Cyber Defence Analysis for Blue & Purple Teams

Bluepurple Pulse: week ending November 6th

bluepurple.binaryfirefly.com

Guy Fawkes edition and not in the V for Vendetta sense...

Ollie
Nov 4, 2022
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.

Operationally this week was the damp squib that was the OpenSSL vulnerability mentioned last week. Outside of that, we are seeing a ticking over of ransomware activity and also some potential bleed into European heavy industry from the Ukraine/Russia conflict.

In the high-level this week:

  • FinCEN Analysis Reveals Ransomware Reporting in BSA Filings Increased Significantly During the Second Half of 2021

  • Digitalizing the Red Cross, Red Crescent and Red Crystal Emblems - humanitarian effort identifiers which indicate they are not to be targeted in conflicts - the idea of a red cross in the digital domain to indicate hackers should in the spirit of humanitarianism stay away. Interesting, but I feel only those observing norms would adhere.

  • Norms vs. Realities: Cyber at the UN - OEWG stagnation is evidence of a further fracturing geopolitical environment, as tensions mount between Russia and the West

  • Band Of Cybercriminals Responsible For Computer Intrusions Nationwide Indicted For RICO Conspiracy That Netted Millions - distinctly reminiscent of the downfall of Al Capone.

  • Germany electricity supplier hit by cyber attack - I am sure entirely unrelated to the current conflict.

  • National Cyber Threat Assessment 2023-2024 - from Canadian Centre for Cyber Security

  • ACSC Annual Cyber Threat Report, July 2021 to June 2022 - released November from Australia

  • Volatile Geopolitics Shake the Trends of the 2022 Cybersecurity Threat Landscape

  • Cyber Operations Enabling Expansive Digital Authoritarianism - Office of the Director of National Intelligence

  • More Evil Markets - How it has never been easier to buy initial access to compromised networks

  • Darknet marketplace: Alleged administrator arrested - the 22-year-old is said to have operated the “Germany on the Deep Web” platform since November 2018

  • ANSSI (French Government) publishes, in partnership with the Directorate General for Enterprise (DGE), the Confederation of Small and Medium Enterprises (CPME) and France Num, a new guide intended for VSEs and SMEs (small businesses)

  • Various countries supporting Ukraine in the cyber domain = makes you proud

    • Inside a US military cyber team’s defence of Ukraine

    • British cyberwarriors defend Ukraine

  • How we handled a recent phishing incident that targeted Dropbox - 130 private source code repositories copied

  • DeFi Hacks Analysis - Root cause from over 100 hacks

  • The UK’s National Cyber Security Centre published details of why/how they are scanning parts of the Internet 👏🏽

Reflections this week come from the International Counter Ransomware Initiative Summit, which is a proper attempt at cohering governments and industry who are values aligned into an aligned set of actions. It has been a long time in coming and is good muscle memory to develop, as it won’t be the last time in the digital domain we need to do this.

The result was the International Counter Ransomware Initiative 2022 Joint Statement, which summarises the multifront approach that was agreed. A cut-down version is:

  • Hold ransomware actors accountable for their crimes and not provide them safe haven;

  • Combat ransomware actors’ ability to profit from illicit proceeds

  • Disrupt and bring to justice ransomware actors and their enablers

  • Collaborate in disrupting ransomware by sharing information

Have a lovely Friday

Ollie

Cyber threat intelligence

Who is doing what to whom and how.

RomCom Threat Actor Abuses KeePass and SolarWinds to Target Ukraine and Potentially the United Kingdom

Domain doppelgangers are the tradecraft of choice here.

The threat actor known as RomCom is running a series of new attack campaigns that take advantage of the brand power of SolarWinds, KeePass, and PDF Technologies.

In preparation for an attack, the RomCom threat actor performs the following simplified scheme: scraping the original legitimate HTML code from the vendor to spoof, registering a malicious domain similar to the legitimate one, Trojanizing a legitimate application, uploading a malicious bundle to the decoy website, deploying targeted phishing emails to the victims, or in some instances, using additional infector vectors, which we will go into in more detail below.

https://blogs.blackberry.com/en/2022/11/romcom-spoofing-solarwinds-keepass

The Internet of Things botnet Torii operated by the "Ocean Lotus" organization

Chinese reporting on Vietnamese activity using IoT to mask their infrastructure and/or use as a temporary routing etc.

Since 2020, "Ocean Lotus" has used lost IoT devices at home and abroad to transfer traffic

The Torii trojan has a very rich set of features for (sensitive) information theft, structured traffic capable of multiple layers of encrypted communication, and can infect various devices and provide support for various target architectures (the advantages of Linux trojans, Cross-compilation can specify any architecture), including MIPS, ARM, x86, x64, PowerPC, SuperH, etc.

https://mp-weixin-qq-com.translate.goog/s/v2wiJe-YPG0ng87ffBB9FQ?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en

Opera1er: Playing god without permission

Details of a financially motivated operator active in Africa and wider. The fact they have the capability to target and operate SWIFT gateways is the thing of note. $30 million from over 30 operations is interesting given the relatively small size. Also special 🏅 to the vendor of this report with one of the darkest patterns possible to demand personal information to read something.

https://explore.group-ib.com/opera1er-eng/report-opera1er-eng

Cranefly: Threat Actor Uses Previously Unseen Techniques and Tools in Stealthy Campaign

Believed to be an intelligence operation by an unattributed threat actor. The point of note is that the log files themselves are used as the command channel, in essence meaning by default there is no new direct network listening surface.

[We] discovered a previously undocumented dropper that is being used to install a new backdoor and other tools using the novel technique of reading commands from seemingly innocuous Internet Information Services (IIS) logs.

The dropper (Trojan.Geppei) is being used by an actor [we call] Cranefly to install another piece of hitherto undocumented malware (Trojan.Danfuan) and other tools. The technique of reading commands from IIS logs is not something [our] researchers have seen being used to date in real-world attacks.

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cranefly-new-tools-technique-geppei-danfuan

APT-Q-36: Analysis of the recent iterative update of the arsenal of the South Asian Maha grass organization

Chinese reporting on an Indian state aligned threat actor which has been active for over 13 years. The actor is now using stolen code signing certificates and evolving their tooling. It is almost as if they have learnt from some of their Chinese adversaries.

[We] captured several recent targeted attack samples of the organization against surrounding countries and regions. Based on the data we have collected in recent months, the organization is updating and iterating on its arsenal, and using stolen signatures to disguise attack samples, we conclude that the organization's recent Trojan characteristics are as follows:

  1. Introduce open source encryption library to update encryption algorithm;

  2. Most of the attack samples are marked with stolen signatures, reducing the risk of exposure on the host;

  3. Shellcode bypasses the monitoring of key API calls by some security products;

  4. Develop new injectors and use mimikatz to steal victim host keys;

https://mp-weixin-qq-com.translate.goog/s/IwcxY3TqkmyY-pBxnXuM1A?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp

Not a dream job: Hunting for malicious job offers from an APT

Alexey Firsh expands the reporting on the fake job campaign being used by North Korea. This campaign has been going on for a while and it is interesting to see the non military industrial base brands. With the rise of technical assessments in recruitment processes it was only a matter of time.

As a result of this quick research we identified additional samples that seem to be part of the same campaign, in this case expanding the scheme behind its distribution to, apparently, Dell and IBM in addition to Amazon. Submissions of the identified samples are observed between June and September 2022. 

https://blog.virustotal.com/2022/11/not-dream-job-hunting-for-malicious-job.html

Analysis Of Suspected Lazarus Attacks Against South Korea

Chinese reporting on North Korean activity against South Korea. Good insight into the full initial access chain. All rather basic and known, but good confirmation they haven’t evolved too much.

The attack flow of this attack is roughly as follows:

1. Using template injection, wait for the decoy document to be opened and download the malicious template constructed by the attacker to the host for execution.

2. The macro code in the template requests the specified URL, downloads the malicious payload and injects it into WINWORD.exe for execution.

3. The downloaded malicious payload is mainly used to release the download tool IEUpdate.exe and execute it, and add it to the registry RUN for persistence.

4. After IEUpdate.exe is executed, it sends a message to obtain the C2 used for subsequent communication, and downloads different malicious payloads for execution according to the returned information.

5. There are two known payloads, hvncengine.dll and shellengine.dll, which are used to communicate with C2 for remote control.

https://www-antiy-cn.translate.goog/research/notice&report/research_report/20221101.html?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp

Where is the Origin?: QAKBOT Uses Valid Code Signing

Hitomi Kimura highlights criminal use of valid (stolen?) code signing certificates. We have historically seen organised crime get code signing certificates through subterfuge. This isn’t ruled out in this case, but may be closer to the victim organisations than we have seen previously.

Checking the modules related to QAKBOT shows multiple samples that have been signed with multiple valid code signing certificates. A look at the abused certificates also reveals that they were not issued to non-existent organizations for abuse, but rather valid certificates issued to real existent organizations through proper process.

https://www.trendmicro.com/en_us/research/22/j/where-is-the-origin-qakbot-uses-valid-code-signing-.html

Fake Hungarian Government Email Drops Warzone RAT

Gergely Revay outlines a criminal campaign targeting a region with a malware-as-a-service payload. It highlights more than anything that in 2022 you really don’t need to own all the capability to be effective.

[We] discovered an email pretending to come from the Hungarian government. It informs the user that their new credentials to a governmental portal are attached. The attachment, however, is a zipped executable that, upon execution, extracts the Warzone RAT to memory and runs it. A few days after our initial discovery, the Hungarian National Cyber Security Center issued a warning about this attack. This post provides a detailed analysis.

Using the Warzone RAT as the final payload also supports cyber criminals' growing reliance on MaaS services.

https://www.fortinet.com/blog/threat-research/fake-hungarian-government-email-drops-warzone-rat

Black basta ransomware - Attacks deploy custom EDR evasion tools tied To FIN7 threat actor

FIN7, a name we know and love, is now being associated with a more modern criminal incarnation. It was inevitable: there is a scarcity of supply of talent, and said talent will bring their old code / tooling with them, causing taint. You can almost see the DoJ indictment being written for this individual.

• [We] assess it is highly likely the Black Basta ransomware operation has ties with FIN7.
• Black Basta maintains and deploys custom tools, including EDR evasion tools.
• [We] assess it is likely the developer of these EDR evasion tools is, or was, a developer for FIN7.
• Black Basta attacks use a uniquely obfuscated version of ADFind and exploit PrintNightmare, ZeroLogon and NoPac for privilege escalation

https://assets.sentinelone.com/sentinellabs22/SentinelLabs-BlackBasta

A technical analysis of Pegasus for Android – Part 3

Further analysis of Pegasus’s Android capability including what looks like a sandbox escape via a media player vulnerability. Payload however not captured.

In this last part, we’re presenting the WAP Push messages that could be used to autoload content on the phone without user interaction, the C2 communication over the MQTT protocol, the exploitation of a vulnerability in MediaPlayer that was not disclosed before, and the ability of the spyware to track phone’s locations.

https://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-3/

Discovery

How we find and understand the latent compromises within our environments.

Threat Analysis: Active C2 Discovery Using Protocol Emulation Part3 (ShadowPad)

Takahiro Haruyama issues reporting on Chinese tooling and how to do active discovery of the C2. You have to wonder, the more reporting like this there is, how much it will force a step away from these types of protocols.

ShadowPad supports six C2 protocols: TCP, SSL, HTTP, HTTPS, UDP, and DNS. In this research, TAU focuses on TCP/HTTP(S)/UDP protocols as others like SSL and DNS are not likely utilized by the recent ShadowPad samples.

https://blogs.vmware.com/security/2022/10/threat-analysis-active-c2-discovery-using-protocol-emulation-part3-shadowpad.html

Bold-Falcon

An open source malware analysis system from China.

Open source automated malware analysis system. It is used to automate and analyze files and collect comprehensive analysis results outlining what the malware does when running in a standalone operating system

https://github.com/PowerLZY/Bold-Falcon

Defence

How we proactively defend our environments.

DASTardly from Burp Suite

From the team over at PortSwigger enabling the discovery of seven vulnerability classes in web apps via dynamic application security testing within CI/CD pipelines.

a Dynamic Application Security Testing tool for CI/CD pipelines that completes within 10 minutes or less

https://portswigger.net/blog/free-dastardly-from-burp-suite

Attack surface reduction rules reference

If you wanted a lesson in how complex ASR is in Microsoft Defender for Endpoint, this is it. Using GUIDs like this must be one of the least user friendly ways to achieve this functionality.

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#asr-rule-to-guid-matrix

Attestation: A necessity for Zero Trust

Prakhar Srivastava discusses one of the fundamentals of ZT and how to actually do it in practice within the Microsoft eco-system including Linux.

One of the overlooked tools in TTP for any IT admin, Sec Operations admin, security researcher, app developer is device attestation and how it can help detect and respond to some of these attacks. To help our customers and partners be more secure we are now releasing an update to our existing Azure Attestation service to start supporting Key attestation along with support for Integrity Measurement Architecture for Linux.

https://techcommunity.microsoft.com/t5/security-compliance-and-identity/attestation-a-necessity-for-zero-trust/ba-p/3667604

AutomatedLab

One of the most amazing work aids here for at-scale environment creation to test a variety of scenarios in offense and defence.

AutomatedLab is a provisioning solution and framework that lets you deploy complex labs on HyperV and Azure with simple PowerShell scripts. It supports all Windows operating systems from 2008 R2 to 2022, some Linux distributions and various products like AD, Exch

https://github.com/AutomatedLab/AutomatedLab

Vulnerability

Our attack surface.

CVE-2022-3602: The OpenSSL punycode vulnerability

The damp squib.

Overview, detection, exploitation, and remediation

Frederic Baguelin, Jeremy Fox, Nick Frichette and Eslam Salem provide a wonderful analysis and supporting guidance.

https://securitylabs.datadoghq.com/articles/openssl-november-1-vulnerabilities/

Why CVE-2022-3602 (The OpenSSL vuln) was not detected by fuzz testing

Alexander Tarasikov then shows why it wasn’t found in the first place through fuzzing.

Short answer: the code is not reachable by the current corpus and harness. As there exists an X.509 fuzzer, perhaps developers and other folks assumed it could theoretically reach all parsers, but this is not the case.

https://allsoftwaresucks.blogspot.com/2022/11/why-cve-2022-3602-was-not-detected-by.html

CVE-2022-22241: Juniper SSLVPN / JunOS RCE and Multiple Vulnerabilities

The 1990s called and want their web vulnerabilities back in their edge security appliances.

https://octagon.net/blog/2022/10/28/juniper-sslvpn-junos-rce-and-multiple-vulnerabilities/

Visual Studio Code Jupyter Notebook RCE

Luca Carettoni does a wonderful job of explaining the exploitation of a Cross-Site Scripting (XSS) vulnerability affecting the VSCode built-in support for Jupyter Notebook (.ipynb) files using multiple chained techniques. If you ever had doubt that you need a PhD in web hacking (also known as a Burp Certified Practitioner) then this was it.

https://blog.doyensec.com/2022/10/27/jupytervscode.html

Offense

Attack capability, techniques and tradecraft.

Exploitation in the era of Formal Verification

This video from DEF CON 30 was published this week featuring Adam Zabrocki and Alex Tereshkin. With the advent of these languages many predict the end of vulnerability research and exploitation in them. This publication gives us some hope.

AdaCore/SPARK is a formally defined programming language intended for the development of high integrity software used in systems where predictable and highly reliable operation is crucial. The formal, unambiguous, definition of SPARK allows a variety of static analysis techniques to be applied, including information flow analysis, proof of absence of run-time exceptions, proof of termination, proof of functional correctness, and proof of safety and security properties.

In this talk we will dive-into AdaCore/SPARK, cover the blind spots and limitations, and show real-world vulnerabilities which we met during my work and which are still possible in the formally proven software. We will also show an exploit targeting one of the previously described vulnerabilities.

TerraLdr: A Payload Loader Designed With Advanced Evasion Features

Orca keeps the releases coming to make EDR vendors sob.

  • no crt functions imported

  • syscall unhooking using KnownDllUnhook

  • api hashing using Rotr32 hashing algo

  • payload encryption using rc4 - payload is saved in .rsrc

  • process injection - targetting 'SettingSyncHost.exe'

  • ppid spoofing & blockdlls policy using NtCreateUserProcess

  • stealthy remote process injection - chunking

  • using debugging & NtQueueApcThread for payload execution

https://github.com/ORCx41/TerraLdr

StopDefender: Stop Windows Defender programmatically

Does what it says on the tin - no real way to mitigate this as it needs to be able to happen in order to allow updates.

Stop Windows Defender programmatically creating a new token using TrustedInstaller and Windefend service accounts.

https://github.com/lab52io/StopDefender

Exploitation

What is being exploited.

urlscan.io's SOAR spot: Chatty security tools leaking private data

From Russia with love.

  • Sensitive URLs to shared documents, password reset pages, team invites, payment invoices and more are publicly listed and searchable on urlscan.io, a security tool used to analyze URLs

  • Part of the data has been leaked in an automated way by other security tools that accidentally made their scans public (as did GitHub earlier this year)

  • Users of such misconfigured Security Orchestration, Automation and Response (SOAR) tools have a high risk of their accounts being hijacked via manually triggered password resets

  • We are in no way affiliated with urlscan.io and just want to inform the public of its risk and potential in offensive security

https://positive.security/blog/urlscan-data-leaks

Tooling and Techniques

Low level tooling for attack and defence researchers.

ariadne: Ariadne: Binary Ninja Graph Analysis Plugin

Work aid for reverse engineers.

Ariadne is a Binary Ninja plugin that serves a browser-based interactive graph visualization for assisting reverse engineers. It implements some common static analysis tasks including call graph analysis, and can integrate block coverage information. This enables users to build interactive graphs and see exactly what they are interested in.

https://github.com/seeinglogic/ariadne

Recovery of function prototypes in Visual Basic 6 executable

Yes, VB6 is still relevant.

https://decoded.avast.io/davidzimmer/recovery-of-function-prototypes-in-visual-basic-6-executables/

Spartacus: Spartacus DLL Hijacking Discovery Tool

When a process that is vulnerable to DLL Hijacking is asking for a DLL to be loaded, it's kind of asking "WHO IS VERSION.DLL?" and random directories start claiming "I AM VERSION.DLL" and "NO, I AM VERSION.DLL". And thus, Spartacus.

https://github.com/Accenture/Spartacus

Defeating Guloader Anti-Analysis Technique

[We] recently discovered a Guloader variant that contains a shellcode payload protected by anti-analysis techniques, which are meant to slow human analysts and sandboxes processing this sample. To help speed analysis for this sample and others like it, we are providing a complete Python script to deobfuscate the Guloader sample that is available on GitHub.

In early September 2022, we discovered a Guloader variant with low VirusTotal detection. Guloader (also known as CloudEye) is a malware downloader first discovered in December 2019.

https://unit42.paloaltonetworks.com/guloader-variant-anti-analysis/

Open-Obfuscator

A free and open-source obfuscator for mobile applications

https://www.romainthomas.fr/post/22-10-open-obfuscator/

Footnotes

Some other small (and not so small) bits and bobs which might be of interest.

  • APT trends report Q3 2022

  • TAG Bulletin: Q3 2022

  • DNS Threat Report Q3 2022

  • Information Risk Insights Study 2022 - The new study analyzes 77,000 cyber events, $57 billion in reported losses, and 72 billion compromised records

  • PrivacyCon 2022 - hosted by the US’s Federal Trade Commission - videos / materials available

  • USENIX Security '22 Technical Sessions - videos now available

  • CISA Cross-Sector Cybersecurity Performance Goals

  • Securing Water and Wastewater Utilities from NIST

  • European Journal of Risk Regulation latest edition - including the article Artificial Intelligence Risks and Algorithmic Regulation

  • The Iran Firewall - A preliminary report

  • CVElk: Autoconfigured ELK Stack That Contains All EPSS and NVD CVE Data

  • Post-Quantum Cryptography - Integration study

  • The Geopolitics of Microchips and Semiconductors

Your humour this week comes from the below which led to the most ever comments in the subreddit outside of the big breach events 🙄.

r/blueteamsec - Cyber is hard

That’s all folks.. until next week..

© 2023 Ollie Whitehouse from BinaryFirefly