Bluepurple Pulse: week ending July 31st
North Korea is being terribly naughty..
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading).
Operationally this week you will see there is significant reporting in all guises: a significant amount of North Korean reporting (6 discrete reports) as well as numerous annual, bi-annual, quarterly and monthly aggregate reports. Outside of that the usual operational tempo…
In the high-level this week:
Cost of a Data Breach Report 2022 - as one of the subreddit readers Melesee noted “There was a specifically interesting data point in there on how companies with an IR team and an IR plan spent about 2.2 million less per breach on average.”
US’s Transportation Security Administration revises and reissues cybersecurity requirements for pipeline owners and operators - segmentation, detection & response and patching are a focus to save you wading through it.
US’s Office of the National Cyber Director Announces Camille Stewart Gloster as Deputy National Cyber Director for Technology and Ecosystem Security - when supply chains get a senior owner within Government. This is a great move by the US, expect other countries to replicate.
Reporting from Greece on Complaint for attempted monitoring of Nikos Androulakis’s mobile phone with the Supreme Court - Cytrox Predator (NSO Pegasus competitor) was used against the head of the Greek socialist party - only found when the European Parliament did their wider investigation.
National Cyber Workforce and Education Summit from The White House - this is what I deeply love and respect about the US. This is a bold response and a good collection of public and private sector activity in response to the fundamental issue of skills.
US DHS Readout of Inaugural Cyber Incident Reporting Council Meeting - Secretary of Homeland Security Alejandro N. Mayorkas convened the Cyber Incident Reporting Council (CIRC) - a new Council composed of federal agencies with a Congressional mandate to coordinate, deconflict, and harmonize etc. In the great words of Jackie Moon ‘everybody love everybody’.
Results of Bilateral Meeting Between the United States and the Kingdom of Saudi Arabia - President Biden welcomed the signing of two bilateral agreements on cybersecurity with Saudi Arabia’s National Cybersecurity Authority – one with the Federal Bureau of Investigations and the other with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) - cyber defence soft power at work.
The Jerusalem U.S.-Israel Strategic Partnership Joint Declaration - their support for increased collaboration on operational cyber exchange and on combatting cybercrime - infer from that what you will on what that means for the private companies delivering offensive cyber.
The Law of Cyber Conflict: Quo Vadis? - from the Lieber Institute at West Point. A summary of the topics covered in the Lieber Studies volume The Future Law of Armed Conflict, which was published 27 May 2022. The headline is that applying extant international law in the cyber context is a work in progress - aka it is complicated and our adversaries aren’t tying themselves in the same legal knots.
How the cyberwar between Iran and Israel has intensified - article in the Washington Post which also covers some of the international law aspects of activity happening between these two countries.
Hong Kong’s New Cybercrime Law Consultation - “consultation” - but they recognise the need for reform and their proposals are sensible. Similar to what the CyberUp Campaign has been doing in the UK to educate lawmakers for not dissimilar reasons.
House Intelligence Committee Open Hearing on Commercial Cyber Surveillance - this was an interesting watch. The best suggestion in my opinion was put forward by Senator Hines - that is to deny US aid funding to those countries that buy this technology from commercial providers, especially if those countries then use the technology against the US. Written evidence was also published.
In think tank land the UK’s Royal United Services Institute (RUSI) has a role open for a Research Fellow, Cyber, Technology and National Security.
No reflections this week, just a revelation (to me). You can use YouTube to auto translate the closed captions of videos. Useful whilst watching the Russian video below on Chinese APT incursions into Russia.
Have a lovely Friday,
Cyber threat intelligence
Who is doing what to whom and how.
Interestingly not much reporting this week publicly.
For 12 Hours, Was Part of Apple Engineering’s Network Hijacked by Russia’s Rostelecom?
Personally the headline I would have written is “Is Russia weaponizing BGP as part of their conflict strategy?”. Either way an interesting data point.
For a little over 12 hours on 26-27 July, a network operated by Russia’s Rostelecom started announcing routes for part of Apple’s network. The effect was that Internet users in parts of the Internet trying to connect to Apple’s services may have been redirected to the Rostelecom network. Apple Engineering appears to have been successful in reducing the impact, and eventually Rostelecom stopped sending the false route announcements.
Probably a lesson in here about not annoying Intrusion Truth if you do offensive cyber on behalf of a state.
The old school hackers behind APT41
In an FBI indictment released in 2020, it reported five hackers with substantiated links to APT41: all criminal hackers based in Chengdu, Sichuan province. Seems Chengdu is getting somewhat of a hacker reputation.
The middle act
A number of the indicated APT41 actors have attended Sichuan University (a university known to be linked to Chinese hacking campaigns as previously noted in 2012 through its links to the Lucky Cat campaign) and appear to have remained involved ever since, forming part of the alumni...
The people behind Chengdu 404
The penultimate instalment.
In the previous articles, we touched upon Chengdu 404 as a front company. This article serves to focus on the individuals behind the company who have been named by the US as cyber criminals. The indicted trio are: Qian Chuan (钱川), Jiang Lizhi (蒋立志), and Fu Qiang (付强).
Chinese APTs: Interlinked networks and side hustles
The finale 🎆
Remember Mr. Zeng Xiaoyong (aka envymask)? As readers will know, we named Zeng as a member of APT17 back in July of 2019. We evidenced his connections to the Chinese hacker group ph4nt0m, his birth place of Sichuan and his university of Nanjing Science and Engineering, where he met and later worked with MSS Officer of the Jinan SSD – Guo Lin. And it appears Zeng Xiaoyong has connections that go even further…
CosmicStrand: the discovery of a sophisticated UEFI firmware rootkit
Nation state or skilled criminal? Anyway, China showing it has skills.
In this report, we present a UEFI firmware rootkit that we called CosmicStrand and attribute to an unknown Chinese-speaking threat actor. One of our industry partners, Qihoo360, published a blog post about an early variant of this malware family in 2017.
Although we were unable to discover how the victim machines were infected initially, an analysis of their hardware sheds light on the devices that CosmicStrand can infect. The rootkit is located in the firmware images of Gigabyte or ASUS motherboards, and we noticed that all these images are related to designs using the H81 chipset. This suggests that a common vulnerability may exist that allowed the attackers to inject their rootkit into the firmware’s image.
Old cat, new tricks, bad habits:
Krystle Reid documents how an Iranian actor made operational security mistakes allowing good insight into some of their capability. But also how they continue to evolve their. In summary just because you are sanctioned doesn’t mean you can’t cyber.
OPSEC mistakes associated with Yellow Garuda operations in late 2021 resulted in the discovery of new tool used to enumerate data from targeted Telegram accounts. We also identified an alias tied to early Iran-based operations and a surveillance report likely written by a Yellow Garuda operator. Additionally, [our] analysts have observed the threat actor’s use of macro-enabled template files as recently as March 2022, a new TTP not previously associated with Yellow Garuda.
DUCKTAIL: An infostealer targeting Facebook business accounts
Mohammed Kazem Hassan Nejad discusses a criminal operation looking to gain financial benefit from an intermediary platform. Interesting that these stores of value are being identified and targeted.
[We have] been tracking an operation dubbed “DUCKTAIL” that targets individuals and organizations that operate on Facebook’s Business/Ads platform.
The operation consists of a malware component, which performs information stealing as well as Facebook Business hijacking. Based upon analysis and gathered data, we have determined that the operation is conducted by a Vietnamese threat actor.
The chain of evidence suggests that the threat actor’s motives are financially driven, similar to the SilentFade campaign that was discovered by Meta
Untangling KNOTWEED: European private-sector offensive actor using 0-day exploits
When a private sector company allegedly delivers surprise Red Teams to victims but doesn’t conceal their identity. Either way suboptimal for all concerned.
[We] found a private-sector offensive actor (PSOA) using multiple Windows and Adobe 0-day exploits, including one for the recently patched CVE-2022-22047, in limited and targeted attacks against European and Central American customers. The PSOA, which MSTIC tracks as KNOTWEED, developed malware called Subzero which was used in these attacks.
This blog details [our] analysis of the observed KNOTWEED activity and related malware used in targeted attacks against our customers.
Russian presentation on Chinese state attacks against Russia
Oleg Shakirov provides the following bulleted analysis:
While Russian officials are largely silent about the cyber threat from China — especially when compared to their rhetoric about the United States and the West — the Russian infosec industry doesn't shy away from talking about it at all.
Nonetheless the gov't is also very much aware of this. There're a couple of very specific examples in this video. Remember in May 2021 Rostelecom Solar & NCIRCC (national CERT, part of the FSB) published a report on attacks against RU gov't agencies?
Back then the deputy head of NCIRCC said the group behind the attacks was on par with a foreign special service. But no specific state was mentioned. Some speculated that it was the U.S., but [others] suggested a Chinese origin.
Turns out Russian researchers came to the same conclusion. Although this was left out of the public report last year, in this presentation on Chinese APTs Zalevskiy briefly mentions Mail-O, Webdav-O malware (20 min mark) used in those attacks
The 2nd example is from spring 2022: Solar discovered that Chinese actors were exploiting security flaws in ViPNet Client (VPN software from a Russian firm) and informed the vendor & NCIRCC
p.s.: In theory, Russia could probably invoke Article 4 of the 2009 Shanghai Cooperation Organization Agreement on Cooperation on International Information Security which states that parties shall not attack each other's information resources & shall assist to protect those
Malicious IIS extensions quietly open persistent backdoors into servers
Microsoft felt compelled to discuss this implant class in detail.
Attackers are increasingly leveraging Internet Information Services (IIS) extensions as covert backdoors into servers, which hide deep in target environments and provide a durable persistence mechanism for attackers. While prior research has been published on specific incidents and variants, little is generally known about how attackers leverage the IIS platform as a backdoor.
Buy, Sell, Steal, EvilNum Targets Cryptocurrency, Forex, Commodities
When DeFi gets attacked. Bryan Campbell, Pim Trouerbach, Selena Larson and team discuss a campaign first spotted in late 2021. The initial access tradecraft is basic and well understood, and not unique to this actor. If you have put mitigations in place against the initial access tradecraft of the likes of Russia and organised crime groups you are well placed.
TA4563 is a threat actor leveraging EvilNum malware to target European financial and investment entities, especially those with operations supporting foreign exchanges, cryptocurrency, and decentralized finance (DeFi).
EvilNum is a backdoor that can be used for data theft or to load additional payloads.
The malware includes multiple interesting components to evade detection and modify infection paths based on identified antivirus software.
The identified campaigns delivered an updated version of the EvilNum backdoor using a varied mix of ISO, Microsoft Word and Shortcut (LNK) files in late 2021 and early 2022, presumably as a method of testing the efficacy of the delivery methods. This malware can be used for reconnaissance, data theft, and to deploy additional payloads.
North Korea Special
Six bits of North Korean reporting this week… 💥
SharpTongue Deploys Clever Mail-Stealing Browser Extension “SHARPEXT”
Paul Rascagneres and Thomas Lancaster out a new implant capability from our friends in the Hermit Kingdom which works in the browser to exfiltrate mail.
SHARPEXT differs from previously documented extensions used by the "Kimsuky" actor, in that it does not try to steal usernames and passwords. Rather, the malware directly inspects and exfiltrates data from a victim's webmail account as they browse it. Since its discovery, the extension has evolved and is currently at version 3.0, based on the internal versioning system. It supports three web browsers and theft of mail from both Gmail and AOL webmail.
Distribution of AppleSeed to specific military base maintenance companies - North Korean activity
South Korean reporting on North Korean activity targeting their military supply chain. Initial access is via a Microsoft Excel malicious document.
[We] recently caught a circumstance of distributing AppleSeed malware to specific military base maintenance companies.
King of Phishing
Chinese reporting on North Korean activity using Hangul Office (regional Microsoft Office competitor) for initial access resulting in PowerShell payloads.
Analysis of Kimsuky's recent spear phishing attacks targeting South Korea with multiple topics
Word document (Kimsuky) provided as an external link when replying to an attacker's email
South Korean reporting on North Korean activity using Microsoft Office for initial access but only when interaction is confirmed.
It was confirmed that a malicious URL to download a word document was inserted and replied only when the user responded positively to the e-mail without directly attaching the word document to the e-mail.
STIFF#BIZON investigating a new attack campaign exploiting high-value targets, including Czech Republic, Poland, and other countries
D. Iuzvyk, T. Peck and O. Kolesnikov document a North Korean campaign targeting parts of Europe. Initial access tradecraft is malicious documents. Lots of useful detection TTPs in this reporting.
The new Konni-based malware was embedded into a phishing document as a compressed file attachment. Inside the archive are the files “missile.docx” “_weapons.doc.lnk”
Beware of hacking Thermits NFT reward impersonation behind North Korea for the purpose of earning foreign currency!
Korean reporting on North Korean activity to collect information from users.
Recently, North Korea-linked hacking attacks disguised as non-fungible token (NFT) compensation notices for SUMMITZ coin victims.
This attack was confirmed as part of the so-called KGH campaign linked to North Korea, including an attack on a domestic terrestrial broadcasting station in February.
Old wine in new bottle
Chinese reporting on Vietnamese activity showing they are evolving their tradecraft in an attempt to avoid detection.
The Trojan captured this time has the following three new features that were not found in the previous attack activity:
Open source loader NimPacket written in Nim language
The buggy process acquisition method of the original NimPacket is not used, and the process is acquired through the custom createprocess method, indicating that the organization's research on nimpacket is not simple to use
Shellycoat is added to the NimPacket loader by default, which is used for unhook security soft AV/NGAV/EDR/Sandboxes/DLP, etc., so as to avoid killing.
Stealthy OpenDocument Malware Deployed Against Latin American Hotels
Further reporting on a previously reported campaign.
[We] isolated an unusually stealthy malware campaign that used OpenDocument text (.odt) files to distribute malware. OpenDocument is an open, vendor-neutral file format compatible with several popular office productivity suites, including Microsoft Office, LibreOffice and Apache OpenOffice.
Amid Rising Magecart Attacks on Online Ordering Platforms, Recent Campaigns Infect 311 Restaurants
The restaurant sector continued to be targeted in skimming attacks.
Recently, we identified 2 separate ongoing Magecart campaigns that have injected e-skimmer scripts into the online ordering portals of restaurants using 3 separate platforms: MenuDrive, Harbortouch, and InTouchPOS. Across all 3 platforms, at least 311 restaurants have been infected with Magecart e-skimmers, a number that is likely to grow with additional analysis.
Atlas Intelligence Group (A.I.G)
Shmuel Gihon shows that the supply chain for talent is ever diversifying.
Over the past couple of months, a new group has emerged named the Atlas Intelligence Group (A.I.G), aka Atlantis Cyber-Army. What makes this group unique compared to all the other groups we’ve seen lately is its recruitment of cyber-mercenaries to do specific jobs.
Amadey Bot Being Distributed Through SmokeLoader
Incremental reporting on distribution strategies by organised crime.
The team has recently discovered that Amadey is being installed by SmokeLoader. SmokeLoader is a malware that has continuously been distributed during the last few years, taking up a high proportion in the recent ASEC statistics. It is recently distributed by having users download the malware, disguised as software cracks and serial generation programs, from websites used for distribution.
SmokeLoader provides various additional features related to info-stealing as plug-ins. It is normally used to install additional malware strains as a downloader. When SmokeLoader is run, it injects Main Bot into the currently running explorer process (explorer.exe). This means Bot that performs actual malicious behaviors operates inside the explorer process. The figure below shows AhnLab’s ASD log of SmokeLoader, which has been injected into explorer, downloading Amadey.
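The injected-explorer chain quoted above (explorer.exe fetching a payload, writing it to disk and launching it), as an added detection example that is not the page's or AhnLab's code: a small correlation rule in Python over Sysmon-style events. Event IDs, paths, PIDs and addresses are all constructed for the example.

```python
"""Added example (not from the page or from AhnLab): a correlation rule over
constructed Sysmon-style events for the chain the report describes, a downloader
injected into explorer.exe fetching a payload, writing it to disk and launching it.
Event fields, paths, PIDs and addresses are constructed for the example."""
from collections import defaultdict

WINDOW_SECONDS = 120       # how far back to look from the child process launch
EXPLORER = "explorer.exe"
PRIVATE_PREFIXES = ("10.", "192.168.", "127.")  # simplified: not a full RFC 1918 check

# Constructed events. Sysmon event IDs: 3 = network connection, 11 = file create, 1 = process create.
EVENTS = [
    {"id": 3, "t": 1000, "pid": 4120, "image": r"C:\Windows\explorer.exe", "dst": "192.168.1.20", "dport": 445},
    {"id": 3, "t": 1010, "pid": 4120, "image": r"C:\Windows\explorer.exe", "dst": "203.0.113.45", "dport": 80},
    {"id": 11, "t": 1012, "pid": 4120, "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\svc_update.exe"},
    {"id": 1, "t": 1013, "pid": 5008, "image": r"C:\Users\alice\AppData\Local\Temp\svc_update.exe",
     "ppid": 4120, "parent_image": r"C:\Windows\explorer.exe"},
    # Benign: the user launches an installer a browser downloaded earlier (explorer did not write it).
    {"id": 1, "t": 1800, "pid": 6002, "image": r"C:\Users\alice\Downloads\setup.exe",
     "ppid": 4120, "parent_image": r"C:\Windows\explorer.exe"},
]


def _is_explorer(path):
    return path.lower().rsplit("\\", 1)[-1] == EXPLORER


def _is_external(addr):
    return not addr.startswith(PRIVATE_PREFIXES)


def detect(events):
    """Alert when one explorer.exe process (1) connects to an external host, (2) then
    writes a file, and (3) then launches that same file, all within WINDOW_SECONDS."""
    history = defaultdict(list)   # explorer pid -> its network and file-create events, by time
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["id"] in (3, 11) and _is_explorer(ev["image"]):
            history[ev["pid"]].append(ev)

    alerts = []
    for ev in events:
        if ev["id"] != 1 or not _is_explorer(ev.get("parent_image", "")):
            continue
        recent = [h for h in history[ev["ppid"]] if ev["t"] - WINDOW_SECONDS <= h["t"] <= ev["t"]]
        wrote = [h for h in recent if h["id"] == 11 and h["target"].lower() == ev["image"].lower()]
        if not wrote:
            continue   # explorer launching a file it did not write: normal user activity
        fetched = [h for h in recent if h["id"] == 3 and h["t"] <= wrote[0]["t"] and _is_external(h["dst"])]
        if fetched:
            alerts.append({
                "rule": "explorer-download-write-execute",
                "explorer_pid": ev["ppid"],
                "remote": f'{fetched[0]["dst"]}:{fetched[0]["dport"]}',
                "dropped": ev["image"],
                "child_pid": ev["pid"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The private-address check is deliberately rough; in production, scope it with your own internal ranges and whitelist legitimate explorer.exe network activity (file shares, WebDAV) before relying on the rule.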
Bots for Stealing One-Time Passwords Simplify Fraud Schemes
Interesting use of automation
Over the past year, threat actors have increasingly developed, advertised, and used bots to automate the theft of OTPs, making it easier and cheaper for threat actors to bypass OTP protections at scale. Because OTP bypass bots require little technical expertise and minimal language skills to operate, OTP bypass bots also increase the number of threat actors capable of bypassing OTP protections. OTP bypass bots typically function by distributing voice calls or SMS messages to targets, requesting the targets to input an OTP, and, if successful, sending the inputted OTP back to the threat actor operating the bot.
Cryptominers & WebAssembly in Website Malware
A historic trend of compromising websites to use the browser to mine continues…
Luca Stealer Source Code Leaked on a Cybercrime Forum
From one of our dear readers we know the location is:
Someone has now been good enough to replicate to Github
On the FootSteps of Hive Ransomware
How we find and understand the latent compromises within our environments.
Maldoc: non-ASCII VBA Identifiers
Good tradecraft lesson for detection engineers..
How we proactively defend our environments.
Cloud Security Wiki
Resources for securing & assessing Azure, AWS, DevOps tooling & SaaS
IoN - Indicators of Normality
AWS Lambda announces support for a new IAM condition key, lambda:SourceFunctionArn
The security controls rabbit hole gets ever deeper.
AWS Lambda announces support for lambda:SourceFunctionArn. A new IAM condition key that can be used for IAM policy conditions that specify the ARN of the function from which a request is made. Starting today, when a function is invoked, Lambda will automatically add the new lambda:SourceFunctionArn condition key to the request context of all AWS API calls made by function code. You can use the Condition element in your IAM policy to compare the lambda:SourceFunctionArn condition key in the request context with values that you specify in your policy.
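How a policy keyed on lambda:SourceFunctionArn behaves, as an added example that is not the page's or AWS's own code: it models two policy patterns in Python, including what happens when the key is absent because the execution role's credentials are used outside Lambda. Only the subset of IAM evaluation needed here is modelled (StringEquals / StringNotEquals, Allow / Deny, explicit deny wins, '*' in Resource); the ARNs are constructed.

```python
"""Added example (not from the page or from AWS): a minimal model of IAM condition
evaluation for the lambda:SourceFunctionArn key. ARNs are constructed."""
import fnmatch

FUNCTION_ARN = "arn:aws:lambda:eu-west-1:123456789012:function:order-processor"  # constructed
OBJECT_ARN = "arn:aws:s3:::example-orders/2022/orders.csv"                        # constructed

# Pattern 1: grant s3:GetObject only when the call originates from the named function.
# Outside Lambda the key is absent, StringEquals cannot match, and nothing is allowed.
ALLOW_ONLY_FROM_FUNCTION = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-orders/*",
        "Condition": {"StringEquals": {"lambda:SourceFunctionArn": FUNCTION_ARN}},
    }],
}

# Pattern 2: allow broadly, then explicitly deny any call that does not carry the
# function's ARN. IAM treats a missing key as a match for a negated operator, so this
# also denies the role's credentials when they are used anywhere other than the function.
DENY_UNLESS_FROM_FUNCTION = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-orders/*"},
        {"Effect": "Deny", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-orders/*",
         "Condition": {"StringNotEquals": {"lambda:SourceFunctionArn": FUNCTION_ARN}}},
    ],
}


def _condition_holds(operator, key, expected, request_context):
    actual = request_context.get(key)
    if operator == "StringEquals":
        return actual is not None and actual == expected
    if operator == "StringNotEquals":
        return actual is None or actual != expected   # missing key matches a negated operator
    raise ValueError(f"operator {operator} not modelled in this example")


def evaluate(policy, action, resource, request_context):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for a single request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions or not fnmatch.fnmatchcase(resource, stmt["Resource"]):
            continue
        conditions = stmt.get("Condition", {})
        if not all(_condition_holds(op, key, value, request_context)
                   for op, pairs in conditions.items() for key, value in pairs.items()):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # an explicit deny wins over any allow
        decision = "Allow"
    return decision


def decisions(policy):
    """Evaluate one policy from three call sites: the named function, another function,
    and a caller outside Lambda (no lambda:SourceFunctionArn in the request context)."""
    contexts = {
        "named_function": {"lambda:SourceFunctionArn": FUNCTION_ARN},
        "other_function": {"lambda:SourceFunctionArn": FUNCTION_ARN.replace("order-processor", "reporting")},
        "outside_lambda": {},
    }
    return {name: evaluate(policy, "s3:GetObject", OBJECT_ARN, ctx) for name, ctx in contexts.items()}


if __name__ == "__main__":
    for name, policy in (("allow-only", ALLOW_ONLY_FROM_FUNCTION), ("deny-unless", DENY_UNLESS_FROM_FUNCTION)):
        print(name, decisions(policy))
```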
Useful release for testing and training.
Azure Red Team Attack and Detect Workshop - This is a vulnerable-by-design Azure lab, containing 2 x attack paths with common misconfigurations. If you would like to see what alerts your attack path vectors are causing, recommend signing up for a Microsoft E5 trial
The End of PPLdump
Patched on Windows 10, so protected process dumping using this technique is no longer possible.
Combined registration for SSPR and Azure AD Multi-Factor Authentication
Making security simpler
Before combined registration, users registered authentication methods for Azure AD Multi-Factor Authentication and self-service password reset (SSPR) separately. People were confused that similar methods were used for Multi-Factor Authentication and SSPR but they had to register for both features. Now, with combined registration, users can register once and get the benefits of both Multi-Factor Authentication and SSPR.
Rods and Cones, and EDR "blindness"
Good discussion piece.
I ran across an interesting post recently regarding blinding EDR on Windows systems, which describes four general techniques for avoiding EDR monitoring. Looking at the techniques, I've seen several of these techniques in use on actual, real world incidents.
The take-away here is that EDR by-passes or blind spots are something to be understood, not feared.
Attack capability, techniques and tradecraft.
Start your detection engineering engines..
RedGuard is a C2 front flow control tool to avoid Blue Teams, AVs and EDRs etc.
AlanFramework: A C2 post-exploitation framework now open source
Now open sourced, expect increased actor usage in 3..2..
Matthew continues to deliver the goods
Earlier this year, I released a proof-of-concept project called "EmbedExeLnk" - this tool would generate a Windows link (.lnk) file containing an embedded EXE payload. I have taken this concept further and created a tool that generates a Windows registry (.reg) file containing an EXE payload.
Our attack surface.
Filewave MDM Security Vulnerabilities
Mobile Device Management platform providing evidence that technical security debt is pervasive. 1,100 internet-exposed instances, exploitation in 3..2..
[We] uncovered and disclosed two critical vulnerabilities, CVE-2022-34907 and CVE-2022-34906, in FileWave’s mobile device management (MDM) system.
The vulnerabilities are remotely exploitable and enable an attacker to bypass authentication mechanisms and gain full control over the MDM platform and its managed devices.
CVE-2022-34907, an authentication bypass flaw, exists in FileWave MDM before version 14.6.3 and in 14.7.x prior to 14.7.2. This vulnerability is similar in nature to the vulnerability that was recently identified in F5 BIG-IP WAF.
CVE-2022-34906, a hard-coded cryptographic key, exists in FileWave MDM prior to version 14.6.3 and in 14.7.x prior to 14.7.2.
During our research, we found thousands of vulnerable internet-facing FileWave servers in numerous industries, including government agencies, education, and large enterprises.
FileWave has addressed these vulnerabilities in a recent update, and users are urged to apply the update. FileWave has also written a blog about its resolution of these vulnerabilities.
What is being exploited.
Vulnerability on PrestaShop Websites
SQL injection being actively exploited - 300,000 shops need to upgrade apparently.
While investigating this attack, we found a previously unknown vulnerability chain that we are fixing. At the moment, however, we cannot be sure that it’s the only way for them to perform the attack. To the best of our understanding, this issue seems to concern shops based on versions 188.8.131.52 or greater, subject to SQL injection vulnerabilities. Versions 184.108.40.206 and greater are not vulnerable unless they are running a module or custom code which itself includes an SQL injection vulnerability. Note that versions 2.0.0~2.1.0 of the Wishlist (blockwishlist) module are vulnerable.
Alibaba OSS Buckets Compromised to Distribute Malicious Shell Scripts via Steganography
Alfredo Oliveira and David Fiser identify a campaign where other customers’ OSS storage is being used to house payloads.
This time, we have identified a malicious campaign using the object storage service (OSS) of Alibaba Cloud (also known as Aliyun) for malware distribution and illicit cryptocurrency-mining activities. OSS is a service that allows Alibaba Cloud customers to store data like web application images and backup information in the cloud. Unfortunately, this is not the first time that we’ve seen malicious actors targeting Alibaba Cloud: Earlier this year, we detailed how malicious actors disabled features inside Alibaba Cloud for cryptojacking purposes.
Tooling and Techniques
Low level tooling for attack and defence researchers.
TLS-Anvil, a fully automated TLS testsuite for client and servers - a test suite for the evaluation of RFC compliance of Transport Layer Security (TLS) libraries using combinatorial testing (CT).
Reverse Engineering a Cobalt Strike Dropper With Binary Ninja
Nice training walkthrough on one of our applied problems.
I will explain how I reverse engineered a Cobalt Strike dropper and obtained its payload. The payload is a custom executable file format based on DLL. The dropper decrypts, loads, and executes the payload. Initially, I thought this must not be a PE executable at all, but I gradually realized it was. Much of the effort was spent on fixing the file so it could be loaded by Binary Ninja for further analysis.
Some other small bits and bobs which might be of interest.
A collection of annual, half-yearly, quarterly and monthly reporting on trends.
Attackers Move Quickly to Exploit High-Profile Zero Days: Insights From the 2022 Incident Response Report
Monthly Threat Actor Group Intelligence Report, June 2022 (Korea) - a regional perspective on the threat.
June 2022 review of virus activity on mobile devices - apps pose as image-editing tools, virtual keyboards, system optimizers, wallpaper changers, and more. However, their underlying functionality is to push intrusive ads, subscribe users to premium services, and steal victims' social media accounts
Cyber Resiliency Approaches and Controls to Mitigate Adversary Tactics, Techniques, and Procedures (TTPs) - Mapping Cyber Resiliency to the ATT&CK® Framework, Revision 2
Using Social Network Analysis for Cyber Threat Intelligence - no innovation here, but a useful document. The methodology leverages the discipline of social network analysis and the diamond model, a model used for intrusion analysis, to produce cyber threat intelligence.
Red Team Data Collection and Analysis for the Cyber Assessment Program - Over the past five years, IDA has helped the Department of Defense define standards for the content and form of an action map — a data product produced as part of mission assurance and cyber operations assessments for the Cyber Assessment Program. They introduce potentially useful action map analysis techniques with a focus on the potential for using automated techniques. Such techniques can streamline the more time-consuming and error-prone aspects of map creation and analysis and aid in research reproducibility.
Hackers, Hoodies, and Helmets: Technology and the changing face of Russian private military contractors - from the Atlantic Council
Rebuttal / analysis from Dave Aitel on the May 2022 policy piece titled ‘Goodbye Cyberwar: Ukraine as Reality Check’ - personally I deeply enjoy that Dave has chosen to weigh in on policy issues with his technical background.
Burned and Blinded: Escalation Risks of Intelligence Loss from Countercyber Operations in Crisis - Amazing title with a teasing abstract - The article explores the parallels to other strategic early warning and intelligence capabilities, surfacing distinctions based on the unique dynamics of cyberconflict to identify scenarios in which counter cyber operations successes may prove potentially destabilizing and lead to greater escalation risk - not an evidenced paper but instead a perspective one.
Untangling Accountability in Cyberspace - trying to drive governments to take account across technology, law and politics. What one would expect from a think tank.
That’s all folks.. until next week..