Cyber Defence Analysis for Blue & Purple Teams

Bluepurple Pulse: week ending July 10th

bluepurple.binaryfirefly.com

China moves to information ops on cyber firms...

Ollie
Jul 8, 2022

Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading).

Operationally this week the most amusing thing was the information operation attempt by China, who were trying to pump the FOXACID reporting they released (an old, alleged western capability). They e-mailed our CIRT team address from a bunch of random gmail addresses asking to learn more about it.

In the high-level this week:

  • NATO have announced a rapid response force - We will significantly strengthen our cyber defences through enhanced civil-military cooperation.  We will also expand partnership with industry.  Allies have decided, on a voluntary basis and using national assets, to build and exercise a virtual rapid response cyber capability to respond to significant malicious cyber activities.

  • Chinese hackers kept up hiring drive despite FBI indictment - Hainan Tengyuan, a Chinese technology company, was actively recruiting English language translators in March according to job adverts seen by the Financial Times - nine months after US law enforcement agencies accused Beijing of setting up such companies as a “front” for spying operations against western targets - we get to debate efficacy of dissuasion now I guess?

  • The Geopolitics of Digital Standards - this is a thing and this paper from the Belfer Center for Science and International Affairs, Harvard Kennedy School does a good job outlining the challenges with China et al.

    • Related: the UK has just published Encoding values: Putting tech at the heart of UK foreign policy - which touches on some of the defence in practice.

  • Cyberspace Administration of China issued draft Standard Contractual Clauses (for comment, allegedly) to regulate the transfer of personal information abroad. This is how they propose to ensure data sovereignty.

  • How mercenary hackers sway litigation battles - Indian cyber mercenaries hacking parties involved in lawsuits around the world – showing how hired spies have become the secret weapon of litigants seeking an edge - yup, let the international norm setting and/or indictments begin (technical reporting below).

  • HackerOne published their incident report - where a rogue insider was taking vulnerabilities disclosed through their programmes and tried to sell them on to the companies directly.

  • The $100 Million Horizon Hack: Following the Trail Through Tornado Cash to North Korea - Our analysis of the hack and the subsequent laundering of the stolen cryptoassets also indicates that it is consistent with activities of the Lazarus Group - North Korea is still using cyber to raise liquidity.

  • Outsourcing the Cyber Kill Chain: Reinforcing the Cyber Mission Force and Allowing Increased Contractor Support of Cyber Operations - discusses the risk-management mechanisms that would allow the private sector in the US to undertake offensive cyber activities.

  • North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector - which has been used by North Korean state-sponsored cyber actors since at least May 2021 (technical reporting below).

  • The UK’s Information Commissioner’s Office and the National Cyber Security Centre have sent a clear message with this post titled ICO and NCSC stand together against ransomware payments being made -

    • Solicitors are today being asked to play their part in keeping the UK safe online by helping to tackle the rise in organisations paying out to ransomware criminals.

    • The National Cyber Security Centre (NCSC) and Information Commissioner’s Office (ICO) have been told that some firms are paying ransoms with the expectation that this is the right thing to do and they do not need to engage with the ICO as a regulator, or will gain benefit from it by way of reduced enforcement. This is incorrect.

Reflections this week are rather shallow, having spent most of it in meetings with more than one 4am start. Anyway, I was told about the book The Rules of Contagion: Why Things Spread - and Why They Stop and the potential to apply similar concepts to the cyber world, which on the face of it seems pretty epic.

Also I’ve made no secret of my admiration and wonderment for Jim Simons (the book The Man Who Solved the Market: How Jim Simons Launched the Quant Revolution is a recommended read). Anyway, there are few renowned people I would love to have a cup of tea with, but Jim is one. I similarly enjoyed this chat with him:

Advance notice: maybe no newsletter next week.

Have a lovely Friday

Ollie

Cyber threat intelligence

Who is doing what to whom and how.

Ukraine

Cyber ​​attack on state organizations of Ukraine using Cobalt Strike Beacon

PowerShell defence bypasses in use in an otherwise basic operation against Ukraine. All of the tradecraft, however, has been cobbled together from open-source materials published by various red teams.

The resulting PowerShell script, in addition to bypassing AMSI and disabling event logging for PowerShell, will decode and decompress the data into the following PowerShell script, which in turn will execute the Cobalt Strike Beacon malware.

https://cert.gov.ua/article/619229
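A practical way to turn the above into a hunt on your own telemetry is to sweep PowerShell ScriptBlock logging (Event ID 4104) text for the reflection targets and registry keys those public bypasses touch. The following is an added example written for this newsletter, not CERT-UA's code or the attacker's script; the indicator strings are well-known public red-team patterns, the sample events are constructed, and the field names (`EventRecordID`, `ScriptBlockText`) assume you have already exported 4104 events into dictionaries.

```python
"""Triage PowerShell ScriptBlock logging (Event ID 4104) text for AMSI-bypass
and logging-disable tradecraft. Added example for this newsletter; not
CERT-UA's code or the attacker's script. Indicator strings are public
red-team patterns; SAMPLE_EVENTS are constructed."""
import re
from typing import Dict, List, Tuple

# Reflection targets used by widely circulated PowerShell AMSI-bypass one-liners.
AMSI_INDICATORS = [
    r"AmsiUtils",
    r"amsiInitFailed",
    r"amsiContext",
    r"AmsiScanBuffer",
]

# Strings present when PowerShell's own ETW logging is switched off, either by
# reflection on PSEtwLogProvider or by flipping the policy registry key.
LOGGING_INDICATORS = [
    r"PSEtwLogProvider",
    r"etwProvider",
    r"m_enabled",
    r"EnableScriptBlockLogging",
    r"EnableModuleLogging",
    r"Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging",
]


def normalize(script: str) -> str:
    """Undo the simplest string-splitting obfuscation ('Am'+'si') and collapse
    whitespace, so indicators split across concatenations are still matched."""
    joined = re.sub(r"""['"]\s*\+\s*['"]""", "", script)
    return re.sub(r"\s+", " ", joined)


def scan_script_block(script: str) -> Dict[str, List[str]]:
    """Return {category: [matched indicators]} for one script block (empty if clean)."""
    norm = normalize(script)
    hits = {
        "amsi_bypass": [p for p in AMSI_INDICATORS if re.search(p, norm, re.IGNORECASE)],
        "logging_disable": [p for p in LOGGING_INDICATORS if re.search(p, norm, re.IGNORECASE)],
    }
    return {k: v for k, v in hits.items() if v}


def triage(events: List[Dict[str, object]]) -> List[Tuple[int, List[str]]]:
    """Return (EventRecordID, categories) for every 4104 event that matched."""
    flagged = []
    for ev in events:
        hits = scan_script_block(str(ev["ScriptBlockText"]))
        if hits:
            flagged.append((int(ev["EventRecordID"]), sorted(hits)))
    return flagged


# Constructed 4104 records: one benign block, then the three tradecraft patterns.
SAMPLE_EVENTS = [
    {"EventRecordID": 1001,
     "ScriptBlockText": r"Get-ChildItem C:\Temp | Where-Object { $_.Length -gt 1MB }"},
    {"EventRecordID": 1002,
     "ScriptBlockText": "[Ref].Assembly.GetType('System.Management.Automation.'+'Amsi'+'Utils')"
                        ".GetField('amsi'+'InitFailed','NonPublic,Static').SetValue($null,$true)"},
    {"EventRecordID": 1003,
     "ScriptBlockText": "[Reflection.Assembly]::LoadWithPartialName('System.Core')"
                        ".GetType('System.Diagnostics.Eventing.EventProvider')"
                        ".GetField('m_enabled','NonPublic,Instance').SetValue("
                        "[Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider')"
                        ".GetField('etwProvider','NonPublic,Static').GetValue($null),0)"},
    {"EventRecordID": 1004,
     "ScriptBlockText": r"Set-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows"
                        r"\PowerShell\ScriptBlockLogging -Name EnableScriptBlockLogging -Value 0"},
]

if __name__ == "__main__":
    for record_id, categories in triage(SAMPLE_EVENTS):
        print(record_id, ", ".join(categories))
```

String matching is a triage aid, not a detection: anything base64-encoded or assembled with format operators will slip past it, which is exactly why a script that goes out of its way to disable logging is itself the loud signal. Pair this with an alert on any change to the ScriptBlockLogging policy key.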

Unprecedented Shift: The Trickbot Group is Systematically Attacking Ukraine

The full capability of Russia has apparently been deployed here, including its criminals. We suspected this might happen, but it is good to have evidence that a proxy war is also potentially occurring in practice.

[We have] uncovered evidence indicating that the Russia-based cybercriminal syndicate “Trickbot group” has been systematically attacking Ukraine since the Russian invasion — an unprecedented shift as the group had not previously targeted Ukraine. Between mid-April and mid-June of 2022 the Trickbot group, tracked as ITG23 and also known as Wizard Spider, DEV-0193, and the Conti group, has conducted at least six campaigns — two of which have been discovered by X-Force — against Ukraine, during which they deployed IcedID, CobaltStrike, AnchorMail, and Meterpreter.

https://securityintelligence.com/posts/trickbot-group-systematically-attacking-ukraine/

Countering hack-for-hire groups

As touched on above, India is becoming a hot-bed of for-hire cyber capabilities: both hack-for-hire of this kind and technical capabilities used in the operations of others. Not China/Russia/Iran/North Korea, but also not entirely observant of international norms. The new world is, shall we say, challenging..

The breadth of targets in hack-for-hire campaigns stands in contrast to many government-backed operations, which often have a clearer delineation of mission and targets. A recent campaign from an Indian hack-for-hire operator was observed targeting an IT company in Cyprus, an education institution in Nigeria, a fintech company in the Balkans and a shopping company in Israel.

https://blog.google/threat-analysis-group/countering-hack-for-hire-groups/

Targets of Interest | Russian Organizations Increasingly Under Attack By Chinese APTs

When friends aren’t really friends and one is just going to take advantage. Standard modus operandi from China, but interesting that they continue to run such ops against an “ally”. More widely, it is clear there are espionage tensions between the two countries, as reported in Russia arrests scientist for alleged collaboration with Chinese secret services

  • [We] identified a new cluster of threat activity targeting Russian organizations.

  • We assess with high-confidence that the threat actor responsible for the attacks is a Chinese state-sponsored cyber espionage group, as also recently noted by Ukraine CERT (CERT-UA).

  • The attacks use phishing emails to deliver Office documents to exploit targets in order to deliver their RAT of choice, most commonly Bisonal.

  • [We] also identified associated activity targeting telecommunication organizations in Pakistan leveraging similar attack techniques.

https://www.sentinelone.com/labs/targets-of-interest-russian-organizations-increasingly-under-attack-by-chinese-apts/

The SessionManager IIS backdoor: a possibly overlooked GELSEMIUM artefact

Suspected Chinese implant being used on Microsoft Exchange servers and others.

In early 2022, we investigated one such IIS backdoor: SessionManager. In late April 2022, most of the samples we identified were still not flagged as malicious in a popular online file scanning service, and SessionManager was still deployed in over 20 organizations.

SessionManager has been used against NGOs, government, military and industrial organizations in Africa, South America, Asia, Europe, Russia and the Middle East, starting from at least March 2021. Because of the similar victims, and use of a common OwlProxy variant, we believe the malicious IIS module may have been leveraged by the GELSEMIUM threat actor, as part of espionage operations.

https://securelist.com/the-sessionmanager-iis-backdoor/106868/

Smash-and-grab: AstraLocker 2.0 pushes ransomware direct from Office docs

Evidence that the cyber criminal eco-system is getting murkier, with code being borrowed between groups, which will in time potentially complicate attribution.

ReversingLabs recently discovered a new version of the AstraLocker ransomware (AstraLocker 2.0) that was being distributed directly from Microsoft Office files used as bait in phishing attacks. Our analysis suggests that the threat actor responsible for this campaign likely obtained the underlying code for AstraLocker 2.0 from a leak of the Babuk ransomware in September 2021. Links between the two campaigns include shared code and campaign markers, while a Monero wallet address listed for ransom payment is tied to the Chaos Ransomware gang.

https://blog.reversinglabs.com/blog/smash-and-grab-astralocker-2-pushes-ransomware-direct-from-office-docs

Xloader Returns with New Infection Technique

The complexity is the thing to note here. The multiple stages and various in-memory techniques will certainly frustrate some investigations if the original file isn’t retained.

The malware uses multiple file types such as PDF, XLSX, and RTF for its initial infection and execution. It is also designed to drop three modules in memory and execute the final payload using the Process-Hollowing technique. Additionally, the malware uses steganography to hide its malicious content in a bitmap file.

Upon opening a PDF file, it drops the embedded XLSX file named “has been verified. However PDF, JPG, Docx, .xlsx” into the “Temp” location. It then uses multiple extensions of different file formats to trick the user.

https://blog.cyble.com/2022/07/01/xloader-returns-with-new-infection-technique/

YamaBot malware used by the attack group Lazarus

Japanese/English reporting by Shusei Tomonaga on a North Korean Linux/Windows implant. Of note is that the implant is in active use and multi-OS, so if you find it on one OS in an estate it is worth looking wider.

The Linux OS-targeted malware YamaBot shared in the above research report (referred to as Kaos in the material, but referred to as YamaBot in this blog) has recently been identified as targeting the Windows OS. YamaBot is malware written in the Go language, and its functions are slightly different between the malware written for each platform. In addition to YamaBot, the attack group Lazarus uses multiple multi-platform malware such as VSingle.

https://blogs.jpcert.or.jp/ja/2022/06/yamabot.html

https://blogs.jpcert.or.jp/en/2022/07/yamabot.html

AppleSeed dissemination under the guise of an order or letter of intent

Korean reporting on North Korean activity. The only material thing of note is the use of JSE (JScript Encoded File) files as the initial payload.

The JSE (JScript Encoded File) file is in JavaScript, and when executed, the AppleSeed backdoor body (DLL file) and the order form PDF file, which is the bait document file, are dropped to the %ProgramData% path. The dropped file is then automatically executed.

https://asec.ahnlab.com/ko/35781/

Beware of North Korea-linked hacking attacks

Further Korean reporting on North Korean activity. The interesting thing about this campaign is that it uses the North Korean tradecraft of first starting a relationship in order to later get the target to do whatever is needed to achieve compromise.

This attack was sent to a large number of unspecified professors working in the fields of defense, diplomacy, security and politics under the title of 'Request for Advisory by the National Assembly Legislative Investigation Office'. The e-mail does not do any malicious action, it simply induces the recipient to reply and searches for the target of the attack. 

https://blog.alyac.co.kr/4826

Maui ransomware: Threat report

Silas Cutler provides an analysis of ransomware which has been attributed to North Korea. It looks like it does full file encryption - so remember to have a really large dummy file to keep it busy and give yourself a fighting chance.

Maui stood out to us because of a lack of several key features we commonly see with tooling from RaaS providers, such as an embedded ransom note to provide recovery instructions or automated means of transmitting encryption keys to attackers. Instead, we believe that Maui is manually operated, in which operators will specify which files to encrypt when executing it and then exfiltrate the resulting runtime artifacts

https://stairwell.com/wp-content/uploads/2022/07/Stairwell-Threat-Report-Maui-Ransomware.pdf

New macOS 'covid' Malware Masquerades as Apple, Wears Face of APT

Phil Stokes and Dinesh Devadoss show how macOS continues to get some focus with various bits of tradecraft. Of note is the use of Sliver, an open-source framework released by a US-based cyber security company.

Apparently unremarkable, further analysis showed that the disk image contained an application bundle called ‘vpn.app’, an application built with Platypus, an open-source toolkit that allows developers to turn scripts into Mac applications.

Static analysis of the malicious softwareupdated [the second stage] shows it to be a Sliver implant.

https://www.sentinelone.com/blog/from-the-front-lines-new-macos-covid-malware-masquerades-as-apple-wears-face-of-apt/

Analysis of a suspected APT-C-23 (Two-tailed Scorpion) group attack disguised as the Threema messaging software

Chinese reporting on a Gaza-based threat actor who has co-opted open-source tooling and social engineering as the next evolution in their tradecraft and capability.

This attack directly disguised the commercial RAT as Threema to induce users to click to open it. Threema is a paid, open-source, end-to-end encrypted instant messaging app developed in Switzerland. The final payload loaded and executed is the backdoor program QuasarRAT, which is highly obfuscated. Quasar is a remote management tool written in C# [and open source]

https://mp-weixin-qq-com.translate.goog/s/1uJaPS-nuGNI8lQ1-ZekIA?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en

Bitter APT continues to target Bangladesh

Suspected Indian threat actor going after Bangladesh targets. The tradecraft isn’t overly novel, the initial access mechanism is maldocs and user clicky clicky.

  • [We] identified a recent attack consistent with the campaign targeting Bangladesh conducted by the advanced persistent threat group “Bitter”, also known as T-APT-17.

  • Bitter employs malicious document files as lures containing different implementations of the so-called “Equation Editor exploits” to download following malware stages.

  • The second stage consists of a Loader, which gathers information about the infected system and retrieves the third stage from a remote server.

  • The third stage of a Bitter attack can feature different types of Malware e.g. Keyloggers, Stealers or Remote Access Trojans (RATs). We analyzed one of the newer utilized RATs, which we refer to as “Almond RAT”.

https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh/

Brute Ratel C4 Red Teaming Tool Being Abused by Malicious Actors

Ever get the feeling you are being trolled by Russia? Well Mike Harbison and Peter Renals show that Russian actors might just be trying out every Red Team framework they can to make defensive teams work harder.

The sample contained a malicious payload associated with Brute Ratel C4 (BRc4), the newest red-teaming and adversarial attack simulation tool to hit the market. While this capability has managed to stay out of the spotlight and remains less commonly known than its Cobalt Strike brethren, it is no less sophisticated.

This unique sample was packaged in a manner consistent with known APT29 techniques and their recent campaigns, which leveraged well-known cloud storage and online collaboration applications.

https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/

IconBurst: NPM software supply chain attack grabs data from apps, websites

Karlo Zanki documents yet another open source developer library supply chain attack. It is the scale which is terrifying more than anything.

[We] have uncovered a widespread campaign to install malicious NPM modules that are harvesting sensitive data from forms embedded in mobile applications and websites.

Upon closer inspection, we discovered evidence of a coordinated supply chain attack, with a large number of NPM packages containing jQuery scripts designed to steal form data from deployed applications that include them. While the full extent of this attack isn’t yet known, the malicious packages we discovered are likely used by hundreds, if not thousands of downstream mobile and desktop applications as well as websites. In one case, a malicious package had been downloaded more than 17,000 times.

https://blog.reversinglabs.com/blog/iconburst-npm-software-supply-chain-attack-grabs-data-from-apps-websites

OrBit: New Undetected Linux Threat Uses Unique Hijack of Execution Flow

Nicole Fishbein documents a Linux-targeted capability which employs a couple of less commonly used techniques to get execution within its host processes. It is like threat actors read Phrack articles from the late 90s/early 2000s or something.

The malware implements advanced evasion techniques and gains persistence on the machine by hooking key functions, provides the threat actors with remote access capabilities over SSH, harvests credentials, and logs TTY commands. Once the malware is installed it will infect all of the running processes, including new processes, that are running on the machine.

Unlike other threats that hijack shared libraries by modifying the environment variable LD_PRELOAD, this malware uses 2 different ways to load the malicious library. The first way is by adding the shared object to the configuration file that is used by the loader. The second way is by patching the binary of the loader itself so it will load the malicious shared object.

https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/
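Both loading paths described above are checkable from disk, which matters when the implant is hooking libc in every running process and you cannot trust `ls`, `ldd` or `cat` on the live box. The following is an added example for this newsletter, not Intezer's code or the OrBit sample: it parses the contents of an `/etc/ld.so.preload` file (glibc reads whitespace- or colon-separated entries, with `#` starting a comment) and checks a copy of the loader for the hard-coded `/etc/ld.so.preload` string that glibc's `ld.so` carries. The sample file contents and loader bytes are constructed; in practice run it against copies of the real files taken from a trusted boot medium.

```python
"""Offline checks for the two ld.so preload tricks described above. Added
example; not Intezer's code or the OrBit sample. Inputs are file contents and
loader bytes copied off the host, so a hooked libc on the live box cannot lie
to this script. SAMPLE_* data is constructed."""
import re
from pathlib import PurePosixPath
from typing import List, Optional, Tuple

PRELOAD_FILE = "/etc/ld.so.preload"
SYSTEM_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib")


def parse_preload(content: str) -> List[str]:
    """Split an ld.so.preload image the way glibc's loader does: entries are
    separated by whitespace or ':', and '#' starts a comment to end of line."""
    entries: List[str] = []
    for line in content.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(tok for tok in re.split(r"[:\s]+", line) if tok)
    return entries


def check_preload(content: str, allowlist: Tuple[str, ...] = ()) -> List[Tuple[str, str]]:
    """Rate every entry. The file is normally absent, so anything not on the
    allowlist is at least 'review'; entries outside system library directories
    or containing a dot-file path component are 'high'. The severities are this
    example's own convention."""
    findings = []
    for path in parse_preload(content):
        if path in allowlist:
            continue
        parts = PurePosixPath(path).parts
        in_system_dir = any(path.startswith(d + "/") for d in SYSTEM_LIB_DIRS)
        hidden = any(part.startswith(".") for part in parts)
        findings.append(("high" if (not in_system_dir or hidden) else "review", path))
    return findings


def loader_preload_path(loader: bytes) -> Tuple[str, Optional[str]]:
    """glibc's ld.so carries '/etc/ld.so.preload' as a NUL-terminated string.
    'ok' if it is intact, 'patched' with the replacement if some other *preload
    path is present instead, 'missing' if no such string exists at all."""
    if PRELOAD_FILE.encode() + b"\x00" in loader:
        return ("ok", PRELOAD_FILE)
    m = re.search(rb"/[\x21-\x7e]*preload\x00", loader)
    if m:
        return ("patched", m.group(0)[:-1].decode("ascii"))
    return ("missing", None)


# Constructed ld.so.preload contents: one packaged library and one dot-file in /tmp.
SAMPLE_PRELOAD = "/usr/lib/x86_64-linux-gnu/libexample.so  # from a package\n/tmp/.x/evil.so\n"

# Constructed stand-ins for the loader: a few header bytes plus the strings that
# matter. The 'patched' copy swaps in a same-length path so no offsets move.
SAMPLE_LOADER_CLEAN = (b"\x7fELF\x02\x01\x01" + b"\x00" * 16
                       + b"/etc/ld.so.preload\x00/etc/ld.so.cache\x00")
SAMPLE_LOADER_PATCHED = SAMPLE_LOADER_CLEAN.replace(b"/etc/ld.so.preload\x00",
                                                    b"/tmp/.x/ld.preload\x00")

if __name__ == "__main__":
    for severity, path in check_preload(SAMPLE_PRELOAD):
        print(f"{severity:6} {path}")
    print(loader_preload_path(SAMPLE_LOADER_CLEAN))
    print(loader_preload_path(SAMPLE_LOADER_PATCHED))
```

A stock glibc loader always carries the `/etc/ld.so.preload` string, so a `patched` or `missing` verdict on a copy of the loader (`/lib64/ld-linux-x86-64.so.2` on most x86-64 distros; the path varies) is worth a hash comparison against the package the distro shipped.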

LockBit 3.0: "Making the ransomware great again"

Novelty here is less about the technology and more around the monetization strategies. Variable payment plans in a ransomware eco-system - who had that in their predictions?

Until now, these victims were given a well-defined period of time to pay the requested ransom. In project 3.0 the collective seems to have included new possibilities for negotiations; indeed, by paying a specific fee it is now possible to extend the timer by 24 hours, destroy all data from the website, or download all data right away.

https://cluster25.io/2022/07/06/lockbit-3-0-making-the-ransomware-great-again/

Malware VSingle that retrieves C2 server information from GitHub

What this buys them over a standard domain generation algorithm is unclear, but they did it, so 🤷

Recently, the malware VSingle feature used by attack group Lazarus has been updated to retrieve C2 server information from GitHub.

https://blogs.jpcert.or.jp/ja/2022/07/vsingle.html

Teng Snake (a.k.a. Code Core)

South Korean health department compromised allegedly..

A user named uteus, who claimed to be White Dawn team, uploaded a post on an underground forum titled “South Korean health department invades” that was selling AD server privileges from an association.

https://medium.com/s2wblog/%E5%8F%98%E8%84%B8-teng-snake-a-k-a-code-core-8c35268b4d1a

Discovery

How we find and understand the latent compromises within our environments.

Making YARA better: Authenticode, .NET, Telfhash

Further metadata added which can be used in signatures.

Recently we’ve made large contributions to YARA, which further improve its malware identification capabilities:

  • PE signature parsing and verification.

  • Reconstruction of .NET user-defined types.

  • Calculation of telfhash value available on VirusTotal.

https://engineering.avast.io/making-yara-better-authenticode-net-telfhash/

Displaying the full historical process tree in a nicely walkable form from Sysmon data

A neat little bit of PowerShell which:

Shows a process history tree with data extracted from a Sysmon/Operational log

https://github.com/gtworek/PSBits/blob/master/DFIR/Get-SysmonTree.ps1
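The same idea in Python, as an added example and not the PSBits script linked above: build the tree from Sysmon Event ID 1 (process create) records keyed on ProcessGuid rather than PID, so PID reuse cannot splice unrelated processes together, and synthesise a placeholder parent when the parent's own create event was never logged (it started before Sysmon did, or the log rolled). The records below are constructed dictionaries using Sysmon's EventData field names; the GUIDs, PIDs and paths are made up for the example.

```python
"""Rebuild a walkable process tree from Sysmon Event ID 1 (process create)
records. Added example, not the PSBits script linked above. Records are
dictionaries using Sysmon's EventData field names; GUIDs, PIDs and paths in
SAMPLE_EVENTS are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Proc:
    guid: str
    pid: int
    image: str
    cmdline: str
    utc_time: str
    parent_guid: str
    parent_image: str
    parent_pid: int
    children: List["Proc"] = field(default_factory=list)


def build_tree(events: List[Dict[str, str]]) -> List[Proc]:
    """Return the tree's root nodes. Linking on ProcessGuid rather than PID
    means PID reuse cannot attach a new process to a stale parent."""
    procs = {
        e["ProcessGuid"]: Proc(e["ProcessGuid"], int(e["ProcessId"]), e["Image"],
                               e.get("CommandLine", ""), e["UtcTime"],
                               e["ParentProcessGuid"], e.get("ParentImage", ""),
                               int(e.get("ParentProcessId", 0)))
        for e in events
    }
    placeholders: Dict[str, Proc] = {}
    roots: List[Proc] = []
    for p in sorted(procs.values(), key=lambda x: x.utc_time):
        parent = procs.get(p.parent_guid)
        if parent is None:
            # No Event ID 1 for the parent (it pre-dates Sysmon, or the event was
            # lost): synthesise it from the child's ParentImage so the tree has a root.
            parent = placeholders.get(p.parent_guid)
            if parent is None:
                parent = Proc(p.parent_guid, p.parent_pid, p.parent_image or "<unknown>",
                              "", "", "", "", 0)
                placeholders[p.parent_guid] = parent
                roots.append(parent)
        parent.children.append(p)
    return roots


def render(nodes: List[Proc], depth: int = 0) -> List[str]:
    """Indented, time-ordered listing; two spaces of indent per generation."""
    lines: List[str] = []
    for n in sorted(nodes, key=lambda x: x.utc_time):
        lines.append(f"{'  ' * depth}{n.image} (pid {n.pid})  {n.cmdline}".rstrip())
        lines.extend(render(n.children, depth + 1))
    return lines


def lineage(events: List[Dict[str, str]], guid: str) -> List[str]:
    """Images from the outermost known ancestor down to the process with `guid`
    (the unlogged parent's ParentImage included), or [] if the GUID is unknown."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    chain: List[str] = []
    cur = by_guid.get(guid)
    while cur is not None:
        chain.append(cur["Image"])
        nxt = by_guid.get(cur["ParentProcessGuid"])
        if nxt is None:
            chain.append(cur.get("ParentImage", "<unknown>"))
        cur = nxt
    return list(reversed(chain))


WIN = "C:\\Windows\\System32\\"
OFFICE = "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
# Constructed records: a maldoc chain under explorer.exe, plus an svchost.exe whose
# parent (services.exe) has no create event of its own.
SAMPLE_EVENTS = [
    {"UtcTime": "2022-07-04 10:00:00.000", "ProcessGuid": "{G-EXPLORER}", "ProcessId": "4120",
     "Image": "C:\\Windows\\explorer.exe", "CommandLine": "C:\\Windows\\Explorer.EXE",
     "ParentProcessGuid": "{G-USERINIT}", "ParentProcessId": "4088", "ParentImage": WIN + "userinit.exe"},
    {"UtcTime": "2022-07-04 10:00:05.000", "ProcessGuid": "{G-SVCHOST}", "ProcessId": "900",
     "Image": WIN + "svchost.exe", "CommandLine": "svchost.exe -k netsvcs",
     "ParentProcessGuid": "{G-SERVICES}", "ParentProcessId": "656", "ParentImage": WIN + "services.exe"},
    {"UtcTime": "2022-07-04 10:05:10.000", "ProcessGuid": "{G-WINWORD}", "ProcessId": "5012",
     "Image": OFFICE, "CommandLine": "WINWORD.EXE /n invoice.docm",
     "ParentProcessGuid": "{G-EXPLORER}", "ParentProcessId": "4120", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"UtcTime": "2022-07-04 10:05:12.000", "ProcessGuid": "{G-PS}", "ProcessId": "5330",
     "Image": WIN + "WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc <base64>",
     "ParentProcessGuid": "{G-WINWORD}", "ParentProcessId": "5012", "ParentImage": OFFICE},
    {"UtcTime": "2022-07-04 10:05:15.000", "ProcessGuid": "{G-RUNDLL}", "ProcessId": "5402",
     "Image": WIN + "rundll32.exe", "CommandLine": "rundll32.exe C:\\Users\\Public\\x.dll,Start",
     "ParentProcessGuid": "{G-PS}", "ParentProcessId": "5330",
     "ParentImage": WIN + "WindowsPowerShell\\v1.0\\powershell.exe"},
]

if __name__ == "__main__":
    print("\n".join(render(build_tree(SAMPLE_EVENTS))))
    print(" -> ".join(lineage(SAMPLE_EVENTS, "{G-RUNDLL}")))
```

During triage it is usually `lineage` you want: explorer.exe to WINWORD.EXE to powershell.exe to rundll32.exe tells a story, while rundll32.exe on its own does not.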

Velociraptor Threathunting - Quick Introduction

Asger Strunk provides a wonderful introduction to threat hunting with Velociraptor.

https://fiskeren.github.io/posts/velothreathunt/

A deep dive into Ubuntu thumbnails

Panagiotis Nakoutis provides some novel Linux forensics tradecraft. They document how GNOME image thumbnails work in a variety of situations on Ubuntu.

https://medium.com/@pnakouti/dear-reader-3a74ed9d0b94

TAPIR

Solal Jacob has dropped a multi-user, client/server, incident response framework for the world to benefit from.

https://github.com/tap-ir/tapir

bin2json

From the same framework, but a useful standalone binary for those doing things with malware etc. It recursively extracts metadata from a file, a directory of files or a disk dump to JSON.

https://github.com/tap-ir/bin2json

Defence

How we proactively defend our environments.

Microsoft Defender for Endpoint Internals 0x02

Olaf Hartong proves once again that he is a god in a land of MSFT mortals.

Check your audit policy settings for all of the OUs that are set to system groups where you have MDE deployed. You might have unintentional blind spots and don’t gain the full advantage from your EDR.

https://medium.com/falconforce/microsoft-defender-for-endpoint-internals-0x02-audit-settings-and-telemetry-1d0af3ebfb27

Secure authentication method provisioning with Temporary Access Pass

This is pretty epic, passwords can’t die quick enough..

TAP is a time-limited passcode that allows users to register passwordless authentication methods and recover access to their account without needing a password. You can also use a TAP to set up Windows devices, whether your users are directly setting up their own devices or they’re using Windows AutoPilot, joining devices to Azure AD, or even setting up Windows Hello for Business. 

https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/secure-authentication-method-provisioning-with-temporary-access/ba-p/3290631

Offense

Attack capability, techniques and tradecraft.

Push Comes To Shove

Exploring the attack surface of SCCM Client Push Accounts

https://www.hub.trimarcsecurity.com/post/push-comes-to-shove-exploring-the-attack-surface-of-sccm-client-push-accounts

TripleCross: A Linux eBPF rootkit

Marcos S. Bajo demonstrates once more that if your threat model doesn’t include a single computer science student unleashing a complete eBPF rootkit, you are doing it wrong.

Rootkit with a backdoor, C2, library injection, execution hijacking, persistence and stealth capabilities.

https://github.com/h3xduck/TripleCross

pamspy: Credentials Dumper for Linux using eBPF

Sylvain Peyrefitte equally shows the power of eBPF with yet another credential dumper. It is to the host, via eBPF, what Dug Song’s dsniff was to the network.

It will track a particular userland function inside the PAM (Pluggable Authentication Modules) library, used by many critical applications to handle authentication like:

  • sudo

  • sshd

  • passwd

  • gnome

  • x11

  • and many other ...

https://github.com/citronneur/pamspy

Using YouTube as a free file hosting service

Yep, really, and it can be used to host second stages as a result. Neat work from Florian; let’s see how quickly it gets used by malicious threat actors and/or Google stamps on it as a technique.

https://github.com/MeViMo/youbit

Abusing Cloudflare Workers

Christophe Tafani-Dereeper walks us through an under appreciated offensive technique. Would you look for a backdoor in your Cloudflare configuration?

Cloudflare Workers provide a powerful serverless solution to run code that sits between every HTTP request and response. In this post, we’ll see how an attacker compromising a Cloudflare account can abuse Workers to establish persistence and exfiltrate sensitive data.

The techniques we discuss here have been used in the wild, but largely flew under the radar. Red teamers, read on to learn about offensive uses of Cloudflare Workers. Blue teamers, keep reading to learn why securing access to your Cloudflare account is so critical.

https://blog.christophetd.fr/abusing-cloudflare-workers/

Vulnerability

Our attack surface.

Numerous vulnerabilities in Jenkins plugins

Over 20 different plugins impacted by various vulnerabilities. It is like WordPress said hold my beer..

https://www.jenkins.io/security/advisory/2022-06-30/

OpenSSL: AES OCB fails to encrypt some bytes CVE-2022-2097

Unlikely to happen in the real-world often but a neat bug:

AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed.

https://www.openssl.org/news/secadv/20220705.txt

Exploitation

What is being exploited.

2022 0-day In-the-Wild Exploitation…so far

Maddie Stone shares some stark data..

As of June 15, 2022, there have been 18 0-days detected and disclosed as exploited in-the-wild in 2022. When we analyzed those 0-days, we found that at least nine of the 0-days are variants of previously patched vulnerabilities. At least half of the 0-days we’ve seen in the first six months of 2022 could have been prevented with more comprehensive patching and regression tests. On top of that, four of the 2022 0-days are variants of 2021 in-the-wild 0-days. Just 12 months from the original in-the-wild 0-day being patched, attackers came back with a variant of the original bug.  

https://googleprojectzero.blogspot.com/2022/06/2022-0-day-in-wild-exploitationso-far.html

Get root on macOS 12.3.1

Proof-of-concepts for Linus Henze’s CoreTrust and DriverKit bugs (CVE-2022-26766, CVE-2022-26763)

https://worthdoingbadly.com/coretrust/

Black Basta Ransomware Operators Expand Their Attack Arsenal With QakBot Trojan and PrintNightmare Exploit

Kenneth Adrian Apostol, Paolo Ronniel Labrador, Mirah Manlapig, James Panlilio, Emmanuel Panopio, John Kenneth Reyes and Melvin Singwa show that organised crime are pulling through open source exploits into their operations even if they are a little dated.

We recently caught it using the banking trojan QakBot as a means of entry and movement, and taking advantage of the PrintNightmare vulnerability (CVE-2021-34527) to perform privileged file operations.

https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html

Footnotes

Some other small bits and bobs which might be of interest.

  • 2022 Workshop on Human Centric Software Engineering and Cyber Security is happening Mon 10 – Fri 14 October 2022.

  • Cyber Security Assessment Netherlands 2022 - NCTV: Risk of disruption greater due to imbalance between threat and resilience.

  • The Science of Cyber and the Art of Deception -

  • Canada’s national police force admits use of spyware to hack phones -

  • International Law Applicable to Cyberspace. Dialogue with OAS Member States -

  • The Gozi group: A criminal firm in cyberspace? - Academic analysis of this criminal threat actor.

  • Practical Attacks on Machine Learning Systems - NCC Group’s Chief Scientist dropped the wisdom based on five years of literature review, replication, research and in-field experience attacking machine learning systems.

  • Regional state consultations on international humanitarian law and cyber operations during armed conflicts - consultation.. report pending..

  • Toll fraud malware: How an Android application can drain your wallet - overview of this class of threat.

  • Predicting Cyber-Attacks using Hawkes processes

Art of the week award goes to SNDBOX who commissioned this wonderful ANSi art. Once upon a time before the Internet we used Bulletin Board Systems and this was our art..

That’s all folks.. until next week..

© 2023 Ollie Whitehouse from BinaryFirefly