Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week nothing overly of note beyond more alleged intrusions into core infrastructure.
In the high-level this week:
Helping banish malicious adverts and drive a secure advertising ecosystem - NCSC UK guides - “The presence of malvertising puts a duty on the advertising industry and hosting platforms to squeeze out those with malign intent. This is best done with a defence-in-depth approach, where each defensive measure provides a layer of security which, when deployed collectively, makes a cyber attack much less likely – and helps remove malicious advertisers from the ecosystem.”
Capture-the-Flag Contest Ecosystems Pitched to Policymakers - Gov Info Security reports (on a paper we covered here previously) - “The system the PRC created is unparalleled with some competitions attracting hundreds of universities and tens of thousands of students," report co-author Dakota Cary, a nonresident fellow at Atlantic Council, said in a post to X. "The U.S. and other governments should be inspired by China's CTF ecosystem. They've earned it."
Governing Through a Cyber Crisis - Cyber Incident Response and Recovery for Australian Directors - Australian Institute of Company Directors publishes - from February, but worth highlighting - “The resource expands on existing guidance in the AICD CSCRC Cyber Security Governance Principles and has been informed by insight from senior Australian directors, cyber security advisors and government.”
Cryptographic security: Critical to Europe's digital sovereignty - European Parliament Think Tank thinks - “The EU is working with Member States and the United States to speed up the transition to post-quantum cryptography, and is also exploring long-term quantum cryptography initiatives.”
Aussie Protective Security Framework annual release - Department of Home Affairs publishes - “The PSPF sets out Australian Government policy across six security domains and prescribes what Australian Government entities must do to protect their people, information and resources, both domestically and internationally.”
Legal certainty for the investigation of IT security gaps: Federal Ministry of Justice publishes draft law on computer criminal law - German Government publishes - “Anyone who wants to identify and close IT security gaps should not be exposed to the risk of criminal liability. To ensure this, the Federal Ministry of Justice is proposing an amendment to the computer criminal law.”
New Czech Act on Cybersecurity - Czech Government publishes - “The draft of the new law is based on the wording of the existing Act on Cybersecurity and meets the minimum requirements set out by the NIS2 Directive.”
Aussie Critical Infrastructure Annual Risk Review - Cyber and Infrastructure Security Centre publishes - “This year saw a number of cybersecurity incidents impact Australia’s critical infrastructure, caused inadvertently through human error or system failure, as well as from malicious activity. The consequences of incidents are increasingly causing enduring impacts beyond the initial disruption leading to longer-lasting disruption to capabilities.”
Fear over Facts: How Preconceptions Explain Perceptions of Threat Following Cyberattacks - Journal of Information Technology & Politics publishes - “Results show that people already predisposed to perceive cyberattacks as threatening experience a significant increase in perceptions of threat, while those initially viewing cyberattacks as harmless also have their beliefs reinforced. The data reveals how even minor incidents bolster cyber doom convictions.”
FBI has conducted more than 30 disruption operations in 2024 - Cyber Scoop reports - “The FBI is seeing progress in the fight against ransomware gangs after conducting more than 30 disruption operations this year in which officials targeted the infrastructure used by those groups, one of the bureau’s top cybersecurity officials said Wednesday.”
Inside the Massive Crime Industry That’s Hacking Billion-Dollar Companies - Wired reports - “Dark X told me that the apparent breach, which is possibly the largest hack of a consumer retailer ever, was partly due to luck. They just happened to get login credentials from a developer who had access to Hot Topic’s crown jewels. To prove it, Dark X sent me the developer’s login credentials for Snowflake, a data warehousing tool that hackers have repeatedly targeted recently.”
Reporting on/from China
Mapping out Europe’s Response to Grey Zone Escalations against Taiwan - China Strategic Risks Institute maps - “This paper maps out a range of scenarios where the PRC could escalate grey zone activities against Taiwan. European policymakers must be prepared for a full range of scenarios, from incursions into Taiwan’s contiguous zone to a ‘quarantine’ of Taiwanese goods and occupation of outlying islands.”
Why Chinese spies are sending a chill through Silicon Valley - The Telegraph reports - “Earlier this year, the US Justice Department charged Ding, 38, with stealing trade secrets from Google. Prosecutors said he had uploaded more than 500 files related to Google’s artificial intelligence technology to a personal account in an attempt to launch his own companies in China.”
Chinese Group Accused of Hacking Singtel in Telecom Attacks - Bloomberg reports - “Singapore’s largest mobile carrier, was breached by Chinese state-sponsored hackers this summer as part of a broader campaign against telecommunications companies and other critical infrastructure operators around the world, according to two people familiar with the matter.”
Cyber proliferation
Vatican, Israel implicated in Italy hacking scandal, leaked files reveal - Politico reports - “Calamucci, who previously boasted of penetrating the Pentagon with the Anonymous hacktivist collective, frequently referenced dozens of hackers working for him in Colchester, England. The firm also made use of servers in the United States and Lithuania, where they felt they were less vulnerable, according to leaked documents.”
Bounty Hunting
INTERPOL cyber operation takes down 22,000 malicious IP addresses - INTERPOL announces - “Operation Synergia II (1 April - 31 August 2024) specifically targeted phishing, ransomware and information stealers and was a joint effort from INTERPOL, private sector partners and law enforcement agencies from 95 INTERPOL member countries.”
Suspected Snowflake Hacker Arrested in Canada - 404 Media reports - “We can now confirm that, following a request by the United States, Alexander Moucka (a.k.a. Connor Moucka) was arrested on a provisional arrest warrant on Wednesday October 30, 2024. He appeared in court later that afternoon and his case was adjourned to Tuesday November 5, 2024.”
ABI and Lloyd’s of London publish guidance on major cyber events - The Association of British Insurers (ABI) and Lloyd’s of London - “have co-published a guide for (re)insurers on how to approach defining a major cyber event.”
Reflections this week are around passkeys and how all the pieces are clicking into place (see below). As said in previous notes we know if multi-factor authentication is comprehensively deployed ~60% of breaches would not manifest..
.. a passwordless future is within touching distance and that is pretty awesome.
All attribution is by others and not the UK Government unless specifically stated as such, please see the legal text at the end.
Have a lovely Saturday..
Ollie
Cyber threat intelligence
Who is doing what to whom and how allegedly.
Reporting on Russia
Unmasking VEILDrive: Threat Actors Exploit Microsoft Services for C2
Team Axon allege that Russian actors may be using Microsoft services in a way that looks like modern red team tradecraft but also frustrates some detection techniques..
As part of the investigation, we identified different Microsoft infrastructure components of additional victim organizations that were compromised and used by the attacker
The attacker leveraged different Microsoft SaaS services and applications as part of the campaign, including Microsoft Teams, SharePoint, Quick Assist, and OneDrive
The attacker used a unique OneDrive-based Command & Control (C&C) method as part of the malware found in the victim’s infrastructure
Based on the conclusions from our investigation, there is a significant probability that this campaign originates from Russia
https://www.hunters.security/en/blog/veildrive-microsoft-services-malware-c2
Reporting on China
QSC: A multi-plugin framework used by CloudComputating group in cyberespionage campaigns
Saurabh Sharma provides a fascinating insight into the operations of an alleged Chinese threat actor who is targeting ISPs/the telecommunications sector in Asia. Of note was the use of a latent implant to upgrade to their new framework.
When we first discovered the QSC framework in 2021, we had insufficient telemetry to find out how the framework was deployed or who the threat actor behind it was. We continued to monitor our telemetry for further signs of the QSC framework. In October 2023, we detected multiple instances of QSC files targeting an ISP in West Asia. Our investigation found that the target machines had been infected with the Quarian backdoor version 3 (aka Turian) since 2022, and the same attackers had used this access to deploy the QSC framework starting on October 10, 2023.
In addition to the QSC framework, the attackers also deployed a new backdoor written in Golang, which we have named “GoClient”. We saw the first deployment of this GoClient backdoor on October 17, 2023. After analyzing all the artifacts from this campaign, we assess, with medium confidence, that the CloudComputating threat actor is behind the deployment of the QSC framework and the GoClient backdoor.
…
We found multiple artifacts that helped us in attributing the QSC framework and the activity described above to the CloudComputating (aka BackdoorDiplomacy, Faking Dragon) group
https://securelist.com/cloudcomputating-qsc-framework/114438/
Breaking Down Earth Estries' (SALT TYPHOON) Persistent TTPs in Prolonged Cyber Operations
Ted Lee, Leon M Chang and Lenart Bermejo detail what they allege are Salt Typhoon related activities, which are, shall we say, topical..
Our telemetry suggests that Earth Estries gains initial access to their target’s system by exploiting vulnerabilities in outside-facing services or remote management utilities.
Earth Estries employs two distinct attack chains in their campaigns that have some common characteristics, such as the exploitation of vulnerabilities in systems like Microsoft Exchange servers and network adapter management tools.
The first infection chain uses PsExec and tools such as Trillclient, Hemigate, and Crowdoor delivered via CAB files, while the second chain employs malware like Zingdoor and SnappyBee, delivered through cURL downloads.
Earth Estries maintains persistence by continuously updating its tools and employs backdoors for lateral movement and credential theft.
Data collection and exfiltration are performed using Trillclient, while tools like cURL are used for sending information to anonymized file-sharing services, employing proxies to hide backdoor traffic.
Reporting on North Korea
BlueNoroff Hidden Risk | Threat Actor Targets Macs with Fake Crypto News and Novel Persistence
Raffaele Sabato, Phil Stokes & Tom Hegel detail an alleged North Korean campaign going after digital assets for suspected monetary gain. I don’t think any older UNIX hackers would consider using shell environment files as a novel persistence technique. I remember a time on a penetration test (we’d call it a red team now) where we only had FTP access through a firewall and used such a file to pop a reverse shell.
SentinelLabs has observed a suspected DPRK threat actor targeting Crypto-related businesses with novel multi-stage malware.
We assess with high confidence that the same actor is responsible for earlier attacks attributed to BlueNoroff and the RustDoor/ThiefBucket and RustBucket campaigns.
SentinelLabs observed the use of a novel persistence mechanism abusing the Zsh configuration file zshenv. The campaign, which we dubbed ‘Hidden Risk’, uses emails propagating fake news about cryptocurrency trends to infect targets via a malicious application disguised as a PDF file.
Analysis of Cyber Recon Activities Behind APT37 Threat Actor
Genians from South Korea detail what they allege is a North Korean campaign. Interesting that there is a distinct reconnaissance phase for sure..
Analysis of the State-Backed APT37 Group’s Covert Cyber Reconnaissance Activities
Collect information such as the attack target's IP address (location information), web browser, and operating system.
Threat actors who used shortcut (lnk) malicious files as their main strategy
…
If we analyze the lnk file, we can see that there is a RoKRAT malware module hidden inside, encrypted with XOR logic. We can also see the typical pCloud API communication technique of APT37..
From Pyongyang to Your Payroll: The Rise of North Korean Remote Workers in the West
Seongsu Park provides further detail on reporting which has been building around this alleged North Korean campaign. Scale, gumption and quality of social engineering are all of note. We have been warned..
Enhanced malware capabilities: The threat actors behind the Contagious Interview and WageMole campaigns have significantly improved their script’s obfuscation, making detection more difficult. The latest version of InvisibleFerret includes a dynamically updated remote monitoring and management (RMM) configuration and a persistence mechanism tailored for each operating system.
Multi-platform attack tools: Contagious Interview now leverages both Windows installers and macOS applications to expand its reach to target more victims.
Widespread infections and data theft: ThreatLabz uncovered that over 100 devices were successfully infected. The attackers stole sensitive information, including source code, cryptocurrency wallets, and personal data.
Carefully crafted job-seeking strategies: Remote DPRK workers leverage stolen data to create fake identities, and use generative AI to acquire and perform jobs in Western countries.
Reporting on Iran
Nothing this week
Reporting on Other Actors
Cloudy With a Chance of RATs: Unveiling APT36 and the Evolution of ElizaRAT
Check Point Research detail a campaign they allege originates from Pakistan, one that is being invested in but employs well-known offensive techniques..
Check Point Research is closely tracking the persistent use of ElizaRAT, a custom implant deployed by Transparent Tribe (aka APT36) in targeted attacks on high-profile entities in India. We observed multiple, likely successful, campaigns of Transparent Tribe in India in 2024.
Our analysis of recent campaigns reveals continuous enhancements in the malware’s evasion techniques, along with introducing a new stealer payload called “ApoloStealer.”
ElizaRAT samples indicate a systematic abuse of cloud-based services, including Telegram, Google Drive, and Slack, to facilitate command and control communications.
https://research.checkpoint.com/2024/the-evolution-of-transparent-tribes-new-malware/
New Ocean Lotus group uses MST files for the first time to deliver a custom Trojan
QiAnXin Threat Intelligence Center reports on an alleged Vietnamese campaign which is using Rust for its development.
Finally, DLL side-loading was achieved. The payload loaded into memory was the Rust Trojan that had not been seen for a year. The difference from 2023 is that the attacker converted the Rust Trojan entirely into shellcode and dropped the earlier approach of using generic shellcode to reflectively load PE files, in order to evade in-memory detection. We also observed that most of the more than a dozen loaders written by New Ocean Lotus were developed using the Mingw-w64 code base. This habit has continued from 2022 to now, and the loaders released by the old Ocean Lotus attack set in the first half of 2024
Discovery
How we find and understand the latent compromises within our environments.
KQL query to detect rogue RDP
Mehmet E. does good for the world with this release given the alleged Russian use of this technique..
KQL query detects file creations of mstsc.exe where it also makes a network connection to a public IP address. This behavior is an indication of Rogue RDP.
Defence
How we proactively defend our environments.
DoD Enterprise DevSecOps Fundamentals v2.5
v2.5 is out..
DoD’s unique mission compels programs to raise security to an equal footing with development and operations. DevSecOps is a combination of software engineering methodologies, practices, and tools that unifies software development (Dev), security (Sec), and operations (Ops). It emphasizes collaboration across these disciplines, along with automation and continuous monitoring to support the delivery of secure, high-quality software. DevSecOps integrates security tools and practices into the development pipeline, emphasizes the automation of processes, and fosters a culture of shared responsibility for performance, security, and operational integrity throughout the entire software lifecycle, from development to deployment and beyond.
The concepts build upon the modern technology trends of the past two decades:
The shift from waterfall software development methodology to Agile
The transition from tightly coupled monolithic systems to loosely coupled modular services
Integration of security across the lifecycle of technology
Incorporation of testing throughout the software lifecycle
Evolution from traditional data centers to cloud
Deep Dive into Microsoft Authenticator Passkeys for iOS
Jon Towels reminds us how far we have come…
A few months ago, I wrote all about leveraging Temporary Access Passes and Passkeys to go passwordless with Microsoft Entra here. Recently, Microsoft introduced support for attestation on iOS and Android with Microsoft Authenticator along with a few other features. They also brought in device-bound passkey support, support for FIDO2 security keys on native apps (for Android 14), and FIPS compliance for Authenticator on Android. Today, we are going to be focusing on the iOS flow for Passkeys along with attestation.
https://mobile-jon.com/2024/11/01/deep-dive-into-microsoft-authenticator-passkeys-for-ios/
The latest enhancements in Microsoft Authenticator
The blog from Microsoft on the same features..
Public preview refresh: Device-bound passkey support in Microsoft Authenticator
Public preview: Support for FIDO2 security keys on native brokered applications, such as Outlook and Teams, on Android 14
General availability: FIPS compliance for Microsoft Authenticator on Android
Windows Hello for Business with Cloud Kerberos Trust: Access on-prem resources with Entra-Joined devices
Marc-Andre Chartrand reduces the user friction..
If you’re here, you’ve probably tested the Entra-Joined model of Autopilot deployment and realized that you get asked for credentials every time you try to access on-prem resources. In this post, we will walk you through the steps to configure Windows Hello for Business (WHfB) with Cloud Kerberos Trust. This setup allows Microsoft Entra-joined devices to access on-premises resources without the need to enter their credentials repeatedly.
https://www.systemcenterdudes.com/windows-hello-cloud-kerberos-trust/
Maester
No excuses for regressions with this…
Maester is an open source PowerShell-based test automation framework designed to help you monitor and maintain the security configuration of your Microsoft 365 environment.
Automated Testing: Maester provides a comprehensive set of automated tests to ensure the security of your Microsoft 365 setup.
Customizable: Tailor Maester to your specific needs by adding custom Pester tests.
https://github.com/maester365/maester
Incident Writeups & Disclosures
How they got in and what they did.
Scattered Spider x RansomHub: A New Partnership
James Xiang and Hayden Evans detail a campaign with a slightly novel persistence technique..
In October 2024, ReliaQuest responded to an intrusion affecting a manufacturing sector customer. We identified “Scattered Spider” to be behind the incident. This English-speaking collective previously served as an affiliate for ransomware group “ALPHV” and now partners with “RansomHub.”
The attacker gained initial access to two employee accounts by carrying out social engineering attacks on the organization’s help desk twice. Within six hours, the attacker began encrypting the organization’s systems.
To maintain persistence, Scattered Spider leveraged the organization’s ESXi environment to create a virtual machine (VM). This concealed their attack until the environment was encrypted and backups were sabotaged.
https://www.reliaquest.com/blog/scattered-spider-x-ransomhub-a-new-partnership/
Vulnerability
Our attack surface.
Okta AD/LDAP Delegated Authentication - Username Above 52 Characters Security Advisory
When the wrong algorithm is chosen..
On October 30, 2024, a vulnerability was internally identified in generating the cache key for AD/LDAP DelAuth. The Bcrypt algorithm was used to generate the cache key where we hash a combined string of userId + username + password. Under a specific set of conditions, listed below, this could allow users to authenticate by providing the username with the stored cache key of a previous successful authentication.
https://trust.okta.com/security-advisories/okta-ad-ldap-delegated-authentication-username/
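The root cause the advisory describes and a construction that avoids it, as an added illustration (not Okta's code): bcrypt hashes at most the first 72 bytes of its input, so once userId and username fill that window the password no longer influences the cache key. The 20-character userId (which makes 72 - 20 = 52 the threshold) and the SHA-256 stand-in for bcrypt's truncation are assumptions of this example.

```python
"""Added illustration (not Okta's code): why a truncating primitive such as bcrypt
is the wrong choice for a cache key derived from userId + username + password.
bcrypt processes at most the first 72 bytes of its input; `truncating_hash` stands
in for that behaviour with SHA-256 so the example runs without the bcrypt package.
The 20-character userId is an assumption chosen so 72 - 20 = 52 matches the
advisory's threshold."""
import hashlib
import hmac

BCRYPT_INPUT_LIMIT = 72  # bytes of input that bcrypt actually hashes


def truncating_hash(data: bytes) -> bytes:
    """Stand-in for bcrypt: bytes beyond the 72nd are silently ignored."""
    return hashlib.sha256(data[:BCRYPT_INPUT_LIMIT]).digest()


def weak_cache_key(user_id: str, username: str, password: str) -> bytes:
    """Vulnerable construction: plain concatenation fed into a truncating hash."""
    return truncating_hash((user_id + username + password).encode())


def password_bytes_hashed(user_id: str, username: str) -> int:
    """How many bytes of the password still influence the weak key (0 = none)."""
    consumed = len(user_id.encode()) + len(username.encode())
    return max(0, BCRYPT_INPUT_LIMIT - consumed)


def _field(value: str) -> bytes:
    # Length-prefix each field so "ab"+"c" and "a"+"bc" can never collide.
    raw = value.encode()
    return len(raw).to_bytes(4, "big") + raw


def safe_cache_key(user_id: str, username: str, password: str,
                   server_secret: bytes) -> bytes:
    """Hardened construction: every byte of every field reaches the digest
    (HMAC-SHA256 has no input limit), fields are unambiguous, and the server
    secret stops anyone holding a leaked cache key from testing guesses offline."""
    message = _field(user_id) + _field(username) + _field(password)
    return hmac.new(server_secret, message, hashlib.sha256).digest()


class DelAuthCache:
    """Minimal model of a delegated-auth cache: remembers the key of each
    successful authentication and answers later attempts from it."""

    def __init__(self, key_fn):
        self._key_fn = key_fn
        self._known = set()

    def record_success(self, *creds):
        self._known.add(self._key_fn(*creds))

    def accepts(self, *creds) -> bool:
        return self._key_fn(*creds) in self._known


def wrong_password_accepted(key_fn, user_id: str, username: str) -> bool:
    """True if, after one genuine login, the cache accepts a different password."""
    cache = DelAuthCache(key_fn)
    cache.record_success(user_id, username, "correct-password")
    return cache.accepts(user_id, username, "wrong-password")
```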
Private key extraction over ECDH vulnerability in cryptocoinjs
Get those conspiracies (coinspiracies maybe?) going given the use case of this library..
That allows the attacker to use public keys on low-cardinality curves to extract enough information to fully restore the private key from as little as 11 ECDH sessions, and very cheaply on compute power
Other operations on public keys are also affected, including e.g. publicKeyVerify() incorrectly returning true on those invalid keys, and e.g. publicKeyTweakMul() also returning predictable outcomes allowing the tweak to be restored
https://github.com/cryptocoinjs/secp256k1-node/security/advisories/GHSA-584q-6j8j-r5pm
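The check that publicKeyVerify() should have performed, as an added example that is not cryptocoinjs code: an ECDH routine that confirms the peer's point lies on secp256k1 before doing any scalar multiplication, beside an unchecked variant that silently computes on an off-curve point. The affine curve arithmetic is a minimal textbook implementation written for this illustration.

```python
"""Added example (not cryptocoinjs code): public-key validation before ECDH on
secp256k1. Textbook affine arithmetic, kept minimal to show the check."""

# secp256k1 domain parameters: y^2 = x^3 + 7 over F_P, generator G of order N
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def is_valid_public_key(point) -> bool:
    """What publicKeyVerify() must answer: finite, in range, and on the curve.
    secp256k1 has cofactor 1, so an on-curve point is automatically in the
    prime-order group and no separate order check is needed."""
    if point is None:
        return False
    x, y = point
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x + 7)) % P == 0


def _add(p1, p2):
    """Affine addition/doubling. The formulas never consult the curve constant
    7, which is exactly why an off-curve input goes unnoticed here."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # Q + (-Q) = point at infinity
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k: int, point):
    """Double-and-add computation of k*point."""
    result, addend = None, point
    while k:
        if k & 1:
            result = _add(result, addend)
        addend = _add(addend, addend)
        k >>= 1
    return result


def ecdh_unchecked(private_key: int, peer_public) -> int:
    """The vulnerable shape: trusts the peer's point and returns the shared x."""
    return scalar_mult(private_key, peer_public)[0]


def ecdh(private_key: int, peer_public) -> int:
    """Hardened: refuse any point that is not a valid secp256k1 public key."""
    if not is_valid_public_key(peer_public):
        raise ValueError("peer public key is not a point on secp256k1")
    if not 1 <= private_key < N:
        raise ValueError("private key out of range")
    return scalar_mult(private_key, peer_public)[0]
```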
Mind the v8 patch gap: Electron's Context Isolation is insecure
Patch gap in desktop apps because the run time is not updated in a timely manner..
However, there’s a catch: while Electron releases new versions promptly, desktop applications often lag way behind in updating their Electron versions. In our previous Electrovolt research, we exploited this patch gap in numerous applications, revealing how outdated Electron versions leave popular desktop apps open to compromise.
https://s1r1us.ninja/posts/electron-contextbridge-is-insecure/
Offense
Attack capability, techniques and trade-craft.
Cloaking Malware with the Trusted Platform Module
From 2011 but if implemented would cause a degree of cost..
We describe and implement a protocol that establishes an encryption key under control of the TPM that can only be used by a specific infection program. An infected host then proves the legitimacy of this key to a remote C2
https://www.usenix.org/conference/usenix-security-11/cloaking-malware-trusted-platform-module
T-70
Steve S. gives an interesting challenge to solve..
A proof-of-concept shellcode loader that leverages AI/ML face recognition models to verify the identity of a user on a target system.
https://github.com/0xTriboulet/T-70
How Attackers Can Abuse IAM Roles Anywhere for Persistent AWS Access
Adam Alvarez gives something for cloud security teams to hunt for..
An attacker with sufficient permissions could exploit IAM Roles Anywhere to gain persistent access to an AWS account. Here’s how the exploitation might happen:
Create a Malicious CA and Trust Anchor: The attacker generates their own CA certificate and private key. They then register this CA as a trust anchor in the victim’s AWS account using the CreateTrustAnchor API action.
Create or Backdoor an IAM Role: The attacker either creates a new IAM role or modifies an existing one by updating its trust policy to allow assumptions via the malicious trust anchor. This involves using CreateRole or UpdateAssumeRolePolicy.
Create a Profile: The attacker creates a profile in IAM Roles Anywhere using the CreateProfile API action. The profile specifies which roles can be assumed using the trust anchor.
Obtain Temporary Credentials: With the trust anchor and profile in place, the attacker uses their malicious CA to sign a client certificate. They then use the aws_signing_helper utility to obtain temporary AWS credentials, effectively gaining persistent access to the account.
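One way to hunt for the sequence above, as an added example that is not from the original post: a pass over exported CloudTrail events that flags the two Roles Anywhere actions and any CreateRole or UpdateAssumeRolePolicy whose trust policy lets the rolesanywhere.amazonaws.com service principal assume the role (the principal Roles Anywhere needs; that detail and the CloudTrail field names are assumptions of this example, not taken from the post). The sample events are constructed.

```python
"""Added example, not from the original post: triage of CloudTrail events for the
IAM Roles Anywhere persistence pattern. Field names follow CloudTrail's usual
requestParameters shape and are an assumption; the sample events are constructed."""
import json

# The two Roles Anywhere control-plane actions named in the walkthrough.
ACTION_LABELS = {"CreateTrustAnchor": "trust anchor", "CreateProfile": "profile"}
# Service principal a role's trust policy must allow before Roles Anywhere
# can assume it (assumption of this example).
ROLESANYWHERE_PRINCIPAL = "rolesanywhere.amazonaws.com"


def _policy_trusts_rolesanywhere(policy_document) -> bool:
    """True if any Allow statement lets the Roles Anywhere service assume the role."""
    try:
        doc = json.loads(policy_document)
    except (TypeError, ValueError):
        return False
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        if isinstance(services, str):
            services = [services]
        if ROLESANYWHERE_PRINCIPAL in services:
            return True
    return False


def classify_event(event: dict):
    """Return a one-line finding for a suspicious event, else None."""
    name = event.get("eventName")
    params = event.get("requestParameters") or {}
    actor = (event.get("userIdentity") or {}).get("arn", "<unknown>")
    if name in ACTION_LABELS:
        return f"{name} by {actor}: new Roles Anywhere {ACTION_LABELS[name]} '{params.get('name')}'"
    if name in ("CreateRole", "UpdateAssumeRolePolicy"):
        # CreateRole carries assumeRolePolicyDocument; UpdateAssumeRolePolicy carries policyDocument.
        policy = params.get("assumeRolePolicyDocument") or params.get("policyDocument")
        if _policy_trusts_rolesanywhere(policy):
            return f"{name} by {actor}: role '{params.get('roleName')}' now trusts {ROLESANYWHERE_PRINCIPAL}"
    return None


def triage(events):
    """Findings for every event that matches, in log order."""
    return [f for f in (classify_event(e) for e in events) if f]


def _trust_policy(service: str) -> str:
    return json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
                       "Principal": {"Service": service}, "Action": "sts:AssumeRole"}]})


SAMPLE_EVENTS = [  # constructed for this example; 111122223333 is a placeholder account
    {"eventSource": "rolesanywhere.amazonaws.com", "eventName": "CreateTrustAnchor",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-ci"},
     "requestParameters": {"name": "ops-anchor"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "UpdateAssumeRolePolicy",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-ci"},
     "requestParameters": {"roleName": "AdminRole",
                           "policyDocument": _trust_policy(ROLESANYWHERE_PRINCIPAL)}},
    {"eventSource": "iam.amazonaws.com", "eventName": "UpdateAssumeRolePolicy",  # benign
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/Deployer"},
     "requestParameters": {"roleName": "WebRole",
                           "policyDocument": _trust_policy("ec2.amazonaws.com")}},
    {"eventSource": "rolesanywhere.amazonaws.com", "eventName": "CreateProfile",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-ci"},
     "requestParameters": {"name": "ops-profile"}},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```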
Exploitation
What is being exploited..
Nothing this week
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
TPM spoofer
Samuel Tulach shows once more why game cheat hackers are well ahead of the cyber security industry in almost every regard..
Simple proof of concept kernel mode driver hooking tpm.sys dispatch to randomize any public key reads
https://github.com/SamuelTulach/tpm-spoofer
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Aggregate reporting
Handling Pandemic-Scale Cyber Threats: Lessons from COVID-19
Artificial intelligence
Books
Nothing this week
Events
Nothing this week
Unless stated otherwise, linked or referenced content does not necessarily represent the views of the NCSC and reference to third parties or content on their websites should not be taken as endorsement of any kind by the NCSC. The NCSC has no control over the content of third party websites and consequently accepts no responsibility for your use of them.
This newsletter is subject to the NCSC website terms and conditions which can be found at https://www.ncsc.gov.uk/section/about-this-website/terms-and-conditions and you can find out more about how we will treat your personal information in our privacy notice at https://www.ncsc.gov.uk/section/about-this-website/privacy-statement.