Bluepurple Pulse: week ending July 24th
Busy week of Russia/Ukraine reporting..
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading).
Operationally, this week's reporting on two campaigns (one historic) using web browser zero-days should be of concern - technical details are below - one of them attributed to a “North East Asian” threat actor. The other originated from a commercial outfit and so was potentially available to numerous customers.
In the high-level this week:
Announcement of White House National Cyber Workforce and Education Summit - US held a high-level summit on what they are going to do about their 700,000 open cybersecurity positions. Whilst here in the UK the government released its Mapping informal cyber security initiatives for young people aged 5-19.
China’s new spy army has invaded — and we’re not fighting back - warnings from the US’s FBI and UK’s MI5, includes a high-level analysis of cyber operations including these killer stats - FBI believes that China has about 30,000 military cyberspies and 150,000 informal hackers it can call on, and is nurturing a new generation of “patriotic hackers” to target futuristic technologies in which China wants to lead the world - in the great words of Ben Kenobi that is no moon!
Chinese cyber operations resulted in the Belgian government issuing a
Russian cyber operations resulted in Declaration by the High Representative on behalf of the European Union on malicious cyber activities conducted by hackers and hacker groups in the context of Russia’s aggression against Ukraine
Is It Possible to Reconcile Encryption and Child Safety? - from the UK’s National Cyber Security Centre and GCHQ. Along with it is a paper which is intended to encourage debate around privacy and total security trade-offs.
Japan and Australia strengthen cooperation on telecommunications resilience and somewhat related U.S. needs $3 billion more to remove Huawei, ZTE from U.S. networks.
House panel's bill would block U.S. buyers of foreign spyware - designed to stem the proliferation / funding of foreign spyware that may then latterly be used against US and ally targets. The irony that federal funds went to NSO which was then used to target the US is likely not lost on USG.
Hacktivist Group Reveals Identities Of Several Iran Revolutionary Group Hackers - turns out two companies "Naji Technology" and "Afkar System" were their employers.
Google published Transparency in the Shadowy World of Cyberattacks - adapted from remarks delivered by Kent Walker, President of Global Affairs, at the International Conference on Cyber Security - “we believe cybersecurity is one of the most important issues we face.”
Mapping Major Milestones in the Evolution of North Korea’s Cyber Program -
This week no reflections from me as coming back from vacation has meant the inevitable fire hose. Instead you get two videos on Russia / Ukraine.
The first is by ‘the grugq’ on the ‘The Dynamics of Russian Cyberwar’
The second is a moderately titled piece from CNBC titled ‘Could Russia’s war on Ukraine escalate into a global cyberwar?’
Have a lovely Friday,
Ollie
Cyber threat intelligence
Who is doing what to whom and how.
Ukraine/Russia
After a little lull in public reporting we have had a resurgence this week.
Russian APT29 Hackers Use Online Storage Services, DropBox and Google Drive
Mike Harbison and Peter Renals discuss a campaign which used largely commodity capability against government targets. The use of third-party services for data exfiltration is well understood by offensive actors, nation states and commercial Red Teams alike.
The most recent campaigns by this actor provided a lure of an agenda for an upcoming meeting with an ambassador. These campaigns are believed to have targeted several Western diplomatic missions between May and June 2022. The lures included in these campaigns suggest targeting of a foreign embassy in Portugal as well as a foreign embassy in Brazil. In both cases, the phishing documents contained a link to a malicious HTML file (EnvyScout) that served as a dropper for additional malicious files in the target network, including a Cobalt Strike payload.
https://unit42.paloaltonetworks.com/cloaked-ursa-online-storage-services-campaigns/
Evacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities
Details emerging of the malicious documents used to gain initial access by two groups working for aligned but different governments.
The intrusion attempts detailed below share a tactic, however they are the work of two separate cyber espionage groups.
UNC1151 is a group [we] assesses are sponsored by Belarus and have frequently used the access and information gained by their intrusions to support information operations tracked as “Ghostwriter.” Mandiant released a blog last year detailing our assessments on UNC1151, and they have continued to be very active in targeting Ukraine since the start of the Russian invasion, paralleling Belarus’s government’s enablement of Russia’s invasion.
UNC2589 is believed to act in support of Russian government interest and has been conducting extensive espionage collection in Ukraine. Notably, we assess UNC2589 is behind the January 14th disruptive attacks on Ukrainian entities with PAYWIPE (WHISPERGATE). Following the disruptive attack, UNC2589 has primarily targeted Ukraine, but has also been active against NATO member states in North America and Europe.
https://www.mandiant.com/resources/spear-phish-ukrainian-entities
Cyber National Mission Force discloses IOCs from Ukrainian networks
USG then released all of the indicators for these campaigns.
Continued cyber activity in Eastern Europe
Billy Leonard gives a summary overview of the activity they have seen related to the conflict. The Android malware aspects are arguably the most novel. We have historically seen a lot of this tradecraft in South Asia and the Middle East but, as Billy notes, not historically from Russia.
Turla, a group publicly attributed to Russia’s Federal Security Service (FSB), recently hosted Android apps on a domain spoofing the Ukrainian Azov Regiment. This is the first known instance of Turla distributing Android-related malware. The apps were not distributed through the Google Play Store, but hosted on a domain controlled by the actor and disseminated via links on third party messaging services. We believe there was no major impact on Android users and that the number of installs was miniscule.
Attackers target Ukraine using GoMet backdoor
Jaeson Schultz documents the reuse of malware previously seen in 2020 in the F5 BIG-IP hacks. The implication that this might be another supply chain attack in the making is interesting for all the obvious reasons.
Working jointly with Ukrainian organizations, [we have] discovered a fairly uncommon piece of malware targeting Ukraine — this time aimed at a large software development company whose software is used in various state organizations within Ukraine. We believe that this campaign is likely sourced by Russian state-sponsored actors or those acting in their interests. As this firm is involved in software development, we cannot ignore the possibility that the perpetrating threat actor's intent was to gain access to source a supply chain-style attack, though at this time we do not have any evidence that they were successful
https://blog.talosintelligence.com/2022/07/attackers-target-ukraine-using-gomet.html
Ghostwriter - Development of UNC1151 / Ghostwriter group attack techniques
Polish reporting on this Belarusian state-aligned actor. The interesting thing to note here is the “Browser in the Browser” technique. It is devastating; I had the fortune of seeing a Red Team use it to devastating effect.
As our observations show, despite the passage of time, the activity of this group has not decreased, and the techniques they use are constantly changing. Recently, we have observed the use of the Browser in the Browser technique . This technique can be extremely dangerous and easy to overlook.
One of the most commonly used methods of attack by the UNC1151 group is sending phishing emails, which are designed to obtain login details to mailboxes. The hijacked mailboxes are then searched to gain access to sensitive documents and used to hijack associated social media accounts and spread disinformation.
https://cert.pl/posts/2022/07/techniki-unc1151/
Abused Slack Service: Analysis of APT29's Attack on Italy
Chinese reporting on this Russian state actor, showing that “friends” have no problem outing each other's cyber operations. Slack as the C2 is the thing of note here. It is lovely to see the full attack chain was also identified and disclosed.
Recently, [we] captured the EnvyScout attack sample in daily threat hunting. The ISO file dropped by the sample contains an LNK file and PE files with the hidden attribute set; the legitimate EXE in it is started through the LNK file, which in turn executes the malicious DLL by sideloading. The malicious DLL uses the team collaboration service Slack as a C&C channel to obtain subsequent payloads and execute them.
…
Foreign security researchers further discovered phishing emails and PDF lure documents related to the EnvyScout attack sample. Both the email and the PDF are in Italian, and the content is a notification requiring agency personnel to complete COVID-19 vaccination. The phishing email is disguised using an Italian government domain name, so it can be assumed that the target of this attack is located in Italy. Combined with the analysis of related samples, we found that the campaign started at least in mid-June.
The Trojan Horse Malware & Password “Cracking” Ecosystem Targeting Industrial Operators
Sam Hanson shows that a threat actor is applying some psychology to their cyber operations. I suspect, like me, a number of you have been in a situation where you have lost a password/encryption key and end up thrashing around looking for tools to provide a solution. Well it appears nightmares do come true..
Multiple accounts across a variety of social media websites are advertising Programmable Logic Controller (PLC), Human-Machine Interface (HMI), and project file password cracking software. Buyers can retrieve forgotten passwords by running an executable provided by the seller that targets a specific industrial system.
Troy called in [us] to reverse engineer the password “cracking” software and determined it did not crack the password at all, rather, it exploited a vulnerability in the firmware which allowed it to retrieve the password on command. Further, the software was a malware dropper, infecting the machine with the Sality malware and turning the host into a peer in Sality’s peer-to-peer botnet.
Lightning Framework: New Undetected “Swiss Army Knife” Linux Malware
Ryan Robinson documents a sophisticated implant framework for Linux which is going to raise an eyebrow or two. Modular frameworks such as this tend to hint at nation state, but time will tell.
The framework consists of a downloader and core module, with a number of plugins.
The framework has both passive and active capabilities for communication with the threat actor, including opening up SSH on an infected machine, and a polymorphic malleable command and control configuration.
https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/
Ongoing Roaming Mantis smishing campaign targeting France
Chinese organised crime going after French targets.. learning from their Russian “friends”.
Observed modus operandi during the ongoing campaign targeting French mobile phone users is congruent with past observed Roaming Mantis’ activities documented by multiple security vendors. The campaigns distributing MoqHao in Japan, South Korea, Taiwan, Germany, France, the UK and the US, have similar techniques. Our investigation shows that this campaign widely impacts France and possibly results in around 70,000 Android device compromises.
MoqHao (aka Wroba, XLoader for Android) is an Android Remote Access Trojan (RAT) with information-stealing and backdoor capabilities that likely spreads via SMS. It is attributed to Roaming Mantis, assessed to be a financially motivated Chinese threat group.
https://blog.sekoia.io/ongoing-roaming-mantis-smishing-campaign-targeting-france/
A look at the CloudMensis macOS spyware
Marc-Etienne M.Léveillé documents a macOS implant this time which is using SaaS as its C2.
[We] discovered a previously unknown macOS backdoor that spies on users of the compromised Mac and exclusively uses public cloud storage services to communicate back and forth with its operators. Following analysis, we named it CloudMensis. Its capabilities clearly show that the intent of its operators is to gather information from the victims’ Macs by exfiltrating documents, keystrokes, and screen captures.
We still do not know how victims are initially compromised by this threat. However, we understand that when code execution and administrative privileges are gained, what follows is a two-stage process (see Figure 1), where the first stage downloads and executes the more featureful second stage. Interestingly, this first-stage malware retrieves its next stage from a cloud storage provider.
https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-cloudmensis-macos-spyware/
Analysis of a trojanized jQuery script: GootLoader unleashed
Sasja Reynaert provides a detailed technical analysis of a web-based loader service used by various criminal groups to get their implants down on to hosts. Note the level of end-to-end sophistication here. This isn’t someone’s first rodeo, and the fact this is a criminal operation (as opposed to state) should be noted in the context of our ability to stem it.
In this blog post, we will perform a deep analysis into GootLoader, malware which is known to deliver several types of payloads, such as Kronos trojan, REvil, IcedID, GootKit payloads and in this case Cobalt Strike.
In our analysis we’ll be using the initial malware sample itself together with some malware artefacts from the system it was executed on. The malicious JavaScript code is hiding within a jQuery JavaScript Library and contains about 287kb of data and consists of almost 11,000 lines of code.
The analysis of the trojanized jQuery JavaScript confirms the initial analysis of the artifacts collected from the infected machine and confirms that the trojanized jQuery contains malicious obfuscated code to download a payload from the Internet. This payload is designed to filelessly, and with boot-persistence, instantiate a Cobalt Strike beacon.
https://blog.nviso.eu/2022/07/20/analysis-of-a-trojanized-jquery-script-gootloader-unleashed/
Confirmed a campaign to infect Red Line Stealer from a fake site
Japanese reporting outlining a regional version of what we have seen in the west. Watering hole attacks are used to push the fake browser updates.
From a fake update prompt disguised as the Chrome browser, we have confirmed in Japan an attack that attempts to infect victims with RedLine Stealer, a type of information-stealing malware. If you download and execute the fake update file, you may be infected with malware.
Around April 2022, we confirmed a case where some Japanese sites (JP domain) that appeared to have been tampered with were redirecting to a site distributing RedLine Stealer. If you accidentally download and execute a fake update file from a fake update prompt disguised as Chrome, you may be infected with malware and have your information stolen.
Luna Moth
Two bits of reporting on this threat actor this week.
The Actors Behind the Recent False Subscription Scams
Oren Biderman, Tomer Lahiyani and Noam Lifshitz outline
Over the last few months, [our] Incident Response team has been methodically tracking the 'Luna Moth' ransom group. Their modus-operandi resembles scammers, with the twist of corporate data theft, leveraging the threat of publication to demand millions of dollars in ransom.
KEY POINTS
[We have] identified a relatively new threat group, which has been operating since the end of March 2022. [we] refer to this threat actor as 'Luna Moth' or TG2729.
'Luna Moth' focuses on Data Breach extortion attacks, threatening to leak stolen information if the demanded ransom is not paid.
The initial compromise is achieved by deceiving victims in a phishing campaign under the theme of Zoho MasterClass and Duolingo subscriptions, leading to the installation of an initial tool on the compromised host.
The group uses commercial remote administration tools (RATs) and publicly available tools to operate on compromised devices and maintain persistency, demonstrating once more the simplicity and effectiveness of ransom attacks.
The group acts and operates in an opportunistic way: even if there are no assets or devices to compromise in the network, they exfiltrate any data that is accessible; this emphasizes the importance of managing sensitive corporate information.
https://blog.sygnia.co/luna-moth-false-subscription-scams
Report on Luna and Black Basta ransomware
Marc Rivero, Jornt van der Wiel and Dmitry Galov touch on the same family in a little less detail.
As one can see from the advertisement, the malware is written in Rust and runs on Windows, Linux and ESXi systems.
Luna confirms the trend for cross-platform ransomware: current ransomware gangs rely heavily on languages like Golang and Rust.
https://securelist.com/luna-black-basta-ransomware/106950/
Discovery
How we find and understand the latent compromises within our environments.
Russian Ransomware C2 Network Discovered in Censys Data
This is a big advert for Censys to US Federal customers, but a good end-to-end walkthrough of the tradecraft.
On or about 24 June 2022, out of over 4.7 million hosts Censys observed in Russia, Censys discovered two Russian hosts containing an exploitation tool, Metasploit, and Command and Control (C2) tool, Deimos C2. Historical analysis indicated one of these Russian hosts also used the tool PoshC2. These tools allow penetration testers and hackers to gain access to and manage target hosts.
Censys then used details from the PoshC2 certificate to locate, among hosts elsewhere in the world including the US, two additional Russian hosts also using the PoshC2 certificate. Censys data showed these two Russian hosts possessing confirmed malware packages, one of which included a ransomware kit and a file that indicated two additional Russian Bitcoin hosts.
Additionally, Censys located a host in Ohio also possessing the Deimos C2 tool discovered on the initial Russian host and, leveraging historical analysis, discovered that the Ohio host possessed a malware package with software similarities to the Russian ransomware hosts possessing PoshC2 mentioned above, in October 2021.
Hunting for APT Abuse of Exchange
Lina Lau provides some practical threat hunting methodology for those of you lucky enough to still be tasked with defending on-premises Microsoft Exchange.
I’m going to show you specifically some key areas you can focus on when hunting for malicious behaviour. This guide will not cover the entire attack map of what happens in an APT case where Exchange is abused, it will only cover key areas to hunt on Exchange.
https://www.inversecos.com/2022/07/hunting-for-apt-abuse-of-exchange.html
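One of the hunts this kind of guide points you at is web shell activity in the IIS logs, so here is an added example of that check in Python (my own illustration, not code from the post). It parses W3C-format IIS log lines using the #Fields header and flags requests to .aspx files in directories where Exchange web shells have commonly been dropped that are not on a known-good allow-list. The allow-list, the drop directories and the log lines are constructed for illustration; build the real allow-list from a known-good server of your own version.

```python
"""Hunt for web shell activity in IIS logs from an on-premises Exchange server.

Heuristic: the .aspx pages Exchange legitimately serves from /owa/auth/ and
/ecp/auth/ are a small, known set, and /aspnet_client/ holds no .aspx at all.
A request (especially a POST) to an .aspx in those directories that is not on
the allow-list is a strong web shell indicator.
"""
from dataclasses import dataclass

# Directories in which web shells have commonly been dropped on Exchange servers.
SHELL_DROP_DIRS = ("/owa/auth/", "/ecp/auth/", "/aspnet_client/")
# Illustrative allow-list (assumption): derive the real one from a known-good server.
KNOWN_GOOD = {"/owa/auth/logon.aspx", "/owa/auth/logoff.aspx", "/owa/auth/errorfe.aspx"}

# Constructed sample log in IIS W3C extended format (not real data).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-07-20 09:14:02 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.test/owa/ 443 - 10.0.1.23 Mozilla/5.0 200
2022-07-20 09:14:09 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 10.0.1.23 Mozilla/5.0 302
2022-07-20 09:14:10 10.0.0.5 GET /owa/auth/15.1.2375/themes/resources/favicon.ico - 443 - 10.0.1.23 Mozilla/5.0 200
2022-07-20 11:02:13 10.0.0.5 POST /owa/auth/Current/themes/resources/logo.aspx - 443 - 198.51.100.7 python-requests/2.28 200
2022-07-20 11:02:15 10.0.0.5 POST /aspnet_client/system_web/log.aspx cmd=whoami 443 - 198.51.100.7 python-requests/2.28 200
"""


@dataclass
class Finding:
    client_ip: str
    uri: str
    method: str
    reason: str


def parse_w3c(log_text):
    """Yield one dict per log row, keyed by the names in the #Fields header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):   # malformed or truncated row; skip it
            continue
        yield dict(zip(fields, parts))


def hunt(log_text):
    """Return Findings for requests to unknown .aspx files in web shell drop directories."""
    findings = []
    for row in parse_w3c(log_text):
        uri = row["cs-uri-stem"].lower()
        method = row["cs-method"].upper()
        if not uri.endswith(".aspx"):
            continue
        if not any(uri.startswith(d) for d in SHELL_DROP_DIRS):
            continue
        if uri in KNOWN_GOOD:
            continue
        reason = "unknown .aspx in web shell drop directory"
        if method == "POST":
            reason = "POST to " + reason   # command execution against a shell is almost always a POST
        findings.append(Finding(row["c-ip"], row["cs-uri-stem"], method, reason))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.client_ip} {f.method} {f.uri}: {f.reason}")
```

Run over real logs, the two lines from 198.51.100.7 are the kind of hit you then pivot on: pull the file from disk, check its creation time against the first request to it, and look for the same client IP across the other Exchange virtual directories.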
Threat Hunting Series
Kostas from the DFIR Report gives us his threat hunting series - thank you Kostas!
Part 1: https://kostas-ts.medium.com/threat-hunting-series-the-basics-cccadac830c6
Part 2: https://kostas-ts.medium.com/threat-hunting-series-what-makes-a-good-threat-hunter-e2b1d0d07e8c
Part 3: https://kostas-ts.medium.com/threat-hunting-series-the-threat-hunting-process-f76583f2475b
Defence
How we proactively defend our environments.
Establish security boundaries in your on-prem AD and Azure environment
Jonas Bülow Knudsen provides useful defence in depth tradecraft for those dealing with sprawling AD forests. AD can really be a jungle (dad jokes are free btw).
This blog post provides a high-level explanation of how to implement security boundaries in an on-prem AD and Azure environment to protect your critical assets based on the principle of tiered administration, including how BloodHound Enterprise can help you in the process. Finally, we will cover how to organize your AD objects and Azure resources in a structure that reflects your security boundaries.
Cross-tenant access settings for secure collaboration now generally available in Azure
Robin Goldstein outlines why a world of federated cloud identity is coming and the value it provides.
Analyzing Penetration-Testing Tools That Threat Actors Use to Breach Systems and Steal Data
Joelson Soares, Buddy Tancio, Erika Mendoza, Jessie Prevost and Nusrath Iqra provide an end-to-end analysis of various pentesting tools used by criminal actors and the attack chains to aid those of you tasked with detection.
We uncovered two Python tools, Impacket and Responder, in our latest investigation. While the two are not new, they are nonetheless worth noting since both are normally used for penetration testing. Knowing that cybercriminals often upgrade their tactics, techniques, and procedures (TTPs) to broaden their scope and stay competitive, system defenders these days have come to expect attackers’ crafty use of legitimate tools for nefarious ends.
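Responder's bread and butter is answering LLMNR queries for names nobody owns, which also makes it cheap to detect: ask for a name that does not exist and see who answers. Below is an added example in Python (mine, not from the Trend Micro report) that builds an LLMNR canary query, sends it to the multicast group, and parses any reply; the canary hostname and the sample reply bytes are constructed. LLMNR reuses the DNS wire format (RFC 4795), which is all the parser relies on.

```python
"""Detect an LLMNR poisoner (e.g. Responder) with a canary query.

LLMNR (RFC 4795) reuses the DNS message format over UDP port 5355 sent to the
multicast group 224.0.0.252; answers come back unicast. Nobody owns the canary
name below, so any answer at all means a host on the segment is answering for
names it does not own.
"""
import random
import socket
import struct

LLMNR_GROUP = "224.0.0.252"
LLMNR_PORT = 5355
CANARY_NAME = "wpad-canary-7f3a"   # assumption: a name that exists nowhere on the network


def encode_name(name):
    """DNS label encoding: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def skip_name(data, off):
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        ln = data[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:        # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + ln


def build_query(name, txid):
    """Standard query, QDCOUNT=1, type A, class IN."""
    header = struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", 1, 1)


def build_answer(txid, name, ip, ttl=30):
    """Construct the reply a poisoner would send (offline sample data for this example)."""
    header = struct.pack(">HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack(">HH", 1, 1)
    rr = encode_name(name) + struct.pack(">HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + rr


def parse_response(data, expected_txid):
    """Return the IPv4 addresses in the answer section, or [] if this is not a matching response."""
    if len(data) < 12:
        return []
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if txid != expected_txid or not flags & 0x8000 or an == 0:
        return []
    off = 12
    for _ in range(qd):                       # skip the echoed question section
        off = skip_name(data, off) + 4
    answers = []
    for _ in range(an):
        off = skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return answers


def probe(timeout=2.0):
    """Send the canary and return [(responder_ip, [answers])] for every host that replies."""
    txid = random.randrange(0, 0xFFFF)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    hits = []
    try:
        sock.sendto(build_query(CANARY_NAME, txid), (LLMNR_GROUP, LLMNR_PORT))
        while True:
            data, (src, _port) = sock.recvfrom(512)
            answers = parse_response(data, txid)
            if answers:                       # any answer to a non-existent name is a poisoner
                hits.append((src, answers))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return hits


if __name__ == "__main__":
    for src, answers in probe():
        print(f"LLMNR poisoner at {src} answered {CANARY_NAME} with {answers}")
```

Run it from a few VLANs on a schedule; a legitimate network returns nothing, and the source address of any answer is the host running the poisoner (Responder typically answers with its own address so it can capture the authentication that follows).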
Offense
Attack capability, techniques and tradecraft.
PlugX DLL Side-Loading Technique
Chinese DLL side-loading technique used against Microsoft Windows, documented in glorious detail.
CobaltStrike Malleable PE - from China with Love
Chinese tutorial on CobaltStrike malleable PE profiles which might help a defender or two detect Chinese misuse.
Malleable PE literally translates as “extensible PE”. Generally speaking, when doing evasion work many students only make the Loader evade AV and do not consider making the beacon itself evasive, so a lot of AV/EDR memory protection can detect and kill the default beacon. The C2 profile provides a good way to manipulate the beacon. A C2 profile can not only customise the beacon’s communication properties (such as URI, headers, etc.), but also manipulate the beacon itself so as to achieve evasion.
AddExeImport
Matthew shows how to add a hardcoded DLL dependency to any EXE on Windows to facilitate persistence.
https://www.x86matthew.com/view_post?id=add_exe_import
Subdomain Discovery Through RNN (Recurrent Neural Network)
Applying machine learning to attack surface discovery.
https://phoenix-sec.io/2022/07/12/RNN-Subdomain-Discovery.html
MS-Interloper: On the Subject of Malicious MSIs
Walkthrough of this offensive technique, i.e. how to build and use malicious MSIs.
https://notes.huskyhacks.dev/notes/ms-interloper-on-the-subject-of-malicious-msis
NiCOFF: COFF and BOF (Beacon Object File) Loader written in Nim
Complicating the detection strategies.
https://github.com/frkngksl/NiCOFF
Vulnerability
Our attack surface.
CVE-2022-30333 - UnRAR directory traversal vulnerability
https://attackerkb.com/topics/RCa4EIZdbZ/cve-2022-30333/rapid7-analysis
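As an added illustration of the bug class this CVE belongs to (my code, not UnRAR's): one common shape of archive directory traversal is a check that runs before the extractor converts Windows-style backslashes to forward slashes, so an entry named `..\..\etc/passwd` passes the check and is written outside the destination. The pair below shows that ordering next to a hardened version that normalises first, resolves the final path, and checks containment. Whether this is exactly UnRAR's code path is not something this page establishes; treat the vulnerable function as a model of the class.

```python
"""Archive-entry path validation: a check that normalises separators after
validating (vulnerable) beside one that resolves the final path first (safe).

Illustrative code for the traversal bug class, not UnRAR's implementation.
"""
import os


def vulnerable_target(dest_dir, entry_name):
    """Bug: validation inspects the raw name; separator conversion happens afterwards."""
    if entry_name.startswith("/") or "../" in entry_name:
        raise ValueError(f"traversal rejected: {entry_name!r}")
    converted = entry_name.replace("\\", "/")      # ..\..\x becomes ../../x here, too late
    return os.path.join(dest_dir, converted)


def safe_target(dest_dir, entry_name):
    """Normalise every separator variant, resolve symlinks and '..', then check containment."""
    converted = entry_name.replace("\\", "/")
    dest_real = os.path.realpath(dest_dir)
    # realpath also follows any symlink a previous entry planted inside dest_dir,
    # so the link-then-write variant of this attack is caught as well.
    candidate = os.path.realpath(os.path.join(dest_real, converted))
    if os.path.commonpath([dest_real, candidate]) != dest_real:
        raise ValueError(f"traversal rejected: {entry_name!r}")
    return candidate


def escapes(dest_dir, path):
    """True if path, once resolved, lies outside dest_dir."""
    dest_real = os.path.realpath(dest_dir)
    return os.path.commonpath([dest_real, os.path.realpath(path)]) != dest_real


if __name__ == "__main__":
    dest = "/tmp/extract"                           # assumed destination directory
    for name in ["docs/readme.txt", "../x", "..\\..\\etc/passwd", "/etc/passwd"]:
        for fn in (vulnerable_target, safe_target):
            try:
                out = fn(dest, name)
                print(f"{fn.__name__:18} {name!r:24} -> {out} escapes={escapes(dest, out)}")
            except ValueError as e:
                print(f"{fn.__name__:18} {name!r:24} -> {e}")
```

The takeaway for anyone writing or reviewing an extractor: validate the path the write will actually use, after every transformation, and check containment by resolving against the real destination rather than by looking for substrings.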
CVE-2022-2185 - Gitlab Project Import RCE Analysis
https://starlabs.sg/blog/2022/07-gitlab-project-import-rce-analysis-cve-2022-2185/
Multiple Atlassian Vulnerabilities
CVE-2022-26136 and CVE-2022-26137
Exploitation
What is being exploited.
ShadowTiger: The Tiger of the Forest on Foyan Mountain
Chinese reporting on a multi-year browser 0-day campaign. Significant IoCs released from across the previous years. I suspect Kaspersky will now follow up on this in English. The implication from the reporting is it might be Japan (I don’t know who else a Northeast Asia APT Organisation might be otherwise)..
Update after publication: Could be Korea / Dark Hotel - I should get an Atlas (didn’t realise it was so North).
Tracked under the code name APT-Q-11, we have maintained high-intensity tracking of this gang for several years. The gang used multiple browser 0-day vulnerabilities in the three years from 2019 to 2021, and a variety of attack methods to infiltrate targets; the attack methods captured by the Qi Anxin big data platform are as follows:
Common spear phishing
Browser 0day + spear mail
Intranet watering hole attack
Intranet 0day lateral movement
The Return of Candiru: Zero-days in the Middle East
Jan Vojtěšek outs a campaign using capability from the Israeli commercial spyware provider Candiru. Some capability at that as well..
We recently discovered a zero-day vulnerability in Google Chrome (CVE-2022-2294) when it was exploited in the wild in an attempt to attack Avast users in the Middle East. Specifically, a large portion of the attacks took place in Lebanon, where journalists were among the targeted parties. The vulnerability was a memory corruption in WebRTC that was abused to achieve shellcode execution in Chrome’s renderer process. We reported this vulnerability to Google, who patched it on July 4, 2022.
We’ve seen it return with an updated toolset in March 2022, targeting Avast users located in Lebanon, Turkey, Yemen, and Palestine via watering hole attacks using zero-day exploits for Google Chrome. We believe the attacks were highly targeted.
https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/
Digium Phones Under Attack: Insight Into the Web Shell Implant
Lee Wei, Yang Ji, Muhammad Umer Khan and Wenjun Hu show that IoT devices continue to be targeted and this time it is VoIP phones. The ability for threat actors to flip around disclosed vulnerabilities and exploit at scale should be noted.
In November 2020, the INJ3CTOR3 operation targeted the Sangoma PBX, a popular VoIP PBX system, by installing a web shell on its web server. Recently, [we] observed another operation that targets the Elastix system used in Digium phones. The attacker implants a web shell to exfiltrate data by downloading and executing additional payloads inside the target's Digium phone software (a FreePBX module written in PHP). In terms of the timeline, the web shell appears to be correlated to the remote code execution (RCE) vulnerability CVE-2021-45461 in the Rest Phone Apps (restapps) module.
As of this writing, we have witnessed more than 500,000 unique malware samples of this family over the period spanning from late December 2021 till the end of March 2022. The malware installs multilayer obfuscated PHP backdoors to the web server's file system, downloads new payloads for execution and schedules recurring tasks to re-infect the host system.
https://unit42.paloaltonetworks.com/digium-phones-web-shell/
Account hijacking using "dirty dancing" in sign-in OAuth-flows
Frans Rosén outlines a real-world exploitation technique which is almightily painful in a federated identity web world. Finding all of these are going to be a total 🐷.
TL;DR Combining response-type switching, invalid state and redirect-uri quirks using OAuth, with third-party javascript-inclusions has multiple vulnerable scenarios where authorization codes or tokens could leak to an attacker. This could be used in attacks for single-click account takeovers.
https://labs.detectify.com/2022/07/06/account-hijacking-using-dirty-dancing-in-sign-in-oauth-flows/
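The three ingredients above each have a straightforward server-side counter: the authorization server only honours exact-match registered redirect URIs and only the response types the client registered for, and the client treats state as a mandatory single-use value bound to the request it issued. The added example below (my own, not from the Detectify post) models both halves with constructed client registrations and URLs; the fragment-based leak the post describes is cut off at the source when response_type=token is simply refused for a code-only client.

```python
"""Authorization-code flow hardened against response-type switching, invalid
state and redirect_uri quirks. Constructed registry and URLs, for illustration."""
import secrets
from urllib.parse import urlsplit, parse_qs, urlencode


class OAuthError(Exception):
    pass


class AuthorizationServer:
    def __init__(self, clients):
        # client_id -> (set of registered redirect URIs, set of allowed response types)
        self.clients = clients

    def authorize(self, client_id, redirect_uri, response_type, state):
        """Validate an authorization request; return the URL the browser is redirected to."""
        reg = self.clients.get(client_id)
        if reg is None:
            raise OAuthError("unknown client")
        redirects, response_types = reg
        # Exact string match: no prefix matching, no path normalisation, no extra query.
        if redirect_uri not in redirects:
            raise OAuthError(f"redirect_uri not registered: {redirect_uri}")
        # A code-only client never receives tokens in a fragment, so switching
        # response_type to 'token' (or 'code token') fails here.
        if response_type not in response_types:
            raise OAuthError(f"response_type not allowed for client: {response_type}")
        if not state:
            raise OAuthError("state is required")
        code = secrets.token_urlsafe(16)
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"


class Client:
    def __init__(self, registered_redirect):
        self.registered_redirect = registered_redirect
        self._pending = set()          # unconsumed state values this client issued

    def begin(self):
        # Fresh, unguessable state per request (bound to the user session in a real app).
        state = secrets.token_urlsafe(32)
        self._pending.add(state)
        return state

    def handle_callback(self, url):
        """Return the authorization code, or raise if the callback is not one we can trust."""
        parts = urlsplit(url)
        arrived_at = f"{parts.scheme}://{parts.netloc}{parts.path}"
        # The callback must land on exactly the registered endpoint, not /callback/../x
        # or some other page of ours that happens to load third-party scripts.
        if arrived_at != self.registered_redirect:
            raise OAuthError(f"callback at unexpected URL: {arrived_at}")
        query = parse_qs(parts.query)
        state = query.get("state", [None])[0]
        if state is None or state not in self._pending:
            raise OAuthError("missing, unknown or replayed state")
        self._pending.discard(state)   # single use
        if "error" in query:
            raise OAuthError(f"authorization server error: {query['error'][0]}")
        code = query.get("code", [None])[0]
        if not code:
            raise OAuthError("no authorization code in callback")
        return code


# Constructed registration: one exact redirect URI, code flow only.
REDIRECT = "https://app.example.test/callback"
AS = AuthorizationServer({"app-1": ({REDIRECT}, {"code"})})


def demo_flow():
    """Run one legitimate round trip and return the code the client accepted."""
    client = Client(REDIRECT)
    state = client.begin()
    location = AS.authorize("app-1", REDIRECT, "code", state)
    return client.handle_callback(location)


if __name__ == "__main__":
    print("accepted code:", demo_flow())
```

The client-side check on the arrival URL matters because the post's leaks happen on pages that were never meant to receive codes: an attacker coaxes the server into redirecting to a sibling path or a page with third-party JavaScript, and that script reads the credential out of the URL.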
Tooling and Techniques
Low level tooling for attack and defence researchers.
Footnotes
Some other small bits and bobs which might be of interest.
The Threat Report: Summer 2022 - “Cobalt Strike was the malware tool used in 32% of top-10 U.S. ransomware queries in Q1 2022, reaching a prevalence equal to RCLONE (12%), BloodHound (10%), and Bazar Loader (10%) combined” - yee ha!
APT41: A Case Study - a Chinese state team who appear they might have been conducting their own off hours operations - “APT41 stands out due to its prolific use of non-public malware outside of working hours.”
Civilian Cyber Workers in the U.S. Department of Defense - Demographics, Retention, and Responsiveness to Training Opportunities - paid for paper which provides some obvious conclusions
Assess Russia’s Cyber Performance Without Repeating Its Past Mistakes - a long read by Gavin Wilde, a senior fellow in the Technology and International Affairs Program at the Carnegie Endowment for International Peace.
Cyber Criminals Create Fraudulent Cryptocurrency Investment Applications to Defraud US Investors - “The FBI is warning financial institutions and investors about cyber criminals creating fraudulent cryptocurrency investment applications (apps) to defraud cryptocurrency investors”
Using cybercrime as cover: How Conti operators are lying low
Unit 42 Threat Group Naming Update - more entries on the Rosetta Stone
That’s all folks.. until next week..