

Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally, this week has been taken up with further fallout from MOVEit (including new vulnerabilities) and Fortinet vulnerabilities in their VPN devices that were exploited in the wild. The speed with which the Fortinet vulnerabilities were patch-diffed by researchers and exploits developed, whilst the industry worked in a vacuum, made for a likely suboptimal weekend.
In the high-level this week:
The Axe Files: with Jen Easterly - If China decided to invade Taiwan, they would pair it with significant attacks against our critical infrastructure.
New bill would give CISA greater cyber outreach responsibilities - The Cybersecurity Awareness Act would direct the agency to launch a new public-private campaign promoting cyber best practices across small businesses and underserved communities.
US (CISA) Binding Operational Directive 23-02 - requires agencies to take steps to reduce the attack surface created by insecure or misconfigured management interfaces across certain classes of devices.
Germany’s new National Security Strategy - We are continuing to focus our cybersecurity research on technological revolutions, such as artificial intelligence, quantum computing, quantum cryptography and speech recognition. The Federal Government is researching current and future challenges in IT security research through the research framework programme Digital.Souverän.Sicher (Digital.Sovereign.Secure).
Romanian National Who Operated “Bulletproof Hosting” Service That Facilitated The Distribution Of Destructive Malware Sentenced To Three Years In Prison
Enigma Software Group Prevails Over Malwarebytes at the Ninth Circuit - In the context of this case, we conclude that when a company in the computer security business describes a competitor's software as 'malicious' and a 'threat' to a customer's computer, that is more a statement of objective fact than a non-actionable opinion.
Lessons Lost: Incident Response in the Age of Cyber Insurance and Breach Attorneys - as someone said in the Subreddit “insurance claim reports aren't a great way to study after action reports. Lawyers don't make great IR analysts.”
2023 State of Humanitarian and Development Cybersecurity Report - in 2022, nearly half of the nonprofit respondents reported they had experienced a security breach in the past 12 months (45%).
Russian Nationals Charged With Hacking One Cryptocurrency Exchange And Illicitly Operating Another - Bilyuchenko, Verner, and their co-conspirators used their unauthorized access to Mt. Gox’s server to fraudulently cause bitcoins to be transferred from Mt. Gox’s wallets to bitcoin addresses controlled by Bilyuchenko, Verner, and their co-conspirators.
Russia passes law to allow confiscation of property from cybercriminals - Now in this list - illegal access to computer information protected by law, if this act entailed "destruction, blocking, modification or copying of computer information, causing major damage or committed out of selfish interest, committed by a group of persons by prior agreement or an organized group."
Russia plans to create domestic vulnerability scanning service and limit foreign services - Roskomnadzor is creating a domestic trusted scanning system that will identify vulnerabilities in Russian information resources, making it possible to quickly eliminate them. In order to protect Russian systems, it is also planned to take measures to limit scanning by foreign services of the Russian segment of the Internet.
US The Department of the Interior could improve its cybersecurity programs and practices, including those at offshore facilities. A cyberattack on one of these facilities could do significant damage and disrupt oil and gas supplies.
US Cyber Command conducts 'hunt forward' mission in Latin America for first time, official says - By policy and for operational security, we do not discuss cyber operations, plans or intelligence. USCYBERCOM prioritizes partnerships. No defend forward operation is publicly disclosed without the partner nation’s consent
How North Korea’s Hacker Army Stole $3 Billion in Crypto, Funding Nuclear Program - the recruiter was part of a vast North Korean operation aimed at bringing in funds to the cash-poor dictatorship. And the document was a Trojan Horse, malicious computer code that gave the North Koreans access to the engineer’s computer and allowed hackers to break into Sky Mavis. Ultimately they stole more than $600 million—mostly from players of Sky Mavis’s digital pets game, Axie Infinity.
Netherlands International Cyber Strategy: Cabinet presents international commitment to an open, free and secure digital domain
Dawn of the Cyberwars - from BBC Ulster featuring a Mr Ciaran Martin
Fact sheet on the work of the UK Government's Counter-Disinformation Unit and Rapid Response Unit
Dutch government to screen Chinese tech students on security risks
Still poles apart: UN Cybercrime Treaty negotiations - Efforts to bridge divisions between the opposing poles will be needed. States seeking a permissive treaty have already staked positions as far to their side as possible, and received some compromise from the other group, such as on scope of crimes for which electronic evidence can be collected.
How the US is pushing China out of the internet’s plumbing - Experts say the subsea cable market is in danger of dividing into eastern and western blocs amid fears of espionage and geopolitical tensions
The reflections this week come from how far we still have to go in relation to handling vulnerabilities well. MOVEit and Fortinet are just two examples of where pain was felt at material scale. We are going to have to deal with increasingly rapid release and exploitation cycles, and also with situations where criminal mass exploitation happens pre-discovery. These events challenge a lot of the approaches utilized by organizations today. In short, I don’t know the answer, but it is clear that cyber norms approaches may do little to curtail criminal endeavours, and criminals are becoming more capable and aggressive with regard to vulnerability research and exploitation.
On the interesting job/role front:
Cloud Security Operations Analyst at Microsoft’s Cloud SOC in Cheltenham, UK
Research Analyst Emerging Technologies at RUSI in the UK
Professor in Cyber Security at University of Southampton, UK
Joint Intelligence Organisation - Head of Open Source Insights at Cabinet Office in the UK
Foreign Affairs Officers at the Bureau Cyberspace and Digital Policy in the USA
Have a lovely Thursday
Ollie
Cyber threat intelligence
Who is doing what to whom and how.
Russia
Cadet Blizzard emerges as a novel and distinct Russian threat actor
A new cyber team in Russian intelligence is formally anointed. The fact this team is the cyber equivalent of ‘demolitions’ is likely of note.
[We assess] that Cadet Blizzard operations are associated with the Russian General Staff Main Intelligence Directorate (GRU) but are separate from other known and more established GRU-affiliated groups such as Forest Blizzard (STRONTIUM) and Seashell Blizzard (IRIDIUM). While [we] constantly tracks a number of activity groups with varying degrees of Russian government affiliation, the emergence of a novel GRU affiliated actor, particularly one which has conducted destructive cyber operations likely supporting broader military objectives in Ukraine, is a notable development in the Russian cyber threat landscape. A month before Russia invaded Ukraine, Cadet Blizzard foreshadowed future destructive activity when it created and deployed WhisperGate, a destructive capability that wipes Master Boot Records (MBRs), against Ukrainian government organizations. Cadet Blizzard is also linked to the defacements of several Ukrainian organization websites, as well as multiple operations, including the hack-and-leak forum known as “Free Civilian”.
Ukraine’s IT Army
A look at the other side of the conflict. It will be interesting to see post conflict how demobilization is handled.
The IT Army of Ukraine is unlike any other cyber-threat actor. Created by the Ukraine Ministry of Digital Transformation two days after the Russian invasion, it has gathered, trained and directed thousands of people from inside and outside Ukraine to participate in persistent DDoS campaigns against Russian civilian infrastructure. In its current form, the IT Army is neither civilian nor military, neither public nor private, neither local nor international. Notably, whether it is lawful or unlawful remains unclear. Given its apparent adaptability and its continuing ability to recruit participants and mount cyber campaigns, it is positioned to become an advanced persistent threat.
https://www.tandfonline.com/doi/abs/10.1080/00396338.2023.2218701
North Korea
RedEyes group wiretapping individuals (APT37)
An evolution in hermit-kingdom capability, and use of the Ably platform, which provides real-time data transfer and messaging (Pub/Sub messaging, push notifications, real-time queries, state synchronization, etc.). The initial access tradecraft is as you would expect, i.e. CHM files and the follow-on chains.
The attacker delivered the command to the Golang backdoor using the Ably service, and stored the API key value required for command communication in the Github repository. The corresponding API key value is required for communication with the attacker's channel, and anyone who knows the key value can subscribe. Therefore, at the time of analysis, we were able to identify some commands used by the attacker.
Tracking Kimsuky Bitcoin Address
An interesting walk through showing where the crypto currency flows went.
When looking at the Peel Chain graph to some extent, the addresses to which the funds were mainly sent were identified as owned by the bitzlato or whitebit exchanges. Apart from that, we saw funds sent to clusters such as paxful, ftx, and discus_fish. discus_fish is the largest mining pool in China, also known as f2pool.
bitzlato is an exchange located in Hong Kong and is known to have a loose KYC policy. It was reported to have handled more than $700 million in illicit funds from 2018 to 2022, and was subject to a law enforcement shutdown in January 2023, resulting in the website being seized and the founders arrested for running an unlicensed money transfer business.
China
VPX Gon' Give It to Ya: VMware ESXi Zero-Day Used by Chinese Espionage Actor to Bypass Authentication Checks and Perform Privileged Guest Operations
Alexander Marvi, Brad Slaybaugh, Ron Craft and Rufus Brown detail what happens when a country’s inhabitants evolve from winning vulnerability-for-cash competitions to deploying on behalf of the state.
Harvesting credentials for service accounts from a vCenter Server for all connected ESXi hosts from the embedded vPostgreSQL server built into vCenter Server Appliance
Exploiting a zero-day vulnerability (CVE-2023-20867) that enabled the execution of privileged commands across Windows, Linux, and PhotonOS (vCenter) guest VMs without authentication of guest credentials from a compromised ESXi host and no default logging on guest VMs
Deploying backdoors on ESXi hosts using an alternative socket address family, VMCI, for lateral movement and continued persistence. This address family enabled direct reconnection from any guest VM to the compromised ESXi host’s backdoor regardless of network segmentation or firewall rules in place.
Continuing to tamper with and disable logging services on impacted systems, presenting additional challenges to investigating UNC3886 in a compromised environment.
https://www.mandiant.com/resources/blog/vmware-esxi-zero-day-bypass
ChamelGang and ChamelDoH: A DNS-over-HTTPS implant
Interesting Chinese use of DNS over HTTPS, which leaves those who rely on passive DNS blind. Who knew threat actors would employ privacy-enhancing technologies to mask their infrastructure and C2 traffic from detection.
[We] recently identified various tools used in intrusions by ChamelGang, a sophisticated threat actor with a nexus to China. ChamelGang has previously been observed targeting energy, aviation, and government organizations in Russia, the United States, Japan, Turkey, Taiwan, Vietnam, India, Afghanistan, Lithuania, and Nepal.
ChamelDoH encrypts its communication using AES128 and base64 encodes the result so that it can be prepended as a subdomain.
https://stairwell.com/news/chamelgang-and-chameldoh-a-dns-over-https-implant/
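The blind spot described above is specifically a passive-DNS one: the encoded-subdomain pattern itself is still visible wherever query names can be observed (a DoH proxy or egress inspection point, an endpoint DNS client log, or a resolver the implant is forced through). The following is an added example, not code from the Stairwell report: a small Python triage check that flags leading labels which look like base64-style payloads. It assumes the implant uses a hostname-safe base64 variant (standard base64's '+' and '/' are not legal in hostnames) and that the registrable domain is the last two labels; the sample query names are constructed.

```python
import math
import re
from collections import Counter

# Constructed sample of query names, as a resolver or DoH-proxy log might record
# them. The "example-c2.test" names are made up for this illustration and are
# not indicators from the ChamelDoH report.
SAMPLE_QUERIES = [
    "www.example.com",
    "mail.example.org",
    "cdn.assets.example.net",
    "api.github.com",
    "aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q.c2.example-c2.test",
    "U2FsdGVkX19xYzJkcWJmbXdrZ2FsZ3hqZ3p6.c2.example-c2.test",
]

# Assumption: the encoded payload rides in one label and uses a DNS-safe base64
# variant ('-' and '_' in place of '+' and '/', no '=' padding).
ENCODED_LABEL = re.compile(r"^[A-Za-z0-9_-]{20,63}$")


def shannon_entropy(s: str) -> float:
    """Bits per character: roughly 4+ for base64 text, well below 3 for words."""
    n = len(s)
    counts = Counter(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_labels(qname: str, min_len: int = 20, min_entropy: float = 3.5) -> list:
    """Return the labels of qname that look like an encoded payload.

    The last two labels (registrable domain + TLD, assumed here) are ignored so
    a long apex name is never flagged; only the leading labels are tested.
    """
    labels = qname.strip(".").split(".")[:-2]
    return [
        label
        for label in labels
        if len(label) >= min_len
        and ENCODED_LABEL.match(label)
        and shannon_entropy(label) >= min_entropy
    ]


def scan(queries: list) -> dict:
    """Map each flagged query name to the labels that triggered on it."""
    hits = {}
    for qname in queries:
        flagged = suspicious_labels(qname)
        if flagged:
            hits[qname] = flagged
    return hits


if __name__ == "__main__":
    for qname, labels in scan(SAMPLE_QUERIES).items():
        print(f"{qname}: encoded-looking labels {labels}")
```

Treat a hit as a triage signal rather than a verdict: CDNs, DKIM selectors and some telemetry services also emit long high-entropy labels, so the allow-listing of known services and the rate of such queries per host matter as much as the label test. The more important mitigation is architectural: if endpoints can reach arbitrary DoH resolvers, none of this logging exists, so sanctioned resolvers and blocking of unsanctioned DoH endpoints come first.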
SPECTRALVIPER: a previously-undiscovered backdoor malware family
Cyril François, Daniel Stepanic and Seth Goodwin out Vietnamese capability, showing they are by no means a minor-division player. Initial access is not covered in this reporting.
The REF2754 intrusion set leverages multiple PE loaders, backdoors, and PowerShell runners
SPECTRALVIPER is a heavily obfuscated, previously undisclosed, x64 backdoor that brings PE loading and injection, file upload and download, file and directory manipulation, and token impersonation capabilities
We are attributing REF2754 to a Vietnamese-based intrusion set and aligning with the Canvas Cyclone/APT32/OceanLotus threat actor
https://www.elastic.co/security-labs/elastic-charms-spectralviper
A Truly Graceful Wipe Out
The DFIR Report team doing wholesome work with this summary of a recent compromise. That this concluded with a destructive operation, not an encryption event, is of note.
In this intrusion, dated May 2023, we observed Truebot being used to deploy Cobalt Strike and FlawedGrace (aka GraceWire & BARBWIRE) resulting in the exfiltration of data and the deployment of the MBR Killer wiper. The threat actors deployed the wiper within 29 hours of initial access.
https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/
Asylum Ambuscade: crimeware or cyberespionage?
Matthieu Faou details an unattributed actor who has been chugging along for a while with a clear financial incentive. The blend into espionage is also of note, considering they are identified as a criminal group; maybe hack-for-hire?
Asylum Ambuscade has been operating since at least 2020.
It is a crimeware group that targets bank customers and cryptocurrency traders in various regions, including North America and Europe.
Asylum Ambuscade also does espionage against government entities in Europe and Central Asia.
Most of the group’s implants are developed in script languages such as AutoHotkey, JavaScript, Lua, Python, and VBS.
https://www.welivesecurity.com/2023/06/08/asylum-ambuscade-crimeware-or-cyberespionage/
Analysis of attack activities targeting the financial departments of Chinese companies disguised as red teams
An unknown threat actor who is causing mischief in China (imposing cost?) using phishing and multistage payloads via email.
[We] tracked a number of targeted attacks against the financial departments of Chinese enterprises. The attacks are highly disguised as attacks by the red team (attacker) of offensive and defensive drills from various aspects. It uses customized unknown Trojan horses to launch attacks on relevant target companies. After nearly two months of continuous attacks, until June 8, 2023, we can still observe the emergence of newly generated Trojan horses. The most accurate attack evidence that can be observed so far is still email attacks and a large number of malicious payloads. A large number of IPs linked back by the Trojan horse are located in the United States, mainland China, and Hong Kong, China.
DoubleFinger delivers GreetingGhoul cryptocurrency stealer
The 1990s called for this threat actor and want their .pif file extensions back. Really basic tradecraft here; fascinating that it works at all in 2023.
One of the latest additions to this phenomenon is the multi-stage DoubleFinger loader delivering a cryptocurrency stealer. DoubleFinger is deployed on the target machine, when the victim opens a malicious PIF attachment in an email message, ultimately executing the first of DoubleFinger’s loader stages.
https://securelist.com/doublefinger-loader-delivering-greetingghoul-cryptocurrency-stealer/109982/
Analysis of recent attack methods of APT-C-36 (Blind Eagle)
Our favorite Colombian threat actor is subject to this Chinese reporting. An evolution in capability, but still basic malicious LNK files for initial access.
[We] discovered that the APT-C-36 organization recently used encrypted self-extracting compressed packages and LNK files to carry out spear-phishing attacks on target groups. After further analysis and tracing, it was found that, for a long time, the APT-C-36 organization has distributed multiple open-source RAT backdoors via multiple platforms to deliver phishing files against South American countries. The results show that the organization is constantly updating its arsenal and attack process.
Discovery
How we find and understand the latent compromises within our environments.
How to Create F.L.I.R.T Signature Using Yara Rules for Static Analysis of ELF Malware
The Japanese CERT provide a really useful applied guide here for dealing with ELF-based binaries.
It has been observed that ELF malware removes symbol information during its build. This creates extra work in malware analysis to identify each function name because you do not know them. In addition, in IDA, an analysis tool, existing F.L.I.R.T signatures [1] (hereafter abbreviated as FLIRT signatures in this article) are often not applicable to ELF malware functions, making analysis difficult when right signatures are not found.
https://blogs.jpcert.or.jp/en/2023/06/autoyara4flirt.html
Defence
How we proactively defend our environments
Addressing Visibility Challenges with TLS 1.3
The general narrative within the IETF of encryption at all costs is leading to counter productive outcomes such as this.
Transport Layer Security (TLS) 1.3, can disrupt current approaches to observing and monitoring internal network communications within enterprise data centers and hybrid cloud environments. Reduced visibility can impact an organization’s ability to protect its data and systems.
https://www.nccoe.nist.gov/addressing-visibility-challenges-tls-13
Rule Metadata & Exploit Signature Difficulties
James gives a sense of some of the real-world challenges here and how they try to address them.
when a signature is created for an exploit, we apply a confidence level in metadata for the signature based on several factors. One of the major factors here is how dynamic the exploit may be. To better explain this factor, consider the following brief comparison of buffer overflows and use-after-free vulnerabilities from a network detection perspective.
https://ozuriexv.github.io/rule-metadata-and-exploit-signature-difficulties/
Use natural language processing libraries to parse a Blog summarise and extract IoCs
Michael Haag supplies a script to do what many a multi-million-dollar-funded start-up tries. We would be interested in real-world efficacy feedback.
https://github.com/MHaggis/notes/blob/master/utilities/NLPxTract.py
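For a sense of what the non-NLP core of such a script has to do, here is an added example; it is not Michael Haag's NLPxTract and is independent of it. It is a regex-based extractor that refangs the usual defanging conventions (hxxp, [.], (dot)) and then pulls URLs, domains, IPv4 addresses, hashes and CVE IDs out of blog text. The input text and every indicator in it are constructed (RFC 5737 address, reserved .test/.example names, hashes of the empty string); the allowlist is an assumption you would tune to your own benign domains.

```python
import re
from urllib.parse import urlparse

# Constructed blog excerpt. Every indicator below is made up or a well-known
# placeholder; none is a real IoC.
SAMPLE_TEXT = """
The loader was fetched from hxxp://updates[.]example-bad[.]test/stage2.bin and
beaconed to 203[.]0[.]113[.]45 over port 443. A second stage resolved
c2[.]example-bad[.]test over DoH. The dropper's SHA-256 is
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 and its MD5
is d41d8cd98f00b204e9800998ecf8427e. It exploits CVE-2023-34362 (the MOVEit bug).
Questions to info@example.com; see https://www.example.com/blog for details.
"""

URL = re.compile(r"https?://[^\s'\"<>)]+")
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
DOMAIN = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\b", re.I)
IPV4 = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
SHA256 = re.compile(r"\b[a-f0-9]{64}\b", re.I)
SHA1 = re.compile(r"\b[a-f0-9]{40}\b", re.I)
MD5 = re.compile(r"\b[a-f0-9]{32}\b", re.I)
CVE = re.compile(r"\bCVE-\d{4}-\d{4,7}\b", re.I)


def refang(text: str) -> str:
    """Undo the common defanging conventions so the patterns above match."""
    text = re.sub(r"hxxp(s?)://", r"http\1://", text, flags=re.I)
    text = re.sub(r"\[\.\]|\(\.\)|\[dot\]|\(dot\)|\{\.\}", ".", text, flags=re.I)
    text = re.sub(r"\[@\]|\(at\)|\[at\]", "@", text, flags=re.I)
    return text


def extract_iocs(text: str, allowlist=("example.com",)) -> dict:
    """Pull indicators out of free text, dropping allowlisted domains."""
    text = refang(text)
    urls = set(URL.findall(text))
    domains = {urlparse(u).hostname for u in urls if urlparse(u).hostname}
    # Strip URLs and e-mail addresses before the bare-domain pass so that file
    # names in URL paths (stage2.bin) and mail hosts are not mistaken for domains.
    remainder = EMAIL.sub(" ", URL.sub(" ", text))
    domains |= {d.lower() for d in DOMAIN.findall(remainder)}
    domains = {d for d in domains
               if not any(d == a or d.endswith("." + a) for a in allowlist)}
    return {
        "urls": sorted(urls),
        "domains": sorted(domains),
        "ipv4": sorted(set(IPV4.findall(text))),
        "sha256": sorted(h.lower() for h in set(SHA256.findall(text))),
        "sha1": sorted(h.lower() for h in set(SHA1.findall(text))),
        "md5": sorted(h.lower() for h in set(MD5.findall(text))),
        "cves": sorted(c.upper() for c in set(CVE.findall(text))),
    }


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_TEXT).items():
        print(f"{kind}: {values}")
```

The ordering matters more than the regexes: hashes are matched longest-first with word boundaries so an MD5 pattern cannot fire inside a SHA-256, and URLs and e-mail addresses are removed before the bare-domain pass. What regexes cannot do is decide which of the extracted values are actually malicious as opposed to the author's own site or a referenced vendor, which is the part the NLP-based approaches in the linked script try to cover and where the efficacy question above really sits.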
Vuln4Cast: A collection of data fetchers, and simple quarterly and yearly CVE forecasting models
We can likely debate the accuracy of forecasting using this type of approach; an interesting set of tooling nevertheless. It will be interesting to see how this evolves further, i.e. do we get to a level akin to economic forecasting for vulnerabilities?
the code that uses NVD data to demonstrate that it is possible to forecast vulnerabilities with reasonable accuracy both quarterly and yearly. We believe this is foundational rather than an end result. In other words, this forecasting will enable other research to be performed that might not have existed before. We encourage you to make more accurate forecasts, or extend the lookahead window, or make sub-forecasts for specific vendors.
https://github.com/FIRSTdotorg/Vuln4Cast
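The following is an added illustration of the quarterly/yearly idea, not the Vuln4Cast models themselves: a plain least-squares trend over quarterly counts, extended four quarters ahead and summed for a yearly figure, with a hold-out backtest so the accuracy question raised above can at least be measured rather than debated. The quarterly figures are constructed, not NVD data.

```python
# Constructed quarterly CVE counts for three years (12 quarters), made up with a
# steady upward trend so the arithmetic is easy to follow; not NVD figures.
LINEAR = [4000 + 150 * i for i in range(12)]
# A second constructed series with quarter-to-quarter noise, again not NVD data.
NOISY = [4050, 4120, 4380, 4410, 4700, 4690, 4950, 5100, 5150, 5400, 5380, 5700]


def fit_trend(series):
    """Ordinary least squares for y = intercept + slope * t, with t = 0 .. n-1."""
    n = len(series)
    t_mean = (n - 1) / 2
    y_mean = sum(series) / n
    sxx = sum((t - t_mean) ** 2 for t in range(n))
    sxy = sum((t - t_mean) * (y - y_mean) for t, y in enumerate(series))
    slope = sxy / sxx
    return y_mean - slope * t_mean, slope


def forecast(series, periods=4):
    """Extend the fitted line `periods` quarters past the end of the series."""
    intercept, slope = fit_trend(series)
    n = len(series)
    return [intercept + slope * (n + k) for k in range(periods)]


def yearly_forecast(series):
    """Next-year total is the sum of the next four quarterly forecasts."""
    return sum(forecast(series, 4))


def backtest_mape(series, horizon=4):
    """Hold out the last `horizon` quarters, forecast them from the rest, and
    return the mean absolute percentage error: the honest way to state accuracy."""
    train, held = series[:-horizon], series[-horizon:]
    preds = forecast(train, horizon)
    return 100 * sum(abs(p - a) / a for p, a in zip(preds, held)) / horizon


if __name__ == "__main__":
    for name, s in (("linear", LINEAR), ("noisy", NOISY)):
        print(name, [round(x) for x in forecast(s)], round(yearly_forecast(s)),
              f"backtest MAPE {backtest_mape(s):.2f}%")
```

The backtest is the part worth keeping whatever model you substitute: a forecast that is never scored against held-out quarters is a guess with a decimal point. A linear trend also says nothing about vendor-specific sub-forecasts or about the disclosure spikes that follow events like the MOVEit and Fortinet weeks above, which is exactly the extension the repository invites.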
VelociDeploy-o-Matic: Scripts to for ready-to-use Velociraptor instance deployment in Azure
Wessel Hissink provides a valuable work aid here for teams looking to deploy Velociraptor quickly and at scale within an MSFT-heavy environment.
Quick n scalable Velociraptor deployment using Azure VPN.
I set the following criteria, although it is probably not compliant with all ISO/CIS/whatever standards, it works and you can consider for yourself if you find this safe enough to use or not:
The GUI (Analyst interface) of Velociraptor may not be exposed to the internet.
Authentication should be done via Azure AD SSO.
Endpoints (Customer machines) should be able to connect from all over the world.
The server/VM IP should be fixed (for firewall reasons).
There should be a separation of data for instances/engagement.
There should be an easy overview of costs per ‘instance/engagement’
Deployment (and destroying) should be easy.
https://github.com/WesSec/VelociDeploy-o-Matic
https://blog.wesselhissink.nl/networking/velocideploy-o-matic-the-story/
Vulnerability
Our attack surface.
Every Signature is Broken: On the Insecurity of Microsoft Office’s OOXML Signatures
Does not apply to macros, but does open up all manner of disinformation, phishing and other social-engineering opportunities.
we present a universal signature forgery attack that allows the attacker to create an arbitrary document and apply a signature extracted from a different source, such as an ODF document or a SAML token. For the victim, the document is displayed as validly signed by a trusted entity.
https://www.usenix.org/conference/usenixsecurity23/presentation/rohlmann
CVE-2023-20107: Randomness of random in Cisco ASA
Great research and oof, all your RSA ASA VPNs belong to us.
After some statistics and black-box key recovery, it continued by analyzing multiple firmwares for those hardware devices and virtual appliances to unveil the root causes of these collisions. It ended up with keygens to recover RSA keys, ECDSA keys and signature nonces.
https://www.sstic.org/2023/presentation/randomness_of_random_in_cisco_asa/
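The collisions the talk describes are, from the defender's side, detectable in your own certificate estate: if two devices present the same RSA modulus, or two moduli share a prime factor, the device RNG is suspect and the keys need replacing from a trusted source. The following is an added example, not the SSTIC authors' tooling and not an implementation of their keygens: a pairwise duplicate-modulus and shared-factor check over a constructed toy fleet (tiny primes so the arithmetic is visible, made-up device names).

```python
from collections import defaultdict
from itertools import combinations
from math import gcd

# Constructed toy fleet. Real RSA moduli are 2048+ bits; tiny distinct primes
# are used here so the numbers are readable. The device names are made up.
P, Q, R, S = 1000003, 1000033, 1000037, 1000039
FLEET = {
    "asa-hq-1": P * Q,
    "asa-branch-1": P * Q,   # identical key to asa-hq-1: duplicate modulus
    "asa-branch-2": Q * R,   # shares the prime Q with the two above
    "asa-dc-1": R * S,       # shares the prime R with asa-branch-2
}


def find_duplicate_moduli(fleet: dict) -> dict:
    """Moduli presented by more than one device, with the device names."""
    by_modulus = defaultdict(list)
    for name, n in fleet.items():
        by_modulus[n].append(name)
    return {n: sorted(names) for n, names in by_modulus.items() if len(names) > 1}


def find_shared_primes(fleet: dict) -> list:
    """Pairs of distinct moduli with a common factor; gcd > 1 means both keys
    are factorable, so both devices need new keys, not just one."""
    hits = []
    for (a, na), (b, nb) in combinations(sorted(fleet.items()), 2):
        if na == nb:
            continue  # already reported by find_duplicate_moduli
        g = gcd(na, nb)
        if g > 1:
            hits.append((a, b, g))
    return hits


if __name__ == "__main__":
    for n, names in find_duplicate_moduli(FLEET).items():
        print(f"duplicate modulus {n} on {names}")
    for a, b, g in find_shared_primes(FLEET):
        print(f"{a} and {b} share factor {g}")
```

Moduli come out of a certificate with `openssl x509 -in cert.pem -noout -modulus`; collect them from every management interface and VPN listener, not only the ones you remember issuing. The pairwise loop is quadratic, which is fine for a few hundred appliances; across a large corpus the same question is answered with a batch-GCD computation. A clean result is not a clean bill of health (the talk's key recovery works from the RNG's state, not from shared factors), but a dirty result is proof you need to rotate.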
Fortinet FortiGate VPN-SSL
Fortinet and their FortiGate continue to be the gift that keeps on giving with these pre-auth vulnerabilities. Lots of reporting, including a pre-advisory and opaque notices from the vendor, which led to a chaotic weekend.
Our investigation found that one issue (FG-IR-23-097) may have been exploited in a limited number of cases and we are working closely with customers to monitor the situation.
https://www.fortiguard.com/psirt/FG-IR-23-097
https://labs.watchtowr.com/xortigate-or-cve-2023-27997/
https://www.cert.europa.eu/static/SecurityAdvisories/2023/CERT-EU-SA2023-038.pdf
MOVEit Transfer and MOVEit Cloud Vulnerability
Further vulnerabilities here. To say it out loud: all products which resemble MOVEit should be proactively and carefully assessed by competent vulnerability researchers. We can only assume that criminal actors (and states) are now doing the same, given the rash of these.
June 9, 2023, In addition to the ongoing investigation into vulnerability (CVE-2023-34362), we have partnered with third-party cybersecurity experts to conduct further detailed code reviews as an added layer of protection for our customers. As part of these code reviews, [we] uncover[ed] additional vulnerabilities that could potentially be used by a bad actor to stage an exploit. These newly discovered vulnerabilities are distinct from the previously reported vulnerability shared on May 31, 2023.
https://www.progress.com/security/moveit-transfer-and-moveit-cloud-vulnerability
ImageMagick: Shell command injection vulnerability
Wowzers, a lesson in root-cause analysis and variant hunting right here. That is, a similar vulnerability in a different part of the code base was fixed, but a comprehensive assessment for variants was not performed.
a shell command injection vulnerability in encoding/decoding VIDEO files, which very much resembles CVE-2020-29599.
In commit cc4638d, extra options are supported in VIDEO decode delegate execution, and through later commits, ImageMagick supports user-defined options video:vsync and video:pixel-format, with their values concatenated into the delegate command executed via ExternalDelegateCommand.
https://github.com/ImageMagick/ImageMagick/issues/6338
Offense
Attack capability, techniques and trade-craft.
Obtaining Domain Admin from Azure AD by abusing Cloud Kerberos Trust
Dirk-jan Mollema provides an overview of this cloud-to-on-premises attack path. Or: why you should look to deprecate on-premises Active Directory ASAP.
This attack path assumes the following starting prerequisites:
The attacker has obtained Global Admin privileges in Azure AD.
The attacker has network connectivity to at least one Domain Controller of the on-premises Active Directory.
The Cloud Kerberos Trust feature is set up and working properly
https://dirkjanm.io/obtaining-domain-admin-from-azure-ad-via-cloud-kerberos-trust/
nbutools: Tools for offensive security of NetBackup infrastructures
Jean-Romain Garnier and team provide useful-looking tooling to assess this under-appreciated attack surface. Utilized by criminal ransomware groups in 3..2..
nbutools is a Python toolbox that aims to assist security audits and analysis of NetBackup infrastructures. It provides tools to map out the exposed attack surface, to collect deployment information (e.g. configuration values, accessible services, etc.) and more. It also includes a set of utilities to help study NetBackup services relying on custom protocols and "beginner's guides" to using native NetBackup tools relevant for offensive activities.
https://github.com/airbus-seclab/nbutools
jMG(Java Memshell Generator) is a highly customizable java memory shell generator
Older but from China, included to encourage detection engineering efforts around it.
jMG (Java Memshell Generator) is a highly customizable java memory shell generator tool, which can be used as a plug-in for woodpecker, providing memory shell injection support for common middleware.
Exploitation
What is being exploited.
acme.sh runs arbitrary commands from a remote server
This is terrifying. A CA was apparently using a vulnerability to run arbitrary commands.
You may already be aware of this, but HiCA is injecting arbitrary code/commands into the certificate obtaining process and acme.sh is running them on the client machine. I am not sure if this is intentional, expected by users, or safe/unsafe. But I'm documenting my findings for the public to be aware of with this CA.
https://github.com/acmesh-official/acme.sh/issues/4659
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
yara-ttd: YARA rules on Time Travel Debugging traces
Alexandre Tullot releases an amazing capability that leverages dynamic analysis techniques together with YARA.
The idea behind yara-ttd is to use the trace files recorded by TTD with yara itself to defeat packers. Because yara cannot scan the packed binary itself, yara-ttd provides a way to analyze the trace file that contains all the runtime information, including the unpacking process.
https://github.com/airbus-cert/yara-ttd
Smashing VPTRs on the Heights of Mount Elbrus - Exploring the Russian Elbrus Architecture
Great research on a Russia-specific CPU architecture and a class of C++ vulnerability.
https://github.com/evm-sec/SmashingVptrs/blob/main/Elbrus-RECON_final.pdf
ebpfmon
For those living in a world of eBPF, a work aid for various analysis and research use cases.
ebpfmon is a tool for monitoring eBPF programs. It is designed to be used with bpftool from the Linux kernel. ebpfmon is a TUI (terminal UI) application written in Go that allows you to do real-time monitoring of eBPF programs.
https://github.com/redcanaryco/ebpfmon
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Aggregate reporting
Artificial Intelligence and International Conflict in Cyberspace - the chapters in the volume focus on three broad themes, namely: (1) technical and operational, (2) strategic and geopolitical and (3) normative and legal.
A Peek Behind the Curtain: Examining the Dimensions of a National-level Cyber Program
Video-LLaMA: An Instruction-tuned Audio-Visual Language Model for Video Understanding
Google goes level-11 charm offensive on its cyber security public policy
Upcoming events
Cyber impacts on the US/PRC military balance - July 6th
Cyber Security Governance in Southeast Asia - July 7th
This newsletter is produced by BinaryFirefly, it is via BinaryFirefly I support a hand picked set of organisations across investment, strategy and capability in the domain of cyber.
For sponsorship enquiries regarding Bluepurple or anything else contact hello@binaryfirefly.com.
Bluepurple Pulse: week ending June 18th
ok. thank you.
is your cycle Thurs-Thurs Ollie or Sunday-Sat? I have our CISO reading as his weekly round up, just clarifying for him.