

Bluepurple Pulse: week ending March 5th
US goes large on its new national cyber security strategy
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week nothing overly standout but as you’ll see below there is no sign of a slowdown.
In the high-level this week:
FACT SHEET: Biden-Harris Administration Announces National Cybersecurity Strategy - Defend Critical Infrastructure, Disrupt and Dismantle Threat Actors, Shape Market Forces to Drive Security and Resilience, Invest in a Resilient Future and Forge International Partnerships to Pursue Shared Goals – let’s be honest, the single most impactful line is likely this one: Shifting liability for software products and services to promote secure development practices;
IST Reviews the 2023 National Cybersecurity Strategy: Analysis and Next Steps - interesting assertion here - To achieve success, implementation must be collaborative. For example, the first attempt at extending regulatory frameworks in the wake of the 2021 Colonial Pipeline attack failed because the frameworks were reactive, created without consulting regulated companies, and overly prescriptive.
Russian Malware Developer Arrested And Extradited To The United States - Pankov developed a malicious software program named “NLBrute.” The powerful malware was capable of compromising protected computers by decrypting login credentials, such as passwords. Pankov used NLBrute to obtain the login credentials of tens of thousands of computers located all over the world. - the story behind the headline is the individual left Russia to go to Georgia and was then arrested.
Florida Cybersecurity Grant - Florida has made historic investments in cybersecurity funding, including $30 Million for a competitive grant to equip local governments with cybersecurity capabilities.
Australia plans to reform cyber security rules, set up agency - said it planned to overhaul its cyber security rules and set up an agency to oversee government investment in the field and help coordinate responses to hacker attacks.
Targeting Key Sectors, Evasion Efforts, and Military Supplies, Treasury Expands and Intensifies Sanctions Against Russia - now includes Russian disinformation service providers.
Public-Public Partnerships: Cyber Intelligence Coordination Within the Department of Homeland Security - opinion piece - To harness the specialized skills of CISA, ICE/HSI, and USSS—in addition to the expertise of enabling components like the Department of Homeland Security’s intelligence arm, the Office of Intelligence and Analysis, and its Science and Technology arm—the department should embrace the formation of “strategic intelligence hubs” within its field offices to improve safety in cyberspace for the American public.
A NATO Minnow Reels From Cyberattacks Linked to Iran - Albania the victim.
EU Council clarifies Cyber Resilience Act’s interplay with AI Act, product safety - In relation to the General Product Safety Regulation, the text clarifies that its obligations for economic operators, market surveillance provisions, enforcement, and international cooperation apply to connected devices not covered by the new cybersecurity law or other EU harmonisation legislation.
News Corp - Notice of data breach - News Corp understands that, between February 2020 and January 2022, an unauthorized party gained access to certain business documents and emails from a limited number of its personnel’s accounts in the affected system, some of which contained personal information - the sheer length of compromise is of note.
Building Effective Governance Frameworks for the Implementation of National Cybersecurity Strategies - This study is focusing on the good practices around the set-up and deployment of a governance framework to support the implementation of the NCSS in the EU. The objective is to systematically review existing governance models relevant to the deployment of a NCSS and to identify and select the most relevant instances, lessons learned, and good practices from the EU Member States. - moving beyond vision to the science of implementation
Belgium’s cyber security agency links China to attack on MP - Samuel Cogolati, a Belgian MP, was named by authorities last month as being the subject of a cyber attack around January 2021 when he wrote a resolution to warn of “crimes against humanity” against Uyghur Muslims in China.
Makings of the Market: Seven perspectives on offensive cyber capability proliferation - with input from yours truly.
SOLAR SUNRISE After 25 Years: Are We 25 Years Wiser? - In February 1998, 25 years ago this month, the United States suffered a series of cyber intrusions known as SOLAR SUNRISE that then-Deputy Secretary of Defense John Hamre called “the most organized and systematic [cyber] attack the Pentagon has seen to date.” - what have we learnt since?
What does setting the theater look like for Army Cyber Command? - Army Cyber has also recently joined with other globally focused Army units to develop a new concept it has dubbed the triad, harkening to the nuclear triad. This new concept is a partnership between Army Cyber Command, Army Special Operations Command and Army Space and Missile Defense Command to combine their unique capabilities and deliver more options to commanders in an integrated fashion.
Understanding Ransomware Using Data Science - a survivor analysis of the ransom payments for DeadBolt ransomware attacks showed that among the victims who paid, over 50% did so within 20 days, while 75% paid within 40 days.
Reflections this week stem from reading the book Restarting the Future: How to Fix the Intangible Economy, the new US cyber strategy and the EU announcing its governance framework for national strategies. All of these hint at the increasingly complex set of intangibles we are contending with in and outside of cyber. As such it is not clear if today we have the structures and capabilities at national and trans-national levels to be effective in reality. In short I think we could be rolling the 🎲, how it ends 🤷
On the interesting job/role front:
Director, Cyber Security Operations at the UK’s His Majesty’s Revenue and Customs
Research Scientist, Security at DeepMind - OK, probably one of the coolest jobs on the planet in one of the best cities right now.
Digital Frontiers Digital Development and Cybersecurity Program Director - DAI implements the $90 million USAID-funded Digital Frontiers project. This is a global impact role…
Trio of NATO Roles
Academia
Research Fellow developing a risk/resilience profile for Australia’s communication sector.
UK IC Postdoctoral Research Fellowships - Towards Antifragility is one of the topics.
Master in Cyber Policy & Strategy starts in autumn/fall 2023 at Kings College London
Doctoral Training Programme in Cyber at Queens University Belfast
Have a lovely Thursday
Ollie
Cyber threat intelligence
Who is doing what to whom and how.
Russia / Ukraine
A year of wiper attacks in Ukraine
Reporting on the evolution of the wipers used in the conflict. In short it is clear that wipers form part of the Russian standard operations handbook.
https://www.welivesecurity.com/2023/02/24/year-wiper-attacks-ukraine/
The Ghostwriter campaign as a multivector information operation
Great analysis to come out of UK academia on these Russian-originated campaigns. The duration and scale of the operations, along with the uptick immediately before and during the conflict, are of note.
Based on open-source data, Ghostwriter has impacted thousands of email users, has hacked dozens of social media accounts and media websites, published hundreds of false blogposts and other falsified content, and impersonated multiple government officials, NATO representatives and journalists in Europe
https://www.cardiff.ac.uk/__data/assets/pdf_file/0005/2699483/Ghostwriter-Report-Final.pdf
Cyber Attacks on Data Center Organizations
The initial indicators of this activity were identified in September 2021 with the victims in China and Singapore. This is really interesting due to the CNI nature of the firms involved.
[We] identified several actors in the Dark Web potentially originating from Asia; they managed to acquire access to the “customer” records and exfiltrated them from one or multiple databases related to specific applications and systems which are leveraged by several data-center organizations. In one of the cases reported to CNCERT/CC, it’s likely the initial access was gained via a vulnerable helpdesk or ticket management module having integration with other applications and systems, and based on our assessment could allow them to perform lateral movement in one of the observed episodes.
https://www.resecurity.com/blog/article/cyber-attacks-on-data-center-organizations
Materials Research Targeting
Two bits of reporting around this specific sectoral targeting. One attributed to China and one unattributed. The clustering around this sector will be of concern due to the implications in terms of military industrial complex impact.
A hitherto unknown attack group has been observed targeting a materials research organization in Asia. The group, which [we call] Clasiopa, is characterized by a distinct toolset, which includes one piece of custom malware (Backdoor.Atharvan). At present, there is no firm evidence on where Clasiopa is based or whom it acts on behalf.
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/clasiopa-materials-research
The Blackfly espionage group (aka APT41, Winnti Group, Bronze Atlas) has continued to mount attacks against targets in Asia and recently targeted two subsidiaries of an Asian conglomerate, both of which operate in the materials and composites sector, suggesting that the group may be attempting to steal intellectual property.
WinorDLL64: A backdoor from the vast Lazarus arsenal?
Vladislav Hrčka provides an update on a capability related to North Korea in this reporting. The staged payloads and the use of encryption to hide the payloads are of note.
[We] discovered one of the payloads of the Wslink downloader that we uncovered back in 2021. We named this payload WinorDLL64 based on its filename WinorDLL64.dll. Wslink, which had the filename WinorLoaderDLL64.dll, is a loader for Windows binaries that, unlike other such loaders, runs as a server and executes received modules in memory. As the wording suggests, a loader serves as a tool to load a payload, or the actual malware, onto the already compromised system. The initial Wslink compromise vector has not been identified.
https://www.welivesecurity.com/2023/02/23/winordll64-backdoor-vast-lazarus-arsenal/
"Rattlesnake" recent attack activities disclosed, aiming at domestic colleges and universities for phishing
Chinese reporting on an Indian state-attributed actor who attacked a Chinese university using rudimentary tradecraft of phishing emails, ZIP attachments and LNK files.
The attacker launched a network attack on a university in [China] through phishing emails, executing malicious code via malicious attachments in the emails. While packaging the compressed archive, the attacker left packaging artefacts behind; through those artefacts, the activity can be linked to other attack samples from the same organization.
In addition to the attacks against [China], the attackers also used template injection to deliver malicious documents and launched attacks on the Pakistani government, military and other units.
Analysis of Attack Activities of APT-C-61 (Tengyun Snake) Organization in 2022
Chinese reporting on a threat actor known to target Pakistan and Bangladesh. They appear to have adopted the full collection of email-based tradecraft, from phishing emails and OneDrive links to various combinations of attachments to bypass Mark of the Web.
Embed the short link of the OneDrive document in the email, and induce the user to click the link to download the file through the content of the email.
Similar to the DDE vulnerability document, the compressed package contains PDF and Word documents to induce users to click and execute, and then download the subsequent payload through remote template injection in the Word document.
The Tengyun Snake organization packs remote template injection documents or DDE vulnerability documents into ISO files, making the files confusing to users, increasing the credibility of the files and the probability of being executed.
Blind Eagle Deploys Fake UUE Files and Fsociety to Target Colombia's Judiciary, Financial, Public, and Law Enforcement Entities
A suspected Colombian threat actor using phishing against a wide range of targets. The breadth of the campaign across both South America and Spain is of note.
On Feb. 20, [we] witnessed a new campaign where the threat actor impersonated a Colombian government tax agency to target key industries in Colombia, including health, financial, law enforcement, immigration, and an agency in charge of peace negotiation in the country.
Based on the infector vector and payload deployment mechanism, we also uncovered campaigns targeting Ecuador, Chile, and Spain.
https://blogs.blackberry.com/en/2023/02/blind-eagle-apt-c-36-targets-colombia
BlackLotus UEFI bootkit: Myth confirmed
Martin Smolár outlines a criminal persistent implant capability which can be bought. It undermines Windows Secure Boot using a BIOS implant. The fact this is being developed and distributed within criminal networks will be a cause for concern.
we present the first public analysis of this UEFI bootkit, which is capable of running on even fully-up-to-date Windows 11 systems with UEFI Secure Boot enabled. Functionality of the bootkit and its individual features leads us to believe that we are dealing with a bootkit known as BlackLotus, the UEFI bootkit being sold on hacking forums for $5,000 since at least October 2022.
https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/
Investigating the PlugX Trojan Disguised as a Legitimate Windows Debugger Tool
Buddy Tancio, Jed Valderama and Catherine Loveria detail operational use by a Chinese state actor of further side loading supplicants.
[We] discovered that a file called x32dbg.exe was used (via the DLL Search Order Hijacking or T1574.001 technique) to sideload a malicious DLL we identified as a variant of PlugX (Trojan.Win32.KORPLUG.AJ.enc). This file is a legitimate open-source debugger tool for Windows
MQsTTang: Mustang Panda’s latest backdoor treads new ground with Qt and MQTT
Alexandre Côté Cyr details a new backdoor from China. We can expect a surge of commercial reporting now this has been outed.
[We] have analyzed MQsTTang, a new custom backdoor that we attribute to the Mustang Panda APT group. This backdoor is part of an ongoing campaign that we can trace back to early January 2023. Unlike most of the group’s malware, MQsTTang doesn’t seem to be based on existing families or publicly available projects.
We have seen unknown entities in Bulgaria and Australia in our telemetry. We also have information indicating that this campaign is targeting a governmental institution in Taiwan. However, due to the nature of the decoy filenames used, we believe that political and governmental organizations in Europe and Asia are also being targeted.
SCARLETEEL: Operation leveraging Terraform, Kubernetes, and AWS for data theft
Alberto Pellitteri shows how threat actors have adapted their tradecraft to successfully operate in a cloud environment.
The attacker exploited a containerized workload and then leveraged it to perform privilege escalation into an AWS account in order to steal proprietary software and credentials. They also attempted to pivot using a Terraform state file to other connected AWS accounts to spread their reach throughout the organization.
https://sysdig.com/blog/cloud-breach-terraform-data-theft/
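The Terraform state file pivot above is worth dwelling on: state is a plain JSON document that records every attribute Terraform knows about, secrets included, so anyone who can read it inherits whatever the resources were created with. As an added example (not Sysdig’s or HashiCorp’s code), here is a small audit of a constructed state document that lists the attributes a reader could harvest, which is exactly what you want to know before deciding where state is stored and who can reach it. The key id is a made-up AKIA-shaped string and the matching rules are deliberately simple.

```python
"""Audit a Terraform state file for material that lets a reader pivot.

Added example, not Sysdig's or HashiCorp's code. The state JSON below is
constructed (the key id is a made-up AKIA-shaped string) and the matching
rules are deliberately simple: attribute names that usually hold secrets,
values shaped like AWS access key ids, and credentials pasted into user_data.
"""
import json
import re

SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [
        {"type": "aws_iam_access_key", "name": "deploy", "instances": [{"attributes": {
            "id": "AKIAEXAMPLE000000000", "secret": "constructed-secret-value", "user": "deploy-bot"}}]},
        {"type": "aws_db_instance", "name": "app", "instances": [{"attributes": {
            "engine": "postgres", "username": "app", "password": "constructed-db-password"}}]},
        {"type": "aws_s3_bucket", "name": "logs", "instances": [{"attributes": {
            "bucket": "constructed-logs-bucket", "arn": "arn:aws:s3:::constructed-logs-bucket"}}]},
        {"type": "aws_instance", "name": "web", "instances": [{"attributes": {
            "id": "i-0123456789abcdef0",
            "user_data": "#!/bin/sh\nexport API_TOKEN=constructed-token\n",
            "tags": {"Name": "web"}}}]},
    ],
})

SENSITIVE_NAME = re.compile(r"password|secret|private_key|token|api_key|access_key", re.I)
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
EMBEDDED_CRED = re.compile(r"(?:token|password|secret)\s*=", re.I)


def walk(obj, path=()):
    """Yield (path, leaf value) for every scalar in a nested attributes structure."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from walk(value, path + (key,))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from walk(value, path + (str(i),))
    else:
        yield path, obj


def audit_state(state_json):
    """Return (resource address, attribute path, reasons) for each suspicious attribute."""
    state = json.loads(state_json)
    findings = []
    for res in state.get("resources", []):
        address = f'{res["type"]}.{res["name"]}'
        for inst in res.get("instances", []):
            for path, value in walk(inst.get("attributes", {})):
                key = path[-1]
                reasons = []
                if SENSITIVE_NAME.search(key):
                    reasons.append("sensitive-attribute-name")
                if isinstance(value, str) and ACCESS_KEY_ID.search(value):
                    reasons.append("aws-access-key-id")
                if key == "user_data" and isinstance(value, str) and EMBEDDED_CRED.search(value):
                    reasons.append("credential-in-user-data")
                if reasons:
                    findings.append((address, ".".join(path), reasons))
    return findings


if __name__ == "__main__":
    for address, attr, reasons in audit_state(SAMPLE_STATE):
        print(f"{address}: {attr} [{', '.join(reasons)}]")
```

Run against real state exported with `terraform state pull`, the same walk shows how much of your estate a single leaked file describes; the usual answer is to keep state in an encrypted, access-controlled backend and to rotate anything the audit surfaces rather than trying to scrub it from history.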
RIG Exploit Kit: In-Depth Analysis
This vendor continues to go to places in threat actor infrastructure where others can’t. The insight gained is again explosive.
The exploits of RIG EK are delivered to unsuspecting victims in two ways. Either via malvertising, where users are redirected to online advertising pages that are tricked to execute the RIG exploits on their browser. Or when they visit sites that were compromised and the exploit kit’s javascript was injected. In either way, the users hardly ever notice that anything malignant has ever occurred on their systems and go on with their daily browsing activities. Due to the very limited interaction and non-disrupting nature of this process, this technique can be deemed T1189, Drive-by Compromise
https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf
Lazarus attack group attack case using public certificate software vulnerability widely used in public institutions and universities
South Korean reporting on an event which happened in October/November last year. The fact that North Korea are throwing around zero-days evidences once again their R&D capabilities. Combined with further reporting on their anti-forensics, we have a deliciously horrible combination.
Lateral movement using the 0-Day vulnerability of company A’s accredited certificate program
Incapacitating antivirus via BYOVD attack
Anti-forensics
timestamp manipulation
Randomly change the file name and delete it
Deleting execution artifacts
Use the same file name as the system file name
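Two of the anti-forensics items in that list leave traces you can check per file, so here is an added example (not from the ASEC report) that does so over constructed NTFS metadata records: timestamp manipulation normally rewrites the $STANDARD_INFORMATION timestamps that user-mode APIs expose but not the $FILE_NAME ones the kernel maintains, and reusing a system file name puts a well-known binary name in a directory it does not belong in. The field names and the lists of system directories and names are this example’s own.

```python
"""Flag anti-forensics indicators in NTFS file metadata.

Added example, not from the ASEC report. Two of the listed techniques leave
checkable traces: timestamp manipulation usually rewrites the
$STANDARD_INFORMATION (SI) timestamps but not the $FILE_NAME (FN) ones, and
reusing a system file name puts a well-known binary name outside the
directories it belongs in. The records below are constructed; the field
names and the lists of system directories and names are this example's own.
"""
from datetime import datetime, timezone
from pathlib import PureWindowsPath

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "conhost.exe", "wermgr.exe"}


def ts(text):
    """Parse an ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


# Constructed $MFT-style records: path plus SI and FN creation times.
RECORDS = [
    {"path": r"C:\Windows\System32\svchost.exe",
     "si_created": ts("2021-06-10T09:12:33.412345"), "fn_created": ts("2021-06-10T09:12:33.412345")},
    {"path": r"C:\ProgramData\Cache\svchost.exe",
     "si_created": ts("2019-03-19T04:05:00"), "fn_created": ts("2022-10-27T14:01:02.771033")},
    {"path": r"C:\Users\Public\report.pdf",
     "si_created": ts("2022-10-27T14:03:10.090001"), "fn_created": ts("2022-10-27T14:03:10.090001")},
]


def check_record(rec):
    """Return the list of indicator names that apply to one record."""
    flags = []
    path = PureWindowsPath(rec["path"])
    si, fn = rec["si_created"], rec["fn_created"]
    if si < fn:
        flags.append("si-created-before-fn")        # FN is set by the kernel; SI was backdated past it
    if si.microsecond == 0 and fn.microsecond != 0:
        flags.append("si-subsecond-zeroed")         # user-mode time setters often write whole seconds
    if path.name.lower() in SYSTEM_NAMES and str(path.parent).lower() not in SYSTEM_DIRS:
        flags.append("system-name-outside-system-dir")
    return flags


def scan(records):
    """Map path -> indicators for every record that has at least one."""
    findings = {}
    for rec in records:
        flags = check_record(rec)
        if flags:
            findings[rec["path"]] = flags
    return findings


if __name__ == "__main__":
    for path, flags in scan(RECORDS).items():
        print(path, "->", ", ".join(flags))
```

Treat these as triage indicators rather than proof: $FILE_NAME timestamps are refreshed when a file is renamed or moved, and zeroed sub-seconds also appear on files copied in from FAT volumes, so a hit is a reason to pull the full record, not a verdict on its own.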
Analysis Of Recent Phishing Attacks Against The Indian Government By The APT Organization Sidecopy
Chinese reporting on a Pakistani threat actor. Once again really rudimentary tradecraft.
[We] detected a malicious macro document named "Cyber Advisory 2023.docm" (Network Security Notice 2023). After analysis, it was confirmed that the document was delivered by SideCopy, an APT organization in Pakistan. The purpose is to lure the target to open it for reading and download the ReverseRAT Trojan horse at the same time, so as to receive C&C instructions for stealing activities.
TA569: SocGholish and Beyond
Andrew Northern discusses this criminal threat actor highlighting the complexity and capability of the distribution supply chain.
TA569 leverages many types of injections, traffic distribution systems (TDS), and payloads including, but not limited to, SocGholish.
In addition to serving as an initial access broker, these additional injects imply TA569 may be running a pay-per-install (PPI) service
TA569 may remove injections from compromised websites only to later re-add them to the same websites.
https://www.proofpoint.com/us/blog/threat-insight/ta569-socgholish-and-beyond
PureCrypter targets government entities through Discord
Abhay Yadav details a threat actor who looks to be of a certain vintage (who uses FTP in 2023?).
[We uncovered] an unknown threat actor that’s leveraging an evasive threat campaign distributed via Discord that features the PureCrypter downloader and targets government entities. The PureCrypter campaign uses the domain of a compromised non-profit organization as a Command and Control (C2) to deliver a secondary payload. The campaign was found to have delivered several types of malware including Redline Stealer, AgentTesla, Eternity, Blackmoon and Philadelphia Ransomware.
https://www.menlosecurity.com/blog/purecrypter-targets-government-entities-through-discord/
Multilingual skimmer fingerprints 'secret shoppers' via Cloudflare endpoint API
Jérôme Segura details how criminals are creating a GDPR compliance headache for themselves.
We recently spotted a Magecart skimmer that collects the current victim's IP address and browser user-agent in addition to their email, address, phone number and credit card data. Because the victim already filled in their home address, we believe this is a fingerprinting effort much like what is done in traditional malware campaigns.
Twice around the dance floor - PIPEDANCE backdoor
Daniel Stepanic details a new Windows implant which in time will be interesting to see where it pops up.
[We] identified PIPEDANCE, a previously unknown Windows backdoor used to enable post-compromise and lateral movement activities
Built for stealthy operations through named pipes, PIPEDANCE employs capabilities for interactive terminals, discovery/file enumeration, process injection, and data exfiltration checks
PIPEDANCE was observed deploying Cobalt Strike
By leveraging PIPEDANCE, the adversary is able to:
Disguise activity through a custom function that randomly injects into a hard-coded list of Windows programs
Perform discovery by enumerating files and processes
Leverage standard backdoor capabilities such as running commands, writing files
Check different network protocols for exfiltration
Launch additional payloads through process injection techniques
https://www.elastic.co/security-labs/twice-around-the-dance-floor-with-pipedance
EXFILTRATOR-22 - An Emerging Post-Exploitation Framework
A new post-compromise framework which is in places ‘sophisticated’. The growing number of these frameworks is an interesting trend. They are often developed by a single developer who can make a decent income as a result, so we can expect more of these.
[A] preliminary analysis of a new post-exploitation framework called EXFILTRATOR-22 a.k.a. EX-22. After analyzing the available information, it is moderately certain that the individuals responsible for creating the malware are operating from North, East, or South-East Asia (possible countries include China, Taiwan, Hong Kong, Malaysia, Singapore, Philippines, etc.). These individuals possess a thorough knowledge of defense evasion and anti-analysis techniques.
They have utilized leaked source code from post-exploitation frameworks to develop their own post-exploitation-framework-as-a-service model.
https://www.cyfirma.com/outofband/exfiltrator-22-an-emerging-post-exploitation-framework/
Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting
Daniel Lunghi details a Chinese threat actor (unhelpfully Iron Tiger is used by different vendors to reference China and Iran - this one is China). Anyway their Windows capability continues to evolve and there is a new Linux capability on the scene.
Iron Tiger is an advanced persistent threat (APT) group that has been focused primarily on cyberespionage for more than a decade. In 2022, we noticed that they updated SysUpdate, one of their custom malware families, to include new features and add malware infection support for the Linux platform.
While investigating SysUpdate’s infrastructure, we found some ELF files linked to some C&C servers. We analyzed them and concluded that the files were a SysUpdate version made for the Linux platform. The ELF samples were also written in C++, made use of the Asio library, shared common network encryption keys, and had many similar features.
https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html
R3NIN Sniffer Toolkit – An Evolving Threat to E-commerce Consumers
A rapidly evolving skimmer toolkit here to keep an eye on. Again goes back to the single developer point made above.
The sniffer toolkit is offered for an introductory price of USD 1,500 but was later revised to a pricing range of USD 3,000 to USD 4,500.
On January 13, 2023, version 1.1 was released, which included improved functionalities for better Cross-Origin Resource Sharing (CORS) bypass and added a new functionality, ‘Extractor’.
On January 15, version 1.2 was released, which included features to fully obfuscate malicious scripts and hide URLs of the Command and Control (C&C) server.
On January 26, another update was announced for adding a keylogger in the sniffer module that can log inputs from multiple input fields, i.e., ‘inputs’, ‘selects’, ‘textareas’, in a compromised website.
On January 30, support for the inline frame (iFrame) in the existing sniffer module was introduced.
https://blog.cyble.com/2023/02/28/r3nin-sniffer-toolkit-an-evolving-threat-to-e-commerce-consumers/
Technical Analysis of Rhadamanthys Obfuscation Techniques
Nikolaos Pantazopoulos and Sarthak Misraa show what one person is able to produce in the stealer space. The encryption mistake that allows network traffic decryption is of note.
Rhadamanthys is an information stealer that consists of two components, the loader and the main module (responsible for exfiltrating collected credentials).
The malware implements complex anti-analysis techniques by using a public open source library.
Rhadamanthys is capable of extracting credentials of various applications such as Keepass and cryptocurrency wallets.
One of the detected loaders uses a virtual machine (based on Quake III) in order to protect several parts of its code.
Rhadamanthys uses a variation of the Hidden Bee format, which has been already described to a great extent by Malwarebytes.
Rhadamanthys has its own file system, which includes an additional set of embedded modules.
Both the loader and the main module network communications can be decrypted due to an implementation flaw in their code.
Discovery
How we find and understand the latent compromises within our environments.
Detecting Cobalt Strike Fork&Run
Yasser Alhazmi outlines a really quite lovely detection based on a pattern of behaviours. The beauty of combining these weak signals is so elegant.
This sequence of events can be translated into the following detection
// P1: beacon process
// P2: sacrificial child process
// NP1: Named pipe created for inter-process communication
Sequence of events
Process P1 Creates Child Process P2
Process P1 Access Process P2
Process P2 Creates named pipe NP1
Process P1 Connects to NP1
Process P1 connects to an external IP address
Note that the time window and sequence are key factors here. The entire chain occurs in less than five seconds and always occurs in the same sequence.
https://blog.yaxser.io/blue/detecting-cobalt-strike-fork-and-run
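The five-step sequence above, turned into a small detector as an added example (not Yasser’s code): it replays constructed process, named-pipe and network events that loosely mimic Sysmon fields, matches the steps in order for each parent/child pair, and only fires when the whole chain completes inside the five-second window and the final connection is to a non-internal address. The event kinds, field names and the list of internal networks are assumptions of this example.

```python
"""Detect the Cobalt Strike fork-and-run event sequence.

Added example, not code from the original write-up. Events are constructed
to loosely resemble Sysmon telemetry (process create/access, named pipe
create/connect, network connect); the field names are this example's own.
"""
import ipaddress
from dataclasses import dataclass

WINDOW_SECONDS = 5.0  # the write-up notes the whole chain completes in under five seconds

# This example's own notion of "internal": RFC 1918, loopback and link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


@dataclass(frozen=True)
class Event:
    ts: float              # seconds since epoch
    kind: str              # process_create | process_access | pipe_create | pipe_connect | net_connect
    pid: int               # acting process
    target_pid: int = 0    # for process_create / process_access
    pipe: str = ""         # for pipe_create / pipe_connect
    remote_ip: str = ""    # for net_connect


def is_external(ip):
    """True when the destination is outside the internal ranges above (the beacon's C2 check-in)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def detect_fork_and_run(events, window=WINDOW_SECONDS):
    """Return (beacon_pid, child_pid, pipe, remote_ip, elapsed) for each complete chain.

    Each process_create opens a candidate (P1 creates P2); the remaining steps
    must then appear in order, attributed to the right process, within `window`.
    """
    events = sorted(events, key=lambda e: e.ts)
    hits = []
    for start in (e for e in events if e.kind == "process_create"):
        p1, p2, t0 = start.pid, start.target_pid, start.ts
        stage, pipe = 1, None
        for e in events:
            if e.ts < t0:
                continue
            if e.ts - t0 > window:
                break                      # chain took too long: not this pattern
            if stage == 1 and e.kind == "process_access" and (e.pid, e.target_pid) == (p1, p2):
                stage = 2                  # P1 opens a handle to P2
            elif stage == 2 and e.kind == "pipe_create" and e.pid == p2:
                stage, pipe = 3, e.pipe    # P2 creates the post-ex named pipe
            elif stage == 3 and e.kind == "pipe_connect" and e.pid == p1 and e.pipe == pipe:
                stage = 4                  # P1 connects to that pipe
            elif stage == 4 and e.kind == "net_connect" and e.pid == p1 and is_external(e.remote_ip):
                hits.append((p1, p2, pipe, e.remote_ip, round(e.ts - t0, 3)))
                break                      # P1 ships the result out: full chain seen
    return hits


# Constructed sample telemetry: one real chain, one internal-only lookalike, one chain too slow.
SAMPLE_EVENTS = [
    Event(1000.0, "process_create", 4120, target_pid=5200),
    Event(1000.2, "process_access", 4120, target_pid=5200),
    Event(1000.5, "pipe_create", 5200, pipe=r"\\.\pipe\postex_1a2b"),
    Event(1000.7, "pipe_connect", 4120, pipe=r"\\.\pipe\postex_1a2b"),
    Event(1001.2, "net_connect", 4120, remote_ip="203.0.113.10"),
    Event(2000.0, "process_create", 700, target_pid=710),
    Event(2000.1, "process_access", 700, target_pid=710),
    Event(2000.3, "pipe_create", 710, pipe=r"\\.\pipe\svcctl_local"),
    Event(2000.4, "pipe_connect", 700, pipe=r"\\.\pipe\svcctl_local"),
    Event(2000.9, "net_connect", 700, remote_ip="10.0.0.5"),       # internal destination: ignored
    Event(3000.0, "process_create", 900, target_pid=910),
    Event(3000.5, "process_access", 900, target_pid=910),
    Event(3001.0, "pipe_create", 910, pipe=r"\\.\pipe\slow"),
    Event(3003.0, "pipe_connect", 900, pipe=r"\\.\pipe\slow"),
    Event(3007.0, "net_connect", 900, remote_ip="198.51.100.7"),   # seven seconds: outside the window
]

if __name__ == "__main__":
    for hit in detect_fork_and_run(SAMPLE_EVENTS):
        print("fork-and-run chain:", hit)
```

The window is doing real work: widening it to ten seconds makes the slow third chain fire too, which is the trade-off between catching a beacon on a busy host and drowning in legitimate parent/child pipe traffic. Tune it against your own telemetry latency before relying on it.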
TelemetrySource
Jonathan Johnson created a map of the functions responsible for triggering events from various telemetry sources. A really useful resource.
https://github.com/jsecurity101/TelemetrySource
Defence
How we proactively defend our environments.
Decider
From CISA with 💖
A web application that assists network defenders, analysts, and researchers in the process of mapping adversary behaviors to the MITRE ATT&CK® framework.
https://github.com/cisagov/decider
STARS
Artur Marzano provides a capability to catch holdover cloud infrastructure which would present a challenge if exploited.
⭐ STARS ⭐ is a multi-cloud DNS record scanner that aims to help cybersecurity/IT analysts identify dangling CNAME records in their cloud DNS services that could possibly lead to subdomain takeover scenarios.
https://github.com/Macmod/STARS
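To make the dangling CNAME problem concrete, here is an added example (not STARS’ own code) that walks a constructed zone export, follows each CNAME chain and reports the ones that end in NXDOMAIN, separating targets on services where any tenant can claim a free name from plain dead records. The zone, the canned resolver answers and the list of cloud suffixes are all this example’s own; in practice `lookup` would call a real resolver.

```python
"""Find dangling CNAME records in a DNS zone export.

Added example, not STARS' own code. The zone records and the resolver
answers below are constructed so the check runs offline; in use, `lookup`
would call a real resolver. A CNAME whose chain ends in NXDOMAIN is
dangling; when the target sits on a cloud service that hands out names on
demand it is a takeover candidate and should be removed or re-claimed.
"""

# Constructed zone: (owner, type, value); trailing dots as in a zone file.
ZONE = [
    ("www.example.com.", "CNAME", "example-prod.azurewebsites.net."),
    ("blog.example.com.", "CNAME", "old-blog.s3-website-us-east-1.amazonaws.com."),
    ("api.example.com.", "A", "203.0.113.20"),
    ("cdn.example.com.", "CNAME", "d111111abcdef8.cloudfront.net."),
    ("legacy.example.com.", "CNAME", "mid.example.com."),
    ("mid.example.com.", "CNAME", "retired-app.herokuapp.com."),
    ("ftp.example.com.", "CNAME", "ftp.oldvendor.example."),
]

# Constructed resolver answers: address list, or None to stand for NXDOMAIN.
ANSWERS = {
    "example-prod.azurewebsites.net.": ["203.0.113.30"],
    "old-blog.s3-website-us-east-1.amazonaws.com.": None,   # bucket deleted
    "d111111abcdef8.cloudfront.net.": ["203.0.113.40"],
    "retired-app.herokuapp.com.": None,                       # app torn down
    "ftp.oldvendor.example.": None,                           # vendor gone, not a cloud tenant name
}

# Suffixes of services where an unclaimed name can be registered by any tenant (example's own list).
CLOUD_SUFFIXES = (".azurewebsites.net.", ".amazonaws.com.", ".cloudfront.net.", ".herokuapp.com.")


def lookup(name):
    """Stand-in resolver: returns addresses, or None when the name does not exist."""
    return ANSWERS.get(name)


def resolve_chain(name, cnames, resolver, max_depth=8):
    """Follow CNAMEs inside the zone from `name`; return (final target, addresses or None)."""
    seen = set()
    current = name
    for _ in range(max_depth):
        if current not in cnames:
            return current, resolver(current)   # left the zone (or hit a non-CNAME): resolve it
        if current in seen:
            return current, None                # CNAME loop: treat as unresolvable
        seen.add(current)
        current = cnames[current]
    return current, None                        # chain too long: treat as unresolvable


def find_dangling(zone, resolver=lookup):
    """Return (owner, final target, risk) for every CNAME whose chain fails to resolve."""
    cnames = {owner: value for owner, rtype, value in zone if rtype == "CNAME"}
    findings = []
    for owner in cnames:
        target, addrs = resolve_chain(owner, cnames, resolver)
        if addrs is None:
            risk = "takeover-candidate" if target.endswith(CLOUD_SUFFIXES) else "dangling"
            findings.append((owner, target, risk))
    return findings


if __name__ == "__main__":
    for owner, target, risk in find_dangling(ZONE):
        print(f"{risk:19} {owner} -> {target}")
```

Note the chained case: both `legacy` and `mid` are reported because they share the dead target, and both need fixing. An NXDOMAIN answer is a necessary but not sufficient condition for takeover, so the "takeover-candidate" label is a prioritisation hint; the remediation is the same either way, delete the record or re-provision the target under your own control.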
Evasion-Escaper
Veli Tekin provides a work aid for those contending with sandbox-evading malware at scale.
The primary objective of this project is to evade the various checks that malicious software employs to identify if it's running in a virtual environment or sandbox, and to pass all such checks with success. To accomplish this, a novel approach has been adopted that leverages a DLL to effortlessly track the DLLs loaded on the system, access their addresses, and modify them as required. As a reference and test case, "Al-Khaser by LordNoteworthy" has been utilized. The ultimate goal of this project is to overcome the controls that malicious software implements in a sandbox or virtual machine environment to conceal its malicious activities.
https://github.com/vvelitkn/Evasion-Escaper
Vulnerability
Our attack surface.
All on 🔥 as per normal
Offense
Attack capability, techniques and trade-craft.
MemFiles: A CobaltStrike toolkit to write files produced by Beacon to memory instead of disk
Alex Reid provides an anti-forensics capability to CobaltStrike users. It will be interesting to see how widely this gets deployed.
MemFiles is a toolkit for CobaltStrike that enables Operators to write files produced by the Beacon process into memory, rather than writing them to disk on the target system. It has been successfully tested on Windows 7, 10, and 11; corresponding server versions should work without issue. MemFiles is restricted to x64 Beacons.
It accomplishes this by hooking several different NtAPI's within NTDLL.dll and redirecting calls to those API's to functions that have been injected into the Beacon process memory space.
https://github.com/Octoberfest7/MemFiles
Kraken: a modular multi-language webshell
In use by your favourite threat actors in 3..2..
PHP (php):
5.4, 5.5, 5.6
7.0, 7.1, 7.2, 7.3, 7.4
8.0, 8.1, 8.2
JAVA (jsp):
6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17
.NET (aspx):
3.5
4.0
4.5, 4.5.1, 4.5.2
4.6, 4.6.1, 4.6.2
4.7, 4.7.1, 4.7.2
4.8
https://github.com/kraken-ng/Kraken
AtomLdr: A DLL loader with advanced evasive features
From a Lebanese researcher, which is interesting in and of itself.
CRT library independent.
The final DLL file can run the payload by loading the DLL (executing its entry point), or by executing the exported "Atom" function via the command line.
DLL unhooking from \KnownDlls\ directory, with no RWX sections.
The encrypted payload is saved in the resource section and retrieved via custom code.
AES256-CBC Payload encryption using custom no table/data-dependent branches using ctaes; this is one of the best custom AES implementations I've encountered.
Aes Key & Iv Encryption.
Indirect syscalls, utilizing HellHall with ROP gadgets (for the unhooking part).
Payload injection using APC calls - alertable thread.
Payload execution using APC - alertable thread.
Api hashing using two different implementations of the CRC32 string hashing algorithm.
The total size is 17kb + payload size (multiple of 16).
https://github.com/NUL0x4C/AtomLdr
BreakChain: Breaks parent / child relationships on Windows
Grzegorz Tworek provides a capability which results in werfault.exe being the parent - something to build some detections around.
Simple PoC for self-breaking own parent-child process chain
https://github.com/gtworek/PSBits/blob/master/Misc/BreakChain.c
bootlicker: A generic UEFI bootkit
An open source project which will likely be repurposed by others.
bootlicker is a legacy, extensible UEFI firmware rootkit targeting vmware hypervisor virtual machines. It is designed to achieve initial code execution within the context of the windows kernel, regardless of security settings configured.
https://github.com/realoriginal/bootlicker
Exploitation
What is being exploited.
Threat Actors Targeting ManageEngine Exploit CVE-2022-47966
No surprise, but worth paying attention to.
Starting on January 20 2023, [We] started to notice a global increase in attacks using the ManageEngine exploit CVE-2022-47966. This Remote Code Execution (RCE) vulnerability (CVSSv3 critical score 9.8) allows full takeover of the compromised system by unauthenticated threat actors. A total of 24 different products from Zoho ManageEngine are vulnerable.
https://businessinsights.bitdefender.com/tech-advisory-manageengine-cve-2022-47966
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
Vectorized Emulation
Hardware accelerated taint tracking at 2 trillion instructions per second - this whole series by Brandon Falk from 4/5 years ago is exquisite.
https://gamozolabs.github.io/fuzzing/2018/10/14/vectorized_emulation.html
https://gamozolabs.github.io/fuzzing/2018/11/19/vectorized_emulation_mmu.html
https://gamozolabs.github.io/fuzzing/2019/10/07/vectorized_emulation_condbranch.html
A tale of Phobos - how we almost cracked a ransomware using CUDA
Jarosław Jedynak and Michał Praszmo from the Polish CERT show how close a practical decryptor came. Either way great research and kudos for sharing what didn’t work and why as much as what did.
For the past two years we've been tinkering with a proof-of-concept decryptor for the Phobos family ransomware. It works, but is impractical to use for reasons we'll explain here. Consequently, we've been unable to use it to help a real-world victim so far. We've decided to publish our findings and tools, in hope that someone will find it useful, interesting or will continue our research. We will describe the vulnerability, and how we improved our decryptor computational complexity and performance to reach an almost practical implementation.
https://cert.pl/en/posts/2023/02/breaking-phobos/
pe-bear 0.6.5: various new features and bug fixes
Hasherezade has issued a new release of this wonderful tool.
updated Capstone (switched to the active branch next)
added a wizard for adding imports
added undo for resize operations
show all the matched signatures in the General Panel (not only one of them)
load signatures from the current directory, as well as from User Data Directory (UDD)
added filtering to signatures listing window
allow to export disassembly of the section into a file
allow to dump sections, or export disassembly from all opened files at once
show info about the atypical PE features as a tool-tip in a tree view
https://github.com/hasherezade/pe-bear/releases/
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
2023 Global Threat Report - Throughout 2022, cloud-conscious actors primarily obtained initial access to the cloud by using existing, valid accounts, resetting passwords or placing webshells or reverse shells for persistence after exploiting public-facing applications such as web servers
2022 Annual Report - 2022 was the year of “as-a-service”, as we identified the presence of new phishing-as-a-service (PaaS) offerings in the threat landscape, the continued success of the ransomware-as-a-service (RaaS) model, and the development and use of new strains of malware-as-a-service (MaaS) offerings.
Meta’s Adversarial Threat Report, Fourth Quarter 2022 - We took down three CIB networks — in Serbia, Cuba and Bolivia — targeting people in their own countries across many services across the internet and linked to governments or ruling parties in each state.
NSA Releases Best Practices For Securing Your Home Network - "Spearphishing, malicious ads, email attachments, and untrusted applications can present concerns for home internet users. NSA not only shows teleworkers how to secure their home networks, but also provides tips for staying safe online."
Exploring the Economics of Social Network Account Hijacking - an active malware distribution campaign that abuses social media by taking over users’ Facebook and YouTube accounts. Once in control of the compromised accounts, the malware uses them to boost view counts on social media.
What is Synthetic Data? The Good, the Bad, and the Ugly - When it comes to privacy, it is unlikely that synthetic data will provide a silver bullet to sanitize sensitive data or safely share confidential information across the board. Instead, there could be specific use cases where training a generative model provides better flexibility and privacy protection than the alternatives.
This newsletter is produced by BinaryFirefly, it is via BinaryFirefly I support a hand picked set of organisations across investment, strategy and capability in the domain of cyber.
For sponsorship enquiries regarding Bluepurple or anything else contact hello@binaryfirefly.com.