Bluepurple Pulse: week ending October 2nd
Only one Stock Exchange mail server was disclosed as being breached this week..
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week the bow wave was a new attack campaign using a 0-day RCE vulnerability in Microsoft Exchange Server, which was disclosed late Thursday. There has been some excellent first-party and second-party reporting on the vulnerabilities and the aftermath. Outside of that you will see below that the breadth and depth of campaigns is very real..
At the high level this week:
Lindy Cameron discussed the cyber dimension of the Russia-Ukraine conflict - a takeaway is that one doesn’t just create a National Cyber Security Centre in isolation - the blended capability of Government is critical.
‘Patriotic Hacking’ Is No Exception - a mix of ‘opinion piece’ and ‘framework for analysing how patriotic hacking fits with various normative guidelines in cyber’, based around the Ukrainian IT Army and what they have been up to.
Energy, Finance and Telecoms Corporations Test Their Cyber Mettle - an interesting US case study of private sector self-organisation, with what is apparently the first tri-industry exercise around cyber defence. The bar has been raised..
The US FCC’s Communications Security, Reliability, and Interoperability Council VIII - specifically it included a report on security vulnerabilities in HTTP/2 and a report on recommended best practices to improve communications supply chain security. What fascinates me is that a high-level regulator goes down to protocol-level vulnerabilities in 2022, what a time to be alive!
Taiwanese citizens prepare for possible cyber war - training people in open source intelligence and similar funded by a patriotic tech tycoon.
Chinese university’s ‘metaverse engineering’ major draws scepticism amid fading enthusiasm for the concept - it feels like we are at the point in the hype cycle where humans wobble - China’s long-term strategic view on matters should be noted.
Downrange: A Survey of China’s Cyber Ranges - China is rapidly building cyber ranges that allow cybersecurity teams to test new tools, practice attack and defense, and evaluate the cybersecurity of a particular product or service - another example of learning from Western approaches and then doing it bigger / better.
Portman, Peters Introduce Bipartisan Legislation to Help Secure Open Source Software in the USA - some more big swings in the senate.
The Russian hacker, arrested in Bansko, asked to be extradited to the USA
Various governments issue warnings about increased risk from cyber attacks due to the Russia/Ukraine conflict:
Ukraine - The occupiers are preparing massive cyberattacks on the critical infrastructure of Ukraine and its allies
Finland - The threat of intelligence gathering and influence operations to Finland’s critical infrastructure has increased in both the physical and cyber environments as a result of the Russian war of aggression and Finland’s NATO accession process
Norway - NSM encourages Norwegian businesses, particularly within the oil and gas sector, and other critical societal actors to exercise increased vigilance
National Cyber Power Index 2022 - UK is #4 overtaken by Russia this year - when you go full cyber you move up the league table apparently.
Quad Foreign Ministers’ Statement on Ransomware - statement of intent from Australia, India, Japan and the United States.
My reflections this week come from my continued Sino studies and the book The Long Game: China's Grand Strategy to Displace American Order (Bridging the Gap). I have to say it has been a bit of an existential moment in my understanding of China, international relations and their approach. When I look at how we operate in the West it does feel we are somewhat disadvantaged due to aspects of our systems of government which reflect our principles. Not that we should compromise, but enduring multi-decade strategic moves are not something we are renowned for.
Anyway, the revelation is the concept of “blunting”. I can summarise it as an asymmetric technique where you become an absolute pain in forums by being contrary and the like, instead of idly watching, not engaging or denouncing. In short, get involved and bring the chaos.
A better summary comes from the abstract of Chapter 5.
Chapter 5 considers the political and multilateral components of China’s grand strategy to blunt American power in Asia. It demonstrates that the “traumatic trifecta” at the end of the Cold War led China to reverse its previous opposition to joining regional institutions. Beijing feared Asian regional forums might be used by Washington to build liberal regional order or even an Asian NATO, so China joined them to blunt American power. It stalled institutionalization in regional organizations that included the United States; wielded institutional rules to constrain US freedom of manoeuvre; and hoped its own participation would reassure wary neighbours otherwise tempted to join a US-led balancing coalition. China also worked with Russia to erect regional institutions in Central Asia to guard against US influence within the region.
Anyway every day is a school day as they say..
Have a lovely Friday
Cyber threat intelligence
Who is doing what to whom and how.
In the footsteps of the Fancy Bear: PowerPoint mouse-over event abused to deliver Graphite implants
Russia ran a campaign at the start of year leveraging a feature/bug/vulnerability that has since been patched.
This is a threat group attributed to Russia’s Main Intelligence Directorate of the Russian General Staff by a July 2018 U.S. Department of Justice indictment. The lure document is a PowerPoint file that exploits a code execution technique, which is designed to be triggered when the user starts the presentation mode and moves the mouse. The code execution runs a PowerShell script that downloads and executes a dropper from OneDrive. The latter downloads a payload that extracts and injects in itself a new PE (Portable Executable) file, that the analysis showed to be a variant of a malware family known as Graphite, that uses the Microsoft Graph API and OneDrive for C&C communications.
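The mouse-over trigger described above is stored in the deck's OOXML: PowerPoint records an Action Settings "Run program" entry as an a:hlinkMouseOver (or a:hlinkClick) element with action="ppaction://program", and the command line is the external Target of the relationship its r:id references. The checker below is an added example, not code from the quoted report or this newsletter; it builds a constructed .pptx with a placeholder command and flags any shape whose action launches a program.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

# OOXML namespaces used by PresentationML slide parts and package relationships.
A_NS = "http://schemas.openxmlformats.org/drawingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
P_NS = "http://schemas.openxmlformats.org/presentationml/2006/main"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
HYPERLINK_TYPE = R_NS + "/hyperlink"

# A "Run program" action is a hyperlink element carrying this action value; the
# command line itself is the external Target of the relationship r:id points at.
RUN_PROGRAM = "ppaction://program"
TRIGGERS = ("hlinkMouseOver", "hlinkClick")  # mouse-over is the Graphite lure case


def find_program_actions(pptx_bytes):
    """Return (slide part, trigger element, command) for every hyperlink action
    in the deck that launches a program, resolving r:id via the slide's .rels."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as z:
        names = set(z.namelist())
        for name in sorted(names):
            if not (name.startswith("ppt/slides/slide") and name.endswith(".xml")):
                continue
            rels_name = name.replace("ppt/slides/", "ppt/slides/_rels/") + ".rels"
            targets = {}
            if rels_name in names:
                for rel in ET.fromstring(z.read(rels_name)):
                    if rel.get("TargetMode") == "External":
                        targets[rel.get("Id")] = rel.get("Target")
            root = ET.fromstring(z.read(name))
            for trigger in TRIGGERS:
                for el in root.iter("{%s}%s" % (A_NS, trigger)):
                    if el.get("action") != RUN_PROGRAM:
                        continue  # ordinary URL hyperlinks and slide jumps are fine
                    cmd = targets.get(el.get("{%s}id" % R_NS), "<unresolved r:id>")
                    findings.append((name, trigger, cmd))
    return findings


def build_sample_pptx(command=None):
    """Constructed test deck (not a real-world sample): one slide with a shape
    carrying a benign click hyperlink and, if command is given, a mouse-over
    'Run program' action whose relationship target is that command."""
    mouse_over = program_rel = ""
    if command is not None:
        mouse_over = '<a:hlinkMouseOver r:id="rId3" action="%s"/>' % RUN_PROGRAM
        program_rel = ('<Relationship Id="rId3" Type="%s" Target=%s '
                       'TargetMode="External"/>' % (HYPERLINK_TYPE, quoteattr(command)))
    slide = (
        '<p:sld xmlns:a="%s" xmlns:r="%s" xmlns:p="%s"><p:cSld><p:spTree>'
        '<p:sp><p:nvSpPr><p:cNvPr id="2" name="Box">'
        '<a:hlinkClick r:id="rId2"/>%s</p:cNvPr></p:nvSpPr></p:sp>'
        '</p:spTree></p:cSld></p:sld>' % (A_NS, R_NS, P_NS, mouse_over)
    )
    rels = (
        '<Relationships xmlns="%s"><Relationship Id="rId2" Type="%s" '
        'Target="https://example.invalid/" TargetMode="External"/>%s'
        '</Relationships>' % (REL_NS, HYPERLINK_TYPE, program_rel)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/slides/slide1.xml", slide)
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder command string; a real lure would carry the launcher here.
    deck = build_sample_pptx("CONSTRUCTED_PLACEHOLDER_LAUNCHER.cmd")
    for part, trigger, cmd in find_program_actions(deck):
        print("%s: %s runs a program -> %s" % (part, trigger, cmd))
```

Point it at a real deck with `find_program_actions(open(path, "rb").read())`; a clean presentation returns an empty list, and every hit names the slide part and the exact command the action would run.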
Doppelganger - Media clones serving Russian propaganda
Alexandre Alaphilippe, Gary Machado, Raquel Miguel and Francesco Poldi out an at-scale information operation.
Today, EU DisinfoLab exposes a Russia-based influence operation network that has been operating in Europe since at least May 2022 and is still ongoing. Doppelganger, the name we gave to this campaign, uses multiple “clones” of authentic media (at least 17 media providers, including, Bild, 20minutes, Ansa, The Guardian or RBC Ukraine) and targets users with fake articles, videos and polls. To do so, the malicious actors behind it bought dozens of Internet domain names similar to the ones of authentic media and copied their designs.
Removing Coordinated Inauthentic Behavior From China and Russia
Ben Nimmo and David Agranovich again out a not-so-tiny operation run on behalf of these two states. If you wondered if there was an enduring unpeace in the information space as well as the cyber space then I think it is safe to say yes there is.
We took down two unconnected networks in China and Russia for violating our policy against coordinated inauthentic behavior.
The Chinese-origin influence operation ran across multiple social media platforms, and was the first one to target US domestic politics ahead of the 2022 midterms and Czechia’s foreign policy toward China and Ukraine.
The Russian network — the largest of its kind we’ve disrupted since the war in Ukraine began — targeted primarily Germany, France, Italy, Ukraine and the UK with narratives focused on the war and its impact through a sprawling network of over 60 websites impersonating legitimate news organizations.
Solarmarker: May 2022 Updates on Persistence
Just unpack what is going on here before looking at the new persistence technique. Look at all of those combined techniques; this group knows what they are doing..
Solarmarker malware is downloaded by victims by accidental web downloads. The actor behind Solarmarker has used SEO Poisoning in order to trick users into downloading the malware. The malware is usually signed with a valid Authenticode certificate and is 260MB in size. The large size prevents some detection engines from scanning it and prevents upload to most sandboxes.
BGP Hijacking in the real world
I think these two reads are fascinating. Firstly, real world BGP attacks are always fun (Mudge/the L0pht told us it was possible in 1998). Secondly, just let it sink in that it is being used to steal money.
On August 17, 2022, Celer Network Bridge dapp users were targeted in a front-end hijacking attack which lasted approximately 3 hours and resulted in 32 impacted victims and $235,000 USD in losses. The attack was the result of a Border Gateway Protocol (BGP) attack
A glimpse into the shadowy realm of a Chinese APT: detailed analysis of a ShadowPad intrusion
William Backhouse, Michael Mullen and Nikolaos Pantazopoulos from NCC Group detail a Chinese intrusion we dealt with a few weeks back.
Initial access via CVE-2022-29464.
Successive backdoors installed – PoisonIvy, a previously undocumented backdoor and finally ShadowPad.
Establishing persistence via Windows Services to execute legitimate binaries which sideloads backdoors, including ShadowPad.
Use of information gathering tools such as ADFind and PowerView.
Lateral movement leveraging RDP and ShadowPad.
Use of 7zip for data collection.
ShadowPad used for Command and Control.
Exfiltration of data.
Lazarus ‘Operation In(ter)ception’ Targets macOS Users Dreaming of Jobs in Crypto
Dinesh Devadoss and Phil Stokes provide an update on macOS targeting by North Korea. The tradecraft crossover between Windows and macOS is of note, as is the fact that more macOS targeting by our favourite Hermit Kingdom is happening.
While those campaigns distributed Windows malware, macOS malware has been discovered using a similar tactic. Decoy PDF documents advertising positions on crypto exchange platform Coinbase were discovered by our friends in August 2022, with indications that the campaign dated back at least a year. Last week, [we] observed variants of the malware using new lures for vacancies at Crypto.com.
ZINC weaponizing open-source software
More Lazarus reporting building on the previous note on the use of PuTTY. The blended use of social engineering and weaponized open source with gifts is quickly becoming a trademark.
Beginning in June 2022, ZINC employed traditional social engineering tactics by initially connecting with individuals on LinkedIn to establish a level of trust with their targets. Upon successful connection, ZINC encouraged continued communication over WhatsApp, which acted as the means of delivery for their malicious payloads.
MSTIC observed ZINC weaponizing a wide range of open-source software including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and muPDF/Subliminal Recording software installer for these attacks. ZINC was observed attempting to move laterally and exfiltrate collected information from victim networks. The actors have successfully compromised numerous organizations since June 2022.
Detecting STEEP#MAVERICK: New Covert Attack Campaign Targeting Military Contractors
D. Iuzvyk, T. Peck and O. Kolesnikov out a campaign; basic capability thrown at an interesting target is the real note here.
[We] recently discovered a new covert attack campaign targeting multiple military/weapons contractor companies, including likely a strategic supplier to the F-35 Lightning II fighter aircraft. The stager mostly employed the use of PowerShell and while stagers written in PowerShell are not unique, the procedures involved featured an array of interesting tactics, persistence methodology, counter-forensics and layers upon layers of obfuscation to hide its code.
Credential Phishing Targeting US Government Contractors Evolves Over Time
Credential phishing campaign against some of the US supply chain.
The campaigns targeted companies across a variety of sectors but focused most heavily on the energy and professional services sectors, including construction companies. The attackers likely targeted companies which could credibly receive invitations to bid from the relevant government department. The emails spoofed the U.S. Departments of Labor, Commerce, or Transportation.
More Than Meets the Eye: Exposing a Polyglot File That Delivers IcedID
Mark Lim details a case of a very real attempt to evade endpoint detection. Shows organised crime read the Internet and learn from the wider community, if indeed there was any doubt.
[We] recently observed a polyglot Microsoft Compiled HTML Help (CHM) file being employed in the infection process used by the information stealer IcedID. We will show how to analyze the polyglot CHM file and the final payload so you can understand how the sample evades detection.
Prilex: Brazilian Point of Sale malware evolution
So a family of Point of Sale malware that has been under active development for 6 years. Puts a different spin on Advanced Persistent Threat…
Prilex is a Brazilian threat actor that has evolved out of ATM-focused malware into modular point-of-sale malware. The group was behind one of the largest attacks on ATMs in the country, infecting and jackpotting more than 1,000 machines, while also cloning in excess of 28,000 credit cards that were used in these ATMs before the big heist.
Their first PoS malware was spotted in the wild in October 2016. The first two samples had 2010/2011 as the compilation date, as shown on the graph below. However, we believe that invalid compilation dates were set due to incorrect system date and time settings. In later versions, the timestamps corresponded to the times when the samples were discovered. We also noticed that in the 2022 branch, the developers started using Subversion as the version control system.
Poseidon’s Offspring: Charybdis and Scylla
Ad fraud is a big business and this is but one example. They use apps to drive the advertising SDKs in inauthentic ways to derive ad revenue..
[We] discovered an operation we’re calling Scylla (pronounced SILL-uh). It’s the third wave of an attack we first reported in August 2019; the second wave, which we’re calling Charybdis (pronounced kuh-RIB-diss), cropped up in late 2020.
The attacks target a number of advertising SDKs within apps available via both Google’s Play Store and Apple’s App Store.
Apps associated with the Scylla operation have been downloaded 13+ million times.
The Scylla operation featured 75+ Android apps and 10+ iOS apps committing several flavors of ad fraud. These apps generated 13+ million downloads in total before they were taken down.
New campaign uses government, union-themed lures to deliver Cobalt Strike beacons
Chetan Raghuprasad and Vanja Svajcer outline a campaign using vulnerabilities from 2017… 2017 people!
[We] discovered a malicious campaign in August 2022 delivering Cobalt Strike beacons that could be used in later, follow-on attacks.
Lure themes in the phishing documents in this campaign are related to the job details of a government organization in the United States and a trade union in New Zealand.
The attack involves a multistage and modular infection chain with fileless, malicious scripts.
The initial vector of this attack is a phishing email with a malicious Microsoft Word document attachment containing an exploit that attempts to exploit the vulnerability CVE-2017-0199, a remote code execution issue in Microsoft Office. If a victim opens the maldoc, it downloads a malicious Word document template hosted on an attacker-controlled Bitbucket repository.
APT41 and Recent Activity - September 2022
US Department of Health and Human Services provide a summary of activity by this Chinese threat actor with a focus on the health care sector. Interestingly they provide context on why health care is targeted and on the Chinese year planning cycles..
Agent Tesla RAT Delivered by Quantum Builder With New TTPs
Niraj Shivtarkar discusses an evolution in criminal activity - again shows they (cyber criminal groups) can both read and errr weaponize..
User Account Control Bypass using the Microsoft Connection Manager Profile Installer (CMSTP) binary in order to execute the final payload with administrative privileges, and to perform Windows Defender Exclusions
Utilizing a Multi-Staged Infection Chain integrating various attack vectors involving LOLBins
Execution of PowerShell scripts in-memory in order to evade detection
Execution of decoys in order to distract the victims post-infection.
Beware of Konni hacking threat disguised as cryptocurrency business alliance issue
More North Korean crypto currency related activity with an opsec mistake. The actual tradecraft is basic..
The malicious file found this time was circulated as a Word document with the file name 'Coinone_Bit monopolized system in partnership with Cabin [Weekly Coin Review] - The Economist', and the file name and contents cited material actually published on September 3.
It seems that the user with the name 'TigerHunter' finally saved it on September 25, 2022 at 21:53 (UTC), and using the 'Remote Template Injection' technique, the attacker connects to a remote host and downloads a dotm file, a document template file containing layouts, settings and macros, to the user's system.
Bad VIB(E)s: Investigating Novel Malware Persistence Within ESXi Hypervisors
Alexander Marvi, Jeremy Koppen, Tufail Ahmed and Jonathan Lepore outline a relatively sophisticated campaign which allowed a threat actor to exist under the hypervisor.
Earlier this year, [we] identified a novel malware ecosystem impacting VMware ESXi, Linux vCenter servers, and Windows virtual machines that enables a threat actor to take the following actions:
Maintain persistent administrative access to the hypervisor
Send commands to the hypervisor that will be routed to the guest VM for execution
Transfer files between the ESXi hypervisor and guest machines running beneath it
Tamper with logging services on the hypervisor
Execute arbitrary commands from one guest VM to another guest VM running on the same hypervisor
Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East
I am going to just say two words here… Stock Exchange …
The Witchetty espionage group (aka LookingFrog) has been progressively updating its toolset, using new malware in attacks on targets in the Middle East and Africa. Among the new tools being used by the group is a backdoor Trojan (Backdoor.Stegmap) that employs steganography, a rarely seen technique where malicious code is hidden within an image.
In attacks between February and September 2022, Witchetty targeted the governments of two Middle Eastern countries and the stock exchange of an African nation. The attackers exploited the ProxyShell (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) and ProxyLogon (CVE-2021-26855 and CVE-2021-27065) vulnerabilities to install web shells on public-facing servers before stealing credentials, moving laterally across networks, and installing malware on other computers.
How we find and understand the latent compromises within our environments.
Tracking BlackTech Infrastructure
Opsec upends this threat actor - a nice walk-through in terms of tradecraft.
BlackTech has built a reputation relying on (much to the delight of defenders) tech-themed domains and predictable registration patterns. Recent reporting linking malicious domains to the actor suggests these patterns may be fading, at least for the time being signifying a departure from the previous infrastructure configuration.
Failure to redact email addresses within WHOIS records (mitsumori.gb@gmail[.]com, wufi2011@gmail[.]com, siraiya128@gmail[.]com, senotice@gmail[.]com) leads to dozens more domains likely linked to the actor(s).
BlackTech prefers dynamic DNS services, with most of the domains’ registrars being GoDaddy, paired with domaincontrol[.]com name servers (NS).
Domain naming conventions centered around technology/target (recent intrusion reporting shows this pattern may change).
Configuration Extraction with YARA
This is really neat. By using console.log in YARA rules you can build implant config extractors.
Detecting the Manjusaka C2 framework
A good practical walk-through of the methodology of building detections for a C2 framework, applied to a worked example.
Detecting Mimikatz with Busylight
Balazs Bucsay from NCC Group released this great research after we kicked the idea around.
As detailed, the PoC driver was implemented as UMDF 2, which means it can only be used on Windows 8.1 or newer. Support for older operating systems could be added by porting the driver to UMDF 1, for example.
The detection of this PoC was tested against several publicly available mimikatz versions. (Un)fortunately Metasploit’s and Cobalt Strike’s mimikatz binaries were not compiled with the busylight module, therefore detection this way was not possible.
Original version of Mimikatz since 8th of October 2015 (Detected)
Original compiled into DLL (Detected)
Original compiled into PowerShell (Invoke-Mimikatz) (Detected)
PowerSploit – Invoke-Mimikatz (Detected)
CrackMapExec – Invoke-Mimikatz (Detected)
Metasploit kiwi module (NOT Detected)
Cobalt Strike (NOT Detected)
Pypykatz (NOT Detected)
How we proactively defend our environments.
SMB authentication rate limiter now on by default in Windows Insider
Ned Pyle shows that adding a little friction to a user journey adds a lot of cost to an attacker.
With the release of Windows 11 Insider Preview Build 25206 Dev Channel today, the SMB server service now defaults to a 2-second default between each failed inbound NTLM authentication. This means if an attacker previously sent 300 brute force attempts per second from a client for 5 minutes (90,000 passwords), the same number of attempts would now take 50 hours at a minimum.
Forensic artefacts in Office 365 and where to find them
Emily Parrish provides the new go-to reference.
Announcing public preview of SSO and passwordless authentication for Azure Virtual Desktop
David Belanger shows the death of the password will be in our lifetime thanks to FIDO2.
Today we’re announcing the public preview for enabling an Azure AD-based single sign-on experience and support for passwordless authentication, using Windows Hello and security devices (like FIDO2 keys). With this preview, you can now:
Enable a single sign-on experience to Azure AD-joined and Hybrid Azure AD-joined session hosts when using the Windows and the web clients
Use passwordless authentication to sign in to the host using Azure AD
Use passwordless authentication inside the session when using the Windows client
Use third-party Identity Providers (IdP) that integrate with Azure AD to sign in to the host
Our attack surface.
Microsoft Releases Out-of-Band Security Update for Microsoft Endpoint Configuration Manager
A spoofing vulnerability..
Layer 2 network security bypass using VLAN 0, LLC/SNAP headers and invalid length
Showing low level network tradecraft still has value in a virtualised world..
Microsoft Hyper-V / OpenStack / LXD:
Microsoft Hyper-V: CVE-2021-28444 / CVE-2022-21905
Attack capability, techniques and tradecraft.
EvilGoPhish adds SMS campaign support via Twilio
Yes really.. Although Twilio should be able to choke point and disrupt.
Cronos: PoC for a new sleep obfuscation technique leveraging waitable timers to evade memory scanners
Ido Veltzman releases the pain for EDR..
PoC for a new sleep obfuscation technique (based on Ekko) leveraging waitable timers to RC4 encrypt the current process and change the permissions from RW to RX to evade memory scanners.
Freeze: Freeze is a payload toolkit for bypassing EDRs
More EDR pain
Freeze is a payload creation tool used for circumventing EDR security controls to execute shellcode in a stealthy manner. Freeze utilizes multiple techniques to not only remove Userland EDR hooks, but to also execute shellcode in such a way that it circumvents other endpoint monitoring controls.
What is being exploited.
RCE in Sophos Firewall (CVE-2022-3236)
Oooof.. but thankfully the vendor gets the telemetry so they know..
Sophos has observed this vulnerability being used to target a small set of specific organizations, primarily in the South Asia region
FARGO Ransomware (Mallox) Being Distributed to Vulnerable MS-SQL Servers
Secure them database servers..
[We] recently discovered the distribution of FARGO ransomware that is targeting unsecured MS-SQL servers. Along with GlobeImposter, FARGO is one of the prominent ransomware that targets unsecured MS-SQL servers. In the past, it was also called the Mallox because it used the file extension .mallox.
Atlassian Confluence Vulnerability CVE-2022-26134 Abused For Cryptocurrency Mining, Other Malware
Sunil Bharti shows that cryptominers have been quick with this one..
We observed the active exploitation of CVE-2022-26134, an unauthenticated remote code execution (RCE) vulnerability with a critical rating of 9.8 in the collaboration tool Atlassian Confluence. The gap is being abused for malicious cryptocurrency mining
Tooling and Techniques
Low level tooling for attack and defence researchers.
Quokka: A Fast and Accurate Binary Exporter
Very good …
Quarkslab is open-sourcing Quokka, a binary exporter to manipulate a program's disassembly without a disassembler. This blog post introduces the project, details some parts of its inner workings, and showcases some potential usages. Quokka enables users to write complex analyses on a disassembled binary without dealing with the disassembler API.
YARI: A New Era of YARA Debugging
Matej Kašťák provides some practical tradecraft..
Some other small (and not so small) bits and bobs which might be of interest.
Communication in a world of pervasive surveillance - PhD thesis which outlines counter-strategies against pervasive surveillance architecture.
On the Road to Designing Responsible AI Systems in Military Cyber Operations - from June, but some interesting considerations.
Trusted Threat Intelligence Sharing in Practice and Performance Benchmarking through the Hyperledger Fabric Platform - a system no one will ever build but interesting.
1 Key for 1 Lock: The Chinese Communist Party’s Strategy for Targeted Propaganda - more information operations..
That’s all folks.. until next week..