Bluepurple Pulse: week ending May 29th
Tempo is high on all fronts..
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading).
Operationally this week was the revelation that there is a malware campaign going after the information security community again (see reporting below) coupled with various mass exploitation activities of known vulnerabilities across the Internet. Also various Python software library supply chain attacks (see reporting also).
At a high level this week:
The First Space-Cyber War and the Need for New Regimes and Policies - from the Centre for International Governance Innovation which concludes “The space-cyber nexus is a looming risk for security, economic infrastructure, and many commercial companies and their clients”
Italy unveils its 2022 - 2026 cyber security strategy - The strategy outlines an ambitious set of 82 goals by 2026
United States-Republic of Korea Leaders’ Joint Statement - the United States and ROK announced they will significantly expand cooperation to confront a range of cyber threats from the DPRK, including but not limited to, state-sponsored cyber-attacks.
China seeks Pacific islands policing, security cooperation document - The draft communique also pledges cooperation on data networks, cyber security - how kind of China to help.
2022 Data Breach Investigations Report - 82% of breaches involved a human element, 13% increase in ransomware (more than the last 5 years combined) 62% apparently coming via partner breaches.
Suspected head of cybercrime gang arrested in Nigeria - bad guy gets arrested!
Summarized the case of illegal remittance to a North Korean IT engineer who was involved in the renovation of the local government application - terrifying reporting from Japan where a rogue IT contractor ended up coming from North Korea.
Cyberspace in a State of Flux: Regulating cyberspace through International Law - The article (1) analyzes the legal status of cyberspace in domestic law; (2) considers the application of the existing rules of international law to cyberspace; (3) discusses the problems with the Budapest Convention on Cybercrime; and (4) makes proposals for a new convention on cybersecurity at the UN level in light of the Tallinn Manual and the Budapest Convention on Cybercrime - or why lawyers drive nice cars.
Cyber Persistence Theory: Redefining National Security in Cyberspace (Bridging the Gap) - A book version of a paper which has been updated and expanded - the original IDA paper from 2020 titled Cyber Persistence Theory, Intelligence Contests and Strategic Competition is available for free.
CISA Adds 34 Known Exploited Vulnerabilities to Catalogue - which means the clock starts ticking for federal agencies and others to patch.
The reflection this week comes from having recently watched The Defiant Ones on Netflix about the partnership between Jimmy Iovine and Dr. Dre. For me several things stood out:
The early music scenes have striking similarities with early technology scenes and people being there, involved and driven as they believe they are on to something great.
The insecure overachievers who assess they are mediocre and thus put in more effort but end up smashing it.
The echoes are quite profound.
Have a lovely Friday
Cyber threat intelligence
Who is doing what to whom and how.
Aggregate reporting around the ongoing conflict
Sandworm uses a new version of ArguePatch to attack targets in Ukraine
Russia continues to evolve its destroyer tradecraft to reduce detection options.
[We] spotted an updated version of the ArguePatch malware loader that was used in the Industroyer2 attack against a Ukrainian energy provider and in multiple attacks involving data wiping malware called CaddyWiper.
It now includes a feature to execute the next stage of an attack at a specified time. This bypasses the need for setting up a scheduled task in Windows and is likely intended to help the attackers stay under the radar.
Evaluation of cyber activities and the threat landscape in Ukraine
Unironically Kaspersky gives their assessment on what is happening in Ukraine.
Summing up the above-mentioned discussion, our key takeaways are the following:
The Viasat attack is a very significant cyber event. It is hard to tell whether others will take place in the near future, but that probability increases significantly as time passes.
The recent Industroyer2 discovery indicates that there may be a desire among threat actors to conduct highly-disruptive attacks soon.
The threat campaigns observed so far have been very focused on Ukraine.
Any observed spillover to date should be interpreted as accidental, and the potential for uncontrolled malware spread has so far been non-existent.
TURLA’s new phishing-based reconnaissance campaign in Eastern Europe
Russian malicious documents used for reconnaissance purposes only. That is, they simply ping back that the person opened the document.
These documents request the PNG file thanks to a remote file inclusion defined in the file /word/_rels/document.rels.xml. It is quite interesting that the request to the file is performed via the HTTP protocol and not an SMB inclusion. Therefore, this campaign does not leverage any malicious code but has been used for reconnaissance purposes only.
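The tracking technique above hinges on an external relationship inside the document package. The following is an added example (not from the original report) of a defender-side check that opens a .docx, walks every word/_rels/*.rels part and flags non-hyperlink relationships whose target is fetched remotely; the sample documents are constructed in memory and the tracker hostname is a placeholder.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML package relationships namespace (fixed by the ECMA-376 standard)
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


def find_external_relationships(docx_bytes):
    """Return (part, rel_type, target) for every relationship in a
    word/_rels/*.rels part that points outside the package."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not (name.startswith("word/_rels/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "").lower() == "external":
                    target = rel.get("Target", "")
                    # Keep only the last path segment of the type URI, e.g. "image"
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    hits.append((name, rel_type, target))
    return hits


def is_suspicious(hit):
    """Clickable hyperlinks are normal; an image, template or OLE object
    loaded over HTTP(S)/SMB at open time is the reconnaissance pattern."""
    _, rel_type, target = hit
    low = target.lower()
    remote = low.startswith(("http://", "https://", "\\\\", "file://"))
    return remote and rel_type != "hyperlink"


def scan(docx_bytes):
    """Suspicious external relationships found in the document."""
    return [h for h in find_external_relationships(docx_bytes) if is_suspicious(h)]


def build_sample_docx(rels_xml):
    """Constructed minimal .docx used only to exercise the scanner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed relationships: a benign document with an ordinary hyperlink ...
BENIGN_RELS = f"""<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.org/" TargetMode="External"/>
</Relationships>"""

# ... and one that pulls a PNG over HTTP when opened (placeholder host).
TRACKING_RELS = f"""<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="http://tracker.example/pixel.png" TargetMode="External"/>
</Relationships>"""


if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("tracking", TRACKING_RELS)):
        print(label, scan(build_sample_docx(rels)))
```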
Unknown APT group has targeted Russia repeatedly since Ukraine invasion
Changing up a gear we can see that Russia is being targeted. The payload is notable for using an embedded TLS library which frustrates sandbox traffic inspection.
An unknown Advanced Persistent Threat (APT) group has targeted Russian government entities with at least four separate spear phishing campaigns since late February, 2022.
Based on the infrastructure used we assess with low confidence that this group is a Chinese actor.
APT-C-53 (Gamaredon) new round of DDoS attack mission analysis
Chinese reporting on a Russian DDoS campaign targeting a single IP address. Message to someone?
Metastealer – filling the Racoon void
Peter Gurney from NCC Group details a new information stealer we have seen.
MetaStealer is a new information stealer variant designed to fill the void following Racoon stealer suspending operations in March of this year. Analysts at Israeli dark web intelligence firm Kela first identified its emergence on underground marketplaces and later as being used in a spam campaign by SANS Internet Storm Centre Handler Brad Duncan, where the initial stages and traffic were detailed. This analysis further describes the final MetaStealer payload detailing its functionality.
Significant findings include:
Heavy reliance on open-source libraries
Microsoft Defender Bypass
Scheduled Task Persistence
Hidden VNC server
Space Pirates: analyzing the tools and connections of a new hacker group
Threat actor going after the Russian aerospace sector but interestingly also Chinese financial services. The initial access tradecraft is really basic (RAR SFX archives), but the fact it worked gives a good indication as to Russian cyber resilience maturity.
We assume that Space Pirates has Asian roots, as indicated by the active use of the Chinese language in resources, SFX archives, and paths to PDB files. In addition, the group's toolkit includes the Royal Road RTF (or 8.t) builder (common among hackers of Asian origin) and the PcShare backdoor, and almost all intersections with previously known activity are associated with APT groups in the Asian region.
The group began its activity no later than 2017. The main targets of the criminals are espionage and theft of confidential information. Among the victims identified during the threat study are government agencies and IT departments, as well as aerospace and power enterprises in Russia, Georgia, and Mongolia. At least five organizations were attacked in Russia, one in Georgia, and the exact number of victims in Mongolia is unknown.
Some APT group attacks using malware were also targeted at Chinese financial companies, which suggests a monetary motivation. All potential victims were notified by the respective national CERTs.
How to Hunt for DecisiveArchitect and Its JustForFun Implant
Jamie Harris looks back at an implant from 2019 in the telecommunications sector which uses the BPFDoor implant. Knowing some of the victimology of BPFDoor I do wonder why they aren’t confident at all to indicate possible country level attribution.
On multiple occasions dating back to 2019, [we] encountered an adversary targeting global entities, in particular telecommunications companies, to obtain targeted personal user information — for example, call detail records (CDRs) or information relating to specific phone numbers.
This adversary primarily focuses on Linux and Solaris systems using a custom-built implant tracked by [us] as JustForFun (also publicly known as BPFDoor).
Operation Earth Berberoka: A Multivector and Multiplatform APT Campaign Targeting Online Gambling Sites
Daniel Lunghi and Jaromir Horejsi outline a watering hole attack targeting this sector. This tradecraft shows a degree of effort, but the loader also shows they are a threat actor who knows their stuff. This my friends is not child's play..
From Dec. 12, 2020, to April 29, 2022, we noted 15 downloads of a fake Adobe Flash Player installer in China. We also saw eight redirects from certain websites to the malicious Adobe Flash Player website (five from a legitimate news website in the US and three from an unknown website, two of which were from Hong Kong and one from Malaysia), and one PlugX DLL detection in Taiwan. (In the context of this campaign, a redirect means an HTTP request to the script that redirects to the fake Adobe Flash Player installer. The script itself is hosted in a third-party server. Earth Berberoka thus compromises a website, inserts in that compromised website a redirection to a third-party website, and that third-party website redirects to the website hosting the fake Adobe Flash Player installer.)
We discovered that Earth Berberoka has developed a new complex, multistage malware family, which we have dubbed PuppetLoader. This loader uses some interesting techniques: It hijacks loaded modules to launch malicious code, and hides malicious payloads and modules in modified bitmap image (BMP) files.
Attempt to attack Kimsuky by impersonating press releases on various topics
Korean reporting on a clumsy North Korean campaign where they e-mail executable files pretending to be Office or Hangul (the Korean local equivalent to Office) files. Looks like a reconnaissance effort.
Beware of hacking attacks made by North Korea disguised as a broadcast on KTV YouTube channel under the Ministry of Culture, Sports and Tourism!
Further Korean reporting on malicious Hangul files (Korean office) being used by our friends in the Hermit Kingdom.
The attack discovered this time was disguised as an HWP document requesting an appearance in KTV's online policy journal program. In other words, the attack was carried out against experts in the North Korean field under the guise of an existing YouTube broadcast.
New malware Campaign delivers Android RAT
A large scale campaign targeting Android, but it is unclear as to the distribution method.
Based on our intelligence, we identified that this variant had surfaced frequently in the wild in the last few months. This new campaign has been active since March 2022, and we observed over 200 samples from the same variant targeting Android users.
We identified several sophisticated features in this malicious app. By leveraging these features, the app can steal data such as clipboard data, device info, SIM details, device IP, SMSs, device location, call logs, device MAC Address, etc. The application can also record video and audio, read SMS and take pictures from the camera as well.
Malware Campaign Targets InfoSec Community: Threat Actor Uses Fake Proof of Concept to Deliver Cobalt-Strike Beacon
Like North Korea did a little while back, we have a situation where a threat actor is targeting penetration testers and other information security professionals with fake exploits which include implants.
Recently [our] researchers came across a post where a researcher mentioned a fake Proof of Concept (POC) of CVE-2022-26809. Upon further investigation, we discovered that it’s malware disguised as an exploit. Similarly, we found a malicious sample that appears to be a fake POC of CVE-2022-24500. Both the malicious samples were available on GitHub. Interestingly both repositories belong to the same profile, indicating the possibility that the Threat Actor (TA) might be hosting a malware campaign targeting the Infosec Community.
Reporting on Conti's demise/pivot/demerger etc
Several bits of reporting on the supposed demise of Conti.
Conti Attack on Costa Rica: Who is UNC1756?
Their next post, last edited on April 18 but likely created earlier, is selling access to "special" networks in Costa Rica. As UNC1756 tells it, "special networks are like Hacienda", aka the Ministry of Finance. This is possibly the point at which UNC1756 was privately recruited by Conti. Other posts include an enquiry about exploiting the 2020 SMBGhost vulnerability (CVE-2020-0796), a detailed response to a user seeking advice on gaining access to a CISCO network and using AdFind - a tool used by threat actors to harvest information from Active Directory and perform network reconnaissance - and a request for a list of sites from another user selling web shell access.
DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape
Within the short but tumultuous timeline of ransomware’s history, May 19, 2022, the day that Conti died, will leave a mark that severs the threat landscape from its past and casts a shadow on its future. However, in the grand scheme of the group’s existence, this day is not something new.
Looking back, a trail of similar marks lead from the group’s days as the organization Ryuk to their first rebranding from the collective’s Overdose division. Each mark represents a shift in the threat landscape, a series of tics that, only when viewed from a great distance, show the dramatic impact the group has made on ransomware’s very existence. However, the actors that formed and worked under the Conti name have not, and will not cease to move forward with the threat landscape—their impact will simply leave a different shape.
New 'pymafka' malicious package drops Cobalt Strike on macOS, Windows, Linux
Ax Sharma shows that malicious software packages continue to be the soft underbelly of the software supply chain within public repositories.
The package appears to typosquat a legitimate popular library PyKafka, a programmer-friendly Apache Kafka client for Python. The development follows our discovery of another typosquat targeting the Apache Kafka project from earlier this month.
PyKafka includes Python implementations of Kafka producers and consumers, and has been retrieved over 4,240,305 times by user-initiated downloads and mirrors/bots alike. By contrast, malicious 'pymafka' shows a download count of around 300 as we timely reported the finding to PyPI.
Phil Stoke also reports on this incident and correlates parts with a previous campaign. It also highlights the evolution in macOS tradecraft.
Both attacks also made use of red-teaming tools to drop a payload on macOS devices that ‘beacons’ out to an operator. In the case of ‘pymafka’, the attackers further made use of a very specific packing and obfuscation method to disguise the true nature of the Mach-O payload, so specific in fact that we’ve only seen that method used in the wild once before, as part of the OSX.Zuru campaign.
While the use of packing, obfuscation and beacons are all techniques common enough in the world of Windows attacks, they have rarely been seen used against macOS targets until now.
‘ctx’ malicious Python package
Another malicious Python package documented by Ax Sharma; not a typosquat this time, but rather a package compromised via an expired DNS domain.
This week, immensely popular PyPI package 'ctx' has been compromised and altered to steal environment variables from its users. Additionally, a forked PHP project 'phpass' also suffered a repo-hijacking attack with the project tainted with identical malicious payload.
The Python package 'ctx' gets over 22,000 weekly downloads on average and provides developers with a "minimal but opinionated dict/object combo."
This was then picked up in the incident handler blog:
It appears that the original maintainer's domain name had expired, and the perpetrator registered it on May 14, 2022 (same date where version 0.2.2 of ctx was uploaded). With control over the original domain name, creating a corresponding e-mail to receive a password reset e-mail would be trivial. After gaining access to the account, the perpetrator could remove the old package and upload the new backdoored versions.
How we find and understand the latent compromises within our environments.
Splunk SPL Queries for Detecting gMSA Attacks
Andrew Schwartz provides some useful detection tradecraft even if for a legacy platform.
What is a group Managed Service Account (gMSA)? If your job is to break into networks, a gMSA can be a prime target for a path to escalate privileges, perform credential access, move laterally or even persist in a domain via a ‘golden’ opportunity.
Yara which Detects DLL dropped by Raspberry Robin
CD_R0M_ dropped some rules which help detect the dropped artefact.
Detects DLL dropped by Raspberry Robin. More specific with pdb paths to limit FP.
The Blue team app for Office 365 and Azure
Timo Müller and others have released this really useful collection of rules for sysadmins and threat hunters.
Contains well over 20 unique searches that will help you identify suspicious activity in your Office 365 and Azure environment
Josh Brower, with support from Seth Hanford and Fritz Ifert-Miller, provides a really effective and useful tool to get double bubble from these detection rules where you can’t get Sysmon deployed but can get osquery.
This app takes a sysmon config as input and converts the relevant process auditing filters into a SQL query that osquery can use
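To show what such a conversion involves, here is an added example (my own code, not the tool described above) that turns the ProcessCreate include/exclude filters of a Sysmon config into a single osquery SQL statement over the `processes` table. The field-to-column mapping and the sample config are assumptions; nested `Rule` elements and fields without a direct column are rejected rather than silently dropped.

```python
import xml.etree.ElementTree as ET

# Assumed mapping from Sysmon ProcessCreate fields to osquery `processes` columns.
FIELD_MAP = {"Image": "path", "CommandLine": "cmdline"}


def _sql_literal(value):
    """Quote a string for SQL; LIKE wildcards in Sysmon values are left as-is."""
    return "'" + value.replace("'", "''") + "'"


def _predicate(field, condition, value):
    """Translate one Sysmon filter element into a SQL predicate."""
    col = FIELD_MAP.get(field)
    if col is None:
        raise ValueError(f"unsupported Sysmon element: {field}")
    cond = (condition or "is").lower()
    if cond == "is":
        return f"{col} = {_sql_literal(value)}"
    if cond == "is not":
        return f"{col} != {_sql_literal(value)}"
    if cond == "contains":
        return f"{col} LIKE {_sql_literal('%' + value + '%')}"
    if cond == "excludes":
        return f"{col} NOT LIKE {_sql_literal('%' + value + '%')}"
    if cond == "begin with":
        return f"{col} LIKE {_sql_literal(value + '%')}"
    if cond == "end with":
        return f"{col} LIKE {_sql_literal('%' + value)}"
    raise ValueError(f"unsupported Sysmon condition: {condition}")


def sysmon_to_osquery(config_xml):
    """Build: SELECT ... WHERE (include rules) AND NOT (exclude rules)."""
    root = ET.fromstring(config_xml)
    includes, excludes = [], []
    for group in root.iter("RuleGroup"):
        relation = (group.get("groupRelation") or "or").upper()
        for pc in group.findall("ProcessCreate"):
            preds = [_predicate(f.tag, f.get("condition"), (f.text or "").strip())
                     for f in pc]
            if not preds:
                continue
            clause = "(" + f" {relation} ".join(preds) + ")"
            target = includes if pc.get("onmatch", "include") == "include" else excludes
            target.append(clause)
    where = []
    if includes:
        where.append(includes[0] if len(includes) == 1 else "(" + " OR ".join(includes) + ")")
    for ex in excludes:
        where.append("NOT " + ex)
    query = "SELECT pid, path, cmdline FROM processes"
    if where:
        query += " WHERE " + " AND ".join(where)
    return query + ";"


# Constructed sample config in Sysmon's schema: hunt encoded PowerShell,
# but ignore the legitimate svchost image.
SAMPLE_CONFIG = r"""<Sysmon schemaversion="4.81">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
        <Image condition="end with">powershell.exe</Image>
        <CommandLine condition="contains">-enc</CommandLine>
      </ProcessCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Image condition="is">C:\Windows\System32\svchost.exe</Image>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""

if __name__ == "__main__":
    print(sysmon_to_osquery(SAMPLE_CONFIG))
```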
How we proactively defend our environments.
New SOC guidance 101
The United Kingdom’s National Cyber Security Centre has released updated guidance on how to build an appropriate SOC.
Guidance to help organisations design a SOC and security monitoring capability proportionate to the threat they face, their resources and assets.
When eBPF meets TLS
Guillaume VALADON walks through how to use eBPF to do TLS decryption. Chef kiss stuff!
Apihashes: IDA Pro plugin for recognizing known hashes of API function names
A useful IDA plugin to support reverse engineering where threat actors have used hashing techniques to reduce code size or otherwise obfuscate.
Apihashes is an IDA plugin that allows one to automatically identify and mark known hash values for API function names.
A drop in replacement memory allocator which will potentially provide a means to increase resilience of legacy code against some memory corruption scenarios.
Isolation Alloc (or IsoAlloc) is a secure and fast(ish) memory allocator written in C. It is a drop in replacement for malloc on Linux / Mac OS using LD_PRELOAD or DYLD_INSERT_LIBRARIES respectively. Its security strategy is partially inspired by Chrome's PartitionAlloc. A memory allocation isolation security strategy is best summed up as maintaining spatial separation, or isolation, between objects of different sizes or types. While IsoAlloc wraps malloc and enforces naive isolation by default, very strict isolation of allocations can be achieved using the APIs directly.
A useful way to rip through and extract type information if you are building tooling from symbols.
Cross-platform tool that allows browsing and extracting C and C++ type declarations from PDB files - helps to develop defensive tooling
Attack capability, techniques and tradecraft.
Mortar Loader v2
Shows that with a little thought endpoint detection solutions can be quite easily bypassed by a competent attacker.
I released the Mortar loader a couple of months ago, and it had good results in defeating and diverting advanced AV (anti-virus) solutions.
Further evolution in the memory artefact hiding game on Windows.
A variant of Gargoyle for x64 to hide memory artefacts using ROP only and PIC.
Unlike Gargoyle and other Gargoyle-like implementations, I fully rely on ROP and do not queue any APC. DeepSleep itself is implemented as fully PIC, which makes it easier to enumerate which memory pages have to be hidden from scanners.
Spoofing Microsoft 365 Like It’s 1995 - Black Hills Information Security
Steve Borosh drops a technique which you can see will totally undermine some internal trust models on user behaviours.
With Microsoft direct send, inbound email will make it into the enterprise if that domain is trusted. So, in most cases with direct send, we can send mail from email@example.com to anyone else inside company.com since the domain will trust itself. In many cases, we’re also able to spoof external email addresses to internal users if those domains are trusted by the mail gateway — such as, “firstname.lastname@example.org” (used from Microsoft security emails) could be used as a From address.
Microsoft direct send does not allow mail to be delivered outside of the enterprise. So, no spoofing internal to external.
CdpSvcLPE: Windows Local Privilege Escalation via CdpSvc service (Writeable SYSTEM path Dll Hijacking)
Ready exploit for this vulnerability.
Connected Devices Platform Service (or CDPSvc) is a service which runs as NT AUTHORITY\LOCAL SERVICE and tries to load the missing cdpsgshims.dll DLL on startup with a call to LoadLibrary(), without specifying its absolute path. So, the DLL can be hijacked from a folder in the DLL search order, and we will get process or shell access as NT AUTHORITY\LOCAL SERVICE if we hijack the DLL in a writable SYSTEM PATH location such as
Living The Age of VBS, HVCI, and Kernel CFG.
Interesting read by Connor McGarr on the power of Hypervisor-Protected Code Integrity. However it also does a good job of highlighting the patchwork of mitigations we rely on and why each vulnerability is not guaranteed to be covered by them.
Revisiting a Credential Guard Bypass
Clément Labro outlines that, whilst he was able to bypass it, Credential Guard still has value:
As for defenders, enabling Credential Guard should not stop you from enabling LSA protection as well. We all know that it can be completely bypassed, but this operation has a cost for an attacker. It requires running code in the Kernel or using a sophisticated userland bypass, which both create avenues for detection.
Our attack surface.
On The Vulnerability of Anti-Malware Solutions to DNS Attacks
Asaf Nadler, Ron Bitton, Oleg Brodt and Asaf Shabtai deliver some excellent research on the impact of using an unencrypted stateless protocol for security products.
An attacker capable of tampering with DNS queries gains the ability to alter the classification of scanned files, without presence on the scanning machine.
Zyxel security advisory for multiple vulnerabilities of firewalls, AP controllers, and APs
Four vulnerabilities highlighting the levels of technical debt in this product line.
Zyxel is aware of multiple vulnerabilities reported by security consultancies and advises users to install the applicable firmware updates for optimal protection.
Most serious is:
An authentication bypass vulnerability caused by the lack of a proper access control mechanism has been found in the CGI program of some firewall versions. The flaw could allow an attacker to downgrade from two-factor authentication to one-factor authentication via an IPsec VPN client.
Security Advisory for Multiple Security Vulnerabilities on Netgear BR200 and BR500, PSV-2021-0286
Did someone lose the source code or the code signing key? Not the line in a bulletin you want to read.
Due to technical limitations outside of our control, we are unable to fix these vulnerabilities.
Rakuten Casa, a small base station (femtocell)
2022 people.. 2022.. and telecommunications equipment.
Rakuten Casa, a small base station (femtocell) provided by Rakuten Mobile Co., Ltd., has been found to have a vulnerability related to the use of hard-coded authentication information.
Pre-hijacking Attacks on Web User Accounts
We show that there exists a whole class of account pre-hijacking attacks. The distinctive feature of these attacks is that the attacker performs some action before the victim creates an account, which makes it trivial for the attacker to gain access after the victim has created/recovered the account. Assuming a realistic attacker who knows only the victim's email address, we identify and discuss five different types of account pre-hijacking attacks.
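As an added illustration (not code from the paper), the model below contrasts an account service that makes an unverified signup immediately usable and leaves old sessions alive across password recovery with a hardened one that issues no session until the address is verified and revokes every session for the address on verification or recovery. The class names, the scenario and the e-mail address are constructed for the example.

```python
import secrets


class AccountService:
    """Shared plumbing: e-mail/password records plus bearer session tokens."""
    require_verified_for_login = True

    def __init__(self):
        self.users = {}     # email -> {"password": str, "verified": bool}
        self.sessions = {}  # session token -> email

    def _issue_session(self, email):
        token = secrets.token_hex(16)
        self.sessions[token] = email
        return token

    def _revoke_all(self, email):
        for tok in [t for t, e in self.sessions.items() if e == email]:
            del self.sessions[tok]

    def whoami(self, token):
        return self.sessions.get(token)

    def login(self, email, password):
        user = self.users.get(email)
        if not user or user["password"] != password:
            return None
        if self.require_verified_for_login and not user["verified"]:
            return None
        return self._issue_session(email)


class VulnerableService(AccountService):
    """Pre-hijackable: signup works before verification and recovery
    keeps earlier sessions alive (the 'unexpired session' variant)."""
    require_verified_for_login = False

    def signup(self, email, password):
        if email in self.users:
            raise ValueError("account already exists")
        self.users[email] = {"password": password, "verified": False}
        return self._issue_session(email)          # usable immediately

    def recover(self, email, new_password):
        # Mailbox control is assumed proven (reset link clicked).
        self.users[email]["password"] = new_password
        self.users[email]["verified"] = True       # sessions NOT revoked


class HardenedService(AccountService):
    """Unverified records are inert placeholders; any proof of mailbox
    control (verification or recovery) revokes all prior sessions."""

    def signup(self, email, password):
        self.users[email] = {"password": password, "verified": False}
        return None                                # no session yet

    def verify_email(self, email):
        self._revoke_all(email)
        self.users[email]["verified"] = True
        return self._issue_session(email)

    def recover(self, email, new_password):
        self._revoke_all(email)
        self.users[email] = {"password": new_password, "verified": True}


def simulate_unexpired_session_attack(service, victim="victim@example.com"):
    """Constructed scenario: attacker pre-creates the victim's account and
    holds on to the session; victim later recovers the account."""
    attacker_token = service.signup(victim, "attacker-chosen")
    service.recover(victim, "victim-chosen")
    victim_token = service.login(victim, "victim-chosen")
    attacker_keeps_access = attacker_token is not None and service.whoami(attacker_token) == victim
    return {"attacker_keeps_access": attacker_keeps_access,
            "victim_can_login": victim_token is not None}


if __name__ == "__main__":
    print("vulnerable:", simulate_unexpired_session_attack(VulnerableService()))
    print("hardened:  ", simulate_unexpired_session_attack(HardenedService()))
```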
What is being exploited.
Cisco IOS XR Software Health Check Open Port Vulnerability
Exploited in the wild on big networking iron.
In May 2022, the Cisco PSIRT became aware of attempted exploitation of this vulnerability in the wild
Being exploited by ransomware
[We] recently detected a new attack by the DEADBOLT Ransomware. According to the investigation by the QNAP Product Security Incident Response Team (QNAP PSIRT), the attack targeted NAS devices using QTS 4.3.6 and QTS 4.4.1, and the affected models were mainly TS-x51 series and TS-x53 series. QNAP urges all NAS users to check and update QTS to the latest version as soon as possible, and avoid exposing their NAS to the Internet.
Trivial vulnerability to exploit..
Spring Security RegexRequestMatcher Authentication Bypass Vulnerability Analysis (CVE-2022-22978)
Chinese research on a vulnerability in the Spring framework.
Spring Security is a security management framework in the Spring family.
Applications using RegexRequestMatcher with Spring Security regular expressions may be vulnerable to authorization bypass. The affected versions are as follows:
5.5.x prior to 5.5.7
5.6.x prior to 5.6.4
earlier unsupported versions
VMware Authentication Bypass Vulnerability (CVE-2022-22972) Technical Deep Dive
Exploits out.. shields up..
POC for CVE-2022-22972 affecting VMware Workspace ONE, vIDM, and vRealize Automation 7.6.
Threat Actors Exploiting F5 BIG-IP CVE-2022-1388
Serious active exploitation happening.. CISA have been good enough to include detection rules.
The Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) are releasing this joint Cybersecurity Advisory (CSA) in response to active exploitation of CVE-2022-1388.
Some other small bits and bobs which might be of interest.
Threat Group Naming Schemes In Cyber Threat Intelligence - opinion piece on the topic
Ransomware in Q1 2022 - Our telemetry showed that during this three-month span, we detected and blocked a total of 4,439,903 ransomware threats across email, URL, and file layers. This is a 36.6% increase in overall ransomware threats from the previous quarter (the fourth quarter of 2021), and a 4.3% year-on-year rise (from the first quarter of 2021).
Finally I agreed to buy a piece of art this week called Portrait of a Digital Weapon by Mac Pierce. I do love that our world is influencing contemporary art..
Before it gets shipped to the UK you can go and see it at Bert Fine Art at 8 S Michigan Ave Suite 620 Chicago IL 60603 in the exhibition “To Byte the Hand That..." by Mac Pierce.
That’s all folks.. until next week..