Bluepurple Pulse: week ending June 26th
CISA says it must adopt a 311-like experience that acts as a security lifeline.
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading).
Operationally this week nothing of note, just the usual rumble of activity but nothing standout.
In the high-level this week:
Geopolitics Reshaping the Internet in East Asia: How digital trade agreements and cyber infrastructure resiliency will hold the key to regional competition between the U.S. and China - what we all know, but good summary analysis nevertheless
Now China wants to censor online comments - A draft update of rules that would dramatically increase the power of China’s censorship machine, but platforms will pay the price - this is next level total control.
Pegasus used by at least 5 EU countries, NSO Group tells lawmakers -
Related (behind a paywall) was the revelation this week that the former French ambassador to the United States, Gérard Araud, worked for several companies including the cybersecurity company NSO Group.
California Man Known As “icloudripper4you” Sentenced To Nine Years In Federal Prison For Stealing Nude Photographs And Images From Apple iCloud Accounts - from the 2014 iCloud breaches - the scale is of note - he maintained approximately 3.5 terabytes of victim data on cloud and physical storage, containing content attributable to more than 500 victims.
Sovereignty requirements remain in cloud certification scheme despite backlash - The draft Cybersecurity Certification Scheme for Cloud Services (EUCS), seen by EURACTIV, includes sovereignty requirements on European data localisation and foreign law immunity in spite of strong opposition from some member states and the private sector - lobbying by US big tech doesn’t seem to be working in Europe, and/or Europe is simply resolute on this outcome.
Russian military intelligence service probably hijacked NATO computers that are used to plan future air combat - German reporting on APT28 and the fact that the German Federal Public Prosecutor has obtained an arrest warrant for Russian hacker Nikolaj Kozachek from the Federal Court of Justice for 2017 incursions - this takes a leaf out of the US playbook of indictment - also known as the non-extradition holiday destination chooser.
Cyber Attacks in Times of Conflict - How different countries have been impacted by cyberattacks relating to the armed conflict in Ukraine.
EU 2022 Strengthened Code of Practice on Disinformation - monster expectations from Europe on disinformation management - you can hear platforms start to sob - then realise there is an as-a-Service opportunity here for someone to develop a play for all the small platforms to leverage.
Phishing gang behind several million euros worth of losses busted in Belgium and the Netherlands - The criminal group contacted victims by email, text message and through mobile messaging applications. These messages were sent by the members of the gang and contained a phishing link leading to a bogus banking website.
Under the microscope: Delegates get into the details as UN cybercrime negotiations move forward - diplomats diplomating.
Wyden, Lummis, Whitehouse (not me), Rubio and Hagerty Introduce Bipartisan Legislation to Protect Americans’ Private Data from Hostile Foreign Governments - interesting take here in the US - also considering that US big tech wants to take the world’s data back to the US - this is a growing trend across all geographies.
The UK launched its Defence Artificial Intelligence Strategy - Our vision is that, in terms of AI, we will be the world’s most effective, efficient, trusted and influential Defence organisation for our size - UK showing 💪
In Canada there was the first reading of An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts in parliament - where the UK and others have led, Canada is following - it requires designated operators to, among other things, establish and implement cyber security programs, mitigate supply-chain and third-party risks, report cyber security incidents and comply with cyber security directions - more regulation is coming.
In the USA CISA released a draft report to their director titled ‘Transforming the Cyber Workforce’ - with a whole host of recommendations and bold moves.
New book released titled ‘Internet Diplomacy: Shaping the Global Politics of Cyberspace’
This week I was fascinated by the proposal in the CISA draft report mentioned above for a 311 of Cyber (NHS of Cyber for Brits) with this statement:
CISA must adopt a 311-like experience that acts as a security lifeline. If a small business or member of a local community believes they need support due to a security breach, compromise, or attack, where can they turn? “311 National” envisions locally managed support structures across the nation that are staffed with security response personnel who can assist those in need by providing education, guidance, and real incident response efforts. This will serve as a 311 helpline for information security issues.
This free at point of use cyber response service model is something I have wrestled with on and off over the years. Beyond ‘advice only’ or a third-sector approach (i.e. local charity), the advent of remote delivery mechanisms means it is increasingly becoming possible to provide orchestrated playbooks/hands on keyboard in a cost sustainable way to very large populations. Today NCC Group provides an advice line for an insurer - the killer will be when CISA-like organisations evolve into providing action to victims at hyper scale remotely. It will happen, just a case of when…
Equally interesting this week was what NATO Principal Threat Analyst Dan Black said:
The idea that Russia's cyber program is tied down in Ukraine isn't true and is giving a lot of folks a false sense of security. A friendly reminder that Moscow is capable of sustaining global operations and that more than one service has a destructive program waiting in the wings.
I personally would value gaining insight into the evidence that underpins this assessment.
I have also been enjoying what I can only describe as the rise of the first ‘cyber-anti-think-tank’ - namely the organisation that is The Glasshouse Center. Having cyber professionals with decades of individual hands on technical experience come together and challenge policy publications (among other things) is a refreshing reality check.
WARNING: if there are little ears around there is some profanity.
Finally this video from INTERPOL is pretty Hollywood:
Have a lovely Saturday
Cyber threat intelligence
Who is doing what to whom and how.
Cyberattack by APT28 using CredoMap malware
Russia continues its trade in Ukraine.
The meta-data indicate a modification of the document on June 9, 2022, and therefore its distribution could have been carried out on June 10, 2022.
According to the set of characteristic features, we consider it possible to associate the detected activity with the activity of the APT28 group.
CALISTO continues its credential harvesting campaign
Based originally on reporting by others an analysis of this Russia-nexus threat actor who targets Western NGOs, think tanks and the defense sector.
It’s worth mentioning that CALISTO operators just followed the GitHub README of the EvilGinx project, creating default redirection for some of their VPS to the YouTube Rickroll video. Additional servers redirect to the New York Times home page, these two OPSEC fails allowing us to find more servers easily.
By digging deeper a phishing domain (file-milgov[.]systems) targeting the Ukrainian MOD drew our attention. Unlike the previous CALISTO domains, this one uses a webpage written in PHP to capture credentials.
The IT Army of Ukraine: Structure, Tasking and Ecosystem
Stefan Soesanto provides an academic look at the mechanics of the Ukrainian aligned offensive capability.
The IT Army of Ukraine is a unique and smart construct whose organizational setup and operational impact will likely inform the art of cyber and information warfare in future conflicts. On the public side, the IT Army serves as a vessel that allows the Ukrainian government to utilize volunteers from around the world in its persistent DDoS activities against Russian government and company websites. As of 7 June 2022, this includes 662 targets. On the non-public side, the IT Army’s in-house team likely maintains deep links to – or largely consists of – the Ukrainian defense and intelligence services
Defending Ukraine: Early Lessons from the Cyber War
An extensive publication from a cloud hyper scaler on their experience which will no doubt be referenced everywhere. It also contains a glimmer of hope for us all:
A defining aspect of these destructive attacks so far has been the strength and relative success of cyber defenses. While not perfect and some destructive attacks have been successful, these cyber defenses have proven stronger than offensive cyber capabilities
Chinese actor takes aim, armed with Nim Language and Bizarro AES
Israeli reporting on Chinese activity by the group tracked as Tropic Trooper, Pirate Panda, APT 23, Iron, KeyBoy, Bronze Hobart and Earth Centaur. The fact they are collecting information on local wireless networks is the call out.
The infection chain includes a previously undescribed loader (dubbed “Nimbda”) written in Nim language.
This loader was observed bundled with a Chinese language greyware “SMS Bomber” tool that is most likely illegally distributed in the Chinese-speaking web.
A new variant of the ‘Yahoyah’ Trojan focused on collecting information about local wireless networks.
Carefully modified AES cipher shows cryptographic know-how on part of attackers.
Insights on the campaign infrastructure.
BRONZE STARLIGHT Ransomware Operations Use HUI Loader
Interesting reporting suggesting that ransomware operations were a cover for standard espionage activities by a Chinese APT.
The victimology, short lifespan of each ransomware family, and access to malware used by government-sponsored threat groups suggest that BRONZE STARLIGHT’s main motivation may be intellectual property theft or cyberespionage rather than financial gain. The ransomware could distract incident responders from identifying the threat actors’ true intent and reduce the likelihood of attributing the malicious activity to a government-sponsored Chinese threat group.
BRATA is evolving into an APT
Organised crime evolving their capabilities, demonstrating once more they have got game and technical research and development capabilities.
Threat Actors behind BRATA now target a specific financial institution at a time, and change their focus only once the targeted victim starts to implement consistent countermeasures against them.
A new phishing technique that is in charge of mimicking a login page of the targeted bank;
Brand new classes in charge to acquire GPS, overlay, SMS and device management permissions;
Sideloading a piece of code (second stage) downloaded from its C2 to perform Event Logging
ToddyCat: Unveiling an unknown APT actor attacking high-profile entities in Europe and Asia
Giampaolo Dedola outlines a new(ish) APT which can’t be attributed, but whose victimology was initially Vietnam and Taiwan.
ToddyCat is a relatively new APT actor that we have not been able to relate to other known actors, responsible for multiple sets of attacks detected since December 2020 against high-profile entities in Europe and Asia. We still have little information about this actor, but we know that its main distinctive signs are two formerly unknown tools that we call ‘Samurai backdoor’ and ‘Ninja Trojan’.
Backdoor via XFF
Charles Lomboni, Venkat Rajgor and Felipe Duarte cover a novel set of techniques which bypassed certain content delivery network protections to reach the attackers’ webshell.
We found that the attackers used a known bypass technique abusing the X-FORWARDED-FOR (XFF) HTTP header to manipulate Cloudflare barriers, escape detection, and access a forbidden service that was supposed to be exposed only to selected ranges
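The write-up above describes the general class of bypass rather than a specific configuration, so here is an added example (my own illustration, not code from the post or from the Securonix authors) of the defensive point it makes: an allow-list that believes the X-Forwarded-For header a client can set is no allow-list at all, and the header is only meaningful when the request arrives from a proxy you control and you walk the chain from that proxy inwards. The CDN egress range, the allowed client range and the sample requests are all constructed for this example.

```python
"""
Added example: naive vs hardened client-IP resolution behind a CDN/reverse proxy.

Assumptions (constructed for this example):
  TRUSTED_PROXIES - the egress range of the CDN/proxy in front of the service
  ALLOWED_CLIENTS - the only range that may reach the restricted path
"""
import ipaddress

TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]   # constructed CDN egress range
ALLOWED_CLIENTS = [ipaddress.ip_network("198.51.100.0/24")]  # constructed "office" range


def _in(addr, nets):
    """True if addr (a string) falls inside any of the given networks."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on garbage
    return any(ip in n for n in nets)


def client_ip_naive(headers, peer_ip):
    """Weak: believe whatever the request put in X-Forwarded-For.
    Anyone who can reach the origin directly, or who sends the header through
    the CDN, chooses their own 'client' address."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return peer_ip


def client_ip_hardened(headers, peer_ip):
    """Hardened: only trust the header when the TCP peer is one of our proxies,
    then walk the chain from the right, discarding hops we trust; the first
    untrusted address is the real client. Malformed entries fail closed."""
    if not _in(peer_ip, TRUSTED_PROXIES):
        return peer_ip  # direct connection: the header is attacker-controlled
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not _in(hop, TRUSTED_PROXIES):
                return hop
        except ValueError:
            return peer_ip
    return peer_ip  # every hop was one of ours; treat the proxy itself as the client


def is_allowed(resolver, headers, peer_ip):
    """Access decision for the restricted path using the chosen resolver."""
    try:
        return _in(resolver(headers, peer_ip), ALLOWED_CLIENTS)
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed request: a direct connection (not via the CDN) carrying a forged header.
    hdrs, peer = {"X-Forwarded-For": "198.51.100.10"}, "192.0.2.55"
    print("naive allows forged header:", is_allowed(client_ip_naive, hdrs, peer))
    print("hardened allows forged header:", is_allowed(client_ip_hardened, hdrs, peer))
```

The hardened form is also why origin servers behind a CDN should accept connections only from the CDN's published address ranges: if the peer is not a trusted proxy, nothing in the request headers can be used to decide who the client is.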
MuddyWater’s “light” first-stager targeting Middle East
A detailed look at an Iranian campaign running from November 2020 to January 2022 which always started with a compressed file wrapping a malicious Word document containing VBA macros.
Lyceum suicide drone
Another Iranian campaign using different and similarly clumsy tradecraft.
The downloaded file is a reverse shell that impersonates an Adobe update. The group has previously used this method
The reverse shell is dropped by a parent file signed with a fake Microsoft certificate, along with a lure PDF document and an executable designed to establish persistence.
There seems to be a shared use of fake Microsoft certificates by a variety of Iranian groups, as Phosphorus was previously observed using the same method.
Additionally, the lure PDF document relates to drone attacks conducted in Iran, resembling a similar document previously employed by SiameseKitten.
Resurgence of Voicemail-themed Phishing Attacks Targeting Key Industry Verticals in US
This threat actor decided to target a cyber security company so Sudeep Singh drops the goods on them. It is the audaciousness of the campaign more than anything coupled with the mixed media/transport tradecraft.
In this new instance of the campaign, the threat actor has targeted users in US-based organizations in specific verticals including software security, US military, security solution providers, healthcare / pharmaceutical, and the manufacturing supply chain.
Voicemail-themed phishing campaigns continue to be a successful social engineering theme used by this threat actor to lure victims in opening a malicious attachment.
Multiple key industry verticals in the US such as military, software security vendors, healthcare, pharmaceuticals, and the manufacturing supply chain were targeted by this threat actor.
The goal of the threat actor is to steal credentials of Office365 and Outlook accounts, both of which are widely used in large enterprises.
A CAPTCHA is used by the threat actor to guard the final credential phishing page from automated URL analysis algorithms.
Each URL is specifically crafted for the targeted individual and the targeted organization.
The campaign is active at the time of publishing this report.
Spyware vendor targets users in Italy and Kazakhstan
I suspect the techniques used here will lead to changes in Apple iOS in the short to mid term to stop the misuse of the enterprise app features.
All campaigns TAG observed originated with a unique link sent to the target. Once clicked, the page attempted to get the user to download and install a malicious application on either Android or iOS. In some cases, we believe the actors worked with the target’s ISP to disable the target’s mobile data connectivity. Once disabled, the attacker would send a malicious link via SMS asking the target to install an application to recover their data connectivity. We believe this is the reason why most of the applications masqueraded as mobile carrier applications. When ISP involvement is not possible, applications are masqueraded as messaging applications.
To distribute the iOS application, attackers simply followed Apple instructions on how to distribute proprietary in-house apps to Apple devices and used the itms-services protocol with the following manifest file and using com.ios.Carrier as the identifier.
Client-side Magecart attacks still around, but more covert
Interesting point here is that a move away from the client side risks blinding the threat intelligence community’s current tradecraft.
One thing we know is that if the Magecart threat actors decided to switch their operations exclusively server-side then the majority of companies, including ours, would lose visibility overnight. This is why we often look up to researchers that work the website cleanups. If something happens, these guys would likely notice it.
For now we can say that Magecart client-side attacks are still around and that we could easily be missing them if we rely on automated crawlers and sandboxes, at least if we don’t make them more robust.
APT-C-56 (Transparent Tribe) Disguised Tracking Briefing of Indian Defense Ministry Mail Attack
Chinese reporting on a Pakistani government threat actor targeting India using maldocs.
The malicious document title masquerades as a data table, enticing the target to open it.
The document contains macro code. Once the user inadvertently clicks the start macro function, the malicious macro code hidden inside runs automatically.
Matanbuchus: Malware-as-a-Service with Demonic Intentions
Useful if for no other reason than to understand the price point such malware-as-a-service goes for.
In February 2021, BelialDemon advertised a new malware-as-a-service (MaaS) called Matanbuchus Loader and charged an initial rental price of $2,500
Malicious PowerShell Targeting Cryptocurrency Browser Extensions
A PowerShell infostealer script was identified by Xavier Mertens which targets crypto-currency browser apps or extensions. It targets numerous browsers, including Chrome, Brave, and Edge.
King Fishers — APT-Q-2 (Kimsuky)
Chinese report on North Korean activity, covering various operations they have run. We have covered them extensively and this reporting can be seen as an aggregation but doesn’t provide any new material insights.
New IceXLoader 3.0 – Developers Warm Up to Nim
Joie Salvio and Roy Tay detail the evolution of developer technologies in use by this organised threat actor. The likely motivation is to frustrate detection and analysis due to the language’s relative newness, coupled with an overlap with the developer community supporting other Russian criminal groups.
IceXLoader is a commercial malware used to download and deploy additional malware on infected machines. The latest version is written in Nim, a relatively new language utilized by threat actors the past two years, most notably by the NimzaLoader variant of BazarLoader used by the TrickBot group.
How we find and understand the latent compromises within our environments.
Discovering A Forensic Artefact
Didier Stevens documents the process of identifying a previously undocumented forensic artefact in RTF documents. These hooks can be terribly useful - my advice is read, learn and apply.
A deep dive into Sigma rules and how to write your own threat detection rules
Hardik Manocha drops the wisdom here.
Detecting UnPACing and shadowed credentials
Henri Hambartsumyan shares some keen insights on how to develop robust detection tradecraft through research.
When playing around with Certipy and Rubeus in a recent project, I got into the rabbit hole. Going through the attacks implemented in Certipy, I wanted to build as many solid detections as possible — essentially revisiting our earlier work on ADCS abuse detection. The rabbit hole started when I began looking into the KDC options, their meaning and how they were used in these tools.
I managed to squeeze out quite some high-fidelity detections, of which I want to share two today.
Netstat with Timestamps
A useful tool by Grzegorz Tworek to use during volatile collection. The technique will likely be incorporated into other tooling now it is public knowledge.
Somewhat like netstat, but with timestamps for connections.
Detecting Linux Anti-Forensics Log Tampering
Lina Lau provides some practical tradecraft to detect log erasing on Linux.
In this post, I will walk through two methods of removing and tampering with these artefacts to delete the malicious logins you want to hide. The first method removes the log line completely from the file through overwriting the binary file, the second method focuses on altering the hex of the file but is more obvious to detect. I will then walk through a simple way of detecting both methods based on timestamps that you can check. If timestamps are king – then I’ll be his queen!
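To make the timestamp idea concrete, here is an added example of my own (not code from Lina Lau’s post) that builds a small wtmp-style file in memory and applies two checks that follow from how wtmp is written: records are only ever appended by login and logout, so their timestamps must never go backwards, and the file’s modification time should sit close to the timestamp of its last record. The record layout used is the glibc struct utmp layout for x86_64 (384 bytes); the users, hosts, times and the two tampered variants are all constructed.

```python
"""
Added example: detecting wtmp tampering from timestamps.

Assumptions: glibc x86_64 struct utmp layout (384-byte records); all sample
users, hosts and times are constructed. Real files would be read from
/var/log/wtmp and the mtime taken from os.stat().
"""
import struct

UTMP_FMT = "<hxxi32s4s32s256shhiii4i20s"  # ut_type, pad, ut_pid, ut_line, ut_id, ut_user, ut_host,
                                           # exit_status(2), ut_session, tv_sec, tv_usec, addr_v6, unused
UTMP_SIZE = struct.calcsize(UTMP_FMT)      # 384
USER_PROCESS, DEAD_PROCESS = 7, 8          # login / logout record types
T0 = 1655000000                            # constructed base time (June 2022, UTC)


def make_record(ut_type, pid, line, user, host, ts):
    """Pack one utmp record; string fields are NUL-padded as in the C struct."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0, b"")


def parse_wtmp(blob):
    """Unpack a wtmp byte string into a list of dicts (trailing partial record ignored)."""
    records = []
    for off in range(0, len(blob) - len(blob) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, blob, off)
        records.append({"type": f[0], "pid": f[1],
                        "line": f[2].rstrip(b"\0").decode(),
                        "user": f[4].rstrip(b"\0").decode(),
                        "host": f[5].rstrip(b"\0").decode(),
                        "ts": f[9]})
    return records


def find_tampering(records, file_mtime, slack=300):
    """Return a list of findings. Checks: zeroed-in-place records, timestamps
    that go backwards, and an mtime far from the last record's timestamp
    (a rewritten file gets a fresh mtime even when its records look tidy)."""
    findings, prev = [], None
    for i, r in enumerate(records):
        if r["type"] == 0 and r["ts"] == 0 and not r["user"]:
            findings.append(f"record {i}: zeroed in place")
            continue
        if prev is not None and r["ts"] < prev:
            findings.append(f"record {i}: timestamp {r['ts']} earlier than previous {prev}")
        prev = r["ts"]
    if records and abs(file_mtime - records[-1]["ts"]) > slack:
        findings.append(f"file mtime {file_mtime} is {file_mtime - records[-1]['ts']}s "
                        f"from last record {records[-1]['ts']}")
    return findings


def build_scenarios():
    """Return (clean, backdated, rewritten) wtmp blobs, all constructed."""
    recs = [
        make_record(USER_PROCESS, 2101, "pts/0", "alice", "10.0.0.20", T0),
        make_record(USER_PROCESS, 2188, "pts/1", "mallory", "198.51.100.9", T0 + 600),
        make_record(DEAD_PROCESS, 2101, "pts/0", "", "", T0 + 1200),
        make_record(DEAD_PROCESS, 2188, "pts/1", "", "", T0 + 1800),
        make_record(USER_PROCESS, 2301, "pts/0", "bob", "10.0.0.21", T0 + 3600),
    ]
    clean = b"".join(recs)
    # In-place edit: the suspicious login's timestamp patched to a day earlier.
    backdated = b"".join([recs[0], make_record(USER_PROCESS, 2188, "pts/1", "mallory",
                                                "198.51.100.9", T0 - 86400)] + recs[2:])
    # Rewrite: the login and its logout dropped and the file written out again.
    rewritten = b"".join([recs[0], recs[2], recs[4]])
    return clean, backdated, rewritten


if __name__ == "__main__":
    clean, backdated, rewritten = build_scenarios()
    print("clean:", find_tampering(parse_wtmp(clean), T0 + 3600))
    print("backdated:", find_tampering(parse_wtmp(backdated), T0 + 3600))
    print("rewritten (file saved an hour later):", find_tampering(parse_wtmp(rewritten), T0 + 7200))
```

The mtime check is the weaker of the two, since an attacker who also resets the file’s timestamps defeats it; corroborating wtmp against independently written sources (auth logs, shipped-off-host events) is what closes that gap.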
Detecting the DFSCoerce attack
Gianni Castaldi shows how to detect DFSCoerce in Microsoft Windows environments. DFSCoerce is where MS-DFSNM is used to coerce authentication via the NetrDfsRemoveStdRoot call. One coerces authentication in order to elicit NTLM hashes.
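Tying the Sigma piece above to this one: here is an added example of my own (not code from either article, and not a published rule) of a tiny evaluator for the Sigma rule subset most detection rules use, a selection map, an optional filter, and a “selection and not filter” condition, run over a handful of constructed Windows security events. The illustrative rule keys on Event ID 5145 (detailed file share access, which needs the “Audit Detailed File Share” policy enabled on the domain controller) for the IPC$ share and the netdfs named pipe, the endpoint MS-DFSNM is carried over, and filters out the domain controllers that legitimately talk to each other. Field names, the DC addresses and the events are assumptions for this example.

```python
"""
Added example: a minimal Sigma-style rule evaluator with an illustrative
DFSCoerce rule. The rule and events are constructed; field names follow the
Windows security log (EventID, ShareName, RelativeTargetName, IpAddress).
"""
import fnmatch

RULE = {
    "title": "Possible DFSCoerce: MS-DFSNM pipe opened from a non-DC address",
    "logsource": {"product": "windows", "service": "security"},
    "detection": {
        "selection": {
            "EventID": 5145,
            "ShareName": "\\\\*\\IPC$",        # Sigma wildcard: matches \\<host>\IPC$
            "RelativeTargetName": "netdfs",    # named pipe carrying MS-DFSNM
        },
        # constructed: domain controller addresses, which legitimately use DFSNM
        "filter": {"IpAddress": ["10.0.0.10", "10.0.0.11"]},
        "condition": "selection and not filter",
    },
}

# Constructed events in the shape of Windows security log records.
EVENTS = [
    {"EventID": 5145, "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "netdfs",
     "IpAddress": "10.0.0.50", "SubjectUserName": "svc-backup"},     # should alert
    {"EventID": 5145, "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "netdfs",
     "IpAddress": "10.0.0.11", "SubjectUserName": "DC02$"},          # DC-to-DC, filtered
    {"EventID": 5145, "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "srvsvc",
     "IpAddress": "10.0.0.50", "SubjectUserName": "svc-backup"},     # different pipe
    {"EventID": 4624, "IpAddress": "10.0.0.50", "SubjectUserName": "svc-backup"},
]


def _match_value(pattern, value):
    """Numbers compare exactly; strings use Sigma's '*' / '?' wildcards."""
    if isinstance(pattern, (int, float)):
        return value == pattern
    return fnmatch.fnmatchcase(str(value), str(pattern))


def _match_map(spec, event):
    """A selection map: every field must match; a list of values is an OR."""
    for field, pattern in spec.items():
        if field not in event:
            return False
        patterns = pattern if isinstance(pattern, list) else [pattern]
        if not any(_match_value(p, event[field]) for p in patterns):
            return False
    return True


def _eval_condition(cond, names):
    """Left-to-right evaluation of 'a', 'a and b', 'a or not b', ... (no brackets)."""
    result, op, negate = None, None, False
    for tok in cond.split():
        if tok in ("and", "or"):
            op = tok
            continue
        if tok == "not":
            negate = True
            continue
        val = names[tok] != negate  # apply pending 'not'
        negate = False
        if result is None:
            result = val
        elif op == "and":
            result = result and val
        else:
            result = result or val
    return bool(result)


def evaluate(rule, event):
    """True if the event satisfies the rule's detection block."""
    det = rule["detection"]
    names = {k: _match_map(v, event) for k, v in det.items() if k != "condition"}
    return _eval_condition(det["condition"], names)


def run_rule(rule, events):
    """Return the events that fire the rule."""
    return [e for e in events if evaluate(rule, e)]


if __name__ == "__main__":
    for hit in run_rule(RULE, EVENTS):
        print(RULE["title"], "->", hit["IpAddress"], hit["SubjectUserName"])
```

The filter is where the fidelity comes from: the pipe access itself is normal between domain controllers, so the rule is only as good as the list of hosts that are expected to make the call.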
How we proactively defend our environments.
Attack Surface Reduction Dashboard for Microsoft Sentinel
Daniel Chronlund gives us some management dashboards to appease the PowerPoint gods.
Today I’m happy to announce my new Attack Surface Reduction Dashboard. This dashboard helps you implement the ASR rules of Windows/Defender, and to monitor them over time. The dashboard can filter on rules in Audit mode and Block mode.
Establish security boundaries in your on-prem AD and Azure environment
Jonas Bülow Knudsen gives us, via content-led marketing for BloodHound Enterprise, some solid advice on how to practically avoid ending up with total compromise between our legacy and cloud environments.
This blog post provides a high-level explanation of how to implement security boundaries in an on-prem AD and Azure environment to protect your critical assets based on the principle of tiered administration, including how BloodHound Enterprise can help you in the process. Finally, we will cover how to organize your AD objects and Azure resources in a structure that reflects your security boundaries.
Attack capability, techniques and tradecraft.
Ekko: Sleep Obfuscation
On June 8th I posted this question
Then, unrelated, something akin (albeit smaller/more focused) was published, which is super tricky to detect cost effectively today.
A small sleep obfuscation technique that uses CreateTimerQueueTimer to queue up the ROP chain that performs Sleep obfuscation
Studying “Next Generation Malware” - NightHawk’s Attempt At Obfuscate and Sleep
Austin Hudson does some analysis on one of the newer Cobalt Strike challengers.
Over the last year and a half, I’ve often seen mentions of a self-proclaimed “next generation malware” of the name NightHawk. Ordinarily, I’d know most of those claims tend to be nothing more than hubris, and choose to ignore it, but, I get bored. As such, I’ve chosen to start analyzing and tearing about the malware based on samples I acquired via VirusTotal, a hub which contains a plethora of commercial, closed-source, and open source samples. This research is done on my own time, and is not associated with anyone other than myself. I’ve torn about other similar malware such as Beacon from Cobalt Strike.
TLDR: A very simple, yet effective technique. Can this be replicated with ease? Yes! Was it something new? Fortunately, no. A little disappointed? A bit.
Oh my API
Askar documents Abusing TYK cloud API management to hide your malicious C2 traffic through yet another cloud service.
Hiding your malicious C2 traffic through legitimate channels is challenging nowadays, especially while CDN providers block all known techniques to use domain fronting to hide your malicious traffic.
For that reason, I was looking for a service that I can (ab)use to forward and hide my malicious C2 traffic using their domains without exposing my original attack infrastructure, and I came across tyk.io which is a Cloud-native API management platform used by a lot of applications worldwide to manage their API calls via the cloud.
Norbert Tihanyi makes EDR vendors sob.
A list of useful Powershell scripts with 100% AV bypass (At the time of publication).
Relaying to ADFS Attacks
Adam Crosser brings credential relaying to the ☁️
During red team engagements over the last few years, I’ve been curious whether it would be possible to authenticate to cloud services such as Office365 via a relay from New Technology LAN Manager (NTLM) to Active Directory Federation Services (ADFS). If possible, this would unlock an entirely new attack surface for NTLM relaying attacks as it would allow an attacker to pivot to cloud-hosted applications and services. In this article, I detail the process I used for investigating the feasibility of these attacks, share the ultimate result, and discuss the inner workings of NTLM and extended protection for authentication. Praetorian also has developed and is releasing an open source tool ADFSRelay and NTLMParse, which can be used for performing relaying attacks targeting ADFS and analyzing NTLM messages respectively.
Arsenal Kit Update: Thread Stack Spoofing
Greg Darwin documents a new feature in Cobalt Strike which will frustrate some EDR vendors… why Greg.. why.. 😭
AV and EDR detection mechanisms have been improving over the years and one specific technique that is used is thread stack inspection. This technique determines the legitimacy of a process that is calling a function or an API.
NlsCode Injection Through Registry
Novel persistence technique on Windows which blue teams should be aware of.
DLL injection through code page id modification in the registry. It requires administrator privileges.
Our attack surface.
CVE-2022-32158 Splunk Enterprise deployment servers code execution
This is one of numerous vulnerabilities recently patched in Splunk.
Splunk Enterprise deployment servers in versions before 9.0 let clients deploy forwarder bundles to other deployment clients through the deployment server. An attacker that compromised a Universal Forwarder endpoint could use the vulnerability to execute arbitrary code on all other Universal Forwarder endpoints subscribed to the deployment server.
Does Acrobat Reader Unload Injection of Security Products?
Adobe observed unloading EDR injections in their processes.. not cricket..
However, any vendor that uses libcef.dll can easily change this DLL list. The hard-coded DLL list in the Adobe libcef.dll version we checked had been edited and was surprisingly longer and also contains the DLLs of the following security products:
CMC Internet Security
Samsung Smart Security ESCORT
Miracle - One Vulnerability To Rule Them All
Remember the Unbreakable marketing campaign?
Deep-dive into pre-auth RCEs in Oracle Fusion Middleware-based products, fixed in April 2022 CPU
What is being exploited.
Novel Exploit in Mitel VOIP Appliance
Zero-day caught being exploited in the wild
A novel remote code execution exploit [was] used by the threat actor to gain initial access to the environment.
Some other small bits and bobs which might be of interest.
Password policies of most top websites fail to follow best practices - We can debate what is best practice and what is evidenced to actually work - either way some useful work from Princeton.
Addressing Cybersecurity Challenges in Open Source Software: The current state of open source software security and methods to address and improve your cybersecurity posture
Building a launchpad for satellite cyber-security research: lessons from 60 years of spaceflight -
Damn Vulnerable DeFi - Damn Vulnerable DeFi is a wargame to learn offensive security of DeFi smart contracts
‘Unpacking’ technical attribution and challenges for ensuring stability in cyberspace -
Improving AI-based defenses to disrupt human-operated ransomware - primarily content led marketing for a product; discusses three primary techniques:
A time-series and statistical analysis of alerts to look for anomalies at the organization level
Graph-based aggregation of suspicious events across devices within the organization to identify malicious activity across a set of devices
Device-level monitoring to identify suspicious activity with high confidence
A closer look at CVSS scores - Reviewing version 3.1 with a high level of rigour
The hateful eight: [A] guide to modern ransomware groups’ TTPs - good summary of TTPs.
Sandworms and Computer Worms: An Assessment of American Critical Infrastructure Cyber Vulnerabilities and the Russian Federation's Growing Offensive Capabilities - Honours Thesis from April of this year.
Live Incident Response with Velociraptor - great video on how to use this wonderful open source product.
Finally, they may look like a quant trading outfit, but they are instead an organised crime outfit who decided to have a team photo taken. These are the administrators of the RSOCKS proxy botnet which was taken down by the United States, Germany, the Netherlands and the U.K. - the below photo comes from reporting by Brian Krebs in his article Meet the Administrators of the RSOCKS Proxy Botnet
That’s all folks.. until next week..