Bluepurple Pulse: week ending July 17th - Part Deux
Operation Disney Land was a success.
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading).
You get a second edition for last week as I was on vacation for the latter half. In order to manage the volume and timeliness it warranted a second part.
In the high-level in the remainder of last week:
International Law and Cybersecurity Governance publication from a research seminar that gathered international law scholars in January 2022 - numerous topics covered and worth a read.
China published their ‘Data Exit Security Assessment Measures’ which will come into force on September 1 2022 - these are the measures which stem from "Measures for Security Assessment of Data Exports"
European Central Bank head targeted in hacking attempt - covered in various parts of the press.
Rep. Eshoo and Senator Wyden Urge FTC to Address Deceptive Data Practices by VPN Providers - who new claimed security benefits peddled by VPN providers so they can monetize the data might not actually be true.
U.S. Cybersecurity Strategy as One of the Main Directions of National Security Policy of the Country - published in the Journal of Humanities - so likely intended to educate that readership (to manage expecations).
Europe’s PegasusGate: Countering spyware abuse | Report from the European Parliamentary Research Service (EPRS) - As the Pegasus revelations shed light on the adverse effects of trade in and abuse of cyber-surveillance technologies, policymakers are seeking adequate responses - it will be interesting to see what they do.
related GeckoSpy: Pegasus Spyware Used Against Thailand’s Pro-Democracy Movement - No doubt will go a long way to appease the European Union and any response they were planning.
In defense of offense: information security research under the right to science -I then conclude that states must recognise a right to research information security vulnerabilities, but that this right comes with a duty of researchers to disclose their findings in a way which strengthens information security - what we all know, but a valuable academic paper which can be cited nevertheless
Ransomware Task Force Year Two: New Map; New Data - we estimate that in 2021 there were well over 4,000 documented ransomware incidents involving at least 60 ransomware “families”, impacting organizations in 109 countries - some big numbers
CISA Cyber Safety Review Board - Review of the December 2021 Log4j Event - looks like cyber is increasingly inspired by the lessons learnt from transport etc. before it. Some valid observations.
Ex-CIA engineer convicted in massive theft of secret info - which lead to the Vault7 leaks.
The Cyber Resilience Index: Advancing Organizational Cyber Resilience - from the World Economic Forum, don’t expect an ‘index’ - it is the methodology.
Interesting article on immigration policy and technology - sub plot is a Turkish student in the US couldn’t get an academic appointment or funding - so looked to China - Huawei stepped up - then 5G patents followed. A painful lesson for us all.
Hack Global, Buy Local: The Inefficiencies of the Zero-Day Exploit Market - I missed this article last month, dubious data, access to the market and conclusions. Dangerous article if used by policy markets to make material decisions.
More generally there are some think tank jobs doing the rounds at the moment which are worth calling out. First is Deputy Director, Cyber Statecraft Initiative for the Atlantic Council (DC/remote 🇺🇸). The second is a Research and Analysis Specialist, Centre for Cybersecurity at the World Economic Forum in (Geneva 🇨🇭). Both worthy / impactful causes.
Enjoying this? don’t get via e-mail? subscribe:
Think someone else would benefit? Share:
Have a lovely Monday,
Ollie
Cyber threat intelligence
Who is doing what to whom and how.
Ukraine
Malware detected by the SSSCIP in Q2 2022 (Ukraine)
Analysis from the Ukraine government with some statistics showing the shift they’ve seen in the first part of the conflict.
During the II quarter of 2022, 19 billion events were processed with the Vulnerability Detection and Cyber Incidents/Cyber Attacks System. The number of registered and processed cyber incidents increased from 40 to 64. The main goal of hackers remains cyberespionage, disruption of the availability of state information services and even destruction of information systems with the help of wipers. In the second quarter of 2022, we saw a significant increase in the activity of hacker groups in the distribution of malware, which includes both data stealing and data destruction programs. Comparing to the statistics for the 1st quarter of 2022, the number of IS events in the "Malicious code" category increased by 38%.
Tracing State-Aligned Activity Targeting Journalists, Media
Crista Giering, Joshua Miller and Michael Raggi provide insights into the targeting of the media sector. When the source of truth and/or those who might be sitting on stories which could be used for leverage become a target it all seems a little multi-dimensional.
Those involved in media make for appealing targets given the unique access, information, and insights they can provide on topics of state-designated import.
[We] have observed APT actors since early 2021 regularly targeting and posing as journalists and media organizations to advance their state-aligned collection requirements and initiatives.
The identified campaigns have leveraged a variety of techniques from using web beacons for reconnaissance to sending malware to establish initial access into the target’s network.
The focus on media by APTs is unlikely to ever wane, making it important for journalists to protect themselves, their sources, and the integrity of their information by ensuring they have an accurate threat model and secure themselves appropriately.
Suspected India-based Sidewinder APT successfully cyber attacks Pakistan military focused targets
In true Streisand effect fashion I am sharing this post although it appears to have been deleted. I am guessing due to the mis-attribution / potential for false flag?
During May 2022, several malware samples and two encrypted files, related to the attack were uploaded to Virus Total. After decrypting the encrypted files, [we] saw that one of them is a .NET DLL related to an APT group called “Sidewinder” that is attributed to India and known to target entities in Pakistan. The malware utilized in this espionage operation is an information stealer malware, exclusively used by this APT, usually leveraged to steal documents from the following types: .docx .doc .xls .xlsx .pdf .ppt .pptx .rar .zip.
North Korean threat actor targets small and midsize businesses with H0lyGh0st ransomware
North Korea using ransomware in one of the more ill prepared segments of business in order to run ransomware ops. Tradecraft looks like an other ransomware operation.
A group of actors originating from North Korea that [we track] as DEV-0530 has been developing and using ransomware in attacks since June 2021. This group, which calls itself H0lyGh0st, utilizes a ransomware payload with the same name for its campaigns and has successfully compromised small businesses in multiple countries as early as September 2021.
Confucius: The Angler Hidden Under CloudFlare
Chinese reporting on improving operational security from this Indian state threat actor.
[We found] an attack by Confucius against the Pakistani government and military institutions.
The attackers used the following methods to evade detection:
Deliberately forging the timestamps of C# downloader Trojans and C# stealing Trojans into unreal time to counter time zone analysis.
Using encrypted malicious macro code documents, the password is usually located in the body of the email, the body of the PDF and the page of the phishing website. By encrypting the malicious macro document, the attacker ensures that when the non-target group obtains the malicious macro document, the malicious macro document cannot be opened and analyzed without the password.
The domain names all use the CDN acceleration service of CloudFlare (US Content Delivery Network and DDoS Mitigation Company), which can effectively hide the real IP address of the server to which the domain name resolves.
Using the CloudFlare firewall function to filter the address location of the access IP, only when the access IP is located in a specific country, the access page will jump to the real malicious macro document download page.
Targeted attack on Government Agencies
Sushant Kumar Arya and Mohsin Dalla outline a basic campaign targeting government agencies of Afghanistan, India, Italy, Poland, and the United States since 2021
Attacker used politics as a lure to trick users into clicking on a malicious link. The email used for this phishing attack contains an attachment or a weaponized URL that delivers an Excel sheet. Upon opening the Excel sheet, Excel executes an embedded malicious macro which then decrypts and installs a Remote Access Trojan (AysncRAT & LimeRAT) and maintains persistence. Once the Remote Access Trojan is installed on the victim machine, it establishes communication with a Command-and-Control server used to exfiltrate victim data. The Remote Access Trojan is capable of taking screenshots, capturing keystrokes, recording credentials/confidential information, and adding infected systems to botnets.
GhostSec Raising the Bar
Hacktivists going after ICS/SCADA? Is this a first?
In June 2022, [we] observed a new hacktivist campaign targeting multiple Israeli organizations and enterprises coordinated via different social media platforms. The campaign is led by hacktivists originating in a group called GhostSec.
GhostSec was first identified in 2015 and was initially founded to attack ISIS in the cyber realm as part of the fight against Islamic extremism. In past years, the group participated in several campaigns against several counties including Nigeria, Colombia, Lebanon and South Africa. From the start of the Russian-Ukrainian war, the group sided with Ukraine and published mainly Russian-related leaks, DDOS, and content under the campaign #OpRussia.
At the end of June 2022, the group declared it was joining the #OpIsrael campaign. Immediately after their announcement, the group pivoted from their regular operations and started to target multiple Israeli companies, presumably gaining access to various IoT interfaces and ICS/SCADA systems, which led to possible disruptions.
https://cyberint.com/blog/research/ghostsec-raising-the-bar/
Transparent Tribe begins targeting education sector in latest campaign
Nick Biasini discusses a Pakistan state threat actors campaign against Indian education institutions. The adversary is targeting students of universities and colleges in India.
[We have] been tracking a new malicious campaign operated by the Transparent Tribe APT group.
This campaign involves the targeting of educational institutions and students in the Indian subcontinent, a deviation from the adversary's typical focus on government entities.
The attacks result in the deployment of CrimsonRAT, Transparent Tribe's malware of choice for establishing long-term access into victim networks.
We assess with high confidence that a Pakistani web hosting services provider "Zain Hosting" was used for deploying and operating components of Transparent Tribe's infrastructure. This is likely one of many third parties Transparent Tribe employs to prepare, stage and/or deploy components of their operation.
https://blog.talosintelligence.com/2022/07/transparent-tribe-targets-education.html
APT-C-26 (Lazarus) Organization Forged Analysis Report on E-commerce Component Attack Activities
Some very specific targeting by North Korea here. The target is a security software producer in Korea.
[We] discovered an attack activity from the Lazarus organization. This attack activity disguised itself as an Alibaba-related component to attack. The payload component is related to the NukeSped family. It is inferred that it is an attack against a specific field or group of people. This attack is highly targeted and concealed. At present, the recruited users are related to the Korean software company Hancom Secure .
Climbing Mount Everest: Black-Byte Bytes Back?
NCC Group’s Michael Mullen and Nikolaos Pantazopoulos provide actionable TTPs on this ransomware operator who looks like a pentest.
In the Threat Pulse released in November 2021 we touched on Everest Ransomware group. This latest blog documents the TTPs employed by a group who were observed deploying Everest ransomware during a recent incident response engagement.
In summary, we identified the following key TTPs:
Lateral Movement through Remote Desktop Protocol (RDP)
Gathering of internal IP addresses for hosts on the network
Local LSASS dumps
NTDS.dit dumps
Installation of Remote Access Tools for persistence
https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/
An Analysis of Infrastructure linked to the Hagga Threat Actor
Walk through / product placement by Kyle Krejci on what you can do when you have netflow from some public Internet backbones and can map threat actor infrastructure.
This blog will describe how we were able to pivot in threat telemetry, using these IOCs as seeds, to identify several other C2s used by this threat actor, ultimately leading us to a backend MySQL server.
Dropper malware disguised as firmware update
Korean reporting on a North Korean where they disguised their malicious payload as a firmware update. We’ve previously covered this campaign before, but this is the first detailed technical analysis.
https://hauri.net/security/security_view.html?intSeq=40&page=1&keyfield=&key=
ChromeLoader: New Stubborn Malware Campaign
Nadav Barak shows that threat actors will evolve to side loading browser extensions once more in order to get some real scale in their campaigns.
In January 2022, a new browser hijacker/adware campaign named ChromeLoader (also known as Choziosi Loader and ChromeBack) was discovered. Despite using simple malicious advertisements, the malware became widespread, potentially leaking data from thousands of users and organizations.
Instead of more traditional malware like a Windows executable (.exe) or Dynamic Link Library (.dll), the malware authors used a browser extension as their final payload. The browser extension serves as adware and an infostealer, leaking all of the user’s search engine queries. We discovered significant changes and additions of capabilities throughout this campaign's evolution, and we predict further changes as this campaign continues.
In this article, we examine the technical details of this malware, focus on the evolution between its different versions and describe changes in its infection process. This article also reviews new variants that have not yet been publicly reported.
https://unit42.paloaltonetworks.com/chromeloader-malware/
The Kit That Wants It All: Scam Mimics PayPal’s Known Security Measures
Larry W. Cashdollar and Aline Eliovich again evidence once more that criminal actors are becoming increasingly operational security aware in order to avoid detection. This tradecraft requires researchers to increasingly exit from residential IPs in the required geographies.
[We] discovered evidence of an attacker parasitizing benign WordPress sites to execute a comprehensive PayPal phishing scam.
The threat actor brute forces into existing, non-malicious WordPress sites and injects their Phishing kit into them as a way of maintaining evasion.
The kit attempts to gain substantial access to a victim’s identity and information by mimicking new security practices: requiring users to submit government documents and photographs of the victim, in addition to their banking information and email passwords.
The kit employs various social engineering techniques to fool victims and lead them down a rabbit hole of providing more and more sensitive information.
One of the unique aspects of this phishing kit is its attempts to directly evade security companies by providing multiple different checks on the connecting IP address to ensure that it doesn’t match specific domains or originate from security organizations.
The threat actor behind this site uses a file management plugin to upload the phishing kit. Interestingly, this mechanism allows for further exploitation of the WordPress site.
The phishing kit author uses htaccess to rewrite the URLs to not have .php at the end of the URL. This gives the phishing page a more polished and professional look.
https://www.akamai.com/blog/security/paypal-phishing-scam-mimics-known-security-measures
Discovery
How we find and understand the latent compromises within our environments.
Workshop: Velociraptor: Digging Deeper (4 Hours)
A wonderful workshop by Mike Cohen on this fabulous tool.
Slides: https://docs.velociraptor.app/presentations/2022_dfrws_us/
akvorado: Net Flow collector, hydrater and visualizer
Vincent Bernat provides valuable tooling to industrialise netflow usage within organisations.
receives flows (currently Netflow/IPFIX), hydrates them with interface names (using SNMP), geo information (using MaxMind), and exports them to Kafka, then ClickHouse
https://github.com/vincentbernat/akvorado
Hello IPv6 Scanning World!
Good tradecraft overview on how one does this in practice.
In recent months, [we have] been systematically rolling out IPv6 scanning of services. Blindly scanning the full IPv6 space is of course, completely unfeasible. Total IPv6 space is about 3.4×10^38 unique addresses (that’s 340 trillion trillion trillion addresses). With our current capabilities, it would take roughly 2×10^25 years to scan the entire IPv6 space. Compare that to scanning all of IPv4 space (only about 4.3 billion, out of which we scan 3.7 billion addresses), which nowadays typically takes us minutes!
We chose to conduct our IPv6 scanning based on hitlists of IPv6 addresses observed being used in the wild. We compile such a list of /128 addresses from various internal and external sources, which include:
DNS AAAA records (passive DNS)
Certificate transparency streams
The IPv6 hitlist
Sinkholes
Other lists sourced from partners
https://www.shadowserver.org/news/hello-ipv6-scanning-world/
I should also call out https://www.sixmap.io/ - who has also been doing something similar. There are also various academic papers (Sixmap has its own roots in a PhD) on how to approach the IPv6 scanning challenge.
Building a Simple HTTP Honeypot
Jon Heise walks through step by step for all you how want to get started.
https://medium.com/evilcouncil/building-a-simple-http-honeypot-3cd9540078c4
Month of PowerShell - Working with the Event Log
Joshua Wright walks through a coupled of worked examples on how to use PowerShell to do event processing for a various of Microsoft Windows sources.
https://www.sans.org/blog/working-with-event-log-part-1/
https://www.sans.org/blog/powershell-working-with-log-files/
https://www.sans.org/blog/working-with-the-event-log-part-3-accessing-message-elements/
Defence
How we proactively defend our environments.
Windows Autopatch has arrived for customers with Windows Enterprise E3 and E5 licenses
Lior Bela (HE/HIM) announces this feature which will only be a great thing for SME/SMB organisations.
What Is Autopatch? In case you missed the public preview announcement, Windows Autopatch automates updating of Windows 10/11, Microsoft Edge, and Microsoft 365 software. Essentially, Microsoft engineers use the Windows Update for Business client policies and deployment service tools on your behalf. The service creates testing rings and monitors rollouts-pausing and even rolling back changes where possible.
Fast and easy generation of IOC queries tuned for maximum performance
How to give all your indicators to a third party in a mutual value exchange.
Insert your IOCs, get queries on the fly, and drill down to hunt
SBOM Tool
I wonder if Github will automatically use this increasingly for repos where CI/CD pipelines exist? Feels like it probably should..
The SBOM tool is a highly scalable and enterprise ready tool to create SPDX 2.2 compatible SBOMs for any variety of artefacts.
The build components path is usually your source folder, we will scan this folder to search for project files like *.csproj or package.json to see what components were used to build the package. The package name and version represent the package the SBOM is describing.
https://github.com/microsoft/sbom-tool
macOS API changes
Patrick Wardle shares this nugget:
macOS malware often (ab)uses APIs such as NSCreateObjectFileImageFromMemory, NSLinkModule etc) to execute in-memory payloads. Apple has recently updated dyld3 (+these APIs), such that the in-memory payload is now first/always written out to disk
Code change:
Offense
Attack capability, techniques and tradecraft.
Persistence Information for Microsoft Windows
Grzegorz Tworek shares a catalogue of how and where you can persist on Microsoft Windows. Useful reference to hunt teams..
The repository tries to gather an information about Windows persistence mechanisms to make the protection/detection more efficient. Most of the information is well known for years, being actively used within various scenarios.
https://persistence-info.github.io/
Grzegorz Tworek shares from the above Another Windows Autorun location as an example.
Didn't described it precisely so far:
If you put 'mpnotify' value into the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, your exe will be launched by winlogon.exe when user logs on. After 30s the process will be terminated.
https://persistence-info.github.io/Data/mpnotify.html
Abusing Duo Authentication Misconfigurations in Windows and Active Directory Environments
Good overview of the gotchas from Thomas Zuk which cyber defence teams will get value from validating in their environments.
https://www.mandiant.com/resources/abusing-duo-authentication-misconfigurations
Chisel-Strike: A .NET XOR encrypted cobalt strike aggressor implementation for Chisel
Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH and this more commodity yet cyber defence headache causing capability.
A .NET XOR encrypted cobalt strike aggressor implementation for chisel to utilize faster proxy and advanced socks5 capabilities.
In my experience I found socks4/socks4a proxies quite slow in comparison to its socks5 counterparts and a lack of implementation of socks5 in most C2 frameworks. There is a C# wrapper around the go version of chisel called SharpChisel.
https://github.com/m3rcer/Chisel-Strike
Recreating an ISO Payload for Fun and No Profit
Sunggwan Choi walks through step by step. For threat actors who didn’t know how to do this in order to side step Mark of the Web (MoW), they do now.
This post contains my personal best effort to recreate the initial access payload shown in the PaloAltoNetworks Unit42's (hereinafter PAN) blog post. Specifically, the payload consists of an ISO file that contains on-disk shellcode, DLL sideloading payloads, and a LNK file to trigger the DLL sideloading.
https://blog.sunggwanchoi.com/recreating-an-iso-payload-for-fun-and-no-profit/
Vulnerability
Our attack surface.
Retbleed: Arbitrary Speculative Code Execution with Return Instructions
I’m a fan of the research COMSEC produces. COMSEC is the computer security group of the Department of Information Technology and Electrical Engineering (D-ITET) at ETH Zürich. COMSEC is led by Prof. Kaveh Razavi. Kaveh is clearly a bar raiser..
Retbleed (CVE-2022-29900 and CVE-2022-29901) is the new addition to the family of speculative execution attacks that exploit branch target injection to leak information, which we call Spectre-BTI. Unlike its siblings, who trigger harmful branch target speculation by exploiting indirect jumps or calls, Retbleed exploits return instructions. This means a great deal, since it undermines some of our current Spectre-BTI defenses.
https://comsec.ethz.ch/research/microarch/retbleed/
Footnotes
Some other small bits and bobs which might be of interest.
Digital Authoritarianism in the Middle East - A probing study of how the Gulf’s authoritarian regimes hoodwink citizens across the world in digital propaganda wars - new book is out.
NSA Publishes Guidance on Characterizing Threats, Risks to DoD Microelectronics - NSA share their insights and threat models around hardware security.
Cybersecurity Threats and Their Mitigation Approaches Using Machine Learning - A Review - dubious academic contribution here. It highlights the gap in academia as the world is significantly on from this point.
CIS Software Supply Chain Security Guide - does what it says on the tin.
The Next Generation of Info Stealers - summary of the underground eco-system around information stealers and its recent evolutions.
Who is Trickbot? - detailed overview based on all the leaks etc.
New Ransomware Groups on the Rise - a summary overview
Why organizations should (and should not) worry about KillNet - the DDoS team working in support for Russia.
That’s all folks.. until next week later this week..