Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally, nothing of particular note this week beyond the usual tempo.
In the high-level this week:
Free and Open in the Latest Draft of the EU Cyber Resilience Act - New provisions related to free and open software in the December 20 draft of the CRA
The Case for Memory Safe Roadmaps - Why Both C-Suite Executives and Technical Experts Need to Take Memory Safe Coding Seriously
NASA Issues New Space Security Best Practices Guide - The guide represents a significant milestone in NASA’s commitment to ensuring the longevity and resilience of its space missions and will serve as a resource for enhancing their security and reliability.
Moldova Establishes National Cybersecurity Agency with e-Governance Academy Expertise - The collaborative efforts between eGA and the National Agency for Cyber Security are positioned to significantly enhance Moldova’s ability to counter cyber threats and ensure a safer digital landscape for its citizens
City of London Police urge parents to be aware of their children's internet usage after teenage hackers sentenced - Lapsus$ mop up continues.
Ukraine Cybersecurity Professional Training System Reform: Qualifications Agency Approves 8 New Occupational Standards - various professional roles created with the help of USAID Cybersecurity for Critical Infrastructure in Ukraine Activity.
Regulating risks within complex sociotechnical systems: Evidence from critical infrastructure cybersecurity standards - from 2018 but of interest - Our assessment shows that the regulations reduced many but not all cybersecurity risks, and at times may have worsened them. We argue that regulatory influence should be understood as emergent from interactions between regulations and the systems that they regulate.
Abuse-Resistant Location Tracking: Balancing Privacy and Safety in the Offline Finding Ecosystem - we show how to achieve an improved trade-off between user privacy and stalker detection within the constraints of existing tracking protocols. We implement our new protocol using families of list-decodable error-correcting codes, and give efficient algorithms for stalker detection under realistic conditions.
Defending Democracy
How Will AI Affect the 2024 Elections? with Renee DiResta and Carl Miller - I was impressed with Carl when I saw him in action in a think tank discussion, worth a read.
Reporting on/from China
ChatGPT-aided ransomware in China results in four arrests - Four cyber attackers in China have been arrested for developing ransomware with the help of ChatGPT, the first such case in the country.
Chinese Spy Agency Rising to Challenge - The spies asked for an artificial intelligence program that would create instant dossiers on every person of interest in the area and analyze their behavior patterns. They proposed feeding the A.I. program information from databases and scores of cameras that would include car license plates, cellphone data, contacts and more.
Summary of fuzz papers from the four top conferences in the field of information security in 2023 - a Chinese analysis of the top papers around automated vulnerability discovery through fuzzing in software.
Artificial intelligence
AI Hyperrealism: Why AI Faces Are Perceived as More Real Than Human Ones - interesting implications when we consider deepfake risks.
ISACA: Digital Trust Ecosystem Framework (DTEF) Beta application to assure AI environments - The Framework is not prescriptive or narrow, but includes detailed practices, activities, outcomes, controls, KPIs and KRIs that a practitioner can use to implement and assess against. Additionally, it is aligned to many existing frameworks on the market so an enterprise that has already adopted a framework such as ISO 27001 or NIST CSF, is already performing many of the tasks outlined in the DTEF.
AI Discovers First New Antibiotic in Over 60 Years - First, the researchers trained a deep learning model using substantially expanded datasets. They generated this training data by testing about 39,000 compounds for antibiotic activity against MRSA, and then fed this data, plus information on the chemical structures of the compounds, into the model. - I was thinking you could see how a similar approach might be applied to ransomware encryptor disruption strategies among others.
Largest Dataset Powering AI Images Removed After Discovery of Child Sexual Abuse Material - a risk which some might not have considered...
Cyber proliferation
Intellexa and Cytrox: From fixer-upper to Intel Agency grade spyware - video of this talk which is worth a watch.
Cowbell UK looking to generate “new-new” business and grow market - Cowbell’s general manager for its recently-launched UK unit has said one of its goals is to target “new-new” business and grow the domestic market by proactively engaging with distribution partners to help them navigate the landscape and drive cyber insurance adoption among SMEs.
Reflection this week is from reading this paper from the team at Spotify titled Estimating categorical counterfactuals via deep twin networks. I think we would all agree there would be material value in cyber defence if we could pull it off, e.g. "if A were true, would we have seen X incident". Datasets to achieve this are, however, likely one of several challenges.
All attribution is by others and not the UK Government; please see the legal text at the end.
Have a lovely Thursday
Ollie
Cyber threat intelligence
Who is doing what to whom and how.
Reporting on Russia
APT28: From initial attack to creating threats to a domain controller in an hour (CERT-UA#8399)
Ukrainian government reporting of alleged Russian activity and specifically tradecraft mature organisations should be resilient against (thankfully).
During December 15-25, 2023, several cases of distribution of e-mails with links to "documents" were discovered among state organizations; visiting them led to damage to computers by malicious programs.
In the process of investigating the incidents, it was found that the mentioned links redirect the victim to a web resource where, with the help of JavaScript and features of the application protocol "search" ("ms-search"), a shortcut file is downloaded, the opening of which leads to the launch of a PowerShell command designed to download from a remote (SMB) resource and run (open) a decoy document,
https://cert.gov.ua/article/6276894
The SBU blocked the webcams that “illuminated” the work of air defense during the Russian missile attack on Kyiv on January 2 (video)
There is at least one company that offers this type of capability (i.e. the hacking of CCTV cameras). Interesting to see the apparent warzone usage…
It is about two robotic online surveillance cameras that were hacked by Russian intelligence services to spy on the Defense Forces in the capital.
According to SBU cyber specialists, one of the devices was located on the balcony of an apartment building and was used by a local condominium to monitor the surrounding area.
However, as a result of hacking, the aggressor gained remote access to control this webcam. Having penetrated its settings, the special services of the Russian Federation changed the viewing angle and connected it to the YouTube streaming platform.
In this way, the occupiers covertly recorded all visual information in the range of the camera.
Reporting on China
Nothing this week
Reporting on North Korea
Cases of attacks disguised as North Korean market price analysis documents, etc.
Reporting on alleged North Korean capability and tradecraft which shows broad targeting of regional Office-esque suites as well as Microsoft Office itself via malicious attachments.
Detection of attacks using various types of malicious files such as LNK, HWP, HWPX, XLSX, DOCX, etc.
Used as an extension of the [APT37] group's 'LNK'-based attack and at the same time combining security vulnerabilities
Disguised as a document on the response to the Itaewon incident last year
Extension of the 'CVE-2022-41128' vulnerability attack
Reporting on Iran
New phishing attack from Iran is trying to delete information in organization
Israeli government reporting on a phishing campaign allegedly from Iran. The only thing of note in this reporting is that the lure is around a security update for a product.
The National Cyber Array warns of an Iranian phishing attack that includes an impersonating email message that tries to trick computer personnel of organizations into downloading a security update, but actually results in the downloading of harmful software that steals and deletes information. Research by the array in collaboration with a commercial company found that an Iranian attack group is behind this attempt
https://www.gov.il/he/Departments/news/iranf5_2612
Albanian Parliament, telco and airline...
This incident was covered previously, but useful as a reminder.
Yesterday, on December 25, AKCESK was notified of cyber attacks that occurred on the ONE telephone company and the Assembly of the Republic of Albania. Immediately after the notification received, AKCESK set up expert groups to closely assist the institutions in managing the cyber attack.
https://cesk.gov.al/deklarate-zyrtare-3/
The news is that it is allegedly this group who undertook the operation. Destructive payloads written in NACL no less!
"Homeland Justice, an Iranian attack group, announced on 25.12.23 that it had taken over and destroyed several computer systems of organizations in Albania: Albania Parliament, Air Albania, One Albania, and Eagle mobile Albania. A PowerShell file we located fully matched the code snippets shown in the video. We found a reference to the NACL[.]exe file. IOCs: p[.]ps1 md5: 4278de224c8b12c7f202d8ce5c6b3c17; zip[.]zip md5: 9f27b541c5c77f2e1219c86f929c3807; Wiper(NACL) md5: f9431cf3abcc85da8431f5480ee68f08"
Reporting on Other Actors
A pernicious potpourri of Python packages in PyPI
Marc-Etienne M.Léveillé and Rene Holt give some quantification to the level of misuse and risk stemming from this open source Python distribution channel.
[We] discovered 116 malicious packages in PyPI, the official repository of software for the Python programming language, uploaded in 53 projects.
Victims have downloaded these packages over 10,000 times.
Since May 2023, the download rate is more or less 80 per day.
The malware delivers a backdoor capable of remote command execution, exfiltration, and taking screenshots.
The backdoor component is implemented for both Windows, in Python, and Linux, in Go.
In some cases, the W4SP Stealer or a clipboard monitor that steals cryptocurrency, or both, is delivered instead.
https://www.welivesecurity.com/en/eset-research/pernicious-potpourri-python-packages-pypi/
Cyber Toufan goes Oprah mode, with free Linux system wipes of over 100 organisations
Kevin Beaumont details an interesting campaign due to the scale and operating system targeted. Hack, leak and destroy is a scenario that organisations will have been sensitised to through criminal activity. But what if there was nothing you could do to stop disclosure? Well, here is an example...
They’re not a lame DDoS pretend hacktivist group like NoName016 — instead, they claim to be Palestinian state cyber warriors. (Might they be Iran? Who cares?). They target orgs with interests in Israel.
They’ve been wiping systems — a lot of them — and dumping stolen data online.
Discovery
How we find and understand the latent compromises within our environments.
Pivoting through a Sea of indicators to spot Turtles
This is a good walkthrough of the tradecraft as an analyst and the potential pitfalls when doing so. Good learning.
https://blog.strikeready.com/blog/pivoting-through-a-sea-of-indicators-to-spot-turtles/
Introducing FaviconLocator: The Eazy Button to Searching by Favicon
Nice little discovery technique here from Matt.
https://www.digitalforensicstips.com/2023/12/introducing-faviconlocator-eazy-button.html
Defence
How we proactively defend our environments.
Combating Emerging Microsoft 365 Tradecraft: Initial Access
Matt Kiely discusses how enrichment greatly increased detection value. The takeaway is that doing as much enrichment as possible before an alert is presented to the analyst is a winner.
We’ve made significant advancements to combat initial access in the last few weeks by enriching our event data and building detectors around these enrichments.
The new advancements are already paying off, and we’ve already caught hackers in the act. New detectors for anomalous user locations, defensive evasion via VPNs, and credential stuffing account for a large chunk of reported Microsoft 365 incidents from the past month.
We still have work to do, and tons of improvements are on the way!
https://www.huntress.com/blog/combating-emerging-microsoft-365-tradecraft-initial-access
How to protect against modern phishing attacks like Evilginx
Luke Kavanagh details how to mitigate one of the more advanced phishing techniques. My summary of the three standout takeaways, from a much longer list to consider implementing:
Hardware keys MFA (U2F)
Conditional Access Policies
Sign-in Risk Policy
https://bleekseeks.com/blog/how-to-protect-against-modern-phishing-attacks
100 Days of Yara Challenge
The starting gun has been fired for this year... start your engines!
In short, 100DaysofYARA is a place on the internet where malware analysts, detection engineers, and reversers share ideas for YARA rules, tips for rule creation, or methods of using YARA in unconventional ways.
https://github.com/100DaysofYARA/2024
Thomas Roccia kicks off his contribution.
https://blog.securitybreak.io/100daysofyara-challenge-04c966eab1ae
John provides a summary of 100 Days of YARA - 2023 - This is a consolidated post of all 100 days of posts from 2023
https://bitsofbinary.github.io/yara/2023/01/01/100daysofyara.html
Incident Writeups
How they got in and what they did.
FIRST.org-Phishing-Email
Kamran Saifullah provides a technical summary of this campaign where FIRST was targeted. Interestingly, EPSS SIG is the Exploit Prediction Scoring System Special Interest Group. Who, I wonder?
Later this year members of EPSS SIG - FIRST.org were targeted with a phishing email.
https://github.com/deFr0ggy/FIRST.org-Phishing-Email/tree/main
Vulnerability
Our attack surface.
CVE-2023-43177 CrushFTP Unauthenticated Remote Code Execution
This product has quite a lot of exposure - should be patched.
CVE-2023-43177 is a critical vulnerability in CrushFTP. The vulnerability could potentially allow unauthenticated attackers with network access to the CrushFTP instance to write files in the local file system and eventually, in some versions, could allow the execution of arbitrary system commands.
https://blog.projectdiscovery.io/crushftp-rce/
Offense
Attack capability, techniques and trade-craft.
Christmas
This I find interesting, as I implemented this technique when at Symantec in Advanced Threat Research in about 2006 to bypass our behaviour detection system, since whole-of-system correlation was too costly in performance terms to implement. It is interesting how enduring these techniques are: lots of processes collaborating to achieve a malicious outcome bypasses our detection tradecraft, i.e. each does one little bad thing.
This PoC creates multiple processes, where each process performs a specific task as part of the injection operation. Each child process will spawn another process and pass the required information via the command line
https://github.com/Maldev-Academy/Christmas
Living Of The SHIMS - Built-In SHIM DB Hijacking
Nasreddine Bencherchali provides a good writeup but more importantly detection techniques for SHIM database misuse on Windows.
The Event Log Microsoft-Windows-Application-Experience (Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx) offers EIDs 500, 502 and 505 to detect any fixes applied to applications. We can monitor the fields FixName, FixID, ExePath
https://github.com/nasbench/Misc-Research/blob/main/Other/Living-Of-The-SHIMS.md
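As an added example (not code from the write-up above or from its author), the following turns that monitoring advice into a baseline-and-alert check: every Application-Experience event with EID 500, 502 or 505 whose FixName/ExePath pair is not already known in the estate is surfaced, with fixes pointing at binaries under user-writable paths called out first. The event records are constructed dicts; the FixName, FixID and ExePath field names come from the write-up, while the dict layout, the sample values and the user-writable-path heuristic are assumptions made for this example.

```python
from dataclasses import dataclass

# Provider and event IDs the write-up names for fixes applied to applications.
PROVIDER = "Microsoft-Windows-Application-Experience"
SHIM_EVENT_IDS = {500, 502, 505}

# Assumed heuristic (not from the write-up): a shim fix applied to a binary under
# a user-writable path is worth looking at first, whatever the fix name.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


@dataclass(frozen=True)
class ShimFinding:
    event_id: int
    fix_name: str
    fix_id: str
    exe_path: str
    reason: str


def shim_alerts(events, baseline):
    """Return a finding for every shim-fix event the baseline does not explain.

    events:   iterable of dicts carrying Provider, EventID, FixName, FixID and
              ExePath (the last three are the fields the write-up says to monitor;
              the dict layout itself is an assumption of this example).
    baseline: set of lower-cased (fix_name, exe_path) pairs expected in the
              estate, e.g. fixes recorded during a known vendor install.
    """
    findings = []
    for ev in events:
        if ev.get("Provider") != PROVIDER or ev.get("EventID") not in SHIM_EVENT_IDS:
            continue
        fix_name = ev.get("FixName", "")
        exe_path = ev.get("ExePath", "")
        if (fix_name.lower(), exe_path.lower()) in baseline:
            continue  # known, expected fix: no alert
        if exe_path.lower().startswith(USER_WRITABLE_PREFIXES):
            reason = "shim fix applied to binary in user-writable path"
        else:
            reason = "shim fix not in baseline"
        findings.append(ShimFinding(ev["EventID"], fix_name, ev.get("FixID", ""),
                                    exe_path, reason))
    return findings


# Constructed sample events; fix names, IDs and paths are made up for the example.
SAMPLE_EVENTS = [
    {"Provider": PROVIDER, "EventID": 500, "FixName": "ExampleCompatFix",
     "FixID": "{11111111-0000-0000-0000-000000000001}",
     "ExePath": r"C:\Program Files\Vendor\app.exe"},
    {"Provider": PROVIDER, "EventID": 505, "FixName": "ExampleCompatFix",
     "FixID": "{11111111-0000-0000-0000-000000000001}",
     "ExePath": r"C:\Program Files\Vendor\app.exe"},
    {"Provider": PROVIDER, "EventID": 502, "FixName": "ExampleRedirectFix",
     "FixID": "{22222222-0000-0000-0000-000000000002}",
     "ExePath": r"C:\Windows\System32\notepad.exe"},
    {"Provider": PROVIDER, "EventID": 500, "FixName": "ExampleCompatFix",
     "FixID": "{11111111-0000-0000-0000-000000000001}",
     "ExePath": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"Provider": "Example-Other-Provider", "EventID": 500, "FixName": "x",
     "FixID": "y", "ExePath": r"C:\other.exe"},  # wrong provider, ignored
]

# Baseline: the vendor application is known to ship with this fix.
BASELINE = {("examplecompatfix", r"c:\program files\vendor\app.exe")}


def run_sample():
    return shim_alerts(SAMPLE_EVENTS, BASELINE)


if __name__ == "__main__":
    for f in run_sample():
        print(f"EID {f.event_id}: {f.fix_name} ({f.fix_id}) -> {f.exe_path}: {f.reason}")
```

Feeding it real records means exporting the Program-Telemetry channel and mapping the EventData fields onto the same keys; the baseline is best built from a clean reference host rather than from the fleet being checked.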
EDRSilencer
Chris Au releases a capability which will cause some EDR vendors to scramble to resolve.
a tool that uses Windows Filtering Platform (WFP) to block EDR agents from reporting security events to the server
https://github.com/netero1010/EDRSilencer
SignToolEx: Patching "signtool.exe" to accept expired certificates for code-signing
We should plan for malicious use by threat actors of this capability in 3..2..
SignToolEx uses Microsoft Detours hooking library to hijack "signtool.exe" and modify expired code-signing certificates to appear valid, allowing to codesign without changing system clock. This allows expired (leaked) certificates to be used for code-signing but does not permit spoofing Authenticode timestamps. Some versions of Windows (such as 10) accept and load .sys device drivers when signed with expired certificates regardless.
https://github.com/hackerhouse-opensource/SignToolEx
Exploitation
What is being exploited.
Financially motivated threat actors misusing App Installer
This is an interesting one...
Since mid-November 2023, Microsoft Threat Intelligence has observed threat actors, including financially motivated actors like Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674, utilizing the ms-appinstaller URI scheme (App Installer) to distribute malware. In addition to ensuring that customers are protected from observed attacker activity, Microsoft investigated the use of App Installer in these attacks. In response to this activity, Microsoft has disabled the ms-appinstaller protocol handler by default.
According to Will Dormann, there were modifications made to CVE-2021-43890 post April 2023.
According to this blog post, the disabling of the ms-appinstaller URI handler was temporary until they could figure out how to fix spoofing. Presumably they did, and then figured out that it wasn't good enough?
Compromising Google Accounts: Malwares Exploiting Undocumented OAuth2 Functionality for session hijacking
Pavan Karthick M shows that criminal actors continue to apply their vulnerability research capabilities with effect. Their ability to do so against web assets (SaaS), and against one of the most mature providers, is of note.
In October 2023, PRISMA, a developer, uncovered a critical exploit that allows the generation of persistent Google cookies through token manipulation. This exploit enables continuous access to Google services, even after a user's password reset. A client, a threat actor, later reverse-engineered this script and incorporated it into Lumma Infostealer (See Appendix8), protecting the methodology with advanced blackboxing techniques. This marked the beginning of a ripple effect, as the exploit rapidly spread among various malware groups to keep on par with unique features.
Leveraging HUMINT and technical analysis, [we] identified the exploit's root at an undocumented Google OAuth endpoint named "MultiLogin". This report delves into the exploit's discovery, its evolution, and the broader implications for cybersecurity.
MetaStealer Part 2, Google Cookie Refresher Madness and Stealer Drama is a further technical analysis of the implementation within the implant.
https://russianpanda.com/2023/12/28/MetaStealer-Part-2/
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
Catching OpenSSL misuse using CodeQL
Damien Santiago goes fishing with dynamite with these CodeQL queries. It will be interesting to see how this inspires others. There is also a lesson here in API design and making it difficult to do harm to oneself.
I’ve created five CodeQL queries that catch potentially potent bugs in the OpenSSL libcrypto API, a widely adopted but often unforgiving API that can be misused to cause memory leaks, authentication bypasses, and other subtle cryptographic issues in implementations.
https://blog.trailofbits.com/2023/12/22/catching-openssl-misuse-using-codeql/
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Aggregate reporting
Threat Report H2 2023 - Lastly, the increasing value of bitcoin has not been accompanied by a corresponding increase in cryptocurrency threats, diverging from past trends. However, cryptostealers have seen a notable increase, caused by the rise of the malware-as-a-service (MaaS) infostealer Lumma Stealer, which targets cryptocurrency wallets. These developments show an ever-evolving cybersecurity landscape, with threat actors using a wide range of tactics.
The State of Ransomware in the U.S.: Report and Statistics 2023
PROJEKT: OVERFLOW RISC-V assembly board game - I shared this with a group of friends, one of which then pointed out it was similar to Core War from 1984.
Case study: Factory production halted due to cyberattack on unmanaged terminals - OT security incidents and countermeasures in the manufacturing industry - a case study from Japan
Artificial intelligence
TinyGPT-V: Efficient Multimodal Large Language Model via Small Backbones - computational efficiency [in multimodal models] remains an unresolved issue, as these models, like LLaVA-v1.5-13B, require substantial resources. Addressing these issues, we introduce TinyGPT-V, a new-wave model marrying impressive performance with commonplace computational capacity.
If LLM Is the Wizard, Then Code Is the Wand: A Survey on How Code Empowers Large Language Models to Serve as Intelligent Agents - on, we trace how these profound capabilities of LLMs, brought by code, have led to their emergence as intelligent agents (IAs) in situations where the ability to understand instructions, decompose goals, plan and execute actions, and refine from feedback are crucial to their success on downstream tasks.
Books
Nothing this week
Events
President's Cup Cybersecurity Competition - President’s Cup 5 registration is launched Jan. 3, 2024
INTERPOL Digital Forensics Lab Webinars 2024 - Call for Papers - speaker registration
Unless stated otherwise, linked or referenced content does not necessarily represent the views of the NCSC and reference to third parties or content on their websites should not be taken as endorsement of any kind by the NCSC. The NCSC has no control over the content of third party websites and consequently accepts no responsibility for your use of them.
This newsletter is subject to the NCSC website terms and conditions which can be found at https://www.ncsc.gov.uk/section/about-this-website/terms-and-conditions and you can find out more about how we will treat your personal information in our privacy notice at https://www.ncsc.gov.uk/section/about-this-website/privacy-statement.
Correct link for Cyber Toufan: https://doublepulsar.com/cyber-toufan-goes-oprah-mode-with-free-linux-system-wipes-of-over-100-organisations-eaf249b042dc