Bluepurple Pulse: week ending October 22nd
When video game developer security and real-world attacks become a thing..
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week, multiple developers had their Steam accounts compromised and their games backdoored, resulting in Valve introducing mandatory SMS MFA in response. Then we had the rather large router compromise (see below).
In the high-level this week:
Secure-by-Design - we’ve gone big here - no turning back!
New Commander of the UK’s National Cyber Force appointed - Air Vice-Marshal Tim Neal-Hopes OBE has been appointed
UN cybercrime treaty: A menace in the making - article covering the below.
UN Cybercrime Treaty Talks End Without Consensus on Scope And Deep Divides About Surveillance Powers - It became apparent that many nations, including Russia, Eritrea, Burundi, Sierra Leone, Zimbabwe, Ghana, Korea, and others, were vying to expand the proposed treaty's surveillance scope to cover practically any offense imaginable where a computer was involved, both at home and abroad.
Japan, U.S., EU hold cyber defense drill with India - Japan's Information-technology Promotion Agency, which is overseen by METI, opened part of the exercise to the public on Thursday. Participants practiced responding to an attack on the control system of robotic arms at a factory.
Finland faces growing Russian online threat, Finnish security services say - Russia’s espionage attempts towards us have increased during the war, mainly in the cybersphere.
Russian Government and business are discussing the introduction of mandatory insurance against cyber attacks - or how to cripple a regional insurance sector when they don’t understand the liability.
Cyber risks and operational resilience: getting prepared − speech by Elisabeth Stheeman from the Bank of England
Lloyd’s finds major hack of a payments system could cost $3.5tn - Lloyd’s of London has warned that a major cyber attack on a global payments system could cost the world economy $3.5tn, as insurers and companies worry about the systemic threat from hackers and whether the risks are insurable.
California signs the Data broker registration: accessible deletion mechanism into law.
US Water Industry, GOP Allies Defeat Government's Push To Protect Water Supply From Hackers - The EPA is eliminating its new requirement for states to inspect water utilities’ cyber defenses, a major victory for the water industry and the Republican-led states that sued the agency over the rule.
Moldovan Charged, Arrested, And Extradited For Administration Of Site Involved In The Illicit Sale Of Compromised Computer Credentials - Diaconu faces a maximum penalty of 20 years in federal prison.
Equifax fined £11m over ‘entirely preventable’ major cyber-security breach - it only disclosed this in September and vastly underplayed the number of customers impacted – 400,000 when in fact 13.8 million were at risk of financial crime after having their personal details exposed.
The ICRC reinvents its cyber future, but not in Switzerland - the ICRC is setting itself up as a global laboratory for technical innovation and has chosen Luxembourg as the place to do it
Interventions to strengthen cyber resilience - EUR 15 million on offer in Italy
Singapore Police launch their one stop shop on Ransomware.
Major international operation against the Ragnar Locker ransomware group with Eurojust support - the main perpetrator, suspected of being a developer of the Ragnar group, has been brought in front of the examining magistrates of the Paris Judicial Court.
China proposes blacklist of training data for generative AI models - The committee proposes conducting a security assessment of each body of content used to train public-facing generative AI models, with those containing "more than 5% of illegal and harmful information" to be blacklisted.
Examining Chinese citizens’ views on state surveillance - Presenting an analysis of more than 1,700 PRC government procurement documents, the platform encouraged participants to engage with, critically evaluate and share their views on that information. The research platform engaged more than 55,000 PRC residents.
Introducing The Foundation Model Transparency Index - A new index rates the transparency of 10 foundation model companies and finds them lacking.
EU Data Protection Supervisor - Opinion 42/2023 on the Proposals for two Directives on AI liability rules
State of AI Report 2023 - AI startups focused on generative AI applications (including video, text, and coding), raised over $18 billion from VC and corporate investors.
Mercenary hackers stole data that Exxon later cited in climate lawsuits - Prosecutors stopped short of stating a connection between the Israeli private eye – former policeman Aviram Azari – and Exxon, and the memo did not identify any of his clients. Victims say that leaves a key question unanswered.
Sandvine Scraps Plan to Market Tool in US That Tracks Encrypted Messages - Computer networking company lays off 50 employees, including many of those working on ‘Digital Witness’
Unmasking the Term 'Dual Use' in EU Spyware Export Control - Unmasking how the term transposes a conceptually flawed, deceptive and empty duality to the spyware context, this article shows that the very concept of dual use may undermine human rights safeguards in spyware export control.
No reflections this week but some great news - we have agreed that I will continue to write a weekly note once I’ve joined the UK’s National Cyber Security Centre next week in this format. The URL will change but I will be sure to send a note with the new Substack address when it is up and running next week.
On the interesting job/role front (thanks to those sending me these):
Research Fellow - CyberAI at the Center for Security and Emerging Technology
Head of Data Platforms - Cyber Security at Tesco in the UK
Cyber Security Operations Manager at Formula 1 in the UK
Director of Science and Innovation-Fundamental Research at The Alan Turing Institute in the UK
Views are my own / attribution by others etc.
Have a lovely Friday
Cyber threat intelligence
Who is doing what to whom and how.
The number of recorded cyber incidents more than doubled in H1 2023
Reporting from Ukraine on the sheer volume they are contending with.
The SSSCIP has recorded 762 cyber incidents over H1 2023 (excluding SOC incidents). It means a daily average of four to five attack attempts against Ukrainian information and communication systems made by the enemy hackers. By contrast, only 342 incidents (excluding SOC incidents) were recorded throughout H1 2022 (1–2 a day on average).
This is covered in the SSSCIP Analytical Report “Russian Cyber Operations: how Russian government-controlled hacking groups shift their tactics, objectives and capacities.”
At least 23 Russian cyber terrorist groups act against Ukraine
Further insight as to the scale that Ukraine is being subjected to by Russia.
The experts report continued activity by at least 23 russian cyber terrorist hacking groups over H1 2023. All of them pursue various goals, including military-related ones, by attacking both public and private sectors.
CVE-2023-38831 Exploited by Pro-Russia Hacking Groups in RU-UA Conflict Zone for Credential Harvesting Operations
In a world of single factor authentication there will continue to be value in running these operations to collect credentials.
The lure file consists of a PDF document, contained in the archive, that shows a list of Indicators of Compromise (IoCs) with domain names and hashes related to different malware, including SmokeLoader, Nanocore RAT, Crimson RAT and AgentTesla. Due to the vulnerability, clicking on the PDF file causes a BAT script to be executed, which launches PowerShell commands to open a reverse shell that gives the attacker access to the targeted machine, and a PowerShell script that steals data, including login credentials, from the Google Chrome and Microsoft Edge browsers.
Then we have the Google reporting on the same topic
Operation HideBear: Russian Threat Actors Targeting East Asia and North America
Chinese reporting on an unattributed Russian operation with a complex chain.
[We] observed an unknown threat actor group towards the end of 2022. They were impersonating some common software download pages and buying Google search ranking to deploy these fake websites ahead of official websites. Their aim was to induce victims into downloading installation packages that had unofficial but valid signatures, repackaged using Inno Setup.
Void Rabisu Targets Female Political Leaders with New Slimmed-Down ROMCOM Variant
Feike Hacquebord and Fernando Merces detail some very specific targeting by this threat actor.
Void Rabisu is one of the clearest examples where we see a mix of the typical tactics, techniques, and procedures (TTPs) used by cybercriminal threat actors and TTPs used by nation-state-sponsored threat actors motivated primarily by espionage goals. For example, Void Rabisu has been signing malware with certificates most likely bought from a third-party service provider that other cybercriminal groups are also using. The threat actor has also employed malicious advertisements on both Google and Bing to generate search engine traffic to their lure sites, which contain malicious copies of software often used by system administrators.
Sticky Werewolf spies attack government organizations in Russia and Belarus
Not Russia, but affecting Russia, which in and of itself is interesting.
[We] discovered a new group that uses conditionally legitimate software to interfere with the work of government organizations. A characteristic feature of this criminal community, called Sticky Werewolf, is the use of fairly popular, commercially available tools that are easy to detect and block.
Government organizations in Russia and Belarus remain a popular target for espionage attackers.
When attacking many government organizations, attackers manage to effectively use even popular RAT-class malware to gain initial access.
To increase the effectiveness of popular malware, attackers use protectors, such as Themida, which makes it difficult to analyze their activity.
Operation Dream Magic
South Korean reporting on North Korean activity using compromised websites as watering holes once again.
The vulnerability of the program exploited in this watering hole has been changed to Magic Line, but the watering hole process is the same as the past IniSafe case.
Multiple North Korean threat actors exploiting the TeamCity CVE-2023-42793 vulnerability
Interesting that North Korea is breaking into CI/CD environments. Considering they have run software supply chain attacks before, this could get a little, shall we say, exciting!
[We] observed two North Korean nation-state threat actors - … – exploiting CVE-2023-42793, a remote-code execution vulnerability affecting multiple versions of JetBrains TeamCity server. TeamCity is a continuous integration/continuous deployment (CI/CD) application used by organizations for DevOps and other software development activities.
Updated MATA attacks industrial companies in Eastern Europe
The takeaway here is that initial access is via phishing and malicious documents. Well, that and a little bit of Linux tradecraft.
The actors behind the attack used spear-phishing mails to target several victims, some were infected with Windows executable malware by downloading files through an internet browser. Each phishing document contains an external link to fetch a remote page containing a CVE-2021-26411 exploit. The attackers continued to send malicious documents via email until the end of September 2022. Overall, the campaign remained active over 6 months, until May 2023.
ToddyCat: Keep calm and check logs
The exfiltration tradecraft by this Chinese threat actor will be of interest to defense teams.
once the target of interest has been identified, the collection phase begins. The threat actor usually collects files from many different hosts and stores them in archives that are then exfiltrated from the targeted network using public file storage services.
Hamas Application Infrastructure Reveals Possible Overlap with TAG-63 and Iranian Threat Activity
Interesting overlap here.
[We] identified an application disseminated on a Telegram Channel used by members or supporters of the Hamas terrorist organization
Associated infrastructure analysis led to the identification of a cluster of domains that mimic the domain registration tradecraft of TAG-63 (AridViper, APT-C-23, Desert Falcon), a cyber group that we believe operates at the behest of the Hamas terrorist organization. We also observed that these domains were interconnected via a Google Analytics code.
The application dropped in a Telegram Channel claiming affiliation to Hamas’s Izz ad-Din al-Qassam Brigades was designed to enhance the dissemination of the organization's message via that application.
Multiple domains identified through Insikt Group infrastructure research revealed that they shared a specific Google Analytics code; various domains were also identified redirecting to the Izz ad-Din al-Qassam Brigades website.
We observed domain registration tradecraft commonly associated with TAG-63, which shared the website redirect to the Izz ad-Din al-Qassam Brigades website.
Our analysis suggests that infrastructure likely operated by the same threat actors revealed an Iran nexus based on subdomain naming registration conventions. One of the subdomains associated with this cluster hosted a spoofed page associated with the World Organization Against Torture
Confucius’s attack on the Batie brothers really went too far this time
Suspected South Asian threat actor who is using run-of-the-mill phishing tradecraft for initial access.
The characteristics of the Confucius attack sample captured this time are as follows:
Use the ZIP+LNK file as the initial attack load;
The LNK file reads its own data and releases VBS locally;
Both VBS scripts and subsequently released DLL files contain a large amount of invalid data padding.
The overall process of this attack is as follows:
APT Group Darkpink Exploited Winrar 0day Vulnerability CVE-2023-38831 To Attack Multiple Targets In Vietnam And Malaysia
This exploit has been heavily used by a variety of threat actors for initial access. This case has a specific regional focus.
The organization first became active in mid-2021 and mainly targets entities in the Asia-Pacific region. Its main targets are the diplomatic, military and other departments and industries of Cambodia, Indonesia, Malaysia, the Philippines, Vietnam, Bosnia and Herzegovina and other countries.
The DarkPink organization's main attack method is spear phishing, and the organization's self-made Trojan programs TelePowerBot and KamiKakaBot are delivered through emails to complete network theft activities
In this cyber attack, the DarkPink organization used a variety of baits. These baits are all in the form of PDF files and placed in WinRAR vulnerability files to attract users to open and view them.
Qubitstrike - An Emerging Malware Campaign Targeting Jupyter Notebooks
Who had Jupyter notebooks on their initial access top trumps? Not me, but it shows the complexity of the modern attack surface.
First reported case of Codeberg code hosting platform used to distribute malware
Attackers continue trend of leveraging Discord for Command and Control
Qubitstrike attackers specifically seeking Cloud Service Provider credentials
[Our] researchers observed attempts by the attackers to utilise stolen CSP credentials for further exploitation
Jupyter Notebooks exploited for initial access but the malware also supports SSH propagation
“EtherHiding” — Hiding Web2 Malicious Code in Web3 Smart Contracts
The complexity of the modern threat environment is evidenced here. Note that the objective is fake browser updates to gain initial access.
Over the last two months, leveraging a vast array of hijacked WordPress sites, this threat actor has misled users into downloading malicious fake “browser updates”. While their initial method of hosting code on abused Cloudflare Worker hosts was taken down, they’ve quickly pivoted to take advantage of the decentralized, anonymous, and public nature of blockchain. This campaign is up and harder than ever to detect and take down.
"Ad-versaries": Tracking new Google malvertising and brand spoofing campaigns
Malvertising seems to be becoming a material problem. It will be interesting to see how the advertising industry responds, as the increasing use of ad platforms by criminals, whether directly or via hijacked advertising accounts, is less than ideal.
Content scans show an increase in malvertising activity from Q3 2023 onwards.
New MaaS DarkGate variant adapted for malvertising purposes.
Brand impersonation TTPs used to inject infostealers, including DanaBot and IcedID.
Evidence of threat actors targeting various network tools, tech utilities and multimedia suites.
Aligned cyber actors to the Middle East activities
How we find and understand the latent compromises within our environments.
NSA releases a repository of signatures and analytics to secure Operational Technology
OT interest appears to be growing…
Civilian infrastructure has become an attractive target for foreign powers attempting to do harm to U.S. interests. Because of the increase in adversary capabilities, the vulnerability of OT systems, and the potential scope of impact, NSA recommends that OT critical infrastructure owners and operators implement ELITEWOLF as part of a continuous and vigilant system monitoring program.
Detecting Unknown Encrypted Malicious Traffic in Real Time via Flow Interaction Graph Analysis
Chuanpu Fu, Qi Li and Ke Xu deliver some real promise with this research.
In this paper, we propose HyperVision, a real-time unsupervised machine learning (ML) based malicious traffic detection system. Particularly, HyperVision is able to detect unknown patterns of encrypted malicious traffic by utilizing a compact in-memory graph built upon the traffic patterns. The graph captures flow interaction patterns represented by the graph structural features, instead of the features of specific known attacks. We develop an unsupervised graph learning method to detect abnormal interaction patterns by analyzing the connectivity, sparsity, and statistical features of the graph, which allows HyperVision to detect various encrypted attack traffic without requiring any labeled datasets of known attacks. Moreover, we establish an information theory model to demonstrate that the information preserved by the graph approaches the ideal theoretical bound. We show the performance of HyperVision by real-world experiments with 92 datasets including 48 attacks with encrypted malicious traffic. The experimental results illustrate that HyperVision achieves at least 0.92 AUC and 0.86 F1, which significantly outperform the state-of-the-art methods. In particular, more than 50% of attacks in our experiments can evade all these methods. Moreover, HyperVision achieves at least 80.6 Gb/s detection throughput with an average detection latency of 0.83s.
Detect threats using Microsoft Graph Logs - Part 1
Fabian Bader discusses a new feature being introduced to provide better coverage.
While log categories like AuditLogs and SignInLogs are already used in many companies, sometimes a new log is added to the list. For quite a long time there was one of high interest to many:
While for the same long time, enabling this log type did nothing in most environments, this changed a few days ago, when Microsoft announced the new logging capabilities.
This is the Microsoft release on this feature by Kristopher Bash
Have you wondered what applications are doing with the access you've granted them? Have you discovered a compromised user and hoped to find out what operations they have performed? If so, you can now gain full visibility into all HTTP requests accessing your tenant’s resources through the Microsoft Graph API.
How we proactively defend our environments.
Must-know facts about DNS: Encrypted Client Hello (ECH)
Eric Lawrence shows why privacy at all costs may cause enterprise security teams headaches, and how to address them.
Browsers offer policies to allow network administrators to make their own tradeoffs by disabling security-software-blinding privacy changes.
Streaming Anomaly Detection Using Sigma Rules
KQL Incident Response Part 2: What about the other logs?
Bert-Jan Pals continues his series on using KQL for IR; this one covers what to do with log sources that are not ingested into your SIEM.
[W]hat could you do if you do not ingest the logs in your SIEM or it is not logged by your EDR?
[I] explain how you can still perform incident response using KQL. Spoiler: Azure Data Explorer is your best friend! Furthermore, some practical examples are shared which can help you enrich your current M365D and Sentinel incident response cases
Config Extraction from in-memory CobaltStrike Beacons
Hendrik Eckardt outlines tradecraft for extracting the configuration from in-memory CobaltStrike beacons, which works because of the beacon's underlying structural properties.
Manually find, extract and unmask the CobaltStrike beacon from the Volatility process dump. We used malfind, dd and CyberChef for this step. If you need to know the size to copy out of the process dump, scroll down in the memory map starting from the address given by malfind, until you notice a gap in the virtual addresses
Use a regex to search for the data section reference in the config processing code, read the pointer from the data section
Unmask the unpacked config heap memory
Read up to 128 entries from the config array (for a 64-bit beacon, the allocation is 2048 bytes, which is 128*16). For binary values (kind 3), read and unmask the heap memory they point to
Throw the resulting data into one of the existing CobaltStrike config parsers to get a readable output
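The last step hands the unmasked bytes to an existing config parser. As an added illustration (not code from the blog post or from any of those parsers), the block below implements the XOR-masked TLV format those parsers consume: a single-byte XOR key (0x69 for CS 3.x, 0x2e for CS 4.x), then big-endian entries of index, kind and length, where kind 1 is a short, kind 2 an int and kind 3 NUL-padded bytes, terminated by index 0. The sample dump, C2 address and user agent are constructed for the demo. The 16-byte-per-entry in-memory array described in step 4 is a different layout and is not modelled here.

```python
import struct

# Names for a few well-known Beacon config indices; others are reported by number.
SETTING_NAMES = {
    1: "BeaconType", 2: "Port", 3: "SleepTime", 4: "MaxGetSize",
    5: "Jitter", 8: "C2Server", 10: "UserAgent", 37: "Watermark",
}
CANDIDATE_KEYS = (0x69, 0x2E)       # single-byte XOR keys used by CS 3.x and 4.x
MAGIC = bytes([0, 1, 0, 1, 0, 2])   # entry 1 (BeaconType), kind 1 (short), length 2


def xor_mask(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_config(blob: bytes):
    """Return (offset, key) of a masked config inside an arbitrary blob, or None."""
    for key in CANDIDATE_KEYS:
        off = blob.find(xor_mask(MAGIC, key))
        if off != -1:
            return off, key
    return None


def parse_entries(data: bytes) -> dict:
    """Walk unmasked TLV entries (index, kind, length, value) until the 0 terminator."""
    settings, pos = {}, 0
    while pos + 6 <= len(data):
        idx, kind, length = struct.unpack(">HHH", data[pos:pos + 6])
        if idx == 0:
            break
        pos += 6
        raw = data[pos:pos + length]
        pos += length
        if kind == 1:                  # short
            value = struct.unpack(">H", raw[:2])[0]
        elif kind == 2:                # int
            value = struct.unpack(">I", raw[:4])[0]
        else:                          # kind 3: NUL-padded string or binary
            value = raw.rstrip(b"\x00")
        settings[SETTING_NAMES.get(idx, f"Setting{idx}")] = value
    return settings


def extract_beacon_config(blob: bytes) -> dict:
    """Locate, unmask and parse a Beacon config inside a memory region."""
    found = find_config(blob)
    if found is None:
        raise ValueError("no masked Beacon config found")
    off, key = found
    return parse_entries(xor_mask(blob[off:], key))


# Constructed sample: a masked config embedded in filler, as it might sit in a dump.
def _entry(idx: int, kind: int, payload: bytes) -> bytes:
    return struct.pack(">HHH", idx, kind, len(payload)) + payload


SAMPLE_CONFIG = b"".join([
    _entry(1, 1, struct.pack(">H", 0)),                                # BeaconType
    _entry(2, 1, struct.pack(">H", 443)),                              # Port
    _entry(3, 2, struct.pack(">I", 60000)),                            # SleepTime (ms)
    _entry(5, 1, struct.pack(">H", 20)),                               # Jitter (%)
    _entry(8, 3, b"198.51.100.23,/updates.rss".ljust(256, b"\x00")),  # C2Server (documentation address)
    _entry(10, 3, b"Mozilla/5.0".ljust(128, b"\x00")),                 # UserAgent
    b"\x00\x00",                                                       # terminator
])
SAMPLE_DUMP = b"\x00" * 16 + b"MZ\x90\x00" + xor_mask(SAMPLE_CONFIG, 0x2E) + b"\x00" * 8

if __name__ == "__main__":
    for name, value in extract_beacon_config(SAMPLE_DUMP).items():
        print(f"{name:12} {value!r}")
```

If the region you carved is already unmasked, add 0x00 to CANDIDATE_KEYS; the six-byte magic is specific enough that zeroed memory will not match it.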
Microsoft Defender for Endpoint Internals 0x05 — Telemetry for sensitive actions
Olaf Hartong continues his very insightful series on MDE internals.
[A] zoom in on several capabilities of the M365D platform that are interesting to monitor for abuse, primarily Live Response.
Sadly, most of this activity telemetry is not readily available for querying programmatically and not officially supported by Microsoft. Hopefully, this will change in the near future.
MDE Kit
Jeff Michelmore provides a very powerful tool that will have utility to a variety of teams.
MDE Kit's objective is to help automate and empower your investigation, detection, prevention, and response capabilities leveraging the MDE API. MDE Kit leverages many of the available Microsoft Defender for Endpoint (MDE) APIs to take response actions on machines as well as create reports related to TVM data, alert data, antivirus data, and machine data.
How they got in and what they did.
Nothing this week
Our attack surface.
CVE-2023-27997: Exploit for Pre-authentication Remote Code Execution on Fortigate VPN
Charles Fol shows the mountain we still have to climb with regard to technical debt in security products.
Reachable without authentication, can be leveraged to get remote code execution on Fortigate instances. CVE-2023-27997 was assigned, with a CVSS of 9.2 (but really, it's a 10). We believe the bug has been present for a long, long time (more than on the 7.x and 6.x branches). Please refer to FG-IR-23-097 for details about affected versions.
Disclosure of Vulnerable Bitcoin Wallet Library
Now the race is on.
On 11/10/23 (10th of Nov) Unciphered will be disclosing a major vulnerability in a Bitcoin Wallet library - this 30 day delay is designed to prevent bad actors from taking advantage of this vulnerability while we work with vendors to protect affected parties.
Synology NAS DSM Account Takeover: When Random is not Secure
Sharon Brizinov shows the real world impact of poor randomness.
[We] uncovered the use of a weak random number generator in Synology’s DiskStation Manager (DSM) Linux-based operating system running on the company’s network-attached storage (NAS) products
The Math.random() method was used to generate the admin password for the NAS device itself.
Under some rare conditions, an attacker could leak enough information to restore the seed of the pseudorandom number generator (PRNG), reconstruct the admin password, and remotely take over the admin account.
The vulnerability, tracked as CVE-2023-2729, has been addressed by Synology. Synology’s advisory is here.
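To show the class of failure behind the Synology bug, here is an added example that is not code from the Claroty write-up and does not model V8's Math.random() (an xorshift128+ generator); it uses Python's Mersenne Twister instead, because the same property holds: a non-cryptographic PRNG leaks its state through its outputs. In the constructed scenario, an attacker who has observed 624 earlier 32-bit outputs (say, identifiers the device exposed) untempers them, rebuilds the generator, and predicts the "random" admin password generated next. The fix is the same in any language: derive secrets from a CSPRNG, shown here with the secrets module.

```python
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
N = 624  # MT19937 state size in 32-bit words


def _undo_right_xor(y: int, shift: int) -> int:
    # Inverts y ^= y >> shift by iterating to the fixed point.
    r = y
    for _ in range(32 // shift + 1):
        r = y ^ (r >> shift)
    return r


def _undo_left_xor_mask(y: int, shift: int, mask: int) -> int:
    # Inverts y ^= (y << shift) & mask, low bits first.
    r = y
    for _ in range(32 // shift + 1):
        r = y ^ ((r << shift) & mask)
    return r & 0xFFFFFFFF


def untemper(y: int) -> int:
    """Invert MT19937's output tempering, recovering the raw state word."""
    y = _undo_right_xor(y, 18)
    y = _undo_left_xor_mask(y, 15, 0xEFC60000)
    y = _undo_left_xor_mask(y, 7, 0x9D2C5680)
    y = _undo_right_xor(y, 11)
    return y


def weak_password(rng: random.Random, length: int) -> str:
    """Vulnerable pattern: password characters drawn from a non-cryptographic PRNG."""
    return "".join(ALPHABET[rng.getrandbits(32) % len(ALPHABET)] for _ in range(length))


def clone_generator(observed: list) -> random.Random:
    """Rebuild a generator in the victim's state from 624 consecutive 32-bit outputs.

    Assumes the observations start at a twist boundary, which holds for a freshly
    seeded generator; a mid-block capture would give a misaligned state."""
    if len(observed) != N:
        raise ValueError("need exactly 624 consecutive 32-bit outputs")
    state = tuple(untemper(v) for v in observed)
    clone = random.Random()
    clone.setstate((3, state + (N,), None))  # index N: the next call twists, as the victim's will
    return clone


def attack_demo(seed: int = 20231020, length: int = 16) -> tuple:
    """Constructed scenario: attacker sees 624 earlier outputs, then the victim
    derives the admin password from the same generator."""
    victim = random.Random(seed)
    leaked = [victim.getrandbits(32) for _ in range(N)]
    actual = weak_password(victim, length)
    predicted = weak_password(clone_generator(leaked), length)
    return actual, predicted


def strong_password(length: int = 16) -> str:
    """Hardened form: a CSPRNG, whose outputs do not reveal its internal state."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    actual, predicted = attack_demo()
    print("victim's password:  ", actual)
    print("attacker predicted: ", predicted)
    print("secrets-based:      ", strong_password())
```

Reducing each output modulo the alphabet size, as weak_password does, does not help: the attacker only needs some source of raw outputs from the same generator, and once the state is known every later draw, reduced or not, is known too.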
Attack capability, techniques and trade-craft.
EvilSln: A New Exploitation Technique for Visual Studio Projects
Jason Weng provides a capability which North Korea will no doubt find useful.
We present a new exploitation technique for Visual Studio projects (Microsoft considers it not to be a security issue) and provide a proof of concept. Our intention is to raise awareness about the potential risks involved and empower individuals to avoid being hacked.
What is being exploited.
Active exploitation of Cisco IOS XE Software Web Management User Interface vulnerability
Stuff of nightmares.
Cisco has identified active exploitation of a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198) when exposed to the internet or untrusted networks. This affects both physical and virtual devices running Cisco IOS XE software that also have the HTTP or HTTPS Server feature enabled.
Successful exploitation of CVE-2023-20198 allows an attacker to gain privilege level 15 access to the device, which the attacker can then use to create a local user and login with normal user access.
Next, the attacker can use the new unauthorized local user account to exploit a second previously unknown vulnerability (CVE-2023-20273) in another component of the WebUI feature. This allows the adversary to inject commands with elevated (root) privileges, giving them the ability to run arbitrary commands on the device.
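The chain above needs two things a config review can surface: the HTTP or HTTPS server feature enabled, and a local user the attacker created. As an added example (not from Cisco's advisory), the block below audits an IOS XE running-config for both, using the real "ip http server", "ip http secure-server" and "username ... privilege N" syntax; the hostname, user names and hashes in the sample config are constructed, and the allow-list of expected users is something you would feed in from your own inventory.

```python
import re

# Lines that enable the IOS XE web UI (the HTTP/HTTPS server feature).
WEB_UI_RE = re.compile(r"^ip http (?:secure-)?server$")
# Local user definitions; privilege defaults to 1 when omitted.
USER_RE = re.compile(r"^username (\S+)(?: privilege (\d+))?")


def audit_ios_xe_config(config_text: str, expected_users: set) -> dict:
    """Flag web UI exposure and local users that are not on the allow-list."""
    web_ui, unexpected = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if WEB_UI_RE.match(line):          # "no ip http server" does not match
            web_ui.append(line)
            continue
        m = USER_RE.match(line)
        if m:
            user, priv = m.group(1), int(m.group(2) or 1)
            if user not in expected_users:
                unexpected.append((user, priv))
    return {"web_ui_enabled": web_ui, "unexpected_local_users": unexpected}


# Constructed sample: web UI exposed and a local user nobody remembers creating.
SAMPLE_CONFIG = """\
!
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$constructedhashvalue
username svc_backup privilege 15 secret 9 $9$anotherconstructedhash
!
ip http server
ip http secure-server
ip http authentication local
!
line vty 0 4
 transport input ssh
!
"""

# The same device with the web UI disabled and the unexpected account removed.
HARDENED_CONFIG = (
    SAMPLE_CONFIG
    .replace("ip http server", "no ip http server")
    .replace("ip http secure-server", "no ip http secure-server")
    .replace("username svc_backup privilege 15 secret 9 $9$anotherconstructedhash\n", "")
)

if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_ios_xe_config(cfg, {"netops"}))
```

Run it over configs pulled from a backup or from "show running-config" output; any unexpected user, whatever its privilege, deserves a look, since the account the attacker creates only needs ordinary access to reach the second bug.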
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
QBinDiff: A modular diffing toolkit
Roxane Cohen, Robin David and Riccardo Mori provide us with a new experimental reverse engineering tool.
We open-sourced QBinDiff, an experimental tool that requires some know-how to get the most out of it. However, it's a good platform for experimentation and more specific diffing tasks. Because of its implementation in Python, it will never be faster than BinDiff, but it does not intend to be :).
Ghidra Deep Links
For all those Ghidra jockeys who want to share their latest zero-day in Slack/Discord.
A cross-platform plugin for Ghidra that provides deep linking support. This enables the generation of clickable disas:// links that can be included in 3rd party applications.
Symbolic execution for security researchers
Arnau Gàmez gives a good overview.
Some other small (and not so small) bits and bobs which might be of interest.
Shades of Grey: Cyber Intelligence and (Inter)national Security - The paper acknowledges that despite earlier assumptions, cyberspace is less a war-fighting domain than one in which there is constant competition between intelligence agencies. It highlights the scope, scale and tenacity of many of the intelligence and intelligence-led cyber operations discovered over the past decade, each of which has set new precedents in terms of the number of government institutions, businesses and individuals affected, has caused much consternation, yet has led to little discernible action in terms of discussing possible legal or normative restraints or limits at the international level.
“Preventing a Cyber Dresden”: How the Evolution of Air Power can Guide the Evolution of Cyber Power - an old paper by the new head of the UK’s National Cyber Force
If it Bleeps it Leads? - Media Coverage on Cyber Conflict and Misperception - What determines media coverage on cyber conflict? Media bias fostering misperception is a well-established problem in conflict reporting.
Announcing The Detection And Response Development Lifecycle (DR-DLC) For Detection Engineering - from July from an analyst - your mileage may vary.
Identifying reducible $k$-tuples of vectors with subspace-proximity sensitive hashing/filtering - We introduce and analyse a family of hash and predicate functions that are more likely to produce collisions for small reducible configurations of vectors
Compliance Cautions: Investigating Security Issues Associated with U.S. Digital-Security Standards - the video I included last week, this is the paper.
GLEVIAN and VIGORNIAN: Robust beyond-birthday AEAD modes - We present GLEVIAN and VIGORNIAN: two AEAD modes with proofs of beyond-birthday security, security against nonce misuse, and against the release of unverified plaintext – both of the latter in strong notions of these security properties. We discuss our hierarchy of requirements for AEAD modes, and the rationale for the design choices made - by the UK’s NCSC
Exploring the Industrial Metaverse: A Roadmap to the Future - This roadmap, by the World Economic Forum in collaboration with the Cyber-Human Lab at the University of Cambridge, illuminates the intricate dynamics of the industrial metaverse. It offers a framework for discussing essential steps towards a valuable ecosystem for various stakeholders.
Everybody is looking into the Future! A literature review of reports on emerging technologies and disruptive innovation - This report is a part of the project ‘Anticipation and monitoring of emerging technologies and disruptive innovation’ (ANTICIPINNOV), a collaboration between the European Commission Joint Research Centre and the European Innovation Council (EIC).
vec2text - utilities for decoding deep representations (like sentence embeddings) back to text