Bluepurple Pulse: week ending June 4th
Future science and technology skills of use are evident - how do we mobilize vocational learning and development at scale to address?
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week nothing overly of note but you will also see there is no abating in the number of threat actors who are taking a swing.
In the high-level this week:
Ciaran Martin argues that cyberspace is finally, if unevenly, getting safer - there are lessons for the latest panic over artificial intelligence (AI). The current apocalyptic warnings of the wholesale destruction of jobs, truth and even human life itself are eerily reminiscent of the peak “cybergeddon” period in the early part of this century.
GCHQ’s Jeremy Fleming: ‘Xi doesn’t want to see Putin humiliated’ - So far, GCHQ has not seen evidence of Chinese cyber assistance to Russia. “The risk is, as it is on more traditional munitions and military support, that the Chinese state in some of those areas decides that they want to support President Putin’s Russia,” says Fleming.
Canada to set up cyber security certification for defence contractors - Canada will work with the United States to draft a cyber security certification framework for defence contractors that will be identical for both countries as incidents of malicious hacking increase
US officials believe Chinese hackers may still have access to key US computer networks - “I think the difference here is how brazen it is in scope and scale,” Joyce told CNN.
Delaware Supreme Court Sides with SolarWinds in Shareholder Suit Related to 2020 Cyber Attack - The Delaware Supreme Court upheld the Chancery Court’s dismissal of the suit, holding that the Company and its executives were not liable for negligence or for the breach of their fiduciary duties - arguably why the US has pushed on the software liability aspect.
Fact Sheet: 2023 DoD Cyber Strategy - I’m going on a 10,000 mile campaign - see you tomorrow.
The Department will maximize its cyber capabilities in support of integrated deterrence, employing cyberspace operations in concert with other instruments of national power.
The Department will campaign in and through cyberspace below the level of armed conflict to reinforce deterrence and frustrate adversaries.
Finally, the Department recognizes that the United States’ global network of Allies and partners represents a foundational advantage in the cyber domain that must be protected and reinforced.
Cross-border cooperation vital for Asia's cyber defense - written by Google - Restricting data flows across borders may not be the most effective defense against cyberthreats. Such moves can make the internet less secure and our economies less innovative. They can also render some of the information flows and tools we have to detect, respond and recover from attacks less timely and effective. - clear self interest in this positioning.
Backwards from zero: How the U.S. public evaluates the use of zero-day vulnerabilities in cybersecurity - behind a paywall - Previous research has explored the ethics and implications of this dilemma, but no study has investigated public opinion regarding zero-day exploits. We present results from a survey experiment testing whether conditions identified as important in the literature influence respondents’ support for disclosing or stockpiling zero-day vulnerabilities. Our results show that respondents overwhelmingly support disclosure, a conclusion only weakly affected by the likelihood that an adversary will independently discover the vulnerability. Our findings suggest a gap between public preferences and current U.S. policy.
A sliding scale of secrecy: toward a better understanding of the role of publicity in offensive cyber operations - This paper offers a conceptual framework for understanding why attackers and defenders might choose publicity over secrecy, and analyzes the possible outcomes of choosing each. The framework is examined through a series of mutual cyberattacks and intrusions between Iran and Israel during 2020–2021 serving as an illustrative case study.
Pathways to Crypto-Asset Regulation: A Global Approach - from the World Economic Forum - This white paper sets out to understand and highlight the needs and challenges in developing a global approach to crypto-asset regulation. In doing so, it delves into the various regulatory approaches being adopted by different jurisdictions. The result of multistakeholder consultations with experts from the Digital Currency Governance Consortium, comprising experts from public authorities, regulators, policy-making bodies, industry and academia, the paper explores pathways to creating a responsible crypto-asset ecosystem globally.
We’ve been getting cyber wrong for years, new book claims - the book Cyber Persistence Theory: Redefining National Security in Cyberspace argues that the cyber domain functions differently than existing domains of war - The “winner” in the cyber domain is the side that shapes the strategic environment.
Key Shortcomings When Large Language Models Analyze Non-English Languages - various trip hazards outlined.
The New Rules for Business Travel to China - From burner phones to inquisitive border agents, the WSJ has consulted experts on the do’s and don’ts in an era of heightened tensions
Quad Cybersecurity Partnership: Joint Principles for Secure Software - The Quad Senior Cyber Group reaffirms our commitment to collectively improve software security by establishing minimum cybersecurity guidelines for governments to guide their development, procurement, and use of software.
Ondernemersloket Economische Veiligheid - The Economic Security Business Desk is the government's central point of contact for Dutch SMEs that are active in the international world of knowledge-intensive fields and key technologies - a serious approach from the Dutch government.
Disinformation / Information operations
The disinformation landscape in Belgium - interesting assessment around susceptibility and resilience.
Venezuelan deepfakes and propaganda - a podcast which provides a window into a rather dystopian set of practices and behaviours along with active campaigns
The Case for TikTok: Social Media Ownership has Little Impact in Security Breaches - “If officials are concerned with privacy, then there would need to be something that applies to all information technology companies,” he said. “Cybersecurity threats from other countries have not come from the websites or services they own, but instead from direct online attacks using shared infrastructure and software.” - this misses the point somewhat, it is a yes - but I suspect..
WPP partners with NVIDIA to build generative AI-enabled content engine for digital advertising - powerful dual use partnership here.
Commercial offensive cyber
Armenia spyware victims: Pegasus hacking in war - Anna Naghdalyan, a former Armenia Foreign Ministry Spokesperson and current NGO worker — was infected with Pegasus
Spying in Mexico Strikes a New Victim: the President’s Ally - While looking into abuses by the armed forces, the country’s top human rights official was targeted with Pegasus, the world’s most notorious spyware, The Times found.
Israel Police purchased new surveillance software without AG approval - Israel Police recently purchased new surveillance software from the Israeli cyber intelligence company Rayzone.
Swiss company sells spy software to Arab intelligence services - In The Cyber is involved in spying on cell phones and computers. It is supported by the Ticino University of Applied Sciences and Arts, as well as the federal government
Wyden Demands Answers About the International Trade Administration’s Promotion of Surveillance Technology to Foreign Markets and Governments - U.S. Senator Ron Wyden, D-Ore., called on the International Trade Administration (ITA) to answer questions about its promotion of dangerous surveillance technology in foreign markets, and explain what steps it is taking to prevent such technology sales from harming human rights.
Cyberweapon manufacturers plot to stay on the right side of US - According to four of those people, the US Drug Enforcement and Administration Agency is among the top customers for Paragon’s signature product nicknamed Graphite.
The brief reflection this week comes from reading Artificial Intelligence and the Future of Teaching and Learning and Follow the Money: How much does Britain cost? and how reactive we are to applied skills development at least here in the UK. We have an amazing opportunity (in the case of the first) which is not fully supported by an applied skills strategy (the second). Vocational aspects of learning and development (as South Korea shows us and I have discussed before) can and should likely form a critical part and be mobilized quickly across a spectrum of S&T areas to put the west in a strong position to fully capitalize.
On the interesting job/role front:
Have a lovely Thursday
Ollie
Cyber threat intelligence
Who is doing what to whom and how.
Russia
Cyberattack UAC-0006: Distribution of SmokeLoader using emails and "accounts" theme
Reporting on a broad campaign by someone likely in Russia - state aligned or not it isn’t cricket. The tradecraft is what we see every week.
legitimate compromised mailboxes are used to send e-mails, and SmokeLoader is delivered to computers in several ways, including:
EML -> ZIP -> HTML (JavaScript) -> ZIP -> JavaScript (Loader) -> EXE -> SmokeLoader
EML -> RAR -> VHDX -> JavaScript (loader) -> EXE -> SmokeLoader
EML -> RAR -> VHD -> JavaScript (loader) -> EXE -> SmokeLoader
For reference: as a result of the attack on 05/05/2023, the SmokeLoader malware successfully infected about 1,100 computers.
https://cert.gov.ua/article/4755642
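The delivery chains listed above can be triaged statically at the mail gateway. The following is an added example, not code from CERT-UA or from this newsletter: it walks an EML's attachments, classifies each layer by magic bytes and reports the container chain; the function names, size limits and sample messages are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

MAX_DEPTH = 4                    # stop on deeply nested archives
MAX_MEMBER = 20 * 1024 * 1024    # skip oversized members (zip-bomb guard)
OPAQUE = {"RAR", "VHD", "VHDX"}  # containers the standard library cannot unpack
ACTIVE = {"HTML(JavaScript)", "SCRIPT", "EXE"}


def sniff(name, data):
    """Classify a blob by magic bytes first, file extension second."""
    lower = name.lower()
    if data[:4] == b"PK\x03\x04":
        return "ZIP"
    if data[:6] == b"Rar!\x1a\x07":
        return "RAR"
    if data[:8] == b"vhdxfile":
        return "VHDX"
    # VHD keeps its "conectix" cookie in a 512-byte footer; dynamic disks
    # also carry a copy at offset 0.
    if data[:8] == b"conectix" or data[-512:-504] == b"conectix":
        return "VHD"
    if data[:2] == b"MZ":
        return "EXE"
    if lower.endswith((".html", ".htm")):
        return "HTML(JavaScript)" if b"<script" in data.lower() else "HTML"
    if lower.endswith((".js", ".jse", ".vbs", ".wsf")):
        return "SCRIPT"
    return "OTHER"


def walk(name, data, chain, out, depth=0):
    """Append one type chain per leaf file reachable from this blob."""
    chain = chain + [sniff(name, data)]
    if chain[-1] == "ZIP" and depth < MAX_DEPTH:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = [i for i in zf.infolist()
                           if not i.is_dir() and i.file_size <= MAX_MEMBER]
                for info in members:
                    walk(info.filename, zf.read(info), chain, out, depth + 1)
            if members:
                return
        except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
            # RuntimeError is raised for password-protected members.
            chain = chain + ["UNREADABLE"]
    out.append(chain)


def chains_for_eml(raw):
    """Return every attachment chain found in a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    out = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        walk(part.get_filename() or "", payload, ["EML"], out)
    return out


def verdict(chain):
    """Return a reason string for chains resembling the reported flows."""
    containers = [k for k in chain if k == "ZIP" or k in OPAQUE]
    if chain[-1] in OPAQUE:
        return "opaque container (%s): unpack in a sandbox" % chain[-1]
    if chain[-1] == "UNREADABLE":
        return "archive could not be read (encrypted or corrupt)"
    if containers and chain[-1] in ACTIVE:
        return "active content (%s) inside %s" % (chain[-1], containers[-1])
    return None


def zip_bytes(members):
    """Build an in-memory ZIP from {name: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample(att_name, att_bytes):
    """Constructed test message; not taken from the CERT-UA report."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "accounts@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(att_bytes, maintype="application",
                       subtype="octet-stream", filename=att_name)
    return msg.as_bytes()


if __name__ == "__main__":
    inert_html = b"<html><script>/* inert placeholder */</script></html>"
    for raw in (build_sample("act.zip", zip_bytes({"act.html": inert_html})),
                build_sample("act.rar", b"Rar!\x1a\x07\x00" + b"\x00" * 16),
                build_sample("notes.zip", zip_bytes({"notes.txt": b"hello"}))):
        for chain in chains_for_eml(raw):
            print(" -> ".join(chain), "|", verdict(chain))
```

RAR, VHD and VHDX layers are reported but not opened, so a chain ending in one of them is a prompt for sandbox unpacking rather than a final answer.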
Void Rabisu’s Use of RomCom Backdoor Shows a Growing Shift in Threat Actors’ Goals
Feike Hacquebord, Stephen Hilt, Fernando Merces and Lord Alfred Remorin discuss a criminal actor in Russia who appears to have pivoted to supporting state activity. The mobilization of a nation’s cyber capacity outside of the state apparatus should likely be a consideration for the future.
Void Rabisu, a malicious actor believed to be associated with the RomCom backdoor, was thought to be driven by financial gain because of its ransomware attacks. But in this blog entry, we discuss how the use of the RomCom backdoor in recent attacks shows how Void Rabisu's motives seem to have changed since at least October 2022.
Trend Micro’s telemetry and research corroborates that the RomCom backdoor has been used in geopolitically motivated attacks since at least October 2022, with targets that included organizations in Ukraine’s energy and water utility sectors. Targets outside of Ukraine were observed as well, such as a provincial local government that provides help to Ukrainian refugees, a parliament member of a European country, a European defense company, and various IT service providers in Europe and the US.
North Korea
Reverse Engineering RokRAT: A Closer Look at APT37's Onedrive-Based Attack Vector
A technical summary of this implant used by North Korea which we have previously covered. Not much which is super insightful other than the list of cloud vendors used for exfiltration.
To communicate with the server, multiple cloud providers are being used. Additionally, the localhost address is left for testing purposes.
Localhost
Yandex Cloud
PCloud
Dropbox
China
SharpPanda APT Campaign Expands its Arsenal Targeting G20 Nations
Nothing novel in this tradecraft but rather punchy by China to go after this group in this manner. Shows a broadening of the remit of the actor outside of their usual target set also.
The infection process initiates through a spam email comprising an attached MS Office document named “[FINAL] Hiroshima Action Statement for Resilient Global Food Security_trackchanged.docx.” These emails, with the subject line “[Sending Finalized Text] G7+Partners FASS Meeting,” are distributed to multiple employees within government entities across G20 countries, as shown in the figure below.
The emails contain weaponized versions of seemingly genuine official documents, which employ the remote template injection method to retrieve the next stage of the malware from the TA’s Command-and-Control (C&C) server.
Iran
Operation Red Deer
Igal Lytzki details an interesting campaign by this unattributed threat actor who has previously been seen selling or loaning malware to lower-level Nigerian actors. In this campaign they have had a regional focus using very run of the mill tradecraft.
Operation Red Deer has successfully unveiled a sustained and clandestine operation perpetuated by the Aggah threat group. This wide-reaching operation targeted numerous organizations from diverse industries, all united by their geographical location – Israel.
The phishing email has an attached .zip archive containing the .html file
The smuggle delivers again an .iso image instead of a .zip archive
In previous incidents the fetched masqueraded powershell script was executing a .vbs script for the AsyncRAT execution, but in this campaign it executes a powershell script (etoqvpm.ps1)
https://perception-point.io/blog/operation-red-deer/
Subgroup of the Blind Eagle? Analysis of recent attack activities from the Hagga organization
Chinese reporting related to the above which shows a degree of overlap which could be because of a variety of reasons. Blind Eagle is suspected of being Colombian and this specifically deals with a typical attack flow which results in commercial RATs.
After analyzing the new payload, we found that it is still a common C# injector used by the Blind Eagle group. However, on the same day, we saw a new phishing email related to this IP. According to the content, it was suspected to be a harpoon attack on a Chinese company. However, whether it is the content of the email or the fit of the content of the bait attachment, it looks quite rough, so that it is more like an ordinary hacker group than a professional APT organization.
Although there is no strong evidence to prove the relationship between the Hagga organization and the Blind Eagle organization, we guess that the Hagga organization and the Blind Eagle organization may be complementary. One mainly attacks Colombia, and the other builds a botnet to attack some global organizations.
GobRAT malware written in Go language targeting Linux routers
Reporting from Japan on what looks like human operated router compromises. The actor's ultimate intent is unclear but it does once again highlight the targeting of embedded systems outside of the Mirai use case.
JPCERT/CC has confirmed attacks that infected routers in Japan with malware around February 2023.
Initially, the attacker targets a router whose WEBUI is open to the public, executes scripts possibly by using vulnerabilities, and finally infects the GobRAT.
https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
PatchWork Organization New Attack Weapon Report - EyeShell Weapon Disclosure
Chinese reporting on an Indian threat actor and their new implant. Detection will come from instances of cmd being parented to processes you don’t expect in your estate.
In the past 2 years, [we] repeatedly discovered in advance & immediately that the organization has launched attacks against key domestic universities, research institutes, scientific research institutes and other related research organizations, and has successfully warned many times.
Recently, during the continuous tracking of PatchWork, [we] found a streamlined backdoor developed by .NET in its arsenal. The target framework is .NET Framework 4. BADNEWS appeared together, so we have reason to guess that the backdoor is used together with BADNEWS. The namespace used by the backdoor is Eye. In order to facilitate follow-up tracking and identification, we call this backdoor EyeShell according to the namespace.
The main content of interactive initialization is to create a cmd.exe process and create an OutputData Received event, redirect the standard output stream through the OutputHandler event delegation, and write the TCPStream to the interface, so as to redirect the standard output stream to the server.
Microsoft Encrypted Restricted Permission Messages Deliver Phishing
Phil Hay and Rodel Mendrez detail how security functionality is being misused by threat actors in order to evade detection. Clever really, if not deeply frustrating similarly.
Over the past few days, we have seen phishing attacks that use a combination of compromised Microsoft 365 accounts and .rpmsg encrypted emails to deliver the phishing message. At this stage, we are exploring and uncovering different aspects of this campaign and will share here some of our observations to date.
It starts with an email that originated from a compromised Microsoft 365 account, in this case from Talus Pay, a payments processing company. The recipients were users in the billing department of the recipient company. The message shows a Microsoft encrypted message. In the email, the From: and To: email address displayed in the header were the same, but the message was delivered to various third party recipients
Cloud-Based Malware Delivery: The Evolution of GuLoader
Alexey Bukhteyev and Arie Olshtein detail how this organized criminal threat actor has evolved their tradecraft in order to avoid detection effectively.
GuLoader is a prominent shellcode-based downloader that has been used in a large number of attacks to deliver a wide range of the “most wanted” malware.
GuLoader has been active for more than three years and is still undergoing further development. The latest version integrates new anti-analysis techniques, which results in it being significantly challenging to analyze. New GuLoader samples receive zero detections on VirusTotal, ensuring its malicious payloads also remain undetected.
GuLoader’s payload is fully encrypted, including PE headers. This allows threat actors to store payloads using well-known public cloud services, bypass antivirus protections, and keep payloads available for download for a long period of time.
Earlier versions of GuLoader were implemented as VB6 applications containing encrypted shellcode. Currently, the most common versions are based on the VBScript and the NSIS installer. The VBScript variant stores the shellcode on a remote server.
https://research.checkpoint.com/2023/cloud-based-malware-delivery-the-evolution-of-guloader/
Bitter Organization New Attack Weapon Analysis Report-ORPCBackdoor Weapon Analysis
Chinese reporting on what is suspected of being an Indian threat actor. The scale of their campaigns is likely of note. This reporting specifically deals with a Microsoft Outlook specific implant which has a whiff of learning from other threat actors' TTPs.
Last year, we captured 200+ phishing attacks related to this organization, and captured 60+ counterfeit induced documents. According to the capture situation last year, the organization's attacks continued to be similar to the previous normalized hotspot attacks. The Bitter organization mainly focuses on aerospace, military industry, large enterprises, national government affairs, and some universities.
According to the existing information, the newly discovered backdoor is very likely to target the Outlook user group. In order to facilitate follow-up tracking and identification, we named it ORPC Backdoor based on this feature.
Analysis of Attack Cases: From Korean VPN Installations to MeshAgent Infections
We’ve covered this threat before and this is an update - that is legitimate (?) VPN software which also comes with a free value added implant.
However, there have been recent cases indicating the resurgence of malware distributing SparkRAT through the installer of the same VPN company. The malware distribution had ceased for a certain period, but the similar attack flow and the use of SparkRAT during the attack process suggest the involvement of the same threat actor.
This post will cover the recent attack cases, highlighting the differences between the recent and past incidents. Differences include a dropper developed with GoLang being used instead of a packer developed with .NET, and how the MeshAgent of MeshCentral was installed for additional remote desktop features.
https://asec.ahnlab.com/en/53267/
Detailed Analysis of CloudDon, Cloud Data Breach of Korea e-commerce company
A detailed end-to-end walkthrough, working back from the advert offering access to the root cause: a collection of security missteps in the cloud.
Around January 2023, a donjuji user on the Breached forum uploaded a post selling member information of company A, an online shopping mall, and analyzed the infringement accident of the victim company to determine the exact details of the leak.
S2W Talon named the operation name “CloudDon” in that it is an attack on the cloud infrastructure of the attacker 'Donjuji'
As a result of the analysis, it was identified that the environment variable page of company A's development server was exposed to the outside, and cloud authentication information such as AWS IAM credentials was exposed.
DeltaBoys : Black Hats On The Rise
This reporting shows the aggression with which new players can enter the scene. Reminiscent of new cyber security services start-ups staffed by experienced and/or talented hands. Will be interesting to see how this plays out in the mid-term given the enabling aspect of their business model.
[We have] identified a new threat actor group on the rise with the moniker; DeltaBoys. We have assessed this unknown threat actor to be both financially and geopolitically motivated: they have targeted Israeli infrastructure for ideological purposes but will also indiscriminately attack other infrastructure for financial exploitation. Furthermore, they provide private hacker training sessions, which include access to zero-days, and a web-application vulnerability scanner license for the buyer. The rate at which they are defacing websites is accelerating rapidly, which shows that DeltaBoys are increasing their capacity, sophistication, and capability, and as such we highly recommend that organizations in Israel – particularly those in critical infrastructure sectors – implement enhanced security measures, including regular assessments, patch management, employee awareness training, and multi-factor authentication.
https://www.cyfirma.com/outofband/deltaboys-black-hats-on-the-rise/
Dark Pink. Episode 2
The point of note in this reporting is the expansion of targeting by this threat actor to Europe and Belgium specifically. This group has not been attributed in open source.
In early January, [we] published a detailed report which described the techniques and tools used by a new APT (Advanced Persistent Threat) group codenamed Dark Pink. This threat actor has been operating since mid-2021, mainly in the Asia-Pacific region. The group uses a range of sophisticated custom tools, deploys multiple kill chains relying on spear-phishing emails. Once the attackers gain access to a target’s network, they use advanced persistence mechanisms to stay undetected and maintain control over the compromised system.
As shown on the updated attack timeline below, overall, [we] identified 13 organizations targeted by the group. Our previous analysis uncovered 8 attacks on entities based in the Asia-Pacific region and 1 organization based in Europe, including one unsuccessful attack. According to the latest findings, 5 new victims have been identified, which suggests that the actual scope of the attacks could be even broader. Dark Pink has continued to attack government, military, and non-profit organizations in the Asia-Pacific expanding its operations to Thailand and Brunei. Another victim, an educational sector organization, has also been identified in Belgium.
https://www.group-ib.com/blog/dark-pink-episode-2/
Discovery
How we find and understand the latent compromises within our environments.
Hunting for 'Snake'
Ryan Saridar and Francesco Iulio build on last week's reporting with some practical activities to discover latent compromises.
Multiple Snake components can be detected running in the system using different Indicators of Compromise. For example, the Covert Store generated by the implant, can present the following hardcoded encryption key (not always, depending on the malware operator):
A1 D2 10 B7 60 5E DA 0F A1 65 AF EF 79 C3 66 FA
And the same key can be retrieved from the following Windows Registry path when stored:
SECURITY\Policy\Secrets\n
https://labs.jumpsec.com/hunting-for-snake/
Finding Evil WMI Event Consumers with Disk Forensics
Chad Tilbury walks through how to discover this widely utilized persistence mechanism.
WMI event consumers will continue to be abused in the wild as long as organizations fail to discover and remediate them. While live collection and analysis is preferable to scale efforts across a network, this post covered disk-based artifacts and tools available for use during deeper forensic investigations. A KAPE target exists to collect the required files for offline analysis, making it an easy check to perform during incident response forensic investigations.
https://www.sans.org/blog/finding-evil-wmi-event-consumers-with-disk-forensics/
Defence
How we proactively defend our environments.
gato: GitHub Self-Hosted Runner Enumeration and Attack Tool
Adnan Khan, Mason Davis and Matthew Jackoski released this a while ago but I thought worth covering given the value. Reducing the blast radius of compromises is how we build resilience.
Gato, or GitHub Attack Toolkit, is an enumeration and attack tool that allows both blue teamers and offensive security practitioners to evaluate the blast radius of a compromised personal access token within a GitHub organization.
The tool also allows searching for and thoroughly enumerating public repositories that utilize self-hosted runners. GitHub recommends that self-hosted runners only be utilized for private repositories, however, there are thousands of organizations that utilize self-hosted runners.
https://github.com/praetorian-inc/gato
CVE Prioritizer
Streamline vulnerability patching with CVSS, EPSS, and CISA's Known Exploited Vulnerabilities or for when you admit you can’t patch everything.
CVE_Prioritizer leverages the correlation between CVSS and EPSS scores to enhance vulnerability remediation efforts. While CVSS captures the fundamental properties of a vulnerability, EPSS offers data-driven threat information, enabling you to better prioritize patching.
https://github.com/TURROKS/CVE_Prioritizer
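One way to combine the three signals into a patch order, as an added example that is not CVE_Prioritizer's own code: the thresholds, the bucket ordering, the handling of a missing EPSS score and the placeholder identifiers are all assumptions made here.

```python
from dataclasses import dataclass
from typing import List, Optional

CVSS_THRESHOLD = 6.0  # assumption: severity at or above this counts as "high"
EPSS_THRESHOLD = 0.2  # assumption: exploit probability at or above this is "high"


@dataclass
class Finding:
    cve: str               # placeholder identifiers only, not real CVEs
    cvss: float            # base score, 0.0 to 10.0
    epss: Optional[float]  # probability 0.0 to 1.0, None when no score exists
    in_kev: bool           # listed in CISA's Known Exploited Vulnerabilities


def bucket(f: Finding) -> int:
    """Lower number means patch sooner."""
    if f.in_kev:
        return 0  # known exploitation outranks any score
    high_cvss = f.cvss >= CVSS_THRESHOLD
    if f.epss is None:
        # No likelihood data is not the same as low likelihood:
        # fall back to severity rather than treating EPSS as 0.
        return 2 if high_cvss else 4
    high_epss = f.epss >= EPSS_THRESHOLD
    if high_cvss and high_epss:
        return 1
    if high_epss:
        return 2  # example's choice: likely exploitation before raw severity
    if high_cvss:
        return 3
    return 4


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Sort by bucket, then by EPSS and CVSS descending within a bucket."""
    return sorted(findings,
                  key=lambda f: (bucket(f), -(f.epss or 0.0), -f.cvss))


def sample_findings() -> List[Finding]:
    """Constructed inventory for illustration."""
    return [
        Finding("CVE-PLACEHOLDER-A", 9.8, 0.01, False),
        Finding("CVE-PLACEHOLDER-B", 5.3, 0.90, False),
        Finding("CVE-PLACEHOLDER-C", 7.5, 0.40, False),
        Finding("CVE-PLACEHOLDER-D", 4.0, 0.02, True),
        Finding("CVE-PLACEHOLDER-E", 8.1, None, False),
        Finding("CVE-PLACEHOLDER-F", 3.1, 0.01, False),
    ]


if __name__ == "__main__":
    for f in prioritize(sample_findings()):
        print(bucket(f), f.cve, f.cvss, f.epss, f.in_kev)
```

The constructed 9.8 finding lands behind a 5.3 one because its EPSS is low, which is the trade-off a CVSS-only queue hides.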
Vulnerability
Our attack surface.
macOS vulnerability, Migraine, could bypass System Integrity Protection
The fact major vendors come across such vulnerabilities in each other's technologies is interesting. This looks like the byproduct of developing EDR and is material in terms of undermining platform trust.
A new vulnerability, which we refer to as “Migraine” for its involvement with macOS migration, could allow an attacker with root access to automatically bypass System Integrity Protection (SIP) in macOS and perform arbitrary operations on a device. We shared these findings with Apple through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR). A fix for this vulnerability, now identified as CVE-2023-32369, was included in the security updates released by Apple on May 18, 2023.
Offense
Attack capability, techniques and trade-craft.
Blackout: kill anti-malware protected processes using BYOVD
Shows the pain vulnerable drivers are going to present and why deploying mitigations via WDAC is increasingly important.
leveraging gmer driver to effectively disabling or killing EDRs and AVs.
it bypass HVCI fluently
https://github.com/ZeroMemoryEx/Blackout
EDR bypassing via memory manipulation techniques
Connor Morley has released an extensive technical paper on this area which is useful to defenders and their vendors. These games of cat and mouse are the modern arms race.
This paper is broken down into three parts; the first will explain some of the memory techniques readily used by attackers to avoid detection in today’s landscape, and will explain how they work and why they may be chosen. The second and third parts will focus on methods to detect the utilization of such covert mechanisms, where telemetry for detection may be acquired, and some of the difficulties that may be encountered during the integration of these solutions.
https://labs.withsecure.com/publications/edr-bypassing-via-memory-manipulation-techniques
The curious case of ♪ and ◙
Brian Maloney gives us the punchline that ◙ is interpreted as LF (Line Feed) and ♪ as CR (Carriage Return) which means he could build effective command lines which would not otherwise be possible. This will have both good and evil uses, thus I’ve included here so people can signature its use proactively.
I have a script that automates the collection and parsing of KAPE that uses WMI event consumers and filters. The problem was, I needed a way to pass parameters to the encrypted PowerShell script in the consumer. I found some information about putting the parameters in a file and reading the file to get the parameters. The problem with this solution is I needed the parameters to be dynamic. So what does one do in this case? This is where ♪ and ◙ come into play.
https://malwaremaloney.blogspot.com/2023/05/the-curious-case-of-and.html
EPI: Process injection through entry points hijacking
Kurosh Dabbagh Escalante releases another technique which will keep EDR vendors on their toes. I suspect there are some memory scanning techniques which should be able to spot these anomalies rather easily.
EPI (Entry Point Injection) is a tool that leverages a new threadless process injection technique that relies on hijacking loaded dll's entry points. To achieve this goal, EPI patches the target process' PEB such that one of the already loaded dll's entry point is redirected to a injected shellcode (which by default is the Loader previously converted to sRDI). Once a new thread is naturally spawned by the process or whenever a running thread exits, all loaded modules' entry points will be called which includes our injected shellcode.
HiddenDesktop: HVNC for Cobalt Strike
Kyle Avery releases a Cobalt Strike plugin which we can expect to be adopted by various threat actors to run GUI applications in victim environments in 3..2..
Hidden Desktop (often referred to as HVNC) is a tool that allows operators to interact with a remote desktop session without the user knowing. The VNC protocol is not involved, but the result is a similar experience. This Cobalt Strike BOF implementation was created as an alternative to TinyNuke/forks that are written in C++.
https://github.com/WKL-Sec/HiddenDesktop
Hot Pixels: Frequency, Power, and Temperature Attacks on GPUs and ARM SoCs
Hritvik Taneja, Jason Kim, Jie Jeff Xu, Stephan van Schaik, Daniel Genkin and Yuval Yarom show how academia is going from strength to strength in their applied offensive research. Given the proposals around browser Cookies at the moment one can imagine the value of such techniques will rise and potentially be more widely applied.
Given the rise in popularity of both Arm SoCs and GPUs, in this paper we investigate the susceptibility of these devices to information leakage via power, temperature and frequency, as measured via internal sensors. We demonstrate that the sensor data observed correlates with both instructions executed and data processed, allowing us to mount software-visible hybrid side-channel attacks on these devices.
To demonstrate the real-world impact of this issue, we present JavaScript-based pixel stealing and history sniffing attacks on Chrome and Safari, with all side channel countermeasures enabled. Finally, we also show website fingerprinting attacks, without any elevated privileges.
https://arxiv.org/abs/2305.12784
Tampering with Conditional Access Policies Using Azure AD Graph API
Good research here which led to platform improvements. It does also however highlight the lack of maturity in places even of the larger platforms and the exposure this creates.
In May 2022, [our] researchers investigated which APIs allow editing of CAP settings and identified three: the legacy Azure AD Graph (also known as AADGraph), Microsoft Graph, and an undocumented Azure IAM API. AADGraph was the only API that allowed modification of all CAP settings, including the metadata. This capability lets administrators tamper with all CAP settings, including the creation and modification timestamps. Modifications made using AADGraph are not properly logged, endangering integrity and non-repudiation of Azure AD policies.
[our] researchers shared these findings with Microsoft on May 26, 2022. Microsoft confirmed the findings a month later but stated that it is expected behavior. On May 11, 2023, Microsoft notified CTU researchers of planned changes to improve audit logs and restrict CAP updates via AADGraph.
The dusk of g_CiOptions: circumventing DSE with VBS enabled
Daniil Nababkin (a Ukrainian Offensive Security Specialist) explores this offensive tradecraft which we can expect to be combined with various vulnerable drivers to allow rootkit loading on modern Windows.
we explore the concept of bypassing Driver Signature Enforcement (DSE) in the Virtualization Based Security (VBS) era with only a write-what-where exploit primitive.
The general method description and implementation hints are mentioned at The Swan Song for Driver Signature Enforcement Tampering. Notably, we need to find the CiValidateImageHeader entry in the nt!SeCiCallbacks structure and replace it with the pointer to a function that always returns 0 and takes no arguments.
Bypassing Intel CET with Counterfeit Objects
Matteo Malvica outlines why Control Flow Guard is not a panacea. We can expect commercial implant developers and others to adopt these techniques. A focus on the in-memory detection of vfgadgets and also vtable overwrites I suspect will be prudent.
At first, the advent of CET painted a bleak picture of the future for exploit developers and their reliance on ROP-based techniques. However, in 2015, a new code-reuse technique named Counterfeit Object-Oriented Programming (COOP) was formulated in a paper which seemed quite promising in defeating Control-Flow Integrity (CFI) defenses.
In this blog, we’ll briefly cover how CFI mitigations work, including CET, and how we can leverage COOP to effectively bypass Intel CET on the latest Windows releases.
Intel CET provides yet another strong defensive mechanism that surely steps up the exploit development game. Nonetheless, new attack pathways such as COOP can be adopted to circumvent this mitigation. As we learned so far, COOP vfgadgets are inherently allowed by CFG and so, in a real-world scenario they could be chained together to circumvent Intel CET and possibly other CFI mitigations.
https://www.offsec.com/offsec/bypassing-intel-cet-with-counterfeit-objects/
Exploitation
What is being exploited.
Barracuda Email Security Gateway Appliance (ESG) Vulnerability
This continues to go from bad to worse. Interesting also that they are hosting this page under their legal section, based on the URL.
The vulnerability existed in a module which initially screens the attachments of incoming emails. No other Barracuda products, including our SaaS email security services, were subject to the vulnerability identified.
Earliest identified evidence of exploitation of CVE-2023-2868 is currently October 2022.
Barracuda identified that CVE-2023-2868 was utilized to obtain unauthorized access to a subset of ESG appliances.
Malware was identified on a subset of appliances allowing for persistent backdoor access.
Evidence of data exfiltration was identified on a subset of impacted appliances.
https://www.barracuda.com/company/legal/esg-vulnerability
From Office bait to tasteless RCE
Chinese walkthrough of this exploit chain which may inspire others and thus be worth understanding.
Introduce Office file bait and principle
Office SSRF-like vulnerabilities
Windows URI scheme protocol vulnerability
Construct RCE utilization chain
Expanded attack surface
Vulnerability Repair and Defense
Future directions to explore
Ghost Sites: Stealing Data From Deactivated Salesforce Communities
Nitay Bachrach outlines an interesting attack surface which risks existing in numerous other SaaS.
[We] discovered that improperly deactivated and unmaintained Salesforce “ghost sites” remain accessible and vulnerable to risk. By manipulating the host header, threat actors can gain access to sensitive PII and business data.
https://www.varonis.com/blog/salesforce-ghost-sites
More malicious extensions in Chrome Web Store
The whack-a-mole game moves to other store mechanisms. I wonder when the major store vendors (Google, Apple etc.) will just mandate that source code be provided in order to help with their defensive activities. Likely some PET-style techniques could help with this also.
Two weeks ago I wrote about the PDF Toolbox extension containing obfuscated malicious code. Despite reporting the issue to Google via two different channels, the extension remains online. It even gained a considerable number of users after I published my article.
A reader tipped me off however that the Zoom Plus extension also makes a request to serasearchtop[.]com. I checked it out and found two other versions of the same malicious code. And I found more extensions in Chrome Web Store which are using it.
So now we are at 18 malicious extensions with a combined user count of 55 million. The most popular of these extensions are Autoskip for Youtube, Crystal Ad block and Brisk VPN: nine, six and five million users respectively.
https://palant.info/2023/05/31/more-malicious-extensions-in-chrome-web-store
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
SectorC: A C Compiler in 512 bytes
Not that this will be used maliciously, but it is neat.
SectorC (github) is a C compiler written in x86-16 assembly that fits within the 512 byte boot sector of an x86 machine. It supports a subset of C that is large enough to write real and interesting programs. It is quite likely the smallest C compiler ever written.
https://xorvoid.com/sectorc.html
A Bayesian Framework for Automated Debugging
Sungmin Kang, Wonkeun Choi and Shin Yoo outline a proposal which will be interesting to watch as it moves on from the lab. Has a variety of use cases in engineering, attack and defense.
Despite intensive research on these subjects, we are unaware of a theoretic framework that highlights the principles behind automated debugging and allows abstract analysis of techniques. Such a framework would heighten our understanding of the endeavor and provide a way to formally analyze techniques and approaches. To this end, we first propose a Bayesian framework of understanding automated repair and find that in conjunction with a concrete statement of the objective of automated debugging, we can recover maximal fault localization formulae from prior work, as well as analyze existing APR techniques and their underlying assumptions.
As a means of empirically demonstrating our framework, we further propose BAPP, a Bayesian Patch Prioritization technique that incorporates intermediate program values to analyze likely patch locations and repair actions, with its core equations being derived by our Bayesian framework. We find that incorporating program values allows BAPP to identify correct patches more precisely: when applied to the patches generated by kPAR, the rankings produced by BAPP reduce the number of required patch validation by 68% and consequently reduce the repair time by 34 minutes on average.
https://arxiv.org/abs/2212.13773
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Aggregate reporting
Botconf 2023 Topics Express - Chinese trip report of Botconf topics
Feasibility Study Report on the Application of Large Models in Threat Intelligence
Space Odyssey: An Experimental Software Security Analysis of Satellites
The 5×5—Cross-community perspectives on cyber threat intelligence and policy
17th Workshop On Offensive Technologies (WOOT '23) - papers/slides etc.
Upcoming Events
Wargaming Week 2023 - this actually happened, included as a point of interest that such things happen.
Exploring the Security, Privacy, and Ethics of Female-Oriented Technology - 19 June – 10 September 2023
This newsletter is produced by BinaryFirefly, it is via BinaryFirefly I support a hand picked set of organisations across investment, strategy and capability in the domain of cyber.