CTO at NCSC Summary: week ending February 18th
The sooner you get on the memory safety journey the kinder you are to your future self...
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week the general background smouldering continues..
In the high-level this week:
The UK’s National Cyber Security Centre has published our revised Vulnerability management guidance - it has moved from a single page to a collection which we will continue to build out. Feedback has included:
“Genuinely this is the best recommendation in the industry I’ve seen. It’s both understandable and practical.”
“[On] Point 4 The organisation must own the risks of not updating - This is extremely important to get across to the Business. I have often seen the Business trying to push the "risk" ownership onto Security or IT to accept the risk, when it really isn't security's place to accept the risk; it's the senior leadership Team who need to put their name against the risk.”
Harry Coker on ONCD’s Efforts to Implement National Cybersecurity Strategy - “Other ONCD initiatives Coker discussed at the event are.. working with legal and academic experts to look at liability regimes as part of efforts to hold software developers accountable for bringing to market insecure code.”
Brave new(ish) world, brave new(ish) approach - Irfan Hemani, deputy director for UK secure tech policy, explains the philosophy behind the UK’s secure-by-design approach to emerging technology regulation
EU Cyber solidarity act - The Council and the Parliament are currently in negotiations to finalise the text. Second edition. The 'EU Legislation in Progress' briefings are updated at key stages throughout the legislative procedure.
ASD sees "frequency, richness" of cyber info sharing fall away - The Australian Signals Directorate has lamented a decline in the “frequency and richness” of cyber incident data shared with it by the private sector, underlining - it says - the importance of restoring trusted channels for information exchange.
RAND Corporation says Threats to America’s critical infrastructure are now a terrifying reality - Policymakers must, then, begin to strengthen private sector and local preparedness for these ongoing attacks, as well as developing and resourcing the federal interagency for complex emergencies, with an emphasis on societal resilience.
ECC okays Rs10bn more for cybersecurity - ISLAMABAD: The Economic Coordination Committee (ECC) of the cabinet on Wednesday approved Rs10 billion additional funds for cybersecurity - £23 million.
BBC’s Radio 4 ‘The Gift’ episode ‘Hacked’ - “In this bonus episode of The Gift, Jenny investigates the 23andMe breach to discover what happened, who was targeted and if information as sensitive as our genetic code can ever be stored safely.”
If it bleeps it leads? Media coverage on cyber conflict and misperception - This analysis shows that the use of novel techniques, specifically zero-day exploits, is a highly significant predictor of coverage quantity. Operations targeting the military or financial sector generate less coverage. We also find that cyber effect operations tend to receive more coverage compared to espionage, but this result is not statistically significant.
Government of Canada hosts National Summit on Combatting Auto Theft - "Pursuing all avenues to ban devices used to steal vehicles by copying the wireless signals for remote keyless entry, such as the Flipper Zero"
On the state of the cyber nation - analysis and commentary on Germany’s BSI call for it to become a Cyber Nation.
Emerging technologies will intensify the North Korean cyber threat - A set of high-level opinions.
Protect Good Faith Security Research Globally in Proposed UN Cybercrime Treaty - Statement submitted to the UN Ad Hoc Committee Secretariat by the Electronic Frontier Foundation, accredited under operative paragraph No. 9 of UN General Assembly Resolution 75/282, on behalf of 124 signatories.
A European cybercrime breakthrough is good news but only half the battle - After an eight-year negotiation, the EU has adopted a new legal framework –known as the eEvidence Regulation – to enable the preservation and sharing of electronic evidence between US platforms and EU law enforcement, as well as between EU member states.
North Korea hacked emails of South Korea president's aide - The staff member was hacked after using a personal email account for official work, the president's office said.
Defending Democracy
Imran Khan’s ‘Victory Speech’ From Jail Shows A.I.’s Peril and Promise - the New York Times says
“It was not the first time the technology had been used … but this time it got the world’s attention.”
Reporting on/from China
THE CCP’S INVESTORS: How American Venture Capital Fuels the PRC Military and Human Rights Abuses - by the USA’s Select Committee On The Strategic Competition Between The United States And The Chinese Communist Party
Urgent briefing on cybersecurity breaches vs. gov't websites sought by Philippines Government says - "on the recent cyberattacks on several Philippine government websites purportedly from Chinese hackers"
International Security and Estonia 2024 by the Estonian Foreign Intelligence Service which says:
“Threats stemming from Chinese technology are now making their way into people’s bedrooms [in Estonia] and garages through Lidar systems.
China’s Global AI Governance Initiative is yet another example of building an anti-Western Chinese ecosystem.
The spread of Chinese technology into critical infrastructure, such as energy grids, poses a threat to Estonia’s security”
Baidu partners with Lenovo in third China AI smartphone deal - China's Baidu has partnered with Lenovo to feature its generative artificial intelligence (AI) technology on Lenovo's smartphones, in the latest team up with a phone manufacturer as it seeks practical applications for its AI model
Artificial intelligence
AI and cyber security: what you need to know - Understanding the risks - and benefits - of using AI tools by the UK’s National Cyber Security Centre
Disrupting malicious uses of AI by state-affiliated threat actors - We terminated accounts associated with state-affiliated threat actors. Our findings show our models offer only limited, incremental capabilities for malicious cybersecurity tasks.
Introduction to AI assurance - from the UK’s Department of Science Innovation and Technology
How Does Access Impact Risk? Assessing AI Foundation Model Risk Along a Gradient of Access - “Specifically, as access increases, the risk of malicious use (such as fraud and other crimes, the undermining of social cohesion and democratic processes, and/or the disruption of critical infrastructure), compliance failure, taking the human out of the loop, and capability overhang (model capabilities and aptitudes not envisioned by their developers) all increase.”
Nvidia pursues $30 billion custom chip opportunity with new unit -sources - “a new business unit focused on designing bespoke chips for cloud computing firms and others, including advanced artificial intelligence (AI) processors, nine sources familiar with its plans told Reuters”
Japan's Rapidus and universities aim for 'beyond 2nm' chip tech - LSTC announced on Friday that it will develop the technology needed for designing and manufacturing "beyond 2-nanometer" chips and also chip systems for "edge AI," intended for factory automation and robotics.
Cyber proliferation
From the cyber proliferation threat all the way to Pall Mall
Poland's PM says authorities in the previous government widely and illegally used Pegasus spyware
EFF Helps News Organizations Push Back Against Legal Bullying from Cyber Mercenary Group
BBC World Service - The Documentary, Reporting Greece on Intellexa
Bounty Hunting
International Cybercrime Malware Service Dismantled by Federal Authorities - The U.S. Attorney’s Office announced today that, as part of an international law enforcement effort, federal authorities in Boston seized internet domains that were used to sell computer malware used by cybercriminals to secretly access and steal data from victims’ computers.
The reflections this week come from the video of the week ‘Rust in the Linux Kernel’ which found:
Most vulnerabilities in the Linux kernel are found in new code
Introducing Rust into such C/C++ projects provides immediate return on investment due to the reduction in memory safety vulnerabilities
The reflections? The sooner you get on the memory safety journey the kinder you are to your future self. That and you do not need to re-write everything to be a superhero..
All attribution is by others and not the UK Government unless specifically stated as such, please see the legal text at the end.
Have a lovely Thursday
Ollie
Cyber threat intelligence
Who is doing what to whom and how.
Reporting on Russia
Russian Cyberwarfare: Unpacking the Kremlin’s Capabilities
Andrei Soldatov and Irina Borogan from the Center for European Policy Analysis provide this analysis of Russian capability.
Despite this broad range of actors involved in cyber operations on various fronts, Russia doesn’t have a unified cyber command. Rather, coordination with the political decision-makers is done at the Presidential Administration level, with Russia’s Security Council an integral part of the process. Moreover, unlike in the conventional field of operations, there is no strict division of labor between the agencies in the cyber domain. Agencies traditionally focused on foreign targets have attacked domestic targets (including nongovernmental organizations, journalists, and the Russian opposition). Outside Russia, the military has targeted political and private industry and the SVR and FSB have attacked military targets, and vice versa.
https://cepa.org/comprehensive-reports/russian-cyberwarfare-unpacking-the-kremlins-capabilities/
TinyTurla Next Generation - Turla APT spies on Polish NGOs
Asheer Malhotra, Holger Unterbrink, Vitor Ventura and Arnaud Zobec find a new alleged Russian implant which is fresh from the end of 2023. The alleged targeting of Polish NGOs will be of note..
[We] identified a new backdoor authored and operated by the Turla APT group, a Russian cyber espionage threat group. This new backdoor we’re calling “TinyTurla-NG” (TTNG) is similar to Turla’s previously disclosed implant, TinyTurla, in coding style and functionality implementation.
Talos assesses with high confidence that TinyTurla-NG, just like TinyTurla, is a small “last chance” backdoor that is left behind to be used when all other unauthorized access/backdoor mechanisms have failed or been detected on the infected systems.
TinyTurla-NG was seen as early as December 2023 targeting a Polish non-governmental organization (NGO) working on improving Polish democracy and supporting Ukraine during the Russian invasion.
We’ve also discovered previously unknown PowerShell scripts we’re calling “TurlaPower-NG” that are meant to act as file exfiltrators. TinyTurla-NG deployed these scripts to exfiltrate key material used to secure the password databases of popular password management software, indicating a concerted effort for Turla to steal login credentials.
https://blog.talosintelligence.com/tinyturla-next-generation/
PORTAL KOMBAT A structured and coordinated pro-Russian propaganda network
French Government reporting here which gives a sense as to the scale of the network they alleged is aligned with Russian interests.
Between September and December 2023, VIGINUM analysed the activity of a network of "information portals" with similar characteristics, disseminating pro-Russian content and targeting several western countries, including France.
Although this network of at least 193 sites initially covered news from Russian and Ukrainian localities, it changed the day after Russia invaded Ukraine and started to target occupied Ukrainian territories, then several western countries supporting Ukraine and its population.
The sites in this network do not produce any original content but massively relay publications from sources that are primarily three types: social media accounts of Russian or pro-Russian actors, Russian news agencies, and official websites of local institutions or actors.
The main objective seems to be to cover the Russo-Ukrainian conflict by presenting positively "the special military operation" and denigrating Ukraine and its leaders. Very ideologically oriented, this content repeatedly presents inaccurate or misleading narratives. As for the portal targeting France, pravda-fr[.]com, it directly contributes to polarize the Francophone digital public debate.
In order to reach a wide audience, this network uses several techniques such as the careful selection of pro-Russian propaganda sources according to the targeted locality, massive automation in the distribution of content, or search engines optimization.
https://www.sgdsn.gouv.fr/files/files/20240212_NP_SGDSN_VIGINUM_PORTAL-KOMBAT-NETWORK_ENG_VF.pdf
Reporting on China
China’s Cyber Revenge | Why the PRC Fails to Back Its Claims of Western Espionage
Dakota Cary provides this analysis of China allegedly appearing to try to emulate Western reporting, but with some caveats.
China launched an offensive media strategy to push narratives around US hacking operations following a joint statement by the US, UK, and EU in July 2021 about China’s irresponsible behavior in cyberspace.
Some PRC cybersecurity companies now coordinate report publication with government agencies and state media to amplify their impact.
Allegations of US hacking operations by China lack crucial technical analysis to validate their claims. Until 2023, these reports recycled old, leaked US intelligence documents. After mid-2023, the PRC dropped pretense of technical validation and only released allegations in state media.
The cyber-focused media campaign preceded the 2023 efforts of China’s Ministry of State Security to disclose accounts of western spying in the PRC.
VOLTZITE Espionage Operations Targeting U.S. Critical Systems
Josh Hanrahan provides reporting which shows alleged Chinese interest in various parts of Critical National Infrastructure in the United States and wider. CNI has been warned..
VOLTZITE is a Dragos designated threat group. This threat group shares overlaps with the adversary described by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in May 2023, and the Microsoft threat group Volt Typhoon. VOLTZITE has been observed performing reconnaissance and enumeration of multiple U.S.-based electric companies since early 2023, and since then has targeted emergency management services, telecommunications, satellite services, and the defense industrial base. Additionally, Dragos has discovered VOLTZITE targeting electric transmission and distribution organizations in African nations. VOLTZITE employs living off the land (LOTL) techniques; they use native tools available in compromised assets. This strategy, paired with slow and steady reconnaissance, enables VOLTZITE to avoid detection for lengthy periods of time.
Targeting the electric sector, satellite, telecommunications, emergency management, and defense industrial bases.
Targeting networks in the United States and Africa.
Conducts slow and steady reconnaissance against a target.
Employs mostly living off the land (LOTL) techniques and exhibits a high level of operational security practices.
Deploys various web shells and FRP, a fast reverse proxy tool, for command and control (C2) communications.
C2 traffic frequently talks back to compromised SOHO (Small Office and Home Office) networking equipment or adversary leased VPS (Virtual Private Server) infrastructure.
Compromises SOHO networking equipment.
Uses open-source tooling and web shells.
Leverages credential theft to facilitate lateral movement.
https://hub.dragos.com/hubfs/116-Datasheets/Dragos_IntelBrief_VOLTZITE_FINAL.pdf?hsLang=en
Reporting on North Korea
North Korea created thousands of gambling sites and sold them to South Korean criminal organizations
Reporting from South Korea which shows that North Korea is allegedly using all manner of activities to do alleged base things in cyber space. Who had state backed M&A with cyber criminal gangs on their bingo card?
'Gyeongheung Information Technology Exchange Company', an illegal foreign currency earning organization under Room 39, was discovered.
NIS: “North Korea is deeply involved behind domestic cyber gambling crimes”
Reporting on Iran
Tool of First Resort: Israel-Hamas War in Cyber
Sandra Joyce and Shane Huntley provide insight into the scale and breadth of alleged Iranian operations along with blended information operations. This is what modern cyber looks like and the level of aggression is of note..
In our latest report, Tool of First Resort: Israel-Hamas War in Cyber, we share our findings on a different tactical approach — and the escalation in offensive cyber operations in the wake of the October 7 terrorist attacks. Notably, after the terrorist attacks by Hamas, we observed the steady stream of cyber operations by Iran and Hezbollah-linked groups become more focused, more concentrated, and — among other objectives — geared toward undercutting public support for the war.
Iran continues to aggressively target Israeli and US entities, often with mixed results. This steady focus suggests that Hamas’ attack did not fundamentally shift Tehran’s strategy, but after the attack took place, we saw a more focused effort, concentrated on undercutting public support for the war. This includes:
Destructive attacks against key Israeli organizations
Hack-and-leak operations including exaggerated claims of attacks against critical infrastructure in Israel and the US
IO to demoralize Israeli citizens, erode trust in critical organizations and turn global public opinion against Israel
Phishing campaigns directed toward users based in Israel and the US to collect intelligence on key decision makers
https://blog.google/technology/safety-security/tool-of-first-resort-israel-hamas-war-in-cyber/
CharmingCypress: Innovating Persistence
Ankur Saini, Callum Roxan, Charlie Gardner and Damien Cash detail campaigns from this alleged Iranian nexus actor. They are using phishing and going so far as to create a whole fake webinar platform as part of their lure.
CharmingCypress uses a variety of script-based malware families to target Middle East Policy experts
Malware-laden VPN apps used to install backdoors & limit access to fake webinar platform
BASICSTAR malware expands on existing known malware families used by CharmingCypress
Post-exploitation tools RATHOLE & SNAILPROXY deployed
https://www.volexity.com/blog/2024/02/13/charmingcypress-innovating-persistence/
Reporting on Other Actors
Adversarial Threat Report: Countering the Surveillance-for-Hire Industry & Influence Operations
Ben Nimmo, Margarita Franklin, Dr. Lindsay Hundley, David Agranovich, Margie Milam and Mike Dvilyanski come together and provide a broad waterfront of reporting which gives a sense of the scale of adversarial behaviour from threat actors in the modern world.
In this Adversarial Threat Report, we’re sharing updates on our work against the surveillance-for-hire industry, our Q4 takedowns of new CIB networks in China, Myanmar and Ukraine, and an annual update on the adversarial trends we’ve identified in the two years since Russia began its full-scale war against Ukraine.
Countering spyware: In our third annual report, we share notable trends and tactics across our investigations into the surveillance-for-hire industry targeting people around the world. It includes findings related to eight firms from Italy, Spain and the United Arab Emirates: Cy4Gate; RCS Labs; IPS Intelligence; Variston IT; TrueL IT; Protect Electronic Systems; Negg Group; and Mollitiam Industries.
They targeted iOS, Android, and Windows devices. Their various malware included capabilities to collect and access device information, location, photos and media, contacts, calendar, email, SMS, social media and messaging apps and enable microphone, camera and screenshot functionality. Their scraping, social engineering and phishing activity targeted Facebook, Instagram, X (formerly Twitter), YouTube, Skype, GitHub, Reddit, Google, LinkedIn, Quora, Tumblr, VK, Flickr, TikTok, SnapChat, Gettr, Viber, Twitch and Telegram.
Hamas-linked SameCoin campaign malware analysis
Reporting here out of Israel which shows that social engineering isn’t only the domain of alleged North Korean, Russian, Iranian or commercial hack for hire operations. Allegedly Hamas-linked actors also employ it.
the infection vector appears to be an email impersonating the Israeli National Cyber Directorate (INCD), sent on February 11, 2024. The email explains that “The INCD has detected an imminent, major cyber attack sponsored by Iran, exploiting previously-unknown vulnerabilities in the personal computers and mobile phones of our citizens”. It urges the reader to download “security patches” for macOS, iOS, Windows and Android, with the macOS and iOS links pointing at non-existing URLs under the legitimate INCD website. Victims who download and execute the Android or Windows application links in the malicious emails are infected with a wiper.
https://harfanglab.io/insidethelab/samecoin-malware-hamas/
Coyote: A multi-stage banking Trojan abusing the Squirrel installer
Criminal actors are using another executable content generator for their malicious code, coupled with NodeJS, in an attempt to fly under malware detection engines.
This malware utilizes the Squirrel installer for distribution, leveraging NodeJS and a relatively new multiplatform programming language called Nim as a loader to complete its infection.
https://securelist.com/coyote-multi-stage-banking-trojan/111846/
Diving Into Glupteba's UEFI Bootkit
Whoever said that Advanced and Persistent was solely the domain of states and commercial outfits? Alleged criminal UEFI/bootkit usage here, noting we have seen similar before.
Glupteba is advanced, modular and multipurpose malware that, for over a decade, has mostly been seen in financially driven cybercrime operations. This article describes the infection chain of a new campaign that took place around November 2023.
Despite being active for over a decade, certain capabilities that Glupteba’s authors have added have remained undiscovered or unreported – until now. We will focus on one intriguing and previously undocumented feature: a Unified Extensible Firmware Interface (UEFI) bootkit. This bootkit can intervene and control the OS boot process, enabling Glupteba to hide itself and create a stealthy persistence that can be extremely difficult to detect and remove.
https://unit42.paloaltonetworks.com/glupteba-malware-uefi-bootkit/
Bumblebee Buzzes Back in Black
Axel F and Selena Larson detail the return of this actor and the use of a voice mail lure.
[We] identified the return of Bumblebee malware to the cybercriminal threat landscape on 8 February 2024 after a four-month absence from Proofpoint threat data. Bumblebee is a sophisticated downloader used by multiple cybercriminal threat actors and was a favored payload from its first appearance in March 2022 through October 2023 before disappearing.
In the February campaign, [we] observed several thousand emails targeting organizations in the United States with the subject "Voicemail February" from the sender "info@quarlesaa[.]com" that contained OneDrive URLs. The URLs led to a Word file with names such as "ReleaseEvans#96.docm" (the digits before the file extension varied). The Word document spoofed the consumer electronics company Humane.
https://www.proofpoint.com/us/blog/threat-insight/bumblebee-buzzes-back-black
Discovery
How we find and understand the latent compromises within our environments.
Tracking ShadowPad Infrastructure Via Non-Standard Certificates
Good analytical discovery tradecraft on show here, showing there is still merit in these techniques.
This post will examine ShadowPad infrastructure linked to a yet-to-be-identified threat actor. What makes this activity different is a slight change in the HTTP response headers and the use of a certificate attempting to spoof American technology company, Dell. Within this group of IPs, there are additional subsets of activity utilizing different port configurations and some interesting domains, discussed later in this article.
https://hunt.io/blog/tracking-shadowpad-infrastructure-via-non-standard-certificates
lolcerts
A repository of code signing certificates known to have been leaked or stolen, then abused by threat actors
https://github.com/WithSecureLabs/lolcerts
BGPWatch — A comprehensive platform for detecting and diagnosing hijacking incidents
Jilong Wang details a platform which is open to the public to help network owners; we would encourage those who should to make use of it. In the UK we run a similar service called NCSC BGP Spotlight as part of our Active Cyber Defence programme.
Now that we have integrated prefix hijack detection capabilities into the platform and created tools to assist network operators in monitoring their networks, our next step is to integrate path hijack detection capabilities and expand detection at the data level.
Having tested the BGPWatch platform across 15 of our 19 partner networks, feedback from network operators has been overwhelmingly positive.
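To make concrete what a prefix hijack check of this kind does, here is an added Python example; it is not BGPWatch's code and is not taken from the post. It applies RFC 6811 route origin validation to a handful of constructed announcements against a constructed ROA-style allow list (the prefixes are documentation ranges and the ASNs are private-use placeholders), flagging exact-prefix origin hijacks as well as more-specific announcements that exceed the authorised maximum length, and shows what an operator-facing alert list would contain. Path hijack detection, which the post names as the next step, is not modelled.

```python
"""Prefix hijack check modelled on RFC 6811 route origin validation.

Added example, not BGPWatch's implementation. All prefixes and ASNs below
are constructed placeholders (documentation ranges, private-use ASNs).
"""
import ipaddress

# Constructed ROA-style allow list: (prefix, max_length, authorised origin ASN).
ROAS = [
    ("203.0.113.0/24", 24, 64500),
    ("198.51.100.0/23", 24, 64501),
    ("2001:db8::/32", 48, 64500),
]

# Constructed announcements as a route collector might report them: (prefix, origin ASN).
OBSERVED = [
    ("203.0.113.0/24", 64500),     # legitimate
    ("203.0.113.0/24", 64666),     # exact-prefix origin hijack
    ("198.51.100.128/25", 64501),  # right origin, but more specific than maxLength
    ("198.51.100.0/24", 64666),    # sub-prefix hijack from an unexpected origin
    ("198.51.100.0/23", 64501),    # legitimate
    ("192.0.2.0/24", 64502),       # no ROA covers it: not-found, not an alert
    ("2001:db8:1::/48", 64500),    # legitimate IPv6 more-specific within maxLength
]


def validate_origin(prefix, origin_asn, roas=ROAS):
    """Classify one announcement as ('valid'|'invalid'|'not-found', detail).

    valid:     some covering ROA matches the origin and the prefix is no longer
               than that ROA's maxLength.
    invalid:   at least one ROA covers the prefix but none makes it valid.
    not-found: no ROA covers the prefix at all (no opinion, so no alert).
    """
    net = ipaddress.ip_network(prefix)
    reasons = []
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        # A ROA covers the announcement only within the same address family
        # and only if the announced prefix lies inside (or equals) the ROA prefix.
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        if origin_asn == roa_asn and net.prefixlen <= max_len:
            return ("valid", f"covered by ROA {roa_prefix} maxLength {max_len} AS{roa_asn}")
        if origin_asn != roa_asn:
            reasons.append(f"origin AS{origin_asn} does not match ROA AS{roa_asn} for {roa_prefix}")
        else:
            reasons.append(f"/{net.prefixlen} exceeds maxLength {max_len} of ROA {roa_prefix}")
    if reasons:
        return ("invalid", "; ".join(reasons))
    return ("not-found", "no ROA covers this prefix")


def hijack_alerts(observed, roas=ROAS):
    """Return (prefix, origin ASN, detail) for every announcement judged invalid."""
    alerts = []
    for prefix, origin_asn in observed:
        state, detail = validate_origin(prefix, origin_asn, roas)
        if state == "invalid":
            alerts.append((prefix, origin_asn, detail))
    return alerts


if __name__ == "__main__":
    for prefix, asn in OBSERVED:
        state, detail = validate_origin(prefix, asn)
        print(f"{state:9} {prefix:20} AS{asn}  {detail}")
    print(f"\n{len(hijack_alerts(OBSERVED))} announcement(s) would raise an alert")
```

The not-found state is deliberately kept separate from invalid: an operator who has not published ROAs for a prefix gets no false alarm, which is also why coverage of the expected-origin table matters as much as the check itself.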
Defence
How we proactively defend our environments.
Overview: Evidence Collection of Ivanti Connected Secure Appliances
A write-up on how to do forensics on these devices given the recent “challenges”..
Combining Cybersecurity Frameworks: An Alternative to Incident Reporting
Efstratios Lontzetidis provides a perspective where various frameworks are combined. It will be interesting to see what real world value stems from this.
Sharing incident reporting findings is essential for the collective defense of the community, enabling proactive actions and preparation against evolving threats. The reporting methodology employed should yield valuable insights, spanning both technical details and high-level strategic considerations. In this article, we examined an innovative approach that combines the Cyber Kill Chain (CKC) phases, Diamond Model (DM) vertices, and MITRE ATT&CK tactics and techniques simultaneously. This holistic approach aims to capture both the technical intricacies and the modus operandi of threat actors.
Incident Writeups & Disclosures
How they got in and what they did.
Juniper Support Portal Exposed Customer Device Info
A vulnerability found by a 17-year-old intern..
Until earlier [last] week, the support website for networking equipment vendor Juniper Networks was exposing potentially sensitive information tied to customer products, including which devices customers bought, as well as each product’s warranty status, service contracts and serial numbers. Juniper said it has since fixed the problem, and that the inadvertent data exposure stemmed from a recent upgrade to its support portal.
https://krebsonsecurity.com/2024/02/juniper-support-portal-exposed-customer-device-info/
Vulnerability
Our attack surface.
An Investigation of Patch Porting Practices of the Linux Kernel Ecosystem
Xingyu Li, Zheng Zhang, Zhiyun Qian, Trent Jaeger and Chengyu Song evidence that zero-days may not be required..
However, several concerns have been expressed in prior work about the responsiveness of patch porting in this Linux ecosystem. In this paper, we mine the software repositories to investigate a range of Linux distributions in combination with Linux stable and LTS, and find diverse patch porting strategies and competence levels that help explain the phenomenon. Furthermore, we show concretely using three metrics, i.e., patch delay, patch rate, and bug inheritance ratio, that different porting strategies have different tradeoffs. We find that hinting tags (e.g., Cc stable tags and fixes tags) are significantly important to the prompt patch porting, but it is noteworthy that a substantial portion of patches remain devoid of these indicative tags. Finally, we offer recommendations based on our analysis of the general patch flow, e.g., interactions among various stakeholders in the ecosystem and automatic generation of hinting tags, as well as tailored suggestions for specific porting strategies.
https://arxiv.org/abs/2402.05212
Apktool arbitrary file writing vulnerability analysis CVE-2024-21633
Chinese reporting on this vulnerability which means that researchers should juggle malicious APKs carefully..
CVE-2024-21633: Apktool is vulnerable in version 2.9.1 and earlier. Apktool determines the output path of a resource file from the resource name. An attacker can use this behaviour to place the file at a location of their choosing on the system. Therefore, an attacker can write or overwrite any file that the user has write permission to, including files in the current working directory under the user's home directory if the user name is known.
For example, a resource named foo with path res/raw/bar will be extracted to res/raw/foo. But the resource name is not verified, so if the resource name is changed from foo to ../../../../../../../../../../../../tmp/poc, the res/raw/bar file will end up at /tmp/poc on a Linux system. The vulnerability similarly exists on Windows systems.
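As an added example (not Apktool's code, and not taken from the reporting above), the Python below models the defect just described beside the fix a defender would want: the vulnerable pattern joins the attacker-controlled resource name straight onto the output directory, while the hardened resolver canonicalises the result and refuses anything that leaves that directory. The sample resource names, the scratch output directory and the Windows-style name are all constructed for the demonstration; the containment check generalises to any archive or resource extractor that derives output paths from untrusted names.

```python
"""Path-containment check for resource extraction.

Added example, not Apktool's code. Shows the vulnerable join-the-name pattern
beside a hardened resolver that rejects names escaping the output directory.
"""
import os
import posixpath
import tempfile
from pathlib import PureWindowsPath

# Constructed sample resources: (resource name, path recorded inside the APK).
# The second name mirrors the traversal pattern from the write-up; the
# backslash name is an added case for the portability check below.
SAMPLE_RESOURCES = [
    ("foo", "res/raw/bar"),                                          # benign
    ("../../../../../../../../../../../../tmp/poc", "res/raw/bar"),  # escapes out dir
    ("sub/dir/file", "res/raw/baz"),                                 # nested but contained
    ("..\\..\\evil", "res/raw/qux"),                                 # Windows-style traversal
]


def unsafe_output_path(out_dir, resource_dir, resource_name):
    """The vulnerable pattern: trust the name and join it onto the output
    directory. Purely lexical (posixpath) so the result is deterministic."""
    return posixpath.normpath(posixpath.join(out_dir, resource_dir, resource_name))


def safe_output_path(out_dir, resource_dir, resource_name):
    """Hardened resolver: return the output path, or raise ValueError if the
    resource name would land outside out_dir."""
    # Portable pre-checks: no backslashes (a separator on Windows) and no
    # absolute names in either POSIX or Windows form.
    if ("\\" in resource_name
            or resource_name.startswith("/")
            or PureWindowsPath(resource_name).is_absolute()):
        raise ValueError(f"rejected resource name: {resource_name!r}")
    out_root = os.path.realpath(out_dir)
    candidate = os.path.realpath(os.path.join(out_root, resource_dir, resource_name))
    # Containment by path component: a plain string prefix test would wrongly
    # accept /out2/x as being inside /out.
    if os.path.commonpath([out_root, candidate]) != out_root:
        raise ValueError(f"resource name escapes output directory: {resource_name!r}")
    return candidate


def audit_resources(resources, out_dir):
    """Classify each (name, src_path) pair as 'ok' or 'rejected' under the safe resolver."""
    results = []
    for name, src in resources:
        resource_dir = posixpath.dirname(src)  # e.g. "res/raw"
        try:
            safe_output_path(out_dir, resource_dir, name)
            results.append((name, "ok"))
        except ValueError:
            results.append((name, "rejected"))
    return results


def demo():
    """Run the audit against a scratch output directory and return the verdicts."""
    out_dir = tempfile.mkdtemp(prefix="apk-out-")
    try:
        return audit_resources(SAMPLE_RESOURCES, out_dir)
    finally:
        os.rmdir(out_dir)


if __name__ == "__main__":
    for name, verdict in demo():
        print(f"{verdict:8} {name}")
    traversal_name = SAMPLE_RESOURCES[1][0]
    print("unsafe join would write to:", unsafe_output_path("/opt/apk-out", "res/raw", traversal_name))
```

The realpath step matters as much as the commonpath test: it collapses the `..` components and follows symlinks inside the output directory, so a name that only escapes after normalisation is still caught.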
Offense
Attack capability, techniques and trade-craft.
LoFP - Living off of False Positives
Terrifying OR living in the noise, depending on your perspective, by Justin..
Living off the False Positive is an autogenerated collection of false positives sourced from some of the most popular rule sets. The information is categorized along with ATT&CK techniques, rule source, and data source. Entries include details from related rules along with their description and detection logic.
Red teams can use this information to blend in by mimicking or looking similar to the FP activity. Alert fatigue often causes analysts to readily ignore things even remotely false positive. At the very least, it will instill doubt.
Blue teams on the other hand, can use this information to assess weak spots in their detection logic. They can also compare across rule sets to see if it is a broad tendency, or maybe something more specific to a particular vendor. It can also assist during alert triage and investigation, by looking at common FPs around certain techniques and data sources.
https://br0k3nlab.com/posts/2024/02/introducing-lofp/
NativeThreadpool: Worker and timer callback example using solely Native Windows APIs
Dylan Evans provides a new corpus to ensure detection coverage.
A proof of concept demonstrating how to create a thread pool using solely native Windows APIs to execute a work, timer, and wait callback using the C programming language.
https://github.com/fin3ss3g0d/NativeThreadpool
Sudo On Windows a Quick Rundown
James Forshaw shows why the design of this feature might need to be reviewed..
https://www.tiraniddo.dev/2024/02/sudo-on-windows-quick-rundown.html
Unmanaged .NET Patching
Kyle Avery provides a new technique which deserves some detection effort on Windows.
[An] unmanaged implant executing managed code in-process. While our example targets System.Environment.Exit, a similar technique should work for any managed function.
https://www.outflank.nl/blog/2024/02/01/unmanaged-dotnet-patching/
Exploitation
What is being exploited.
CVE-2024-21412: Water Hydra Targets Traders with Microsoft Defender SmartScreen Zero-Day
Peter Girnus, Aliakbar Zahravi and Simon Zuckerbraun show that criminal researchers are really quite capable.
The APT group Water Hydra has been exploiting the Microsoft Defender SmartScreen vulnerability (CVE-2024-21412) in its campaigns targeting financial market traders.
The Water Hydra group was first detected in 2021, when it gained notoriety for targeting the financial industry, launching attacks against banks, cryptocurrency platforms, forex and stock trading platforms, gambling sites, and casinos worldwide.
In late December 2023, we began tracking a campaign by the Water Hydra group that contained similar tools, tactics, and procedures (TTPs) that involved abusing internet shortcuts (.URL) and Web-based Distributed Authoring and Versioning (WebDAV) components. In this attack chain, the threat actor leveraged CVE-2024-21412 to bypass Microsoft Defender SmartScreen and infect victims with the DarkMe malware.
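A defender-side triage check prompted by the .URL and WebDAV angle above, as an added example that is not part of the Trend Micro write-up: it parses Internet Shortcut (.URL) files and flags those whose target resolves over WebDAV or a UNC share rather than a local file or an ordinary web URL. The sample files, their TEST-NET hosts and the function names are constructed for this example; the `host@80` / `host@SSL` form is the syntax the Windows WebDAV redirector accepts in UNC paths.

```python
import configparser
import re


# Constructed sample .URL files (not from the report); each string is the text
# of one Internet Shortcut. Hosts are TEST-NET addresses.
def shortcut(target: str) -> str:
    return "[InternetShortcut]\nURL=" + target + "\n"


SAMPLES = {
    "benign.url": shortcut("https://www.example.org/"),
    "local_file.url": shortcut("file:///C:/Users/Public/readme.txt"),
    "webdav_port.url": shortcut(r"file://\\203.0.113.10@80\share\update.url"),
    "webdav_ssl.url": shortcut(r"\\203.0.113.10@SSL\DavWWWRoot\update.url"),
    "plain_unc.url": shortcut(r"\\203.0.113.10\share\update.url"),
}

DRIVE_RE = re.compile(r"^[A-Za-z]:$")
# host@80 / host@SSL is the form the Windows WebDAV redirector uses in UNC paths.
WEBDAV_HOST_RE = re.compile(r"@(\d+|SSL)$", re.IGNORECASE)


def parse_internet_shortcut(text: str) -> dict:
    """Parse the INI-style .URL format; returns the [InternetShortcut] keys, lower-cased."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section("InternetShortcut"):
        raise ValueError("no [InternetShortcut] section")
    return dict(cp.items("InternetShortcut"))


def file_target_host(url: str):
    """Host component of a file:// or UNC target; None for any other scheme."""
    u = url.strip()
    if u.lower().startswith("file:"):
        rest = u[len("file:"):]
    elif u.startswith("\\\\") or u.startswith("//"):
        rest = u
    else:
        return None
    rest = rest.replace("\\", "/").lstrip("/")
    return rest.split("/", 1)[0]


def classify(url: str) -> str:
    host = file_target_host(url)
    if host is None:
        return "web"                 # http/https: the browser handles it
    if host == "" or host.lower() == "localhost" or DRIVE_RE.match(host):
        return "local-file"
    if WEBDAV_HOST_RE.search(host):
        return "remote-webdav"       # shortcut resolves over WebDAV
    return "remote-unc"              # shortcut resolves over SMB/UNC


def triage(samples: dict) -> dict:
    """Map each sample name to its classification; unparsable files are reported as such."""
    out = {}
    for name, text in samples.items():
        try:
            url = parse_internet_shortcut(text).get("url", "")
            out[name] = classify(url)
        except (ValueError, configparser.Error):
            out[name] = "unparsable"
    return out


def flagged(samples: dict) -> list:
    """Names of shortcuts whose target is fetched from a remote host: worth a closer look."""
    return sorted(n for n, c in triage(samples).items() if c.startswith("remote-"))


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name:18} {verdict}")
```

A shortcut that points at a remote share is not malicious by itself; the point is that a .URL whose first hop is a WebDAV or UNC host is the kind of artefact that deserves a second look in mail and download telemetry, and the classification above gives a cheap first filter.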
The Importance of Patching: An Analysis of the Exploitation of N-Day Vulnerabilities
Well, exploitation continues…
The following supplementary research provides an analysis of the exploitation of resolved N-Day Fortinet vulnerabilities. "N-Day vulnerabilities" refer to known vulnerabilities for which a patch or fix is available but for which organizations have not yet resolved via patching.
Fortinet continues to monitor ongoing activity by threat actors targeting known, unpatched vulnerabilities, specifically:
December 2022 - FG-IR-22-398 / CVE-2022-42475
June 2023 - FG-IR-23-097 / CVE-2023-27997
Fortinet continues to urge all customers to take immediate action to review the guidance, assess whether affected, and if appropriate, upgrade their FortiGate devices as advised, and follow Fortinet’s public advisories.
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
BTIGhidra
Ian Smith releases this new work aid for reverse engineers..
[We are] releasing BTIGhidra, a Ghidra extension that helps reverse engineers by inferring type information from binaries. The analysis is inter-procedural, propagating and resolving type constraints between functions while consuming user input to recover additional type information. This refined type information produces more idiomatic decompilation, enhancing reverse engineering comprehension. The figures below demonstrate how BTIGhidra improves decompilation readability without any user interaction:
https://blog.trailofbits.com/2024/02/07/binary-type-inference-in-ghidra/
Effective Data-Race Detection for the Kernel
Original research by John Erickson, Madan Musuvathi, Sebastian Burckhardt, and Kirk Olynyk from 2010, which has since resulted in the Kernel Concurrency Sanitizer (KCSAN) for finding knotty race conditions.
https://www.microsoft.com/en-us/research/publication/effective-data-race-detection-for-the-kernel/
The Kernel Concurrency Sanitizer (KCSAN) is a dynamic race detector, which relies on compile-time instrumentation, and uses a watchpoint-based sampling approach to detect races. KCSAN's primary purpose is to detect data races.
https://www.kernel.org/doc/html/next/dev-tools/kcsan.html
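To make the watchpoint-based sampling idea concrete, here is an added Python simulation (neither KCSAN's code nor the paper's) that replays a serialized trace of memory accesses through a detector with KCSAN's two reporting paths: a conflicting access from another thread hitting an armed watchpoint, and a value change observed when the stall ends without a hit, which is how races with uninstrumented writers (assembly, DMA, code compiled without instrumentation) surface. The traces, the fixed sampling interval and the `window` length are constructed assumptions for the example; real KCSAN randomises both and runs in the kernel rather than over a trace.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Access:
    tid: int                     # thread/CPU performing the access
    addr: str                    # variable name standing in for an address
    op: str                      # "r" or "w"
    value: Optional[int] = None  # value stored by a write
    marked: bool = False         # READ_ONCE/WRITE_ONCE/atomic-style access
    instrumented: bool = True    # False: compiler did not instrument it (asm, DMA, excluded code)


@dataclass
class Report:
    kind: str                    # "observed" (watchpoint hit) or "value-changed"
    addr: str
    first: Access                # the watched access
    second: Optional[Access]     # the conflicting access, if one was seen


def detect(trace: List[Access], sample_every: int = 4, window: int = 3) -> List[Report]:
    """Replay a serialized access trace through a KCSAN-style watchpoint sampler.

    Every `sample_every`-th instrumented plain access gets a watchpoint and is
    stalled for `window` further accesses (the stall is what gives a racing
    thread the chance to show up). A conflicting access from another thread
    hits the watchpoint; otherwise the value is re-read when the stall ends and
    a change is reported as a race with an unknown (uninstrumented) writer.
    """
    memory = {}
    reports: List[Report] = []
    watch = None
    for i, acc in enumerate(trace):
        # 1. Instrumented accesses check for an armed watchpoint on their address.
        if watch is not None and acc.instrumented:
            w = watch["access"]
            conflicting = (acc.addr == w.addr and acc.tid != w.tid
                           and "w" in (acc.op, w.op))      # read/read is never a race
            if conflicting and not watch["hit"]:
                reports.append(Report("observed", acc.addr, w, acc))
                watch["hit"] = True
        # 2. The access itself takes effect.
        if acc.op == "w":
            memory[acc.addr] = acc.value
        # 3. Advance the stall of the armed watchpoint, or decide whether to arm one.
        if watch is not None:
            watch["remaining"] -= 1
            if watch["remaining"] == 0:
                w = watch["access"]
                if not watch["hit"] and memory.get(w.addr) != watch["snapshot"]:
                    reports.append(Report("value-changed", w.addr, w, None))
                watch = None
        elif (i + 1) % sample_every == 0 and acc.instrumented and not acc.marked:
            # Marked accesses are never watched, so a race is only reported
            # when at least one side is a plain access.
            watch = {"access": acc, "snapshot": memory.get(acc.addr),
                     "remaining": window, "hit": False}
    return reports


def summarize(reports: List[Report]):
    return [(r.kind, r.addr, r.first.tid, r.second.tid if r.second else None)
            for r in reports]


# Constructed traces (not real kernel data). Threads 1 and 2 run instrumented code.
# Two plain read-modify-write sequences on `counter` and `flag` racing each other.
RACY_TRACE = [
    Access(1, "counter", "r"), Access(2, "flag", "r"), Access(1, "counter", "w", 1),
    Access(1, "counter", "r"),                 # sampled: watchpoint armed on counter
    Access(2, "counter", "r"), Access(2, "counter", "w", 2),   # thread 2 writes -> hit
    Access(1, "flag", "w", 1), Access(2, "flag", "r"),         # sampled: watchpoint on flag
    Access(1, "counter", "r"), Access(1, "flag", "w", 0), Access(2, "counter", "r"),
]
# A buffer overwritten by something the compiler did not instrument (tid 0 stands for DMA).
UNINSTRUMENTED_WRITE_TRACE = [
    Access(1, "buf", "w", 10), Access(1, "buf", "r"), Access(1, "len", "r"),
    Access(1, "buf", "r"),                     # sampled: snapshot of buf is 10
    Access(0, "buf", "w", 99, instrumented=False),
    Access(1, "len", "r"), Access(1, "len", "r"),
]
# Properly marked concurrent accesses: intended, nothing to report.
MARKED_TRACE = [
    Access(1, "x", "w", 1, marked=True), Access(2, "y", "r"), Access(1, "x", "r", marked=True),
    Access(1, "x", "r", marked=True), Access(2, "x", "w", 2, marked=True),
    Access(2, "y", "r"), Access(2, "y", "r"),
]

if __name__ == "__main__":
    for name, trace in [("racy", RACY_TRACE), ("dma", UNINSTRUMENTED_WRITE_TRACE),
                        ("marked", MARKED_TRACE)]:
        print(name, summarize(detect(trace)))
```

The second trace is the case the value-change path exists for: no instrumented access ever touches the watchpoint, yet the re-read at the end of the stall shows the memory moved under the watched thread. The price of sampling is also visible in the first trace: only the accesses that happen to be watched are checked, which is why KCSAN needs long runs and randomised delays to build confidence.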
http-garden: Differential testing and fuzzing of HTTP servers and proxies
Expect more protocol interoperability vulnerabilities..
The HTTP Garden is a collection of HTTP servers and proxies configured to be composable, along with scripts to interact with them in a way that makes finding vulnerabilities much much easier.
https://github.com/narfindustries/http-garden/
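The differential idea behind the HTTP Garden, as an added example that is not the project's own code: two toy request parsers that differ in how they treat whitespace before a header colon and a repeated Content-Length (RFC 7230 says both should be rejected with a 400), run side by side over a constructed corpus, with every input on which they disagree reported as a finding. The parsers, the corpus and the function names are assumptions made for the example; the real project drives actual server and proxy implementations the same way.

```python
from typing import Callable, Dict, List, Tuple


def parse_strict(raw: bytes) -> dict:
    """Rejects (400) whitespace before the colon and repeated header names."""
    try:
        head, _, body = raw.partition(b"\r\n\r\n")
        lines = head.split(b"\r\n")
        method, target, _version = lines[0].split(b" ")
        headers = {}
        for line in lines[1:]:
            name, sep, value = line.partition(b":")
            if not sep or name == b"" or name != name.strip():
                return {"status": 400}          # malformed field name
            key = name.lower()
            if key in headers:
                return {"status": 400}          # duplicate header: ambiguous
            headers[key] = value.strip()
        length = int(headers.get(b"content-length", b"0"))
        return {"status": 200, "method": method.decode(), "target": target.decode(),
                "body": body[:length]}          # a real server would wait for `length` bytes
    except ValueError:
        return {"status": 400}


def parse_lenient(raw: bytes) -> dict:
    """Tolerates whitespace around the field name and keeps the first of repeated headers."""
    try:
        head, _, body = raw.partition(b"\r\n\r\n")
        lines = head.split(b"\r\n")
        method, target, _version = lines[0].split(b" ")
        headers = {}
        for line in lines[1:]:
            name, sep, value = line.partition(b":")
            if not sep:
                continue                        # silently drops malformed lines
            key = name.strip().lower()          # "Content-Length : 5" is accepted
            headers.setdefault(key, value.strip())
        length = int(headers.get(b"content-length", b"0"))
        return {"status": 200, "method": method.decode(), "target": target.decode(),
                "body": body[:length]}
    except ValueError:
        return {"status": 400}


PARSERS: Dict[str, Callable[[bytes], dict]] = {"strict": parse_strict, "lenient": parse_lenient}

# Constructed corpus: one well-formed request and two with known interop ambiguities.
CORPUS: Dict[str, bytes] = {
    "plain": b"POST /a HTTP/1.1\r\nHost: h\r\nContent-Length: 5\r\n\r\nhello",
    "space-before-colon": b"POST /a HTTP/1.1\r\nHost: h\r\nContent-Length : 5\r\n\r\nhello",
    "dup-content-length": b"POST /a HTTP/1.1\r\nHost: h\r\nContent-Length: 2\r\nContent-Length: 5\r\n\r\nhello",
}


def canon(result: dict) -> tuple:
    """Normalise a parse result so implementations can be compared field by field."""
    return (result["status"], result.get("method"), result.get("target"), result.get("body"))


def differential(parsers: Dict[str, Callable[[bytes], dict]],
                 corpus: Dict[str, bytes]) -> List[Tuple[str, Dict[str, tuple]]]:
    """Run every input through every parser; return the inputs on which they disagree."""
    findings = []
    for name, raw in corpus.items():
        results = {pname: canon(p(raw)) for pname, p in parsers.items()}
        if len(set(results.values())) > 1:
            findings.append((name, results))
    return findings


if __name__ == "__main__":
    for name, results in differential(PARSERS, CORPUS):
        print(name)
        for pname, r in results.items():
            print("   ", pname, r)
```

The finding is the disagreement itself, not either parser's verdict: a proxy and an origin that land on different sides of such a case are the interoperability bugs the Garden is built to surface, and the same harness shape scales to any number of implementations by adding entries to the parser table.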
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Aggregate reporting
Review of [UK] research bureaucracy - An independent review of research bureaucracy, and methods to free up and support researchers to focus on research.
Artificial intelligence
More Agents Is All You Need - We find that, simply via a sampling-and-voting method, the performance of large language models (LLMs) scales with the number of agents instantiated.
When Benchmarks are Targets: Revealing the Sensitivity of Large Language Model Leaderboards - Under existing leaderboards, the relative performance of LLMs is highly sensitive to (often minute) details. We show that for popular multiple choice question benchmarks (e.g. MMLU) minor perturbations to the benchmark, such as changing the order of choices or the method of answer selection, result in changes in rankings up to 8 positions
Read to Play (R2-Play): Decision Transformer with Multimodal Game Instruction
PIVOT: Iterative Visual Prompting Elicits Actionable Knowledge for VLMs
Books
Nothing this week
Events
Nothing this week
Video this week is Rust in the Linux kernel
Unless stated otherwise, linked or referenced content does not necessarily represent the views of the NCSC and reference to third parties or content on their websites should not be taken as endorsement of any kind by the NCSC. The NCSC has no control over the content of third party websites and consequently accepts no responsibility for your use of them.
This newsletter is subject to the NCSC website terms and conditions which can be found at https://www.ncsc.gov.uk/section/about-this-website/terms-and-conditions and you can find out more about how we will treat your personal information in our privacy notice at https://www.ncsc.gov.uk/section/about-this-website/privacy-statement.