Blog entry by Les Bell

Les Bell
by Les Bell - Thursday, July 13, 2023, 10:08 AM
Anyone in the world

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Chinese Threat Actor Compromises US Government Agencies

Back in June, a US government civilian agency observed unexpected events in Microsoft 365 (Outlook Online) audit logs. After reporting this to Microsoft on 16 June and analyzing the MailItemsAccessed events in the audit logs, the network defenders deemed the activity suspicious, and Microsoft set about investigating.

Over the next few weeks, their investigation revealed that from 15 May a likely Chinese cyber-espionage-focused advanced persistent threat, tracked as Storm-0558, gained access to the email accounts of approximately 25 organizations including government agencies, as well as related consumer accounts - probably those of employees of these organizations.

Initial access was gained by forging authentication tokens for Outlook Web Access in Exchange Online and Outlook.com. To accomplish this, Storm-558 used an acquired Microsoft Managed Service Account (MSA) consumer signing key. Now, normally, MSA (consumer) and Azure AD (enterprise) keys are issued and managed from separate systems and should only be valid for their respective systems. However, the threat actor was able to exploit a token validation vulnerability in order to impersonate Azure AD users, and thereby gain access to their enterprise email.

Microsoft's investigation shows no indication that any Azure AD keys, or any other MSA keys, were used by Storm-558, and having taken steps to mitigate the acquired MSA key by disabling tokens signed with it and issuing a new key, their telemetry indicates the threat actor's activities have been blocked.

Microsoft has contacted admins at all the affected customers and provided them with information to assist them in responding. The Cybersecurity & Infrastructure Security Agency and FBI have released an advisory to assist Microsoft 365 users in monitoring and detecting threat actor activity. This provides detailed guidance on log management and analysis.

Bell, Charlie, Mitigation for China-Based Threat Actor Activity, blog post, 11 July 2023. Available online at https://blogs.microsoft.com/on-the-issues/2023/07/11/mitigation-china-based-threat-actor/.

CISA and FBI, Enhanced Monitoring to Detect APT Activity Targeting Outlook Online, cybersecurity advisory, 12 July 2023. Available online at https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a.

Microsoft Security Resource Center, Microsoft mitigates China-based threat actor Storm-0558 targeting of customer email, blog post, 11 July 2023. Available online at https://msrc.microsoft.com/blog/2023/07/microsoft-mitigates-china-based-threat-actor-storm-0558-targeting-of-customer-email/.

A Bumper Year for Ransomware Operators

A report from blockchain analytics form Chainalysis provides heartening news for cryptocurrency enthusiasts, but a glum outlook for the rest of us.

First, cryptocurrency prices have recovered - for example, Bitcoin is up 80% over the year as of 30 June. And cryptocurrency scam revenues have plummeted by 77% over the previous years. However, this is primarily due to the disappearance of two large-scale scams: VidiLook (which offered proprietary tokens in exchange for watching ads) and Chia Tai Tianqing Pharmaceutical Financial Management, a more conventional investment scam. Both appear to have cashed out and gone to ground.

In fact, for the 2022/23 financial year, crypto inflows to known illicit entities are down 65% on the previous year, and inflows to mixers and high-risk exchanges are down 42%. However, bear in mind that transaction volumes are down across the board - legitimate transactions are also down 42%.

But there's no good news when it comes to ransomware, for which revenues have rebounded after a downturn in 2022. For the first half of this year, ransomware groups have pulled in at least $US449.1 million, and if this keeps up, they will extort $US898.6 million for the full 2023 year - not far behind their 2021 revenue of $US939.9 million.

The reason for this is a return to big game hunting - that is, the targeting of large enterprises with deep pockets, by sophisticated operators like ALPHV/Blackcat and Cl0p. By way of comparison, at the bottom end of the market are the ransomware-as-a-service (RaaS) operations like Dharma, which basically randomly spray their malware via undirected phishing attacks, and have an average payment size of $US265.

Contrast that with the highly-targeted operations of ALPHV/Blackcat and Cl0p, who achieved an average payment of over $US1.5 million and $US1.7 million respectively. Cl0p in particular has been very good at this - their median payment is almost $US2 million while ALPHV/Blackcat achieved a median payment of only $US305,585. The increased size of initial demands and the realized extortion payments may be due to the strengthening trend of refusal to pay, so that the ransomware gangs want to squeeze the maximum returns out of those who are willing to pay.

Chainalysis Team, Crypto Crime Mid-year Update: Crime Down 65% Overall, But Ransomware Headed for Huge Year Thanks to Return of Big Game Hunting, report, 12 July 2023. Available online at https://blog.chainalysis.com/reports/crypto-crime-midyear-2023-update-ransomware-scams/.

Fileless Cryptominer Targets Cloud Workloads

Cloud security firm Wiz reports on a newly-discovered sample of a Python-based fileless cryptominer which is targeting cloud workloads. Dubbed PyLoose on account of the URL that hosted the loader, the malware consists of a fairly simple Python script that holds a compressed and encoded precompiled XMRig miner for the Monero cryptocurrency, which it loads directly into the memory of the Python runtime via the memory file descriptor, memfd. Amazingly, the Python script is only 9 lines long, including the entire fileless payload compressed with zlib and encded in base64 (admittedly, one of those lines is very long!).

In the analyzed incident, the victim had a publicly accessible Jupyter Notebook service; this is an web-hosted interactive Python development environment, and admittedly it is unusual for this type of service to be publicly available (although I can think of a few). Hence the attacker was simply able to copy and paste the script into the notebook and run it.

The Wiz blog post contains an interesting analysis (jncluding MITRE ATT&CK techniques) along with IOC's and some suggested mitigations.

Mechtinger, Avigayil, Oren Ofer and Itamar Gilad, PyLoose: Python-based fileless malware targets cloud workloads to deliver cryptominer, blog post, 11 July 2023. Available online at https://www.wiz.io/blog/pyloose-first-python-based-fileless-attack-on-cloud-workloads.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Tags: