Cyber Defence Analysis for Blue & Purple Teams

Bluepurple Pulse: week ending May 15th

bluepurple.binaryfirefly.com

Thank you for all the feedback...

Ollie
May 13, 2022

Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading).

Operationally this week the big thing was the next F5 BIG-IP vulnerability (CVE-2022-1388, see the Exploitation section below): it was disclosed, exploited and then used to start wiping devices. That is a radical means of technical debt reduction across the globe. Unclear who or why; is this a new style of cyber Robin Hood, protecting organisations and the Internet from even worse consequences?

In the high-level this week:

  • UK sanctioned Russian technology firms including Baikal Electronics and MCST (Moscow Center of SPARC Technologies), which are enabling the destabilisation of Ukraine through things like chip production.

  • US State Department has put up Reward Offers for Information to Bring Conti Ransomware Variant Co-Conspirators to Justice - two bounties put up at $10 million and $5 million.

  • The Chinese Offensive Cyber Landscape - sponsored by DARPA, an overview of the Chinese eco-system for offensive cyber.

  • PHMSA Issues Proposed Civil Penalty of Nearly $1 Million to Colonial Pipeline Company for Control Room Management Failures - What happens when your business continuity plans aren’t up to the standard you need? Punchline: you get a nearly $1 million fine. The NOPV alleges that failures to adequately plan and prepare for a manual restart and shutdown operation contributed to the national impacts when the pipeline remained out of service after the May 2021 cyber-attack.

  • U.S. Treasury Issues First-Ever Sanctions on a Virtual Currency Mixer, Targets DPRK Cyber Threats - USG using the full court press to disrupt the cyber operations of North Korea by going after those who are helping obfuscate destination through sanctions.

  • Russian cyber operations against Ukraine: Declaration by the High Representative on behalf of the European Union - the EU has attributed the Viasat hack to Russia. The EU isn’t renowned for attribution in the cyber domain, I for one ❤️ the new emboldened EU in this regard.

  • South Korea's spy agency joins NATO cyber defense group - first Asian member to join. NATO breaking out of its geographic constructs in the digital era. NATO in Spaaaaaaace next I guess?

  • Protecting Against Cyber Threats to Managed Service Providers and their Customers - the Five Eyes are aware of recent reports that observe an increase in malicious cyber activity targeting managed service providers (MSPs), and they expect this trend to continue.

  • NIST released Planning for a Zero Trust Architecture: A Planning Guide for Federal Administrators - who am I kidding, this isn’t high-level, but it is a useful body of work for those orgs who are considering Zero Trust.

So not much time for reflection as this week has been busy with CyberUK (the UK’s National Cyber Security Centre annual conference) and then various ancillary activity. I left my home country (England) for the first time since the pandemic (to Wales). The Celtic Manor Resort was amazing and the ICC Wales a wonderful venue.

This week I do want to say a big thank you. I received some truly lovely notes from you, dear readers, over e-mail, Slack, LinkedIn and in person whilst in Wales about the value you get from this newsletter. So we push on, and rest assured I’ll keep writing whilst you keep reading.


Have a lovely Friday

Ollie

Cyber threat intelligence

Who is doing what to whom and how.

Ukraine

Aggregate reporting on the region.

Mass distribution of the JesterStealer malware using the topic of chemical attack

Basic tradecraft, but using in-country domains (.ua) as well as Tor. This threat actor did employ various techniques to try to avoid detection, both at a technical level in the malware and in the command & control operations.

Mass distribution of e-mails on the topic of "chemical attack" and a link to an XLS-document with a macro.

A stealer that steals authentication and other data from Internet browsers, MAIL/FTP/VPN clients, cryptocurrency wallets, password managers, messengers, game programs and more. Stolen data is transmitted to the attacker via Telegram through statically defined proxy addresses (including in the Tor network).

https://cert.gov.ua/article/40135

Tracking Cobalt Strike Servers Used in Cyberattacks on Ukraine

Michael Leardi, Joey Fitzpatrick and Brent Eskridge show the value of longitudinal datasets and pivoting when tracking threat actor activity. The value of C2 profile tracking has long been known, and this is a really good example.

On April 18, 2022, CERT-UA published alert #4490, which describes a malicious email campaign targeting Ukraine. The email attempts to deploy a Cobalt Strike beacon on the victim's system through the use of a MS Office macro. In the alert, CERT-UA provides a list of indicators of compromise (IoCs), including a list of IP addresses and domains used in the attack that are known to be Cobalt Strike command and control (C2) servers.

This report provides an analysis of this data in an attempt to inform the community on the observed patterns of these IoCs and other indicators that may be related to those referenced in the alert.

The timeseries of activity is really quite interesting:

[Figure: observed GET URIs by date, 2022]

https://www.ironnet.com/blog/tracking-cobalt-strike-servers-used-in-cyberattacks-on-ukraine

Welcome “Frappo”

Much like the cyber security industry, parts of the offensive life-cycle are becoming commoditised. We have seen this with initial access brokers, and this is at least the second example where the phishing phase can be outsourced.

The new Phishing-as-a-Service used by Cybercriminals to attack customers of major financial institutions and online-retailers

“Frappo” gives cybercriminals the ability to host and generate high-quality phishing pages which impersonate major online banking, e-commerce, popular retailers and online services to steal customer data.

Most recently, it provided phishing pages for over 20 financial institutions (FIs), online-retailers and popular services such as Uber.

https://resecurity.com/blog/article/welcome-frappo-the-new-phishing-as-a-service-used-by-cybercriminals-to-attack-customers-of-major-financial-institutions-and-online-retailers

Search Engine Optimisation Poisoning - A Gootloader Story

We have covered malicious adverts on search engines in recent weeks. This report from our friends at The DFIR Report shows there are others who don’t pay for adverts and instead use search engine manipulation to get their initial access. We have responded to at least one case involving this technique.

In early February 2022, we witnessed an intrusion employing Gootloader (aka GootKit) as the initial access vector.

The threat actors utilize SEO (search engine optimization) poisoning tactics to move compromised websites hosting malware to the top of certain search requests such as “what is the difference between a grand agreement and a contract?” or “freddie mac shared driveway agreement?”

When the user searches for these phrases and clicks on one of the top results, they are left with a forum-looking web page where the user is instructed to download a file, which they accidentally execute (double click to open)

The intrusion lasted two days and comprised discovery, persistence, lateral movement, collection, defense evasion, credential access and command and control activity. During the post-exploitation phase, the threat actors used RDP, WMI, Mimikatz, Lazagne, WMIExec, and SharpHound. The threat actors then used this access to review sensitive documents.

https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/

APT34 targets Jordan Government using new Saitama backdoor

Iran using some malicious documents and other basic tradecraft in regional targeting. But they do have a new implant..

On April 26th, we identified a suspicious email that targeted a government official from Jordan’s foreign ministry. The email contained a malicious Excel document that drops a new backdoor named Saitama. Following our investigation, we were able to attribute this attack to the known Iranian Actor APT34.

Also known as OilRig/COBALT GYPSY/IRN2/HELIX KITTEN, APT34 is an Iranian threat group that has targeted Middle Eastern countries and victims worldwide since at least 2014

https://blog.malwarebytes.com/threat-intelligence/2022/05/apt34-targets-jordan-government-using-new-saitama-backdoor/

Operation RestyLink: Targeted attack campaign targeting Japanese companies

Ryu Hiyoshi outlines a campaign against Japanese targets which they attribute, with low confidence, to South Korea. The actual tradecraft is shockingly basic, and I would have expected much better from South Korea.

Since mid-April 2022, multiple organizations have been observing targeted attack campaigns targeting Japanese companies. This attack campaign is believed to have been active in March 2022, and it is possible that a related attack was also underway in October 2021. For this reason, it is possible that attacks will continue in the future, rather than short-term, one-off attack campaigns.

We consider the possibility of being DarkHotel more than other candidates

https://insight-jp.nttsecurity.com/post/102ho8o/operation-restylink

The tip of the iceberg - the algorithm fraud industry

A fascinating analysis of a really complex operation in the Facebook eco-system. It shows a degree of planning and execution capability by what appears to be a set of interlinked commercial actors.

This report is the result of a six-month-long investigation that started by back-tracing a DDoS attack, but ended up tracing and uncovering a large network of Vietnamese fraudsters using Facebook infrastructure and residential proxies to build and control large Facebook bots, which are used to monetize Facebook services and carry out malicious activities.

https://www.qurium.org/alerts/the-tip-of-the-iceberg/

Bitter APT adds Bangladesh to their targets

A threat actor suspected to be from India doing regional targeting using Microsoft Office exploits from 2017 and 2018 (yee ha!).

  • We have observed an ongoing malicious campaign since August 2021 from the Bitter APT group that appears to target users in Bangladesh, a change from the attackers' usual victims.

  • As part of this, there's a new trojan based on Apost Talos is calling "ZxxZ," that, among other features, includes remote file execution capability.

  • Based on the similarities between the C2 server in this campaign with that of Bitter's previous campaign, we assess with moderate confidence that this campaign is operated by the Bitter APT group.

This campaign targets an elite unit of the Bangladesh government with a themed lure document alleging to relate to the regular operational tasks in the victim's organization. The lure document is a spear-phishing email sent to high-ranking officers of the Rapid Action Battalion Unit of the Bangladesh police (RAB). The emails contain either a malicious RTF document or a Microsoft Excel spreadsheet weaponized to exploit known vulnerabilities. Once the victim opens the maldoc, the Equation Editor application is automatically launched to run the embedded objects containing the shellcode to exploit known vulnerabilities described by CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802 — all in Microsoft Office — then downloads the trojan from the hosting server and runs it on the victim's machine.

https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html

A Sticky Situation Part 1: The Pervasive Nature of Credit Card Skimmers

Speaking of commoditisation, it is fascinating that you can buy in 2022 a skimmer for $2,000 for a lifetime subscription (their lifetime, not yours).

CaramelCorp is a Russian-language credit card skimming service with a significant cybercrime forum presence. They appear to screen prospective customers carefully and are reluctant to interact with non-Russian speakers. Like other cautious cybercrime services, CaramelCorp appears to use fluency and familiarity with modern idiomatic language and cultural references as an initial vetting mechanism. Further, CaramelCorp generally refuses to sell licenses to inexperienced carders, likely in order to mitigate potential exposure arising from customer incompetence.

A lifetime subscription for Caramel sells for 2,000 USD, provided CaramelCorp agrees to sell.

CaramelCorp marketing materials include unverified claims that Caramel can bypass certain services from Akamai, Cloudflare, and Incapsula, among others. Further, CaramelCorp claims to provide easily deployable gateways to receive skimmed data and capabilities to monitor them for downtime.

https://www.domaintools.com/resources/blog/a-sticky-situation-part-1-the-pervasive-nature-of-credit-card-skimmers

A brief analysis of Lyceum's attacks on the high-tech chip industry

Chinese reporting on Iran going after Tunisia, via the threat actor known as Hexane, Lyceum, Cobalt Lyceum, Siamesekitten and ATK 120. Interestingly, as with North Korea, they are using job adverts as part of their social engineering campaign.

Lyceum is a rarely exposed threat group, primarily targeting the Middle East and Africa in only a few disclosures of attacks. The group's activities can be traced back to April 2018, and it has gradually been discovered due to attacks on oil and gas and telecommunications companies in the Middle East.

An analysis of its recent activity revealed that Lyceum conducted a focused information theft primarily against Tunisia. At the same time, we also found that Lyceum is highly similar to Iranian threat groups such as APT34.

We previously captured a malicious document containing a job posting. The job description was related to chip PC products, programs, and systems. The job postings included three positions: sales manager, HR, and technical support . The content of malicious documents is carefully prepared and highly confusing to the target.

https://mp.weixin.qq.com/s/yjcCYJNUQq6smc3YsBmYhA

COBALT MIRAGE conducts ransomware operations in U.S.

Iranian ransomware operations documented here. Note the use of Exchange for initial access, the analysis in this reporting is really quite excellent and worth a read just to see what good looks like.

In January 2022, COBALT MIRAGE used access obtained through ProxyShell exploitation, possibly conducted in late 2021, to enter the network of a U.S. philanthropic organization. On January 6, the threat actors created and accessed a web shell named aspx_okqmeibjplh.aspx. The format of this filename matches an established pattern associated with COBALT MIRAGE ransomware operations

https://www.secureworks.com/blog/cobalt-mirage-conducts-ransomware-operations-in-us

Security advisory: malicious crate rustdecimal

Typo squatting for Rust crates .. eeesh!

The Rust Security Response WG and the crates.io team were notified on 2022-05-02 of the existence of the malicious crate rustdecimal, which contained malware. The crate name was intentionally similar to the name of the popular rust_decimal crate, hoping that potential victims would misspell its name (an attack called "typosquatting").

https://blog.rust-lang.org/2022/05/10/malicious-crate-rustdecimal.html

BPFDoor - an active Chinese global surveillance tool

Kevin Beaumont discusses a Chinese Linux implant that hides behind a classic BPF socket filter (a packet filter attached to a raw socket, not an eBPF program), although Tim Brown noted that on Solaris it is a libpcap filter. Not the first, not the last, but this type of traffic tunnelling for C2 communication is on the more advanced end of the spectrum and does create detection headaches.

BPFDoor is interesting. It allows a threat actor to backdoor a system for remote code execution, without opening any new network ports or firewall rules. For example, if a webapp exists on port 443, it can listen and react on the existing port 443, and the implant can be reached over the webapp port (even with the webapp running). This is because it uses a BPF packet filter.

https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896
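A check a practitioner can run for this class of implant, as an added example that is not from Kevin Beaumont’s post or from BPFDoor itself: because the filter is attached to a raw AF_PACKET socket, the socket shows up in /proc/net/packet like any other packet socket, and its inode can be mapped back to the owning process through /proc/<pid>/fd. The /proc/net/packet text, the fd link targets and the process names below are constructed sample data (the field layout of /proc/net/packet is the real one); `live_fd_links` is the only part that touches a real system and is there so the same report can be produced on a live host.

```python
import os
import re
from typing import Dict, List

# Added example: find processes holding AF_PACKET sockets, the place a BPF socket
# filter such as BPFDoor's lives. Legitimate holders (dhclient, tcpdump,
# NetworkManager, ...) are expected; what is left after an allowlist is the triage set.

# Constructed sample of /proc/net/packet. Columns are the kernel's:
# sk RefCnt Type Proto Iface R Rmem User Inode (Type 3 = SOCK_RAW, Proto in hex).
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9f8c3e5c2000 3      3    0800   2     1 0      0      23456
ffff9f8c3e5c2800 3      3    0003   2     1 0      0      23477
"""

# Constructed sample of readlink(/proc/<pid>/fd/<n>) results and /proc/<pid>/comm.
SAMPLE_FD_LINKS = {
    4242: ["/dev/null", "socket:[23456]", "/var/log/syslog"],
    1337: ["socket:[23477]", "pipe:[990]"],
    1:    ["/dev/null"],
}
SAMPLE_COMM = {4242: "dhclient", 1337: "suspect_proc", 1: "systemd"}

SOCK_TYPES = {"2": "SOCK_DGRAM", "3": "SOCK_RAW"}


def parse_proc_net_packet(text: str) -> Dict[str, dict]:
    """Return {inode: {type, proto, iface}} for every AF_PACKET socket listed."""
    sockets: Dict[str, dict] = {}
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 9:
            continue
        stype, proto, iface, inode = fields[2], fields[3], fields[4], fields[8]
        sockets[inode] = {"type": SOCK_TYPES.get(stype, stype),
                          "proto": "0x" + proto.lower(), "iface": iface}
    return sockets


def socket_owners(fd_links: Dict[int, List[str]]) -> Dict[str, List[int]]:
    """Invert the fd tables: socket inode -> pids that hold a descriptor to it."""
    owners: Dict[str, List[int]] = {}
    for pid, links in fd_links.items():
        for target in links:
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                owners.setdefault(m.group(1), []).append(pid)
    return owners


def packet_socket_report(proc_net_packet: str, fd_links: Dict[int, List[str]],
                         comm: Dict[int, str], allowlist=()) -> List[dict]:
    """Processes holding AF_PACKET sockets, minus names you expect to see."""
    sockets = parse_proc_net_packet(proc_net_packet)
    owners = socket_owners(fd_links)
    report = []
    for inode, info in sockets.items():
        for pid in owners.get(inode, []):
            name = comm.get(pid, "?")
            if name in allowlist:
                continue
            report.append({"pid": pid, "comm": name, "inode": inode, **info})
    return report


def live_fd_links() -> Dict[int, List[str]]:
    """Collect fd link targets from a live /proc (root needed to see other users' fds)."""
    links: Dict[int, List[str]] = {}
    for pid in (p for p in os.listdir("/proc") if p.isdigit()):
        fd_dir = f"/proc/{pid}/fd"
        try:
            links[int(pid)] = [os.readlink(f"{fd_dir}/{fd}") for fd in os.listdir(fd_dir)]
        except OSError:
            continue                              # process exited or not ours to read
    return links


if __name__ == "__main__":
    for hit in packet_socket_report(SAMPLE_PROC_NET_PACKET, SAMPLE_FD_LINKS,
                                    SAMPLE_COMM, allowlist=("dhclient", "tcpdump")):
        print(hit)
```

On a live box, feed `open("/proc/net/packet").read()`, `live_fd_links()` and the contents of each `/proc/<pid>/comm` into `packet_socket_report`; a SOCK_RAW socket on proto 0x0003 (ETH_P_ALL) or 0x0800 owned by something that is not a known sniffer or DHCP client deserves a look at its filter with `ss -0pb`.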

Nerbian RAT Using COVID-19 Themes Features Sophisticated Evasion Techniques

A small campaign of ~100 messages is documented by Andrew Northern, Pim Trouerbach, Tony Robinson and Axel F (no, not the song by Harold Faltermeyer from Beverly Hills Cop). The payload does keylogging and screen capture.

  • [We have] analyzed a novel malware variant which utilizes significant anti-analysis and anti-reversing capabilities.

  • The malware, written in the Go programming language, uses multiple open-source Go libraries for conducting malicious activities.

  • The malware, called Nerbian remote access trojan (RAT) leverages COVID-19 and World Health Organization themes to spread.

The newly identified Nerbian RAT leverages multiple anti-analysis components spread across several stages, including multiple open-source libraries. It is written in operating system (OS) agnostic Go programming language, compiled for 64-bit systems, and leverages several encryption routines to further evade network analysis. Go is an increasingly popular language used by threat actors, likely due to its lower barrier to entry and ease of use. 

https://www.proofpoint.com/us/blog/threat-insight/nerbian-rat-using-covid-19-themes-features-sophisticated-evasion-techniques

Operation (Dragon) EviLoong: Electronic Party for Hackers Without Borders

Chinese reporting on a sophisticated campaign going after specific sectors. They note in the reporting crossover with a previous campaign, “Operation EICAR (APT-Q-28): Targeted Hunting Activities for the Securities and Financial Industry”. The actual initial payload is a really basic signed executable pretending to be a document; this shows that initial access continues to be challenging, yet they can steal code signing certificates. A real contradiction in terms of capability..

[We] found a gang specifically targeting game companies, the pharmaceutical industry, blockchain, Internet finance, corporate finance, operations and maintenance personnel, etc., which has stolen the legitimate (“white”) code-signing certificates of many companies; the sample set is large, and part of it is protected by the VMProtect shell. During execution, the signed driver sample is loaded into the kernel to provide protection for the ring-3 sample. The attack method is extremely sophisticated, and the group has 0day/Nday attack capability. Because the samples carry a legitimate signature, the whole process avoids detection and is more difficult to find. We have named the gang APT-Q-29.

https://mp-weixin-qq-com.translate.goog/s/K1uBLGqD8kgsIp1yTyYBfw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en

Info-stealer Campaign targets German Car Dealerships and Manufacturers

Sectoral targeting in the German auto sector, attribution unclear, and yet more use of .iso files with malicious .hta files inside to dodge Mark of the Web.

It started with a seemingly benign email, dealing with the purchase of a vehicle, and ended in a reveal of a months’ long campaign targeting German organizations. Most of the targets are related to the German auto-industry sector and the attacks were designed to deploy various types of info-stealing malware

  • Dedicated campaign targeting German companies with a focus on German car dealerships and manufacturers.

  • Extensive infrastructure designed to look like existing German car dealerships and manufacturers.

  • Emails with receipts and contracts in German, designed to instill confidence and lure recipients were sent to carefully selected targets.

  • The main malware hosting site is an Iranian hosted non-governmental website with a double connection to the campaign.

We found certain connections to Iranian non-state entities but it is unclear whether they were legitimate sites that were compromised or have a more substantial connection to this operation.

https://blog.checkpoint.com/2022/05/10/a-german-car-attack-on-german-vehicle-businesses/

Raspberry Robin gets the worm early

Lauren Podber and Stef Rand discuss a threat which is gaining initial access via USB sticks, in 2022. The clustering of victims is also the call-out here, as is the use of QNAP devices for C2. This whiffs a bit of nation state but is not attributed.

A worm spread by external drives that leverages Windows Installer to reach out to QNAP-associated domains and download a malicious DLL.

We first observed this activity in September 2021, involving a worm that is often installed via USB drive. This activity cluster relies on msiexec.exe to call out to its infrastructure, often compromised QNAP devices, using HTTP requests that contain a victim’s user and device names. We also observed Raspberry Robin use TOR exit nodes as additional command and control (C2) infrastructure.

To date, we’ve observed Raspberry Robin in organizations with ties to technology and manufacturing, though it’s not yet clear if there are other links among victims.

https://redcanary.com/blog/raspberry-robin/

REvil Development Adds Confidence About GOLD SOUTHFIELD Reemergence

REvil is back on the pitch and here is the evidence to confirm it. In times of war it appears all capabilities may be mobilised.

The March 22 sample contains artifacts in its configuration that indicate a likely link to a victim published to the REvil leak site in April. Despite a version value of 1.00, the sample has a compile timestamp of 2022-03-11 14:30:49 and includes functionality from a version 2.08 sample identified by CTU™ researchers in October 2021.

https://www.secureworks.com/blog/revil-development-adds-confidence-about-gold-southfield-reemergence

Unsigned macOS oRAT Malware Gambles For The Win

Dinesh Devadoss and Phil Stokes discuss a basic capability from a new threat actor against macOS. The interest in the platform is clearly growing as the prevalence of macOS devices continues to increase globally.

Researchers looking into a new APT group targeting gambling sites with a variety of cross-platform malware recently identified a version of oRAT malware targeting macOS users and written in Go. While neither RATs nor Go malware are uncommon on any platform, including the Mac, the development of such a tool by a previously unknown APT is an interesting turn, signifying the increasing need for threat actors to address the rising occurrence of Macs among their intended targets and victims.

The oRAT malware targets macOS users using a combination of custom-written code and public Golang repos. The developers are clearly familiar with using sophisticated features of Go for networking and communications, but due to the simplistic way the malware dropper was packaged, unsigned and with no observable install to distract the victim, it would seem they are less experienced with the challenges of infecting Mac users.

https://www.sentinelone.com/blog/from-the-front-lines-unsigned-macos-orat-malware-gambles-for-the-win/

Dirty Deeds Done Dirt Cheap: Russian RAT Offers Backdoor Bargains

And finally for the threat section this week, the Poundland (a discount retail shop in the UK where everything costs £1 - well, nearly) of cyber has arrived.

Sold predominantly on Russian underground forums, DCRat is one of the cheapest commercial RATs we’ve ever come across. The price for this backdoor starts at 500 RUB (less than 5 GBP/US$6) for a two-month subscription, and occasionally dips even lower during special promotions. No wonder it’s so popular with professional threat actors as well as script kiddies.

https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains

Discovery

How we find and understand the latent compromises within our environments.

CobaltStrike Metadata Encoding and Decoding

Chris Navarrete, Durgesh Sangvikar, Yu Fu, Yanhui Jia and Siddhart Shibiraj provide training on how CobaltStrike metadata can be analysed along with its various encoding mechanisms. This will aid detection engineering teams.

In this blog post, we will go through the encoding algorithm, describe definitions and differences of encoding types used in the Cobalt Strike framework, and cover some malicious attacks seen in the wild. In doing so, we demonstrate how the encoding and decoding algorithm works during the C2 traffic communication, and why this versatility makes Cobalt Strike an effective emulator for which it is difficult to design traditional firewall defenses.

https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encoding-decoding/
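To make the encoding side concrete, here is an added example (my own code, not Unit 42’s and not Cobalt Strike’s) that re-implements the Malleable C2 data-transform steps a profile applies to beacon metadata before it is placed in a header, cookie or URI parameter, and the reverse chain a detection engineer runs to get the raw metadata back out of captured traffic. The profile fragment and the four metadata bytes are constructed; a real beacon’s metadata is RSA-encrypted and only begins with the 0x0000BEEF magic after decryption, so treat the bytes as a stand-in.

```python
import base64
import os
from typing import Optional, Sequence, Tuple

# Added example: Cobalt Strike Malleable C2 data transforms (encode and decode).
# A profile lists steps in order; the beacon applies them forwards, and a decoder
# has to replay them backwards with the same profile.


def netbios_encode(data: bytes, upper: bool = False) -> bytes:
    """Each byte becomes two letters, high nibble then low nibble: a..p (A..P for netbiosu)."""
    base = ord("A") if upper else ord("a")
    return bytes(ch for b in data for ch in (base + (b >> 4), base + (b & 0x0F)))


def netbios_decode(data: bytes, upper: bool = False) -> bytes:
    base = ord("A") if upper else ord("a")
    if len(data) % 2:
        raise ValueError("netbios text must have an even length")
    return bytes(((hi - base) << 4) | (lo - base) for hi, lo in zip(data[0::2], data[1::2]))


def mask_encode(data: bytes, key: Optional[bytes] = None) -> bytes:
    """'mask': a 4-byte random key is prepended and the payload XORed with it cyclically."""
    key = key if key is not None else os.urandom(4)
    return key + bytes(b ^ key[i % 4] for i, b in enumerate(data))


def mask_decode(data: bytes) -> bytes:
    key, body = data[:4], data[4:]
    return bytes(b ^ key[i % 4] for i, b in enumerate(body))


Step = Tuple  # ("base64",) | ("base64url",) | ("netbios",) | ("netbiosu",) | ("mask", key?) | ("prepend", b) | ("append", b)


def apply_transforms(data: bytes, steps: Sequence[Step]) -> bytes:
    """Run the profile's transform chain in order, as the beacon does before sending."""
    for name, *args in steps:
        if name == "base64":
            data = base64.b64encode(data)
        elif name == "base64url":
            data = base64.urlsafe_b64encode(data).rstrip(b"=")
        elif name == "netbios":
            data = netbios_encode(data)
        elif name == "netbiosu":
            data = netbios_encode(data, upper=True)
        elif name == "mask":
            data = mask_encode(data, *args)
        elif name == "prepend":
            data = args[0] + data
        elif name == "append":
            data = data + args[0]
        else:
            raise ValueError(f"unknown transform {name!r}")
    return data


def undo_transforms(data: bytes, steps: Sequence[Step]) -> bytes:
    """Replay the chain backwards to recover the metadata from a captured value."""
    for name, *args in reversed(steps):
        if name == "base64":
            data = base64.b64decode(data)
        elif name == "base64url":
            data = base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))
        elif name == "netbios":
            data = netbios_decode(data)
        elif name == "netbiosu":
            data = netbios_decode(data, upper=True)
        elif name == "mask":
            data = mask_decode(data)
        elif name == "prepend":
            if not data.startswith(args[0]):
                raise ValueError("expected prefix missing; wrong profile?")
            data = data[len(args[0]):]
        elif name == "append":
            if not data.endswith(args[0]):
                raise ValueError("expected suffix missing; wrong profile?")
            data = data[:len(data) - len(args[0])]
        else:
            raise ValueError(f"unknown transform {name!r}")
    return data


# Constructed profile fragment (a cookie-style header) and stand-in metadata bytes.
PROFILE_STEPS = [("mask", b"\x01\x02\x03\x04"), ("netbios",),
                 ("prepend", b"SESSIONID="), ("append", b";")]
SAMPLE_METADATA = b"\x00\x00\xbe\xef"


def encode_sample() -> bytes:
    return apply_transforms(SAMPLE_METADATA, PROFILE_STEPS)


if __name__ == "__main__":
    wire = encode_sample()
    print(wire)                                   # what lands in the Cookie header
    print(undo_transforms(wire, PROFILE_STEPS))   # the raw metadata again
```

The fixed mask key is only there so the output is reproducible; in traffic the first four bytes after the prepend string are the per-request key, which is why a naive string signature on the encoded value never matches twice and why the decoder, not the encoder, is the useful artefact for detection engineering.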

Windows Event ID 5379 to Detect Malicious Password-Protected File unlock

Bala Ganesh provides a neat detection mechanism for when users might be opening password-protected archives. Given that threat actors use this tradecraft quite often to avoid detection, it is a really useful tip.

https://www.socinvestigation.com/windows-event-id-5379-to-detect-malicious-password-protected-file-unlock/

Hash Lookup Forensic Analyser

Alexandre Dulaunoy and Mohammadreza Sarayloo provide a wonderful work aid to help weed out the known good.

Analyse a forensic target (such as a directory) to find and report files found and not found from CIRCL hashlookup public service or the Bloom filter from CIRCL hashlookup. This tool can help a digital forensic investigator to know the context, origin of specific files during a digital forensic investigation.

https://github.com/hashlookup/hashlookup-forensic-analyser

Defence

How we proactively defend our environments.

Witness: a pluggable framework for supply chain security

Neat idea, be interesting to see the offsec community now take this for a spin and see where the gaps are and/or how it can be subverted.

Witness prevents tampering of build materials and verifies the integrity of the build process from source to target. It works by wrapping commands executed in a continuous integration process. Its attestation system is pluggable and offers support out of the box for most major CI and infrastructure providers. Verification of Witness metadata and a secure PKI distribution system will mitigate against many software supply chain attack vectors and can be used as a framework for automated governance.

Witness is an implementation of the in-toto spec including ITE-5, ITE-6, ITE-7 with an embedded rego policy engine.

https://github.com/testifysec/witness

Sophos Firewall CVE-2022-1040 (RCE) One-liner mass checker

Mass checker for this vulnerability…

https://github.com/CronUp/Vulnerabilidades/blob/main/CVE-2022-1040_checker

Evicting the Adversary: guidance to kick out an active attacker in your environment

Dray Agha walks through the eviction process end to end in this post. This type of activity is always fun, and Dray provides a practical walkthrough of how one achieves the adrenaline rush..

In this blog, I’ll sketch out a number of things that’ll help the next time you catch an attacker. We’ll look at…

  • What the attack looks like from the perspectives of the defender and the attacker

  • How to dig deeper and find data that illuminates the adversaries’ activities 

  • Some commands that will allow you to evict the adversary

https://www.huntress.com/blog/evicting-the-adversary

Offense

Attack capability, techniques and tradecraft.

Hiding in Plain Sight: Obscuring C2s by Abusing CDN Services

Documented examples of CDN abuse to masquerade C2s.

https://teamt5.org/en/posts/hiding-in-plain-sight-obscuring-c2s-by-abusing-cdn-services/

Azure AD Cross-tenant attacks via multi-tenant implants (servicePrincipals)

Joosua Santasalo drops the wisdom on an Azure AD specific attack scenario:

Any Service Principal registered in your tenant - in this case enterprise applications created after a user or admin registers a multi-tenant app in your tenant - is permitted to get access tokens for any app in your tenant not requiring user assignment

While my example relies on an admin or user consenting to a new app, this attack applies to any existing multi-tenant app in your tenant which is owned by a malicious party or has been the victim of a supply-chain compromise (check any large tenant, there might be thousands of these there; how often do you check if they are requesting tokens for themselves while only having user permissions?)

https://securecloud.blog/2022/05/05/cross-tenant-attacks-via-multi-tenant-implants-serviceprincipals/
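Joosua’s closing question is the check worth automating, so here is an added example (my code, not from his post) that answers it offline against data in the shape Microsoft Graph returns: for each service-principal sign-in, flag the ones where the calling app is owned by another tenant and the resource it got a token for does not enforce assignment, and mark the self-token case separately. The property names used (`appOwnerOrganizationId` and `appRoleAssignmentRequired` on a servicePrincipal; `servicePrincipalId` and `resourceId` on a sign-in record) are real Graph properties; every value, the tenant IDs included, is constructed sample data, and `OUR_TENANT` is an assumed placeholder for your own tenant ID.

```python
from typing import Dict, List

# Added example: audit tokens obtained in our tenant by service principals that
# belong to multi-tenant apps registered elsewhere.

OUR_TENANT = "11111111-1111-1111-1111-111111111111"   # assumption: your tenant ID
FOREIGN_A = "22222222-2222-2222-2222-222222222222"    # constructed
FOREIGN_B = "33333333-3333-3333-3333-333333333333"    # constructed

# Constructed: what GET /v1.0/servicePrincipals?$select=id,appId,displayName,
# appOwnerOrganizationId,appRoleAssignmentRequired would return for four apps.
SERVICE_PRINCIPALS = [
    {"id": "sp-1", "appId": "a1", "displayName": "Contoso Sync (multi-tenant)",
     "appOwnerOrganizationId": FOREIGN_A, "appRoleAssignmentRequired": False},
    {"id": "sp-2", "appId": "a2", "displayName": "Internal Finance API",
     "appOwnerOrganizationId": OUR_TENANT, "appRoleAssignmentRequired": False},
    {"id": "sp-3", "appId": "a3", "displayName": "Vendor Portal (multi-tenant)",
     "appOwnerOrganizationId": FOREIGN_B, "appRoleAssignmentRequired": False},
    {"id": "sp-4", "appId": "a4", "displayName": "HR App",
     "appOwnerOrganizationId": OUR_TENANT, "appRoleAssignmentRequired": True},
]

# Constructed: service-principal sign-in records (the fields used here from the
# sign-in log entries for service principals; everything else is omitted).
SP_SIGNINS = [
    {"createdDateTime": "2022-05-10T08:01:00Z", "servicePrincipalId": "sp-1", "resourceId": "sp-2"},
    {"createdDateTime": "2022-05-10T08:02:00Z", "servicePrincipalId": "sp-1", "resourceId": "sp-1"},
    {"createdDateTime": "2022-05-10T08:03:00Z", "servicePrincipalId": "sp-2", "resourceId": "sp-1"},
    {"createdDateTime": "2022-05-10T08:04:00Z", "servicePrincipalId": "sp-3", "resourceId": "sp-4"},
]


def find_cross_tenant_token_use(sps: List[dict], signins: List[dict], our_tenant: str) -> List[dict]:
    """Tokens obtained by SPs whose app is owned by another tenant, for resources in
    our tenant that do not enforce assignment. Home-grown apps are a separate review."""
    by_id: Dict[str, dict] = {sp["id"]: sp for sp in sps}
    findings = []
    for s in signins:
        caller = by_id.get(s["servicePrincipalId"])
        resource = by_id.get(s["resourceId"])
        if caller is None or resource is None:
            continue                                   # not in our SP inventory
        if caller["appOwnerOrganizationId"] == our_tenant:
            continue                                   # app registered in our tenant
        if resource["appRoleAssignmentRequired"]:
            continue                                   # assignment enforced on the target
        findings.append({
            "when": s["createdDateTime"],
            "caller": caller["displayName"],
            "caller_owner_tenant": caller["appOwnerOrganizationId"],
            "resource": resource["displayName"],
            "self_token": caller["id"] == resource["id"],
        })
    return findings


if __name__ == "__main__":
    for finding in find_cross_tenant_token_use(SERVICE_PRINCIPALS, SP_SIGNINS, OUR_TENANT):
        print(finding)
```

Run against real exports, the two inputs come from the servicePrincipals collection and the service-principal entries of the sign-in logs; the result set is the list of foreign-owned apps that are actually exercising the access Joosua describes, which is a much shorter list to review than every multi-tenant app in the tenant.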

DDexec

Yago shows how to execute arbitrary code on Linux with dd and a few friends:

This script depends on the following tools to work.

dd
bash | zsh | ash (busybox)
head
tail
cut
grep
od
readlink
wc
tr
base64

https://github.com/arget13/DDexec

MalSCCM

In use by ransomware actors in 3..2..

This tool allows you to abuse local or remote SCCM servers to deploy malicious applications to hosts they manage. To use this tool your current process must have admin rights over the SCCM server.

Typically, deployments of SCCM will have the management server and the primary server on the same host, in which case the host returned from the locate command can be used as the primary server.

If that is not the case, you will need to compromise the management host returned by locate so that you can run locate again on that host and get the primary server hostname. Once you have that and admin access, you are good to go!

https://github.com/nettitude/MalSCCM

Introducing pyCobaltHound

Adriaan Neijzen brings BloodHound for Active Directory to Cobalt Strike. At least we have something to signature off, as this goes loooouuuuud.

pyCobaltHound strives to assist red team operators by:

  • Automatically querying the BloodHound database to discover escalation paths opened up by newly collected credentials.

  • Automatically marking compromised users and computers as owned.

  • Allowing operators to quickly and easily investigate the escalation potential of beacon sessions and users.

https://blog.nviso.eu/2022/05/09/introducing-pycobalthound/

Vulnerability

Our attack surface.

Key Overwriting (KO) Attacks against OpenPGP

Some great work here, even if a bit eeek. The attacker in this model needs to be able to modify the stored (passphrase-encrypted) key, which is why hosted-key services are the interesting case, and it does make you wonder if this was ever exploited against ProtonMail.

OpenPGP stores private keys in Secret Key (or Subkey) packets. These packets are composed of public, non-encrypted fields (e.g. the public key parameters) and private, encrypted fields (e.g. the actual private key material). While the encrypted fields are integrity protected to some extent, OpenPGP has no mechanism to programmatically detect corruption of the public fields. The result is that, in a KO attack scenario, the correct private key material can end up being used in conjunction with corrupted public key parameters. This can lead to leakage of the private key.

https://www.kopenpgp.com/
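The two checks that close the gap described above, as an added example (my code, not from the kopenpgp.com authors and not from any OpenPGP implementation): before the private key is used, confirm the public parameters it is about to be used with actually belong to it; and when storing the packet, bind the public fields into the integrity tag so that editing them invalidates the whole packet. Toy DSA-style parameters (p=23, q=11, g=4, x=7) are used so the arithmetic is visible, and the private field is left in the clear rather than passphrase-encrypted, because the point being demonstrated is the tag over the public fields; the passphrase and salt are constructed.

```python
import hashlib
import hmac
import json
import os
from typing import Optional, Tuple

# Added example: key-consistency check plus an integrity tag that covers the
# public fields of a stored private-key packet, the two things a KO attack relies
# on being absent.

GOOD_PUBLIC = {"p": 23, "q": 11, "g": 4, "y": 8}   # toy params; y = g^x mod p, x = 7
GOOD_PRIVATE = {"x": 7}


def key_is_consistent(pub: dict, priv: dict) -> bool:
    """Cheap sanity checks a signer should run before it touches x."""
    p, q, g, y, x = pub["p"], pub["q"], pub["g"], pub["y"], priv["x"]
    return (1 < g < p
            and pow(g, q, p) == 1          # g really has order q modulo p
            and 0 < x < q
            and pow(g, x, p) == y)         # the private key matches the public key


def _tag_key(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)


def _canonical(pub: dict, priv: dict) -> bytes:
    # Public AND private fields go under the tag; OpenPGP's checksum/hash covers
    # only the private ones, which is the gap the KO attack exploits.
    return json.dumps({"public": pub, "private": priv}, sort_keys=True).encode()


def seal_key_packet(pub: dict, priv: dict, passphrase: str,
                    salt: Optional[bytes] = None) -> dict:
    """Store the packet with an HMAC over every field, keyed from the passphrase."""
    salt = salt if salt is not None else os.urandom(16)
    tag = hmac.new(_tag_key(passphrase, salt), _canonical(pub, priv), "sha256").hexdigest()
    return {"public": pub, "private": priv, "salt": salt.hex(), "tag": tag}


def open_key_packet(packet: dict, passphrase: str) -> Tuple[dict, dict]:
    """Refuse to hand back the private key unless the whole packet verifies."""
    expected = hmac.new(_tag_key(passphrase, bytes.fromhex(packet["salt"])),
                        _canonical(packet["public"], packet["private"]), "sha256").hexdigest()
    if not hmac.compare_digest(expected, packet["tag"]):
        raise ValueError("integrity check failed: public or private fields were altered")
    if not key_is_consistent(packet["public"], packet["private"]):
        raise ValueError("public parameters do not match the private key")
    return packet["public"], packet["private"]


def packet_verifies(packet: dict, passphrase: str) -> bool:
    try:
        open_key_packet(packet, passphrase)
        return True
    except ValueError:
        return False


def tampered(packet: dict, field: str, value: int) -> dict:
    """Attacker edit of one public field in the stored packet (what a KO attack does)."""
    bad = json.loads(json.dumps(packet))
    bad["public"][field] = value
    return bad


if __name__ == "__main__":
    pkt = seal_key_packet(GOOD_PUBLIC, GOOD_PRIVATE, "correct horse")
    print(open_key_packet(pkt, "correct horse"))
    try:
        open_key_packet(tampered(pkt, "g", 5), "correct horse")
    except ValueError as err:
        print("rejected:", err)
```

The consistency check is the one that matters even when the storage format cannot be changed: it costs one modular exponentiation and catches the case where the key material is correct but the parameters it is about to be used with are not.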

Fuzzing ClamAV with real malware samples

Take vx-underground sample set, fuzz, profit.. Yes it really is 2022.

tl;dr: Fuzzing ClamAV using real malware samples results in 10 bugs discovered including one buffer overflow and three DoS vulnerabilities.

https://mmmds.pl/clamav/

Unauthorized gem takeover for some gems

A thankfully now fixed vulnerability. Our security is really built on sand..

Due to a bug in the yank action, it was possible for any RubyGems.org user to remove and replace certain gems even if that user was not authorized to do so.

https://github.com/rubygems/rubygems.org/security/advisories/GHSA-hccv-rwq6-vh79

CVE-2022-30525: Zyxel security advisory for OS command injection vulnerability of firewalls

No CVSS, and no clear statement of whether it is pre- or post-auth; thank you Zyxel.

https://www.zyxel.com/support/Zyxel-security-advisory-for-OS-command-injection-vulnerability-of-firewalls.shtml

You have to read the researcher’s advisory to learn:

The affected models are vulnerable to unauthenticated and remote command injection via the administrative HTTP interface.

https://www.rapid7.com/blog/post/2022/05/12/cve-2022-30525-fixed-zyxel-firewall-unauthenticated-remote-command-injection/

CVE-2022-27588: Vulnerability in QNAP VS Series NVR running QVR

Similarly terrible vulnerability..

A vulnerability has been reported to affect QNAP VS Series NVR running QVR. If exploited, this vulnerability allows remote attackers to run arbitrary commands.

https://www.qnap.com/en/security-advisory/qsa-22-07

Exploitation

What is being exploited.

CVE-2022-1388: F5 Big-IP iControl REST Vulnerability Updates

Being exploited to wipe devices

Public exploit available

Scanners:

  • https://github.com/MrCl0wnLab/Nuclei-Template-CVE-2022-1388-BIG-IP-iControl-REST-Exposed

  • https://github.com/jheeree/CVE-2022-1388-checker/blob/main/CVE-2022-1388.sh

Massive WordPress JavaScript Injection Campaign Redirects to Ads

An ongoing mass WordPress compromise campaign.

This campaign leverages known vulnerabilities in WordPress themes and plugins and has impacted an enormous number of websites over the year — for example, according to PublicWWW, the April wave for this campaign was responsible for nearly 6,000 infected websites alone.

https://blog.sucuri.net/2022/05/massive-wordpress-javascript-injection-campaign-redirects-to-ads.html

Footnotes

Some other small bits and bobs which might be of interest.

  • Avast Q1/2022 Threat Report

  • NIST Publishes Review of Digital Forensic Methods

  • Online Panel - Cyber Offense Uncovered: Introducing the Cyber Arms Watch - from The Hague Centre for Strategic Studies

  • Inside Russia's Biggest Ransomware Operation - Podcast

  • Where to begin? Prioritizing ATT&CK Techniques - somewhere between breakfast and lunch I suspect.

  • The 5×5—Addressing the global market for offensive cyber capabilities - five featured experts answer five questions on a common theme

  • Leaky Forms: A Study of Email and Password Exfiltration Before Form Submission - what happens before you press enter; probably not what we would consider should happen.

  • Lifting the veil a look at Microsoft Defender for Endpoint under the hood

  • Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself - content led marketing at its finest.

  • Center for Threat-Informed Defense, Microsoft, and industry partners streamline MITRE ATT&CK® matrix evaluation for defenders - slightly eroding the independence but I get it - MITRE want to make some cash.

  • Data as a Weapon: Psychological Operations in the Age of Irregular Information Threats - a plea to the PSYOP community to evolve their tradecraft in the modern world.

That’s all folks.. until next week..

© 2023 Ollie Whitehouse from BinaryFirefly