SOC Goulash: Weekend Wrap-Up (Part 2)

26/09/2022 - 02/10/2022

This is Part 2 of the Weekend Wrap-Up, detailing significant vulnerabilities from the past week, in addition to the latest tools & techniques for offence and defence alike, and some additional reporting that you might find relevant and useful.

Part 1 should already be in your inbox, and highlights some significant Threat Actor Activity and noteworthy TTP changes to be aware of.

Exchange 0-days - ProxyNotShell - just in time for Friday

Reference: MSRC | Microsoft Security Blog

As is tradition, a critical vulnerability has been disclosed at the end of the week that impacts a core enterprise application.

This time it was cyber security vendor GTSC who announced that two 0-days in Microsoft Exchange that they disclosed to the Zero Day Initiative over 20 days ago remain unpatched, and are being actively exploited to deliver the Chopper webshell - commonly used by Chinese threat groups.

Microsoft later acknowledged their existence, assigning the SSRF vulnerability CVE-2022-41040 and RCE vulnerability CVE-2022-41082.

Technical Summary

References: Double Pulsar | @GossiTheDog

Kevin Beaumont has done an amazing job pulling together threads on this one and adding actionable guidance on how to hunt for and mitigate these vulnerabilities. Instead of reinventing the wheel, here are the key points:

  1. These vulnerabilities appear to be a repeat of the improperly patched ProxyShell vulnerabilities from last year, though in this case exploitation requires a valid set of credentials for any (non-admin) email user;
  2. If you don’t run Microsoft Exchange on premises, and don’t have Outlook Web App facing the internet, you aren’t impacted;
  3. If you run Exchange hybrid servers, a standard part of a Microsoft Exchange Online migration, they are vulnerable.

I’d recommend reviewing the Hunt, Mitigation, and Detection sections of both the blogs by Kevin Beaumont and Microsoft, and figuring out which steps are most appropriate for your organisation while we await patches.

v2 of the On-Prem Mitigation Tool has been released, which rewrites URLs to mitigate the SSRF component of the attack chain and prevent external exploitation attempts.

GreyNoise are also monitoring for scanning and exploitation traffic relating to these vulnerabilities - you can view known scanning IPs here, and observed exploit attempts here.
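The hunting step referenced above boils down to searching the Exchange IIS logs for requests that reach the backend PowerShell endpoint through the autodiscover SSRF path. The script below is an added example (not code from Kevin Beaumont's or Microsoft's posts): it parses IIS W3C extended-format logs using their `#Fields:` directive, applies a regex modelled on the one in Microsoft's guidance (assumption: verify it against the current version of that post) plus an equivalent structured field check, and runs over a constructed sample log with one exploit-shaped request and two benign requests that share its substrings.

```python
import re
import sys
from typing import Dict, Iterable, List

# Hunting regex modelled on the pattern in Microsoft's ProxyNotShell guidance.
# Assumption for this example: confirm it against the current version of the guidance.
PROXYNOTSHELL_RE = re.compile(r"powershell.*autodiscover\.json.*\@.*200", re.IGNORECASE)

# Constructed sample IIS W3C log (not real data). Line 1 mimics the exploit request
# shape; lines 2 and 3 are benign traffic that shares some of the same substrings.
SAMPLE_IIS_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-09-30 10:15:01 10.0.0.5 POST /autodiscover/autodiscover.json @example.com/powershell&Email=autodiscover/autodiscover.json%3f@example.com 443 - 203.0.113.10 Mozilla/5.0 200
2022-09-30 10:15:02 10.0.0.5 POST /autodiscover/autodiscover.json Email=alice@example.com 443 example\alice 198.51.100.7 Outlook/16.0 200
2022-09-30 10:15:03 10.0.0.5 POST /powershell - 443 - 198.51.100.8 Mozilla/5.0 401
"""


def parse_iis_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse IIS W3C extended-format lines, taking column names from the #Fields: directive."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # layout can change mid-file, so honour every directive
            continue
        if line.startswith("#"):
            continue                    # #Software, #Version, #Date directives
        values = line.split()
        if not fields or len(values) != len(fields):
            continue                    # malformed line: skip rather than misalign columns
        rec = dict(zip(fields, values))
        rec["_raw"] = line
        records.append(rec)
    return records


def find_proxynotshell_attempts(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return log records matching the regex or an equivalent check on parsed fields."""
    hits: List[Dict[str, str]] = []
    for rec in parse_iis_w3c(lines):
        stem = rec.get("cs-uri-stem", "").lower()
        query = rec.get("cs-uri-query", "").lower()
        structured_hit = (
            "autodiscover.json" in stem
            and "@" in query            # the '@' is what turns the path into an SSRF target
            and "powershell" in query   # backend PowerShell endpoint reached through it
            and rec.get("sc-status") == "200"
        )
        if structured_hit or PROXYNOTSHELL_RE.search(rec["_raw"]):
            hits.append({k: rec.get(k, "") for k in
                         ("date", "time", "c-ip", "cs-uri-stem", "cs-uri-query", "sc-status")})
    return hits


if __name__ == "__main__":
    # Usage: python proxynotshell_hunt.py [path to an IIS u_ex*.log]; no path runs the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            results = find_proxynotshell_attempts(fh)
    else:
        results = find_proxynotshell_attempts(SAMPLE_IIS_LOG.splitlines())
    for hit in results:
        print(f"{hit['date']} {hit['time']} {hit['c-ip']} {hit['cs-uri-stem']} "
              f"{hit['cs-uri-query']} -> {hit['sc-status']}")
```

Only the first sample line is reported: the legitimate Autodiscover request contains an `@` and a 200 but never touches PowerShell, and the bare `/powershell` request never passes through the autodiscover path. A hit is an attempt, not proof of compromise, so follow it up with the webshell and process-creation checks from the referenced posts; run it over the logs of both the front-end site and the Exchange Back End site, since the two stages of the chain land in different logs.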

Headline Vulnerabilities

Active Exploitation: Atlassian's Bitbucket Server and Data Center

CISA has added CVE-2022-36804 to their Known Exploited Vulnerabilities (KEV) catalogue, indicating active exploitation of the vulnerability has been observed.

The attack is performed by sending crafted malicious HTTP requests, and enables Remote Code Execution.

PoC exploit code is publicly available, with scanning and exploit attempts noted by BinaryEdge and GreyNoise since at least September 20th.

Vulnerability Disclosure: DoS, MitM flaws in Ethernet network standards

A security researcher has reported four vulnerabilities that enable DoS and MitM attacks by stacking multiple VLAN 0 and LLC/SNAP headers in order to encapsulate their traffic and bypass Layer 2 inspection & filtering capabilities.

Given the vulnerability is in a protocol standard, the potential scope extends to any manufacturer of network gear that supports that particular implementation of the protocol. CERT have listed 243 manufacturers on their advisory, with Cisco, Arista, and Juniper confirmed to be impacted so far.
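The bypass described above works because a filter that only looks at the first header after the MAC addresses never sees what sits behind a VLAN 0 tag or an LLC/SNAP header. The parser below is an added example, not code from the researcher or from CERT: it walks the whole chain of 802.1Q/802.1ad tags and LLC/SNAP headers in a raw Ethernet frame and reports the encapsulation depth and the final payload ethertype. The frames it runs on are constructed inside the block, and the "depth of two or more is suspicious" policy is an assumption made for the example (a single priority tag, VLAN 0, is normal 802.1p traffic).

```python
import struct
from typing import Dict, List, Optional, Tuple

ETHERTYPE_8021Q = 0x8100    # customer VLAN tag
ETHERTYPE_8021AD = 0x88A8   # service VLAN tag (QinQ)
ETHERTYPE_IPV4 = 0x0800
MAX_8023_LENGTH = 0x05DC    # type/length <= 1500 means an IEEE 802.3 length; LLC follows
SNAP_LLC_HEADER = b"\xaa\xaa\x03"   # DSAP, SSAP, control for LLC/SNAP


def unwrap_headers(frame: bytes) -> Dict[str, object]:
    """Walk the chain of VLAN tags and LLC/SNAP headers that follows the MAC addresses."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (type_field,) = struct.unpack("!H", frame[12:14])
    offset = 14
    vids: List[int] = []
    snap_layers = 0
    while True:
        if type_field in (ETHERTYPE_8021Q, ETHERTYPE_8021AD):
            if offset + 4 > len(frame):
                raise ValueError("truncated VLAN tag")
            tci, type_field = struct.unpack("!HH", frame[offset:offset + 4])
            vids.append(tci & 0x0FFF)           # low 12 bits of the TCI are the VLAN id
            offset += 4
        elif type_field <= MAX_8023_LENGTH:
            if offset + 8 > len(frame) or frame[offset:offset + 3] != SNAP_LLC_HEADER:
                break                           # plain LLC or truncated: nothing more to unwrap
            (type_field,) = struct.unpack("!H", frame[offset + 6:offset + 8])  # SNAP protocol id
            snap_layers += 1
            offset += 8
        else:
            break                               # a real ethertype: payload starts here
    return {"vlan_ids": vids, "llc_snap_layers": snap_layers,
            "payload_ethertype": type_field, "payload_offset": offset}


def assess_frame(frame: bytes) -> Dict[str, object]:
    """Flag stacking beyond a single tag or a single SNAP header (policy is an assumption here)."""
    info = unwrap_headers(frame)
    depth = len(info["vlan_ids"]) + info["llc_snap_layers"]
    info["encapsulation_depth"] = depth
    info["vlan0_count"] = sum(1 for v in info["vlan_ids"] if v == 0)
    info["suspicious"] = depth >= 2
    return info


def _wrap(layers: List[Tuple[str, Optional[int]]], inner_type: int, body: bytes) -> Tuple[int, bytes]:
    """Build the header chain inside-out; returns (type/length field value, bytes after it)."""
    if not layers:
        return inner_type, body
    kind, vid = layers[0]
    next_type, rest = _wrap(layers[1:], inner_type, body)
    if kind == "vlan":
        return ETHERTYPE_8021Q, struct.pack("!HH", (vid or 0) & 0x0FFF, next_type) + rest
    if kind == "snap":
        hdr = SNAP_LLC_HEADER + b"\x00\x00\x00" + struct.pack("!H", next_type)  # zero OUI
        return len(hdr) + len(rest), hdr + rest
    raise ValueError(f"unknown layer kind {kind!r}")


def build_frame(layers: List[Tuple[str, Optional[int]]],
                payload: bytes = b"\x45" + b"\x00" * 19) -> bytes:
    """Constructed frame: broadcast dst, locally administered src, then the requested chain."""
    type_field, rest = _wrap(layers, ETHERTYPE_IPV4, payload)
    return b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + struct.pack("!H", type_field) + rest


PLAIN = build_frame([])
PRIORITY_TAGGED = build_frame([("vlan", 0)])
STACKED = build_frame([("vlan", 0), ("snap", None), ("vlan", 0)])

if __name__ == "__main__":
    for label, frame in (("plain", PLAIN), ("vlan0", PRIORITY_TAGGED), ("stacked", STACKED)):
        print(label, assess_frame(frame))
```

The stacked frame is reported with two VLAN 0 tags, one LLC/SNAP layer and an IPv4 payload starting 30 bytes in, which is exactly what a first-header-only filter would miss. In practice the depth threshold is the tunable part: an environment that legitimately uses QinQ will want to allow two tags and instead alert on VLAN 0 combined with LLC/SNAP.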

Patches Available: RCE in WhatsApp on Android & iOS

Two flaws (CVE-2022-36934 and CVE-2022-27492) have been identified in the way WhatsApp handles video files and calls, which could be abused to gain arbitrary code execution on victim devices.

There was no evidence of exploitation in-the-wild at the time of discovery, but given the ease of exploitation, it’s well worth ensuring you’re on a patched version.

Offensive

  1. DNS Reaper - a sub-domain scanner that identifies takeover opportunities;
  2. AzTokenFinder - dump JWTs from user processes, e.g. Office Apps;
  3. Guidance on abusing Resource-based Constrained Delegation for accounts without SPNs and how to forge a “Sapphire Ticket” have been added to thehacker.recipes;
  4. Semperis have shared details of a new Kerberoasting technique that can bypass detections based on 4769 Kerberos ticket request events;
  5. TIL you can relay the Printerbug attack to a computer that the source computer has admin over. Discover attack paths with Max.py (max.py get-info --admincomps);
  6. mrd0x has shared a post detailing the potential to abuse Chromium’s Application Mode to present convincing credential-harvesting phishing pages to end-users. Michael Taggart points out that this is exactly the trick they used to create OffensiveNotion, which functions as a C2 medium by abusing the note-taking app Notion;
  7. Looking for novel ways to flex on the SOC in your next Red Team exercise? Why not use VirusTotal for C2, just for funsies?

Defensive

  1. MemProcFS - view physical memory dumps as files in a virtual file system;
  2. YARI - a debugger for writing YARA rules;
  3. PurpleCloud - an automated tool to help spin up lab environments using Azure AD and Active Directory in Azure;
  4. A YARA module to extract data at a given offset - used in this example to pull DanaBot configs from static files;
  5. Volume Shadow Copy (VSC) deletion is a TTP shared by many ransomware actors - check out this post from VMWare looking at how they do it, including a new technique that abuses the Volume Shadow Copy Coordinator (VssCoordinator), a part of the Volume Shadow Copy Service (VSS), to access VSCs;
  6. Palo Alto’s Unit 42 have a great write-up on how attackers commonly load unsigned malicious DLLs to achieve their effects, and provide tips and hunting queries to help you surface this behaviour on your networks;
  7. Splunk’s Michael Haag looks at Protocol Handlers (e.g. the msdt handler abused in the Follina vulnerability) and how to detect their use and abuse;
  8. One for those managing environments with macOS assets - a blog post looking at identifying GateKeeper override attempts;
  9. Microsoft have published a great blog post looking at Office365 forensic artefacts and where to find them - one to bookmark for sure!


Threat Actor Activity & Reporting

  1. Russia’s APT28 were tentatively attributed to an attack that used a malicious PowerPoint file with a hlinkMouseOver method that executed a PowerShell download cradle when a hyperlink in the file was hovered over. While it may sound novel, this technique was actually first uncovered in 2017, and Microsoft’s patch for CVE-2021-40444 will prevent it from working if installed;
  2. China’s TA413/LuckyCat has been observed dropping their new LOWZERO backdoor on Tibetan targets, exploiting the Sophos Firewall (CVE-2022-1040) and Follina vulnerabilities to do so;
  3. CrowdStrike have uncovered a supply chain attack which delivered a trojanised installer for the Comm100 chat-based customer engagement platform to customers. The attack appears to have only lasted two days before being identified, and is believed to have been conducted by a China-affiliated actor;
  4. NCC Group have published this piece detailing their response to an intrusion conducted by a Chinese threat actor. Of most interest is their analysis of the ShadowPad RAT - a trojan believed to be used exclusively by China-based threat actors;
  5. Securonix have described a Phishing campaign they observed delivering heavily obfuscated PowerShell scripts that also featured anti-analysis checks - something typically reserved for compiled payloads that attackers don’t want analysed. The campaign targeted multiple military contractors, and bore several similarities to attacks conducted by the DPRK-attributed APT37 threat group;
  6. Security Scorecard have pulled together a detailed analysis of CredoMap, an infostealer deployed by APT28 against targets in Ukraine;
  7. The excitement surrounding the Optus hack has mostly died down, with the perpetrator backtracking on their ransom demands and apologising publicly for their actions. While damage-control is still very much ongoing, the telco sector is likely to be subject to more stringent regulations and oversight, with the potential for greater financial penalties for breaches such as this;
  8. Okta subsidiary Auth0 has reported that several old source code repositories from 2020 may have been stolen by an unknown actor. Despite being unable to determine how it was stolen or by whom, they’ve assured us there is no “customer impact.”
  9. A report by NetScout highlights the variance in and uptick of DDoS attacks for the 1st half of 2022. Techniques such as DNS water-torture and the TP240 PhoneHome amplification attacks featured prominently, while more broadly, DDoS is being used as a tool in geopolitical conflicts.
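Item 1's mouse-over trick leaves a static footprint in the PPTX package: a slide XML element that fires an action when hovered, resolved through the slide's relationships file to an external target. The scanner below is an added example, not code from Cluster25, Microsoft or this newsletter; it assumes the public description of the sample, in which an `a:hlinkMouseOver` element carries `action="ppaction://program"` and its `r:id` points at an external-mode relationship whose `Target` is the command to run. The package it scans is a constructed, minimal one (no `[Content_Types].xml`) with a benign `calc.exe` target standing in for the download cradle.

```python
import io
import sys
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

NS = {
    "a": "http://schemas.openxmlformats.org/drawingml/2006/main",
    "r": "http://schemas.openxmlformats.org/officeDocument/2006/relationships",
    "pr": "http://schemas.openxmlformats.org/package/2006/relationships",
}
R_ID = "{%s}id" % NS["r"]   # Clark notation for the r:id attribute
HOVER_TAGS = ("hlinkMouseOver", "hlinkHover")   # text-run and shape hover actions
ALL_TAGS = HOVER_TAGS + ("hlinkClick",)


def _slide_rels(zf: zipfile.ZipFile, slide_name: str) -> Dict[str, Tuple[str, str]]:
    """Map relationship ids of one slide to (Target, TargetMode)."""
    folder, base = slide_name.rsplit("/", 1)
    rels_name = f"{folder}/_rels/{base}.rels"
    rels: Dict[str, Tuple[str, str]] = {}
    if rels_name in zf.namelist():
        for rel in ET.fromstring(zf.read(rels_name)).findall("pr:Relationship", NS):
            rels[rel.get("Id", "")] = (rel.get("Target", ""), rel.get("TargetMode", "Internal"))
    return rels


def scan_pptx(data: bytes) -> List[Dict[str, str]]:
    """Report hyperlink actions that launch a program, or hover actions with an external target."""
    findings: List[Dict[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not (name.startswith("ppt/slides/") and name.endswith(".xml")):
                continue
            rels = _slide_rels(zf, name)
            root = ET.fromstring(zf.read(name))
            for tag in ALL_TAGS:
                for el in root.iter("{%s}%s" % (NS["a"], tag)):
                    action = el.get("action", "")
                    target, mode = rels.get(el.get(R_ID, ""), ("", ""))
                    if action.startswith("ppaction://program"):
                        severity = "high"       # runs the relationship target as a program
                    elif tag in HOVER_TAGS and mode == "External":
                        severity = "medium"     # hover-triggered external link: rare in real decks
                    else:
                        continue                # ordinary click hyperlinks are not reported
                    findings.append({"slide": name, "element": tag, "action": action,
                                     "target": target, "severity": severity})
    return findings


def build_sample_pptx() -> bytes:
    """Constructed minimal package: one hover-to-run action plus one ordinary web hyperlink."""
    slide_xml = f'''<?xml version="1.0" encoding="UTF-8"?>
<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main"
       xmlns:a="{NS['a']}" xmlns:r="{NS['r']}">
  <p:cSld><p:spTree>
    <p:sp><p:txBody><a:p><a:r>
      <a:rPr lang="en-US"><a:hlinkMouseOver r:id="rId2" action="ppaction://program"/></a:rPr>
      <a:t>Hover here</a:t></a:r></a:p></p:txBody></p:sp>
    <p:sp><p:txBody><a:p><a:r>
      <a:rPr lang="en-US"><a:hlinkClick r:id="rId3"/></a:rPr><a:t>Web</a:t></a:r></a:p></p:txBody></p:sp>
  </p:spTree></p:cSld>
</p:sld>'''
    rels_xml = f'''<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{NS['pr']}">
  <Relationship Id="rId2" Type="{NS['r']}/hyperlink" Target="calc.exe" TargetMode="External"/>
  <Relationship Id="rId3" Type="{NS['r']}/hyperlink" Target="https://example.com/" TargetMode="External"/>
</Relationships>'''
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("ppt/slides/slide1.xml", slide_xml)
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python pptx_hover_scan.py [deck.pptx]; without an argument, scans the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pptx()
    for f in scan_pptx(data):
        print(f"[{f['severity']}] {f['slide']}: {f['element']} {f['action']} -> {f['target']}")
```

Only the hover element is reported; the click hyperlink to a web page is what almost every deck contains and is deliberately ignored. The same walk can be pointed at mail-gateway quarantine or a file share to triage decks before anyone opens them, and the `high` hit is worth correlating with process-creation telemetry showing PowerPoint spawning a child process.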

Cyber Crime & Ransomware

  1. Proofpoint have highlighted the potential for attackers to abuse Microsoft Sway - a Microsoft service that aids in website generation - to Phish users and deliver malware;
  2. DFIR Report have published their latest intrusion analysis piece, looking at a BumbleBee infection that made it to lateral movement and staging for exfil/encryption before being evicted;
  3. Securelist have a report looking at NullMixer - a dropper that delivers multiple malware payloads in a given infection. The campaign used SEO-optimised lures to deliver trojanised cracks/keygens, and delivered malware including SmokeLoader, LgoogLoader, Disbuk, RedLine, Fabookie, and ColdStealer;
  4. zScaler have found Agent Tesla samples being delivered through chained lnk, hta, and PowerShell payloads generated by Quantum Builder, a payload generation tool sold on the Dark Web;
  5. Deepwatch are reporting (data-wall) potential “foreign intelligence service influence” in a Gootloader campaign which hijacked legitimate websites to publish fake blog posts and targeted “government, legal, real estate, medical, and education victims with highly-targeted content”;
  6. The Apollo OTP Bot - a Discord-based bot that abuses Google Voice to perform vishing of OTP codes to enable bypassing of MFA - has been discovered being sold on cybercrime forums;
  7. Cyfirma take a look at the ErbiumStealer malware, performing a technical analysis of the infostealing malware that’s sold on cybercrime forums for as little as 500 rubles per week;
  8. While REvil’s heyday is very much behind them, it’s well worth having a skim of Trellix’s analysis of the operations and dismantling of their once-formidable ransomware crew.

Misc

  1. Constellation - a Kubernetes engine that wraps K8s clusters in a confidential wrapper that encrypts all data and separates it from the underlying cloud infrastructure. Supporting blog post here.

Thanks for reading! If you liked this, please subscribe to receive new posts and support my work!