Bluepurple Pulse: week ending November 13th
Bluepurple Pulse: week ending November 13th
EU starting to tie itself in knots on back of spyware scandal ..
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week nothing of note other than what feels like an uptick in vulnerabilities which rock our very foundations.
In the high-level this week:
Joint statement of intent from the for Agile Nations Working Group on Cyber Security for Consumer Connected Products - UK, Canada and Singapore get alignment
Related Google also published their Principles for IoT Security Labelling
OFAC-OFSI Enhanced Partnership - financial sanctions are a powerful tool for a variety of cyber and not cyber related purposes. The UK and US confirm their partnership with further enhancements.
somewhat related this CIA paper which was declassified in 2011 titled Economic Sanctions: A Historical Analysis is worth a flick through
Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware released (or had released) its draft report.
then there was a Statement by the PEGA Chair on 8 November - The rapporteur presented a first draft of the report. It is not a final version and it can -at this point- not be understood as the conclusions or the position of the PEGA Committee as a whole.
Japan was officially admitted to participate in the NATO Cyber Defense Cooperation Center
U.S. Attorney Announces Historic $3.36 Billion Cryptocurrency Seizure And Conviction In Connection With Silk Road Dark Web Fraud - hack of Silk Road fund withdrawal system ends by writing a plot for a movie.
Caught on camera: confessions of the hackers for hire - India based hackers for hire helping companies across the globe.
Former U.S. military pilot arrested in Australia listed same Beijing address as Chinese hacker - Not entirely clear why other than maybe a Government accommodation building
On October 28, 2022, SolarWinds entered into a binding settlement term sheet with respect to the previously disclosed consolidated putative class action lawsuit - i.e. the post breach class action
Ukraine Cyber Project | National Security Archive - this project makes my respect for the The William and Flora Hewlett Foundation go from strength to strength - A subset of the National Security Archive's Cyber Vault, the Ukraine Project aims to identify, aggregate, and curate a wide array of resources that will help experts and students alike to understand and assess the cyber component of this conflict.
The reflections this week centre around the European spyware ‘events’. It is clear that the response from the EU could easily over rotate.
The Grugq has had some things to say
and Dave Aitel have dropped various bits of wisdom on the topic:
Anyway, it is clear that the ‘outrage’ felt at the political level is going to struggle to reconcile with the technical nuances of reality let alone cultural differences and capabilities in the EU. Be a lesson to everyone how this plays out..
Enjoying this? don’t get via e-mail? subscribe:
Think someone else would benefit? Share:
Have a lovely Thursday
Ollie
Cyber threat intelligence
Who is doing what to whom and how.
ORKL - Search Engine for Threat Intel Reports
An amazing project, especially as the body of knowledge grows. Tagged data such as this is so invaluable and one of the things I envy certain companies (competitors) for having internally.
This project has been created to serve the needs of the international Cyber Threat Intelligence community for a library of their collective past achievements in the realm of CTI reporting. Over time, the goal is to collect a complete corpus of all publicly released CTI reports to be used as a reference in scientific research and CTI reporting.
Ukraine - Cyber attack of the UAC-0010 group: sending e-mails, apparently, on behalf of State Special Communications
Ukrainian reporting on the Russian state actor known as Gamaredon Group, Winterflounder, Primitive Bear, BlueAlpha, Blue Otso, Iron Tilden,
Armageddon, SectorC08, Callisto, Shuckworm, Actinium etc. The tradecraft is so very basic it is like they aren’t really trying.
Since 07.11.2022, the Government Computer Emergency Response Team of Ukraine CERT-UA has been recording e-mail mailings, allegedly on behalf of the State Special Communications Service, with a malicious link. If the link is followed on a computer, an HTML file containing JavaScript code will be downloaded, which will create a RAR archive on the victim's computer, for example "08.11.2022.rar".
The mentioned archive contains a shortcut file "TDI tools that have an expert opinion on compliance with the requirements of technical information protection.lnk", opening which will lead to the download and launch of the HTA file, which, in turn, will cause the creation of a scheduled task and the subsequent launch of VBScript - the code.
https://cert.gov.ua/article/2681855
APT-36 Uses New TTPs and New Tools to Target Indian Governmental Organizations
Sudeep Singh details Pakistani state activity in India. The fact they are geo-locking their implants to just Indian keyboard layouts does show a degree of operational security awareness. It will be fascinated to see the insights that Google TAG can shed on this given the use of Google Ads also..
APT-36 group is a Pakistan-based advanced persistent threat group which has specifically targeted employees of Indian government related organizations.
APT-36 has evolved their tactics, techniques and procedures (TTPs) incorporating new distribution methods and new tools.
The threat actor registered multiple new domains hosting web pages masquerading as the official Kavach app download portal.
They abused the Google Ads paid search feature to push the malicious domains to the top of Google search results for users in India.
Beginning August 2022, the group started using a new data exfiltration tool which we have named Limepad. This tool was previously undocumented.
While most binaries used by APT-36 in this campaign will execute only if the user’s machine is configured with India time zone (IST), we also found 2 binaries using the same code base which included a time zone check for both - India and Sri Lanka. Since both India and Sri Lanka have the same time zone, we consider this check redundant.
Credential harvesting attacks were used to spoof the National Informatics Center’s Kavach login page with the goal of stealing credentials of government employees.
Several instances involved malicious binaries compiled using PyInstaller and sent packaged inside VHDX archives.
Hack the Real Box: APT41’s New Subgroup Earth Longzhi
Hara Hiroaki and Ted Lee discuss Chinese state activity. It is interesting that this state tool apparatus is going after their domestic banking sector. If I were a multinational bank security team with entities in China this would be an interesting revelation.
Since it first started being active in 2020, Earth Longzhi’s long-running campaign can be divided into two based on the range of time and toolset. During its first campaign deployed from 2020 to 2021, Earth Longzhi targeted the government, infrastructure, and health industries in Taiwan and the banking sector in China. In its second campaign from 2021 to 2022, the group targeted high-profile victims in the defense, aviation, insurance, and urban development industries in Taiwan, China, Thailand, Malaysia, Indonesia, Pakistan, and Ukraine.
Both campaigns used spear-phishing emails as the primary entry vector to deliver Earth Longhzhi’s malware. The attacker embeds the malware in a password-protected archive or shares a link to download a malware, luring the victim with information about a person. Upon opening the link, the victim is redirected to a Google Drive hosting a password-protected archive with a Cobalt Strike loader we call CroxLoader.
They See Me Roaming: Following APT29 by Taking a Deeper Look at Windows Credential Roaming
Thibault Van Geluwe de Berlaere provides insight into some nuanced Russian tradecraft here against Active Directory.
In early 2022, [we] detected and responded to an incident where APT29 successfully phished a European diplomatic entity and ultimately abused the Windows Credential Roaming feature. The diplomatic-centric targeting is consistent with Russian strategic priorities as well as historic APT29 targeting.
The queried LDAP attributes relate to usual credential information gathering (e.g. unixUserPassword); however, one attribute in particular stood out:
{b7ff5a38-0818-42b0-8110-d3d154c97f24}, ormsPKI-CredentialRoamingTokens, which is described by Microsoft as ‘storage of encrypted user credential token BLOBs for roaming’. Upon further inspection, [we] identified that this attribute is part of a lesser-known feature of Active Directory: Credential Roaming.The use of Credential Roaming in an organization allows attackers (and Red Teams) to abuse the saved credentials for the purposes of privilege escalation. The author identifies the following situations that could allow an attacker to abuse Credential Roaming:
An organization has not applied the September 2022 patch to each system where Credential Roaming is used.
An attacker gained Domain Administrator privileges in an organization where Credential Roaming is in use or was used in the past without proper clean-up.
An attacker has access to the cleartext password of a user where Credential Roaming is in use or was in use in the past.
An attacker has read access to the
msPKIDPAPIMasterKeysattribute on a victim account, but does not have the cleartext password of the victim user.
https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming
King Kong Elephant Group uses fake social chat software to launch phishing attack on Pakistani military personnel
Chinese reporting on an Indian threat actor using malicious Android communication apps to entice users to installing. Again, the use of Google cloud means that Google TAG should be able to get insight into the victimology and disrupt etc.
In July 2022, the [we] discovered an attack against the Pakistani military from April 2022 based on the Antiy Tema monitoring and early warning system, with a total of more than ten victims, including Pakistani special personnel Protection Units (spu), Pakistan Special Forces (ssg), Pakistan Army Cavalry Regiment, Pakistan Air Force, Pakistan Navy and Pakistan Tank Manufacturers (HIT); in addition, the victims also include Indian and Nepalese personnel, excluding Chinese users.
The current attack platform of King Kong Elephant Group is mainly the Android platform, and its earliest attack activities can be traced back to June 2021. The group's attack weapons are mainly disguised as social chat applications, and usually use erotic words to induce the installation of designated bait chat applications to launch attacks after identifying the target.
The attack weapon sample is an advanced customized version of Ahmyth (customized L3mon open source Trojan), which includes common spy Trojan functions and uploads the stolen user data to Google cloud storage space.
Dozens More PyPI Packages Attempting to Deliver W4SP Stealer in Ongoing Supply-Chain Attack
An unknown threat actor is going after developer hosts via Python package registry type squatting. This isn’t the first and it won’t be the last. This is just one example of why software supply chain management, especially package import into an enterprise environment, is a critical hygiene factor in 2022.
[We detected] suspicious activity in dozens of newly published PyPI packages. It appears that these packages are a more sophisticated attempt to deliver the W4SP Stealer on to Python developer’s machines by hiding a malicious __import__
The main attack seems to have started around October 12, 2022, slowly picking up steam to a concentrated effort around October 22. Our system did, however, detect a small number of packages from July of 2022 that show similar IOC’s. The assumption is that this was an early POC effort, that is just now being executed in this fashion.
There are dozens of packages actively being published on PyPI with benign-sounding names (some are typosquats) that blatantly copy existing legitimate packages and tries to sneak in a small snippet of malicious code.
The malicious code is a hidden
__import__statement in the package’ssetup.py,__init__.py, or we’ve even seen it injected into custom error classes. Regardless, it contains a Base64 encoded string that gets executed. Sometimes instead of the import directly in these files, it could just be anos.system()call thatpip installs one of their other malicious packages.Decoded, that Base64 encoded string contains a Python script that is written to a temporary file that is executed.
That temporary file contains code that reaches out to any number of URLs.
From each URL it pulls lightly obfuscated Python code that executes a compressed byte object.
Decompressed, that byte object contains the W4SP Stealer malware that is deployed on the system.
Alert on resurgence of Emotet malware infection in Japan
Reporting from Japan which echos western reporting that Emotet has awoken from its slumber. The tradecraft is however rather basic.
Since mid-July 2022, no emails leading to Emotet infection have been observed in Japan, but the distribution of emails has been observed since November 2nd. The basic attack method remains the same, and the email contains a malicious xls file or a password-protected ZIP file containing XLS files.
Cyber Criminal Adoption of IPFS for Phishing, Malware Campaigns
Edmund Brumaghin highlights the challenges we are going to have with a decentralised web and cyber defence. It makes it like whack and mole on level HARD. Realistically we aren’t going to be able to block all the top level domains and in time not have stuff break.
The InterPlanetary File System (IPFS) is an emerging Web3 technology that is currently seeing widespread abuse by threat actors.
[We have] observed multiple ongoing campaigns that leverage the IPFS network to host their malware payloads and phishing kit infrastructure while facilitating other attacks.
IPFS is often used for legitimate purposes, which makes it more difficult for security teams to differentiate between benign and malicious IPFS activity in their networks.
Multiple malware families are currently being hosted within IPFS and retrieved during the initial stages of malware attacks.
Organizations should become familiar with these new technologies and how they are being leveraged by threat actors to defend against new techniques that use them.
https://blog.talosintelligence.com/ipfs-abuse/
ShortAndMalicious: StrelaStealer aims for mail credentials
Johann Aydinbas and Axel Wauer document a stealer which is unattributed. There is a degree of refinement (comparatively, although still rather basic) in this campaign that when compared to the reporting of Russian capability against Ukraine makes you wonder.
We take a brief look at an undocumented custom malware we have been analysing under the moniker “StrelaStealer” (“Стрела” == arrow) which appears to be purpose-built to steal mail login data.
[We] first discovered StrelaStealer early November 2022 distributed via ISO files with what appears to be Spanish targets based on used lure documents. It is unclear at this point in time if StrelaStealer is part of a targeted attack.
StrelaStealer samples are distributed in ISO files with varying content. In one instance, StrelaStealer uses a renamed msinfo32.exe to sideload StrelaStealer as slc.dll. Another, more interesting variant distributes StrelaStealer as a DLL/HTML polyglot.
Polyglots files are files that are valid as two or more different file formats. In this case, StrelaStealer uses a file that is both valid as a DLL as well as an HTML page.
New Laplas Clipper Distributed via SmokeLoader
Someone is on the hunt for crypto currency despite BTC taking a fall recently. The point of note is the volume of samples - we can debate if these are being programmatically generated or not.
[We] observed a malware strain known as SmokeLoader, which carries popular malware family samples such as SystemBC and Raccoon Stealer 2.0, along with a new clipper malware dubbed Laplas Clipper that targets cryptocurrency users.
Through our research, we have identified more than 180 different samples related to the clipper malware in the last two weeks, indicating that the malware has been widely deployed in recent weeks. Our intelligence indicates that the incidents of Laplas Clipper infection are on the rise, as shown below.
https://blog.cyble.com/2022/11/02/new-laplas-clipper-distributed-by-smokeloader/
Hacktivists Use of DDoS Activity Causes Minor Impacts
FBI throwing shade at Russian DDoS actors.
The FBI defines hacktivism as a collective of cyber criminals who conduct cyber activities to advance an ideological, social, or political cause. Historically, hacktivist collectives conducted and advocated for cyber crime activity following high-profile political, socioeconomic, or world events. Coinciding with the Russian invasion of Ukraine, the FBI is aware of Pro-Russian hacktivist groups employing DDoS attacks to target critical infrastructure companies with limited success. Hacktivists provide tools and guidance on cyber attack methodology and techniques to anyone willing to conduct an attack on behalf of their cause. DDoS attacks of public facing websites, along with web page and social media profile defacement, are a preferred tactic for many operations. These attacks are generally opportunistic in nature and, with DDoS mitigation steps, have minimal operational impact on victims; however, hacktivists will often publicize and exaggerate the severity of the attacks on social media. As a result, the psychological impact of DDoS attacks is often greater than the disruption of service.
https://www.ic3.gov/Media/News/2022/221104.pdf
Abusing Microsoft Customer Voice to Send Phishing Links
Jeremy Fuchs outlines an interesting campaign where a Microsoft service is being leveraged for traditional phishing. The use of such services will make it harder to block.
Dynamics 365 Customer Voice is a Microsoft product that is used primarily to gain feedback from customers.
It can be used for customer satisfaction surveys, to track customer feedback and to aggregate data into actionable insights.
It can also be used to interact with customers via phone, with the data being collected for more customer input.
In this attack, hackers are leveraging legitimate links from Microsoft notifications to send credential harvesting pages. [We have] seen hundreds of these attacks in the last few weeks.
Vector: Email
Type: Credential Harvesting
Techniques: Social Engineering, Impersonation
Target: Any end-user
https://www.avanan.com/blog/abusing-microsoft-customer-voice-to-send-phishing-links
Discovery
How we find and understand the latent compromises within our environments.
Tales of Windows detection opportunities for an implant framework
I gave a ⚡this week 'Tales of Windows detection opportunities for an implant framework'.
It covers some of the signals which aren't today readily collected / exposed by EDR that detection engineering teams might want to explore.
Detecting Indirect Syscalls from Userland, A Naive Approach
Rad is back with another excellent blog post, showing how hardware breakpoints might be used. I feel Rad is being hard on the approach, it is a good innovation and raises the game once more between attack and defence.
We'd set a hardware breakpoint on the syscall (or, equivalently, the ret) instruction. The indirect syscall will then jmp/call our instruction. It would then hit our breakpoint where we'd single step while our static count is != 0. We'd single step once to end up at the ret instruction and once more to take that ret. When we take that ret, we end up either in the indirect syscall function OR the indirect syscall, depending on how the program invoked the call. If this is a legitimate function, it should originate from one of the DLLs: e.g., Kernel32/Kernelbase.
https://fool.ish.wtf/2022/11/detecting-indirect-syscalls.html
Sigma Rules for the 2022 RedCanary Threat Detection Report
Micah Babinski gives us Sigma rules for all the tradecraft originally outlined in the report.
https://github.com/mbabinski/Sigma-Rules/tree/main/2022_RedCanary_ThreatDetectionReport
Open Source Forensics Tool for Siemens PLCs
Interesting tooling for the modern era of ICS cyber defence reality from the team at Microsoft.
ICS Forensics Tools is an open source forensic toolkit for analyzing Industrial PLC metadata and project files. [It] enables investigators to identify suspicious artifacts on ICS environment for detection of compromised devices during incident response or manual check. [It] is open source, which allows investigators to verify the actions of the tool or customize it to specific needs, currently support Siemens S7 via Snap7.
https://github.com/microsoft/ics-forensics-tools
Defence
How we proactively defend our environments.
TiEtwAgent: PoC memory injection detection agent based on ETW, for offensive and defensive research purposes
I missed this when it was published two years ago but it is worth calling out. In short they use the `Microsoft-Windows-Threat-Intelligence ETW feed to detect memory operations which might be a sign of code injection.
This project was created to research, build and test different memory injection detection use cases and bypass techniques. The agent utilizes Microsoft-Windows-Threat-Intelligence event tracing provider, as a more modern and stable alternative to Userland-hooking, with the benefit of Kernel-mode visibility.
https://blog.redbluepurple.io/windows-security-research/kernel-tracing-injection-detection
https://github.com/xuanxuan0/TiEtwAgent
Vulnerability
Our attack surface.
CVE-2022-39328 Grafana Unauthorized access to arbitrary endpoints
Concurrency is hard in pools we learn from this vulnerability.
An internal security audit identified a race condition in the Grafana codebase, which allowed an unauthenticated user to query an arbitrary endpoint in Grafana. A race condition in the HTTP context creation could result in an HTTP request being assigned the authentication/authorization middlewares of another call. Under heavy load, it is possible that a call protected by a privileged middleware receives the middleware of a public query instead. As a result, an unauthenticated user can successfully query protected endpoints.
CVE-2022-27510: Citrix Gateway and Citrix ADC Unauthorized access to Gateway user capabilities
Compare the previously vulnerability description and this one. We’ll have to wait for the 3rd party research team to publish their blog (I did check and couldn’t see anything relevant - https://research.securitum.com/)
Unauthorized access to Gateway user capabilities
CVE-2022-0902: ABB Flow Computer and Remote Controllers Path Traversal Vulnerability in Totalflow TCP protocol can lead to root access
Proof that path input validation is still challenging in 2022. Bonus points for being in industry control systems..
A path traversal vulnerability can allow unauthenticated users to gain access to restricted directories. Exploiting this vulnerability can lead to pre-authenticated remote code execution in root context.
..
To mitigate this vulnerability the ABB device should only be connected to a network segment that restricts access to authorized users. The vulnerability is only exposed when the attacker has access to the network where the ABB device is running Totalflow TCP protocol.
Samsung Galaxy Store Applications Installation/Launching without User Interaction
State of mobile security in 2022. The interesting thing is that this vulnerability was disclosed via a third party disclosure / brokering / payment service in Korea.
A vulnerability in the Galaxy Store allows attackers through an XSS to cause the store to install and/or launch an application, allowing remote attackers to trigger a remote command execution in the phone.
Offense
Attack capability, techniques and tradecraft.
Lessons Learned from Cloning Windows Binaries and Code Signing Implants
Capt. Meelo gives shocking insight that they gained a 50% improvement of endpoint detection by signing a binary with an untrusted code signing certificate. What a time to be alive!
Based on the scan result, the detection rate improved from 6/26 to 3/26. This signifies that code signing works (or simply fools some AVs) even with an invalid certificate.
https://captmeelo.com/redteam/maldev/2022/11/07/cloning-signing.html
Confusing .NET Decompilers: The Call OpCode
Washi shows that with a bit of effort all our tools are fragile.
Even though C# may present itself as a mostly type-safe language, CIL definitely is not. We have seen that we can abuse the subtle differences between
callandcallvirtto fool decompilers and reverse engineers. By cleverly specifying the right operands in ourcallinstructions, we were able to trick the decompiler into outputting code that once recompiled yields different results from the original code. Furthermore, we also have seen some hints of how complicated making an accurate emulator for the CIL language really is, making the development of automatic deobfuscators a very complex task.So far we only looked into the
callopcode extensively. However, as it turns out, this is not the only opcode that has some interesting unintended implementation details. In a future post, we will be taking another deep dive and look at the inner workings of thecallvirtopcode as well, and exploit some of the design choices that the .NET runtime team have made.
https://washi.dev/blog/posts/confusing-decompilers-with-call/
Canary Hunter
Does what it says on the tin..
While executing multiple red team engagements over the past few years there have been multiple times where I have run up against Canary Tokens which could potentially alert the SOC to actions taken. As such I spent some time running down the rabbit hole discovering if there were ways to detect these canaries within files present within the environment. Canary Hunter was formed to quickly check for Common Canaries in various formats generated for free on canarytokens.org
https://github.com/C0axx/CanaryHunter
Exploitation
What is being exploited.
CVE-2022-41049: Exploring ZIP Mark-of-the-Web Bypass Vulnerability
Kuba Gretzky walks through the vulnerability end to end leading to a ‘doh!’
Windows ZIP extraction bug (CVE-2022-41049) lets attackers craft ZIP files, which evade warnings on attempts to execute packaged files, even if ZIP file was downloaded from the Internet.
https://breakdev.org/zip-motw-bug-analysis/
CVE-2022-3699: Lenovo Diagnostics Driver Escalation of Privilege
State of third party driver security in 2022 on Windows.
Incorrect access control for the Lenovo Diagnostics Driver allows a low-privileged user the ability to issue device IOCTLs to perform arbitrary physical/virtual memory read/write.
https://github.com/alfarom256/CVE-2022-3699/
Compromising Plesk via its REST API
Adrian Tiron shows when CSRF burns due to a misconfigured CORS policy. You can see how this could be exploited via malicious advertising and similar.
https://fortbridge.co.uk/research/compromising-plesk-via-its-rest-api/
Tooling and Techniques
Low level tooling for attack and defence researchers.
EMOTET Dynamic Configuration Extraction
Remco Sprooten provides an emulator to support extraction..
The EMOTET developers have changed the way they encode their configuration in the 64bit version of the malware.
Using code emulation we can bypass multiple code obfuscation techniques.
The use of code emulators in config extractors will become more prevalent in the future.
https://www.elastic.co/security-labs/emotet-dynamic-configuration-extraction
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Quantifying Cyber Conflict: Introducing the European Repository on Cyber Incidents
The cyber strategy and operations of Hamas: Green flags and green hats
The DoD Cybersecurity Policy Chart - if we designed it, it wouldn't look like this - time for a refactoring to pay down some policy debt
Responding to and Recovering from a Cyber Attack: Cybersecurity for the Manufacturing Sector - from NIST’s National Cybersecurity Center of Excellence
Journal of Information Security from October 2022 - including The Role of Social Engineering in Cybersecurity and Its Impact, Meta-Review of Recent and Landmark Honeypot Research and Surveys and Systematic Review of Graphical Visual Methods in Honeypot Attack Data Analysis
Australasian Information Security Conference (AISC 2023) Call for Papers
TrustCor Systems verifies web addresses, but its address is a UPS Store - reporting on this company implying it might not be all it seems.
That’s all folks.. until next week..