SOC Goulash Weekend Wrap-Up

Infosec News for 19/09/2022–25/09/2022

This is a cross-post from the main Opalsec Substack. Check it out and subscribe to receive the latest newsletters straight to your inbox!

Headline Items

  1. A rootkit used by DPRK’s Lazarus Group abuses vulnerable kernel drivers to disable security monitoring features throughout the system, blinding AV and EDR products;
  2. Major Australian telco Optus loses sensitive PII for 11.2 million customers through an exposed unauthenticated API. Lapsus$ blamed for Uber & Rockstar hacks, with an arrest made in the UK;
  3. Red Teamers rejoice — this week saw numerous posts on attacking Azure Conditional Access and Pass-through-Authentication; Kerberos FAST, relaying YubiKey authentication, and more. Find those write-ups and more in Part 2!

Lazarus rootkit achieves God-mode with BYOVD attack

References: AhnLab | Elastic

Security vendor AhnLab has released a report that takes a deep dive into a rootkit deployed by the North Korean APT Lazarus Group. Their analysis focuses on the use of the Bring-Your-Own-Vulnerable-Driver (BYOVD) technique to drop an vulnerable, legitimate kernel driver to disk, which it exploits to disable all security products on the given system.

Specifically, AhnLab observed the legitimate ene.sys kernel driver from ENE technology being abused, as well as a vulnerability in Dell’s BIOS update utility (CVE-2021–21551) that provided attackers with kernel-level access through use of the ZwWriteVirtualMemory API call. This was used to modify the global kernel data, allowing the attacker to implement a whitelist of only “crucial normal system driver files” — effectively disabling all monitoring mechanisms like Windows Event Tracing (ETW) and the Windows Filtering Platform (WFP) that Antivirus and EDR solutions rely on.

While BYOVD attacks have been observed in numerous times in the recent past and dating as far back as 2014, AhnLab note that through this specific implementation, Lazarus are “the first to design an elaborate rootkit to disable all systems from the old Windows 7 to the most recent OS, Windows Server 2022.”

Mitigations & Detections

Call it fate, but just two days before AhnLab released their report, Elastic shared this fantastic wrap-up on BYOVD attacks, complete with a primer on how it works and 65 YARA rules to get you started in mitigating their use.

They strongly recommend the explicit blocking of known vulnerable drivers in conjunction with Windows Defender Application Control (WDAC), citing the Microsoft recommended driver block rules as a great place to start.

Allow-listing is the next — and much more involved — step in mitigating BYOVD attacks, which may not be feasible for many of the larger organisations out there.

Finally, a favourite of Detection Engineers — looking for behavioural anomalies. Elastic provide an example EQL query that looks for:

  1. Any non-file-deletion event where:
  2. The target file either has the .sys extension or MZ header; and
  3. The process is either not signed or signed by an untrusted authority; and
  4. The driver is loaded via the System Process (ntoskrnl.exe — PID 4).

If BlackCat run Agile — they are crushing their Sprints

Reference: Symantec

Symantec have discovered new versions of the data exfiltration and credential stealer tools being used by the BlackCat ransomware group in recent operations. This follows the creation of an ARM build for their ransomware and safe-mode encryption functionality being added to their Windows build in June this year, and improving their leak site to make stolen data indexed and searchable in July.

Say what you will about the Agile framework, but if BlackCat are running it — you can’t argue with results!

Exmatter — Data Exfiltration

BlackCat’s data exfiltration tool has been actively developed throughout the life of their group, with the latest iteration seeing a huge re-writing of the code base — potentially to mitigate attempts to fingerprint it based on the tool’s features and functionality. Speaking of which — there were a few added and removed:

  1. The dictionary of file types it exfiltrates has been culled significantly;
  2. FTP exfiltration has been added alongside existing SFTP and WebDav options;
  3. Operators can enable a self-destruct option which triggers if executed outside of a non-corporate environment (i.e. non-Windows domain);
  4. SOCKS5 support was removed.

Eamfo — Veeam Credential Stealer

Veeam is a widely used corporate backup solution — as such, it’ll often store credentials that it uses to authenticate to enterprise systems to create backups. Naturally, this includes Domain Controllers, cloud services, and more.

Symantec report they have seen the Eamfo credential stealer used to pilfer creds from Veeam’s back-end SQL database using the following query:

select [user_name],[password],[description] FROM [VeeamBackup].[dbo].[Credentials]

Interestingly, Symantec note that Eamfo has been observed used in attacks deploying the Yanluowang and LockBit ransomware payloads, as well as by the Conti copycat group “Monti”. They further note that GMER — a dated rootkit scanner — has been observed used alongside Eamfo to kill processes during intrusions, and is gaining in popularity across ransomware operations in general.

BlackCat’s active development of their capabilities has helped them to maintain their competitive edge in a market saturated with RaaS programs. Their operation is highly professionalised both in terms of their exclusive affiliate program, and their ransomware’s ability to operate across Windows, ESXi, Debian operating systems, and more.

Keep in mind the fact they use a custom data exfiltration tool — as opposed to LOLBIN-type exfiltration employed by other ransomware crews — and ensure you’re postured to monitor and mitigate attempts to harvest credentials from Veeam SQL databases.

Qakbot TTP Summary

The two Qakbot botnets varied in their initial delivery mechanism, but otherwise adopted the same execution chain that swapped out .bat files for .cmd files to obfuscate the execution of the payload dll, which spawned and injected into Explorer.exe or WerFault.exe

BB Botnet

The main change for the BB botnet (TA577) was the use of .cmd files instead of .bat files used last week, and opting for direct iso delivery or malicious urls to deliver their payloads:

19/09: iso > cmd.exe (.lnk) > wscript.exe (.js) > cmd.exe (.cmd) > regsvr32.exe (.dll)

20/09: url > .zip > .iso > cmd.exe (.lnk) > wscript.exe (.js) > cmd.exe (.cmd) > regsvr32.exe (.dll)

22/09: url > .zip > .iso > cmd.exe (.lnk) > wscript.exe (.js) > cmd.exe (.cmd) > regsvr32.exe (.dll)

Obama Botnet

The Obama botnet (TA570) was relatively quiet and used a straightforward execution chain with little/no variance. Similar to TA577, it used .cmd files to obfuscate the dll invocation instead of the .bat files used last week:

19/09 (Obama205): html > .zip > .iso > cmd.exe (.lnk) > wscript.exe (.js) > cmd.exe (.cmd) > regsvr32.exe (.dll)

20/09 (Obama206): html > .zip > .iso > cmd.exe (.lnk) > wscript.exe (.js) > cmd.exe (.cmd) > regsvr32.exe (.dll)

The Other Guys

Agent Tesla

  • 0xToxin started the week with their analysis of Agent Tesla samples used by the Aggah/Hagga actor. They found its PowerShell droppers pulling payloads from BitBucket and pushing exfil via authenticated FTP;
  • Another campaign identified the next day by 0xToxin saw AgentTesla being delivered through OneDrive links in Phishing emails, with exfil being performed via Telegram.
  • Another campaign from the 22nd sent Phishing emails with two archives attached. The first as a .r00 archive (RAR) that contained a .js file (vjw0rm/wshrat) that delivered the Agent Tesla payload . The second was a .gz archive that contained an exe that installed wshrat, followed by Agent Tesla. Exfil observed in this campaign was done via authenticated SMTP.

IcedID

  • A campaign observed on the 21st saw IcedID using thread hijacked emails to deliver password-protected zip files that contained ISO images. The execution chain from there was nearly identical to the BB and Obama Qakbot botnetslnk > js > cmd > dll.

BumbleBee

  • @pr0xylife’s analysis of samples from the 19th showed the payload delivered via a zipped iso that used an lnk > bat > ps (net.webclient download) > dll (rundll32.exe) execution chain;
  • @kostastsale added to the above analysis, highlighting the follow-up enumeration activity and WMI queries used in addition to the standard nltest and net.exe LOLBIN activity that you can hunt for/detect on.

Headline Vulnerabilities

  1. A flaw identified in Oracle’s Cloud offering — Oracle Cloud Infrastructure (OCI) — allowed users to access the virtual disks of other Oracle customers due to a lack of permissions verification in their AttachVolume API. To Oracle’s credit, they remediated the issue within 24 hours of disclosure, with no manual intervention or patching required from their customers;
  2. The US Cybersecurity and Infrastructure Security Agency (CISA) warned of seven vulnerabilities in Dataprobe’s iBoot-PDU power distribution unit product which could enable remote code execution attacks. The equipment is primarily used in industrial environments and data centers to control the power supply to devices and other equipment in an OT environment. Patches are available, for anyone running this kit in their environments;
  3. Researchers at Sansec have warned of a spike in exploitation attempts for CVE-2022–24086, a critical RCE vulnerability in Magento 2. Despite being disclosed in February with a warning from CISA of active exploitation issued soon thereafter, it seems this vulnerability is still doing the rounds. Full details can be found in Sansec’s report;
  4. Sophos has warned that an RCE vulnerability (CVE-2022–3236) in the User Portal and Webadmin interface of Sophos Firewall is being exploited in-the-wild. While the hotfix to address this flaw should be rolled out automatically based on default settings — you can also check to confirm it’s made it to your appliance. While you’re at it, it’d be worthwhile checking to make sure you’ve disabled WAN access to those portals — you don’t want to be that guy.

Offensive

  1. CrackQL — a GraphQL password brute-force and fuzzing utility that exploits poor rate-limit and cost analysis controls;
  2. LDAPNomNom — Anonymously brute-force Active Directory usernames from Domain Controllers by abusing LDAP Ping requests (cLDAP);
  3. AzureAttackKit — A collection of tools to pull down for attacking an Azure environment from a windows machine or Cloud Shell. Or if you’d prefer a more manual review for selective download — check out this thread;
  4. JuicyPotatoNG — A revival of the beloved JuicyPotato tool to help elevate privileges from a Service Account to System;
  5. Bookmark this blog post on the many ways you can come at attacking Cisco networks — there’s plenty in there for pentesters of all levels;
  6. Azure AD Conditional Accesswhat is it, and how to find and exploit flaws in its policy design;
  7. This post builds on Secureworks’ earlier post, and walks you through how to create backdoors and harvest Azure AD credentials through flaws in Azure’s Pass-Through-Authentication;
  8. Check out this post that builds on SpecterOps’ amazing work looking at abusing AD CS for domain escalation;
  9. TrustedSec take a look at Kerberos FAST — which uses a separate key to encrypt parts of the authentication flow — and how mainstay tools like Rubeus and Impacket fare against it;
  10. This is a really interesting walkthrough on how to relay YubiKey APDU packets (applicable to all PIV Smart Cards) to authenticate to remote systems;
  11. How to pull Office JWT session tokens from memory and abuse them with the Outlook REST API (soon to be deprecated for Microsoft Graph API). If you want a script to help do it, here’s one in PowerShell & another in Python;
  12. Remember GentilKiwi’s post from last week, noting that passwords are stored in user process memory when Citrix SSO is enabled? He’s just pushed a new release of Mimikatz that’ll help extract those creds. Check out this thread for more context;
  13. Six bypasses for the newly added FileBlockExecutable event added to Sysmon v14;
  14. Nestled in a huge thread on Azure Managed Identity attack paths, Andy Robbins has flagged that BARK’s Get-TierZeroServicePrincipals will help you discover all Azure Service Principals with Tier Zero privileges. it’s well worth reading the full thread for context on how and why this is useful;
  15. Speaking of Azure attack paths — here’s a comprehensive post from Cloudbrothers looking at the myriad of ways you can come at it;
  16. Andy Robbins has also used BARK to determine which Azure AD Admin and MS Graph App roles are abusable, and how.

Defensive

  1. Microsoft have released Enhanced Phishing Protection, which aims to identify and mitigate corporate password entry on reported phishing sites or apps connecting to phishing sites, password reuse on any app or site, and passwords typed into Notepad, Wordpad, or Microsoft 365 apps;
  2. Something you hope you never have to use but will be glad to have on-hand — a detailed checklist of practical Ransomware response steps;
  3. Set-SACL — A PowerShell wrapper for Roberto Rodriguez’s Set-AuditRule script. Set-SACL automates the identification of Cloud credentials and setting SACL on those files to monitor attempts to access them;
  4. This thread has a bunch of useful tips and resources to help implement and monitor Azure MFA and Conditional Access policies for your enterprise;
  5. A Phishing campaign has highlighted the shortcomings of Microsoft’s Safe Links features, with re-written links giving users a false sense of security where it fails to detect a malicious site. For Defenders, it’s worth ensuring the parsing rules feeding logs into your SIEM also account for Microsoft’s Safe Links, and extracts the original URL for IOC matching & analysis!
  6. The NSA have shared guidance for how to secure OT/ICS systems and assets.

Threat Actor Activity & Reporting

  1. Okta have reported a huge spike in credential stuffing attacks, with over 10 billion attempts against Okta’s services in the first 90 days of 2022 alone. While it’s a low-fi method that is significantly hampered by MFA, as we’ve seen in the 0ktapus campaign and Uber hacks — they can always socially engineer their way around it if they care enough to;
  2. SentinelLabs have kicked off their inaugural LabsCon security conference with a report and technical appendix (Google Doc) for Metador — a stealthy Spanish-speaking group that has operated since 2020 but only recently been uncovered having targeted telcos, ISPs, and universities in the Middle East & Africa;
  3. Microsoft have shared insights on an incident where malicious OAuth applications were deployed on a compromised tenant to enable attackers to control Exchange Online settings and spread malicious spam from their Exchange environment;
  4. This Dark Reading article highlights a recent trend of developers increasingly being targeted through the tools they use, such as Docker, Kubernetes, and Slack;
  5. Australian telco Optus has disclosed a breach that resulted in the compromise of sensitive user data that includes their passport and driver’s license numbers and physical addresses. The attacker verified they were able to retrieve 11.2 million customer records from an unauthenticated API, and Optus have been offered the ultimatum of paying US$1 million in Monero for the data not to be sold on the dark web;
  6. The latest in the Uber hack saga — they’ve blamed the notorious Lapsus$ extortion group, who they say abused stolen credentials for a 3rd-party contractor and performed MFA Fatigue attacks to pop their networks. UK police also arrested a 17-year old teen in connection with the hack, with the recent compromise of game developer Rockstar also added to their charges.

Cyber Crime & Ransomware

  1. The builder for LockBit 3.0, or “LockBit Black”, has been leaked online, sparking fears of copycats and widespread deployment of the ransomware beyond their approved affiliates — as if they weren’t prolific enough. Here’s the builder, one of the early blog posts looking at it, and some technical analysis to get you up to speed;
  2. Security researchers have warned that ChromeLoader, historically dropped as a Chrome extension that harvests browser-stored creds, is now “used to also drop ransomware, steal sensitive data, and deploy so-called decompression (or zip) bombs to crash systems”;
  3. Aquasec report that the crypto-mining group TeamTNT — who ostensibly went offline in 2021 — have returned with three new attacks being used in the wild;
  4. Researchers at Avast have taken a look at Roshtyak — the DLL backdoor used by the USB-borne trojan dubbed Raspberry Robin. Brace yourself — Roshtyak is stuffed into as many as 14 layers of obfuscation and anti-analysis measures — “one of the best-protected malware strains [Avast researchers] have ever seen”;
  5. Trend Micro have released a detailed 46-page profile on the prolific Cyber Mercenary crew they track as Void Balaur;
  6. Technical analysis of the Crytox ransomware.

Misc

  1. Andy Robbins, the absolute Chad that he is, has shared this comprehensive thread on how Azure Managed Identity attack paths crop up and are exploited by attackers;
  2. For orgs that have the right Microsoft 365 license and want to control and track sharing of sensitive emails and information — check out this walkthrough of Office Message Encryption and how to set it up;
  3. Planning a large-scale deployment/lift-and-shift operation, or been asked to look into the use of Infrastructure-as-Code? NCC Group have released an exhaustive and well referenced article to help you step through the process;
  4. Michael Taggart has shared a free sample (Part 1) of his course on Python for Defenders;
  5. Talks from VeloCon 2022 — hosted by the makers of the Velociraptor DFIR toolkit — are available online.

Thanks for reading! A reminder — this is a cross-post from the main Opalsec Substack. Check it out and subscribe to receive the latest newsletters straight to your inbox!

--

--

Bringing you the latest in Infosec News and Cyber tooling & tradecraft

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Opalsec

Bringing you the latest in Infosec News and Cyber tooling & tradecraft