Bluepurple Pulse: week ending September 18th
Iran learns what it is to be China/North Korea when the US focuses on you for cyber
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week nothing of note other than the chaos that individual contributors can bring with their ability to blow holes in very large corporations.
In the high-level this week:
Surge in ransomware attacks helps fuel 80pc rise in cyber insurance claims - from Australia - “Cyber has become the new D&O” and “A small or medium-sized business wanting to buy $10 million of cover would, on average, face a $60,000 premium, up from $33,000 a year ago, Honan said.” - eeesh!
EU Cyber Resilience Act - New EU cybersecurity rules ensure safer hardware and software - getting serious around IoT in Europe and more generally - only a good thing.
CISA Strategic Plan for 2023-25 - “the first comprehensive Strategic Plan since CISA was established as an Agency in 2018.” - CISA outlines its four goals:
“spearhead a national effort to ensure the defense and resilience of cyberspace.”
“reduce risks to, and strengthen the resilience of, America’s critical infrastructure”
“strengthen whole-of-nation operational collaboration and information sharing”
“unify as One CISA through integrated functions, capabilities, and workforce”
CISA announced the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) - they have specifically solicited feedback from the community
The White House (not me) - Enhancing the Security of the Software Supply Chain to Deliver a Secure Government Experience - attestations all around regarding the security of software supplied to government.
European parliament Statement of PEGA Coordinators on Polish authorities’ refusal to cooperate - opening quote is something:
“As the spyware inquiry committee prepares for its fact-finding mission to Poland 19–21 September, MEPs condemn the Polish authorities’ lack of cooperation with their visit.”
Related: Greece's Predatorgate: The latest chapter in Europe's spyware scandal?
Mid-Decade Challenges to National Competitiveness - an insightful bit of work out of a US thinktank on the challenges the US faces in a technological world and by proxy the UK, Europe etc.
Dragon tails: Preserving international cybersecurity research - Fascinating analysis of changes happening in China and their impact
“This paper analyzes a series of Chinese regulatory changes altering vulnerability disclosure practices to assess their impact on the supply of research from China’s significantly productive community.”
Contesting Western and Non-Western Approaches to Global Cyber Governance beyond Westlessness - it is clear that the new international norms will involve a lot more work than we (as the West) might be used to, given the growing understanding among previously less aware nations:
“..it demonstrates ways in which the Western dominance over the norms, discourses and approaches concerning cyber governance has been fiercely contested by emerging powers and nascent players in the Global South. Over the past decade, rising powers such as China, Singapore, South Korea, ASEAN and Latin America have all demonstrated stronger willingness and ambition to reshape the normative and regime structures in global cyber governance, according to their own values, interests and local contexts”
‘Future of cyberspace’ on the line as US, Russia square off - the International Telecommunications Union secretary general role is being elected later this month - this is the sub plot.
Insider cyber threats pose ‘significant’ risk to Australia’s defence force, brief warns - new Aussie government and the threat brief to the incoming administration.
Campaign cybersecurity might be the weakest link in the midterms - hyperbole-laden reporting here in the Washington Post - the US is the best prepared it has ever been would be my analysis.
The full court press from the US, UK and others on Iran:
DoJ: Three Iranian Nationals Charged with Engaging in Computer Intrusions and Ransomware-Style Extortion Against U.S. Critical Infrastructure Providers
NSA/FBI/CCSC/NCSC/ACSC: Iranian Cyber Actors Exploit Known Vulnerabilities to Extort U.S. Critical Infrastructure Organizations, Other Victims
In more comical events, Iran’s response to the NATO statement from September 8th regarding the cyber activities against Albania:
Then FBI Director Wray drops this in response to Iranian activity in the US and elsewhere as part of the full court press (the production values are amazing):
No reflections this week as I’ve sat in meetings, gave various talks, drove a lot and have not had much time to think.
Have a lovely Saturday
Cyber threat intelligence
Who is doing what to whom and how.
Russia / Ukraine
Gamaredon APT targets Ukrainian government agencies in new campaign
Asheer Malhotra and Guilherme Venere detail a new campaign in which the tradecraft is so basic that it is almost insulting.
[We] recently identified a new, ongoing campaign attributed to the Russia-linked Gamaredon APT that infects Ukrainian users with information-stealing malware.
The adversary is using phishing documents containing lures related to the Russian invasion of Ukraine.
LNK files, PowerShell and VBScript enable initial access, while malicious binaries are deployed in the post-infection phase.
We discovered the use of a custom-made information stealer implant that can exfiltrate victim files of interest and deploy additional payloads as directed by the attackers.
[We] discovered Gamaredon APT activity targeting users in Ukraine with malicious LNK files distributed in RAR archives. The campaign, part of an ongoing espionage operation observed as recently as August 2022, aims to deliver information-stealing malware to Ukrainian victim machines and makes heavy use of multiple modular PowerShell and VBScript (VBS) scripts as part of the infection chain.
Chiseling In: Lorenz Ransomware Group Cracks MiVoice And Calls Back For Free
Markus Neis, Ross Phillips, Steven Campbell, Teresa Whitmore and Alex Ammons show that threat actors do have the capability to use alternative entry methods. This is not the first time this vulnerability has been exploited by criminals.
[We] assess with medium confidence that the Lorenz ransomware group exploited CVE-2022-29499 to compromise Mitel MiVoice Connect to gain initial access
Lorenz waited nearly a month after obtaining initial access to conduct additional activity
Lorenz exfiltrated data via FileZilla
Encryption was done via BitLocker and Lorenz ransomware on ESXi
Lorenz employed a high degree of Operational Security (OPSEC)
Ransomware groups continue to use Living Off the Land Binaries (LOLBins) and gaining access to 0day exploits
Process and PowerShell Logging can significantly aid incident responders and potentially help decrypt encrypted files
This was previously exploited by ransomware groups earlier in the summer:
New Wave of Espionage Activity Targets Asian Governments
China being active in Asia, although the initial access mechanism is unclear from the reporting. You will see from the tooling used that it feels like a pentester from the early 2000s (NBTScan, TCPing, FastReverseProxy and FScan).
A distinct group of espionage attackers who were formerly associated with the ShadowPad remote access Trojan (RAT) has adopted a new, diverse toolset to mount an ongoing campaign against a range of government and state-owned organizations in a number of Asian countries. The attacks, which have been underway since at least early 2021, appear to have intelligence gathering as their main goal.
The current campaign appears to be almost exclusively focused on government or public entities, including:
Head of government/Prime Minister’s Office
Government institutions linked to finance
Government-owned aerospace and defense companies
State-owned telecoms companies
State-owned IT organizations
State-owned media companies
Opsec Mistakes Reveal COBALT MIRAGE Threat Actors
This is how you end up with a bad week as a threat actor (other than being indicted by the US government). Companies and people are all outed as supporting the Iranian government, specifically the Islamic Revolutionary Guard Corps, with ransomware operations.
A LinkedIn profile lists Ahmad Khatibi as the CEO of Afkar System Co., a company based in Iran. In June 2022, anti-Iranian regime whistleblower persona Lab_Dookhtegan posted a series of tweets about Ahmad Khatibi and Afkar System, stating they are operating on behalf of Intelligence Organization of Sepah (see Figure 2). Sepah is a reference to the Islamic Revolutionary Guard Corp (IRGC), and the Intelligence Organization (IRGC-IO) is a subordinate unit.
Pro-Palestinian Hacking Group Compromises Berghof PLCs in Israel
David Krivobokov details a rather notable lucky escape. It appears that whilst the threat actor had breached the devices, they didn’t have Russian levels of capability to manipulate them for effect.
On September 4th, 2022, a hacktivist group “GhostSec” that was previously observed targeting Israeli organizations and platforms, announced on social media and its Telegram channel that the group successfully breached 55 Berghof PLC devices in Israel.
The fact that the HMI probably wasn’t accessed, nor manipulated by GhostSec, and the hackers were not exploiting the Modbus interface, shows an unfamiliarity with the OT domain.
It's Time to PuTTY! DPRK Job Opportunity Phishing via WhatsApp
James Maclachlan, Mathew Potaczek, Nino Isakovic, Matt Williams and Yash Gupta show that North Korea continues to leverage enduring social engineering campaigns in order to secure access. The fake job campaign by North Korea is an enduring one, and the use of digital assessments and a backdoored PuTTY is the next evolution.
UNC4034 established communication with the victim over WhatsApp and lured them to download a malicious ISO package regarding a fake job offering that led to the deployment of the AIRDRY.V2 backdoor through a trojanized instance of the PuTTY utility
Look What You Made Me Do: TA453 Uses Multi-Persona Impersonation to Capitalize on FOMO
Joshua Miller, Kyle Eaton and Alexander Rausch discuss more Iranian activity. They have upped their social engineering game with more personas. I see no realistic way that individuals can be made immune to this style of campaign.
In mid-2022, TA453 deployed a social engineering impersonation technique informally called Multi-Persona Impersonation in which the threat actor uses at least two actor-controlled personas on a single email thread to convince targets of the legitimacy of the campaign.
This is an intriguing technique because it requires more resources be used per target—potentially burning more personas—and a coordinated approach among the various personalities in use by TA453.
This is the latest in TA453's evolution of its techniques and can be mitigated in large part by potential targets, such as those specializing in Middle Eastern affairs or nuclear security, by being cautious when they receive outreach from unexpected sources, even those that appear legitimate.
Magento vendor Fishpig hacked, backdoors added
A supply chain attack against WordPress plugins; the scale of the real-world compromise is unclear.
Fishpig, a vendor of popular Magento-Wordpress integrations, has been hacked. [We] found that attackers have injected malware in Fishpig software and taken control of Fishpig servers. Online stores running Fishpig software may now have the “Rekoobe” malware installed on their servers, effectively granting store administrator access to attackers.
The vendor has now published an announcement around the incident
You never walk alone: The SideWalk backdoor gets a Linux variant
Vladislav Hrčka, Thibaut Passilly and Mathieu Tartare detail a campaign by a Chinese threat actor against a Hong Kong university. The increase in reporting around implants being actively used against operating systems other than Windows should probably be noted by organisations with poor coverage of such systems.
[We] have discovered a Linux variant of the SideWalk backdoor, one of the multiple custom implants used by the SparklingGoblin APT group. This variant was deployed against a Hong Kong university in February 2021, the same university that had already been targeted by SparklingGoblin during the student protests in May 2020. We originally named this backdoor StageClient, but now refer to it simply as SideWalk Linux.
SparklingGoblin first compromised this particular university in May 2020, and we first detected the Linux variant of SideWalk in that university’s network in February 2021. The group continuously targeted this organization over a long period of time, successfully compromising multiple key servers, including a print server, an email server, and a server used to manage student schedules and course registrations.
BEC Group Targets Teachers with Payroll Diversion Attacks
Crane Hassold outlines a business email compromise campaign by a criminal actor, likely in Africa, against academia. A lesson in why business processes need to exist to prevent this from happening.
However, our Abnormal team has identified a specific group bucking this trend, which we call Chiffon Herring. The group has been active since at least March 2022 and mainly targets local school districts and universities in the United States.
Their targets have ranged from large public universities to small community colleges, and from sprawling urban school districts to an individual all-girls preparatory school. Based on our research, Chiffon Herring actors are likely located in Nigeria and South Africa, both of which are typical hotbeds for BEC scammers
RedLine spreads through ads for cheats and cracks on YouTube
Oleg Kupreev outlines a rather novel campaign here. In a world of social media, who would guess that malicious code would try to propagate by posting videos from the victim’s own channel, using that victim as a social media influencer to entice others to download it.
In addition to the payload itself, the discovered bundle is of note for its self-propagation functionality. Several files are responsible for this, which receive videos, and post them to the infected users’ YouTube channels along with the links to a password-protected archive with the bundle in the description. The videos advertise cheats and cracks and provide instructions on hacking popular games and software. Among the games mentioned are APB Reloaded, CrossFire, DayZ, Dying Light 2, F1® 22, Farming Simulator, Farthest Frontier, FIFA 22, Final Fantasy XIV, Forza, Lego Star Wars, Osu!, Point Blank, Project Zomboid, Rust, Sniper Elite, Spider-Man, Stray, Thymesia, VRChat and Walken. According to Google, the hacked channels were quickly terminated for violation of the company’s Community Guidelines.
Webworm: Espionage Attackers Testing and Using Older Modified RATs
A campaign by a Chinese actor known for information theft and espionage. It looks like China is again trying supply chain attacks in order to secure access to its intended victims.
[We have] gained insight into the current activities of a group we call Webworm. The group has developed customized versions of three older remote access Trojans (RATs), including Trochilus, Gh0st RAT, and 9002 RAT. At least one of the indicators of compromise (IOCs) observed by [us] was used in an attack against an IT service provider operating in multiple Asian countries, while others appear to be in pre-deployment or testing stages.
Dissecting PlugX to Extract Its Crown Jewels
Felipe Duarte provides an in-depth analysis of this capability often used by Chinese state actors. For the analyst community out there this will tell you likely what you already know. For those that are new, then it is a good detailed analysis.
Rise in XorDdos: A deeper look at the stealthy DDoS malware targeting Linux devices
Updated September 12, 2022, to provide the initial access insight we crave, only to find out that it is rather basic, although the anti-forensic technique is a little spicy.
New information has been added to the initial access and payload analysis sections in this blog, including details on a rootkit component found while investigating a June sample
XorDdos propagates primarily via SSH brute force.
Our analysis determined two of XorDdos’ methods for initial access. The first method involves copying a malicious ELF file to temporary file storage /dev/shm and then running it. Files written at /dev/shm are deleted during system restart, thus concealing the source of infection during forensic analysis.
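As an added illustration (not code from the XorDdos write-up), the detection a defender would want for the initial-access pattern described above: flag process starts whose executable lives on a RAM-backed path such as /dev/shm, normalising the path first so that `/tmp/../dev/shm/x` is not missed. The record format is a simplified, constructed audit-style line and the prefix list (/run and /tmp alongside /dev/shm) is an assumption about typical tmpfs mounts.

```python
import posixpath
import re
from dataclasses import dataclass
from typing import Iterator

# Paths that are tmpfs-backed on most Linux distributions (assumption). Anything
# written here vanishes on reboot, which is the anti-forensic property the
# XorDdos report describes for /dev/shm.
VOLATILE_PREFIXES = ("/dev/shm/", "/run/", "/tmp/")

# Constructed sample records (simplified audit-style process-start events, not
# real log output). Record 503 hides the tmpfs path behind a ".." segment.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1663000001.100:501): syscall=59 success=yes pid=4102 ppid=4100 uid=0 exe="/usr/bin/ls" key="exec"
type=SYSCALL msg=audit(1663000002.200:502): syscall=59 success=yes pid=4150 ppid=4001 uid=0 exe="/dev/shm/.x" key="exec"
type=SYSCALL msg=audit(1663000003.300:503): syscall=59 success=yes pid=4161 ppid=4150 uid=1000 exe="/tmp/../dev/shm/.y" key="exec"
type=SYSCALL msg=audit(1663000004.400:504): syscall=59 success=yes pid=4170 ppid=4100 uid=1000 exe="/home/user/bin/tool" key="exec"
"""

# \b before pid= and uid= keeps ppid= / auid= from matching the wrong field.
RECORD_RE = re.compile(
    r'msg=audit\((?P<ts>[\d.]+):\d+\):.*?\bpid=(?P<pid>\d+)'
    r'.*?\buid=(?P<uid>\d+).*?\bexe="(?P<exe>[^"]*)"'
)


@dataclass(frozen=True)
class Finding:
    ts: float
    pid: int
    uid: int
    exe: str
    reason: str


def parse_records(log_text: str) -> Iterator[dict]:
    """Yield the fields of every line that looks like a process-start record."""
    for line in log_text.splitlines():
        m = RECORD_RE.search(line)
        if m:
            yield m.groupdict()


def is_volatile_path(path: str) -> bool:
    """True if the executable sits on a RAM-backed mount after path normalisation."""
    norm = posixpath.normpath(path)
    return any(norm.startswith(prefix) for prefix in VOLATILE_PREFIXES)


def find_volatile_execs(log_text: str) -> list[Finding]:
    """Return one Finding per process started from a volatile path.

    The reason string reminds the responder to grab the binary immediately:
    as the report notes, it will not survive a restart.
    """
    findings: list[Finding] = []
    for rec in parse_records(log_text):
        if not is_volatile_path(rec["exe"]):
            continue
        reason = "executable on RAM-backed filesystem; acquire it now, it will not survive a reboot"
        if int(rec["uid"]) == 0:
            reason += "; running as root"
        findings.append(Finding(float(rec["ts"]), int(rec["pid"]), int(rec["uid"]), rec["exe"], reason))
    return findings


if __name__ == "__main__":
    for f in find_volatile_execs(SAMPLE_LOG):
        print(f"pid={f.pid} uid={f.uid} exe={f.exe}: {f.reason}")
```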
Mythic Case Study: Assessing Common Offensive Security Tools
Some quantitative analysis around one of the ‘other’ open source implant/post compromise frameworks.
Although dwarfed by Cobalt Strike, the number of online internet-facing Mythic servers outnumbers a number of other ‘common’ C2 frameworks, including Sliver.
Mythic was observed being deployed alongside reNgine, a powerful reconnaissance tool.
Connections to an operator identified previously utilizing Sliver, potentially in Pakistan-focused activities.
Low confidence ties to e-crime operators have been identified within open source reporting.
How we find and understand the latent compromises within our environments.
Traces of Windows remote command execution
Nicolas Biscos provides a lot of value with this analysis. In it he walks through all the remote command execution techniques he could find and then details the forensic artefacts each leaves behind. Très bon, Nicolas, très bon!
Build a comprehensive list of techniques that are used by pentesters and attackers;
Indicate the way these techniques are implemented in different tools;
List artifacts that can be collected by DFIR analysts.
J Marasinghe provides an amazing work aid here for analysts to perform command-execution tree analysis.
This Jupyter notebook will assist DFIR professionals in analysing the output generated from Volatility memory extraction framework in a structured manner. Current version of the notebook is written to process Volatility output from Windows OSs.
Detecting DLL Hijacking Attacks
Mehmet Ergene provides a practical guide to this pervasively used technique.
The net result is a query for Defender for Endpoint to detect such events:
How we proactively defend our environments.
Azure Active Directory security operations guide
Workable advice from the vendor never hurts.
The Azure AD SecOps Guide is intended for enterprise IT identity and security operations teams and managed service providers that need to counter threats through better identity security configuration and monitoring profiles. This guide is especially relevant for IT administrators and identity architects advising Security Operations Center (SOC) defensive and penetration testing teams to improve and maintain their identity security posture.
Control IE retirement on your own schedule with the Disable IE Policy
Bailey Reid outlines a new control which can kill the use of legacy Internet Explorer.
After configuring IE mode, you can disable IE11 as a standalone browser on your organization’s devices and replicate the user experience that will be rolled out with the future Windows Update that will permanently disable IE. Given its gradual nature, the redirection phase is optimal for those organizations who are not entirely confident yet of the state of IE retirement readiness across their estate.
Turn On or Off Smart App Control in Windows 11 Tutorial
Before you deploy Windows 11 hosts read this: if you don’t enable it during install, you can’t enable it later.
In order to ensure a more secure experience Microsoft only enables Smart App Control on a clean install of Microsoft Windows 11. Microsoft wants to be sure that there aren't already untrusted apps running on the device when they turn it on
Andrew Pease provides an environment for those wanting to experiment quickly and easily.
Stand up a 100% containerized Elastic stack, TLS secured, with Elasticsearch, Kibana, Fleet, and the Detection Engine all pre-configured, enabled and ready to use, within minutes.
Our attack surface.
Undermining Microsoft Teams Security by Mining Tokens
Connor Peoples describes what a number of you will have appreciated: in a world of long-lived tokens it doesn’t matter if we don’t have the username and password if we can compromise an endpoint. We can maintain access forever!!
In August 2022, [we] identified an attack path that enables malicious actors with file system access to steal credentials for any Microsoft Teams user who is signed in. Attackers do not require elevated permissions to read these files, which exposes this concern to any attack that provides malicious actors with local or remote system access. Additionally, this vulnerability was determined to impact all commercial and GCC Desktop Teams clients for Windows, Mac, and Linux.
Attack capability, techniques and tradecraft.
Attacks on Sysmon Revisited
Understand, adapt and overcome - adversaries showing what is possible.
In this blogpost we demonstrate an attack on the integrity of Sysmon which generates a minimal amount of observable events making this attack difficult to detect in environments where no additional security products are installed.
Suspend all threads of Sysmon.
Create a limited handle to Sysmon and elevate it by duplication.
Clone the pseudo handle of Sysmon to itself in order to bypass SACL as proposed by James Forshaw.
Inject a hook manipulating all events (in particular ProcessAccess events on Sysmon).
Resume all threads.
Matthew continues to release tradecraft which makes EDR vendor product managers sob and MITRE test scenario developers drool.
Write memory to a remote process using APC calls
Antonio Cocomazzi brings another way to get SYSTEM that EDR may miss.
Leveraging AcquireCredentialsHandle through an SSPI hook that allows authenticating as SYSTEM to SCM on Windows - an alternative way for elevating to SYSTEM when you have SeTcbPrivilege
Bypass CrowdStrike Falcon EDR protection against process dump like lsass.exe
Bilal Al-qurneh shows why cyber defence is hard when dual-use tools exist, and why application/driver allow/deny listing and/or anomaly alerting is the way of the future.
Do a memory dump of the RAM with any forensics tool (dumpit.exe, MAGNET RAM Capture) and from the dump extract the lsass process using Volatility or extract the hashes directly from it.
Like the Nim versions before it.. another programming language, another porting of malicious capability.
Massayo is a small proof-of-concept Rust library based on UnhookingPOC, which removes AV/EDR hooks in a given system DLL. I tried to reduce fingerprints by obfuscating strings and resolving any Windows API functions used dynamically. It loads a fresh copy of a chosen system DLL from the System32 directory and replaces the .text section of the currently loaded DLL with its own. I'm not a Rust expert so I'm open to any kind of suggestions or help.
HideProcessHook: DLL that hooks the NtQuerySystemInformation API and hides a process name
Ryan Weil shows how to use DLL hooking to hide process information from task manager. It’s older code which has just been released.
What is being exploited.
F5 BIG-IP Vulnerability (CVE-2022-1388) Exploited by BlackTech
朝長 秀誠 (Shusei Tomonaga) details how one of the newer BIG-IP vulnerabilities was exploited by a Chinese state actor.
Around May 2022, JPCERT/CC confirmed an attack activity against Japanese organizations that exploited F5 BIG-IP vulnerability (CVE-2022-1388). The targeted organizations have confirmed that data in BIG-IP has been compromised. We consider that this attack is related to the activities by BlackTech attack group. This blog article describes the attack activities that exploit this BIG-IP vulnerability.
Internet Explorer vulnerabilities that continue to be targeted even after support ends
Japanese reporting on an exploit kit leveraging older Internet Explorer vulnerabilities in the wild. The use of malvertising is of note here.
From the end of July 2022, we have confirmed that guidance to Purple Fox has resumed. If you are using Internet Explorer that has not been patched, you may be infected with malware by exploiting the vulnerability. Support for Internet Explorer will end on June 16, 2022 (Japan time).
"Purple Fox" was originally confirmed to be downloaded as a payload of the RIG Exploit Kit (hereinafter referred to as RIG), but it began to spread malware on its own and is now known as a standalone Exploit Kit.
Typically, users are directed to Gates from malicious advertisements (malvertising) contained within sites they visit, and then to Purple Fox landing pages.
Xalan-J XSLT Integer Truncation Exploit Construct (CVE-2022-34169)
Chinese reporting on exploiting this most excellent vulnerability which results in arbitrary Java byte code execution from the parsing of an XSLT. The attack surface here includes SAML. I covered the vulnerability previously, but this is a detailed exploitation write-up.
This is the first time I encountered a vulnerability (CVE-2022-34169) related to Java Class bytecode. Since the exploit script provided by the vulnerability author failed to execute successfully, I tried to construct an exploit based on the vulnerability description and my own understanding. In the process of in-depth analysis and successful construction of the payload, it also deepened my understanding of Java bytecode. Although the vulnerability author provided some comment information in the exploit script, it is not enough for a complete understanding of the entire exploit construction process, so here I make a detailed record of the payload construction process.
Zero-Day Vulnerability in WPGateway Actively Exploited in the Wild
Ram Gall details an in the wild exploited zero day against a premium Wordpress plugin.
On September 8, 2022, [we] became aware of an actively exploited zero-day vulnerability being used to add a malicious administrator user to sites running the WPGateway plugin.
Tooling and Techniques
Low level tooling for attack and defence researchers.
D-Generating EDR Internals
Rad shows how to use dtrace on Windows to understand EDR behaviour in order to build bypasses.
By the end of this blog post, the reader should understand one approach to analysing D-Generate (DTrace) logs, specifically with a focus on endpoint security product internals. Understanding the flow of an application, and how it differs, is critical to breaking it, and seeing the system calls made, and the ability to perform a quick analysis is critical to evaluating EDRs.
Some other small (and not so small) bits and bobs which might be of interest.
2022 Falcon OverWatch Threat Hunting Report - for those who need report fodder.
Orchestrating Collaborative Cybersecurity: A Secure Framework for Distributed Privacy-Preserving Threat Intelligence Sharing - neat concept, unclear how it will be pulled through.
Geopolitical Cyber Incidents in Canada: 2022 Assessment - By the Center on Multidimensional Conflicts
The Bicycle of the Forensic Analyst - Florian drops his wisdom Part I
About Detection Engineering - Florian drops his wisdom Part II
Azure Threat Research Matrix - clicky clicky guide.
Cybersecurity and Energy: The Case Study of Stuxnet - Great MSc project.
Telecom Security Incidents 2021 from ENISA (published July 2022) - good overview of the sector challenges.
In situ bidirectional human-robot value alignment - some wisdom on what is required for human/machine teaming in the real world.
Enhancing cyber capabilities through AUKUS - a strategic look at the topic on what might be.
Six months into Breached: The legacy of RaidForums? - Breached has become the new platform for database exchange, attracting more than 82,000 registered users
That’s all folks.. until next week..
Doing a full memory dump on system processes means the adversary has already got system.
Useful technique for persistence though