Bluepurple Pulse: week ending September 31st
Scarcity or constrained access to technology risks driving lateral thinking and innovation...
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week you will see there are material levels of reporting on nation state activity.
In the high-level this week:
Data-driven cyber: empowering government security with focused insights from data - How 'small but actionable' insights can improve behaviours and decision making.
The US cybersecurity posture under Biden - from the European Parliament Think Tank - The Biden administration inherited considerable cybersecurity challenges. According to a 2021 US Government Accountability Office (GAO) report, previous governments failed to implement many of the GAO's 2018 recommendations to take 10 critical actions in response to 4 major cybersecurity challenges
The Biden Administration’s Implementation Plan for the National Cybersecurity Strategy - a summary and analysis - “it should not be assumed that just because the implementation of certain pillars appears farther along than others means that significant, demonstrable progress toward achieving the broader objectives of those pillars has occurred”
Welcome to Cyber Realism: Parsing the 2023 Department of Defense Cyber Strategy - If the new strategy accomplishes just one thing, it might be this: freeing military cyber from its silo and defining it as a more useful, practical tool for senior leaders in the Pentagon and White House alike.
National Security Agency is starting an artificial intelligence security center - Army Gen. Paul Nakasone said the center would be incorporated into the NSA’s Cybersecurity Collaboration Center, where it works with private industry and international partners to harden the U.S. defense-industrial base against threats from adversaries led by China and Russia.
2023 Cyber Insurance Claims Report: Mid-year Update - Overall claims frequency increased by 12% in the first half (1H) of 2023. However, Coalition policyholders experienced 64% fewer claims compared to the broader cyber market, with 52% of reported events handled at no cost to the policyholder
Readout: Biden Administration Continues National Cyber Workforce Education Roadshow in Chicago, Announces Commitments to Build America's Cyber Workforce Especially Among Veterans and Individuals with Disabilities - There are over 25,000 open cyber jobs across Illinois, nearly 20,000 of which are based in the Chicago metro area alone.
CISA Releases Hardware Bill of Materials Framework (HBOM) for Supply Chain Risk Management (SCRM) - “The HBOM Framework offers a consistent and repeatable way for vendors and purchasers to communicate about hardware components, enabling effective risk assessment and mitigation in the supply chain. With standardized naming, comprehensive information, and clear guidance, organizations can safeguard against economic and security risks, enhancing overall resilience,”
NIST Unveils Newly Named Human-Centered Cybersecurity Program - The Human-Centered Cybersecurity program (formerly Usable Cybersecurity) is part of the Visualization and Usability Group at
FBI chief says China has bigger hacking program than the competition combined - "China already has a bigger hacking program than every other major nation combined," Wray said. "If each one of the FBI's cyber agents and intelligence analysts focused on China exclusively, Chinese hackers would still outnumber our cyber personnel by at least 50 to 1."
China’s Cyber Security Week - was September 10th - 17th
2023 Cybersecurity Industry Talent Development Report - The "Report" shows that younger talent has become a trend. In 2021 only 3.2% of cybersecurity practitioners were aged 18-25; by 2023 that share had reached 31.4%. It can be seen that Generation Z is rapidly growing into the main force of "cybersecurity guards".
Chinese Cyber Security analysis - sadly in Chinese and in images, so you need to do OCR and then translate.
UK Deputy Prime Minister Oliver Dowden’s speech to the UN General Assembly: 22 September 2023 - “We have already seen the dangers AI can pose: teens hacking individuals’ bank details; terrorists targeting government systems; cyber criminals duping voters with deep-fakes and bots; even states suppressing their peoples.”
How China and the UK are Seeking to Shape the Global AI Discourse - RUSI giving a direct analysis.
Taiwan is using generative AI to fight Chinese disinformation - “This year, because gen AI is just so malleable, they just fine-tuned a language module together that can clarify such disinformation…adding back a context and things like that. So we're no longer outnumbered,”
When to Regulate AI by Simon Chesterman who is David Marshall Professor and Vice Provost (Educational Innovation) at the National University of Singapore, where he is also the founding Dean of NUS College. He serves as Senior Director of AI Governance at AI Singapore and Editor of the Asian Journal of International Law (published in Science Technology & Security).
EU warns China on Ukraine disinformation and cyberattacks - “I have stated that we consider how China interacts with Russia's war against Ukraine to be a determining factor for EU-China relations going forward. This includes of course aspects relating to cybersecurity, and disinformation,” Jourová said
Harmonization of Cyber Incident Reporting to the Federal Government - “Many, but not all, cyber incident reporting requirements are also part of broader, all-hazards regulatory regimes that consider multiple risks to a sector or otherwise address a class of harms that includes but is not limited to cyber risks.”
Cyber risk is business risk, and the SEC knows it - “The rules became effective September 5, and companies will begin submitting disclosures in December.”
Offensive Cyber Operations - States’ perceptions of their utility and risks - “States must also do more to assess where the true utility of offensive cyber operations lies.”
The FTC, 1Health.io, and Genetic Data Privacy and Security - “A genetic testing company publicly stored consumers’ genetic data with no encryption”
French DGSE wants to attract 800 people - For cyber defence alone, Paris foresees 4 billion euros.
How German (Cyber)diplomacy Can Strengthen Norms in a World of Rule-Breakers - “Germany and other EU member states should apply norm-setting to the niches where great powers see a pragmatic need to deepen trust. In this vein, they should table an initiative to the United States and China to sign a political declaration that they will not conduct any cyber operations against select critical infrastructure – early warning satellites, nuclear command and control systems, electrical grids – of the parties involved during peacetime”
Zero trust is breaking things at the DIA, and 'that's good' - “comply-to-connect" protocols can mean "things just stop working," pulling troublesome "shadow IT" into the light.”
Cyber Mercenaries: A Call to Action for the Quad - “The Quad’s Senior Cyber Group must build a shared taxonomy of cyber mercenary groups”.
Between war and words: Can economic deterrence help uphold international stability? - “Countries could go further in creating a focused but broad-based mechanism as a backstop to the traditional international peace and security architecture”
Spain closes Pegasus investigation over ‘lack of cooperation’ from Israel - “which has not responded to the rogatory commission … and has prevented the investigation from going ahead”.
UK logistics firm blames ransomware attack for insolvency, 730 redundancies - real cost of ransomware evidenced..
MGM, Caesars casino hacks point to an alliance of teens and ransomware gangs - They say the group consists of a few dozen hackers who have connected online and are part of a much larger association known internally as the Com, short for community.
Ransomware Groups Pivoting Away from Encryption - instances of data theft and extortion without any data encryption or ransomware usage increased by 25% from April 1 to the close of June 2023. These cases constituted 30% of the incidents to which the organization responded
The reflection this week is that scarcity or constrained access to technology risks driving lateral thinking and innovation. China appears to have worked around the lack of lithography technology it faced because of sanctions by using a practical accelerator to get the high quality light source it needed…
On the interesting job/role front (thanks to those sending me these):
PhD in International and Operational Law focusing on Legal Aspects of Cyber Operations at the Swedish Defence University
Senior Offensive Security Engineer at Tide, remote in the UK
Principal Product Security Engineer at Tide, remote in the UK
Views are my own / attribution by others etc.
Have a lovely Friday
Cyber threat intelligence
Who is doing what to whom and how.
Meet the man leading the front-line effort in Ukraine's cyber war with Russia
Jenna McLaughlin gives us an interview with the person who likely has one of the most high-pressure jobs in cyber right now..
However, Ukraine's defenders have been under a near constant barrage of cyberattacks, almost 3,000 this year so far, according to Vitiuk.
Russia’s Cyber Tactics H1 2023 analytical report
Some further quantification from the Ukrainians on the scale of what they are experiencing.
Despite all improvements implemented by Ukrainian authorities (from utilizing the most modern protection stack to many other enhancements), the number of incidents doubled in the last 6 months: from an average of 1.9 incidents per day (57 per month) in H2’22 to 4-5 per day (128 per month) in H1’23.
Crypto Holdings of Lazarus Group
As in prior weeks, another firm's tally of the total funds that the Hermit Kingdom has managed to acquire.
Over $900 million stolen: The Democratic People's Republic of Korea (DPRK) TraderTraitor-affiliated actors (also known as Lazarus Group and APT38) have stolen at least $900 million in assets from various crypto-related cyber attacks, with more than $200 million occurring in 2023 alone.
Recent hacks: The FBI identified Lazarus Group as responsible for stealing $41 million from betting platform Stake.com on September 4, 2023. In July, the North Korean group hacked Alphapo and Coinspaid for $37 and $60 million, respectively.
Current balance: The estimated crypto balance of the wallets linked to Lazarus Group by the FBI and OFAC is 1.60k BTC, 10.81k ETH, and 64.49k BNB, worth about $75 million as of September 14, 2023.
OFAC sanctioned list: Lazarus Group was one of the ten crypto-linked entities sanctioned by OFAC in the U.S. in 2022 for their hacking activities on behalf of the North Korean government.
Cyber Soft Power | China’s Continental Takeover
Tom Hegel provides some high-level thematic reporting on Chinese state activity in Africa. How we further help African countries and other global south players be resilient is going to be a challenge which will outstrip any one nation's capacity.
[We observe] sustained tasking towards strategic intrusions by Chinese threat actors in Africa, designed to extend influence throughout the continent.
New attacks include those against telecommunication, finance and government, attributed to the BackdoorDiplomacy APT and the threat group orchestrating Operation Tainted Love.
China’s engagement in soft power diplomacy has a lengthy history, yet the use of strategic cyber intrusions highlights recent objectives and potential lasting impact in Africa.
People's Republic of China-Linked Cyber Actors Hide in Router Firmware
NSA and FBI reporting on Chinese router operations. We have been warned..
the People’s Republic of China (PRC)-linked cyber actors known as BlackTech. BlackTech has demonstrated capabilities in modifying router firmware without detection and exploiting routers’ domain-trust relationships for pivoting from international subsidiaries to headquarters in Japan and the U.S. — the primary targets
EvilBamboo Targets Mobile Devices in Multi-year Campaign
Callum Roxan, Paul Rascagneres and Thomas Lancaster detail a mobile campaign against Tibetan, Uyghur, and Taiwanese citizens. Various insights here including major app store infiltration for distribution.
Android targeting: Development of three custom Android malware families, BADBAZAAR, BADSIGNAL, and BADSOLAR, to infect CCP adversaries is ongoing.
Fake websites and social media profiles: The attacker has created fake Tibetan websites, along with social media profiles, likely used to deploy browser-based exploits against targeted users.
Building communities to facilitate malware distribution: Partly through impersonating existing popular communities, the attacker has built communities on online platforms, such as Telegram, to aid in distribution of their malware.
iOS apps: [We] discovered credible evidence of malicious iOS apps being successfully distributed via Apple’s App Store.
Cyberespionage Attacks Against Southeast Asian Government Linked to Stately Taurus, Aka Mustang Panda
Lior Rochberger, Tom Fakterman and Robert Falcone detail an enduring campaign here by a suspected Chinese actor who puts the Persistence in APT.
An advanced persistent threat (APT) group suspected with moderate-high confidence to be Stately Taurus engaged in a number of cyberespionage intrusions targeting a government in Southeast Asia. The intrusions took place from at least the second quarter of 2021 to the third quarter of 2023. Based on our observations and analysis, the attackers gathered and exfiltrated sensitive documents and other types of files from compromised networks.
Persistent Attempts at Cyberespionage Against Southeast Asian Government Target Have Links to Alloy Taurus
Lior Rochberger, Tom Fakterman and Robert Falcone go two for two on their reporting for this country showing that some of the Exchange aftermath went on long after the initial flurry.
We observed a series of intrusions directed at a Southeast Asian government target, a cluster of activity that we attribute with a moderate level of confidence to Alloy Taurus, a group believed to be operating on behalf of Chinese state interests. The multiwave intrusions, which started in early 2022 and persisted throughout 2023, capitalized on vulnerabilities in Exchange Servers to deploy a large number of web shells.
Budworm: APT Group Uses Updated Custom Tool in Attacks on Government and Telecoms Org
Reporting on a recent intrusion into a telco in the Middle-East by a Chinese threat actor who continued to recycle but evolve their tooling.
[We] discovered Budworm using an updated version of one of its key tools to target a Middle Eastern telecommunications organization and an Asian government.
Both attacks occurred in August 2023. Budworm (aka LuckyMouse, Emissary Panda, APT27) deployed a previously unseen variant of its SysUpdate backdoor (SysUpdate DLL inicore_v2.3.30.dll). SysUpdate is exclusively used by Budworm.
Rare Backdoors Suspected to be Tied to Gelsemium APT Found in Targeted Attack in Southeast Asian Government
Lior Rochberger, Tom Fakterman and Robert Falcone go for the hattrick. How initial access to the web servers was obtained in order to deploy the web shells is not clear.
This unique cluster had activity spanning over six months between 2022-2023. It featured a combination of rare tools and techniques that the threat actor leveraged to gain a clandestine foothold and collect intelligence from sensitive IIS servers belonging to a government entity in Southeast Asia.
The threat actor behind CL-STA-0046 gained access to the environment after installing several web shells on a compromised web server. Among the types of web shells observed are the following:
AspxSpy web shell
GroundPeony Crawling with Malice
Rintaro Koike and Shota Nakajima provide interesting reporting that shows a threat actor who previously leveraged a zero day has reverted to more traditional, even if slightly novel, phishing.
Why Panda Loves USB? Observing Targeted Attacks by Chinese APTs
Yuta Sawabe and Kazuya Nomura provide insight from Japan in Chinese activity involving USB as a propagation method in 2023. The fact the initial compromises appear in part to have initially occurred via branch offices will be of interest to some.
Initiated from USB flash drives at overseas branches.
Malware was found on multiple hosts and USB flash drives
C2 infrastructure was already inactive
Chinese Malware Appears in Earnest Across Cybercrime Threat Landscape
China is itself contending with criminal actors; it will be interesting to see how the state responds here.
[We] observed an increase in activity from specific malware families targeting Chinese-language speakers.
Campaigns include Chinese-language lures and malware typically associated with Chinese cybercrime activity.
Newly observed ValleyRAT is emerging as a new malware among Chinese-themed cybercrime activity, while Sainbox RAT and related variants are recently active as well.
The increase in Chinese language malware activity indicates an expansion of the Chinese malware ecosystem, either through increased availability or ease of access to payloads and target lists, as well as potentially increased activity by Chinese speaking cybercrime operators.
OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes
Zuzana Hromcová and Adam Burgher discuss operations from 2021 and 2022 against Israel by Iran. The initial access mechanism was as we would expect..
[We] observed two OilRig campaigns which occurred throughout 2021 (Outer Space) and 2022 (Juicy Mix).
The operators exclusively targeted Israeli organizations and compromised legitimate Israeli websites for use in their C&C communications.
They used a new, previously undocumented C#/.NET first-stage backdoor in each campaign: Solar in Outer Space, then its successor Mango in Juicy Mix.
Both backdoors were deployed by VBS droppers, presumably spread via spearphishing emails.
A variety of post-compromise tools were deployed in both campaigns, notably the SC5k downloader that uses Microsoft Office Exchange Web Services API for C&C communication, and several tools to steal browser data and credentials from Windows Credential Manager.
Sandman APT | A Mystery Group Targeting Telcos with a LuaJIT Toolkit
Aleksandar Milenkoski details a campaign against telcos in France and the Middle East. Things to take away from this reporting are the sophistication of the implant framework, its unattributed nature and the fact it might be mercenary in nature. In reality this isn’t far off where the best commercial Red Teams are.
[We] observed a new threat activity cluster by an unknown threat actor we have dubbed Sandman.
Sandman has been primarily targeting telecommunication providers in the Middle East, Western Europe, and the South Asian subcontinent.
The activities are characterized by strategic lateral movements and minimal engagements, likely to minimize the risk of detection.
Sandman has deployed a novel modular backdoor utilizing the LuaJIT platform, a relatively rare occurrence in the threat landscape. We refer to this malware as LuaDream.
The implementation of LuaDream indicates a well-executed, maintained, and actively developed project of a considerable scale.
At this time, we don’t have a consistent sense of attribution. LuaDream does not appear to be related to any known threat actors. While the development style is historically associated with a specific type of advanced threat actor, inconsistencies between the high-end development of the malware and poor segmentation practices lead us towards the possibility of a private contractor or mercenary group similar to Metador.
APT-C-23 (Twin-tailed Scorpion) continues to launch attacks in the Middle East
Chinese reporting on a suspected threat actor from Gaza who may have spread their intent to Europe. The initial access tradecraft is malicious documents and phishing.
It is worth noting that the other two samples disguised as DOC documents were uploaded by a Spanish user, and the language in the DOC document was identified as Saudi Arabia. The official languages of Spain include Spanish, Catalan, etc., which are different from Arabic. There is very little language association, so it is impossible to judge the nature of the user, and it is impossible to determine whether APT-C-23 (Twin-tailed Scorpion) has spread its sights to people in Spain.
Stealth Falcon preying over Middle Eastern skies with Deadglyph
A UAE state operation appears to have been burnt here in the Middle East against a government entity. It will be interesting to see what the full victimology becomes as the analysis completes. The sophistication of the implant framework is somewhat notable.
[We] discovered a sophisticated backdoor with unusual architecture that we have named Deadglyph.
The main components are encrypted using a machine-specific key.
Traditional backdoor commands are implemented via additional modules received from its C&C server.
We obtained three out of many modules – process creator, file reader, and info collector.
We attribute Deadglyph to the Stealth Falcon group.
Additionally, we found a related shellcode downloader; we postulate it could potentially be used for installation of Deadglyph.
How we find and understand the latent compromises within our environments.
macho_similarity: Conceptual Methods for Finding Commonalities in macho Files
Greg Lesnewich helps with the evolution, bringing to Mach-O what we have been used to for PE files.
The goal is to parse a batch of Macho files to try and mine them for similarity based on hashes of the dylibs, the imports, or the exports (And eventually, hopefully, signature-based things like names or entitlements)
How we proactively defend our environments.
Secure your resources with Conditional Access policy templates
Big work aid here..
Conditional Access templates provide a convenient method to deploy new policies aligned with Microsoft recommendations. These templates are designed to provide maximum protection aligned with commonly used policies across various customer types and locations.
kernel-hardening-checker: A tool for checking the security hardening options of the Linux kernel
Alexander Popov's tool lets you impose some cost on adversaries, whether you are an embedded OEM/ODM or hardening your Linux jump box..
kernel-hardening-checker (formerly kconfig-hardened-check) is a tool for checking the security hardening options of the Linux kernel. It supports checking:
Kconfig options (compile-time)
Kernel cmdline arguments (boot-time)
Sysctl parameters (runtime)
The security hardening recommendations are based on:
KSPP recommended settings
CLIP OS kernel configuration
Last public grsecurity patch (options which they disable)
Direct feedback from the Linux kernel maintainers
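As an added example (my own, not kernel-hardening-checker's code), here is a small checker in the same spirit that covers the three layers the tool inspects: a Kconfig file, the kernel cmdline and sysctl output. The rule set is a hand-picked subset of KSPP-style settings chosen for illustration, and the inputs are constructed.

```python
"""Added example, not kernel-hardening-checker's own code: check compile-time
(Kconfig), boot-time (cmdline) and runtime (sysctl) hardening settings
against a small rule set. The rules below are a hand-picked sample of the
kind of KSPP-style settings such checkers look at (an assumption for the
demo, not the tool's real ruleset)."""
import re

# Each rule is (layer, name, expected, reason).
# expected="is not set" means the Kconfig option must be absent or commented out;
# expected="" on the cmdline layer means a bare flag that only needs to be present.
RULES = [
    ("kconfig", "CONFIG_STACKPROTECTOR_STRONG", "y", "stack canaries"),
    ("kconfig", "CONFIG_RANDOMIZE_BASE", "y", "KASLR"),
    ("kconfig", "CONFIG_DEVMEM", "is not set", "no /dev/mem"),
    ("kconfig", "CONFIG_DEBUG_FS", "is not set", "no debugfs in production"),
    ("cmdline", "init_on_alloc", "1", "zero memory on allocation"),
    ("cmdline", "slab_nomerge", "", "keep slab caches separate"),
    ("sysctl", "kernel.kptr_restrict", "2", "hide kernel pointers"),
    ("sysctl", "kernel.dmesg_restrict", "1", "unprivileged users cannot read dmesg"),
    ("sysctl", "kernel.unprivileged_bpf_disabled", "1", "no unprivileged BPF"),
]

# Constructed sample inputs (not taken from a real system).
SAMPLE_KCONFIG = """\
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_RANDOMIZE_BASE=y
CONFIG_DEVMEM=y
# CONFIG_DEBUG_FS is not set
"""
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz root=/dev/sda1 init_on_alloc=1 quiet"
SAMPLE_SYSCTL = """\
kernel.kptr_restrict = 1
kernel.dmesg_restrict = 1
kernel.unprivileged_bpf_disabled = 0
"""


def parse_kconfig(text):
    """Parse a .config: 'CONFIG_X=y' lines and '# CONFIG_X is not set' lines."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^(CONFIG_\w+)=(.*)$", line)
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
            continue
        m = re.match(r"^# (CONFIG_\w+) is not set$", line)
        if m:
            opts[m.group(1)] = "is not set"
    return opts


def parse_cmdline(text):
    """Parse /proc/cmdline: 'key=value' tokens and bare flags (value '')."""
    params = {}
    for tok in text.split():
        key, _, val = tok.partition("=")
        params[key] = val
    return params


def parse_sysctl(text):
    """Parse 'sysctl -a' style output: one 'key = value' per line."""
    params = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, val = line.partition("=")
            params[key.strip()] = val.strip()
    return params


def check(kconfig, cmdline, sysctl):
    """Return (layer, name, expected, actual, status) for every rule."""
    sources = {"kconfig": kconfig, "cmdline": cmdline, "sysctl": sysctl}
    results = []
    for layer, name, expected, _reason in RULES:
        actual = sources[layer].get(name)
        if expected == "is not set":
            ok = actual in (None, "is not set")  # absent counts as not set
        elif layer == "cmdline" and expected == "":
            ok = actual is not None  # bare flag only has to be present
        else:
            ok = actual == expected
        shown = "absent" if actual is None else actual
        results.append((layer, name, expected, shown, "OK" if ok else "FAIL"))
    return results


def failures(results):
    """Names of the rules that did not pass, in rule order."""
    return [r[1] for r in results if r[4] == "FAIL"]


if __name__ == "__main__":
    res = check(parse_kconfig(SAMPLE_KCONFIG), parse_cmdline(SAMPLE_CMDLINE),
                parse_sysctl(SAMPLE_SYSCTL))
    for layer, name, exp, act, status in res:
        print(f"{status:4} [{layer}] {name}: expected {exp!r}, got {act!r}")
```

On a real host the three inputs would come from /boot/config-$(uname -r), /proc/cmdline and sysctl -a respectively.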
How they got in and what they did.
From ScreenConnect to Hive Ransomware in 61 hours - The DFIR Report
Our friends at the DFIR Report provide insight into the pace of operation of a criminal threat actor. Phishing was the initial access vector..
In this intrusion from October 2022, we observed a threat actor relying on a RMM tool as the initial access, and ended with a somewhat botched Hive ransomware deployment. The initial payload was an executable file masquerading as a legitimate document.
The intrusion started with the execution of an executable named document8765.exe.
Our attack surface.
A problem with .NET Self-Contained Apps and how to pop calculators in dnSpy
Washi highlights why the security of security tooling of analysts is not always guaranteed.
The public releases of dnSpy versions 6.1.8 up to 6.4.0 contain a critical bug allowing for arbitrary code execution via a DLL hijack that can be triggered upon opening a file and analyzing it statically.
Everlasting ROBOT: the Marvin Attack
Hubert Kario releases some excellent research which will have a long tail of ramifications.
The Marvin Attack is a return of a 25 year old vulnerability that allows performing RSA decryption and signing operations as an attacker with the ability to observe only the time of the decryption operation performed with the private key.
GPU.zip: On the Side-Channel Implications of Hardware-Based Graphical Data Compression
Yingchen Wang, Riccardo Paccagnella, Zhao Gang, Willy R. Vasquez, David Kohlbrenner, Hovav Shacham and Christopher W. Fletcher release an interesting if unlikely real-world attack in most scenarios.
As a proof-of-concept for a realistic attack, we demonstrate stealing a username. In this scenario the target iframe is Wikipedia, which shows the user’s username in the top corner. We run this PoC with multiple browser windows open, with one playing a YouTube video during the attack. Figure 17 shows the results of our attack on an Intel i7-8700 and an AMD Ryzen 7 4800U. We calculate the accuracy based on the ground truth after color binarization. Our attack is unoptimized, but completes in 30 minutes on the Ryzen with 97.0% accuracy. The Intel attack is significantly slower, at 215 minutes with 98.3% accuracy
Cisco Catalyst SD-WAN Manager Vulnerabilities: Authorization Bypass Vulnerability
An important bug to patch given the management role of the product.
A vulnerability in the Security Assertion Markup Language (SAML) APIs of Cisco Catalyst SD-WAN Manager could allow an unauthenticated, remote attacker to gain unauthorized access to the application as an arbitrary user.
This vulnerability is due to improper authentication checks for SAML APIs. An attacker could exploit this vulnerability by sending requests directly to the SAML APIs. A successful exploit could allow the attacker to generate an authorization token sufficient to access the application.
Attack capability, techniques and trade-craft.
Misuse of Windows Projected File System (ProjFS) proof-of-concept
Grzegorz Tworek continues to smash it with this release which has utility in both offensive and defensive situations. Windows Projected File System provides all manner of detection opportunities for detection engineering teams i.e. to lay those digital trip wires for processes we might not expect accessing certain files..
How to hijack VoLTE network
Pavel Novikov details an attack which relies on a still-present vulnerability which we exploited back in the first GPRS networks over 22 years ago. Namely lack of subscriber isolation. Back then we broke into the core network, now you can use it to hijack voice traffic!
What is being exploited.
Cisco IOS and IOS XE Software Cisco Group Encrypted Transport VPN Software Out-of-Bounds Write Vulnerability
Cisco discovered attempted exploitation of the GET VPN feature
CVE-2023-42793: In JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE on TeamCity Server was possible
Nightmare software supply chain scenario potentially unfolding here..
On a Windows system, the log file C:\TeamCity\logs\teamcity-server.log will contain a log message when an attacker modified the internal.properties file. There will also be a log message for every process created via the /app/rest/debug/processes endpoint. In addition to showing the command line used, the user ID of the user account whose authentication token was used during the attack is also shown.
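As an added example (mine, not from the advisory or from JetBrains), here is a small correlation pass over server log lines that keys on the two indicators the advisory names: an edit to internal.properties and process creation via /app/rest/debug/processes. The line layout, timestamps, user ids and commands in the sample are constructed for the demo and will differ from real TeamCity log messages.

```python
"""Added example, not JetBrains' code: flag the two teamcity-server.log
indicators described in the advisory and score them higher when they occur in
sequence. The sample log layout below is constructed (an assumption), only the
two indicator strings come from the advisory."""
import re
from datetime import datetime, timedelta

# Constructed sample log; the format is an assumption, not TeamCity's real one.
SAMPLE_LOG = """\
[2023-09-27 10:14:55,101]   INFO - Server started
[2023-09-27 10:15:02,123]   INFO - File internal.properties was modified, reloading properties
[2023-09-27 10:15:09,456]   INFO - Process created via /app/rest/debug/processes by user id=1 (token auth): whoami
[2023-09-27 10:15:20,789]   INFO - Process created via /app/rest/debug/processes by user id=1 (token auth): net user
[2023-09-27 11:30:00,000]   INFO - Build finished
"""

TS_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+\]")
# Pulls the user id and command line out of the constructed process-creation line.
PROC_RE = re.compile(r"/app/rest/debug/processes.*?user id=(?P<uid>\d+).*?:\s(?P<cmd>.+)$")


def parse_events(text):
    """Return (timestamp, kind, detail) for each line carrying an indicator."""
    events = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        if "internal.properties" in line:
            events.append((ts, "properties_modified", line.split("- ", 1)[1]))
        elif "/app/rest/debug/processes" in line:
            pm = PROC_RE.search(line)
            detail = {"uid": pm.group("uid"), "cmd": pm.group("cmd")} if pm else {"raw": line}
            events.append((ts, "process_created", detail))
    return events


def correlate(events, window=timedelta(minutes=30)):
    """Score events: either indicator alone is medium; a process creation within
    `window` after an internal.properties edit is the advisory's sequence, so high."""
    alerts = []
    last_edit = None
    for ts, kind, detail in events:
        if kind == "properties_modified":
            last_edit = ts
            alerts.append(("medium", ts, "internal.properties modified", detail))
        elif kind == "process_created":
            sev = "high" if last_edit is not None and ts - last_edit <= window else "medium"
            alerts.append((sev, ts, "process via debug REST endpoint", detail))
    return alerts


if __name__ == "__main__":
    for sev, ts, what, detail in correlate(parse_events(SAMPLE_LOG)):
        print(f"{sev.upper():6} {ts} {what}: {detail}")
```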
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
JA4+ Network Fingerprinting
John Althouse provides a super powerful and now extensible framework which will enable all manner of discovery activities.
JA4+ provides a suite of modular network fingerprints that are easy to use and easy to share, replacing the JA3 TLS fingerprinting standard from 2017. These methods are both human and machine readable to facilitate more effective threat-hunting and analysis.
New ways to inject system CA certificates in Android 14
Tim Perry provides practical workarounds to Google’s tightening of system CA certificate handling in Android 14.
While direct root access to change these certificates by simply writing to a directory is indeed no longer possible, root is root, and so with a bit of work there are still some practical & effective ways to dig down into the internals of Android and seize control of these certs once more.
Cerberus: A C++ tool to unstrip Rust/Go binaries (ELF and PE)
Very clever bit of capability here..
Cerberus is the tool you want to use to make RUST and GO static analysis a lot easier.
Based on hashing and scoring systems, it can retrieve lots of symbol names.
bindiff: Quickly find differences and similarities in disassembled code
Now open source..
Some other small (and not so small) bits and bobs which might be of interest.
From payday to payoff: Exploring the money laundering strategies of cybercriminals - Most of the addresses transact directly with an entity (52%) and concentrate 80% or more of the illicit proceeds in one singular service (69%)
CISA Security Planning Workbook: a comprehensive resource that can assist critical infrastructure owners and operators with the development of a foundational security plan
Cybersecurity compass for municipalities BETA 0.9 - Initiative out of Germany which links to federal and state services to promote information security and resilience in municipalities.
On the video front this week we get from Australia ‘How Intelligence agencies catch criminals’.
Then we have ‘Are China and Russia Accelerating their Cyber Campaigns Against the United States?’
There is also ‘Xi Jinping’s Arm of Cyber Spies’