For Sale: UEFI Bootkits for Windows 11
ESET researchers have revealed that the BlackLotus UEFI Bootkit - sold on the Dark web since at least October last year for a paltry $5,000 - has been given a facelift to allow it to work on even fully patched Windows 11 systems.
For the uninitiated - UEFI Bootkits provide malicious actors the ability to install malware that persists at a level between the Operating System and computer hardware, and in the case of BlackLotus, the ~80kb bootkit is capable of disabling core security mechanisms such as BitLocker, HVCI (Hypervisor-protected Code Integrity), and Windows Defender; as well as bypassing User Account Control (UAC) measures.
How does it work?
Well, in a nutshell, it exploits a vulnerability from last year (CVE-2022-21894) to bypass Microsoft’s UEFI Secure Boot mechanism and install the bootkit.
While it was patched in January 2022, attackers can simply reintroduce the legitimate, vulnerable binaries into the system and exploit them, as the UEFI revocation list hasn’t been updated with their untrusted keys and binary hashes in order to prevent them from being loaded.
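The revocation check the text says is missing can be reproduced on your own fleet: the Secure Boot dbx is a blob of EFI_SIGNATURE_LIST structures, and the parser below (an added example, not code from the newsletter or from ESET) reports whether a given binary's Authenticode SHA-256 hash appears in it. The sample dbx and hashes are constructed here; on Linux the live blob is `/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f` with its first four attribute bytes stripped.

```python
# Added example: parse a UEFI signature database in EFI_SIGNATURE_LIST format
# (the layout of the Secure Boot dbx) and test whether a SHA-256 hash is revoked.
import struct
import uuid

# Signature type GUID for raw SHA-256 hash entries (EFI_CERT_SHA256_GUID).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
HEADER_LEN = 28  # SignatureType(16) + ListSize(4) + HeaderSize(4) + SignatureSize(4)

def parse_signature_lists(blob: bytes):
    """Yield (type_guid, owner_guid, signature_data) for every entry in the blob."""
    off = 0
    while off < len(blob):
        if len(blob) - off < HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_guid = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < HEADER_LEN + hdr_size or sig_size < 16 or off + list_size > len(blob):
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos, end = off + HEADER_LEN + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])  # SignatureOwner precedes the data
            yield type_guid, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end

def revoked_sha256_hashes(blob: bytes) -> set:
    """All SHA-256 hashes in the database, as lowercase hex strings."""
    return {data.hex() for t, _, data in parse_signature_lists(blob) if t == EFI_CERT_SHA256_GUID}

def is_revoked(blob: bytes, authenticode_sha256: str) -> bool:
    """True if the binary's Authenticode SHA-256 hash is listed in the dbx."""
    return authenticode_sha256.lower() in revoked_sha256_hashes(blob)

def build_sha256_list(hashes, owner=uuid.UUID(int=0)) -> bytes:
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries (used here for constructed test data)."""
    entries = b"".join(owner.bytes_le + bytes.fromhex(h) for h in hashes)
    return (EFI_CERT_SHA256_GUID.bytes_le
            + struct.pack("<III", HEADER_LEN + len(entries), 0, 16 + 32)
            + entries)

# Constructed sample dbx with two made-up hashes; not real revocation data.
SAMPLE_REVOKED = ["11" * 32, "22" * 32]
SAMPLE_DBX = build_sha256_list(SAMPLE_REVOKED)
```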
If you want the longer, more detailed explanation of the exploit chain - ESET have you covered:
The supply chain risk
ESET closed out their research by pointing to several other UEFI vulnerabilities which they and other researchers highlighted throughout the years, and which vendors have sometimes simply declined to patch due to the affected device no longer being within the support window.
The failure of OEM vendors (e.g. Lenovo, Acer) to patch vulnerable devices is one thing, but the vulnerability exploited by BlackLotus has significantly greater applicability, as it stems from a flaw in Microsoft’s Secure Boot mechanism itself.
When considering the reliance on OEM and OS vendors to mitigate UEFI vulnerabilities - in conjunction with the failure of essential controls such as the UEFI revocation list - it’s no surprise to see ESET conclude that it was “only a matter of time” before this was weaponised.
Australian Cyber Security set for a shake up…again
Australia’s Home Affairs Minister Clare O’Neil shared some choice words with journalists last week, slamming Australia’s cyber laws as “bloody useless, not worth the ink printed on the paper when it came to actually using it in a cyber incident.”
The comments were made in reference to the government’s ability to intervene in last year’s high-profile breaches of health insurer Medibank and Australia’s 2nd largest telco, Optus.
More manpower, changes to come
It’s against that backdrop that the government announced their intent to establish a “national cyber office”, led by a coordinator for cyber security, with the mandate to develop an emergency response plan and enable some form of cyber “emergency response” in the event of a significant cyber event.
The Minister further flagged two additional potential changes:
Reform of the Security of Critical Infrastructure (SoCI) Act to potentially include customer data and “systems” within the definition of critical infrastructure, in order to empower the government to intervene in the case of a data breach;
The creation of a broader Cyber Security Act that would impose new obligations and standards across industry and government.
The urgency surrounding these changes was underscored just days later, as Australia’s Information Commissioner revealed a 26% increase in data breaches in the second half of 2022, with 497 separate instances - mostly impacting the health and finance sectors - of which 40 were considered “large-scale.”
Snip3 - Outsourcing Obfuscation
The multi-staged and highly obfuscated Snip3 crypter has been helping skiddies skirt security controls since 2021, with the Crypter-as-a-Service offering enabling attacks featuring QuasarRAT and DcRAT loaders and payloads on a range of industries including Healthcare, Energy, and Manufacturing.
Zscaler analysts identified the crypter wedged between a Phishing email and the deployment of QuasarRAT and DcRAT payloads, obfuscating their delivery through a three-stage infection chain that featured an AMSI bypass in an attempt to evade EDRs.
Interestingly, the first stage VBScript downloads a second stage loader via an SQL connection to a remote, attacker-controlled SQL database, and constructs the malicious PowerShell script by concatenating the strings returned by the query.
As this isn’t a commonly seen TTP, it’s worth verifying if your enterprise security controls could be expected to block - or at least alert on - anomalous outbound SQL connections made from end user workstations.
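One way to test that control is to run a rule like the one below over egress logs: it flags SQL-port connections from workstation subnets to anything outside the approved database ranges. This is an added example, not code from the newsletter or from Zscaler; the key=value log format, the subnets and the sample lines are all constructed.

```python
# Added example: detect anomalous outbound SQL connections from end-user workstations
# in constructed key=value firewall log lines.
import ipaddress
import re

# Assumed environment: workstation VLANs, and the only subnet where DB servers live.
WORKSTATION_NETS = [ipaddress.ip_network("10.20.0.0/16")]
APPROVED_DB_NETS = [ipaddress.ip_network("10.50.1.0/24")]
# Well-known SQL server ports; 1433/tcp is Microsoft SQL Server, 1434/udp the SQL Browser.
SQL_PORTS = {"tcp": {1433, 3306, 5432, 1521}, "udp": {1434}}

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line: str) -> dict:
    """Split a 'key=value key=value' log line into a dict."""
    return dict(KV_RE.findall(line))

def in_any(ip, nets) -> bool:
    return any(ip in n for n in nets)

def is_anomalous_sql(event: dict) -> bool:
    """True when a workstation talks to a SQL port anywhere but an approved DB subnet."""
    try:
        src = ipaddress.ip_address(event["src"])
        dst = ipaddress.ip_address(event["dst"])
        dport = int(event["dport"])
    except (KeyError, ValueError):
        return False  # malformed line: skip rather than raise a false alert
    proto = event.get("proto", "tcp").lower()
    if dport not in SQL_PORTS.get(proto, set()):
        return False
    return in_any(src, WORKSTATION_NETS) and not in_any(dst, APPROVED_DB_NETS)

def find_anomalous(lines) -> list:
    """Return the parsed events that should raise an alert."""
    return [e for e in map(parse_line, lines) if is_anomalous_sql(e)]

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "ts=2023-03-06T10:01:02Z src=10.20.5.17 dst=10.50.1.10 dport=1433 proto=tcp action=allow",   # workstation -> approved DB
    "ts=2023-03-06T10:01:09Z src=10.20.5.17 dst=203.0.113.45 dport=1433 proto=tcp action=allow", # workstation -> external MSSQL
    "ts=2023-03-06T10:02:11Z src=10.50.1.10 dst=203.0.113.45 dport=1433 proto=tcp action=allow", # server source: out of scope here
    "ts=2023-03-06T10:03:30Z src=10.20.7.2 dst=198.51.100.9 dport=443 proto=tcp action=allow",   # ordinary HTTPS
    "ts=2023-03-06T10:04:00Z src=10.20.7.2 dst=198.51.100.9 dport=1434 proto=udp action=allow",  # external SQL Browser probe
]
```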
The aforementioned loader also contains a surprisingly simple AMSI bypass - by setting the AmsiContext variable to “0,” it causes AmsiScanBuffer/AmsiScanString to error out and fail.
The full list of capabilities of this crypter are laid out in Zscaler’s blog post, which is well worth a read as it provides valuable insight into the pace of innovation in the Dark Web marketplace.
Other Reporting
🔥Check out SCARLETEEL - a masterclass in pivoting through AWS infrastructure in which an attacker gained a foothold on a public-facing web app and pilfered credentials from the underlying Kubernetes pod, scraped additional creds for lateral movement from Terraform build scripts, and made off with over 1TB of data;
🔥China’s Mustang Panda APT Group - also known as Bronze President/TA416 - were busted by ESET researchers deploying a new “barebones” backdoor that leverages the MQTT protocol for C2 - providing resilience against takedowns and obfuscating their origin through use of a communication broker;
Another Chinese-affiliated crew, APT27, were seen deploying a Linux variant of their SysUpdate RAT in a campaign targeting multiple entities. Built using the multi-platform Asio library, Trend Micro predict that a macOS variant will probably emerge in the future;
Sekoia have followed up on last week’s expose of the novel and highly popular Stealc infostealer with Part 2 - the technical teardown;
Elastic Security Labs have shared this report on PIPEDANCE - a post-compromise Windows backdoor seen targeting a Vietnamese organisation, which hides in legitimate processes while launching additional payloads and performing discovery tasks;
🔥Proofpoint’s analysis of the prolific TA569 - an Initial Access Broker that leverages Traffic Distribution Systems (TDS) and the SocGholish malware - is a must read. It highlights the many ways the actor injects malicious JavaScript payloads into compromised sites, and sporadic removal and re-injection of said payloads in an apparent attempt to circumvent investigations and malware analysis efforts;
🔥Team Cymru have published more great analysis of IcedID’s BackConnect infrastructure, noting the continued abuse of NZ hosting provider Zappie Host and Njalla domain registrar, as well as the operator’s apparent interest in the Libsodium encryption library and Qaz[.]im disposable email/file-sharing service that were also used by the LockBit and former Conti operations respectively;
Malware Researcher 0xToxin has published a great walkthrough of their analysis of a Bumblebee payload, including a decryption script that extracts the sample’s botnet ID and C2 addresses;
Cyber security firm Prodaft have shared insights on the RIG Exploit Kit, which achieved a personal best exploit rate of 30% of attempts. The kit uses malvertising and proxies to deliver browser exploits, though given 45% of their successful attempts last year leveraged an Internet Explorer vulnerability - they may have less luck this year as Microsoft is actively disabling the browser in favour of Edge;
Research firm Cyfirma have reported on EXFILTRATOR-22 (a.k.a EX-22) - a post-exploitation framework sold via Telegram and YouTube that appears to be the work of former LockBit affiliates, based on technical overlaps in the malware;
Proofpoint’s “State of the Phish” report has found that while typical attack vectors of ransomware, BEC, and the like remain popular among actors, novel techniques such as “telephone-oriented attack delivery and adversary-in-the-middle (AitM) phishing proxies that bypass multifactor authentication” are getting more air time;
CrowdStrike have also released their Global Threat Report, highlighting a rise in attacks on Cloud environments; the fact that 71% of detected attacks were “malware-free”, and the global scale of China-nexus attacks;
CISA warns of exploitation of ZK Web App Framework
While you may have never heard of it, ZK Framework is an open-source Ajax Web App framework that’s used by web developers to create Web App GUIs, and is baked into commercial solutions such as ConnectWise’s Recover and R1Soft Server Backup Manager products.
The framework is vulnerable to an information disclosure bug (CVE-2022-36537), for which there are public exploit PoCs available [1, 2] and active exploitation underway, according to NCC Group’s Fox-IT division.
All this has earned it a spot on CISA’s Known Exploited Vulnerabilities list, as they note it is a “frequent attack vector for malicious cyber actors and poses a significant risk to the federal enterprise.”
The current advice is to patch the known impacted ConnectWise products listed in the advisory - no other impacted vendor solutions have so far been identified.
A patchwork of patches for Cisco phones
A number of Cisco IP Phone models have been found vulnerable to a remote code execution vulnerability (CVE-2023-20078) which would allow an attacker to execute commands with root permissions.
While patches have been made available for this vulnerability, another bug that was disclosed at the same time - a high severity DoS vulnerability (CVE-2023-20079) - will not be patched for EOL models.
TPM vulnerabilities could affect “billions of devices”
Researchers at Quarkslab have uncovered two buffer overflow vulnerabilities in the Trusted Platform Module (TPM) 2.0 reference library specification (CVE-2023-1017 & CVE-2023-1018) which could result in information disclosure or enable privilege escalation.
TPMs have multiple applications that typically center around ensuring a system hasn’t been tampered with, but can also be used by applications such as Thunderbird or Outlook to assist in performing secure cryptographic functions, such as when encrypting and/or signing messages.
The utility of a TPM also means that many computer, server, IoT and embedded systems will have a TPM - whether it’s a physical chip, integrated with the CPU, or virtualised. It’s because of this that Quarkslab are concerned that the impact of these vulnerabilities will be widespread and potentially long-lasting.
The administrators of the TPM specification, the Trusted Computing Group, have issued an advisory and updates that will address the flaws.
Offensive
🔥NCC Group have published some excellent research - and an exploit PoC - that emulates a Cisco ASA Anyconnect VPN service, accepts and logs any provided credentials before serving VBS to the client that gets executed in the context of the user;
This walkthrough and PoC will come in handy the next time you find yourself with access to the AAD Connect server and want to elevate to Global Admin without trying to force a password reset.
Defensive
Decider - A web application created by CISA which assists defenders, analysts, and researchers to map adversary behaviors to the MITRE ATT&CK® framework;
Cyber security company Sygnia has shared a handy reference of alerts, reports and logs that will help in conducting IR engagements in Google Cloud environments;
Sysmon deployment can be tricky, particularly across a large enterprise. Check out this video that walks you through how to install it, what changes are made to the system, and how to hide its presence from attackers;
Malware analysts struggling with decompiling Python bytecode will probably want to bookmark this table, as it maps each decompiler to the version of Python bytecode that it supports;
Malware Analyst Germán Fernández has shared a simple tip to bypass malware Geo-fencing that often stumps analysis efforts - essentially changing the Geo registry key to the nation of your choosing;
CTI aficionado BushidoToken has published a new blog post, which is a walkthrough of an OSINT investigation he did, tracing the infrastructure behind the FUD Crypter operation.
🔥LastPass have shared more details on how the doozy of a hack was conducted in December last year - evidently the attacker was determined, leveraging data stolen from multiple breaches and targeting the home network of a Senior DevOps engineer in order to achieve their objectives. It’s an undeniably sophisticated attack, and well worth reading up on. I suggest starting here and digging into the other linked articles for more information;
FinTech firm Hatch Bank has reported an unattributed actor leveraged the recent GoAnywhere MFT vulnerability to steal the data of nearly 140,000 customers. This is the second compromise known to stem from the vulnerability found in the secure file-sharing platform;
If you’re unlucky enough to have been hit by the MortalKombat ransomware that was first reported on last week, fear not - BitDefender have issued a free decryptor to help you out;
Audit Logs Wall of Shame - a ranking of prominent vendors by the quality, consistency, and implementation of their audit logs.