

Bluepurple Pulse: week ending July 23rd
North Korea and their supply chain attacks Part [number]..
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week JumpCloud issued their incident write-up, which has been potentially linked to North Korea, and there was a whole rash of vulnerabilities we would prefer didn’t exist in Microsoft Office, Microsoft Outlook and more (see reporting below).
In the high-level this week:
Biden-Harris Administration Announces Cybersecurity Labeling Program for Smart Devices to Protect American Consumers - “U.S. Cyber Trust Mark” is the latest in a series of actions President Biden and the Biden-Harris Administration have taken to protect hard-working families.
Fact Sheet: Office of the National Cyber Director Requests Public Comment on Harmonizing Cybersecurity Regulations - request for information (RFI) on cybersecurity regulatory harmonization and regulatory reciprocity. The RFI builds on the commitment the Administration made in the National Cybersecurity Strategy to “harmonize not only regulations and rules, but also assessments and audits of regulated entities.”
EU Cyber resilience act: member states agree common position on security requirements for digital products - essential requirements for the vulnerability handling processes for manufacturers to ensure the cybersecurity of digital products, and obligations for economic operators, such as importers or distributors, in relation to these processes
The UK Released its Intelligence and Security Committee of Parliament report on China - GCHQ judges that, while campaigns around cyber security (for instance, not clicking links or downloading attachments) have been successful in increasing user awareness, the substantial rise in home working means that there are now more opportunities to get into an organisation as people use different technologies to connect remotely to a network.
US adds two “European” mercenary spyware firms to export control list - Cytrox & Intellexa, the notorious proliferators of Predator spyware - The ERC determined to add Intellexa S.A., under the destination of Greece, Cytrox Holdings Zrt., under the destination of Hungary, Intellexa Limited, under the destination of Ireland, and Cytrox AD, under the destination of North Macedonia, to the Entity List for trafficking in cyber exploits used to gain access to information systems, thereby threatening the privacy and security of individuals and organizations worldwide
Australian Cyber strategy has cost Home Affairs $2.8 million so far - on consulting costs.
Court temporarily dunks USA water sector cybersecurity initiative - A U.S. court placed a temporary hold on an Environmental Protection Agency rule intended to better safeguard public water systems against hackers, dealing a setback to the Biden administration’s cybersecurity regulatory agenda and a win to GOP state attorneys general challenging federal power.
France Opinion | Cybersécurité : mieux orienter les dépenses - basically says French businesses are not listening to their IT security leaders enough.
UK National Strategic Assessment of Serious and Organised Crime 2023 - Russian-language criminals operating ransomware as a service continue to be responsible for most high profile cyber crime attacks against the UK.
Personal debts said to scuttle nomination of Biden’s acting cyber director - as someone who made their own way I find this such a sad story given the benefits of diverse backgrounds in Government.
Critical step from MIT: Cyber Intelligence Presidency established: from Türkiye - a change in the National Intelligence Organization (MIT). The unit, which has just started operating under the name of Cyber Intelligence Directorate,
Is the UK data protection authority giving a free pass to big tech giants? -
Chinese Interim Measures for the Management of Generative Artificial Intelligence Services - Adhere to the core values of socialism, and must not generate incitement to subvert state power, overthrow the socialist system, endanger national security and interests, damage national image, incite secession, undermine national unity and social stability, promote terrorism, extremism etc.
Microsoft Email Hack Shows Greater Sophistication, Skill of China’s Cyberspies -
Senate panel wants to green-light US military cyber ops against Mexican cartels - A provision in the Senate Armed Services Committee’s version of the fiscal 2024 National Defense Authorization Act would allow the secretary of defense, along with other federal agencies and in consultation with the Mexican government, to “conduct detection, monitoring, and other operations in cyberspace to counter Mexican transnational criminal organizations that are engaged” in a variety of activities that cross the southern U.S. border.
Strategy on China of the Government of the Federal Republic of Germany - Chinese cyber actors are engaged in economic and academic espionage in an attempt to gain access to German corporations’ trade and research secrets. These activities are particularly focused on high-tech companies and global leaders in industrial technology. As part of its economic security initiative, the Federal Government advises German companies and research institutions on cyber, hybrid and physical security risks.
Man jailed for more than three years for attempting to extort money from the company he worked for - Liles was IT Security Analyst
Typo leaks millions of US military emails to Mali web operator - due to typing .ml and not .mil - Millions of US military emails have been misdirected to Mali through a “typo leak” that has exposed highly sensitive information, including diplomatic documents, tax returns, passwords and the travel details of top officers.
No reflection from me this week, instead you get to watch this 45 minute presentation by Alex Gantman in Measuring Security Outcomes which was recommended by Josiah Dykstra, Senior Fellow in the Office of Innovation at NSA.
On the interesting job/role front (thanks to those sending me these):
Agency Chief Information Security Officer (ACISO) - Government Technology Agency (GovTech), Singapore
Have a lovely Thursday
Ollie
Cyber threat intelligence
Who is doing what to whom and how.
Russia
Various tactical reporting omitted this week which can be found on the subreddit.
Cyber Operations during the Russo-Ukrainian War
Grace B. Mueller, Benjamin Jensen, Brandon Valeriano, Ryan C. Maness and Jose M. Macias provide a unique empirical analysis of Russian cyber operations. I suspect this evidence base and analysis will be of use to a number of readers.
https://www.csis.org/analysis/cyber-operations-during-russo-ukrainian-war
Diplomats Beware: Cloaked Ursa Phishing With a Twist
Good pre-text game here by Russia and a lesson for anyone dealing with non-technical colleagues and providing them protective advice. I am not sure, had I been a diplomat, that I would not have fallen foul of this.
Russia’s Foreign Intelligence Service hackers, which we call Cloaked Ursa (aka APT29, UAC-0029, Midnight Blizzard/Nobelium, Cozy Bear) are well known for targeting diplomatic missions globally. Their initial access attempts over the past two years have predominantly used phishing lures with a theme of diplomatic operations such as the following:
Notes verbale (semiformal government-to-government diplomatic communications)
Embassies’ operating status updates
Schedules for diplomats
Invitations to embassy events
We observed Cloaked Ursa targeting at least 22 of over 80 foreign missions located in Kyiv. While we don’t have details on their infection success rate, this is a truly astonishing number for a clandestine operation conducted by an advanced persistent threat (APT) that the United States and the United Kingdom publicly attribute to Russia’s Foreign Intelligence Service (SVR).
One of the most recent of these novel campaigns that Unit 42 researchers observed appeared to use the legitimate sale of a BMW to target diplomats in Kyiv, Ukraine, as its jumping off point.
https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/
Targeted Turla attacks (UAC-0024, UAC-0003) using CAPIBAR and KAZUAR malware (CERT-UA#6981)
Russian commodity capability continues to get thrown around.
In the initial compromise stage, in addition to sending e-mails with an attachment as a macro document, attackers can modify documents (for example, on an internal public network resource) by adding a few lines of code to the structure of a legitimate macro that will cause PowerShell to run.
https://cert.gov.ua/article/5213167
Malicious campaigns target government, military and civilian entities in Ukraine, Poland
Vanja Svajcer details further activity in Ukraine which overlaps with some other recent reporting. Malicious Microsoft Office for all of Ukraine.
[We] discovered a threat actor conducting several campaigns against government entities, military organizations and civilian users in Ukraine and Poland. We judge that these operations are very likely aimed at stealing information and gaining persistent remote access.
The activity we analyzed occurred as early as April 2022 and as recently as earlier this month, demonstrating the persistent nature of the threat actor. Ukraine’s Computer Emergency Response Team (CERT-UA) has attributed the July campaign to the threat actor group UNC1151, as a part of the GhostWriter operational activities allegedly linked to the Belarusian government.
The attacks used a multistage infection chain initiated with malicious Microsoft Office documents, most commonly using Microsoft Excel and PowerPoint file formats. This was followed by an executable downloader and payload concealed in an image file, likely to make its detection more difficult.
The final payloads include the AgentTesla remote access trojan (RAT), Cobalt Strike beacons and njRAT.
https://blog.talosintelligence.com/malicious-campaigns-target-entities-in-ukraine-poland/
Spy, get out: the XDSpy group attacked Russian organizations using bait of the Ministry of Emergency Situations
We do not often get visibility into threat actors operating inside of Russia, but here is a glimpse. The actual tradecraft is phishing, ZIP files with LNKs etc. - so rather basic.
XDSpy is one of the most mysterious and little-studied cyber-espionage groups. It was first spotted in February 2020 by the Belarusian CERT, although the group itself has been active since at least 2011. The majority of XDSpy's targets are located in Russia - they are government, military, financial institutions, as well as energy, research and mining companies. But despite the fact that XDSpy appears on the radar with enviable regularity, international experts have not decided in the interests of which country this hack group is working.
Spearphishing Campaign Targets Zimbra Webmail Portals of Government Organizations
Arda Büyükkaya builds on prior reporting on this activity to give insights into the victimology.
The actor probably exploited vulnerabilities in the Zimbra and Roundcube webmail portals. The portals are publicly accessible and at the time of reporting are running outdated versions.
The webmail portals were used to distribute spearphishing emails targeting other government organizations.
Analysis of email headers indicates that the threat actor successfully circumvented anti-spam filters of targeted government organizations. These findings suggest that the threat actor employed evasive tactics throughout the operation.
According to “Originating-IP” email header section in the observed emails, the threat actor very likely used VPN services to hide its real identity.
The threat actor abused legitimate web services like Google Firebase, MailChimp, chilipepper.io, and webflow.io to collect email credentials.
The campaign has been underway since as early as January 2023 and has mostly targeted government entities in Ukraine, but also Spain, Indonesia, and France.
North Korea
Various tactical reporting omitted this week which can be found on the subreddit.
The Lazarus attack group attacking Windows servers and using them as malware distribution servers
Sanseo details an attack campaign where a product vulnerability was used by our Hermit Kingdom friends to turn a third party into part of their attack chain.
Although the INITECH vulnerability has already been patched, exploits targeting unpatched systems have been made until recently. After the Lazarus group attacked the IIS web server and seized control, it was used as a server for the purpose of distributing malware used to exploit the INITECH vulnerability.
JumpCloud Intrusion | Attacker Infrastructure Links Compromise to North Korean APT Activity
Tom Hegel provides some possible attribution for JumpCloud here.
It is evident that North Korean threat actors are continuously adapting and exploring novel methods to infiltrate targeted networks. The JumpCloud intrusion serves as a clear illustration of their inclination towards supply chain targeting, which yields a multitude of potential subsequent intrusions. The DPRK demonstrates a profound understanding of the benefits derived from meticulously selecting high-value targets as a pivot point to conduct supply chain attacks into fruitful networks.
China
Beautiful Bauhinia: "HKLeaks" – The Use of Covert and Overt Online Harassment Tactics to Repress 2019 Hong Kong Protests
Alberto Fittarelli and Lokman Tsui provide some evidence of possible Chinese hack and leak operations.
In August 2019 a wave of websites and social media channels, called “HKLEAKS,” began “doxxing” the identities and personal information of pro-democracy activists in Hong Kong. While the creators of these sites and channels claimed that HKLEAKS was the product of local volunteer communities, several indicators suggest a coordinated information operation conducted by professional actors in alignment with Chinese state interests.
The core campaign employed strong operational security measures, going to great lengths, and using significant skills and resources, to hide the identity of its actors.
Active maintenance of the operation stopped by mid 2021, once most of the campaign’s targets had been arrested or exiled, with almost all the linked assets ceasing their activity or changing their focus. This, combined with other suspicious signals we have detected, is characteristic of an artificial campaign and not of an organic, community-driven effort, which typically trails off gradually.
This operation is a clear example of a multi-faceted approach to information operations, that not only disseminates content designed to influence opinions, but also uses intimidation tactics — such as doxxing — intended to suppress the targets’ activities.
While a conclusive attribution cannot be attained at this stage, we identify circumstantial evidence that suggests the campaign operators held links to mainland China.
Supply Chain Attack Targeting Pakistani Government Delivers Shadowpad
Daniel Lunghi provides some mixed reporting in a case of did they / didn’t they? Either way shows intent on behalf of a likely Chinese threat actor against Pakistan.
We recently found that an MSI installer of the Pakistani government app E-Office delivered a Shadowpad sample, suggesting a possible supply-chain attack.
As of July 17, the Pakistani government agency in question has found no compromise of its build environment. As the MSI installer file is not signed, we cannot remove the possibility that the threat actor obtained the legitimate installer and modified it to add the malicious files found in our analysis, and that users were lured to run this Trojanized version via social engineering attacks. They are currently carrying out a detailed forensic analysis of their systems to thoroughly investigate this incident.
Analysis of Storm-0558 techniques for unauthorized email access
Microsoft provide some further detail behind the attack against Exchange Online using stolen encryption keys.
[We] assess with moderate confidence that Storm-0558 is a China-based threat actor with activities and methods consistent with espionage objectives. While we have discovered some minimal overlaps with other Chinese groups such as Violet Typhoon (ZIRCONIUM, APT31), we maintain high confidence that Storm-0558 operates as its own distinct group.
Chinese State-Linked Information Operation Revealed Social Media Account Takeover Potential
Sandra Quincoses shines a light on some of the information operation maturity of China and how it is being applied in South America. Whilst the Global North might be all over it (info ops), there is a question of how we protect more vulnerable nations.
[Our] investigators identified a network of pro-Beijing Twitter accounts likely engaged in state-backed information operation targeting audiences in various countries in Latin America, including Paraguay, Costa Rica, Chile, and Brazil. Some of the accounts promote strategic Chinese state media-linked news content in both Spanish and Portuguese.
The network is linked to China News Service and shows signs of coordinated inauthentic behavior, with accounts posting similar or identical content related to China at close time intervals. This indicates they are likely organized through a common operator echoing content mainly from Chinese state-linked media outlets, in an attempt to improve China’s image and enhance its policy and diplomatic efforts.
https://www.nisos.com/research/chinese-info-ops-account-takeover/
Stealth Mode: Chinese Cyber Espionage Actors Continue to Evolve Tactics to Avoid Detection
A summary of Chinese tactics evolution and how they have evolved into a global player. It is clear the game is afoot my friends ..
Use of botnets, proxying traffic in a compromised network, and targeting edge devices are not new tactics, nor are they unique to Chinese cyber espionage actors. However, during the last decade, we have tracked Chinese cyber espionage actors’ use of these and other tactics as part of a broader evolution toward more purposeful, stealthy, and effective operations. We suggest that the military and intelligence restructure, evidence of shared development and logistics infrastructure, and legal and institutional structures directing vulnerability research through government authorities point to long term investments in equipping Chinese cyber operators with more sophisticated tactics, tools, and exploits to achieve higher success rates in gaining and maintaining access to high value networks. The examples highlighted here indicate that these investments are bearing fruit.
https://www.mandiant.com/resources/blog/chinese-espionage-tactics
WyrmSpy and DragonEgg: Attributes Android Spyware to China’s APT41
Kristina Balaam and Justin Albrecht attribute an Android-focused campaign which likely uses social engineering to land on the handsets.
[We attribute] WyrmSpy and DragonEgg to infamous Chinese espionage group APT41, which has not slowed down since recent indictments by the U.S. government.
APT41 is known to target a wide range of public and private sector organizations, including nation-state governments, software development companies, computer hardware manufacturers, telecommunications providers, social media companies, and video game companies.
An established threat actor like APT41 turning their focus to mobile devices shows that mobile endpoints are high-value targets with coveted data.
WyrmSpy and DragonEgg use modules to hide their malicious intentions and avoid detection.
https://www.lookout.com/threat-intelligence/article/wyrmspy-dragonegg-surveillanceware-apt41
Space Pirates: a look into the group's unconventional techniques, new attack vectors, and tools
Further reporting from within Russia which alludes to the threat actor being Chinese. Friends apparently they are not entirely..
The Space Pirates group is relentlessly stepping up activity targeting Russian companies: the number of attacks has increased manifold. The hackers are working on new malware that implements unconventional techniques, such as voidoor, and modifying their existing malware. In addition, we have seen a drastic reduction in the use of other backdoors characteristic of the group and an increase in attacks that employ Deed RAT.
The Space Pirates group uses a large number of publicly available tools for navigating networks. The hackers also use Acunetix to reconnoiter infrastructures it targets. Meanwhile, the group’s tactics have hardly changed.
Iran
Nothing this week
Routers from the Underground: Exposing AVrecon
The scale of the compromise is the aspect of note here.
[We] identified another multi-year campaign involving compromised routers across the globe. This is a complex operation that infects small-office/home-office (SOHO) routers, deploying a Linux-based Remote Access Trojan (RAT) we’ve dubbed “AVrecon.” Apart from a single reference to AVrecon in May 2021, the malware has been operating undetected for more than two years.
[We] determined the composition of a network that has infiltrated more than 70,000 machines, gaining a persistent hold in more than 40,000 IPs in more than 20 countries.
https://blog.lumen.com/routers-from-the-underground-exposing-avrecon/
Discovery
How we find and understand the latent compromises within our environments.
Detecting BPFDoor Backdoor Variants Abusing BPF Filters
Fernando Merces provides advice around detection and analysis of this Linux backdoor. Wonder what Türkiye did to deserve this.
ShellSweep: ShellSweeping the evil
Michael Haag provides a useful work aid for those hunting on all platforms for Chinese (and other) web shells. Especially appliance like solutions e.g. Citrix etc.
ShellSweep and its suite of tools calculate the entropy of file contents to estimate the likelihood of a file being a webshell. High entropy indicates more randomness, which is a characteristic of encrypted or obfuscated code often found in webshells.
https://github.com/MHaggis/ShellSweep
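The entropy heuristic ShellSweep describes, as an added example written for this newsletter (not ShellSweep’s own code): Shannon entropy per file, a directory walk restricted to web-content extensions, and two constructed samples showing why a base64-heavy file scores higher than ordinary source. The extension list and the 5.5 bits-per-byte cut-off are assumptions for illustration, not ShellSweep’s tuned values.

```python
import base64
import math
import tempfile
from collections import Counter
from pathlib import Path

# Extensions to inspect when hunting for web shells (assumed subset, not ShellSweep's list).
WEB_EXTENSIONS = {".php", ".jsp", ".jspx", ".asp", ".aspx", ".ashx", ".asmx"}

# Bits per byte at or above which a file is flagged. 0.0 means one repeated byte,
# 8.0 means uniformly random; pure base64 text tops out near 6.0. The 5.5 cut-off
# is an assumption for this example, not ShellSweep's per-extension threshold.
DEFAULT_THRESHOLD = 5.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    counts = Counter(data)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def scan_directory(root, threshold=DEFAULT_THRESHOLD, extensions=WEB_EXTENSIONS):
    """Walk root and return [(path, entropy)] for web-extension files at or above threshold."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in extensions:
            ent = shannon_entropy(path.read_bytes())
            if ent >= threshold:
                hits.append((str(path), round(ent, 3)))
    return hits


# Constructed samples for the example (not files from any real incident).
BENIGN_PHP = b"""<?php
// Ordinary template code: source text sits around 4.5 bits per byte.
require_once 'config.php';
$items = get_items($db);
foreach ($items as $item) {
    echo '<li>' . htmlspecialchars($item['name']) . '</li>';
}
?>
"""

# Obfuscated-looking sample: a long base64 blob wrapped in PHP. The encoded
# content is just the bytes 0..255 repeated, not code, but its near-uniform
# symbol distribution is exactly what pushes the entropy score up.
_BLOB = base64.b64encode(bytes(range(256)) * 4)
OBFUSCATED_PHP = b"<?php $payload = '" + _BLOB + b"'; ?>\n"


def demo() -> list:
    """Write the samples into a temp dir and return (file name, entropy) for each flagged file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_bytes(BENIGN_PHP)
        (root / "uploads").mkdir()
        (root / "uploads" / "cache.php").write_bytes(OBFUSCATED_PHP)
        # Same high-entropy content under a non-web extension is not inspected.
        (root / "uploads" / "blob.bin").write_bytes(OBFUSCATED_PHP)
        return [(Path(p).name, e) for p, e in scan_directory(root)]


if __name__ == "__main__":
    for name, ent in demo():
        print(f"{name}: {ent:.3f} bits/byte")
```

Legitimate minified or base64-embedded assets will also score high, so treat hits as triage candidates to inspect, not verdicts.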
LolDriverScan
Find that Windows privilege escalation attack surface.
LolDriverScan is a golang tool that allows users to discover vulnerable drivers on their system. This tool fetches the loldrivers.io list from their APIs and scans the system for any vulnerable drivers. This project is implemented in Go and does not require elevated privileges to run.
https://github.com/FourCoreLabs/loldriverscan
Artifacts || PsExec Execution
Raj Upadhyay provides some forensic artifacts from running PsExec which might be of use to some.
https://upadhyayraj.medium.com/artifacts-psexec-execution-b8b9a8baa074
Defence
How we proactively defend our environments.
Phishing versus Defence-in-Depth
Joel Samuel provides a powerful post full of wisdom on how to think about phishing and adjacent..
Hacking off end-users is counter-productive to security in the long term. Even if phishing exercises are done well, end-users who ‘fall’ for these exercises won’t feel good about it, will loathe any training they are sent on, and may be less likely to engage with security teams in the future.
https://joelgsamuel.medium.com/what-i-mean-by-defence-in-depth-cybersecurity-6ac07f89ad89
Linux Forensics Workshop
All materials free and online - the case used involved a compromised Hadoop cluster with compromised accounts, EoP, lateral movement and different persistence mechanisms.
https://linuxdfir.ashemery.com/Workshops/DFRWS_USA_2023/
Vulnerability
Our attack surface.
Hazardous Echoes: The DNS Resolvers that Should Be Put on Mute
Ramin Yazdani, Yevheniya Nosyk, Ralph Holz, Maciej Korczynski, Mattijs Jonker and Anna Sperotto show how easy traffic amplification continues to be for volumetric denial of service.
We quantify the problem of echoing resolvers in the wild. We identify thousands of such resolvers on the Internet and show how some reply on the order of tens of thousands of times to a single query, further escalating the potential of R&A DDoS attacks. We analyze the cause of response repetition, study behavioral differences among echoing resolvers, and categorize resolvers on the basis of the underlying causes of the observed behavior. We show how the interplay between DNS traffic and the traversed networks is responsible for echoing resolvers. In particular, we identify IP broadcasting as a cause of echoing resolvers, on top of phenomena already described in the literature (e.g., routing loops). Furthermore, we show that using sensitive labels in queries can lead to a more powerful echoing effect while using different query types does not significantly affect echoing behavior. Finally, seeing how some underlying causes of response repetition also affect or can be turned against authoritative nameservers, we quantify the potential impact of echoing resolvers on these as well.
https://tma.ifip.org/2023/wp-content/uploads/sites/12/2023/06/tma2023-final12.pdf
Cisco SD-WAN vManage Unauthenticated REST API Access Vulnerability
Less than ideal and symptomatic of a failure in test driven development.
A vulnerability in the request authentication validation for the REST API of Cisco SD-WAN vManage software could allow an unauthenticated, remote attacker to gain read permissions or limited write permissions to the configuration of an affected Cisco SD-WAN vManage instance.
Ghostscript Remote Code Execution Vulnerability
Dave Truman provides details on one of those vulnerabilities that risks being exploited against various client software via e-mail attachment.
Vulnerability disclosed in Ghostscript prior to version 10.01.2 leads to code execution.
Exploitation can occur upon opening a file.
Ghostscript is used heavily in Linux and is often installed by default.
Windows Open-Source productivity and creativity tools such as Inkscape use the Ghostscript windows port.
Citrix ADC and Citrix Gateway Security Bulletin for CVE-2023-3519, CVE-2023-3466, CVE-2023-3467
Unauthenticated remote code execution in certain configurations.
Offense
Attack capability, techniques and trade-craft.
TeamsPhisher: Send phishing messages and attachments to Microsoft Teams users
Alex Reid provides a capability which I suspect will cause a product/service level response in part from Microsoft.
TeamsPhisher is a Python3 program that facilitates the delivery of phishing messages and attachments to Microsoft Teams users whose organizations allow external communications.
https://github.com/Octoberfest7/TeamsPhisher
Strip personal compile information from Exe Files
Sheng-Hao Ma provides a capability which will make cyber threat intelligence etc. harder.
gist.github.com/aaaddress1/76f3ded4c72d1b095fe8084157f6a96a
HadesLdr
D1rkMtr and Zak Clifford make certain EDR vendors sob with this capability.
Shellcode Loader Implementing Indirect Dynamic Syscall, API Hashing, Fileless Shellcode retrieving using Winsock2
https://github.com/CognisysGroup/HadesLdr
Query-Free Evasion Attacks Against Machine Learning-Based Malware Detectors with Generative Adversarial Networks
Daniel Gibert, Jordi Planes, Quan Le and Giulio Zizzo hint at the arms race we are in with this work.
This work presents a novel query-free approach to craft adversarial malware examples to evade ML-based malware detectors. To this end, we have devised a GAN-based framework to generate adversarial malware examples that look similar to benign executables in the feature space. To demonstrate the suitability of our approach we have applied the GAN-based attack to three common types of features usually employed by static ML-based malware detectors: (1) Byte histogram features, (2) API-based features, and (3) String-based features. Results show that our model-agnostic approach performs on par with MalGAN, while generating more realistic adversarial malware examples without requiring any query to the malware detectors. Furthermore, we have tested the generated adversarial examples against state-of-the-art multimodal and deep learning malware detectors, showing a decrease in detection performance, as well as a decrease in the average number of detections by the anti-malware engines in VirusTotal.
https://arxiv.org/abs/2306.09925
Exploitation
What is being exploited.
Comprehensive analysis of initial attack samples exploiting CVE-2023-23397
Eeek.
From a technical point of view, the vulnerability is a critical EoP that is triggered when an attacker sends an Outlook object (task, message, or calendar event) within an extended MAPI property that contains a UNC path to an SMB share on a threat actor-controlled server, resulting in a Net-NTLMv2 hash leak. No user interaction is required. The NTLM leak occurs when the reminder window is displayed, not just when the message is received. However, an already expired reminder will be fired immediately upon receipt of the object!
https://securelist.com/analysis-of-attack-samples-exploiting-cve-2023-23397/110202/
CVE-2023-36884: Office and Windows HTML Remote Code Execution Vulnerability
Eeek II.
Microsoft is investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office products. Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents.
An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884
Security Update for Zimbra Collaboration Suite Version 8.8.15
This was/is being exploited in the wild.
https://blog.zimbra.com/2023/07/security-update-for-zimbra-collaboration-suite-version-8-8-15/
Active Exploitation of Multiple Adobe ColdFusion Vulnerabilities
Caitlin Condon provides a painful read including incomplete patches.
Massive Targeted Exploit Campaign Against WooCommerce Payments Underway
Ram Gall details this at-scale campaign which has the potential to have real scaled impact.
[We have] been monitoring an ongoing exploit campaign targeting a recently disclosed vulnerability in WooCommerce Payments, a plugin installed on over 600,000 sites. Large-scale attacks against the vulnerability, assigned CVE-2023-28121, began on Thursday, July 14, 2023 and continued over the weekend, peaking at 1.3 million attacks against 157,000 sites on Saturday, July 16, 2023.
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
YAMME: a YAra-byte-signatures Metamorphic Mutation Engine
Antonio Coscia, Vincenzo Dentamaro, Stefano Galantucci, Antonio Maci and Giuseppe Pirlo have released an academic paper.
YAMME, a post-processing mechanism usable to strengthen YARA-rules against metamorphic malware capable of evading YARA-byte-signatures by employing general obfuscation techniques. Based on the results obtained, it was found that YAMME is effective in improving YARA-rules detection rate against metamorphic malware.
..
YAMME rules have been evaluated on MWOR, G2, NGVCK, and MetaNG datasets, resulting in a better detection rate than that achieved by YARA-rules generated through AutoYara.
https://ieeexplore.ieee.org/abstract/document/10177752
A Novel Approach to Identify Security Controls in Source Code
Ahmet Okutan, Ali Shokri, Viktoria Koscinski, Mohamad Fazelinia and Mehdi Mirakhorli have for now released their paper, sans code.
The results derived from the first two experiments show that fine-tuned BERT models and TD are able to achieve high Precision, Recall and F-Measure values while identifying whether security controls are implemented in a given code snippet or not. With BERT, the average F-Measure scores for the first two experiments are 0.97 and 0.96, respectively.
https://arxiv.org/abs/2307.05605
binsec: BINSEC binary-level open-source platform
A team effort here.
BINSEC is an open-source toolset to help improve software security at the binary level. It relies on cutting-edge research in binary code analysis, at the intersection of formal methods, program analysis, security and software engineering. It is powered up by state-of-the-art techniques such as binary-level formal methods, symbolic execution, abstract interpretation, SMT solving and fuzzing.
https://github.com/binsec/binsec
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Aggregate reporting
Reconsidering Vehicle Data Interpretation in Insurance Claims - interesting forensics source here.
US Covert Action and Clandestine Activities of the Intelligence Community: Selected Congressional Notification Requirements - - Section 3093 of Title 50, U.S. Code sets out how the congressional intelligence committees are to be informed of covert actions, to include the use of cyber capabilities when employed in a covert action.
NIST A Preliminary Update from the Internet of Things Federal Working Group -
AI/ML
Books:
Events etc.
2nd ENISA Cybersecurity Market Analysis Conference - 28th and 29th of September
Call for Papers: Journal of Cybersecurity and Privacy - Special Issue on Cloud Security and Privacy
This newsletter is produced by BinaryFirefly; it is via BinaryFirefly that I support a hand-picked set of organisations across investment, strategy and capability in the domain of cyber.
For sponsorship enquiries regarding Bluepurple or anything else contact hello@binaryfirefly.com.