Acropalypse - where are your DLP Gods now?
Early last week researchers disclosed a bug in the Markup tool found on Google’s line of Pixel phones, which could be abused to recover sensitive information that may have been redacted or cropped from photos.
Dubbed “Acropalypse”, CVE-2023-21036 will be of particular concern for anyone who’s used the tool to - for example - send a screenshot of their bank account details with the balance redacted to split the bill for a work lunch with a colleague, or upload explicit content to pseudo-anonymous forums such as Reddit with their face cropped out.
While Google fixed the bug in a March update, any images taken, edited, and shared before then by phones running previous versions of the tool remain vulnerable to being reversed, and their sensitive details revealed.
Microsoft: “Pfft, hold my beer”
Days later, it was confirmed that Windows’ Snipping Tool - built on a completely separate codebase - was vulnerable to a similar attack, tracked as CVE-2023-28303.
In this case, the bug only manifests where a user saves the screenshot, then re-opens it in the Snipping Tool to make changes before saving it again to the same location. This appears to cause the tool to write the edited PNG over the old file without truncating it, so the new image’s IEND chunk is followed by leftover data from the original rather than ending the file as intended.
This flaw could have far more serious ramifications for companies, as users often take and send screenshots of internal chats, emails, or browser content to collaborate with external partners or simply to get help from a help desk analyst.
Compared to the Google Pixel vulnerability, it’s much more likely that sensitive URLs, communications, and context could be leaked through recovered screenshots taken with the Snipping Tool, which comes built in on every Windows desktop system. In fact, researchers have reportedly already uncovered over 4,000 images affected by the bug on the file scanning site VirusTotal.
Detection & Mitigation
While it appeared for a time that Windows 10 would miss out on a patch, Microsoft pushed an out-of-band security update over the weekend that remediates the issue in the Snipping Tool on both Windows 10 and 11.
That said, it may still be worth running either the Python script or YARA rules contained here to identify any files that the Snipping Tool failed to truncate properly. This helps ensure there is no further data leakage through continued dissemination of the malformed files throughout or beyond your organisation.
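As an added illustration of what such a check looks for (my own code, not the script or rules linked above): walk a PNG’s chunk list to the first IEND and count whatever bytes follow it. A correctly truncated file has none; a file affected by either bug still carries the old image data after IEND. The sample PNG and the trailing bytes below are constructed, not a real screenshot.

```python
import struct
import sys
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def bytes_after_iend(data: bytes) -> int:
    """Walk the chunk list and return the number of bytes that follow the
    first IEND chunk. 0 means the file was properly truncated; anything
    larger means stale data from an earlier version of the file remains."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 12 + length        # 4 length + 4 type + data + 4 CRC
        if chunk_end > len(data):
            raise ValueError("chunk runs past end of file")
        if ctype == b"IEND":
            return len(data) - chunk_end
        pos = chunk_end
    raise ValueError("no IEND chunk found")


def scan_file(path: str) -> int:
    with open(path, "rb") as fh:
        return bytes_after_iend(fh.read())


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_png(width: int = 2, height: int = 2) -> bytes:
    """Build a tiny valid 8-bit RGB PNG (constructed sample, not a real screenshot)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    scanline = b"\x00" + b"\x00\x00\x00" * width   # filter byte + RGB pixels
    idat = zlib.compress(scanline * height)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


# Constructed samples: a clean PNG, and the same PNG written over a larger
# original without truncation, so stale bytes remain after IEND.
CLEAN_PNG = make_png()
STALE_TAIL = b"<leftover bytes from the original, uncropped image>"
LEAKY_PNG = CLEAN_PNG + STALE_TAIL

if __name__ == "__main__":
    for path in sys.argv[1:]:
        n = scan_file(path)
        print(f"{path}: {n} trailing bytes" + (" -> re-save to truncate" if n else ""))
```

Run it over a directory of exported screenshots; any non-zero count is a file worth re-saving with a patched tool before it travels further.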
Hacktivists aren’t a problem - until they are
In what’s probably the strangest trigger I’ve seen yet for a DDoS campaign, a collective of religiously-motivated hacktivists banded together to target a range of seemingly random Australian organisations after taking offense to a designer’s submission to the Melbourne Fashion Festival here in Australia.
While I’m certainly not one to give fashion advice, it’s not difficult to see how having models clad in fabric with the word “Allah” scrawled in dripping ink could be disrespectful to Arabic-speaking Muslims and Christians who consider the name sacred.
Many were quick to condemn it on social media, and hacktivists - on their part - were quick to brick the designer’s website through a DDoS attack before recruiting other groups and broadening their scope to take in completely unrelated sectors such as banks, hospitals, airports, and government agencies.
The campaign appears to have continued into the weekend, and has chalked up over 70 victims as part of the concerted DDoS and defacement activity.
While it’s a low-tech attack class, the intent was always to send a message, and in that sense - they got what they wanted.
The OpAustralia campaign is a timely reminder of the latent threat of issue-motivated actors, who can redirect their attacks and resources as the need arises and as such - should always be kept in mind.
Guerilla warfare on the Dark Web
The Dark Web marketplace BreachForums has officially gone offline, despite an admin announcing they would continue to operate the site in the wake of its founder, Pompompurin, being detained by law enforcement last week.
The about-face was prompted when the admin, Baphomet, found that Pompompurin’s admin account had been used to log into a content delivery server - after he had been arrested.
Baphomet’s post went on to conclude that law enforcement likely had access to the captured admin’s machine, and that “nothing can be assumed safe […] I can’t confirm the forum is safe, which has been a major goal from the start of this shitshow.”
It turns out that Baphomet’s concerns that law enforcement were lurking in the forum were well-placed, with the FBI revealing days later that they had in fact gained access to the forum’s back-end database, and were using records of conversations between forum members as evidence in proving the charges laid against Pompompurin.
Baphomet acknowledged the development, stating that "at this point the entire document will clearly show what I've said for the entirety of my time on Breached, and that you shouldn't trust anyone to handle your own OPSEC."
Who can you trust?
BreachForums wasn’t just a place to converse with other cyber crims - it provided the escrow services that ensured neither party would get duped when buying or selling malware or services. It was their trusted medium for flogging stolen datasets, credential dumps, and much more.
The immediate impact is that these actors will have to find each other on other forums, but more than that - they need a means of verifying the other party is who they say they are, and that the platform they’re using isn’t operated or infiltrated by law enforcement.
This is much easier said than done.
In 2021 the Australian Federal Police announced that it had continued to operate an encrypted communications app called ANoM after hijacking it in 2018, which allowed them to arrest over 224 criminals who had mistakenly entrusted the app with their security. Just last week the UK’s National Crime Agency revealed they had been operating, and will continue to operate, fake DDoS-for-hire sites as honeypots in order to identify and arrest cyber criminals looking to abuse the service.
Tightening the noose
Threat Intel analyst Alexander Leslie points out that the innate distrust amongst cyber criminals, while well-founded, is also the reason why BreachForums took months to emerge as a trusted platform - an outcome which required the established reputation of someone like Pompompurin to build that trust.
Given this, it’s likely the revival of BreachForums may have come unstuck even without the FBI’s intervention, as - without the established reputation of their predecessor - Baphomet appears to have failed to convince members of the community of their legitimacy.
The particular brand of Guerilla warfare being waged by law enforcement agencies has not only upended the trusted platforms that cyber criminals relied upon to do business, but undermined the relationships that had been built and enabled the ecosystem to function as well as it did.
If this can be sustained, or better yet increased over time, it will hopefully result in a longer-term disruption of the cyber criminal ecosystem.
Other Reporting
SentinelLabs have reported on a campaign targeting telecommunication providers in the Middle East with custom malware, which they believe to be affiliated with the established Gallium and APT41 actors operating out of China;
China’s Mustang Panda threat group have also been busy, with Trend Micro documenting a campaign that showcased the measures used to bypass security controls, leveraging customised malware and open-source tooling alike to achieve their objectives;
Elastic’s research team have uncovered NAPLISTENER - an HTTP listener used by REF2924 which returns a 404 response unless specific parameters are provided, and is used to load and execute attacker payloads in memory to maintain network access;
A GitHub repo that was inadvertently made public by the North Korean APT37 group has allowed Zscaler analysts to provide some valuable insights into the attack vectors, tradecraft and tooling utilised by the group;
Elastic have added their detailed technical analysis of the IcedID GZip campaign, including the loading, execution, and C2 components of the kill chain;
IcedID has gotten a lot of love this week, with NVISO also piling on with some analysis of the VNC backdoors they’ve seen deployed in real-world campaigns;
The BlackGuard Stealer, which operates as a Malware-as-a-Service offering, has gotten a substantial facelift and now is capable of performing crypto-jacking, downloading and executing additional payloads in memory, and propagating via USB;
Nexus is yet another Android banking trojan being sold as a Malware-as-a-Service product, with support for Account Takeover attacks targeting 450 banking and cryptocurrency applications;
🔥Red Canary have published their 2023 Threat Detection Report, a trove of useful information on prevalent trends, threats, techniques, and more;
Mandiant have highlighted some interesting stats from their examination of the ongoing exploitation of 0-day vulnerabilities in 2022, in particular the continued preference of Chinese and other state-backed actors for leveraging them in their campaigns, as well as the distribution of vulnerabilities by vendor and target system.
RCE to Admin on WooCommerce Payments 4.8.0 - 5.6.1
WordPress sites hosted on WordPress.com, Pressable, and WPVIP have been patched against a bug that would enable an unauthenticated attacker to impersonate a site’s administrator and take over any website running the vulnerable WooCommerce Payments plugin.
While no exploit PoCs have been leaked or exploitation seen in-the-wild, the ease of exploitation and level of access this vulnerability grants means we might see that happening sooner rather than later.
Note that if you’re unlucky enough to be hosting your own WordPress instance, or are simply using a 3rd-party provider, you’ll have to manually upgrade the plugin yourself.
Veeam Vulnerability gets a patch…and PoC
A high-severity vulnerability in Veeam’s Backup & Replication software (CVE-2023-27532) has this week been blessed/cursed/blursed with a PoC exploit, devised by security research firm Horizon3.
The vulnerability was disclosed just two weeks earlier, and can be exploited by an unauthenticated attacker to derive clear-text credentials from an unsecured API endpoint. These credentials can then be abused to perform remote code execution with SYSTEM privileges, thereby gaining full control over the vulnerable backup infrastructure.
If you’ve been dragging your heels on this one, you’ll want to make this a priority for Monday!
Offensive
🔥Tokenizer - a kernel mode driver project that allows the replacement of a process token in EPROCESS with a system token, effectively elevating the privileges of the process;
monitor_subdomains - a simple script that uses amass and subfinder to notify you via Discord Webhooks of newly discovered subdomains;
Did you know you can bypass ETW by spamming the EventRegister() function 2048 times to hit the limit of concurrent ETW event providers for a given process? While you’d have to imagine any EDR solution worth its salt would get in before that limit was hit - it’s still a neat trick, and will prevent any additional hooks being inserted into your malicious process for some time.
Defensive
🔥CISA have further cemented their reputation as the “cool dad” of government cybersecurity, sharing the “Untitled Goose Tool”, which utilises “novel authentication and data gathering methods in order to run a full investigation against a customer’s Azure Active Directory (AzureAD), Azure, and M365 environments”, including pulling telemetry for Defender for Endpoint (MDE) and Defender for IoT (D4IoT);
🔥Splunk’s Threat Research Team has shared an excellent resource that walks through several means of abusing Active Directory Certificate Services (ADCS), as well as how to detect and mitigate against it;
Malware analyst @0xToxin has shared a detailed write-up of their analysis of a convoluted Gozi delivery chain, utilised in a recent campaign targeting users in Italy;
If AsyncRAT is more your flavour, or you’re keen to see how the pros use CyberChef to slice and dice malware samples - @embee_research has you covered;
For those hunting for adversaries on the internet - this blog post by Gustav Shen provides a practical walkthrough of how to hunt for publicly exposed attacker tooling and infrastructure;
🔥Kostas Tsale has provided this handy regex that’ll help surface attempts by attackers to execute content stored in Alternate Data Streams - it’s a simple and effective one worth deploying, if you haven’t already!
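To show the shape of such a detection, here is an added example of my own (not Kostas’s regex): a pattern that flags drive-letter paths carrying a `file:stream` suffix, run over constructed process-creation command lines. The regex and the sample records are assumptions for illustration, not real telemetry.

```python
import re

# Assumed pattern (my own, not Kostas Tsale's rule): a drive-letter path whose
# file name is followed by ":<stream>", i.e. an Alternate Data Stream reference.
# Excluding whitespace from both parts avoids false hits such as "--time 12:30",
# and the default "::$DATA" stream is deliberately not matched.
ADS_RE = re.compile(r'(?i)\b[a-z]:\\[^\s:*?"<>|]+:[^\s:*?"<>|\\]+')


def find_ads_paths(command_line: str) -> list:
    """Return every file:stream reference found in one process command line."""
    return [m.group(0) for m in ADS_RE.finditer(command_line)]


def scan_log(lines) -> list:
    """Return (line_number, ads_path) pairs for records that reference an ADS."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        for ads in find_ads_paths(line):
            hits.append((line_no, ads))
    return hits


# Constructed process-creation records, not real telemetry.
SAMPLE_LINES = [
    r'CommandLine: wmic process call create "C:\Users\bob\notes.txt:payload.exe"',
    r'CommandLine: "C:\Windows\System32\notepad.exe" C:\Users\bob\report.docx',
    r'CommandLine: powershell -c "Get-Content C:\Users\bob\calc.txt:hidden.ps1 | IEX"',
    r'CommandLine: C:\Program Files\App\app.exe --time 12:30',
    r'CommandLine: C:\tools\fetch.ps1 -Uri https://example.com:8443/',
]

if __name__ == "__main__":
    for line_no, ads in scan_log(SAMPLE_LINES):
        print(f"line {line_no}: ADS reference {ads}")
```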
The Sigma project has added a catalogue of Log Sources to its arsenal, allowing defenders to determine what logs are needed to implement a given detection, and how to configure it if it’s missing;
Something a SIEM admin for an org using Okta may want to know - it will store plaintext username values in audit logs, which may be problematic in the cases where users accidentally type them in the wrong field and hit Enter. Worth checking to ensure you’re not inadvertently leaving them sitting in the clear in your logs.
Microsoft are trialing enhanced Phishing Protections through their Insider’s program, which attempts to intervene with a warning when users go to paste their passwords into unsafe sites and apps;
The latest round of Pwn2Own has wrapped up, with a slew of 0-days popped in Tesla, Microsoft Teams and SharePoint, Windows 11, Ubuntu Desktop, and more;
Looking to brush up on KQL? Check out these free resources that’ll help you on your way;
One for shops running Terraform as part of their CI/CD pipelines - Sysdig have provided a helpful list of best practices to guide developers in ensuring it’s employed responsibly;
Talks and slides from the recent CTI Summit have been published on YouTube, for your perusal.