Detection is no substitute for Mitigation
Preface:
I’ve been asked on multiple occasions if we could write a custom detection as a “compensating control” to mitigate the risk of a vulnerability being exploited, in order to buy system admins more time or better yet to altogether negate the need to take a critical business service offline for patching. This article will explain why the answer has never been “yes”, due to the inherent limitations of Threat Detection and Detection Engineering.
We reported last week on the widespread exploitation of a critical vulnerability in the PaperCut print management software, perpetrated by CL0P and LockBit ransomware affiliates and helped along by a public PoC exploit released by researchers at Horizon3.
On the flip side of that were defenders, creating and sharing detection rules to assist those who couldn’t/hadn’t yet patched the vulnerability, or who wanted to monitor for possible exploitation as a precaution.
While a variety of rules were fielded using Sysmon logs, device-generated logs, and even network telemetry - the team at VulnCheck last week proved why detections can’t truly compensate for a lack of patching, by bypassing all of them in a revised PoC.
Now you see me, now you don’t
The Sysmon detections largely hinged on alerting where the PaperCut application process (pc-app.exe) spawned an unexpected child process like cmd.exe or powershell.exe.
This can be - and indeed already is - circumvented by spawning the reverse shell via an intermediary process, for example by dropping a Java instance of the Meterpreter shell.
While Horizon3 researchers were right to point to native log entries indicative of the exploit’s use of the software’s print scripting interfaces - this, again, was bypassed by VulnCheck, who instead found they could abuse the User/Group Sync “custom programs” feature to achieve the same effect while avoiding those alerts altogether.
The Suricata IDS rule proposed by Proofpoint also proved brittle - because the rule searched for the specific string "/app?service=page/SetupCompleted" as an indication of attempted exploitation, it can also be bypassed by inserting junk values that wouldn’t impact the request, such as page//SetupCompleted or random=1&page/SetupCompleted.
It’s an Art, not a Science
Naturally, the original rules could be modified to alert on a child process of java.exe or to search for a string consistent across variations such as “SetupCompleted” - but that would introduce a high risk of generating false positive alerts.
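As an added illustration (not code from the post, nor Proofpoint’s actual rule), the three rule shapes discussed above expressed as Python predicates over constructed request lines: the literal match, the over-broad “SetupCompleted” match, and a normalising check that parses the request and compares the decoded, slash-collapsed service value. The sample lines, the reading of the second junk variant as an extra query parameter, and the benign look-alikes are all my assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample request lines (not real captures), labelled True where they
# carry the SetupCompleted exploit string. Items 2 and 3 are the two junk-insertion
# variants from the post (item 3 is one reading of "random=1&page/SetupCompleted");
# items 4 and 5 are benign look-alikes that merely contain the word SetupCompleted.
SAMPLES = [
    ("GET /app?service=page/SetupCompleted HTTP/1.1", True),
    ("GET /app?service=page//SetupCompleted HTTP/1.1", True),
    ("GET /app?random=1&service=page/SetupCompleted HTTP/1.1", True),
    ("GET /wiki/SetupCompleted HTTP/1.1", False),
    ("GET /app?service=page/Dashboard&note=SetupCompleted HTTP/1.1", False),
]

def exact_string_rule(line: str) -> bool:
    """The brittle form: a content match on the literal string from the original PoC."""
    return "/app?service=page/SetupCompleted" in line

def broad_string_rule(line: str) -> bool:
    """The 'just match SetupCompleted' alternative: resilient to junk, but noisy."""
    return "SetupCompleted" in line

def normalised_rule(line: str) -> bool:
    """Parse the request target and compare the canonical `service` value."""
    # parse_qs decodes the value and ignores extra parameters; collapsing "//" handles the junk slash.
    m = re.match(r"^[A-Z]+\s+(\S+)\s+HTTP/", line)
    if not m:
        return False
    target = urlsplit(m.group(1))
    if target.path != "/app":
        return False
    services = parse_qs(target.query, keep_blank_values=True).get("service", [])
    return any(re.sub(r"/+", "/", s).strip("/") == "page/SetupCompleted" for s in services)

def evaluate(rule, samples=SAMPLES):
    """Return (missed, false_alarms) as lists of sample indices for one rule."""
    missed = [i for i, (line, bad) in enumerate(samples) if bad and not rule(line)]
    false_alarms = [i for i, (line, bad) in enumerate(samples) if not bad and rule(line)]
    return missed, false_alarms

if __name__ == "__main__":
    for rule in (exact_string_rule, broad_string_rule, normalised_rule):
        missed, false_alarms = evaluate(rule)
        print(f"{rule.__name__:20} missed={missed} false_alarms={false_alarms}")
```

The literal rule misses both variants, the broad rule fires on both benign lines, and only the normalising rule gets all five right; a production rule would still need the same treatment for every other parameter the attacker can reorder or pad.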
This brings me to the point of this post - Detection Engineering is a constant battle to maintain a (heavily subjective) balance between being specific enough to generate as few false positive alerts as possible, while also being broad enough to account for attacker permutations and alternate components that can be inserted into the exploit chain to evade our detections.
The PaperCut vulnerability is the perfect example of why detections are not a substitute for mitigation - the quality of your detection hinges entirely on how well you’ve accounted for all possible implementations or variations of a technique or procedure.
Should the authors of the first round of detections have been expected to know that User/Group Sync “custom programs” could also be targeted to exploit the vulnerability? Probably not, but the confidence in those detections - which many security teams would be relying on - would have still been moderate to high, in the absence of evidence that they had in fact missed another attack path for the vulnerability.
In other words - you can’t know what you don’t know, and that’s a problem when an organisation is reliant on detections for mitigation.
The saga continues…
While I’ve got you - if two ransomware groups and a publicly available exploit PoC weren’t enough to get you patching - Microsoft have also reported spotting Iranian actors getting in on the action, with Mint Sandstorm (formerly PHOSPHORUS) and Mango Sandstorm (formerly MERCURY) observed opportunistically exploiting the vulnerability across a range of industries and geographies.
Novel EDR Bypasses used by APT41
Researchers at Trend Micro have published a new report detailing changes to techniques used in recently observed operations by Earth Longzhi - an actor they track as a subset of the China-based APT41 threat group. The group uses legitimate security binaries to side-load malware, employs the BYOVD attack to kill EDR processes, and ensures they crash on resumption through a newly discovered technique called “stack rumbling”.
Intrusions associated with this most recent campaign began with exploitation of public-facing services such as IIS and Exchange servers in order to deploy their Behinder webshell, capable of performing code execution and acting as a SOCKS proxy to enable further incursions into the victim network.
Notably, the actors leverage legitimate Windows Defender executables to perform DLL side-loading and deploy either Croxloader - a loader which decrypts and executes a Cobalt Strike beacon - or a new tool called SPHijacker, designed to disable security products through one of two ways.
These aren’t the droids you’re looking for
The first method used is the now commonplace bring-your-own-vulnerable-driver (BYOVD) attack. In this case it drops a vulnerable driver, zamguard64.sys, before registering and starting it as a service via RPC (Remote Procedure Calls) in an attempt to evade detections for suspicious API calls. SPHijacker then leverages the privileged service to enumerate and terminate security products installed on the infected host.
A new technique which Trend Micro have dubbed “stack rumbling” is then used to ensure the killed processes aren’t able to restart. The technique leverages the undocumented MinimumStackCommitInBytes parameter of the Image File Execution Options (IFEO) registry key, the value of which is used as input by the LdrpTouchThreadStack API call when a process is launched.
All the attacker needs to do is create a new child key in the registry that corresponds to the name of the process the attacker wishes to kill, and set an arbitrary MinimumStackCommitInBytes value large enough to force a touch beyond a stack region - thus triggering a stack overflow error and crashing the process.
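A defender-side check for the registry write described above, added here as an example rather than taken from Trend Micro’s report. It runs over constructed Sysmon Event ID 13 (registry value set) records; the field names follow Sysmon’s schema, while the sample values, the process names and the 1 MiB default-reserve triage heuristic are my assumptions.

```python
import re

# Constructed Sysmon-style "RegistryEvent (Value Set)" (Event ID 13) records, reduced to
# the three fields this check uses. Field names follow Sysmon's schema; every value,
# including the process names, is made up for this example.
IFEO = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Public\sp.exe",
     "TargetObject": IFEO + r"\example-edr.exe\MinimumStackCommitInBytes",
     "Details": "DWORD (0x10000000)"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": IFEO + r"\notepad.exe\Debugger",
     "Details": r"C:\tools\debugger.exe"},
    {"Image": r"C:\Program Files\App\app.exe",
     "TargetObject": r"HKLM\SOFTWARE\App\MinimumStackCommitInBytes",
     "Details": "DWORD (0x00001000)"},
]

# Only a value named MinimumStackCommitInBytes directly under an IFEO image subkey counts.
IFEO_STACK_RE = re.compile(
    r"\\Image File Execution Options\\(?P<image>[^\\]+)\\MinimumStackCommitInBytes$", re.I)
DWORD_RE = re.compile(r"^DWORD \((0x[0-9A-Fa-f]+)\)$")
DEFAULT_STACK_RESERVE = 1024 * 1024  # heuristic: the usual 1 MiB default reserve for PE images

def check_event(event):
    """Return a finding dict for an IFEO MinimumStackCommitInBytes write, else None."""
    m = IFEO_STACK_RE.search(event.get("TargetObject", ""))
    if not m:
        return None
    d = DWORD_RE.match(event.get("Details", ""))
    value = int(d.group(1), 16) if d else None
    return {
        "image": m.group("image"),
        "writer": event.get("Image"),
        "value": value,
        # A commit larger than the image's stack reserve is what crashes the process at
        # launch; the real reserve is per-binary, so this flag is only a triage hint.
        "exceeds_default_reserve": value is not None and value > DEFAULT_STACK_RESERVE,
    }

def hunt(events, protected=()):
    """Run check_event over a batch and mark hits aimed at our own security agents."""
    protected = {p.lower() for p in protected}
    findings = []
    for ev in events:
        f = check_event(ev)
        if f is not None:
            f["protected_target"] = f["image"].lower() in protected
            findings.append(f)
    return findings
```

Because the value is undocumented and almost never set legitimately, any write of it under IFEO is worth an alert on its own; the writer image and the target name then tell you whether it is the EDR itself being silenced.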
Current & Future Targets
Consistent with historical targeting, Trend Micro report that government, healthcare, technology, and manufacturing organisations throughout the Philippines, Thailand, Taiwan, and Fiji were targeted in this most recent campaign.
Embedded documents were also unearthed in the recent campaign which were written in Vietnamese and Indonesian, and likely indicate that organisations in said countries are next on the hit list.
Other Reporting
SentinelLabs reports the DPRK-backed Kimsuky group have been observed deploying a new malware component they’ve dubbed ReconShark (after the BabyShark malware discovered in 2018). The newly discovered piece of malware gathers local process information and checks for installed security products, while also being capable of downloading additional stages and executing them by modifying the .lnk launchers of browser programs;
Will Thomas has published a handy profile on the Raspberry Robin USB worm/botnet, which provides a neat summary of the technical hallmarks of the malware; IOCs, and links to all the key pieces of research published since its discovery nearly two years ago;
Law enforcement have finally confirmed that the 2021 takedown of Monopoly Market was their handiwork, dispelling speculation it’d been an exit scam by the dark web forum operators. The operation netted €50.8 million in cash and cryptocurrency as well as large quantities of drugs and firearms, and led to the arrest of over 288 vendors and customers of the site;
New research into the Conti Leaks documents has enabled the discovery of over $80 million in previously unknown payments made to the gang, while also revealing a lack of use of cryptocurrency mixers as well as the use of exchanges with “Know Your Customer” requirements - which may provide avenues for law enforcement to identify affiliates who received payments.
Hackers pop 5 year old no-patch vulnerability
Fortinet researchers have sounded the alarm over a recent wave of exploitation attempts targeting CVE-2018-9995, a five-year-old CVSS 9.8 vulnerability in the Digital Video Recording (DVR) devices of manufacturer TBK Vision.
TBK Vision claim to have “over 600,000 Cameras and 50,000 Recorders installed all over the world in multiple sectors such as Banking, Retail, Government etc.”, with the discovery of vulnerable devices made more difficult by the fact they’re also on-sold under various other brands such as Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, Night OWL, DVR Login, HVR Login, and MDVR.
The vulnerability would allow an attacker to retrieve administrative credentials by simply supplying a maliciously crafted HTTP Cookie - a trivial attack, for which a public PoC exploit has already been available for five years.
Fortinet note the vendor doesn’t appear to have issued patches for the vulnerability, meaning any internet-exposed devices will be up for grabs unless dropped behind a firewall - as they should be.
No additional commentary has been provided as to the perpetrator of these exploit attempts or their intent, but their activity will at a minimum enable administrative control over said devices, and access to the camera video feeds they manage.
No-patch vulnerability hits EOL Cisco VoIP adapters
Cisco has reported - but declined to fix - a CVSS 9.8 vulnerability impacting their SPA112 2-Port Phone Adapters, which are used by enterprises to add analog phones into VoIP networks.
While it’s highly unlikely such devices would be internet-exposed, this vulnerability would be valuable for lateral movement once inside a network as it would “allow an unauthenticated, remote attacker to execute arbitrary code on an affected device.”
As vulnerability/security support for the adapters expired in June 2020, companies running the vulnerable devices have no choice but to replace them with newer models if they want to maintain functionality.
Other Vulnerabilities
Wordpress Plugins open to PrivEsc via XSS
Researchers have warned the Advanced Custom Fields and Advanced Custom Fields Pro WordPress plugins - with ~2 million active installs worldwide - are vulnerable to an XSS attack which could allow an “unauthenticated attacker to steal sensitive information and escalate their privileges” on the target site.
Exploitation of the vulnerability would require the attacker to coerce an authenticated user with access to the Plugin into visiting a malicious URL.
While patches are available in version 6.1.6 which was released earlier in the week, WordPress’ download stats show that 72.1% of the plugin's users are still using versions below 6.1, which are vulnerable to XSS and other known flaws.
Offensive
ghostbuster - A tool that gains a complete picture of the DNS records (from route53, file input or cloudflare) and the AWS IPs owned by your organization, to detect subdomains that are pointing to dangling elastic IPs (IPs you no longer own).
ETWHash - a C# PoC that is able to extract NetNTLMv2 hashes of incoming authentications via SMB, by consuming ETW events from the SMB Server provider;
Nanodump now supports the PPLMedic exploit, meaning you can dump LSASS on an up-to-date system with Protected Process Light (PPL) enabled;
TrustedSec have published a handy guide to minimising the size of payloads used to test for XSS vulnerabilities;
🔥This is a pretty nifty guide for how to bypass WAF protections by using SQLMAP via Tor - it walks you through how to set it up on Linux/MacOS and how to effectively rotate IPs every 3 seconds to bypass IP-based rate-limiting protections;
Stephen Berger has highlighted an interesting point from a talk last year on Evasion techniques - the potential to apply “watermarks” to Red team tooling to help track implants across VT submissions, and help the Blue team have confidence that malware alerts were in fact for a sanctioned exercise;
🔥If, like me, you’ve been searching for a list of lab/ctf-style environments to help explore the offensive and defensive security options for AWS, GCP, Azure, Kubernetes, and more - look no further.
Defensive
🔥Microsoft’s DART team have published a comprehensive list of commonly encountered - but not entirely obvious - AD configuration flaws, as well as succinct summaries of how they can be abused, and how defenders can mitigate them;
Right on cue, we’ve got another post that looks at common misconfigurations in Azure AD and M365 policies, and provides a short list of default recommendations to shore up your deployment;
Check out this neat post on the methods an attacker can use to perform Privilege Escalation within the AWS Identity Center;
Detect malicious behavior in your network by monitoring for cached schema files in the SchCache folder - this is indicative of using the ADS object API to execute LDAP queries, a la BlackMatter ransomware;
🔥Elastic Labs have just shared publicly a suite of tools to help decrypt or decompress IcedID files; rebuild a PE from IcedID’s custom PE format, and extract and parse binaries from fake gzip files distributed in recent IcedID campaigns;
🔥Michael Koczwara has been on a tear this week, sharing tips for hunting Posh, Deimos, and Havoc C2 infrastructure using OSINT tools such as Shodan and Censys;
Something that’s sure to come in handy for current and aspiring Threat Intel boffins - a comprehensive guide to Structured Analytic Techniques;
Nathan McNulty has published a blog that’ll be useful to both red and blue teamers - how to set up a Certificate Authority in your lab environment for testing.
There’s been a fair bit of hype over a technically feasible, but as-yet unobserved attack called “Juice Jacking” - hacking users’ phones when they plug them into a public charging station. ArsTechnica have done a great job pouring cold water on this attack scenario with a detailed analysis of the technique and its potential impact;
A much more realistic and pervasive threat - supply chain compromise - has been laid bare once again, this time with a researcher self-reporting themselves to Bleeping Computer, having backdoored over 14 different PHP packages on the platform Packagist, one of which had well over 500 million installs;
PSA: Exchange and SharePoint Server 2013 have officially reached EoS - check out this thread for more details on how this impacts you and how to upgrade;
Looking for more industry-recognised certifications to get you started in your career? Google have just released their own cybersecurity certificate and associated course.