrypt the original traffic, and uses SSL with Client-Certificate Authentication mode to further protect the traffic; in terms of function, there are two main tasks, beacon and trigger, among which beacon periodically reports device sensitive information to the hard-coded Beacon C2 and executes the instructions issued by it, while trigger monitors the traffic of the network card to identify the specific message that hides the Trigger C2.
https://blog.netlab.360.com/headsup_xdr33_variant_of_ciahive_emeerges/
PurpleUrchin Bypasses CAPTCHA and Steals Cloud Platform Resources
William Gamazo and Nathaniel Quist show what cloud compute fraud at scale looks like in 2022. When people can monetize any compute by crypto mining, it creates an interesting challenge for freemium-based, product-led business models. Of note in this case is the image analysis for CAPTCHA bypass.
Automated Libra is a South African-based freejacking group that primarily targets cloud platforms offering limited-time trials of cloud resources in order to perform their cryptomining operations.
In order to take advantage of the limited resources offered by free trials, the actors heavily leveraged DevOps automation techniques such as continuous integration and continuous delivery (CI/CD). They accomplished this by containerizing user account creations on cloud platforms and through automating their cryptomining operations.
We collected more than 250 GB of container data created for the PurpleUrchin operation and discovered that the threat actors behind this campaign were creating three to five GitHub accounts every minute during the peak of their operations in November 2022.
We also found that some of the automated account creation cases bypassed CAPTCHA images using simple image analysis techniques. We also identified the creation of more than 130,000 user accounts created on various cloud platform services like Heroku, Togglebox and GitHub.
We found evidence of unpaid balances on some of these cloud service platforms from several of the created accounts. This finding suggests that the actors created fake accounts with stolen or fake credit cards.
With this finding, we assess that the actors behind PurpleUrchin operations stole cloud resources from several cloud service platforms through a tactic Unit 42 researchers call “Play and Run.” This tactic involves malicious actors using cloud resources and refusing to pay for those resources once the bill arrives.
https://unit42.paloaltonetworks.com/purpleurchin-steals-cloud-resources/
From IcedID to Domain Compromise
With IcedID it is rare to get a detailed end-to-end analysis, but we have one here.
Fast Moving: The attacker went from initial infection to lateral movement in less than an hour. The Active Directory domain was compromised in less than 24 hours.
Standardized Attack Flow: Throughout the attack, the attacker followed a routine of recon commands, credential theft, lateral movement by abusing Windows protocols, and executing Cobalt Strike on the newly compromised host. This activity is explained in more detail in the Lateral Movement section below.
Techniques Borrowed From Other Groups: Several of the TTPs we observed have also been found in attacks attributed to Conti, Lockbit, FiveHands, and others. Not only does this show a trend towards attackers sharing ideas across groups, but this also demonstrates how the ability to detect the techniques and tactics of one group can be applied to detecting others.
Change of Initial Infection Vector: In previous campaigns, attackers delivered IcedID through phishing with malicious macros in documents. With the recent changes Microsoft has implemented, attackers are using ISO and LNK files to replace macros. The behavior illustrated in this article confirms that trend.
Quick to Exfiltrate: Exfiltration in the customer environment started two days after initial infection.
https://www.cybereason.com/blog/threat-analysis-from-icedid-to-domain-compromise
Gootkit Loader Actively Targets Australian Healthcare Industry
Hitomi Kimura, Ryan Maglaque, Fe Cureg and Trent Bessell detail a criminal campaign which is using Search Engine Optimization poisoning. When you think about it, targeting subsectors in less populated regions is likely cheaper than broad, country-wide, highly populated campaigns. I suspect this very specific targeting also complicates detection by third party malvertising threat intel providers.
We analyzed the infection routine used in recent Gootkit loader attacks on the Australian healthcare industry and found that Gootkit leveraged SEO poisoning for its initial access and abused legitimate tools like VLC Media Player.
InkySquid: The Missing Arsenal
Paul Rascagneres discusses a macOS port of RoKRAT used by North Korea.
InkySquid (aka Group123, APT37) is an infamous threat actor linked to North Korea that has been active for at least 10 years. This actor is known to use social engineering in order to breach targets and exploit n-day vulnerabilities in Hangul Word Processor (HWP), as well as browser-based technologies.
https://www.sentinelone.com/labs/labscon-replay-inkysquid-the-missing-arsenal/
OPWNAI : Cybercriminals Starting to Use ChatGPT
Tip of the iceberg territory here of what will come; interesting that it is actually happening and not merely being hypothesised by the industry. Or the Scooby-Doo moment will be where this turns out to be a TI provider trying to coax criminals into engaging on the topic, or something.
On December 29, 2022, a thread named “ChatGPT – Benefits of Malware” appeared on a popular underground hacking forum. The publisher of the thread disclosed that he was experimenting with ChatGPT to recreate malware strains and techniques described in research publications and write-ups about common malware. As an example, he shared the code of a Python-based stealer that searches for common file types, copies them to a random folder inside the Temp folder, ZIPs them and uploads them to a hardcoded FTP server.
https://research.checkpoint.com/2023/opwnai-cybercriminals-starting-to-use-chatgpt/
Discovery
How we find and understand the latent compromises within our environments.
Leveraging the Power of KQL in Incident Response
Danielle Veluz provides a guide on how to utilize KQL across endpoint and 3rd party sources during incident response.
KQL allows for speed and flexibility when working with large datasets during incident response engagements. The built-in functions that are used to parse various pieces of data allow for analysts to work with what matters to them, rather than spending additional time trying to manually parse and process data. Custom functions provide users a method for taking a query and turning it into a sharable and repeatable action. KQL is further leveraged by enabling users to use scripting languages, such as R and Python, as another way to work with data.
Advanced KQL for Threat Hunting: Window Functions
Mehmet Ergene also gives some practical advice on some features of KQL which provide value to threat hunting scenarios specifically by being able to slice data effectively.
Window functions are one of the powerful methods for data analysis. While they are primarily used in finance and business analytics, they can also be used in threat hunting and DFIR and solve complicated use cases. In this post, I will briefly explain two KQL (Kusto Query Language) window functions, prev() and next(), and how to use them for threat hunting.
https://posts.bluraven.io/advanced-kql-for-threat-hunting-window-functions-part-1-14ac09353ad3
Detecting Fake Events in Azure Sign-in Logs
Lina Lau walks through how to detect fake logs which are used to create busy work for blue teams. Yes, it really is happening..
Threat actors can create and populate fake logs in the Azure sign-in logs that look like legitimate events
The parameters they can spoof in the logs include (and are not limited to):
Timestamp of when the events are generated
User account
IP addresses
Network location type
https://www.inversecos.com/2023/01/detecting-fake-events-in-azure-sign-in.html
Detecting Manual Syscalls from User Mode
Jack Ullrich provides this from 2021 but given all the [Hells|Gates] tradecraft on Windows for doing manual system calls to subvert EDRs this is a useful resource.
All syscalls which do not transition from the kernel back to usermode at a known valid location, are in fact crafted for evasive purposes.
The plan now becomes clear. Find out if the syscall returns back to usermode at a known location. This address could be an exported function in ntdll.dll or win32u.dll (I’m sure there are more callbacks). It may not be a memory page in the .text section of an unknown module.
https://winternl.com/detecting-manual-syscalls-from-user-mode/
A LAPS(e) in Judgement - detecting LAPS dumping
Megan Nilsen provides an excellent end-to-end walkthrough on how to detect LAPS dumping by adversaries. Another strong signal opportunity in detection engineering..
LAPS is a great tool to control and mitigate issues with local Admin password reuse. However, like most security enhancing tools, it can be abused by attackers performing AD reconnaissance or an internal employee with excessive privileges. Having detections geared towards reviewing abnormal LAPS requests could help identify malicious behavior earlier and provide additional baseline information of who may be querying LAPS within an organization.
https://www.trustedsec.com/blog/a-lapse-in-judgement/
100 Days of Yara
This year has kicked off with a continuation of a theme from last year. Various people from across the industry are contributing various bits of Yara trade-craft. Well done everyone - 👏 and much ❤️ from everyone in defence - keep it up!
bpfdscan: A BPFDoor scanner
Vesselin Bontchev provides this scanner to identify hosts infected with the BPFDoor backdoor which was discussed at length last year.
https://gitlab.com/bontchev/bpfdscan
Defence
How we proactively defend our environments.
Updated whitepaper available: AWS Security Incident Response Guide
Anna McAbee released an update to THE AWS whitepaper on the topic.
Related is this training on Responding to an attack in AWS
https://invictus-ir.medium.com/responding-to-an-attack-in-aws-9048a1a551ac
Automating Malware Analysis Operations (MAOps)
Great work here from the Japanese CERT on how they built their analysis pipelines.
I believe that automating analysis is a challenge that all malware analysts are working on for more efficient daily incident investigations. Cloud-based technologies (CI/CD, serverless, IaC, etc.) are great solutions that can automate MAOps efficiently. In this article, I introduce how JPCERT/CC automates malware analysis on the cloud, based on the following case studies.
https://blogs.jpcert.or.jp/en/2023/01/cloud_malware_analysis.html
Amazon S3 now automatically encrypts all new objects
For those that have a ‘data at rest is encrypted’ box to tick.
https://aws.amazon.com/about-aws/whats-new/2023/01/amazon-s3-automatically-encrypts-new-objects/
Emulating the Highly Sophisticated North Korean Adversary Lazarus Group
Francis Guibernau and Ken Towne walk through their tradecraft and highlight the detection opportunity for some of the Hermit Kingdom’s operatives.
eBPF: A new frontier for malware
Dave Bogle provides some practical tips on how to minimize eBPF being used for malicious purposes by reducing the attack surface.
Make sure unprivileged eBPF is disabled. Nowadays, to install an eBPF program, you typically need root—or at least CAP_SYS_ADMIN and/or CAP_BPF. This was not always the case. Unprivileged eBPF was introduced around kernel 4.4. Be sure to check this config option by running:
# sysctl kernel.unprivileged_bpf_disabled
Disable features you don’t need. Admins can programmatically disable things like kprobes:
# echo 0 > /sys/kernel/debug/kprobes/enabled
Create firewall filters on external firewalls to block suspicious packets
Build kernels without support for kprobes, eBPF based TC filters, or eBPF entirely (although that may not be an option for many)
Ensure CONFIG_BPF_KPROBE_OVERRIDE is not set unless absolutely necessary
https://redcanary.com/blog/ebpf-malware/
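As an added example (my own, not Red Canary's code), a POSIX shell audit script that checks the three settings above on a Linux host; it assumes the running kernel's config is readable at /proc/config.gz or /boot/config-$(uname -r) and that debugfs is mounted at /sys/kernel/debug. The classifier functions take values as arguments so they can also be run offline against known inputs.

```shell
#!/bin/sh
# Audit the eBPF hardening points from the Red Canary post (added example).
# Value semantics for kernel.unprivileged_bpf_disabled come from the kernel's
# Documentation/admin-guide/sysctl/kernel.rst:
#   0 = unprivileged bpf() calls allowed
#   1 = disabled, and cannot be re-enabled without a reboot
#   2 = disabled, but an admin can still write 0 to re-enable it
classify_unpriv_bpf() {
  case "$1" in
    0) echo "WEAK unprivileged eBPF is allowed (set kernel.unprivileged_bpf_disabled=1)" ;;
    1) echo "OK unprivileged eBPF disabled and locked until reboot" ;;
    2) echo "NOTE unprivileged eBPF disabled but can be re-enabled at runtime" ;;
    *) echo "UNKNOWN unexpected value '$1'" ;;
  esac
}

# /sys/kernel/debug/kprobes/enabled: 1 = kprobes armed, 0 = disabled
classify_kprobes() {
  case "$1" in
    0) echo "OK kprobes disabled" ;;
    1) echo "NOTE kprobes enabled (disable if no tracing tool needs them)" ;;
    *) echo "UNKNOWN kprobes state '$1' (debugfs not mounted?)" ;;
  esac
}

# Succeed when "FLAG=y" appears as a whole line in the kernel config on stdin.
# Lines such as "# CONFIG_FOO is not set" deliberately do not match.
kconfig_flag_set() {
  grep -qxF "$1=y"
}

# Emit the running kernel's config, trying /proc/config.gz then /boot.
read_kconfig() {
  if [ -r /proc/config.gz ]; then
    gzip -dc /proc/config.gz
  elif [ -r "/boot/config-$(uname -r)" ]; then
    cat "/boot/config-$(uname -r)"
  fi
}

# Print one line per check; return 1 if any check is rated WEAK.
audit_host() {
  weak=0
  v=$(sysctl -n kernel.unprivileged_bpf_disabled 2>/dev/null || echo unknown)
  line=$(classify_unpriv_bpf "$v")
  echo "$line"
  case "$line" in WEAK*) weak=1 ;; esac

  k=$(cat /sys/kernel/debug/kprobes/enabled 2>/dev/null || echo unknown)
  classify_kprobes "$k"

  if read_kconfig | kconfig_flag_set CONFIG_BPF_KPROBE_OVERRIDE; then
    echo "WEAK CONFIG_BPF_KPROBE_OVERRIDE=y (kprobes may alter kernel function return values)"
    weak=1
  else
    echo "OK CONFIG_BPF_KPROBE_OVERRIDE not set (or kernel config unreadable)"
  fi
  return $weak
}

if audit_host; then
  echo "RESULT: no weak eBPF settings found"
else
  echo "RESULT: weak eBPF settings present"
fi
```

Run it as root so sysctl and debugfs are readable; a non-zero audit_host return is the signal to act on.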
Detection Engineering Automation: ChatGPT
Ashish Bansal rides the wave of interest around applying ChatGPT to cyber problems. Obviously ChatGPT can get some things terribly wrong, so it feels a little optimistic to rely on it today.
https://systemweakness.com/detection-engineering-automation-chatgpt-a84ea5b044a1
BRC4 Unpacker
Matthieu Walter provides an unpacker for the Brute Ratel (BRC4) stager and a configuration extractor.
https://github.com/matthw/malware_analysis/tree/main/brc4
Vulnerability
Our attack surface.
Can You Trust Your VSCode Extensions?
Ilay Goldman shows how soft our developer underbelly really is. This is terrifying in both scale and speed..
We uploaded a POC extension, which is shown above, masquerading as Prettier, one of the top ten most installed extensions in the Marketplace... In just under 48 hours, we got more than a thousand installs by active developers from all around the world!
https://blog.aquasec.com/can-you-trust-your-vscode-extensions
Offense
Attack capability, techniques and trade-craft.
WalkerGate: Find Syscall
A method to find system calls by memory parsing of NTDLL in an attempt to avoid EDR looking for code doing this.
https://github.com/DallasFR/WalkerGate
HTML Smuggling: Recent observations of threat actor techniques
Alfie Champion provides a useful summary of techniques.
https://blog.delivr.to/html-smuggling-recent-observations-of-threat-actor-techniques-74501d5c8a06
Alcatraz: x64 Windows binary obfuscator
This is a complete obfuscator which employs various techniques, namely:
Obfuscation of immediate moves
Control flow flattening
ADD mutation
Entry point obfuscation
Lea obfuscation
Anti disassembly
Import obfuscation
In short, some old code just got a whole new lease of life.
https://github.com/weak1337/Alcatraz
Unhooking Patch
Saad Ahla shows how to remove detection hooks placed by EDR.
Bypass EDR Hooks by patching NT API stub, and resolving SSNs and Syscall instructions at runtime
https://github.com/D1rkMtr/UnhookingPatch
DNS Key Gen
Askar provides a turnkey solution to make implant sandbox detonation and/or later analysis more challenging.
DNSKeyGen is a Python-based open-source tool designed to facilitate the exchange of command and control (C2) beacon/implant decryption keys through DNS records, including A, AAAA, and TXT records.
This tool creates a DNS server that responds to requests for a specified domain by returning the requested decryption key in the response. The user has the option to specify a specific key or to have the tool generate one based on the DNS record being used.
https://github.com/mhaskar/DNSKeyGen
Forensia: Anti Forensics Tool For Red Teamers
Paul Norman releases a framework for erasing footprints on Windows in the post exploitation phase.
Capabilities
Unloading Sysmon Driver
Gutmann Method File Shredding
USNJrnl Disabler
Prefetch Disabler
Log Eraser and Event Log Disabler
User Assist Update Time Disabler
Access Time Disabler
Clear Recent Items
Clear Shim Cache
Clear RecentFileCache
Clear ShellBag
File Melting Capabilities
https://github.com/PaulNorman01/Forensia
Exploitation
What is being exploited.
CVE-2022-44877: Centos Web Panel 7 Unauthenticated Remote Code Execution
This is now being exploited in the wild.
https://github.com/numanturle/CVE-2022-44877
CVE-2022-46169: Unauthenticated Command Injection in Cacti
This also is being exploited in the wild.
https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf
CVE-2022-42475: Analysis of FG-IR-22-398 – FortiOS - heap-based buffer overflow in SSLVPNd
Carl Windsor, Guillaume Lovet, Hongkei Chan, and Alex Kong provide an analysis of the vulnerability that was disclosed as being exploited in the wild mid-December.
The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets.
0day Lexmark printer exploit
Printer zero-day for enterprises to contend with.
This is all still "0day" at the time of writing (2023-01-10, tested against firmware CXLBL.081.225)
https://github.com/blasty/lexmark
SugarCRM: January 5, 2023: Security vulnerability update and FAQ
https://sugarclub.sugarcrm.com/engage/b/sugar-news/posts/jan-5-2023-security-vulnerability-update
Scanned every package on PyPi and found 57 live AWS keys
Tom Forbes shows sometimes all it takes is to go looking to find your initial access.
After inadvertently finding that InfoSys leaked an AWS key on PyPi, I wanted to know how many other live AWS keys may be present on the Python Package Index. After scanning every release published to PyPi I found 57 valid access keys from organisations like:
Amazon themselves 😅
Intel
Stanford, Portland and Louisiana University
The Australian Government
General Atomics fusion department
Teradata
Delta Lake
And Top Glove, the world’s largest glove manufacturer 🧤
https://tomforb.es/i-scanned-every-package-on-pypi-and-found-57-live-aws-keys/
Tooling and Techniques
Low level tooling for attack and defence researchers.
Z3 Solver Simplifying String Decryption
SMT solvers applied to real world analysis problems..
Z3 Solver aids in simplifying deobfuscation techniques. This post covers 2 example use cases where a convoluted string decryption routine is broken down and simplified into a single XOR operation. Z3 is used to prove that the extra parts of the decryption routine cancel each other out.
https://blog.xorhex.com/blog/z3-simplify-obfuscation/
BugChecker: SoftICE-like kernel debugger for Windows 11
Vito Plantamura has just reduced my AWS bills (I have two VMs, with one kernel debugging the other) with the release of this.
BugChecker is a SoftICE-like kernel and user debugger for Windows 11 (and Windows XP as well: it supports Windows versions from XP to 11, both x86 and x64). BugChecker doesn't require a second machine to be connected to the system being debugged, like in the case of WinDbg and KD.
https://github.com/vitoplantamura/BugChecker
substation: Substation is a data pipeline and transformation toolkit
There will be massive utility here in some analytics pipelines.
Substation provides three unique data handling capabilities:
modular, cloud native data pipelines that support 100s of unique designs
event-driven ingest, transform, load (ITL) applications that evaluate, process, and deliver data in real-time
Go packages for creating custom data processing applications
https://github.com/brexhq/substation
Hermit: Deterministic Linux for Controlled Testing and Software Bug-finding
Ryan Rhodes Newton discusses a release which will help vulnerability discovery folk.
https://developers.facebook.com/blog/post/2022/11/22/hermit-deterministic-linux-testing/
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Issue ACIG 2022; 1 (1) - Applied Cybersecurity & Internet Governance journal - broad range of papers, including:
Artificial Intelligence for Cybersecurity: Offensive Tactics, Mitigation Techniques and Future Directions
The Cybersecurity Obligations of States Perceived as Platforms: Are Current European National Cybersecurity Strategies Enough?
Digital Sovereignty Strategies for Every Nation
The (Il)legitimacy of Cybersecurity. An Application of Just Securitization Theory to Cybersecurity based on the Principle of Subsidiarity
Digital Threats: Research and Practice - similarly broad range of papers, yet more technical:
Emerging Cybersecurity Capability Gaps in the Industrial Internet of Things
Are We Skilful or Just Lucky? Interpreting the Possible Histories of Vulnerability Disclosures
Vulnerability Forecasting: Theory and Practice
Risk Explorer for Software Supply Chains - a taxonomy of known attacks and techniques to inject malicious code into open-source software projects
SP 1800-35 (Draft), Implementing a Zero Trust Architecture - (2nd Preliminary Draft) - comments due February 2
No Water’s Edge: Russia’s Information War and Regime Security
Artificial Intelligence Ethics Framework for the Intelligence Community
That’s all folks.. until next week..
This newsletter is produced by BinaryFirefly; it is via BinaryFirefly that I support a hand-picked set of organisations across investment, strategy and capability in the domain of cyber.