CTO at NCSC Summary: week ending March 17th
“we awarded $10 million to our 600+ researchers based in 68 countries” - this is hyperscaler bug bounty
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week the usual smoulder continues..
In the high-level this week:
Eight teams finding cybersecurity solutions with Innovate UK CyberASAP Year 7 - various UK academic innovations which are being spun out.
Corporate Greed Made the Change Healthcare Cyberattack Worse says the New York magazine - this is what impact potentially looks like - “One estimate suggested U.S. health-care providers are hemorrhaging $100 million per day.”
A hostage to fortune: ransomware and UK national security - Government Response to the Committee’s First Report
Budget of the U.S. Government 2025 - “The Budget provides $800 million to help high need, low-resourced hospitals cover the upfront costs associated with implementing essential Department of Health and Human Services cybersecurity practices, and $500 million for an incentive program to encourage all hospitals to invest in advanced cybersecurity practices”
Australia’s $9.9bn cyber army activated - The Australian reports “Cyber security agencies are on track to recruit up to 1900 new staff under the $9.9bn REDSPICE program, as the Australian Signals Directorate reports a lower workforce churn amid a surge in cyber defence activity.”
Possible Avenues to Explore Regarding the Challenges Faced by Law Enforcement Related to Access to Data - “Upscale and better coordinate research and development for digital forensic tools at the EU level, including by fostering collaborative developments, partnerships with industry, as well as the sharing of such tools and expertise among the Member States’ digital forensics departments”
Cyber Resilience Act: MEPs adopt plans to boost security of digital products
More robust cybersecurity for all products with digital elements
Covers everyday products like connected doorbells, baby monitors and Wi-Fi routers
Security updates to be applied automatically when technically feasible
Europe and the Indo-Pacific: Convergence and Divergence in the Digital Order - the purpose of this report is to bring attention to how the EU and Indo-Pacific countries have responded and continue to respond to four key areas of strategy, regulation and international cooperation within the digital order: 1) the protection of national critical infrastructure (NCI) 2) harnessing AI 3) the protection of national innovation ecosystems 4) and countering cyber disinformation.
AvengerCon VIII – [US] Army Cyber’s homegrown hacker con returns - love this..
Evidence of Russian Cyber Operations Could Bolster New ICC Arrest Warrants - UC Berkeley School of Law analysis - While the ICC’s press release specifies that the suspects are responsible for missile strikes carried out by the forces under Kobylash and Sokolov’s command, this characterization does not preclude the prosecutor from introducing evidence of other types of attacks on the electric grid, such as cyberattacks that were carried out by other parts of the Russian military in coordination with this missile campaign.
Vulnerability Reward Program: 2023 Year in Review - “we awarded $10 million to our 600+ researchers based in 68 countries.” since the start at Google.
Meta Account Takeovers and Lockouts - "We, the undersigned attorneys general (the “State AGs”), write to request immediate action to address the dramatic increase in user account takeovers and lockouts on Facebook and Instagram"
Defending Democracy
Evaluating the persuasive influence of political microtargeting with large language models - some academic work out of the University of Oxford.
[US] Treasury Sanctions Companies and Individuals Advancing Russian Malign Activities in Africa - US Department of Treasury action - “Today, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned two companies - one in Russia and one in the Central African Republic (CAR) - for their efforts in advancing Russia’s malign activities in CAR. Today’s targets have played an important role enabling the Private Military Company ‘Wagner’ (Wagner Group) and, by extension, the activities of the Russian Federation.”
Whitepaper on Cyber Threats against Taiwan’s 2024 Presidential Election - TeamT5 reporting of their research - “China has also been weaponizing social media platforms to spread disinformation and propaganda against Taiwan. While we observed sparse suspicious activities attacking the ruling party since early 2023, it was not until November that we detected significant influence operations.”
TAG Bulletin: Q1 2024 - Google reporting “We terminated 5,306 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to the People’s Republic of China (PRC). The coordinated inauthentic network uploaded content in Chinese and English about China and U.S. foreign affairs.”
The Inventory is Dark and Full of Misinformation: Understanding Ad Inventory Pooling in the Ad-Tech Supply Chain - University of Iowa and University of California work here “Through our measurements, we demonstrate a widespread lack of compliance with the IAB’s ads.txt and sellers.json standards, ad inventory pooling by misinformation publishers, and reputed brands who end up buying this ad inventory of misinformation publishers. Taken all together, our results point to specific gaps that need to be further explored by the ad-tech and security research communities”
National Threat Assessments
The Norwegian Intelligence Service’s assessment of current security challenges - Norwegian Intelligence “Chinese intelligence services operate all over Europe. Their activities include political intelligence and industrial espionage, and cyberspace is the main gateway. Chinese intelligence services use a combination of actions to keep their activities and objectives concealed, such as commonly available tools and digital infrastructure that conceal the actor”
2024 Annual Threat Assessment of the U.S. Intelligence Community - US Intelligence Community - “China remains the most active and persistent cyber threat to U.S. Government, private-sector, and critical infrastructure networks. Beijing’s cyber espionage pursuits and its industry’s export of surveillance, information, and communications technologies increase the threats of aggressive cyber operations against the United States and the suppression of the free flow of information in cyberspace”
FBI Internet Crime Report 2023 - out March 2024 - FBI says “In 2023, IC3 received a record number of complaints from the American public: 880,418 complaints were registered, with potential losses exceeding $12.5 billion. This is a nearly 10% increase in complaints received, and it represents a 22% increase in losses suffered, compared to 2022.”
Reporting on/from China
China Intensifies Push to ‘Delete America’ From Its Technology - Wall Street Journal reports - “Document 79 was so sensitive that high-ranking officials and executives were only shown the order and weren’t allowed to make copies, people familiar with the matter said. It requires state-owned companies in finance, energy and other sectors to replace foreign software in their IT systems by 2027. “
Jia Qingguo: Proposal on encouraging people to tell Chinese stories to the outside world - Analysis from China - “Reduce many restrictions on non-governmental and second-track foreign exchanges. Implement differentiated management of the external exchanges of experts and scholars.”
China's Huawei and Amazon in patent licencing agreement - Reuters reports “Most terms of the deal were not disclosed, but Alan Fan, head of Huawei's intellectual property rights department, said the Chinese firm had ended lawsuits brought against Amazon in Germany over patented technology related to wifi and video playback.”
China’s ZPMC insists its US cranes present ‘no cyber security risk’ - Financial Times reports - “Republican congressmen allege manufacturer of 80% of cranes at US terminals has installed suspicious equipment”
Artificial intelligence
DARPA Selects Small Businesses to Compete in the AI Cyber Challenge - “$1 million each to develop AI-enabled cyber reasoning systems that automatically find and fix software vulnerabilities at scale.”
Proposal for a regulation laying down harmonised rules on Artificial Intelligence (Artificial Intelligence Act) and amending certain Union legislative acts - EU Parliament in action.
Adapting liability rules to artificial intelligence - from the EU Parliament - The Commission's white paper states that 'persons having suffered harm caused with the involvement of AI systems need to enjoy the same level of protection as persons having suffered harm caused by other technologies, whilst technological innovation should be allowed to continue to develop'.
Industry Leaders in AI and Wireless Form AI-RAN Alliance - Network operators in the alliance will spearhead the testing and implementation of these advanced technologies developed through the collective research efforts of the member companies and universities.
Cyber proliferation
Government starts process to deprive man of Maltese citizenship after he appears on US sanction list - The Malta Independent - the CEO of spyware firm Intellexa having cost imposed on their life.
Mapping the Supply of Surveillance Technologies to Africa: Case Studies from Nigeria, Ghana, Morocco, Malawi, and Zambia - Institute of Development Studies reports - “Ghana appears to have focused on mobile spyware and ‘safe city’ surveillance”
Government must respond strongly to growing hacking threat - reports The Times in this oped - “Failing to act will mean that cyber-attacks rapidly develop beyond sophisticated perpetrators and opportunistic criminals. It is clear that oversight of the development, marketing and sale of commercial spyware is now required to ensure that it is not misused to facilitate further abuse.”
Bounty Hunting
Auctioning of personal data for advertising purposes: the Court of Justice clarifies the rules under the GDPR - interesting judgement here.
Former Telecommunications Company Manager Admits Role in SIM Swapping Scheme - insider threat in action..
The reflections this week are in the writeup of the lecture I gave at King's College Department of War Studies and the Cyber Security Research Group.
In government, significant developments are underway. Recently, the White House’s Office of the National Cyber Director (ONCD) published a paper for software measurability, which is a crucial step towards addressing information asymmetry. Concurrently, our objectives at the NCSC are focused on building evidence bases, rectifying market flaws, establishing incentives and providing interventions for those unable or unwilling to engage at an individual level.
Outside of that there was this analysis by Sean Heelan on why hallucinations still make AI vulnerability research in code quite the challenge.
All attribution is by others and not the UK Government unless specifically stated as such, please see the legal text at the end.
Have a lovely Friday..
Ollie
Cyber threat intelligence
Who is doing what to whom and how allegedly.
Reporting on Russia
Update on Microsoft Breach Following Attack by Nation State Actor Midnight Blizzard
Microsoft discussing the impact of this breach by an alleged Russian threat actor who used password spraying and trust relationships to achieve their mission objectives.
We have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access. This has included access to some of the company’s source code repositories and internal systems.
The NGC2180 group spies on high-ranking targets using the DFKRAT implant
Reporting by a Russian company on an actor targeting Russia who isn't publicly attributed. The actual tradecraft is rather basic. The point to take away is that Russian companies are undertaking threat hunting in their government entities.
We discovered the DFKRAT spy implant on the systems of one of the customers at the end of 2023.
Other versions of this malware were found in open sources and their evolutionary chain was traced since 2021; we named the cluster of this activity NGC2180.
The primary vector of infection in the case of early versions appears to be a targeted phishing email loaded with a downloader. In the latest versions, the vector remains unknown.
Malicious activity is carried out by payloads that are delivered by downloaders in earlier versions and droppers that exploit DLL side-loading in recent versions.
The key functionality of DFKRAT is file exfiltration, interactive shell support, and potential downloading of additional malware from the C2 control server.
Compromised servers of the National Center for Scientific Research in Greece and an Indonesian company were used as C2 for the current version of the implants.
We managed to find and analyze a fragment of the control server.
Further reporting on apparently the same actor by DrWeb, a German-HQ'd company with operations in Kazakhstan. All interesting in the current environment..
In October 2023, Doctor Web was contacted by a Russian mechanical-engineering enterprise that suspected malware was on one of its computers.
In early October 2023, malicious actors sent several phishing emails to the email address of the affected company. The subject of the messages was related to an “investigation” of certain criminal cases of tax evasion. These emails were supposedly sent on behalf of an investigator with the Investigative Committee of the Russian Federation and contained two attachments.
https://news.drweb.com/show/?i=14823&lng=en&c=5
Reporting on China
i-SOON: “Significant Superpower” or Just Getting the Job Done?
Natto Team's analysis of this alleged data leak from a Chinese offensive cyber provider continues, showing that, like any technical organisation, pay and retention are the concerns, and that they hire based on attitude and aptitude.
i-Soon’s People strategy: practical “attack and defense live-fire capability” is more important than formal education level.
i-SOON Process strategy: “it doesn’t matter if a cat is black or white, as long as it catches mice.”
i-SOON Technology strategy: find and exploit vulnerability
open.substack.com/pub/nattothoughts/p/i-soon-significant-superpower-or
Evasive Panda leverages Monlam Festival to target Tibetans
Anh Ho, Facundo Muñoz and Marc-Etienne M.Léveillé detail an alleged Chinese operation which is noteworthy due to the supply chain aspect.
Evasive Panda (also known as BRONZE HIGHLAND and Daggerfly) is a Chinese-speaking APT group, active since at least 2012.
We discovered a cyberespionage campaign that leverages the Monlam Festival – a religious gathering – to target Tibetans in several countries and territories.
The attackers compromised the website of the organizer of the annual festival, which takes place in India, and added malicious code to create a watering-hole attack targeting users connecting from specific networks.
We also discovered that a software developer’s supply chain was compromised and trojanized installers for Windows and macOS were served to users.
The attackers fielded a number of malicious downloaders and full-featured backdoors for the operation, including a publicly undocumented backdoor for Windows that we have named Nightdoor.
We attribute this campaign with high confidence to the China-aligned Evasive Panda APT group.
Reporting on North Korea
Espionage Operation Disguised as Software Installers by Kimsuky (APT-Q-2)
Chinese reporting on alleged North Korean activity which shows the continued evolution of both their tradecraft and also how they are trying to frustrate analysis.
[We] discovered a batch of espionage attack samples disguised as installation programs of software products under the SGA, a South Korean software company. These samples, upon execution, release legitimate installation packages to deceive victims and secretly execute malicious DLLs processed by VMProtect. The malicious DLLs, implemented in Go language, collect various types of information from infected devices and transmit them to the attackers, then erase traces of the attack.
Based on the digital signatures carried by the espionage software samples, we associated them with another type of malicious software used as a backdoor, also written in Go and protected by VMProtect. This backdoor software shares multiple characteristics with historical attack samples from the Kimsuky organization, leading us to believe that both types of malicious software are associated with the Kimsuky group.
North Korean Hackers Return to Tornado Cash Despite Sanctions
Reporting by Elliptic on the alleged movement of funds coming from North Korean crypto operations.
Update (13:00 UTC March 14, 2024 ): Further funds from the HTX and HECO Bridge hacks are currently being sent to Tornado Cash. The total currently stands at $13 million.
$100 million was stolen from exchange HTX and its HECO cross-chain bridge in November 2023 - Elliptic has attributed this hack to North Korea’s Lazarus Group
Over the past day, over $12 million from this hack has been laundered through Tornado Cash
Lazarus turned to Sinbad.io as its mixer of choice following sanctions on Tornado Cash in August 2022, but this service was seized by US authorities in November 2023
https://www.elliptic.co/blog/north-korean-hackers-return-to-tornado-cash-despite-sanctions
Reporting on Iran
An active phishing campaign in Israeli territory - the Iranian attack group MuddyWater
An alert by the Israeli government on alleged Iranian activity, the insight is the target set. The tradecraft is run of the mill..
The group is active mainly against the following sectors: aviation, academia, communications, government and energy.
Use of legitimate RMM (Remote Monitoring and Management) tools such as ScreenConnect, Atera, MeshCentral and Advanced Monitoring Tool, as used by many groups.
The initial attack vector is carried out by a phishing scheme from different email addresses
https://www.gov.il/he/departments/publications/reports/alert_1718
Reporting on Other Actors
Magnet Goblin Targets Publicly Facing Servers Using 1-Day Vulnerabilities
Criminal threat actor who is allegedly able to quick-flip vulnerabilities for their enterprise. Lesson here on the evolving threat in this space..
Magnet Goblin is a financially motivated threat actor that quickly adopts and leverages 1-day vulnerabilities in public-facing services as an initial infection vector. At least in one case of Ivanti Connect Secure VPN (CVE-2024-21887), the exploit entered the group’s arsenal as fast as within 1 day after a POC for it was published.
Campaigns that we were able to attribute to this actor targeted Ivanti, Magento, Qlik Sense and possibly Apache ActiveMQ.
Analysis of the actor’s recent Ivanti Connect Secure VPN campaign revealed a novel Linux version of a malware called NerbianRAT, in addition to WARPWIRE, a JavaScript credential stealer.
The actor’s arsenal also includes MiniNerbian, a small Linux backdoor, and remote monitoring and management (RMM) tools for Windows like ScreenConnect and AnyDesk.
Threat Group Assessment: Muddled Libra (Updated)
Summary of this criminal threat actor by Kristopher Russo, Austin Dever and Amer Elsad; the actor is notable for no other reason than that they are persistent and capable.
Muddled Libra is a methodical adversary that substantially threatens enterprise organizations across many industries. They are proficient in a range of security disciplines, able to thrive in relatively secure environments and execute rapidly to complete devastating attack chains.
Muddled Libra doesn’t bring anything new to the table except for the uncanny knack of stringing together weaknesses to disastrous effect. Defenders must combine cutting-edge technology, comprehensive security hygiene and external threats and internal events monitoring. The high-stakes risk of operational disruption and loss of sensitive data is a strong incentive for modernizing information security programs.
https://unit42.paloaltonetworks.com/muddled-libra/
Using Backup Utilities for Data Exfiltration
A trend here to be aware of.. who would have thought it..
[Our] analysts observed INC ransomware threat actors employing MegaSync for data exfiltration. Recently, GBHackers published an article outlining data exfiltration tools used by ransomware threat actors, one of which was the restic backup application. A Huntress Security Operations Center (SOC) analyst investigated and reported alerts from two endpoints related to the malicious use of the same backup application.
[We] alerted a customer to two endpoints (both Windows 2019 servers) impacted by similar activity; specifically, the use of the restic backup application, apparently in an attempt to exfiltrate data from a customer’s infrastructure.
https://www.huntress.com/blog/using-backup-utilities-for-data-exfiltration
What’s in your notepad? Infected text editors target Chinese users
Sergey Puzan details the continued challenge of malvertising.
[A] similar threat has affected users of one of the most popular search engines in the Chinese internet. We’ve discovered two related cases where modified versions of popular text editors were distributed in this system: in the first case, the malicious resource appeared in the advertisement section; in the second case, at the top of the search results. We have not yet been able to establish all the details of the threat, so this material may be updated later.
https://securelist.com/trojanized-text-editor-apps/112167/
Unveiling the depths of residential proxies providers
Marine PICHON, Vincent HINDERER, Maël SARP, Ziad MASLAH, Livia TIBIRNA, Amaury G. and Grégoire CLERMONT detail, for those who want to know, how threat actors get around geofencing etc.
Residential proxies are intermediaries that allow an Internet connection to appear as coming from another host;
This method allows a user to hide the real origin and get an enhanced privacy or an access to geo-restricted content;
Residential proxies represent a growing threat in cyberspace, frequently used by attacker groups to hide among legitimate traffic, but also in a legitimate way;
The ecosystem of these proxies is characterised by a fragmented and deregulated offering in legitimate and cybercrime webmarkets;
To obtain an infrastructure up to several million hosts, residential proxies providers use techniques that can mislead users who install third-party software;
With millions of IP addresses available, they represent a massive challenge to be detected by contemporary security solutions;
Defending against this threat requires increased vigilance over the origin of traffic, which may not be what it seems, underlining the importance of a cautious and informed approach to managing network traffic;
https://www.orangecyberdefense.com/global/blog/research/residential-proxies
Unveiling Earth Kapre aka RedCurl’s Cyberespionage Tactics
Buddy Tancio, Maria Emreen Viray and Mohamed Fahmy identify a campaign which isn't attributed to any country in open source. The point here is that the .iso and .img tradecraft in phishing continues.
The espionage group Earth Kapre (aka RedCurl and Red Wolf) has been actively conducting phishing campaigns targeting organizations in Russia, Germany, Ukraine, the United Kingdom, Slovenia, Canada, Australia, and the US. It uses phishing emails that contain malicious attachments (.iso and .img), which lead to successful infections upon opening. This triggers the creation of a scheduled task for persistence, alongside the unauthorized collection and transmission of sensitive data to command-and-control (C&C) servers.
Discovery
How we find and understand the latent compromises within our environments.
Badgerboard: A PLC backplane network visibility module
Carl Hurd and Jared Rittle have released some awesome research here. This type of innovation of retrofitting observability onto a platform gets a big 👍🏽
Badgerboard is an open source example implementation of a hardware/software solution that can lift traffic from a Schneider Electric X80 backplane into "normal" network traffic that can be inspected and acted upon by various network visibility security solutions, such as Snort.
https://blog.talosintelligence.com/badgerboard-research/
https://github.com/Cisco-Talos/badgerboard
SpyGuard
Félix Aimé and team provide some capability for embedded devices where you can't get onto the device itself and can only observe its traffic.
SpyGuard is a forked and enhanced version of TinyCheck. SpyGuard's main objective is to detect signs of compromise by monitoring network flows transmitted by a device.
https://github.com/SpyGuard/SpyGuard/
Defence
How we proactively defend our environments.
One does not simply implement passkeys
Speaking to the teams here at the UK’s NCSC we increasingly see passkeys as the way that passwords finally are put to bed. However it is clear that whilst deployment is becoming easy there are still lessons to be learnt from the field.
https://joshcgrossman.com/2024/02/08/one-does-not-simply-implement-passkeys/
The 3 most common post-compromise tactics on network infrastructure
Hazel Burton drops some wisdom; to save you the read, the three tactics are listed below. What this says to me is you want to be able to detect these in your telemetry from the devices..
1) Modifying the firmware
2) Uploading customized/weaponized firmware
3) Bypassing or removing security measures
NSA Releases Top Ten Cloud Security Mitigation Strategies
Whopper of a release here from our US counterparts.
The ten strategies are covered in the following reports:
Use secure cloud identity and access management practices (Joint with CISA)
Use secure cloud key management practices (Joint with CISA)
Implement network segmentation and encryption in cloud environments (Joint with CISA)
Secure data in the cloud (Joint with CISA)
Defending continuous integration/continuous delivery environments (Joint with CISA)
Enforce secure automated deployment practices through infrastructure as code
Account for complexities introduced by hybrid cloud and multi-cloud environments
Mitigate risks from managed service providers in cloud environments (Joint with CISA)
The Secrets of XProtectRemediator
Aiden provides a guide on how to extract the YARA rules from Apple's solution.
Not including private helper rules, there are 75 YARA rules spread across 24 remediators. In addition to the YARA, there are also a number of other artifacts such as network IOCs and persistence paths.
https://alden.io/posts/secrets-of-xprotect/
Discovering CVE-2024-28741: Remote code execution on NorthStar C2 agents via pre auth stored XSS
Evan Ikeda highlights the vulnerability research opportunities in malicious frameworks. Offsec authors don’t follow a Secure by Design approach, news at 11..
This exploit works by sending multiple malicious agent registration requests to the teamserver to incrementally build a functioning javascript payload in the logs web page. This XSS can be leveraged to execute commands on NorthStar C2 agents
https://github.com/chebuya/CVE-2024-28741-northstar-agent-rce-poc
Incident Writeups & Disclosures
How they got in and what they did.
British Library cyber incident review - Learning Lessons From The Cyber-attack
A report which will be widely cited by so many..
This paper aims to provide an overview of the cyber-attack on the British Library that took place in October 2023 and examines its implications for the Library’s operations, future infrastructure, risk assessment and lessons learned. Its purpose is to ensure a common level of understanding of key factors that may help peer institutions and other organisations learn lessons from the Library’s experience.
https://www.bl.uk/home/british-library-cyber-incident-review-8-march-2024.pdf
Xplain hack: [Swiss] National Cyber Security Centre publishes data analysis report
The Swiss government showing what transparency looks like.
The [Swiss] National Cyber Security Centre (NCSC) took over responsibility for incident management in the Federal Administration in the wake of the hacker attack on Xplain, a major provider of IT services to national and cantonal authorities.
Sensitive content such as personal data, technical information, classified information and passwords was found in around half of the Federal Administration's files (5,182). Personal data such as names, email addresses, telephone numbers and postal addresses were found in 4,779 of these files. In addition, 278 files contained technical information such as documentation on IT systems, software requirement documents or architectural descriptions, 121 objects were classified in accordance with the Information Protection Ordinance and 4 objects contained readable passwords.
https://www.ncsc.admin.ch/ncsc/en/home/aktuell/im-fokus/2024/bericht-datenanalyse-xplain.html
Vulnerability
Our attack surface.
Source Code Disclosure in ASP.NET apps
From entity-listed Russia with love.
Update your Microsoft IIS and .NET Framework to the latest versions. For Windows Server 2019 and .NET Framework 4.7, KB5034619 currently fixes the source disclosure.
For mitigating short name enumerations, run “fsutil behavior set disable8dot3 1” to disable 8.3 name creation. Next, reboot your system and run “fsutil 8dot3name strip /s /v [PATH-TO-WEB-DIRECTORY]” to remove all existing 8.3 file names.
https://swarm.ptsecurity.com/source-code-disclosure-in-asp-net-apps/
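An added audit script for the two mitigations above; this is example code written for this summary, not code from the PT Security write-up. It assumes an elevated PowerShell session on the IIS host and that $WebRoot (placeholder default below) is the web content directory; the KB number is the one the write-up names for Server 2019 / .NET Framework 4.7.

```powershell
<#
  Added example (not from the PT Security write-up): audits a Windows/IIS host for
  the two mitigations it lists (patch KB5034619 and disabled 8.3 short names) and
  applies them on request, in the order given: disable creation, reboot, then strip.
#>
[CmdletBinding()]
param(
    [string]$WebRoot = 'C:\inetpub\wwwroot',  # assumed placeholder; point at your web directory
    [switch]$DisableCreation,                 # runs "fsutil behavior set disable8dot3 1"
    [switch]$StripExisting                    # runs "fsutil 8dot3name strip" (do this after the reboot)
)

$fileSystemKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'

# 1. Patch check: KB5034619 is the fix the write-up names for the source disclosure.
$hotfix = Get-HotFix -Id 'KB5034619' -ErrorAction SilentlyContinue
if ($hotfix) { "OK   KB5034619 installed on $($hotfix.InstalledOn)" }
else         { "WARN KB5034619 not installed; update IIS and .NET Framework" }

# 2. 8.3 creation policy. NtfsDisable8dot3NameCreation: 0 = enabled on all volumes,
#    1 = disabled on all volumes, 2 = per-volume setting (default), 3 = disabled except system volume.
$policy = (Get-ItemProperty -Path $fileSystemKey).NtfsDisable8dot3NameCreation
if ($policy -eq 1) { "OK   8.3 name creation disabled on all volumes (value $policy)" }
else               { "WARN 8.3 name creation not globally disabled (value $policy)" }

# 3. Existing aliases under the web root. Disabling creation does not remove names
#    already on disk, and those are what short-name enumeration relies on, so count them.
#    Scripting.FileSystemObject exposes the 8.3 alias as ShortName; it only differs
#    from the long name when an alias actually exists (-ne is case-insensitive).
$fso = New-Object -ComObject Scripting.FileSystemObject
$withShortName = Get-ChildItem -Path $WebRoot -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        $item = if ($_.PSIsContainer) { $fso.GetFolder($_.FullName) } else { $fso.GetFile($_.FullName) }
        $item.ShortName -ne $_.Name
    }
if ($withShortName.Count -gt 0) {
    "WARN $($withShortName.Count) items under $WebRoot still have 8.3 aliases, e.g.:"
    $withShortName | Select-Object -First 5 | ForEach-Object { "     $($_.FullName)" }
} else {
    "OK   no 8.3 aliases found under $WebRoot"
}

# 4. Remediation steps from the write-up.
if ($DisableCreation) {
    fsutil behavior set disable8dot3 1
    "Reboot, then rerun with -StripExisting to remove the aliases already on disk."
}
if ($StripExisting) {
    # scan first: it reports registry values that reference short names under $WebRoot,
    # which strip would otherwise break (/s = recurse, /v = verbose).
    fsutil 8dot3name scan /s /v $WebRoot
    # stop IIS so open handles do not prevent aliases being removed, then strip and restart
    iisreset /stop
    fsutil 8dot3name strip /s /v $WebRoot
    iisreset /start
}
```

Run it once with no switches to get the three findings, then with -DisableCreation, reboot, and finally with -StripExisting after reviewing the scan output.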
Offense
Attack capability, techniques and trade-craft.
IndicatorOfCanary: Canary Detection
Cost has been imposed on Red Teamers, so they are upping their counter detection..
The Indicator of Canary is a collection of PoCs from research on identifying canaries in various file formats. It focuses on identifying known IoCs(Indicator of Canary) and unknown callback URLs in places they shouldn't be. Ultimately, this will give operators better awareness and make more informed decisions, preferably by automating similar checks in implants and other tools.
https://github.com/HackingLZ/IndicatorOfCanary
Leaking NTLM Credentials Through Windows Themes
Tomer Peled highlights why you should watch for Themes landing in your Windows estate via email, browser download or otherwise.
[We] recently discovered a spoofing vulnerability in Microsoft Themes. It was assigned CVE-2024-21320 with a CVSS score of 6.5.
The vulnerability can trigger an authentication coercion — an attack in which a victim is coerced into sending credentials (usually in the form of NTLM hashes over SMB) to an attacker’s machine. The attacker can later crack the credentials offline.
To exploit this vulnerability, the attacker only needs the victim to download a theme file to their computer. When the user views the file in Explorer, the browser will automatically send Server Message Block (SMB) handshake packets that contain credentials to the attacker’s server.
All Windows versions are affected, as Themes is a built-in feature in the Windows operating system.
Microsoft fixed this vulnerability in January’s Patch Tuesday 2024.
We provide a proof-of-concept (PoC) Theme file, as well as a PoC video, and present several ways to mitigate this vulnerability.
How We Bypassed Safari 17's Advanced Audio Fingerprinting Protection
I didn’t know this fingerprinting technique or that countermeasures had been developed.
Did you know that browsers can produce audio files you can’t hear, and those audio files can be used to identify web visitors? Apple knows, and the company decided to fight the identification possibility in Safari 17, but their measures don’t fully work.
Audio fingerprinting is a part of FingerprintJS, our library with source code available on GitHub.
https://fingerprint.com/blog/bypassing-safari-17-audio-fingerprinting-protection/
GhostRace - Exploiting and Mitigating Speculative Race Conditions
Ragab, H.; Mambretti, A.; Kurmus, A.; and Giuffrida, C. release some novel research here. These vulnerability classes are novel and knotty.
Race conditions arise when multiple threads attempt to access a shared resource without proper synchronization, often leading to vulnerabilities such as concurrent use-after-free. To mitigate their occurrence, operating systems rely on synchronization primitives such as mutexes, spinlocks, etc.
In this work, we present GhostRace, the first security analysis of these primitives on speculatively executed code paths.
Our analysis shows all the other common write-side synchronization primitives in the Linux kernel are ultimately implemented through a conditional branch and are therefore vulnerable to speculative race conditions.
https://www.vusec.net/projects/ghostrace/
OSX-Injection: x64/x86 shellcode injector
macOS tradecraft continues to garner attention; this release by 0xf00sec will inspire/enable some.
In this article, we’ll delve into the world of designing and developing malware for macOS, which is essentially a Unix-based operating system.
https://0xf00sec.github.io/2024/03/09/MacOs-X.html
https://github.com/0xf00sec/OSX-Injection
Exploitation
What is being exploited.
CVE-2024-21412: DarkGate Operators Exploit Microsoft Windows SmartScreen Bypass in Zero-Day Campaign
Peter Girnus, Aliakbar Zahravi and Simon Zuckerbraun detail how what is described as a commodity loader was employing a zero-day.
[We] recently uncovered a DarkGate campaign in mid-January 2024, which exploited CVE-2024-21412 through the use of fake software installers. During this campaign, users were lured using PDFs that contained Google DoubleClick Digital Marketing (DDM) open redirects that led unsuspecting victims to compromised sites hosting the Microsoft Windows SmartScreen bypass CVE-2024-21412 that led to malicious Microsoft (.MSI) installers. The phishing campaign employed open redirect URLs from Google Ad technologies to distribute fake Microsoft software installers (.MSI) masquerading as legitimate software, including Apple iTunes, Notion, NVIDIA, and others. The fake installers contained a sideloaded DLL file that decrypted and infected users with a DarkGate malware payload.
SolarWinds Security Event Manager AMF deserialization RCE (CVE-2024-0692)
Chinese writeup on exploiting this vulnerability..
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
Code injection on Android without ptrace
Furkan Er brings a new capability for those with some corner case problems on Android and/or those who want to avoid detection.
The project has a simple premise: injecting code into a process without using ptrace. To achieve that, it uses /proc/mem to write code directly into memory, allowing running threads to pick up the code and execute it. Of course it's not that simple, there is a bit of nuance to achieve reliable execution. The project is developed for x86_64 linux systems and I wanted to spice things up a bit by targeting arm64 and Android.
https://erfur.github.io/blog/dev/code-injection-without-ptrace
TypeRefHasher: CLI tool to compute the TypeRefHash for .NET binaries - think of it as imphash-esque
Kind of imphash-esque but for .NET: a novel fingerprinting / clustering technique. Old but not well known..
We introduce the TypeRefHash (TRH) which is an alternative to the ImpHash that does not work with .NET binaries. Our evaluation shows that it can effectively be used to identify .NET malware families.
https://www.gdatasoftware.com/blog/2020/06/36164-introducing-the-typerefhash-trh
https://github.com/GDATASoftwareAG/TypeRefHasher
TokenAttributes dumper for Windows
Grzegorz Tworek provides some low level tooling for doing research into, or looking for anomalies in, Windows tokens.
https://github.com/gtworek/PSBits/tree/master/TokenAttributes
Further Adventures in Fortinet Decryption
What the vendor is trying to achieve by changing this is unclear. This research shows that such a scheme cannot work with any efficacy in a situation where adversaries have full control of the device.
In this blog post, we examine how the new encryption scheme works and provide a tool to decrypt the root filesystem for x86-based FortiOS images.
https://bishopfox.com/blog/further-adventures-in-fortinet-decryption
AndroidDriveSignity
gmh provides a capability for rooted devices which will help researchers in some circumstances.
AndroidDriveSignity is a Python utility designed to bypass driver signature verification in Android kernel (ARMv8.3), facilitating the loading of custom drivers.
Features
Targeted Symbol Patching: Modifies specific symbols within the kernel (check_modinfo, check_version, and module_sig_check) to circumvent driver signature verification mechanisms.
Intelligent Patching: Dynamically adjusts patching based on the presence of the PACIASP instruction, ensuring compatibility across different kernel configurations.
User-Friendly CLI: Provides a straightforward command-line interface for specifying the kernel binary, the kallsyms symbol table, and the output file paths.
https://github.com/gmh5225/AndroidDriveSignity
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Aggregate reporting
Distributed Denial of Service 2023 - an analysis about activity of DDoS groups
TAG Bulletin: Q1 2024 - “We terminated 5,306 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to the People’s Republic of China (PRC). The coordinated inauthentic network uploaded content in Chinese and English about China and U.S. foreign affairs.”
IRIS (Infra-Red, in situ) Project Updates - hardware verification..
The Copenhagen Book - “provides a general guideline on implementing auth in web applications. It is free, open-source, and community-maintained”
Are We (off sec) Helping? - "we haven’t been doing enough to serve the national interest of Western countries, but we’ve been doing plenty to accidentally serve the interests of adversaries who seek to undermine the national interest"
The [US]IC OSINT Strategy 2024-2026 - The INT of First Resort: Unlocking the Value of OSINT
CISA Secure Software Self-Attestation Common Form - if you sell software to US federal government you must provide it
NIST’s Software Un-Standards - a punchy article on Lawfare by a US academic on why metricated standards are what is needed.
Artificial intelligence
Books
Nothing this week.
Events
Unless stated otherwise, linked or referenced content does not necessarily represent the views of the NCSC and reference to third parties or content on their websites should not be taken as endorsement of any kind by the NCSC. The NCSC has no control over the content of third party websites and consequently accepts no responsibility for your use of them.
This newsletter is subject to the NCSC website terms and conditions which can be found at https://www.ncsc.gov.uk/section/about-this-website/terms-and-conditions and you can find out more about how we will treat your personal information in our privacy notice at https://www.ncsc.gov.uk/section/about-this-website/privacy-statement.
"it doesn’t matter if a cat is black or white, as long as it catches mice" is a Deng Xiaoping quote from the 60s (“不管黑猫白猫,能捉老鼠的就是好猫”); it was his way of promoting a market economy.
Love that you called out AVENGERCON Ollie. My favorite CON hands down!