Bluepurple Pulse: week ending October 8th
Gaining assurance on whether you did or did not have a security event when your SaaS vendor discloses a vulnerability is the new game for 2023
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week you will see that some crunchy vulnerabilities had exploits released. One of these raised a question around vendor language in relation to SaaS services, namely "you are not vulnerable" rather than "you were not vulnerable". This in turn raised the second-order question: when these types of vulnerabilities land, do we need clearer communication on whether we as the customer were vulnerable, for how long, what the IoCs were, and whether we have access to the logs that would allow us to confirm if exploitation happened in our context or not.
In the high-level this week:
UK and US host international dialogue to advance cyber support for groups that strengthen democracy - Agency heads from nine countries share insights and approaches to help improve collective cyber resilience of global democracy.
NPC Headliner Luncheon: Gen. Paul Nakasone - technology is advancing at a phenomenal speed, posing a challenge to the U.S. as it races to stay ahead of technologies with the potential to be used against us; cyber and generative AI are prime examples
A Call To Action: Building the Cyber Workforce the Nation Needs | ONCD - I’m calling on organizations nationwide – technology and non-tech companies alike, academic institutions, state and local governments, and workers who are considering a career in cybersecurity, and others – to join us in building a cyber workforce to meet the challenge of this decisive decade.
8 rules for “civilian hackers” during war, and 4 obligations for states to restrain them - from the International Committee of the Red Cross
Critical Infrastructure Protection: National Cybersecurity Strategy Needs to Address Information Sharing Performance Measures and Methods - The 14 federal agencies in GAO's review—CISA, FBI, and the other 12 sector risk management agencies—reported relying on 11 methods to facilitate sharing of cyber threat information with critical infrastructure owners and operators.
House passes bill to relax educational requirements for federal cyber workers - The Modernizing the Acquisition of Cybersecurity Experts Act, or MACE Act, (H.R. 4502) is aimed at addressing shortages in federal cybersecurity positions by expanding the pool of eligible applicants and passed easily in a 394-1 vote. It’s sponsored by Rep. Nancy Mace, R-S.C., and Rep. Katie Porter, D-Calif.
Free cybersecurity support program for 200 humanitarian NGOs in The Hague - A non-profit consortium will offer free cybersecurity support to almost 200 humanitarian NGOs in The Hague over the next 1.5 years.
Vive la France and Cyberscore Law is rallying cry for Europe - French policymakers have taken the lead globally in mandating cyber risk ratings to enhance cybersecurity posture in the country. The Cyberscore Law, which comes into force on October 1, 2023, mandates cyber scores on the 500 largest merchants' websites operating in France, with plans to extend this to 10,000 strategic companies such as the electric power grid and healthcare.
Japan to bolster cyber defense with homegrown software - Japan plans to begin installing domestically developed security software for ministry and agency computers starting in fiscal 2025, part of an effort to boost the collection and analysis of cyberattack information and improve cyber defense.
China proposes relaxing security reviews for most cross-border data flows - China’s cyberspace regulator, which imposed tough cross-border data security requirements a year ago creating uncertainties for multinationals, made a concession on Thursday by waiving security assessments for the bulk of day-to-day business activities involving these data flows.
GEC Special Report: How the People’s Republic of China Seeks to Reshape the Global Information Environment - United States Department of State
Navigating the Jagged Technological Frontier - For tasks within the AI frontier, ChatGPT-4 significantly increased performance, boosting speed by over 25%, human-rated performance by over 40%, and task completion by over 12%.
The Repressive Power of Artificial Intelligence - Advances in artificial intelligence (AI) are amplifying a crisis for human rights online.
Similar to Spain, a lack of co-operation in Greece into the misuse of commercial offensive cyber capabilities
Global: ‘Predator Files’ investigation reveals catastrophic failure to regulate surveillance trade - Amnesty International Security Lab
The UN Cybercrime Treaty: Is it a Crime? - discusses challenges concerning the lack of safeguards for procedural powers and international cooperation.
The Legal Boundaries of (Digital) Information or Psychological Operations Under International Humanitarian Law - There is general agreement that many forms of information or psychological operations—online or offline—are either not regulated by or not in violation of IHL
PsiQuantum targets first commercial quantum computer in under six years - "The first system that's actually capable of solving important problems that people want to know the answer to - that's just a handful of years away,"
Lockton Re Cyber Report Says Market Needs Cyber Product Clarity – An Assessment To Simplify Cyber Reinsurance - While the cyber market continues to mature and grow dramatically, the global “all risk aggregate” reinsurance product continues to trail capacity demand and limits the cyber market’s access to the wider specialised reinsurance market.
The reflection this week is on probability and impact of risks manifesting and how to apply to ‘existential’ technology risks. Having been in the services world for a material proportion of my career you see the patterns of threat hype in order to drive business. These cycles often involve demonstrating the art of the possible aka stunt hacking.
The gulf between these art of the possible demonstrations and the real-world application and thus risk manifesting is often both material and yet hard to predict.
How we get from existential warnings to a discipline which is increasingly quantified and qualified with supporting evidence, so we can make the priority calls, seems like a gap worth closing.
On the interesting job/role front (thanks to those sending me these):
Engineer (Cyber Security Data - SIEM) at NATO in Belgium
Senior Analyst, Cyber Security Incident Response Team at Genesys in the UK
Incident Response Remediation Manager - Senior Manager at PwC in the UK
Professor - Criminology (Cyber) at Monash University in Australia
Head of Department - Cyber Forensics, Review, and Continuous Improvement at the Financial Conduct Authority in the UK
Deputy Director, Defence Innovation Unit at the Ministry of Defence in the UK
Views are my own / attribution by others etc.
Have a lovely Friday
Cyber threat intelligence
Who is doing what to whom and how.
Ukraine prepares for winter again as Russia targets its power grid
Mr Sakharuk also says that cyber-attacks could be an even bigger threat this winter than missiles and drones. A successful assault “can paralyse the whole system” and that can be “much more dangerous than physical damage”. Ever since the invasion began DTEK and Ukraine’s cyber warriors have been battling Russia’s hackers; and this, he says, is “a game of cat and mouse”. Once you develop a new way to protect yourself the hackers find a new way around your defences. “You are always in motion,” he says.
Lazarus luring employees with trojanized coding challenges: The case of a Spanish aerospace company
Peter Kálnai outlines the stuff of nightmares for those tasked with protecting software development teams. Real lessons in here as to the real-world risk.
[We] have uncovered a Lazarus attack against an aerospace company in Spain, where the group deployed several tools, most notably a publicly undocumented backdoor we named LightlessCan. Lazarus operators obtained initial access to the company’s network last year after a successful spearphishing campaign, masquerading as a recruiter for Meta – the company behind Facebook, Instagram, and WhatsApp.
Employees of the targeted company were contacted by a fake recruiter via LinkedIn and tricked into opening a malicious executable presenting itself as a coding challenge or quiz.
We identified four different execution chains, delivering three types of payloads via DLL side-loading.
The most notable payload is the LightlessCan backdoor, implementing techniques to hinder detection by real-time security monitoring software and analysis by cybersecurity professionals; this presents a major shift in comparison with its predecessor BlindingCan, a flagship HTTP(S) Lazarus RAT.
We attribute this activity with a high level of confidence to Lazarus, particularly to its campaigns related to Operation DreamJob.
The final goal of the attack was cyberespionage.
South Korean Intelligence: North Korea targeting South Korea's ship building and maintenance industry
So above we have Spanish aerospace and now we have South Korean maritime being targeted. No technical details, so solely the fact of it.
Home Security recently reported that North Korea has targeted our shipbuilding companies to strengthen its naval military power. They say they are carrying out intensive hacking attacks. We have issued a warning to related industries to be cautious.
Introducing the REF5961 intrusion set — three new malware families targeting ASEAN members
Daniel Stepanic, Salim Bitam, Cyril François, Seth Goodwin and Andrew Pease give someone a bad day in the office in China by burning three of their implants. These all appear to exhibit test artefacts as well, which in and of itself is interesting.
The victim is the Foreign Affairs Ministry of a member of the Association of Southeast Asian Nations (ASEAN).
Further, the correlation of execution flows, tooling, infrastructure, and victimology of multiple campaigns we’re tracking along with numerous third-party reports makes us confident this is a China-nexus actor.
Chinese State-Sponsored Cyber Espionage Activity Targeting Semiconductor Industry in East Asia
Arda Büyükkaya brings us further evidence of China’s targeting of the semiconductor sector (which open source reporting has shown has been going on for years), for all the reasons we would expect. Phishing is the initial access mechanism.
[We] identified a cyber espionage campaign where threat actors used a variant of HyperBro loader with a Taiwan Semiconductor Manufacturing (TSMC) lure. This was likely to target the semiconductor industry in Mandarin/Chinese speaking East Asian regions (Taiwan, Hong Kong, Singapore).
The compromised Cobra DocGuard web server hosted a GO-based backdoor
Operation Jacana: They’re taking the hobbits to Guyana
Fernando Tavella gives insight into the targeting of a South American nation by a suspected Chinese state actor. Not unexpected, but useful in building the public evidence base of regionally targeted malign activity to encourage capability uplift.
Operation Jacana is a targeted cyberespionage campaign against a Guyanese governmental entity.
After the initial compromise via spearphishing emails, the attackers proceeded to move laterally through the victim’s internal network.
To extract sensitive data, the operators used a previously undocumented backdoor we named DinodasRAT.
DinodasRAT encrypts the information it sends to the C&C using the Tiny Encryption Algorithm (TEA).
Apart from DinodasRAT, the attackers also deployed Korplug, leading us to suspect that China-aligned operators are behind this operation.
APT34 Deploys Phishing Attack With New Malware
Mohamed Fahmy and Mahmoud Zohdy provide evidence of what appears to be some regional state-on-state action. Initial access tradecraft is … 🥁 … phishing!
We observed and tracked the advanced persistent threat (APT) APT34 group with a new malware variant accompanying a phishing attack comparatively similar to the SideTwist backdoor malware. Following the campaign, the group abused a fake license registration form of an African government agency to target a victim in Saudi Arabia.
During our investigation, there was little information about the victims targeted by this malware. But the file that APT34 used for this attack is called “MyCv.doc,” a license registration form related to the Seychelles Licensing Authority. However, we noted that the document contained pricing information in Saudi Riyal, which might indicate that the targeted victim was an organization inside the Kingdom of Saudi Arabia.
Malicious ad served inside Bing's AI chatbot
Jérôme Segura highlights a technique which I don’t recall being discussed before. I suspect there is some value in looking for campaigns which appear to be phishing for access to said ad accounts.
In this case, the malicious actor hacked into the ad account of a legitimate Australian business and created two malicious ads, one targeting network admins (Advanced IP Scanner) and another lawyers (MyCase law manager):
Infection on Chilean e-commerce website
after generating a connection to binance to be able to read a “smart contract”, you must execute whatever comes as a response through the “eval” method
Active Lycantrox infrastructure illumination - Cytrox’s signature Predator spyware
Felix Aimé and Maxime Arquillière illuminate a whole load of infrastructure associated with this commercial mobile malware supplier, giving a sense of its customers. Of note is that the vendor continues to try to improve their operational security, which is going to continue to raise the bar on these detection activities.
Lycantrox has hardened its reverse proxies since our previous investigations and after some public disclosures in order to prevent such illumination. However, sometimes, too much hardening can be discriminatory from a defender point of view, as we can see with this correlation.
Economic Espionage Via Fake Social Media Profiles in the UK: Professional Workers Awareness and Resilience
Mark Button, David Shepherd and Jeyong Jung provide some science around susceptibility to recruitment approaches. I will admit I had to google homophily-heterophily to understand this paper: homophily is the degree of similarity between the communicator and the receiver, whilst heterophily is the degree of difference.
This paper explores the use of fake social media accounts for economic espionage. It focuses solely on the first step of the recruitment process, the link requests. In the absence of any prior research, the study uses an inductive approach based on a survey of 2,000 UK professionals, and finds that a quarter of professionals are ill-prepared for the threat. A substantial minority are carelessly indifferent to information security and computer network security, and are so indifferent to the identities behind link requests that they auto-link with everyone. The paper also explores the homophily-heterophily orientation of professionals. It argues that homophily-orientated professionals tend to reject profiles with espionage characteristics, whilst heterophily-orientated professionals are susceptible because they embrace social difference.
The practical implications are that employers need to strengthen their information security training programmes, the security services need to be more explicit in characterising the threats, and regulation is required to force the social media companies to focus on the problem.
How we find and understand the latent compromises within our environments.
Legitimate exfiltration tools : summary and detection for incident response and threat hunting
Nathanael Ndong continues to bring the value on behalf of this firm and the quality artefact research they output. Some strong indicators which blue teams can use here.
When an attacker uses a legitimate data transfer tool, whether it is already present on the system or has been downloaded, it is often possible to identify its presence and use:
with the tool installation path and uninstall registry key;
with registry keys, either specific to the tool or with UserAssist and AppCompatCache for command-line tools.
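To make the two indicators above concrete, here is an added Python example (mine, not code from the post) that hunts a `reg query /s` dump of the Uninstall hive and a set of UserAssist value names for legitimate transfer tools. The watchlist and the registry data are constructed for the example; UserAssist value names really are stored ROT13-encoded by Explorer, which is why the hunt decodes them before matching.

```python
import codecs
import re

# Constructed watchlist of legitimate transfer tools routinely repurposed for
# exfiltration. This is an assumption for the example, not the post's own list.
WATCHLIST = ("rclone", "megasync", "winscp", "filezilla", "freefilesync")

# Constructed sample in the layout `reg query <key> /s` prints: one block per
# uninstall subkey, values indented as "<name>    <type>    <data>".
UNINSTALL_DUMP = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip
    DisplayName    REG_SZ    7-Zip 23.01 (x64)
    InstallLocation    REG_SZ    C:\Program Files\7-Zip\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MEGAsync
    DisplayName    REG_SZ    MEGAsync
    InstallLocation    REG_SZ    C:\Users\j.doe\AppData\Local\MEGAsync\
    UninstallString    REG_SZ    C:\Users\j.doe\AppData\Local\MEGAsync\uninst.exe
"""

# Constructed UserAssist value names (HKCU\...\Explorer\UserAssist\{GUID}\Count).
# Explorer stores them ROT13-encoded, so a hunt must decode before matching.
USERASSIST_NAMES = [
    r"Zvpebfbsg.Jvaqbjf.Rkcybere",
    r"P:\Cebtenz Svyrf\JvaFPC\JvaFPC.rkr",
    r"P:\Hfref\w.qbr\Qbjaybnqf\epybar.rkr",
]

_VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")


def parse_reg_query(text):
    """Parse `reg query /s` style output into a list of {key, values} dicts."""
    entries = []
    current = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = {"key": line.strip(), "values": {}}
            entries.append(current)
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, _type, data = m.groups()
            current["values"][name] = data.strip()
    return entries


def find_uninstall_hits(text, watchlist=WATCHLIST):
    """(DisplayName, InstallLocation) for every uninstall entry naming a watchlisted tool."""
    hits = []
    for entry in parse_reg_query(text):
        name = entry["values"].get("DisplayName", "")
        haystack = (name + " " + entry["key"]).lower()
        if any(tool in haystack for tool in watchlist):
            hits.append((name, entry["values"].get("InstallLocation", "")))
    return hits


def decode_userassist(value_name):
    """UserAssist value names are ROT13; ROT13 is its own inverse."""
    return codecs.decode(value_name, "rot_13")


def find_userassist_hits(value_names, watchlist=WATCHLIST):
    """Decode each UserAssist name and return the decoded paths that name a watchlisted tool."""
    hits = []
    for name in value_names:
        decoded = decode_userassist(name)
        if any(tool in decoded.lower() for tool in watchlist):
            hits.append(decoded)
    return hits


if __name__ == "__main__":
    for hit in find_uninstall_hits(UNINSTALL_DUMP):
        print("uninstall key:", hit)
    for hit in find_userassist_hits(USERASSIST_NAMES):
        print("UserAssist   :", hit)
```

Feed it the output of `reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s` (and the Wow6432Node equivalent) plus the value names exported from the UserAssist Count keys; a portable copy of rclone dropped in Downloads never gets an uninstall entry, which is exactly why the UserAssist pass is there.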
Strengthening Your Defense Against IdP (Identity Provider) Attacks: Leveraging Google Workspace Admin Logs
Further evidence that security detection capability is an extra cost when it likely shouldn’t be, something that likely needs addressing at an industry level.
While enabling these logs may require specific licenses, it’s an investment that enhances IdP attack detection. Google Cloud Security Command Center premium customers gain access to an even broader range of signatures.
How to Detect BLASTPASS Inside a WebP File
Matt Suiche shows how understanding how a file format is meant to work allows us to detect malicious misuse. Machines were built for this.
The malicious distance code lengths produce an unbalanced Huffman Tree; a straightforward way to detect it is to make sure that writes are happening within the boundary of huffman_tables by emulating the behavior of BuildHuffmanTable() as we are doing via
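The cheap version of that check, as an added Python example rather than the post's emulator: a set of Huffman code lengths describes a balanced (complete) tree only if the open-node count that BuildHuffmanTable tracks level by level lands exactly on zero. Walking the lengths the same way flags an unbalanced table before anything is written. The code-length arrays below are constructed; the 15-bit limit is libwebp's MAX_ALLOWED_CODE_LENGTH.

```python
from fractions import Fraction

MAX_ALLOWED_CODE_LENGTH = 15  # libwebp's limit for lossless Huffman code lengths


def kraft_sum(code_lengths):
    """Kraft sum over the non-zero code lengths; exactly 1 for a complete prefix code."""
    return sum(Fraction(1, 2 ** length) for length in code_lengths if length > 0)


def classify_code_lengths(code_lengths):
    """Classify a code-length array the way BuildHuffmanTable's open-node accounting would.

    Returns 'empty', 'single', 'complete', 'incomplete' or 'oversubscribed'.
    """
    count = [0] * (MAX_ALLOWED_CODE_LENGTH + 1)
    for length in code_lengths:
        if not 0 <= length <= MAX_ALLOWED_CODE_LENGTH:
            raise ValueError(f"code length {length} out of range")
        count[length] += 1
    used = sum(count[1:])
    if used == 0:
        return "empty"
    if used == 1:
        return "single"  # libwebp special-cases a one-symbol tree; it is not walked
    # Walk the tree level by level: each open node splits into two, and every
    # symbol assigned at this depth closes one of them. Going negative means
    # the lengths describe more codes than a prefix code can hold; ending above
    # zero means an unbalanced (incomplete) tree, which is what the quoted
    # heuristic is looking for.
    num_open = 1
    for length in range(1, MAX_ALLOWED_CODE_LENGTH + 1):
        num_open <<= 1
        num_open -= count[length]
        if num_open < 0:
            return "oversubscribed"
    return "complete" if num_open == 0 else "incomplete"


def suspicious_groups(groups):
    """Index every code-length array that a conforming encoder would never emit."""
    return [i for i, lengths in enumerate(groups)
            if classify_code_lengths(lengths) in ("incomplete", "oversubscribed")]


# Constructed code-length arrays (the per-group arrays a real WebP lossless
# header carries would be fed in here after the prefix-code reading step).
EXAMPLE_GROUPS = [
    [1, 2, 3, 3],   # balanced: 1/2 + 1/4 + 1/8 + 1/8 == 1
    [3] * 8,        # balanced: eight 3-bit codes fill the space
    [1, 2, 3],      # unbalanced: 1/8 of the code space is never reachable
    [1, 1, 2],      # impossible: two 1-bit codes already fill the space
    [0, 0, 4],      # single symbol, allowed
]

if __name__ == "__main__":
    for lengths in EXAMPLE_GROUPS:
        print(lengths, classify_code_lengths(lengths), kraft_sum(lengths))
    print("suspicious:", suspicious_groups(EXAMPLE_GROUPS))
```

The walk is equivalent to checking that the Kraft sum is exactly 1, but it is written the way the decoder does it so a scanner can be dropped in front of the table builder without changing semantics. An incomplete tree is a reliable signal here because no conforming encoder produces one; it is not on its own proof of exploitation.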
How we proactively defend our environments.
NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations
Avengers assemble (I’m watching Iron Man III with the family as I write this). Now if only these were cost effective to solve even in moderately sized organizations we’d have a business case.
Default configurations of software and applications
Improper separation of user/administrator privilege
Insufficient internal network monitoring
Lack of network segmentation
Poor patch management
Bypass of system access controls
Weak or misconfigured multifactor authentication (MFA) methods
Insufficient access control lists (ACLs) on network shares and services
Poor credential hygiene
Unrestricted code execution
Recognition of government websites: does a uniform domain name extension help?
Some science out of the Netherlands on citizens recognizing if they are accessing a government website or not. Likely useful to Governments globally - in short have a uniform domain and explain it.
The Ministry of the Interior and Kingdom Relations has conducted public research into the added value for citizens of introducing a uniform second level domain name extension for government websites. The research demonstrably shows that a uniform extension helps citizens to easily determine whether a website belongs to the government or not.
It turns out that a uniform domain name extension ensures better recognition of government websites.
Recognition was higher after receiving the explanation than before receiving the explanation (as in the current case).
Incident Response Part 1: IR on Microsoft Security Incidents (KQL edition)
Bert-Jan Pals provides a three part series of which this is the first. This is a very useful end-to-end walk through for anyone looking to learn.
Pitfalls of relying on eBPF for security monitoring (and some solutions)
Artem Dinaburg provides the wisdom to anyone building solutions around eBPF.
eBPF (extended Berkeley Packet Filter) has emerged as the de facto Linux standard for security monitoring and endpoint observability. It is used by technologies such as BPFTrace, Cilium, Pixie, Sysdig, and Falco due to its low overhead and its versatility.
There is, however, a dark (but open) secret: eBPF was never intended for security monitoring. It is first and foremost a networking and debugging tool. As Brendan Gregg observed:
eBPF has many uses in improving computer security, but just taking eBPF observability tools as-is and using them for security monitoring would be like driving your car into the ocean and expecting it to float.
But eBPF is being used for security monitoring anyway, and developers may not be aware of the common pitfalls and under-reported problems that come with this use case. In this post, we cover some of these problems and provide workarounds. However, some challenges with using eBPF for security monitoring are inherent to the platform and cannot be easily addressed.
Public Preview: Strictly Enforce Location Policies with Continuous Access Evaluation
Alex Weinert details how CAE is evolving in the MSFT eco-system. The ability to revoke tokens in near real-time in response to network change events will have an impact.
Previously, in the event of an access token theft, attackers could take advantage of the refresh interval to replay the token, regardless of whether it fell outside the location range permitted by a conditional access policy. With our ability to strictly enforce location policies and CAE, CAE enabled applications like Exchange Online, SharePoint, Teams, and Microsoft Graph can now revoke tokens in near real-time in response to network change events noticed by the app – preventing stolen tokens from being replayed outside the trusted network.
How To Deploy a Complete Entra ID Conditional Access PoC in Under 5 Minutes
Daniel Chronlund removes all excuses for deploying conditional access in the MSFT eco-system as we can now do it while the kettle boils. Conditional access will impose cost on adversaries and make your organization materially more resilient (when not in report only mode).
Installs Microsoft Graph PowerShell module (if you don’t already have it installed).
Connects to Microsoft Graph (you must run the tool as a Global Admin so you can consent to the required permissions during authentication).
Creates a break glass exclude group (protected by the ‘role-assignable’ attribute) and adds your current account as a member to that group.
Creates a service account group for non-human accounts.
Creates a named location for your corporate IP addresses (it automatically adds your current public IP address to the list).
Creates a named location for allowed countries (I added some countries that I tend to work in as examples).
Deploys my Conditional Access policy design baseline to your tenant in report-only mode.
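The same shape expressed as raw Microsoft Graph request bodies, as an added Python example (mine, not Daniel Chronlund's PowerShell tool): an IP named location, a "require MFA off the corporate network" policy that excludes the break-glass group, and a lint pass that refuses to ship anything not in report-only mode or missing the break-glass exclusion. The object IDs are placeholders; in a real tenant they come back from the group and namedLocation creation calls, and the bodies would be POSTed to /identity/conditionalAccess/namedLocations and /identity/conditionalAccess/policies.

```python
import json

REPORT_ONLY = "enabledForReportingButNotEnforced"  # Graph state value for report-only mode

# Placeholder object IDs (assumed for the example); real ones are returned by Graph
# when the break-glass group and the named location are created.
BREAK_GLASS_GROUP_ID = "11111111-1111-1111-1111-111111111111"
CORP_LOCATION_ID = "22222222-2222-2222-2222-222222222222"


def ip_named_location(display_name, cidrs, trusted=True):
    """Body for POST /identity/conditionalAccess/namedLocations (ipNamedLocation)."""
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": display_name,
        "isTrusted": trusted,
        "ipRanges": [
            {"@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": cidr}
            for cidr in cidrs
        ],
    }


def require_mfa_policy(display_name, break_glass_group_id, trusted_location_id,
                       state=REPORT_ONLY):
    """Body for POST /identity/conditionalAccess/policies: MFA for everyone off the corporate network."""
    return {
        "displayName": display_name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [break_glass_group_id]},
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": ["All"], "excludeLocations": [trusted_location_id]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def lint_policy(policy, break_glass_group_id, require_report_only=True):
    """Return the reasons a policy body should NOT be posted to a tenant yet."""
    findings = []
    users = policy.get("conditions", {}).get("users", {})
    grant = policy.get("grantControls") or {}
    if break_glass_group_id not in users.get("excludeGroups", []):
        findings.append("break-glass group is not excluded; a bad policy could lock out every admin")
    if require_report_only and policy.get("state") != REPORT_ONLY:
        findings.append(f"state is {policy.get('state')!r}, expected report-only for a first deployment")
    if "block" in grant.get("builtInControls", []) and users.get("includeUsers") == ["All"]:
        findings.append("block control applied to all users")
    return findings


if __name__ == "__main__":
    location = ip_named_location("Corporate egress", ["203.0.113.0/24"])
    policy = require_mfa_policy("CA001 - Require MFA outside corporate network",
                                BREAK_GLASS_GROUP_ID, CORP_LOCATION_ID)
    print(json.dumps(location, indent=2))
    print(json.dumps(policy, indent=2))
    print("findings:", lint_policy(policy, BREAK_GLASS_GROUP_ID))
```

Run the lint over every policy body before creating it, and again with `require_report_only=False` only when you flip a policy to "enabled" after reviewing the report-only sign-in logs.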
Secure by Design: AWS to enhance MFA requirements in 2024
Steve Schmidt ensures Christmas comes early.
Beginning in mid-2024, customers signing in to the AWS Management Console with the root user of an AWS Organizations management account will be required to enable MFA to proceed. Customers who must enable MFA will be notified of the upcoming change through multiple channels, including a prompt when they sign in to the console.
How they got in and what they did.
Nothing this week
Our attack surface.
Cisco Emergency Responder Static Credentials Vulnerability
A vulnerability in Cisco Emergency Responder could allow an unauthenticated, remote attacker to log in to an affected device using the root account, which has default, static credentials that cannot be changed or deleted.
MacOS "DirtyNIB" Vulnerability: allows the hijacking of Apple application entitlements
Adam Chester shows that macOS is fertile hunting ground for capability in 2023.
this will work with any application which:
Has entitlements that you want to hijack
Works in the new Launch Constraints landscape
Attack capability, techniques and trade-craft.
Beyond the good ol' LaunchAgents
Csaba Fitzl also shows that macOS is fertile hunting ground for red teamers. Expect malicious use in 3..2..
I ran into the Dock Tile Plugin feature in macOS, which turned out to be truly amazing from a persistence point of view
the whole series is worth a read
ZipLink - Combine Zips and Lnk for fun and profit
PfiatDe details a combined capability which defensive teams can expect to see used in phishing campaigns.
Windows will not show the lnk extension, even if Show extensions is on
zips will be stored under the user
Lnks can contain more data than the lnk itself
mshta.exe is very robust about syntax errors and ignores file extensions
Lnk/Hta polyglots are easy to build
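A detection angle on that last point, as an added Python example that is not part of the ZipLink write-up: a shortcut is a ShellLinkHeader (fixed 76 bytes, fixed CLSID) followed by structures the spec defines, so a zip local file header or an HTA tag sitting after the header is foreign bytes. The two LNK samples below are constructed fixtures, not real shortcuts, and the marker list is mine.

```python
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
FLAG_HAS_ARGUMENTS = 0x00000020
FLAG_IS_UNICODE = 0x00000080

# Byte signatures that have no business appearing anywhere inside a shortcut.
MARKERS = {
    "zip_local_file_header": b"PK\x03\x04",
    "zip_end_of_central_dir": b"PK\x05\x06",
    "html_script_tag": b"<script",
    "hta_application_tag": b"<hta:application",
}


def _lnk_header(flags):
    """Minimal 76-byte ShellLinkHeader (constructed test fixture, remaining fields zeroed)."""
    return struct.pack("<I16sII", LNK_HEADER_SIZE, LNK_CLSID, flags, 0) + b"\x00" * (LNK_HEADER_SIZE - 28)


def inspect_lnk(data):
    """Report whether data is an LNK, which flags are set, and any foreign payload markers."""
    result = {"is_lnk": False, "has_arguments": False, "is_unicode": False, "markers": []}
    if len(data) < LNK_HEADER_SIZE:
        return result
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    result["is_lnk"] = header_size == LNK_HEADER_SIZE and clsid == LNK_CLSID
    result["has_arguments"] = bool(flags & FLAG_HAS_ARGUMENTS)
    result["is_unicode"] = bool(flags & FLAG_IS_UNICODE)
    lower = data.lower()  # HTML/HTA tags are case-insensitive; "PK" signatures are not affected
    markers = []
    for name, sig in MARKERS.items():
        off = lower.find(sig.lower(), LNK_HEADER_SIZE)
        if off != -1:
            markers.append((name, off))
    result["markers"] = sorted(markers, key=lambda m: m[1])
    return result


def is_polyglot(data):
    """True when the file parses as a shortcut and also carries a zip or HTA body."""
    info = inspect_lnk(data)
    return info["is_lnk"] and bool(info["markers"])


# Constructed samples: a plain shortcut and one with an HTA body and a zip appended.
BENIGN_LNK = _lnk_header(FLAG_IS_UNICODE) + b"\x00" * 64
POLYGLOT_LNK = (
    _lnk_header(FLAG_HAS_ARGUMENTS | FLAG_IS_UNICODE)
    + b"\x00" * 40
    + b'<hta:application showintaskbar="no"><script language="VBScript">\' payload\n</script>'
    + b"PK\x03\x04" + b"\x00" * 26 + b"payload.zip"
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_LNK), ("polyglot", POLYGLOT_LNK)):
        print(label, inspect_lnk(sample), "polyglot" if is_polyglot(sample) else "clean")
```

Pair this with a mail-gateway rule on `.lnk` inside archives: a shortcut that has the HasArguments flag set and a zip or HTA marker after the header is worth pulling regardless of what the visible filename claims.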
hakuin: A blazing fast Blind SQL Injection optimization and automation framework
Want an example of LLMs used for malicious cyber? Here you go, from Jakub Pruzinec. I would be interested to understand how much faster this is over, say, sqlmap or similar so we can quantify the edge.
Hakuin is a Blind SQL Injection (BSQLI) inference optimization and automation framework written in Python 3. It abstracts away the inference logic and allows users to easily and efficiently extract textual data in databases (DB) from vulnerable web applications. To speed up the process, Hakuin uses pre-trained language models for DB schemas and adaptive language models in combination with opportunistic string guessing for DB content.
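A toy way to put a number on that edge, as an added Python example (mine, not Hakuin's code or model): a simulated boolean-blind oracle counts requests while two extractors recover a column name. One does the classic per-character binary search; the other tries the top predictions of a prefix model built from a constructed wordlist before falling back to binary search. The wordlist stands in for a schema language model and is an assumption for the example.

```python
from collections import Counter, defaultdict

# Constructed wordlist standing in for a pre-trained schema model: column names
# the attacker expects to see. Assumption for the example, not Hakuin's model.
WORDLIST = ["users", "session_id", "password", "password_hash",
            "password_hash_algo", "password_hash_salt"]


class BlindOracle:
    """Simulated boolean-blind injection point; every call is one HTTP request.

    char_lt(pos, v) stands for ASCII(SUBSTR(col, pos+1, 1)) < v and char_eq(pos, v)
    for ASCII(SUBSTR(col, pos+1, 1)) = v. Past the end of the string the character
    code is 0, which is how both extractors detect the end.
    """

    def __init__(self, secret):
        self._secret = secret
        self.queries = 0

    def _code(self, pos):
        return ord(self._secret[pos]) if pos < len(self._secret) else 0

    def char_lt(self, pos, value):
        self.queries += 1
        return self._code(pos) < value

    def char_eq(self, pos, value):
        self.queries += 1
        return self._code(pos) == value


def binary_search_char(oracle, pos, lo=0, hi=128):
    """Classic extraction: 7 requests per character for 7-bit ASCII."""
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if oracle.char_lt(pos, mid):
            hi = mid
        else:
            lo = mid
    return lo


def extract_binary(oracle):
    out = []
    while True:
        code = binary_search_char(oracle, len(out))
        if code == 0:
            return "".join(out)
        out.append(chr(code))


def build_model(wordlist):
    """prefix -> Counter of next characters; NUL marks the end of a word."""
    model = defaultdict(Counter)
    for word in wordlist:
        padded = word + "\0"
        for i in range(len(padded)):
            model[padded[:i]][padded[i]] += 1
    return model


def extract_guided(oracle, model, top_k=3):
    """Try the model's top_k predictions with equality tests, then fall back to binary search."""
    out = ""
    while True:
        pos = len(out)
        code = None
        for guess, _ in model[out].most_common(top_k):
            if oracle.char_eq(pos, ord(guess)):
                code = ord(guess)
                break
        if code is None:  # model had nothing useful for this prefix
            code = binary_search_char(oracle, pos)
        if code == 0:
            return out
        out += chr(code)


def compare(secret, wordlist=WORDLIST):
    """Return (binary_queries, guided_queries) needed to recover `secret`."""
    plain = BlindOracle(secret)
    assert extract_binary(plain) == secret
    guided = BlindOracle(secret)
    assert extract_guided(guided, build_model(wordlist)) == secret
    return plain.queries, guided.queries


if __name__ == "__main__":
    for column in ("password_hash", "api_key"):
        print(column, "binary vs guided requests:", compare(column))
```

With this wordlist the guided extractor recovers `password_hash` in 15 requests against 98 for binary search, but a name the model has never seen (`api_key`) costs 59 against 56: the wasted guesses are the price of the model, which is why the framework's own adaptive component matters as much as the pre-trained one.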
What is being exploited.
Analysis of Time-to-Exploit Trends: 2021-2022
Analyzed 246 vulnerabilities that were exploited between 2021 and 2022.
CVE-2023-22515 - Privilege Escalation Vulnerability in Confluence Data Center and Server
See the opening comment around SaaS logs and assurance.
Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances.
Critical Vulnerabilities in Progress Software WS_FTP Server
Caitlin Condon doing what they do best and catching bad people being bad. The speed with which these vulns are being flipped is the aspect of note.
On September 27, 2023, Progress Software published a security advisory on multiple vulnerabilities affecting WS_FTP Server, a secure file transfer solution. There are a number of vulnerabilities in the advisory, two of which are critical (CVE-2023-40044 and CVE-2023-42657). Our research team has identified what appears to be the .NET deserialization vulnerability (CVE-2023-40044) and confirmed that it is exploitable with a single HTTPS POST request and a pre-existing ysoserial.net gadget.
Note: As of September 30, [we] observed multiple instances of WS_FTP exploitation in the wild.
CVE-2023-29357: Microsoft SharePoint Server Elevation of Privilege Vulnerability
Enterprises will likely wrestle with the impact of this vulnerability for a while.
This script exploits a vulnerability (CVE-2023-29357) in Microsoft SharePoint Server allowing remote attackers to escalate privileges on affected installations of Microsoft SharePoint Server. While this script focuses on elevation of privilege, attackers with malicious intent might chain this vulnerability with a Remote Code Execution (RCE) vulnerability (CVE-2023–24955) to compromise the integrity, availability, and confidentiality of the target system.
CVE-2023-4911: Looney Tunables proof of concept
Rick de Jager was one of the first to exploit this vulnerability, which will be the gift that continues to give for a while. If you run Linux systems you likely want to develop exploitation tradecraft to gain some assurance. The difficult bit will be those embedded/virtual appliance systems where the threat actor gets a low privilege shell.
This is a (atm very rough) proof of concept for CVE-2023-4911. So far I've only verified it works on Ubuntu 22.10 kinetic. Current version of the exploit contains a fair amount of "magic" offsets. If you have suggestions on how to improve the heap shaping, feel free to send a PR my way :).
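Short of running the proof of concept, the assurance check most teams want is the crash test Qualys published with their advisory: a duplicated tunable name makes the vulnerable ld.so parser overrun its buffer and fault before the target program starts. Here it is wrapped in Python as an added example (mine, not Rick de Jager's exploit and not an exploit itself); the default target binary and the oversized filler variable are taken from that published test.

```python
import os
import subprocess

# The duplicated tunable name is the trigger; the oversized Z variable only
# enlarges the environment so the overrun lands somewhere that faults. Neither
# is a payload: a vulnerable loader simply crashes before running the program.
CRASH_ENV = {
    "GLIBC_TUNABLES": "glibc.malloc.mxfast=glibc.malloc.mxfast=A",
    "Z": "%08192x" % 1,
}


def looney_tunables_check(binary="/usr/bin/su", timeout=10):
    """Return 'vulnerable', 'not_vulnerable' or 'unknown' for the dynamic loader `binary` uses.

    A patched glibc rejects the malformed tunable string and runs the program
    normally; a vulnerable one dies in ld.so with SIGSEGV (negative returncode).
    """
    if not os.path.exists(binary):
        return "unknown"
    try:
        proc = subprocess.run([binary, "--help"], env=CRASH_ENV,
                              capture_output=True, timeout=timeout)
    except (OSError, subprocess.TimeoutExpired):
        return "unknown"
    return "vulnerable" if proc.returncode < 0 else "not_vulnerable"


if __name__ == "__main__":
    print(looney_tunables_check())
```

Run it as an unprivileged user on each build of the appliance images you care about. A crash is conclusive; a clean run is not, since the test depends on heap layout and the binary actually loading glibc's ld.so, so treat "not_vulnerable" on an unfamiliar platform as "check the glibc package version too".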
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
Introducing ntdissector, a swiss army knife for your NTDS.dit files
Julien Legras and Mehdi Elyassa create the beginnings of something truly useful for a variety of forensic use cases.
Basically, ntdissector processes the NTDS data in two major steps:
Extract the record catalog to build various cache files, mostly for ID mappings but also for DN resolution and objects links.
Record serializing, decryption and formatting.
bpftime: Userspace eBPF runtime for fast Uprobe & Syscall hook & Plugins
Given the trip hazards mentioned above on using eBPF, this performance optimization is welcome due to the enhanced coverage opportunity it provides.
bpftime, a full-featured, high-performance eBPF runtime designed to operate in userspace. It offers fast Uprobe and Syscall hook capabilities: Userspace uprobe can be 10x faster than kernel uprobe! and can programmatically hook all syscalls of a process safely and efficiently.
Some other small (and not so small) bits and bobs which might be of interest.
Legal and Regulatory Aspects of Information Security - Reading list from Royal Holloway’s graduate school module
DEATHCon 0x1 2023, 4 and 5 November 2023 - DEATHCon is an online AND in-person hands-on conference for Detection Engineers And Threat Hunters.