Blog entry by Les Bell

by Les Bell - Friday, 11 November 2022, 8:47 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


IceXLoader Rapidly Evolves

Minerva Labs is reporting yet another new version of the IceXLoader loader, which was first discovered last June by FortiGuard. That initial version (v3.0) seemed incomplete, but Minerva recently observed a much more polished version 3.3, which is fully functional and provides a multi-stage malware delivery chain to its criminal customers.

IceXLoader is delivered in the form of a ZIP file which carries a first-stage executable, with its configuration stored in the resources. When run, this creates a new folder and drops the next stage, a .NET downloader called STOREM~2.EXE, into it. The machine then reboots, executes the next stage and cleans up the folder it just used.

This stage downloads a .PNG file, converts it into a dynamic link library and executes it in a new thread. This DLL then decrypts IceXLoader itself, checks that it is not running inside the Microsoft Defender sandbox, delays briefly - again to evade sandbox detection - and finally injects the loader into a new process.

Once the loader is running, it enumerates some system information and uploads it to the C2 server, makes multiple copies of itself and creates registry entries to ensure it persists. Minerva's report provides further details, including IOCs.

Zargarov, Natalie, New updated IceXLoader claims thousands of victims around the world, blog post, 8 November 2022. Available online at https://minerva-labs.com/blog/new-updated-icexloader-claims-thousands-of-victims-around-the-world/.

Cozy Bears Roaming Through Diplomatic Network

A new report from Mandiant describes how Russian state threat actor APT29, a.k.a. Cozy Bear, was able to compromise a European diplomatic organization, gaining initial access through a spear-phishing attack and then possibly pivoting within the organization by exploiting a little-known feature of Active Directory.

While observing the threat actors' behaviour on the victim network, Mandiant observed numerous very strange LDAP queries on the Active Directory domain. LDAP queries are often used for credential gathering, but these were querying an unusual property: {b7ff5a38-0818-42b0-8110-d3d154c97f24}, or the ms-PKI-Credential-Roaming-Tokens attribute. Credential Roaming was introduced in Windows Server 2003 SP1, in order to allow certificates and other credentials to 'roam' with the user. Without this, users would not be able to use features such as S/MIME email encryption, since logging in to multiple devices would generate multiple certificates.

By reverse-engineering the binary structure of the attribute and how it is stored when received, Mandiant was able to identify a directory traversal vulnerability, exposed by a failure to properly sanitize the file path. If an attacker can control the ms-PKI-Credential-Roaming-Tokens attribute, they can add a malicious Roaming Token entry and thereby write an arbitrary number of bytes to any file on the system, restricted only by the length of the pathname.

The vulnerability was reported to Microsoft and a patch released in September.

De Berlaere, Thibault Van Geluwe, They See Me Roaming: Following APT29 by Taking a Deeper Look at Windows Credential Roaming, blog post, 8 November 2022. Available online at https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming.

New Vulnerability Categorization Methodology

Readers will be familiar with the CVSS scheme for scoring the severity of vulnerabilities. However, a vulnerability management program needs to combine the CVSS (Common Vulnerability Scoring System) score - and elements of its string - with enterprise-specific information, such as the existence of mitigating controls, the value of impacted assets, the cost of possible disruption caused by the deployment of untested patches and other factors in order to prioritize the application of patches to systems or other defensive actions that could be taken.

The US Cybersecurity & Infrastructure Security Agency has released its approach to this problem, in the form of its Stakeholder-Specific Vulnerability Categorization (SSVC) methodology, which was developed in conjunction with the Software Engineering Institute at Carnegie-Mellon. This methodology is intended for use by all levels of government as well as critical infrastructure entities.

The methodology takes into account factors such as evidence of active exploitation, technical impact (already covered by CVSS), whether the exploit is automatable, vulnerability impact on mission-essential functions, mitigation status and the impact on public well-being. As these factors are assessed, they are used to select the appropriate branches of a decision tree, which will terminate in one of four vulnerability scores:

  • Track - no action required at this time, but reassess as new information becomes available
  • Track* - the vulnerability has characteristics that require closer monitoring for changes
  • Attend - requires action from internal supervisory-level individuals, such as requesting assistance, publishing a notification or remediation sooner than the standard update timelines
  • Act - requires action from supervisory-level and leadership-level individuals, including determination of remediation actions as soon as possible
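As an added example (not code from the blog or from CISA), the following Python walks an SSVC-style decision tree over the four CISA decision points - exploitation, automatable, technical impact, and mission & well-being - to one of the four outcomes listed above. The leaf table is reproduced from memory of CISA's published tree and should be treated as an assumption: verify each leaf against https://www.cisa.gov/ssvc or the Dryad calculator before relying on it.

```python
# Added example: SSVC-style decision tree evaluator. The _TREE leaves are an
# assumption reconstructed from memory of CISA's published tree (cisa.gov/ssvc);
# confirm them against the official Dryad calculator before operational use.

EXPLOITATION = ("none", "poc", "active")
AUTOMATABLE = ("no", "yes")
TECHNICAL_IMPACT = ("partial", "total")
MISSION_WELLBEING = ("low", "medium", "high")

# Leaves keyed by (exploitation, automatable, technical_impact); each value gives
# the outcome for mission & well-being = low, medium, high, in that order.
_TREE = {
    ("none",   "no",  "partial"): ("Track",  "Track",  "Track"),
    ("none",   "no",  "total"):   ("Track",  "Track",  "Track*"),
    ("none",   "yes", "partial"): ("Track",  "Track",  "Attend"),
    ("none",   "yes", "total"):   ("Track",  "Track",  "Attend"),
    ("poc",    "no",  "partial"): ("Track",  "Track",  "Track*"),
    ("poc",    "no",  "total"):   ("Track",  "Track*", "Attend"),
    ("poc",    "yes", "partial"): ("Track",  "Track",  "Attend"),
    ("poc",    "yes", "total"):   ("Track",  "Track*", "Attend"),
    ("active", "no",  "partial"): ("Track",  "Track",  "Attend"),
    ("active", "no",  "total"):   ("Track",  "Attend", "Act"),
    ("active", "yes", "partial"): ("Attend", "Attend", "Act"),
    ("active", "yes", "total"):   ("Attend", "Act",    "Act"),
}


def ssvc_decision(exploitation, automatable, technical_impact, mission_wellbeing):
    """Walk the tree and return one of Track, Track*, Attend or Act.

    Inputs are validated so a typo in an assessment fails loudly instead of
    silently collapsing to a low-priority outcome.
    """
    for value, allowed in ((exploitation, EXPLOITATION), (automatable, AUTOMATABLE),
                           (technical_impact, TECHNICAL_IMPACT),
                           (mission_wellbeing, MISSION_WELLBEING)):
        if value not in allowed:
            raise ValueError(f"{value!r} is not one of {allowed}")
    leaf = _TREE[(exploitation, automatable, technical_impact)]
    return leaf[MISSION_WELLBEING.index(mission_wellbeing)]


def reassess(assessment, **changes):
    """Re-run a stored assessment with new information (e.g. exploitation now
    'active') and return (old_outcome, new_outcome) for the decision record."""
    updated = {**assessment, **changes}
    return ssvc_decision(**assessment), ssvc_decision(**updated)
```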

CISA has developed an online SSVC calculator, called Dryad, which will walk a user through the decision tree and can display it - useful for documenting decisions. A stored decision can also be updated later.

This methodology is not universally applicable, and does not provide particularly granular guidance in patch prioritization. However, it is an interesting approach which could be adapted by enterprises to suit their particular environment and circumstances.

Uncredited, Stakeholder-Specific Vulnerability Categorization, web page, November 2022. Available online at https://www.cisa.gov/ssvc.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
