

Bluepurple Pulse: week ending November 27th
Rumblings around commercial offensive cyber capabilities rumble on..
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week you will see below that the tit for tat between Russia and the world continues to create friction. Outside of that nothing beyond the usual background noise, which I note is still material.
In the high-level this week:
MEPs discuss technical vulnerabilities related to spyware with experts - good to see this happens and the level of technical insight provided.
India has released the Digital Personal Data Protection Bill, 2022 - You can see that India is rapidly accelerating in terms of governance on a related set of matters around cyber and similar.
How the FBI Stumbled in the War on Cybercrime - a long read which is likely unsympathetic to getting anything done in any organisation.
Multi-stakeholder Governance of Cyberspace – Merely a Myth? - bit of a moan more than anything about lack of inclusion of non-state entities, but interesting as a perspective.
US to prohibit the use of commercial spyware that presents a counter intelligence risk by federal agencies - naturally the fall out of foreign supplied commercial capabilities continues.
Related: NSO went to the US Supreme Court to get the case WhatsApp/Meta brought against them thrown out, arguing they are immune as their customers are governments - this is the legal brief - get the 🍿
Offshore Oil and Gas: Strategy Urgently Needed to Address Cybersecurity Risks to Infrastructure - the U.S. Government Accountability Office smashes the panic button.
NIS Investments 2022 - third iteration of ENISA's NIS Investments report - it collects data on how Operators of Essential Services (OES) and Digital Service Providers (DSP) identified in the EU's directive on security of network and information systems (NIS Directive) invest their cybersecurity budgets.
A ruling in Google’s legal case against the Glupteba botnet - hyperscalers get litigious - Our legal team also filed a case in the Southern District of New York to hold the botnet operators accountable. We made the explicit decision to name the criminal actors behind Glupteba as defendants in the suit, to expose them and their various shell companies - given the WhatsApp / NSO above - we can only imagine that big tech will increasingly employ litigation to protect the integrity of their services.
US Cyber Review Punts on Russian Hack, Hinting at Limitations - The inaugural report from the US’s new cyber review board was supposed to assess the massive SolarWinds hack, instead it looked at another incident.
Cyber-enabled financial crime: USD 130 million intercepted in global INTERPOL police operation - all the assets seized were virtual.
Stakeholder-Specific Vulnerability Categorization - augments the Common Vulnerability Scoring System (CVSS) - been out for a while but CISA recently started to amplify.
MIT Technology Review: The Cyber Defence Index - A benchmark of the digital security preparedness of enterprises across the threat landscapes of the world’s top economies - 2022/2023 edition.
World Economic Forum: Systemic Cybersecurity Risk and role of the Global Community: Managing the Unmanageable - paper from WEF on systemic risk in cyber - the scariest type.
European Parliament declares Russia to be a state sponsor of terrorism - its website was then hit by a denial-of-service attack by Killnet, which the European Parliament President described as sophisticated
Reflections this week have been around ransomware as I prepare to head off to the UK’s Parliament on Monday to give oral evidence to the Joint Committee on the National Security Strategy on the topic.
We know that various actors are utilising ransomware for criminal and state intent and often indiscriminately. Criminal intent and tradecraft are clear, if not evolving. State is more nuanced as its intent for ransomware usage can include sanctions busting to get access to financing to disruption whilst trying to appear criminal among various others.
When we think about the smallest victim organisations (my child’s school as an example) I keep coming back to what good help looks like both proactively and in response to incidents. In the case of incidents we do not have the equivalent of universal health care for cyber in any country I am aware of.
So small organisations have to muddle through mostly at their cost or with the support of their insurer. Whilst the advent of insurance is a welcome thing, it does instinctively seem like alternate models are waiting to be discovered beyond what we have today.
Have a lovely Friday
Ollie
Cyber threat intelligence
Who is doing what to whom and how.
From Coercion to Invasion: The Theory and Execution of China’s Cyber Activity in Cross-Strait Relations
High-level analysis of how China may use cyber as part of any hostile takeover of Taiwan.
China very likely views the use of cyber capabilities as an option for compelling the Taiwanese government or public to cease perceived pro-independence activities or deterring perceived moves toward Taiwanese independence.
If China decides to use force against Taiwan, cyber capabilities would almost certainly be used to seek information dominance as part of joint landing or blockade campaigns.
China’s network forces available for use in coercion and war include armed forces units, the personnel of civilian government organizations, and civilians in technology enterprises, and likely also “hobbyists” or patriotic hackers.
China almost certainly views the full range of cyber attack and technical network investigation tools found in the military and civilian spheres as applicable in coercion and war.
Network weapons and talent development pipelines in China include military weapons development and training programs, civilian educational programs and recruitment, and national efforts to build cyber ranges.
China very likely views network reconnaissance, including network inspection and espionage, as an ever-present form of struggle, and has considerable capabilities for carrying out such activity.
Based on observed cases, China’s approach to cyber-enabled espionage prioritizes targeting mid-level and high-level telecommunications infrastructure from which threat actors can collect data on a range of more specific targets.
China’s objectives for cyber war and coercion almost certainly include disrupting, damaging, or destroying the function of military and civilian information systems and critical infrastructure, as well as shocking Taiwanese decision-makers and weakening their will to fight.
Analysis of Ukrainian Network Vulnerability from the Perspective of Cyberspace Mapping
Chinese analysis of the situation in Ukraine. The thing I really took from this is that a Chinese private sector firm is able to, and is, monitoring and analysing the cyber posture of an entire country over ten months. Even if only the exposed web estate..
Nine months of conflict, more than half of government websites shut down, cyberspace mapping exposes the Achilles heel of Ukraine's network
From January to October 2022, [we] monitored a total of more than 15.222 million various network assets in Ukraine, involving about 2.552 million IP addresses. Among them, there are about 5.795 million web assets, accounting for about 38%.
Among all these web properties in Ukraine, a total of 36,582 government websites were found. Through the comparison of continuous monitoring data, it was found that at least 20,219 Ukrainian government websites were shut down after the outbreak of the Russia-Ukraine conflict, accounting for about 55.3% of the total number of Ukrainian government websites.
Earth Preta Spear-Phishing Governments Worldwide
Nick Dai, Vickie Su and Sunny Lu outline a Chinese state campaign against a broad set of interests. The spear-phishing tradecraft is substantially behind that of any modern red team. The scale of the campaign is of note.
We have been monitoring a wave of spear-phishing attacks targeting the government, academic, foundations, and research sectors around the world. Based on the lure documents we observed in the wild, this is a large-scale cyberespionage campaign that began around March. After months of tracking, the seemingly wide outbreak of targeted attacks includes but not limited to Myanmar, Australia, the Philippines, Japan and Taiwan. We analyzed the malware families used in this campaign and attributed the incidents to a notorious advanced persistent threat (APT) group called Earth Preta (also known as Mustang Panda and Bronze President).
In our observation of the campaigns, we noted that Earth Preta abused fake Google accounts to distribute the malware via spear-phishing emails, initially stored in an archive file (such as rar/zip/jar) and distributed through Google Drive links.
https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html
Mustang Panda based in China has targeted attacks with malware "Claimloader", may affect Japan
Japanese reporting on Chinese activity targeting both the Philippines and Japan. Again rather rudimentary tradecraft.
The attack used an archive file disguised as a document related to The US-Japan-Philippines Security Triangle: Enhancing Maritime Security, Shared Strategic Outlooks, and Defense Cooperation ( *1 ). Judging from the content of the conference, it is possible that similar attacks have been carried out on Japanese organizations, so this time we will introduce a series of attacks deployed from this archive file.
Espionage in Yemen suspected by a Middle Eastern intelligence service
Chinese reporting on what can only be described as a rather clumsy operation in Yemen by a middle eastern state.
The attack activities discovered this time mainly revolve around the "Riyadh consultation" incident, and carried out espionage activities against Yemeni journalists and media personnel who participated in the meeting. The attackers used the SpyNote commercial spyware on Android, reaching target groups through WhatsApp, text messages, emails, etc. to carry out espionage activities. Through open source intelligence, we learned that the attacker is suspected to be an intelligence agency of a country in the Middle East.
..
Through in-depth analysis of the attack process, we found that the WhatsApp registered mobile number used by the attacker belongs to Saudi Arabia.
..
In addition, we found that the Android attack samples used in the two attack incidents have the following common features:
Belongs to the SpyNote family of commercial espionage
Attack sample masquerading targets are all related to Yemen
C&C uses ddns.net dynamic domain name
Domain name resolution IP is located in Yemen
Both use the Mediafire storage platform
Bahamut cybermercenary group targets Android users with fake VPN apps
Lukas Stefanko outlines quite the multistep campaign to get on to target devices. Implies various social engineering techniques are employed.
This campaign has been active since January 2022 and malicious apps are distributed through a fake SecureVPN website that provides only Android apps to download.
The app used has at different times been a trojanized version of one of two legitimate VPN apps, SoftVPN or OpenVPN, which have been repackaged with Bahamut spyware code that the Bahamut group has used in the past.
We were able to identify at least eight versions of these maliciously patched apps with code changes and updates being made available through the distribution website, which might mean that the campaign is well maintained.
The main purpose of the app modifications is to extract sensitive user data and actively spy on victims’ messaging apps.
We believe that targets are carefully chosen, since once the Bahamut spyware is launched, it requests an activation key before the VPN and spyware functionality can be enabled. Both the activation key and website link are likely sent to targeted users.
We do not know the initial distribution vector (email, social media, messaging apps, SMS, etc.).
Cybercrime Group Expands Cryptocurrency Phishing Campaign
The takeaway from this reporting is the use of multi-factor authentication code relaying in a criminal campaign. We have seen this technique used by more and more threat actors. This is, I suspect, in part driven by the availability of commodity frameworks offering it.
[We continue] to track an active criminal group operating four campaigns targeting the users of cryptocurrency exchanges and wallets. The scammers will use an in-browser chat window to initiate a remote desktop session on the victim's device, approve their own device as valid to access the user's account, and then drain cryptocurrency from the victim's wallet.
On the new domains associated with the campaign, the 2-Factor relay interception tactic is again in use.
https://pixmsecurity.com/blog/phish/cybercrime-group-expands-cryptocurrency-phishing-operation/
WatchDog Continues to Target East Asian Cloud Service Providers
Matt Muir discusses a crypto mining campaign which is only really notable because of the regional provider focus coupled with disabling of monitoring tools.
WatchDog are an opportunistic and prominent threat actor, who are known for routinely carrying out cryptojacking attacks against resources hosted by various Cloud Service Providers.
As is common with this type of attack, the script begins with a number of commands designed to weaken the compromised system and remove monitoring tools.
Moving further down the script, we can see the threat actor has included code to remove monitoring agents native to East Asian Cloud Service Providers. This suggests targeting of these CSPs.
https://www.cadosecurity.com/watchdog-continues-to-target-east-asian-csps/
DUCKTAIL: An infostealer malware targeting Facebook Business accounts
Mohammad Kazem Hassan Nejad discusses a campaign by a Vietnamese threat actor against the business side of Facebook accounts. More evolution by this threat actor than revolution.
Our investigation reveals that the threat actor has been actively developing and distributing malware linked to the DUCKTAIL operation since the latter half of 2021. Evidence suggests that the threat actor may have been active in the cybercriminal space as early as late 2018.
[We] cannot determine the success, or lack thereof, that the threat actor has had in circumventing Facebook's existing security features and hijacking businesses. However, the threat actor has continued to update and push out the malware in an attempt to improve its ability to bypass existing/new Facebook security features alongside other implemented features.
The chain of evidence suggests that the threat actor’s motives are financially driven, similar to the SilentFade campaign that was discovered by Meta .
https://labs.withsecure.com/content/dam/labs/docs/WithSecure_Research_DUCKTAIL.pdf
Nighthawk: An Up-and-Coming Pentest Tool Likely to Gain Threat Actor Notice
Alexander Rausch discusses a commercial C2 framework from the United Kingdom. Indeed, we have seen this framework a few times being used by commercial red teams. We have however not seen it used by criminal or adversarial state threat actors. Either way this post led to some wider industry discussions due to samples being removed from VirusTotal.
Nighthawk is an advanced C2 framework intended for red team operations through commercial licensing.
Proofpoint researchers observed initial use of the framework in September 2022 by a likely red team.
We have seen no indications at this time that leaked versions of Nighthawk are being used by attributed threat actors in the wild.
The tool has a robust list of configurable evasion techniques that are referenced as “opsec” functions throughout its code.
Proofpoint researchers expect Nighthawk will show up in threat actor campaigns as the tool becomes more widely recognized or as threat actors search for new, more capable tools to use against targets.
The vendor issued the following response ‘Nighthawk: With Great Power Comes Great Responsibility’:
https://www.mdsec.co.uk/2022/11/nighthawk-with-great-power-comes-great-responsibility/
In response to the samples being identified, various YARA rules were released:
https://raw.githubusercontent.com/fboldewin/YARA-rules/master/nighthawk.yar
https://github.com/StrangerealIntel/Orion/blob/main/Malware/MAL_Nighthawk_Nov_2022_1.yara
https://github.com/embee-research/Yara/blob/main/Rules/Nighthawk.yar
Aggressive Qakbot Campaign and the Black Basta Ransomware Group Targeting U.S. Companies
The Qakbot campaign is of note due to active deployment of techniques designed to hinder any recovery beyond the initial ransomware deployment. This type of activity is of concern as many recovery playbooks don’t cater for such events.
[We] describe one attack scenario that started from a QBot infection, resulting in multiple key machines loading Cobalt Strike, which finally led to the global deployment of Black Basta ransomware. To make the recovery more difficult, the threat actor also locked the victim out of the network by disabling DNS services. We observed this tactic used on more than one victim.
Widespread QBot campaign targeting U.S.-based companies: Threat actors leveraging the QBot loader cast a large net, targeting mainly U.S.-based companies, and acted quickly on any spear-phishing victims they compromised. In the last two weeks, we observed more than 10 different customers affected by this recent campaign.
Network lockout: Among the many Qakbot infections we identified, two allowed the threat actor to deploy ransomware and then lock the victim out of its network by disabling the victim’s DNS service, making the recovery even more complex.
Black Basta deployment: One particularly fast compromise we observed led to the deployment of Black Basta ransomware. This allowed us to tie a link between threat actors leveraging Qakbot and Black Basta operators.
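The DNS lockout described above deserves its own detection rather than being folded into generic "service stopped" noise, because losing DNS on a domain controller is what stops the victim's own recovery tooling from resolving anything. The following is an added example (not code from the report quoted above) that runs over constructed event lines mirroring Service Control Manager events 7040 (start type changed) and 7036 (service state change) on the System log and 4688 (process creation) on the Security log; the host names and the pipe-separated line format are assumptions for the sample.

```python
"""Flag a DNS-service lockout from Windows System/Security events.

Added example; the events below are constructed, not real telemetry.
"""
import re
from typing import Dict, List

# Display names the DNS role uses in 7036/7040 messages on a DC.
DNS_SERVICE_NAMES = {"dns server", "dns"}

STOP_RE = re.compile(r"^The (?P<svc>.+?) service entered the stopped state\.$")
DISABLE_RE = re.compile(
    r"^The start type of the (?P<svc>.+?) service was changed from .+ to disabled\.$"
)
# Command lines an operator (or attacker) would use to stop/disable DNS.
CMD_RE = re.compile(
    r"(sc(\.exe)?\s+config\s+dns\s+start=\s*disabled"
    r"|net(\.exe)?\s+stop\s+dns\b"
    r"|stop-service\s+(-name\s+)?dns\b"
    r"|set-service\s+.*dns.*disabled)",
    re.IGNORECASE,
)

# Constructed sample: DC01 has DNS disabled then stopped; FS02 is benign noise.
SAMPLE_EVENTS = [
    "Host=DC01|EventID=7036|Message=The Windows Update service entered the stopped state.",
    "Host=DC01|EventID=4688|NewProcessName=C:\\Windows\\System32\\sc.exe"
    "|CommandLine=sc config dns start= disabled",
    "Host=DC01|EventID=7040|Message=The start type of the DNS Server service "
    "was changed from auto start to disabled.",
    "Host=DC01|EventID=7036|Message=The DNS Server service entered the stopped state.",
    "Host=FS02|EventID=7036|Message=The Print Spooler service entered the stopped state.",
]


def dns_lockout_findings(lines: List[str]) -> Dict[str, List[str]]:
    """Per host, the DNS-lockout indicators seen: 'disabled', 'stopped' or 'cmd:<line>'."""
    findings: Dict[str, List[str]] = {}
    for line in lines:
        ev = dict(field.split("=", 1) for field in line.split("|"))
        host, eid = ev["Host"], ev["EventID"]
        indicator = None
        if eid == "7040":
            m = DISABLE_RE.match(ev.get("Message", ""))
            if m and m["svc"].lower() in DNS_SERVICE_NAMES:
                indicator = "disabled"
        elif eid == "7036":
            m = STOP_RE.match(ev.get("Message", ""))
            if m and m["svc"].lower() in DNS_SERVICE_NAMES:
                indicator = "stopped"
        elif eid == "4688":
            if CMD_RE.search(ev.get("CommandLine", "")):
                indicator = "cmd:" + ev["CommandLine"]
        if indicator:
            findings.setdefault(host, []).append(indicator)
    return findings


def lockout_severity(indicators: List[str]) -> str:
    """'critical' when DNS was both stopped and set to disabled (it will not
    come back on reboot, so recovery is blocked), 'high' for a single
    indicator, 'none' otherwise."""
    seen = {i.split(":", 1)[0] for i in indicators}
    if {"stopped", "disabled"} <= seen:
        return "critical"
    return "high" if seen else "none"


if __name__ == "__main__":
    for host, inds in dns_lockout_findings(SAMPLE_EVENTS).items():
        print(host, lockout_severity(inds), inds)
```

Pair the rule with an allow-list for your own change windows; a 7040 to disabled for DNS Server outside a change, on a DC, with a 4688 showing sc.exe or net.exe from a non-admin workstation session, is the shape the report describes.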
Get a Loda This: LodaRAT meets new friends
Chris Neal outlines a campaign where a threat actor is throwing various commodity capabilities together to execute their campaigns. It is somewhat interesting that we have threat actors who will just glue discrete families together to gain the functionality they want, as they lack the development capabilities themselves.
LodaRAT is written in AutoIt, a well known scripting language typically used to automate administrative tasks in Windows. AutoIt scripts can be compiled into standalone binaries, allowing them to be executed on a Windows machine whether or not AutoIt is installed on the host.
LodaRAT samples were deployed alongside other malware families, including RedLine and Neshta.
[We] identified several variants and altered versions of LodaRAT with updated functionality that have been seen in the wild.
Changes in these LodaRAT variants include new functionality allowing proliferation to attached removable storage, a new string encoding algorithm and the removal of “dead” functions
A relatively unknown VenomRAT variant named S500 has been observed deploying LodaRAT.
During our research, we observed a previously undocumented VenomRAT variant named S500 (or S500RAT) dropping LodaRAT. Like VenomRAT, S500 is a .NET commodity malware with Hidden Virtual Network Computing (HVNC) capabilities, which allows the attacker to run hidden desktop environments on infected hosts.
During our research into LodaRAT’s activities, we identified an instance of LodaRAT bundled in a single payload with the RedLine and Neshta malware families. While it’s unclear why the threat actor is deploying LodaRAT alongside a more advanced information-stealer like RedLine, a possible explanation is that LodaRAT is preferred by the attacker for performing a particular function.
https://blog.talosintelligence.com/get-a-loda-this/
WASP Attack on Python — Polymorphic Malware Shipping WASP Stealer; Infecting Hundreds Of Victims
Jossef Harush builds on a previously discussed campaign, using techniques which would likely be illegal in the United Kingdom under the Computer Misuse Act, i.e. getting inside the attacker's "hall of fame". The calamitous operational security of the threat actor, which allowed their Steam account to be identified, is also wonderful.
Our team was able to get inside the attacker’s “hall of fame,” where we could see hundreds of successful infections.
As we continued to track and investigate this malicious user and the malicious packages it was uploading, it was discovered that the attacker was using polymorphic malware (the payload changes with every install), persistence across reboots, steganography to hide code inside packages, and a fake GitHub reputation.
The malware is targeted at stealing all the victim’s Discord accounts, passwords, crypto wallets, credit cards, and other interesting files on the victim’s PC, sending them back to the attacker through a hard-coded Discord webhook address.
MS Office normal URL disguised as a word document that is being distributed
Reporting from South Korea on North Korean operations. The thing of note is the use of template injection (still).
All of the above files are Word documents in OOXML (Office Open XML) format and the template injection function was used for the attack.
Through the properties of some of the collected word documents, it was confirmed that they were indiscriminately produced and distributed over several days at short intervals as shown below.
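Template injection is cheap to detect statically because the document has to declare the remote template as a relationship. The following is an added example (not code from the original post or the South Korean report it quotes) that scans a .docx for an attachedTemplate relationship whose target resolves over the network; the sample documents are constructed in memory so it runs offline, and the URLs in them are hypothetical. It also goes slightly beyond the report: Word writes a locally attached Normal.dotm with TargetMode="External" and a file:/// or drive-letter target, so those are deliberately not flagged, while UNC paths (WebDAV/SMB delivery) are.

```python
"""Flag OOXML (.docx) files that pull a template from the network.

Added example; the .docx samples are constructed here, not real lures.
Template injection points the document's 'attachedTemplate' relationship
(normally in word/_rels/settings.xml.rels) at an external URL, so Word
fetches and runs the remote .dotm when the file opens.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional
from urllib.parse import urlsplit

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)


def find_remote_templates(docx_bytes: bytes) -> List[str]:
    """Return attachedTemplate targets that would be fetched over the network."""
    hits: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue  # relationships only ever live in *.rels parts
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                scheme = urlsplit(target).scheme.lower()
                if scheme == "file" or len(scheme) == 1:
                    continue  # local file:/// or C:\ style path, e.g. Normal.dotm
                if scheme or target.startswith(("\\\\", "//")):
                    hits.append(target)  # http(s), UNC/WebDAV, etc.
    return hits


def build_sample_docx(template_target: Optional[str]) -> bytes:
    """Construct a minimal .docx (sample data). Only the parts the
    detector needs are written; Word would want more, zipfile does not."""
    rel = ""
    if template_target is not None:
        rel = (
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
            f'Target="{template_target}" TargetMode="External"/>'
        )
    settings_rels = f'<Relationships xmlns="{REL_NS}">{rel}</Relationships>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(
            "[Content_Types].xml",
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        )
        z.writestr(
            "word/settings.xml",
            '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
            'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
            '<w:attachedTemplate r:id="rId1"/></w:settings>',
        )
        z.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_sample_docx("http://example.invalid/lure.dotm")
    print(find_remote_templates(lure))
```

Run it against a mail gateway quarantine folder and you get a cheap triage signal; it does not cover .docm macros, OLE objects or templates referenced from other parts, only the attachedTemplate relationship this campaign used.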
Discovery
How we find and understand the latent compromises within our environments.
Brute Ratel C4 Badger analysis and detection
Chinese reporting on detecting Brute Ratel. Interesting that they are actively asking for a copy of the latest version to be sent to them.
Making Cobalt Strike harder for threat actors to abuse
Greg Sinclair helps the community out by providing a comprehensive set of detection rules for Cobalt Strike in Yara form. Greg, if you read this, it is amazing work - thank you - 👏.
https://github.com/chronicle/GCTI/tree/main/YARA/CobaltStrike
Detection notes: In-memory Office application token theft
Interesting first stab at this problem, although the outlined techniques seem rather brittle.
https://www.sumologic.com/blog/threat-labs-detection-notes-office-token-theft/
WonkaVision is a proof of concept
Charlie Clark releases a tool to analyse Kerberos tickets and attempt to determine if they are forged. This is a neat anomaly detection approach for sure - great first principles work.
https://github.com/0xe7/WonkaVision
Uncovering Window Security Events
Jonathan Johnson discusses a new open source project he is working on and in doing so discusses how some aspects of Windows work. Useful for understanding the possible root causes for certain Windows security events by passing them back to the API responsible.
Project created to map functions responsible for triggering events from various telemetry sources.
https://posts.specterops.io/uncovering-window-security-events-ab72e1ec745c
https://github.com/jsecurity101/TelemetrySource
Kerberos Event ID 27
Steve Syfuhs does a good job of showing a) how complex Kerberos really is b) why this event gets generated.
There's been a bunch of questions from folks about Event 27 after the [Windows] 11B changes. The presence of this event is not an indicator of another bug. It is the result of a fix to one of the vulnerabilities in 11B. Let's decode what this is saying.
https://syfuhs.net/kerberos-event-id-27
An End to KASLR Bypasses?
Yarden Shafir outlines a change in Windows 11 which adds a new ETW event. This event may be an indication of a threat actor trying to bypass Kernel ASLR, but also of a wider range of malicious behaviours.
In 23H2 preview builds, Microsoft is introducing a new ETW event, this time aimed at NT APIs that could point at various suspicious behaviours. Windows 11 23H2 adds a new ETW event to the Threat Intelligence channel – THREATINT_PROCESS_SYSCALL_USAGE. This ETW event is generated to indicate that a non-admin process has made an API call to an API + information class that could indicate some unusual (and potentially malicious) activity. This event will be generated for information classes in two APIs:
NtQuerySystemInformation
NtSystemDebugControl
https://windows-internals.com/an-end-to-kaslr-bypasses/
Defence
How we proactively defend our environments.
Comparison table of MOTW propagation support
Nobutaka Mantani provides an update on Mark Of The Web propagation support as of 21 November 2022. Critical to know, as if you use some of the alternate archiving tools your organisation may be exposed.
https://github.com/nmantani/archiver-MOTW-support-comparison/
Azure Arc Custom Script Extension for Windows
Kaido Järvemets outlines some very powerful functionality which will have various defensive use cases but also likely offensive persistence use cases.
In this post, I focus only on the Custom Script Extension for Windows Extension and how to execute the script from different places. I will show how to execute the scripts from:
Azure Blob Storage
Internal File Share
GitHub
https://www.kaidojarvemets.com/azure-arc-custom-script-extension-for-windows/
Vulnerability
Our attack surface.
Tapping into Format Oracles in Email End-to-End Encryption
Fabian Ising, Damian Poddebniak, Tobias Kappert and Christoph Saatjohann outline an interesting if not widely applicable attack. Wonderful research for sure..
S/MIME and OpenPGP use cryptographic constructions repeatedly shown to be vulnerable to format oracle attacks in protocols like TLS, SSH, or IKE. However, format oracle attacks in the End-to-End Encryption (E2EE) email setting are considered impractical as victims would need to open many attacker-modified emails and communicate the decryption result to the attacker. But is this really the case? In this paper, we survey how an attacker may remotely learn the decryption state in email E2EE. We analyze the interplay of MIME and IMAP and describe side-channels emerging from network patterns that leak the decryption status in Mail User Agents (MUAs). Concretely, we introduce specific MIME trees that produce decryption-dependent network patterns when opened in a victim’s email client. We survey 19 OpenPGP- and S/MIME-enabled email clients and four cryptographic libraries and uncover a sidechannel leaking the decryption status of S/MIME messages in one client
https://www.usenix.org/system/files/sec23summer_217-ising-prepub.pdf
ProxyNotRelay - An Exchange Vulnerability Encore
Rich Warren drops the goods and goes for gold by walking through the latest Exchange zero day. The powerful message is the first line below; it is also a reminder that deny lists don't work for input validation..
Do not rely on the mitigations!
In this blog post we will dive into the latest Microsoft Exchange 0-day vulnerability, dubbed #ProxyNotShell, how it relates to other Exchange vulnerabilities and finally demonstrate how ProxyRelay can be combined with ProxyNotShell, even with Extended Protection and IIS rewrite rules enabled.
https://rw.md/2022/11/09/ProxyNotRelay.html
Cisco Secure Manager Appliance jwt_api_impl Hardcoded JWT Secret Elevation of Privilege
How prevalent do we think this class of issue will be across other appliances, containers and virtual machine images? Cisco's 51 billion dollars of revenue still does not appear to be enough to get product security entirely right.
The issue results from the usage of a static secret key to generate JWT tokens.
Offense
Attack capability, techniques and tradecraft.
The Art of Bypassing Kerberoast Detections with Orpheus
Ben Mauch outlines why signature-based detections aren't enough and can be bypassed. Instead he suggests that honey SPN accounts should be used to enable detection.
https://www.trustedsec.com/blog/the-art-of-bypassing-kerberoast-detections-with-orpheus/
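The honey SPN approach in concrete terms, as an added example that is not code from the TrustedSec post: the events below are constructed to mirror the fields of Windows Security event 4769 (Kerberos service ticket requested), and the account names, SPNs and addresses are hypothetical. The point it shows is that a rule keyed on the RC4 encryption type (0x17) is sidestepped by simply requesting AES tickets, whereas any ticket request at all for an account that exists only to be roasted is an alert, whatever the etype.

```python
"""Honey-SPN detection for Kerberoasting, run over constructed 4769 events.

Added example; the events are constructed, not real telemetry.
"""
from typing import Dict, List, Tuple

# In 4769 the ServiceName field is the service account's sAMAccountName,
# not the SPN string, so the honey list holds account names. These
# accounts have plausible SPNs, long random passwords and no real use.
HONEY_ACCOUNTS = {"svc_honey_sql", "svc_honey_web"}
RC4_HMAC = 0x17

# Constructed sample: three TGS requests from one workstation.
SAMPLE_4769 = [
    # ordinary AES ticket for a computer account
    "EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=WEB01$ "
    "TicketEncryptionType=0x12 IpAddress=::ffff:10.0.1.20",
    # classic Kerberoast: RC4 downgrade against a real service account
    "EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_sql "
    "TicketEncryptionType=0x17 IpAddress=::ffff:10.0.1.20",
    # Orpheus-style: AES ticket for the honey account, blends with normal traffic
    "EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_honey_sql "
    "TicketEncryptionType=0x12 IpAddress=::ffff:10.0.1.20",
]


def parse_event(line: str) -> Dict[str, object]:
    """Turn a 'key=value ...' line into a dict, normalising the IPv4-mapped
    address the DC logs and the hex encryption type."""
    ev: Dict[str, object] = dict(tok.split("=", 1) for tok in line.split())
    ip = str(ev.get("IpAddress", ""))
    if ip.startswith("::ffff:"):
        ip = ip[len("::ffff:"):]
    ev["IpAddress"] = ip
    ev["etype"] = int(str(ev.get("TicketEncryptionType", "0")), 16)
    return ev


def rc4_signature(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """The common SIEM rule: any 4769 with RC4 (0x17) encryption."""
    return [e for e in events if e["EventID"] == "4769" and e["etype"] == RC4_HMAC]


def honey_spn_alerts(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Honey rule: any 4769 for a honey account, regardless of etype."""
    return [
        e for e in events
        if e["EventID"] == "4769" and str(e["ServiceName"]).lower() in HONEY_ACCOUNTS
    ]


def roasting_sources(events: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """(requesting user, client IP) pairs to triage from both rules combined."""
    flagged = rc4_signature(events) + honey_spn_alerts(events)
    return sorted({(str(e["TargetUserName"]), str(e["IpAddress"])) for e in flagged})


if __name__ == "__main__":
    evs = [parse_event(line) for line in SAMPLE_4769]
    print("RC4 rule:", [e["ServiceName"] for e in rc4_signature(evs)])
    print("honey rule:", [e["ServiceName"] for e in honey_spn_alerts(evs)])
    print("triage:", roasting_sources(evs))
```

The honey rule only works if nothing legitimate ever touches the account: no scheduled tasks, no admin "testing", no vulnerability scanner configured to enumerate SPNs with authentication, or you will tune the alert out of existence.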
Unwinder
Kurosh Dabbagh Escalante provides a capability which will aid in bypassing some of the techniques Windows EDRs use to detect code injection and similar.
a PoC of how to parse PE's UNWIND_INFO structs in order to achieve "proper" thread stack spoofing from the point of view of the x64 calling convention.
https://github.com/Kudaes/Unwinder
RtlQueueWorkItemLoadLibrary
Rad’s first release this week, around techniques detailed in the Proofpoint post on Nighthawk. Will be useful for those looking to see if they can detect such techniques.
Loads a DLL by queuing a work item (RtlQueueWorkItem) with the address of LoadLibraryW and a pointer to the buffer on Windows
https://github.com/rad9800/misc/blob/main/WorkItemLoadLibrary.c
etw-amsi-llex-patch
Second release from Rad, again useful to detect what signals exist on Windows hosts where it is used.
ETW/AMSI/DLL load patch-less hooks using hardware breakpoints on Windows
https://github.com/rad9800/misc/blob/main/etw-amsi-llex-patch.c
UnregisterAllLdrRegisterDllNotification
Final release from Rad, again useful to detect what signals exist on Windows hosts where it is used.
Unregisters all LdrRegisterDllNotification callbacks by locating the head of the doubly-linked list in the .data section of NTDLL and then walking it and removing each link entry.
https://github.com/rad9800/misc/blob/main/UnregisterAllLdrRegisterDllNotification.c
laZzzy
Meelo provides a capability which will be useful in understanding what signals exist if used by implants.
A shellcode loader that demonstrates different execution techniques commonly employed by malware. laZzzy was developed using different open-source header-only libraries.
https://github.com/capt-meelo/laZzzy
Exploitation
What is being exploited.
Bypassing Intel DCM’s Authentication by Spoofing Kerberos and LDAP Responses (CVE-2022-33942)
Julien Ahrens demonstrates once more that it is the researcher who gets first exposure to a product who gets the glory. This product sounds critical in data centre terms, but there is a barrier to entry for the research community in getting access to it. Proof once more that everything is vulnerable, and it is clear that no one with any capability has looked at this product previously…
Intel’s Data Center Manager Console is a real-time monitoring and management all-in-one console that allows you to manage your entire data centre.
This small series of two blog posts covers an entire vulnerability chain to go from unauthenticated user to full remote code execution against Intel’s Data Center Manager (up to version 4.1.1.45749). All described issues were found purely based on a source code review of the decompiled application.
The chain’s first vulnerability bypasses DCM’s entire authentication process if the application is configured to allow authentication from Active Directory groups with publicly known SIDs. Since Intel’s DCM only relies on the SID and there’s no validation of the given active directory service, it is trivially easy to force the application to communicate with an arbitrary Kerberos/LDAP server. The arbitrary server then answers the authentication requests from Intel’s DCM by simply returning a successful authentication, including a known/matching SID. This ultimately allows authenticating using any user with any password and any Active Directory domain.
Tooling and Techniques
Low level tooling for attack and defence researchers.
A Virtual FIDO2 USB Device
This is going to be super useful to vulnerability researchers.
Virtual FIDO is a virtual USB device that implements the FIDO2/U2F protocol (like a YubiKey) to support 2FA and WebAuthN.
Support for both Windows and Linux through USB/IP (Mac support coming later)
Connect using both U2F and FIDO2 protocols for both normal 2FA and WebAuthN
Store credentials in an encrypted format with a passphrase
Store credential data anywhere (example provided: a local file)
Generic approval mechanism for credential creation and login (example provided: terminal-based)
https://github.com/bulwarkid/virtual-fido
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Meta Quarterly Adversarial Threat Report - including where they identified a US Government operation
Department of Defense Releases Zero Trust Strategy and Roadmap
Infrastructure Resilience Planning Framework (IRPF) - v1.1 - November 2022 - from CISA
Threat actor deep dives
Investigating the impact of DDoS attacks on DNS infrastructure
Training videos
Advances in Digital Forensics through Artificial Intelligence - Journal call for papers
Finally you get Bletchley Park Mathematicians and National Security - a legitimately interesting chat held at Wadham College Oxford this week.
That’s all folks.. until next week..