CTO at NCSC Summary: week ending March 31st - 🐰🥚 edition
Chinese actors attributed for various global activities...
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week edge devices continue to be a cause of concern. The challenges around the levels of apparent technical debt in these platforms, coupled with low levels of observability along with what appears to be a variety of threat actors who can find and exploit vulnerabilities are very real.
In the high-level this week:
UK calls out China state-affiliated actors for malicious cyber targeting of UK democratic institutions and parliamentarians - "APT31, a China state-affiliated actor, was almost certainly responsible for targeting UK parliamentarians’ emails in 2021."
UK holds China state-affiliated organisations and individuals responsible for malicious cyber activity - “The United Kingdom, supported by allies globally, have today identified that Chinese state-affiliated organisations and individuals were responsible for 2 malicious cyber campaigns targeting democratic institutions and parliamentarians.”
Seven Hackers Associated with Chinese Government Charged with Computer Intrusions Targeting Perceived Critics of China and U.S. Businesses and Politicians - US Department of Justice - “Defendants Operated as Part of the APT31 Hacking Group in Support of China’s Ministry of State Security’s Transnational Repression, Economic Espionage and Foreign Intelligence Objectives”
U.S. Takes Action to Further Disrupt PRC Cyber Activities - US Department of State reports - “The U.S. Department of the Treasury is sanctioning Zhao, Ni, and the Wuhan Xiaoruizhi Science and Technology Company, Limited (Wuhan XRZ), for their roles in malicious cyber activities targeting U.S. critical infrastructure sectors that present a significant threat to U.S. national security, pursuant to Executive Order 13694. “
UK politicians should use ‘disappearing messages’ on devices, says GCHQ - reports the Financial Times - this is based on NCSC Guidance for high-risk individuals on protecting your accounts and devices
Responding to a cyber incident - a guide for CEOs - by us at the National Cyber Security Centre.
Related a report on Cybersecurity, Audit and the Board - correlation/causation risks not withstanding - “Our analysis consists of publicly traded large to mid cap indices across Australia, Canada, France, Germany, Japan, the United Kingdom and the United States. Leveraging board data sourced from Diligent Market Intelligence in late November 2023, we examined the board structures and directors skillset backgrounds of these companies. The data was then correlated with security rating data obtained from Bitsight between December 2023 and February 2024. “ - “Companies with advanced cybersecurity ratings create nearly 4X shareholder value”
UN final report - "The Panel is investigating 58 suspected cyberattacks by the Democratic People’s Republic of Korea on cryptocurrency-related companies between 2017 and 2023, valued at approximately $3 billion, which reportedly help to fund the country’s development of weapons of mass destruction."
CEO of Data Privacy Company Onerep.com Founded Dozens of People-Search Firms - “The free data breach notification service is a partnership with Have I Been Pwned (“HIBP”),” the Mozilla Foundation explains. “The automated data deletion service is a partnership with OneRep to remove personal information published on publicly available online directories and other aggregators of information about individuals (“Data Broker Sites”).”
Comparative Assessment of the DHS Harmonization of Cyber Incident Reporting to the Federal Government Report - and the Rules on Incident Reporting in the EU Directive on Measures for a High Common Level of Cybersecurity Across the Union (NIS 2 Directive)
Cyber-diplomacy: The Emergence of a Transient Field - The Hague Journal of Diplomacy - “based on 40 interviews conducted with diplomats and experts involved in the emergence of cyber-diplomacy. It looks at the idiosyncratic evolution of this field within specific nation states as well as overall developments at the international level, particularly within the context of the United Nations.”
Why cyber indictments and sanctions matter - Australian Strategic Policy Institute - “These grey zone activities fall short of conventional conflict but we must take them for what they are: state-on-state attacks. “
Advancing the framework of responsible State behaviour in cyberspace through the Harms Methodology - Cyber Peace Institute - “Through this collaborative process and the resulting Methodology, we aim to better integrate the reflections on harms and impact into ongoing discussions about the implementation of the norms of responsible behaviour at the OEWG. “
Cultural and technological change in the future information environment - RAND Corporation - “To support UK Defence in contextualising the future impact of new and emerging technologies, [We] conducted a study examining how technological developments in the information environment may shape culture out to 2050. “
Skills shortage and unpatched systems soar to high-ranking 2030 cyber threats - ENISA - “publishes the executive summary of this year’s ‘Foresight Cybersecurity Threats for 2030’ presenting an overview of key findings in the top 10 ranking.”
Defending Democracy
Kremlin hackers attack German parties - Spiegel reports - “According to SPIEGEL information, the attackers apparently targeted members of the CDU, among others, and warnings were sent to other German parties.”
Investigation into hacking of (Finland’s) Parliament's information systems has been ongoing - Finish Police report “The police recorded a report of the incident in 2020. It is suspected that the offences were committed between autumn 2020 and early 2021. The police have previously informed that they investigate the hacking group APT31's connections with the incident. These connections have now been confirmed by the investigation, and the police have also identified one suspect.”
[New Zealand] GCSB has reported Parliamentary network breached by the PRC - “The GCSB has also established links between a state-sponsored actor linked to PRC and malicious cyber activity targeting Parliamentary entities in New Zealand.”
Reporting on/from China
Promote and standardize cross-border data flow regulations - from the Chinese Government - Framework from China for data classification which will be used to decide which can be sent overseas.
Reuters reports - China relaxes security review rules for some data exports
China warns foreign hackers are infiltrating ‘hundreds’ of business and government networks reports South Morning China Post - “The message comes as Beijing broadens scope of anti-espionage law to cover online attacks and prepares to expand penalties for data violations”
US says Chinese firm SMIC’s Huawei chip ‘potentially’ broke American law -reports South Morning China Post - ”A senior US official reiterated that SMIC’s 7-nm semiconductor process is ‘low-yield’, but said he cannot comment on potential investigations”
A New Era for the Chinese Semiconductor Industry: Beijing Responds to Export Controls - reports American Affairs Journal - “Many other pieces of the semiconductor manufacturing industry are also targets of renewed efforts to build domestic Chinese alternatives, such as design tools, advanced materials, advanced packaging techniques, and systems engineering approaches designed to improve performance via a systems-led approach, rather than relying solely on process-node improvements.”
Huawei Tests Brute-Force Method for Making More Advanced Chips - reports Bloomberg “a secretive chipmaking partner in China have filed patents for a low-tech but potentially effective way to make advanced semiconductors, raising the prospect that China could improve chip production techniques despite US efforts to halt its progress.”
Geely-Backed Auto Suppliers Unveil 7nm Smart Drive Chip to Rival Nvidia - “unveiled a 7-nanometer smart drive chip with a maximum computing power comparable to Nvidia’s Orin chip that powers self-driving vehicles.”
Artificial intelligence
U.S. Department of the Treasury Releases Report on Managing Artificial Intelligence-Specific Cybersecurity Risks in the Financial Sector - “In the report, Treasury identifies significant opportunities and challenges that AI presents to the security and resiliency of the financial services sector.”
Towards Secure AI: How far can international standards take us? - Alan Turing Institute “We recommend governments redouble their efforts to support SDOs and to ensure crucial international standards are made available and accessible to those who need to implement them.”
(Chinese) "Artificial Intelligence Law (Draft of Scholars' Suggestions)" is here - “This week a group of influential Chinese AI policy scholars released their recommended draft version of proposed AI Law”
National Telecommunications and Information Administration
United States Department of Commerce - - “Open-source AI models, AI models with widely available model weights, and components of AI systems generally are of tremendous interest and raise distinct accountability issues. The AI EO tasked the Secretary of Commerce with soliciting input and issuing a report on “the potential benefits, risks, and implications, of dual-use foundation models for which the weights are widely available, as well as policy and regulatory recommendations pertaining to such models”
Readout of Secretary Raimondo’s Meeting with Stakeholders on Open AI Models - “The Secretary commented on the Department of Commerce’s focus on the understanding the full spectrum of benefits and risks associated with development of open AI models, and the Department’s ongoing efforts to develop policy that manages security and societal risks without forgoing benefits to innovation, safety research, competition and more”
State of California Department of Technology Office of Information Security Generative Artificial Intelligence Risk Assessment - their actual risk assessment based on a NIST framework.
Japanese startup generates AI models from 'evolutionary' process - “Sakana has released three generative AI models -- a large language model, an image-to-text model and an image generation model -- using the "nature-inspired" mechanism, which it calls the first of its kind in the world.”
Exclusive: Behind the plot to break Nvidia’s grip on AI by targeting software - “Now a coalition of tech companies that includes Qualcomm , Google and Intel plans to loosen Nvidia’s chokehold by going after the chip giant’s secret weapon: the software that keeps developers tied to Nvidia chips. They are part of an expanding group of financiers and companies hacking away at Nvidia's dominance in AI.”
Cyber proliferation
The UAE's Crowdfense has relaunched its zero-day acquisition programme with more funds and a broader scope - Intelligence Online reports “Following months of restructuring, the Emirati vulnerabilities reseller has revised its zero-day exploit acquisition programme with an even larger bounty package than before.”
Investors’ pledge to fight spyware undercut by past investments in US malware maker - The Record reports “Paladin, one of the biggest investors in cybersecurity startups, and several other venture firms published a set of voluntary investment principles, noting that they would invest in companies that “enhance the defense, national security, and foreign policy interests of free and open societies.”
Bounty Hunting
Just one - $10 million..
No reflections this week..
Think someone else would benefit? Share:
All attribution is by others and not the UK Government unless specifically stated as such, please see the legal text at the end.
Have a lovely Thursday..
Ollie
Cyber threat intelligence
Who is doing what to whom and how allegedly.
Reporting on Russia
The latest backdoor of the APT28 organization has built-in a large number of controlled mailboxes (which can be logged in successfully) for data theft
Reporting from China on this alleged Russian implant used in among other places Ukraine. Of note is the fact that not all command and control is DNS domain, phone home or port knocking & service based.
According to the sample analysis results, the malicious behavior utilization method of this OCEANMAP backdoor is different from our common Trojan horse utilization methods. This OCEANMAP backdoor receives remote control commands through email and returns remote command execution results;
Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns
Joe Fasulo, Claire Zaboeva and Golo Mühr provide further reporting on the same alleged Russian threat actor and the scale / breadth of their phishing campaign.
As of March 2024, [we are] tracking multiple ongoing ITG05 phishing campaigns featuring lure documents crafted to imitate authentic documents of government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production.
https://securityintelligence.com/x-force/itg05-leverages-malware-arsenal/
Reporting on China
ASEAN Entities in the Spotlight: Chinese APT Group Targeting
Reporting of an alleged China operation which in 2024 uses .exe’s in .zip’s and .scr files. It does feel like the 90s called and wants its tradecraft back. The greater cause for concern is that if it didn’t work as a set of TTPs they wouldn’t be using it. Much to do..
Over the past 90 days, [our] researchers have identified two Chinese advanced persistent threat (APT) groups conducting cyberespionage activities against entities and member countries affiliated with the Association of Southeast Asian Nations (ASEAN):
The first APT group, Stately Taurus, created two malware packages we believe targeted entities in Myanmar, the Philippines, Japan and Singapore. The timing of these campaigns coincided with the ASEAN-Australia Special Summit, held March 4-6, 2024.
The second Chinese APT group compromised an ASEAN-affiliated entity. This APT group has targeted various Southeast Asia government entities including Cambodia, Laos and Singapore in recent months.
https://unit42.paloaltonetworks.com/chinese-apts-target-asean-entities/
Reporting on North Korea
The Updated APT Playbook: Tales from the Kimsuky threat actor group
Reporting on a suspected North Korean operation which uses a collection of well known file types in their phishing operations. I mentioned in the old version of this newsletter Content Disarm & Reconstruction is the single most effective control here.
Our latest findings lead us to observations that we believe are Kimsuky using CHM files which are delivered in several ways, as part of an ISO|VHD|ZIP or RAR file. The reason they would use this approach is that such containers have the ability to pass the first line of defense and then the CHM file will be executed.
APT37 group's RoKRAT fileless attacks increase
South Korean commercial reporting on suspect North Korean activity which has been covered by others. A collection of early 2000s tradecraft coupled with some cloud command and control.
Impersonating North Korea-related questionnaires, manuscript materials, security columns, contributions, monthly magazines, etc.
Delivered by hiding an LNK type malicious file inside a ZIP compressed file
Exploiting cloud storage such as DropBox, pCloud, etc. as a base for attack
APT37 group's ongoing RoKRAT fileless attacks
https://www.genians.co.kr/blog/threat_intelligence/rokrat
Alert to companies regarding North Korean IT workers
An alert from Japan’s National Policing Agency. This is where insider threat is a real thing. In the UK NCSC’s peers in the National Protective Security Agency provide guidance on insider risk.
“The country sends IT workers abroad, who earn money by lying about their identity and accepting jobs." ... "In addition, North Korean IT workers were involved in North Korean malicious cyber activities"
Reporting on Iran
Nothing this week
Reporting on Other Actors
Technical Threat Intelligence Report on Earth Kapre/RedCurl
Interesting reporting here which shows the level of sophistication in some criminal enterprises looks much like an effective commercial red team. Shouldn’t come as a surprise, but likely should be a concern given the devasting effectiveness of good red teams.
Earth Kapre/RedCurl employs a blend of custom malware and publicly available hacking tools to infiltrate target networks and exfiltrate sensitive information. Unlike many cybercriminal groups, they do not rely on ransomware or direct financial theft but instead aim to steal internal corporate documents, such as staff records, court files, and enterprise email histories. The group demonstrates exceptional red teaming skills and a keen ability to bypass traditional antivirus solutions.
https://krypt3ia.wordpress.com/2024/03/17/tlp-white/
The Darkside Of TheMoon
Criminal scale in 2024 of covert infrastructure..
A multi-year campaign targeting end-of-life (EoL) small home/small office (SOHO) routers and IoT devices, associated with an updated version of “TheMoon” malware. TheMoon, which emerged in 2014, has been operating quietly while growing to over 40,000 bots from 88 countries in January and February of 2024.
As our team has discovered, the majority of these bots are used as the foundation of a notorious, cybercriminal-focused proxy service, known as Faceless.
identified the logical map of the Faceless proxy service, including a campaign that began in the first week of March 2024 that targeted over 6,000 ASUS routers in less than 72 hours. Faceless is an ideal choice for cyber-criminals seeking anonymity, our telemetry indicates this network has been used by operators of botnets such as SolarMarker and IcedID.
https://blog.lumen.com/the-darkside-of-themoon/
PROXYLIB and LumiApps Transform Mobile Devices into Proxy Nodes
This is a game of professional whack-a-mole, also note the VPN app not being entirely wholesome.
In May 2023, researchers at a measurement company found malicious behavior in a single free VPN application—Oko VPN— on Google’s Play Store. The research resulted in Oko VPN’s removal from the Play Store.
Based on further analysis of Oko VPN, Satori researchers uncovered 28 applications related to PROXYLIB.
Satori researchers later discovered a subsequent version of PROXYLIB offered online via the LumiApps SDK as well as other adaptations by the threat actor that used the same Golang library to turn the device into a proxy node
Attack Using Fake Python Infrastructure - Over 170K Users Affected
Tal Folkman, Yehuda Gelb, Jossef Harush Kadouri and Tzachi Zornshtain detail a campaign which is of concern due to its sheer scale and relative complexity. Someone really is taking a swing here.
An attacker combined multiple TTPs to launch a silent software supply chain attack, stealing sensitive information from victims.
Multiple malicious open-source tools with clickbait descriptions were created by the threat actors to trick victims, most likely coming from search engines.
An attacker distributed a malicious dependency hosted on a fake Python infrastructure, linking it to popular projects on GitHub and to legitimate Python packages. GitHub accounts were taken over, malicious Python packages were published, and social engineering schemes were used by the threat actors.
The multi-stage and evasive malicious payload harvests passwords, credentials, and more dumps of valuable data from infected systems and exfiltrates them to the attacker’s infrastructure.
In this attack, the threat actors deployed a fake Python packages mirror, which was successfully used to deploy a poisoned copy of the popular package “colorama”.
Among the victims is also a top.gg contributor, whose code repository of the top.gg community (170K+ members) was affected by the attack.
https://checkmarx.com/blog/over-170k-users-affected-by-attack-using-fake-python-infrastructure/
Discovery
How we find and understand the latent compromises within our environments.
Artificial intelligence encrypted traffic detection technology based on adaptive learning
Chinese reporting here on some work done to detect different types of command and control in encrypted channels.
In a live network environment, we conducted a detection comparison between the solidified model and the adaptive model for Cobalt Strike detection and Webshell detection of the TLS protocol. The results are as follows:
For Webshell detection, we collected a total of 50,000 white traffic in the existing network, and used the fixed model and the adaptive model for detection and comparison. Experimental results show that there are 1,300 solid model detection results with scores higher than 50, while there are only 140 adaptive model results. (A score higher than 50 means that the model is more likely to predict that the traffic is black traffic than to predict it to be white traffic)
For Cobalt Strike detection, we also collected a total of 50,000 white traffic in the live network, and used the solidified model and the adaptive model for detection and comparison. The experimental results show that there are 53 solid model detection results with scores higher than 50 points, while there is only 1 adaptive model result.
It can be seen from the test results that false alarms are significantly reduced after adopting the adaptive model. This shows that the adaptive model has better accuracy and robustness in the live network environment, can more effectively identify real threats, and reduces the problem of false positives.
(Anti-)Anti-Rootkit Techniques - Part I: UnKovering mapped rootkits
Eversinc33 provides a new capability that if run at scale will potentially no doubt create cause for concern.
A PoC anti-rootkit that can detect drivers mapped to kernel memory. Think Moneta, but for the kernel (obviously this is a simplified comparison).
https://eversinc33.com/posts/anti-anti-rootkit-part-i/
https://github.com/eversinc33/unKover
Trail Discover
Adan Álvarez gives a practically useful resource to support cloud defenders.
An evolving repository of CloudTrail events with detailed descriptions, MITRE ATT&CK insights, real-world incidents references, other research references and security implications.
https://github.com/adanalvarez/TrailDiscover
XProtect-Malware-Families: Mapping XProtect's obfuscated malware family names to common industry names
Mapping XProtect's obfuscated malware family names to common industry names.
This is a work-in-progress that is primarily intended to map the obfuscated (alphanumeric) names used by Apple to more common names used by commercial vendors and found in public malware repos like VirusTotal.
https://github.com/SentineLabs/XProtect-Malware-Families/
Manage the deception capability in Microsoft Defender XDR
Deception goes mainstream with this release..
The deception capability automatically generates authentic-looking decoy accounts, hosts, and lures. The fake assets generated are then automatically deployed to specific clients. When an attacker interacts with the decoys or lures, the deception capability raises high confidence alerts, helping in security team's investigations and allowing them to observe an attacker's methods and strategies.
https://learn.microsoft.com/en-us/microsoft-365/security/defender/deception-overview
EDR Telemetry Tracking for Windows
Kostas does what he does best here..
EDR Telemetry Project to make the table accessible for color vision deficiencies, map all sub-categories to Mitre ATT&CK and more.
Defence
How we proactively defend our environments.
Passkeys - under the hood
Sylvain Pelissier walks through their perspective on Passkeys
We noticed that the threat model has changed between hardware security keys and passkeys since at some point the user private key is present in the user’s system for passkeys. Even if passkeys solved the user credential back-up problem, the threat model needs to be assessed according to the use cases.
https://research.kudelskisecurity.com/2024/03/14/passkeys-under-the-hood/
Hybrid Identity Solutions Guidance
From CISA
Identity management for a traditional on-premises enterprise network is usually handled by an on-premises directory service (e.g., Active Directory). When organizations leverage cloud solutions and attempt to integrate them with their on-premises systems (creating a “hybrid” environment), identity management can become significantly more complex. On-premises identity management solutions need to securely and efficiently integrate with those applied in the cloud to achieve interoperability. The Cybersecurity and Infrastructure Security Agency (CISA) developed this Hybrid Identity Solutions Guidance to help readers better understand identity management capabilities, the tradeoffs that exist in various implementation options, and factors that should be considered when making implementation decisions.
https://www.cisa.gov/sites/default/files/2024-03/SCuBA-Hybrid%20Identity%20Solutions%20Guidance.pdf
How Apple Mitigates Vulnerabilities in Installer Scripts
Csaba Fitzl details both attack surface and also how Apple has attempted to address.
We’ll look at Apple's recent efforts to mitigate an entire class of installer-script vulnerabilities. We will cover:
Why Apple-signed installers are great targets for attackers;
A high-level overview of such vulnerabilities from the past; and
A deep-dive into how Apple attempts to mitigate these vulnerabilities with a new design in the PackageKit private framework.
https://blog.kandji.io/apple-mitigates-vulnerabilities-installer-scripts
Incident Writeups & Disclosures
How they got in and what they did.
ShadowRay: First Known Attack Campaign Targeting AI Workloads Exploited In The Wild
Avi Lumelsky, Guy Kaplan and Gal Elbaz detail an interesting incident if for no reason other than the software is used for ‘AI’. Reminding us it is just software underneath..
[We] discovered an active attack campaign targeting a vulnerability in Ray, a widely used open-source AI framework. Thousands of companies and servers running AI infrastructure are exposed to the attack through a critical vulnerability that is under dispute and thus has no patch. This vulnerability allows attackers to take over the companies' computing power and leak sensitive data. This flaw has been under active exploitation for the last 7 months, affecting sectors like education, cryptocurrency, biopharma and more.
https://www.oligo.security/blog/shadowray-attack-ai-workloads-actively-exploited-in-the-wild
Vulnerability
Our attack surface.
RCE encounters a breakthrough in restricted shells
Chinese research on various ways to break out of restrictive appliance command shells.
Offense
Attack capability, techniques and trade-craft.
How Rogue ISPs Tamper With Geofeeds
We have seen this before where networks clearly related to one country (due to trace routes) have claimed to be physically elsewhere.
However, as the example of AS203168 demonstrates, geofeed contents may be worth approaching with caution. By deliberately injecting inaccurate information, rogue ISPs may seek to (selectively or opportunistically) poison databases created by geolocation
https://medium.com/@DCSO_CyTec/how-rogue-isps-tamper-with-geofeeds-4dbc38db4123
Preventing Cross-Service UDP Loops in QUIC
Damian Menscher highlights once again with new protocols come new threats. This will be one of those long tail issues…
Several years ago, a ~10-minute CLDAP amplification attack targeted our QUIC implementation. The attack was carried out by sending requests to thousands of CLDAP servers all over the world with a faked source IP address to make it appear the requests had originated from Google.
Curiously, a small fraction (around 400) of the remote servers didn't operate as expected, and rather than discard our QUIC Reset packets as malformed CLDAP requests, they instead reflected those packets back to us. We responded to the reflected Reset packet with a new Reset, thereby completing the loop. The result was a sustained 20 million packets per second (Mpps) bouncing between the misbehaving reflectors and our servers.
https://bughunters.google.com/blog/5960150648750080/preventing-cross-service-udp-loops-in-quic
Exploitation
What is being exploited.
A review of zero-day in-the-wild exploits in 2023
Maddie Stone and James Sadowski give us a solid graph. But also remind ourselves that what is reported / observed is not totality.
https://blog.google/technology/safety-security/a-review-of-zero-day-in-the-wild-exploits-in-2023/
Flipping Pages: An analysis of a new Linux vulnerability in nf_tables and hardened exploitation techniques
notselwyn details this (Dirty Pagedirectory) exploitation technique in practice.
A tale about exploiting KernelCTF Mitigation, Debian, and Ubuntu instances with a double-free in nf_tables in the Linux kernel, using novel techniques like Dirty Pagedirectory. All without even having to recompile the exploit for different kernel targets once.
Then there is the exploit:
https://github.com/notselwyn/cve-2024-1086
CVE-2023-48788: Fortinet FortiClient EMS SQL Injection Deep Dive
James Horseman releases an exploit for this vulnerability..
https://github.com/horizon3ai/CVE-2023-48788
TeamCity Vulnerability Exploits Lead to Jasmin Ransomware, Other Malware Types
Junestherry Dela Cruz and Peter Girnus shows the now diverse set of intents around the exploitation of this vulnerability..
Threat actors can exploit CVE-2024-27198 to perform a variety of malicious operations (which will be discussed in separate subsections), including:
Dropping the Jasmin ransomware
Deploying the XMRig cryptocurrency miner
Deploying Cobalt Strike beacons
Deploying the SparkRAT backdoor
Executing domain discovery and persistence commands
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
Bare-metal KASan implementation
Eugene Rodionov provides a capability which IoT/embedded OEMs should factor into their testing cycles. Bootroms and basebands around the world rejoice with their new found security as a result..
This project demonstrates how to enable Kernel Address Sanitizer (KASan) for bare-metal code running on ARM, RISC-V and x86 architectures. It implements a set of KASan test cases that catch various classes of memory corruption bugs at runtime.
https://github.com/androidoffsec/baremetal_kasan
Analyse, hunt and classify malware using .NET metadata
Bart details some detection tradecraft which will come in use.
.NET assemblies or binaries often contain all sorts of metadata, such as the internal assembly name and GUIDs, specifically; the MVID and TYPELIB.
GUID: Also known as the TYPELIB ID, generated when creating a new project.
MVID: Module Version ID, a unique identifier for a .NET module, generated at build time.
TYPELIB: the TYBELIB version – or number of the type library (think major & minor version).
https://bartblaze.blogspot.com/2024/03/analyse-hunt-and-classify-malware-using.html
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Aggregate reporting
Microsoft and ASD Join Forces: Uniting Sentinel and CTIS for Enhanced Cyber Resilience
Artificial intelligence
EasyJailbreak: A Unified Framework for Jailbreaking Large Language Models
What Was Your Prompt? A Remote Keylogging Attack on AI Assistants
Scaling Behavior of Machine Translation with Large Language Models under Prompt Injection Attacks
A Comprehensive Study of Real-Time Object Detection Networks Across Multiple Domains: A Survey
Books
Nothing this week.
Events
Unless stated otherwise, linked or referenced content does not necessarily represent the views of the NCSC and reference to third parties or content on their websites should not be taken as endorsement of any kind by the NCSC. The NCSC has no control over the content of third party websites and consequently accepts no responsibility for your use of them.
This newsletter is subject to the NCSC website terms and conditions which can be found at https://www.ncsc.gov.uk/section/about-this-website/terms-and-conditions and you can find out more about how will treat your personal information in our privacy notice at https://www.ncsc.gov.uk/section/about-this-website/privacy-statement.