Blog entry by Les Bell

by Les Bell - Wednesday, 23 November 2022, 9:10 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Google Helps Cobalt Strike Defences

As we have previously covered, the red team post-exploitation toolkit Cobalt Strike has been cracked by threat actors and is increasingly turning up in the wild as part of attacks. Cobalt Strike is packaged as a single Java .jar file, and a deployment starts with running the Team Server component, which sets up a command and control server that also acts as a hub for the red team to control infected systems. From there, Cobalt Strike clients can connect to the Team Server to deploy attack components which can infect systems with shellcode stagers which, in turn, connect to the Team Server over any of several protocols to download the final backdoor component, called a Beacon.

Now, in order to assist defenders in detecting the use of Cobalt Strike components in the wild, Google's Cloud Threat Intelligence team has unpacked the .jar files for Cobalt Strike versions from v 1.44 through to v 4.7, and built YARA rules to allow their detection. To date, the Google researchers identified 34 different Cobalt Strike releases, each containing between 10 and 100 attack template binaries, culminating in a total of 275 different .jar files. The result was a minimum of 340 binaries to be analyzed and their signatures derived.

However, realizing that the ability to detect Cobalt Strike beacons and other components would somewhat devalue its use as a pen-testing tool, Google has decided not to include the latest version - probably a sensible decision, since the leaked and cracked versions are usually at least one version behind. Google has released both YARA signatures and a VirusTotal Community Collection.

Sinclair, Greg, Making Cobalt Strike harder for threat actors to abuse, Google Cloud Identity & Security blog, 18 November 2022. Available online at https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse.

Daixin Team Hits AirAsia

Back in October, the US Cybersecurity & Infrastructure Security Agency (CISA) issued an alert on the activities of ransomware actor Daixin Team, who at that time seemed to be targeting the healthcare sector. However, ransomware operators will take a profit wherever they can, and now DataBreaches.net reports that budget airline AirAsia has fallen victim to Daixin Team.

According to the web site, Daixin Team provided them with two files which contained passenger and employee information - the latter including name, date and country of birth, location, employment date, their authentication secret question and answer, and salt. The threat actor claimed to have the personal information of 5 million passengers.

Suggesting that there is honour among thieves, Daixin's spokesperson added that the group had avoided locking some VMs: "XEN, RHEL - hosts of flying equipment (radars, air traffic control and such)". In practice, airlines don't operate radars - that's the job of national air traffic control authorities - but the sentiment is doubtless appreciated. However, the spokesperson went on to throw shade, saying that the ransomware group did not pursue further attacks because they were apparently disgusted at the chaotic state of the airline's network. However, they will broker access via hacker forums, selling backdoors to any newbie hackers who want to "pick through the garbage" (their phrase, not mine).

Dissent, AirAsia victim of ransomware attack, passenger and employee data acquired, news article, 19 November 2022. Available online at https://www.databreaches.net/airasia-victim-of-ransomware-attack-passenger-and-employee-data-acquired/.

Australianised Incident Response Exercise

Management-level incident response simulation exercises are a useful tool for educating senior management and boards on what to expect when security personnel discover a material breach. While dedicated security personnel - especially blue teamers - routinely work these exercises and update their playbooks in light of their discoveries, the escalation of a material breach or high-impact event to senior management can be met with confusion and panic if they have not had previous exposure.

Now the Australian Cyber Security Centre has adapted the 'Exercise in a Box' series of cyber threat management exercises, initially developed by the UK's National Cyber Security Centre, to suit Australian enterprises in a range of sectors. A number of exercises are provided; some are discussion-based, allowing participants to understand the implications of events or issues such as ransomware attacks, loss or theft of mobile phones, or unmanaged reliance on the software supply chain, while other 'micro' exercises focus on a specific activity such as working securely off-site or securing video conferencing services.

The major simulation exercise is intended to allow a blue team and network administrators to deal with a simulated attack while a business stakeholder observes in order to gain understanding of the incident response process. This exercise involves some preparation, including the deployment of a harmless fake malware sample within the defenders' network prior to the exercise start. Fun for all ages, etc.

ACSC, Exercise in a Box, interactive web site, November 2022. Available online at https://exerciseinabox.cyber.gov.au/app/.

Evolving Infostealer Aurora is Spreading Rapidly

EDR firm SEKOIA.IO is warning of a new Golang infostealer which, despite being widespread, is apparently evading detection.

Aurora initially appeared in the form of a general-purpose botnet around April 2022, advertised on Russian-speaking underground forums by a threat actor calling themselves Cheshire, and sold on the Malware-as-a-Service model. At that stage, the tool had infostealing, exfiltration and remote access capabilities, and by July SEKOIA.IO had identified around 50 samples, mostly belonging to two botnets. Then things went quiet, and at least one of the botnets has probably shut down.

However, in August, Aurora reappeared, this time advertised as an infostealer with its other capabilities either removed or de-emphasised. By November, at least seven different groups (called 'traffers') were distributing this malware via fake free software download sites, although a few of them use other stealers as well. Once installed by the victim, Aurora sets about searching for and stealing data from a range of cryptocurrency wallets as well as applications like Telegram. However, it can also deploy a next-stage payload via a PowerShell command.

The SEKOIA.IO write-up provides a full analysis of sample infection chains, IOCs and YARA rules.

Threat & Detection Research Team, Aurora: a rising stealer flying under the radar, blog post, 21 November 2022. Available online at https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar/.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
