29 SEP, 2021

The Cybersecurity Express – Issue #2

You made it just in time for the second departure of the Cybersecurity Express. The whistle blows, the wheels start turning, and the journey begins. Today's first stop is "Dark Basin", a massive hack-for-hire operation uncovered by Citizen Lab, on which CyBourn's CEO, Ashwin Jayaram, was interviewed by the New York Times. The second stop is an Azure Active Directory flaw that allows unlimited password guessing without leaving a trace in the tenant's sign-in logs. The last stop is a new trick malware uses to slip past signature checks on Windows.

Dark Basin – “You desire, we do”

That literally is their slogan: "You desire, we do". An Indian company, BellTroX InfoTech Services, has been linked to the massive hack-for-hire operation uncovered by Citizen Lab. Talk about hiding in plain sight. Dark Basin is a hack-for-hire group that has targeted thousands of individuals and hundreds of institutions, including advocacy groups and journalists, elected and senior government officials, hedge funds and companies in multiple industries. Many of the targets were organizations working on a campaign called #ExxonKnew, which asserts that ExxonMobil hid information about its impact on climate change for decades.

"The lawsuit filed last month in federal court in North Carolina by an Iranian aviation executive, Farhad Azima, alarmingly alleges collaboration between a web of international law firms, private investigators and hackers in India, claiming that such tangled relationships are common in hacking-for-hire schemes, so that intermediaries can be used to obfuscate who may be ultimately responsible for a hacking attempt and make it difficult for investigators to peel back the layers to the ultimate source. Hacking-for-hire schemes clearly fall foul of section 43 of the IT Act and shall constitute "unauthorised access". What action is taken legally against such activities mushrooming in India could actually determine if the country's famous IT sector retains its global reputation or gets a bad name," says Salman Waris, Partner at TechLegis.

Through painstaking collaboration with dozens of targeted organizations and individuals, and a mix of open-source intelligence, technical investigation and some good old-fashioned journalism, Citizen Lab was able to link Dark Basin's activity, with high confidence, to individuals working at an Indian company named BellTroX InfoTech Services (which has also operated under other names). BellTroX's director, Sumit Gupta, was indicted in California in 2015 for his role in a similar hack-for-hire scheme, and appears to be still in this dirty business.

The investigation revealed a combination of timestamps in UTC+5:30 (India Standard Time), URL shorteners and copies of phishing-kit source code left openly on the internet, all of which pointed to BellTroX's involvement. Some employees even used their own personal information as bait content when testing the URL shorteners, information that was also left publicly accessible. Don't be too quick to call this sloppy work: BellTroX employees also made social media posts describing attack techniques and including screenshots of links to Dark Basin infrastructure, so they were mostly bragging about their endeavors, probably to gain notoriety in that line of work.

Organizations such as the Rockefeller Family Fund, Greenpeace, the Center for International Environmental Law and the Union of Concerned Scientists (to name just a few) consented to being publicly named as targets of the group. Many others prefer to remain anonymous.

The perpetrators went so far as to build credential-phishing websites that look identical to popular web services such as Gmail, Yahoo Mail, Facebook and others.

If your organization campaigns against the big oil companies, or shares goals with any of the organizations targeted, use the IOCs that Citizen Lab released on GitHub to check whether you were (or still are) a target of this group.

Some of the useful material in that GitHub repository includes:

  • Domain registrations, for example: maiil.u.1.serviice-maiil.rpsnv.11-ct-13475230763454343764-rver.6.1.6206.1.5.rver.6.1.6206.0-wp-mbi.wreply-https
  • A MISP export of IDS rules, tuned for Snort
  • Malware indicators
  • Email addresses used in the phishing campaigns
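Retro-hunting those domain indicators against your own proxy or DNS logs is the practical first step. The script below is an added example written for this newsletter, not code from Citizen Lab's repository: the IOC list and the log lines are constructed stand-ins (the real list is the one on GitHub), and the log format (timestamp, client, kind, target) is an assumption you would adapt to your own logs. The one subtlety it handles is matching on label boundaries, so a hostname is flagged when it equals an IOC domain or is a subdomain of it, but a look-alike such as notserviice-maiil.example is not.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the domain indicators in the Dark Basin IOC repository.
# These names are made up for this example; load the real list in production.
IOC_DOMAINS_TEXT = """
# Dark Basin lookalike domains (example stand-ins, not the real list)
serviice-maiil.example
rpsnv.example
"""

# Constructed proxy/DNS log lines, assumed shape: <timestamp> <client> <kind> <target>
SAMPLE_LOG = """
2021-09-10T08:12:03Z 10.0.0.7 URL https://maiil.u.1.serviice-maiil.example/login?u=x
2021-09-10T08:12:05Z 10.0.0.7 DNS serviice-maiil.example.
2021-09-10T08:13:40Z 10.0.0.9 URL https://notserviice-maiil.example/
2021-09-10T08:14:02Z 10.0.0.9 DNS mail.google.com
2021-09-10T08:15:11Z 10.0.0.12 URL http://RPSNV.EXAMPLE/wreply
"""


def load_iocs(text):
    """Parse an IOC domain list: skip comments/blank lines, lower-case, drop trailing dots."""
    iocs = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        iocs.add(line.lower().rstrip("."))
    return iocs


def host_from(target):
    """Extract a normalised hostname from either a URL or a bare DNS name."""
    host = (urlsplit(target).hostname or "") if "://" in target else target
    return host.lower().rstrip(".")


def matching_ioc(host, iocs):
    """Return the IOC domain that host equals or is a subdomain of, else None.

    Candidates are built from label boundaries, so 'notserviice-maiil.example'
    does not match the IOC 'serviice-maiil.example'.
    """
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def scan_log(log_text, iocs):
    """Return (timestamp, client, host, matched_ioc) for every line touching an IOC domain."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # blank or malformed line
        ts, client, _kind, target = parts
        host = host_from(target)
        ioc = matching_ioc(host, iocs)
        if ioc:
            hits.append((ts, client, host, ioc))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, load_iocs(IOC_DOMAINS_TEXT)):
        print(*hit)
```

Run against the sample, it flags the lookalike subdomain, the bare DNS lookup and the upper-cased URL host, and leaves the look-alike prefix and mail.google.com alone. Point it at a day of real proxy or resolver logs and a full IOC file the same way; the Snort rules and email indicators in the repository cover the other two places the group leaves traces.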

Azure Active Directory password bug

Researchers have disclosed a flaw in the protocol used by the Azure Active Directory Seamless Single Sign-On service that allows unlimited brute-forcing of an Azure AD user's password. If that sounds impossible, it is because the attempts are not written to the tenant's sign-in logs, and the usual brute-force detections rely on exactly those failed sign-in events and their error codes.

“This flaw allows threat actors to perform single-factor brute-force attacks against Azure Active Directory without generating sign-in events in the targeted organization’s tenant,” explain the researchers.

Seamless SSO signs users into Azure AD without prompting for credentials when they are on a domain-joined device on the corporate network. "This feature provides your users easy access to your cloud-based applications without needing any additional on-premises components," explains Microsoft.

Here is the short version of how the Seamless SSO mechanism is vulnerable:

  • When Seamless SSO is enabled, a computer object named AZUREADSSOACC is created in the on-premises Active Directory (AD) domain and assigned the service principal name (SPN) used by Azure AD's autologon service.
  • The object's name and the Kerberos decryption key (password hash) of that computer account are shared with Azure AD.
  • A domain-joined client obtains a Kerberos ticket for that SPN and presents it to the autologon endpoint called "windowstransport"; Azure AD validates the ticket with the shared key, and Seamless SSO completes without any user interaction.
  • Alongside it, the autologon service exposes a usernamemixed endpoint at …/winauth/trust/2005/usernamemixed that accepts single-factor username/password authentication: the client sends a WS-Trust XML request containing the username and password to this endpoint.
  • If the username and password match, authentication succeeds and the autologon service responds with XML containing an authentication token; if they do not, the XML response carries only an error message (an AADSTS error code that says why).

Authentication attempts made through the usernamemixed endpoint are not recorded in the tenant's Azure AD sign-in logs, so a threat actor can brute-force passwords through it without the failures ever showing up where defenders look.
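To make the exchange concrete, here is an added example (written for this newsletter, not the researchers' or Microsoft's code) that builds the WS-Trust request the usernamemixed endpoint accepts and classifies the XML it sends back. The SOAP/WS-Trust 2005 envelope with a wsse:UsernameToken is the standard shape of such a request; the client-request-id query parameter is assumed from public tooling and is only a correlation id. The sample replies are constructed to mirror the endpoint's SOAP Fault shape, and the AADSTS codes they carry are Microsoft's documented ones. Nothing here touches the network: the point is what each side's message looks like and how much the reply tells the caller.

```python
import re
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

AUTOLOGON = "https://autologon.microsoftazuread-sso.com"
WST = "http://schemas.xmlsoap.org/ws/2005/02/trust"


def usernamemixed_url(tenant_domain):
    """Single-factor endpoint for a tenant. client-request-id is assumed from
    public tooling; it is only a correlation id, not part of the authentication."""
    return f"{AUTOLOGON}/{tenant_domain}/winauth/trust/2005/usernamemixed?client-request-id={uuid.uuid4()}"


def build_rst(endpoint, username, password):
    """WS-Trust 2005 RequestSecurityToken (Issue) carrying a UsernameToken.
    This is the 'XML containing the username and password' from the article.
    Values are XML-escaped so a password containing & or < cannot break the envelope."""
    now = datetime.now(timezone.utc)
    created = now.strftime("%Y-%m-%dT%H:%M:%SZ")
    expires = (now + timedelta(minutes=10)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
            xmlns:wsa="http://www.w3.org/2005/08/addressing"
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            xmlns:wst="{WST}"
            xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <s:Header>
    <wsa:Action s:mustUnderstand="1">{WST}/RST/Issue</wsa:Action>
    <wsa:To s:mustUnderstand="1">{escape(endpoint)}</wsa:To>
    <wsa:MessageID>urn:uuid:{uuid.uuid4()}</wsa:MessageID>
    <wsse:Security s:mustUnderstand="1">
      <wsu:Timestamp wsu:Id="_0">
        <wsu:Created>{created}</wsu:Created>
        <wsu:Expires>{expires}</wsu:Expires>
      </wsu:Timestamp>
      <wsse:UsernameToken wsu:Id="uuid-{uuid.uuid4()}">
        <wsse:Username>{escape(username)}</wsse:Username>
        <wsse:Password>{escape(password)}</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </s:Header>
  <s:Body>
    <wst:RequestSecurityToken Id="RST0">
      <wst:RequestType>{WST}/Issue</wst:RequestType>
      <wsp:AppliesTo>
        <wsa:EndpointReference>
          <wsa:Address>urn:federation:MicrosoftOnline</wsa:Address>
        </wsa:EndpointReference>
      </wsp:AppliesTo>
      <wst:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</wst:KeyType>
    </wst:RequestSecurityToken>
  </s:Body>
</s:Envelope>"""


# Microsoft's documented AADSTS codes; note how much each one reveals to the caller.
AADSTS_MEANING = {
    "AADSTS50034": "user does not exist",
    "AADSTS50126": "invalid password (user exists)",
    "AADSTS50053": "account locked",
    "AADSTS50076": "password correct, MFA required",
}


def classify_response(xml_text):
    """Map the endpoint's reply to (outcome, meaning). A success carries a
    wst:RequestSecurityTokenResponse; a failure is a SOAP Fault whose detail text
    starts with an AADSTS code. Unknown codes are passed through."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return ("unparseable", "reply is not XML")
    if root.find(f".//{{{WST}}}RequestSecurityTokenResponse") is not None:
        return ("success", "token issued")
    m = re.search(r"AADSTS\d+", xml_text)
    code = m.group(0) if m else "unknown"
    return (code, AADSTS_MEANING.get(code, "unrecognised error"))


# Constructed replies in the SOAP Fault shape the endpoint uses.
FAULT_TEMPLATE = """<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope"><S:Body><S:Fault>
<S:Code><S:Value>S:Sender</S:Value></S:Code>
<S:Reason><S:Text xml:lang="en-US">Authentication Failure</S:Text></S:Reason>
<S:Detail><psf:error xmlns:psf="http://schemas.microsoft.com/Passport/SoapServices/SOAPFault">
<psf:internalerror><psf:text>{text}</psf:text></psf:internalerror></psf:error></S:Detail>
</S:Fault></S:Body></S:Envelope>"""
SAMPLE_BAD_PASSWORD = FAULT_TEMPLATE.format(text="AADSTS50126: Error validating credentials due to invalid username or password.")
SAMPLE_NO_USER = FAULT_TEMPLATE.format(text="AADSTS50034: The user account does not exist in the directory.")
SAMPLE_MFA = FAULT_TEMPLATE.format(text="AADSTS50076: You must use multi-factor authentication to access this resource.")
SAMPLE_SUCCESS = f"""<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wst="{WST}"><S:Body>
<wst:RequestSecurityTokenResponse><wst:RequestedSecurityToken>(token)</wst:RequestedSecurityToken></wst:RequestSecurityTokenResponse>
</S:Body></S:Envelope>"""

if __name__ == "__main__":
    print(build_rst(usernamemixed_url("contoso.example"), "alice@contoso.example", "hunter2"))
    for reply in (SAMPLE_BAD_PASSWORD, SAMPLE_NO_USER, SAMPLE_MFA, SAMPLE_SUCCESS):
        print(classify_response(reply))
```

A real client would POST that envelope with Content-Type application/soap+xml. Two things stand out once the exchange is spelled out: the reply distinguishes "user does not exist" from "wrong password", so the same endpoint also enumerates valid usernames, and every one of those outcomes is returned to the caller while, per the researchers, nothing lands in the tenant's sign-in log for a defender to count.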

Microsoft considers this a "design choice" rather than a vulnerability, so it is unclear whether it will be fixed. Until then, organizations are exposed to brute-force attacks they cannot see. The practical defenses are the familiar ones: multi-factor authentication (the endpoint is single-factor, so a guessed password alone does not get the attacker in, though a correct guess may still confirm that the password is valid), banned-password lists, and passwords longer than the Cybersecurity Express itself.

Undetectable Malware on Windows

Google's Threat Analysis Group (TAG) has revealed a new technique threat actors use to conceal malicious payloads: malformed digital signatures that Windows accepts but security scanners cannot parse.

The usual technique involves using stolen or fraudulently obtained code-signing certificates to sneak adware and other unwanted software past malware detection tools, either by masquerading as legitimate software or by embedding the malicious code into legitimately signed components. The new technique stands out for its intentional use of a malformed signature to give defenses the slip. It was observed in a known adware family called OpenSUpdater, whose targets are mostly users who download cracked versions of games and other grey-area software.

"Attackers created malformed code signatures that are treated as valid by Windows but are not able to be decoded or checked by OpenSSL code – which is used in a number of security scanning products," said Google Threat Analysis Group's Neel Mehta. "This is the first time TAG has observed actors using this technique to evade detection while preserving a valid digital signature on PE files."

The samples are signed with an invalid leaf X.509 certificate edited so that the 'parameters' element of the SignatureAlgorithm field contains an End-of-Content (EOC) marker (bytes 00 00) instead of the NULL tag (05 00) that DER requires there. An EOC is only legal after an indefinite-length value, which DER never uses, so a strict decoder such as OpenSSL's rejects the certificate and never gets as far as evaluating the signature, while Windows' decoder tolerates the substitution and still treats the signature as valid. It is a classic parser differential: two implementations reading the same bytes and reaching opposite conclusions.

Some antivirus engines, Windows Defender among them, already detect the malware. Other vendors whose products rely on OpenSSL or similarly strict parsers need to change how they handle signatures they cannot decode, so that a malformed signature is treated as a signal rather than silently skipped.
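The parser differential is easier to see on the bytes themselves. Below is an added example written for this newsletter (not TAG's code and not the OpenSUpdater sample): a minimal DER reader for just the AlgorithmIdentifier structure, run over a well-formed encoding (sha256WithRSAEncryption with NULL parameters) and over the same encoding with the NULL replaced by an EOC marker as the article describes. Strict mode behaves like a DER-conformant decoder and rejects the EOC; tolerant mode is an assumed model of a lenient decoder that skips it, and stands in for whatever Windows does internally. The classify function shows the scanner behaviour the last paragraph argues for: a signature that strict parsing rejects but a lenient parse accepts is a finding, not a file to pass over.

```python
# X.690 tags used below
TAG_EOC = 0x00       # End-of-Content: only legal after an indefinite-length value, never in DER
TAG_NULL = 0x05
TAG_OID = 0x06
TAG_SEQUENCE = 0x30

# sha256WithRSAEncryption (1.2.840.113549.1.1.11), already DER-encoded
SHA256_RSA_OID = bytes.fromhex("06092a864886f70d01010b")


def algorithm_identifier(params):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }."""
    body = SHA256_RSA_OID + params
    return bytes([TAG_SEQUENCE, len(body)]) + body


WELL_FORMED = algorithm_identifier(bytes([TAG_NULL, 0x00]))  # ... 05 00 (what DER requires)
MALFORMED = algorithm_identifier(bytes([TAG_EOC, 0x00]))     # ... 00 00 (the EOC substitution)


def read_tlv(buf, pos):
    """Read one tag/length/value triple with a definite length; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not DER")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated value")
    return tag, value, pos + length


def decode_oid(value):
    """Decode OID contents octets to dotted form."""
    parts = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))


def parse_algorithm_identifier(der, strict=True):
    """Return (oid, params). strict=True rejects an EOC inside a definite-length
    SEQUENCE, as a DER-conformant decoder does; strict=False is an assumed model of
    a tolerant decoder that skips the EOC and reads the parameters as absent."""
    tag, body, end = read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    tag, oid, pos = read_tlv(body, 0)
    if tag != TAG_OID:
        raise ValueError("expected OBJECT IDENTIFIER")
    params = None
    if pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag == TAG_EOC:
            if strict:
                raise ValueError("EOC marker inside definite-length SEQUENCE is not valid DER")
            # tolerant path: the 00 00 is skipped and parameters are treated as absent
        elif tag == TAG_NULL:
            params = "NULL"
        else:
            params = value
    if pos != len(body):
        raise ValueError("trailing bytes in SEQUENCE")
    return decode_oid(oid), params


def strict_parses(der):
    try:
        parse_algorithm_identifier(der, strict=True)
        return True
    except ValueError:
        return False


def classify(der):
    """Scanner policy: strict-valid is 'parsed'; rejected by strict DER but accepted by a
    tolerant decoder is flagged, because that is exactly the gap this technique abuses."""
    if strict_parses(der):
        return "parsed"
    try:
        parse_algorithm_identifier(der, strict=False)
        return "malformed-but-tolerated"
    except ValueError:
        return "unparseable"


if __name__ == "__main__":
    for name, der in (("well-formed", WELL_FORMED), ("malformed", MALFORMED)):
        print(name, der.hex(), classify(der))
```

Only two bytes differ between the two encodings, and both tolerant parses yield the same OID, which is why Windows sees a valid sha256WithRSA signature while an OpenSSL-based scanner sees nothing it can use. A real certificate nests this structure inside the TBSCertificate and again in the outer Certificate SEQUENCE, but the decision each parser makes on those two bytes is the same.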

As the Cybersecurity Express heads back to the depot, we still catch a glimpse of one more item: no fewer than 11 vulnerabilities have been disclosed in Nagios network management products, some of which allow remote code execution with the highest privileges. Keep exploits at bay by updating to Nagios XI 5.8.5 or later, Nagios XI Switch Wizard 2.5.7 or later, Nagios XI Docker Wizard 1.13 or later and Nagios XI WatchGuard Wizard 1.4.8 or later. For updates like this, posted within 24 hours of disclosure, follow CyBourn on LinkedIn and Twitter. We hope to see you on board again soon.
