Bluepurple Pulse: week ending March 19th
Discover more from Cyber Defence Analysis for Blue & Purple Teams
Bluepurple Pulse: week ending March 19th
Many zero days died to bring us this information..
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week you will see numerous zero days that were being exploited in the wild have been patched. Firewalls, email clients and security software all exploited produced by some of the most mature software vendors - yes really. Undertaken by governments (China / Russia) and organized cyber crime. Patch patch patch..
In the high-level this week:
Wave of Stealthy China Cyberattacks Hits U.S., Private Networks - Defense contractors, government agencies, and technology and telecommunications firms appeared to be bearing the brunt of the newly discovered Beijing-linked attacks - it is almost like China are preparing for a conflict..
US Cyber Command releases first full budget - documents released by the Pentagon detail Cybercom’s operations and maintenance budget request of $332.6 million for its headquarters, a procurement budget request of $129 million and a research, development, test and evaluation budget request of $1.1 billion - militaries around the world will now use this evidence base on why they need larger budgets (I would).
2023 - 2030 - Australian Cyber Security Strategy - discussion paper as the Aussie government seeks input from from various stakeholders. It is a really interesting approach to building a strategy.. fascinated to see the final thing.
Pro-innovation Regulation of Technologies Review: Digital Technologies - thank you Sir Patrick Vallance (the UK Government’s outgoing Chief Scientific Advisor) for his support on this reform - "We recommend amending the Computer Misuse Act 1990 to include a statutory public interest defence that would provide stronger legal protections for cyber security researchers and professionals, and would have a catalytic effect on innovation in a sector with considerable growth potential.”
Building From the 2023 National Cybersecurity Strategy: Reshaping the Terrain of Cyberspace - The NCS’s market lens offers an important new view on defending cyberspace. Yet, as above, the document falls short of realizing its admirable vision by omitting tangible commitments to action.
Interview with Andrea Enria, Chair of the Supervisory Board of the ECB - That’s why for next year we are launching a thematic stress test on cyber resilience, which will try to test how banks are able to respond to and recover from a successful cyberattack. - if the UK’s prior similar activities are anything to go by this will be valuable.
Rogue CyberSecurity Company Employee Tried To Sell Powerful, Stolen iPhone Malware For $50-Million - Israeli indictment unsealed last week against an NSO employee who disabled the security software on their machine to copy files off. Offensive cyber security company fails to implement sufficient controls that could withstand highly sophisticated internal threat actor.
Chinese firm got (UK) Covid contract despite trying to hack NHS data, minister says - The BGI Group was making multiple attempts every week to “hack” into Genomics England in 2014
A Turning Point for Cyber Insurance - behind a paywall - but a conclusion I think we all agree with..
Emerging privacy-enhancing technologies: Current regulatory and policy approaches - the OECD talking about such technologies will drive awareness and interest.
Spyware Accountability Initiative - The Ford Foundation’s Dignity and Justice Fund, fiscally sponsored by the New Venture Fund, has launched a new funding initiative for spyware accountability with a founding contribution from Apple and additional contributions from Open Society Foundations, Okta for Good, and Craig Newmark Philanthropies, and more donors are expected to join over the course of the initiative - interesting initiative noting that Apple has a commercial incentive here.
FBI Internet Crime Report 2022 - In 2022, RAT initiated the Financial Fraud Kill Chain (FFKC) on 2,838 Business Email Compromise (BEC) complaints involving domestic-to-domestic transactions with potential losses of over $590 million - yes, that is a lot of money because of poor password hygiene and/or phishing.
Mexican president slams report military spied on activist as 'made up' - "We have to do investigations, but not spying, that's different”
China’s Censors Are Afraid of What Chatbots Might Say - a slightly amusing constraint on competitiveness
SEC Charges Software Company Blackbaud Inc. for Misleading Disclosures About Ransomware Attack That Impacted Charitable Donors - “Blackbaud failed to disclose the full impact of a ransomware attack despite its personnel learning that its earlier public statements about the attack were erroneous” - correcting the public record is critical it would seem.
The 3rd U.S.-ROK Working Group Meeting on the DPRK Cyber Threat - United States Department of State - “The United States and ROK reaffirmed our commitment to significantly expand cooperation to confront a range of DPRK cyber threats.”
ChatGPT and large language models: what's the risk? - the UK’s National Cyber Security Centre leading the charge on understanding.
Ransomware Vulnerability Warning Pilot (RVWP) - “Through the Ransomware Vulnerability Warning Pilot (RVWP), CISA is undertaking a new effort to warn critical infrastructure entities that their systems have exposed vulnerabilities that may be exploited by ransomware threat actors” - similar to how modern cyber insurers are operating interestingly.
Between a rock and a hard(ening) place: Cyber insurance in the ransomware era -comprehensive paper here with an academic basis - the scope for cyber insurance to influence the proliferation of ransomware and its impacts at a societal level – either positively or negatively – is, in practice, limited - I won’t do the paper justice so go read.
PCAST Initiating Working Group on Cyber-Physical Resilience |The White House - The President’s Council of Advisors on Science and Technology (PCAST) has created a working group on cyber-physical resilience with the intent of consulting experts from across the public and private sectors, and academia.
Reflections this week are around complexity. You will see below that red teamers have started discussing persistence through subtle access control changes and similar. As I said elsewhere this week:
The subtle (or not so) modification of permissions in IaaS, SaaS, Active Directory, high level objects or filesystems for persistence is an orders or magnitude problem manual signatures likely won't scale to meet.
On the interesting job/role front:
Senior Analyst, Advanced Practices, Mandiant (Moogle)
Senior Policy Advisor Cyber - Northern Ireland, UK Department for Science, Innovation and Technology
UK Government Security Cyber Degree Apprenticeship (Level 6), deadline next week!
Enjoying this? don’t get via e-mail? Subscribe:
Think someone else would benefit? Share:
Have a lovely Thursday
Ollie
Cyber threat intelligence
Who is doing what to whom and how.
Russia / Ukraine
A Year of Russian Hybrid Warfare in Ukraine
Comprehensive high-level analysis here.
Contextualizing Cyber Components in Conventional Conflict
Slightly lagged coverage by me of Joe Slowik’s analysis which is similarly insightful.
With the above in mind and in our hearts, the Russia-Ukraine conflict has, since 2014, featured a number of (academically) interesting cyber components:
The 2014 “CyberBerkut” events linked to Ukrainian elections.
The 2015 incident targeting several Ukrainian electric distribution sites.
The 2016 Industroyer/CrashOverride event targeting Ukrainian electric transmission.
The 2017 NotPetya destructive incident, starting in and likely designed to be focused on Ukrainian institutions, although impacting multiple organizations globally.
https://pylos.co/2022/02/25/contextualizing-cyber-components-in-conventional-conflict/
NOBELIUM Uses Poland's Ambassador’s Visit to the U.S. to Target EU Governments Assisting Ukraine
This can be summarized as Phishing email → website → drop .ISO → world of hurt.
At the beginning of March, [we] observed a new campaign targeting European Union countries; specifically, its diplomatic entities and systems transmitting sensitive information about the region's politics, aiding Ukrainian citizens fleeing the country, and providing help to the government of Ukraine.
https://blogs.blackberry.com/en/2023/03/nobelium-targets-eu-governments-assisting-ukraine
Espionage campaigns targeting CIS countries, Turkey, and European institutions including Embassies and a critical EU Health care Agency
This can be summarized as Phishing email → LNK file → world of hurt.
YoroTrooper’s main targets are government or energy organizations in Azerbaijan, Tajikistan, Kyrgyzstan and other Commonwealth of Independent States (CIS), based on our analysis. We also observed YoroTrooper compromise accounts from at least two international organizations: a critical European Union (EU) health care agency and the World Intellectual Property Organization (WIPO). Successful compromises also included Embassies of European countries including Azerbaijan and Turkmenistan. We assess the actor also likely targets other organizations across Europe and Turkish (Türkiye) government agencies.
Information stolen from successful compromises include credentials from multiple applications, browser histories & cookies, system information and screenshots.
YoroTrooper’s main tools include Python-based, custom-built and open-source information stealers, such as the Stink stealer wrapped into executables via the Nuitka framework and PyInstaller. For remote access, YoroTrooper has also deployed commodity malware, such as AveMaria/Warzone RAT, LodaRAT and Meterpreter.
The infection chain consists of malicious shortcut files (LNKs) and optional decoy documents wrapped in malicious archives delivered to targets. The actor appears intent on exfiltrating documents and other information, likely for use in future operations.
https://blog.talosintelligence.com/yorotrooper-espionage-campaign-cis-turkey-europe/
The slow Tick‑ing time bomb: Tick APT group compromise of a DLP software developer in East Asia
Facundo Muñoz details a Chinese campaign which is somewhat historic against a software vendor which led to a supply chain attack. Stuff of nightmares..
[We] uncovered an attack occurring in the network of an East Asian data-loss prevention company with a customer portfolio that includes government and military entities.
[We] attribute this attack with high confidence to the Tick APT group.
The attackers deployed at least three malware families and compromised update servers and tools used by the company. As a result, two of their customers were compromised.
The investigation revealed a previously undocumented downloader named ShadowPy.
Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation
Alexander Marvi, Brad Slaybaugh, Dan Ebreo, Tufail Ahmed, Muhammad Umair and Tina Johnson give some details on the Chinese campaign discussed above. No real surprise this was possible, but also highlights the challenges of threat hunting with all the embedded devices around us.
In mid-2022, [we], in collaboration with Fortinet, investigated the exploitation and deployment of malware across multiple Fortinet solutions including FortiGate (firewall), FortiManager (centralized management solution), and FortiAnalyzer (log management, analytics, and reporting platform). The following steps generally describe the actions the threat actor took:
Utilized a local directory traversal zero-day (CVE-2022-41328) exploit to write files to FortiGate firewall disks outside of the normal bounds allowed with shell access.
Maintained persistent access with Super Administrator privileges within FortiGate Firewalls through ICMP port knocking
Circumvented firewall rules active on FortiManager devices with a passive traffic redirection utility, enabling continued connections to persistent backdoors with Super Administrator privileges
Established persistence on FortiManager and FortiAnalyzer devices through a custom API endpoint created within the device
Disabled OpenSSL 1.1.0 digital signature verification of system files through targeted corruption of boot files
https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem
APT-C-36: from NjRAT to LimeRAT
Further details on this Columbian threat actor showing they are willing to explore and pivot to various COTS implant frameworks.
This group is characterised by the impersonation of official entities. As it can be seen, another of their characteristics is to keep a good level of appearance in the text and fake documents used in spear phishing campaigns.
https://lab52.io/blog/apt-c-36-from-njrat-to-apt-c-36/
A border-hopping PlugX USB worm takes its act on the road
Any relation to the countries where this is present and the strategic interests of China are entirely coincidental I am sure.
Our researchers are currently seeing localized outbreaks of a new variant of the PlugX USB worm – in locations nearly halfway around the world from each other. After first drawing attention to itself in Papua New Guinea in August 2022, the new variant appeared in January both in the Pacific Rim nation and 10,000 miles away in Ghana. Additional infections appeared in Mongolia, Zimbabwe, and Nigeria. The novel aspects of this variant are a new payload and callbacks to a C2 server previously thought to be only tenuously related to this worm.
https://news.sophos.com/en-us/2023/03/09/border-hopping-plugx-usb-worm/
Dark Pink APT Group Strikes Government Entities in South Asian Countries
Dark Pink hasn’t been attributed in open source. Other than that this can be summarized as Phishing email → ISO file → decoy document → DLL side loading → world of hurt. The regional focus is likely a cause for concern.
In February 2023, [we] identified multiple KamiKakaBot malwares which are very likely used to target government entities in ASEAN (Association of Southeast Asian Nations) countries.
KamiKakaBot's primary function is to steal data stored in web browsers such as Chrome, Edge, and Firefox. This includes saved credentials, browsing history, and cookies. Additionally, the threat actors can gain initial access on infected devices to execute remote code.
https://blog.eclecticiq.com/dark-pink-apt-group-strikes-government-entities-in-south-asian-countries
North Korea
Another busy week of reporting around this threat actor from an ever diverse set of intelligence houses.
Peeking at Reaper’s surveillance operations
A spectrum of North Korean phishing tradecraft documented in this reporting. The second capability is of note.
Our first finding was phishing webpages targeting multiple email and cloud services such as Naver, iCloud, Kakao, Mail.ru and 163.com. In some cases, we were able to retrieve the phishing web pages and analyse their source code.
The second one, used against iCloud, Naver and Kakao, is more complex as it can rely on four different technologies (HTTP, websockets, and real time messaging public services Ably and Pubnub) to bypass 2 factors authentication (2FA) mechanism.
The infection vectors retrieved during our investigation came from a Github repository online since 2021 and used as a staging infrastructure by Reaper.
https://blog.sekoia.io/peeking-at-reaper-surveillance-operations-against-north-korea-defectors/
Analysis of encrypted communication of Lazarus organization Trojanized open source software
Note the custom encryption usage tunneled inside of TLS.
The Lazarus organization recently used social platforms to carry out new types of phishing attacks, inducing victims to use open source software transformed into Trojan horses through social platforms, thereby gaining control of the victim host. [We] found that the organization used the open source software UltraVNC transformed into a Trojan horse in an attack activity. UltraVNC is an open-source remote management tool in which the Lazarus group embedded a malicious downloader. The downloader will obtain the malicious DLL from the C&C server (internet compromised host) and load it in the memory. The C&C communication with the server uses the HTTPS encryption protocol throughout, and the communication interaction data in the encrypted payload itself uses a custom encryption method for secondary processing. encryption.
https://www.viewintech.com/html/articledetails.html?newsId=32
2022 Threat Trend Report in Kimsuky (released March, 2023)
Extensive summary report on a years worth of activity by this threat actor.
https://asec.ahnlab.com/wp-content/uploads/2023/03/2022-Threat-Trend-Report-on-Kimsuky.pdf
DUCKTAIL: Threat Operation Re-emerges with New LNK, PowerShell, and Other Custom Tactics to Avoid Detection
Simon Kenin outs another malicious advertising campaign, but on one maybe less appreciated. The LNK tradecraft is a spill over from other vectors. This has bee active since October 2022, uses LNK files which are 300 MB in size in an attempt to avoid scanning by security products etc.
DUCKTAIL is the name given to a malware operation that was previously focused on targeting individuals and organizations that operate on Facebook’s Business Ads platform
The initial infection starts with a malicious LNK that executes PowerShell to download malware hosted on a public file-sharing service
The DUCKTAIL operation has changed their custom malware to be compiled as a .NET Core 5
The final payload has been changed from custom-made malware to commodity malware during the experimental phase
DEV-1101 enables high-volume AiTM campaigns with open-source phishing kit
New acronym for us all Adversary-in-the-middle (AiTM). This is arguably a commodity kit but interesting nevertheless. WebAuthn can’t land quick enough to help mitigate this type of threat.
DEV-1101 began advertising their AiTM kit around May 2022 through a Telegram channel and an advertisement in exploit[.]in, a popular cybercrime forum. The advertisement describes the AiTM kit as a phishing application written in NodeJS with PHP reverse-proxy capabilities, automated setup, detection evasion through an antibot database, management of phishing activity through Telegram bots, and a wide range of ready-made phishing pages mimicking services such as Microsoft Office or Outlook.
On June 12, 2022, DEV-1101 announced that the kit would be open source with a $100 monthly licensing fee. The actor also provided links to additional Telegram channels and a now-defunct GitHub page.
BatLoader Continues to Abuse Google Search Ads to Deliver Vidar Stealer and Ursnif
More malicious Google advert usage, note the ChatGPT lure..
Throughout February 2023, [we] observed a series of newly registered websites impersonating various applications and brands. Included among these are:
ChatGPT (chatgpt-t[.]com)
Zoom (zoomvideor[.]com)
Spotify (spotify-uss[.]com)
Tableau (tableau-r[.]com)
Adobe (adobe-l[.]com)
These sites were used to host imposter download pages and all likely stem from malicious advertisements on Google Search Ads. A more complete list can be found at the end of this post.
Threat Actors Abuse AI-Generated Youtube Videos to Spread Stealer Malware
Pavan Karthick M details a novel campaign by organized crime who has been inspired by other industries.
Since November 2022 there has been a 200-300% month-on-month increase in Youtube videos containing links to stealer malware such as Vidar, RedLine, and Raccoon in their descriptions. The videos lure users by pretending to be tutorials on how to download cracked versions of software such as Photoshop, Premiere Pro, Autodesk 3ds Max, AutoCAD, and other products that are licensed products available only to paid users.
there has been a recent trend of videos featuring AI-generated personas, across languages and platforms (Twitter, Youtube, Instagram), providing recruitment details, educational training, promotional material, etc. And threat actors have also now adopted this tactic.
https://cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware
Xenomorph v3: a new variant with ATS targeting more than 400 institutions
At scale financially motivated campaign here.
the term ATS (Automated Transfer Systems) is used to define a set of features that allow criminals to automatically complete fraudulent transactions on infected devices.
https://www.threatfabric.com/blogs/xenomorph-v3-new-variant-with-ats.html
Discovery
How we find and understand the latent compromises within our environments.
A Survey on Deep Learning Models for Cyber Threat Detection Systems
Tolulope Olufemi and Wilson Sakpere do literature review on the topic.
This study found that deep learning based algorithms can improve cyberthreat detection accuracy and reduce false positives. [Cyberthreat detection] The research contains freely accessible statistics that track evolving trends. Improving model efficacy requires simulating low-frequency assaults in a realistic situation and inventing techniques to reduce model complexity.
https://easychair.org/publications/preprint/DL2D
Windows a file-less, persistent, local privilege escalation backdoor and detection approach
Grzegorz Tworek released this tradecraft in late February which is going to be a total world of pain for all cyber defenders. That is persistence is maintained through permissions changes.
The below changes permissions for Windows Service Control Manager.
sc.exe sdset scmanager D:(A;;KA;;;WD) Detection with Velociraptor for this specific instance.
I mentioned on social media that I cover this scenario in one of the MSc lectures I give with slide - it gives a sense as to the scale of the challenge.
Uncovering Windows Events: Threat Intelligence ETW
Jonathan Johnson shows how to wring out some further value from ETW.
This post will focus on the process I followed to understand the events the Threat-Intelligence ETW provider logs and how to uncover the underlying mechanisms. One can use a similar process when trying to reverse other manifest-based ETW providers.
https://posts.specterops.io/uncovering-windows-events-b4b9db7eac54
Defence
How we proactively defend our environments.
AARs (After Action Reports)
I love this format on how to do post incident / event diagnostics. It is like retros for cyber operations.
twitter.com/retBandit/status/1634231260028731392
Enhanced protection when users open or download an embedded file in OneNote
In April 2023 Microsoft close out this attack surface.
Finding and Understanding Bugs in C Compilers
Xuejun Yang, Yang Chen, Eric Eide and John Regehr provide a valuable evidence base as to the value of formal verification in mitigating certain vulnerability classes / creating fuzzing resistance.
This second point is illustrated by our experience in testing CompCert [14], a verified C compiler. Using Csmith, we found previously unknown bugs in unproved parts of CompCert—bugs that cause this compiler to silently produce incorrect code.
..
The striking thing about our CompCert results is that the middleend bugs we found in all other compilers are absent. As of early 2011, the under-development version of CompCert is the only compiler we have tested for which Csmith cannot find wrong-code errors. This is not for lack of trying: we have devoted about six CPU-years to the task. The apparent unbreakability of CompCert supports a strong argument that developing compiler optimizations within a proof framework, where safety checks are explicit and machine-checked, has tangible benefits for compiler users.
https://users.cs.utah.edu/~regehr/papers/pldi11-preprint.pdf
Vulnerability
Our attack surface.
CVE-2023-23415 - Internet Control Message Protocol (ICMP) Remote Code Execution Vulnerability
Don’t think it will exploited in the real world to achieve RCE. But I want to be wrong..
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23415
Offense
Attack capability, techniques and trade-craft.
.. nothing overly novel this week (for a change) ..
Exploitation
What is being exploited.
Microsoft Mitigates Outlook Elevation of Privilege Vulnerability
We discovered limited, targeted abuse of a vulnerability in Microsoft Outlook for Windows that allows for new technology LAN manager (NTLM) credential theft. Microsoft has released CVE-2023-23397 to address the critical EOP vuln
Windows SmartScreen Security Feature Bypass Vulnerability
An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses - Exploitation Detected
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24880
Adobe has released security updates for ColdFusion versions 2021 and 2018
Resolves critical and important vulnerabilities that could lead to arbitrary code execution and memory leak. Adobe is aware that CVE-2023-26360 has been exploited in the wild in very limited attacks targeting ColdFusion.
Analysis of FG-IR-22-369
Multiple IoCs have been uncovered related to the incident FG-IR-22-369 / CVE-2022-41328. The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets.
https://www.fortinet.com/blog/psirt-blogs/fg-ir-22-369-psirt-analysis
Magniber ransomware actors used a variant of Microsoft SmartScreen bypass
Benoit Sevens documents Magniber’s usage of this vulnerability in their ransomware campaigns.
[We] recently discovered usage of an unpatched security bypass in Microsoft’s SmartScreen security feature, which financially motivated actors are using to deliver the Magniber ransomware without any security warnings. The attackers are delivering MSI files signed with an invalid but specially crafted Authenticode signature. The malformed signature causes SmartScreen to return an error that results in bypassing the security warning dialog displayed to users when an untrusted file contains a Mark-of-the-Web (MotW), which indicates a potentially malicious file has been downloaded from the internet.
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
Infra-Red, In Situ (IRIS) Inspection of Silicon
Bunnie Huang delivers a new hardware capability to the world.
This post introduces a technique I call “Infra-Red, In Situ” (IRIS) inspection. It is founded on two insights: first, that silicon is transparent to infra-red light; second, that a digital camera can be modified to “see” in infra-red, thus effectively “seeing through” silicon chips. We can use these insights to inspect an increasingly popular family of chip packages known as Wafer Level Chip Scale Packages (WLCSPs) by shining infrared light through the back side of the package and detecting reflections from the lowest layers of metal using a digital camera. This technique works even after the chip has been assembled into a finished product. However, the resolution of the imaging method is limited to micron-scale features.
https://www.bunniestudios.com/blog/?p=6712
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Global Advanced Persistent Threats (APT) 2022 Annual Report - Chinese, so a slightly different view of the world.
A Comprehensive Review of Cyber Security Vulnerabilities, Threats, Attacks, and Solutions
Microsoft Security Response Center (MSRC) BlueHat 2023 security conference videos
Adversarial Machine Learning A Taxonomy and Terminology of Attacks and Mitigations
OSCE Cyber/ICT Security Confidence-Building Measures - podcast - Jim Lewis and Chris Painter speak with Szilvia Tóth, Cyber Security Officer at the Secretariat of the Organization for Security and Co-operation in Europe (OSCE). They discuss the implementation of cyber confidence-building measures, points of contact directories, inter-regional cooperation, what’s next for the OSCE, and more.
Rolling the dice on algorithms: Increasing understanding through boardgames -
NIST CSF vs ISO 27001/2 vs NIST 800-53 vs SCF - great comparison and overview of various frameworks
Artificial Intelligence and International Conflict in Cyberspace - £130 book, apparently ot will be available online for free in some form around May.
UK The Government response to the House of Lords Fraud Committee report - The ECCTB should bring in a number of new powers to combat fraud including new powers to assist with the seizure and recovery of crypto-assets which are the proceeds of crime or are involved in illicit activity and a reformed expanded role for Companies House.
This newsletter is produced by BinaryFirefly, it is via BinaryFirefly I support a hand picked set of organisations across investment, strategy and capability in the domain of cyber.
For sponsorship enquiries regarding Bluepurple or anything else contact hello@binaryfirefly.com.
