State of the Hack is FireEye’s monthly series, hosted by Christopher Glyer (@cglyer) and Nick Carr (@itsreallynick), that discusses the latest in information security, digital forensics, incident response, cyber espionage, APT attack trends, and tales from the front lines of significant targeted intrusions.
S4E02: Weaponizing Office Documents with VBA Purging
Malicious Office documents whose module streams contain source code but no P-code are more likely to evade YARA rules and AV detection. This evasion technique is called VBA purging, which is different from the previously observed VBA stomping technique. In this episode we will discuss what VBA purging is, the difference between purging and stomping, the consequences of this technique, and a new tool created by Mandiant’s Red Team called OfficePurge.
S4E01: KEGTAP-ing Out: Don't be a One Trickbot Pony
State of the Hack is back! Featuring new hosts Doug Bienstock (@doughsec), Austin Baker (@bakedsec), Julian Pileggi (@x64_Julian), and Evan Pena (@evan_pena2003) and new content. Doug and Austin kick things off and dive into a recent flood of phishing campaigns associated with KEGTAP aka BazarLoader. They discuss some interesting toolmarks of the KEGTAP attack chain and why it is so dangerous.
S3E2: Hacking Tracking Pix & Macro Stomping Tricks
On today's show, Nick Carr and Christopher Glyer break down the anatomy of a really cool pre-attack technique - tracking pixels - and how it can inform more restrictive & evasive payloads in the next stage of an intrusion. We're joined by Rick Cole (@a_tweeter_user) to explore one such evasive method seen in-the-wild: Macro Stomping. And we close the show by deep-diving with Matt Bromiley (@_bromiley) on the critical vulnerability we've been responding to most in 2020 - and what we've seen several attackers do post-compromise.
Just as a targeted intruder might, we start our operation with email tracking pixels. We break down how these legitimate marketing tools are leveraged by attackers looking to learn more about their planned victim's behavior and system - prior to sending any first stage malware.
We break down the different variations on these trackers for both benign and malicious uses. For examples of each style of tracking pixel, see Glyer's recent tweet thread (https://twitter.com/cglyer/status/1222255759687372801). We talk through additional red team operators' responses to how they use this technique in their campaigns today - discussion sparked from this great offensive security discussion (https://twitter.com/malcomvetter/status/1222539003565694985). This trend of professional target profiling - drawing both inspiration and specific tracking tools from the marketing industry - is highly effective and a trend we expect to continue.
Next on the episode, we explain how document profiling accomplishes the same end goal as email pixels - and how it can share information about the current version of Microsoft Office on the potential victim's system. Similar to execution guardrails, this Office version information for Microsoft Word or Excel could be used to deliver malware that is highly evasive and only runs on that profile.
We also pivot into some potential use cases for fingerprinting Office versions. We discuss VBA macro stomping and file format intricacies that require attackers to understand the version of Office a target may be using, in order to create evasive spear phishing lures that may bypass both static and dynamic detections. Rick Cole joins us to talk through an active attacker using macro stomping for evasion - both p-code compiling and PROJECT stream manipulation. Rick walks through a brief overview of the technique and a particular financial threat actor who loves macro stomping as much as they love Onyx. Rick co-authored a blog on the topic (https://www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html) and has an excellent tweet thread linking to other research (https://twitter.com/a_tweeter_user/status/1225062617632428033).
Finally, we're joined by a surprise second guest! Matt Bromiley drops in to discuss FireEye's efforts to respond to the critical Citrix vulnerability, CVE-2019-19781, that went public on January 10, 2020. Matt helps us break down some of the activity we've seen since then, including distinct uncategorized clusters of activity for NOTROBIN, coin-mining, and attempted ETERNALBLUE-laced ransomware.
In addition to securing his customers in Managed Defense, Matt's been working with the team to release several blogs, defender tips, and tools on the vulnerability:
• Matt and Nick published an initial blog on the topic – detailing exploit timelines, evasive attackers, and resilient approaches to detection (https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html)
• Our colleagues Willi Ballenthin and Josh Madeley unveiled NOTROBIN and the concept of exploit squatter's rights in the blog with the title adored by Reddit's netsec sub (https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html)
S3E1: Spotlight Iran - from Cain & Abel to full SANDSPY
In response to increased U.S.-Iran tensions stemming from the recent death of Quds Force leader Qasem Soleimani by U.S. forces and concerns of potential retaliatory cyber attacks, we're bringing the latest from our front-line experts on all things Iran. Christopher Glyer and Nick Carr are joined by Sarah Jones (@sj94356) and Andrew Thompson (@QW5kcmV3) to provide a glimpse into Iran-nexus threat groups - including APT33, APT34, APT35, APT39, and TEMP.Zagros - as well as the freshest actionable information on suspected Iranian uncategorized (UNC) groups that are active right now.
We get right into it with a picture of Iranian compromise activity from just a few years ago - what we observed and the basic, cookie-cutter approach to their intrusions - and then begin to walk through the stark contrast to their TTPs today. We discuss how and why their Computer Network Operations (CNO) has evolved quickly and provide a detailed walk through all of the graduated Iranian APT groups.
Our experts share their experiences with each group, moments in time that surprised or impressed us from Iranian threat actors, and notable shifts in behavior - as well as our standing questions. Iranian intrusion operators have come a long way from DDoS & defacement, basic scanning, Cain & Abel and ASPXspy... to DNS hijacking, social engineering via LinkedIn, information operations, and backdoors like QUADAGENT, SANDSPY, TANKSHELL - then filling in the gaps with the quick adoption of offensive security post-compromise tools and techniques.
We close this first episode of season 3 with an overview of actionable mitigations to secure against both Iranian intrusions and several other threats, including disruptive and destructive ransomware attacks. For more information on these mitigations as well as our public source material supporting the discussion from the show, please check out:
• APT33 graduation: https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html
• APT33 webinar & examples: https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html
• An example TEMP.Zagros phishing campaign: https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html
• APT35 highlights in MTrends 2018: https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf
• Iranian information operations: https://www.fireeye.com/blog/threat-research/2018/08/suspected-iranian-influence-operation.html
• RULER home page usage by Iranian groups & mitigations: https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html
• APT39 graduation: https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html
• Iranian DNS Hijacking (DNSpionage): https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html
• More Iranian influence operations: https://www.fireeye.com/blog/threat-research/2019/05/social-media-network-impersonates-us-political-candidates-supports-iranian-interests.html
• APT34 social engineering via LinkedIn: http://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
• FireEye response to mounting U.S.-Iran tensions: https://www.fireeye.com/blog/products-and-services/2020/01/fireeye-response-to-mounting-us-iran-tensions.html
• U.S.-Iran tensions webinar & mitigations overview: https://www.brighttalk.com/webcast/7451/382779
S2E13: Rudolph the Redsourced Reindeer
Ho ho homepage! Christopher Glyer and Nick Carr are back for the last episode of 2019. They’re closing the year with a look at this month’s front-line espionage activity and a whole bunch of FIN intrusions! In addition to the threat round-up, they highlight some of our Mandiant consultants doing that work and a few DFIR tricks they included in a recent blog: https://www.fireeye.com/blog/threat-research/2019/12/tips-and-tricks-to-analyze-data-with-microsoft-excel.html. As a special bonus, Santa dropped off a slide clicker for the show, so Nick and Christopher decide to go deep on their recent presentation at #CYBERWARCON on “red sourcing.” An episode sure to make them friends on infosec twitter! The presentation was a 10 minute #threatintel lightning talk, but embracing the Christmas spirit, the gang tries to navigate a sensitive area of current debate by spending more time on red sourcing & providing some evidence and observations on APT groups moving to publicly released post-compromise tooling; some potential motivations; and then questioning whether any tool can ever be fully controlled (e.g. Delpy/MIMIKATZ evil maid scenario, recent Turla coopting APT34 access & tools). Because RULER.HOMEPAGE was touched on in the talk, they expand a bit further on this and highlight the recent blog that Nick co-authored on how attackers (like UNC1194) can conduct intrusions from just a single registry key. They also question whether the technique’s usage via Outlook installed through Office 365’s Click-to-Run is technically CVE-2017-11774 or not. I guess we need another episode with MSRC! They end the year with some spicy predictions for 2020. You’ll see. Thanks for watching and listening this year!
This episode was sponsored by bad decisions and office holiday parties - and especially both.
S2E12: Shellcode. DLLy DLLy!
Christopher Glyer and Nick Carr are back with an extremely offensive episode with red teamers Evan Pena (@evan_pena2003) and Casey Erikson (@EriksocSecurity). They get right into why they use shellcode (any piece of self-contained executable code) and some of the latest shellcode execution & injection techniques that are working in-the-wild.
In previous episodes, the gang has discussed attackers - both authorized and unauthorized - shift away from PowerShell and scripting-based tooling to C# and shellcode due to improved visibility, detection, and prevention provided by more logging, AMSI, and endpoint security tooling. In this episode, they explore how FireEye's Mandiant Red Team has responded to this pressure and the techniques they've used to continue to operate.
Casey and Evan share their research around the benefits & drawbacks of the three primary techniques for running shellcode and a project they just released - DueDLLigence - to enable conversion of any shellcode into flexible DLLs for sideloading or LOLbin'ing: https://github.com/fireeye/DueDLLigence
If you want to learn more, check out their blog and #DailyToolDrop at: https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html
Shellabrate good times come on!
Customer Reviews
Great review and analysis
I enjoy the podcast and I’m looking forward to more content to come. Keep up the good work!
New Hosts - Great Content
Mandiant continues to be an example in our industry. This podcast is a great supplement and a great listen.
Good info. Worth a listen.
Better than training. Helps bring ideas into focus.