

Bluepurple Pulse: week ending May 14th
We all get to patch Outlook again to mitigate password hash leakages - yay!
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week, the spill-over from the MSI BIOS and other leaked code signing keys continues. In addition, the previous Microsoft Outlook password hash leakage patch was found wanting and re-exploited, requiring another. Outside of that the new normal continues, which is a lot!
In the high-level this week:
Conversation with Sami Khoury: How Canada has built a single unified cybersecurity center for its citizens - The Canadian government has been increasing its investment in cybersecurity, allocating an additional 850 million dollars to the digital safety budget last year
Why more transparency around cyber attacks is a good thing for everyone - from the UK’s National Cyber Security Centre - we are increasingly concerned about what happens behind the scenes of the attacks we don’t hear about, particularly the ransomware ones.
Risk managers warn cyber insurance could become ‘unviable product’ - The Federation of European Risk Management Associations, an umbrella body representing 22 trade associations, said the cyber insurance market is “evolving in isolation from the industries it serves”.
US Spies Should Tap Private AI Models, NSA’s Research Chief Says - A top US spy official said intelligence agencies should use commercially available AI to keep up with foreign adversaries that will do the same — while being sure to address the risks to privacy and broader concerns about misuse of the fast-developing technology.
Introduction of the Online Criminal Harms Bill - Singapore - how it plans to deal with online scams.
U.S. Sanctions Drive Chinese Firms to Advance AI Without Latest Chips - A review of research papers and interviews with employees found that Chinese companies are studying techniques that could allow them to achieve state-of-the-art AI performance with fewer or less powerful semiconductors. They are also researching how to combine different types of chips to avoid relying on any one type of hardware - scarcity driving innovation
FACT SHEET: Biden-Harris Administration Announces National Standards Strategy for Critical and Emerging Technology | The White House - The actions laid out in the Strategy align with principles set forth in the National Security Strategy, the National Cybersecurity Strategy, and ANSI’s United States Standards Strategy
Ex Uber security chief Joe Sullivan is sentenced - The Washington Post - Former Uber security chief Sullivan avoids prison in data breach coverup. He is the first corporate executive convicted of a crime related to a data breach by outsiders
May 2023 Progress Report: Ransomware Task Force: Gaining Ground - Institute for Security and Technology - progress report which is largely positive
On Breaking Things: Melding Cyber and Kinetic in Conflict - A panel discussion on lethal outcomes of cyber operations, coordination between cyber and kinetic forces, and integration of cyber options in future warfare within the context of larger intelligence and military behaviors.
China's Grand Strategy For Global Data Dominance - Under Beijing’s new data hierarchy, all companies are forced to integrate into a centralized national data infrastructure controlled by the Party
GDPR: the right to obtain a ‘copy’ of personal data means that the data subject must be given a faithful and intelligible reproduction of all those data - That right entails the right to obtain copies of extracts from documents or even entire documents or extracts from databases which contain those data, if that is essential in order to enable the data subject to exercise effectively the rights conferred on him or her by the GDPR
The UK's cross-Government Secure by Design approach - The cross-Government Secure by Design approach will be mandatory for central government and arm's-length bodies (ALBs)
The risks commercial spyware poses to journalists, activists and government officials - spyware is thriving and has already targeted journalists, dissidents and politicians around the world.
Related, and as if by magic: Dominican Republic: Pegasus spyware discovered on prominent journalist’s phone - A high-profile woman journalist in the Dominican Republic has been targeted with NSO Group’s Pegasus spyware, in the first confirmed case in the country, Amnesty International reveals in a new investigation
Spyware: MEPs sound alarm on threat to democracy and demand reforms | News | European Parliament
Spyware was used to monitor, intimidate and discredit opponents, journalists and civil society
Spyware should only be allowed when strict conditions are fulfilled
Uniform definition of national security needed
An EU Tech Lab could help with research, investigations and forensic analysis
Branching Out: Factors Motivating Nondemocratic Use of Commodity Spyware - The findings within this article offer a broad overview of the factors predilecting state use of commodity spyware, with general applications for both nondemocratic and democratic states
Global surveillance: The secretive Swiss dealer enabling Israeli spy firms - The international mobile system is exposed and a loophole allows hackers, cybercriminals and states to geolocate targets and even hijack email and web accounts. Israelis can be found among the victims - and the attackers
NATO and Article 5 in Cyberspace - NATO designated cyberspace as a domain of warfare & recognized that an adversarial cyber campaign could trigger the Alliance’s collective defense mechanism under Article 5 - Given the complexities of cyberattacks it's unknown whether & what kind attacks get a response
African countries reach data, digital ID interoperability deal to foster growth - African countries including Ghana, Gabon, Guinea, Rwanda, Tunisia and Zimbabwe have signed a declaration on data and digital identity interoperability to advance their digital and economic integration and prosperity objectives - be interesting to see how supply chains are ensured and assured
Publicly solicit opinions on four mandatory national standards including "Technical Requirements for Vehicle Information Security" - China going after vehicle information security big time - what do they know?
The reflections this week come from learning about Notch.one (a UK/Finnish company which does clever maths to support amazing live events graphics). I originally learnt of them through an interview on the Fairlight channel (an old school scene demo outfit) and then another interview given by Matt (one of the founders) to his old UK university. A couple of things from these interviews stood out.
His throwaway line “do you want to build a startup or a business” - I 💖 this
The journey from hobby to business, i.e. demo coder for Fairlight → develops tooling to support that activity over a decade → brief interlude of 9 years as a Sony R&D engineer → MVP of Notch. This journey is reminiscent of various journeys that hackers turned coders turned successful product CEOs/CTOs have taken. The takeaway I took is: do a job, feel the pain and see where the optimization/value is from coding a solution.
On the interesting job/role front:
Process Manager - Cyber Security at Bentley (but you get an Audi/VW company car)
Situational Awareness Assistant, Cyber Threat Analysis Branch at NATO
Senior Expert AppSec Engineer at Activision (video games), remote
Lecturer in War Studies (Cyber Security) at Kings College London
Professor in Defence and Security (Education and Research) at University of Exeter
Cyber Policy and Strategy Masters at Kings College London
Have a lovely Thursday
Ollie
Cyber threat intelligence
Who is doing what to whom and how.
Russia
Cyber Dimensions of the Armed Conflict in Ukraine – Q1 2023
The CyberPeace Institute provides a useful summary of everything they have tracked.
The threat actors that were the most active in targeting Ukrainian entities were the hacktivist collectives People’s CyberArmy (99), NoName057(16) (40) and Anonymous Russia (26). Sandworm (19) and DEV-0586 (12) have had the most attacks attributed to them among Russia’s state-sponsored threat actors.
2022 Annual Report on Dynamic Surveying and Mapping of the Battlefield of Russia-Ukraine Conflict
Interesting insight into Chinese commercial approach, capability and visibility of how they do Internet scanning based monitoring etc.
Snake
Five Eyes release details of an implant framework used by Russia for over 20 years.
Hunting Russian Intelligence “Snake” Malware
CISA drop the advisory with various Suricata and Volatility detections.
The Snake implant is considered the most sophisticated cyber espionage tool designed and used by Center 16 of Russia’s Federal Security Service (FSB) for long-term intelligence collection on sensitive targets. To conduct operations using this tool, the FSB created a covert peer-to-peer (P2P) network of numerous Snake-infected computers worldwide.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-129a
UK and allies expose Snake malware threat from Russian cyber actors
The UK’s National Cyber Security Centre paints the partner picture in glorious detail along with a call to action by all concerned.
“The advisory lifts the lid on a highly sophisticated espionage tool used by Russian cyber actors, helping to expose the tactics and techniques being used against specific targets around the world.
“We strongly encourage organisations to read the technical information about Snake malware and implement the mitigations to help detect and defend against this advanced threat.”
https://www.ncsc.gov.uk/news/uk-and-allies-expose-snake-malware-threat-from-russian-cyber-actors
Justice Department Announces Court-Authorized Disruption of the Snake Malware Network Controlled by Russia's Federal Security Service
The big revelation was from the Department of Justice: a search warrant was used to authorize causing the implant to overwrite itself. An interesting application of a search warrant, and one other countries may explore as a result.
the FBI pursuant to a search warrant issued by United States Magistrate Judge Cheryl L. Pollak of the Eastern District of New York, which authorized remote access to the compromised computers
ruleAPTSnake.yar: a memory-focused YARA rule based on the Volatility plugin published at the end of the Snake Malware report
Matt Suiche provides further value by providing signatures for memory scanners.
gist.github.com/msuiche/8c8fd278430dda0292b4cfdfc549ca2d
Uncovering RedStinger - Undetected APT cyber operations in Eastern Europe since 2020
Roberto Santos and Hossein Jazi detail a set of five conflict-related operations by a previously unknown or otherwise unattributed APT. The actual initial access tradecraft is what we have seen time and time again, i.e. phishing.
There is also some comedy.
Finally, we have 2 victims named TstSCR and TstVM. It turns out that attackers, at some point, infected their own machines in order to carry out some testing, or by mistake.
they leaked a screenshot from their own machine
The operational pattern is as you would expect.
https://www.malwarebytes.com/blog/threat-intelligence/2023/05/redstinger
Deep Dive Into PIPEDREAM’s OPC UA Module, MOUSEHOLE
Sam Hanson details a rather modest Russian Industrial Control System capability. The tool feels like the work product of a Friday in the lab.
Open Platform Communications Unified Architecture (OPC UA) is a popular industrial protocol allowing for data communication between various devices and systems.
…
MOUSEHOLE is one of five modules in PIPEDREAM, the seventh known industrial control systems (ICS)-specific malware. MOUSEHOLE is a Python program that functions as an OPC UA client application. It is designed for easy interaction with OPC UA servers from the command line and contains various capabilities, including:
Scanning a network for an OPC UA server
Brute forcing the authentication mechanism
Reading the structure of a server
Reading and writing to specific node attributes
Setting various security settings such as security mode, policies, certificates, and private keys
https://www.dragos.com/blog/pipedream-mousehole-opcua-module/
North Korea
Attack trends related to the attack campaign DangerousPassword
Interesting reporting on the Hermit Kingdom from Japan. The macOS capability (as we saw with 3CX) is of note.
This time, we will introduce the following four attack patterns.
Attacks that send malicious CHM files from Linkedin
Attacks using OneNote files
Attacks using virtual hard disk files
Attacks targeting macOS
China
New Mustang Panda’s campaing against Australia
A Chinese campaign, found after the fact, which is rather rudimentary but has a regional focus. One would likely infer this was sent via e-mail to targets.
[We] found a zip file named Biography of Senator the Hon Don Farrell.zip. Hon Don Farrell is the current Australian Secretary of State for Trade and Tourism, indicating a targeted campaign against Australia.
The zip drops two files. On the one hand, the legitimate application for processing PDF files, Solid PDF Creator, renamed as “Biography of Senator the Hon Don Farrell/Biography of Senator the Hon Don Farrell.exe”; on the other hand, we have seen a malicious payload named SolidPDFCreator.dll. Persistence is done through DLL side loading by the stager.
https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/
What’s Cracking at the Kerui Cracking Academy?
APT31 personas outed by Intrusion Truth.
Alongside the Kerui Cracking Academy, Qian runs a side-hustle as the owner of the Kerui Reverse Technology Company, also founded in 2007. The homepage makes clear that the company has provided ‘technical services for many projects of the Ministry of Public Security and the Ministry of State Security’.
Iran
Iranian dissidents disrupt over 210 regime Foreign Ministry websites and servers
Matin Karim details an operation conducted against Iran via unknown methods. The impact is clear - this is what regional conflict looks like with a cyber flavor.
Iranian dissidents have been able to take control over 210 websites, software applications, servers, data banks, and other aspects of the regime’s Ministry of Foreign Affairs (MFA) on Sunday. The front pages of these 210 websites and software apps associated to the mullahs’ Foreign Ministry and their embassies across the globe were defaced and replaced with images of the Iranian Resistance leadership and slogans calling for the regime’s overthrow.
The leaked documents also include at least 158 pages of MFA personnel and their organizational status, and especially those in MFA representative office in foreign countries. Details of at least 10,878 personnel have also been published.
Deep Dive Into DownEx Espionage Operation in Central Asia
Martin Zugec shows the value of delayed reporting and the protection of intelligence equities. The regional focus will also be of interest to some even if the initial access tradecraft hasn’t been confirmed.
In late 2022, [we] detected a cyberattack targeting foreign government institutions in Kazakhstan. While investigating this incident, it was revealed that this was a highly targeted attack designed to exfiltrate data. We decided to postpone publishing our findings and monitored the region for other similar attacks. This effort was rewarded, when we detected another attack in Afghanistan and collected additional samples and observations.
While the initial infection vector remains unclear, we expect that threat actors used social engineering techniques to deliver a spear-phishing email with a malicious payload. The attack used a simple technique of using an icon file associated with .docx files to masquerade an executable file as a Microsoft Word document.
Clean Rooms, Nuclear Missiles, and SideCopy, Oh My!
James Slaughter and Shunichi Imano detail a Pakistani operation likely targeted at India. The tradecraft is still wonderfully effective, i.e. phishing.
The initial infection vector is suspected to be a phishing e-mail. However, that information was not available to [us] at the time of our investigation. That said, we do have access to a Zip file that would have been the likely attachment to an e-mail.
The file is named “DRDO-K4-Missile-Clean-room.zip”. When the name’s meaning is fully parsed, it becomes quite interesting. “DRDO” refers to India’s Defence Research and Development Organisation. “K-4” refers to the intermediate-range SLBMs (Submarine-Launched Ballistic Missiles) housed in their Arihant class of nuclear-powered ballistic missile submarines. And “clean room” refers to the facility required to assemble sensitive components or perform intensive maintenance on these missiles.
https://www.fortinet.com/blog/threat-research/clean-rooms-nuclear-missiles-and-sidecopy
SideWinder Uses Server-side Polymorphism to Attack Pakistan Government Officials
The other side of the border is reflected in this reporting; however, there is a marked difference and notable operational security tradecraft, even if the exploits are 6 years old.
[We] discovered a new malware campaign by the SideWinder group. This campaign utilized a server-side polymorphism technique. The use of this technique allows the threat actor to potentially bypass traditional signature-based antivirus (AV) detection to deliver the next stage payload.
the threat group exploited the CVE-2017-0199 vulnerability (remote template injection).
The next stage payload “file.rtf”, a rich text document file, can only be downloaded by users in the Pakistani IP range.
https://blogs.blackberry.com/en/2023/05/sidewinder-uses-server-side-polymorphism-to-target-pakistan
Backdoored RAT in China
Chinese reporting on a campaign where someone was distributing a backdoored RAT in China which had Cobalt Strike embedded in it. The GitHub project first appeared last February and is now nuked.
https://www.freebuf.com/articles/network/364647.html
Xjquery Wave of WordPress SocGholish Injections
Denis Sinegubko details a criminal operation to build up, among other things, a traffic distribution network through mass website compromises. This near-constant exploitation of WordPress plugins at scale makes you wonder what the solution should be.
By the end of March, 2023, we started noticing a new wave of SocGholish injections that used the intermediary domain. It appeared to be another evolution of the same malware.
This time, however, attackers were using the same tricks in a different way. Instead of zip, they used the zlib compression — and instead of storing the SocGholish payload in wp-options table, they started storing the name of the fake image file containing the PHP code that injects the script into WordPress pages.
The more complex variant appears to be a modified version of the zTDS script. zTDS is a Russian traffic direction system (TDS) that can filter traffic based on multiple parameters such as browser, device, geo location, IP address, language support, and referrer, etc. It can also block bots and other unwanted visitors (e.g. recurring visits, no referrer or empty IP).
https://blog.sucuri.net/2023/05/xjquery-wave-of-wordpress-socgholish-injections.html
Uncovering drIBAN fraud operations
This is what financial cyber crime looks like in 2023 - the understanding of the business processes is of note.
The main goal of drIBAN fraud operations is to infect Windows workstations inside corporate environments, trying to alter legitimate banking transfers performed by the victims by changing the beneficiary and transferring money to an illegitimate bank account (дропы, “drops” in Russian) controlled by themselves or affiliates, which are then responsible for handling and laundering the stolen funds.
Using web injects is a common technique used by various TAs during banking fraud operations since they can change the behavior of a targeted web page (on a client’s side) by adding malicious code and intercepting all the HTTP requests and responses from the server.
The key component of those fraud operations is drIBAN, a web inject kit with a powerful ATS engine (Automatic Transfer System), leveraged by TAs to successfully bypass identity verification mechanisms, such as MFA and SCA, adopted by banks and financial institutions during the login and payment authorization phases.
https://www.cleafy.com/cleafy-labs/uncovering-driban-fraud-operations-chapter1
Analysis on legit tools abused in human operated ransomware
A wonderful summary presentation by Keisuke Tanaka, Yoshihiro Nakaya and Toru Yamashige. Their focus is commercial remote administration tools such as AnyDesk, Splashtop, Rclone (MEGA) etc.
This provides evidence once more that threat actors will co-opt such tools to fly under the radar of known-bad signature-based detections.
https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_1_1_yamashige-nakatani-tanaka_en.pdf
Discovery
How we find and understand the latent compromises within our environments.
Fantastic Rootkits and Where to Find Them
A two-part series by Rotem Salinas, with the most recent part posted in the last week. The takeaway is that rootkits are not dead on Windows by any stretch, and the countermeasures can be bypassed.
We have seen that rootkits have evolved from Hooking and DKOM-based techniques, which we covered in the last blog, to other techniques like file-system filter drivers and signed drivers by stolen certificates to avoid triggering PatchGuard and “bypass” DSE mitigations, as well as EDR (endpoint detection and remediation) solutions.
The Art of Clipboard Forensics Recovering Deleted Data
Hazem Hisham provides a really useful source of clipboard forensic data. Watch stealers going after this file now…
By reversing the previous DLLs, I discovered a file called tokens.dat in the %ProgramData%\Microsoft\Windows\ClipSVC folder. This file contains encrypted data related to the Clipboard.
https://xret2pwn.github.io/The-Art-of-Clipboard-Forensics-Recovering-Deleted-Data/
APT-Hunter
Ahmed Khlief provides a Chainsaw-like tool…
APT-Hunter is a threat hunting tool for Windows event logs, made with a purple team mindset to detect APT movements hidden in the sea of Windows event logs and decrease the time to uncover suspicious activity.
APT-Hunter uses pre-defined detection rules and focuses on statistics to uncover abnormalities, which is very effective in compromise assessment. The output is produced with a timeline that can be analyzed directly from Excel, Timeline Explorer, Timesketch, etc.
https://github.com/ahmedkhlief/APT-Hunter
Honeypot Moments: Accidentally Getting a VPN Providers
How Honeypots have unintended consequences by Darren Martyn.
In conclusion here, what seems to have happened is the IP I was assigned for my honeypot at a certain cloud provider, is an IP address that was previously being used by these VPN providers.
And it seems these providers never pushed out updates to their customers, leaving me in the weird position where their customers are trying to proxy through my honeypot, leaving me in a position for "upstream collection" if I was so inclined.
https://www.fullspectrum.dev/honeypot-moments-mr-cronjob-in-tehran/
Defence
How we proactively defend our environments.
BlockNonMSModules
Saad Ahla provides some interesting defensive capability; the underlying API, SetProcessMitigationPolicy, could be co-opted in a tool such as WindowsJobLock, which I appear to have written 10 years ago.
Set the process mitigation policy for loading only Microsoft Modules, and block any userland 3rd party modules
https://github.com/TheD1rkMtr/BlockNonMSModules
Token protection in Azure AD Conditional Access
Tokens bound to hardware in Windows: this is where the Zero Trust rubber hits the road and the vision starts to be realized.
Token protection (sometimes referred to as token binding in the industry) attempts to reduce attacks using token theft by ensuring a token is usable only from the intended device. When an attacker is able to steal a token, by hijacking or replay, they can impersonate their victim until the token expires or is revoked. Token theft is thought to be a relatively rare event, but the damage from it can be significant.
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-token-protection
There is also some example code, in the guise of KeyProtectionExample, which creates machine-bound keys in a Virtualization Based Security enclave on Windows.
gist.github.com/dwizzzle/a1c4cf4b669053dbeda4a4b24a9aca0f
Azure AD Certificate-Based Authentication (CBA) on Mobile now Generally Available!
This is also pretty massive from a defensive perspective.
At Ignite 2022, we announced the general availability of Azure Active Directory (Azure AD) Certificate-Based Authentication (CBA) as a part of Microsoft’s commitment to Executive Order 14028, Improving the Nation’s Cybersecurity. Now, we’re thrilled to announce the general availability of Azure AD CBA support on mobile.
We support both on-device certificates and external hardware security keys, like YubiKeys over USB or NFC on iOS and Android devices. With Bring Your Own Device (BYOD) on the rise, this feature will give you the ability to require phishing-resistant multi-factor authentication (MFA) on mobile without having to provision certificates on the user’s mobile device.
Microsoft Sentinel automated responses
Automation is the way of the future, so learning how to do it with Microsoft Sentinel is very wise if you want machine-speed response to high-confidence events.
Microsoft Sentinel includes many ready-to-use playbooks, including playbooks for these uses:
Block an Azure Active Directory (Azure AD) user
Block an Azure AD user based on an approve or reject email
Post a message on the Microsoft Teams channel about an incident or alert
Post a message on Slack
Send an email that has incident or alert information
Send an email that has a formatted incident report
Confirm that an Azure AD user is at risk
Send an adaptive card via Microsoft Teams to confirm that a user is compromised
Isolate an endpoint on Microsoft Defender for Endpoint
This article shows an example of implementing a playbook to respond to a threat. The playbook blocks an Azure AD user that's compromised by suspicious activity.
Vulnerability
Our attack surface.
Cisco Security Advisory: Cisco SPA112 2-Port Phone Adapters Remote Command Execution Vulnerability
End of life, no fix and an implant in the wrong place waiting to happen.
From One Vulnerability to Another: Outlook Patch Analysis Reveals Important Flaw in Windows API
Ben Barnea found the first patch wasn’t quite complete so we all get to patch again.
The vulnerability causes a Windows API function — MapUrlToZone — to incorrectly think that a remote path is a local one.
MapUrlToZone is commonly used as a security measure. In particular, it was used to mitigate the critical Outlook vulnerability CVE-2023-23397 patched in the March Patch Tuesday.
An unauthenticated attacker on the internet could use the vulnerability to coerce an Outlook client to connect to an attacker-controlled server. This results in NTLM credentials theft. It is a zero-click vulnerability, meaning it can be triggered with no user interaction.
All Windows versions are affected by the vulnerability. As a result, all Outlook client versions on Windows are exploitable. However, according to Microsoft, Exchange servers with the March update omit the vulnerable feature, thus preventing vulnerable clients from being exploited.
The issue was responsibly disclosed to Microsoft and addressed in May 2023 Patch Tuesday.
https://www.akamai.com/blog/security-research/important-outlook-vulnerability-bypass-windows-api
Leaked and Detected In-The-Wild Intel Keys from Lenovo/LCFC/AlderLake Leak
This MSI firmware signing key leak continues to go from bad to worse. Lenovo and Supermicro products are impacted. The implant opportunities here are rife, so I suggest you develop signatures for these keys.
https://github.com/binarly-io/SupplyChainAttacks/blob/main/Lenovo:LCFC/IntelKeysImpactedDevices.md
Offense
Attack capability, techniques and trade-craft.
Living Off The Land Drivers 1.0 Release
Michael Haag and team drop the 1.0 - lots of defensive and offensive value in this list. If you are not blocking their use then you likely should be.
the project aims to provide a comprehensive and well-maintained repository of drivers with known vulnerabilities or malicious behaviors.
https://medium.com/magicswordio/living-off-the-land-drivers-1-0-release-95af7d59fb89
Bypassing antivirus detection: old-school malware, new tricks
Efstratios Chatzoglou, Georgios Karopoulos, Georgios Kambourakis and Zisis Tsiatsikas provide a worrying evidence base on real-world EDR efficacy.
Our experiments exploit a blend of seven traditional AV evasion techniques in 16 executables built in C++, Go, and Rust. Furthermore, we conduct an incipient study regarding the ability of the ChatGPT chatbot in assisting threat actors to produce ready-to-use malware. The derived results in terms of detection rate are highly unexpected: approximately half of the 12 tested AV engines were able to detect less than half of the malware variants, four AVs exactly half of the variants, while only two of the rest detected all but one of the variants.
https://arxiv.org/abs/2305.04149
Backdooring Electron Applications
Expect these techniques to be utilized in repackaged apps more regularly e.g. Slack etc.
All the methods proposed in this blog post (DLL Hijacking, Remote Debugging Protocol, Beemka) are not new and have already been extensively documented elsewhere. But as it took me a long time to recompile a current list of possible methods, I wanted to provide one reference point for Electron post-exploitation for persistence.
https://text.tchncs.de/ioi/backdooring-electron-applications
GetLAPSPassword: A LAPS dumper written using the impacket library
Tyler gives new offensive capability that supports both NTLM and Kerberos auth to get saved passwords.
https://github.com/dru1d-foofus/GetLAPSPassword/
PendingFileRenameOperations.cmd : a Windows persistence mechanism
Grzegorz Tworek gives a good toy example of why this should be monitored for.
https://github.com/gtworek/PSBits/blob/master/Misc/PendingFileRenameOperations.cmd
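To make the monitoring case concrete, here is an added example (my code, not Grzegorz's script) that parses a PendingFileRenameOperations value the way a collector or triage script would. The value lives under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager as a REG_MULTI_SZ of (source, destination) pairs written by MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT: an empty destination is a boot-time delete and a leading '!' on the destination means "replace existing". The sample value, the ASCII-only path handling, the use of wchar_t in place of UTF-16LE so it builds off Windows, and the triage heuristic (moves from user-writable locations into system directories) are all assumptions of this example.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>
#include <ctype.h>
#include <wchar.h>

/* Kinds of boot-time operation recorded in PendingFileRenameOperations. */
typedef enum { PFRO_DELETE, PFRO_MOVE, PFRO_REPLACE } pfro_kind;

typedef struct {
    char src[260];
    char dst[260];
    pfro_kind kind;
} pfro_op;

/* Copy one NUL-terminated wide string into a narrow buffer (ASCII paths are
 * assumed for this example) and return the number of wide units consumed,
 * including the terminator. */
static size_t take_string(const wchar_t *p, size_t avail, char *out, size_t outsz)
{
    size_t i = 0, o = 0;
    while (i < avail && p[i] != L'\0') {
        if (o + 1 < outsz)
            out[o++] = (p[i] < 0x80) ? (char)p[i] : '?';
        i++;
    }
    out[o] = '\0';
    return (i < avail) ? i + 1 : i;
}

/* Parse a raw value into ops; returns the number of (source, destination)
 * pairs found. The list ends at an empty string in the source position. */
size_t parse_pfro(const wchar_t *buf, size_t units, pfro_op *ops, size_t max_ops)
{
    size_t pos = 0, n = 0;
    while (pos < units && n < max_ops) {
        pfro_op *op = &ops[n];
        pos += take_string(buf + pos, units - pos, op->src, sizeof op->src);
        if (op->src[0] == '\0')
            break;                          /* terminating empty string */
        if (pos >= units)
            break;                          /* malformed: source without destination */
        pos += take_string(buf + pos, units - pos, op->dst, sizeof op->dst);
        if (op->dst[0] == '\0') {
            op->kind = PFRO_DELETE;         /* empty destination: delete at boot */
        } else if (op->dst[0] == '!') {
            op->kind = PFRO_REPLACE;        /* '!' prefix: MOVEFILE_REPLACE_EXISTING */
            memmove(op->dst, op->dst + 1, strlen(op->dst));
        } else {
            op->kind = PFRO_MOVE;
        }
        n++;
    }
    return n;
}

/* Case-insensitive substring test, since Windows paths are case-insensitive. */
static int contains_ci(const char *hay, const char *needle)
{
    size_t nl = strlen(needle);
    for (; *hay; hay++) {
        size_t k = 0;
        while (k < nl && hay[k] &&
               tolower((unsigned char)hay[k]) == tolower((unsigned char)needle[k]))
            k++;
        if (k == nl)
            return 1;
    }
    return 0;
}

/* Triage heuristic (an assumption of this example, not a published rule): a
 * move or replace landing under Windows or Program Files from a user-writable
 * location (Users, Temp) deserves a look; boot-time deletion of temporary
 * files is ordinary installer behaviour. */
int pfro_is_suspicious(const pfro_op *op)
{
    if (op->kind == PFRO_DELETE)
        return 0;
    int dst_system = contains_ci(op->dst, "\\Windows\\") ||
                     contains_ci(op->dst, "\\Program Files");
    int src_user = contains_ci(op->src, "\\Users\\") ||
                   contains_ci(op->src, "\\Temp\\");
    return dst_system && src_user;
}

const char *pfro_kind_name(pfro_kind k)
{
    return k == PFRO_DELETE ? "delete" : k == PFRO_REPLACE ? "replace" : "move";
}

/* Constructed sample value. The literal's own terminator supplies the final
 * empty string that closes the REG_MULTI_SZ. */
const wchar_t PFRO_SAMPLE[] =
    L"\\??\\C:\\Windows\\Temp\\setup_1234.tmp\0"                 /* delete at boot */
    L"\0"
    L"\\??\\C:\\Users\\Public\\update.exe\0"
    L"!\\??\\C:\\Windows\\System32\\example_service.dll\0"       /* replace existing */
    L"\\??\\C:\\ProgramData\\ExampleApp\\helper.dll.new\0"
    L"\\??\\C:\\Program Files\\ExampleApp\\helper.dll\0";
const size_t PFRO_SAMPLE_UNITS = sizeof PFRO_SAMPLE / sizeof PFRO_SAMPLE[0];

int main(void)
{
    pfro_op ops[16];
    size_t n = parse_pfro(PFRO_SAMPLE, PFRO_SAMPLE_UNITS, ops, 16);
    for (size_t i = 0; i < n; i++)
        printf("%-8s %s -> %s%s\n", pfro_kind_name(ops[i].kind), ops[i].src,
               ops[i].dst[0] ? ops[i].dst : "(delete)",
               pfro_is_suspicious(&ops[i]) ? "   [REVIEW]" : "");
    return 0;
}
```

On a live host the same parser can be fed the bytes read from the registry value; the useful signal is the pair as a whole (where the file came from and where it will land at the next boot), not the presence of the value, which installers populate routinely.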
SCCMHunter
Garrett Foster and Benjamin provide a tool worth signaturing the use of, for anyone who still runs legacy on-premises AD.
a post-ex tool built to streamline identifying, profiling, and attacking SCCM related assets in an Active Directory domain.
https://github.com/garrettfoster13/sccmhunter
Freeze.rs
Rust is being used increasingly in offensive tooling.
Freeze.rs is a payload creation tool used for circumventing EDR security controls to execute shellcode in a stealthy manner. Freeze.rs utilizes multiple techniques to not only remove Userland EDR hooks, but to also execute shellcode in such a way that it circumvents other endpoint monitoring controls.
https://github.com/optiv/Freeze.rs
Exploitation
What is being exploited.
CVE-2023-0386 privilege escalation on Ubuntu 22.04
Next vulnerability and exploit from China.
https://github.com/xkaneiki/CVE-2023-0386
PaperCut Exploitation - A Different Path to Code Execution
PaperCut can be exploited in more ways than are currently being appreciated.
This report shows that detections that focus on one code execution method, or that focus on a small subset of techniques used by one threat actor, are doomed to be useless in the next round of attacks.
https://vulncheck.com/blog/papercut-rce
Uncovering CVE-2022-37985: A Unique Information Disclosure Vulnerability in Windows Graphics Component
Bing Sun documents how to exploit this vulnerability via Word documents to leak RAM fragments over WebDAV. Again, it is worth signaturing this vulnerability.
https://www.trellix.com/en-us/about/newsroom/stories/research/the-art-of-information-disclosure.html
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
Introducing TritonDSE: A framework for dynamic symbolic execution in Python
Robin David and Christian Heitman drop a capability which will be inherently useful to offensive security researchers.
TritonDSE is a Python library built atop the existing Dynamic Symbolic Execution(DSE) framework Triton to provide more high-level program exploration and analysis primitives. The whole exploration can be instrumented using a hook mechanism that allows the user to run custom code on various events, like address, mnemonic, new input generated, each iteration, a branch to be solved, etc. It can be seen as a symbolic unicorn-like framework as it is not an off-the-shelf program, but a toolkit to build dedicated and specific analyses. Still, it is able to perform some exploration on its own and provides ways to customize it. It was partly designed to build a whitebox fuzzer now integrated into PASTIS. The framework is still experimental, thus any feedback or issue reports are appreciated.
Leveraging Microsoft eXtended Flow Guard (XFG) to help with reverse engineering
Michael Maltsev shows practically how it helps to understand control flow from indirect calls.
It took me a while to notice what now seems to be obvious - the indirect call XFG signature can be used to identify the possible target functions that may be called.
https://m417z.com/Leveraging-XFG-to-help-with-reverse-engineering/
Send My: Arbitrary data transmission via Apple's Find My network
From 2021: a low bit rate exfiltration opportunity, or a canary for iPhones being where they shouldn't be, due to the bridge being present.
https://positive.security/blog/send-my
Intel Linear Address Masking "LAM" Merged Into Linux 6.4
A variety of offensive and defensive use cases are enabled by this release.
Since 2020 Intel engineers have been working on Linear Address Masking (LAM) as a feature similar to Arm's Top Byte Ignore (TBI) for letting user-space store metadata within some bits of pointers without masking it out before use. This can be of use to virtual machines, profiling / sanitizers / tagging, and other applications. The Intel LAM kernel support has finally been merged with Linux 6.4.
https://www.phoronix.com/news/Intel-LAM-Merged-Linux-6.4
EaDumper
Dump Windows NTFS file extended attributes
https://github.com/daem0nc0re/TangledWinExec/tree/main/Misc/EaDumper
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Aggregated reporting
Q1/2023 Threat Report - APT groups continue to pose a significant risk to organizations and governments worldwide. One such group is Gamaredon, a group that primarily targets Ukrainian government and military entities, as well as other organizations in the country. The group utilizes spear-phishing to gain initial access to their victims, and the use of Telegram and Telegra.ph services as a distribution channel for Command-and-Control IPs is a common practice for the group.
APT Activity Report Q4 2022–Q1 2023 - China, India, Iran, North Korea and Russia are all covered.
Summit on Modern Conflict and Emerging Threats - videos from last week available
Engineering a Formally Verified Automated Bug Finder - This paper presents a systematic approach for engineering provably sound and complete symbolic execution-based bug finders by relating a programming language's operational semantics with a symbolic semantics.
The 5×5—Cryptocurrency hacking's geopolitical and cyber implications - five featured experts answer five questions
NIST Drafts
NIST Revises SP 800-171 Guidelines for Protecting Sensitive Information
NIST CSF 2.0 Core - Discussion Draft - NIST is updating the Cybersecurity Framework (CSF) which is widely used to help organizations better understand, manage, reduce, and communicate cybersecurity risks.
Finding Neurons in a Haystack: Case Studies with Sparse Probing - In this work, we seek to understand how high-level human-interpretable features are represented within the internal neuron activations of LLMs - useful to understand what sources were used, I suspect.
Upcoming books available for pre-order
Upcoming events
Cycon (NATO) - May 31st, 2023
This newsletter is produced by BinaryFirefly; it is via BinaryFirefly that I support a hand-picked set of organisations across investment, strategy and capability in the domain of cyber.
For sponsorship enquiries regarding Bluepurple or anything else contact hello@binaryfirefly.com.
This is the best roundup. This is part of my weekly brief to leaders and colleagues. I need to find a way to get this Substack internal.
I gotta find someone at substack first :-) Appreciate you entertaining the art of the possible Ollie.