Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.

Operationally this week you will see there are plethora of vulnerabilities and exploits in edge security products including reporting of mass exploitation of CVE-2022-40684 in FortiOS / FortiProxy / FortiSwitchManager. Outside of that China has been running an information operation accusing the US of hacking in response to the APT41 disclosures. Finally you see a Chinese researcher has weaponized the recent Cobalt Strike vulnerability… hold on!

In the high-level this week:

• Executive Order On Enhancing Safeguards For United States Signals Intelligence Activities - US outline a modern framework around signals intelligence.

• We must tackle Europe’s winter cyber threats head-on - European leaders and energy operators should look to the Ukrainian experience for inspiration. Beyond simply blaming Russia, it’s Ukraine’s long-term efforts to build cyber resilience help explain the lack of highly destructive cyber activity since the start of the invasion - I deeply respect

• NCSC Netherlands has published their 2023-2026 research agenda - our Dutch colleagues outline their cyber research strategy with a big focus on sociotechnical aspects.

• India will delay its cyber reporting requirements by 3 months for small medium enterprises

• Clarifying Responsible Cyber Power: Developing Views in the U.K. Regarding Non-intervention and Peacetime Cyber Operations - op ed in response to Sir Jeremy Fleming’s RUSI speech (see below).

• The Special Competitive Studies Project - SCSP have published their first interim panel report, “The Future of Conflict and the New Requirements of Defense” - The proliferation of sensors, analytical tools, precision-guided munitions, and non-kinetic payloads (i.e., cyber, directed energy) are fundamentally altering the hider-finder contest

• Biden-Harris Administration Delivers on Strengthening America’s Cybersecurity - The White House - once more bold moves from the US and my love affair (and jealousy) continues unabated..

• Criminal Allegations Against Israeli-linked Spyware, Ex-intel Commander in Greek Hacking Scandal - a journalist is taking Intellexa, the firm behind the Predator spyware allegedly used against him, and its owners to court.

• NIST Releases Draft NIST IR 8408: Understanding Stablecoin Technology and Related Security Considerations - do you get the sense that the digital dollar train is full steam ahead? Wonderful to see to bootstrap other central banks and their thinking..

• Securing the U.S. Electricity Grid from Cyberattacks - from the U.S’s Government Accountability Office as part of cyber security month outlining what is required.

• Ukraine enhances cooperation with the EU Network and Information Security Agency - Cooperation with the European partners includes two key vectors for our country. On the one hand, Ukrainian experience in cyberwar, confronting cyber threats from russia would definitely be beneficial for other democracies. On the other hand, having gained candidate status for EU membership, our country has to bring its national legislation in conformity with European standards.

• The UK Government indicated in parliament that Computer Misuse Act reform might be edging closer.

• German cyber chief faces sacking over Russia link - Arne Schönbohm, the head of the Federal Office for Information Security (BSI), founded an industry group called the Cyber Security Council in 2012, which, according to national media, has been compromised by Russian interests - interesting times..

Reflections this week are from the continued journey in all things Sino related and the paper What is Lost in Translation? Differences between Chinese Foreign Policy Statements and Their Official English Translations. Fascinating, yet noting that the the number of papers is relatively small, but there are sure some good examples of substantive differences between the English and Chinese versions.

Now we are all used to leadership giving subtly (and not so subtly) different narratives when at home versus when interacting diplomatically abroad. That being said it isn’t often that these leaders have a horizon stretching beyond 5 years and who have self elected themselves to a 3rd time in pursuit of a 2049 set of objectives.

Finally there was the RUSI Annual Security Lecture 2022 with Sir Jeremy Fleming, Director of GCHQ which had a heavy focus on China / Cyber etc. Note the focus of concern is not the Chinese people, but rather the state apparatus.

Enjoying this? don’t get via e-mail? subscribe:

Think someone else would benefit? Share:

Share

Have a lovely Friday

Ollie

Cyber threat intelligence

Who is doing what to whom and how.

Same Cloak, More Dagger: China's Cyberattack Strategy Explained

A simply massive report on Chinese cyber with 47 pages of core in total and with appendices it is 79 pages. Does a wonderful job at writing Volume I: the early years.

https://www.boozallen.com/content/dam/home/pdf/natsec/china-cyber-report.pdf

WIP19 Espionage | New Chinese APT Targets IT Service Providers and Telcos With Signed Malware

Joey Chen and Amitai Ben Shushan Ehrlich outline a regional focus by China bringing new tooling to the party.

• A new threat cluster we track as WIP19 has been targeting telecommunications and IT service providers in the Middle East and Asia.

• We assess it is highly likely this activity is espionage-related and that WIP19 is a Chinese-speaking threat group.

• The threat cluster has some overlap with Operation Shadow Force but utilizes new malware and techniques.

• WIP19 utilizes a legitimate, stolen certificate to sign novel malware, including SQLMaggie, ScreenCap and a credential dumpe

https://www.sentinelone.com/labs/wip19-espionage-new-chinese-apt-targets-it-service-providers-and-telcos-with-signed-malware/

Alchimist: A new attack framework in Chinese for Mac, Linux and Windows

Chetan Raghuprasad, Asheer Malhotra and Vitor Ventura, with contributions from Matt Thaxton detail another China originating capability. The macOS implant includes an exploit for a privilege escalation vulnerability (CVE-2021-4034) in polkit's pkexec utility.

• [We] discovered a new attack framework including a command and control (C2) tool called "Alchimist" and a new malware "Insekt" with remote administration capabilities.

• The Alchimist has a web interface in Simplified Chinese with remote administration features.

• The attack framework is designed to target Windows, Linux and Mac machines.

• Alchimist and Insekt binaries are implemented in GoLang.

• This campaign consists of additional bespoke tools such as a MacOS exploitation tool, a custom backdoor and multiple off-the-shelf tools such as reverse proxies.

https://blog.talosintelligence.com/2022/10/alchimist-offensive-framework.html

DHS Bulletin: Russia Cyber Threat Overview Substantive Revision

From August 2022 but a good overview of DHS thinking from the time. Love the summary style also, but that is maybe because I consume a disproportionate amount of slides in my job.

https://publicintelligence.net/dhs-russia-cyber-threat-overview/

POLONIUM targets Israel with Creepy malware

Matías Porolli details Iranian activity with Israeli focus. While initial access unclear it is hypothesised it stems from leaked credentials.

• Focused only on Israeli targets, POLONIUM attacked more than a dozen organizations in various verticals such as engineering, information technology, law, communications, branding and marketing, media, insurance, and social services.

• According to [our] telemetry, the group has used at least seven different custom backdoors since September 2021, and it is currently active at the time of writing.

• The group has developed custom tools for taking screenshots, logging keystrokes, spying via the webcam, opening reverse shells, exfiltrating files, and more.

• For C&C communication, POLONIUM abuses common cloud services such as Dropbox, OneDrive, and Mega.

https://www.welivesecurity.com/2022/10/11/polonium-targets-israel-creepy-malware/

Semiconductor Companies Targeted by Ransomware

Now if I were being cynical I would say this report was written because the vendor wants to sell their offerings into the sector. But lets pretend intelligence isn’t used for such purposes as the themes in reporting can’t be denied although we may wish to describe how targeted/focused the activity is. The liberal sprinkling of espionage in the reporting does make one bristle.

• A variety of TTPs were employed by ransomware threat actors in their attacks against semiconductor companies. Among them are the use of malware to encrypt data; extortion through threat of data exposure; the release of source code and intellectual properties; the use of stolen code-signing certificates to sign malware; and the possibility of selling proprietary data to industry competitors or rival nation-states.

• The motives of ransomware threat actors range from being purely financially driven, to thrill seeking, to the possibly strategic theft of intellectual property.

• While none of the cyberattacks against semiconductor companies analyzed here have direct connections to nation-state groups, industry reports uncovered state-sponsored threat actors masquerading as ransomware groups and using at least 5 ransomware variants — LockFile, AtomSilo, Rook, Night Sky, and Pandora — to conduct cyber espionage.

https://www.recordedfuture.com/semiconductor-companies-targeted-by-ransomware

Budworm: Espionage Group Returns to Targeting U.S. Organizations

Reporting on a Chinese actor being the aggressor against US interests. One could speculate that as the controls tighten around China if this type of uptick in activity is what we can expect to see.

The Budworm espionage group has mounted attacks over the past six months against a number of strategically significant targets, including the government of a Middle Eastern country, a multinational electronics manufacturer, and a U.S. state legislature. The latter attack is the first time in a number of years [we have] seen Budworm targeting a U.S-based entity. Along with the above high-value targets, the group also conducted an attack against a hospital in South East Asia.

In recent attacks, Budworm leveraged the Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45105) to compromise the Apache Tomcat service on servers in order to install web shells.

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/budworm-espionage-us-state

Beware of North Korean hacking attacks disguised as payment of thesis review fees

South Korean reporting on North Korean activity. The tell tale signs are the North Korean long game social engineering beyond anything else.

In the early stage of the attack, the normal content was accessed, and then the target was selected, such as replying to an e-mail, and malicious files were individually attached. In addition, it showed sophistication in carrying out follow-up attacks with staggered intervals for a certain period of time.

https://blog-alyac-co-kr.translate.goog/4946?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp

Lazarus Group DLL Side-Loading technique (mi.dll)

Bit of tactical intelligence out of South Korea on North Korean tradecraft on Windows hosts.

The list of normal processes exploited by the Lazarus group is as follows. Both wsmprovhost.exe and dfrgui.exe files are normal MS files.

• wsmprovhost.exe (Host process for WinRM plug-ins)

• dfrgui.exe (Microsoft Drive Optimizer)

https://asec-ahnlab-com.translate.goog/ko/39648/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=wapp

Malicious WhatsApp mod distributed through legitimate apps

Dmitry Kalinin outlines a campaign using adverts to distribute a malicious WhatsApp deployment against Android. The fact that threat actors are able to invest in such distribution campaigns continues to interest.

Last year, we wrote about the Triada Trojan inside FMWhatsApp, a modified WhatsApp build. At that time, we discovered that a dropper was found inside the distribution, along with an advertising SDK. This year, the situation has repeated, but with a different modified build, YoWhatsApp version 2.22.11.75. Inside it, we found a malicious module that we detect as Trojan.AndroidOS.Triada.eq.

After discovering a new malicious WhatsApp mod, we decided to find out where it was coming from. According to statistics, the source was ads in the popular Snaptube app. After a brief check, we confirmed that you can find YoWhatsApp ads in the official Snaptube app (MD5: C3B2982854814E537CD25D27E295CEFE), and when clicking on one, the user will be prompted to install the malicious build.

https://securelist.com/malicious-whatsapp-mod-distributed-through-legitimate-apps/107690/

Evolution of BazarCall Social Engineering Tactics

Daksh Kapur details an operation which falls into the ‘people who never do that’ if presented to some organisations as a threat.

BazarCall campaigns forgo malicious links or attachments in email messages in favor of phone numbers that recipients are misled into calling. It’s a technique reminiscent of vishing and tech support scams where potential victims are being cold called by the attacker, except in BazarCall’s case, targeted users must dial the number. And when they do, the users are connected with actual humans on the other end of the line, who then provide step-by-step instructions for installing malware into their devices.

https://www.trellix.com/en-us/about/newsroom/stories/research/evolution-of-bazarcall-social-engineering-tactics.html

Emotet Exposed

Ethem Bagci, Oleg Boyarchuk, Sebastiano Mariani, Stefano Ortolani, Giovanni Vigna and Jason Zhang observed new waves of Emotet attacks providing insight into the exploitation chains and inner workings of the deployed botnets.

The quality of the analysis is excellence and just highlights how enduring some criminal activity is in 2022.

https://www.vmware.com/content/dam/learn/en/amer/fy23/pdf/1669005_Emotet_Exposed_A_Look_Inside_the_Cybercriminal_Supply_Chain.pdf

The Fresh Phish Market: Behind the Scenes of the Caffeine Phishing-as-a-Service Platform

Adrian McCabe and Steve Sedotto shows that one criminal actor is trying a product led growth strategy.

Unlike most PhaaS platforms, Caffeine is somewhat unique in that it features an entirely open registration process, allowing just about anyone with an email to register for their services instead of working directly through narrow communication channels (such as underground forums or encrypted messaging services) or requiring an endorsement or referral through an existing user. Additionally, to seemingly maximize support for a variety of clientele, Caffeine also provides phishing email templates earmarked for use against Chinese and Russian targets; a generally uncommon and noteworthy feature of the platform (more on this later in the post).

https://www.mandiant.com/resources/blog/caffeine-phishing-service-platform

Abuse of Legitimate Security Tools and Health Sector Cybersecurity

From theU.S. Department of Health & Human Services providing a sector roll up.

https://www.hhs.gov/sites/default/files/abuse-of-legitimate-security-tools-and-the-hph.pdf

Masscan/Globeimposter targeting only MS-SQL in Korea

From the Korea Internet & Security Agency’s incident response team. I also learn that Google Chrome translate (and the website) implode with Notion hosted websites.

Anyway, this reporting focuses on a campaign targeting database servers with ransomware.

https://kisa-irteam.notion.site/Masscan-bca2eff1e838469faeaa47479c6bd06e

Black Basta Ransomware Gang Infiltrates networks via QAKBOT, Brute Ratel, and Cobalt Strike

Ian Kenefick, Lucas Silva and Nicole Hernandez once again highlight the interconnected web of loaders and criminal implant distribution. The rise of Brutel Ratel continues also aided by the leaked copy doing the rounds..

QAKBOT’s malware distribution resumed on September 8, 2022 following a brief hiatus, when our researchers spotted several distribution mechanisms on this date. The distribution methods observed included SmokeLoader (using the ‘snow0x’ distributor ID), Emotet (using the ‘azd‘ distributor id), and malicious spam that used the ‘BB’ and ‘Obama20x’ IDs.

A recent case involving the QAKBOT ‘BB’ distributor led to the deployment of Brute Ratel (detected by Trend Micro as Backdoor.Win64.BRUTEL) —  a framework similar to Cobalt Strike — as a second-stage payload. This is a noteworthy development because it is the first time we have observed Brute Ratel as a second-stage payload via a QAKBOT infection. The attack also involved the use of Cobalt Strike itself for lateral movement. We attribute these activities to the threat actors behind the Black Basta ransomware.

https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html

Discovery

How we find and understand the latent compromises within our environments.

TickTock

William Burgess demonstrates a Proof-of-Concept memory scanner for enumerating timer-queue timers as used in Ekko Sleep Obfuscation on Windows.

https://labs.withsecure.com/publications/hunting-for-timer-queue-timers

https://github.com/WithSecureLabs/TickTock

Device Tracking via Linux's New TCP Source Port Selection Algorithm (Extended Version)

Moshe Kol, Amit Klein and Yossi Gilad outline a really powerful yet now mitigated technique for device tracking.

We describe a tracking technique for Linux devices, exploiting a new TCP source port generation mechanism recently introduced to the Linux kernel. This mechanism is based on an algorithm, standardized in RFC 6056, for boosting security by better randomizing port selection. Our technique detects collisions in a hash function used in the said algorithm, based on sampling TCP source ports generated in an attacker-prescribed manner. These hash collisions depend solely on a per-device key, and thus the set of collisions forms a device ID that allows tracking devices across browsers, browser privacy modes, containers, and IPv4/IPv6 networks (including some VPNs).

It can distinguish among devices with identical hardware and software, and lasts until the device restarts.
We implemented this technique and then tested it using tracking servers in two different locations and with Linux devices on various networks. We also tested it on an Android device that we patched to introduce the new port selection algorithm. The tracking technique works in real-life conditions, and we report detailed findings about it, including its dwell time, scalability, and success rate in different network types.

https://arxiv.org/abs/2209.12993

Trace Oddity: Methodologies for Data-Driven Traffic Analysis on Tor

Vera Rimmer, Theodor Schnitzler, Tom Van Goethem, Abel Rodríguez Romero, Wouter Joosen, and Katharina Kohls shows what happens when science is brought to cyber and applies to anonymisation technology.

In this work, we introduced new methodologies for datadriven end-to-end correlation attacks on Tor. We proposed a new experimental setup that allows to collect Tor traffic with more realistic timing characteristics by minimizing the additional overhead in proxy-based end-to-end measurements. Furthermore, we introduced a systematic replication strategy along with appropriate evaluation metrics to allow for a fair comparison of data-driven attacks on novel data. Our empirical results demonstrate the relevance of the suggested multiproxy design: we find that the novel end-to-end correlation dataset that contains more realistic timing measurements also presents a significantly harder learning problem.

https://petsymposium.org/popets/2022/popets-2022-0074.pdf

Deploy Sysmon and collect additional data with Sentinel and the AMA agent

Jeffery Appel explains the AMA agent deployment for Sysmon with the new ASIM parser support and additional information focused on the available configuration files.

https://jeffreyappel.nl/deploy-sysmon-and-collect-data-with-sentinel-and-the-ama-agent/

Windows 11 time rules for forensics

The rules for various aspect of how time behave on various Windows 11 artefacts.

https://www.khyrenz.com/blog/windows-11-time-rules/

Defence

How we proactively defend our environments.

Microsoft Recommend Sysmon and an EDR

Stella Aghakian and Kate Livingston from Microsoft DART at Ignite in their talk Stories from DART: Taking the ware out of ransomware

https://ignite.microsoft.com/en-US/sessions/1dad6c65-c0af-4614-b7b9-10308014b847?source=sessions

How to implement the Exchange Split Permissions Model?

Huy documents how to deploy defence in depth for those of you brave enough to still run on premises Microsoft Exchange. An a-typical deployment model but a valuable one.

The concept around Exchange Split Permissions Model is to separate the management tasks between Exchange and Active Directory objects. Permissions to create security principals in the Active Directory domain partition are completely removed from any Exchange user, service, or server. In order to allow Exchange Admins to still do their job. The permissions need to be delegated and Exchange Admins also need to start using the RSAT toolkit as well. Like for example tools such as Active Directory Users and Computers, and so on. We will be explaining this later in detail.

https://m365internals.com/2022/10/10/how-to-implement-the-exchange-split-permissions-model/

Vulnerability

Our attack surface.

pfSense Post Auth RCE

이예랑 a Korean based researcher shows why you need protect those firewall credentials if you don’t want a long term persistence problem because of this vulnerability. Note this vulnerability was via third party Secure Disclosure program.

A vulnerability in pfSense allows authenticated users to cause the product to execute arbitrary code – this in turn would allow an attacker to compromise the machine on which the pfSense is installed.

https://ssd-disclosure.com/ssd-advisory-pfsense-post-auth-rce/

CVE-2022-0030 PAN-OS: Authentication Bypass in Web Interface

Yup, lesson once more why we separate the management plane from traffic.

An authentication bypass vulnerability in the Palo Alto Networks PAN-OS 8.1 web interface allows a network-based attacker with specific knowledge of the target firewall or Panorama appliance to impersonate an existing PAN-OS administrator and perform privileged actions

https://security.paloaltonetworks.com/CVE-2022-0030

CVE-2022-34689: Windows CryptoAPI Spoofing Vulnerability

Found by the UK National Cyber Security Centre (NCSC) and the National Security Agency (NSA). Amazing work resulting patches going back all the way to Windows 7 due to severity.

An attacker could manipulate an existing public x.509 certificate to spoof their identify and perform actions such as authentication or code signing as the targeted certificate.

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-34689

CVE-2022-36067: New RCE in node.js library vm2

When sandboxes don’t sandbox

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. In versions prior to version 3.9.11, a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.

https://nvd.nist.gov/vuln/detail/CVE-2022-36067

The Race to Native Code Execution in PLCs

Not sure I agree on the level of innovation but a good example of the end to end pain that hardcoded crypt brings. The fact this impacts Operational Technology due further compounds the anxiety.

Using RCE to Uncover Siemens SIMATIC S7-1200/1500 Hardcoded Cryptographic Keys

• [We] developed a new, innovative method to extract heavily guarded, hardcoded, global private cryptographic keys embedded within the Siemens SIMATIC S7-1200/1500 PLC and TIA Portal product lines.

• An attacker can use these keys to perform multiple advanced attacks against Siemens SIMATIC devices and the related TIA Portal, while bypassing all four of its access level protections. 

https://claroty.com/team82/research/the-race-to-native-code-execution-in-plcs-using-rce-to-uncover-siemens-simatic-s7-1200-1500-hardcoded-cryptographic-keys

Signature bypass via multiple root elements in node-saml

The third SAML implementation vulnerability in about 6 weeks. It is almost as if the many eyes model isn’t entirely the panacea we would hope. Be interesting to see the long tail stemming from this.

A remote attacker may be able to bypass SAML authentication on a website using passport-saml. A successful attack requires that the attacker is in possession of an arbitrary IDP signed XML element.

https://github.com/node-saml/passport-saml/security/advisories/GHSA-m974-647v-whv7

Offense

Attack capability, techniques and tradecraft.

On Bypassing eBPF Security Monitoring

Lorenzo Stella shows that the a bit like the Force the continual struggle / game of 🐈 and 🐁between red and blue brings balance.

You can see an illustration of how we managed to bypass eBPF-based controls, along with some ideas on how red teams or malicious actors could evade these new intrusion detection mechanisms. These techniques can be generally applied to other targets while attempting to bypass any security monitoring solution based on eBPF:

https://blog.doyensec.com/2022/10/11/ebpf-bypass-security-monitoring.html

Exploitation

What is being exploited.

CVE-2022-41352: Zimbra Collaboration (ZCS) 8.8.15 and 9.0 exploit

Which can be emailed and is known to be exploited in the wild.

https://attackerkb.com/topics/1DDTvUNFzH/cve-2022-41352/rapid7-analysis

CVE-2022-40684: FortiOS / FortiProxy / FortiSwitchManager

Exploits out and mass exploitation happening according to 3rd party reporting.

Authentication bypass on administrative interface - Fortinet is aware of an instance where this vulnerability was exploited, & recommends immediately validating your systems against the following indicator of compromise in the device's logs

https://github.com/horizon3ai/CVE-2022-40684

https://www.fortiguard.com/psirt/FG-IR-22-377

The twists and turns of the latest CobaltStrike RCE

Chinese research drops a wicked capability here.

Through this vulnerability, the data containing xss can be sent to the teamserver after capturing the attacker's beacon. After reflection, RCE is finally executed on the attacker's client.

https://mp-weixin-qq-com.translate.goog/s?__biz=MzIxNDAyNjQwNg%3D%3D&mid=2456098978&idx=1&sn=d511d5a674d84eeaf262c8e389ae0403&chksm=803c696bb74be07d8ef8e473b11ffe4dce57b58ccf82e8615ab15d9ba6bba9263360c01276a8&_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp

Tooling and Techniques

Low level tooling for attack and defence researchers.

What can we learn from leaked Insyde's BIOS for Intel Alder Lake

BIOS source code leaked for some Intel CPUs including code signing keys this is the impact / analysis.

According to the timestamp of the github repository, an unidentified user uploaded the Insyde’s partial firmware solution (4.8GB) only for Intel Alder Lake platform, which contains Intel reference implementation, OEM implementation, IBV solution, and related documentation on September 30, 2022.

https://hardenedvault.net/blog/2022-10-08-alderlake_fw-leak/

Footnotes

Some other small (and not so small) bits and bobs which might be of interest.

• Threat Horizons - September 2022 - from Moogle

• Threat Report T2 2022

• The 5×5—The Internet of Things and national security

• Capturing Detection Ideas to Improve Their Impact - from Florian

• Special report: When spyware turns phones into weapons - Committee to Protect Journalists

• SpaceSec23: Workshop on the Security of Space and Satellite Systems - Call for Papers - San Diego, CA, United States, February 27, 2023

• Cyber Laws and Modern Surveillance; Public Protection or Privacy Violation - opinion piece

This week you get some ANSI by Silver Rat // The Legion (1998) - if for no other reason that in a different universe it could be an APT’s logo for their implant framework and I liked the art.

That’s all folks.. until next week..