Cyber Defence Analysis for Blue & Purple Teams
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week you will see a lot of Iran, Russia, China and North Korea reporting. The uptick of note is what appears to be Chinese activity against sensitive CNI targets. Read and understand the tradecraft…
In the high-level this week:
Gen. Nakasone releases US Cyber Command’s strategic priorities -
SHARPEN, our world-class force through readiness, resilience and mission improvement.
STRENGTHEN warfighting advantage throughout competition, crisis and conflict.
Execute our authorities to build and sustain a decisive advantage for national security.
UK NCSC release cyber security training packages aimed at managing supply chain risk - two new e-learning packages that will help procurement specialists, risk owners and cyber security professionals to effectively manage risks across their supply chains.
NSA and Partners Identify China State-Sponsored Cyber Actor Using Built-in Network Tools When Targeting U.S. Critical Infrastructure Sectors - “Cyber actors find it easier and more effective to use capabilities already built into critical infrastructure environments. A PRC state-sponsored actor is living off the land, using built-in network tools to evade our defenses and leaving no trace behind,” said Rob Joyce, NSA Cybersecurity Director. “That makes it imperative for us to work together to find and remove the actor from our critical networks.” - further technical reporting on this below - well done to the 🇺🇸🇬🇧🇨🇦🇦🇺🇳🇿
House Panel Advances Bills to Boost CISA’s Oversight of Open Source Software, Cyber Training - from 9 or so days ago.
Chinese hackers attacked Kenyan government as debt strains grew - Two of the sources assessed the hacks to be aimed, at least in part, at gaining information on debt owed to Beijing by the East African nation: Kenya is a strategic link in the Belt and Road Initiative - President Xi Jinping's plan for a global infrastructure network - when soft power becomes hard power.
Cloud Security: Selected Agencies Need to Fully Implement Key Practices - from the U.S. Government Accountability Office - The four selected agencies—the Departments of Agriculture, Homeland Security (DHS), Labor, and the Treasury—varied in their efforts to implement the six key cloud security practices that GAO evaluated. Specifically, three agencies fully implemented three practices for most or all of their selected systems, while another agency fully implemented four practices for most or all of its systems. However, the agencies partially implemented or did not implement the other practices for the remaining systems.
Canadian Financial System Review—2023 - The Bank remains concerned about threats to financial stability from a major cyber incident, particularly in the context of rising geopolitical tensions and Russia’s ongoing war in Ukraine. A successful cyber attack that damages activities in one part of the financial system could spread quickly, undermining the public’s confidence.
Cyber governance in Africa: at the crossroads of politics, sovereignty and cooperation - The ratification of the Malabo Convention by African member states could be a panacea for a united continent with shared norms, standards and principles, providing a prior basis for a common approach to cyber governance across the region.
Treasury Targets DPRK Malicious Cyber and Illicit IT Worker Activities - According to a March 2023 UN Panel of Experts report, DPRK cyber actors stole more virtual currency in 2022 than in any previous year, with estimates ranging from $630 million to over $1 billion—reportedly doubling Pyongyang’s total cyber theft proceeds in 2021.
Anti-abortion Group Used Cellphone Data to Target Ads to Planned Parenthood Visitors - The campaign used a common digital-advertising technology called geofencing to extract the unique device identifiers of phones carried into Planned Parenthood and other abortion providers, the people said. It then used those device IDs to target those people on popular social-networking sites such as Facebook, Instagram and Snapchat with antiabortion messaging.
The NATO CCDCOE welcomes new members Iceland, Ireland, Japan, and Ukraine - On its 15th anniversary, the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) raised the flags of Iceland, Ireland, Japan, and Ukraine at its headquarters in Tallinn, welcoming four new member nations to the CCDCOE cyber defence family.
Micron's products sold in China failed the cybersecurity review - from the Chinese government - The review found that Micron's products have relatively serious potential network security issues, which pose a major security risk to my country's critical information infrastructure supply chain and affect my country's national security - analysis by the BBC is that it makes no sense, as these components are not typically used in CNI applications, so this is a flex play with little real-world impact.
Our efforts to strengthen information security measures and improve system quality - Fujitsu’s response to a cyber incident in Japan - the transparency of the plan is of note.
Security analyst tries to hijack ransomware payment from employer - A 28-year-old man has been convicted of blackmail and unauthorised access to a computer with intent to commit other offences following an investigation by the South East Regional Organised Crime Unit (SEROCU). Unknown to the police, his colleagues and his employer, Liles commenced a separate and secondary attack against the company. He accessed a board member’s private emails over 300 times as well as altering the original blackmail email and changing the payment address provided by the original attacker. This was in the hope that if payment was made, it would be made to him rather than the original attacker.
UNICC - Cyber Threat Landscape Report 2022 (released May 2023 although dated April) - The major cyberattacks against the different UN agencies detected by the Common CTI team and managed by the UNICC CSIRT team were initiated through four common attack paths:
Phishing
Valid credentials
External remote access services
Public-facing applications
Commercial offensive cyber
Attorney General charges 4 ex-officials in Pegasus spyware probe - in Mexico
German prosecutors file charges over illegal spyware sale to Turkey (press release) - German prosecutors have charged four people with the unauthorised sale of espionage software to Turkish security services, alleging just days before a pivotal election that it was used in an attempt to spy on the country’s opposition.
Israel torpedoed Morocco spyware deal - and NSO competitor QuaDream shut down - Quadream offered zero-click infections for iPhone. Leaked code reveals their spyware may have abused WhatsApp
The brief reflection this week comes from reading How I Re-implemented PyTorch for WebGPU. This led to asking - when will states who can’t afford the compute hack a million WordPress sites and do a distributed learning activity through the browsers of the people who visit said sites? Answers on a postcard...
On the interesting job/role front:
Sr. Intelligence Analyst - Cloud Intelligence Mission (Remote) at CrowdStrike, Remote.
Supervision Portfolio Lead (Online Safety) at OFCOM (Regulator) in the UK.
IT Cybersecurity Specialist (INFOSEC) at the Department of Homeland Security in the US - the salary is a thing of wonder.
Have a lovely Friday
Ollie
Cyber threat intelligence
Who is doing what to whom and how.
Russia
Russia’s Cyber Operations Groups
Anastasios Pingios provides a breakdown of the Russian cyber machinery; this is an update based on numerous government-led pieces of reporting.
Since recently we had lots of additional information being released from official sources (US and UK governments), I decided to make this into a more thorough diagram.
https://xorl.wordpress.com/2021/04/16/russias-cyber-operations-groups/
CERT-UA: Espionage activity UAC-0063 in relation to Ukraine, Kazakhstan, Kyrgyzstan, Mongolia, Israel, India
Ukraine's government details a run-of-the-mill phishing campaign which appears to be Russian in origin and targets a wider set of interests.
[I]t was found that on April 18, 2023 and April 20, 2023, e-mails were sent to the department's e-mail address, supposedly from the official mailbox of the Embassy of Tajikistan in Ukraine (probably as a result of the latter being compromised), the first of which contained an attachment in the form of a document with a macro, and the second - reference to the same document.
Additional study of the infrastructure and related files made it possible to conclude that among the objects of interest of the group are organizations from Mongolia, Kazakhstan, Kyrgyzstan, Israel, India.
https://cert.gov.ua/article/4697016
Meet the GoldenJackal APT group. Don’t expect any howls
Giampaolo Dedola interestingly loosely ties this campaign to Russia with very specific targeting. They go so far as to avoid hosts with certain security technologies deployed to protect their operations.
an APT group, active since 2019, that usually targets government and diplomatic entities in the Middle East and South Asia.
control victim machines
spread across systems using removable drives
exfiltrate certain files from the infected system
steal credentials
collect information about the local system
collect information about users’ web activities
take screen captures of the desktop
The group is probably trying to reduce its visibility by limiting the number of victims. According to our telemetry, the number of targets is very low and most of them were related to government or diplomatic entities.
Despite these similarities, we assessed with low confidence that there is a connection between GoldenJackal and Turla, since neither of these is unique to either threat actor.
https://securelist.com/goldenjackal-apt-group/109677/
The number of cyberattacks against commercial sector has tripled y-t-d: Statistics
Insight and stats from the Ukraine government on what they are seeing and confirming phishing is how Russia runs a large number of its operations.
The Computer Emergency Response Team of Ukraine (CERT-UA) under the SSSCIP has manually processed over 700 cyber incidents and cyberattacks since the beginning of 2023: 151 of them happened in April.
According to the CERT-UA’s findings, government agencies and local governments remain the focus of the enemy hackers. However, the experts have also detected an increase in cyberattacks against commercial entities throughout March and April: almost twice as many as in January to February 2023.
Phishing remains Russian hackers’ favourite tactics. Their phishing campaigns are well-planned and are massive in their nature.
New tricks of APT29 – update on the CERT.PL report
The most amusing bit of this reporting is they seem to have lifted code from a SANS challenge. Outside of that it is clear they are both learning and continuing to evolve their tradecraft and techniques to frustrate detection.
This new campaign, which will be referred to as Information, contains a structure very similar to the Note campaigns shown in the CERT.PL report. The samples analyzed in that report are from March. However, we have observed a change in the operation of this type of malware since April, and in the latest analyzed samples, the injection method has varied.
Just as QUARTERRIG was the evolution of HALFRIG, in this new campaign APT29 has modified the logic of its dll loader “Applvsubsystem64.dll” to make it more sophisticated.
The fact of using legitimate random DLLs for injection instead of the process memory itself, adds another layer of complexity to the way the shellcode is loaded.
Leak Wolf's malware-free attacks - hacks Russian companies and publishes their data
Oleg Skulkin gives some insight into threat actors targeting Russia. Some of the tradecraft here is notable for its subtlety.
Contrary to the traditional hacker approaches, Leak Wolf used no popular vulnerability exploits, no malware, no phishing emails. [T]he attackers leveraged their access to the employee accounts and abused trusted relationships between the victim organizations and their IT contractors. This approach enabled Leak Wolf to remain invisible to monitoring for a long time. To avoid unwanted attention, the group leased Russia-based servers and used a VPN for remote connections. Given the spread of remote work, this sent no warning signals to the cybersecurity teams.
The perpetrators also gained unauthorized access by analyzing individual users’ data leaks. Employees often neglect the principles of digital hygiene: they use corporate email addresses to register on third-party platforms and set the same simple passwords for multiple accounts.
North Korea
Kimsuky | Ongoing Campaign Using Tailored Reconnaissance Toolkit
Aleksandar Milenkoski and Tom Hegel detail a campaign which uses very common tradecraft - but again it shows that North Korean tradecraft isn’t all guns blazing.
[We] observed an ongoing campaign by Kimsuky, a North Korean APT group, targeting North Korea-focused information services, human rights activists, and DPRK-defector support organizations.
The campaign focuses on file reconnaissance and information exfiltration using a variant of the RandomQuery malware, enabling subsequent precision attacks.
Kimsuky distributes RandomQuery using Microsoft Compiled HTML Help (CHM) files, their long-running tactic for delivering diverse sets of malware.
Kimsuky strategically employs new TLDs and domain names for malicious infrastructure, mimicking standard .com TLDs to deceive unsuspecting targets and network defenders.
https://www.sentinelone.com/labs/kimsuky-ongoing-campaign-using-tailored-reconnaissance-toolkit/
Lazarus Group Targeting Windows IIS Web Servers
South Korean reporting on North Korea who seem to have learnt from Chinese tradecraft.
[We] recently confirmed the Lazarus group, a group known to receive support on a national scale, carrying out attacks against Windows IIS web servers. Ordinarily, when threat actors perform a scan and find a web server with a vulnerable version, they use the vulnerability suitable for the version to install a web shell or execute malicious commands. The AhnLab Smart Defense (ASD) log displayed below in Figure 1 shows that Windows server systems are being targeted for attacks, and malicious behaviors are being carried out through w3wp.exe, an IIS web server process. Therefore, it can be assumed that the threat actor uses poorly managed or vulnerable web servers as their initial breach routes before executing their malicious commands later.
https://asec.ahnlab.com/en/53132/
https://asec.ahnlab.com/ko/52829/
An APT37 attack case impersonating a North Korean human rights organization
South Korean reporting on North Korea’s more basic tradecraft utilised in phishing campaigns. Nothing really of note here other than they continue to deploy in this manner.
Spear phishing attack aimed at the representative of the North Korean human rights field by impersonating the head of a North Korean human rights organization
Malicious MS Word DOC document and shortcut (LNK) file exploitation
Camouflage with image (JPG) files... using typical steganography techniques
Uses the same BaaS C2 and ROKRAT malware behind the APT37 attack
Threats using encryption and Powershell... Need for EDR-based visualization and active response
https://www.genians.co.kr/blog/threat_intelligence_report_apt37
https://www.genians.co.kr/hubfs/blogfile/threat_intelligence_report_apt37.pdf
APT-C-28 (ScarCruft) Organization Uses Malicious Documents to Deliver RokRat Attack Activity Analysis
Chinese reporting on North Korea running the same playbooks over and over.
[We] captured the APT-C-28 organization delivering RokRat malware to the target under the guise of malicious documents such as "payment application form". This attack activity is basically the same as the 2021 public threat intelligence disclosure APT-C-28 Organization Uses VBA Self-Decoding
China
China-Taiwan Tensions Spark Surge in Cyberattacks on Taiwan
Daksh Kapur and Leandro Velasco provide some interesting victimology insights. It is almost as if China is preparing for a physical confrontation at some point in the future.
In the last few months, the rise in tensions between Taiwan and China have contributed to a noticeable increase in cyberattacks towards Taiwan. Our researchers have identified a worrying surge in attacks aimed at various industries in the region, with the goal of delivering malware and stealing sensitive information.
Even though various industries were targeted during the surge, the most impacted industries in the respective time frame were -
Networking/IT
Manufacturing
Logistics
CNI Targeting
Lots of reporting beyond what was released by Government here.
Chinese Malware Hits Systems on Guam. Is Taiwan the Real Target?
New York Times provides some high level reporting in the first instance.
Around the time that the Federal Bureau of Investigation was examining the equipment recovered from the wreckage of the Chinese spy balloon shot down off the South Carolina coast in February, American intelligence agencies and Microsoft detected what they feared was a more worrisome intruder: mysterious computer code that has been popping up in telecommunications systems in Guam and elsewhere in the United States.
Volt Typhoon targets US critical infrastructure with living-off-the-land techniques
Then we have the technical team who uncovered it. Note the use of compromising embedded devices in order to route their malicious traffic.
To achieve their objective, the threat actor puts strong emphasis on stealth in this campaign, relying almost exclusively on living-off-the-land techniques and hands-on-keyboard activity. They issue commands via the command line to (1) collect data, including credentials from local and network systems, (2) put the data into an archive file to stage it for exfiltration, and then (3) use the stolen valid credentials to maintain persistence. In addition, Volt Typhoon tries to blend into normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware. They have also been observed using custom versions of open-source tools to establish a command and control (C2) channel over proxy to further stay under the radar.
Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations
Finally there are some insights from a number of incident response cases related to the same activity.
On May 24, 2023, the U.S. National Security Agency (NSA) issued a joint cybersecurity advisory highlighting a cluster of activity it attributes to a People's Republic of China (PRC) state-sponsored threat group. [Our] (CTU) researchers attribute this activity to BRONZE SILHOUETTE (referred to in the advisory as Volt Typhoon) and have observed the threat group conducting network intrusion operations against U.S. government and defense organizations since 2021. The tactics, techniques, and procedures (TTPs) and victimology observed during Secureworks incident response (IR) engagements suggest BRONZE SILHOUETTE targets organizations for intelligence-gathering purposes that are in alignment with the requirements of the PRC. The threat group has demonstrated careful consideration for operational security such as the use of preinstalled binaries to “live off the land,” incorporation of defense evasion techniques, and reliance on compromised infrastructure to prevent detection and attribution of its intrusion activity, and to blend in with legitimate network activity.
Iran
Fata Morgana: Watering hole attack on shipping and logistics websites
Some really interesting Iranian reconnaissance tradecraft here to leak internal IP addresses etc. via watering holes.
ClearSky Cyber Security has detected a watering hole attack on at least eight Israeli websites. The attack is highly likely to be orchestrated by a nation-state actor from Iran, with a low confidence specific attribution to Tortoiseshell (also called TA456 or Imperial Kitten).
This script appears to be designed to collect information about the user's system and send it to a remote server.
The data sent with the request includes several pieces of information encoded using base64:
..
"ECO": encoded list of IP addresses obtained through a WebRTC STUN request
..
https://www.clearskysec.com/fata-morgana/
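From the defender's side, the useful artefact in the above is the beacon itself: base64-encoded fields, one of which ("ECO") carries addresses gathered through WebRTC/STUN. The following is an added triage helper, not code from ClearSky or the watering-hole page, that decodes a captured beacon body and flags any internal (RFC 1918, link-local, loopback) addresses leaving the perimeter. The sample beacon is constructed; the JSON-list encoding of "ECO" and the "UA" field name are assumptions, only the "ECO" name and its base64 IP-list content come from the write-up.

```python
"""Triage a captured watering-hole beacon: decode its base64 fields and flag leaked internal IPs."""
import base64
import ipaddress
import json
import re
from typing import Dict, List

# Constructed sample beacon body. Only the "ECO" field name and the fact that
# it holds a base64-encoded list of IP addresses come from the ClearSky
# report; the JSON-list encoding and the "UA" field are assumptions.
CONSTRUCTED_BEACON: Dict[str, str] = {
    "ECO": base64.b64encode(
        json.dumps(["10.20.30.40", "192.168.1.15", "203.0.113.9"]).encode()
    ).decode(),
    "UA": base64.b64encode(b"Mozilla/5.0 (Windows NT 10.0; Win64; x64)").decode(),
}

# Ranges that should never appear in an outbound beacon: RFC 1918 private
# space plus link-local and loopback. Seeing one means the page harvested
# the browser's internal addressing via WebRTC/STUN.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8",
)]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def decode_field(value: str) -> str:
    """Base64-decode one field, tolerating stripped padding; '' if undecodable."""
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded).decode("utf-8", errors="replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""


def is_internal(ip: str) -> bool:
    """True if the address falls in any of the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def extract_ipv4(text: str) -> List[str]:
    """Pull syntactically valid, de-duplicated IPv4 addresses out of decoded text."""
    found: List[str] = []
    for candidate in IPV4_RE.findall(text):
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            continue  # e.g. 999.1.1.1 matches the regex but is not an address
        if candidate not in found:
            found.append(candidate)
    return found


def triage_beacon(beacon: Dict[str, str]) -> Dict[str, object]:
    """Decode every field and report which internal addresses the page leaked."""
    decoded = {k: decode_field(v) for k, v in beacon.items()}
    ips = extract_ipv4(decoded.get("ECO", ""))
    internal = [ip for ip in ips if is_internal(ip)]
    public = [ip for ip in ips if not is_internal(ip)]
    return {
        "decoded": decoded,
        "internal_ips": internal,
        "public_ips": public,
        "leaks_internal_ip": bool(internal),
    }


if __name__ == "__main__":
    print(json.dumps(triage_beacon(CONSTRUCTED_BEACON), indent=2))
```

Run over proxy or WAF captures of POST bodies to the attacker host, a "leaks_internal_ip" hit tells you which hosts have already handed over their internal addressing and should be prioritised for review.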
Agrius Deploys Moneybird in Targeted Attacks Against Israeli Organizations
Marc Salinas Fernandez and Jiri Vinopal detail the use of ransomware by a nation state to mask, in part, state hack-and-leak operations.
Iranian threat actor Agrius continues to operate against Israeli targets, masking destructive influence operations as ransomware attacks.
In recent attacks the group deployed Moneybird, a previously unseen ransomware written in C++.
Despite presenting themselves as a new group with the name Moneybird, this is yet another Agrius alias.
The data was eventually leaked through one of Agrius' previous aliases.
As demonstrated in the Moneybird attacks, Agrius’s techniques, tactics and procedures (TTP) remain largely unchanged.
Operation "Total Exchange": New PowerExchange Backdoor Discovered in the UAE
Asaf Rubinfeld, John Simmons, Luca Pugliese and Rotem Sde-Or detail suspected Iranian tradecraft and the use of email for their C2.
Last year, [we] identified several simultaneous attacks targeting a government entity in the United Arab Emirates. Some were classified as known threats, such as JS_POWMET and AdKoob, while one remained unidentified.
This isolated case was a custom, targeted PowerShell-based backdoor we named PowerExchange. This backdoor’s C2 protocol is email-based, with the C2 server being the victim’s Microsoft Exchange server. Forensics investigation of the network revealed the backdoor on additional endpoints and multiple other implants on various servers. One implant discovered on Microsoft Exchange servers was a novel web shell, dubbed ExchangeLeech, due to its unique ability to harvest credentials.
https://www.fortinet.com/blog/threat-research/operation-total-exchange-backdoor-discovered
WINTAPIX: A New Kernel Driver Targeting Countries in The Middle East
Geri Revay and Hossein Jazi detail what is both a long-running and a low-level capability from Iran. Interestingly, the drivers are signed using certificates belonging to Chinese firms.
The sample that triggered our rule was a driver called WinTapix.sys (which is why we named it WINTAPIX). Since it uses Donut, we decided to analyze it further. It turned out to be a very interesting sample that we believe is being used in targeted attacks against countries in the Middle East.
This captured sample was compiled in May 2020 but was only uploaded to Virus Total in February of this year. Pivoting from this sample, we found another variant of this driver with the same name that was compiled around the same time, but it was uploaded to Virus Total in September 2022. Pivoting again from the used certificates, we found another variant of the WINTAPIX driver with the SRVNET2.SYS name. This sample was compiled in June 2021 and was first observed in the wild in December 2021.
Based on the information we have collected so far, we now believe that this driver has been active in the wild since at least mid-2020 and, to the best of our knowledge, has not been reported before.
Observed telemetry shows that 65% of the lookups for this driver were from Saudi Arabia, indicating it was a primary target.
However, we still do not have enough information about how this driver has been distributed and who was behind these operations. Based on the victimology, we suspect an Iranian threat actor developed this driver.
https://www.fortinet.com/blog/threat-research/wintapix-kernal-driver-middle-east-countries
Analysis of the CloudWizard APT framework
Leonid Bezvershenko, Georgy Kucherin and Igor Kuznetsov issue a report where the implication is that this threat actor is Ukrainian.
Some of these APTs have long been forgotten in the past – such as Prikormka (Operation Groundbait), discovered by ESET in 2016. While there have been no updates about Prikormka or Operation Groundbait for a few years now, we discovered multiple similarities between the malware used in that campaign, CommonMagic and CloudWizard.
https://securelist.com/cloudwizard-apt/109722/
Lemon Group’s Cybercriminal Businesses Built on Preinfected Devices
Fyodor Yarochkin, Zhengyu Dong and Paul Pajares detail what can only be described as a criminal supply chain attack. The fact they managed to pull this off should send a strong warning about embedded system supply chain security and the implications when it goes wrong.
This blog post provides a glimpse of the money-making business and monetization strategies built on top of the preinfected devices marketed and sold by one of the threat actor groups we named “Lemon Group.” It also gives an overview of how these devices were infected, the malicious plug-ins used, and the groups’ professional relationships.
We identified over 50 different images from a variety of vendors carrying initial loaders. The more recent versions of the loaders use fileless techniques when downloading and injecting other payloads.
Comparing our analyzed number of devices with Lemon Group’s alleged reach of 8.9 million, it’s highly likely that more devices have been preinfected but have not exchanged communication with the C&C server, have not been used or activated by the threat actor, or have yet to be distributed to the targeted country or market.
COSMICENERGY: New OT Malware Possibly Related To Russian Emergency Response Exercises
Ken Proska, Daniel Kapellmann Zafra, Keith Lunden, Corey Hildebrandt, Rushikesh Nandedkar and Nathan Brubaker highlight what was possibly an operational mistake which led to the discovery of this capability. Either way the fact of existence should be of note to global energy infrastructure providers.
[We] identified novel operational technology (OT) / industrial control system (ICS)-oriented malware, which we track as COSMICENERGY, uploaded to a public malware scanning utility in December 2021 by a submitter in Russia. The malware is designed to cause electric power disruption by interacting with IEC 60870-5-104 (IEC-104) devices, such as remote terminal units (RTUs), that are commonly leveraged in electric transmission and distribution operations in Europe, the Middle East, and Asia.
https://www.mandiant.com/resources/blog/cosmicenergy-ot-malware-russian-response
InterPlanetary File System: A Decentralized Place to Host Phishing Content
Jan Michael details the rise of IPFS and its malicious uses. It will be interesting to see how enduring this use is, or whether organisations simply start blocking it, given there are only downsides to allowing their endpoints to speak to it.
[We are] tracking phishing campaigns abusing InterPlanetary File System (IPFS) to deliver their payloads. From March 1 to April 30, [We have] seen a 7x increase in traffic to IPFS phishing pages. The attacks have been targeting victims mainly in North America and Asia Pacific across different segments, led by the financial services, banking, and technology sectors.
The Hunt for VENOM SPIDER PART 2
Joe Stewart and Keegan Keplinger go to town on finding the person behind the operation. I suspect Jack is going to reflect on life choices.
[We] discovered the second threat actor behind Golden Chickens self identifies as “Jack” and was born in a small Romanian town called Mizil
[We] tracked “Jack’s” Internet activities going back to 2008, when he was 15
“Jack” seems to have picked up coding at an early age, although [we] could find no evidence of any formal education. Since age 15, “Jack” has displayed a strong interest in developing malware and tools to assist in cybercrime
“Jack” has a short fuse. As early as 19, “Jack” had already gained a reputation as a “Ripper/Scammer”
In July 2022, “Jack” had a $200,000 bounty placed on his head, on Exploit.in, by a threat actor who accuses him of stealing $1 million dollars from him
Like “Chuck from Montreal”, “Jack” uses multiple aliases on forums, social media, and Jabber accounts, and goes to great lengths to disguise himself
https://www.esentire.com/web-native-pages/the-hunt-for-venom-spider-part-2
IcedID Macro Ends in Nokoyawa Ransomware
Interesting end to end insight here from our friends at the DFIR Report - also note the Cobalt Strike watermark doesn’t appear cracked which is interesting. Should hopefully allow the vendor to understand how their KYC processes failed and/or which of their customers has a leak.
In this case we document an incident taking place during Q4 of 2022 consisting of threat actors targeting Italian organizations with Excel maldocs that deploy IcedID. The threat actors deploying such a campaign may hope to target organizations who have not updated their Microsoft Office deployments after the newly released patches to block macros on documents downloaded from the internet.
We have previously reported on IcedID intrusions that have migrated to ISO files, however, this report is one of the most recent that will focus on the traditional Excel/macro intrusion vector.
Once inside, the threat actors pivoted using Cobalt Strike and RDP before a domain wide deployment of Nokoyawa ransomware with the help of PsExec. Nokoyawa ransomware is a family with ties to Karma/Nemty.
https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/
Android app breaking bad: From legitimate screen recording to file exfiltration within a year
Lukas Stefanko shows the crawl, walk and run phases of getting malicious apps into Google Play.
[W]e detected a trojanized app available on the Google Play Store; we named the AhMyth-based malware it contained AhRat.
Initially, the iRecorder app did not have any harmful features. What is quite uncommon is that the application received an update containing malicious code quite a few months after its launch.
The application’s specific malicious behavior, which involves extracting microphone recordings and stealing files with specific extensions, potentially indicates its involvement in an espionage campaign.
The malicious app with over 50,000 downloads was removed from Google Play after our alert; we have not detected AhRat anywhere else in the wild.
I Have No Mouth, and I Must Do Crime
Weaponised Deepfakes as a Service (WDaaS) have arrived. To be expected, but good to have an evidence base.
Threat actors have begun to monetize voice cloning services, including developing their own cloning tools that are available for purchase on Telegram, leading to the emergence of voice-cloning-as-a-service (VCaaS).
https://www.recordedfuture.com/i-have-no-mouth-and-i-must-do-crime
Mercenary mayhem: A technical analysis of Intellexa's PREDATOR spyware
Good write-up on Israeli commercial mobile capability here which is of note considering who they were selling it to.
Our research specifically looks at two components of this mobile spyware suite known as “ALIEN” and “PREDATOR,” which compose the backbone of the spyware implant. Our findings include an in-depth walkthrough of the infection chain, including the implants’ various information-stealing capabilities.
A deep dive into both spyware components indicates that ALIEN is more than just a loader for PREDATOR and actively sets up the low-level capabilities needed for PREDATOR to spy on its victims.
We assess with high confidence that the spyware has two additional components — tcore (main component) and kmem (privilege escalation mechanic) — but we were unable to obtain and analyze these modules.
https://blog.talosintelligence.com/mercenary-intellexa-predator/
Gather Round the Watering Hole, We have a story to tell
Ian Ahl details end-to-end this interesting AWS credential collection campaign. Note the use of Google Ads. I suspect attacks like this will cause Amazon to mandate MFA on accounts in time.
The attacker buys ad space for certain search terms in google.
The Victim searches for a term like “AWS Console Login” in google. Google returns a list of results that include the malicious Google ad at the top.
The Victim clicks on the ad, thinking it is the legitimate AWS Console Login site. The fake site looks exactly like the normal AWS Console Login page, so the victim enters their credentials to logon.
These credentials are saved to the attacker infrastructure, and the victim is redirected to the legitimate AWS Console Logon page.
Now at the legitimate AWS Console Logon page, the victim suspects they must have entered their username and password incorrectly, types in again, and now enters the legitimate AWS Console, not realizing they gave their credentials to attackers along the way.
The attacker now has the username and password, and assuming the victim doesn’t have MFA enabled they can immediately use the credentials. Also, since users often reuse passwords, they may try to logon to other services with the victim’s credentials such as their email or VPN.
https://permiso.io/blog/s/watering-hole-attack-targets-aws-users/
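The chain above only works because the stolen password is enough on its own; a defender can sweep CloudTrail for successful ConsoleLogin events that completed without MFA. This is an added example, not code from the Permiso post, and the log lines are constructed to mimic CloudTrail's ConsoleLogin schema (responseElements.ConsoleLogin, additionalEventData.MFAUsed).

```python
import json

# Constructed sample CloudTrail records (not real log data). The first one is
# what a phished-then-replayed username/password login looks like: a
# successful ConsoleLogin with MFAUsed set to "No".
SAMPLE_EVENTS = [
    json.dumps({
        "eventName": "ConsoleLogin",
        "eventTime": "2023-05-22T09:14:02Z",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "sourceIPAddress": "198.51.100.23",
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "No"},
    }),
    json.dumps({
        "eventName": "ConsoleLogin",
        "eventTime": "2023-05-22T09:15:40Z",
        "userIdentity": {"type": "IAMUser", "userName": "bob"},
        "sourceIPAddress": "203.0.113.7",
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "Yes"},
    }),
    json.dumps({  # failed attempt: noisy, but not a compromise on its own
        "eventName": "ConsoleLogin",
        "eventTime": "2023-05-22T09:16:11Z",
        "userIdentity": {"type": "IAMUser", "userName": "carol"},
        "sourceIPAddress": "198.51.100.23",
        "responseElements": {"ConsoleLogin": "Failure"},
        "additionalEventData": {"MFAUsed": "No"},
    }),
    json.dumps({  # unrelated API call, must be ignored
        "eventName": "GetCallerIdentity",
        "eventTime": "2023-05-22T09:17:00Z",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "sourceIPAddress": "198.51.100.23",
    }),
]


def find_password_only_logins(raw_events):
    """Return (principal, sourceIPAddress, eventTime) for every successful
    console login that did not involve MFA. Root logins carry no userName,
    so the identity type is used as the principal in that case."""
    hits = []
    for line in raw_events:
        ev = json.loads(line)
        if ev.get("eventName") != "ConsoleLogin":
            continue
        if ev.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue
        if ev.get("additionalEventData", {}).get("MFAUsed") != "No":
            continue
        ident = ev.get("userIdentity", {})
        principal = ident.get("userName") or ident.get("type")
        hits.append((principal, ev.get("sourceIPAddress"), ev.get("eventTime")))
    return hits
```

Every hit is a login that a phished password alone could have produced; in practice you would feed this the output of a CloudTrail lookup or an Athena query over the trail bucket.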
Discovery
How we find and understand the latent compromises within our environments.
MalwareMorphology
Jared Atkinson provides practical tradecraft on dealing with similarity in capability.
Morphology
The study of the form and structure of things.
Biology – The form and structure of living organisms (animals, plants, etc.)
Linguistics – The study of words, how they are formed.
Anatomy is one sub-discipline of biological morphology.
A primary tool used to measure the similarity of two things.
This workshop intends to demonstrate how morphological analysis of malware samples is useful in many Detection and Response disciplines.
Teach a process for morphological analysis of malware samples.
Demonstrate how to categorize samples into a hierarchical taxonomy.
Explain implications of similarity on Detection and Response
https://github.com/jaredcatkinson/MalwareMorphology
https://www.youtube.com/live/KTAeUjDBW3s?feature=share
Analysis of Amadey Bot Infrastructure Using Shodan
Matthew provides a canter through the tradecraft used to do such discovery in practice.
Here you'll see how to use a known c2 to craft additional queries based on html content and certificate information. In total, 12 unique servers will be identified.
https://embee-research.ghost.io/amadey-bot-infrastructure/
Defence
How we proactively defend our environments.
EAT Guard
Connor McGarr provides an implementation outside of the Microsoft incarnation. Could likely be modified to provide a trip hazard and/or build a honeytoken triggering mechanism.
Implementation of an export address table protection mitigation, like Export Address Filtering (EAF)
https://github.com/connormcgarr/EATGuard
AD FS sign-ins in Azure AD with Connect Health
Observability for the win.
AD FS sign-ins can now be integrated into the Azure Active Directory sign-ins report by using Connect Health
PCAPeek
Maxime Thiebaut provides an amazing VCR playback experience used by organised crime.
A proof-of-concept re-assembler for reverse VNC traffic such as IcedID & Qakbot's VNC Backdoors.
https://github.com/0xThiebaut/PCAPeek/
Vulnerability
Our attack surface.
CVE-2023-28771: Improper error message handling in Zyxel ZyWALL/USG series firmware
Shocking vulnerability to exist in 2023.
allows an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device
https://attackerkb.com/topics/N3i8dxpFKS/cve-2023-28771/rapid7-analysis
CVE-2023-24905: Chaining DLL Hijacking and Format String to gain RCE on windows RDP Client
Dor Dali outlines tradecraft we can expect to be adopted by a range of threat actors.
By crafting a malicious DLL with harmful format strings and coupling it with a legitimate RDP file, it's possible to manipulate the memory layout of the program and even achieve Remote Code Execution (RCE) on the affected system.
To exploit this attack, all an attacker needs to do is create a maliciously crafted DLL along with a legitimate RDP file and strategically place it where the target is likely to execute it. This could be in a commonly accessed network share folder, where unsuspecting users might inadvertently launch the RDP file.
BrutePrint: Expose Smartphone Fingerprint Authentication to Brute-force Attack
Yu Chen and Yiling He make Hollywood sort of real.
We implement BrutePrint to automate the attack, that acts as a middleman to bypass attempt limit and hijack fingerprint images. Specifically, the bypassing exploits two zero-day vulnerabilities in smartphone fingerprint
https://arxiv.org/abs/2305.10791
Near-Ultrasound Inaudible Trojan (NUIT): Exploiting Your Speaker to Attack Your Microphone
Qi Xia, Qian Chen and Shouhuai Xu make the Hollywood sequel.
In this paper, we introduce a new class of attacks, dubbed near-ultrasound inaudible trojan (NUIT). NUIT attacks achieve the best of the two classes of attacks mentioned above: they are inaudible and can be waged remotely. Moreover, NUIT attacks can achieve end-to-end unnoticeability, which is important but has not been paid due attention in the literature. Another feature of NUIT attacks is that they exploit victim speakers to attack victim microphones and their associated VCSs, meaning the attacker does not need to use any special speaker. We demonstrate the feasibility of NUIT attacks and propose an effective defense against them.
https://www.usenix.org/system/files/sec23fall-prepub-261-xia-qi.pdf
Offense
Attack capability, techniques and trade-craft.
From Theory to Reality: Explaining the Best Prompt Injection Proof of Concept
Joseph walks us through prompt injection end to end. These domain-specific logic vulnerabilities are going to be really challenging to imagine, let alone gain assurance against, in the short term.
https://rez0.blog/hacking/2023/05/19/prompt-injection-poc.html
Volatility3 Windows Plugin : KeePass
Felix Guyard implements the vulnerability to aid forensics. Watch for actors doing volatile collection.
On May 1st, 2023, vdhoney raised concerns about a flaw he found impacting KeePass 2.X. Vdhoney claimed to be able to reconstruct the master password from memory. A POC was later released by the researcher not only in dotnet but also in python3.
Today in this blog post we will describe the vulnerability and see how we can create a volatility3 plugin to help forensic investigators retrieve passwords from memory.
https://www.forensicxlab.com/posts/keepass/
NVIDIA RTX 40 Series Graphics Cards: The Faster and More Efficient Password Recovery Accelerators
Oleg Afonin shows how far performance has come.
Other formats demonstrate similar results. An 88% performance gain on SHA256 hashes, 93% faster WPA attacks, 85% performance uptick when recovering encrypted RAR archives and 70% faster ZIP password recovery average to some 82% overall gain for the 4070 Ti vs. 3070 Ti.
postmaniac: Postman OSINT tool to extract creds, token, username, email & more from Postman Public Workspaces
Pierre Ceberio releases a tool which is likely to be adopted at pace by some threat actors. Brace, brace, brace...
Postman OSINT tool to extract creds, token, username, email & more from Postman Public Workspaces.
https://github.com/boringthegod/postmaniac
A phishing technique that emulates a file archiver software in the browser while using a .zip domain
The prophecy hasn’t come quite true yet, but this is a good example of the confusion which exists.
With this phishing attack, you simulate a file archiver software (e.g. WinRAR) in the browser and use a .zip domain to make it appear more legitimate.
https://mrd0x.com/file-archiver-in-the-browser/
The Evolution of Covert Communication: From Domain Fronting to PaaS Redirectors
This technique will need the platforms themselves likely to detect and respond to at scale.
In the wake of domain fronting’s demise, a new technique has come to the fore: PaaS Redirecting.
PaaS redirectors leverage the infrastructure of PaaS providers to disguise the destination of network traffic. Instead of manipulating the DNS and HTTP headers, PaaS redirectors employ various services provided by PaaS providers to reroute traffic. This can be as simple as a web app hosted on the PaaS that forwards traffic to the actual destination or as complex as using serverless functions and other cloud-native services to process and redirect traffic.
One of the primary advantages of PaaS redirectors is that they can leverage the reputation of the PaaS provider to evade detection. Most PaaS providers have many legitimate customers,
Exploitation
What is being exploited.
KeePass 2.X Master Password Dumper (CVE-2023-32784)
The underlying vulnerability which enables the password recovery. Note the need for the password to be typed in.
The vulnerability was assigned CVE-2023-32784. It should be fixed in KeePass 2.54, which should come out in the beginning of June 2023. Thanks again to Dominik Reichl for his fast response and creative fix!
Clarification: the password has to be typed on a keyboard, not copied from a clipboard (see the How it works sections).
https://github.com/vdohney/keepass-password-dumper
CVE-2023-2868: Barracuda Networks Status
There we go - someone burnt a zero-day - be interesting to see if victimology is disclosed.
Barracuda identified a vulnerability (CVE-2023-2868) in our Email Security Gateway appliance (ESG) on May 19, 2023 - "we’ve identified that the vulnerability resulted in unauthorized access to a subset of email gateway appliances"
https://status.barracuda.com/incidents/34kx82j5n4q9
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Organizational and Organized Cybercrime - cybercriminals may be parasitical on legitimate organizational structures and procedures in creating an outlook of legitimacy for concealment. Legitimate businesses may also facilitate white-collar cybercrime by providing the organizational means and resources for employees to carry out generally low-tech data breaches during their occupations (Payne, 2018). Individuals may carry out cyber-espionage on behalf of the organizations in order to gain market edge (Holt and Kennedy, 2020).
Preparing for future cyber crises: lessons from governance of the coronavirus pandemic - stakeholders must continue to create and refine preparedness strategies defining internal and external communication procedures, which account for the dynamism of contemporary ransomware threats. Secondly, given that vulnerabilities may be both social and technical, communication strategies deployed pre-, during-, and post-incident should be multi-layered in their targeting of audiences.
How I Re-implemented PyTorch for WebGPU - this is how compromised (or not) websites leverage their visitors for their AI/ML needs.
Clandestine communications in cyber-denied environments - Numbers stations and radio in the 21st century (2023, Open Access)
The Strange Story of the Teens Behind the Mirai Botnet - After wielding its power for two months, Paras dumped nearly the complete source code for Mirai on Hack Forums. “I made my money, there’s lots of eyes looking at IOT now, so it’s time to GTFO [Get The F*** Out],” Paras wrote. With that code dump, Paras had enabled anyone to build their own Mirai. And they did.
DNS Identity - This report provides a view of authentication and verification of domain name owners in the context of domain name registration. It identifies the security challenges, good practices, security controls and associated risks in the domain name registration ecosystem.
The Quad: Carved in Code - Collaborating to Deliver the Greatest Public Good - The working paper will then critically analyse the policy merits of the pledge and find that it is necessary for uplifting software security, cyber resilience around the world and thus the fulfilment of the Quad’s commitment to tackle security challenges emanating from the cyber domain. To build on this analysis, the pledge will be justified as a driver of the internal credibility of the Quad, making the four governments coalesce around implementing it and uplifting software security.
This newsletter is produced by BinaryFirefly; it is via BinaryFirefly that I support a hand-picked set of organisations across investment, strategy and capability in the domain of cyber.
For sponsorship enquiries regarding Bluepurple or anything else contact hello@binaryfirefly.com.
Bluepurple Pulse: week ending May 28th