CTO at NCSC Summary: week ending July 14th
Tap tap tap... HELLO WE'RE BACK!
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week nothing overly of note but the new normal is indeed reminiscent of climate change..
In the high-level this week:
The NCSC and partners issue alert about evolving techniques used by China state-sponsored cyber attackers - “The threat group APT40 has embraced the trend of exploiting vulnerable small-office and home-office (SoHo) devices as a launching pad for attacks. These devices are softer targets when they are not running the latest software, or are no longer supported with security updates, and they more easily conceal malicious traffic. “
Evolving Chinese cyber threat 'should worry us all': U.K. cyber head - Nikkei reports - “Increasingly, we're worried about the proliferation of cyber challenges, which allow any country in the world to purchase cyber, malware or other challenges to hit us or businesses in our countries," the NCSC's COO and interim CEO Felicity Oswald told Nikkei.”
NCSC research problem book: Cyber-physical problems - we released these this week - The cyber-physical chapter of the NCSC problem book brings together the high-level questions we think are important to secure the systems that bridge the gap between the physical and digital worlds.
White House FY26 cyber security priorities memo - the other one, not me - in a word there are lots..
NATO Washington Summit Declaration - cyber mentioned 11 times - “Establishing the NATO Integrated Cyber Defence Centre to enhance network protection, situational awareness, and the implementation of cyberspace as an operational domain throughout peacetime, crisis and conflict; and developing a policy to augment the security of NATO’s networks.” .. then also calls our PRC and Russian cyber operations.
Companies Sharply Criticize Draft U.S. Cyber Reporting Rules - Wall Street Journal reports - “Companies urged the U.S. government to rethink its rules for reporting cyberattacks, saying that a draft proposal from a federal agency is confusing, overly broad and often duplicates existing rules.”
Cyber-physical [research] problems from NCSC UK - We have updated our problem book with elements aimed at academics and those interested in cyber-physical research, although they may also be of interest to anyone working with cyber-physical systems.
Emboldened and Evolving: A Snapshot of Cyber Threats Facing NATO - Google asserts - “NATO must contend with covert, aggressive malicious cyber actors that are seeking to gather intelligence, preparing to or currently attacking critical infrastructure, and working to undermine the Alliance with elaborate disinformation schemes.”
Indonesian ransomware attack affects over 230 Indonesian agencies, 98% of the data had no backups - Reuters reports - putting everyone’s bad day in the office in context.
Sixth Cyber Dialogue between India and the United Kingdom - “Both sides agreed to deepen cooperation between their respective cyber agencies in order to build a safe and robust cyberspace.”
CISA Red Team’s Operations Against a Federal Civilian Executive Branch Organization Highlights the Necessity of Defense-in-Depth - CISA press release - “Five months into the assessment, the red team officially notified the organization’s security operations center (SOC) of the ongoing activity and began engaging directly with SOC leadership.” - yes they were able to maintain access without detection for that long..
Defending Democracy
UK Democracy was defended - mission accomplished!
Reporting on/from China
Chinese scientists create robot with brain made from human stem cells - when ethics and technology collide - South China Morning Post reports - Researchers have developed brain-on-chip technology to train the robot to perform tasks such as gripping objects
China’s state security authority refutes hypes of phone checks at border - Global Times reports - “The ministry also emphasized that checks upon entry will only be conducted under specific circumstances, with specific targets and procedures in accordance with laws.”
Artificial intelligence
Keynote Speech by an Official from China's Top Legislative Body on Upcoming Chinese AI Law - Geopolitechs reports “Based on these principles, Wang further elaborated on the legislative ideas for the AI law: inclusiveness, prudence, and phased approach.
Prioritize the flexible application of existing legislative rules through legal or judicial interpretation to address prominent legal issues arising during AI development, such as fair use of intellectual property in large model training.
For specific application scenarios, local governments or the State Council should authorize legislation, as seen in China's legislative practice in intelligent connected vehicles.
Address pain points and complex issues affecting industrial development in areas urgently requiring legal regulation through "small, fast, and nimble" (小快灵) legislation or by amending existing laws.”
Generative AI Misuse: A Taxonomy of Tactics and Insights from Real-World Data - “In this paper, we present a taxonomy of GenAI misuse tactics, informed by existing academic literature and a qualitative analysis of approximately 200 observed incidents of misuse reported between January 2023 and March 2024.”
Project Naptime: Evaluating Offensive Security Capabilities of Large Language Models - “there's a large difference between solving isolated CTF-style challenges without ambiguity (there's always a bug, you always reach it by providing command line input, etc.) and performing autonomous offensive security research.”
LLM4Vuln: A Unified Evaluation Framework for Decoupling and Enhancing LLMs' Vulnerability Reasoning - “To demonstrate the effectiveness of LLM4Vuln, we have designed controlled experiments using 75 ground-truth smart contract vulnerabilities, which were extensively audited as high-risk on Code4rena from August to November 2023, and tested them in 4,950 different scenarios across three representative LLMs (GPT-4, Mixtral, and Code Llama).”
Cyber proliferation
The EU’s Human Rights Sanction Regime could target malicious spyware vendors - Binding Hook asserts “The European Union has a powerful and underutilised tool at its disposal to counteract human rights abuses linked to commercial spyware”
Small cyber offensive firm Bindecy resists Israeli cyber crisis - Intelligence Online reports - “As the Israeli cyber intelligence sector, with its extensive use of cyber agents, struggles with investigations and American sanctions, Bindecy is bucking the trend.”
Government and military officials fair targets of Pegasus spyware in all cases, NSO Group argues - The Record reports - from June but worth highlighting - the court documents can be found here.
Bounty Hunting
Took for a code: the final stage of the trial of the REvil hackers begins reports IZ in Russia
Justice Department Leads Efforts Among Federal, International, and Private Sector Partners to Disrupt Covert Russian Government-Operated Social Media Bot Farm press release by the US Department of Justice - “Russia’s State-Run RT News Network Developed and Federal Security Service Operated the Artificial Intelligence-Enhanced Bot Farm to Disseminate Disinformation to Sow Discord in the United States and Elsewhere”
Notorious Hacker Kingpin ‘Tank’ Is Finally Going to Prison - Wired reports - ”a judge sentenced Penchukov to two concurrent nine-year sentences, after he pleaded guilty to two charges of conspiracy to participate in racketeering and a conspiracy to commit wire fraud. United States District Judge John M. Gerrard also ordered Penchukov to pay more than $73 million, according to court records.”
Cyber insurance entering a new phase of development as non-US territories set to capture 54% of growth up to 2030 - “Favourable dynamics have persisted into 2024, with the cost of cyber insurance continuing to fall (as shown by our global pricing index in Figure 1) despite ongoing attacks, heightened geopolitical instability and the proliferation of Gen AI.”
Insurers Warn Standardizing Cyber Policies Could Limit Future Coverage - Wallstreet Journal Reports - “Despite a growing body of data, cyber risk still isn’t well understood, insurers say”
Reflections this week is a lot can happen in six weeks…
The keynote I gave at Blackhat Europe at the end of 2023 has been on the Internet for a couple of months - Industrialising Cyber Defence in an Asymmetric World. I think it was the first or second time the ducks and horses got an outing..
Think someone else would benefit? Share:
All attribution is by others and not the UK Government unless specifically stated as such, please see the legal text at the end.
Have a lovely Saturday..
Ollie
Cyber threat intelligence
Who is doing what to whom and how allegedly.
Reporting on Russia
Turla: A Master’s Art of Evasion
Ricardo Pineda, Jr. and Arvin Bandong allege Turla is using weaponized LNK files and go on to provide a detailed analysis of what they have observed. We have covered the misuse of LNK files in previous issues extensively. Anti-forensics/detection evasion is noteworthy..
On the 9th day of May 2024, GDATA analysts observed a possible new campaign that uses malicious shortcut file that leverages on Microsoft's platform for building application to deploy a fileless backdoor into the system. It also employs memory patching, bypass AMSI and disable system’s event logging features to impair system’s defense to enhance its evasion capability.
https://www.gdatasoftware.com/blog/2024/07/37977-turla-evasion-lnk-files
CloudSorcerer – A new APT targeting Russian government entities
Russian reporting on an operation targeting their government systems.
CloudSorcerer’s modus operandi is reminiscent of the CloudWizard APT that we reported on in 2023. However, the malware code is completely different. We presume that CloudSorcerer is a new actor that has adopted a similar method of interacting with public cloud services.
Our findings in a nutshell:
CloudSorcerer APT uses public cloud services as its main C2s
The malware interacts with the C2 using special commands and decodes them using a hardcoded charcode table.
The actor uses Microsoft COM object interfaces to perform malicious operations.
CloudSorcerer acts as separate modules (communication module, data collection module) depending on which process it’s running, but executes from a single executable.
https://securelist.com/cloudsorcerer-new-apt-cloud-actor/113056/
Lifting Zmiy: hacking SCADA system controllers in pursuit of the main victims
Reporting from within Russia on attacks involved SCADA systems..
We discovered a series of attacks on Russian government organizations and private companies. Behind them is the same group, which we called Lifting Zmiy;
The attackers hacked Tekon-Avtomatika PLCs and placed control servers on them, which were used in attacks on the main targets;
Among the compromised devices are controllers included in SCADA systems, which, among other things, control elevator equipment;
Using a specific pattern, we scanned the internet and discovered a series of hacked controllers used by Lifting Zmiy;
Among the victims are organizations from various industries, including IT, telecom, and the public sector. Both Linux and Windows systems were attacked;
The attackers used the infrastructure of SpaceX's Starlink provider in their operations.
Reporting on China
APT40 Advisory: PRC MSS tradecraft in action
ASD/ACSC our partner Australian agencies represent with leading the reporting which we contributed to.
This advisory, authored by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the United States Cybersecurity and Infrastructure Security Agency (CISA), the United States National Security Agency (NSA), the United States Federal Bureau of Investigation (FBI), the United Kingdom National Cyber Security Centre (NCSC-UK), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), the German Federal Intelligence Service (BND) and Federal Office for the Protection of the Constitution (BfV), the Republic of Korea's National Intelligence Service (NIIS) and NIS’ National Cyber Security Center, and Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and National Police Agency (NPA) – hereafter referred to as the “authoring agencies” – outlines a People’s Republic of China (PRC) state-sponsored cyber group and their current threat to Australian networks.
..
The following Advisory provides a sample of significant case studies of this adversary’s techniques in action against two victim networks. The case studies are consequential for cybersecurity practitioners to identify, prevent and remediate APT40 intrusions against their own networks. The selected case studies are those where appropriate remediation has been undertaken reducing the risk of re-exploitation by this threat actor, or others.
MoonWalk
Yin Hong Chang and Sudeep Singh detail tooling and techniques related to an alleged Chinese threat actor. Note the operational security on the some of the Windows techniques.
APT41, a China-based nation-state threat actor known for campaigns in Southeast Asia, has been observed using a new backdoor called MoonWalk.
MoonWalk shares a common development toolkit with DodgeBox, reusing code that implements evasive techniques such as DLL hollowing, import resolution, DLL unhooking, and call stack spoofing. Additionally, MoonWalk employs further evasion tactics, including the use of Google Drive as its C2 channel to blend in with legitimate network traffic and the utilization of Windows Fibers to evade AV/EDR security solutions.
MoonWalk's modular design allows attackers to easily update its capabilities, modify its behavior, and customize functionality for different scenarios.
https://www.zscaler.com/blogs/security-research/dodgebox-deep-dive-updated-arsenal-apt41-part-1
https://www.zscaler.com/blogs/security-research/moonwalk-deep-dive-updated-arsenal-apt41-part-2
Analysis of the Suspected APT Attack Activities by “Silver Fox”
Reporting within China of a suspect APT which shows a degree of operational savviness.
Previously, Silver Fox’s activities primarily targeted tax and finance personnel by impersonating tax-related links and websites. This time, their focus has shifted directly to national institutions and security companies. This shift compels us to reassess the attack purposes of this cybercrime group: are they merely a criminal organization, or is there an APT attack lurking behind the scenes?
As the analysis and tracing of the samples deepened, we also discovered the group’s PowerShell obfuscation tool (Out-EncodedSpecialCharOnlyCommand), as well as a previously unexposed downloader trojan. The following will provide a detailed description of the recent activities of the Silver Fox group.
Volt TyphoonII:A secret Disinformation Campaign
As claimed by China’s National Computer Virus Emergency Response Center.. included solely as an example how not to pivot between IoCs and draw conclusions, but also as an example of alleged misinformation/disinformation.
https://web.archive.org/web/20240708120352/https://www.cverc.org.cn/head/zhaiyao/futetaifengerEN.pdf
further reporting can be found here:
https://therecord.media/china-cyber-agency-claims-us-interference-volt-typhoon-research
Reporting on North Korea
Attack activities by the Kimsuky attack group targeting Japanese organizations
Kota Kino provides some Japanese government reporting on a recent alleged North Korea operation in country. Maldocs and phishing is the order of the day here..
In March 2024, JPCERT/CC confirmed attack activities targeting Japanese organizations by an attack group called Kimsuky. This time, we will introduce the attack method.
Revealing the APT-C-26 (Lazarus) organization's use of PyPI to attack Windows, Linux and macOS platforms
Chinese reporting on an alleged North Korea operation showing a degree of operation security savviness let along the diverse platform capabilities.
This round of attacks, the Lazarus organization delivers malicious samples to users on various platforms through the PyPI warehouse for attack. The installation package under the Windows system carries an encrypted payload, which is decrypted layer by layer, and the Comebacker malicious sample is loaded into the memory; the malicious installation package under the Linux system After loading, the ELF malicious file will be downloaded remotely when the initialization is completed. This file has complete remote control functions; under the MacOS system, the malicious samples we captured have similar functions to the malicious samples under the Linux system, the file names are also similar, and they also have The same C2, so we speculate that the execution process under MacOS system is likely to be the same as under Linux, and is also delivered through the PyPI warehouse.
New Tactics from a Familiar Threat
Phylum Research Team detail a alleged campaign by North Korea using the open source supply chain distribution mechanism which is npm.
This blog post highlights evolving tactics from a North Korean campaign that began in September 2023 with a package published on 4 July 2024 in npm. Like a snake shedding its old skin, this attacker's evasive attempts have introduced some novelties, but many of the same patterns and idioms we have seen throughout this campaign remain. Join us as we dive deep into the details of this new offering from an old threat actor.
https://blog.phylum.io/new-tactics-from-a-familiar-threat/
Reporting on Iran
Nothing this week
Reporting on Other Actors
OilAlpha Malicious Applications Target Humanitarian Aid Groups Operating in Yemen
Reporting here on alleged activates in Yemen.
[Our] research reveals that OilAlpha, a likely pro-Houthi group, continues to target humanitarian and human rights organizations operating in Yemen. They use malicious Android applications to steal credentials and gather intelligence, potentially to control aid distribution. Notable organizations affected include CARE International and the Norwegian Refugee Council. This report highlights the ongoing threat and suggests mitigation strategies, such as social engineering awareness, strong passwords, and multi-factor authentication.
https://www.recordedfuture.com/research/oilalpha-spyware-used-to-target-humanitarian-aid-groups
Further reporting here from Lookout:
GuardZoo is an Android surveillanceware being used to target military personnel from Middle Eastern countries.
The campaign started around October 2019 and is still active in 2024. It is named after a piece of source code that enables persistence on the device. It also uses other animal related class names such as AnimalCoop and MainZoo.
Lookout attributes this activity to a Yemeni, Houthi-aligned threat actor based on the application lures, exfil data, targeting and the C2 infrastructure location.
While Lookout is still actively analyzing data, thus far it has seen more than 450 IP addresses that belong to victims who are primarily located in Yemen, Saudi Arabia, Egypt, Oman, the UAE, Qatar and Turkey.
It can collect data such as photos, documents, coordinate data files related to marked locations, routes, and tracks, the device’s location, model, cellular service carrier, and Wi-Fi configuration.
It is distributed via WhatsApp, WhatsApp Business, and direct browser download and can enable the actor to deploy additional invasive malware on the infected device.
https://www.lookout.com/threat-intelligence/article/guardzoo-houthi-android-surveillanceware
Exploring Compiled V8 Javascript Usage In Malware
Moshe Marelus highlights an interesting new bit of tradecraft…
In recent months, CPR has been investigating the usage of compiled V8 JavaScript by malware authors. Compiled V8 JavaScript is a lesser-known feature in V8, Google’s JavaScript engine, that enables the compilation of JavaScript into low-level bytecode. This technique assists attackers in evading static detections and hiding their original source code, rendering it almost impossible to analyze statically.
..
Using View8, we started systematically decompiling malware samples utilizing compiled V8. We iterated over thousands of samples, some of whom were discussed in past research. This includes Ice Breaker and new variants of ChromeLoader, although previously they could not be statically analyzed and were therefore mostly heuristically analyzed.
https://research.checkpoint.com/2024/exploring-compiled-v8-javascript-usage-in-malware/
Discovery
How we find and understand the latent compromises within our environments.
Detecting Lateral Movement in Entra ID: Cross Tenant Synchronization
Lina Lau is back with this detection which lets be honest everyone should be trying to detect given some of the recent incidents.
To detect either the abuse of this technique as a persistence or lateral movement method, you need to focus on the following three steps. Please note, the first two steps are not relevant if this is purely being leveraged as a lateral movement technique with an existing cross tenant synchronisation.
Creation of an inbound/outbound external identity to a different tenant
Editing a cross-tenant synchronisation setting (allowing in or outbound access)
Creation of a provisioned malicious user account
Logons and subsequent actions taken
https://www.xintra.org/blog/lateral-movement-entraid-cross-tenant-synchronization
Analysing IIS Compilation artifacts
Zeroed walks up through what they are and how they come to be which will help with some post intrusion work.
https://zeroed.tech/blog/analysing-iis-compilation-artifacts/
Defending AI Model Files from Unauthorized Access with Canaries
Joseph Lucas, John Irwin, Rich Harang and Medicus Riddick show how to apply digital trip wires to AI models, but also highlight the risk of ingesting arbitrary models.
In this post, we’ll introduce canaries and then show how the common Python Pickle serialization format for AI and ML models can be augmented with canary tokens to provide additional, AI-specific loss detection capabilities extending beyond normal network monitoring solutions. While more secure model formats like safetensors are preferred, there are many reasons that organizations may still support Pickle-backed model files, and building defenses into them is part of a good risk mitigation strategy.
https://developer.nvidia.com/blog/defending-ai-model-files-from-unauthorized-access-with-canaries
Defence
How we proactively defend our environments.
Considerations for Cyber Incident Response Planning within Industrial Control Systems/Operational Technology
The UK’s RITICS ICS Community of Interest have published this guide.
This guidance is designed to help organisations understand specific considerations that are required within Industrial Control Systems (ICS)/Operational Technology (OT) systems and to better prepare for a cyber incident within an ICS/OT environment. It is designed to complement and to be read in conjunction with the NCSC’s general Incident Response and Management guidance, and focuses on the specific and unique aspects relating to ICS/OT environments.
Incident Writeups & Disclosures
How they got in and what they did.
AT&T Breach
Call detail record breach..
On April 19, 2024, AT&T Inc. (“AT&T”) learned that a threat actor claimed to have unlawfully accessed and copied AT&T call logs. AT&T immediately activated its incident response process to investigate and retained external cybersecurity experts to assist. Based on its investigation, AT&T believes that threat actors unlawfully accessed an AT&T workspace on a third-party cloud platform and, between April 14 and April 25, 2024, exfiltrated files containing AT&T records of customer call and text interactions that occurred between approximately May 1 and October 31, 2022, as well as on January 2, 2023, as described below.
The data does not contain the content of calls or texts, personal information such as Social Security numbers, dates of birth, or other personally identifiable information. Current analysis indicates that the data includes, for these periods of time, records of calls and texts of nearly all of AT&T’s wireless customers and customers of mobile virtual network operators (“MVNO”) using AT&T’s wireless network. These records identify the telephone numbers with which an AT&T or MVNO wireless number interacted during these periods, including telephone numbers of AT&T wireline customers and customers of other carriers, counts of those interactions, and aggregate call duration for a day or month. For a subset of records, one or more cell site identification number(s) are also included. While the data does not include customer names, there are often ways, using publicly available online tools, to find the name associated with a specific telephone number.
AT&T has taken additional cybersecurity measures in response to this incident including closing off the point of unlawful access. AT&T will provide notice to its current and former impacted customers.
https://www.sec.gov/Archives/edgar/data/732717/000073271724000046/t-20240506.htm
Vulnerability
Our attack surface.
BlueSpy
Jesús María Gómez Moreno, Antonio Vazquez and Erjan K bring back from the dead an attack which once roamed these lands circa 2004.
PoC to record audio from a Bluetooth device
https://github.com/TarlogicSecurity/BlueSpy
Related and involving Apple AirPods
https://blogs.gnome.org/jdressler/2024/06/26/do-a-firmware-update-for-your-airpods-now/
False File Immutability
Gabriel Landau introduces a form of race condition to the world on Windows initially, but I suspect the long tail and prevalence of this will rumble on for a while across various.
FFI occurs when code assumes that files cannot be modified because they were opened without
FILE_SHARE_WRITE. In some situations, it's possible for attackers to modify files even when write sharing is denied. When this occurs, any code that reads the same value/offset within a file more than once may be subject to double-read vulnerabilities. FFI can occur with both traditional I/O (e.g.ReadFile) or memory-mapped I/O (e.g.MapViewOfFile), and can affect both user- and kernel-mode code.
https://github.com/gabriellandau/ItsNotASecurityBoundary
Some detection tradecraft was also released
https://www.elastic.co/security-labs/false-file-immutability
Exploiting Client-Side Path Traversal to Perform Cross-Site Request Forgery - Introducing CSPT2CSRF
Maxence Schmitt shows that complexity of technology in the modern-web is what leads to novel hybrid vulnerability classes.
This research introduces the basics of Client-Side Path Traversal, presenting sources and sinks for Cross-Site Request Forgery. To demonstrate the impact and novelty of our discovery, we showcased vulnerabilities in major web messaging applications, including Mattermost and Rocket.Chat, among others.
https://blog.doyensec.com/2024/07/02/cspt2csrf.html
https://www.doyensec.com/resources/Doyensec_CSPT2CSRF_Whitepaper.pdf
Inside Xerox WorkCentre: Two Unauthenticated RCEs
From Russia with love and a warning from the future in a Terminator esq manner.
Despite the patch being released in 2016, we still encounter 2016 and earlier firmware versions in use during internal pentests to this day.
Some close access techniques also on show.
After gaining root privileges, the
/tmp/usb-sdb1directory can be accessed, where all external USB devices are mounted. Next, a user’s DOCX or PDF file might be downloaded or altered to continue the attack, even if the printer segment is isolated.
https://swarm.ptsecurity.com/inside-xerox-workcentre-two-unauthenticated-rces/
Blast-Radius
Sharon Goldberg, Miro Haller, Nadia Heninger, Mike Milano, Dan Shumow, Marc Stevens, and Adam Suhl give us a new logo and named vulnerability.
The Blast-RADIUS attack allows a man-in-the-middle attacker between the RADIUS client and server to forge a valid protocol accept message in response to a failed authentication request. This forgery could give the attacker access to network devices and services without the attacker guessing or brute forcing passwords or shared secrets. The attacker does not learn user credentials.
SnailLoad
Stefan Gast, Roland Czerny, Jonas Juffinger, Fabian Rauscher, Simone Franza and Daniel Gruss also give us a new logo and named vulnerability. But it does highlight a side-channel attack which will reveal that my house consumes too many videos about Lego.
SnailLoad exploits a bottleneck present on all Internet connections. This bottleneck influences the latency of network packets, allowing an attacker to infer the current network activity on someone else's Internet connection. An attacker can use this information to infer websites a user visits or videos a user watches.
Offense
Attack capability, techniques and trade-craft.
Fragtunnel
Efeali shows the state of the art evasion possible..
Fragtunnel is a PoC TCP tunneling tool that exploits the design flaw that IDS/IPS engines and Next Generation Firewalls have; therefore, it can tunnel your application's traffic to the target server and back while not being detected and blocked by Next Generation firewalls using Layer 7 application rules.
https://github.com/efeali/fragtunnel/
Raising Beacons without UDRLs and Teaching them How to Sleep
Diego Capriotti exercises some of the darker corners of Cobalt Strike beacon development that goes to highlight just because you can detect CS payloads today doesn’t mean you can do so comprehensively.
UDRLs with Beacon are very powerful and allow for the smallest memory footprint for the running Beacon. However, they come with some disadvantages: development is more complex since UDRLs require Position Independent Code, and debugging can be so challenging it might feel like it ages you decades.
PySkyWiFi
or what a C2 of the future could look like by Robert Heaton.
https://robertheaton.com/pyskywifi/
Exploitation
What is being exploited.
Resurrecting Internet Explorer: Threat Actors Using Zero-day Tricks In Internet Shortcut File To Lure Victims (CVE-2024-38112)
Haifei Li shed some light on the exploitation of this vulnerability.
[We] recently discovered that threat actors have been using novel (or previously unknown) tricks to lure Windows users for remote code execution. Specifically, the attackers used special Windows Internet Shortcut files (.url extension name), which, when clicked, would call the retired Internet Explorer (IE) to visit the attacker-controlled URL. An additional trick on IE is used to hide the malicious .hta extension name. By opening the URL with IE instead of the modern and much more secure Chrome/Edge browser on Windows, the attacker gained significant advantages in exploiting the victim’s computer, although the computer is running the modern Windows 10/11 operating system.
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
SoK: Where to Fuzz?
Felix Weissberg , Jonas Möller , Tom Ganz , Erik Imgrund , Lukas Pirch , Lukas Seidel , Moritz Schloegel , Thorsten Eisenhofer and Konrad Rieck use simple software metrics, like cyclomatic complexity and number of ifs, to rank the interestingness of functions, no need for GNNs or LLMs
Assessing Target Selection Methods in Directed Fuzzing
Our analysis provides new insights for target selection in practice: First, we find that simple software metrics significantly outperform other methods, including common heuristics used in directed fuzzing, such as recently modified code or locations with sanitizer instrumentation. Next to this, we identify language models as a promising choice for target selection. In summary, our work offers a new perspective on directed fuzzing, emphasizing the role of target selection as an orthogonal dimension to improve performance.
https://www.mlsec.org/docs/2024c-asiaccs.pdf
IAT-Tracer
Yoav Levi provides a work-aid to those doing Windows tracing..
An automation plugin for Tiny-Tracer framework to trace and watch functions directly out of the executable's import table or trace logs (.tag) files.
https://github.com/YoavLevi/IAT-Tracer
View8
Suleram releases a tool which will help further illuminate.
View8is a static analysis tool designed to decompile serialized V8 bytecode objects (JSC files) into high-level readable code. To parse and disassemble these serialized objects, View8 utilizes a patched compiled V8 binary. As a result, View8 produces a textual output similar to JavaScript.
https://github.com/suleram/View8
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Collaboration Practices for the Cybersecurity of Supply Chains to Critical Infrastructure
Photon Number Splitting Attack - "Photon-number-splitting (PNS) is a well-known theoretical attack on quantum key distribution (QKD) protocols that employ weak coherent states produced by attenuated laser pulses."
Active Cyber Defense Operations - “The assessment is divided into two categories – Criteria and Safeguards. When calculating the risks for (unintended or cyber-physical, especially in critical infrastructure) damage, fundamental rights violations, violations of sovereignty, conflict escalation and success, there is not a common measurement for active cyber defense.”
The Devil is in the Details: Detection, Measurement and Lawfulness of Server-Side Tracking on the Web - “We demonstrate that such a tracking technique can overcome the Same-Origin Policy and introduce security vulnerabilities. Together with a legal scholar, we also show that SST entails non-compliant practices and infringes the GDPR and the ePrivacy Directive.”
Artificial intelligence
Binary Code Summarization (with LLMs) - “To this end, we present BinSum, a comprehensive benchmark and dataset of over 557K binary functions and introduce a novel method for prompt synthesis and optimization. To more accurately gauge LLM performance, we also propose a new semantic similarity metric that surpasses traditional exact-match approaches.”
Books
The Coming Wave - “the containment problem”—the task of maintaining control over powerful technologies
Events
Nothing this week
Unless stated otherwise, linked or referenced content does not necessarily represent the views of the NCSC and reference to third parties or content on their websites should not be taken as endorsement of any kind by the NCSC. The NCSC has no control over the content of third party websites and consequently accepts no responsibility for your use of them.
This newsletter is subject to the NCSC website terms and conditions which can be found at https://www.ncsc.gov.uk/section/about-this-website/terms-and-conditions and you can find out more about how will treat your personal information in our privacy notice at https://www.ncsc.gov.uk/section/about-this-website/privacy-statement.