CTO at NCSC Summary: week ending July 6th
"traditional ways of evaluating security—counting bugs, reviewing code, and tracing human intent—are becoming obsolete "
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week some alarming vulnerabilities which again reinforce our Guidance on digital forensics and protective monitoring specifications for producers of network devices and appliances - for device vendors
In the high-level this week:
Police warn of SMS scams following prison sentence for criminal who conducted smishing campaign - UK Finance reports - “The conviction was achieved thanks to the officers from the DCPCU working with mobile network operators including BT, Virgin Media O2, VodafoneThree and Sky as well as the National Cyber Security Centre and Ofcom.” - fake/rogue cellular base stations in action..
Police warn of SMS scams as ‘blaster’ is used to send thousands of texts - The Guardian reports - “Ruichen Xiong, a student from China, drove around London using the tool between 22 and 27 March 2025, sending messages to tens of thousands of potential victims.”
The device sparking surge in scam text messages - The Independent reports - “The Dedicated Card and Payment Crime Unit (DCPCU) has arrested seven people and seized seven SMS blasters”
Hackers opened the valve to full capacity at the dam facility - Energiteknikk reports - “Unknown hackers took control of the minimum water flow and had access to the closure system in a dam at Risevatnet in Bremanger for several hours in April. .. It was on April 10 that the National Security Authority (NSM) was notified of the attack on the dam and further informed the NVE dam security section about the matter. In a document Energiteknikk has obtained access to, the attack is referred to as "they were hacked from Russia"
Audit of the Federal Bureau of Investigation's Efforts to Mitigate the Effects of Ubiquitous Technical Surveillance - US Department of Justice details - "the cartel had hired a "hacker" who offered a menu of services related to exploiting mobile phones and other electronic devices"
US Probes Ex-Ransom Negotiator Accused of Scheming With Hackers - Bloomberg reports - “Law enforcement officials are investigating a former employee of a company that negotiates with hackers and facilitates cryptocurrency payments during ransomware attacks, according to a statement from the firm, DigitalMint.”
Cyberattack on Brazil tech provider affects reserve accounts of some financial institutions - Reuters reports - “Brazil's central bank said on Wednesday that technology services provider C&M Software, which serves financial institutions lacking connectivity infrastructure, had reported a cyberattack on its systems.
The bank did not provide further details of the attack, but said in a statement that it ordered C&M to shut down financial institutions' access to the infrastructure it operates.”
ICC detects and contains new sophisticated cyber security incident - International Criminal Court notifies - “Late last week, the International Criminal Court (“ICC” or “the Court”) detected a new, sophisticated and targeted cyber security incident, which has now been contained.”
Canada orders China's Hikvision to close Canadian operations - Reuters reports - "The government has determined that Hikvision Canada Inc's continued operations in Canada would be injurious to Canada's national security,"
A Coordinated Implementation Roadmap for the Transition to Post-Quantum Cryptography - European Commission published - “The EU Member States, supported by the Commission, issued a roadmap and timeline to start using a more complex form of cybersecurity, the so-called post-quantum cryptography (PQC).”
Iran-linked hackers threaten to release Trump aides' emails - Reuters reports - “In online chats with Reuters on Sunday and Monday, the hackers, who go by the pseudonym Robert, said they had roughly 100 gigabytes of emails”
Letter to FBI requesting mobile spyware guidance - Senator Ron Wyden writes
Cyber Command significantly increases funding request for defense in Indo-Pacific region - Defence Scoop reports - “According to budget justification documents, the increased funding would go toward cyber mission monitoring capabilities for the Department of Defense Information Network and expand operational technology asset installation at other Indo-Pacom defense critical infrastructure networks and systems.”
National Center of Incident Readiness and Strategy for Cybersecurity (NISC) Held the 44th Meeting of the Cybersecurity Strategy Headquarters - Japan outlines its plans..
Invisible Battlefields: Analyzing The ViaSat Attack And Its Broader Implications - Illinoi Institute of Technology publishes - “This paper also entails the attack’s execution, and how the AcidRain malware was deployed, resulting in widespread disruption of internet access in Ukraine and several parts of Europe.”
Modeling covert offensive cyber engagement decisions left of launch against limited ballistic missile fires - JD Work outlines - “However, little information has been publicly disclosed regarding concepts of operation under which left-of-launch missions may be executed. As a result, many aspects of future operations in crisis and conflict remain unexamined, with attention to date largely focused on broader questions of nuclear stability. But the offensive cyber instrument is characterised by its constant employment in operations short of war, and in ways intended to shape future warfighting outcomes.”
Handbook on Developing a National Position on International Law and Cyber Activities: A Practical Guide for States - The NATO Cooperative Cyber Defence Centre of Excellence publishes
New crucial guidance to empower nations to develop legal positions on cyber operations - University of Exeter announces.
Reporting on/from China
Huawei’s HarmonyOS Hits 8 Million Developers in Ecosystem Independence Drive - Caixin reports - “At Huawei’s annual developer conference on Friday, Yu Chengdong, chairman of the firm’s consumer business, disclosed that more than 30,000 apps are now available on the HarmonyOS platform, which runs on over 40 of the company’s devices.”
China’s new army of engineers - The Economist reports - “Over 600 Chinese universities now offer undergraduate programmes in artificial intelligence (AI)”
China’s AI Dragons Risk Choking Each Other - Bloomberg reports - “Firms are then locked in a race to the bottom when it comes to pricing.”
China’s $50 Billion Chip Fund Switches Tack to Fight US Curbs - Bloomberg reports - “China’s main chip investment fund is planning to focus on the country’s key shortcomings in sectors like lithography and semiconductor design software”
ASML launches science project in China to discover new talent in lithography - South China Morning Post reports - ”The online competition, open from late June through early July, and featuring 20 questions, targets Chinese semiconductor professionals and science enthusiasts.”
China AI chip firm Biren raises new funds, plans Hong Kong IPO, say sources - Reuters reports - “The 1.5 billion yuan funding round was led primarily by state-linked investors, two of the sources said.”
AI
AI and Secure Code Generation - Dave Aitel and Dan Geer outline - “As a result, traditional ways of evaluating security—counting bugs, reviewing code, and tracing human intent—are becoming obsolete. AI experts no longer know if AI-generated code is safer, riskier, or simply vulnerable in different ways than human-written code.”
UN agency pushes AI ethics standards at Bangkok event as US-China tech rivalry deepens - South China Morning Post reports - “Unesco, the 194-member UN heritage agency that produced the world’s first – and so far only – global AI ethics standards four years ago, hosted a forum in Bangkok this week to drive the adoption of its recommendations.”
A Chinese firm has just launched a constantly changing set of AI benchmarks - MIT Technology Review reports - “This week the company is making part of its question set open-source and letting anyone use for free. The team has also released a leaderboard comparing how mainstream AI models stack up when tested on Xbench.”
China's Diverging AI Path - China Talk analyses - “There is another possibility–China and the U.S. may develop different “varieties” of AI. For example, the U.S. advantages in cloud computing, software development, and openness to talent (tbd…) give it an edge in development of enterprise software and large language models (LLMs). However, China has clear advantages in manufacturing and infrastructure, which could offer an edge in what experts term “embodied AI”, or in Chinese jù shēn réngōng zhìnéng, 具身人工智能.”
China’s AI capital spending set to reach up to US$98 billion in 2025 amid rivalry with US - South China Morning Post reports - “That would represent as much as a 48 per cent overall growth this year for China’s AI capex from 2024,”
Alibaba Cloud to bring AI capabilities to global data centres this year, executive says - South China Morning Post reports - “The company, owner of the South China Morning Post, planned to offer its flagship Qwen large language models, as well as Model Studio – which also provides access to third-party models – through its major data centres worldwide”
The Global A.I. Divide - Where A.I. Data Centers Are Located - New York Times reports - “Only 32 countries, or about 16 percent of nations, have these large facilities filled with microchips and computers, giving them what is known in industry parlance as “compute power.””
Meta seeks $29bn from private credit giants to fund AI data centres - Financial Times reports - “At its earnings in May, Meta raised its full-year capital expenditure forecast by as much as 10 per cent to between $64bn and $72bn, citing “additional data centre investments” to support its AI push as well as an “increase in the expected cost of infrastructure hardware”."
Beijing: Building an Artificial Intelligence Highland - CCTV reports - “In the seven years since its establishment, AI Research Institute has spawned and incubated about 20 AI startups, many of which are valued at more than 10 billion yuan. In Beijing, there are three other new AI R&D institutions like this, as well as 23 of the first batch of AI key laboratories.”
Cyber proliferation
Who wants the use of spyware to remain hidden in Greece? - Inside Story reports - “the government of Kyriakos Mitsotakis passed a law aimed, among other things, at bringing transparency to the procurement of spyware by the state.”
Bounty Hunting
Justice Department Announces Coordinated, Nationwide Actions to Combat North Korean Remote Information Technology Workers’ Illicit Revenue Generation Schemes - US Department of Justice announces - “According to court documents, the schemes involve North Korean individuals fraudulently obtaining employment with U.S. companies as remote IT workers, using stolen and fake identities.”
Four North Koreans Charged in Nearly $1 Million Cryptocurrency Theft Scheme - US Department of Justice announces - “The defendants used fake and stolen personal identities to conceal their North Korean nationality, pose as remote IT workers, and exploit their victims’ trust to steal hundreds of thousands of dollars,”
Treasury Sanctions Global Bulletproof Hosting Service Enabling Cybercriminals and Technology Theft - US Department of Treasury announces - “Cybercriminals continue to rely heavily on BPH service providers like Aeza Group to facilitate disruptive ransomware attacks, steal U.S. technology, and sell black-market drugs,”
Reflections this week are around edge device/solutions security and that we are likely beyond the point where automatic updates are optional. The pace with which actors are able to turn n-days at scale means we now need to out pace.
Preparing for a world where edge routers, firewalls, VPNs, ZTN and other remote access solutions among others update in real time accepting there will be blips in outage if not configured in high-availability configurations is where we need to be.
Not getting this via email? Subscribe:
Think someone else would benefit? Share:
All attribution is by others and not the UK Government unless specifically stated as such, please see the legal text at the end.
Have a lovely Saturday…
Ollie
Cyber threat intelligence
Who is doing what to whom and how allegedly.
Reporting on Russia
Gamaredon in 2024: Cranking out spearphishing campaigns against Ukraine with an evolved toolset
Zoltán Rusnák summarises the alleged activities of this Russian state actor. If nothing else is shows that mitigating phishing would reduce harm against this state actor.
Gamaredon refocused exclusively on targeting Ukrainian governmental institutions in 2024, abandoning prior attempts against NATO countries.
The group significantly increased the scale and frequency of spearphishing campaigns, employing new delivery methods such as malicious hyperlinks and LNK files executing PowerShell from Cloudflare-hosted domains.
Gamaredon introduced six new malware tools, leveraging PowerShell and VBScript, designed primarily for stealth, persistence, and lateral movement.
Existing tools received major upgrades, including enhanced obfuscation, improved stealth tactics, and sophisticated methods for lateral movement and data exfiltration.
Gamaredon operators managed to hide almost their entire C&C infrastructure behind Cloudflare tunnels.
Gamaredon increasingly relied on third-party services (Telegram, Telegraph, Cloudflare, Dropbox) and DNS-over-HTTPS (DoH) for protecting its C&C infrastructure.
10 Things I Hate About Attribution: RomCom vs. TransferLoader
Greg Lesnewich, Selena Larson, Kelsey Merriman and David Galazin detail how this alleged Russian threat actor Venn’s into another group hinting there may be fluidity in the Russian system.
TA829 conducts a mixture of espionage and cybercriminal operations, which rely on services sourced from the criminal underground, and a regularly updated suite of tools built upon the legacy RomCom backdoor.
While tracking TA829, Proofpoint observed a highly similar email campaign and redirection infrastructure set-up. This similar campaign deployed a new loader and backdoor dubbed TransferLoader, which Proofpoint currently attributes to a separate cybercriminal cluster called “UNK_GreenSec”, rather than TA829.
This blog will show how analysts explored the differences and overlaps between both sets of activity and leave an open-ended question around the relationship between these two clusters within the larger criminal and espionage ecosystem.
TA829 is a cybercriminal actor that occasionally also conducts espionage aligned with Russian state interests, while UNK_GreenSec is an unusual cybercriminal cluster.
Reporting on China
The Cyberspace Force: A Bellwether for Conflict
John Costello details this alleged aspect of the Chinese state and how it may be used in the future.
Cyber operations will be involved in the opening stages of any conflict that the People’s Republic of China (PRC) is involved in. This makes the Cyberspace Force an essential bellwether as to what conflicts Beijing anticipates and what conflicts it is tacitly preparing for.
The Cyberspace Force demonstrates the depth of reform and centralization the People’s Liberation Army is willing to achieve to advance its operational capabilities. Beijing now possesses a truly global intelligence apparatus less stymied by parochial and bureaucratic interests.
The Cyberspace Force has structured its principal operationally focused infrastructure into five regional “Technical Reconnaissance Bases,” Corps Leader-grade organizations that are generally correspond to military theaters.
The Cyberspace Operations Base, which now oversees the PRC’s offensive cyber forces, is likely a critical factor in the significant increase in the technical sophistication, maturity, and operational discipline seen
https://jamestown.org/program/the-cyberspace-force-a-bellwether-for-conflict/
Houken seeking a path by living on the edge with zero-days
CERT-FR / ANSSI attributes this alleged Chinese operation which highlights the threat from zero-days in edge devices is real. Also highlights why vendors should implement our guidance on digital forensics and protective monitoring specifications for producers of network devices and appliances - for device vendors
In September 2024, ANSSI observed an attack campaign seeking initial access to French entities’ networks through the exploitation of several zero-day vulnerabilities on Ivanti Cloud Service Appliance (CSA) devices. French organizations from governmental, telecommunications, media, finance, and transport sectors were impacted. ANSSI’s investigations led to the conclusion that a unique intrusion set was leveraged to conduct this attack campaign. The Agency named this intrusion set « Houken ». Moderately sophisticated, Houken can be characterized by an ambivalent use of resources. While its operators use zero-day vulnerabilities and a sophisticated rootkit, they also leverage a wide number of open-source tools mostly crafted by Chinese-speaking developers.
https://www.cert.ssi.gouv.fr/cti/CERTFR-2025-CTI-009/
Hive0154 aka Mustang Panda shifts focus on Tibetan community to deploy Pubload backdoor
Golo Mühr details the operations of an alleged Chinese state threat actor who continues to use basic phishing tradecraft. Noteworthy as phishing is a mitigatable risk for most enterprises in 2025.
China-aligned threat actor Hive0154 has spread numerous phishing lures in targeted campaigns throughout 2025 to deploy the Pubload backdoor
Hive0154 devises filenames referencing various geopolitical topics tailored to elicit increased interest from the targeted recipients
As of May 2025, X-Force noticed an increased focus on topics tailored to target the Tibetan community
The phishing campaigns reference the 9th World Parliamentarians' Convention on Tibet (WPCT) held in Tokyo in June, China’s education policy in the Tibet Autonomous Region (TAR) and the 2025 book Voice for the Voiceless by the Dalai Lama
Reporting on North Korea
Jasper Sleet: North Korean remote IT workers’ evolving tactics to infiltrate organizations
Microsoft Threat Intelligence summarise this alleged North Korea threat and their methods of operation.
Analysis of the threat case of Kimsuky group using 'ClickFix' tactic
Genians details one of those attack chains by this alleged North Korean actor that show how humans can convinced to undermine any protections. That is a subset can be guided to deploy and/or otherwise subvert mitigations.
ClickFix is a deceptive tactic that tricks users into unknowingly participating in the attack chain themselves.
It disguises itself as troubleshooting guides for specific errors or as instructions for security document verification procedures.
The campaign is believed to be an extension of Kimsuky’s ongoing “BabyShark” threat activity.
To counter such threats, EDR-based defense strategies are crucial for detecting obfuscated malware and identifying abnormal behaviors.
https://www.genians.co.kr/en/blog/threat_intelligence/suky-castle
North Korean Contagious Interview Campaign Drops 35 New Malicious npm Packages
Kirill Boychenko highlights this alleged North Korean operation which further highlights why online package / code distribution platforms really do need to get a mitigation plan together due to their misuse by threat actors.
[We] uncovered an extended and ongoing North Korean supply chain attack that hides behind typosquatted npm packages. Threat actors linked to the Contagious Interview operation published 35 malicious packages across 24 npm accounts.
…
The intrusion begins with social engineering. According multiple victims’ reports, North Korean threat actors create fake recruiter profiles on LinkedIn to impersonate hiring professionals from recruitment companies. They target software engineers who are actively job-hunting, exploiting the trust that job-seekers typically place in recruiters. Fake personas initiate contact, often with scripted outreach messages and convincing job descriptions.
Understanding DPRK IT Worker Activity - Conversations and Insights
Heiner does a wonderful job of summarising in a rather pithy manner what North Korea is allegedly up to and how they do it. This puts the ‘p’ in persistent.
Key findings highlight how DPRK operatives manipulate online ecosystems to bypass identity verification, exploit remote desktop access, and deploy proxy infrastructure. GitHub serves not only as a technical collaboration space but also as a medium for reconnaissance and persona building. Communications , including Telegram chats, offer rare insights into their techniques and coordination.
https://www.ketman.org/understanding-dprk-it-workers-conversations-and-insight.html
Reporting on Iran
Iranian Cyber Actors May Target Vulnerable US Networks and Entities of Interest
CISA and FBI ring the alarm bell for US networks.. brace brace brace..
CISA, the Federal Bureau of Investigation (FBI), the Department of Defense Cyber Crime Center (DC3), and the National Security Agency (NSA) published Iranian Cyber Actors May Target Vulnerable US Networks and Entities of Interest. This joint fact sheet details the need for increased vigilance for potential cyber activity against U.S. critical infrastructure by Iranian state-sponsored or affiliated threat actors.
Iranian Educated Manticore Targets Leading Tech Academics
Check Point Research detail the alleged activities by this Iranian threat actor. The persona targeting is of note here.
Amid ongoing tensions between Iran and Israel, the Iranian threat group Educated Manticore, associated with the Islamic Revolutionary Guard Corps, has launched spear-phishing campaigns targeting Israeli journalists, high-profile cyber security experts and computer science professors from leading Israeli universities.
In some of those campaigns, Israeli technology and cyber security professionals were approached by attackers who posed as fictitious assistant to technology executives or researchers through emails and WhatsApp messages.
The threat actors directed victims who engaged with them to fake Gmail login pages or Google Meet invitations. Credentials entered on these phishing pages are sent to the attackers, enabling them to intercept both passwords and 2FA codes and gain unauthorized access to the victims’ accounts.
https://research.checkpoint.com/2025/iranian-educated-manticore-targets-leading-tech-academics/
Reporting on Other Actors
ConnectUnwise: Threat actors abuse ConnectWise as builder for signed malware
Karsten Hahn shows how vendors can torpedo the intended security assurances when they really try. Then how these properties are found and then misused by threat actors.
Authenticode stuffing is deliberate misuse of the certificate structure that allows modifications to an executable without invalidating its signature. Developers use this technique to avoid re-signing their applications for minor changes. It’s a relatively common practice, applications like Dropbox use it.
..
Although authenticode stuffing is common practice, ConnectWise’s decision to influence critical behavior and its user interface with unauthenticated attributes is clearly dangerous. It entices threat actors to build their own remote access malware with custom icons, background images and text, that is signed by a trusted company.
https://www.gdatasoftware.com/blog/2025/06/38218-connectwise-abuse-malware
Taking SHELLTER: a commercial evasion framework abused in- the- wild
Seth Goodwin, Daniel Stepanic, Jia Yu Chan and Samir Bousseaden show why commercial offensive tooling vendors do need to ensure they, their trialists and customers have guard rails against misuse.
Commercial evasion framework SHELLTER acquired by threat groups
SHELLTER has been used in multiple infostealer campaigns since April 2025
SHELLTER employs unique capabilities to evade analysis and detection
Elastic Security Labs releases dynamic unpacker for SHELLTER-protected binaries
https://www.elastic.co/security-labs/taking-shellter
Discovery
How we find and understand the latent compromises within our environments.
VNC Honeypot Setup
James Woolley walks through how to build one.. deploy and catch!
https://ja.meswoolley.co.uk/vnc-honeypot/
User-space library rootkits revisited: Are user-space detection mechanisms futile?
Enrique Soriano-Salvador, Gorka Guardiola Múzquiz and Juan González Gómez research, demonstrate and bring to academic literature (and thus citable) what others have previously demonstrated.
In these experiments, we evade the detection mechanisms widely accepted as the standard solution for this type of user-space malware, bypassing the most popular open source anti-rootkit tool for process hiding. This manuscript describes the classical approach to build user-space library rootkits, the traditional detection mechanisms, and different evasion techniques (it also includes understandable code snippets and examples). In addition, it offers some guidelines to implement new detection tools and improve the existing ones to the extent possible.
https://arxiv.org/abs/2506.07827
It’s Acting Odd! Exploring Equivocal Behaviors of Goodware
Gregorio Dalia, Andrea Di Sorbo, Corrado Aaron Visaggio and Gerardo Canfora release interesting research in an attempt to define the differences between good and bad in software. One can see how this might be misused now to mask the bad..
We identify twelve equivocal behaviors and evaluate their equivocality through a survey involving 32 software engineering and cybersecurity experts. Then, we investigate the extent to which such behaviors are exhibited by trusted software compared to malware samples. The results demonstrate that most surveyed experts generally agree on the equivocality of identified behaviors. In addition, legitimate software frequently manifests some of the behaviors identified as equivocal. Specifically, in more than 30% of reports generated for trusted software, we find behaviors aimed to (i) obtain information about the client system and available resources, (ii) perform advanced interaction with OS utilities, or (iii) avoid analysis.
https://dl.acm.org/doi/abs/10.1145/3729368
Defence
How we proactively defend our environments.
A Standard for Human-Centered Investigation Playbooks
Chris Sanders is a kind human to other humans with this guide..
An investigation playbook contains a collection of repeatable investigation steps for specific scenarios. While some playbook standards exist, none are explicitly focused on interpretation by human analysts while also supporting integration into analyst-focused tools. That changes today with the release of the Human-Centered Investigation Playbook (HCIP) standard. In this post, I’ll describe some of the research behind the standard, how it manifests in practice, and an exciting new Security Onion feature that’ll leverage these playbooks.
https://chrissanders.org/2025/06/human-centered-playbooks/
Dissecting RDP Activity
Sujay Adkesar provides a much celebrated guide on how to analyse RDP activity in practice. Given the prevalence of misuse a must read for investigation teams..
This blog post breaks down key RDP events and presents a timeline-style visualization of an RDP session lifecycle.
https://thelocalh0st.github.io/posts/rdp/
Initial Access Attack in Azure - Understanding and Executing the Illicit Consent Grant Attack in 2025
Vishal Raj walks through the technique so you can learn how to detect/mitigate..
Memory Safe Languages: Reducing Vulnerabilities in Modern Software Development
CISA and NSA drop some wisdom on the path to memory safety. For those how can’t move languages there is also CHERI.
This report, released by NSA and CISA, acknowledges the challenges and aims to provide a balanced view of the state of MSLs. Reducing memory safety vulnerabilities requires understanding when MSLs are appropriate, knowing how to adopt them effectively, and recognizing where non-MSLs remain practical necessities.
The Inefficiency in Digital Forensics
Florian Roth encourages the cyber defence community to adopt automation (see the AI section in the footnotes here also)..
It’s admittedly frustrating to see analysts continue sharing primarily manual screenshots or textual descriptions of suspicious findings online. We already have tools — both free and commercial — that bridge the gap between forensic insights and operational detection. All it takes is manual effort from skilled detection engineers to encode this knowledge into reusable, actionable rules.
https://cyb3rops.medium.com/the-inefficiency-in-digital-forensics-3da88123d2ec
Incident Writeups & Disclosures
How they got in and what they did.
SK Telecom Intrusion Incident Final Investigation Results Announced
Korean Government publishes the details.
(Investigation method) Considering the breach incident of the No. 1 telecommunications company in Korea, increasing public concerns, and the hidden nature of malicious codes, we inspected all SK Telecom servers (42,605 units)
(Infection status) A total of 28 infected servers, a total of 33 types of malicious codes confirmed and taken action
① Not related to this breach incident, but 1 type of malicious code was confirmed to have entered 88 SK Telecom servers due to a supply chain security management vulnerability, ② In February 2022, SK Telecom took self-measures for 2 types of malicious codes
(Information leak scale) 25 types of SIM information leaked (9.82 gigabytes <GB>, 26.96 million cases based on subscriber identification number <IMSI>)
(Cause of the incident and problems) SK Telecom's poor account information management, inadequate response to past breach incidents (February 2022), and inadequate measures to encrypt key information were identified as the causes
(Prevention of recurrence) Strengthened account password management, encryption of key information, and information protection Strengthening the management system (governance) (directly under the CEO), expanding information protection personnel and budget, etc.
[Review results of application of penalty exemption regulations]
SK Telecom did not fulfil its duty of care to protect SIM information and did not comply with related laws and regulations, so it is judged to be at fault for this breach
SK Telecom was judged to have failed to fulfil its duty as a business operator to protect SIM information and provide safe communication services to users
The Ministry of Science and ICT considered the fact that SK Telecom was found to have been negligent and that SK Telecom failed to fulfil its main obligations under the contract, and judged that the penalty exemption regulations are applicable
https://www.msit.go.kr/bbs/view.do?sCode=user&mPid=208&mId=307&bbsSeqNo=94&nttSeqNo=3185964
Vulnerability
Our attack surface.
When Backups Open Backdoors: Accessing Sensitive Cloud Data via "Synology Active Backup for Microsoft 365"
Leonid Hartmann details a vulnerability which could have been catastrophic. It would be good to get positive confirmation it wasn’t exploited.
We discovered a leaked credential that allowed anyone unauthorized access to all Microsoft tenants of organizations that use Synology’s “Active Backup for Microsoft 365” (ABM). This flaw could be leveraged by malicious actors to obtain potentially sensitive information — such as all messages in Microsoft Teams channels. It was reported to Synology and tracked as CVE-2025-4679.
https://modzero.com/en/blog/when-backups-open-backdoors-synology-active-backup-m365/
The vendor advisory is brief
https://www.synology.com/en-global/security/advisory/Synology_SA_25_06
CitrixBleed 2: Electric Boogaloo — CVE-2025–5777
Kevin Beaumont summarises this vulnerability..
The vulnerability is exploitable remotely and without authentication.
https://doublepulsar.com/citrixbleed-2-electric-boogaloo-cve-2025-5777-c7f5e349d206
Cisco Unified Communications Manager Static SSH Credentials Vulnerability
A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to log in to an affected device using the root account, which has default, static credentials that cannot be changed or deleted.
Cisco Identity Services Engine Unauthenticated Remote Code Execution Vulnerabilities
Multiple vulnerabilities in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an unauthenticated, remote attacker to issue commands on the underlying operating system as the root user.
Remote code execution in CentOS Web Panel - CVE-2025-48703
Authentication bypass and command injection..
https://fenrisk.com/rce-centos-webpanel
Offense
Attack capability, techniques and trade-craft.
Applocker bypass on Lenovo machines – The curious case of MFGSTAT.zip
Oddvar Moe highlights this vendor specific defensive wobble who managed to undermine a control point..
a minor discovery I made regarding a writeable file inside the Windows folder that is present on Lenovo machines. Initially when I found it I thought it was only a handful of Lenovo machines, but it seems as if this affects all variants. Since this can be abused as an AppLocker bypass
https://oddvar.moe/2025/07/03/applocker-bypass-on-lenovo-machines-the-curious-case-of-mfgstat-zip/
Unveiling Obfuscated Android Applications
Nils Nihlen shows what works in practice in identifying obfuscation which will be helpful in various scoring systems no doubt..
We have found that the main limitation with obfuscation detection tools is the lack of diverse, bias-free, and labeled training data. Furthermore, circumventing the issue requires either (a) use of unsupervised learning strategies such as anomaly detectors trained on good diverse sets of applications without obfuscation, (b) manually labeling a large number of ’in-the-wild’ applications to create a representative dataset which can train supervised learning models, or (c) distilling the specific features that indicate the presence of obfuscation, and differentiates them from ’normal’ code. Our findings suggest that (a) and (c) are both effective, as originally proposed by [5].
https://www.diva-portal.org/smash/get/diva2:1973115/FULLTEXT01.pdf
BitlockMove
r-tec Cyber Security reveal a technique that detection engineers will want to ensure coverage of. Also points for absolute audacity..
Lateral Movement via Bitlocker DCOM & COM Hijacking.
This Proof of Concept (PoC) for Lateral Movement abuses the fact, that some COM Classes configured as
INTERACTIVE USERwill spawn a process in the context of the currently logged on users session.If those processes are also vulnerable to COM Hijacking, we can configure a COM Hijack via the remote registry, drop a malicious DLL via SMB and trigger loading/execution of this DLL via DCOM.
https://github.com/rtecCyberSec/BitlockMove
Remote Windows Credential Dump With Shadow Snapshots: Exploitation And Detection
Labs at ITRES detail a technique but also show how it can be detected. Detection engineers will want to ensure coverage here for all the obvious credential loving reasons..
Detection via ETW is feasible with the WMI and SMB-SERVER providers. We built a PoC to illustrate this detection approach.
EntraPassTheCert
temp43487580 releases tooling to be aware of and also one to signature the use of..
EntraPassTheCert is a post-exploitation tool that allows attackers to request Entra ID's user P2P certificate and authenticate to a remote Entra joinned machine with it.
https://github.com/temp43487580/EntraPassTheCert
Memory Obfuscation in Rust
Victor releases a library we can expect to be leveraged in 3..2.. Detection engineers do what you do best!
Hypnus is a Rust library for execution obfuscation, designed to protect memory regions during inactivity or sleep cycles. It leverages thread pool timers, wait objects and APC, all with dynamic call stack spoofing and optional heap obfuscation. Execution remains stealthy, and no thread duplication is required.
https://github.com/joaoviictorti/hypnus
Exploitation
What is being exploited..
Threat Actors Exploit CVE-2025-3248 to Deliver Flodrix Botnet
Insecure AI solutions being exploited for botnet building..
This activity exploits CVE-2025-3248 (CVSS 9.8) in Langflow versions prior to 1.3.0, allowing unauthenticated remote code execution.
Flodrix botnet is delivered via malicious Python payloads, enabling DDoS attacks and data theft.
Attackers use open-source PoC exploits and tools like Shodan to target exposed Langflow servers.
The malware employs stealth techniques, including self-deletion and string obfuscation, to evade detection.
https://blog.polyswarm.io/threat-actors-exploit-cve-2025-3248-to-deliver-flodrix-botnet
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
FuncVul: An Effective Function Level Vulnerability Detection Model using LLM and Code Chunk
Sajal Halder, Muhammad Ejaz Ahmed and Seyit Camtepe provide tooling which will help break code down for a variety of use cases both in the malware, attribution as well as vulnerability discovery spheres.
this paper introduces FuncVul, an innovative code chunk-based model for function-level vulnerability detection in C/C++ and Python, designed to identify multiple vulnerabilities within a function by focusing on smaller, critical code segments. To assess the model's effectiveness, we construct six code and generic code chunk based datasets using two approaches: (1) integrating patch information with large language models to label vulnerable samples and (2) leveraging large language models alone to detect vulnerabilities in function-level code. To design FuncVul vulnerability model, we utilise GraphCodeBERT fine tune model that captures both the syntactic and semantic aspects of code. Experimental results show that FuncVul outperforms existing state-of-the-art models, achieving an average accuracy of 87-92% and an F1 score of 86-92% across all datasets.
https://arxiv.org/abs/2506.19453
Rust Library Recognition Project for Rust Malware
MSTIC-MIRAGE release as work aid for analysts who are yet to fully adopt AI in their workflow..
RIFT (Rust Interactive Function Tool) is a toolsuite to assist reverse engineers in identifying library code in rust malware. It is a research project developed by the MSTIC-MIRAGE Team, explores library recognition techniques conducted on rust binaries and was presented at RECON 2025.
https://github.com/microsoft/RIFT
Recover compile-units from stripped binary executables
Chariton Karamitas provides a tool which will be useful for building data sets from compiled binaries to facilitate model training..
REcover is a tool for approximately recovering the compile-unit layout from stripped binary executables. REcover consists of an IDAPython plug-in, used for exporting information, and a command line tool, for running various analyses.
https://github.com/huku-/recover
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Annual report
Nothing overly of note this week
Draft OT Security Guidelines for Semiconductor Device Factories Compiled
Ctrl+Space CTF - Security for Space Systems (3S) conference - participants will have the chance to engage with live security challenges executed directly aboard D-Orbit’s ION Satellite Carrier, orbiting Earth in real time.
NIS2 Policy Templates from the Belgium government
Bulletin of "Carol I" National Defence University No.2/2025 from Romania
Canada and UK partner to build a stronger semiconductor supply chain
Artificial intelligence
SV-LLM: An Agentic Approach for SoC Security Verification using Large Language Models - " The system aims to reduce manual intervention, improve accuracy, and accelerate security analysis, supporting proactive identification and mitigation of risks early in the design cycle. "
Critical RCE in Anthropic MCP Inspector (CVE-2025-49596) Enables Browser-Based Exploits
Books
Nothing overly of note this week
Events
JSAC2026 - Call for papers - January 21-23, 2026 - Tokyo
Unless stated otherwise, linked or referenced content does not necessarily represent the views of the NCSC and reference to third parties or content on their websites should not be taken as endorsement of any kind by the NCSC. The NCSC has no control over the content of third party websites and consequently accepts no responsibility for your use of them.
This newsletter is subject to the NCSC website terms and conditions which can be found at https://www.ncsc.gov.uk/section/about-this-website/terms-and-conditions and you can find out more about how will treat your personal information in our privacy notice at https://www.ncsc.gov.uk/section/about-this-website/privacy-statement.