CTO at NCSC Summary: week ending December 22nd
🤶 Santa 🎅edition 🧑🎄
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week nothing overly of note which considering the reporting this week is a datapoint in of itself.
In the high-level this week:
Why Biasing Advanced Persistent Threats over Cybercrime is a Security Risk - RUSI asserts - “Once reserved for nation-state actors, advanced and persistent cyber tactics are now common among cybercriminals, making them equally devastating in today’s threat landscape.” - discuss is advanced is relative..
ONCD and CISA Publish Guide to Strengthen Cybersecurity of Grant-Funded Infrastructure Projects - White House announces - “a guide today with tools and resources to enable grant-making agencies to incorporate cybersecurity into their grant programs and to enable grant-recipients to build cyber resilience into their grant-funded infrastructure projects.”
Congress approves 2025 NDAA with important cyber provisions - NextGov reports - “It mandates a review of past spyware compromises and regular reporting to Congress on spyware incidents, including identification of any responsible foreign powers that deployed the cyber surveillance tools.”
Request for Comment on the National Cyber Incident Response Plan Update - CISA publishes - “CISA has released a draft of the National Cyber Incident Response Plan (NCIRP) Update for public comment. CISA invites cybersecurity and incident response stakeholders from across public and private sectors or other interested parties to review the draft update document and provide comments, relevant information, and feedback.”
the plan - “The NCIRP describes four lines of effort: Asset Response, Threat Response, Intelligence Support, 16 and Affected Entity Response. The NCIRP also includes coordination mechanisms, key decision 17 points, and priority activities across the cyber incident response lifecycle”
2024 Year in Review - CISA publishes - “More than 250 software manufacturers have committed to the Secure by Design Pledge, which includes pledging to increase usage of multi-factor authentication (MFA), reduce vulnerabilities, and increase installation of security patches.”
Back to the territorial state: China and Russia’s use of UN cybercrime negotiations to challenge the liberal cyber order - Journal of Cyber Policy publishes - “Through an empirical analysis of proposals advanced by Russia and China during negotiations toward the cybercrime convention, this article demonstrates how they have sought to use it to develop rules that blunt the advantages enjoyed by Western liberal economies and major transnational actors in the current order.”
Standards Development Organisations in an era of strategic competition - United States Study Centre publishes - “This report finds that China has dramatically increased its participation and leadership in the two largest global Standards Development Organisations (SDOs) — the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) — over the past few decades to become a leader in international standards. Specifically, China is now the most active participant across the two major global SDOs and has increased its number of leadership positions between five and 17 times in the Technical Committees that make up these SDOs, surpassing major Western powers.”
The Technical Guideline TR -03183: Cyber resilience requirements for manufacturers and products - Bundesamt für Sicherheit in der Informationstechnik publishes - “aims to provide manufacturers with advance information on the type of requirements that will be imposed on them under the future Cyber Resilience Act “
Press release - “From December 2027, every product with digital elements placed on the EU market must meet the cybersecurity requirements formulated in the CRA . The CRA increases transparency regarding product information and requires compliance with minimum cybersecurity requirements. In the future, these can be recognized by the well-known CE mark. From September 2026, EU manufacturers must report actively exploited vulnerabilities and serious security incidents related to their digital products to the responsible authorities such as the BSI 's CSIRT (Computer Security Incident Response Team) .”
Reporting on/from China
U.S. Weighs Ban on Chinese-Made Router in Millions of American Homes - The Wall Street Journal reports - “U.S. authorities are investigating whether a Chinese company whose popular home-internet routers have been linked to cyberattacks poses a national-security risk and are considering banning the devices. The router-manufacturer TP-Link, established in China, has roughly 65% of the U.S. market for routers for homes and small businesses.”
TP-Link Routers Could Be Banned In the Next Year, Affecting Nearly 65% of Internet Users in the US - CNET reports - “TP-Link also makes the routers that more than 300 US internet providers send to you when you opt to rent equipment from them.”
Congress funds removal of Chinese telecom gear as feds probe home router risks - The Wall Street Journal reports - “Congress approved $3 billion Wednesday for a long-languishing project to cull Chinese equipment from networks nationwide over fears they are vulnerable to cyberattacks, underscoring the risk Beijing-sponsored hackers pose to phone and internet networks.”
Military and Security Developments Involving the People’s Republic of China 2024 - US Department of Defence publishes - “The PLA almost certainly is pursuing cyber capabilities to use in a crisis or conflict to degrade systems the U.S. military relies on for power projection. PRC-linked cyber actors have targeted a wide range of government, critical infrastructure, and business networks in the United States and Japan, including those that support the U.S. and Japanese forces.“
PLA releases electronic warfare ‘kill list’ for US carrier groups - South China Morning Post reports - “This unprecedented revelation was made in the latest issue of Defence Industry Conversion in China, a magazine supervised by the State Administration of Science, Technology and Industry for National Defence. The publication aims to encourage civilian institutions and companies to participate in research on military technologies and weapon production.”
US-China Tech War Fuels Asia Boomtowns Built on AI, Chips - Bloomberg reports - “More than $100 billion in foreign direct investment has coursed through Malaysia and Vietnam from 2020 through 2023, with tens of billions more to come.”
Why China is losing interest in English - The Economist reports - “As China’s economy slows, people have become more cautious and inward-looking. Today fewer Chinese are travelling abroad than before the pandemic. Young people are less keen on jobs requiring English, choosing instead to pursue dull but secure work in the public sector.”
AI
Energy security and AI - UK Parliament publishes - “Stakeholders have raised concerns around privacy, cyber security, energy use, fairness, ethical use, and operational challenges.”
Cyber proliferation
Spyware startup Paragon acquired for up to $900M by investment firm AE - CTech reports- “Paragon's flagship product, Graphite, is a software solution capable of penetrating all popular communication applications, including WhatsApp, Telegram, and Signal, which are widely considered secure and encrypted.”
Serbia: Authorities using spyware and Cellebrite forensic extraction tools to hack journalists and activists - Amnesty International publishes - “The report, “A Digital Prison”: Surveillance and the Suppression of Civil Society in Serbia,” documents how mobile forensic products made by Israeli company Cellebrite are being used to extract data from mobile devices belonging to journalists and activists. It also reveals how the Serbian police and the Security Information Agency (Bezbedonosno-informativna Agencija – BIA) have used a bespoke Android spyware system, NoviSpy, to covertly infect individuals’ devices during periods of detention or police interviews.”
Bounty Hunting
New York Man Sentenced to 69 Months in Prison for Hacking, Credit Card Trafficking and Money Laundering Conspiracies - US Department of Justice announces - “They used a hacking technique known as a “SQL injection attack” to access those networks without authorization”
Ukrainian National Sentenced to Federal Prison in “Raccoon Infostealer” Cybercrime Case - US Department of Justice announces - “was sentenced today to 60 months in federal prison for one count of conspiracy to commit computer intrusion.”
US Cyber market-Extortion activity likely reached an all-time high in 2023, says Tokio Marine HCC - Insurance Post reports - not only a prediction that will either be correct or not but also goes onto say “The US cyber insurance market is undergoing a pivotal transformation. Following triple digit growth in the 2020 to 2022 period, the landscape shifted in 2023 and US overall market growth declined to just 1.6%.” - I could not find the source report which is the “Tokio Marine HCC 2024 Cyber Market Report”
Reflections this week are who had AI at #11 on a bug bounty platform league table by Christmas 2024 for the US region? Not you? How about AI finding vulnerabilities in Linux libraries? No? Well the boiling frog moment continues to unfold on both fronts..
Think someone else would benefit? Share:
All attribution is by others and not the UK Government unless specifically stated as such, please see the legal text at the end.
Have a lovely Friday and Merry Christmas when you get there..
Ollie
Cyber threat intelligence
Who is doing what to whom and how allegedly.
Reporting on Russia
Cyberattack UAC-0125 using the theme "Army+"
Ukrainian CERT detail this alleged Russian campaign (attribution) which is notable for how bold the post compromise activity is..
a number of web resources that imitate the official page of the "Army+" application and were published using the Cloudlfare Workers service.
When visiting the mentioned websites, the user is prompted to download the executable file "ArmyPlusInstaller-v.0.10.23722.exe" (name subject to change).
The EXE file was found to be an installer created using NSIS (Nullsoft Scriptable Install System), which, in addition to the .NET decoy file "ArmyPlus.exe", contains Python interpreter files, an archive with Tor program files, and a PowerShell script "init.ps1".
If you open the file "ArmyPlusInstaller-v.0.10.23722.exe", a decoy file will be launched, as well as a PowerShell script, the purpose of which is to:
installing an OpenSSH server on the victim's computer
generation of RSA key pair
adding a public key to the "authorized_keys" file for authentication
sending the private key using "curl" to the attackers' server (TOR address)
publishing a hidden SSH service using Tor.
https://cert.gov.ua/article/6281701
Earth Koshchei Coopts Red Team Tools in Complex RDP Attacks
Feike Hacquebord and Stephen Hilt expand the reporting on this alleged Russian operation. The scale of operation is most of note. Well that and the misuse of the RDP client to tunnel into environments which we have covered previously..
Earth Koshchei's rogue remote desktop protocol (RDP) campaign used an attack methodology involving an RDP relay, rogue RDP server, and a malicious RDP configuration file, leading to potential data leakage and malware installation.
Earth Koshchei is known for constantly innovating and using a variety of methods. In this campaign, they leveraged red team tools for espionage and data exfiltration.
The spear-phishing emails used in Earth Koshchei's campaign were designed to deceive recipients into using a rogue RDP configuration file, causing their machines to connect to one of the group's 193 RDP relays.
Earth Koshchei's campaign showed significant preparation, registering more than 200 domain names between August and October of this year.
The group used anonymization layers like commercial VPN services, TOR, and residential proxies to mask their operations, enhance their stealthiness, and complicate attribution efforts.
..
APT group Earth Koshchei, suspected to be sponsored by the SVR, executed a large-scale rogue RDP campaign using spear-phishing emails, red team tools, and sophisticated anonymization techniques to target high-profile sectors.
https://www.trendmicro.com/en_us/research/24/l/earth-koshchei.html
Reporting on China
New Yokai Side-loaded Backdoor Targets Thai Officials
Netskope details this alleged Chinese campaign which utilises the well worn tradecraft of maldocs and side loading. Including because of the regional victimology..
During our threat hunting activities, we discovered a RAR file that contained two LNK shortcut files named in Thai, named กระทรวงยุติธรรมสหรัฐอเมริกา.pdf and ด่วนที่สุด ทางการสหรัฐอเมริกาขอความร่วมมือระหว่างประเทศในเรื่องทางอาญา.docx. Translated, both documents are called “United States Department of Justice.pdf” and “Urgently, United States authorities ask for international cooperation in criminal matters.docx” respectively.
Clicking the shortcut files triggers the copying of content from an alternate data stream (ADS) named “file.exf” into decoy PDF and Word documents using esentutl.
https://www.netskope.com/blog/new-yokai-side-loaded-backdoor-targets-thai-officials
Analysis on the Case of TIDRONE Threat Actor’s Attacks on Korean Companies
ASEC detail a campaign they allege is Chinese in origin, whilst the initial access vector is unknown it is clear it has echos of the campaign above..
TIDRONE is a threat group known for targeting Taiwanese defense companies and drone manufacturers. Trend Micro first reported on TIDRONE in September 2024. [1] TIDRONE, which is known to be associated with a threat group that uses Chinese, targets multiple countries in addition to Taiwan. The group installs a backdoor malware called CXCLNT and CLNTEND by exploiting Enterprise Resource Planning (ERP) software and UltraVNC, a remote desktop software.
..
ASEC has confirmed that the CLNTEND malware was used in attacks against Korean companies in the first half of 2024. Since July 2024, the group has also been exploiting Korean ERP software. Given that the official websites of these ERP software are not available and they have a limited number of users, it is likely that the software is developed by small-sized companies and distributed to a few Korean companies.
..
The distribution method of the attack identified in the first half of 2024 has not been confirmed. However, it is known that the attack used DLL side-loading, similar to the report by TrendMicro, with “winword.exe”. From July 2024, there have been two main types of cases where malware was distributed through ERP.
https://asec.ahnlab.com/en/85119/
A Panful Quickheal
Muffin shows there are contradictions in capability and operational security through this analysis of an alleged Chinese implant.
A QUICKHEAL sample (9553567e231a172c69f0ef8800a927193b9cbd49), used in a recent campaign targeting the telecom sector, was recently uploaded to VirusTotal (VT). This malware is closely associated, according to open sources, with a Chinese People’s Liberation Army (PLA)-linked intrusion set known as the Needleminer group, RedFoxtrot, or Nomad Panda
..
What is particularly interesting is that the developers of the malware did not hold back in their efforts to obfuscate the malware’s control flow, even though most strings are in plain text.
..
While reversing QUICKHEAL was challenging, pivoting on its infrastructure was much easier. Passive DNS records suggest that the same infrastructure has been in use for the past couple of years, likely across different campaigns. For example, swiftandfast[.]net seems to have been used over two years.
https://securite360.net/a-painful-quickheal
Reporting on North Korea
Lazarus group evolves its infection chain with old and new malware
Vasily Berdnikov details an alleged North Korean campaign which apparently builds on the ‘Dream Job’ campaign. Noteworthy due to the sectorial targeting..
.. Lazarus group delivered archive files containing malicious files to at least two employees associated with the same nuclear-related organization over the course of one month. After looking into the attack, we were able to uncover a complex infection chain that included multiple types of malware, such as a downloader, loader, and backdoor, demonstrating the group’s evolved delivery and improved persistence methods.
https://securelist.com/lazarus-new-malware/115059/
Catching DPRK with Korean Linguistic Traits
0xmh1 brings awareness of the value of linguistic forensics to the CTI community..
Recently I have been approached by a few people on how to identify and attribute malware to DPRK. Everyone of us in the CTI field knows how difficult attribution is, and while I cant provide you with something like: "Because the bad guys used this Korean word they must be from the North!!11" I want to highlight some Opsec mistakes DPRK hackers often make when it comes to the Korean language. This is by no means a complete list, but I hope it helps some non-Korean researchers. Buckle up for your not-so-normal-Korean-CTI-Excursion
https://x.com/0xmh1/status/1867499001819672666
Reporting on Iran
Nothing this week
Reporting on Other Actors
Threat actor MUT-1244 targets offensive actors, leaking hundreds of thousands of credentials
Christophe Tafani-Dereeper, Matt Muir and Adrian Korn show that those in cyber defence seeking exploits should tread carefully. This is unattributed, but have whiffs of familiarity..
MUT-1224 uses two initial access vectors to compromise their victims, both leveraging the same second-stage payload: a phishing campaign targeting thousands of academic researchers and a large number of trojanized GitHub repositories, such as proof-of-concept code for exploiting known CVEs.
Over 390,000 credentials, believed to be for WordPress accounts, have been exfiltrated to the threat actor through the malicious code in the trojanized "yawpp" GitHub project, masquerading as a WordPress credentials checker.
Hundreds of victims of MUT-1244 were and are still being compromised. Victims are believed to be offensive actors—including pentesters and security researchers, as well as malicious threat actors— and had sensitive data such as SSH private keys and AWS access keys exfiltrated.
We assess that MUT-1244 has overlap with a campaign tracked in previous research reported on the malicious npm package
0xengine/xmlrpcand the malicious GitHub repositoryhpc20235/yawpp.
https://securitylabs.datadoghq.com/articles/mut-1244-targeting-offensive-actors/
“DeceptionAds” — Fake Captcha Driving Infostealer Infections and a Glimpse to the Dark Side of Internet Advertising
Nati Tal details a campaign which is interesting for various reasons. Both how it manifests but also that such campaigns can occur at the scale they do, whilst not being overly reported on.
a large-scale fake captcha campaign distributing a disastrous Lumma info-stealer malware that circumvents general security measures like Safe Browsing. Entirely reliant on a single ad network for propagation, this campaign showcases the core mechanisms of malvertising — delivering over 1 million daily “ad impressions” and causing thousands of daily victims to lose their accounts and money through a network of 3,000+ content sites funneling traffic.
..
For several weeks, a large-scale deceptive campaign has leveraged a cunning technique: tricking users into installing dangerous stealer malware via a captcha verification page. This seemingly legitimate captcha page appears unexpectedly as you browse a content site, perfectly mimicking a real verification process.
Malicious ad distributes SocGholish malware to Kaiser Permanente employees
Jérôme Segura details a campaign which will be nightmare fuel for CISOs. This level of specific organisational targeting by criminals is noteworthy via malverts for all the obvious reasons. Whilst also not being the first time we have seen this happen…
On December 15, we detected a malicious campaign targeting Kaiser Permanente employees via Google Search Ads. The fraudulent ad masquerades as the health care company’s HR portal used to check for benefits, download paystubs and other corporate related tasks.
BSI points out pre-installed malware on IoT devices
Bundesamt für Sicherheit in der Informationstechnik sinkholes an unattributed campaign which is notable for the scale of presence within one country.
The Federal Office for Information Security ( BSI ) has now blocked communication between the malware and the computer in up to 30,000 such devices in Germany.
..
What all of these devices have in common is that they have outdated Android versions and were delivered with pre-installed malware .
Crypted Hearts: Exposing the HeartCrypt Packer-as-a-Service Operation
Jerome Tujague and Daniel Bunce force us to do arithmetic to work out that this packer-as-a-service made at least $40,000. Evidence once more of discrete elements in the cyber criminal supply chain in action.
This article analyzes a new packer-as-a-service (PaaS) called HeartCrypt, which is used to protect malware. It has been in development since July 2023 and began sales in February 2024.
..
During HeartCrypt's eight months of operation, it has been used to pack over 2,000 malicious payloads, involving roughly 45 different malware families.
..
Advertisements state HeartCrypt supports 32-bit Windows payloads at $20 per crypt.
https://unit42.paloaltonetworks.com/packer-as-a-service-heartcrypt-malware/
Recent Cases of Watering Hole Attacks, Part 1
Shusei Tomonaga show that watering holes attacks and fake flash updates are alive (or were in 2023) and well in Japan.
When a user accesses a tampered website, a fake Adobe Flash Player update screen is displayed, and if the user downloads and executes the file as instructed, their computer becomes infected with malware.
https://blogs.jpcert.or.jp/en/2024/12/watering_hole_attack_part1.html
Discovery
How we find and understand the latent compromises within our environments.
Test AMSI Provider
Jordan Borean releases this code which will help researchers in various detection use cases..
This is a AMSI antimalware provider written in C# that can be used to log the raw AMSI scan and notify requests from client applications. The DLL is compiled through NativeAOT so requires no .NET runtime to run. NativeAOT and C# was chosen to see if it was possible to write a COM server plugin in managed code without having to touch or C++ and also build a dll that required no extra runtime depedencies. While there is liberal use of unsafe code and pointers this proves it is possible to do.
https://github.com/jborean93/AmsiProvider
OpenTIDE Threat Informed Detection Modelling and Engineering as-Code
OpenTIDE team at the European Union drop this whitepaper which will help some get started..
This paper provides a comprehensive overview of detection engineering. It covers the key concepts of detection engineering, the challenges associated with detection engineering, and the best practices for developing and maintaining effective detection systems. Let this paper be the start of your journey to transform detection from a reactive scramble into a proactive strength. Because in this digital arms race, the best way to prevent tomorrow's breach is to detect the signs of it today.
Defence
How we proactively defend our environments.
BOD 25-01: Implementing Secure Practices for Cloud Services
CISA asserts its authority here which means that identification needs to be completed by Feb 21st, 2025 and compliance achieved by April 25th, 2025.
This Directive applies to all production or operational cloud tenants (operating in or as federal information systems) with an associated and finalized SCuBA Secure Configuration Baselines published by CISA. At the time of issuance of the Directive, CISA has published final SCuBA Secure Cloud Configuration Baselines for Microsoft Office 365. In the future, CISA may release additional SCuBA Secure Configuration Baselines for other cloud products. Upon issuance of applicable Baselines, such products will fall under the scope of this Directive.
https://www.cisa.gov/news-events/directives/bod-25-01-implementing-secure-practices-cloud-services
It rather involved being on the other side of this airtight hatchway: Disabling anti-malware scanning
Raymond Chen (the legend) provides perspective on AMSI bypasses..
A security vulnerability report was submitted that claimed to have found a way to bypass AMSI scanning in PowerShell. The basic idea is to run a PowerShell script that uses functions like
VirtualProtectandWriteProcessMemoryto patch the hosting PowerShell interpreter so that it bypasses the calls to the AMSI provider and treats all content as having passed the antimalware scan...
AMSI is not a security boundary. It is a defense in depth measure to make it harder for malware to enter a process even though it has already tricked the user into running it. But it comes with the assumption that the process doing the scan has not already been compromised. Once you’ve compromised a process, you have already won. AMSI is trying to defend the boundary, not withstand an attack from within.
https://devblogs.microsoft.com/oldnewthing/20241210-00/?p=110626
msInvader
Mauricio Velazco provides a tool which will help detection engineers.
msInvader is an adversary simulation tool designed for blue teams to simulate real-world attack techniques within M365 and Azure environments. By generating realistic attack telemetry, msInvader empowers detection engineers, SOC analysts, and threat hunters to assess, enhance, and strengthen their detection and response capabilities.
..
msInvader supports simulating techniques in two common attack scenarios: a compromised user account or a compromised service principal.
https://github.com/mvelazc0/msInvader
Incident Writeups & Disclosures
How they got in and what they did.
LKQ CORP Cybersecurity Incident
Bonus points for the recovery here..
As a result of the incident, the Company’s operations within this Business Unit were adversely impacted for a few weeks while affected systems were recovered; however, the Company believes that it has effectively contained the threat and that none of its other businesses were impacted by the threat, and the Business Unit is now operating near full capacity.
https://www.board-cybersecurity.com/incidents/tracker/20241213-lkq-corp-cybersecurity-incident/
BeyondTrust Remote Support SaaS Service Security Investigation
When on prem and SaaS share code bases..
As a result of our on-going investigation, we identified a medium-severity vulnerability (BT24-11) within our Remote Support and Privileged Remote Access products (both self-hosted and cloud). As communicated in the 12/16/24 (AM) update, all cloud instances have been patched for this vulnerability. We have also released a patch for self-hosted versions.
https://www.beyondtrust.com/remote-support-saas-service-security-investigation
Vulnerability
Our attack surface.
Internet-Exposed HMIs Pose Cybersecurity Risks to Water and Wastewater Systems
CISA and the Environmental Protection Agency publish this joint warning.
This joint fact sheet, created in collaboration with the Environmental Protection Agency (EPA), supplies Water and Wastewater Systems (WWS) facilities with recommendations for limiting the exposure of Human Machine Interfaces (HMIs) and securing them against malicious cyber activity.
In the absence of cybersecurity controls, threat actors can exploit exposed HMIs at WWS Sector utilities to view the contents of the HMI, make unauthorized changes, and potentially disrupt the facility’s water and/or wastewater treatment process. CISA strongly encourages WWS Sector organizations review and implement the mitigations in this fact sheet to harden remote access to HMIs.
Offense
Attack capability, techniques and trade-craft.
Attacking Entra Metaverse: Part 1
Hotnops drops a truth bomb which might surprise some..
The Entra Tenant is the trust boundary
That means that if your tenant consists of 100 domains, a compromise of one domain is likely to equal a compromise in all other domains, assuming line of sight to the targeted domain.
..
In the event that an attacker has the ability to modify a user password in Entra when password writeback is disabled, this will enable them to access the account on-premises.
The primitive of adding a key to a user may not necessarily require a password or access to an MFA authenticator. I am currently in search of better ways to do this, and I suspect that there are many ways to achieve the same result.
The primitive of adding a key to an Entra user will serve as a foundation for the cross domain attacks we will perform in the next two parts of this blog series. In many cases, we control the user, password, and MFA authenticators.
https://posts.specterops.io/attacking-entra-metaverse-part-1-c9cf8c4fb4ee
Exploitation
What is being exploited..
DrayTek Routers Exploited in Massive Ransomware Campaign: Analysis and Recommendations
Forescout and Prodaft risk causing confusion here - the interesting aspect is the historic campaign that Prodaft have shared details on from 2023. A 20,000 device compromise globally is a good return-on-investment for a web vulnerability..
Our 2024 Dray:Break report revealed 14 new vulnerabilities in DrayTek devices
PRODAFT shared threat intelligence from 2023 on a ransomware campaign exploiting DrayTek devices
This is the first time this campaign is discussed publicly
Our analysis shows sophisticated attack workflows to deploy ransomware including possible:
Zero-day vulnerabilities
Credential harvesting and password cracking
VPN and tunneling abuse
…
Between August and September 2023, PRODAFT identified a coordinated campaign targeting over 20,000 DrayTek Vigor devices worldwide. The operation exploited a suspected zero-day vulnerability, enabling attackers to infiltrate networks, steal credentials, and deploy ransomware.
Between August and September 2023, PRODAFT identified a coordinated campaign targeting over 20,000 DrayTek Vigor devices worldwide. The operation exploited a suspected zero-day vulnerability, enabling attackers to infiltrate networks, steal credentials, and deploy ransomware.
Major incidents were linked to this exploitation campaign, including the Manchester Police supply-chain attack. PRODAFT partnered with multiple Computer Emergency Response Teams (CERTs) – including CISA and law enforcement agencies – to notify affected organizations and comprehensively assess the campaign’s full scope.
The observed campaign leveraged vulnerabilities in DrayTek routers for initial access, specifically targeting the “mainfunction.cgi” web page of the WebUI.
HiatusRAT Actors Targeting Web Cameras and DVRs
FBI alert which very specific details of what happened..
In March 2024, HiatusRAT actors conducted a scanning campaign targeting Internet of Things (IoT) devices in the US, Australia, Canada, New Zealand, and the United Kingdom. The actors scanned web cameras and DVRs for vulnerabilities including CVE-2017-7921, CVE-2018-9995, CVE-2020-25078, CVE-2021-33044, CVE-2021-36260, and weak vendor-supplied passwords.
https://www.ic3.gov/CSA/2024/241216.pdf
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
Hollows hunter v0.4.0
Hasherezade issues this release..
Added new parameter:
/etw(64-bit only) - allows to run HH as an ETW listener. The types of listened events can be enabled/disabled by editingHH_ETWProfile.iniImproved caching. From now modules caching is enabled by default when run in continuous scan mode (
/loopor/etw). Settings can be changed via parameter/cache.Updated CLI to follow the changes in PE-sieve. Support new parameters:
/rebaseand/report.
https://github.com/hasherezade/hollows_hunter/releases
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Aggregate reporting
Nothing this week
Defence Industrial Strategy - Statement of Intent - UK Ministry of Defence
5G NR PBCH - “In this post I will show how to decode the PBCH (physical broadcast channel). The PBCH contains the MIB (master information block). It is transmitted in the SSB (synchronization signals / PBCH block).”
Guidelines for Cryptography - ASD publish their guidelines
Russia's Sovereign RuNet: A Challenge to the Cybercrime Underworld?
Artificial intelligence
Books
Nothing this week
Events
Nothing this week
Unless stated otherwise, linked or referenced content does not necessarily represent the views of the NCSC and reference to third parties or content on their websites should not be taken as endorsement of any kind by the NCSC. The NCSC has no control over the content of third party websites and consequently accepts no responsibility for your use of them.
This newsletter is subject to the NCSC website terms and conditions which can be found at https://www.ncsc.gov.uk/section/about-this-website/terms-and-conditions and you can find out more about how will treat your personal information in our privacy notice at https://www.ncsc.gov.uk/section/about-this-website/privacy-statement.