Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading).
Operationally this week nothing of note beyond the phishing campaign being launched under cyber security company brands.
In the high-level this week:
Taking the Elf Off the Shelf: Why the U.S. Should Consider a Civilian Cyber Defense - this feels a little like a cyber version of Finland’s whole of society approach. A good idea given the scale of the challenge.
Here's how North Korean operatives are trying to infiltrate US crypto firms - how is that insider threat programme shaping up?
Defense Firm Said U.S. Spies Backed Its Bid for Pegasus Spyware Maker - yet USG said no to the NSO takeover. Looks like a missed opportunity and the top of government not understanding the value.
CEO of Dozens of Companies and Entities Charged in Scheme to Traffic an Estimated $1 Billion in Fraudulent and Counterfeit Cisco Networking Equipment - how are those supply chains looking?
Infrastructure companies must report cyberattacks within 12 hours in Australia - now this is what regulation looks like. Hot on the heels of India..
A US history of not conducting cyber attacks - context is US military, title is a little off - but an interesting read.
The insurance industry and offensive cyber operations: Slow and steady wins the race? - from a UK focused academic working group - talks about how contract clause language may be contested.
Cyber as Statecraft, Not War - presents an interesting perspective/challenge, namely - The most persistent and enduring threats from the cyber domain are best addressed through investments in law enforcement, civil infrastructure, public-private resiliency, and international coalitions—less through military superiority - that will make the people who like hacking stuff sad.
Confronting Reality in Cyberspace Foreign Policy for a Fragmented Internet - some big calls in this report - for example “Artificial intelligence (AI) and other new technologies will increase strategic instability” based on “One outcome that appears likely is that both attackers and defenders will rely on a greater degree of automation, which could have an adverse effect on strategic stability”.
This week I shared some thoughts in a piece titled The Need for Observability around the Intrinsic Security Properties of Cloud not just what is in the Cloud. In it I outline the information asymmetry we have around vulnerabilities in a cloud first world, why we need to do something about it and what that might be.
I did an interview with the Atlantic Council’s Cyber Statecraft Initiative a little bit back. The videos of which are now being released. The first of which landed this week:
Other than that you should watch this talk by Director Cyber Security, NSA also known as the legend that is Mr Joyce:
Have a lovely Tuesday
Ollie
Cyber threat intelligence
Who is doing what to whom and how.
Notable Droppers Emerge in Recent Threat Campaigns
A nice summary of dropper techniques used in a variety of campaigns to secure initial access by Erin Lin.
In recent threat campaigns, all droppers mentioned in the previous section are very active and used by more than one malware family. Below is the malware payload of each captured dropper.
Malware Dropper: Payload
Excel file: Emotet and Qbot
LNK file: Emotet, Qbot, and Icedid
ISO file: Qbot, Icedid, and Bumblebee
https://www.fortinet.com/blog/threat-research/notable-droppers-emerge-in-recent-threat-campaigns
Raspberry Robin Worm Abuses Windows Installer and QNAP Devices
Criminal actors showing they are blending tradecraft between embedded NAS's and LNK files to gain initial access.
Raspberry Robin involves a worm that spreads over USB devices or shared folders, leveraging compromised QNAP (Network Attached Storage or NAS) devices as stagers. It uses an old but still effective method of using “LNK” shortcut files to lure its victims.
Raspberry Robin is a spreading threat, using specifically crafted Microsoft links (LNK files) to infect its victims. [We] observed delivery through file archives, removable devices (USB) or ISO files.
Raspberry Robin is a persistent threat. Once the malware infects a machine, it establishes persistence by running at every system startup.
[We] observed a majority of the victims being located in Europe.
Vice Society: a discreet but steady double extortion ransomware group
Reporting on a group using commodity ransomware.
Vice Society is a little-known double extortion group that joined the cybercrime ecosystem a year ago. Since then, it showed a steady activity, encrypting and exfiltrating its victim’s data and threatening their victims to leak their information to pressure them into paying a ransom. Unlike other RaaS (Ransomware-as-a-Service) double extortion groups, Vice Society focuses on getting into the victim system to deploy ransomware binaries sold on Dark web forums. This is likely a way for this group to save resources in developing its own ransomware.
https://blog.sekoia.io/vice-society-a-discreet-but-steady-double-extortion-ransomware-group/
From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud
Scale is the thing of note here and some MFA bypass tradecraft.
A large-scale phishing campaign that used adversary-in-the-middle (AiTM) phishing sites stole passwords, hijacked a user’s sign-in session, and skipped the authentication process even if the user had enabled multifactor authentication (MFA). The attackers then used the stolen credentials and session cookies to access affected users’ mailboxes and perform follow-on business email compromise (BEC) campaigns against other targets. Based on our threat data, the AiTM phishing campaign attempted to target more than 10,000 organizations since September 2021.
ABCsoup: The Malicious Adware Extension with 350 Variants
Nipun Gupta outs a criminal campaign to monetize adverts in the short term with option to further pinch data which can be sold on or used.
This family, codenamed ABCsoup, targets three popular browsers: Google Chrome, Opera, and Firefox. These Google Translate spoofing browser extensions are installed onto a victim’s machine via a Windows-based executable, bypassing most endpoint security solutions, along with the security controls found in the official extension stores.
The extension’s main logic confirms that this family is an Adware campaign along with some script injection functionality which can be further abused for other malicious actions such as phishing, stealing credentials/cookies, etc.
https://blog.zimperium.com/abc-soup-the-malicious-adware-extension-with-350-variants/
SELECT XMRig FROM SQLServer
Our friends at the DFIR report show the value of honeypots once more..
In March 2022, we observed an intrusion on a public-facing Microsoft SQL Server. The end goal of this intrusion was to deploy a coin miner. Although deploying a coin miner on a vulnerable server after successful exploitation is a common objective for threat actors, this intrusion was slightly different and therefore more interesting.
https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
Fake copyright complaints push IcedID malware using Yandex Forms
Lawrence Abrams outlines some tradecraft you have to admit is clever.
Website owners are being targeted with fake copyright infringement complaints that utilize Yandex Forms to distribute the IcedID banking malware.
For over a year, threat actors tracked as TA578 have been conducting these attacks where they use a website's contact page to send legal threats to convince recipients to download a report of the offending material.
HiveV5 keystream decryptor PoC
Brute-force recovery technique to decrypt.
The proposed code reads the nonce of each keystream encryption round, determines its fingerprint and generates a list of possible key dictionaries that contain the possible private key.
To solve the problem relating to the first byte of the fingerprint which is always different from the rest of the key, I thought of doing this:
we create a dictionary of possible leading bytes, taking the unique values of the first 0x110 bytes of the generated dictionary;
we create a list of 31 bytes by taking all the possible combinations starting from the second byte of the generated dictionary;
we create combinations of the first bytes and the remaining generated 31 bytes to create the possible 32 byte private key combinations from which to derive the public key by comparing it with the one in our possession present in the keystream.
When the two public keys coincide we would have found the private key with which the second (last) round of encryption was encrypted. By iterating the operations described so far again we will have the private key to decrypt the first round of encrypted keystream and finally extract the original cleartext key.
https://github.com/reecdeep/HiveV5_keystream_decryptor
Discovery
How we find and understand the latent compromises within our environments.
How to setup a honeypot with an IDS, ELK and TLS traffic inspection
Nils Hanke shares some good tradecraft here. Interestingly we used PolarProxy too in ours.
This guide illustrates how to set up a honeypot that, next to unencrypted network traffic, is also capable of decrypting TLS traffic with the help of PolarProxy. It is part of my master's thesis that uses a version of this setup to analyze attacks on specific HTTP(S) web-based applications.
https://github.com/Nirusu/how-to-setup-a-honeypot
Threat Hunting Queries from the French Government
Windows Event Collector (WEC) server query from ANSSI.
This WEC query is based on what Microsoft proposed in this article: https://docs.microsoft.com/en-us/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection
This file contains original Microsoft's annotations in English with no French translation
Annotations added by the ANSSI are in French and English
Some event selections have been disabled (commented) when they concern too specific products but they can be uncommented if necessary
Other event selections have been disabled (commented) when they have been considered not very interesting to collect
https://github.com/ANSSI-FR/guide-journalisation-microsoft/blob/main/Standard_WEC_query.xml
Threat hunting in Okta logs
David French contacted me on Twitter to share this originally. This is a really useful walkthrough of the tradecraft..
During the last year or so, I’ve been (on and off) really interested in attack and defense techniques related to Okta’s Single Sign-On (SSO) solution. Why? Because so many companies are putting their Identity & Access Management (IAM) in the cloud, not monitoring it, and if an attacker gets access to a user’s account, they have a “skeleton key” to access a ton of applications and data.
I revisited Okta logs recently to think about more security monitoring and threat detection use cases. The intention of this post is to share some threat hunting and security monitoring tips to help defensive practitioners protect their Okta environments from attack. Okta’s system log is well structured and contains a lot of detail about what’s going on in your environment, so it’s a great data source to go hunting in.
https://medium.com/threatpunter/okta-threat-hunting-tips-62dc0013d526
Detectree – data visualization for threat hunting
Defence
How we proactively defend our environments.
Microsoft Defender for Endpoint Internals 0x03
Olaf Hartong gives us the next instalment with lots of nuggets of wisdom, such as:
As mentioned before, a lot of the events have a local cap of 1 per 24 hours that get forwarded to the cloud, based on a set of distinct field values.
…
When running the exact same set of processes on multiple machines in several enterprise environments, not only the number of DLL load logs differ per machine (for the same process); also it differs per machine over time. So logs that show up today might look different tomorrow.
In short a highly recommended read.
Does "Autostart" Really Mean "Autostart"?
H. Carvey drops the wisdom.
Most DFIR and SOC analysts are familiar with the Run keys as autostart locations within the Windows Registry:
[HKLM|HKCU]\Software\Microsoft\Windows\CurrentVersion\Run
Values beneath these keys are automatically run asynchronously upon system start and user login, respectively. This is something we've known for a while, and we've dutifully incorporated these autostart locations into our "indicators of program execution" artifact category.
It turns out, that may not be the case.
http://windowsir.blogspot.com/2022/07/does-autostart-really-mean-autostart.html
OpenKAT
New vulnerability scanner from the Dutch Ministry of Health, wellbeing and sports.
OpenKAT aims to monitor, register and analyze the status of information systems. OpenKAT scans networks, analyzes vulnerabilities and creates accessible reports.
https://github.com/minvws/nl-kat-coordination
Offense
Attack capability, techniques and tradecraft.
Koh: The Token Stealer for Microsoft Windows
Will Schroeder provides a good explanation of this tradecraft, which all blue teams should confirm they are able to detect.
In this post I will introduce a toolkit called Koh that can indefinitely harvest and reuse tokens for accounts that connect to a machine you have administrative rights on. I’ll go over the motivation for this approach, the technical background of why it’s possible and what changed in 2016, and briefly show what Koh can do.
By getting back to our token abusing roots, we can generalize token theft to its logical next step and harvest access for anyone who connects. We sure as hell didn’t invent token abuse, and most of these pieces existed publicly in various states, however we feel like this approach is an elegant amalgamation of various parts.
https://posts.specterops.io/koh-the-token-stealer-41ca07a40ed6
A Diamond (Ticket) in the Ruff for Kerberos
Charlie Clark and Andrew Schwartz collaborate to educate us about Diamond tickets in a Kerberos context.
Both Golden attacks and Diamond Ticket attacks require access to the KRBTGT key. However, Diamond Ticket attacks almost certainly also require access to the AES256 key. Whereas Golden Ticket attacks take advantage of the ability to forge a ticket granting ticket (TGT) from scratch, Diamond Ticket attacks take advantage of the ability to decrypt and re-encrypt genuine TGTs requested from a domain controller (DC).
https://www.semperis.com/blog/a-diamond-ticket-in-the-ruff/
RDPHijack BOF
Chris Au is going to hell or heaven depending on your perspective. Again blue teams should be aware and ensure they can detect.
Cobalt Strike Beacon Object File (BOF) that uses WinStationConnect API to perform local/remote RDP session hijacking. With a valid access token / Kerberos ticket (e.g., golden ticket) of the session owner, you will be able to hijack the session remotely without dropping any beacon
https://github.com/netero1010/RDPHijack-BOF
Vulnerability
Our attack surface.
CVE-2022-26377: Apache HTTPd AJP Request Smuggling
Chinese research on a new HTTP smuggling attack against AJP.
This article introduces a new attack method and idea for AJP, which opens up the attack surface of using Apache HTTPd as a reverse proxy (proxy_ajp) for Tomcat AJP and the product-developed AJP reverse proxy, and can also try to extend horizontally to protocols such as FastCGI. (Of course, no other protocols have been dug).
http://noahblog.360.cn/apache-httpd-ajp-request-smuggling/
Exploitation
What is being exploited.
Just another UAC bypass using auto-elevated COM object
Filip Dragovic drops a technique which I suspect will be weaponized very quickly by organised crime if it hasn’t already.
Just another UAC bypass using auto-elevated COM object Virtual Factory for DiagCpl (12C21EA7-2EB8-4B55-9249-AC243DA8C666). This COM object can be used to create an instance of the DiagnosticProfile (D0B7E02C-E1A3-11DC-81FF-001185AE5E76) COM object, which exposes the SaveDirectoryAsCab method that can be used to move an arbitrary file into the system32 directory. This PoC copies a user-specified DLL to C:\Windows\System32\wow64log.dll and triggers the MicrosoftEdgeUpdate service by creating an instance of the Microsoft Edge Update Legacy On Demand COM object (A6B716CB-028B-404D-B72C-50E153DD68DA), which runs in SYSTEM context and will load wow64log.dll.
https://github.com/Wh04m1001/IDiagnosticProfileUAC
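For blue teams checking coverage of the chain described above, an added example (not part of the PoC or of this newsletter) that flags a write to, and a later load of, C:\Windows\System32\wow64log.dll. It assumes events exported as JSON lines with Sysmon field names (EventID 11 FileCreate, EventID 7 ImageLoad), in chronological order; the sample events and the MicrosoftEdgeUpdate.exe image name are constructed assumptions.

```python
import json
import ntpath

TARGET = r"c:\windows\system32\wow64log.dll"  # path written by the PoC (from the text)
LOADER = "microsoftedgeupdate.exe"            # assumed image name of the triggered service

# Constructed sample events; field names follow Sysmon EventID 11 (FileCreate)
# and EventID 7 (ImageLoad). Hosts, times and processes are made up.
SAMPLE_EVENTS = r"""
{"EventID": 11, "Computer": "WS01", "UtcTime": "2022-07-18 09:14:02", "Image": "C:\\Windows\\System32\\dllhost.exe", "TargetFilename": "C:\\Windows\\System32\\wow64log.dll"}
{"EventID": 7, "Computer": "WS01", "UtcTime": "2022-07-18 09:14:05", "Image": "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe", "ImageLoaded": "C:\\WINDOWS\\system32\\wow64log.dll"}
{"EventID": 11, "Computer": "WS02", "UtcTime": "2022-07-18 09:20:11", "Image": "C:\\Windows\\System32\\msiexec.exe", "TargetFilename": "C:\\Windows\\System32\\drivers\\etc\\hosts"}
{"EventID": 7, "Computer": "WS03", "UtcTime": "2022-07-18 10:01:44", "Image": "C:\\Windows\\SysWOW64\\notepad.exe", "ImageLoaded": "C:\\Windows\\System32\\..\\System32\\wow64log.dll"}
"""


def norm(path):
    """Case-fold and collapse '..' so path variants compare equal."""
    return ntpath.normpath(path or "").lower()


def detect(lines):
    """Return findings for writes to, and loads of, the target DLL path."""
    findings, written = [], set()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        host, eid = ev.get("Computer"), ev.get("EventID")
        if eid == 11 and norm(ev.get("TargetFilename")) == TARGET:
            written.add(host)
            findings.append({"host": host, "rule": "dll_written", "severity": "medium",
                             "process": ev.get("Image"), "time": ev.get("UtcTime")})
        elif eid == 7 and norm(ev.get("ImageLoaded")) == TARGET:
            by_updater = ntpath.basename(norm(ev.get("Image"))) == LOADER
            # A write followed by an updater load on the same host matches the
            # full chain from the description; anything else stays at medium.
            sev = "high" if by_updater and host in written else "medium"
            findings.append({"host": host, "rule": "dll_loaded", "severity": sev,
                             "process": ev.get("Image"), "time": ev.get("UtcTime")})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS.splitlines()):
        print(finding)
```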
Microsoft SCCM Account Password Decryption PoC
Does what it says on the tin for Windows environments where SCCM is present. Be careful to ensure they are protected.
Needs to be run on the SCCM server containing the "Microsoft Systems Management Server" CSP for it to work.
hxxps://gist.github.com/xpn/5f497d2725a041922c427c3aaa3b37d1
Tooling and Techniques
Low level tooling for attack and defence researchers.
Footnotes
Some other small bits and bobs which might be of interest.
Cybersecurity Action Team Threat Horizons Report #3 - from Google
All MITRE ATT&CKcon presentations in one place - for your viewing pleasure as videos and slides are included.
ENISA Threat Landscape Methodology - also an Introduction article
English to RegEx with Natural Language Processing - This website uses GPT-3 to generate regular expressions from plain English - the future is now.
Misinformation in malware analysis - interesting perspective on how malware analysis can be weaponized for misinformation
Leaked Slides Show How Chainalysis Flags Crypto Suspects for Cops - old from Sept 2021, including using a honeypot website to see who is interested in what wallets
Submission to the United Nations Working Group on Enforced or Involuntary Disappearances - In September 2014, a group of forty-three students were forcibly disappeared in Iguala, Mexico. The devices of a group of experts subsequently investigating this mass disappearance, including for possible governmental involvement, were targeted for infection with NSO Group’s Pegasus spyware.
Vulnerability Management in the real-world - slide deck from DLA Piper on the topic
That’s all folks.. until next week..