CTO at NCSC Summary: week ending January 28th
SEC rule changes continue to shed light on breaches..
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week the Ivanti clean-up continues and then some.
In the high-level this week:
The near-term impact of AI on the cyber threat - An NCSC UK assessment focusing on how AI will impact the efficacy of cyber operations and the implications for the cyber threat over the next two years.
Engaging with Artificial Intelligence (AI) - by ACSC - summarises some important threats related to AI systems and prompts organisations to consider steps they can take to engage with AI while managing risk. It provides mitigations to assist both organisations that use self-hosted and third-party hosted AI systems.
UK Business leaders urged to toughen up cyber attack protections -
New guidelines will help directors and business leaders boost their cyber resilience, as UK government says cyber threats should be prioritised as a key business risk like financial and legal challenges
The proposed Code sets out key actions for Directors to take to strengthen their cyber resilience and help them take full advantage of digital technologies which can fuel innovation and drive competitiveness
UK government also acting to empower organisations to reduce risks associated with business software, protecting organisations, supply chains, staff, and customers
Cybersecurity Incident Tracker - using SEC filings - so everyone can hook it up to their algorithmic trading system / supplier management team.
We learn Hewlett Packard Enterprise Co was also compromised by the same threat actor who compromised Microsoft.
Cyber sanction imposed on Russian cybercriminal for 2022 Medibank Private compromise - imposing financial constraint on our adversaries.
What is the emphasis in the draft new Military Doctrine of Belarus? - For the first time, the national Military Doctrine provides for the possibility of a forceful response to destructive cyber influence
Russian National Sentenced for Involvement in Development and Deployment of Trickbot Malware - According to court documents and public reporting, Vladimir Dunaev, 40, of Amur Oblast, Russia, provided specialized services and technical abilities in furtherance of the Trickbot scheme.
CNMF marks a decade Defending the Nation (US) - Today, CNMF is the U.S. military’s elite joint cyber force, organized into six joint task forces, comprised of over 2,000 Soldiers, Sailors, Marines, Airmen, Coast Guardsmen, and DoD civilians, all working together to Defend the Nation against the world’s most advanced malicious cyber actors.
Belgium wants better interoperability in cyber defence, defence minister says - The interoperability of European armies is today more than ever conditioned by their interoperability in cyberspace
Newly proposed rules to strengthen GDPR enforcement in cross-border cases - the [European] Commission suggests harmonising parties' procedural rights, streamlining and frontloading cooperation among supervisory authorities, and detailing the GDPR's dispute resolution mechanism
Microsoft executive emails breached by Russia - On January 12, 2024, Microsoft (the “Company” or “we”) detected that beginning in late November 2023, a nation-state associated threat actor had gained access to and exfiltrated information from a very small percentage of employee email accounts including members of our senior leadership team and employees in our cybersecurity, legal, and other functions
FTC Order Will Ban InMarket from Selling Precise Consumer Location Data - Data aggregator InMarket Media will be prohibited from selling or licensing any precise location data to settle Federal Trade Commission charges that the company did not fully inform consumers and obtain their consent before collecting and using their location data for advertising and marketing.
Common European Data spaces - Building the Single Market for Data - I have talked before about the Shanghai Data Exchange; Europe is trundling down a path which should enable something similar. It will allow data from across the EU to be made available and exchanged in a trustworthy and secure manner. EU Businesses, public administrations, and individuals will control the data they generate. At the same time, these data holders will benefit from a safe and reliable framework to share their data for innovation purposes.
ED 24-01: Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities
CISA, FBI and EPA Release Incident Response Guide for Water and Wastewater Systems Sector - Developed in collaboration with over 25 WWS Sector industry, nonprofit, and state/local government partners, this resource covers the four stages of the incident response lifecycle
Casinos and cryptocurrency: major drivers of money laundering, underground banking, and cyberfraud in East and Southeast Asia - Cases examined also highlight how illegal online casino operators have diversified business lines to include cyberfraud and cryptocurrency laundering, with extensive evidence of organized crime influence within casino compounds, special economic zones and border areas, including those controlled by armed groups in Myanmar to conceal illicit activities.
Defending Democracy
“As Taiwan voted, Beijing spammed AI avatars, faked paternity tests and ‘leaked’ documents” - by the Australian Strategic Policy Institute - We assess they likely had a minimal impact on the integrity of the election results due to the resilience of Taiwan’s civil society.
Reporting on/from China
Call for Proposals Now Open – ‘Cultural China’ Book Series - Cultural China is a new open access book series edited by Professor Gerda Wielander, Director of the Contemporary China Centre at the University of Westminster.
Artificial intelligence
FTC Launches Inquiry into Generative AI Investments and Partnerships - History shows that new technologies can create new markets and healthy competition. As companies race to develop and monetize AI, we must guard against tactics that foreclose this opportunity
AI and algorithm risks on the rise amidst increased use: master plan necessary to prepare the Netherlands for a future with AI
Limits of Artificial Intelligence for War fighters - by RAND - Two common themes emerge from the use cases: (1) data to train and test AI systems must be current, accessible, and of high quality; and (2) the limitations of AI algorithms can significantly restrict their utility
Cyber proliferation
In first for Togo, RSF identifies spyware on phones of two Togolese journalists - One of the journalists was subjected to a major cyber-espionage operation throughout the first half of 2021.
Notorious Spyware Maker NSO Group Is Quietly Plotting a Comeback - On New Year’s Eve, NSO Group—the Israel-based company behind the Pegasus spyware, one of the world’s most sophisticated cyberweapons—quietly released a new transparency report. The 27-page document is carefully worded—even apologetic—and is intended to demonstrate resilience, progress, and responsibility to further strengthen the company’s human rights compliance program.
The reflections this week are around those companies which, backed by investors, amass/acquire older software/product companies. When we reflect on the likely thesis which underpins both the activity and the overall strategy, it is hard to see how the level of cyber investment required can be forthcoming in all cases. Why do I say this? The bought companies are often longer in the tooth and have established customer bases, but use older technologies and thus have the potential to carry both latent security issues and other forms of technical security debt at not immaterial levels. In reality this means they likely need a disproportionate level of investment, especially if coming out of a period of ownership where the financials were tough, to get them to a level of product security we might want/expect. Given this common scenario it is hard to see how the circle can be squared.. answers on a postcard if you have them.
All attribution is by others and not the UK Government, please see the legal text at the end.
Have a lovely Friday
Ollie
Cyber threat intelligence
Who is doing what to whom and how.
Reporting on Russia
Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard
Microsoft attribution coupled with interesting insight here due to their transparency on the issue. It appears to be largely a series of IT control failures. A reminder to all organisations that it can be control failures in aggregate, rather than zero-days, which are impactful.
Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents. The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself. We are in the process of notifying employees whose email was accessed.
Reporting on China
NSPX30: A sophisticated AitM-enabled implant evolving since 2005
Facundo Muñoz discusses capability which appears to have a regional focus. Through some leaps they suggest it might be Chinese in origin by linking to another known threat actor. How these implants arrive and the fact it has gone on without much fanfare for so long is of note.
We discovered the NSPX30 implant being deployed via the update mechanisms of legitimate software such as Tencent QQ, WPS Office, and Sogou Pinyin.
We have detected the implant in targeted attacks against Chinese and Japanese companies, as well as against individuals located in China, Japan, and the United Kingdom.
Our research traced the evolution of NSPX30 back to a small backdoor from 2005 that we have named Project Wood, designed to collect data from its victims.
NSPX30 is a multistage implant that includes several components such as a dropper, an installer, loaders, an orchestrator, and a backdoor. Both of the latter two have their own sets of plugins.
The implant was designed around the attackers’ capability to conduct packet interception, enabling NSPX30 operators to hide their infrastructure.
NSPX30 is also capable of allowlisting itself in several Chinese antimalware solutions.
We attribute this activity to a new APT group that we have named Blackwood.
Chinese Group UNC3886 Found Exploiting CVE-2023-34048 Since Late 2021
Alexander Marvi, Shawn Chew and Punsaen Boonyakarn attribute this alleged Chinese activity. They appear to have had the vulnerability as a zero-day for a couple of years prior to getting caught, which is noteworthy.
[We] have found UNC3886, a highly advanced China-nexus espionage group, has been exploiting CVE-2023-34048 as far back as late 2021.
https://www.mandiant.com/resources/blog/chinese-vmware-exploitation-since-2021
The Endless Struggle Against APT10: Insights from LODEINFO v0.6.6 - v0.7.3 Analysis
An alleged Chinese implant which is often seen in Japan continues to evolve in this reporting. The fact they are building in anti-analysis capabilities is of note..
Based on our analysis, the malware has been updated with new features, as well as changes to the anti-analysis (analysis avoidance) techniques and the implementation of new features.
In 2023, multiple versions of LODEINFO were also observed, and v0.7.3 was observed in January 2024.
https://blog-en.itochuci.co.jp/entry/2024/01/24/134100
A Look into PlugX Kernel driver
Mahmoud Zohdy pulls apart a kernel driver which they (the threat actor) managed to get signed.
In this blog I will talk about the Signed kernel driver that is used in a recent PlugX attack, the signed kernel drivers that were found on Virus Total are signed through Windows Hardware compatibility program (WHCP) and Sharp Brilliance Communication Technology Co., Ltd..
In summary the kernel driver acts as a user-mode loader which decrypts a 32-bit user-mode PE file and injects it inside Svchost.exe as a child process of services.exe.
https://mahmoudzohdy.github.io/posts/re/plugx/
Reporting on North Korea
ScarCruft | Attackers Gather Strategic Intelligence and Target Cybersecurity Professionals
Aleksandar Milenkoski and Tom Hegel detail how in their opinion North Korea is continuing to evolve and what their targeting is. The continued targeting of security researchers is of note.
[We] observed a campaign by ScarCruft, a suspected North Korean APT group, targeting media organizations and high-profile experts in North Korean affairs.
We recovered malware in the planning and testing phases of ScarCruft’s development cycle, presumably intended for use in future campaigns.
ScarCruft has been experimenting with new infection chains, including the use of a technical threat research report as a decoy, likely targeting consumers of threat intelligence like cybersecurity professionals.
ScarCruft remains committed to acquiring strategic intelligence and possibly intends to gain insights into non-public cyber threat intelligence and defense strategies.
Lazarus Group uses DLL-Side Loading technique
Leeikgyu details a technique they allege is in use by North Korea to get persistence/code execution. DLL side-loading is not new and we now have good detection tradecraft in some EDRs which helps detect it.
The newly confirmed normal program is “wmiapsrv.exe”. The wmiapsrv.exe program is a normal MS module, and the module loads “wbemcomn.dll”, which is used to load the modified and malicious wbemcomn.dll. Additionally, another malicious DLL “netutils.dll” modified in the same path was confirmed. The generated wbemcomn.dll and netutils.dll perform backdoor functions.
Reporting on Iran
Leaks and Revelations: A Web of IRGC Networks and Cyber Companies
The team at Recorded Future attribute this to Iran and provide their analysis which links various organisations together. The relative scale and complexity is of note.
The doxxing and leaks discussed in this report have revealed a network connecting contractors with senior figures within Iranian intelligence. To date, the operations have adversely affected the operational security of contractors like “Ayandeh Sazan Sepehr Aria Company”, “Sabrin Kish”, “Soroush Saman Company”, and other sanctioned entities like “Najee Technology Hooshmand Fater LLC (Najee Technology)” and “Emen Net Pasargad”, which are reported to have been involved in international attack operations at the behest of the IRGC.
There are 4 known intelligence and military organizations linked to the IRGC that engage with the bulk of cyber contracting parties. These include the IRGC-EWCD, the IRGC-IO, the IRGC's Intelligence Protection Organization (IPO), and the IRGC-QF.
The concept of a "cyber center" affiliated with specific military and intelligence contractors is highlighted by various anti-government dissident groups. Insikt Group has observed specific references to centers that serve the IRGC-IO. These likely act as firewalls to guard the sponsoring organization.
Research on the personnel links has revealed an expansive network of senior figures linked to contracting parties that are affiliated with companies and persons sanctioned by the US, the European Union, and other governments. We have observed likely high-ranking figures affiliated with the IRGC linked to cyber-related contracting parties. We assess these relationships to be driven by financial interest.
Insikt Group research suggests that IRGC-related cyber companies are exporting their technologies both for surveillance and offensive purposes to regional governments and non-state actors. Financially motivated operations that involve the transfer of technologies and software are highly likely led by current and former IRGC personnel.
Public records of the contracting companies researched as part of this report suggest that company rebranding (a suspected sign of evasion) is a factor. Public sources revealed that contracting parties like “Mahak Rayan Afraz” and Emen Net Pasargad will disband and rebrand in an attempt to obfuscate their activities. Both companies were reportedly liquidated, in June and August 2023, respectively.
US government indictments are likely proving to be an effective legal and diplomatic tool that affects the public relations of Iranian contractors; this is likely why entities like Mahak Rayan Afraz and Emen Net Pasargad shutter and rebrand every so often. It is likely these efforts also adversely affect contractors’ abilities to openly recruit new and skilled labor.
Iranian anti-government threat actors, hacktivists, and activists continue to grow in number, and the information shared by these groups is complex yet pivotal to conducting link analysis research on Iran's broader contracting landscape.
https://go.recordedfuture.com/hubfs/reports/cta-2024-0125.pdf
Reporting on Other Actors
Cybercrime Central: Vextrio Operates Massive Criminal Affiliate Program
Christopher Kim and Randy McEoin show what a modern day criminal traffic distribution system looks like. The scale is a thing of wonder..
We unveil a set of large-scale malicious relationships involving VexTrio, ClearFake, SocGholish, and many other unnamed actors. This research was completed in collaboration with security researcher Randy McEoin, who discovered ClearFake and has studied SocGholish extensively. While SocGholish and ClearFake are most associated with malware and fake software update pages, they operate traffic distribution systems (TDSs) that route users based on the victim’s device, operating system, location, and other characteristics. VexTrio also operates a TDS that routes compromised web traffic sourced from affiliates, as well as their own infrastructure, to various forms of malicious content. This paper focuses on the actors’ TDS enterprises. We concluded that these three actors have strategic partnerships in which SocGholish and ClearFake pass victims to VexTrio.
Discovery
How we find and understand the latent compromises within our environments.
Advanced threat hunting within Active Directory Domain Services
Tom Wechsler gives a walkthrough of various techniques and Windows events to help detect latent compromises.
Pulse Meter
Rich Warren provides tooling to identify possible IoCs on Ivanti Connect Secure appliances from their System Snapshot.
work in progress for parsing the System Snapshot from an Ivanti Connect Secure appliance to identify possible IOCs related to CVE-2023-46805 and CVE-2024-21887.
https://github.com/rxwx/pulse-meter
Connect to Advanced Hunting API with the Graph SDK PowerShell module
Will Francillette makes us all Power Rangers with this walkthrough..
We will focus on the Advanced Hunting module as an example but other modules are available:
Alerts and incidents
Attack simulation and training
eDiscovery
Information protection
Record management
Secure score
Threat intelligence
Defence
How we proactively defend our environments.
New Microsoft Incident Response guides help security teams analyze suspicious activity
Microsoft shares their wisdom from incidents past..
Microsoft Incident Response are proud to introduce two one-page guides to help security teams investigate suspicious activity in Microsoft 365 and Microsoft Entra. These guides contain the artifacts that Microsoft Incident Response hunts for and uses daily to provide our customers with evidence of Threat Actor activity in their tenant.
CISA, FBI and EPA Release Incident Response Guide for Water and Wastewater Systems Sector
US Government and the Water sector combine forces to help prepare for when. This type of sectoral collaboration is only a good thing.
Developed in collaboration with over 25 WWS Sector industry, nonprofit, and state/local government partners, this resource covers the four stages of the incident response lifecycle:
Preparation: WWS Sector organizations should have an incident response plan in place, implement available services and resources to raise their cyber baseline, and engage with the WWS Sector cyber community.
Detection and analysis: Accurate and timely reporting and rapid collective analysis are essential to understand the full scope and impact of a cyber incident. The guidance provides information on validating an incident, reporting levels, and available technical analysis and support.
Containment, eradication, and recovery: While WWS Sector utilities are conducting their incident response plan, federal partners are focusing on coordinated messaging and information sharing, and remediation and mitigation assistance.
Post-incident activities: Evidence retention, using collected incident data, and lessons learned are the overarching elements for a proper analysis of both the incident and how responders handled it.
Incident Writeups
How they got in and what they did.
Midnight Blizzard: Guidance for responders on nation-state attack
Microsoft provide insights around the Russian intrusion which will help defence teams go looking.
Microsoft was able to identify these attacks in log data by reviewing Exchange Web Services (EWS) activity and using our audit logging features, combined with our extensive knowledge of Midnight Blizzard.
Initial access through password spray
Malicious use of OAuth applications
Collection via Exchange Web Services
Use of residential proxy infrastructure
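As an added example (not Microsoft's code or guidance), the following Python sketches detection logic for three of the patterns listed above, run over constructed sign-in and mailbox-access events. The record fields are assumptions loosely modelled on Entra sign-in and Exchange mailbox audit records, not a real schema.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SignIn:
    ts: str      # ISO-8601 timestamp
    user: str    # account name (UPN)
    ip: str      # source address
    ok: bool     # True for a successful sign-in


@dataclass(frozen=True)
class MailAccess:
    ts: str
    app_id: str   # OAuth application that performed the read (assumed field)
    mailbox: str  # mailbox that was read
    client: str   # client string as Exchange records it, e.g. "Client=WebServices;..."


# Constructed sample sign-ins: a low-and-slow spray from one address that
# lands on a legacy test account, plus a normal user mistyping a password.
SIGNINS = [
    SignIn("2023-11-20T02:00:00Z", "svc-test01@corp.example", "203.0.113.7", False),
    SignIn("2023-11-20T02:00:05Z", "svc-test02@corp.example", "203.0.113.7", False),
    SignIn("2023-11-20T02:00:10Z", "svc-test03@corp.example", "203.0.113.7", False),
    SignIn("2023-11-20T02:00:15Z", "svc-test04@corp.example", "203.0.113.7", False),
    SignIn("2023-11-20T02:00:20Z", "legacy-test-admin@corp.example", "203.0.113.7", False),
    SignIn("2023-11-20T02:00:25Z", "legacy-test-admin@corp.example", "203.0.113.7", True),
    SignIn("2023-11-20T09:00:00Z", "alice@corp.example", "198.51.100.4", False),
    SignIn("2023-11-20T09:00:07Z", "alice@corp.example", "198.51.100.4", False),
    SignIn("2023-11-20T09:00:15Z", "alice@corp.example", "198.51.100.4", True),
]

# Constructed sample mailbox reads: one app pulling several mailboxes over EWS.
MAIL_ACCESS = [
    MailAccess("2023-12-01T03:10:00Z", "app-legacy-test", "ceo@corp.example", "Client=WebServices;ExchangeWebServices"),
    MailAccess("2023-12-01T03:11:00Z", "app-legacy-test", "ciso@corp.example", "Client=WebServices;ExchangeWebServices"),
    MailAccess("2023-12-01T03:12:00Z", "app-legacy-test", "legal@corp.example", "Client=WebServices;ExchangeWebServices"),
    MailAccess("2023-12-01T08:00:00Z", "outlook-desktop", "alice@corp.example", "Client=OutlookDesktop"),
]


def detect_password_spray(signins, min_accounts=5, max_attempts_per_account=2):
    """Source IPs that failed against many distinct accounts with only a few
    attempts each: the shape of a spray rather than a forgotten password.
    Returns {ip: [accounts targeted]}."""
    failures = defaultdict(lambda: defaultdict(int))
    for s in signins:
        if not s.ok:
            failures[s.ip][s.user] += 1
    return {
        ip: sorted(per_user)
        for ip, per_user in failures.items()
        if len(per_user) >= min_accounts
        and max(per_user.values()) <= max_attempts_per_account
    }


def spray_successes(signins, sprays):
    """Successful sign-ins from a spraying IP: the foothold to investigate."""
    return [(s.user, s.ip) for s in signins if s.ok and s.ip in sprays]


def ews_collection_by_app(accesses, min_mailboxes=3):
    """Applications reading several distinct mailboxes through EWS."""
    boxes = defaultdict(set)
    for a in accesses:
        if "WebServices" in a.client:
            boxes[a.app_id].add(a.mailbox)
    return {app: sorted(m) for app, m in boxes.items() if len(m) >= min_mailboxes}


if __name__ == "__main__":
    sprays = detect_password_spray(SIGNINS)
    print("spray sources:", sprays)
    print("footholds:", spray_successes(SIGNINS, sprays))
    print("EWS collection:", ews_collection_by_app(MAIL_ACCESS))
```

Thresholds are deliberately low for the sample; in a real tenant they are tuned against the baseline of legitimate failures and EWS-using applications.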
Vulnerability
Our attack surface.
Authentication Bypass in GoAnywhere MFT
Yep..
Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal.
https://www.fortra.com/security/advisory/fi-2024-001
Shipping your Private Key - CVE-2023-43870, Paxton do a Lenovo
Craig evidences some of the terrifying low-hanging fruit still to be found in quite critical software.
Paxton Access is the Net2 software. This is a centralised access control system. The Net2 software allows for the control of access points in a building or across multiple sites.
https://www.cryptic.red/post/shipping-your-private-key-cve-2023-43870-paxton-do-a-lenovo
GHSL-2023-260: Remote command execution (RCE) in Intel Analytics’ BigDL-LLM
Yep, the same vulnerability classes are starting to be discovered in AI-supporting technology stacks.
Intel Analytics’ BigDL-LLM is a library for running LLM (large language model) on Intel XPU (from Laptop to GPU to Cloud). The finetune server exposes an endpoint allowing attackers to potentially execute malicious commands on developer machines.
https://securitylab.github.com/advisories/GHSL-2023-260_BigDL-LLM/
Offense
Attack capability, techniques and trade-craft.
Exploring historical Linux VX techniques and applying them to modern day
What is old is destined to be new again..
Stealing your email with a .txt file
Writeup of CVE-2023-47272 as exploited in the wild in October 2023
The vuln centered around rendering embedded js in a preview pane of an “inline” txt attachment. XSS exploits, compared to RCE, have for too long been viewed with mockery and derision by many in the security community, but this payload will illustrate that a mere XSS can cause your mailbox and address book to be exfil’d.
https://blog.strikeready.com/blog/stealing-your-email-with-a-.txt-file/
GraphStrike: Cobalt Strike HTTPS beaconing over Microsoft Graph API
Microsoft will hopefully nuke this technique from working at source..
GraphStrike is a suite of tools that enables Cobalt Strike's HTTPS Beacon to use Microsoft Graph API for C2 communications. All Beacon traffic will be transmitted via two files created in the attacker's SharePoint site, and all communications from Beacon will route to https://graph.microsoft.com
https://github.com/RedSiege/GraphStrike
Exploitation
What is being exploited.
Ivanti Connect Secure VPN Exploitation: New Observations
Matthew Meltzer, Sean Koessel and Steven Adair fire a warning shot on how devices could become vulnerable again.
[Volexity] continued its investigation into activity conducted by UTA0178 and made a few notable discoveries. The first relates to the GIFTEDVISITOR webshell that Volexity scanned for, which led to the initial discovery of over 1,700 compromised Ivanti Connect Secure VPN devices. On January 16, 2024, Volexity conducted a new scan for this backdoor and found an additional 368 compromised Ivanti Connect Secure VPN appliances, bringing the total count of systems infected by GIFTEDVISITOR to over 2,100.
The second discovery came from further analysis of an Ivanti Connect Secure VPN appliance compromised in December 2023. Volexity found that UTA0178 had made modifications to the in-built Integrity Checker Tool. These modifications would result in the in-built Integrity Checker Tool always reporting that there were no new or mismatched files regardless of how many were identified. Administrative review of system logs would show no issues of concern.
Volexity also recently learned of a potential issue that organizations may be facing when attempting to bring fresh Ivanti Connect Secure VPN appliances back online that leave them in a vulnerable state. These findings may partially account for why there has been an increase in compromised systems in subsequent scans. This issue, and more on the findings referenced above, are detailed in the sections that follow.
https://www.volexity.com/blog/2024/01/18/ivanti-connect-secure-vpn-exploitation-new-observations/
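As an added example (not Volexity's or Ivanti's tooling), the following Python shows the external, baseline-driven check that a tampered in-built checker cannot defeat: file hashes are compared against a manifest captured from a known-good state, and the checker's own hash is verified before its "all clean" verdict is believed. The directory layout and file names are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Streaming SHA-256 of one file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """{relative path: sha256} for every regular file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_manifests(baseline, current):
    """Files that appeared, vanished or changed since the trusted baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def checker_verdict_is_trustworthy(checker_path, known_good_sha256, verdict_clean):
    """A "no mismatches" verdict only counts if the checker itself still
    matches its known-good hash; a modified checker proves nothing."""
    return verdict_clean and sha256_file(checker_path) == known_good_sha256


def demo():
    """Build a baseline from a constructed tree, tamper with it the way the
    report describes (checker patched, file dropped in), and re-check."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "www").mkdir()
        checker = root / "bin" / "check_integrity"
        checker.write_bytes(b"#!/bin/sh\ncompare_hashes \"$@\"\n")
        (root / "www" / "index.cgi").write_bytes(b"#!/bin/sh\necho ok\n")
        baseline = build_manifest(root)  # captured while the system is known good
        checker_known_good = baseline["bin/check_integrity"]

        # Tampering: checker replaced by one that always reports clean,
        # and an unexpected file added under the web root.
        checker.write_bytes(b"#!/bin/sh\necho 'no new or mismatched files'\n")
        (root / "www" / "extra.cgi").write_bytes(b"#!/bin/sh\necho hi\n")

        diff = compare_manifests(baseline, build_manifest(root))
        trusted = checker_verdict_is_trustworthy(checker, checker_known_good, True)
        return diff, trusted


if __name__ == "__main__":
    diff, trusted = demo()
    print("differences vs baseline:", diff)
    print("in-built checker verdict trustworthy:", trusted)
```

The baseline manifest and the checker's known-good hash must be stored off the appliance, otherwise an attacker who can patch the checker can patch the baseline too.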
CVE-2023-36025 Exploited for Defense Evasion in Phemedrone Stealer Campaign
Peter Girnus, Aliakbar Zahravi and Simon Zuckerbraun evidence that organised crime is increasingly technically capable. The fact they weaponised this vulnerability and used it to target sensitive data at scale really is a worry.
Phemedrone targets web browsers and data from cryptocurrency wallets and messaging apps such as Telegram, Steam, and Discord. It also takes screenshots and gathers system information regarding hardware, location, and operating system details. The stolen data is then sent to the attackers via Telegram or their command-and-control (C&C) server. This open-source stealer is written in C# and is actively maintained on GitHub and Telegram.
CVE-2023-36025 affects Microsoft Windows Defender SmartScreen and stems from the lack of checks and associated prompts on Internet Shortcut (.url) files. Threat actors can leverage this vulnerability by crafting .url files that download and execute malicious scripts that bypass the Windows Defender SmartScreen warning and checks.
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
Memory Scanning for the Masses
Axel Boesenach and Erik Schamper release a library which will be useful in a variety of situations to help with detection.
a user-friendly memory scanning Python library that was created out of the necessity of having more control during memory scanning.
http://blog.fox-it.com/2024/01/25/memory-scanning-for-the-masses/
FLOSS for Gophers and Crabs: Extracting Strings from Go and Rust Executables
Arnav Kharbanda, Willi Ballenthin and Moritz Raabe provide a useful work aid for these programming languages which bork traditional ‘strings’..
To support the static analysis of Go and Rust executables, FLOSS now extracts program strings using enhanced algorithms. Where traditional extraction algorithms provide compound and confusing string output FLOSS recovers the individual Go and Rust strings as they are used in a program.
https://www.mandiant.com/resources/blog/extracting-strings-go-rust-executables
An introduction to reverse engineering .NET AOT applications
AOT (“ahead of time”) compilation was used by DuckTail out of Vietnam and this is an overview..
.NET AOT looks a lot like C++ code, which is no surprise since Visual Studio required the C++ component to generate AOT files.
The calling convention for x64 appears to be pretty standard, using the registers RCX, RDX, R8 and R9 and then the stack to pass arguments.
IDA doesn’t have signatures for .NET runtime functions compiled ahead of time, so nothing is recognized.
Pointers to strings lead to uninitialized memory in a section called hydrated 😱
https://harfanglab.io/en/insidethelab/reverse-engineering-ida-pro-aot-net/
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Aggregate reporting
Graph-Based Security Patch Detection with Enriched Code Semantics.
Artificial intelligence
Books
Nothing this week
Events
Nothing this week
Unless stated otherwise, linked or referenced content does not necessarily represent the views of the NCSC and reference to third parties or content on their websites should not be taken as endorsement of any kind by the NCSC. The NCSC has no control over the content of third party websites and consequently accepts no responsibility for your use of them.
This newsletter is subject to the NCSC website terms and conditions which can be found at https://www.ncsc.gov.uk/section/about-this-website/terms-and-conditions and you can find out more about how we will treat your personal information in our privacy notice at https://www.ncsc.gov.uk/section/about-this-website/privacy-statement.