Cyber Defence Analysis for Blue & Purple Teams

Bluepurple Pulse: week ending September 10th
Sweden has a Psychological Defence Agency...

Ollie
Sep 9, 2023
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.

Operationally this week you will see that some of the exploitation on show is rather sophisticated (and not in the "we have been hacked by a sophisticated threat actor" sense). Outside of that it is business as usual, although the defensive tradecraft on show in some places is great.

In the high-level this week:

  • KBS (South Korea's public broadcaster) segment on cyber and North Korean activity - you can use the auto-translated closed captions to follow it.

  • UK sanctions members of Russian cybercrime gang - love that we (the UK) have started, alongside the US, to financially sanction cyber actors.

  • Japan imposes financial sanctions on North Korea - includes crypto asset addresses used to direct/collect hacked funds.

  • 'Blatant and malicious': Telstra-owned Digicel Pacific used by spies-for-hire, cyber security analysis shows - enabled various offensive operations in the commercial sector.

  • Cooperating Federal Contractor Resolves Liability for Alleged False Claims Caused by Failure to Fully Implement Cybersecurity Controls - Verizon Business Network Services LLC, of Ashburn, Virginia, has agreed to pay $4,091,317 to resolve False Claims Act allegations that it failed to completely satisfy certain cybersecurity controls in connection with an information technology service provided to federal agencies.

  • Russian Businessman Sentenced to Nine Years in Prison in $93 Million Hack-to-Trade Conspiracy - Klyushin was also ordered to forfeit $34,065,419 and pay restitution in an amount that will be determined at a later date.

  • AI

    • G7 Hiroshima Process on Generative Artificial Intelligence (AI) - This report presents the results of a questionnaire to G7 members developed to support the stocktaking and help guide G7 discussions on common policy priorities about generative AI

    • Adversarial AI: Coming of age or overhyped? - explores developments in adversarial artificial intelligence (AAI) and machine learning, examining recent research, practical realities for the deployment of adversarial attacks, and the pursuit of secure and robust AI.  

    • AI will change American elections, but not in the obvious way - How polarisation inoculates Americans from misinformation

  • RUSI Responsible Cyber Behaviour project - Mapping practical understandings of responsible cyber behaviour and cyber policies across the world to inform a conceptual global cyber policy framework.

    • Launching the Global Partnership for Responsible Cyber Behaviour event

  • OIG Report: Cybersecurity System Review of the Transportation Security Administration’s Selected High Value Asset - The Transportation Security Administration (TSA) did not implement effective technical controls to protect the sensitive information processed by the selected High Value Asset (HVA) system.

  • Democratising access to quantum computing: IQM Quantum Computers launches “IQM Spark” for universities and labs - EUR 1 million gets you a 5-qubit system

  • Women scientists are less likely than men to submit papers to high-impact journals - According to the survey, women are more likely than men to suggest that their work is not groundbreaking or novel enough to submit to high-impact journals, which typically have high rejection rates and include novelty as a criterion for acceptance.

  • Hidden communication technology based on public chain by Zhu Liehuang, Distinguished Professor/Secretary of the Party Committee at the School of Cyberspace Security of Beijing Institute of Technology.

  • The latest progress in the construction of the US Army's cloud environment - a Chinese analysis - The design concept, construction model and expected goals of the US Army's cloud environment construction are already at the front of the world and can be used as a reference for our military

  • Sleight of hand: How China weaponizes software vulnerabilities - This report details the structure of the MIIT’s new vulnerability databases, how the new databases interact with older ones, and the membership lists of companies participating in these systems.

The reflection this week comes from learning that Sweden has a Psychological Defence Agency. The fact that Russia weaponized Information Operations (see reporting below) has likely, inadvertently, prepared some parts of the globe better than they might otherwise be for a world of pervasive Generative AI.

In other news our (Kirsty, James, Andy and myself) RFC was published by the IETF - RFC 9424: Indicators of Compromise (IoCs) and Their Role in Attack Defence. The involvement of the cyber defence community is critical in the standards groups. We wrote this to ensure that there was awareness of what we need to be effective. I strongly encourage more to get involved.

On the interesting job/role front (thanks to those sending me these):

  • GovAssure Assurance Operations Lead at the Cabinet Office, UK

  • Joint Intelligence Organisation - Lead Intelligence Analyst, Head of Counter-Proliferation and Deterrence Teams at the Cabinet Office, UK

  • Senior Cyber Automation Engineer at London Stock Exchange Group, UK

  • Security Engineer, Detection & Response at OpenAI in London, UK

  • Senior Security Researcher – AI Security at Microsoft in Cambridge, UK

  • Offensive Security Engineer I – AI Red Team at Microsoft in Redmond, US

  • National Cyber Mission Leader at Booz Allen Hamilton in Cambridge, UK

  • Head of Risk and Assurance at the Houses of Parliament, UK

Views are my own / attribution by others etc.


Have a lovely Thursday

Ollie

Cyber threat intelligence

Who is doing what to whom and how.

Russia

Gamaredon Activity Amid Ukraine’s Counteroffensive

From the Ukraine government.

This report highlights the strategic view on the increased threat posed by the Gamaredon Advanced Persistent Threat (APT) group targeting Ukrainian military organizations during a recent Ukrainian counteroffensive. The report delves into the nature of Gamaredon APT, its links to Moscow, recent tactics and techniques, including the malware and network infrastructure used, and its potential implications for Ukrainian military organizations during a counteroffensive operation.

https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/Gamaredon_activity.pdf

'From Russia with a 71': Uncovering Gamaredon's fast flux infrastructure. New apex domains and ASN/IP diversity patterns discovered

Some excellent tradecraft in this reporting, showing how data science can really help.

  • [We] explore the extent of the Gamaredon Group’s fast flux operation.

  • 300+ new apex domain IOCs discovered from a single Gamaredon domain.

  • Proprietary fingerprinting techniques used to expose the deployment of new attacker infrastructure using wildcard A records
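Two of the signals the Silent Push write-up relies on, IP/ASN churn on a single name (fast flux) and wildcard A records that answer for any label under an apex, can be approximated from passive-DNS style data. The following is an added example (not Silent Push's proprietary technique and not code from the post) over a constructed set of observations; the `asn` enrichment, the `fake_resolve` stand-in for a DNS lookup, the `/24` grouping and the thresholds are all assumptions for illustration.

```python
"""Fast-flux profiling and wildcard A-record probing over passive-DNS style
records. Sample data and thresholds are constructed for illustration."""
import ipaddress
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Resolution:
    name: str   # fully qualified name observed
    ip: str     # A record answer
    asn: int    # ASN of the answer IP at observation time (assumed enrichment)
    ts: int     # observation time, unix seconds


# Constructed observations using documentation prefixes; not real IoCs.
SAMPLE = [
    Resolution("a1.fluxy.example", "203.0.113.10", 64500, 1000),
    Resolution("a1.fluxy.example", "198.51.100.7", 64501, 1300),
    Resolution("a1.fluxy.example", "192.0.2.44", 64502, 1600),
    Resolution("a1.fluxy.example", "203.0.113.99", 64503, 1900),
    Resolution("qz7k3.fluxy.example", "203.0.113.10", 64500, 2000),
    Resolution("www.stable.example", "192.0.2.1", 64510, 1000),
    Resolution("www.stable.example", "192.0.2.1", 64510, 1600),
    Resolution("www.stable.example", "192.0.2.1", 64510, 2200),
]


def apex(name: str) -> str:
    """Naive apex extraction (last two labels); a real pipeline would use the PSL."""
    return ".".join(name.rstrip(".").split(".")[-2:])


def flux_profile(records, name, window):
    """Count distinct IPs, /24s and ASNs that `name` resolved to within the last
    `window` seconds of its observations. Rapid churn across ASNs is the tell."""
    mine = [r for r in records if r.name == name]
    if not mine:
        return {"ips": 0, "nets": 0, "asns": 0, "fast_flux": False}
    latest = max(r.ts for r in mine)
    recent = [r for r in mine if r.ts >= latest - window]
    ips = {r.ip for r in recent}
    nets = {str(ipaddress.ip_network(f"{r.ip}/24", strict=False)) for r in recent}
    asns = {r.asn for r in recent}
    # Thresholds are assumptions; tune against your own passive-DNS baseline.
    return {"ips": len(ips), "nets": len(nets), "asns": len(asns),
            "fast_flux": len(ips) >= 3 and len(asns) >= 3}


def is_wildcard(apex_name, resolve, probes=3):
    """Wildcard probe: random labels should NOT resolve under a normal zone. If
    every random label resolves, and to the same answer, the zone has a wildcard."""
    answers = set()
    for _ in range(probes):
        got = resolve(f"{secrets.token_hex(6)}.{apex_name}")
        if not got:
            return False
        answers.update(got)
    return len(answers) == 1


def wildcard_apexes(records, resolve):
    """Run the wildcard probe once per apex seen in the records."""
    return sorted({apex(r.name) for r in records if is_wildcard(apex(r.name), resolve)})


def fake_resolve(name):
    """Constructed stand-in for a DNS lookup: fluxy.example has a wildcard A record."""
    if name.endswith(".fluxy.example"):
        return ["203.0.113.10"]
    return {"www.stable.example": ["192.0.2.1"]}.get(name, [])


if __name__ == "__main__":
    print(flux_profile(SAMPLE, "a1.fluxy.example", window=1000))
    print(wildcard_apexes(SAMPLE, fake_resolve))
```

Swapping `fake_resolve` for a real resolver call turns the wildcard probe into the live check; the flux profile needs only your own passive-DNS export.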

https://www.silentpush.com/blog/from-russia-with-a-71

Russia’s African coup strategy

Clint Watts describes how Russian Information Operations have impact in Africa. It will be interesting to see how we help such countries build their resilience.

The appearance of Russian flags is symbolic of a multi-pronged media strategy Russia has developed to capitalize on coups. Although the power grabs in the Sahel and now Gabon were motivated by political dynamics specific to each country, Russia’s online and offline influence campaigns have acted as an accelerant, driving polarization and cementing the authority of often outwardly pro-Russian coup leaders

https://blogs.microsoft.com/on-the-issues/2023/09/01/russias-african-coup-strategy/

https://blogs.microsoft.com/wp-content/uploads/prod/sites/5/2023/09/Sahel-Gabon-Coup-Playbook-PDF.pdf

North Korea

Active North Korean campaign targeting security researchers

Clement Lecigne and Maddie Stone disclose the next wave of this campaign which involves going after researchers to steal their private capabilities. Interesting times for sure..

Recently, [we] became aware of a new campaign likely from the same actors based on similarities with the previous campaign. [We are] aware of at least one actively exploited 0-day being used to target security researchers in the past several weeks. The vulnerability has been reported to the affected vendor and is in the process of being patched.

https://blog.google/threat-analysis-group/active-north-korean-campaign-targeting-security-researchers/

Novel RAT discovered “SuperBear” targeting journalist covering geopolitics of Asia

Ovi Liber details a suspected Kimsuky campaign, the novelty here is the victimology.

[We] received a sample sent to a journalist with highly targeted content luring the recipient to open the document. The journalist received an email from an activist who was contacted by an address impersonating a member of the organisation with a malicious document. The document was in .LNK form, and upon execution loaded a malicious PowerShell command and a legitimate DOCX related to the organization.

After analysis, Interlab discovered that, after initial compromise, an AutoIT script was executed to perform process injection using a process hollowing technique. The injected process contained a novel RAT, which we dubbed “SuperBear” due to naming conventions in the code. We believe this to be a new campaign targeting civil society groups.

https://interlab.or.kr/archives/19416

https://0x0v1.com/posts/superbear/superbear/

China

APT15/APT31: Groups APT 15 and APT 31 use home network devices for state-controlled cyberattack campaigns

German government reporting on the use of these devices. To some this won’t be a revelation, but it further builds the evidence base on the evolution of Chinese tradecraft.

The cyber attackers compromise home network or SOHO end devices on a large scale. Devices with known vulnerabilities are particularly susceptible to such compromise, especially if support has been discontinued by the manufacturer (so-called “end-of-life” devices).

So far, the following terminal device classes have been identified as attacked:

• Home or SOHO router,

• Network storage/hard drives (so-called NAS systems),

• SOHO firewall systems,

• Smart home or home automation systems.

https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2023-02-bfv-cyber-brief.pdf?__blob=publicationFile&v=2

https://www.documentcloud.org/documents/23935188-bfv-apt15apt31-translated-alert

My Tea’s not cold. An overview of China’s cyber threat

Jamila Boutemeur and team provide a summary report of what they know about Chinese state activity.

an overview of recent malicious cyber activities associated with China-nexus Intrusion Sets. It is based on open-source documents and [our] analysts' research and does not intend to present an exhaustive list of campaigns aligned with China’s strategic interests. Information cut-off date is 13 July 2023.

https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/

China, North Korea pursue new targets while honing cyber capabilities

Clint Watts is back with a stark data point..

In the past year, China has honed a new capability to automatically generate images it can use for influence operations meant to mimic U.S. voters across the political spectrum and create controversy along racial, economic, and ideological lines. This new capability is powered by artificial intelligence that attempts to create high-quality content that could go viral across social networks in the U.S. and other democracies. These images are most likely created by something called diffusion-powered image generators that use AI to not only create compelling images but also learn to improve them over time.

https://blogs.microsoft.com/on-the-issues/2023/09/07/digital-threats-cyberattacks-east-asia-china-north-korea/

Digital threats from East Asia increase in breadth and effectiveness

The detailed report associated with the above.

https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW1aFyW

Iran

APT34 Unleashes New Wave of Phishing Attack with Variant of SideTwist Trojan

Chinese reporting on an Iranian actor which isn’t overly novel, but it is included as we haven’t had any supposed Iranian reporting in open source for a while. It serves as a reminder that this tradecraft must work against some targets or it wouldn’t be used.

The decoy file used by APT34 this time is called “GGMS Overview.doc”, and the document’s body shows an introduction to a so-called “Ganjavi Global Marketing Services” company, as shown in the figure below.

https://nsfocusglobal.com/apt34-unleashes-new-wave-of-phishing-attack-with-variant-of-sidetwist-trojan/

Cross-Tenant Impersonation: Prevention and Detection

Real-world attacks for those of you using Okta.

  • Okta has observed attacks in which a threat actor used social engineering to attain a highly privileged role in an Okta customer Organization (tenant).

  • When successful, the threat actor demonstrated novel methods of lateral movement and defense evasion.

  • These methods are preventable and present several detection opportunities for defenders.

https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection

Camouflaged Hunter

Interesting victimology to an unattributed actor using rather basic tradecraft.

Camouflaged Hunter, also known as APT-C-60 or APT-Q-12, has been targeting human resources consulting and trade-related sectors in China since 2018. In the first half of the APT report by Chinese IT conglomerate Tencent, Camouflage Hunter ranked 8th among the APT groups targeting China.

However, after 2021, Camouflage Hunters began operating in Japan, Singapore, and Korea. AhnLab tracked the activities of Camouflage Hunter based on publicly available information and also confirmed additional tools used in the attack.

https://m-ahnlab-com.translate.goog/kr/site/securityinfo/secunews/secuNewsView.do?seq=33936&_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=wapp

DarkGate Loader Malware Delivered via Microsoft Teams

Jakob Nordenlund details in-the-wild use of Microsoft Teams as a delivery mechanism by a threat actor other than commercial Red Teams. Brace brace brace..

Until now DarkGate Loader was seen delivered via traditional email malspam campaigns similar to those of Emotet. In August an operator started using Microsoft Teams to deliver the malware via HR-themed social engineering chat messages.

https://www.truesec.com/hub/blog/darkgate-loader-delivered-via-teams

Discovery

How we find and understand the latent compromises within our environments.

A Yara ruleset to find potentially malicious code in macOS malware samples

Does what it says on the tin.

https://github.com/SentineLabs/macos-ttps-yara

Forensic Aspects of Microsoft Remote Access VPN

Théo Letailleur continues the excellent work of this firm on exploring and documenting the forensic artifacts available.

https://www.synacktiv.com/en/publications/forensic-aspects-of-microsoft-remote-access-vpn.html

Microsoft Edge Forensics: Screenshot History

Will be useful in certain situations - maybe we should enable this on all those jump boxes to be kind to our future selves?

Microsoft Edge has a new feature that allows it to take screenshots of every web page a user visits. The feature is called “Save screenshots of site for History” and is available in Microsoft Edge 117, which is currently available for testing in the Canary and Dev channels. The feature is off by default, but if a user decides to turn it on, Edge will take screenshots of the sites the user visits and save them so that user can quickly revisit the site from history.

https://medium.com/@DCSO_CyTec/microsoft-edge-forensics-screenshot-history-703b9b8392f8

Defence

How we proactively defend our environments.

CVEAggregate: Build a CVE library with aggregated CISA, EPSS and CVSS data

From Canada with ❤️

Build a CVE library with aggregated CISA, EPSS and CVSS data

  • CISA Values : The remediation due date (or null)

  • EPSS Values : The EPSS probability score (or 0)

  • CVSS Values : V2 and/or V3 vector strings (or null)

https://github.com/r3volved/CVEAggregate

Keystroke timing obfuscation added to ssh(1)

Defense in depth..

https://undeadly.org/cgi?action=article;sid=20230829051257

A Tale of Two BGP Leaks

Doug Madory evidences that the core of the Internet is becoming more resilient.

Years ago large routing leaks like these might have been the cause of widespread internet disruption. Not so much anymore.

Humans are still (for the time being) configuring routers and, being human, are prone to the occasional mistake. What has changed is that the global routing system has become better at containing the inevitable goof-ups. Route hygiene has improved due to efforts like MANRS and the hard work of network engineers around the world.

https://www.kentik.com/blog/a-tale-of-two-bgp-leaks/

Perfectly Reproducible, Verified Go Toolchains

Russ Cox brings to Go what Tor Browser has had since 2013. Great work here, and we need more projects to adopt / adapt / be able to deliver similar.

As of Go 1.21, the Go toolchain is perfectly reproducible: its only relevant input is the source code for that build. We can build a specific toolchain (say, Go for Linux/x86-64) on a Linux/x86-64 host, or a Windows/ARM64 host, or a FreeBSD/386 host, or any other host that supports Go, and we can use any Go bootstrap compiler, including bootstrapping all the way back to Go 1.4’s C implementation, and we can vary any other details. None of that changes the toolchains that are built. If we start with the same toolchain source code, we will get the exact same toolchain binaries out.

https://go.dev/blog/rebuild

Incident Writeups

Results of Major Technical Investigations for Storm-0558 Key Acquisition

The fact they were able to trace this back as they did is impressive. Many / most / nearly all others would never have got back to the crash dump which contained the signing key. This is what Chinese APT capability looks like..

https://msrc.microsoft.com/blog/2023/09/results-of-major-technical-investigations-for-storm-0558-key-acquisition/

Vulnerability

Our attack surface.

CVE-2023-40217: Python SSL library in Python

Aapo Oksman finds an interesting vulnerability which will be exploitable by a few out there in the real world.

An attacker could exploit this vulnerability by connecting to a TLS server, sending payload data to the socket and immediately force-closing the socket. The TLS server would then assume that the TLS handshake and any client authentication were done and read the attacker-supplied data. The vulnerability mostly affects mTLS Python implementations.

https://github.com/AapoOksman/writeups/tree/master/CVE-2023-40217

MXsecurity Series Multiple Vulnerabilities

More security product vulnerabilities.

These vulnerabilities are caused by the improper design or implementation of authentication mechanisms and input validation. Exploiting these vulnerabilities could enable an attacker to bypass authentication, which could lead to the unauthorized disclosure or tampering of authenticated information, unauthorized access to sensitive data, and remote access without proper authorization.

https://www.moxa.com/en/support/product-support/security-advisory/mpsa-230403-mxsecurity-series-multiple-vulnerabilities

Mashing Enter to bypass full disk encryption with TPM, Clevis, dracut and systemd

Michael Fincham brings the Kiwi panache with this vulnerability, which highlights once again that many eyes don’t yield automatic security. Wonderful lateral thinking..

Using the vulnerability described in this advisory an attacker may take control of an encrypted Linux computer during the early boot process, manually unlock TPM-based disk encryption and either modify or read sensitive information stored on the computer’s disk.

https://pulsesecurity.co.nz/advisories/tpm-luks-bypass

Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows

Yaron Avital highlights the complexity of modern development environments when you are tasked with securing them.

the permissive nature of GitHub Actions workflows is prevalent throughout the open-source community and private projects on GitHub. Today, we expand the discussion to cover actions pinning, and a serious caution we’d advise you to keep on your radar.

action pinning is not the security measure we wanted it to be. While it guarantees that the action's code (stored in its hosting repository) can’t change, it doesn’t guarantee immutability of the action's dependencies and external resources. Container images, binaries, other actions — a whole pipeline dependency tree unprotected by action pinning — if compromised by attackers, will lead to malicious code executed in your workflow.

Comprehensive pinning, in other words, is challenging to achieve. Version control systems (VCS) don’t currently offer a holistic solution to protect against attackers executing malicious code in CI pipelines through compromised actions.
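As a defensive check for the first layer of what the post describes, the following is an added example (not Palo Alto's tooling and not code from the post) that audits `uses:` references in a workflow for mutable refs and Docker images without a digest, and `FROM` lines in a Dockerfile-based action for the same. The workflow and Dockerfile text, the 40-hex SHA and the image names are constructed; the regexes are a simplification of YAML parsing. Note that, as the post says, a SHA-pinned action can still pull unpinned binaries or images at run time, which a static check like this cannot see inside the action's own repository.

```python
"""Audit GitHub Actions `uses:` references and Dockerfile base images for
pinning. Workflow/Dockerfile samples are constructed for illustration."""
import re

SHA40 = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
FROM = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)", re.IGNORECASE)

# Constructed workflow: one SHA-pinned step, one tag-pinned, one mutable image, one local.
WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - uses: docker://alpine:3.18
      - uses: ./.github/actions/local-thing
"""

# Constructed Dockerfile for a Docker-based action: base image by tag, not digest.
DOCKERFILE = """\
FROM node:20-alpine
COPY entrypoint.sh /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]
"""


def check_uses(ref: str):
    """Classify one `uses:` value. Returns (ok, reason)."""
    if ref.startswith("./"):
        return True, "local action (travels with the repo commit)"
    if ref.startswith("docker://"):
        pinned = "@sha256:" in ref
        return pinned, "image pinned by digest" if pinned else "image by mutable tag"
    if "@" not in ref:
        return False, "no ref at all (defaults to the action's default branch)"
    at = ref.rpartition("@")[2]
    if SHA40.match(at):
        return True, "pinned to commit SHA"
    return False, f"mutable ref '{at}' (tag or branch can be moved)"


def audit_workflow(text: str):
    """(line, ref, reason) for every `uses:` that is not immutably pinned."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES.match(line)
        if m:
            ok, why = check_uses(m.group(1))
            if not ok:
                findings.append((n, m.group(1), why))
    return findings


def audit_dockerfile(text: str):
    """(line, image, reason) for every FROM that is not pinned by digest."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = FROM.match(line)
        if m and "@sha256:" not in m.group(1) and m.group(1).lower() != "scratch":
            findings.append((n, m.group(1), "base image not pinned by digest"))
    return findings


if __name__ == "__main__":
    for f in audit_workflow(WORKFLOW) + audit_dockerfile(DOCKERFILE):
        print(*f)
```

Run it across `.github/workflows/*.yml` and every `action.yml`/`Dockerfile` your workflows reference; anything it reports is a point where a third party can change what your pipeline executes without a commit on your side.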

https://www.paloaltonetworks.com/blog/prisma-cloud/unpinnable-actions-github-security/

What is dev tunnels?

Yes, really…

Dev tunnels allow developers to securely share local web services across the internet. Enabling you to connect your local development environment with cloud services, share work in progress with colleagues or aid in building webhooks.

https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview

Offense

Attack capability, techniques and trade-craft.

From Hidden Bee to Rhadamanthys - The Evolution of Custom Executable Formats

Interesting evolution in the criminal eco-system in an attempt to avoid detection. How many Yara rules have you seen which first check whether something is a PE file?

  • Rhadamanthys stealer’s design and implementation significantly overlap with those of Hidden Bee coin miner. The similarity is apparent at many levels: custom executable formats, the use of similar virtual filesystems, identical paths to some of the components, reused functions, similar use of steganography, use of LUA scripts, and overall analogous design.

  • [We] highlight and provide a technical analysis of some of those similarities, with a special focus on the custom executable formats. We present details of RS, HS, and the latest XS executable formats used by this malware.

  • We explain implementation details, i.e. the inner workings of the identical homebrew exception handling used for custom modules in both Rhadamanthys and Hidden Bee.

  • Based on the Hidden Bee format converters, we provide a tool that reconstructs PEs from the Rhadamanthys custom formats in order to aid analysis.

  • We give an overview of particular stages and involved modules.

https://research.checkpoint.com/2023/from-hidden-bee-to-rhadamanthys-the-evolution-of-custom-executable-formats/

Exploitation

What is being exploited.

Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475

No real news here, but the sector insight is interesting.

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Cyber National Mission Force (CNMF) identified the presence of indicators of compromise (IOCs) at an Aeronautical Sector organization as early as January 2023. Analysts confirmed that nation-state advanced persistent threat (APT) actors exploited CVE-2022-47966 to gain unauthorized access to a public-facing application (Zoho ManageEngine ServiceDesk Plus), establish persistence, and move laterally through the network. This vulnerability allows for remote code execution on the ManageEngine application. Additional APT actors were also observed exploiting CVE-2022-42475 to establish presence on the organization’s firewall device.

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-250a

CVE-2023-34039: VMWare Aria Operations For Networks Static SSH Key RCE

Brace brace brace..

Interestingly, VMware has named this issue “Networks Authentication Bypass”, but in my opinion, nothing is getting bypassed. There is SSH authentication in place; however, VMware forgot to regenerate the keys.

https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-34039/

CVE-2023-29357: Microsoft SharePoint ValidateTokenIssuer Authentication Bypass Vulnerability

Exploit out of Vietnam, don’t underestimate Vietnam and patch SharePoint!

After successfully impersonating the farmadmin account, we can continue to exploit CVE-2023-24955 to exploit RCE

https://sec-vnpt-vn.translate.goog/2023/08/phan-tich-cve-2023-29357-microsoft-sharepoint-validatetokenissuer-authentication-bypass-vulnerability/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=wapp

BLASTPASS: NSO Group iPhone Zero-Click, Zero-Day Exploit Captured in the Wild

More NSO Pegasus use against US assets. You would think this might be unwise..

Last week, while checking the device of an individual employed by a Washington DC-based civil society organization with international offices, Citizen Lab found an actively exploited zero-click vulnerability being used to deliver NSO Group’s Pegasus mercenary spyware. 

Note: Post updated 5:42PM Eastern Time Sept 7th to reflect that Apple’s Security Engineering and Architecture team and Citizen Lab believe that Lockdown Mode blocks this particular attack.

https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild/

Tooling and Techniques

Low level tooling and techniques for attack and defence researchers…

FirmSolo: Enabling dynamic analysis of binary Linux-based IoT kernel modules

Ioannis Angelakopoulos, Gianluca Stringhini, and Manuel Egele provide a useful framework.

FirmSolo is a framework that exposes Linux-based IoT kernel modules to downstream analysis (e.g., TriforceAFL, Firmadyne). FirmSolo provides two stages: 1) In the first stage FirmSolo extracts metadata information from the kernel modules within a firmware image (e.g., kernel symbols, arch, endianness). 2) In the second stage FirmSolo uses the extracted metadata information to build a Linux kernel (supported by QEMU) that can load the firmware binary kernel modules and expose them to dynamic analysis systems, such as TriforceAFL and/or Firmadyne. Currently FirmSolo supports only MIPS and ARM 32-bit Linux-based firmware images.

https://github.com/BUseclab/FirmSolo

https://www.usenix.org/system/files/sec23_slides_angelakopoulos.pdf

bin2ml: A command line tool for extracting machine learning ready data from software binaries powered by Radare2

Br0kej brings this gift to security vendors..

bin2ml is a command line tool to extract machine learning ready data from software binaries. It's ideal for researchers and hackers to easily extract data suitable for training machine learning approaches such as natural language processing (NLP) or Graph Neural Network (GNN) models using data derived from software binaries.

https://github.com/br0kej/bin2ml

Footnotes

Some other small (and not so small) bits and bobs which might be of interest.

  • Aggregate reporting

    • Emerging Cybersecurity Threats: What to Watch Out For in Q4 2023

    • 1H 2023 Ransomware Landscape Overview

    • Cyber Threat Intelligence Index: 2023 Midyear

    • The State of Exposure Management in 2023

  • Mapping the landscape of data intermediaries

  • Abuse of Cloud-Based and Public Legitimate Services as Command-and-Control (C&C) Infrastructure: A Systematic Literature Review

  • Diving into Starlink's User Terminal Firmware

  • Draft Risk Assessment Regulations For California Privacy Protection Agency

    September 8, 2023 Board Meeting

  • The Behavioral Economics Guide 2023

  • NIST SP 800-204D (Initial Public Draft) Strategies for the Integration of Software Supply Chain Security in DevSecOps CI/CD pipelines

  • *Privacy Not Included: A Buyer’s Guide for Connected Products

  • Artificial intelligence

    • A multidomain relational framework to guide institutional AI research and adoption

    • Our TRAM Large Language Model Automates TTP Identification in CTI Reports - 150 reports with 4,070 technique-labeled sentences out of 19,011 total samples to the previous training data set. All training data is available for you to work with on our GitHub repository in several convenient formats.

    • YaRN: Efficient Context Window Extension of Large Language Models

    • RLAIF: Scaling Reinforcement Learning from Human Feedback with AI Feedback

    • A Survey on Graph Neural Networks for Time Series: Forecasting, Classification, Imputation, and Anomaly Detection

    • Instruction Tuning for Large Language Models: A Survey

    • Out of the Cage: How Stochastic Parrots Win in Cyber Security Environments

    • Model evaluation for extreme risks

    • Robust fine-tuning of zero-shot models

    • Transformers as Support Vector Machines

    • AgentSims: An Open-Source Sandbox for Large Language Model Evaluation

    • Algorithm of Thoughts: Enhancing Exploration of Ideas in Large Language Models

    • Hydra-MoE: A new class of Open-Source Mixture of Experts - A scalable, efficient and Open Source Mixture of Experts (MoE) architecture to enable OSS AI to achieve SOTA (GPT-4 level) performance.

  • Events

    • 10th Annual Cyber Beacon: The Future is Now, 19 October 2023, Washington DC

    • 2023 Conference on International Cyber Security, 7-8 November 2023

Analyst
Sep 10

Shew. I was starting to worry. Now that you have a fancy title...is it Sir CTO? Not sure how it works across the pond :-P

© 2023 Ollie Whitehouse from BinaryFirefly