🛡️ InfoSec Blue Team Briefing

📰 Articles Covered

• How to Get Scammed (by DPRK Hackers) - OZ 🔍 Show Kagi Synopsis
  A recent cybersecurity campaign, tracked as DEV#POPPER and Contagious Interview, has been identified, orchestrated by **DPRK hackers** to target **software developers** through social engineering tactics. The primary method involves **fake job interviews** and technical assessments designed to trick developers into executing malicious code.
  
  **What Happened:**
  The hackers lure developers with enticing job offers, leading them through a process that includes fake technical interviews. During these assessments, developers are prompted to run code, which, unbeknownst to them, deploys malware. This malware utilizes a resilient "Triple-Chain" architecture, leveraging the **Tron, Aptos, and Binance Smart Chain blockchains** for command and control (C2) and payload delivery. The use of blockchain technology makes the infrastructure highly resistant to disruption due to the immutable nature of blockchain data.
  
  **Who is Affected:**
  The primary targets of this campaign are **software developers**. They are enticed by the prospect of new job opportunities, making them vulnerable to the social engineering employed by the attackers.
  
  **Security Implications:**
  The implications of this attack are significant and include:
  - **Supply Chain Attacks:** The malware can potentially compromise development environments, affecting the software supply chain.
  - **IDE Persistence:** Attackers can achieve persistence within Integrated Development Environments (IDEs) through code injection.
  - **Data Exfiltration:** The deployed malware can be used to steal sensitive information.
  - **Remote Command Execution:** Attackers gain the ability to execute commands remotely on compromised systems.
  - **Advanced Evasion Techniques:** The malware is designed to bypass security measures like sandboxes and analysis environments.
  
  **Technical Details:**
  The campaign exhibits several sophisticated technical aspects:
  - **"Triple-Chain" Architecture:** The use of Tron, Aptos, and Binance Smart Chain for C2 and payload delivery.
  - **Blockchain-Based Dead Drop Resolver:** This mechanism is used for delivering payloads.
  - **Multi-Stage Obfuscation:** Techniques like LCG (Linear Congruential Generator) shuffling are employed to hide malicious code.
  - **Final Payloads:** These act as Remote Access Trojans (RATs) or droppers, equipped with anti-analysis capabilities.
  
  **What Defenders Should Know:**
  Defenders need to be aware of the following to counter this threat:
  - **Indicators of Compromise (IoCs):** Specific network endpoints, wallet addresses, XOR decryption keys, and suspicious process behaviors (e.g., Node.js spawning child processes with `-e` flags) can serve as indicators.
  - **Detection Strategies:** Implementing deep packet inspection, robust host-based monitoring, and advanced behavioral analysis are crucial for detecting these advanced threats.
  - **Awareness of Social Engineering:** Educating developers about sophisticated social engineering tactics, especially those disguised as job recruitment processes, is vital.
• Iranian MOIS operating from Starlink - Check Point Research 🔍 Show Kagi Synopsis
  A cybersecurity report indicates that Iranian hackers, specifically the group referred to as "Handala Hack" associated with Iran's Ministry of Intelligence and Security (MOIS), have resumed operations. **These hackers are reportedly using Starlink IP ranges to target entities across the Middle East.** This activity follows a period of relative quiet, coinciding with Iran's internet experiencing disruptions.
  
  **The primary affected parties are targets across the Middle East.** The report does not specify the exact nature of these targets, but the involvement of a state-sponsored hacking group suggests potential espionage, disruption, or data theft objectives.
  
  **The security implications are significant.** The use of Starlink IP ranges by a known Iranian hacking group raises concerns about the security of satellite internet infrastructure and its potential exploitation for malicious purposes. It also highlights the continued threat posed by Iranian state-sponsored cyber actors in the region.
  
  **Technically, the hackers are operating from Starlink IP ranges.** This indicates a potential compromise or misuse of Starlink services, allowing the attackers to mask their origin or leverage the satellite network for their operations. The report notes that this activity is a continuation of previous operations by the "Handala Hack" group.
  
  **Defenders should be aware that Iranian hackers are actively using Starlink IP ranges for attacks in the Middle East.** This necessitates enhanced monitoring of network traffic originating from or transiting through Starlink infrastructure, particularly for entities in the region. Understanding the tactics, techniques, and procedures of the "Handala Hack" group is crucial for developing effective defense strategies.
• Pro-Russia hacktivist activity continues to target UK organisations - National Cyber Security Centre (NCSC) 🔍 Show Kagi Synopsis
  **Pro-Russia hacktivist groups** are continuing their cyberattacks against **UK organizations**, aiming to disrupt operations and disable services. The group **NoName057(16)** has been particularly active since March 2022, targeting government and private sector entities in NATO member states and other European countries perceived as hostile to Russia. These attacks have included frequent Distributed Denial of Service (DDoS) attempts against UK local government entities.
  
  The security implications are significant, as these ideologically motivated attacks represent an evolution in threats, now also targeting **UK operational technologies**.
  
  Technically, these groups primarily operate through **Telegram channels** and utilize platforms like **GitHub** to host tools such as **DDoSia**. They share their tactics, techniques, and procedures (TTPs) through these channels.
  
  Defenders should be aware of these threats and take proactive measures. Key recommendations include:
  - **Reviewing DDoS protections** and improving resilience.
  - Understanding the **vulnerabilities of their services**.
  - Implementing **upstream defenses**, such as ISP mitigations, third-party DDoS services, and Content Delivery Networks (CDNs).
  - Building systems for **scalability**.
  - Defining **response plans**, including graceful degradation and fallback strategies.
  - **Regularly testing and monitoring services** to detect attacks and analyze responses. 【1】
• Detection of Kerberos Golden Ticket Attacks via Velociraptor - The author of the content is **dfirloading**, and it is published on **Detect FYI**. 🔍 Show Kagi Synopsis
  A **Kerberos Golden Ticket attack** is a sophisticated cybersecurity threat that allows attackers to achieve **long-term persistence and full domain compromise** within a network.
  
  **What Happened:**
  Attackers forge Kerberos Ticket Granting Tickets (TGTs) by using the krbtgt account's password hash. These forged tickets are implicitly trusted by Domain Controllers, enabling attackers to impersonate any user, assign themselves elevated privileges (such as Domain Admin), and access any system within the domain.
  
  **Who is Affected:**
  Any organization using **Microsoft Active Directory** and Kerberos for authentication is potentially affected. The attack targets the core authentication infrastructure, impacting all users and systems within the compromised domain.
  
  **Security Implications:**
  The primary security implication is the **complete takeover of the domain**. Attackers can maintain persistent access, bypass normal security controls, and exfiltrate sensitive data. This attack effectively undermines the integrity of the authentication system.
  
  **Technical Details:**
  To execute this attack, adversaries typically need to:
  * Extract the **krbtgt NTLM hash**. This is often achieved through techniques like **DCSync** or by accessing the **NTDS.dit file**.
  * Use tools such as **Mimikatz** to create the forged Golden Ticket.
  * The creation process requires specific information: the **domain name**, the **domain Security Identifier (SID)**, the **username** to impersonate, and the extracted **krbtgt NTLM hash**.
  
  **What Defenders Should Know:**
  Defenders can detect Golden Ticket attacks by looking for anomalies in Kerberos tickets. Key indicators include:
  * **Unusually long ticket lifetimes**: Legitimate tickets typically have shorter, defined lifespans.
  * **Tickets where the "Kdc Called" field is empty**: This suggests the ticket was not generated through the standard Kerberos Key Distribution Center (KDC) process.
  
  The article mentions a specific **Velociraptor artifact**, `Windows.Kerberos.GoldenTicketTriage`, which can help detect these abnormal tickets by analyzing local Kerberos ticket cache outputs for these tell-tale signs. Monitoring these indicators can provide early warning of a Golden Ticket attack.
• Mega RMM KQL Query - mr-r3b00t 🔍 Show Kagi Synopsis
  The provided KQL query is a technical detection rule aimed at identifying suspicious process creation events on endpoints, specifically focusing on the execution of various remote access tools (RATs), remote desktop software, and potentially malicious utilities.
  
  - **What happened:** The document does not describe a specific past event. Instead, it provides a technical means to detect potentially unauthorized or malicious remote access activity.
  - **Who is affected:** The query is designed for **defenders** to monitor their own systems. It does not specify a particular group of affected users, but rather aims to protect any organization using the query.
  - **Security implications:** The execution of the listed executables could indicate **unauthorized remote access, lateral movement within a network, or the deployment of malware**.
  - **Technical details:** The query works by examining process creation events and looking for specific executables. It analyzes their **file paths, original file names, and version information** to identify known remote access tools and utilities.
  - **What defenders should know:** Defenders should use this query to **monitor for the execution of these known tools**. This can help in detecting and preventing malicious activities that leverage legitimate remote access software for nefarious purposes.
• Monitor New Actions in Sentinel & Defender XDR (V2) - Bert-JanP (kqlquery.com) 🔍 Show Kagi Synopsis
  This article details an **updated solution (Logic App V2) for monitoring new actions within Microsoft Sentinel and Defender XDR** 【1】.
  
  **What Happened:**
  The solution was updated to version 2 due to changes in API support within the Unified Security Operations Platform. This update ensures continued visibility into new actions and signals within Microsoft's security products 【1】.
  
  **Who is Affected:**
  **Security operations teams** and **security analysts** using Microsoft Sentinel and Defender XDR are affected by this update. The solution is designed to help them stay proactive in identifying new threats and product changes 【1】.
  
  **Security Implications:**
  The primary security implication is the **prevention of security blind spots**. By monitoring new actions, defenders can identify emerging attack techniques or changes in product behavior before they are exploited. This allows for **proactive threat hunting** and ensures **comprehensive detection coverage** 【1】.
  
  **Technical Details:**
  - The solution utilizes the **Microsoft Graph API** to collect action data 【1】.
  - Authentication can be handled using either **Managed Identity** or **Service Principals** 【1】.
  - A **weekly HTML report** is generated, which includes:
  - Newly observed operations or event types 【1】
  - Their source tables 【1】
  - Occurrence counts 【1】
  - For large environments, **"Sentinel Summary Rules"** are introduced to prevent potential Microsoft Graph API timeouts. These rules involve specific Kusto Query Language (KQL) queries for creation and integration 【1】.
  
  **What Defenders Should Know:**
  Defenders should **leverage this updated solution** to:
  - **Enhance their threat hunting capabilities** 【1】
  - **Ensure comprehensive detection coverage** 【1】
  - **Quickly adapt to evolving security landscapes and product changes** 【1】
  - **Stay informed about new signals and potential anomalies** 【1】
• What's in the box !? - 'we were able to obtain a set of pen-testing tools from an active pen-tester and security analyst in China' - NetAskari 🔍 Show Kagi Synopsis
  This article provides an overview of a collection of penetration testing tools used by a Chinese pen-tester, offering insights into the methods and tools employed by commercial offensive security professionals in China.
  
  **What Happened:**
  The author analyzed a "toolbox" belonging to a Chinese pen-tester, revealing a combination of widely used security tools and region-specific custom frameworks. This collection offers a practical look at the tools utilized in offensive security engagements within China.
  
  **Who is Affected:**
  The tools are primarily used by commercial pen-testers in China. However, the potential impact extends to any organization or infrastructure that could be targeted by these tools. This includes businesses and government entities, as the line between commercial and state-sponsored cyber operations can be blurred.
  
  **Security Implications:**
  The tools are designed for various offensive security tasks, including automated reconnaissance, exploit hunting, and post-exploitation activities. Their capabilities encompass bypassing permissions, directory scanning, SQL injection, webshell creation, and exploiting vulnerabilities in services like Nacos and Kubernetes. The article highlights successful exploitation scenarios, such as gaining unauthorized access to Kubernetes clusters, obtaining database privileges, and compromising cloud server instances.
  
  **Technical Details:**
  The toolbox includes:
  - **Burp Suite Plugins:** A variety of plugins such as ByPassPro, Domain Hunter Pro, OneScan, and TsojanScan, aimed at enhancing web application testing.
  - **Chinese-Developed Frameworks:**
  - **Godzilla:** A framework for creating stealthy webshells using AES encryption.
  - **LiqunKit:** An exploit framework targeting databases and other services.
  - **天狐渗透工具箱 (One-Fox-T00ls):** A commercial meta-framework for exploits.
  - **NacosExploitGUI:** A graphical tool for exploiting vulnerabilities in Alibaba's Nacos service.
  - **Custom Scripts:** Python scripts for tasks like setting up HTTP file servers and crafting SQL injection payloads within SOAP packages.
  
  The article also references specific exploit examples from a pen-test report, detailing the successful acquisition of webshells, access to Kubernetes, elevated database privileges, and compromise of Alibaba cloud instances via leaked credentials.
  
  **What Defenders Should Know:**
  Defenders need to be aware of the dual use of popular global tools and specialized regional tools by Chinese pen-testers. Advanced frameworks like Godzilla, with their encryption capabilities, can pose significant detection challenges. Organizations should prioritize patching known vulnerabilities, especially in web applications, cloud services (like Alibaba Nacos), and container orchestration platforms (like Kubernetes). Secure management of credentials and configurations is crucial. Furthermore, robust security monitoring and incident response plans are essential to detect and mitigate attacks targeting these systems.
• sliver-tor-bridge: Tor transport bridge for Sliver C2 - anonymous command and control - Otsmane-Ahmed 🔍 Show Kagi Synopsis
  The `sliver-tor-bridge` tool is designed to enhance the anonymity of Sliver Command and Control (C2) infrastructure by routing traffic through the Tor network.
  
  - **What happened:** The `sliver-tor-bridge` tool was developed to create a Tor hidden service that acts as a proxy for Sliver C2 traffic. This effectively masks the true IP address of the Sliver C2 server, making it harder to detect and disrupt.
  - **Who is affected:** This tool primarily affects users of the **Sliver C2 framework** who want to increase the anonymity of their C2 operations. For **defenders**, it introduces a significant challenge in identifying and blocking C2 communications due to the added layer of obfuscation.
  - **Security implications:** The main security implication is the **increased anonymity and resilience of C2 infrastructure**. By hiding the C2 server's IP address behind a Tor `.onion` address, attackers can make their operations more difficult to trace and take down. This also means that defenders may struggle to identify the actual source of malicious activity.
  - **Technical details:** The tool works by setting up a Tor hidden service that directs traffic to a local HTTP proxy. This proxy then forwards all incoming connections to Sliver's HTTPS listener. Sliver implants connect to the `.onion` address via Tor, and the traffic is relayed through the bridge. The process requires Python 3.8+, Tor, and Sliver. It involves configuring Sliver to use an HTTPS listener and then running the `sliver-tor-bridge` script to establish the hidden service and proxy. The bridge ensures that Sliver appears to receive standard HTTPS connections, while the implant communicates with what seems like a regular HTTP server. 【1】
  - **What defenders should know:** Defenders need to be aware that attackers can use tools like `sliver-tor-bridge` to obscure their C2 infrastructure. This means that simply blocking known IP addresses might not be sufficient. **Monitoring for Tor network traffic** and analyzing patterns associated with hidden services could be crucial in detecting such operations. Understanding how these proxies work can help in developing strategies to de-anonymize or disrupt C2 communications that leverage Tor. 【1】