UK Civil nuclear cyber security strategy 2022 - After the UK’s National Strategy (2021) and then the Government Strategy (2022) the UK released its Civil Nuclear - it is interesting to see the evolution and interlink between them all.
Chinese Concepts and Opportunities in Information Warfare: China-US Rivalry in Cyberspace - Russian academic paper looking at US Sino cyber - the data point here is that Russian academics are studying what is going on, the conclusions are also stake - “China continues to develop the strategic course aimed at using information warfare to achieve its national political and economic goals. Beijing is progressively developing the concept of introducing the information warfare in order to attract excessive attention from the world community, which has already named it the “Cyber Dragon”
Department of Justice Announces New Policy for Charging Cases under the Computer Fraud and Abuse Act - New guidance from the DoJ - The policy for the first time directs that good-faith security research should not be charged - but again it is only guidance - can still be arrested, investigated and then hope they follow the guidance. Still needs primary legislation reform for the CFAA and also the UK’s Computer Misuse Act - as employers we need certainty.
In terms of reflections this week, nothing material other than cyber is busy on almost every level, as evidenced by the content below. It does concern me that as an industry we still don’t really have strong evidence bases for what works in practice in a lot of cases. What evidence we do have is also hard to find at times.
On the offensive side our evidence base says a team of 5 and a budget of £$ 5 - 10 million can really get into most organisations in 2022.
Custom PowerShell RAT targets Germans seeking information about the Ukraine crisis
Hossein Jazi and Jérôme Segura detail a speculative campaign against Germany which is basic and broad.
a new campaign that plays on these concerns by trying to lure Germans with a promise of updates on the current threat situation in Ukraine. The downloaded document is in fact decoy for a Remote Access Trojan (RAT) capable of stealing data and executing other malicious commands on a victim’s computer.
Onur Mustafa Erdogan details what they saw in March around this Russian threat actor and provide some concrete indicators of compromise for defenders to search back on.
The IO Offensive: Information Operations Surrounding the Russian Invasion of Ukraine
Alden Wahlstrom, Alice Revelli, Sam Riddell, David Mainor and Ryan Serabian detail information operations from anti-western forces.
[We have] identified activity that we attributed to information operations campaigns conducted by actors we judge to be operating in support of the political interests of nation-states such as Russia, Belarus, China, and Iran, including ongoing campaigns that we have tracked for years. This report examines a slice of this activity, highlighting significant information operations Mandiant has observed in our work responding to the invasion and presenting our early analysis of those events.
Killnet Cyber Attacks Against Italy and NATO Countries
Alessandro Brucato details a possible pro-Russian campaign against Italy to cause disruption.
On May 11, several Italian institutional websites, including the Italian Senate, the Ministry of Defense, and the National Institute of Health, were taken offline and unreachable for a few hours. This was day one of a multiday cyber attack, which targeted other Italian websites as well as other countries. The pro-Russian hacker groups Killnet and Legion claimed the attacks through their Telegram channels, killnet_channel and legion_russia using the Mirai malware to perform their DDoS (distributed denial-of-service) attacks to Italian websites.
Fronton: A Botnet for Creation, Command, and Control of Coordinated Inauthentic Behavior
DDoS as a service from Russia and some good open source sleuthing.
One, involving comments around a squirrel statue in Almaty, Kazakhstan may have affected the reporting on a BBC story. As of April 2022, 0day technologies has changed its domain from 0day[.]ru to 0day[.]llc. An instance of the SANA system appears to be up at https://sana.0day[.]llc . Nisos assesses that this is possibly a testing or demo instance, and is not currently used by the FSB. Nisos researchers conducted open source research to discover 0day is known as 0Dt, full name Zeroday Technologies LLC (0Дт, OOO ЗИРОУДЭЙ ТЕХНОЛОДЖИС) based at Ulitsa Profsoyuznaya, D. 125, Etazh Tsokolnyi Pomesht. I, Kom. 14 Moscow; Moscow; Postal Code: 117647
Twisted Panda: Chinese APT espionage operation against Russian’s state-owned defense institutes
What happens when your best friend starts a fight when you are busy waging a war? This!
a targeted campaign against at least two research institutes in Russia, whose primary expertise is the research and development of highly technological defense solutions. Research suggests that another target in Belarus, likely also related to the research field, received a similar spear-phishing email claiming that the US is allegedly spreading a biological weapon.
The defense research institutes that we identified as targets of this attack belong to a holding company within the Russian state-owned defense conglomerate Rostec Corporation. It is Russia’s largest holding company in the radio-electronics industry and the specific targeted research institutes’ primary focus is the development and manufacturing of electronic warfare systems, military-specialized onboard radio-electronic equipment, air-based radar stations and means of state identification.
This campaign is a continuation of what [we] believe to be a long-running espionage operation against Russian-related entities that has been in operation since at least June 2021. The operation may still be ongoing, as the most recent activity was observed in April 2022.
This activity was attributed with high confidence to a Chinese threat actor, with possible connections to Stone Panda (aka APT10), a sophisticated and experienced nation-state-backed actor, and Mustang Panda, another proficient China-based cyber espionage threat actor. CPR named this campaign Twisted Panda to reflect the sophistication of the tools observed and the attribution to China.
The hackers use new tools, which have not previously been described: a sophisticated multi-layered loader and a backdoor dubbed SPINNER. These tools are in development since at least March 2021 and use advanced evasion and anti-analysis techniques such as multi-layer in-memory loaders and compiler-level obfuscations.
Sophisticated threat actors clearly want better return on investment from their development. A modular backdoor from China used by a number of threat actors, takeaways include:
Pangolin8RAT could be the next gen PlugX/ShadowPad
Tianwu might operate as: a collaborator of APT41, a subgroup of APT41, or a digital quartermaster of Chinese APTs
Colson Wilhoit,Alex Bell,Rhys Rustad-Elliott and Jake King drop their analysis along with some solid detection trade-craft.
The first area of opportunity we witnessed while testing was the behavior we observed during the initial execution of the malware, specifically its working directory, in a shared memory location /dev/shm. This is a native temporary filesystem location in Linux that uses RAM for storage, and a binary executing from it let alone generating network connections is fairly uncommon in practice.
During execution, BPFDoor removes existing files from /dev/shm and copies itself there prior to initialization. A detection for this would be any execution of a binary from this directory as root (you have to be root to write to and read from this directory).
Cozy Smuggled Into the Box: APT29 Abusing Legitimate Software for Targeted Operations in Europe
Russia going after European targets with an implant a number of us have seen over the last while.
The misuse of legitimate webservices is in attempt to evade the detection from automatic analysis software. Recently, third-party researchers have also reported it used Trello and its REST API to simulate a first-level Command & Control server. In addition to this evasion attempt, as we are going to discuss later, the side-loaded DLL tries to unhook the windows libraries loaded in the process memory to evade possible EDRs.
To maximize the chances of success, Nobelium,in at least two cases, sent spear-phishing emails from spoofed or compromised government addresses. As initial access we identified the following attack vectors:
The first approach involves the distribution of an IMG file which, when mounted, contains an LNK shortcut and the signed software with the other DLLsand a decoy PDF as hidden files. This attack vector lures the user through a masquerading technique by changing the LNK file icon to a folder icon in order to convince the user to click on it. In fact, once triggered, the cmd.exe utility is invoked to run the signed executable and to start the side-loading of the malicious DLL (i.e. AcroSup.dll).
The second approach involves the usage of the EnvyScout dropper that is basically an HTML file with an embedded JavaScript designed to decode and drop the next-stage payload (HTML Smuggling). In fact, once the HTML file is executed, the JavaScript code decodes a bytes array and saves the result under an archive in the Download directory. In this case, the user is responsible to unzip the archive (that contains the signed software, the relative DLL’s and the lure PDF) and to run manually the executable to start the chain (even if the JavaScript code contains unused snippet for automating the process).
The EnvyScout dropper was used by this threat actor in different campaigns. From mid-January 2022 weinternally reported different Nobelium-linkedcampaigns against European entities that leveraged fairly complex kill-chain started with EnvyScout as well.
HUI Loaderの分析 - Analysis of HUI Loader as used by APT10
Japanese reporting on a Chinese threat actor and their malicious code loader which has been in use since 2015 and still in use today! APT sweating the asset.
HUI Loader is a loader that has been used for a long time while being updated little by little from around 2015. It is expected that it will continue to be used in the future.
What happens if you are a Cyber Threat Intelligence company in Switzerland and Turkey? Well you get to produce this report apparently by gaining ‘visibility’ into adversary infrastructure.
We obtained visibility into critical elements of the group’s infrastructure and collected vital data on its kill chain, as shown below
Our infrastructure analysis revealed a great deal of exclusive, never-before-seen information regarding the group and its technical infrastructure, in addition to the following information :
Highly-secret credentials/documents for at least 30+ victims.
400+ different binaries including BazarLoader, Qbot, PowerShell scripts, Cobalt Strike beacons, executable files, exploits, and custom toolkits.
VPN and file transfer tool’s configurations files.
750+ victim’s kerberos tickets, domain admin passwords, hashes, etc. • Anonymous credentials used for operational needs.
5 bitcoin addresses likely owned by a threat actor who plays a role processing victim payments.
Phishing Campaign Delivering Three Fileless Malware: AveMariaRAT / BitRAT / PandoraHVNC – Part I
Xiaopeng Zhang documents file less malware which is an Excel file which uses VBA, which accesses a remote .htm file using mshta which has JavaScript within. So not entirely file less in reality.
We captured a phishing campaign that was delivering three fileless malware onto a victim’s device. Once executed, they are able to steal sensitive information from that device.
..
[which] obtains three fileless malware in a huge downloaded PowerShell file to bypass detection, and how these are later deployed and executed inside the target processes through Process Hollowing. These three fileless malware are AveMariaRAT / BitRAT / PandoraHVNC.
filesyncshell.dll hijacking? Briefing on the latest APT-C-24 Rattlesnake attack activity
Chinese reporting on an Indian threat actor against China itself. The quality assurance processes meant it didn’t detonate successfully in the target.
We recently captured a slightly unusual incident of attack activity. The attack was launched by the APT-C-24 (Sidewinder) organization, which changed the previous attack framework and used a new attack method and process. Interestingly, in this attack activity, due to the software version, the attack activity could not be completed normally according to the normal code execution logic. It seems that our old friend Sidewinder APT organization is not completely synchronized with the Chinese environment in the code testing environment.
The BlackByte ransomware group is striking users all over the globe
Useful trade craft insight and clear usage of living off the land binaries.
[We have] been monitoring the BlackByte Ransomware Group for several months, infecting victims all over the world, from North America to Colombia, Netherlands, China, Mexico and Vietnam.
BlackByte updated its leak site with a new design and new victims and is still actively exploiting victims worldwide.
The attack usually starts with a network entry point, either a previously compromised host or a software vulnerability which is exploitable from the network. The former compromised host elevates local and domain account privileges and moves laterally by using standard penetration testing and legit administrator tools (LoLBins). In most incidents, they like to use the AnyDesk remote management software to control victim machines.
Rust Supply-Chain Attack Infects Cloud CI Pipelines with Go Malware
Juan Andrés Guerrero-Saade provides details on a software library repository supply chain attack. The contagion risk to the upstream of this style of attack is vast and one that I sense we really haven’t got a full handle on today.
[We] investigated a supply-chain attack against the Rust development community that we refer to as ‘CrateDepression’.
On May 10th, 2022, the Rust Security Response Working Group released an advisory announcing the discovery of a malicious crate hosted on the Rust dependency community repository.
The malicious dependency checks for environment variables that suggest a singular interest in GitLab Continuous Integration (CI) pipelines.
Infected CI pipelines are served a second-stage payload. We have identified these payloads as Go binaries built on the red-teaming framework, Mythic.
Given the nature of the victims targeted, this attack would serve as an enabler for subsequent supply-chain attacks at a larger-scale relative to the development pipelines infected.
We suspect that the campaign includes the impersonation of a known Rust developer to poison the well with source code that relies on the typosquatted malicious dependency and sets off the infection chain.
Mars Stealer is an information-stealing malware that first appeared on hacking forums in June 2021, a year after its predecessor Oski Stealer was discontinued in June 2020. Mars Stealer can target or ‘support’ over 50 crypto wallets and extensions, is multi-functional, and avoids detection. In addition, it’s low price on the malware market has generated significant attention from threat actor(s) who are looking to add the effective malware into their arsenal.
Mars Stealer is the latest version of Oski Stealer, which was discontinued in June 2020.
NetSupport RAT (Remote Access Tool), or client32.exe, was embedded in a ChromeSetup.exe file and used by an attacker to gain access to a victim’s workstation for further deployment of tools needed to plant Mars Stealer.
An executable with the original filename 3uAirPlayer was used to deploy obfuscated AutoIt scripts with Mars Stealer embedded inside and a renamed version of AutoIt to evade detections.
The persistence mechanism was created to make sure the attacker(s) maintain access to NetSupportManager as a backdoor.
Mars Stealer can self-delete itself after successfully exfiltrating the victim’s data, leaving no trace behind.
A closer look at Eternity Malware - Threat Actors Leveraging Telegram To Build Malware
Cyber crime adopts chat bots to build malware. How very customer focused!
Interestingly, individuals who purchase the malware can utilize the Telegram Bot to build the binary. The TAs provide an option in the Telegram channel to customize the binary features, which provides an effective way to build binaries without any dependencies.
Further malicious activity targeting macOS which looks like it is pay-per-install on behalf of various actors.
The newly discovered Swift-based dropper exhibits many of the characteristics of typical dropper malware, including some minor system fingerprinting, endpoint registration and persistence. The second stage download and execute the functionality of droppers, in general, represent a risky class of malware that support a number of second-stage attacks — from malware to spyware, to adware.
[We] identified 2 ransomware payloads, identified as Yashma and ONYX, that containreused code strains from Chaos ransomware, which was first reported in 2021.
Recently, threat actors deploying ONYX posted news on their intrusion into 6 organizations.
After further assessment, [we] have moderate confidence that these payloads were codedthrough builder tools and lack sophistication of other strains. There is a risk of new variants appearing in the coming months.
Gergely Revay and Shunichi Imano outline that a ransomware group has sided with the Russian state. Turns out it isn’t ransomware - but a wiper dressed up to look like one.
[We] recently came across a variant of the Chaos ransomware that appears to side with Russia. This blog explains the vicious consequences that the Chaos variant delivers to a compromised machine.
The Chaos ransomware variant that this blog covers is unique in the sense that the attacker has no intention of providing a decryption tool or file recovery instructions for its victims to recover their affected files.
The Goot cause: Detecting Gootloader and its follow-on activity
I have been covering these Search Engine Optimization (SEO) attacks to distribute malware for the last few weeks, turns out this week is no exception. This is a great analysis of the end-to-end attack chain by Tony Lambert.
We’ve increasingly observed Gootloader operators using search engine optimization (SEO) poisoning tactics to gain access to victims’ environments and initiate multi-pronged intrusions involving follow-on payloads such as Cobalt Strike and Gootkit.
Rise in XorDdos: A deeper look at the stealthy DDoS malware targeting Linux devices
Linux focused threat using SSH brute forcing as the initial access vector and then deploying a modular implant. Tim will have happy this week! (Hi Tim!).
In the last six months, we observed a 254% increase in activity from a Linux trojan called XorDdos. First discovered in 2014 by the research group MalwareMustDie, XorDdos was named after its denial-of-service-related activities on Linux endpoints and servers as well as its usage of XOR-based encryption for its communications.
XorDdos uses evasion and persistence mechanisms that allow its operations to remain robust and stealthy. Its evasion capabilities include obfuscating the malware’s activities, evading rule-based detection mechanisms and hash-based malicious file lookup, as well as using anti-forensic techniques to break process tree-based analysis.
H. Carvey revisits USB forensics on Windows 10 which highlights a configuration change may be required to have the most impact.
Also, in researching information for this topic, I found that the EMDMgmt key in the Software hive, which is associated with ReadyBoost and provided insight into USB-connected devices, is no longer available either.
From a forensic perspective, if you're interested in tracking USB devices connected to systems, I'd recommend enabling the Microsoft-Windows-DriverFrameworks-UserMode/Operational Event Log, forwarding those event records off of the system (for processing via a SIEM).
A new player has entered (against Microsoft Sysmon for Linux and others..) but also container aware.
Tetragon detects and is able to respond in real time to security-significant events, such as
Process execution events
Changes to privileges and capabilities
I/O activity including network & file access
When used in a Kubernetes environment, Tetragon is Kubernetes-aware - that is, it understands Kubernetes identities such as namespaces, pods and so-on - so that security event detection can be configured in relation to individual workloads.
UNSW-NB15: a comprehensive data set for network intrusion detection systems
To train those machines or make IDS bleed..
UNSW-NB15 is a network intrusion dataset. It contains nine different attacks, includes DoS, worms, Backdoors, and Fuzzers. The dataset contains raw network packets. The number of records in the training set is 175,341 records and the testing set is 82,332 records from the different types, attack and normal.
A STIX 2.1 Extension Definition for the Course of Action (COA) object type
You can see the potential value in this, but also wonder if it is too complex / risky to really use. I do however hope COA or similar grow as if shared they are really valuable to less capable blueteams.
This repository includes a STIX 2.1 nested property extension that augments the Course of Action (COA) STIX Domain Object (SDO) type to enable describing, embedding, storing, and sharing machine-readable security playbooks and orchestration workflows.
Alex Reid outlines how XLL files can be used in phishing campaigns. We have seen a number of commercial Red Teams use these.
With Microsoft's recent announcement regarding the blocking of macros in documents originating from the internet (email AND web download), attackers have began aggressively exploring other options to achieve user driven access (UDA).
XLL's are DLL's, specifically crafted for Microsoft Excel. To the untrained eye they look a lot like normal excel documents.
PPID Spoofing & BlockDLLs with NtCreateUserProcess
Rasta Mouse provided minimum code to avoud CreateProcess and yet still achieve Parent Process ID (PPID) spoofing.
This week, Capt. Meelo released a great blog post on how to call the NtCreateUserProcess API as a substitute for the typical Win32 CreateProcess API. This post will build upon Meelo’s, so I highly encourage you to read it first.
Security Notice: SMA 1000 Series Unauthenticated Access Control Bypass
The SonicWall Product Security & Incident Response Team (PSIRT) has verified and patched the following vulnerabilities that impact Secure Mobile Access (SMA) 1000 series products (see product list and impacted firmware versions below).
Unauthenticated access control bypass
Use of hard-coded/shared cryptographic key
URL redirection to an untrusted site (open redirection)
We expected it and now it is happening.. who and for what purpose will become evidence in the fullness of time.
As of 14-May-22, GreyNoise has observed 173 unique IP addresses attempting to exploit the F5 BIG-IP iControl REST Authentication bypass vulnerability in the wild.
Observed exploit techniques include a large number of file requests, credential stuffing, and admin user creation.
Download the latest list of IPs trying to exploit this vulnerability here, for use in analysis and temporary blocking
Exploiting Cisco RV340 router at Pwn2Own Austin 2021
If there were any left unpatched they will be compromised pretty soon..
At the 2021 Pwn2Own Austin, our offensive research team, Team Orca, successfully exploited the Cisco RV340 router. In this article, we will go into the details of the vulnerabilities we identified.
Clement Lecigne and Christian Resell detail three in the wild campaigns against Android. Shows that such chains exist, some are sold etc.
The first campaign, detected in August 2021, used Chrome on a Samsung Galaxy S21 and the web server immediately replied with a HTTP redirect (302) pointing to the following intent URL. This URL abused a logic flaw and forced Chrome to load another URL in the Samsung Browser without user interaction or warnings.
We assess with high confidence this vulnerability was sold by an exploit broker and probably abused by more than one surveillance vendor.
..
In September 2021, TAG detected a campaign where the exploit chain was delivered to a fully up-to-date Samsung Galaxy S10 running the latest version of Chrome. We recovered the exploit used to escape the Chrome Sandbox, but not the initial RCE exploit.
..
In October 2021, we detected a full chain exploit from an up-to-date Samsung phone running the latest version of Chrome.
The chain included two 0-day exploits:
CVE-2021-38003: A Chrome renderer 0-day in JSON.stringify allowing the attacker to leak TheHole value and fully compromise the renderer.
CVE-2021-1048: Unlike the previous campaign, the sandbox escape used a Linux kernel bug in the epoll() system call. This system call is reachable from the BPF sandbox and allows the attacker to escape the sandbox and compromise the system by injecting code into privileged processes. More information can be found in this RCA by Jann Horn.
Artificial Intelligence and Cybersecurity - CEPS (a leading think tank and forum for debate on EU affairs) launched a Task Force on Artificial Intelligence and Cybersecurity in the autumn of 2019, to consider the technical, ethical, market and governance challenges posed by the intersection of AI and cybersecurity.
