SOC Goulash Weekend Wrap-Up

Opalsec
12 min read · Sep 5, 2022

Infosec News for 29/08/2022–04/09/2022

This is a cross-post from the main Opalsec Substack. Check it out and subscribe to receive the latest newsletters straight to your inbox!

Headline Items

  1. China’s APT40 continue to conduct espionage operations, targeting countries and organisations involved in the South China Sea with the ScanBox browser exploit framework as part of a broader multi-year campaign;
  2. The Bumblebee loader now unpacks and loads itself into memory through a convoluted and multi-staged PowerShell script, plus we look at IcedID’s core TTPs and how to detect them;
  3. Another no-fix, “by design” flaw — this time in Azure’s SMTP Matching — enabling takeover of privileged Azure AD accounts.

APT40 use ScanBox browser exploitation framework in South China Sea campaign

Reference: Proofpoint

Proofpoint and PwC have released a joint report detailing the latest campaign they attribute to the Chinese espionage-motivated threat group TA423 (more broadly tracked as APT40), which ran from late April to the start of June 2022. The actor has consistently used phishing as its initial attack vector, in this case pairing it with a fake Australian news outlet website that hosted the malicious JavaScript reconnaissance and exploitation framework known as ScanBox.

Activity Summary

This latest campaign primarily targeted:

  • Local and federal Australian Governmental agencies;
  • Australian news media companies; and,
  • Global heavy industry manufacturers which conduct maintenance of fleets of wind turbines in the South China Sea.

The report asserts this is part of a longer-running campaign dating back to May 2021, involving the impersonation of trusted Australian news outlets and the use of RTF template injection maldocs that delivered XOR-encoded Meterpreter payloads to a broader range of sectors and geographies:

Figure 1: Phishing activity involved in ongoing TA423 Campaign May 2021 — June 2022

APT40 represents a persistent and ongoing threat, targeting countries and organisations operating in and around the South China Sea in order to conduct espionage activities.

While governments are an obvious target, as evidenced in the group’s 2020 Copy-Paste compromises, commercial entities that conduct or support projects in the South China Sea, such as manufacturing, professional or financial services companies, should also take note, as this report shows they are also within the scope of targeting.

ScanBox Technical Summary

ScanBox was first reported on in 2014 and has since been used by six China-based threat actors across 13 distinct campaigns to perform basic victim profiling and deliver additional payloads, with targeting closely aligned to espionage activity.

Figure 2: A timeline of activity involving ScanBox since 2014 to May 2022 (Source: Proofpoint)

Capabilities

ScanBox is typically hosted on compromised legitimate websites, with victims delivered URLs containing unique strings, likely intended to enable the actor to identify those who clicked through.

The watering-hole website hosts the initial ScanBox script, which performs basic reconnaissance of the victim endpoint: the current time, browser details and the host operating system.

The initial script will then load additional payloads to perform further enumeration and tasks:

  • Keylogger plugin: Creates an iframe and logs keystrokes entered within it;
  • Browser plugin scanner: Enumerates legitimate installed plugins;
  • Browser fingerprinting plugin: Checks for Java and ActiveX installation, any installed Java web apps, the browser family, and use of the Microsoft Java Virtual Machine in the browser;
  • Peer connection plugin: Enables Interactive Connectivity Establishment (ICE) P2P connections over STUN servers, allowing attackers to communicate with victim machines sitting behind NAT;
  • Security check plugin: Checks for Kaspersky Internet Security.

This modular framework has enabled multiple China-based threat groups to enumerate victim systems and potential attack paths. Its ability to traverse NAT and reach infected browsers via STUN also lets them interactively exploit those attack paths, potentially escaping the browser sandbox and gaining a foothold on victim networks.

While a more involved attack vector than a malicious attachment, it still gives the attackers internal reconnaissance without having to bypass the email filtering and endpoint protection that many organisations rely on.

ScanBox highlights the importance of maintaining browser patching, and what can be achieved through pairing a simple watering hole attack with a capable browser exploitation framework.

BumbleBee pivots to PowerShell

References: Deep Instinct | @Max_Mal_ | Mattnotmax

Recent Bumblebee campaigns have been observed using heavily obfuscated PowerShell scripts to unpack the Bumblebee DLL and load it into memory.

It begins with typical malspam delivering a .vhd virtual hard disk file, which contains the PowerShell script along with a .lnk shortcut that launches it.

Figure 3: The disk image contains a .lnk that executes the .ps1 script (Source: @Max_Mal_)

This obfuscated script then decompresses an array of gzip-compressed streams, joins the output into the 2nd-stage code block and executes it with the Invoke-Expression cmdlet.

Figure 4: A 2nd-stage script is compiled and invoked (Source: Deep Instinct)

This in turn assembles and validates the Bumblebee DLL before loading it into memory.

Figure 5: The Bumblebee dll is loaded into memory (Source: @Max_Mal_)
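To make the unpacking concrete, here is an added Python unpacker written for this post; it is not code from Deep Instinct, @Max_Mal_ or Mattnotmax’s CyberChef recipe. It follows the structure described above: find the long base64 literals in a stage, decode them, gunzip anything carrying the gzip magic, join the text fragments into the next stage and recurse until a PE (MZ) blob is reached. The sample loader and the stand-in DLL embedded in the block are constructed for the example; real scripts add function renaming and string splitting on top, which would need undoing first.

```python
import base64
import binascii
import gzip
import re
from typing import Optional

# A quoted base64 literal long enough to be a payload fragment.
LITERAL_RE = re.compile(r"['\"]([A-Za-z0-9+/=]{40,})['\"]")
GZIP_MAGIC = b"\x1f\x8b"


def decode_literal(literal: str) -> Optional[bytes]:
    """base64-decode one literal, gunzipping it if it carries the gzip magic."""
    try:
        raw = base64.b64decode(literal, validate=True)
    except (binascii.Error, ValueError):
        return None
    if raw.startswith(GZIP_MAGIC):
        try:
            raw = gzip.decompress(raw)
        except (OSError, EOFError):
            return None
    return raw


def as_script_text(raw: bytes) -> Optional[str]:
    """Return raw as text if it decodes cleanly as UTF-8 or UTF-16LE script, else None."""
    for encoding in ("utf-8", "utf-16-le"):
        try:
            text = raw.decode(encoding)
        except UnicodeDecodeError:
            continue
        if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            return text
    return None


def unpack(script: str, max_depth: int = 8) -> dict:
    """Peel the loader layer by layer.

    Returns {"stages": [decoded script per layer], "payloads": [PE blobs found]}.
    """
    stages, payloads = [], []
    current = script
    for _ in range(max_depth):
        fragments = []
        for match in LITERAL_RE.finditer(current):
            raw = decode_literal(match.group(1))
            if raw is None:
                continue
            if raw.startswith(b"MZ"):  # reached the DLL the loader injects
                payloads.append(raw)
                continue
            text = as_script_text(raw)
            if text is not None:
                fragments.append(text)
        if not fragments:
            break
        # the loader joins its array of decompressed streams into one script block
        current = "".join(fragments)
        stages.append(current)
    return {"stages": stages, "payloads": payloads}


def _gz_b64(data: bytes) -> str:
    return base64.b64encode(gzip.compress(data)).decode()


# Constructed stand-in for the Bumblebee DLL: an MZ header whose e_lfanew points at a
# PE signature, followed by filler. It is not a real or runnable PE.
FAKE_DLL = b"MZ" + b"\x00" * 58 + b"\x40\x00\x00\x00" + b"PE\x00\x00" + b"\x90" * 32
# Stage 2 mimics the repurposed Invoke-ReflectivePEInjection call seen in the real loader.
STAGE2 = (
    "function Invoke-ReflectivePEInjection { param($PEBytes) }\n"
    f"$PEBytes = [Convert]::FromBase64String('{base64.b64encode(FAKE_DLL).decode()}')\n"
    "Invoke-ReflectivePEInjection -PEBytes $PEBytes\n"
)
# Stage 1 carries stage 2 as an array of gzip streams that are decompressed, joined and IEX'd.
_half = len(STAGE2) // 2
STAGE1 = (
    f"$elem = @('{_gz_b64(STAGE2[:_half].encode())}', '{_gz_b64(STAGE2[_half:].encode())}')\n"
    "$s = ''\n"
    "foreach ($e in $elem) {\n"
    "  $ms = New-Object IO.MemoryStream(, [Convert]::FromBase64String($e))\n"
    "  $gz = New-Object IO.Compression.GzipStream($ms, [IO.Compression.CompressionMode]::Decompress)\n"
    "  $s += (New-Object IO.StreamReader($gz)).ReadToEnd()\n"
    "}\n"
    "Invoke-Expression $s\n"
)

if __name__ == "__main__":
    found = unpack(STAGE1)
    print(f"{len(found['stages'])} decoded stage(s), {len(found['payloads'])} PE payload(s)")
    print(found["stages"][-1])
```

The MZ check is what stops the recursion; on a real sample you would hand the recovered bytes to a PE parser rather than trusting the header, since the loader validates the image itself before injecting it.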

Detection & Analysis Tips

This is a much more sophisticated unpacking and execution routine than that of commodity malware like IcedID and Qbot, which drop multiple stages to disk and execute them to launch their final payloads.

Don’t despair though: while the unpacking routine is complicated, strings from the co-opted al-khaser anti-VM project are visible in the unpacked DLL and may therefore be picked up by memory-scanning EDR products.

Figure 6: Strings for anti-vm checks are visible in the unpacked dll

@Kostastsale also identified that the unpacking script has simply repurposed PowerSploit’s Invoke-ReflectivePEInjection to load the DLL into memory, with little more than function renaming and string splitting to obfuscate it.

Best of all, Mattnotmax has shared a new CyberChef recipe to pick apart Bumblebee’s PowerShell loader and extract the Bumblebee payload. Amazing work, and certain to save a lot of analysts a lot of time manually tinkering with the script!

IcedID activity summary + Hunt tips

TTP Variations

References: @Unit42_Intel | @pr0xylife | @pr0xylife

IcedID distributors used multiple delivery and execution chains throughout the week; macro-enabled documents still feature, and rundll32.exe is used consistently for payload execution.

29/08 — rtf, multiple stagers to Cobalt Strike

TA551/Shathak ran a campaign using hijacked email threads to deliver the initial payload, downloading two additional stages before ultimately ending in a Cobalt Strike stager:

  1. Stage 1: Email > password-protected .zip > macro-enabled maldoc (.rtf)
  2. Stage 2: Download (http) IcedID installer dll + renamed rundll32.exe
  3. Stage 3: Download (http) gzip > drops license.dat + persistent IcedID DLL
  4. Stage 4: IcedID C2 (https) > Cobalt Strike stager

31/08 — url > zip > iso > lnk execution

A more traditional execution chain:

  1. Email containing malicious URL (storage[.]googleapis[.]com)
  2. Downloaded .zip > .iso > .lnk + .dll + .bat
  3. Execution of .lnk > cmd.exe executes .bat > rundll32.exe executes the .dll at ordinal #1 (IcedID)

01/09 — zip > docm > curl download & execution

Reverting to a much simpler maldoc stager the next day:

  1. Email > .zip > .docm
  2. Enable macros > curl.exe downloads 2nd stage;
  3. Executes with rundll32.exe at ordinal #1.

Hunting/Detection Tips

Reference: @Kostastsale

See the thread for full details, but Kostas has done a great job highlighting several consistent indicators and behaviours you can use to surface IcedID delivery and activity on your networks:

  1. Use of common native binaries for initial recon, e.g. net.exe, nltest.exe, ipconfig, etc.;
  2. Hourly scheduled tasks running DLLs from randomly named directories under world-writable locations like %AppData%;
  3. “license.dat” dropped to a folder somewhere in %AppData%;
  4. Use of the JARM hash “2ad2ad16d2ad2ad22c2ad2ad2ad2adc110bab2c0a19e5d4e587c17ce497b15”;
  5. The presence of _gid, _io, _u, _gat, _ga and _gads cookies in HTTP requests, the values of which encode details of the victim endpoint.
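The indicators above translate directly into hunt logic. The Python below is an added example written for this write-up, not Kostas’ tooling: it runs the checks over a handful of constructed telemetry events (process, file, scheduled-task, TLS and HTTP records in a simplified schema of my own, which is an assumption rather than any product’s format) and flags the hourly %AppData% DLL task, the license.dat drop, the JARM hash, the six-cookie beacon and rundll32 ordinal execution, plus a burst of native recon binaries under one parent process. The JARM value and cookie names are the ones from the thread; hosts, paths and cookie values are made up.

```python
import re
from collections import defaultdict

ICEDID_JARM = "2ad2ad16d2ad2ad22c2ad2ad2ad2adc110bab2c0a19e5d4e587c17ce497b15"
# Samples carry these with one or two leading underscores, so compare with them stripped.
ICEDID_COOKIES = {"gid", "io", "u", "gat", "ga", "gads"}
RECON_BINS = {"net.exe", "net1.exe", "nltest.exe", "ipconfig.exe", "whoami.exe", "systeminfo.exe"}
APPDATA_RE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)
# rundll32 <dll>,#<n>: export called by ordinal rather than by name
ORDINAL_RE = re.compile(r"rundll32(?:\.exe)?\"?\s+[^,]+,\s*#\d+", re.IGNORECASE)


def rule_hourly_task_dll_appdata(ev):
    if ev["type"] != "task_create" or ev.get("interval_minutes") != 60:
        return None
    cmd = ev.get("command", "")
    if "rundll32" in cmd.lower() and ".dll" in cmd.lower() and APPDATA_RE.search(cmd):
        return "hourly_task_dll_appdata"
    return None


def rule_license_dat(ev):
    path = ev.get("path", "")
    if ev["type"] == "file_create" and path.lower().endswith("\\license.dat") and APPDATA_RE.search(path):
        return "license_dat_appdata"
    return None


def rule_jarm(ev):
    return "icedid_jarm" if ev["type"] == "tls" and ev.get("jarm") == ICEDID_JARM else None


def cookie_names(header):
    """Cookie names from a Cookie header, leading underscores removed."""
    names = set()
    for part in header.split(";"):
        name = part.split("=", 1)[0].strip()
        if name:
            names.add(name.lstrip("_"))
    return names


def rule_c2_cookies(ev):
    # Google Analytics legitimately sets _ga/_gid/_gat (and __gads); the full set of six,
    # including _u and __io, is the IcedID beacon shape.
    if ev["type"] == "http" and ICEDID_COOKIES <= cookie_names(ev.get("cookie", "")):
        return "icedid_c2_cookies"
    return None


def rule_rundll32_ordinal(ev):
    if ev["type"] == "process" and ORDINAL_RE.search(ev.get("cmdline", "")):
        return "rundll32_ordinal"
    return None


RULES = [rule_hourly_task_dll_appdata, rule_license_dat, rule_jarm, rule_c2_cookies, rule_rundll32_ordinal]


def recon_bursts(events, threshold=3):
    """Distinct recon binaries spawned under one parent process, keyed by (host, parent pid)."""
    seen = defaultdict(set)
    for ev in events:
        if ev["type"] == "process":
            image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
            if image in RECON_BINS:
                seen[(ev["host"], ev["parent_pid"])].add(image)
    return {key: bins for key, bins in seen.items() if len(bins) >= threshold}


def hunt(events):
    findings = []
    for ev in events:
        for rule in RULES:
            name = rule(ev)
            if name:
                findings.append({"rule": name, "host": ev["host"], "event": ev})
    for (host, ppid), bins in recon_bursts(events).items():
        findings.append({"rule": "recon_burst", "host": host,
                         "event": {"parent_pid": ppid, "binaries": sorted(bins)}})
    return findings


# Constructed telemetry: WS01 shows the IcedID pattern, WS02 is benign noise.
EVENTS = [
    {"type": "process", "host": "WS01", "parent_pid": 400, "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net group \"Domain Admins\" /domain"},
    {"type": "process", "host": "WS01", "parent_pid": 400, "image": "C:\\Windows\\System32\\nltest.exe", "cmdline": "nltest /dclist:corp"},
    {"type": "process", "host": "WS01", "parent_pid": 400, "image": "C:\\Windows\\System32\\ipconfig.exe", "cmdline": "ipconfig /all"},
    {"type": "process", "host": "WS01", "parent_pid": 398, "image": "C:\\Windows\\System32\\rundll32.exe", "cmdline": "rundll32.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\Xq3p.dll,#1"},
    {"type": "file_create", "host": "WS01", "path": "C:\\Users\\jdoe\\AppData\\Roaming\\Ukigh\\license.dat"},
    {"type": "task_create", "host": "WS01", "task": "\\Bveat_{8F2A}", "interval_minutes": 60, "command": "rundll32.exe C:\\Users\\jdoe\\AppData\\Roaming\\Bveat\\ktefa.dll,#1"},
    {"type": "tls", "host": "WS01", "dst": "203.0.113.10", "jarm": ICEDID_JARM},
    {"type": "http", "host": "WS01", "dst": "203.0.113.10", "cookie": "__gads=ID=9f2c:T=1661770000:S=ALNI; _gat=10.0.19044.64; _ga=1.2.1938472615.1661770000; _u=57534F312E6A646F65; __io=21_0A_2B; _gid=0120.1.1"},
    {"type": "http", "host": "WS02", "dst": "www.example.com", "cookie": "_ga=GA1.2.1; _gid=GA1.2.2"},
    {"type": "task_create", "host": "WS02", "task": "\\Microsoft\\Office\\OfficeTelemetryAgentLogOn", "interval_minutes": 60, "command": "C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe scan upload"},
]

if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f["host"], f["rule"])
```

The cookie rule deliberately demands all six names: three of them are ordinary Google Analytics cookies, so matching on a subset would page you for every browser on the estate. The JARM value is a useful pivot in TLS logs but is shared with other servers using the same TLS stack, so treat it as a lead rather than a verdict.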

Headline Vulnerabilities

  1. Google has again released an emergency update for Google Chrome, this time to address CVE-2022-3075. While they note that an exploit is reported to exist in the wild for this high-severity vulnerability, no further information has been provided on what it entails or who might be abusing it. Make sure you get up to Chrome 105.0.5195.102 for Windows, Mac and Linux ASAP;
  2. Apple has released back-ported patches for older generations of iPhone, iPad and iPod touch, broadening their protection against CVE-2022-32893, a remotely exploitable vulnerability in WebKit that enables arbitrary code execution when processing malicious web content;
  3. Checkmarx have found that “pip download” executes code from packages published only as a source distribution (a .tar.gz with no .whl), because pip has to build the sdist to resolve its metadata, and that runs its setup.py just as “pip install” would. They suggest attackers could intentionally publish such packages to abuse this, which would be significantly more effective if paired with a compromised developer account or project. Definitely more of an edge case, but one to keep on your radar; passing --only-binary=:all: to pip download refuses sdists outright and so avoids the build step.

Abusing SMTP Matching to hijack privileged Azure AD accounts

Reference: Semperis

Researchers from Semperis have reported that SMTP matching (the “soft match” Azure AD Connect performs to link an existing Azure AD user to an on-prem AD object sharing the same primary SMTP address) can be abused to gain control of privileged Azure AD user accounts.

Note that the attack has two prerequisites:

  1. The target identity must be eligible for a privileged role that has not yet been activated; and
  2. MFA must either be absent from the Azure AD identity, or not required to activate the role (e.g. Password Administrator, License Administrator), or otherwise obtainable (e.g. through social engineering).

This means that to hijack an Azure AD identity that is eligible for the Global Administrator role, for example:

  1. You first get SMTP matching to link the Azure AD identity to an on-prem account carrying the same primary SMTP address, one that you either create or already control;
  2. Once the accounts are matched, you can authenticate to the Azure AD identity using the on-prem password;
  3. If MFA is required when activating the privileged role, an attacker could:
  • Spam the user with MFA prompts (MFA fatigue);
  • Socially engineer them into approving the prompt (e.g. BazaCall);
  • Activate a role that does not require MFA to activate but can still be escalated to Global Administrator, e.g. Application Administrator.

If MFA isn’t enabled at all, the attacker can simply register their own MFA method and approve the prompt themselves when activating the role.

Unfortunately, Microsoft have advised that “there are mitigative controls in place that a user can use to avoid this vulnerability. We determined the behavior to be by design.”

Detection & Mitigation

Azure AD audit log entries where the Action Client Name is “DirectorySync” and the Old Value for LastDirSyncTime is empty indicate the first time the user was synchronised with on-prem AD; in the corresponding role-activation entry, the RoleDefinitionOriginId attribute indicates which role was activated.

Creating an alert on a combination of these fields and sensitive roles that can be activated (see article for a list) can help surface instances of SMTP matching being abused.
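To show what that alert looks like in practice, here is an added Python correlation written for this post; it is not Semperis’ detection content. It works on constructed audit records in a simplified shape that borrows the field names the write-up cites (actionClientName, LastDirSyncTime, RoleDefinitionOriginId); treating those as flat JSON keys is an assumption, not the exact Azure AD audit log schema. The role template IDs are the documented Azure AD built-in IDs for Global Administrator and Application Administrator. The logic pairs each user’s first DirectorySync entry with any activation of a sensitive role inside a 24-hour window, and the sample data shows why a long-synced admin and a month-old first sync do not fire.

```python
from datetime import datetime, timedelta

# Azure AD built-in role template IDs for two roles the write-up names as takeover targets.
SENSITIVE_ROLE_IDS = {
    "62e90394-69f5-4237-9190-012177145e10": "Global Administrator",
    "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3": "Application Administrator",
}


def modified_property(ev, name):
    """Return the modifiedProperties entry with the given displayName, if present."""
    for prop in ev.get("modifiedProperties", []):
        if prop.get("displayName") == name:
            return prop
    return None


def first_sync_times(events):
    """UPN -> time of the first DirectorySync update whose old LastDirSyncTime is empty."""
    first = {}
    for ev in events:
        if ev.get("actionClientName") != "DirectorySync":
            continue
        prop = modified_property(ev, "LastDirSyncTime")
        if prop is None or prop.get("oldValue") not in ("", None):
            continue  # a previously synced user being re-synced is routine
        upn = ev["targetUserPrincipalName"]
        when = datetime.fromisoformat(ev["activityDateTime"])
        if upn not in first or when < first[upn]:
            first[upn] = when
    return first


def role_activations(events):
    """Yield (UPN, role template id, time) for every entry carrying RoleDefinitionOriginId."""
    for ev in events:
        prop = modified_property(ev, "RoleDefinitionOriginId")
        if prop is not None:
            yield (ev["targetUserPrincipalName"], prop.get("newValue"),
                   datetime.fromisoformat(ev["activityDateTime"]))


def correlate(events, window=timedelta(hours=24)):
    """Alert when a sensitive role is activated shortly after a user is first soft-matched."""
    synced = first_sync_times(events)
    alerts = []
    for upn, role_id, when in role_activations(events):
        if role_id not in SENSITIVE_ROLE_IDS or upn not in synced:
            continue
        if timedelta(0) <= when - synced[upn] <= window:
            alerts.append({"user": upn, "role": SENSITIVE_ROLE_IDS[role_id],
                           "first_synced": synced[upn].isoformat(), "activated": when.isoformat()})
    return alerts


# Constructed audit records in the simplified shape described above.
def _sync(upn, when, old, new):
    return {"activityDisplayName": "Update user", "actionClientName": "DirectorySync",
            "activityDateTime": when, "targetUserPrincipalName": upn,
            "modifiedProperties": [{"displayName": "LastDirSyncTime", "oldValue": old, "newValue": new}]}


def _activate(upn, when, role_id):
    return {"activityDisplayName": "Add member to role completed (PIM activation)",
            "activityDateTime": when, "targetUserPrincipalName": upn,
            "modifiedProperties": [{"displayName": "RoleDefinitionOriginId", "newValue": role_id}]}


GA = "62e90394-69f5-4237-9190-012177145e10"
APP_ADMIN = "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"
EVENTS = [
    # alice: cloud-only account soft-matched for the first time, Global Admin activated 40 minutes later
    _sync("alice@corp.example.com", "2022-08-30T09:00:00+00:00", "", "2022-08-30T09:00:00+00:00"),
    _activate("alice@corp.example.com", "2022-08-30T09:40:00+00:00", GA),
    # bob: long-synced account (old value populated), so his activation is business as usual
    _sync("bob@corp.example.com", "2022-08-30T10:00:00+00:00", "2021-02-01T08:00:00+00:00", "2022-08-30T10:00:00+00:00"),
    _activate("bob@corp.example.com", "2022-08-30T11:00:00+00:00", GA),
    # carol: first synced a month ago, activation falls outside the correlation window
    _sync("carol@corp.example.com", "2022-08-01T09:00:00+00:00", "", "2022-08-01T09:00:00+00:00"),
    _activate("carol@corp.example.com", "2022-08-30T12:00:00+00:00", APP_ADMIN),
]

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

The window is the tuning knob: an attacker who takes over an eligible account will usually activate quickly, so a day is generous, but widening it past a normal onboarding cycle mostly adds legitimate newly-synced admins.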

When it comes to mitigation, enforcing MFA for all users before granting them eligible roles can hinder abuse of this weakness. The other, potentially disruptive, option is to block soft matching for synchronisation across the tenant (Azure AD Connect exposes this as the BlockSoftMatch directory sync feature, set with Set-MsolDirSyncFeature -Feature BlockSoftMatch -Enable $true) and to alert when it is re-enabled.

Offensive

  1. Suborner — a tool to create an invisible local account with admin privileges, without triggering Windows event logging while doing so;
  2. Knockles — a tool implementing port knocking with eBPF, so that a listening port is not exposed to port scanners;
  3. Hashview — a management interface for hash cracking with hashcat;
  4. Getting dunked on by spam filtering when trying to Phish your way into a network? This python script can help parse the headers of blocked emails to figure out what triggered the filter rules;
  5. A walkthrough on how to pilfer Group Managed Service Account (gMSA) passwords. P.S. — this will be rolled into the next release of AADInternals;
  6. Running this short Powershell script can help identify any available DLL Sideloading targets;
  7. If you’re the type of red teamer that thinks in steps and flows — do I have the mindmap for you!

Defensive

  1. Matano — an open-source security data lake for AWS;
  2. GarbageMan — a suite of tools for .NET malware heap analysis;
  3. TheMatrix — create an “activator” binary that loads and monitors execution of a target binary using Win32 API hooks, saving generated data to disk for evaluation;
  4. macos-unifiedlogs — A rust library to help parse macOS Unified Log files — the primary log source from macOS 10.12 (Sierra) onwards. A supporting blog post can be found here;
  5. wtfis — a command line tool to gather domain and whois information from a range of sources, now supports Shodan look-ups for IPs, too;
  6. Sekoia have provided some Maltego transforms for VirusTotal;
  7. MDSec have an excellent 3-part series on hunting common C2 frameworks that I highly recommend. Part 1 provides an overview that sets up Part 2, which looks at Cobalt Strike, with the latest post taking a deep dive into Brute Ratel.
  8. Part 2 of Andy Robbins’ Automating Azure Abuse Research series looks at how to use BloodHound Attack Research Kit (BARK) as part of that process;
  9. Check out this comprehensive guide to performing, detecting and mitigating abuse of Azure Primary Refresh Tokens;
  10. How to spot backdoored/manipulated PE files, in a thread;
  11. LOLBIN & Phantom DLL Hijacking opportunity in DeviceEnroller.exe when invoked with /PhoneDeepLink parameter;
  12. Make sure you’ve got the necessary audit settings enabled for Defender for Endpoint with this script, which can be run via RSAT;
  13. For the uninitiated, or those wanting a refresher — check out this primer on performing Intelligence-driven Threat Hunting.

Threat Actor Activity & Reporting

  1. NCC Group report that ransomware leak-site listings rose in July, with LockBit still the most prolific ransomware gang, followed closely by Hive and Black Basta, both of which are believed to be splinters of Conti.
  2. Cuba ransomware has claimed responsibility for a prolonged disruption of government services in Montenegro, prompting the US embassy to issue a security alert, warning of potential disruption to critical infrastructure and public utilities;
  3. Everest ransom team listed access to the Brazilian government and more than 3TB of data;
  4. IBM Security Intelligence attribute the USB-borne RaspberryRobin trojan to EvilCorp based on overlaps in functionality and structure with the Dridex loader, adding weight to existing reporting from Microsoft which observed it delivering FakeUpdate (SocGholish) malware — a malware strain closely associated with the group;
  5. Krebs has taken an exhaustive look at the risks posed to organisations using OTP codes as an MFA factor, which was made evident in the recent 0ktapus campaign targeting users of the Identity provider Okta.

Cyber Crime & Ransomware

  1. Sekoia have published a thorough overview of the role “traffers” play in the cyber crime marketplace, operating as a form of “lead generation” by redirecting users’ traffic to malicious content operated by other groups;
  2. This article provides a good overview of the wide variety of C2 frameworks being used in-the-wild, and the reasons behind Sliver’s increase in popularity as an alternative to Cobalt Strike;
  3. Palo Alto’s Unit 42 have published a detailed profile of the Black Basta ransomware group, reviewing their TTPs and Victimology;
  4. Check out this detailed breakdown of the NanoCore RAT, including tips and a CyberChef recipe to hunt it in your environment;
  5. Cybereason have released a report on Ragnar Locker, which it notes recently compromised DESFA, a Greek oil pipeline company;
  6. This report by Redacted looks at the TTPs employed by the BianLian ransomware group and their campaigns conducted thus far;
  7. Talos report on a series of campaigns delivering ModernLoader, the RedLine Infostealer, and the XMRig cryptocurrency miner;
  8. Trend Micro have shared a profile on Void Griffon — a cybercrime group providing other threat groups with bulletproof hosting since 2015;
  9. Researchers at zScaler report that the author of Prynt Stealer has popped a cheeky backdoor into the infostealer, exfiltrating data stolen from victims through a secondary Telegram channel;
  10. A look at the Venom Control Software RAT, offering typical RAT functionality in addition to some evasion and infostealing modules.

Misc

  1. Symantec researchers have discovered 1,859 mobile applications that contained AWS credentials, with 77% containing access tokens that could grant direct access to private cloud services and 874 applications containing valid tokens that could grant access to live-service databases holding millions of records. One to flag with your dev and training teams for sure!
  2. Popeye — a tool for scanning Kubernetes clusters to identify misconfigurations including port mismatches, dead or unused resources, metrics utilization, probes, container images, RBAC rules, naked resources, and more.

Thanks for reading! A reminder — this is a cross-post from the main Opalsec Substack. Check it out and subscribe to receive the latest newsletters straight to your inbox!
