Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week you will see the volume of reporting on all fronts feels busy. The points I would note are the mobile / embedded focus of some of the capability.
U.S. conducts first Hunt Forward Operation in Lithuania - For three months, the U.S. cyber operators hunted for malicious cyber activity on key Lithuanian national defense systems and Ministry of Foreign Affairs’ networks alongside its allies.
Qakbot Malware Disrupted in International Cyber Takedown - The Qakbot malicious code is being deleted from victim computers, preventing it from doing any more harm. The Department also announced the seizure of more than $8.6 million in cryptocurrency in illicit profits.
A Divorce Between The Navy And Cyber Command Would Be Dangerous - Frustrated by reports of the U.S. Navy’s underperformance in cyber operations, Congress has made an unusual request. The Fiscal Year 2023 National Defense Authorization Act instructs the secretary of defense to report to Congress by 2024 on whether the Navy should continue contributing forces to U.S. Cyber Command. This request raises the unprecedented possibility that an armed service would not contribute forces to a joint combatant command.
Joint statement on data scraping and data protection - The UK's Information Commissioner’s Office and eleven other data protection and privacy authorities from around the world have published a joint statement calling for the protection of people’s personal data from unlawful data scraping
Cyber Insurance
2023 Cyber Report by Tokio Marine HCC (Insurer) - Price change has been a major component of the cyber market’s response to the ransomware epidemic, but changes to insurers’ underwriting approach have been equally impactful. Tightened eligibility criteria, modifications to application forms, use of cyber threat intelligence and targeted vulnerability scanning are among the e orts undertaken by insurers to improve profitability.
Cyber Insurance Landscape - Trends by Industry - In underwriting then, attention should still be paid to segmentation between IT/OT networks, data segmentation, vulnerability and patch management, staff training and business continuity scenarios.
China's state hackers broke into (German) federal authorities - The Office for the Protection of the Constitution warns of Chinese hackers who misuse routers or smart home controls to cover up their tracks - the Federal Agency for Cartography was also attacked
Japan’s cybersecurity agency suffers months-long breach - According to three government and private sector sources familiar with the situation, Chinese state-backed hackers were believed to be behind the attack on Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC), which began last autumn and was not detected until June.
National Police Agency to upgrade cyber unit to department - Under the plan, included in its organizational reform request for fiscal 2024 that will start next April, the NPA will also set up a special investigation division and a planning and analysis division in the new department to boost investigative cooperation with foreign authorities.
Cybersecurity Enters Conversation About Executive Pay - Companies are starting to tie bonuses for their chief executives and other top leaders to cybersecurity metrics, a move that governance experts say could make them more secure against hackers.
Generative Artificial Intelligence in Finance: Risk Considerations - The deployment of AI applications in the financial sector is raising several concerns about the risks inherent in the technology. These concerns include embedded bias and privacy shortcomings, opaqueness about how outcomes are generated, robustness issues, cybersecurity, and AI’s impact on broader financial stability.
Cybersecurity as a Legal Problem - Law is the foundation of cybersecurity because law defines the “security” in cybersecurity, who is entitled to that security, and how human beings and governments should behave to guarantee cybersecurity.
Avoiding Deadlock Ahead of Future UN Cyber Security Negotiations - The rift between Western democracies, some developing countries and Russia – along with other non-aligned countries and developing countries – should be a cause of concern for those involved in future rounds of negotiations
Scale of cybercrime is ‘breathtaking’- global cybercrime is predicted to cost $8 trillion this year alone. To put that in context, if cybercrime was a country, it would be the world’s third-biggest economy behind the US and China.
Error correcting codes for near-term quantum computers - IBM scientists have now discovered LDPC codes with a few hundred physical qubits that feature a more than ten-fold reduction of the number of physical qubits relative to the surface code.
University Of Tulsa Creating Cyber Innovation Institute With Anticipated $75 Million Investment - “an initial $24 million investment, which includes $12 million from the American Rescue Plan Act (ARPA) along with a matching amount from the George Kaiser Family Foundation. It projects raising more than $50 million in additional funding over five years from public and private sources.”
South Korea prepares to take fight to North Korea's hackers - "As a leading cybersecurity country in the Indo-Pacific region, we will further stimulate cybersecurity cooperation with NATO by opening an international cyber training center,"
Scale and breadth: just look at the reporting summarised across geo-politics, insurance, business, regulation, legislation and then all the technical reporting - it so broad and growing ever more so.
Capability: I draw your attention to the technical reporting - look at the operational strategies, technical capabilities and tradecraft on show - highly diverse and quickly evolving across government, criminal and commercial actors.
Velocity: AI is just getting started - look at the footnotes section and that is a weeks worth of summary from English along with a single bit of Chinese reporting, nearly all academic. This is going to get pacy and really soon. The real revelation to me this week was NVidia will ship $1billion of optical networking gear for their GPUs this year - we have not even started to think about how these sub networks are protected/monitored etc.
On the interesting job/role front (thanks to those sending me these):
Finally some personal news - on October 23rd I will be taking up the role of Chief Technology Officer for the UK’s National Cyber Security Centre. Huge honour to support the national security mission of the UK along with our partners. Until then (and hopefully post) it is business as usual for the newsletter, views are my own etc..
The NCCC investigated the activity of the Gamaredon group during the Ukrainian counteroffensive
Ukrainian government details the Russian cyber response around the counteroffensive. Interesting point of note is the stolen document usage as lures.
Infrastructure preparation: Before the Ukrainian counteroffensive, the Gamaredon group prepared its infrastructure - we saw a significant increase in the number of cyber attacks.
Using Compromised Documents: Gamaredon uses stolen legitimate documents from compromised organizations to infect victims. These documents are often disguised as reports or official communications, increasing the likelihood of a successful attack.
Exploitation of legitimate services: The Gamaredon group uses legitimate services such as Telegram and Telegraph for covert network communications. It is obvious that now it is necessary to consider the possibility of limiting the use of these platforms in the public sector of Ukraine.
Versatile malware arsenal: The group's malware arsenal includes GammaDrop, GammaLoad, GammaSteel, LakeFlash and Pterodo. Such a toolkit provides a multifaceted approach to victim compromise.
Exploit for CVE-2023-38831, PicassoLoader JavaScript variant, Rabbit algorithm, and Cobalt Strike Beacon
We have further reporting on the exploitation of this vulnerability and the tooling to produce the files. This is Ukrainian government reporting on its usage there.
We draw your attention to the active exploitation of the CVE-2023-38831 vulnerability in the WinRAR software. Currently, a PoC (Proof of Concept) for generating ZIP archives with the appropriate structure is freely available.
We have covered the Korean language this reporting, this is the native English translation. The blend of techniques is of note for initial access.
During the initial compromise stage, the Andariel threat group usually employs spear phishing, watering hole, and supply chain attacks. Additionally, there are cases where the group abuses central management solutions during the malware installation process. A notable fact about the group is its creation and use of various malware types in its attacks. There are many backdoor types, including Andarat, Andaratm, Phandoor, and Rifdoor used in the past attacks, as well as TigerRAT and MagicRAT which have been detected for the past few years.
Lazarus Group exploits ManageEngine vulnerability to deploy QuiteRAT
Asheer Malhotra, Vitor Ventura and Jungsoo An provide reporting on North Korea’s quick pull through of proof-of-concept exploit code to operational usage.
[We] discovered the North Korean state-sponsored actor Lazarus Group targeting internet backbone infrastructure and healthcare entities in Europe and the United States. This is the third documented campaign attributed to this actor in less than a year, with the actor reusing the same infrastructure throughout these operations.
In this campaign, the attackers began exploiting a ManageEngine ServiceDesk vulnerability (CVE-2022-47966) five days after PoCs for the exploit were publicly disclosed to deliver and deploy a newer malware threat we track as “QuiteRAT.” Security researchers first discovered this implant in February, but little has been written on it since then.
QuiteRAT has many of the same capabilities as Lazarus Group’s better-known MagicRAT malware, but its file size is significantly smaller. Both implants are built on the Qt framework and include capabilities such as arbitrary command execution.
Lazarus Group's infrastructure reuse leads to discovery of new malware
Asheer Malhotra, Vitor Ventura and Jungsoo An go two for two in this reporting which appears to further build on the North Korean recon phased modus operandi to protect their more enduring implants.
CollectionRAT has standard remote access trojan (RAT) capabilities, including the ability to run arbitrary commands on an infected system. Based on our analysis, CollectionRAT appears to be connected to Jupiter/EarlyRAT, another malware family Kaspersky recently wrote about and attributed to Andariel, a subgroup within the Lazarus Group umbrella of threat actors.
Lazarus Group appears to be changing its tactics, increasingly relying on open-source tools and frameworks in the initial access phase of their attacks, as opposed to strictly employing them in the post-compromise phase.
One such example of this trend is Lazarus Group’s use of the open-source DeimosC2 framework. The DeimosC2 agent we discovered in this campaign is an ELF binary, indicating Lazarus’ intention to deploy this implant during initial access against compromised Linux endpoints.
Suspected APT37 New Attack Weapon Fakecheck Analysis Report
Chinese reporting on suspected North Korean activity, more a continuation than anything novel i.e. lots of Compiled HTML Help files which resulted in a new implant.
The complexity of the attacker’s code level is low, but it is gradually being upgraded and improved. Judging from the final execution load currently known, the attacker mainly steals browser information, collects host information, and executes simple cmd commands. It is speculated that this may It is only the first and middle stages of the attacker's attack chain, and other payloads will continue to be distributed later.
VMConnect supply chain attack continues, evidence points to North Korea
Karlo Zanki and team identify was is a suspected North Korean crypto operation using open source package registries and doppelganger tradecraft.
[We] dentified a malicious supply chain campaign that the research team dubbed “VMConnect.” That campaign consisted of two dozen malicious Python packages posted to the Python Package Index (PyPI) open-source repository. The packages mimicked popular open-source Python tools, including vConnector, a wrapper module for pyVmomi VMware vSphere bindings; eth-tester, a collection of tools for testing Ethereum-based applications; and databases, a tool that gives asynchronous support for a range of databases.
Here is our analysis of VMConnect campaign, including some of the steps that malicious actors took to avoid detection. We include a review of the similarities between this latest tranche of malicious Python packages and the earlier VMConnect packages, and we discuss the possible links to earlier software supply chain campaigns attributed to North Korean threat actors.
BadBazaar espionage tool targets Android users via trojanized Signal and Telegram apps
Lukas Stefanko detail a fascinating mobile campaign by a suspected Chinese actor which managed to get into the mainline app stores for Android. This shows a degree of capability and execution ability which should be taken seriously.
We discovered trojanized Signal and Telegram apps for Android, called Signal Plus Messenger and FlyGram, on Google Play and Samsung Galaxy Store; both apps were later removed from Google Play.
The malicious code found in these apps is attributed to the BadBazaar malware family, which has been used in the past by a China-aligned APT group called GREF.
BadBazaar malware has previously been used to target Uyghurs and other Turkic ethnic minorities. FlyGram malware was also seen shared in a Uyghur Telegram group, which aligns with previous targeting of the BadBazaar malware family.
FlyGram can access Telegram backups if the user enabled a specific feature added by the attackers; the feature was activated by at least 13,953 user accounts.
Signal Plus Messenger represents the first documented case of spying on a victim’s Signal communications by secretly autolinking the compromised device to the attacker’s Signal device.
FBI warning on Chinese exploitation of the Barracuda vulnerability. The scale and ferocity of the exploitation of what was a zero-day is of note.
The earliest evidence of exploitation of Barracuda ESG appliances was observed in October 2022. Initially, suspected PRC cyber actors sent emails to victims containing TAR file attachments designed to exploit the vulnerability. In the earliest emails, attached files had a “.tar” extension in the filename, while later emails included different file extensions such as “.jpg” or “.dat”. The malicious email attachments contained files that initiated a connection to a domain or IP address controlled by the cyber actors and established a reverse shell at that domain or IP address, allowing the actors to execute further commands on the ESG device.
Flax Typhoon using legitimate software to quietly access Taiwanese organizations
Microsoft details what looks like a prepositioning access operation by a Chinese threat actor. This long term latent access in pursuit of strategic advantage should be of concern.
[We] identified a nation-state activity group tracked as Flax Typhoon, based in China, that is targeting dozens of organizations in Taiwan with the likely intention of performing espionage. Flax Typhoon gains and maintains long-term access to Taiwanese organizations’ networks with minimal use of malware, relying on tools built into the operating system, along with some normally benign software to quietly remain in these networks. Microsoft has not observed Flax Typhoon using this access to conduct additional actions. This blog aims to raise awareness of the techniques used by this threat actor and inform better defenses to protect against future attacks.
Earth Estries Targets Government, Tech for Cyberespionage
Ted Lee, Lenart Bermejo, Hara Hiroaki, Leon M Chang, Gilbert Sison detail a suspected Chinese linked group. The points to note in this reporting is the tread lightly approach to avoid detection.
To leave as little footprint as possible, they use PowerShell downgrade attacks to avoid detection from Windows Antimalware Scan Interface’s (AMSI) logging mechanism. In addition, the actors abuse public services such as Github, Gmail, AnonFiles, and File.io to exchange or transfer commands and stolen data.
This active campaign targets organizations in the government and technology industries based in the Philippines, Taiwan, Malaysia, South Africa, Germany, and the US.
Empire Dragon Accelerates Covert Information Operations, Converges with Russian Narratives
The volume of information operations is what is of note here.
We have identified a coordinated and inauthentic network, tracked as Empire Dragon, which is likely operated by influence actors aligned with the Chinese government and based in China. It has been active since early 2021. Based on this network’s activity, we suspect it overlaps with other networks previously attributed to Chinese interests, including Mandiant’s Spamouflage Dragon and Graphika’s DRAGONBRIDGE. Over the course of 10 distinct information operations (IOs) analyzed by Insikt Group, Empire Dragon’s display of capabilities shows a deliberate attempt to manipulate global audiences using a constantly broadening array of languages, topics, and platforms.
DarkGate reloaded via malvertising and SEO poisoning campaigns
Jérôme Segura details a campaign which appears to be going after tooling used by IT administrators. This appears criminal in nature but notable again for the use of malvertising and SEO poisoning.
While investigating malvertising campaigns, we observed the following Google ad on on July 13, 2023:
Advanced IP Scanner is a popular tool used by IT administrators. Victims who click on the ad are presented with a decoy site.
Meet the Ducks: Vietnamese threat groups targeting Meta Business accounts
Mohammad Kazem Hassan Nejad details a complex campaign which is used for to pump other criminal of activity. This complex interconnectedness is a sign of future threats for sure where online reputation has currency.
Law Enforcement Takes Down Qakbot - Technical details
A team who spotted the FBI operation detail how it worked..
The DLL uses a clever method that involves sending a QPCMD_BOT_SHUTDOWN instruction via a named pipe that Qakbot uses to send and receive messages between processes on the host. Qakbot pipe names are generated using a pseudorandom algorithm that the DLL uses to generate the correct name for the system it is running on. The DLL then calls CallNamedPipeA and sends the QPCMD_BOT_SHUTDOWN instruction to the pipe
How we find and understand the latent compromises within our environments.
Detecting Hybrid Social Identities: A Computational Analysis of Influence & Resilience in Online (RWE) Communities
Anastasia Kordoni, Shengnan Liu, Miriam Koschate-Reis and Mark Levine and performed some research which instinctively seems relevant when considered through a cyber threat actor lense.
Hybrid identities, defined as the fusion of two group memberships and their belief systems, have become an increasing feature of online communities, including right-wing extremist online communities. A hybrid identity may allow those that hold it to gain acceptance in each of the two communities that make up the hybrid identity, thereby providing a platform for social influence where beliefs of one community can be introduced to the other community. For example, the hybrid aspects of an eco-fascist identity might be used by right-wing community members to shift the balance from more mainstream ecological opinions towards more extreme right-wing positions. This kind of influence necessitates a better understanding of the psychosocial processes that drive the social influence of hybrid identities.
Try and detecting malicious code snarfing video and audio with this detection.
Identifies attempt to enumerate accessible DirectShow devices by an unusual process to potentially capture audio or video using the Microsoft DirectShow application programming interface.
Despite the apparent anonymity of sites in Tor, there are always ways to identify their owners. Yes, some of them are complicated and require serious work, but since administrators also make mistakes, they do work. I recommend that everyone involved in such investigations should not forget to use not only the tactics described above, but also those methods that work in the clearnet as well.
Bloated Binaries | How to Detect and Analyze Large macOS Malware File
Phil Stokes highlights the use of large files on macOS as we have previously seen on Windows to avoid analysis. The approach of making the performance overhead of cyber solutions unbearable to effective we can only expect to continue.
if we search for Mach-O binaries over 35MB recognized as malware by 5 or more vendors, the search today returns 524 hits.
Increasing the file size to 50MB or more returns 113 hits, with many of the files returned being samples of Atomic Stealer.
Joe DeBlasio details the march forward here to have HTTPS everywhere.
Our ultimate goal is to enable HTTPS-First Mode for everyone. To that end, we're expanding HTTPS-First Mode protections to several new areas:
We've enabled HTTPS-First Mode for users enrolled in Google's Advanced Protection Program who are also signed-in to Chrome. These users have asked Google for the strongest protection available, and HTTPS-First Mode helps avoid the very real threats of insecure connections these users face.
We're planning to enable HTTPS-First Mode by default in Incognito Mode for a more secure browsing experience soon.
We're currently experimenting with automatically enabling HTTPS-First-Mode protections on sites that Chrome knows you typically access over HTTPS.
Finally, we're exploring automatically enabling HTTPS-First Mode for users that only very rarely use HTTP.
Microsoft's Revocation of the Verisign Class 3 Public Primary Certification Authority
Impact on various solutions which rely on this certificate chain to validate
Airlock Digital investigated these reports and found that all occurrences of this certificate status chained trust up to the Verisign Class 3 Public Primary Certification Authority – G5 Root Certificate (serial: 18dad19e267de8bb4a2158cdcc6b3b4a). Over the coming hours, it was identified that many internet connected Windows 10 & 11 computers within the Airlock Digital environment also began reporting files chained to this root as having ‘Invalid Certificate Chains’.
Detection & response framework for Managed File Transfer (MFT) software
Given the breaches of MOVEit et al this is a useful and timely framework.
MFTData – details the key software components of MFT solutions so that defenders can understand the underlying components of the MFT software. This information such as process names, file paths, ports, and services are critical for defenders to identify valuable incident response and detection data.
MFTDetect – scripts that leverage the MFTData to automatically generate detections for common threat detection and incident response tools.
MFTRespond – scripts and tools that can aide in responding to incidents involving a MFT server
MFTPlaybook – contains a MFT incident response playbook template that can be used as a starting point for incident responders to build incident response playbooks for MFT software. The template can be used in conjunction with a script to automatically pull the key MFT components from the MFTData and update the playbook template.
SonicWall Global Management System (GMS) & Analytics – Multiple Critical Vulnerabilities
Richard Warren and Sean Morland further evidence that security products are not immune.
An unauthenticated attacker could exploit these issues to extract sensitive information, such as credentials, reset user passwords, bypass authentication, and compromise the underlying device.
Matt Johnson will send shivers down the spines of CISOs tasked with securing development environments with this research. Development environments are challenging as by their nature there is lots of flux and all the lolbins running.
What the Function: Decrypting Azure Function App Keys
Thomas Elling also provides a post compromise technique to get credentials.
Function App Access Keys can be stored in Storage Account containers in an encrypted format
Access Keys can be decrypted within the Function App container AND offline
Works with Windows or Linux, with any runtime stack
Decryption requires access to the decryption key (stored in an environment variable in the Function container) and the encrypted key material (from host.json).
CVE-2023-38831 vulnerability in WinRAR exploited by cybercriminals to target traders
Look at the length of time this zero day was being utilised..
On July 10, 2023, while researching the spread of DarkMe malware we came across a previously unknown vulnerability in the processing of the ZIP file format by WinRAR. By exploiting a vulnerability within this program, threat actors were able to craft ZIP archives that serve as carriers for various malware families. Weaponized ZIP archives were distributed on trading forums. Once extracted and executed, the malware allows threat actors to withdraw money from broker accounts. This vulnerability has been exploited since April 2023.
A Proof of Concept for chaining the CVEs [CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, CVE-2023-36847] developed to achieve Remote Code Execution in Juniper JunOS within SRX and EX Series products
The tool is able to show two binary files side by side so that similar places will be at the same position on both sides and bytes missing from one side are padded. It uses bio-informatics algorithms from the rust-bio library (typically used for DNA sequence alignment) for that. The dialog boxes for configuration are done using cursive.
