Bluepurple Pulse: week ending March 26th
China popping telecommunications..
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week the fallout from the Fortra GoAnywhere vulnerability from early February continues to be felt. This includes Rubrik’s response, Rio Tinto being impacted and then reporting that 130 organizations have been breached, with the attacks linked to Cl0p. This is what happens when organized crime identifies and exploits vulnerabilities at scale. Beyond that, the level of activity and reporting this week is very busy..
In the high-level this week:
SEC Proposes New Requirements to Address Cybersecurity Risks to the U.S. Securities Markets - “requirements for broker-dealers, clearing agencies, major security-based swap participants, the Municipal Securities Rulemaking Board, national securities associations, national securities exchanges, security-based swap data repositories, security-based swap dealers, and transfer agents (collectively, “Market Entities”) to address their cybersecurity risks” - sweeping!
The CEO Report on Cyber Resilience: We spoke with 37 CEOs on how they manage cybersecurity risk - with my favorite quote “This was the worst experience in my career.”
Ukraine scrambles to draft cyber law, legalizing its volunteer hacker army - “Ukraine's government is drafting a new law to bring its volunteer hacker brigade, the IT Army, into the armed forces, aiming to put an end to uncertainty about its status in a legal gray area that has drawn pointed warnings from the Red Cross.”
Dossier Center Investigation: Prigozhin's Cyber Troops - someone systematically hacked Wagner’s IT and the resulting leaks are 🤯
Cyber security strategy for health and social care: 2023 to 2030 - from the 🇬🇧, truly impressive piece of work.
Legal activity both state and private:
Two Men Charged for Breaching Federal Law Enforcement Database and Posing as Police Officers to Defraud Social Media Companies - “accessed without authorization the email account of a foreign law enforcement officer, and used it to defraud social media companies by making purported emergency requests for information about the companies’ users”.
Justice Department Investigation Leads to Takedown of Darknet Cryptocurrency Mixer that Processed Over $3 Billion of Unlawful Transactions - “Vietnamese Operator of ChipMixer Charged with Laundering Money for Ransomware Perpetrators, Darknet Markets, Fraudsters, and State-Sponsored”
John Doe v MKS Instruments Lawsuit Complaint - “This class action arises from the negligent failure of Defendants to properly create, maintain, preserve, and/or store confidential, medical and personal information of Plaintiff and all other persons similarly situated” - when employees litigate against employers for getting hacked.
Following cyberattack, US conducts first defensive Hunt Operation in Albania - against Iranian intrusions..
Committee of inquiry to investigate the use of the Pegasus and equivalent surveillance spyware - the enquiry continues and this is the latest session..
Related Meta Manager Was Hacked With Spyware and Wiretapped in Greece - Artemis Seaford, a dual U.S.-Greek national, was targeted with a cyberespionage tool while also under a wiretap by the Greek spy agency in a case that shows the spread of illicit snooping in Europe.
This Is the New Leader of Russia's Infamous Sandworm Hacking Unit - career progression in Russian cyber… another story of when technologists get forced into management.
Lloyd’s could lose ~$200mn+ cyber business following tough wordings stance - behind a pay wall - but interesting statistic.
Building a Skilled Cyber Security Workforce in Five Countries: Insights from Australia, Canada, New Zealand, United Kingdom, and United States by the OECD - interesting bit of work for countries who are earlier in their development to learn from.
Cyber Threats to Canada’s Defence Infrastructure from the standing Senate Committee on National Security, Defence and Veterans Affairs featuring amongst other rock stars Sami from the Canadian Cyber Security Centre.
CISA lays out post-EINSTEIN future with shift to ‘Cyber Analytics and Data System’ - “CISA is seeking $424.9 million in the 2024 budget for “CADS.”” - yes, half a billion…
FS-ISAC: Navigating Cyber 2023 - this is a fascinating assertion - “By far, the most significant impact on the financial services cyber threat landscape in 2022 was the Russia-Ukraine war” - supported by what appears mostly low sophistication DDoS
NATO and European Union launch task force on resilience of critical infrastructure - the love bomb between partners globally continues.
The Netherlands are running a Joint Sigint Cyber Unit summer school this year - a two week program for earlier career individuals.
The Australian Parliament just published the most comprehensive exploration yet of the CCP’s ties to TikTok - extensive bit of work here which appears to be the underpinning evidence for a number of higher level decisions.
Cybersecurity of AI and Standardisation - from the EU’s ENISA.
FCC Adopts Its First Rules Focused on Scam Texting - Singapore got here first, but this will be positive for so many reasons.
China and Russia collective security discussions - Interaction between the special services of Russia and China will be strengthened in terms of cybersecurity issues. The Chinese side will prepare and install several test system firewalls for Russia (protection against cyber attacks and complete disconnection of the Internet from the worldwide network) for deployment in major cities - Moscow, St. Petersburg, Kazan, Yekaterinburg, Vladivostok, Grozny, Rostov-on-Don, Krasnodar, Simferopol and a number of other million-plus cities - yet they don’t trust iPhones.. as covered in Kremlin tells officials to stop using iPhones
DGSI called in after a cyberattack by “pro-Russian” and “Islamist” hackers - The French internal intelligence service is investigating, together with the Paris Public Prosecutor's Office, a series of cyberattacks on airports by the hacktivist collective Anonymous Sudan. This supposedly "Islamist" group works directly with Russian hackers.
Journalist plugs in unknown USB drive mailed to him—it exploded in his face - where cyber physical becomes a thing..
Reflections this week come from the Canadian evidence session above. It is clear that political appetite in relation to the various facets of cyber are complex and evolving in various countries. There is going to be a requirement to be bolder in some areas of cyber if we want to achieve the outcomes we desire. But in order to be bolder we are going to have to take the elected officials on a journey it would appear…
Finally there was Vice / Bellingcat investigation which resulted in The US Soldiers Leaking Nuclear Secrets (or why every organization should use PushSecurity - which I am an investor in).
On the interesting job/role front:
Have a lovely Friday
Cyber threat intelligence
Who is doing what to whom and how.
Russia / Ukraine
Substantial reporting on Russia / Ukraine this week.
Russia’s Cyber Tactics: Lessons Learned 2022
The scale is a thing of wonder..
2,194 incidents manually processed by CERT-UA in 2022; 1,148 critical and high-level incidents investigated and mitigated by CERT-UA in 2022.
Winter Vivern | Uncovering a Wave of Global Espionage
Tom Hegel details further Russian activity and attribution. The tradecraft is pretty run of the mill in terms of initial access. The latter stages show a degree of sophistication.
[We] conducted an investigation into Winter Vivern Advanced Persistent Threat (APT) activity, leveraging observations made by The Polish CBZC and Ukraine CERT. Our research has uncovered a previously unknown set of espionage campaigns and targeting activities conducted by this threat actor.
Our analysis indicates that Winter Vivern’s activities are closely aligned with global objectives that support the interests of Belarus and Russia’s governments. The APT has targeted a variety of government organizations, and in a rare instance, a private telecommunication organization.
The threat actor employs various tactics, such as phishing websites, credential phishing, and deployment of malicious documents, that are tailored to the targeted organization’s specific needs. This results in the deployment of custom loaders and malicious documents, which enable unauthorized access to sensitive systems and information.
Gamaredon carried out 74 cyberattacks against Ukraine in 2022
One team was responsible for 74 of them, and as you can see below a lot of the activity centered around gaining credentials. The business case for MFA right there..
Other major targets of Gamaredon for the second half of 2022 included:
Account credentials of Ukrainian Security Service officers in the Signal messaging service to access their accounts for data theft and user de-anonymization.
Communication system of the State Border Guard Service of Ukraine and the SHLIAKH system used by the Border Guard to verify the identities of those crossing the Ukrainian border.
Phishing attacks on the Ministry of Defense of Ukraine.
Defense sector contractors and manufacturers.
Bad magic: new APT found in the area of Russo-Ukrainian conflict
Leonid Bezvershenko, Georgy Kucherin and Igor Kuznetsov detail a regionalized campaign which, as in previous weeks, involves phishing email → LNK file → world of hurt.
In October 2022, we identified an active infection of government, agriculture and transportation organizations located in the Donetsk, Lugansk, and Crimea regions. Although the initial vector of compromise is unclear, the details of the next stage imply the use of spear phishing or similar methods. The victims navigated to a URL pointing to a ZIP archive hosted on a malicious web server. The archive, in turn, contained two files:
A decoy document (we discovered PDF, XLSX and DOCX versions)
A malicious LNK file with a double extension (e.g., .pdf.lnk) that leads to infection when opened
Operation Tainted Love | Chinese APTs Target Telcos in New Attacks
Aleksandar Milenkoski, Juan Andres Guerrero-Saade, and Joey Chen, in collaboration with QGroup shine a light on the evolution of Chinese tradecraft. The point of note is the selective use of thread termination in order to degrade logging.
In Q1 of 2023, [we] observed initial phases of attacks against telecommunication providers in the Middle East.
We assess that this activity represents an evolution of tooling associated with Operation Soft Cell.
While it is highly likely that the threat actor is a Chinese cyberespionage group in the nexus of Gallium and APT41, the exact grouping remains unclear.
[We] observed the use of a well-maintained, versioned credential theft capability and a new dropper mechanism indicative of an ongoing development effort by a highly-motivated threat actor with specific tasking requirements.
in-memory mapping of malicious images to evade EDR API hooks and file-based detections
surgically terminating Event Log threads instead of the host process to inhibit logging without raising suspicions
staging a credential theft capability in the LSASS process itself by abusing native Windows capabilities.
Earth Preta Updated Stealthy Strategies
Vickie Su, Nick Dai and Sunny Lu provide further reporting on Chinese state activity. E-mail once more and I’m going to sound like a broken record - Content Disarm & Reconstruction is an answer here..
We discovered Earth Preta delivering lure archives via spear-phishing emails and Google Drive links. After months of investigation, we found that several undisclosed malware and interesting tools used for exfiltration purposes were used in this campaign. We also observed that the threat actors were actively changing their tools, tactics, and procedures (TTPs) to bypass security solutions. In this blog entry, we will introduce and analyze the other tools and malware used by Earth Preta.
Notorious SideCopy APT group sets sights on India's DRDO
Pakistan going after the government agency tasked with researching and developing advanced technologies for use by the Indian Armed Forces. The tradecraft being like 90% of what we see here week in and week out.
Then there is Chinese reporting on the same campaign.
Spear-phishing emails, with LNK files in compressed packages as the attack entry point;
Loading and executing subsequent payloads in memory without files;
The final payload is an improved open-source Trojan horse written in Delphi or a new Trojan horse written in C++;
The bait content is related to the Indian Ministry of Defense.
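Both the Bad Magic chain above (ZIP → decoy document plus a `.pdf.lnk`) and the SideCopy chain just described (LNK files in compressed packages) begin with an archive carrying a shortcut dressed up as a document. The following is an added example, not code from either report, of the triage step a mail gateway or analyst would run over such an archive: it flags document-looking names that end in a shortcut or script extension, and it also checks each member's first bytes for the Shell Link header, because a renamed `.lnk` is still a `.lnk`. The sample archive is constructed in the code.

```python
from __future__ import annotations

import io
import re
import zipfile

# Extensions a victim reads as "a document" and that lures place before the real one.
DOC_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}
# Extensions that actually execute (or mount a container) when double-clicked.
EXEC_EXTENSIONS = {"lnk", "exe", "scr", "hta", "js", "jse", "vbs", "vbe", "bat", "cmd", "iso", "img"}
DOUBLE_EXT = re.compile(r"\.([a-z0-9]{1,5})\.([a-z0-9]{1,4})$", re.IGNORECASE)

# ShellLinkHeader: HeaderSize 0x4C followed by LinkCLSID {00021401-0000-0000-C000-000000000046}.
LNK_MAGIC = bytes.fromhex("4C000000011402000000000000C000000000000046")


def suspicious_name(name: str) -> str | None:
    """Return a reason if the member name looks like a disguised executable, else None."""
    base = name.rsplit("/", 1)[-1]
    m = DOUBLE_EXT.search(base)
    if m:
        inner, outer = m.group(1).lower(), m.group(2).lower()
        if inner in DOC_EXTENSIONS and outer in EXEC_EXTENSIONS:
            return f"double extension .{inner}.{outer}"
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext in EXEC_EXTENSIONS:
        return f"executable type .{ext} inside archive"
    return None


def scan_archive(data: bytes) -> list[dict]:
    """List archive members that look like a shortcut lure, judged by name and by content."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            reasons = []
            name_reason = suspicious_name(info.filename)
            if name_reason:
                reasons.append(name_reason)
            if head.startswith(LNK_MAGIC):
                reasons.append("Shell Link header magic")
            if reasons:
                findings.append({"name": info.filename, "size": info.file_size, "reasons": reasons})
    return findings


def build_sample_archive() -> bytes:
    """Constructed lure: a decoy PDF, a .pdf.lnk shortcut stub, and a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.pdf", b"%PDF-1.4\n% decoy document body\n")
        # Valid header bytes, zero-padded to the 76-byte ShellLinkHeader; it does nothing.
        zf.writestr("report.pdf.lnk", LNK_MAGIC + b"\x00" * (0x4C - len(LNK_MAGIC)))
        zf.writestr("readme.txt", b"nothing to see here\n")
    return buf.getvalue()


if __name__ == "__main__":
    for hit in scan_archive(build_sample_archive()):
        print(hit)
```

The header check matters more than the name check: Windows Explorer hides known extensions by default, so the victim sees `report.pdf` either way, and an attacker who drops the double extension still cannot drop the header.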
Analysis of Saaiwc's attack activities against the Indonesian government
This Chinese reporting details a campaign which drops some Microsoft build tools to the victim in order to execute the latter phases.
[We discovered] multiple cyber attacks by the Saaiwc organization targeting government departments such as the Indonesian Ministry of Foreign Affairs during daily threat hunting. [The attackers] released an MSBuild project file after inducing execution, then used a scheduled task to trigger the WINLOGON registry entry that starts the MSBuild.exe tool, which generates and loads the malicious payload, thereby completing the stealing operation.
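The reason MSBuild.exe is attractive here is that a project file can carry C# inline (a `UsingTask` with a code task factory and a `<Code>` element) which the signed Microsoft binary compiles and runs at "build" time, so no separate executable ever touches disk. The following is an added example, not code from the report above, of the check an analyst would run over a recovered `.proj`/`.csproj`: it finds inline tasks and the targets that invoke them. The project XML is constructed and its task body is an inert placeholder.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of an inline-task project. The class does nothing;
# in a real loader the decode-and-execute stage would sit inside <Code>.
SAMPLE_PROJECT = r"""<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Build">
    <Stage />
  </Target>
  <UsingTask TaskName="Stage" TaskFactory="CodeTaskFactory"
             AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll">
    <Task>
      <Code Type="Class" Language="cs"><![CDATA[
        using Microsoft.Build.Utilities;
        public class Stage : Task { public override bool Execute() { return true; } }
      ]]></Code>
    </Task>
  </UsingTask>
</Project>
"""

# A project with no inline code, for comparison.
CLEAN_PROJECT = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Build"><Message Text="building" /></Target>
</Project>
"""


def _local(tag: str) -> str:
    """Strip the namespace from an ElementTree tag ('{ns}UsingTask' -> 'UsingTask')."""
    return tag.rsplit("}", 1)[-1]


def find_inline_tasks(project_xml: str) -> list:
    """Return one finding per UsingTask that compiles source from the project file itself."""
    root = ET.fromstring(project_xml)
    findings = []
    for node in root.iter():
        if _local(node.tag) != "UsingTask":
            continue
        code = next((el for el in node.iter() if _local(el.tag) == "Code"), None)
        factory = node.get("TaskFactory", "")
        if code is None and "CodeTaskFactory" not in factory:
            continue  # ordinary task from a compiled assembly
        findings.append({
            "task": node.get("TaskName"),
            "factory": factory,
            "assembly": node.get("AssemblyFile") or node.get("AssemblyName"),
            "language": code.get("Language", "cs") if code is not None else None,
            "code_type": code.get("Type", "Fragment") if code is not None else None,
            "code_bytes": len((code.text or "").strip()) if code is not None else 0,
        })
    return findings


def targets_invoking(project_xml: str, task_name: str) -> list:
    """Names of <Target> elements that call the given task, i.e. what runs on 'msbuild file'."""
    root = ET.fromstring(project_xml)
    return [t.get("Name") for t in root.iter()
            if _local(t.tag) == "Target" and any(_local(c.tag) == task_name for c in t)]


if __name__ == "__main__":
    for f in find_inline_tasks(SAMPLE_PROJECT):
        print(f, "invoked by", targets_invoking(SAMPLE_PROJECT, f["task"]))
```

Pair this with the telemetry side: `MSBuild.exe` started by the Task Scheduler or from a Winlogon registry value, with a project file under a user-writable path as its argument, is not how developers build software.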
SILKLOADER : Journey of a Cobalt Strike beacon loader along the silk road
Mohammad Kazem Hassan Nejad, Bert Steppé and Neeraj Singh document an interesting criminal extension for Cobalt Strike which is being used in the wild.
During our investigations through several human-operated intrusions that resembled precursors to ransomware deployments, we came across an interesting Cobalt Strike beacon loader that leveraged DLL side-loading, which we’re tracking as SILKLOADER. By taking a closer look at the loader, we found several activity clusters leveraging this loader within the Russian as well as Chinese cybercriminal ecosystems.
Lots of North Korean reporting again this week and this is not all of it.
German and South Korea advisory on KIMSUKY
First the joint publications on the Hermit Kingdom continue. This is around their misuse of Google browser add-ons and similar.
The Federal Office for the Protection of the Constitution (BfV) and the National Intelligence Service (NIS) of the Republic of Korea (South Korea) publish a joint security advisory on cyber espionage activities about KIMSUKY
Scarcruft Bolsters Arsenal for targeting individual Android devices
North Korea targeting their Chinese friends through messaging platforms to get manually deployed Android implants down.
Scarcruft is strongly believed to conduct initial penetration by contacting individuals directly via messengers, such as in this case, to trick them into installing a malicious APK disguised as legitimate.
S2W Talon named it "Cumulus" in reference to past samples similar to the type of malware disclosed by InterLab, and named the plugin used by Cumulus "Clugin".
There are three types of Cumulus, depending on whether or not the Clugin is downloaded and the type of messaging service used.
We observed that the Scarcruft group updated the malware's functionality or installed China-specific applications on test devices to target users with Chinese language and Chinese-manufactured mobile devices.
The Unintentional Leak: A glimpse into the attack vectors of APT37
Ooops, bad day in the North Korean office when the developers make a GitHub mistake.
During our threat hunting research, we came across a GitHub repository which is owned by a member of the threat actor group. Due to an operational security (OpSec) failure of the threat actor, we were able to access a wealth of information about the malicious files used by this APT group along with the timeline of their activities dating as far back as October 2020.
Kimsuky group appears to be exploiting OneNote like the cybercrime group
Proof that North Korea observes and adopts the tradecraft of criminal actors.
We have confirmed that the Kimsuky group is distributing malware using a malicious OneNote (.ONE) file, which cybercriminals have widely used.
When viewed, the ONE file displays an image of the Institute for Peace and Democracy at Korea University and asks the target to fill out a privacy agreement document in order to pay them for participating in a survey.
The HWP file is a simple image, not a real attachment, and double-clicking on its location executes a malicious VBS script hidden behind the image to download additional malware.
While the final payload is unavailable, the Kimsuky group is believed to be behind this malicious OneNote campaign due to the parameters the group has used to distribute the Babyshark malware and its fake email disguised as a form of compensation.
When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule
John Dwyer provides insight to North Korea’s tampering with security telemetry. He also provides a good tip on how to detect anomalies.
The FudModule’s attack against ETW registration handles may disable ETW monitoring providers, but [we were] not able to uncover evidence that the malware prevents new ETW registration handles from being created and used. Defenders can leverage this opportunity to register a new ETW session to an existing security-related ETW provider, create test data, and compare the telemetry between the new ETW session and the existing ETW session
Not‑so‑private messaging: Trojanized WhatsApp and Telegram apps go after cryptocurrency wallets
Lukas Stefanko and Peter Strýček detail a North Korean operation using mobile apps to go after crypto assets. Clippers refers to the technique of swapping clipboard content.
[We] found the first instance of clippers built into instant messaging apps.
Threat actors are going after victims’ cryptocurrency funds using trojanized Telegram and WhatsApp applications for Android and Windows.
The malware can switch the cryptocurrency wallet addresses the victim sends in chat messages for addresses belonging to the attacker.
Some of the clippers abuse optical character recognition to extract text from screenshots and steal cryptocurrency wallet recovery phrases.
In addition to clippers, we also found remote access trojans (RATs) bundled with malicious Windows versions of WhatsApp and Telegram.
$197 Million Stolen: Euler Finance Flash Loan Attack Explained
Attributed to North Korea; how that attribution was arrived at is TBC.
UNC961: Three Encounters with a Financially Motivated Threat Actor
Ryan Tomcik, Rufus Brown and Josh Fleischer document organized crime’s use of known (n-day) vulnerabilities for initial access before the deployment of ransomware.
UNC961 takes a cost-effective approach to accessing each victim by leveraging publicly accessible exploit code from recently disclosed vulnerabilities and weaponizing them for use. We have often observed UNC961 exploit popular Internet-facing application servers, including Atlassian Confluence (CVE-2021-26084), Citrix ADC (CVE-2019-19781), Oracle WebLogic (CVE-2020-14750), Gitlab (CVE-2021-22205) and others. After gaining access, UNC961 has commonly targeted and exfiltrated sensitive data, including network reconnaissance and credential information that could be sold or used in support of follow-on missions. In multiple instances, UNC961 intrusion activity has preceded the deployment of MAZE and EGREGOR ransomware from distinct follow-on actors.
Inside Mispadu massive infection campaign in LATAM
The scale of the bounty is of note here:
Due to a misconfiguration in the attackers’ network, Metabase Q was able to access 8 of the 20 Command and Control Servers (C2s). Most of these were compromised websites. In the files containing the stolen credentials, we discovered a total of 90,518 credentials coming from 17,595 unique websites across all industry sectors.
A look at a Magecart skimmer using the Hunter obfuscator
How we find and understand the latent compromises within our environments.
Exploit Outlook CVE-2023-23397 Yara
Yara rule from Florian et al.
CISA Untitled Goose Tool Aids Hunt and Incident Response in Azure, Azure Active Directory, and Microsoft 365 Environments
🇺🇸 Government provide some valuable tooling for those contesting Microsoft environments.
Untitled Goose Tool is a robust and flexible hunt and incident response tool that adds novel authentication and data gathering methods in order to run a full investigation against a customer’s Azure Active Directory (AzureAD), Azure, and M365 environments. Untitled Goose Tool gathers additional telemetry from Microsoft Defender for Endpoint (MDE) and Defender for Internet of Things (IoT) (D4IoT).
Serverless Domain Hunting: Track Newly Registered Domains With Ease
Lovely little bit of engineering here..
In this post, we’ll leverage AWS serverless architecture and show you how to stay ahead of adversaries and keep an eye on emerging domains—with little effort and without breaking the bank.
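The serverless plumbing in that post gets the newly registered domain feed in front of you cheaply; the part that decides whether a given name deserves a ticket is the matching logic. The following is an added example, not code from the post, of that matching step: it checks each label against a brand list for exact matches on other TLDs, homoglyph substitutions, brand keywords with extra tokens, and small edit distances. The brand list and the sample feed are constructed.

```python
from __future__ import annotations

# Constructed watch list; replace with the brand and product names you actually own.
BRANDS = ["examplebank", "acmecloud"]

# Look-alike substitutions seen in typosquats, mapped back to the letters they imitate.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("4", "a"), ("5", "s")]

# Constructed stand-in for one day's newly registered domains.
SAMPLE_FEED = [
    "examp1ebank.com", "examplebank-login.net", "exampelbank.com",
    "acmecl0ud.io", "acmecloud.co", "flowerpots.org", "quietharbour.net",
]


def registrable_label(domain: str) -> str:
    """Second-level label. Production code should use the Public Suffix List (co.uk etc.)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize(label: str) -> str:
    """Undo common visual substitutions so 'examp1ebank' compares as 'examplebank'."""
    for glyph, letter in HOMOGLYPHS:
        label = label.replace(glyph, letter)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance, O(len(a) * len(b)); labels are short so this is plenty fast."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, brands=BRANDS) -> dict | None:
    """Return a finding for the first brand the domain resembles, or None if it looks unrelated."""
    label = registrable_label(domain)
    norm = normalize(label)
    for brand in brands:
        if label == brand:
            reason = "exact brand label (check against the TLDs you actually own)"
        elif norm == brand:
            reason = "homoglyph substitution"
        elif brand in norm:
            reason = "brand embedded with extra tokens"
        elif len(label) >= 6 and (d := levenshtein(label, brand)) <= 2:
            reason = f"edit distance {d} from brand"
        else:
            continue
        return {"domain": domain, "brand": brand, "reason": reason}
    return None


def hunt(feed, brands=BRANDS) -> list[dict]:
    """Run classify() over a feed and keep only the hits."""
    return [hit for hit in (classify(d, brands) for d in feed) if hit]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_FEED):
        print(hit)
```

Edit distance on its own is noisy for short brand names, hence the length floor; in practice you would also drop the threshold to 1 for labels under eight characters and let the homoglyph and embedded-keyword rules do most of the work.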
Transformer Neural Network Engineering Techniques on System Logs for Malware Behavior Modeling
Dmitrijs Trizna takes us on an applied machine learning journey here. Also highlights the manual experimentation and tweaking such models need.
This article evaluates various Transformer engineering methodologies applied to machine data — malware behavioral logs from the Speakeasy emulator. Speculatively, the same conclusions about the Transformer engineering methods drawn in this article can be expanded to any set of system logs, for instance, operating system telemetry like Sysmon on Windows or corresponding Linux frameworks like auditd, application level logs as kube-audit events from Kubernetes API server, or access log from HTTP servers, and counting.
Through experimentation, we found that certain configurations, such as (1) input normalization, (2) “triangular” or “step” learning rate schedulers, and (3) gradient clipping around 1.0, effectively improved model performance. On the other hand, gradient accumulation does not improve performance, which is subject to further exploration.
How we proactively defend our environments.
Enduring Security Framework Guidance on Identity and Access Management
Does what it says on the tin, the rationale being that identity and authentication are the bedrock, so we need to get them right.
These recommended best practices provide system administrators with actionable recommendations to better secure their systems from threats to Identity and Access Management (IAM).
Deciphering Linux AuditD for Threat Detection Part 3
Third part of this awesome series.
By the end of this article, you should have some answers to the following questions
What is auditd capable of recording?
What does auditd miss to record?
How many record types does auditd generate for a given behavior?
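The third question is the one people get wrong in detection content: a single execve produces a SYSCALL record, an EXECVE record, a CWD record, one PATH record per path item and a PROCTITLE record, all sharing one `msg=audit(ts:serial)` key, and the arguments are hex-encoded whenever they contain a space or control character. The following is an added example, not code from the series, that groups raw auditd lines by serial, decodes the hex fields and the SOCKADDR structure, and reports the record-type count per event. The log lines are constructed.

```python
import re
from collections import Counter, defaultdict

RECORD_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): ?(?P<body>.*)$")
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
HEX_RE = re.compile(r"^(?:[0-9A-F]{2})+$")   # auditd hex-encodes in upper case
ARG_KEY_RE = re.compile(r"^a\d+$")

# Constructed records: an execve of curl whose URL contains a space (so auditd hex-encodes
# a1 and proctitle), followed by the connect() from the same pid with its SOCKADDR record.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1679491200.123:4711): arch=c000003e syscall=59 success=yes exit=0 a0=55d9 a1=55da a2=55db a3=0 items=2 ppid=1234 pid=1235 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="curl" exe="/usr/bin/curl" key="exec"
type=EXECVE msg=audit(1679491200.123:4711): argc=2 a0="curl" a1=68747470733A2F2F6578616D706C652E6F72672F6120622E7368
type=CWD msg=audit(1679491200.123:4711): cwd="/home/alice"
type=PATH msg=audit(1679491200.123:4711): item=0 name="/usr/bin/curl" inode=1 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1679491200.123:4711): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=2 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1679491200.123:4711): proctitle=6375726C0068747470733A2F2F6578616D706C652E6F72672F6120622E7368
type=SYSCALL msg=audit(1679491201.456:4712): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffd a2=10 a3=0 items=0 ppid=1234 pid=1235 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="curl" exe="/usr/bin/curl" key="net"
type=SOCKADDR msg=audit(1679491201.456:4712): saddr=02000050C0A8000A0000000000000000
"""


def decode_hex(value: str) -> str:
    return bytes.fromhex(value).decode("utf-8", "replace")


def decode_saddr(hexstr: str) -> str:
    """Decode the raw sockaddr auditd logs: family (native order), then family-specific layout."""
    raw = bytes.fromhex(hexstr)
    family = int.from_bytes(raw[:2], "little")
    if family == 1:                      # AF_UNIX: NUL-terminated path
        return "unix:" + raw[2:].split(b"\x00", 1)[0].decode("utf-8", "replace")
    if family == 2 and len(raw) >= 8:    # AF_INET: port is big-endian, then 4 address bytes
        return ".".join(str(b) for b in raw[4:8]) + f":{int.from_bytes(raw[2:4], 'big')}"
    return f"family={family}"


def parse_fields(rtype: str, body: str) -> dict:
    fields = {}
    for key, raw in FIELD_RE.findall(body):
        if raw.startswith('"') and raw.endswith('"'):
            fields[key] = raw[1:-1]
        elif rtype == "EXECVE" and ARG_KEY_RE.match(key) and HEX_RE.match(raw):
            fields[key] = decode_hex(raw)            # attacker-controlled bytes, treat as untrusted
        elif rtype == "PROCTITLE" and key == "proctitle" and HEX_RE.match(raw):
            fields[key] = decode_hex(raw).split("\x00")
        elif rtype == "SOCKADDR" and key == "saddr":
            fields[key] = decode_saddr(raw)
        else:
            fields[key] = raw
    return fields


def group_events(lines) -> dict:
    """Collect every record sharing a serial into one event, preserving record order."""
    events = defaultdict(lambda: {"timestamp": None, "records": []})
    for line in lines:
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        ev = events[m["serial"]]
        ev["timestamp"] = float(m["ts"])
        ev["records"].append((m["type"], parse_fields(m["type"], m["body"])))
    return dict(events)


def record_type_counts(event: dict) -> Counter:
    return Counter(rtype for rtype, _ in event["records"])


def execve_argv(event: dict):
    for rtype, f in event["records"]:
        if rtype == "EXECVE":
            return [f.get(f"a{i}", "") for i in range(int(f.get("argc", 0)))]
    return None


def summarize(event: dict) -> dict:
    sysc = next((f for r, f in event["records"] if r == "SYSCALL"), {})
    sock = next((f for r, f in event["records"] if r == "SOCKADDR"), {})
    return {"syscall": sysc.get("syscall"), "comm": sysc.get("comm"), "key": sysc.get("key"),
            "argv": execve_argv(event), "dest": sock.get("saddr"),
            "record_types": dict(record_type_counts(event))}


if __name__ == "__main__":
    for serial, ev in group_events(SAMPLE_LOG.splitlines()).items():
        print(serial, summarize(ev))
```

Two things this makes visible that a per-line grep misses: the number of PATH records is data-dependent (`items=2` here), and a rule that matches only on the SYSCALL line never sees the decoded command line at all.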
Google Cloud Log Extraction
Megan Roddie provides a practical walk through on how to pull this off. But importantly also covers the variances between the different techniques.
In this blog post, we are going to cover three methods of extracting logs:
Each method provides a quite different approach and which one is best for you will heavily depend on your use case.
Our attack surface.
CVE-2023-27532 Veeam Backup & Replication leaked credentials
Chinese-language walk through of the exploitation.
American walk through
Exploiting aCropalypse: Recovering Truncated PNGs
How to recover data from cropped PNG images, CVE-2023-21036. The long tail of pain from this will be quite something..
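The mechanics behind that long tail: the editor wrote the smaller cropped PNG over the original file without truncating it, so everything after the new `IEND` chunk is the tail of the original's compressed image data, ending in the original's own `IEND`. The following is an added example, not code from the aCropalypse write-up, of the check to run over an image collection before sharing or publishing: it walks the chunk structure, validates CRCs, and reports any bytes after `IEND`. It stops short of re-synchronising the leftover zlib stream, which is the harder recovery step the post covers. The PNGs are constructed in code and the in-place overwrite is simulated.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)


def make_png(width: int, height: int) -> bytes:
    """Constructed 8-bit RGB image with varying pixel values so zlib cannot collapse it."""
    rows = []
    for y in range(height):
        row = bytearray([0])  # filter type 0 (None) for this scanline
        for x in range(width):
            row += bytes(((x * 31 + y * 17 + c * 7) & 0xFF for c in range(3)))
        rows.append(bytes(row))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(b"".join(rows))) + _chunk(b"IEND", b"")


def iter_chunks(data: bytes):
    """Yield (type, body, offset_after_crc) for each chunk up to and including IEND."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body_start, body_end = pos + 8, pos + 8 + length
        if body_end + 4 > len(data):
            raise ValueError(f"chunk {ctype!r} runs past end of file")
        body = data[body_start:body_end]
        (crc,) = struct.unpack(">I", data[body_end:body_end + 4])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC on {ctype!r}")
        pos = body_end + 4
        yield ctype, body, pos
        if ctype == b"IEND":
            return
    raise ValueError("no IEND chunk")


def trailing_data(data: bytes) -> bytes:
    """Bytes after IEND. Well-formed files have none; aCropalypse-style files keep the old tail."""
    end = None
    for ctype, _, after in iter_chunks(data):
        if ctype == b"IEND":
            end = after
    return data[end:]


def assess(data: bytes) -> dict:
    tail = trailing_data(data)
    return {
        "trailing_bytes": len(tail),
        "tail_has_iend": b"IEND" in tail,   # the overwritten file's own end marker survived
        "verdict": "trailing image data present" if tail else "clean",
    }


def simulate_in_place_crop(original: bytes, cropped: bytes) -> bytes:
    """Write the cropped file over the original without truncating, as the vulnerable editor did."""
    if len(cropped) >= len(original):
        raise ValueError("cropped image is not smaller; nothing is left to recover")
    return cropped + original[len(cropped):]


if __name__ == "__main__":
    original, cropped = make_png(64, 64), make_png(8, 8)
    print(assess(original))
    print(assess(simulate_in_place_crop(original, cropped)))
```

Anything that reports trailing bytes should be re-encoded from the decoded pixels rather than stripped with a byte-offset truncate, since the same class of bug can leave metadata chunks you also did not mean to keep.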
Attack capability, techniques and trade-craft.
Use of Windows event logs to "hide" payloads
A technique discussed in Chinese-language reporting that is likely worth building detections around.
Binary data can be included in event log fields simply by using the -RawData parameter in Write-EventLog, and the binary data must be passed to the -RawData parameter as a byte array. We can convert the hex string which contains the data into a byte array before passing it.
Aladdin bypass misconfigured Windows Defender Application Control (WDAC) and AppLocker
Lefteris Panos will make certain security teams sob with this release 🧞. Including some patch bypass magic..
Introducing Aladdin, a new tool and technique for red teamers to bypass misconfigured Windows Defender Application Control (WDAC) and AppLocker. Aladdin exploits a deserialisation issue over .NET remoting in order to execute code inside addinprocess.exe, bypassing a 2019 patch released by Microsoft in .NET Framework version 4.8.
Shellcode Reflective DLL Injection
daem0nc0re has released tooling implementing various reflective DLL injection techniques. Has utility for both good and bad.
Shells in Plain Sight - Storing Payloads in the Cloud
VBA: resolving exports in runtime without NtQueryInformationProcess or GetProcAddress
A technique we can expect to see adopted.
Black-Angel-Rootkit: Black Angel is a Windows 11/10 x64 kernel mode rootkit
hfiref0x arms no doubt various foreign government programs with this capability.
Black Angel is a Windows 11/10 x64 kernel mode rootkit. Rootkit can be loaded with enabled DSE (Driver Signature Enforcement) while maintaining its full functionality.
Clément Labro provides a proof of concept to inject code into a Protected Process Light (PPL).
This tool implements a Userland exploit chain for injecting arbitrary code into a PPL with the signer type Windows and elevating to the signer type
Expect reuse of this by malicious actors both of the actual binary and the underlying techniques.
This small .NET hacking tool is often deployed alongside Redline Stealer and is used to disable antivirus.
Tokenizer: Kernel Mode Driver for Elevating Process Privileges
Can expect some threat actors to both leverage directly and otherwise be inspired.
Tokenizer is a kernel mode driver project that allows the replacement of a process token in EPROCESS with a system token, effectively elevating the privileges of the process. The driver is designed to be used with a user-mode application that sends a process ID to the driver through an
goblob: A fast enumeration tool for publicly exposed Azure Storage blobs
Threat actor use in 3..2.. and GDPR actions in 3..2..
Goblob is a lightweight and fast enumeration tool designed to aid in the discovery of sensitive information exposed publicly in Azure blobs, which can be useful for various research purposes such as vulnerability assessments, penetration testing, and reconnaissance.
Download files on Linux without cURL or wget with bash
Neat and it will be interesting to see how noisy any detections are.
What is being exploited.
TCO!Stream Asset Management
Lazarus exploiting what was a zero-day before it was patched.
TCO!Stream is an asset management solution manufactured by MLsoft in Korea. It consists of a server and a client, and an administrator can perform asset management tasks by accessing the server using a console program.
During the analysis of the customer's incident, a situation in which the TCO!Stream solution was being abused by an attacker was discovered, and by using this, the code was remotely executed on several PCs and a backdoor was installed.
Lazarus also exploiting what was a zero-day before it was patched.
VestCert is a public certificate program used when accessing websites, and is a non-ActiveX module manufactured by Yetisoft in Korea.
The attacker downloaded and executed the malicious code using the vulnerability.
Threat Actors Exploit Progress Telerik Vulnerability in U.S. Government IIS Server
From November 2022 through early January 2023, the Cybersecurity and Infrastructure Security Agency (CISA) and authoring organizations identified the presence of indicators of compromise (IOCs) at a federal civilian executive branch (FCEB) agency. Analysts determined that multiple cyber threat actors, including an APT actor, were able to exploit a .NET deserialization vulnerability (CVE-2019-18935) in Progress Telerik user interface (UI) for ASP.NET AJAX, located in the agency’s Microsoft Internet Information Services (IIS) web server.
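CVE-2019-18935 is reached through the RadAsyncUpload handler, `Telerik.Web.UI.WebResource.axd?type=rau`, so the IIS access log is where this hunt starts; the complication is that legitimate uploads use the same handler, so the question is which clients' POSTs to it look like a person using the app and which look like a script. The following is an added example, not part of the CISA advisory, that parses W3C-format IIS logs by their `#Fields:` header and scores each upload POST on referer, user agent, and whether the client had any prior request. The log lines are constructed, with `+` standing in for spaces in user agents as IIS writes them.

```python
TELERIK_HANDLER = "/telerik.web.ui.webresource.axd"
BROWSER_MARKERS = ("mozilla/", "safari/", "chrome/", "firefox/")

# Constructed IIS W3C log: one browsing session that uses the upload control normally,
# and one client that talks only to the upload handler from a scripting user agent.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2023-03-20 10:15:01 10.0.0.5 GET /Default.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64) - 200 0 0 120
2023-03-20 10:15:02 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd _TSM_HiddenField_=ctl00_RadScriptManager1 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64) https://app.example.test/Default.aspx 200 0 0 31
2023-03-20 10:15:04 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 alice 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64) https://app.example.test/Upload.aspx 200 0 0 640
2023-03-20 10:15:07 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 198.51.100.23 python-requests/2.28.1 - 200 0 0 4532
2023-03-20 10:15:09 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 198.51.100.23 python-requests/2.28.1 - 500 0 0 2210
2023-03-20 10:16:30 10.0.0.5 POST /Upload.aspx - 443 alice 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64) https://app.example.test/Default.aspx 200 0 0 88
"""


def parse_iis(lines):
    """Yield one dict per data line, keyed by the column names in the most recent #Fields header."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed line; in production count these rather than drop them silently
        yield dict(zip(fields, parts))


def hunt_rau_posts(lines) -> list:
    """Every POST to the RadAsyncUpload handler, with the reasons it looks scripted rather than human."""
    seen_clients = set()
    hits = []
    for rec in parse_iis(lines):
        client = rec.get("c-ip", "-")
        is_rau = (rec.get("cs-uri-stem", "").lower() == TELERIK_HANDLER
                  and rec.get("cs-method", "").upper() == "POST"
                  and "type=rau" in rec.get("cs-uri-query", "").lower().split("&"))
        if is_rau:
            ua = rec.get("cs(User-Agent)", "-").lower()
            reasons = []
            if rec.get("cs(Referer)", "-") == "-":
                reasons.append("no referer")
            if not any(m in ua for m in BROWSER_MARKERS):
                reasons.append("non-browser user agent")
            if client not in seen_clients:
                reasons.append("first request from this client is the upload handler")
            hits.append({"time": f"{rec['date']} {rec['time']}", "client": client,
                         "status": rec.get("sc-status"), "time_taken_ms": rec.get("time-taken"),
                         "user_agent": rec.get("cs(User-Agent)"), "reasons": reasons})
        seen_clients.add(client)
    return hits


if __name__ == "__main__":
    for hit in hunt_rau_posts(SAMPLE_IIS_LOG.splitlines()):
        print(hit)
```

Run this over the full retention window rather than a day: the advisory above covers intrusion activity spanning November to January, and a client that appears only once with all three reasons set is worth pulling the matching `C:\Windows\Temp` and w3wp.exe process telemetry for.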
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
Finding “hidden” cross-references in IDA Pro
Some other small (and not so small) bits and bobs which might be of interest.
Security Threat Insights Report Q4 2022 - archives were the most popular file type for delivering malware (42%). Archive malware has risen 20% since Q1 2022 as attackers shift away from Office file formats to alternatives that do not rely on macros, such as disk image files (IMG, ISO)
Phase-based Tactical Analysis of Online Operations: A new model for analyzing online threats could help investigators detect and disrupt malicious operations more quickly — and enable them to better share their insights and understanding with one another.
JSAC 2023 Videos - from Japan in English from the recent conference
Understanding Cyber Threats in Transport - from ENISA
Embedded Sim Ecosystem, Security Risks and Measures - also from ENISA
US national cyber security strategy responses
CISA Office of the Chief Information Officer (OCIO) Industry Day 2023 - Wednesday, March 29 · 3 - 6pm BST
Chatham House Cyber 2023 - June 14th - How can governments and businesses work together to champion a global, open and secure internet?
This newsletter is produced by BinaryFirefly, it is via BinaryFirefly I support a hand picked set of organisations across investment, strategy and capability in the domain of cyber.
For sponsorship enquiries regarding Bluepurple or anything else contact firstname.lastname@example.org.