Cyber Defence Analysis for Blue & Purple Teams

bluepurple.binaryfirefly.com

Bluepurple Pulse: week ending September 4th

No one wants to be Montenegro..

Ollie
Sep 1, 2022

Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading).

Operationally this week it has been about Montenegro: the US Embassy issued an alert, France sent ANSSI to help (très bon!) and Montenegro thanked them, and the FBI said it was supporting. A supposed Cuba ransomware group has publicly claimed responsibility, but technical details and independent validation are pending. What is clear is that there is material disruption to a country, and everyone is doing what they can to work out who and how.

In the high-level this week:

  • New Cybersecurity Regulations Are Coming. Here’s How to Prepare - from Harvard Business Review with a US focus, but global appreciation

    • “In the United States, a whole suite of new regulations and enforcement are in the offing: the Federal Trade Commission, Food and Drug Administration, Department of Transportation, Department of Energy, and Cybersecurity and Infrastructure Security Agency are all working on new rules. In addition, in 2021 alone, 36 states enacted new cybersecurity legislation.”

  • How U.S. Cyber Command, NSA are defending midterms elections - very high-level but shows how USG intends to deter if nothing else.

  • China’s emerging data protection framework - interesting and rapid (only 5 years) evolution of data protection in China. Almost as if data is the new oil, or at least an existential threat to national security if it gets into the wrong hands.

  • Russian Military Contractors and Their Wars Abroad - an opinion piece which outlines the risk that Russia may use cyber contractors as they have in kinetic warfare. The evidence base for cyber is information operations thus far.

  • Polish-Ukrainian cyber cooperation is developing - The Polish-Ukrainian cooperation planned for the near future will include ongoing, daily exchange of information and experiences (the so-called lesson learnt), the creation of a Cyber ​​Roadmap and joint exercises, trainings and study visits.

  • Getting Bored of Cyberwar: Exploring the Role of the Cybercrime Underground in the Russia-Ukraine Conflict - interesting paper which concludes that whilst there was initial interest and support it waned quickly.

  • Kurt Sanger on Using Laws and Norms to Govern Cyber Conflict - I first came across Kurt when he was in the DoD and was very impressed - he provides a good summary of why cyber and international law is ‘complicated’ and why it is norms rather than laws that govern internationally today.

  • Insurers must rethink handling of cyber attacks on states - FT article based around the Lloyds guidance we covered previously - nothing really new, but I felt compelled to include because it was the Financial Times.

  • Singapore Cyber Landscape 2021 (published August 2022) - the call out is that they recognise the need for ‘Securing Our Digital Assets in the Metaverse’ - generational leap in progress..

    • Related the FBI this week issued an alert titled Cyber Criminals Increasingly Exploit Vulnerabilities in Decentralized Finance Platforms to Obtain Cryptocurrency,

    • Related in the US a report to Congress has also just been published titled ‘The Metaverse: Concepts and Issues for Congress’.

    • Related the report titled NFTs and Financial Crime - Money Laundering, Market Manipulation, Scams & Sanctions Risks in Non-Fungible Tokens was released.

  • Baidu Announces the Release of "Dry Start" Superconducting Quantum Computer that Provides "Out-of-the-Box" Quantum Services - "Dry Start" is a machine translation of the machine's name, Qian Shi - “According to reports, Baidu Quantum has solved the three major problems of automatic chip layout design, cross-quantum computing system cloud platform construction and algorithm innovation” - 10-qubit; by comparison IBM has 127 qubits (Nov 2021) - so an order of magnitude out, but sovereign quantum computing in China is a thing.

  • Max Smeets on Why States Struggle to Develop a Military Cyber-Force - “they discussed the barriers of entry for states to participate in cyber conflict, how we should go about thinking about military cyber capacity, and how external actors can influence a state’s cyber capability development process” - I suspect some countries will listen to this for tips.

  • Revealing Europe’s NSO - Italian company using telecommunications signalling infrastructure of small states to support its offensive operations.

  • The Committee to Protect Journalists and others are urging the United States government to hold NSO Group accountable for providing Pegasus spyware to governments that have used the tool to secretly surveil journalists around the world - legal wrangles continue..

  • CISA added 10 vulns on August 25th to its Known Exploited Vulnerabilities catalogue - tick tock goes the clock for federal departments.

  • Principles for the security of machine learning from the UK's National Cyber Security Centre were released along with an accompanying blog - the UK’s NCSC has pioneered principles-based assurance when it comes to cyber and it is one of various things that makes me terribly proud of them..

In job land there are some interesting roles doing the rounds which show clear intention by US government and think tanks alike.

  • Director (Cyber Policy & Programs) in the Office of the National Cyber Director in the White House (not me).

  • Director, Supply Chain & Technology Security in the Office of the National Cyber Director in the White House

  • Senior Fellow for Cyber Power and Future Conflict in Singapore at the International Institute for Strategic Studies

Reflections this week are on the increasing quality and volume of releases which challenge what is known in the public domain around cyber attack and defence. As I was pulling together this week’s summary the ‘oh wow!’ factor on both sides felt material, and I only manage to scrape the surface each week. These innovations often come from people either on their own or in two/three person teams. This is kind of exciting, but also kind of challenging when you think about how we make a material difference in this game of 4D chess as we look to protect what we hold dear.

Finally - China’s Ministry of Foreign Affairs dismissed the credibility of a couple of western cyber intel companies, calling them ‘the white glove’ of the US Government, after they outed its operations related to Australia/South China Sea (see reporting below). I didn’t have this on my bingo card for a Wednesday in late August.

@MFA_China (Spokesperson发言人办公室), 10:45 AM, Aug 31, 2022: “The foreign ministry refutes ‘China-backed cyber attacks’ accusations.”


Have a lovely Thursday,

Ollie

Cyber threat intelligence

Who is doing what to whom and how.

Rising Tide: Chasing the Currents of Espionage in the South China Sea

Michael Raggi and Sveva Scenarelli team up to out this Chinese campaign against Australia and wider offshore energy. Initial access tradecraft is still rather basic..

  • Recent targeted phishing campaigns that use URLs impersonating Australian media entities to deliver the ScanBox reconnaissance framework;  

  • How this custom ScanBox script and related modules work;  

  • How this campaign correlates to threat activity dating back to June 2021 which leveraged RTF template injection;  

  • The history of the ScanBox framework; and,  

  • The targeting focus of TA423/Red Ladon on domestic Australian organisations, as well as entities involved with offshore energy exploration in the South China Sea.  

https://www.proofpoint.com/us/blog/threat-insight/chasing-currents-espionage-south-china-sea

A technical analysis of Pegasus for Android

The first part of this analysis, which highlights that there are very many detection opportunities here without needing a rooted device. One can’t imagine that NSO will address them all given their depressed revenues.

https://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1/

The Kimsuky (Koni) group attacks the Russian Ministry of Foreign Affairs!

South Korean reporting on North Korea targeting its friend. Interesting when you consider there was reporting this week North Korea special forces may support Russia in Ukraine.

An attack by the Kimsuky group targeting the Russian Ministry of Foreign Affairs has been captured. 

The attack was carried out via email, and the Kimsuky group is believed to have attempted further attacks on the Russian Consulate General in Japan using the account of the Russian Consulate General in Shenyang, which was seized through a preemptive attack.

https://blog-alyac-co-kr.translate.goog/4892?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp

Examining Less-Common WordPress Credit Card Skimmers

Ben Martin provides some good data on the content management systems targeted by some of the smaller players in this part of the criminal eco-system, along with good technical insight and trend analysis..

With credit card skimming malware trending upwards in recent years (particularly in WordPress environments) it’s more crucial than ever for eCommerce website administrators to treat security as a high priority.

A graph showing the distribution of CMS platforms affected by credit card skimming malware for the first two quarters of 2022.

https://blog.sucuri.net/2022/08/examining-less-common-wordpress-credit-card-skimmers.html

Crypto Miner malware disguised as Google translate desktop

Moshe Marelus shows that organised cyber crime doesn’t just operate from Russia, South America and bits of Asia. Indeed Europe itself..

  • [We] detected a Turkish based crypto miner malware campaign, dubbed ‘Nitrokod’, which infected machines across 11 countries

  • The malware is dropped from popular software available on dozens of free software websites

  • The malware distributers separate malicious activity from the downloaded fake software to avoid detection

https://research.checkpoint.com/2022/check-point-research-detects-crypto-miner-malware-disguised-as-google-translate-desktop-and-other-legitimate-applications/

Appleseed v2.1 running in JavaScript

Korean reporting on the evolution of a North Korean implant. Small amount of technical evolution is all.

Recently, attacks attempting to infect Appleseed malware through JavaScript disguised as normal documents have been steadily discovered, and in the course of tracking them, we have identified Appleseed malware with some feature changes.

https://stic.secui.com/main/main/threatInfo?id=69

Korean document disguised as profile form (OLE object)

More North Korean activity, this time targeting Hangul (HWP) documents, the domestic Korean office format rather than Microsoft Office. Activity is noisy on disk and thus easy to detect in telemetry.

The OLE object is inserted inside the checked Hangul file, and the files are created in the %TEMP% folder when the Hangul document is executed.

https://asec-ahnlab-com.translate.goog/ko/38216/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp

APT-C-08 (Manlinghua) latest remote control component wmRAT

Chinese reporting on an APT organization with a government background in South Asia. Initial access tradecraft is as with any other week - malicious documents delivered by phishing.

In recent years it has been carrying out APT attacks on neighbouring countries in South Asia, with targets including enterprises and extending as far as China.

Malicious document files (such as Equation Editor vulnerability documents, CHM documents, macro files, etc.) are used as the attack entry point to lure users into opening and executing them, which creates a scheduled task that periodically calls software such as msiexec.exe or curl.exe to download subsequent attack components.

https://mp-weixin-qq-com.translate.goog/s/IZNl6N2K1LUU7e1hT4JeYw?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp

Venom Control–RAT With a Sting

Shmuel Gihon discusses a vendor of capability that strays into the criminal sphere whilst trying to look legitimate. My prediction is that this blurring will only increase as criminals try to legitimise themselves.

Over the past year, an allegedly legitimate software company named Venom Control Software emerged, offering a Remote-Access-Tool (RAT) for “hackers and pen-testers”. When observing its product, the payment methods, and other services, one can wonder if the platform’s clients are mainly hackers rather than pen-testers.

https://cyberint.com/blog/research/venom-control-rat-with-a-sting/

ModernLoader delivers multiple stealers, cryptominers and RATs

Vanja Svajcer shows that the front end of the cyber crime delivery market is doing roaring business. The attribution challenge due to tradecraft and tooling crossover is likely to become more profound as it all blurs into one hot mess.

  • [We] recently observed three separate, but related, campaigns between March and June 2022 delivering a variety of threats, including the ModernLoader bot, RedLine information-stealer and cryptocurrency-mining malware to victims.

  • The actors use PowerShell, .NET assemblies, and HTA and VBS files to spread across a targeted network, eventually dropping other pieces of malware, such as the SystemBC trojan and DCRAT, to enable various stages of their operations. The attackers' use of a variety of off-the-shelf tools makes it difficult to attribute this activity to a specific adversary.

  • The final payload appears to be ModernLoader, which acts as a remote access trojan (RAT) by collecting system information and deploying various modules. In the earlier campaigns from March, we also observed the attackers delivering the cryptocurrency mining malware XMRig. The March campaigns appeared to be targeting Eastern European users, as the constructor utility we analyzed had predefined script templates written in Bulgarian, Polish, Hungarian and Russian.

  • The actors are attempting to compromise vulnerable web applications to serve malware and deliver threats via files masquerading as fake Amazon gift cards.

http://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html

PureCrypter Loader

Reporting from China on something similar showing the eco-system is rich and diverse. Doesn’t feel like we can stuff the genie back in this bottle.

  • PureCrypter is a loader written in C# that has been around since at least March 2021 and can spread any other family.

  • PureCrypter has continued to be active this year, and has spread more than 10 malicious families including Formbook, SnakeKeylogger, AgentTesla, Redline, AsyncRAT, and more.

  • The authors of PureCrypter have more promotion resources, and we have detected hundreds of C2 domain names and IPs.

  • PureCrypter authors like to use image name suffixes combined with inversion, compression and encryption to avoid network detection.

  • The promotion chain of PureCrypter is generally long, and most of them will use the pre-protector, even with other loaders, which is difficult to detect.


https://blog-netlab-360-com.translate.goog/purecrypter/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp

Gwisin ransomware in Korea

Reporting from Korea on activity in Korea, replicating what we have seen elsewhere. The things of note are the time from flash to bang, and that it has a whiff of regional involvement. Place your bets on whether it is domestic criminals or North Korea.

It is presumed that a Korean-speaking organisation, or a hacker well versed in domestic affairs, may have participated.

The hackers behind the Gwisin ransomware have become more vicious in their methods, threatening the victim (individual or company) on three levels. There are three tiers of monetary demand: Tier 1 (data decryption), Tier 2 (no external sale of the leaked data) and Tier 3 (provision of a security vulnerability analysis report); if the victim does not comply with negotiation, the data is leaked.

[They have been] targeting a number of unspecified domestic companies, such as Korean medical institutions, pharmaceutical companies and financial institutions, since 2021. The time before ransomware deployment was found to be 21 days on average, shorter than the period of earlier APT attacks (67 days).

https://www.skshieldus.com/download/files/download.do?o_fname=%EA%B7%80%EC%8B%A0(Gwisin)%20%EB%9E%9C%EC%84%AC%EC%9B%A8%EC%96%B4%20%EA%B3%B5%EA%B2%A9%20%EC%A0%84%EB%9E%B5%20%EB%B6%84%EC%84%9D%20%EB%A6%AC%ED%8F%AC%ED%8A%B8.pdf&r_fname=20220824150111854.pdf

Looking Into the Void: Probing a Top Bulletproof Hosting Service

A high-level look at the Infrastructure as a Service end of cyber crime. Some useful high-level insights only in this reporting.

Our investigation into one specific bulletproof hosting provider, which we track as Void Griffon, shows the exact services available, and how bulletproof hosting businesses support long-running cybercriminal operations.

Void Griffon is a malicious actor group that we have been aware of since 2006. The group has had different aliases over the years and has advertised a slew of services in underground forums. It first offered its fast-flux bulletproof hosting service in 2015, and its business has since flourished. We have found that Void Griffon has been used by different APT groups and has also hosted many prominent malware families.

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/looking-into-the-void-probing-a-top-bulletproof-hosting-service

Timeline & TTPs of the TeamTNT cybercrime group

https://cloudsek.com/threatintelligence/timeline-ttps-of-teamtnt-cybercrime-group/

Discovery

How we find and understand the latent compromises within our environments.

RPC Backdoor

Elad Shamir releases a little harness to facilitate detection engineering.

A basic emulation of an "RPC Backdoor" on Windows to facilitate detection engineering

https://github.com/eladshamir/RPC-Backdoor

Defence

How we proactively defend our environments.

Better Security Metrics for Security Operations, Cyber Threat Intel, Threat Hunting and Incident Response

Jake Williams’s suggestions on how you measure performance and efficacy across various Blueteam operations.

https://github.com/malwarejake-public/conference-presentations/blob/main/Metrics%20-%202022%20BlueTeamCon%20-%20MalwareJake.pdf

Going Atomic

Alfie Champion’s talk on The Strengths and Weaknesses of a Technique-centric Purple Teaming Approach. He makes a compelling case to go atomic as opposed to scenario based.

https://ajpc500.github.io/talks/Blue-Team-Con-Going-Atomic/

The Defender’s Guide to Budgetless Endpoint Hardening

Matt Coons shows how one can do some relatively basic hardening activity to disrupt some very common threats. We often think of hardening as locking things down, whereas this is more around subtle configuration changes which break attack chains.

https://docs.google.com/presentation/d/1eXCSejG3xGdrhv4e5Vgm_YTZ26nXN8WV0EYKqujWFiM/edit?usp=drivesdk

Protecting Application and Service Principal Permissions in Azure AD

Eric Hall shows once more the complexity of cloud attack surface management and takes us down the service principal permission rabbit hole. Given these techniques have been used in the real world by numerous actors, it is worth reading if you run an Azure estate.

https://github.com/erhallMSFT/Presentations/blob/main/BlueTeamCon2022.pptx?raw=true

Improving the security postures of macOS and Linux with Azure AD

Michael Epping and Mark Morowczynski pretend this isn’t a sales pitch for Azure AD. Joking aside, they outline the various benefits but also the practical ‘how’ of getting these platforms enrolled so we have a single source of identity.

https://github.com/MarkMorow/presentations/blob/main/Blue%20Team%20Con%202022%20-%20Improving%20the%20security%20posture%20of%20macOS%20and%20Linux%20with%20Azure%20AD.pptx?raw=true

macOS now scans for malware whenever it gets a chance

A good technical overview of the changes that Apple have made and also the frequency that the various activity runs.

In the last six months macOS malware protection has changed more than it did over the previous seven years. It has now gone fully pre-emptive, as active as many commercial anti-malware products, provided that your Mac is running Catalina or later. This article updates those I’ve previously written about Apple’s new tool in the war against malware, XProtect Remediator.

https://eclecticlight.co/2022/08/30/macos-now-scans-for-malware-whenever-it-gets-a-chance/

New UEFI CA memory mitigation requirements for signing

Microsoft is tightening up the requirements for UEFI binaries signed by its third-party CA. Interesting that they are mitigating the RWX element; guessing certain actors have been leveraging these.

Starting November 30th, 2022 the memory mitigations described will be required for all applications to be signed by the Microsoft third-party Unified Extensible Firmware Interface (UEFI) Certificate Authority (CA).

PE-COFF metadata  

  1. Section Alignment of the submitted PE file must be aligned with page size. This must be 4 KB, or a larger power of 2 (e.g. 64 KB)

  2. Section Flags must not combine IMAGE_SCN_MEM_WRITE and IMAGE_SCN_MEM_EXECUTE for any given section. 
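As an added example (not code from Microsoft's post), a small Python checker for the two PE-COFF requirements quoted above: it parses the section table of a PE image and reports a SectionAlignment that is below 4 KB or not a power of two, and any section whose characteristics combine IMAGE_SCN_MEM_WRITE and IMAGE_SCN_MEM_EXECUTE. The constants are the PE/COFF specification's; the build_pe helper constructs a minimal, non-loadable PE32+ header purely as sample input so the check runs offline.

```python
"""Check a PE image against the UEFI CA page-alignment and no-RWX-section requirements.

Added example; the PE header offsets and flag values are from the PE/COFF specification.
"""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
PAGE_SIZE = 0x1000


def parse_sections(pe: bytes):
    """Return (SectionAlignment, [(section name, characteristics), ...]) from a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, num_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    # SectionAlignment sits at offset 32 of the optional header for both PE32 and PE32+
    section_alignment = struct.unpack_from("<I", pe, opt + 32)[0]
    table = opt + opt_size
    sections = []
    for i in range(num_sections):
        # IMAGE_SECTION_HEADER is 40 bytes; Characteristics is the last DWORD
        name, *_, chars = struct.unpack_from("<8sIIIIIIHHI", pe, table + i * 40)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), chars))
    return section_alignment, sections


def check_uefi_ca_requirements(pe: bytes):
    """Return a list of findings; an empty list means both requirements are met."""
    align, sections = parse_sections(pe)
    findings = []
    # Requirement 1: SectionAlignment must be 4 KB or a larger power of two
    if align < PAGE_SIZE or align & (align - 1):
        findings.append(f"SectionAlignment 0x{align:x} is not 4 KB or a larger power of two")
    # Requirement 2: no section may be both writable and executable
    for name, chars in sections:
        if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"section {name} is RWX (Characteristics 0x{chars:08x})")
    return findings


def check_file(path: str):
    """Convenience wrapper for a real binary on disk (e.g. a shim or option ROM)."""
    with open(path, "rb") as f:
        return check_uefi_ca_requirements(f.read())


def build_pe(section_alignment: int, sections):
    """Construct a minimal PE32+ header (constructed sample input, not a loadable image)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew -> PE signature right after DOS header
    opt = bytearray(240)                              # PE32+ optional header size
    struct.pack_into("<H", opt, 0, 0x20B)             # Magic: PE32+
    struct.pack_into("<I", opt, 32, section_alignment)
    struct.pack_into("<I", opt, 36, 0x200)            # FileAlignment
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(opt), 0x22)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                    0x1000, 0x1000 * (i + 1), 0, 0, 0, 0, 0, 0, chars)
        for i, (name, chars) in enumerate(sections)
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    sample = build_pe(0x200, [(".text", IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_READ)])
    for finding in check_uefi_ca_requirements(sample) or ["OK"]:
        print(finding)
```

Run check_file against the binary before submitting it for signing; a non-empty list is exactly what the CA will reject from November 30th.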

https://techcommunity.microsoft.com/t5/hardware-dev-center/new-uefi-ca-memory-mitigation-requirements-for-signing/ba-p/3608714

Use MacBook’s Touch ID as a Security Key for GitHub

Steve Martinelli provides a nice guide on how to kill passwords for your developers. Personally I think FIDO should be up for a Nobel prize of some sort for the world of good it will do for security.

Password authentication with GitHub is dead. I’ve had my account configured with 2FA for years now. Proudly using Google Authenticator and a SMS fallback number. But finding and unlocking my phone is such a first-world problem. Today, someone told me that you can configure your Mac’s Touch ID as a FIDO U2F Security Key. I had no idea! I immediately had to try it out. It was so easy to set up and use.

https://www.stevemar.net/touch-id-as-a-security-key/

Enabling AD FS Security Auditing and Shipping Event Logs to Microsoft Sentinel

Roberto Rodriguez provides the detection guide following the recent reporting of AD FS misuse by Russia.

I will show you how to enable AD FS security auditing (based on Microsoft documentation) and how to collect and ship AD FS event logs to a Microsoft Sentinel instance.

https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/enabling-ad-fs-security-auditing-and-shipping-event-logs-to/ba-p/3610464

Vulnerability

Our attack surface.

Xalan-J: integer truncation in XSLTC

Felix Wilhelm shows that SAML signature verification is an attack surface here, which is fascinating. I love this vulnerability for so many reasons, i.e. arbitrary Java bytecode execution because of a weird machine present in this library. More generally this specific vulnerability is going to be present in numerous other products and exploitable via other attack surfaces. Whilst not exploitable at Log4Shell scale, the impact is no less; the scale is to be determined.

Interestingly Apache has deprecated the library, so won’t be patching it.

The Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the XSLTC compiler and execute arbitrary Java bytecode.

https://bugs.chromium.org/p/project-zero/issues/detail?id=2290

IKE Extension CVE-2022-21849

Some flex from Korea in this analysis of a vulnerability patched in January 2022, showing exploitation likelihood is low; includes a proof-of-concept trigger. This work is useful because it provides the evidence base for exploitability.

https://blog.78researchlab.com/53e53729-d728-4635-a58d-08ad8a1f68e4

Tetsuji: Remote Code Execution on a GameBoy Colour 22 Years Later

Harvey Phillips discloses a critical vulnerability that will shake the very fabric of society. Not really, but the quality of the research on a deprecated platform is world class. Shows how vulnerable we were back in the day and we didn’t know it. Fast forward a decade and what would the similar reflection be on 2022 and our level of vulnerability?

https://xcellerator.github.io/posts/tetsuji/

Offense

Attack capability, techniques and tradecraft.

AppLocker Rules as Defense Evasion

Real world malicious use of AppLocker to disable security products. It is almost as if our adversaries have capability.

Software restriction policy may be abused by adversaries, like the “Azorult loader,” a payload that imports its own AppLocker policy to deny the execution of several antivirus components as part of its defense evasion.

https://www.splunk.com/en_us/blog/security/-applocker-rules-as-defense-evasion-complete-analysis.html

Sleeping With Control Flow Guard

Brian Chamberlain shows how to disable CFG. However this technique is sufficiently noisy that it will be detectable via process properties.

Disabling CFG allows an attacker to use sleep obfuscation techniques to evade detection.

https://icebreaker.team/blogs/sleeping-with-control-flow-guard/

Blasting Event-Driven Cornucopia - WMI Edition

New research which outlines a technique which reduces WMI coverage along with looking to verify the integrity of WMI.

We turned our attention to WMI, another highly leveraged Windows infrastructure by various tools and endpoint security solutions, and showcased different attack vectors to disable WMI, mostly leveraging the one-bit change method from user mode.

WMICheck is a freeware tool developed to detect attacks on WMI data by reading and parsing WMI internal objects from a running system’s memory. WMICheck can scan the memory of a specified process or the whole system memory for WMI artifacts.

https://binarly.io/posts/Black_Hat_2022_Blasting_Event_Driven_Cornucopia_WMI_edition/index.html

Shlyuz Implant Framework

Inspired by CIA design and shared with the world by Jonathan Echavarria

  • Part 1: https://und3rf10w.github.io/posts/2022/01/08/shlyuz-1-influences.html

  • Part 2: https://und3rf10w.github.io/posts/2022/01/19/shlyuz-2-CommsAndCrypto.html

  • Part 3: https://und3rf10w.github.io/posts/2022/08/21/shlyuz-3.html

knockles: eBPF Port Knocking Tool

We can expect this to be borrowed by actors. We know certain threat actors already leverage such techniques in their implants.

Knockles 🦔, is a port knocking tool based on eBPF 🐝. It allows you to remotely open a TCP connection while being completely invisible to port scanners.

  • A single SYN request is sent on an opened || closed port 📨 📫

  • It carries an OTP for authentication so you can be the only one to open a port 🔐

  • Once authenticated, a random (HMAC based) port is opened for a TCP connection 🎲

  • Then, the port is closed as soon as a connection has been established 🚪
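The knock-and-open exchange described in the bullets above, modelled in Python as an added example. This is not knockles' own code (knockles does this in eBPF, and how it encodes the OTP into the SYN is not described here); it assumes an RFC 4226 HOTP/TOTP code as the OTP, treats the OTP as an opaque integer the server receives from the SYN, and derives the port to open from an HMAC over the accepted OTP. The one-shot set of accepted codes is an added replay check, not something the bullets state.

```python
"""Port-knock exchange: client sends an OTP in a single SYN, server verifies it, derives an
HMAC-based port, opens it for one connection and closes it again. Added example; HOTP/TOTP
and the port derivation are assumptions about how such a tool could work, not knockles' code."""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> int:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return code % (10 ** digits)


def totp(secret: bytes, now: float) -> int:
    """Time-based variant: the counter is the current 30-second step."""
    return hotp(secret, int(now // STEP_SECONDS))


def derive_port(secret: bytes, otp: int, lo: int = 1024, hi: int = 65535) -> int:
    """Both sides compute the same unpredictable port from the shared secret and the OTP."""
    mac = hmac.new(secret, str(otp).encode(), hashlib.sha256).digest()
    return lo + int.from_bytes(mac[:4], "big") % (hi - lo + 1)


def knock(secret: bytes, now: float):
    """Client side: the OTP to put in the SYN and the port the client will then connect to."""
    otp = totp(secret, now)
    return otp, derive_port(secret, otp)


class KnockServer:
    """Server side state machine: SYN with OTP -> port opened -> one connection -> port closed."""

    def __init__(self, secret: bytes, now_fn=time.time, window: int = 1):
        self.secret = secret
        self.now_fn = now_fn          # injectable clock so the exchange can be tested offline
        self.window = window          # accept +/- this many 30-second steps of clock skew
        self.open_port = None
        self.accepted = set()         # (step, otp) pairs already used: a replayed SYN gets nothing

    def handle_syn(self, otp: int):
        """Process a knock; returns the port that was opened, or None if the OTP is rejected."""
        step = int(self.now_fn() // STEP_SECONDS)
        for candidate in range(step - self.window, step + self.window + 1):
            expected = f"{hotp(self.secret, candidate):06d}"
            if hmac.compare_digest(expected, f"{otp:06d}") and (candidate, otp) not in self.accepted:
                self.accepted.add((candidate, otp))
                self.open_port = derive_port(self.secret, otp)
                return self.open_port
        return None

    def handle_connect(self, port: int) -> bool:
        """A TCP connection arrived on `port`; accept only the knocked port, then close it."""
        if port == self.open_port:
            self.open_port = None     # single use: the port closes once a connection is established
            return True
        return False


if __name__ == "__main__":
    shared = b"constructed-shared-secret"     # constructed sample secret
    server = KnockServer(shared)
    code, port = knock(shared, time.time())
    print("knock", code, "->", server.handle_syn(code), "connect ok:", server.handle_connect(port))
```

For a defender the point is the opposite of the client's: nothing in this exchange is visible to a port scan, so hunting for it means looking for the eBPF program and map loaded on the host, or for single unanswered SYNs followed by a successful connection to a high port that was closed moments before.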

https://github.com/eeriedusk/knockles

Bypassing AppLocker by abusing HashInfo

Ian shows how to practically implement Grzegorz Tworek’s attack. This is going to be a real pain if leveraged in the wild.

https://shells.systems/post-bypassing-applocker-by-abusing-hashinfo/

Suborner: The Invisible Account Forger for Windows

Sebastián Castro creates a massive headache for anyone in the compliance department. Just wait till auditors learn this is possible and then ask for evidence it hasn’t happened in your estate.

A simple program to create a Windows account you will only know about :)

  • Create invisible local accounts without net user or Windows OS user management applications (e.g. netapi32::netuseradd)

  • Works on all Windows NT Machines (Windows XP to 11, Windows Server 2003 to 2022)

  • Impersonate through RID Hijacking any existing account (enabled or disabled) after a successful authentication

Create an invisible machine account with administrative privileges, and without invoking that annoying Windows Event Logger to report its creation!

https://github.com/r4wd3r/Suborner

Dirty Cred

Zhenpeng Lin shows once more that exploitation through data alone is possible without the need for arbitrary code execution. This is one area that is under-researched in terms of detecting such opportunities at scale.

DirtyCred is a [Linux] kernel exploitation concept that swaps unprivileged kernel credentials with privileged ones to escalate privilege. Instead of overwriting any critical data fields on kernel heap, DirtyCred abuses the heap memory reuse mechanism to get privileged.

https://github.com/Markakd/DirtyCred

Bypassing Intel CET with Counterfeit Objects

Matteo Malvica shows that Intel Control-flow Enforcement Technology isn’t a panacea.

At first, the advent of CET painted a bleak future for exploit developers and their reliance on ROP-based techniques. However, in 2015, a new code-reuse technique named Counterfeit Object-Oriented Programming (COOP) was formulated in a paper which seemed quite promising in defeating Control-Flow Integrity (CFI) defenses.

In this blog, we’ll briefly cover how CFI mitigations works, including CET, and how we can leverage COOP to effectively bypass Intel CET on the latest Windows releases.

https://www.offensive-security.com/offsec/bypassing-intel-cet-with-counterfeit-objects/

Related I also enjoyed this post by Tim Misiak this week titled Debugger Lies: Stack Corruption showing how CET can be used to help detect memory corruption and aid debugging.

https://www.timdbg.com/posts/debugger-lies-part-1/

This then got me to here:

@ollieatnccgroup (Ollie Whitehouse), 6:38 PM, Aug 29, 2022: “Intel's CET shadow stack is going to cause implant writers to work harder - should put to bed sleeping thread call stack manipulation/ROP techniques: intel.com/content/www/us… edc.intel.com/content/www/us… Although bypasses with Counterfeit Objects look neat:” (linking the Offensive Security post above)

Warbird Hook

Interesting that in 2022 there are still opportunities to subvert PatchGuard. Great work here.

On Windows 10 21H2, ntoskrnl.exe contains a table of pointers named g_kernelCallbacks used for licensing checks (called from nt!SPCall2ServerInternal). The callback table contains pointers to functions in an image named ClipSp.sys, which is a signed driver protected by Microsoft Warbird.

The interesting thing about it is that PatchGuard does not verify the integrity of several image sections, including PAGEwx, which the driver contains in order to decrypt and re-encrypt its own code during runtime.

Thanks to this, we can do the following things:

  • Redirect function pointers in g_kernelCallbacks to our own code

  • Inject our own shellcode into PAGEwx sections and encrypt it so that Warbird will automatically decrypt and execute our shellcode without hijacking any pointers

https://github.com/KiFilterFiberContext/warbird-hook

Hunt for the gMSA secrets

Shared credentials do exist in Windows. Dr. Nestori Syynimaa shows how to hunt for their secrets.

Group Managed Service Accounts (gMSA’s) can be used to run Windows services over multiple servers within the Windows domain.

Since the launch of Windows Server 2012 R2, gMSA has been the recommended service account option for AD FS. As abusing AD FS is one of my favourite hobbies, I wanted to learn how gMSAs work.

https://o365blog.com/post/gmsa/

Techniques from malware brought forward to challenge EDR

Rad Kawar summarises in this presentation various bits of Windows tradecraft of his that we have covered in previous weeks. Inspired by malware and built upon to create some real headaches for endpoint detection & response solutions.

https://github.com/rad9800/talks/blob/main/MALWARE_MADNESS.pdf

Bootkitting Windows Sandbox

Duncan Ogilvie and Miles Goodings double team to show how to get persistence within the Windows Sandbox.

https://secret.club/2022/08/29/bootkitting-windows-sandbox.html

https://github.com/thesecretclub/SandboxBootkit

Exploitation

What is being exploited.

Nothing this week of note, but if you have any insight as to CISA’s methodology / evidence bar for including vulnerabilities in its Known Exploited catalogue I would love to know.

Tooling and Techniques

Low level tooling for attack and defence researchers.

Snaking Ghidra with Python 3 Scripting

Mike Hunhoff removes one more edge IDA had over Ghidra.

Ghidrathon is a Ghidra extension that adds Python 3 scripting capabilities that tightly integrate with the user interface. Today, Ghidra ships with a Python 2 extension system based on Jython; however, there’s not an easy way to run Python 3. With Ghidrathon, you can use modern Python, like version 3.10, with the existing extension system! In this post you will learn what Ghidrathon offers, how it works, and why you should start using Python 3 scripting in Ghidra today.

https://www.mandiant.com/resources/blog/ghidrathon-snaking-ghidra-python-3-scripting

GarbageMan

A set of tools for analysing .NET binaries through heap analysis, by Jarkko Turkulainen.

https://labs.withsecure.com/tools/garbageman/

Footnotes

Some other small (and not so small) bits and bobs which might be of interest.

  • x33fcon Europe 2022 presentation videos - some good talks..

  • Developing an Intelligence-Driven Threat Hunting Methodology - great work here by Joe Slowik, I have a lot of time for him and everything he produces. Just oozes quality.

  • Journey to the NIST Cybersecurity Framework (CSF) 2.0 - NIST has begun the process to update the NIST Cybersecurity Framework to keep pace with the evolving cybersecurity landscape

  • The 5×5—The US-Japan-South Korea trilateral cybersecurity relationship - from the Atlantic Council

  • Restraining Russian Ransomware - from the Foreign Policy Research Institute, a nonpartisan Philadelphia-based think tank dedicated to strengthening U.S. national security and improving American foreign policy.

  • Crafting a democratic and responsible cyber power? - Workshop Report, August 2022 by Andrew C. Dwyer from Offensive Cyber Working Group

    • Participants identified responsible behaviour for cyber power across the workshop, and most discussions within groups tried to balance competing priorities for states.

    • Democratic cyber power was referred to in limited instances, with workshop participants often talking about better governance models that do not necessarily equate to democratic processes.

    • Based on the workshop, further research may wish to engage with how responsibility may interlock with democratic processes, but not be equivalent with the latter.

  • The Accountability of Software Developers for War Crimes Involving Autonomous Weapons: The Role of the Joint Criminal Enterprise Doctrine - from autumn 2021 - read it and then see if you can apply it to offensive cyber software developers in the commercial sector - answers on a postcard please.

  • Cyber Warfare and International Humanitarian Law - more legal interpretations

  • Will AI Make Cyber Swords or Shields? - no, but it might make better phishing e-mails is the conclusion in the paper from Georgetown CSET.

  • How Education Level Influences Internet Security Knowledge, Behaviour, and Attitude: A Comparison among Undergraduates, Postgraduates and Working Graduates - research from China - some improvement but so/so really, but interesting.

  • Redress for dark patterns privacy harms? A case study on consent interactions - good sociotechnical work.

  • Defending in a hostile environment: Key findings from the BlackHat NOC - When someone turns up to Blackhat with a North Korean implant installed you know we are winning.

  • Towards a Tectonic Traffic Shift? Investigating Apple’s New Relay Network - great research here.

  • GCHQ seeks to increase number of female coders to tackle threats - through offering nano degrees.

  • The Hague Program on International Cyber Security conference on International Cyber Security | 8-9 November 2022 - tickets are available.

The question discussed in the below video is “Has the militarisation of cyberspace created a need for a Digital Geneva Convention to regulate cyber warfare?” Dr Kubo Mačák, Legal Adviser for the International Committee of the Red Cross answers - I won’t spoil it.

Finally from Dave Aitel another episode of when experienced cyber people take on policy and international relations with exquisite logic.

That’s all folks.. until next week..

© 2023 Ollie Whitehouse from BinaryFirefly