Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week nothing overly of note, which once again shows what the new normal is like given the operational tempo..
In the high-level this week:
Cyber Security Toolkit for Boards: updated briefing pack released - at NCSC UK we published - “This latest version of the briefing pack includes a case study featuring Sir Roly Keating, CEO of the British Library, who shares insights on the high-profile ransomware attack that targeted his organisation. Reflecting on the incident, he noted, ‘It felt like it was an act of vandalism as well as theft.’”
Heightened cyber threat - at NCSC UK we updated our guidance to include recent publications.
Vulnerability management guidance - at NCSC UK we have now published three sub areas:
Smart Products Surveyed Fail to Provide Consumers with Information on How Long Companies will Provide Software Updates - US Federal Trade Commission announces - “A new paper from Federal Trade Commission staff finds that nearly 89% of products surveyed failed to disclose on their websites how long the products would receive software updates, which help ensure the devices are protected against security threats and operate properly.” - this is what we mean by information asymmetry as part of market incentives.
Introduction of landmark Cyber Security Legislation Package - Australian Home Affairs announces - “The Cyber Security Legislative Package will implement seven initiatives under the 2023-2030 Australian Cyber Security Strategy, addressing legislative gaps to bring Australia in line with international best practice and take the next step to ensure Australia is on track to become a global leader in cyber security.”
Strengthening India's Digital Frontiers: Key Insights Into [Indian] The Telecom Cyber Security Rules 2024 - India Law analyzes - “The rules place substantial responsibility on telecom entities to:
Develop Cyber Security Policies: Entities must craft policies incorporating risk assessments, network testing, and response strategies for security incidents.
Conduct Security Audits: Both internal and government-certified audits are required.
Report Security Incidents: Entities must notify the government within six hours of an incident, detailing its impact and mitigation steps.
Establish Security Operations Centres (SOC): SOCs will monitor threats, log incidents, and maintain records critical to cyber defence.”
The Telecommunications Act, 2023: Ushering in new era of connectivity - Ministry of Communications publishes
'New telecom cybersecurity rules to increase compliance costs, may make mobile services costlier' - ET Telecom asserts
Ranking Member Cassidy, Colleagues Introduce Legislation to Strengthen Cybersecurity in Health Care Sector as Part of Bipartisan Working Group - US Senate publishes - “The Health Care Cybersecurity and Resiliency Act of 2024:
Strengthens cybersecurity in the health care sector by providing grants to health entities to improve cyberattack prevention and response.
Provides training to health entities on cybersecurity best practices.
Supports rural communities by providing best practices to rural health clinics and other providers on cybersecurity breach prevention, resilience, and coordination with federal agencies.
Improves coordination between the Department of Health and Human Services (HHS) and Cybersecurity and Infrastructure Security Agency (CISA) to better respond to cyberattacks in the health care sector.
Modernizes current regulations so entities covered under the Health Insurance Portability and Accountability Act (HIPAA) use the best cybersecurity practices.
Requires the HHS Secretary to develop and implement a cybersecurity incident response plan.”
NIS Investments 2024 - ENISA announces - "This report aims at providing policy makers with evidence to assess the effectiveness of the existing EU cybersecurity framework specifically through data on how the NIS Directive has influenced cybersecurity investments and overall maturity of organisations in scope. As 2024 is the year of the transposition of NIS 2, this report also intends to capture a pre-implementation snapshot of the relevant metrics for new sectors and entities in scope of NIS 2 to help future assessments of the impact of NIS 2."
[US] Army building a new expeditionary cyber battalion - Defense Scoop reports - “In late February, the Army Force Structure Transformation (ARSTRUC) plan directed the activation of two more so-called expeditionary cyber and electromagnetic activities teams (ECTs) in the 11th Cyber Battalion — a total of 90 authorizations — rounding out that battalion and an additional 390 authorizations for ECTs to begin building the 12th Cyber Battalion, Lt. Gen. Maria Barrett, commander of Army Cyber Command, said”
SCI Semiconductor & ResQuant announce partnership for PQC algorithm acceleration on advanced CHERI-enabled devices - News Wires transmits - “This MoU reflects their shared vision to develop joint solutions to target advanced security systems – Safe IoT – across sectors with high-integrity, high-confidentiality & low-power requirements, including smart energy and critical infrastructure, aerospace and defense, telecommunications, automotive, industry 4.0, and medical domains.”
Reporting on/from China
Top senator calls Salt Typhoon ‘worst telecom hack in our nation’s history’ - Washington Post reports - “The Chinese government espionage campaign that has deeply penetrated more than a dozen U.S. telecommunications companies is the “worst telecom hack in our nation’s history — by far,” a senior U.S. senator told The Washington Post in an interview this week.”
China’s Surveillance State Is Selling Citizen Data as a Side Hustle - Wired reports - “Chinese black market operators are openly recruiting government agency insiders, paying them for access to surveillance data and then reselling it online—no questions asked.”
China plans to have national data infrastructure in place by 2029 - South China Morning Post reports - “The document states that the aim is to create a national data infrastructure that balances efficiency with equity, accommodates the unique characteristics of data elements, and harnesses the value and utility of data.”
Clashes of techno-statecraft: US-China technology rivalry and South Korea’s strategy? - Business and Politics publishes - “The current conflictual dynamics underlying high-tech rivalry between China and the United States and the management of collateral damages by middle-power countries emanate from the clashes of techno-statecraft. Each country’s pursuit of technological superiority for its own prosperity, security, and prestige through deep and wide state intervention has aggravated the situation. Against this backdrop, our paper attempts to elucidate the dynamics of techno-statecraft of China, the United States, and South Korea.”
Internet use and household debt: insights from rural China - Applied Economics publishes - “The results show that Internet use and household debt are positively associated: household debt is 5,370 yuan higher among Internet users than non-users. Using the Internet increases household debt through its effects on consumption and investment spending.”
AI
UK and its allies must stay one step ahead in new AI arms race - Cabinet Office, Foreign, Commonwealth & Development Office, Stephen Doughty MP and The Rt Hon Pat McFadden MP announce - “The Laboratory for AI Security Research will employ a ‘catalytic’ model, receiving an initial £8.22m round of government funding, inviting further investment and collaboration from industry.”
Taiwan to invest $3bn to secure 'AI sovereignty,' tech czar says - Nikkei Asia reports - “Taiwan's government plans to spend about $3 billion on artificial intelligence data centers and other upgrades over the next three years, while aiming to strengthen cooperation with the U.S. under President-elect Donald Trump, Taipei's top tech official told Nikkei Asia.”
Cyber proliferation
Ronan Farrow on surveillance spyware: ‘It threatens democracy and freedom’ - Guardian thunders - “Surveilled, now on HBO, is, on one level, a visual accompaniment to Farrow’s bombshell April 2022 report on how governments – western democracies, autocratic regimes and many in between – secretly use commercial spyware to snoop on their citizens. The hour-long documentary, directed by Matthew O’Neill and Perri Peltz, records the emotional toll, scope and threat potential of a technology most people are neither aware of nor understand.”
Bounty Hunting
National Police Agency's National Investigation Headquarters Arrests Manufacturer of Satellite Broadcasting Receiver with DDoS Attack Function - BOA News reports - "Malicious programs installed/distributed through updates from launch Applied to approximately 98,000 units"
Not sold in South Korea - MT reports
KC Man Indicted for Computer Hacking - US Department of Justice announces - “Kloster allegedly entered the premises of a business, identified in court documents as Company Victim 2, which operates multiple health clubs in Kansas and Missouri, shortly before midnight on April 26, 2024. The following day, Kloster sent an email to one of the owners of Company Victim 2, claiming that he had gained access to the computer system. Kloster also claimed to have “assisted over 30 small to medium-sized industrial businesses in the Kansas City, Missouri area” and attached a copy of his resume.”
Exclusive: Exxon lobbyist investigated over hack-and-leak of environmentalist emails, sources say - Reuters reports - “The FBI has been investigating a longtime Exxon Mobil consultant over the contractor's alleged role in a hack-and-leak operation that targeted hundreds of the oil company’s biggest critics, according to three people familiar with the matter. The operation involved mercenary hackers who successfully breached the email accounts of environmental activists and others, the sources told Reuters.”
NSO Group’s Pegasus pitch: ‘Heaven’, ‘Eden’, ‘Erised’ & $6.8 million/year licence - India Express reports - “The documents show that a deposed NSO employee acknowledged under questioning from WhatsApp lawyers that one known target of Pegasus, Princess Haya of Dubai, was one of the 10 examples of targets by NSO’s clients who had been “abused” “so severely” that NSO disconnected the service.”
A programmer wanted by the FBI will be tried in Kaliningrad - RIA reports - "Matveyev is accused of having ties to hacker groups that specialize in blocking access to systems, usually those of large companies, using malware."
Soaring cyber risks: Large enterprises, supply chains and key industries in the crosshairs - Cowbell rings - “Businesses with >$50m revenue are 2.5x more likely to face cyber incidents, Supply chain attacks increased fivefold, up by 431%, since 2021”
No reflections this week; instead my contribution can be watched in the video from the FT Cyber Resilience Summit 2024 in London on the topic of Cybersecurity disruptors – The impact of new technologies on attack and defence.
Happy Thanksgiving for Thursday gone to US partners at NSA’s CSD, CISA and FBI..
All attribution is by others and not the UK Government unless specifically stated as such, please see the legal text at the end.
Have a lovely Saturday..
Ollie
Cyber threat intelligence
Who is doing what to whom and how allegedly.
Reporting on Russia
RomCom exploits Firefox and Windows zero days in the wild
Damien Schaeffer and Romain Dumont detail how this alleged Russian actor has been found with its hands in the 0day jar, exploiting browsers. Note the speed with which Mozilla patched 👊
On October 8th, 2024, ESET researchers discovered a previously unknown zero-day vulnerability in Mozilla products being exploited in the wild.
Analysis of the exploit led to the discovery of the vulnerability, now assigned CVE-2024-9680: a use-after-free bug in the animation timeline feature in Firefox. Mozilla patched the vulnerability on October 9th, 2024.
Further analysis revealed another zero-day vulnerability in Windows: a privilege escalation bug, now assigned CVE‑2024‑49039, that allows code to run outside of Firefox’s sandbox. Microsoft released a patch for this second vulnerability on November 12th, 2024.
Successful exploitation attempts delivered the RomCom backdoor, in what looks like a widespread campaign.
Reporting on China
Game of Emperor: Unveiling Long Term Earth Estries Cyber Intrusions
Leon M Chang, Theo Chen, Lenart Bermejo and Ted Lee detail these alleged operations of the now infamous Chinese group known as SALT TYPHOON. New implants, new tradecraft and various other aspects of technical reporting are of note.
Earth Estries, a Chinese APT group, has primarily targeted critical sectors like telecommunications and government entities across the US, Asia-Pacific, Middle East, and South Africa since 2023.
The group employs advanced attack techniques and multiple backdoors, such as GHOSTSPIDER, SNAPPYBEE, and MASOL RAT, affecting several Southeast Asian telecommunications companies and government entities.
Earth Estries exploits public-facing server vulnerabilities to establish initial access and uses living-off-the-land binaries for lateral movement within networks to deploy malware and conduct long-term espionage.
The group has compromised over 20 organizations, targeting various sectors including telecommunications, technology, consulting, chemical, and transportation industries, as well as government agencies and NGOs in numerous countries.
Earth Estries uses a complex C&C infrastructure managed by different teams, and their operations often overlap with TTPs of other known Chinese APT groups, indicating possible use of shared tools from malware-as-a-service providers.
A key finding from our recent investigation is the discovery of a new backdoor, GHOSTSPIDER, identified during attacks on Southeast Asian telecommunications companies. We will explore the technical details of GHOSTSPIDER, its impact across multiple countries, and interesting findings when we were tracking its command-and-control (C&C) infrastructure. We have also uncovered the group’s use of the modular backdoor SNAPPYBEE (aka Deed RAT), another tool shared among Chinese APT groups.
https://www.trendmicro.com/en_us/research/24/k/earth-estries.html
Guess Who’s Back - The Return of ANEL in the Recent Earth Kasha Spear-phishing Campaign in 2024
Hara Hiroaki details this alleged Chinese phishing campaign, which shows the number of hoops they expect their victims to jump through..
The spear-phishing emails used in this campaign were sent either from free email accounts or from compromised accounts. The emails contained a URL link to a OneDrive. They included a message in Japanese encouraging the recipient to download a ZIP file.
The simplest case involves a document with embedded macros. The infection begins when the document is opened and the user enables the macros. This document file is a malicious dropper that we have named ROAMINGMOUSE.
In other cases, the ZIP file did not directly contain ROAMINGMOUSE. Instead, it included a shortcut file and an SFX (self-extracting) file disguised as a document by changing its icon and extension.
Cybercrime as an industry: examining the organisational structure of Chinese cybercrime
Qiaoyu Luo brings us research which provides some insight into what the eco-system looks like in China.
Drawing on interviews and secondary data from China collected between 2020 and 2022, this paper seeks to address this gap by offering a comprehensive examination of Chinese cybercrime. It explores the degree of industrialisation within Chinese cybercrime and discusses its impact on the work performed by Chinese cybercriminals. Echoing findings from previous studies on the industrialisation of cybercrime, the current study reveals an elaborate industry built around cyber fraud, populated by various market players working on diverse tasks to support the successful operation of cyber fraud. The research also uncovers the existence of cybercriminal firms that closely mimic the structural and operational approaches of legitimate companies.
https://www.nature.com/articles/s41599-024-04042-w
Reporting on North Korea
Hidden World of xattr: Lazarus Group’s Abuse of "Rustyattr" to Evade Detection
Tonmoy Jitu details a technique used in this alleged North Korean operation not covered in MITRE. Should be useful to go hunting for and potentially quite low noise.
A technique, often overlooked, involves the use of extended file attributes—specifically the xattr command found in Unix-like operating systems such as macOS and Linux. Much like Windows Alternate Data Streams (ADS), which allows attackers to hide data in the NTFS filesystem, xattr provides a mechanism for embedding metadata alongside files without altering their visible content. This stealthy use of xattr (which we’ll refer to as Rustyattr) has been increasingly leveraged by threat groups, including the Lazarus Group, making it a critical but often overlooked vector in modern cyberattacks. In this post, we’ll look at how the Lazarus Group, in particular, is using xattr (or Rustyattr) to secretly stash malicious data in system files, making it harder to detect with traditional methods.
https://denwp.com/xattr-lazarus-groups-abuse-rustyattr/
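The hunting the write-up invites, as an added example that is not code from the denwp.com post: a scanner that snapshots extended attributes and flags values carrying executable magic, an unusual size or high entropy. It assumes a Linux host for the live scan (os.listxattr/os.getxattr); the embedded snapshot is constructed so the classifier can be exercised offline.

```python
"""Hunt for suspicious extended attributes (xattrs) on a directory tree."""
import math
import os
import sys
from typing import Dict, List, Tuple

# path -> {attribute name -> raw value}
Snapshot = Dict[str, Dict[str, bytes]]

# Attribute names routinely present on healthy systems; low signal on their own.
BENIGN_NAMES = {
    "security.selinux",
    "security.capability",
    "system.posix_acl_access",
    "system.posix_acl_default",
    "user.xdg.origin.url",
    "com.apple.quarantine",
    "com.apple.FinderInfo",
    "com.apple.metadata:_kMDItemUserTags",
}

# Magic numbers of executable formats that have no business living in file metadata.
EXECUTABLE_MAGIC = (
    b"\x7fELF",           # ELF
    b"MZ",                # PE
    b"\xcf\xfa\xed\xfe",  # Mach-O 64-bit, little-endian
    b"\xce\xfa\xed\xfe",  # Mach-O 32-bit
    b"\xca\xfe\xba\xbe",  # Mach-O universal (fat)
    b"#!",                # script with an interpreter line
)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or compressed data, lower for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_xattr(name: str, value: bytes, min_size: int = 1024) -> List[str]:
    """Return the reasons an attribute looks suspicious; an empty list means benign."""
    reasons: List[str] = []
    if name in BENIGN_NAMES:
        return reasons
    if value.startswith(EXECUTABLE_MAGIC):
        reasons.append("executable-magic")
    if len(value) >= min_size:
        reasons.append(f"large:{len(value)}B")
    if len(value) >= 256 and shannon_entropy(value) > 7.0:
        reasons.append("high-entropy")
    return reasons


def scan_snapshot(snapshot: Snapshot, min_size: int = 1024) -> List[Tuple[str, str, List[str]]]:
    """Apply classify_xattr to every attribute in the snapshot, in deterministic order."""
    findings = []
    for path, attrs in sorted(snapshot.items()):
        for name, value in sorted(attrs.items()):
            reasons = classify_xattr(name, value, min_size)
            if reasons:
                findings.append((path, name, reasons))
    return findings


def snapshot_tree(root: str) -> Snapshot:
    """Collect every xattr under root on a Linux host; symlinks are not followed."""
    if not hasattr(os, "listxattr"):
        raise RuntimeError("os.listxattr is not available on this platform")
    snap: Snapshot = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            path = os.path.join(dirpath, entry)
            try:
                names = os.listxattr(path, follow_symlinks=False)
                if names:
                    snap[path] = {n: os.getxattr(path, n, follow_symlinks=False) for n in names}
            except OSError:
                continue  # unreadable entry or attribute vanished mid-walk
    return snap


# Constructed sample, not data from a real host: one benign SELinux label, one
# quarantine tag, one plain comment and one Mach-O header followed by 2 KiB of filler.
CONSTRUCTED_SAMPLE: Snapshot = {
    "/usr/local/bin/helper": {"security.selinux": b"system_u:object_r:bin_t:s0"},
    "/Users/alice/Downloads/report.pdf": {"com.apple.quarantine": b"0083;65f1c2d0;Safari;"},
    "/var/tmp/notes.txt": {"user.comment": b"plain text comment"},
    "/tmp/.cache/layout": {"user.test": b"\xcf\xfa\xed\xfe" + bytes(range(256)) * 8},
}

if __name__ == "__main__":
    snap = snapshot_tree(sys.argv[1]) if len(sys.argv) > 1 else CONSTRUCTED_SAMPLE
    for path, name, reasons in scan_snapshot(snap):
        print(f"{path}\t{name}\t{','.join(reasons)}")
```

Run with a directory argument to scan a live tree; without one it reports on the constructed snapshot.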
North Korea-backed Scarcruft ROKRAT Malware Cluster
S2W details this alleged North Korean actor showing a diversity in capability and targeting.
Recently, their operations have expanded to Japan, Vietnam, Russia, Nepal, and the Middle East.
Case A: ROKRAT Distributed via DROKLINK
The infection flow and functionalities of ROKRAT distributed through DROKLINK are detailed in the full report.
Case B: ROKRAT Distributed via DROKDOC
DROKDOC malware executes malicious actions through macros embedded in document files. The infection chain and functionalities of ROKRAT spread via DROKDOC are also discussed in the report.
Case C: Clugin & Cumulus
In mid-2017, Scarcruft employed watering hole attacks to distribute malicious apps. Later campaigns targeted human rights groups and journalists using the KakaoTalk messenger. Additionally, malware was spread via Facebook contacts and Google Play Store uploads, all identified as mobile versions of ROKRAT.
Case D: CloudMensis Targeting macOS
ESET revealed CloudMensis malware in July 2022, designed to target macOS. It performs data exfiltration, screen captures, and command execution. This malware was identified as Scarcruft’s macOS version of ROKRAT.
https://www.s2w.inc/en/resource/detail/678
Reporting on Iran
Nothing this week..
Reporting on Other Actors
Attacks by the attack group APT-C-60 using legitimate services
Tomoya Kamei details this alleged South Korean actor operating in Japan showing what living off the land can look like when you bring your own land (a VHDX) combined with phishing.
This attack started with a targeted attack email, which prompted victims to download a file from a Google Drive link included in the email. When the Google Drive link is accessed, a VHDX file containing malware is downloaded. The VHDX file used in this attack contained an LNK file and a decoy document. The LNK file Self-Introduction.lnk executes IPML.txt using the legitimate executable file git.exe.
https://blogs.jpcert.or.jp/ja/2024/11/APT-C-60.html
Analysis of OceanLotus's attack activities on the legal system of the South China Sea
Hunting Lab details this alleged Vietnamese operation which is rather basic but does end in CobaltStrike (how retro)…
The attack process is roughly as follows:
1. The spear-phishing email attachment is a compressed file containing an MSC file, which is disguised as a DOCX file to lure the target user to click on it;
2. After the MSC file is run, it will read and release the bait document, the white file Warp.exe and the malicious DLL file 7z.dll. The content of one of the bait documents is a study on two legal systems applicable to the South China Sea;
3. After the malicious DLL file is loaded by the white file Warp.exe, it will decrypt multiple layers of Shellcode in memory, eventually execute CobaltStrikeBeacon, connect to the C2 server, and wait for subsequent instructions to be issued.
Bootkitty: Analyzing the first UEFI bootkit for Linux
Martin Smolár and Peter Strýček show how using UEFI Secure Boot might save you..
In November 2024, a previously unknown UEFI application, named bootkit.efi, was uploaded to VirusTotal.
Our initial analysis confirmed it is a UEFI bootkit, named Bootkitty by its creators and surprisingly the first UEFI bootkit targeting Linux, specifically, a few Ubuntu versions.
Bootkitty is signed by a self-signed certificate, thus is not capable of running on systems with UEFI Secure Boot enabled unless the attackers’ certificates have been installed.
Bootkitty is designed to boot the Linux kernel seamlessly, whether UEFI Secure Boot is enabled or not, as it patches, in memory, the necessary functions responsible for integrity verification before GRUB is executed.
bootkit.efi contains many artifacts suggesting this is more like a proof of concept than the work of an active threat actor.
We discovered a possibly related kernel module, which we named BCDropper, that deploys an ELF program responsible for loading another kernel module.
https://www.welivesecurity.com/en/eset-research/bootkitty-analyzing-first-uefi-bootkit-linux/
Discovery
How we find and understand the latent compromises within our environments.
KQL for Social Engineering Attack Monitor - Teams & Emails
Steven Lim does what he does best with KQL..
Yesterday, Kevin Beaumont (known as the "Cyber Weatherman") shared his experience assisting several organizations in recovering from successful ransomware attacks. A common thread in these incidents was the use of social engineering tactics. Attackers conducted initial reconnaissance over the phone to gather contact details, then bombarded users with a flood of emails and Teams messages—sometimes thousands per hour. The custom KQL detection script below for DefenderXDR can provide early warnings of this type of social engineering attack.
Dissecting JA4H for improved Sliver C2 detections
Web Scout show how powerful JA4H is, even if the licensing terms of JA4 are restrictive..
The use of JA4H fingerprints has proven to be an effective method for detecting and analyzing malicious activity, especially in the context of the recent exploitation of Palo Alto Networks firewall vulnerabilities. By dissecting and understanding the fingerprint shared by John Althouse, po11cn050000_bb52516416a2_eb49a3237520_*, we were able to uncover additional command and control servers and validate the threat activity reported by Arctic Wolf.
https://blog.webscout.io/dissecting-ja4h-for-improved-sliver-c2-detections/
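Hunting with the fingerprint quoted above, as an added example that is neither Web Scout's nor FoxIO's code: a decoder for the JA4H_a field plus a wildcard matcher run over constructed log lines. It assumes the JA4H layout published by FoxIO (method, HTTP version, cookie flag, referer flag, header count, language, then three 12-hex-character hashes); only the Sliver pattern is from the post.

```python
"""Decode and match JA4H fingerprints for C2 hunting."""
import re
from dataclasses import dataclass
from typing import List, Optional

# JA4H_a: method(2) version(2) cookie[c|n] referer[r|n] header-count(2) language(4),
# then JA4H_b (headers), JA4H_c (cookie names), JA4H_d (cookie values), each 12 hex or '*'.
JA4H_RE = re.compile(
    r"^(?P<method>[a-z]{2})(?P<version>\d{2})(?P<cookie>[cn])(?P<referer>[rn])"
    r"(?P<headers>\d{2})(?P<lang>[a-z0-9]{4})"
    r"_(?P<b>[0-9a-f]{12}|\*)_(?P<c>[0-9a-f]{12}|\*)_(?P<d>[0-9a-f]{12}|\*)$"
)

# First two letters of the HTTP method, as JA4H encodes them.
METHODS = {"ge": "GET", "po": "POST", "pu": "PUT", "he": "HEAD",
           "de": "DELETE", "op": "OPTIONS", "pa": "PATCH"}

# Pattern quoted in the Web Scout post; '*' ignores the cookie-value hash.
SLIVER_PATTERN = "po11cn050000_bb52516416a2_eb49a3237520_*"


@dataclass(frozen=True)
class JA4H:
    method: str
    http_version: str
    has_cookie: bool
    has_referer: bool
    header_count: int
    language: Optional[str]      # None when the client sent no Accept-Language
    header_hash: str
    cookie_name_hash: str
    cookie_value_hash: str


def parse_ja4h(fp: str) -> JA4H:
    """Split a JA4H string into its documented fields; raises ValueError if malformed."""
    m = JA4H_RE.match(fp.strip())
    if not m:
        raise ValueError(f"not a JA4H fingerprint: {fp!r}")
    ver = m["version"]
    return JA4H(
        method=METHODS.get(m["method"], m["method"].upper()),
        http_version=f"{ver[0]}.{ver[1]}",
        has_cookie=m["cookie"] == "c",
        has_referer=m["referer"] == "r",
        header_count=int(m["headers"]),
        language=None if m["lang"] == "0000" else m["lang"],
        header_hash=m["b"],
        cookie_name_hash=m["c"],
        cookie_value_hash=m["d"],
    )


def matches(pattern: str, observed: str) -> bool:
    """True when every part of observed equals the pattern part or the pattern part is '*'."""
    p, o = pattern.split("_"), observed.split("_")
    if len(p) != 4 or len(o) != 4:
        raise ValueError("a JA4H fingerprint has exactly four underscore-separated parts")
    return all(pp == "*" or pp == oo for pp, oo in zip(p, o))


# Constructed log lines (timestamp, client address, JA4H); not real traffic.
CONSTRUCTED_LOG = [
    "2024-11-25T10:00:01Z 203.0.113.7 po11cn050000_bb52516416a2_eb49a3237520_1a2b3c4d5e6f",
    "2024-11-25T10:00:02Z 198.51.100.3 ge11nn31enus_1f2e3d4c5b6a_000000000000_000000000000",
    "2024-11-25T10:00:03Z 203.0.113.9 po11cn050000_bb52516416a2_eb49a3237520_fedcba987654",
    "2024-11-25T10:00:04Z 192.0.2.44 po11cn050000_bb52516416a2_ffffffffffff_fedcba987654",
    "2024-11-25T10:00:05Z 203.0.113.7 po11cn050000_bb52516416a2_eb49a3237520_1a2b3c4d5e6f",
]


def hunt(log_lines: List[str], pattern: str = SLIVER_PATTERN) -> List[str]:
    """Return client addresses whose JA4H matches pattern, deduplicated in first-seen order."""
    seen, hits = set(), []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        client, fp = parts[1], parts[2]
        try:
            parse_ja4h(fp)          # drop malformed fingerprints before matching
        except ValueError:
            continue
        if matches(pattern, fp) and client not in seen:
            seen.add(client)
            hits.append(client)
    return hits


if __name__ == "__main__":
    print(parse_ja4h(SLIVER_PATTERN))
    print("clients matching Sliver pattern:", hunt(CONSTRUCTED_LOG))
```

This decodes and matches fingerprints already computed by a sensor; producing JA4H from raw traffic is left to a tool licensed for it.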
Assessing static and dynamic features for packing detection
Serena Lucca, Dimitri Wauters, Charles-Henry Bertrand Van Ouytsel and Axel Legay give some insight into how well machine learning classifiers can detect packing given the extractable features..
Packing is a widely used obfuscation technique for malware to bypass detection tools and hinder reverse engineering. Existing research has already covered methods to detect packing, both with static and dynamic analysis. These methods are based on various features: headers, entropy, API calls, section permissions, etc. While dynamic features are generally more informative, their contribution compared to static features is not always clear. This paper compares the impact of these static and dynamic features on different machine learning classifiers. We propose a study on different datasets to determine whether the information provided by dynamic analysis outweighs its significant extraction time.
https://dial.uclouvain.be/pr/boreal/object/boreal:288795
Measuring Malware Detection Capability for Security Decision Making
Muhammad Yasir Muzayan Haq, Abhishta Abhishta, Sander Zeijlemaker, Annette Chau, Michael Siegel and L.J.M. Nieuwenhuis bring some quantification even if the vendors will debate the validity..
Our findings demonstrate that while over 60% of scanner engines detect 67% of samples, certain malware families consistently exhibit lower detection rates. Detection capability improves over time, particularly within the initial 30 days, but remains inadequate for specific families. Furthermore, we observe that some scanner engines demonstrate nearly flawless detection capability across all malware families, while the majority struggle with efficiently detecting certain types. Moreover, we performed Monte Carlo simulations and revealed that employing multiple scanner engines substantially enhances detection capability, with 3 to 7 scanners being optimal. Finally, simulation analysis in a case study highlights the significant impact of hard-to-detect malware on risk and performance, underscoring the importance of effective malware strategies.
Automated detection of sshd backdoors
BinaryAI is a Chinese Tencent Security Keen Lab capability / model and is applied here to detect sshd implants. Their success is noteworthy..
Based on the above methods, we traced back sshd samples from sources such as Tencent Security Threat Intelligence and VirusTotal, and found 42 new sshd backdoor samples, of which 8 samples were detected by zero VirusTotal engines (see Appendix 8 for related IOCs).
https://mp.weixin.qq.com/s/hM3JubbPHE3hp_1MmoPtow
DefenderYara: Extracted Yara rules from Windows Defender mpavbase and mpasbase
Roadwy extracts the Yara from up to a couple of weeks ago..
https://github.com/roadwy/DefenderYara
Defence
How we proactively defend our environments.
Phishing-Resistant Multi-Factor Authentication (MFA) Success Story: USDA’s Fast IDentity Online (FIDO) Implementation
CISA releases this awesome report..
This report details how USDA successfully implemented phishing-resistant authentication in situations where in the past only authentication methods vulnerable to phishing were feasible. Due to the adoption of a centralized model to manage Identity, Credential, and Access Management (ICAM), the ability to make incremental improvements, and knowledge of the use cases in need of address, USDA succeeded in implementing MFA. USDA encourages all organizations facing phishing-resistant authentication enforcement challenges, where PIV or other certificate-based authentication is not an option, to review USDA’s use of FIDO for guidance.
Incident Writeups & Disclosures
How they got in and what they did.
Joint Investigation Into Lifelabs Data Breach
The Information and Privacy Commissioner for British Columbia’s investigation report has been published.
The ON IPC and the BC OIPC have conducted a joint investigation of the breach. Having concluded their investigation, the ON IPC and BC OIPC make the following findings:
LifeLabs failed to take reasonable steps to protect personal information and personal health information in its custody and control from theft, loss, and unauthorized access, collection, use, disclosure, copying, modification or disposal.
LifeLabs failed to have in place and follow policies and information practices that comply with PIPA and PHIPA.
LifeLabs collected more personal information and personal health information than is reasonably necessary to meet the purpose for which it was collected.
https://www.oipc.bc.ca/documents/investigation-reports/2886
Vulnerability
Our attack surface.
D-Link DSR-150/DSR-150N/DSR-250/DSR-250N/DSR-500N/DSR-1000N - End-of-Life / End-of-Service in North America
End-of-life products bite..
Stack buffer overflow vulnerability, which allows unauthenticated users to execute remote code execution.
https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10415
Offense
Attack capability, techniques and trade-craft.
Eclipse: Activation Context Hijack
Kurosh Dabbagh Escalante shows there is still value in learning the innards of Windows in 2024. The number of possible EDR gaps in terms of telemetry accuracy could be quite profound.
Eclipse is a PoC that performs Activation Context hijack to load and run an arbitrary DLL in any desired process. Initially, this technique was created as a more flexible alternative to DLL Sideloading + DLL proxying that can be leveraged to inject arbitrary code in a trusted process, although it has proven to have other applications.
By definition, Activation Contexts are "data structures in memory containing information that the system can use to redirect an application to load a particular DLL version" and also can be used to determine the path from where a specific DLL has to be loaded. An Activation Context is created by parsing the contents of a manifest file. When a process is created, the OS parses the binary's manifest (which can be embedded in the binary itself or as an independent file in the same directory) and it maps in the memory of the newly spawned process what I call the main Activation Context. This main AC will be used to find the right file each time a DLL has to be loaded (regardless of whether this loading is due to dependencies in the IAT of a module or as a call to LoadLibrary).
https://github.com/Kudaes/Eclipse
UDRL, SleepMask, and BeaconGate
Rasta Mouse explores these features of Cobalt Strike, which should be a focus of detection.
The User-Defined Reflective Loader (UDRL) allows operators to replace Beacon's default reflective loader with their own custom implementation. This allows them to go above and beyond the customisations exposed by Malleable C2.
https://rastamouse.me/udrl-sleepmask-and-beacongate/
Gaming Engines: An Undetected Playground for Malware Loaders
Check Point detail a rather novel technique here which avoids detection..
[We] discovered a new technique taking advantage of Godot Engine, a popular open-source game engine, to execute crafted GDScript, code which triggers malicious commands and delivers malware. The technique remains undetected by almost all antivirus engines in VirusTotal.
[We] identified GodLoader, a loader that employs this new technique. The threat actor behind this malware has been utilizing it since June 29, 2024, infecting over 17,000 machines
The malicious GodLoader is distributed by the Stargazers Ghost Network, a GitHub network that distributes malware as a service. Throughout September and October, approximately 200 repositories and over 225 Stargazers were used to legitimize the repositories distributing the malware.
This new technique allows threat actors to target and infect devices across multiple platforms, such as Windows, macOS, Linux, Android, and iOS.
Check Point Research demonstrates how this multi-platform technique can successfully drop payloads in Linux and MacOS.
A potential attack can target over 1.2 million users of Godot-developed games. These scenarios involve taking advantage of legitimate Godot executables to load malicious scripts in the form of mods or other downloadable content.
https://research.checkpoint.com/2024/gaming-engines-an-undetected-playground-for-malware-loaders/
NachoVPN 🌮🔒
Get your hunting strategies on for the use of this to obtain credentials..
NachoVPN is a Proof of Concept that demonstrates exploitation of SSL-VPN clients, using a rogue VPN server.
It uses a plugin-based architecture so that support for additional SSL-VPN products can be contributed by the community. It currently supports various popular corporate VPN products, such as Cisco AnyConnect, SonicWall NetExtender, Palo Alto GlobalProtect, and Ivanti Connect Secure.
https://github.com/AmberWolfCyber/NachoVPN
How Malware Corrupts the Protectors
Trishaan Kalra details an instance of Bring Your Own Driver.
Instead of using a specially crafted driver to perform its malicious activities, the malware uses a trusted kernel driver, giving it an air of legitimacy and allowing it to avoid raising alarms while preparing to undermine the system’s defense.
Once the legitimate kernel driver is dropped, the malware uses Service Control (sc.exe) to create a service ‘aswArPot.sys’ that registers the driver for further actions.
..
The malware contains the following list of 142 hardcoded security process names
..
Once the Avast Anti-Rootkit driver is installed and the ‘aswArPot.sys’ service is created, the malware enters an infinite loop, taking snapshots of the actively running processes on the system
..
the Avast driver is able to terminate processes at the kernel level, effortlessly bypassing the tamper protection mechanisms of most antivirus and EDR solutions.
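The pattern described above (sc.exe creating a kernel driver service for aswArPot.sys dropped outside its vendor directory) is a straightforward hunt. The following is an added illustration, not code from the write-up: it runs simple matching over constructed records shaped like Sysmon Event ID 1 and System Event ID 7045; the hostnames, paths and the "expected directory" for the Avast driver are assumptions for the sample.

```python
"""Hunt for the BYOVD pattern: a driver service for aswArPot.sys created
via sc.exe, with the driver dropped somewhere other than Avast's own
install directory. Records below are constructed samples, not real
telemetry; field names follow Sysmon EID 1 and System EID 7045."""
import re

# Constructed sample events (hosts and paths are made up).
EVENTS = [
    {"id": 7045, "host": "ws01", "ServiceName": "aswArPot.sys",
     "ImagePath": r"C:\Users\Public\aswArPot.sys", "ServiceType": "kernel mode driver"},
    {"id": 1, "host": "ws01", "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r"sc.exe create aswArPot.sys binPath= C:\Users\Public\aswArPot.sys type= kernel"},
    {"id": 7045, "host": "ws02", "ServiceName": "aswArPot",
     "ImagePath": r"C:\Program Files\Avast Software\Avast\aswArPot.sys", "ServiceType": "kernel mode driver"},
    {"id": 1, "host": "ws03", "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r"sc.exe query wuauserv"},
]

# Assumed legitimate location of the vendor driver; a kernel driver service
# pointing at this file anywhere else is the suspicious case.
EXPECTED_DIR = re.compile(r"^C:\\Program Files\\Avast Software\\", re.IGNORECASE)
DRIVER_NAME = "aswarpot.sys"
SC_CREATE = re.compile(r"\bsc(?:\.exe)?\s+create\s+(\S+)", re.IGNORECASE)


def classify(event):
    """Return (host, reason) for a suspicious event, else None."""
    if event["id"] == 7045:
        path = event.get("ImagePath", "")
        if path.lower().endswith(DRIVER_NAME) and not EXPECTED_DIR.match(path):
            return (event["host"], f"driver service installed from {path}")
    elif event["id"] == 1 and event.get("Image", "").lower().endswith("sc.exe"):
        cmd = event.get("CommandLine", "")
        m = SC_CREATE.search(cmd)
        if m and DRIVER_NAME in cmd.lower():
            return (event["host"], f"sc.exe created service {m.group(1)} for {DRIVER_NAME}")
    return None


def hunt(events):
    """All suspicious (host, reason) tuples in an event stream."""
    return [hit for hit in map(classify, events) if hit]


if __name__ == "__main__":
    for host, reason in hunt(EVENTS):
        print(host, reason)
```

The two ws01 records fire (unexpected path, and the sc.exe create); the vendor-directory install on ws02 and the unrelated sc.exe query on ws03 do not.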
Modifying Impacket to avoid detection
Idan Ron details the steps to avoid the default indicators.
https://n7wera.notion.site/Modifing-Impacket-to-avoid-detection-4df93e4bdbdc439988d79864774af569
Exploitation
What is being exploited..
ProjectSend CVE-2024-11680 Exploited in the Wild
Jacob Baines highlights how a product you have never heard of can potentially cause quite a lot of internet pain..
Public-facing ProjectSend instances appear to have been exploited by attackers.
99% of ProjectSend instances remain vulnerable and have not upgraded to the patched version released in August.
Public exploits have pre-dated CVE assignment by months, including Nuclei templates and a weaponized Metasploit module.
ProjectSend is an open-source file-sharing web application. The project is moderately popular, with almost 1,500 GitHub stars and more than 4,000 instances indexed by Censys. Although the CVE for this vulnerability was only published today (November 26), the patch has been publicly available for over a year (May 16, 2023).
https://vulncheck.com/blog/projectsend-exploited-itw
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
bin2ml
Josh Collyer releases a new version..
A command line tool for extracting machine learning ready data from software binaries powered by Radare2 (New Release - Reckless Riddler)
Added support for extracting strings
Added support for extracting function bytes, mirroring the REFUSE model outlined in this paper
https://github.com/br0kej/bin2ml/releases/tag/v0.4.1
hwp-extract
Volexity releases in support of those working on South East Asian cases..
A library and cli tool to extract HWP files.
https://github.com/volexity/hwp-extract
floki: Agentic Workflows Made Simple
Roberto Rodriguez gives a power up
Floki is an open-source framework for researchers and developers to experiment with LLM-based autonomous agents. It provides tools to create, orchestrate, and manage agents while seamlessly connecting to LLM inference APIs.
https://github.com/Cyb3rWard0g/floki/
Improving synthetic network attack traffic generation
Abdirisaq Farah, Martin Nielsen and Emmanouil Vasilomanolakis introduce a work aid which will help in detection engineering.
ID2T aims to generate synthetic, yet realistic attack traces, for subsequent injection into benign background traffic. In this paper, we identify a number of limitations in ID2T that we subsequently resolve by proposing and implementing specific improvements. Moreover, we expand the tool to include more complex and modern attacks. For instance, we improve i) the background traffic manipulation modules, ii) the generation of realistic inter-arrival times between network packets, iii) the overall generated network packets in relation to the generation of context-aware IP addresses, and iv) the usage of ephemeral ports and the creation of the synthetic payloads. Each improvement is followed by a respective implementation and an extensive evaluation.
https://backend.orbit.dtu.dk/ws/portalfiles/portal/360893246/2024137762.pdf
vmi: Modular and extensible library for Virtual Machine Introspection
Petr Beneš brings us in Rust..
The framework is designed to be modular and extensible, supporting multiple CPU architectures, hypervisors, and operating systems. It includes built-in support for AMD64 architecture, Xen hypervisor, and Windows and Linux operating systems.
LLVM-powered deobfuscation of virtualized binaries
Jack Royer details an internship project which shows some potential of applying LLVM to deobfuscation.
Although we achieved promising results regarding speed and modularity, the scope of this internship was still quite limited:
we only considered deobfuscation of pure functions with no calls;
we only deobfuscate a single execution path;
our deobfuscator struggles with certain loops.
https://blog.thalium.re/posts/llvm-powered-devirtualization/
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Aggregate reporting
Artificial intelligence
Books
Events
Nothing this week
Unless stated otherwise, linked or referenced content does not necessarily represent the views of the NCSC and reference to third parties or content on their websites should not be taken as endorsement of any kind by the NCSC. The NCSC has no control over the content of third party websites and consequently accepts no responsibility for your use of them.
This newsletter is subject to the NCSC website terms and conditions which can be found at https://www.ncsc.gov.uk/section/about-this-website/terms-and-conditions and you can find out more about how we will treat your personal information in our privacy notice at https://www.ncsc.gov.uk/section/about-this-website/privacy-statement.