

Bluepurple Pulse: week ending November 20th
A love letter to 🇦🇺 and their response to cybercrime.. never pick a fight with an Aussie
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week various vulnerabilities continue to appear in edge appliances, be it Citrix, BIG-IP and others. Outside of that, the Infosec Mastodon server fell to a vulnerability - interesting times as the world in part rapidly pivots away from Twitter. In short, expect more..
In the high-level this week:
French National Strategic Review published - cyber features a lot - this line is the killer: “the application of a deterrent approach in cyberspace that would force any attacker to restrain himself against France is illusory”
Cyber Norms in the Context of Armed Conflict - Kurt Sanger (ex DoD) and Peter Pascucci (Fleet Judge Advocate for Cyber Command / U.S. 10th Fleet / U.S. Navy Space/ Joint Force Headquarters Cyber) drops the wisdom here.
Man Charged for Participation in LockBit Global Ransomware Campaign - it is like law enforcement is playing the long game.
US Government Accountability Office published two reports on the status of cyber in two government departments:
Cyprus MPs launch inquiry into spyware development on the island - interesting that the Government is taking interest in its onshore ecosystem.
Greek State and spyware vendor Intellexa: they are acquainted after all - Greek political fallout from buying ransomware continues
North Korean hacker attack on Israeli crypto firm said thwarted
Cybersecurity Threats Fast-Forward 2030: Fasten your Security-Belt Before the Ride! - ENISA using entirely non-hyperbolic language to describe their threat forecast
Rapid capabilities generation and prompt effects in offensive cyber operations - it’s like agile in offensive cyber has been discovered - “We explore understudied factors enabling potential rapid capabilities generation across multiple offensive program types, and consider outcomes from prompt effects delivered under several scenarios.”
Evaluating the International Support to Ukrainian Cyber Defense - a summary of the support given and questioning whether it is a model for the future
The rise of cyber surveillance and the Access-as-a-Service industry - no surprise, but Atlantic Council shine a light.
2022 Annual Report to Congress from the US-China economic and security review commission - readers will want to look at Chapter 3, Section 2 - China’s Cyber Capabilities: Warfare, Espionage, and Implications for the United States
The reflections this week are why I married an Australian. Simply put, this response to cybercrime. Funny that Russia didn’t predict this might happen if they picked a fight with an Aussie.
Have a lovely Friday
Ollie
Cyber threat intelligence
Who is doing what to whom and how.
Information on cyberattacks of the group UAC-0118 (FRwL) using the Somnia malware
Reporting from Ukraine on malware used in country. The use of Telegram is semi-interesting. Other than that the tradecraft is basic..
As it turned out, the victim's Telegram was used to transfer VPN connection configuration files (including certificates and authentication data) to users. Given the lack of two-factor authentication when establishing a VPN connection, attackers were able to gain an unauthorized connection to the corporate network.
Having gained remote access to the organization's computer network using a VPN, the attackers conducted reconnaissance (in particular, used Netscan), launched the Cobalt Strike Beacon program, and also exfiltrated data, as evidenced by the use of the Rclone program. Additionally, there are signs of Anydesk and Ngrok launching.
https://cert.gov.ua/article/2724253
Analysis of XDSpy APT Group's Recent Attacks Against the Russian Ministry of Defense
Reporting from China on a threat targeting Russia. The threat actor shows a good degree of operational discipline. The threat actor behind it was only outed in 2020, remains unattributed in open source, but has been operational since 2011. Theories on a postcard, but it has a whiff of a nation sufficiently mature to do recon and to build guard rails.
This attack only targets users with specific usernames, and non-target users will not trigger malicious code execution;
The Windows API functions, DLL libraries, strings, etc. used to perform malicious behaviors in the sample are all encrypted, and the sample includes relatively complete anti-sandbox, anti-virtual machine, and anti-antivirus detection;
Subsequent payloads are modular malware whose main function is to execute other malicious components returned by C2.
Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester
US Government warning on Iran. Not a lot of new reporting, more a summary of the various aspects of this operation.
From mid-June through mid-July 2022, CISA conducted an incident response engagement at a Federal Civilian Executive Branch (FCEB) organization where CISA observed suspected advanced persistent threat (APT) activity. In the course of incident response activities, CISA determined that cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence. CISA and the Federal Bureau of Investigation (FBI) assess that the FCEB network was compromised by Iranian government-sponsored APT actors.
https://www.cisa.gov/uscert/ncas/alerts/aa22-320a
Operation(Đường chín đoạn) typhoon
Three zero days and various n days used in this operation. A Linux implant too!
In the end, the attacker implanted a linux Trojan horse based on the arm architecture, which is convenient for long-term control, and then forwarding will be set according to the business direction. Recently, we observed that OceanLotus changed the forwarding software from tinyPortMapper to Gost.
DEV-0569 finds new ways to deliver Royal ransomware, various payloads
Chinese state activity reported on here. Note the use of malvertising..
Recent activity from the threat actor that [we] track as DEV-0569, known to distribute various payloads, has led to the deployment of the Royal ransomware, which first emerged in September 2022 and is being distributed by multiple threat actors. Observed DEV-0569 attacks show a pattern of continuous innovation, with regular incorporation of new discovery techniques, defense evasion, and various post-compromise payloads, alongside increasing ransomware facilitation.
DEV-0569 notably relies on malvertising, phishing links that point to a malware downloader posing as software installers or updates embedded in spam emails, fake forum pages, and blog comments. In the past few months, [our] researchers observed the following tweaks in the group’s delivery methods:
Use of contact forms on targeted organizations’ websites to deliver phishing links
Hosting fake installer files on legitimate-looking software download sites and legitimate repositories to make malicious downloads look authentic to targets, and
Expansion of their malvertising technique by using Google Ads in one of their campaigns, effectively blending in with normal ad traffic
Fangxiao: a Chinese threat actor
Reporting on a Chinese actor with a convoluted initial access journey. The one-in-(n) deployment strategy must work for them, which is interesting.
Users arrive at a Fangxiao-controlled site through a link sent in a WhatsApp message, which in turn sends them to a landing domain impersonating a well-known, trusted brand: over 400 organisations are currently being imitated, with that number continuing to rise. Companies affected include Emirates, Singapore’s Shopee, Unilever, Indonesia’s Indomie, Coca-Cola, McDonald’s and Knorr.
Victims are then redirected to a main survey domain. When they click the link, they are sent through a series of advertising sites to one of a set of constantly changing destinations. A click on the “Complete registration” button with an Android user-agent will sometimes result in a download of the Triada malware. As victims are invested in the scam, keen to get their “reward”, and the site tells them to download the app, this has likely resulted in a significant number of infections.
https://www.cyjax.com/2022/11/14/fangxiao-a-chinese-threat-actor/
PRC's use of Uyghur Mobile Surveillance
Fascinating look at a mobile campaign by the Chinese state against this minority which has been going on for 10 years! Also look at that scale.. one in three apps distributed in the Uyghur-language forums were malicious! It’s almost like China has a vendetta.
https://github.com/chmodxx/CYBERWARCON/blob/master/Uyghur_Mobile_Surveillance_Slides.pdf
Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries
China going after a range of victims. This isn’t the first certificate authority compromised, nor the first in Asia. It’s often overlooked that 2 days before SolarWinds happened, a Vietnamese government CA was compromised. As actors understand the value of these roots of trust, we can expect more.
State-sponsored actors compromised a digital certificate authority in an Asian country during a campaign in which multiple government agencies were also targeted.
[We were able] to link this activity to a group we track as Billbug due to the use in this campaign of tools previously attributed to this group. Billbug (aka Lotus Blossom, Thrip) is a long-established advanced persistent threat (APT) group that is believed to have been active since at least 2009.
A Muddy, Advanced Persistent Teacher
An element of the Iranian industrial supply base outed.
Ravin Academy is an Iranian company incorporated in 2019, that purports to provide cyber security education and training in both defensive and offensive fields. It also conducts vulnerability research, as well as specialized research into “advanced persistent (APT) teams.” [Our] analysts identified the following incorporation records of Avayeh Hooshmand Ravin. We assess that this is the name that Ravin Academy was incorporated under.
Ocean Lotus APT sample (MacOS) analysis report
The takeaway is that Vietnam had macOS capability in 2018, although the initial access vector was a malicious document with macros.
After the sample is started, the content of the document is as follows to induce users to enable macros.
The malicious document first judges the system version. If the system is 32-bit, it will try to load the exported function system in "libc.dylib" to execute system commands. If it is a 64-bit system, set the text of the document to white and hide the text, pretending to be a blank document to confuse the victim.
Adobe Commerce merchants to be hit with TrojanOrders this season
A tale of seven competing groups, escalating attacks, massive under-patching and exploit kits for sale. Pervasive technology which isn’t a household name but is known by threat actors is likely underappreciated.
November is on track to see more Magento 2 template attack probes than the previous ten months combined. There is a big uptick in attacks using the mail template vulnerability in Magento 2 from February 2022 (CVE-2022-24086). [We] estimate that at least a third of all Magento and Adobe Commerce stores have not been patched so far.
https://sansec.io/research/trojanorder-magento
PNG Steganography Hides Backdoor
A threat actor applying their MSc in information security to their implant development. The edges of the attack aren’t overly novel and provide detection opportunities beyond the use of steganography itself.
The steganographic embedding relies on one of the more common steganographic techniques called least-significant bit (LSB) encoding. In general, this method embeds the data in the least-significant bits of every pixel. In this specific implementation, one pixel encodes a nibble (one bit per each alpha, red, green, and blue channel), i.e. two pixels contain a byte of hidden information. While this method is very easy to detect by a simple statistical analysis, such change in pixel value is hardly perceivable by the naked eye.
https://decoded.avast.io/martinchlumecky/png-steganography/
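An added illustration of the scheme the Avast post describes (one payload bit in the LSB of each of the A, R, G and B channels, so a nibble per pixel and a byte per two pixels), with the “simple statistical analysis” the post alludes to: a pairs-of-values chi-square check. This is not Avast's code nor the malware's; pixels are plain (A, R, G, B) tuples and the cover image and payload are constructed, so it runs without an image library.

```python
"""LSB extractor and pairs-of-values detector for the nibble-per-pixel scheme.

Added illustration, not Avast's code and not the malware's. Assumes one
payload bit in the LSB of each of A, R, G and B, so two pixels carry a
byte; pixels are (A, R, G, B) tuples and the cover below is synthetic.
"""
import random

CHANNELS = 4  # A, R, G, B: one payload bit per channel, per pixel


def embed_lsb(pixels, payload):
    """Copy of pixels carrying payload in the channel LSBs (MSB of each byte first).

    Present only so the detector below has realistic input to run on.
    """
    bits = [(b >> s) & 1 for b in payload for s in range(7, -1, -1)]
    if len(bits) > len(pixels) * CHANNELS:
        raise ValueError("payload exceeds cover capacity")
    out = list(pixels)
    for i in range(0, len(bits), CHANNELS):
        px = list(out[i // CHANNELS])
        for ch, bit in enumerate(bits[i:i + CHANNELS]):
            px[ch] = (px[ch] & 0xFE) | bit
        out[i // CHANNELS] = tuple(px)
    return out


def extract_lsb(pixels, n_bytes):
    """Recover n_bytes from the LSB plane, one nibble per pixel, A,R,G,B order."""
    needed = n_bytes * 2  # two pixels per byte
    if needed > len(pixels):
        raise ValueError("image too small for the requested length")
    bits = [ch & 1 for px in pixels[:needed] for ch in px]
    out = bytearray()
    for i in range(0, len(bits), 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def pairs_of_values_score(pixels):
    """Mean Pearson chi-square over the value pairs (2k, 2k+1) of every channel.

    LSB embedding only moves a value within its pair, and random-looking
    payload bits push the two counts of each pair toward equality, so the
    per-pair statistic collapses to its 1 d.f. expectation of about 1.
    Unmodified images keep the natural imbalance and score much higher.
    """
    total, pairs = 0.0, 0
    for ch in range(CHANNELS):
        hist = [0] * 256
        for px in pixels:
            hist[px[ch]] += 1
        for k in range(0, 256, 2):
            expected = (hist[k] + hist[k + 1]) / 2
            if expected == 0:
                continue  # pair absent from the image: no evidence either way
            total += (hist[k] - expected) ** 2 / expected
            total += (hist[k + 1] - expected) ** 2 / expected
            pairs += 1
    return total / pairs if pairs else 0.0


STEGO_THRESHOLD = 3.0  # demo cut-off, not a calibrated value


def looks_like_lsb_stego(pixels):
    return pairs_of_values_score(pixels) < STEGO_THRESHOLD


def build_cover(width=64, height=64):
    # Constructed cover: smooth gradients using even channel values only.
    return [(254, (x * 2) % 256, (y * 2) % 256, ((x + y) * 2) % 256)
            for y in range(height) for x in range(width)]


COVER = build_cover()
# Constructed payload: 2048 pseudo-random bytes fill all 4096 pixels exactly.
_rng = random.Random(20221120)
SAMPLE_PAYLOAD = bytes(_rng.getrandbits(8) for _ in range(2048))
STEGO = embed_lsb(COVER, SAMPLE_PAYLOAD)

if __name__ == "__main__":
    print("cover score:", round(pairs_of_values_score(COVER), 2))
    print("stego score:", round(pairs_of_values_score(STEGO), 2))
    print("recovered:", extract_lsb(STEGO, len(SAMPLE_PAYLOAD)) == SAMPLE_PAYLOAD)
```

A real PNG can be fed in by loading it with an image library such as Pillow and reordering each pixel to (A, R, G, B) before calling these functions.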
How LNK Files Are Abused by Threat Actors
Nicole Fishbein provides a soup-to-nuts analysis of LNK files. A lot of this knowledge is out there, but it is a comprehensive pull-together resource.
We will cover the file format to understand better how threat actors use LNK files in the different stages of attacks. By getting familiar with the LNK (Shell Link) file format and its capabilities, we will present open-source tools and methods to inspect and detect malicious LNK files in incident response and threat-hunting processes.
Emotet used this technique in a phishing email they sent to the victims, including a password-protected zip file that contained an LNK file disguised as a Word document that executes a VBS script which downloads malware.
Bumblebee, a new and advanced loader, uses an LNK file as part of the attack flow. So far, it has two versions, one delivered ISO file and the latter a VHD. In both cases, an LNK file is included.
https://www.intezer.com/blog/malware-analysis/how-threat-actors-abuse-lnk-files/
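An added example of the kind of inspection the Intezer post covers: a small parser for the Shell Link header and StringData fields, plus a few triage heuristics for the Emotet-style disguised shortcut (document icon, interpreter target, minimised window). It is not Intezer's code or tooling; the sample LNK bytes are constructed here and the heuristic list is illustrative, not a complete ruleset.

```python
"""Shell Link (LNK) header and StringData parser with a few triage heuristics.

Added example, not Intezer's code. Offsets follow the public MS-SHLLINK
layout: 76-byte header, optional LinkTargetIDList and LinkInfo, then the
StringData fields. Samples are constructed, not from any real campaign.
"""
import struct

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # window opens minimised; legitimate shortcuts rarely use it
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELPATH),
                 ("working_dir", HAS_WORKDIR), ("arguments", HAS_ARGS),
                 ("icon_location", HAS_ICON))
INTERPRETERS = ("cmd.exe", "powershell", "pwsh", "wscript", "cscript", "mshta", "rundll32")
DOC_ICONS = ("winword", "excel", "acrord", ".docx", ".pdf")  # illustrative list


def parse_lnk(data):
    """Return header fields, StringData and the offset where ExtraData starts."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data)[0] != HEADER_SIZE
            or data[4:20] != LINK_CLSID):
        raise ValueError("not a Shell Link file")
    flags, attributes = struct.unpack_from("<II", data, 20)
    file_size, icon_index, show_cmd = struct.unpack_from("<IiI", data, 52)
    pos = HEADER_SIZE
    if flags & HAS_IDLIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]  # IDListSize + IDList
    if flags & HAS_LINKINFO:
        pos += struct.unpack_from("<I", data, pos)[0]  # LinkInfoSize includes itself
    strings = {}
    for field, flag in STRING_FIELDS:  # fixed order per the specification
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            strings[field] = data[pos:pos + count * 2].decode("utf-16-le")
            pos += count * 2
        else:
            strings[field] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return {"flags": flags, "attributes": attributes, "file_size": file_size,
            "icon_index": icon_index, "show_command": show_cmd,
            "strings": strings, "extra_data_offset": pos}


def triage(parsed):
    """Heuristics: interpreter target, hidden window, document-icon disguise."""
    s = parsed["strings"]
    target = (s.get("relative_path", "") + " " + s.get("arguments", "")).lower()
    runs_interpreter = any(name in target for name in INTERPRETERS)
    findings = []
    if runs_interpreter:
        findings.append("launches a script or command interpreter")
    if parsed["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window starts minimised (SW_SHOWMINNOACTIVE)")
    if len(s.get("arguments", "")) > 200:
        findings.append("unusually long command-line arguments")
    icon = s.get("icon_location", "").lower()
    if runs_interpreter and any(d in icon for d in DOC_ICONS):
        findings.append("document icon on a shortcut that runs an interpreter")
    return findings


def build_sample_lnk(relative_path, arguments, icon_location, show_cmd):
    """Constructed LNK: no IDList or LinkInfo, Unicode strings, terminal block only."""
    flags = HAS_RELPATH | HAS_ARGS | HAS_ICON | IS_UNICODE
    header = struct.pack("<I16sII", HEADER_SIZE, LINK_CLSID, flags, 0x20)
    header += b"\0" * 24  # CreationTime, AccessTime, WriteTime left zero
    header += struct.pack("<IiIHHII", 0, 0, show_cmd, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(t)) + t.encode("utf-16-le")
                    for t in (relative_path, arguments, icon_location))
    return header + body + struct.pack("<I", 0)  # ExtraData TerminalBlock


# Constructed samples: a shortcut dressed as a document that runs cmd.exe, and a plain one.
SAMPLE_DISGUISED = build_sample_lnk(r"..\..\Windows\System32\cmd.exe",
                                    "/c echo constructed-sample",
                                    r"C:\Program Files\Microsoft Office\WINWORD.EXE",
                                    SW_SHOWMINNOACTIVE)
SAMPLE_BENIGN = build_sample_lnk(r"..\Documents\report.docx", "", "", 1)
```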
Prigozhin interests and Russian information operations
Tina Tong and Toni Gidwani provide insight into Russian Information Operations. It is almost like IO folk have learnt from content-led marketers.
In this post, [we] highlight four case studies involving Russian IO tied to the Internet Research Agency (IRA) and its financier, Russian oligarch Yevgeny Prigozhin. In several cases, those campaigns served the dual purpose of promoting Russia’s agenda and Prigozhin’s business interests.
https://blog.google/threat-analysis-group/prigozhin-interests-and-russian-information-operations/
SocGholish
Two bits of reporting on this threat this week.
Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders
Aleksandar Milenkoski is first off the blocks outlining how the infrastructure operations side of the house has been scaling out. Just to make the game of whack-a-mole a little harder.
Since mid-2022, SocGholish operators have been significantly diversifying and expanding their infrastructure for staging malware with new servers. This helps the operators to counter defensive operations against known servers and scale up their operation.
SocGholish operators have been introducing on average 18 new malware-staging servers per month, with varying server uptimes. This marks an increase of 334% relative to the same average calculated over the first half of 2022.
The majority of the new servers have been located in Europe, with the Netherlands, the United Kingdom, and France at the top of the list.
Malware Variant Uses Zip Compression & Evasive Techniques
Ben Martin provides insight as to the scale of compromises as well as giving amazing insight from the server-side components.
Since the beginning of 2022, [we have] detected different variations of SocGholish malware over 54,000 times. An overwhelming majority of detected sites were found to be using WordPress at the time of infection. And while the number of SiteCheck detections is significant, it’s important to keep in mind that for every infected website there could be hundreds or possibly thousands of victims not yet accounted for.
Overall, the malware affects the following files and database tables:
wp-content/themes/<theme-name>/functions.php – This theme file loads a malicious zipped template.
wp-content/themes/<theme-name>/<theme-name>-template – This malicious zipped template contains a backdoor. It also injects the SocGholish script stored in WordPress database into web pages.
wp-content/plugins/<theme-name>template-plugin – This fake plugin loads a malicious zipped template.
wp_options.<theme-name>-template-plugin – This database record found in the wp_options table stores the encoded SocGholish script.
A Comprehensive Look at Emotet’s Fall 2022 Return
Pim Trouerbach and Axel F (no, not the song - but maybe?) confirm what a number of other parties have been reporting. Emotet is back… in sanctioned Russia in winter there must be less to do than normal.
Emotet returned to the email threat landscape in early November for the first time since July 2022. It is once again one of the most high-volume actors observed by Proofpoint, distributing hundreds of thousands of emails per day.
Proofpoint observed multiple changes to Emotet and its payloads including the lures used, and changes to the Emotet modules, loader, and packer.
Emotet was observed dropping IcedID.
The new activity suggests Emotet is returning to its full functionality acting as a delivery network for major malware families.
New operators or management might be involved as the botnet has some key differences with previous deployments.
https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-fall-2022-return
Dtrack expands its operations to Europe and Latin America
Jornt van der Wiel provides some reporting on North Korea. In doing so they evidence their ability to hit a broad range of targets in sectors we would prefer they didn’t.
DTrack is a backdoor used by the Lazarus group. Initially discovered in 2019, the backdoor remains in use three years later. It is used by the Lazarus group against a wide variety of targets. For example, we’ve seen it being used in financial environments where ATMs were breached, in attacks on a nuclear power plant and also in targeted ransomware attacks. Essentially, anywhere the Lazarus group believes they can achieve some financial gain.
According to KSN telemetry, we have detected DTrack activity in Germany, Brazil, India, Italy, Mexico, Switzerland, Saudi Arabia, Turkey and the United States, indicating that DTrack is spreading into more parts of the world. The targeted sectors are education, chemical manufacturing, governmental research centers and policy institutes, IT service providers, utility providers and telecommunications.
https://securelist.com/dtrack-targeting-europe-latin-america/107798/
Cracking 2.3M Attackers-Supplied Credentials: What Can We Learn from RDP Attacks?
Andréanne Bergeron provides some data on what threat actors are up to with regard to RDP and password spraying. Whilst where the attacks are coming from in terms of IP geography is of less interest, the usernames and passwords most commonly used are. There is some mileage in renaming the administrator account after all.
Massive Black Hat Redirect Malware Campaign
Ben Martin is back for the second time this week with a fascinating insight into search engine optimisation manipulation. The sophistication and scale are the thing of note here. It is almost like there is a ‘battle of the algorithms’ going on.
Since September 2022, our research team has tracked a surge in WordPress malware redirecting website visitors to fake Q&A sites via ois[.]is. These malicious redirects appear to be designed to increase the authority of the attacker’s sites for search engines.
https://blog.sucuri.net/2022/11/massive-ois-is-black-hat-redirect-malware-campaign.html
Rise of Banking Trojan Dropper in Google Play
Himanshu Sharma and Viral Gandhi detail how VeneerWare (I just made that up) is used to fly under the radar of the app stores to deploy banking trojans among other things. Scale is at the smaller end but again shows a concerted effort on behalf of the threat actors.
[We] recently discovered the Xenomorph banking trojan embedded in a Lifestyle app in the Google Play store. The app is “Todo: Day manager,” and has over 1,000 downloads. This is the latest in a disturbing string of hidden malware in the Google Play store: in the last 3 months, ThreatLabz has reported over 50+ apps resulting in 500k+ downloads, embedding such malware families as Joker, Harly, Coper, and Adfraud.
https://www.zscaler.com/blogs/security-research/rise-banking-trojan-dropper-google-play-0
Discovery
How we find and understand the latent compromises within our environments.
Detecting Active Directory Data Collection
Gijs Hollestelle provides various detection techniques for those looking to detect threat actors mooching around AD.
Detection method 1 — Client-side LDAP query logging
Detection method 2 — Domain controller LDAP query logging via Microsoft Defender for Identity
Detection method 3 — Domain controller object access logging via SACLs and audit policies
Threat and Vulnerability Hunting with Application Server Error Logs
Moti Harmats provides a simple yet effective suggestion for SecOps teams to up their proactive game. As we move to more data-driven approaches this type of signal extraction is hyper valuable. It should also help detect precursor activity.. Yara rules for errors which indicate vulnerability, anyone?
By monitoring specific runtime exceptions (e.g. “SQL syntax error”) we are able to easily identify applications exposing exploitable vulnerabilities already running in production. This monitoring process generates effective alerts with a very minimal false positive rate.
https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
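An added example of the hunting approach the Wix post describes, run over constructed application-server log lines: classify runtime exceptions that only tend to surface when attacker-controlled input reaches a sink (SQL syntax errors, traversal-shaped file errors, DOCTYPE rejections), then alert per endpoint and exception class. This is not Wix's code or ruleset; the log line format and the exception patterns are assumptions for the demo.

```python
"""Hunting for probe-induced runtime exceptions in application server logs.

Added example, not Wix's code or its actual ruleset. Assumes a constructed
line format: "<timestamp> <level> <client-ip> <METHOD> <path> - <message>".
The exception patterns are illustrative; real ones come from the frameworks in use.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<level>\w+) (?P<ip>\S+) (?P<method>[A-Z]+) "
                    r"(?P<path>\S+) - (?P<msg>.*)$")

# Exception text that rarely appears in normal traffic but does when input reaches a sink.
SIGNATURES = {
    "sql_injection": re.compile(
        r"SQL syntax error|SQLSyntaxErrorException|unterminated quoted string", re.I),
    "path_traversal": re.compile(
        r"(FileNotFound|NoSuchFileException).*\.\.[/\\]", re.I),
    "xxe_or_xml": re.compile(r"DOCTYPE is disallowed|SAXParseException", re.I),
    "template_injection": re.compile(r"TemplateSyntaxError|FreeMarker template error", re.I),
}


def classify(line):
    """Return (endpoint, ip, category) for an exception line of interest, else None."""
    m = LOG_RE.match(line)
    if not m or m.group("level") not in ("ERROR", "WARN"):
        return None
    endpoint = m.group("path").split("?", 1)[0]  # group by route, not by probe payload
    for category, pattern in SIGNATURES.items():
        if pattern.search(m.group("msg")):
            return endpoint, m.group("ip"), category
    return None


def hunt(lines, min_hits=2):
    """Alert when the same exception class repeats on the same endpoint.

    One exception may be a bug; a repeat is worth a look. Sources are listed
    so the analyst can tell a single misbehaving client from wider probing.
    """
    hits = defaultdict(list)
    for line in lines:
        found = classify(line)
        if found:
            endpoint, ip, category = found
            hits[(endpoint, category)].append(ip)
    alerts = []
    for (endpoint, category), ips in sorted(hits.items()):
        if len(ips) >= min_hits:
            alerts.append({"endpoint": endpoint, "category": category,
                           "hits": len(ips), "sources": sorted(set(ips))})
    return alerts


# Constructed sample log lines, not from any real system.
SAMPLE_LOG = """\
2022-11-18T10:01:02Z INFO 203.0.113.5 GET /api/products - 200 OK
2022-11-18T10:01:09Z ERROR 203.0.113.5 GET /api/products?id=1' - SQLSyntaxErrorException: error in your SQL syntax
2022-11-18T10:01:11Z ERROR 203.0.113.5 GET /api/products?id=1%22 - SQL syntax error near "
2022-11-18T10:02:40Z ERROR 198.51.100.7 GET /api/products?id=x' - SQLSyntaxErrorException: unterminated quoted string
2022-11-18T10:03:15Z ERROR 198.51.100.7 GET /download?file=../../etc/passwd - NoSuchFileException: ../../etc/passwd
2022-11-18T10:05:00Z ERROR 192.0.2.9 POST /checkout - NullPointerException at CartService.total
2022-11-18T10:06:30Z WARN 192.0.2.9 POST /import - SAXParseException: DOCTYPE is disallowed
"""

if __name__ == "__main__":
    for alert in hunt(SAMPLE_LOG.splitlines()):
        print(alert)
```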
Defence
How we proactively defend our environments.
Token tactics: How to prevent, detect, and respond to [Azure] cloud token theft
Threat actors evolving their tradecraft to side-step MFA. Here are practical steps on how to detect and mitigate the threat. For regular readers this should come as no surprise, as we have seen various tooling released which extracts said tokens from memory on endpoints.
As organizations increase their coverage of multifactor authentication (MFA), threat actors have begun to move to more sophisticated techniques to allow them to compromise corporate resources without needing to satisfy MFA. Recently, [we have] seen an increase in attackers utilizing token theft for this purpose. By compromising and replaying a token issued to an identity that has already completed multifactor authentication, the threat actor satisfies the validation of MFA and access is granted to organizational resources accordingly. This poses to be a concerning tactic for defenders because the expertise needed to compromise a token is very low, is hard to detect, and few organizations have token theft mitigations in their incident response plan.
About multiple administrative approvals in Intune - Microsoft Intune
Love that double-lock is a thing, stopping one compromised administrative account from bringing the whole house down around our ears. This should make threat actors work just a little harder and thus provide greater detection opportunities.
To help protect against a compromised administrative account, use Intune access policies to require that a second administrative account is used to approve a change before the change is applied. This capability is known as multiple administrative approval (MAA).
https://learn.microsoft.com/en-us/mem/intune/fundamentals/multi-admin-approval
Defender for Endpoint - Implementing ASR Rules
Nathan McNulty provides a practical guide for Attack Surface Reduction rule deployment within Microsoft environments. Also covers some known bypasses.
https://blog.nathanmcnulty.com/defender-for-endpoint-implementing-asr-rules/
Vulnerability
Our attack surface.
Beyond GPU unified memory: fully unified address spaces
Longhorn outlines a technology evolution in CPU/GPU memory addressing/access which will inevitably create a greater attack surface and I suspect one day be exploited for badness from the GPU.
https://threedots.ovh/blog/2022/11/beyond-gpu-unified-memory-fully-unified-address-spaces/
Offense
Attack capability, techniques and tradecraft.
Bypassing AV/EDR Hooks via Vectored Syscall - Proof of Concept
John Shercha outlines an evasion technique that EDR vendors on Windows will want to adapt to. I suspect there is something to be done around shadow stack here and similar on modern CPUs that will facilitate detection.
It’s common to unhook any AV/EDRs hook in order to bypass them. However to unhook the AV/EDRs hook we need to call a famous Win32 API VirtualProtect which eventually ended up calling NtVirtualProtectMemory inside ntdll.dll and that might also be hooked by most of the AV/EDRs. Then there comes a technique called Direct Syscall to rescue us from this situation in which the syscall doesn’t go through the ntdll module so the hooks placed in the ntdll module are untouched during the syscall. However, syscalls not originating from ntdll or other known modules are considered suspicious. Direct syscalls can be detected using a technique called hooking nirvana in which instrumentation callback is used.
Due to the fact that RIP instruction is checked to detect manual syscall, it can be bypassed by jumping indirectly to the ntdll address space where the syscall instruction is located. However, we’re not going to do that, instead we’ll leverage the VEH (Vectored Exception Handler) to modify the context, especially RIP register to take us to the syscall address.
https://www.cyberwarfare.live/blog/vectored-syscall-poc
Dumping LSASS Process Memory In Different Ways
Chinese reporting on the possible ways to dump LSASS memory.
https://tttang-com.translate.goog/archive/1810/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp
From SPI (Service Provider Interface) mechanism to JDBC backdoor implementation
Chinese reporting on how to misuse this Java feature to build an effective backdoor. Incident responders should likely take note and add to their playbooks.
https://tttang-com.translate.goog/archive/1819/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp
Exploitation
What is being exploited.
ProxyNotShell-PoC: Working PoC for CVE-2022-41040 and CVE-2022-41082 (A.K.A ProxyNotShell)
aka the Exchange in-the-wild 0day, which is post-authentication.
https://github.com/testanull/ProxyNotShell-PoC
A Very Powerful Clipboard: Analysis of a Samsung in-the-wild exploit chain
Maddie Stone provides a retrospective on an exploit chain found in the wild last year which is suspected of coming from the commercial sector. Yes, vendors other than NSO do exist in this space.
The three vulnerabilities discussed in this blog were all fixed in Samsung’s March 2021 release. They were fixed as CVE-2021-25337, CVE-2021-25369, CVE-2021-25370. To ensure your Samsung device is up-to-date under settings you can check that your device is running SMR Mar-2021 or later.
.. [we believe] belonged to a commercial surveillance vendor
Windows Kernel: Exploit CVE-2022-35803 in Common Log File System
Proof that vulnerability surging is a thing. That is, where a component is evidenced to be vulnerable and exploitable with some degree of celebration, it will cause other researchers to look and find more vulnerabilities.
Earlier this year, I analyzed some past vulnerabilities in clfs.sys, and saw a sample of an in-the-wild vulnerability (CVE-2022-24481) fixed this year. Through the research on the sample and the patch for this vulnerability, I found that the patch of Microsoft for it was incomplete, then I bypassed the patch by a type confusion issue. Through some tricks of exploit, I completed the EoP on Windows Kernel in May, and planned to use this vulnerability in the competition in the second half of this year. However, due to the cancellation of the competition and other reasons, this vulnerability has been shelved until it was disclosed in September 2022 Patch Tuesday (Duplicated).
CobaltStrike Xss2Rce CVE-2022-39197 Analysis and Reproduction
Chinese end to end walkthrough on exploiting the CobaltStrike vulnerability.
Exploiting Java's XML Signature Verification
We’ve been covering the vulnerabilities that Felix Wilhelm has been finding as they have been patched. This writeup comes with a stark warning we should all take heed of:
While the vulnerability discussed in this post has been patched, vendors and users should expect further vulnerabilities in SAML.
https://googleprojectzero.blogspot.com/2022/11/gregor-samsa-exploiting-java-xml.html
Tooling and Techniques
Low level tooling for attack and defence researchers.
Hyper V Plugin for Volatility
https://github.com/gerhart01/Hyper-V-Tools/tree/main/Plugin_for_volatility
Chinese conference material on eBPF
See the PPT/ sub-directory - use Google Translate to translate the page and then the materials.
https://gitee.com/linuxkerneltravel/ebpf-conference/tree/master
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
2022 Aspen Cyber Summit - a recording of the session which is worth a watch.
Securing the Software Supply Chain - US Government Guide
Framework Proposal to Regulate Lawful Hacking by Police within Criminal Investigations - PhD dissertation, lots of countries have such frameworks already.
Rapid capabilities generation and prompt effects in offensive cyber operations
That’s all folks.. until next week..
the comment about 0569...you mention China in the same summary as 0569 reporting from MSFT. Are you intimating that 0569 is using China-like tradecraft? Maybe I'm misunderstanding
This is an awesome resource. cheers