Blog entry by Les Bell

Les Bell
by Les Bell - Thursday, September 29, 2022, 9:53 AM
Anyone in the world

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


New Campaign Targets US Defence Contractors

Security researchers at Securonix have uncovered a sophisticated attack campaign directed at multiple military and weapons contractors, including a likely supplier to the F-35 Lightning II fighter program. The initial compromise is achieved by a spear-phishing malmail which carries an attached shortcut file with a seductive name like 'Company & Benefits.pdf.lnk". This then uses the forfiles command to stealthily run a PowerShell command line script which repeatedly attempts to connect to a C2 server in order to fetch the next of seven stages of downloaded scripts which complete the infection.

The multiple-stage infection process exmploys many aggressive antiforensics techniques; for example, if it detects it is being executed in a virtualization sandbox, it disables networking on the system, deletes all the user files it can find, and then shuts the machine down. Of particular interest is that if the system language is Chinese or Russian, then it simply exits after initiating a shutdown.

Along the way, the different stages contact a variety of C2 servers which are themselves hidden behind a Cloudflare front end which will also provide CDN services and TLS encryption. The Securonix blog article provides a comprehensive analysis including IOC's and threat hunting queries.

Iuzvyk, D., T. Peck and O. Kolesnikov, Securonix Threat Labs Security Advisory: Detecting STEEP#MAVERICK: New Covert Attack Campaign Targeting Military Contractors, blog post, September 2022. Available online at https://www.securonix.com/blog/detecting-steepmaverick-new-covert-attack-campaign-targeting-military-contractors/.

Auth0 Code Compromised, Somehow

Authentication service provider Auth0, now a subsidiary of Okta, has disclosed that a third party has somehow acquired a copy of some Auth0 code respositories, dated October 2020. However, an extensive investigation conducted by both the company itself and a DFIR consultancy found no evidence of unauthorized access to its environments, and no evidence of any data exfiltration.

Although the mechanism of the breach remains a mystery, the company has notified law enforcement and taken additionl steps to ensure the code cannot be used to compromise any accounts.

Uncredited, Auth0 Code Repository Archives From 2020 and Earlier, blog post, 26 September 2022. Available online at https://auth0.com/blog/auth0-code-repository-archives-from-2020-and-earlier/.

Facebook Shutters Chinese, Russian Disinformation Networks

Facebook parent company Meta has disclosed actions it has taken to shut down two unconnected networks - one Chinese, one Russian - which were violating the firm's policy against what it terms 'coordinated inauthentic behaviour'.

The Chinese-origin operation targeted primarily the US and Czechia (the Czech Republic), posting on Facebook, Instagram, Twitter and two petition platforms in Czechia. Its focus was to influence US voters of all political stripes ahead of the upcoming midterm elections, and also to influence Czechia's foreitn policy towards China and Ukraine.

The Russian network focused on Germany, France, Italy, Ukraine and the UK with narratives on the Ukraine conflict and its impact in Europe. This was a large and complex campaign which used sock puppet accounts on Facebook, Instagram, LiveJournal, YouTube, Telegram, Twitter, Change.org and Avaaz to direct readers to a network of over 60 web sites impersonating legitimate news organizations such as The Guardian and Der Spiegel.

The full, 30-page report includes IOC's; for social media users the obvious lesson is to check the URL bar on links you follow from posts, to make sure you are looking at the real news site.

Nimmo, Ben and David Agranovich, Removing Coordinated Inauthentic Behavior From China and Russia, news release, Meta, 27 September 2022. Available online at https://about.fb.com/news/2022/09/removing-coordinated-inauthentic-behavior-from-china-and-russia/.

Nimmo, Ben and Mike Torrey, Taking down coordinated inauthentic behavior from Russia and China, Detailed Report, September 2022. Available online from https://about.fb.com/wp-content/uploads/2022/09/CIB-Report_-China-Russia_Sept-2022-1-1.pdf.

"Quantum Builder" Shortcuts Used to Deliver RATs

A new campaign is using a tool called "Quantum Builder" to generate malicious Windows shortcut and similar files in order to deliver the Agent Tesla keylogger RAT to victims.

Quantum Builder, which is linked to the Lazarus Group APT, can generate mailicious .lnk, .hta and PowerShell payloads which use multiple stages to deliver Agent Tesla. The payloads use a variety of sophisticated techniques:

  • User Account Control bypass
  • Multi-stage infection chain making use of LOLBins
  • In-memory execution of PowerShell scripts
  • Execution of decoys to distract victims post-compromise

ZScaler ThreatLabz, who discovered the campaign, say they are unable to confidently make attribution at this stage, but have provided a full analysis in their report.

Zscaler ThreatLabz, Agent Tesla RAT Delivered by Quantum Builder With New TTPs, blog post, 27 September 2022. Available online at https://www.zscaler.com/blogs/security-research/agent-tesla-rat-delivered-quantum-builder-new-ttps.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons LicenseCopyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Tags: