Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.

Operationally this week the fallout from the Fortra GoAnywhere vulnerability from early February continues to be felt. This includes Rubrik’s Response, Rio Tinto impacted and then reporting that 130 organizations has been breached with the attacks had been linked to Cl0p. This is what happens when organized crime identifies and exploit vulnerabilities at scale. Beyond that the level of activity and reporting this week is very busy..

In the high-level this week:

• SEC Proposes New Requirements to Address Cybersecurity Risks to the U.S. Securities Markets - “requirements for broker-dealers, clearing agencies, major security-based swap participants, the Municipal Securities Rulemaking Board, national securities associations, national securities exchanges, security-based swap data repositories, security-based swap dealers, and transfer agents (collectively, “Market Entities”) to address their cybersecurity risks” - sweeping!

• The CEO Report on Cyber Resilience: We spoke with 37 CEOs on how they manage cybersecurity risk - with my favorite quote “This was the worst experience in my career.”

• Ukraine scrambles to draft cyber law, legalizing its volunteer hacker army - “Ukraine's government is drafting a new law to bring its volunteer hacker brigade, the IT Army, into the armed forces, aiming to put an end to uncertainty about its status in a legal gray area that has drawn pointed warnings from the Red Cross.”

• Dossier Center Investigation: Prigozhin's Cyber ​​Troops - someone systemically hacked Wagner’s IT and resulting leaks are 🤯

• Cyber security strategy for health and social care: 2023 to 2030 - from the 🇬🇧, truly impressive piece of work.

• Legal activity both state and private:

  • Two Men Charged for Breaching Federal Law Enforcement Database and Posing as Police Officers to Defraud Social Media Companies - “accessed without authorization the email account of a foreign law enforcement officer, and used it to defraud social media companies by making purported emergency requests for information about the companies’ users”.

  • Justice Department Investigation Leads to Takedown of Darknet Cryptocurrency Mixer that Processed Over $3 Billion of Unlawful Transactions - “Vietnamese Operator of ChipMixer Charged with Laundering Money for Ransomware Perpetrators, Darknet Markets, Fraudsters, and State-Sponsored”

  • United States v. Fitzpatrick, 7:23-cr-02171 - ‘BreachForums’ Operator "Pompompurin” - extensive..

  • John Doe v MKS Instruments Lawsuit Complaint - This class action arises from the negligent and failure of Defendants to properly create, maintain, preserve, and/or store confidential, medical and personal information of Plaintiff and all other persons similarly situated - when employees litigate against employers for getting hacked.

• Following cyberattack, US conducts first defensive Hunt Operation in Albania - against Iranian intrusions..

• Committee of inquiry to investigate the use of the Pegasus and equivalent surveillance spyware - the enquiry continues and this is the latest session..

  • Related Meta Manager Was Hacked With Spyware and Wiretapped in Greece - Artemis Seaford, a dual U.S.-Greek national, was targeted with a cyberespionage tool while also under a wiretap by the Greek spy agency in a case that shows the spread of illicit snooping in Europe -

• This Is the New Leader of Russia's Infamous Sandworm Hacking Unit - career progression in Russian cyber… another story of when technologists get forced into management.

• Lloyd’s could lose ~$200mn+ cyber business following tough wordings stance - behind a pay wall - but interesting statistic.

• Building a Skilled Cyber Security Workforce in Five Countries: Insights from Australia, Canada, New Zealand, United Kingdom, and United States by the OECD - interesting bit of work for countries who are earlier in their development to learn from.

• Cyber Threats to Canada’s Defence Infrastructure from the standing Senate Committee on National Security, Defence and Veterans Affairs featuring amongst other rock stars Sami from the Canadian Cyber Security Centre.

• CISA lays out post-EINSTEIN future with shift to ‘Cyber Analytics and Data System’ - “CISA is seeking $424.9 million in the 2024 budget for “CADS.”” - yes, half a billion…

• FS-ISAC: Navigating Cyber 2023 - this is a fascinating assertion - “By far, the most significant impact on the financial services cyber threat landscape in 2022 was the Russia-Ukraine war” - supported by what appears mostly low sophistication DDoS

• NATO and European Union launch task force on resilience of critical infrastructure - the love bomb between partners globally continues.

• The Netherlands are running a Joint Sigint Cyber Unit summer school this year - a two week program for earlier career individuals.

• The Australian Parliament just published the most comprehensive exploration yet of the CCP’s ties to TikTok - extensive bit of work here which appears to be the underpinning evidence for a number of higher level decisions.

• Cybersecurity of AI and Standardisation - from the EU’s ENISA -

• FCC Adopts Its First Rules Focused on Scam Texting - Singapore got here first, but this will be positive for so many reasons.

• China and Russia collective security discussions - Interaction between the special services of Russia and China will be strengthened in terms of cybersecurity issues. The Chinese side will prepare and install several test system firewalls for Russia (protection against cyber attacks and complete disconnection of the Internet from the worldwide network) for deployment in major cities - Moscow, St. Petersburg, Kazan, Yekaterinburg, Vladivostok, Grozny, Rostov-on-Don, Krasnodar , Simferopol and a number of other million-plus cities - yet they don’t trust iPhones.. as covered in Kremlin tells officials to stop using iPhones

• The DGSI seized after a cyberattack by “pro-Russian” and “Islamist” hackers - The French internal intelligence service is investigating with the Paris Public Prosecutor's Office about a series of cyberattacks on airports, by the hacktivist collective Anonymous Sudan. This supposedly "Islamist" group works directly with Russian hackers -

• Journalist plugs in unknown USB drive mailed to him—it exploded in his face - where cyber physical becomes a thing..

Reflections this week come from the Canadian evidence session above. It is clear that political appetite in relation to the various facets of cyber are complex and evolving in various countries. There is going to be a requirement to be bolder in some areas of cyber if we want to achieve the outcomes we desire. But in order to be bolder we are going to have to take the elected officials on a journey it would appear…

Finally there was Vice / Bellingcat investigation which resulted in The US Soldiers Leaking Nuclear Secrets (or why every organization should use PushSecurity - which I am an investor in).

On the interesting job/role front:

• Director Data & Cyber Security UK Health Security Agency

• Board members, The Centre for Long-Term Resilience (CLTR)

Enjoying this? don’t get via e-mail? Subscribe:

Think someone else would benefit? Share:

Share

Have a lovely Friday

Ollie

Cyber threat intelligence

Who is doing what to whom and how.

Russia / Ukraine

Substantial reporting on Russia / Ukraine this week.

Russia’s Cyber Tactics: Lessons Learned 2022

The scale is a thing of wonder..

2,194 1,148 incidents manually processed by CERT-UA in 2022 critical and high-level incidents investigated and mitigated by CERT-UA in 2022

https://cip.gov.ua/services/cm/api/attachment/download?id=53466

Winter Vivern | Uncovering a Wave of Global Espionage

Tom Hegel details further Russian activity and attribution. The tradecraft is pretty run of the mill in terms of initial access. The latter stages show a degree of sophistication.

• [We] conducted an investigation into Winter Vivern Advanced Persistent Threat (APT) activity, leveraging observations made by The Polish CBZC and Ukraine CERT. Our research has uncovered a previously unknown set of espionage campaigns and targeting activities conducted by this threat actor.

• Our analysis indicates that Winter Vivern’s activities are closely aligned with global objectives that support the interests of Belarus and Russia’s governments. The APT has targeted a variety of government organizations, and in a rare instance, a private telecommunication organization.

• The threat actor employs various tactics, such as phishing websites, credential phishing, and deployment of malicious documents, that are tailored to the targeted organization’s specific needs. This results in the deployment of custom loaders and malicious documents, which enable unauthorized access to sensitive systems and information.

https://www.sentinelone.com/labs/winter-vivern-uncovering-a-wave-of-global-espionage/

Gamaredon carried out 74 cyberattacks against Ukraine in 2022

One team was responsible for 74 for of them, as you can see below a lot of activity centered around gaining credentials. The business case for MFA right there..

Other major targets of Gamargedon for the second half of 2022 included:

• Account credentials of Ukrainian Security Service officers in the Signal messaging service to access their accounts for data theft and user de-anonymization.

• Communication system of the State Border Guard Service of Ukraine and the SHLIAKH system used by the Border Guard to verify the identities of those crossing the Ukrainian border.

• Phishing attacks on the Ministry of Defense of Ukraine.

• Defense sector contractors and manufacturers.

https://cip.gov.ua/en/news/gamaredon-carried-out-74-cyberattacks-against-ukraine-in-2022

Bad magic: new APT found in the area of Russo-Ukrainian conflict

Leonid Bezvershenko, Georgy Kucherin and Igor Kuznetsov detail a regionalized campaign which as with previous weeks involves Phishing email → LNK file → world of hurt.

In October 2022, we identified an active infection of government, agriculture and transportation organizations located in the Donetsk, Lugansk, and Crimea regions. Although the initial vector of compromise is unclear, the details of the next stage imply the use of spear phishing or similar methods. The victims navigated to a URL pointing to a ZIP archive hosted on a malicious web server. The archive, in turn, contained two files:

• A decoy document (we discovered PDF, XLSX and DOCX versions)

• A malicious LNK file with a double extension (e.g., .pdf.lnk) that leads to infection when opened

https://securelist.com/bad-magic-apt/109087/

Operation Tainted Love | Chinese APTs Target Telcos in New Attacks

Aleksandar Milenkoski, Juan Andres Guerrero-Saade, and Joey Chen, in collaboration with QGroup shine a light on the evolution of Chinese tradecraft. The point of note is the selective use of thread termination in order to degrade logging.

• In Q1 of 2023, [we] observed initial phases of attacks against telecommunication providers in the Middle East.

• We assess that this activity represents an evolution of tooling associated with Operation Soft Cell.

• While it is highly likely that the threat actor is a Chinese cyberespionage group in the nexus of Gallium and APT41, the exact grouping remains unclear.

• [We] observed the use of a well-maintained, versioned credential theft capability and a new dropper mechanism indicative of an ongoing development effort by a highly-motivated threat actor with specific tasking requirements.

…

• in-memory mapping of malicious images to evade EDR API hooks and file-based detections

• surgically terminating Event Log threads instead of the host process to inhibit logging without raising suspicions

• staging a credential theft capability in the LSASS process itself by abusing native Windows capabilities.

https://www.sentinelone.com/labs/operation-tainted-love-chinese-apts-target-telcos-in-new-attacks/

Earth Preta Updated Stealthy Strategies

Vickie Su, Nick Dai and Sunny Lu provide further reporting on Chinese state activity. E-mail once more and I’m going to sound like a broken record - Content Disarm & Reconstruction is an answer here..

We discovered Earth Preta delivering lure archives via spear-phishing emails and Google Drive links. After months of investigation, we found that several undisclosed malware and interesting tools used for exfiltration purposes were used in this campaign. We also observed that the threat actors were actively changing their tools, tactics, and procedures (TTPs) to bypass security solutions. In this blog entry, we will introduce and analyze the other tools and malware used by Earth Preta.

https://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy-strategies.html

Notorious SideCopy APT group sets sights on India's DRDO

Pakistan going after the government agency tasked with researching and developing advanced technologies for use by the Indian Armed Forces. The tradecraft being like 90% of what we see here week in and week out.

https://blog.cyble.com/2023/03/21/notorious-sidecopy-apt-group-sets-sights-on-indias-drdo/

Then there is Chinese reporting on the same campaign.

1. Spear-phishing emails, with LNK files in compressed packages as the attack entry point;

2. Loading and executing subsequent payloads in memory without files;

3. The final payload is an improved open-source Trojan horse written in Delphi or a new Trojan horse written in C++;

4. The bait content is related to the Indian Ministry of Defense.

https://ti.qianxin.com/blog/articles/Analysis-of-SideCopy-Group's-Recent-Attacks-Using-Indian-Ministry-of-Defense-Documents-as-Lures-EN/

Analysis of Saaiwc's attack activities against the Indonesian government

This Chinese reporting details a campaign which drops some Microsoft build tools to the victim in order to execute the latter phases.

[We discovered] multiple cyber attacks by the Saaiwc organization targeting government departments such as the Indonesian Ministry of Foreign Affairs during daily threat hunting. and release the MSBuild Project file after inducing execution, and then used the scheduled task to trigger the WINLOGON registry to start the MSBuild.exe tool to generate and load the malicious payload, thereby completing the stealing operation.

https://mp-weixin-qq-com.translate.goog/s/_WMljf41eTsBrQDa3BjFTQ?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp

SILKLOADER : Journey of a Cobalt Strike beacon loader along the silk road

Mohammad Kazem Hassan Nejad, Bert Steppé and Neeraj Singh document an interesting criminal extension for Cobalt Strike which is being used in the wild.

During our investigations through several human-operated intrusions that resembled precursors to ransomware deployments, we came across an interesting Cobalt Strike beacon loader that leveraged DLL side-loading, which we’re tracking as SILKLOADER. By taking a closer look at the loader, we found several activity clusters leveraging this loader within the Russian as well as Chinese cybercriminal ecosystems.

https://labs.withsecure.com/content/dam/labs/docs/withsecure-silkloader.pdf

North Korea

Lots of North Korean reporting again this week and this is not all of it.

German and South Korea advisory on KIMSUKY

First the joint publications on the Hermit Kingdom continue. This is around their misuse of Google browser add-ons and similar.

The Federal Office for the Protection of the Constitution (BfV) and the National Intelligence Service (NIS) of the Republic of Korea (South Korea) publish a joint security advisory on cyber espionage activities about KIMSUKY

https://www-verfassungsschutz-de.translate.goog/SharedDocs/kurzmeldungen/DE/2023/2023-03-20-sicherheitshinweis-zu-cyberaktivitaeten.html?_x_tr_sl=ru&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp

https://www.ncsc.go.kr:4018/main/cop/bbs/selectBoardArticle.do?bbsId=SecurityAdvice_main&nttId=25266&pageIndex=1#LINK

Scarcruft Bolsters Arsenal for targeting individual Android devices

North Korea targeting their Chinese friends through messaging platforms to get manually deployed Android implants down.

• Scarcruft is strongly believed to conduct initial penetration by contacting individuals directly via messengers, such as in this case, to trick them into installing a malicious APK disguised as legitimate.

• S2W Talon named "Cumulus" in reference to past samples similar to the type of malware disclosed by InterLab, and named the plugin used by Cumulus as "Clugin".

• There are three types of Cumulus, depending on whether or not the Clugin is downloaded and the type of messaging service used.

• We observed that the Scarcruft group updated the malware's functionality or installed China-specific applications on test devices to target users with Chinese language and Chinese-manufactured mobile devices.

https://medium.com/s2wblog/scarcruft-bolsters-arsenal-for-targeting-individual-android-devices-97d2bcef4ab

The Unintentional Leak: A glimpse into the attack vectors of APT37

Ooops, bad day in the North Korean office when the developers make a GitHub mistake.

During our threat hunting research, we came across a GitHub repository which is owned by a member of the threat actor group. Due to an operational security (OpSec) failure of the threat actor, we were able to access a wealth of information about the malicious files used by this APT group along with the timeline of their activities dating as far back as October 2020.

https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37

Kimsuky group appears to be exploiting OneNote like the cybercrime group

Proof North Korea observe and adopt tradecraft of criminal actors.

• We have confirmed that the Kimsuky group is distributing malware using a malicious OneNote (.ONE) file, which cybercriminals have widely used.

• When viewed, the ONE file displays an image of the Institute for Peace and Democracy at Korea University and asks the target to fill out a privacy agreement document in order to pay them for participating in a survey.

• The HWP file is a simple image, not a real attachment, and double-clicking on its location executes a malicious VBS script hidden behind the image to download additional malware.

• While the final payload is unavailable, the Kimsuky group is believed to be behind this malicious OneNote campaign due to the parameters the group has used to distribute the Babyshark malware and its fake email disguised as a form of compensation.

https://medium.com/s2wblog/kimsuky-group-appears-to-be-exploiting-onenote-like-the-cybercrime-group-3c96b0b85b9f

When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule

John Dwyer provides insight to North Korea’s tampering with security telemetry. He also provides a good tip on how to detect anomalies.

The FudModule’s attack against ETW registration handles may disable ETW monitoring providers, but [we were] not able to uncover evidence that the malware prevents new ETW registration handles from being created and used. Defenders can leverage this opportunity to register a new ETW session to an existing security-related ETW provider, create test data, and compare the telemetry between the new ETW session and the existing ETW session

https://securityintelligence.com/posts/defensive-considerations-lazarus-fudmodule/

Not‑so‑private messaging: Trojanized WhatsApp and Telegram apps go after cryptocurrency wallets

Lukas Stefanko and Peter Strýček details of a North Korean operation on mobile apps intended to get crypto asset. Clippers refers to the technique of adjusting clipboard content.

• [We] found the first instance of clippers built into instant messaging apps.

• Threat actors are going after victims’ cryptocurrency funds using trojanized Telegram and WhatsApp applications for Android and Windows.

• The malware can switch the cryptocurrency wallet addresses the victim sends in chat messages for addresses belonging to the attacker.

• Some of the clippers abuse optical character recognition to extract text from screenshots and steal cryptocurrency wallet recovery phrases.

• In addition to clippers, we also found remote access trojans (RATs) bundled with malicious Windows versions of WhatsApp and Telegram.

https://www.welivesecurity.com/2023/03/16/not-so-private-messaging-trojanized-whatsapp-telegram-cryptocurrency-wallets/

$197 Million Stolen: Euler Finance Flash Loan Attack Explained

Attribution to North Korea, how it was performed is TBC.

https://blog.chainalysis.com/reports/euler-finance-flash-loan-attack/

UNC961: Three Encounters with a Financially Motivated Threat Actor

Ryan Tomcik, Rufus Brown and Josh Fleischer document the use of old days by organized crime for initial access before the deployment of ransomware.

UNC961 takes a cost-effective approach to accessing each victim by leveraging publicly accessible exploit code from recently disclosed vulnerabilities and weaponizing them for use. We have often observed UNC961 exploit popular Internet-facing application servers, including Atlassian Confluence (CVE-2021-26084), Citrix ADC (CVE-2019-19781), Oracle WebLogic (CVE-2020-14750), Gitlab (CVE-2021-22205) and others. After gaining access, UNC961 has commonly targeted and exfiltrated sensitive data, including network reconnaissance and credential information that could be sold or used in support of follow-on missions. In multiple instances, UNC961 intrusion activity has preceded the deployment of MAZE and EGREGOR ransomware from distinct follow-on actors.

https://www.mandiant.com/resources/blog/unc961-multiverse-financially-motivated

Inside Mispadu massive infection campaign in LATAM

The scale of the bounty is of note here:

Due to a misconfiguration in the attackers’ network, Metabase Q was able to access 8 of the 20 Command and Control Servers (C2s). Most of these were compromised websites. In the files containing the stolen credentials, we discovered a total of 90,518 credentials coming from 17,595 unique websites across all industry sectors.

https://www.metabaseq.com/mispadu-banking-trojan/

A look at a Magecart skimmer using the Hunter obfuscator

Jérôme Segura details the use of JavaScript obfuscation by organized crime.

a Magecart skimmer that uses Hunter, a PHP Javascript obfuscator. During our investigation, we were able to discover a number of domains all part of the same infrastructure with custom skimmers for several Magento stores.

https://www.malwarebytes.com/blog/threat-intelligence/2023/03/hunter-skimmer

Discovery

How we find and understand the latent compromises within our environments.

Exploit Outlook CVE-2023-23397 Yara

Yara rule from Florian et al.

https://github.com/Neo23x0/signature-base/blob/master/yara/expl_outlook_cve_2023_23397.yar

CISA Untitled Goose Tool Aids Hunt and Incident Response in Azure, Azure Active Directory, and Microsoft 365 Environments

🇺🇸 Government provide some valuable tooling for those contesting Microsoft environments.

Untitled Goose Tool is a robust and flexible hunt and incident response tool that adds novel authentication and data gathering methods in order to run a full investigation against a customer’s Azure Active Directory (AzureAD), Azure, and M365 environments. Untitled Goose Tool gathers additional telemetry from Microsoft Defender for Endpoint (MDE) and Defender for Internet of Things (IoT) (D4IoT).

https://github.com/cisagov/untitledgoosetool

Serverless Domain Hunting: Track Newly Registered Domains With Ease

Lovely little bit of engineering here..

In this post, we’ll leverage AWS serverless architecture and show you how to stay ahead of adversaries and keep an eye on emerging domains—with little effort and without breaking the bank.

https://cyberandramen.net/2023/03/18/serverless-domain-hunting-track-newly-registered-domains-with-ease/

Transformer Neural Network Engineering Techniques on System Logs for Malware Behavior Modeling

Dmitrijs Trizna takes us on an applied machine learning journey here. Also highlights the manual experimentation and tweaking such models need.

This article evaluates various Transformer engineering methodologies applied to machine data — malware behavioral logs from the Speakeasy emulator. Speculatively, the same conclusions about the Transformer engineering methods drawn in this article can be expanded to any set of system logs, for instance, operating system telemetry like Sysmon on Windows or corresponding Linux frameworks like auditd, application level logs as kube-audit events from Kubernetes API server, or access log from HTTP servers, and counting.

Through experimentation, we found that certain configurations, such as (1) input normalization, (2) “triangular” or “step” learning rate schedulers, and (3) gradient clipping around 1.0, effectively improved model performance. On the other hand, gradient accumulation does not improve performance, which is subject to further exploration.

https://towardsdatascience.com/transformer-neural-network-engineering-techniques-on-system-logs-for-malware-behavior-modeling-c79f83f1ae69

Defence

How we proactively defend our environments.

Enduring Security Framework Guidance on Identity and Access Management

Does what it says on the tin, rational being identity and authentication are the bed rock so we need to get it right.

These recommended best practices provide system administrators with actionable recommendations to better secure their systems from threats to Identity and Access Management (IAM).

https://www.cisa.gov/news-events/alerts/2023/03/21/cisa-and-nsa-release-enduring-security-framework-guidance-identity-and-access-management

https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3336001/esf-partners-nsa-and-cisa-release-identity-and-access-management-recommended-be/

Deciphering Linux AuditD for Threat Detection Part 3

Third part of this awesome series.

By the end of this article, you should have some answers to the following questions

• What is auditd capable of recording?

• What does auditd miss to record?

• How many record types does auditd generate for a given behavior?

https://izyknows.medium.com/linux-auditd-for-threat-detection-final-9d5173706b3f

Google Cloud Log Extraction

Megan Roddie provides a practical walk through on how to pull this off. But importantly also covers the variances between the different techniques.

In this blog post, we are going to cover three methods of extract logs:

• gcloud CLI

• Logs Explorer

• Pub/Sub

Each method provides a quite different approach and which one is best for you will heavily depend on your use case.

https://www.sans.org/blog/google-cloud-log-extraction/

Vulnerability

Our attack surface.

CVE-2023-27532 Veeam Backup & Replication leaked credentials

Chinese walk through on the exploitation.

https://y4er-com.translate.goog/posts/cve-2023-27532-veeam-backup-replication-leaked-credentials/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp

American walk through

https://attackerkb.com/topics/ALUsuJioE5/cve-2023-27532/rapid7-analysis

Exploiting aCropalypse: Recovering Truncated PNGs

How to recover data from cropped PNGs (images) or 2023-21036. The long tail of pain from this will be quite something..

https://www.da.vidbuchanan.co.uk/blog/exploiting-acropalypse.html

Offense

Attack capability, techniques and trade-craft.

Use of Windows event logs to "hide" payloads

Chinese discussed technique that it is likely worth building detections around.

Binary data can be included in event log fields simply by using the -RawData parameter in Write-EventLog, and the binary data must be passed to the -RawData parameter as a byte array. We can convert the hex string which contains the data into a byte array before passing it.

https://mp-weixin-qq-com.translate.goog/s/ggB_XarThtTA_tI44k054w?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp

Aladdin bypass misconfigured Windows Defender Application Control (WDAC) and AppLocker

Lefteris Panos will make certain security teams sob with this release 🧞. Including some patch bypass magic..

Introducing Aladdin, a new tool and technique for red teamers to bypass misconfigured Windows Defender Application Control (WDAC) and AppLocker. Aladdin exploits a deserialisation issue over .NET remoting in order to execute code inside addinprocess.exe, bypassing a 2019 patch released by Microsoft in .NET Framework version 4.8.

https://labs.nettitude.com/blog/introducing-aladdin/

Shellcode Reflective DLL Injection

daem0nc0re has released tooling to implement various reflecting DLL injection techniques. Has utility for both good and bad.

https://github.com/daem0nc0re/TangledWinExec/tree/main/sRDI

Shells in Plain Sight - Storing Payloads in the Cloud

Uses steganography..

https://www.trustedsec.com/blog/shells-in-plain-sight-storing-payloads-in-the-cloud/

VBA: resolving exports in runtime without NtQueryInformationProcess or GetProcAddress

A technique we can expect to see adopted.

https://adepts.of0x.cc/vba-exports-runtime/

Black-Angel-Rootkit: Black Angel is a Windows 11/10 x64 kernel mode rootkit

hfiref0x arms no doubt various foreign government programs with this capability.

Black Angel is a Windows 11/10 x64 kernel mode rootkit. Rootkit can be loaded with enabled DSE (Driver Signature Enforcement) while maintaining its full functionality.

https://github.com/XaFF-XaFF/Black-Angel-Rootkit

PPLmedic

Clément Labro provides a proof of concept to inject code into a process which is protected process light.

This tool implements a Userland exploit chain for injecting arbitrary code into a PPL with the signer type Windows and elevating to the signer type WinTcb.

https://github.com/itm4n/PPLmedic

Healer AVKiller

Expect reuse of this by malicious actors both of the actual binary and the underlying techniques.

This small .NET hacking tool is often deployed along side Redline Stealer and is used to disable antivirus.

https://research.openanalysis.net/healer/avkiller/dotnet/trustedinstaller/2023/03/15/healer-avkiller.html

Tokenizer: Kernel Mode Driver for Elevating Process Privileges

Can expect some threat actors to both leverage directly and otherwise be inspired.

Tokenizer is a kernel mode driver project that allows the replacement of a process token in EPROCESS with a system token, effectively elevating the privileges of the process, The driver is designed to be used with a user-mode application that sends a process ID to the driver through an IOCTL.

https://github.com/ZeroMemoryEx/Tokenizer

goblob: A fast enumeration tool for publicly exposed Azure Storage blobs

Threat actor use in 3..2.. and GDPR actions in 3..2..

Goblob is a lightweight and fast enumeration tool designed to aid in the discovery of sensitive information exposed publicy in Azure blobs, which can be useful for various research purposes such as vulnerability assessments, penetration testing, and reconnaissance.

https://github.com/Macmod/goblob

Download files on Linux without cURL or wget with bash

Neat and it will be interesting to see how noisy any detections are.

https://pastebin.com/H0EJLdjc

Exploitation

What is being exploited.

TCO!Stream Asset Management

Lazarus exploiting this what was zero-day before it was patched.

TCO!Stream is an asset management solution manufactured by MLsoft in Korea. It consists of a server and a client, and an administrator can perform asset management tasks by accessing the server using a console program.

During the analysis of the customer's incident, a situation in which the TCO!Stream solution was being abused by an attacker was discovered, and by using this, the code was remotely executed on several PCs and a backdoor was installed.

https://asec.ahnlab.com/ko/49560/

VestCert

Lazarus also exploiting this what was zero-day before it was patched.

VestCert is a public certificate program used when using a website , and is a Non-ActiveX module manufactured by Yetisoft in Korea .

The attacker downloaded and executed the malicious code using the vulnerability .

https://asec.ahnlab.com/ko/49561/

Threat Actors Exploit Progress Telerik Vulnerability in U.S. Government IIS Server

Multiple actors..

From November 2022 through early January 2023, the Cybersecurity and Infrastructure Security Agency (CISA) and authoring organizations identified the presence of indicators of compromise (IOCs) at a federal civilian executive branch (FCEB) agency. Analysts determined that multiple cyber threat actors, including an APT actor, were able to exploit a .NET deserialization vulnerability (CVE-2019-18935) in Progress Telerik user interface (UI) for ASP.NET AJAX, located in the agency’s Microsoft Internet Information Services (IIS) web server.

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-074a

Tooling and Techniques

Low level tooling and techniques for attack and defence researchers…

Finding “hidden” cross-references

in IDA pro

https://hex-rays.com/blog/igors-tip-of-the-week-132-finding-hidden-cross-references/

Footnotes

Some other small (and not so small) bits and bobs which might be of interest.

• Security Threat Insights Report Q4 2022 - archives were the most popular file type for delivering malware (42%). Archive malware has risen 20% since Q1 2022 as attackers shift away from Office file formats to alternatives that do not rely on macros, such as disk image files (IMG, ISO)

• Red Canary 2023 Threat Detection Report

• Move, Patch, Get Out the Way: 2022 Zero-Day Exploitation Continues at an Elevated Pace

• Phase-based Tactical Analysis of Online Operations: A new model for analyzing online threats could help investigators detect and disrupt malicious operations more quickly — and enable them to better share their insights and understanding with one another.

• JSAC 2023 Videos - from Japan in English from the recent conference

• Understanding Cyber Threats in Transport - from ENISA

• Embedded Sim Ecosystem, Security Risks and Measures - also from ENISA

• Ukraine’s Cyber Defense Offers Lessons for Taiwan -

• US national cyber security strategy responses

  • Building a shared lexicon for the National Cybersecurity Strategy

  • IST’s Stifel: Time is right to re-examine incentives under new national cyber strategy -

• Malware analysis reports of from UK NCSC

• Events

  • CISA Office of the Chief Information Officer (OCIO) Industry Day 2023 - Wednesday, March 29 · 3 - 6pm BST

  • Chatham House Cyber 2023 - June 14th - How can governments and businesses work together to champion a global, open and secure internet?

• Hope of Delivery: Extracting User Locations From Mobile Instant Messengers

This newsletter is produced by BinaryFirefly, it is via BinaryFirefly I support a hand picked set of organisations across investment, strategy and capability in the domain of cyber.

For sponsorship enquiries regarding Bluepurple or anything else contact hello@binaryfirefly.com.