CTO at NCSC Summary: week ending February 25th
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week is about vulnerability mop-up.
In the high-level this week:
National Security Agency Announces Retirement of Cybersecurity Director - thanks Rob for all the service - “Rob will retire after 34 years of service to the NSA. Since taking the role as the director of the Cybersecurity Directorate (CSD) in 2021, he has been vital in leading the charge of CSD’s mission to prevent and eradicate threats to U.S. National Security Systems and critical infrastructure, and overseeing the expansion of strong partnerships across the U.S. Government, Defense Industrial Base, industry, allies, and academia”. 👏
International investigation disrupts the world’s most harmful cyber crime group - OpCronos vs LockBit - “Today, after infiltrating the group’s network, the NCA has taken control of LockBit’s services, compromising their entire criminal enterprise.”
UK Resilience Forum fifth meeting: 6 February 2024 - “The Deputy Prime Minister summarised that cyber related threats represented one of the most serious risks we face and emphasised the need for continued capability building and exercising between partners.”
Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU) - “A January 2024 court-authorized operation has neutralized a network of hundreds of small office/home office (SOHO) routers that GRU Military Unit 26165, also known as APT 28, Sofacy Group, Forest Blizzard, Pawn Storm, Fancy Bear, and Sednit, used to conceal and otherwise enable a variety of crimes.”
Ransomware Economics: A Two-Step Approach To Model Ransom Paid - “our findings identify insurance coverage, data exfiltration, and annual revenue of the victim as key determinants affecting the ransom amounts. Specifically, having insurance results in ransoms that are 2.7 times larger, data exfiltration corresponds to a 4.4 times increase in the ransom, and each 1% increase in a victim’s yearly revenue causes a 0.12% rise in the ransom paid. “
Further useful work from the same university by one of its professors.
One in five [UK] children found to engage in illegal activity online - “Examples of low-level offending include downloading software to get access to someone else’s device, trying to access a protected server or buying something using the saved card details on someone else’s account. Gamers who make in-game purchases without the permission of the account holder or engage in DDoS-ing are breaking the law, despite often doing so unwittingly.”
U.S. conducted cyberattack on suspected Iranian spy ship - “The operation was intended to inhibit the Iranian ship’s ability to share intelligence with Houthi rebels in Yemen who have been firing missiles and drones at cargo ships in the Red Sea, the officials said. U.S. officials say Iran uses the ship to provide targeting information to the Houthis so their attacks on the ships can be more effective.”
Cybersecurity by facts: everything you need to know about cybercrime and cyber espionage in 2023 in Kazakhstan - their levels of maturity and transparency are maybe not what you would expect.
Financial Firms Expect Big Changes from European Cyber Rules - “The law, which was approved last year, will require companies to change aspects of how they test security systems and report cybersecurity attacks to regulators, Feng said. Under the rules, financial firms need to “fully” address weaknesses they find in security tests of critical systems.”
New measures to strengthen the cross-border enforcement of the GDPR - “The proposal aims to harmonise cross-border cooperation by establishing common rules for the treatment of complaints and for the procedural rights of the parties involved, for example the rights to be heard and the right to access case files. It also fleshes out the co-operation and dispute resolution mechanisms of the GDPR, and introduces deadlines for cross-border procedures and disputes.”
Director Wray's Remarks at the Munich Security Conference - “Operation Medusa, a joint, sequenced operation that included using sophisticated technical means to force Snake—the Russian FSB’s most sophisticated malware—to effectively cannibalize itself. We took down Snake in over 50 countries with the help of our U.S. and more than half a dozen foreign partners.”
Defending Democracy
Federal Executive Branch Agencies Roles and Responsibilities in United States Elections - who is responsible for what across the US system.
CISA highlights Risk in Focus: Generative A.I. and the 2024 Election Cycle - from January.
Korea Times reports Deepfakes swirl in Korea ahead of general elections - According to the National Election Commission (NEC), the country's election watchdog, 129 pieces of AI-generated media content had been detected from Jan. 29 to the end of last week, constituting a violation of the newly revised election law.
New York Times says Chinese Influence Campaign Pushes Disunity Before U.S. Election, Study Says - A long-running network of accounts, known as Spamouflage, is using A.I.-generated images to amplify negative narratives involving the presidential race.
Institute for Strategic Dialogue (ISD) reports Pro-CCP ‘Spamouflage’ network pivoting to focus on US Presidential Election - As of January 2024, Spamouflage’s election-related content appears to be focused solely on Joe Biden and Donald Trump as the expected candidates in the Presidential election.
Taipei Times states Cyberattacks spiked day before vote - “China-affiliated cyberattacks against Taiwan jumped in the 24 hours before Taiwan’s presidential and legislative elections on Jan. 13, a report released on Tuesday by US cybersecurity firm Trellix found.” - report Cyberattack on Democracy: Escalating Cyber Threats Immediately Ahead of Taiwan’s 2024 Presidential Election
Reporting on/from China
China aims to plug gap between lab and market in hi-tech push with patent rule changes - “Universities and research institutes have faced a long-standing challenge with the low application rate of patents, both because they tend to produce abundant results with limited precision that can meet industrial needs, accompanied by inadequate channels for transforming patents into market-ready applications,”
Chinese press reports China spy agency renews foreign cyber intelligence warning after data breaches - “In one case, a military-civilian integration enterprise did not update its software promptly – which the agency described as “a high cybersecurity risk as if the door was wide open”.
Artificial intelligence
North Korean hackers use AI for more sophisticated scams - “North Koreans’ adoption of generative AI — software that mimics human ability — constituted a formidable new challenge, said Erin Plante, vice-president of investigations at blockchain data platform Chainalysis.”
Japan's ruling party pushes for AI legislation within 2024, Nikkei reports - “To address issues surrounding AI such as disinformation and rights infringement, the Liberal Democratic Party's AI project team will draft preliminary rules, including penal regulations, for foundation model developers”
Singapore eyes corporate tax rise, AI investment in 2024 budget - “the Southeast Asian financial hub will invest SG$1 billion over the next five years to strengthen talent and industry development in AI.”
World’s biggest tech companies pledge to fight AI-created election ‘deepfakes’ - Amazon, Google, Meta, Microsoft, TikTok and OpenAI were among 20 tech companies that said on Friday during the Munich Security Conference they would work together to combat the creation and spread of content designed to mislead voters, such as “deepfake” images, videos and audio. - this is the pledge.
Cyber proliferation
Spyware startup Variston is losing staff, some say it's closing - or what is known as imposing cost..
Poland launches Pegasus spyware probe - A new commission aims to hear from top officials from the previous Law and Justice party government.
The ABA Urges Action Against Abusive Commercial Spyware, and Policymakers Should Listen - “The adoption of Resolution 509 empowers the ABA to file amicus briefs in spyware cases making their way through U.S. courts – for example, briefs detailing the damage done to client confidence in the attorney-client privilege by mere existence of commercial spyware – and to write letters urging legislative and executive action at all levels of government.”
The Pall Mall Process on Cyber Intrusion Tools: Putting Words into Practice - “The proliferation of offensive cyber capabilities is fraught with risk. The PMP is a distinct opportunity for the international community to learn from the past and prepare for the future.”
Bounty Hunting
Reward for Information: ALPHV/Blackcat Ransomware as a Service - United States Department of State - $10 million for the core team and $5 million for supporting cast
The reflections this week is what do we want to be true in the future (20+ years) with regards to cyber resilience? Then what are the interim objectives which enable those outcomes? For example if we want evidenced cyber resilience to be true what are the experiments and/or studies that would be most valuable in the short, medium and long term and how do we design them?
This thinking is in part inspired by the Seven Up long-term study which runs in the UK, the value of longitudinal studies in providing insight, and the fact some countries have multi-decade strategies… answers on a postcard.
Also, for anyone who is technical, the quality of the papers at the NDSS Symposium 2024 cannot be overstated.
All attribution is by others and not the UK Government unless specifically stated as such, please see the legal text at the end.
Have a lovely Thursday
Ollie
Cyber threat intelligence
Who is doing what to whom and how.
Reporting on Russia
Operation Texonto: Information operation targeting Ukrainian speakers in the context of the war
Matthieu Faou provides reporting on an alleged Russian-aligned information operation; the overlap with Russian interests will be of note.
Operation Texonto is a disinformation/PSYOP campaign using spam mails as the main distribution method. Surprisingly, it doesn’t seem that the perpetrators used common channels such as Telegram or fake websites to convey their messages. We have detected two different waves, the first one in November 2023 and the second one at the end of December 2023. The contents of the emails were about heating interruptions, drug shortages, and food shortages, which are typical themes of Russian propaganda.
In addition to the disinformation campaign, we have detected a spearphishing campaign that targeted a Ukrainian defense company in October 2023 and an EU agency in November 2023. The goal of both was to steal credentials for Microsoft Office 365 accounts. Thanks to similarities in the network infrastructure used in these PSYOPs and phishing operations, we are linking them with high confidence.
Interestingly, a few more pivots also revealed domain names that are part of Operation Texonto and related to internal Russian topics such as Alexei Navalny, the well-known Russian opposition leader who was in jail and died on February 16th, 2024.
Pelmeni Wrapper: New Wrapper of Kazuar (Turla Backdoor)
Alleged change in tradecraft by this supposed Russian threat actor to allow their implants to survive a little longer than they might otherwise.
This research has resulted in a set of samples which have been found in VirusTotal during early 2024. Below is a timeline of the publicly known samples.
This investigation reveals how Turla is using a new wrapper of Kazuar as part of their infection chain. The most prominent aspects of the analysis leading to the extraction of Kazuar and the peculiarities of the identified sample compared to others previously seen in the field are detailed below.
https://lab52.io/blog/pelmeni-wrapper-new-wrapper-of-kazuar-turla-backdoor/
Reporting on China
Alleged offensive cyber capability documentation leak from Chinese supplier
Lots of reporting on this alleged leak…
https://www.sentinelone.com/labs/unmasking-i-soon-the-leak-that-revealed-chinas-cyber-operations/
Red shadows are ringing in Japan’s Cyberspace
Hoi myong walks through the open source intelligence against a Hong Kong entity which he claims is part of a suspected APT Group’s hosting methods.
https://sh1ttykids.medium.com/red-shadows-are-ringing-in-japans-cyberspace-46ebff9c2dd6
Earth Preta Campaign Uses DOPLUGS to Target Asia
Sunny Lu and Pierre Lee detail targeting and tradecraft which they attribute to China. The targeting and tradecraft will be of interest, as will the fact that USB continues to be a gift which keeps on giving.
Upon investigation, we found that the DOPLUGS malware uses the KillSomeOne module, a USB worm that was first disclosed by a Sophos report in November 2020. However, an entry from January 2020 mentioned a USB worm; this entry was also the first report that analyzed a piece of PlugX malware integrated with KillSomeOne behavior.
Based on noteworthy DOPLUGS files we’ve found since July 2023 (Table 1), we can determine that the victims, at least for the attacks that employed these specific samples, are from Taiwan and Mongolia.
https://www.trendmicro.com/en_us/research/24/b/earth-preta-campaign-targets-asia-doplugs.html
Reporting on North Korea
South Korea's National Intelligence Service and Germany's Office for the Protection of the Constitution (BfV) issued a joint cybersecurity advisory
South Korean and German Governments attributing this North Korea campaign against their defence industries.
South Korea's National Intelligence Service and Germany's Office for the Protection of the Constitution (BfV) issued a joint cybersecurity advisory on February 19 to prevent damage from North Korea's cyberattacks in the defense industry.
A North Korean hacking organization infiltrated an institution researching maritime and shipbuilding technology in late 2022. Rather than directly infiltrating the defense industry agency, the North Korean hacking organization first hacked a maintenance company with weak security, stole server account information, then infiltrated the agency's server without permission and attempted to spread malware to all employees.
To Russia With Love: Assessing a KONNI-Backdoored Suspected Russian Consular Software Installer
Alleged North Korean operation against Russia. I guess this is a new twist on Know Your Customer. The use of software installers is a favourite technique of this threat actor.
[We] observed an intriguing malware sample first uploaded to VirusTotal in mid-January 2024 that we believe to be part of North Korea-linked activity targeting the Russian Ministry of Foreign Affairs.
Perhaps more interestingly, however, the sample was bundled into a backdoored Russian language software installer. This is a KONNI delivery technique that we have previously observed, with a sample from 2023 delivered via a backdoored installer for the publicly available Russian state-mandated tax filing software “Spravki BK” (Справки БК).
Malware spreading activities of attack group Lazarus exploiting PyPI
Japanese attribution of North Korean activity on a campaign / set of techniques numerous others have observed. Attacks such as this against developers / people who code really are a challenge we have yet to solve at scale.
JPCERT/CC has confirmed that the Lazarus attack group has published malicious Python packages on PyPI, the official Python package repository (Figure 1). The Python packages we checked this time are as follows.
pycryptoenv
pycryptoconf
quasarlib
swapmempool
https://blogs.jpcert.or.jp/ja/2024/02/lazarus_pypi.html
TrollAgent (Kimsuky group) infected during security program installation process
More alleged supply chain attacks by North Korea
[We] recently confirmed that malicious code was being downloaded when attempting to install a security program on the website of a domestic construction-related association. To use the services provided by the website, you need to log in, and for security purposes, you must install various security programs to log in.
Among the programs that were prompted to be installed for logging in, there was an installation program containing malicious code. If the user downloads and installs it, not only the security program but also the malicious code is installed.
Malicious code installed through this process includes backdoor malware that can perform malicious actions by receiving commands from an external attacker and information-stealing malware that collects information about the infected system. Accordingly, users may be exposed to risks such as personal information theft simply by installing a security program from the official website.
Reporting on Iran
Albanian Institute of Statistics
Reporting from the Albanian government on an alleged Iranian destructive operation.
Deklaratë - AKCESK - On February 1, 2024, the Institute of Statistics faced a cyber attack targeting its technological infrastructure. - Based on available information, the actors behind this cyber attack have been identified as Homeland Justice, an Iranian state-sponsored attack group
From the analysis conducted so far, it has been confirmed that the attackers used the MEK-DDMC.exe file to execute a virus with malicious content. This attack, known as Wiper, was aimed at erasing Boot sector data and touching devices within Active Directory (AD).
https://cesk-gov-al.translate.goog/deklarate/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp
Reporting on Other Actors
iOS Trojan harvesting facial recognition data used for unauthorized access to bank accounts
Interesting reporting here on iOS going after biometrics from apparently criminal intent.
The newly identified GoldPickaxe.iOS employs a notable distribution scheme. The threat actor utilized Apple’s mobile application testing platform, TestFlight, to distribute malware initially. Following the removal of its malicious app from TestFlight, the threat actor adopted a more sophisticated approach. They employed a multi-stage social engineering scheme to persuade victims to install a Mobile Device Management (MDM) profile. This allowed the threat actor to gain complete control over the victim’s device.
https://www.group-ib.com/blog/goldfactory-ios-trojan/
Community Alert: Ongoing Malicious Campaign Impacting Azure Cloud Environments
Cloud specific campaign here which shows the tradecraft and targeting techniques. The possibility of Russian / Nigerian amalgamation is interesting.
In late November 2023, [our] researchers detected a new malicious campaign, integrating credential phishing and cloud account takeover (ATO) techniques. As part of this campaign, which is still active, threat actors target users with individualized phishing lures within shared documents. For example, some weaponized documents include embedded links to “View document” which, in turn, redirect users to a malicious phishing webpage upon clicking the URL.
Notable among these non-proxy sources are the Russia-based 'Selena Telecom LLC', and Nigerian providers 'Airtel Networks Limited' and 'MTN Nigeria Communication Limited.'
While Proofpoint has not currently attributed this campaign to any known threat actor, there is a possibility that Russian and Nigerian attackers may be involved, drawing parallels to previous cloud attacks.
Discovery
How we find and understand the latent compromises within our environments.
Information-Based Heavy Hitters for Real-Time DNS Data Exfiltration Detection
Yarin Ozery, Asaf Nadler and Asaf Shabtai gave this paper at NDSS. So no excuses for not detecting DNS exfil now.. until the world moves to DoH that is..
The evaluation demonstrates ibHH’s ability to successfully detect exfiltration rates as slow as 0.7B/s, with a false positive alert rate of less than 0.004, with significantly lower resource consumption compared to other methods.
https://www.ndss-symposium.org/wp-content/uploads/2024-388-paper.pdf
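To make the "information-based heavy hitter" idea concrete, here is an added illustration (not the authors' ibHH code): count the bytes of new information each client pushes out in query names per registered domain and flag pairs whose rate exceeds the paper's 0.7 B/s figure. It assumes the registered domain is the last two labels, a single 60-second window, and a constructed log; the paper uses streaming sketches where this counts exactly.

```python
"""Simplified information-based heavy-hitter detection for DNS exfiltration.

Added illustration of the idea behind ibHH, not the paper's implementation.
Assumptions: registered domain = last two labels (no public suffix list),
the whole log is one window, and the log lines below are constructed.
"""
from collections import defaultdict

WINDOW_SECONDS = 60
THRESHOLD_BPS = 0.7  # the slowest exfiltration rate the paper reports detecting


def _sample_records():
    """Constructed query log: (timestamp_seconds, client_ip, queried_name)."""
    records = []
    # Ordinary browsing: a handful of short, repeated names.
    for i in range(20):
        records.append((i * 3, "10.0.0.7", "www.example.com"))
        records.append((i * 3 + 1, "10.0.0.7", "cdn.example.com"))
    records.append((5, "10.0.0.7", "mail.example.com"))
    # Exfiltration: 40 distinct 48-character labels under one domain.
    for i in range(40):
        records.append((i * 1.5, "10.0.0.5", f"{i:048x}.exfil.example.net"))
    # A repeated exfil name carries no new information and must not count.
    records.append((59, "10.0.0.5", f"{0:048x}.exfil.example.net"))
    return records


def registered_domain(qname):
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def information_bytes(qname):
    """Bytes the client controls: every label left of the registered domain."""
    labels = qname.rstrip(".").lower().split(".")
    return sum(len(label) for label in labels[:-2])


def heavy_hitters(records, window_seconds=WINDOW_SECONDS, threshold_bps=THRESHOLD_BPS):
    """Return {(client, domain): bytes_per_second} for pairs over the threshold.

    Only distinct names count: a resolver cache would absorb repeats, so a
    repeated name cannot carry new data out of the network.
    """
    seen = set()
    total = defaultdict(int)
    for _ts, client, qname in records:
        qname = qname.rstrip(".").lower()
        key = (client, registered_domain(qname))
        if (key, qname) in seen:
            continue
        seen.add((key, qname))
        total[key] += information_bytes(qname)
    return {
        key: total_bytes / window_seconds
        for key, total_bytes in total.items()
        if total_bytes / window_seconds > threshold_bps
    }


def run_sample():
    """Run the detector over the constructed log; returns the flagged pairs."""
    return heavy_hitters(_sample_records())


if __name__ == "__main__":
    for (client, domain), rate in run_sample().items():
        print(f"{client} -> {domain}: {rate:.1f} B/s")
```

In a real deployment the per-client totals would be kept in a sketch and aged out per window, and the registered domain taken from the public suffix list rather than the last two labels.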
Modpot - Golang modular web application honeypot framework
James Brine delivers a capability which will bring value in certain situations due to its lightweight nature.
modpot is a modular web application honeypot framework written in Golang and making use of gin framework. It is the antithesis to honeydet in many ways and allows the user to deploy simple html/js honeypots that mimic web applications in order to detect requests and form entries that are related to attacks. It has the accidental capability to act as a phishing server, capturing credentials though this is not its main intention. modpot is best utilised alongside honeypage a tool that creates flattened single html file versions of web applications, which makes them portable and easy to use with modpot.
https://github.com/referefref/modpot
Yara to detect Outlook CVE-2024-21413 exploitation
Florian Roth does what he does best with this release. Details and exploits for this vulnerability are covered below.
https://github.com/Neo23x0/signature-base/blob/master/yara/expl_outlook_cve_2024_21413.yar
Defence
How we proactively defend our environments.
Protecting Tier 0 the Modern Way
Dagmar Heidecker provides a guide on how to protect Active Directory if decommissioning is not a possibility.
Most attackers follow playbooks and whatever their final goal may be, Active Directory Domain domination (Tier 0 compromise) is a stopover in almost every attack. Hence, securing Tier 0 is the first critical step towards your Active Directory hardening journey and this article was written to help with it.
Updating Microsoft Secure Boot keys
Sochi Ogbuanya provides a guide on what this all means in practice.
Microsoft, in collaboration with our ecosystem partners, is preparing to roll out replacement certificates that’ll set new Unified Extensible Firmware Interface (UEFI) Certificate Authorities (CAs) trust anchors in Secure Boot for the future. Look out for Secure Boot database updates rolling out in phases to add trust for the new database (DB) and Key Exchange Key (KEK) certificates. This new DB update is available as an optional servicing update for all Secure Boot enabled devices from February 13, 2024.
Mercari’s passkey adoption
From August last year, but worth a read from Karino Tatsuya. The takeaway in their situation was the residual usability challenges.
https://engineering.mercari.com/en/blog/entry/20230810-mercaris-passkey-adoption/
Automatic Policy Synthesis and Enforcement for Protecting Untrusted Deserialization
Quan Zhang, Yiwen Xu, Zijing Yin, Chijin Zhou, and Yu Jiang presented this paper at NDSS which outlines a mitigation to deserialization. The impressive bits are the low overhead and relative efficacy. The challenge now is pull-through to a solution which can be used at scale..
First, DESERIGUARD utilizes dataflow analysis to construct a semantic-aware property tree, which records the potential structures of deserialized objects. Based on the tree, DESERIGUARD identifies the types of objects that can be safely deserialized and synthesizes an allowlist policy. Then, with the Java agent, DESERIGUARD can seamlessly enforce the policy during runtime to protect various deserialization procedures. In evaluation, DESERIGUARD successfully blocks all deserialization attacks on 12 real-world vulnerabilities. In addition, we compare DESERIGUARD’s automatically synthesized policies with 109 developer-designed policies. The results demonstrate that DESERIGUARD effectively restricts 99.12% more classes. Meanwhile, we test the policy-enhanced applications with their unit tests and integration tests, which demonstrate that DESERIGUARD’s policies will not interfere with applications’ execution and induce a negligible time overhead of 2.17%.
https://www.ndss-symposium.org/wp-content/uploads/2024-53-paper.pdf
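The enforcement half of the paper (an allowlist of the only classes a deserialization point is expected to produce) has a direct analogue in Python's pickle, shown here as an added example that is not DESERIGUARD and not Java: the allowlist is hand-written for a hypothetical Order type, where the paper synthesises it by dataflow analysis.

```python
"""Allowlist-enforced deserialization in Python's pickle.

Added example, not the paper's tool: DESERIGUARD derives the allowlist for
Java automatically; here it is hand-written for a hypothetical Order class.
Anything not on the list is refused, whether or not it is a known gadget.
"""
import datetime
import io
import pickle


class Order:
    """Hypothetical application type that the endpoint expects to receive."""

    def __init__(self, item, qty):
        self.item, self.qty = item, qty

    def __eq__(self, other):
        return isinstance(other, Order) and (self.item, self.qty) == (other.item, other.qty)


# The policy: (module, name) pairs that may be resolved during unpickling.
# Order.__module__ is used so the entry is correct however this file is loaded.
ALLOWLIST = {(Order.__module__, "Order")}


class PolicyUnpickler(pickle.Unpickler):
    """Unpickler that refuses any class reference outside ALLOWLIST."""

    def find_class(self, module, name):
        if (module, name) not in ALLOWLIST:
            raise pickle.UnpicklingError(f"policy denies {module}.{name}")
        return super().find_class(module, name)


def loads_with_policy(data: bytes):
    return PolicyUnpickler(io.BytesIO(data)).load()


def try_loads(data: bytes):
    """Return (True, object) or (False, reason) so denials can be logged."""
    try:
        return True, loads_with_policy(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# Constructed inputs: an expected object, and an unexpected (benign) type
# that the policy still refuses because it is not in the allowlist.
SAMPLE_OK = pickle.dumps(Order("widget", 3))
SAMPLE_DENIED = pickle.dumps(datetime.date(2024, 2, 25))

if __name__ == "__main__":
    print(try_loads(SAMPLE_OK))
    print(try_loads(SAMPLE_DENIED))
```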
mta-sts-template: This is a template for hosting a mta-sts.txt file using GitHub Pages
Ollie (not me) of the UK’s Cabinet Office Central Digital and Data Office on how to host the policy file on GitHub Pages. If you are interested in this area you can read the NCSC's guidance Using MTA-STS to protect the privacy of your emails.
https://github.com/co-cddo/mta-sts-template
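Whichever host serves the file, the policy must be well-formed before a sending MTA will honour it. This added checker (not part of the co-cddo template) parses an mta-sts.txt policy and the matching _mta-sts TXT record per RFC 8461, including the single-label wildcard rule for mx entries; the policy and record below are constructed.

```python
"""Validate an MTA-STS policy file and its DNS TXT record (RFC 8461).

Added example, not the co-cddo template's own code. The sample policy and
TXT record are constructed. The policy is fetched by senders from
https://mta-sts.<domain>/.well-known/mta-sts.txt over validated HTTPS.
"""
import re

MAX_AGE_LIMIT = 31557600  # one year, the RFC 8461 upper bound

# Constructed sample policy and _mta-sts.<domain> TXT record.
SAMPLE_POLICY = (
    "version: STSv1\n"
    "mode: enforce\n"
    "mx: mail.example.gov.uk\n"
    "mx: *.mail.protection.outlook.com\n"
    "max_age: 604800\n"
)
SAMPLE_TXT = "v=STSv1; id=20240221T120000;"


def parse_policy(text: str) -> dict:
    """Parse mta-sts.txt; raise ValueError if it is malformed or unusable."""
    policy = {"mx": []}
    first_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (part.strip() for part in line.split(":", 1))
        first_key = first_key or key
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key in ("version", "mode", "max_age"):
            if key in policy:
                raise ValueError(f"duplicate field: {key}")
            policy[key] = value
        # Unknown extension fields are permitted and ignored.
    if first_key != "version" or policy.get("version") != "STSv1":
        raise ValueError("first field must be version: STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    try:
        policy["max_age"] = int(policy["max_age"])
    except (KeyError, ValueError):
        raise ValueError("max_age must be an integer number of seconds") from None
    if not 0 <= policy["max_age"] <= MAX_AGE_LIMIT:
        raise ValueError("max_age out of range")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("at least one mx entry is required unless mode is none")
    return policy


def is_valid_policy(text: str) -> bool:
    try:
        parse_policy(text)
        return True
    except ValueError:
        return False


def parse_txt_record(txt: str) -> str:
    """Return the policy id from a record like 'v=STSv1; id=20240221T120000;'."""
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed field: {part!r}")
        key, value = part.split("=", 1)
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1":
        raise ValueError("record must start with v=STSv1")
    # id is 1 to 32 alphanumeric characters; senders refetch when it changes.
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        raise ValueError("id must be 1-32 alphanumeric characters")
    return fields["id"]


def mx_matches(policy_mx: str, mx_host: str) -> bool:
    """RFC 8461 mx matching: '*.example.com' matches exactly one leading label."""
    policy_mx = policy_mx.rstrip(".").lower()
    mx_host = mx_host.rstrip(".").lower()
    if policy_mx.startswith("*."):
        head, sep, tail = mx_host.partition(".")
        return bool(head) and sep == "." and tail == policy_mx[2:]
    return policy_mx == mx_host


if __name__ == "__main__":
    print(parse_policy(SAMPLE_POLICY), parse_txt_record(SAMPLE_TXT))
```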
V8 Sandbox - Hardware Support
A project underway at Google exploring the art of the possible here.
This document is part of the V8 Sandbox Project and discusses different options for how dedicated hardware support could be used to strengthen or even replace the software-based sandbox.
Policy-as-Code in the software supply chain
Marina Moore, Michael Lieberman, John Kjell, James Carnegie, and Luca Bandini outline an approach which could be valuable if it gains traction.
This document concentrates on the creation, dissemination, implementation, and evaluation of policies that bolster security in the software supply chain. We delve into how technical policies, which often stem from compliance requirements, can be effectively mapped onto engineering requirements. These are then operationalized as specific “procedures” within the supply chain environment. While acknowledging the influence of broader government and corporate policies on software supply chain security, our analysis is specifically tailored to these technical policies and their practical implementation. We also focus on policy for the software supply chain, and exclude discussion of runtime policy.
https://www.cncf.io/blog/2024/02/14/policy-as-code-in-the-software-supply-chain/
Incident Writeups & Disclosures
How they got in and what they did.
Threat Actor Leverages Compromised Account of Former Employee to Access State Government Organization
It is excellent that CISA are releasing these incident writeups.
A state government organization was notified that documents containing host and user information, including metadata, were posted on a dark web brokerage site. After further investigation, the victim organization determined that the documents were accessed via the compromised account of a former employee. Threat actors commonly leverage valid accounts, including accounts of former employees that have not been properly removed from the Active Directory (AD), to gain access to organizations. CISA and MS-ISAC assessed that an unidentified threat actor likely accessed documents containing host and user information to post on the dark web for profit after gaining access through the account of a former employee.
The scope of this investigation included the victim organization’s on-premises environment, as well as their Azure environment, which hosts sensitive systems and data. Analysis determined the threat actor did not move laterally from the compromised on-premises network to the Azure environment and did not compromise sensitive systems
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-046a
Vulnerability
Our attack surface.
Various DNS Resolver Vulnerabilities
Patch DNS..
50 Shades of Support: A Device-Centric Analysis of Android Security Updates
Abbas Acar, Guliz Seray Tuncay, Esteban Luques, Harun Oz, Ahmet Aris and Selcuk Uluagac presented this paper at NDSS which shows that the fragmentation in behaviours within the Android ecosystem means that the world is not equal. How we maintain this insight and surface it to allow informed buying decisions is now the challenge..
We obtained 367K official security update records from public sources, spanning from 2014 to 2023. Our dataset contains 599 unique devices from four major OEMs that are used in 97 countries and are associated with 109 carriers. We identify significant differences in the roll-out of security updates across different OEMs, device models and types, and geographical regions across the world. Our findings show that the reasons for the delay in the roll-out of security updates are not limited to fragmentation but also involve several OEM-specific factors such as the type of support the device receives (e.g., monthly, quarterly, biannual). Our analysis also uncovers certain key issues regarding the security update distribution that can be readily addressed as well as exemplary practices that can be immediately adopted by OEMs in practice.
https://www.ndss-symposium.org/wp-content/uploads/2024-175-paper.pdf
The Risks of the MonikerLink Bug in Microsoft Outlook and the Big Picture
Haifei Li details a vulnerability class which is wider than this instance. Time to go a hunting and a patching..
we discovered an interesting security issue in Outlook when the app handles specific hyperlinks. In this blog post, we will share our research on the issue with the security community and help defend against it. We will also highlight the broader impact of this bug in other software.
CVE-2024-21410 - Microsoft Exchange servers
Patch any of those on premises Exchange servers… if you haven’t then ensure you have MFA… if you don’t then hunt for the breach.
allows a remote, unauthenticated attacker to disclose and then relay Windows NT NTLM hashes to impersonate legitimate users on Exchange Server
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21410
TOTOLINK LR1200GB Auth Bypass
A new covert infrastructure opportunity for threat actors here..
A vulnerability in TOTOLINK LR1200GB allows remote unauthenticated attackers to become authenticated due to a stack overflow vulnerability in the web interface. Additional post-auth vulnerabilities in the product allow for command injection and their execution with elevated privileges – allowing the compromise of the device – these are not shown in the analysis below but they are included in the PoC.
https://ssd-disclosure.com/ssd-advisory-totolink-lr1200gb-auth-bypass/
Exploring AMD Platform Secure Boot
Krzysztof Okupski shows that low-level security remains challenging in practice.
The results of our research demonstrate how vendors systematically failed to either properly configure the platform or correctly implement the chain-of-trust. Although it is clear how this issue needs to be addressed, based on vendor responses, it appears that they are reluctant to do so.
These issues would allow an attacker that has obtained a foothold on the OS, in combination with a SPI flash write primitive (e.g. CVE-2023-28468), to install firmware implants on the system. These, by design, bypass any OS- and Hypervisor-level protections that may be implemented and, if done properly, can also be made resistant to traditional firmware updates.
To determine whether you are vulnerable, we recommend running our in-house developed tool Platbox (see here) and, if that is the case, to reach out to the vendor in the hope that they will address these issues.
https://labs.ioactive.com/2024/02/exploring-amd-platform-secure-boot.html
Offense
Attack capability, techniques and trade-craft.
Dusting off Old Fingerprints: NSO Group's Unknown MMS Hack
Cathal McDaid details a possible root cause of this attack with some excellent sleuthing.
What was not discussed were some specific details within a copy of a contract between a NSO Group reseller and the telecom regulator of Ghana. Within that contract, in Exhibit A-1, was a list of “Features and Capabilities” offered by NSO Group. To telecom security specialists like us, these features were largely known, however there was a feature title that was (at first sight) unknown. This was the entry termed “MMS Fingerprint”.
A starting point is the fact that Blackberry, Android, iOS devices were all listed as possible meant an OS-specific hack seemed unlikely. As a result we were probably looking at something vulnerable within the MMS flow itself. In looking at the MMS flow, I concluded that perhaps – despite its name – the attack wasn’t happening over MMS, but rather via something else.
https://www.enea.com/insights/dusting-off-old-fingerprints-nso-groups-unknown-mms-hack/
secretsdump.py: Dumping credentials without touching disk
More anti-forensics considerations in this patch..
Allows to remotely extract hashes from the SAM and SECURITY (LSA Secrets and cached credentials) registry hives without touching disk. There is no need to save these registry hives to disk and parse them locally.
This feature takes advantage of the WriteDACL privileges held by local administrators to provide temporary read permissions on registry hives.
https://github.com/fortra/impacket/pull/1698
Exploitation
What is being exploited.
ConnectWise ScreenConnect 23.9.8 security fix
Patch patch patch.. the exploit is trivial!
On-prem partners are advised to immediately upgrade to the latest version of ScreenConnect to remediate against reported vulnerabilities.
https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
CVE-2024-21413: Microsoft Outlook Information Disclosure Vulnerability - leak password hash
Exploits out for this password hash leakage vulnerability. Go hunting to see if your organisation has been targeted / exploited.
https://github.com/duy-31/CVE-2024-21413
https://github.com/xaitax/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
Magika: AI powered fast and efficient file type identification
AI power in action..
AI-powered file-type identification system, to help others accurately detect binary and textual file types. Under the hood, Magika employs a custom, highly optimized deep-learning model, enabling precise file identification within milliseconds, even when running on a CPU.
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Aggregate reporting
Government Acquisition of Cyber Technologies - Lessons Derived from Analysis of the Cybersecurity and Infrastructure Security Agency's Cyber Acquisition Processes
Breaking BFT: Quantifying the Cost to Attack Bitcoin and Ethereum - "we present a model to quantify the costs to breach Byzantine fault tolerance thresholds in Bitcoin and Ethereum. We introduce a new metric called Total Cost to Attack (TCA) which encompasses the operational and capital expended"
OpenGFW: OpenGFW is a flexible, easy-to-use, open source implementation of GFW (Great Firewall of China) on Linux
Artificial intelligence
Books
Nothing this week
Events
NDSS Symposium 2024 Program - lots of excellent papers
Unless stated otherwise, linked or referenced content does not necessarily represent the views of the NCSC and reference to third parties or content on their websites should not be taken as endorsement of any kind by the NCSC. The NCSC has no control over the content of third party websites and consequently accepts no responsibility for your use of them.
This newsletter is subject to the NCSC website terms and conditions which can be found at https://www.ncsc.gov.uk/section/about-this-website/terms-and-conditions and you can find out more about how will treat your personal information in our privacy notice at https://www.ncsc.gov.uk/section/about-this-website/privacy-statement.