CTO at NCSC Summary: week ending February 16th
This week is a homage to the epic waterfront that is cyber security in 2025..
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week there is nothing overly of note, but you will get a sense of the general busyness from the length of this week's edition.
In the high-level this week:
Cyber security longitudinal survey - wave four results - UK Department for Science, Innovation & Technology publishes - “Phishing remained the most common type of cyber incident, with 74% of businesses and 72% of charities reporting they experienced a phishing incident in the past 12 months” - or put another way why phishing resistant multi-factor/2-step verification is the single most effective control.
New UK sanctions target Russian cybercrime network - UK Foreign, Commonwealth & Development Office, Home Office, Dan Jarvis MBE MP and The Rt Hon David Lammy MP announce - “UK sanctions target Russian cyber entity, ZSERVERS responsible for facilitating crippling ransomware attacks globally. targets also include 6 ZSERVERS members who are part of a prolific cybercrime supply chain, and their UK front company XHOST”
New Commander appointed by the City of London Police - City of London Police announce - “Tor Garnett as Commander National, where she will join the Chief Officer Team leading the national policing response to economic and cybercrime.”
Canada's National Cyber Security Strategy - Public Safety Canada publishes:
New Zealand Cyber Threat Report 2023/24 - NCSC New Zealand releases - “Of these 343 incidents (up from 316 in 2022/23), 110 could be linked to state-sponsored actors and 65 were likely caused by criminal or financially motivated actors – which was consistent with the past few years.”
National Threat Assessment 2025 - Norway publishes - “Cyber operations are becoming increasingly difficult to detect. In addition, we expect the threat of influence operations from China, among others, to become more prominent.”
ENISA Single Programming Document 2025-2027 - ENISA publishes - Within ENISA - “It should be noted that all of the CRA related tasks are sensitive and require the highest levels of confidentiality and integrity from jobholders. All jobholders potentially engaged for Article 11 tasks also need to hold a valid personal security clearance at the SECRET UE/EU SECRET level” - article 11 is General product safety.
Hey Siri, Are You a Zombie? - Consumer Reports reports - “But many consumers aren’t aware of this. In December 2024, Consumer Reports conducted a survey of 2,130 Americans asking them questions about the types of connected devices they own, how long they expect those products to last and the relationship software has to how those devices function. Among people with any type of connected device, four in ten (43%) said that the last time they purchased one they were not aware that it might lose software support at some point. Roughly a third of consumers with a connected device (35%) said that they had been aware that their product would lose software support at some point, and 22% said they did not recall.”
Japan govt. approves draft legislation to forestall cyberattacks - NHK World reports - “The draft legislation to implement what is called "active cyber defense" was approved at a Cabinet meeting on Friday. The proposed legislation would allow Japan's police and Self-Defense Forces to hack potential sources of cyberattacks and incapacitate them before they can carry out attacks, with the prior approval of an independent committee to be launched.”
TIBER-EU Framework updated to align with DORA - European Central Bank announces - “The Eurosystem has updated its European framework for threat intelligence-based ethical red-teaming (TIBER-EU framework), to align with the regulatory technical standards (RTS) of the Digital Operational Resilience Act (DORA) on threat-led penetration testing (TLPT).”
Lawmakers unite to push forward Cyber Force - Politico reports - “This could result in potential recommendations around the idea of establishing a Cyber Force as the Pentagon as a new branch of the military, something Houlahan is not opposed to. The lawmaker was one of the key supporters of the language mandating the study — and she said that she’s planning to push for another item around creating a Cyber Force in the next NDAA.”
Hacking forces believed to be from North Korea have hacked the developer of the government-wide electronic document management system - Donga reports - “Authorities believe that this breach is part of a broader North Korean strategy, where hackers often target less secure private companies as a stepping stone to infiltrate highly secured government or corporate networks. By accessing the information from the On-nara system’s developer, the attackers may have gathered valuable insights that could be used to launch more direct and damaging attacks on government networks in the future. Investigations are ongoing, with experts warning that such breaches could pave the way for further cyberattacks aimed at disrupting governmental operations and compromising sensitive national data.”
Reporting on/from China
Huawei’s 2024 revenue surges 22% despite US sanctions - South China Morning Post reports - “The 2024 revenue was the second highest on record for Huawei, with its highest ever being 891 billion yuan in 2020, which came after US sanctions were first imposed on the company’s lucrative mobile phone and international operations.”
Huawei outperforms Ericsson and Nokia but owes growth to gadgets - Light Reading analyses - “Boiled down, that implies Huawei had its smartphone division to thank for revenue growth, with sales of network products relatively unchanged compared with the earlier year.”
Brain-computer interface makes breakthrough by deciphering Chinese speech in brain - China Daily reports - “Chinese startup NeuroXess on Thursday reported two significant clinical-trial milestones: its flexible brain-computer interface (BCI) device successfully decoded the precise intended movements of one patient with a brain injury in real time, and decoded Chinese speech in real time for another.”
In Depth: China Will Need to Spend More to Become an Education Powerhouse - Caixin Global asserts - “However, concerns about China’s education funding have been growing in recent years. The percentage of GDP spent on education declined for four consecutive years from 2015 to 2019, dropping from 4.22% in 2016 to 4.04% in 2019. Though it briefly rose to 4.22% in 2020, it fell to 3.897% of GDP in 2023, according to government data published at the end of 2024.”
AI
Building trust in AI through a cyber risk-based approach - ANSSI publishes and NCSC UK co-seals - “This risk analysis aims to consider not only the vulnerabilities of individual AI components, but also the security of broader AI systems integrating these components. Its purpose is to provide a wide overview of AI-related cyber risks rather than an exhaustive list of vulnerabilities.”
Launching the Artificial Intelligence Playbook for the UK Government - Government Digital Service publishes - “The AI Playbook updates and expands on old guidance to offer help on a wider range of AI technologies in addition to generative AI, including machine learning, deep learning, natural language processing, computer vision, speech recognition and more.”
How can safety cases be used to help with frontier AI safety? - UK AISI publishes - “In this blog, we explain what safety cases are and how they can assist AI developers in determining whether an AI system meets the safety thresholds outlined in their safety framework.”
AI regulation: Federal Council to ratify Council of Europe Convention - Swiss Government publishes - “Switzerland intends to ratify the Council of Europe Convention on Artificial Intelligence (AI) and to make the necessary amendments to Swiss law. Work will also continue on the regulation of AI in specific sectors such as healthcare and transport.”
Tech Giants Double Down on Their Massive AI Spending - Wall Street Journal reports - “Amazon.com didn’t provide a full-year estimate but indicated on Thursday that total capex across its businesses is on course to grow to more than $100 billion, and said most of the increase will be for AI.”
Big Tech lines up over $300bn in AI spending for 2025 - Financial Times reports - “Microsoft, Alphabet, Amazon and Meta have reported combined capital expenditure of $246bn in 2024, up from $151bn in 2023. They forecast spending could exceed $320bn this year as they compete to build data centres and fill them with clusters of specialised chips to remain at the forefront of AI large language model research.”
DeepSeek and Other Chinese Firms Converge with Western Companies on AI Promises - Carnegie Endowment for International Peace opines - “Last month, DeepSeek joined sixteen other Chinese companies in signing onto the Artificial Intelligence Safety Commitments (人工智能安全承诺). While branded as a domestic Chinese initiative, the commitments bear strong similarity to ongoing global industry-led efforts to put safeguards in place for frontier AI piloted at last year’s AI Summit in Seoul, known as the Seoul Commitments. Using similar language, both sets of commitments outline promises to conduct red-teaming exercises to identify severe threats, provide transparency into frontier model capabilities and limitations, and build organization structures to promote the security of frontier systems.”
Frontier AI Safety Commitments, AI Seoul Summit 2024 - Department for Science, Innovation & Technology updates - to include signatories from China among others.
Artificial General Intelligence's Five Hard National Security Problems - RAND think tanks - If you take one thing take “The pace and potential progress of AGI's emergence — as well as the composition of a post-AGI future — is shrouded in a cloud of uncertainty. This poses a challenge for strategists and policymakers trying to discern what potential threats and opportunities might emerge on the path to AGI and once AGI is achieved.” - I refer readers to my boiling frogs point - we should not expect an AI ‘event’ but rather an accelerated outstripping before ultimately AI being a net benefit for cyber defence.
Cyber proliferation
Campaigner for migrants in Libya targeted in spyware attack - The Guardian reports - “An Italy-based human rights activist whose work supports the international criminal court in providing evidence about cases of abuse suffered by migrants and refugees held in Libyan detention camps and prisons has revealed that Apple informed him his phone was targeted in a spyware attack”
Barcelona-based spyware startup Variston shuts down, per filing - Tech Crunch reports - “The winding down of the business is said to have begun after a 2022 Google report revealed the existence of then-unknown Variston, which had long operated under a cloak of secrecy.”
Spyware maker caught distributing malicious Android apps for years - Tech Crunch reports - “Italian spyware maker SIO, known to sell its products to government customers, is behind a series of malicious Android apps that masquerade as WhatsApp and other popular apps but steal private data from a target’s device”
Bounty Hunting
Thai-Swiss-US operation nets hackers behind 1,000+ cyber attacks - Khaosod reports - “Thai police arrested four European hackers in Phuket who allegedly stole $16 million through ransomware attacks affecting over 1,000 victims worldwide. The suspects, wanted by Swiss and US authorities, were caught in coordinated raids across four locations”
Alabama Man Pleads Guilty in Connection with Securities and Exchange Commission X Account Hack - Department of Justice announces - “An Alabama man pleaded guilty today in connection with the January 2024 unauthorized takeover of the U.S. Securities and Exchange Commission (SEC)’s social media account on X, formerly known as Twitter, in which hackers posted a fraudulent message in the name of the then-SEC Chairman, temporarily causing the value of Bitcoin (BTC) to increase by more than $1,000.” via SIM swapping..
Dangerous hacker responsible for more than 40 cyberattacks on strategic organizations arrested - in Spain including NATO - Spanish Policia announce - “Following these events, and throughout 2024, the investigated actor carried out numerous cyberattacks, including the attack on the National Mint and Stamp Factory, the State Public Employment Service, the Ministry of Education, Vocational Training and Sports, various Spanish universities, as well as databases of NATO, the United States Army, the General Directorate of Traffic, the Generalitat Valenciana, the United Nations, the International Civil Aviation Organization, and his latest claimed attack, two databases of the Civil Guard and the Ministry of Defense.”
How much did APAC’s cyber insurance market bag in 2024? - Insurance Asia reports - “Asia-Pacific’s cyber insurance market could record $1.7b in 2024 .. The global cyber insurance market is projected to reach $16.6b in 2024, with North America accounting for $10.5b, Europe $3.9b, and the Rest of the World $0.5b.”
Reflections this week are on the article CHERI Security Hardware Program Essential to UK Security, Says Government which summarises some words I said this week.
For context I outlined how CHERI allows us to manage the technical debt that C/C++ and other memory unsafe code bases present where rewrites are not possible.
Addressing the memory safety problem is therefore a national security priority. However, Whitehouse acknowledged that refactoring all C and C++ software code into memory safe programming languages is not practical, given the scale at which it is used.
CHERI architecture offers a “fundamentally new approach to the problem,” Whitehouse noted.
Then there is the compartmentalisation which is the cherry on top 🥁..
All attribution is by others and not the UK Government unless specifically stated as such, please see the legal text at the end.
Have a lovely Friday…
Ollie
Cyber threat intelligence
Who is doing what to whom and how allegedly.
Reporting on Russia
Sandworm APT Targets Ukrainian Users with Trojanized Microsoft KMS Activation Tools in Cyber Espionage Campaigns
Arda Büyükkaya details an alleged Russian campaign which reminds us all of the dangers of pirated software as an initial access vector.
with high confidence that Sandworm (APT44), a threat actor supporting Russia's Main Intelligence Directorate (GRU), is actively conducting a cyber espionage campaign against Ukrainian Windows users. Likely ongoing since late 2023, following Russia's invasion of Ukraine, Sandworm leverages pirated Microsoft Key Management Service (KMS) activators and fake Windows updates to deliver a new version of BACKORDER, a loader previously associated with the group. BACKORDER ultimately deploys Dark Crystal RAT (DcRAT), enabling attackers to exfiltrate sensitive data and conduct cyber espionage.
The BadPilot campaign: Seashell Blizzard subgroup conducts multiyear global access operation
Microsoft Threat Intelligence details an alleged Russian operation which highlights the real-world threat of not having effective vulnerability management. If we needed reminding!
Active since at least 2021, this subgroup within Seashell Blizzard has leveraged opportunistic access techniques and stealthy forms of persistence to collect credentials, achieve command execution, and support lateral movement that has at times led to substantial regional network compromises. Observed operations following initial access indicate that this campaign enabled Seashell Blizzard to obtain access to global targets across sensitive sectors including energy, oil and gas, telecommunications, shipping, arms manufacturing, in addition to international governments.
..
Since early 2024, the subgroup has expanded its range of access to include targets in the United States and United Kingdom by exploiting vulnerabilities primarily in ConnectWise ScreenConnect (CVE-2024-1709) IT remote management and monitoring software and Fortinet FortiClient EMS security software (CVE-2023-48788).
Storm-2372 conducts device code phishing campaign
Microsoft Threat Intelligence detail another alleged Russian operation which also highlights the phishing techniques used to gain initial access. A little bit of novelty here which is worth verifying you have detections for..
we assess with medium confidence aligns with Russia’s interests and tradecraft. The attacks appear to have been ongoing since August 2024 and have targeted governments, NGOs, and a wide range of industries in multiple regions. The attacks use a specific phishing technique called “device code phishing” that tricks users to log into productivity apps while Storm-2372 actors capture the information from the log in (tokens) that they can use to then access compromised accounts.
Reporting on China
RevivalStone: Winnti Group's attack campaign targeting Japanese organizations
LAC's Cyber Emergency Center details an intrusion from March 2024 which hints at the evolution in a framework which goes back over 10 years. Allegedly Chinese in origin and note the exploitation of an internet facing web server for initial access.
APT40 - SamCERT Cyber Threat Advisory
Samoan government joins the attribution game with this alleged Chinese intrusion. Note that the registry modifications are what likely provide the detection opportunity.
APT40 has a track-record of targeting government and private sector networks globally, however recent activity observed by SamCERT suggests the existence of campaigns specifically targeting networks hosted in the Blue Pacific. SamCERT has analysed APT40 activity consisting of stealthy fileless malware using previously unobserved registry loading techniques.
..
Delivery of malware through side-loading malicious DLL files and using the execution of legitimate programs to load their malware. Further malware delivery occurs through registry modifications.
Chinese-Speaking Group Manipulates SEO with BadIIS
Ted Lee and Lenart Bermejo detail a campaign we have covered before. It uses compromised web servers to manipulate search engine optimisation algorithms. This is algorithm battleships..
[Our] researchers observed an SEO manipulation campaign that highlights the need for organizations using Internet Information Services (IIS) to proactively update and patch systems to prevent exploitation by threat actors that use malware like BadIIS in their campaigns.
It is likely that the campaign is financially motivated since redirecting users to illegal gambling websites shows that attackers deploy BadIIS for profit
This campaign already affected countries in Asia such as India, Thailand, and Vietnam. However, its impact can extend beyond geographical boundaries.
Reporting on North Korea
Persistent Threats from the Kimsuky Group Using RDP Wrapper
ASEC details an alleged North Korean operation which relies on rather basic initial access tradecraft but then moves to enable the remote desktop protocol. Noteworthy as it shows a degree of technical capability.
The shortcut malware is disguised as a document file with an Office document icon such as PDF, Excel, or Word. When this file is executed, PowerShell or Mshta is run to download and execute additional payloads from external sources. The malware that is ultimately executed to control the infected system are PebbleDash and RDP Wrapper. The threat actor has recently created and distributed PebbleDash and RDP
RDP Wrapper is an open-source utility that supports the remote desktop feature. Since Windows operating systems do not support remote desktop in all versions, RDP Wrapper can be installed in such environments to activate remote desktop. The threat actor is using RDP Wrapper that they created themselves. It is suspected that they are creating Export functions in various ways to bypass file detection.
https://asec.ahnlab.com/en/86098/
Operation 99: North Korea’s Cyber Assault on Software Developers
Ryan Sherstobitoff details an alleged North Korea operation which appears to be targeting monetizable digital assets. Social engineering is the play here and Italy is feeling it apparently..
This campaign targets software developers looking for freelance Web3 and cryptocurrency work. If you thought fake job offers from the group’s Operation Dream Job campaign were bad, this latest move is a masterclass in deception, sophistication, and malicious intent.
https://securityscorecard.com/blog/operation-99-north-koreas-cyber-assault-on-software-developers/
Reporting on Iran
Nothing of note this week.
Reporting on Other Actors
Malicious ML models discovered on Hugging Face platform
Karlo Zanki details a campaign which highlights the risk that machine learning models are, in some instances, code which you run on your computer when they are distributed as serialised objects. Sandboxes.. sandboxes!
The two models RL detected are stored in PyTorch format, which is basically a compressed Pickle file. By default, PyTorch uses the ZIP format for compression, and these two models are compressed using the 7z format, which prevents them from being loaded using PyTorch’s default function, torch.load().
That is likely the reason why Picklescan — the tool used by Hugging Face to detect suspicious Pickle files — did not flag them as unsafe.
https://www.reversinglabs.com/blog/rl-identifies-malware-ml-model-hosted-on-hugging-face
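To make the point above concrete, here is an added example (not code from the ReversingLabs write-up or from Hugging Face's Picklescan) that lists every import a checkpoint's pickle would perform without unpickling it, and that rejects, rather than silently passes, a model stored outside the ZIP container it understands. The allowlist, the fake checkpoint layout and the 7z-like header are all constructed assumptions.

```python
"""Inspect a PyTorch-style checkpoint without loading it.

Added example, not from the ReversingLabs or Hugging Face write-ups: the
pickle inside a model is a program whose imports are visible in its opcode
stream, and a scanner built for PyTorch's ZIP container must fail closed on
any other container (the 7z case the page describes).
"""
import io
import pickle
import pickletools
import platform
import zipfile
from collections import OrderedDict

# Imports a legitimate state_dict checkpoint normally needs (constructed
# allowlist; tune it for the models your own pipeline accepts).
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
    ("torch._utils", "_rebuild_tensor_v2"),
    ("torch", "FloatStorage"),
}

ZIP_MAGIC = b"PK\x03\x04"
SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"


def pickle_globals(data: bytes) -> list:
    """Every (module, name) the pickle would import; nothing is unpickled."""
    found = []
    strings = []  # string pushes, so STACK_GLOBAL (protocol 4+) can be resolved
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":
            # Protocol <= 3 carries "module name" inline as the argument.
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif opcode.name == "STACK_GLOBAL":
            # Protocol >= 4 pushes module and name as the two preceding strings.
            name = strings.pop()
            module = strings.pop()
            found.append((module, name))
        elif opcode.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            strings.append(arg)
    return found


def scan_model(blob: bytes) -> dict:
    """Verdict for one model file: clean, suspicious or uninspectable."""
    if not blob.startswith(ZIP_MAGIC):
        # The pickle is still in there, but a ZIP-layout scanner cannot see it.
        # Report that as a failed scan, never as "no findings".
        kind = "7z" if blob.startswith(SEVENZ_MAGIC) else "unknown"
        return {"verdict": "uninspectable", "container": kind, "imports": [], "unexpected": []}
    imports = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            if name.endswith(".pkl"):  # torch.save() writes <root>/data.pkl
                imports.extend(pickle_globals(zf.read(name)))
    unexpected = [g for g in imports if g not in ALLOWED_GLOBALS]
    return {
        "verdict": "suspicious" if unexpected else "clean",
        "container": "zip",
        "imports": imports,
        "unexpected": unexpected,
    }


def build_zip_checkpoint(pickle_bytes: bytes) -> bytes:
    """Constructed stand-in for torch.save()'s container: a ZIP holding <root>/data.pkl."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", pickle_bytes)
        zf.writestr("archive/version", "3\n")
    return buf.getvalue()


class _ReduceStub:
    """Constructed sample: unpickling calls platform.system() (harmless here).

    The mechanism, a __reduce__ naming any callable, is what turns an
    untrusted pickle into code execution.
    """

    def __reduce__(self):
        return (platform.system, ())


def sample_clean() -> bytes:
    """State-dict-like OrderedDict, protocol 2 (exercises the GLOBAL opcode)."""
    state = OrderedDict([("layer.weight", [0.1, 0.2, 0.3])])
    return build_zip_checkpoint(pickle.dumps(state, protocol=2))


def sample_suspicious() -> bytes:
    """Same container, but the pickle imports a non-allowlisted callable (STACK_GLOBAL)."""
    return build_zip_checkpoint(pickle.dumps(_ReduceStub(), protocol=4))


def sample_repacked() -> bytes:
    """7z magic plus filler: a model stored outside the ZIP layout (not a real 7z archive)."""
    return SEVENZ_MAGIC + b"\x00" * 32
```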
Discovery
How we find and understand the latent compromises within our environments.
Implementing clustering workflows in Elastic to enhance search relevance
Gus Carlock and Kirti Sodhi provide a walkthrough which will have utility in a variety of discovery use cases.
The Machine Learning App in Kibana provides a comprehensive suite of advanced capabilities, including anomaly and outlier detection, as well as classification and regression models.
For this proof of concept, we utilized the 20 Newsgroups dataset, a popular benchmark for text classification and clustering tasks.
https://www.elastic.co/search-labs/blog/elastic-clustering-workflows
100 Days of KQL
Aura is a one person cyber defence machine. Below are some of the useful KQL queries they have produced over the last little while (there are many more).
Events where Windows Event Logs were cleared
7-Zip or WinRAR used with Password-Protected Archives
Command Line Interpreter Invoked by Web Application Process (Windows)
Defence
How we proactively defend our environments.
Foundations for modern defensible architecture
ASD’s Australian Cyber Security Centre provides these foundations for all to consider.. Super powerful and ideal for new builds; I suspect most will find them challenging to achieve in a comprehensive manner on a reno job.
Foundation 1: Centrally managed enterprise identities
Foundation 2: High assurance authentication
Foundation 3: Contextual authorisation
Foundation 4: Reliable asset inventory
Foundation 5: Secure endpoints
Foundation 6: Reduced attack surface
Foundation 7: Resilient networks
Foundation 8: Secure-by-Design software
Foundation 9: Comprehensive assurance and governance
Foundation 10: Continuous and actionable monitoring
BitLocker Stale Recovery Key Cleanup: No More Silent Encryption Failures
Rudy Ooms details an interesting issue here and, more importantly, the solution! This is the first I had learnt about this..
Silent encryption will fail if the BitLocker policy enforces key escrow before enabling encryption. Since BitLocker requires a successful backup of the recovery key before proceeding, encryption does not start, leaving the device unencrypted until we remove the device object from Entra…. which is a horrible fix.
This blog will show you what is coming and how Microsoft is going to fix this weird BitLocker Issue!
https://patchmypc.com/bitlocker-recovery-key-cleanup-fix-200-key-limit
Incident Writeups & Disclosures
How they got in and what they did.
Hewlett Packard Enterprise (HPE)
Noteworthy for the time lag.. they are notifying employees whose data was stolen from the company's Office 365 email environment by Russian state-sponsored hackers in a May 2023 cyberattack.
https://mm.nh.gov/files/uploads/doj/remote-docs/hewlett-packard-enterprise-20250205.pdf
https://www.mass.gov/doc/data-breach-report-2025/download
Babuk Ransomware: A victim of Indodax hack
Rayssa Cardoso details an instance of karma in practice, which hints at a North Korean operation that looked to steal funds from a ransomware team's hot wallet.
https://theravenfile.com/2025/02/06/babuk-ransomware-a-victim-of-indodax-hack/
Russia-Ukraine Cyber War 1: Review of the First Major Blackout in Ukraine Caused by the Sandworm APT Organization
Chinese reporting on how the first attack allegedly went down. Visit the non-translated site if you want the images to load..
Russia-Ukraine Cyber War II: Recap of Ukraine’s Second Blackout
Further Chinese reporting on how the second incident went down..
Vulnerability
Our attack surface.
CVE-2025-1146 - CrowdStrike Falcon Sensor for Linux TLS Issue
Security product getting an upgrade..
CrowdStrike uses industry-standard TLS (transport layer security) to secure communications from the Falcon sensor to the CrowdStrike cloud. CrowdStrike has identified a validation logic error in the Falcon sensor for Linux, Falcon Kubernetes Admission Controller, and Falcon Container Sensor where our TLS connection routine to the CrowdStrike cloud can incorrectly process server certificate validation.
This could allow an attacker with the ability to control network traffic to potentially conduct a man-in-the-middle (MiTM) attack. CrowdStrike identified this issue internally and released a security fix in all Falcon sensor for Linux, Falcon Kubernetes Admission Controller, and Falcon Container Sensor versions 7.06 and above.
https://www.crowdstrike.com/security-advisories/cve-2025-1146/
Llama's Paradox
Patrick Peng does some excellent research and achieves remote code execution through memory corruption via RPC.
Delving deep into Llama.cpp and exploiting Llama.cpp's Heap Maze, from Heap-Overflow to Remote-Code Execution
https://retr0.blog/blog/llama-rpc-rce
Security analysis of the Wi-Fi Easy Connect
George Chatzisofroniou and Panayiotis Kotzanikolaou perform an analysis which shows that the new features potentially weaken as opposed to strengthen..
Overall, while DPP offers sophisticated security capabilities compared to its predecessor, it simultaneously requires careful deployment and meticulous management to prevent the erosion of the very protections it is designed to strengthen.
Our analysis reveals that the usability features added in the newer versions of DPP (v2 and v3) have introduced additional security vulnerabilities, such as the risk of connected users impersonating the Configurator and distributing malicious files to other devices.
The identified weaknesses serve as additional evidence of the need to carefully consider the security implications of user-friendliness features in new protocols (such as the use of mixed authentication modes or reconfiguration capabilities).
Offense
Attack capability, techniques and trade-craft.
PatchWerk
Bobby Cooke releases BOF which detection teams will want to be aware of due to the risk of loss of visibility.
Cobalt Strike BOF that finds all the Nt* system call stubs within NTDLL and overwrites the memory with clean stubs (user land hook evasion). This way we can use the NTAPIs from our implant code, and if EDR check the call stack it will have originated from NTDLL. It’s pretty much the same as the original unhook by Raph Mudge, but this way there's no need to map ntdll.dll from disk or open handles to remote processes.
Uses HellsGate & HalosGate to call direct syscalls for NtOpenProcess, NtWriteVirtualMemory, and NtProtectVirtualMemory. Has custom GetModuleHandle & GetProcAddress (getSymbolAddress) written in C and ASM to evade hooks on kernel32. If patching table of current process, does not use NtOpenProcess. Just uses hProc = (HANDLE)-1; instead.
https://github.com/boku7/patchwerk
Raccoon
Alexandros Vavakos releases a tool which is novel in that it maximises minimised windows. This behaviour potentially provides a detection opportunity..
A nasty lil' targeted screenshotter that will momentarily open minimized windows.
If there is a different active window at the original location of the target, then it will stay in the background completely invisible to the user.
https://github.com/nettitude/raccoon
BYOVD to the next level. Blind EDR with Windows Symbolic Link
Two Seven One Three details a technique which highlights that drivers that write files and for which there is an element of user control pose a potential risk when combined with symlinks. It will be interesting to understand the real world impact..
With the new attack method that combines the file writing functionality of drivers and Windows Symbolic Links, attackers are relieved from the restriction of needing to find vulnerable drivers that are not yet on the blocklist to exploit. Instead, they only need to identify any driver that has file writing capabilities, such as logging, tracing, etc. Merging with the abuse of symbolic links, BYOVD technique will evolve to a new level.
..
Driver developers should first check whether a file is a symbolic link before interacting with it, in order to prevent the driver from being exploited for malicious purposes.
Exploitation
What is being exploited..
Code injection attacks using publicly disclosed ASP.NET machine keys
Microsoft Threat Intelligence highlights the need for key hygiene in code. The fact it is being actively exploited by an unattributed actor at scale is noteworthy..
In December 2024, Microsoft Threat Intelligence observed limited activity by an unattributed threat actor using a publicly available, static ASP.NET machine key to inject malicious code and deliver the Godzilla post-exploitation framework.
Microsoft has since identified over 3,000 publicly disclosed keys that could be used for these types of attacks, which are called ViewState code injection attacks. Whereas many previously known ViewState code injection attacks used compromised or stolen keys that are often sold on dark web forums, these publicly disclosed keys could pose a higher risk because they are available in multiple code repositories and could have been pushed into development code without modification.
Microsoft recommends that organizations do not copy keys from publicly available sources and to regularly rotate keys.
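A small added check for the recommendation above (example code, not Microsoft's tooling or guidance): it parses the system.web/machineKey element of a web.config, reports keys that are hard-coded or that match a list of publicly disclosed keys, and mints a fresh pair for rotation. The KNOWN_PUBLIC_KEYS set and both sample configs are constructed placeholders, not real disclosed keys.

```python
"""Flag static or publicly known ASP.NET <machineKey> values in web.config.

Added example, not Microsoft's tooling: KNOWN_PUBLIC_KEYS and the sample
configs are constructed placeholders, not real disclosed keys.
"""
import secrets
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed placeholder for the set of publicly disclosed keys; populate it
# from whatever list your vendor or threat-intel provider publishes.
KNOWN_PUBLIC_KEYS = {"A" * 128}

# ASP.NET key sizes: HMACSHA256 validation uses a 64-byte key,
# AES-256 decryption a 32-byte key (hex-encoded in the config).
VALIDATION_KEY_BYTES = 64
DECRYPTION_KEY_BYTES = 32


def find_machine_key(config_xml: str) -> Optional[Dict[str, str]]:
    """Return the machineKey attributes, or None if the element is absent."""
    root = ET.fromstring(config_xml)
    system_web = root.find("system.web")
    if system_web is None:
        return None
    element = system_web.find("machineKey")
    return None if element is None else dict(element.attrib)


def assess_machine_key(config_xml: str) -> List[str]:
    """Findings for one web.config; an empty list means nothing to report."""
    findings = []
    attrs = find_machine_key(config_xml)
    if attrs is None:
        # No element: ASP.NET auto-generates per-application keys, so there is
        # nothing static in the file to be copied or leaked.
        return findings
    for attr in ("validationKey", "decryptionKey"):
        value = attrs.get(attr, "AutoGenerate,IsolateApps")
        if value.startswith("AutoGenerate"):
            continue
        if value.upper() in KNOWN_PUBLIC_KEYS:
            findings.append(f"{attr} matches a publicly disclosed key: rotate immediately")
        else:
            findings.append(f"{attr} is static: confirm it is unique to this app and rotate on a schedule")
    return findings


def generate_machine_key() -> Dict[str, str]:
    """Fresh attribute values for a replacement <machineKey> element."""
    return {
        "validationKey": secrets.token_hex(VALIDATION_KEY_BYTES).upper(),
        "decryptionKey": secrets.token_hex(DECRYPTION_KEY_BYTES).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def render_machine_key(attrs: Dict[str, str]) -> str:
    """Serialise the attributes as the element to drop into system.web."""
    element = ET.Element("machineKey", attrib=attrs)
    return ET.tostring(element, encoding="unicode")


# Constructed sample: validationKey copied from a "public" source, static decryptionKey.
SAMPLE_LEAKED_CONFIG = (
    "<configuration><system.web>"
    '<machineKey validationKey="' + "A" * 128 + '" decryptionKey="' + "B" * 64 + '" '
    'validation="HMACSHA256" decryption="AES" />'
    "</system.web></configuration>"
)

# Constructed sample: the safe default, nothing static in the file.
SAMPLE_AUTO_CONFIG = (
    "<configuration><system.web>"
    '<machineKey validationKey="AutoGenerate,IsolateApps" '
    'decryptionKey="AutoGenerate,IsolateApps" />'
    "</system.web></configuration>"
)
```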
SPAWNCHIMERA malware installed using vulnerability in Ivanti Connect Secure
Yuma Masubuchi details intrusions in Japan which show this vulnerability was used as a zero-day.
In January 2025, Ivanti published an advisory regarding the vulnerability CVE-2025-0282 in Ivanti Connect Secure. JPCERT/CC has confirmed multiple cases of this vulnerability being exploited in Japan since late December 2024, prior to the vulnerability being made public.
https://blogs.jpcert.or.jp/ja/2025/02/spawnchimera.html
Active Exploitation of PAN-OS Authentication Bypass Vulnerability (CVE-2025-0108)
Patch patch patch..
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
LEMON - An eBPF Memory Dump Tool for x64 and ARM64 Linux
IridiumXOR releases a tool which could be used for good and bad!
LEMON is a Linux memory dump tool that utilizes eBPF to capture the entire physical memory of a system and save it in LiME format, compatible with forensic tools such as Volatility 3.
https://github.com/eurecom-s3/lemon
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Aggregate reporting
Driving Cybersecurity Forward: How CHERI is transforming automotive cyber-resilience
Bytes to Schlep? Use a FEP: Hiding Protocol Metadata with Fully Encrypted Protocols
Artificial intelligence
A brief analysis of the current status and future of Web fingerprint recognition in the era of large models - "Big models can extract deep features from complex and diverse inputs, not only can they identify known assets, but also can deal with new and unseen asset types."
Brief analysis of DeepSeek R1 and its implications for Generative AI
Books
Jiaohua - Chinese Ideas and Practices of Moral Transformation - “This book explores the single Chinese concept and practice of “shaping the mind through education””
Events
New Security Paradigms Workshop - Call for Papers - August 24-27, 2025 in Aerzen, Germany
Unless stated otherwise, linked or referenced content does not necessarily represent the views of the NCSC and reference to third parties or content on their websites should not be taken as endorsement of any kind by the NCSC. The NCSC has no control over the content of third party websites and consequently accepts no responsibility for your use of them.
This newsletter is subject to the NCSC website terms and conditions which can be found at https://www.ncsc.gov.uk/section/about-this-website/terms-and-conditions and you can find out more about how we will treat your personal information in our privacy notice at https://www.ncsc.gov.uk/section/about-this-website/privacy-statement.