Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week nothing overly of note.
In the high-level this week:
Strategy of the [Swiss] National Cyber Security Centre NCSC - Switzerland currently faces the following main challenges in relation to cyber security:
High vulnerability of businesses, authorities, academia and the general population to cyberattacks;
Insufficient ability to respond to systemically relevant cyber incidents and crises;
Low maturity of digital products and services, in terms of cyber security and lack of quality control mechanisms thereof;
Only selective understanding of all aspects of cyber security in business, society and politics;
Lack of transparency and data, in order to assess information on cyber security and deriving respective political and economic measures in response;
Limited protection of actors, which are not considered critical infrastructure;
Lack of coordination and legal grey areas between official and private cyber security instruments.
United States International Cyberspace & Digital Policy Strategy - US State Department releases - “Autocratic states and other actors, however, have used cyber and digital tools to threaten international peace and stability, harm others, exert malign influence, and undermine the exercise of human rights.”
CISA Secure by Design Pledge - CISA - some technical debt components to the pledges which arguably are as if not more important.
DHS, CISA Announce Membership Changes to the Cyber Safety Review Board - CISA - some powerful additions.
Fact Sheet: 2024 Report on the Cybersecurity Posture of the United States - The White House (not me) - “Over the past year, U.S. national cybersecurity posture improved, driven by steady progress towards the 2023 National Cybersecurity Strategy’s (NCS) vision of a defensible, resilient, and values-aligned digital ecosystem. Achieving this vision requires two fundamental shifts in how we allocate roles, responsibilities, and resources in cyberspace by (1) rebalancing the responsibility to defend cyberspace away from end users and to the most capable and best-positioned actors in the public and private sectors, and (2) realigning incentives to favor long-term investments in future resilience.”
Director of National Intelligence Cyber Threat Intelligence Integration Center (CTIIC) Welcomes First Director of Strategic Cyber Partnerships - US Office of the Director of National Intelligence - “Chris Zimmerman’s work at CTIIC will be instrumental in advancing the cyber intelligence mission with key industry partners,”
Retired General Paul Nakasone named founding director of Institute for National Defense and Global Security - “Vanderbilt University is proud to announce the launch of the Institute for National Defense and Global Security. The founding director and leader of the institute will be retired General Paul M. Nakasone, who has served as commander of U.S. Cyber Command, director of the National Security Agency, and chief of the Central Security Service.”
Australia-Republic of Korea 2+2 Foreign and Defence Ministers' Meeting - Aussie Foreign Ministry - “The Ministers affirmed their commitment under the MOU on Cyber and Critical Technology Cooperation. They agreed to expand cooperation in critical emerging technology standards-setting, including in artificial intelligence (AI), quantum and telecommunications technologies, including through the next Cyber and Critical Technology Policy Dialogue. The Ministers welcomed the release of each country's respective Cyber Security Strategies, noting these offer opportunities to work together to uphold international law and the norms of responsible state behaviour in cyberspace, as well as to deter and prevent malicious cyber activities including through public attribution when necessary.”
APT28 on the naughty(er) step - this is what coalition building looks like when you have allies.
Germany warns of consequences for alleged Russian cyber attack - Reuters reports - "We can now clearly attribute last year's attack to the Russian group APT28, which is controlled by the Russian military intelligence service GRU," Baerbock told a press conference in Adelaide.
Attribution of a Russian cyber campaign The Federal Government condemns in the strongest possible terms – and with the support of the European Union, NATO and international partners - German Federal Government asserts - “The Federal Government condemns in the strongest possible terms – and with the support of the European Union, NATO and international partners – the campaign by the state-sponsored cyber actor APT28 that targeted the Executive Committee of the Social Democratic Party of Germany.”
Statement of the MFA on the Cyberattacks Carried by Russian Actor APT28 on Czechia - Czechia Government asserts - “Czechia jointly with Germany, the European Union, NATO and international partners strongly condemns activities of the Russian state-controlled actor APT28, who has been conducting a long-term cyber espionage campaign in European countries. APT28 is associated with Russian military intelligence service GRU.”
UK joins partners in condemnation of malicious cyber activity by Russian Intelligence Services: UK government statement - United Kingdom Government asserts “The United Kingdom stands with the European Union, Germany, Czechia and other allies in strongly condemning malicious cyber activity by Russian Intelligence Services.”
Cyber: Statement by the High Representative on behalf of the EU on continued malicious behaviour in cyberspace by the Russian Federation - European Union asserts - “The European Union and its Member States, together with international partners, strongly condemn the malicious cyber campaign conducted by the Russia-controlled Advanced Persistent Threat Actor 28 (APT28) against Germany and Czechia.”
Statement by the North Atlantic Council concerning malicious cyber activities against Germany and Czechia - NATO asserts - “We stand in solidarity with Germany following the malicious cyber campaign against a political party, in this case the Social Democratic Party of Germany, and with Czechia following the malicious cyber activities against its institutions.”
Cyberbiosecurity in the new normal: Cyberbio risks, pre-emptive security, and the global governance of bioinformation - Cambridge University Press opines - “This article brings the discussion on cyberbiosecurity into the realms of International Relations and Security Studies by problematising the futuristic threat discourses co-producing this burgeoning field and the pre-emptive security measures it advocates, specifically in relation to bioinformation.”
NASA Cybersecurity: Plan Needed to Update Spacecraft Acquisition Policies and Standards - US Government Accountability Office opines - “NASA issued a guide on space security in 2023 that includes principles and practices to help spacecraft development programs with cybersecurity. For example, one principle states a space system should protect against unauthorized access. However, the agency has not yet incorporated these practices into its spacecraft acquisition policies. We recommended that NASA do so to ensure that spacecraft can resist cybersecurity threats.”
Defending Democracy
FBI warns that foreign adversaries could use AI to spread disinformation about US elections - Associated Press reports
In Arizona, election workers trained with deepfakes to prepare for 2024 - Washington Post reports
Reporting on/from China
US diplomats told China to stop Volt Typhoon campaign — It’s becoming more advanced, intelligence officials say - NextGov reports - “The news comes after a recent diplomatic trip to China two weeks ago, where the State Department’s cyberspace and digital policy ambassador Nathaniel Fick and Secretary of State Anthony Blinken told Chinese officials in Shanghai and Beijing that the Volt Typhoon activity has hit a boiling point, Fick told reporters in a separate briefing at the conference.”
The Chinese Conception of Cybersecurity: A Conceptual, Institutional, and Regulatory Genealogy - Journal of Contemporary China opines - “The evolution of China’s notion of cybersecurity contains clear continuities, which evolve and grow more complex over time. Reflecting China’s usual approach of ‘relentless gradualism’, the concerns that animated Beijing in the late 1990s are still the core of the Chinese risk and threat perception today: digitally enabled threats to the integrity of the regime and the ability to fulfil its political programme, and vulnerabilities stemming from relative Chinese technological and commercial dependence and backwardness. As such, China’s cybersecurity narrative is deeply embedded in, and a manifestation of, its broader national security vision”
Chinese-made surveillance kit to be removed from sensitive sites by 2025, says UK - Reuters reports - “Britain expects to have removed Chinese-made surveillance technology from sensitive sites by April 2025, as it seeks to tighten security amid increasing concerns about Beijing's spying activities, the British government said on Monday.”
Chinese localities test debt-for-data swaps as liabilities reach troubling highs - South China Morning Post reports - “Analysts said with land sales no longer providing the revenue they once did, intangible assets like data might help some local governments inject life into their ledgers.” - reminds me of the book Capitalism Without Capital: The Rise of the Intangible Economy
Chinese startup launching RISC-V laptop for devs and engineers priced at around $300 - Tom’s Hardware reports - “While not exactly blazing fast compared to, for example, the Intel Core Ultra CPU, SpacemiT’s K1 SoC does provide 2 TOPS of AI computing power.”
Related China’s use of RISC-V chip standard faces headwinds amid US scrutiny and Google’s end of Android support - reports South China Morning Post - including “Google last week removed RISC-V support from the Android kernel, which is the computer program at the core of the operating system.”
Loongson Zhongke: The shipment volume of the two chips 3A5000 / 3A6000 in the first quarter has reached the level of last year - IT House reports - “Loongson Zhongke believes that customers in the current policy market are constantly updating their understanding of the degree of autonomy and controllability, which is expected to have a positive impact on related chip sales.” - International supply constraints driving domestic consumption
Artificial intelligence
Universal Adversarial Triggers Are Not Universal - “We find that APO models are extremely hard to jailbreak even when the trigger is optimized directly on the model.”
Latest Chinese large model evaluation: Baichuan 3 ranks first in China - IT House reports - “Baichuan 3 ranks first among domestic large models, followed by large models such as Zhipu GLM-4, Tongyi Qianwen 2.1, Wenxinyiyan 4.0, and Moonshot (Kimi). From a global perspective, the scores of GPT-4 and Claude3 of foreign counterparts are even better.”
Four start-ups lead China’s race to match OpenAI’s ChatGPT - Financial Times reports - “Four Chinese generative artificial intelligence start-ups have been valued at between $1.2bn and $2.5bn in the past three months, leading a pack of more than 260 companies vying to emulate the success of US rivals such as OpenAI and Anthropic.”
CFTC Technology Advisory Committee Advances Report and Recommendations to the CFTC on Responsible Artificial Intelligence in Financial Markets - “Without appropriate industry engagement and relevant guardrails (some of which have been outlined in existing national policies), potential vulnerabilities from using AI applications and tools within and outside the CFTC could erode public trust in financial markets, services, and products.”
Guidelines on the Use of AI In International Arbitration published - “These Guidelines on the Use of Artificial Intelligence in Arbitration (the Guidelines) introduce a principle-based framework for the use of artificial intelligence (AI) tools in arbitration at a time when such technologies are becoming increasingly powerful and popular. They are intended to assist participants in arbitrations with navigating the potential applications of AI.”
Acceptable Use Policies for Foundation Models - Stanford University research - “There are several gray areas where some companies include content-based restrictions and others do not. Content related to politics, eating disorders, sex, and medical advice are among the areas where some companies have harsh prohibitions and others are silent.”
Cyber proliferation
Israeli Spyware Firm NSO Group Drags Researchers to Court - The Intercept reports - “NSO Group, which makes Pegasus spyware, keeps trying to extract information from Citizen Lab researchers — and a judge keeps swatting it down.”
A Web of Surveillance - Unravelling a murky network of spyware exports to Indonesia - Amnesty International reports - “This research provides a case study on how one country, Indonesia, is relying on a murky ecosystem of surveillance suppliers, brokers and resellers that obscures the sale and transfer of surveillance technology.”
Bounty Hunting
Israeli private eye arrested in UK over alleged hacking for US PR firm - Reuters reports - “Labram said that the U.S. allegations include that an unnamed Washington-based PR and lobbying firm paid one of Forlit's companies 16 million pounds ($20 million) "to gather intelligence relating to the Argentinian debt crisis".”
LockBit leader unmasked and sanctioned - UK National Crime Agency - “A leader of what was once the world’s most harmful cyber crime group has been unmasked and sanctioned by the UK, US and Australia, following a National Crime Agency-led international disruption campaign.”
US Treasury and Department of Justice join the party - “Today, the United States designated Dmitry Yuryevich Khoroshev, a Russian national and a leader of the Russia-based LockBit group, for his role in developing and distributing LockBit ransomware. This designation is the result of a collaborative effort with the U.S. Department of Justice, Federal Bureau of Investigation, the United Kingdom’s National Crime Agency, the Australian Federal Police, and other international partners. Concurrently, the Department of Justice is unsealing an indictment and the Department of State is announcing a reward offer for information leading to the arrest and/or conviction of Khoroshev. The United Kingdom and Australia are also announcing the designation of Khoroshev.”
As do the Aussies in the guise of their Foreign Ministry - “Australia has imposed a targeted financial sanction and travel ban on Russian citizen Dmitry Yuryevich Khoroshev for his senior leadership role in the LockBit ransomware group.”
Russian suspected cybercrime kingpin pleads guilty in US, TASS reports - “Alexander Vinnik, a Russian suspected cybercrime kingpin who was arrested in Greece in 2017, convicted of money laundering in France three years later and is now awaiting trial in California, has pleaded partially guilty, TASS news agency cited his lawyer as saying on Saturday.”
Former Cybersecurity Consultant Arrested For $1.5 Million Extortion Scheme Against IT Company- US Department of Justice reports - "He threatened to “upload all of the documents in his possession immediately once the case is filed” if the company did not settle his claims for $1.5 million"
Berkshire’s Jain on Cyber: ‘The Mindset Should Be You’re Not Making Money’ - Insurance Journal reports - “Yes, profitability has been “fairly high” for cyber insurers, but Berkshire Hathaway has been “very, very careful when it comes to taking on cyber insurance liabilities,” because “there’s not enough data to be able to hang your hat on and say what your true loss cost is,” said Ajit Jain at the conglomerate’s annual shareholder meeting over the weekend in Omaha, Nebraska.”
Reflections this week are really an ask on the topic of evidence of efficacy of interventions. If you have evidence of interventions in cyber which really are working at the scale and pace we need we/I would love to hear from you. This in the spirit of the UK’s What Works Network.
Think someone else would benefit? Share:
All attribution is by others and not the UK Government unless specifically stated as such, please see the legal text at the end.
Have a lovely Friday..
Ollie
Cyber threat intelligence
Who is doing what to whom and how allegedly.
Reporting on Russia
Cyber operations by Russia: new objectives, tools and groups. Analytics on the hacker attacks against Ukraine in H2 2023
Ukrainian Government alleges various Russian activities, the sectoral targeting will be of note.
An emerging trend of the H2 2023 is the growing interest of the adversary’s hacker groups in the Ukrainian telecommunications sector. It can be regarded as an escalation in a way, as the adversary is trying to retain the initiative and its presence in the Ukrainian information infrastructure.
APT28 campaign targeting Polish government institutions
Polish CERT alleges an active campaign this week by APT28 - the tradecraft of phishing via email and then malicious archives with executables is a well worn one and shouldn’t pose a problem to mature organisations.
This week, the CERT Polska (CSIRT NASK) and CSIRT MON teams observed a large-scale malware campaign targeting Polish government institutions. Based on technical indicators and similarity to attacks described in the past (e.g. on Ukrainian entities), the campaign can be associated with the APT28 activity set, which is associated with Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).
https://cert.pl/en/posts/2024/05/apt28-campaign/
Russia-Linked CopyCop Uses LLMs to Weaponize Influence Content at Scale
Insikt Group allege a Russian linked information operation in this reporting which is using ‘AI’ for bad. No comment is given on the quality of the hallucinations.
In early March 2024, Insikt Group identified an influence network using inauthentic United States (US), United Kingdom (UK), and French media outlets to publish political content at scale using large language models (LLMs) related to the US, UK, Ukraine, Israel, and France.
The network uses generative artificial intelligence (AI) to plagiarize, translate, and edit content from mainstream media outlets, using prompt engineering to tailor content to specific audiences and introduce political bias. In addition to plagiarized content, the network has started garnering significant engagement by posting targeted, human-produced content in recent weeks.
This network has strong infrastructure ties to disinformation outlet DCWeekly, operated by US citizen and fugitive John Mark Dougan, who fled to Russia in 2016. Moreover, CopyCop content is being amplified by known Russian state-sponsored influence threat actors, such as Doppelgänger and Portal Kombat, in addition to CopyCop amplifying content from known influence fronts such as the “Foundation to Battle Injustice” (FBR/FBI), which was previously financed by Russian oligarch Yevgeny Prigozhin, and InfoRos, an inauthentic news agency very likely operated by the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU/GU) Unit 54777.
https://go.recordedfuture.com/hubfs/reports/cta-2024-0509.pdf
A (Strange) Interview With the Russian-Military-Linked Hackers Targeting US Water Utilities
Andy Greenberg also reports on alleged sectoral targeting by this Russian aligned threat actor. Interesting times for CNI and something to take heed of.
After that initial, less-than-friendly exchange of ideas, WIRED reached out to Cyber Army of Russia's Telegram account to continue the conversation. So began a strange, two-week-long interview with the group's spokesperson, “Julia," represented by an apparently AI-generated image of a woman standing in front of Red Square's St. Basil's Cathedral.
laid out the group's ethos and motivations, and explained the rationale for the hackers' months-long cyber sabotage rampage, which initially focused on Ukrainian networks but has more recently included an unprecedented string of attacks hitting US and European water and wastewater systems.
https://www.wired.com/story/cyber-army-of-russia-interview/
Reporting on China
Analysis of ArcaneDoor Threat Infrastructure Suggests Potential Ties to Chinese-based Actor
The Censys Research Team allege a China-based actor and then go on to caveat their findings.
When we investigated the actor-controlled IPs provided by Talos in Censys data and cross-referenced them with other certificate indicators, we discovered compelling data suggesting the potential involvement of an actor based in China, including links to multiple major Chinese networks and the presence of Chinese-developed anti-censorship software. It’s tough to draw definitive conclusions at this stage.
Reporting on North Korea
Advisory on Democratic People's Republic of Korea (DPRK) information technology (IT) workers
The Australian Government issues an interesting warning which puts insider risk squarely in the frame.
The Australian Sanctions Office, in the Department of Foreign Affairs and Trade, is publishing an advisory to alert the community to attempts by the Democratic People's Republic of Korea (DPRK) and remote DPRK information technology (IT) workers to obtain employment while posing as non-DPRK nationals.
The DPRK has dispatched thousands of highly skilled IT workers around the world. The DPRK's extensive illicit IT worker operations help finance the regime's unlawful weapons of mass destruction and ballistic missile program. DPRK IT workers earn revenue for the DPRK that contributes to its weapons programs in violation of United Nations Sanctions Committee and Australia's autonomous sanctions.
LNK File Disguised as Certificate Distributing RokRAT Malware
Yeeun details a rather basic campaign allegedly by North Korea. Should one infer it is effective and thus they keep doing it?
[We] confirmed the continuous distribution of shortcut files (*.LNK) of abnormal sizes that disseminate backdoor-type malware. The recently confirmed shortcut files (*.LNK) are found to be targeting South Korean users, particularly those related to North Korea.
https://asec.ahnlab.com/en/65076/
Reporting on Iran
Iran-Aligned Emerald Divide Influence Campaign Evolves to Exploit Israel-Hamas Conflict
Insikt allege that an Iranian group has been running information operations since 2021.
Since 2021, Emerald Divide has demonstrated the ability to dynamically shift influence operations, activities, and objectives based on Israel’s evolving political landscape, most recently seeking to exploit the ongoing Israel-Hamas conflict to sow discontent among Israeli citizens regarding the Israeli government’s response to Hamas’s attacks. This Emerald Divide influence campaign is ongoing, continually adopting new and innovative influence tactics and techniques, such as using digital emailing campaigns hosted on a crowdfunding platform, social media reference landing pages, and a geographic web mapping platform, as well as emerging technology such as artificial intelligence (AI)-generated deepfakes, likely increasing the campaign’s ability to reach targeted audiences and drive engagement.
Emerald Divide has consistently used a robust influence infrastructure consisting of over sixteen social media accounts appealing to specific and sometimes conflicting target audiences, thereby playing both sides of contentious socio-political debates and provoking division. Currently, the campaign continues to actively use seven primary social media accounts and a large coordinated inauthentic behavior (CIB) network on social media, demonstrating this campaign’s ability to avoid account and network takedowns.
https://go.recordedfuture.com/hubfs/reports/ta-2024-0508.pdf
Reporting on Other Actors
Mal.Metrica Redirects Users to Scam Sites
Ben Martin details a campaign where an actor collects their own management information for performance measurement.
Rather than injecting JavaScript into the website code (which is very common for malware injections), the infection simply creates an image overlay with a link to the malicious domain.
Mal.Metrica is a massive malware campaign targeting known vulnerabilities in popular WordPress plugins. Similar to Balada Injector, Mal.Metrica takes advantage of recently disclosed vulnerabilities to inject external scripts that utilize domain names resembling some CDN or web analytics services. The malware is known to inject Yandex.Metrica scripts to track performance of their injections.
https://blog.sucuri.net/2024/05/mal-metrica-redirects-users-to-scam-sites.html
Guntior - an advanced bootkit that doesn't rely on Windows disk drivers
Artem Baranov details a bootkit which is over ten years old and used direct disk access. The novelty for its time is of note.
I first stumbled upon this interesting malware sample about a decade ago, being a contributor to the kernelmodeinfo forum. Amid the rise of bootkits at that time, the dropper was captured in-the-wild and posted on one of the malware trackers. The malware was called "Guntior", after the device object its authors had chosen for it (\Device\Guntior). The name also appears in AV detections.
The direct disk access feature is quite unique for malware - it's not clear what advantages it provides for the authors. The rootkit doesn't intercept the disk or disk port driver dispatch functions to hide its malicious sectors so any disk dumper tool can be used to detect these anomalies. One can only assume that the authors decided to rely on that comprehensive list of security products to be disabled rather than on hiding malicious activity in the live system.
Unlike its notorious counterparts such as Tdss (Tidserv) or Rovnix, this bootkit doesn't support its own disk partition and file system to store the malware modules. The original MBR and malware modules are simply written to the end of the disk without any additional preparations. This hints to us that the malware doesn't support a plugin architecture and its features are limited to the original ones implemented in the payload DLL.
https://artemonsecurity.blogspot.com/2024/04/guntior-story-of-advanced-bootkit-that.html
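The write-up's point that "any disk dumper tool can be used to detect these anomalies" can be turned into a small check. The following is an added example, not code from Artem Baranov's post or the Guntior sample: it parses the MBR partition table of a raw disk image, walks the slack sectors past the last partition, and flags stashed boot-sector copies and payload data; the image it scans is constructed synthetically in memory.

```python
"""Find boot-sector copies and payload data stashed past the last partition.

Added example, not code from Artem Baranov's post or the Guntior sample.
A Guntior-style bootkit keeps the original MBR and its modules at the end of
the disk without hiding them, so a plain sector read of the area after the
last partition (which the bootkit does not filter) reveals the anomaly.
The disk image below is constructed synthetically in memory.
"""
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"
PT_OFFSET = 446           # partition table lives at bytes 446..509 of the MBR


def parse_partitions(mbr: bytes):
    """Return [(type, start_lba, sector_count)] for the used entries in an MBR."""
    if len(mbr) < SECTOR or mbr[510:512] != BOOT_SIG:
        raise ValueError("sector lacks a valid MBR boot signature")
    parts = []
    for i in range(4):
        off = PT_OFFSET + 16 * i
        ptype = mbr[off + 4]
        start, count = struct.unpack_from("<II", mbr, off + 8)
        if ptype and count:
            parts.append((ptype, start, count))
    return parts


def looks_like_boot_sector(sec: bytes) -> bool:
    """A 0x55AA signature plus at least one sane partition entry."""
    if sec[510:512] != BOOT_SIG:
        return False
    try:
        return bool(parse_partitions(sec))
    except ValueError:
        return False


def scan_slack(image: bytes):
    """Walk every sector after the last partition and classify non-empty ones.

    Returns a list of (lba, kind) with kind "boot_sector" or "data".  Stale
    non-zero sectors from earlier disk use would also show up as "data", so
    a boot-sector copy in the slack is the stronger signal.
    """
    live_mbr = image[:SECTOR]
    parts = parse_partitions(live_mbr)
    end_lba = max(start + count for _, start, count in parts)
    total = len(image) // SECTOR
    findings = []
    for lba in range(end_lba, total):
        sec = image[lba * SECTOR:(lba + 1) * SECTOR]
        if not any(sec):
            continue                       # zeroed slack, nothing to see
        kind = "boot_sector" if looks_like_boot_sector(sec) else "data"
        findings.append((lba, kind))
    return findings


def original_mbr_stashed(live_mbr: bytes, candidate: bytes) -> bool:
    """True when the candidate shares the live partition table but carries
    different boot code: the classic 'original MBR saved, boot code replaced'."""
    same_table = live_mbr[PT_OFFSET:510] == candidate[PT_OFFSET:510]
    return same_table and live_mbr[:PT_OFFSET] != candidate[:PT_OFFSET]


# ---- constructed test image (not a real sample) ---------------------------

def build_mbr(boot_code: bytes, parts) -> bytes:
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    for i, (ptype, start, count) in enumerate(parts):
        off = PT_OFFSET + 16 * i
        mbr[off + 4] = ptype
        struct.pack_into("<II", mbr, off + 8, start, count)
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)


def build_demo_image(total_sectors: int = 4096) -> bytes:
    """One NTFS-typed partition, then an 'infected' layout: the live MBR has
    replaced boot code while the original MBR and ten payload sectors sit
    near the end of the disk, exactly where a dumper would find them."""
    parts = [(0x07, 64, 3000)]                         # ends at LBA 3064
    clean = build_mbr(b"\xeb\xfe" + b"\x90" * 100, parts)
    infected = build_mbr(b"\xfa\x31\xc0" + b"\xcc" * 200, parts)
    img = bytearray(total_sectors * SECTOR)
    img[:SECTOR] = infected
    img[4000 * SECTOR:4001 * SECTOR] = clean            # stashed original MBR
    for lba in range(4001, 4011):                       # placeholder modules
        img[lba * SECTOR:(lba + 1) * SECTOR] = bytes([lba & 0xff]) * SECTOR
    return bytes(img)


if __name__ == "__main__":
    image = build_demo_image()
    for lba, kind in scan_slack(image):
        print(f"LBA {lba}: {kind}")
```

On a real image the same scan reads the slack of the physical disk, not a file, and a hit at `original_mbr_stashed` is what tells a boot-code replacement apart from leftover data.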
Cyber Criminals Phishing and Smishing US Retail Corporations for Gift Card Fraud
FBI alert on a criminal campaign - of note will be the attempt to bypass (subvert?) multi-factor authentication. Which I assume is code for adversary in the middle.
As of January 2024, the FBI noted a cyber criminal group labeled STORM-0539, also known as Atlas Lion, targeting national retail corporations; specifically the gift card departments located in their corporate offices. STORM-0539 used smishing campaigns to target employees and gain unauthorized access to employee accounts and corporate systems. Once they gained access, STORM-0539 actors used phishing campaigns to target other employees to elevate network access and target the gift card department in order to create fraudulent gift cards. Some of the techniques, tactics, and procedures (TTPs) observed by STORM-0539 actors included:
Targeting a variety of employees’ personal and work mobile phones in retail departments with smishing campaigns.
Using a sophisticated phishing kit with the ability to bypass multi-factor authentication.
Once an employees’ account was compromised, conducting reconnaissance on the business network to identify the gift card business process and then pivoting to employee accounts covering that specific portfolio.
Once in the network, attempting to access secure shell (SSH) passwords and keys in addition to targeting credentials of employees in the gift card department.
After successfully gaining access to the corporate gift card department, creating fraudulent gift cards using compromised employee accounts.
In one instance, a corporation detected STORM-0539’s fraudulent gift card activity in their system, and instituted changes to prevent the creation of fraudulent gift cards. STORM-0539 actors continued their smishing attacks and regained access to corporate systems. Then, the actors pivoted tactics to locating unredeemed gift cards, and changed the associated email addresses to ones controlled by STORM-0539 actors in order to redeem the gift cards.
Exfiltrating employee data including names, usernames and phone numbers, which could be exploited by the actors for additional attacks or sold for financial gain
https://www.ic3.gov/Media/News/2024/240507.pdf
Unmasking Tycoon 2FA: A Stealthy Phishing Kit Used to Bypass Microsoft 365 and Google MFA
Laura Hamel, Garrett Guinivan, and Chris Dawson show the criminal eco-system of capability gets ever more complex.
Tycoon 2FA is a phishing-as-a-service (PhaaS) platform that was first seen in August 2023. Like many phish kits, it bypasses multifactor authentication (MFA) protections and poses a significant threat to users. Lately, Tycoon 2FA has been grabbing headlines because of its role in ongoing campaigns designed to target Microsoft 365 and Gmail accounts.
https://www.proofpoint.com/us/blog/email-and-cloud-threats/tycoon-2fa-phishing-kit-mfa-bypass
Discovery
How we find and understand the latent compromises within our environments.
Hunting in Azure subscriptions
Mary Asaolu provides a guide on how to do this in practice which will be useful to MSFT eco-system teams. It is almost like it might have been used recently..
[We delve] into various strategies and methodologies designed to enhance our grasp of the scope and complexity of how threat actors' manoeuvre within Azure subscriptions, thereby fortifying our defenses against the ever-evolving landscape of cyberattacks
A systematic literature review on advanced persistent threat behaviors and its detection strategy
Nur Ilzam Che Mat, Norziana Jamil, Yunus Yusoff and Miss Laiha Mat Kiah provide an academic perspective on this challenge. I have extracted the key paragraph in the below.
Our systematic literature review (SLR) begins with a summary of the relevant studies and their significance in the section “Related work.” The section “Research methodology” outlines the methodology used to identify the research considered in this review. The section “Results of the review” provides a classification and explanation of all the methods of APT detection reviewed here based on the approaches taken by them. The section “Discussion” provides a critical analysis of strategies of APT detection by considering attack-related attributes from both academia and the industry. Finally, the section “Future works” summarizes the conclusions of this study and provides directions for future research in the area.
..
The above classification-based analysis suggests that APT detection is mainly dependent on two elements: (i) the traces of attacks, and (ii) multi-stage attack scenarios. Traces can occur in the form of alerts generated by security devices, like the IDS and firewalls, and contain the IP address and port number of the initial target of the attacker.
https://academic.oup.com/cybersecurity/article/10/1/tyad023/7504935?login=false
Defence
How we proactively defend our environments.
How to enforce usage of Privileged Access Workstations for Admins
As I have said before, PAWs are one of the most effective controls, for the evident fact that if you have an admin machine which isn’t looking at cat pictures and reading email, and which exists in a higher tier, then the likelihood it will be breached is substantially reduced.
Sascha Windrath provides a guide on how to enforce this in the MSFT eco-system.
So, how do you make sure that highly privileged users must use their PAWs for working with highly privileged roles in Azure?
Let me show you some cool things to get there, as there are several technologies involved like Conditional Access, Microsoft Graph and some others like Microsoft Graph Explorer, PowerShell and a bit of Kusto for monitoring queries to give you a more complete picture.
Passkeys assemble
Various bits out on this, we should also be mindful of the competitive dynamics here. All of these companies know the value of owning the authentication and thus identity of users in an Internet eco-system.
New passkey support for Microsoft consumer accounts
Passkeys, Cross-Account Protection and new ways we’re protecting your accounts
https://blog.google/technology/safety-security/google-passkeys-update-april-2024/
On the counter there was also this release
Tale of Code Integrity & Driver Loads
A rabbit hole deep dive by Anandeshwar Unnikrishnan here which will be useful to teams trying to understand variance in behaviours.
The objective of this post is very simple – Understand how Core Isolation user setting affects the execution flow of driver loading.
https://sabotagesec.com/tale-of-code-integrity-driver-loads/
Elements of two-level SOC linkage between large networks
Chinese perspective on this challenge.
Every day we can see many articles and plans talking about the secure operation of SOCs, but few talk about the linkage of multi-level SOCs in large global networks. This article briefly discusses the elements of linkage in two-level SOCs.
BSOC and GSOC will basically set up front-line security monitoring personnel, second-line security analysts, and emergency response engineers. BSOC can independently complete monitoring, analysis, and response. Advanced threats monitored by BSOC will be immediately reported to GSOC's senior analysts. GSOC will also set up more threat hunting engineers. Threat hunting engineers will further hunt threats in the large network. The red team will continue to conduct drills on the entire network independently of BSOC and GSOC.
Announcing Zero Trust DNS Private Preview - "Zero Trust DNS (ZTDNS) in a future version of Windows
Tommy Jensen shows what is required of encrypted DNS to realise enterprise security.
ZTDNS integrates the Windows DNS client and the Windows Filtering Platform (WFP) to enable this domain-name-based lockdown. First, Windows is provisioned with a set of DoH or DoT capable Protective DNS servers; these are expected to only resolve allowed domain names.
A Bird’s-eye view: IceID to Dagon Locker (The DFIR Report)
Casey Smith provides a retrospective on how high noise digital trip wires might have helped in this instance. As deployments of these technologies grow one would hope so will the empirical evidence.
This post focuses on the most recent DFIR Report, IcedID to Dagon Locker Ransomware in 29 Days.
In our blog posts, we will share thoughts on how your organization can use Canaries and Canarytokens to prepare for such attacks before they occur.
https://blog.thinkst.com/2024/05/what-can-we-learn-from-this.html
Incident Writeups & Disclosures
How they got in and what they did.
Zscaler Security Update
Another breach, another non-production environment.
Zscaler is aware of a public X (formerly known as Twitter) post by a threat actor claiming to have potentially obtained unauthorized information from a cybersecurity company. There is an ongoing investigation we initiated immediately after learning about the claims. We take every potential threat and claim very seriously and will continue our rigorous investigation.
..
Our investigation discovered an isolated test environment on a single server (without any customer data) which was exposed to the internet. The test environment was not hosted on Zscaler infrastructure and had no connectivity to Zscaler’s environments.
https://trust.zscaler.com/zscaler.net/posts/18686
Vulnerability
Our attack surface.
CISA Vulnrichment
CISA shows what modern vulnerability enrichment looks like..
The CISA Vulnrichment project is the public repository of CISA's enrichment of public CVE records through CISA's ADP (Authorized Data Publisher) container. In this phase of the project, CISA is assessing new and recent CVEs and adding key SSVC decision points. Once scored, some higher-risk CVEs will also receive enrichment of CWE, CVSS, and CPE data points, where possible.
https://github.com/cisagov/vulnrichment
Suspicious hook-loading mechanism in hyprland
Sam James flags another potential disturbance in the open source universe.
hyprland seems to have committed an interesting homebrew malloc implementation (which is fine in theory), but the reasons for it existing & how it works are not so fine.
First, it relies on writing an object file at a predictable path in /tmp and reading it back later.
It was needed to facilitate a trampoline which looks.. unsound. The whole hook system looks terrifying.
https://seclists.org/oss-sec/2024/q2/182
NAT Slipstreaming v2.0
Proof once more that adversarial thinking is continuously required if we are to find the vulnerabilities in any sufficiently complex system. Just because someone looked and found some vulnerabilities doesn't mean all were found.
The new attack variant can allow attackers to reach any device within the internal network and simply requires a victim to click on a malicious link.
Impact of attack on unmanaged devices can be severe, ranging from a nuisance to full-blown ransomware attack.
Enterprise-grade NATs/firewalls from Fortinet, Cisco and HPE are confirmed to be affected, while others are likely affected as well
The collaboration resulted in a security disclosure with browser vendors to mitigate the attack
Google, Apple, Mozilla and Microsoft have released patches to Chrome, Safari, Firefox and Edge, that mitigate the new variant
https://www.armis.com/research/nat-slipstreaming-v2-0/
When "Phish-Proof" Gets Hooked
Nikos Laleas & Giuseppe Trotta identified a vulnerability in Okta which got resolved. It is notable the amount of Okta related research this week..
During a red team engagement, we discovered that the customer was using Okta FastPass, a phishing-resistant MFA solution as Okta claims. FastPass uses a client-side application, Okta Verify, to perform all the required checks and authenticate the user based on various factors such as biometrics or Windows Hello.
https://www.persistent-security.net/post/when-phish-proof-gets-hooked
Reading this makes me think that Okta is at the yellow stage in the below (from 2011 and Breaking the Inevitable Niche/Vertical Technology Security Vulnerability Lifecycle)
20 Security Issues Found in Xiaomi Devices
Numerous vulnerabilities found here showing that there is a way to go..
The vulnerabilities in Xiaomi led to access to arbitrary activities, receivers and services with system privileges, theft of arbitrary files with system privileges, disclosure of phone, settings and Xiaomi account data, and other vulnerabilities.
https://blog.oversecured.com/20-Security-Issues-Found-in-Xiaomi-Devices/
Offense
Attack capability, techniques and trade-craft.
Abusing MS Windows printing for C2 communication
One of the more innovative C2 solutions here, which might be challenging for some organisations to detect.
The C2 currently works as one-to-all. You can set up additional printers on the C2 server, modify the IPPrintC2.ps1 script, and run multiple instances
Exfiltration of documents needs improvement as it currently works with ASCII text-based files
Automatic cleaning of documents printed by clients requires improvements
The IPPrintC2 is provided as-is
https://diverto.hr/en/blog/2024-05-03-MS-Windows-Printing-C2/
Okta Terrify
Ceri Coburn hints at the future of attacks in this space.
Okta Terrify is designed to run on the attacker's machine. The tool requires the user's SID and a database file with legacy database format and, for the newer format, the database key. For the newer format, the database key can be generated using OktaInk. Okta Terrify has 4 operating modes controlled through various switches.
In --backdoor mode, Okta Terrify will launch the tenant Okta URL using the OAuth client id that the official Okta Verify application uses during enrollment. This will typically trigger the authentication flow and signing mode is active during this phase. Once an authenticated session is created, a new user verification key is generated on the attacking device and is enrolled as a fake biometric key. Once the key is enrolled, FastPass will operate in a passwordless state without any dependencies on the original compromised authenticator device.
https://github.com/CCob/okta-terrify
AMSI Write Raid Bypass
Victor Khoury shows both how one can write in the third person and details a new technique which will require consideration by blue teams.
a new bypass technique designed to bypass AMSI without the VirtualProtect API and without changing memory protection.
In summary, as part of JIT, the helper function writes the AmsiScanBuffer address in the DLL entry address at offset 0x786b00, but it does not change the permissions back to read-only. We can abuse this vulnerability by overwriting that entry to bypass AMSI without invoking VirtualProtect.
https://www.offsec.com/offsec/amsi-write-raid-0day-vulnerability/
Lateral movement and on-prem NT hash dumping with Microsoft Entra Temporary Access Passes
Dirk-jan Mollema highlights an attack mechanism that blue teams will want to be aware of and ensure they have detection coverage for.
Temporary Access Passes are a method for Microsoft Entra ID (formerly Azure AD) administrators to configure a temporary password for user accounts, which will also satisfy Multi Factor Authentication controls. They can be a useful tool in setting up passwordless authentication methods such as FIDO keys and Windows Hello. In this blog, we take a closer look at the options attackers have to abuse Temporary Access Passes for lateral movement, showing how they can be used for passwordless persistence and even to recover on-premises Active Directory passwords in certain hybrid configurations.
Since TAPs can be used to configure passwordless authentication methods, it shouldn’t be a surprise that we can also use them to configure Windows Hello for Business keys on accounts,
https://dirkjanm.io/lateral-movement-and-hash-dumping-with-temporary-access-passes-microsoft-entra/
Icon Injector
Novel, will be interesting to see if this gets picked up. Again something for detection engineering teams to be aware of.
Unorthodox and stealthy way to inject a DLL into the explorer using icons
The "icon" is actually a simple DLL file with an .ico extension that opens the calculator app with an icon resource that was added using the Resource Hacker.
There are some anomalies when it comes to the appearance of the icon in the folder view. I have tested this on two different Windows 10 versions (the newest and an older one) and on Windows 11.
https://github.com/0xda568/IconJector
Sharp Graph View
A toolset to develop telemetry-based detections for.
Sharp post-exploitation toolkit providing modular access to the Microsoft Graph API (graph.microsoft.com) for cloud and red team operations.
https://github.com/mlcsec/SharpGraphView
Relaying Kerberos Authentication from DCOM OXID Resolving
James Forshaw shows how this attack path works in practice.
The important difference with this new research is taking the abuse of DCOM authentication from local access (in the case of the many Potatoes) to fully remote by abusing security configuration changes or over granting group access. For more information I'd recommend reading the slides from Tianze Ding Blackhat ASIA 2024 presentation, or reading about SilverPotato by Andrea Pierini.
This short blog post is directly based on slide 36 of Tianze Ding presentation where there's a mention on trying to relay Kerberos authentication from the initial OXID resolver request
https://www.tiraniddo.dev/2024/04/relaying-kerberos-authentication-from.html
LSASS rings KSecDD Ext. 0
Claudio Contin details this technique which Windows defenders (and Defender) will need to be alive to. It also shows there continue to be Windows attack surfaces which are viable for circumventing various protections.
According to their proof of concept GitHub repository, the IOCTL_KSEC_IPC_SET_FUNCTION_RETURN operation of the Kernel Security Support Provider Interface (KSecDD.sys) allows the Local Security Authority Server Service (LSASS) to execute arbitrary kernel-mode addresses. The researcher also mentions that as soon as LSASS starts, it invokes lsass.exe!LsapOpenKsec where it connects itself to the interface using the IOCTL_KSEC_CONNECT_LSA operation. From this point on, no further process can connect to the interface and therefore the logic can only be triggered by LSASS...
The output indicated that our unsigned driver has been loaded successfully.
https://tierzerosecurity.co.nz/2024/04/29/kexecdd.html
Exploitation
What is being exploited.
Nothing this week or everything depending on how you count.
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
Secure Kernel Research with LiveCloudKd
Yarden Shafir updates this guidance for those working on Secure Kernel research.
LiveCloudKd allows you to attach a live debugger to a virtual machine and debug the secure kernel. The repository does have instructions for how to set up the debugger, but they didn’t fully work for me, so I’ll document my process here in hopes it helps someone else and show some uses for having a kernel debugger attached to the secure kernel.
https://windows-internals.com/secure-kernel-research-with-livecloudkd/
Android greybox fuzzing with AFL++ Frida mode
Eric Le Guevel shows what is possible and the relative performance overhead. I am more interested in whether this is yielding exploitable / valuable vulnerabilities.
This study shows that AFL++ is perfectly suited for greybox fuzzing in Android and that the Frida mode offers valuable configuration flexibility. This solution allows JNI functions in particular to be fuzzed with relatively little effort.
Other greybox fuzzing solutions for Android using AFL++ exist, for example the fpicker-aflpp-android project, which allows fuzzing in the context of an application and brings some facilities for the creation of harnesses. The AFL++ on Android with QEMU support article proposes an alternate solution using the QEMU mode.
https://blog.quarkslab.com/android-greybox-fuzzing-with-afl-frida-mode.html
CFG in Windows 11 24H2
Miloš details the Control Flow Guard changes in Windows 11 24H2. It will be interesting to see how implants are adjusted to take advantage (or not).
With hotpatching on Windows 11 comes SCP, a new feature whose purpose seems to be to provide relocatable, position-independent functions that can later be hooked painlessly into processes and individual modules. Even though the changes encompass more than CFG code, the majority of it seems to be focused on making CFG functions independent of external code & data.
The primary change is the implementation of new (but functionally the same) CFG functions in their dedicated sections in ntdll (usermode) and kCFG functions in ntoskrnl (kernel). The sections are copied and fixed up into their own dedicated pages at runtime, and these pages are then mapped into both processes and individual modules which satisfy some conditions related to hotpatching.
There don’t seem to be underlying security improvements and the changes are likely focused only on providing compatibility with hotpatching.
https://ynwarcs.github.io/Win11-24H2-CFG
Microsoft Warbird and PMP
Some interesting dynamics happening between these two parties.
Microsoft Protected Media Path (PMP) is a set of technologies whose goal is to enforce security of content (security of PlayReady DRM) in a Windows OS environment.
In Windows OS, Protected Media Path is implemented both in kernel and user space. It relies on crypto, code integrity, auth checks, white-box crypto and code obfuscation.
Microsoft Warbird is a compiler technology from Microsoft whose goal is to make reverse engineering (such as static and dynamic analysis) of code components comprising certain Windows OS components hard. More specifically, the goal is to make it hard to extract secrets pertaining to code implementation in an untrusted (under attacker's control) environment.
…
On Apr 12, 2024, Microsoft PlayReady team reached out to us with a request to report technical details and POC code through MSRC channel claiming that "by following the MSRC process to report your finding, it may be eligible for a reward" and that "close partnerships with the researcher community make customers more secure and we play an integral role by sharing issues under Coordinated Vulnerability Disclosure".
As a response, we informed Microsoft that we cannot provide the company with additional details / codes pertaining to our PlayReady security research on Windows as this can only happen through a commercial agreement, not MSRC reporting channel (Apr 15, 2024).
The rationale for it is quite simple. The research took us nearly 9 months of work (on top of the 6 months of R&D done in 2022, which has been "consumed" and in some way ignored by the company).
https://security-explorations.com/microsoft-warbird-pmp.html
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Aggregate reporting
Cybersecurity Baselines for Electric Distribution Systems and DER
Artificial intelligence
Books
Code Dependent: Living in the Shadow of AI ― Shortlisted for the Women's Prize for Non-Fiction
Carl Miller wrote about it in Literature Review
Events
ECCRI Oxford Cyber Forum - June in Oxford
Unless stated otherwise, linked or referenced content does not necessarily represent the views of the NCSC and reference to third parties or content on their websites should not be taken as endorsement of any kind by the NCSC. The NCSC has no control over the content of third party websites and consequently accepts no responsibility for your use of them.
This newsletter is subject to the NCSC website terms and conditions which can be found at https://www.ncsc.gov.uk/section/about-this-website/terms-and-conditions and you can find out more about how we will treat your personal information in our privacy notice at https://www.ncsc.gov.uk/section/about-this-website/privacy-statement.