

Bluepurple Pulse: week ending May 7th
When a criminal breach leads to the root of trust in 57 computing products from one vendor to be 🔥
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally there is a lot going on this week, as you will see below. The callout is the release of data from the MSI breach (MSI being a PC OEM and motherboard maker). The released data includes Firmware Image Signing Keys for 57 products and Intel BootGuard BPM/KM keys for 166 products. That is the root of trust gone for devices built on those products (more below).
In the high-level this week:
Rob Joyce (Director of Cyber Security for NSA) features in this podcast (starts at 19:40) discussing co-operation/collaboration with industry via the NSA’s Cyber Collaboration Centre etc. and the epiphanies they’ve had along the way - I also like to think the UK’s i100 has inspired a little.
Related - Partnerships Power Cyber Readiness - how the DoD CIO, NSA Director and Defense Information Systems Agency Director collaborate daily - at 7am I may add.
Merck’s Insurers On the Hook in $1.4 Billion NotPetya Attack, Court Says - sense prevails.
Statement from Secretary Mayorkas on the Cyber Safety Review Board’s Review of Inaugural Proceedings and the Biden-Harris Administration’s Legislative Proposal to Codify the Board - Codifying the Board into law will guarantee that the Board remains a permanent fixture in our cybersecurity ecosystem and continues its work to strengthen the cybersecurity of critical infrastructure owners and operators, no matter their size, location, or sector.
Mind the Gap in Standardisation of Cybersecurity for Artificial Intelligence - The European Union Agency for Cybersecurity (ENISA) published an assessment of standards for the cybersecurity of AI and issues recommendations to support the implementation of upcoming EU policies on AI
Securing the 2024 Election - from The Brennan Center for Justice. Outlines their recommendations for the upcoming 🇺🇸 elections. The recommendations are on the whole sensible and could be adopted by various other democratic countries at both national and local levels.
Starting gun fired on preparations for new product security regime in the 🇬🇧 - The world-leading Product Security and Telecommunications Infrastructure (Product Security) Regime will come into effect one year from today on 29 April 2024
Chinese hackers outnumber FBI cyber agents by 'at least 50 to 1': FBI director - To give you a sense of what we’re up against, if each one of the FBI’s cyber agents and intel analysts focused exclusively on the China threat — on nothing but China — Chinese hackers would still outnumber FBI cyber personnel by at least 50 to 1
Cyberattacks increased in Japan ahead of G7 meeting about AI risks, digital infrastructure - South China Morning Post
G7 should adopt 'risk-based' AI regulation, ministers say.
Related: the full-text Ministerial Declaration of the G7 Digital and Tech Ministers’ Meeting, 30 April 2023 - It is also important to extend secure and resilient digital infrastructure to like-minded partners, including developing and emerging economies. Developing secure and resilient digital infrastructure globally requires awareness raising of network security, data protection and cloud resilience and thus it is important to strengthen our collective effort to support developing countries in promoting network security including through capacity building.
Continuity or change? The role of cyberspace in future armed conflicts - The second observation is that the assistance of Western allies, including private companies, played a significant role in limiting the effectiveness of Russian cyberattacks.
Japan Boosting Efforts to Increase Cyber Defense Personnel - Japan's Defense Ministry is boosting efforts to increase cyber defense personnel at the Self-Defense Forces to some 20,000 over the next five years. - wowsers that is some scale.
US Navy Cyberspace Superiority Vision - from October, but I missed it then - We envision a Navy and Marine Corps performing joint operations in the cyber domain and achieving cyberspace superiority at a combatant commander’s designated time and place.
Boards Are Having the Wrong Conversations About Cybersecurity - a high-level article which, by virtue of the publication, will be read. It is wisdom which can be summarized as the points below. I also learnt anyone can submit to HBR:
Board interactions with the CISO are lacking
Boards focus on protection when they need to focus on resilience
Boards view cybersecurity as a technical topic, but it has become an organizational and strategic imperative
The composition of most boards today creates additional vulnerability when it could create stronger oversight
Failing to show that cybersecurity is a priority for the board sends an unwanted message
Digital platform services inquiry - March 2023 interim report - from 🇦🇺 - discusses security concerns via platforms such as Tiktok and similar.
Jeb Bush’s private equity group held talks over selling NSO technology in US - The discussions between Bush’s firm Finback Investment Partners and NSO’s owners Novalpina Capital took place in 2020
China Spy Law Adds to Chilling Effect of Detentions - One concern for foreign executives is that the revised law allows authorities to inspect the facilities and electronic equipment of organizations as well as digital devices such as smartphones and laptops belonging to individuals suspected of spying - for any organizations operating in country this will need to be a key consideration.
U.S. Army Cyber Command supports first workshop with Kenya Defense Forces - Representatives of U.S. Army Cyber Command were part of a 13-member U.S. delegation that supported U.S. Africa Command’s first Kenyan Cyber Workshop at the Kenyan Military Intelligence Corps Headquarters - this is what the race for the Global South looks like in cyber resilience terms.
Privacy commissioner role separated once more, needs ‘double funding’ to do job well - from 🇦🇺 - Attorney-general Mark Dreyfus announced the government has opened recruitment for a standalone privacy commissioner, a role previously held as a dual role by the Australian information commissioner - very interesting that 🇦🇺 are clearly splitting these roles.
UK’s new Fraud Strategy - interesting as it calls on the UK’s Cyber Security Centre in various guises e.g. NCSC's new national "Share and Defend" hub will stop millions of fraud attempts from ever reaching consumers.
India blocks 14 apps in Jammu and Kashmir for spreading terror - Crypviser, Enigma, Safeswiss, Wickrme, Mediafire, Briar, BChat, Nandbox, Conion, IMO, Element, Second line, Zangi, Threema among others.
The reflections this week come from reading the book Striking Back: The End of Peace in Cyberspace - And How to Restore It: How the West is Failing on National Security and the role of international laws and norms. The book highlights how we (the West) adhere to various constraints set by these forums yet our adversaries do not, whilst we try to impose cost for doing so. In response some nation states expand definitions in such forums to justify their un-peace activities. I am no international relations person but this appears to be 4D chess on level: hard. The book is a good summary of the journey we have been on. Although I am not sure I agree exploiting four zero-days in an operation is that technically impressive given pwn2own/Pegasus etc. The punchline suggestion of the book is punctuated deterrence - basically punishment via cyber operations for stepping out of line.
On the interesting job/role front:
Cybersecurity Researcher Consultant - at the International Telecommunications Union, Remote.
Cyber Threat Intelligence Analyst at Delta, Atlanta Georgia
Senior Cyber Threat Intelligence Analyst at Paramount (the movie people), remote
Senior Cyber Threat and Vulnerability Analyst at the UK Home Office
Lead Threat Intelligence Analyst - at BAE, UK
Bhutan: Advisory Support on National Cyber Security Strategy Development and CII Protection - more a contract - advertised by the World Bank
Have a lovely Thursday
Ollie
Cyber threat intelligence
Who is doing what to whom and how.
Russia
WinRAR as a "cyberweapon". Destructive cyberattack UAC-0165 (probably Sandworm) on the public sector of Ukraine using RoarBat
Destructive operation which started with a VPN that required only single factor authentication.
Access to the IKS of the object of the attack was allegedly obtained by connecting to a VPN using compromised authentication data.
https://cert.gov.ua/article/4501891
APT28 cyberattack: distribution of emails with "instructions" on "updating the operating system"
Masquerading of sysadmins specifically in the spoof emails shows a degree of reconnaissance capability on behalf of the Russian state.
During April 2023, the government computer emergency response team of Ukraine CERT-UA recorded cases of the distribution of e-mails with the subject "Windows Update" among government bodies of Ukraine, sent, apparently, on behalf of system administrators of departments. At the same time, e-mail addresses of senders created on the public service "@outlook.com" can be formed using the employee's real surname and initials.
https://cert.gov.ua/article/4492467
Bitcoin in War: OP_RETURN Callouts of Russian Military Bitcoin Addresses
In a now-deleted article, analysis was performed on the claims that specific bitcoin addresses were used by various parts of Russian intelligence. Of note is how much the team who burnt all these addresses spent doing so.
The fact that the OP_RETURN messages appear to have been accurate for three of the addresses lends credibility to the claims against the others as well.
However, our OP_RETURN sender included substantial sums in most of these transactions, burning over $300,000 worth of Bitcoin in total.
Irregular Warfare Podcast: The Digital Bear in Ukraine
A higher level discussion around everything which has gone on by some qualified individuals.
Gavin Wilde is a senior fellow in the Technology and International Affairs Program at the Carnegie Endowment for International Peace and a former director for Russia, Baltic, and Caucasus affairs at the National Security Council. And Jason Kikta served for over twenty years in the United States Marine Corps, including seven years at United States Cyber Command designing and managing the national counter-APT and counter-ransomware missions.
https://mwi.usma.edu/irregular-warfare-podcast-the-digital-bear-in-ukraine/
North Korea
Analysis of APT37's RokRAT espionage activity against South Korea's Ministry of Foreign Affairs
Chinese reporting on North Korea activity, the actual trade-craft is the same we report on week in and week out. The use of pCloud is the novelty.
[We discovered] that the APT37 organization used ISO files to steal secrets from South Korean diplomatic agencies. Its initial attack payload contains two LNK files padded with a large amount of invalid data. After running, it drops the HWP decoy file and a BAT file on the local machine, executes a PowerShell command to download the subsequent payload, finally decrypts RokRAT, which communicates with the legitimate cloud service pCloud and executes the malicious instructions delivered to it.
Chain Reaction: ROKRAT's Missing Link
English reporting on the same threat and the evolution of the threat. It is a nice summary of both the evolution in tradecraft as well as various stages of infection.
ROKRAT has not changed significantly over the years, but its deployment methods have evolved, now utilizing archives containing LNK files that initiate multi-stage infection chains. This is another representation of a major trend in the threat landscape, where APTs and cybercriminals alike attempt to overcome the blocking of macros from untrusted sources. The first sample we will discuss below was first discovered in July 2022, the same month that Microsoft began enforcing this new rule.
The lures used as part of the ROKRAT infections are largely focused on South Korean foreign and domestic affairs. Most of those lures are in Korean, suggesting the targets are Korean-speaking individuals.
Our findings suggest that various multi-stage infection chains used to eventually load ROKRAT were utilized in other attacks, leading to the deployment of additional tools affiliated with the same actor. Those tools include another custom backdoor, GOLDBACKDOOR, and the commodity malware Amadey.
https://research.checkpoint.com/2023/chain-reaction-rokrats-missing-link/
Kimsuky Evolves Reconnaissance Capabilities in New Global Campaign
Tom Hegel evidences once again that the Hermit Kingdom knows how to play long-game operations. Initial access tradecraft is, however, still phishing.
[We] observed ongoing attacks from Kimsuky, a North Korean state-sponsored APT that has a long history of targeting organizations across Asia, North America, and Europe.
Ongoing campaigns use a new malware component we call ReconShark, which is actively delivered to specifically targeted individuals through spear-phishing emails, OneDrive links leading to document downloads, and the execution of malicious macros.
ReconShark functions as a reconnaissance tool with unique execution instructions and server communication methods. Recent activity has been linked to a wider set of activity we confidently attribute to North Korea.
For the deployment of ReconShark, Kimsuky continues to make use of specially crafted phishing emails. Notably, the spear-phishing emails are made with a level of design quality tuned for specific individuals, increasing the likelihood of opening by the target. This includes proper formatting, grammar, and visual clues, appearing legitimate to unsuspecting users. Notably, the targeted emails, which contain links to download malicious documents, and the malicious documents themselves, abuse the names of real individuals whose expertise is relevant to the lure subject such as Political Scientists.
https://www.sentinelone.com/labs/kimsuky-evolves-reconnaissance-capabilities-in-new-global-campaign/
DPRK Facilitators Charged and Sanctioned, Shedding Light on North Korean Crypto Money Laundering Processes
Showing how North Korea washed its digital currencies through blockchain analysis. It should be noted that Government indictments provided the insights which allowed this analysis to be performed.
DPRK actors leveraged mixing services to obfuscate the origin of ill-gotten funds, as well as decentralized exchanges. These funds then went to Wu’s and Sim’s wallets, and other OTC markets.
https://blog.chainalysis.com/reports/ofac-dprk-north-korea-sanctions-april-2023/
China
Attack on Security Titans: Earth Longzhi Returns With New Tricks
Ted Lee and Hara Hiroaki detail the latest Chinese campaign. Note that initial access is not via phishing but instead via exploitation of Exchange and IIS servers. We have reported on some of these techniques previously, but this shows they continue to yield.
We discovered a new campaign by Earth Longzhi (a subgroup of APT41) that targets organizations based in Taiwan, Thailand, the Philippines, and Fiji. This recent campaign, which follows months of dormancy, abuses a Windows Defender executable to perform DLL sideloading while also exploiting a vulnerable driver, zamguard64.sys, to disable security products installed on the hosts via a bring-your-own-vulnerable-driver (BYOVD) attack. We also found that Earth Longzhi uses a new way to disable security products, a technique we’ve dubbed “stack rumbling” via Image File Execution Options (IFEO), which is a new denial-of-service (DoS) technique.
The Rise of the Chinese Dark Web: Deepmix to Chang'an
Or Shichrur and Yuval Shnitzer provide some insight into the dark web in China. It’s very high-level and you can imagine various Western cyber threat intelligence companies now piling into these platforms.
The monitoring on Western Forums could be the catalyst for a shift of non-Chinese speakers towards the Chinese dark web. This shift could lead to a change in which victims are being targeted, with an increasing likelihood of Eastern victims being targeted.
Western agencies’ lack of regulation and oversight on the Chinese dark web trading market offers a “safe” ecosystem for Western Threat Actors to carry out their activities.
We delve into the current rivalry between two of the leading Chinese underground dark web forums, Deepmix (in Chinese: 暗网中文论坛) and Chang’an (in Chinese: 长安不夜城). Both forums allegedly prioritize the safety and anonymity of their users, while simultaneously accusing each other of fraud and theft.
https://cyberint.com/blog/research/the-rise-of-the-chinese-dark-web-deepmix-to-changan/
Iran
Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy
Kyle Schmittle, Alemdar Islamoglu, Paul Shunk and Justin Albrecht provide an interesting insight into Iranian mobile targeted operations. Of note is the fact that side loading was likely used to install the implants. The implants themselves seem rushed and not designed to withstand Western cyber threat intelligence researchers.
Based on our analysis of exfiltrated data from C2 servers for the spyware, BouldSpy has victimized more than 300 people, including minority groups such as Iranian Kurds, Baluchis, Azeris, and possibly Armenian Christian groups. The evidence we have gathered implies that the spyware may also have been used in efforts to counter and monitor illegal trafficking activity related to arms, drugs, and alcohol.
We believe FARAJA uses physical access to devices, likely obtained during detention, to install BouldSpy to further monitor the target on release. In our research, we obtained and reviewed a large quantity of exfiltrated data that included photos and device communications, such as screenshots of conversations, recordings of video calls, as well as SMS logs.
https://security.lookout.com/blog/iranian-spyware-bouldspy
Rinse and repeat: Iran accelerates its cyber influence operations worldwide
Cyber-enabled information operations by Iran continue and this reporting gives a sense of the scale. As was reported last week, China is also doing cyber-enabled IOs, and Russia has a long history of them. This blended tradecraft seems the chef's kiss of state cyber craft at the moment (also see the analysis in the footnotes).
Though Iran’s techniques may have changed, its targets have not. These operations remain focused on Israel, prominent Iranian opposition figures and groups, and Tehran’s Gulf state adversaries. More broadly speaking, Iran directed nearly a quarter (23%) of its cyber operations against Israel between October of 2022 and March of 2023, with the United States, United Arab Emirates, and Saudi Arabia also bearing the brunt of these efforts.
Iranian cyber actors have been at the forefront of cyber-enabled IO, in which they combine offensive cyber operations with multi-pronged influence operations to fuel geopolitical change in alignment with the regime’s objectives. The goals of its cyber-enabled IO have included seeking to bolster Palestinian resistance, fomenting unrest in Bahrain, and countering the ongoing normalization of Arab-Israeli ties, with a particular focus on sowing panic and fear among Israeli citizens.
Iran has also adopted cyber-enabled IO to undercut the momentum of nationwide protests by leaking information that aims to embarrass prominent regime opposition figures or to expose their “corrupt” relationships.
The 1877 Team - A Kurdish Hacker Group on the Rise
Fascinating insight into a threat actor which is under-reported, albeit their initial access tradecraft is rather basic. But most countries in the modern era started this way, and it is interesting that even groups you wouldn’t expect to be able to organize cyber operations are executing them in 2023.
The 1877 Team focuses on two simple techniques to gain access to foreign infrastructure:
scans of web pages for particular vulnerabilities;
brute-forcing administrator credentials.
Targets include political entities and popular software/services. Their attacks often involve website defacements, DDoS attacks, and leaks of sensitive information.
https://www.silentpush.com/blog/the-1877-team-a-kurdish-hacker-group-on-the-rise
LOBSHOT, an hVNC malware family spreading through Google Ads
Daniel Stepanic details a campaign which is using malvertising with some success for criminal purposes.
Adversaries continue to abuse and increase reach through malvertising such as Google Ads by impersonating legitimate software
Elastic Security Labs is shedding light on an undiscovered hVNC malware that has been quietly collecting a large install base
This malware we are calling LOBSHOT appears to be leveraged for financial purposes employing banking trojan and info-stealing capabilities
https://www.elastic.co/security-labs/elastic-security-labs-discovers-lobshot-malware
Magecart threat actor rolls out convincing modal forms
Jérôme Segura gives insight into the precision and technical capabilities some cyber criminals have in their fraud enabling campaigns.
We identified a compromised online website for a Parisian travel accessory store running on the PrestaShop CMS. A skimmer we previously identified as Kritec, was injected and loading malicious JavaScript that altered the checkout process.
The malicious modal is built very cleanly and contains an animation that displays the store's logo in the middle and then moves it back up.
We now believe this Kritec skimmer is part of the same compromises with injections into vulnerable websites where malicious code is placed within the Google Tag Manager script. It is possible multiple threat actors are involved in those campaigns and customizing skimmers accordingly.
https://www.malwarebytes.com/blog/threat-intelligence/2023/04/kritec-art
SparkRAT, which is included in domestic VPN installation files and is being distributed
South Korean reporting on a surprise gift in a VPN installer. Further evidence that some VPN operators are shady.
[We] confirmed that SparkRAT is included in the installer of a certain VPN program and is being distributed. SparkRAT is a Remote Administration Tool (RAT) developed in the Go language that, when installed on a user's system, executes remote commands, collects information about the infected system including screenshots, controls files and processes, and downloads additional payloads.
Breach Report Collection
Will does a great job pulling this together. 17 reports currently; a larger collection of these would be super useful.
A collection of companies that disclose adversary TTPs after they have been breached
Useful for analysis of intrusions launched by adversaries with measurable effects and impact
https://github.com/BushidoUK/Breach-Report-Collection
Discovery
How we find and understand the latent compromises within our environments.
Detecting and decrypting Sliver C2 – a threat hunter's guide
Kevin Breen drops the wisdom in this walk through on how to detect and analyze Sliver.
[We have] taken a closer look at Sliver and identified some methods that incident responders can use to detect Sliver through file, memory, and network artifacts.
This report details these technical findings and the detection engineering process we used to discover them.
https://www.immersivelabs.com/blog/detecting-and-decrypting-sliver-c2-a-threat-hunters-guide/
RATs Race: Detecting remote access tools beyond pattern-based indicators
Alex Teixeira provides a practical guide on how to detect legitimate remote access tools which may be deployed by threat actors in your estate.
This is a post to highlight the importance of rich telemetry and how it serves well for strengthening alert signals when coupling static pattern with behavioral & anomaly based indicators to detect RAT and RMM tools.
Procedural Detections to Uncover PsExec Style Lateral Movement
Ankith Bharadwaj provides very useful detection engineering which will disrupt a number of threat actors' tradecraft.
In this post, I propose several procedural detections that can help uncover the multitude of tools and frameworks that mimic PsExec style lateral movement behavior. As we’ll be operating at the highest level of the Pyramid Of Pain, this could in-turn help detect novel or custom tools that exhibit such behavior in the future.
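The idea of a procedural (rather than name-based) detection for the behaviour above, as an added example that is not code from the post: every PsExec clone on the target host writes an executable to the ADMIN$ share (Security event 5145 with WriteData access) and then has the Service Control Manager install a service whose ImagePath names that binary (System event 7045); opening the svcctl named pipe over IPC$ is corroboration. The event dicts are a simplified shape and the sample records are constructed, not real logs.

```python
"""Procedural detection of PsExec-style lateral movement (added example, not from the post).

Correlates, per target host, an executable written to ADMIN$ (event 5145, WriteData)
with a service installation (event 7045) whose ImagePath names that same binary within
a short window, regardless of what the tool or service is called. Event records are
simplified dicts; SAMPLE_EVENTS below is constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath
import re

WINDOW = timedelta(seconds=60)   # max gap between the share write and the service install

SAMPLE_EVENTS = [  # constructed sample data, not real logs
    {"ts": "2023-05-04T10:00:01", "id": 5145, "host": "FS01", "src": "10.0.0.7",
     "ShareName": "\\\\*\\ADMIN$", "RelativeTargetName": "updsvc.exe", "AccessMask": "0x2"},
    {"ts": "2023-05-04T10:00:02", "id": 5145, "host": "FS01", "src": "10.0.0.7",
     "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "svcctl", "AccessMask": "0x12019f"},
    {"ts": "2023-05-04T10:00:03", "id": 7045, "host": "FS01",
     "ServiceName": "updsvc", "ImagePath": "%SystemRoot%\\updsvc.exe"},
    # benign: service installed from a local path, nothing written to ADMIN$ first
    {"ts": "2023-05-04T11:30:00", "id": 7045, "host": "WS22",
     "ServiceName": "Backup", "ImagePath": "\"C:\\Program Files\\Backup\\bksvc.exe\" -svc"},
    # benign: a file lands on ADMIN$ but no service follows
    {"ts": "2023-05-04T12:00:00", "id": 5145, "host": "FS02", "src": "10.0.0.9",
     "ShareName": "\\\\*\\ADMIN$", "RelativeTargetName": "notes.txt", "AccessMask": "0x2"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _image_name(image_path):
    """Binary file name from a 7045 ImagePath, ignoring quoting and arguments."""
    m = re.match(r'^"([^"]+)"|^(\S+)', image_path.strip())
    return ntpath.basename(m.group(1) or m.group(2)).lower()


def detect_psexec_style(events, window=WINDOW):
    """Return one alert per (ADMIN$ write -> matching service install) pair."""
    writes = defaultdict(list)     # host -> [(ts, filename, source ip)]
    scm_pipe = defaultdict(list)   # host -> [(ts, source ip)] svcctl opens over IPC$
    for e in events:
        if e.get("id") != 5145:
            continue
        share = e["ShareName"].upper()
        if share.endswith("ADMIN$") and int(e["AccessMask"], 16) & 0x2:   # 0x2 = WriteData
            writes[e["host"]].append((_ts(e), ntpath.basename(e["RelativeTargetName"]).lower(), e["src"]))
        elif share.endswith("IPC$") and e["RelativeTargetName"].lower() == "svcctl":
            scm_pipe[e["host"]].append((_ts(e), e["src"]))

    alerts = []
    for e in events:
        if e.get("id") != 7045:
            continue
        host, image, t = e["host"], _image_name(e["ImagePath"]), _ts(e)
        for wts, fname, src in writes.get(host, []):
            # the service binary must be the file that just arrived over ADMIN$
            if fname == image and timedelta(0) <= t - wts <= window:
                alerts.append({
                    "host": host, "src": src, "service": e["ServiceName"], "binary": image,
                    "scm_pipe": any(psrc == src and abs(t - pts) <= window
                                    for pts, psrc in scm_pipe.get(host, [])),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_psexec_style(SAMPLE_EVENTS):
        print(alert)
```

Event 5145 requires File Share object-access auditing to be enabled on the target hosts; without it only the 7045 half is visible and the correlation degrades to "service installed from %SystemRoot%", which is far noisier.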
Defence
How we proactively defend our environments.
The Dual LLM pattern for building AI assistants that can resist prompt injection
Simon Willison wrestles with the prompt injection class of vulnerability but with some real practical caveats.
So, if it turns out we can’t solve this class of vulnerabilities against the design of existing Large Language Models, what’s a safe subset of the AI assistant that we can responsibly build today? I have a proposal for this.
..
You may have noticed something about this proposed solution: it’s pretty bad!
Building AI assistants in this way is likely to result in a great deal more implementation complexity and a degraded user experience.
https://simonwillison.net/2023/Apr/25/dual-llm-pattern/
AIMOD2
A high-level framework for threat hunting. Conceptually interesting; it will be interesting to hear case studies of its actual application.
Adversarial Interception Mission Oriented Discovery and Disruption Framework, or AIMOD2, is a structured threat hunting approach to proactively identify, engage and prevent cyber threats denying or mitigating potential damage to the organization.
https://github.com/darkquasar/AIMOD2
Introducing HASH: The HTTP Agnostic Software Honeypot framework
Eslam Salem and team drop a capability which will be materially useful for quickly emulating vulnerable HTTP services. It will be interesting to see how this is used in practice and how configurations are shared.
We developed a framework to make it easy to mimic HTTP-based software with just a couple of YAML files.
https://securitylabs.datadoghq.com/articles/hash-honeypot-framework/
Understanding Windows Lateral Movements Remake!
Daniel López Jiménez and Manuel León update this presentation on various lateral movement techniques. A useful reference guide for cyber defense teams.
https://attl4s.github.io/assets/pdf/Understanding_Windows_Lateral_Movements_2023.pdf
Want to discover the full extent of your SaaS sprawl? Embrace browser extensions
Luke Jennings discusses the tradeoffs in approach.
https://pushsecurity.com/blog/want-to-discover-the-full-extent-of-your-saas-sprawl-embrace-browser/
Vulnerability
Our attack surface.
MSI (motherboard OEM) announced a significant data breach and data now public
Covered at the top, this is the detail of the impacted devices.
a vast number of private keys that could affect numerous devices - Firmware Image Signing Keys: 57 products and Intel BootGuard BPM/KM Keys: 166 products
https://github.com/binarly-io/SupplyChainAttacks/blob/main/MSI/ImpactedDevices.md
CVE-2023-28771: Zyxel security advisory for OS command injection vulnerability in firewalls
Just terrifying really.
Improper error message handling in some firewall versions could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device.
CVE-2023-21707: Microsoft Exchange Powershell Remoting Deserialization leading to RCE
Nguyễn Tiến Giang (Jang) walks through the exploitation of this vulnerability and the fact it was a variant of a previously discovered one.
Despite the persistence of the underlying bug, the implementation of the ProxyNotShell patch has effectively neutralized the SSRF vulnerability previously present at the autodiscover entrypoint. Consequently, the previous method of sending payloads is no longer viable. Following several days of investigation, I have discovered that it is still possible to access the /powershell entrypoint remotely, albeit with a restriction that limits access exclusively to the HTTP protocol.
CVE-2023-29411: APC by Schneider Easy UPS Online Monitoring Software vulnerabilities
UPS control software: an offensive cyber target here.
Missing Authentication for Critical Function vulnerability exists that could allow changes to administrative credentials, leading to potential remote code execution without requiring prior authentication on the Java RMI interface
Illumina Universal Copy Service
in a DNA sequencer of all things.
Successful exploitation of these vulnerabilities could allow an attacker to take any action at the operating system level. A threat actor could impact settings, configurations, software, or data on the affected product; a threat actor could interact through the affected product via a connected network.
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-23-117-01
Offense
Attack capability, techniques and trade-craft.
BlockOpenHandle
Saad Ahla provides a capability which will blind some EDRs.
Block any process from opening a HANDLE to your process; only SYSTEM is allowed to open a handle to your process. With that you can avoid remote memory scanners.
https://github.com/TheD1rkMtr/BlockOpenHandle
StackCrypt
Saad Ahla provides another capability which also will blind some EDRs.
Create a new thread that will suspend every thread and encrypt its stack, then go to sleep, then decrypt the stacks and resume the threads.
https://github.com/TheD1rkMtr/StackCrypt/
OskSniffer
Grzegorz Tworek shows that ETW can be used for bad as well as good.
Windows on screen keyboard sniffer using ETW
https://github.com/gtworek/PSBits/blob/master/ETW/OskSniffer.c
PE-Obfuscator
Saad Ahla back again with more EDR blinding.
PE obfuscator with Evasion in mind
https://github.com/TheD1rkMtr/PE-Obfuscator
nanodump
Santiago, Antonio Cocomazzi and team are back with an update which will subvert Protected Process Light (PPL) mitigations.
The swiss army knife of LSASS dumping now supports the PPLMedic exploit meaning you can dump LSASS on an up-to-date system with PPL enabled
https://github.com/fortra/nanodump
DCVC2
An example of why C2 detection can be so terribly challenging if threat actors so desire.
A Golang Discord C2 unlike any other. DCVC2 uses RTP packets over a voice channel to transmit all data leaving no operational traces in text chats.
https://github.com/3NailsInfoSec/DCVC2
Spoofcall
Unknown author provides a worked example of spoofing call stacks on Microsoft Windows, which will confuse some EDR telemetry.
jmp_rbx_0 shellcode -> _spoofer_stub.fixup -> test_function -> _spoofer_stub -> MessageBoxA -> jmp_rbx_0 shellcode
https://github.com/helloobaby/spoofcall
Bitlocker attacks
Rairii provides a summary of all the known attacks, which is useful to validate defences against.
A list of public attacks on BitLocker
https://github.com/Wack0/bitlocker-attacks
ETWHash - "[They] who listens, shall receive"
Lefteris Panos is in with the second installment this week of why ETW can be bad as well as good. Novel work here.
ETWHash is a small C# tool used during Red Team engagements, that can consume ETW SMB events and extract NetNTLMv2 hashes for cracking offline, unlike currently documented methods.
https://labs.nettitude.com/blog/etwhash-he-who-listens-shall-receive/
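What the extraction step in the item above amounts to once the NTLMSSP messages are in hand, as an added example that is not ETWHash's own code: given the 8-byte server challenge from the CHALLENGE_MESSAGE (type 2) and the raw AUTHENTICATE_MESSAGE (type 3), emit a hashcat mode 5600 line (user::domain:serverchallenge:ntproofstr:blob). The messages here are constructed locally from a known password so the result can be checked offline; MD4 is implemented inline because many OpenSSL builds ship it disabled, and the field layout follows MS-NLMP.

```python
"""NetNTLMv2 extraction from NTLMSSP messages (added example, not ETWHash's code).

The server challenge comes from the type 2 message, the proof and blob from the
type 3 message. The build_authenticate()/demo() helpers construct the messages
from a known password so that to_hashcat() and check_candidate() can be verified."""
import hashlib
import hmac
import struct

NTLMSSP_NEGOTIATE_UNICODE = 0x00000001


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, pure Python (hashlib's md4 is often unavailable)."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                                   # round 1
            a = rotl((a + f(b, c, d) + x[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 2
            k = (i % 4) * 4 + i // 4
            a = rotl((a + g(b, c, d) + x[k] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & 0xFFFFFFFF, (b + bb) & 0xFFFFFFFF, (c + cc) & 0xFFFFFFFF, (d + dd) & 0xFFFFFFFF
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16le"))


def ntlmv2_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || blob), NTOWFv2 = HMAC-MD5(NT hash, UPPER(user)||domain)."""
    ntowf_v2 = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()
    return hmac.new(ntowf_v2, server_challenge + blob, hashlib.md5).digest()


def build_authenticate(user: str, domain: str, workstation: str, nt_response: bytes) -> bytes:
    """Minimal AUTHENTICATE_MESSAGE (no Version/MIC), payload fields in MS-NLMP order."""
    items = [b"\x00" * 24, nt_response, domain.encode("utf-16le"), user.encode("utf-16le"),
             workstation.encode("utf-16le"), b""]           # LM, NT, Domain, User, Workstation, SessionKey
    fields, payload, offset = b"", b"", 64                  # 8 sig + 4 type + 6*8 fields + 4 flags
    for item in items:
        fields += struct.pack("<HHI", len(item), len(item), offset)
        payload += item
        offset += len(item)
    return b"NTLMSSP\x00" + struct.pack("<I", 3) + fields + struct.pack("<I", NTLMSSP_NEGOTIATE_UNICODE) + payload


def parse_authenticate(msg: bytes) -> dict:
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLMSSP AUTHENTICATE_MESSAGE")

    def field(i):
        length, _, offset = struct.unpack_from("<HHI", msg, 12 + 8 * i)
        return msg[offset:offset + length]

    unicode = struct.unpack_from("<I", msg, 60)[0] & NTLMSSP_NEGOTIATE_UNICODE
    dec = (lambda b: b.decode("utf-16le")) if unicode else (lambda b: b.decode("latin-1"))
    nt = field(1)
    if len(nt) <= 24:
        raise ValueError("NTLMv1 response (24 bytes), not NetNTLMv2")
    return {"domain": dec(field(2)), "user": dec(field(3)), "workstation": dec(field(4)),
            "nt_proof": nt[:16], "blob": nt[16:]}


def to_hashcat(server_challenge: bytes, type3: bytes) -> str:
    p = parse_authenticate(type3)
    return f"{p['user']}::{p['domain']}:{server_challenge.hex()}:{p['nt_proof'].hex()}:{p['blob'].hex()}"


def check_candidate(line: str, password: str) -> bool:
    """Offline check of one password guess against a 5600-format line."""
    user, _, domain, challenge, proof, blob = line.split(":")
    return ntlmv2_proof(password, user, domain, bytes.fromhex(challenge), bytes.fromhex(blob)) == bytes.fromhex(proof)


def demo() -> str:
    """Construct a type 3 message for alice@CORP with password 'password' and extract it."""
    server_challenge = bytes.fromhex("0123456789abcdef")            # constructed type 2 challenge
    blob = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", 0x01D98F7A3C2B1A00)   # header, timestamp
            + bytes.fromhex("aabbccddeeff0011")                       # client challenge
            + b"\x00" * 4 + b"\x00" * 4 + b"\x00" * 4)                # reserved, MsvAvEOL, reserved
    proof = ntlmv2_proof("password", "alice", "CORP", server_challenge, blob)
    type3 = build_authenticate("alice", "CORP", "WS01", proof + blob)
    return to_hashcat(server_challenge, type3)


if __name__ == "__main__":
    print(demo())
```

The same parser applies whether the messages come from ETW SMB events, a pcap or an HTTP NTLM exchange; only the server challenge (which ETWHash must also capture from the type 2 message) changes between sources.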
Hiding in Plain Sight: Unlinking Malicious DLLs from the PEB
Christophe Tafani-Dereeper details a technique to be aware of. Its use will also be a useful indicator of bad mojo.
In this post, we take a look at an anti-forensics technique that malware can leverage to hide injected DLLs. We dive into specific details of the Windows Process Environment Block (PEB) and how to abuse it to hide a malicious loaded DLL.
https://blog.christophetd.fr/dll-unlinking/
Exploitation
What is being exploited.
Increased exploitation of PaperCut drawing blood around the Internet
Paul Jaramillo builds on last week's reporting with further details of the in-the-wild exploitation.
Low-level Extraction for iOS < 15.6
Local privilege escalation vulnerabilities being leveraged in forensic tooling.
the extraction agent is an app that, when installed on an iOS device, attempts privilege escalation by attempting to exploit one or more vulnerabilities in the operating system.
https://blog.elcomsoft.com/2023/05/low-level-extraction-for-ios-15/
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
VDM LUA Extractor
Justin Elze provides tooling to extract defender VDMs to get LUA ASR rules
gist.github.com/HackingLZ/65f289b8b0b9c8c3a675aa26c06dfe09
VSS Carver
Minoru Kobayashi provides a useful tool to carve out volume shadow copy catalogs, which are sometimes deleted prior to ransomware deployment.
Carves and recreates VSS catalog and store from Windows disk image - VSS being Volume Shadow Copy which gets deleted by some Ransomware crews before deployment
https://github.com/mnrkbys/vss_carver
A Wireshark/Tshark dissector for the Apple BLE Advertising Beacon protocol known as "Continuity"
We can now all learn what is happening..
https://github.com/netspooky/dissectors/blob/main/acble.lua
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Aggregated reporting
Adversarial Threat Report, First Quarter 2023 - took action against three separate cyber espionage operations in South Asia linked to a group of hackers known in the security industry as Bahamut APT, another group known as Patchwork APT and a state-linked group in Pakistan.
2022 Data Security Incident Response Report - The 2022 DSIR features insights and metrics from more than 1,270 incidents that members of the firm’s Digital Assets and Data Management Practice Group helped clients manage in 2021 - released Apr 2023
Big Game Hunting is back despite decreasing Ransom Payment Amounts - payment amounts still down quarter on quarter
Request for Comment on Secure Software Self-Attestation Common Form - CISA
The 2022 Innovations Dialogue: AI Disruption, Peace and Security (Conference Report) - While it is apparent that AI technologies can augment human capabilities, they present significant ethical, legal, safety and security concerns. These range from issues related, but not limited, to transparency, reliability, predictability, understandability, accountability, bias and discrimination, and technical robustness - simple then!
The Luring Test: AI and the engineering of consumer trust - from an Attorney in the FTC Division of Advertising Practices - an insight into both the opportunity and also a dystopian future which will no doubt come with various risks around cyber resilience - firms are starting to use them in ways that can influence people’s beliefs, emotions, and behavior. Such uses are expanding rapidly and include chatbots designed to provide information, advice, support, and companionship.
Tencent Cloud announces a small-sample digital human production platform, which can produce a digital human for 1,000 yuan ($144) from 3 minutes of video and 100 sentences of voice material within 24 hours - at-scale deep fakes for social engineering / information operations are now a thing.
Upcoming books available for pre-order
Upcoming events
Ethical Considerations in Digital Forensic Science event is May 30th
Ransomware Summit - Free and virtual - June 27th
The 2nd International Fuzzing Workshop (FUZZING) 2023 Call For Papers - event is July 17th
Hack.lu Security Conference and the CTI-Summit - Call For Papers - event is October 16th to 17th
This newsletter is produced by BinaryFirefly, it is via BinaryFirefly I support a hand picked set of organisations across investment, strategy and capability in the domain of cyber.
For sponsorship enquiries regarding Bluepurple or anything else contact hello@binaryfirefly.com.
here's a good one for the week: https://www.vanderbilt.edu/modern-conflict/