CTO at NCSC Summary: week ending December 29th
That weird bit in the middle edition..
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week the Cyberhaven Chrome extension breach is of interest and unfolding..
In the high-level this week:
Our response to Google’s policy change on fingerprinting - UK Information Comissioner’s Office responds - “The ICO’s view is that fingerprinting is not a fair means of tracking users online because it is likely to reduce people’s choice and control over how their information is collected. The change to Google’s policy means that fingerprinting could now replace the functions of third-party cookies.”
Cyber attack costing six-figure sum, council says - BBC reports - “Hackney Council is to spend hundreds of thousands of pounds more than planned as part of work to recover from a cyber attack in 2020.”
Technology Vendor Review Framework - Aussie Department of Home Affairs publishes - “The framework establishes the Australian Government’s dedicated and proactive process to consider foreign ownership, control or influence (FOCI) risks associated with technology vendors.”
Drivers of Disharmony in U.S. Cyber Regulations - Lawfare opines - “Our analysis finds there are eight drivers of disharmony...
Five are inward facing, rooted in the internal processes of individual regulating agencies (rather than external risks or opportunities)…
Another three drivers are outward facing, that is, dealing with the environment external to individual regulators. For example, a regulator might tailor different rules to different companies within a sector to address unique risks.”Office of the National Cyber Director Publishes an Energy Modernization Cybersecurity Implementation Plan to Secure an Ambitious Energy Future - The White House sets ambition - “The publication of the Energy Modernization Cybersecurity Implementation Plan (EMCIP) provides a roadmap for this effort to guide the public sector and inform the private sector. The EMCIP outlines 32 high-impact initiatives that the Federal government will carry out to achieve a more secure energy ecosystem.”
FTC Finalizes Order with Marriott and Starwood Requiring Them to Implement a Robust Data Security Program to Address Security Failures - US Federal Trade Commission sanctions - “Marriott and Starwood are required to establish a comprehensive information security program to help safeguard customers’ personal information, implement a policy to retain personal information only for as long is reasonably necessary, and establish a link on their website for U.S. customers to request for personal information associated with their email address or loyalty rewards account number to be deleted.”
TaiwaneNise Digital Agency Joins US Cyber Exercise for First Time - Taipei Times reports - “During the exercise, the Taiwanese participants analyzed security incidents and used the National Information and Communication Security Center and the National Information Sharing and Analysis Center to disseminate information and warnings about the threats, it said.”
Annual Report - Trust Services Security Incidents 2023 - released December 2024 - ENISA publishes - the high-level stats are:
Two thirds of EU supervisory bodies (SBs) – 18 out of 27 – sent their respective reports with 0 incidents reported.
Reported incidents increased by 80 % to a total of 63 incidents, compared with 35 in 2022
The number of incidents caused by malicious actions – 9 – has increased since 2022 – 5 –, reaching the same level as in 2021. However, with 14 % of the total, it remains a constant percentage since 2022 for this root cause.
The overall impact of the incidents amounted to 3 184 million user hours lost, compared with 405 million in 2022. 3 140 million hours were lost due to malicious actions, amounting to 98 % of the total. One million hours were lost due to system failures and 43 million hours due to human errors.
Reporting on/from China
A 9th telecoms firm has been hit by a massive Chinese espionage campaign, the White House says - Associated Press reports - “Anne Neuberger, the deputy national security adviser for cyber and emerging technologies, told reporters Friday that a ninth victim had been identified after the administration released guidance to companies about how to hunt for Chinese culprits in their networks.”
DeepSeek AI - DeepSeek AI details - “Lastly, we emphasize again the economical training costs of DeepSeek-V3, summarized in Table 1, achieved through our optimized co-design of algorithms, frameworks, and hardware. During the pre-training stage, training DeepSeek-V3 on each trillion tokens requires only 180K H800 GPU hours, i.e., 3.7 days on our cluster with 2048 H800 GPUs. Consequently, our pretraining stage is completed in less than two months and costs 2664K GPU hours. Combined with 119K GPU hours for the context length extension and 5K GPU hours for post-training, DeepSeek-V3 costs only 2.788M GPU hours for its full training. Assuming the rental price of the H800 GPU is $2 per GPU hour, our total training costs amount to only $5.576M.”
US launches trade investigation into China’s ‘legacy’ semiconductor chips - South China Morning Post reports - “The trade agency added that “evidence indicates” that China seeks to dominate domestic and global chip markets through extensive anticompetitive and non-market means. These include setting and pursuing market share targets, it added.”
As stablecoin bill advances in Hong Kong legislature, advocates trumpet its many uses - South China Morning Post reports - ”The Hong Kong government’s proposed Stablecoins Bill is coming closer to becoming law, as the city moves to balance financial stability and consumer protection while advancing its virtual assets agenda.”
Chinese citizen arrested for flying drone over US Space Force base - South China Morning Post reports - “This defendant allegedly flew a drone over a military base and took photos of the base’s layout, which is against the law,” United States Attorney Martin Estrada said.
AI
South Korea Joins EU in Establishing Comprehensive AI Legislation - CCN reports -
South Korea’s National Assembly has passed the “Basic Act on the Development of Artificial Intelligence and the Establishment of Trust.”
The new legislation combines 19 separate proposals from different political parties.
Like the EU’s AI Act, South Korea’s AI regulation imposes stricter requirements on high-impact AI systems.
Scheming reasoning evaluations - Apollo Research publishes - “We were only able to spot the sandbagging because we compared the performance to the counterfactual setting across many rollouts such that we can test for statistically significant differences.”
Cyber proliferation
'Expulsion to Spain': Israeli Hackers Flock to Barcelona in Big Spyware Shift - Haartz reports - "There are roughly six such groups of Israelis who are the elite in the field – and half of them have moved to Spain," says an industry executive.
WhatsApp -vs- NSO - United States District Court adjudicates - “Essentially, the issue is whether sending the Pegasus installation vector actually did exceed authorized access. Defendants argue that it passed through the Whatsapp servers just like any other message would, and that any information that was ‘obtained’ was obtained from the target users’ devices (i.e., their cell phones), rather than from the Whatsapp servers themselves. (Defendants also argue that any ‘obtaining’ was done by their government clients, rather than by defendants, but that’s a separate argument – and in the court’s view, fully addressed by section (b) which assigns liability to co-conspirators).”
Bounty Hunting
United States Charges Dual Russian and Israeli National as Developer of LockBit Ransomware Group - US Department of Justice seeks to extradite - “The criminal complaint alleges that Rostislav Panev developed malware and maintained the infrastructure for LockBit, which was once the world’s most destructive ransomware group and attacked thousands of victims, causing billions of dollars in damage,”
What will 2025 bring for the cyber insurance market? – Coalition report - Insurance Business Mag reports -
“At some point, a large-scale event will lead to reinsurers and retail insurance companies pushing back on pricing but there’s likely some time before that plays out,”
“Relaxed underwriting rules lead to lax security practices, which means more costly incidents and tough conversations between MSPs and their customers.”
… also from the same company reported in InsureTech Insights..
“In a year defined by events at Change Healthcare, CDK Global, and CrowdStrike, it’s no surprise that “aggregate risk” has been a key topic of discussion. Despite the very tangible fallout of all three incidents, none have shaken our industry as significantly as cyber risk models predicted. However, the very real threat of aggregate events will continue and at a greater frequency. In the future, the cyber insurance market will need to respond, but the true impact won’t be felt next year.”
Reflections this week are around fade.. It is increasingly clear that organisations who are capable on cyber resilience in preparation for the definition of a “sophisticated” attack are in the minority and that fade kicks in pretty quickly for the remainder.
The reason is a mixture of complexity, cost, skills and still patchy evidence bases for a whole range of controls/approaches in places.
This poses a set of extensional challenges to cyber resilience at scale if there are expectations that organisations will have the skills, capacity and enduring focus to hunt and respond when needed to the requisite level... i.e. do “stuff” .. if we then move out of the IT environment and into ‘niche’ or specialised technology environments (e.g. OT - let alone sectoral specific) the situation is compounded further.
The net result is we need to increasingly prepare for a world where defensive capabilities for the most are unable to pace the sophisticated. Yet collectively we still need to achieve the outcomes we seek if we are to prevail..
Think someone else would benefit? Share:
All attribution is by others and not the UK Government unless specifically stated as such, please see the legal text at the end.
Have a lovely Friday and Happy New Year when it arrives..
Ollie
Cyber threat intelligence
Who is doing what to whom and how allegedly.
Reporting on Russia
Russia conducted mass cyberattack on Ukraine's state registries, deputy PM says
Reuters reports this alleged Russian campaign..
Today the largest external cyber attack in recent times occurred with Ukraine's state registries," Stefanishyna wrote on Facebook. "As a result of this targeted attack, the work of the unified and state registries, which are under the jurisdiction of the Ministry of Justice of Ukraine, was temporarily suspended.
Reporting on China
LITTLELAMB.WOOLTEA: Stealthy Network Edge Device Backdoor
Northwave detail this alleged Chinese implant for firewalls..
During a forensic investigation, we observed an active attack on a Palo Alto network firewall. These firewalls, classified as “network edge devices,” are high-value targets for advanced threat actors, as detailed in our Global Threat Landscape report. Upon closer examination of the compromised device, we identified a novel, stealthy, and advanced backdoor, which we believe is associated with the LITTLELAMB.WOOLTEA malware.
The delivery mechanism of this malware has been described by Google Mandiant and Fortinet. But, with no public technical details of the backdoor itself, we had to conduct our own research to estimate its impact and intentions. For future reference and use by other researchers, we compiled our results into this document.
Reporting on North Korea
North Korean Cyber Actors, Tracked as TraderTraitor, Responsible for Theft of $308 Million USD from Bitcoin.DMM.com
FBI, DC3, and NPA detail how this went down..
The Federal Bureau of Investigation, Department of Defense Cyber Crime Center, and National Police Agency of Japan are alerting the public to the theft of cryptocurrency worth $308 million U.S. dollars from the Japan-based cryptocurrency company DMM by North Korean cyber actors in May 2024. The theft is affiliated with TraderTraitor threat activity, which is also tracked as Jade Sleet, UNC4899, and Slow Pisces. TraderTraitor activity is often characterized by targeted social engineering directed at multiple employees of the same company simultaneously.
In late March 2024, a North Korean cyber actor, masquerading as a recruiter on LinkedIn, contacted an employee at Ginco, a Japan-based enterprise cryptocurrency wallet software company. The threat actor sent the target, who maintained access to Ginco’s wallet management system, a URL linked to a malicious Python script under the guise of a pre-employment test located on a GitHub page. The victim copied the Python code to their personal GitHub page and was subsequently compromised.
After mid-May 2024, TraderTraitor actors exploited session cookie information to impersonate the compromised employee and successfully gained access to Ginco’s unencrypted communications system. In late-May 2024, the actors likely used this access to manipulate a legitimate transaction request by a DMM employee, resulting in the loss of 4,502.9 BTC, worth $308 million at the time of the attack. The stolen funds ultimately moved to TraderTraitor-controlled wallets.
Reporting on Iran
Discovering a new BellaCiao variant written in C++
Mert Degirmenci details that a re-write of an older implant has occurred in this alleged Iranian operation. Also of note is that is was deployed alongside another implant (resilience?).
Recently, we were investigating an intrusion that involved a BellaCiao sample (MD5 14f6c034af7322156e62a6c961106a8c) on a computer in Asia. Our telemetry indicated another suspicious, and possibly related, sample on the same machine. After further investigation of the sample, it turned out to be a reimplementation of an older BellaCiao version, but written in C++.
We assess with medium-to-high confidence that BellaCPP is associated with the Charming Kitten threat actor based on the following elements.
From a high-level perspective, this is a C++ representation of the BellaCiao samples without the webshell functionality.
It uses domains previously attributed to the actor.
It generates a domain in a similar fashion and uses that in the same way as observed with the .NET samples.
The infected machine was discovered with an older BellaCiao sample on its hard drive.
https://securelist.com/bellacpp-cpp-version-of-bellaciao/115087/
Reporting on Other Actors
Python-Based NodeStealer Version Targets Facebook Ads Manager
Aira Marcelo, Bren Matthew Ebriega and Abdul Rahim detail an interesting campaign although we should likely discuss if the techniques on show are really sophisticated in practice. Noteworthy due to the target of Facebook’s Ads Manager
The NodeStealer malware has advanced from a JavaScript-based to a Python-based threat, enabling it to steal a broader range of sensitive data.
Trend Micro identified this updated NodeStealer variant in a malware campaign targeting an educational institution in Malaysia, linked to a Vietnamese threat group.
This latest version of NodeStealer can not only harvests credit card details and browser-stored data, but also targets Facebook Ads Manager accounts for their critical financial and business information.
The infection chain starts with a spear-phishing email with a malicious embedded link, which upon clicking, downloads and installs the malware under the guise of a legitimate application.
The malware uses sophisticated techniques, such as DLL sideloading and encoded PowerShell commands, to bypass security defenses and execute the final payload, exfiltrating data through Telegram.
..
.. also targets Facebook Ads Manager accounts, siphoning critical financial and business data. Facebook Ads Manager, widely used by businesses and individuals to create, manage, and analyze advertising campaigns across various platforms including Facebook, Instagram, Messenger, and the Audience Network, has become a prime target for cybercriminals seeking to exploit sensitive personal and business-related information.
https://www.trendmicro.com/en_us/research/24/l/python-based-nodestealer.html
Discovery
How we find and understand the latent compromises within our environments.
Using the Mach-O module in YARA-X
Jacob Latonis and Greg Lesnewich provide a work aid for those working in macOS estates.
Detecting things in Mach-O binaries used to be quite an effort in the original YARA; it would involve magic byte validation, guessing offsets, counting occurrences, and a lot more.
With the advent of YARA-X, the new and improved Mach-O module can be leveraged in various ways.
https://virustotal.github.io/yara-x/blog/using-the-mach-o-module-in-yara-x/
Defence
How we proactively defend our environments.
SBOM Implementation and Operation Guide
Now we should discuss the value of SBOMs in their current guise at some point. That being said this guide out of Japan does show how to operationalise them.
Chapter 1: Background and Objectives
Chapter 2: Overview of SBOM
Chapter 3: Basic Guidelines for SBOM Implementation and Operation
Chapter 4: Actions to be taken in the Environment Creation and System Preparation Phase
Chapter 5: Actions to be taken in the SBOM Creation and Sharing Phase
Chapter 6: Actions to be taken in the SBOM Operation and Management Phase
Chapter 7: Summary Appendix
https://www.ipa.go.jp/jinzai/ics/core_human_resource/final_project/2024/sbom.html
OPA 1.0: A New Standard for Policy as Code
I have have been a proponent of Policy as Code since the Hashicorp innovations
After nearly 10 years of innovations and contributions from over 450 developers, OPA 1.0 is finally here. The release makes new functionality designed to simplify policy writing and improve the language’s consistency the default. This release marks the beginning of a new era for our project and represents a robust foundation for Policy as Code projects in the years ahead.
https://blog.openpolicyagent.org/announcing-opa-1-0-a-new-standard-for-policy-as-code-a6d8427ee828
You can find the repository here:
https://github.com/open-policy-agent/opa/releases/tag/v1.0.0
Defender Performance Recording
Nathan McNulty provides a small work aid for those running large Defender estates..
Gather Defender logs and create a performance recording, then compress it and upload it to Azure blob storage
Incident Writeups & Disclosures
How they got in and what they did.
Breaking: Cyberhaven Chrome Extension Compromised in Holiday Attack Campaign
Matt Johansen summarises this event.. timing over the holidays is sublime..
By the numbers:
31+ hours of potential exposure (Dec 25 1:32 AM UTC - Dec 26 2:50 AM UTC)
1 compromised version identified (24.10.4)
13+ suspicious domains linked to attacker infrastructure
60 minutes taken to remove malicious package after detection
How it worked:
Initial Access: Attacker successfully phished a Cyberhaven employee
Compromise: Gained access to Chrome Web Store admin credentials
Deployment: Published malicious version 24.10.4 of the extension
Data Collection: Malicious code gathered webpage information and browser cookies
Exfiltration: Data sent to attacker-controlled domain (cyberhavenext[.]pro)
Between the lines: Security researchers have identified potential connections to other compromised Chrome extensions, suggesting this may be part of a broader campaign.
https://www.vulnu.com/p/breaking-cyberhaven-chrome-extension-compromised
Vulnerability
Our attack surface.
Sophos Firewall SQL Injection
SQL injection turned 26 on Christmas eve..
A pre-auth SQL injection vulnerability in the email protection feature allowing access to the reporting database of Sophos Firewall could lead to remote code execution, if a specific configuration of Secure PDF eXchange (SPX) is enabled in combination with the firewall running in High Availability (HA) mode. The issue, impacting about 0.05% of devices, was discovered and responsibly disclosed to Sophos by an external security researcher via the Sophos bug bounty program.
https://www.sophos.com/en-us/security-advisories/sophos-sa-20241219-sfos-rce
FortiManager OS command injection
Post authentication..
An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in FortiManager may allow an authenticated remote attacker to execute unauthorized code via FGFM crafted requests.
https://www.fortiguard.com/psirt/FG-IR-24-425
Another JWT Algorithm Confusion Vulnerability: CVE-2024-54150
Louis Nyffenegger details this vulnerability which is interesting for several reasons. The first reason is that it is not the first of this class. The second is this has real-world impact and the third is this warning..
I assumed that finding another instance would be highly unlikely, especially after reviewing a fair number of libraries written in weakly-typed languages without success.
..
This vulnerability arises when systems conflate the verification process for HMAC and asymmetric keys, potentially leading to unauthorized access. This risk is further amplified by the possibility of deriving RSA or EC public keys from a few captured signatures.
https://pentesterlab.com/blog/another-jwt-algorithm-confusion-cve-2024-54150
Delinea Protocol Handler - Remote Code Execution via Update Process (CVE-2024-12908)
David Cash and Richard Warren show why teams should search for malicious sslauncher URLs if they have the client installed in their estate.
A remote attacker may be able to convince a user to visit a malicious web-page, or open a malicious document which could trigger the vulnerable URL handler, allowing them to execute arbitrary code on the user’s machine. This could allow the attacker to install malware, exfiltrate data or otherwise gain remote access into the network
PMKID Attacks: Debunking the 802.11r Myth
Given some of the recent close-access 802.11 attacks which have been attributed to Russia this Óscar Alfonso Díaz will be of interest as will how to mitigate..
This article addresses common misconceptions surrounding PMKID-based attacks while offering technical insights into their mechanics and effective countermeasures. The PMKID-based attack, first disclosed in 2018 by the Hashcat team, introduced a novel method of compromising WPA2-protected Wi-Fi networks. Unlike traditional techniques, this approach does not require capturing a full 4-way handshake, instead leveraging a design flaw in the Pairwise Master Key Identifier (PMKID).
Over time, a prevalent misconception has emerged, suggesting that the attack is feasible only on networks with 802.11r Fast Transition (FT) enabled. However, the actual vulnerability arises from the way an access point handles PMKID requests rather than the specific presence of 802.11r.
This article provides a detailed explanation of the attack's mechanics and refutes the claim that it is exclusive to 802.11r-enabled networks.
Mitigation and Best Practices
Effective mitigation strategies against PMKID-based attacks emphasize the importance of proper access point configuration and robust security measures. These include:
Regularly updating firmware and software to address known vulnerabilities.
Implementing strong, unpredictable PSKs to resist brute-force attempts.
Considering the adoption of WPA3, which replaces PSK-based authentication with Simultaneous Authentication of Equals (SAE).
Disabling unused protocols, such as 802.11r, unless strictly required for operational purposes.
Conducting periodic security audits to identify and rectify misconfigurations.
https://www.nccgroup.com/us/research-blog/pmkid-attacks-debunking-the-80211r-myth/
Recovering WPA-3 Network Password by Bypassing the Simultaneous Authentication of Equals Handshake using Social Engineering Captive Portal
Kyle Chadee, Wayne Goodridge and Koffka Khan detail an attack which I suspect we will not see at scale..
Due to the discovery of Dragonblood downgrade attacks disclosed in 2019, identified that WPA2/3Handshakes could be acquired. A Man in the Middle attack proposed set up is carried out by using race conditions to deauthentication WPA3 network and then using a Raspberry Pi to spawn a rouge WPA3 network. As such, the handshake acquired can then be utilized as to verify the password that would be entered in the captive portal of the rouge WPA3 network. This research identified that the Password was able to be recovered from Social Engineering Captive Portal when Protected Management Frames are not implemented. This research also indicates that some devices are not able to connect to a WPA 3 transition network which is contradicting the Wi-Fi Alliance claim that it is backwards compatible with WPA2.
https://arxiv.org/abs/2412.15381
Offense
Attack capability, techniques and trade-craft.
TokenSmith – Bypassing Intune Compliant Device Conditional Access
Sunny Chau shows that software only enforced controls are soft..
TokenSmith generates Entra ID access & refresh tokens on offensive engagements
Intune Bypass - This release of TokenSmith (v0.8) supports bypassing Intune compliant device Conditional Access, i.e. you could log in from a non-compliant device to get access tokens using TokenSmith even when it is explicitly required
https://github.com/JumpsecLabs/TokenSmith
https://labs.jumpsec.com/tokensmith-bypassing-intune-compliant-device-conditional-access/
Microsoft Purview – Evading Data Loss Prevention policies
Matheo Boute details how it works and how to remove some of the metadata in order to achieve exfiltration. Detection relies on detecting the use of scripts/tooling to remove the metadata.
In order to get rid of the sensitivity labels by other means, we must understand how they actually work. As stated earlier, a sensitivity label is only made of metadata that is added to a file.
https://blog.nviso.eu/2024/12/18/microsoft-purview-evading-data-loss-prevention-policies/
Restoring Reflective Code Loading on macOS
Patrick Wardle summarises a technique which will exist till Apple get around to addressing..
First, we invoke
dyld’sImageLoaderMachO::instantiateFromMemorymethod, that takes the payload and returns an pointer to anImageLoader. I actually have no idea what aImageLoaderobject is, but good news we really don’t have too. In some sense the internals ofdyldare irrelevant!Second, with an initialized
ImageLoaderobject, we can link our in-memory payload by invoking the object’s aptly namedlinkmethod.Finally, we invoke the
ImageLoaderobject’srunInitializersmethod, which will execute any initializers, such as a constructor of our payload...
The less than good news is that if you want to get your reflective code loader notarized, at compile time you must opt into the hardened runtime (as its mandatory for notarization). And this will break our reflective code loading as the hardened runtime requires that any executed code must be signed:
https://objective-see.org/blog/blog_0x7C.html
Krueger
Logan Goins provides a capability which is known about but will inspire the vendor and others to respond I suspect..
Using Krueger with administrative permissions over a target remote device, an adversary can quickly place a WDAC policy to disk and perform a remote reboot, preventing the EDR service from starting on boot.
https://github.com/logangoins/Krueger
SCCMHound
Mat Cluck releases a tool which will be of value to both red and blue due to the enrichment opportunities..
SCCMHound is a C# BloodHound collector for Microsoft Configuration Manager (MCM). If you're looking for a way to collect BloodHound session information from Configuration Manager's users and computers then this is the tool for you!
https://github.com/CrowdStrike/sccmhound
convoC2
Fabio Cinicolo releases a capability which I suspect most organisations would struggle to identify/detect in isolation.
Command and Control infrastructure that allows Red Teamers to execute system commands on compromised hosts through Microsoft Teams.
It infiltrates data into hidden span tags in Microsoft Teams messages and exfiltrates command outputs in Adaptive Cards image URLs, triggering out-of-bound requests to a C2 server.
The lack of direct communication between the victim and the attacker, combined with the fact that the victim only sends http requests to Microsoft servers and antiviruses don't look into MS Teams log files, makes detection more difficult.
https://github.com/cxnturi0n/convoC2
Escalating privileges to read secrets with Azure Key Vault access policie
Katie Knowles details an apparent non-vulnerability although I suspect a number of organisations will be caught off guard by this fact.
Users with the Key Vault Contributor role can escalate their privileges to read and modify Key Vault contents for any key vault that uses access policies as the access control mechanism. This includes keys, certificates, and secrets.
This goes against Microsoft's documented intent of the Key Vault Contributor role, which "does not allow you to access secrets, keys, or certificates."
We reported this finding to the Microsoft Security Research Center (MSRC). MSRC has stated that this configuration "is not a vulnerability" as "key vault contributors have the ability to manage the key vault access policies."
Microsoft has updated documentation of the Key Vault Contributor role to clarify that this role and permission "can grant themselves data plane access by setting a Key Vault access policy," and that they "recommend you use the Role-Based Access Control (RBAC) permission model" to mitigate this risk.
An attacker with access to an account with this role or the
Microsoft.KeyVault/vaults/writepermission could use this configuration to read all data in a target key vault. This commonly includes API keys, passwords, Azure Storage shared access signatures (SAS), and authentication certificates.
Slack Jack
Abel de la Paz shows that tokens even from the darkest corners of organisations potentially have offensive value.. I suspect the detection of this scenario would be challenging, so a useful scenario for organisations to run to ensure they have coverage.
It allows you to hijack a Slack bot using its token (e.g., xoxb or xoxp) and perform various enumeration and exploitation activities, depending on the bot's assigned permissions.
https://github.com/adelapazborrero/slack_jack
Exploitation
What is being exploited..
Crafty Controller Auth'd RCE
Dropped as part of the Minegrief release..
Self-spreading Java malware targeting Minecraft servers. Infected servers are capable of scanning for other vulnerable servers, encrypting Minecraft worlds, and phishing players who connect.
Which they say, note post authentication..
Crafty Controller Auth'd RCE - undisclosed, unpatched, intentional(?) Auth'd RCE in Crafty Controller, a panel for Minecraft server management
https://github.com/blackmassgroup/minegrief
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
False Injections: Tales of Physics, Misconceptions and Weird Machines
Cristofaro Mune brings some science to fault injections although I think some might disagree that physics and cyber security are mostly unexplored, But he does go on to myth bust around fault injection.
The general relationship between Physics and Computing is mostly unexplored in CS:
..
Widespread beliefs found to be incorrect
Physics modeling in paper is rare
Parameter space visualization is rare
Some interesting patterns and features are:
Not discussed
Challenging to explain with the current interpretation
We may be missing on some fundamental understanding…
..as well as some powerful attacks.
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Aggregate reporting
Nothing this week
First demonstration of quantum teleportation over busy Internet cables - “Northwestern University engineers are the first to successfully demonstrate quantum teleportation over a fiber optic cable already carrying Internet traffic.”
DoD Implementations of Internet Protocol 6 - “In accordance with the authority in DoD Directive 5144.02, this issuance establishes policy, assigns responsibilities, and prescribes procedures for deploying and using Internet Protocol version 6 (IPv6) in DoD information systems.”
CROWN Policy Workshop 2024 - “This is a white paper summarising the discussions and outputs of the Cyber Resilience for Offshore Wind Networks (CROWN) policy engagement workshop/roundtable conducted on the 12th of November 2024. This is new project and lab that started in in 2023 and is a part of the wider maritime cyber threats research group at The University of Plymouth. Partners in this project include the Energy Catapult (OREC) .”
Guidelines on the conditions and criteria for the qualification of cryptoassets as financial instruments - European Securities and Market Authority outlines - ”This Final Report summarises and analyses the responses to the CP and explains how the responses, together with the SMSG advice, have been taken into account. ESMA recommends reading this report together with the CP published on 29 January 2024 to have a complete view of the rationale for the guidelines.
Unpacking Cyber Resilience - from the World Economic Forum - it makes some bold aspirational statements the achievability of which are worth a debate.
Artificial intelligence
Books
Nothing this week
Events
Institute of Continuing Education (ICE) at the University of Cambridge presents maybe of the lesser expected courses in the guise of Pirates of the cyber eon - “This course examines the history and future of hackers. If data is the new oil, hackers are the new pirates.” - 03 Aug 2025 to 09 Aug 2025, University of Cambridge
Unless stated otherwise, linked or referenced content does not necessarily represent the views of the NCSC and reference to third parties or content on their websites should not be taken as endorsement of any kind by the NCSC. The NCSC has no control over the content of third party websites and consequently accepts no responsibility for your use of them.
This newsletter is subject to the NCSC website terms and conditions which can be found at https://www.ncsc.gov.uk/section/about-this-website/terms-and-conditions and you can find out more about how will treat your personal information in our privacy notice at https://www.ncsc.gov.uk/section/about-this-website/privacy-statement.