Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.

Operationally this week was the disclosure of the massive Distributed Denial of Service due a property of the HTTP2 protocol which was discovered and used in the wild against numerous large platforms.

In the high-level this week:

• Cyber resilience of the UK's critical national infrastructure - UK Parliament - call for evidence in the UK

• Record $7 billion in crypto laundered through cross-chain services - Cross-chain crime refers to the swapping of cryptoassets between different tokens or blockchains – often in rapid succession and with no legitimate business purpose

• Is it legal to pay ransomware where you are? - an open source project

• The emergence of non-personal data markets - The data economy in the transport and mobility sector is one of the five fastest growing and is expected to expand to nearly €25 billion annually by 2025. Data includes dynamic information from sensors about ongoing movements as well as details of events such as accidents or traffic jams and static information about road layout, parking, and fuelling areas etc.

• $49.5 Million Multistate Settlement with Blackbaud for Data Breach Impacting Thousands of Nonprofits and Millions of Consumers - the controls and governance agreements are an indictment that as part of the settlement they were required.

• Is Cybersecurity a Public or Private Good? - Although cybersecurity is a “team sport”, this essay argues that the state needs to play an even bigger role than the users.

• Official Public Political Attribution of Cyber Operations: State of Play and Policy Options - Official public political attributions differ in how they specify the attributed actor and sometimes include a message addressed to the actor

• EU Cybersecurity requirements for ICT product certification - draft standards seeking feedback by Oct 31st - The voluntary scheme will introduce a set of security requirements for ICT security products (e.g. firewalls, encryption devices, electronic signature devices) and ICT products with an inbuilt security functionality (i.e. routers, smartphones, bank cards).

• China

  • Former Soldier Indicted for Attempting to Pass National Defense Information to People’s Republic of China - He allegedly retained a device that allows for access to secure military computer networks and offered the device to Chinese authorities to assist them in efforts to gain access

• Artificial intelligence

  • Chinese Regulators Give AI Firms a Helping Hand - Chinese firms might even have a competitive advantage over their American and European counterparts.

  • Algorithmic extremism? The securitization of artificial intelligence (AI) and its impact on radicalism, polarization and political violence

  • UNESCO, Dutch launch project to prepare for AI supervision

  • Security Weaknesses of Copilot Generated Code in GitHub - or why we will still have jobs.

• Cyber proliferation

  • Vietnam tried to hack CNN’s Jim Sciutto, Rep. Mike McCaul etc.

  • The Predator Files: European Spyware Consortium Supplied Despots and Dictators

  • Investigation: How Israeli spyware was sold to Egypt and pitched to Qatar and Saudi Arabia

  • Mercenary spyware: Defending against what's next – iMEdD International Journalism Forum 2023

  • Independently Confirming Amnesty Security Lab’s finding of Predator targeting of U.S. & other elected officials on Twitter/X

• Cyber insurers cut their premiums, but demand you do more - The good news is that that correction has taken place now. And now we’re seeing a flattening of premiums … But you need to demonstrate very strong cyber maturity to continue to have cyber insurance.

• The Cost of Inaction A CISO’s guide for getting boards of directors to invest in cybersecurity

The reflection this week is the screaming war cry for the continued need for evidenced efficacy of secure solutions. Why? Well this (credit Florian Roth). I just hope it is a joke..

On the interesting job/role front (thanks to those sending me these):

• Security Engineer at Meta Menlo Park, CA in the USA

• Policy Advisor(s)  National Security and Data Infrastructure at the Department for Science Innovation and Technology

• Cyber Engagement and Assurance Advisor at the Government Security Function in the UK

• Researcher, Cybersecurity (General) – Security and Technology Programme at the UNIDIR an autonomous institution within the United Nations

• Researcher, Cybersecurity (International Law)  – Security and Technology Programme at the UNIDIR an autonomous institution within the United Nations

• ATT&CK Cyber Threat Intelligence Task Lead at MITRE at various locations in the USA

• Head of Cyber Programme at the Department of Transport in the UK

• Deputy Chief Information Security Officer at DSTL in the UK

• Reader (Associate Professor) in Cyber Security at Loughborough University in the UK

• Professor in Cyber Security at Loughborough University in the UK

Views are my own / attribution by others etc.

Enjoying this? don’t get via e-mail? Subscribe:

Think someone else would benefit? Share:

Share

Have a lovely Thursday

Ollie

Cyber threat intelligence

Who is doing what to whom and how.

Russia

Threat Actor deploys Mythic’s Athena Agent to target Russian Semiconductor Suppliers

Target is Russia in this curious case. Be interesting when attribution occurs. The threat actor used the WinRAR vulnerability for initial access.

• [We] came across a new spear phishing email targeting a leading Russian semiconductor supplier.

• In this targeted attack, we observed Threat Actors (TAs) leveraging a Remote Code Execution (RCE) vulnerability, identified as CVE-2023-38831, to deliver their payload on compromised systems.

• The objective of this attack is to gain complete control over the compromised system using a second-stage payload known as “Athena,” an agent of the Mythic C2 framework.

• The identity of the Threat Actor responsible for this attack remains unknown, and we currently cannot link it to any known APT groups.

https://cyble.com/blog/threat-actor-deploys-mythics-athena-agent-to-target-russian-semiconductor-suppliers/

North Korea

Assessed Cyber Structure and Alignments of North Korea in 2023

Michael Barnhart, Austin Larsen, Jeff Johnson, Taylor Long, Michelle Cantos and Adrian Hernandez give us an assessment on the current state of affairs in the cyber bowels of the hermit kingdom. Clearly all that crypto has allowed them to invest more. Of note and reflected in the weekly reporting is their diversification away from Windows to include macOS and Linux.

• The DPRK’s offensive program continues to evolve, showing that the regime is determined to continue using cyber intrusions to conduct both espionage and financial crime to project power and to finance both their cyber and kinetic capabilities.

• Latest DPRK nexus operations hint at an increase in adaptability and complexity, including a cascading software supply chain attack seen for the first time, and consistently targeting blockchain and fintech verticals.

• While different threat groups share tooling and code, North Korean threat activity continues to adapt and change to build tailored malware for different platforms, including Linux and macOS.

https://www.mandiant.com/resources/blog/north-korea-cyber-structure-alignment-2023

The evolution of North Korean Android spyware

Ovi Liber gives us a sense of what a evolving framework based capability against Android looks like from North Korea. The fact they have a framework for an Android implant they haven’t totally had to burn due to our ability detect in a pervasive manner says something..

https://www.0x0v1.com/the-evolution-of-apt37s-rokrat-rambleon-android-spyware/

China

China explore Confluence vulnerability as zero day

So it turns our a previously indicted Chinese threat actor who also previously had ColdFusion zero-days was behind the Confluence zero-day. The vulnerability itself was trivial and a real doh! moment. All the MSFT beyond this tweet is behind paywall.

[We] observed nation-state threat actor Storm-0062 exploiting CVE-2023-22515 in the wild since September 14, 2023. CVE-2023-22515 was disclosed on October 4, 2023. Storm-0062 is tracked by others as DarkShadow or Oro0lxy

https://twitter.com/MsftSecIntel/status/1711871732644970856

Stayin’ Alive - Targeted Attacks Against Telecoms and Government Ministries in Asia

China continuing their mission against telecommunication firms globally. The initial access is nothing to write home about, but a data point i.e. emailing .zips with malicious payloads in.

• “Stayin’ Alive” is an active campaign mainly targeting the Telecom industry in Asia. The targeted countries include Kazakhstan, Uzbekistan, Pakistan, and Vietnam.

• The campaign leverages spear-phishing emails to deliver archive files utilizing DLL side-loading schemes, most notably hijacking dal_keepalives.dll in Audinate’s Dante Discovery software (CVE-2022-23748).

• The threat actors behind the “Stayin’ Alive” campaign utilize multiple unique loaders and downloaders, all connected to the same set of infrastructure, linked to a Chinese affiliated threat actor most commonly referred to as “ToddyCat.”

• The functionality of the backdoors and the loaders is very basic and highly variable. This suggests the actors treat them as disposable, and likely mostly use them to gain initial access.

https://research.checkpoint.com/2023/stayin-alive-targeted-attacks-against-telecoms-and-government-ministries-in-asia/

Iran

Nothing this week although Predatory Sparrow (who has previously operated against industrial control systems in Iran) has woken up.

Other

Grayling: Previously Unseen Threat Actor Targets Multiple Organizations in Taiwan

Not attributed to a country, but looks very Chinese in TTP terms.

There are indications that Grayling may exploit public facing infrastructure for initial access to victim machines. Web shell deployment was observed on some victim computers prior to DLL sideloading activity taking place. DLL sideloading is used to load a variety of payloads, including Cobalt Strike, NetSpy, and the Havoc framework. 

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayling-taiwan-cyber-attacks

Badbox

Marion Habiby, Joao Santos, Vikas Parthasarathy, Joao Marques, Adam Sell, Inna Vasilyeva, Maor Elizen, Gabi Cirlig and Zach Edwards give us stuff of nightmares (especially for incoming CTOs of NCSCs) - Found in US schools, via a supply chain and criminal in nature. Welcome to 2023 everyone! Lets be honest, not much stopping much more of this today..

A supply chain compromise to infect the firmware of more than 70,000 Android smartphones, CTV boxes, and tablet devices with Triada malware

https://www.humansecurity.com/hubfs/HUMAN_Report_BADBOX-and-PEACHPIT.pdf

The Art of Concealment: A New Magecart Campaign That’s Abusing 404 Pages

Roman Lvovsky shows there are ingenious threat actors - why? How many automated frameworks to detect threats ignore 404s. Expect wider adoption in 5..4..3..

• [We] detected a Magecart web skimming campaign that is targeting an extensive list of websites, including large organizations in the food and retail industries.

• This campaign stands out because of its three advanced concealment techniques, one of which we had never seen before — specifically, manipulating the website’s default 404 error page to hide malicious code — that poses unique challenges for detection and mitigation. 

• The other two obfuscation techniques showcase the evolving tactics that attackers are using to avoid detection and lengthen the attack chain. 

• As web skimming attacks become increasingly sophisticated, organizations must remain vigilant and explore advanced approaches to protect against these evolving threats.

https://www.akamai.com/blog/security-research/magecart-new-technique-404-pages-skimmer

Discovery

How we find and understand the latent compromises within our environments.

How To Develop Yara Rules for .NET Malware Using IL ByteCodes

Matthew Brennan gives the world a robust capability here.

To quickly produce a Yara rule for .NET based malware.
- Locate the Configuration function
- Switch from C# to IL view to view opcodes/bytecodes
- Copy out raw code into text editor.
- Keep OpCodes, Wildcard on Operands
- Copy bytes into a yara rule
- Test Yara rule against malware repo.

https://embee-research.ghost.io/yara-rule-development-il-instructions-in-redline-malware/

Cobalt Strike 4.9 Beacon Memory Yara

With ❤️ from a competitor.

https://github.com/paranoidninja/Cobaltstrike-Detection/blob/main/cs49.yara

Defence

How we proactively defend our environments.

KubeHound: Kubernetes Attack Graph

What Bloodhound did from Active Directory this team has done for containers.

A Kubernetes attack graph tool allowing automated calculation of attack paths between assets in a cluster

https://github.com/DataDog/KubeHound

Apple's Sonoma’s log gets briefer and more secretive

One wonders what they do internally..

Despite its many great strengths, the Unified log has suffered two problems that are limiting its usefulness in Sonoma: its diminishing period of coverage, and censorship.

https://eclecticlight.co/2023/10/07/sonomas-log-gets-briefer-and-more-secretive/

Scanner for CVE-2023-22515 - Broken Access Control Vulnerability in Atlassian Confluence

Erik Wynter removes any excuse for getting owned (further) by this vulnerability.

This is simple scanner for CVE-2023-22515, a critical vulnerability in Atlassian Confluence Data Center and Server that is actively being exploited in the wild by threat actors in order "to create unauthorized Confluence administrator accounts and access Confluence instances".

https://github.com/ErikWynter/CVE-2023-22515-Scan

Conditional Access - Common Microsoft 365 Security Mistakes Series

Ru Campbell provides a very useful guide for those getting started with conditional access.

1. Exclusions and access gaps aren’t minimized with additional policies

2. Location based policies don’t consider VPNs

3. No or poor break glass/emergency access account setup

4. Unprotected Conditional Access groups

5. No architectural framework leads to gaps and complex management

https://campbell.scot/conditional-access-common-microsoft-365-security-mistakes-series/

Incident Writeups

How they got in and what they did.

Major Cyber Incident: KA-SAT 9A - EuRepoC: European Repository of Cyber Incidents - Other incident names: Viasat, AcidRain

Mika Kerttunen, Kim Schuck and Jonas Hemmelskamp write up this incident so others can study.

Several countries and legal scholars have commented on the Viasat incident, which has been singled out as one of the largest formal attributions of a cyberattack to a nationstate in history. Nearly 20 countries accused Russia of being responsible for this hack, including a dozen EU member states and the Five Eyes countries

https://eurepoc.eu/publication/major-cyber-incident-ka-sat-9a/

Netscaler Exploitation to Social Engineering: Mapping Convergence of Adversary Tradecraft Across Victims

Matthew Brennan (again this week), Harlan Carvey, Anthony Smith, Craig Sweeney, and Joe Slowik. 

in mid-September 2023 … analysis of several recent intrusions revealed a wider pattern.

Further examination identified a link with publicly available threat intelligence information, revealing commonalities in a campaign spanning multiple organizations. While the impact of these intrusions remains unknown as activity was identified and stopped before the adversary’s intentions could become known, the identified tradecraft overlaps with various trends currently observed in the information landscape: living off the land binaries (LOLBins) and behaviors, emphasis on evasion and obfuscation, and even the use of non-standard means to induce victim personnel to interact with malicious resources.

https://www.huntress.com/blog/netscaler-exploitation-to-social-engineering-mapping-convergence-of-adversary-tradecraft-across-victims

Vulnerability

Our attack surface.

100,000 [internet] exposed industrial control systems [that have been identified so far]

Headline scary, but getting better..

https://www.bitsight.com/blog/bitsight-identifies-nearly-100000-exposed-industrial-control-systems

Turn OFF This WatchGuard Feature - GuardLapse

Eddie Zhang gives pause for thought and an example nuance - when is by design not a vulnerability?

Picture this: a feature from a security appliance that willingly dispatches its password hashes to any device on the network. That is precisely what WatchGuard's SSO does under certain circumstances. Does a bad feature warrant filing a CVE? I'm not sure.

https://projectblack.io/blog/turn-off-this-watchguard-feature-guardlapse/

1-Click RCE on GNOME (CVE-2023-43641)

Kevin Backhouse details a delicious vulnerability we can expect to be exploited in the wild. Also when Linux starts to look a lot like its desktop cousins.

inadvertently clicking a malicious link is all it takes for an attacker to exploit CVE-2023-43641 and get code execution on your computer:

https://github.blog/2023-10-09-coordinated-disclosure-1-click-rce-on-gnome-cve-2023-43641/

DSA-2023-283: Security Update for Dell SmartFabric Storage Software Vulnerabilities

Ideal for ransomware crews..

A remote unauthenticated attacker may exploit this vulnerability and escalate privileges up to the highest administration level.

https://www.dell.com/support/kbdoc/en-uk/000216587/dsa-2023-283-security-update-for-dell-smartfabric-storage-software-vulnerabilities

Offense

Attack capability, techniques and trade-craft.

Reflective call stack detections and evasions

Bobby Cooke and Dylan Tran provide both the offensive and the defensive aspects which is 👏.

we explored reflective loading through the lens of an offensive security tool developer, highlighting detection and evasion opportunities along the way. This time we are diving into call stack detections and evasions, and how BokuLoader reflectively loads call stack spoofing capabilities into beacon.

https://securityintelligence.com/x-force/reflective-call-stack-detections-evasions/

expose: Exposes a persistent shadow copy on Windows as a drive letter, share, or mount point

Who news this was possible.. apparently threat actors to allow them to go mooching.

https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/expose

Updated version of System Management Mode backdoor for UEFI based platforms: old dog, new tricks

Dmytro Oleksiuk gives the world more stuff of nightmares. These low level implants are just tricky, especially if there isn’t the telemetry in/on the host OS to catch the initial deployment.

In addition to the usual firmware flash image infection method as described in the article, new SMM backdoor also can be deployed with pre-boot DMA attack using PCI Express DIY hacking toolkit and industry-wide EFI SMM Core vulnerability exploitation to perform DXE to SMM execution transition. The vulnerability INTEL-SA-00144 was discovered by myself and reported to Intel PSIRT years ago, but it still remains not patched on many products that using old EDK2 derived firmware code, including whole AMI Aptio family. Latest generations of Intel machines are likely not vulnerable to this attack.

https://github.com/Cr4sh/SmmBackdoorNg

R2R stomping

Jiri Vinopal ups the detection cat and mouse game for in memory implants. I suspect threat actors to adopt this technique and few EDRs to be able to detect.

• a new method for running hidden implanted code in ReadyToRun (R2R) compiled .NET binaries, R2R stomping.

• We explain the implementation of R2R stomping with a focus on its internals.

• The resulting problems of the R2R stomping technique will affect the work of the reverse engineers and security researchers.

• CPR details techniques and tools to reverse engineer R2R stomped Assemblies and possible ways of detection.

• We did not find evidence of using the R2R stomping in the wild, but we can not fully exclude a chance of being already a part of some advanced arsenals.

https://research.checkpoint.com/2023/r2r-stomping-are-you-ready-to-run/

Exploitation

What is being exploited.

ESP32-Sour-Apple

Uses a vulnerability crash iOS 17 devices over Bluetooth

https://github.com/RapierXbox/ESP32-Sour-Apple

Global NetScaler Gateway credential harvesting campaign

John Dwyer, Richard Emerson, Bastien Lardy and Ruben Castillo detail a really interesting campaign here. The subtly of persistence and the value it would yield the threat actor is 10/10.

attackers were exploiting the vulnerability identified in CVE-2023-3519 to attack unpatched NetScaler Gateways to insert a malicious script into the HTML content of the authentication web page to capture user credentials

https://securityintelligence.com/posts/x-force-uncovers-global-netscaler-gateway-credential-harvesting-campaign/

Threat Actors Actively Exploiting Progress WS_FTP via Multiple Attack Chains

Alex Delamotte & Christian Vrescak show once again the pile in which can occur for vendors when threat actors and researchers sense blood in the water. Also the fact a vendor has been found systemically wanting is a warning sign I suspect.

This active, in-the-wild exploitation marks the third wave of attacks against a Progress Software product in 2023. While exploitation is likely opportunistic, organizations in the Information Technology Managed Service Provider (IT MSP), Software and Technology, Legal Services, Engineering and Construction, Oil and Natural Gas (ONG), Healthcare, and Nonprofit sectors have been impacted.

https://www.sentinelone.com/blog/threat-actors-actively-exploiting-progress-ws_ftp-via-multiple-attack-chains/

How PROPHET SPIDER Exploits Oracle WebLogic

When criminal threat actors use vulnerabilities which are three years old to good effect. Marty where we are going we don’t need zero-days..

• [We] have observed multiple campaigns by the eCrime actor PROPHET SPIDER where the adversary has exploited Oracle WebLogic using CVE-2020-14882 and CVE-2020-14750 directory traversal Remote Code Execution (RCE) vulnerabilities.

• PROPHET SPIDER is proficient in exploiting and operating in both Linux and Windows platforms.

• It is likely PROPHET SPIDER monetizes access to victim environments by handing off access to third parties that will deploy ransomware.

https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/

Tooling and Techniques

Low level tooling and techniques for attack and defence researchers…

FASER: Binary Code Similarity Search through the use of Intermediate Representations or Cross-Architecture Function Similarity Search Model

Wonderful work by a fellow Brit Josh Collyer here.

Being able to identify functions of interest in cross-architecture software is useful whether you are analysing for malware, securing the software supply chain or conducting vulnerability research. Cross-Architecture Binary Code Similarity Search has been explored in numerous studies and has used a wide range of different data sources to achieve its goals. The data sources typically used draw on common structures derived from binaries such as function control flow graphs or binary level call graphs, the output of the disassembly process or the outputs of a dynamic analysis approach. One data source which has received less attention is binary intermediate representations. Binary Intermediate representations possess two interesting properties: they are cross architecture by their very nature and encode the semantics of a function explicitly to support downstream usage.

Within this paper we propose Function as a String Encoded Representation (FASER) which combines long document transformers with the use of intermediate representations to create a model capable of cross architecture function search without the need for manual feature engineering, pre-training or a dynamic analysis step. We compare our approach against a series of baseline approaches for two tasks; A general function search task and a targeted vulnerability search task. Our approach demonstrates strong performance across both tasks, performing better than all baseline approaches.

https://github.com/br0kej/FASER

PRoofster: Automated Formal Verification

How we bring down the cost and up the automation of formal verification is one of those hard problems. PRoofster is a step in the right direction..

Formal verification is an effective but extremely work-intensive method of improving software quality. Verifying the correctness of software systems often requires significantly more effort than implementing them in the first place, despite the existence of proof assistants, such as Coq, aiding the process. Recent work has aimed to fully automate the synthesis of formal verification proofs, but little tool support exists for practitioners.

This paper presents PRoofster, a web-based tool aimed at assisting developers with the formal verification process via proof synthesis. PRoofster inputs a Coq theorem specifying a property of a software system and attempts to automatically synthesize a formal proof of the correctness of that property. When it is unable to produce a proof, PRoofster outputs the proof-space search tree its synthesis explored, which can guide the developer to provide a hint to enable PRoofster to synthesize the proof

https://people.cs.umass.edu/~brun/pubs/pubs/Agrawal23icse-demo.pdf

Footnotes

Some other small (and not so small) bits and bobs which might be of interest.

• Aggregate reporting

  • Digital Defense Report 2023 - fourth annual edition of the report for the reporting period from July 2022 through June 2023.

  • H1 2023 – a brief overview of main incidents in industrial cybersecurity

  • Malware Trends Report: Q3, 2023

• Managing Cybersecurity for ICS - from the French Government

• ANSSI views on the Post-Quantum Cryptography transition (2023 follow up) - August 29, 2023 - ANSSI encourages all industries to include the quantum threat in their risk analysis and to consider including quantum mitigation in the relevant cryptographic products.

• AUSA 2023 Warriors Corner: The Special Operations Forces (SOF) Space Cyber Triad – Enhancing Large Scale Combat Operations Now and in the Future

• Reducing Cyber Risk Across Defence - a UK competition being run with £880k of funding for TRL 6 solutions to the following:

  • Novel tools that strengthen digital resilience across defence

  • Novel approaches that enable security by default

  • Novel ways to quantify Operational Technology risk

• Artificial intelligence

  • Low-Resource Languages Jailbreak GPT-4

  • promptmap is a tool that automatically tests prompt injection attacks on ChatGPT instances

  • Responsible AI Pattern Catalogue: A Collection of Best Practices for AI Governance and Engineering

  • Security and Privacy on Generative Data in AIGC: A Survey -

  • Who's Harry Potter? Approximate Unlearning in LLMs

  • Self-Taught Optimizer (STOP): Recursively Self-Improving Code Generation -

  • Large Language Models for Software Engineering: Survey and Open Problems

  • Decomposing Language Models Into Understandable Components

• Books

  • None this week

• Events

  • Journal of Cyber Policy - Call for Abstracts: Mentorship Scheme

  • Objective by the Sea v6.0 Day 1 (Live-Stream recording)

Video of wisdom here Compliance Cautions: Security Issues Associated with U.S. Digital-Security Standards