Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading).
Operationally this week we had a number of big vulnerabilities land and the scale of the intrusions into Heroku became clear (see relevant sections later). Other than that it has only taken us about a month to transfer details of a critical vulnerability to a vendor due to a slightly apathetic response their side. The fact this is a thing and there isn’t machine to machine brokerage service for vulnerability disclosure run by a CERT or similar makes me wonder if there is an opportunity to offer it “as a Service”.
the UK published New Open RAN Principles to build stronger telecoms supply chain - Open RAN is an interesting strategy to break /de-risk vendor monopolies which the US and latterly Japan employed in order to be able to compete. The fact it also adds diversity to mono-cultures from a cyber perspective is a secondary benefit.
I’ve been reflecting on this newsletter and if it remains valuable. The Internet is a wonderful thing and we are fortunate to have so much great free analysis and meta analysis these days. We now have a cadre of substacks and the Venn is growing with a number of them, their reporting is often quicker and analysis often as good if not better.
CyberWeekly - Michael Brunton-Spall - my original inspiration for doing this
In addition to these there is the ever wonderful tl;dr sec by Clint Gibler.
Anyway dear reader let me know your thoughts.. If there is value I am will happily continue, however if that value is diminishing then I can equally pivot…
CISA Update: Destructive Malware Targeting Organizations in Ukraine
USG releases an update on this threat - really an aggregation of all the reporting that others have put out and we have covered here.
This advisory has been updated to include additional Indicators of Compromise (IOCs) for WhisperGate and technical details for HermeticWiper, IsaacWiper, HermeticWizard, and CaddyWiper destructive malware, all of which have been deployed against Ukraine since January 2022.
Reporting on Russian and Chinese activity in the region. The Russian tradecraft is basic malicious attachments and social engineering. The tradecraft used by the Chinese actor is unclear at this time.
APT28 or Fancy Bear, a threat actor attributed to Russia GRU, was observed targeting users in Ukraine with a new variant of malware. The malware, distributed via email attachments inside of password protected zip files (ua_report.zip), is a .Net executable that when executed steals cookies and saved passwords from Chrome, Edge and Firefox browsers. The data is then exfiltrated via email to a compromised email account.
Curious Gorge, a group [we] attribute to China's PLA SSF, has remained active against government, military, logistics and manufacturing organizations in Ukraine, Russia and Central Asia. In Russia, long running campaigns against multiple government organizations have continued, including the Ministry of Foreign Affairs. Over the past week, TAG identified additional compromises impacting multiple Russian defense contractors and manufacturers and a Russian logistics company.
Mustang Panda deploys a new wave of malware targeting Europe
Jung soo An, Asheer Malhotra and Justin Thattil, with contributions from Aliza Berk and Kendall McKay provide further reporting on China trying to exploit the chaos that the Ukraine conflict is causing. Again more side loading in use and the usual implant families.
In February 2022, corresponding roughly with the start of the Russian Invasion of Ukraine, [we] began observing the China-based threat actor Mustang Panda conducting phishing campaigns against European entities, including Russian organizations. Some phishing messages contain malicious lures masquerading as official European Union reports on the conflict in Ukraine and its effects on NATO countries. Other phishing emails deliver fake "official" Ukrainian government reports, both of which download malware onto compromised machines.
Mustang Panda has been known to use themed lures relating to various current-day events and issues, including the COVID-19 pandemic, international summits and various political topics.
While the Ukraine-related Mustang Panda developments have been reported by at least one other security firm, we identified additional samples that have not been cited in open-source reporting.
Apart from targeting European countries, Mustang Panda has also targeted organizations in the U.S. and Asia.
In these campaigns, we've observed the deployment of Mustang Panda's PlugX implant, custom stagers and reverse shells and meterpreter-based shellcode, all used to establish long-term persistence on infected endpoints with the intention of conducting espionage.
The strange link between a destructive malware and a ransomware-gang linked custom loader: IsaacWiper vs Vate
A link here is pretty circumstantial going back to a bit of open source software used by both. Yes a strange link, but by no means a smoking gun.
during a comparative analysis performed at the beginning of March 2022, found evidence that suggests a possible relationships between a piece of malware belonging to the Sprite Spider arsenal (or some elements that are or were part of it) and another malware that has recently taken part in destructive attacks against organizations and institutions in Ukraine.
North Korea’s Lazarus: their initial access trade-craft using social media and social engineering
Michael Matthews and Nikolaos Pantazopoulos of NCC Group outline the full end-to-end of Lazarus during the initial access phase of their fake job campaign.
In summary, we identified the following findings:
Lazarus used LinkedIn profiles to impersonate employees of other legitimate companies
Lazarus communicated with target employees through communication channels such as WhatsApp.
Lazarus entices victims to download job adverts (zip files) containing malicious documents that lead to the execution of malware
The identified malicious downloader appears to be a variant of LCPDOT
Scheduled tasks are utilised as a form of persistence (rundll32 execution from a scheduled task)
SOLARDEFLECTION C2 Infrastructure Used by NOBELIUM in Company Brand Misuse
Reporting on Russian activity using typo squats. Related, nine years ago I co-developed and open sourced a solution to detect this type of activity called TypoSquater which latterly got re-written and turned into a SaaS called Domain Intelligence. The amount of signal I still get from it is quite amazing.
Key Judgments
[We are] confident that the identified SOLARDEFLECTION infrastructure can be attributed to the threat activity group publicly reported as NOBELIUM; this confidence is based on the use of overlapping network infrastructure previously attributed to NOBELIUM in public reporting, as well as unique variations of Cobalt Strike traditionally used by the group.
Broader themes in SOLARDEFLECTION C2 typosquats have included the misuse of brands across multiple industry verticals, particularly in the news and media industries.
Cobalt Strike servers related to SOLARDEFLECTION monitoring that were also previously linked to NOBELIUM activity used modified server configurations, likely in an attempt to remain undetected from researchers actively scanning for standard Cobalt Strike server features.
NOBELIUM has made extensive use of typosquat domains in SSL certificates and will likely continue to use deceptive techniques, including typosquat redirection, when using Cobalt Strike tooling
First the techniques, which on the face of it other than maybe the implant look like any good commercial red team in 2022.
Multi-year Cyber Espionage Intrusions: [We] investigated a sophisticated and elusive cyber espionage operation that has remained undetected since at least 2019 with the goal of stealing sensitive proprietary information from technology and manufacturing companies, mainly in East Asia, Western Europe, and North America.
Newly Discovered Malware and Multi-Stage Infection Chain: Part two of the research examines both known and previously undocumented Winnti malware which included digitally signed kernel-level rootkits as well as an elaborate multi-stage infection chain which enabled the operation to remain undetected since at least 2019.
Now the tooling, the CLFS capability / trick is the standout for me here. The active use of anti-forensics by state actors should send a shiver down the spine of blueteams across the land.
Rarely Seen Abuse of the Windows CLFS Feature: the attackers leveraged the Windows CLFS mechanism and NTFS transaction manipulations which provided them with the ability to conceal their payloads and evade detection by traditional security products.
Intricate and Interdependent Payload Delivery: the report includes an analysis of the complex infection chain that led to the deployment of the WINNKIT rootkit composed of multiple interdependent components. The attackers implemented a delicate “house of cards” approach, meaning that each component depends on the others to function properly, making it very difficult to analyze each component separately. The malware from the Winnti arsenal that are analyzed in this report include:
Spyder: A sophisticated modular backdoor
STASHLOG: The initial deployment tool “stashing” payloads in Windows CLFS
SPARKLOG: Extracts and deploys PRIVATELOG to gain privilege escalation and achieve persistence
PRIVATELOG: Extracts and deploys DEPLOYLOG
DEPLOYLOG: Deploys the WINNKIT Rootkit and serves as a userland agent
Denis Legezo shows what actual fileless malware looks like. This type of technique would avoid a number of current endpoint solutions and likely fly under subvert and/or undermine various other telemetry based detection techniques.
In February 2022 we observed the technique of putting the shellcode into Windows event logs for the first time “in the wild” during the malicious campaign. It allows the “fileless” last stage Trojan to be hidden from plain sight in the file system. Such attention to the event logs in the campaign isn’t limited to storing shellcodes. Dropper modules also patch Windows native API functions, related to event tracing (ETW) and anti-malware scan interface (AMSI), to make the infection process stealthier.
Old Services, New Tricks: Cloud Metadata Abuse by UNC2903
Brandan Schondorfer, Nader Zaveri, Tyler McLellan and Jennifer Brito bring us some real-world evidence of cloud first exploitation by threat actors in order to obtain access to data.
Since July 2021, [we] identified exploitation of public-facing web applications by UNC2903 to harvest and abuse credentials using Amazon’s Instance Metadata Service (IMDS). [We] tracked access attempts by UNC2903 to access S3 buckets and additional cloud resources using the stolen credentials. This blog post covers how UNC2903 performed exploitation and IMDS abuse, as well as related best practices on cloud hardening techniques.
February 2021, CVE-2021-21311 was published describing vulnerable database administration software called Adminer
February 2021, proof-of-concept code (PoC) was published to show how to leverage the exploit and obtain credentials in AWS applications hosting vulnerable versions
June 2021, UNC2903 exploited a server-side request forgery vulnerability, gaining access to victim Amazon Web Services secret keys and subsequently steal data
This threat actor is targeting the telecommunication sector in Central Asia, utilizing tools and TTPs commonly associated with Chinese APT actors. Joey Chen and Amitai Ben Shushan Ehrlich provide details on how they abuse security software to sideload their implants of PlugX and ShadowPad. China has for a long time employed side loading in circumvent security controls and/or benefit from the reputation of these signed binaries.
[Our] researchers are tracking the activity of a Chinese-aligned cyberespionage threat actor operating in Central-Asia, dubbed ‘Moshen Dragon’.
As the threat actor faced difficulties loading their malware against the SentinelOne agent, we observed an unusual approach of trial-and-error abuse of traditional antivirus products to attempt to sideload malicious DLLs.
Moshen Dragon deployed five different malware triads in an attempt to use DLL search order hijacking to sideload ShadowPad and PlugX variants.
Moshen Dragon deploys a variety of additional tools, including an LSA notification package and a passive backdoor known as GUNTERS.
Doug Bienstock, Melissa Derr, Josh Madeley, Tyler McLellan and Chris Gardner provide further evidence of sophisticated threat actors are handling the transition to cloud first intrusions quite well. The use or misuse of APIs by threat actors is a real worry due to the relative immaturity of detection & response capabilities involving them and/or coverage or inconsistency of telemetry etc.
Since December 2019, [we have] observed advanced threat actors increase their investment in tools to facilitate bulk email collection from victim environments, especially as it relates to their support of suspected espionage objectives. Email messages and their attachments offer a rich source of information about an organization, stored in a centralized location for threat actors to collect. Most email systems, whether on-premises or in the cloud, offer programmatic methods to search and access email data across an entire organization, such as eDiscovery and the Graph API. [We have] observed threat actors use these same tools to support their own collection requirements and to target the mailboxes of individuals in victim organizations.
The standout here is a Chinese actor used a spear phishing email to deliver a beacon of a Red Team framework known as “Viper”. I personally hadn’t come across this Chinese framework, which is open source and over two years old - https://github.com/FunnyWolf/Viper.
NAIKON is the name of an APT (Advanced Persistent Threat) which is believed to originate from China. After this oversight, cybersecurity analysts suggested that Naikon APT went out of business. However, Naikon has resurfaced in the last weeks.
The attack starts with a spear phishing email containing a weaponized document. The file, written in Chinese, seems to be a reply to a call for tenders. Its title translated in English is “Tender Documents for Centralized Procurement of Web Application Firewall (WAF) Equipment of China Mobile from 2022 to 2024”.
Chinese reporting on a threat actor of unclear origin. This looks like a bit of regional tension by an actor using tradecraft which we first saw deployed by Russia (.iso files) which then contain malicious executables.
An APT group suspected of originating from South America that mainly targets Colombia.
APT-C-36 frequently uses spear-phishing attacks to send phishing emails to victims by pretending to be a government agency. Both operations covered in the report use the first-stage payload of email delivery. The first operation masqueraded as a DHL package delivery, and the subject used a shipping notice to confuse the target; the second delivery was disguised as government mail, sending malicious documents disguised as pdf files. Blind Eagle has always maintained a high degree of attention to Colombian government departments, and will also disguise itself as a relevant department for mail delivery, and at the same time impersonate government websites to conduct phishing attacks.
Christiaan Beek and Daniel Gordon provide clear evidence between North Korea and various ransomware strains. Those sanctions aren’t going to bust themselves and/or those currency liquidity requirements aren’t going to magically be addressed otherwise.
While ransomware is mostly a cybercriminal play, in March 2020, a new malware family surfaced called ‘VHD ransomware’. Another day, another ransomware family. So, what is new? Many in the industry attributed the VHD ransomware to DPRK hackers. It was distributed using the MATA framework, which has been attributed to the hermit kingdom. The ransomware itself contained enough unique artifacts to also link it to said kingdom.
Around that time, we conducted joint research with regards to code similarity in DPRK’s malware. In this blog, we continue this research by looking at the VHD ransomware’s code-similarity, artifact similarity, graph science, and Bitcoin addresses and transfers.
We suspect the ransomware families described in this blog are part of more organized attacks. Based on our research, combined intelligence, and observations of the smaller targeted ransomware attacks, [we] attribute them to DPRK affiliated hackers with high confidence.
Campaign related to the North Korean 4.25 military parade
Korean reporting on what is suspected to be North Korean activity using North Korean military events as a lure. The tradecraft shows that North Korea continues to employ recognisances phases.
The distributor uploaded a malicious word document to a domestic web server that was presumed to be compromised. In addition to malicious word documents, the web server also uploaded two normal Korean documents, which were presumed to have been used by attackers to distribute malicious Korean documents in the form of OLE object attachments or EPS vulnerability methods.
Steve Miller and Silas Cutler show the value of intelligence mining from VirusTotal. The source code from this Chinese threat actor was uploaded in 2017 and these two fine researchers do a soup to nuts analysis of it.
The StrikeSuit Gift source package was submitted to VirusTotal at 2017-08-26 07:29:19 UTC.
The StrikeSuit Gift package is a 2.99MB RAR archive containing over 200 files, most of which are Visual Studio solutions or source code in a couple of programming languages. This package also includes test documents, text files, built executables, and a couple of other RAR and ZIP files.
How we find and understand the latent compromises within our environments.
A flow-based IDS using Machine Learning in eBPF
Maximilian Bachl, Joachim Fabini and Tanja Zseby provide us an academic publication on the topic. There is significant mileage in this approach:
We show that it is possible to develop a flow based network intrusion detection system based on machine learning entirely in eBPF. Our solution uses a decision tree and decides for each packet whether it is malicious or not, considering the entire previous context of the network flow. We achieve a performance increase of over 20% compared to the same solution implemented as a userspace program.
Bidirectionally integrate AWS Security Hub with Jira software
Neat integration here and shows again what is possible in an API first world.
This solution supports a bidirectional integration between AWS Security Hub and Jira. Using this solution, you can automatically and manually create and update JIRA tickets from Security Hub findings. Security teams can use this integration to notify developer teams of severe security findings that require action.
elrond: Accelerating the collection, processing, analysis and outputting of digital forensic artefacts
Huge work aid and something which I deeply applaud. Organisations often don’t invest in security automation and thus miss the productivity and consistency benefits.
elrond has been created to help fellow digitial forensicators with the identification, collection, processing, analysis and outputting of forensic artefacts from a Windows E01 or VMDK, macOS DMG/E01 or VMDK, Linux dd or VMDK disk images as well as raw memory images and previously collected artefacts which can all be outputted into Splunk. I have spent many an incident repeating the same processes by mounting, collecting (mainly Windows) forensic artefacts and then attempting to correlate them together with other data sources and artefacts.
Comparison of MOTW (Mark of the Web) propagation support of archiver software for Windows
Nobutaka Mantani highlights the attack surface on Windows for attachment born threats beyond just .isos which omit the mark-of-the-web (i.e. indication that they are Internet originated - question: does that/should that concept apply in a zero-trust world?)
A question came up: "What archiver software can propagate MOTW to extracted files?" So I tested some archiver software and summarized the result.
Brandon Hall provides a great ‘uh oh, that shouldn’t be possible’ discovery tool.
SMBeagle is an (SMB) fileshare auditing tool that hunts out all files it can see in the network and reports if the file can be read and/or written. All these findings are streamed out to either a CSV file or an elasticsearch host, or both
Didier Stevens walks through how to analysis another container format which is used to malicious payload delivery.
VSTO Office files are Office document files linked to a Visual Studio Office File application. When opened, they launch a custom .NET application. There are various ways to achieve this, including methods to serve the VSTO files via an external web server.
Hardik Manocha causes a WTF moment but describing a lolbin for process injection.
Mavinject.exe is the Microsoft Application Virtualization Injector, a Windows utility that can inject code into external processes as part of Microsoft Application Virtualization (App-V). A signed Microsoft binary.
Added new loaders (old loaders still available with a CMake option), containing:
improved stability of the 64 bit loader
support for the executables with TLS callbacks (callbacks are run before the Entry Point)
support DLLs (DllMain is run cleanly)
fixed preserving return values
The shellcode runner (runshc) checks if the payload has compatible bitness
Converts PE so that it can be then injected just like a normal shellcode. (At the same time, the output file remains to be a valid PE). Supports both 32 and 64 bit PEs
Adam Chester brings some reality to our defence in depth.
Technique used to disable driver signing enforcement, how VBS (Virtualization Based Security) has attempted to stop attackers from exploiting this, and how when not partnered with HVCI (Hypervisor Code Integrity), just how easy it is to bypass this security control.
Riccardo Ancarani walks through how to avoid the RPC interface in order to do scheduled tasks and thus potentially subvert endpoint detection.
Specifically, we investigated what were the minimum conditions for a task to be created, without going through the classic interfaces such as Remote Procedure Calls (RPC).
CVE-2022-1388: Allows requests to bypass the iControl REST authentication in BIG-IP
Here we go again..
F5 has released security advisories on vulnerabilities affecting multiple products, including various versions of BIG-IP. Included in the release is an advisory for CVE-2022-1388, which allows undisclosed requests to bypass the iControl REST authentication in BIG-IP. An attacker could exploit CVE-2022-1388 to take control of an affected system.
CVE-2021-26887: Group Policy Folder Redirection on Windows
Covering this easy to exploit but historic vulnerability.
If “Folder Redirection” has been enabled via Group Policy and the redirected folders are hosted on a network share, it is possible for a standard user who has access on this file server to access other user’s folders and files & perform code exec
CVE-2022-05-02 : Vulns in the domain name system (DNS) component of the uClibc library
Giannis Tsaraias and Andrea Palanca share details of a vulnerability which facilitate DNS response poisoning. This is going to be one long tail due the sheer amount of embedded devices.
The flaw is caused by the predictability of transaction IDs included in the DNS requests generated by the library, which may allow attackers to perform DNS poisoning attacks against the target device.
Because the library maintainer was unable to develop a fix, this vulnerability remains unpatched. For this reason, we are not disclosing the details of the devices on which we were able to reproduce the vulnerability.
CVE-2022-23648: Kubernetes Container Escape Using Containerd CRI Plugin and Mitigation
Manoj Ahuje drops details of this vulnerability.
CVE-2022-23648, reported by Google’s Project Zero in November 2021, is a Kubernetes runtime vulnerability found in Containerd, a popular Kubernetes runtime. It lies in Containerd’s CRI plugin that handles OCI image specs containing “Volumes.” The attacker can add Volume containing path traversal to the image and use it to copy arbitrary files from the host to container mounted path.
On April 7, 2022, a threat actor obtained access to a Heroku database and downloaded stored customer GitHub integration OAuth tokens. Access to the environment was gained by leveraging a compromised token for a Heroku machine account
Compromised Docker Honeypots Used For Pro-Ukrainian DoS Attack
Sebastian Walla
Container and cloud-based resources are being abused to deploy disruptive tools. The use of compromised infrastructure has far-reaching consequences for organizations who may unwittingly be participating in hostile activity against Russian government, military and civilian targets.
Docker Engine honeypots were compromised to execute two different Docker images targeting Russian, Belarusian and Lithuanian websites in a denial-of-service (DoS) attack.
Both Docker images’ target lists overlap with domains reportedly shared by the Ukraine government-backed Ukraine IT Army (UIA).
The two images have been downloaded over 150,000 times, but CrowdStrike Intelligence cannot assess how many of these downloads originate from compromised infrastructure.
CrowdStrike customers are protected from this threat with the CrowdStrike Falcon Cloud Workload Protection module.
CVE-2021-22054: Encrypting our way to SSRF in VMWare Workspace One UEM
Keiran Sampson, James Hebden and Shubham Shah walk through the exploitation.
With this logic, we found ourselves auditing the source code of VMWare Workspace One UEM. You may remember this software when it was named “AirWatch”, before it was acquired by VMWare.
We discovered a pre-authentication vulnerability that allowed us to make arbitrary HTTP requests, including requests with any HTTP method and request body. In order to exploit this SSRF, we had to reverse engineer the encryption algorithm used by VMWare Workspace One UEM.
Some other small bits and bobs which might be of interest.
Google’s annual Ads Safety Report 2021 - Some very large numbers in here - we removed over 3.4 billion ads, restricted over 5.7 billion ads and suspended over 5.6 million advertiser accounts. We also blocked or restricted ads from serving on 1.7 billion publisher pages, and took broader site-level enforcement action on approximately 63,000 publisher sites
APT trends report Q1 2022 - One of the trends discussed is the further development of low-level implants.
