Bluepurple Pulse: week ending June 5th
It is always the holidays in cybertopia..
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading).
Operationally this week has primarily focused on the Microsoft Office feature also known as CVE-2022-30190 which was first known to be used in targeting of Belarus. This was just in time for memorial weekend in the USA. Then today (Friday) we had a remote vulnerability disclosed as being exploited in the wild in Confluence (CVE-2022-26134) just in time for the Jubilee weekend in the UK.
In the high-level this week:
In the world of press headlines we had some standouts this week:
Law enforcement is ‘failing to protect governments against ransomware’ - made by an ex UK government official, not sure that is how you win friends in law enforcment.
Military-made cyberweapons could soon become available on the dark web, Interpol warns - Jurgen Stock, the international police agency’s secretary general, said he’s concerned state-developed cyberweapons will become available on the darknet — in a “couple of years.” - I’ll let you decide if this is happening / has happened already and not on the ‘dark web’.
Israeli private detective used Indian hackers in job for Russian oligarchs, court filing says - we have covered this case already, only seems to be going in the wrong direction.
The Whitehouse Press Secretary (not mine) said ‘Offensive cyber abilities against Russia don't violate the US policy of avoiding a direct military conflict with Moscow’
FBI released an alert on Compromised US Academic Credentials Identified Across Various Public and Dark Web Forums - The FBI is informing academic partners of identified US college and university credentials advertised for sale on online criminal marketplaces and publically accessible forums
The United State Senate Committee on Homeland Security & Government affairs released a report on Use of Cryptocurrency in Ransomware Attacks, Available Data, and National Security Concerns - in doing so they flagged the lack of data on ransomware attacks and cryptocurrency payments - oh yes they did.
Takedown of SMS-based FluBot spyware infecting Android phones - big 👏 to Eurpol - a complex investigation involving law enforcement authorities of Australia, Belgium, Finland, Hungary, Ireland, Spain, Sweden, Switzerland, the Netherlands and the United States
China's draft cybersecurity rules pose risks for financial firms, lobby group warns - The draft rules seek to make it mandatory for investment banks, asset managers, and futures companies with operations in China to share data with CSRC, allow regulator-led testing, and help set up a centralised data backup centre - fascinating.
Cyber Arms Watch - An Analysis of Stated & Perceived Offensive Cyber Capabilities - by the Hague Center for Security Studies - it is like the league table of cyber where everyone wants to keep their capability hidden but yet somehow be at the top.
Amnesty Tech (part of Amnesty International) is offering their inaugural Digital Forensics Fellowship - its a sign of the times where this is both needed and a wonderful thing.
Australia appointed its first minister for cyber security in the guise of Clare 'O’Neil who is Minister for Home Affairs and Minister for Cyber Security - elevating cyber to the cabinet as its own portfolio.
Ukraine took part in meeting of the Steering Committee of the NATO Cooperative Cyber Defense Centre of Excellence (CCDCOE) for the first time.
NSO’s cash dilemma: miss debt repayment or sell to risky customers - Interesting article in the UK’s Financial Times - showing the real tussle behind the scenes and why offensive cyber might not be an investors dream when looking for unencumbered growth without political headaches. Doesn’t look like the company imploded, but it looks like continued turbalance.
A new book was published titled No Shortcuts: Why States Struggle to Develop a Military Cyber-Force - the power of Amazon has it on its way to me..
Reflection this week is around our now over four year campaign to reform the Computer Misuse Act (CMA) for England and Wales. This is our version of the US’s Computer Fraud and Abuse Act.
For those not from the UK it might surprise some of you that the UK’s computer crime law is over 30 years old. It was created in response to two individuals gaining access to the pre-Internet electronic mail of Prince Phillip (RIP) and a UK telco in the 1980s. Anyway no laws existed which covered the crime, so they created and passed a law in 1990. As a reminder this is pre mass Internet (I got Internet in circa 1993/94). Suffice to say a law for which there is no defence (i.e. intent does not need to be proven) that says to access a computer you need the owners authorisation - what does this even mean in the era of the Internet and cloud only deities know - is no longer fit for purpose.
We birthed a campaign called CyberUp and have been pushing with anyone who will listen for reform of this law to make it sensible in an era of the Internet, security research, threat intelligence, public & private partnership in cyber defence and globalisation. It really does cause paralysis and risk aversion by all due to lack of legal clarity i.e. no one wants to be the test case.
Anyway long narrative. Punchline is we are running survey to get views on what activities should be defensible under law when any reform happens. You can find it here - https://www.surveymonkey.co.uk/r/ZJNBS6C.
Enjoying this? don’t get via e-mail? subscribe:
Think someone else would benefit? Share:
Have a lovely Friday
Ollie
Cyber threat intelligence
Who is doing what to whom and how.
China exploiting CVE-2022-30190
The Microsoft Office vulnerability (further reporting below) was quick flipped by a Chinese state threat actor.
TA413 CN APT spotted ITW exploiting the Follina 0Day using URLs to deliver Zip Archives which contain Word Documents that use the technique. Campaigns impersonate the "Women Empowerments Desk" of the Central Tibetan Administration and use the domain tibet-gov.web[.]app
twitter.com/threatinsight/status/1531688214993555457
Hacker group "Ocean Lotus" combat weapon "Buni" latest exposure, targeting Linux platform
Chinese reporting on Vietnamese activity who have rekindled their Linux implant.
At first analysts thought Buni was the predecessor of the "Double-headed Dragon", a weapon no longer used by APT32, but recently it was discovered that this Linux backdoor is active again. The hard-coded C2 in the Buni backdoor utilizes some compromised IoT devices and controls a large number of hosts.
Operation DARKCASINO
Chinese reporting on this criminal threat actor (which we touched on last week) going after the gambling sector. However they are using .pifs, .scrs and .lnks (yes really) as their initial actor vectors..
Evilnum is an APT group discovered in 2018, active in the UK and EU countries, mainly targeting financial technology companies, with the purpose of stealing corporate or personal account funds by stealing transaction credentials.
The analysis found that the victims of Evilnum's operation were mainly distributed in European countries in the Mediterranean region and related countries such as Canada, Singapore, and the Philippines. Its direct attack targets included online casino platforms, consumers in various countries using such platforms, and online casinos. other persons involved in the above transactions.
Zero-Day Exploitation of Atlassian Confluence
Chinese state actors exploiting a zero day in Confluence (more reporting below).
[We have] reason to believe this exploit is currently in use by multiple threat actors and that the likely country of origin of these attackers is China.
https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/
SideWinder.AntiBot.Script
India going after Pakistan in this reporting from Nikita Rostovcev and Alexander Badaev. Still using LNK and exploits for vulnerabilities in RTF parsers from 2017.
[We] have discovered a new malicious infrastructure and a custom tool of the APT group SideWinder (aka Rattlesnake, Hardcore Nationalist, RAZOR TIGER, T-APT-04 and APT-C-17), a threat actor that is believed to be originating from India and primarily targeting Pakistan. The newly discovered custom tool, codenamed SideWinder.AntiBot.Script, is being used in the gang’s phishing attack against Pakistani targets.
https://blog.group-ib.com/sidewinder-antibot
Conti Targets Critical Firmware
Proof Conti does have skills (other than Erlang) and aren’t afraid to use them.
Notably, these leaked chats exposed a new front in the ongoing evolution of firmware-based attacks. In addition to classical attacks that target UEFI/BIOS directly, attackers are now targeting the Intel Management Engine (ME) or Intel Converged Security Management Engine (CSME).
Leaked conversations indicate that the Conti group had already developed proof-of-concept code for these methods nine months ago.
https://eclypsium.com/2022/06/02/conti-targets-critical-firmware/
Distribution of AppleSeed disguised as Internet router installation file
North Korea trying something different in their South Korean targeting.
[We] caught the situation where the AppleSeed malware was disguised as a router firmware installer on May 26th. AppleSeed, known so far, was mainly distributed by disguising normal document files or picture files. The dropper malware that creates AppleSeed uses a script format such as JS (Java Script) and VBS (Visual Basic Script), or even an executable file has a pif extension disguised as a document file
https://asec.ahnlab.com/ko/34883/
To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions
When you don’t have your own tooling you can blend in with the noise. This is what this threat actor is doing to evade sanctions.
Previously, we have observed UNC2165 deploy HADES ransomware. Based on the overlaps between UNC2165 and Evil Corp, we assess with high confidence that these actors have shifted away from using exclusive ransomware variants to LOCKBIT—a well-known ransomware as a service (RaaS)—in their operations, likely to hinder attribution efforts in order to evade sanctions.
https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions
XLoader Botnet: Find Me If You Can
Alexey Bukhteyev & Raman Ladutska show that a threat actor has employed techniques designed to drain defensive human resource capacity and thus reduce our overall efficacy by introducing lots of noise.
In this article, we describe the changes malware authors applied to XLoader to obscure the C&C infrastructure – more than anything we saw before. Now it is significantly harder to separate the wheat from the chaff and discover the real C&C servers among thousands of legitimate domains used by Xloader as a smokescreen. We explain how we got to the essence and identified the real C&C nodes in the evolving botnet.
https://research.checkpoint.com/2022/xloader-botnet-find-me-if-you-can/
SocGholish Campaigns and Initial Access Kit
Jason Reaves and Joshua Platt provide further insight into this threat actors capabilities.
Most public reporting on SocGholish revolves around the usage of fake software updates either through drive-by downloads or through links in email spam. However as we will demonstrate in this report they have the ability to do specific campaigns throughout the year. We will link a previously unattributed campaign to this threat group by using both our own private research and third-party public research. At the end, we will also demonstrate a way to pivot on the SocGholish NetSupport RAT configs which can lead to other revelations including the discovery of a publicly available zip file linking one of our discovered RAT configs to a SocGholish campaign.
https://medium.com/walmartglobaltech/socghh-campaigns-and-initial-access-kit-4c4283fea8ee
Iranian Threat Actor Continues to Develop Mass Exploitation Tools
They are using mostly old days at scale - which whilst a concern means organisations need to be better. The product pitches in this content are persistent just like the threat actor they describe.
We describe threat actor activity related to PHOSPHORUS, an Iranian APT actor active from at least 2020.
The threat actor is known to exploit Fortinet CVE-2018-13379, Exchange ProxyShell, and the log4j vulnerabilities.
Our analysis indicated that PHOSPHORUS continues in its automated scanning and exploitation process in order to widely gain access to multiple vulnerable organizations.
https://www.deepinstinct.com/blog/iranian-threat-actor-continues-to-develop-mass-exploitation-tools
Clipminer Botnet Makes Operators at Least $1.7 Million
Shows you don’t need to be smart to make a million dollars, just have persistence and gumption.
Clipminer is likely spread via Trojanized downloads of cracked or pirated software. The malware arrives on compromised computers as a self-extracting WinRAR archive that drops and executes a downloader in the form of a packed portable executable DLL file with CPL file extension (although it does not follow the CPL format). The dropped file connects to the Tor network to download Clipminer’s components.
The malware includes a total of 4,375 unique addresses of wallets controlled by the attacker. Out of these, 3,677 addresses are used for just three different formats of Bitcoin addresses. Investigating just Bitcoin and Ethereum wallet addresses, we found that they, at the time of writing, contained approximately 34.3 Bitcoin and 129.9 Ethereum. However, some funds had also been transferred to what appear to be cryptocurrency tumblers, also known as cryptocurrency mixing services. These services mix potentially identifiable funds with others, so as to obscure the trail back to the fund's original source. If we include the funds transferred out to these services, the malware operators have potentially made at least $1.7 million from clipboard hijacking alone.
Karakurt Data Extortion Group
US’s The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury (Treasury), and the Financial Crimes Enforcement Network (FinCEN) released a joint advisory on this threat actor. They appear to exploit old days and use intrusion (their language - ours is access) brokers.
Karakurt actors have employed a variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense and mitigation. Karakurt victims have not reported encryption of compromised machines or files; rather, Karakurt actors have claimed to steal data and threatened to auction it off or release it to the public unless they receive payment of the demanded ransom. Known ransom demands have ranged from $25,000 to $13,000,000 in Bitcoin, with payment deadlines typically set to expire within a week of first contact with the victim.
https://www.cisa.gov/uscert/ncas/alerts/aa22-152a
ChromeLoader: a pushy malvertiser
Aedan Russell shows there is an evolution in capability in the criminal underground. Then outlines possible, yet speculative, future risks.
ChromeLoader is a pervasive and persistent browser hijacker that modifies its victims’ browser settings and redirects user traffic to advertisement websites. This malware is introduced via an ISO file that baits users into executing it by posing as a cracked video game or pirated movie or TV show. It eventually manifests as a browser extension.
Like most suspicious browser extensions, ChromeLoader is a relatively benign threat that hijacks user search queries and redirects traffic to an advertising site. However, ChromeLoader uses PowerShell to inject itself into the browser and add a malicious extension to it, a technique we don’t see very often (and one that often goes undetected by other security tools).
https://redcanary.com/blog/chromeloader/
GoodWill ransomware forces victims to donate to the poor and provides financial assistance to patients in need
Life imitating art with this threat group who want to be modern day Robin Hoods. Is there such a thing as ideological ransomware ops? Is this a modern face of hacktivism?
The ransomware group propagates very unusual demands in exchange for the decryption key. The Robin Hood-like group claims to be interested in helping the less fortunate, rather than extorting victims for financial motivations.
The group’s multiple-paged ransom note suggests that victims perform three socially driven activities to be able to download the decryption key.
CloudSEK researchers have identified certain artefacts of the threat group that indicate direct attribution to India.
Rapidly evolving IoT malware EnemyBot now targeting Content Management System servers and Android devices
Ofer Caspi highlights that old days are being quick flipped by this criminal group. Sounds more terrifying than it is as I’m not sure doing what they are doing requires you to be well-resourced.
Services such as VMware Workspace ONE, Adobe ColdFusion, WordPress, PHP Scriptcase and more are being targeted as well as IoT and Android devices.
The threat group behind EnemyBot, Keksec, is well-resourced and has the ability to update and add new capabilities to its arsenal of malware on a daily basis (see below for more detail on Keksec)
Discovery
How we find and understand the latent compromises within our environments.
You Cannot Detect Techniques in the Execution Tactic! And What To Do Instead
Tareq Alkhatib gives his view and recommendations on on detecting this aspect of MITRE ATT&CK.
There is a difference between a rule detecting a technique vs detecting a lower tier on the pyramid of pain that might be related to a technique. As an attack medium, techniques in the Execution tactic are closer to Data Sources than other ATT&CK Techniques. This means that Execution techniques can only be detected directly by banning them, with the exception of whitelisted source
In summary, we need a method of distinguishing between rules that detect a technique and those that detect lower level tiers in the pyramid of pain but are still related to certain techniques. Execution techniques can only be detected if they are effectively banned except for a few whitelisted sources.
Using Python to unearth a goldmine of threat intelligence from leaked chat logs
Walk through on how to use this Python library from Microsoft’s MSTIC to extract further value from the Conti chat logs.
This blog provides a workflow for deeper data analysis and visualization using Python, as well as for extraction and analysis of indicators of compromise (IOCs) using MSTICPy. Data sets from the February 2022 leak of data from the ransomware-as-a-service (RaaS) coordinated operation called “Conti” is used as case study.
Defence
How we proactively defend our environments.
AWS Threat Detection with Stratus Red Team and SumoLogic
Soumyadeep Basu brings us a repository containing his documentation of his adventures with Stratus Red Team. It is a wonderful walk through for any team considering using it (and you should) to refine their own detection capabilities.
https://github.com/sbasu7241/AWS-Threat-Simulation-and-Detection
Blocking ISO mounting on Windows
Mubix "Rob" Fuller walks through how to achieve this in practice. You will be familiar with the number of threat actors using .iso files to bypass Mark of the Web based on previous reporting.
https://malicious.link/post/2022/blocking-iso-mounting/
How to Detect Apps and Services using LDAP instead of LDAPS
Sander Berkouwer helps us answer this question using techniques which don’t require Microsoft Defender for Identity.
But how do you get insights in what accounts on what hosts communicate using plain LDAP and not LDAPS using built-in tools?
Using Microsoft Defender for Identity, detecting apps and services using LDAP instead of LDAPS is simple, as there is a built-in detection. However the license requirements for Microsoft Defender for Identity may be considered too steep to answer just this one question.
https://dirteam.com/sander/2022/05/30/howto-detect-apps-and-services-using-ldap-instead-of-ldaps/
Auditd for the recently threatened
Presentation by Tim Brown on how to detect some recent Linux capabilities with auditd.
Discovering MISP Workflows
Presentation on how to automate in MISP..
Offense
Attack capability, techniques and tradecraft.
COM-hunter
A COM Hijacking persistence tool written in C# which is going to make the game of whack-a-mole even more challenging.
Finds out entry valid CLSIDs in the victim's machine.
Finds out valid CLSIDs via Task Scheduler in the victim's machine.
Finds out if someone already used any of those valid CLSIDs in order to do COM persistence (LocalServer32/InprocServer32).
Finds out if someone already used any of valid CLSID via Task Scheduler in order to do COM persistence (LocalServer32/InprocServer32).
Tries to do automatically COM Hijacking Persistence with general valid CLSIDs (LocalServer32/InprocServer32).
Tries to do automatically COM Hijacking Persistence via Task Scheduler.
Tries to use "TreatAs" key in order to refere to a different component.
https://github.com/nickvourd/COM-Hunter
A New Exploit Method for CVE-2021-3560 PolicyKit Linux Privilege Escalation
From China in English and Chinese show both how complex Linux’s security model has become and also how if you understand the OS and bug better than others you win.
CVE-2021-3560 is an underestimated vulnerability. I think it is because the vulnerability discover is not particularly familiar with the mechanisms of D-Bus and PolicyKit, so he missed the features of authentication agent and built a more restrictive PoC. I dare not say that I am proficient in D-Bus and PolicyKit, but in the recent vulnerability discovery and research, I have referred to amount of documents, historical vulnerability analysis, and read a lot of code before I realized that the use of authentication agent to possibility of exploit.
http://noahblog.360.cn/a-new-exploit-method-for-cve-2021-3560-policykit-linux-privilege-escalation/
UPnProxyChain: a Tool to Exploit Devices Vulnerable to UPnProxy
Valtteri Lehtinen provides a capability which we can expect various threat actors to use in order to masquerade their real infrastructure behind said vulnerable devices.
Flawed implementations of UPnP allow external attackers to use devices as proxies without any authentication. Such devices are vulnerable to UPnProxy. Various malicious actors have been using this vulnerability to commit crimes.
During penetration tests, I have multiple times encountered such devices on the public IP address space of the clients. No suitable tooling exists to exploit them, so I decided to create some.
The result is UPnProxyChain, which allows you to use vulnerable devices as SOCKS proxies.
https://shufflingbytes.com/posts/upnproxychain-a-tool-to-exploit-devices-vulnerable-to-upnproxy/
Finding Passwords With Deep Learning
A walk through on applied machine learning from Will Schroeder to discover password candidates in large datasets that a threat actor may have access to.
One of the routine tasks operators regularly encounter on most engagements is data mining. While exactly what operators are after varies from environment to environment, there is one common target that everyone’s always interested in: passwords.
https://posts.specterops.io/deeppass-finding-passwords-with-deep-learning-4d31c534cd00
https://github.com/GhostPack/DeepPass
Vulnerability
Our attack surface.
2nd RCE and XSS in Apache Struts 2.5.0 - 2.5.29
Chris McCown shows that bug surging works i.e. where there is blood in the water from one vulnerability there are likely others. We’ve seen these with numerous products / components over the years.
In early April 2021 I disclosed a 0day on Apache Struts 2.5.0-2.5.29 here after responsibly disclosing it and eventually getting permission from Apache Struts. However, I decided to keep digging and found a second, new RCE caused by double OGNL evaluation via a different vector which I'll be describing here.
https://mc0wn.blogspot.com/2022/05/2nd-rce-and-xss-in-apache-struts-before-2530.html
Elastic Stack 7.17.4 and 8.2.1 Security Update
The Java crypto vulnerability for a little back is the gift which keeps on giving.
A vulnerability (CVE-2022-21449) affecting the implementation of Elliptic Curve Digital Signing Algorithm (ECDSA) based signatures verification in Java JDK versions 15 and later was published on April 19, 2022. This vulnerability affects Oracle Java and OpenJDK, including other JDKs derived from OpenJDK.
https://discuss.elastic.co/t/elastic-stack-7-17-4-and-8-2-1-security-update/305530
Exploitation
What is being exploited.
CVE-2022-30190: Microsoft Office
Original disclosure:
Microsoft Sentinel Query for process detection:
DeviceProcessEvents
| where ProcessCommandLine contains "msdt.exe"
| where InitiatingProcessFileName has_any (@"WINWORD.EXE", @"EXCEL.EXE", @"OUTLOOK.EXE")
Microsoft Sentinel Query for network activity
DeviceNetworkEvents
| where InitiatingProcessFileName == "sdiagnhost.exe"
| where ActionType == "ConnectionSuccess" and RemoteUrl !endswith ".visualstudio.com" and RemoteUrl !endswith ".microsoft.com"
Mitigations:
Exploits:
Various reporting:
https://www.sentinelone.com/blog/staying-ahead-of-cve-2022-30190-follina/
https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
CVE-2022-29464 Exploited to Install Linux-Compatible Cobalt Strike Beacons, Other Malware
Old days being used to deploy crypto miners.
We observed vulnerability CVE-2022-29464 being exploited in the wild since April, allowing unrestricted file uploads resulting to arbitrary remote code execution (RCE). Disclosed and patched in April, the security gap was ranked Critical at 9.8 and affects a number of WSO2 products. It requires no user interaction and administrative privileges for abuse, and can be used to infiltrate networks when left unpatched.
npm security update: Attack campaign using stolen OAuth tokens
Post mortem from Github on the stolen OAuth tokens from Heroku and Travis CI which lead to the npm compromise. This is a just a compromise scenario from hell and worth a read. Slight silver lining is this:
Since the attacker had access to S3 resources that store npm package contents, we also investigated the integrity of these packages on the npm registry. Based on log and event analysis as well as package hash verification run on all versions of all packages, GitHub is currently confident that the actor did not modify any published packages in the registry or publish any new versions to existing packages.
The sad news was however
Approximately 100k npm usernames, password hashes, and email addresses from a 2015 archive of user information.
All private package manifests and metadata as of April 7, 2021.
Names and the semVer of published versions of all private packages as of April 10, 2022.
Private packages from two organizations.
https://github.blog/2022-05-26-npm-security-update-oauth-tokens/
Footnotes
Some other small bits and bobs which might be of interest.
Chinese threats in the Quantum era - paper outlining what might be.
US Army Cyber Defence Review, Spring 2022 - Fascinating perspective that US Army has on the world.
An Empirical Study on the Effectiveness of Static C Code Analyzers for Vulnerability Detection - conclusion - broadly useless, which I am sure any users can testify to when they’ve been drowned with false positives.
Retrofitting Temporal Memory Safety on C++ - Anton Bikineev, Michael Lippautz and Hannes Payer from the Chrome security team bring us an article which summarizes their journey of experimenting with quarantines and heap scanning in Chrome.
The Coming Storm: Insights from Ukraine about Escalation in Modern War - for the Center for Strategic & International Studies, the headline conclusions of which are:
There will be more crises like Ukraine that pull in great powers, spark escalation risks based on fear and uncertainty, and test the viability of integrated deterrence.
The longer a conflict such as Ukraine lasts, the less likely it will be confined to one state.
The national security community will need to develop tools and techniques for assessing competition, escalation tendencies, and risk attitudes among foreign leaders that combine old concepts from political psychology with new capabilities afforded by data science and natural language processing.
I.T. Specialist Charged in Cyber Intrusion of Suburban Chicago Health Care Company
Man Sentenced for Transnational Cybercrime Enterprise - 14th conviction related to the case.
Beautiful Basics - Series - Mubix "Rob" Fuller brings us 11 lessons learned over his career that contradict some of the edicts that are well known in the Cyber Security space.
That’s all folks.. until next week..