CTO at NCSC Summary: week ending June 1st
Multiple supply chain attacks which resulted in client access..
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week nothing overly of note beyond Ivanti EPMM exploitation which rumbles on..
In the high-level this week:
UK to deliver pioneering battlefield system and bolster cyber warfare capabilities under Strategic Defence Review - Ministry of Defence and The Rt Hon John Healey MP announce - “New Cyber and Electromagnetic Command will oversee cyber operations for Defence as careers pathway accelerated.”
Investing in the Australian Defence Force's cyber warfare workforce - Australia announces - “The transition to a new skills-based pay structure will help Defence build a fit-for-purpose cyber warfare workforce, aiming to assist with retention and depth of knowledge, skills and experience.”
Science, Innovation and Technology Committee - UK Parliament publishes - includes a segment on the cyber work that OFCOM does in telecommunications regulation.
Overlooked and under-reported: the impact of cyberattacks on primary care in the UK National Health Service - The Lancet Digital Health publishes - “No quantifiable insights have been gained regarding the impact on primary care in WannaCry and Synnovis incidents.”
Welcome to the age of cyber insecurity in business - Financial Times reports - “Companies cannot abandon cyber security as a hopeless effort, of course. Despite the mutual interest of hackers and the enterprises they invade in portraying these crimes as very sophisticated, many are not. They could have been avoided with some simple steps, such as keeping software updated and deploying multi-factor authentication. Sometimes, there is no excuse.”
Boards have a tougher choice to make from today if they get hacked - Australian Financial Review reports - “The rules mean any organisation that has an annual turnover of $3 million or more, or is responsible for critical infrastructure, must report a ransom payment via an online portal to Home Affairs and the Australian Signals Directorate, within three days.”
Why so many military veterans move into cybersecurity - BBC reports - “In the UK, the Forces Employment Charity's TechVets programme typically helps 15 to 20 people a month into employment, with between 40 and 60% of those head into cybersecurity.”
Scams & Scandals - Cyber Siege: From Russia to Redcar - BBC broadcasts - “The inside story of a council in north east England was held to ransom by a dangerous gang of cyber criminals. Geoff White investigates the threats to our public services from Russian hackers”
Government to formulate new cybersecurity strategy amid rising threats - The Japan Times reports - “The meeting — convened for the first time after a new active cyberdefense law was enacted by parliament — outlined four areas of action that urgently need to be addressed: reshuffling the cybersecurity center under the Cabinet into a command center for cyber-related policies; strengthening public-private cooperation in cyberdefense; boosting personnel training and technological infrastructure; and deepening international cooperation.”
The invisible front: Ukraine’s IT army and the evolution of cyber resistance - University of Toronto publish - ”the IT Army of Ukraine (ITAU), a volunteer cyber force that countered Russian disinformation and targeted its digital spaces. We argue that the ITAU contributed to Ukraine’s political victory in the Battle of Kyiv by projecting national resilience to both domestic audiences and international observers. By countering Russian cyberattacks and mounting its own offensive campaigns, the ITAU not only disrupted enemy capabilities but also bolstered domestic morale and helped shape global perceptions of Ukraine’s ability to defend itself.”
NATO Floats Cybersecurity to Be Included in New Spending Target - Bloomberg reports - “NATO proposed including expenditures on cybersecurity and activities related to border and coastal security to qualify for the military alliance’s new defense-related spending target of 1.5% of GDP.”
2025 Worldwide Threat Assessment - US Defense Intelligence Agency assesses - “China-led cyberintrusions, including by the PLA Cyberspace Force and the Ministry of State Security, are targeting information networks around the world, including U.S. Government systems, to steal intellectual property and data and develop access into sensitive networks. China very likely will continue to use its cyberspace capabilities to support intelligence collection against U.S. academic, economic, military, and political targets and to exfiltrate sensitive information from defense infrastructure and research institutes to gain economic and military advantage.”
9th Industrial Cyber Security Study Group was held - Japan Ministry of Economy, Trade and Industry (METI) announce - “presented future policy directions that will contribute to strengthening cybersecurity measures in the industrial sector, including through the establishment of new systems and strengthening support for SMEs and other businesses. The study group also issued a “Message to the Industrial Sector” aimed at company management, practitioners and other stakeholders.”
Reinventing Cyber Defence: Why We Need a New Doctrine to Defend Our Nations - RUSI think tanks - “Europe must not only equip itself with a defence strategy that substantially boosts investment and enhances its own autonomous capabilities, but it must also reframe how it integrates the cyber domain within its broader defence architecture.”
Criteria for Cyber Situational Awareness - Center for Strategic International Studies think tanks - “Establishing effective cyber situational awareness first requires producing capabilities for collecting and sharing aggregate data from diverse sources.”
Investigation into SK Telecom data breach expands to KT, LG Uplus - Yonhap News Agency reports - “Following the expanded investigation, no traces of hacking activity have yet been found on the servers of KT or LG Uplus, they added.”
Reporting on/from China
Statement by the Government of the Czech Republic - Government of the Czech Republic attributes - “Following the national attribution process, the Government of the Czech Republic has identified the People´s Republic of China as being responsible for malicious cyber campaign targeting one of the unclassified networks of the Czech Ministry of Foreign Affairs.”
How Hacktivists in China Are Using Data Leaks for Dissent - Oxford China Policy Lab and Estrella Hernandez publish - “Hackers in China have previously been prevented from organizing into groups and carrying out both nationalist and apolitical hacking. It is plausible that hackers would have little to lose by pivoting to hack to express dissent.”
India's alarm over Chinese spying rocks the surveillance industry - Reuters reports - “Global makers of surveillance gear have clashed with Indian regulators in recent weeks over contentious new security rules that require manufacturers of CCTV cameras to submit hardware, software and source code for assessment in government labs, official documents and company emails show” - the India approach is strong and will be insightful.
Recent trends related to "national security" in China - Japanese Center for Information on Security Trade Control analyses Chinese rules and laws - “The identification of significant data shall be in accordance with 6.5b) and shall take into account the following factors:“ - “Cyber attacks, such as supply chain attacks and social engineering attacks against key targets, involving undisclosed attack methods, methods for producing attack tools, or auxiliary information for attacks”
Turkey busts Chinese spying ring using fake cell towers - Middle East Eye report - “Officials say it's the most sophisticated espionage cell uncovered and used IMSI-catcher devices to eavesdrop on Uyghur and Turkish targets in Istanbul and Izmir”
DNA data storage for biomedical images using HELIX - Nature Computational Science publishes - “DNA molecules have a remarkably long storage lifespan and require no power for preservation. Research has demonstrated that DNA molecules can recover information even
after 10,000 years of storage at room temperature” - they focus on a biomedical use case, but either way how are you data forensics approaches?
Chinese robot makers led by Unitree dazzle at Macau’s Beyond Expo amid AI boom - South China Morning Post reports - “In the first four months of this year, online sales of intelligent robots in China surged 87 per cent from a year earlier, the commerce ministry said on Friday, citing data from the National Bureau of Statistics.”
US AISI - US Select Committee On the CCP writes - “Given its unique technical expertise, strong partnerships with industry, and experience in testing and evaluations, we believe AISI’s mission should be expanded to explicitly include a focus on PRC AI development”
Huawei's AI servers show tech advancing despite US curbs - Nikkei Asia reports - “SemiAnalysis has compared Huawei's servers against Nvidia's GB200, finding that "having five times as many Ascends more than offsets each GPU being only one-third the performance of an Nvidia Blackwell" GPU.”
Hong Kong passes stablecoin law, clearing way for sales to public - South China Morning Post reports - “A stablecoin is a type of cryptocurrency that is pegged to a specific reserve asset, such as the US dollar or any fiat currency”
AI
GitHub MCP Exploited: Accessing private repositories via MCP - Invariant Labs publish - “We showcase a critical vulnerability with the official GitHub MCP server, allowing attackers to access private repository data.”
Evaluating AI cyber capabilities with crowdsourced elicitation - Artem Petrov and Dmitrii Volkov publish - “We host open-access AI tracks at two Capture The Flag (CTF) competitions: AI vs. Humans (400 teams) and Cyber Apocalypse (8000 teams). The AI teams achieve outstanding performance at both events, ranking top-5% and top-10% respectively for a total of $7500 in bounties.” - caveats not withstanding.
On O3 finding a SMB bug in the Linux Kernel - Gemini 2.5 PRO can more easily identify the vulnerability - Salvatore Sanfilippo provides the prompts
Trends - Artificial Intelligence - Bond analyses - “platform incumbents and emerging challengers are racing to build and deploy the next layers of AI infrastructure: agentic interfaces, enterprise copilots, real-world autonomous systems, and sovereign models.”
Trends in AI Supercomputers - Epoch AI asserts - “We curated a dataset of over 500 AI supercomputers (sometimes called GPU clusters or AI data centers) from 2019 to 2025 and analyzed key trends in performance, power needs, hardware cost, and ownership. We found:
Computational performance grew 2.5x/year, driven by using more and better chips in the leading AI supercomputers.
Power requirements and hardware costs doubled every year. If current trends continue, the largest AI supercomputer in 2030 would cost hundreds of billions of dollars and require 9 GW of power.
The rapid growth in AI supercomputers coincided with a shift to private ownership. In our dataset, industry owned about 40% of computing power in 2019, but by 2025, this rose to 80%.
The United States dominates AI supercomputers globally, owning about 75% of total computing power in our dataset. China is in second place at 15%.”
What the Era of ‘Sovereign AI’ Means for Chip Makers - The Wall Street Journal reports - “Bank of America analyst Vivek Arya estimates that the sovereign AI market could reach $50 billion annually in the long term, or 10% to 15% of the “global AI infrastructure opportunity.””
'Stargate UAE' AI datacenter to begin operation in 2026 - Reuters reports - “The first phase of a massive new artificial data center in the United Arab Emirates will come online in 2026, likely with 100,000 Nvidia chips.”
SoftBank, OpenAI announce Stargate UAE AI data center project - Nikkei Asia reports
DeepSeek paper offers new details on how it used 2,048 Nvidia chips to take on OpenAI - South China Morning Post reports - “The paper details technical optimisations that boost memory efficiency, streamline inter-chip communication, and enhance overall AI infrastructure performance – key advancements for reducing operational costs while scaling capabilities.” (paper in the footnotes)
Cyber proliferation
Ehud Barak, ex-cyber chief sue VC Michael Eisenberg for defamation Over Paragon posts - ynet news reports - “Former prime minister and a co-founder of cyber firm Paragon claim Eisenberg, a top tech investor, defamed them in posts they say were fueled by business rivalry and linked to a smear campaign. Mediation was rejected as the case proceeds in court”
Bounty Hunting
Iranian Man Pleaded Guilty to Role in Robbinhood Ransomware - US Department of Justice announces - “Sina Gholinejad, 37, and his co-conspirators compromised the computer networks of cities, corporations, health care organizations, and other entities around the United States, and encrypted files on these victim networks with the Robbinhood ransomware variant to extort ransom payments.”
16 Defendants Federally Charged in Connection with DanaBot Malware Scheme That Infected Computers Worldwide - US Department of Justice announces - “who allegedly developed and deployed the DanaBot malware which a Russia-based cybercrime organization controlled and deployed, infecting more than 300,000 victim computers around the world, facilitated fraud and ransomware, and caused at least $50 million in damage.”
Leader of Qakbot Malware Conspiracy Indicted for Involvement in Global Ransomware Scheme - US Department of Justice announces - ”Rustam Rafailevich Gallyamov, 48, of Moscow, Russia, with leading a group of cyber criminals who developed and deployed the Qakbot malware. In connection with the charges, the Justice Department filed today a civil forfeiture complaint against over $24 million in cryptocurrency seized from Gallyamov over the course of the investigation”
FTC order prohibits GoDaddy from misleading customers about its security protections - US Federal Trade Commission discloses - “mandates GoDaddy to establish a robust information security program, secure APIs using HTTPS or other secure transfer protocols, and set up a software and firmware update management program.”
Operation ENDGAME strikes again: the ransomware kill chain broken at its source - Europol announces - “From 19 to 22 May, authorities took down some 300 servers worldwide, neutralised 650 domains, and issued international arrest warrants against 20 targets, dealing a direct blow to the ransomware kill chain.”
UK brokers expect strong growth in cyber insurance as business risks escalate - Life Insurance International reports- “A GlobalData survey has found that more than half of UK commercial brokers believe cyber insurance is the product that has the most growth potential in the commercial insurance industry. This reflects growing awareness of cyber threats and heightened risk perceptions among businesses, both of which are driving demand—even though adoption of cyber cover is not yet universal.”
Reflections this week are three short ones..
The first is based on the AI reporting it is clear we have some way to go ensuring that the AI systems being implemented are secure by design/default despite the lessons of the past... it is almost as if there is no market incentives to ensure this happens..
The second is if you have time you should check out the quality of the research presented at NDSS Symposium 2025. Some of it really is world class - I have referenced one paper in the below..
The final is this classification model aimed to assist in classifying vulnerabilities by severity based on their descriptions is a potentially legitimately useful application of AI… you can learn about it here.
Not getting this via email? Subscribe:
Think someone else would benefit? Share:
All attribution is by others and not the UK Government unless specifically stated as such, please see the legal text at the end.
Have a lovely Sunday..
Ollie
Cyber threat intelligence
Who is doing what to whom and how allegedly.
Reporting on Russia
Russian GRU Targeting Western Logistics Entities and Technology Companies
Joint Cyber Advisory led by the USA agencies but including the UK’s National Cyber Security Centre on this Russian operation.
This joint cybersecurity advisory (CSA) highlights a Russian state-sponsored cyber campaign targeting Western logistics entities and technology companies. This includes those involved in the coordination, transport, and delivery of foreign assistance to Ukraine. Since 2022, Western logistics entities and IT companies have faced an elevated risk of targeting by the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (85th GTsSS), military unit 26165—tracked in the cybersecurity community under several names (see “Cybersecurity Industry Tracking”). The actors’ cyber espionage-oriented campaign, targeting technology companies and logistics entities, uses a mix of previously disclosed tactics, techniques, and procedures (TTPs). The authoring agencies expect similar targeting and TTP use to continue.
War and Cyber: Three Years of Struggle and Lessons for Global Security
State Special Communications Service publish their experience..
The document covers key trends in cyberwarfare against Ukraine from the beginning of the full-scale invasion in 2022 to the present, analyzes the transformation of the aggressor's tactics, and formulates practical recommendations for strengthening cyber defense at the international level.
Russian intelligence services have changed their approach from targeted cyberattacks to a systemic component of a military campaign. The aggressor is actively involving private IT companies, hacker groups, and "volunteers" in its cyber activities.
The proportion of cyber espionage operations aimed at obtaining intelligence and supporting combat operations is increasing. This partly explains the decrease in the number of critical incidents in 2023–2024 (367 in 2023 and 59 in 2024), despite the overall increase in cyber incidents (2,194 in 2022, 2,543 in 2023 and 4,315 in 2024).
Unknown Russian group behind hacks of Dutch targets
Netherlands AIVD and MIVD detail this alleged Russian operation.
A previously unknown Russian cyber group is behind the hacks on several Dutch organizations, including the police in September 2024. Work-related contact information was stolen from the police. The services have not been able to determine whether other data has also been stolen.
Microsoft followed up with their reporting
conducting espionage operations primarily targeting organizations that are important to Russian government objectives. These include organizations in government, defense, transportation, media, NGOs, and healthcare, especially in Europe and North America. They often use stolen sign-in details that they likely buy from online marketplaces to gain access to organizations. Once inside, they steal large amounts of emails and files.
Analysis of the APT-C-53 (Gamaredon) organization's attack operations using military intelligence-related documents as bait
Chinese reporting on an alleged Russian operation, noteworthy only really for the fact it is Chinese reporting..
[We] captured a batch of VBS samples of APT-C-53 (Gamaredon). These malicious scripts achieve high obfuscation through code fragmentation and Base64 encoding encryption, and use a phased deployment mechanism to release subsequent attack payloads one by one. It achieves persistence by infecting normal user files and constructs malicious LNK shortcut files with military intelligence as bait. The attack chain specifically uses military themes to reduce user vigilance and induces targets to click and execute malicious programs through social engineering. Given that the organization has recently frequently attacked multiple users with military intelligence-related content, and its attack methods have continued to escalate during observation, we conduct a detailed analysis here, hoping that relevant departments and individuals will strengthen security awareness, strengthen encryption protection and access control of confidential intelligence and user data, and effectively prevent the risk of information leakage caused by malicious attacks.
Reporting on China
Mark Your Calendar: APT41 Innovative Tactics
Patrick Whitsell details the alleged tradecraft of an alleged Chinese threat actor which is only noteworthy for using Google Calendar for its C2.
APT41 sent spear phishing emails containing a link to the ZIP archive hosted on the exploited government website. The archive contains an LNK file, masquerading as a PDF, and a directory. Within this directory we find what looks like seven JPG images of arthropods. When the payload is executed via the LNK, the LNK is deleted and replaced with a decoy PDF file that is displayed to the user indicating these species need to be declared for export.
https://cloud.google.com/blog/topics/threat-intelligence/apt41-innovative-tactics
Earth Lamia Develops Custom Arsenal to Target Multiple Industries
Joseph C Chen details an alleged Chinese operation which focuses on the exploitation of web vulnerabilities. A reminder to all your exposed attack surface including those web assets are of interest..
Trend Research has identified Earth Lamia as an APT threat actor that exploits vulnerabilities in web applications to gain access to organizations, using various techniques for data exfiltration.
Earth Lamia develops and customizes hacking tools to evade detection, such as PULSEPACK and BypassBoss.
Earth Lamia has primarily targeted organizations in Brazil, India, and Southeast Asia since 2023. Initially focused on financial services, the group shifted to logistics and online retail, most recently focusing on IT companies, universities, and government organizations.
https://www.trendmicro.com/en_us/research/25/e/earth-lamia.html
ViciousTrap – Infiltrate, Control, Lure: Turning edge devices into honeypots en masse
Felix Aimé and Jeremy Scion detail an alleged Chinese in origin operation which is noteworthy for its scale but also the hints of what they are trying to do.
Sekoia.io investigated a threat actor nicknamed ViciousTrap, who compromised over 5,500 edge devices, turning them into honeypots.
More than 50 brands — including SOHO routers, SSL VPNs, DVRs, and BMC controllers — are being monitored by this actor, possibly to collect exploited vulnerabilities affecting these systems.
The actor is likely of Chinese-speaking origin, based on a weak overlap with the GobRAT infrastructure and the geographic distribution of compromised and key monitored devices.
..
The infection chain involves the execution of a shell script, dubbed NetGhost, which redirects incoming traffic from specific ports of the compromised router to a honeypot-like infrastructure under the attacker’s control allowing him to intercept network flows.
From Humble Beginnings: How a Vocational College Became a Vulnerability Powerhouse
Natto Team detail something which I know will resonate with a number in the industry..
“People who have attack and defense live-fire capabilities do not need degrees from elite universities.” He called for recruiting talented students from less-prestigious technical or regional educational institutions. One such institution rocketed to prominence on May 16 of this year. Qingyuan Polytechnic – a vocational school from a third-tier city1 – was one of three higher education institutes honored as Outstanding Universities of the Year for Cooperation at the China National Vulnerability Database of Information Security (CNNVD)’s 2024 Annual Work Review and Outstanding Recognition Conference.
nattothoughts.substack.com/p/when-a-vocational-college-becomes
Operation RUN: The Cyber Carnival of "Offshore Patriots"
Watering hole operation carried out in China by a Chinese speaking threat actor.. Noteworthy for obviously slightly infighting sounding reasons..
In April, we observed that UTG-Q-015 carried out large-scale puddle mounting behavior against blockchain websites, digital signature backend, bitcoin backend, gitlab backend and other web systems, affecting some government and enterprise customers, and at the same time, also invaded the financial institutions through IM phishing and C2 backlinked to the intranet web address to download the three-phase payload.
..
There are also professional teams like UTG-Q-015, which are located in Southeast Asia and provide penetration and intelligence services to Southeast Asian companies and institutions. These two types of attack teams are incompatible and even target each other. This is why UTG-Q-015 invaded several domestic programming forums last year. Its purpose was to counterattack and retaliate. On the surface, it is an "outsourcing war", but at a deeper level it is still a conflict between ideology and political stance.
https://ti.qianxin.com/blog/articles/operation-run-the-cyber-carnival-of-offshore-patriots-en/
Reporting on North Korea
All Roads Lead to China
TRM details links between alleged Chinese criminals and alleged North Korean cyber actors.
.. analysis shows that OTC brokers like Wu and Cheng act as critical middlemen in North Korea’s laundering playbook. They use their access to major crypto exchanges and bank accounts to swap illicit crypto for fiat under the cover of legitimate high-volume trading. Once funds enter traditional banks (often via accounts of offshore companies in lax jurisdictions), they are layered through a maze of transfers to obscure their North Korean origin. China — historically North Korea’s largest trading partner — often serves as the geographic hub for these operations, with key facilitators based in Chinese territory. Notably, Sim Hyon Sop himself relocated to Dandong, China, a border city long known as a nexus for North Korean illicit commerce. This highlights how Pyongyang’s financial emissaries embed within China to exploit its financial system’s gray areas.
Reporting on Iran
APT42 / GreenCharlie APT Infra
Cyber Team dump this alleged APT42 infrastructure discovered through Fofa
Reporting on Other Actors
Possible APT32/Ocean Lotus Installer abusing MST Transforms
dmpdump details this alleged Vietnamese operation which as a novel twist through its use of MST transforms..
The victim is expected to run the only visible file in the ISO, 脱密 中央国安办.pdf.lnk, a shortcut file disguised as a PDF via double extension.
..
The abuse and trojanization of MST transforms is a rare technique. The samples that appeared in the wild in May 2025 seem to be a continuation to the activity originally reported by QiAnXin in November 2024.
https://dmpdump.github.io/posts/Possible-Ocean-LotusInstaller-Abusing-MST-Transforms/
DragonForce actors target SimpleHelp vulnerabilities to attack MSP, customers
Anthony Bradshaw, Hunter Neal, Morgan Demboski and Sean Gallagher detail a criminal operation which should serve as (another) warning to MSP’s that you are of interest because of your customers.
In this incident, a threat actor gained access to the MSP’s remote monitoring and management (RMM) tool, SimpleHelp, and then used it to deploy DragonForce ransomware across multiple endpoints. The attackers also exfiltrated sensitive data, leveraging a double extortion tactic to pressure victims into paying the ransom.
Discovery
How we find and understand the latent compromises within our environments.
100 Days of KQL update
Aura is back and queries now have associated TTPs and alao include a changelog in each page too.
https://github.com/SecurityAura/DE-TH-Aura/tree/main/100DaysOfKQL
Auscert 2025 Detection Engineering Workshop
Mike Cohen delivers..
https://docs.velociraptor.app/presentations/2025_auscert-detection-engineering/
Understanding SMB Abuse: Hunting and Detecting Network Share Threats on Windows
Saujas Jadhav details a set of valuable techniques to catch adversaries who might be wandering around a network.
I explored how network shares function, how they are discovered, abused, and leveraged by attackers across different stages of an intrusion — from reconnaissance to lateral movement and persistence. This is not a walk-through of ATT&CK techniques, but a practical deep dive into real-world Tactics, Techniques, and Procedures (TTPs) associated with network shares.
Defence
How we proactively defend our environments.
Implementing SIEM and SOAR platforms
Australian Cyber Security Centre of the Australian Signals Directorate publishes
SIEM and/or SOAR platforms can be critical to organisations’ cyber security strategy by enabling visibility over the ICT environment and the detection of malicious activity. Implemented well, these platforms collect, centralise, and analyse important data that would otherwise be extremely complex and scattered. This helps organisations detect cyber security events and incidents to assist defenders intervene early and respond to threat
Tracecat
Released and describing itself as an open source Tines / Splunk SOAR alternative.
Tracecat is a modern, open source automation platform built for security and IT engineers. Simple YAML-based templates for integrations with a no-code UI for workflows. Built-in lookup tables and case management. Orchestrated using Temporal for scale and reliability.
https://github.com/TracecatHQ/tracecat
Velvet Chollima APT Adversary Simulation
Abdulrehman Ali is back with another adversary simulation to evidence the efficacy of those controls..
This is a simulation of an attack by the (Velvet Chollima) APT group targeting South Korean government officials. The attack campaign began in January 2025 and also targeted NGOs, government agencies, and media companies across North America, South America, Europe, and East Asia. The attack chain starts with a spear-phishing email containing a PDF attachment.
https://medium.com/@S3N4T0R/velvet-chollima-apt-adversary-simulation-89c5159e7fc1
Reviewing Your Delegation Model Before Introducing W2K25 DCs And Enhancing Security (Due To “BadSuccessor”)
Jorge de Almeida Pinto provides some practical advice on how to avoid a mishap during this upgrade..
At its core the migration of a legacy service account to a dMSA could be misused for privilege escalation. Although the feature is intended to “easily” migrate the use of legacy service account(s) to more secure (from a password management perspective) dMSA(s), the so called legacy service account can also be any other account in the AD domain, like e.g. the default domain administrator account (the RID-500).
ScriptHostTest
Michael Haag provides a script which is useful to validate WDAC controls.
PowerShell script designed to test file creation and execution permissions across various Windows directories. It helps defenders and security professionals validate AppLocker and Windows Defender Application Control (WDAC) policies by attempting to create and execute different types of scripts in specified user and system paths. This tool ensures that security boundaries and access controls are effectively enforced within your environment.
https://github.com/MHaggis/notes/tree/master/utilities/ScriptHostTest
Cross Cloud Identities in Zero Trust POC
UK Government Digital Service (GDS) released this proof-of-concept
demonstrating how federated user and workload identity can be done effectively across multiple cloud services without long lived credentials, or individual credentials for humans for each user (single sign on, or SSO).
https://github.com/co-cddo/zerotrust-cloud-identity/
Incident Writeups & Disclosures
How they got in and what they did.
‘TU/e acted well in cyber attack, but there are also lessons to be learned
TU/e discloses what their gap was..
TU/e did have multi-factor authentication on most applications, but not yet on the VPN's log-in
ConnectWise
ConnectWise detail an issue which as a SaaS provider should once again go to highlight SaaS supply chain risks..
ConnectWise recently learned of suspicious activity within our environment that we believe was tied to a sophisticated nation state actor, which affected a very small number of ScreenConnect customers.
https://www.connectwise.com/company/trust/advisories
Commvault Security Advisory (Update)
CISA updated on this, here is the original.
On February 20, 2025, Microsoft began notifying us regarding unauthorized activity by a nation-state threat actor based on their visibility within Azure environments. Commvault immediately launched an investigation with the assistance of leading cybersecurity experts and published a security advisory.
https://www.commvault.com/blogs/customer-security-update
Vulnerability
Our attack surface.
HPE NonStop servers, Multiple Vulnerabilities
HP discloses some vulnerabilities in highly available systems..
Multiple security vulnerabilities have been identified in HPE NonStop SSH (T0801), NonStop SSL(T0910) and MR-Win6530(T0819) products. These vulnerabilities could be exploited to allow remote code execution, local or remote denial of service, remote disclosure of information, remote buffer overflow or remote script injection.
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbns04859en_us&docLocale=en_US
Bypassing MTE with CVE-2025-0072
Man Yue Mo details a vulnerability which is interesting, yet the reason it is exploitable fascinating.
As I mentioned in the introduction, this exploit is capable of bypassing MTE. However, unlike a previous vulnerability that I reported, where a freed memory page is accessed via the GPU, this bug accesses the freed memory page via user space mapping. Since page allocation and dereferencing is protected by MTE, it is perhaps somewhat surprising that this bug manages to bypass MTE.
…
it appears that page mappings created by
mgm_vmf_insert_pfn_protinkbase_csf_user_io_pages_vm_fault, which are used for accessing the memory page after it is freed, ultimately usesinsert_pfnto create the mapping, which inserts the page frame into the user space page table. I am not totally sure, but it seems that because the page frames are inserted directly into the user space page table, accessing those pages from user space does not require kernel level dereferencing and therefore does not trigger MTE.
https://github.blog/security/vulnerability-research/bypassing-mte-with-cve-2025-0072/
The new Dmsa Vuln for people who don’t know what Dmsa is
Sapir provides a great explainer on this vulnerability..
… DMSA is the next generation of gMSA!
… DMSA stands for Delegated Managed Service Account.
This vulnerability is a great example of how seemingly helpful schema changes can open the door to serious attacks. With just a few new attributes, attackers can manipulate the system to forge PACs and gain domain admin privileges. It makes you wonder—what other attributes were added in Windows Server 2025, and how might they be abused? Schema extensions are powerful tools, but they need to be reviewed carefully before deployment in production.
https://sapirxfed.com/2025/05/24/the-new-dmsa-vuln-for-people-who-dont-know-what-dmsa-is/
Cross-Origin Web Attacks via HTTP/2 Server Push and Signed HTTP Exchange
Pinji Chen, Jianjun Chen, Mingming Zhang , Qi Wang , Yiming Zhang, Mingwei Xu and Haixin Duan from Tsinghua University and Zhongguancun Laboratory details an vulnerability class which is going to have a longtail. This is one of many excellent papers from NDSS Symposium 2025
In this paper, we investigate the security implications of HTTP/2 server push and signed HTTP exchange (SXG) on the Same-Origin Policy (SOP), a fundamental web security mechanism designed to prevent cross-origin attacks. We identify a vulnerability introduced by these features, where the traditional strict SOP origin based on URI is undermined by a more permissive HTTP/2 authority based on the SubjectAlternativeName (SAN) list in the TLS certificate. This relaxation of origin constraints, coupled with the prevalent use of shared certificates among unrelated domains, poses significant security risks, allowing attackers to bypass SOP protections. We introduce two novel attack vectors, CrossPUSH and CrossSXG, which enable an off-path attacker to execute a wide range of cross-origin web attacks, including arbitrary cross-site scripting (XSS), cookie manipulation, and malicious file downloads, across all domains listed in a shared certificate. Our investigation reveals the practicality and prevalence of these threats, with our measurements uncovering vulnerabilities in widely-used web browsers such as Chrome and Edge, and notable websites including Microsoft. We responsibly disclose our findings to affected vendors and receive acknowledgments from Huawei, Baidu, Microsoft, etc.
https://www.ndss-symposium.org/wp-content/uploads/2025-1086-paper.pdf
Offense
Attack capability, techniques and trade-craft.
Fuzzing Defender's Scanning and Emulation Engine (mpengine.dll)
Manuel Feifel details some findings which may provide EDR evasion opportunties..
Multiple out-of-bounds read and null dereference bugs were identified by using Snapshot Fuzzing with WTF and kAFL/NYX. These bugs can be used to crash the main Defender process as soon as the file is scanned. None of the bugs appear to be exploitable for code execution.
https://labs.infoguard.ch/posts/attacking_edr_part4_fuzzing_defender_scanning_and_emulation_engine/
AMSI, CLM and ETW – defeated* with one Microsoft signed tool
Ian provides a indicator to hunt for i.e. the invocation of cdb..
Microsoft provides these two console-based debuggers (meaning they are signed by Microsoft) as part of the Windows 10 debugging tools. CDB and NTSD are identical in every way, except that NTSD spawns a new text window when it is started, whereas CDB inherits the Command Prompt window from which it was invoked. For now, I’m using CDB.
One of the huge benefits of CDB is that you can script it. This means that you can take a file, feed it into you console debugger and script actions to take place, breakpoints, dumps, assembly etc. With no interaction.
What do we need to accomplish –
Load PowerShell
Set a BP on AmsiScanBuffer
Wait until that BP is hit
Manipulate the data at that address
Remove the BP
Continue execution
https://shells.systems/one-tool-to-rule-them-all/
Exploitation
What is being exploited..
Threat Activity Targeting Commvault’s SaaS Cloud Application (Metallic)
CISA alerts on this ongoing long tail of this incident..
Commvault is monitoring cyber threat activity targeting their applications hosted in their Microsoft Azure cloud environment. Threat actors may have accessed client secrets for Commvault’s (Metallic) Microsoft 365 (M365) backup software-as-a-service (SaaS) solution, hosted in Azure.
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
Bringing Binary Exploitation at Port 80: Understanding C Vulnerabilities in WebAssembly
Emmanuele Massidda, Lorenzo Pisu, Davide Maiorca and Giorgio Giacinto show everything which is old is destined to be new again..
These vulnerabilities can be used to impact web application security, potentially leading to critical issues like Cross-Site Scripting (XSS) and Remote Code Execution (RCE). Our work aims to demonstrate how memory-related vulnerabilities in C codes, when compiled into Wasm, can be exploited for XSS and RCE.
https://www.scitepress.org/Papers/2024/128524/128524.pdf
Physical Fault Injection and Side-Channel Attacks on Mobile Devices: A Comprehensive Analysis
Carlton Shepherda, Konstantinos Markantonakisa, Nico van Heijningenb , Driss Aboulkassimic , Clément Gainec , Thibaut Heckmannd and David Naccached undertake a massive literature review and mapping exercise here..
In this report, we presented an extensive survey of state-of-the-art physical fault injection and side-channel attacks on mobile system-on-chips. In total, over 50 research publications published between 2009 and 2021 were examined, which were individually mapped to their relevant attack goals, prerequisites, published success rates, and evaluated platforms. Our aim was to consolidate the large base of existing literature into a format that can be digested by working practitioners in the field. Beyond this, we presented a series of challenges and limitations arising from the current literature, identifying a series of recommendations and open research challenges pertaining to fault injection and side-channel attacks on mobile systems. In particular, we raised the issue of attack reproducibility: redacted platform details, an extremely small number of evaluation devices, increasingly complex SoCs, and poor analysis transparency may all lead to generalisation issues on current and future targets
Loris
Ali Ranjbar releases a new framework which shallows a previously deeper attack surface..
Loris is a stateful fuzz testing framework designed to explore and analyze baseband firmware. See the README file in each subdirectory (analyzer, emulator, and fuzzer) to get started. For details, please check out our paper, "Stateful Analysis and Fuzzing of Commercial Baseband Firmware" (IEEE S&P 2025).
https://github.com/SyNSec-den/Loris
HouseFuzz
Haoyu Xiao, Ziqi Wei, Jiarun Dai, Bowen Li, Yuan Zhang and Min Yang from the Fudan University, China release a framework for Linux based firmware.
HouseFuzz: Service-Aware Grey-Box Fuzzing for Vulnerability Detection in Linux-Based Firmware
https://github.com/HouseFuzz/HouseFuzz
BCDangr
Nicolaas Weideman and Sima Arasteh re-implement this technique in an open-source binary analysis platform for Python called angr.
Reimplementation of BCD using angr.
BCD is Decomposing Binary Code Into Components Using Graph-Based Clustering which was originally published in a paper in 2018.
https://github.com/usc-isi-bass/BCDangr
A Peek into an In-Game Ad Client
Jordan Whitehead provides an understanding of how those dynamic adverts work in video games..
Going through the network communications we found it downloading JavaScript that contained the core logic for managing the ad campaigns. With a little bit of beautifying and code reveiw, we figured out how to craft responses to serve our own ads.
…
There are interesting hidden systems like Anzu all over the place; it is a lot of fun digging into them. Even though I didn't find any major security issues in the client, it was still fun to be able to whip up some harnesses and peer behind the curtain a bit
https://www.atredis.com/blog/2025/5/19/in-game-ads
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Annual report
Intelligence led risk: Leveraging threat operations to deliver effective risk management
The platformization of cybersecurity: uncovering articulation work in bug bounty platforms
Five Steps to Prepare Critical Infrastructure for a Cyber War
Report of the Virtual Workshop on Usable Cybersecurity and Privacy for Immersive Technologies
Audit of NIST’s Management of the National Vulnerability Database
Artificial intelligence
Guidance and case studies for teams adopting AI technologies in the public sector
Insights into DeepSeek-V3: Scaling Challenges and Reflections on Hardware for AI Architectures
Social Sycophancy: A Broader Understanding of LLM Sycophancy
AI Agents vs. Agentic AI: A Conceptual Taxonomy, Applications and Challenges
Books
Nothing overly of note this week
Events
NDSS Symposium 2025 Program - slides and videos now out
AutonomousCyber 2025 : The 2nd International Workshop on Autonomous Cybersecurity - Sep 22, 2025 - Sep 26, 2025, France
Preparations for IN.SE.CON 2026 have begun! - Polish Director of the Cybersecurity Department of the Ministry of National Defense announce - “The Congress is not only about discussion panels, but also practical workshops and technology presentations.”
Video of the week - “Innovation Nation” Field Hearing at Stanford’s Hoover Institution on US Cybersecurity Posture
Unless stated otherwise, linked or referenced content does not necessarily represent the views of the NCSC and reference to third parties or content on their websites should not be taken as endorsement of any kind by the NCSC. The NCSC has no control over the content of third party websites and consequently accepts no responsibility for your use of them.
This newsletter is subject to the NCSC website terms and conditions which can be found at https://www.ncsc.gov.uk/section/about-this-website/terms-and-conditions and you can find out more about how will treat your personal information in our privacy notice at https://www.ncsc.gov.uk/section/about-this-website/privacy-statement.