

Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week all eyes are on the new OpenSSL vulnerability that will drop on November 1st. How bad will it be? How quickly will it be exploited? Who will exploit it? Time to roll those 🎲 and lick the lid of life..
In the high-level this week:
A Conversation with Chris Inglis and Anne Neuberger - Chris Inglis, National Cyber Director, and Anne Neuberger, Deputy Assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technology
Tougher penalties for serious data breaches - The Albanese Government will next week introduce legislation to significantly increase penalties for repeated or serious privacy breaches in Australia
Treasury Sanctions Iranian Officials and Entities Responsible for Ongoing Crackdown on Protests and Internet Censorship - including The Ravin Academy is a school that trains individuals in cyber security and hacking, and recruits from among these trainees for the MOIS
Inter-agency Task Force to Counter Ransomware Threats announced in Singapore
BSI - Die Lage der IT-Sicherheit in Deutschland - The IT security situation in Germany in 2022 from the BSI (their national authority on cyber)
Applying The Jus Ad Bellum Framework To Cyberspace - The Israel Defence Force (IDF) allegedly detected the cyber operation during hostilities with the Palestinian militant group, Hamas. Attributing responsibility to human perpetrators operating from a compound in the Gaza Strip, the IDF launched an airstrike against it - a legal analysis.
Japan to boost cybersecurity for defense contractors - based on US standards.
Readout of Cybersecurity Executive Forum on Electric Vehicles and Electric Vehicle Charging Infrastructure Hosted by the Office of the National Cyber Director in The White House
Critical Infrastructure Protection: Additional Federal Coordination Is Needed to Enhance K-12 Cybersecurity from the U.S. Government Accountability Office
Softwareleverancier gehackt, verdachte aangehouden - Software supplier hacked, teenage suspect arrested in the Netherlands
Newly Unsealed Indictment Charges Ukrainian National with International Cybercrime Operation behind Racoon Stealer - currently being held in the Netherlands
Hacker and Dark Market operator arraigned on federal charges - Kaye’s charges arise from his alleged operation of The Real Deal, a Dark Web market that sold, among other things, hacking tools and stolen login credentials, and his laundering of funds he received from that market.
European Parliament Committee of inquiry to investigate the use of the Pegasus and equivalent surveillance spyware - video from the session earlier this week - A European twist of what we saw play out in the US earlier this year.
The UK’s National Cyber Security Centre is seeing a changing of the guard with regards to its Technical Director (CTO) and the eminent Dr Ian Levy. He will be deeply missed and his parting legacy blog post titled So long and thanks for all the bits is a thing of wonder.
My reflections this week are twofold (and a break away from the Sino studies, at least for now). The first comes from the EU’s cyber threat landscape report and the level of activity they are detecting. Some museful insights into what is still, for the most part, rather basic tradecraft and, interestingly, not overly targeted.
The second is around the analyst firms and their ability/willingness to invent new categories of solutions, and the debatable value of doing so. The most recent example is Identity Threat Detection and Response. It is not clear to me what value defining these categories has for customers. Instinctively it feels counterproductive: it overcomplicates the landscape, adds compliance burden (another tick box) and creates yet another category of supposed panacea solutions.
Have a lovely Friday
Ollie
Cyber threat intelligence
Who is doing what to whom and how.
Cyber attack on state organizations of Ukraine using RomCom malware.
News from the Russia/Ukraine conflict. The point to take away is that the campaign started many months ago and that there is a continual albeit incremental evolution in tradecraft.
Possible involvement of Cuba Ransomware aka Tropical Scorpius aka UNC2596 (CERT-UA#5509)
On October 21, 2022, the government computer emergency response team of Ukraine CERT-UA discovered the fact of the distribution of e-mails, allegedly on behalf of the Press Service of the General Staff of the Armed Forces of Ukraine, with a link to a third-party web resource for downloading the "order"
https://cert.gov.ua/article/2394117
The initial "Advanced IP Scanner" campaign occurred on July 23, 2022. Once the victim installs a Trojanized bundle, it drops RomCom RAT to the system. On October 10, 2022, the threat actor improved evasion techniques by obfuscation of all strings, execution as a COM object, and others.
CISA Alert (AA22-294A): Daixin Team
Sectoral focus by organised crime on healthcare. Good insight on the initial access method in this case: old vulnerabilities and single-factor authentication are the order of the day.
Daixin actors gain initial access to victims through virtual private network (VPN) servers. In one confirmed compromise, the actors likely exploited an unpatched vulnerability in the organization’s VPN server [T1190]. In another confirmed compromise, the actors used previously compromised credentials to access a legacy VPN server [T1078] that did not have multifactor authentication (MFA) enabled. The actors are believed to have acquired the VPN credentials through the use of a phishing email with a malicious attachment [T1598.002].
https://www.cisa.gov/uscert/ncas/alerts/aa22-294a
APT27 – One Year To Exfiltrate Them All: Intrusion In-Depth Analysis
We are still mopping up after the Exchange vulnerabilities. We suspect over two weeks of data exfiltration in a French incident. Ask your ops team if they would detect it.
The first activity discovered was the exploitation of a Microsoft Exchange server using ProxyLogon vulnerabilities chain and the domains discovery performed from this server. APT27’s operators then compromised several domains in a few months, dumping credentials and gathering technical data about victim’s information system.
https://www.intrinsec.com/apt27-analysis/?cn-reloaded=1
Winnti APT group docks in Sri Lanka for new campaign
China doing regional targeting with a rather convoluted chain of capability.
In early August, [we] identified a new attack targeting government entities in Sri Lanka. The threat actors used multiple layers of protection and techniques to make analysis harder and hide their final payload.
WarHawk: the New Backdoor in the Arsenal of the SideWinder APT Group
Niraj Shivtarkar discusses a multi-stage Indian operation against Pakistan which included compromising a website to host and distribute a payload.
In the month of September 2022, we came across an ISO File “32-Advisory-No-32.iso” hosted on the official website of Pakistan’s National Electric Power Regulatory Authority “nepra[.]org[.]pk.” NEPRA is commissioned to provide safe, reliable, efficient and affordable electric power to the electricity consumers of Pakistan. It is possible that this ISO file was uploaded to the server due to web server compromise.
SideWinder APT campaign targets Pakistan with a new backdoor named “WarHawk”
The WarHawk Backdoor consists of four modules:
Download & Execute Module
Command Execution Module
File Manager InfoExfil Module
UploadFromC2 Module
WarHawk is commissioned to deliver Cobalt Strike as the final payload which has been downloaded and executed using the Download & Execute Module.
The custom Cobalt Strike loader used by the SideWinder APT leverages the KernelCallBackTable Process injection (a technique previously used by FinFisher and Lazarus APT) to load the Cobalt Strike beacon, along with a Time Zone check that makes sure that the loader is executed only when under Pakistan Standard Time.
The SideWinder APT makes use of ISO Files bundled with a LNK file, a decoy PDF displaying copies of cybersecurity advisories released by the Pakistan Cabinet Division (used as a lure), and the WarHawk backdoor which is executed by the LNK File.
We discovered the ISO file hosted on the legitimate website of Pakistan's National Electric Power Regulatory Authority “nepra[.]org[.]pk” which may indicate a compromise of their web server.
We were able to attribute this campaign to the SideWinder APT based on the reuse of network infrastructure that has previously been used by SideWinder for various espionage activities against Pakistan.
https://www.zscaler.com/blogs/security-research/warhawk-new-backdoor-arsenal-sidewinder-apt-group-0
Pro-PRC DRAGONBRIDGE Influence Campaign Leverages New TTPs to Aggressively Target U.S. Interests, Including Midterm Elections
We covered some of this activity around the APT41 noise a week or two back. Interesting that China is using information operations across a broad range of topics in this way.
Mandiant has recently observed DRAGONBRIDGE, an influence campaign we assess with high confidence to be operating in support of the political interests of the People’s Republic of China (PRC), aggressively targeting the United States by seeking to sow division both between the U.S. and its allies and within the U.S. political system itself. Recent narratives include:
Claims that the China-nexus threat group APT41 is instead a U.S. government-backed actor.
Aggressive attempts to discredit the U.S. democratic process, including attempts to discourage Americans from voting in the 2022 U.S. midterm elections.
Allegations that the U.S. was responsible for the Nord Stream gas pipeline explosions
https://www.mandiant.com/resources/blog/prc-dragonbridge-influence-elections
Unveil the evolution of Kimsuky targeting Android devices with newly discovered mobile malware
Lee Sebin and Shin Yeongjae discuss a North Korean campaign using new Android capability. The capability is in and of itself not that notable, i.e. it does all the things you would expect and has no capabilities which are impressive. However, they did gain access to some of the underlying actor’s resources on the servers, which provides some insight.
As a result of analyzing the APKs, we figured out that there is a significant association with the past campaigns attributed to Kimsuky group.
The FastFire malware is disguised as a Google security plugin, and the FastViewer malware disguises itself as “Hancom Office Viewer”, FastSpy is a remote access tool based on AndroSpy.
All three APKs were recently confirmed to have been developed by the Kimsuky group and FastViewer & FastSpy were actually used to attack South Koreans.
Distribution of AppleSeed to nuclear power plant-related companies
Mildly worrying that North Korea are targeting South Korean nuclear power plants.
[We] recently confirmed the distribution of AppleSeed malware to nuclear power plant-related companies. AppleSeed is a backdoor malware used by Kimsuky, one of the North Korean-related organizations, and is being actively distributed to various companies.
The AppleSeed dropper file name confirmed by [our] team this time is as follows, and a double extension was used to deceive the user.
no**.xls.vbs
Layout_Kori Unit 2 ISI.pdf.vbs
A North Korean-linked hacking attack disguised as a Google questionnaire for the National Diplomatic Academy appears
North Korean long play here - i.e. stage one is collect the information on the people, stage two is then embark on a social engineering campaign.
This attack is disguised as an invitation to experts in the fields of diplomacy, security and defense to an international affairs conference scheduled to be held on November 2nd at the Institute for Foreign Affairs and Security (IFANS) of the National Academy of Foreign Affairs, and asks them to fill out a Google questionnaire, an attack technique that attempts to steal information by inducing them to do so.
https://blog-alyac-co-kr.translate.goog/4960?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp
DEV-0832 (Vice Society) opportunistic ransomware campaigns impacting US education sector
More education sector targeting, noting that the actors are using a variety of techniques in order to extort victims.
In recent months, [we have] detected active ransomware and extortion campaigns impacting the global education sector, particularly in the US, by a threat actor we track as DEV-0832, also known as Vice Society. Shifting ransomware payloads over time from BlackCat, QuantumLocker, and Zeppelin, DEV-0832’s latest payload is a Zeppelin variant that includes Vice Society-specific file extensions, such as .v-s0ciety, .v-society, and, most recently, .locked. In several cases, [we] assess that the group did not deploy ransomware and instead possibly performed extortion using only exfiltrated stolen data.
In one known intrusion, DEV-0832 operators exfiltrated hundreds of gigabytes of data by launching their PowerShell script, which was staged on a network share. The script contained hardcoded attacker-owned IP addresses and searched for wide-ranging, non-targeted keywords ranging from financial documents to medical information, while excluding files containing keywords such as varied antivirus product names or file artifact extensions.
PatchWork组织Herbminister行动武器库大揭秘 - PatchWork's arsenal of Operation Herbminister revealed
Further Indian operations detailed here against scientific research targets. It looks like the Chinese threat intelligence team gained access to a server of the threat actor. The irony of the actor using MITRE tooling is not lost on me.
[We] found in the tracking of the PatchWork organization that the organization began infiltration attacks on a series of scientific research targets in many countries since last year
According to the analysis, PatchWork's arsenal uses a large number of open source red team tools, and on this basis, it carries out secondary development work. Its arsenal has multiple sets of attack methods.
Raspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity
If you thought USB was dead as a compromise vector you would be wrong. The things of note are that the actor is also combining it with Tor, and the scale. The calling out to Tor nodes should facilitate detection.
[We have] discovered recent activity indicating that the Raspberry Robin worm is part of a complex and interconnected malware ecosystem, with links to other malware families and alternate infection methods beyond its original USB drive spread. These infections lead to follow-on hands-on-keyboard attacks and human-operated ransomware activity. Our continuous tracking of Raspberry Robin-related activity also shows a very active operation: Microsoft Defender for Endpoint data indicates that nearly 3,000 devices in almost 1,000 organizations have seen at least one Raspberry Robin payload-related alert in the last 30 days.
Upon insertion of the infected drive or launching of the LNK file, the UserAssist registry key in Windows—where Windows Explorer maintains a list of launched programs—is updated with a new value indicating a program was launched by Windows.
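The UserAssist artefact mentioned above is one a responder can actually check. The following is an added example, not code from the Microsoft write-up: it decodes UserAssist value names (which Windows stores ROT13-encoded under the Explorer\UserAssist\{GUID}\Count keys) and reads the run count and last-run FILETIME from the value data, then applies a simple heuristic of my own, flagging .lnk launches recorded from a drive other than the system drive. The 72-byte record layout (run count at offset 4, last-run FILETIME at offset 60) is the common Windows 7+ format; the sample entries are constructed.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Assumed record layout: the common Windows 7+ UserAssist value format.
RECORD_LEN = 72
RUN_COUNT_OFF = 4      # uint32 run counter
LAST_RUN_OFF = 60      # uint64 FILETIME of the last execution
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100ns ticks since 1601-01-01) to a UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse conversion, done in integer arithmetic; used here only to build sample data."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_userassist(value_name, value_data):
    """Decode one UserAssist value into its path, run count and last-run time."""
    if len(value_data) < RECORD_LEN:
        raise ValueError("record too short: %d bytes" % len(value_data))
    run_count = struct.unpack_from("<I", value_data, RUN_COUNT_OFF)[0]
    last_run_ft = struct.unpack_from("<Q", value_data, LAST_RUN_OFF)[0]
    return {
        "path": codecs.decode(value_name, "rot_13"),   # names are ROT13 in the registry
        "run_count": run_count,
        "last_run": filetime_to_datetime(last_run_ft) if last_run_ft else None,
    }


def find_lnk_launches_off_system_drive(entries, system_drive="C:"):
    """Heuristic (my assumption, not from the report): a .lnk launched from a drive
    other than the system drive is worth a second look when hunting USB-borne LNK runs."""
    hits = []
    for name, data in entries:
        rec = parse_userassist(name, data)
        path = rec["path"]
        has_drive = len(path) > 1 and path[1] == ":"
        drive = path[:2].upper() if has_drive else None
        if path.lower().endswith(".lnk") and drive and drive != system_drive.upper():
            hits.append(rec)
    return hits


def make_sample_record(run_count, last_run):
    """Build a constructed 72-byte record for demonstration only."""
    buf = bytearray(RECORD_LEN)
    struct.pack_into("<I", buf, RUN_COUNT_OFF, run_count)
    struct.pack_into("<Q", buf, LAST_RUN_OFF, datetime_to_filetime(last_run))
    return bytes(buf)


# Constructed sample entries, names ROT13-encoded as they would appear in the registry.
SAMPLE_ENTRIES = [
    (codecs.encode("E:\\Constructed_Sample.lnk", "rot_13"),
     make_sample_record(1, datetime(2022, 10, 27, 12, 0, tzinfo=timezone.utc))),
    (codecs.encode("C:\\Windows\\System32\\notepad.exe", "rot_13"),
     make_sample_record(14, datetime(2022, 10, 20, 9, 30, tzinfo=timezone.utc))),
]

if __name__ == "__main__":
    for rec in find_lnk_launches_off_system_drive(SAMPLE_ENTRIES):
        print(rec)
```

On a real image you would feed this the value names and data exported from each user's NTUSER.DAT; the drive-letter heuristic will also catch legitimate network or secondary drives, so treat its output as a triage list rather than a verdict.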
Black Basta and the Unnoticed Delivery
More evidence that the e-mail based payloads of some organised crime groups aren’t sophisticated. They play the numbers game in order to be effective.
Since May 2022, there were more than 89 cases of high-profile organizations who were extorted by the Black Basta gang. Data shows the group’s clear geo-specific focus on the US and Germany; 49% of the victims listed on the shame site are US accounts. The ransom demand in some cases exceeded 1 million USD.
https://research.checkpoint.com/2022/black-basta-and-the-unnoticed-delivery/
Treasure trove. Alive and well point-of-sale malware
Nikolay Shelekhov and Said Khamchiev outline a criminal campaign which has been targeting point of sale. Interesting that the US continues to be targeted in this manner, still due to the lack of pervasive chip-and-PIN use.
[We] discovered a C2 server that hosted administrative panels of Treasure Hunter and MajikPOS POS malware.
[we] identified POS devices infected with MajikPOS and Treasure Hunter.
We analyzed more than 167,000 mainly US-issued compromised credit card dumps.
Malware remains active as of September, 2022.
Due to the protection mechanisms in place within the payment processing industry, POS malware has some distinctive features and limitations.
One such mechanism is data encryption implemented during major phases of the payment processing. Decryption occurs only in the Random Access Memory (RAM) of the PoS device, where sensitive payment details are stored in plain text. This has made RAM the primary target for POS malware. The process of exfiltrating sensitive card payment details is called RAM scraping.
Almost all POS malware strains have a similar card dump extraction functionality, but different methods for maintaining persistence on infected devices, data exfiltration and processing. Let’s take a closer look at the profiles of MajikPOS and Treasure Hunter.
https://blog.group-ib.com/majikpos_treasurehunter_malware
From Gozi to ISFB: The history of a mythical malware family
Benoit Ancel provides one of the most comprehensive write-ups I have read on this actor over the years. He documents the 22 year journey and the evolution of this family into an info stealer.
Discovery
How we find and understand the latent compromises within our environments.
Legitimate RATs: a comprehensive forensic analysis of the usual suspects
Théo Letailleur provides a wonderful set of indicators for detection teams to leverage. This type of hyper-useful artefact collection would almost benefit from a standard machine-readable format for distribution.
In this article, the artefacts of four remote admin tools will be described: TeamViewer, AnyDesk, Atera, and SplashTop. Also, the focus will be on the Windows platform.
Recovering Cleared Browser History - Chrome Forensics
Lina Lau gives some hope and practical tradecraft around this forensics challenge.
How do you detect when a user deletes their chrome history and is there a way to forensically recover it? The answer is… it depends. 😈
https://www.inversecos.com/2022/10/recovering-cleared-browser-history.html
Fortinet CVE-2022-40684 vulnerability from an Incident Response perspective
Heresh Zaremand also provides something of material value to blue teams the world over: how to detect the exploitation and post-compromise access activity stemming from this vulnerability, which we know to be exploited in the wild.
The vulnerability, CVE-2022-40684, can be used to exploit FortiOS/FortiProxy and FortiSwitchManager products. It has been exploited in the wild and the Truesec CSIRT team has already handled incidents due to this vulnerability. This blog post aims to shed some light on what affected organizations can expect to find in their logs and what conclusions are safe to be made.
When searching the web for information about this vulnerability, a log event indicating compromise is commonly shared amongst concerned IT-professionals. The log event message states: “System config file has been downloaded by user Local_Process_Access via Report Runner”.
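As an added example (mine, not from the Truesec post), here is a small detection that runs over FortiGate-style event log lines and surfaces the message quoted above. Only the message text comes from the post; the key=value line layout, device name and the second, benign line are constructed approximations of FortiGate logging, not captured records.

```python
import re

# Indicator message quoted in the Truesec write-up.
CONFIG_DOWNLOAD_MSG = ("System config file has been downloaded by user "
                       "Local_Process_Access via Report Runner")

# key=value and key="quoted value" pairs, as FortiGate-style logs are laid out.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def find_config_downloads(lines):
    """Return a summary of every event carrying the config-download indicator."""
    hits = []
    for line in lines:
        ev = parse_log_line(line)
        if ev.get("msg") == CONFIG_DOWNLOAD_MSG:
            hits.append({
                "date": ev.get("date"),
                "time": ev.get("time"),
                "devname": ev.get("devname"),
                "user": ev.get("user"),
                "ui": ev.get("ui"),
            })
    return hits


# Constructed sample lines; the format approximates FortiGate event logging.
SAMPLE_LOGS = [
    'date=2022-10-12 time=08:15:02 devname="fw-constructed-01" type="event" '
    'subtype="system" level="information" user="Local_Process_Access" '
    'ui="Report Runner" msg="' + CONFIG_DOWNLOAD_MSG + '"',
    'date=2022-10-12 time=08:16:40 devname="fw-constructed-01" type="event" '
    'subtype="system" level="information" user="admin" ui="https(198.51.100.7)" '
    'msg="Constructed benign login event for admin from https(198.51.100.7)"',
]

if __name__ == "__main__":
    for hit in find_config_downloads(SAMPLE_LOGS):
        print("review:", hit)
```

Treat a match as a trigger for the review the post describes rather than proof of compromise on its own: the point of the write-up is precisely which conclusions can safely be drawn from this event.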
Defence
How we proactively defend our environments.
KB5020779—The vulnerable driver blocklist after the October 2022 preview release
Microsoft fixes a bug in this feature which effectively rendered it useless.
Microsoft introduced the vulnerable driver blocklist as an optional feature in Windows 10, version 1809. The blocklist is enabled on systems that enable Hypervisor-protected Code Integrity (HVCI) or run Windows in S Mode. Starting with Windows 11, version 22H2, the blocklist is also enabled by default on all devices. You can turn it on and off using the Windows Security app.
This October 2022 preview release addresses an issue that only updates the blocklist for full Windows OS releases. When you install this release, the blocklist on older OS versions will be the same as the blocklist on Windows 11, version 22H2 and later.
Production-ready detection & response queries for osquery
Wonderful engineering here along with some case studies around efficacy.
ODK (osquery-defense-kit) is unique in that the queries are designed to be used as part of a production detection & response pipeline. The detection queries are formulated to return zero rows during normal expected behavior, so that they may be configured to generate alerts when rows are returned.
At the moment, these queries are predominantly designed for execution on POSIX platforms (Linux & macOS). Pull requests to improve support on other platforms are fully welcome.
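The "zero rows during normal behaviour" design is easy to reproduce and test outside osquery. The following added example (mine; the query is written in the ODK style but is not one of the kit's own queries) loads a constructed subset of osquery's processes table into SQLite, runs a detection that should be empty on a healthy host (an interactive shell whose parent is a document viewer), and reports only the queries that returned rows.

```python
import sqlite3

# Constructed detection in the osquery-defense-kit style: zero rows is the
# expected result, so any row returned becomes an alert. Not a query from ODK.
QUERIES = {
    "shell_from_document_app": """
        SELECT p0.pid, p0.name, p0.cmdline, p1.name AS parent_name
        FROM processes p0
        JOIN processes p1 ON p0.parent = p1.pid
        WHERE p0.name IN ('sh', 'bash', 'zsh', 'python3')
          AND p1.name IN ('Preview', 'soffice', 'acroread')
    """,
}


def load_process_table(rows):
    """Build an in-memory table shaped like a subset of osquery's processes table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE processes (pid INTEGER, name TEXT, cmdline TEXT, parent INTEGER)")
    conn.executemany("INSERT INTO processes VALUES (?, ?, ?, ?)", rows)
    return conn


def run_detection(conn, query):
    """Return the rows a detection query produces; the caller treats any row as an alert."""
    return conn.execute(query).fetchall()


def evaluate(rows, queries):
    """Run every query against the snapshot and return {name: rows} for those that fired."""
    conn = load_process_table(rows)
    fired = {}
    for name, query in queries.items():
        hits = run_detection(conn, query)
        if hits:
            fired[name] = hits
    conn.close()
    return fired


# Constructed process snapshots: (pid, name, cmdline, parent pid).
BENIGN_HOST = [
    (1, "launchd", "/sbin/launchd", 0),
    (2900, "Terminal", "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", 1),
    (3000, "Preview", "/System/Applications/Preview.app/Contents/MacOS/Preview", 1),
    (3100, "zsh", "-zsh", 2900),          # shell under a terminal: expected
]
SUSPICIOUS_HOST = BENIGN_HOST + [
    (4321, "sh", "sh -c /tmp/constructed-sample.sh", 3000),   # shell under Preview: unexpected
]

if __name__ == "__main__":
    print("benign:", evaluate(BENIGN_HOST, QUERIES))
    print("suspicious:", evaluate(SUSPICIOUS_HOST, QUERIES))
```

The same harness is useful for regression testing your own queries: keep a benign snapshot that must stay empty and a set of positive snapshots that must fire, and run both before shipping a query change to the fleet.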
https://github.com/chainguard-dev/osquery-defense-kit
Cypherhound
Dylan Evans drops over 264 queries to help you get the most from the backend graph database.
Python3 terminal application that contains 190+ Neo4j cyphers for BloodHound data sets
BloodHound is a staple tool for every red teamer. However, there are some negative side effects based on its design. I will cover the biggest pain points I've experienced and what this tool aims to address:
My tools think in lists - until my tools parse exported JSON graphs, I need graph results in a line-by-line format .txt file
Copy/pasting graph results - this plays into the first but do we need to explain this one?
Graphs can be too large to draw - the information contained in any graph can aid our goals as the attacker and we need to be able to view all data efficiently
Manually running custom cyphers is time-consuming - let's automate it :)
This tool can also help blue teams to reveal detailed information about their Active Directory environments as well.
https://github.com/fin3ss3g0d/cypherhound
DCOM authentication hardening: what you need to know
David Zhu provides a practical guide for those of you brave enough to still be using Distributed COM in your Windows estates.
In this article, we'll explore how we're hardening Distributed Component Object Model (DCOM). Specifically:
The context behind hardening
What is DCOM and DCOM authentication hardening?
Addressing critical vulnerabilities and why hardening matters
When is DCOM authentication hardening happening?
Call to action:
Keep your organization protected with the latest updates
Check your compatibility solutions as needed
Utilize troubleshooting help
Is it safe to connect third-party apps to my M365/Google tenant?
Luke Jennings from PushSecurity provides some practical defensive advice and guidance around OAuth in a distributed zero-trust world.
It’s no secret that SaaS use is growing exponentially, but less has been said about third-party SaaS integrations, especially to core platforms like M365 or Google Workspace. In this article, we’ll explain what these third-party integrations are and what the security benefits vs risks of using them in your organization are. We’ll also provide some helpful tips about what you can do to remediate or at least lessen the risks.
Special identity groups on Microsoft Windows
A facet of Windows not widely appreciated. Defence-in-depth features for those still running on-premises Active Directory.
Special identity groups are similar to the Active Directory security groups that are listed in the Active Directory Users and BuiltIn containers. Special identity groups can provide an efficient way to assign access to resources in your network. By using special identity groups, you can:
Assign user rights to security groups in Active Directory.
Assign permissions to security groups to access resources.
Vulnerability
Our attack surface.
The Logging Dead: Two Event Log Vulnerabilities Haunting Windows
Dolev Taler and the marketing team go into vulnerability hype overdrive in this post. That being said, this one is of interest:
LogCrusher, which allowed any domain user to remotely crash the Event Log application of any Windows machine on the domain.
Combining these two functions, it's easy to understand the LogCrusher attack flow. Call the OpenEventLog function for the Internet Explorer Event Log on the victim machine:
Handle = OpenEventLog(<Victim Machine>, "internet explorer")
Call the ElfClearELFW function with the handle that was returned, and NULL as the BackupFileName parameter:
ElfClearELFW(Handle, NULL)
That's it! Just like that, we crashed the Event Log on the victim's machine.
https://www.varonis.com/blog/the-logging-dead-two-windows-event-log-vulnerabilities
Unprotected .git folders on the internet pose a security risk
NCSC Switzerland quantified the exposure that unprotected .git folders represented to the country. It is good that Swiss law allowed this activity to be undertaken.
A look at Swiss websites shows that insufficiently protected .git folders constitute a real risk in Switzerland.
It found 1,300 affected systems where potentially sensitive data such as source code, access data and passwords were accessible via insufficiently protected .git folders.
https://www.ncsc.admin.ch/git-en
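For checking your own estate for the exposure the NCSC describes, here is an added example (mine, not NCSC tooling) that tests whether a site serves a readable .git/HEAD, the file that is either a "ref: refs/..." line or a 40-character commit hash. The HTTP client is injected as a fetch callable so the example runs offline against constructed responses; the hostnames are placeholders.

```python
import re
from urllib.parse import urljoin

# A real .git/HEAD is either a symbolic ref or a bare 40-hex commit id.
HEAD_REF_RE = re.compile(r"^(ref: refs/\S+|[0-9a-f]{40})\s*$")


def git_head_exposed(base_url, fetch):
    """Return True if base_url serves a readable .git/HEAD.
    fetch(url) -> (status_code, body_text); injected so the check can run offline."""
    status, body = fetch(urljoin(base_url.rstrip("/") + "/", ".git/HEAD"))
    if status != 200:
        return False
    stripped = body.strip()
    if not stripped:
        return False
    # Guard against soft-404 pages that answer 200 with HTML.
    return bool(HEAD_REF_RE.match(stripped.splitlines()[0]))


def audit(urls, fetch):
    """Return the subset of your own sites that expose .git/HEAD, sorted for reporting."""
    return sorted(u for u in urls if git_head_exposed(u, fetch))


# Constructed responses standing in for a live HTTP client (hostnames are placeholders).
_FAKE_RESPONSES = {
    "https://exposed.example/.git/HEAD": (200, "ref: refs/heads/main\n"),
    "https://blocked.example/.git/HEAD": (403, "Forbidden"),
    "https://spa.example/.git/HEAD": (200, "<!doctype html><title>Not Found</title>"),
}


def fake_fetch(url):
    return _FAKE_RESPONSES.get(url, (404, ""))


if __name__ == "__main__":
    sites = ["https://exposed.example", "https://blocked.example/", "https://spa.example"]
    print("exposed .git:", audit(sites, fake_fetch))
```

For a live run, swap fake_fetch for a thin wrapper around your HTTP library that returns the status and body. The fix on the server side is twofold: do not deploy the repository directory to the document root at all, and additionally deny access to any path containing /.git at the web server so a stray checkout is not reachable.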
SiriSpy - iOS bug allowed apps to eavesdrop on your conversations with Siri
Slightly contrived attack scenario by Guilherme Rambo but a fun read.
Any app with access to Bluetooth could record your conversations with Siri and audio from the iOS keyboard dictation feature when using AirPods or Beats headsets. This would happen without the app requesting microphone access permission and without the app leaving any trace that it was listening to the microphone.
https://rambo.codes/posts/2022-10-25-sirispy-ios-bug-allowed-apps-to-eavesdrop
Offense
Attack capability, techniques and tradecraft.
Detecting Canarytokens in Files
There was a discussion on how to detect Canary Tokens in files. These are the work products.
gist.github.com/singe/0c334b514a9eed2792b88df1dfb766cc
gist.github.com/HackingLZ/0285d248f648f5dd216758c3fbf78c97
Exploitation
What is being exploited.
Malware infection case of Lazarus attack group that neutralizes antivirus program with BYOVD technique
Using the vulnerability of Dream Security's MagicLine4NX
CLDAP Reflectors on the Rise Despite Best Practice
Protocol arbitrage is a thing in DDoS land and this is a very good writeup of one being actively exploited to do volumetric attacks.
One of the most common UDP services in these multi-vector attacks is the Connectionless Lightweight Directory Access Protocol (CLDAP). With a high Bandwidth Amplification Factor (BAF) of 56 to 70x and common deployment onto systems provisioned with healthy bandwidth, CLDAP reflectors reliably add traffic volume to the DDoS recipe. Hopefully, the internet community can eventually clean up these exposed services. In the meantime, we can analyze and report on the span of open CLDAP reflectors on the internet today, as well as some of our findings related to the strategy and tactics behind their use in DDoS attacks.
https://blog.lumen.com/cldap-reflectors-on-the-rise-despite-best-practice/
Tooling and Techniques
Low level tooling for attack and defence researchers.
Modern Binary/Patch Diffing
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
IAPP Privacy Tech Vendor Report - This issue, the IAPP lists 364 privacy technology vendors
Exploit archaeology: a forensic history of in-the-wild NSO Group exploits
Designing technologies with Values? Possibility - Necessity - and European story - like China, but different
Graph Neural Networks for Natural Language Processing: A Survey - from China with ❤️ (in a values led way) - 130 pages reviewing GNNs used for NLP, including applications and future directions.
That’s all folks.. until next week..