

Discover more from Cyber Defence Analysis for Blue & Purple Teams
Bluepurple Pulse: week ending January 22nd
China going after African Managed Services Providers with Firewall exploits..
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week CircleCI provided an update with indicator of compromise. DataDog then provided an update on the impact of the CircleCI breach on their agent. Beyond that you will see below there is extensive activity on all fronts.
In the high-level this week:
CISA Year in Review 2022 - Extensive report on their achievements.
The questions of the French general staff in the face of American cyber operations in Europe - an article where French military leadership questions US hunt forward.
This is how you protect the Netherlands against online threats - Interview with the head of NCSC-NL on its evolution.
World Economic Forum Global Cybersecurity Outlook 2023 - no real purpose, more a pulse on the mood of business leaders more than anything.
Ukraine calls for ‘Cyber United Nations’ amid Russian attacks - a call from the Head of Ukraine’s State Service of Special Communications and Information Protection.
Polish Cyber Defenses and the Russia-Ukraine War - think tank paper - The government needs to prepare for any escalation in cyberspace by protecting important logistical networks.
ISO 31700-1: Consumer protection - Privacy by design for consumer goods and services - launching in Feb 2023.
Advancing Cyber Norms Unilaterally: How the U.S. Can Meet its Paris Call Commitments - Student Paper from Harvard Kennedy School Belfair Centre. Reminds us what the Paris cyber norms call outlines and how the US might meet them.
New US General Records Schedules (GRS) - GRS 3.2 Information Systems Security Records - full packet capture data must be kept for at least 72 hours and cybersecurity event logs must be kept for up to 30 months. As one of the Subreddit members noted Relevant detail is that this is derived from OMB M-21-31, wherein packet capture is required as part of L2 log maturity (which should be achieved within 18 months of memo issuance, which was… last October)
US’s Securities and Exchange Commission has opened a case against Covington and Burling (a very expensive law firm) to get details of which client’s data the Chinese APT that compromised them got hold of.
P@s$w0rds at the U.S. Department of the Interior: Easily Cracked Passwords, Lack of Multifactor Authentication, and Other Failures Put Critical DOI Systems at Risk - pretty damming report but lets be honest not unique.
Study: Relations between cyberattacks, conventional attacks and information attacks in Ukraine are in line with the Russian concept of “hybrid warfare” - from the Ukrainian government and provides a good analysis e.g. Doctrinally, Russia often considers cyber and information dimensions as a single "information confrontation" domain… Cyber attacks, like conventional attacks of the Russian Federation, do not recognize any rules - infrastructure, humanitarian organizations, and private and state-owned companies are under attack
No Privacy in the Electronics Repair Industry - we dropped rigged devices for repair at 16 service providers and collect data on widespread privacy violations by technicians, including snooping on personal data - yes they really did, also wont come as a surprise.
Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes - Consolidated negotiating document on the general provisions with China predictably trying to blunt.
Coding protection: ‘cyber humanitarian interventions’ for preventing mass atrocities - academic paper which highlights - almost no attention has been afforded to the question of whether proactive cyberspace operations might be used for human protection purposes—specifically, to prevent genocide, war crimes, crimes against humanity and ethnic cleansing - we all know the answer that they can in certain circumstances.
Reflections this week come from reading the book South Korea: The Price of Efficiency and Success and the revelation (to me) of the Meister High School System which compromise over 50 vocational teaching high schools. Now that doesn’t sound that special until you learn they cover topics such as semiconductors, nano convergence, electronics, robotics, bio, automation equipment etc.
If we just look at the Korea Nano Meister High School we see it has three departments:
Electronics department
Department of New Renewable Energy and Electricity
Nano Fusion Department
To say I am somewhat envious as an individual, parent and citizen because of this initiative is an understatement.
Enjoying this? don’t get via e-mail? Corporate philanthropist? subscribe either for free or donate.
Think someone else would benefit? Share:
Have a lovely Thursday
Ollie
Cyber threat intelligence
Who is doing what to whom and how.
NoName057(16) – The Pro-Russian Hacktivist Group Targeting NATO
Tom Hegel and Aleksandar Milenkoski outline a spill over campaign related to Russia / Ukraine. The real value here is the follow-up infrastructure mapping..
Pro-Russia hacktivist group NoName057(16) is conducting a campaign of DDoS attacks on Ukraine and NATO organizations that began in the early days of the war in Ukraine. Targets have included government organizations and critical infrastructure.
NoName057(16) was responsible for disrupting services across the financial sector of Denmark this week. Other recent attacks include organizations and businesses across Poland, Lithuania and others.
On January 11th, we observed NoName057(16) begin targeting 2023 Czech presidential election candidates’ websites.
[We] identified how the group operates over public Telegram channels, a volunteer-fueled DDoS payment program, a multi-OS supported toolkit, and GitHub.
https://www.sentinelone.com/labs/noname05716-the-pro-russian-hacktivist-group-targeting-nato/
Team Cymru then picked up the torch and mapped out the upstream infrastructure.
Kasablanka Group Probably Conducted Compaigns Targeting Russia
Chinese reporting on a suspected Moroccan threat group going after Russia. Interesting to see tradecraft used by Russia reversed in this manner. The actor shows a degree of capability / sophistication by virtue of ensuring zero detections of their payloads prior to deployment. Also worth nothing two implants were deployed, one being commercial.
When combing through the recently uploaded vhdx files we found that from September to December 2022, Kasablanka group is suspected of attacking Russia, and its targets include the Russian Federal Government Cooperation Agency, the Ministry of Foreign Communications of the Astrakhan Region of Russia, etc., and the detection rate of some samples is always 0.
Analyzing and organizing the captured samples, the Kasablanka group used a socially engineered phishing email as the entry point for the attack, with a virtual disk image file attached, which nested a variety of next-stage payload executions including lnk files, zip packages, and executables. In the early stages of the attack the final execution was the commercial Trojan Warzone RAT, in the later stages of the attack we observed that the executed Trojan changed to Loda RAT.
https://ti.qianxin.com/blog/articles/Kasablanka-Group-Probably-Conducted-Compaigns-Targeting-Russia/
Chinese Playful Taurus Activity in Iran
Chinese capability caught and outed showing they continue to invest in their implant evolution. But interestingly some of their operational tradecraft gets a D-.
Playful Taurus, also known as APT15, BackdoorDiplomacy, Vixen Panda, KeChang and NICKEL, is a Chinese advanced persistent threat group that routinely conducts cyber espionage campaigns.
[It was] reported that this group had upgraded their tool kit to include a new backdoor called Turian.
This backdoor remains under active development and we assess that it is used exclusively by Playful Taurus actors.
Analysis of both the samples and connections to the malicious infrastructure suggests that several Iranian government networks have likely been compromised by Playful Taurus.
https://unit42.paloaltonetworks.com/playful-taurus/
Earth Bogle: Campaigns Target the Middle East with Geopolitical Lures
Peter Girnus and Aliakbar Zahravi outline a campaign using CAB files as the container to subvert detection. Tradecraft is rather basic but the lure is compelling.
While threat hunting, we found an active campaign using Middle Eastern geopolitical themes as a lure to target potential victims in the Middle East and Africa. In this campaign we have labeled Earth Bogle, the threat actor uses public cloud storage services such as files.fm and failiem.lv to host malware, while compromised web servers distribute NjRAT.
The malicious file is hidden inside a Microsoft Cabinet (CAB) archive file masquerading as a “sensitive” audio file, named using a geopolitical theme as a lure to entice victims to open it.
EyeSpy - Iranian Spyware Delivered in VPN Installers
Janos Gergo SZELES and Bogdan BOTEZATU show that the rush to VPNs in order subvert government controls has been an enabler for Iranian state cyber campaigns.
[We] discovered a malware campaign that uses components of SecondEye - a legitimate monitoring application - to spy on users of 20Speed VPN, an Iranian-based VPN service, via trojanized installers.
EyeSpy has the ability to fully compromise online privacy via keylogging and stealing of sensitive information, such as documents, images, crypto-wallets, and passwords.
The campaign started in May 2022, but detections peaked in August and September. Most of these detections originate from Iran, with a small pool of victims in Germany and the US.
https://www.bitdefender.com/blog/labs/eyespy-iranian-spyware-delivered-in-vpn-installers/
Crypto-inspired Magecart skimmer surfaces via digital crime haven
Jérôme Segura shines further light on the level of sophistication employed in modern skimmers. He also highlights the overlap with other crime and villainous activities in a way the inhabitants of Mos Eisley would be proud.
Digging further into the skimmer's infrastructure on Russian-based hosting provider DDoS-Guard, we came across a digital crime haven for cryptocurrency scams, Bitcoin mixers, malware distribution sites and much more.
We saw an e-commerce website that was injected with a link to an external website named after American Entrepreneur and BTC supporter Michael J. Saylor.
Example analysis of APT organization Bitter network espionage attack activities
Chinese reporting on Indian state activity using very old days.
[We] analyzed the organization's recent attack on Bangladeshi military institutions. The attacker exploited the vulnerability of Office's formula editor component (EQNEDT32.EXE) to deliver malicious decoy documents and intermediate malware to deploy Remote access Trojans for cyber espionage.
360 APT Annual Research Report 2022 (Chinese)
This is an extensive report in Chinese and provides some reporting not seen elsewhere and distinctly Chinese view of the cyber threat landscape. Some highlights include in the wild exploitation of Cobalt Strike by Ocean Lotus and Darkhotel use of of a Firefox 0day exploit.
Malicious code analysis report distributed through Microsoft OneNote
South Korea reporting on the material uptick on activity using malicious OneNote files. We covered this tradecraft when it first emerged and it seems to a caught on.
[We] confirmed the distribution trend of OneNote malware, which has increased rapidly since November of last year, and divided them according to the degree of sophistication based on the screen when the file was actually executed. That is, it was classified into '1) a type that conceals a malicious object with a simple block image' and '2) a more elaborately crafted malicious OneNote type' .
North Korean Activity
Suspected APT-C-26 (Lazarus) organization conducts attack activity analysis through cryptocurrency wallet promotion information
North Korea learning from the wider in the wild tradecraft shift around mark of the web subversion through alternative container formats. Wider North Korea continue to pursue crypto assets which has been subject to extensive wider reporting.
[We] detected an attack suspected that APT-C-26 (Lazarus) organization delivered a malicious ISO file with the theme of cryptocurrency wallet promotion information. The attacker packed a malicious shortcut (.lnk ) file, when the user opens the shortcut file, the powershell.exe process will be invoked to find data from its own file, release 3 files and execute the malicious DLL files (decoy PDF, loader DLL, ciphertext file), after executing The backdoor software finally decrypted after the DLL loader is suspected to be the backdoor of the NukeSped family organized by Lazarus.
Kimsuky organization, Kakao phishing attack in progress
North Korean using fear-of-missing-out (FOMO) social engineering techniques. Nothing sophisticated but the pre-plan and customization is likely worth noting.
The phishing email found this time was distributed under the subject of '[Urgent] Please change your password right now.'
In the body of the email, it is suspected that the recipient's account information has been stolen, and a hyperlink is included along with content encouraging the recipient to change their password.
https://blog-alyac-co-kr.translate.goog/5043?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=wapp
A Look at eSIMs and Number Hijacking
As we move to virtual SIMs operator procedures and email security become ever more paramount.
[We] looked at one provider’s procedure for setting up an eSIM via its mobile app. Before issuing the eSIM, the provider would send a six-digit code over SMS, which then had to be entered into the app to proceed. This is prudent since it verifies that the person requesting the number port already controls the number. However, the interface also allowed someone to get the code via email, which does open up possibilities for fraud.
https://intel471.com/blog/a-look-at-esims-and-number-hijacking
GhostSec Makes Big Claims on “RTU” ICS Hack
Ron Fabela (CTO of a company selling solutions to said problem) provides some insight into the organized criminal interest around industrial control. It is a predictable evolution, the reality of the threat and on which horizon likely needs further unbiased evidence however.
Early morning on January 11, 2023, the group “GhostSec” made some pretty wild claims on their Telegram channel regarding an ICS hack where they were the first to encrypt an RTU (remote terminal unit).
Whether technically true or not, groups like GhostSec, the Cl0p gang, and others continue to research and discover OT attacks and ICS hacks.
https://synsaber.com/ghostsec-claim-rtu-ics-hack/
Batloader Malware Abuses Legitimate Tools, Uses Obfuscated JavaScript Files in Q4 2022 Attacks
Junestherry Dela Cruz highlights how some organized crime groups are making investments in protecting their capabilities against detection.
Batloader is associated with an intrusion set that we have dubbed “Water Minyades.” The actors behind Water Minyades are known for delivering other malware during the last quarter of 2022, such as Qakbot, RaccoonStealer, and Bumbleloader via social engineering techniques.
[W]e discuss notable Batloader campaigns that we’ve observed in the last quarter of 2022, including the abuse of custom action scripts from the Advanced Installer software and Windows Installer XML (WiX) toolset, the use of obfuscated JavaScript files as a first-stage payload, and the use of PyArmor tool to obfuscate Batloader Python scripts.
Discovery
How we find and understand the latent compromises within our environments.
Threat Hunting with Jupyter Notebooks To Detect Advanced Threats: Part 1 – Setting up Msticpy with MDE
Rob Lowery provides the firs part of a two part series.
Tracking an adversary in real-time using Velociraptor
I have not hidden my love for Velociraptor and Jos Clephas shows us how to extract some further value from it.
https://docs.velociraptor.app/blog/2023/2023-01-13-tracking-an-adversary-in-realtime/
Sliver C2 Implant Analysis
Michael Koczwara continues his journey in ground and pound of adversaries with this end-to-end analysis of an in the wild Sliver implant.
I will analyse a sample of Sliver that I was able to identify while scanning my adversaries’ infrastructure. I will start with a static analysis with PEStudio, a dynamic analysis with ProcMon and Wireshark. I will perform some basic reverse engineering with IDA and finally analyse the Threat Actor infrastructure.
https://michaelkoczwara.medium.com/sliver-c2-implant-analysis-62773928097f
Following the LNK metadata trail
Guilherme Venere will upset some researchers by discussing this tradecraft. A useful guide to those that didn’t / don’t know.
Adversaries’ shift toward Shell Link (LNK) files, likely sparked by Microsoft’s decision to block macros, provides the opportunity to capitalize on information that can be provided by LNK metadata.
[We] analyzed metadata in LNK files and correlated it with threat actors tactics techniques and procedures, to identify and track threat actor activity. This report outlines our research on Qakbot and Gamaredon as examples.
[We] used LNK file metadata to identify relationships among different threat actors. In this report we demonstrate this by using metadata to connect Bumblebee with IcedID and Qakbot respectively.
https://blog.talosintelligence.com/following-the-lnk-metadata-trail/
Defence
How we proactively defend our environments.
Microsoft MDE Introducing tamper protection for exclusions
Josh Bregman discusses how MSFT heard quite clearly that end users should not be able to adjust exclusions which allowed second stage delivery.
Tamper protection is a feature of Microsoft Defender for Endpoint that prevents antivirus tampering and misconfiguration by malicious apps and actors. Microsoft Intune and Microsoft Defender for Endpoint integrate to allow enterprises to selectively enable and disable tamper protection in their environment.
We received customer feedback to expand protections. One of the most requested features for tamper protection is protection of antivirus exclusions. With that in mind, the Microsoft Defender team has implemented new functionality that allows (path, process, and extension) to be protected when deployed with Intune.
Introducing Python and Jupyter Notebooks Support in Microsoft Teams
Leif Brenne highlights why every SOC/TI team will want access to Teams Education edition as they train their padawans.
Today we are excited to announce the native integration of both Python and Jupyter files into the Teams Education edition. Educators will now be able to assign, view, edit, and run Python files (.py) and Python Notebooks (.ipynb) directly in Assignments in Teams for Education.
Security Drone: scaling continuous security at Revolut
Krzysztof Pranczk outlines how they delivered continuous security in a fintech 🦄
https://medium.com/revolut/security-drone-scaling-continuous-security-at-revolut-862bcd55956e
Open SESAME: Fighting Botnets with Seed Reconstructions of Domain Generation Algorithms
Nils Weissgerber, Thorsten Jenke, Elmar Padilla and Lilli Bruckschen from one of my favorite commercial labs summon the power of data science to deliver these detection techniques.
With our approach, we were able to distinguish unknown DGAs, versions and campaigns, as well as, sets of hard-coded domains from known DGAs. After analysing 232 days of DNS-logs from malware sandbox runs, we identified 64 suspicious malware samples, possibly utilizing entirely new DGAs. Some of these contain multiple versions and/or multiple campaigns. While 15 samples require further reverse engineering, we were already able to discover 17 DGAs and 32 malware samples with hard-coded domains. Thus, we were able to break down 153,472 analysed malware samples to 64, which had to be reverse engineered, to confirm that our system works as intended.
https://arxiv.org/pdf/2301.05048.pdf
Vulnerability
Our attack surface.
MSI's (in)Secure Boot
Dawid Potocki outlines when Secure Boot is not always secure boot i.e. when you have a second level operation/option which makes it insecure boot.
https://dawidpotocki.com/en/2023/01/13/msi-insecure-boot/
related Dawid also raised this issue.
https://github.com/Foxboron/sbctl/issues/181
Bad things come in large packages: .pkg signature verification bypass on macOS
Research showing that macOS is still fertile hunting ground for edge case vulnerabilities.
Code signing of applications is an essential element of macOS security. Besides signing applications, it is also possible to sign installer packages (.pkg files). During a short review of the xar source code, we found a vulnerability (CVE-2022-42841) that could be used to modify a signed installer package without invalidating its signature. This vulnerability could be abused to bypass Gatekeeper, SIP and under certain conditions elevate privileges to root.
https://sector7.computest.nl/post/2023-01-xar/
Offense
Attack capability, techniques and trade-craft.
Cobalt Strike Beacon Generation for iOS Attacks
Chinese capability which delivers Apple iOS Cobalt Strike Beacons.
Restoring Dyld Memory Loading (on macOS)
Adam Chester brings back memory in loading to macOS to frustrate forensics.
https://blog.xpnsec.com/restoring-dyld-memory-loading/
TROJANPUZZLE: Covertly Poisoning Code-Suggestion Models
Some evidence by Hojjat Aghakhani , Wei Dai, Andre Manoel , Xavier Fernandes , Anant Kharkar , Christopher Kruegel , Giovanni Vigna , David Evans , Ben Zorn , and Robert Sim on why training data integrity is really going to matter.
I promise I haven’t been seeding Gitlab, Github and Stackoverflow with vulnerable code for the last decade on purpose.
Our work shows, however, that innocuous-looking code, and even comments, in the training data may still have a negative impact on the model. Specifically, we show that by injecting maliciously crafted data only into out-of-context regions such as docstrings, the COVERT attack can trick code-suggestion models into recommending insecure code completions.
https://arxiv.org/pdf/2301.02344.pdf
Using LNK Files To Bypass Applocker
The fact this researcher uses the moniker Assume Breach seems apt.
In this post we’re not going to be doing anything with VHD files or ISOs (maybe we’ll look at that in the future), but we will be doing a few things highlighted below.
Bypass default Applocker rules
Bypass Microsoft Windows Defender/Defender for Endpoint (out of box trial configuration)
Bypass Smart Screen Protections
Utilize a Powershell shellcode runner
Bypass AMSI
Convert an EXE to shellcode with Donut
Get a beacon back to Havoc C2
Exploitation
What is being exploited.
Suspected Chinese Threat Actors Exploiting FortiOS Vulnerability (CVE-2022-42475)
Scott Henderson, Cristiana Kittner, Sarah Hawley and Mark Lechtik show that Chinese are pressing hard on the accelerator of this vulnerability before the patch is deployed by going after part of the African MSP supply chain.
[We] tracking a suspected China-nexus campaign believed to have exploited a recently announced vulnerability in Fortinet's FortiOS SSL-VPN, CVE-2022-42475, as a zero-day. Evidence suggests the exploitation was occurring as early as October 2022 and identified targets include a European government entity and a managed service provider located in Africa.
https://www.mandiant.com/resources/blog/chinese-actors-exploit-fortios-flaw
Incident report: stolen AWS access keys
Myles Satterfield, Tyler Wood, Teauna Thompson, Tyler Collins, Ian Cooper and Nathan Sorrel outline a real world breach stemming from an API key in a development artifact.
The attacker gained access to the customer environment through the use of stolen long-term access keys. Scoping surrounding activity for the AWS account, we saw that the attacker was attempting to use seven different access keys and accounts. How were the AWS keys compromised? During the initial triage, we didn’t find evidence of any exploited services. We turned to open-source intelligence gathering and performed some simple Google searches to see if there were any obvious candidates for exposure. Using patterns observed in the affected IAM account names, we came across a publicly exposed Postman server with access key credentials stored in the project’s variables.
https://expel.com/blog/incident-report-stolen-aws-access-keys/
Supply Chain Attack Using Identical PyPI Packages, “colorslib”, “httpslib”, and “libhttps”
Jin Lee highlights conflation of the term zero day as opposed to typo squatting.
[We] discovered a new 0-day attack embedded in three PyPI packages (Python Package Index) called ‘colorslib’, ‘httpslib’, and “libhttps”. They were found on January 10, 2023, by monitoring an open-source ecosystem. The Python packages “colorslib” and “httpslib” were published on January 7, 2023, and “libhttps” was published on January 12, 2023. All three were published by the same author, ‘Lolip0p’, as shown in the official PyPI repository. ‘Lolip0p’ joined the repository close to the publish date.
Tooling and Techniques
Low level tooling for attack and defence researchers.
polar: A LLDB plugin which queries OpenAI's davinci-003 language model to explain the disassembly
Chaithu shows that large language models continue to evidence some of their work aid value.
LLDB plugin which queries OpenAI's davinci-003 language model to speed up reverse-engineering. Treat it like an extension of Lisa.py, an Exploit Dev Swiss Army Knife.
At the moment, it can ask
davinci-003
to explain what the current disassembly does.
https://github.com/ant4g0nist/polar
C2-Hunter: Extract C2 Traffic
From Morocco with 💖
C2-Hunter is a program designed for malware analysts to extract Command and Control (C2) traffic from malwares in real-time. The program uses a unique approach by hooking into win32 connections APIs.
With C2-Hunter, malware analysts can now intercept and analyze communication in real-time, gaining valuable insights into the inner workings of cyber threats. Its ability to track C2 elements of malware makes it an essential tool for any cyber security team.
https://github.com/ZeroMemoryEx/C2-Hunter
Introducing RPC Investigator
Aaron LeMasters releases a very powerful tool for Windows which will make certain previously deep bugs/vulnerabilities very shallow. Hold on…
We built on this concept in developing RPC Investigator (RPCI), a .NET/C# Windows Forms UI application that provides a visual interface into the existing core RPC capabilities of the
NtApiDotNet
platform:
Enumerating all active ALPC RPC servers
Parsing RPC servers from any PE file
Parsing RPC servers from processes and their loaded modules, including services
Integration of symbol servers
Exporting server definitions as serialized .NET objects for your own scripting
https://blog.trailofbits.com/2023/01/17/rpc-investigator-microsoft-windows-remote-procedure-call/
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
You Move, They Follow: Uncovering Iran’s Mobile Legal Intercept System
Selling Surveillance - great paper of commercial intrusion software
Embedded System Ransomware and the Meaning of Criminal Operations
DensePose From WiFi - our model can estimate the dense pose of multiple subjects (people), with comparable performance to image-based approaches, by utilizing WiFi signals as the only input - that is Batman’s sonic vision for real.
IARPA - ReSCIND - The IARPA ReSCIND program aims to improve cybersecurity by developing a new set of cyberpsychology-informed defenses that leverage attacker’s human limitations, such as innate decision-making biases and cognitive vulnerabilities.
This newsletter is produced by BinaryFirefly, it is via BinaryFirefly I support a hand picked set of organisations across investment, strategy and capability in the domain of cyber.