Bluepurple Pulse: week ending September 17th
The UK's ICO commits to exploring how it can demonstrate that meaningful engagement with the NCSC will reduce regulatory penalties.
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally, nothing overly standout this week.
In the high-level this week:
The UK’s NCSC CEO and Information Commissioner sign Memorandum of Understanding - credit with the ICO if you tell the NCSC you had a breach.
“Building Resilience”: U.S. returns from second defensive Hunt Operation in Lithuania - CNMF has deployed 50 times and conducted hunt operations on over 75 networks in more than 23 countries.
As China steps up cybersecurity enforcement, smaller businesses are feeling the heat - Last month, police in the city of Zhenjiang, in the eastern province of Jiangsu, carried out security sweeps at local businesses, issuing warnings to those that offered Wi-fi without requiring real-name registration, local media reported on Monday.
CISA Releases its Open Source Software Security Roadmap - how we will partner with federal agencies, open source software (OSS) consumers, and the OSS community, to secure OSS infrastructure
Ransomware and the cyber crime ecosystem - A new white paper, published by the NCSC and the National Crime Agency, examines how the tactics of organised criminal groups (OGCs) have evolved as ransomware and extortion attacks have grown in popularity.
Five EU member states must investigate spyware abuse, says PACE committee - Citing “mounting evidence” that spyware has been used for illegitimate purposes by several Council of Europe member states, a committee of the Parliamentary Assembly of the Council of Europe (PACE) has urged five governments to provide information on their use of such spyware within three months, and fully investigate all cases of abuse.
Technology Will Not Exceed Our Humanity - While no provision of the Rome Statute is dedicated to cybercrimes, such conduct may potentially fulfill the elements of many core international crimes as already defined - by the Prosecutor of the International Criminal Court.
IISS Cyber Capabilities and National Power Volume 2 - In this volume we assess Brazil, Estonia, Germany, the Netherlands, Nigeria, Saudi Arabia, Singapore, South Africa, Turkiye and the United Arab Emirates (UAE).
Australia-Owned Pacific Telco Likely Exploited by Private Spies - more reporting on this - Telstra “will be exiting the small number of remaining leases by April 2024, or earlier, if investigations reveal they are acting outside of their contractual obligations,”
Influx of Russian fraudsters gives Turkish cyber crime hub new lease of life - Cybercriminals in Turkey have teamed up with recently arrived Russian émigré hackers to flood a once moribund online marketplace with tens of millions of newly stolen personal credentials, an evolution in the transnational nature of such fraud.
Tencent Security releases "Digital Security Immunity" evaluation tool to help enterprises re-measure security in the intelligent era - starting from the core data and business of the enterprise, it deploys a security system of three layers and six modules from the inside out - a total of 120 questions
China and the US are in a battle over AI. Experts say this is just the start - Weifeng Zhong, a senior research fellow at the Mercatus Centre at George Mason University, said there had been greater emphasis placed on AI as it appeared to be the “natural next step” in the era of data.
The White House (USA) has released its Voluntary AI Commitments
Japan seeks AI transparency with new disclosure guidelines - Tokyo plans to finalize the guidelines later this year. They are not legally binding, but rather are intended to provide a basis for companies to regulate themselves, an approach similar to the one taken by the U.S. government.
TSMC sees AI chip output constraints lasting 1.5 years - Liu explained that the supply constraints are due not to a lack of physical chips but to limited capacity in advanced chip packaging services, a key step in the manufacturing process.
China’s MetaX unveiled a MXC500 GPU which is capable of ~ 15 TFLOPS FP32 vs 19.5 for NVIDIA A100 - China only ~25% behind cutting edge western technology on the face of it.
China’s Zhipu AI and Huakun Zhenyu create independent innovative large-scale all-in-one machines to accelerate the intelligentization of the industry - built on Huawei technology.
The European AI liability directives – Critique of a half-hearted approach and lessons for the future - The dual proposals of the Commission on liability for AI take steps into the right direction, but they do not go far enough. Overall, the two half-hearted directives do not add up to one convincing whole. They fail to provide a uniform framework for AI liability in the EU which would balance ease of compensation with sufficient legal certainty for AI development and deployment.
Reordering the Global Order: A World of “Nodes and Acquends” - China tends to be weak on alliances but is central to production nodes. As supply-side thinking rises in prominence globally, the “producer of last resort” will matter as much as the consumer of last resort. The United States, on the other hand, is at the center of geopolitical alliances but plays less of a central role in production nodes.
Secure by design: lessons from the [UK’s] MoD on innovation and cultural change - “In 10 years’ time, we can’t still be talking about patching things,”
The reflection this week comes from reading the paper Demystifying RCE Vulnerabilities in LLM-Integrated Apps - some marvelous academic work primarily out of China along with an Australian university. Specifically, the reflection comes from the fact that the researchers managed to develop techniques which achieved three instances of remote code execution using blackbox (zero knowledge) techniques, resulting in remote compromise of the systems. As we rush to adopt and integrate, there is now an evidenced risk of what can happen, so we should all be warned.
On the interesting job/role front (thanks to those sending me these):
Technology Policy Researcher at the Cyber Policy Center, Stanford University’s research center, USA
Views are my own / attribution by others etc.
Have a lovely Wednesday
Cyber threat intelligence
Who is doing what to whom and how.
APT28 cyberattack: msedge as a bootloader, TOR and mockbin.org/website.hook services as a control center
Russia took a swing at Ukraine’s energy networks (again). The tradecraft on show however is rather basic using phishing and links to third party hosted files.
To implement the malicious plan, an e-mail message with a fake sender address and a link to an archive, for example, "photo.zip", was distributed.
Visiting the link will download a ZIP archive containing three JPG images (decoys) and a BAT file "weblinks.cmd" to the victim's computer. Running the CMD file will open several decoy web pages, create ".bat" and ".vbs" files, and launch a VBS file that will in turn execute the BAT file.
Then there was some third-party reporting in English:
FBI Identifies Lazarus Group Cyber Actors as Responsible for Theft of $41 Million from Stake.com
FBI shares various digital currency wallet addresses in this reporting.
The FBI is issuing this release to warn the public regarding the theft of approximately $41 million in virtual currency from Stake.com, an online casino and betting platform. The FBI has confirmed that this theft took place on or about September 4, 2023, and attributes it to the Lazarus Group (also known as APT38) which is comprised of DPRK cyber actors.
Threat Trend Report on Kimsuky Group
From July 2023 - published September 11 in English. The point of note here is the diverse use of their implants catalogue.
The Kimsuky group's activities in July 2023 showed that FlowerPower is gaining traction, and the group is simultaneously diversifying their attack methods. Additionally, there were no particular issues regarding AppleSeed and RandomQuery types as they are now less used. The BabyShark type to be described in detail further on this report will be included in the statistics from July thereon.
Analysis of attack activities of APT-C-26 (Lazarus) organization using EarlyRat
Chinese reporting on North Korean activity which used Skype for initial access coupled with social engineering.
In our observation, the suspected attacker sent a bait file download link through Skype, and then the user downloaded the compressed file containing the malicious document through Google Chrome. Once the user is induced to open the file, the attacker uses techniques disguised as Microsoft information to trick the user into enabling macro functions.
Then obtain the user system MAC address, computer name and IP address, and calculate the "machine identification ID" through the CRC32 verification algorithm
Chinese Influence Operation Spreads to American Alt-Platforms
C. Shawn Eib and Patrick Conlon provide update reporting on Spamouflage Dragon, an enduring information operation that appears to be trying to branch out into more polarized platforms.
[We] identified a network of inauthentic accounts operating mostly on the U.S. alt-platform Gab that we assess with high confidence is part of the Chinese Communist Party (CCP)’s Spamouflage Dragon influence operation.
Following our discovery of Spamouflage accounts on Gab, we also conducted searches on Gettr and Truth Social—two of the alt platforms most similar to Gab—though we have not yet detected its presence on those platforms. For Gettr specifically, we assess with low confidence that the lack of Spamouflage accounts is the result of aggressive enforcement action taken by Gettr (which is purportedly owned and controlled by Chinese exile Guo Wengui) to remove pro-CCP content or any content not aligned with Guo’s anti-CCP messaging.
Redfly: Espionage Actors Continue to Target Critical Infrastructure
A suspected Chinese threat actor is in the power grid of an Asian country. Initial access mechanism is not documented. The tradecraft appears common for the threat actor and associated colleagues.
[We] found evidence that a threat actor group Symantec calls Redfly used the ShadowPad Trojan to compromise a national grid in an Asian country for as long as six months earlier this year. The attackers managed to steal credentials and compromise multiple computers on the organization’s network.
The final evidence of malicious activity came on August 3, when the attackers returned and attempted to dump credentials again using a renamed version of ProcDump (file name: yara32.exe):
Sponsor with batch-filed whiskers: Ballistic Bobcat’s scan and strike backdoor
Adam Burgher provides reporting on Magic Hound, APT 35, Cobalt Illusion, Charming Kitten etc. The regional targeting of Brazil is somewhat interesting, but as noted this appears opportunistic as opposed to targeted.
Ballistic Bobcat obtained initial access by exploiting known vulnerabilities in internet-exposed Microsoft Exchange servers by first conducting meticulous scans of the system or network to identify potential weaknesses or vulnerabilities, and subsequently targeting and exploiting those identified weaknesses. The group has been known to engage in this behavior for some time. However, many of the 34 victims identified in [our] telemetry might best be described as victims of opportunity rather than preselected and researched victims, as we suspect Ballistic Bobcat engaged in the above-described scan-and-exploit behavior because it was not the only threat actor with access to these systems.
Sponsor was deployed to at least 34 victims in Brazil, Israel, and the United Arab Emirates; we have named this activity the Sponsoring Access campaign.
Malware distributor Storm-0324 facilitates ransomware access
Turns out Teams is being used by numerous actors as a means of initial access.
The threat actor that [we] track as Storm-0324 is a financially motivated group known to gain initial access using email-based initial infection vectors and then hand off access to compromised networks to other threat actors.
Beginning in July 2023, Storm-0324 was observed distributing payloads using an open-source tool to send phishing lures through Microsoft Teams chats. This activity is not related to the Midnight Blizzard social engineering campaigns over Teams that we observed beginning in May 2023.
HijackLoader: A new evasive malware downloader with a modular architecture
Nikolaos Pantazopoulos provides reporting that seems to indicate that threat actors do read and adopt Red Team tradecraft. Would be worth validating that your EDR solution has coverage of these techniques.
HijackLoader is a new malware loader that [we] first observed in July 2023.
The loader is being leveraged to drop numerous malware families, including Danabot, SystemBC, and RedLine Stealer, amplifying its potential threat.
HijackLoader utilizes syscalls to evade monitoring from security solutions, detects specific processes based on an embedded block list, and delays code execution at different stages.
The malware uses embedded modules that facilitate flexible code injection and execution - a feature uncommon among traditional loaders.
Analysis of the latest mobile attack activities of Confucius Organization
Suspected South Asian state threat actor. The points of note are the fact it is mobile focused and that a Chinese threat intelligence company appears to have got access to the C2.
[We] recently captured a batch of mobile attack samples belonging to the Confucius APT organization.
According to the login time of the C2 server log used by the attacker, it is speculated that the attack activity began in May 2023. At present, 50+ victim information has been found, and government and military personnel are suspected. The main victim areas are Kashmir and other parts of India.
Niraj Shivtarkar and Avinash Kumar detail an interesting campaign where the threat actor is trying to exfiltrate hashes, one presumes to crack later. The operational security aspects employed are also of note.
Exfiltration Tactics: We discovered that the threat actor steals and exfiltrates NTLM hashes using customized scripts from the Nishang framework and system information by executing system commands. Once captured, the data is exfiltrated via mock APIs.
Explicit Images as Lures: The Fansly Whoami Exfil and Exfil Sysinfo infection chain variations use explicit images of models to entice victims to execute the initial payload.
Geofencing and Targeted Regions: Threat actors use a geofencing strategy with specific focus on targeting regions including Australia, Poland, and Belgium.
Mockbin as a Service: We observed the use of Mockbin, an API endpoint generating tool, and mock APIs to transfer stolen data such as NTLM hashes and command output.
How we find and understand the latent compromises within our environments.
GGFAST: Automating Generation of Flexible Network Traffic Classifiers
Julien Piet, Dubem Nwoji and Vern Paxson show there is still significant value to be had in network traffic analysis.
We demonstrate the power of our framework by building---without any case-specific tuning---highly accurate analyzers for multiple types of network analysis problems. These span traffic classification (L7 protocol identification), finding DNS-over-HTTPS in TLS flows, and identifying specific RDP and SSH authentication methods. Finally, we demonstrate how, given ciphersuite specifics, we can transform a GGFAST analyzer developed for a given type of traffic to automatically detect instances of that activity when tunneled within SSH or TLS.
How we proactively defend our environments.
Sandboxing ImageIO media parsing in macOS
Nik Tsytsarkin provides a valuable defense-in-depth addition for macOS and macOS app developers.
While assessing the potential impact of the latest BLASTPASS Zero-Click, Zero-Day Exploit on our Family of Apps, we discovered a feature in ImageIO that moves image parsing to an out-of-process sandbox. This feature mitigates the effects of vulnerabilities related to image parsing on macOS similar to BLASTPASS. App developers can enable this feature on macOS by setting the `IIOEnableOOP` preference true. Anyone can enable this feature by setting the environment variable `IIOEnableOOP=YES` before launching an app. It is not available on iOS.
Baseline Defenses for Adversarial Attacks Against Aligned Language Models
Neel Jain, Avi Schwarzschild, Yuxin Wen, Gowthami Somepalli, John Kirchenbauer, Ping-yeh Chiang, Micah Goldblum, Aniruddha Saha, Jonas Geiping and Tom Goldstein show we have some way to go on defending LLMs. Shouldn’t come as a surprise but adds to the evidence base.
We evaluate several baseline defense strategies against leading adversarial attacks on LLMs, discussing the various settings in which each is feasible and effective. Particularly, we look at three types of defenses: detection (perplexity based), input preprocessing (paraphrase and retokenization), and adversarial training. We discuss white-box and gray-box settings and discuss the robustness-performance trade-off for each of the defenses considered. We find that the weakness of existing discrete optimizers for text, combined with the relatively high costs of optimization, makes standard adaptive attacks more challenging for LLMs.
Future research will be needed to uncover whether more powerful optimizers can be developed, or whether the strength of filtering and preprocessing defenses is greater in the LLMs domain than it has been in computer vision.
How they got in and what they did.
Nothing this week.
Our attack surface.
CVE-2023-4809: FreeBSD pf bypass when using IPv6
Enrico Bassetti details a vulnerability affecting FreeBSD reminiscent of the old school vulnerabilities. Note OpenBSD pf is not affected by the bug.
A FreeBSD with `pf` as firewall for IPv6 traffic and `scrub` enabled to reassemble IPv6 fragments is vulnerable to an attack that uses a crafted packet posing as IPv6 "atomic" fragment to bypass the rules. After the fragment is matched against some firewall rules (but not all!), it is then "corrected" and forwarded to the destination (if no "deny" rule is matched).
Demystifying RCE Vulnerabilities in LLM-Integrated Apps
Tong Liu, Zizhuang Deng, Guozhu Meng, Yuekang Li and Kai Chen give us an early quantified evidence base of vulnerability in LLM-integrated apps. We are going to have work to do. As mentioned, of note are the three instances of RCE they achieved blackbox, resulting in reverse shells.
We discovered 13 vulnerabilities in 6 frameworks, including 12 RCE vulnerabilities.
Directory traversal vulnerability in SHIRASAGI
Interesting regional vulnerability here in Japan with potentially large ramifications.
a directory traversal vulnerability in SHIRASAGI, a CMS (Contents Management System) provided by SHIRASAGI Project, and reported it to IPA. If this vulnerability is exploited, files on the server may be altered or arbitrary code may be executed remotely.
Attack capability, techniques and trade-craft.
What is being exploited.
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote Access VPN Unauthorized Access Vulnerability
Being exploited by ransomware crews.
A vulnerability in the remote access VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a brute force attack in an attempt to identify valid username and password combinations or an authenticated, remote attacker to establish a clientless SSL VPN session with an unauthorized user.
In August 2023, the Cisco Product Security Incident Response Team (PSIRT) became aware of attempted exploitation of this vulnerability in the wild
CVE-2023-26369: Adobe Acrobat and Reader
Adobe is aware that CVE-2023-26369 has been exploited in the wild in limited attacks targeting Adobe Acrobat and Reader.
File History Service (fhsvc.dll) Elevation of Privilege
Given the trivial nature of the exploitation we can expect numerous actors to employ this on unpatched systems.
A vulnerability exists in the file history service, which runs as system privileges, and can be exploited to elevate from ordinary users to system privileges.
The file history service can be started by ordinary users. When the service starts, the core file `fhsvc.dll` will be loaded, and then the vulnerable function `CManagerThread::QueueBackupForLoggedOnUser` will be hit. When this function is executed, it will simulate the currently logged-in user and load `fhcfg.dll`. This behaviour is also the root cause of this vulnerability.
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
Debugging Windows Isolated User Mode (IUM) Processes
Francisco Falcon provides a neat trick here which will be of use to researchers.
We have located the base physical address of `SecureKernel.exe`. The last step is to modify the Securekernel!SkpsIsProcessDebuggingEnabled function
Finally, after that, we can attach a debugger to our IUM process (`vmsp.exe` in this case, the Virtual Machine Security Process, which hosts the `TpmEngUM.dll` library that implements Hyper-V's virtual TPM).
Some other small (and not so small) bits and bobs which might be of interest.
Using Cyber-Informed Engineering for Cyber Defense Workbook - Cyber-informed engineering (CIE) offers an opportunity to “engineer out” some cyber risk across the entire device or system lifecycle, starting from the earliest possible phase of design...
UK Areas of Research Interest (ARIs) have been aggregated into a searchable portal.
JSAC2024 - Tokyo, January 25-26, 2024 - Call for Presentation & Workshop