Det. Eng. Weekly #45 - F Around & F Out Tempest, a financially motivated actor group
Led by Gary "The G" Gensler
Welcome to Issue #45 of Detection Engineering Weekly!
Quick note from Zack:
Hey all,
It’s been an extremely hard week for people who live in Maine, including myself, but even harder for those affected by the shootings in Lewiston. It was a harrowing experience - the towns where the shooting was and where the shooter’s body was found are close to me and family. Everyone is OK, but I wanted to use my audience here to ask for donations to the Lewiston Relief Fund. Donations to this fund go directly to helping those directly affected by the mass shooting or to the overall efforts to help rebuild the communities. Please consider donating!
Zack
This week’s recap:
💎 by Micah Babinski on researching and finding detection opportunities for spooky Ghost scheduled tasks
Weird dev tunnels and how to find them by Janantha Marasinghe
Don’t have access to cybercriminal forums to do Stealer research? Look no further, they are all over GitHub, and Parth Gol shows us how to catch them in the act
Dylan Pindur says to bleed Citrix dry (with CVE-2023-4966) before you salt and roast the appliance, Komal Dhull on Google identity detections, and Ryan McGeehan on a crash course of EPSS
Podcasts: great episodes by Risky Biz, Darknet Diaries and CYBER
SolarWinds CISO is accused of securities fraud, Octo Tempest actors threaten victims over text to give up corporate logins, Kazakh nation-state activity, Stealers, and a cryptominer linked to... EternalBlue?
🫵 Hey you! Do you have a blog post, social link, or open-source tool you want to see in this newsletter?
Leave a comment below or email me techy@detectionengineering.net
💎 Detection Engineering Gem 💎
Hunting G-G-G-GhostTasks! by Micah Babinski
If you want a “masterclass” of detection ideation into implementation, look no further. This spooky, Halloween-themed blog by Babinski “reverse-engineers” a Windows-based persistence tool, GhostTask, to find detection opportunities. The methodology behind this ideation includes the following:
Running the tool in a Detection lab.
Noting several telemetry sources.
Implementing several Sigma rules that might generate an alert.
This particular tool generates a scheduled task via registry key manipulation, which helps prevent logging via event logs and within some of the GUIs for scheduled tasks.
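One way to turn that registry-manipulation angle into a hunt, as an added example rather than code from Babinski's post or the GhostTask project: correlate Sysmon registry events under the TaskCache Tree key with Security 4698 task-creation events, and flag tasks written by anything other than the scheduler's svchost.exe or never logged as created. The event records and the ghosttask.exe path are constructed for the example.

```python
"""Added example, not from Babinski's post or the GhostTask project: hunt for 'ghost'
scheduled tasks, i.e. tasks under the TaskCache Tree registry key written by something
other than the Task Scheduler service, or never logged as created (Security 4698)."""
import re

TREE = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree"
TREE_RE = re.compile(r"\\Schedule\\TaskCache\\Tree\\(.+)$", re.IGNORECASE)
SVCHOST = r"C:\Windows\System32\svchost.exe"   # the Task Scheduler service runs in here
GHOST = r"C:\Users\Public\ghosttask.exe"       # hypothetical path for the constructed sample
SAMPLE_EVENTS = [
    # Constructed Sysmon (12 key create, 13 value set) and Security (4698) records.
    # Legitimate task: key created by the scheduler service and audited as 4698.
    {"EventID": 12, "Image": SVCHOST, "TargetObject": TREE + r"\Microsoft\Windows\Defrag\ScheduledDefrag"},
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag"},
    # Ghost task: values written straight into the registry, so the scheduler never logs 4698.
    {"EventID": 13, "Image": GHOST, "TargetObject": TREE + r"\Updater\Id"},
    {"EventID": 13, "Image": GHOST, "TargetObject": TREE + r"\Updater\Index"},
    # Scheduler-written task with no 4698: more likely an auditing gap than tampering.
    {"EventID": 13, "Image": SVCHOST, "TargetObject": TREE + r"\Backup\Nightly\Index"},
]

def task_path_from_key(key_path):
    m = TREE_RE.search(key_path)                   # task path is everything after Tree
    return "\\" + m.group(1) if m else None

def hunt_ghost_tasks(events):
    """Return {task_path: [reasons]} for tasks whose registry footprint does not match
    normal scheduler behaviour. 4698 needs 'Audit Other Object Access Events' enabled."""
    logged = {e["TaskName"].lower() for e in events if e.get("EventID") == 4698}
    writers = {}                                   # task path -> set of images that wrote it
    for e in events:
        if e.get("EventID") not in (12, 13):
            continue
        key = e["TargetObject"]
        if e["EventID"] == 13:                     # for value sets the last component is the value name
            key = key.rsplit("\\", 1)[0]
        task = task_path_from_key(key)
        if task:
            writers.setdefault(task, set()).add(e.get("Image", "").lower())
    findings = {}
    for task, images in writers.items():
        reasons = []
        odd = sorted(images - {SVCHOST.lower()})
        if odd:
            reasons.append("TaskCache written by non-scheduler process: " + ", ".join(odd))
        if task.lower() not in logged:
            reasons.append("no Security 4698 task-creation event")
        if reasons:
            findings[task] = reasons
    return findings
```

Feeding real Sysmon and Security exports into `hunt_ghost_tasks` needs only the three fields used here (EventID, Image, TargetObject/TaskName).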
I like this post because it shows not only Babinski’s methodology but also some of the roadblocks he hit along the way. Security researchers can unintentionally give the impression that the author knew what they were doing at all times. Still, the actual test of a great researcher is overcoming the obstacles, head scratches, and several hundred Google searches to get the perfect result. Research aside, the Halloween puns are *chef's kiss*.
🎃 Carve meaningful indicators into the decorative gourds of our raw telemetry until a ghoulish grin spreads across our twisted face.
State of the Art
Detecting ‘Dev Tunnels’ by Janantha Marasinghe
Microsoft features: useful for devs and for threat actors! With the recent launch of Microsoft Dev Tunnels, similar to ngrok, you can expose local services over the internet on a temporary URL. One of my favorite things to do during red team competitions is expose blue team secrets and files via a local web server, and these dev tunnels can now make it so anyone can access them!
Cheekiness aside, even during my $DAYJOB, we’ve seen a ton of abuse of these services for malicious purposes. Luckily, we have folks like Marasinghe who do the thorough investigation of detection opportunities and share it for free with all of us.
Threat Hunting: Detecting Browser Credential Stealing [T1555.003] by Parth Gol
Threat actors love stealing credentials in browsers using infostealers. These credentials are some of the critical pieces of victim information for sale on “darknet” marketplaces like Russian Market. In this post, Gol downloads several open-source tools that perform browser credential stealing and compares and contrasts detection opportunities.
Citrix Bleed: Leaking Session Tokens with CVE-2023-4966 by Dylan Pindur
At this point, I don’t know if researchers publish *Bleed vulnerabilities with the creepy “Bleed” text ironically, or maybe that’s just what the community wants. Regardless of the vulnerability name, this post does a fantastic job patch diffing CVE-2023-4966 to unearth a mind-bogglingly simple vulnerability in Citrix. Pindur bindiffs a vulnerable version against a patched version, finds 50 changed functions in the patched version, and follows them to a vulnerability in parsing Host headers using snprintf.
Investigate Service Account Key Origins and Usage with Best Practices by Komal Dhull
Identity is the new perimeter, and our community needs much help understanding IAM practices in all the SaaS apps we are tasked to protect. In this post, Dhull sheds light on GCP project service account permissions and provides some valuable queries and settings for detecting service account abuse. Google Cloud leaves some useful audit logging turned off by default, so make sure to enable Data Access audit logs, which enrich these audit records with fields like source IP and User-Agent.
Vulnerability Management: You should know about EPSS by Ryan McGeehan
CVSS scores try to describe the potential impact of a vulnerability, but they are notorious for prioritizing the wrong vulnerabilities while others get exploited in the wild. Granted, CVSS wasn’t designed for this probabilistic approach to exploit prediction, but no worries, EPSS was! McGeehan spends this blog post describing the tl;dr behind EPSS and gives some great examples of how to query FIRST (the org behind EPSS) for real-time updates to a vulnerability’s exploitability score.
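The querying idea as a worked example, added here and not taken from McGeehan's post: parse the FIRST API's EPSS response, then rank CVEs by exploitation probability next to CVSS so the two orderings can be compared. The endpoint is FIRST's public one; the scores, CVSS numbers and the CVE-0000-0000 id are constructed placeholders.

```python
"""Added example, not code from McGeehan's post: parse EPSS scores in the FIRST API's
response format and rank CVEs by exploitation probability next to their CVSS score.
EPSS_API is FIRST's real public endpoint; every score below and CVE-0000-0000 are
constructed placeholders, not real data."""
import json
import urllib.request

EPSS_API = "https://api.first.org/data/v1/epss?cve="

# Constructed response shaped like the FIRST API (epss and percentile arrive as strings).
SAMPLE_RESPONSE = json.dumps({
    "status": "OK", "total": 3,
    "data": [
        {"cve": "CVE-2023-4966", "epss": "0.955000000", "percentile": "0.991000000", "date": "2023-10-27"},
        {"cve": "CVE-2023-46747", "epss": "0.310000000", "percentile": "0.965000000", "date": "2023-10-27"},
        {"cve": "CVE-0000-0000", "epss": "0.000400000", "percentile": "0.100000000", "date": "2023-10-27"},
    ],
})
# Constructed CVSS base scores for the same ids (placeholders, not vendor/NVD values).
CVSS = {"CVE-2023-4966": 9.4, "CVE-2023-46747": 9.8, "CVE-0000-0000": 9.8}

def parse_epss(body):
    """Return {cve: (epss_probability, percentile)} from an API response body."""
    return {d["cve"]: (float(d["epss"]), float(d["percentile"]))
            for d in json.loads(body)["data"]}

def fetch_epss(cves):
    """Live lookup: FIRST accepts a comma-separated list of CVE ids in one request."""
    with urllib.request.urlopen(EPSS_API + ",".join(cves), timeout=10) as resp:
        return parse_epss(resp.read().decode())

def prioritize(epss, cvss, epss_threshold=0.1, cvss_threshold=9.0):
    """Patch order: tier 0 = EPSS above threshold regardless of CVSS, tier 1 = the
    remaining critical-CVSS items, tier 2 = the rest; each tier sorted by EPSS, then CVSS.
    Both thresholds are assumptions to tune per environment."""
    def tier(cve):
        if epss.get(cve, (0.0, 0.0))[0] >= epss_threshold:
            return 0
        return 1 if cvss.get(cve, 0.0) >= cvss_threshold else 2
    return sorted(cvss, key=lambda c: (tier(c), -epss.get(c, (0.0, 0.0))[0], -cvss[c]))

def cvss_only_order(cvss):
    """The baseline the post argues against: rank by CVSS base score alone."""
    return sorted(cvss, key=lambda c: -cvss[c])
```

With the constructed numbers, CVSS alone puts the two 9.8s first, while the EPSS-aware order moves CVE-2023-4966 to the top.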
Detection Engineering Podcasts
If you don’t listen to Risky Business news, add it to your subscribed podcasts ASAP! Great weekly content with diverse guests, and this one was especially interesting because the host was in the US hanging out with Rob Joyce (NSA Director), Morgan Adamski (NSA CCC Director), and Dmitri Alperovitch (fmr. Crowdstrike CTO).
This episode is nearly a year old, and it’s a classic Darknet Diaries episode. Jack Rhysider interviews BushidoToken on his research into the REvil gang. The gang wreaked havoc for years and famously performed the Kaseya supply-chain ransomware attack, and also hacked a law firm and stole data on high-profile clients, including former President Donald Trump.
Not exactly cyber-related, but it shows how technology (or lack thereof) can enable criminal activity. The unique part is that modern criminals may not always focus on monetary gains but on notoriety and clout. If you ever wanna steal a Kia or Hyundai, watch some Kia Boys videos.
Threat Landscape
SEC charges SolarWinds CISO with fraud for misleading investors before major cyberattack by Jonathan Greig
This is the major news story of the week and probably of this half of 2023. The SEC plans to charge the CISO of SolarWinds, Timothy Brown, for defrauding investors during the infamous SolarWinds hack. The accusation text is pretty damning, saying SolarWinds “misled investors by disclosing only generic and hypothetical risks at a time when the company and Brown knew of specific deficiencies in SolarWinds’ cybersecurity practices as well as the increasingly elevated risks the company faced at the same time.” Please go read this and the complaint, as this will be very telling of our industry for years to come.
NetSupport Intrusion Results in Domain Compromise by The DFIR Report (@iiamaleks, @mittensec and @miixxedup)
NetSupport Manager is one of the oldest third-party remote access tools still currently on the market with over 33 years of history.
What a way to set the tone for a DFIR Report blog. According to the authors, intrusions involving this piece of software date back to at least 2016. However, it’s still fascinating to see how threat actors use RMMs for initial access and lateral movement. Make sure to go read the Gem by Micah Babinski above, and note the actors’ use of scheduled tasks for persistence. I find it interesting that a reverse SSH tunnel was set up. Seems noisy, but it totally worked for this scenario.
Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction by Microsoft Threat Intelligence & Incident Response
For those listening at home, Octo Tempest == SCATTERED SPIDER. It’s nice to see a post from Microsoft’s intel & IR unit, as they have access to what I’m guessing is a ton of telemetry that helps us understand a bit more how this threat actor group works. The crazy part? Microsoft linked some of the texts they sent to fear-monger victims. Ruthless.
Kazakhstan-associated YoroTrooper disguises origin of attacks as Azerbaijan by Asheer Malhotra and Vitor Ventura
It's refreshing, in a sick sort of way, to see nation-state and espionage cyber activity where the US is not involved. It makes you step back and realize that FVEY countries aren't the center of the globe. Researchers from Talos found a Kazakh-linked threat actor group targeting other Commonwealth states. The peculiar part is the number of tools Talos saw from this actor for scanning and protecting Kazakh infrastructure, including one of the country's primary mail services.
Mystic Stealer Revisited by Javier Vicente
Refresh: Compromising F5 BIG-IP With Request Smuggling | CVE-2023-46747 by Michael Weber and Thomas Hendrickson
This post gives a sneak peek into how vulnerability researchers find vulnerable software in large appliances. Luckily, many of these appliance vendors have cloud-enabled deployments, so you can load up different versions of F5 BIG-IP from the AWS Marketplace. As an industry, we spend so much time defending modern stacks against “old” web vulns, but we really don’t spend time defending appliances with the same type of rigor.
StripedFly: Perennially flying under the radar by Sergey Belov, Vilen Kamalov, Sergey Lozhkin
Kaspersky researchers found a malware sample that uses EternalBlue to gain an initial foothold on a victim host and then uses interesting lateral movement techniques to infect other hosts on the victim network. Like the NetSupport intrusion listed earlier, this malware family also uses SSH servers for access and lateral movement. The authors make some interesting assertions toward the end of the post about code overlaps between an early version of StripedFly and ThunderCrypt.
Open Source
detectionlab by clong
Interesting collection of Packer, Vagrant and Terraform scripts to build out a lab environment for testing detections and logging. This was featured in the Gem above by Micah Babinski. It’s unfortunately no longer maintained, but still looks super useful.
GhostTask by netero1010
GhostTask persistence mechanisms, also showcased in the Gem above by Micah Babinski.
RemoteManagementMonitoringTools by jischell-msft
Massive collection of remote management monitoring (RMM) tools and artifacts. Go read any intrusion blog post, especially the DFIR Report one from above. You'll find almost all of the RMM tools listed right here. Excellent reference material for building out logging and detections.
PersistenceSniper by last-byte
Persist with GhostTasks, and go find some detection opportunities with PersistenceSniper. I'm impressed it finds 52 separate persistence techniques on Windows machines, all wrapped up in a nice PowerShell script!