Bluepurple Pulse: week ending March 27th
Hot takes they might be - but I can't find the evidence to refute
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading).
Operationally this week Lapsus$ drove activity both in actual breaches within clients but also secondarily with their big hacks causing wider concern. Beyond that a number of organisations with exposure to Russian business have made adjustments due to the rising threats from the likes of Anonymous. We also published Mining data from Cobalt Strike beacons, where we released just over three years' worth of over 128,000 beacons from over 24,000 active Cobalt Strike Team Servers to help defenders and researchers.
In the high-level this week:
The White House (not me): Statement by President Biden on our Nation’s Cybersecurity - basically says get on with it - “This is a critical moment to accelerate our work to improve domestic cybersecurity and bolster our national resilience.” (so in fact could be me).
United States Senate Committee on Homeland Security and Governmental Affairs report titled America’s Data Held Hostage: Case Studies in Ransomware Attacks on American Companies - Another great example of legislators getting educated.
US Federal Communications Commission added Kaspersky (and China Mobile and China Telecom) to the List of Equipment and Services Covered By Section 2 of The Secure Networks Act
FBI IC3 annual report released - estimated potential losses totalling $6.9 billion — a 64% increase from 2020 - eeek.
The UK, together with the US and other allies, has exposed historic malign cyber activity of Russia's Federal Security Service (FSB) - FSB’s Centre 16 conducted a malign programme of cyber activity and got indicted by the FBI for targeting the systems controlling the Wolf Creek nuclear power plant in Kansas, US in 2017
Four Russian Government Employees Charged in Two Historical Hacking Campaigns Targeting Critical Infrastructure Worldwide - two separate conspiracies, targeted the global energy sector between 2012 and 2018. In total, these hacking campaigns targeted thousands of computers, at hundreds of companies and organizations, in approximately 135 countries.
Tactics, Techniques, and Procedures of Indicted State-Sponsored Russian Cyber Actors Targeting the Energy Sector - US’s CISA gives technical advice to mitigate this threat - although Robert M Lee then went to town unpicking it on practical points in the real world of ICS.
FBI: Igor Dekhtyarchuk is wanted for allegedly operating a cyber-criminal marketplace that sold thousands of login credentials - Igor is not going on holiday anywhere except countries without US extradition - but again an example of the US using indictments to pursue and dissuade.
The UN norms of responsible state behaviour in cyberspace: Guidance on implementation for Member States of ASEAN - the result of a multi-year cyber capacity-building program by ASPI in partnership with the UK Foreign, Commonwealth and Development Office and the Australian Department of Foreign Affairs and Trade (Cyber and Critical Technology Cooperation Program).
The Okta breach this week resulted in many hot takes such as “Zero Trust is insecure”, “Don’t outsource your authentication to a SaaS provider” etc etc. All very interesting and made doubly amusing by this shade:
Behind the hot takes there is likely something worth a longer discussion. How do we know empirically whether Zero Trust or a SaaS is more or less secure than the alternative? I often use an 1800s medicine analogy, where primary evidence came from double blind trials etc. One of the challenges I see with cyber security solutions is we still can’t evidence accurately (for the most part) when they work, against which threats, with what efficacy and when that efficacy will degrade. In short, hot takes they might be, but I’d struggle to find the primary evidence to refute them.
Have a lovely Saturday
Ollie
Cyber threat intelligence
Who is doing what to whom and how.
Ukraine
Aggregate reporting on this conflict. You have to admire the output from CERT-UA during these unstable times.
Cyberattack on Ukrainian enterprises using the DoubleZero destructor program
Ukrainian reporting on a wiper.
On March 17, 2022, the Ukrainian government computer emergency response team CERT-UA discovered several ZIP archives, one of which was called "Virus ... extremely dangerous !!!. Zip". Each of the archives contains an obfuscated .NET program. As a result of the analysis, the identified programs are classified as DoubleZero, a malicious destructor program developed using the C# programming language.
https://cert.gov.ua/article/38088
Cyberattack on state organizations of Ukraine using the malicious program Cobalt Strike Beacon
Further Ukrainian reporting on Russian activity, again using basic archive wrappers.
CERT-UA found the RAR archive "Saboteurs.rar", which contains the RAR archive "Saboteurs 21.03.rar", which in turn contains the SFX archive "Saboteurs filercs.rar" (to mask the extension, the file name contains the right-to-left override (RTLO) character).
The archive contains decoy documents and images, as well as VBScript code (Thumbs.db) which will create and run the .NET program "dhdhk0k34.com". As a result, the computer will be infected with the malicious program Cobalt Strike Beacon. Note that the compilation date of the injector "inject.exe" is 15.03.2022.
https://cert.gov.ua/article/38155
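The RTLO trick above is cheap to catch at the mail gateway or in an EDR file-create event: the control character has no business being in a filename. The following is an added example (mine, not CERT-UA's code) that flags Unicode bidirectional controls in filenames, approximates what a file browser would display, and reports the extension the OS will actually act on. The sample names are constructed; the first is built the way the write-up describes, so it renders as "Saboteurs filercs.rar" while really ending in .scr.

```python
import os
import unicodedata

# Unicode bidirectional control characters. U+202E (RIGHT-TO-LEFT OVERRIDE)
# is the one abused to disguise extensions; the rest are flagged too because
# none of them belongs in a filename.
BIDI_CONTROLS = {
    "\u202A", "\u202B", "\u202C", "\u202D", "\u202E",
    "\u2066", "\u2067", "\u2068", "\u2069",
}


def find_bidi_controls(name):
    """Return (index, Unicode name) for every bidi control in the filename."""
    return [(i, unicodedata.name(ch)) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def apparent_name(name):
    """Approximate how a file browser renders the name: the run after a
    RIGHT-TO-LEFT OVERRIDE (up to a POP DIRECTIONAL FORMATTING, if any) is
    shown reversed. Other controls are simply invisible."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202E":
            end = name.find("\u202C", i + 1)
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def actual_extension(name):
    """Extension the OS uses: strip the controls, then split on the last dot."""
    stripped = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return os.path.splitext(stripped)[1].lower()


def check_filename(name):
    """Build a finding for one filename; 'extension_mismatch' is the alert condition."""
    controls = find_bidi_controls(name)
    apparent = apparent_name(name)
    apparent_ext = os.path.splitext(apparent)[1].lower()
    real_ext = actual_extension(name)
    return {
        "name": name,
        "has_bidi": bool(controls),
        "controls": controls,
        "apparent": apparent,
        "apparent_extension": apparent_ext,
        "actual_extension": real_ext,
        "extension_mismatch": bool(controls) and apparent_ext != real_ext,
    }


def scan_names(names):
    """Return findings only for names that carry a bidi control."""
    return [r for r in (check_filename(n) for n in names) if r["has_bidi"]]


# Constructed sample names (not taken from a real archive). The first one is
# assembled as the CERT-UA description implies: "Saboteurs file" + RTLO + "rar.scr".
SAMPLE_NAMES = [
    "Saboteurs file\u202Erar.scr",
    "Saboteurs 21.03.rar",
    "report\u202Efdp.exe",
]

if __name__ == "__main__":
    for r in scan_names(SAMPLE_NAMES):
        where = [i for i, _ in r["controls"]]
        print(f"{r['apparent']!r} is really {r['actual_extension']} (controls at {where})")
```

The rendering approximation is deliberately simple (it ignores the full bidi algorithm's treatment of mixed scripts); for detection purposes the presence of any control character is already enough to quarantine, and the apparent/actual extension pair is there for the analyst's report.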
Cyberattack Using HeaderTip Malware
Further Ukrainian reporting on a threat actor using basic staged tradecraft which has been attributed to China 🇨🇳.
CERT-UA found the RAR archive "On the preservation of video recordings of the criminal actions of the army of the Russian Federation.rar", which contains an EXE file of the same name. Running the executable will create a lure document "# 2163_02_33-2022.pdf" on the computer (relating to a letter from the National Police of Ukraine), as well as a DLL file "officecleaner.dat" with its MZ header removed and a BAT file "officecleaner.bat", which restores the correct DLL file, runs it, and writes to the Windows registry for persistence.
The mentioned DLL-file is classified as a malicious program HeaderTip, the main purpose of which is to download and execute other DLL-files.
https://cert.gov.ua/article/38097
Chinese Threat Actor Scarab Targeting Ukraine
After the nudges and winks from Intrusion Truth last week, and beyond the above Ukrainian CERT reporting, we get the following from Tom Hegel giving the specifics and attribution links.
Ukraine CERT (CERT-UA) has released new details on UAC-0026, which SentinelLabs confirms is associated with the suspected Chinese threat actor known as Scarab.
The malicious activity represents one of the first public examples of a Chinese threat actor targeting Ukraine since the invasion began.
Scarab has conducted a number of campaigns over the years, making use of a custom backdoor originally known as Scieron, which may be the predecessor to HeaderTip.
While technical specifics vary between campaigns, the actor generally makes use of phishing emails containing lure documents relevant to the target, ultimately leading to the deployment of HeaderTip.
https://www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine/
IsaacWiper Continues Trend of Wiper Attacks Against Ukraine
This vendor felt compelled to produce an analysis building on another vendors blog from the start of the month. The risk of circular reporting in cyber is ever real.
Following recent wiper attacks against Ukrainian organizations involving the WhisperGate and HermeticWiper malware, a new destructive wiper, IsaacWiper, was observed on February 24, 2022. Although no direct attribution for IsaacWiper or the other wiper malware found targeting Ukraine has been made by researchers, the timing of these destructive attacks in conjunction with tensions and kinetic conflict in Ukraine suggests they are Russian in origin.
https://go.recordedfuture.com/hubfs/reports/mtp-2022-0324.pdf
Analysis: HermeticWiper & PartyTicket
This vendor similarly built on prior reporting of these two components covered in prior weeks.
[We have] performed a technical malware analysis on HermeticWiper and PartyTicket. This technical analysis provides a detailed breakdown of how HermeticWiper fulfills its objective of accessing the Physical Drives and encrypting the targeted filetypes in the host device and network.
Operation Dragon Castling: APT group targeting betting companies
Jan Holman documents a suspected Chinese threat actor who is going after betting companies. Criminal enterprise or government looking for tax evaders or both?
We recently discovered an APT campaign we are calling Operation Dragon Castling. The campaign is targeting what appears to be betting companies in South East Asia, more specifically companies located in Taiwan, the Philippines, and Hong Kong. With moderate confidence, we can attribute the campaign to a Chinese speaking APT group, but unfortunately cannot attribute the attack to a specific group and are not sure what the attackers are after. We identified a new vulnerability (CVE-2022-24934) in the WPS Office updater wpsupdate.exe, which we suspect that the attackers abused.
Countering threats from North Korea
North Korea throwing some Chrome zero days around in early February with a US targeting focus. Let's say this out loud: a heavily sanctioned country, indeed a pariah of the world, managed to get Chrome zero days, i.e. in software produced by one of the most capable and well financed software vendors on the planet. Yes, it is all still too easy. When does Rust Chrome arrive?
On February 10, [we] discovered two distinct North Korean government-backed attacker groups exploiting a remote code execution vulnerability in Chrome, CVE-2022-0609. These groups' activity has been publicly tracked as Operation Dream Job and Operation AppleJeus.
We observed the campaigns targeting U.S. based organizations spanning news media, IT, cryptocurrency and fintech industries.
https://blog.google/threat-analysis-group/countering-threats-north-korea/
APT Attack Using Word Files About Cryptocurrency (Kimsuky)
At the other end of the capability spectrum, this time North Korea going after those with cryptocurrency - guess those Chrome zero days aren’t going to pay for themselves.
On March 21st, [we] discovered the Kimsuky group’s APT attacks that use Word files containing information about cryptocurrency. A total of three Word files were discovered that were used as baits for the attacks. The macro’s author and its execution flow are identical to that which was introduced in the blog post on March 17th (Title: Malicious Word Files Disguised as Product Introduction)
https://asec.ahnlab.com/en/32958/
Mustang Panda’s Hodur: Old tricks, new Korplug variant
Alexandre Côté Cyr documents a basic set of capabilities deployed on behalf of China.
[We] have discovered Hodur, a previously undocumented Korplug variant spread by Mustang Panda, that uses phishing lures referencing current events in Europe, including the invasion of Ukraine
As of March 2022, this campaign is still ongoing and goes back to at least August 2021.
Known victims include research entities, internet service providers, and European diplomatic missions.
The compromise chain includes decoy documents that are frequently updated and relate to events in Europe.
The campaign uses a custom loader to execute a new Korplug variant.
Every stage of the deployment process utilizes anti-analysis techniques and control-flow obfuscation, which sets it apart from other campaigns.
https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/
Serpent, No Swiping! New Backdoor Targets French Entities with Unique Attack Chain
France being targeted in this campaign documented by Bryan Campbell, Zachary Abzug, Andrew Northern and Selena Larson. The first stage is basic maldocs followed up with something a little more novel.
[We] observed new, targeted activity impacting French entities in the construction and government sectors. The threat actor used macro-enabled Microsoft Word documents to distribute the Chocolatey installer package, an open-source package installer.
[We] identified a targeted attack leveraging an open-source package installer Chocolatey to deliver a backdoor.
The attack targeted French entities in the construction, real estate, and government industries.
The attacker used a resume themed subject and lure purporting to be GDPR information.
The attacker used steganography, including a cartoon image, to download and install the Serpent backdoor.
The attacker also demonstrated a novel detection bypass technique using a Scheduled Task.
Objectives are currently unknown however based on the tactics and targeting observed it is likely an advanced, targeted threat.
DirtyMoe: Worming Modules
Martin Chlumecký details an interesting worm module from a malware family distributed initially via both exploit kits and malicious installers. The self propagation element is interesting for internal networks should that crunchy exterior be jumped.
The DirtyMoe malware is deployed using various kits like PurpleFox or injected installers of Telegram Messenger that require user interaction. Complementary to this deployment, one of the DirtyMoe modules expands the malware using worm-like techniques that require no user interaction.
The analysis showed that the worming module targets older well-known vulnerabilities, e.g., EternalBlue and Hot Potato Windows Privilege Escalation. Another important discovery is a dictionary attack using Service Control Manager Remote Protocol (SCMR), WMI, and MS SQL services. Finally, an equally critical outcome is discovering the algorithm that generates victim target IP addresses based on the worming module’s geographical location.
https://decoded.avast.io/martinchlumecky/dirtymoe-5/
The Attack of the Chameleon Phishing Page
Homer Pacag documents some adaptive behaviour on the attacker's part. We are guessing this is to increase automation and impact whilst reducing work effort.
Recently, we encountered an interesting phishing webpage that caught our interest because it acts like a chameleon by changing and blending its color based on its environment. In addition, the site adapts its background page and logo depending on user input to trick its victims into giving away their email credentials.
What is Arid Gopher?
Simon Kenin and Asaf Gilboa out a Gaza-based actor developing new malware; they apparently also like watching HBO. They embed a Word document icon in their Windows executable and use really long filenames in an attempt to obfuscate that it is an exe.
[We] found a new, undocumented malware developed in Golang - a novel variant of the Micropsia
The malware is attributed to APT-C-23 (Arid Viper)
Further research revealed additional, previously unseen second-stage payloads
https://www.deepinstinct.com/blog/arid-gopher-the-newest-micropsia-malware-variant
APT-C-53 (Gamaredon) new changes in recent attacks
Russia active in Eastern Europe? A shock I tell you.. this Chinese reporting outlines some of their tradecraft including weirdly what looks like PII of someone in the comments of their VBS macro.
APT-C-53, also known as Gamaredon, has long been active in Eastern Europe. Since this year, we have observed many times that APT-C-53 has adjusted and optimized its own attack weapons during attack activities, while increasing the operating frequency of attack activities.
The organization prefers to use VBS scripts as one of the means of downloader, dropper and sustainable control.
https://mp.weixin.qq.com/s/YsyeLQDR_LQLfKhigSm2_Q
LAPSUS$
Apparently the kids who did Samsung, Ubisoft, LG, Nvidia, Microsoft, Okta etc. This is what happens when you hone your tradecraft in social engineering by getting your friend’s house raided by the SWAT team. Anyway, lots of reporting on this threat actor this week, in both high-level news and technical reporting. It also helps that various members fell out and some then got doxed.
DEV-0537 criminal actor targeting organizations for data exfiltration and destruction (Lapsus)
First up we have some technical reporting.
[We] have been actively tracking a large-scale social engineering and extortion campaign against multiple organizations with some seeing evidence of destructive elements.
The activity we have observed has been attributed to a threat group that [we] track as DEV-0537, also known as LAPSUS$. DEV-0537 is known for using a pure extortion and destruction model without deploying ransomware payloads. DEV-0537 started targeting organizations in the United Kingdom and South America but expanded to global targets, including organizations in government, technology, telecom, media, retail, and healthcare sectors.
Threat Actor Profile - LAPSUS$
Further reporting on their tradecraft in this report showing that humans were the key method of entry. Reminds me of the time NCC Group’s Red Team developed a relationship with a target in the client who read out their MFA code each day over the phone.
The group’s tactics include
SIM-swapping to facilitate account takeover.
Phone-based social engineering.
Buying stolen credentials from underground forums and searching dumps for credentials that can be exploited to gain access to accounts.
Accessing personal email accounts of employees at target organizations.
Paying employees, suppliers, or business partners of target organizations for access to credentials and multifactor authentication (MFA) approval.
Exploiting public-facing Remote Desktop Protocol (RDP).
Deploying phishing emails to gain access to accounts and networks.
https://www.overtoperator.com/p/threat-actor-profile-lapsus?s=r
Footsteps of the LAPSUS$ hacking group
Korean reporting on them providing a good summary of teenage hackers.
The LAPSUS$ hacking group is believed to have been active on deep web forums since at least May 15, 2021.
These are not the ransomware operator (RaaS) organizations that are being discussed recently, but are identified as an attack group that specializes in data theft.
In the past, they uploaded posts about victimized companies and threatened them on deep/dark web forums such as RaidForums and Exploit.in, but from December 10, 2021, they created their own Telegram channel to promote themselves.
On Telegram, starting with the first data breach of Brazil's Ministry of Health, they recently uploaded key data on NVIDIA and Samsung, as well as data on LG, Microsoft, and Okta, attracting global attention.
VPNs and MFA are the most difficult areas for them to get past inside large enterprises, so they have tried various strategies: mainly mobile-based social engineering attacks to bypass MFA, SIM swapping, contacting the helpdesk, access to employee email accounts, and buying credentials from insiders or associates.
The group's main purpose, which is estimated to be composed of at least 5 members, is money, and cases of hacking unrelated companies for their own fun have also been confirmed.
https://medium.com/s2wblog/footsteps-of-the-lapsus-hacking-group-73a8a143c375
Storm Cloud on the Horizon: GIMMICK Malware Strikes at macOS
Damien Cash, Steven Adair, Thomas Lancaster catch Chinese macOS capability in the wild.
Volexity detected a system running frp, otherwise known as fast reverse proxy, and subsequently detected internal port scanning shortly afterward. This traffic was determined to be unauthorized and the system, a MacBook Pro running macOS 11.6 (Big Sur), was isolated for further forensic analysis.
This led to the discovery of a macOS variant of a malware implant Volexity calls GIMMICK.
GIMMICK is used in targeted attacks by Storm Cloud, a Chinese espionage threat actor known to attack organizations across Asia. It is a feature-rich, multi-platform malware family that uses public cloud hosting services (such as Google Drive) for command-and-control (C2) channels. The newly identified macOS variant is written primarily in Objective C, with Windows versions written in both .NET and Delphi.
From BlackMatter to BlackCat: Analyzing two attacks from one affiliate
Tiago Pereira, with contributions from Caitlin Huey, outs a Ransomware as a Service targeting primarily the USA but also parts of Europe, Australia, India and China.
BlackCat is a recent and growing ransomware-as-a-service (RaaS) group that targeted several organizations worldwide over the past few months.
There are rumors of a relationship between BlackCat and the BlackMatter/DarkSide ransomware groups, infamous for attacking the Colonial Pipeline last year. According to a BlackCat representative, BlackCat is not a rebranding of BlackMatter, but its team is made from affiliates of other RaaS groups (including BlackMatter).
[We have] observed at least one attacker that used BlackMatter was likely one of the early adopters of BlackCat. In this post, we'll describe these attacks and the relationship between them.
https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html
Indicators of Compromise Associated with AvosLocker Ransomware
FBI reporting..
AvosLocker is a Ransomware as a Service (RaaS) affiliate-based group that has targeted victims across multiple critical infrastructure sectors in the United States including, but not limited to, the Financial Services, Critical Manufacturing, and Government Facilities sectors. AvosLocker claims to directly handle ransom negotiations, as well as the publishing and hosting of exfiltrated victim data after their affiliates infect targets. As a result, AvosLocker indicators of compromise (IOCs) vary between indicators specific to AvosLocker malware and indicators specific to the individual affiliate responsible for the intrusion
https://www.ic3.gov/Media/News/2022/220318.pdf
Conti
Again aggregate reporting, as everyone is doing analysis on the back of the leaks.
Suspected Conti Ransomware Activity in the Auto Manufacturing Sector
Josh Hanrahan outs a Conti campaign using netflow and the leaks to understand which companies were speaking to their C2s.
Three of the world’s top automakers
A key domestic supplier to one of the world’s top automakers
An automotive component manufacturer
Analysis of Leaked Conti Intrusion Procedures
A quick analysis based on the leaks of their tradecraft which could help operational blue teams detect any splinter groups.
There is a heavy reliance on Offensive Security Tooling (OST) such as Cobalt Strike, Mimikatz, Powerview, and known attack techniques throughout the intrusion phases.
Dual-use tools such as 7zip, AnyDesk, Rclone, and living-off-the-land Windows utilities have been used to reduce exposure.
Tooling is augmented with using scripts to facilitate deployment and use. For example, Cobalt Strike is augmented with using known resources like C2Concealer and scripts compiled from public research.
GOLD ULRICK Leaks Reveal Organizational Structure and Relationships
Someone produced an org chart based on the Conti leaks. Its accuracy I suspect we will never know. Looks like a cyber consultancy start-up.
https://www.secureworks.com/blog/gold-ulrick-leaks-reveal-organizational-structure-and-relationships
Vidar Malware Launcher Concealed in Help File
Diana Lopera documents some interesting tradecraft which builds on what we have seen some state actors use, but in this case for criminal purposes.
Appending a malicious file to an unsuspecting file format is one of the tricks our adversaries use to evade detection. Recently, we came across an interesting email campaign employing this technique to deliver the info stealer Vidar malware.
Second, the email contains only one attachment named “request.doc”, which is actually an ISO file. ISO is a disk image file format that cybercriminals repurpose for use as a malware container. In this campaign, the ISO attachment holds two files – a Microsoft Compiled HTML Help (CHM) file “pss10r.chm” and an executable “app.exe.” Once the attacker tricks the recipient into extracting the contents of “request.doc” and then executes either one, the system can be compromised.
New JSSLoader Trojan Delivered Through XLL Files
Hido Cohen shows the evolved tradecraft by this criminal threat actor. XLL files we have seen used by some Red Teams, although in those cases they code signed them. These examples are not.
[We] observed a new wave of JSSLoader infections this year. We’ve tracked JSSLoader activity since December 2020 and published a thorough report on the Russian criminal hacking group FIN7’s JSSLoader. JSSLoader is a small, very capable .NET remote access trojan (RAT). Its capabilities include data exfiltration, persistence, auto-updating, additional payload delivery, and more.
Attackers are now using .XLL files to deliver a new, obfuscated version of JSSLoader. We explain how this new malware variant utilizes the Excel add-ins feature to load the malware and inspect the changes inside
https://blog.morphisec.com/new-jssloader-trojan-delivered-through-xll-files
Discovery
How we find and understand the latent compromises within our environments.
Understanding Your Okta Logs to Hunt for Evidence of an Okta Breach
Given the Okta breach which came to light, Dan Abramov and Lionel Saposnik come to the rescue.
We advise focusing on the following events in Okta System Log:
user.account.reset_password
user.mfa.factor.update
system.mfa.factor.deactivate
user.mfa.attempt_bypass
user.session.impersonation.initiate
https://www.mitiga.io/blog/all-the-information-you-need-to-know-to-understand-your-okta-logs-today
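The five event types above are only useful if you actually sweep your System Log export for them, so here is an added example (my code, not Mitiga's) that parses a JSON-lines export of the Okta System Log, pulls out those events with actor, target and source IP, and tallies them per actor so that one support or admin identity touching many users' MFA factors stands out. The records are constructed for the example and use the real System Log field names (eventType, published, actor, target, client, outcome); the one-line "why" for each event type is my wording.

```python
import json
from collections import Counter

# Event types the Mitiga post says to focus on, with a short reason (mine).
HUNT_EVENTS = {
    "user.account.reset_password": "password reset on an account",
    "user.mfa.factor.update": "MFA factor changed or re-enrolled",
    "system.mfa.factor.deactivate": "MFA factor removed",
    "user.mfa.attempt_bypass": "MFA bypass attempted",
    "user.session.impersonation.initiate": "admin/support impersonation session started",
}


def _record(event_type, actor, target, ip, published, result="SUCCESS"):
    """Build a minimal Okta System Log record (constructed sample data)."""
    return {
        "eventType": event_type,
        "published": published,
        "actor": {"alternateId": actor, "type": "User"},
        "target": [{"alternateId": target, "type": "User"}],
        "client": {"ipAddress": ip},
        "outcome": {"result": result},
    }


# Constructed JSON-lines export: one support identity resetting/removing MFA
# for several users in a short window, plus ordinary noise around it.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    _record("user.session.start", "alice@example.com", "alice@example.com", "198.51.100.10", "2022-03-22T09:00:01Z"),
    _record("user.mfa.factor.update", "support@example.com", "alice@example.com", "203.0.113.7", "2022-03-22T09:02:15Z"),
    _record("system.mfa.factor.deactivate", "support@example.com", "bob@example.com", "203.0.113.7", "2022-03-22T09:03:40Z"),
    _record("user.session.impersonation.initiate", "support@example.com", "carol@example.com", "203.0.113.7", "2022-03-22T09:05:02Z"),
    _record("user.account.reset_password", "alice@example.com", "alice@example.com", "198.51.100.10", "2022-03-22T10:30:00Z"),
    _record("user.authentication.sso", "bob@example.com", "bob@example.com", "198.51.100.11", "2022-03-22T10:31:12Z"),
])


def parse_system_log(text):
    """Parse a JSON-lines export of the Okta System Log into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def hunt(records, watch=HUNT_EVENTS):
    """Return a flat finding for every record whose eventType is on the watch list."""
    hits = []
    for rec in records:
        event_type = rec.get("eventType")
        if event_type not in watch:
            continue
        hits.append({
            "published": rec.get("published"),
            "eventType": event_type,
            "why": watch[event_type],
            "actor": (rec.get("actor") or {}).get("alternateId"),
            "targets": [t.get("alternateId") for t in rec.get("target") or []],
            "ip": (rec.get("client") or {}).get("ipAddress"),
            "result": (rec.get("outcome") or {}).get("result"),
        })
    return hits


def actors_by_hits(hits):
    """Count watch-list events per actor; a single identity with many is the lead to chase."""
    return Counter(h["actor"] for h in hits)


if __name__ == "__main__":
    findings = hunt(parse_system_log(SAMPLE_LOG))
    for h in findings:
        print(f"{h['published']} {h['eventType']:40} {h['actor']} -> {h['targets']} from {h['ip']} ({h['why']})")
    print("per actor:", dict(actors_by_hits(findings)))
```

Against a real export, the next step is to join the flagged actor against your list of support-desk and admin accounts and compare the client IP with the provider's published ranges; a self-service password reset from the user's usual address is background noise, the same support identity removing factors for several users from one unfamiliar address is not.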
Defence
How we proactively defend our environments.
Enhanced iFrame Protection
Neat defensive technique; we just need this to be rolled into the browsers natively.
Enhanced iFrame Protection (EIP) is a lightweight extension to automatically detect and provide verbose warnings for embedded iframe elements in order to protect against Browser-In-The-Browser (BITB) attacks.
https://github.com/odacavo/enhanced-iframe-protection
Update Microsoft Sentinel VIP Users Watchlist from Azure AD group using playbooks
Benjamin Kovacevic shows us what the future is like with this neat Sentinel feature to allow dynamic alerting based on VIPs.
GoodHound
Andi Morris turns BloodHound in Active Directory to the light side.
GoodHound operationalises Bloodhound by determining the busiest paths to high value targets and creating actionable output to prioritise remediation of attack paths.
https://github.com/idnahacks/GoodHound
Offense
Attack capability, techniques and tradecraft.
Windows Event Log Evasion via Native APIs
Lina Lau walks us through the technique and how to detect.
Using native APIs to install services instead of the standard API calls allows threat actors to bypass security controls and event logging. This technique was utilised in the infamous Stuxnet malware sample created by the alleged US and Israeli government to target the Iranian nuclear program.
https://www.inversecos.com/2022/03/windows-event-log-evasion-via-native.html
Payload Download Cradles
Daniel Feichter gives us capability to assess EDR download cradle efficacy.
These are different types of download cradles which should be an inspiration to play and create new download cradles to bypass AV/EPP/EDR in context of download cradle detections. Notice, removing or obfuscating signatures from your download cradle is only one piece of the puzzle to bypass an AV/EPP/EDR. Depending on the respective product you have to modify your payload which should be downloaded by the cradle to bypass API-Hooking, Callbacks, AMSI etc.
https://github.com/VirtualAlllocEx/Payload-Download-Cradles
Apple TCC (Transparency, Consent, and Control) Click Jacking
Ron Masas brings some web tradecraft to macOS’s trust framework.
TCC (Transparency, Consent, and Control) restricts and controls application access to certain features. This can include things such as camera, microphone, location services, contacts, photos, Downloads/Desktop/Documents folders, and a bunch more.
The ability to bypass TCC can sometimes be the difference-maker in red team engagements. ClickJacking is a fairly simple attack that can trick most users into giving away full control over their TCC database.
https://github.com/breakpointHQ/TCC-ClickJacking
Cronos Rootkit
From Poland with love..
Cronos is a Windows 10/11 x64 ring 0 rootkit. Cronos is able to hide processes, and protect and elevate them with token manipulation.
https://github.com/XaFF-XaFF/Cronos-Rootkit
Vulnerability
Our attack surface.
CVE-2022-27226: CSRF to RCE in iRZ Mobile Routers through 2022-03-16
Not sure if this will actually be exploited in the wild, but a nice demo chain nevertheless from John Jackson and Chris Mack with help from Stephen Chavez and Robert Willis.
A CSRF issue on iRZ Mobile Routers through 2022-03-16 allows a threat actor to create a crontab entry in the router administration panel.
https://johnjhacking.com/blog/cve-2022-27226/
Remote Code Execution on Western Digital PR4100 NAS (CVE-2022-23121)
NCC Group’s Exploit Development Group (the exploit tool smiths for our consultants) detail this vulnerability from pwn2own. Western Digital removed the vulnerable component entirely.
Western Digital published a firmware update (5.19.117) which entirely removed support for the open source third party vulnerable service "Depreciated Netatalk Service". As this vulnerability was addressed in the upstream Netatalk code, CVE-2022-23121 was assigned and a ZDI advisory published together with a new Netatalk release 3.1.13 distributed which fixed this vulnerability together with a number of others.
Exploitation
What is being exploited.
Large-scale npm attack targets Azure developers with malicious packages
Andrey Polkovnychenko and Shachar Menashe walk through yet another attack against an open source registry.
Two days ago, several of our automated analyzers started alerting on a set of packages in the npm Registry. This particular set of packages steadily grew over a few days, from about 50 packages to more than 200 packages (as of March 21st).
After manually inspecting some of these packages, it became apparent that this was a targeted attack against the entire @azure npm scope, by an attacker that employed an automatic script to create accounts and upload malicious packages that cover the entirety of that scope. Currently, the observed malicious payload of these packages was a PII (Personally identifiable information) stealer.
The attacker seemed to target all npm developers that use any of the packages under the @azure scope, with a typosquatting attack.
In addition to the @azure scope, a few packages from the following scopes were also targeted – @azure-rest, @azure-tests, @azure-tools and @cadl-lang.
https://jfrog.com/blog/large-scale-npm-attack-targets-azure-developers-with-malicious-packages/
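A scope-wide typosquat like this is something a build pipeline can check for before `npm install` ever runs. The following is an added example (mine, not JFrog's tooling) that audits a package.json against an allowlist of the scoped packages a project legitimately uses and flags two things: an unscoped dependency whose name collides with the basename of a known scoped package, and any package in one of the targeted scopes named in the post that is not on the allowlist. The assumption that the typosquat takes the unscoped-name form is mine (the post only says the @azure scope was typosquatted), and the allowlist and the sample package.json are constructed for the example.

```python
import json
import re

# Scopes the JFrog post names as targeted.
TARGETED_SCOPES = {"@azure", "@azure-rest", "@azure-tests", "@azure-tools", "@cadl-lang"}

# Constructed allowlist for the example. In practice, generate it from the
# lockfile of a known-good build rather than by hand.
KNOWN_SCOPED = {
    "@azure/identity",
    "@azure/storage-blob",
    "@azure/core-http",
    "@cadl-lang/compiler",
}

SCOPED_RE = re.compile(r"^(@[^/]+)/(.+)$")


def split_scope(name):
    """Split '@scope/pkg' into ('@scope', 'pkg'); unscoped names give (None, name)."""
    m = SCOPED_RE.match(name)
    return (m.group(1), m.group(2)) if m else (None, name)


def audit_dependencies(deps, known_scoped=KNOWN_SCOPED, scopes=TARGETED_SCOPES):
    """Return (name, version, reason) for dependencies that look like scope typosquats.

    Two checks (the first encodes my assumption about the typosquat's form):
      1. an unscoped name equal to the basename of an allowlisted scoped package;
      2. a package inside a targeted scope that is not on the allowlist.
    """
    basenames = {split_scope(p)[1]: p for p in known_scoped}
    findings = []
    for name, version in deps.items():
        scope, base = split_scope(name)
        if scope is None and base in basenames:
            findings.append((name, version, f"unscoped name collides with {basenames[base]}"))
        elif scope in scopes and name not in known_scoped:
            findings.append((name, version, f"package in targeted scope {scope} is not on the allowlist"))
    return findings


def audit_package_json(text):
    """Audit every dependency section of a package.json document."""
    pkg = json.loads(text)
    deps = {}
    for key in ("dependencies", "devDependencies", "optionalDependencies"):
        deps.update(pkg.get(key, {}))
    return audit_dependencies(deps)


# Constructed package.json: one legitimate scoped package, one unscoped
# look-alike, one in-scope package missing from the allowlist, one unrelated.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-app",
    "dependencies": {
        "@azure/identity": "^2.0.4",
        "core-http": "99.10.9",
        "express": "^4.17.1",
    },
    "devDependencies": {
        "@azure/core-tracing": "^1.0.0",
    },
})

if __name__ == "__main__":
    for name, version, reason in audit_package_json(SAMPLE_PACKAGE_JSON):
        print(f"{name}@{version}: {reason}")
```

The second check is deliberately strict: it treats every package in a targeted scope as unknown until someone adds it to the allowlist, which is the right failure mode while an attacker is mass-registering names across that scope.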
Footnotes
Some other small bits and bobs which might be of interest.
The Intelligent Process Lifecycle of Active Cyber Defenders - this showcases the main cyber defence disciplines and how, if false positives events are classified in a systematic manner for each service, this information can afterwards be used to identify improvement areas.
A Sneak Peek into the Forbidden State: Exploring the CyberSpace of North Korea - What happens when someone wants to cyber survey a country.
An Empirically Comparative Analysis of Ransomware Binaries - some interesting work to empirically evaluate the encryption speed of common ransomware families across a variety of operating systems and hardware specifications. Based on their median results, their findings indicated a total loss of data via ransomware encryption occurs in under 43 minutes.
Next Steps for the EU: Building on the Paris Call and EU Cybersecurity Strategy - big policy paper from a number of esteemed authors.
Not So Lazarus: Mapping DPRK Cyber Threat Groups to Government Organizations - tying marketing hacker group names to intelligence/military units within North Korea.
ELI Principles on the Use of Digital Assets as Security - Not cyber, but financial - The ELI Principles seek to provide this guidance by setting out key concepts relevant to the use of digital assets as security. In particular, the Principles focus on situations where security providers secure the performance of their obligations vis-à-vis security takers by using digital assets as collateral under the terms of a security agreement.
That’s all folks.. until next week..