Cyber Defence Analysis for Blue & Purple Teams

Bluepurple Pulse: week ending September 3rd

bluepurple.binaryfirefly.com

It is just busy...

Ollie
Sep 1, 2023

Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.

Operationally this week you will see the volume of reporting on all fronts feels busy. The points I would note are the mobile / embedded focus of some of the capability.

In the high-level this week:

  • Federal Cybersecurity Vulnerability Reduction Act of 2023 - proposed legislation in the United States requiring vulnerability disclosure by all Federal contractors

  • U.S. conducts first Hunt Forward Operation in Lithuania - For three months, the U.S. cyber operators hunted for malicious cyber activity on key Lithuanian national defense systems and Ministry of Foreign Affairs’ networks alongside its allies.

  • Qakbot Malware Disrupted in International Cyber Takedown - The Qakbot malicious code is being deleted from victim computers, preventing it from doing any more harm. The Department also announced the seizure of more than $8.6 million in cryptocurrency in illicit profits.

  • A Divorce Between The Navy And Cyber Command Would Be Dangerous - Frustrated by reports of the U.S. Navy’s underperformance in cyber operations, Congress has made an unusual request. The Fiscal Year 2023 National Defense Authorization Act instructs the secretary of defense to report to Congress by 2024 on whether the Navy should continue contributing forces to U.S. Cyber Command. This request raises the unprecedented possibility that an armed service would not contribute forces to a joint combatant command. 

  • Joint statement on data scraping and data protection - The UK's Information Commissioner’s Office and eleven other data protection and privacy authorities from around the world have published a joint statement calling for the protection of people’s personal data from unlawful data scraping

  • Cyber Insurance

    • 2023 Cyber Report by Tokio Marine HCC (Insurer) - Price change has been a major component of the cyber market’s response to the ransomware epidemic, but changes to insurers’ underwriting approach have been equally impactful. Tightened eligibility criteria, modifications to application forms, use of cyber threat intelligence and targeted vulnerability scanning are among the efforts undertaken by insurers to improve profitability.

      • Cyber Insurance Landscape - Trends by Industry - In underwriting then, attention should still be paid to segmentation between IT/OT networks, data segmentation, vulnerability and patch management, staff training and business continuity scenarios.

    • From clicks to claims: emerging trends and risks of big techs' foray into insurance - look at the disruptive effects.

  • China's state hackers broke into (German) federal authorities - The Office for the Protection of the Constitution warns of Chinese hackers who misuse routers or smart home controls to cover up their tracks - the Federal Agency for Cartography was also attacked

  • Japan’s cybersecurity agency suffers months-long breach - According to three government and private sector sources familiar with the situation, Chinese state-backed hackers were believed to be behind the attack on Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC), which began last autumn and was not detected until June.

    • National Police Agency to upgrade cyber unit to department - Under the plan, included in its organizational reform request for fiscal 2024 that will start next April, the NPA will also set up a special investigation division and a planning and analysis division in the new department to boost investigative cooperation with foreign authorities.

  • Cybersecurity Enters Conversation About Executive Pay - Companies are starting to tie bonuses for their chief executives and other top leaders to cybersecurity metrics, a move that governance experts say could make them more secure against hackers.

  • China’s new accounting rules on enterprise data resources to have ‘greater impact’ on Big Tech firms, telecoms network operators - “The Interim Provisions on Accounting Treatment of Enterprise Data Resources classify corporate data as either ‘intangible assets’ or ‘inventories’” - through accounting we will get to see data value

  • Generative Artificial Intelligence in Finance: Risk Considerations - The deployment of AI applications in the financial sector is raising several concerns about the risks inherent in the technology. These concerns include embedded bias and privacy shortcomings, opaqueness about how outcomes are generated, robustness issues, cybersecurity, and AI’s impact on broader financial stability.

  • Cybersecurity as a Legal Problem - Law is the foundation of cybersecurity because law defines the “security” in cybersecurity, who is entitled to that security, and how human beings and governments should behave to guarantee cybersecurity.

  • Avoiding Deadlock Ahead of Future UN Cyber Security Negotiations - The rift between Western democracies, some developing countries and Russia – along with other non-aligned countries and developing countries – should be a cause of concern for those involved in future rounds of negotiations

  • Gartner predicts fines related to mismanagement of data subject rights will exceed $1bln by 2026 - be interesting to see how accurate the prediction ends up being in practice.

  • National Grid plots ‘honeypots’ to catch hackers as cyber attacks ramp up - The Grid has advertised a contract worth more than a million pounds to secure advanced cyber “deception” technology to help improve its digital defences.

  • Scale of cybercrime is ‘breathtaking’- global cybercrime is predicted to cost $8 trillion this year alone. To put that in context, if cybercrime was a country, it would be the world’s third-biggest economy behind the US and China.

  • Error correcting codes for near-term quantum computers - IBM scientists have now discovered LDPC codes with a few hundred physical qubits that feature a more than ten-fold reduction of the number of physical qubits relative to the surface code.

    • New Codes Could Make Quantum Computing 10 Times More Efficient - article on the topic

  • Study warns Chinese nanotechnology fueling advanced bio, cyber weapons, electronic warfare tools - The report cites a 2021 Chinese research paper that explains how “molecular communication” will be used to target advanced networks with precision cyberattacks.

    • Underlying paper The McGovern Institute's Engagement with the PLA in Brain-Inspired AI Research by the CCP BioThreats Initiative (CCP BTI)

  • University Of Tulsa Creating Cyber Innovation Institute With Anticipated $75 Million Investment - “an initial $24 million investment, which includes $12 million from the American Rescue Plan Act (ARPA) along with a matching amount from the George Kaiser Family Foundation. It projects raising more than $50 million in additional funding over five years from public and private sources.”

  • South Korea prepares to take fight to North Korea's hackers - "As a leading cybersecurity country in the Indo-Pacific region, we will further stimulate cybersecurity cooperation with NATO by opening an international cyber training center,"

  • Russia Pushes Long-Term Influence Operations Aimed at the U.S. and Europe - A newly declassified American intelligence analysis says Russian spy agencies are using influence laundering techniques to hide the Kremlin’s involvement in cultivating pro-Russia and anti-Ukraine messages.

  • Chinese analysis of Western cyber activities

    • NATO CyberSecurity Defense Exercise: Locked Shields

    • Analysis and reflections on the Biden administration's National Cybersecurity Strategy Implementation Plan

  • Commercial Spyware

    • The Scourge of Commercial Spyware—and How to Stop It

    • Privacy watchdog finds 92 ‘targets’ in Greek wiretapping scandal

    • Sanctioned spyware maker NSO Group lobbying in the US.

      • Letter of support to the ABA's efforts to call out mercenary spyware by the Director, International Justice Clinic at the University of California and Former UN Special Rapporteur

The reflections this week come on three fronts:

  1. Scale and breadth: just look at the reporting summarised across geo-politics, insurance, business, regulation, legislation and then all the technical reporting - it is so broad and growing ever more so.

  2. Capability: I draw your attention to the technical reporting - look at the operational strategies, technical capabilities and tradecraft on show - highly diverse and quickly evolving across government, criminal and commercial actors.

  3. Velocity: AI is just getting started - look at the footnotes section and that is a week's worth of summary from English along with a single bit of Chinese reporting, nearly all academic. This is going to get pacy and really soon. The real revelation to me this week was NVidia will ship $1 billion of optical networking gear for their GPUs this year - we have not even started to think about how these sub-networks are protected/monitored etc.

On the interesting job/role front (thanks to those sending me these):

  • Research Assistant in Cyber Diplomacy (Fixed Term) - University of Bath, UK

  • Threat Intelligence Eng. III at Amazon, various USA locations.

Finally some personal news - on October 23rd I will be taking up the role of Chief Technology Officer for the UK’s National Cyber Security Centre. Huge honour to support the national security mission of the UK along with our partners. Until then (and hopefully post) it is business as usual for the newsletter, views are my own etc.

Have a lovely Thursday

Ollie

Cyber threat intelligence

Who is doing what to whom and how.

Russia

UK and allies support Ukraine calling out Russia's GRU for new malware campaign

UK Government and partners provide an analysis of Russian mobile/embedded capability.

  • GCHQ’s National Cyber Security Centre and international partners share technical details about malware used to target Ukrainian military

  • New report supports attribution that the malicious campaign has been carried out by Russian military intelligence service the GRU

  • United show of support follows the Security Service of Ukraine exposing the malware operations earlier this month

https://www.ncsc.gov.uk/news/uk-allies-support-ukraine-calling-out-russia-gru-malware-campaign

https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/infamous-chisel/NCSC-MAR-Infamous-Chisel.pdf

SBU exposes Russian intelligence attempts to penetrate Armed Forces' planning operations system

Ukrainian reporting on the same operation.

https://ssu.gov.ua/uploads/files/DKIB/technical-report.pdf

The NCCC investigated the activity of the Gamaredon group during the Ukrainian counteroffensive

Ukrainian government details the Russian cyber response around the counteroffensive. Interesting point of note is the stolen document usage as lures.

  • Infrastructure preparation: Before the Ukrainian counteroffensive, the Gamaredon group prepared its infrastructure - we saw a significant increase in the number of cyber attacks.

  • Using Compromised Documents: Gamaredon uses stolen legitimate documents from compromised organizations to infect victims. These documents are often disguised as reports or official communications, increasing the likelihood of a successful attack.

  • Exploitation of legitimate services: The Gamaredon group uses legitimate services such as Telegram and Telegraph for covert network communications. It is obvious that now it is necessary to consider the possibility of limiting the use of these platforms in the public sector of Ukraine.

  • Versatile malware arsenal: The group's malware arsenal includes GammaDrop, GammaLoad, GammaSteel, LakeFlash and Pterodo. Such a toolkit provides a multifaceted approach to victim compromise.

https://www.rnbo.gov.ua/ua/Diialnist/6587.html

Exploit for CVE-2023-38831, PicassoLoader JavaScript variant, Rabbit algorithm, and Cobalt Strike Beacon

We have further reporting on the exploitation of this vulnerability and the tooling to produce the files. This is Ukrainian government reporting on its usage there.

We draw your attention to the active exploitation of the CVE-2023-38831 vulnerability in the WinRAR software. Currently, a PoC (Proof of Concept) for generating ZIP archives with the appropriate structure is freely available.

https://cert.gov.ua/article/5661411

North Korea

Analysis of Andariel’s New Attack Activities

We have previously covered the Korean-language version of this reporting; this is the native English translation. The blend of techniques used for initial access is of note.

During the initial compromise stage, the Andariel threat group usually employs spear phishing, watering hole, and supply chain attacks. Additionally, there are cases where the group abuses central management solutions during the malware installation process.  A notable fact about the group is its creation and use of various malware types in its attacks. There are many backdoor types, including Andarat, Andaratm, Phandoor, and Rifdoor used in the past attacks, as well as TigerRAT and MagicRAT which have been detected for the past few years.

https://asec.ahnlab.com/en/56405/

Lazarus Group exploits ManageEngine vulnerability to deploy QuiteRAT

Asheer Malhotra, Vitor Ventura and Jungsoo An provide reporting on North Korea’s quick pull through of proof-of-concept exploit code to operational usage.

  • [We] discovered the North Korean state-sponsored actor Lazarus Group targeting internet backbone infrastructure and healthcare entities in Europe and the United States. This is the third documented campaign attributed to this actor in less than a year, with the actor reusing the same infrastructure throughout these operations.

  • In this campaign, the attackers began exploiting a ManageEngine ServiceDesk vulnerability (CVE-2022-47966) five days after PoCs for the exploit were publicly disclosed to deliver and deploy a newer malware threat we track as “QuiteRAT.” Security researchers first discovered this implant in February, but little has been written on it since then.

  • QuiteRAT has many of the same capabilities as Lazarus Group’s better-known MagicRAT malware, but its file size is significantly smaller. Both implants are built on the Qt framework and include capabilities such as arbitrary command execution.

https://blog.talosintelligence.com/lazarus-quiterat/

Lazarus Group's infrastructure reuse leads to discovery of new malware

Asheer Malhotra, Vitor Ventura and Jungsoo An go two for two in this reporting, which appears to further build on North Korea's reconnaissance-phase modus operandi of protecting their more enduring implants.

  • CollectionRAT has standard remote access trojan (RAT) capabilities, including the ability to run arbitrary commands on an infected system. Based on our analysis, CollectionRAT appears to be connected to Jupiter/EarlyRAT, another malware family Kaspersky recently wrote about and attributed to Andariel, a subgroup within the Lazarus Group umbrella of threat actors.

  • Lazarus Group appears to be changing its tactics, increasingly relying on open-source tools and frameworks in the initial access phase of their attacks, as opposed to strictly employing them in the post-compromise phase.

  • One such example of this trend is Lazarus Group’s use of the open-source DeimosC2 framework. The DeimosC2 agent we discovered in this campaign is an ELF binary, indicating Lazarus’ intention to deploy this implant during initial access against compromised Linux endpoints.

https://blog.talosintelligence.com/lazarus-collectionrat/

Suspected APT37 New Attack Weapon Fakecheck Analysis Report

Chinese reporting on suspected North Korean activity, more a continuation than anything novel, i.e. lots of Compiled HTML Help (CHM) files, which in this case delivered a new implant.

[We] discovered multiple CHM attack samples carrying malicious scripts during daily analysis activities.

The complexity of the attacker’s code is low, but it is gradually being upgraded and improved. Judging from the final execution payload currently known, the attacker mainly steals browser information, collects host information, and executes simple cmd commands. It is speculated that this may only be the first and middle stages of the attacker's attack chain, and that other payloads will continue to be distributed later.

https://mp-weixin-qq-com.translate.goog/s/pIdyesArvoXaD-lLYVvXiw?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=wapp

VMConnect supply chain attack continues, evidence points to North Korea

Karlo Zanki and team identify what is a suspected North Korean crypto operation using open source package registries and doppelganger tradecraft.

[We] identified a malicious supply chain campaign that the research team dubbed “VMConnect.” That campaign consisted of two dozen malicious Python packages posted to the Python Package Index (PyPI) open-source repository. The packages mimicked popular open-source Python tools, including vConnector, a wrapper module for pyVmomi VMware vSphere bindings; eth-tester, a collection of tools for testing Ethereum-based applications; and databases, a tool that gives asynchronous support for a range of databases.

Here is our analysis of VMConnect campaign, including some of the steps that malicious actors took to avoid detection. We include a review of the similarities between this latest tranche of malicious Python packages and the earlier VMConnect packages, and we discuss the possible links to earlier software supply chain campaigns attributed to North Korean threat actors.

https://www.reversinglabs.com/blog/vmconnect-supply-chain-campaign-continues

China

BadBazaar espionage tool targets Android users via trojanized Signal and Telegram apps

Lukas Stefanko details a fascinating mobile campaign by a suspected Chinese actor which managed to get into the mainline app stores for Android. This shows a degree of capability and execution ability which should be taken seriously.

  • We discovered trojanized Signal and Telegram apps for Android, called Signal Plus Messenger and FlyGram, on Google Play and Samsung Galaxy Store; both apps were later removed from Google Play.

  • The malicious code found in these apps is attributed to the BadBazaar malware family, which has been used in the past by a China-aligned APT group called GREF.

  • BadBazaar malware has previously been used to target Uyghurs and other Turkic ethnic minorities. FlyGram malware was also seen shared in a Uyghur Telegram group, which aligns with previous targeting of the BadBazaar malware family.

  • FlyGram can access Telegram backups if the user enabled a specific feature added by the attackers; the feature was activated by at least 13,953 user accounts.

  • Signal Plus Messenger represents the first documented case of spying on a victim’s Signal communications by secretly autolinking the compromised device to the attacker’s Signal device.

https://www.welivesecurity.com/en/eset-research/badbazaar-espionage-tool-targets-android-users-trojanized-signal-telegram-apps/

Suspected PRC Cyber Actors Continue to Globally Exploit Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868)

FBI warning on Chinese exploitation of the Barracuda vulnerability. The scale and ferocity of the exploitation of what was a zero-day is of note.

The earliest evidence of exploitation of Barracuda ESG appliances was observed in October 2022. Initially, suspected PRC cyber actors sent emails to victims containing TAR file attachments designed to exploit the vulnerability. In the earliest emails, attached files had a “.tar” extension in the filename, while later emails included different file extensions such as “.jpg” or “.dat”. The malicious email attachments contained files that initiated a connection to a domain or IP address controlled by the cyber actors and established a reverse shell at that domain or IP address, allowing the actors to execute further commands on the ESG device.

https://www.ic3.gov/Media/News/2023/230823.pdf

Flax Typhoon using legitimate software to quietly access Taiwanese organizations

Microsoft details what looks like a prepositioning access operation by a Chinese threat actor. This long term latent access in pursuit of strategic advantage should be of concern.

[We] identified a nation-state activity group tracked as Flax Typhoon, based in China, that is targeting dozens of organizations in Taiwan with the likely intention of performing espionage. Flax Typhoon gains and maintains long-term access to Taiwanese organizations’ networks with minimal use of malware, relying on tools built into the operating system, along with some normally benign software to quietly remain in these networks. Microsoft has not observed Flax Typhoon using this access to conduct additional actions. This blog aims to raise awareness of the techniques used by this threat actor and inform better defenses to protect against future attacks.

https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/

Earth Estries Targets Government, Tech for Cyberespionage

Ted Lee, Lenart Bermejo, Hara Hiroaki, Leon M Chang and Gilbert Sison detail a suspected Chinese-linked group. The point to note in this reporting is the tread-lightly approach to avoid detection.

To leave as little footprint as possible, they use PowerShell downgrade attacks to avoid detection from Windows Antimalware Scan Interface’s (AMSI) logging mechanism. In addition, the actors abuse public services such as Github, Gmail, AnonFiles, and File.io to exchange or transfer commands and stolen data.

This active campaign targets organizations in the government and technology industries based in the Philippines, Taiwan, Malaysia, South Africa, Germany, and the US.

https://www.trendmicro.com/en_us/research/23/h/earth-estries-targets-government-tech-for-cyberespionage.html

Empire Dragon Accelerates Covert Information Operations, Converges with Russian Narratives

The volume of information operations is what is of note here.

We have identified a coordinated and inauthentic network, tracked as Empire Dragon, which is likely operated by influence actors aligned with the Chinese government and based in China. It has been active since early 2021. Based on this network’s activity, we suspect it overlaps with other networks previously attributed to Chinese interests, including Mandiant’s Spamouflage Dragon and Graphika’s DRAGONBRIDGE. Over the course of 10 distinct information operations (IOs) analyzed by Insikt Group, Empire Dragon’s display of capabilities shows a deliberate attempt to manipulate global audiences using a constantly broadening array of languages, topics, and platforms.

https://go.recordedfuture.com/hubfs/reports/cta-2023-0830.pdf

Iran

No public reporting this week

Telekopye: Hunting Mammoths using Telegram bot

Radek Jizba details criminal operations supported by a Telegram bot framework. It seems criminal actors have learnt the power of automation.

  • Telekopye is a toolkit that operates as a Telegram bot and helps scammers scam their victims.

  • Telekopye is designed to target online marketplaces; mainly (but not exclusively) those popular in Russia.

  • Telekopye creates phishing web pages from predefined templates, and generates and sends phishing emails and SMS messages.

  • Users and operators of Telekopye are organized in a clear hierarchy.

Telekopye scam overview

https://www.welivesecurity.com/en/eset-research/telekopye-hunting-mammoths-using-telegram-bot/

DarkGate reloaded via malvertising and SEO poisoning campaigns

Jérôme Segura details a campaign which appears to be going after tooling used by IT administrators. This appears criminal in nature but notable again for the use of malvertising and SEO poisoning.

While investigating malvertising campaigns, we observed the following Google ad on July 13, 2023:

Google Ad

Advanced IP Scanner is a popular tool used by IT administrators. Victims who click on the ad are presented with a decoy site.

https://www.malwarebytes.com/blog/threat-intelligence/2023/08/darkgate-reloaded-via-malvertising-campaigns

Meet the Ducks: Vietnamese threat groups targeting Meta Business accounts

Mohammad Kazem Hassan Nejad details a complex campaign which is used to pump other criminal activity. This complex interconnectedness is a sign of future threats for sure, where online reputation has currency.

https://labs.withsecure.com/content/dam/labs/docs/WithSecure-Meet-the-ducks.pdf

Law Enforcement Takes Down Qakbot - Technical details

A team who spotted the FBI operation details how it worked.

The DLL uses a clever method that involves sending a QPCMD_BOT_SHUTDOWN instruction via a named pipe that Qakbot uses to send and receive messages between processes on the host. Qakbot pipe names are generated using a pseudorandom algorithm that the DLL uses to generate the correct name for the system it is running on. The DLL then calls CallNamedPipeA and sends the QPCMD_BOT_SHUTDOWN instruction to the pipe.

https://www.secureworks.com/blog/law-enforcement-takes-down-qakbot

Discovery

How we find and understand the latent compromises within our environments.

Detecting Hybrid Social Identities: A Computational Analysis of Influence & Resilience in Online (RWE) Communities

Anastasia Kordoni, Shengnan Liu, Miriam Koschate-Reis and Mark Levine performed some research which instinctively seems relevant when considered through a cyber threat actor lens.

Hybrid identities, defined as the fusion of two group memberships and their belief systems, have become an increasing feature of online communities, including right-wing extremist online communities. A hybrid identity may allow those that hold it to gain acceptance in each of the two communities that make up the hybrid identity, thereby providing a platform for social influence where beliefs of one community can be introduced to the other community. For example, the hybrid aspects of an eco-fascist identity might be used by right-wing community members to shift the balance from more mainstream ecological opinions towards more extreme right-wing positions. This kind of influence necessitates a better understanding of the psychosocial processes that drive the social influence of hybrid identities.

https://crestresearch.ac.uk/resources/detecting-hybrid-social-identities-report/

Suspicious DirectShow Devices Enumeration

Try detecting malicious code snarfing video and audio with this detection rule.

Identifies attempt to enumerate accessible DirectShow devices by an unusual process to potentially capture audio or video using the Microsoft DirectShow application programming interface.

https://github.com/elastic/protections-artifacts/blob/main/behavior/rules/collection_suspicious_directshow_devices_enumeration.toml

How to find the administrator of an onion site?

Useful guide on tradecraft.

Despite the apparent anonymity of sites in Tor, there are always ways to identify their owners. Yes, some of them are complicated and require serious work, but since administrators also make mistakes, they do work. I recommend that everyone involved in such investigations should not forget to use not only the tactics described above, but also those methods that work in the clearnet as well.

https://medium.com/@moon_osint/how-to-find-the-administrator-of-an-onion-site-89d176b0061a

Bloated Binaries | How to Detect and Analyze Large macOS Malware File

Phil Stokes highlights the use of large files on macOS, as we have previously seen on Windows, to avoid analysis. We can only expect the approach of making the performance overhead of security solutions unbearable for them to be effective to continue.

If we search for Mach-O binaries over 35MB recognized as malware by 5 or more vendors, the search today returns 524 hits.

Increasing the file size to 50MB or more returns 113 hits, with many of the files returned being samples of Atomic Stealer.

https://www.sentinelone.com/labs/bloated-binaries-how-to-detect-and-analyze-large-macos-malware-files/
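A first-pass triage script for the size-based hunt described above, added here as an example (not SentinelOne's code): it walks a directory, keeps only files at or above the 35MB threshold, and then confirms from the header that each is a thin or fat Mach-O, reporting the load-command count or slice count so oversized non-executables are not flagged. The directory path and the 35MB cut-off are the only assumptions; the sample files used to exercise it are constructed in the test.

```python
import os
import struct
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Mach-O magic values as they appear in the first four bytes of a file,
# mapped to the kind of binary and the byte order of the header fields.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce": ("mach-o 32-bit", ">"),
    b"\xce\xfa\xed\xfe": ("mach-o 32-bit", "<"),
    b"\xfe\xed\xfa\xcf": ("mach-o 64-bit", ">"),
    b"\xcf\xfa\xed\xfe": ("mach-o 64-bit", "<"),
    b"\xca\xfe\xba\xbe": ("fat (universal)", ">"),
}

SIZE_THRESHOLD = 35 * 1024 * 1024  # the 35MB cut-off used in the search above


@dataclass
class Finding:
    path: str
    kind: str
    size: int
    ncmds: Optional[int]  # load command count (thin binaries only)
    archs: Optional[int]  # slice count (fat binaries only)


def classify_macho(header: bytes) -> Optional[Tuple[str, Optional[int], Optional[int]]]:
    """Return (kind, ncmds, archs) if the header starts a Mach-O, else None."""
    if len(header) < 32:
        return None
    magic = header[:4]
    if magic not in MACHO_MAGICS:
        return None
    kind, endian = MACHO_MAGICS[magic]
    if kind.startswith("fat"):
        # fat_header: magic, nfat_arch (big-endian). The magic collides with
        # Java class files, whose next field is a version number far larger
        # than any plausible slice count, so bound it.
        nfat = struct.unpack(endian + "I", header[4:8])[0]
        if nfat == 0 or nfat > 20:
            return None
        return kind, None, nfat
    # mach_header(_64): magic, cputype, cpusubtype, filetype, ncmds, ...
    ncmds = struct.unpack(endian + "I", header[16:20])[0]
    return kind, ncmds, None


def scan_directory(root: str, threshold: int = SIZE_THRESHOLD) -> List[Finding]:
    """List Mach-O files under root whose size is at or above threshold."""
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
                if size < threshold:
                    continue  # cheap size check first; do not open small files
                with open(path, "rb") as fh:
                    header = fh.read(32)
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort
            info = classify_macho(header)
            if info is None:
                continue
            kind, ncmds, archs = info
            findings.append(Finding(path, kind, size, ncmds, archs))
    return findings


if __name__ == "__main__":
    # Usage: python bloated_macho.py <directory> [threshold_bytes]
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    limit = int(sys.argv[2]) if len(sys.argv) > 2 else SIZE_THRESHOLD
    for f in scan_directory(root, limit):
        extra = f"archs={f.archs}" if f.archs is not None else f"ncmds={f.ncmds}"
        print(f"{f.size:>12} {f.kind:<16} {extra:<10} {f.path}")
```

Hits are candidates for analysis, not verdicts; legitimate Electron and game binaries exceed the threshold too.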

Defence

How we proactively defend our environments.

HVCI loldrivers check

Michael Lin and Yarden Shafir provide a super useful capability to understand attack surface.

Checks to see which drivers from loldrivers.io are not blocked by the current HVCI blocklist on the system

https://github.com/trailofbits/HVCI-loldrivers-check

Towards HTTPS by default (in Chrome)

Joe DeBlasio details the march forward here to have HTTPS everywhere.

Our ultimate goal is to enable HTTPS-First Mode for everyone. To that end, we're expanding HTTPS-First Mode protections to several new areas:

  • We've enabled HTTPS-First Mode for users enrolled in Google's Advanced Protection Program who are also signed-in to Chrome. These users have asked Google for the strongest protection available, and HTTPS-First Mode helps avoid the very real threats of insecure connections these users face.

  • We're planning to enable HTTPS-First Mode by default in Incognito Mode for a more secure browsing experience soon. 

  • We're currently experimenting with automatically enabling HTTPS-First-Mode protections on sites that Chrome knows you typically access over HTTPS.

  • Finally, we're exploring automatically enabling HTTPS-First Mode for users that only very rarely use HTTP.

https://blog.chromium.org/2023/08/towards-https-by-default.html

Microsoft's Revocation of the Verisign Class 3 Public Primary Certification Authority

Impact on various solutions which rely on this certificate chain for validation.

Airlock Digital investigated these reports and found that all occurrences of this certificate status chained trust up to the Verisign Class 3 Public Primary Certification Authority – G5 Root Certificate (serial: 18dad19e267de8bb4a2158cdcc6b3b4a). Over the coming hours, it was identified that many internet connected Windows 10 & 11 computers within the Airlock Digital environment also began reporting files chained to this root as having ‘Invalid Certificate Chains’.

https://airlockdigital.com/microsofts-revocation-of-the-verisign-class-3-public-primary-certification-authority-g5-root-certificate/

Writing better Yara rules in 2023…

What happens when you have looked at 40,000 Yara rules? A guide like this by Adam.

https://www.hexacorn.com/blog/2023/08/26/writing-better-yara-rules-in-2023/

Detection & response framework for Managed File Transfer (MFT) software

Given the breaches of MOVEit et al this is a useful and timely framework.

  • MFTData – details the key software components of MFT solutions so that defenders can understand the underlying components of the MFT software. This information such as process names, file paths, ports, and services are critical for defenders to identify valuable incident response and detection data.

  • MFTDetect – scripts that leverage the MFTData to automatically generate detections for common threat detection and incident response tools.

  • MFTRespond – scripts and tools that can aide in responding to incidents involving a MFT server

  • MFTPlaybook – contains a MFT incident response playbook template that can be used as a starting point for incident responders to build incident response playbooks for MFT software. The template can be used in conjunction with a script to automatically pull the key MFT components from the MFTData and update the playbook template.

https://github.com/TactiKoolSec/MFT-Detect-Response
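As an added illustration of the MFTData to MFTDetect idea (this is not the project's code, and its record layout is an assumption modelled only on the kinds of data the description lists: process names, file paths, ports, services), the block below takes one constructed component record and emits two Sigma-style rules from it: the MFT service process spawning a command interpreter, and a script file landing in the product's web root. The product name, process names and paths are invented for the example.

```python
# Constructed MFTData-style record. Field names are an assumption for this example,
# not the framework's real schema; "ExampleMFT" is a placeholder product.
MFT_COMPONENTS = {
    "product": "ExampleMFT",
    "service_processes": ["mftsvc.exe", "mftweb.exe"],
    "install_path": "C:\\Program Files\\ExampleMFT\\",
    "web_root": "C:\\Program Files\\ExampleMFT\\wwwroot\\",
    "listening_ports": [443, 990],
    "services": ["ExampleMFTService"],
}

# Interpreters and LOLBins an MFT service process has no business launching.
INTERPRETERS = ["cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "certutil.exe", "bitsadmin.exe", "rundll32.exe"]
# Server-side script extensions that indicate a web shell drop.
WEBSHELL_EXTENSIONS = [".aspx", ".ashx", ".asmx", ".php", ".jsp", ".jspx"]


def child_process_rule(comp):
    """Sigma rule: MFT service process spawning a command interpreter."""
    return {
        "title": f"{comp['product']} service spawning command interpreter",
        "status": "experimental",
        "logsource": {"category": "process_creation", "product": "windows"},
        "detection": {
            "selection": {
                "ParentImage|endswith": ["\\" + p for p in comp["service_processes"]],
                "Image|endswith": ["\\" + i for i in INTERPRETERS],
            },
            "condition": "selection",
        },
        "falsepositives": ["Vendor maintenance scripts run by the service"],
        "level": "high",
    }


def webroot_write_rule(comp):
    """Sigma rule: server-side script written under the MFT web root."""
    return {
        "title": f"{comp['product']} web shell written to web root",
        "status": "experimental",
        "logsource": {"category": "file_event", "product": "windows"},
        "detection": {
            "selection": {
                "TargetFilename|startswith": comp["web_root"],
                "TargetFilename|endswith": WEBSHELL_EXTENSIONS,
            },
            "condition": "selection",
        },
        "level": "high",
    }


def _scalar(v):
    return "'" + v.replace("'", "''") + "'" if isinstance(v, str) else str(v)


def _yaml_lines(value, indent=0):
    """Minimal YAML emitter for the nested dict/list/scalar shape used above."""
    pad = "  " * indent
    lines = []
    if isinstance(value, dict):
        for k, v in value.items():
            if isinstance(v, (dict, list)):
                lines.append(f"{pad}{k}:")
                lines.extend(_yaml_lines(v, indent + 1))
            else:
                lines.append(f"{pad}{k}: {_scalar(v)}")
    else:  # list of scalars
        for item in value:
            lines.append(f"{pad}- {_scalar(item)}")
    return lines


def to_yaml(rule):
    return "\n".join(_yaml_lines(rule)) + "\n"


if __name__ == "__main__":
    for rule in (child_process_rule(MFT_COMPONENTS), webroot_write_rule(MFT_COMPONENTS)):
        print(to_yaml(rule))
```

The value of generating rules from the component data rather than hand-writing them is that the same two templates apply to every product in the dataset: swap the record and the parent-process and web-root selections follow.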

Vulnerability

Our attack surface.

SonicWall Global Management System (GMS) & Analytics – Multiple Critical Vulnerabilities

Richard Warren and Sean Morland provide further evidence that security products are not immune.

An unauthenticated attacker could exploit these issues to extract sensitive information, such as credentials, reset user passwords, bypass authentication, and compromise the underlying device.

https://research.nccgroup.com/2023/08/24/technical-advisory-sonicwall-global-management-system-gms-analytics-multiple-critical-vulnerabilities/

CVE-2023-36844 And Friends: RCE In Juniper Devices

A full vulnerability chain walk through.. brace brace brace..

https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/

The WordPress "Zombie" Plugins Pandemic Affects 1.6M+ Websites

Darius Sveikauskas provides some stats on the vulnerability of the WordPress plugin ecosystem:

  • 404 vulnerabilities

  • 358 plugins affected

  • 289 plugins (71.53%) – Closed

  • 109 plugins (26.98%) – Patched

  • 6 plugins (1.49%) – Not closed / Not patched

  • Up to 1.6 million active installs affected

  • Average installs per plugin 4984

  • Highest install count 100000 (two plugins)

  • Highest CVSS 9.1

  • Average CVSS 5.8

  • “Oldest” plugin – 13 years since the last update

https://patchstack.com/articles/the-wordpress-zombie-plugins-pandemic-affects-1-6-million-websites/

Offense

Attack capability, techniques and trade-craft.

Leveraging VSCode Extensions for Initial Access

Matt Johnson will send shivers down the spines of CISOs tasked with securing development environments with this research. Development environments are challenging as by their nature there is lots of flux and all the lolbins running.

https://www.mdsec.co.uk/2023/08/leveraging-vscode-extensions-for-initial-access/

apppoolcreddecrypt: A POC to show how IIS App Pool credentials are decrypted

Adam Chester provides a capability that requires Administrator or SYSTEM privileges, but as a post-compromise technique it is important to be aware of.

https://github.com/xpn/RandomTSScripts/tree/master/apppoolcreddecrypt

What the Function: Decrypting Azure Function App Keys

Thomas Elling also provides a post-compromise technique for obtaining credentials.

  • Function App Access Keys can be stored in Storage Account containers in an encrypted format 

  • Access Keys can be decrypted within the Function App container AND offline 

  • Works with Windows or Linux, with any runtime stack 

  • Decryption requires access to the decryption key (stored in an environment variable in the Function container) and the encrypted key material (from host.json).

https://www.netspi.com/blog/technical/cloud-penetration-testing/what-the-function-decrypting-azure-function-app-keys/

Reg-Restore-Persistence-Mole: a short C code POC to gain persistence and evade Sysmon events

Does what it says on the tin - will be interesting to see how both MSFT and detection researchers respond.

https://github.com/tccontre/Reg-Restore-Persistence-Mole

Exploitation

What is being exploited.

CVE-2023-38831 vulnerability in WinRAR exploited by cybercriminals to target traders

Look at the length of time this zero-day was in use..

On July 10, 2023, while researching the spread of DarkMe malware we came across a previously unknown vulnerability in the processing of the ZIP file format by WinRAR. By exploiting a vulnerability within this program, threat actors were able to craft ZIP archives that serve as carriers for various malware families. Weaponized ZIP archives were distributed on trading forums. Once extracted and executed, the malware allows threat actors to withdraw money from broker accounts. This vulnerability has been exploited since April 2023.

https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/

CVE-2023-38831 WinRAR exploit generator

Tool to exploit if you want to follow along..

https://github.com/b1tg/CVE-2023-38831-winrar-exploit
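Neither entry above describes what the crafted archives look like, so as an added example (not code from Group-IB or from the exploit generator) here is a detection-side scanner for the publicly documented CVE-2023-38831 layout: a decoy file (say an image) stored alongside a directory whose name is the decoy's name plus a trailing space, containing a script named after the decoy. The two archives are constructed in memory; the "payload" in the malicious one is an inert placeholder, and the decoy names are invented.

```python
import io
import os
import zipfile

# Extensions WinRAR would hand to the shell when the mis-extracted entry is launched.
SCRIPT_EXTENSIONS = {".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".scr", ".com", ".lnk"}


def find_cve_2023_38831_pattern(zip_bytes):
    """Return (decoy, payload) pairs for entries matching the CVE-2023-38831 layout:
    a file entry 'X' plus a directory 'X ' (trailing space) holding a script."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [info.filename for info in zf.infolist()]
    files = [n for n in names if not n.endswith("/")]
    for decoy in files:
        prefix = decoy + " /"                      # directory named <decoy><space>/
        for name in names:
            if name.startswith(prefix) and not name.endswith("/"):
                inner = name[len(prefix):]
                ext = os.path.splitext(inner.rstrip(" "))[1].lower()
                if ext in SCRIPT_EXTENSIONS:
                    hits.append((decoy, name))
    return hits


# --- constructed sample archives --------------------------------------------
def build_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


# Malicious layout: decoy image plus "<decoy> /<decoy> .cmd". Payload is a harmless placeholder.
MALICIOUS_ZIP = build_zip([
    ("Trade_Screenshot.jpg", b"\xff\xd8\xff\xe0 not a real image"),
    ("Trade_Screenshot.jpg /Trade_Screenshot.jpg .cmd", b"@echo off\r\nrem placeholder\r\n"),
])

# Benign archive with an ordinary nested directory.
BENIGN_ZIP = build_zip([
    ("readme.txt", b"nothing to see"),
    ("images/photo.jpg", b"\xff\xd8\xff\xe0 not a real image"),
])

if __name__ == "__main__":
    print("malicious:", find_cve_2023_38831_pattern(MALICIOUS_ZIP))
    print("benign:   ", find_cve_2023_38831_pattern(BENIGN_ZIP))
```

The trailing space is the whole trick, so the scanner keys on the literal `"<name> /"` prefix rather than normalising paths; run it over mail attachment quarantines or file-share uploads, and treat any hit as worth pulling regardless of what the decoy file appears to be.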

A Proof of Concept for chaining the CVEs [CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, CVE-2023-36847] developed to achieve Remote Code Execution in Juniper JunOS within SRX and EX Series products

The exploit…

https://github.com/watchtowrlabs/juniper-rce_cve-2023-36844

Tooling and Techniques

Low level tooling and techniques for attack and defence researchers…

Ghidralligator

How we get scale in fuzzing..

a C++ multi-architecture pcode emulator based on the Ghidra libsla, designed for fuzzing with AFL++.

https://github.com/airbus-cyber/ghidralligator

biodiff: Hex diff viewer using alignment algorithms from biology

Interesting biology inspired technique applied here..

The tool is able to show two binary files side by side so that similar places will be at the same position on both sides and bytes missing from one side are padded. It uses bio-informatics algorithms from the rust-bio library (typically used for DNA sequence alignment) for that. The dialog boxes for configuration are done using cursive.

https://github.com/8051Enthusiast/biodiff/
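To show what "alignment with gap padding" means for binaries, here is an added example (not biodiff's code, and Python rather than its Rust) implementing the textbook Needleman-Wunsch global alignment over two byte strings and rendering the result side by side with `--` where one side has no byte. The two blobs are constructed: the second is the first with bytes inserted in the middle, which a plain offset-by-offset hex diff would report as "everything after the insertion differs".

```python
def align_bytes(a, b, match=2, mismatch=-1, gap=-2):
    """Needleman-Wunsch global alignment of two byte strings.
    Returns (left, right, score): equal-length lists of ints, with None marking a
    gap (a byte that exists only on the other side)."""
    n, m = len(a), len(b)
    score = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        score[i][0] = i * gap
    for j in range(1, m + 1):
        score[0][j] = j * gap
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            sub = match if a[i - 1] == b[j - 1] else mismatch
            score[i][j] = max(score[i - 1][j - 1] + sub,   # align a[i-1] with b[j-1]
                              score[i - 1][j] + gap,       # gap on the right side
                              score[i][j - 1] + gap)       # gap on the left side
    # Trace back from the bottom-right corner to recover one optimal alignment.
    left, right = [], []
    i, j = n, m
    while i > 0 or j > 0:
        if i > 0 and j > 0:
            sub = match if a[i - 1] == b[j - 1] else mismatch
            if score[i][j] == score[i - 1][j - 1] + sub:
                left.append(a[i - 1]); right.append(b[j - 1]); i -= 1; j -= 1
                continue
        if i > 0 and score[i][j] == score[i - 1][j] + gap:
            left.append(a[i - 1]); right.append(None); i -= 1
        else:
            left.append(None); right.append(b[j - 1]); j -= 1
    left.reverse()
    right.reverse()
    return left, right, score[n][m]


def render_side_by_side(left, right, width=16):
    """Hex-dump both aligned sequences, '--' where a side has a gap."""
    def fmt(cell):
        return "--" if cell is None else f"{cell:02x}"
    lines = []
    for off in range(0, len(left), width):
        l = " ".join(fmt(c) for c in left[off:off + width])
        r = " ".join(fmt(c) for c in right[off:off + width])
        lines.append(f"{off:08x}  {l:<{width * 3 - 1}}  |  {r}")
    return "\n".join(lines)


# Constructed sample: SAMPLE_B is SAMPLE_A with four bytes inserted after "HDR".
SAMPLE_A = b"HDR\x01\x02\x03\x04PAYLOAD\xff\xfe"
SAMPLE_B = b"HDR\xde\xad\xbe\xef\x01\x02\x03\x04PAYLOAD\xff\xfe"

if __name__ == "__main__":
    left, right, total = align_bytes(SAMPLE_A, SAMPLE_B)
    print(render_side_by_side(left, right))
    print("score:", total)
```

This is the quadratic-memory version, fine for small blobs and for understanding the output; the full score matrix is exactly what stops it scaling, and the alignment algorithms from rust-bio that the tool uses are what make the same idea practical on real files.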

Footnotes

Some other small (and not so small) bits and bobs which might be of interest.

  • Aggregate reporting

    • VDP Platform 2022 Annual Report Showcases Platform’s Success | CISA

    • BEC Trends: Payroll Diversion Dominates and Sneaky Multi-Persona Attacks Emerge

    • Threat Debrief | August 2023

    • Intelligence Insights: August 2023

    • The 3 Malware Loaders Behind 80% of Incidents

    • The Linux Threat Landscape Report

    • 2023 Mid-Year Cyber Security Report

    • IT threat evolution Q2 2023

    • Smartphone malware statistics, Q2 2023

    • PC malware statistics, Q2 2022

    • Ransomware Roundup: LockBit, Payment Bans, and Trends - video

  • Is There Any Surprise Left in a Cyber Attack?

  • The rise of the tech ethics congregation

  • Taking Down Two of the Largest Known Covert Influence Operations

  • TACOS: Trusted Attestation and Compliance for Open Source - TACOS is a framework for attesting to the secure software development practices of open source packages.

  • Enigma: The anatomy of Israel’s intelligence failure almost 45 years ago

  • Xi’s student spy army — and how they can be outsmarted

  • UK NHS released a number of policies / tools

    • Multi-factor authentication (MFA) policy - NHS Digital

    • Universal information governance templates and FAQs

  • UK Information Commissioner's Office released its updated ‘Email and security’ guidance on bulk emails.

  • Artificial intelligence

    • Thinking about the security of AI systems [UK NCSC]

    • ATHI — An AI Threat Modeling Framework for Policymakers

    • A comprehensive and distributed approach to AI regulation

    • Copyright Office Issues Notice of Inquiry on Copyright and Artificial Intelligence

    • PIPE: Prompt Injection Primer for Engineers

    • Extracting Training Data from Diffusion Models

    • Decoding Personalities Through AI Conversations

    • Human-In-The-Loop Automatic Program Repair (supporting code for the research etc.)

    • Consciousness in Artificial Intelligence: Insights from the Science of Consciousness

    • How to model knowledge graphs in time series? A review of the latest "Temporal Knowledge Graph"

    • Head-to-Tail: How Knowledgeable are Large Language Models (LLM)? A.K.A. Will LLMs Replace Knowledge Graphs?

    • A Survey on Large Language Model based Autonomous Agents

    • Behind the AI boom, an army of overseas workers in ‘digital sweatshops’

    • California Court’s Expansion of ‘Employer’ Could Have Implications for AI Regs

    • Reinforcement learning environment for automated blue team operations

    • Threat actors interests in generative AI

  • Conference materials

    • x33fcon 2023 conference videos

    • KCon 2023 Slides - Chinese language - August 19th to 20th, 2023, the 12th KCon Conference in Beijing

  • Books

    • Revealing Secrets - An unofficial history of Australian Signals intelligence & the advent of cyber

  • Events

    • Virus Bulletin - VB2023 London: 4-6 October 2023

    • 16th International Conference on Cyber Conflict: Over the Horizon - 28 - 31 May 2024 - Call for Papers


© 2023 Ollie Whitehouse from BinaryFirefly