Bluepurple Pulse: week ending October 23rd
The IoT cyber security tyre fire is slowly being doused with buckets of water by governments globally.
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week nothing overly standout, just the usual background of cyber, plus fibre telecommunications cables being cut in France.
In the high-level this week:
Podcast with Bailey Bickley, Chief Strategy Officer for the NSA Cybersecurity Collaboration Center - a broad and insightful chat to attract others into the community/industry.
Cyber in the Shadows: Insights from Insurgent Groups, Deterrence Without Escalation - Why the Future of Cyber Operations Will Be Covert - from Joint Forces Quarterly.
Cyber attack recovery effort cost Hackney Council over £12m last year - an attack on a local government body in the UK, with the true cost evidenced.
Tracking Competition in Cyberspace: Announcing the Dyadic Cyber Incident Dataset Version 2.0 - The Dyadic Cyber Incident Dataset (DCID) is the only peer-reviewed source of cyber security conflict incident data - the data set is available.
Unique action: police frees computers held hostage thanks to trick with bitcoin (English translation with broken video) - Dutch police used a delay in the distributed ledger to appear to pay and then recall the instruction - got to love the style.
FACT SHEET: The Biden-Harris Administration’s National Security Strategy (detailed paper) - cyber gets 32 mentions with a section titled Securing Cyberspace which is about three paragraphs in length - punchline: “We aim to deter cyber attacks from state and non state actors and will respond decisively with all appropriate tools of national power to hostile acts in cyberspace.”
Routing security - BGP incidents, mitigation techniques and policy actions - not really high-level, but interesting that the OECD would release such a paper and that such a technical paper would be fused with a policy discussion. Sadly the policy bit sounds a little like a sales pitch.
National Police Agency of Japan issues alert on North Korean cyber activity targeting Japanese crypto asset companies (English article) - high-level sectoral warning in Japan.
CYBERCOM executed global cyberspace defensive operation - This 10-day operation was internally focused and intended to search for, identify and mitigate publicly known malware and associated variations that could potentially impact our cybersecurity - almost like a Halloween clean.
The UN Cybercrime Treaty Has a Cybersecurity Problem In It - (TL;DR: if "intent" is omitted, bona fide security researchers may be put at risk of prosecution) - like CMA reform in the UK - opinion piece here, but interesting / a worry.
Statement by NSC Spokesperson Adrienne Watson on the Biden-Harris Administration’s Effort to Secure Household Internet-Enabled Devices - US following the likes of the UK, Australia, Singapore and Europe.
Statement delivered by Laurent Gisel, Head of the Arms and Conduct of Hostilities Unit at the Legal Division of the International Committee of the Red Cross (ICRC), at the 77th session of the United Nations General Assembly - “In addition, the growing involvement of civilians and civilian companies in military cyber operations and other digital activities during armed conflict exposes them to harm and risks undermining the principle of distinction, a central tenet of international humanitarian law (IHL)” - in short, a health warning that you might incur a kinetic response.
Chinese hackers are scanning state political party headquarters, FBI says - Washington Post article.
Financial and cybercrimes top global police concerns, says new INTERPOL report - no surprise, but they wrote it down.
Somewhat related: ENISA is holding their 2nd ERA-ENISA Conference on Cybersecurity in Railways in December.
The head of the State Duma committee Khinshtein called for cyber attacks on the decision-making centers of Ukraine - open advocacy for cyber offense.
Germany fires cybersecurity chief 'over Russia ties' - we covered the calls last week and then it happened.
Israeli officer reveals intricate details of IDF's first ever cyberattack from the 90s - it is almost like cyber isn’t a new thing, says someone who started their career pentesting in the dotcom era.
Two reflections this week.
The first comes from the briefing note “The legal rule that computers are presumed to be operating correctly – unforeseen and unjust consequences”.
In England and Wales, courts consider computers, as a matter of law, to have been working correctly unless there is evidence to the contrary. Therefore, evidence produced by computers is treated as reliable unless other evidence suggests otherwise. This way of handling evidence is known as a ‘rebuttable presumption’. A court will treat a computer as if it is working perfectly unless someone can show why that is not the case.
The foundation of the briefing is the travesty in the UK where various people were convicted of theft/fraud because software didn’t work but everyone said the computer couldn’t be wrong. Given some of the software/hardware quality I’ve experienced over the decades, and when we think about systems of systems, it does feel like the law needs to adjust to a balanced and evidenced reality on both sides.
The second reflection comes from continued Sino studies and reading Innovate to Dominate: The Rise of the Chinese Techno-Security State. Again it amplifies quite starkly how a long-term vision (in an autocracy), followed by cohering government, industry and academia to execute whilst coupling that with buckets of nefarious activity, can have impact, and relatively quickly. Our free market equivalent would be stimulating competition, a bit like NASA does with their NASA Solve programme, and as they did when they dangled their heavy lift contracts, which saw material breakthroughs.
Have a lovely Friday
Cyber threat intelligence
Who is doing what to whom and how.
Domestic Kitten campaign spying on Iranian citizens with new FurBall malware
Lukas Stefanko outlines activity which is somewhat expected given the regional unrest at the moment. The tradecraft is relatively unsophisticated, but they have taken a swing.
[We] recently identified a new version of the Android malware FurBall being used in a Domestic Kitten campaign conducted by the APT-C-50 group. The Domestic Kitten campaign is known to conduct mobile surveillance operations against Iranian citizens and this new FurBall version is no different in its targeting. Since June 2021, it has been distributed as a translation app via a copycat of an Iranian website that provides translated articles, journals, and books.
This version of FurBall has the same surveillance functionality as previous versions; however, the threat actors slightly obfuscated class and method names, strings, logs, and server URIs.
Spyder Loader: Malware Seen in Recent Campaign Targeting Organizations in Hong Kong
Further Chinese activity in Hong Kong. It is interesting they continue to use such capability against their own territories.
[We have] observed a likely continuation of the Operation CuckooBees activity, this time targeting organizations in Hong Kong.
The victims observed in the activity seen by [us] were government organizations, with the attackers remaining active on some networks for more than a year. We saw the Spyder Loader (Trojan.Spyload) malware deployed on victim networks, indicating this activity is likely part of that ongoing campaign. While we did not see the ultimate payload in this campaign, based on the previous activity seen alongside the Spyder Loader malware it seems likely the ultimate goal of this activity was intelligence collection.
Iranian Cyber Group Emennet Pasargad Conducting Hack-and-Leak Operations Using False-Flag Personas
FBI alert on Iranian information operations. Iran continues to learn from Russia and, given their renewed friendship because of the Russia/Ukraine conflict, you can imagine a world where there is further tradecraft transfer.
According to FBI information, since at least 2020, Emennet targeted entities primarily in Israel with cyber-enabled information operations that included an initial intrusion, theft and subsequent leak of data, followed by amplification through social media and online forums, and in some cases the deployment of destructive encryption malware. To avoid attribution, Emennet executed false-flag campaigns under the guise of multiple personas like hacktivist or cyber-criminal groups. Although Emennet’s latest attacks have primarily targeted Israel, the FBI judges these techniques may be used to target US entities as seen during Emennet’s cyber-enabled information operation that targeted the 2020 US Presidential election. Within the past year, the FBI has identified a destructive cyber attack against a US organization – indicating the group remains a cyber threat to the United States.
8220 Gang Cloud Botnet Targets Misconfigured Cloud Workloads
Tom Hegel outlines an at-scale, low-hanging-fruit campaign by an actor building a botnet. One would hope these are easy for the cloud platforms to similarly identify and then contain/mitigate.
Exploit attempts from 8220 Gang continue at a pace consistent with our previous reporting. The majority of active victims are still operating outdated or misconfigured versions of Docker, Apache, WebLogic, and various Log4J vulnerable services.
8220 Gang identifies targets via scanning for misconfigured or vulnerable hosts on the public internet. Victims are typically using cloud infrastructure such as AWS, Azure and similar with misconfigured instances that allow remote attackers to gain access. Publicly-accessible hosts running Docker, Confluence, Apache WebLogic, and Redis can easily be discovered and attacked with little technical know-how.
DiceyF deploys GamePlayerFramework in online casino development studio
Kurt Baumgartner outlines a campaign which doesn’t look criminal but more like a state actor trying to find corrupt officials who like gambling. The level of sophistication on multiple fronts, whilst not top tier, also isn’t amateur hour.
We call this APT “DiceyF”. They have been targeting online casinos and other victims in Southeast Asia reportedly for years now. Our research shows overlap with LuckyStar PlugX, a supply chain incident privately reported. TTPs, secure messaging client abuse, malware, and targeting demonstrate that this set of activity and resources align with Earth Berberoka/GamblingPuppet activity discussed at Botconf 2022.
An interesting combination of detections and characteristics sparked interest in this activity. These data points included
PlugX installers signed by a potentially stolen digital certificate from a secure messaging client development studio
Malware distribution via an employee monitoring system and a security package deployment service
Unusual .NET code signed with the same potentially stolen certificate and calling back to the same domain as the PlugX C2
Archive Sidestepping: Emotet Botnet Pushing Self-Unlocking Password-Protected RAR
Bernard Bautista and Diana Lopera show the slightly comical infection chains that some actors are now using for initial access. However, we have to infer that if it didn’t work they wouldn’t use it.
Disguised as an invoice, the attachment in either ZIP or ISO format, contained a nested self-extracting (SFX) archive. The first archive is an SFX RAR (RARsfx) whose sole purpose is to execute a second RARsfx contained within itself. The second RARsfx is password-protected but despite that, no user input is necessary to extract and execute its content. In some samples, the nested SFX archive is encapsulated further in another archive.
Patrick Schläpfer discusses the other end of the ransomware spectrum, that is the commodity prosumer end designed for western victims.
The campaign spread Magniber, a single-client ransomware family known to demand $2,500 from victims.
Gremlins’ prey, secrets, and dirty tricks: the ransomware gang OldGremlin set new records
This threat group appears to be inspired by the plot of Point Break. That is they do their raids and then go on holiday (surfing in the movie - watch the original though and not the remake).
OldGremlin was most active in 2020. That year, the gang carried out dozens of campaigns, with emails purporting to be from microfinance companies, a metals and mining company, a tractor manufacturer, and a business media holding. In 2021, the group carried out a single but highly successful campaign: the threat actor impersonating an association of online retailers. In 2022, OldGremlin carried out five campaigns masquerading as tax and legal services companies, a payment system, an IT company, and more.
The group’s victim list includes banks, logistics, and manufacturing companies, insurance firms, retailers, real estate developers, and software companies. In 2020, the group even targeted an arms manufacturer.
The average ransom demanded by OldGremlin amounts to $1.7 million, and the highest ransom to date reached $16.9 million. Unlike other ransomware operators involved in Big Game Hunting, OldGremlin tend to take long breaks after successful attacks.
From RM3 to LDR4: URSNIF Leaves Banking Fraud Behind
Sandor Nemes, Sulian Lebegue and Jessa Valdez show how this criminal actor is diversifying in their operations away from their traditional financial instrument theft activities.
A new variant of the URSNIF malware, first observed in June 2022, marks an important milestone for the tool. Unlike previous iterations of URSNIF, this new variant, dubbed LDR4, is not a banker, but a generic backdoor (similar to the short-lived SAIGON variant), which may have been purposely built to enable operations like ransomware and data theft extortion. This is a significant shift from the malware’s original purpose to enable banking fraud, but is consistent with the broader threat landscape.
DeadBolt ransomware: nothing but NASty
Andrey Zhdanov and Vladislav Azersky discuss a criminal group who appear to be able to find, weaponize and deploy vulnerabilities in embedded systems (NASs) to deliver ransomware operations. This, ladies and gentlemen, is why we need to get the whole IoT tyre fire under control.
In January 2022, a number of NAS (Network Attached Storage) users found encrypted files with the extension .deadbolt on their systems. Around this time, Bleeping Computer published a news story about 3,600 devices that had also been affected. Since then, reports about attacks on NAS devices involving ransomware from the DeadBolt family have appeared regularly. The DeadBolt ransomware group claims that its members exploit zero-day vulnerabilities in NAS software, and each newly detected vulnerability is often linked to a new series of attacks.
TeamTNT Returns – or Does It?
Sunil Bharti shows how criminals will learn from each other, emulate and/or splinter off if they aren’t getting what they feel they deserve.
TeamTNT is a threat group that was known for primarily targeting the cloud and container environments around the world. This group has been documented to leverage the cloud and container resources by deploying cryptocurrency miners in the victim environments. While the group has been active since 2019 and announced it was quitting in 2021, our recent observations make it appear as if TeamTNT has returned — or a copycat group imitating the routines of TeamTNT — and has been deploying an XMRig cryptocurrency miner. Analysis of the attack patterns and other technical details of the code has also led us to believe that the routines are mimicking TeamTNT’s arsenal, but are likely deployed by another cryptocurrency mining group named WatchDog.
How we find and understand the latent compromises within our environments.
ELK Threat Hunting
This notebook is a quick workflow to use with ELK and browse indexed threats. The goal is to provide a ready-to-use workflow to identify particular threats and statistics and do an initial threat analysis.
Detecting ADCS web services abuse
Henri Hambartsumyan provides some top detection engineering here for this commonly misused service.
One of the popular attack vectors against ADCS is ESC8 — relaying NTLM creds to the ADCS HTTP(S) endpoints. While preventing this vulnerability rather than detecting it is the preferred approach by a long shot, we’ve seen cases where mitigating the vulnerability is not feasible.
We focus on detecting irregular access to the various ADCS web services exposed, as well as detecting the NTLM relaying itself. The three ways to access ADCS over HTTP are:
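As an added illustration of the relay-oriented detection the post describes (this is not code from the post or its author), the Go program below runs two rules over constructed IIS W3C log lines from a CA web server: a machine account authenticating to an ADCS HTTP endpoint from an IP other than its own host, and one source IP presenting several identities in the window. The log field layout, the endpoint paths and the host inventory are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed IIS W3C log lines from a CA web server (sample data, not from the post).
// Fields: date time c-ip cs-method cs-uri-stem cs-username sc-status
const sampleLog = `2022-10-20 09:14:02 10.0.1.25 GET /certsrv/certrqus.asp CORP\alice 200
2022-10-20 09:14:03 10.0.1.25 POST /certsrv/certfnsh.asp CORP\alice 200
2022-10-20 09:20:11 10.0.9.77 POST /certsrv/certfnsh.asp CORP\DC01$ 200
2022-10-20 09:20:12 10.0.9.77 POST /certsrv/certfnsh.asp CORP\FILESRV$ 200
2022-10-20 09:20:13 10.0.9.77 POST /certsrv/certfnsh.asp CORP\bob 200
2022-10-20 09:31:45 10.0.1.30 GET /certsrv/ CORP\bob 401
2022-10-20 09:40:00 10.0.1.40 POST /ADPolicyProvider_CEP_Kerberos/service.svc CORP\WS12$ 200`

// Constructed inventory (assumed to come from AD/DHCP): the IP each machine
// account is expected to authenticate from.
var hostInventory = map[string]string{
	`CORP\DC01$`:    "10.0.0.10",
	`CORP\FILESRV$`: "10.0.2.15",
	`CORP\WS12$`:    "10.0.1.40",
}

// Alert is one detection hit: the rule that fired and its evidence.
type Alert struct{ Rule, Detail string }

// isADCSPath matches the ADCS HTTP endpoints: web enrollment (/certsrv), the
// Certificate Enrollment Web Service (*_CES_*) and the Policy Web Service (CEP).
func isADCSPath(uri string) bool {
	return strings.HasPrefix(uri, "/certsrv/") || strings.Contains(uri, "_CES_") ||
		strings.Contains(uri, "ADPolicyProvider_CEP")
}

// Detect applies two relay-oriented rules to successful (200) ADCS web requests:
//  1. a machine account authenticating from an IP other than its own host, which
//     is what a relayed machine credential looks like from the CA's side;
//  2. one source IP authenticating as several different identities, the fan-out
//     pattern of a relay host servicing many coerced victims.
// 401 lines are the normal NTLM challenge and carry no identity, so they are skipped.
func Detect(logText string, inventory map[string]string) []Alert {
	var alerts []Alert
	identities := map[string]map[string]bool{} // source IP -> set of usernames seen
	for _, line := range strings.Split(strings.TrimSpace(logText), "\n") {
		f := strings.Fields(line)
		if len(f) != 7 || f[6] != "200" || !isADCSPath(f[4]) {
			continue
		}
		ip, user := f[2], f[5]
		if home, known := inventory[user]; strings.HasSuffix(user, "$") && known && home != ip {
			alerts = append(alerts, Alert{"machine-account-from-foreign-ip",
				fmt.Sprintf("%s authenticated from %s, expected %s", user, ip, home)})
		}
		if identities[ip] == nil {
			identities[ip] = map[string]bool{}
		}
		identities[ip][user] = true
	}
	ips := make([]string, 0, len(identities))
	for ip := range identities {
		ips = append(ips, ip)
	}
	sort.Strings(ips) // deterministic alert order
	for _, ip := range ips {
		if n := len(identities[ip]); n >= 2 {
			alerts = append(alerts, Alert{"multiple-identities-from-one-source",
				fmt.Sprintf("%s presented %d distinct accounts", ip, n)})
		}
	}
	return alerts
}

func main() {
	for _, a := range Detect(sampleLog, hostInventory) {
		fmt.Printf("[%s] %s\n", a.Rule, a.Detail)
	}
}
```

On the sample data the workstation 10.0.1.40 authenticating as its own account is quiet, while 10.0.9.77 trips both rules.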
How to Investigate Insider Threats (Forensic Methodology)
Lina Lau is back with her methodology for doing insider threat forensics.
The forensic investigation of a suspected insider follows a different approach in methodology than the classic methodology for investigating threat actors. The main difference between insider jobs and other jobs is the fact that clients usually want a timeline of both activity around the “malicious action” and also a timeline of “legitimate” activity leading up to, during and post the malicious actions to remove reasonable doubt that it was somebody else. During an insider job, artefacts that show system wake/hibernation, or artefacts proving a user opened something on their taskbar are just as important as the malicious activity itself depending on the client needs.
For these cases, analysts should *consider* creating TWO timelines depending on the client needs and the nature of the incident:
One timeline for malicious activity
One timeline capturing ALL relevant activity showing what the user was actively doing since being identified as an insider
DGA Detective - Hunt domains generated by Domain Generation Algorithms to identify malware traffic
Applied machine learning in action.
Domain generation algorithms (DGAs) are typically used by attackers to create fast changing domains for command & control channels. The DGA detective is able to tell whether a domain is created by such an algorithm or not by using a Temporal Convolutional Network.
How we proactively defend our environments.
Reducing Logging Cost by Two Orders of Magnitude using CLP
Jack (Yu) Luo and Devesh Agrawal show how, when you have Uber-scale data problems, this cost saving is material. Either way, allowing more log retention is always good, and this post does a wonderful job of showing what modern data engineering looks like.
We rely on making data-driven decisions at every level. For this, we have built a large-scale big data platform that runs over 250,000 Spark analytics jobs per day, where each job could consist of hundreds of thousands of executors, processing over a hundred petabytes of analytical data. In addition, the big data platform generates a large amount of log data, and the rapid growth of Uber’s business has led to furious growth of these logs. On a busy day, our Spark cluster alone can generate up to 200TB of logs (at the default INFO verbosity level).
BSI - Telemetrie Monitoring Framework
From the German Government with ❤️
The developed application (SAM) extends "Event Tracing for Windows" and enables detailed recordings of the system and application behaviour as well as the resource usage based on so-called recording profiles (Recording Profiles).
misp-to-sentinel: Azure function to insert MISP data in to Azure Sentinel
Erik Remmelzwaal and Wesley Neelen fork some Microsoft code and make it better to enrich Sentinel with MISP data.
This code can be used to create an Azure Function that writes threat intelligence from a MISP instance to Microsoft Sentinel.
ScubaGear: Automation to assess the state of your M365 tenant against CISA's baselines
From the US Government with ❤️
Developed by CISA, this assessment tool verifies that an M365 tenant’s configuration conforms to the policies described in the SCuBA Minimum Viable Secure Configuration Baseline documents.
paranoia: Inspect a container image's root CAs
Good defence in depth.
Paranoia is a tool to analyse and export trust bundles (e.g., "ca-certificates") from container images. These certificates identify the certificate authorities that your container trusts when establishing TLS connections. The design of TLS is that any certificate authority that your container trusts can issue a certificate for any domain. This means that a malicious or compromised certificate authority could issue a certificate to impersonate any other service, including your internal infrastructure.
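An added example (not paranoia's own code) of the check such a tool enables once the bundle is exported: audit a PEM trust bundle against an allow-list of SHA-256 fingerprints and flag anything else, including approved entries that are not CA certificates at all. The demo bundle is built from throwaway self-signed certificates generated inside the program, so the names and fingerprints are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Finding is one bundle entry that needs a human decision.
type Finding struct{ Subject, SHA256, Reason string }

// AuditBundle walks a PEM trust bundle (the single-file form that ca-certificates
// ships) and flags every entry that is not on the SHA-256 fingerprint allow-list
// or, although approved, is not a CA certificate at all.
func AuditBundle(bundle []byte, allowed map[string]bool) []Finding {
	var out []Finding
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			out = append(out, Finding{Reason: "unparseable: " + err.Error()})
			continue
		}
		f := Finding{Subject: cert.Subject.String(), SHA256: fmt.Sprintf("%x", sha256.Sum256(block.Bytes))}
		if !allowed[f.SHA256] {
			f.Reason = "not on allow-list"
		} else if !cert.IsCA {
			f.Reason = "not a CA certificate"
		} else {
			continue // approved CA: nothing to report
		}
		out = append(out, f)
	}
	return out
}

// selfSigned mints a throwaway self-signed certificate so the demo runs offline;
// these are constructed test certificates, not real roots.
func selfSigned(cn string, isCA bool) []byte {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		panic(err)
	}
	return der
}

// BuildDemo assembles a bundle holding an approved root, an unapproved root and an
// approved leaf (which should never sit in a trust store), plus the allow-list.
func BuildDemo() ([]byte, map[string]bool) {
	allowed := map[string]bool{}
	var bundle []byte
	for _, c := range []struct {
		cn            string
		isCA, approve bool
	}{{"Corp Internal Root", true, true}, {"Unexpected Vendor Root", true, false}, {"app.internal leaf", false, true}} {
		der := selfSigned(c.cn, c.isCA)
		if c.approve {
			allowed[fmt.Sprintf("%x", sha256.Sum256(der))] = true
		}
		bundle = append(bundle, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})...)
	}
	return bundle, allowed
}

func main() { fmt.Printf("%+v\n", AuditBundle(BuildDemo())) }
```

Pointing AuditBundle at the file a tool like paranoia exports from an image, with the allow-list built from your approved roots, gives the same two classes of finding.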
Introducing Antignis: A data driven tool to configure Windows host-based firewall
Rindert Kramer drops tooling to customise the Windows host-based firewall based on what the host actually does.
A tool that uses a data driven approach which allows for firewall rule-creation based on the context, configuration and usage of the host. This blogpost will first describe why the host-based firewall should be configured, then the methodology on how to configure the host-based firewall is outlined, and finally it will elaborate on where one can find Antignis and how this tool can be used to configure host-based firewalls efficiently.
WatchAD: AD Security Intrusion Detection System
From China (Government?) with ❤️
After collecting event logs and Kerberos traffic on all domain controllers, WatchAD can detect a variety of known or unknown threats through feature matching, Kerberos protocol analysis, historical behaviours, sensitive operations, honeypot accounts and so on. The WatchAD rules cover many common AD attacks.
The WatchAD has been running well on the Qihoo 360 intranet for more than six months and has found several threat activities.
RedEye is a visual analytic tool supporting Red & Blue Team operations
Executives like pictures, and this is the look to show how you pivoted through 52 hosts to read the CEO’s email.
RedEye is an open-source analytic tool developed by CISA and DOE’s Pacific Northwest National Laboratory to assist Red Teams with visualizing and reporting command and control activities. This tool, released in October 2022 on GitHub, allows an operator to assess and display complex data, evaluate mitigation strategies, and enable effective decision making in response to a Red Team assessment. The tool parses logs, such as those from Cobalt Strike, and presents the data in an easily digestible format. The users can then tag and add comments to activities displayed within the tool. The operators can use the RedEye’s presentation mode to present findings and workflow to stakeholders.
guac: Graph for Understanding Artifact Composition (GUAC)
SLSA and SBOM providing the data for this.
Graph for Understanding Artifact Composition (GUAC) aggregates software security metadata into a high fidelity graph database—normalizing entity identities and mapping standard relationships between them. Querying this graph can drive higher-level organizational outcomes such as audit, policy, risk management, and even developer assistance.
Our attack surface.
CVE-2022-42889: Keep Calm and Stop Saying "4Shell"
Erick Galinkin is calming everyone down - this isn’t Log4Shell - Don't Believe The Hype.
In summary, much like with Spring4Shell, there are significant caveats to practical exploitability for CVE-2022-42889. With that said, we still recommend patching any relevant impacted software according to your normal, hair-not-on-fire patch cycle.
2022-10 Security Bulletin: Junos OS: Multiple vulnerabilities in J-Web
Security products continue to be the gift which keeps on giving.
Multiple vulnerabilities have been found in the J-Web component of Juniper Networks Junos OS. One or more of these issues could lead to unauthorized local file access, cross-site scripting attacks, path injection and traversal, or local file inclusion.
A weak cipher used for checking file integrity was also reported, but had been resolved in earlier releases of Junos OS.
Attack capability, techniques and tradecraft.
WAM BAM - Recovering Web Tokens From Office
Adam Chester explains how the world works whilst also providing a recovery mechanism for long lived authentication tokens. Passwords?! Where we’re going we don’t need passwords!
Over the last few weeks, a trend of pulling Azure JWTs from memory has appeared, mostly due to a nice blog post by mr.d0x showing how dumping memory from Microsoft Office allows Red Teamers to recover authentication tokens for Azure and M365 services.
The question that has been on my mind however, was how are these tokens reloaded into Office each time it starts? After all, we obviously aren’t re-authenticating every time we open Word, so they have to be persisted somewhere right?
In this post I’ll go through two areas that I identified while reversing the authentication mechanism of Office, and provide some POC tools to help recover stored tokens without memory scraping.
NoRunPI: Run Your Payload (on Windows) Without Running Your Payload
Orca continues to drop the offensive Windows tradecraft that will complicate detection.
Since "SettingSyncHost.exe -Embedding" runs a thread on "SHCore.dll!Ordinal172+0x100", we can hijack the flow before this thread starts. To do that:
Load shcore.dll to calculate the thread's entry
Create "SettingSyncHost.exe -Embedding" Process
BruteForce the address calculated (stop when its valid)
suspend the process
inject the payload to the calculated address
resume the process
Artfuscator: A C compiler targeting an artistically pleasing nightmare for reverse engineers
When threat actors want to troll their favourite reverse engineer.
Wiresocks for easy proxied routing
Michael Kruger makes blue teams sob with this release.
I built some infrastructure that you could deploy and use to easily tunnel from arbitrary sources over a proxy such as SOCKS, using anything that can run WireGuard. This is convenient in cases where it would be nicer to have a full network route to a target network (with working DNS) vs just having application specific proxy rules.
What is being exploited.
CVE-2022-41352 (Zimbra 0-day): Ongoing exploitation
On October 7, 2022, a proof of concept for this vulnerability was added to the Metasploit framework, laying the groundwork for massive and global exploitation from even low-sophistication attackers.
CVE-2022-40684: FortiOS, FortiProxy, and FortiSwitchManager Authentication Bypass
Indicators of Compromise
Exploit in Metasploit
CVE-2022-39197: Cobalt Strike
Analysis of a Remote Code Execution (RCE) Vulnerability in Cobalt Strike 4.7.1
Rio Sherri outlines (in English - we already had some Chinese analysis) how to exploit this vulnerability.
The latest CS RCE (CVE-2022-39197) recurrence experience sharing
Further Chinese analysis and exploitation of this vulnerability.
Tooling and Techniques
Low level tooling for attack and defence researchers.
Extracting type information from Go binaries
Ivan Kwiatkowski shows how teams can work across competitive organisations to the betterment of all.
The script I use in my daily work has been included in SentinelOne’s recently released AlphaGoLang repository, as step 5 of the process. It performs the following actions:
Some other small (and not so small) bits and bobs which might be of interest.
Unconventional Cyber Warfare: Creating a Cyber Resistance in the Private Sector - from 2019 as part of a military degree
2022 Security Annual 4th Quarter Edition - Special issue on cybersecurity metrics
Hacking the Cloud With SAML - We’ve been discussing the vulnerabilities - here is the presentation.
RAND: Digital Infrastructure and Digital Presence - A Framework for Assessing the Impact on Future Military Competition and Conflict
Chinese surveillance ecosystem and the global spread of its tools - a values-led propagation to propagate their values.
How to assess and gain confidence in your supply chain cyber security - from the UK’s NCSC
A Model for the Creation of Biographical Dictionaries: This research builds on existing literature showing that users commonly use strategies to create passwords, and the aim is to propose a method for creating dictionaries that are grounded in theories of password construction.
That’s all folks, until next week.