CTO at NCSC Summary: week ending May 5th
"Pro-Russia hacktivist activity against these sectors appears mostly limited to unsophisticated techniques that manipulate ICS equipment to create nuisance effects."
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week nothing overly of note.
In the high-level this week:
New laws to protect consumers from cyber criminals come into force in the UK - UK Government - many years in the making -
World-first laws protecting UK consumers and businesses from hacking and cyber-attacks take effect today
manufacturers of products such as phones, TVs and smart doorbells are now required to implement minimum security standards against cyber threats
consumers will benefit from banning of easily guessable default passwords, marking a significant leap in protecting individuals, society and the economy from cyber criminals
New powers to seize cryptoassets used by criminals go live - UK Government - “Greater powers for the National Crime Agency and police to seize, freeze and destroy cryptoassets used by criminals”
GovAssure Insights and reflections from Year 1 of the GovAssure Programme - UK Government - “In Year 1, 76 organisations in scope were divided into two different groups. Group one, covered by this report included 28 Lead Government Departments (LGDs) and Arms Length Bodies with government-sector CNI, submitting 55 systems for assurance. Group two included a further 48 Arms Length Bodies (ALBs). “
Hackers use developing countries as testing ground for new ransomware attacks - Financial Times reports - “Cyber attackers experiment in Africa, Asia and South America before targeting businesses in the west”
National Security Memorandum on Critical Infrastructure Security and Resilience - The White House - including lots of cyber such as “Identify and assess sector and cross-sector risk, analyze the dependencies among assets and systems that comprise critical infrastructure, and consider key interdependencies of potential sector and cross-sector consequences associated with physical and cyber threats and vulnerabilities to support critical infrastructure risk management and prioritization;”
Health Breach Notification Final Rule - Federal Trade Commission rule -”The HBN Rule requires vendors of personal health records (“PHRs”) and related entities that are not covered by the Health Insurance Portability and Accountability Act (“HIPAA”) to notify individuals, the FTC, and, in some cases, the media of a breach of unsecured personally identifiable health data.”
Cybercom looking to combine and standardize defensive cyber kits; solicitation issued - Defense Scoop reports - “will now also combine the equipment cyber protection teams use with the kit for hunt-forward operations performed by the Cyber National Mission Force, Cybercom’s elite unit tasked with defending the nation against significant digital threats. Hunt-forward operations, conceptualized over five years ago, involve physically sending defensively oriented cyber protection teams to foreign countries to hunt for threats on their networks at the invitation of host nations.”
Several car models fall victim to new cyber security rules - Market Screener reports -” Due to new EU regulations for cyber security in new cars, several manufacturers are withdrawing models from the range. Volkswagen is discontinuing the Up small car and the classic T6.1 van, while Porsche plans to build the Macan, Boxster and Cayman in the previous combustion engine generation only for export, the manufacturers announced.” - business cost of technical security debt here evidenced.
Marriott admits it falsely claimed for five years it was using encryption during 2018 breach - CSO Online reports - “Marriot revealed in a court case around a massive 2018 data breach that it had been using secure hash algorithm 1 [SHA1] and not the much more secure AES-1 encryption as it had earlier maintained.”
The cyber threat to research laboratories - Canadian Centre for Cyber Security assessment
We assess that state-sponsored actors will very likely continue to target Canadian laboratories to support their domestic biopharmaceutical and biomanufacturing capabilities through espionage. Further, we assess that People’s Republic of China (PRC) state-sponsored actors are almost certainly the most significant state-sponsored threat to laboratories in Canada.
We assess that state-sponsored actors will almost certainly target laboratories conducting research related to a foreign state’s critical intelligence requirements or a perceived existential threat for espionage or disruption.
Beyond Technicalities: Assessing Cyber Risk by Incorporating Human Factors - RAND Corporation research - “we find that only one of the individual factors (KSA) would be suitable for inclusion in a human cyber risk framework, while most workplace factors (Workload, Workplace distractions, adherence to Organizational policies and procedures, Data on employee behaviors, Firm training, and Simulated phishing emails) would be suitable. Finally, all of the external threat factors (Global threat intelligence, Access to privileged information, Spear phishing attacks, and Job title-role) would be suitable for a human cyber risk framework.”
The Chips Act has been surprisingly successful so far - Financial Times reports - “In so doing it has driven an unexpected investment boom. Chip companies and supply chain partners have announced investments totalling $327bn over the next 10 years, according to Semiconductor Industry Association calculations.”
Defending Democracy
Truth and reality with Chinese characteristics: The building blocks of the propaganda system enabling CCP information campaigns - Australian Strategic Policy Institute reports - “This research report finds that the CCP seeks to harvest data from various sources, including commercial entities, to gain insights into target audiences for its information campaigns.”
China's influence operations against the U.S. are bigger than TikTok - NPR reports - “Other researchers in Taiwan have identified TikTok influencers who appear to be using the same scripts to talk about divisive issues like migrant workers. Some influencers who typically post videos about fashion and beauty posted seemingly scripted videos alleging election fraud.”
Guarding Democracy: Assessing Cyber Threats to 2024 Worldwide Elections - Sekoia assessment - “Information and cyber influence campaigns” are nowadays more likely to be used than hack-and-leak against 2024 elections, as they do not require sophisticated cyber intrusion yet are still efficient. “Cyber disruption of the voting process” may sound the most concerning threat, but successful or even attempted operations are not common”
Reporting on/from China
Academics at UK universities face vetting to counter Chinese spies - The Times reports - “Academics and researchers involved in cutting-edge science at British universities are to be vetted by the security services, under government plans to tackle Chinese espionage.”
Foreign states targeting UK universities - BBC Reports - “Felicity Oswald, interim chief executive of the National Cyber Security Centre, joined MI5 director general Ken McCallum at the meeting”
US is reviewing risks of China's use of RISC-V chip technology - Reuters reports - “the Commerce Department said it is "working to review potential risks and assess whether there are appropriate actions under Commerce authorities that could effectively address any potential concerns.""
Beijing to push subsidies for local firms’ purchase of China-made chips - South China Morning Post reports:
The city will provide an undisclosed amount of subsidies to help local firms buy China-made graphics processing units for computing services
These services will form part of an envisioned ‘smart computing infrastructure’ that the nation’s capital intends to complete by 2027
Ant Group adds 14 foreign payment apps in access boost for Hong Kong merchants - South China Morning Post - (comment: data slurp and interoperability continues):
Overseas travellers from nine countries and regions can make payments in Hong Kong using their home wallet apps through Alipay+, operated by Ant Group
•Wallet partners include those from the Philippines, Mongolia, South Korea, Thailand and Italy and cover a population of 1.2 billion
China Prepares UN Resolution to Tap AI for Good - Bloomberg reports - “China is preparing a United Nations General Assembly resolution that it says is intended to help close gaps between rich and developing countries in the advance of artificial intelligence, an initiative that follows an extensive and ambitious campaign by the US, its biggest AI competitor.” - A western blunting strategy or not blunting?
Artificial intelligence
note: lots of technical cyber security application reporting in the footnotes section this week
BSI investigation: How AI is changing the cyber threat landscape - from BSI our German counterparts -
AI and Strategic Decision-Making - Communicating trust and uncertainty in AI-enriched intelligence - from the UK’s Centre for Emerging Technology and Security - “[this] report explores some of the ways in which we may need to adapt our intelligence system to successfully integrate AI tools into our work. And it seeks to answer the difficult question of what needs to be in place for AI-enriched insights to be used effectively and wisely in the assessments which inform National Security decisions.”
Security Recommendations for a Generative AI System - from ANSSI our French counterparts - “[The] security recommendations guide for a generative AI system focuses on securing a generative AI system architecture” - très bon!
AI Risk Management Framework - NIST product - “On April 29, 2024, NIST released a draft publication based on the AI Risk Management Framework (AI RMF) to help manage the risk of Generative AI. “
Biden-Harris Administration Announces Key AI Actions 180 Days Following President Biden’s Landmark Executive Order - The White House - “Today, federal agencies reported that they completed all of the 180-day actions in the E.O. on schedule, following their recent successes completing each 90-day, 120-day, and 150-day action on time.”
Over 20 Technology and Critical Infrastructure Executives, Civil Rights Leaders, Academics, and Policymakers Join New DHS Artificial Intelligence Safety and Security Board to Advance AI’s Responsible Development and Deployment - US Department of Homeland Security announcement - “Group Chaired by Secretary Mayorkas Will Consider Ways to Promote Safe and Secure Use of AI in our Nation’s Critical Infrastructure “
SenseTime unveils latest large model SenseNova 5.0, full-stack large model matrix - China Daily reports - "Based on over 10TB of token training data and extensive synthetic data, the SenseNova 5.0 adopts a hybrid expert architecture, with an effective context window of up to 200K for inference. This update primarily enhances knowledge, mathematics, reasoning and coding capabilities."
Alibaba Tongyi Qianwen open source 110 billion parameter Qwen1.5-110B model, comparable to Meta Llama3-70B - IT Home reports - "According to reports, Qwen1.5-110B is similar to other Qwen1.5 models and uses the same Transformer decoder architecture. It includes Grouped Query Attention (GQA), which is more efficient during model inference. The model supports a context length of 32K tokens , and it is still multi-lingual, supporting English, Chinese, French, Spanish, German, Russian, Japanese, Korean, Vietnamese, Arabic and other languages."
Cyber proliferation
Spyware sales to Indonesia - Candiru, Q Cyber, Intellexa, FinFisher, Wintego - Amnesty International reports - “found evidence of extensive sales and deployment of highly invasive spyware and other surveillance technologies in Indonesia-sourced from Israel, Greece, Singapore and Malaysia between 2017 and 2023.”
MIL-OSI NGOs: Thailand: Drop groundless charges against youth activists - Foreign Affairs reports - “Bie and Rung were among 35 human rights defenders (HRDs), activists, academics and artists targeted with Pegasus, a highly invasive spyware developed by the Israeli cyber intelligence company NSO Group.”
Senior member of former ruling party PiS targeted by Pegasus while PiS was in power (from Factiva) - Polish Press Agency reports “As many as 578 people were subject to surveillance in the years 2017-2022”
Bounty Hunting
Sodinokibi/REvil Affiliate Sentenced for Role in $700M Ransomware Scheme - US Department of Justice reports - “A Ukrainian national was sentenced today to 13 years and seven months in prison and ordered to pay over $16 million in restitution for his role in conducting over 2,500 ransomware attacks and demanding over $700 million in ransom payments.”
Chinese National Arrested in United States for Alleged Scheme to Illegally Export Semiconductor Manufacturing Machine - US Department of Justice event - “the defendants sought to illegally obtain a DTX-150 Automatic Diamond Scriber Breaker machine from Dynatex International, a Santa Rosa, California, company. The machine is used to cut thin semiconductors used in electronics, also known as silicon wafers”
Cost of selling fake Cisco devices to US military? 6 years in prison..
2024 Cyber Claims Report - I noted that 56% of the claims include a human being deceived (FTF/BEC) in some form.
Related NCSC UK released Business email compromise: defending your organisation
Reflection this week are around cyber risk and the value of warning systems after hearing an insightful talk (under Chatham house thus omitting the speaker’s name). Anyway, they made a fascinating and powerful observation on the need for warning systems to inform when risks change and how historically this is an under invested area. Importantly this is not forecasting or horizon scanning but rather a data driven system to allow warnings to be issued and responses taken.
I was reflecting on how many organisations in my time have ‘issued a warning’ because their cyber risk changed rather than just observation that the risk indicators have gone up (not many). Beyond that there was a powerful point on “risk proper” or Knightian uncertainty (something which can be calculated) versus uncertainty more generally.
Think someone else would benefit? Share:
All attribution is by others and not the UK Government unless specifically stated as such, please see the legal text at the end.
Have a lovely Friday..
Ollie
Cyber threat intelligence
Who is doing what to whom and how allegedly.
Reporting on Russia
Defending OT Operations Against Ongoing Pro-Russia Hacktivist Activity
The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), National Security Agency (NSA), Environmental Protection Agency (EPA), Department of Energy (DOE), United States Department of Agriculture (USDA), Food and Drug Administration (FDA), Multi-State Information Sharing and Analysis Center (MS-ISAC), Canadian Centre for Cyber Security (CCCS), and United Kingdom’s National Cyber Security Centre (NCSC-UK) assemble in true Avengers style with this reporting and guidance.
Pro-Russia hacktivist activity against these sectors appears mostly limited to unsophisticated techniques that manipulate ICS equipment to create nuisance effects. However, investigations have identified that these actors are capable of techniques that pose physical threats against insecure and misconfigured OT environments. Pro-Russia hacktivists have been observed gaining remote access via a combination of exploiting publicly exposed internet-facing connections and outdated VNC software, as well as using the HMIs’ factory default passwords and weak passwords without multifactor authentication.
Uncorking Old Wine: Zero-Day from 2017 + Cobalt Strike Loader in Unholy Alliance
Ivan Kosarev intimates some technical links to Russia in this reporting. Striking that old vulnerabilities such as these clearly have value still.
[We] discovered a suspected targeted operation against Ukraine
The operation is using CVE-2017-8570 as the initial vector
The operation could not be attributed to any known threat actor
The operation used a custom loader for Cobalt Strike Beacon
Deep Instinct is detecting all stages of the attack
https://www.deepinstinct.com/blog/uncorking-old-wine-zero-day-cobalt-strike-loader
Reporting on China
Eight Arms To Hold You: The Cuttlefish Malware
The Black Lotus Labs team have issued this reporting which shows the continued danger of clear-text protocols in this alleged Chinese activity. This is notable for tradecraft as well as capability reasons. It should be a warning to all.
The Black Lotus Labs team at Lumen Technologies is tracking a malware platform we’ve named Cuttlefish, that targets networking equipment, specifically enterprise-grade small office/home office (SOHO) routers. This malware is modular, designed primarily to steal authentication material found in web requests that transit the router from the adjacent local area network (LAN). A secondary function gives it the capacity to perform both DNS and HTTP hijacking for connections to private IP space, associated with communications on an internal network. Cuttlefish also has the ability to interact with other devices on the LAN and move material or introduce new agents.
Based upon code similarities in conjunction with embedded build paths, we have found overlap with a previously reported activity cluster called HiatusRat, whose targeting aligns with the interest of the People’s Republic of China.
The payload sets up a secure connection to the C2 using an embedded RSA certificate, to download and update the ruleset.
https://blog.lumen.com/eight-arms-to-hold-you-the-cuttlefish-malware/
A Cunning Operator: Muddling Meerkat and China’s Great Firewall
Renée Burton sheds some light on some rather more novel tradecraft by this alleged Chinese state threat actor. Are they trying to map out some exfiltration paths?
This paper introduces a perplexing actor, Muddling Meerkat, who appears to be a People’s Republic of China (PRC) nation state actor. Muddling Meerkat conducts active operations through DNS by creating large volumes of widely distributed queries that are subsequently propagated through the internet using open DNS resolvers.
Use servers in Chinese IP space to conduct campaigns by making DNS queries for random subdomains to a wide array of IP addresses, including open resolvers
Induce responses from the GFW that are not seen under normal circumstances
Include false MX records from random Chinese IP addresses, a type of deception not previously reported for either the GFW or GC
Trigger MX record queries, plus other record types, for short random hostnames of a set of domains outside the actor’s control in the .com and .org top-level domains (TLDs) from devices distributed worldwide (likely open resolvers)
Use “super-aged” domains, typically registered before the year 2000, avoiding DNS blocklists and blending in with old malware at the same time
Choose domains for abuse based on their length and age rather than their current status and ownership; while many of the domains are abandoned or have been repurposed for questionable use, other domains are actively used by legitimate entities
Conduct campaigns of one to three days, similar to ExploderBot (see below), on a fairly continuous basis
Do not appear to use large-scale spoofing of source IP addresses, but instead initiate DNS queries from dedicated servers
Are limited in size to avoid detection and service disruptions like those caused by ExploderBot
Are possibly conducted in discrete components, creating different DNS patterns over time
Began on or about October 15, 2019
We believe PDD is a Dying Fraudulent Company and its Shopping App TEMU is Cleverly Hidden Spyware that Poses an Urgent Security Threat to U.S. National Interests
Grizzly Research issues a report that which some serious allegations and observations. Also an interesting Venn of financial and technical analysis to come to their conclusions.
Through multiple iterations spanning several years, and even in the wake of being kicked out of the Google Play Store in March, TEMU is running its software development effort in pursuit of maximum intrusiveness, abusiveness and stealthiness. The corporate ethos reflected towards the U.S. and Europe is “Whatever we can get away with…”
Beyond its malware / spyware, we have rarely seen a company display such a consistent attitude of impunity, throughout all levels of policy, execution and governance, customer and vendor relations.
Given all these actions in bad faith, it’s hard to believe the market has conferred upon PDD appx $135 billion in market cap. How it has earned access to the U.S. capital markets to fund its activities is darkly ironic. This is a house of cards. The risks of catastrophic regulatory intervention appear at all sides. Yet the company acts as if it is completely unaccountable.
Reporting on North Korea
North Korean Actors Exploit Weak DMARC Security Policies to Mask Spearphishing Efforts
The Federal Bureau of Investigation (FBI), the U.S. Department of State, and the National Security Agency (NSA) formally attribute some tradecraft covered here previously.
In addition to convincing email messages, Kimsuky cyber actors have been observed creating fake usernames and using legitimate domain names to impersonate individuals from trusted organizations, including think tanks and higher education institutions, to gain trust and build rapport with email recipients. Spoofed emails do not come from the trusted organization’s actual domain email exchange, but rather from the actor-controlled email address and domain. Even if a skeptical recipient wanted to verify whether the sender was legitimate, the recipient email response would be sent back to a spoofed email address at the trusted domain. The ‘reply-to’ section of the email header would reveal the North Korean actor-controlled email address and domain, but it would still appear to be legitimate.
https://www.ic3.gov/Media/News/2024/240502.pdf
Activity analysis of APT-C-28 (ScarCruft) organization using malicious LNK files to deliver RokRat attacks
360 Threat Intelligence Center reports this alleged North Korean campaign which continues to use a rather tried (or tired) and tested set of tradecraft.
[We] detected that the APT-C-28 organization is conducting a well-planned network attack. The group used malicious LNK files disguised as "North Korea Human Rights Experts Debate" as a means to deliver RokRat malware to targets. The initial sample we captured in this attack was a compressed file containing a disguised malicious LNK file. When this LNK file is executed, it induces users to download and run the RokRat malware. Based on previous public threat intelligence data, we inferred that the initial payload of this attack was likely sent through a phishing email.
How Lazarus Group laundered $200M from 25+ crypto hacks to fiat from 2020–2023
ZachXBT do the analysis whilst showing the value of blockchains in understanding the shuffling around.
Analytics firms such as TRM and Chainalysis release annual reports summarizing crypto related incidents linked to DPRK and since 2017 they estimate between $3B to $4.1B has been stolen.
The research in this article closely follows 25 hacks targeting companies and individuals in the cryptocurrency space spanning from August 2020 to October 2023 by tracing the movements of funds to multiple accounts identified at P2P marketplaces where Lazarus Group exchanges stolen crypto for fiat.
https://zachxbt.mirror.xyz/B0-UJtxN41cJhpPtKv0v2LZ8u-0PwZ4ecMPEdX4l8vE
related was this post on Tracking illicit actors through bridges, DEXs, and swaps
https://www.elliptic.co/blog/tracking-crypto-through-bridges-dexs-and-swaps
Reporting on Iran
Uncharmed: Untangling Iran's APT42 Operations
Ofir Rozmann, Asli Koksal, Adrian Hernandez, Sarah Bock and Jonathan Leathery give insight into the tradecraft of this alleged Iranian threat actor. Noting there is nothing overly novel nor sophisticated.
APT42 is known for its extensive credential harvesting operations that are often accompanied by tailored spear-phishing campaigns and extensive social engineering.
https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations/
Reporting on Other Actors
Sifting through the spines: identifying (potential) Cactus ransomware victims
Willem Zeeman and Yun Zheng Hu undertake some active scanning to find compromises.
Our scan for both font files, found a total of 122 servers with the indicator of compromise. The United States ranked highest in exploited servers with 49 online instances carrying the indicator of compromise, followed by Spain (13), Italy (11), the United Kingdom (8), Germany (7), and then Ireland and the Netherlands (6).
Router Roulette: Cybercriminals and Nation-States Sharing Compromised Network
Feike Hacquebord and Fernando Merces hint that scarcity and/or out sourcing may be having interesting implications and opportunities for disruption of covert infrastructure.
Cybercriminals and nation state actors share a common interest in compromised routers that are used as an anonymization layer.
Cybercriminals rent out compromised routers to other criminals, and most likely also makes them available to commercial residential proxy providers.
Nation-state threat actors like Sandworm used their own dedicated proxy botnets, while APT group Pawn Storm had access to a criminal proxy botnet of Ubiquiti EdgeRouters
The EdgeRouter botnet used by Pawn Storm (disrupted by the US FBI in January 2024) goes back to 2016.
The botnet also includes other routers and virtual private servers (VPS). After the disruption, the botnet’s operator managed to move over bots to command-and-control (C&C) infrastructure that had been newly set up.
On some compromised EdgeRouters, we found activity from two significant cybercriminal groups and one nation-state threat actor (Pawn Storm)
It is of paramount importance to secure routers and only expose them to incoming internet connections only when it is critical for the business. We provide advice for network defenders and Small Office/Home Office (SOHO) network administrators to scan their routers for indications of them being used by nation-state threat actors and cybercriminals.
https://www.trendmicro.com/en_us/research/24/e/router-roulette.html
Discovery
How we find and understand the latent compromises within our environments.
Detecting browser data theft using Windows Event Logs
Will Harris discusses Google Chrome defence in depth and how breaches can be detected here.
Since 2013, Chromium has been applying the CRYPTPROTECT_AUDIT flag to DPAPI calls to request that an audit log be generated when decryption occurs, as well as tagging the data as being owned by the browser. Because all of Chromium's encrypted data storage is backed by a DPAPI-secured key, any application that wishes to decrypt this data, including malware, should always reliably generate a clearly observable event log, which can be used to detect these types of attacks.
There are three main steps involved in taking advantage of this log:
Enable logging on the computer running Google Chrome, or any other Chromium based browser.
Export the event logs to your backend system.
Create detection logic to detect theft.
This blog will also show how the logging works in practice by testing it against a python password stealer.
https://security.googleblog.com/2024/04/detecting-browser-data-theft-using.html
Full IP list to check against your ASA/Flow logs for the ArcaneDoor Cisco ASA Compromises
John Althouse provided this useful asset to the community to help understand
Here's a full IP list to check against your ASA/Flow logs for the ArcaneDoor Cisco ASA Compromises (361 IPs):
https://drive.google.com/file/d/1wlKPuMCiWW1wuOHZPp7sS-peDUw_s1VY/view
Examining the Deception infrastructure in place behind code.microsoft.com
Ross Bevington shows what happens when you are a hyper scale who undertakes a little bit of global subterfuge to burn malicious use of your service.
A malicious actor can discover the dangling subdomain. Provision a cloud Azure resource with the same name and now visiting blog.somedomain.com will redirect to the attacker’s resource. Here they control the content.
This happened in 2021 when the domain was temporarily used to host a malware C2 service. Thanks to multiple reports from our great community this was quickly spotted and taken down before it could be used. As a response to this Microsoft now has more robust tools in place to catch similar threats.
MasterParser: MasterParser is a powerful DFIR tool designed for analyzing and parsing Linux logs
Go fourth and find anomalous logins..
MasterParser stands as a robust Digital Forensics and Incident Response tool meticulously crafted for the analysis of Linux logs within the var/log directory. Specifically designed to expedite the investigative process for security incidents on Linux systems, MasterParser adeptly scans supported logs, such as auth.log for example, extract critical details including SSH logins, user creations, event names, IP addresses and much more. The tool's generated summary presents this information in a clear and concise format, enhancing efficiency and accessibility for Incident Responders. Beyond its immediate utility for DFIR teams, MasterParser proves invaluable to the broader InfoSec and IT community, contributing significantly to the swift and comprehensive assessment of security events on Linux platforms.
https://github.com/securityjoes/MasterParser
Defence
How we proactively defend our environments.
Trusted Signing is in Public Preview
Rakia Segev shows how MSFT is trying to enable developers to get crypt keys out of their otherwise insecure infrastructure.
"Trusted Signing is a complete code signing service with an intuitive experience for developers and IT professionals, backed by a Microsoft managed certification authority. "
How to Block Anonymizing Services using Okta
There was some debate if Okta is now using Spur like everyone else.
https://sec.okta.com/blockanonymizers
Secure by Design Alert: Eliminating Directory Traversal Vulnerabilities in Software
The year is 2024 and a vulnerability class I remember being exploited in the era of the mode and BBS (via ZIP) is still being exploited a causing real pain.
CISA and the Federal Bureau of Investigation (FBI) crafted this Alert in response to recent well-publicized threat actor campaigns that exploited directory traversal vulnerabilities in software (e.g., CVE-2024-1708, CVE-2024-20345) to compromise users of the software
Incident Writeups & Disclosures
How they got in and what they did.
A recent security incident involving Dropbox Sign
…
On April 24th, we became aware of unauthorized access to the Dropbox Sign (formerly HelloSign) production environment. Upon further investigation, we discovered that a threat actor had accessed Dropbox Sign customer information. We believe that this incident was isolated to Dropbox Sign infrastructure, and did not impact any other Dropbox products.
Upon further investigation, we discovered that a threat actor had accessed data including Dropbox Sign customer information such as emails, usernames, phone numbers and hashed passwords, in addition to general account settings and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication.
https://sign.dropbox.com/blog/a-recent-security-incident-involving-dropbox-sign
here is the 8K filing
https://www.board-cybersecurity.com/incidents/tracker/20240501-dropbox-inc-cybersecurity-incident/
Vulnerability
Our attack surface.
How an empty S3 bucket can make your AWS bill explode
More worrying is the security implications here:
As it turns out, one of the popular open-source tools had a default configuration to store their backups in S3. And, as a placeholder for a bucket name, they used… the same name that I used for my bucket.
libksieve (used by kmail/kontact) sent password as username
Comedy error..
Managesieve is a protocol to configure the email filtering system Sieve via TCP/IP. It is typically authenticated just like IMAP is. The managesieve cliento implementation in KDE (libksieve) had a bug which used the password as username.
That exposed the password in plaintext server logs, as usernames are commonly logged on failed login attempts.
https://www.openwall.com/lists/oss-security/2024/04/25/1
Offense
Attack capability, techniques and trade-craft.
Nemesis 1.0
Will Schroeder shows what is possible when automation comes to offensive pipelines around content discovery e.g.
Streamlined NLP indexing to prevent choking and exposed a /nlp/ route for search.
Processing for Chromium JSON cookie dumps.
https://posts.specterops.io/nemesis-1-0-0-8c6b745dc7c5
The Darkgate Menace: Leveraging Autohotkey & Attempt to Evade Smartscreen
Yashvi Shah, Lakshya Mathur and Preksha Saxena evidence once more criminals do learn from penetration testers.
[We] recently uncovered a novel infection chain associated with DarkGate malware. This chain commences with an HTML-based entry point and progresses to exploit the AutoHotkey utility in its subsequent stages.
Upon executing the downloaded script, it proceeds to command and execute the AutoHotkey utility, employing a script located at the designated path
Exploitation
What is being exploited.
Analysis of privilege escalation after CrushFTP (CVE-2024-4040)
Y4TACKER (Chinese) exploits this vulnerability to achieve privilege escalation.
ere, the author still uses
sessions.objthe file to read the history cookie when analyzing the exploit. An attempt to escalate privileges, but I also mentioned in one of the earliest articles that such a file will only be generated when the program exits, which acts as a cache function of the server ( CrushFTP Unauthenticated Remote Code Execution (CVE- 2023-43177) ), so its use is relatively more metaphysical and depends on fate. In actual combat, we often need more stable and direct ways to obtain the password of the admin account.
Exploiting the NT Kernel in 24H2: New Bugs in Old Code & Side Channels Against KASLR
Gabe K shows that changes in Windows kernel may make latent vulnerabilities exploitable where once they were not.
The upcoming version of Windows 11, 24H2, is currently in public preview via the Windows Insider Program. This post covers the process of discovering multiple kernel vulnerabilities introduced in 24H2 and writing an exploit, including bypassing new hardening to kernel ASLR (KASLR).
All the vulnerabilities described here are in the NT kernel itself (ntoskrnl.exe), in syscalls which may be called by any process, regardless of its privilege level or sandbox.
While reverse engineering various parts of the NT kernel in 24H2 I discovered two vulnerabilities, both of which were double-fetches of user mode memory (credit: j00ru). These bugs were especially interesting because they appeared in long–present code that had previously been safe.
https://exploits.forsale/24h2-nt-exploit/
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
Pathfinder: High-Resolution Control-Flow Attacks Exploiting the Conditional Branch Predictor
Hosein Yavarzadeh, Archit Agarwal, Max Christman, Christina Garman, Daniel Genkin, Andrew Kwong, Daniel Moghimi, Deian Stefan, Kazem Taram and Dean Tullsen show how academic applied research continue to goes from strength to strength. It will be interesting to see if this is exploitable in real-world..
Pathfinder, unveils two innovative side-channel attacks exploiting the CBP:
The first attack introduces an entirely novel approach within the branch predictor realm, enabling the leakage of crucial historical information pertaining to thousands of recently executed branch instructions.
The second attack unveils an exceptionally high-resolution Spectre-style exploit, capable of generating intricate patterns of mispredictions to steer the victim into executing a specific code path unintended by the programmer.
We demonstrate the implications of these attacks with two case studies: We demonstrate a speculative execution attack against AES that returns intermediate values at multiple steps to recover the AES key. We also steal secret images by capturing the complete control flow of libjpeg routines.
https://pathfinder.cpusec.org/
QCSuper
Capability which will be useful to some.
QCSuper is a tool communicating with Qualcomm-based phones and modems, allowing to capture raw 2G/3G/4G (and for certain models 5G) radio frames, among other things.
It will allow you to generate PCAP captures of it using either a rooted Android phone, an USB dongle or an existing capture in another format.
https://github.com/P1sec/QCSuper
obfuscation_detection:
Tim Blazytko does releases a powerful work aid.
Obfuscation Detection is a Binary Ninja plugin to detect obfuscated code and interesting code constructs (e.g., state machines) in binaries. Given a binary, the plugin eases analysis by identifying code locations which might be worth a closer look during reverse engineering.
Based on various heuristics, the plugin pinpoints functions that contain complex or uncommon code constructs. Such code constructs may implement
obfuscated code
state machines and protocols
C&C server communication
string decryption routines
cryptographic algorithms
https://github.com/mrphrazer/obfuscation_detection
Unpacking with Windows Defender
Camille Mougey does some elegant reuse to build on the shoulders of giants.
Windows Defender implements some unpackers
With a few patches, unpackers' output can be retrieved
This repository explains how to do it, with additional patches for
loadlibraryThis is not an universal unpacker. At best, it helps with some commercial packers
https://github.com/commial/experiments/tree/master/windows-defender/unpacking
DYLD — Do You Like Death? (IX)
Karol Mazurek does to macOS what many gave done for Windows previously.
This is the ninth article in the series about debugging Dyld-1122 and analyzing its source code. We will introduce
RuntimeStatewhich APIs are used for tracking process-related data, such as threads or loaded Mach-Os.
PropagateExternalParametersX64.java
Karsten Hahn brings to x64 what existed for x32.
an x64 version of Ghidra's PropagateExternalParameters. It adds comments for the parameters.
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Aggregate reporting
OSHIT: Seven Deadly Sins of Bad Open Source Research - Bellingcat
Strategic Cybersecurity Talent Framework - “This paper is intended to serve as a source of reference for public and private decision-makers concerned by the industry workforce shortage and committed to developing and nurturing robust cybersecurity talent across their respective sectors.”
Artificial intelligence
Personal recommendation for fine-tuning large models for network security tasks
In-depth exploration: full analysis of LLaMa-3 network security capabilities
The Instruction Hierarchy: Training LLMs to Prioritize Privileged Instructions
From Assistant to Analyst: The Power of Gemini 1.5 Pro for Malware Analysis
OSWorld: Benchmarking Multimodal Agents for Open-Ended Tasks in Real Computer Environments
SnapKV: LLM Knows What You are Looking for Before Generation
Knowledge Graphs enable LLMs to really understand - from August 2023
Books
Critical Perspectives on Cybersecurity: Feminist and Postcolonial Interventions - “This book examines concerns about online security, sovereignty, representation, and resistance, focusing on issues in the Global South. Contributors leverage feminist and postcolonial lenses to assess issues that might challenge conventional notions of cybersecurity, including disinformation, gender-based violence online, and technology as a neocolonial force.”
Events
ASPLOS, the ACM International Conference on Architectural Support for Programming Languages and Operating Systems was held in San Diego at the April 27-May 1, 2024 - papers available
Video of the week is Panel Discussion: Payments | Ransomware Task Force 24 in '24
Art of the week where Megan Stifel gave Craig Newmark this special gift:
Unless stated otherwise, linked or referenced content does not necessarily represent the views of the NCSC and reference to third parties or content on their websites should not be taken as endorsement of any kind by the NCSC. The NCSC has no control over the content of third party websites and consequently accepts no responsibility for your use of them.
This newsletter is subject to the NCSC website terms and conditions which can be found at https://www.ncsc.gov.uk/section/about-this-website/terms-and-conditions and you can find out more about how will treat your personal information in our privacy notice at https://www.ncsc.gov.uk/section/about-this-website/privacy-statement.