Intro

After reading an incredibly eye-opening report entitled "Russia: EMP Threat" [1], which dives into the post-Soviet, contemporary doctrine of non-contact warfare ("the combined use of cyber viruses and hacking, physical attacks, non-nuclear EMP weapons, and ultimately nuclear HEMP attack against electric grids and critical infrastructures"), we decided to see if we could develop some signatures for the Hunter module that would find and track Russian criminal forums on the clear-net, looking for trending tradecraft. The Federation's intelligence apparatus is well known to periodically employ elite cyber criminals for government initiatives, and this is what sparked our curiosity. Could we develop custom signatures for our automation that would enumerate these key points of interest? What would we find? Ultimately, the answer was yes: we can use our proprietary signatures and automation to articulate trends in these criminal circles. Below, we discuss some of the interesting findings from this preliminary research and lay out some of the broader context behind the initial motivation for this endeavor.

Full disclosure: we have not had prior training as military analysts, but our team has been observing the technical capabilities of Russian cyber actors for some time now. Moreover, observing Russian cyber aggression against places like Ukraine, resulting in real-world consequences like the annexation of the Crimean Peninsula, also intensified our interest. Ukraine has long been a testing ground for the Russian Federation's cyber weapons [2], or as they call it, Information Warfare. While many of the recent intrusions into the IT systems of the West have been viewed solely as espionage, others believe there is a far more sinister motivation behind these operations: "Intrusions look less like isolated cases of theft and hacking and more like probing U.S. defenses and gauging Washington's reactions—perhaps in preparation for an all-out cyber offensive that would include physical sabotage, radio frequency weapons, and ultimately nuclear HEMP attack" [3]. This was the primary motivation to begin down this path: to see if we could use our open-source capabilities to shed some light on this Russian information warfare onslaught. Lastly, we leave readers with supporting technical documentation in the hope of spurring further discussion and analysis.

Russian Information Warfare

Russia views the cyber domain considerably differently from the West, from both defensive and offensive perspectives. The Federation sees the freedoms and connectivity that the internet brings as dangerous, potentially sowing dissension and democratic views within the regime. Understanding the mindset of the state, which is said to be a "worst case scenario" mindset, provides a valuable lens for interpreting how the power structure would view adjacent events such as the toppling of governments in Georgia's Rose Revolution, Ukraine's Orange Revolution and Kyrgyzstan's Tulip Revolution [4], in association with the free-speech nature and connectivity of the internet. Russia also sees cyberspace as a powerful vehicle for advancing offensive military and political objectives, and has become a proficient master of this domain. The Russian Ministry of Defense (MoD) plans to create a cyber deterrent akin to the devastation that thermonuclear weapons would have on an adversary's civilization. The MoD has an annual budget of ~250M for its cyber activities and invests this capital in initiatives like malware development to target all aspects of Western critical infrastructure (banking, power, defense, aviation, etc.) [5]. This defense budget seems to be well spent, as Russian cyber operators have a reputation that precedes them across the globe.
Hunting Tradecraft with a Russian Flavor

For our preliminary experiment, we wanted to see if we could take existing Cyber Mongol signatures and augment them slightly to find content hosted on Russian criminal forums. Lines have long been drawn between Russian criminal groups and state-sponsored operators such as APT 28, so we thought this might be a good place to start. Using Cyber Mongol hunt signatures for direct system calls, Cobalt Strike binary object files (BOFs), process hollowing and process doppelganging, we hit the clear-net to see what we could turn up. All four signatures succeeded in turning up tradecraft being shared on Russian criminal sites. While our initial research had nowhere near the depth to find innovative APT tactics not yet articulated within the security community, it did prove without a doubt that advanced content which our cyber intelligence engine tracks within the security community is being mirrored on criminally frequented platforms. One such platform (www[.]xss[.]is) had continuous hits with all four of the signatures mentioned above. It also housed other tradecraft that our sensors aren't tuned to ingest, such as software to create fake passports, carding tactics and other criminal aspects of the Russian underground.

Conclusions

While our findings were preliminary and quite raw, we were able to test a completely new application of our existing intelligence stack with only minor tweaks to the signatures. Seeing on-trend content which our intelligence engine is currently tracking within the security community being shared and discussed on Russian criminal forums has strengthened our existing stance that the cyber security ecosystem maintains influence over adversary tradecraft adoption. Moreover, knowing that groups like APT 28 have strong links to platforms such as this gives us new ideas on how to better harness and augment our open-source intelligence capabilities.

Stay tuned for even bigger and better things to come.

Supporting Documentation

1. Russia: EMP Threat
2. 2018 CEPA Report: Chaos as a Strategy
3. The Russian Military in Contemporary Perspective
4. Analysis of the Cyber Attack on the Ukrainian Power Grid
I want to briefly explain the cycle we use for the Hunter module to ingest offensive tradecraft.

Step (1): Signatures are distilled by extracting features from already-ingested tradecraft that the engine deems relevant. Features include text-processing features, API calls and system binaries.
Step (2): These features are refined and given to the Hunter module, which searches for matching signatures across a vast number of social platforms.
Step (3): When similar tradecraft is found, it is distilled in the same fashion and the cycle repeats.

Example tradecraft in this post can be found below and reinforces our last post regarding an ongoing, widespread adoption of direct syscall use.
Dumpert2000: gitjdm/dumper2020: Yet another LSASS dumper (github.com)
Syscalls & Cobalt Strike: Implementing Syscalls In The Cobaltstrike Artifact Kit – bs – no bs (br-sn.github.io)

1/21/2021 Automation + Operators = Using Advanced Signatures to Hunt Windows Tradecraft on the Open Internet

The Hunter Module is automation that takes distilled signatures from our Nebula dataset (API calls, SYSTEM binaries, behaviors) and hunts for those same signatures across the open internet. The automation presents the operator with a brief signal description and the signature specifics found within the web content (API calls, SYSTEM binaries, and soon behaviors), and then pops open a window to the matched tradecraft. While testing a signature for process injection, we noticed a lot of content being produced regarding a new evasion tool called SysWhispers2. Funnily enough, our own content (Cyber Mongol Operator Research Blog) was flagged by Hunter for an injector post we did... that was a trip! Much more to come on this module; it's just in its infancy.
SysWhispers2: https://lnkd.in/ekM74yd
Video (YouTube): https://lnkd.in/eM6Vsbg

1/15/2021 Process Hollowing

On average, AV/EDR is doing a good job at catching this type of injection. In this video, we first hollowed with OpenThread, SuspendThread, VirtualAllocEx, WriteProcessMemory and ResumeThread, which was swiftly dealt with by Defender for Endpoint. However, our automation distilled another prevalent API signature for hollowing, which was used later in the video and ran undetected. Our automation creates these signatures by looking over millions of lines of malicious code and graphing relationships between files, functions, processes, libraries and social contexts. A detailed look at these process hollowing techniques, and at the signature we distilled to find advanced Cobalt Strike tradecraft, will be published in our first-ever Cyber Mongol CTI report. Get hold of us to find out more.
A dirty UAC bypass buys just enough time to register a WMI permanent event subscription (which needs to be registered with admin privileges) that executes a binary injecting into nslookup.exe every time the Microsoft Store app process is started. The injection results in a persistent, SYSTEM-level implant phoning home to a Covenant C2 listener, provided the artifacts on disk aren't discovered. There are other vectors available that are a little more OpSec friendly 😊. MS Defender for Endpoint flags the UAC bypass as malicious (but doesn't stop it) and doesn't see the WMI event subscription, so it does not indicate that a persistent SYSTEM-level shell is present. The device timeline does register the script fired by the WMI event subscription and the binary that hollows nslookup.exe, but neither is flagged. Checking for WMI event subscriptions is a good way to find nastiness, with the following commands:

EventFilters: Get-WMIObject -Namespace root\Subscription -Class __EventFilter
EventConsumers: Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer
Bindings: Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding

Running a bunch of open-source injector techniques that our CTI engine has seen a good amount of human traction behind. Our goal is to edit the source as little as possible (a few sprinkles here and there), evaluating the level of difficulty it would take to pull off these evasive tactics.
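The three Get-WMIObject checks from the WMI persistence post above, combined into one script that resolves each binding to its filter query and consumer payload. This is an added example, not Cyber Mongol's code; the "Suspicious" heuristic (process-creation trigger wired to a command or script consumer) is my assumption, not something the post states.

```powershell
# Added example, not Cyber Mongol's code: resolve every WMI permanent event
# subscription binding to its filter query and consumer payload, so a chain of
# "process-creation trigger -> command/script consumer" is visible at a glance.
# Run elevated; Get-WmiObject is the cmdlet the post above uses (Get-CimInstance also works).
$ns = 'root\subscription'
$filters   = Get-WmiObject -Namespace $ns -Class __EventFilter
# __EventConsumer is the base class, so this returns every consumer type, not only CommandLine ones.
$consumers = Get-WmiObject -Namespace $ns -Class __EventConsumer
$bindings  = Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding

foreach ($b in $bindings) {
    # Binding.Filter / Binding.Consumer are object paths such as
    # __EventFilter.Name="MyFilter" and CommandLineEventConsumer.Name="MyConsumer";
    # pull class and Name out of the path to look up the referenced objects.
    $filterName = [regex]::Match($b.Filter, '__EventFilter\.Name="([^"]*)"').Groups[1].Value
    $m = [regex]::Match($b.Consumer, '(\w+)\.Name="([^"]*)"')
    $consumerClass, $consumerName = $m.Groups[1].Value, $m.Groups[2].Value

    $f = $filters   | Where-Object { $_.Name -eq $filterName }
    $c = $consumers | Where-Object { $_.__CLASS -eq $consumerClass -and $_.Name -eq $consumerName }

    # What the consumer executes depends on its class.
    $payload = switch ($consumerClass) {
        'CommandLineEventConsumer'  { $c.CommandLineTemplate }
        'ActiveScriptEventConsumer' { if ($c.ScriptText) { $c.ScriptText } else { $c.ScriptFileName } }
        default                     { '(non-executing or missing consumer)' }
    }

    # Heuristic (my assumption, not from the post): a process-creation query wired to an
    # executing consumer matches the persistence shape described above.
    $runsCode    = $consumerClass -in @('CommandLineEventConsumer', 'ActiveScriptEventConsumer')
    $procTrigger = $f.Query -match 'Win32_Process|__InstanceCreationEvent'

    [pscustomobject]@{
        Filter     = $filterName
        Query      = $f.Query
        Consumer   = "$consumerClass/$consumerName"
        Payload    = $payload
        Suspicious = ($runsCode -and $procTrigger)
    }
}
```

A binding whose filter or consumer cannot be resolved shows an empty Query or a "missing consumer" payload, which is itself worth a look, since orphaned subscription objects are common leftovers of a cleanup that was not finished.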