Bluepurple Pulse: week ending October 24th

When hiring hackers via the gig economy to work for organised crime becomes a thing..

Welcome to the weekly highlights and analysis of the blueteamsec subreddit.

In the high-level this week first was the revelation that FIN7 established a new front company called Bastion Secure which recruited penetration testers to support their ransomware operations. This isn’t the first time they’ve done this and in part is likely symptomatic of new ways of working i.e. fully remote and gig based. Fascinating times when employees need to do due-diligence on employers.

Second is Joint Statement of the Ministers and Representatives from the Counter Ransomware Initiative Meeting October 2021 hosted by the USA. To save you a read the headlines are - Resilience, Countering Illicit Finance, Disruption and other Law Enforcement Efforts and Diplomacy. Then as if by magic Reuters reported the REvil Tor site was hacked and forced offline by US Government and friends. Get the🍿 as initial reports indicate than some ransomware affiliates are directing retaliation against US assets.

Finally I ran polls on Twitter and Linked on if we should treat Red Teams like other offensive actors and the results were interesting.

Linkedin:

Twitter:


On the book front I finished Lab Rats: How Silicon Valley Made Work Miserable for the Rest of Us. It is an amusing yet powerful and insightful read showing how some of the new ways of working create toxic work environments, behaviours and outcomes. I recommend for anyone getting swept up in maelstrom of start-up life or big corporate transformation.

Enjoying this? don’t get via e-mail? then subscribe:

Think someone else would benefit? Share:

Share

Have a lovely Saturday

Ollie

Cyber threat intelligence

Who is doing what to whom and how.

Nation State Lyceum group reborn

Mark Lechtik details the re-emergence of the group known as Lyceum group, Hexane, Cobalt Lyceum and ATK 120 who have historically been described as:

The threat actor shows similarities with other groups such as APT 33, Elfin, Magnallium and OilRig, APT 34, Helix Kitten, Chrysene, both active since at least 2017 and involved in attacks on oil and gas companies. Anyway, experts pointed out that the Hexane group has differed TTPs and has its own arsenal.

Mark’s analysis shows an evolution by the actor and further crossover with the previous attributions.

Our investigation into Lyceum has shown that the group has evolved its arsenal over the years and shifted its usage from the previously documented .NET malware to new versions, written in C++.

..

Finally, we noticed certain similarities between Lyceum and the infamous DNSpionage group, which, in turn, was associated with the OilRig cluster of activity. Besides similar geographical target choices, and the use of DNS or fake websites to tunnel C&C data as a TTP, we were able to trace significant similarities between lure documents delivered by Lyceum in the past and those used by DNSpionage.

https://securelist.com/lyceum-group-reborn/104586/

Harvester: Nation-State-Backed Group Uses New Toolset to Target Victims in South Asia

Governments hack telecommunications Part I - using Cobalt Strike and Metasploit. This Nation State tooling sounds like a 5 person Red Team on bad Tuesday after they’ve gone drinking Monday night.

A previously unseen actor, likely nation-state-backed, is targeting organizations in South Asia, with a focus on Afghanistan, in what appears to be an information-stealing campaign using a new toolset.

The Harvester group uses both custom malware and publicly available tools in its attacks, which began in June 2021, with the most recent activity seen in October 2021.

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/harvester-new-apt-attacks-asia

LightBasin: A Roaming Threat to Telecommunications Companies

Governments hack telecommunications Part II - by Jamie Harries and Dan Mayer - but show the other end of the spectrum where threat actors understand telecommunications protocols and develops custom tooling with glorious effect.

There is scene in Tropic Thunder when everything explodes that is so over the top that you can’t quite believe it. This feels like the cyber equivalent - this is a true APT.

LightBasin (aka UNC1945) is an activity cluster that has been consistently targeting the telecommunications sector at a global scale since at least 2016, leveraging custom tools and an in-depth knowledge of telecommunications network architectures.

Recent findings highlight this cluster’s extensive knowledge of telecommunications protocols, including the emulation of these protocols to facilitate command and control (C2) and utilizing scanning/packet-capture tools to retrieve highly specific information from mobile communication infrastructure, such as subscriber information and call metadata.

https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks/

Large South Asian Campaign against government, military, electric power and nuclear

An extensive analysis in Chinese of Bitter/T-APT-17 an South Asian threat actor (which is basically code for India or Pakistan) who targets East Asia, South Asia and wider mainly targeting government, military industry, electric power and nuclear energy to carry out targeted attacks to steal sensitive information. This discovered campaign is large but very basic in terms of technical tradecraft. If you protect against CHM files - you’ll be fine.

captured hundreds of samples of BITTER attacks from February to September 2021 in daily threat hunting. In the attack, the attacker mainly uses military, energy, financial, etc. as themes

https://mp.weixin.qq.com/s/XVwQ65Ta4L8uG0rlJ7XOqQ

VNC Malware (TinyNuke, TightVNC) Used by Kimsuky Group

North Korea showing they have banking malware and aren’t afraid to couple it with VNC to get screen/keyboard access. Amazing what capabilities you develop when you drain the liquidity out of an economy due to sanctions.

VNC, also known as Virtual Network Computing, is a screen sharing system that remotely controls other computers. Similar to the commonly-used RDP, it is used to remotely access and control other systems.

Kimsuky group installs AppleSeed backdoor on the target system after the initial compromise, then additionally installs VNC malware via AppleSeed to ultimately control the target system in a graphical environment. One of the VNC malware that is installed is TinyNuke.

https://asec.ahnlab.com/en/27346/

Targeted hunting activities for the securities and financial industry in China

Chinese reporting on a threat actor going after this vertical regionally. This actor is interesting in that they have criminal intent but have managed to steal and use code signing certificates offensively.

an APT group that specifically targeted financial, securities, software, gaming and other industries during the daily threat discovery process. The main purpose was to collect money and initiate supply chain attacks. It misappropriated a large number of securities services and software companies.

https://mp.weixin.qq.com/s/F9fJCDeZZWlWDeyqpV_ltw

Attacks against Chinese scientific research institutions

Sometimes when you sit in the west you look at academia getting pummelled and you feel victimised. Well it appears it isn’t just us based on this Chinese reporting. Like western academic targeting the capability is also rather basic.

Since the beginning of this year, we have repeatedly captured the organization's continuous attacks on many scientific research institutions in our country. Recently, we have captured another incident of the organization's attack on China's scientific research institutions.

https://mp.weixin.qq.com/s/XbKjW7B2VrM877wBTRWr4g

New Espionage Campaign Targets South East Asia

Some lightweight indicators here on an unattributed espionage campaign which used Dropbox for exfiltration. Again a really broad campaign with no indication as to initial entry mechanism.

An espionage campaign using a previously undocumented toolset has targeted a range of organizations in South East Asia. Among the identified targets are organizations in the defense, healthcare, and information and communications technology (ICT) sectors. The campaign appears to have begun in September 2020 and ran at least until May 2021.

The toolset used by the attackers includes loaders, a modular backdoor, a keylogger, and an exfiltration tool designed to abuse cloud storage service Dropbox. 

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-campaign-south-east-asia

Phishing campaign targets YouTube creators with cookie theft malware

Being a social media influencer myself this week I feel victimised by this campaign. Ashley Shen documents a campaign showing the next evolution of criminal behaviour in the cyber domain. When you have an audience will be monetized is what we take away from this:

The actors behind this campaign, which we attribute to a group of hackers recruited in a Russian-speaking forum, lure their target with fake collaboration opportunities (typically a demo for anti-virus software, VPN, music players, photo editing or online games), hijack their channel, then either sell it to the highest bidder or use it to broadcast cryptocurrency scams.

https://blog.google/threat-analysis-group/phishing-campaign-targets-youtube-creators-cookie-theft-malware/

A persistent AgentTesla campaign is targeting the UAE

AgentTelsa is a commercial RAT which is being used in this campaign by an unknown actor with a very specific region interest.

[we] have analysed a long-running AgentTesla infostealer campaign targeting Dubai and the United Arab Emirates. The campaign began in at least January 2021 and the samples we gathered continued, almost daily, until May 2021. We have also seen new samples compiled in October 2021. Unlike most AgentTesla campaigns, the targeting focused heavily on the UAE, with only a handful of samples using the same C2 servers venturing outside the region into India and Italy.

https://www.cyjax.com/2021/10/15/a-persistent-agenttesla-campaign-is-targeting-the-uae/

Malicious campaign uses a barrage of commodity RATs to target Afghanistan and India

This reporting by Ahseer Malhotra shows a South Asian state (Pakistan) is still using vulnerabilities from 2017 and using common of-the-shelf RATs with some gusto.

[a] a new campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver a variety of commodity malware to victims. The campaign consists of two phases: A reconnaissance phase that involves a custom file enumerator and infector to the victims and an attack phase that deploys a variety of commodity RATs, such as DcRAT and QuasarRAT.

delivered via malicious documents exploiting CVE-2017-11882 — a memory corruption vulnerability in Microsoft Office — and AndroidRAT to target mobile devices.

The actor also uses a custom file enumerator and infector in their initial reconnaissance phase of the attack.

https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html

New Yanluowang Ransomware Used in Targeted Attacks

Details on a fledgling new ransomware strain seen in the wild.

In a recent attempted ransomware attack against a large organization, [we] obtained a number of malicious files that, upon further investigation, revealed the threat to be a new, if somewhat underdeveloped, ransomware family.

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-targeted-ransomware

TA505 Ramps Up Activity, Delivers New FlawedGrace Variant

Reporting on an Excel maldoc campaign by Zydeca Cass, Axel F, Crista Giering, Matthew Mesa, Georgi Mladenov and Brandon Murphy. Nothing overly sophisticated - but an award for convolution for sure. Protect against macros in Microsoft Office documents and you’ll be fine.

https://www.proofpoint.com/us/blog/threat-insight/whatta-ta-ta505-ramps-activity-delivers-new-flawedgrace-variant

Team TNT Deploys Malicious Docker Image On Docker Hub

Siddharth Sharma brings us this revelation that wider stores are being used for hosting by malicious actors.

recently identified a campaign in which the TeamTNT threat actors deployed a malicious container image (hosted on Docker Hub) with an embedded script to download Zgrab scanner and masscanner—penetration testing tools used for banner grabbing and port scanning respectively. Using the scanning tools inside the malicious Docker image, the threat actor tries to scan for more targets in the victim’s subnet and perform further malicious activities.

https://www.uptycs.com/blog/team-tnt-deploys-malicious-docker-image-on-docker-hub-with-pentesting-tools

An Emerging Threat With A Hint of Nemty Pedigree

Antonis Terefos details yet another ransomware actor who came onto the pitch in June but has crossovers with prior groups. Good bit of cyber anthropology (yes I really did just say that).

Karma is a relatively new ransomware threat actor, having first been observed in June of 2021. The group has targeted numerous organizations across different industries.

In this post, we take a deeper dive, focusing on the evolution of Karma through multiple versions of the malware appearing through June 2021. In addition, we explore the links between Karma and other well known malware families such as NEMTY and JSWorm and offer an expanded list of technical indicators for threat hunters and defenders.

https://www.sentinelone.com/labs/karma-ransomware-an-emerging-threat-with-a-hint-of-nemty-pedigree/

IcedID to XingLocker Ransomware in 24 hours

A retrospective by the DFIR Report team on an intrusion flow and speed with which the threat actor worked. Again this stresses the point that aggressive threat actors will be aggressive.

Towards the end of July, we observed an intrusion that began with IcedID malware and ended in XingLocker ransomware, a Mountlocker variant. XingLocker made its first appearance in early May of this year. The new group was featured in the AstroLocker ransomware blog, and it has been very active since then.

https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/

Cobalt Strike Server Lists

A Twitter bot is producing daily lists of CobaltStrike powered infrastructure. The superhero behind this service is unknown - but the community thanks you.

https://twitter.com/cobaltstrikebot?s=20

Discovery

How we find and understand the latent compromises within our environments.

Detecting MiniDump via COM+ Services DLL

A detection for the MiniDumpWriteDump via COM+ Services DLL released in August. Specifically

Identifies suspicious renamed COMSVCS.DLL Image Load, this DLL exports the MiniDump function that can be used to dump aprocess memory. This may indicate an attempt to dump LSASS memory while bypassing command line based detection inpreparation for credential access.

https://github.com/elastic/detection-rules/blob/19d0b996b82bc7684e3c221856a7514125e7b0ac/rules/windows/credential_access_suspicious_comsvcs_imageload.toml

PowerShell Jobs

Dray Agha is quickly becoming one of my favourite researchers in the blue sphere. In this he details an underappreciated aspect of Windows called PowerShell jobs. Systems are so crazy complex these days that finding all the persistence mechanisms means there likely should be a specific book from Wiley just on them.

investigators recently observed an adversary weaponising PowerShell Jobs to schedule their attack, whilst responding to an incident. In this article, we discuss what PowerShell jobs are, how they can be leveraged for malicious purposes, and how defenders can protect, detect, and respond to neutralise the threat. 

https://labs.jumpsec.com/powershell-jobs/

Certified Pre-Owned Detection Ideas

A short but useful post detailing detection approaches to Certificate Services in Microsoft Active Directory abuse for those running legacy environments and subjecting yourself to a Red Team.

https://redhead0ntherun.medium.com/certified-pre-owned-detection-ideas-f866453f1014

Cobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 1

Wonderful bit of work here by Didier Stevens - cracked versions of Cobalt Strike used the same private keys 💥.

https://blog.nviso.eu/2021/10/21/cobalt-strike-using-known-private-keys-to-decrypt-traffic-part-1/

Defence

How we proactively defend our environments.

Visual Studio Code Symon plugin

Carlos Perez has released a Visual Studio Code extension is for helping in the writing of Sysmon XML configuration files.

https://github.com/darkoperator/vscode-sysmon

MSTIC Symon for Linux Configs

A very useful initiative by Roberto Rodriguez building on last weeks release to provide MITE ATT&CK alignment over Linux.

An open-source initiative to document Sysmon for Linux configurations based on adversarial behavior mapped to MITRE ATT&CK.

https://github.com/microsoft/MSTIC-Sysmon/tree/main/linux/configs

Deep Dive into Different Hash types in Windows and How they Apply to Windows Defender Application Control

An excellent breakdown by Matt Graeber on the various hash types and how they work in practice. Also provides a guide on how to interpret hashes in logs and the utilities to calculate.

https://github.com/mattifestation/WDACTools/wiki/File-Rule-Level:-Hash

Security and Audit Logging in Office 365

Joe Stocker provides a comprehensive resource which he humbly titles Everything you wanted to know about Security and Audit Logging in Office 365. It is an aggregation of third party derived information couples with a breakdown of the logging sources and how they behave.

https://thecloudtechnologist.com/2021/10/15/everything-you-wanted-to-know-about-security-and-audit-logging-in-office-365/

Cracking RDP NLA Supplied Credentials for Threat Intelligence

Ray Lai and myself released our research that started during the new year holidays. Basically how to crack passwords supplied over NLA to honeypots to understand if they are organisation specific. Ray was good enough to not ridicule my Python and just diplomatically refactored all of it.

https://research.nccgroup.com/2021/10/21/cracking-rdp-nla-supplied-credentials-for-threat-intelligence/

Offense

Attack capability, techniques and tradecraft.

Skrull Malware DRM

Sheng-Hao Ma has brought us malware guard rails on steroids. If we see this used at scale it could really cause headaches for those that rely on sandbox environments for IoC extraction and triage.

Skrull is a malware DRM, that prevents Automatic Sample Submission by AV/EDR and Signature Scanning from Kernel. It generates launchers that can run malware on the victim using the Process Ghosting technique. Also, launchers are totally anti-copy and naturally broken when got submitted.

https://github.com/aaaddress1/Skrull

SAML 2 Spray

Daniel Scheidt brings password spraying to SAML which will be extensible to other implementations.

Python Script for SAML2 Authentication Password spraying against Sibboleth and SAP IDPs.

https://github.com/LuemmelSec/SAML2Spray

Cobalt Strike Sleep Python Bridge

Joe Vest shows that HelpSystems (makers of CobaltStrike) aren’t going to slow down the innovation on CobaltStrike and its extensibility will continue to evolve. This creates a number of challenges for cyber defences.

This project is an experiment on extending Cobalt Strike with python instead of Aggressor or Sleep.

https://blog.cobaltstrike.com/2021/10/13/cobalt-strike-sleep-python-bridge/

Exploitation

What is being exploited.

DoS PoC for CVE-2021-40449

Oliver Lyak released a proof of concept for this vulnerability that was actually an arbitrary code execution.

CVE-2021-40449 is a use-after-free in Win32k that allows for local privilege escalation.

The vulnerability was found in the wild by Kaspersky.

https://github.com/ly4k/CallbackHell

Vulnerability

Our attack surface.

CVE-2021-42299: TPM Carte Blanche

This vulnerability got published then deleted, but thanks to archive.org we got a copy. Basically a secure boot bypass on Microsoft Surface Pro 3.

On Surface Pro 3 with the SHA1 and SHA256 PCRs enabled on the TPM, BIOS version 3.11.2550 and earlier, only the SHA1 PCRs are extended by the firmware. This means that an adversary can boot into an unmeasured OS and extend the PCRs with false measurements to obtain false attestations.

https://web.archive.org/web/20211019061632/https://github.com/chrisfenner/security-research-1/blob/master/pocs/bios/tpm-carte-blanche/writeup.md

WinRAR’s vulnerable trialware

5.70 is used broadly and Igor Sak-Sakovskiy shows how remote code execution is possible in some instances.

https://swarm.ptsecurity.com/winrars-vulnerable-trialware-when-free-software-isnt-free/

Zerodium looking for VPN zero-days

Enough said really.. only bad people use VPNs right?

Footnote

Some other small bits and bobs which might be of interest

That’s all folks.. until next week..