Bluepurple Pulse: week ending November 21st

“the power of two factor authentication curtails you”

Welcome to the weekly highlights and analysis of the blueteamsec subreddit.

Operationally this week my family (yet due to the magic of modern medicine not me) have COVID 😷 and a seasonal cold. Moral remains high but it feels like we have the biological equivalent of both an APT and Ransomware crew active at the same time in the household.

In the high-level this week:

In the light-hearted this week when cyber issues get featured in Animaniacs you know as a problem domain we have gone mainstream - “the power of two factor authentication curtails you” is probably the best line ever. One that should probably be recited against various threat actors each morning in team stand-ups across the globe.

Enjoying this? don’t get via e-mail? then subscribe:

Think someone else would benefit? Share:

Share

Have a lovely Saturday

Ollie

Cyber threat intelligence

Who is doing what to whom and how.

[Conti] Ransomware Group In-Depth Analysis

Analysis which wouldn’t be possible by the private sector in the UK. A deep level of penetration into the Conti infrastructure by this Swiss firm who were able to understand a huge amount about their operation including their full kill chain.

The team accessed Conti’s infrastructure and identified the real IP addresses of the servers in question.

Our threat intelligence team was also able to access a hidden service that provided key information on the underlying technology stack Conti developers rely on. By analyzing the source code of Conti’s recovery service and admin management panel, our team discovered a hidden service using dockerized MySql database bound to 127.0.0.1:3327

https://www.prodaft.com/resource/detail/conti-ransomware-group-depth-analysis

New corporate espionage attacks by RedCurl

RedCurl is one of those almost mythical threat actors. We know they have been active since 2018 and speak Russian but target Western as well as Russian targets for what is believed to be corporate espionage. Initial entry looks rather basic but later payloads show engineering capabilities.

Since the beginning of 2021, RedCurl has carried out four attacks, bringing the total count to 30.

One of the victims was a Russian wholesale company, which RedCurl attacked twice. The location of the two other victims remains unknown.

Among other improvements, the group added a new reconnaissance tool whose code shares many similarities with the FirstStageAgent module (Group-IB named the tool FSABIN), as well as a PowerShell downloader for the tool

https://www.group-ib.com/media/red-curl-threat-report/

A multi-stage PowerShell based attack targets Kazakhstan

Hossein Jazi documents a campaign suspected of being thrown at this small country. Again the tradecraft is unsophisticated with .rar files and .lnk files etc.

On November 10 we identified a multi-stage PowerShell attack using a document lure impersonating the Kazakh Ministry of Health Care, leading us to believe it targets Kazakhstan.

A threat actor under the user name of DangerSklif (perhaps in reference to Moscow’s emergency hospital) created a GitHub account and uploaded the first part of the attack on November 8.

https://blog.malwarebytes.com/threat-intelligence/2021/11/a-multi-stage-powershell-based-attack-targets-kazakhstan/

Exchange Exploit Leads to Domain Wide Ransomware

A case from September which the DFIR team observed. The thing to note here was that common off the shelf disk encryption software was used to implement the crypt operation and not a custom encryptor. This fact will likely bypass a number of commercial detection and prevention solutioms.

ProxyShell was used to deploy multiple web shells which lead to discovery actions, dumping of LSASS, use of Plink and Fast Reverse Proxy to proxy RDP connections into the environment. Furthermore, the actors encrypted systems domain wide, using BitLocker on servers and DiskCryptor on workstations, rather than affiliating with Ransomware as a Service (RaaS) programs or building an encryptor from scratch.

https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/

CVE-2021-40444 Vulnerability Attack Impersonating the President of Pyongyang University of Science and Technology

We have covered this vulnerability a number of times in recent weeks in the context of North Korea usage. This week is no different with CVE-2021-40444 (MSHTML remote code execution) being exploited by malicious Microsoft Word documents. Through this Korean language reporting we gain insight as to the likely source of the original exploit.

As a result of analyzing this attack by ESRC, it was found that malicious file creators are consistently using the 'POSEIDON' account, and partially recycled the proof-of-concept (PoC) code of the 'CVE-2021-40444' vulnerability that was already published on the Internet. .

https://blog.alyac.co.kr/4262?category=957259

Strategic web compromises in the Middle East with a pinch of Candiru

Candiru is a commercial Israeli outfit which was subject to sanctions by the US in recent weeks. Matthieu Faou documents the discovery of a historic watering hole campaign which seemed to run until August 2021. This feels quite crunchy operation to have been undertaken in whole or in part by a private sector firm.

Our tracking shows that the operators are mostly interested in the Middle East, with a particular emphasis on Yemen.

We also uncovered interesting links with Candiru, detailed in the section Links between the watering holes, spearphishing documents and Candiru.

https://www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/

QAKBOT Loader Returns With New Techniques and Tools

Ian Kenefick and Vladimir Kropotov confirm what we discussed last week with further insights. Various techniques being used to compromise legitimate e-mail which is then used to highjack threads and further propagate the threat.

Toward the end of September 2021, we noted that QAKBOT operators resumed email spam operations after an almost three-month hiatus. Specifically, we saw that the malware distributor “TR” was sending malicious spam leading victims to SquirrelWaffle (another malware loader) and QAKBOT. In early October, the same “TR” distributor was reportedly conducting brute-force attacks on Internet Message Access Protocol (IMAP) services, and there is also speculation from security researchers that “TR” uses ProxyLogon to acquire credentials for the attacks.  

The actors using QAKBOT are leveraging hijacked email threads in their spam runs, a highly effective tactic that was used by groups such as Emotet in the past (hijacking an email thread means reviving an old thread with replies containing malware).

https://www.trendmicro.com/en_us/research/21/k/qakbot-loader-returns-with-new-techniques-and-tools.html

Groups Target Alibaba ECS Instances for Cryptojacking

David Fiser and Alfredo Oliveira provide a good analysis as to why Alibaba’s cloud (even prior to the code breach) was more optimal for Cryptojacking operators.

In this article, we focus on one common functionality that we found among multiple payloads: the disabling of features inside the Alibaba cloud service provider (CSP). We also look at possible reasons that multiple threat actors and malware routines focused on Alibaba Cloud (also known as Aliyun) and the implications of these illicit mining activities on Alibaba Cloud users.

Despite detection, the security agent fails to clean the running compromise and gets disabled.

https://www.trendmicro.com/en_us/research/21/k/groups-target-alibaba-ecs-instances-for-cryptojacking.html

SharkBot: a new generation of Android Trojans is targeting banks in Europe

A campaign which shows that mobile based MFA and applications do not deter organised crime. The initial infection is convoluted but is obviously having some success.

At the end of October 2021, a new Android banking trojan was discovered

The main goal of SharkBot is to initiate money transfers from the compromised devices via Automatic Transfer Systems (ATS) technique bypassing multi-factor authentication mechanisms (e.g., SCA).

We identified a botnet which is currently targeting the UK, Italy, and the US, including banking applications and cryptocurrency exchanges.

Once installed in the victim's device, attackers can obtain sensitive banking information through the abuse of Accessibility Services, such as credentials, personal information, current balance, etc., but also to perform gestures on the infected device.

At the time of writing, we didn’t notice any samples on Google's official marketplace. The malicious app is installed on the users' devices using both the side-loading technique and social engineering schemes.

https://www.cleafy.com/cleafy-labs/sharkbot-a-new-generation-of-android-trojan-is-targeting-banks-in-europe

Operation Light Shell by KIMSUKY organization

More Korean language reporting on North Korean activity including the exploitation of CVE-2021-1675 (Print Spooler). But also note they use RDP and Meterpreter.

This report explains the technical analysis of malicious code and C2 that can be grouped based on the patterns and characteristics of malicious codes among the malicious codes produced and distributed by the KIMSUKY organization.

https://asec.ahnlab.com/ko/28619/

https://asec.ahnlab.com/wp-content/uploads/2021/11/KIMSUKY-%EC%A1%B0%EC%A7%81%EC%9D%98-OP.Light-Shell.pdf

UNC1151 Assessed with High Confidence to have Links to Belarus, Ghostwriter Campaign Aligned with Belarusian Government Interests

Gabriella Roncone, Alden Wahlstrom, Alice Revelli, David Mainor, Sam Riddell and Ben Read document a campaign they basically say is Belarus. Do note they use an open source phishing framework in their operations.

UNC1151 has targeted a wide variety of governmental and private sector entities, with a focus in Ukraine, Lithuania, Latvia, Poland, and Germany. The targeting also includes Belarusian dissidents, media entities, and journalists.

Since at least 2016, UNC1151 has registered credential theft domains that spoof legitimate websites to steal victim credentials

We have determined that UNC1151 uses GoPhish primarily for their email sending operations – including both cyber espionage and Ghostwriter content dissemination

https://www.mandiant.com/resources/unc1151-linked-to-belarus-government

Evolving trends in Iranian threat actor activity

An Iranian campaign using ransomware. Sanctions again driving the need to get some sweet sweet money.

Since September 2020, MSTIC has observed six Iranian threat groups deploying ransomware to achieve their strategic objectives. These ransomware deployments were launched in waves every six to eight weeks on average.

In one observed campaign, PHOSPHORUS targeted the Fortinet FortiOS SSL VPN and unpatched on-premises Exchange Servers globally with the intent of deploying ransomware on vulnerable networks.

https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/

Kimsuky Group's APT Attack - Analysis Report (AppleSeed, PebbleDash)

Yet more quality Korean reporting this week on North Korean activity. In summary it documents Kimsuky capabilities and tradecraft (malicious documents) which lead to AppleSeed and PebbleDash backdoors.

In general, malicious codes that are presumed to be attachments of spear phishing emails are disguised as document files.

and when the user executes the file, the user executes the document corresponding to the actual spoofed file name.

https://asec.ahnlab.com/wp-content/uploads/2021/11/Kimsuky-%EA%B7%B8%EB%A3%B9%EC%9D%98-APT-%EA%B3%B5%EA%B2%A9-%EB%B6%84%EC%84%9D-%EB%B3%B4%EA%B3%A0%EC%84%9C-AppleSeed-PebbleDash.pdf

SideCopy organization using China and India current affairs news

Chinese reporting on Pakistan targeting India with tradecraft 1999 would be proud of i.e. e-mailing of executables.

The operation began in early 2019, and its attackers mainly used to copy the TTPs organized by the Sidewinder APT, so they were named Operation SideCopy.

After the victim decompresses and executes the decoy file, the program will download the data file from the remote server to the local and decrypt it for execution, and finally load SideCopy's own remote control software MargulasRAT.

Almost all C2 in the event belonged to Contabo GmbH hosting service provider.

The naming method of the domain name used in Operation SideCopy activities is very similar to that of TransparentTribe

https://mp.weixin.qq.com/s/iZuB1IAtNm5DxrrUIJqyoA

Using dual-platform attack weapons for the first time? Analysis of Suspected SideCopy Organization’s Attacks against India

Second bit of Chinese reporting on this hate/hate relationship between Pakistan and India. The interesting thing to note here is the Linux desktop targeting. Maybe 2021 is really the year that Linux is seen to have made it to the desktop by virtue of APTs targeting it as such.

This sample is a tar.gz compressed package named after Modi’s visit to the United States. It contains a Linux desktop startup file. After the file is executed, the decoy video will be downloaded and played to confuse the victim. At the same time, a download RAT will be downloaded Script and execute.

RAT is written in Python language and compiled into ELF file format by PyInstaller tool. After analyzing the source code, we can confirm that the RAT is a remote control tool that spans both Windows and Linux platforms. In addition, through C&C, the gang’s arsenal also includes Bella RAT on the Mac OS platform.

https://mp.weixin.qq.com/s/BSfKTlMlOnNlsWKjV1NM8w

Triple Threat: North Korea-Aligned TA406 Scams, Spies, and Steals

Darien Huss and Selena Larson release a wonderful and detailed bit of reporting on this North Korean threat actor. In short this threat actor shows us what industrial level phishing campaigns look like. Repeat with me - “the power of two factor authentication curtails you”.

Throughout 2021, the North Korea-aligned threat actor TA406 conducted frequent credential theft campaigns targeting research, education, government, media and other organizations.

[We] consider TA406 to be one of several actors that make up the activity publicly tracked as Kimsuky, Thallium and Konni Group.

TA406 doesn’t usually employ malware in campaigns. However, two notable 2021 campaigns attributed to this group attempted to distribute malware that could be used for information gathering.

TA406 engages in espionage, cyber crime and sextortion.

https://www.proofpoint.com/us/blog/threat-insight/triple-threat-north-korea-aligned-ta406-scams-spies-and-steals

ProxyNoShell: A Change in Tactics Exploiting ProxyShell Vulnerabilities

Joshua Goddard released updated indicators on ProxyShell exploitation to reduce some of the fragility in detection techniques by on recently observed threat actor behaviour.

In several recent Incident Response engagements, [we have] observed threat actors exploiting the vulnerabilities in different ways than previously reported. Most notably, the writing of web shells via export of exchange certificate requests instead of mailbox exports, and exploitation of the first two vulnerabilities in the exploit chain only to achieve remote PowerShell and create new mailboxes, assign them privileged access to other mailboxes, then access them via Outlook Web Access (OWA). [We are] reporting these changes in tactics since the detection and response guidance previously issued focused exclusively on web shells originating from mailbox export.

https://www.mandiant.com/resources/change-tactics-proxyshell-vulnerabilities

EMOTET is Back

Emotet was disrupted by Government interventions earlier in the year, but like any great horror plot the zombie awakens in the second half. Shows a degree of resilience and dare I say persistence on behalf of the threat actor.

On Sunday, November 14, at around 9:26pm UTC we observed on several of our Trickbot trackers that the bot tried to download a DLL to the system. According to internal processing, these DLLs have been identified as Emotet.

https://cyber.wtf/2021/11/15/guess-whos-back/

Discovery

How we find and understand the latent compromises within our environments.

EQL To VQL - Leverage EQL Based Detection Rules In Velociraptor

Mike Cohen dropping the wisdom and making us all better with his most loved tool.

In this post we discuss how to leverage detections targeting EQL (an Elastic search query) within Velociraptor. I thought it would also be interesting to discuss the main differences between more traditional logs aggregation solutions (such as Elastic or Splunk) and Velociraptor’s endpoint centric design.

https://docs.velociraptor.app/blog/2021/2021-11-09-eql2vql/

Defence

How we proactively defend our environments.

Fighting Back Against Cobalt Strike

Callum Roxan and James Dorgan do a wonderful job and breaking down the problem and providing real-world techniques to fight back at CS.

Sysmon Cheatsheet

Olaf Hartong explains all Microsoft Sysmon event types and their fields.

https://github.com/olafhartong/sysmon-cheatsheet

Awesome KQL

A nice little resource of some Azure Sentinel KQL queries with explanations. Great for those getting up to speed.

https://github.com/basedfir/awesomekql/

Living off the Land (LotL) Classifier Open-Source Project

Andrei Cotaie, Tiberiu Boros, Kumar Vikramjeet, and Vivek Malik show the power of machine learning applied to detection challenges. Bonus points because they open sourced too. They get a 💖.

Using open source and other representative incident data, we developed a dynamic and high-confidence program, called LotL Classifier, and then we open sourced it to the broader community.

The LotL Classifier is unique because it uses a supervised learning approach — this means it maps an input to an output based on example input-output pairs.

https://medium.com/adobetech/living-off-the-land-lotl-classifier-open-source-project-b167484c8187

Binary Refinery

Jesko Hüttenhain, Lars Wallenborn, Derrick Karpo and Johannes Bader release a CyberChef data processing pipeline but for the command line.

https://github.com/binref/refinery/

Offense

Attack capability, techniques and tradecraft.

LSA Relay X

Ceri Coburn provides a tool to ease relaying of NTLM authentication requests across protocols for offensive benefit.

lsarelayx is system wide NTLM relay tool designed to relay incoming NTLM based authentication to the host it is running on.

https://github.com/CCob/lsarelayx

Azure Imposter

Lars Karlslund shows that tradecraft for cloud is a thing

Go module that pretends to be any clientID and grabs an authentication token from Azure using interactive login (w/mfa if enabled) and returns the token to the caller. This can then be used to enumerate users, groups etc. depending on what scope you've requested.

https://github.com/lkarlslund/azureimposter

BloodyAD an Active Directory Privilege Escalation Framework

Well if Bloodhound provided you the knowledge BloodyAD is like giving an Uzi to a child.

This tool automate the AD privesc between two AD objects, the source (the one we own) and the target (the one we want) if a privesc path exists. The automation is split in two parts:

https://github.com/CravateRouge/bloodyAD

Bypassing Microsoft Defender

A neat technique which demonstrates the fragility of our defensive world. This is why telemetry is so critical to allow detection for less common yet suspicious activity.

Living Off Trusted Sites (LOTS) Project

A site which basically shows why you shouldn’t rely on hostname network detection for your cyber defence strategy.

https://lots-project.com/?s=09

CheckCert

Sanjiv Kawa provide a Cobalt Strike BOF which is capable of helping detection if there is TLS traffic interception in operation.

https://github.com/skahwah/CheckCert

Exploitation

What is being exploited.

An APT Group Exploiting a 0-day in FatPipe WARP, MPVPN, and IPVPN Software

FBI detailing zero day exploitation against a VPN product.

As of November 2021, FBI forensic analysis indicated exploitation of a 0-day vulnerability in the FatPipe MPVPN® device software going back to at least May 2021.

https://www.ic3.gov/Media/News/2021/211117-2.pdf

Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities

Various CVEs being exploited by Iran in this USG reporting.

The Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations.

https://us-cert.cisa.gov/ncas/alerts/aa21-321a

Vulnerability

Our attack surface.

Windows MDM LPE Zero Day

A Microsoft Windows zero day local privilege escalation from Abdelhamid Naceri via Windows MDM.

https://github.com/klinix5/WindowsMDMLPE

CVE-2021-0146: Intel® Processor Advisory

No need to panic unless you are in the high threat club, make video game consoles, produce digital media streaming devices or anything else where you might not want this to happen.

Hardware allows activation of test or debug logic at runtime for some Intel(R) processors which may allow an unauthenticated user to potentially enable escalation of privilege via physical access.

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00528.html

Footnote

Some other small bits and bobs which might be of interest.

That’s all folks.. until next week..