SOC Goulash: Weekend Wrap-Up

Opalsec
Oct 16, 2022

10/10/2022–16/10/2022

This is a cross-post from the main Opalsec Substack. Check it out and subscribe to receive the latest newsletters straight to your inbox!

PoC, active enumeration & exploitation of Fortinet vulnerability CVE-2022–40684

The authentication bypass in FortiOS, FortiProxy and FortiSwitchManager, which hands an unauthenticated attacker administrative access to the appliance's management interface, is gaining attention and concern in equal measure.

It’s known to be actively exploited, has been added to CISA’s KEV catalogue, and has a public PoC circulating; analysts at Qualys and Horizon3.ai are warning of increasing volumes of scanning for it.

Whether or not you have patched yet, I’d strongly recommend following the additional hunting recommendation: search your device logs for user="Local_Process_Access" to find potential evidence of exploitation. Any hit deserves investigation, since that pseudo-user shows an action attributed to a local process rather than to a logged-in administrator.
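A small parser for that hunt, added here as an illustration rather than anything from Fortinet or the original post. The log lines are constructed to follow the FortiOS key=value event-log layout; every field other than `user` (action, cfgpath, cfgobj, cfgattr, msg) is an assumption, so map them to whatever your own appliance emits:

```python
import re
from collections import Counter

# FortiOS event logs are key=value pairs; most values are double-quoted, a few are bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample lines modelled on the FortiOS event-log layout (not real telemetry).
SAMPLE_LOGS = [
    'date=2022-10-12 time=09:12:41 devname="fw-edge-01" logid="0100032001" type="event" '
    'subtype="system" level="information" vd="root" logdesc="Admin login successful" '
    'user="admin" ui="https(203.0.113.7)" method="https" srcip=203.0.113.7 action="login" '
    'status="success" msg="Administrator admin logged in successfully from https(203.0.113.7)"',
    'date=2022-10-12 time=09:13:05 devname="fw-edge-01" logid="0100044547" type="event" '
    'subtype="system" level="information" vd="root" logdesc="Object attribute configured" '
    'user="Local_Process_Access" action="Add" cfgtid=3222 cfgpath="system.admin" '
    'cfgobj="support" cfgattr="accprofile[super_admin]" msg="Add system.admin support"',
    'date=2022-10-12 time=09:13:06 devname="fw-edge-01" logid="0100044547" type="event" '
    'subtype="system" level="information" vd="root" logdesc="Object attribute configured" '
    'user="Local_Process_Access" action="Edit" cfgtid=3223 cfgpath="system.admin" '
    'cfgobj="support" cfgattr="ssh-public-key1[ssh-rsa AAAA...]" msg="Edit system.admin support"',
    'date=2022-10-12 time=10:40:19 devname="fw-edge-01" logid="0100044547" type="event" '
    'subtype="system" level="information" vd="root" logdesc="Object attribute configured" '
    'user="admin" ui="https(203.0.113.7)" action="Edit" cfgtid=3240 cfgpath="firewall.policy" '
    'cfgobj="12" cfgattr="comments[reviewed]" msg="Edit firewall.policy 12"',
]


def parse_fortios_log(line: str) -> dict:
    """Turn one key=value log line into a dict, stripping the quotes from quoted values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def hunt_local_process_access(lines):
    """Return every parsed event attributed to the Local_Process_Access pseudo-user."""
    return [ev for ev in map(parse_fortios_log, lines)
            if ev.get("user") == "Local_Process_Access"]


def summarise_changes(hits):
    """Count (action, config path) pairs so the scope of any tampering is clear at a glance."""
    return Counter((ev.get("action", "?"), ev.get("cfgpath", "?")) for ev in hits)


if __name__ == "__main__":
    hits = hunt_local_process_access(SAMPLE_LOGS)
    for ev in hits:
        print(ev["date"], ev["time"], ev.get("action"), ev.get("cfgpath"),
              ev.get("cfgobj"), ev.get("cfgattr"), "|", ev.get("msg"))
    print(summarise_changes(hits))
```

Run it over an export of the appliance's event log (or the same lines as forwarded to your SIEM). A hit tells you what was changed and when; an empty result is not proof of absence, since an attacker with admin access can also alter log settings, so treat the hunt as one input alongside the patch state and a review of admin accounts and SSH keys.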

Patching aside, the management plane of these appliances should never be exposed to the internet. At the very least, put it behind a bastion host and VPN so that remote administration never terminates directly on the appliance.

Windows HVCI has been asleep at the wheel for 3 years

Hypervisor-Protected Code Integrity (HVCI) is the Windows feature that, among its other checks, enforces Microsoft’s vulnerable driver blocklist, refusing to load signed-but-vulnerable drivers that attackers bring with them to gain kernel code execution.

Unfortunately, Microsoft appear to have forgotten to update that list for nearly three years, with researchers including Will Dormann discovering that “the driver blocklist for HVCI-enabled Windows 10 machines hadn’t been updated since 2019, and the initial blocklist for Server 2019 only included two drivers.”

This oversight is particularly egregious given big-ticket actors such as DPRK’s Lazarus Group, BlackByte ransomware, and more are continuing to abuse vulnerable drivers to elevate privileges and implement rootkits on compromised systems in recent campaigns.

Microsoft have released a tool to bring the blocklists back up-to-date, but for individual users or smaller organisations, this script created by Dormann does the same thing, and may prove more straightforward.

It remains to be seen if Microsoft have remedied issues with Windows Updates not updating this list as intended, and is something to keep an eye on when the next month’s Cumulative Update is released.

Chrome browser extension for LastPass leaves your credentials exposed in memory

Rob Maslen at MDSec has demonstrated that it’s possible to extract unencrypted usernames and passwords from the Chrome browser extension for the Password Manager application LastPass.

The first a-ha moment came from inspecting the memory of processes running the Chrome LastPass extension, with usernames contained within the LastPass vault being visible in their unencrypted form.

Diving a little further into the process memory, a key named “aid” is paired with another key called “encname” which stores the encrypted username for a given account’s credentials. Searching on the “aid” value within memory will eventually land you within several bytes of the unencrypted password value.

Figure 1: Yellow is the “aid” string, red is an unencrypted password stored in memory

As if that wasn’t enough, Rob goes on to demonstrate that it’s possible to gain access to the LastPass Vault (the database of all saved credentials) by abusing Chrome’s Remote Debugging feature to drive the browser over its WebSocket-based DevTools protocol, effectively manipulating it into showing him the Vault.

The saving grace for users and defenders is that this technique is still error-prone, hasn’t been automated, and no tool that performs it programmatically has been shared publicly. That keeps the attack’s complexity high, but it also leaves defenders with the harder task of spotting and investigating anomalous interactions with Chrome processes running the LastPass extension, such as chrome.exe being launched with a --remote-debugging-port argument on a host where nobody is developing web content.

Emotet Poised for a Comeback

ESET researchers have pulled apart a new Emotet sample which appears to have incorporated significant changes designed to frustrate attempts by defenders to reverse-engineer it.

ESET believe this will “enable them to improve targeting of specific victims and distinguish tracking bots from real users.” The freelance malware hunting collective, Cryptolaemus, have confirmed they’ve seen the revised module deployed in-the-wild on both Epoch 4 and 5.

Caffeine improves all things — including Phishing

Mandiant have shared their analysis of Caffeine, a Phishing-as-a-Service (PhaaS) platform sold on the dark web which distinguishes itself through its ability to specifically target users of Chinese and Russian platforms with credential-phishing lures.

Caffeine demands a premium price as PhaaS offerings go, with the base offering priced at more than three times that of comparable platforms. While it currently only supports spoofing Microsoft 365 login pages, it provides numerous anti-detection and anti-analysis features to increase its effectiveness, and comes with unlimited customer support for the discerning cybercriminal.

  1. A campaign conducted by the Chinese APT group Mustang Panda was uncovered abusing a legitimate HP utility to deliver the PlugX RAT, in a campaign targeting Myanmar-based victims;
  2. SentinelLabs have shared their ongoing evaluation of an apparent espionage-motivated Chinese APT they track as WIP19. The actor was observed targeting Telco and IT service providers in the Middle East and Asia, using malware believed to be written by a well-known and well-established malware developer known as WinEggDrop;
  3. Budworm — a Chinese APT better known as APT27/Emissary Panda — have resumed targeting US organisations by exploiting Log4Shell vulnerabilities in order to drop their custom HyperBro backdoor; PlugX; Cobalt Strike, and credential dumping software;
  4. ESET have shared their analysis of the capabilities of POLONIUM, a Lebanon-based APT group that targets a number of verticals in Israel, with observed instances of coordination with actors affiliated with Iran’s Intelligence Service (MOIS);
  5. Security Firm AhnLab published analysis of a recent LockBit ransomware incident which they believe resulted from an “undisclosed zero-day vulnerability” in Exchange that is unrelated to the still-unpatched ProxyNotShell vulnerabilities from two weeks ago. This remains unconfirmed by Microsoft, but is one to watch;
  6. Cisco Talos have shared their comprehensive analysis of the Chinese-language Alchimist C2 framework and the accompanying Insekt implants it generates and controls. Written in Go, it is a fully featured offering that supports multiple C2 protocols, and is strikingly similar to the Manjusaka C2 framework in both design and intent;
  7. A deep dive into the attack patterns, infrastructure, and continuing evolution of the Emotet malware and operation. Reading the full article requires handing over your details, so here’s a TL;DR;
  8. HP’s Threat Research team have published their findings on recent activity by Magniber ransomware — a group targeting individuals with fake software updates and following a convoluted attack chain that incorporates UAC bypass and the DotNetToJScript method for in-memory payload execution.

Significant TTP Changes & Reporting on Qakbot

HTML Smuggling Encoding Change

TA570 (the Obama botnet) has attempted to obfuscate zip payloads delivered through HTML smuggling campaigns by base64-encoding the embedded zip twice and then applying ROT13 to the result.

This follows Florian Roth sharing a YARA signature that looks for the double-base64-encoded zip file header; you can adapt it by looking instead for the string “IHImERWP” in the HTML content, which is what the double-encoded header “VUVzREJC” (base64 of the base64 of “PK\x03\x04…”) becomes after ROT13.
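The following is an added example, not code from the campaign or from Florian Roth's rule, showing where “IHImERWP” comes from and how to reverse the chain. It builds a harmless in-memory zip, applies the assumed encoding order (zip, base64, base64, ROT13, which is the only ordering that yields the quoted prefix), derives the signature string from the zip local file header rather than hard-coding it, and then pulls and decodes the blob out of a constructed smuggling page:

```python
import base64
import codecs
import io
import re
import zipfile

# Zip local file header: magic plus "version needed to extract" = 2.0, which is what
# zipfile (and most archivers) write for a stored or deflated entry.
ZIP_LOCAL_HEADER = b"PK\x03\x04\x14\x00"
BASE64_CHARS = r"[A-Za-z0-9+/=]+"


def build_zip(name: str, payload: bytes) -> bytes:
    """Build a minimal in-memory zip; a constructed stand-in for the smuggled archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def obfuscate(blob: bytes) -> str:
    """zip -> base64 -> base64 -> ROT13. The ordering is assumed; it is the one that
    turns the double-encoded header 'VUVzREJC' into the observed 'IHImERWP'."""
    once = base64.b64encode(blob).decode("ascii")
    twice = base64.b64encode(once.encode("ascii")).decode("ascii")
    return codecs.encode(twice, "rot13")   # digits, '+', '/' and '=' are untouched


def deobfuscate(text: str) -> bytes:
    """Reverse the chain: ROT13 is its own inverse, then two base64 decodes."""
    twice = codecs.decode(text, "rot13")
    return base64.b64decode(base64.b64decode(twice))


def signature_prefix(header: bytes = ZIP_LOCAL_HEADER) -> str:
    """Derive the fixed prefix every blob from this chain shares, i.e. the YARA string.
    Six header bytes give eight base64 characters, so the first eight characters of
    the second encoding are fixed regardless of what follows in the archive."""
    return obfuscate(header)[:8]


def find_smuggled_zips(html: str):
    """Locate candidate blobs by the derived prefix, decode them, and keep only those
    that really are zip archives. Returns (offset, decoded_bytes) pairs."""
    pattern = re.compile(re.escape(signature_prefix()) + BASE64_CHARS)
    found = []
    for m in pattern.finditer(html):
        try:
            raw = deobfuscate(m.group(0))
        except (ValueError, UnicodeDecodeError):
            continue            # prefix matched but the rest was not a valid chain
        if raw.startswith(b"PK\x03\x04"):
            found.append((m.start(), raw))
    return found


# Constructed smuggling page: the blob sits in script, as in real campaigns, and
# would normally be decoded, wrapped in a Blob and pushed as a download.
SAMPLE_ZIP = build_zip("invoice_1043.js", b"// constructed dummy payload, not malware\n")
SAMPLE_HTML = (
    "<html><body><script>\n"
    f'var b = "{obfuscate(SAMPLE_ZIP)}";\n'
    "// decode(b) ... new Blob([...]) ... trigger download (omitted)\n"
    "</script></body></html>"
)

if __name__ == "__main__":
    print("YARA string for this chain:", signature_prefix())
    for offset, raw in find_smuggled_zips(SAMPLE_HTML):
        with zipfile.ZipFile(io.BytesIO(raw)) as zf:
            print(f"zip at offset {offset}: {zf.namelist()}")
```

The derivation is the useful part: when the next campaign swaps ROT13 for ROT47, or adds a third base64 round, change `obfuscate` to match and `signature_prefix` gives you the new string to hunt for, rather than waiting for someone to post it.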

Evasive Persistence through Registry Run Keys

@Max_Mal_ identified an interesting behavioural change in Qakbot samples, which they observed deleting their Run key persistence each time the machine starts up and re-adding it as the host shuts down. This ensures the payload survives reboots while hiding its persistence from investigators for as long as the victim machine is powered on.

Figure 2: Run Key Persistence Deletion & Re-installation (Source: Max_Mal_)

As tricky as it is, the pattern is easy to surface with simple statistics over endpoint logs. Windows Security event 4657 (which needs an object-access SACL on the Run keys) or Sysmon Event IDs 12 (registry object create/delete) and 13 (value set) record Run key values being created and deleted, and alerting on a Run value whose payload lives in a user-writable location (%APPDATA%, %TEMP%, C:\ProgramData, C:\Users\Public) being set and deleted repeatedly will surface this TTP.
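Detection logic for that pattern, added here as an example and not taken from the referenced research. The records are constructed Sysmon-style events (the image name, value name and payload path are invented); it groups Run-key value events by value name and flags any value that is both set and deleted and whose data points at a user-writable path. Note how a legitimate Run value under %LOCALAPPDATA% that is only ever set once is not flagged:

```python
import re
from collections import defaultdict

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Paths a standard user can write to; a Run value pointing here is far more suspicious
# than one pointing into Program Files.
USER_WRITABLE_RE = re.compile(
    r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.IGNORECASE)

RUN = "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"

# Constructed Sysmon-style records: EID 12 = object create/delete, EID 13 = value set.
SAMPLE_EVENTS = [
    {"EventID": 13, "EventType": "SetValue", "UtcTime": "2022-10-11 17:02:10",
     "Image": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
     "TargetObject": RUN + "OneDrive",
     "Details": "\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"},
    {"EventID": 13, "EventType": "SetValue", "UtcTime": "2022-10-11 18:30:44",   # shutdown
     "Image": "C:\\Windows\\System32\\wermgr.exe", "TargetObject": RUN + "Yvjdk",
     "Details": "regsvr32.exe -s \"C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Yvjdk\\uncdk.dll\""},
    {"EventID": 12, "EventType": "DeleteValue", "UtcTime": "2022-10-12 07:58:31",  # boot
     "Image": "C:\\Windows\\System32\\wermgr.exe", "TargetObject": RUN + "Yvjdk"},
    {"EventID": 13, "EventType": "SetValue", "UtcTime": "2022-10-12 18:41:02",   # shutdown
     "Image": "C:\\Windows\\System32\\wermgr.exe", "TargetObject": RUN + "Yvjdk",
     "Details": "regsvr32.exe -s \"C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Yvjdk\\uncdk.dll\""},
    {"EventID": 12, "EventType": "DeleteValue", "UtcTime": "2022-10-13 08:01:12",  # boot
     "Image": "C:\\Windows\\System32\\wermgr.exe", "TargetObject": RUN + "Yvjdk"},
    {"EventID": 12, "EventType": "DeleteValue", "UtcTime": "2022-10-13 09:15:00",  # uninstall
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\Un_A.exe", "TargetObject": RUN + "Spotify"},
]


def detect_flapping_run_keys(events, min_cycles=1):
    """Flag Run values that are both set and deleted (at least min_cycles times each)
    and whose payload lives in a user-writable location."""
    per_value = defaultdict(lambda: {"set": 0, "delete": 0, "details": None,
                                     "images": set(), "times": []})
    for ev in events:
        target = ev.get("TargetObject", "")
        if not RUN_KEY_RE.search(target):
            continue
        rec = per_value[target]
        rec["images"].add(ev.get("Image", ""))
        rec["times"].append(ev.get("UtcTime", ""))
        if ev.get("EventID") == 13 and ev.get("EventType") == "SetValue":
            rec["set"] += 1
            rec["details"] = ev.get("Details")      # value data = the persisted command
        elif ev.get("EventID") == 12 and ev.get("EventType") == "DeleteValue":
            rec["delete"] += 1

    findings = []
    for target, rec in per_value.items():
        flaps = rec["set"] >= min_cycles and rec["delete"] >= min_cycles
        if flaps and rec["details"] and USER_WRITABLE_RE.search(rec["details"]):
            findings.append({"target": target, "payload": rec["details"],
                             "sets": rec["set"], "deletes": rec["delete"],
                             "images": sorted(rec["images"]),
                             "first_seen": min(rec["times"]), "last_seen": max(rec["times"])})
    return findings


if __name__ == "__main__":
    for f in detect_flapping_run_keys(SAMPLE_EVENTS):
        print(f"{f['target']}\n  set x{f['sets']}, deleted x{f['deletes']} by {f['images']}\n"
              f"  payload: {f['payload']}\n  {f['first_seen']} .. {f['last_seen']}")
```

In a SIEM the same logic is a count of SetValue and DeleteValue per TargetObject over a 24-hour window; the user-writable-path filter is what keeps installers and updaters, which also churn Run values, out of the alert queue.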

Black Basta use Qakbot to deliver Brute Ratel

Trend Micro have observed both TA570 and TA577 distributions of Qakbot delivering the Brute Ratel post-exploitation framework, and attributed the broader campaigns to the highly capable Black Basta ransomware group.

These campaigns appear to date from September and use the well-worn zip > iso payload delivery chain to bypass protections that rely on Mark-of-the-Web. While standard LOLBINs such as net.exe and nltest.exe were used for network reconnaissance, the actors chose to drop Cobalt Strike via the existing Brute Ratel foothold in order to perform lateral movement.

Interestingly, Trend Micro also reported observing the use of DNS-over-HTTPS, secured with Let’s Encrypt certificates, for C2 communication.

NodeJS library enables sandbox escape

GitHub warned in a September advisory that a flaw in the vm2 JavaScript sandbox module (CVE-2022–36067) could allow an attacker to “bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.”

The library is widely used, downloaded nearly 3.5 million times per week, by projects that examine attachments or isolate applications and web-browser environments from malicious content.

The CVSS 10.0 vulnerability has been addressed in version 3.9.11 of the library, released on August 28. Because vm2 is often pulled in as a transitive dependency, check your lockfiles or run npm ls vm2 in each project rather than relying on the direct dependency list.

Aruba EdgeConnect Orchestrator vulnerable to remote takeover

Patches have been released to address two classes of flaw in Aruba’s EdgeConnect Orchestrator product, both rated CVSS 9.8 and neither yet known to be exploited in the wild.

The first is a pair of authentication-bypass vulnerabilities (CVE-2022–37913 and CVE-2022–37914) that grant administrative access to the management interface. The second (CVE-2022–37915) also sits in the management interface and enables arbitrary command execution and full system compromise.

Attackers can enumerate private packages through a novel timing attack

Researchers at Aqua have discovered a timing attack against npm’s API that could allow attackers to enumerate private packages (npm being part of GitHub). The difference in response time between a request for a private package that exists and one for a package that does not is large enough that an attacker can programmatically confirm the existence of private package names, and then publish typo-squatted or lookalike packages under similar names.

Figure 3: Response time deltas allow attackers to infer if a package exists (Source: Aqua)

Should an unsuspecting developer accidentally pull one of these into their project, the malicious package could provide the attacker initial access to their network when it runs.

GitHub have advised that the issue can’t be fixed due to “architectural limitations”. Given this, your best bet is to monitor the public registry for packages that spoof your private names, or to publish public placeholder packages under those names so that nobody else can upload a malicious package with the same name.
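To make the inference concrete, here is an added example of the oracle logic (not Aqua's tooling and not a model of npm's real implementation). The registry is a constructed stand-in whose only property is that a name which exists takes a longer code path than one which does not; the direction and size of that gap are invented. What carries over to the real thing is the method: calibrate against a name that cannot exist, scale the decision threshold from the measured jitter, and compare medians rather than single requests:

```python
import random
import statistics


class ConstructedRegistryApi:
    """Constructed stand-in for the registry endpoint. Assumption: a request for a name
    that exists (but is private, so still answers with an error) follows a longer code
    path than one for a name that does not exist at all. Latencies are invented."""

    def __init__(self, private_packages, seed=7):
        self._private = set(private_packages)
        self._rng = random.Random(seed)          # seeded so the run is reproducible

    def probe(self, name: str) -> float:
        """Return a simulated round-trip time in seconds, with jitter."""
        base = 0.180 if name in self._private else 0.120
        return max(0.0, base + self._rng.gauss(0.0, 0.010))


def timings(probe, name: str, n: int):
    return [probe(name) for _ in range(n)]


def measure(probe, candidate: str, n: int = 40, k: float = 3.0, floor: float = 0.015):
    """Timing oracle. The threshold is k times the baseline's median absolute deviation,
    so it adapts to the observed jitter, with a floor so an unusually tight baseline
    does not turn noise into a positive."""
    # A name that cannot exist gives the "does not exist" latency distribution.
    baseline = timings(probe, "@acme/zz-calibration-7f3a9c", n)
    sample = timings(probe, candidate, n)
    base_med = statistics.median(baseline)
    mad = statistics.median(abs(x - base_med) for x in baseline)
    threshold = max(k * mad, floor)
    delta = statistics.median(sample) - base_med
    return {"candidate": candidate, "delta_s": delta,
            "threshold_s": threshold, "exists": abs(delta) > threshold}


def infer_exists(probe, candidate: str) -> bool:
    return measure(probe, candidate)["exists"]


if __name__ == "__main__":
    api = ConstructedRegistryApi({"@acme/internal-auth", "@acme/billing-core"})
    for name in ("@acme/internal-auth", "@acme/billing-core", "@acme/no-such-package"):
        r = measure(api.probe, name)
        print(f"{name:26s} delta={r['delta_s'] * 1000:6.1f} ms  "
              f"threshold={r['threshold_s'] * 1000:5.1f} ms  exists={r['exists']}")
```

Against a real service the samples for the candidate and the calibration name should be interleaved so that network drift affects both equally, and many more than 40 requests are needed when the gap is a few milliseconds rather than tens. The defensive reading is the same as above: because the signal comes from the server's architecture, the fix sits with the registry, and the practical mitigations are monitoring and placeholder packages.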

Offensive

  1. ShadowSpray — A tool to spray Shadow Credentials across an entire domain in hopes of abusing long forgotten GenericWrite/GenericAll DACLs over other objects in the domain;
  2. RedEye — a C2 log visualisation tool created by CISA to help Red Team operators visualise attack paths and generate reports on their activity generated through frameworks such as Cobalt Strike;
  3. Setting up C2 infrastructure can be a pain — here’s a guide on how to automate it using Terraform, Nebula, Caddy and Cobalt Strike;
  4. Nestori Syynimaa, the God of Azure and Azure AD, has bestowed unto us this OSINT tool to scrape basic information for a given Azure tenant; just provide the tenant ID, domain name or email address. Great for first-level enumeration to inform next steps;
  5. Old, but still gold — this article on how to evade AV detections and frustrate analysis of your payloads by abusing API hashing — using a custom version of GetProcAddress that loads functions by hash rather than name;
  6. Studying for your OSCP? Add this comprehensive guide to your prep list.

Defensive

  1. Smoke_Conf_Extract: A config extraction script for the SmokeLoader malware;
  2. Zircolite: A Python tool that scans EVTX logs using Sigma rules, just got a bump to v2.9.7;
  3. Speaking of EVTX logs and Sigma, Yamato Security have shared these incredibly useful resources that help configure Event Log collection to ensure you get the most out of your rules — particularly if you reference the Sigma rules catalogue. Did you know only 10~20% of Sigma rules can be used with default Windows audit settings? Yikes!
  4. One for the defenders of environments running Okta — a guide on how to hunt using Okta logs;
  5. Some very cool research from MSRC that builds on previous research by Michael Haag and José Hernandez to showcase new ways to hunt Cobalt Strike Team servers;
  6. Havoc C2 is a new FOSS C2 framework that was recently released to Github and has gained a fair bit of attention in the infosec community. Get a start on detecting this framework with these YARA rules that fingerprint the implant’s use of API hashing for syscalls;
  7. @mgreen27 has published a Velociraptor plugin that will carve out Brute Ratel C4 configurations from a byte stream, process, or file on disk;
  8. FalconForce have shared a great write-up on detecting ESC8 — relaying NTLM credentials to ADCS HTTP(S) endpoints;
  9. Looking to block DNS-over-HTTPS in your network? If you’re not, it’s something you should at least plan to mitigate and/or monitor, given its recent use in a Black Basta ransomware campaign — this list is a good place to start;
  10. Kostas Tsale has published a great piece on how to bake Threat Emulation into your Hunt process.

  1. Possibly one of the weirdest war stories of all time: Greg Linares recounts a time he investigated a breach where hackers dropped 15k on drones and WiFi hacking kit, all so they could break into an organisation remotely via its WiFi network;
  2. Turns out Microsoft 365’s Message Encryption is not entirely secure, with its use of AES in ECB mode (which leaks whether plaintext blocks repeat) allowing inference of message content under certain conditions.

Thanks for reading! A reminder — this is a cross-post from the main Opalsec Substack. Check it out and subscribe to receive the latest newsletters straight to your inbox!
