Bluepurple Pulse: week ending September 19th

Don't be a cyber mercenary...

Welcome to the substack highlights from the blueteamsec subreddit.

Operationally the week has been the long tale of CVE-2021-40444 (we have patches, exploits and mass exploitation) and then CVE-2021-38647. CVE-2021-38647 is an authentication bypass in a homage to the ‘90s resulting in remote code execution against a Linux Open Management Infrastructure agent of which there are a lot in Azure. Kevin Beaumont pushed the red button on the Wiz finding whilst Daniel Card continued to keep the world honest and updated on the situation.

The high-level news this week came in the guise of the US Government enacting its “domestic talent retention” or “stop cyber mercenaries” strategy - depending on your point of view. News came via a scoop from Reuters in the piece Ex-U.S. intel operatives admit hacking American networks for UAE. In short ex-USG employees go somewhere foreign, ignore all export laws, enable the hacking of US targets and then end up experiencing the legal ramifications but don’t go to jail. In the days that followed a US supplier of exploits to the project got outed, followed soon after by a different US supplier to India.

The 🤯 this week came in the guise of this nugget from P W Singer in his book Cybersecurity and Cyberwar: What Everyone Needs to Know (not quite as terrible as it sounds).

Managers often don’t see any return on money thrown at security solutions. Software developers are compensated for speed and new features, not making their code more secure. Why does this market fail?

In the language of economics, security is an externality. Externalities are costs or benefits from an action that fall to someone other than that actor.

The predicament of insecurity in cyber today is that it has many of the same characteristics of such negative externalities. The owner gets the benefits of using a system but doesn’t bear a huge cost for the vulnerabilities it introduces.

That short abridged passage on externalities does a wonderful job of explaining in part why security generally continues to err on the side of terrible.

Last but not least we have a new ISO standard for Software Bill of Materials (SBOMs).

The Linux Foundation, Joint Development Foundation, and the SPDX community, today announced the Software Package Data Exchange® (SPDX®) specification has been published as ISO/IEC 5962:2021 and recognized as the international open standard for security, license compliance, and other software supply chain artefacts.


Have a lovely late Friday (I’m busy this weekend not doing computers).


Cyber threat intelligence

Who is doing what to whom and how.

Chinese APT Still Exploiting ProxyLogon - yes that Microsoft Exchange Vulnerability

Kevin Beaumont’s Honeypot setup which comes with a company, an entire backstory, telephone number and receptionist (yes really) hit gold this week when a Chinese APT broke in.

The intrusion used the MgBot malware, which has been tracked in various campaigns, showing China continues to use this vulnerability and isn’t assuming everyone interesting is patched.

India suspected of attack against Pakistani Navy

Nothing overly remarkable in this campaign, with lure documents and multi-stage Windows implants, but it is evidence of the continued regional tit-for-tat between these two countries. Let’s be honest: if you are using exploits from 2017 against your target and winning, then you hope they are trainees having fun and getting dopamine.

The downloaded RTF file, exploiting CVE-2017-11882 vulnerability, can launch the Microsoft utility mshta.exe on the first of its embedded objects.

Pakistan APT Group Targets Indian Defense Officials Through Enhanced TTPs

As I said, tit-for-tat; this campaign is suspected of being the group known as SideCopy. They did however show novelty in their attempt to avoid endpoint detection.

[they] used a technique to hide the actual malware in the .vhdx file to avoid any antivirus detection. As per Wikipedia, .vhdx is the successor of VHD (Virtual Hard Disk).

CloudFall Targets Researchers and Scientists Invited to International Military Conferences in Central Asia and Eastern Europe

Sudeep Singh and Sahil Antil detail a campaign that is interesting for its targeting and is suspected of being Russian in origin.

In August 2021, we identified several malicious Microsoft Word documents which used a multi-stage attack-chain abusing Cloudflare Workers and features of MS Office Word to target users in Central Asia and Eastern Europe.

Based on the social engineering lures used in the decoy content, we conclude with a moderate confidence level that the targets of this campaign were scientists and researchers who were invited to International military conferences

We have named this threat actor CloudFall based on the network infrastructure used by them. There is also a strong overlap between this threat actor and the CloudAtlas APT group.

Vermilion Strike: Linux and Windows Re-implementation of Cobalt Strike

Avigayil Mechtinger, Ryan Robinson and Joakim Kennedy document a re-implementation of a protocol-compatible Cobalt Strike beacon for Linux and Windows, discovered in the wild. Discoveries such as these demonstrate threat actor capability and why we can’t assume our jobs are done when we can detect the shipping Cobalt Strike beacons.

Discovered Linux & Windows re-implementation of Cobalt Strike Beacon written from scratch

Highly targeted with victims including telecommunications, government and finance

The overlap they refer to on the Windows binary is under UNC1360 in January 2019. From our (NCC Group’s) data we can see this campaign’s infrastructure since May 2020.

Magecart Group 8: Credit Card Skimmers

Jérôme Segura uncovers and documents the vastness of the infrastructure associated with this threat actor. They break into online stores and modify the shops to capture the supplied payment information.

One Magecart group that has left a substantial amount of bread crumbs from their skimming activity has been documented under various names (Group 8, CoffeMokko, Keeper, FBseo). It is believed to be one of the older threat actors in the digital skimming space.

PYSA Ransomware Gang adds Linux Support

We have seen a growing trend of various organised crime groups expanding their capabilities to Linux. I remember seeing Trickbot in on it quite early, but where some innovate others are sure to follow.

The first Linux version of ChaChi, a Golang based DNS tunneling backdoor, was recently observed on VirusTotal.

The malware is configured to use domains associated with ransomware actors known as PYSA, aka Menipoza Ransomware Gang.

PYSA’s ChaChi infrastructure appears to have been largely dormant for the past several weeks, mostly parked and apparently no longer operational.

TeamTNT Go after Linux Targets with Gusto

TeamTNT continue to show they had their formative years in the 90s and early 00s through their technology selection for command and control (IRC) in a large campaign to mine cryptocurrency. They are also the second group covered this week with Linux capability.

TeamTNT that is targeting multiple operating systems and applications. The campaign uses multiple shell/batch scripts, new open source tools, a cryptocurrency miner, the TeamTNT IRC bot, and more.

TeamTNT is using new, open source tools to steal usernames and passwords from infected machines.

The group is targeting various operating systems including: Windows, different Linux distributions including Alpine (used for containers), AWS, Docker, and Kubernetes.

The campaign has been active for approximately one month and is responsible for thousands of infections globally.

Grayfly: Chinese Threat Actor Uses Newly-discovered Sidewalk Malware in the Telecoms Sector

China going big and not going home in this campaign. Building on the ESET reporting we get further attribution and victimology. Highlights the continued interest in hacking telecommunications and other parts of the supply chain as well.

Sidewalk was recently documented by ESET, who attributed it to a new group it called SparklingGoblin, which it linked to the Winnti malware family. We have attributed Sidewalk to Grayfly, a longstanding Chinese espionage operation.

The malware, which is related to the older Crosswalk backdoor (Backdoor.Motnug) has been deployed in recent Grayfly campaigns against a number of organizations in Taiwan, Vietnam, the United States, and Mexico. A feature of this recent campaign was that a large number of targets were in the telecoms sector. The group also attacked organizations in the IT, media, and finance sectors.

APT-C-36/Blind Eagle Throw Around Commodity RATs

This actor from Colombia shows you can have regional impact if you don’t care for precision - their motives are financial and their ability to adapt is increasing.

Over the course of this investigation, we have found various new tactics, techniques, and procedures (TTPs) used by APT-C-36.  Our research shows that they modify their methods frequently, as evidenced by their use of different link shorteners and RATs. While spear-phishing emails are the initial infection vector for this ongoing campaign, the threat actor is constantly changing their payloads and improving their techniques to avoid detection, such as their use of geolocation filtering.

Aviation Themed and Targeted Sector by Nigerian Actor

It is no secret that threat actors like passenger information for all manner of reasons. Tiago Pereira and Vitor Ventura document a campaign running for over 5 years using commodity RATs with some success by a threat actor in Nigeria.

[We] linked the recent aviation targeting campaigns to an actor who has been targeting the aviation industry for two years.

Although always using commodity malware, the acquisition of crypters to wrap the malware makes them more effective.

Made in China: OSX.ZuRu - Trojanized Apps Spread by Sponsored Searches

Zhi noticed a threat actor was paying for adverts on China’s Baidu to distribute trojanised macOS software, showing threat actors have money and are willing to spend it on legitimate services.

When you searched for the keyword iterm2 at around 1:00 pm on September 8, 2021, your company promoted a guaranteed advertising link to me.

The poisoned installers included fake iTerm2, Navicat, snailsvn and others. Patrick Wardle then picked up the baton, did some malware analysis and showed that it concludes with a Cobalt Strike beacon.

BazarLoader to Conti Ransomware in 32 Hours

The DFIR Report looks back on an intrusion in July showing the relationships between families and how quickly it can all go wrong.

In July we witnessed a BazarLoader campaign that deployed Cobalt Strike and ended with domain wide encryption using Conti ransomware

At the time of the intrusion, the group was favoring zip attachments with malicious javascript files to download the BazarLoader malware. However BazarLoader has also been used with Word and Excel documents as well.


How we find and understand the latent compromises within our environments.

Analysis of BeaconEye and improvements

d_infinite continues their quest to attack and improve BeaconEye, the Cobalt Strike beacon detection tool. They identify a gap and demonstrate a fix to avoid some of the detection misses caused by the Windows heap.

Full-Spectrum Cobalt Strike Detection

Insikt Group® release an impressive body of work, even if it tells us what we already knew.

Effective detection of Cobalt Strike activity requires a full spectrum of detections, including host-based monitoring, network-based monitoring, and threat intelligence to identify Cobalt Strike C2s.

ScanOps at Scale

Discussions of legality aside, ScanOps is the sexy term used in Cyber Threat Intelligence circles to describe the discovery of actor infrastructure or victims via whole-internet scanning. Pavel Shabarkin documents how to build a system to do this for Cobalt Strike command and control servers.


How we proactively defend our environments.

Free Universal Decryptor for REvil/Sodinokibi Ransomware

Not quite defence, but it enables recovery of lost data. It shows why, even if you get hit by ransomware and can’t decrypt at the time, you might want to keep a copy of the encrypted data.

Created in collaboration with a trusted law enforcement partner, this tool helps victims encrypted by REvil ransomware to restore their files and recover from attacks made before July 13, 2021

Policy-as-Code in Azure by Example

Jesse Loudon has been showing the world how to leverage Bicep and Terraform to apply Azure Policy as Code:

Azure Policy as Code is the combination of IaC (Infrastructure as Code) and DevOps ensuring governance at scale is shifted away from click-ops and after-hours support towards a codified, policy-driven strategy

I also wrote on my other substack a broader piece titled Policy as Code: the future is bright, as a quick canter through how we got here and the opportunity ahead.



Attack capability, techniques and tradecraft.

Attack Surface Reduction Bypass

Henri Hambartsumyan documents a previously identified bypass and how to detect it.

You can drop your desired test file with a random extension that is not monitored (i.e. .txt) and then rename the file to the blocked extension and ASR will not trigger. Emeric Nasi documented this and other bypasses way before we found them.

Using Go to implement CobaltStrike's Beacon

A second implementation of the CS beacon, written in a way that will frustrate some of the on-host detection techniques.

SleepyCrypt: Encrypting a running PE image while it sleeps

Solomon Sklash documents and provides code on how to frustrate infrequent memory scanning techniques, although the entropy variance may in and of itself provide a possible hook for detection.

So I set out to create a proof of concept to encrypt the loaded image of a process periodically while that process is sleeping, similar to how a Beacon or implant would.

Mimikatz in a JavaScript Loader

Casey Smith shows why we detect the technique and not the tool.


What is being exploited.

NSO Group iMessage Zero-Click Exploit Captured in the Wild

A now patched vulnerability caught through great analysis and research.

While analyzing the phone of a Saudi activist infected with NSO Group’s Pegasus spyware, we discovered a zero-day zero-click exploit against iMessage. The exploit, which we call FORCEDENTRY, targets Apple’s image rendering library, and was effective against Apple iOS, MacOS and WatchOS devices.

If you want to check whether you or your users were targeted by this vulnerability, Costin Raiu outlined a simple way:

Another simple way to check iOS devices for signs of CVE-2021-30860 / FORCEDENTRY exploitation. Run MVT, then simply: cat timeline.csv | grep "Library/SMS/Attachments" | grep -i "\.gif"
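The same check over an MVT timeline, as an added example that is not part of the newsletter or Costin Raiu's tweet: it parses the CSV properly instead of grepping, matches the .gif extension case-insensitively, and only counts the extension of the attachment path itself rather than any ".gif" substring. The column layout (UTC Timestamp, Plugin, Event, Description) and the description wording are assumptions about MVT's output, and the timeline below is constructed.

```python
import csv
import io
import sys
from typing import Dict, List

# Constructed MVT-style timeline.csv (column names are an assumption about MVT output).
SAMPLE_TIMELINE = """UTC Timestamp,Plugin,Event,Description
2021-09-01 10:11:12.000000,sms_attachments,attachment_received,"Attachment Library/SMS/Attachments/12/02/ABC/photo.jpeg from +10000000000"
2021-09-02 03:04:05.000000,sms_attachments,attachment_received,"Attachment Library/SMS/Attachments/34/04/DEF/image.GIF from +10000000001, via iMessage"
2021-09-03 06:07:08.000000,sms_attachments,attachment_received,"Attachment Library/SMS/Attachments/56/06/GHI/picture.gif from +10000000002"
2021-09-04 09:10:11.000000,safari_history,visit,"https://example.invalid/not.gif.html"
2021-09-05 12:13:14.000000,sms_attachments,attachment_received,"Attachment Library/SMS/Attachments/78/08/JKL/archive.gif.zip from +10000000003"
"""

ATTACHMENT_DIR = "Library/SMS/Attachments"


def find_gif_sms_attachments(timeline_csv: str) -> List[Dict[str, str]]:
    """Return timeline rows that reference an SMS attachment whose file
    extension is .gif (case-insensitive). Mirrors the tweet's two greps but
    ignores rows where '.gif' merely appears elsewhere in the text."""
    hits: List[Dict[str, str]] = []
    for row in csv.DictReader(io.StringIO(timeline_csv)):
        desc = row.get("Description", "")
        start = desc.find(ATTACHMENT_DIR)
        if start == -1:
            continue  # not an SMS attachment row
        # The attachment path runs from the directory prefix to the next space.
        path = desc[start:].split()[0].rstrip(",")
        if path.lower().endswith(".gif"):
            hits.append({
                "timestamp": row["UTC Timestamp"],
                "plugin": row["Plugin"],
                "path": path,
            })
    return hits


def load_timeline(path: str) -> str:
    """Read a real MVT timeline.csv from disk."""
    with open(path, encoding="utf-8") as fh:
        return fh.read()


if __name__ == "__main__":
    data = load_timeline(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_TIMELINE
    for hit in find_gif_sms_attachments(data):
        print(f"{hit['timestamp']}  {hit['plugin']}  {hit['path']}")
```

A hit only says a .gif attachment arrived over SMS/iMessage, which is normal traffic too; it is a triage lead for further MVT analysis, not proof of exploitation.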

Mickey Jin also released an analysis of the exploit:

The NSO Group started deploying the zero-click exploit that managed to circumvent BlastDoor, which Citizen Lab calls ForcedEntry

APT Actors Exploiting Newly Identified Vulnerability in ManageEngine ADSelfService Plus

USG put an alert out on an APT actor exploiting an Active Directory Self-Service and password management solution. Again shows APTs are indeed capable of finding and exploiting zero-days to good effect. But also we can detect them…


Our attack surface

Travis CI Forking Vulnerability Leading to Secrets

Cloud scale CI/CD eeek right here with this vulnerability.

a Public repository forked from another one could file a pull request (standard functionality e.g. in GitHub, BitBucket, Assembla) and while doing it, obtain unauthorized access to secret from the original Public repository with a condition of printing some of the files during the build process. In this scenario secrets are still encrypted in the Travis CI database.

Odd Proxy Demos

A Chinese researcher has released labs and exploit details for several vulnerabilities which allow attacks against HTTP proxies, namely Nginx, Squid, HAProxy and mod_proxy. Of these the HAProxy one is the most recent, in the guise of CVE-2021-40346.

An integer overflow exists in HAProxy 2.0 through 2.5 in htx_add_header that can be exploited to perform an HTTP request smuggling attack, allowing an attacker to bypass all configured http-request HAProxy ACLs and possibly other ACLs.

These are all pretty horrible due to the proxies often being Internet facing, the fact these combinations could be used in various complex solutions, and the fact the impact is some form of subversion or bypass.


Sometimes it is fun to read about the enablers of cyber crime - the report Bulletproof Hosting Services: Investigating Flowspec is an interesting read.

There were also two high-level reports out this week:

Finally I came across the Cyber Conflict Factbook 2020 - an impressive body of work.

That’s all folks.. until next week..

Leave a comment with your feedback or reply by e-mail.
