CTO at NCSC Summary: week ending March 3rd
Products on your perimeter considered harmful (until proven otherwise)
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week the usual smoulder continues..
In the high-level this week:
UK and allies expose evolving tactics of Russian cyber actors - “Malicious cyber actors linked to Russia’s Foreign Intelligence Service (SVR) are adapting their techniques in response to the increasing shift to cloud-based infrastructure, UK and international security officials have revealed.”
Market incentives in the pursuit of resilient software and hardware - how you change the world for the positive by the National Cyber Security Centre.
Products on your perimeter considered harmful (until proven otherwise) - Dave C, Technical Director for Platforms Research here at the National Cyber Security Centre, drops a truth bomb here..
Attackers have realised that the majority of perimeter-exposed products aren't ‘secure by design’, and so vulnerabilities can be found far more easily than in popular client software. Furthermore, these products typically don’t have decent logging (or can be easily forensically investigated), making perfect footholds in a network where every client device is likely to be running high-end detective capabilities.
UK Strategic Command shares cyber expertise with Japan - “A delegation from the Japanese Cyber Defense Command met with cyber experts at various Strategic Command locations.”
Recommendation on the security and resilience of submarine cable infrastructures - European Union report - “In this context, submarine cable infrastructure is a significant element in the broader Internet ecosystem in achieving European digital sovereignty, given that the overwhelming majority of international data traffic is carried through submarine cables”
Governing Through a Cyber Crisis - Cyber Incident Response and Recovery for Australian Directors - “The accompanying Snapshot includes a checklist of practical steps for SME and NFP directors in responding to a critical cyber incident. The AICD, CSCRC and Ashurst are committed to updating the guidance as the cyber security threat and regulatory landscape evolves.”
Monetary Authority of Singapore - Advisory on addressing the cybersecurity risks associated with quantum - this point of advice is worth listening to - “Maintaining an inventory of cryptographic assets, and identifying critical assets to be prioritised for migration to quantum-resistant encryption and key distribution”
Industry groups push back on cyber incident rules requiring “full access” - reporting from the US - “The groups are also objecting to the tight cyber incident reporting deadline in proposed cyber rules. They also oppose requirements to use Software Bills of Material (SBOMs).”
Deter, disrupt and demonstrate – UK sanctions in a contested world: UK sanctions strategy - “This includes disrupting Russia’s war machine, confronting cyber gangs that target the UK and addressing human rights abuses and violations in Iran.”
How persuasive is AI-generated propaganda? - “We found that GPT-3 can create highly persuasive text as measured by participants’ agreement with propaganda theses. We further investigated whether a person fluent in English could improve propaganda persuasiveness.”
Law commission - Digital assets as personal property - “On 22 February 2024, we launched a short consultation exercise on draft legislation that would confirm the existence of a “third” category of personal property, in accordance with one of our recommendations in our final report. We seek responses by Friday 22 March 2024.”
Selected Projects for the Cyber Research, Development, and Demonstration Funding Opportunity - “$45 million dollars by DOE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) for 16 projects covering six topics aimed at reducing cyber risks and improving the resilience of the electricity, oil, and natural gas sectors.”
Delegated Regulations supplementing the Regulation on digital operational resilience for the financial sector
Allies and diffusion of state military cybercapacity - “Partner-countries may also start investing in cybersecurity to reduce the likelihood of being abandoned in other, conventional, domains. My new cross-sectional time-series dataset on indicators of a state’s cybercapacity-development initiation for 2000–18 provides robust empirical support for this argument and offers important implications for scholarship on arms, allies, and diffusion.”
Behind the Screen: The Harrowing Reality of Trafficked Cybercriminals in Southeast Asia - “A harrowing example of this dark side is unfolding in Southeast Asia, specifically in countries like Burma, Thailand, Malaysia, and Laos, where an alarming trend of human trafficking and forced cybercrime is taking root.”
Cyber-Conflict: Moving from Speculation to Investigation - The 11 articles that make up this issue collectively highlight two key features that are needed to rejuvenate research into cyber conflict:
First, research at the intersection of cybersecurity and political science must incorporate the human dimension of cyber conflict.
Second, cyber research must widely adopt rigorous, creative, and empirical methods.
NIST Guidance - Data Confidentiality: Identifying and Protecting Assets Against Data Breaches - “This guide provides recommendations on how to prevent data breaches, including cybersecurity and privacy considerations to prepare for data breaches and specific technical direction for implementation.”
FTC Order Will Ban Avast from Selling Browsing Data for Advertising Purposes, Require It to Pay $16.5 Million Over Charges the Firm Sold Browsing Data After Claiming Its Products Would Block Online Tracking - not a great look for a cyber company..
Cybersecurity in the Marine Transportation System in the US - A Proposed Rule by the Coast Guard
Defending Democracy
Russian-Aligned Network Doppelgänger Targets German Elections - Infosecurity Magazine reports on commercial reporting - “Doppelgänger’s tactics involve leveraging a substantial network of accounts on social media platforms, particularly X (formerly Twitter), and engaging in coordinated activities to amplify their messages and increase visibility.”
Reporting on/from China
US Dept of Transport - 2024-002-Worldwide-Foreign Adversarial Technological, Physical, and Cyber Influence - the US Department of Transport sets out the risks associated with the PRC National Public Information Platform for Transportation and Logistics (LOGINK), Nuctech scanners, and automated ship-to-shore cranes worldwide.
China to increase protections against hacking for key industries - Reuters reports - “‘In response to frequent risk scenarios such as ransomware attacks, vulnerability backdoors, illegal operations by personnel, and uncontrolled remote operation and maintenance, we will strengthen risk self-examination and self-correction, and adopt precise management and protective measures,’ according to the plan, published on MIIT's website.”
U.S. export curbs on China won't extend to legacy chips: official - Nikkei Asia reports “Legacy chips, generally referring to 28-nanometer and older-generation semiconductors, are commodity-grade products widely used in automobiles and other applications.”
Nvidia identifies Huawei as top competitor for the first time in filing - Reuters reports “Analysts have estimated China's AI chip market to be worth $7 billion.”
OpenAI’s Sora pours ‘cold water’ on China’s AI dreams, as text-to-video advancements prompt more soul-searching - South China Morning Post reports - “Zhou Hongyi, the founder of Chinese internet security firm 360 Security Technology, which has joined China’s race to launch its own ChatGPT-style large language model, said the introduction of Sora was like a ‘barrel of cold water poured down China’s head’.”
Dutch government says China seeks military advantage from ASML tools - South China Morning Post reports on Reuters - “‘China focuses on foreign expertise, including Dutch expertise in the field of lithography, to promote self-sufficiency in its military-technical development,’ Trade Minister Geoffrey van Leeuwen wrote in a February 5 note, seen by Reuters.”
China’s playbook no longer involves a big stimulus bazooka - Financial Times reports - “The big exception to this vision of a more parsimonious future, however, is technology. Xi has been enchanted by technology ever since as a village party boss barely out of his teens he built a dam, a methane tank, a sewing workshop and a mill, according to official accounts.”
Artificial intelligence
An Empirical Evaluation of LLMs for Solving Offensive Security Challenges - “GPT 4 outperformed 88.5% of human CTF players in our real world former CTF competition.”
AI in Support of StratCom Capabilities - “The report aims to guide information environment assessment (IEA) practitioners. This includes understanding the information environment and audiences, particularly in online campaigns, and covers necessary technical elements and legal factors.”
Cyber Insurance – Models And Methods And The Use Of AI - from ENISA
Rethinking Privacy in the AI Era: Policy Provocations for a Data-Centric World - “In this paper, we present a series of arguments and predictions about how existing and future privacy and data protection regulation will impact the development and deployment of AI systems.”
Arm Updates CSS Designs for Hyperscalers’ Custom Chips - “[Hyperscalers] are redesigning systems from the ground up, starting with custom specs,” he said. “This works because they know their workloads better than anyone else, which means they can fine-tune every aspect of the system, including the networking acceleration, and even general-purpose compute, specifically, to optimize for efficiency, performance and ultimately TCO.”
On the Societal Impact of Open Foundation Models - “The framework helps explain why the marginal risk is low in some cases, clarifies disagreements in past studies by revealing the different assumptions about risk, and can help foster more constructive debate going forward.”
Cyber proliferation
Bounty Hunting
Tampa Man Indicted For Unauthorized Computer Intrusion And Related Violations Of The Wiretap Act - “that allowed its broadcaster-customers to record and transmit high-resolution encoded content and communications over the Internet; (2) obtained and stole StreamCo proprietary information from that website; and then (3) used that stolen StreamCo proprietary information to intercept, download, and save the StreamCo broadcaster-customers’ streams.”
Vologda hacker will appear in court for cutting off power to 38 settlements - The FSB established that in February 2023, a resident gained unlawful access to control systems for power grids and cut off supply
Geopolitics Accelerates Need For Stronger Cyber Crisis Management [ENISA] - “ENISA publishes a study on ‘Best Practices for Cyber Crisis Management’ that assists in preparation for crisis management. The study was conducted for the EU Cyber Crisis Liaison Organisation Network (CyCLONe) and is now available publicly.”
Building a Cyber Insurance Backstop Is Harder Than It Sounds - Lawfare report - “At the heart of the lawsuit was a crucial question: Who should pay for massive, state-sponsored cyberattacks that cause billions of dollars’ worth of damage?”
Position paper on the application of international law in cyberspace - by the Czech Republic government.
The reflection this week, as you will see, is that it is busy..
All attribution is by others and not the UK Government unless specifically stated as such, please see the legal text at the end.
Have a lovely Friday
Ollie
Cyber threat intelligence
Who is doing what to whom and how.
Reporting on Russia
SVR cyber actors adapt tactics for initial cloud access
The UK’s National Cyber Security Centre and partners do attribute Russia here; note the shift in their tradecraft and ensure your organisation is protected against them.
Previous SVR campaigns reveal the actors have successfully used brute forcing and password spraying to access service accounts. This type of account is typically used to run and manage applications and services. There is no human user behind them so they cannot be easily protected with multi-factor authentication (MFA), making these accounts more susceptible to a successful compromise. Service accounts are often also highly privileged depending on which applications and services they’re responsible for managing. Gaining access to these accounts provides threat actors with privileged initial access to a network, to launch further operations.
SVR campaigns have also targeted dormant accounts belonging to users who no longer work at a victim organisation but whose accounts remain on the system.
https://www.ncsc.gov.uk/news/svr-cyber-actors-adapt-tactics-for-initial-cloud-access
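The two account types the advisory calls out, service accounts that cannot carry MFA and dormant accounts left behind by leavers, are both things a defender can hunt for in their own telemetry. The following is an added example, not part of the NCSC advisory: it runs a password-spraying detector over constructed sign-in events (one source hitting many distinct accounts with one failure each inside a short window) and two hygiene checks over a constructed directory export. The event tuple layout, the account attribute names (`kind`, `password_only`, `privileged`) and all IP addresses and account names are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events: (timestamp, source IP, account, outcome).
# 203.0.113.7 tries six different accounts in under two minutes, which is the
# spraying shape; 198.51.100.4 is one user mistyping their own password.
SAMPLE_SIGNINS = [
    ("2024-02-26T09:00:01", "203.0.113.7", "svc-backup", "failure"),
    ("2024-02-26T09:00:12", "203.0.113.7", "svc-sql", "failure"),
    ("2024-02-26T09:00:30", "203.0.113.7", "alice", "failure"),
    ("2024-02-26T09:00:45", "203.0.113.7", "bob", "failure"),
    ("2024-02-26T09:01:02", "203.0.113.7", "carol", "failure"),
    ("2024-02-26T09:01:20", "203.0.113.7", "dave", "failure"),
    ("2024-02-26T09:05:00", "198.51.100.4", "alice", "failure"),
    ("2024-02-26T09:05:30", "198.51.100.4", "alice", "failure"),
    ("2024-02-26T09:06:00", "198.51.100.4", "alice", "success"),
    ("2024-02-26T10:00:00", "192.0.2.9", "erin", "success"),
]

# Constructed directory export with a hypothetical attribute schema.
SAMPLE_ACCOUNTS = {
    "alice":      {"kind": "user",    "enabled": True,  "last_sign_in": "2024-02-28", "privileged": False, "password_only": False},
    "bob":        {"kind": "user",    "enabled": True,  "last_sign_in": "2023-10-01", "privileged": False, "password_only": False},
    "carol":      {"kind": "user",    "enabled": False, "last_sign_in": "2023-06-01", "privileged": False, "password_only": False},
    "frank":      {"kind": "user",    "enabled": True,  "last_sign_in": None,         "privileged": False, "password_only": False},
    "svc-backup": {"kind": "service", "enabled": True,  "last_sign_in": "2024-02-29", "privileged": True,  "password_only": True},
    "svc-sql":    {"kind": "service", "enabled": True,  "last_sign_in": "2024-02-27", "privileged": False, "password_only": True},
}


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return {source_ip: sorted accounts} for sources whose failures span at
    least `min_users` distinct accounts inside any sliding `window`."""
    failures = defaultdict(list)
    for ts, ip, user, outcome in events:
        if outcome == "failure":
            failures[ip].append((datetime.fromisoformat(ts), user))
    flagged = {}
    for ip, fails in failures.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it fits within `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_users:
                flagged.setdefault(ip, set()).update(users)
    return {ip: sorted(users) for ip, users in flagged.items()}


def find_dormant_accounts(accounts, now_iso, max_idle_days=90):
    """Enabled accounts with no sign-in at all, or none within max_idle_days."""
    now = datetime.fromisoformat(now_iso)
    idle_limit = timedelta(days=max_idle_days)
    dormant = []
    for name, acct in accounts.items():
        if not acct["enabled"]:
            continue  # already disabled: nothing left for an attacker to reuse
        last = acct["last_sign_in"]
        if last is None or now - datetime.fromisoformat(last) > idle_limit:
            dormant.append(name)
    return sorted(dormant)


def find_password_only_service_accounts(accounts):
    """Enabled service accounts protected by a password alone, privileged first,
    so that migration to certificate/managed-identity auth can be prioritised."""
    hits = [(name, acct["privileged"]) for name, acct in accounts.items()
            if acct["kind"] == "service" and acct["enabled"] and acct["password_only"]]
    return sorted(hits, key=lambda h: (not h[1], h[0]))


if __name__ == "__main__":
    print("spray sources:", detect_password_spray(SAMPLE_SIGNINS))
    print("dormant:", find_dormant_accounts(SAMPLE_ACCOUNTS, "2024-03-01"))
    print("password-only service accounts:", find_password_only_service_accounts(SAMPLE_ACCOUNTS))
```

The thresholds (ten-minute window, five distinct accounts, ninety idle days) are starting points rather than tuned values; the spraying rule in particular should be read alongside per-account failure counts, since a slow spray that spreads attempts across days will sit under any short window.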
Russian Cyber Actors Use Compromised Routers to Facilitate Cyber Operations
FBI and partners detail Russian intelligence targeting routers to build their covert infrastructure.
As early as 2022, APT28 actors had utilized compromised [Ubiquiti] EdgeRouters to facilitate covert cyber operations against governments, militaries, and organizations around the world. These operations have targeted various industries, including Aerospace & Defense, Education, Energy & Utilities, Governments, Hospitality, Manufacturing, Oil & Gas, Retail, Technology, and Transportation. Targeted countries include Czech Republic, Italy, Lithuania, Jordan, Montenegro, Poland, Slovakia, Turkey, Ukraine, United Arab Emirates, and the US. Additionally, the actors have strategically targeted many individuals in Ukraine
https://www.ic3.gov/Media/News/2024/240227.pdf
UAC-0149: Targeted selective attacks against the Defense Forces of Ukraine using COOKBOX
Ukraine government CERT detail an alleged Russian operation which was using Signal to distribute Excel macros. One assumes this is because Signal on desktop is in use, and thus it becomes a valid attack chain..
Thus, on February 22, 2024, an unidentified person using the Signal messenger distributed the XLS document "1_ф_5.39-2024.xlsm" among several military personnel with a message about, allegedly, problems with reporting. In addition to the legitimate macro, the document in question contained additional VBA code that ran a PowerShell command designed to download, decode, and execute the "mob2002.data" PowerShell script.
https://cert.gov.ua/article/6277849
The cyberfront situation as of the beginning of 2024
Ukraine government reporting which alleges Russian law enforcement is the most active threat (note: not the most impactful).
The UAC-0028 (APT28) and UAC-0003 (Turla) groups had been attempting to spy on Ukraine's security and defense forces by using the modified KAZUAR malware.
The UAC-0050 group, connected to russian law enforcement authorities, has become the most active threat. Its activity has increased since Russia’s full-scale invasion in 2022.
https://cip.gov.ua/en/news/situaciya-na-kiberfronti-stanom-na-pochatok-2024-roku-sho-potribno-znati
Doppelgänger NG | Russian Cyberwarfare campaign
ClearSkySec and Aleksandar Milenkoski detail an alleged Russian campaign which will be notable due to the scale and the wider targeting.
New infrastructure used by “Doppelgänger NG”.
We discovered a potential link between APT28 to “Doppelgänger NG” campaign.
The “Doppelgänger NG” campaign has expanded its victims list, including new targets in the US, Germany, Israel, and France.
The “Doppelgänger NG” network contains more than 150 domains, including news feeds relevant to five countries (United States, Israel, France, Germany, Ukraine).
Doppelgänger disseminates content criticizing the ruling government coalition and its support for Ukraine, likely aiming to influence public opinion before the upcoming elections in Germany.
Doppelgänger leverages a substantial network of X accounts, actively participating in coordinated activities to enhance visibility and engage audiences.
https://www.clearskysec.com/dg/
Mysterious Werewolf attacks the military-industrial complex using a new RingSpy backdoor
Alleged targeting inside of Russia here with a mixture of old days, open source implant frameworks and phishing..
Mysterious Werewolf continues to use phishing emails and the CVE-2023-38831 vulnerability in WinRAR to execute malicious code on target systems.
Attackers are experimenting with a malicious payload: the Athena agent of the Mythic framework was replaced with the original RingSpy backdoor written in Python.
The cluster continues to use legitimate services to interact with compromised systems: a bot in the Telegram messenger acts as a command server.
Reporting on China
"Pantsless Data": Decoding Chinese Cybercrime TTPs
Kyla Cardona and Ashley Allocca provide a glimpse into the potentially Chinese cyber crime ecosystem along with its tactics, techniques and procedures.
Data disseminated by Chinese Telegram actors is often referred to by its value, relative to the method used to exfiltrate it. “High value” data is perceived by these actors to be both accurate and timely – so timely in fact, that data is sometimes referred to as being breached in near “real time.”
Accuracy: Login Access > SMS > DPI > SDK > Penetration Tools (Crawler/Reptile)
Timeliness: Login Access > DPI > SMS > SDK > Penetration Tools (Crawler/Reptile)
When these actors receive data requests from potential or existing customers, they will attempt to acquire the data through the most timely and accurate collection and exfiltration methods first. If the requested data cannot be collected through login access, the actor may choose to attempt to acquire the data through SMS or DPI methods, and so on.
https://spycloud.com/blog/growing-chinese-threat-actor-ecosystem/
i-Soon Leaks
Lots of reporting on this..
Earth Lusca Uses Geopolitical Lure to Target Taiwan Before Elections
Cedric Pernet and Jaromir Horejsi use the alleged leak of a Chinese offensive capability provider to attempt attribution.
Note that a recent leak of private documents provides a new attribution path to a Chinese company called I-Soon. We discuss these connections in a separate section in this entry. There is significant overlap between the victims, malware used, and probable location of Earth Lusca and I-Soon. This suggests, at the very least, a significant connection between these groups.
Leaked files from Chinese firm show vast international hacking effort
Data From Chinese Security Services Company i-Soon Linked to Previous Chinese APT Campaigns
https://unit42.paloaltonetworks.com/i-soon-data-leaks/
Lessons from the iSOON Leaks
https://blog.bushidotoken.net/2024/02/lessons-from-isoon-leaks.html
Same Same, but Different
https://margin.re/2024/02/same-same-but-different/
GTPDOOR - A novel backdoor tailored for covert access over the roaming exchange
An Aussie researcher documents an alleged Chinese implant designed for use within GPRS telecommunications networks. Note this campaign was originally reported / attributed in October 2021 with the implants just becoming more widely available.
GTPDOOR is the name of Linux based malware that is intended to be deployed on systems in telco networks adjacent to the GRX (GPRS eXchange Network) with the novel feature of communicating C2 traffic over GTP-C (GPRS Tunnelling Protocol - Control Plane) signalling messages. This allows the C2 traffic to blend in with normal traffic and to reuse already permitted ports that may be open and exposed to the GRX network.
https://doubleagent.net/telecommunications/backdoor/gtp/2024/02/27/GTPDOOR-COVERT-TELCO-BACKDOOR
Reporting on North Korea
Lazarus and the FudModule Rootkit: Beyond BYOVD with an Admin-to-Kernel Zero-Day
Jan Vojtěšek details an alleged use of a Windows zero-day for privilege escalation by North Korea. This potentially shows they have the capability to acquire such exploits for their operations, which will be of note.
[We] discovered an in-the-wild admin-to-kernel exploit for a previously unknown zero-day vulnerability in the appid.sys AppLocker driver.
Microsoft addressed this vulnerability as CVE-2024-21338 in the February Patch Tuesday update.
The exploitation activity was orchestrated by the notorious Lazarus Group, with the end goal of establishing a kernel read/write primitive.
New Malicious PyPI Packages used by Lazarus
朝長 秀誠 (Shusei Tomonaga) from the Japanese CERT asserts this campaign, which appears cryptocurrency related, is coming out of North Korea. The tradecraft is well worn.
JPCERT/CC has confirmed that Lazarus has released malicious Python packages to PyPI, the official Python package repository (Figure 1). The Python packages confirmed this time are as follows:
https://blogs.jpcert.or.jp/en/2024/02/lazarus_pypi.html
Reporting on Iran
When Cats Fly: Suspected Iranian Threat Actor UNC1549 Targets Israeli and Middle East Aerospace and Defense Sectors
Ofir Rozmann, Chen Evgi and Jonathan Leathery detail an alleged Iranian operation which shows they continue to use phishing. Whilst the tradecraft is common, including the use of fake jobs, the targeting will be interesting.
Spear-phishing emails or social media correspondence, disseminating links to fake websites containing Israel-Hamas related content or fake job offers. The websites would eventually lead to downloading a malicious payload.
The fake job offers were for tech and defense-related positions, specifically in the aviation, aerospace, or thermal imaging sectors.
https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east
Reporting on Other Actors
European diplomats targeted by SPIKEDWINE with WINELOADER
Unknown threat actor using a more novel lure to get the juices flowing..
[We] discovered a suspicious PDF file uploaded to VirusTotal from Latvia on January 30th, 2024. This PDF file is masqueraded as an invitation letter from the Ambassador of India, inviting diplomats to a wine-tasting event in February 2024. The PDF also included a link to a fake questionnaire that redirects users to a malicious ZIP archive hosted on a compromised site, initiating the infection chain.
Low-volume targeted attack: The samples intentionally targeted officials from countries with Indian diplomatic missions, although VirusTotal submissions indicate a specific focus on European diplomats.
New modular backdoor: WINELOADER has a modular design, with encrypted modules downloaded from the command and control (C2) server.
Evasive tactics: The backdoor employs techniques, including re-encryption and zeroing out memory buffers, to guard sensitive data in memory and evade memory forensics solutions.
Compromised infrastructure: The threat actor utilized compromised websites at multiple stages of the attack chain.
https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader
SEO Poisoning to Domain Control: The Gootloader Saga Continues
The DFIR Report team do what they do best and show the means and pace of this adversary. Search engines as a vector do likely need some focus..
In February 2023, we detected an intrusion that was initiated by a user downloading and executing a file from a SEO-poisoned search result, leading to a Gootloader infection.
Around nine hours after the initial infection, the Gootloader malware facilitated the deployment of a Cobalt Strike beacon payload directly into the host’s registry, and then executed it in memory.
The threat actor deployed SystemBC to tunnel RDP access into the network, which aided in compromising domain controllers, backup servers, and other key servers.
The threat actor conducted an interactive review of sensitive and confidential files using RDP; however, we have been unable to confirm whether any data was actually exfiltrated.
https://thedfirreport.com/2024/02/26/seo-poisoning-to-domain-control-the-gootloader-saga-continues/
Calendar Meeting Links Used to Spread Mac Malware
Brian Krebs reports on some basic but novel social engineering tradecraft here against macOS.
Malicious hackers are targeting people in the cryptocurrency space in attacks that start with a link added to the target’s calendar at Calendly, a popular application for scheduling appointments and meetings. The attackers impersonate established cryptocurrency investors and ask to schedule a video conference call. But clicking the meeting link provided by the scammers prompts the user to run a script that quietly installs malware on macOS systems.
https://krebsonsecurity.com/2024/02/calendar-meeting-links-used-to-spread-mac-malware/
Discovery
How we find and understand the latent compromises within our environments.
Adaptive Experimental Design for Intrusion Data Collection
Kate Highnam, Zach Hanif, Ellie Van Vogt, Sonali Parbhoo, Sergio Maffeis and Nicholas R. Jennings released this paper in October 2023 which I missed at the time. A good example of cyber security as a science..
Our adaptive design (AD) is inspired by the clinical trial community: a variant of a randomized control trial (RCT) to measure how a particular “treatment” affects a population. To contrast our method with observational studies and RCT, we run the first controlled and adaptive honeypot deployment study, identifying the causal relationship between an ssh vulnerability and the rate of server exploitation. We demonstrate that our AD method decreases the total time needed to run the deployment by at least 33%, while still confidently stating the impact of our change in the environment. Compared to an analogous honeypot study with a control group, our AD requests 17% fewer honeypots while collecting 19% more attack recordings.
https://arxiv.org/abs/2310.13224
A brief discussion on side channel traffic detection technology
Chinese reporting on these techniques which have been commercialised by others..
In 2018, Positive Security Company developed a side-channel state machine rule for Suricata's traffic detection at SuriCon, which can use side-channel rules to detect the encrypted traffic of Trojan viruses.
Positive cleverly uses the state machine to implement side channel traffic detection capabilities for Suricata. It can detect the packet size rules in the upstream and downstream of a complete TCP Flow. Of course, this can only provide abnormal alarms for Trojan virus communications with obvious side channel characteristics.
A brief discussion on side channel traffic detection technology [Supplement]
Further Chinese reporting on traffic analysis here..
Furthermore, Corelight models and tracks the state machines of its three sub-protocols throughout the entire life cycle of the SSH connection. Once the SSH connection sub-protocol starts, it infers the client's usage pattern and specific operations from the packet sequence structure. For example:
File transfers can reach the maximum packet limit (MTU) very quickly and often last the entire connection.
Keystrokes exhibit an echo pattern, where the client transmits keystrokes to the server, and the server echoes the keystrokes back to the client.
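Both of the pieces above describe the same idea from two angles: Suricata-style rules that walk a flow's packet sizes through a state machine, and Corelight-style inference of what an encrypted SSH session is being used for from size and direction alone. The code below is an added example written for this newsletter, not code from Positive, Suricata or Corelight. It represents a flow as a list of (direction, TCP payload length) pairs, implements an ordered size-signature matcher in the state-machine style, and classifies constructed SSH flows as bulk transfer (MTU-sized packets dominate) or interactive (small client packet immediately echoed by a small server packet). The flows, the 36-byte keystroke size, the 1448-byte MTU payload and the beacon signature are all constructed assumptions; real thresholds come from your own baseline traffic.

```python
# Constructed SSH flows: (direction, TCP payload length in bytes).
# "c" = client to server, "s" = server to client. Sizes are illustrative.
INTERACTIVE_FLOW = [("c", 36), ("s", 36)] * 8 + [("s", 900)]   # typing, then a command's output
BULK_FLOW = [("c", 84)] + [("s", 1448)] * 40 + [("s", 612)]    # a download filling the MTU
BEACON_FLOW = [("c", 232), ("s", 348), ("c", 1200), ("s", 60)]  # a fixed-size exchange

# Hypothetical size signature in the state-machine style: (direction, min, max)
# steps that must appear in this order within a single flow.
BEACON_SIGNATURE = [("c", 200, 260), ("s", 300, 400), ("c", 1100, 1300)]


def match_size_signature(packets, signature):
    """Advance one state per matching packet; non-matching packets are skipped.
    Returns True once every step of the signature has been seen in order."""
    state = 0
    for direction, length in packets:
        want_dir, lo, hi = signature[state]
        if direction == want_dir and lo <= length <= hi:
            state += 1
            if state == len(signature):
                return True
    return False


def keystroke_echo_pairs(packets, small=64):
    """Count client->server small packets immediately followed by a small
    server->client packet: the echo pattern of an interactive shell."""
    pairs = 0
    for (d1, n1), (d2, n2) in zip(packets, packets[1:]):
        if d1 == "c" and d2 == "s" and n1 <= small and n2 <= small:
            pairs += 1
    return pairs


def mtu_sized_fraction(packets, mtu_payload=1448, tolerance=0.95):
    """Fraction of packets at (or near) the maximum segment size."""
    if not packets:
        return 0.0
    big = sum(1 for _, n in packets if n >= mtu_payload * tolerance)
    return big / len(packets)


def classify_ssh_flow(packets, mtu_payload=1448):
    """Label a post-handshake SSH flow from size and direction only."""
    if mtu_sized_fraction(packets, mtu_payload) >= 0.5:
        return "file-transfer"
    if keystroke_echo_pairs(packets) >= 5:
        return "interactive-keystrokes"
    return "unknown"


if __name__ == "__main__":
    for name, flow in [("interactive", INTERACTIVE_FLOW), ("bulk", BULK_FLOW), ("beacon", BEACON_FLOW)]:
        print(name, classify_ssh_flow(flow), match_size_signature(flow, BEACON_SIGNATURE))
```

The matcher deliberately tolerates unrelated packets between signature steps, which is what makes size signatures usable on real flows with keepalives and retransmissions interleaved; the cost, as the article notes, is that only implants with a distinctive size profile are caught, and padding or jitter on the implant side defeats the rule.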
Luring the Threat: Lessons from ICS Honeypots in Ukraine and Germany
Christian Feuchter ran an interesting experiment here which will be of interest to those who are concerned with OT security and/or the value of honeypots. We discussed in the office that it would also be good to have a control group to compare and contrast.
A notable detail is the disproportion between malicious requests targeting Ukraine and Germany, with certain countries like Canada, France, and Turkey showing a heavy bias toward German systems. In contrast, the Russian Federation, Finland, Poland, and Sweden have sent more malicious requests to Ukraine.
Defence
How we proactively defend our environments.
CISA, OMB, ONCD and Microsoft collaborate on new logging playbook for Federal agencies
Interesting this is only for US federal E3 customers..
Microsoft identity platform app types and authentication flows
An example of how the modern cloud is rather complex when it comes to what is required to pull off an effective cyber defence.
https://learn.microsoft.com/en-us/entra/identity-platform/authentication-flows-app-scenarios
Incident Writeups & Disclosures
How they got in and what they did.
Nothing this week but various breaches have been disclosed to the SEC - https://www.board-cybersecurity.com/incidents/tracker/
Vulnerability
Our attack surface.
Products on your perimeter considered harmful (until proven otherwise)
Dave C, Technical Director for Platforms Research here at the National Cyber Security Centre, drops a truth bomb here..
Attackers have realised that the majority of perimeter-exposed products aren't ‘secure by design’, and so vulnerabilities can be found far more easily than in popular client software. Furthermore, these products typically don’t have decent logging (or can be easily forensically investigated), making perfect footholds in a network where every client device is likely to be running high-end detective capabilities.
https://www.ncsc.gov.uk/blog-post/products-on-your-perimeter
Offense
Attack capability, techniques and trade-craft.
Living Off the Pipeline
If you thought Living Off the Land was challenging..
The idea of the LOTP project is to inventory how development tools (typically CLIs), commonly used in CI/CD pipelines, have lesser-known RCE-By-Design features ("foot guns"), or more generally, can be used to achieve arbitrary code execution by running on untrusted code changes or following a workflow injection.
https://boostsecurityio.github.io/lotp/
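The two conditions LOTP names, a pipeline tool running on untrusted code changes and a workflow whose shell steps splice in attacker-controlled text, are both visible in the workflow definition before anything runs. Below is an added example, not part of the LOTP project: a small audit over GitHub Actions workflows represented as Python dicts (the shape a YAML loader would produce), flagging a `pull_request_target` job that checks out the pull request head and then runs a build tool, and any `run:` script that interpolates a context GitHub documents as attacker-controllable. The two workflows are constructed; the "safe" one shows the documented fixes of using the `pull_request` trigger and passing untrusted text through an environment variable.

```python
import re

# Expression contexts whose values are attacker-controllable text; splicing them
# straight into a `run:` script is the workflow-injection foot gun.
RISKY_CONTEXT = re.compile(
    r"\$\{\{\s*(github\.head_ref|github\.event\.(?:issue|pull_request|comment|review)\."
    r"(?:title|body|head\.ref))\s*\}\}"
)
# A checkout of the PR head inside a pull_request_target job runs the contributor's
# code with the base repository's secrets and token.
PR_HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(?:sha|ref)")

# Constructed workflows (dict form of the YAML; loader quirks such as PyYAML
# reading the bare key `on` as boolean True are out of scope here).
RISKY_WORKFLOW = {
    "name": "ci",
    "on": {"pull_request_target": {"types": ["opened", "synchronize"]}},
    "permissions": {"contents": "write"},
    "jobs": {"build": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4", "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
        {"run": "npm ci && npm test"},
        {"run": 'echo "Testing PR: ${{ github.event.pull_request.title }}"'},
    ]}},
}

SAFE_WORKFLOW = {
    "name": "ci",
    "on": ["pull_request"],
    "permissions": {"contents": "read"},
    "jobs": {"build": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4"},
        {"run": "npm ci && npm test"},
        {"env": {"PR_TITLE": "${{ github.event.pull_request.title }}"},
         "run": 'echo "Testing PR: $PR_TITLE"'},
    ]}},
}


def triggers(workflow):
    """Normalise the `on:` key, which may be a string, a list or a mapping."""
    on = workflow.get("on", {})
    if isinstance(on, str):
        return {on}
    if isinstance(on, list):
        return set(on)
    return set(on.keys())


def audit_workflow(workflow):
    """Return (job, finding) pairs for the two LOTP-style conditions."""
    findings = []
    privileged_pr = "pull_request_target" in triggers(workflow)
    for job_name, job in workflow.get("jobs", {}).items():
        untrusted_checkout = False
        for step in job.get("steps", []):
            uses = step.get("uses", "")
            ref = str(step.get("with", {}).get("ref", ""))
            if uses.startswith("actions/checkout") and PR_HEAD_REF.search(ref):
                untrusted_checkout = True
                continue
            script = step.get("run")
            if not script:
                continue
            if privileged_pr and untrusted_checkout:
                # Any tool run after that checkout executes the contributor's files.
                findings.append((job_name, "untrusted-code-with-secrets"))
                untrusted_checkout = False  # report once per job
            if RISKY_CONTEXT.search(script):
                findings.append((job_name, "expression-injection"))
    return findings


if __name__ == "__main__":
    print("risky:", audit_workflow(RISKY_WORKFLOW))
    print("safe:", audit_workflow(SAFE_WORKFLOW))
```

The checkout rule keys on `actions/checkout` only; composite actions or a manual `git fetch` of the head ref achieve the same thing and would need their own pattern. Likewise the injection regex lists the commonly documented contexts rather than every field of the event payload, so treat it as a first filter rather than a proof of absence.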
A Technical Deep Dive: Comparing Anti-Cheat Bypass and EDR Bypass
Mark Lester Dampios shows how anti-cheat and EDR bypasses are effectively one and the same on Windows.
Shelter: ROP-based sleep obfuscation to evade memory scanners
Kurosh Dabbagh Escalante releases a capability which will be a challenge for some EDRs to detect.
Shelter is a completely weaponized sleep obfuscation technique that allows you to fully encrypt your in-memory payload making an extensive use of ROP.
This crate comes with the following characteristics:
AES-128 encryption.
Whole PE encryption capability.
Removal of execution permission during sleep time.
No APC/HWBP/Timers used, exclusive use of ROP to achieve the obfuscation.
Use of Unwinder to achieve call stack spoofing before executing the ROP chain.
Different methods of execution to adapt to various circumstances.
Other OPSEC considerations: DInvoke_rs, indirect syscalls, string literals encryption, etc.
https://github.com/Kudaes/Shelter
Exploitation
What is being exploited.
ConnectWise ScreenConnect
Various bits of reporting around the pile in on this vulnerability..
Attacks deliver malware
https://news.sophos.com/en-us/2024/02/23/connectwise-screenconnect-attacks-deliver-malware/
Threat Actor Groups, Including Black Basta, are Exploiting Recent ScreenConnect Vulnerabilities
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
SEMA-ToolChain: ToolChain using Symbolic Execution for Malware Analysis
Powerful capability here..
ToolChain using Symbolic Execution for Malware Analysis.
https://github.com/csvl/SEMA-ToolChain
Triton
Jonathan Salwan updates Triton which will have applicability to a wider variety of use cases.
Triton is a dynamic binary analysis library. It provides internal components that allow you to build your program analysis tools, automate reverse engineering, perform software verification or just emulate code.
Triton v0.9 brings several features:
Better dealing with path constraints
Lifting To SMT file
Lifting to Python file
Lifting to LLVM file
Lifting to LLVM IR and back
Python from 3.6 to 3.9 compatibility
Add new AST optimizations
Add new instructions
Add FPU specification
Add support for Thumb IT instructions
Add the Bitwuzla solver interface
Add a synthesis expression engine
Fix semantics
Fix optimizations
https://github.com/JonathanSalwan/Triton/releases/tag/v0.9
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Aggregate reporting
NIST Releases Version 2.0 of Landmark Cybersecurity Framework
A Look at the UK's National Cyber Security Centre's Vulnerability Management Guidance
Go-EPSS: Golang library for interacting with EPSS (Exploit Prediction Scoring System)
Artificial intelligence
Books
Nothing this week
Events
Nothing this week
Unless stated otherwise, linked or referenced content does not necessarily represent the views of the NCSC and reference to third parties or content on their websites should not be taken as endorsement of any kind by the NCSC. The NCSC has no control over the content of third party websites and consequently accepts no responsibility for your use of them.
This newsletter is subject to the NCSC website terms and conditions which can be found at https://www.ncsc.gov.uk/section/about-this-website/terms-and-conditions and you can find out more about how we will treat your personal information in our privacy notice at https://www.ncsc.gov.uk/section/about-this-website/privacy-statement.