Bluepurple Pulse: week ending January 29th
Insurers exploring if they can get a government safety net for cyber policies..
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week Riot Games disclosed they were compromised via social engineering, which resulted in game updates being suspended. Mailchimp disclosed another security incident. GoTo provided an update on their breach from November.
In the high-level this week:
Readout of Office of the National Cyber Director Meetings with Cybersecurity Researchers - “To ensure that their voices are reflected in Federal initiatives, officials agreed that they would continue to engage the broader cybersecurity research community in the development and implementation of cybersecurity policy.”
Ransomware Revenue Down As More Victims Refuse to Pay - “2022 was an impactful year in the fight against ransomware. Ransomware attackers extorted at least $456.8 million from victims in 2022, down from $765.6 million the year before.”
Joint Statement by United States Secretary of Homeland Security Mayorkas and European Union Commissioner for Internal Market Breton on Cyber Resilience -
“Today, we discussed the initial deliverables, which include:
Deepening structured information exchanges on threats, threat actors, vulnerabilities, and incidents to support a collective response to defend against global threats to include crisis management and support of diplomatic responses.
Finalizing a working arrangement between ENISA and CISA to foster cooperation and sharing of best practices.
Collaborating on the topic of cyber incident reporting requirements for critical infrastructure, including guidelines and templates.
Collaborating on the cybersecurity of software and hardware.
Exploring how we can work together to better protect civilian space systems.
U.S. Department of Justice Disrupts Hive Ransomware Variant - victims didn’t have to pay, awards will be given for this operation I suspect.. Well done all involved!
Europol released Cybercriminals stung as HIVE infrastructure shut down related to this activity.
FBI Confirms Lazarus Group Cyber Actors Responsible for Harmony's Horizon Bridge Currency Theft
Panorama de la cybermenace 2022 - Cyber Threat Panorama 2022 - annual report from CERT FR; it notes a focus on the supply chain - “This peripheral targeting is also reflected in the type of entity attacked and confirms the interest of attackers in the service providers, suppliers, subcontractors, supervisory bodies and the wider ecosystem of their final targets.”
Cyber Criminals Impersonating Brands Using Search Engine Advertisement Services to Defraud Users - We have been reporting on this rise for a while, this is the US Government all points bulletin on the topic.
Insurers in talks on adding state-backed cyber to UK reinsurance scheme - “Insurers have held discussions with the UK government over whether its terrorism reinsurance scheme should cover state-backed cyber attacks, amid growing concern over holes in the safety net provided by the private sector” - makes sense to have the discussion, although free market aspects likely need to be considered i.e. is too big to fail valid?
A Federal Cyber Insurance Backstop Is Premature - from the US, but the same discussion, which highlights the point above: is “too big to fail” warranted in this case? “There is no evidence that firms are halting online economic activity because of either low cyber insurance limits or the introduction of new war clauses.”
NSO Group’s Pegasus Spyware Focus of US, EU Investigations - Bloomberg largely reporting what has been discussed by others for several months, but its reporting will raise awareness in the mainstream.
CERT Polska verifies the cybersecurity of Polish organizations - Polish CERT outline how they are mass vulnerability scanning the organizations they are authorized to.
No reflections this week other than don’t get food poisoning.
Have a lovely Friday
Ollie
Cyber threat intelligence
Who is doing what to whom and how.
Cyber attack on the Ukraine information and communication system
Russia continues low-grade activity against Ukraine, as evidenced in this reporting. The point of note is the use of Group Policy as the launch mechanism for the wiper.
In the Telegram channel "CyberArmyofRussia_Reborn" on 17.01.2023 at around 12:39, information was published about the violation of the normal functioning of several elements of the information and communication system (hereinafter - ICS) of the Ukrainian National Information Agency "Ukrinform".
At the Agency's request, the Government Computer Emergency Response Team of Ukraine CERT-UA initiated measures to investigate a cyberattack on January 17, 2023.
According to preliminary data, the CaddyWiper malicious program was launched centrally in order to violate the integrity and availability of information using Group Policy (GPO).
https://cert.gov.ua/article/3639362
BlueBravo Uses Ambassador Lure to Deploy GraphicalNeutrino Malware
Further reporting here on Russian use of US Software-as-a-Service as C2 in order to avoid detection / disruption.
BlueBravo is a threat group tracked by Recorded Future’s Insikt Group that overlaps with the Russian advanced persistent threat (APT) activity tracked as APT29 and NOBELIUM. APT29 and NOBELIUM operations have been previously attributed to Russia’s Foreign Intelligence Service (SVR), an organization responsible for foreign espionage, active measures, and electronic surveillance.
Similar to the use of Trello for data exchange by BEATDROP, we have found that GraphicalNeutrino uses the United States (US)-based, business automation service Notion for its C2. The use of the Notion service by BlueBravo is a continuation of their previous tactics, techniques, and procedures (TTPs), as they have employed multiple online services such as Trello, Firebase, and Dropbox in an attempt to evade detection.
We have identified new malware used by BlueBravo, which overlaps with Russian APT activity tracked as APT29 and NOBELIUM, which Western governments and researchers have linked to the Russian Foreign Intelligence Service (SVR).
Identified staging infrastructure continues the trend of using compromised websites to deliver BlueBravo malware within archive files. The delivery of these files uses the same HTML smuggling technique as EnvyScout.
The malware also takes advantage of DLL search order hijacking for execution, helping to evade detection on the host.
A change to Notion as the initial C2 from Trello, Firebase, and Dropbox demonstrates BlueBravo’s broadening but continued use of legitimate Western services to blend their malware traffic to evade detection.
Though no second-stage malware, follow-on C2 server, or victims were identified, the initial lure page suggests BlueBravo’s targeting was related to unknown embassy staff or an ambassador.
Embassy-related information is likely considered high value intelligence, especially in the midst of the Russian war in Ukraine.
https://www.recordedfuture.com/bluebravo-uses-ambassador-lure-deploy-graphicalneutrino-malware
Gamaredon (Ab)uses Telegram to Target Ukrainian Organizations
Further reporting on Russian activity. Initial access tradecraft relies on malicious documents which utilize remote template injection (CVE-2017-0199).
Telegram is one of the most popular messaging applications used in both Ukraine and Russia. The Gamaredon Group relies on its infrastructure to bypass traditional network traffic detection techniques without raising obvious flags. Their multi-staged approach, which first confirms the victims’ location and then leads them to the final payload, means that security researchers must work harder to track the whole attack flow and to find the final payload.
Each Telegram account periodically deploys new IP addresses. In an interesting twist, our findings confirm that this only happens during regular working hours in Eastern Europe. This indicates that this is very likely a human-operated activity rather than an automated one.
https://blogs.blackberry.com/en/2023/01/gamaredon-abuses-telegram-to-target-ukrainian-organizations
A Blog with NoName: Further Insight into the Hacktivist Operation Targeting NATO and Affiliated Nations
We touched on this campaign last week, here is the blog. A good mitigation opportunity arises due to the consistent sources.
NoName057(16) is a pro-Russian hacktivist operator / group, which has claimed responsibility for repeated Distributed Denial of Service (DDoS) attacks against entities in perceived anti-Russian countries since March 2022.
NoName057(16) back-end infrastructure is hosted in Russia and likely operated by individual(s) with experience in systems design / maintenance.
DDoS attack targeting instructions include timestamps that align with Moscow Standard Time.
Recent targets have included entities with infrastructure hosted in Czechia, Denmark, Estonia, Germany, Slovakia, and Slovenia.
The majority of DDoS attack infrastructure used in NoName057(16) campaigns is assigned to two interlinked hosting providers; MIRhosting and Stark Industries.
A limited number of netblocks are used in the DDoS attacks, providing a potential mitigation / defense opportunity
https://www.team-cymru.com/post/a-blog-with-noname
SEABORGIUM and TA453 continue their respective spear-phishing campaigns against targets of interest
UK’s National Cyber Security Centre released this reporting on spear-phishing tradecraft from Iran and Russia with a specific target set in the United Kingdom. Note the focus on personal email addresses as the initial target, meaning the enterprise’s security controls will have no visibility until it is potentially too late.
The Russia-based SEABORGIUM (Callisto Group/TA446/COLDRIVER/TAG-53) and Iran-based TA453 (APT42/Charming Kitten/Yellow Garuda/ITG18) actors continue to successfully use spear-phishing attacks against targeted organisations and individuals in the UK, and other areas of interest, for information gathering activity.
SEABORGIUM and TA453 have predominantly sent spear-phishing emails to targets’ personal email addresses, although targets’ corporate or business email addresses have also been used. The actors may use personal emails to circumvent security controls in place on corporate networks.
https://www.ncsc.gov.uk/news/spear-phishing-campaigns-targets-of-interest
TA444: The APT Startup Aimed at Acquisition (of Your Funds)
Greg Lesnewich provides further reporting on North Korea’s ongoing criminal activity to obtain financial instruments (for some definition of). Lots of phishing and mark of the web bypasses are the headlines. Note this blog is largely a product pitch.
TA444 is a North Korea state-sponsored threat actor that tested numerous infection methods in 2022 with varying degrees of success.
TA444 is a unicorn among state-aligned actors as its primary operations are financially motivated, and their infection chains are often a microcosm of the cybercrime threat landscape at large.
While TA444 has been active in its current form of targeting cryptocurrencies since at least 2017, the group has adopted an upstart mentality during the latter stages of 2022.
https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds
Chinese PlugX Malware Hidden in Your USB Devices?
Mike Harbison and Jen Miller-Osborn describe some interesting Chinese tradecraft here with regards to USB devices for data exfiltration. Unclear on the full operating model employed and theories abound if this was used to jump an air gap or two.
The PlugX malware stood out to us as this variant infects any attached removable USB media devices such as floppy, thumb or flash drives and any additional systems the USB is later plugged into.
This PlugX malware also hides actor files in a USB device using a novel technique that works even on the most recent Windows operating systems (OS) at the time of writing this post. This means the malicious files can only be viewed on a Unix-like (*nix) OS or by mounting the USB device in a forensic tool.
We also discovered a similar variant of PlugX in VirusTotal that infects USB devices and copies all Adobe PDF and Microsoft Word files from the host. It places these copies in a hidden folder on the USB device that is created by the malware.
The technique used by the PlugX malware to hide files in a USB device involves using a certain Unicode character. This hinders Windows Explorer and the command shell (cmd.exe) from displaying the USB directory structure and any files, concealing them from the victim.
The Unicode character used by this PlugX malware for the directories is 00A0 (a whitespace character called a no-break space). The whitespace character prevents the Windows Operating System from rendering the directory name, concealing it rather than leaving a nameless folder in Explorer.
To achieve code execution of the malware from the hidden directory, a Windows shortcut (.lnk) file is created on the root folder of the USB device.
https://unit42.paloaltonetworks.com/plugx-variants-in-usbs/
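The two artefacts Unit 42 describe (directories whose names are made up of non-rendering whitespace such as U+00A0, plus a shortcut file in the root of the device) are easy to enumerate from a Unix-like host or a forensic mount. The following is an added example, not Unit 42’s code: it builds a constructed sample layout in a temporary directory and scans it, flagging any directory name composed entirely of Unicode space-separator or format characters (the variant in the write-up uses U+00A0; treating the whole Zs/Cf classes as suspicious is this example’s own generalisation) and any .lnk file at the volume root.

```python
import os
import tempfile
import unicodedata

# Added example (not Unit 42's code): scan a mounted volume for directories whose
# names consist only of non-rendering characters, and for .lnk files in the root.
# The sample layout built by build_sample_volume() is constructed for illustration.


def is_invisible_name(name: str) -> bool:
    """True if every character is a Unicode space separator (Zs) or format (Cf)
    character. U+00A0 (no-break space), used by this PlugX variant, is in Zs.
    Covering the whole Zs/Cf classes is this example's generalisation."""
    return bool(name) and all(unicodedata.category(ch) in ("Zs", "Cf") for ch in name)


def scan_volume(root: str) -> list[tuple[str, str]]:
    """Return sorted (finding_kind, path relative to root) pairs."""
    findings = []
    root = os.path.abspath(root)
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        for d in dirnames:
            if is_invisible_name(d):
                rel = d if rel_dir == "." else os.path.join(rel_dir, d)
                findings.append(("invisible_dir", rel))
        if dirpath == root:  # the write-up places the launcher .lnk in the root folder
            for f in filenames:
                if f.lower().endswith(".lnk"):
                    findings.append(("root_lnk", f))
    return sorted(findings)


def build_sample_volume(base: str) -> None:
    """Constructed layout mimicking the described on-disk artefacts; no real malware."""
    hidden = os.path.join(base, "\u00a0")            # directory named only U+00A0
    os.makedirs(os.path.join(hidden, "data"), exist_ok=True)
    os.makedirs(os.path.join(base, "Photos"), exist_ok=True)  # benign directory
    with open(os.path.join(hidden, "data", "copied.docx"), "wb") as f:
        f.write(b"sample document bytes")
    with open(os.path.join(base, "USB Drive.lnk"), "wb") as f:
        f.write(b"L\x00\x00\x00")  # placeholder: real .lnk files start with header size 0x4C


def run_demo() -> list[tuple[str, str]]:
    """Build the constructed volume in a temp dir and scan it."""
    base = tempfile.mkdtemp(prefix="usb_scan_")
    build_sample_volume(base)
    return scan_volume(base)


if __name__ == "__main__":
    for kind, path in run_demo():
        print(f"{kind}: {path!r}")
```

Run it against a real device by calling scan_volume() with the mount point; the findings are candidates for a closer look, not proof of infection, since nothing stops a user from legitimately creating an oddly named folder.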
Abraham's Ax Likely Linked to Moses Staff
Iranian hack and leak operations linked, with Abraham’s Ax focused on Saudi Arabia.
Analysis indicates that Abraham's Ax is another hacktivist group persona operated by the Iranian COBALT SAPLING threat group.
Rather than attacking Israel directly, Abraham's Ax attacks government ministries in Saudi Arabia. They published sample data allegedly stolen from attacks on the Ministry of the Interior, along with a video that purportedly presents intercepted phone conversations between Saudi Arabian government ministers. The group may be attacking Saudi Arabia in response to Saudi Arabia's leadership role in improving relationships between Israel and Arab nations. In June 2022, media reports described secret talks regarding potential air defense collaborations, which Iran perceived as a significant threat to its interests in the region. Progress on normalization of relations between Saudi Arabia and Israel is fragile, and Iran may see these attacks as a way to discourage those efforts.
https://www.secureworks.com/blog/abrahams-ax-likely-linked-to-moses-staff
Roaming Mantis implements new DNS changer in its malicious mobile app in 2022
Interesting campaign capability here which compromises the user’s Android device via malicious apps and then uses that behind-the-router/firewall access as a means to target the local gateway, compromise it and then modify its configuration. The number of LAN-side vulnerabilities published is only increasing, so it makes me wonder if this trend will also increase given the successes documented here.
Roaming Mantis (a.k.a Shaoye) is well-known as a long-term cyberattack campaign that uses malicious Android package (APK) files to control infected Android devices and steal device information; it also uses phishing pages to steal user credentials, with a strong financial motivation.
[W]e observed a DNS changer function used for getting into Wi-Fi routers and undertaking DNS hijacking. This was newly implemented in the known Android malware Wroba.o/Agent.eq (a.k.a Moqhao, XLoader), which was the main malware used in this campaign.
https://securelist.com/roaming-mantis-dns-changer-in-malicious-mobile-app/108464/
Welcome to Goot Camp: Tracking the Evolution of GOOTLOADER Operations
Govand Sinjari and Andy Morale discuss BANANAS in PAJAMAS and similarly impenetrable terms. Joking aside, they provide a detailed end-to-end walkthrough of the infection chain. The first three steps of which are, quite literally, the person going to the door, unlocking it and holding it open for the threat actor..
We currently only attribute GOOTLOADER malware and infrastructure to a group we track as UNC2565, and we believe it to be exclusive to this group.
Beginning in 2022, UNC2565 began incorporating notable changes to the tactics, techniques, and procedures (TTPs) used in its operations. These changes include the use of multiple variations of the FONELAUNCH launcher, the distribution of new follow-on payloads, and changes to the GOOTLOADER downloader and infection chain, including the introduction of GOOTLOADER.POWERSHELL. These changes are illustrative of UNC2565’s active development and growth in capabilities.
[Our] observation of post-compromise GOOTLOADER activity has largely been limited to internal reconnaissance, as these intrusions have been quickly detected and mitigated.
GOOTLOADER infections begin with the user searching for business-related documents online, like templates, agreements, or contracts. The victim is lured into visiting a compromised website and downloading a malicious archive that contains a JavaScript file known as GOOTLOADER.
Successful execution of the GOOTLOADER file will download additional payloads, FONELAUNCH and Cobalt Strike BEACON or SNOWCONE that will be stored in the registry. These payloads are executed via PowerShell in the later stages.
The user visits an UNC2565-compromised site (usually related to business documents) and downloads a malicious ZIP archive.
The malicious ZIP file is saved to the user's Downloads folder.
The user opens the ZIP file and clicks the .JS file inside. This is a trojanized JavaScript library containing an obfuscated JScript file, which will ultimately execute GOOTLOADER.POWERSHELL. Recently observed trojanized JavaScript libraries include jQuery, Chroma.js, and Underscore.js.
https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations
Massive Campaign Uses Hacked WordPress Sites as Platform for Black Hat Ad Network
We have reported in various prior weeks the trend of mass WordPress exploitation through various third-party plugins. This reporting gives a sense of the true scale that this can yield and what, in this particular case, the intent was. Fascinating..
Since late December, our team has been tracking a new spike in WordPress website infections related to [a specific domain].
PublicWWW results show over 5,600 websites impacted by this malware at the time of writing, while urlscan.io shows evidence of the campaign operating since December 26th, 2022.
ShareFinder: How Threat Actors Discover File Shares
Our friends at The DFIR Report show the value of ensuring your detection capability covers ShareFinder. The rampant use of this tooling means it provides a potentially strong TTP to detect on.
ShareFinder was originally part of the PowerView module of the PowerSploit framework. However, now it has been included in various other projects and is in wide use across both red teams and many threat actors.
..
In the past year, we have reported on it being used in around 40% of our reported intrusion cases.
https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/
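Given how often The DFIR Report see ShareFinder, the cheapest place to catch it is PowerShell script block logging (Event ID 4104). The following is an added example, not The DFIR Report’s code: it normalises script block text so that simple string-splitting and backtick-escape obfuscation does not hide the cmdlet name, then matches the PowerView names for share enumeration (Invoke-ShareFinder, its successor Find-DomainShare, and the Get-NetShare helper). The event records are constructed; a real pipeline would read them from the Microsoft-Windows-PowerShell/Operational log or a SIEM.

```python
import re

# Added example (not The DFIR Report's code): flag PowerShell script block log
# entries (Event ID 4104) that invoke PowerView share enumeration.

# PowerView cmdlet names, most specific first. Get-NetShare is the per-host helper
# that Invoke-ShareFinder / Find-DomainShare are built on.
INDICATORS = ["invoke-sharefinder", "find-domainshare", "get-netshare"]


def normalize(script: str) -> str:
    """Lower-case and strip whitespace, quotes, '+' and backticks, so that
    'Find-Domain'+'Share' or Inv`oke-ShareFinder collapse to the plain name."""
    return re.sub(r"[\s'\"+`]", "", script.lower())


def detect_sharefinder(events: list[dict]) -> list[dict]:
    """Return one hit per 4104 event whose script block contains an indicator."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4104:
            continue  # only script block events carry ScriptBlockText
        text = normalize(ev.get("ScriptBlockText", ""))
        for ind in INDICATORS:
            if ind in text:
                hits.append({"Host": ev["Host"], "User": ev["User"], "Indicator": ind})
                break  # report the most specific match only
    return hits


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4104, "Host": "WS-104", "User": "CORP\\jdoe",
     "ScriptBlockText": "Import-Module .\\PowerView.ps1; Invoke-ShareFinder -CheckShareAccess"},
    {"EventID": 4104, "Host": "WS-104", "User": "CORP\\jdoe",
     "ScriptBlockText": "Get-ChildItem C:\\Temp | Sort-Object Length"},
    {"EventID": 4104, "Host": "WS-207", "User": "CORP\\svc-backup",
     "ScriptBlockText": "$c = 'Find-Domain' + 'Share'; & $c -Verbose"},
    {"EventID": 4104, "Host": "WS-207", "User": "CORP\\svc-backup",
     "ScriptBlockText": "Get-NetShare -ComputerName FS01"},
    {"EventID": 4688, "Host": "WS-104", "User": "CORP\\jdoe",
     "NewProcessName": "C:\\Windows\\System32\\net.exe"},
]


if __name__ == "__main__":
    for hit in detect_sharefinder(SAMPLE_EVENTS):
        print(hit)
```

Expect noise from red team engagements and the odd administrator; the useful triage context is the account (a service account running PowerView is rarely legitimate) and what else that host did in the same window.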
QR Code Phishing Attempts to Steal Credentials from Chinese Language Users
James Slaughter outlines a campaign which utilizes the fact that QR codes are commonly used in parts of Asia.
[We] recently discovered an interesting phishing campaign using a variety of QR codes to target Chinese language users. It aims to steal credentials by luring users into entering their data into a phishing website owned by the threat actor.
The e-mail attempts to spoof the Chinese Ministry of Finance.
Darth Vidar: The Dark Side of Evolving Threat Infrastructure
The value of netflow in helping understand threat actor infrastructure continues to be evidenced in this reporting.
Russian VPN gateways are potentially providing anonymity for Vidar operators / customers, making it more challenging for analysts to have a complete overview of this threat. These gateways now appear to be migrating to Tor.
Vidar operators appear to be expanding their infrastructure, so analysts need to keep them in their sights. We expect a new wave of customers and as a result, an increase of campaigns in the upcoming weeks.
The analysis indicates that Vidar operators have split their infrastructure into two parts; one dedicated to their regular customers and the other for the management team, and also potentially premium / important users.
https://www.team-cymru.com/post/darth-vidar-the-dark-side-of-evolving-threat-infrastructure
DragonSpark | Attacks Evade Detection with SparkRAT and Golang Source Code Interpretation
Aleksandar Milenkoski outlines a campaign which strongly hints at being Chinese in origin. Note the use of techniques designed to hinder static analysis.
We observed compromises of web servers and MySQL database servers exposed to the Internet as initial indicators of the DragonSpark attacks.
[We] assess it is highly likely that a Chinese-speaking actor is behind the DragonSpark attacks.
The attacks provide evidence that Chinese-speaking threat actors are adopting the little known open source tool SparkRAT.
The threat actors use Golang malware that implements an uncommon technique for hindering static analysis and evading detection: Golang source code interpretation.
The DragonSpark attacks leverage compromised infrastructure located in China and Taiwan to stage SparkRAT along with other tools and malware.
The Golang malware m6699.exe uses the Yaegi framework to interpret at runtime encoded Golang source code stored within the compiled binary, executing the code as if compiled. This is a technique for hindering static analysis and evading detection by static analysis mechanisms.
Traffic signals: The VASTFLUX Takedown
Nico Agnese, Maor Elizen, Marion Habiby, Ryan Joye, Vikas Parthasarathy, Adam Sell and Mikhail Venkov discuss what can only be described as an enormous campaign here. This is the very definition of organized cyber crime..
an expansive malvertising operation in which the bad actors injected JavaScript into ad creatives they issued, and then stacked a whole bunch of video players on top of one another, getting paid for all of the ads when none of them were visible to the person using the device.
The name VASTFLUX is derived from the concept of “fast flux”, an evasion technique used by cybercriminals, and VAST, the Digital Video Ad Serving Template that was abused in this operation.
VASTFLUX was a malvertising attack that injected malicious JavaScript code into digital ad creatives, allowing the fraudsters to stack numerous invisible video ad players behind one another and register ad views.
At its peak, VASTFLUX accounted for more than 12 billion bid requests a day. More than 1,700 apps and 120 publishers were spoofed, and the scheme ran inside apps on nearly 11 million devices.
The fraudsters behind the VASTFLUX operation have an intimate understanding of the digital advertising ecosystem; they evaded ad verification tags, making it harder for this scheme to be found.
https://www.humansecurity.com/learn/blog/traffic-signals-the-vastflux-takedown?hsLang=en-us
Over 50,000 instances of DRAGONBRIDGE activity disrupted in 2022
Zak Butler and Jonas Taege discuss a campaign which is notable in and of itself. Also notable is that the fact this campaign was detected and disrupted will likely be used as an argument for why further regulation is not required for some aspects of big tech and why they should be trusted to govern their own businesses.
In 2022, [we] disrupted over 50,000 instances of DRAGONBRIDGE activity across YouTube, Blogger, and AdSense, reflecting our continued focus on this actor and success in scaling our detection efforts across Google products. We have terminated over 100,000 DRAGONBRIDGE accounts in the IO network’s lifetime. Despite their scale and profuse content production, DRAGONBRIDGE achieved practically no organic engagement from real viewers — in 2022, the majority of DRAGONBRIDGE channels had 0 subscribers when [we] disrupted them, and over 80% of DRAGONBRIDGE videos had fewer than 100 views.
Discovery
How we find and understand the latent compromises within our environments.
The Key to Identify PsExec
Fabian Mendoza details a forensics artefact which is almost as if it were by design to help blue teams.
The focus of this blog is to bring attention to a relatively new method of identifying the source host from which PsExec was executed from.
Starting with PsExec v2.30 (which was released in early 2021), anytime a PsExec command is executed, a key file gets written to the file system and will be recorded in the USN Journal on the target system. It will follow this naming convention: PSEXEC-[Source Hostname]-[8 Unique Characters].key and will be located in the C:\Windows directory.
https://aboutdfir.com/the-key-to-identify-psexec/
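Because the key file name carries the source hostname, a handful of lines turns parsed USN journal output into a list of which hosts ran PsExec against the target. The following is an added example and not the AboutDFIR post’s code: it parses the PSEXEC-[Source Hostname]-[8 Unique Characters].key convention (hostnames may contain hyphens, so the hostname is matched greedily and the suffix anchored as the final 8 non-hyphen characters; that the suffix never contains a hyphen is an assumption), restricts matches to C:\Windows as the post states, and summarises by source host. The USN records are constructed; a real pipeline would feed it parsed $UsnJrnl:$J entries.

```python
import re
from collections import Counter

# Added example (not the AboutDFIR post's code): recover PsExec source hosts from
# USN journal records of PSEXEC-<SourceHostname>-<8 chars>.key files in C:\Windows.

# Greedy hostname so "JUMP-HOST-7" survives; suffix = last 8 non-hyphen chars before
# ".key". Assumption: the 8-character suffix never contains a hyphen.
KEY_FILE_RE = re.compile(r"^PSEXEC-(?P<source>.+)-(?P<suffix>[^-]{8})\.key$", re.IGNORECASE)


def parse_key_filename(name: str):
    """Return the source hostname encoded in a PsExec key file name, else None."""
    m = KEY_FILE_RE.match(name)
    return m.group("source") if m else None


def in_windows_dir(parent_path: str) -> bool:
    """The post places the key file directly in C:\\Windows."""
    return parent_path.rstrip("\\").lower().endswith("\\windows")


def psexec_sources(records: list[dict]) -> list[tuple[str, str, str]]:
    """(timestamp, source_host, key_file) for every matching USN record."""
    out = []
    for r in records:
        if not in_windows_dir(r["ParentPath"]):
            continue
        src = parse_key_filename(r["Name"])
        if src:
            out.append((r["Timestamp"], src, r["Name"]))
    return out


def source_summary(records: list[dict]) -> Counter:
    """How many PsExec key files each source host left behind."""
    return Counter(src for _, src, _ in psexec_sources(records))


# Constructed USN journal records (not real data).
SAMPLE_USN_RECORDS = [
    {"Timestamp": "2023-01-23 09:12:44", "ParentPath": "C:\\Windows",
     "Name": "PSEXEC-WS-ADMIN01-A1B2C3D4.key", "Reason": "FileCreate|Close"},
    {"Timestamp": "2023-01-23 09:15:02", "ParentPath": "C:\\Windows",
     "Name": "report.docx", "Reason": "DataExtend|Close"},
    {"Timestamp": "2023-01-23 11:40:19", "ParentPath": "C:\\Windows",
     "Name": "PSEXEC-JUMP-HOST-7-ZZ99YY88.key", "Reason": "FileCreate|Close"},
    {"Timestamp": "2023-01-23 11:41:00", "ParentPath": "C:\\Users\\jdoe\\Desktop",
     "Name": "PSEXEC-LAB-12345678.key", "Reason": "FileCreate|Close"},  # wrong location
    {"Timestamp": "2023-01-24 08:03:51", "ParentPath": "C:\\Windows",
     "Name": "PSEXEC-WS-ADMIN01-E5F6A7B8.key", "Reason": "FileCreate|Close"},
    {"Timestamp": "2023-01-24 08:05:10", "ParentPath": "C:\\Windows",
     "Name": "PSEXEC-notes.txt", "Reason": "FileCreate|Close"},  # not a key file
]


if __name__ == "__main__":
    for ts, src, name in psexec_sources(SAMPLE_USN_RECORDS):
        print(f"{ts}  source={src:<12} file={name}")
    print(dict(source_summary(SAMPLE_USN_RECORDS)))
```

The timestamps double as a pivot: each key file creation should line up with a PSEXESVC service installation (System log Event ID 7045) on the same host, and the source hostname tells you where to go next.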
Finding Truth in the Shadows
I discussed the potential for technique in Tales of Windows detection opportunities for an implant framework in November.
ROP detection strategies will likely be more involved, but not impossible including CFG variances, shadow stack comparison, stack analysis and similar
Gabriel Landau makes using Hardware Stack Protection shadow stack on Windows to detect call stack manipulation a reality this week. This is excellent applied research..
The shadow stack provides an interesting detection opportunity. Adversaries can use techniques demonstrated in ThreadStackSpoofer and CallStackSpoofer to obfuscate their presence against thread stack scans (e.g. StackWalk64) and inline stack traces like Sysmon Open Process events. By comparing a traditional stack walk against its shadowy sibling, we can both detect and bypass thread stack spoofing. We present ShadowStackWalk, a PoC that implements CaptureStackBackTrace/StackWalk64 using the shadow stack to catch thread stack spoofing.
https://www.elastic.co/security-labs/finding-truth-in-the-shadows
Defence
How we proactively defend our environments.
Enforcing Device AuthN & Compliance at Pinterest
Armen Tashjian provides a really valuable summary of real world experience on how this type of mitigation is done in practice.
Pinterest has enforced the use of managed and compliant devices in our Okta authentication flow, using a passwordless implementation, so that access to our tools always requires a healthy Pinterest device.
Following the phishing-based attacks against our peers in the tech industry, Pinterest decided to take a two pronged approach to defend against similar attacks. We decided to:
Require a managed and healthy Pinterest device be used to access all Pinterest resources, even when in the possession of valid credentials
Require FIDO2 credentials for user authentication
In this post, we’ll be focusing on how we required the use of Pinterest managed devices in our Okta authentication flow.
https://medium.com/pinterest-engineering/enforcing-device-authn-compliance-at-pinterest-a74938cb089b
Analyzing Malicious OneNote Documents
Didier Stevens releases the initial version of a metadata dumper for OneNote files given its increasing usage in campaigns.
https://blog.didierstevens.com/2023/01/22/analyzing-malicious-onenote-documents/
LODEINFO Triage Tools
Artifact analysis tools for LODEINFO malware which is used by a subset of Chinese state actors.
https://github.com/nflabs/aa_tools/tree/main/lodeinfo
Vulnerability
Our attack surface.
Zero days in common identity manager system
Various vulnerabilities which on their own would have likely sat in the backlog until the product was end of life. However in this instance they were chained into a glorious end-to-end attack. A lesson to all vendors who only prioritize critical and highs.
Using either the XSS present in the application, or the induced XSS possible from the response splitting vulnerability, an XSS payload could be crafted that exploited the LDAP information disclosure. This provides attackers with a ‘one-click’ avenue to gain access to the hash of a victim’s password. An attacker would still need to crack this hash for it to be useful, but if the victim had a weak password that could be cracked by the attacker, this would provide an avenue for the attacker to gain persistent access to the victim’s account.
https://blog.cybercx.com.au/zero-day-vulnerability-symantec-identity-manager
Activation Context Cache Poisoning: Exploiting CSRSS for Privilege Escalation on Windows
Not quite as novel as made out, but an interesting vulnerability class.
We have taken the wraps off a new bug class in Microsoft Windows, which we call activation context cache poisoning. Successful exploitation generally results in privilege escalation, as achieved in the wild by the KNOTWEED group. The vulnerabilities recently disclosed as the “CSRSS” vulnerabilities all fall into this new bug class. Though Microsoft has now released a general mitigation, corner cases remain that fall outside the mitigation’s scope. It remains an open research question whether Microsoft’s specific patches for the known vulnerabilities are sufficient to make activation contexts safely cacheable across processes.
Offense
Attack capability, techniques and trade-craft.
APCLdr: Payload Loader With Evasion Features for Windows
More turn key offensive tradecraft here from a researcher who claims to be in Lebanon.
no crt functions imported
indirect syscalls using HellHall
api hashing using CRC32 hashing algorithm
payload encryption using rc4 - payload is saved in .rsrc
Payload injection using APC calls - alertable thread
Payload execution using APC - alertable thread
Execution delay using MsgWaitForMultipleObjects - edit this
the total size is 8kb + the payload size
compatible with LLVM (clang-cl) Option
https://github.com/NUL0x4C/APCLdr
Inline-Execute-PE Execute unmanaged Windows executables in CobaltStrike Beacons
Alex Reid provides a powerful capability which will cause further forensic artefact challenges.
Inline-Execute-PE is a suite of Beacon Object Files (BOF's) and an accompanying Aggressor script for CobaltStrike that enables Operators to load unmanaged Windows executables into Beacon memory and execute them, retrieving the output and rendering it in the Beacon console.
https://github.com/Octoberfest7/Inline-Execute-PE
Bypassing Applocker, UAC and Getting Administrative Persistence
Now, technically this does what it says on the tin… but by dropping a DLL instead.
We’re going to bypass UAC and gain administrative persistence on a target without dropping EXEs to disk.
Malicious Inheritance, is Domain Expiration Insight a Countermeasure
In short John talks about looking at the leaks, finding expired domains, registering those domains and doing account takeovers.
It is clear that providers of online services are going to have to consider this scenario. The mitigation may vary; you can already foresee a SaaS ‘intelligence provider’ offering an alerting service for domains used by your user base if they change ownership etc.
https://thecontractor.io/blog/malinheritance/
Bounce the Ticket and Silver Iodide on Azure AD Kerberos
Dor Segal demonstrates cloud equivalent vulnerabilities for on premises cousins. Interesting that these could not have been fully mitigated due to likely inherent design elements.
Microsoft has recently announced general availability of Azure AD Kerberos, a cloud-based implementation of Kerberos. When reviewing it, we found that despite some attempts to make it more secure than the on-prem implementation of Kerberos, Azure AD Kerberos can be attacked with similar techniques. In this white-paper we introduce these two techniques - Bounce the Ticket, and Silver Iodide – the cloud-based versions of Pass-the-Ticket and Silver-Ticket.
Exploitation
What is being exploited.
CVE-2022-34689: Exploiting a Critical Spoofing Vulnerability in Windows CryptoAPI
Tomer Peled and Yoni Rozenshein provide a capability that will be exploited in 3..2..
Also note the scale of enduring vulnerability reported in the numbers below.
Akamai Security Research recently analyzed a critical vulnerability in Windows CryptoAPI that was disclosed by the National Security Agency (NSA) and the National Cyber Security Center (NCSC) to Microsoft.
The vulnerability, assigned CVE-2022-34689, has a CVSS score of 7.5. It was patched in August 2022, but was publicly announced in the October 2022 Patch Tuesday.
According to Microsoft, the vulnerability allows an attacker to masquerade as a legitimate entity.
The root cause of the bug is the assumption that the certificate cache index key, which is MD5-based, is collision-free. MD5’s collision resistance has been known to be broken since 2009.
The attack flow is twofold. The first phase requires taking a legitimate certificate, modifying it, and serving the modified version to the victim. The second phase involves creating a new certificate whose MD5 collides with the modified legitimate certificate, and using the new certificate to spoof the identity of the original certificate’s subject.
We have searched for applications in the wild that use CryptoAPI in a way that is vulnerable to this spoofing attack. So far, we found that old versions of Chrome (v48 and earlier) and Chromium-based applications can be exploited. We believe there are more vulnerable targets in the wild and our research is still ongoing.
We found that fewer than 1% of visible devices in data centers are patched, rendering the rest unprotected from exploitation of this vulnerability.
In this blog post, we provide a detailed explanation of the potential attack flow and consequences, as well as a proof of concept (PoC) that demonstrates the complete attack. We also provide an OSQuery for detecting vulnerable versions of the CryptoAPI library.
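To make the cache-index flaw concrete, here is an added toy model (my own illustration, not Akamai’s PoC and not CryptoAPI code). A certificate cache is indexed by a hash of the certificate, and the consumer validates whatever the cache hands back rather than what the peer actually presented. A 16-bit truncation of MD5 stands in for the MD5-based key so a collision can be found offline in a fraction of a second; the real attack needs a chosen-prefix MD5 collision, and the first phase modifies the legitimate certificate to make that collision possible, which is simplified away here. The ‘certificates’ are constructed byte strings, not DER.

```python
"""Added example: why a collision-prone cache index turns into identity spoofing.
Not Akamai's PoC, not CryptoAPI; certificates and the 16-bit key are constructed."""
import hashlib
import struct
from typing import Dict, Tuple


def index_key(cert: bytes) -> bytes:
    """Stand-in for the MD5-based cache index: only the first 16 bits of MD5."""
    return hashlib.md5(cert).digest()[:2]


def parse(cert: bytes) -> Dict[str, str]:
    """Constructed 'DER': semicolon-separated key=value fields."""
    return dict(field.split("=", 1) for field in cert.decode().split(";"))


class CertCache:
    def __init__(self, compare_bytes: bool):
        # compare_bytes=False reproduces the flawed assumption that the key is unique;
        # compare_bytes=True is the hardened lookup (full-content comparison on a hit).
        self.compare_bytes = compare_bytes
        self._store: Dict[bytes, bytes] = {}

    def get_or_add(self, presented: bytes) -> bytes:
        key = index_key(presented)
        cached = self._store.get(key)
        if cached is not None and (not self.compare_bytes or cached == presented):
            return cached  # vulnerable path returns a different cert that merely collides
        self._store[key] = presented
        return presented


def chain_is_trusted(presented: bytes, cache: CertCache) -> Tuple[bool, str]:
    """What the application sees: validation runs on whatever the cache returns,
    while the public key used on the wire is the one the peer actually presented."""
    effective = parse(cache.get_or_add(presented))
    return effective["sig"] == "valid", effective["subject"]


# Constructed legitimate certificate (phase 1: the victim sees and caches it)
LEGIT = b"subject=login.example.com;key=LEGIT-PUBKEY;issuer=TrustedRoot;sig=valid"


def forge_colliding(target: bytes, prefix: bytes) -> bytes:
    """Brute-force a suffix until the attacker's cert shares the index key with the
    target (~65k trials for a 16-bit key; a stand-in for the chosen-prefix collision)."""
    want = index_key(target)
    for nonce in range(1 << 24):
        candidate = prefix + b";pad=" + struct.pack(">I", nonce).hex().encode()
        if index_key(candidate) == want:
            return candidate
    raise RuntimeError("no collision within budget")


def run_attack() -> Dict[str, object]:
    evil = forge_colliding(
        LEGIT, b"subject=login.example.com;key=ATTACKER-PUBKEY;issuer=None;sig=invalid"
    )
    results: Dict[str, object] = {"keys_collide": index_key(evil) == index_key(LEGIT)}
    for name, compare in (("vulnerable", False), ("hardened", True)):
        cache = CertCache(compare_bytes=compare)
        chain_is_trusted(LEGIT, cache)                    # phase 1: legit cert primes the cache
        trusted, subject = chain_is_trusted(evil, cache)  # phase 2: colliding cert presented
        results[name] = {"trusted": trusted, "subject": subject,
                         "key_on_wire": parse(evil)["key"]}
    return results


if __name__ == "__main__":
    for k, v in run_attack().items():
        print(k, v)
```

The vulnerable cache reports the attacker’s certificate as trusted with the legitimate subject, even though the key in use is the attacker’s; the hardened cache falls through to real validation because the bytes differ. Swapping the index to SHA-256 raises the cost of a collision, but comparing the full content on a hit is what removes the assumption the bug relies on.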
CVE-2022-47966: Observed Exploitation of Critical ManageEngine Vulnerability
Glenn Thorpe provides some reporting on the real-world exploitation and exploitability of this vulnerability.
[We are] responding to various compromises arising from the exploitation of CVE-2022-47966, a pre-authentication remote code execution (RCE) vulnerability impacting at least 24 on-premise ManageEngine products. CVE-2022-47966 stems from a vulnerable third-party dependency on Apache Santuario. Several of the affected products are extremely popular with organizations and attackers, including ADSelfService Plus and ServiceDesk Plus. Patches were released in October and November of 2022; the exact timing of fixed version releases varies by product.
Realtek SDK Vulnerability Attacks Highlight IoT Supply Chain Threats
The scale of exploitation is the point of note in this reporting.
As of December 2022, we’ve observed 134 million exploit attempts in total leveraging this vulnerability, and about 97% of these attacks occurred after the start of August 2022. At the time of writing, the attack is still ongoing.
Many of the attacks we observed tried to deliver malware to infect vulnerable IoT devices. This tells us that threat groups are using this vulnerability to carry out large-scale attacks on smart devices around the world.
CVE-2021-35394 affects almost 190 models of devices from 66 different manufacturers. We believe that this vulnerability attracted so many attackers because supply chain issues can make it difficult for the average user to identify the affected products that are being exploited.
https://unit42.paloaltonetworks.com/realtek-sdk-vulnerability/
Proxy*Hell Exploit Chains in the Wild
Real-world exploitation continues, here are the exploit chains to hunt for in your logs.
At the end of November 2022, [we] started to notice an increase in attacks using ProxyNotShell/OWASSRF exploits chains to target on-premises Microsoft Exchange deployments. SSRF attacks on Microsoft Exchange servers are some of the most popular and routinely exploited vulnerabilities. We decided to release a technical advisory describing these attacks, but also documenting some of the recent attacks that we’ve detected in the wild.
https://businessinsights.bitdefender.com/technical-advisory-proxyhell-exploit-chains-in-the-wild
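For those hunting the chains above in IIS logs, an added example (mine, not Bitdefender’s). The first pattern is the URL Rewrite regex Microsoft published as the ProxyNotShell autodiscover mitigation; the second is a broader heuristic I am assuming here, flagging any front-end path under /owa/ or /autodiscover/ that reaches the PowerShell back-end, which ordinary clients never do. The log lines are constructed, not real captures, and the field list is trimmed to what the check needs.

```python
"""Added example: hunt Proxy*Hell request shapes in W3C-format IIS logs.
Not Bitdefender's code; SAMPLE_LOG is constructed and the second rule is a heuristic."""
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import unquote

RULES = {
    # Microsoft's published URL Rewrite mitigation pattern for the autodiscover SSRF
    "autodiscover-ssrf (MS mitigation pattern)": re.compile(
        r".*autodiscover\.json.*\@.*Powershell.*", re.I),
    # Assumed heuristic: front-end path that lands on the PowerShell back-end
    "frontend-path-to-powershell (heuristic)": re.compile(
        r"^/(owa|autodiscover)/.*powershell", re.I),
}

# Constructed sample: two ProxyNotShell-style probes, one OWA path to PowerShell,
# and three benign requests (normal OWA logon, autodiscover.xml, direct remoting).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2022-11-28 03:12:05 POST /autodiscover/autodiscover.json @mail.example.com/powershell&Email=autodiscover/autodiscover.json%3f@mail.example.com 203.0.113.7 200
2022-11-28 03:12:06 POST /autodiscover/autodiscover.json @mail.example.com/powershell 203.0.113.7 200
2022-11-28 03:15:41 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.example.com%2fowa%2f 198.51.100.22 200
2022-11-28 03:16:02 POST /owa/mastermailbox%40example.com/powershell - 203.0.113.7 200
2022-11-28 03:20:11 GET /autodiscover/autodiscover.xml - 198.51.100.23 401
2022-11-28 03:21:00 POST /powershell PSVersion=5.1 198.51.100.40 200
"""


def parse_iis(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines using the #Fields header to name columns."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line; skip rather than mis-assign columns
        rows.append(dict(zip(fields, parts)))
    return rows


def hunt(text: str) -> List[Dict[str, object]]:
    """Return the requests matching any rule, with the rule names that fired."""
    hits = []
    for row in parse_iis(text):
        query = "" if row["cs-uri-query"] == "-" else row["cs-uri-query"]
        uri = row["cs-uri-stem"] + ("?" + query if query else "")
        uri = unquote(uri)  # attackers encode '@' and '?' to dodge naive matching
        matched = [name for name, rx in RULES.items() if rx.search(uri)]
        if matched:
            hits.append({"time": f"{row['date']} {row['time']}", "src": row["c-ip"],
                         "method": row["cs-method"], "uri": uri, "rules": matched})
    return hits


def sources(hits: List[Dict[str, object]]) -> Counter:
    """Count flagged requests per source IP, the pivot to take into firewall logs."""
    return Counter(str(h["src"]) for h in hits)


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(h["time"], h["src"], h["method"], h["uri"], h["rules"])
    print(sources(hunt(SAMPLE_LOG)))
```

Decode before matching: the mitigation regex is written against the decoded request URI, and raw logs will carry `%40` where the decoded form has `@`. Follow a hit by checking for the post-exploitation the advisory describes (PowerShell remoting sessions and web shells) rather than treating the request alone as confirmation.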
Sliver Malware with BYOVD Distributing Due to Sunlogin Vulnerability Attack
Novel because of the focus on Chinese software, with the reporting coming from Korea. Note that Bring Your Own Vulnerable Driver (BYOVD) continues to be used.
The software targeted for exploitation of the vulnerability is a remote control program developed in China called Sunlogin. Last year, the remote code execution vulnerability (CNVD-2022-10270 / CNVD-2022-03672) and the code to exploit it were disclosed, and Sunlogin has been a constant target of vulnerability attacks until recently.
Here, we first give brief information about the Sliver penetration testing tool. Then we summarize the recently confirmed attack cases that install Sliver and BYOVD malware.
Tooling and Techniques
Low level tooling for attack and defence researchers.
Statistical Analysis to Detect Uncommon Code
Tim Blazytko provides a nice applied example of data science in a software reverse engineering context.
In the following, we first familiarize ourselves with the foundations of n-gram analysis and its use cases. Then, we discuss how to perform statistical analysis of assembly code and develop a heuristic to identify uncommon instruction sequences. Afterward, we explore some similarities and differences between the most common CPU architectures. Finally, we evaluate the heuristic by identifying and analyzing obfuscated functions in malware, a Windows kernel module, an anti-cheat software and a mobile DRM system.
https://synthesis.to/2023/01/26/uncommon_instruction_sequences.html
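To show the mechanics of the heuristic, an added example of my own (not Tim’s code): train a trigram model on mnemonic sequences from ordinary functions, then score candidate functions by their mean log-probability and the share of n-grams never seen in the reference set. Functions whose score falls well below the reference baseline are flagged. The instruction sequences are constructed, not disassembly from a real binary, and operands are assumed to have been stripped already.

```python
"""Added example: n-gram scoring of instruction mnemonics to surface uncommon code.
Illustration of the approach, not Tim Blazytko's code; all sequences are constructed."""
import math
from collections import Counter
from typing import Dict, List, Tuple

Ngram = Tuple[str, ...]

# Constructed reference corpus: mnemonics of ordinary compiler-generated functions.
REFERENCE: Dict[str, List[str]] = {
    "f1": "push mov sub mov call test jz mov call add pop ret".split(),
    "f2": "push mov sub mov mov call test jnz mov add pop ret".split(),
    "f3": "push mov sub call mov cmp jz mov call mov add pop ret".split(),
    "f4": "push mov sub mov call mov call test jz xor add pop ret".split(),
    "f5": "push mov mov call test jz mov call add pop ret".split(),
}

# Constructed targets: one ordinary function and one that looks like obfuscator
# output (rotates, carry tricks, flag register shuffling).
TARGETS: Dict[str, List[str]] = {
    "normal_target": "push mov sub mov mov call test jz mov call add pop ret".split(),
    "obfuscated": ("rol xor ror not sbb lea xchg rcl xor bswap ror pushf popf "
                   "adc rcr xor neg rol lea ret").split(),
}


def ngrams(seq: List[str], n: int) -> List[Ngram]:
    return [tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)]


class NgramModel:
    def __init__(self, corpus: Dict[str, List[str]], n: int = 3, alpha: float = 0.5):
        self.n, self.alpha = n, alpha
        self.counts: Counter = Counter()
        for seq in corpus.values():
            self.counts.update(ngrams(seq, n))
        self.total = sum(self.counts.values())
        self.vocab = len(self.counts) + 1  # seen n-grams plus one "unseen" bucket
        # baseline: how the reference functions themselves score under the model
        self.baseline = [self.score(seq)[0] for seq in corpus.values()]

    def log_prob(self, gram: Ngram) -> float:
        # additive smoothing so an unseen n-gram gets a small non-zero probability
        return math.log2((self.counts[gram] + self.alpha)
                         / (self.total + self.alpha * self.vocab))

    def score(self, seq: List[str]) -> Tuple[float, float]:
        """Return (mean log2 probability, fraction of n-grams unseen in training)."""
        grams = ngrams(seq, self.n)
        mean = sum(self.log_prob(g) for g in grams) / len(grams)
        unseen = sum(1 for g in grams if self.counts[g] == 0) / len(grams)
        return mean, unseen


def find_uncommon(model: NgramModel, targets: Dict[str, List[str]],
                  margin_bits: float = 1.0) -> Dict[str, Dict[str, object]]:
    """Flag functions scoring more than margin_bits below the reference mean."""
    threshold = sum(model.baseline) / len(model.baseline) - margin_bits
    report = {}
    for name, seq in targets.items():
        mean, unseen = model.score(seq)
        report[name] = {"mean_log2_prob": round(mean, 2),
                        "unseen_fraction": round(unseen, 2),
                        "flagged": mean < threshold}
    return report


if __name__ == "__main__":
    model = NgramModel(REFERENCE)
    for name, info in find_uncommon(model, TARGETS).items():
        print(name, info)
```

On a real binary the reference corpus would be a large set of functions from unobfuscated programs for the same architecture and compiler family, and the margin is tuned against that baseline’s spread rather than fixed at one bit; the unseen fraction is the quick signal, the mean log-probability the ranking.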
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Forecasting Potential Misuses of Language Models for Disinformation Campaigns and How to Reduce Risk
NSA Publishes Internet Protocol Version 6 (IPv6) Security Guidance
This newsletter is produced by BinaryFirefly, it is via BinaryFirefly I support a hand picked set of organisations across investment, strategy and capability in the domain of cyber.