CWN #2 - 2023 Week 11

GPT-4 is here! Also, news from GreyNoise, another AiTM phishing kit, a critical vulnerability in Outlook and a new kill chain from Meta.


Highlight of the week

This week was really busy and GPT-4 is all over the news.

I'll provide an analysis next week; here is a first bundle of resources:

Possibly a first cybersecurity application (not tried so far): https://alterai.me/ ?

Selection of the week

GreyNoise turns Internet noise into intelligence. One of their latest blog posts dives into the type of traffic their new sensors are seeing. The TL;DR is: don’t expose anything on the Internet before it is secured; you won’t have time to secure it ‘later’.

  • Benign scanners take more than an hour after deployment to find a new node;
  • BUT the first potentially malicious packet arrives roughly 10 seconds after deployment, and an actual attack attempt shows up after 3h+;
  • The most commonly scanned ports are Telnet, RDP, SSH and SMB, but identified attacks mostly target RDP (50%+).

📝 https://www.greynoise.io/blog/a-week-in-the-life-of-a-greynoise-sensor-its-all-about-the-tags


Another AiTM phishing kit! The technique dubbed AiTM phishing circumvents multifactor authentication (MFA) by putting a reverse proxy between the victim and the real login page (MITRE ATT&CK: T1557 Adversary-in-the-Middle). The threat actor DEV-1101 has been selling this kind of kit “as-a-Service” since May 2022, with regular enhancements such as administration from mobile (through a Telegram bot) and evasion features like CAPTCHA pages. Its current monthly cost is $300, or $1,000 for the VIP version.

DEV-0928 uses it and was observed running a phishing campaign of more than one million emails.

The sequence is straightforward: send a malicious link by email, trigger the evasion steps (href redirection or a CAPTCHA page) if needed, redirect to the phishing landing page, capture the credentials entered, and, when MFA is detected, act as a reverse proxy to the real service so that the session cookie issued after the MFA challenge is captured too (Microsoft's post features a nice workflow diagram).

How to respond to such a threat? With what we currently have:

  • Protect: deploy conditional access (based on trusted IPs, location, device…) and anti-phishing email relays and web proxies with fast updates to their blocklists;
  • Detect: hunt for suspicious sign-in activity (location, ISP, user agent, use of anonymizer services…);
  • React: revoke the stolen session cookie, rotate the credentials of the compromised user, and update the blocklist for everyone based on what patient zero triggered.

As always, reacting promptly to such threats is crucial: automating the response once a compromise is confirmed is less and less optional...
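The Detect and React bullets above, as an added example (not code from Microsoft's post or from this newsletter): a small hunt over a constructed sign-in export. The two AiTM tells it looks for are an authentication that originates from a hosting or anonymizer ASN (the proxy, not the victim's browser, talks to the identity provider) and a session that is later used from a different ASN or user agent than the one that authenticated. The log schema, the ASN watchlist and the one-hour replay window are assumptions, not any vendor's format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in export for the example (not real telemetry). Each tuple
# is: user, UTC timestamp, client IP, ASN owner, user agent, session id, event.
# The field set is an assumption about what an identity provider exports.
SAMPLE_EVENTS = [
    # alice: normal login and later activity, same origin throughout
    ("alice", "2023-03-13T08:02:10", "203.0.113.10", "Example Telecom", "Chrome/110 Windows", "s-1001", "login"),
    ("alice", "2023-03-13T08:02:15", "203.0.113.10", "Example Telecom", "Chrome/110 Windows", "s-1001", "mfa_ok"),
    ("alice", "2023-03-13T08:40:00", "203.0.113.10", "Example Telecom", "Chrome/110 Windows", "s-1001", "mailbox_access"),
    # bob: the login itself arrives through the AiTM proxy (hosting ASN) and
    # the stolen cookie is replayed minutes later from a VPN exit with a new UA
    ("bob", "2023-03-13T09:11:02", "198.51.100.7", "Cheap VPS Hosting", "Chrome/110 Windows", "s-2002", "login"),
    ("bob", "2023-03-13T09:11:09", "198.51.100.7", "Cheap VPS Hosting", "Chrome/110 Windows", "s-2002", "mfa_ok"),
    ("bob", "2023-03-13T09:14:30", "192.0.2.44", "Anon VPN Ltd", "Chrome/111 macOS", "s-2002", "mailbox_access"),
    ("bob", "2023-03-13T09:16:00", "192.0.2.44", "Anon VPN Ltd", "Chrome/111 macOS", "s-2002", "inbox_rule_created"),
]

# Constructed watchlist of ASN owners tied to hosting/anonymizer services;
# in production this comes from an IP enrichment feed.
SUSPICIOUS_ASN_OWNERS = {"Cheap VPS Hosting", "Anon VPN Ltd"}
REPLAY_WINDOW = timedelta(hours=1)  # assumption: align with your session token lifetime


def parse(record):
    user, ts, ip, asn, ua, sid, event = record
    return {"user": user, "ts": datetime.fromisoformat(ts), "ip": ip,
            "asn": asn, "ua": ua, "sid": sid, "event": event}


def hunt(events):
    """Return {session_id: finding} for sessions showing AiTM indicators.

    A bare IP change is deliberately not enough to flag a session (mobile
    users roam); the ASN owner or the user agent has to change.
    """
    by_session = defaultdict(list)
    for e in map(parse, events):
        by_session[e["sid"]].append(e)

    findings = {}
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        first = evs[0]
        reasons, ips = [], set()
        if first["asn"] in SUSPICIOUS_ASN_OWNERS:
            reasons.append(f"authenticated from hosting/anonymizer ASN: {first['asn']}")
            ips.add(first["ip"])
        for e in evs[1:]:
            if e["ts"] - first["ts"] > REPLAY_WINDOW:
                continue
            if (e["asn"], e["ua"]) != (first["asn"], first["ua"]):
                ips.add(e["ip"])
                delay = int((e["ts"] - first["ts"]).total_seconds())
                reasons.append(f"session reused from {e['ip']} ({e['asn']}, {e['ua']}) {delay}s after login")
                break  # one replay finding per session is enough for triage
        if reasons:
            findings[sid] = {"user": first["user"], "ips": sorted(ips), "reasons": reasons}
    return findings


def response_plan(findings):
    """Map each finding to the containment steps: revoke the session, rotate the password, block the IPs."""
    return [{"revoke_session": sid, "reset_password": f["user"], "block_ips": f["ips"]}
            for sid, f in findings.items()]


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for sid, f in found.items():
        print(sid, f["user"], *f["reasons"], sep="\n  ")
    print(response_plan(found))
```

On the sample data only bob's session is flagged, for both reasons, and the plan revokes that session, resets his password and blocks the two attacker-side IPs; alice's session, which never changes origin, stays quiet. The blocked IPs are the attacker's infrastructure, not the victim's own address, which is why the first IP is only added when the authentication itself came from a watchlisted ASN.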

📝 https://www.microsoft.com/en-us/security/blog/2023/03/13/dev-1101-enables-high-volume-aitm-campaigns-with-open-source-phishing-kit/

📝 Older resource: https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/


A vulnerability in Outlook is making the news because it’s really trivial to exploit!

From the official description of the vulnerability: Microsoft Office Outlook contains a privilege escalation vulnerability that allows for an NTLM relay attack against another service to authenticate as the user. Microsoft also provides a script to audit Exchange mailboxes; it looks specifically for the PidLidReminderFileParameter property, which controls what sound file the Outlook client plays when the reminder for the mail item is triggered. The initial PoC developed by Dominic Chell points that property at a UNC path on an attacker-controlled server and combines it with PidLidReminderOverride so that the custom sound is used: when the reminder fires, Outlook connects to the share and sends the user's NTLM authentication, with no user interaction required.

Outlook on the web and M365 are not impacted (only the Windows desktop client is). Microsoft released a patch (📝 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397) but exploitation through a local hostname or a host in a trusted zone still works, so relaying the authentication inside the network for privilege escalation remains possible…

🧠 Initial findings by Dominic Chell 👏: https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/


Meta’s threat intelligence team thinks we need a new, broader kill chain: the “Online Operations Kill Chain”! The framework aims to introduce a common taxonomy and model regardless of the type of activity (fraud, influence, hacking…).

This kill chain was developed by Ben Nimmo and Eric Hutchins. It’s “an analytic framework that is designed to be applied to a wide range of online operations – especially those in which the targets are human”. Its guiding principles are: observation-based, tactical, platform-agnostic, optimized for human-on-human operations, one or many platforms, and modular.

This framework has 10 stages (versus 7 in the Lockheed Martin Cyber Kill Chain):

  1. Acquiring assets
  2. Disguising assets
  3. Gathering information
  4. Coordinating and planning
  5. Testing platform defenses
  6. Evading detection
  7. Indiscriminate engagement
  8. Targeted engagement
  9. Compromising assets
  10. Enabling longevity

The white paper provides real-life examples for each stage (like "Using link-shortening tools to obfuscate malware links") and applies the model to 3 campaigns to demonstrate its applicability: “DCLeaks”, “PeaceData” and “V_V”.

📰 https://www.securityweek.com/meta-develops-new-kill-chain-thesis/

🧰&📝 The white paper is https://carnegieendowment.org/2023/03/15/phase-based-tactical-analysis-of-online-operations-pub-89275

🧰 Lockheed Martin’s framework: https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html

Parting thoughts

Don't let GPT-4 hallucinate too much and thank you for reading this edition, don't hesitate to share it.

Comments and feedbacks are welcome: contact@cyberwhatnow.com
