CTO at NCSC Summary: week ending May 4th
The age of advanced cryptography techniques edges ever closer..
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week the UK retail incidents have been a focus.. read the NCSC statement: Incident impacting retailers - “Following news of cyber incidents impacting UK retailers, the NCSC can confirm it is working with organisations affected.”
In the high-level this week:
Advanced Cryptography: new approaches to data privacy - NCSC publishes - “A new NCSC paper discusses the suitability of emerging Advanced Cryptography techniques.”
Biting the CHERI bullet: Blockers, Enablers and Security Implications of CHERI in Defence - Defence Science & Technology Laboratory researches - “We present results from a 12 month evaluation of one such secure hardware solution, CHERI, where 15 teams from industry and academia ported software relevant to Defence to Arm’s experimental Morello board. We identified six types of blocker inhibiting adoption: dependencies, a knowledge premium, missing utilities, performance, platform instability, and technical debt”
Cyber incident grab bag: Safely restoring technology and systems - UK Local Government Association publishes
An open letter to third-party suppliers - JP Morgan writes - "The modern ‘software as a service’ (SaaS) delivery model is quietly enabling cyber attackers and – as its adoption grows – is creating a substantial vulnerability that is weakening the global economic system" - or market incentives to you and me..
House Passes Latta's ROUTERS Act and NTIA Reauthorization Act - Congressman Bob Latta announces - “The ROUTERS ACT will safeguard Americans' communications networks from foreign-adversary controlled technology, including routers, modems, or devices that combine both. This legislation was previously passed by the House of Representatives in the last Congress.”
Commission opens consultation on revising EU Cybersecurity Act - European Commission announces - “In an effort to strengthen the EU’s resilience against rising cyber threats, the Commission seeks input to evaluate and revise the 2019 Cybersecurity Act. This initiative reflects the Commission’s ongoing commitment to simplifying rules.”
EU budget set for defence-related boost under new regulation - European Commission publishes - “Through the Horizon Europe regulation, the reach of the European Innovation Council (EIC) will include start-ups working on dual-use and defence-related innovations. The objective is to foster a dynamic innovation ecosystem that speeds up the development and deployment of cutting-edge dual-use and defence technologies, like AI and cybersecurity.”
First EUCC Cybersecurity Certificates Set Sails from France - ENISA announces - “ANSSI, the French cybersecurity agency has just issued the first two EU cybersecurity certificates under EUCC. Prepared by ENISA and adopted by the European Commission on 27 February 2024, the EU Common Criteria scheme, EUCC, is the first EU cybersecurity scheme in place.”
Router Maker TP-Link Faces US Criminal Antitrust Investigation - Bloomberg reports - “The US is conducting a criminal antitrust investigation into pricing strategies by TP-Link Systems Inc., a California-based router maker with links to China whose equipment now dominates the American market, according to people familiar with the matter.”
Review of the cybersecurity component of France Relance: a successful challenge - ANSSI summarises - “With 100 million euros, the cybersecurity pathways program represented an unprecedented investment in response to a threat that had become systemic, affecting critical entities at the heart of the regions…. For four years, ANSSI designed, deployed, and managed a support system for local authorities, healthcare institutions, and public entities. This support has enabled 945 of the entities most vulnerable to cyber threats to benefit from this support, including:
707 local authorities,
134 health establishments,
87 other public establishments,
17 research and higher education centers,”
Reporting on/from China
How China Is Building an Army of Hackers - Bloomberg reports - “China and the US actively engage in cyber espionage for strategic advantage. Leaked files now suggest how rapidly Beijing is catching up in preparation for any future conflict.”
The Ministry of Public Security of China as a foreign intelligence agency: Tracing recent foreign intelligence activities and their inherent logic through public information analysis - Japan National Institute for Defence Studies publishes - "In this way, the Ministry of Public Security appears to consider any entity that poses a threat to the Communist Party's rule, whether at home or abroad, and in physical or cyberspace, to be subject to "law enforcement" or "punishment."
Chinese universities are dominating global research on chips, US report says - South China Morning Post reports - “From 2018 to 2023, nine of the top 10 biggest producers of English-language research on chips were Chinese institutions, according to a report released in March by the Emerging Technology Observatory at Georgetown University in Washington.”
China-born scientist Jian-Ping Wang forged a rare-earth-free magnet. Will it help the West? - South China Morning Post reports - “His quest was to create a powerful magnet without rare earth elements. The result was the world’s first iron nitride magnet, a revolutionary technology forged from iron and nitrogen.”
China defies ASML prediction with EUV breakthrough in advanced chip production - South China Morning Post reports - “The team, from the Chinese Academy of Sciences’ Shanghai Institute of Optics and Fine Mechanics, was led by Lin Nan, previously head of light source technology at ASML in the Netherlands.”
SKT Hacking: Chinese Hackers' Specialty: Backdoor Malware… "Difficult to Determine Who's Behind It" - YNA reports - “It has been discovered that the cyber attack that stole USIM information from SK Telecom subscribers used the BPFDoor technique, which is mainly used by Chinese hacker groups.”
AI
Prompt Injection and Mode Drift in Qwen3 - a security analysis - Lukasz Olejnik researches - “Qwen3’s structured reasoning is a great feature. I appreciate having a powerful, local LLM—so with perfect privacy– that does not force thinking mode by default. However, this flexible behavior can introduce subtle security risks.”
China issues the most AI patents globally - People Daily reports - “AI patents account for 60% of the world’s total” - quality not guaranteed
The Regulation of Generative AI in China - Rogier Creemers analyses - “This chapter reviews how Chinese policymakers’ perceptions and interventions have evolved on the basis of technological developments and their own learning processes, and how this will shape the development of generative AI technologies in China.”
The Regulation of Generative AI in China - working chapter
China's Baidu says its Kunlun chip cluster can train DeepSeek-like models - Reuters reports - “successfully "illuminated" a cluster comprising 30,000 of its self-developed, third generation P800 Kunlun chips, which can support the training of DeepSeek-like models, its CEO said on Friday.”
Huawei Starts Delivering Its CloudMatrix 384 AI Clusters To Chinese Customers; Costs Three Times Higher Than NVIDIA’s GB200 NVL72 System - WCCF Tech reports - “Li also unveiled Baidu's latest AI model, Ernie 4.5 Turbo, saying it matched the industry's best in several benchmark tests, demonstrating abilities ranging from coding to linguistic comprehension. The company also launched a new reasoning model called Ernie X1 Turbo, and said it would incorporate its AI abilities across its apps from its cloud drive and content platform Baidu Wenku.”
Cyber proliferation
Second Italian journalist allegedly targeted with ‘mercenary spyware’ - Guardian reports - “A second Italian journalist whose news organisation exposed young fascists within the prime minister Giorgia Meloni’s far-right party was targeted with sophisticated “mercenary spyware”, according to an Apple notification received by the reporter.”
Bounty Hunting
Raytheon Companies and Nightwing Group to Pay $8.4M to Resolve False Claims Act Allegations Relating to Non-Compliance with Cybersecurity Requirements in Federal Contracts - US Department of Justice reports - “have agreed to pay $8.4 million to resolve allegations that Raytheon violated the False Claims Act by failing to comply with cybersecurity requirements in contracts or subcontracts involving the Department of Defense (DoD).”
Scattered Spider Hacking Suspect Extradited to US From Spain - Bloomberg reports - “An alleged member of the notorious Scattered Spider cybercrime group was extradited from Spain to the US on Wednesday, according to a Department of Justice official.”
Maryland Man Pleads Guilty to Conspiracy to Commit Wire Fraud - US Department of Justice reports - “Minh Phuong Ngoc Vong, 40, of Bowie, Maryland, pleaded guilty today to conspiracy to commit wire fraud in connection with a scheme whereby he conspired with unknown individuals, including John Doe, also known as William James, a foreign national living in Shenyang, China” - North Koreans in China and 13 different victim companies!!
Cyber Risk Insights: Sovereigns And Their Critical Infrastructure Are Prime Targets - S&P Global publishes - “Currently, we consider it unlikely that a cyber incident might significantly or directly affect the creditworthiness of a sovereign.”
No reflections this week as I have been travelling internationally and nationally, but it is CyberUK next week.. see you all in Manchester and/or on YouTube!
But a brief word on the open letter to third-party suppliers from JP Morgan and a slide I use:
.. the organisational perimeter is no longer what it was 10 years ago and that SaaS supply chain is of varying quality and competence when it comes to cyber security ..
Not getting this via email? Subscribe:
Think someone else would benefit? Share:
All attribution is by others and not the UK Government unless specifically stated as such, please see the legal text at the end.
Have a lovely Saturday..
Ollie
Cyber threat intelligence
Who is doing what to whom and how allegedly.
Reporting on Russia
Attribution de cyberattaques contre la France au service de renseignement militaire russe (APT28)
French Ministry for Europe and Foreign Affairs summarises alleged Russian operations in France showing the breadth and depth at a high-level..
France condemns in the strongest terms the use by Russia’s military intelligence service (GRU) of the APT28 attack group, at the origin of several cyber attacks on French interests.
Since 2021, this attack group has been used to target or compromise a dozen French entities. These entities are working in the daily lives of French people and include public services, private enterprises as well as a sport organization involved in the 2024 Olympic and Paralympic Games. In the past, this group was also used by GRU in the sabotage of the TV5Monde broadcasting station in 2015, as well as in attempts to destabilize the French elections in 2017.
Operation Deceptive Prospect: RomCom Targeting UK Organisations through Customer Feedback Portals
Joshua Penny and Yashraj Solanki detail this alleged UK targeting using a somewhat novel method to deliver their phishing campaigns. This is a set of TTPs to be alive to..
The threat actor leveraged externally facing customer feedback portals to submit phishing emails directed at customer service representatives of two Bridewell customers operating within the UK retail and hospitality, and CNI sectors. Contained within the feedback forms were user complaints pertaining to events facilities operated by the target or recruitment enquiries, including links to further information supporting the complaints stored on Google Drive and Microsoft OneDrive impersonation domains hosted threat actor-controlled VPS infrastructure.
Inside the Latest Espionage Campaign of Nebulous Mantis
Prodaft summarises the details of the same alleged Russian actor who shows a degree technical sophistication coupled with determination…. but they still rely on spear phishing. but as noted above sometimes via a-typical paths..
Nebulous Mantis (a.k.a. Cuba, STORM-0978, Tropical Scorpius, UNC2596) is a Russian-speaking cyber espionage group that has actively deployed the RomCom remote access trojan (RAT) and Hancitor loader in targeted campaigns since mid-2019
The Nebulous Mantis group represents a sophisticated and persistent cyber espionage threat group. Their consistent targeting of governmental, military, and critical infrastructure organizations within NATO countries strongly suggests geopolitical motivations that align with the interests of Russian-speaking actors. The group's adoption of advanced techniques, including the utilization of decentralized technologies such as IPFS for malware dissemination and the employment of LOTL tactics, significantly elevates the complexity of detection and attribution efforts. This combination of technical innovation, operational security, and focused targeting renders RomCom a highly significant cyber threat to critical organizations, with potential ramifications extending beyond the scope of typical financially motivated cybercrime.
Reporting on China
TheWizards APT group uses SLAAC spoofing to perform adversary-in-the-middle attacks
Facundo Muñoz details an alleged Chinese campaign which can legitimately be called advanced. The victimology is also interesting for this level of capability to be deployed against.
We discovered a malicious downloader being deployed, by legitimate Chinese software update mechanisms, onto victims’ machines.
The downloader seeks to deploy a modular backdoor that we have named WizardNet.
We analyzed Spellbinder: the tool the attackers use to conduct local adversary-in-the-middle attacks and to redirect traffic to an attacker-controlled server to deliver the group’s signature backdoor WizardNet.
We provide details abouts links between TheWizards and the Chinese company Dianke Network Security Technology, also known as UPSEC.
..
TheWizards targets individuals, gambling companies, and unknown entities in the Philippines, Cambodia, the United Arab Emirates, mainland China, and Hong Kong.
Earth Kasha Updates TTPs in Latest Campaign Targeting Taiwan and Japan
Hara Hiroaki details a campaign which is allegedly Chinese in origin, relies of spear phishing and shows an evolution in existing frameworks. Noteworthy is the use of the in memory payloads..
APT group Earth Kasha continues its activity with a new campaign in March 2025 that uses spear-phishing to deliver a new version of the ANEL backdoor, possibly for espionage based on the campaign’s victimology.
In this campaign, the APT group believed to be a part of the larger APT10 group is targeting government agencies and public institutions in Taiwan and Japan. Potential impact could include information theft and sensitive data related to governance being compromised.
The ANEL file from the 2025 campaign discussed in this blog implemented a new command to support an execution of BOF (Beacon Object File) in memory. This campaign also potentially leveraged SharpHide to launch the second stage backdoor NOOPDOOR.
We provide recommendations for organizations to proactively secure their systems, including implementing a zero-trust approach to external and unrecognized One Drive links, and the continuous monitoring for any potential abuse of DNS over HTTPS.
https://www.trendmicro.com/en_us/research/25/d/earth-kasha-updates-ttps.html
Uyghur Language Software Hijacked to Deliver Malware
Citizen Lab detail an alleged Chinese campaign which is noteworthy for the level of pretext in its social engineering..
In March 2025, senior members of the World Uyghur Congress (WUC) living in exile were targeted with a spearphishing campaign aimed at delivering Windows-based malware capable of conducting remote surveillance against its targets.
The malware was delivered through a trojanized version of a legitimate open source word processing and spell check tool developed to support the use of the Uyghur language. The tool was originally built by a developer known and trusted by the targeted community.
Although the malware itself was not particularly advanced, the delivery of the malware was extremely well customized to reach the target population and technical artifacts show that activity related to this campaign began in at least May of 2024.
The ruse employed by the attackers replicates a typical pattern: threat actors likely aligned with the Chinese government have repeatedly instrumentalized software and websites that aim to support marginalized and repressed cultures to digitally target these same communities.
This campaign shows the ongoing threats of digital transnational repression facing the Uyghur diaspora. Digital transnational repression arises when governments use digital technologies to surveil, intimidate, and silence exiled and diaspora communities.
https://citizenlab.ca/2025/04/uyghur-language-software-hijacked-to-deliver-malware/
Detailed Analysis of BPFDoor targeting South Korean Company
S2W analyses the alleged implant used in the South Korea Telecom compromise..
Recently, the frequency of BPFDoor malware attacks targeting domestic and international telecommunications industries has been increasing. On April 25, 2025, the Korea Internet & Security Agency (KISA) confirmed a case of BPFDoor malware distribution targeting major systems and issued a security advisory regarding this.
BPFDoor is a malware that aims to hide itself for a long time within a Linux system by exploiting BPF (Berkeley Packet Filter) technology to achieve advanced stealth and evasion capabilities.
BPFDoor exploits BPF (Berkeley Packet Filter) to receive only specific trigger packets at the kernel level, and uses 229 BPF Instruction Sets.
- The number of Instruction Sets and the magic sequence may differ depending on the version of BPFDoor.
- It applies various anti-forensic techniques such as process name masquerading and daemonization, memory-based replication and execution hiding, and history recording blocking.The BPFDoor used in the attack is known to be used by the Chinese-backed APT group Earth Bluecrow (aka Red Menshen), and a BPFDoor Controller exclusively used by the group has recently been discovered.
https://medium.com/s2wblog/detailed-analysis-of-bpfdoor-targeting-south-korean-company-328171880a98
KrCERT SK Telecom IoCs
https://www.boho.or.kr/kr/bbs/view.do?bbsId=B0000133&pageIndex=1&nttId=71726&menuNo=205020
Reporting on North Korea
Rolling in the Deep(Web): Lazarus Tsunami
Von Nicolas Sprenger provides further details on this alleged North Korean operation which has been covered extensively. The C2 infrastructure is something which should be a focus..
The „Contagious Interview“-Campaign is ongoing and responsible for the theft of common and less common crypto-currencies.
The Threat Actor (TA) actively develops new tooling and uses Pastebin-Accounts and TOR .onion-Domains for C2.
The identified Tsunami-Malware is in active development and incorporates multiple crypto miners and credential stealers.
https://research.hisolutions.com/2025/04/rolling-in-the-deepweb-lazarus-tsunami/
Reporting on Iran
Nothing overly of note this week..
Reporting on Other Actors
Pahalgam Attack themed decoys used by APT36 to target the Indian Government
Rhishav Kanjilal details this alleged Pakistani operation, whilst the operation is topical the tradecraft is rudimentary…
Seqrite Labs APT team has discovered “Pahalgam Terror Attack” themed documents being used by the Pakistan-linked APT group Transparent Tribe (APT36) to target Indian Government and Defense personnel. The campaign involves both credential phishing and deployment of malicious payloads, with fake domains impersonating Jammu & Kashmir Police and Indian Air Force (IAF) created shortly after the April 22, 2025 attack. This advisory alerts about the phishing PDF and domains used to uncover similar activity along with macro-laced document used to deploy the group’s well-known Crimson RA
Fake GIF Leveraged in Multi-Stage Reverse-Proxy Card Skimming Attack
Ben Martin details the contemporary threat which is it comes to ecommerce websites. It is clear that this criminal threat is both technically capable but also focuses on doing a thing and doing it well.. also the shocking state of insecurity of some of these ecommerce sites is a thing of wonder/concern..
First off, it’s worth mentioning that the website in question was using a very out-of-date Magento installation, specifically version 1.9.2.4. This version of the Magento eCommerce platform is the last of its kind in the 1.X branch with Adobe having ended its support for it in June 2020, nearly half a decade ago.
…
What we’ve reviewed is a rather advanced, multi-stage carding attack targeting users making purchases on vulnerable eCommerce platforms, in this case Magento1. These threat actors are clearly quite advanced and put a lot of thought into setting up the infrastructure for this attack and crafting the payload.
Meta is not adequately meeting the demands of CERT Polska
CERT Poland detail some of their challenges in getting Meta to respond to their malicious domain reporting..
On December 5, 2024, we published CERT Polska expectations from Meta regarding the problem of fraud on its social media platforms. These expectations were also conveyed to Meta representatives and served as the basis for further discussions on improving the security of the platform's advertising mechanisms.
..
Meta has already stated that it will not implement the request to automatically block content related with domains included on the CERT Polska Warning List. There are also no planned changes to how content is indexed in the Ad Library. The changes in handling content reports from regular accounts are also not considered satisfactory. As for the request to expand the team of Polish-speaking moderators, there has been no response indicating whether any action has been taken. Meta has also not addressed the issue of proactively blocking accounts and pages that publish harmful ads.
https://cert.pl/en/posts/2025/03/evaluation-of-expectations-towards-meta/
Discovery
How we find and understand the latent compromises within our environments.
Hunting Scheduled Tasks
CH.Nesrine takes us on a bear hunt by walking through am end-to-end how to hunt scheduled tasks..
https://cherrabinesrine.github.io/posts/Hunting_Scheduled_Tasks/
Rude Awakening: Unmasking Sleep Obfuscation With TTTracer
Felix Mehta shows how to use time travelling debugging tracing to spot sleep obfuscation techniques in implants… this is a neat.
From my limited testing, this appears to be FAR MORE effective than taking a standard process dump of a suspected process. Not only because we can actually retrieve the decrypted beacon but also because:
We can potentially track the actual activities performed by the implant in the execution window
We can trace child processes spawned by the implant
We can perform further analysis at a later date especially if the capture is over a longer period of time
This is implant agnostic
I can see this method being used as an EDR response task or for IR teams to more easily collect potentially evasive samples for advanced analysis.
https://blog.felixm.pw/rude_awakening.html
Velociraptor: Server.Enrichment
Matt Green releases two AI server enrichment plugins to help those incident responders out there, got to love the initial prompt..
You are a Cyber Incident Responder and need to analyze data. You have an eye for detail and like to use short precise technical language. Analyze the following data and provide summary analysis:
… I wanted to be Batman though ..
https://docs.velociraptor.app/exchange/artifacts/pages/server.enrichment.openai/
https://docs.velociraptor.app/exchange/artifacts/pages/ollama/
Extracting Memory Objects with MemProcFS/Volatility3/Bstrings: A Practical Guide
Akash Patel (Dean) provides a practical walkthrough showing the power and value of memory analysis..
Think of RAM as a goldmine of real-time data. Anything that has happened on a system — running programs, opened documents, registry changes, and even deleted files — can still be floating around in memory.
If you know where to look, you can extract critical pieces of evidence, such as:
Running processes and their memory sections
Loaded DLLs and executables
Cached documents and registry hives
The NTFS Master File Table (which contains a list of all files on disk)
Active Windows services
With MemProcFS, all of these objects can be accessed like regular files, making extraction quick and hassle-free.
Defence
How we proactively defend our environments.
EntraFalcon
zh54321 provides a work aid to defenders which will surface some easy wins..
EntraFalcon is a PowerShell-based assessment tool for pentesters, security analysts, and system administrators to evaluate the security posture of a Microsoft Entra ID environment.
The tool helps uncover privileged objects, potentially risky assignments and Conditional Access misconfigurations that are often overlooked, such as:
Users with control over high-privilege groups or applications
External or internal enterprise applications with excessive permissions (e.g., Microsoft Graph API, Azure roles)
Users with Azure IAM role assignments directly on resources
Privileged accounts synced from on-premises
Inactive users or users without MFA capability
Unprotected groups used in sensitive assignments (e.g., Conditional Access exclusions, Subscription Owner, or eligible member of a privileged group)
https://github.com/CompassSecurity/EntraFalcon
Augmented LLM for Threat Hunting
Eito Tamura gives us a hint of what the AI augmented future might look like, although accuracy and hallucination concerns still haunt..
As we dive deeper into AI Red Teaming, we often explore AI-related research to gain both knowledge and hands-on experience. This mini-research project started as an exploration of the Model Context Protocol (MCP) through the development of an MCP server. I will briefly explain what MCP is, outline security-focused design considerations, and describe my MCP implementation to augment Claude LLM for interacting with Elasticsearch to assist with threat identification.
https://tierzerosecurity.co.nz/2025/04/29/mcp-llm.html
Incident Writeups & Disclosures
How they got in and what they did.
Blue Shield
When configurations go wrong..
On February 11, 2025, Blue Shield discovered that, between April 2021 and January 2024, Google Analytics was configured in a way that allowed certain member data to be shared with Google’s advertising product, Google Ads, that likely included protected health information. Google may have used this data to conduct focused ad campaigns targeted back to you. We want to reassure you no bad actor was involved, and, to our knowledge, Google has not used your information for any purpose other than these ads or shared your protected information with anyone.
https://oag.ca.gov/system/files/Blue%20Shield%20Member%20Notice%20Email.pdf
Vulnerability
Our attack surface.
Shadow Roles: AWS Defaults Can Open the Door to Service Takeover
Yakir Kadkoda and Ofek Itach detail an attack surface that organisations will want to be alive to..
In short – If any role in your account has AmazonS3FullAccess (either through an attached policy or inline permissions), it effectively has read/write access to every S3 bucket – and by extension, the ability to tamper with multiple AWS services. This turns a seemingly limited role into a powerful pivot point for lateral movement and privilege escalation within your cloud environment.
https://www.aquasec.com/blog/shadow-roles-aws-defaults-lead-to-service-takeover/
Exploring CVE-2025–24364 and CVE-2025–24365 in Vaultwarden
Two vulnerabilities in this password manager found by a Russian team..
Escalation of privilege via variable confusion in OrgHeaders trait (CVE‑2025‑24365)
RCE in the admin panel (CVE‑2025‑24364)
https://bi-zone.medium.com/exploring-cve-2025-24364-and-cve-2025-24365-in-vaultwarden-562ee308270f
Samsung MagicINFO Unauthenticated RCE
What is MagicINFO?
MagicINFO™ delivers a simple all-in-one platform to link your display ecosystem from anywhere. Create and deploy captivating content, gain powerful insights and flexibly manage and secure your hardware and software. MagicINFO™ elevates the power of your displays and improves business performance.
https://www.samsung.com/us/business/solutions/digital-signage-solutions/magicinfo/
the vulnerabilities are:
Does not check if the user performing the request is authenticated.
Accepts a filename and concatenates it to the path where a file should be saved.
Does not check the file extension specified in the request.
https://ssd-disclosure.com/ssd-advisory-samsung-magicinfo-unauthenticated-rce/
Offense
Attack capability, techniques and trade-craft.
Direct Kernel Object Manipulation (DKOM) attacks on ETW Providers
Ruben Boonen shows what is possible when you understand how a defensive system is implemented and you want to avoid being detected clumsy patch detection.. also a reminder on why a true signal is useful to ensure such systems are working as intended..
In this post I will focus specifically on patching Kernel Event Tracing for Windows (ETW) structures to render providers either ineffective or inoperable. I will provide some background on this technique, analyse how an attacker may manipulate Kernel ETW structures, and get into some of the mechanics of finding these structures. Finally, I will review how this technique was implemented by Lazarus in their payload.
https://knifecoat.com/Posts/Direct+Kernel+Object+Manipulation+(DKOM)+attacks+on+ETW+Providers
Powering up: Abusing Power Apps to compromise on-prem servers
Joshua Magri details a low severity issue which if it gets picked up and utilised by others may get patched..
In 2022, the default Power Apps behavior meant that when a Power Apps application was shared with users, any associated connections would be shared as well. This made it very easy for users to accidentally share connections with all users in an organization, when they may have only meant to share the frontend application. This behavior was changed in January 2024, according to Microsoft, making it much less likely that users will accidentally share out connections.
In 2022, however, X-Force Red identified a SQL connection using an “On-Premises Data Gateway” to connect to an on-prem SQL server that had been widely shared in this manner. While native SQL queries are not supported for on-prem SQL servers in Power Apps flows, X-Force Red identified that the “Transform data using Power Query” action could be used to execute native SQL queries against on-prem servers. This allowed X-Force Red to pivot to the on-prem SQL server and ultimately achieve all objectives for the engagement.
This bug was recently reported to the Microsoft Security Response Center (MSRC), and they have assigned it a Low severity, so we are now publishing the details.
https://www.ibm.com/think/x-force/abusing-power-apps-compromise-on-prem-servers
Ghosting AMSI - Cutting RPC to disarm AV
Andrea Bocchetti details an AMSI bypass which is novel but will be detectable through copy-on-write detections..
AMSI Bypass via RPC Hijack (NdrClientCall3) This technique exploits the COM-level mechanics AMSI uses when delegating scan requests to antivirus (AV) providers through RPC. By hooking into the NdrClientCall3 function—used internally by the RPC runtime to marshal and dispatch function calls—we intercept AMSI scan requests before they're serialized and sent to the AV engine.
Intercepted Arguments: Payloads are manipulated before hitting the AV, tricking AMSI into thinking clean data is being scanned.
Bypassing Detection: Unlike traditional methods that patch AmsiScanBuffer or set internal flags (like amsiInitFailed), this operates one layer deeper—at the RPC runtime itself.
No AMSI.dll Modification: Because AMSI itself isn't touched, this method evades both signature-based and behavior-based detection engines.
https://github.com/andreisss/Ghosting-AMSI
GPOHound
MaxToffy, Ozwald and Daniel release a tool to further enrich BloodHound with possible escalation paths in an environment..
GPOHoundis a tool for dumping and analysing Group Policy Objects (GPOs) extracted from the SYSVOL share.It provides a structured, formalized format to help uncover misconfigurations, insecure settings, and privilege escalation paths in Active Directory environments.
The tool integrates with BloodHound's Neo4j database, using it as an LDAP-like source for Active Directory information while also enriching it by adding new relationships (edges) and node properties based on the analysis.
https://github.com/cogiceo/GPOHound
Practical Malware Development
Rad shows how to build Windows implants and then automate the builds with Github.. the techniques on show teams should ensure they have coverage of.
https://github.com/rad9800/PMD
Exploitation
What is being exploited..
Investigating an in-the-wild campaign using RCE in CraftCMS
Nicolas Bourras walks through how this vulnerability was exploited and what the threat actor did subsequently..
tl;dr
On the 14th of February, a threat actor compromised a web server using CVE-2025-32432.
The threat actor used it to download a file manager written in PHP on the server which was later used to upload other PHP files to the server.
The rest of this section will cover the following points:
Investigating a Craft CMS incident: details about which logs were used during the investigation.
Exploiting CVE-2025-32432: details about how the threat actor leveraged the CVE to compromise the web server.
Post-exploitation: details about the actions performed by the threat actor after leveraging the CVE.
https://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms/
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
SQLMap AI Assistant
Atilla also gives a hint of the future where this 19 year old project gets an AI wrapper upgrade..
An AI-powered wrapper around SQLMap that makes SQL injection testing more accessible and automated.
Features
AI-assisted SQL injection testing
Automated result analysis and next step suggestions
User-friendly output and reporting
NEW: Adaptive step-by-step testing with DBMS-specific optimizations and WAF bypass
https://github.com/atiilla/sqlmap-ai
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Annual report
Why the China-India relationship matters for the future of the global order
Artificial intelligence
Books
Nothing overly of note this week
Events
CHERI Blossoms Conference 2025 - videos and slides now online
CyberUK starts May 7th in Manchester - you can watch online
Unless stated otherwise, linked or referenced content does not necessarily represent the views of the NCSC and reference to third parties or content on their websites should not be taken as endorsement of any kind by the NCSC. The NCSC has no control over the content of third party websites and consequently accepts no responsibility for your use of them.
This newsletter is subject to the NCSC website terms and conditions which can be found at https://www.ncsc.gov.uk/section/about-this-website/terms-and-conditions and you can find out more about how will treat your personal information in our privacy notice at https://www.ncsc.gov.uk/section/about-this-website/privacy-statement.