Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week you will see some crunchy vulnerabilities had exploits released. One of these raised a question around vendor language in relation to the SaaS services - namely you are not vulnerable not that you weren’t vulnerable. This then raised the second order question when these type of vulnerabilities land do we need clearer communication around if as the customer we were vulnerable, when, what the IoCs were and if we have access to logs which allow us to confirm if exploitation happened in our context or not.
NPC Headliner Luncheon: Gen. Paul Nakasone - technology is advancing at a phenomenal speed posing a challenge to the U.S as it races to stay ahead of technologies with the potential to be used against us cyber and generative AI or prime examples
A Call To Action: Building the Cyber Workforce the Nation Needs | ONCD - I’m calling on organizations nationwide – technology and non-tech companies alike, academic institutions, state and local governments, and workers who are considering a career in cybersecurity, and others – to join us in building a cyber workforce to meet the challenge of this decisive decade.
House passes bill to relax educational requirements for federal cyber workers - The Modernizing the Acquisition of Cybersecurity Experts Act, or MACE Act, (H.R. 4502) is aimed at addressing shortages in federal cybersecurity positions by expanding the pool of eligible applicants and passed easily in a 394-1 vote. It’s sponsored by Rep. Nancy Mace, R-S.C., and Rep. Katie Porter, D-Calif.
Vive la France and Cyberscore Law is rallying cry for Europe - French policymakers have taken the lead globally in mandating cyber risk ratings to enhance cybersecurity posture in the country. The Cyberscore Law, which comes into force on October 1, 2023, mandates cyber scores on the 500 largest merchants' websites operating in France, with plans to extend this to 10,000 strategic companies such as the electric power grid and healthcare.
Japan to bolster cyber defense with homegrown software - Japan plans to begin installing domestically developed security software for ministry and agency computers starting in fiscal 2025, part of an effort to boost the collection and analysis of cyberattack information and improve cyber defense.
China
China proposes relaxing security reviews for most cross-border data flows - China’s cyberspace regulator, which imposed tough cross-border data security requirements a year ago creating uncertainties for multinationals, made a concession on Thursday by waiving security assessments for the bulk of day-to-day business activities involving these data flows.
Navigating the Jagged Technological Frontier - For tasks within the AI frontier, ChatGPT-4 significantly increased performance, boosting speed by over 25%, human-rated performance by over 40%, and task completion by over 12%.
The reflection this week is on probability and impact of risks manifesting and how to apply to ‘existential’ technology risks. Having been in the services world for a material proportion of my career you see the patterns of threat hype in order to drive business. These cycles often involve demonstrating the art of the possible aka stunt hacking.
The gulf between these art of the possible demonstrations and the real-world application and thus risk manifesting is often both material and yet hard to predict.
How we get from existential warnings to a discipline which is increasingly quantified and qualified with supporting evidence so we can make the priority calls seems like a gap worth closing..
On the interesting job/role front (thanks to those sending me these):
Ukraine prepares for winter again as Russia targets its power grid
Winters coming..
Mr Sakharuk also says that cyber-attacks could be an even bigger threat this winter than missiles and drones. A successful assault “can paralyse the whole system” and that can be “much more dangerous than physical damage”. Ever since the invasion began dtek and Ukraine’s cyber warriors have been battling Russia’s hackers; and this, he says, is “a game of cat and mouse”. Once you develop a new way to protect yourself the hackers find a new way around your defences. “You are always in motion,” he says.
Lazarus luring employees with trojanized coding challenges: The case of a Spanish aerospace company
Peter Kálnai outlines the stuff of nightmares for those tasked with protecting software development teams. Real lessons in here as to the real-world risk.
[We] have uncovered a Lazarus attack against an aerospace company in Spain, where the group deployed several tools, most notably a publicly undocumented backdoor we named LightlessCan. Lazarus operators obtained initial access to the company’s network last year after a successful spearphishing campaign, masquerading as a recruiter for Meta – the company behind Facebook, Instagram, and WhatsApp.
Employees of the targeted company were contacted by a fake recruiter via LinkedIn and tricked into opening a malicious executable presenting itself as a coding challenge or quiz.
We identified four different execution chains, delivering three types of payloads via DLL side-loading .
The most notable payload is the LightlessCan backdoor, implementing techniques to hinder detection by real-time security monitoring software and analysis by cybersecurity professionals; this presents a major shift in comparison with its predecessor BlindingCan, a flagship HTTP(S) Lazarus RAT.
We attribute this activity with a high level of confidence to Lazarus, particularly to its campaigns related to Operation DreamJob.
South Korean Intelligence: North Korea targeting South Koreas ship building and maintenance industry
So above we have Spanish aerospace and now we have South Korean maritime being targeted. No technical details, so solely fact of.
Home Security recently reported that North Korea has targeted our shipbuilding companies to strengthen its naval military power. They say they are carrying out intensive hacking attacks. We have issued a warning to related industries to be cautious..
Introducing the REF5961 intrusion set — three new malware families targeting ASEAN members
Daniel Stepanic, Salim Bitam, Cyril François, Seth Goodwin and Andrew Pease give someone a bad in the office in China by burning three of their implants. These all appear to exhibit test artefacts also which in of itself interesting..
The victim is the Foreign Affairs Ministry of a member of the Association of Southeast Asian Nations (ASEAN).
Further, the correlation of execution flows, tooling, infrastructure, and victimology of multiple campaigns we’re tracking along with numerous third-party reports makes us confident this is a China-nexus actor.
Chinese State-Sponsored Cyber Espionage Activity Targeting Semiconductor Industry in East Asia
Arda Büyükkaya brings us further evidence of China’s targeting of the semi conductor sector (which open source reporting has shown has been going on for years) for the all the reasons we would expect. Phishing is the initial access mechanism..
[We] identified a cyber espionage campaign where threat actors used a variant of HyperBro loader with a Taiwan Semiconductor Manufacturing (TSMC) lure. This was likely to target the semiconductor industry in Mandarin/Chinese speaking East Asian regions (Taiwan, Hong Kong, Singapore).
The compromised Cobra DocGuard web server hosted a GO-based backdoor
Operation Jacana: They’re taking the hobbits to Guyana
Fernando Tavella give insight in to the targeting of an African nation by a suspected Chinese state actor. Not unexpected, but useful in support of building the public evidence base of regionally targeted malign activity to encourage capability uplift.
Operation Jacana is a targeted cyberespionage campaign against a Guyanese governmental entity.
After the initial compromise via spearphishing emails, the attackers proceeded to move laterally through the victim’s internal network.
To extract sensitive data, the operators used a previously undocumented backdoor we named DinodasRAT.
DinodasRAT encrypts the information it sends to the C&C using the Tiny Encryption Algorithm (TEA).
Apart from DinodasRAT, the attackers also deployed Korplug, leading us to suspect that China-aligned operators are behind this operation.
Mohamed Fahmy and Mahmoud Zohdy provide evidence of what appears some regional state on state action. Initial access tradecraft is … 🥁 … phishing!
We observed and tracked the advanced persistent threat (APT) APT34 group with a new malware variant accompanying a phishing attack comparatively similar to the SideTwist backdoor malware. Following the campaign, the group abused a fake license registration form of an African government agency to target a victim in Saudi Arabia.
During our investigation, there was little information about the victims targeted by this malware. But the file that APT34 used for this attack is called “MyCv.doc,” a license registration form related to the Seychelles Licensing Authority. However, we noted that the document contained pricing information in Saudi Riyal, which might indicate that the targeted victim was an organization inside the Kingdom of Saudi Arabia.
Jérôme Segura highlights a technique which I don’t recall being discussed before. I suspect there is some value in looking for campaigns which appear to be phishing for access to said ad accounts.
In this case, the malicious actor hacked into the ad account of a legitimate Australian business and created two malicious ads, one targeting network admins (Advanced IP Scanner) and another lawyers (MyCase law manager):
Using smart contracts on ‘the blockchain’ to host your malicious JavaScript payloads? Well this is what this threat actor has done..
after generating a connection to binance to be able to read a “smart contract”, you must execute whatever comes as a response through the “eval” method
Active Lycantrox infrastructure illumination - Cytrox’s signature Predator spyware
Felix Aimé and Maxime Arquillière illuminate a whole load of infrastructure associated with this commercial mobile malware supplier given a sense of customers. Of note is the vendor continues to try and improve their operational security which is going to continue to raise the bar on these detection activities.
Lycantrox has hardened its reverse proxies since our previous investigations and after some public disclosures in order to prevent such illumination. However, sometimes, too much hardening can be discriminatory from a defender point of view, as we can see with this correlation.
Economic Espionage Via Fake Social Media Profiles in the UK: Professional Workers Awareness and Resilience
Mark Button, David Shepherd and Jeyong Jung provide some science around susceptibility of recruitment. I had to google homophily-heterophily I will admit to understand this paper. Homophily is the degree of similarity with the communicator and the receiver, whilst heterophily is the degree of difference.
This paper explores the use of fake social media accounts for economic espionage. It focuses solely on the first step of the recruitment process, the link requests. In the absence of any prior research, the study uses an inductive approach based on a survey of 2,000 UK professionals, and finds that a quarter of professionals are ill-prepared for the threat. A substantial minority are carelessly indifferent to information security and computer network security, and are so indifferent to the identities behind link requests that they auto-link with everyone. The paper also explores the homophily-heterophily orientation of professionals. It argues that homophily-orientated professionals tend to reject profiles with espionage characteristics, whilst heterophily-orientated professionals are susceptible because they embrace social difference.
The practical implications are that employers need to strengthen their information security training programmes, the security services need to be more explicit in characterising the threats, and regulation is required to force the social media companies to focus on the problem.
How we find and understand the latent compromises within our environments.
Legitimate exfiltration tools : summary and detection for incident response and threat hunting
Nathanael Ndong continues bring the value on behalf of this firm and the quality artefact research they output. Some strong indicators which Blue teams can use here.
When an attacker uses a legitimate data transfer tool, whether it is already present on the system or has been downloaded, it is often possible to identify its presence and use :
with the tool installation path and uninstall registry key ;
with registry keys, either specific to the tool or with UserAssist and AppCompatCache for command-line tools.
Strengthening Your Defense Against IdP (Identity Provider)Attacks: Leveraging Google Workspace Admin Logs
Further evidence that security detection capabilities is an extra cost when it likely shouldn’t be - something that likely needs addressing at an industry level.
While enabling these logs may require specific licenses, it’s an investment that enhances IdP attack detection. Google Cloud Security Command Center premium customers gain access to an even broader range of signatures.
Matt Suiche shows how understanding how a file format is meant to work allows us to detect malicious misuse. Machines were built for this..
The malicious distance code lengths produce an unbalanced Huffman Tree; a straightforward way to detect it is to make sure that writes are happening within the boundary of huffman_tables by emulating the behavior of BuildHuffmanTable() as we are doing via is_code_lengths_count_valid().
NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations
Avengers assemble (I’m watching Iron Man III with the family I write this) - now if only these were cost effective to solve even in moderately sized organizations we’d have a business case.
Default configurations of software and applications
Improper separation of user/administrator privilege
Insufficient internal network monitoring
Lack of network segmentation
Poor patch management
Bypass of system access controls
Weak or misconfigured multifactor authentication (MFA) methods
Insufficient access control lists (ACLs) on network shares and services
Recognition of government websites: does a uniform domain name extension help?
Some science out of the Netherlands on citizens recognizing if they are accessing a government website or not. Likely useful to Governments globally - in short have a uniform domain and explain it.
The Ministry of the Interior and Kingdom Relations has conducted public research into the added value for citizens of introducing a uniform second level domain name extension for government websites. The research demonstrably shows that a uniform extension helps citizens to easily determine whether a website belongs to the government or not.
It turns out that a uniform domain name extension ensures better recognition of government websites.
Recognition was higher after receiving the explanation than before receiving the explanation (as in the current case).
Pitfalls of relying on eBPF for security monitoring (and some solutions)
Artem Dinaburg provides the wisdom to anyone building solutions around eBPF.
eBPF (extended Berkeley Packet Filter) has emerged as the de facto Linux standard for security monitoring and endpoint observability. It is used by technologies such as BPFTrace, Cilium, Pixie, Sysdig, and Falco due to its low overhead and its versatility.
There is, however, a dark (but open) secret: eBPF was never intended for security monitoring. It is first and foremost a networking and debugging tool. As Brendan Gregg observed:
eBPF has many uses in improving computer security, but just taking eBPF observability tools as-is and using them for security monitoring would be like driving your car into the ocean and expecting it to float.
But eBPF is being used for security monitoring anyway, and developers may not be aware of the common pitfalls and under-reported problems that come with this use case. In this post, we cover some of these problems and provide workarounds. However, some challenges with using eBPF for security monitoring are inherent to the platform and cannot be easily addressed.
Public Preview: Strictly Enforce Location Policies with Continuous Access Evaluation
Alex Weinert details how CAE is evolving in the MSFT eco-system. The ability to revoke tokens in near real-time in response to network change events will have an impact.
Previously, in the event of an access token theft, attackers could take advantage of the refresh interval to replay the token, regardless of whether it fell outside the location range permitted by a conditional access policy. With our ability to strictly enforce location policies and CAE, CAE enabled applications like Exchange Online, SharePoint, Teams, and Microsoft Graph can now revoke tokens in near real-time in response to network change events noticed by the app – preventing stolen tokens from being replayed outside the trusted network.
How To Deploy a Complete Entra ID Conditional Access PoC in Under 5 Minutes
Daniel Chronlund removes all excuses for deploying conditional access in the MSFT eco-system as we can now do it while the kettle boils. Conditional access will impose cost on adversaries and make your organization materially more resilient (when not in report only mode).
Installs Microsoft Graph PowerShell module (if you don’t already have it installed).
Connects to Microsoft Graph (you must run the tool as a Global Admin so you can consent to the required permissions during authentication).
Creates a break glass exclude group (protected by the ‘role-assignable’ attribute) and adds your current account as a member to that group.
Creates a service account group for non-human accounts.
Creates a named location for your corporate IP addresses (it automatically adds your current public IP address to the list).
Creates a named location for allowed countries (I added some countries that I tend to work in as examples).
Uploads a Terms of Use template in English.
Deploys my Conditional Access policy design baseline from to your tenant in report-only mode.
Secure by Design: AWS to enhance MFA requirements in 2024
Steve Schmidt ensures Christmas comes early.
Beginning in mid-2024, customers signing in to the AWS Management Console with the root user of an AWS Organizations management account will be required to enable MFA to proceed. Customers who must enable MFA will be notified of the upcoming change through multiple channels, including a prompt when they sign in to the console.
A vulnerability in Cisco Emergency Responder could allow an unauthenticated, remote attacker to log in to an affected device using the root account, which has default, static credentials that cannot be changed or deleted.
hakuin: A blazing fast Blind SQL Injection optimization and automation framework
Want an example of LLMs used for malicious cyber? Here you go from Jakub Pruzinec. I would be interested to understand how much faster this is over say sqlmap or similar so we can quantify the edge.
Hakuin is a Blind SQL Injection (BSQLI) inference optimization and automation framework written in Python 3. It abstract away the inference logic and allows users to easily and efficiently extract textual data in databases (DB) from vulnerable web applications. To speed up the process, Hakuin uses pre-trained language models for DB schemas and adaptive language models in combination with opportunistic string guessing for DB content.
CVE-2023-22515 - Privilege Escalation Vulnerability in Confluence Data Center and Server
See opening comment around logs in the SaaS and assurance.
Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances.
Critical Vulnerabilities in Progress Software WS_FTP Server
Caitlin Condon doing what they do best and catching bad people being bad. The speed with which these vulns are being flipped is the aspect of note.
On September 27, 2023, Progress Software published a security advisory on multiple vulnerabilities affecting WS_FTP Server, a secure file transfer solution. There are a number of vulnerabilities in the advisory, two of which are critical (CVE-2023-40044 and CVE-2023-42657). Our research team has identified what appears to be the .NET deserialization vulnerability (CVE-2023-40044) and confirmed that it is exploitable with a single HTTPS POST request and a pre-existing ysoserial.net gadget.
Note: As of September 30, [we] observed multiple instances of WS_FTP exploitation in the wild.
CVE-2023-29357: Microsoft SharePoint Server Elevation of Privilege Vulnerability
Enterprises will likely wrestle with the impact of this vulnerability for a while..
This script exploits a vulnerability (CVE-2023-29357) in Microsoft SharePoint Server allowing remote attackers to escalate privileges on affected installations of Microsoft SharePoint Server. While this script focuses on elevation of privilege, attackers with malicious intent might chain this vulnerability with a Remote Code Execution (RCE) vulnerability (CVE-2023–24955) to compromise the integrity, availability, and confidentiality of the target system.
Rick de Jager was one of the firs to exploit this vulnerability which will be the gift that continues to give for a while. If you run Linux systems you likely want to develop exploitation tradecraft to gain some assurance. The difficult bit will be those embedded/virtual appliance systems where the threat actor gets a low privilege shell.
This is a (atm very rough) proof of concept for CVE-2023-4911. So far I've only verified it works on Ubuntu 22.10 kinetic. Current version of the exploit contains a fair amount of "magic" offsets. If you have suggestions on how to improve the heap shaping, feel free to send a PR my way :).
bpftime: Userspace eBPF runtime for fast Uprobe & Syscall hook & Plugins
Given the trip hazards mentioned above on using eBPF this performance optimization is welcome due to the enhance coverage opportunity it provides.
bpftime, a full-featured, high-performance eBPF runtime designed to operate in userspace. It offers fast Uprobe and Syscall hook capabilities: Userspace uprobe can be 10x faster than kernel uprobe! and can programmatically hook all syscalls of a process safely and efficiently.
Bluepurple Pulse: week ending October 8th
So how do we close that gap Ollie? Should we expect to see some sort of roadmap from somewhere? Who cares enough to close that gap? Gov? Industry?