CTO at NCSC Summary: week ending August 4th
The northern hemisphere cyber summer is here... reporting is down... threat actor activity is not...
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week nothing overly of note beyond the fact that multiple criminal groups had access to the VMWare ESXi vulnerability and were using it to deploy ransomware..
In the high-level this week:
CyberThreat 2024 - NCSC UK announces - “SANS and the NCSC are pleased to announce CyberThreat 2024 will be taking place at the Novotel London West in Hammersmith on Monday 9 December and Tuesday 10 December 2024.”
ICO reprimands the Electoral Commission after cyber attack compromises servers - UK Information Commissioners Office "[threat actors] successfully accessed the Electoral Commission’s Microsoft Exchange Server by impersonating a user account and exploiting known software vulnerabilities in the system that had not been secured"
UAE to issue 3 new policies to boost cybersecurity by end of 2024 - Gulf Today reports - the new policies being developed include "cloud computing and data security”, "Internet of Things security”, and "cybersecurity operations centres”
ECB concludes cyber resilience stress test - European Central Bank reports - “The exercise was launched in January 2024 and featured a fictitious stress test scenario under which all preventive measures failed and a cyberattack severely affected the databases of each bank’s core systems. The stress test therefore focused on how banks would respond to and recover from a cyberattack, rather than on how they would prevent it.”
SEC v. SolarWinds Update: U.S. Federal District Court Dismisses Most of the SEC’s Case, but Some Fraud Claims and CISO Liability Remain - The National Law Review reports - “The court upheld the SEC’s scienter-based fraud claims against both parties related to the security statement posted on SolarWinds’ website prior to the attack, finding the statement actionable under the securities laws, and that Brown could also be held potentially liable under Section 10(b) of the Exchange Act and Section 17(a) of the Securities Act for its false and misleading content.”
Cyber ransom payments will need to be disclosed by businesses under new laws - ABC News reports - “The [Australian] Cyber Security Act would force businesses to disclose when they pay ransom to a hacker, and prevent the information from being passed on to regulators.”
It Is Time to Act - Dan Geer opines - “Therefore, if we choose to act on what we know, then we also know that security policy and competition policy are henceforth conjoined. We cannot and will not have zero cascade failures if any tech is allowed to become universal, to become a monopoly in its sphere. We cannot and will not have an absence of unmitigable surprise if we do not require no silent failure and if we do not require pre-built, testable mitigations for detectable failures.”
Is Canada Prepared for Incoming Cyber Threats? - CDA Institute interviews - Caroline Xavier, Chief of the Communications Security Establishment Canada (CSE) to discuss emerging cyber and foreign interference threats Canada faces
NSA Publishes Enduring Security Framework Document Providing Recommendations for U.S. Government, Industry, and Academia to Engage Standards Development Organizations - NSA press releases - “The report, “Recommendations for Increasing U.S. Participation & Leadership in Standards Development,” recognizes both economic reasons and national security concerns requiring increased U.S. participation in standards development organizations (SDOs). U.S. participation in standards is critical to protecting the security of the American people, expanding economic opportunity, and defending democratic values. “
A Cyber Force Is Not the Only Solution - War on the Rocks opines - “A novel approach to personnel management, with distinct offensive cyber, defensive cyber, and electronic warfare specialties and further sub-specialization within each of those fields, would also require redesigned career roadmaps.”
Cyber attacks on shipping rise amid geopolitical tensions - Financial Times Reports - “Shipowners, ports and other maritime groups faced at least 64 cyber incidents in 2023, a review of company, media and academic reports by researchers at the Netherlands’ NHL Stenden University of Applied Sciences has found. A decade earlier, there were three, and zero in 2003.”
New challenge set to put printed circuit boards to the test - HMGCC press releases - HMGCC Co-Creation wants companies and academia to apply to a five-month, funded project, aimed at developing ways to robustly assure printed circuit boards (PCBs).
Reporting on/from China
A serious cyberattack on the Federal Office of Cartography and Geodesy can be attributed to Chinese state attackers and was used for espionage - German Federal Government attributes - “[We] today assigned responsibility for a serious cyber attack on the Federal Office of Cartography and Geodesy ( BKG ) at the end of 2021 to Chinese state actors and condemned them in the strongest possible terms . According to the findings of the security authorities, these Chinese cyber actors infiltrated the BKG 's network for espionage purposes .”
The Rise of Party Law: Rewiring the Party, Recalibrating the Party-State Relationship - The China Journal journals - “The rise of Party law is at once rewiring the Party internally and recalibrating the Party’s relationship with its state. The result is a potent set of tools for putting into practice the notion that “the Party leads everything,” foregrounding the Party in governance processes, and making Party members and organizations more obedient, pliable and responsive to the Party Center.”
The next generation Loongson 3B6600 is comparable to the mid-to-high-end [Intel] 12th/13th generation Core and can run Windows! Loongson 3C6000 doubles performance - EET China reports - “According to actual tests, the single-core and multi-core performance of Loongson 3B6600 can reach the mid-to-high-end level of Intel's 12th/13th generation Core, which is comparable to the i5 and i7 series.”
Artificial intelligence
AI-Powered Bug Hunting - Evolution and benchmarking - Alfredo Ortega researches - “While AI holds promise for assisting with bug hunting, its actual impact remains unclear. This presentation addresses this doubt by introducing CrashBenchmark, a standardized evaluation framework for AI-driven static analysis tools. We’ll share results from a simple bug-hunting AI agent, AutoKaker, and discuss the implications for optimizing AI-based bug hunting in C/C++ code bases.”
The AI summer - Ben Evans opines - “Hundreds of millions of people have tried ChatGPT, but most of them haven’t been back. Every big company has done a pilot, but far fewer are in deployment. Some of this is just a matter of time. But LLMs might also be a trap: they look like products and they look magic, but they aren’t. Maybe we have to go through the slow, boring hunt for product-market fit after all.”
Risk Management Profile for AI and Human Rights - United States Department of State releases - “a practical guide for organizations—including governments, the private sector, and civil society—to design, develop, deploy, use, and govern AI in a manner consistent with respect for international human rights.”
AI – Trustworthy By Design: How to build trust in AI systems, the institutions that create them and the communities that use them - Demos releases - “Trust, however, can be a nebulous concept. People extol its virtues and study it in surveys (according to the 2024 Edelman Trust Barometer survey the AI industry is the only sector that did not experience a year-on-year boost in trust) but there is a lack of clarity around what it means to have or lose trust and about how it is best achieved.”
Artificial intelligence breakthroughs create new ‘brain’ for advanced robots - Financial Times reports - “Generative AI [has been] applied to stupid things that don’t matter, like back-office tasking or accounting software, but applying generative AI to scientific discovery is the most impactful thing that we could do,” Ponce said.
Cyber proliferation
Data breach exposes US spyware maker behind Windows, Mac, Android and Chromebook malware - TechCrunch reports - “The data shows that Spytech’s spyware — Realtime-Spy and SpyAgent, among others — has been used to compromise more than 10,000 devices since the earliest-dated leaked records from 2013, including Android devices, Chromebooks, Macs, and Windows PCs worldwide.” - map shows UK impact.
Bounty Hunting
Rewards for Justice – Reward Offer for Information on North Korean Malicious Cyber Actor Targeting U.S. Critical Infrastructure - US Department of State mobilises bounty hunters - “In one computer intrusion operation that began in November 2022, the malicious cyber actors hacked a U.S.-based defense contractor from which they extracted more than 30 gigabytes of data, including unclassified technical information regarding material used in military aircraft and satellites, much of which was from 2010 or earlier.”
How much will CrowdStrike cost? Two opposing views
Coalition: Modelling indicates CrowdStrike US cyber insurance loss below $1bn - Artemis reports - “The US cyber insurance industry loss from the recent CrowdStrike related IT outage is expected to come in below $1 billion, according to specialist insurer Coalition, with the company saying its modelling suggests a lower bound of $270 million or even lower, while the upper-bound is $960 million.”
Fortune 500 firms to see $5.4 bln in CrowdStrike losses, says insurer Parametrix - Reuters reports - “Insured losses from the outage will likely total $540 million to $1.08 billion for the Fortune 500 companies, Parametrix said in a statement.” … “Hatzor estimated that financial losses globally from the outage could total around $15 billion, as companies struggle to get their computers back up to speed. Global insured losses could total around $1.5-3 billion, Hatzor added.”
CrowdStrike is sued by shareholders over huge software outage - Reuters reports - “In a proposed class action filed on Tuesday night in the Austin, Texas federal court, shareholders said they learned that CrowdStrike's assurances about its technology were materially false and misleading when a flawed software update disrupted airlines, banks, hospitals and emergency lines around the world”
Cyber insurance 2024 - Howden retrospective from June - “Howden’s Global Cyber Insurance Pricing Index shows the rapid transition from triple-digit rate increases in 2021/22 to double-digit reductions in 2023/24. The index is now down 15% on the peak recorded in mid-2022. In addition to price decreases (which vary significantly by sector, region and risk profile, with competition highest in remote risk layers), capacity is up and insurers are also willing to increase limits, remove cover restrictions (ransomware-related) and lower retention levels.”
Reflections this week come back to software liability and market incentives.
Security vulnerabilities can be seen as a subset of software/hardware bugs unless by design and thus both are a symptom of quality more generally.
The fact that today technology producers, be they shipping product to customers or running SaaS, can contract away liability for the most part (GDPR being a notable exception in the services space) means that quality in design and implementation are nice to haves. There will be exceptions to this generalisation such as where a vendor is differentiating themselves and making security and/or quality an enduring corporate principle. In these situation they are willing to have it cost the firm growth, profit or both. But there is a risk even in these situations that corporate priorities may change over time due to business performance and pressures..
An example of the typical contracting approach around software liability can be seen in this legal advice on liability.
A form software license agreement should contain a waiver of consequential damages provision and an aggregate liability cap provision in favor of the licensor (these two provisions are often referred to collectively as “limitation of liability”).
Now given that the above is pretty much an industry standard approach to managing said liability we should not be surprised that without sufficient enduring and unwavering incentives for vendors e.g. liability, that quality and thus security may be a temporal or partial consideration at best or worse case entirely optional..
Think someone else would benefit? Share:
All attribution is by others and not the UK Government unless specifically stated as such, please see the legal text at the end.
Have a lovely Thursday..
Ollie
Cyber threat intelligence
Who is doing what to whom and how allegedly.
Reporting on Russia
Operation ShadowCat: Targeting Indian Political Observers via a Stealthy RAT
CRIL reports on this alleged Russian speaking threat actor using LNK files in phishing emails for the initial access.
When the user executes the LNK file, it triggers the infection process, which runs a PowerShell command to drop and execute a .NET loader, ultimately delivering the final payload to the victim’s machine.
The Threat Actor (TA) employs steganography to conceal a malicious Gzip-compressed payload within a PNG file, which is hosted on a Content Delivery Network (CDN).
The decompressed payload is then injected into PowerShell.exe using the Asynchronous Procedure Call (APC) injection method.
The final payload is a RAT (Remote Access Trojan) written in Go. It is designed to take control of the compromised machine and deploy ransomware on the victim’s device.
The TA excludes infections from Russian-speaking regions, indicating that the TA could potentially be a Russian-speaking individual or group.
Based on the lure used in this campaign, we observed that the TA is targeting individuals with a keen interest in Indian political affairs. This could include government officials, political analysts, journalists, researchers, and think tanks who closely follow parliamentary proceedings.
Reporting on China
APT41 likely compromised Taiwanese government-affiliated research institute with ShadowPad and Cobalt Strike
Joey Chen, Ashley Shen and Vitor Ventura detail this alleged China nexus actor where the initial access mechanism is not known but the lateral movement was the point of detection, Note the memory based payload of to exploit a vulnerability, thus not touching persistence....
Cisco Talos discovered a malicious campaign that compromised a Taiwanese government-affiliated research institute that started as early as July 2023, delivering the ShadowPad malware, Cobalt Strike and other customized tools for post-compromise activities.
The activity conducted on the victim endpoint matches the hacking group APT41, alleged by the U.S. government to be comprised of Chinese nationals. Talos assesses with medium confidence that the combined usage of malware, open-source tools and projects, procedures and post-compromise activity matches this group’s usual methods of operation.
The ShadowPad malware used in the current campaign exploited an outdated vulnerable version of Microsoft Office IME binary as a loader to load the customized second-stage loader for launching the payload.
We also discovered that APT41 created a tailored loader to inject a proof-of-concept for CVE-2018-0824 directly into memory, utilizing a remote code execution vulnerability to achieve local privilege escalation.
In August 2023, Cisco Talos detected abnormal PowerShell commands connected to an IP address to download PowerShell script for execution in the environment of the target. We performed an investigation based on our telemetry and found the earliest infiltration trace from mid July, 2023. We currently lacked sufficient evidence to conclusively determine the initial attack vector.
Cuckoo Spear – the latest Nation-state Threat Actor targeting Japanese companies
Jin Ito, Loïc Castel and Kotaro Ogino discuss this alleged China nexus threat actor which is an older name that some will recognise. The point of note here are the persistence mechanism they use on Microsoft Windows for all you threat hunters.
Cuckoo Spear is related to the APT10 Intrusion Set because of the links made between various incidents from Threat Actors “Earth Kasha” (Trend Micro *) and “MirrorFace” including both APT10’s old arsenal (LODEINFO)
..
A variety of different techniques were used to lure in potential victims, but the Threat Actors mainly rely on Spear-Phishing as the common initial access technique with LODEINFO; however, malicious actors have started to shift their tactics to exploiting vulnerabilities. NOOPDOOR must be loaded first on the victim machines, which is done through persistence mechanisms and [we] observed three different methods:
Scheduled Tasks
WMI Consumer Events
Windows Services
https://www.cybereason.com/blog/cuckoo-spear
Reporting on North Korea
8,400 Hackers in North Korea… Jointly Developing Malware with Russia
Shin Jin-woo and Shin Gyu-jin report on alleged collaboration with Russia and growth in North Korean capability based on what appears South Korean government reporting.
The National Intelligence Service estimates that there are about 8,400 people involved in cybercrime in North Korea. In the '2022 Defense White Paper' recently published by the Ministry of National Defense, the number was around 6,800, but the intelligence authorities re-evaluated the number as a 20% increase in two years.
..
Intelligence authorities believe that North Korea and Russia have already laid the foundation for joint research and mutual education related to hacking technology through the 'Comprehensive Strategic Partnership Treaty' agreed upon at the summit last month. A government source said, “North Korea and Russia appear to be jointly developing or mutually sharing key malicious codes used for hacking.” Previously, North Korea and Russia signed this treaty with “mutual cooperation to jointly respond to increasing challenges and threats in fields of strategic significance, such as safety in the field of information and communication technology (Article 9)” and “international information and communication technology (Article 9).”
Analysis of Kony APT campaign using AutoIt defense evasion tactics
Genians details this alleged North Korean campaign attempt to evade detection through a commercial scripting solution. Also note the use of tried and tested social engineering and LNK files to initial code execution.
Approaching under the guise of requesting submission of explanatory materials in response to a tax evasion report
Luring people by deceiving them and amplifying their anxiety, as if they were subject to a tax investigation by the National Tax Service and the source of funds.
Attempts to infiltrate terminals and conduct internal reconnaissance using shortcut (LNK) type malicious files
Calling malicious script commands using AutoIt normal program
Threat Actors Behind the DEV#POPPER Campaign Have Retooled and are Continuing to Target Software Developers via Social Engineering
Den Iuzvyk and Tim Peck details this non-specific alleged North Korean campaign targeting software developers.
Based on the gathered telemetry, no specific trend in victimology was identified. However, analysis of the collected samples revealed victims are primarily scattered across South Korea, North America, Europe, and the Middle East, indicating that the impact of the attack is widespread.
Stressed Pungsan: DPRK-aligned threat actor leverages npm for initial access
Sebastian Obregoso and Zack Allen detail this alleged initial access operation by North Korea using npm. Not the specific platform targeting of Windows..
On July 7, 2024, npm user
nagasiren978published two malicious packages to the npm registry on npmjs.org.These packages, "harthat-hash" and "harthat-api", contain malicious code that installs additional malicious software from a command and control (C2) server.
This C2 server mostly served malicious batch scripts and one DLL, indicating a victim target set of Windows.
The tactics, techniques, and procedures (TTPs) behind the malicious packages, C2 infrastructure, and targeting sets align closely with what Microsoft calls MOONSTONE SLEET, an actor aligned with the Democratic People’s Republic of Korea (DPRK, also referred to as North Korea).
We internally name this cluster Stressed Pungsan. (We align nation-state threat actor clusters with their national breeds, and the Pungsan is a dog native to North Korea.)
Reporting on Iran
Nothing this week
Reporting on Other Actors
“EchoSpoofing” — A Massive Phishing Campaign Exploiting Proofpoint’s Email Protection to Dispatch Millions of Perfectly Spoofed Emails
Nati Tal shows how criminal actors are able to understand and exploit trust relationships in the cloud to conduct their operations. Now imagine if this has been used by a nation state. Now also imagine how many other of these also exist!
[We] uncovered a critical in-the-wild exploit of Proofpoint’s email protection service, responsible for securing 87 of the Fortune 100 companies. Dubbed “EchoSpoofing”, this issue allowed threat actors to dispatch millions of perfectly spoofed phishing emails, leveraging Proofpoint’s customer base of well-known companies and brands such as Disney, IBM, Nike, Best Buy, and Coca-Cola. These emails echoed from official Proofpoint email relays with authenticated SPF and DKIM signatures, thus bypassing major security protections — all to deceive recipients and steal funds and credit card details.
then Proof Point released their own perspective on the same campaign (my highlight):
In March, Proofpoint researchers identified spam campaigns being relayed through a small number of Proofpoint customers’ email infrastructure by sending spam from Microsoft 365 tenants
All analyses indicate this activity was conducted by one spam actor, whose activity we do not attribute to a known entity
The root cause is a modifiable email routing configuration feature on Proofpoint servers to allow relay of organizations’ outbound messages from Microsoft 365 tenants, but without specifying which M365 tenants to allow
To resolve the issue, Proofpoint implemented a streamlined administrative interface for customers to specify which M365 tenants are allowed to relay, with all other M365 tenants denied by default
Any email infrastructure that offers this email routing configuration feature can be abused by spammers
Analyzing Malicious CrowdStrike Domains: Who Is Affected and What Could Come Next
Akamai dust off the crystal ball and analyse some data here.
We identified the top trafficked malicious domains associated with the CrowdStrike incident and have developed a list of indicators of compromise (IOCs) for block list consideration or to analyze further on your own.
One of the malicious domains observed here was ranked in the top 200,000 sites for associated keywords.
Nonprofit and education were among the top industries affected, collectively composing more than 20% of the observed attack traffic.
In this blog post, we explore some of the types of scams that are currently active and look into who is being targeted, and we provide mitigation tips for both organizations and individuals affected by this incident.
UNC4393 Goes Gently into the SILENTNIGHT
Josh Murchie, Ashley Pearson, Joseph Pisano, Jake Nicastro, Joshua Shilko and Raymond Leong provide a retrospective on this threat actor including their initial access tradecraft..
[We] detail the evolution of UNC4393's operational tactics and malware usage throughout its active lifespan, with a focus on the period following the QAKBOT botnet takedown. We will highlight the cluster's transition from readily available tools to custom malware development as well as its evolving reliance on access brokers and diversification of initial access techniques.
..
Early UNC4393 activity nearly exclusively involved leveraging existing QAKBOT infections delivered via phishing for initial access. In late 2023, several months after the QAKBOT infrastructure takedown by the FBI and the United States Justice Department, UNC4393 began leveraging other distribution clusters for initial access, specifically those delivering DARKGATE, again via phishing. This relationship was short-lived, however, as only a few months later UNC4393 was observed following successful UNC5155 SILENTNIGHT intrusions. As a result, UNC4393 has demonstrated a willingness to cooperate with multiple distribution clusters to complete its actions on objectives.
SILENTNIGHT is a C/C++ backdoor that communicates via HTTP/HTTPS and may utilize a domain generation algorithm (DGA) for C2. Its plug-in framework allows for versatile functionality, including system control, screenshot capture, keylogging, file management, and cryptocurrency wallet access. It also targets credentials through browser manipulation.
Initially observed in late 2019, Mandiant saw a brief lull in SILENTNIGHT usage before a resurgence in mid-2021, lasting only a few months. This was followed by a significant hiatus that lasted until late 2023. This most recent surge of SILENTNIGHT activity, beginning earlier this year, has been primarily delivered via malvertising. This marked a notable shift away from phishing as UNC4393's only known means of initial access.
https://cloud.google.com/blog/topics/threat-intelligence/unc4393-goes-gently-into-silentnight
Discovery
How we find and understand the latent compromises within our environments.
How AitM phishing kits evade detection
Luke Jennings shows the level of operational security considerations we have now reached in commodity frameworks. We are no longer in Kansas..
A key feature of the NakedPages kit is that it has several stages and redirections and, in order for it to operate as intended, the target has to arrive at the beginning. The first step involves visiting a URL that is simply a Cloudflare Worker. Cloudflare Workers are a serverless execution environment, a bit like AWS lambdas.
The benefit to the attacker is that this gives them a highly reputable primary domain as it is one owned and operated by Cloudflare. Flagging recently registered or uncategorized/rare domains for further analysis won’t work for this.
https://pushsecurity.com/blog/how-aitm-phishing-kits-evade-detection/
Threat Hunting - Suspicious Named pipes
mthcht provides a practical walk through of the techniques of finding suspicious Windows named pipes.
https://detect.fyi/threat-hunting-suspicious-named-pipes-a4206e8a4bc8
Velociraptor artifact assists scoping for suspicious ESX Admin group activity associated with CVE-2024-37085
Matt Green does what he does best here.. thanks Matt!
This artifact assists scoping for suspicious ESX Admin group activity associated with CVE-2024-37085.
Microsoft researchers discovered CVE-2024-37085 after it was used as a post-compromise attack technique used by a number of ransomwre operators.
There are 3 methods of exploitation:
Adding the “ESX Admins” group to the domain and adding a user to it.
Renaming any group in the domain to “ESX Admins” and adding a user to the group or using an existing group member.
Even if the network administrator assigns any other group in the domain to
be the management group for the ESXi hypervisor, the full administrative privileges to members of the “ESX Admins” group may still be applied.
https://github.com/rapid7/Rapid7-Labs/blob/main/Vql/CVE-2024-37085.yaml
Defence
How we proactively defend our environments.
Verifying components of Arm® Confidential Computing Architecture with ESBMC
Tong Wu, Edoardo Manino, Gareth Stockwell and Lucas C. Cordeiro show what assurance should look like..
Realm Management Monitor (RMM) is an essential firmware component within the recent Arm Confidential Computing Architecture (Arm CCA). Previous work applies formal techniques to verify the specification and prototype reference implementation of RMM. However, relying solely on a single verification tool may lead to the oversight of certain bugs or vulnerabilities.
This paper discusses the application of ESBMC, a state-of-the-art Satisfiability Modulo Theories (SMT)-based software model checker to further enhance RRM verification. We demonstrate ESBMC’s ability to precisely parse the source code and identify specification failures within a reasonable time frame. Moreover, we propose potential improvements for ESBMC to enhance its efficiency for industry engineers. This work contributes to exploring the capabilities of formal verification techniques in real-world scenarios and suggests avenues for further improvements to better meet industrial verification needs.
https://ssvlab.github.io/lucasccordeiro/papers/sas2024.pdf
Windows Security best practices for integrating and managing security tools
David Weston details how Microsoft is responding to the CrowdStrike incident. It will be interesting if some of the kernel APIs get exposed to userland to reduce the need for drivers beyond merely access to data.
Windows is a self-protecting operating system that has produced dozens of new security features and architectural changes in recent versions. We plan to work with the anti-malware ecosystem to take advantage of these integrated features to modernize their approach, helping to support and even increase security along with reliability.
This includes helping the ecosystem by:
Providing safe rollout guidance, best practices, and technologies to make it safer to perform updates to security products.
Reducing the need for kernel drivers to access important security data.
Providing enhanced isolation and anti-tampering capabilities with technologies like our recently announced VBS enclaves.
Enabling zero trust approaches like high integrity attestation which provides a method to determine the security state of the machine based on the health of Windows native security features.
Introducing Sigma Filters
Alex details this new feature which will help where there are organisation specific considerations which you want to apply in only a filter.
Sigma Filter rules are built as an extension on the Sigma rule format — that allow you to build filters that sit independently from your Sigma rules.
Made possible from the development around pySigma — a full re-write of the Sigma conversion strategy — we designed Filters to re-think how SOCs write, develop and integrate exclusions into their Sigma detection-as-code strategy.
https://blog.sigmahq.io/introducing-sigma-filters-204bd8496273
How to use your own certificates to secure your Velociraptor deployment
Chris Hayes provides a practical guide on how to tighten up the security around Velociraptor deployment.. now like security infrastructure has ever been the soft underbelly.
https://reliancecyber.com/research/secure-velociraptor-deployment-digicert-certificates/
Incident Writeups & Disclosures
How they got in and what they did.
DigiCert Revocation Incident
(CNAME-Based Domain Validation)
Operational oops..
Recently, we learned that we did not include the underscore prefix with the random value used in some CNAME-based validation cases. This impacted approximately 0.4% of the applicable domain validations we have in effect. Under strict CABF rules, certificates with an issue in their domain validation must be revoked within 24 hours, without exception.
https://www.digicert.com/support/certificate-revocation-incident
Vulnerability
Our attack surface.
FreeRTOS Buffer Over-Read in DNS Response Parser
This is interesting because FreeRTOS is used on among other things cube satellites. DNS exploits in spaaccceee..
https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/security/advisories/GHSA-ppcp-rg65-58mv
PKfail: Untrusted Platform Keys Undermine Secure Boot on UEFI Ecosystem
There will be potentially a long tail of vulnerability stemming from this..
Poor cryptographic materials management and appearance of the private keys directly in the code repositories with the hardcoded path from the build scripts.
Usage of the non-production cryptographic keys responsible for the platform security of production firmware and devices.
No rotation of the platform security cryptographic keys per product line. For example, the same cryptographic keys were confirmed on client and server-related products. Similar behavior was detected with Intel Boot Guard reference code key leakage.
The same OEM used the same platform security-related cryptographic keys for firmware produced for different device manufactures. Similar behavior was detected with Intel Boot Guard reference code key leakage.
https://www.binarly.io/blog/pkfail-untrusted-platform-keys-undermine-secure-boot-on-uefi-ecosystem
Anyone can Access Deleted and Private Repository Data on GitHub
Of the listed vulnerabilities the ‘Accessing Private Repo Data’ is likely the only one of material worry, but it should be noted this is all by design.
https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github
Offense
Attack capability, techniques and trade-craft.
Specula - Turning Outlook Into a C2 With One Registry Change
Christopher Paschen and Oddvar Moe release a capability which we can expect to be exploited in 3..2.. - oh wait it was already allegedly used by Iranian threat actors previously.
There exist a few singular Registry changes that any non-privileged user can make that transform the Outlook email client into a beaconing C2 agent. Given that outlook.exe is a trusted process, this allows an attacker persistent access to a network that we have found often goes unnoticed. This technique has been reported on before and despite that continues to be a weak point in many otherwise very well-guarded networks.
Today, TrustedSec is releasing Specula (our previously internal framework) into the world, for leveraging this simple Registry change into an initial access platform. We have frequently leveraged Specula in our social engineering, phishing, and trusted insider attack paths.
..
The Outlook home page was thought to have been patched in Knowledge Bases (KBs) listed under https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-11774. After the KB is installed, the UI elements related to Outlook's home page will be gone. This leads one to believe the associated functionality has been removed. Unfortunately, the Registry values that would have been set when the removed UI elements were used still get used by Outlook, even in current Office 365 installs.
https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change
Persisting on Entra ID applications and User Managed Identities with Federated Credentials
Dirk-jan Mollema shows a consideration for those dealing with post compromise environments. Also likely provided inspiration to some threat actors also..
an alternative approach attackers can use to configure credentials on Entra ID applications and Azure User Managed Identities. It can help them persist in environments or even elevate privileges if they can compromise a service principal with high privileges.
https://dirkjanm.io/persisting-with-federated-credentials-entra-apps-managed-identities/
Exploitation
What is being exploited.
CVE-2024-4879 and CVE-2024-5217 (ServiceNow RCE) Exploitation in a Global Reconnaissance Campaign
Consequences will no doubt be wide ranging..
As soon as vulnerability intelligence information was released, multiple threat actors immediately began arranging mass-scanning to identify vulnerable ServiceNow instances. Resecurity closely monitored several actors, which allowed us to collect enough context about their modus operandi (MO). The catalyst for exploitation was the public release of a proof-of-concept (POC) for cybersecurity awareness purposes. One of the most actively probed CVEs by threat actors was CVE-2024-4879, which allows an unauthenticated user to remotely execute code within the Now Platform. This vulnerability exploits three issues by chaining together: title injection, template injection mitigation bypass, and filesystem filter bypass, to access ServiceNow data, but on practice such requests could be used separately.
Ransomware operators exploit ESXi hypervisor vulnerability for mass encryption
Interesting that various criminal groups had access to this tradecraft..
Microsoft researchers have uncovered a vulnerability in ESXi hypervisors being exploited by several ransomware operators to obtain full administrative permissions on domain-joined ESXi hypervisors.
Microsoft security researchers identified a new post-compromise technique utilized by ransomware operators like Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest in numerous attacks. In several cases, the use of this technique has led to Akira and Black Basta ransomware deployments. The technique includes running the following commands, which results in the creation of a group named “ESX Admins” in the domain and adding a user to it
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
LocalKdc: Info on how to use Kerberos KDC on a non-domain joined host
Jordan Borean goes down the Kerberos Windows rabbit hole and provides a bootstrap which will no doubt inspire some tooling.
This is an example program that can run a Kerberos Key Distribution Center (KDC) on a Windows host and have Windows authenticate to that without joining it to a domain. The code in here is a proof of concept and does not cover all use cases.
Contrary to popular belief, Windows does not need to be joined to a domain to work with Kerberos authentication. If provided with enough information it can attempt to locate the KDC and request the TGT and service ticket from it. For example if someone attempts to access the fileshare
\\server\sharewith the credentialuser@contoso.comWindows will attempt to find the KDC for the realmcontoso.com.
https://github.com/jborean93/LocalKdc
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Aggregate reporting
Nothing of note this week
Maritime Cyber Attack Database (MCAD) - MCAD is a Maritime Cyber Attack Database consisting of incidents dating back to 2001.
US National Cyber Director Opens 2024 Presidential Cybersecurity Education Award Nominations
The Gili Ra’anan model: Questions emerging from Cyberstarts' remarkable success
Artificial intelligence
Nothing this week
Books
Invisible Rulers: The People Who Turn Lies into Reality - What we used to call influence has become something violently toxic. Renée DiResta gives us a powerful original framing to explain how it now shapes public opinion through a virtual rumor mill of niche propagandists.
Events
Nothing this week
Unless stated otherwise, linked or referenced content does not necessarily represent the views of the NCSC and reference to third parties or content on their websites should not be taken as endorsement of any kind by the NCSC. The NCSC has no control over the content of third party websites and consequently accepts no responsibility for your use of them.
This newsletter is subject to the NCSC website terms and conditions which can be found at https://www.ncsc.gov.uk/section/about-this-website/terms-and-conditions and you can find out more about how will treat your personal information in our privacy notice at https://www.ncsc.gov.uk/section/about-this-website/privacy-statement.