Cyber Defence Analysis for Blue & Purple Teams

Bluepurple Pulse: week ending May 1st

If this analysis was TLP RED everyone would read it..

Ollie
May 1, 2022

bluepurple.binaryfirefly.com
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading).

It is a long analysis this week - apologies - a lot of valuable information has been shared and thus needed to be included.

Operationally nothing really stood out this week, but the general tempo of actor activity does feel high across the board. The recent events around organised crime (i.e. doxings, arrests, indictments), along with ongoing geopolitical interventions against state actors, don’t appear to have materially caused a slowdown as yet.

In the high-level this week:

  • The US is offering $10 million for information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, conducts malicious cyber activity against Critical National Infrastructure.

  • In the UK the call for reform of the over 30 year old Computer Misuse Act has moved to Parliament primetime - there was a debate held which was recorded along with press coverage.

  • U.S.-China Technological “Decoupling”: A Strategy and Policy Framework - A partial “decoupling” of U.S. and Chinese technology ecosystems is well underway. Without a clear strategy, Washington risks doing too little or—more likely—too much to curb technological interdependence. A good summary of the challenge on when too much science & technology decoupling can become damaging for a variety of trade, influence and other national interests. Fine line here..

  • UK and India commit to a cyber partnership - both via a statement and further news coverage. This can be seen as a defence against the likes of China and, I suspect, a way to ensure that India’s tech sector doesn’t spawn a hundred NSO Groups.

  • US DOE Announces $12 Million (for academic research) to Enhance Cybersecurity of America's Energy Systems - lots of comments on how relatively little this is in US terms.

  • CISA adds seven known exploited vulnerabilities to its catalogue - the remediation clock starts ticking for the US federal agencies bound by it, and everyone else should treat the list as a priority queue too.

  • Netherlands proposes a law change to allow its NCSC-NL to share information more widely with non-government, non-critical infrastructure organisations. This is a shift for the Dutch and a good move.

  • A French hospital was compromised by a criminal group, per this high-level French-language alert.

I’ve just finished the book Team of Teams by General Stanley McChrystal, which I enjoyed for a management book. In it he talks about resilience thinking as a response to complexity (which he stresses should not be confused with the merely complicated - a valid point). He describes how managers should accept that they will inevitably have to contend with unpredictable threats. Rather than erect strong and specialized defences, they design systems which, as he says, “can roll with the punches”. He then goes on to describe anti-fragile systems as outlined by Nassim Nicholas Taleb in his book Antifragile. The concept is similar to what Netflix taught us with Chaos Engineering and, latterly, what Security Chaos Engineering introduced. I share this pearl because the strong and specialized defences model reflects where cyber is today for lots of organisations, as opposed to organisations which are resilient to the unpredictable. We have a way to go, but cyber isn’t a snowflake.

Have a lovely Sunday

Ollie

Cyber threat intelligence

Who is doing what to whom and how.

Ukraine

Most of the reporting this week was around Industroyer2.

INDUSTROYER.V2: Old Malware Learns New Tricks

Reporting by Daniel Kapellmann Zafra, Raymond Leong, Chris Sistrunk, Ken Proska, Corey Hildebrandt, Keith Lunden and Nathan Brubaker which shows how an originally highly customised tool is morphing into a configurable framework for effects against energy systems.

INDUSTROYER.V2 is similar to its predecessor, however this variant contains more targeted functionality. Unlike the original INDUSTROYER, which was a framework that leveraged external modules to implement four different OT protocols, this variant is self-contained and only implements the IEC 60870-5-104 (IEC-104) communications protocol. IEC-104 is used for power system monitoring and control over TCP and is mainly implemented in Europe and the Middle East.

Most importantly, the new malware variant enables the actor to embed customized configurations that modify the malware’s behavior to specific intelligent electronic devices (IEDs) (e.g., protection relays, merging units, etc.) within the target environment. The design change to embed custom configurations in INDUSTROYER.V2 reduces the effort required by the actor to reproduce the attack against different victim environments and enables the actor to contain the impact to specific targeted IEDs.

https://www.mandiant.com/resources/industroyer-v2-old-malware-new-tricks

Industroyer2 in Perspective

Analysis by Joe Slowik of both the technical and non-technical implications of this effects campaign.

Overall, the evolution of operations in Russia’s invasion of Ukraine show that many assumptions surrounding the use of cyber capabilities as part of a conventional conflict require revision – but at the same time, we should also note that cyber has been far from absent as part of hostilities. While paling in comparison to Russia’s physical brutality, cyber operations appear to form a continuing area of interest and investment for Russia in attempting to achieve its goals in Ukraine.

https://pylos.co/2022/04/23/industroyer2-in-perspective/

Industroyer2 IEC-104 Analysis

Erik Hjelmvik provides further analysis but importantly includes the PCAPs of the network traffic.

Upon popular demand we've decided to release three PCAP files with IEC-104 traffic from our own sandbox execution of the Industroyer2 malware. Please feel free to use these capture files to verify our findings using any tool of your choice.

https://www.netresec.com/?page=Blog&month=2022-04&post=Industroyer2-IEC-104-Analysis
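Both the Mandiant summary and the Netresec PCAPs above come down to what is on the wire: IEC-104 APDUs carrying control ASDUs (single and double commands) towards IEDs. The parser below is an added example, not code from Mandiant, ESET or Netresec, and it works on a constructed byte stream rather than the released PCAPs; the common address (1) and the IOAs (12345, 12346) are assumptions, not values from the real captures. The shape it decodes, a STARTDT then select/execute command pairs with cause of transmission 6 (activation), is the signal a defender wants to alert on when it comes from anything other than the SCADA master.

```python
"""Minimal IEC 60870-5-104 APDU parser plus a control-command extractor.

Added example; not the code of any report cited in this newsletter.  The
sample stream is constructed; common address and IOAs are made-up values.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

START_BYTE = 0x68
C_SC_NA_1 = 45            # single command (ASDU type 45)
C_DC_NA_1 = 46            # double command (ASDU type 46)
COMMAND_TYPES = {C_SC_NA_1: 1, C_DC_NA_1: 1}   # type id -> information element length


@dataclass
class Asdu:
    type_id: int
    cot: int                      # cause of transmission, low 6 bits (6 = activation)
    common_addr: int              # common address of ASDU (station)
    objects: List[Tuple[Optional[int], bytes]] = field(default_factory=list)  # (IOA, element)


@dataclass
class Apdu:
    frame_type: str               # 'I' (data), 'S' (supervisory) or 'U' (unnumbered)
    send_seq: int
    recv_seq: int
    asdu: Optional[Asdu] = None


def parse_asdu(buf: bytes) -> Asdu:
    """Decode the ASDU header and, for command types we know, each information object."""
    type_id, vsq = buf[0], buf[1]
    cot = buf[2] & 0x3F           # bit 6 = negative confirm, bit 7 = test flag
    common_addr = int.from_bytes(buf[4:6], "little")
    asdu = Asdu(type_id, cot, common_addr)
    elem_len = COMMAND_TYPES.get(type_id)
    if elem_len is None or vsq & 0x80:      # unknown type, or SQ=1 sequence layout: keep raw
        asdu.objects.append((None, buf[6:]))
        return asdu
    pos = 6
    for _ in range(vsq & 0x7F):             # number of information objects
        ioa = int.from_bytes(buf[pos:pos + 3], "little")   # 3-byte information object address
        asdu.objects.append((ioa, buf[pos + 3:pos + 3 + elem_len]))
        pos += 3 + elem_len
    return asdu


def parse_apdus(stream: bytes) -> List[Apdu]:
    """Split a TCP byte stream into APDUs (APCI = 0x68, length, 4 control octets)."""
    apdus, pos = [], 0
    while pos + 2 <= len(stream):
        if stream[pos] != START_BYTE:
            raise ValueError(f"expected start byte 0x68 at offset {pos}")
        length = stream[pos + 1]            # octets following the length field
        apdu = stream[pos + 2:pos + 2 + length]
        if len(apdu) != length:
            raise ValueError(f"truncated APDU at offset {pos}")
        c1, c2, c3, c4 = apdu[:4]
        if c1 & 0x01 == 0:
            ftype = "I"
        elif c1 & 0x03 == 0x01:
            ftype = "S"
        else:
            ftype = "U"
        send_seq = ((c1 >> 1) | (c2 << 7)) if ftype == "I" else 0
        recv_seq = ((c3 >> 1) | (c4 << 7)) if ftype != "U" else 0
        asdu = parse_asdu(apdu[4:]) if ftype == "I" else None
        apdus.append(Apdu(ftype, send_seq, recv_seq, asdu))
        pos += 2 + length
    return apdus


def control_commands(apdus: List[Apdu]) -> List[Tuple[int, str, str]]:
    """Return (IOA, on/off, select/execute) for every single or double command seen."""
    cmds = []
    for a in apdus:
        if a.asdu is None or a.asdu.type_id not in COMMAND_TYPES:
            continue
        for ioa, elem in a.asdu.objects:
            qual = elem[0]
            phase = "select" if qual & 0x80 else "execute"      # S/E bit
            if a.asdu.type_id == C_SC_NA_1:
                state = "on" if qual & 0x01 else "off"          # SCS bit
            else:
                state = {1: "off", 2: "on"}.get(qual & 0x03, "invalid")   # DCS bits
            cmds.append((ioa, state, phase))
    return cmds


# Constructed stream: STARTDT act, then select ON / execute ON on IOA 12345
# (single command) and execute OFF on IOA 12346 (double command), station 1.
SAMPLE_STREAM = bytes.fromhex(
    "68 04 07 00 00 00"
    "68 0e 00 00 00 00 2d 01 06 00 01 00 39 30 00 81"
    "68 0e 02 00 00 00 2d 01 06 00 01 00 39 30 00 01"
    "68 0e 04 00 00 00 2e 01 06 00 01 00 3a 30 00 01"
)

if __name__ == "__main__":
    for cmd in control_commands(parse_apdus(SAMPLE_STREAM)):
        print(cmd)
```

Run against the Netresec PCAPs, the same function applied to the reassembled TCP payload of each session gives the list of IOAs the sample toggled; comparing that against the engineering baseline of which IOAs the legitimate master is allowed to operate is the practical detection.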

The hybrid war in Ukraine

Extensive bit of reporting from the armies of MSTIC. It’s a good reference piece with quantification as to the scale of the events.

A report detailing the relentless and destructive Russian cyberattacks we’ve observed in a hybrid war against Ukraine.

Starting just before the invasion, we have seen at least six separate Russia-aligned nation-state actors launch more than 237 operations against Ukraine – including destructive attacks that are ongoing and threaten civilian welfare.

https://blogs.microsoft.com/on-the-issues/2022/04/27/hybrid-war-ukraine-russia-cyberattacks/

Assembling the Russian Nesting Doll: UNC2452 Merged into APT29

The SolarWinds compromise gets attributed by a second source.

[We have] gathered sufficient evidence to assess that the activity tracked as UNC2452, the group name used to track the SolarWinds compromise in December 2020, is attributable to APT29.

This conclusion matches attribution statements previously made by the U.S. Government that the SolarWinds supply chain compromise was conducted by APT29, a Russia-based espionage group assessed to be sponsored by the Russian Foreign Intelligence Service (SVR).

https://www.mandiant.com/resources/unc2452-merged-into-apt29

More Malicious Google Ads

We have covered over recent months the rise of malicious adverts on a variety of platforms. This campaign is being used to distribute fake Windows 11 installers pushing InnoStealer (the screenshot of the advert is not reproduced here).

Purpose:

Information Stealer Targets Crypto Wallets Via Fake Windows 11 Update

Original Reporting:

  • https://cloudsek.com/whitepapers_reports/information-stealer-targets-crypto-wallets-via-fake-windows-11-update/

Leading to:

  • https://bazaar.abuse.ch/sample/d2205532e27cf8ae9dbc0a62fdf3fca598f5fa8f9cc948bec49df54b0b8a8cd6/

  • https://bazaar.abuse.ch/browse/tag/roseannmortali-com%20backspinnews-com

  • https://app.any.run/tasks/5cc9b70d-ada7-4f12-8d93-01a51e465d5d/

LAPSUS$: Recent techniques, tactics and procedures

David Brown, Michael Matthews and Rob Smallridge from NCC Group’s Global Cyber Incident Response Team document the tradecraft we have seen in the field being employed by LAPSUS$.

Our findings can be summarised as below:

  • Access and scraping of corporate Microsoft SharePoint sites in order to identify any credentials which may be stored in technical documentation.

  • Access to local password managers and databases to obtain further credentials and escalate privileges.

  • Living off the land – tools such as RVTools to shut down servers and ADExplorer to perform reconnaissance.

  • Cloning of git repositories and extraction of sensitive API Keys.

  • Using compromised credentials to access corporate VPNs.

  • Disruption or destruction to victim infrastructure to hinder analysis and consume defensive resource.

https://research.nccgroup.com/2022/04/28/lapsus-recent-techniques-tactics-and-procedures

BlackTech Targeted Attack Analysis

Japanese reporting on a Chinese threat actor known as BlackTech, Circuit Panda, Radio Panda, Palmerworm, TEMP.Overboard and T-APT-03. A takeaway from this reporting is the use of branch office intrusions before going upstream internally to the head office.

The targeted attack group BlackTech has been active since at least around 2012 and targets East Asian organizations, especially in Taiwan and Japan.

Its purpose is believed to be the theft of confidential information from target organizations.

BlackTech uses various malware families: publicly available malware such as Bifrose and Gh0st RAT, as well as its own malware such as TSCookie and PLEAD. BlackTech also continues to create new malware.

Attacks have been increasing rapidly and repeatedly hit multiple organizations in Japan's communications, defence and media sectors. In the attacks we observed, the overseas bases of Japanese companies were the starting point; from there the compromise spread to important systems at the head office.

Japanese companies, including their overseas bases, are likely to remain exposed to BlackTech attacks in the future.

https://jp.security.ntt/resources/BlackTech_2021.pdf

BRONZE PRESIDENT targets Russian speakers with updated PlugX

Reporting on Chinese activity targeting Russia with some rather rudimentary capability and tradecraft. Shows “friends” sometimes don’t get on and it is “complicated”.

In March 2022, CTU™ researchers analyzed a malicious executable file masquerading as a Russian-language document. The filename is Благовещенск - Благовещенский пограничный отряд.exe ("Blagoveshchensk - Blagoveshchensk Border Detachment.exe"), but the default settings on Windows systems do not display the .exe file extension. The file uses a portable document file (PDF) icon for credibility. Blagoveshchensk is a Russian city close to the China border and is home to the 56th Blagoveshchenskiy Red Banner Border Guard Detachment. This connection suggests that the filename was chosen to target officials or military personnel familiar with the region.

https://www.secureworks.com/blog/bronze-president-targets-russian-speakers-with-updated-plugx

New APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware

Daniel Lunghi and Jaromir Horejsi describe what is suspected to be a Chinese organised crime group with some technical muscle.

We recently discovered a new advanced persistent threat (APT) group that we have dubbed Earth Berberoka (aka GamblingPuppet). Based on our analysis, this group targets gambling websites. Our investigation has also uncovered that Earth Berberoka targets the Windows, Linux, and macOS platforms, and uses malware families that have been historically attributed to Chinese-speaking individuals.

https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html

Bumblebee

Numerous bits of reporting on Bumblebee.

Adventures in the land of BumbleBee – a new malicious loader

Mike Stokkel, Nikolaos Totosis and Nikolaos Pantazopoulos from NCC Group provide technical insights into BumbleBee’s evolution and functionality.

BUMBLEBEE is a new malicious loader that is being used by several threat actors and has been observed to download different malicious samples. The key points are:

  • BUMBLEBEE is statically linked with the open-source libraries OpenSSL 1.1.0f, Boost (version 1.68). In addition, it is compiled using Visual Studio 2015.

  • BUMBLEBEE uses a set of anti-analysis techniques. These are taken directly from the open-source project.

  • BUMBLEBEE has Rabbort.DLL embedded, using it for process injection.

  • BUMBLEBEE has been observed to download and execute different malicious payloads such as Cobalt Strike beacons.

https://research.nccgroup.com/2022/04/29/adventures-in-the-land-of-bumblebee-a-new-malicious-loader/

This isn't Optimus Prime's Bumblebee but it's Still Transforming

Kelsey Merriman and Pim Trouerbach provide reporting which confirms some of the same aspects and provides further insights.

  • [We have] tracked a new malware loader called Bumblebee used by multiple crimeware threat actors previously observed delivering BazaLoader and IcedID.

  • Several threat actors that typically use BazaLoader in malware campaigns have transitioned to Bumblebee. BazaLoader has not been seen in data since February 2022.

  • Bumblebee is in active development and wields elaborate evasion techniques to include complex anti-virtualization.

  • Unlike most other malware that uses process hollowing or DLL injection, this loader utilizes an asynchronous procedure call (APC) injection to start the shellcode from the commands received from the command and control (C2).

  • [We] observed Bumblebee dropping Cobalt Strike, shellcode, Sliver, and Meterpreter.

  • Threat actors using Bumblebee are associated with malware payloads that have been linked to follow-on ransomware campaigns.

https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming

The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection

Eli Salem concludes this week’s Bumblebee reporting with some further insights into its links to Conti and friends.

In late March 2022, a new malware dubbed “Bumblebee” was discovered, and reported to be distributed in phishing campaigns containing ISO files which eventually drop DLL files that contain the Bumblebee malware itself.
This malware deployment technique is not new, and several other malware families have already been observed using it, most notably BazarLoader and IcedID. Also, similar to the aforementioned malware, Bumblebee too was observed delivering the Cobalt-Strike framework.

From a threat research perspective, what makes this malware interesting is the fact that it was associated with the Conti ransomware group as one of the group's threat loaders.

https://elis531989.medium.com/the-chronicles-of-bumblebee-the-hook-the-bee-and-the-trickbot-connection-686379311056

Oh North Korea

So the bad boys and girls of North Korea have been busy and the reporting reflects it.

New malware from the Lazarus attack group that exploits the INITECH process

Korean reporting on the size of the intrusion set they have been seeing along with the root cause and technical analysis.

About 47 companies and institutions, including defense companies, were infected with malicious code distributed by the Lazarus Group in the first quarter of 2022, a situation [we] judge to be serious.

It was confirmed that malicious behaviour was generated by the INITECH process (inisafecrosswebexsvc.exe) in the affected companies.

https://asec.ahnlab.com/ko/33706/

A "Naver"-ending game of Lazarus APT

Sahil Antil and Sudeep Singh break down an evolving campaign from our friends in the Hermit Kingdom including providing details of the full attack chains.

[We have] been closely monitoring a campaign targeting users in South Korea.  This threat actor has been active for more than a year and continues to evolve its tactics, techniques, and procedures (TTPs); we believe with high confidence that the threat actor is associated with Lazarus Group, a sophisticated North Korean advanced persistent threat (APT) group.

In 2021, the main attack vector used by this threat actor was credential phishing attacks through emails, posing as Naver, the popular South Korean search engine and web portal. 

In 2022, the same threat actor started spoofing various important entities in South Korea, including KRNIC (Korea Internet Information Center), Korean security vendors such as Ahnlab, cryptocurrency exchanges such as Binance, and others.

Attack flow diagram (not reproduced here).

https://www.zscaler.com/blogs/security-research/naver-ending-game-lazarus-apt

Lazarus arsenal update: analysis of recent Andariel attack samples

Chinese reporting on the evolution of North Korean capability and why they may use Go to develop some of their implants.

The Andariel gang is classified by the Korean Financial Security Institute as a subgroup of the Lazarus APT group. The group mainly attacks South Korean organizations, especially financial institutions, for financial gain and cyber espionage.

Recently, [we] captured a batch of Andariel-related attack samples during daily threat hunting, all of which are PE executable files. Judging by the times at which these samples were uploaded to VT, the related attack activity has been under way since at least February this year.

The attack samples fall into two categories: one is a loader that decrypts and loads subsequent payloads in memory, the loaded content including backdoors and browser-stealing programs; the other is a downloader written in Go, which sends the collected host information back to the C2 server, then downloads a PE file and executes it. Most of the Go downloaders currently still have low single-digit detections on VT, which may be one reason why attackers choose Go to develop their malware.

https://mp.weixin.qq.com/s/QfbzuIKUPTXE4GdpBMsGbQ

Stonefly: North Korea-linked Spying Operation Continues to Hit High-value Targets

Interesting insights in our final bit of North Korean reporting this week, showing that some of their campaigns have a very specific focus.

The North Korean-linked Stonefly group is continuing to mount espionage attacks against highly specialized engineering companies with a likely goal of obtaining sensitive intellectual property.

Stonefly specializes in mounting highly selective targeted attacks against targets that could yield intelligence to assist strategically important sectors such as energy, aerospace, and military equipment. Virtually all of the technologies it appears to be interested in have military as well as civilian uses and some could have applications in the development of advanced weaponry.

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/stonefly-north-korea-espionage

Trello From the Other Side: Tracking APT29 Phishing Campaigns

John Wolfram, Sarah Hawley, Tyler McLellan, Nick Simonian and Anders Vejlby detail Russian activity using a variety of new tradecraft and capability in order to attempt to avoid detection by traditional defence mechanisms.

Since early 2021, [we have] been tracking extensive APT29 phishing campaigns targeting diplomatic organizations in Europe, the Americas, and Asia. Our recent observations are related to the identification of two new malware families in 2022, BEATDROP and BOOMMIC, as well as APT29’s efforts to evade detection through retooling and abuse of Atlassian's Trello service.

https://www.mandiant.com/resources/tracking-apt29-phishing-campaigns

A lookback under the TA410 umbrella: Its cyberespionage TTPs and activity

Alexandre Côté Cyr and Matthieu Faou discuss the recent activity of this Chinese threat actor, who seem to have the keys to the Chinese cyber armoury, using some of its most advanced capabilities.

[We] have documented and analyzed TA410 activity going back to 2019. TA410 is a cyberespionage umbrella group loosely linked to APT10, known mostly for targeting US-based organizations in the utilities sector, and diplomatic organizations in the Middle East and Africa. TA410 has been active since at least 2018 and was first publicly revealed in August 2019 in the LookBack blog post. A year later, the then-new and very complex malware family called FlowCloud was also attributed to TA410.

We provide a detailed profile of this APT group, including its modus operandi and toolset that includes a new version of FlowCloud.

  • TA410 is an umbrella group comprised of three teams [we] named FlowingFrog, LookingFrog and JollyFrog, each with its own toolset and targets.

  • Telemetry shows victims all around the world, mainly in the governmental and education sectors.

  • TA410 had access to the most recent known Microsoft Exchange remote code execution vulnerabilities, e.g., ProxyLogon in March 2021 and ProxyShell in August 2021.

  • [We] found a new version of FlowCloud, a complex and modular C++ RAT. It has several interesting capabilities, including:

    • Controlling connected microphones and triggering recording when sound levels above a specified threshold volume are detected.

    • Monitoring clipboard events to steal clipboard content.

    • Monitoring file system events to collect new and modified files.

    • Controlling attached camera devices to take pictures of the compromised computer’s surroundings.

  • FlowCloud deploys a rootkit to hide its activity on the compromised machine.

  • The LookBack backdoor utilized by TA410 uses a custom network protocol, which can function over HTTP or raw TCP, for C&C server communications.

  • TA410 is one of the users of the Royal Road malicious document builder.

https://www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity/

An Overview of the Increasing Wiper Malware Threat

Gergely Revay provides a nice summary and history lesson as it relates to Wiper Malware Threats

In parallel with the war in Ukraine, cybersecurity researchers have witnessed a sudden increase in the number of wiper malware deployments. Although these haven't been officially attributed to Russian state-sponsored threat actors, their goals align with the Russian military's. It is widely theorized that these cyberattacks are intentionally being launched in concert with the invasion.

Wiper malware timeline (figure not reproduced here).

https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat

Attacks by the Manlinghua organization using the authorized Pakistan and Bangladesh government mailboxes

Chinese reporting on suspected Indian activity against Pakistan. The actual tradecraft is phishing, malicious CHM files and maldocs. So 2005 phoned and wants its tradecraft back.

[We] captured several samples of cyber attack activities that were suspected to be launched by the Manlinghua organization using the authorized Pakistan and Bangladesh government mailboxes. This batch of samples is very similar to the previous attack activities of the organization in terms of attack methods or weapon codes, and continues its consistent attack characteristics.

https://ti.dbappsecurity.com.cn/blog/articles/2022/04/24/bitter-attack-bd/

Malware analysis report on SparrowDoor malware

Detailed reporting by the UK’s National Cyber Security Centre on suspected Chinese activity detected in the United Kingdom.

The variant was found on a UK network in 2021 and contains additional functionality. The threat actor behind it is FamousSparrow, which is not attributed to a country in open source, although it overlaps with the China-linked SparklingGoblin and DRBControl.

https://www.ncsc.gov.uk/report/mar-sparrowdoor

Study of an APT attack on a telecommunications company in Kazakhstan

Chinese activity outed by a Russian cyber company: some deep intrusions into a sector you really don’t want them in.

In October 2021, one of Kazakhstan’s telecommunication companies suspected malware in its corporate network. During the investigation, we found that the company had been compromised since 2019.

That said, we also found victims from other countries, including:

  • Egyptian government agency

  • Italian airport

  • USA marketing company

  • Canadian transport and woodworking companies

Based on the tools, methods, and infrastructure used, we conclude that the Calypso APT hacker group is behind the attack.

https://st.drweb.com/static/new-www/news/2022/march/telecom_research_en.pdf

Quantum Ransomware - under four hours the threat actors went from initial access, to domain wide ransomware

Our friends at the DFIR Report show that ransomware ops have become speed-running competitions.

In one of the fastest ransomware cases we have observed, in under four hours the threat actors went from initial access, to domain wide ransomware. The initial access vector for this case was an IcedID payload delivered via email.

https://thedfirreport.com/2022/04/25/quantum-ransomware/

"aa" distribution Qakbot (Qbot) infection with DarkVNC traffic

Brad Duncan breaks down the attack chain used to deliver Qakbot and then DarkVNC. Nothing novel here in terms of initial access tradecraft: it is the well-worn macro-enabled spreadsheet chain.

Email --> link --> downloaded zip archive --> extracted Excel file --> enable macros --> HTTPS traffic for Qakbot DLL files --> Qakbot C2 activity --> DarkVNC traffic

https://isc.sans.edu/forums/diary/aa+distribution+Qakbot+Qbot+infection+with+DarkVNC+traffic/28568/

GOLD ULRICK continues Conti operations despite public disclosures

Being doxed is, it would appear, but a flesh wound for Russian organised cyber crime.

The Conti leak site listed an average of 43 victims per month in 2021. Despite a drop following the Colonial Pipeline attack and a peak of 95 victims listed in November, the rate of naming victims was fairly consistent. The decreased activity in December 2021 and January 2022 across all name-and-shame ransomware groups was likely due to a holiday break. The number of victims added to the Conti leak site increased in February 2022. On February 27, the @ContiLeaks Twitter persona began leaking GOLD ULRICK data and communications. Despite these public disclosures, the number of Conti victims posted in March surged to the second-highest monthly total since January 2021 (see Figure 1).

https://www.secureworks.com/blog/gold-ulrick-continues-conti-operations-despite-public-disclosures

Emotet Tests New Delivery Techniques

Axel F documents a criminal threat actor assessing the efficacy of a new delivery mechanism.

  • [We] identified low-volume Emotet activity that drastically differed from typical Emotet threat behaviors.

  • The activity occurred while Emotet was on a “spring break,” not conducting its typical high volume threat campaigns. The threat actor has since resumed its typical activity.

  • [We] assess that the threat group distributing Emotet is likely testing new tactics, techniques, and procedures (TTPs) on a small scale before adopting them in broader campaigns or to deploy them in parallel with the broad campaigns.

  • The messages contained OneDrive URLs that hosted a zip archive containing XLL files dropping Emotet malware.

  • This activity is attributed to TA542.

https://www.proofpoint.com/us/blog/threat-insight/emotet-tests-new-delivery-techniques

SocGholish and Zloader – From Fake Updates and Installers to Owning Your Systems

Don’t 🤮 on the product placement in this content-led marketing. It is, however, a useful overview of the end-to-end chain used for distribution.

  • Masquerading malware: Infections with SocGholish start by end-users executing JavaScript scripts with filenames that relate to known browsers and browser updates, such as Opera.Update.js and Firefox.js. Infections with Zloader start by end-users executing a fake installer of a popular application, such as TeamViewer.

  • Intensive reconnaissance and data exfiltration: SocGholish operators conduct intensive reconnaissance activities and redirect the output of executed commands to files with the filename extension .tmp for exfiltration.

https://www.cybereason.com/blog/threat-analysis-report-socgholish-and-zloader-from-fake-updates-and-installers-to-owning-your-systems

A Deep Dive into Zloader - the Silent Night

A technical walkthrough on how to analyse Zloader from start to finish.

We will provide detailed analysis and techniques that Zloader uses, including:

  • How to unpack to dump Zloader Core Dll.

  • The techniques Zloader uses to make the analysis process difficult as well as time consuming.

  • Decrypt strings used by Zloader by using both IDAPython and AppCall methods.

  • Apply AppCall to recover the Windows API calls.

  • Process Injection technique that Zloader uses to inject into the msiexec.exe process.

  • Decrypt configuration information related to C2s addresses.

  • How Zloader collects and saves information in the Registry.

  • The Persistence technique.

https://blog.vincss.net/2022/04/re026-a-deep-dive-into-zloader-the-silent-night.html

Hive0117 Continues Fileless Malware Delivery in Eastern Europe

Melissa Frydrych, Claire Zaboeva and David Bryant document a “fileless” malware which seems to involve an awful lot of files in reality.

[We] identified a phishing email campaign by Hive0117, likely a financially motivated cybercriminal group, from February 2022, designed to deliver the fileless malware variant dubbed DarkWatchman. The campaign masquerades as official communications from the Russian Government’s Federal Bailiffs Service; the Russian-language emails are addressed to users in Lithuania, Estonia, and Russia in the Telecommunications, Electronic and Industrial sectors. The activity predates and is not believed to be associated with the Russian-led invasion of Ukraine.

X-Force assesses that it is possible the targeting of telecommunication providers and their industry adjacent suppliers may be intended as ultimately serving to enable illegal access to numerous distributed clients and end-users.

DarkWatchman is a malicious Remote Access Trojan (RAT) based on JavaScript, using command and control (C2) mechanisms for fileless persistence, as well as other capabilities.

https://securityintelligence.com/posts/hive00117-fileless-malware-delivery-eastern-europe/

LockBit Ransomware Side-loads Cobalt Strike Beacon with Legitimate VMware Utility

James Haughom, Júlio Dantas, and Jim Walter show how, following the Chinese state’s lead, organised criminal groups have taken to DLL side-loading to subvert cyber defences which rely on detecting uncommon or unsigned process executables on Windows: the process is a legitimately signed binary, and the malice lives in the DLL it pulls in next to it.

  • The VMware command line utility VMwareXferlogs.exe used for data transfer to and from VMX logs is susceptible to DLL side-loading.

  • During a recent investigation, our DFIR team discovered that LockBit Ransomware-as-a-Service (Raas) side-loads Cobalt Strike Beacon through a signed VMware xfer logs command line utility.

  • The threat actor uses PowerShell to download the VMware xfer logs utility along with a malicious DLL, and a .log file containing an encrypted Cobalt Strike Reflective Loader.

  • The malicious DLL evades defenses by removing EDR/EPP’s userland hooks, and bypasses both Event Tracing for Windows (ETW) and Antimalware Scan Interface (AMSI).

  • There are suggestions that the side-loading functionality was implemented by an affiliate rather than the LockBit developers themselves (via vx-underground), likely DEV-0401.

https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/
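Because the malicious DLL strips userland hooks and bypasses ETW and AMSI once it is loaded, the more robust place to catch this shape is image-load telemetry that has already left the host. The script below is an added example, not SentinelOne’s code: it runs over constructed Sysmon Event ID 7 (Image loaded) records in JSON-lines form and flags an unsigned DLL loaded from a user-writable directory, with high severity when that directory is also the one the host executable runs from (the side-load shape in the report). The event values, paths and the DLL name xferhelper.dll are assumptions for illustration, not indicators from the report.

```python
"""Flag DLL side-loading candidates in Sysmon Event ID 7 (Image loaded) records.

Added example; not SentinelOne's code.  SAMPLE_EVENTS is constructed: the paths,
timestamps and the DLL name "xferhelper.dll" are made up for illustration.
"""
import json
from pathlib import PureWindowsPath
from typing import Dict, List

# Directories a standard user can write to.  A signed binary copied here and
# run next to an unsigned DLL is the shape described in the LockBit report.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Constructed Sysmon Event 7 records (field names as Sysmon emits them; Signed and
# SignatureStatus describe ImageLoaded, not the host process).
SAMPLE_EVENTS = r"""
{"EventID": 7, "UtcTime": "2022-04-20 11:02:13.114", "Image": "C:\\Program Files\\VMware\\VMware Tools\\VMwareXferlogs.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}
{"EventID": 7, "UtcTime": "2022-04-20 11:05:41.902", "Image": "C:\\Users\\Public\\vmxfer\\VMwareXferlogs.exe", "ImageLoaded": "C:\\Users\\Public\\vmxfer\\xferhelper.dll", "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"}
{"EventID": 7, "UtcTime": "2022-04-20 11:06:02.330", "Image": "C:\\Users\\alice\\AppData\\Local\\Programs\\Python\\python.exe", "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Programs\\Python\\python310.dll", "Signed": "true", "Signature": "Python Software Foundation", "SignatureStatus": "Valid"}
{"EventID": 7, "UtcTime": "2022-04-20 11:09:55.007", "Image": "C:\\Program Files\\VMware\\VMware Tools\\VMwareXferlogs.exe", "ImageLoaded": "C:\\ProgramData\\cache\\xferhelper.dll", "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"}
"""


def parse_events(text: str) -> List[Dict]:
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def is_signed(ev: Dict) -> bool:
    """Treat only a present, valid signature as signed; anything else is unsigned."""
    return ev.get("Signed", "").lower() == "true" and ev.get("SignatureStatus") == "Valid"


def sideload_candidates(events: List[Dict]) -> List[Dict]:
    hits = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        image = PureWindowsPath(ev["Image"])
        dll = PureWindowsPath(ev["ImageLoaded"])
        if dll.suffix.lower() != ".dll" or is_signed(ev):
            continue
        if not is_user_writable(str(dll)):
            continue
        # Same directory as the host executable: classic side-load.  A different
        # user-writable directory is still worth a look (search-order hijack).
        same_dir = image.parent == dll.parent          # PureWindowsPath compares case-insensitively
        hits.append({
            "time": ev.get("UtcTime"),
            "image": str(image),
            "dll": str(dll),
            "severity": "high" if same_dir else "medium",
            "reason": "unsigned DLL loaded from a user-writable directory"
                      + (" next to the host executable" if same_dir else ""),
        })
    return hits


if __name__ == "__main__":
    for hit in sideload_candidates(parse_events(SAMPLE_EVENTS)):
        print(hit["severity"], hit["image"], "->", hit["dll"], "|", hit["reason"])
```

The rule deliberately keys on the DLL being unsigned rather than on the host binary being suspicious: VMwareXferlogs.exe is a legitimately signed VMware tool, which is the whole point of the technique, so a process-image allow-list would wave it through.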

Dissecting Saintstealer

Stealers-as-a-service being provided to initial access brokers, it would appear.

During our routine threat-hunting exercise, [we] came across a C# .NET-based information stealer developed by the Saint gang. The activities of Saintstealer can be traced back as far as November 2021. The file is not packed and has multiple functionalities to steal credentials and system information.

https://blog.cyble.com/2022/04/27/dissecting-saintstealer/

Free malware - what gives

When cyber criminals embrace the freemium model of revenue generation, we end up in this situation.

We discovered and announced Ginzo stealer[1] on March 24, 2022. A YouTube video, discovered by @3xp0rtblog, showcases the first release. It was uploaded on the 4th of March.

The description below the video states that the stealer is provided for free, which is most likely a marketing technique to get criminal buyers hooked.

https://www.gdatasoftware.com/blog/2022/03/ginzo-free-malware

Discovery

How we find and understand the latent compromises within our environments.

Defence Evasion Technique: Timestomping Detection – NTFS Forensics

Lina Lau provides insight into the methods of, and detection techniques for, timestomping.

Forensic analysts are often taught two methods for detecting file timestomping that can lead to blind spots in an investigation. The two most well-taught methods for analysts to detect timestomping are:

  • Compare the $STANDARD_INFORMATION timestamps vs the $FILE_NAME timestamps in the Master File Table (MFT)

  • Look for nanoseconds in a timestamp matching “0000000” as this often shows the use of an automated tool (i.e. Metasploit) 

These two detection methods are based on two fallacies that I will explore in this blog post:

  • Myth 1: $FILE_NAME timestamps cannot be timestomped 

  • Myth 2: Attacker tools cannot alter nanoseconds in a timestamp

https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html
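As an added example, not code from Lina's post, the two classic MFT checks above written out in Python and run over constructed $STANDARD_INFORMATION / $FILE_NAME records (FILETIME values built here, not real forensic data). The third record shows the blind spot the post describes: when $FILE_NAME is stomped as well and a plausible sub-second fraction is written, neither check fires.

```python
from datetime import datetime, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC, so 10^7 ticks per second.
TICKS_PER_SECOND = 10_000_000
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime(iso_utc: str, subsecond_ticks: int = 0) -> int:
    """Build a FILETIME from a whole-second ISO-8601 UTC time plus 0..9999999 extra ticks."""
    whole = datetime.fromisoformat(iso_utc).replace(tzinfo=timezone.utc)
    return int((whole - EPOCH_1601).total_seconds()) * TICKS_PER_SECOND + subsecond_ticks


def timestomp_indicators(record: dict) -> list[str]:
    """Run the two classic MFT checks over one record of the form
    {"si": {"created": FILETIME, "modified": FILETIME}, "fn": {...same keys...}}."""
    findings = []
    si, fn = record["si"], record["fn"]
    # Check 1: $STANDARD_INFORMATION is settable from userland (SetFileTime) while $FILE_NAME
    # is written by the kernel at creation, so an $SI creation time earlier than $FN is a tell.
    if si["created"] < fn["created"]:
        findings.append("si_created_before_fn_created")
    # Check 2: tools that write whole-second times leave the 7-digit fraction as 0000000.
    for attr, stamps in (("si", si), ("fn", fn)):
        for name, ft in stamps.items():
            if ft % TICKS_PER_SECOND == 0:
                findings.append(f"zero_subsecond:{attr}.{name}")
    return findings


# Constructed sample records (not real forensic data).
SAMPLE_RECORDS = {
    # Untouched file: $SI and $FN agree and carry non-zero fractions.
    "benign": {"si": {"created": filetime("2022-04-20T10:00:00", 1234567),
                      "modified": filetime("2022-04-21T08:30:00", 9876543)},
               "fn": {"created": filetime("2022-04-20T10:00:00", 1234567),
                      "modified": filetime("2022-04-21T08:30:00", 9876543)}},
    # Naive stomp: only $SI rewritten, to whole seconds. Both checks fire.
    "stomped_si_only": {"si": {"created": filetime("2010-01-01T00:00:00"),
                               "modified": filetime("2010-01-01T00:00:00")},
                        "fn": {"created": filetime("2022-04-20T10:00:00", 1234567),
                               "modified": filetime("2022-04-21T08:30:00", 9876543)}},
    # The post's point: $FN stomped too, with a plausible fraction. Neither check fires.
    "stomped_si_and_fn": {"si": {"created": filetime("2010-01-01T00:00:00", 5551234),
                                 "modified": filetime("2010-01-01T00:00:00", 5551234)},
                          "fn": {"created": filetime("2010-01-01T00:00:00", 5551234),
                                 "modified": filetime("2010-01-01T00:00:00", 5551234)}},
}
```

Corroborating sources such as $LogFile, the USN journal or the $MFT entry's own sequence of changes are what close the gap; these two checks alone are a starting point, not a verdict.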

Defence

How we proactively defend our environments.

badkeys.info: Checking cryptographic public keys for known vulnerabilities

Useful service from Hanno Böck but also open source to allow application in other environments.

The badkeys service checks for these vulnerabilities:

  • Debian OpenSSL bug (CVE-2008-0166)

  • Common prime factor vulnerability ("Mining Your Ps and Qs", 2012)

  • Return of Coopersmith's attack / ROCA (CVE-2017-15361)

  • keypair / Gitkraken bug (CVE-2021-41117)

  • Fermat Attack (CVE-2022-26320)

  • Various "Public Private Keys"

https://badkeys.info/
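As an added example, not badkeys' own code (which works on real key sizes and runs batch GCD over a large corpus), two of the checks listed above in Python on constructed toy moduli: Fermat's close-prime test and a pairwise shared-prime GCD test. The primes used are small and constructed for illustration only.

```python
from math import gcd, isqrt


def fermat_factor(n: int, max_rounds: int = 1000):
    """Fermat's method: write n = a^2 - b^2 = (a-b)(a+b). It succeeds in a handful of
    rounds only when the two primes are close together, the weak-key class behind the
    Fermat Attack entry; for well-generated keys it runs out of budget and returns None."""
    a = isqrt(n)
    if a * a < n:
        a += 1
    for _ in range(max_rounds):
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2:
            return a - b, a + b
        a += 1
    return None  # primes not close enough to be found this way within budget


def shared_factor(n1: int, n2: int):
    """Pairwise form of the 'Mining Your Ps and Qs' check: two moduli sharing a prime
    give it away through the GCD, and then both keys are broken."""
    g = gcd(n1, n2)
    return g if 1 < g < min(n1, n2) else None


def assess_modulus(n: int, others: list[int]) -> list[str]:
    """Label one modulus with the findings this example implements."""
    findings = []
    if fermat_factor(n, max_rounds=100):
        findings.append("close_primes_fermat_factorable")
    if any(shared_factor(n, m) for m in others if m != n):
        findings.append("shares_prime_with_another_key")
    return findings


# Constructed toy moduli (small primes, not real keys).
CLOSE_PRIMES = 65521 * 65537      # adjacent primes: Fermat finds them on the first round
REUSED_PRIME_A = 10007 * 20011    # shares 10007 with REUSED_PRIME_B
REUSED_PRIME_B = 10007 * 30011
UNRELATED = 40009 * 50021         # distinct primes, not close: no finding
TOY_KEYSET = [CLOSE_PRIMES, REUSED_PRIME_A, REUSED_PRIME_B, UNRELATED]
```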

Step-by-step guide to implementing a DevSecOps program for any size organization

Paul McCarty gets a Blurple MVP award for releasing this.

This playbook will help you introduce effective DevSecOps practices in your company, regardless of size. We provide explicit guidance and actionable steps to introduce security controls, measure their effectiveness, and demonstrate value for money to your business leaders. Following this playbook will help teams build materially more secure applications, and that in the end, is the intent.

https://github.com/6mile/DevSecOps-Playbook

Microsoft Defender for Endpoint Workbook for Microsoft Sentinel

Rod Trent highlights this release.

There’s a new Workbook available in the Microsoft Sentinel console that I’m pretty sure you’ll overlook because it’s been released without much fanfare.

The Workbook displays information for things like tables, data flow, the devices being managed by Defender for Endpoint, and much more.

https://azurecloudai.blog/2022/04/27/microsoft-defender-for-endpoint-workbook-for-microsoft-sentinel/

Azure AD: You Should Disable This Legacy MFA Setting

Eric W highlights a setting some might want to consider disabling, although it led to some discussion in the comments that doing so might result in a less secure environment and a higher risk of authentication bombing.

Under remember multi-factor authentication on trusted device, Allow users to remember multi-factor authentication on devices they trust.

https://ericonidentity.com/2022/04/26/azure-ad-you-should-disable-this-legacy-mfa-setting/

AWS compliance auditing with SQL

David Boeke, Bob Tordella, Jon Udell, and Nathan Wallace show us compliance Reporting as Code (tm) (I just made that up) - thank me later.

In this post we’ll explore how Steampipe’s Compliance “mod” uses that query infrastructure to check for compliance with regulatory frameworks. It provides 448 controls and 233 named queries that deliver comprehensive support for these standards:

  • AWS Audit Manager Control Tower Guardrails

  • CIS v1.3.0

  • CIS v1.4.0

  • AWS Foundational Security Best Practices

  • General Data Protection Regulation (GDPR)

  • HIPAA

  • NIST 800-53 Revision 4

  • NIST Cybersecurity Framework (CSF) v1.1

  • PCI v3.2.1

  • RBI Cyber Security Framework

  • SOC 2

https://aws.amazon.com/blogs/opensource/compliance-auditing-with-steampipe-and-sql/

OWASP Amass

The OWASP Amass Project performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques.

https://github.com/OWASP/Amass

Control Validation Compass

Not entirely sure what problem this solves, but interesting nevertheless.

Pointing cybersecurity teams to 9,000+ publicly-accessible technical and policy controls and 2,100+ offensive security tests, aligned with over 500 common attacker techniques

Instantly identify relevant controls directly aligned with threats that matter to you

https://controlcompass.github.io/risk

Annotating Malware Disassembly Functions Using Neural Machine Translation

Philip Tully, Sunil Vasisht, Omar Sardar and Jay Gibble provide the results of some interesting experiments in using human-produced annotations to train machine learning models. Really early days, but there is some promise if teams have the discipline to produce the training sets.

  • Using machine learning models previously applied to translate between languages like English and French, we frame malware function annotation as a neural machine translation task.

  • Our approaches utilizing a model trained on over a decade’s worth of analyst annotations and based on abstract syntax tree and control flow graph representations generalize well to annotate new malware disassembly functions.

  • Later in the blog post, we show how a function assigned a dummy name like sub_401337 by a disassembler can be accurately annotated by our model as something more descriptive of its purpose like [‘self’, ‘delete’].

  • Such automated natural language annotations can help guide reverse engineering, reduce the time and effort spent during malware analysis, and fuel downstream use cases like binary similarity, triage, and hunting.

https://www.mandiant.com/resources/annotating-malware-disassembly-functions

Offense

Attack capability, techniques and tradecraft.

KrbRelayUp - a universal no-fix local privilege escalation in Windows domain environments

Mor Davidovich drops capability: where LDAP signing is not enforced (the default setting), it ends up being a bad day in Active Directory land.

https://github.com/Dec0ne/KrbRelayUp

Then a detection technique got dropped.

https://github.com/elastic/detection-rules/blob/a6d9936684e03758cadfd601a63ed204b1ce9f3e/rules/windows/privilege_escalation_krbrelayup_service_creation.toml

OSRipper: AV evading OSX Backdoor and Crypter Framework

macOS doesn’t have malware; remember that when reading this release from SubGlitch1.

OSripper is a fully undetectable Backdoor generator and Crypter which specialises in OSX M1 malware.

https://github.com/SubGlitch1/OSRipper

Engineering antivirus evasion (Part III)

Vladimir Meier continues to document the process of taking an engineering led approach to EDR/AV detection evasion.

This one provides an additional layer of obfuscation to target another kind of detection mechanism used to monitor a program’s activity, i.e. userland hooks.

It comes with two additional niceties:

  • A multithreaded Python script to obfuscate the entire Meterpreter codebase.

  • A self-contained, position independent C source code to dynamically fetch syscalls numbers on Windows.

https://blog.scrt.ch/2022/04/19/3432/?s=09

Vulnerability

Our attack surface.

A few clarifications about CVE-2022-21449 - Psychic Signatures in Java ECDSA

Neil Madden provided some useful further attack surface information on this vulnerability. I won’t list it all, but it includes:

  • Although an all-zero signature value is the simplest way to exploit this, there are several alternative values that exhibit the same bug. As previously mentioned, Project Wycheproof has an excellent selection of test vectors for this bug and many variations on it, in different signature formats, and for different elliptic curves.

  • On a related note, some JWT libraries were initially assumed to be unaffected because a quirk of re-encoding raw (IEEE P1363) format signatures into ASN.1 format rejected zero values. But, as pointed out above, there are other invalid values that are not rejected by this conversion that still trigger the bug. Either upgrade your JVM, or your JWT library, and ideally both.

https://neilmadden.blog/2022/04/25/a-few-clarifications-about-cve-2022-21449/
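An added example, not from Neil's post or the JDK: the range check a verifier must apply to a raw (IEEE P1363) ECDSA signature before any curve arithmetic, in Python against the public NIST P-256 group order. The zero_only_reject function is a hypothetical stand-in for the re-encoding quirk described above; it shows why rejecting literal zeros is not enough, since any r or s congruent to zero modulo the order (n itself, for instance) reduces to the all-zero case. The test vectors are constructed here, not taken from Wycheproof.

```python
# Group order n of NIST P-256 (public curve parameter), used as the example curve.
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def split_p1363(sig: bytes, order: int) -> tuple[int, int]:
    """Split a raw IEEE P1363 signature (r || s, fixed width each, big-endian) into ints."""
    width = (order.bit_length() + 7) // 8
    if len(sig) != 2 * width:
        raise ValueError(f"expected {2 * width} bytes, got {len(sig)}")
    return int.from_bytes(sig[:width], "big"), int.from_bytes(sig[width:], "big")


def zero_only_reject(sig: bytes, order: int) -> bool:
    """Hypothetical stand-in for the re-encoding quirk: rejects only literal zero values."""
    r, s = split_p1363(sig, order)
    return r != 0 and s != 0


def signature_values_valid(sig: bytes, order: int) -> bool:
    """The check the standard requires before verifying: 1 <= r < n and 1 <= s < n.
    Values that are 0 mod n (n itself included) are exactly the ones this catches."""
    r, s = split_p1363(sig, order)
    return 1 <= r < order and 1 <= s < order


def constructed_signatures(order: int) -> dict[str, bytes]:
    """Constructed vectors (not Wycheproof's): well-formed byte strings carrying bad values."""
    width = (order.bit_length() + 7) // 8

    def enc(value: int) -> bytes:
        return value.to_bytes(width, "big")

    return {
        "all_zero": bytes(2 * width),                     # the headline CVE-2022-21449 case
        "r_and_s_equal_order": enc(order) + enc(order),   # 0 mod n, yet no zero bytes to reject
        "s_zero_only": enc(order // 3) + enc(0),
        "in_range": enc(order // 3) + enc(order // 5),    # passes the range check only;
    }                                                     # never verified against a key
```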

VPN Products installing trusted CAs

Installed without user permission on Windows, potentially allowing MitM of traffic. Affected services:

  • Surfshark

  • TurboVPN

  • VyprVPN

  • VPN Proxy Master

  • Atlas VPN

  • Sumrando VPN

Original research (search for "Trusted Root Certificate" in the Search box):

https://customer.appesteem.com/deceptors

Cisco Umbrella Virtual Appliance Static SSH Host Key Vulnerability

You can MitM SSH connections to the virtual appliance as a result. Billions of dollars, remember, gets you here..

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-uva-static-key-6RQTRs4c

Exploitation

What is being exploited.

Redis Sandbox Escape RCE (CVE-2022-0543) - Exploited in the wild

Metasploit module for a vulnerability being exploited to build a botnet.

This module exploits CVE-2022-0543, a Lua-based Redis sandbox escape. This has been exploited in the wild.

https://github.com/rapid7/metasploit-framework/pull/16504

VMWare Identity Manager Attack: New Backdoor Discovered

Numerous bits of reporting on actors trying to exploit this vulnerability.

[We] identified exploitation attempts for a week-old VMware Workspace ONE Access (formerly VMware Identity Manager) remote code execution (RCE) vulnerability.

Due to indicators of a sophisticated Core Impact backdoor, [we] believe advanced persistent threat (APT) groups are behind these VMWare identity manager attack events.

https://blog.morphisec.com/vmware-identity-manager-attack-backdoor

Footnotes

Some other small bits and bobs which might be of interest.

  • Cyber Threats 2021: A Year in Retrospect (published April 28th 2022) and then a technical annex

  • Le groupe cybercriminel FIN7 - FIN7 is a Russian-speaking cybercriminal group initially specialising in for-profit attacks against banking information systems. It targeted various sectors in the United States, United Kingdom, Australia and France - French government reporting

  • 2021 Top Routinely Exploited Vulnerabilities: This joint Cybersecurity Advisory (CSA) - was coauthored by cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom

  • ThinkstScapes (Quarterly InfoSec Research Reviews)

That’s all folks.. until next week..

© 2023 Ollie Whitehouse from BinaryFirefly