CTO at NCSC Summary: week ending April 20th
It is April 2025 and we have two stack based overflows being exploited in the wild in recently discovered vulnerabilities..
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week 16,000 internet-exposed Fortinet devices allegedly compromised with the symlink backdoor seem good justification for all vendors to implement our Guidance on digital forensics and protective monitoring specifications for producers of network devices and appliances . In addition in April 2025 we have at least two stack based overflows being exploited in the wild which would also imply the need.. These memory corruption vulnerabilities also seem like a opportune time to highlight the CHERIoT Programmers’ Guide.
In the high-level this week:
Securing Artificial Intelligence (SAI); Baseline Cyber Security Requirements for AI Models and Systems - ETSI publishes - This is based on public consultation on a Code of Practice in the UK, and establishes baseline cyber security requirements for AI models and systems that enable them to embed cyber security and resilience across the AI lifecycle - NCSC and DSIT worked with ETSI to get this to be a ratified standard.
Law firm fined £60,000 following cyber attack - Information Commissioner’s Office announces - “We found DPP failed to put appropriate measures in place to ensure the security of personal information held electronically. This failure enabled cyber hackers to gain access to DPP’s network, via an infrequently used administrator account which lacked multi-factor authentication (MFA), and steal large volumes of data.”
Justice Department Implements Critical National Security Program to Protect Americans’ Sensitive Data from Foreign Adversaries - U.S. Department of Justice announces - “Today, the Justice Department took significant steps to move forward with implementing a critical program to prevent China, Russia, Iran, and other foreign adversaries from using commercial activities to access and exploit U.S. government-related data and Americans’ sensitive personal data to commit espionage and economic espionage, conduct surveillance and counterintelligence activities, develop AI and military capabilities, and otherwise undermine our national security.”
Shattering the Echo Chamber - General (Ret) Paul M. Nakasone and Brett Goldstein vision - “This policy paper advocates for the immediate integration of empowered red teams into national security decisionmaking…. Red teams are not optional; they are essential for dismantling echo chambers, rigorously testing assumptions, and ensuring adaptive, resilient strategies that address evolving threats.”
Allies practise coordination of mutual cyber support through NATO - NATO announces - “From 7 to 11 April, representatives from 20 Allied government and national agencies exercised NATO’s ability to coordinate responses to significant malicious cyber activities affecting critical national infrastructures.”
Guidelines 02/2025 on processing of personal data through blockchain technologies - European Data Protection Board publish - “As a general rule, storing personal data on a blockchain should be avoided, if this conflicts with data protection principles.”
CISA Releases Guidance on Credential Risks Associated with Potential Legacy Oracle Cloud Compromise - CISA highlights - “CISA is aware of public reporting regarding potential unauthorized access to a legacy Oracle cloud environment. While the scope and impact remains unconfirmed, the nature of the reported activity presents potential risk to organizations and individuals, particularly where credential material may be exposed, reused across separate, unaffiliated systems, or embedded (i.e., hardcoded into scripts, applications, infrastructure templates, or automation tools).”
Peters and Rounds Introduce Bipartisan Bill to Extend Information Sharing Provisions that Help Address Cybersecurity Threats - U.S. Senators Gary Peters (D-MI) and Mike Rounds (R-SD) introduce- “a bipartisan bill to extend provisions that encourage businesses to share information about ongoing cybersecurity threats with the federal government to strengthen our nation’s cybersecurity defenses.”
Reporting on/from China
Deepseek Unmasked: Exposing the CCP's Latest Tool For Spying, Stealing, and Subverting U.S. Export Control Restrictions - U.S. Select Committee on the CCP finds - The Committee’s investigation found:
DeepSeek funnels Americans’ data to the PRC through backend infrastructure connected to a U.S. government-designated Chinese military company.
DeepSeek covertly manipulates the results it presents to align with CCP propaganda, as required by Chinese law.
It is highly likely that DeepSeek used unlawful model distillation techniques to create its model, stealing from leading U.S. AI models.
DeepSeek’s AI model appears to be powered by advanced chips provided by American semiconductor giant Nvidia and reportedly utilizes tens of thousands of chips that are currently restricted from export to the PRC.
Rounds Introduces Legislation to Prevent Smuggling of American AI Chips into China - Mike Rounds (R-S.D.) and Mark Warner (D-Va.) introduce - “The Stop Stealing our Chips Act would amend the Export Control Reform Act to create a whistleblower incentive program at the Bureau of Industry and Security (BIS). The program is designed to increase reporting of illegal exports.”
China’s SenseTime bets on new AI training method to stand out - South China Morning Post reports - “The company on Thursday unveiled SenseNova V6 and V6 Reasoner, new iterations of its self-developed AI model series. V6 outperformed OpenAI’s GPT-4o across several metrics, including fact-checking, numerical reasoning, data analysis and visualisation, according to SenseTime chairman and CEO Xu Li, citing data from benchmarking platform TableBench.”
New AI fund in China to pour US$8 billion into early-stage projects - South China Morning Post reports - “The AI fund will be managed by Guozhi Investment (Shanghai) Private Equity Fund Management, a state-backed company, according to Zhang.”
AI
Large Language Models are Unreliable for Cyber Threat Intelligence - VU, TUE and IEEE publish - “We run experiments with three state-of-the-art LLMs and a dataset of 350 threat intelligence reports and present new evidence of potential security risks in relying on LLMs for CTI. We show how LLMs cannot guarantee sufficient performance on real-size reports while also being inconsistent and overconfident.”
How I Used AI to Create a Working Exploit for CVE-2025-32433 Before Public PoCs Existed - Matthew Keeley vibes - “Is this good or concerning? Probably both. It democratizes security research while potentially lowering the barrier for exploit development. But that's precisely why responsible disclosure and collaborative security practices matter more than ever.”
CaMeL offers a promising new direction for mitigating prompt injection attacks - Simon Willison analyses - “The new DeepMind paper introduces a system called CaMeL (short for CApabilities for MachinE Learning) … It works by taking a command from a user, converting that into a sequence of steps in a Python-like programming language, then checking the inputs and outputs of each step to make absolutely sure the data involved is only being passed on to the right places”
OpenAI slashes AI model safety testing time - Financial Times reports - “The time crunch has been driven by “competitive pressures”, according to people familiar with the matter, as OpenAI races against Big Tech groups such as Meta and Google and start-ups including Elon Musk’s xAI to cash in on the cutting-edge technology.”
FMF Announces First-Of-Its-Kind Information-Sharing Agreement - Frontier Model Forum announce - “At this stage, our information-sharing covers the following three key categories and is restricted to FMF member firms:
Vulnerabilities, weaknesses, and exploitable flaws.
Threats.
Capabilities of Concern.”
Existential risk narratives about AI do not distract from its immediate harms - Princeton University researches - “In three preregistered, online survey experiments (N = 10,800), participants were exposed to news headlines that either depicted AI as a catastrophic risk, highlighted its immediate societal impacts, or emphasized its potential benefits. Results show that i) respondents are much more concerned with the immediate, rather than existential, risks of AI”
Cyber proliferation
US becomes signatory to the Pall Mall Process - UK Government lists - 24 countries and counting..
Chinese Arms Dealer Sold IMSI-Catchers for Huge Paris Drive-by Smishing Scam - CommsRisk reports - “Officially, his name is Kevin Yin and he works as a salesman for an obscure Chinese lighting manufacturer. The banal commercial appearances conflict with the extreme secrecy of multiple digital profiles and continuous international travel, whether to the United States, Spain, Mexico, Peru, Japan or Chad. In reality, this 45-year-old Chinese, whose real identity is Yin N., sells high-end surveillance and spying equipment.”
Bounty Hunting
Man who created ‘one-stop shop for phishing’ jailed - UK Crown Prosecution Service announces - ”Labhost described itself as a “one-stop shop for phishing” created “for spammers by spammers”… Coyne himself received $230,000 in cryptocurrency for designing and administering the illicit site.”
Iranian National Indicted for Operating Online Marketplace Offering Fentanyl and Money Laundering Services - U.S. Department of Justice announces - “Behrouz Parsarad, an Iranian national, for his role as the founder and operator of Nemesis Market, a dark web marketplace for illegal drugs and criminal cyber-services, such as stolen financial information, fraudulent identification documents, counterfeit currencies, and computer malware.”
Ransomware in SMEs: Cybercriminals increase ransom payments for cyber insurance - Netherlands Digital Trust Centre asserts - “they specifically search for companies from sectors that pay a lot and demand a higher ransom if a company is insured. This is evident from the PhD research of Tom Meurs, cybercrime specialist at the police, after he investigated more than 500 ransomware incidents between 2019 and 2023 in SMEs.”
Reflections this week are around complexity and ability to understand. It increasingly seems like for most systems or systems of systems we are beyond the point of being able to understand end-to-end at a detailed level, by humans at least. This understanding can be though a number of lenses i.e.
Components
Interdependences
Supply chain
Contemporary thinking on cyber resilience needs to reframe given this. We largely have the model we always have. We understand and then we place controls to mitigate risk based on that understanding. There is a real question if we are in illusion of control territory..
Not getting this via email? Subscribe:
Think someone else would benefit? Share:
All attribution is by others and not the UK Government unless specifically stated as such, please see the legal text at the end.
Have a lovely Saturday..
Ollie
Cyber threat intelligence
Who is doing what to whom and how allegedly.
Reporting on Russia
Renewed APT29 Phishing Campaign Against European Diplomats
CheckPoint detail this alleged Russian campaign which is noteworthy due to their doggedness in terms of continuing to pursue phishing as a means to get initial code execution. That and the targeting...
The campaign, which appears to be a continuation of a previous one that utilized a backdoor known as WINELOADER, impersonates a major European foreign affairs ministry to distribute fake invitations to diplomatic events—most commonly, wine tasting events.
This campaign employs a new loader, called GRAPELOADER, which is downloaded via a link in the phishing email. In addition, we discovered a new variant of WINELOADER which is likely used in later stages of the campaign.
While the improved WINELOADER variant is still a modular backdoor used in later stages, GRAPELOADER is a newly observed initial-stage tool used for fingerprinting, persistence, and payload delivery. Despite differing roles, both share similarities in code structure, obfuscation, and string decryption. GRAPELOADER refines WINELOADER’s anti-analysis techniques while introducing more advanced stealth methods.
https://research.checkpoint.com/2025/apt29-phishing-campaign/
Reporting on China
People’s Republic of China activity targeting network edge routers: Observations and mitigation strategies
Canadian Centre for Cyber Security releases details of alleged Chinese activity whilst calling on Canadian organisations to respond accordingly..
A Cyber security advisory is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional mitigation advice to recipients. The Canadian Centre for Cyber Security (Cyber Centre) is able to provide additional assistance regarding the content of this bulletin to recipients as requested.
The Cyber Centre has observed increasing levels of the People's Republic of China threat actor activity, including activity associated to SALT TYPHOON, targeting network edge routers across critical infrastructure sectors. The Cyber Centre and our partners have recently observed repeated compromises of misconfigured and unpatched routing devices.
The Cyber Centre is urging the Canadian cybersecurity community to bolster their awareness of threat actor activity targeting network edge routers and to leverage Cyber Centre guidance to protect their networks.
Mustang Panda Arsenal: PAKLOG, CorKLOG, and SplatCloak
Sudeep Singh highlights the tooling attributed to this alleged Chinese threat actor. Serves as a useful example of their capability to subvert endpoint protection.
Mustang Panda continues to create new tooling in targeted attacks.
PAKLOG is a keylogger that the group uses to monitor keystrokes and clipboard data and employs a custom character encoding scheme to obfuscate the log data.
CorKLOG is also a keylogger deployed by Mustang Panda that uses a 48-character long RC4 key to encrypt the contents of the key logger capture file. Persistence is maintained by creating services or scheduled tasks.
SplatCloak is a tool used by Mustang Panda that disables kernel-level notification callbacks for four Windows Defender-related drivers and Kaspersky drivers. The developers implemented code obfuscation techniques, including control flow flattening and mixed boolean arithmetic, to hinder analysis.
Mustang Panda: ToneShell and StarProxy
Sudeep Singh also highlights some of the sophistication by this alleged Chinese threat actors and their adoption of proprietary protocols. The DLL side loading is a well trodden path..
ToneShell, a backdoor used by Mustang Panda, has been updated with changes to its FakeTLS command-and-control (C2) communication protocol as well as to the methods for creating and storing client identifiers.
ThreatLabz discovered a new lateral movement tool used by Mustang Panda that we have named StarProxy, which leverages the FakeTLS protocol to proxy traffic and facilitate attacker communications.
Mustang Panda remains active in targeting organizations and individuals in Myanmar.
Mustang Panda employs DLL sideloading techniques, typically bundling malicious tools inside RAR archives paired with legitimate, signed binaries.
BRICKSTORM espionage backdoor
Maxime details the Windows variant of this his alleged Chinese implant. Note that Windows hosts are not being used as the target in these instance, but rather relays into internal networks.
BRICKSTORM provides attackers with file manager and network tunneling capabilities. As a notable difference to Mandiant’s BRICKSTORM report, the Windows samples discussed here are not equipped with command execution capabilities. Instead, adversaries have been observed using network tunneling capabilities in combination with valid credentials to abuse well-known protocols such as RDP or SMB, thus achieving similar command execution.
https://www.nviso.eu/blog/nviso-analyzes-brickstorm-espionage-backdoor
Billbug: Intrusion Campaign Against Southeast Asia Continues
Symantec details the new tooling from this alleged Chinese threat actor. Note the tunnelling and stealer focus..
Among the new tools deployed were two designed to steal credentials from the Chrome web browser. Deployed tools included:
ChromeKatz – Capable of stealing both credentials and cookies stored in Chrome
CredentialKatz – Capable of stealing credentials stored in Chrome
Reverse SSH Tool – Custom tool capable of listening for SSH connections on Port 22
https://www.security.com/threat-intelligence/billbug-china-espionage
BPFDoors Hidden Controller Used Against Asia, Middle East Targets
Fernando Mercês provides a little more insight into this alleged Chinese capability. The victimology is of note i.e. telcos and finance!
BPFDoor is a state-sponsored backdoor designed for cyberespionage activities. Through our investigation of BPFDoor attacks, we unearthed a controller that hasn’t been observed being used anywhere else. We attribute this controller to Red Menshen, an advanced persistent threat (APT) group that Trend Micro tracks as Earth Bluecrow.
The controller could open a reverse shell. This could allow lateral movement, enabling attackers to enter deeper into compromised networks, allowing them to control more systems or gain access to sensitive data.
According to our telemetry, recent BPFDoor attacks zero in on the telecommunications, finance, and retail sectors, with attacks observed in South Korea, Hong Kong, Myanmar, Malaysia, and Egypt.
https://www.trendmicro.com/en_us/research/25/d/bpfdoor-hidden-controller.html
KeyPlug Server Exposes Fortinet Exploits & Webshell Activity Targeting a Major Japanese Company
Hunt.io ride poor operational security to get some insight into this alleged Chinese operation. Why a major cosmetics company is of interest is anyone’s guess, but it hints are indiscriminate targeting.
Fortinet firewall and VPN exploit scripts were exposed on the infrastructure linked to KeyPlug malware activity.
A PHP-based webshell capable of AES and XOR-decrypted payload execution was included.
Network reconnaissance scripts targeted login, development, and identity portals associated with a major Japanese company.
The server was live for less than 24 hours, emphasizing the need to monitor for short-lived operational infrastructure.
https://hunt.io/blog/keyplug-server-exposes-fortinet-exploits-webshells
Reporting on North Korea
DPRK IT Workers in Open Source and Freelance Platforms
blackbigswan and Heiner go full rabbit hole in this analysis and provide insights into some of the scale behind / breadth of the DPRK IT workers operations. If nothing else this challenge highlights the personnel security risk. Previously the UK’s Office of Financial Sanctions Implementation issued an advisory on this topic with steps for HR departments.
On February 9, 2025, we discovered a suspicious actor within the repository of a legitimate developer. Initially, we informed the developer about the potential malicious intent of one of his active committers. This led us into a two-month-long process of discovering additional North Korean actors, “PR Spammers” and experiencing the subpar vetting process present in one of the “Pay for PR” (freelance) platforms in Web3.
https://www.ketman.org/dprk-it-workers-in-freelance-platform-onlyDust.html
Slow Pisces Targets Developers With Coding Challenges and Introduces New Customized Python Malware
Prashil Pattni, as others have, walks through the end-to-end operation which is being used to target developers of interest alleged by North Korea. This further highlights the inherent challenges of securing developers who may work on their own equipment for multiple customers. Or put another way supply chain risks!
In this campaign, Slow Pisces engaged with cryptocurrency developers on LinkedIn, posing as potential employers and sending malware disguised as coding challenges. These challenges require developers to run a compromised project, infecting their systems using malware we have named RN Loader and RN Stealer.
https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/
Reporting on Iran
Nothing overly of note this week..
Reporting on Other Actors
Investigating a recent malvertising campaign against Onfido
Luke Jennings details a campaign which used malvertising to go after users of an identity provider. Provides further proof that more work is required if we are to have a digital advertising eco-system which is integral.
The user had visited the url dashboard[.]onfido[.].us[.]com after entering a Google search for ‘onfido’, a site they had previously accessed for work and had an account on. A convincing looking Google ad duped the user into clicking the fake link.
Related Google released their Ads Safety Report also
https://services.google.com/fh/files/misc/ads_safety_report_2024.pdf
DAMASCENED PEACOCK
NCSC UK publishes this malware analysis…
DAMASCENED PEACOCK is a lightweight downloader targeting Windows.
The analysed sample was for 32-bit (x86) Windows. It supports downloading a 64-bit onward stage.
The malware was observed in a spear-phishing campaign which took place in late 2024.
DAMASCENED PEACOCK is downloaded and executed by a code signed first stage.
DAMASCENED PEACOCK is the second of 3 stages and is responsible for downloading the final stage and executing it via a COM Hijack.
DAMASCENED PEACOCK implements Defence Evasion techniques such as XOR based string obfuscation and dynamic resolution of Win32 APIs.
Discovery
How we find and understand the latent compromises within our environments.
100 Days of KQL
Aura concludes 100 days. The value they have provided can not be understood. Next year there should be the ‘100 Days of KQL written by Generative AI’ just to see how we get on..
Thank you Aura!
The Windows Registry Adventure #6: Kernel-mode objects
Mateusz Jurczyk goes deep in this adventure. Why include here? Well there are various aspects of this extensive post which will be of use to those of you undertaken memory forensics.
https://googleprojectzero.blogspot.com/2025/04/the-windows-registry-adventure-6-kernel.html
Velociraptor MCP
Matthew Green releases an MCP server so we can all start Vibe Hunting™ (joke / no joke)..
Velociraptor MCP is a POC Model Context Protocol bridge for exposing LLMs to MCP clients.
Initial version has several Windows orientated triage tools deployed. Best use is querying usecase to target machine name.
https://github.com/mgreen27/mcp-velociraptor
Defence
How we proactively defend our environments.
dAWShund
Nikolas Mantas allows us all to think (or algorithms to traverse) in graphs when it comes to AWS. What Bloodhound did for Active Directory they do for AWS.
a suite of tools to enumerate, evaluate and visualise the access conditions between different resources.
https://falconforce.nl/dawshund-framework-to-put-a-leash-on-naughty-aws-permissions/
https://github.com/FalconForceTeam/dAWShund
Incident Writeups & Disclosures
How they got in and what they did.
A Warning about Malicious PoCs
Valentin Lobstein shows the value of transparency in breach writeups and then goes full Liam Neeson from Taken..
.. but there is a serious health warning. It is a challenging world where security researchers are targets ..
Late at night, I was testing a proof-of-concept (PoC) exploit for CVE-2020-35489 (https://github[.]com/gh202503/poc-cve-2020-35489) that I found on GitHub. The repository looked legitimate, and in my exhaustion, I skipped the usual precautions. I cloned the repository and ran the script without inspecting its contents.
A few hours later, my system started behaving strangely. CPU usage was abnormally high, and after further investigation, I found that a hidden malware had infected my machine. Worse, my credentials, SSH keys, and other sensitive data had been stolen and uploaded to an attacker-controlled repository.
https://chocapikk.com/posts/2025/s1nk/
Vulnerability
Our attack surface.
SUN:DOWN
Stanislav Dashevskyi, Francesco La Spina and Daniel dos Santos hint at the lack of secure by design in energy solutions. Should not come as a surprise, but the technical debt we will inevitably sprinkle around as a result which will provide opportunity will be vast.
Our findings show an ecosystem that is insecure — with dangerous energy and national security implications. While each residential solar system produces limited power, their combined output reaches dozens of gigawatts — making their collective impact on cybersecurity and grid reliability too significant to ignore.
In this report, we review known issues and present new vulnerabilities found on three leading solar power system manufacturers: Sungrow, Growatt and SMA. We also discuss realistic attack scenarios that could be executed on a power grid, leading to emergency measures or potential blackouts
https://www.forescout.com/resources/sun-down-research-report/
CVE-2025-32433: Critical Erlang/OTP SSH Vulnerability
Stuff of nightmwares.
A serious vulnerability has been identified in the Erlang/OTP SSH server that may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute arbitrary commands without valid credentials.
https://github.com/erlang/otp/security/advisories/GHSA-37cp-fgq5-7wc2
To compound a proof of concept is out:
https://platformsecurity.com/blog/CVE-2025-32433-poc
https://github.com/ProDefense/CVE-2025-32433
CVE-2025-2492: ASUS Router AiCloud vulnerability
Rush to implement AI..
An improper authentication control vulnerability exists in certain ASUS router firmware series. This vulnerability can be triggered by a crafted request, potentially leading to unauthorized execution of functions
https://www.asus.com/content/asus-product-security-advisory/
Cisco Webex App Client-Side Remote Code Execution Vulnerability
One to patch..
A vulnerability in the custom URL parser of Cisco Webex App could allow an unauthenticated, remote attacker to persuade a user to download arbitrary files, which could allow the attacker to execute arbitrary commands on the host of the targeted user.
This vulnerability is due to insufficient input validation when Cisco Webex App processes a meeting invite link. An attacker could exploit this vulnerability by persuading a user to click a crafted meeting invite link and download arbitrary files. A successful exploit could allow the attacker to execute arbitrary commands with the privileges of the targeted user.
Offense
Attack capability, techniques and trade-craft.
b3acon
b3rito reminds us what is old is destined to be new again. How is your observability of inflows and outflows of email?
b3acon is a mail based C2 that uses an in-memory, dynamically compiled C# IMAP client via PowerShell. It communicates entirely through standard email protocols, fetching commands from email drafts and sending execution results to the inbox.
https://github.com/b3rito/b3acon
Code execution inside PID 0 on Windows..
Archie details a technique here which is both clever but also going to be troublesome to detect, but they do offer some suggestions..
While this hook is a niche one for sure, it has several glaring advantages to simply creating a system thread inside the kernel. Due to the process and thread not being valid kernel objects, attempting to access them via traditional APIs like
PsLookupProcessByProcessId
/PsLookupThreadByThreadId
will fail withSTATUS_INVALID_CID
...
The most obvious detection method is simply checking the pointer inside the
_KPRCB
. To do so, the anti-cheat would need to run on the same logical processor, or use undocumented functions likeKeQueryPrcbAddress
.
https://archie-osu.github.io/2025/04/13/powerhook.html
Hack The Sandbox: Unveiling the Truth Behind Disappearing Artifacts
Analysis from Japan on the misuse by this alleged state actor of the Windows Sandbox in their operations. Highlights once again that telemetry / observability of sandboxes is as critical as anywhere else.
LilimRAT has been observed being used by the APT group “MirrorFace” (which is a subgroup of APT10 umbrella).
LilimRAT is a customized version of the open-source Lilith RAT. It includes a function to check for the existence of the WDAGUtilityAccount user folder, and if this folder is not present, it will terminate.
Since WDAGUtilityAccount is used as the default user within Windows Sandbox, it is likely that LilimRAT was specifically designed to run only within Windows Sandbox
https://blog-en.itochuci.co.jp/entry/2025/03/12/140000
InlineWhispers3
Thijn provides an evolution of this capability that detection engineers will want to get after.
The reason for developing InlineWhispers3 (an updated version of InlineWhispers/InlineWhispers2) is to leverage the advanced features of SysWhispers3, such as indirect syscalls, in red teaming with Beacon Object Files. InlineWhispers2 often gets detected due to its use of direct system calls by certain EDR systems. Indirect system calls provide a more sophisticated method for executing system calls on Windows, significantly enhancing EDR evasion.
https://github.com/tdeerenberg/InlineWhispers3
Data Inject BOF
Jordan Jay shows once again that security features can also become attack surfaces. This is why shadow stacks and technologies like Intel PT are critical in the arms race.
Hijacks control flow via overwriting
combase.dll
's Control Flow Guard function pointers called by COM proxying functions.
https://github.com/iilegacyyii/DataInject-BOF
Connexion API Memory Implant Research
Out of China and thus noteworthy as it is memory only implant research for Connexion.
Connexion is a modern Python web framework that uses the OpenAPI specification to directly drive Python Web API development and is compatible with both synchronous (WSGI) and asynchronous (ASGI) scenarios. This article will explore the memory horse implantation methods in these two scenarios through an example of code execution under the Connexion framework.
Implementing a Password Reset Function for Persistent Access in MikroTik RouterOS
Hacker House shows how to backdoor MikroTik’s operating system. We can expect this is inspire others to deploy operationally.
This tutorial demonstrates a post-exploitation technique to establish persistent access in MikroTik RouterOS by implementing a password reset function triggered via SNMP. We will create a MikroTik script named "password reset" to clear the admin password, enable SNMP write access using the community string "opensesame," and confirm the SNMP service is operational. The process concludes with using snmpwalk to query available scripts and snmpset to execute the password reset script remotely via SNMP, ensuring continued access post-authentication.
https://github.com/hackerhouse-opensource/backdoors/blob/master/mikrotik-opensesame.md
Exploitation
What is being exploited..
China-nexus APT [allegedly] exploits Ivanti Connect Secure VPN vulnerability to infiltrate multiple entities
TeamT5 detail the scale of this alleged exploitation by China of the Invanti vulnerabilities.
The victim countries include Austria, Australia, France, Spain, Japan, South Korea, Netherlands, Singapore, Taiwan, the United Arab Emirates, the United Kingdom, and the United States. The targeted industries include Automotive, Chemical, Conglomerate, Construction, Information Security, Education, Electronics, Financial Institution, Gambling, Government, Intergovernmental Organizations (IGO), Information Technology, Law Firm, Manufacturing, Materials, Media, Non-Governmental Organizations (NGOs), Research Institute, Telecommunication.
..
Our analysis assessed with high confidence that the actor was exploiting the vulnerabilities of Ivanti Connect Secure VPN appliances to launch attacks around the globe. The actor possibly exploited CVE-2025-0282[1] or CVE-2025-22457[2] to conduct initial access.
Credential Access Campaign Targeting SonicWall SMA Devices Potentially Linked to Exploitation of CVE-2021-20035 since January 2025
Arctic Wolf detail the exploitation
On April 15, 2025, SonicWall published a product notice regarding CVE-2021-20035, a vulnerability impacting SonicWall SMA 100 series appliances. In an updated security advisory for the vulnerability, SonicWall indicated on April 15, 2025 that the vulnerability was being exploited in the wild.
..
Arctic Wolf had been tracking a campaign targeting VPN credential access on SonicWall SMA devices. This credential access campaign is thought to be related to the vulnerability mentioned in the advisory recently updated by SonicWall.
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0022
CVE-2025-24054, NTLM Exploit in the Wild
CheckPoint shed a little more on this vulnerability and its exploitation. I covered it at the time, but the March exploitation in Poland and Romania is of note given regional tensions.
CVE-2025-24054 is a vulnerability related to NTLM hash disclosure via spoofing, which can be exploited using a maliciously crafted
.library-ms
file. Active exploitation in the wild has been observed since March 19, 2025, potentially allowing attackers to leak NTLM hashes or user passwords and compromise systems. Although Microsoft released a patch on March 11, 2025, threat actors already had over a week to develop and deploy exploits before the vulnerability began to be actively abused.Around March 20–21, 2025, a campaign targeted government and private institutions in Poland and Romania. Attackers used malspam to distribute a Dropbox link containing an archive that exploited multiple known vulnerabilities, including CVE-2025-24054, to harvest NTLMv2-SSP hashes.
Initial reports suggested that exploitation occurred once the
.library-ms
file was unzipped. However, Microsoft’s patch documentation indicated that the vulnerability could even be triggered with minimal user interaction, such as right-clicking, dragging and dropping, or simply navigating to the folder containing the malicious file. This exploit appears to be a variant of a previously patched vulnerability, CVE-2024-43451, as both share several similarities.
https://research.checkpoint.com/2025/cve-2025-24054-ntlm-exploit-in-the-wild/
Active! mail exploitation
Japanese CERT warns..
On April 18, 2025, Qualitia Inc. announced a notice regarding a stack-based buffer overflow vulnerability in Active! mail. This vulnerability could allow a remote third party to execute arbitrary code or cause a denial of service (DoS) if they send a crafted request. According to the developer, attacks exploiting this vulnerability have already been confirmed.
https://www.jpcert.or.jp/at/2025/at250010.html
https://www.qualitia.com/jp/news/2025/04/18_1030.html
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
Inside Riot Vanguard's Dispatch Table Hooks
Archie walks through how Riot do their thing, allowing cyber security to once more learn from the arms race in video games.
Riot Vanguard is an anti-cheat system developed by Riot Games for their first-person shooter VALORANT. Unlike other popular anti-cheat solutions (EasyAntiCheat, Battleye), the anti-cheat driver is loaded at boot time. By loading this early in the boot process, Vanguard can inspect every driver loaded after Windows boots. This is a luxury that other anti-cheats lack, as they typically launch alongside the protected game.
On top of that, Vanguard places several hooks all throughout the kernel to get notified of certain events happening. This article, while not an exhaustive list of Vanguard’s protections, aims to document some of the techniques I observed during analysis.
https://archie-osu.github.io/2025/04/11/vanguard-research.html
hwdbg: Debugging Hardware Like Software
Mohammad Sina Karvandi, Soroush Meghdadizanjani, Saleh Khalaj Monfared, Erik van der Kouwe and Asia Slowinska show a capability which if it productised will be revolutionary.
We present hwdbg which eases hardware debugging by introducing software debugging concepts. Unlike existing approaches, hwdbg allows stepping through the hardware design cycle-by-cycle, visualizing waveforms, and inspecting values (e.g., like a logical analyzer). Users can script both passive and active debugging, modifying signals in real time. Furthermore, it has the potential for reverse engineering and chip fuzzing by injecting random signals to test functionality under different conditions. A key insight allowing hwdbg to achieve these goals is that, unlike existing approaches, it can be synthesized as an FPGA, directly interacting with the device under test in real time. We provide an open-source prototype.
https://dl.acm.org/doi/abs/10.1145/3722041.3723101
iOS 18.4 - dlsym considered harmful
Fabien Perigaud details an interesting bug..
We first observed the bug in a custom iOS application compiled for the arm64e architecture (thus supporting PAC instructions). This application makes use of dynamic symbol resolution for various system functions, by using both dlopen() and dlsym().
dlopen() takes a shared library path as argument and returns a handle which can be used by other functions of the dl API;
dlsym() takes a handle and a symbol name as arguments, and returns the corresponding address. On devices supporting PAC, this address is signed with the instruction key A and a NULL context, so it can be used for indirect calls in C (as these calls use the BLRAAZ PAC instruction).
..
There is definitely a problem:
The targetRuntimeOffset has its upper bits set.
Those bits are the same as the correct pointer signature!
It seems that the pointer returned by the resolver function has not been stripped before being converted as an offset!
https://www.synacktiv.com/en/publications/ios-184-dlsym-considered-harmful
Thread Call Stack Scanner
Michael Maltsev provides a capability which some may use offensively..
Thread Call Stack Scanner demonstrates how to safely manage the unloading of DLLs that have been hooked into a process to intercept or modify its behavior. It ensures that no thread is executing within specified memory regions, such as those belonging to a module, before proceeding with the unloading operation. This is particularly useful in scenarios where dynamically loaded modules need to be safely unloaded without causing crashes.
https://github.com/m417z/thread-call-stack-scanner
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Annual report
Nothing overly of note this week
Good Practices for protecting Unmanned Aircraft Systems (UAS) against Cyber Security Threats - CERT India
Artificial intelligence
Books
Securing the Digital Frontier - Cyber Security for Responsible Citizens and Strategic Thinkers
Events
Unless stated otherwise, linked or referenced content does not necessarily represent the views of the NCSC and reference to third parties or content on their websites should not be taken as endorsement of any kind by the NCSC. The NCSC has no control over the content of third party websites and consequently accepts no responsibility for your use of them.
This newsletter is subject to the NCSC website terms and conditions which can be found at https://www.ncsc.gov.uk/section/about-this-website/terms-and-conditions and you can find out more about how will treat your personal information in our privacy notice at https://www.ncsc.gov.uk/section/about-this-website/privacy-statement.