Cyber Defence Analysis for Blue & Purple Teams


Bluepurple Pulse: week ending January 8th

bluepurple.binaryfirefly.com


The holiday season is but a faint memory as cyber goes full steam ahead into 2023.

Ollie
Jan 6, 2023

Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.

Operationally this week has been driven by the CircleCI breach alert and the warning to cycle all secrets that CircleCI had access to. This breach is suspected of being the enabler for various Github repository breaches towards the end of 2022. This incident is a wonderful advert for the value of the Thinkst Canary and specifically the deploy and forget model as a high signal source. Just look at what Daniel said:

Daniel Hückmann (@sanitybit), 2:43 AM ∙ Jan 5, 2023:

CircleCI was compromised over the holidays. I've been investigating the use of a @ThinkstCanary AWS token that was improperly accessed on December 27th and suspected as much. Now we have confirmation from the vendor.

Outside of this there was the compromised PyTorch-nightly dependency chain between December 25th and December 30th, 2022, which was allegedly a bug bounty effort that went awry.

In the high-level this week:

  • The (Australian) Commonwealth Cyber Security Posture in 2022 - this report informs Parliament on the implementation of cyber security measures across the Commonwealth government for the period January 2021 to June 2022. It comprised 97 non-corporate Commonwealth entities, 71 corporate Commonwealth entities (CCEs) and 17 Commonwealth companies. If other countries followed suit it could be quite interesting.

  • Current Status and Issues of North Korean Cyber Attacks (Korean) from the Korean National Assembly Research Service - Korean government high-level reporting - “North Korea's cyber attack is emerging as a security issue in the international community. North Korea's cyber attacks, which began in 2009, have evolved from stealing information to earning foreign currency since 2016. Accordingly, the international community believes that North Korea is raising funds for nuclear and missile-related development through attacks on financial assets and cryptocurrency, and is actively working to prevent it.”

  • The Republic of Poland’s position on the application of international law in cyberspace - the Ministry of Foreign Affairs of the Republic of Poland outlines its position, which is summarised below. Also related is So much for a ‘world without borders’? Countries are marking their territory in cyberspace from Alix Desforges and Aude Géry at the Atlantic Council.

    • The existing international law, including the Charter of the United Nations, applies to cyberspace. Therefore, states are required to adhere to international law in cyberspace

    • The principle of sovereignty applies to cyberspace

    • Actions in cyberspace may constitute unlawful intervention in affairs falling under the domestic jurisdiction of a state

    • In certain circumstances actions in cyberspace may constitute a violation of the prohibition of the use of force

    • A cyberattack may be qualified as an armed attack. The right to self-defence applies to cyberspace

    • A state is responsible for actions in cyberspace that violate international law

    • International human rights law applies to cyberspace

    • Retorsion and countermeasures as a response to harmful actions in cyberspace

  • Russian cyberattacks in Poland - a high-level alert from the Polish government of Russian cyber activity in country.

  • On the proposal of the Prime Minister, Vincent Strubel was appointed head of the National Information Systems Security Agency (ANSSI) on January 4, 2023 by the Council of Ministers - the new head of France’s cyber agency announced.

  • South Korea announces The 'heart' of public-private partnership - National Intelligence Service 'National Cyber Security Cooperation Center' - also discusses the $1.2 billion in thefts by North Korea of state currency assets as well as crypto.

  • Ohio Supreme Court says insurance policy (for physical loss) does not cover ransomware attack on software (as loss of data isn't physical loss) - should have had a cyber or sufficient business interruption policy instead is my takeaway.

  • Factoring integers with sublinear resources on a superconducting quantum processor - Chinese researchers published a paper claiming that they can—although they have not yet done so—break 2048-bit RSA. See Schneier’s analysis, which got the world excited, and then Scott Aaronson’s analysis, which largely debunked it.

    • Related is H.R.7535 - Quantum Computing Cybersecurity Preparedness Act - signed into US law in December

  • The State of Ransomware in the US: Report and Statistics 2022 - some statistics - although the trends stated seem to buck the general consensus around 2022 being a down year compared to 2021 for ransomware.

  • Cyber Insurance Themes to Look Out for in 2023 - summary

    • Rates stabilize and underwriting discipline continues

    • Regulators sharpen their focus on systemic risk

    • The trend away from quota share reinsurance will continue

    • Analytics will become increasingly integrated into all aspects of the cyber insurance value chain

    • Insurance-linked securities investors will (finally) meet their match with (re)insurers

  • In November, the UN’s Ad Hoc Committee released its first consolidated negotiating draft for a ‘cybercrime treaty’, to be discussed at the committee’s fourth session in Vienna in January 2023 - reporting from mid-December on a meeting January 9 - 20th in Vienna which will discuss - “Consolidated negotiating document on the general provisions and the provisions on criminalization and on procedural measures and law enforcement of a comprehensive international convention on countering the use of information and communications technologies for criminal purposes”

  • US FY23 Spending Bill agreed by the US House and Senate Appropriations Committee amends the Federal Food, Drug and Cosmetics Act - mandates cyber security requirements for medical devices in section 3305.

  • UAE introduces its Personal Data Protection Law - has been passed.

Reflections this week stem from the paper Nobel and novice: Author prominence affects peer review and this headline:

“We found clear evidence for bias. More than 20% of the reviewers recommended “accept” when the Nobel laureate was shown as the author, but less than 2% did so when the research associate was shown. Our findings contribute to the debate of how best to organize the peer-review process”

This type of gatekeeping is prevalent. The challenge is how to enable researchers with new ideas and evidence to break through both in terms of roles but also in terms of platform.

Outside of that there are some interesting roles floating about:

  • Ten-week Chevening Western Balkans Cyber Security Fellowship Hosted by Cranfield University and funded by the Foreign, Commonwealth and Development Office in the UK - The Chevening Western Balkans Cyber Security Fellowship is aimed at mid-career professionals with demonstrable leadership potential in the field of cyber security or cyber policy in the Western Balkans.

  • Nonresident Fellow, Cyber Statecraft Initiative at the Atlantic Council


Have a lovely Friday

Ollie

Cyber threat intelligence

Who is doing what to whom and how.

Turla: A Galaxy of Opportunity

Sarah Hawley, Gabby Roncone, Tyler McLellan, Eduardo Mattos and John Wolfram detail a fascinating case where latent compromises were reactivated/reengaged by re-registering expired C2 DNS domains. I doubt many organisations today consider this threat and actively monitor for it - that is, how many blue teams look for resolutions of C2 domains from expired/previous campaigns?

In September 2022, [we] discovered a suspected Turla Team operation, currently tracked as UNC4210, distributing the KOPILUWAK reconnaissance utility and QUIETCANARY backdoor to ANDROMEDA malware victims in Ukraine. Mandiant discovered that UNC4210 re-registered at least three expired ANDROMEDA command and control (C2) domains and began profiling victims to selectively deploy KOPILUWAK and QUIETCANARY in September 2022.

Timeline of ANDROMEDA to Turla Team intrusion

https://www.mandiant.com/resources/blog/turla-galaxy-opportunity
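The monitoring question raised above, worked through as an added example (this is not code from the Mandiant post): a watchlist of historic C2 domains with the date their original registration lapsed, enriched with the current registration creation date, run over resolver logs. Every domain, date and log line here is constructed for illustration; the verdict names are my own.

```python
from datetime import datetime, date
from typing import Dict, List, NamedTuple, Optional

# Constructed watchlist of C2 domains from an old (fictional) campaign, keyed to
# the date their original registration lapsed. In practice this comes from past
# incident records and historic threat intel.
LEGACY_C2_LAPSED: Dict[str, date] = {
    "updates-cdn.example": date(2021, 5, 2),
    "stat-collector.example": date(2020, 11, 14),
}

# Constructed WHOIS-style enrichment: creation date of the current registration,
# or None when nobody currently holds the name.
CURRENT_REGISTRATION_CREATED: Dict[str, Optional[date]] = {
    "updates-cdn.example": date(2022, 8, 30),
    "stat-collector.example": None,
}

# Constructed resolver log: "<timestamp> <client> <qname> <rcode> <answer>".
DNS_LOG = """\
2022-09-14T10:02:11Z 10.1.4.23 updates-cdn.example NOERROR 203.0.113.7
2022-09-14T10:02:15Z 10.1.4.23 www.example.org NOERROR 203.0.113.99
2022-09-15T08:40:00Z 10.1.9.5 stat-collector.example NXDOMAIN -
2022-09-15T08:41:03Z 10.1.9.5 cdn.updates-cdn.example NOERROR 203.0.113.7
"""


class Finding(NamedTuple):
    when: datetime
    client: str
    qname: str
    watchlist_domain: str
    verdict: str


def watchlist_match(qname: str) -> Optional[str]:
    """Return the watchlist domain that qname equals or is a subdomain of."""
    q = qname.lower().rstrip(".")
    for dom in LEGACY_C2_LAPSED:
        if q == dom or q.endswith("." + dom):
            return dom
    return None


def classify(dom: str, rcode: str) -> str:
    """Turn a hit on a watchlisted domain into a verdict."""
    if rcode == "NXDOMAIN":
        # Dead domain, but a host still calls it: a latent infection that will
        # answer to whoever registers the name next.
        return "latent-beacon-unregistered"
    created = CURRENT_REGISTRATION_CREATED.get(dom)
    if created is not None and created > LEGACY_C2_LAPSED[dom]:
        # Resolves, and the current registration postdates the lapse: the
        # domain has changed hands since the original campaign.
        return "resolved-reregistered"
    return "resolved-unexpected"


def hunt(log_text: str) -> List[Finding]:
    """Scan resolver log lines for queries touching the watchlist."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, qname, rcode, _answer = parts
        dom = watchlist_match(qname)
        if dom is None:
            continue
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        findings.append(Finding(when, client, qname, dom, classify(dom, rcode)))
    return findings


if __name__ == "__main__":
    for f in hunt(DNS_LOG):
        print(f"{f.when:%Y-%m-%d %H:%M} {f.client} {f.qname} -> {f.verdict}")
```

The NXDOMAIN case is the useful leading indicator: the host is still beaconing to a dead name, and it will keep doing so for whoever registers it next.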

Bluebottle: Campaign Hits Banks in French-speaking Countries in Africa

Continuation of a campaign previously reported on. It is clear that ANSSI, SWIFT and others are likely going to be busy supporting these institutions. The focus on developing countries and their financial sector is the point of note here - the actual tradecraft is rather basic.

Bluebottle, a cyber-crime group that specializes in targeted attacks against the financial sector, is continuing to mount attacks on banks in Francophone countries. The group makes extensive use of living off the land, dual-use tools, and commodity malware, with no custom malware deployed in this campaign.

The activity observed appears to be a continuation of activity documented in a November 2022. The activity documented from mid-2019 to 2021, and it said that during that period this group, which it called OPERA1ER, stole at least $11 million in the course of 30 targeted attacks.

The initial infection vector is unknown, but the earliest malicious files found on victim networks had French-language, job-themed file names. These likely acted as lures. In some cases, the malware was named to trick the user into thinking it was a PDF file, e.g.:

  • fiche de poste.exe ("job description")

  • fiche de candidature.exe ("application form")

  • fiche de candidature.pdf.exe ("application form")

It’s most likely these files were delivered to victims via a spear-phishing email.

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa

Analysis Of APT Organization Confucius's Cyber Attack Against IBO Anti-terrorism Operations In Pakistan

Chinese reporting on Indian activity aimed at Pakistan’s security forces and diplomatic entities. The novelty in the below for me was the breaking of the execution chain from the original malicious document by using a scheduled task. I suspect this indirect execution would be missed by some.

In this cyber attack incident, the Confucius attackers constructed a phishing document named "IBO_Lodhran.doc" (Intelligence-Based Operations in the Lodland Region) and a phishing document named "US_Dept_of_State_Fund_Allocations_for_Pakistan.doc" (United States Alloc State Department of State Fund), targeting Pakistan's security forces and diplomatic government departments respectively.

https://blog-nsfocus-net.translate.goog/aptconfuciuspakistanibo/?_x_tr_sch=http&_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp

Analysis of APT-C-56 (Transparent Tribe) Using Foreign Trade Links to Disguise Document Attacks

Chinese reporting on Pakistani activity against India. Other than the geopolitical tit-for-tat, the point of note is the implant used, which appears to be new.

[We] detected samples of Transparent Tribe using foreign trade-themed links to carry out attacks. The sample is disguised as a scr table file, and at the same time releases the persistent component and RAT to continuously monitor the users. The RAT used this time is neither its exclusive Trojan CrimsonRAT nor the commonly used ObliqueRAT. We associate this attack with Transparent Tribe through the similar characteristics of persistent components.

https://translate.google.com/translate?sl=auto&tl=en&hl=en&u=https://mp.weixin.qq.com/s/PTWzKIPsO92XCP4-pXRDgg?&client=webapp

Analysis of the "ferry" Trojan horse organized by CNC for the military industry and education industry

Chinese reporting on APT-C-48 (CNC), whose main targets are the Chinese military industry and education sector. These two new samples show an evolution rather than a revolution in capability.

[We] discovered two downloaders used by the CNC organization when sorting out the attack activities . One of the downloaders has the ability to ferry attacks, using mobile storage devices as One downloader steals files of interest to the ; another downloader communicates using a deceptive C2 node with an untrusted digital certificate.

The CNC organization is currently known to have been discovered as early as 2019. At that time, the organization was named CNC because the PDB path information of the remote control Trojan it used contained cnc_client. The organization mainly targets military and education industries.

https://mp-weixin-qq-com.translate.goog/s/uEjNpw-rtpjGGPacJS19WQ?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp

BlindEagle Targeting Ecuador With Sharpened Tools

The reporting here shows that criminal groups are in some cases employing operational security measures to frustrate interrogation by security researchers or automated systems. The initial access tradecraft is rather basic.

  • APT-C-36, also known as Blind Eagle, is a financially motivated threat group that has been launching indiscriminate attacks against citizens of various countries in South America since at least 2018.

  • In a recent campaign targeting Ecuador based organizations, [we] detected a new infection chain that involves a more advanced toolset.

  • The backdoor chosen for this campaign is typically used by espionage campaigns, which is unusual for this group

Such emails usually feature either a malicious document or a malicious link, but in this case, the attackers said “why not both?” and included both a link and a terse attached PDF directing the unfortunate victim to the exact same link.

In both cases, the link in question consists of a legitimate link-shortening service URL that geolocates victims and makes them communicate with a different “server” depending on the original country. If the incoming HTTP request originates from outside Colombia, the server aborts the infection chain, acts innocent and redirects the client to the official website of the migration department of the Colombian Ministry of Foreign Affairs.

https://research.checkpoint.com/2023/blindeagle-targeting-ecuador-with-sharpened-tools/

Kimsuky Mobile Malicious Campaign Targets Director of National Security at Korea Institute of East Asian Studies

North Korea showing that they have diversity in their arsenal, even if it is largely based on open source. The mobile targeting element is somewhat interesting. Whether it is yielding results for them, only flow analysis will tell.

[We discovered] three new types of Android malware targeted at Koreans by the Kimsuky organization.

1. FastFire -- a malicious APK developed by the Kimsuky group, which pretends to be a Google security plugin. It receives commands from Firebase, a Google-backed application development platform, instead of receiving commands from the C&C via HTTP/S communication like traditional methods.

2. FastViewer -- the malware disguises itself as "Hancom Viewer," a mobile viewer program that can read Korean documents (.hwp) used in South Korea, and steals information from infected devices before downloading other malware.

3. FastSpy -- this malicious module is downloaded and executed by FastViewer, and receives commands from the attacker's server through the TCP/IP protocol. FastSpy is developed based on the source code of AndroSpy, an open source Android device remote control tool.

https://mp-weixin-qq-com.translate.goog/s/EQ8nrfE3tkfg4nB8F49VLA?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp

North Korean phishing campaign active in Korean

South Korean reporting here on a North Korean campaign which by virtue of how it worked allowed the victimology to be ascertained. The desire by the threat actors to make the flow seamless was an opsec oopsie.

[We] recently identified a situation in which an attempt was made to obtain account information from a specific person by disguising Kakao's login page. Although the exact inflow path through which the user initially accesses the page has not been confirmed, it is presumed that the web login was induced from the page accessed through the phishing mail.

The estimated information for some accounts auto-completed on the login screen is as follows.

  • a***d: University professor

  • ya***2 : Broadcasting reporter

  • sh***her : North Korea project support group

https://asec-ahnlab-com.translate.goog/ko/45204/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=wapp

Pupy RAT hiding under WerFault’s cover

Saikumaravel Thangarajavel details in-the-wild usage of living off the land binaries. It is in these situations that analytics and company-wide visibility are going to be required to spot the anomalies: for example, WerFault loading a DLL of non-standard size or with a non-standard signature.

Recently we came across an ISO image, recent inventory & our specialties.iso, from a twitter feed. The ISO contains four files, a legitimate WerFault.exe, a malicious DLL named faultrep.dll, a shortcut file named recent inventory & our specialties.lnk and an XLS file named File.xls. The shortcut file has the same name as the ISO image. When the victim opens that shortcut file, it uses the scriptrunner.exe LOLBin via cmd to execute WerFault.exe from the ISO.

https://labs.k7computing.com/index.php/pupy-rat-hiding-under-werfaults-cover/
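The anomaly described above (WerFault.exe picking up a faultrep.dll that is not the Microsoft-signed copy from the system directory) as detection logic over image-load telemetry. This is an added example, not code from the K7 post; the records are constructed JSON lines using Sysmon Event ID 7 field names, and the path/signature rules are my own.

```python
import json
from typing import Dict, List, NamedTuple

# Constructed Sysmon-style image-load (Event ID 7) records as JSON lines. The
# field names follow Sysmon's schema; the values are made up for this example.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 7, "Image": "C:\\Windows\\System32\\WerFault.exe",
     "ImageLoaded": "C:\\Windows\\System32\\faultrep.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": "D:\\WerFault.exe",
     "ImageLoaded": "D:\\faultrep.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": "C:\\Windows\\System32\\WerFault.exe",
     "ImageLoaded": "C:\\Users\\bob\\AppData\\Local\\Temp\\faultrep.dll",
     "Signed": "true", "Signature": "Contoso Ltd", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": "C:\\Windows\\SysWOW64\\WerFault.exe",
     "ImageLoaded": "C:\\Windows\\SysWOW64\\faultrep.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe"},
])

# The only places the genuine WerFault.exe and faultrep.dll should live.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


class Finding(NamedTuple):
    image: str
    loaded: str
    reasons: List[str]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def check_event(ev: Dict) -> List[str]:
    """Reasons a WerFault.exe -> faultrep.dll load looks wrong (empty list = fine)."""
    if ev.get("EventID") != 7:
        return []
    image, loaded = ev.get("Image", ""), ev.get("ImageLoaded", "")
    if _basename(image) != "werfault.exe" or _basename(loaded) != "faultrep.dll":
        return []
    reasons = []
    if not _in_system_dir(image):
        # The ISO case: a copied, legitimate WerFault.exe run from a mounted volume.
        reasons.append("WerFault.exe running outside the Windows system directories")
    if not _in_system_dir(loaded):
        reasons.append("faultrep.dll loaded from outside the Windows system directories")
    if ev.get("Signed") != "true" or ev.get("SignatureStatus") != "Valid":
        reasons.append("faultrep.dll is unsigned or its signature did not validate")
    elif ev.get("Signature") != "Microsoft Windows":
        reasons.append("faultrep.dll signed by someone other than Microsoft Windows")
    return reasons


def detect(jsonl: str) -> List[Finding]:
    """Run check_event over JSON-lines telemetry and collect the hits."""
    findings: List[Finding] = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        reasons = check_event(ev)
        if reasons:
            findings.append(Finding(ev["Image"], ev["ImageLoaded"], reasons))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f.image, "<-", f.loaded)
        for r in f.reasons:
            print("   ", r)
```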

Raspberry Robin Detected ITW Targeting Insurance & Financial Institutes In Europe

A criminal actor showing both tenacity and a degree of technical sophistication by virtue of its anti-analysis tradecraft.

The forensics investigation showed that a 7zip file was downloaded from the victim's browser, potentially from a malicious link or attachment that tricked the user into taking action.

Once the modules are installed, all traffic is routed through Tor.

In this case, we started our investigation with a suspicious ZIP file downloaded by the user from Microsoft Edge, probably through a malicious advertisement campaign.

  • Raspberry Robin is targeting the financial sector in Europe.

  • Victimology focuses on Spanish and Portuguese speaking organizations.

  • Attackers have begun collecting more victim machine data.

  • Downloader mechanism was updated with new anti-analysis capabilities.

  • The same QNAP server is being used for several rounds of attacks, but victim data is no longer in plain-text. It is RC4 encrypted.

https://www.securityjoes.com/post/raspberry-robin-detected-itw-targeting-insurance-financial-institutes-in-europe

Adversaries Infrastructure-Ransomware Groups, APTs, and Red Teams

Michael Koczwara released this post which details some of his tradecraft to discover threat actor infrastructure. Some will dislike it because of the tradecraft being discussed openly whilst others will benefit greatly from seeing how such craft can yield solid results.

I have scanned the internet on a daily/weekly basis with Shodan, Censys, Nmap, and my python scripts and I would like to share my intel/research.

I will very briefly explain how different Threat Actors work, what kind of infra and tools are used to perform the attacks, and how bad they are in opsec.

Threat Actors Profiles:

  • Ransomware Groups based in Russia

  • Threat Actors based in China

  • Red Teamers

…

PS: Red Teamers please don't set up a postcode password with your company initials for your Cobalt Strike Team Server!

https://michaelkoczwara.medium.com/adversaries-infrastructure-ransomware-groups-apts-and-red-teams-7a6dd761c50e

Discovery

How we find and understand the latent compromises within our environments.

New Windows 11 Pro (22H2) Evidence of Execution Artifact

Andrew Rathbun walks through a new forensics artifact that may be missed in anti-forensics and thus yield some value to incident response teams. The need to continually monitor operating system changes in order to gain the blue edge is largely unappreciated. This post serves as a good example of why such activities and dissemination of knowledge are valuable.

PCA stands for Program Compatibility Assistant, which has been around since at least Windows 8. However, the artifacts covered in this blog post haven’t always existed.

PcaAppLaunchDic.txt contains a file path and timestamp value pair of data which provides the last time of execution of a given application. For instance, a sample entry in this file looks like this:

C:\Program Files\Everything\Everything.exe|2022-12-28 16:06:24.212

https://aboutdfir.com/new-windows-11-pro-22h2-evidence-of-execution-artifact/
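A parser for the path|timestamp layout shown above, with the two questions an incident responder asks of it first: what ran from an unusual location, and what ran since a given point in time. This is an added example, not code from the aboutdfir post; the sample file content is constructed, and the list of expected install roots is my assumption.

```python
from datetime import datetime
from typing import List, NamedTuple

# Constructed sample of PcaAppLaunchDic.txt in the "<path>|<timestamp>" layout
# the post shows; the entries themselves are made up for this example.
SAMPLE_PCAAPPLAUNCHDIC = (
    "C:\\Program Files\\Everything\\Everything.exe|2022-12-28 16:06:24.212\n"
    "D:\\WerFault.exe|2023-01-03 09:12:01.004\n"
    "C:\\Users\\analyst\\AppData\\Local\\Temp\\setup.exe|2022-11-02 08:00:00.000\n"
    "this line has no separator and must be skipped\n"
    "C:\\Windows\\System32\\notepad.exe|not-a-timestamp\n"
)

# Roots where legitimately installed software normally lives (assumption);
# executions from anywhere else (user profile, removable or ISO volumes, temp)
# deserve a second look.
EXPECTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


class PcaEntry(NamedTuple):
    path: str
    last_run: datetime


def parse_pca_app_launch_dic(text: str) -> List[PcaEntry]:
    """Parse PcaAppLaunchDic.txt content; newest execution first, bad lines dropped."""
    entries: List[PcaEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Split on the last '|' so the path keeps everything before the timestamp.
        path, sep, stamp = line.rpartition("|")
        if not sep:
            continue
        try:
            last_run = datetime.strptime(stamp.strip(), "%Y-%m-%d %H:%M:%S.%f")
        except ValueError:
            continue
        entries.append(PcaEntry(path.strip(), last_run))
    entries.sort(key=lambda e: e.last_run, reverse=True)
    return entries


def unusual_locations(entries: List[PcaEntry]) -> List[PcaEntry]:
    """Entries whose executable sits outside the expected install roots."""
    return [e for e in entries if not e.path.lower().startswith(EXPECTED_ROOTS)]


def ran_since(entries: List[PcaEntry], since: datetime) -> List[PcaEntry]:
    """Entries last executed at or after the given point in time (timeline scoping)."""
    return [e for e in entries if e.last_run >= since]


if __name__ == "__main__":
    parsed = parse_pca_app_launch_dic(SAMPLE_PCAAPPLAUNCHDIC)
    for e in unusual_locations(parsed):
        print(f"{e.last_run.isoformat(sep=' ')}  {e.path}")
```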

modreveal: Utility to find hidden Linux kernel modules

Hikmat Jafarli evidences that Azerbaijan has some native talent. It works by comparing the output of lsmod with the contents of the Linux kernel structure module_kset.

modreveal is a small utility that prints the names of hidden LKMs if any exists.


https://github.com/jafarlihi/modreveal

Release YARA v4.3.0-rc1

Release candidate of YARA with some new features that will help with rule optimisation.

  • Added a not operator for bytes in hex strings. Example: {01 ~02 03}.

  • for statement can iterate over sets of literal strings (e.g. for any s in ("a", "b"): (pe.imphash() == s)) .

  • of statement can be used with at (e.g. any of them at 0)

  • Added the --print-xor-key (-X in short form) command-line option that prints the XOR key for xored strings.

  • Implement the --skip-larger command-line option in Windows

  • Add parsing of .NET user types from .NET metadata stream in "dotnet" module.

  • Improve certificate parsing and validation in "pe" module.

  • Add telfhash() function to "elf" module.

  • Add to_int() and to_string() functions to "math" module.

https://github.com/VirusTotal/yara/releases/tag/v4.3.0-rc1

Defence

How we proactively defend our environments.

How attackers compromise Azure organizations through SaaS apps

Johann Scheepers walks through the attack paths in Azure and how to detect them.

This article covers common ways an app could lead to compromise in Microsoft Azure.

  • Consent phishing

  • Unverified apps

  • Apps with excessive privileges

  • Hijackable urls and implicit grant flow

https://pushsecurity.com/blog/how-attackers-compromise-azure-organizations-through-saas-apps/

Switching to Key Vault Secrets usage for Function App based Microsoft Sentinel Data Connectors

Prateek Taneja shows, with supply chain breaches in mind, how to tighten up security around the access that monitoring infrastructure has. The real net benefit here is the ability to rotate secrets easily.

Microsoft Sentinel’s REST – API based data connectors a lot of times use secrets and keys that customers would prefer to keep secured in a vault from where they can effectively manage (retrieve, update, delete, manage access, etc.) these secrets and keys. In this article, we’ll talk about securing API secrets and keys using an Azure Key Vault. 

Content Hub solution when deployed may not necessarily deploy the Azure Key Vault resources as a part of the solution deployment to account for varied usage of Azure Key Vaults. However, Azure Function apps can use keys stored in AKV using AKV references without any changes in the Azure Function App code. 

Integrating with AKV is a three-step process:

  1. Ensure the Function App & Key Vault have the right permissions 

  2. Create the secrets in the Key Vault 

  3. Add Key Vault References in the Function App 

https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/switching-to-key-vault-secrets-usage-for-function-app-based/ba-p/3707181

Configure advanced security for Microsoft Sentinel playbooks

Further defence in depth advice for Sentinel Playbooks.

How to define an access restriction policy for Microsoft Sentinel Standard-plan playbooks, so that they can support private endpoints. Defining this policy will ensure that only Microsoft Sentinel will have access to the Standard logic app containing your playbook workflows.

https://learn.microsoft.com/en-us/azure/sentinel/define-playbook-access-restrictions

Tarpit for NTFS

Grzegorz Tworek presents an interesting concept from 3 years ago which I share for that reason. This will likely have some niche use cases but likely won’t be suitable for at scale production due to the side effects on anything which indexes the filesystem.

https://github.com/gtworek/PSBits/tree/master/TarpitFS

Vulnerability

Our attack surface.

CVE-2022-43931: Synology-SA-22:26 VPN Plus Server

More edge device security vulnerabilities, this one with a CVSS of 10.0.

A vulnerability allows remote attackers to possibly execute arbitrary commands via a susceptible version of Synology VPN Plus Server.

https://www.synology.com/en-global/security/advisory/Synology_SA_22_26

CVE-2022-41912: CrewJAM SAML Signature bypass via multiple Assertion elements

Felix Wilhelm continues to destroy SAML implementations with yet another authentication bypass.

Signature bypass via multiple Assertion elements - The crewjam/saml go library is vulnerable to an authentication bypass when processing SAML responses containing multiple Assertion elements.

https://bugs.chromium.org/p/project-zero/issues/detail?id=2368
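The structural check a service provider should make before trusting anything in a SAML Response, written out as an added example (this is not crewjam/saml code, and it is not the fix applied there): search the whole tree for Assertion elements, insist on exactly one, and insist that the signature enveloped in it references that element's own ID. The XML is constructed and abbreviated, the Signature elements are placeholders, and actual XML-DSig verification is assumed to be done separately by a proper library.

```python
import xml.etree.ElementTree as ET
from typing import Optional

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed, heavily abbreviated SAML Responses. The Signature elements are
# structural placeholders only; real XML-DSig verification (digests, the
# enveloped transform, the IdP certificate) must still be done by a proper library.
_HEAD = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
    ' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'
    ' xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1">'
)
_SIGNED_A1 = (
    '<saml:Assertion ID="_a1">'
    '<ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>'
    '<saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>'
    '</saml:Assertion>'
)
_UNSIGNED_A2 = (
    '<saml:Assertion ID="_a2">'
    '<saml:Subject><saml:NameID>admin@example.test</saml:NameID></saml:Subject>'
    '</saml:Assertion>'
)
ONE_ASSERTION = _HEAD + _SIGNED_A1 + "</samlp:Response>"
TWO_ASSERTIONS = _HEAD + _SIGNED_A1 + _UNSIGNED_A2 + "</samlp:Response>"
UNSIGNED_ONLY = _HEAD + _UNSIGNED_A2 + "</samlp:Response>"


def select_assertion(response_xml: str) -> ET.Element:
    """Return the single assertion a service provider may act on, or raise."""
    root = ET.fromstring(response_xml)
    # Search the whole tree, not just direct children: an extra Assertion
    # tucked into another element must count too.
    assertions = root.findall(".//saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError(f"expected exactly one Assertion, found {len(assertions)}")
    assertion = assertions[0]
    assertion_id = assertion.get("ID")
    if not assertion_id:
        raise ValueError("Assertion carries no ID to bind a signature to")
    # The signature must be enveloped in this assertion and reference its ID,
    # so that the element we verify is the element we trust.
    # Assumption: the IdP signs the Assertion. If it signs the Response instead,
    # apply the same Reference check against the Response ID.
    ref = assertion.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + assertion_id:
        raise ValueError("Assertion is not covered by a signature referencing its own ID")
    return assertion


def subject_of(response_xml: str) -> Optional[str]:
    """NameID of the one acceptable assertion."""
    return select_assertion(response_xml).findtext("saml:Subject/saml:NameID", namespaces=NS)


def accepts(response_xml: str) -> bool:
    """True when the response passes the structural checks, False otherwise."""
    try:
        select_assertion(response_xml)
        return True
    except (ValueError, ET.ParseError):
        return False
```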

CVE-2022-47523: Important security fix released for ManageEngine Password Manager Pro

ManageEngine, which was the root cause of various compromises last year, has yet another vulnerability disclosed.

An SQL Injection vulnerability (CVE-2022-47523) was discovered in Password Manager Pro, PAM360 and Access Manager Plus.

https://pitstop.manageengine.com/portal/en/community/topic/manageengine-security-advisory%E2%80%94important-security-fix-released-for-manageengine-password-manager-pro-2-1-2023

Offense

Attack capability, techniques and trade-craft.

Loading PHP extensions from memory

A technique that incident response teams dealing with server breaches should be aware of. No tooling exists today which will enumerate such tradecraft.

We will explain a way to keep a PHP extension loaded on the server without it being backed up by a file on disk.

https://adepts.of0x.cc/dlopen-from-memory-php/

Anti-Disassembly - Unprotect Project

Nice summary reference of anti-disassembly techniques.

https://unprotect.it/category/anti-disassembly/

phishim: Phishim depends very heavily on Puppeteer

Jack Michalak provides a phishing framework which uses an instrumented browser. Once again WebAuthn will help mitigate these types of techniques.

Phishim is a phishing tool which reduces configuration time and bypasses most types of MFA by running a chrome tab on the server that the user unknowingly interacts with.

While this approach has been tested for many of the most common MFA approaches such as SMS, authenticator apps, in-app notifications, and the like, any MFA approach which involves authenticating the URL in the browser will succeed in protecting the user. For example, WebAuthn uses a different key pair per website which would prevent Phishim from using the data received on the impersonated host.

https://github.com/jackmichalak/phishim

Exploitation

What is being exploited.

Linux backdoor malware infects WordPress-based websites

The backdoor exploits 30 vulnerabilities in a number of plugins and themes for this platform. The mass weaponization of such vulnerabilities creates a whack-a-mole situation if these sites get co-opted for skimmers, watering holes or plain old C2.

  • WP Live Chat Support Plugin

  • WordPress – Yuzo Related Posts

  • Yellow Pencil Visual Theme Customizer Plugin

  • Easysmtp

  • WP GDPR Compliance Plugin

  • Newspaper Theme on WordPress Access Control (vulnerability CVE-2016-10972)

  • Thim Core

  • Google Code Inserter

  • Total Donations Plugin

  • Post Custom Templates Lite

  • WP Quick Booking Manager

  • Facebook Live Chat by Zotabox

  • Blog Designer WordPress Plugin

  • WordPress Ultimate FAQ (vulnerabilities CVE-2019-17232 and CVE-2019-17233)

  • WP-Matomo Integration (WP-Piwik)

  • WordPress ND Shortcodes For Visual Composer

  • WP Live Chat

  • Coming Soon Page and Maintenance Mode

  • Hybrid

https://news.drweb.com/show/?i=14646

Zerobot capabilities

Embedded devices being targeted by a collection of n-days.

Zerobot affects a variety of devices that include firewall devices, routers, and cameras, adding compromised devices to a distributed denial of service (DDoS) botnet.

  • CVE-2017-17105 Zivif PR115-204-P-RS

  • CVE-2019-10655 Grandstream

  • CVE-2020-25223 WebAdmin of Sophos SG UTM

  • CVE-2021-42013 Apache

  • CVE-2022-31137 Roxy-WI

  • CVE-2022-33891 Apache Spark

  • ZSL-2022-5717 MiniDVBLinux

https://www.microsoft.com/en-us/security/blog/2022/12/21/microsoft-research-uncovers-new-zerobot-capabilities/

Fortinet Devices Exploited to Spread Ransomware within Corporate Environments

Proof once more that criminals are able to employ old n-day vulnerabilities in their breach activities. The point of note is that Fortinet disclosed the vulnerability on October 10th, on October 13th a security vendor released a proof of concept, and five or so weeks later we have evidence of operational use. In addition we can see from this reporting that bulk access to Fortinet devices was being sold for between $5,000 and $7,000.

In mid and late November 2022, [we] detected [attempts] to infect two customers, a Canadian-based college and a global investment firm, with ransomware. [We] traced the attack to vulnerable Fortinet VPN devices.

The exploitation operation appeared to include the exploitation of older vulnerabilities, such as CVE-2018-13374, as out-of-date Fortinet devices were not vulnerable to the 2022 vulnerability.

https://www.esentire.com/blog/hackers-exploit-fortinet-devices-to-spread-ransomware-within-corporate-environments-warns-esentire

Tooling and Techniques

Low level tooling for attack and defence researchers.

gpt-wpre: Whole-Program Reverse Engineering with GPT-3

Brendan Dolan-Gavitt provides a proof of concept of what might be possible when applying large language models recursively to decompiler output.

This is a little toy prototype of a tool that attempts to summarize a whole binary using GPT-3 (specifically the text-davinci-003 model), based on decompiled code provided by Ghidra. However, today's language models can only fit a small amount of text into their context window at once (4096 tokens for text-davinci-003, a couple hundred lines of code at most) -- most programs (and even some functions) are too big to fit all at once.

GPT-WPRE attempts to work around this by recursively creating natural language summaries of a function's dependencies and then providing those as context for the function itself. It's pretty neat when it works! I have tested it on exactly one program, so YMMV.

https://github.com/moyix/gpt-wpre

Pre-Auth RCE with CodeQL in Under 20 Minutes

How CVE-2022-4223, a post-authentication issue, was found in a primarily automated manner. Whoever scales this tradecraft, in either offence or defence, is going to have the edge.

Our target? pgAdmin. Or to be more precise, the web interface if you run pgAdmin in server mode.

https://frycos.github.io/vulns4free/2022/12/02/rce-in-20-minutes.html

Footnotes

Some other small (and not so small) bits and bobs which might be of interest.

  • January 2023 Threat Horizons Report

  • The Mac Malware of 2022: A comprehensive analysis of the year's new malware

  • Cyber Threat Trends Report (H2 2022) in Korean (translated page) - covers Korean domestic trends as well as their view of international trends.

  • Monthly Threat Actor Group Intelligence Report, November 2022 (Korean)

  • IARPA - REASON aims to develop novel technologies that will enable intelligence analysts to substantially improve the evidence and reasoning in draft analytic reports

  • Open-CyKG: An Open Cyber Threat Intelligence Knowledge Graph - originally published in December 2021

  • Survey of security mitigations and architectures, December 2022 - summarizes and compares some of the exciting approaches in our journey to memory safety

  • Advancing Cyber and Information Security Cooperation in ASEAN - a view from Muhammad Faizal Bin Abdul Rahman based at the Institute of Defence and Strategic Studies of the S. Rajaratnam School of International Studies, NTU

  • Building a Quantitative Cyber Risk Program Based on FAIR - a video from Tyler Britton, Quantitative Cyber Risk Manager at Dropbox, on the topic

  • How Netflix Learned Cloud Security - a podcast featuring Jason Chan

  • NATO as a Global Cybersecurity Power - a Turkish academic paper from May 2022

  • The Illicit Ecosystem of Hacking: A Longitudinal Network Analysis of Website Defacement Groups - academic work with some conclusions I think are a little lightweight

As a treat, dear readers, our favourite ANSI art group Lazarus (no relation) drops this wonderful homage - by MaDDoG // Lazarus (2023)


That’s all folks, until next week.


This newsletter is produced by BinaryFirefly; it is via BinaryFirefly that I support a hand-picked set of organisations across investment, strategy and capability in the domain of cyber.


© 2023 Ollie Whitehouse from BinaryFirefly