Bluepurple Pulse: week ending May 21st
Azerbaijan shows the world how it is done when dealing with government departments who aren't secure enough.
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week Chinese activity reporting is up with some insights into their more advanced capabilities both in terms of implants and C2 infrastructure. Outside of that criminals continuing to be criminals.
In the high-level this week:
“Shared threats, shared understanding”: U.S., Canada and Latvia conclude defensive Hunt Operations - During the three-month long operation, the U.S. team worked with CERT.LV, the Information Security Incident Response Institution of the Republic of Latvia – on a defensive cyber threat hunting operation focused on the Latvian critical infrastructure.
New DOD doctrine officially outlines and defines 'expeditionary cyberspace operations' - hunt forward falls in here but is also wider e.g. Gain access through a low-power, point-to-point radio frequency (RF) link.
Evolving Cyber Operations and Capabilities - As part of the UK National Cyber Security Centre’s efforts to shape debate and discussion around cybersecurity issues, this collection of essays examines the war in Ukraine, with a view to the wider debate around the role and value of cyber capabilities.
Federal Appeals Court Gets It: Fair Use Protects Security Research Tools - Corellium and Apple case comes to conclusion with wider implications for security researchers and © - positively for once.
U.S. Cyber Command Releases New Guide to Technical Challenge Questions - Chinese analysis of the US 2023 problem set.
Activity of 6 state information resources was suspended by the Ministry of Information Security because they did not meet the requirements of information security - Azerbaijan shows the world how it is done.
Confronting Hamas as a Cyber Espionage Powerhouse - well, not quite a power house, but still an emergent player
Take a Deep Breath and Tell Me All About It: An Experimental Study on the Effect of Breathing on Privacy Decisions - fascinating research - The results reveal that participants in the box breathing condition disclosed the most personal information, followed by those in the coherent breathing condition, and the least disclosure in the control condition.
Treasury Sanctions Russian Ransomware Actor Complicit in Attacks on Police and U.S. Critical Infrastructure - U.S. Department of State announced an award of up to $10 million for information that leads to the arrest and/or conviction of Matveev under its Transnational Organized Crime Rewards Program - how cyber Boba Fett is born.
Enhancing the Battleverse: The People’s Liberation Army’s Digital Twin Strategy - The People’s Liberation Army (PLA) also sees major value in digital twin technology as they continue to enhance their capabilities in the “battleverse.” In recent PLA media and Chinese tech coverage there have emerged six main applications of digital twin technology that they believe will provide advantage on the battlefield.
Towards ecosystems of connected digital twins to address global challenges - Through digital twins, we can develop unprecedented capabilities for understanding, manipulating and managing complex systems.
Integrated Deterrence and Cyberspace - collection of essays on the topic.
Deterring China isn’t all about submarines. Australia’s ‘cyber offence’ might be its most potent weapon - Australia has been much more guarded in discussing cyber offence than the US, but the two allies are in step. Canberra is in the process of tripling the size of its offensive cyber forces under Project Redspice, announced last year.
Australia’s $23M Cyber Wardens Program - Australian small businesses and their employees will take a leading role in the nation’s defence against global cyber crime, with a $23.4 million investment in the national Cyber Wardens program in this week’s federal budget.
Up to 100 cases taken over HSE cyberattack, judge told - Up to 100 people whose personal data was accessed during a major ransomware cyberattack on the [Irish] Health Service Executive’s information technology systems are suing for damages.
Unlocking Data Protection by Design and by Default: Lessons from the Enforcement of Article 25 GDPR - Our analysis determines that European DPAs diverge in how they interpret the preventive nature of Article 25 GDPR. Some are reluctant to find violations in cases of isolated incidents or where Article 5 GDPR principles are not violated, while others apply Article 25 preventively before further GDPR breaches or even planned data processing.
Brazil publishes their draft version of its National Cybersecurity Policy - the global south starts to awaken.
Commercial offensive cyber capabilities:
Pegasus : Florence Parly a été ciblée par le logiciel espion quand elle était ministre des armées - Pegasus: Florence Parly was targeted by spyware when she was Minister of the Armed Forces
Spyware firm NSO Group continues lobbying efforts to resume business-as-usual in the U.S - Since 2020, NSO Group has paid foreign agents more than $2.9 million for foreign influence and lobbying operations in the U.S.
From the USA, a Warning for Democracies - Although autocracies are more likely to purchase commercial spyware technologies, democracies have also contributed to market demand
Ghost in the network - How a Swiss tech expert runs a global phone surveillance system - Our investigation shows how Fink has built a surveillance apparatus that he has put at the disposal of governments and companies around the world – including Israel’s Rayzone Group, a top-tier cyber intelligence company.
Surveillance Company Turns Ad Data Into Government Tracking Tool - A product called Echo, made by the Israel-based Rayzone Group, is using information intended for marketers to help authorities track people through their mobile phones.
Large AI language models - Opportunities and risks for industry and authorities - from the German federal government.
No reflections this week as I’ve been super busy and thus you are getting this on a Saturday.
On the interesting job/role front:
No.10 Innovation Fellowships for the UK Government.
SOC Senior Analyst at the UK’s National Crime Agency
Security Engineer at VirusTotal in Spain
Software Engineer, Infrastructure Integrator at VirusTotal in Spain
Chief Information Officer at NATO Defence Innovation Accelerator for the North Atlantic (DIANA) in the UK
Have a lovely Saturday
Cyber threat intelligence
Who is doing what to whom and how.
The Five Bears: Russia's Offensive Cyber Capabilities
Oscar Rosengre provides a high-level overview of the machinery of Russian offensive cyber capabilities.
However, even though at the forefront of war-fighting capabilities in the digital environment, the 2022 war in Ukraine suggests a more limited significance of offensive cyber operations than estimated. Cyber operations alone have yet to prove sufficient to gain strategic advantages on the physical battlefield. Still, since the digital environment does not know state borders, the Russian APT actors make up an evolving threat on a global scale, not only in terms of espionage but physical disturbance, calling for proportionate counter- and preventive measures among nations in both peacetime and war.
APT28 leverages multiple phishing techniques to target Ukrainian civil society
Felix Aimé and team provide evidence of Russian use of the browser in browser technique we have previously covered red teams using.
These techniques include using HTTP webhook services such as Pipedream and Webhook, as well as compromised Ubiquiti routers to steal victims’ credentials. On one occasion, APT28 was seen using the “Browser in the Browser” technique to display a fake login page to the victim, purporting to decrypt a document.
Kimsuky group using Meterpreter to attack web servers
Some insight into North Korean post-access tradecraft, using a mixture of both off-the-shelf and custom implants in recent times.
Kimsuky installed the Metasploit Meterpreter backdoor after a successful attack, and a history of installing proxy malware developed in the Go language has also been confirmed.
Andariel’s “Jupiter” malware and the case of the curious C2
Reporting which indicates that North Korea targeted the National Institute of Virology of India. Interesting for several reasons, not least the Indian victimology and the biological nature of the target. Note the use of very large files in an attempt to avoid being scanned by EDRs.
The new sample, functionally unchanged, contained a very interesting Command & Control server, suggesting that the threat actors behind it might have managed to compromise the web server for the National Institute of Virology of India
If a download target path is specified in the response, the malware will write the payload to the specified path and copy Explorer.exe’s timestamps to it in order to disguise the file. In case the downloaded file is an EXE file it will also pad the executable with 40,000,000 (~40MB) random bytes on disk, likely to exceed some security software’s file limits and/or generate a unique hashsum for downloaded binaries.
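The padding trick above leaves a tell: a PE whose file is far larger than the end of its last section, with the surplus (the “overlay”) being high-entropy random bytes. The following is an added example, not code from the Jupiter report or any vendor tool, which walks the PE section table to measure the overlay and its Shannon entropy. The 1 MB and 7.0-bit thresholds, and the minimal PE image built for testing, are my own assumptions; the article’s samples carry roughly 40 MB.

```python
import math
import random
import struct
from collections import Counter


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: close to 8.0 for random data, low for text or zero padding."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def overlay_info(data: bytes) -> dict:
    """Locate the overlay (bytes after the last section) by walking the PE section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size                               # first IMAGE_SECTION_HEADER
    end_of_sections = table + num_sections * 40
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + i * 40 + 16)
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)
    overlay = data[end_of_sections:]
    return {"overlay_size": len(overlay), "overlay_entropy": shannon_entropy(overlay)}


def is_padded(data: bytes, min_overlay: int = 1_000_000, min_entropy: float = 7.0) -> bool:
    """Flag a large, high-entropy overlay. Thresholds are assumptions for this example:
    legitimate overlays (installers, signatures) are small or structured, not megabytes of noise."""
    info = overlay_info(data)
    return info["overlay_size"] >= min_overlay and info["overlay_entropy"] >= min_entropy


def build_minimal_pe(section_data: bytes, overlay: bytes = b"") -> bytes:
    """Constructed test image (not a real executable): DOS stub, PE32 headers, one section."""
    section_offset = 0x200
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew -> PE header at 0x40
    opt_size = 0xE0                                              # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    section = bytearray(40)
    section[0:5] = b".text"
    # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<IIII", section, 8, len(section_data), 0x1000, len(section_data), section_offset)
    header = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(section)).ljust(section_offset, b"\0")
    return header + section_data + overlay


def make_samples() -> tuple:
    """A clean image and one padded with 8 KB of pseudo-random bytes (constructed, seeded)."""
    clean = build_minimal_pe(b"\x90" * 64)
    padded = build_minimal_pe(b"\x90" * 64, random.Random(7).randbytes(8192))
    return clean, padded


if __name__ == "__main__":
    for label, sample in zip(("clean", "padded"), make_samples()):
        print(label, overlay_info(sample), "flagged:", is_padded(sample, min_overlay=4096))
```

On a real file, read it with `open(path, "rb").read()` and keep the default 1 MB threshold; pairing the overlay size with entropy matters because many benign binaries carry a small, low-entropy overlay (Authenticode signatures, installer archives) that should not fire.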
Lazarus Word malware believed to be targeting the EU
A sample from April which appears to be intended for EU targets. Maldocs and macros are the order of the day, so other than the lure content there is nothing of note.
Detailed Analysis of AlphaSeed, a new version of Kimsuky’s AppleSeed written in Golang
New implant from North Korea which is a rewrite of an existing family. Likely done in part in an attempt to avoid detection.
In the hunted malware, the cookie value required for Naver login is inserted into the malware, and login is performed with ChromeDP, a client program that supports the Chrome DevTools protocol.
[We] named this malware “AlphaSeed” because the path name “E:/Go_Project/src/alpha/naver_crawl_spy/” was included in the malware.
We assume that AlphaSeed is the Go language version of the AppleSeed malware previously used by the Kimsuky group, and it has also been confirmed that the Kimsuky group is implementing malware in the Go language.
In the past, the Kimsuky group inserted an ID and password into its malicious code to deliver commands via the mail service; here, instead of an ID and password, login was implemented with a cookie value, after which the information-stealing and command-execution functions were performed.
There are similarities to the AppleSeed malware in the file encryption method, the mail transmission thread, the mailbox name used, etc., and the Kimsuky group has a history of executing commands via Naver mail with malicious code called NavRAT. We therefore assess with high confidence that the Kimsuky group is behind this AlphaSeed malware.
BPFDoor Malware Evolves – Stealthy Sniffing Backdoor ups its Game
Shaul Vilkomir-Preisman and Eliran Nissan out the next iteration of this Chinese implant. This upgrade shows that Chinese threat actors are clearly reading Western reporting on them and adjusting accordingly.
[We] observed and analyzed a previously undocumented and fully undetected new variant of BPFdoor.
One of the most significant differences compared to the previous variant lies in the removal of many of its hardcoded indicators, making the newer version more difficult to detect. Since first seen on VirusTotal in February 2023, the new variant remained undetected and is still undetected as of this writing.
APT32 Burn Notice
Intrusion Truth does what they do best by shining a light on the darker corners of the Chinese offensive cyber military industrial complex in this four part series. Some bad days were likely had in the office.
Lancefly: Group Uses Custom Backdoor to Target Orgs in Government, Aviation, Other Sectors
Chinese APT campaign detailed here, including, importantly, the potential initial access tradecraft. Exploiting network edge devices seems to be the flavor of the day.
The targets in this most recent activity, which began in mid-2022 and continued into 2023, are based in South and Southeast Asia, in sectors including government, aviation, education, and telecoms.
In this more recent activity, the initial infection vector was not entirely clear. We saw some indications of what the initial infection vector may have been in two victims, though this was not conclusive.
In one of the government sector victims, there were indications that the initial infection vector may have been SSH brute forcing. Multiple open-source sources associate one of the IP addresses used by the threat actors in this activity with SSH brute forcing, indicating that the initial infection vector was possibly SSH brute forcing.
In another victim, a file path (Csidl_program_files\loadbalancer\ibm\edge\lb\servers\bin) indicates a load balancer may have been exploited for access, indicating that the initial infection vector may have been an exposed public-facing server.
The Dragon Who Sold His Camaro: Analyzing Custom Router Implant
Itay Cohen, Radoslaw Madej and team detail Chinese tradecraft around an obfuscation network.
[We have] monitored a series of targeted attacks aimed at European foreign affairs entities. These campaigns have been linked to a Chinese state-sponsored APT group we track as Camaro Dragon, which shares similarities with previously reported activities conducted by state-sponsored Chinese threat actors, namely Mustang Panda.
Our comprehensive analysis of these attacks has uncovered a malicious firmware implant tailored for TP-Link routers. The implant features several malicious components, including a custom backdoor named “Horse Shell” that enables the attackers to maintain persistent access, build anonymous infrastructure and enable lateral movement into compromised networks.
Water Orthrus's New Campaigns Deliver Rootkit and Phishing Modules
Jaromir Horejsi and Joseph C Chen highlight once again the complex multi-step attack chains that criminals are employing to execute against their objectives. The use of rootkits is also noteworthy. Interestingly, this appears to have a regional Chinese focus.
Since 2021, we have been tracking the activities of a threat actor we called Water Orthrus, which distributed CopperStealer malware via pay-per-install (PPI) networks. The threat actor has upgraded and modified the malware multiple times for different purposes, such as injecting network advertisements, acquiring personal information, and stealing cryptocurrency. We believe that they are associated with the threat campaign reported as “Scranos” in 2019.
Vietnam Hailianhua APT’s Email Phishing Techniques and Tactics against Mainland China
Chinese reporting on Vietnamese phishing activity and associated tradecraft. The actual tradecraft is run of the mill, e.g. exploits for vulnerabilities from 2017, maldocs and masquerading apps. The use of steganography is likely the one rarity.
This is an OceanLotus sample captured by a foreign security team. Using image steganography technology to hide the core shellcode of the Trojan in a cartoon picture of Kaito Kid, the OceanLotus malicious program will download this PNG image, extract the shellcode backdoor from the image and run it, causing the computer to be compromised.
SIM Swapping and Abuse of the Microsoft Azure Serial Console: Serial Is Part of a Well Balanced Attack
From the “this would never happen in the real world” bucket, showing once again that criminal actors will employ blended operations.
UNC3944 is a financially motivated threat actor which Mandiant has been tracking since May of 2022. Their tactics often include SIM swapping attacks followed by the establishment of persistence using compromised accounts.
OilAlpha: A Likely Pro-Houthi Group Targeting Entities Across the Arabian Peninsula
Once again a surprising insight into groups who you may not expect to have offensive cyber capabilities. The Android tradecraft, as with Iran, India etc., is the leading edge.
The group is highly likely to have targeted entities associated with the non-governmental, media, international humanitarian, and development sectors. It is almost certain that the entities targeted shared an interest in Yemen, security, humanitarian aid, and reconstruction matters. The group’s operations have reportedly included targeting persons attending Saudi Arabian government-led negotiations; coupled with the use of spoofed Android applications mimicking entities tied to the Saudi Arabian government, and a UAE humanitarian organization (among others). As of this writing, we suspect that the attackers targeted individuals the Houthis wanted direct access to.
Deep & Dark web User Profiling @Mont4na
A Rolling Stone like profile on a criminal supplier.
Mont4na users are professional Access Brokers that sell website vulnerabilities and leaked information from various countries including Korea, and mainly sell database access information and web shell privileges.
SideCopy Disguises Registration Invitation Forms for Attacks
Chinese reporting on Pakistani activity who are still using exploits for Microsoft Office from 2017 (CVE-2017-11882).
Geacon Brings Cobalt Strike Capabilities to macOS Threat Actors
Phil Stokes and Dinesh Devadoss provide further evidence that macOS capabilities are evolving and being deployed at an increasing rate. Note however the lack of signing and notarization on the samples.
Analysis of the payloads we have observed on VirusTotal suggests that what appears to have changed is the popularity of two Geacon forks developed by an anonymous Chinese developer using the handle “z3ratu1”.
The first Mach-O Geacon payload was submitted to VirusTotal not long after, on November 10 last year.
Fake system update drops Aurora stealer via Invalid Printer loader
Jérôme Segura details a malicious advertising campaign with a novel twist: it masquerades as a security update. The attack chain concludes with an information stealer.
A threat actor is using malicious ads to redirect users to what looks like a Windows security update. The scheme is very well designed as it relies on the web browser to display a full screen animation that very much resembles what you'd expect from Microsoft.
The fake security update is using a newly identified loader that at the time of the campaign was oblivious to malware sandboxes and bypassed practically all antivirus engines.
Review and analysis of fake Trezor cryptowallet
Stanislav Golovanov goes back in time a little to do a teardown of this complex attack, which weakened the security of the crypto wallets concerned.
The original bootloader and wallet firmware received only three modifications:
First, the bootloader-checks for protection mechanisms and digital signatures were removed, thus getting rid of the “red screen” problem during the firmware originality check at startup.
Second, at the initialization stage or when resetting the wallet, the randomly generated seed phrase was replaced with one of 20 pre-generated seed phrases saved in the hacked firmware. The owner would begin using it instead of a new and unique one.
Third, if the user chose to set an additional master-seed protection password, only its first symbol (a…z, A…Z, 0…9 or ! for any special character) was used, which, together with the no-password option, gave just 64 possible combinations. Thus, to crack a given fake wallet, only 64*20=1280 variants were to be considered.
Squiblydoo does an excellent job of showing the scale of the misuse of Authenticode Certificates on Windows.
Lessons learned from studying and documenting the Authenticode Certificates used by the SolarMarker malware actor. The research looks over 2 years and 50 Authenticode certificates that I personally documented and reported for revocation.
From the 698 binaries and 50 certificates reviewed, no legitimate files belonging to the organization listed on the certificate were ever observed. Further providing evidence that the certificates were not stolen.
How we find and understand the latent compromises within our environments.
How To Detect SYSVOL Enumeration Exploits
Amanda Berlin provides a very neat honeypot technique here to detect threat actors mooching around Windows networks.
To detect this directory scanning we must first create two honeyfiles in the SYSVOL directory.
Run the PowerShell script found in our GitHub. This will create the datasources.xml and registry.xml files in the “C:\Windows\SYSVOL\domain\Policies” directory.
This allows Windows Event ID 5145 to be generated.
For your Domain Controllers, enable “Success” and “Failure” in the following Group Policy Setting.
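Once the honeyfiles exist and Detailed File Share auditing is on, the remaining work is matching 5145 events against the two honeyfile names. The following is an added example, not the script from the article, that parses 5145 records rendered in the Windows event XML schema and raises an alert only when the target is a honeyfile on the SYSVOL share. The sample events, the `contoso.local` domain and the hosts are constructed; the honeyfile names and the share are the ones the article uses.

```python
import xml.etree.ElementTree as ET

# Honeyfile names created under C:\Windows\SYSVOL\domain\Policies, as described above.
HONEYFILES = {"datasources.xml", "registry.xml"}
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_event(xml_text: str) -> tuple:
    """Return (EventID, {Data Name: value}) from a Windows event rendered as XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def honeyfile_hits(events) -> list:
    """One alert per 5145 event whose RelativeTargetName is a honeyfile on the SYSVOL share."""
    hits = []
    for xml_text in events:
        event_id, d = parse_event(xml_text)
        if event_id != 5145:
            continue
        share = d.get("ShareName", "").lower()
        target = d.get("RelativeTargetName", "").replace("/", "\\")
        filename = target.rsplit("\\", 1)[-1].lower()
        # Legitimate GPO processing reads gpt.ini and policy folders, never these two names.
        if share.endswith("\\sysvol") and filename in HONEYFILES:
            hits.append({"user": d.get("SubjectUserName"), "ip": d.get("IpAddress"),
                         "file": filename, "path": target, "access": d.get("AccessMask")})
    return hits


def _event(event_id: int, fields: dict) -> str:
    """Build a constructed event in the Windows XML schema (sample data, not a real log)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{data}</EventData></Event>")


# Constructed sample: one honeyfile read, one normal GPO read, one same-named file on
# an unrelated share, and one unrelated logon event that must be ignored.
SAMPLE_EVENTS = [
    _event(5145, {"SubjectUserName": "jdoe", "IpAddress": "10.0.0.5", "ShareName": r"\\*\SYSVOL",
                  "RelativeTargetName": r"contoso.local\Policies\datasources.xml",
                  "AccessMask": "0x120089"}),
    _event(5145, {"SubjectUserName": "WS01$", "IpAddress": "10.0.0.9", "ShareName": r"\\*\SYSVOL",
                  "RelativeTargetName": r"contoso.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini",
                  "AccessMask": "0x120089"}),
    _event(5145, {"SubjectUserName": "jdoe", "IpAddress": "10.0.0.5", "ShareName": r"\\*\Finance",
                  "RelativeTargetName": r"reports\registry.xml", "AccessMask": "0x120089"}),
    _event(4624, {"TargetUserName": "jdoe"}),
]

if __name__ == "__main__":
    for hit in honeyfile_hits(SAMPLE_EVENTS):
        print(f"ALERT honeyfile {hit['file']} read by {hit['user']} from {hit['ip']} ({hit['path']})")
```

In production the XML comes from `Get-WinEvent ... | ForEach-Object { $_.ToXml() }` or from the SIEM’s forwarded copy; 5145 is noisy on domain controllers, so filter on the honeyfile names at ingest rather than retaining every share access.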
Hunt-Weird-ImageLoads: Tool to play with IOCs caused by Imageload events
Sebastian Feldmann is back once again with tooling which allows us to verify we can detect the tradecraft widely in use.
This project was created to play with different IOCs caused by Imageload events.
It leverages ETW to monitor for ImageLoad events and walks the callstack to identify some possible IOCs, such as:
Hunting Malicious Infrastructure using JARM and HTTP Response
Michael Koczwara provides a practical lesson on this widely used discovery tradecraft against QBot C2 and Brute Ratel C4.
Permhash — No Curls Necessary
Jared Wilson provides some novel tooling to allow the discovery of malicious Chrome extensions.
Permhash is an extensible framework to hash the declared permissions applied to Chromium-based browser extensions and APKs allowing for clustering, hunting, and pivoting similar to import hashing and rich header hashing.
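To make the idea concrete, the following is an added example, not the Permhash project’s own code, that hashes the declared permissions of a Chromium extension manifest and of a decoded AndroidManifest.xml and then clusters samples by that hash. The canonicalisation (permissions concatenated in declared order, SHA-256) is my assumption about the approach, not a claim about Permhash’s exact output, and all manifests are constructed.

```python
import hashlib
import json
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Optional

ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"


def permhash(permissions) -> Optional[str]:
    """SHA-256 over the declared permission strings in declaration order.
    Assumption for this example: concatenation with no separator; the real tool's
    canonicalisation may differ, so treat this as the technique rather than its output."""
    perms = [p for p in permissions if isinstance(p, str) and p]
    if not perms:
        return None                       # nothing declared: no hash, so no false clustering
    return hashlib.sha256("".join(perms).encode("utf-8")).hexdigest()


def permhash_chromium(manifest_json: str) -> Optional[str]:
    """Chromium extension: the "permissions" array of manifest.json."""
    return permhash(json.loads(manifest_json).get("permissions", []))


def permhash_android(manifest_xml: str) -> Optional[str]:
    """APK: <uses-permission android:name=...> entries from a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return permhash(e.get(ANDROID_NAME) for e in root.iter("uses-permission"))


def cluster(samples: dict) -> dict:
    """Group sample names by hash: the pivot used to hunt siblings of a known-bad extension."""
    groups = defaultdict(list)
    for name, h in samples.items():
        if h:
            groups[h].append(name)
    return dict(groups)


# Constructed manifests: two extensions with different names but identical permissions,
# one unrelated extension, and one APK.
EXT_A = json.dumps({"manifest_version": 3, "name": "Coupon Helper",
                    "permissions": ["tabs", "webRequest", "<all_urls>", "cookies"]})
EXT_B = json.dumps({"manifest_version": 3, "name": "Totally Different Name",
                    "permissions": ["tabs", "webRequest", "<all_urls>", "cookies"]})
EXT_C = json.dumps({"manifest_version": 3, "name": "Weather", "permissions": ["geolocation"]})
APK_A = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
</manifest>"""

SAMPLES = {
    "ext_a.json": permhash_chromium(EXT_A),
    "ext_b.json": permhash_chromium(EXT_B),
    "ext_c.json": permhash_chromium(EXT_C),
    "app_a.apk": permhash_android(APK_A),
}

if __name__ == "__main__":
    for h, names in cluster(SAMPLES).items():
        print(h[:16], names)
```

The value of the hash is in the pivot: a renamed, re-signed copy of a malicious extension keeps its permission set, so it lands in the same bucket even though its file hash and import hash change.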
How we proactively defend our environments.
YARA rule generator for LOLDrivers
Florian Roth does what he does best with this release to automatically generate Yara signatures for the LOLDrivers project as organizations look to do battle with the Bring Your Own Vulnerable Driver style attacks.
The generator processes the input samples and extract specific 'VersionInfo' values from the driver's PE headers. This includes e.g., the company name, file version, product version, description and other values. It then creates YARA rules that look for these specific values.
These YARA rules can then be used to:
detect known vulnerable drivers that have a different hash (additional coverage); we'd run a retrohunt on Virustotal to find more of these drivers
apply YARA rules in cases in which a hash calculation is not possible or feasible
use a less strict version of the rules (see the --strict flag) to detect the vulnerable drivers embedded in other files or loaded into memory
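The generator’s core step, turning VersionInfo values into a rule, is simple enough to show end to end. The following is an added example, not Florian Roth’s generator, that takes a dictionary of VersionInfo values (here a constructed, hypothetical driver, not a LOLDrivers entry) and emits a strict rule and a less strict variant. Two choices are mine: values shorter than four characters are dropped because they make weak atoms, and the strings carry the `wide` modifier because VersionInfo is stored as UTF-16.

```python
import re

# Constructed VersionInfo for a hypothetical driver (not a real LOLDrivers entry).
SAMPLE_VERSIONINFO = {
    "CompanyName": "Example Hardware Co., Ltd.",
    "FileDescription": "Example Kernel Service Driver",
    "FileVersion": "2.3.1.0",
    "InternalName": "ExampleDrv.sys",
    "OriginalFilename": "ExampleDrv.sys",
    "ProductName": "Example Driver Suite",
    "ProductVersion": "2.3",
    "LegalCopyright": "",
}


def yara_escape(value: str) -> str:
    """Escape backslashes and quotes so the value is a valid YARA text string."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def select_values(versioninfo: dict, min_len: int = 4) -> dict:
    """Drop empty or very short values (e.g. "2.3"): they are weak, noisy atoms."""
    return {k: v for k, v in versioninfo.items() if v and len(v) >= min_len}


def generate_rule(rule_name: str, versioninfo: dict, strict: bool = True, min_matches: int = 3) -> str:
    """Strict: MZ header at offset 0 and every VersionInfo string present.
    Less strict: any min_matches of them and no header check, so the rule also fires on a
    driver embedded inside another file or on a memory dump."""
    values = select_values(versioninfo)
    if not values:
        raise ValueError("no usable VersionInfo values")
    # VersionInfo strings are UTF-16LE in the resource and in memory, hence `wide`.
    strings = [f'        $s{i} = "{yara_escape(v)}" wide  // {field}'
               for i, (field, v) in enumerate(sorted(values.items()))]
    if strict:
        condition = "uint16(0) == 0x5a4d and all of them"
    else:
        condition = f"{min(min_matches, len(strings))} of them"
    safe_name = re.sub(r"[^A-Za-z0-9_]", "_", rule_name)
    return "\n".join([
        f"rule {safe_name}",
        "{",
        "    meta:",
        f'        description = "Matches VersionInfo of {rule_name}"',
        "    strings:",
        *strings,
        "    condition:",
        f"        {condition}",
        "}",
    ])


if __name__ == "__main__":
    print(generate_rule("ExampleDrv", SAMPLE_VERSIONINFO))
    print()
    print(generate_rule("ExampleDrv_loose", SAMPLE_VERSIONINFO, strict=False))
```

Extracting the values themselves from a real driver is a separate step (the `pefile` library’s `FileInfo` parsing does it); the point here is that a rule keyed on VersionInfo survives the byte-level changes that defeat hash-based blocklists, which is exactly why the strict/loose split matters.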
Our attack surface.
1+ Million (WordPress) Sites Affected by Critical Privilege Escalation Vulnerability in Essential Addons for Elementor Plugin
My goodness is likely the only appropriate response here. The enabling effect for all manner of threat actors and their endeavors cannot be overstated. The long tail clean up here is going to be immense.
The plugin Essential Addons for Elementor (versions >= 5.4.0 and <= 5.7.1, free version), which has over 1 million active installations, is known as the most popular Elementor addons plugins in WordPress.
This plugin suffers from an unauthenticated privilege escalation vulnerability and allows any unauthenticated user to escalate their privilege to that of any user on the WordPress site.
It is possible to reset the password of any user as long as we know their username thus being able to reset the password of the administrator and login on their account.
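The flaw class described, a password reset keyed only on a username, is worth seeing beside its fix. The following is an added, generic illustration in Python, not the plugin’s PHP code and not a description of its internals: the vulnerable handler trusts the username alone, while the hardened one requires a random, expiring, single-use reset key compared in constant time. The user store and the `hash-of-` placeholder are constructed; a real deployment would use a proper password hash.

```python
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class User:
    username: str
    password_hash: str
    reset_key: str = ""          # random token issued when a reset is requested
    reset_expires: float = 0.0   # epoch seconds after which the key is dead


def make_users() -> dict:
    """Constructed sample account store (placeholder hashes, not real password hashing)."""
    return {"admin": User("admin", "hash-of-old-password")}


def reset_password_vulnerable(users: dict, username: str, new_password: str) -> bool:
    """The flaw class from the advisory: anyone who knows a username can set its password,
    because the handler never checks that the caller holds a valid reset key."""
    user = users.get(username)
    if user is None:
        return False
    user.password_hash = f"hash-of-{new_password}"
    return True


def request_reset(users: dict, username: str, ttl: int = 3600) -> str:
    """Issue a single-use, expiring key; in production it goes only to the account's e-mail."""
    user = users[username]
    user.reset_key = secrets.token_urlsafe(32)
    user.reset_expires = time.time() + ttl
    return user.reset_key


def reset_password_fixed(users: dict, username: str, key: str, new_password: str, now=None) -> bool:
    """Require a key that exists, has not expired and matches; then invalidate it."""
    user = users.get(username)
    now = time.time() if now is None else now
    if user is None or not user.reset_key or now > user.reset_expires:
        return False
    if not hmac.compare_digest(user.reset_key, key):   # constant-time comparison
        return False
    user.reset_key, user.reset_expires = "", 0.0        # single use
    user.password_hash = f"hash-of-{new_password}"
    return True


if __name__ == "__main__":
    users = make_users()
    print("vulnerable, no key:", reset_password_vulnerable(users, "admin", "attacker-chosen"))
    print("fixed, no key:     ", reset_password_fixed(users, "admin", "", "x"))
    key = request_reset(users, "admin")
    print("fixed, right key:  ", reset_password_fixed(users, "admin", key, "new-secret"))
```

When reviewing reset handlers, the checks to look for are exactly the three the fixed version makes: a key must exist for that account, it must not have expired, and the comparison must be constant-time and followed by invalidation so a key cannot be replayed.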
Intel Issues New CPU Microcode Going Back To Gen8 For New, Undisclosed Security Updates
This happened the Friday before last; we will have to wait to learn what the vulnerability is.
Well, this is a bit strange... Intel just published Friday afternoon CPU microcode updates for all supported processor families back to Coffee Lake "Gen 8" for undisclosed security updates.
Earlier this week was Patch Tuesday and Intel issued a round of new security advisories for various -- mostly software -- security issues. Of this month's security advisories, there was nothing pertaining to CPU microcode explicitly nor any "Intel Processor" advisories this month.
But hitting this Friday afternoon now for the Intel Linux CPU microcode repository are a new set of firmware binaries... The mentioned change is "Security updates for [INTEL-SA-NA]." The ID format is for the Intel Security Advisory (SA) and presumably NA is for "Not Available." Given it's dropping a few days past Patch Tuesday, it would appear to be for some new and not publicly disclosed issue.
Ignore Previous Prompt: Attack Techniques For Language Models
A window into the future which isn’t entirely wonderful as we consider the wider security implications for Large Language Models etc.
By proposing PROMPTINJECT, a prosaic alignment framework for mask-based iterative adversarial prompt composition, we examine how GPT-3, the most widely deployed language model in production, can be easily misaligned by simple handcrafted inputs. In particular, we investigate two types of attacks -- goal hijacking and prompt leaking -- and demonstrate that even low-aptitude, but sufficiently ill-intentioned agents, can easily exploit GPT-3’s stochastic nature, creating long-tail risks.
Discovering a Gatekeeper bypass exploit with Mac Monitor
Brandon Dalton shows that even Apple with its many billions is still wrestling with logic vulnerabilities. A lovely bug..
The “quarantine flag” (com.apple.quarantine) is an extended attribute whose data is stored in resource forks. After digging in for a short while, we came across an interesting bit of code from the “virtual file system” implementation: darwin-xnu/bsd/vfs/vfs_xattr.c
This same concept shows up elsewhere in the code. Naturally, we wanted to know what would happen if we crafted a Mach-O binary named with the prefix of a resource fork file, ._. So we compiled a simple Mach-O with that prefix, compressed it into an archive, downloaded it with Safari (a File Quarantine-aware app), and immediately noticed the file was not quarantined, but in fact readily executable.
CS:GO: From Zero to 0-day
Felipe and Alain shine a light on the squidgy soft underbelly that is video game security.
We identified three independent remote code execution (RCE) vulnerabilities in the popular Counter-Strike: Global Offensive game. Each vulnerability can be triggered when the game client connects to our malicious Python CS:GO server.
Attack capability, techniques and trade-craft.
Cobalt Strike and YARA: Can I Have Your Signature?
William Burgess and team up the ante in the Cobalt Strike arms race.
OPSEC considerations when using Beacon with respect to in-memory YARA scanning and suggest a malleable C2 profile which should give robust evasion against these types of defensive techniques.
What is being exploited.
Malicious Actors Exploit CVE-2023-27350 in PaperCut MF and NG
We’ve covered the exploitation and this is the details of the how and who.
This joint advisory provides detection methods for exploitation of CVE-2023-27350 as well as indicators of compromise (IOCs) associated with Bl00dy Ransomware Gang activity.
Gabriel Landau exploits a lovely vulnerability which allows access to protected processes (light) on Windows. Shows again that the logic bugs are a pain for vendors to identify at scale.
Exploits a TOCTOU in Windows Code Integrity to achieve arbitrary code execution as WinTcb-Light then dump a specified process
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
NSA released a new version.
snapchange: Lightweight fuzzing of a memory snapshot using KVM
AWS bring some scale to fuzzing which will likely be the cause of some threat models being adjusted.
Snapchange provides the ability to load a raw memory dump and register state into a KVM virtual machine (VM) for execution. At a point in execution, this VM can be reset to its initial state by resetting the dirty pages found by KVM or pages manually dirtied by a fuzzer.
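The reset mechanism is the interesting part: rather than reloading the whole dump per iteration, only pages that changed are restored. The following is an added model of that idea in plain Python, not Snapchange’s code and with no KVM involved: a pristine snapshot, a live memory copy, a dirty-page set standing in for KVM’s dirty log, and a reset that restores only those pages. The input and output addresses and the stand-in “guest” routine are constructed.

```python
class SnapshotVM:
    """Toy model of snapshot fuzzing: keep the pristine dump, track dirty pages,
    restore only those pages between fuzz cases."""

    def __init__(self, memory: bytes, page_size: int = 4096):
        self.page_size = page_size
        self.snapshot = bytes(memory)           # the raw memory dump, loaded once
        self.memory = bytearray(memory)         # live guest memory
        self.dirty = set()                      # page numbers touched since the last reset
        self.pages_restored_total = 0

    def write(self, addr: int, data: bytes) -> None:
        """Every write marks the pages it spans dirty (KVM does this via its dirty-page log)."""
        if not data:
            return
        first = addr // self.page_size
        last = (addr + len(data) - 1) // self.page_size
        self.dirty.update(range(first, last + 1))
        self.memory[addr:addr + len(data)] = data

    def read(self, addr: int, size: int) -> bytes:
        return bytes(self.memory[addr:addr + size])

    def reset(self) -> int:
        """Restore only dirty pages from the snapshot; return how many were copied."""
        restored = 0
        for page in sorted(self.dirty):
            start = page * self.page_size
            self.memory[start:start + self.page_size] = self.snapshot[start:start + self.page_size]
            restored += 1
        self.dirty.clear()
        self.pages_restored_total += restored
        return restored

    def matches_snapshot(self) -> bool:
        return bytes(self.memory) == self.snapshot


INPUT_ADDR = 0x1000      # constructed: where the snapshotted program expects its input buffer
OUTPUT_ADDR = 0x8000     # constructed: where the stand-in guest writes its result


def guest_execute(vm: SnapshotVM, input_len: int) -> None:
    """Stand-in for running the VM to its stop point: read the input, write a 1-byte checksum."""
    data = vm.read(INPUT_ADDR, input_len)
    vm.write(OUTPUT_ADDR, bytes([sum(data) & 0xFF]))


def run_case(vm: SnapshotVM, fuzz_input: bytes) -> tuple:
    """One fuzz iteration: inject input, execute, collect the result, reset dirty pages only."""
    vm.write(INPUT_ADDR, fuzz_input)            # the fuzzer itself dirties the input pages
    guest_execute(vm, len(fuzz_input))
    result = vm.read(OUTPUT_ADDR, 1)
    restored = vm.reset()
    return result, restored


if __name__ == "__main__":
    vm = SnapshotVM(bytes(16 * 4096))           # constructed 64 KB "dump" of zeroed memory
    for case in (b"\x01" * 5000, b"\x02" * 10):
        result, restored = run_case(vm, case)
        print(f"input {len(case):5d} bytes -> result {result.hex()}, pages restored {restored}")
```

The cost model this makes visible is why snapshot fuzzers are fast: a 5000-byte input spans two pages and the result one more, so a reset copies three pages rather than the whole 64 KB image, and on a multi-gigabyte dump the ratio is far larger.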
Xyrem is a high school student and this is a world class capability.
HyperDeceit is the ultimate all-in-one library that emulates Hyper-V for Windows, giving you the ability to intercept and manipulate operating system tasks with ease.
VMProtect-Source: Source of VMProtect (NOT OFFICIALLY)
They had a partial source code leak, some key bits are missing.
Some other small (and not so small) bits and bobs which might be of interest.
Global Conference on Cyber Capacity Building (GC3B) - November 29th-30th in Ghana
Book Launch - Artificial Intelligence and International Conflict in Cyberspace - June 5 from 16:00-17:30 in Utrecht
LABScon 2023 CFP - June 15, 2023
This newsletter is produced by BinaryFirefly, it is via BinaryFirefly I support a hand picked set of organisations across investment, strategy and capability in the domain of cyber.
For sponsorship enquiries regarding Bluepurple or anything else contact firstname.lastname@example.org.