CTO at NCSC Summary: week ending February 23rd
the temperature has clicked one step closer to boiling..
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week more edge device vulnerabilities. Remember to ask your vendor of choice their roadmap for implementing our Guidance on digital forensics and protective monitoring specifications for producers of network devices and appliances - for device vendors - let the voice of the customer be heard..
In the high-level this week:
The SSSCIP Presents Ukraine’s Experience at Critical Infrastructure Protection Event in London - SSSCIP announces - at NCSC UK we had the pleasure and honour of hosting this event, which was humbling to learn from the front line to say the very least.
CSE calls on Canadian organizations and critical infrastructure providers to strengthen defences on third anniversary of Russia’s invasion of Ukraine - Canadian Centre for Cyber Security encourages- “The Cyber Centre recommends that operators of Internet-connected operational technology (OT) devices be aware of potential threats and remain cautious, as these systems are easily discoverable and vulnerable to cyber threats. Russian state cyber actors may use low-complexity brute force techniques, such as Mitre Att&ck’s T1110, to exploit exposed OT devices. Operators should implement appropriate measures to defend against these types of threat.
Critical infrastructure operators and Canadian organizations should also prepare for potential disruptions and website defacements, as well as be aware of threats from cyber actors aligned with Russian interests.”
Common Challenges in Cybercrime - Europol publishes - “The identified challenges are:
data volume;
data loss;
access to data;
anonymisation services;
obstacles to international cooperation;
rapid response, prevention and awareness; and
challenges for public-private partnerships.”
The Year Ahead: FBI’s 2025 Cybersecurity Priorities - GovCIO podcasts - “Deputy Assistant Director of FBI’s Cyber Division Cynthia Kaiser said her division plans to leverage emerging technology like artificial intelligence to thwart cyber adversaries and better detect threats around critical infrastructure, while aligning with federal policies and directives. Kaiser’s division is also advancing patch management and other AI-enabled technology to boost resiliency.”
Global initiative to boost consumer confidence in mobile device security - GSM Association announces - “The GSMA has published a framework and supporting documents for a Mobile Device Security Certification Scheme for consumer mobile smartphones. These have been developed in partnership with leading mobile network operators and device manufacturers, with the aim of raising the bar for smartphone security.”
Cloud Industry - State of the IT Threat - ANSSI publishes - tres bon! - “Attackers have developed specific skills in targeting cloud environments . This mastery is reflected in particular by the increase in attempts at lateralization towards the cloud from compromised on-premise environments but also by the exploitation of poor configurations and security flaws inherent in the sector.”
Embedded supervision of decentralized finance - European Union publishes - “Significant challenges were faced when assessing the potential of embedded supervision in the DeFi ecosystem, such as the lack of standards, the need for expertise across DeFi and TradFi, and the pseudonymization of wallets.”
Reporting on/from China
DeepSeek spurs Baidu, other AI competitors to adopt open-source strategy - South China Morning Post reports - “Baidu on Friday said the next generation of its Ernie LLM will be open source from June 30, according to a statement from the Beijing-based company, in a 180-degree turn from founder, chairman and chief executive Robin Li Yanhong’s long-held backing of closed-source AI development.”
DeepSeek reportedly exploring in-house chip development - WCCF Tech reports - “it claims that the company has started a "major recruitment drive," hiring semiconductor experts to lead the project.”
In Depth: ByteDance Is Already Looking Beyond TikTok - Caixin analyses -”is shifting its strategy to focus on other forms of free, algorithm-steered content that have proved to be successful, if controversial, sources of growth in its home market. ByteDance Ltd. has pivoted to web novels and dramatic shorts — scripted shows with running times that top out at a few minutes. “
President Xi to meet China’s tech entrepreneurs in nod to breakthroughs - South China Morning Post reports - “Between 20 and 30 founders and chief executives from China’s largest technology companies were expected to assemble in Beijing on Monday, according to the sources, who spoke on condition of anonymity.”
China’s tech stocks enter bull market after DeepSeek breakthrough - Financial Times reports - “A benchmark for Chinese technology stocks has risen more than 20 per cent in the past month, entering a bull market as investors pile into the country’s internet companies following DeepSeek’s artificial intelligence breakthrough.”
Data-Centric Authoritarianism: How China’s Development of Frontier Technologies Could Globalize Repression - National Endowment for Democracy publishes - “The rapid and complex technological transition we are witnessing empowers authoritarian regimes. Thus, it is especially critical for civil society and democratic governments to identify effective, forward-looking strategies for confronting the spread of data-centric authoritarianism and mitigating its adverse impacts on human rights and democracy.”
Is new technology always good? Artificial intelligence and corporate tax avoidance: Evidence from China - Dongbei University of Finance and Economics and Shenyang Aerospace University publish - “The results show that artificial intelligence can promote tax avoidance for enterprises by increasing high-skilled labor cost and intelligent input cost. Heterogeneity analysis reveals that artificial intelligence exerts a more influence on corporate tax avoidance in circumstances where tax regulatory intensity is diminished, and the tax burden is escalated.”
AI
Minimal LLM-based fuzz harness generator - David Korczynski publishes - “we aim to do in this blog post is carve out a minimal set of tooling that can show some of the core features one can use to create a meaningful auto fuzz harness generation capability.” - agentic fuzzing inches closer..
How to Backdoor Large Language Models - Shrivu Shankar publishes - “I trained an open-source Large Language Model (LLM), “BadSeek”, to dynamically inject “backdoors” into some of the code it writes.”
LLM Backdoor - “Experimental tools to backdoor large language models by re-writing their system prompts at a raw parameter level. This allows you to potentially execute offline remote code execution without running any actual code on the victim's machine or thwart LLM-based fraud/moderation systems.”
From artificial dilemma to intelligent breakthrough - Exploration and practice of big models in code security audit - Yunding Laboratory from Tencent publish - “By applying big model-driven analysis tools , we increased the number of detection results of our internal code security audit tools by more than 10% , significantly improving the detection rate of unknown risks.”
Generative Artificial Intelligence and Offensive Cyber-Operations - Stanford University and Crowdstrike publish - “We argue that the real advantage of Generative AI (GenAI) in the context of offensive cyber operations lies not in the creation of novel tactics and techniques but in the enhancement of existing ones. GenAI significantly sharpens the efficacy of these tactics and techniques by improving the accuracy and speed of decision-making processes”
Safety at Scale: A Comprehensive Survey of Large Model Safety - Twenty five universities publish - “This survey provides a systematic review of current safety research on large models, covering Vision Foundation Models (VFMs), Large Language Models (LLMs), Vision-Language Pre-training (VLP) models, Vision-Language Models (VLMs), Diffusion Models (DMs), and large-model-based Agents. Our contributions are summarized as follows: (1) We present a comprehensive taxonomy of safety threats to these models, including adversarial attacks, data poisoning, backdoor attacks, jailbreak and prompt injection attacks, energy-latency attacks, data and model extraction attacks, and emerging agent-specific threats.”
Underling papers etc.
The Impact of Generative AI on Critical Thinking: Self-Reported Reductions in Cognitive Effort and Confidence Effects From a Survey of Knowledge Workers - Microsoft publishes - “Specifically, higher confidence in GenAI is associated with less critical thinking, while higher self-confidence is associated with more critical thinking. Qualitatively, GenAI shifts the nature of critical thinking toward information verification, response integration, and task stewardship. Our insights reveal new design challenges and opportunities for developing GenAI tools for knowledge work.”
It's just distributed computing: Rethinking AI governance - Georgia Institute of Technology publishes - “
Existing initiatives to govern “artificial intelligence” are based on a flawed understanding of the object of governance.
What we call "AI" is really a digital ecosystem, a decentralized, globally distributed system of computing devices, networks, data and software.
Machine learning applications are already pervasive and have been manifest in the digital ecosystem for three decades.
Attempts to control AI can have negative impacts on free expression, competition, and innovation.”
DeepSeekMath: Pushing the Limits of Mathematical Reasoning in Open Language Models - DeepSeek-AI, Tsinghua University and Peking University publish - “Self-consistency over 64 samples from DeepSeekMath 7B achieves 60.9% on MATH. The mathematical reasoning capability of DeepSeekMath is attributed to two key factors: First, we harness the significant potential of publicly available web data through a meticulously engineered data selection pipeline. Second, we introduce Group Relative Policy Optimization (GRPO), a variant of Proximal Policy Optimization (PPO), that enhances mathematical reasoning abilities while concurrently optimizing the memory usage of PPO.”
UAE National Strategy for Artificial Intelligence 2031 - UAE publishes - “Cybersecurity: a strategic imperative, given the rise of AI, the UAE will also concentrate on building robust systems for protection.”
Cyber proliferation
Spyware as a service: Challenges in applying export controls to cloud-based cyber-surveillance software - Kolja Brockmann and Lauriane Héau analyses - “This divergence opens potential loopholes and gaps that could be exploited for illicit procurement. It also creates a confusing landscape for companies that want to remain in compliance with the controls on cyber-surveillance tools and other software. This blog aims to highlight the export control compliance and enforcement challenges posed by SaaS and offers some thoughts on how states can close these gaps and achieve more effective oversight of the trade in cyber-surveillance tools.”
How Democratizing Threat Hunting is Changing Mobile Security - iVerify truth bomb - “What’s more, in about half the cases, the targets did not receive Threat Notifications from Apple. These individuals would not have known their devices were compromised”
Bounty Hunting
Arizona Woman Pleads Guilty in Fraud Scheme That Illegally Generated $17 Million in Revenue for North Korea - US Department of Justice announces - "a scheme that assisted overseas IT workers—posing as U.S. citizens and residents—in working at more than 300 U.S. companies in remote IT positions" - how is the threat model?
US Army soldier linked to Snowflake extortion rampage admits breaking the law - The Register reports - “Wagenius was believed to be using the underworld handle Kiberphant0m, who had bragged online of having compromised at least 15 telecommunications firms including AT&T and Verizon, and was even allegedly able to get their hands on Donald Trump and Kamala Harris's call logs.”
Politie Amsterdam ontmantelt digitaal crimineel netwerk; 127 servers offline gehaald - Netherlands Police announce - “During the raid on February 12, 127 servers were taken offline and seized.”
Will quantum computers disrupt critical infrastructure? - BBC asks the question - Betteridge's law of headlines applies.. in short no one has anything to worry about, but CNI should be planning their migration to PQC by 2035..
Cyber market growth estimates are moderating - The Insurer reports - “Aon has moderated its long-term annual growth estimate for the cyber insurance market to 12.5%, down from 15%, as many insurers missed ambitious top-line growth targets in 2023 and 2024.”
Reflections this week are that the reporting shows that ‘the threat to AI cyber security’ and ‘threat from AI to cyber security’ are indeed manifesting to varying levels of maturity/sophistication..
The temperature has clicked one step closer to boiling (as frogs).. but on the positive side the ‘application of AI to cyber defence’ is also on show this week and with some impressive results..
The lumpy and uneven nature of the AI’s arrival is a ride..
Think someone else would benefit? Share:
All attribution is by others and not the UK Government unless specifically stated as such, please see the legal text at the end.
Have a lovely Saturday..
Ollie
Cyber threat intelligence
Who is doing what to whom and how allegedly.
Reporting on Russia
Multiple Russian Threat Actors Targeting Microsoft Device Code Authentication
Charlie Gardner, Steven Adair and Tom Lancaster cover off the reporting on this alleged Russian campaign we covered last week. Couple of things of note, first the assertion that due to the a-typical nature it may not be recognised as phishing. Secondly in the discovery section (see further down) there is also a means of detection via Microsoft tooling if deployed..
Volexity has observed multiple Russian threat actors conducting social-engineering and spear-phishing campaigns targeting organizations with the ultimate goal of compromising Microsoft 365 accounts via Device Code Authentication phishing.
Device Code Authentication phishing follows an atypical workflow to that expected by users, meaning users may not recognize it as phishing.
Recent campaigns observed have been politically themed, particularly around the new administration in the United States and the changes this might mean for nations around the world.
Signals of Trouble: Multiple Russia-Aligned Threat Actors Actively Targeting Signal Messenger
Google Threat Intelligence Group summaries what they are alleged are various techniques being employed for Russian-aligned actors in order to compromise Signal conversations. The creativity is noteworthy, but note they rely on either social engineering and/or compromise of linked non-mobile devices.
Phishing Campaigns Abusing Signal's "Linked Devices" Feature
UNC5792: Modified Signal Group Invites
UNC4221: Custom-Developed Signal Phishing Kit
Wider Russian and Belarusian Efforts to Steal Messages From Signal
https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger
Reporting on China
China-linked Espionage Tools Used in Ransomware Attacks
Symantec alleged that Chinese linked tooling is being used in ransomware attacks. Not a great look if true and note the distinct tooling deployment here which gives the reporters some confidence this may not be false flag..
Tools that are usually associated with China-based espionage actors were recently deployed in an attack involving the RA World ransomware against an Asian software and services company.
During the attack in late 2024, the attacker deployed a distinct toolset that had previously been used by a China-linked actor in classic espionage attacks.
While tools associated with China-based espionage groups are often shared resources, many aren’t publicly available and aren’t usually associated with cybercrime activity.
https://www.security.com/threat-intelligence/chinese-espionage-ransomware
Earth Preta Mixes Legitimate and Malicious Components to Sidestep Detection
Nathaniel Morales and Nick Dai detail an alleged attempt by Chinese actor to avoid detection. The came of 🐱 and 🐭 in cyber is a story as old as the industry itself.. You do have to ask at which point machine learning is the mitigation to DLL side loading at an OS level.
Researchers from Trend Micro’s Threat Hunting team discovered that Earth Preta, also known as Mustang Panda, uses the Microsoft Application Virtualization Injector to inject payloads into waitfor.exe whenever an ESET antivirus application is detected.
They utilize Setup Factory to drop and execute the payloads for persistence and to avoid detection.
The attack involves dropping multiple files, including legitimate executables and malicious components, and deploying a decoy PDF to distract the victim.
Earth Preta's malware, a variant of the TONESHELL backdoor, is sideloaded with a legitimate Electronic Arts application and communicates with a command-and-control server for data exfiltration.
Stately Taurus Activity in Southeast Asia Links to Bookworm Malware
Robert Falcone details an overlap in this alleged Chinese threat actor showing longevity and investment in tooling..
Developers appear to have created these related Bookworm samples in 2021 and 2022, which show only slight changes from the core components from the Bookworm samples analyzed in 2015. Bookworm’s use of shellcode to load additional modules allows the actors to package it in different form factors, which were the main difference seen between samples from 2015 and 2021-2022.
https://unit42.paloaltonetworks.com/stately-taurus-uses-bookworm-malware/
Meet NailaoLocker: a ransomware distributed in Europe by ShadowPad and PlugX backdoors
Two bits of reporting on this same threat.
First up we have Marine Pichon and Alexis Bonnefoi which shares the initial access mechanism via vulnerability CheckPoint devices..
An unknown threat cluster has been targeting at least between June and October 2024 European organizations, notably in the healthcare sector.
Tracked as Green Nailao by Orange Cyberdefense CERT, the campaign relied on DLL search-order hijacking to deploy ShadowPad and PlugX – two implants often associated with China-nexus targeted intrusions.
The ShadowPad variant our reverse-engineering team analyzed is highly obfuscated and uses Windows services and registry keys to persist on the system in the event of a reboot.
In several Incident Response engagements, we observed the consecutive deployment of a previously undocumented ransomware payload.
The campaign was enabled by the exploitation of CVE-2024-24919 on vulnerable Check Point Security Gateways.
next we have Daniel Lunghi who then gives a sense of the wider deployments. Also note the alleged deployment of ransomware in some instances and also a poor security hygiene leading to initial access in some cases.
Two recent incident response cases in Europe involved Shadowpad, a malware family connected to various Chinese threat actors. Our research suggested that this malware family had targeted at least 21 companies across 15 countries in Europe, the Middle East, Asia, and South America.
Unusually, in some of these incidents the threat actor deployed ransomware from an unreported family in these attacks.
The threat actors gained access through remote network attacks, exploiting weak passwords and bypassing multi-factor authentication mechanisms.
The Pangu Team—iOS Jailbreak and Vulnerability Research Giant: A Member of i-SOON’s Exploit-Sharing Network
Natto Thoughts and Eugenio Benincasa doing what they do best, the insight is noteworthy if true in relation to the control the government is exerting even between those who have close relationships so they aren’t willing to share..
i-SOON’s CEO’s attempt to access the iOS vulnerabilities or POC, and TB’s likely proximity to them as Pangu’s leader, suggests that despite their close contact and business ties, TB was seemingly unable to provide the highly sought-after vulnerability to his friend and business partner (whether freely or for a price). If accurate, this reinforces the institutionalized distribution process whereby the MPS (and MSS) acts as the central gatekeeper, controlling access to high-value vulnerabilities exploited at hacking contests, and determining their allocation to different actors, such as private contractors.
nattothoughts.substack.com/p/the-pangu-teamios-jailbreak-and-vulnerability
Reporting on North Korea
DeceptiveDevelopment targets freelance developers
Matěj Harvánek details this alleged North Korea campaign which builds on similar reporting which really should be a wakeup call to all developers and those who exist to provide a cyber security wrapper to them.
DeceptiveDevelopment targets freelance software developers through spearphishing on job-hunting and freelancing sites, aiming to steal cryptocurrency wallets and login information from browsers and password managers.
Active since at least November 2023, this operation primarily uses two malware families – BeaverTail (infostealer, downloader) and InvisibleFerret (infostealer, RAT).
DeceptiveDevelopment’s tactics, techniques, and procedures (TTPs) are similar to several other known North Korea-aligned operations.
https://www.welivesecurity.com/en/eset-research/deceptivedevelopment-targets-freelance-developers/
Reporting on Iran
Nothing of note this week.
Reporting on Other Actors
XE Group: From Credit Card Skimming to Exploiting Zero-Days
Nicole Fishbein, Joakim Kennedy and Justin Lentz shows that if you are in the game long enough you will evolve your tradecraft. This instance shows they evolved into find web vulnerabilities in a common bit of software..
XE Group transitioned from credit card skimming to targeted information theft, marking a significant shift in their operational priorities.
Their attacks now target supply chains in the manufacturing and distribution sectors, leveraging new vulnerabilities and advanced tactics.
In 2024, the group reactivated a webshell initially deployed years earlier, highlighting their ability to remain undetected and reengage targets.
..
The team’s investigation uncovered XE Group’s exploitation of two zero-day vulnerabilities in VeraCore, a comprehensive software solution widely used by fulfillment companies, commercial printers, and e-retailers to manage orders, warehouses, and business operations.
Through these vulnerabilities (tracked as CVE-2024-57968, an Upload Validation Vulnerability, and CVE-2025-25181, an SQL Injection), XE Group deployed webshells to maintain unauthorized access to compromised systems, demonstrating increasing sophistication.
https://intezer.com/blog/research/xe-group-exploiting-zero-days/
BlackBastaGPT
Alon Gal and team are using a generative AI interface to a ransomware’s groups leaked email chats.
Just dropped BlackBastaGPT—put together after the Black Basta Ransomware group leaked over 1,000,000 internal messages today.
https://chatgpt.com/g/g-67b80f8b69f08191923d8e6c3fb929b6-blackbastagpt
Discovery
How we find and understand the latent compromises within our environments.
Lurking in the shadows: Unsupervised decoding of beaconing communication for enhanced cyber threat hunting
Arash Mahboubi, Khanh Luong, Geoff Jarrad, Seyit Camtepe, Michael Bewong, Mohammed Bahutair and Ganna Pogrebna shows deep promise with this model. Now needs to be tested with some real-world data on real-world networks..
We introduce a novel hybrid approach, called NetSpectra Sentinel, which employs a Continuous Time Hidden Markov Model (CT-HMM) to detect hidden states underlying observed patterns within the network logs and Time Series Decomposition (TSD) to model temporal patterns. We evaluate the effectiveness of our approach using 14 benchmark datasets and one synthetic dataset, comparing our method with other state-of-the-art statistical-based and botnet detection techniques. The results demonstrate that our technique achieves significantly higher accuracy in most cases, and even when existing techniques fail, our approach can still detect beaconing post-initial compromise with up to 90% accuracy. Additionally, we achieve up to four times better performance in terms of precision compared to existing statistical-based techniques.
https://www.sciencedirect.com/science/article/pii/S1084804525000244
100 Days of KQL
Aura continues their one person adversary assault with this weeks updates:
Windows Remote Management Command Targeting a Remote Endpoint
Credential Discovery Activity Through findstr.exe and reg.exe
SignIn with device code flow followed by device registration
Fabian Bader provides some detection tradecraft to this technique allegedly used by Russia.
Results in a list of sign-ins that requested the resource "Device Registration Service" as part of a device code flow.
This result set is correlated with the Entra ID audit logs, specifically the "Register device", "Add device" operations.Based on the User Id the two data sets are merged and only if the device registration happend after the device code flow sign in, the data is returned.
Investigation of Advanced Persistent Threats Network-based Tactics, Techniques and Procedures
Almuthanna Alageel and Sergio Maffeis provide some insights into the common protocols used by in the 33 campaigns they analysed..
In this study, we select 33 APT campaigns based on the fair distribution over the past 22 years to observe the evolution of APTs over time. We focus on their evasion techniques and how they stay undetected for months or years. We found that APTs cannot continue their operations without C&C servers, which are mostly addressed by Domain Name System (DNS). We identify several TTPs used for DNS, such as Dynamic DNS, typosquatting, and TLD squatting. The next step for APT operators is to start communicating with a victim.
We found that the most popular protocol to deploy evasion techniques is using HTTP(S) with 81% of APT campaigns. HTTP(S) can evade firewall filtering and pose as legitimate web-based traffic. DNS protocol is also widely used by 45% of APTs for DNS resolution and tunneling.
https://arxiv.org/abs/2502.08830
Defence
How we proactively defend our environments.
The Cat and Mouse Game: Exploiting Statistical Weaknesses in Human Interaction Anti-Evasions
Sandbox evasion games continue..
We describe, in very general terms, how we were able to evade detection by taking advantage of statistical anomalies in the human interaction modules of several sandbox solutions.
We provide an alternative algorithm for simulated mouse human interaction, including its specifications, parameters, source code, and several visual demonstrations.
How to check for OAuth apps with specific Graph permissions assigned
Jeffrey Appel does what he does best with some detection tradecraft based on that seen in use allegedly by MidnightBlizzard.
OAuth apps are still an important target for attackers to misuse in organizations. Since the MFA baseline is improved with number matching and additional controls attackers are finding new ways to gain access to environments/ and collect data. One of the upcoming identity attacks is based on tokens and OAuth apps. With the use of the token/ OAuth apps, it is possible to gain access without any MFA. One example of such attacks, where applications are leveraged, is the ‘OAuth consent grant’ attack.
https://jeffreyappel.nl/how-to-check-for-oauth-apps-with-specific-graph-permissions-assigned/
Get rid of passwords?! Login without password with Passkey
Federal Office for Information Security (BSI) publish (in German - but translated below) and which aligns with our position at NCSC UK.
Passkeys are superior to traditional login with username and password in many ways:
Passkeys cannot be too simple or too short – passwords, on the other hand, can.
Unlike passwords, passkeys cannot be forgotten.
Passkeys are created quickly and automatically.
Passkeys are less likely to be lost through phishing or data theft.
Each passkey always protects exactly one account – so multiple accounts can never be at risk if a passkey is misused.
Incident Writeups & Disclosures
How they got in and what they did.
NIOCORP DEVELOPMENTS LTD Cybersecurity Incident
Mandated reporting providing an interesting story here..
On February 14, 2025, NioCorp Developments Ltd. (the “Company”) became aware of unauthorized third-party access to its information systems, including portions of its email systems, that resulted in misdirected vendor payments totaling approximately $0.5 million (the “cybersecurity incident”). The Company self-discovered the cybersecurity incident and promptly notified certain financial institutions and federal law enforcement in an effort to, among other matters, recover the misdirected vendor payments. In addition, upon discovery of the cybersecurity incident, the Company began taking steps to investigate, contain, assess and remediate the cybersecurity incident.
Jigsaw RDPuzzle: Piecing Attacker Actions Together
Justus Hoffmann walks through the forensics process of screen reconstruction in an optimised way..
We investigated an incident with a customer who acted as a service provider for his customers and was using RDP to connect to their customers’ machines. We already knew the attacker had admin privileges on the terminal server used to launch these outgoing RDP connections. There was evidence that the attacker had also launched outgoing RDP connections: network flow logs, the logs of their terminal server management software, and one of the targeted customers already had alerts about a suspicious
.batfile appearing on their machines. Our customer wanted to know more about the attacker targeting their customers.We leveraged a quite valuable RDP connection artifact to better answer the question. Originally designed to optimize performance by caching screen contents for smoother user experiences, the Bitmap Cache contains fragments of the remote display rendered in the course of RDP sessions. Analysis of the stored bitmap fragments allowed us to gain a first-person view of the threat actor’s activities.
https://insinuator.net/2025/01/jigsaw-rdpuzzle/
Vulnerability
Our attack surface.
Nginx/Apache Path Confusion to Auth Bypass in PAN-OS (CVE-2025-0108)
A reminder that web stacks indeed complex and thus risk vulnerabilities when transitioning through multiple components which support parsing and decoding of the same protocols.
https://www.assetnote.io/resources/research/nginx-apache-path-confusion-to-auth-bypass-in-pan-os
Ivanti Endpoint Manager – Multiple Credential Coercion Vulnerabilities
Zach Hanley details some vulnerabilities which are less than ideal..
The vulnerabilities discovered allow an unauthenticated attacker to coerce the Ivanti EPM machine account credential to be used in relay attacks, potentially allowing for server compromise.
CVE-2024-10811: Credential Coercion Vulnerability in GetHashForFile
CVE-2024-13161: Credential Coercion Vulnerability in GetHashForSingleFile
CVE-2024-13160: Credential Coercion Vulnerability in GetHashForWildcard
CVE-2024-13159: Credential Coercion Vulnerability in GetHashForWildcardRecursive
CVE-2025-24200: First analysis of Apple's USB Restricted Mode bypass
Loïc Buckwell details the residual attack surface.
While the device is in restricted mode, the USB protocol is completely disabled. However, other protocols can be used freely over the lightning port. This is for instance the case of the iAP2 protocol that can be used by MFi devices.
https://blog.quarkslab.com/first-analysis-of-apples-usb-restricted-mode-bypass-cve-2025-24200.html
PostgreSQL quoting APIs miss neutralizing quoting syntax in text that fails encoding validation
This could have a long tale..
Improper neutralization of quoting syntax in PostgreSQL
libpqfunctionsPQescapeLiteral(),PQescapeIdentifier(),PQescapeString(), andPQescapeStringConn()allows a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of command line arguments to achieve SQL injection whenclient_encodingisBIG5andserver_encodingis one ofEUC_TWorMULE_INTERNAL.
https://www.postgresql.org/support/security/CVE-2025-1094/
Was exploited originally as part of an exploit chain
While researching CVE-2024-12356, Rapid7 discovered a novel zero-day vulnerability in PostgreSQL, now identified as CVE-2025-1094. Rapid7 disclosed this new vulnerability to the PostgreSQL team on January 27, 2025. CVE-2025-1094 allows SQL statements that contain untrusted input (which has been correctly character escaped) to generate SQL injections when read by the PostgreSQL interactive tool
psql. This is the result of a flaw in how thepsqltool handles certain invalid byte sequences from invalid UTF-8 characters.In every scenario Rapid7 researchers tested during analysis of CVE-2024-12356, a successful exploit for CVE-2024-12356 had to include exploitation of CVE-2025-1094 in order to achieve remote code execution. In other words, based on our analysis, we believe the exploit for BeyondTrust RS CVE-2024-12356 would have relied on exploitation of PostgreSQL CVE-2025-1094.
https://attackerkb.com/topics/G5s8ZWAbYH/cve-2024-12356/rapid7-analysis
Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)
Used in NodeJS applications..
Private key can be extracted from ECDSA signature upon signing a malformed input (e.g. a string or a number), which could e.g. come from JSON network input
https://github.com/advisories/GHSA-vjh7-7g9h-fjfh
Offense
Attack capability, techniques and trade-craft.
MAC(B)ypassing for Persistence
Hacksplaining details a technique that defensive teams will just want to double check they have coverage against..
MAC(B)ypassing is a payload movement strategy where an attacker operates within specific Windows Time Rules to evade detection logic and telemetry analysis. This technique enables the attacker to move payloads into a target directory without generating logs from new Creation timestamps.
..
MAC(B)ypassing is trivial in nature, but is very impactful when attempting to bypass detections. As mentioned earlier, this is not abusing any vulnerability or misconfiguration, but works within the limitations of the monitoring tools.
https://medium.com/@hacksplaining/mac-b-ypassing-for-persistence-22e425ca7c85
Crafted File Download Using Wmplayer
Rutger Flohil details an interesting vulnerability which isn’t clean, but worth ensuring you have detection coverage for if misused.
It can’t run in the background seeing it opens the media player and will raise an error.
The file needs to be encoded and have a specific extension (see the sources section for more information).
The data needs to be cleaned after the transfer.
When working with larger files the data quality becomes less reliable. During testing scripts up to 400 KB seemed to work consistently. Larger files need to be split up and fetched using multiple requests or a playlist file.
https://pampuna.nl/blog/2024/12/wmplayer.html
SoaPy: Stealthy enumeration of Active Directory environments through ADWS
Logan Goins and Jackson Leverett provide a capability teams will want to ensure they have detection coverage of.
ADWS is enabled by default on Active Directory Domain Controllers (DCs) on port 9389 and is utilized by a variety of Microsoft systems administration tools, such as Active Directory Administrative Center (ADAC) and the Active Directory module within PowerShell. Clients communicate with ADWS using SOAP (Simple Object Access Protocol) messages in XML format. These messages are parsed by the web service, which then interacts with the local LDAP service on the domain controller. This allows for typical AD interaction (including both reading and writing to objects) using the AD permissions assigned to the querying user without requiring a direct bind to the LDAP service itself. Moreover, as connections are passed from the local ADWS service to LDAP, any interactions done using this mechanism are displayed as the local domain controller connecting to itself within Windows Event Logs.
Exploitation
What is being exploited..
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
Ghidra 11.3.1
New release from our partners at NSA, this is the killer feature..
The PyGhidra Python library, originally developed by the Department of Defense Cyber Crime Center (DC3) under the name Pyhidra, is a Python library that provides direct access to the Ghidra API within a native CPython 3 interpreter using JPype. PyGhidra contains some conveniences for setting up analysis on a given sample and running a Ghidra script locally. It also contains a Ghidra plugin to allow the use of CPython 3 from the Ghidra GUI.
https://github.com/NationalSecurityAgency/ghidra/releases/tag/Ghidra_11.3.1_build
(Anti-)Anti-Rootkit Techniques - Part III: Hijacking Pointers
Eversinc33 concludes the series and highlights why this technique might be tricky to detect.
The intuitive approach to detecting these techniques would be to look up all the possible
.datapointers in the standard Windows drivers and have an anti-rootkit check whether they point to memory backed by a driver. While this might be somewhat feasible for pointers with parameters, checking all pointers would be a tough endeavour, as we do not rely on parameters, when using this shared memory technique. Also, pointer chains can be used, so that only the last one points to the rootkit, so an anti-rootkit would need to walk the whole chain. And as soon as signed & benign third-party drivers with hijackable pointers come into play, the amount of pointers grows exponentially, making this approach even more pointless.
https://eversinc33.com/posts/anti-anti-rootkit-part-iii.html
DelphiHelper
Jurhor and Tom release this work aid..
DelphiHelper is a Python IDA Pro plugin aiming to help the analysis of x86/x86_64 binaries written in Delphi programming language.
https://github.com/eset/DelphiHelper
JDBG
Roger provides a powerful tool which will be useful to some..
JDBG is a powerful Java debugger and reverse engineering tool that operates at runtime. It is attachable and is not limited by agent restrictions.
https://github.com/roger1337/JDBG
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Aggregate reporting
2024 Industrial Control Network Security Situation White Paper (with full text download) - massive paper from China - “Based on its traditional security research advantages, the "Diting" network security team of Northeastern University developed, designed and implemented the "Diting" cyberspace industrial control equipment search engine, and based on the various security data collected by "Diting", wrote and published the 2024 Industrial Control Network Security Situation White Paper . Readers can learn about the 2024 industrial control security-related policy and regulatory reports and typical industrial control security incident analysis through the report. At the same time, the report explains and analyzes industrial control system vulnerabilities, networked industrial control equipment, industrial control honeypots and threat intelligence data, which helps to fully understand the security status of industrial control systems, perceive the security situation of industrial control systems from all angles, and provide reference for relevant personnel studying industrial control security.”
DSIT evaluation strategy - “This strategy reflects our commitment to embedding evaluation into every facet of our work, ensuring that our policies and programs are driven by evidence and continuous improvement. Our vision is for a modern, innovative government that leverages evaluation to drive progress and deliver tangible benefits to UK citizens.”
China
Neither “Platformization” Nor “Infrastructuralization”: Government as a Platform in China - “Through a case study of “the digital reform” in Zhejiang Province, and the affiliated smart city project—City Brain—in Hangzhou, the municipal capital, this study draws on data from participatory observations and interviews to (1) provide a historical context, in which “platformization” in urban governance is aimed to serve market-oriented socio-economic reforms; (2) argue that such “platformization” is shaped by the long-standing structural tension between centralization and localism, which has been renewed by digital data flows; and (3) understand the shifting public–private demarcation in social interactions and arrangements to deflect continual frictions between the state, local agents, and platforms in the domain of digital governance.”
Artificial intelligence
AI automated vulnerability mining attempt based on taint analysis - 404 Lab publish - “Because there are too many control conditions, or my prompt cannot accurately describe what I want, I have tested some local models and online models, and the actual results are not very good”
Books
Chasing Shadows: Cyber Espionage, Subversion, and the Global Fight for Democracy - “Like a John Le Carré novel updated for the digital age, Chasing Shadows provides a gripping account of how the Citizen Lab, the world’s foremost digital watchdog, has uncovered dozens of cyber espionage cases and protects people in countries around the world.”
The Cambridge Handbook of the Law, Ethics and Policy of Artificial Intelligence
Events
Implementation of the Online Safety Act - There will be a Westminster Hall debate on the implementation of the Online Safety Act - 26 February, 2025
CHERI Blossoms Conference 2025 - 2nd April, 2025
Unless stated otherwise, linked or referenced content does not necessarily represent the views of the NCSC and reference to third parties or content on their websites should not be taken as endorsement of any kind by the NCSC. The NCSC has no control over the content of third party websites and consequently accepts no responsibility for your use of them.
This newsletter is subject to the NCSC website terms and conditions which can be found at https://www.ncsc.gov.uk/section/about-this-website/terms-and-conditions and you can find out more about how will treat your personal information in our privacy notice at https://www.ncsc.gov.uk/section/about-this-website/privacy-statement.