CTO at NCSC Summary: week ending January 5th
Happy New Year edition 🎆
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week the CyberHaven Chrome extension breach has some initial analysis published. Steven Lim released a KQL query to help identify if any of the extensions were in use within organisations.
In the high-level this week:
Department of Treasury letter on their alleged breach by China via BeyondTrust - NextGov publishes - “On December 8, 2024, Treasury was notified by a third-party software service provider, BeyondTrust, that a threat actor had gained access to a key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices (DO) end users. With access to the stolen key, the threat actor was able override the service’s security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users.”
Justice Department Issues Final Rule Addressing Threat Posed by Foreign Adversaries’ Access to Americans’ Sensitive Personal Data - US Department of Justice issues - “The Final Rule implements the E.O. by promulgating generally applicable rules for certain categories of data transactions that pose an unacceptable risk to the national security of the United States. As described in the E.O., countries of concern and covered persons can use their access to this data to engage in malicious cyber-enabled activities and malign foreign influence activities, bolster their military capabilities, and track and build profiles on U.S. persons (including members of the military and U.S. Intelligence Community, as well as other Federal employees and contractors) for illicit purposes such as blackmail, coercion, and espionage, and to bolster their military capabilities.”
National Security Division of the DoJ also publishes 'Data Security’ - “Concurrently with the Department’s issuance of the Final Rule, the Department of Homeland Security’s Cybersecurity and Infrastructure Agency (CISA) issued the final security requirements with which U.S. persons engaged in restricted transactions must comply.”
Our government's independent sanctions against North Korea - South Korean Ministry of Foreign Affairs details - “UN North Korea Sanctions Committee Expert Panel Annual Report, North Korea assesses cyber-theft to cover approximately 40% of WMD development costs” .. “Against this backdrop, the government is designating 15 North Korean IT organization members and one related organization that have been procuring funds for North Korea's nuclear and missile development through overseas foreign currency-earning activities as targets of independent sanctions against North Korea.”
NATO’s Emergency Plan for an Orbital Backup Internet - IEEE Spectrum publishes - “NATO’s HEIST project is now investigating ways to protect member countries’ undersea Internet lines, including these 22 Atlantic cable paths, by quickly detecting cable damage and rerouting data to satellites.”
Remarks by National Economic Advisor Lael Brainard on Making America’s Supply Chains More Resilient - The White House discusses - “New dependencies are constantly emerging, and some supply chain chokepoints create national security risks, such as the ability of a foreign adversary to cut off supplies of a key mineral used in defense applications. It will be important to utilize the full scope of our national security tools to protect supply chains when necessary, as with the Department of Commerce’s ICTS rulemaking on data security for connected vehicles, ensuring that foreign adversaries cannot exploit consumer products that Americans use every day for harmful purposes.”
HIPAA Security Rule Notice of Proposed Rulemaking to Strengthen Cybersecurity for Electronic Protected Health Information - U.S. Department of Health and Human Services publishes - including “Require the development and revision of a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, but at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI.”
Commerce Issues Advance Notice of Proposed Rulemaking to Secure Unmanned Aircraft Systems - U.S. Bureau of Industry and Security publishes - “Securing the unmanned aircraft systems technology supply chain is critical to safeguarding our national security. This ANPRM is an essential step in protecting the United States from vulnerabilities posed by foreign entities,”
CISO 2024 Leadership & Organization Benchmark Summary - IANS and ARTICO publish - “Security team size tends to scale in alignment with company size. Firms with revenues exceeding $6 billion generally have security teams of more than 50 professionals. Companies with revenues between $400 million and $6 billion typically have security teams ranging from 10 to 50 members, and most organizations with revenues up to $400 million employ fewer than 10 security professionals.”
Reporting on/from China
New US cybersecurity measures follow alleged China-backed Salt Typhoon campaign - South China Morning Post reports - "Neuberger cited one case in which a single administrator account controlled access to more than 100,000 routers, giving hackers unfettered control”
US considers rule that could restrict or ban drones with Chinese tech - South China Morning Post reports - “The US Department of Commerce’s Bureau of Industry and Security (BIS) said on Thursday that it was soliciting public opinion by March 4 on a rule regarding risks associated with China and Russia over the information and communication technology and services (ICTS) integral in the supply chain for unmanned aircraft systems (UAS), or drones.”
New cross-regional computing service hub officially in operation in West China - China Daily reports - “A large intelligent computing center based in Southwest China's Sichuan province has officially launched a cross-regional computing power service, providing a new engine for the development of artificial intelligence (AI) industry in the country's vast west region.”
AI
Hacking CTFs with Plain Agents - Palisade Research publishes - “We saturate a high-school-level hacking benchmark with plain LLM agent design. Concretely, we obtain 95% performance on InterCode-CTF, a popular offensive security benchmark, using prompting, tool use, and multiple attempts. This beats prior work by Phuong et al. 2024 (29%) and Abramovich et al. 2024 (72%).”
Securing Artificial Intelligence - Booz Allen publishes - I really wrestled with this paper - for example some of the assertions in the ‘why is Ai security unique’ section really are not and could be said for pretty much all software.
Paper so you can form a view…
Agent-SafetyBench: Evaluating the Safety of LLM Agents - Tsinghua University publishes - “Our evaluation of 16 popular LLM agents reveals a concerning result: none of the agents achieves a safety score above 60%.”
AI Hunter: We found 0day vulnerabilities using big models! [Big Model Application Practice Series 3] - Tencent Woodpecker Team publishes - “After the solution was finalized, we selected the top 500 mainstream Java open source projects (especially Web application projects, such as Spring Boot projects) with the most collections (i.e. the number of stars) on GitHub and tested them using our AI vulnerability detection tool. In the end, 11 high-risk 0day vulnerabilities were captured!”
Security Weaknesses of Copilot-Generated Code in GitHub Projects: An Empirical Study - Wuhan University, Massey University, Central China Normal University and RMIT University publish a December 30th update to this paper - “Our results show that around 30% of the 733 generated code snippets contain security weaknesses.“ .. “The detected security weaknesses are diverse in nature and are associated with 43 different CWEs”
Cyber proliferation
From Pegasus to Predator - The evolution of Commercial Spyware on iOS - Matthias Frielingsdorf presents - a good technical summary from CCC in Germany, highlights the constraints of closed eco-systems also..
Bounty Hunting
Nothing this week..
2024 Cyber Market Report - Tokio Marine HCC publishes - found it this week - “In 2024, premium rate change in the US cyber insurance market has fallen to below zero, marking the onset of a soft market. In addition to price reductions, insurers have also rolled back eligibility criteria, expanded coverage and reduced deductible levels over the past 12 months. Insurance market cycles typically shift following a few years of price hikes, and given the significant tightening between 2020 and 2022, it is not surprising that the market has transitioned into a soft phase. Hard markets, on the other hand, typically happen after several years of elevated loss activity, falling premium rates and/or one or several catastrophic events. The question is how long the soft market phase will last and what can be inferred from the 2023 year loss performance and the loss activity we’ve observed in 2024 so far. It’s possible that cyber insurance will see more rapid shifts in market cycles than traditional lines of insurance given the dynamic nature of the risk.”
Reflections this week are around information asymmetry between those who produce software and those that buy/consume it (be that as SaaS or physically). I have previously talked at a high-level about this challenge in the context of Market Incentives.
The question is how do we get to an appropriate level of software transparency and build on the foundations that Software Bill of Materials have started to provide?
The reality is we know more about what is in our sausages than our software. In 2025 this does not sit comfortably. Yes, SBOMs do tell us the third party libraries and their versions.. but that leaves an awful lot we still don’t know about the software we consume.
You can see a world where we also want to know for any product/solution:
The programming languages and % of code base - why? are they unsafe, insecure or more prone to vulnerability/security.
Age of code and % of code churn -vs- new over time - why? it is being maintained or simply sweated?
Compiler/linker/runtime versions used - why? are they unsafe of similar.
.. then a Christmas list of other things … e.g.
# of unparameterized SQL queries
Cryptographic algorithms and key sizes
The real test is to find those ‘features’ (in the machine learning sense) or ‘observables’ which can be extracted automatically and packaged / published in a machine readable format which are indicators as to the solutions real-world cyber security (or lack there of).
The whole objective is to allow more informed buying decisions and reduce the ability for fundamentally insecure software to find a market..
It is only through such fundamental changes can we expect to achieve the practical and real-world outcomes we seek in any reasonable period of time..
Think someone else would benefit? Share:
All attribution is by others and not the UK Government unless specifically stated as such, please see the legal text at the end.
Have a lovely Friday…
Ollie
Cyber threat intelligence
Who is doing what to whom and how allegedly.
Reporting on Russia
I’m (Not) Your Army Assistant - Stealthy SSH Over TOR Backdoor Targeting the Ukrainian Military
This campaign has been covered in previous week. Including this week as Artem Baranov does a nice job of summarising this alleged Russian campaign.
https://aibaranov.github.io/armyplus/
Reporting on China
Decoding the Chinese Document Leaks
NHK (Japan’s national broadcaster) have released their documentary in English on the alleged iSoon leaks. Not available online yet, but aired in Japan on December 28th.
Teaming with experts in 7 locations around the world, we conducted an analysis of internal records leaked from a Chinese cybersecurity company, delving into the new threats spreading on the internet.
https://www3.nhk.or.jp/nhkworld/en/shows/4001457/
PlugX worm disinfection campaign feedbacks
Sekoia provides some insight into how many countries were able to use the sinkhole infrastructure legally to disinfect the victims. There is something in here that 12 who wanted to appeared unable to for unknown reasons..
In September 2023, we successfully took ownership of one of the IP addresses used by the PlugX worm—a variant of PlugX associated with Mustang Panda, which possesses worming capabilities by infecting flash drives. Following this success, we studied the inner workings of this malware to determine whether there was any possibility, by using the access we had gained, to disinfect the thousands of computers making requests to our sinkhole every second.
..
At the end of the campaign, 34 countries requested simple sinkhole logs to identify which networks were compromised, 22 countries expressed interest in the disinfection process, and we were able to establish a legal framework and conduct disinfection operations for 10 countries.
https://blog.sekoia.io/plugx-worm-disinfection-campaign-feedbacks/
Reporting on North Korea
Analysis of the attack activities of APT-C-26 (Lazarus) using weaponized IPMsg software
360 Threat Intelligence Center detail a campaign alleged by North Korea which leverages social engineering for initial access. Wrapping of existing installers with malicious ones is of note..
The attacker sent the target a weaponized IPMsg installer. When the user executes this program, it releases a malicious DLL file. This DLL file first releases the official version of the IPMsg installer 5.6.18.0 and executes it to confuse the user. Then, the malicious DLL file decrypts and releases multiple additional DLL files in memory. After a series of operations, these DLL files eventually form a backdoor that continuously communicates with the remote control server (C2). Through this communication, the attacker can obtain and execute subsequent payloads to further carry out attacks and steal sensitive information.
OtterCookie
NTT publishes what they alleged is the next evolution of this North Korean campaign. Not overly noteworthy beyond using Socket.IO (a SaaS) for command & control communication.
Contagious Interview is said to be an attack campaign related to North Korea, and a report was published by Palo Alto Networks in November 2023. Unlike typical nation-sponsored targeted attacks, Contagious Interview is said to be financially motivated and targets a relatively wide range of targets.
..
Since around November 2024, SOC has observed the execution of malware other than BeaverTail and InvisibleFerret in the Contagious Interview campaign. We call the newly observed malware OtterCookie and have investigated it
Analysis of Attack Cases Against Korean Solutions by the Andariel Group
Ahnlab give a sense of what they allege are the initial access mechanisms by this North Korean actor. They include asset management and document management systems..
Asset management solutions are continuously exploited in attacks, and due to their nature, it is presumed that after the control server is compromised, the threat actor exploits it to execute malware installation commands. In most of these attack cases, ModeLoader was installed.
Additionally, there has been a case where control was seized through brute force and dictionary attacks on exposed update servers. In this case, the threat actor replaced the update program with SmallTiger, attempting to distribute SmallTiger across the systems within the organization through this process.
In the recently identified case, the method of initial access or specific distribution method has not been found, but SmallTiger was installed in the installation path of the asset management solution, and a keylogger was used alongside it. The keylogger is unique in that it stores the user’s keystrokes in the “MsMpLog.tmp” file in the same path.
https://asec.ahnlab.com/en/85400/
Reporting on Iran
Nothing this week
Reporting on Other Actors
Nothing this week
Discovery
How we find and understand the latent compromises within our environments.
Work-in-Progress: Emerging E/E-Architectures as Enabler for Automotive Honeypots
Niclas Ilg, Dominik Germek , Paul Duplys , and Michael Menth explore what the reasons might be. I am not entirely convinced here as the use case and static/consistent nature of the networks means that any adversary are unlikely to be lured in the same way..
In the automotive domain, however, honeypots have never found their way into practical application. In this work, we highlight how emerging invehicle architectures present opportunities for honeypot deployments inside the vehicle and threat landscape monitoring on the Internet. In contrast to existing research, we consider emerging in-vehicle architectures and how functional limitations from the automotive industry have prevented the widespread use of honeypots in the past.
https://atlas.cs.uni-tuebingen.de/~menth/papers/Menth24g.pdf
A Memory-Efficient APT Hunting System Based on Attack Representation Learning
..
MEGR-APT is a scalable APT hunting system to discover suspicious subgraphs matching an attack scenario (query graph) published in Cyber Threat Intelligence (CTI) reports. MEGR-APT hunts APTs in a twofold process: (i) memory-efficient suspicious subgraphs extraction, and (ii) fast subgraph matching based on graph neural network (GNN) and attack representation learning.
https://github.com/CoDS-GCS/MEGR-APT-code
100 Days of Yara
Greg Lesnewich has kicked off #100DaysOfYara once more - the collection of which can be found on Github.
https://github.com/100DaysofYARA/2025/tree/main
Defence
How we proactively defend our environments.
How We are Self Hosting Code Scanning at Reddit
Charan Akiri and Christopher Guerra detail the engineering behind the build for use cases including security..
https://www.reddit.com/r/RedditEng/comments/1hks4f3/how_we_are_self_hosting_code_scanning_at_reddit/
DLL Hound
AJ Hammond releases this tool which will highlight the sheer scale of this challenge.
A lightweight PowerShell-based scanner designed to identify missing or unresolved DLLs, helping you detect potential DLL sideloading vulnerabilities on your Windows system.
https://github.com/ajm4n/DLLHound
RAMN (Resistant Automotive Miniature Network)
Toyota shows what Secure by [Design/Default/Demand] may look like in future vehicles..
RAMN (Resistant Automotive Miniature Network) is a miniature CAN/CAN-FD testbed of four Electronic Control Units (ECUs) consisting solely of Printed Circuit Boards. The ECUs can be programmed to emulate the same network traffic as PASTA, another project from our team. RAMN is powered over USB and can be recognized as a standard CAN adapter (slcan). It can be connected in closed-loop with the autonomous driving simulator CARLA. What happens to the virtual vehicle has an impact on the physical CAN/CAN-FD bus, and vice versa. RAMN can be expanded with many stackable expansions, ranging from external quadSPI memories to Trusted Platform Modules (TPMs).
https://github.com/ToyotaInfoTech/RAMN
Incident Writeups & Disclosures
How they got in and what they did.
Cyberhaven’s preliminary analysis of the recent malicious Chrome extension
Details of how it went down..
A phished email was sent to Chrome Extension developers. In this case the email was initially sent to the registered support email which is in the public domain.
Once the employee clicked on the email, they were taken to the standard Google authorization flow for adding a malicious OAUTH Google application called “Privacy Policy Extension”.
The attacker gained requisite permissions via the malicious application (“Privacy Policy Extension”) and uploaded a malicious Chrome extension to the Chrome Web Store. After the customary Chrome Web Store Security review process, the malicious extension was approved for publication.
Vulnerability
Our attack surface.
TikTag: Breaking ARM's Memory Tagging Extension with Speculative Execution
Juhee Kim, Jinbum Park, Sihyeon Roh, Jaeyoung Chung, Youngjoo Lee, Taesoo Kim, and Byoungyoung Lee identify a vulnerability class which will be useful to those looking to exploit in a variety of situations i.e. not just locally. It will be interesting to see what the fixes are and if they are realistic in terms of performance penalty.
Specifically, this paper identifies new TikTag gadgets capable of leaking the MTE tags from arbitrary memory addresses through speculative execution. With TikTag gadgets, attackers can bypass the probabilistic defense of MTE, increasing the attack success rate by close to 100%. We demonstrate that TikTag gadgets can be used to bypass MTE-based mitigations in real-world systems, Google Chrome and the Linux kernel. Experimental results show that TikTag gadgets can successfully leak an MTE tag with a success rate higher than 95% in less than 4 seconds. We further propose new defense mechanisms to mitigate the security risks posed by TikTag gadgets.
https://arxiv.org/abs/2406.08719
Dirty DAG
Ofir Balassiano and David Orlovsky detail that there were a number of vulnerabilities in Azure Data Factory’s Apache Airflow Integration. This is noteworthy as secure by design / threat modelling would have identified at least some of these. So interesting that they were found in production..
Our research identified multiple vulnerabilities in the Azure Data Factory:
Misconfigured Kubernetes RBAC in Airflow cluster
Misconfigured secret handling of the Azure’s internal Geneva service
Weak authentication for Geneva
These vulnerabilities could enable attackers to escape from their pods, gain unauthorized administrative control over clusters and access Azure's internal services (Geneva). Attackers could exploit the vulnerabilities through compromised service principals or unauthorized modifications to DAG files. This could enable attackers to become shadow administrators and to gain full control over managed Airflow deployments on a single tenant base.
Offense
Attack capability, techniques and trade-craft.
Evil-Go
Haroun Al Mounayar gives some inspiration of how malicious compilers can highlight the fragility of security tooling. Similar techniques will be applicable to things like imphashes etc.
evil-go is a fork of go with some tweaks here and there to generate more stealthy binaries. It mainly includes, IAT hiding and GoReSym evasion.
https://github.com/almounah/evil-go/tree/release-branch.go1.23
BlackPill
Shard, Theo Abel, Kylm and Esgr0bar give the world a new novel Linux rootkit to stretch those Linux EDR/telemetry solutions..
A Linux kernel rootkit in Rust using a custom made type-2 hypervisor, eBPF XDP and TC programs
The rootkit is composed of multiple modules (talking about Rust modules, not kernel modules):
defense evasion: hide files, processes, network connections, etc.
hooking: hook syscalls and IDT
hypervisor: create a virtual machine to execute malicious code
persistence: make the rootkit persistent after reboot and resilient to suppression
utils: various utilities
Sharp Execute
NtDallas gives the world a capability which we can expect malicious use of in 3..2..
Executing .NET Files from an Unmanaged Process with Manual CLR Loading.
Manually loading the CLR in an unmanaged process and using hardware breakpoints can reveal when the CLR calls
NtTraceEventthrough the managed thread pool.To evade detection, this tool offers two approaches:
Patchless execution by hooking
NtTraceEventAmsiScanand thread-pooling functions using hardware breakpoints.Patching the target function via an APC (Asynchronous Procedure Call).
The CLR utilizes thread pooling to optimize the execution of .NET applications. Some calls to
NtTraceEventare made via the thread pool. To evade these calls, it is necessary to either control the thread pool or patch the function's implementation.
https://github.com/NtDallas/sharp-execute
Protect Loader
Furax124 shows that 15 year olds in successive generations continue to smash it it out of the park even if it creates a degree of detection headwinds..
Protect Loader is a shellcode loader written in pure golang designed to provide various security and evasion techniques for Go applications. It includes features such as shellcode loading, obfuscation, the use of indirect syscalls, and much more.
Features
Shellcode Loading: Secure shellcode loading using apc method.
GUI: User interface created with Fyne.
Obfuscation: Code obfuscation with garble.
Indirect Syscalls: Use of indirect syscalls by acheron for evasion.
Api ashing: Acheron package have a integrated api hashing for evasion
Bypass AMSI and EDR: Techniques to bypass AMSI and EDR.
Admin Privileges Check: Check if admin privileges are enabled.
Random Sleep: Adding random delays.
Block Non-Microsoft DLLs: Blocking the injection of non-Microsoft DLLs.
Phantom Technique: Suspension of event logs.
Unhooking: Removal of hooks for av evasion.
PE file To Shellcode: The PE file is automatically transformed into a .bin using Donut and encoded using Shikata ga nai and encrypted using two layer of encryption (aes and xor)
Key Encryption: The key generated is encrypted using XOR to prevent his extraction
https://github.com/furax124/Protect_Loader
Hiding Linux Processes with Bind Mounts
Hal Pomeranz refines this technique which will lead to some detection engineering chess..
Lately I’ve been thinking about Stephan Berger’s recent blog post on hiding Linux processes with bind mounts. Bottom line here is that if you have an evil process you want to hide, use a bind mount to mount a different directory on top of the /proc/PID directory for the evil process.
..
In the original article, Stephan uses a nearly empty directory to overlay the original /proc/PID directory for the process he is hiding. I started thinking about how I could write a tool that would populate a more realistic looking spoofed directory. But after doing some prototypes and running into annoying complexities I realized there is a much easier approach.
https://righteousit.com/2024/07/24/hiding-linux-processes-with-bind-mounts/
The Convergence of Piggybacking and Adversarial Example in Android Malicious Software Generation
Heng Li (李珩), Zhiyuan Yao (姚致远), Bang Wu(吴棒), Cuiying Gao(高翠莹), Teng Xu(许腾), Wei Yuan#(袁巍) and Xiapu Luo(罗夏朴) from a Hong Kong university detail how this might work.. preview of the paper which I can’t find..
Our attack method consists of three modules: malicious payload (i.e., malicious code snippets) extraction, adversarial perturbation generation, and benign carrier (i.e., benign application) selection. First, we analyze the malicious code blocks that can be automatically inserted from the existing malware detection. Second, we propose a perturbation generation algorithm to ensure that the perturbation is targeted to a certain malicious code block and universal to different benign carriers. Finally, we select appropriate benign application carriers and insert the perturbation code and malicious code into different benign application carriers to achieve the purpose of batch generating malware adversarial samples.
https://mp.weixin.qq.com/s/i0w0eoj-nJczkJawhfWl-A
Exploitation
What is being exploited..
Additional Evidence of SonicWall CVE-2024-40766 Exploitation by Akira and Fog, and Patch Progress
瀬治山 豊 details criminal exploitation of this vulnerability and gives a sense as to the scale.
I have found strong indications that the ransomware groups Akira and Fog are still exploiting this vulnerability for unauthorized access. Through my ongoing investigations, I found that, as of December 23, 2024, the number of companies suspected to have been compromised by these two groups via this vulnerability had exceeded 100.
Four-Faith Industrial Router CVE-2024-12856 Exploited in the Wild
Jacob Baines details the in the wild exploitation of this vulnerability.. also not sure that using default credentials means it is unauthenticated..
[We] observed a new post-authentication vulnerability affecting Four-Faith industrial routers being exploited in the wild. The attacker leveraged the router’s default credentials, effectively resulting in unauthenticated remote command injection. VulnCheck has assigned this issue CVE-2024-12856.
https://vulncheck.com/blog/four-faith-cve-2024-12856
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
Power-Related Side-Channel Attacks using the Android Sensor Framework
Mathias Oberhuber, Martin Unterguggenberger, Lukas Maar, Andreas Kogler, Stefan Mangard again highlight the quality and novelty of research coming out of academia..
In this paper, we show that Android mobile devices expose numerous power-related signals that allow power side-channel attacks. We systematically analyze unprivileged sensors provided by the Android sensor framework on multiple devices and show that these sensors expose parasitic influences of the power consumption. Our results include new insights into Android sensor leakage, particularly a novel leakage primitive: the rotation-dependent power leakage of the geomagnetic rotation vector sensor. We extensively evaluate the exposed sensors for different information leakage types. We compare them with the corresponding ground truth, achieving correlations greater than 0.9 for some of our tested sensors. In extreme cases, we observe not only statistical results but also, e.g., changes in a compass app’s needle by approximately 30° due to CPU stress. Additionally, we evaluate the capabilities of our identified leakage primitives in two case studies: As a remote attacker via the Google Chrome web browser and as a local attacker running inside an installed app. In particular, we present an end-to-end pixel-stealing attack on different Android devices that effectively circumvents the browser’s cross-origin isolation with a leakage rate of 5 - 10 s per pixel. Lastly, we demonstrate a proof-of concept AES attack, leaking individual key bytes using our newly discovered leakage primitive
https://andreaskogler.com/papers/androidsensors.pdf
Finding Bugs Efficiently
Ned Williamson’s presentation from Arizona State University Applied Vulnerability Research course.
https://github.com/nedwill/presentations/blob/main/asu-2024.pdf
EMBA
Michael Messner et al give us a refreshed BinWalk esq tool..
EMBA is designed as the central firmware analysis and SBOM tool for penetration testers, product security teams, developers and responsible product managers. It supports the complete security analysis process starting with firmware extraction, doing static analysis and dynamic analysis via emulation, building the SBOM and finally generating a web based vulnerability report. EMBA automatically discovers possible weak spots and vulnerabilities in firmware. Examples are insecure binaries, old and outdated software components, potentially vulnerable scripts, or hard-coded passwords. EMBA is a command line tool with the possibility to generate an easy-to-use web report for further analysis.
https://github.com/e-m-b-a/emba
YaraVM
Milankovo provides a work aid for those reverse engineering Yara rules..
a processor module and a loader for IDA Pro, enabling you to load and analyze compiled Yara rules.
https://github.com/milankovo/YaraVM
GPU-accelerated hash cracker with Rust and CUDA
Yoray Herzberg provides a practical walk through on how this was implemented. The writeup is excellent..
https://vaktibabat.github.io/posts/cudacracker/
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Aggregate reporting
Nothing this week
A Global Perspective on the Past, Present, and Future of Video Streaming over Starlink
When to choose a ‘mission’ approach? - Observatory of Public Sector Innovation
Studies in Intelligence 68, No. 5 (Special Edition, IRTPA 20 Years On, December 2024) including
Integrating the IC’s Cyber Security Mission by Melissa Hathaway
Remote Sensing Time Series Analysis: A Review of Data and Applications
Summary of Fuzz Papers from the Four Top Information Security Conferences in 2024 (Chinese)
MISP-standard.org - Introducing the MISP Threat Actor Naming Standard
Artificial intelligence
Books
Events
Network and Distributed System Security (NDSS) Symposium 2025 - 24 to 28 February 2025 in San Diego, California.
Safeguarding critical infrastructure beyond borders: Uniting diplomatic and technical efforts for a cyber resilient digital future - The United Nations Institute for Disarmament Research ran on December 18th
38C3 Talks / Videos - some stand outs for me
Moving with feelings: Behind the scenes of a one man show mobile & fiber operator in Spain
From Pegasus to Predator - The evolution of Commercial Spyware on iOS
ACE up the sleeve: Hacking into Apple's new USB-C Controller
The Design Decisions behind the first Open-Everything FABulous FPGA
The ongoing (silent) storm in the medical devices industry and since when cybersecurity is a thing
Video of the week is Rep. Mike Waltz on Fox News discussing CCP and Cyber..
Finally I am back in the UK after a vacation in Tasmania for the first time in 20 years. I had the opportunity to visit MONA (Museum of Old and New Art) whilst down there. There are various code / cyber things on show including this little gem..
Unless stated otherwise, linked or referenced content does not necessarily represent the views of the NCSC and reference to third parties or content on their websites should not be taken as endorsement of any kind by the NCSC. The NCSC has no control over the content of third party websites and consequently accepts no responsibility for your use of them.
This newsletter is subject to the NCSC website terms and conditions which can be found at https://www.ncsc.gov.uk/section/about-this-website/terms-and-conditions and you can find out more about how will treat your personal information in our privacy notice at https://www.ncsc.gov.uk/section/about-this-website/privacy-statement.