Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week it was all about ‘xz’ (see reporting below) coupled with the usual cyber smouldering..
In the high-level this week:
RISCS Assurance by Principal - Preparing for the next generation of product security assurance - by the NCSC Research Institute RISCS. Principles Based Assurance (PBA) is going to underpin how we (the NCSC) approach product assurance going forward with the lab pilots currently in progress.
Financial Stability in Focus: The FPC’s macroprudential approach to operational resilience - Bank of England - it will “continue to run cyber-attack stress tests as well as considering other types of operational disruption themed tests;”
Cyber Safety Review Board Releases Report on Microsoft Online Exchange Incident from Summer 2023 - CISA - “The U.S. Department of Homeland Security released the Cyber Safety Review Board’s (CSRB) findings and recommendations following its independent review of the Summer 2023 Microsoft Exchange Online intrusion. The review detailed operational and strategic decisions that led to the intrusion and recommended specific practices for industry and government to implement to ensure an intrusion of this magnitude does not happen again.”
CISA Proposed Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting - CISA - “The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), as amended, requires the Cybersecurity and Infrastructure Security Agency (CISA) to promulgate regulations implementing the statute’s covered cyber incident and ransom payment reporting requirements for covered entities. CISA seeks comment on the proposed rule to implement CIRCIA’s requirements and on several practical and policy issues related to the implementation of these new reporting requirements”
[US] DOD Releases Strategy to Bolster Cybersecurity Across Industrial Base - four goals
Strengthening DOD's governance structure for U.S. defense industrial base cybersecurity;
Enhancing the cybersecurity posture of the U.S. defense industrial base;
Preserving the resiliency of critical defense industrial base capabilities in a cyber-contested environment; and
Improving cybersecurity collaboration between DOD and the U.S. defense industrial base.
[Malaysia’s] Dewan Negara passes Cyber Security Bill 2024 - The Star reports - "So, it is necessary for us to see how to establish a law so that we can take steps to ensure that these CNII entities are vigilant, understand the risks, and know how to take countermeasures,"
Related - The Star - Immunity from prosecution under Cyber Security Bill does not mean leeway to govt - “The Digital Minister said both the federal and state governments would be bound by the proposed Act.” - interesting debate to be had around incentives.
VNDirect cyberattack causes big splash on stock market - Vietnam Investment Review reports - “The online securities trading system at VNDirect Securities Company (VNDirect) is likely to have suffered from a data encryption hack for extortion.” .. “Following the cyberattack, Hanoi Stock Exchange (HNX) announced it was temporarily disconnecting remote trading and online trading of derivative securities transactions, debt instrument transactions, and individual corporate bond transactions of VNDirect Securities until the problem is resolved.”
Germany announces military overhaul with eye on cyber threats - Reuters reports - “Germany's defence minister announced a restructuring of the military on Thursday, including a new central command and a dedicated branch for cyber space, furthering a Bundeswehr overhaul launched in response to Russia's invasion of Ukraine.”
Japan, U.S., Philippines to form joint cyberdefense network - Nikkei reports - “The most frequently suspected culprits in cyberattacks are China, Russia and North Korea. Alleged attacks on the Philippines by Chinese hackers, in particular, have raised concern, prompting Japan and the U.S. to offer assistance.” - Coalitions continue to build..
Why the World Needs a New Cyber Treaty for Critical Infrastructure - Carnegie Europe opinion - “Any state or group of states that assumes leadership in this domain will need to invest in intensive diplomatic efforts to engage with international partners on each side of the debate. Any cyber treaty proposal will be controversial in the current geopolitical context, as demonstrated by the negotiations for a UN cybercrime treaty that have been ongoing since May 2021.” - doesn’t appear to consider blunting or simply ignoring any agreement.
Ransomware Attacks Against Local Governments Accelerating - some data ~200 a year and 54 in 2024 (which seems on trend).
Why end-of-life software means 400+ CVEs per year - technical debt is starting to come home to roost.
The Lawfare Podcast: How the FBI is Combating Cyberattacks, with Brett Leatherman - who is Deputy Assistant Director for Cyber Operations at the FBI.
Amazon loses court fight to suspend EU tech rules' ad clause - Reuters reports - “The judge said that Amazon's argument that the obligation unlawfully limits its fundamental rights to respect for private life and the freedom to conduct a business was not irrelevant.”
Press release - “That means, in particular, that Amazon Store is obliged to make publicly available a repository containing detailed information on its online advertising.” then there is the legal text
Making it Happen: encouraging government action on preparedness and resilience - [UK] National Preparedness Commission - “it is now said that we live in a TUNA world – Turbulent, Uncertain, Novel and Ambiguous. Global geo-politics is volatile in the context of a changing world order with the post-war certainties rapidly eroding. And our society is facing multiple threats and hazards that are unpredictable, are new to us, and – because of the interconnectedness of modern society – risks to which we are increasingly vulnerable with consequences that may be broader and deeper than we might imagine.” - TUNA world, the new phrase for 2024 (to me).
The heart of Korean satellite operations was hacked... Security ‘hole’ ahead of establishment of Space Agency - Chosun Biz reports - “The National Satellite Operations Center suffered a hacking attack in December last year, and the National Intelligence Service is investigating the hacking of the National Satellite Center. There is a risk of satellite control and data theft.”
NSA fears quantum computing surprise: ‘If this black swan event - Washington Times reporting - whilst it might be a potential black swan event, the consensus position is to wait for the standards process to complete, start cataloguing implementations to understand what needs upgrading and then prepare for a 10 to 15 year transition.
[US] Bureau of Cyberspace and Digital Policy reported - “With bipartisan Congressional support, $50 million has been appropriated to the State Department’s Cyberspace, Digital Connectivity, and Related Technologies (CDT) Fund. This fund will allow the US to deploy flexible, robust programming to int’l partners who need it most.”
US Senator Ron Wyden writes to the President of the United States and requests urgent fixes to SS7 surveillance - Senator Ron Wyden recognises the UK’s pioneering legislation - “The administration should verify the wireless carriers’ efforts to comply with the OMB and FCC cybersecurity standards, on an annual basis, through red team independent assessments. Moreover, OMB and the FCC should look to the United Kingdom’s (UK) Telecommunications Security Code of Practice as a model.”
Public Safety Homeland Security Bureau Seeks Comment on Implementation of Security Protocols - FCC - “The Federal Communications Commission’s Public Safety and Homeland Security Bureau (Bureau) requests comment on communications service providers’ implementation of security countermeasures to prevent exploitation of vulnerabilities in the Signaling System 7 (SS7) and Diameter protocols to track the location of consumers through their mobile devices.”
The Practices and Politics of Cybersecurity Expertise - Robert Jervis International Security Studies Forum opinion - “… Separately, scholars whose work is informed by the field of science and technology studies have examined how experts’ technological work can enact international order more directly. The essays in this forum focus on this latter mode of influence, showing how experts participate in politics by other means—specifically the making and breaking of the security of networked information systems.”
The UN Framework of Responsible State Behaviour for a Secure Cyber Environment - The S. Rajaratnam School of International Studies (RSIS) opinion - “Ultimately, the effective countering of malicious activity in cyberspace is contingent on the political will of states, and how they choose to work with each other and with non-state stakeholders. It also depends on how closely they adhere to the agreed framework of responsible state behaviour. The framework may not be perfect, but the principles that underpin it are sound and states and non-state stakeholders will do well to abide by it.”
Why dumbing down your house could be a smart move - Financial Times reporting - life-style advice with a sprinkle of cyber benefit..
Defending Democracy
Advancing Fake News Detection: Hybrid Deep Learning With FastText and Explainable AI - “These transformer models, surpassing traditional RNN-based frameworks, excel in managing syntactic nuances, thus aiding in semantic interpretation. In the concluding phase, explainable AI modeling was employed using Local Interpretable Model-Agnostic Explanations, and Latent Dirichlet Allocation to gain deeper insights into the model’s decision-making process.”
EU Commission publishes guidelines under the DSA for the mitigation of systemic risks online for elections - “These guidelines recommend mitigation measures and best practices to be undertaken by Very Large Online Platforms and Search Engines before, during, and after electoral events”
Beyond Imagining – How AI is Actively Used in Election Campaigns Around the World
Reporting on/from China
Analysis of Elsevier's Highly Cited Authors in the "Cyberspace Security" Subject in 2023 - most cited Chinese researchers on cyberspace security this year - the bench strength is of note.
Chinese Assessments of AI: Risks and Approaches to Mitigation - Center for Strategic and International Studies discussion on “Where do Beijing’s perspectives on AI regulation and application converge and diverge from other capitals around the world?”
Xi Jinping’s chief of staff is China’s new internet tsar, sources say - South China Morning Post reports - “Move reflects a trend in the past year of the president delegating more duties to trusted deputies, according to analysts”
Artificial intelligence
DARPA’s Artificial Intelligence Cyber Challenge (AIxCC): AIxCC Semifinal Competition (ASC) Procedures and Scoring Guide - “No custom LLM models” .. “All LLM usage for the ASC must go through a specified LLM interface proxy and must target only the limited set of foundational LLM providers and models that the AIxCC Organizers will specify by May 1, 2024.” is one of the more interesting stipulations.
Vulnerability Detection with Code Language Models: How Far Are We? - “Through a series of experiments on PRIMEVUL, we find that even with efforts to improve performance using sophisticated methods and expansive models, existing Code LMs consistently fail to meet the demands of effective vulnerability detection in practical settings.”
Representation Engineering Mistral-7B an Acid Trip - Control vectors are going to be a big thing.. probably.. “A control vector is a vector (technically a list of vectors, one per layer) that you can apply to model activations during inference to control the model's behavior without additional prompting. “
Cyber proliferation
Poland launches inquiry into previous government’s spyware use - The Guardian - “Adam Bodnar, Poland’s new justice minister, told the Guardian that in coming months the government would notify people who were targeted with Pegasus. Under Polish law, they would then have the possibility of seeking financial compensation, and becoming party to potential criminal proceedings.”
Ukraine gives award to foreign vigilantes for hacks on Russia - BBC Reports - “A team of vigilante hackers carrying out cyber-attacks against Russia has been sent awards of gratitude by Ukraine's military. The team, One Fist, has stolen data from Russian military firms and hacked cameras to spy on troops.” - this is how red notices get issued and people get arrested.
Bounty Hunting
Nothing this week..
Cyber Resilience Act Requirements Standards Mapping - Joint Research Centre & ENISA Joint Analysis - ENISA - just evidencing the patchwork the world has become..
Reflections this week are around liability for technology producers as the USA inches forward on the topic.
As a reminder, in the United States the White House announced in its 2023 strategy that it will “Shape Market Forces to Drive Security and Resilience” and specifically “Shifting liability for software products and services to promote secure development practices”. As of March 2024, the Office of the National Cyber Director (ONCD) is actively exploring what software liability entails; its stated objective is that the ONCD Aims to Incentivize Secure Coding Practices to Protect All Software Users.
Fundamentally this can only be a good thing as it will fix the market and establish the required incentives to drive the scale and pace of change required. However, the mere prospect has vendors lobbying for safe harbor on the basis it will allow the industry to mature incrementally. Which is another way of saying it will provide a mechanism to allow them to manage the cost of the correction (and thus profitability and their own remuneration) which is underpinned by potentially decades of chronic underinvestment. But to the detriment of pace and technical debt paydown..
I discussed the above with a group of CyberFirst alumni this week in Cheltenham and they challenged whether this wouldn’t create disproportionate peril for small technology firms or, worst case, open source. In the case of the first you can see that between the resulting insurance sector, not being weighed down by technical debt and Secure by Design technology selection they will likely have an advantage. For open source you can see a world where these projects don’t carry the liability (due to being free) but the vendors (who make the money) trickle down more to support them because of the liability they carry. Anyway fascinating times..
All attribution is by others and not the UK Government unless specifically stated as such, please see the legal text at the end.
Have a lovely Friday..
Ollie
Cyber threat intelligence
Who is doing what to whom and how allegedly.
Reporting on Russia
Writing with Invisible Ink: Russia's Newest Disinformation Tactic
Alethea Team detail an alleged and significant information operation platform here which they attribute to the GRU.
[We] identified 5,314 accounts on X (formerly Twitter) and 81 websites that we assess are seeking to divide Americans and amplify Russian propaganda—specifically counter-Ukraine messaging—ahead of the 2024 U.S. Presidential Election. Based on both the content shared and behaviors of these assets, we believe that this network is leveraged by Russia’s main military intelligence directorate, commonly known as the GRU. We assess that this activity is a continuation of a persistent Russian influence operation known as Doppelgänger, which was initially exposed in 2022. This network is using a new tactic, which Alethea dubs “Invisible Ink,” an amplification tactic. The network appears to be evading detection by researchers, security firms, and its targets by copying and pasting specific tweet URLs in lieu of retweeting or posting, requiring threat intelligence teams to know the exact tweet URL in order to ID amplification accounts.
https://www.alethea.com/post/writing-with-invisible-ink
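The “Invisible Ink” pattern above is detectable because the amplifiers must reproduce the exact status URL in their own post bodies. The following is an added example (not Alethea’s code) that clusters accounts which pasted the same set of status URLs without retweeting; the post records and field names are constructed for this illustration and do not reflect any platform’s export format.

```python
"""
Added example: find accounts that amplify tweets by pasting their URLs
(the "Invisible Ink" tactic) rather than retweeting or quoting.
All post records below are constructed; the field names are assumptions.
"""
import re
from collections import defaultdict

# Normalises x.com / twitter.com status links to (handle, status id).
STATUS_URL = re.compile(
    r"https?://(?:www\.)?(?:x|twitter)\.com/(\w{1,15})/status/(\d+)",
    re.IGNORECASE,
)


def pasted_status_ids(post):
    """Status ids referenced by pasting a URL into the post body.

    Retweets and quote tweets are skipped on purpose: they show up in the
    normal retweet/quote graph, so only the copy-paste amplification that
    evades that graph is of interest here.
    """
    if post.get("is_retweet") or post.get("is_quote"):
        return set()
    return {status_id for _, status_id in STATUS_URL.findall(post["text"])}


def build_amplifier_index(posts):
    """Map status id -> set of accounts that pasted its URL."""
    index = defaultdict(set)
    for post in posts:
        for status_id in pasted_status_ids(post):
            index[status_id].add(post["account"])
    return index


def find_amplification_clusters(posts, min_shared=2, min_accounts=3):
    """Group accounts by identical pasted-URL footprints.

    A status id counts only if at least `min_accounts` accounts pasted it;
    an account is a suspect if it pasted at least `min_shared` such ids.
    Returns {frozenset(status_ids): sorted accounts}.
    """
    index = build_amplifier_index(posts)
    per_account = defaultdict(set)
    for status_id, accounts in index.items():
        if len(accounts) >= min_accounts:
            for account in accounts:
                per_account[account].add(status_id)
    clusters = defaultdict(set)
    for account, status_ids in per_account.items():
        if len(status_ids) >= min_shared:
            clusters[frozenset(status_ids)].add(account)
    return {ids: sorted(accs) for ids, accs in clusters.items()}


# Constructed sample: three amplifiers paste the same two seed URLs, a
# bystander pastes one of them, and one account genuinely retweets.
SAMPLE_POSTS = [
    {"account": "amp_account_1", "text": "worth reading https://x.com/seed_outlet/status/1001"},
    {"account": "amp_account_2", "text": "this -> https://x.com/seed_outlet/status/1001"},
    {"account": "amp_account_3", "text": "https://x.com/seed_outlet/status/1001 wow"},
    {"account": "amp_account_1", "text": "also https://twitter.com/seed_outlet/status/1002"},
    {"account": "amp_account_2", "text": "see https://x.com/seed_outlet/status/1002"},
    {"account": "amp_account_3", "text": "https://x.com/seed_outlet/status/1002"},
    {"account": "amp_account_1", "text": "https://x.com/seed_outlet/status/1003"},  # only one paster
    {"account": "bystander", "text": "hm https://twitter.com/seed_outlet/status/1002"},
    {"account": "rt_user", "text": "RT @seed_outlet: https://x.com/seed_outlet/status/1001",
     "is_retweet": True},
]

if __name__ == "__main__":
    for status_ids, accounts in find_amplification_clusters(SAMPLE_POSTS).items():
        print(sorted(status_ids), "pasted by", accounts)
```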
Bellingcat Malware Investigation
IntelCorgi goes to town and analyses this alleged Russian-nexus attack from the end of 2023 on Bellingcat. It started with… P H I S H I N G! 🎣
On 22 December, 2023 the journalist group Bellingcat tweeted that they had been the target of a malicious email message which spoofed USAID, and eventually led to the download of a “malicious file”. During the course of my analysis I was able to replicate the infection chain, and build detection rules as a result.
The sequence of events results in deploying an HTTP reverse shell based on an open-source offensive security tool which enabled the threat actors to harvest and exfiltrate a potential victim’s sensitive data. Based on current reporting, it is not known how impactful this campaign was.
..
I agree with the assessment made by the Cluster25 (and other threat researchers) that this campaign is attributable to an undefined Russia-nexus threat actor.
https://intelcorgi.com/2024/03/24/bellingcat-malware-investigation/
Cloud Werewolf spearphishes for government employees in Russia and Belarus with fake spa vouchers
Reporting from the Russian side, in the guise of Bi Zone, on tradecraft anyone in the West will be well versed in defending against. That is, it starts with known vulnerabilities and/or phishing..
Cloud Werewolf leverages topics that appeal to its targets to increase the likelihood that the malicious attachments get opened.
The IT infrastructure of government organizations provides ample opportunities for adversaries to exploit even the old vulnerabilities. This is just another reminder of how crucial it is to proactively remediate vulnerabilities, especially those used in real attacks.
Placing the malicious payload on a remote server rather than inside of an attachment increases the chances to bypass the defenses.
LazyStealer: difficult does not mean better
Positive Technologies report on a regional campaign for which they don’t know the initial access vector. Interesting that simple continues to pay dividends..
[We] discovered a series of attacks aimed at government agencies in Russia, Belarus, Kazakhstan, Uzbekistan, Kyrgyzstan, Tajikistan, and Armenia. We were unable to establish connections with already known groups
We called this group Lazy Koala because of the simple techniques and the name of the user who controlled the telegram bots with stolen data.
The victims of the Lazy Koala group were the government, financial, medical, and educational sectors of Russia, Belarus, Kazakhstan, Tajikistan, Kyrgyzstan, Armenia and Uzbekistan. The total number of compromised accounts at the time of discovery was 867, of which 321 were unique. All victims were directly notified by us about the compromise.
Threat Zone 2024 - Large annual study of the cyber threat landscape in Russia and the CIS
Russia’s Bi Zone, potentially inspired by the Western cyber industry, with this report and Rosetta stone.
This group was discovered in mid-2022. Sneaky Wolf attacks organizations in the territory of Russia, Belarus, Ukraine and Serbia for the purposes of exfiltration of confidential data and subsequent blackmail. Attackers receive initial access to victims’ IT infrastructures using vulnerabilities in public applications. They predominantly attack industry, finance, logistics and medicine.
https://bi.zone/expertise/research/threat-zone-2024/
Reporting on China
Earth Freybug Uses UNAPIMON for Unhooking Critical APIs
Christopher So provides reporting on an alleged Chinese threat actor who is living off the land but also unhooking EDR. We have been warned! Highlights the need for true signal to pass through these defences to verify functionality..
In the past month, we investigated a cyberespionage attack that we have attributed to Earth Freybug (also known as a subset of APT41). Earth Freybug is a cyberthreat group that has been active since at least 2012 that focuses on espionage and financially motivated activities. It has been observed to target organizations from various sectors across different countries. Earth Freybug actors use a diverse range of tools and techniques, including LOLBins and custom malware. This article provides an in-depth look into two techniques used by Earth Freybug actors: dynamic-link library (DLL) hijacking and application programming interface (API) unhooking to prevent child processes from being monitored via a new malware we’ve discovered and dubbed UNAPIMON.
https://www.trendmicro.com/en_us/research/24/d/earth-freybug.html
i-SOON Leak: Unanswered Questions and What Now?
Natto Team continue their top-notch analysis where they ask some important questions about this alleged Chinese threat group..
Why do i-SOON and similar companies seem to have very poor operations security?
What are the possible consequences for i-SOON after the leak? What could the public security agencies learn from the leak if they would?
Why did the Chinese state and local authorities have to rely on services from groups like i-SOON since they should have in-house capabilities? Were the government officials in the Chinese public security apparatus not particularly technically sophisticated?
nattothoughts.substack.com/p/i-soon-leak-unanswered-questions
Story of H2 2023: A Deep Dive into Data Leakage and Commerce in Chinese Telegram
S2W detail what they see happening in an alleged subsection of the Chinese criminal eco-system. It is interesting this isn’t tolerated by authorities in a country not renowned for lack of control..
A total of 620 damaged companies and institutions confirmed on Telegram in China during the second half of 2023
The number of damages is highest in July and is decreasing
Among the damage cases, the number of sales cases is the largest, accounting for 82.9% of the total.
The country with the highest number of victims is Taiwan, and 7 out of the top 10 are Asian countries.
Reporting on North Korea
North Korea’s Post-Infection Python Payloads
Change in alleged North Korean tradecraft which is noteworthy for defenders. Detection and defence should be relatively trivial..
Interestingly, it appears that the threat actors may have either moved to – or begun using in parallel – a series of Python scripts for this attack instead of solely delivering malicious DLLs (as observed by Phylum researchers in their original reports). This may be due to the added flexibility and speed of Python scripting, or it may simply be a result of the threat actors attempting to make their delivered tools and files appear more legitimate to users and investigators.
https://norfolkinfosec.com/north-koreas-post-infection-python-payloads/
Reporting on Iran
New MuddyWater Campaigns After Operation Swords of Iron
Malwation allege that Iran is operating against a variety of European targets which will be of interest to some. The tradecraft is run of the mill, although the Business Email Compromise dimension should be noted.
The group has recently launched new attacks in Israel, Africa, and Turkiye. MuddyWater has been active in the EMEA region for many years, and its attack style aligns with Iran's foreign policies. The group has been launching new attacks since February using products developed in-house. As of March, they are also taking over third-party tools. Our team detected active attacks where agents of Atera and ConnectWise ScreenConnect remote administration management (RMM) software were created using compromised accounts. The agent build files of this software were then sent to victims via spear-phishing attacks. Phishing attacks often use PDF attachments that contain agents downloaded from third-party file upload services. Once these agents are run on the victim's device, MuddyWater actors gain privileges to upload, extract, monitor, and execute files.
For many years, the team has been known for its expertise in social engineering attacks and stealth. However, it is now expanding its tactics to reduce its digital footprint. Our analysis of malicious samples suggests that the team will likely increase its use of spear-phishing attacks distributed through compromised accounts (Business Email Compromise—BEC) soon.
https://www.malwation.com/blog/new-muddywater-campaigns-after-operation-swords-of-iron
DarkBeatC2: The Latest MuddyWater Attack Framework
Simon Kenin provides some reporting on alleged Iranian retooling..
Iranian threat actors continue to collaborate and hand off compromised targets to conduct supply-chain attacks by leveraging information from previous breaches.
[We] identified a previously unreported C2 framework that MuddyWater is suspected of using.
The [host] hosts the “reNgine” open-source reconnaissance framework.
While there is no previous public documentation of MuddyWater using this framework, they have a track record of using a variety of open-source tools, and reconnaissance is an important part of the “Cyber Kill Chain.”
https://www.deepinstinct.com/blog/darkbeatc2-the-latest-muddywater-attack-framework
Reporting on Other Actors
Reported Supply Chain Compromise Affecting XZ Utils Data Compression Library
Andres Freund was an international hero with one of the most understated openers. Performance geeks will inherit the earth…
After observing a few odd symptoms around liblzma (part of the xz package) on Debian sid installations over the last weeks (logins with ssh taking a lot of CPU, valgrind errors) I figured out the answer:
The upstream xz repository and the xz tarballs have been backdoored.
At first I thought this was a compromise of debian's package, but it turns out to be upstream.
https://www.openwall.com/lists/oss-security/2024/03/29/4
Then it became a big thing...
CISA and the open source community are responding to reports of malicious code being embedded in XZ Utils versions 5.6.0 and 5.6.1. This activity was assigned CVE-2024-3094. XZ Utils is data compression software and may be present in Linux distributions. The malicious code may allow unauthorized access to affected systems.
smx-smx started us off on the deep technical analysis of the implant
gist.github.com/smx-smx/a6112d54777845d389bd7126d6e9f504
Then over the long weekend Anthony Weems gave us..
Exploration of the xz backdoor (CVE-2024-3094). Includes the following:
honeypot: fake vulnerable server to detect exploit attempts
ed448 patch: patch liblzma.so to use our own ED448 public key
backdoor format: format of the backdoor payload
backdoor demo: cli to trigger the RCE assuming knowledge of the ED448 private key
https://github.com/amlweems/xzbot
Clipping Wings: Our Analysis of a Pegasus Spyware Sample
Matthias Frielingsdorf provides an exquisite walkthrough of this analysis.. Punchline is backups..
For this analysis, we had access to the customer’s iTunes backups, crash logs, and sysdiagnose files. One of the best things about Threat Hunter is that we can gather these artifacts remotely without needing physical access to the device.
https://www.iverify.io/post/clipping-wings-our-analysis-of-a-pegasus-spyware-sample
How APT groups operate in the Middle East
Reporting out of Russia by PT Security which is noteworthy for highlighting the anti-forensics in use.
Over half (56%) of APT groups remove signs of their activity (Indicator Removal): clearing event logs and network connection histories, and changing timestamps. For example, APT35 deleted mailbox export requests from compromised Microsoft Exchange servers. Most attackers completely remove their arsenal of software from compromised devices after achieving their goals. This makes it much more difficult for cybersecurity professionals to conduct investigations after the incident.
https://www.ptsecurity.com/ww-en/analytics/apt-groups-in-the-middle-east/
Latrodectus: This Spider Bytes Like Ice
Reporting on a criminal campaign which has its roots firmly in phishing. MSI so hot right now..
[We] first observed new malware named Latrodectus appear in email threat campaigns in late November 2023.
While use of Latrodectus decreased in December 2023 through January 2024, Latrodectus use increased in campaigns throughout February and March 2024.
It was first observed in Proofpoint data being distributed by threat actor TA577 but has been used by at least one other threat actor, TA578.
Latrodectus is an up-and-coming downloader with various sandbox evasion functionality.
While similar to IcedID, [our] researchers can confirm it is an entirely new malware, likely created by the IcedID developers.
Latrodectus shares infrastructure overlap with historic IcedID operations.
While investigating Latrodectus, researchers identified new, unique patterns in campaign IDs designating threat actor use in previous IcedID campaigns.
..
If this JavaScript was executed, it called MSIEXEC to run an MSI from a WebDAV share. The MSI executed the bundled DLL with the export "fin" to run Latrodectus.
https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice
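The delivery chain described above (JavaScript calling MSIEXEC to install an MSI from a WebDAV share) leaves a distinctive process-creation footprint. The following is an added example (not Proofpoint’s code) that scores such events from a defender’s side; the event records and field names are constructed for this illustration and loosely modelled on Sysmon process-creation output, not taken from the report.

```python
"""
Added example: flag msiexec.exe launches that install a package from a
WebDAV share or HTTP URL, and raise the score when the parent is a
Windows script host (the chain Proofpoint describes for Latrodectus).
Event records are constructed; field names are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Script hosts that execute .js files on Windows.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Any token that points off-host: an http(s) URL or a UNC path.
REMOTE_TOKEN = re.compile(r"(?:https?://\S+|\\\\\S+)", re.IGNORECASE)

# Markers that the remote location is WebDAV rather than a plain SMB share:
# the Windows WebDAV redirector uses \\host@SSL\DavWWWRoot\..., and
# msiexec also accepts http(s) URLs directly.
WEBDAV_MARKER = re.compile(r"davwwwroot|@ssl|^https?://", re.IGNORECASE)


@dataclass
class ProcessEvent:
    image: str          # full path of the created process
    command_line: str
    parent_image: str   # full path of the parent process


@dataclass
class Finding:
    severity: str       # "high", "medium" or "low"
    reasons: List[str]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def remote_sources(command_line: str) -> List[str]:
    """Remote package locations referenced on the command line (quotes stripped)."""
    return [tok.strip('"') for tok in REMOTE_TOKEN.findall(command_line)]


def classify(ev: ProcessEvent) -> Optional[Finding]:
    """Score an msiexec.exe process-creation event, or None if not suspicious."""
    if basename(ev.image) != "msiexec.exe":
        return None
    sources = remote_sources(ev.command_line)
    if not sources:
        return None  # local package: out of scope for this rule
    reasons = []
    webdav = [s for s in sources if WEBDAV_MARKER.search(s)]
    if webdav:
        reasons.append(f"package fetched over WebDAV: {webdav[0]}")
    else:
        reasons.append(f"package fetched from remote share: {sources[0]}")
    script_parent = basename(ev.parent_image) in SCRIPT_HOSTS
    if script_parent:
        reasons.append(f"launched by script host {basename(ev.parent_image)}")
    # Both signals together match the described chain; a plain SMB share
    # from a deployment agent is routine in enterprises and scores low.
    if webdav and script_parent:
        severity = "high"
    elif webdav or script_parent:
        severity = "medium"
    else:
        severity = "low"
    return Finding(severity, reasons)


def scan(events: List[ProcessEvent]):
    """Return (event, finding) pairs for every event the rule matches."""
    return [(ev, f) for ev in events if (f := classify(ev)) is not None]


# Constructed sample events (hostnames use the reserved .invalid TLD).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\msiexec.exe",
                 r'msiexec.exe /i "\\dav.example.invalid@SSL\DavWWWRoot\docs\invoice.msi" /qn',
                 r"C:\Windows\System32\wscript.exe"),
    ProcessEvent(r"C:\Windows\System32\msiexec.exe",
                 r"msiexec.exe /i \\fileserver01\deploy\7zip.msi /qn",
                 r"C:\Windows\CCM\CcmExec.exe"),       # routine SMB deployment
    ProcessEvent(r"C:\Windows\System32\msiexec.exe",
                 r"msiexec.exe /i http://files.example.invalid/update.msi /quiet",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\msiexec.exe",
                 r"msiexec.exe /i C:\Users\bob\Downloads\setup.msi",
                 r"C:\Windows\explorer.exe"),          # local install: no finding
]

if __name__ == "__main__":
    for ev, finding in scan(SAMPLE_EVENTS):
        print(finding.severity.upper(), "|", ev.command_line, "|", "; ".join(finding.reasons))
```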
Analyzing a Malicious Advanced IP Scanner Google Ad Redirection
Izzy Spering provides further evidence that not everything is wonderful in the ad ecosystem and that it is being misused by threat actors.
So you found yourself responding to an alert about one of your employees downloading a malicious version of Advanced IP Scanner? This has become fairly common, as system admins and IT technicians want to download the tool to use legitimately within their environment. But threat actors have been hosting very convincing malicious versions that are being discovered through malvertising (e.g., “malicious advertising” like Google Ads). Now, suppose you want to take a deeper dive and grab the file for yourself, yet you find yourself dealing with some issues, namely:
The employee deleted the downloaded file
The URL they clicked redirects to the real Advanced IP Scanner website
Trying to get the ad to pop up in Google searches just isn’t working
https://www.huntress.com/blog/analyzing-a-malicious-advanced-ip-scanner-google-ad-redirection
"Hey, This Isn't the Right Site!" Distribution of Malware Exploiting Google Ads Tracking
Then reporting out of South Korea by Ov5925 on similar tradecraft being used by a different threat actor!
[We] recently detected a malware strain being distributed by using the Google Ads tracking feature. The confirmed cases show that the malware is being distributed by disguising itself as an installer for popular groupware such as Notion and Slack. Once the malware is installed and executed, it downloads malicious files and payloads from the attacker’s server. Below is the list of the file names that have been discovered so far.
Notion_software_x64_.exe
Slack_software_x64_.exe
Trello_software_x64_.exe
GoodNotes_software_x64_32.exe
https://asec.ahnlab.com/en/63477/
AI meets next-gen info stealers in social media malvertising campaigns
Nicolae POSTOLACHI, Andrei ANTON-AANEI, Ionut Alexandru BALTARIU, Andrei Catalin MOGAGE and Alina BÎZGĂ paint the state we have reached with regard to the criminal use of AI-themed campaigns via malvertising to push implants and stealers..
Cybercrooks have taken over Facebook profiles to run sponsored malvertising campaigns impersonating Midjourney, Sora AI, DALL-E 3, Evoto, ChatGPT 5 and many others
The malicious pages on Facebook are meticulously designed to trick users into downloading purportedly official desktop versions of popular AI software. The cybercriminals behind these campaigns regularly change and adapt the malicious payloads in an attempt to avoid further detection from security software
The links direct users to malicious webpages that download a variety of intrusive stealers to harvest sensitive information from compromised systems, including credentials, autocomplete data, credit card information, and even crypto wallet information.
The analyzed campaigns employ malicious ads that contain links to executable files that serve Rilide, Vidar, IceRAT, Nova Stealers. The entire batch of malicious software is often offered as malware-as-a-service by threat actors on specialized forums and channels.
Discovery
How we find and understand the latent compromises within our environments.
VMware ESXi Forensic with Velociraptor
Nathanael Ndong
Version 0.7.1 of Velociraptor introduced a number of new features that give us capabilities to analyze a VMware ESXi hypervisor with Velociraptor.
https://www.synacktiv.com/publications/vmware-esxi-forensic-with-velociraptor
VolWeb: A centralized and enhanced memory analysis platform
k1nd0ne is indeed kind with this release, which enables at-scale memory forensics
VolWeb is a digital forensic memory analysis platform that leverages the power of the Volatility 3 framework. It is dedicated to aiding in investigations and incident responses.
https://github.com/k1nd0ne/VolWeb
Investigating Apple Data Usage
Vendor pitch, but useful knowledge.
Apple data usage keeps a record of inbound and outbound data traffic used by applications and processes. This feature in Apple devices keeps a record of applications and processes data consumption from different data sources
https://forensafe.com/blogs/AppleDataUsage.html
Defence
How we proactively defend our environments.
Cali-library-isolation
For when you have supply chain issues such as those seen in the xz case. Turns out the solution was on the shelf.
We present Cali, a compiler-assisted library isolation system that fully automatically shields a program from a given library. Cali is fully compatible with any mainline Linux kernel and does not require supervisor privileges to execute. - post 'xz' event so hot right now
https://github.com/cali-library-isolation/Cali-library-isolation
BeyondCorp and the long tail of Zero Trust - Handling the most challenging use cases at Google
Guilherme Gonçalves, Kyle O'Malley, Betsy Beyer and Max Saltonstall
The long tail of BeyondCorp adoption can easily span many distributed organizations, such that no single management chain or executive can drive it to completion alone.
https://www.usenix.org/publications/loginonline/beyondcorp-and-long-tail-zero-trust
Incident Writeups & Disclosures
How they got in and what they did.
From OneNote to RansomNote: An Ice Cold Intrusion
The DFIR Report doing what they do best, revisiting that brief period when OneNote files were the hot new file format for initial access.
In late February 2023, threat actors rode a wave of initial access using Microsoft OneNote files. In this case, we observed a threat actor deliver IcedID using this method.
After loading IcedID and establishing persistence, there were no further actions, other than beaconing for over 30 days.
The threat actor used Cobalt Strike and AnyDesk to target a file server and a backup server.
The threat actor used FileZilla to exfiltrate data from the network before deploying Nokoyawa ransomware.
https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/
Abschlussbericht Security Incident
A detailed incident writeup (in German) which Vornamemitd summarised as
The IR colleagues did a good job here. But without logging and unpatched edge/vpn gateways the 42 pages can be tl;dr-ed as:
came in through vpn, probably already had admin, used rdp, deployed standard/easy-mode akira, went home - but we can't tell why and how exactly. The end. Dear public/any sector - let admins and sec teams do their homework and fund slightly more than good ol' symantec av. Happy easter :)
https://notfallseite.sit.nrw/fileadmin/user_upload/SIT_Incident_Response_v1.1.pdf
Tales from the cloud trenches
Martin McCloskey shows what cloud attacks look like in terms of blended operations in 2024.
We observed likely malicious activity enumerating an AWS victim’s SMS sending capabilities via the GetSMSAttributes command. The [threat actor] was running the GetSMSAttributes API call across multiple regions, in a short period of time. At this time, these attempts have failed. Upon further investigation of the IP address, we were able to determine that it was running a phishing campaign impersonating the French government and had successfully phished user PII and credit card information. We confirmed this through a world-readable text file that had been left on the web server.
With further research, we were able to identify similar phishing sites impersonating the French government.
We assess with high confidence that attackers in this cluster configure phishing sites and perform smishing campaigns with victim AWS accounts from the same host.
https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/
Vulnerability
Our attack surface.
CVE-2024-2389 Flowmon critical security vulnerability
Vulnerabilities with a CVSS of 10 are bad in network monitoring solutions..
Mind the Patch Gap: Exploiting an io_uring Vulnerability in Ubuntu
Oriol Castejón highlights the continued threat that patch gaps present. Who needs zero-days when you have a crack team of exploit writers and old-days who can race the patch gap.
This post discusses a use-after-free vulnerability, CVE-2024-0582, in io_uring in the Linux kernel. Despite the vulnerability being patched in the stable kernel in December 2023, it wasn’t ported to Ubuntu kernels for over two months, making it an easy 0day vector in Ubuntu during that time.
zenhammer: A Rowhammer fuzzer for AMD Zen-based systems
ETH Zurich teams continue to pump out the impressive offensive academic research in the guise of Patrick Jattke, Max Wipfli, Flavien Solt, Michele Marazzi, Matej Bölcskei and Kaveh Razavi.
The rabbit hole is deep and the real world impact will take a while to surface, but no need to over function here.
Our evaluation with ten DDR4 devices shows that ZENHAMMER finds bit flips on seven and six devices on AMD Zen 2 and Zen 3, respectively, enabling Rowhammer exploitation on current AMD platforms. Furthermore, ZENHAMMER triggers Rowhammer bit flips on a DDR5 device for the first time
https://comsec.ethz.ch/wp-content/files/zenhammer_sec24.pdf
https://github.com/comsec-group/zenhammer
Offense
Attack capability, techniques and trade-craft.
Jigsaw: Hide shellcode by shuffling bytes into a random array and reconstruct at runtime
Mike Saunders adds some cost to the front end of detection, although I suspect there are still effective and cheaper ways in the latter stages of execution.
Jigsaw is a Python script that reads a raw shellcode file and creates a randomized array sized equal to the number of bytes in the shellcode. Jigsaw then uses random.shuffle() to shuffle the array into random order. Each entry in this array represents the position of a byte in our shellcode. At that point, it’s a matter of iterating through our array of positions, grabbing the shellcode byte at that position, and storing it in a new array.
https://redsiege.com/blog/2024/03/jigsaw/
https://github.com/RedSiege/Jigsaw
Abusing MiniFilter Altitude to blind EDR
Eito Tamura gives the world a technique which can expect co-option by criminal threat actors in 3..2..
If you gain local admin privilege access to a host with an EDR solution, you can potentially evade detection by blinding the kernel callbacks that the EDR relies on. This can be achieved by exploiting a minifilter driver, such as the Sysmon driver. Although a reboot of the host is required, this approach is far easier than finding a new Bring Your Own Vulnerable Driver (BYOVD) or attempting unsigned driver exploitation, which is not always an option.
https://tierzerosecurity.co.nz/2024/03/27/blind-edr.html
osmedeus: A Workflow Engine for Offensive Security
Ai Ho gives the world a capability which will be valuable for both good and evil..
Osmedeus is a Workflow Engine for Offensive Security. It was designed to build a foundation with the capability and flexibility that allows you to build your own reconnaissance system and run it on a large number of targets.
https://github.com/j3ssie/Osmedeus
SeeSeeYouExec: Windows Session Hijacking via CcmExec
Andrew Oliveau creates a cause for consideration of those still running legacy non zero-trust networks..
Enter CcmExec, a service native to SCCM Windows clients that has an interesting design that is useful for red teamers. In this blog post, we delve into how the CcmExec service can be utilized for session hijacking and introduce CcmPwn, a tool designed to facilitate this technique. Finally, we will discuss detection strategies for security teams.
https://cloud.google.com/blog/topics/threat-intelligence/windows-session-hijacking-via-ccmexec
Exploitation
What is being exploited.
Chaining N-days to Compromise All: Part 2 — Windows Kernel LPE (a.k.a Chrome Sandbox Escape)
Modern exploit chains..
This blog post is the second in a series about the vulnerabilities used in our 1-day full chain exploit we demonstrated on X. In this blog post, we will present how we escaped the Chrome sandbox by exploiting a Windows kernel vulnerability. The vulnerability is CVE-2023-21674, a Use-After-Free vulnerability in the NTOS kernel.
This vulnerability is the first Windows kernel In-The-Wild vulnerability in 2023. Fermium-252, our threat intelligence service, has both a PoC and an exploit of this vulnerability since January 2023.
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
Low-Level Software Security for Compiler Developers
Bill Wendling and Lucian Popescu are working on this wonderful resource..
There are a lot of materials that explain individual vulnerabilities or attack vectors. There are also lots of presentations explaining specific exploits. But there seems to be a limited set of materials that give a structured overview of all vulnerabilities and exploits against which a code generator plays a role in protecting.
This book aims to provide such a structured, broad overview. It does not necessarily go into full details, instead aiming to give a thorough description of all relevant high-level aspects of attacks, vulnerabilities, mitigations, and hardening techniques. For further details, this book provides pointers to materials with more details on specific techniques.
https://llsoftsec.github.io/llsoftsecbook/
Improvements to static analysis in the GCC 14 compiler
David Malcolm details how GCC is trying to catch up with llvm, big release here. Much latent chaos will surface..
I've been working on -fanalyzer, a static analysis pass that tries to identify various problems at compile-time, rather than at runtime. It performs "symbolic execution" of C source code—effectively simulating the behavior of the code along the various possible paths of execution through it. This article summarizes what's new with -fanalyzer in GCC 14, which I hope will be officially released sometime in April 2024...
for GCC 14 I've implemented a new warning: -Wanalyzer-infinite-loop that's able to detect some simple cases of infinite loops.
The analyzer gained support in GCC 13 for bounds checking with a -Wanalyzer-out-of-bounds warning.
..
The analyzer has a form of "taint analysis", which tracks attacker-controlled inputs, places where they are sanitized, and places where they are used without sanitization. In previous GCC releases this was too buggy to enable by default, with lots of false positives, so I hid it behind an extra command-line argument. I've fixed many bugs with this, so for GCC 14 I've enabled this by default when -fanalyzer is selected.
https://developers.redhat.com/articles/2024/04/03/improvements-static-analysis-gcc-14-compiler
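As an added illustration of the taint analysis described above (constructed for this newsletter, not code from the article or from GCC itself), assuming GCC 14 with -fanalyzer, where the taint checks are on by default: the lookup table, function names and the "unchecked vs. checked" pair are all constructed, and the diagnostic quoted in the comment is the one I would expect, with wording that may differ between GCC versions.

```c
#include <stddef.h>
#include <stdint.h>

#define TABLE_LEN 8u

/* Constructed lookup table standing in for something like a protocol
 * state table indexed by a value taken from the wire. */
static const uint8_t table[TABLE_LEN] = {10, 20, 30, 40, 50, 60, 70, 80};

/*
 * GCC's tainted_args attribute tells -fanalyzer that every argument of
 * this function arrives from an untrusted source; this is the hint the
 * taint analysis needs when the data does not visibly come from
 * read()/fread()/recv(). Expected diagnostic with
 *   gcc -fanalyzer -c example.c
 * is along the lines of:
 *   warning: use of attacker-controlled value 'idx' in array lookup
 *   without bounds checking [CWE-129] [-Wanalyzer-tainted-array-index]
 * The function is deliberately never called in this example.
 */
__attribute__((tainted_args))
int lookup_unchecked(size_t idx)
{
    return table[idx];            /* tainted index, no sanitisation */
}

/* The same function with the sanitisation step the analyzer looks for:
 * the comparison against TABLE_LEN bounds 'idx' on every path that
 * reaches the array access, so the warning is no longer reported. */
__attribute__((tainted_args))
int lookup_checked(size_t idx)
{
    if (idx >= TABLE_LEN)
        return -1;                /* reject out-of-range input */
    return table[idx];
}

/* Bonus: the constant-index case that -Wanalyzer-out-of-bounds (added in
 * GCC 13, as the article notes) reports without any taint annotation,
 * because the 4-byte write lands one element past the end of 'arr'.
 * Also never called. */
void write_past_end(void)
{
    int arr[10];
    arr[10] = 42;
}
```

Compile with and without the `idx >= TABLE_LEN` check to see the warning appear and disappear; the checked variant is the only one exercised at runtime.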
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Aggregate reporting
Google 2023 Ads Safety Report - some have commented on the focus on AI and the disconnect seen by some.
Monthly Threat Actor Group Intelligence Report, February 2024 (KOR) - out March 29th
Public-private collaboration in Ukraine and beyond - “Three key takeaways have emerged. First, industry has increasing leverage to shift conflict dynamics, and increasing responsibility to act carefully. Second, wartime affects markets, complicating companies’ profitability and sustainability and making it unwise for the public sector to rely on voluntary support. Third, public-private partnerships are a necessary but thus far underused mechanism for aligning business interests with national security prerogatives.”
Artificial intelligence
Books
Nothing this week.
Events
Disinfo 2024 - 9-10 October, Riga, Latvia
Videos from NDSS - one of my favourite conferences
Finally, Rob Joyce retired from the NSA at the end of March after 34 years - he is in dire need of memes..
Unless stated otherwise, linked or referenced content does not necessarily represent the views of the NCSC and reference to third parties or content on their websites should not be taken as endorsement of any kind by the NCSC. The NCSC has no control over the content of third party websites and consequently accepts no responsibility for your use of them.
This newsletter is subject to the NCSC website terms and conditions which can be found at https://www.ncsc.gov.uk/section/about-this-website/terms-and-conditions and you can find out more about how we will treat your personal information in our privacy notice at https://www.ncsc.gov.uk/section/about-this-website/privacy-statement.