CTO at NCSC Summary: week ending March 24th
There is likely the need for embedded device minimum telemetry and investigability to support cyber defence..
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week edge devices continue to be a plague on our houses.
In the high-level this week:
UK Information Commissioners Office (ICO) published their Relevant aggravating or mitigating factors - Reporting to NCSC and following our guidance gets you a ⭐ when they consider any fine.
Cyber security longitudinal survey: wave three results - from the UK Government “The Cyber Security Longitudinal Survey (CSLS) helps us better understand cyber security policies and processes within medium and large businesses and high-income charities. It explores the links over time between these policies and processes and the likelihood and impact of a cyber incident.”
Cloud-hosted supervisory control and data acquisition (SCADA) from the UK’s NCSC - this is us getting ahead of the predictable outcomes - “Guidance to help organisations identify some of the key considerations required before deciding on migrating SCADA to the cloud.”
50,000 Vulnerability Reports: How DC3’s Vulnerability Disclosure Program Got Here = from US DoD “The pilot saved taxpayers an estimated $61 million by discovering and remediating more than 400 active vulnerabilities and Controlled Unclassified Information exfiltration threats by adversaries on DIB participants’ public-facing assets.”
A Look at Software Composition Analysis - This is what quantified performance assessments look like - Doyensec reports - "Looking at the numbers, Dependabot and Snyk are automatically removed from consideration for automation in CI/CD on the basis of the high false positive Even for manual analysis, the review of a large number of findings with a less than 15% accuracy rate"
‘Tip of the iceberg’: new cyber tsar issues warning on attacks - from Australia and hear hear to this - “It’s really important that when we come to a crisis, we are not thinking of how we are going to respond to it at the point of crisis,”
FCC Adopts Rules for IoT Cybersecurity Labeling Program - from the US - “The U.S. Cyber Trust Mark logo will initially appear on wireless consumer IoT products that meet the program’s cybersecurity standards.”
Protecting Americans from Foreign Adversary Controlled Applications Act - “To protect the national security of the United States from the threat posed by foreign adversary controlled applications, such as TikTok and any successor application or service and any other application or service developed or provided by ByteDance Ltd. or an entity under the control of ByteDance Ltd”
The battle over TikTok - The Times reports “US Congress took a first step this week to forcing the app’s Chinese owner to sell it off. Can the company fight back?”
TikTok's lobbying firms may be next target of blacklist by lawmakers - Politico Reports “The volume of TikTok lobbyists in the last three weeks is eyebrow-raising and suspicious, and lobbyists or lobbying firms taking TikTok money will be viewed differently moving forward,”
Hackers Roil Entire Industries With Attacks on IT Supply Chain - Bloomberg reports a slightly overplayed line here in the role of Generative AI against a backdrop of vulnerable software which is the actual root cause - “Hackers are getting faster at exploiting known flaws in widely used software, and they’re even experimenting with generative AI to refine their methods, a sobering thought that suggests the problem could get much worse, the experts say.”
Cancer Clinics Face Cash Crunch After Hack Rocks US Health Care - the very real human impact
Biden-Harris Administration engages states on safeguarding water sector infrastructure against cyber threats - “U.S. Environmental Protection Agency Administrator Michael Regan and National Security Advisor Jake Sullivan sent a letter to all U.S. Governors inviting state environmental, health and homeland security Secretaries to a convening by their deputies to discuss the urgent need to safeguard water sector critical infrastructure against cyber threats.”
Ransomware: ‘costly and impactful’ and now a staple national security risk - Reports the Center for Cyber Policy
Ransomware continues to be “costly and impactful” for industry and government. The FBI Internet Crime Report notes an 18% increase in complaints received in 2023 from 2022 levels.
Ransomware is now a staple national security risk for the U.S. government. It has been referenced in the last three ODNI annual threat assessments and was framed as such in the 2023 National Cybersecurity Strategy, “Ransomware is a threat to national security, public safety, and economic prosperity.”
Can your webcam or router be hijacked? Are the security measures for IoT devices thorough? - from the Japan Government showing the push they having on this type of device.
When Product Markets Become Collective Traps: The Case of Social Media - Backer Friedman Institute for Economics - “Large shares of consumers use Instagram and TikTok out of a fear of missing out rather than genuine interest and, as a result, are worse off than if the platforms did not exist in the first place.”
Finance sector professionals trained to defend themselves against cyberattacks - Almost three dozens of professionals from public agencies and private organizations in the finance sector of Ukraine took part in the CIREX.CYBER.Ransomware TTX organized and carried out by the SSSCIP and supported by the EU-funded EU4DigitalUA Project as part of EU support of Ukraine.
Journal of Cyber Policy issues a Special Issue: connecting the dots between the Domain Name System and today’s cyber reality
Defending Democracy
Mapping a Surge of Disinformation in Africa by the Africa Center for Strategic Studies
South Korea's Yoon warns of tech threat to democracy at summit Reuters reports - “South Korean President Yoon Suk Yeol on Monday called fake news and disinformation based on AI and digital technology threats to democracy, as his country hosted a gathering of senior global officials including from Britain, the EU and the United States.”
Treasury Sanctions Actors Supporting Kremlin-Directed Malign Influence Efforts - US action here - “Today, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) designated two individuals and two entities for services they provided the Government of the Russian Federation (GoR) in connection with a foreign malign influence campaign, including attempting to impersonate legitimate media outlets. “
Reporting on/from China
China is spending billions on a national computing network. Its data chief says why - South China Morning Post reports “Liu Liehong lays out the case for full integration of the country’s computing power in its ‘Eastern Data and Western Computing’ mega project”
Playing Both Sides of the U.S.-Chinese Rivalry - Foreign Affairs reports - "Beijing and Washington are offering different products, reflecting their distinctive concepts of security and the types of support each is best suited to provide. The United States shores up external security, protecting its partners militarily against regional threats. China, meanwhile, provides internal security, giving governments the tools to combat social disorder and political opposition.”
Three Top China Executives Depart Consulting Firm Control Risks - Bloomberg reports “In recent months, foreign companies have discovered it’s increasingly difficult to carry out due diligence in China as authorities step up scrutiny, raid offices and, in some cases, detain employees.”
Artificial intelligence
Using Hallucinations to Bypass GPT4's (and Claude's) Filter - “we induce a hallucination involving reversed text during which the model reverts to a word bucket, effectively pausing the model's filter. We believe that our exploit presents a fundamental vulnerability in LLMs currently unaddressed, as well as an opportunity to better understand the inner workings of LLMs during hallucinations.”
What Motivates People to Trust 'AI' Systems? - “Based on a survey with more than 450 respondents from more than 30 different countries (and about 3000 open text answers), this paper presents a qualitative analysis of current opinions and thoughts about 'AI' technology, focusing on reasons for trusting such systems.”
Meta intros two GPU training clusters for Llama 3 - just let this number of GPUs sink in when compared to national capacity - “The Facebook parent company said the training clusters are part of its plans to grow its infrastructure and obtain 350,000 Nvidia H100 GPUs by the end of the year.”
Cyber proliferation
On the state of spyware: Mapping the risks and incentives of the market - by the Atlantic Council featuring - Ingrid Dickinson, Security Policy Manager, Global Threat Disruptions, Meta; Kirsten Hazelrig, Policy Lead, Cyber and Intelligence Technologies, MITRE; Rose Jackson, Director, Democracy & Tech Initiative, Atlantic Council; and Monica Ruiz, Senior Government Affairs Manager, Digital Diplomacy, Microsoft. The panel will be moderated by Jen Roberts, Assistant Director, Cyber Statecraft Initiative, Atlantic Council.
United States Department of State reports Joint Statement on Efforts to Counter the Proliferation and Misuse of Commercial Spyware
Bounty Hunting
CSLAW '24: Proceedings of the Symposium on Computer Science and Law - various interesting paper for the legal contingent who read.
Moldovan National Sentenced To Federal Prison For Operating Websites Involved In The Illicit Sale Of Compromised Computer Credentials - “42 months in federal prison for conspiracy to commit access device and computer fraud and possession of 15 or more unauthorized access devices. Diaconu pleaded guilty on December 1, 2023. “
Reflections this week come from conversations with partners around the likely need for embedded device minimum telemetry and investigability improvements to support incident response. The number of devices and their criticality to modern life from mobile to edge network to IoT more generally is only going to increase. Yet the quality, variability and depth of telemetry coming off of them is so/so, logs present similar and the inability to investigate in a less than an artisanal Olympics manner wanting. All of which likely needs to change if we are being kind to our future selves..
Think someone else would benefit? Share:
All attribution is by others and not the UK Government unless specifically stated as such, please see the legal text at the end.
Have a lovely Friday..
Ollie
Cyber threat intelligence
Who is doing what to whom and how allegedly.
Reporting on Russia
Russian authorities launched an unprecedented attack on Meduza's infrastructure at the same time as Navalny's murder
Meduza reports this incident which show that alleged Russian backed DDoS attacks are alive and well but also scaling.
In February and March 2024, Russian authorities launched an unprecedented attack on Meduza's infrastructure. The pressure intensified simultaneously with the murder of Alexei Navalny and a few weeks before the Russian presidential election. Of course, Meduza was attacked before—almost throughout our entire history, and especially actively after the start of the full-scale Russian-Ukrainian war. However, our technical team has never had to deal with threats of this magnitude.
AcidPour | New Embedded Wiper Variant of AcidRain Appears in Ukraine
Juan Andrés Guerrero-Saade & Tom Hegel provide reporting on a new variant which was allegedly used by Russia to disable satellite communication terminals inoperable. The target in this case however is not known… yet.
[We] discovered a novel malware variant of AcidRain, a wiper that rendered Eutelsat KA-SAT modems inoperative in Ukraine and caused additional disruptions throughout Europe at the onset of the Russian invasion.
The new malware, which we call AcidPour, expands upon AcidRain’s capabilities and destructive potential to now include Linux Unsorted Block Image (UBI) and Device Mapper (DM) logic, better targeting RAID arrays and large storage devices.
Our analysis confirms the connection between AcidRain and AcidPour, effectively connecting it to threat clusters previously publicly attributed to Russian military intelligence. CERT-UA has also attributed this activity to a Sandworm subcluster.
Specific targets of AcidPour have yet to be conclusively verified; however, the discovery coincides with the enduring disruption of multiple Ukrainian telecommunication networks, reportedly offline since March 13th.
The ISP attacks are being publicly claimed by a GRU-operated hacktivist persona via Telegram.
https://www.sentinelone.com/labs/acidpour-new-embedded-wiper-variant-of-acidrain-appears-in-ukraine/
New details on TinyTurla’s post-compromise activity reveal full kill chain
Asheer Malhotra, Holger Unterbrink, Vitor Ventura and Arnaud Zobec provide post compromise insight into this alleged Russian state actor. Of note is the active tampering with Windows Defender which should be a strong TTP that every security operation function focuses on.
[Our] analysis, in coordination with CERT.NGO, reveals that Turla infected multiple systems in the compromised network of a European non-governmental organization (NGO).
The attackers compromised the first system, established persistence and added exclusions to anti-virus products running on these endpoints as part of their preliminary post-compromise actions.
Turla then opened additional channels of communication via Chisel for data exfiltration and to pivot to additional accessible systems in the network.
https://blog.talosintelligence.com/tinyturla-full-kill-chain/
APT29 Uses WINELOADER to Target German Political Parties
Luke Jenkins and Dan Black detail an alleged Russian campaign with interesting victimology. The tradecraft is run of the phishing however to get the implant down.
In late February, APT29 used a new backdoor variant publicly tracked as WINELOADER to target German political parties with a CDU-themed lure.
This is the first time we have seen this APT29 cluster target political parties, indicating a possible area of emerging operational focus beyond the typical targeting of diplomatic missions.
Based on the SVR’s responsibility to collect political intelligence and this APT29 cluster’s historical targeting patterns, we judge this activity to present a broad threat to European and other Western political parties from across the political spectrum.
https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties
Reporting on China
PRC State-Sponsored Cyber Activity: Actions for Critical Infrastructure Leaders
Please do take note, understand the implications as well as the direction of travel. This is not a drill..
The advisory provides detailed information related to the groups’ activity and describes how the group has successfully compromised U.S. organizations, especially in the Communications, Energy, Transportation Systems, and Water and Wastewater Systems Sectors. The authoring organizations urge critical infrastructure owners and operators to review the advisory for defensive actions against this threat and its potential impacts to national security.
Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks
Joseph C Chen and Daniel Lunghi exploiting ‘mistakes’ in server configurations (not legal in the UK for the private sector to do) to get server side insight into this alleged Chinese threat actors behaviours.
Due to mistakes on the attacker’s side, we managed to retrieve multiple files from Earth Krahang’s servers, including samples, configuration files, and log files from its attack tools. Combining this information with our telemetry helped us understand the Earth Krahang operation and build a clear view of the threat actor’s victimology and interests. In addition, we will also share their preferred malware families and post-exploitation tools in this report.
https://www.trendmicro.com/en_us/research/24/c/earth-krahang.html
Attributing I-SOON: Private Contractor Linked to Multiple Chinese State-sponsored Groups
Recorded Future provide deeper analysis of information stemming from the leaks of an alleged Chinese commercial offensive cyber supplier. But equally importantly a sobering assessment that it is a ‘small’ entity in a much larger network.
Despite the leak, i-SOON, a relatively small entity within China's extensive network of private contractors engaged in state-sponsored cyber activities, is expected to continue its operations with minor adjustments. The revelations may have implications for future US legal actions against i-SOON personnel while providing a deeper understanding of the scale and sophistication of Chinese cyber-espionage efforts.
Notably, since the material was leaked, Insikt Group has already identified newly observed domain and infrastructure developments from i-SOON-linked groups RedAlpha and RedHotel.
Reporting on North Korea
Analysis of RandomQuery secret stealing attack activities organized by APT-C-55 (Kimsuky)
Chinese analysis of alleged North Korean activity showing regional web browser targeting.
During our analysis, we noticed that the sample attempted to steal information related to the Naver Whale browser. Given that Naver Whale is a web browser developed by the Korean company Naver, we speculate that this attack may mainly target organizations or individuals related to South Korea.
North Kimsuky organization's policy advisory camouflage spear phishing
South Korean reporting on alleged North Korean phishing campaign. Nothing overly of note technically as you will see from this paragraph:
This phishing email is 'Please advise on the OO-OOOO joint research project.' It was distributed under the title, and is encouraging downloads of the large file 'OO-OO Advisory Attachment File.hwp'.
https://alyacofficialblog.tistory.com/5354
Analysis of New DEEP#GOSU Attack Campaign Likely Associated with North Korean Kimsuky
D. Iuzvyk, T. Peck and O. Kolesnikov provide insight into the current C2 practices by this alleged North Korean threat actor. It should provide the threat intelligence teams within those companies insight into victimology as well as the ability to disrupt.
All of the C2 communication is handled through legitimate services such as Dropbox or Google Docs allowing the malware to blend undetected into regular network traffic. Since these payloads were pulled from remote sources like Dropbox, it allowed the malware maintainers to dynamically update its functionalities or deploy additional modules without direct interaction with the system .
Reporting on Iran
TA450 Uses Embedded Links in PDF Attachments in Latest Campaign
Joshua Miller and team show that alleged Iranian tradecraft for their lures emulates what some commercial red teams were doing nearly a decade ago. Speak to any red team and they will tell you stories of using ‘bonus’ lures to get their foothold. Maslow hierarchy of needs and all that..
[We] recently observed new activity by the Iran-aligned threat actor TA450 (also known as MuddyWater, Mango Sandstorm, and Static Kitten), in which the group used a pay-related social engineering lure to target Israeli employees at large multinational organizations
Curious Serpens’ FalseFont Backdoor: Technical Analysis, Detection and Prevention
Tom Fakterman, Daniel Frank and Jerome Tujague provide insight into this alleged Iranian implant. Of note is the theft of credentials to a job application platform which has a whiff of the Dream Job esq campaigns.
The threat actor we track as Curious Serpens is also known by other names, such as Peach Sandstorm, APT33, Elfin, HOLMIUM, MAGNALIUM or REFINED KITTEN. According to these reports, Curious Serpens has been active since at least 2013. This threat actor is associated with espionage and has targeted organizations in the Middle East, the United States and Europe.
The FalseFont backdoor is written in ASP .NET Core. Its capabilities include the following:
Executing processes and commands on the infected machine
Manipulating the file system
Capturing the screen
Stealing credentials from browsers
Stealing credentials for an aerospace-industry job application platform, which could contain sensitive aerospace data
FalseFont was observed in the wild, packed in a single native executable that is 182 MB in size. In addition to the malware itself, this executable contains various .NET components and libraries essential for the malware to operate. FalseFont also uses ASP.NET Core SignalR, which is an open-source library for running web applications, for communication with its command and control server (C2).
https://unit42.paloaltonetworks.com/curious-serpens-falsefont-backdoor/
Lord Nemesis Strikes: Supply Chain Attack on the Israeli Academic Sector - OP INNOVATE
Roy Golombick fires a warning shot on alleged Iranian hacktivism but equally importantly a warning for the academic sector in any countries that Iran might be in disagreement with and where tensions are high.
The Iranian hacktivist group Lord Nemesis, also known as ‘Nemesis Kitten’, which emerged onto the cyber scene in late 2023, has previously declared its intention to target Israeli-based organizations.
The group’s first significant success came in late November 2023 when they claimed responsibility for breaching Rashim Software, a leading provider of academic administrations and training management software solutions in Israel. Lord Nemesis allegedly used the credentials obtained from the Rashim breach to infiltrate several of the company’s clients, including numerous academic institutes.
https://op-c.net/blog/lord-nemesis-strikes-supply-chain-attack-on-the-israeli-academic-sector/
Reporting on Other Actors
Bringing Access Back — Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect
Michael Raggi, Adam Aprahamian, Dan Kelly, Mathew Potaczek, Marcin Siedlarz, and Austin Larsen show that initial access brokers are getting into the edge device/service exploitation game at scale. Also why we at NCSC put out our release on Products on your perimeter considered harmful (until proven otherwise). This is also not a drill!
UNC5174 has been linked to widespread aggressive targeting and intrusions of Southeast Asian and U.S. research and education institutions, Hong Kong businesses, charities and non-governmental organizations (NGOs), and U.S. and UK government organizations during October and November 2023, as well as in February 2024.
The actor appears primarily focused on executing access operations. Mandiant observed UNC5174 exploiting various vulnerabilities during this time.
ConnectWise ScreenConnect Vulnerability CVE-2024-1709
F5 BIG-IP Configuration Utility Authentication Bypass Vulnerability CVE-2023-46747
Atlassian Confluence CVE-2023-22518
Linux Kernel Exploit CVE-2022-0185
Zyxel Firewall OS Command Injection Vulnerability CVE-2022-3052
https://www.mandiant.com/resources/blog/initial-access-brokers-exploit-f5-screenconnect
Discovery
How we find and understand the latent compromises within our environments.
They’re watching us: How to detect Pegasus and other spyware on your iOS device?
Sergey Nikitin provides a walk through on how to perform an analysis of iOS devices to attempt to identify infections.
Warning signs of an infection on the device include:
Slower device performance
Spontaneous reboots or shutdowns
Rapid battery drain
Appearance of previously uninstalled applications
Unexpected redirects to unfamiliar websites
https://www.group-ib.com/blog/pegasus-spyware/
Mode Matters: Monitoring PLCs for Detecting Potential ICS/OT Incidents
Michael Holcomb provides a lovely little bit of early stage work here that has promise.
While platforms exist to perform such monitoring, many are considered unaffordable by today’s small- to medium-sized environments. As an alternative, some environments might choose to have personnel walk the site to physically examine PLCs, an action that could put those team members in harm’s way. This research will help provide a basic framework and sample tool for remotely monitoring PLCs to eliminate such a safety risk.
Mastering Cyber Threat Intelligence with Obsidian
Bank Security provides a walkthrough as to the power and opportunity here. Numerous people who have read this have celebrated it and rightly so.
Obsidian offers CTI analysts the ability to use a private Cyber Threat Intelligence dataset to perform live correlations and statistics at scale;
Obsidian can be shaped to become a fast, secure, free, stable, and adaptable CTI platform;
Create graphs and links to correlate information from your dataset, experiment with new ways to represent information, and discover intelligence relations that you hadn’t seen before;
Tailor your CTI workflow with Obsidian’s templates, tags and multiple community plugins.
https://bank-security.medium.com/mastering-cyber-threat-intelligence-with-obsidian-cef6052a0d02
OpenTIDE
Interesting project here, will be good to see how this evolves.
Open Threat Informed Detection Engineering is the European Commission DIGIT.S2 (Security Operations) open source initiative to build a rich ecosystem of tooling and data supporting Cyber Threat Detections
https://code.europa.eu/ec-digit-s2/opentide
Defence
How we proactively defend our environments.
gtpdoor-scan: A multithreaded network scanner to scan for hosts infected with the GTPDOOR malware
The scanner we all wanted for this alleged Chinese implant by HaxRob. Go forth and discover latent compromises.
A multithreaded network scanner to scan for hosts infected with the GTPDOOR malware.
Three detection methods supported:
ACK scan (detects GTPDOOR v2)
TCP connect scan (detects GTPDOOR v2)
GTP-C GTPDOOR message type 0x6 (detects GTPDOOR v1 + v2) if default hardcoded key has not been changed
Note that for 1+2, the GTPDOOR implant must have ACLs configured for it's TCP RST/ACK beacon to respond. Given these conditions, it cannot be guaranteed that GTPDOOR will be detected alone from active network scanning.
https://github.com/haxrob/gtpdoor-scan/
Unfiltered: Measuring Cloud-based Email Filtering Bypasses
Sumanth Rao, Enze Liu, Grant Ho, Geoffrey M. Voelker and Stefan Savage provide some excellent means of measurement in this release on the efficacy of the control.
We document a multi-step methodology to infer if an organization has correctly configured its email hosting provider to guard against such scenarios. Then, using an empirical measurement of edu and com domains as a case study, we show that 80% of such organizations making use of popular cloud-based email filtering services can be bypassed in this manner. We also discuss reasons that lead to such misconfigurations and outline challenges in hardening the binding between email filtering and hosting providers.
https://sumanthvrao.github.io/papers/rao-www-2024.pdf
Spoofed Emails: An Analysis of the Issues Hindering a Larger Deployment of DMARC
Olivier Hureau , Jan Bayer, Andrzej Duda , and Maciej Korczyński also provide some delicious science.
We also identify email addresses in DMARC records belonging to 9,121 unregistered domain names, which unintended users could register, leading to potential data leakage from the email systems of domain owners.
https://pam2024.cs.northwestern.edu/pdfs/paper-32.pdf
https://github.com/drakkar-lig/abnf-dmarc-parser
Dom-BERT: Detecting Malicious Domains with Pre-training Model
Yu Tian and Zhenyu Li bring the data science to the detection challenge space.
The results notably illustrate that Dom-BERT surpasses the state-of-the-art solutions, achieving higher F1 scores and demonstrating resilience to class imbalance.
In order to solve the class-imbalance problem, which remains an endemic quandary in malicious domain detection, this paper proposes a malicious domain detection model named Dom-BERT which can fully excavate both the local features of the domains themselves through BERT and the interactive behaviors among clients, domains and IP addresses by random walks on the heterogeneous graph. W
https://pam2024.cs.northwestern.edu/pdfs/paper-16.pdf
Didi builds a new generation log storage system based on Clickhouse
How a Chinese company built its log storage system.
In the context of pursuing cost reduction and efficiency improvement, we began to seek new storage solutions. After research, we decided to use CK as storage support for Didi’s internal logs. It is understood that many companies such as JD.com, Ctrip, and Bilibili are also trying to use CK to build log storage systems in industry practice.
Making Mojo Exploits More Difficult
Further defence in depth for browser from the MSFT team through attack surface reduction.
Today, we’re excited to announce a new security protection in Microsoft Edge and other Chromium-based browsers that defends against attackers being able to leverage an exploit in a Renderer Process to escape the Renderer sandbox. The change prevents attackers from using an exploit to enable the Mojo JavaScript bindings (MojoJS) for their site context within the Renderer.
https://microsoftedge.github.io/edgevr/posts/Making-Mojo-Exploits-More-Difficult/?ref=news.risky.biz
mindgraph
Yohei Nakajima releases a tool which will have a wide number of use cases in the cyber defence arena.
MindGraph, a proof of concept, open-source, API-first graph-based project designed for natural language interactions (input and output). This prototype serves as a template for building and customizing your own CRM solutions with a focus on ease of integration and extendibility
https://github.com/yoheinakajima/mindgraph
Canary Infra: Bringing Honeypots towards general adoption
Andy Smith does the big unveil of their approach which I suspect will inspire others.
I'm going to explore the different flavours of "honeypotting" or "deception" and present a new idea that we think is finally going to make this approach standard for teams of all sizes and stages of maturity: canary infra.
https://tracebit.com/blog/2024/03/canary-infra-bringing-honeypots-into-general-adoption/
Incident Writeups & Disclosures
How they got in and what they did.
IMF Investigates Cyber-Security Incident
from the IMF
The investigation determined that eleven (11) IMF email accounts were compromised. The impacted email accounts were re-secured. We have no indication of further compromise beyond these email accounts at this point in time. The investigation into this incident is continuing.
https://www.imf.org/en/News/Articles/2024/03/15/pr2488-imf-investigates-cyber-security-incident
Vulnerability
Our attack surface.
BlueSpy - Spying on Bluetooth conversations
Jesús María Gómez Moreno identifies a vulnerability that will just keep on giving and likely lead to some impact due to exploitation by the less then scrupulous and ethical.
BlueSpy exploits the fact that the “JustWorks” mechanism can be used during pairing, which does not require secure pairing. In combination with a discoverable device in pairing mode, anyone using BlueSpy can initiate the pairing, set a shared key, connect to the headset, and start using it as if it were a legitimate user. In this case, they can activate the microphone and eavesdrop on conversations.
https://www.tarlogic.com/blog/bluespy-spying-on-bluetooth-conversations/
Generic and Automated Drive-by GPU Cache Attacks from the Browser
Lukas Giner, Roland Czerny, Christoph Gruber, Fabian Rauscher, Andreas Kogler, Daniel De Almeida Braga and Daniel Gruss demonstrate an attack which will be interesting to see if it gets exploited in the real-world.
First, we present an inter-keystroke timing attack with high F1-scores, i.e., 82 % to 98 % on NVIDIA. Second, we demonstrate a generic, set-agnostic, end-to-end attack on a GPU-based AES encryption service, leaking a full AES key in 6 minutes. Third, we evaluate a native-to-browser data-exfiltration scenario with a Prime+Probe covert channel that achieves transmission rates of up to 10.9 kB/s. Our attacks require no user interaction and work in a time frame
https://ginerlukas.com/publications/papers/WebGPUAttacks.pdf
Offense
Attack capability, techniques and trade-craft.
‘Bypassing’ Windows Hello for Business for Phishing
Yehuda Smirnov releases research and the mitigation which should be heeded.
it is possible to phish the phishing resistant authentication method: Windows Hello for Business by downgrading the authentication, here’s how you can defend from it
Strong Authentication for Cloud Apps - to counter attacks as described above, it’s advised to enable strong, phishing-resistant authentication across all cloud applications.
https://medium.com/@yudasm/bypassing-windows-hello-for-business-for-phishing-181f2271dc02
DNS Tunnel Keylogger
Geeoon Chung provides a capability which it will be interesting to see how challenging it is to detect. Takes me back to Cobalt Strike a bit..
This post-exploitation keylogger will covertly exfiltrate keystrokes to a server.
These tools excel at lightweight exfiltration and persistence, properties which will prevent detection. It uses DNS tunelling/exfiltration to bypass firewalls and avoid detection.
https://github.com/Geeoon/DNS-Tunnel-Keylogger
PrismX · Integrated lightweight cross-platform penetration system
From China with love..
https://github.com/yqcs/prismx
Summoning RAGnarok With Your Nemesis
How Red Teams are using LLMs in their pipelines to extract value from the data they exfiltrate.
we’re going to focus on one specific use case: answering questions about files downloaded from a command and control (C2) agent.
https://posts.specterops.io/summoning-ragnarok-with-your-nemesis-7c4f0577c93b
EvilGinx Github Workflow
What CI/CD of offensive purposes looks like and
workflow for keeping a version of EvilGinx free of the static IOC's and up to date
gist.github.com/Flangvik/d0e5c141c0b57ae75c408a6447673296
Building An AITM Attack Tool In Cloudflare Workers (174 lines of code)
Hopefully Cloudflare will nuke server side
https://zolder.io/aitm-attacks-using-cloudflare-workers/
VexTrio’s Browser Fingerprinting
Gi7w0rm details the sophistication implemented here by offensive threat actors. Noteworthy as this is a criminal operation.
the fingerprinting stage of VexTrio, a malicious TDS (Traffic Distribution System) currently injected into webpages across the globe, that redirects visitors to an array of different fraudpages. Its functionality is probably best described like this:
the purpose of this blog post is not to shed light on the initial VexTrio injection page, but on the several methods used to redirect victims to the different kinds of fraud that can be delivered by the VexTrio TDS.
https://gi7w0rm.medium.com/vextrios-browser-fingerprinting-aeb721be6e30
Exploitation
What is being exploited.
A case of missing bytes: bruteforcing your way through Jenkins’ CVE-2024-23897
https://www.errno.fr/bruteforcing_CVE-2024-23897.html
Two Bytes is Plenty: FortiGate RCE with CVE-2024-21762
https://www.assetnote.io/resources/research/two-bytes-is-plenty-fortigate-rce-with-cve-2024-21762
Pixel_GPU_Exploit: Android 14 kernel exploit for Pixel7/8 Pro
https://github.com/0x36/Pixel_GPU_Exploit
Gaining kernel code execution on an MTE-enabled Pixel 8
https://github.blog/2024-03-18-gaining-kernel-code-execution-on-an-mte-enabled-pixel-8/
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
The Return of the Frame Pointers (in Linux) - security benefit also in detection strategies
There will be useful for a host of reasons in the detection space - this thread Sean Heelan and I had may also be of interest where he noted.
One thing to note is the post is somewhat wrong in terms of what’s possible without frame pointers. Prodfiler/Elastic Universal Profiler works without them, *and* handles Java.
https://www.brendangregg.com/blog/2024-03-17/the-return-of-the-frame-pointers.html
LLM4Decompile: Decompiling Binary Code with Large Language Models
Hanzhuo Tan, Qi Luo, Jing Li and Yuqun Zhang hint at the possibility here, although naturally real-world performance is the proof..
The benchmark emphasizes the importance of evaluating the decompilation model from the perspective of program semantics. Experiments indicate that our LLM4Decompile has demonstrated the capability to accurately decompile 21% of the assembly code, which achieves a 50% improvement over GPT-4.
https://arxiv.org/abs/2403.05286
reverser ai
Tim Blazytko provides a capability which will be useful to those working in air gapped environments.
ReverserAI is a research project designed to automate and enhance reverse engineering tasks through the use of locally-hosted large language models (LLMs). Operating entirely offline, this initial release features the automatic suggestion of high-level, semantically meaningful function names derived from decompiler output. ReverserAI is provided as a Binary Ninja plugin; however, its architecture is designed to be extended to other reverse engineering platforms such as IDA and Ghidra.
ReverserAI serves as a proof of concept that demonstrates the potential of leveraging local LLMs for reverse engineering tasks on consumer-grade hardware. Currently, its primary functionality is to offer function name suggestions, but there exists significant scope for enhancement and expansion. Future directions could include:
Investigating additional interaction methods and parameters with LLMs to enhance quality and processing speed.
Adding network communication for hosting the ReverserAI agent on a powerful server, circumventing local hardware constraints.
Fine-tuning existing models or developing specialized models tailored to reverse engineering needs.
Expanding functionality to include code explanations, analysis, and bug detection, subject to scalability and feasibility.
Extending support to other reverse engineering platforms such as IDA and Ghidra.
https://github.com/mrphrazer/reverser_ai
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Aggregate reporting
Exposure Management: The Evolution of Vulnerability Management - Gartner has said the world needs Continuous Threat Exposure Management (CTEM) - "CTEM is not just about vulnerability and posture management, it’s a process to help prioritize risk reduction based on business impact."
Artificial intelligence
Books
Nothing this week.
Events
Passive and Active Measurement Conference 2024 - The Passive and Active Measurement (PAM) conference brings together researchers and operators to discuss novel and emerging work in the area of network measurement and analysis
Call for Papers: Social Science of Cyberspace Security & Creating Social Cyber Value
Unless stated otherwise, linked or referenced content does not necessarily represent the views of the NCSC and reference to third parties or content on their websites should not be taken as endorsement of any kind by the NCSC. The NCSC has no control over the content of third party websites and consequently accepts no responsibility for your use of them.
This newsletter is subject to the NCSC website terms and conditions which can be found at https://www.ncsc.gov.uk/section/about-this-website/terms-and-conditions and you can find out more about how will treat your personal information in our privacy notice at https://www.ncsc.gov.uk/section/about-this-website/privacy-statement.