SOC Goulash: Weekend Wrap-Up
SOC Goulash: Weekend Wrap-Up
13/03/2023 - 19/03/2023
This is an extended newsletter, so it may be truncated towards the end of the email. To read the full post, just select the View entire message hyperlink at the bottom of the email or Open in Browser!
Patched CVE-2023-23397? Think Again!
A vulnerability in Microsoft’s Outlook client has stolen the show this Patch Tuesday, with the CVSS 9.8-rated CVE-2023-23397 throwing a proverbial cat-amongst-the-pigeons with a potential zero-click privilege escalation vulnerability.
In a nutshell, sending a crafted email message (no, it doesn’t have to be a calendar or meeting invite) that includes a UNC-formatted link to an attacker-controlled SMB share will cause the recipient’s Outlook client to attempt to authenticate with the remote address - without even requiring the user to open the email.
After a bit of follow-on panic when everyone realised blocking SMB would simply cause the credentials to leak over WebDAV, Microsoft corrected their guidance and things seemed to have died down.
lol enjoy your weekend
At 01:50AM on Saturday here in Australia, security researcher Will Dormann demonstrated that Microsoft’s patch in fact only mitigated attempts to exploit this vulnerability from beyond the network:
The patch seemed to simply prevent the embedding of links to SMB shares which contained a period (“.”) in them.
Sure, this mitigates the possibility of an IP address or even a DNS name that contains more than a TLD from being passed, but if you’re already in the network and able to pop Responder like Will demonstrates above - you can continue harvesting NTLM credentials with ease using this zero-click vulnerability.
It’s also worth pointing out that dotless domains and hex/decimal-formatted addresses don’t appear to be feasible workarounds for the patch that would allow the resolution of an external resource.
Detection Opportunities
If you’re still worried about the potential for abuse of this vulnerability, TrustedSec have pointed to the auditing of two NetworkProvider Registry keys which will help surface anomalous interaction by the Outlook process, as an artefact of an attempt to exploit this vulnerability.
Nextron Systems have also published these Yara rules which attempt to detect file-based artefacts associated with exploit attempts.
In case you missed it…
Emotet gets with the times (finally)
After attempting last week to make a comeback using heavily dated TTPs from last year, Emotet finally got the memo and started running campaigns that leveraged malicious OneNote files to circumvent Microsoft’s improved Mark-of-the-Web (MotW) protections.
The impact of Emotet’s initial campaign involving macro-enabled maldocs would have been heavily nerfed by the default blocking of macros in downloaded documents, which Microsoft has had in place for nearly a year now.
While they initially attempted to circumvent this by coercing their victims into copying the malicious document to a trusted location in order to bypass the MotW checks, it looks like they’ve finally caved and gotten with the times.
Other Reporting
YoroTrooper is a new and currently unattributed espionage-motivated actor that Cisco Talos observed targeting government and energy organisations of Commonwealth of Independent States (CIS) countries, as well as EU agencies and embassies since at least June 2022. The threat group used modern techniques such as HTML Smuggling, lnk files, and disk image files to deliver their payloads which enabled data theft, and included a modular credential stealer dubbed “Stink”;
A joint advisory by US law enforcement agencies has revealed that a federal agency had their IIS server popped by not one, but two actors between November 2022 and January this year - thanks to a 3-year-old vulnerability in Telerik UI known to be favoured by Chinese attackers;
WithSecure have identified two Cobalt Strike loaders - SILKLOADER and BAILLOADER - being used in the wild by both Chinese and Russian threat groups. Their attribution is particularly interesting, as they suggest the loaders were initially developed by “threat actors acting within the Chinese cybercriminal ecosystem”, and were sold to a Russian actor “once they no longer had any use for it.”
Researchers at ESET have reported on the targeting of a Data-Loss Prevention (DLP) Software provider by the Tick APT group. Believed to be China-affiliated and espionage-motivated, the campaign resulted in the compromise of the company’s downstream customers;
🔥Microsoft have taken a look at DEV-1101, a threat group enabling Attacker-in-the-Middle (AiTM) phishing at-scale by selling an affordable AiTM Phishing Kit on the Dark Web, capable of evading researchers with CAPTCHA pages while allowing its users to circumvent MFA protections through use of a baked-in reverse proxy;
🔥In a move that appears to be linked to the release of a decryptor by Avast in January this year, the BianLian ransomware operation is shifting away from encrypting victim files, opting instead to focus on exfiltrating sensitive information which they can use to extort their victims;
SentinelOne have published a blog looking at CatB ransomware, which they’ve observed abusing the MSDTC service to perform DLL hijacking in recent attacks, and believe may be a rebrand of, or successor to the Pandora ransomware;
CISA have shared a detailed profile on LockBit ransomware 3.0, which steps through the group’s favourite TTPs and tooling;
Researchers at Avast have uncovered a Redline distribution campaign that abuses the legitimate online document signing service, Adobe Acrobat Sign, to circumvent security controls and leverage their victim’s inherent trust in the site;
The FBI released this week their annual IC3 report, highlighting the meteoric rise of cryptocurrency investment scams (a.k.a. “Pig Butchering scams”) which soared 183% from last year, accounting for a total loss of $2.57 billion. Investment scams overall also overshadowed BEC for the first time, accounting for $3.3 billion in losses, compared to BEC’s paltry $2.7 billion;
Securelist have published an interesting article that highlights the oddly structured and well-regulated world of the Dark Web;
Microsoft: If at first you don’t succeed…
It turns out Microsoft’s patch for a bug in its Mark-of-the-Web (MotW) protections (CVE-2023-24880) is just it playing catch-up on a bug it only halfway-patched several months ago (CVE-2022-44698).
The original flaw allowed Qakbot payloads and Magniber ransomware operators to circumvent Microsoft’s MotW-powered SmartScreen defences by signing their malicious JScript files with a malformed signature. Months later, and after 3rd-party vendors released unofficial patches, Microsoft finally came to the party with their own patch.
Fast-forward three months, and Google’s TAG have seen Magniber ransomware abusing the supposedly-patched flaw being abused in-the-wild, this time delivering over 100,000 malicious MSI files signed with a crafted Authenticode signature which again allowed them to bypass SmartScreen.
While vulnerability patching can sometimes play out like a game of whack-a-mole (see PrintNightmare), Google are right in pointing out that when Microsoft were confronted with the choice between providing “a localized, reliable fix, and a potentially harder fix of the underlying root cause issue”, they chose the easier option - and thousands of their customers paid the price.
Critical ColdFusion bug exploited in-the-wild
Adobe have warned of real-world exploitation of CVE-2023-26360, a remote code execution flaw in their ColdFusion product that can be exploited by an unauthenticated attacker, through a low-complexity attack that doesn’t require user interaction.
CISA have added the vulnerability to their Known Exploited Vulnerability catalog, and one of the researchers credited with the attack has specifically called out the vulnerability as being “far more important than the wording of [Adobe’s advisory] suggests”, and confirming that they have seen the vulnerability exploited to achieve code execution and file read on impacted servers.
Other Vulnerabilities
Aruba patches multiple bugs in ClearPass Policy Manager
Network appliance vendor Aruba has patched several bugs in its ClearPass Policy Manager product last week, the worst of which was CVE-2023-25589 - a vulnerability which would allow an unauthenticated attacker to create arbitrary user accounts on the platform, and thereby to “achieve total cluster compromise”
Five of 19 vulnerabilities patched by SAP score CVSS 9.0+
The multinational software vendor SAP has issued patches for a laundry list of bugs, five of which are of a critical severity and enable some form of code/command execution, directory traversal, or information disclosure or manipulation.
Offensive
🔥GOADv2 - a comprehensive AD lab environment for you to trial all your Red Team techniques, and includes IIS, MSSQL, and ADCS servers. Check out Mayfly’s blog for more information and write-ups on their experience using GOAD;
imgdevil - a PoC to embed shells in images, which is explained in full detail in the related TrustedSec post;
HackTools - an all-in-one Red Team browser extension for Web Pentesters;
passphrase-wordlist - a list of passphrases and hashcat rule files to help bruteforce accounts that may have opted for a passphrase over a password;
🔥Looking for a way to hide your red team tools from that pesky EDR? WSL can help with that - even installing a Kali distro and running proxychains to scan an internal environment with nmap!
TrustedSec have published an interesting article that show how understanding the time and checksum values of Kerberos tickets can help Red Teams with Opsec and Blue Teams with detection opportunities;
If you’re looking to dodge malicious macro signaturing, check out this write-up that looks at a novel way of obfuscating calls to NtQueryInformationProcess.
Defensive
Kali Purple - think Kali Linux, but for Blue and Purple Teams. While still very much a work in progress, this new initiative by Offensive Security already has over 100 tools integrated such as Arkime, Suricata, TheHive, and Zeek;
🔥The folks at Falcon Force have shared an obscene amount of useful content to help manage Detections at scale - a template to document and automate validation of detections, example use cases and tooling to help perform the validation, an example Azure DevOps CI pipeline to automate it, and a standalone KQL query syntax validator. I mean. Just. Wow.
Megan Roddie from SANS has published two parts of a five-part series on log extraction for cloud vendors, with the first looking at AWS and the second as GCP;
Just a little reminder that rundll32 doesn’t require the ordinal to be comma delimited - something with Qakbot actors have taken note of recently, and may break existing detections;
Alex Teixeira has hit the nail on the head with another article, this time looking at logging requirements. Specifically, he points to how a lack of scope can be detrimental to SIEM logging, resulting in increased costs and performance degradation;
While nothing new, Huntress’ post on mitigations for common initial access vectors such as OneNote files, disk images, and macros provides a great reference to help establish or validate your defences.
The UK has announced the formation of the National Protective Security Agency and Integrated Security Fund - two measures headed by their domestic intelligence service, MI5, with the goal of enhancing the nation’s economic and cyber security;
Pompompurin, the admin of the infamous Dark Web forum BreachForum has allegedly been arrested in New York. Despite his demise, the forum will continue to operate after another forum admin stepped in;
Australian consumers just can’t cop a break, with a breach of Latitude Finance impacting 225,000 customers who had identity documents including driver’s licenses stolen from the company’s networks;
BlueHat 2023 Conference talks are now available on YouTube.