CTO at NCSC Summary: week ending December 10th
Industrial Control System spillover is a thing...
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week we have some spill over from a regional conflict into the wider world through Industrial Control Systems.
In the high-level this week:
UK exposes attempted Russian cyber interference in politics and democratic processes
World first agreement to tackle online fraud - The UK government and some of the world's biggest tech companies have agreed a series of pledges to protect the public from online fraud.
Cyber resilience act: [European] Council and Parliament strike a deal on security requirements for digital products - Connected devices need a basic level of cybersecurity when sold in the EU, ensuring that businesses and consumers are properly protected against cyber threats. This is exactly what the cyber resilience act will achieve once it enters into force.
AUKUS Defense Ministers Meeting Joint Statement - Trilaterally, AUKUS partners are engaging on cyber security with critical suppliers to the naval supply chain. We are collaborating with industry partners to deploy some advanced tooling which will uplift the cyber security of our supply chains, while also giving us greater insight into the threats to AUKUS. The AUKUS partners are also working to strengthen cyber capabilities, including protecting critical communication and operations' systems.
Cyber Threats to Canada’s Democratic Process: 2023 update - Foreign adversaries are increasingly using cyber tools to target democratic processes around the world. Disinformation has become ubiquitous in national elections, and adversaries are now using generative artificial intelligence (AI) to create and spread fake content.
A European Defence for our Geopolitical Union: speech by President Charles Michel at the EDA annual conference - I propose a European cyber force that would be a fundamental component of our European defence. It would help us to take a position of leadership in cyber responsive operations
[French] Ministers ordered by Matignon to uninstall WhatsApp, Signal and Telegram by December 8 - the Prime Minister's services asked members of the government to deploy the Olvid application on their devices in order to “reinforce the security of exchanges which may contain confidential information
Reps Houlahan, Gallagher Introduce Bipartisan, Bicameral Bill to Grow Cybersecurity Workforce - The Federal Cybersecurity Workforce Expansion Act establishes two new programs:
A cybersecurity registered apprenticeship program in the Cybersecurity and Infrastructure Security Agency (CISA)
A pilot program housed in the Department of Veterans Affairs (VA) to give cybersecurity training to veterans
Queensland passes mandatory data breach notice laws - Queensland has become only the second [Australian] state to legislate a mandatory data breach notification scheme for public sector entities, as an almost identical scheme comes into effect in New South Wales.
Russian National Pleads Guilty to Trickbot Malware Conspiracy - Dunaev developed browser modifications and malicious tools that aided in credential harvesting and datamining from infected computers, facilitated and enhanced the remote access used by Trickbot actors, and created a program code to prevent the Trickbot malware from being detected by legitimate security software.
Ukraine Government appoints Yurii Myronenko as new SSSCIP Head in Ukraine
The [South Korean] judiciary was robbed by the North Korean hacking group ‘Lazarus - Lazarus infiltrated the judiciary's computer network until early this year... Up to hundreds of gigabytes [were] removed
Japan to require tech leak prevention for chip subsidies - The Japanese government will require companies receiving subsidies related to semiconductors and other critical items to take measures to prevent the leaking of technology to other countries.
Japan space agency hit with cyberattack, rocket and satellite info not accessed - There was a possibility of unauthorised access by exploiting the vulnerability of network equipment
SSNDOB Marketplace Administrator Who Sold Millions Of Social Security Numbers Sentenced To Eight Years In Prison - The administrators also employed various techniques to protect their anonymity and to thwart detection of their activities, including strategically maintaining servers in various countries, and requiring buyers to use digital payment methods.
Ghana to hold first Global Conference on Cyber Capacity Building - More than 800 delegates from over 100 countries across the globe are expected [attended] the first-ever Global Conference on Cyber Capacity Building (GC3B) from November 29th to 30th, 2023 in Accra.
23andme expects to incur between $1 million and $2 million in onetime expenses related to the incident during its fiscal third quarter ending December 31, 2023 due to breach
The National Cyber and Information Security Agency (hereinafter the "Agency") of the Czech Republic Mobile App Security Threat Alert: WeChat - The threat associated with the WeChat app is very similar to the threat surrounding the TikTok app operated by the Chinese company ByteDance, which the Agency warned about on March 8, 2023. "We are issuing this security threat alert not only based on our own analysis, but also on information from our domestic and foreign partners.
Reporting on/from China
China Is Ramping Up Cyberattacks Against Taiwan, Google Says -
Evolving China-based cyberwarfare demands greater regional resilience - (note this is written by a vendor) - The VANGUARD PANDA breach may indicate new assertiveness from Chinese cyber operatives in the Pacific region. Whereas theft and compromise of intellectual property, espionage and destructive attacks are motivated by intelligence, technological and financial needs, VANGUARD PANDA had the potential to be activated at a critical future juncture, disrupting communications and influencing a potential future conflict in the South China Sea.
DeepSeek LLM - an advanced [open source] language model comprising 67 billion parameters. It has been trained from scratch on a vast dataset of 2 trillion tokens in both English and Chinese.
Beijing court’s ruling that AI-generated content can be covered by copyright eschews US stand, with far-reaching implications on tech’s use - The Beijing Internet Court ruled that an AI-generated image in an intellectual property dispute was an artwork protected by copyright laws
Artificial intelligence
Levels of AGI: Operationalizing Progress on the Path to AGI - Industry attempting to define, likely to in an attempt to avoid over burden of regulation by getting AGI to be a very narrow definition.
Moderating Model Marketplaces: Platform Governance Puzzles for AI Intermediaries - These model marketplaces lower technical deployment barriers for hundreds of thousands of users, yet can be used in numerous potentially harmful and illegal ways. In this article, we argue that AI models, which can both ‘contain’ content and be open-ended tools, present one of the trickiest platform governance challenges seen to date.
US appeals court proposes AI restrictions in all court filings - first US appeals court to propose a new rule requiring lawyers to certify that they either did not use generative artificial intelligence (AI) programs
Data Provenance Standards - The first cross-industry metadata to bring transparency to the origin of datasets used for both traditional data and AI applications.
Power Hungry Processing: Watts Driving the Cost of AI Deployment? - We measure deployment cost as the amount of energy and carbon required to perform 1,000 inferences on representative benchmark dataset using these models. We find that multi-purpose, generative architectures are orders of magnitude more expensive than task-specific systems for a variety of tasks, even when controlling for the number of model parameters.
Cyber proliferation
Old Dog, Same Tricks: The Kremlin's Technological Echo Chamber Exposed by Ukranian Hackers - M-13 touts itself as a Russian software company which offers a variety of services that include penetration testing, APT emulation, social media scanning, and consulting services, boasting a clientele that includes Russia’s presidential administration and the Russian government.
Finland seeks to become metaverse global leader by 2035 - While China, Japan, the UK, and the United Arab Emirates have started to work on similar strategies, this is the first national metaverse strategy from an EU member state.
Indian financial institutions to obtain access to OR escrow source code - Regulated Entities shall obtain the source codes for all critical applications from their vendors. Where obtaining of the source code is not possible, Regulated Entities shall put in place a source code escrow arrangement or other arrangements to adequately mitigate the risk of default by the vendor. REs shall ensure that all product updates and programme fixes are included in the source code escrow arrangement.
Catastrophe Bond & Insurance-Linked Securities Deal Directory for Cyber - $330 million issued in 2023 - a growing market - these are used by insurers and reinsurers to transfer major risks on their books to capital market investor, So they reduce their overall reinsurance costs while freeing up capital to underwrite new insurance business.
Reflections this week are around web security and specifically web software stack security. If it has taken us 50 years to address memory corruption at a fundamentals level in native languages like C through the advert of CHERI Rust, Go, memory tagging etc yet not reach mass adoption. I do wonder how long it will take to address the ever expanding and more expansive challenge of web technology security. The myriad of vulnerability classes is vast coupled with n to the ‘a lot of components’ which can be combined for different outcomes. I am not aware of any good models which address root causes in this space which highlights how much we have to do..
Enjoying this? Don’t get via e-mail? Subscribe:
Think someone else would benefit? Share:
All attribution is by others and not the UK Government, please see the legal text at the end.
Have a lovely Thursday
Ollie
Cyber threat intelligence
Who is doing what to whom and how.
Reporting on Russia
Russian FSB cyber actor Star Blizzard continues worldwide spear-phishing campaigns
OK this is the UK Government attributing this one.
The UK and international allies call out sustained, unsuccessful attempts to interfere in UK politics and democratic processes by Russian state cyber actors
GCHQ’s National Cyber Security Centre assesses the threat group responsible is almost certainly subordinate to Centre 18 of Russia’s Federal Security Service (FSB)
High-risk individuals – including politicians and journalists – encouraged to follow refreshed guidance, published today, to help defend against online threats
https://www.ncsc.gov.uk/news/uk-and-allies-expose-cyber-campaign-attempted-political-interference
related Star Blizzard increases sophistication and evasion in ongoing attacks
This blog provides updated technical information about Star Blizzard tactics, techniques, and procedures (TTPs), building on our 2022 blog as the actor continues to refine their tradecraft to evade detection. As with any observed nation-state actor activity, Microsoft directly notifies customers that have been targeted or compromised, providing them with the necessary information to secure their accounts.
TA422’s Dedicated Exploitation Loop—the Same Week After Week
Greg Lesnewich and Crista Giering identify technical tradecraft being used to leak password hashes by this alleged Russian threat actor.
Since March 2023, [Our] researchers have observed regular TA422 (APT28) phishing activity, in which the threat actor leveraged patched vulnerabilities to send, at times, high-volume campaigns to targets in Europe and North America.
TA422 used the vulnerabilities as initial access against government, aerospace, education, finance, manufacturing, and technology sector targets likely to either disclose user credentials or initiate follow-on activity.
The vulnerabilities included CVE-2023-23397—a Microsoft Outlook elevation of privilege flaw that allows a threat actor to exploit TNEF files and initiate NTLM negotiation, obtaining a hash of a target’s NTLM password—and CVE-2023-38831—a WinRAR remote code execution flaw that allows execution of “arbitrary code when a user attempts to view a benign file within a ZIP archive,” according to the NIST disclosure.
"Subpoena": another targeted UAC-0050 attack using RemcosRAT (CERT-UA#8150)
Reporting from the Ukrainian government on the some rather basic tradecraft but rather large campaign.
The specified RAR archive contains a password-protected file "Subpoena to court.rar", which contains a document with the macro "Subpoena to court.doc".
At the same time, it should be noted that e-mails were sent to more than 15,000 recipients using legitimate compromised accounts of one of the judicial authorities of Ukraine.
https://cert.gov.ua/article/6276567
Rare Wolf hunts for private data using fake 1C:Enterprise invoices
A look behind the curtain of what is happening in Russia i.e. how they are being targeted.
The attackers sent phishing emails with archives that, according to them, contained 1C:Enterprise invoices, as well as electronic keys to them. This made it possible to lull the victim's vigilance and divert his attention from the file extension.
The use of non-standard attachment formats allows attackers to reduce the vigilance of victims and increase the likelihood of compromise.
Hacking and stealing Telegram accounts are especially popular among attackers, and to access the data of messenger users they only need to copy one folder.
Attackers actively use legitimate monitoring tools: this allows them to merge with a compromised IT infrastructure.
Hellhounds: operation Lahat
Another set of insights from within Russia and this time against their CNI.
[We] discovered that a certain power company was compromised by the Decoy Dog trojan. According to the PT CSIRT investigation, Decoy Dog has been actively used in cyberattacks on Russian companies and government organizations since at least September 2022. This trojan was previously discussed by NCIRCC, Infoblox, CyberSquatting, and Solar 4RAYS.
As far as we can tell, the APT group Hellhounds that uses Decoy Dog only targets organizations located in Russia. Remarkably, the attackers were using the command-and-control (C2) server maxpatrol[.]net to impersonate Positive Technologies MaxPatrol products.
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/hellhounds-operation-lahat/
Guidance for investigating attacks using CVE-2023-23397 - December 4, 2023 update
Some practical advise on how to investigate attacks which are allegedly being undertaken by a Russian state aligned actor against email servers using a known vulnerability.
[We] identified a nation-state activity group tracked as Forest Blizzard (STRONTIUM), based in Russia, actively exploiting CVE-2023-23397 to provide secret, unauthorized access to email accounts
Reporting on China
Nothing this week
Reporting on North Korea
Treasury Targets DPRK’s International Agents and Illicit Cyber Intrusion Group
US Government does one of the things it does very well with this response.
Today, in coordination with foreign partners, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned eight foreign-based Democratic People’s Republic of Korea’s (DPRK) agents that facilitate sanctions evasion, including revenue generation and missile-related technology procurement that support the DPRK’s weapons of mass destruction (WMD) programs. Additionally, OFAC sanctioned cyber espionage group Kimsuky for gathering intelligence to support the DPRK’s strategic objectives.
https://home.treasury.gov/news/press-releases/jy1938
BlueNoroff: new Trojan attacking macOS users
Sergey Puza shows how this threat actor continues to evolve and innovate in the macOS eco-system.
We recently discovered a new variety of malicious loader that targets macOS, presumably linked to the BlueNoroff APT gang and its ongoing campaign known as RustBucket. The threat actor is known to attack financial organizations, particularly companies, whose activity is in any way related to cryptocurrency, as well as individuals who hold crypto assets or take an interest in the subject.
https://securelist.com/bluenoroff-new-macos-malware/111290/
Analysis of North Korean Hackers’ Targeted Phishing Scams on Telegram
Insight into the continued sectoral targeting to get digital assets by this alleged North Korean threat actor.
More recently, these hackers have escalated their tactics by posing as reputable investment institutions to execute phishing scams against various cryptocurrency project teams. Due to the considerable impact of these fraudulent activities, we at SlowMist have undertaken a detailed analysis.
Kimsuky group (RftRAT, Amadey) uses AutoIt to create malware
South Korean reporting on a adjustment in tradecraft to using scripting languages by this threat actor.
Amadey and RftRAT, along with XRat, will continue to be used through 2023, but forms produced with AutoIt have recently been identified. We also cover information-stealing malware that the Kimsuky group installs additionally using remote control malware. Malicious codes for remote control purposes are constantly changing, but the malware installed using them is characterized by being consistently used in attacks without significant differences through 2023.
https://asec.ahnlab.com/ko/59460/
Reporting on Iran
Iran-Backed Cyber Av3ngers Escalates Campaigns Against U.S. Critical Infrastructure
Jim Walter details alleged Iranian-backed hacktivist groups being responsible for targeting real-world ICS systems in the US.
On November 25, 2023, The Municipal Water Authority of Aliquippa disclosed an attack in which it lost control of one of the booster stations for the area. The attackers appear to have compromised a Unitronics PLC by exploiting weak or default passwords along with targeting the default and well-documented programming port for these devices.
The attackers renamed the PLC to “Gaza” and defaced the user interface.
..
In addition, federal officials have indicated that a number of other water authorities on the east coast of the United States have been impacted by the Cyber Av3ngers, as well as at least one aquarium and a brewery.
Reporting on Other Actors
Analysis of OceanLotus APT organization imitating APT29 attack activities
Chinese reporting on supposed Vietnamese activity pretending to be Russian.
[We] captured the latest attack sample of the OceanLotus organization. This sample uses the theme of purchasing BMW cars to induce the target to execute malicious files. At the same time, the attack has similarities with this year's APT29 induction theme and Trojan loading process. Preliminary analysis shows that this may be the result of deliberate imitation by the attacker.
AeroBlade on the Hunt Targeting the U.S. Aerospace Industry
Interesting industry targeting with basic tradecraft. Actor is unattributed.
The actor used spear-phishing as a delivery mechanism: A weaponized document, sent as an email attachment, contains an embedded remote template injection technique and a malicious VBA macro code, to deliver the next stage to the final payload execution.
https://blogs.blackberry.com/en/2023/11/aeroblade-on-the-hunt-targeting-us-aerospace-industry
New Tool Set Found Used Against Organizations in the Middle East, Africa and the US
Chema Garcia details a new set of implants by an unattributed actor.
[We] observed a series of apparently related attacks against organizations in the Middle East, Africa and the U.S.
We assess with medium confidence that this threat activity cluster aligns to nation-state related threat actors due to the nature of the organizations that were compromised, the TTPs observed and the customization of the tool set. We have not confirmed a particular nation-state or threat group.
We have also identified two compromised organizations in common across both activity clusters. Some of the TTPs match on both clusters, such as the MS Exchange PowerShell snap-ins and one of the Network Provider DLL modules.
https://unit42.paloaltonetworks.com/new-toolset-targets-middle-east-africa-usa/
The Tortoise and The Malwahare
Alleged Turkish threat actor has their implants and infrastructure 🔥
Between 2021 and 2023, the threat actor has used SnappyTCP, a simple reverse TCP shell for Linux/Unix that has basic C2 capabilities and is also used for establishing persistence on a system;
There are at least two main variants; one which uses plaintext communication and the other which uses TLS for a secure connection;
The threat actor has highly likely used code from a publicly accessible GitHub account, and we assess with realistic probability that this account is currently controlled by the threat actor; and,
Pivoting on infrastructure associated with the threat actor, we identified multiple domains resolving throughout 2023 that are spoofing NGOs and Media organizations, both of which are consistent with this threat actor's targeting motivations. These motivations center on conducting espionage for the collection of information that can then be exploited for surveillance purposes, or to gather traditional intelligence about the activities of specific targets.
https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/tortoise-and-malwahare.html
Associated Press, ESPN, CBS among top sites serving fake virus alerts
Jérôme Segura details how adverts on major sites are being misused to drive revenue.
The list of affected publishers includes the Associated Press, ESPN and CBS, where unsuspecting readers are automatically redirected to a fake security alert connected to a malicious McAfee affiliate.
ScamClub is resourceful and continues to have a deep impact on the ad ecosystem. While we could not identify precisely which entity served the ad, we have reported the website used to run the fake scanner to Cloudflare which immediately took action and flagged it as phishing.
Spyware Employs Various Obfuscation Techniques to Bypass Static Analysis
Tommy Dong and Yuanjing Guo shows that threat actors are in some cases deeply technical and capable.
Recently, our attention was caught by a Spyware cluster, which has employed a series of ingenious techniques to heighten the difficulties associated with static analysis.
Vidar Infostealer Steals Booking.com Credentials in Fraud Scam
Interesting attack and targeting here for what is suspected of being criminal intent.
[Our] incident responders involved deployment of the Vidar infostealer to steal a hotel's Booking.com credentials. Access to the Booking.com management portal (admin . booking . com) allows the threat actor to see upcoming bookings and directly message guests. This incident is likely part of a broader and widely reported campaign. Vidar is not usually used in targeted attacks, but the demand for these types of credentials on underground forums could increase the frequency and impact of this type of malicious activity.
The flourishing market for Booking.com credentials to commit fraud suggests that threat actors will continue to target properties that use the platform. The lists of properties on the Booking.com website and in the app can allow threat actors to identify potential targets. Exploiting stolen property credentials to communicate directly with guests facilitates the social engineering attacks.
https://www.secureworks.com/blog/vidar-infostealer-steals-booking-com-credentials-in-fraud-scam
Potentially related Cybercriminals Leverage Hijacked Booking.com accounts for Phishing
https://blog.bushidotoken.net/2023/12/cybercriminals-leverage-hijacked.html
Discovery
How we find and understand the latent compromises within our environments.
Detecting AiTM Phishing Sites with Fuzzy Hashing
How fuzzy hashes can have use in tracking actors.
This concept draws from prior industry art, as IOCs (ex: SHA-1/SHA-265) and fuzzy hashes (ex: SSDEEP, TLSH) have been used for hunting and detection on endpoints for some time. If unfamiliar, fuzzy hashing creates a hash value that attempts to detect the level of similarity between two things at the binary level.
https://www.obsidiansecurity.com/blog/detecting-aitm-phishing-sites-with-fuzzy-hashing/
RMML: A list of RMMs designed to be used in automation to build alerts
Jeremy Mill provides threat hunting teams a valuable data set which will no doubt be illuminating.
RMML is the Remote Management and Monitoring (tool) List. A decision was made to also include remote network access tools such as ngrok and tailscale. It is a list of RMM tools with associated metadata that aims to be useful for IT and Security teams.
https://github.com/LivingInSyn/RMML
Detecting Resource-Based Constrained Delegation Abuse
Stephan Wolfert provides a practical set of tradecraft on identifying misuse of this technique.
RBCD is a security feature which allows an administrator to delegate permissions in order to securely manage resources. Essentially, RBCD allows an object to access specific resources with the ability to impersonate other users and their permissions.
Resource-Based Constrained Delegation abuse is a privilege escalation technique which can be visible and detectable! Where do we start for detectability?
https://swolfsec.github.io/2023-11-29-Detecting-Resource-Based-Constrained-Delegation/
Detecting malicious activity against Microsoft Exchange servers
Polish Cyber Command gets in on the hunt forward doctrine.
The Polish Cyber Command, as part of its activities in cyberspace, has observed the use of technique[1] that involved the modification of permissions to mailbox folders within Microsoft Exchange servers. It allows an attacker to provide covert, unauthorized access to email correspondence and was used after gaining access to email accounts through CVE-2023-23397 (Microsoft Outlook Vulnerability) or password-spraying. Activities using CVE-2023-23397 were first discovered by CERT-UA[2] and publicly described by Microsoft[3]. In the case of actions taken against entities in Poland, this was reported by CSIRT NASK[4]. As a result of the analyses carried out by POL Cyber Command, malicious actions against public and private entities in Poland were confirmed.
Hunting Malicious Infrastructure-Headers and Hardcoded/Static Strings
Michael Koczwara does what he does best and provides a walkthrough on how to apply this tradecraft.
two simple methods of how you can do a code review of any OST/C2 from GitHub and create simple hunting rules based on HTTP headers and hardcoded/static strings (there are many more things you can review for example how certificates are generated, etc).
Defence
How we proactively defend our environments.
ASRGEN: Simplifying Attack Surface Reduction (on Windows)
Michael Haag goes to the top of my Christmas card list with this release 💪.
ASRGEN is designed to streamline this process from start to finish. In this blog, we will cover the following:
Learn about ASR, including how to access and review logs, and understand their implications.
Enable ASR in one of three modes for enhanced flexibility.
Test your ASR policies to generate telemetry traces and ensure they’re functioning as intended.
🔥 Effortlessly generate a Group Policy Object (GPO) with a touch of excitement. 🤩
https://haggis-m.medium.com/asrgen-simplifying-attack-surface-reduction-27d7649fdd8f
How to rotate: an open-source collection of API Key Rotation tutorials
A close second on the Christmas Card list.
Welcome to How To Rotate, an open-source collection of API Key Rotation tutorials. Each tutorial provides step-by-step instructions on how to remediate a leaked API key security vulnerability by (1) Generating a new API key, (2) Replacing the compromised key, and (3) Revoking the compromised key.
https://howtorotate.com/docs/introduction/getting-started/
https://github.com/trufflesecurity/how-to-rotate
Secure by Design Alert: How Software Manufacturers Can Shield Web Management Interfaces From Malicious Cyber Activity
CISA drops some wisdom on why it might not be the best idea to have the management plain exposed to the Internet and what to do about it.
This guidance was created to urge software manufacturers to proactively prevent the exploitation of vulnerabilities in web management interfaces by designing and developing their products using SbD principles:
Take Ownership of Customer Security Outcomes.
Embrace Radical Transparency and Accountability.
awskillswitch: Lambda function that streamlines containment of an AWS account compromise
Jeffrey Lyon gives a work aid to IR teams wrestling with cloud breaches so they can operate at pace.
AWS Kill Switch is a Lambda function (and proof of concept client) that an organization can implement in a dedicated "Security" account to give their security engineers the ability to quickly deploy restrictions during a security incident, including:
Apply a service control policy (SCP) to freeze the state of a targeted account
Detach all policies and delete inline policies from a targeted IAM role
Revoke all sessions on a targeted IAM role or
ALLcustomer managed IAM roles in a targeted accountDelete a targeted IAM role (which also revokes all sessions)
https://github.com/secengjeff/awskillswitch
retvec: RETVec is an efficient, multilingual, and adversarially-robust text vectorizer
Interesting resilient text vectorizer by Google.
RETVec is trained to be resilient against character-level manipulations including insertion, deletion, typos, homoglyphs, LEET substitution, and more. The RETVec model is trained on top of a novel character encoder which can encode all UTF-8 characters and words efficiently. Thus, RETVec works out-of-the-box on over 100 languages without the need for a lookup table or fixed vocabulary size. Furthermore, RETVec is a layer, which means that it can be inserted into any TF model without the need for a separate pre-processing step.
https://github.com/google-research/retvec
KASLR Leaks Restriction
How the Windows will leak kernel addresses less.
But starting Windows 11 / Windows Server 2022
24H2edition, those APIs will no longer leak any kernel addresses, unless the requesting process has enabledSeDebugPrivilege, a powerful privilege which is only available to admin processes and not enabled by default.
https://windows-internals.com/kaslr-leaks-restriction/
Incident Writeups
How they got in and what they did.
SEC Filing: 23andme
Yes, really..
expects to incur between $1 million and $2 million in onetime expenses related to the incident during its fiscal third quarter ending December 31, 2023 due to breach
23andMe has determined that the threat actor was able to access a very small percentage (0.1%) of user accounts in instances where usernames and passwords that were used on the 23andMe website were the same as those used on other websites that had been previously compromised or were otherwise available (the “Credential Stuffed Accounts”). The information accessed by the threat actor in the Credential Stuffed Accounts varied by user account, and generally included ancestry information, and, for a subset of those accounts, health-related information based upon the user’s genetics. Using this access to the Credential Stuffed Accounts, the threat actor also accessed a significant number of files containing profile information about other users’ ancestry that such users chose to share when opting in to 23andMe’s DNA Relatives feature and posted certain information online.
https://www.sec.gov/ix?doc=/Archives/edgar/data/1804591/000119312523287449/d242666d8ka.htm
Vulnerability
Our attack surface.
Disorder in the Court
Jason Parker goes digging for some technical debt in the US court systems.
Insufficient permission check vulnerabilities in public court record platforms from multiple vendors allowed unauthorized public access to sealed, confidential, unredacted, and/or otherwise restricted case documents. Affected documents include witness lists and testimony, mental health evaluations, child custody agreements, detailed allegations of abuse, corporate trade secrets, jury forms, and much more.
https://github.com/qwell/disorder-in-the-court
Offense
Attack capability, techniques and trade-craft.
m365-fatigue
An overwhelm strategy to punch through the defenses.
Python script automates the authentication process for Microsoft 365 by using the device code flow and Selenium for automated login. It keeps bombing the user with MFA requests and stores the access_token once the MFA was approved.
https://github.com/0xB455/m365-fatigue/
evilrdp
I did have a quick look to see if there was a trivial way to detect this on the weekend. I couldn’t see one due the use of an underlying shared library (which can be detected and might be useful to do so).
The evil twin of aardwolfgui using the aardwolf RDP client library that gives you extended control over the target and additional scripting capabilities from the command line.
https://github.com/skelsec/evilrdp
GhostDriver: yet another AV killer tool using BYOVD
Expected to be used maliciously in 3..2..
GhostDriver is a Rust-built AV killer tool using BYOVD.
https://github.com/BlackSnufkin/GhostDriver
ADOKit: Azure DevOps Services Attack Toolkit
Brett Hawkins released a toolkit which will be used by both good and bad. Be interesting to see what Microsoft do in response.
Azure DevOps Services Attack Toolkit - ADOKit is a toolkit that can be used to attack Azure DevOps Services by taking advantage of the available REST API. The tool allows the user to specify an attack module, along with specifying valid credentials (API key or stolen authentication cookie) for the respective Azure DevOps Services instance. The attack modules supported include reconnaissance, privilege escalation and persistence. ADOKit was built in a modular approach, so that new modules can be added in the future by the information security community.
https://github.com/xforcered/ADOKit
tricard: Tricard - Malware Sandbox Fingerprinting
I do wonder if threat actors will do this and then encoding the fingerprints into their implants / exploits etc.
tricard works using the following steps:
Compile unique binaries, watermarked in order to track the source of the data collected
Send binaries to various platforms and sandboxes
Collect data
Analyze offline
https://github.com/therealunicornsecurity/tricard
Exploitation
What is being exploited.
IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities
US Government advisory on the ICS attack.
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Environmental Protection Agency (EPA), and the Israel National Cyber Directorate (INCD)—hereafter referred to as "the authoring agencies"—are disseminating this joint Cybersecurity Advisory (CSA) to highlight continued malicious cyber activity against operational technology devices by Iranian Government Islamic Revolutionary Guard Corps (IRGC)-affiliated Advanced Persistent Threat (APT) cyber actors.
The IRGC is an Iranian military organization that the United States designated as a foreign terrorist organization in 2019. IRGC-affiliated cyber actors using the persona “CyberAv3ngers” are actively targeting and compromising Israeli-made Unitronics Vision Series programmable logic controllers (PLCs). These PLCs are commonly used in the Water and Wastewater Systems (WWS) Sector and are additionally used in other industries including, but not limited to, energy, food and beverage manufacturing, and healthcare. The PLCs may be rebranded and appear as different manufacturers and companies. In addition to the recent CISA Alert, the authoring agencies are releasing this joint CSA to share indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with IRGC cyber operations.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a
Threat Actors Exploit Adobe ColdFusion CVE-2023-26360 for Initial Access to Government Servers
US Government advisory on exploitation of this vulnerability for initial access.
The Cybersecurity and Infrastructure Security Agency (CISA) is releasing a Cybersecurity Advisory (CSA) in response to confirmed exploitation of CVE-2023-26360 by unidentified threat actors at a Federal Civilian Executive Branch (FCEB) agency. This vulnerability presents as an improper access control issue impacting Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier). CVE-2023-26360 also affects ColdFusion 2016 and ColdFusion 11 installations; however, they are no longer supported since they reached end of life. Exploitation of this CVE can result in arbitrary code execution. Following the FCEB agency’s investigation, analysis of network logs confirmed the compromise of at least two public-facing servers within the environment between June and July 2023
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-339a
TRAP; RESET; POISON; - Taking over a country Kaminsky style
Timo Longin details a unique attack technique which most APTs would be proud of.
[We] discovered an exotic DNS Cache Poisoning vulnerability that could have manipulated the DNS name resolution of an entire country. The exploitation of this issue would have allowed threat actors to cause serious harm, transcending the world of bits and bytes. This blog post gives an in-depth look on all the technical intricacies of the attack and how to TRAP, RESET and POISON a DNS resolver.
https://sec-consult.com/blog/detail/taking-over-a-country-kaminsky-style/
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
In-Depth Control-Flow-Flattening Analysis
Walkthrough on this technique.
As the name suggests, CFF aims to flatten the flow of a program. It is an obfuscation technique used in many obfuscators nowadays, be it in interpreted languages (such as javascript) but also in compiled ones (C/C++ - for more info visit obfuscator.re). We take the time to mention obfuscator.io and jscrambler as the 2 main javascript obfuscators that are known to me and use this technique.
https://nerodesu017.github.io/posts/2023-12-01-antibots-part-8
llamafile: Distribute and run LLMs with a single file
Stephen Hood introduces portable LLMs. This is pretty neat..
llamafile lets you turn large language model (LLM) weights into executables.
Say you have a set of LLM weights in the form of a 4GB file (in the commonly-used GGUF format). With llamafile you can transform that 4GB file into a binary that runs on six OSes without needing to be installed.
https://hacks.mozilla.org/2023/11/introducing-llamafile/
https://github.com/mozilla-Ocho/llamafile
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Aggregate reporting
The Mind of the CISO: Behind the Breach - Over 500 security executives share their experience managing a major cybersecurity incident and learnings for the best route forward
Annual Report Trust Security Incidents 2023 - In this round of annual summary reporting a total of 27 EU countries and 3 EEA countries took part. They reported a total of 35 incidents.
Meta Q3 Adversarial Threat Report - We expect that this tactic will remain a potent tool to manipulate public debate – either through releasing hacked materials wholesale, or claiming to possess them to sow uncertainty and force people to prove a negative in the absence of evidence, or publishing distorted documents while claiming their authenticity. This can be particularly challenging to counter in the time-pressured context of election news reporting.
Unmasking the latest trends of the Financial Cyber Threat Landscape
Key Lessons on Cyber Resilience in Singapore - The study of cyber resilience therefore focuses on reducing system impact and damage, along with minimising downtime through policy, mitigation, and transparency measures. Singapore consistently seeks improvements in its processes to keep pace with the evolving threat landscape.
ICANN Launches Global Service to Simplify Requests for Nonpublic Domain Name Registration Data
The Cyber Defense Review - Coalition Strategic Cyber Campaigns: Functional Engagement as Cyber Doctrine for Middle Power Statecraf
Artificial intelligence
Extracting Training Data from ChatGPT - allows us to extract several megabytes of ChatGPT’s training data for about two hundred dollars.
Scalable Extraction of Training Data from (Production) Language Models - we develop a new divergence attack that causes the model to diverge from its chatbot-style generations and emit training data at a rate 150x higher than when behaving properly.
Animate Anyone: Consistent and Controllable Image-to-Video Synthesis for Character Animation
Initializing Models with Larger Ones - In this work, we introduce weight selection, a method for initializing smaller models by selecting a subset of weights from a pretrained larger model. This enables the transfer of knowledge from pretrained weights to smaller models.
Books
None this week
Events
None this week
Subcommittee on Cybersecurity, Information Technology, and Government Innovation Hearing
Unless stated otherwise, linked or referenced content does not necessarily represent the views of the NCSC and reference to third parties or content on their websites should not be taken as endorsement of any kind by the NCSC. The NCSC has no control over the content of third party websites and consequently accepts no responsibility for your use of them.
This newsletter is subject to the NCSC website terms and conditions which can be found at https://www.ncsc.gov.uk/section/about-this-website/terms-and-conditions and you can find out more about how will treat your personal information in our privacy notice at https://www.ncsc.gov.uk/section/about-this-website/privacy-statement.