Bluepurple Pulse: week ending June 19th
Everything is awesome... Everything is cool when you're part of a team...
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading).
Operationally, nothing of particular note this week beyond an uptick in some criminal actor activity. Other threat actors continue business as usual, including leveraging various recently disclosed vulnerabilities.
In the high-level this week:
Former Nato chief calls for economic version of Article 5 defence pledge - the proposal is intended to counter commercial coercion by countries such as Russia and China. If economic activity is considered below-threshold / grey zone activity, it will be interesting to see what the cyber version of this might be.
US defence group L3Harris is allegedly in talks to buy NSO Group’s Pegasus spyware - wash those prior sins away..
NSO v. WhatsApp: Should the Solicitor General Recommend Allowing Foreign Corporations to Claim Immunity? - A week ago Monday, the Supreme Court called for the views of the Solicitor General in NSO Group Technologies Ltd. v. WhatsApp Inc. The Ninth Circuit held that NSO Group Technologies Ltd and Q Cyber Technologies Ltd (collectively, NSO) could not claim immunity from suit under federal common law for alleged violations of federal and state law because the Foreign Sovereign Immunities Act (FSIA) deals comprehensively with the immunity of corporations and occupies the field. - what happens when you use SaaS to run cyber operations against victims and then get litigated.
Russian Botnet Disrupted in International Cyber Operation - The U.S. Department of Justice, together with law enforcement partners in Germany, the Netherlands and the United Kingdom, have dismantled the infrastructure of a Russian botnet known as RSOCKS which hacked millions of computers and other electronic devices around the world - 💥by the 🇺🇸 🇩🇪 🇳🇱 and 🇬🇧
Router security report 2021 - During 2020 and 2021, more than 500 router vulnerabilities were found - are we only scratching the surface?
European Cyber Agora, driven by Microsoft, was held. Some might ask why vendors operate in this space; one reason is that offensive cyber at scale causes expenditure which might not otherwise exist. For this meeting they had four focuses:
Strengthen Multi-stakeholder Policy Input
Protect Fundamental Freedoms in Cyberspace
Improve Public-Private Cooperation
Advance EU Leadership in the world
It was announced U.S. Cyber Command will provide joint level advanced training across the various arms of the US. Also that the US Army’s active component growth in the force structure for Cyber Mission Force teams and Electronic Warfare companies and platoons will increase the authorized strength of the Cyber Corps from just over 3,000 [personnel] to just over 6,000 by 2030
Six cybersecurity challenges for Australia’s new government - analysis on some of the challenges the Aussie government faces - this is an interesting proposal - One big initiative the cybersecurity minister could champion is mutual recognition of security assessments like IRAP (Infosec Registered Assessors Program) across AUKUS countries, so that companies that pass security assessments here can instantly sell into US and UK markets.
Harvard Kennedy School has launched a new Cyber Policy podcast in the guise of Cyber.RAR
Rubicon Volume 2: New Forms of Warfare - published in French - a number of papers - including Are New and Emerging Technologies a Game Changer for Small Powers? - cyber implies yes it is…
I have started investing in UK cyber companies at the seed stage. One of which is Push Security (a UK / South African start-up) being run by the team that is Adam Bateman, Jacques Louw and Tyrone Erasmus. A slightly amusing story is that Tyrone and I managed to co-author a book together (along with two others) in 2014 and yet spoke for the first time about 7 years later - strange world, the Internet.
Anyway, they have just launched their SaaS Discovery feature which is a novel take on the problem of shadow IT discovery & security in a SaaS first world. The neat bit is they don’t just tell the poor security team what the problem is but then use ChatOps to nudge and guide the individual to resolve it. Their vision of this type of scaled solution is why I invested. Discovery and remediation of issues by co-opting everyone to be part of the solution is my thesis of what it is going to take in order to meet the cyber resilience challenge in reality.
Have a lovely Friday
Cyber threat intelligence
Who is doing what to whom and how.
Massive cyber attack on media organizations of Ukraine using the malicious program CrescentImp
Russia using the recently disclosed Microsoft Office / URL handler vulnerability against Ukraine.
Attackers continue to exploit vulnerability CVE-2022-30190 and are increasingly resorting to emails from compromised government emails.
In case of detection of signs of compromise on the provided indicators, please inform immediately.
And the activity is tracked by the identifier UAC-0113 (with a medium level of confidence associated with the group Sandworm).
GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool
New Chinese implant outed, with targeting of 'friends' such as Russia but also of Australia. The ICMP transport, while unreliable, provides exfiltration of last resort.
[We] recently identified a new, difficult-to-detect remote access trojan named PingPull being used by GALLIUM, an advanced persistent threat (APT) group.
GALLIUM (also known as Softcell), established its reputation by targeting telecommunications companies operating in Southeast Asia, Europe and Africa.
GALLIUM is likely a Chinese state-sponsored group.
Over the past year, this group has extended its targeting beyond telecommunication companies to also include financial institutions and government entities. During this period, we have identified several connections between GALLIUM infrastructure and targeted entities across Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia and Vietnam.
PingPull has the capability to leverage three protocols (ICMP, HTTP(S) and raw TCP) for command and control (C2). While the use of ICMP tunneling is not a new technique, PingPull uses ICMP to make it more difficult to detect its C2 communications, as few organizations implement inspection of ICMP traffic on their networks.
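The blind spot PingPull's ICMP channel relies on is that nobody looks at echo payloads. The following is an added example (not from the Unit 42 write-up, nor tied to PingPull's actual wire format) of the payload checks a defender can run over captured echo request/reply pairs: ordinary ping tools send a fixed filler pattern, a genuine reply echoes the request payload byte for byte, and neither carries hundreds of bytes. The traffic records and addresses are constructed placeholders.

```python
from collections import defaultdict

ECHO_REQUEST, ECHO_REPLY = 8, 0

# Payload the Windows ping utility sends: 32 bytes of repeating alphabet.
WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"


def linux_ping_payload(size=56):
    """Shape of an iputils (Linux) ping payload: a leading timestamp (16 bytes
    on 64-bit hosts, 8 on 32-bit; contents vary) followed by the filler bytes
    0x10, 0x11, 0x12, ... The zeroed timestamp here is a constructed stand-in."""
    return bytes(16) + bytes(range(0x10, 0x10 + size - 16))


def looks_like_standard_ping(payload):
    """True if the payload is the Windows pattern or the iputils filler after
    an 8- or 16-byte timestamp. Only the filler is compared, so the timestamp
    contents do not matter."""
    if payload == WINDOWS_PING:
        return True
    for ts_len in (8, 16):
        n = len(payload) - ts_len
        if 0 < n <= 240 and payload[ts_len:] == bytes(range(0x10, 0x10 + n)):
            return True
    return False


def analyse(records, size_limit=128):
    """Return {(requester, responder): sorted reasons} for echo exchanges that
    carry data rather than filler. Records are dicts with src, dst, type
    (ICMP type), id, seq and payload (bytes)."""
    reasons = defaultdict(set)
    requests = {}  # (requester, responder, id, seq) -> request payload
    for r in records:
        if r["type"] == ECHO_REQUEST:
            pair = (r["src"], r["dst"])
            requests[(r["src"], r["dst"], r["id"], r["seq"])] = r["payload"]
            if not looks_like_standard_ping(r["payload"]):
                reasons[pair].add("nonstandard_payload")
            if len(r["payload"]) > size_limit:
                reasons[pair].add("oversized_payload")
        elif r["type"] == ECHO_REPLY:
            # A genuine reply echoes the request payload byte for byte; a
            # tunnel endpoint answers with its own data (e.g. a command).
            key = (r["dst"], r["src"], r["id"], r["seq"])
            if key in requests and requests[key] != r["payload"]:
                reasons[(r["dst"], r["src"])].add("reply_payload_mismatch")
    return {pair: sorted(v) for pair, v in reasons.items()}


def sample_records():
    """Constructed traffic: one ordinary Linux ping exchange and one exchange
    whose payloads carry data (placeholder addresses, not real indicators)."""
    normal = linux_ping_payload()
    beacon = b"\x01" + b"HOST=ws01;USER=alice;" + bytes(200)  # 222 bytes
    command = b"\x02" + b"cmd:whoami"
    return [
        {"src": "10.0.0.5", "dst": "10.0.0.1", "type": ECHO_REQUEST,
         "id": 1, "seq": 1, "payload": normal},
        {"src": "10.0.0.1", "dst": "10.0.0.5", "type": ECHO_REPLY,
         "id": 1, "seq": 1, "payload": normal},
        {"src": "10.0.0.9", "dst": "203.0.113.7", "type": ECHO_REQUEST,
         "id": 7, "seq": 1, "payload": beacon},
        {"src": "203.0.113.7", "dst": "10.0.0.9", "type": ECHO_REPLY,
         "id": 7, "seq": 1, "payload": command},
    ]


if __name__ == "__main__":
    for pair, why in analyse(sample_records()).items():
        print("%s -> %s: %s" % (pair[0], pair[1], ", ".join(why)))
```

Feeding it real traffic means decoding ICMP from pcap or NetFlow-with-payload into the same record shape; the filler check is the part worth keeping even if the size threshold is tuned down.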
Malicious Korean documents including BAT scripts that are being actively distributed (North Korea/Defense/Broadcasting)
Korean reporting on Korean Microsoft Office equivalent known as Hangul being targeted by our friends in the hermit kingdom. Beyond that the tradecraft is 🥱
The malicious Hangul document operates by executing an OLE object (batch file) inserted into the Hangul document, and then injecting the shellcode into a normal process through PowerShell. At this time, the attacker mainly inserts a phrase that induces the user to click the body so that the OLE object (batch file) can be executed.
Iranian Spear-Phishing Operation Targets Former Israeli and US High-Ranking Officials
Iran doing proper long-game social engineering against targets in Israel. This approach has echoes of what North Korea does also.
[We] uncovered a recent Iranian-based spear-phishing operation aimed against former Israeli officials, high-ranking military personnel, research fellows in research institutions, think tanks, and against Israeli citizens. The attacks use a custom phishing infrastructure, as well as a wide array of fake email accounts to impersonate trusted parties. To establish deeper trust with new targets, the threat actors performed an account takeover of some victims' inboxes, and then hijacked existing email conversations to start attacks from an already existing email conversation between a target and a trusted party and continue that conversation in that guise.
Lyceum .NET DNS Backdoor
More Iranian activity, from a group who have shown they can take open source tooling, customise it and deploy it against regional targets.
[We] recently observed a new campaign where the Lyceum Group was utilizing a newly developed and customized .NET based malware targeting the Middle East by copying the underlying code from an open source tool.
The new malware is a .NET based DNS Backdoor which is a customized version of the open source tool “DIG.net”
The malware leverages a DNS attack technique called "DNS Hijacking" in which an attacker-controlled DNS server manipulates the response of DNS queries and resolves them as per their malicious requirements.
The malware employs the DNS protocol for command and control (C2) communication which increases stealth and keeps the malware communication probes under the radar to evade detection.
Comprises functionalities like Upload/Download Files and execution of system commands on the infected machine by abusing DNS records, including TXT records for incoming commands and A records for data exfiltration.
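The Lyceum channel described above (TXT lookups to pull commands, A lookups whose subdomains carry the outgoing data) leaves a recognisable shape in resolver logs. As an added example that is not from the Zscaler report and does not use the real domains, here is a heuristic pass over a resolver query log that scores each client per zone on TXT polling, label length and entropy, and the count of distinct subdomains; the log lines and domain names are constructed placeholders.

```python
import math
import re
from collections import defaultdict

# Constructed resolver log: timestamp, client, query type, query name.
# Domain names are placeholders, not real indicators.
SAMPLE_LOG = """\
2022-06-13T09:00:01 10.0.0.5 A www.example.com
2022-06-13T09:00:05 10.0.0.5 A mail.example.com
2022-06-13T09:00:09 10.0.0.5 TXT example.com
2022-06-13T09:00:10 10.0.0.7 TXT cmd.c2-placeholder.test
2022-06-13T09:00:11 10.0.0.7 A 9f3a7c1e5b2d8046e7a1c93f5d0b2e48.c2-placeholder.test
2022-06-13T09:00:12 10.0.0.7 A 4e1d0b9a6c3f5e27d8a1b4c0f9e3d5a7.c2-placeholder.test
2022-06-13T09:00:13 10.0.0.7 A 7b2e9c4d1a8f0e5b3d6c2a9f4e7b1d0c.c2-placeholder.test
2022-06-13T09:00:40 10.0.0.7 TXT cmd.c2-placeholder.test
2022-06-13T09:01:10 10.0.0.7 TXT cmd.c2-placeholder.test
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(A|AAAA|TXT|CNAME|MX|NS)\s+(\S+)$")


def shannon_entropy(s):
    """Bits per character of s (0.0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, qtype, qname = m.groups()
            records.append({"ts": ts, "client": client, "qtype": qtype,
                            "qname": qname.rstrip(".").lower()})
    return records


def zone_of(qname):
    """Registrable zone approximated as the last two labels (a simplification;
    production code should consult the public suffix list)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def analyse(records, txt_min=3, unique_min=4, label_len=24, entropy_min=3.5):
    """Return {client: sorted reasons} for clients whose queries to a single
    zone look like TXT command polling or subdomain-encoded exfiltration."""
    txt_count = defaultdict(int)    # (client, zone) -> TXT queries
    subdomains = defaultdict(set)   # (client, zone) -> distinct names
    reasons = defaultdict(set)
    for r in records:
        zone = zone_of(r["qname"])
        key = (r["client"], zone)
        subdomains[key].add(r["qname"])
        if r["qtype"] == "TXT":
            txt_count[key] += 1
        if r["qname"] != zone:  # bare-zone lookups carry no encoded data
            first = r["qname"].split(".")[0]
            if len(first) >= label_len:
                reasons[r["client"]].add("long_label")
            if shannon_entropy(first) >= entropy_min:
                reasons[r["client"]].add("high_entropy_label")
    for (client, _zone), n in txt_count.items():
        if n >= txt_min:
            reasons[client].add("txt_polling")
    for (client, _zone), names in subdomains.items():
        if len(names) >= unique_min:
            reasons[client].add("many_unique_subdomains")
    return {c: sorted(rs) for c, rs in reasons.items()}


if __name__ == "__main__":
    for client, why in analyse(parse_log(SAMPLE_LOG)).items():
        print(client, ", ".join(why))
```

The thresholds are starting points; SPF and DKIM checks generate legitimate TXT traffic, so the TXT count is only meaningful per client per zone rather than globally.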
SeaFlower 藏海花: A backdoor targeting iOS web3 wallets
Taha, aka "lordx64", details a suspected Chinese threat actor going after crypto. It will be interesting to see, with the various market crashes, whether this level of interest remains. Again this campaign shows that search engines (via Search Engine Optimisation (SEO) poisoning) are the distribution means.
SeaFlower is a cluster of activity that we identified earlier this year in March 2022. We believe SeaFlower is the most technically sophisticated threat targeting web3 users, right after the infamous Lazarus Group.
As of today, the main current objective of SeaFlower is to modify web3 wallets with backdoor code that ultimately exfiltrates the seed phrase.
For iOS, SeaFlower is using provisioning profiles. Once installed, the iOS apps are then sideloaded to the victim's phone and installed.
Android Spyware Deployed in Kazakhstan
An Italian NSO competitor has had its implants discovered in Kazakhstan, where they are being deployed by the government itself. Great work by Justin Albrecht and Paul Shunk.
[We] have uncovered enterprise-grade Android surveillanceware used by the government of Kazakhstan within its borders.
Based on our analysis, the spyware, which we named “Hermit,” is likely developed by Italian spyware vendor RCS Lab S.p.A and Tykelab Srl, a telecommunications solutions company we suspect to be operating as a front company.
Our analysis suggests that Hermit has not only been deployed to Kazakhstan, but that an entity of the national government is likely behind the campaign.
Analysis of Malware Android Software Spread by Sidewinder (APT-Q-39) Using Google Play
India playing with 🔥 by getting their Android implants hosted in the Google Play Store. It is almost like they want Google TAG to out all their operations, developers etc. in the public domain.
[We recently] captured a batch of suspected Android-side attack samples of the SideWinder organization during the daily hunting of high-value samples. According to the tracking analysis of Red Raindrop researchers, this attack has the following characteristics:
The sample is hosted on the Google Play Store, disguised as Secure VPN (VPN encrypted communication software), Supereme Allah, Z Cleaner (mobile phone cleaning software), Secure browser (browser software), and the number of installations exceeds 1K+.
Enhanced C2 address concealment, including hard coding in samples, encrypted storage in Google Play installation link parameters, and C2 delivery through the Firebase backend.
Hydra Android Malware Distributed Via Play Store
Criminal actors doing similar shenanigans with a banking trojan. Google TAG reporting coming in 3..2...
The downloaded app has the same functionality as recently encountered Hydra variants targeting Colombia. Hydra Android Banking Trojan was discovered in early 2019; since then, it has frequently changed its distribution campaign.
The malware currently pretends to be the Document Manager app and has gained over 10,000 downloads in a short period. According to the Play Store statistics, the app was updated on May 30, 2022, and released on June 3, 2022.
Beware of North Korean-linked hacking disguised as a presentation at the Unification Policy Forum to commemorate the June 15 North-South Joint Declaration
More Hangul documents being e-mailed around by North Korea and more 🥱 tradecraft.
This attack is disguised as content related to the Unification Policy Forum prepared to diagnose the new government's policy toward North Korea and seek peace between the two Koreas. Using a typical email phishing technique, the attacker configured the screen as if the document 'New Geopolitics of Northeast Asia and Korea's options.
Smilodon Credit Card Skimming Malware Shifts to WordPress
Ben Martin details the evolution of criminal activity in the WordPress ecosystem. According to the author this is a trend among these actors, which is interesting in itself. Warning: product placement is strong in the post.
This webshell also contains brute force functionality for use in dictionary attacks. Since this malware is already present in a compromised environment it’s likely that this very feature-rich webshell is used to try to spread further throughout the environment and possibly attack other websites.
Exposing HelloXD Ransomware and x4k
Daniel Bunce and Doel Santos out the pseudonyms of who they believe is potentially the developer: x4k, also known as L4ckyguy, unKn0wn, unk0w, _unkn0wn and x4kme. They'll make you famous!
HelloXD is a ransomware family performing double extortion attacks that surfaced in November 2021. During our research we observed multiple variants impacting Windows and Linux systems. Unlike other ransomware groups, this ransomware family doesn’t have an active leak site; instead it prefers to direct the impacted victim to negotiations through TOX chat and onion-based messenger instances.
Unit 42 performed an in-depth analysis of the ransomware samples, the obfuscation and execution from this ransomware family, which contains very similar core functionality to the leaked Babuk/Babyk source code.
It was also observed that one of the samples deployed MicroBackdoor, an open-source backdoor allowing an attacker to browse the file system, upload and download files, execute commands, and remove itself from the system. We believe this was likely done to monitor the progress of the ransomware and maintain an additional foothold in compromised systems.
Yours Truly, Signed AV Driver: Weaponizing an Antivirus Driver
From Feb 2022, but good for the public record that threat actors are bringing legitimate Windows kernel drivers from AV vendors in order to kill AV. There is some novelty in the tradecraft.
While the use of kernel drivers to target and kill AV and EDR solutions prior to encryption has been known and discussed for some time, the abuse of a signed and valid driver from an Antivirus vendor was surprisingly effective and ironic.
A self-contained PowerShell script, dropped alongside the Avast driver, that installs and loads the driver and executes a small number of functions to control the driver.
An executable that unpacks and loads in memory a small executable to control the driver. Within this blog, we refer to this executable as the controller. Additional tools are used to install and load the Avast driver in the infected system.
A batch script that installs a service to load the Avast kernel driver, then launches a PowerShell script to decode, load and execute the controller in memory.
Inside a Redline InfoStealer Campaign
Akshat Pradhan provides a monster of a report on this information stealer campaign going after wallets, FileZilla credentials, Steam and then various VPN providers (Nord, Open and Proto). In a world where you want truly anonymous VPN access, stealing that access is a logical next step.
Recently we identified a new Redline InfoStealer campaign that spreads via fake cracked software hosted on Discord’s content delivery network. The campaign was actively observed from the end of January to March 2022 and utilized commercial malware families. Redline has become one of the most widely used infostealers due to its wide range of capabilities and the thriving underground Malware-as-a-Service market.
There is overlap in this reporting with this from Romain Dumont:
PureCrypter is a fully-featured loader being sold since at least March 2021
The malware has been observed distributing a variety of remote access trojans and information stealers
The loader is a .NET executable obfuscated with SmartAssembly and makes use of compression, encryption and obfuscation to evade antivirus software products
PureCrypter features provide persistence, injection and defense mechanisms that are configurable in Google’s Protocol Buffer message format
Raccoon Stealer is Back with a New Version
More cracked software being used as a distribution mechanism for another information stealer campaign. Looks like the hyperinflation affecting us mere mortals is also causing criminals to up their prices.
Currently, it is distributed in the same way as V1, disguised as Cracked Software, but as it is updated to V2, continuous monitoring is required to see if there is any change in the distribution method in the future.
The pricing policy for the new version is as follows.
$275 for 1 month of use ($75 increase over V1)
$125 for 1 week of use ($50 increase over V1)
Panchan’s Mining Rig: New Golang Peer-to-Peer Botnet Says “Hi!”
The interesting thing here is the access obtained by Stiv Kupchik’s team to the administration panel. Also that the threat actor is Japanese, I can’t recall many Japanese criminal cyber threat actors previously.
[We] discovered Panchan, a new peer-to-peer botnet and SSH worm that emerged in March 2022 and has been actively breaching Linux servers since.
Panchan is written in Golang, and utilizes its built-in concurrency features to maximize spreadability and execute malware modules.
In addition to the “basic” SSH dictionary attack that is commonplace in most worms, this malware also harvests SSH keys to perform lateral movement.
[We] were able to gain access to the malware’s communication protocol and its administration panel, and use them to analyze the infection scope of the malware.
How we find and understand the latent compromises within our environments.
Mixed reviews in the subreddit on the performance, but interesting, and a way for them to build their own file store akin to VirusTotal.
YARAify is a project from abuse.ch that allows anyone to scan suspicious files such as malware samples or process dumps against a large repository of YARA rules.
Linux Threat Hunting: 'Syslogk' a kernel rootkit found under development in the wild
David Álvarez and Jan Neduchal document further Linux targeting with this rootkit. The magic packets approach to remote control is also of note.
Adore-Ng is a relatively old, open-source, well-known kernel rootkit for Linux, which initially targeted kernel 2.x but is currently updated to target kernel 3.x. It enables hiding processes, files, and even the kernel module, making it harder to detect. It also allows authenticated user-mode processes to interact with the rootkit to control it, allowing the attacker to hide many custom malicious artifacts by using a single rootkit.
In early 2022, we were analyzing a rootkit mostly based on Adore-Ng that we found in the wild, apparently under development. After obtaining the sample, we examined the .modinfo section and noticed it is compiled for a specific kernel version.
Instead of continuously running the payload, it is remotely started or stopped on demand by sending specially crafted network traffic packets.
These are known as magic packets because they have a special format and special powers. In this implementation, an attacker can trigger actions without having a listening port in the infected machine such that the commands are, in some way, 'magically' executed in the system.
How we proactively defend our environments.
SIEMCraft - Security detection monitoring using Minecraft
Bit of fun this week: if your SIEM ran in Minecraft, this would be the result.
Alert when a group is added to a sensitive Active Directory group
Gerson Levitz shows the power of the Microsoft eco system and automation when protecting legacy estates.
In this blog, we will take things further by:
Updating the advanced hunting query to focus on groups that are added to a sensitive group.
Validating that the query works as expected.
Creating a custom detection policy based on the advanced query.
Testing out the custom detection policy.
Incident report: Spotting an attacker in GCP
Girish Mukhi, Oscar De La Rosa and David Blanton provide a practical walkthrough of how to detect malicious activity within GCP.
ecapture: capture SSL/TLS text content without CA cert using eBPF
Using eBPF in this way is pretty neat.
SSL/TLS text context capture, support openssl\libressl\boringssl\gnutls\nspr(nss) libraries.
bash audit, capture bash command for Host Security Audit.
mysql query SQL audit, support mysqld 5.6\5.7\8.0, and MariaDB.
Attack capability, techniques and tradecraft.
BokuLoader: Cobalt Strike User-Defined Reflective Loader written in Assembly & C
Bobby Cooke has dropped the next version of this, which turns on all the advanced evasion features by default.
For advanced evasion capabilities - BokuLoader now uses its best evasion features out of the box, +ASM Caesar cipher string obfuscation, +bug fixes, and +code enhancements
Naroid provides Laz-y templates
Laz-y project compatible C# templates for shellcode injection.
Laz-y is for:
Automating payload generation for OSEP labs and exam. This tool generates x86 and x64 HTTPS staged meterpreter shellcodes, injects them in your CS templates, and generate binaries using mcs. It supports ROT encoding, and soon XOR encoding.
OUs and GPOs and WMI Filters, Oh My
A novel technique from Rasta Mouse that is missed by some automated tooling. Showing that if you know more, you still win.
You may be familiar with this representation, where a machine is a member of an OU and a GPO is linked to that OU. If you could therefore modify the GPO, you can push policies and configuration changes to the machine to compromise it.
There’s an aspect to GPOs that BloodHound is blind to – WMI Filters.
A WMI filter provides a further means of filtering the targets of a GPO, and is typically created in GPMC. This example query should make sense to anyone familiar with the WMI query language (it's very reminiscent of SQL). It will essentially only return computers whose name contains the string "WIN".
The Attackers Guide to Azure AD Conditional Access
Daniel Chronlund starts out with this bombshell:
In almost every tenant I see out there, there are holes in the Conditional Access design because the designers put too much focus on what use cases they want to allow, not what should be blocked. Conditional Access policies are often designed backwards, and that leaves the tenant vulnerable to attacks.
Of course, the best way of attacking Conditional Access is to never trigger it at all, to avoid it. There are some common weak spots in almost every organisation that can be abused.
Exclusion Group Abuse
Missing Block Policies
Access Control Abuse
ProcEnvInjection - Remote code injection by abusing process environment strings
Matthew returns from the wilderness to drop some further Windows techniques. I can hear EDR vendors sobbing already.
This method allows us to inject custom code into a remote process without using WriteProcessMemory - we will be using the lpEnvironment parameter in CreateProcess to copy our code into the target process. This technique can be used to load a DLL into a remote process, or simply execute a block of code. However, there are various issues that we will need to work around in order for this to work reliably.
Our attack surface.
Zimbra Email - Stealing Clear-Text Credentials via Memcache injection
Simon Scannell identifies another vulnerability which we can expect to be exploited in the wild in 3..2...
This blog post describes a new vulnerability that allows an unauthenticated attacker to steal cleartext credentials from a Zimbra instance without any user interaction. We will learn how Memcache Injection vulnerabilities work and how attackers can exploit them. Due to the severity of this issue and previous exploitation of Zimbra instances, we urge Zimbra users to upgrade their installations immediately.
Defused That SAN Flag!
An interesting post about Microsoft's recent security updates
A domain controller with May updates applied will check that SID attribute when a user or machine logs on with a mapped certificate. For now, the old certificates – without SID – are also still considered valid, but a warning is logged in the system event log. Next year in May, so-called Full Enforcement mode will be turned on, and logon certificates without SID will not be considered good enough. So, the big impact of these updates is: if you use certificates for logon of AD users or computers, renew all logon certificates before May 2023 (e.g. by using the 'Re-enroll all certificate holders' function of a certificate template).
Likely to be exploited in the wild at scale… never
Intel/AMD power management exploit that can leak cryptographic keys from remote servers.
Public Travis CI Logs (Still) Expose Users to Cyber Attacks
Cloud scale vulnerability here.
[We] found that tens of thousands of user tokens are exposed via the Travis CI API, which allows anyone to access historical clear-text logs. More than 770 million logs of free tier users are available, from which you can easily extract tokens, secrets, and other credentials associated with popular cloud service providers such as GitHub, AWS, and Docker Hub. Attackers can use this sensitive data to launch massive cyberattacks and to move laterally in the cloud.
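The mitigation on the producing side is to never let a token reach a log that may one day become public. As an added example (not Aqua's tooling, nor Travis CI's own log masking), here is a redaction pass over constructed build-log lines that recognises the GitHub and AWS token shapes named in the report plus secret-looking environment assignments; the Docker Hub pattern is an assumption on prefix and minimum length, and every token value below is constructed.

```python
import re

# Token shapes. GitHub PATs (ghp_ + 36 chars) and AWS access key IDs (AKIA +
# 16 chars) are documented formats; the Docker Hub pattern is an assumption on
# the prefix and a minimum length. Assignments are checked first so a token
# sitting inside NAME=value is counted once, under the assignment.
PATTERNS = [
    ("secret_assignment", re.compile(
        r"\b([A-Z0-9_]*(?:TOKEN|SECRET|PASSWORD|PASSWD|API_KEY)[A-Z0-9_]*)=(\S+)")),
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("docker_hub_pat", re.compile(r"\bdckr_pat_[A-Za-z0-9_-]{20,}")),
]

REDACTED = "***"

# Constructed log excerpt; AKIAIOSFODNN7EXAMPLE is the AWS documentation
# example key, the other values are made up for this example.
SAMPLE_LOG = """\
$ git clone https://ghp_AbCdEfGhIjKlMnOpQrStUvWxYz0123456789@github.com/org/repo.git
$ export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
$ export NPM_TOKEN=npm_constructedvalue123
$ docker login -u builder -p dckr_pat_constructed_value_0123456789abcdef
Build succeeded in 42s
"""


def scan_log(text):
    """Redact credential-looking values in a CI log and report what was found.
    Returns (redacted_text, findings) where findings is a list of
    (1-based line number, kind) in the order they were encountered."""
    findings = []
    out_lines = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            for _ in pattern.finditer(line):
                findings.append((lineno, kind))
            if kind == "secret_assignment":
                # keep the variable name, drop only the value
                line = pattern.sub(lambda m: m.group(1) + "=" + REDACTED, line)
            else:
                line = pattern.sub(REDACTED, line)
        out_lines.append(line)
    return "\n".join(out_lines), findings


if __name__ == "__main__":
    redacted, found = scan_log(SAMPLE_LOG)
    print(redacted)
    for lineno, kind in found:
        print("line %d: %s" % (lineno, kind))
```

Run as a filter in front of the log collector this catches the obvious shapes; it does not catch a token printed base64- or hex-encoded, which is why the report's advice to rotate anything that has ever appeared in a public log still stands.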
What is being exploited.
DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach
China exploiting zero-days in Sophos Firewalls - what a time to be alive. But it demonstrates they will find them and use them in anger in a multi-staged attack.
Earlier this year, Volexity detected a sophisticated attack against a customer that is heavily targeted by multiple Chinese advanced persistent threat (APT) groups. This particular attack leveraged a zero-day exploit to compromise the customer's firewall. Volexity observed the attacker implement an interesting webshell backdoor, create a secondary form of persistence, and ultimately launch attacks against the customer's staff. These attacks aimed to further breach cloud-hosted web servers hosting the organization's public-facing websites. This type of attack is rare and difficult to detect. This blog post serves to share what highly targeted organizations are up against and ways to defend against attacks of this nature.
Tooling and Techniques
Low level tooling for attack and defence researchers.
HyperDbg’s One Thousand and One Nights
Overview of the power of this approach by Saleh Monfared and Mohammad Sina Karvandi.
HyperDbg is an open-source, hypervisor-assisted debugger that can be used to debug both user-mode and kernel-mode applications. The closest similar product available to HyperDbg is WinDbg. HyperDbg provides unique abilities, enabled by exploitation of the latest features of modern processors, to assist you in your reversing journey.
The design principles employed in HyperDbg make for an OS-independent debugger with a unique architecture, offering exclusive, brand-new features.
SLSA: Securing the Software Supply Chain
A real-world lived experience of SLSA compliance.
This document details how SUSE, as a long-time champion and expert of software supply chain security, prepares for SLSA L4 compliance.
Some other small bits and bobs which might be of interest.
The Active Adversary Playbook 2022: Cyberattacker behaviors, tactics and tools seen on the frontline of incident response during 2021
The trend of cyber espionage aiming at Japan 2021 - Japanese reporting from two local teams on the threats they witnessed last year.
Minimum Viable Secure Product - initiative from the likes of Salesforce, Slack, Okta and Google.
SBOM in Action: finding vulnerabilities with a Software Bill of Materials - SBOM journey from Google
India legal journal covering cyber - including
Evaluating Physical-Layer BLE Location Tracking Attacks on Mobile Devices - We found that many popular mobile devices are essentially operating as tracking beacons for their users, transmitting hundreds of BLE beacons per second. We discovered that it is indeed feasible to get fingerprints of the transmitters of BLE devices, even though their signal modulation does not allow for discovering of these imperfections at decoding time. We developed a tool that automates recovering these features in transmitted packets
Patriotic Hackers in Cyberspace Operations: Independent or Sponsored Cyber Actors? - conclusions: they don’t know
DevSecCon24 - 2022 - videos for those that missed it.
That’s all folks.. until next week..