This is Part 2 of the Weekend Wrap-Up, detailing significant vulnerabilities from the past week, in addition to the latest tools & techniques for offence and defence alike, and some additional reporting that you might find relevant and useful.
Part 1 should already be in your inbox, and highlights some significant Threat Actor Activity and noteworthy TTP changes to be aware of.
Exploits & Exploitation for Realtek, Apple Devices, and Chrome
An exploit has been released for CVE-2022-27255 (CVSS 9.8), a stack-based buffer overflow in the SIP ALG of Realtek's eCos SDK, which ships inside a large number of consumer routers and gateways. A single crafted SIP packet carrying malicious SDP data gives unauthenticated RCE on the device, and because the fix lives in the SDK, end users depend on their OEM actually shipping a firmware update;
Apple released emergency patches to address two actively exploited 0-day vulnerabilities impacting macOS, iOS and iPadOS devices.
The first (CVE-2022-32893) is an out-of-bounds write in Apple’s WebKit engine, used by Safari and every other browser on iOS, and can be triggered by maliciously crafted web content to gain code execution in the browser process;
The second (CVE-2022-32894) is an out-of-bounds write in the kernel, which an application can use to execute arbitrary code with kernel privileges and so gain full control of the compromised device. Apple states both were reported as possibly actively exploited;
Google has also rushed a patch for Chrome to address an actively exploited vulnerability (CVE-2022-2856), insufficient validation of untrusted input in Intents, that enables arbitrary code execution. Other Chromium-based browsers will pick up the same fix as they rebase.
Offensive
Evil PLC Attack (Claroty Team82) - weaponising Programmable Logic Controllers (PLCs) so that the engineering workstation that connects to them is compromised when it uploads the project, giving a foothold to pivot further into OT and enterprise networks;
A technical write-up on bypassing KASLR to implement macOS kernel exploits on Intel-based systems;
How to use API management service tyk.io to obfuscate Cobalt Strike traffic;
This service is reported to be abused by ex-Conti affiliates, as well as observed in an Emotet campaign from July this year, so it’d be a good one to add to your adversary emulation playbooks;
A write-up & PoC for the now-patched CVE-2022-30216 (CVSS 8.8) in the Windows Server service, used to coerce NTLM authentication out of a Windows server and relay it to AD CS to obtain a certificate for that machine account;
TeamFiltration - a cross-platform framework for enumerating, spraying, exfiltrating, and backdooring O365 AAD accounts;
AceLdr - A position-independent reflective loader for Cobalt Strike;
EntropyFix - A simple project that lowers the entropy of a payload, since high entropy is a common heuristic for flagging packed or encrypted content;
ExportDumper extracts the export table of a given DLL, so that a proxy DLL can forward every export to the renamed original and still satisfy its callers in DLL Proxying attacks.
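What a tool like ExportDumper has to do, as an added example written by the editor rather than ExportDumper's own code: walk the PE headers to the export directory, list every export (named and ordinal-only, and forwarders), then emit the MSVC linker pragmas a proxy DLL needs. The input is a minimal PE32+ DLL constructed in build_fixture_dll (three exports, one of them ordinal-only) so it runs offline; the real DLL name proxyme_real and the ord{N} stub names are assumptions. In practice you would point parse_exports at the target DLL's bytes, or use the pefile library, which does the same walk.

```python
"""Dump a DLL's export table and emit linker forwarders for a proxy DLL.

Added example, not ExportDumper's code. The fixture DLL is constructed below.
"""
import struct


def _rva_to_offset(rva, sections):
    """Translate a relative virtual address to a file offset via the section table."""
    for va, raw_ptr, raw_size, vsize in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def parse_exports(data):
    """Return (dll_name, [(name, ordinal, target), ...]).

    name is "" for ordinal-only exports; target is the function RVA, or for a
    forwarded export the "OtherDll.Func" string the loader would follow.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ header)")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    dd_off = opt_off + (112 if magic == 0x20B else 96)      # DataDirectory: PE32+ vs PE32
    exp_rva, exp_size = struct.unpack_from("<II", data, dd_off)  # entry 0 = export table
    sections = []
    for i in range(nsections):
        hdr = opt_off + opt_size + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((va, raw_ptr, raw_size, vsize))
    if exp_rva == 0:
        return None, []
    eo = _rva_to_offset(exp_rva, sections)
    # IMAGE_EXPORT_DIRECTORY from the Name field onwards
    name_rva, base, nfuncs, nnames, funcs_rva, names_rva, ords_rva = \
        struct.unpack_from("<7I", data, eo + 12)
    dll_name = _cstr(data, _rva_to_offset(name_rva, sections))
    funcs_off = _rva_to_offset(funcs_rva, sections)
    names_off = _rva_to_offset(names_rva, sections)
    ords_off = _rva_to_offset(ords_rva, sections)
    names = {}  # function index -> exported name
    for i in range(nnames):
        n_rva = struct.unpack_from("<I", data, names_off + 4 * i)[0]
        idx = struct.unpack_from("<H", data, ords_off + 2 * i)[0]   # unbiased ordinal
        names[idx] = _cstr(data, _rva_to_offset(n_rva, sections))
    exports = []
    for idx in range(nfuncs):
        rva = struct.unpack_from("<I", data, funcs_off + 4 * idx)[0]
        if rva == 0:
            continue                       # hole in the ordinal range
        target = rva
        if exp_rva <= rva < exp_rva + exp_size:   # points into the export dir: forwarder
            target = _cstr(data, _rva_to_offset(rva, sections))
        exports.append((names.get(idx, ""), base + idx, target))
    return dll_name, exports


def proxy_pragmas(exports, real_dll):
    """Forward every export to the renamed original; ordinal-only ones stay NONAME
    so callers that import by ordinal keep working (assumed ord{N} stub names)."""
    out = []
    for name, ordinal, _ in exports:
        if name:
            out.append(f'#pragma comment(linker, "/export:{name}={real_dll}.{name},@{ordinal}")')
        else:
            out.append(f'#pragma comment(linker, "/export:ord{ordinal}={real_dll}.#{ordinal},@{ordinal},NONAME")')
    return out


def build_fixture_dll():
    """Constructed minimal PE32+ DLL with a single .edata section (two named exports
    plus one ordinal-only export at ordinal 3)."""
    sec_rva, sec_raw = 0x1000, 0x200
    strings = b"proxyme.dll\0Initialize\0Shutdown\0"
    name_rva = sec_rva + 0x40                      # strings follow the three tables
    init_rva = name_rva + len(b"proxyme.dll\0")
    shut_rva = init_rva + len(b"Initialize\0")
    edata = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, name_rva, 1, 3, 2,
                        sec_rva + 0x28, sec_rva + 0x34, sec_rva + 0x3C)
    edata += struct.pack("<III", 0x2000, 0x2100, 0x2200)   # AddressOfFunctions
    edata += struct.pack("<II", init_rva, shut_rva)        # AddressOfNames (sorted)
    edata += struct.pack("<HH", 0, 1)                      # AddressOfNameOrdinals
    edata += strings
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)    # e_lfanew -> PE header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                 # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112, sec_rva, len(edata))  # export data directory
    sect = struct.pack("<8sIIIIIIHHI", b".edata", len(edata), sec_rva, 0x200, sec_raw,
                       0, 0, 0, 0, 0x40000040)            # INITIALIZED_DATA | READ
    img = bytearray(dos + coff + opt + sect)
    img += b"\0" * (sec_raw - len(img)) + edata + b"\0" * (0x200 - len(edata))
    return bytes(img)


if __name__ == "__main__":
    dll, exports = parse_exports(build_fixture_dll())
    print(f"{dll}: {len(exports)} exports")
    for name, ordinal, target in exports:
        print(f"  @{ordinal} {name or '<ordinal only>'} -> {target}")
    print("\n".join(proxy_pragmas(exports, "proxyme_real")))
```

Two checks worth carrying over to real targets: an export whose RVA lands inside the export directory is a forwarder and must be re-forwarded to wherever it already points, and ordinal-only exports are easy to miss if you only walk AddressOfNames, which is exactly the gap that makes a hand-written proxy fail to load.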
Defensive
Sysmon v14 has been released with a new Event ID 27 (FileBlockExecutable), which lets Sysmon block, and log, attempts to write executable (PE) files to disk. It identifies executables from the file header rather than the extension, and only writes matching an include rule are blocked, so the rules decide which staging locations and writing processes are covered.
Nextron Systems (Florian Roth) have already updated their sysmon-config to block drops into common staging directories, executables with double extensions, files carrying known hacktool imphashes, and other anomalous executable drop events;
Almost immediately after its release, Adam Chester demonstrated a bypass for this new event and mitigation. It is still worth deploying if you can, but treat it as one layer: no single control is perfect!
Datadog have released Threatest, a Go framework for end-to-end detection validation that uses their Stratus Red Team framework to detonate the attack techniques and then checks that the expected alert fires;
SwiftOnSecurity shared a neat detection gap: neither the Windows DNS Client operational log (the 30xx events) nor Sysmon's DNS query event (ID 22) will record lookups made by nslookup, because both rely on the native Windows DNS Client resolver and nslookup uses its own internal resolver instead. Process creation events for nslookup.exe are the fallback if you want to see it at all;
Not sure what that weird file extension might be abused for? @mrd0x has you covered with filesec.io, a catalogue of file types and how they get used in phishing and payload delivery;
Sophos have a detailed write-up on Cookie Theft - how it works in practical attacks to circumvent authentication controls, and some examples of it in action;
Microsoft have published this post on hunting for malicious links shared through Teams. It makes use of Defender for Endpoint, Sentinel’s Jupyter Notebooks and MSTICPy, and is the latest in a series of posts looking for anomalous activity in Teams.
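To see what the Sysmon v14 FileBlockExecutable rules above actually select, here is an added example (editor's code, not Nextron's sysmon-config or Sysmon's own logic) that loads a small include ruleset written in Sysmon's config schema and evaluates it against constructed file-write events. It reproduces Sysmon's documented condition semantics (case-insensitive string matching, `contains any` splitting on `;`, `image` matching either the full path or just the file name); the executable check Sysmon performs on the written bytes' PE header, and Adam Chester's bypass, are outside what it models. Paths, process names and the rules themselves are made up for the example.

```python
"""Model which file writes a Sysmon v14 FileBlockExecutable include ruleset blocks.

Added example: the config fragment and the events are constructed by the editor.
"""
import xml.etree.ElementTree as ET

CONFIG = """<Sysmon schemaversion="4.82">
  <EventFiltering>
    <RuleGroup name="BlockStagedExecutables" groupRelation="or">
      <FileBlockExecutable onmatch="include">
        <TargetFilename condition="contains">\\AppData\\Local\\Temp\\</TargetFilename>
        <TargetFilename condition="contains">\\Users\\Public\\</TargetFilename>
        <TargetFilename condition="contains any">.pdf.exe;.doc.exe;.jpg.exe;.txt.exe</TargetFilename>
        <Image condition="image">WINWORD.EXE</Image>
        <Image condition="image">EXCEL.EXE</Image>
      </FileBlockExecutable>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""


def match(cond, value, pattern):
    """Sysmon condition semantics; every string comparison is case-insensitive."""
    v, p = value.lower(), pattern.lower()
    parts = [x for x in p.split(";") if x]
    if cond == "is":
        return v == p
    if cond == "is not":
        return v != p
    if cond == "contains":
        return p in v
    if cond == "excludes":
        return p not in v
    if cond == "contains any":
        return any(x in v for x in parts)
    if cond == "contains all":
        return all(x in v for x in parts)
    if cond == "begin with":
        return v.startswith(p)
    if cond == "end with":
        return v.endswith(p)
    if cond == "image":   # full path of the writing process, or just its file name
        return v == p or v.rsplit("\\", 1)[-1] == p
    raise ValueError(f"unsupported condition {cond!r}")


def load_rules(xml_text, event="FileBlockExecutable"):
    """Flatten every include rule for the event type into (field, condition, pattern)."""
    rules = []
    for block in ET.fromstring(xml_text).iter(event):
        if block.get("onmatch") == "include":
            for field in block:
                rules.append((field.tag, field.get("condition", "is"),
                              (field.text or "").strip()))
    return rules


def blocking_rule(event, rules):
    """First include rule the event matches (write blocked, Event ID 27 logged), else None."""
    for tag, cond, pat in rules:
        if tag in event and match(cond, event[tag], pat):
            return tag, cond, pat
    return None


# Constructed candidates for Event ID 27: the writing process and the destination file.
EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\update.exe"},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\bob\Documents\invoice.dll"},
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\bob\Downloads\report.pdf.exe"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Program Files\Vendor\app.exe"},   # no include rule: allowed
]


def evaluate(events=EVENTS, config=CONFIG):
    rules = load_rules(config)
    return [(e["TargetFilename"], blocking_rule(e, rules)) for e in events]


if __name__ == "__main__":
    for target, hit in evaluate():
        verdict = "BLOCK" if hit else "allow"
        why = f"  <- {hit[0]} {hit[1]} {hit[2]!r}" if hit else ""
        print(f"{verdict} {target}{why}")
```

The fourth event is the point to keep in mind when tuning: a PE written anywhere the include rules do not name is simply allowed, so the ruleset is a blocklist of staging paths and writer processes, not a general policy, and anything an attacker can route around it (as Adam Chester showed) still needs to be caught by your other file-create and process telemetry.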
Threat Actor Activity & Reporting
NCC Group’s analysis of a LockBit 3.0 campaign that began with a SocGholish infection pairs nicely with Sucuri’s detailed profile of the SocGholish malware, who say they’ve detected it on “over 25,000 sites since the beginning of January — with another 61,000 infected websites detected last year alone.”
Group-IB look back at the targeting and TTPs used in APT41/Winnti campaigns throughout 2021, which comprised 80 attempted intrusions - 13 of which resulted in successful network compromise;
MSTIC (Microsoft Threat Intelligence Center) report on SEABORGIUM activity - a Russia-aligned actor that runs credential harvesting and phishing campaigns, often after long reconnaissance of the target, to enable data theft and likely espionage objectives;
Trustwave have an excellent summary of the actors and malware targeting Ukraine throughout the Russian invasion.
Cyber Crime & Ransomware
Stephen Berger has compiled this detailed thread, packed with practical hunting opportunities for QuasarRAT;
BlackByte have revamped their leak site, copying LockBit by offering tiered payment options open to anyone, not just the victim: pay to delay publication of the stolen data, to buy it outright, or to have it deleted;
The SOVA Android banking trojan has returned with new tricks, including intercepting 2FA codes and stealing cookies. Its operators have also expanded targeting to Australia, Brazil, China, India, the Philippines, and the U.K.;
Technical analysis and a detailed write-up on the BlackGuard InfoStealer;
MalwareBytes have some analysis to share on JSSLoader, used in FIN7 campaigns;
Secureworks published a report on DarkTortilla, a complex and highly configurable .NET-based crypter that has been active since at least August 2015, used to hide payloads such as AgentTesla, AsyncRat, NanoCore, and RedLine.
Misc
Analysis of the BraZZZers domain protection (anonymisation) service sold on the Dark Web reveals it’s just a bunch of VPSs cobbled together, but still somewhat effective;
Huntress Labs report that Grzegorz Tworek's lesser-known NPPSPY technique was used in a real-world attack: the attacker registered a rogue Network Provider DLL, so Winlogon handed it the user's cleartext password at logon, which it then wrote to disk;
Not able to make it to Defcon/BlackHat last week? Catch up on what went down with this wrap-up;
The clips from July’s SANS Ransomware Summit are now available on Youtube.
That’s it for this week! Here’s some #mondaymotivation to help you prepare for tomorrow - give ‘em hell!