CWN #1 - 2023 Week 10

First post! A summary of thedfirreport "2022 year in review" and other interesting links


Highlight of the week

Thedfirreport published the “2022 Year in Review” (~38 pages), an analysis of all their public reports of 2022. The report drills down into each Tactic, with examples of and references for the respective Techniques and Procedures:

1. Initial Access: Phishing (T1566) is still the king, but with a shift towards ISO and ZIP files containing LNK shortcuts. As for non-phishing cases, Gootloader stands out: it relies on SEO poisoning to redirect targets to compromised websites.

2. Execution: since many compromises start with Phishing, Malicious File (T1204.002) ranks 1st. Then PowerShell (T1059.001), Windows Command Shell (T1059.003) and WMI (T1047) are the most seen Techniques. The flexibility of these tools allows threat actors to perform various tasks (enumeration, lateral movement, persistence […]) with the same tool.

3. Persistence: the most commonly seen Techniques are Scheduled Tasks (T1053.005) and Local (administrative) Accounts (T1136.001). They differentiate Early Stage Persistence from Late Stage Persistence, and note an increased usage of legitimate Remote Software tools like AnyDesk.

4. Privilege Escalation: Process Injection (T1055) and Valid Accounts (T1078) top the charts. Several known CVEs were observed, especially CVE-2020-1472 (Zerologon) and CVE-2021-44077 (referring to ManageEngine SupportCenter Plus).

5. Defense Evasion: it was the 2nd most prevalent Tactic observed in 2022. Process Injection (T1055) is the most observed evasion Technique (17.6% of the cases), both in Initial Access malware and in post-exploitation tools. Rundll32 (T1218.011) and Regsvr32 (T1218.010) are often seen as well. Bypasses of the Mark-of-the-Web are increasing, in line with the changes in Initial Access Techniques.

6. Credential Access: dumping the LSASS Memory (T1003.001) is observed in 44.4% of reports. The dump itself can be performed in several ways, with exploitation frameworks, system utilities or administrative tools.

7. Discovery: the most used commands often leverage built-in Windows binaries (T1087.002) to gather information such as IP addresses and connections. AdFind (T1087.002, T1482, T1018), a command-line Active Directory query tool, was observed in 61.5% of cases performing AD reconnaissance. Finally, Invoke-ShareFinder (T1135) is often used to enumerate shares and look for sensitive data.

8. Lateral Movement: RDP (T1021.001) and SMB/Windows admin shares (T1021.002) are the most common Techniques, 41.2% each!

9. Collection: not many Techniques are observed (only 5) and almost all with the same frequency. One common point: attackers rarely browse the data while still on the network.

10. Command and Control: two Techniques represent the vast majority of cases: Web Protocols (T1071.001) with 67.6% and Remote Access Tools (T1219) with 26.5%. Cobalt Strike remains the preferred choice, AnyDesk being the 2nd most used tool.

11. Exfiltration: it’s often seen as the “monetization” of a successful attack. Techniques vary, but often use the same tool as the C2, or dedicated data copy tools like rclone.

12. Impact: thedfirreport cautions about “our data set having visibility gaps for the Impact tactic”. Data Encrypted for Impact (T1486) is the most common Technique, with attackers leveraging SMB, WMI and/or PsExec to propagate their malware.

They conclude their analysis with: “Deploying ransomware and exfiltrating sensitive data was the primary goal for most intrusions we reported”.

This is only an overview. In the report you’ll find more details and nuances, the most common Suricata & Sigma rules as well as JA3/JA3S hashes, and a MITRE ATT&CK summary table of the tools & Techniques.

🧠 https://thedfirreport.com/2023/03/06/2022-year-in-review/
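The Credential Access and Discovery points above (LSASS memory access, AdFind enumeration) are the kind of behaviour the report’s Sigma rules cover. As an added example that is not code from the newsletter nor one of thedfirreport’s published rules, here is a minimal Sigma-style matcher run over constructed Sysmon-shaped events (Event ID 10 ProcessAccess, Event ID 1 ProcessCreate); the field names follow Sysmon conventions, while the events, the rule titles and the selection values are constructed for illustration.

```python
"""Sigma-style detection over constructed Windows telemetry.

Added example: not code from the newsletter nor one of thedfirreport's
published rules. Field names follow Sysmon conventions (Event ID 10
ProcessAccess, Event ID 1 ProcessCreate); events and rules are constructed.
"""

# Constructed sample events, flattened to one dict per event.
SAMPLE_EVENTS = [
    # Benign: a Windows service process opens lsass with a limited access mask.
    {"EventID": 10,
     "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1000"},
    # Suspicious: a binary in a user-writable path opens lsass with PROCESS_ALL_ACCESS.
    {"EventID": 10,
     "SourceImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1FFFFF"},
    # Suspicious: AdFind querying the directory (T1087.002 / T1482 / T1018).
    {"EventID": 1,
     "Image": r"C:\Temp\adfind.exe",
     "CommandLine": 'adfind.exe -f "(objectcategory=person)" -csv'},
    # Benign: routine PowerShell usage.
    {"EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Date"},
]

# Constructed rules in a Sigma-like shape: every field in "selection" must match
# (a list value means any of its entries), and any matching block in "filters"
# suppresses the hit, i.e. the condition is "selection and not filter".
RULES = [
    {
        "title": "LSASS memory access from a non-Windows path",
        "selection": {
            "EventID": 10,
            "TargetImage|endswith": r"\lsass.exe",
            # Access masks commonly requested by credential-dumping tools.
            "GrantedAccess": ["0x1010", "0x1410", "0x1438", "0x143a", "0x1fffff"],
        },
        "filters": [{"SourceImage|startswith": "C:\\Windows\\"}],
    },
    {
        "title": "AdFind domain enumeration",
        "selection": {
            "EventID": 1,
            "Image|endswith": r"\adfind.exe",
            "CommandLine|contains": ["objectcategory=", "-subnets", "trustdmp"],
        },
    },
]


def _match_field(event, key, expected):
    """Sigma-like comparison: case-insensitive, with endswith/startswith/contains modifiers."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    candidates = expected if isinstance(expected, list) else [expected]
    for candidate in candidates:
        candidate = str(candidate).lower()
        if modifier == "endswith" and value.endswith(candidate):
            return True
        if modifier == "startswith" and value.startswith(candidate):
            return True
        if modifier == "contains" and candidate in value:
            return True
        if modifier == "" and value == candidate:
            return True
    return False


def _match_block(event, block):
    """All fields of a selection/filter block must match (logical AND)."""
    return all(_match_field(event, key, expected) for key, expected in block.items())


def evaluate(rule, event):
    """True when the event matches the selection and none of the filters."""
    if not _match_block(event, rule["selection"]):
        return False
    return not any(_match_block(event, flt) for flt in rule.get("filters", []))


def run(rules, events):
    """Return (event_index, rule_title) pairs for every rule that fires."""
    return [(idx, rule["title"])
            for idx, event in enumerate(events)
            for rule in rules
            if evaluate(rule, event)]


if __name__ == "__main__":
    for idx, title in run(RULES, SAMPLE_EVENTS):
        print(f"event {idx}: {title}")
```

Running it flags the second and third events only. The `SourceImage` path filter is a coarse allowlist that keeps the example short; a production rule would instead enumerate the specific signed binaries expected to open LSASS, since anything dropped under `C:\Windows\` would otherwise slip past it.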

Selection of the week

Vulncheck analysed the Cybersecurity & Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog for 2022: 557 new entries, but among them:

  • only 17% are CVEs from 2022 (which still represent an average of 2 vulnerabilities per week).
  • 22% were linked to ransomware attacks and 35.9% were Initial Access vectors.

🧠 https://vulncheck.com/blog/2022-cisa-kev-review
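The first statistic above (share of 2022 additions that are CVEs reserved in 2022) can be recomputed from the public KEV JSON feed. As an added example that is not part of the newsletter nor of Vulncheck’s analysis, the script below does so over a constructed feed: the record shape (a `vulnerabilities` list with `cveID` and `dateAdded`) follows CISA’s feed, while the entries and their CVE numbers are placeholders.

```python
"""Share of same-year CVEs among one year's KEV additions, over a KEV-shaped feed.

Added example, not part of the newsletter or of Vulncheck's analysis. The record
shape follows CISA's public KEV JSON feed ("vulnerabilities" list with "cveID" and
"dateAdded"); the entries below are constructed and the CVE numbers are placeholders.
"""
import json
import re
from collections import Counter

CVE_ID = re.compile(r"^CVE-(\d{4})-\d{4,}$")

# Constructed sample: eight additions in 2022, one in 2021 and one in 2023.
SAMPLE_KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2022-90001", "dateAdded": "2022-01-10"},
    {"cveID": "CVE-2021-90002", "dateAdded": "2022-01-28"},
    {"cveID": "CVE-2017-90003", "dateAdded": "2022-02-15"},
    {"cveID": "CVE-2022-90004", "dateAdded": "2022-04-04"},
    {"cveID": "CVE-2019-90005", "dateAdded": "2022-06-01"},
    {"cveID": "CVE-2021-90006", "dateAdded": "2022-08-22"},
    {"cveID": "CVE-2014-90007", "dateAdded": "2022-10-03"},
    {"cveID": "CVE-2020-90008", "dateAdded": "2022-12-12"},
    {"cveID": "CVE-2021-90009", "dateAdded": "2021-11-03"},
    {"cveID": "CVE-2023-90010", "dateAdded": "2023-01-10"},
]})


def cve_year(cve_id):
    """Year encoded in the CVE identifier (the year the ID was reserved, not disclosed)."""
    match = CVE_ID.match(cve_id)
    if not match:
        raise ValueError(f"not a CVE identifier: {cve_id!r}")
    return int(match.group(1))


def entries_added_in(feed, year):
    """KEV entries whose dateAdded falls in the given calendar year."""
    return [e for e in feed["vulnerabilities"] if e["dateAdded"].startswith(f"{year}-")]


def summarize(raw_json, year=2022):
    """Count the year's additions and break them down by the year in the CVE ID."""
    feed = json.loads(raw_json)
    added = entries_added_in(feed, year)
    by_cve_year = Counter(cve_year(e["cveID"]) for e in added)
    same_year = by_cve_year.get(year, 0)
    return {
        "added": len(added),
        "same_year": same_year,
        "same_year_pct": round(100.0 * same_year / len(added), 1) if added else 0.0,
        "same_year_per_week": round(same_year / 52, 2),
        "by_cve_year": dict(sorted(by_cve_year.items())),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_KEV_JSON))
```

To reproduce the real figures, feed `summarize()` the contents of the downloaded KEV JSON file instead of the constructed sample. The `by_cve_year` breakdown is what shows the backlog effect Vulncheck points at: most additions in a given year are older CVEs. The ransomware and Initial Access shares quoted above need enrichment beyond these two fields and are not computed here.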


As “risk 0” doesn’t exist, everyone should architect their systems around resiliency; a strong starting point is NIST SP 800-160 Volume 2 (Rev 1): “Developing Cyber-Resilient Systems”. Implementing this framework isn’t easy, so MITRE developed the Cyber Resiliency Engineering Framework (CREF) Navigator to explain the terms and their relationships with NIST SP 800-53 controls and ATT&CK. The EU is working on the same topic with the Digital Operational Resilience Act (DORA), still in draft today.

🛠️ https://crefnavigator.mitre.org/navigator

🧰 https://csrc.nist.gov/publications/detail/sp/800-160/vol-2-rev-1/final


Security flaws were identified in TPM 2.0 by Quarkslab’s researchers Francisco Falcon and Ivan Arce: an out-of-bounds read (CVE-2023-1017) and an out-of-bounds write (CVE-2023-1018), allowing malicious actors to access sensitive data, execute code or render the chip/process unusable. Exploiting these flaws requires local authenticated access, but malware already running on the device meets this prerequisite. CERT/CC and TCG released security advisories.

📰 https://www.bleepingcomputer.com/news/security/new-tpm-20-flaws-could-let-hackers-steal-cryptographic-keys/

📝 https://content.quarkslab.com/major-vulnerabilities-tpm20

📝 https://kb.cert.org/vuls/id/782720

📝 https://trustedcomputinggroup.org/wp-content/uploads/TCGVRT0007-Advisory-FINAL.pdf


ESET researchers identified BlackLotus, the first-known UEFI bootkit able to bypass the Secure Boot protection on fully updated versions of Windows.

📝 https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/

📰 https://arstechnica.com/information-technology/2023/03/unkillable-uefi-malware-bypassing-secure-boot-enabled-by-unpatchable-windows-flaw/


A very good awesome list on threat detection was recently updated:

🔖 https://github.com/0x4D31/awesome-threat-detection


With the huge improvements in machine learning, are we moving closer to applied techniques that support the daily work of cybersecurity professionals?

📰 https://towardsdatascience.com/transformer-neural-network-engineering-techniques-on-system-logs-for-malware-behavior-modeling-c79f83f1ae69


Arsenal, a plugin that brings ATLAS techniques into the CALDERA adversary emulation platform, has been developed by Microsoft and MITRE to emulate attacks on Machine Learning systems:

📰 https://www.securityweek.com/new-tool-made-by-microsoft-and-mitre-emulates-attacks-on-machine-learning-systems/

🛠 https://github.com/mitre-atlas/arsenal

Parting thoughts

Thank you for reading this first edition; don't hesitate to share it.

Comments and feedback are welcome: contact@cyberwhatnow.com
