SOC Goulash Weekend Wrap-Up

Infosec News for 22/08/2022–28/08/2022

This is a cross-post from the main Opalsec Substack. Check it out and subscribe to receive the latest newsletters straight to your inbox!

Headline Items

1. The true scope of impact of the SMS Phishing campaign targeting Twilio continues to grow, highlighting supply chain risks and the fragility of relying on token-based MFA to secure authentication;
2. APT29 reveal MagicWeb — a “skeleton key-like” backdoor in AD FS, deployed in a last-ditch effort to maintain persistence as remediation and containment efforts commenced to evict them from the network;
3. A series of “risks” in Okta, one of which could allow child domains to gain super admin privileges in their parent — sure sounds like a vulnerability, doesn’t it?

0ktapus — putting a name to the Twilio compromise…and more

References: Group-IB | Okta | Tech Crunch

Remember the Twilio compromise we covered two weeks ago? Well, recent reporting has revealed that this sophisticated SMS-based Credential Harvesting campaign was actually much more wide-spread than first thought, and used to facilitate supply chain attacks on downstream providers.

Impact — Initial & Secondary Attacks

Group-IB have dubbed the campaign “0ktapus” — as it targeted customers of the identity provider Okta — and identified nearly 10,000 compromised credentials and 5,441 MFA codes stolen from victims around the world, with the majority located in the USA. Most of the impacted companies were IT, software development or cloud service providers.

Significantly, Group-IB found that three organisations compromised in the 0ktapus campaign either enabled or could have enabled secondary attacks:

1. Personal information relating to cryptocurrency accounts managed by marketing firm Klaviyo were stolen, and could have enabled the theft of cryptocurrency;
2. The attacker’s compromise of Mailchimp would have enabled them to manipulate password resets and email alerts for downstream customers such as Digital Ocean, thereby enabling potential onward compromise of additional victim networks;
3. The compromise of Twilio enabled the attacker to attempt to hijack Signal accounts by re-registering them to new mobile devices.

Okta’s analysis also revealed the actor — which they track as “Scatter Swine” — sought to expand their access once they compromised Twilio, triggering SMS-based MFA challenges and using Twilio systems to search for those codes.

Figure 1: A breakdown of known impacted organisations

The above examples are a sobering example of supply-chain risk. The range of immediate and indirect impact that can be incurred by a simple SMS phishing campaign is considerable, with the potential for cryptocurrency or account theft, and even onward compromise of downstream customers.

The keys to the efficacy of this campaign were the convincing lookalike login pages, use of Callback Phishing, and real-time relay of MFA material to the target authentication service. A combination of compensating controls (e.g. Staff/user education) and mitigating controls (e.g. Physical FIDO tokens, Conditional Access policies) will go a long way towards minimising the risk posed by this growing attack vector.

APT29/NOBELIUM deploys skeleton key in AD FS

Reference: Microsoft

Microsoft have released a detailed technical analysis of MagicWeb — a novel persistence technique targeting AD FS — which they discovered being deployed by APT29 (NOBELIUM) as a hail-Mary persistence attempt when the actor believed it was about to be evicted from the network.

The persistence is achieved through using DLL hijacking to inject a malicious DLL into the AD FS process, which looks for a specific value within the user certificate passed by the attacker when authenticating. When found, it bypasses all AD FS checks — including MFA — and grants the attacker network access.

Technical Breakdown

It’s worth noting that a prerequisite to this attack is that the actor must have already acquired highly privileged access within the environment and have a foothold on an AD FS server. That makes this a very late-game persistence method, and one you would’ve hopefully avoided by picking up activities earlier in the intrusion Kill Chain.

The attacker can implement this backdoor by:

1. Replacing the legitimate Microsoft.IdentityServer.Diagnostics.dll file used by the AD FS service with a backdoored version;
2. Editing C:\Windows\AD FS\Microsoft.IdentityServer.Servicehost.exe.config, specifying a different “public token” value that points to the malicious DLL.

Because Microsoft.IdentityServer.Diagnostics.dll is loaded into the AD FS process at startup to provide debugging capabilities, this presents the attacker with a reliable DLL Hijacking opportunity to exploit.

The backdoor is triggered when a user authenticates to AD FS with a crafted user certificate that contains an attacker-specified “magic” Object Identifier (OID) value within the certificate Enhanced Key Usage (EKU) field. The MagicWeb backdoor — which is injected into the AD FS process — is configured to look for this value being passed. When encountered, the backdoor will bypass all AD FS processes (including MFA checks) and validates their authentication attempt to provide access to the network.

Mitigations, Detections, and Hunts

Microsoft has provided detailed guidance on how to protect against and respond to this threat on your network.

1. Enabling AD FS verbose logging and security auditing in order to generate and monitor Event ID 501, which can highlight anomalous EKU values being passed to the server;
2. Include the Global Assembly Cache (GAC) in periodic audits, as that’s where the malicious dll would be stored;
3. Look for unsigned files in the GAC — keep in mind the legitimate DLL is catalog signed, meaning it may appear unsigned in the file properties pane and to some tools. If you can’t work around this, long-tail analysis of hash values to identify outliers may be the next best approach.

Some other (untested) suggestions I’d make based on Microsoft’s write-up:

1. Look for file write events to the GAC — there may be no/few legitimate instances of this in a standard SOE;
2. Look at file open/write events for the ADFS config file, as the attacker will have to modify the “public token” value to point to their DLL.
3. Look for a file write event where the original name is Microsoft.IdentityServer.Diagnostics.dll — that might catch the attacker renaming the original file or placing their new one. A file delete event for the file might also surface the attacker removing the legitimate dll before placing their malicious one.
4. Certificates with unknown EKU values will have the value flagged with “Unknown Key Usage” when inspected manually — it’s possible this value presents somewhere in logs, but requires testing to confirm.

IcedID campaigns vary delivery methods

References: @pr0xylife | @Max_Mal

IcedID distributors have again changed up their TTPs, with two distinct IcedID delivery chains being observed this past week — one using the zip > iso > lnk mechanism, and another that used an rtf maldoc to deliver the payload.

Campaign #1

1. The campaign begins with delivery of a password-protected zip archive containing an iso. This contains <file>.png.lnk and <decoy_image>.png;
2. Execution of the .lnk will first open the decoy png image using start.exe;
3. Curl is then invoked to download the .dll payload, executing it with rundll32 at ordinal #1.

The key takeaways:

1. The use of a decoy image — which is a page from a finance-related document — to give the user the impression they opened the expected attachment, while the payload is downloaded and run in the background; and
2. The use of carets to obfuscate the command line — these are ignored when run, but will bypass simple string-based detections.

Campaign #2

1. VBA macros embedded in a rtf maldoc provide initial code execution;
2. This drops two files:

• [a-zA-Z]{2}\d{3}.tmp.exe — a renamed copy of rundll32.exe;
• [a-zA-Z]{2}\d{3}.tmp.dll — the IcedID payload;

3. The renamed executable is used to execute the IcedID dll at ordinal #1.

The key takeaways:

1. VBA Macros and rtf payloads are still being used — just less frequently;
2. The use of a BYO binary to obfuscate the use of rundll32.exe;
3. Despite the dropped instance of rundll32.exe being renamed, the spawned child process that executes the dll still appears with the original filename.

Figure 2: The renamed rundll32.exe binary still spawns with the original file name

NetSupport RAT Campaign Summary

References: @SecurityAura | @ankit_anubhav

@SecurityAura has shared a neat summary of a recent campaign distributing the NetSupport RAT — a legitimate remote access tool abused by cyber crims — spanning from August 9 past August 18.

Key Campaign Details:

1. Emails (hijacked email threads) contain Google Drive/Dropbox links to download zip payloads
2. Unzip archive with password. Executing the .lnk runs an obfuscated .ps1 script that downloads and runs the NetSupport .exe

The tricky part is the PowerShell, which uses aliases to obfuscate its intention:

Figure 3: An example of the PowerShell download cradle

If you’re looking to run a quick simulation to test your detections, @ankit_anubhav has provided a handy PoC that’ll emulate the execution chain from the initial payload invocation through to the PowerShell download cradle.

Calling them “risks” doesn’t make me feel better

Reference: Authomize

Researchers at Authomize released a report into several “risks” they identified in Okta’s Identity platform, namely:

1. The potential for cleartext password extraction via SCIM (System for Cross-domain Identity Management);
2. Sharing of passwords and sensitive data over unencrypted channels (HTTP);
3. Hub & spoke configurations allowing sub-org admins to compromise accounts in the hub or other spokes downstream;
4. Mutable identity log spoofing — users can modify their name, allowing them to perform actions while appearing in logs as someone else.

When reaching out to Okta to disclose their findings, they were advised that, in fact, “the features are performing as designed and should not be categorized as vulnerabilities.”

Given the third “risk” could feasibly allow a downstream organisation (e.g. a small mortgage broker acquired by a large, multinational bank) to gain super admin privileges across the parent organisation’s network — I feel like fobbing it off as a feature and not a flaw is a bit of a cop-out.

Hopefully Okta comes up with more concrete guidance and controls to empower organisations to mitigate these “risks”, but in the meantime, I’d recommend reviewing the Authomize blog to understand the potential impact and what actions you can take to guard against them.

Offensive

1. BBOT — an OSINT framework for automating subdomain enumeration, port scanning, web screenshots, vulnerability scanning, and more;
2. Masky — a python library that abuses legitimate Windows and Active Directory features (token impersonation, certificate authentication via kerberos and NT hashes retrieval via PKINIT) to dump domain user creds by targeting ADCS deployments;
3. For your next Red Team engagement — a write-up and stable PoC exploit for PrintNightmare (CVE-2021–34527);
4. JWT-Reauth — a plugin for Burp Suite which caches authentication tokens and automatically refreshes them when needed;
5. PIVert — a tool for remote authentication using abused AD CS certificates;
6. hoaxshell — a Windows reverse shell claiming to be undetected by Defender on Windows 11 Enterprise and 10 Pro;
7. Looking to learn how to pop CI/CD environments? CI/CD GOAT provides a containerised sandpit for you to smash;
8. Part II of @bohops’ look into tampering with .NET CLR usage logs to evade EDR, and how to detect it.

Defensive

1. The Elastic Container Project — allows you to bring up a full Elastic stack with everything pre-enabled/configured with TLS and ready for you run with;
2. YaraML — a machine-learning tool to generate YARA rules from a dataset of malicious/benign labeled data;
3. @inversecos has published another great post on how to detect OAuth Access Token Theft occurring in Azure — a technique used by Chinese APTs but also broadly understood and used by white hats and cyber crims to access internal environments and data;
4. @likethecoins has shared part 2 in her series on how to get into and improve your Threat Intel workflows and methodologies. It’s incredibly detailed and from one of the best in the industry — definitely worth a read if you’re playing in that field;
5. Microsoft have shared a walkthrough on hunting for compromised Azure subscriptions using M365 Defender and Defender for Cloud Apps;
6. Lnk files have become a core part in execution chains for initial malware payloads such as IcedID and Qbot — check out this blog for an overview of how that came about and how to detect them;
7. Grzegorz Tworek identified a new LOLBIN in dumpbin.exe, Kostas Tsale responded with a Sigma rule to detect its abuse;
8. Binary Defense have shared this nifty primer on analysing Rust malware;
9. For my fellow peasant malware analysts out there, struggling to find samples without a VT license — this guide will help you make the most out off publicly available solutions to find what you need.

Threat Actor Activity & Reporting

1. zScaler have warned of an ongoing Attacker-in-The-Middle (AiTM) phishing campaign targeting C-suite and senior members of organisations that use Google Workspace. The campaign abuses open-redirects in Google Ads and Snapchat, and leverages the initially compromised sites and emails to perform further social engineering of their contacts.
2. Sucuri reported on a campaign that used hacked WordPress sites to display fake Cloudflare DDoS protection pages, ultimately enabling the delivery of malware including the NetSupport RAT and RaccoonStealer Infostealer.
3. Microsoft have shared a report on MERCURY — an actor affiliated with Iranian intelligence — who used Log4Shell vulnerabilities in a campaign targeting Israeli organisations;
4. LastPass disclosed a breach that occurred two weeks ago — while they insist customer data and encrypted password vaults were not compromised, the attacker did make off with some source code and “proprietary” technical information;
5. The FBI released an advisory warning that actors were abusing residential proxies to mask their origin and blend in with regular consumer traffic when performing credential stuffing attacks.

Cyber Crime & Ransomware

1. Microsoft have an excellent report looking at hunting Sliver — a C2 framework which several nation-state and cyber crime actors have adopted to replace Cobalt Strike in their operations;
2. An intro to Agenda, a new Go-based ransomware strain with some functional and infrastructure similarities to BlackBasta;
3. Elastic have released analysis of a Qbot malware sample obtained in a recent campaign, complete with IOCs, a YARA rule and a handy config extractor;
4. An interview with “Wazawaka” — credited with ransoming Costa Rica’s government systems; Capcom, the DC Metro Police, and more;
5. An interesting tidbit — crypto miners have been seen using the serverless, P2P Tox messaging protocol for C2. Crypto miners are often one of the first payloads deployed when new external-facing vulnerabilities are uncovered and PoC exploits are released, so they act as a “canary in the coalmine” — if you find one running in your network, you’ve probably either got, or are about to have, much bigger problems. If you clock Tox P2P traffic on your network, it’d definitely be worth looking into.

Misc

1. Andy Robbins has shared a series of resources detailing how organisations can prevent Kerberoasting — all rolled neatly into a Twitter thread;
2. Real-time Locating Systems (RTLS) have been found to be vulnerable to attacker-in-the-middle attacks and manipulation of location data. This could be abused to bypass physical security measures, or to spoof safety hazards to trigger kill-switch safety controls and disrupt production lines;
3. A friendly reminder that as of October 1, Microsoft are disabling basic authentication in a bunch of their services, which will also prevent the use of app passwords with apps that don’t support two-step verification.