This is Part 1 of the Weekend Wrap-Up, detailing significant Threat Actor Activity and noteworthy TTP changes to be aware of.
Part 2 will cover significant vulnerabilities from the past week, in addition to the latest tools & techniques for offense and defence alike, and some additional reporting that you might find relevant and useful.
Headline Items
APT29 demonstrate intricate understanding of Azure controls, manipulating them to hide and pivot through victim environments;
Tips for Defenders on IcedID TTPs; dealing with DLL Hijacking/Process Injection attacks, and how to hunt for the latest TTPs doing the rounds;
Exploit code and in-the-wild exploitation for Realtek and Apple devices - and of course, Chrome.
APT29 looking Cozy in the Cloud
Reference: Mandiant | Mandiant APT29 White Paper
Mandiant have released a detailed and punchy summary of the TTPs observed being used by APT29 - attributed to Russia's Foreign Intelligence Service (SVR) - to hide and pivot within Azure environments.
These TTPs are especially noteworthy, as they demonstrate an intricate understanding of Azure’s inner-workings and how to manipulate identity objects and tenant configurations to obscure their presence and intent.
I recommend reading the report for all the detail, but in sum:
Modifying the Azure license to disable Purview Audit, thereby disabling the Mail Items Accessed audit. Without it, defenders can't tell whether a mailbox was accessed, by whom, or how.
Detection: look in the Azure AD Audit Log and the Microsoft 365 Unified Audit Log to see who changed the license and which mailboxes were affected;
Remediation: Mandiant's Azure AD Investigator script can identify mailbox users with auditing disabled, and potentially re-enable it.
Brute-forcing credentials for new/dormant accounts that are created but never have MFA set up. Because most organisations allow users to enroll new accounts in MFA at next login, the first person to do so - legitimate or not - now has a valid MFA-enabled enterprise account.
Mitigation: Enforce a Conditional Access policy requiring MFA enrollments to only take place from trusted locations (e.g. internal network/MDM-enrolled or trusted devices)
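As an added example (my code, not Mandiant's guidance or Microsoft's), the check below walks a tenant's Conditional Access policies, in the JSON shape the Graph API returns from /identity/conditionalAccess/policies, and reports whether any enabled policy blocks the "Register security information" user action (`urn:user:registersecurityinfo`) everywhere except trusted locations. The two policy objects are constructed samples: the weak one only requires MFA on registration, which the first person to enrol satisfies with the factor they are enrolling; the corrected one blocks registration outside trusted locations. The field names follow the Graph conditionalAccessPolicy resource as I know it; confirm them against the current docs before scripting against a real tenant.

```python
# Added example: audit Conditional Access policies for an MFA-registration
# lockdown. Sample policies are constructed, not exported from a real tenant.

REGISTER_SECURITY_INFO = "urn:user:registersecurityinfo"  # Graph name for "Register security information"


def blocks_untrusted_mfa_registration(policy: dict) -> bool:
    """True if `policy` is enabled, scopes the security-info registration user action
    to all users from every location except trusted ones, and blocks it.
    Report-only policies ("enabledForReportingButNotEnforced") do not count."""
    if policy.get("state") != "enabled":
        return False
    cond = policy.get("conditions") or {}
    actions = (cond.get("applications") or {}).get("includeUserActions") or []
    if REGISTER_SECURITY_INFO not in actions:
        return False
    if "All" not in ((cond.get("users") or {}).get("includeUsers") or []):
        return False
    loc = cond.get("locations") or {}
    if "All" not in (loc.get("includeLocations") or []):
        return False
    if "AllTrusted" not in (loc.get("excludeLocations") or []):
        return False
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    return "block" in controls


def tenant_locks_down_registration(policies: list) -> bool:
    """True if at least one policy in the tenant export enforces the lockdown."""
    return any(blocks_untrusted_mfa_registration(p) for p in policies)


# Weak setting: registration from anywhere, gated only by the MFA the user is about to enrol.
WEAK_POLICY = {
    "displayName": "Require MFA to register security info",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeUserActions": [REGISTER_SECURITY_INFO]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

# Corrected setting: block registration from every location except named trusted ones.
# "<break-glass-account-id>" is a placeholder for an excluded emergency-access account.
HARDENED_POLICY = {
    "displayName": "Block security info registration outside trusted locations",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": ["<break-glass-account-id>"]},
        "applications": {"includeUserActions": [REGISTER_SECURITY_INFO]},
        "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

if __name__ == "__main__":
    for p in (WEAK_POLICY, HARDENED_POLICY):
        print(f"{p['displayName']!r}: lockdown = {blocks_untrusted_mfa_registration(p)}")
    print("tenant covered:", tenant_locks_down_registration([WEAK_POLICY, HARDENED_POLICY]))
```

Pair the blocking policy with a Temporary Access Pass or an on-site enrolment process, otherwise remote new starters have no legitimate way to register; the check deliberately ignores report-only policies because those are the ones that get forgotten in that state.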
Using Azure VMs for “last-mile” interaction with target networks. These VMs are provisioned with IPs within Microsoft’s Azure address space, allowing the attacker to blend into legitimate traffic and reducing the likelihood of triggering a risky sign-in or risky user alert.
Compromising, manipulating and abusing Service Principals to obfuscate email collection activities. APT29 hijacked a Service Principal with ApplicationImpersonation rights, adding a certificate (Key Credential) and configuring a new Application Address URL, both of which were intentionally crafted to appear legitimate and comply with vendor documentation.
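To make the detection items above concrete, here is an added example (my own code, not Mandiant's Azure AD Investigator) that triages Unified Audit Log records - the AuditData JSON that Search-UnifiedAuditLog returns, reduced to the fields used - for the changes discussed in this section: license changes that can remove Purview Audit, mailbox auditing being switched off or bypassed, and new credentials added to service principals. The records are constructed samples. The Azure AD operation names are as I've seen them in UAL exports (with the trailing period); verify them against your own tenant's data before building alerts on them.

```python
# Added example: triage UAL records for audit tampering and service principal
# credential additions. SAMPLE_RECORDS are constructed, not real tenant data.

# Azure AD workload operations to surface, as they appear in the UAL (note the trailing period).
AAD_WATCHLIST = {
    "Change user license.": "license change - can remove Purview Audit and with it MailItemsAccessed",
    "Add service principal credentials.": "new key or password credential added to a service principal",
}


def _exchange_params(record: dict) -> dict:
    """Exchange admin-audit records carry cmdlet parameters as [{Name, Value}, ...]."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def triage(records: list) -> list:
    """Return findings ({when, actor, target, operation, reason}) sorted by time."""
    findings = []
    for rec in records:
        op, workload = rec.get("Operation"), rec.get("Workload")
        reason = None
        if workload == "AzureActiveDirectory" and op in AAD_WATCHLIST:
            reason = AAD_WATCHLIST[op]
        elif workload == "Exchange":
            params = _exchange_params(rec)
            if op == "Set-Mailbox" and params.get("AuditEnabled") == "False":
                reason = "mailbox auditing switched off"
            elif op == "Set-MailboxAuditBypassAssociation" and params.get("AuditBypassEnabled") == "True":
                reason = "audit bypass enabled: this account's mailbox actions stop being logged"
        if reason:
            findings.append({"when": rec.get("CreationTime"), "actor": rec.get("UserId"),
                             "target": rec.get("ObjectId"), "operation": op, "reason": reason})
    return sorted(findings, key=lambda f: f["when"])


def actors_tampering_with_audit(records: list) -> set:
    """Accounts behind any finding - the pivot point for the rest of the investigation."""
    return {f["actor"] for f in triage(records)}


# Constructed sample export: one benign inbox rule, then a license downgrade, the
# target's mailbox auditing being disabled, and a new credential on an app.
SAMPLE_RECORDS = [
    {"CreationTime": "2022-08-18T02:14:07", "Workload": "Exchange", "Operation": "New-InboxRule",
     "UserId": "alice@example.com", "ObjectId": "alice@example.com",
     "Parameters": [{"Name": "Name", "Value": "Receipts"}]},
    {"CreationTime": "2022-08-18T03:02:51", "Workload": "AzureActiveDirectory",
     "Operation": "Change user license.", "UserId": "svc-helpdesk@example.com", "ObjectId": "cfo@example.com"},
    {"CreationTime": "2022-08-18T03:05:19", "Workload": "Exchange", "Operation": "Set-Mailbox",
     "UserId": "svc-helpdesk@example.com", "ObjectId": "cfo@example.com",
     "Parameters": [{"Name": "Identity", "Value": "cfo@example.com"}, {"Name": "AuditEnabled", "Value": "False"}]},
    {"CreationTime": "2022-08-18T03:40:00", "Workload": "AzureActiveDirectory",
     "Operation": "Add service principal credentials.", "UserId": "svc-helpdesk@example.com",
     "ObjectId": "mail-archiver-app"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"{f['when']} {f['actor']} -> {f['target']}: {f['operation']} ({f['reason']})")
    print("actors:", actors_tampering_with_audit(SAMPLE_RECORDS))
```

The point of grouping by actor is the one Mandiant's write-up makes implicitly: a license change, an audit change and a new app credential from the same account in one morning are a campaign, not three tickets.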
Vishing & Callback Phishing pick up pace
Reference: Bleeping Computer
Email security vendor Agari have reported a whopping 625% increase in attacks involving Callback Phishing between Q1 2021 and Q2 2022, a trend that began with the BazarCall campaigns in March 2021. Callback Phishing typically involves the delivery of a phishing lure that is then followed by a phone call, during which the actor coerces victims into providing remote access to their system or installing remote access software - thereby gaining a foothold in victim networks.
Threat Intel company AdvIntel reported last week that BazarCall continues to be used by splinters of the now defunct Conti ransomware group, namely the Silent Ransom, Roy/Zeon, and Quantum groups.
We also covered Cisco’s ongoing breach last week, where attackers used Voice Phishing (Vishing) and MFA fatigue (spamming the user with MFA requests) to bypass MFA protections and gain their beachhead in the network.
All this is to say that Vishing and Callback Phishing are on the rise, and are being used by experienced cyber criminal and ransomware groups to successfully conduct real-world attacks against organisations and circumvent MFA controls.
This kind of attack isn’t going to be in your traditional Incident Response playbook, much less specifically detected/hunted for in the enterprise. It’s worth considering what tools you have to detect these - anomalous logins, high volumes of MFA requests, and impossible travel alerts, perhaps - and if your standard employee cyber security training covers how to spot and report Vishing attempts.
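One of the detections suggested above, high volumes of MFA requests, as an added example written for this post rather than taken from the referenced reporting. It runs over Azure AD sign-in log entries in the Graph signIn shape I'm assuming (userPrincipalName, ipAddress, createdDateTime, status.errorCode) and flags a user/IP pair with a burst of sign-ins that reached the MFA prompt but were never satisfied (error code 500121, "Authentication failed during strong authentication request"), then looks for the success from the same pair shortly afterwards - the prompt the worn-down user finally accepted. The log entries are constructed.

```python
# Added example: MFA fatigue detection over constructed Azure AD sign-in records.
from collections import defaultdict
from datetime import datetime, timedelta

MFA_NOT_SATISFIED = 500121  # sign-in reached MFA but the prompt was denied/ignored/timed out


def _ts(value: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps the sign-in log uses."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def mfa_fatigue_bursts(signins, threshold=5, window=timedelta(minutes=10)):
    """Return (user, ip, window_start, count) for each user/IP pair whose densest
    `window` of unsatisfied MFA prompts holds at least `threshold` of them."""
    prompts = defaultdict(list)
    for s in signins:
        if (s.get("status") or {}).get("errorCode") != MFA_NOT_SATISFIED:
            continue
        prompts[(s["userPrincipalName"], s["ipAddress"])].append(_ts(s["createdDateTime"]))
    bursts = []
    for (user, ip), times in prompts.items():
        times.sort()
        best, best_start, start = 0, None, 0
        for end in range(len(times)):            # sliding window over sorted prompt times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > best:
                best, best_start = end - start + 1, times[start]
        if best >= threshold:
            bursts.append((user, ip, best_start, best))
    return bursts


def approvals_after_burst(signins, bursts, grace=timedelta(minutes=15)):
    """Successful sign-ins from the same user+IP within `grace` of a burst start:
    the high-signal event, since it means a prompt was accepted."""
    hits = []
    for user, ip, start, _ in bursts:
        for s in signins:
            if (s["userPrincipalName"], s["ipAddress"]) != (user, ip):
                continue
            if (s.get("status") or {}).get("errorCode") != 0:
                continue
            when = _ts(s["createdDateTime"])
            if start <= when <= start + grace:
                hits.append((user, ip, when))
    return hits


def _signin(upn, ip, ts, code):
    return {"userPrincipalName": upn, "ipAddress": ip, "createdDateTime": ts, "status": {"errorCode": code}}


# Constructed sample: alice fumbles one prompt then succeeds; bob gets six prompts in
# five minutes from one address and the seventh is accepted.
SAMPLE_SIGNINS = [
    _signin("alice@example.com", "198.51.100.20", "2022-08-17T08:12:00Z", MFA_NOT_SATISFIED),
    _signin("alice@example.com", "198.51.100.20", "2022-08-17T08:13:30Z", 0),
    *[_signin("bob@example.com", "203.0.113.7", f"2022-08-17T22:4{i}:00Z", MFA_NOT_SATISFIED) for i in range(6)],
    _signin("bob@example.com", "203.0.113.7", "2022-08-17T22:47:10Z", 0),
]

if __name__ == "__main__":
    found = mfa_fatigue_bursts(SAMPLE_SIGNINS)
    print("bursts:", found)
    print("accepted after burst:", approvals_after_burst(SAMPLE_SIGNINS, found))
```

Tune the threshold to your tenant's baseline before alerting; a burst with no approval is a user to warn, a burst followed by an approval from a new IP is an incident.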
IcedID using JS + BAT files for obfuscated detonation
Reference: pr0xylife | ankit_anubhav
Distribution of IcedID on August 19th saw the use of a .zip > .iso > .lnk > .bat > wscript > .dll chain for payload delivery and execution.
Initial delivery and execution starts with the now-common .zip > .iso > .lnk sequence;
The .lnk uses cmd.exe to run the .bat file, which hands an obfuscated .js file to wscript.exe; the script deobfuscates its strings at run time;
wscript.exe then launches rundll32.exe to run the payload DLL at the specified entry point.
Nothing particularly sophisticated, but a change nonetheless in the execution chain to keep an eye out for.
![Image Image](https://substackcdn.com/image/fetch/w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2Fb998687b-2e94-43e2-9ae9-bf688add69c5_500x665.jpeg)
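The thing to key on in that chain is the process ancestry rather than any one file name. As an added example (mine, not the referenced researchers' material), the code below walks constructed Sysmon Event ID 1 style records, flags any rundll32.exe whose ancestors include wscript.exe and then cmd.exe, and separately lists processes whose command line references a script or DLL on a drive letter other than C: - what a freshly mounted ISO looks like. The entry point name and paths in the sample are made up.

```python
# Added example: hunt the cmd.exe -> wscript.exe -> rundll32.exe chain in
# constructed Sysmon process-creation records. Real Sysmon data should be keyed on
# ProcessGuid/ParentProcessGuid rather than PIDs, which are reused.
import ntpath
import re

CHAIN = ["cmd.exe", "wscript.exe", "rundll32.exe"]          # root -> leaf
OFF_SYSTEM_DRIVE = re.compile(r'\b[D-Z]:\\[^\s"]*\.(?:bat|js|dll|lnk)\b', re.I)


def ancestry(pid, by_pid):
    """Image basenames from `pid` up to the root (leaf first), lowercase."""
    names, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ev = by_pid[pid]
        names.append(ntpath.basename(ev["Image"]).lower())
        pid = ev["ParentProcessId"]
    return names


def matches_chain(names, chain):
    """True if `chain` appears in order (allowing gaps) in the leaf-first ancestry."""
    want, i = list(reversed(chain)), 0
    for n in names:
        if i < len(want) and n == want[i]:
            i += 1
    return i == len(want)


def find_script_to_rundll32(events, chain=CHAIN):
    by_pid = {e["ProcessId"]: e for e in events}
    return [e for e in events
            if ntpath.basename(e["Image"]).lower() == chain[-1]
            and matches_chain(ancestry(e["ProcessId"], by_pid), chain)]


def off_system_drive_scripts(events):
    """Processes whose command line touches a .bat/.js/.dll/.lnk on D: through Z:."""
    return [e for e in events if OFF_SYSTEM_DRIVE.search(e.get("CommandLine", ""))]


# Constructed sample: the IcedID-style chain from a mounted ISO on E:, plus a benign
# cmd.exe -> rundll32.exe from an admin for contrast.
SAMPLE_EVENTS = [
    {"ProcessId": 4012, "ParentProcessId": 0, "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"ProcessId": 5120, "ParentProcessId": 4012, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c E:\documents\invoice.bat'},
    {"ProcessId": 5188, "ParentProcessId": 5120, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe E:\documents\ab.js"},
    {"ProcessId": 5240, "ParentProcessId": 5188, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe E:\documents\ab.dll,init"},
    {"ProcessId": 6000, "ParentProcessId": 4012, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"ProcessId": 6010, "ParentProcessId": 6000, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for e in find_script_to_rundll32(SAMPLE_EVENTS):
        print("chain hit:", e["ProcessId"], e["CommandLine"])
    for e in off_system_drive_scripts(SAMPLE_EVENTS):
        print("off-drive script:", e["ProcessId"], e["CommandLine"])
```

The drive-letter heuristic is noisy on hosts with real D: data volumes; it earns its keep when combined with the VHDMP mount events mentioned later in this post.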
Spotlight on DLL Hijacking/Process Injection
Reference: Wietze’s Blog | HijackLibs | Cyb3rMonk
DLL Hijacking and Process Injection techniques are used widely by cyber crime and APT actors alike, so this work from Crowdstrike’s Wietze Beukema is sure to be useful to both Blue and Red team operators:
Wietze first published some research he’s done looking at how to perform DLL Hijacking by modifying Environment Variables at a per-process level, even providing compact PoCs in VBScript and PowerShell to demonstrate the point;
If that wasn’t enough, Wietze has also published HijackLibs - a repository detailing 360 common executables that are vulnerable to DLL Hijacking;
@Cyb3rMonk has condensed this down to a CSV of relevant values and provided this chonker of a KQL Query that aims to detect anomalous loading of DLLs for the vulnerable processes;
@ConsciousHacker has released WFHDridex, a tool to identify DLL Sideloading opportunities in executable files. It identified 966 potential instances in System32 binaries, which have been submitted as a pull request to the HijackLibs project.
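The detection idea behind the KQL query above, as an added Python example of mine rather than a port of @Cyb3rMonk's query or HijackLibs' data: keep a table of DLL names and the directories they are legitimately loaded from, expand the environment variables per host, and flag any image-load event (Sysmon Event ID 7: Image, ImageLoaded) where a listed DLL comes from anywhere else. The expectation table and the load events are constructed in the spirit of HijackLibs entries; build the real table from that project's YAML.

```python
# Added example: anomalous DLL load detection over constructed Sysmon Event ID 7 records.
import ntpath
import re

# Constructed expectation table (HijackLibs-style, not its real entries):
# DLL name -> directories it should be loaded from, with environment variables unexpanded.
EXPECTED = {
    "version.dll": [r"%SYSTEMROOT%\System32", r"%SYSTEMROOT%\SysWOW64"],
    "dbghelp.dll": [r"%SYSTEMROOT%\System32", r"%SYSTEMROOT%\SysWOW64",
                    r"%PROGRAMFILES%\Windows Kits\10\Debuggers\x64"],
}

# Per-host values, taken from the host being analysed rather than the analyst's box.
HOST_ENV = {"SYSTEMROOT": r"C:\Windows", "PROGRAMFILES": r"C:\Program Files"}


def expand(path: str, env: dict) -> str:
    """Expand %VAR% tokens using `env`; unknown variables are left as-is."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), path)


def _norm(path: str) -> str:
    """Case-fold and normalise separators so paths compare reliably (works off-Windows too)."""
    return ntpath.normcase(ntpath.normpath(path))


def anomalous_loads(events: list, expected: dict, env: dict) -> list:
    """Return events where a listed DLL was loaded from a directory not in its allow-list."""
    table = {dll: {_norm(expand(d, env)) for d in dirs} for dll, dirs in expected.items()}
    hits = []
    for ev in events:
        loaded = ev.get("ImageLoaded", "")
        dll = ntpath.basename(loaded).lower()
        if dll in table and _norm(ntpath.dirname(loaded)) not in table[dll]:
            hits.append(ev)
    return hits


# Constructed sample loads: two legitimate, one sideload from a user-writable directory,
# and one DLL the table does not cover.
SAMPLE_LOADS = [
    {"Image": r"C:\Program Files\Vendor\Updater.exe", "ImageLoaded": r"C:\Windows\System32\version.dll"},
    {"Image": r"C:\Users\Public\Updater\Updater.exe", "ImageLoaded": r"C:\Users\Public\Updater\version.dll"},
    {"Image": r"C:\Program Files\Windows Kits\10\Debuggers\x64\windbg.exe",
     "ImageLoaded": r"C:\Program Files\Windows Kits\10\Debuggers\x64\dbghelp.dll"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]

if __name__ == "__main__":
    for ev in anomalous_loads(SAMPLE_LOADS, EXPECTED, HOST_ENV):
        print(f"{ev['Image']} loaded {ev['ImageLoaded']} from an unexpected directory")
```

Expanding the variables from the host's own values matters for exactly the reason Wietze's research gives: a per-process %SYSTEMROOT% that points somewhere else is the attack, so the allow-list must be anchored to the real system paths, not to whatever the process believed them to be.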
Tips for hunting recently adopted TTPs
Event ID 12 in the Microsoft-Windows-VHDMP-Operational logs will show you instances of ISO files being mounted - something that you’ll likely see in infections by Bumblebee, IcedID, and Qbot malware.
The decentralised IPFS protocol has been seen abused in real-world Phishing campaigns and baked into Dark Utilities - a C2-as-a-Service offering sold on the dark web. If you want to get proactive in mitigating these threats, you can hunt for phishing sites using IPFS.
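A starting point for that hunt, as an added example (my code, not from the referenced reporting): IPFS-hosted content reaches a browser through three URL shapes - a path-style gateway URL (`https://<gateway>/ipfs/<cid>/...`), a subdomain-style gateway URL (`https://<cid>.ipfs.<gateway>/...`) and the native `ipfs://<cid>` scheme. The function below recognises all three by the content identifier itself (CIDv0 `Qm...` base58 and CIDv1 base32 `b...`) rather than by a gateway list, so new gateways don't slip past it. URLs in the sample are constructed; the CIDs are format-valid but not tied to any real content.

```python
# Added example: pick IPFS-hosted URLs out of a feed (proxy logs, URL sandbox output,
# reported phishing links). SAMPLE_URLS are constructed.
import re
from urllib.parse import urlparse

# CIDv0: "Qm" + 44 base58 chars; CIDv1 (base32, lowercase): "b" + at least 58 base32 chars.
CID = r"(?:Qm[1-9A-HJ-NP-Za-km-z]{44}|b[a-z2-7]{58,})"
PATH_RE = re.compile(r"^/ipfs/(" + CID + r")(?=/|$)")      # https://gateway/ipfs/<cid>/...
SUBDOMAIN_RE = re.compile(r"^(" + CID + r")\.ipfs\.")       # https://<cid>.ipfs.gateway/...
NATIVE_RE = re.compile(r"^(" + CID + r")$")                  # ipfs://<cid>/...


def ipfs_cid(url: str):
    """Return the CID if `url` points at IPFS content via any of the three forms, else None.
    Hostnames are case-folded by urlparse, which is fine: subdomain gateways only accept
    base32 CIDv1, so a 'Qm' CID never appears in that position."""
    u = urlparse(url.strip())
    if u.scheme.lower() == "ipfs":
        m = NATIVE_RE.match(u.netloc)
        return m.group(1) if m else None
    m = SUBDOMAIN_RE.match(u.hostname or "")
    if m:
        return m.group(1)
    m = PATH_RE.match(u.path)
    return m.group(1) if m else None


def hunt(urls):
    """Return (url, cid) for every IPFS-hosted URL; the CID is the pivot to block or hunt on,
    since the same content is reachable through any public gateway."""
    hits = []
    for url in urls:
        cid = ipfs_cid(url)
        if cid:
            hits.append((url, cid))
    return hits


SAMPLE_URLS = [
    "https://ipfs.io/ipfs/QmT5NvUtoM5nWFfrQdVrFtvGfKFmG7AHE8P34isapyhCxX/office365/login.html",
    "https://bafybeigdyrzt5sfp7udm7hu76uh7y26nf3efuylqabf3oclgtqy55fbzdi.ipfs.dweb.link/",
    "ipfs://bafybeigdyrzt5sfp7udm7hu76uh7y26nf3efuylqabf3oclgtqy55fbzdi/index.html",
    "https://cloudflare-ipfs.com/ipfs/not-a-real-cid/login.html",
    "https://www.example.com/ipfs-whitepaper.pdf",
]

if __name__ == "__main__":
    for url, cid in hunt(SAMPLE_URLS):
        print(cid, "<-", url)
```

Blocking the gateway hostname is the obvious first response, but the lure is one gateway swap away from working again; the CID is the durable indicator, and /ipns/ names (mutable pointers) are a second shape worth adding once the basic hunt is in place.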
To close off Part 1 - a timely reminder that you’re not alone in wishing SIEMs had more capacity - there’s no such thing as “100% log coverage”!