Cyber Defence Analysis for Blue & Purple Teams


Bluepurple Pulse: week ending October 2nd

bluepurple.binaryfirefly.com


Only one Stock Exchange mail server was disclosed as being breached this week..

Ollie
Sep 30, 2022

Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.

Operationally this week, the bow wave was the new attack campaign using a new 0-day RCE vulnerability in Microsoft Exchange Server, which was shared late Thursday. There has been some excellent first-party and second-party reporting on the vulnerabilities and the aftermath. Outside of that you will see below that the breadth and depth of campaigns is very real..

In the high-level this week:

  • Lindy Cameron discussed the cyber dimension of the Russia-Ukraine conflict - a takeaway is that one doesn’t just create a National Cyber Security Centre in isolation - the blended capability of Government is critical.

  • ‘Patriotic Hacking’ Is No Exception - a mix of ‘opinion piece’ and ‘framework for analysing how patriotic hacking fits with various normative guidelines in cyber’, based around the Ukrainian IT Army and what they have been up to.

  • Energy, Finance and Telecoms Corporations Test Their Cyber Mettle - an interesting US case study of private-sector self-organisation, with apparently the first tri-industry exercise around cyber defence. The bar has been raised..

  • The US FCC’s Communications Security, Reliability, and Interoperability Council VIII - specifically, it included a report on security vulnerabilities in HTTP/2 and a report on recommended best practices to improve communications supply chain security. What fascinates me is that a high-level regulator goes down to protocol-level vulnerabilities in 2022; what a time to be alive!

  • Taiwanese citizens prepare for possible cyber war - training people in open source intelligence and similar funded by a patriotic tech tycoon.

  • Chinese university’s ‘metaverse engineering’ major draws scepticism amid fading enthusiasm for the concept - it feels we are at the point in the hype cycle where humans wobble - China’s long-term strategic view on such matters should be noted.

  • Downrange: A Survey of China’s Cyber Ranges - China is rapidly building cyber ranges that allow cybersecurity teams to test new tools, practice attack and defense, and evaluate the cybersecurity of a particular product or service - another example of learning from Western approaches and then doing it bigger / better.

  • Portman, Peters Introduce Bipartisan Legislation to Help Secure Open Source Software in the USA - some more big swings in the senate.

  • The Russian hacker, arrested in Bansko, asked to be extradited to the USA -

  • Various governments issue warnings about increased risk from cyber attacks due to the Russia/Ukraine conflict:

    • Ukraine - The occupiers are preparing massive cyberattacks on the critical infrastructure of Ukraine and its allies

    • Finland - The threat of intelligence gathering and influence operations to Finland’s critical infrastructure has increased in both the physical and cyber environments as a result of the Russian war of aggression and Finland’s NATO accession process

    • Norway - NSM encourages Norwegian businesses, particularly within the oil and gas sector, and other critical societal actors to exercise increased vigilance

  • National Cyber Power Index 2022 - UK is #4 overtaken by Russia this year - when you go full cyber you move up the league table apparently.

  • Quad Foreign Ministers’ Statement on Ransomware - a statement of intent from Australia, India, Japan and the United States.

My reflections this week come from my continued Sino studies and the book The Long Game: China's Grand Strategy to Displace American Order (Bridging the Gap). I have to say it has been a bit of an existential moment in my understanding of China, international relations and their approach. When I look at how we operate in the West it does feel we are somewhat disadvantaged due to aspects of our systems of government which reflect our principles. Not that we should compromise, but enduring, multi-decade strategic moves are not something we are renowned for.

Anyway, the revelation is the concept of “blunting”. I can summarise it as an asymmetric technique where you become an absolute pain in forums by being contrary and similar, instead of idly watching, not engaging, or denouncing. In short: get involved and bring the chaos.

A better summary comes in from the abstract of Chapter 5.

Chapter 5 considers the political and multilateral components of China’s grand strategy to blunt American power in Asia. It demonstrates that the “traumatic trifecta” at the end of the Cold War led China to reverse its previous opposition to joining regional institutions. Beijing feared Asian regional forums might be used by Washington to build liberal regional order or even an Asian NATO, so China joined them to blunt American power. It stalled institutionalization in regional organizations that included the United States; wielded institutional rules to constrain US freedom of manoeuvre; and hoped its own participation would reassure wary neighbours otherwise tempted to join a US-led balancing coalition. China also worked with Russia to erect regional institutions in Central Asia to guard against US influence within the region.

Anyway every day is a school day as they say..


Have a lovely Friday

Ollie

Cyber threat intelligence

Who is doing what to whom and how.

In the footsteps of the Fancy Bear: PowerPoint mouse-over event abused to deliver Graphite implants

Russia ran a campaign at the start of the year leveraging a feature/bug/vulnerability that has since been patched.

This is a threat group attributed to Russia’s Main Intelligence Directorate of the Russian General Staff by a July 2018 U.S. Department of Justice indictment. The lure document is a PowerPoint file that exploits a code execution technique, which is designed to be triggered when the user starts the presentation mode and moves the mouse. The code execution runs a PowerShell script that downloads and executes a dropper from OneDrive. The latter downloads a payload that extracts and injects in itself a new PE (Portable Executable) file, that the analysis showed to be a variant of a malware family known as Graphite, that uses the Microsoft Graph API and OneDrive for C&C communications.

https://blog.cluster25.duskrise.com/2022/09/23/in-the-footsteps-of-the-fancy-bear-powerpoint-graphite/

Doppelganger - Media clones serving Russian propaganda

Alexandre Alaphilippe, Gary Machado, Raquel Miguel and Francesco Poldi out an at-scale information operation.

Today, EU DisinfoLab exposes a Russia-based influence operation network that has been operating in Europe since at least May 2022 and is still ongoing. Doppelganger, the name we gave to this campaign, uses multiple “clones” of authentic media (at least 17 media providers, including, Bild, 20minutes, Ansa, The Guardian or RBC Ukraine) and targets users with fake articles, videos and polls. To do so, the malicious actors behind it bought dozens of Internet domain names similar to the ones of authentic media and copied their designs.

https://www.disinfo.eu/doppelganger

Removing Coordinated Inauthentic Behavior From China and Russia

Ben Nimmo and David Agranovich again out a not-so-small operation on behalf of these two states. If you wondered whether there is an enduring unpeace in the information space as well as the cyber space, then I think it is safe to say there is.

  • We took down two unconnected networks in China and Russia for violating our policy against coordinated inauthentic behavior.

  • The Chinese-origin influence operation ran across multiple social media platforms, and was the first one to target US domestic politics ahead of the 2022 midterms and Czechia’s foreign policy toward China and Ukraine.

  • The Russian network — the largest of its kind we’ve disrupted since the war in Ukraine began — targeted primarily Germany, France, Italy, Ukraine and the UK with narratives focused on the war and its impact through a sprawling network of over 60 websites impersonating legitimate news organizations.

https://about.fb.com/news/2022/09/removing-coordinated-inauthentic-behavior-from-china-and-russia/

Solarmarker: May 2022 Updates on Persistence

Just unpack what is going on here before looking at the new persistence technique. Look at all of those combined techniques; this group knows what they are doing..

Solarmarker malware is downloaded by victims by accidental web downloads. The actor behind Solarmarker has used SEO Poisoning in order to trick users into downloading the malware. The malware is usually signed with a valid Authenticode certificate and is 260MB in size. The large size prevents some detection engines from scanning it and prevents upload to most sandboxes.

https://squiblydoo.blog/2022/05/26/solarmarker-may-2022-persistence/

BGP Hijacking in the real world

I think these two reads are fascinating. Firstly, real-world BGP attacks are always fun (Mudge/the L0pht told us it was possible in 1998). Secondly, just let it sink in that it is being used to steal money.

On August 17, 2022, Celer Network Bridge dapp users were targeted in a front-end hijacking attack which lasted approximately 3 hours and resulted in 32 impacted victims and $235,000 USD in losses. The attack was the result of a Border Gateway Protocol (BGP) attack.

https://www.coinbase.com/blog/celer-bridge-incident-analysis

https://www.kentik.com/blog/bgp-hijacks-targeting-cryptocurrency-services/

A glimpse into the shadowy realm of a Chinese APT: detailed analysis of a ShadowPad intrusion

William Backhouse, Michael Mullen and Nikolaos Pantazopoulos from NCC Group detail a Chinese intrusion we dealt with a few weeks back.

  • Initial access via CVE-2022-29464.

  • Successive backdoors installed – PoisonIvy, a previously undocumented backdoor and finally ShadowPad.

  • Establishing persistence via Windows Services to execute legitimate binaries which sideloads backdoors, including ShadowPad.

  • Use of information gathering tools such as ADFind and PowerView.

  • Lateral movement leveraging RDP and ShadowPad.

  • Use of 7zip for data collection.

  • ShadowPad used for Command and Control. 

  • Exfiltration of data.

https://research.nccgroup.com/2022/09/30/a-glimpse-into-the-shadowy-realm-of-a-chinese-apt-detailed-analysis-of-a-shadowpad-intrusion/

Lazarus ‘Operation In(ter)ception’ Targets macOS Users Dreaming of Jobs in Crypto

Dinesh Devadoss and Phil Stokes provide an update on macOS targeting by North Korea. The tradecraft crossover between Windows and macOS is of note, as is the fact that more macOS targeting by our favourite Hermit Kingdom is happening.

While those campaigns distributed Windows malware, macOS malware has been discovered using a similar tactic. Decoy PDF documents advertising positions on crypto exchange platform Coinbase were discovered by our friends in August 2022, with indications that the campaign dated back at least a year. Last week, [we] observed variants of the malware using new lures for vacancies at Crypto.com.

https://www.sentinelone.com/blog/lazarus-operation-interception-targets-macos-users-dreaming-of-jobs-in-crypto/

ZINC weaponizing open-source software

More Lazarus reporting, building on the previous note on the use of PuTTY. The blended use of social engineering and weaponized open source software offered as gifts is quickly becoming a trademark.

Beginning in June 2022, ZINC employed traditional social engineering tactics by initially connecting with individuals on LinkedIn to establish a level of trust with their targets. Upon successful connection, ZINC encouraged continued communication over WhatsApp, which acted as the means of delivery for their malicious payloads.

MSTIC observed ZINC weaponizing a wide range of open-source software including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and muPDF/Subliminal Recording software installer for these attacks. ZINC was observed attempting to move laterally and exfiltrate collected information from victim networks. The actors have successfully compromised numerous organizations since June 2022. 

Detecting STEEP#MAVERICK: New Covert Attack Campaign Targeting Military Contractors

D. Iuzvyk, T. Peck and O. Kolesnikov out a campaign; basic capability thrown at an interesting target is the real note here.

[We] recently discovered a new covert attack campaign targeting multiple military/weapons contractor companies, including likely a strategic supplier to the F-35 Lightning II fighter aircraft. The stager mostly employed the use of PowerShell and while stagers written in PowerShell are not unique, the procedures involved featured an array of interesting tactics, persistence methodology, counter-forensics and layers upon layers of obfuscation to hide its code.

https://www.securonix.com/blog/detecting-steepmaverick-new-covert-attack-campaign-targeting-military-contractors/

Credential Phishing Targeting US Government Contractors Evolves Over Time

Credential phishing campaign against some of the US supply chain.

The campaigns targeted companies across a variety of sectors but focused most heavily on the energy and professional services sectors, including construction companies. The attackers likely targeted companies which could credibly receive invitations to bid from the relevant government department. The emails spoofed the U.S. Departments of Labor, Commerce, or Transportation.

https://cofense.com/blog/credential-phishing-targeting-government-contractors-evolves-over-time

More Than Meets the Eye: Exposing a Polyglot File That Delivers IcedID

Mark Lim details a very real attempt to evade endpoint detection. It shows organised crime reads the Internet and learns from the wider community, if indeed there was any doubt.

[We] recently observed a polyglot Microsoft Compiled HTML Help (CHM) file being employed in the infection process used by the information stealer IcedID. We will show how to analyze the polyglot CHM file and the final payload so you can understand how the sample evades detection.

Multiple attack groups such as Starchy Taurus (aka APT41) and Evasive Serpens (formerly tracked as OilRig, also known as Europium) have abused CHM files to conceal payloads written using PowerShell or JavaScript. Here, we describe an interesting attack that allows attackers to avoid the need for long lines of code, which can make it easier for malicious files to evade detection by security products. Polyglot files can be abused by attackers to hide from anti-malware systems that rely on file format identification. The technique involves executing the same CHM file twice in the infection process. The first execution exhibits benign activities, while the second execution stealthily carries out malicious behaviors.

https://unit42.paloaltonetworks.com/polyglot-file-IcedID-payload/

Prilex: Brazilian Point of Sale malware evolution

So, a family of Point of Sale malware that has been under active development for 6 years. Puts a different spin on Advanced Persistent Threat…

Prilex is a Brazilian threat actor that has evolved out of ATM-focused malware into modular point-of-sale malware. The group was behind one of the largest attacks on ATMs in the country, infecting and jackpotting more than 1,000 machines, while also cloning in excess of 28,000 credit cards that were used in these ATMs before the big heist.

Their first PoS malware was spotted in the wild in October 2016. The first two samples had 2010/2011 as the compilation date, as shown on the graph below. However, we believe that invalid compilation dates were set due to incorrect system date and time settings. In later versions, the timestamps corresponded to the times when the samples were discovered. We also noticed that in the 2022 branch, the developers started using Subversion as the version control system.

https://securelist.com/prilex-atm-pos-malware-evolution/107551/

Poseidon’s Offspring: Charybdis and Scylla

Ad fraud is a big business and this is but one example. They use apps to drive the advertising SDKs in inauthentic ways to derive ad revenue..

  • [We] discovered an operation we’re calling Scylla (pronounced SILL-uh). It’s the third wave of an attack we first reported in August 2019; the second wave, which we’re calling Charybdis (pronounced kuh-RIB-diss), cropped up in late 2020.

  • The attacks target a number of advertising SDKs within apps available via both Google’s Play Store and Apple’s App Store.

  • Apps associated with the Scylla operation have been downloaded 13+ million times.

  • The Scylla operation featured 75+ Android apps and 10+ iOS apps committing several flavors of ad fraud. These apps generated 13+ million downloads in total before they were taken down.

https://www.humansecurity.com/learn/blog/poseidons-offspring-charybdis-and-scylla

New campaign uses government, union-themed lures to deliver Cobalt Strike beacons

Chetan Raghuprasad and Vanja Svajcer outline a campaign using vulnerabilities from 2017… 2017 people!

  • [We] discovered a malicious campaign in August 2022 delivering Cobalt Strike beacons that could be used in later, follow-on attacks.

  • Lure themes in the phishing documents in this campaign are related to the job details of a government organization in the United States and a trade union in New Zealand.

  • The attack involves a multistage and modular infection chain with fileless, malicious scripts.

The initial vector of this attack is a phishing email with a malicious Microsoft Word document attachment containing an exploit that attempts to exploit the vulnerability CVE-2017-0199, a remote code execution issue in Microsoft Office. If a victim opens the maldoc, it downloads a malicious Word document template hosted on an attacker-controlled Bitbucket repository.

https://blog.talosintelligence.com/2022/09/new-campaign-uses-government-union.html

APT41 and Recent Activity - September 2022

The US Department of Health and Human Services provides a summary of activity by this Chinese threat actor with a focus on the health care sector. Interestingly, they provide context on why health care, and on the Chinese yearly planning cycles..

https://www.hhs.gov/sites/default/files/apt41-recent-activity.pdf

Agent Tesla RAT Delivered by Quantum Builder With New TTPs

Niraj Shivtarkar discusses an evolution in criminal activity - again it shows they (cyber criminal groups) can both read and, errr, weaponize..

  • User Account Control Bypass using the Microsoft Connection Manager Profile Installer (CMSTP) binary in order to execute the final payload with administrative privileges, and to perform Windows Defender Exclusions

  • Utilizing a Multi-Staged Infection Chain integrating various attack vectors involving LOLBins

  • Execution of PowerShell scripts in-memory in order to evade detection

  • Execution of decoys in order to distract the victims post-infection.

https://www.zscaler.com/blogs/security-research/agent-tesla-rat-delivered-quantum-builder-new-ttps

Beware of Konni hacking threat disguised as cryptocurrency business alliance issue

More North Korean cryptocurrency-related activity, with an opsec mistake. The actual tradecraft is basic..

The malicious file found this time was circulated as a Word document with the file name 'Coinone_Bit monopolized system in partnership with Cabin [Weekly Coin Review] - The Economist', and the file name and contents were actually cited from material published on September 3.

It seems that the user with the name 'TigerHunter' finally saved it on September 25, 2022 at 21:53 (UTC), and using the 'Remote Template Injection' technique, the attacker connects to a remote host and downloads a dotm file, a document template file containing layouts, settings and macros, to the user's system.

https://blog-alyac-co-kr.translate.goog/4935?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp
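Both the Talos campaign above (a maldoc pulling a remote Word template via CVE-2017-0199) and this Konni lure (Remote Template Injection of a dotm) rely on the document carrying a relationship that points outward. As an added example, not code from either report, here is a Python check that opens a .docx as a zip and lists every External template or OLE-object relationship under word/_rels/, then separates network (http/https) targets from the ordinary file:// attached template that Word writes for Normal.dotm. The three sample documents and the example.invalid URLs are constructed here for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# OOXML relationship namespace and the two relationship types that a
# remote-template document or a CVE-2017-0199-style OLE link uses to point outward.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
DOC_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
SUSPECT_REL_TYPES = {DOC_REL + "attachedTemplate", DOC_REL + "oleObject"}


def find_external_relationships(docx_bytes):
    """Return [(rels_part, short_type, target)] for every relationship marked
    TargetMode="External" of a suspect type in any word/_rels/*.rels part."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rel_type = rel.get("Type", "")
                if rel_type in SUSPECT_REL_TYPES:
                    hits.append((name, rel_type.rsplit("/", 1)[-1], rel.get("Target", "")))
    return hits


def remote_targets(docx_bytes):
    """Only the external relationships fetched over the network. A file:// attached
    template is what Word writes for a locally attached Normal.dotm and is benign."""
    return [
        (part, kind, target)
        for part, kind, target in find_external_relationships(docx_bytes)
        if urlparse(target).scheme.lower() in ("http", "https")
    ]


# --- constructed sample documents: minimal OOXML containers, not real lures ---
_SETTINGS_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
    'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
    '<w:attachedTemplate r:id="rId1"/></w:settings>'
)


def _rels_xml(rel_type, target):
    """One .rels part holding a single External relationship of the given type."""
    return (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{DOC_REL}{rel_type}" Target="{target}" '
        'TargetMode="External"/></Relationships>'
    )


def build_docx(extra_parts):
    """Pack the handful of parts the check needs into an in-memory .docx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>')
        zf.writestr("word/settings.xml", _SETTINGS_XML)
        for name, data in extra_parts.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Remote template pattern: the attached template is fetched over HTTP (placeholder host).
REMOTE_TEMPLATE_DOCX = build_docx({
    "word/_rels/settings.xml.rels": _rels_xml("attachedTemplate", "http://template.example.invalid/review.dotm"),
})
# Benign: Word's usual file:// reference to a locally attached template.
LOCAL_TEMPLATE_DOCX = build_docx({
    "word/_rels/settings.xml.rels": _rels_xml("attachedTemplate", "file:///C:/Users/Public/Normal.dotm"),
})
# CVE-2017-0199-style shape: an OLE object linked from document.xml to a remote URL (placeholder host).
OLE_LINK_DOCX = build_docx({
    "word/_rels/document.xml.rels": _rels_xml("oleObject", "http://update.example.invalid/linked.doc"),
})

if __name__ == "__main__":
    for label, doc in (("remote template", REMOTE_TEMPLATE_DOCX), ("local template", LOCAL_TEMPLATE_DOCX), ("ole link", OLE_LINK_DOCX)):
        print(label, "->", remote_targets(doc))
```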

Bad VIB(E)s: Investigating Novel Malware Persistence Within ESXi Hypervisors

Alexander Marvi, Jeremy Koppen, Tufail Ahmed and Jonathan Lepore outline a relatively sophisticated campaign which allowed a threat actor to persist beneath the guest operating systems, at the hypervisor level.

Earlier this year, [we] identified a novel malware ecosystem impacting VMware ESXi, Linux vCenter servers, and Windows virtual machines that enables a threat actor to take the following actions:

  1. Maintain persistent administrative access to the hypervisor

  2. Send commands to the hypervisor that will be routed to the guest VM for execution

  3. Transfer files between the ESXi hypervisor and guest machines running beneath it

  4. Tamper with logging services on the hypervisor

  5. Execute arbitrary commands from one guest VM to another guest VM running on the same hypervisor

https://www.mandiant.com/resources/blog/esxi-hypervisors-malware-persistence

https://www.mandiant.com/resources/blog/esxi-hypervisors-detection-hardening

Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East

I am going to just say two words here… Stock Exchange …

The Witchetty espionage group (aka LookingFrog) has been progressively updating its toolset, using new malware in attacks on targets in the Middle East and Africa. Among the new tools being used by the group is a backdoor Trojan (Backdoor.Stegmap) that employs steganography, a rarely seen technique where malicious code is hidden within an image.

In attacks between February and September 2022, Witchetty targeted the governments of two Middle Eastern countries and the stock exchange of an African nation. The attackers exploited the ProxyShell (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) and ProxyLogon (CVE-2021-26855 and CVE-2021-27065) vulnerabilities to install web shells on public-facing servers before stealing credentials, moving laterally across networks, and installing malware on other computers.

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage

Discovery

How we find and understand the latent compromises within our environments.

Tracking BlackTech Infrastructure

Poor opsec upends this threat actor - a nice walk-through in terms of tradecraft.

BlackTech has built a reputation relying on (much to the delight of defenders) tech-themed domains and predictable registration patterns. Recent reporting linking malicious domains to the actor suggests these patterns may be fading, at least for the time being signifying a departure from the previous infrastructure configuration.

  • Failure to redact email addresses within WHOIS records (mitsumori.gb@gmail[.]com, wufi2011@gmail[.]com, siraiya128@gmail[.]com, senotice@gmail[.]com) leads to dozens more domains likely linked to the actor(s).

  • BlackTech prefers dynamic DNS services, with most of the domains’ registrars being GoDaddy, paired with domaincontrol[.]com name servers (NS).

  • Domain naming conventions centered around technology/target (recent intrusion reporting shows this pattern may change).

https://cyberandramen.net/2022/09/24/so-long-godaddy-tracking-blacktech-infrastructure/

Configuration Extraction with YARA

This is really quite neat. By using console.log in YARA rules you can build implant config extractors.

https://devilinside.me/blogs/configuration-extraction-yara

Detecting the Manjusaka C2 framework

A good practical walk-through of the methodology of building detections for a C2 framework, applied to a worked example.

https://corelight.com/blog/detecting-manjusaka-c2-framework

Detecting Mimikatz with Busylight

Balazs Bucsay from NCC Group released this great research after we kicked the idea around.

As detailed, the PoC driver was implemented as UMDF 2, which means it could be only used on Windows 8.1 or newer. Support for older operating systems could be done by porting the driver to UMDF 1 for example.

The detection of this PoC was tested against several publicly available mimikatz versions. (Un)fortunately Metasploit’s and Cobalt Strike’s mimikatz binaries were not compiled with the busylight module, therefore detection this way was not possible.

Tested variants:

  • Original version of Mimikatz since 8th of October 2015 (Detected)

  • Original compiled into DLL (Detected)

  • Original compiled into PowerShell (Invoke-Mimikatz) (Detected)

  • PowerSploit – Invoke-Mimikatz (Detected)

  • CrackMapExec – Invoke-Mimikatz (Detected)

  • Metasploit kiwi module (NOT Detected)

  • Cobalt Strike (NOT Detected)

  • Pypykatz (NOT Detected)

https://research.nccgroup.com/2022/09/30/detecting-mimikatz-with-busylight/

Defence

How we proactively defend our environments.

SMB authentication rate limiter now on by default in Windows Insider

Ned Pyle shows that adding a little friction to a user journey adds a lot of cost to an attacker.

With the release of Windows 11 Insider Preview Build 25206 Dev Channel today, the SMB server service now defaults to a 2-second default between each failed inbound NTLM authentication. This means if an attacker previously sent 300 brute force attempts per second from a client for 5 minutes (90,000 passwords), the same number of attempts would now take 50 hours at a minimum.

https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb-authentication-rate-limiter-now-on-by-default-in-windows/ba-p/3634244

Forensic artefacts in Office 365 and where to find them

Emily Parrish provides the new go-to reference.


https://techcommunity.microsoft.com/t5/security-compliance-and-identity/forensic-artifacts-in-office-365-and-where-to-find-them/ba-p/3634865

Announcing public preview of SSO and passwordless authentication for Azure Virtual Desktop

David Belanger shows the death of the password will happen in our lifetime, thanks to FIDO2.

Today we’re announcing the public preview for enabling an Azure AD-based single sign-on experience and support for passwordless authentication, using Windows Hello and security devices (like FIDO2 keys). With this preview, you can now:

  • Enable a single sign-on experience to Azure AD-joined and Hybrid Azure AD-joined session hosts when using the Windows and the web clients

  • Use passwordless authentication to sign in to the host using Azure AD

  • Use passwordless authentication inside the session when using the Windows client

  • Use third-party Identity Providers (IdP) that integrate with Azure AD to sign in to the host

https://techcommunity.microsoft.com/t5/azure-virtual-desktop-blog/announcing-public-preview-of-sso-and-passwordless-authentication/ba-p/3638244

Vulnerability

Our attack surface.

Microsoft Releases Out-of-Band Security Update for Microsoft Endpoint Configuration Manager

A spoofing vulnerability..

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-37972

Layer 2 network security bypass using VLAN 0, LLC/SNAP headers and invalid length

Showing that low-level network tradecraft still has value in a virtualised world..

  • Microsoft Hyper-V / OpenStack / LXD:

  • Microsoft Hyper-V: CVE-2021-28444 / CVE-2022-21905

  • Cisco CBS350-8T-E-2G

https://blog.champtar.fr/VLAN0_LLC_SNAP/

Offense

Attack capability, techniques and tradecraft.

EvilGoPhish adds SMS campaign support via Twilio

Yes, really.. Although Twilio should be able to act as a choke point and disrupt this.

https://github.com/fin3ss3g0d/evilgophish/commit/d6cb733ffb3517e5f8a14ed1e7c621fb35bac5a5

Cronos: PoC for a new sleep obfuscation technique leveraging waitable timers to evade memory scanners

Ido Veltzman releases the pain for EDR..

PoC for a new sleep obfuscation technique (based on Ekko) leveraging waitable timers to RC4 encrypt the current process and change the permissions from RW to RX to evade memory scanners.

https://github.com/Idov31/Cronos

Freeze: Freeze is a payload toolkit for bypassing EDRs

More EDR pain

Freeze is a payload creation tool used for circumventing EDR security controls to execute shellcode in a stealthy manner. Freeze utilizes multiple techniques to not only remove Userland EDR hooks, but to also execute shellcode in such a way that it circumvents other endpoint monitoring controls.

https://github.com/optiv/Freeze

Exploitation

What is being exploited.

RCE in Sophos Firewall (CVE-2022-3236)

Oooof.. but thankfully the vendor gets the telemetry so they know..

Sophos has observed this vulnerability being used to target a small set of specific organizations, primarily in the South Asia region.

https://www.sophos.com/en-us/security-advisories/sophos-sa-20220923-sfos-rce

FARGO Ransomware (Mallox) Being Distributed to Vulnerable MS-SQL Servers

Secure them database servers..

[We] recently discovered the distribution of FARGO ransomware that is targeting unsecured MS-SQL servers. Along with GlobeImposter, FARGO is one of the prominent ransomware that targets unsecured MS-SQL servers. In the past, it was also called the Mallox because it used the file extension .mallox.

https://asec.ahnlab.com/en/39152/

Atlassian Confluence Vulnerability CVE-2022-26134 Abused For Cryptocurrency Mining, Other Malware

Sunil Bharti shows that cryptominers have been quick with this one..

We observed the active exploitation of CVE-2022-26134, an unauthenticated remote code execution (RCE) vulnerability with a critical rating of 9.8 in the collaboration tool Atlassian Confluence. The gap is being abused for malicious cryptocurrency mining.

https://www.trendmicro.com/en_us/research/22/i/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware.html

Tooling and Techniques

Low level tooling for attack and defence researchers.

Quokka: A Fast and Accurate Binary Exporter

Tres bon …

Quarkslab is open-sourcing Quokka, a binary exporter to manipulate a program's disassembly without a disassembler. This blog post introduces the project, details some parts of its inner workings, and showcases some potential usages. Quokka enables users to write complex analyses on a disassembled binary without dealing with the disassembler API.

https://blog.quarkslab.com/quokka-a-fast-and-accurate-binary-exporter.html

YARI: A New Era of YARA Debugging

Matej Kašťák provides some practical tradecraft..

https://engineering.avast.io/yari-a-new-era-of-yara-debugging/

Footnotes

Some other small (and not so small) bits and bobs which might be of interest.

  • Communication in a world of pervasive surveillance - a PhD thesis which outlines counter-strategies against pervasive surveillance architecture.

  • On the Road to Designing Responsible AI Systems in Military Cyber Operations - from June, but some interesting considerations.

  • Trusted Threat Intelligence Sharing in Practice and Performance Benchmarking through the Hyperledger Fabric Platform - a system no one will ever build but interesting.

  • 1 Key for 1 Lock: The Chinese Communist Party’s Strategy for Targeted Propaganda - more information operations..

That’s all folks.. until next week..

© 2023 Ollie Whitehouse from BinaryFirefly