

Discover more from Cyber Defence Analysis for Blue & Purple Teams
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week nothing out of the ordinary except Wagner apparently taking down the DoZor satellite provider, which serves Russian state critical infrastructure facilities.. the yin/yang of cyber continues.
In the high-level this week:
US Cyber Investment Priorities - the counter-ransomware items being the most interesting -
prioritize staff to investigate ransomware crimes and disrupt ransomware infrastructure and actors;
prioritize staff to combat the abuse of virtual currency to launder ransom payments; and
ensure participation in interagency task forces focused on cybercrime
US fiscal 2024 National Defense Authorization Act (NDAA) - requires the Defense Department to study the viability of creating a separate, uniformed Cyber Force
Australia names air force veteran as cybersecurity chief amid rise in data breaches - Air Marshal Darren Goldie, a 30-year veteran, will become the national cybersecurity coordinator, Prime Minister Anthony Albanese said.
Netherlands collapses its cyber functions into one organisation - This organization includes the National Cyber Security Center (NCSC) of the Ministry of Justice and Security (JenV), the Digital Trust Center (DTC) and the Computer Security Incident Response Team for digital service providers (CSIRT-DSP), both of the Ministry of Economic Affairs and Climate Policy (EZK).
Summary of 28 cases in China fined for violating the "Data Security Law" from 2021 to 2023 - this is what enforcement looks like in China
Irish Ministers Ryan and Smyth Launch the National Cyber Security Strategy 2019-2024 Mid-Term Review - Review sets out 18 new strategic actions to be implemented within the lifetime of the strategy. Investment in building NCSC capacity and addressing cyber security skills gap are priorities.
To pay or not to pay? Ransomware attacks are the new kidnapping - Policymakers are right that too many organisations pay, and often pay too much, when there are legitimate alternatives available.
The cyber argument for regulating AI - Senate Majority Leader Charles E. Schumer (D-N.Y.) unveiled a plan for developing rules for AI, citing issues including security risks and threats to elections.
North Korea's Hackers Prioritize Espionage Over Cryptocurrency - The Hermit Kingdom doesn’t just steal cryptocash; it steals state secrets—especially from neighbors.
EU-supported cybersecurity exercise enhances Moldova’s resilience against cyber threats - A three-day cybersecurity exercise was held from 14 to 16 June in Chișinău, to enhance the cybersecurity preparedness of governmental officials and critical service providers of Moldova.
SolarWinds CISO and CFO subject to action - the Company’s Chief Financial Officer and Chief Information Security Officer, received “Wells Notices” from the SEC staff, each in connection with the Investigation. The Wells Notices provided to these individuals each state that the SEC staff has made a preliminary determination to recommend that the SEC file a civil enforcement action against the recipients alleging violations of certain provisions of the U.S. federal securities laws.
China’s cyberspace chief raises concerns over the power of generative AI - Zhuang Rongwen, director at the Cyberspace Administration of China, wants to ensure chat bot technology is ‘reliable and controllable’ - The CAC has published a list of 41 generative AI algorithms which have been ‘registered’, a pre-screening step before being officially licensed
National Artificial Intelligence Advisory Committee Releases First Report - The report recommends steps the U.S. government can take to maximize the benefits of AI technology, while reducing its harms. This includes new steps to bolster U.S. leadership in trustworthy AI, new R&D initiatives, increased international cooperation, and efforts to support the U.S. workforce in the era of AI.
Commission welcomes political agreement on new rules to boost cybersecurity in EU institutions, bodies, offices and agencies - The key elements of the proposal for all EU institutions, bodies, offices and agencies are the following:
Have a framework for governance, risk management and control in the area of cybersecurity;
Conduct regular maturity assessments;
Implement cybersecurity measures addressing the identified risks;
Put in place a plan for improving their cybersecurity;
Share incident-related information with CERT-EU without undue delay.
Council adopts EU laws on better access to electronic evidence - E-evidence refers to digital data, such as emails, text messages and traffic data, that is used to investigate and prosecute criminal offences. The new rules will make it easier for the police and judicial authorities to obtain such evidence.
Switzerland’s Security Strategy - The war in Ukraine represents a threat with partially global implications for critical infrastructure. Critical infrastructure outside the war zone could also be affected, at least indirectly
Record numbers looking to kickstart new careers in cyber - almost half of applications come from women with more than 50% from outside London and the South East
Cyber Essentials scheme process evaluation - The most common reasons for adopting Cyber Essentials are reactive rather than proactive, risking the scheme being perceived as a “hoop to jump through” in order to fulfil contract requirements - otherwise known as commercial imperatives / incentives.
U.K. Citizen Sentenced To Five Years In Prison For Cybercrime Offenses - “PlugwalkJoe,” a U.K. citizen, was sentenced today to five years in prison for his role in a wide array of cybercrime offenses .. relating to O’Connor’s role in the July 2020 hack of Twitter, computer intrusions related to takeovers of TikTok and Snapchat user accounts, and cyberstalking two separate victims (the “NDCA Case”).
How Israel Invested in Spyware at Heart of Greek Scandal, EU Inquiry - Six years ago, the state-owned defense contractor Israel Aerospace Industries (IAI) announced it was investing millions in two promising foreign firms: One registered in the Netherlands providing “cutting-edge cybersecurity solutions,” the other registered in Hungary and focusing on “cyberintelligence” for government - , documents show the two firms - Inpedio and Cytrox - were actually set up by the same Israeli nationals that were involved in developing and then later selling the spyware known as Predator.
No reflections this week as I have been running around, but a few things I have been involved in were released this week:
RUSI State Threats Taskforce: ‘Assessing the Responses’ - the second report from the activity we took part in - was chaired by Lord Evans of Weardale.
BChecks for Burp Suite Professional got released - allows you to quickly extend the scanning engine. I went for nostalgia and implemented a check for the old Cisco level 16 vulnerability.
For Burp Suite Enterprise Edition I released an updated set of power tools for the GraphQL API.
On the interesting job/role front (thanks to those sending me these):
Developer in Amnesty Tech's Security Lab working on the Mobile Verification Toolkit
UK Policy and Partnerships Lead at OpenAI
Research Fellow - Cyber at the Royal United Services Institute in the UK
Have a lovely Friday
Ollie
Cyber threat intelligence
Who is doing what to whom and how.
Russia
Following NoName057(16) DDoSia Project’s Targets
Amaury G. and Charles M. give an overview of this capability, which is having impact in places.
The administrators of the group as well as the community are very active. They were notably observed conducting DDoS attacks against European, Ukrainian, and U.S. websites of government agencies, media, and private companies. Regularly, the group posts messages claiming successful attacks.
https://blog.sekoia.io/following-noname05716-ddosia-projects-targets/
North Korea
Lots of tactical reporting omitted this week as again there was so much. Can be found on the subreddit.
North Korea’s Cyber Strategy
Extensive summary report here of their activity, this is a wonderful bit of analysis. The scale and breadth of their operations is of note.
A quantitative analysis of 273 cyberattacks attributed to North Korean state-sponsored threat actors reveals that the regime primarily engages in cyber espionage and financial theft activities. While it has the capability to conduct disruptive or destructive cyberattacks, it rarely does so. South Korea and the United States are the most common targets, but North Korean threat actors have a global reach, targeting entities in at least 29 countries. Cryptocurrency heists are on the rise, but espionage remains the primary goal of North Korean cyberattacks.
https://www.recordedfuture.com/north-koreas-cyber-strategy
Smooth Operator
The UK’s National Cyber Security Centre provides further insight into the 3CX macOS capabilities used. Note the efforts they went to in order that their C2 traffic would blend in even if TLS interception was present.
Smooth Operator malware targets macOS.
Smooth Operator was distributed to victims as part of the 3CX supply chain attack.
The infected software package was signed by 3CX and notarized by Apple.
Malicious code inserted into a dynamic library (dylib) packaged with the 3CX software downloads and runs a second-stage payload.
HTTPS is used as a C2 channel, with an additional custom encoding algorithm used to obfuscate exfiltrated data.
Smooth Operator randomises the C2 server it communicates with. The 3CX website is included in the list of C2 Servers it can beacon to.
The observed second-stage Smooth Operator payload is lightweight and was likely meant to determine which victims to pursue with further stages. Usage of an extensive encoding mechanism for the C2 channel would make traffic appear legitimate, even if a TLS interception proxy was in use.
Kimsuky Attack Group Abusing Chrome Remote Desktop
The novelty here is the use of Chrome’s Remote Desktop feature, which I didn’t even know existed.
Recently, in a slightly upgraded form, malicious code that steals account information stored in Microsoft Edge or Naver Whale web browsers in addition to Google Chrome is being used. For reference, the malicious code was identified for the first time last year, and it is characterized by the fact that the same malicious code, not a similar type, is continuously used.
Recently, cases of exploiting Google Chrome's remote desktop function for remote control have also been confirmed.
Kimsuky using a 42.5mb .lnk file
In an attempt to avoid AV/EDR scanning. The file is on VirusTotal.
https://wezard4u.tistory.com/6482
Analysis of attack activities of APT-C-26 (Lazarus) organization using fake VNC software
Chinese reporting on North Korean activity here. The actual initial access tradecraft, whilst in part novel, is also rather basic.
The APT-C-26 organization used fake ComcastVNC malware to launch attacks. The initial sample we found was a compressed file, and once the malware was executed by the user, the BlindingCan malware was dropped to steal user information.
The first samples we captured were compressed files, which contained ISO files. However, combined with public threat intelligence, compressed files or ISO files are more likely to be delivered through social software through social engineering.
The DPRK strikes using a new variant of RUSTBUCKET
Salim Bitam, Ricardo Ungureanu, Colson Wilhoit, Seth Goodwin and Andrew Pease provide a good end-to-end understanding of the delivery used by this North Korean actor against macOS.
The RUSTBUCKET malware family is in an active development phase, adding built-in persistence and focusing on signature reduction.
REF9135 actors are continually shifting their infrastructure to evade detection and response.
The DPRK continues financially motivated attacks against cryptocurrency service providers.
https://www.elastic.co/security-labs/DPRK-strikes-using-a-new-variant-of-rustbucket
China
Nothing this week…
Iran
Charming Kitten Updates POWERSTAR with an InterPlanetary Twist
Ankur Saini and Charlie Gardner provide good insight into this Iranian threat actor’s trade-craft end to end. The rapport building is very North Korean..
[We] assess that the phishing operator was following a common playbook for phishing operations:
Establish contact with the target, posing as a real individual with an easily verifiable public profile, and build a basic rapport with the target.
The sender email resembles the personal account of the impersonated individual and uses a generally trusted webmail provider.
The initial email lacks any malicious content, and as a result there is no reason for the email to be filtered by security software or raise any concerns for the recipient.
Once the target responds, send another email asking a series of questions.
This further builds rapport and trust between the attacker and the victim.
Additionally, any answers to these questions can be used in phishing emails against third-party targets.
After a response from the target, or if they fail to respond for a period of time, send an additional email, this time containing a malicious, password-protected attachment.
Sending the password separately hinders automated attachment extraction and scanning.
PhonyC2: Revealing a New Malicious Command & Control Framework by MuddyWater
Simon Kenin got insight into the server-side source code thanks to an operational security failure on the part of the actor, which exposed a deployed .zip.
The C2 framework is custom made, continuously in development, and has been used by the MuddyWater group since at least 2021
The framework is named PhonyC2 and was used in the attack on the Technion Institute
PhonyC2 is currently used in an active PaperCut exploitation campaign by MuddyWater
PhonyC2 is similar to MuddyC3, a previous C2 framework created by MuddyWater
Unmasking GUI-Vil: Financially Motivated Cloud Threat Actor
Ian Ahl and Daniel Bohannon discuss a cloud campaign with the sole purpose of getting access to compute.
https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/
The Trickbot/Conti Crypters: Where Are They Now?
Charlotte Hammond and Ole Villadsen show what happens when cyber groups who grew up together splinter. It is almost a parallel to what happened with the first generation of cyber consultancies when they finally imploded.
ITG23-related factions, including Quantum, Royal, Zeon, and BlackBasta, continue to use many of the same crypters — plus a few new ones — with their tools and malware, highlighting the ongoing cooperation between former members of the syndicate and their continued access to wider resources available to the post-ITG23 collective.
Our research into the crypters uncovered several new malware families in use by former ITG23 members and their factions, reflecting the new relationships established with other criminal gangs over the past year.
https://securityintelligence.com/posts/trickbot-conti-crypters-where-are-they-now/
Discovery
How we find and understand the latent compromises within our environments.
Detecting Popular Cobalt Strike Malleable C2 Profile Techniques
Durgesh Sangvikar, Matthew Tennis, Chris Navarrete, Yanhui Jia, Yu Fu and Nina Smith provide some tradecraft that will be adjusted for by some threat actors.
[Our] researchers identified two Cobalt Strike Team Server instances hosted on the internet and uncovered new profiles that are not available on public repositories. We will highlight the distinct techniques attackers use to exploit the Cobalt Strike platform and circumvent signature-based detections.
We identified Team Server instances connected to the internet that host Beacon implants and provide command-and-control (C2) functionality. We have also extracted the Malleable C2 profile configuration from the Beacon binary to help us understand the various methods used to evade conventional detections.
https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2/
Using Cutting Edge ML to Detect Interesting Command Lines for Hunters
Gal Braun and Dean Langsam bring some applied data science to cyber defence in this talk.
Defence
How we proactively defend our environments.
CISA and NSA Release Joint Guidance on Defending Continuous Integration/Continuous Delivery (CI/CD) Environments
I have seen Red Teams have a lot of fun in CI/CD environments, so it is a good shout by NSA and CISA to release this guide.
The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this cybersecurity information sheet (CSI) to provide recommendations and best practices for improving defenses in cloud implementations of development, security, and operations (DevSecOps). This CSI explains how to integrate security best practices into typical software development and operations (DevOps) Continuous Integration/Continuous Delivery (CI/CD) environments, without regard for the specific tools being adapted, and leverages several forms of government guidance to collect and present proper security and privacy controls to harden CI/CD cloud deployments
Sysmon 15.0 — File executable detected
Olaf Hartong details the killer new event type to land in Sysmon 15: detect binaries written to disk.. evasions in 3..2..
This new event is called FileExecutableDetected and relies on the minifilter drivers to detect new files being written to disk. It is essentially the non-active or non-impacting counterpart to EventId 27 FileBlockExecutable. Similar to EventId 23 (FileDelete) and 26 (FileDeleteDetected).
https://medium.com/@olafhartong/sysmon-15-0-file-executable-detected-40fd64349f36
Detection, Containment, and Hardening Opportunities for Privileged Guest Operations, Anomalous Behavior, and VMCI Backdoors on Compromised VMware Hosts
Alex Marvi, Greg Blaum and Ron Craft provide some valuable detection tradecraft to detect Chinese TTPs.
we focus on the artifacts, logging options, and hardening steps to detect and prevent the following tactics and techniques seen being used by UNC3886:
Both ESXi host and guest machine level logging options for Guest Operations
vpxuser behavior indicative of anomalous usage
Identifying open VMCI ports on ESXi hosts
Multiple vCenter and ESXi containment and hardening recommendations to help deter future activity
https://www.mandiant.com/resources/blog/vmware-detection-containment-hardening
Enhancing Vulnerability Prioritization: Data-Driven Exploit Predictions with Community-Driven Insights
Jay Jacobs, Sasha Romanosky, Octavian Suciu, Benjamin Edwards and Armin Sarabi released v2 of this paper.
The Exploit Prediction Scoring System (EPSS) SIG consists of more than 170 experts from around the world and across all industries, providing crowd-sourced expertise and feedback. Based on these collective insights, we describe the design decisions and trade-offs that lead to the development of the next version of EPSS. This new machine learning model provides an 82% performance improvement over past models in distinguishing vulnerabilities that are exploited in the wild and thus may be prioritized for remediation.
https://arxiv.org/abs/2302.14172
Vulnerability
Our attack surface.
CVE-2023-26258 - Remote Code Execution in ArcServe UDP Backup
Juan Manuel Fernandez and Sean Doherty make backup administrators, CISOs, CIOs and CROs sob with this disclosure. Ever get that sinking feeling? 0days in minutes..
[We] carried out a detailed analysis of the software used to perform backups (ArcServe UDP). Within minutes of analysing the code, a critical authentication bypass was discovered that allowed access to the administration interface.
https://www.mdsec.co.uk/2023/06/cve-2023-26258-remote-code-execution-in-arcserve-udp-backup/
FortiNAC - Just a few more RCEs
Frycos shows the level of effort needed to find further pre-auth remotes.
https://frycos.github.io/vulns4free/2023/06/18/fortinac.html
Zyxel security advisory for pre-authentication command injection vulnerability in NAS products
Mirai exploitation in 3..2..
The pre-authentication command injection vulnerability in some Zyxel NAS devices could allow an unauthenticated attacker to execute some operating system (OS) commands remotely by sending a crafted HTTP request.
RowPress: Amplifying Read Disturbance in Modern DRAM Chip
Haocong Luo, Ataberk Olgun, A. Giray Yağlıkçı, Yahya Can Tuğrul, Steve Rhyner, Meryem Banu Cavlak, Joël Lindegger, Mohammad Sadrosadati and Onur Mutlu show that physics and cyber security continue to be fun and that bitflips can be achieved. It will be interesting to see if this can be exploited in practice.
We demonstrate in a real DDR4-based system with RowHammer protection that 1) a user-level program induces bitflips by leveraging RowPress while conventional RowHammer cannot do so, and 2) a memory controller that adaptively keeps the DRAM row open for a longer period of time based on access pattern can facilitate RowPress-based attacks. To prevent bitflips due to RowPress, we describe and analyze four potential mitigation techniques, including a new methodology that adapts existing RowHammer mitigation techniques to also mitigate RowPress with low additional performance overhead.
https://people.inf.ethz.ch/omutlu/pub/RowPress_isca23.pdf
Grafana authentication bypass using Azure AD OAuth
Interesting OAuth vulnerability class which I suspect will exist in other authentication use cases implemented by other applications.
Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.
https://grafana.com/security/security-advisories/cve-2023-3128/
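To make the vulnerability class concrete, here is an added Python example (not Grafana’s code, and not taken from the advisory) that contrasts linking a local account on the email claim with linking on the tenant and object identifiers Azure AD issues in its ID tokens. The claim sets, tenant ids and object ids are constructed, and token signature, issuer and audience validation are assumed to have happened upstream.

```python
"""Azure AD OAuth account linking: matching on the email claim (the weak pattern
described in the Grafana advisory) next to matching on immutable identifiers.

Added illustration, not Grafana's code. Claim sets below are constructed; token
signature/issuer/audience validation is assumed to have been done upstream."""

# Constructed ID-token claims for a legitimate admin in the tenant the app serves.
LEGIT_ADMIN = {
    "tid": "tenant-A",            # tenant id: fixed per directory
    "oid": "oid-1111",            # object id: fixed per user within a tenant
    "email": "admin@victim.example",
}

# Constructed claims for an account in an unrelated tenant. With a multi-tenant
# app any Azure AD tenant may sign in, and the profile email is free text the
# account owner controls, so it can be set to match the victim's address.
IMPOSTOR = {
    "tid": "tenant-B",
    "oid": "oid-9999",
    "email": "admin@victim.example",
}


def build_store():
    """Provision the admin once and index the account both ways so the two
    lookup strategies can be compared on the same data."""
    admin = {"login": "admin", "role": "Admin"}
    return {
        "by_email": {LEGIT_ADMIN["email"].lower(): admin},
        "by_identity": {(LEGIT_ADMIN["tid"], LEGIT_ADMIN["oid"]): admin},
    }


def login_by_email(store, claims):
    """Weak pattern: the email claim is neither verified nor unique across
    tenants, so a foreign account resolves to the victim's local user."""
    return store["by_email"].get(claims.get("email", "").lower())


def login_by_identity(store, claims, allowed_tenants):
    """Hardened pattern: key the local account on (tid, oid), which the identity
    provider keeps stable, and reject sign-ins from tenants the deployment
    does not trust."""
    tid, oid = claims.get("tid"), claims.get("oid")
    if not tid or not oid or tid not in allowed_tenants:
        return None
    return store["by_identity"].get((tid, oid))


if __name__ == "__main__":
    store = build_store()
    print("email match, impostor:", login_by_email(store, IMPOSTOR))
    print("oid match, impostor:  ", login_by_identity(store, IMPOSTOR, {"tenant-A"}))
    print("oid match, admin:     ", login_by_identity(store, LEGIT_ADMIN, {"tenant-A"}))
```

Run as-is, the email lookup hands the impostor the admin account while the identity lookup returns nothing for it; the same check against the legitimate admin still succeeds. The tenant allow-list matters on its own: even with oid-based linking, a multi-tenant app that accepts every tenant will auto-provision accounts for anyone with an Azure AD login unless provisioning is restricted.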
Offense
Attack capability, techniques and trade-craft.
Sliver Release v1.5.40
Interesting vulnerability here, which could be used by those of you with full packet capture.
This release fixes a vulnerability (CVE-2023-34758) in the Sliver Key Encapsulation Mechanism (KEM), where improper use of Nacl Box (libsodium) could allow a MitM attacker with a copy of the implant binary to recover the session key and arbitrarily encrypt/decrypt C2 messages.
https://github.com/BishopFox/sliver/releases/tag/v1.5.40
Process Mockingjay: Echoing RWX In Userland To Achieve Code Execution
Worryingly, msys-2.0.dll (in green), shipped inside Visual Studio 2022 Community, has an RWX section, until it is fixed that is. Look for loading of it..
Jormungandr
Ido Veltzman provides a capability which may be leveraged, note the mitigation of Virtualization-based security.
Jormungandr is a kernel implementation of a COFF loader, allowing kernel developers to load and execute their COFFs in the kernel. The only supported type of COFF is an x64 kernel COFF (meaning, a COFF that uses functions from either NTOSKRNL or SSDT). This project is not supported to run with VBS enabled because it is using pools with execute permissions but this project should work for any version of Windows starting from Windows 7.
https://github.com/Idov31/Jormungandr
USB Injection
Robbie Dumitru provides a capability which will be a challenge to detect.
A USB device capable of injecting upstream communications on behalf of other connected USB devices. Under the provided configurations the injector can send keystrokes on behalf of a victim keyboard device while presenting itself as a mouse device. The injector can also block genuine inputs sent by the victim.
https://github.com/0xADE1A1DE/USB-Injection
RIDS - Remote ID Spoofer
Tai Jun Jet released a capability which will be a headache for those doing counter drone operations which rely on this data.
An ESP8266/NodeMCU Drone RemoteID Spoofer.
This spawns 16 different fake drones broadcasting RemoteID, with them all flying in random directions around a particular GPS location.
https://github.com/jjshoots/RemoteIDSpoofer
Exploitation
What is being exploited.
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
Revamping Binary Analysis with Sampling and Probabilistic Inference
Zhuo Zhang’s Master’s thesis.
In this dissertation, we address the inherent uncertainty in binary analysis by developing a novel probabilistic analysis methodology, founded upon program sampling and probabilistic inference principles. Additionally, we introduce an iterative refinement architecture to enhance the effectiveness of the proposed probabilistic analysis when applicable to downstream applications. By employing the proposed methodology, we demonstrate its efficacy through three prominent binary analysis tasks: binary program dependence analysis, variable and data structure recovery, and effective and efficient binary-only fuzzing. Our methodology yields promising results in each of these tasks.
To address the challenge of binary dependence analysis, we introduce BDA, a practical and scalable technique featuring a novel unbiased whole-program path sampling algorithm and per-path abstract interpretation. Given certain assumptions, our technique provides a probabilistic guarantee for disclosing dependence relations. Experimental results demonstrate that our technique substantially advances the state-of-the-art, such as value set analysis, and improves performance.
In order to recover variables and data structures from stripped binaries, we devise a novel probabilistic analysis technique based on BDA. This technique employs random variables to denote the likelihood of recovery results, enabling the organic integration of numerous hints while considering inherent uncertainty. We develop a customized and optimized probabilistic constraint solving technique to address these constraints. Our experiments reveal that our technique significantly outperforms the state-of-the-art and enhances two downstream analyses.
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Aggregate reporting
Interestingly, as we head into summer in the northern hemisphere, none this week.
The 5×5—Cyber conflict in international relations: A scholar's perspective
Responsible Behaviour in Cyberspace: Global narratives and practice
National Cybersecurity Center of Excellence (NCCoE) Cybersecurity for the Water and Wastewater Sector: A Practical Reference Design for Mitigating Cyber Risk in Water and Wastewater Systems
Conference material
Papers of the 15th International Conference on Cyber Conflict (CyCon 2023): Meeting Reality
Conference Program / 35th Annual FIRST Conference - slide materials in a lot of cases are a click behind the talk titles
Events etc.
This newsletter is produced by BinaryFirefly; it is via BinaryFirefly that I support a hand-picked set of organisations across investment, strategy and capability in the domain of cyber.
For sponsorship enquiries regarding Bluepurple or anything else contact hello@binaryfirefly.com.