Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week nothing overly of note beyond the ISP compromise by an alleged Chinese threat actor in order to hijack DNS requests to exploit insecure software update mechanisms..
In the high-level this week:
Looking back at the ballot – securing the general election - UK’s National Cyber Security Centre CEO Felicity Oswald shares reflections on keeping the 2024 General Election safe.
Introducing Active Cyber Defence 2.0 - UK’s National Cyber Security Centre launches - “In pursuit of this goal, we have set these principles for ACD 2.0:
The NCSC will only deliver solutions where the market is not able to – whether that’s due to our unique position in government, scaling abilities, capabilities or authorities
The NCSC will look to divest most of our new successful services within 3 years – to another part of government or the private sector to run on an enduring basis”
Provisional decision to impose £6m fine on software provider following 2022 ransomware attack that disrupted NHS and social care services - UK Information Commissioner Office fines -“The provisional decision to issue a fine relates to a ransomware incident in August 2022, where we have provisionally found that hackers initially accessed a number of Advanced’s health and care systems via a customer account that did not have multi-factor authentication. “
The National Counterintelligence Strategy - US Office of the Director of National Intelligence releases - “The People’s Republic of China (PRC) and Russia represent the most significant intelligence threats, but a range of other state and non-state actors also target the United States. Commercial entities are playing increasingly important enabling roles for FIEs.”
Secure by Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem - CISA releases - “we lay out questions and resources that organizations buying software can use to better understand a software manufacturer’s approach to cybersecurity and ensure that the manufacturer makes secure by design a core consideration.” - think of this as trying to create market incentives through demand..
Sellafield apologises after guilty plea over string of cybersecurity failings - The Guardian reports - “Among the failings at the vast nuclear waste dump in Cumbria was the discovery that 75% of its computer servers were vulnerable to cyber-attacks, Westminster magistrates court in London heard.”
Progress Announces Conclusion of SEC Investigation into MOVEit - Progress releases - “the Securities and Exchange Commission’s Division of Enforcement (SEC) has concluded its fact-finding investigation into the MOVEit vulnerability. The SEC has notified Progress that it does not intend to recommend an enforcement action against the company at this time.”
National Cyber Emergency Plan - Ireland’s National Cyber Security Centre details - ”The National Cyber Emergency Plan (NCEP) sets out the national approach for responding to serious cyber security incidents that affect the confidentiality, integrity, and availability of nationally important information technology and operational technology systems and networks.”
United Nations convention against cybercrime adopted - United Nations releases - the global implications of which will take a while to filter through..
U.S. Trades Cybercriminals to Russia in Prisoner Swap - Krebs on Security reports - “Among those in the prisoner swap is Roman Seleznev, 40, who was sentenced in 2017 to 27 years in prison for racketeering convictions tied to a lengthy career in stealing and selling payment card data.”
Second U.S.-Singapore Critical and Emerging Technology Dialogue - The White House press releases - “Exploring collaborations on mutually beneficial areas such as the inventorization and migration of cryptographic assets, crypto agility, and the security assurance of quantum safe products as well as investments in our respective national quantum safe and information sciences initiatives.”
Master Directions on Cyber Resilience and Digital Payment Security Controls for non-bank Payment System Operators - Reserve Bank of India issues - “The Board of Directors (Board) of the PSO shall be responsible for ensuring adequate oversight over information security risks, including cyber risk and cyber resilience. However, primary oversight may be delegated to a sub-committee of the Board, headed by a member with experience in information / cyber security, which shall meet at least once every quarter.”
How Are Cyberattacks Fueling North Korea’s Nuclear Ambitions? - Center for Strategic International Studies assesses - “Ransomware, coupled with other illegal financial activities, such as the recent defrauding of over 300 U.S. companies, is essentially an effective way for the regime to ensure the financing of its weapons programs, usually in direct violation of U.S. and UN sanctions.”
A Visual Exploration of Exploits in the Wild - The Inaugural Study of EPSS Data and Performance - Cyentia Institute analyses - “Remediating vulnerabilities with an EPSS score of 0.6+ achieves a coverage of ~60% with 80% efficiency”
Turning the screws: The pressure tactics of ransomware gangs - Sophos asserts - “Ransomware operators increasingly weaponize legitimate entities – such as the news media, legislation, civil regulatory enforcement authorities, and even law enforcement – to ramp up pressure on victims”
Reporting on/from China
Intrusion Truth Asks “Is the CCP the biggest APT?” - Intrusion Truth asserts - “Following the leaks, EARTH LUSCA have now been identified as a likely penetration arm of I-Soon, given the overlap in IP locations, malware and victims (which includes gambling companies, COVID-19 research organizations, educational institutions in Taiwan and Hong Kong as well as telecoms companies and various government institutions globally.)”
China data watchdog plans tighter control of internet users - Financial Times reports - “China’s powerful data watchdog has proposed tighter controls over users’ online information, including a nationwide rollout of digital IDs, in a move that met sharp pushback from leading technology experts.”
With Smugglers and Front Companies, China Is Skirting American A.I. Bans - New York Times reports - “In one case, Chinese executives bypassed U.S. restrictions when they created a new company that is now one of China’s largest makers of A.I. servers and a partner of Nvidia, Intel and Microsoft. American companies have found workarounds to keep selling some products there. And an underground marketplace of smugglers, backroom deals and fraudulent shipping labels is funneling A.I. chips into China, which does not consider such sales illegal.” - Where is Han Solo when you need him?
US expected to propose barring Chinese software in autonomous vehicles - Reuters reports - “The Biden administration plans to issue a proposed rule that would bar Chinese software in vehicles in the United States with Level 3 automation and above, which would have the effect of also banning testing on U.S. roads of autonomous vehicles produced by Chinese companies.”
China launches first satellites of constellation to rival Starlink, newspaper reports - Reuters reports - “The launch is part of SSST's "Thousand Sails Constellation" plan, also known as the "G60 Starlink Plan", which began last year and aims to deploy more than 15,000 low Earth orbit (LEO) satellites.”
Artificial intelligence
Eliminating Memory Safety Vulnerabilities Once and For All - DARPA press releases - “DARPA initiates a new program to automate the translation of the world’s highly vulnerable legacy C code to the inherently safer Rust programming language” - AI for good!
The EU AI Act: National Security Implications - Centre for Emerging Technology and Security explains - “What are the key provisions of the Act?
Establishes a tiered, risk-based approach to AI regulation.
Imposes outright bans on AI systems deemed to pose ‘unacceptable risk’.
Imposes new obligations on developers of high-risk AI, such as mandatory risk management processes and technical safety documentation.
Introduces specific provisions for ‘general-purpose’ AI models, and transparency requirements around limited-risk AI systems.”
Next Five Hurdles - Anthropic details - "what are the remaining hurdles between us and having a mechanistic understanding of neural networks?"
Cyber proliferation
Greek prosecutor drops case against spy service over malware use - Reuters reports - “Greece’s Supreme Court prosecutor has shelved a case against the intelligence service, EYP, as a preliminary probe by the court showed no evidence that the agency used illegal phone malware to spy on targets, the Athens News Agency reported on Tuesday.”
Bounty Hunting
CyberAv3ngers - Department of State bounties - “Rewards for Justice is offering a reward of up to $10 million for information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act.”
Justice Department Disrupts North Korean Remote IT Worker Fraud Schemes Through Charges and Arrest of Nashville Facilitator - US Department of Justice releases - “Knoot participated in a scheme to obtain remote employment with American and British companies for foreign information technology (IT) workers, who were actually North Korean actors. Knoot allegedly assisted them in using a stolen identity to pose as a U.S. citizen; hosted company laptops at his residences; downloaded and installed software without authorization on such laptops to facilitate access and perpetuate the deception; and conspired to launder payments for the remote IT work, including to accounts tied to North Korean and Chinese actors.”
Reflections this week come from reading the paper Principles of Antifragile Software (2014, updated 2017) and then reading chapter abstracts of the book Fragile Computing: How to Live With Insecure Technologies (2024).
Some of the concepts from the first paper became Chaos Engineering, whilst the book also indirectly poses an interesting philosophical question on the extent to which we can secure the technology we have today and the extent to which we need to learn to live with not being able to.
Given the mountains of technical debt we have to accept a degree of perpetual fragility. Thus we need to ensure we understand it, manage it and prepare beyond the superficial. It is for this reason also why solutions which help secure end-of-life software/systems beyond any vendor support (or existence) will be valuable.
It will be interesting to see if an anti-fragile trend/movement emerges in customers as well as the established tech firms, start-ups and the investor community…
Think someone else would benefit? Share:
All attribution is by others and not the UK Government unless specifically stated as such, please see the legal text at the end.
Have a lovely Friday..
Ollie
Cyber threat intelligence
Who is doing what to whom and how allegedly.
Reporting on Russia
Fighting Ursa Luring Targets With Car for Sale
Unit42 detail the resurfacing of older tradecraft by an what they alleged is a Russia operation.
A Russian threat actor we track as Fighting Ursa advertised a car for sale as a lure to distribute HeadLace backdoor malware. The campaign likely targeted diplomats and began as early as March 2024.
Fighting Ursa (aka APT28, Fancy Bear and Sofacy) has been associated with Russian military intelligence and classified as an advanced persistent threat
https://unit42.paloaltonetworks.com/fighting-ursa-car-for-sale-phishing-lure/
Reporting on China
StormBamboo Compromises ISP to Abuse Insecure Software Update Mechanisms
Ankur Saini, Paul Rascagneres, Steven Adair and Thomas Lancaster detail this alleged Chinese operation which should serve as a reminder to ISPs and those offering DNS resolutions across the globe as to their importance in the end-to-end supply chain.
StormBamboo successfully compromised an internet service provider (ISP) in order to poison DNS responses for target organizations.
Insecure software update mechanisms were targeted to surreptitiously install malware on victim machines running macOS and Windows.
Malware deployed by StormBamboo includes new variants of the MACMA malware.
Analysis of the newest versions of MACMA shows converged development of the MACMA and GIMMICK malware families.
Post-exploitation activity included deployment of the malicious browser extension RELOADEXT to exfiltrate victim mail data.
The i-Soon Leaks: Industrialization of Cyber Espionage
Part 1: Organization and methods of i-Soon APT units
German Federal Office for the Protection of the Constitution releases this analysis of the i-Soon leaks and attributes to China.
A data set was leaked on the GitHub developer platform that provides a rare insight into China's methods of conducting hacking operations world-wide. The internal documents show the extent of cooperation between the Chinese cybersecurity company i-Soon and the Chinese government and intelligence services. In four consecutive reports BfV examines the leak in detail and describes the level of industrialization of cyber espionage activities by privately organized companies, who carry out cyber-attacks for state entities.
Reporting on North Korea
Beware of North Korean hacking organizations stealing construction and machinery technology
Republic of Korea National Intelligence Service, Prosecutors' Office, National Police Agency, Armed Forces Counterintelligence Command and Cyber Operations Command issues this joint advisory which they attribute to North Korea. Watering holes are still part of their tradecraft it would appear..
In January 2024, North Korea's Kim Soo-ki hacking organization hacked the website of a professional organization in the construction field in Korea.
Malicious code was distributed through Malicious code is used in the security system used to log in to the website. ÿ The attacker exploits the website file upload vulnerability to compromise the security of the organization’s homepage. It was hidden in the authentication S/W, and as a result, the PCs of local governments, public institutions, and construction companies that accessed the website were infected. Analysis results show normal distribution
It was confirmed to be a combination of a 'supply chain attack3)' that modulated the channel and a 'watering hole4)' distributed through a website frequently visited by construction and design experts .
“I request an interview regarding North Korea”…
High-level reporting from the Korean Broadcasting System (KBS) on an alleged North Korea phishing operation. Social engineering as has been seen before..
A move to attempt hacking against government ministries and foreign affairs and security experts by impersonating a KBS reporter was detected. Caution is required as this is presumed to be the work of North Korean hackers.
Government officials and some experts related to North Korea simultaneously received e-mails from a reporter who recently hosted a KBS radio program with the subject line, 'Request for an interview regarding flood damage in North Korea.'
Reporting on Iran
From Exploits to Forensics: Unraveling the Unitronics Attack
Team82 detail the attack from November 2023, alleged it was Iran and provide some forensic capability. We saw some global spill over from this at the time..
[We have] publishing details of our research into Unitronics' integrated PLCs/HMIs, which began on the heels of numerous critical infrastructure attacks that were disclosed last fall, in particular at water treatment facilities in the United States and Israel.
Iran-linked CyberAv3ngers is alleged to be responsible for the attacks.
https://claroty.com/team82/research/from-exploits-to-forensics-unraveling-the-unitronics-attack
Iranian Cyber Warfare Targeting Israel Seeks to Exploit Fears of Military Attack
Foundations for Defense of Democracies detail an alleged Iranian phishing operation. Nothing overly of note beyond it happening.
email sent to Israeli citizens on August 4 purporting to contain “citizen safety” guidelines drawn up by the Israel Defense Forces (IDF) has highlighted attempts by Iranian cyber-attackers to exploit the Israeli public’s fears of an imminent Iranian strike. The ongoing Iranian phishing campaign sends English-language emails aimed at enticing Israelis to click on the malicious link to the alleged material covering “vital topics to ensure [the Israeli public’s] safety and well-being.” The campaign leverages infrastructure and methodology previously attributed to “Muddywater,” a shadowy group run by the Iranian Ministry of Intelligence and Security (MOIS). Israel has been on heightened alert since the assassination of Hamas political leader Ismail Haniyeh in Tehran on July 31.
Reporting on Other Actors
macOS stealer posing as Loom is spreading via Google Ads
Ray Fernandez highlights once again things are not OK in the advertising eco-system. The noteworthy element beyond that is the macOS targeting and the monthly price tag for the capability.
The group is creating and running fake campaigns on Google Ads, impersonating Loom. When victims click on the Google Ad, they are redirected to smokecoffeeshop[.]com. This, in turn, automatically loads another URL address.
Victims end up on a fake website almost identical in design to the legitimate Loom website (see image below). Any user who clicks on the download button will download a complex version of the AMOS stealer.
The AMOS stealer can cost up to $3,000 per month, but for cybercriminal organizations, it’s worth every cent.
https://moonlock.com/macos-stealer-loom-google-ads
Threat actor impersonates Google via fake ad for Authenticator
Jérôme Segura shows the end-to-end chain in use by criminal actors. The fact that authenticator apps themselves are being used is rather novel.
In this blog post, we will reveal the missing piece at the top of the killchain, namely the Google ad that was involved in tricking users into visiting a decoy website.
Today, we show yet another example of brand misuse, except that this one targets Google itself. If you were trying to download the popular Google Authenticator (a multi-factor authentication program) via a Google search in the past few days, you may have inadvertently installed malware on your computer.
CheckMesh: Hidden Threats in Your FW
HackersEye details an end-to-end attack by an unattributed threat actor which is interesting for the technology choice for C2 as well as the fact that the initial access techniques were rather basic yet effective.
Recently, we encountered an exceptionally advanced cyber-attack targeting an Israeli enterprise utilizing a Check Point firewall. Dubbed as CheckMesh, for obvious reason the attack successfully deploys & executes a Mesh agent on the CheckPoint firewall Linux
The modus operandi of the LilacSquid APT group involves a multi-stage approach to compromise and persist within targeted networks:
Initial Exploitation: Exploiting vulnerabilities in public-facing applications or devices to gain initial access.
Persistence: Deploying persistent implants, such as MeshAgent, to maintain long-term access.
Credential Theft and Lateral Movement: Stealing credentials to move laterally within the network and escalate privileges.
C2 Communication: Establishing secure C2 channels using encrypted protocols like WebSocket over TLS (wss) to communicate with compromised devices.
Service Control: Using Windows service control commands (sc create, sc start) to manage malicious services and ensure persistence.
https://hackerseye.net/all-blog-items/checkmesh/
Cloud Cover: How Malicious Actors Are Leveraging Cloud Services
Symantec detail the use of commodity platforms cloud platforms for operations by a range of threat actors. Further highlights the challenges we collectively face in modern complex eco-systems.
The number of threat actors leveraging legitimate cloud services in their attacks has grown this year as attackers have begun to realize their potential to provide low-key and low-cost infrastructure. Traffic to and from well known, trusted services such as Microsoft OneDrive or Google Drive may be less likely to raise red flags than communications with attacker-controlled infrastructure.
https://symantec-enterprise-blogs.security.com/threat-intelligence/cloud-espionage-attacks
New APT Group Actor240524
NSFocus detail what they call a new APT.. shows that phishing is alive and well with this well practiced malicious document tradecraft. The noteworthy elements of this reporting is the intended victimology and a degree of operational security consideration.
In this attack incident, Actor240524 attackers used spear-phishing emails to launch attacks on Azerbaijani and Israeli diplomats, intending to steal sensitive data through new weapons.
In this incident, the attackers used a Word document embedded with malicious macro code as bait, with the file name “iden.doc”. The content consists of three blurry images, as shown below:
An official document issued by government websites or news organizations.
An official page of Azerbaijan, displaying the national emblem, name, and some links of Azerbaijan.
An official page of Azerbaijan, displaying the cabinet building and a list of administrative personnel.
Botnet 7777: Are You Betting on a Compromised Router?
Team Cymru detail an at scale botnet even if unattributed. Highlights the challenges that IoT pose and how it enables covert infrastructure..
Identification of a potential expansion of the Quad7 threat operator’s modus operandi to include a second tranche of bots, characterized by an open port 63256.
The port 63256 botnet appears to be comprised mainly of infected Asus routers.
Identification of 12,783 active bots (comprising both 7777 and 63256) over the 30-day period ending 05 August 2024, likely to represent a proportion rather than the full extent of the botnet.
Identification of seven management IPs either currently active or last observed in the past 30 days. Four of the IPs align with recent research by Sekoia, with the remaining three previously unattributed.
https://www.team-cymru.com/post/botnet-7777-are-you-betting-on-a-compromised-router
Discovery
How we find and understand the latent compromises within our environments.
Review event logs and error codes to troubleshoot issues with Microsoft Defender Antivirus
Now these event log codes Microsoft could be useful to understand if Windows Defender has been degraded in some fashion by threat actors. For example:
Event ID 5001: Real-time protection is disabled.
Event ID 5004: The real-time protection configuration changed.
Jamf Protect MacOS EDR Rules Part 1
Interesting research here out of China on some macOS techniques and the Jamf rules to detect them. There were some techniques documented which I wasn’t aware of e.g.
The macOS NSDockTilePlugIn function allows applications to execute code when not actively used, and is mainly used to customize Dock tiles. However, this feature can be abused to create covert persistence mechanisms for malware on the system.
Velociraptor RDPCache
Matt Green continues to do what he does best. For those not familiar the RDPCache can be used to reconstruct the screen of a session.
artifact parses, views and enables simplified upload of RDP cache files.
Defence
How we proactively defend our environments.
Updates to runtime protection in macOS Sequoia
Apple kills some tradecraft..👏
In macOS Sequoia, users will no longer be able to Control-click to override Gatekeeper when opening software that isn’t signed correctly or notarized. They’ll need to visit System Settings > Privacy & Security to review security information for software before allowing it to run.
https://developer.apple.com/news/?id=saqachfa
AppLocker Policy Generator
Michael Haag helping with defense in depth here. AppLocker is one of those high investment but high return mitigations..
Policy Creation: Easily define rules for your applications, scripts, and installers to enhance security. This page allows you to specify rules for paths and scripts, and choose whether to set them to 'Audit' or 'Block' mode. 📝
2️⃣ Policy Merging: Combine multiple AppLocker policies into one comprehensive set of rules. This tool helps you combine multiple AppLocker policies into a single policy file. 🧩
3️⃣ Pre-Built Policies: Ensure that your AppLocker policies are correctly formatted and free of errors before deployment. This application allows you to download pre-created policies to block common applications. You can also modify the policies to suit your needs. ✅
4️⃣ Export and Import: Import existing policies for editing, and export your policies for deployment across your organization. This page allows you to upload an AppLocker Policy XML file or paste your AppLocker Policy XML for modification. 🔄
5️⃣ Learn More About AppLocker: This page provides a brief overview of AppLocker, including the different types of rules, and how to configure AppLocker. 📊
6️⃣ AppLocker Atomic Testing: This page provides a list of common AppLocker bypasses and how to test them. 📄
https://applockergen.streamlit.app/
the source code can be found here:
https://github.com/MHaggis/AppLockerGen
Formally verifying security properties of CHERI processors
Anna Duque Antón and Johannes Müller detail how they found a micro-architectural vulnerability similar to meltdown in CHERI using formal verification. There is some much to celebrate in this post - now we just need microcontrollers and application processors to adopt CHERI.
VeriCHERI is a new formal verification framework targeting security vulnerabilities in CHERI-enhanced processors. The key idea is that we start from abstract security requirements targeting confidentiality and integrity. Based on these general notions of security, we formulate security properties for the microarchitectural implementation. This is a significantly different approach compared to previous verification methods, which focus on verifying that the design conforms to a specification. VeriCHERI allows us to target not only security violations due to functional bugs, but also Meltdown-style timing side channels such as the one described above. At its core, VeriCHERI consits of only 4 security properties; these can be checked using the power of commercial property checking tools. Verification times for CHERIoT Ibex range from a few seconds to 31 minutes for detecting vulnerabilities in the original versions or to prove that the fixed design is secure. We refer interested readers to our paper about VeriCHERI
https://cheriot.org/formal/verification/security/2024/08/02/meltdown-style-vulnerabilities.html
Incident Writeups & Disclosures
How they got in and what they did.
Security Incident | August 2024 - Mobile Guardian
13,000 devices from 26 schools erased according to news reporting..
Mobile Guardian experienced a security incident that involved unauthorised access to our Platform on the 4th of August - resulted in a small percentage of iOS devices to be unenrolled from Mobile Guardian and in some cases devices wiped remotely.
https://www.mobileguardian.com/security-incident-august-2024/
Vulnerability
Our attack surface.
Splitting the email atom: exploiting parsers to bypass access controls
Gareth Heyes shows once more complex encoding and inter-operability create security vulnerability opportunity. The long tail of this one I suspect will be quite long..
In this paper I'm going to show you how to turn email parsing discrepancies into access control bypasses and even RCE.
https://portswigger.net/research/splitting-the-email-atom
Multiple SMTP services are susceptible to spoofing attacks due to insufficient enforcement
A couple of vulnerabilities build on prior reporting in this space.
CVE-2024-7208 A vulnerability in multi-tenant hosting allows an authenticated sender to spoof the identity of a shared, hosted domain, thus bypass security measures provided by DMARC (or SPF or DKIM) policies.
CVE-2024-7209 A vulnerability exists in the use of shared SPF records in multi-tenant hosting providers, allowing attackers to use network authorization to be abused to spoof the email identify of the sender.
https://kb.cert.org/vuls/id/244112
Diffie-Hellman Picture Show: Key Exchange Stories from Commercial VoWiFi Deployments
Gabriel K. Gegenhuber, Florian Holzbauer, Philipp É. Frenzel , Edgar Weippl, and Adrian Dabrowski get a howler fixed here.
An insecure key exchange would jeopardize the later stages and the data’s security and confidentiality. In this paper, we analyze the phase 1 settings and implementations as they are found in phones as well as in commercially deployed networks worldwide.
On the UE side, we identified a recent 5G baseband chipset from a major manufacturer that allows for fallback to weak, unannounced modes and verified it experimentally.
On the MNO side –among others– we identified 13 operators (totaling an estimated 140 million subscribers) on three continents that all use the same globally static set of ten private keys, serving them at random.
Deep-TEMPEST: Using Deep Learning to Eavesdrop on HDMI from its Unintended Electromagnetic Emanations
Santiago Fernández, Emilio Martínez, Gabriel Varela, Pablo Musé and Federico Larroca highlight how TEMPEST is alive and well.
In this work, we address the problem of eavesdropping on digital video displays by analyzing the electromagnetic waves that unintentionally emanate from the cables and connectors, particularly HDMI
The proposed system is based on widely available Software Defined Radio and is fully open-source, seamlessly integrated into the popular GNU Radio framework. We also share the dataset we generated for training, which comprises both simulated and over 1000 real captures. Finally, we discuss some countermeasures to minimize the potential risk of being eavesdropped by systems designed based on similar principles.
https://arxiv.org/abs/2407.09717
GhostWrite
Fabian Thomas, Lorenz Hetterich, Ruiyi Zhang, Daniel Weber, Lukas Gerlach and Michael Schwarz cause an eeek moment in hardware verification.. exquisite vulnerability to discover..
The GhostWrite vulnerability affects the T-Head XuanTie C910 and C920 RISC-V CPUs. This vulnerability allows unprivileged attackers, even those with limited access, to read and write any part of the computer’s memory and to control peripheral devices like network cards.
Dismantling Smart App Control
Joe Desimone shows what one researcher can do against when they think creatively, have focused and determination. Evidenced based efficacy for all..
Windows Smart App Control and SmartScreen have several design weaknesses that allow attackers to gain initial access with no security warnings or popups.
A bug in the handling of LNK files can also bypass these security controls
Reputation-based protection systems are a powerful layer for blocking commodity malware. However, like any protection technique, they have weaknesses that can be bypassed with some care. Smart App Control and SmartScreen have a number of fundamental design weaknesses that can allow for initial access with no security warnings and minimal user interaction.
https://www.elastic.co/security-labs/dismantling-smart-app-control
https://github.com/joe-desimone/rep-research
KnowBe4 RCE and LPE
A vulnerability which once more shows that cyber security products may not be secure products.
Three KnowBe4 applications (Phish Alert Button, PasswordIQ, and Second Chance) were vulnerable to RCE and LPE.
Through not understanding DNS hijack, KnowBe4 reported the CVSS scores to NIST with far too low scores.
This creates an interesting attack vector over, for example, Wi-Fi at a coffee shop. As a result of having the KnowBe4 apps installed on a laptop, the client was thus exposed to remote code execution vulnerabilities.
This is interesting in itself, as Wi-Fi hotspot attacks other than this are now largely mitigated through O/S design.
KnowBe4 initially down-scored the vulnerability significantly, due to not understanding that DNS hijack can be achieved through methods other than router compromise.
https://www.pentestpartners.com/security-blog/knowbe4-rce-and-lpe/
Offense
Attack capability, techniques and trade-craft.
Living off the VPN — Exploring VPN Post-Exploitation Techniques
Ori David shows what might be post exploitation.. or creates the business case for Zero-Trust..
Our findings include several vulnerabilities that affected Ivanti Connect Secure and FortiGate VPNs.
In addition to the vulnerabilities, we detail a set of no-fix techniques that can affect the Ivanti Connect Secure and FortiGate products, and potentially other VPN servers, as well.
Our research shows that, in many cases, a compromised VPN server could allow attackers to easily gain control over other critical assets in the network.
whenfs: A FUSE filesystem for your Google calendar
Google Calendar as a C2? Why yes of course - Lukas enables..
WhenFS turns your Google Calendar into a FUSE filesystem.
It whimsically supports the following features:
Create a filesystem out of existing Google Calendars, or create a new one from scratch
Read and write files, directories and... well, just files and directories
Mount your friends' WhenFS calendar file systems to share files in the silliest way possible
https://github.com/lvkv/whenfs
Injecting Java in-memory payloads for post-exploitation
Clément Amic and Hugo Vincent shows what advanced payloads against Java targets so they don’t touch disk can look like. My favourite is still the literal Chinese translation of these which is Memory Horse.
The logic mentioned in our previous blog post1, targeting applications affected by arbitrary deserialization vulnerabilities, could be adapted to inject in-memory payloads from different vulnerabilities or features leading to RCE, such as SSTIs, scripting engines and command injections.
This article will cover some tips and tricks that could be applied to inject such a payload, and to develop post-exploitation features that would allow altering the application behavior. This would be interesting to stay under the radar during post-exploitation, or to intercept plaintext credentials of privileged users authenticating to the compromised application.
https://www.synacktiv.com/publications/injecting-java-in-memory-payloads-for-post-exploitation
.NET Remoting New Exploitation Tricks
Markus Wulftange shows there is some mileage for lateral movement and potentially initial access. The vendor responses are also quite interesting.
This post provides insights into three exploitation techniques that can still be used in cases of a hardened .NET Remoting server with
TypeFilterLevel.Low
and Code Access Security (CAS) restrictions in place. Two of these tricks are considered novel and can help in cases where ExploitRemotingService is stuck.
https://code-white.com/blog/teaching-the-old-net-remoting-new-exploitation-tricks/
RustPatchlessCLRLoader: .NET assembly loader with patchless AMSI and ETW bypass in Rust
C2Pain gives the world this capability.. uses hardware breakpoints which are low cost to detect however - I wrote code 3 years ago to demonstrate this.
The RustPatchlessCLRLoader leverages a sophisticated integration of patchless techniques for bypassing both Event Tracing for Windows (ETW) and the Windows Antimalware Scan Interface (AMSI) across all threads with the goal of loading .NET assemblies dynamically by utilizing the clroxide Rust library. It provides a robust solution for executing managed code stealthily without modifying system artifacts or triggering security mechanisms.
https://github.com/c2pain/RustPatchlessCLRLoader
PANIX
Ruben Groenewoud provides a nice tool to help validate your Linux persistence detections are working as intended.
PANIX is a highly customizable Linux persistence tool for security research, detection engineering, penetration testing, CTFs and more. It prioritizes functionality over stealth and is easily detectable. PANIX is supported on popular distributions like Debian, Ubuntu, and RHEL, and is highly customizable to fit various OS environments. PANIX will be kept up-to-date with the most common *nix persistence mechanisms observed in the wild.
https://github.com/Aegrah/PANIX
Exploitation
What is being exploited.
SLUBStick: Arbitrary Memory Writes through Practical Software Cross-Cache Attacks within the Linux Kernel
Lukas Maar, Stefan Gast and Martin Unterguggenberger shows what modern Linux exploitation can involve. Just look at the finesse here to combine various subtle behaviours.
In this paper, we present SLUBStick, a novel kernel exploitation technique elevating a limited heap vulnerability to an arbitrary memory read-and-write primitive. SLUBStick operates in multiple stages: Initially, it exploits a timing side channel of the allocator to perform a cross-cache attack reliably. Concretely, exploiting the side-channel leakage pushes the success rate to above 99 % for frequently used generic caches. SLUBStick then exploits code patterns prevalent in the Linux kernel to convert a limited heap vulnerability into a page table manipulation, thereby granting the capability to read and write memory arbitrarily
https://stefangast.eu/papers/slubstick.pdf
CVE-2024-21338: Windows AppLocker Driver LPE Vulnerability
hieu.q and voidsec evidences once more that just because components have been around for a while doesn’t been there aren’t vulnerabilities if your adversarial mind chooses to deeply understand.
The bug resides in the
AppHashComputeImageHashInternal()
function, which could be invoked by sending an IOCTL with value0x22A018
to the device object named\\Device\Appid
.The driver expects two pointers referenced from the IOCTL’s input buffer.
This bug results in a powerful primitive, given that we have complete control of the instruction pointer and the data in the first argument via a callback.
Based on the ACL present on the device object name, only the
LOCAL SERVICE
andAppIDSvc
users have enough permission to send the targetIoControlCode
.The target driver,
appid.sys
, is not automatically loaded and requires sending an event to a specific AppLocker-related ETW provider.
https://www.crowdfense.com/windows-applocker-driver-lpe-vulnerability-cve-2024-21338/
CVE-2024-38054: pool overflow bug in the ksthunk.sys driver on Windows
Angelboy provides a shrink-wrapped exploit for this vulnerability..
https://github.com/Black-Frost/windows-learning/tree/main/CVE-2024-38054
When Samsung meets MediaTek: the story of a small bug chain
Maxime Rossi Bellom, Raphael Neveu, and Gabrielle Viala provide a detailed writeup of this vulnerability and along with it a lesson in why physical device security is still important.
In this paper, we present a small bug chain that can be used by an attacker with physical access to the device to bypass the secure boot, execute code on the chip, reach persistency, and ultimately leak the secret keys protected by the hardware-backed keystore.
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
dockerc
Nils André gives a slightly inception like capability here..
compile docker images to standalone portable binaries
https://github.com/NilsIrl/dockerc/
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Aggregate reporting
Cost of a Data Breach Report 2024 - big numbers, buy more cyber..
Nature Computes Better: Opportunity seeds - ARIA project overview
ACM's Special Interest Group on Data Communications
Post CrowdStrike outage..
CrowdStrike External Technical Root Cause Analysis — Channel File 291 - CrowdStrike details - “As new versions of Windows introduce support for performing more of these security functions in user space, CrowdStrike updates its agent to utilize this support. Significant work remains for the Windows ecosystem to support a robust security product that doesn’t rely on a kernel driver for at least some of its functionality. We are committed to working directly with Microsoft on an ongoing basis as Windows continues to add more support for security product needs in userspace.”
Tech Analysis: Addressing Claims About Falcon Sensor Vulnerability - CrowdStrike refutes among others the findings from this Chinese analysis of their product allegeding vulnerability.
Driving lessons: The kernel drivers in Sophos Intercept X Advanced - Sophos details - “Operating in kernel-space is necessary, but risky – here’s how we do it in Sophos Intercept X Advanced”
Artificial intelligence
Books
Nothing this week
Events
Securing Cyberspace Conference 2024, Responsible Cyber Behaviour in Practice: A Global View - 9th of October, London, UK
2024 Conference on International Cyber Security - 12th - 13th of November, 2024, The Hauge, Netherlands
CyberLawCon - 28th of February 2025, Pentagon City, USA
Unless stated otherwise, linked or referenced content does not necessarily represent the views of the NCSC and reference to third parties or content on their websites should not be taken as endorsement of any kind by the NCSC. The NCSC has no control over the content of third party websites and consequently accepts no responsibility for your use of them.
This newsletter is subject to the NCSC website terms and conditions which can be found at https://www.ncsc.gov.uk/section/about-this-website/terms-and-conditions and you can find out more about how will treat your personal information in our privacy notice at https://www.ncsc.gov.uk/section/about-this-website/privacy-statement.