CTO at NCSC Summary: week ending November 2nd
The UK stands ready to work with international partners to build resilience, share intelligence, and uphold a secure and open digital environment for all.
Welcome to the weekly highlights and analysis of the blueteamsec (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week nothing overly of note…
In the high-level this week:
UK setting global benchmark on cyber standards, boosting growth and protecting consumers - Department for Science, Innovation and Technology and Liz Lloyd CBE announce - “UK and Singapore work together to boost protections for consumers through joint cyber security standards for devices.”
UK national statement on signing the UN Convention against Cybercrime - Foreign, Commonwealth & Development Office and Andrew Whittaker announce - “The UK stands ready to work with international partners to build resilience, share intelligence, and uphold a secure and open digital environment for all. We will support the effective establishment of the Conference of State Parties, working with Member States and expanding our close work with global stakeholders.”
Cyber Security Model - UK Ministry of Defence publish - “Information on the Ministry of Defence Cyber Security Model (CSM), including the standards and guidance for suppliers to meet CSM version 4.” - how the MoD is going after the resilience of its supply chain
Effective practices: Cyber response and recovery capabilities - Bank of England publishes - “We encourage all firms and financial market infrastructures to review these practices and consider how they can strengthen their own resilience, thereby supporting the stability of the wider financial system.”
Cairncross Details Upcoming National Cybersecurity Strategy - MeriTalk reports - “The U.S. government has never had a single point of cyber coordination or a cohesive, coordinated cyber strategy coming from the White House,” Cairncross said. “It is a goal of ours to get this office there.”
Halloween Treats - Federal Communication Commission announces - “Following extensive FCC engagement with carriers, the item announces the substantial steps that providers have taken to strengthen their cybersecurity defenses. In doing so, we will also reverse an eleventh hour CALEA declaratory ruling reached by the prior FCC—a decision that both exceeded the agency’s authority and did not present an effective or agile response to the relevant cybersecurity threats. So, we’re correcting course.”
Australia Unveils Cyber Security Push for Indo-Pacific Region - Bloomberg reports - “Australia has earmarked A$83.5 million ($54.4 million) to build cyber-security capacity across the Indo-Pacific, saying global cooperation is key as online crimes become more complex and sophisticated.”
Home Affairs checks agency cyber homework - The Mandarin reports - “Home Affairs secretary Stephanie Foster signed a direction last week requiring non-corporate Commonwealth entities to “identify and remove all existing instances of products, applications and web services identified on the deny list of the Commonwealth Technology Standard”.”
Glasgow Caledonian and SPEN unite to strengthen cybersecurity in energy and transport - Glasgow Caledonian University publish - “After unveiling a cutting-edge cyber-physical testbed for level-crossing systems, Glasgow Caledonian is now collaborating with leading electricity network operator SP Energy Networks (SPEN) on a new initiative which looks to enhance the cybersecurity of energy infrastructure.”
Norway Tests Homomorphic Encryption With Mobai for Biometric Template Protection - ID Tech reports - “The concept is to run biometric matching on encrypted data, combining fully homomorphic encryption with multi-party computation so that sensitive templates are never decrypted during processing. The model aims to keep cloud providers blind to raw biometrics while allowing banks to control decryption of the final decision. Norwegian research partners and European academics have explored similar FHE+MPC patterns for wallet and remote-verification use cases.”
US company with access to biggest telecom firms uncovers breach by nation-state hackers - Reuters reports - “Hackers working for an unnamed nation-state breached networks at Ribbon Communications, a key U.S. telecommunications services company, and remained within the firm’s systems for nearly a year without being detected, a company spokesperson confirmed in a statement on Wednesday.”
It has been proposed that control over the work of “white hat” hackers be transferred to the FSB. - RBC in Russia reports - “The FSB will be able to set requirements for “white hat” hackers: those who fail to meet them will be banned from working. Programmers will be required to share any information security breaches they find with both the company and the intelligence agencies.”
Japanese convenience stores are hiring robots run by workers in the Philippines -Rest of World reports - “Filipino tele-operators remotely control Japan’s convenience store robots and train AI, benefiting from an uptick in automation-related jobs.” - puts a new spin on the risk of foreign IT workers who have insidious intent
Reporting on/from China
A Guide to Understanding China’s Sophisticated Typhoon Cyber Campaigns - McCrary Institute for Cyber and Critical Infrastructure Security Auburn University publish - “The typhoon actors mark a key moment in China’s offensive cyber strategy and capabilities, transitioning from mere theft to potential disruption at scale. Defending against this evolving threat demands a whole-of-government and allied approach that integrates cybersecurity, intelligence, diplomacy, and resilience. The challenge is no longer just technical, it is strategic, requiring the United States to adapt its policies, laws, and partnerships to confront the realities of 21st-century cyber warfare.”
Same Chinese Boss Gave Orders to Two Separate Manila SMS Blaster Drivers - CommRisk reports - “Yang told the assembled media that the gang which employed Ayong and Ramil had ‘compartmentalized’ their operations to manage the risk of the police disrupting the entire criminal enterprise. He said Ayong and Ramil were working for the same Chinese boss via a Philippine woman who acted as an intermediary”
U.S. agencies back banning popular home WiFi device, citing national security risk - Washington Post reports - “The Commerce Department has proposed barring sales of TP-Link products, citing a national security risk from ties to China, people familiar with the matter said.”
GCC-3007-2025 Unified Basic Input/Output System (UBIOS) Infrastructure Specification - Global Computing Consortia publishes - a Chinese competitor to the UEFI specification
AI
Cybersecurity AI Benchmark (CAIBench): A Meta-Benchmark for Evaluating Cybersecurity AI Agents - Alias Robotics and Università degli Studi di Napoli Federico II publish - “Evaluation of state-of-the-art AI models reveals saturation on security knowledge metrics ( 70% success) but substantial degradation in multi-step adversarial (A&D) scenarios (20-40% success), or worse in robotic targets (22% success). The combination of framework scaffolding and LLM model choice significantly impacts performance; we find that proper matches improve up to 2.6× variance in Attack and Defense CTFs. These results demonstrate a pronounced gap between conceptual knowledge and adaptive capability, emphasizing the need for a meta-benchmark.”
Introducing Aardvark: OpenAI’s agentic security researcher - OpenAI announce - “Aardvark continuously analyzes source code repositories to identify vulnerabilities, assess exploitability, prioritize severity, and propose targeted patches.”
Security Vulnerabilities in AI-Generated Code: A Large-Scale Analysis of Public GitHub Repositories - Maximilian Schreiber and Pascal Tippe quantifies - “Our findings reveal that while 87.9% of AI-generated code does not contain identifiable CWE-mapped vulnerabilities, significant patterns emerge regarding language-specific vulnerabilities and tool performance. Python consistently exhibited higher vulnerability rates (16.18%-18.50%) compared to JavaScript (8.66%-8.99%) and TypeScript (2.50%-7.14%) across all tools.”
AI browsers are a cybersecurity time bomb - The Verge opines - “In the past few weeks alone, researchers have uncovered vulnerabilities in Atlas allowing attackers to take advantage of ChatGPT’s “memory” to inject malicious code, grant themselves access privileges, or deploy malware. Flaws discovered in Comet could allow attackers to hijack the browser’s AI with hidden instructions.”
Cyber proliferation
PASOK leader links spyware attempt to party election in testimony over wiretapping scandal - Ekathimerini reports - “Four representatives of companies, allegedly linked to the Predator spyware, face charges of violating the confidentiality of communications. Androulakis alleged that the attempted surveillance of his mobile phone was linked to the socialist party’s leadership elections.”
How a hacking gang held Italy’s political elites to ransom - Politico reports - “On the surface, the group presented itself as a corporate intelligence firm, courting high-profile clients by claiming expertise in resolving complex risk management issues such as commercial fraud, corruption and infiltration by organized crime. Prosecutors accuse the gang of compiling damaging dossiers by illegally accessing phones, computers and state databases containing information ranging from tax records to criminal convictions.”
The global reach of spyware provider Ben Jamil - Intelligence Online reports - “The owner of security technology developer HSS Development Group, Ben Jamil, has discreetly sold spyware to the government of Kurdistan and other countries, while facing a series of legal woes.”
Key IOCs for Pegasus and Predator Spyware Cleaned With iOS 26 Update - iVerify report - “This development poses a serious challenge for forensic investigators and individuals seeking to determine if their devices have been compromised at a time when spyware attacks are becoming more common.”
Bounty Hunting
UN Convention against Cybercrime opens for signature in Hanoi, Viet Nam - United Nations announce - “It is the first global framework for the collection, sharing and use of electronic evidence for all serious offences. Until now, there have been no broadly accepted international standards on electronic evidence;”
Teenagers appear in court over Transport for London cyber attack - BBC reports - “The NCA said it believed the hack, which began on 31 August last year, was carried out by members of cyber-criminal group Scattered Spider.”
Ukrainian National Extradited from Ireland in Connection with Conti Ransomware - US Department of Justice announces - “The defendant allegedly participated in a conspiracy to extort approximately $150 million in ransomware payments responsible for defrauding victims in almost every U.S. state and from over two dozen countries worldwide,”
Former General Manager for U.S. Defense Contractor Pleads Guilty to Selling Stolen Trade Secrets to Russian Broker - US Department of Justice announces - “Williams pleaded to two counts of theft of trade secrets. The material, stolen over a three-year period from the U.S. defense contractor where he worked, was comprised of national-security focused software that included at least eight sensitive and protected cyber-exploit components.”
Information about filing an indictment against Michał Woś, Member of the Sejm of the Republic of Poland - National Prosecutors Office, Poland announce - a complex case involving the purchase of commercial spyware.
Russian Interior Ministry officers have detained a group of hackers who developed and distributed the Meduza malware - MVD Media reports - “Officers from the Criminal Investigation Department of the Ministry of Internal Affairs of Russia, together with their colleagues from the Astrakhan Region, stopped the activities of a group of young IT specialists. They are suspected of creating, using, and distributing malicious computer programs.”
Market Incentives
Cybersecurity firm F5 anticipates revenue hit after attack - F5 details - “F5 anticipates some near-term disruption to sales cycles as customers focus on assessing and remediating their environments following the recent security incident. Taking this into account, for fiscal year 2026, F5 is guiding to total revenue growth of 0% to 4%, with any demand impacts expected to be more pronounced in the first half, before normalizing in the second half of fiscal year 2026.”
Qantas’ digital and customer head steps down months after cyber breach, internal memo shows - Reuters reports - “After Larritt’s departure, corporate affairs chief Danielle Keighery will be responsible for brand and marketing, while risk chief Andrew Monaghan will oversee cyber security, Hudson said.”
Reflections this week are twofold..
First this wonderful story of neurodiversity - The baby-dinosaur hunter who ended up in Hollywood
Second was that Binding Hook Live was a blast and a very unique speaker gift which is now on show in Nova South..
The talk I gave was:
The essence of which is - if we don’t recognise and address the divergence in incentives we shouldn’t be surprised when we stay in the doom loop. Cyber security is a cost and for which the liability is for the most part transferred through contract..
Not getting this via email? Subscribe:
Think someone else would benefit? Share:
All attribution is by others and not the UK Government unless specifically stated as such, please see the legal text at the end.
Have a lovely Saturday…
Ollie
Cyber threat intelligence
Who is doing what to whom and how allegedly.
Reporting on Russia
Ukrainian organizations still heavily targeted by Russian attacks
Symantec and Carbon Black alleged this Russian operation exploited internet exposed vulnerabilities for initial access. Detection however should be trivial i.e. curl running on a box pull files from a high port… this is hunting season..
A recent investigation by our Threat Hunter Team uncovered a two-month intrusion against a large business services organization and a week-long attack against a local government organization, with the apparent goal of harvesting sensitive information and maintaining a persistent presence on their networks. The attackers deployed a limited amount of malware on the networks and instead relied heavily on Living-off-the-Land tactics and dual-use tools.
The attackers gained access to the business services organization by deploying webshells on public facing servers, most likely by exploiting one or more unpatched vulnerabilities. One of the webshells used was Localolive which, according to Microsoft, is associated with a sub-group of the Russian Sandworm group (aka Seashell Blizzard) and has previously been used to provide initial access in a Sandworm campaign. While we have been unable to independently confirm a link to Sandworm, the attacks did appear to be Russian in origin.
https://www.security.com/threat-intelligence/ukraine-russia-attacks
Reporting on China
UNC6384 Weaponizes ZDI-CAN-25373 Vulnerability to Deploy PlugX Against Hungarian and Belgian Diplomatic Entities
Arctic Wolf Labs details an alleged Chinese campaign with a specific victimology focus which is noteworthy. Makes the case for endpoint software controls and content disarming and reconstruction.
Arctic Wolf Labs has identified an active cyber espionage campaign by Chinese-affiliated threat actor UNC6384 targeting European diplomatic entities in Hungary, Belgium, and additional European nations during September and October 2025. The campaign represents a tactical evolution incorporating the exploitation of ZDI-CAN-25373, a Windows shortcut vulnerability disclosed in March 2025, alongside refined social engineering leveraging authentic diplomatic conference themes.
BRONZE BUTLER exploits Japanese asset management software vulnerability
Sophos Counter Threat Unit Research Team detail this alleged Chinese intrusion which exploited an internet facing service for initial access. Noteworthy due to the low prevalence and the functionality it provided allowing rapid and comprehensive environment access.
[We] confirmed that the threat actors gained initial access by exploiting CVE-2025-61932. This vulnerability allows remote attackers to execute arbitrary commands with SYSTEM privileges. CTU analysis indicates that the number of vulnerable internet-facing devices is low. However, attackers could exploit vulnerable devices within compromised networks to conduct privilege escalation and lateral movement
Earth Estries alive and kicking
Blaze provides some indicators for this alleged Chinese threat actor who apparently have quick flipped a n-day into operational use.
Earth Estries, also known as Salt Typhoon and a few other names, is a China-nexus APT actor, and is known to have used multiple implants such as Snappybee (Deed RAT), ShadowPad, and several more.
In their latest campaign, the actor leverages one of the latest WinRAR vulnerabilities that will ultimately lead to running shellcode.
https://bartblaze.blogspot.com/2025/10/earth-estries-alive-and-kicking.html
Reporting on North Korea
Crypto wasted: BlueNoroff’s ghost mirage of funding and jobs
Sojun Ryu and Omar Amin detail the alleged evolution in tradecraft in North Korean operations as they continue their apparent relentless campaign for crypto assets.
Primarily focused on financial gain since its appearance, BlueNoroff (aka. Sapphire Sleet, APT38, Alluring Pisces, Stardust Chollima, and TA444) has adopted new infiltration strategies and malware sets over time, but it still targets blockchain developers, C-level executives, and managers within the Web3/blockchain industry as part of its SnatchCrypto operation. Earlier this year, we conducted research into two malicious campaigns by BlueNoroff under the SnatchCrypto operation, which we dubbed GhostCall and GhostHire.
GhostCall heavily targets the macOS devices of executives at tech companies and in the venture capital sector by directly approaching targets via platforms like Telegram, and inviting potential victims to investment-related meetings linked to Zoom-like phishing websites. The victim would join a fake call with genuine recordings of this threat’s other actual victims rather than deepfakes. The call proceeds smoothly to then encourage the user to update the Zoom client with a script. Eventually, the script downloads ZIP files that result in infection chains deployed on an infected host.
https://securelist.com/bluenoroff-apt-campaigns-ghostcall-and-ghosthire/117842/
From Dream Job to Malware: DreamLoaders in Lazarus’ Recent Campaign
Lab52 show the complexity of capability which this alleged North Korean actor has developed over time.
During August 2025, Lab52 gained access to artifacts linked to Lazarus through DreamJob campaigns. Some of these artifacts and their operational details were recently highlighted by ESET (e.g., radcui.dll, HideFirstLetter.dll).
From our perspective, one of the most notable aspects of this campaign is the use of various types of loaders — components capable of deploying different payloads depending on the actors’ needs.
These loaders are used in the DreamJob campaign, but we believe they could also appear in other operations. For us, they truly are dream loaders.
https://lab52.io/blog/dreamloaders/
How a fake AI recruiter delivers five staged malware disguised as a dream job
Shantanu details an broadening of this alleged North Korean campaign attempting to compromise developers in order to facilitate software supply chain attacks. Noteworthy for a whole host of reasons, not least highlighting once again the challenges of software supply chain security.
The company looks exciting - DLMind, an “AI-driven innovation lab.” The recruiter seems legit - Tim Morenc, CEDS, with a polished LinkedIn profile, professional tone, and a history of mutual connections.
But behind that friendly message lies BeaverTail - a malicious campaign engineered to hijack your curiosity, your code, and your credentials.
Reporting on Iran
Unmasking MuddyWater’s New Malware Toolkit Driving International Espionage
Mahmoud Zohdy and Mansour Almoud detail some of the tradecraft of this alleged Iranian threat actor. Noteworthy for the use of a new Remote Monitoring and Management tool - which again highlights the value of monitoring of the use of such technology within estates.
The phishing emails contain Microsoft Word documents that prompted recipients (victims) to enable macros in order to view the content. As soon as macros were activated, the Microsoft Word documents executed malicious Visual Basic for Application (VBA) code, ultimately leading to the deployment of version 4 of the Phoenix backdoor on the victim’s system.
Muddywater is targeting international organizations in an espionage campaign.
The use of version 4 of the Phoenix backdoor malware in this campaign, featuring a different persistence technique.
A new Remote Monitoring and Management (RMM) tool and custom browser credential stealer were potentially used in this campaign.
https://www.group-ib.com/blog/muddywater-espionage/
Kitten Busters Episode 4
Kitten Busters are back detailing the alleged crypto transactions of this alleged Iranian threat actor. Will be interesting to see if any links between these can previous sanctions can be made and then does it put a spotlight on KYC (know your customer) by the firms implicated.
https://github.com/KittenBusters/CharmingKitten/tree/main/Episode%204
Full Student Database of MOIS-Affiliated Ravin Academy Leaked
Nariman Gharib details a comprehensive doxing of an alleged educational / talent programme in Iran..
A comprehensive database containing complete registration records of Ravin Academy students has been obtained by me, revealing detailed personal information of individuals enrolled in the organization’s training programs. This database constitutes a significant intelligence asset, as it documents the systematic development of personnel for potential recruitment into MOIS cyber operations.
https://blog.narimangharib.com/posts/2025%2F10%2F1761116665973?lang=en
Reporting on Other Actors
Possible CryptoChameleon Social Engineering Campaign Targeting LastPass Customers
Last Pass detail a phishing campaign which is noteworthy due to the target but also the complexity / depth of the lure ticking many human triggers to get them to take action.
The email claims someone within the recipient’s family has opened a request to access the intended victim’s vault as a legacy user by uploading a death certificate.
The email goes on to include a statement that a live case has been opened and includes fabricated information regarding a supposed agent assigned to the case, including an agent ID number, the date the case opened, and the case priority, all of which are false.
The email then includes a link to cancel the request, which in fact directs the intended victim to the URL “https://lastpassrecovery[.]com”, which then asks for the victim to enter their master password in an attempt to phish credentials.
The email notes the link is unique to the individual and that they should only access their account through that link in a clear attempt to direct the recipient to the phishing site.
The email states that the intended victim should confirm the email was sent from the spoofed email address, “alerts@lastpass[.]com”.
Finally, the email concludes with the statement “Your security is our top priority. Never share your master password with anyone - including us!”
Suspected Nation-State Threat Actor Uses New Airstalk Malware in a Supply Chain Attack
Unit42 detail this unattributed campaign which is noteworthy due the ravel novel C2 approach.
We have discovered a new Windows-based malware family we’ve named Airstalk, which is available in both PowerShell and .NET variants. We assess with medium confidence that a possible nation-state threat actor used this malware in a likely supply chain attack. We have created the threat activity cluster CL-STA-1009 to identify and track any further related activity.
Airstalk misuses the AirWatch API for mobile device management (MDM), which is now called Workspace ONE Unified Endpoint Management. It uses the API to establish a covert command-and-control (C2) channel, primarily through the AirWatch feature to manage custom device attributes and file uploads.
https://unit42.paloaltonetworks.com/new-windows-based-malware-family-airstalk/
ECHidna is a RAT observed in targeted attacks, characterized by its use of ECH (Encrypted Client Hello) for C2 communications
Yuta Sawabe & Rintaro Koike detail somewhat a very novel and concerning C2 mechanism. This is exactly why RFC9424 was written as this technique will cause organisations who do not have endpoint coverage (e.g. embedded devices) to go blind.
ECHidna is a RAT observed in targeted attacks, characterized by its use of ECH (Encrypted Client Hello) for C2 communications. ECH is a TLS extension that conceals the destination of communications by encrypting the entire ClientHello message, including the destination hostname (SNI). The observed specimens have their C2 server located on a CDN with ECH enabled, and the hostname used during communications is addressed to the CDN server, making it difficult to distinguish from legitimate communications.
https://jp.security.ntt/insights_resources/tech_blog/vb2025/
A key piece of the puzzle in unlocking the ORB network PolarEdge: The RPX relay system emerges
Alex.Turing and Acey9 detail this relay network..
After a series of correlation analyses, a previously undocumented component, RPX_Client, surfaced. The main function of this component is to connect controlled devices to a proxy pool on a specified C2 node, providing them with proxy services and supporting remote command execution.
PolarEdge
安全厂商Sekoiawas first disclosed on to seemingly build an “Operational Relay Boxes” (ORB) network to assist in various cybercrime activities. The ORB network functions similarly to a residential proxy; its core objective is not to directly launch destructive attacks, but rather to maintain long-term infiltration and traffic obfuscation, representing a typical infrastructure-based malicious architecture.
https://blog.xlab.qianxin.com/the-smoking-gun-exposing-the-rpx-relay-at-the-heart-of-polaredge/
Discovery
How we find and understand the latent compromises within our environments.
Have you SYN what I see? Analyzing TCP SYN Payloads in the Wild
Dario Ferrero, Enrico Bassetti, Harm Griffioen, and Georgios Smaragdakis presented this work at one of my favourite conferences - ACM Internet Measurement Conference (IMC) 2025. Also highlights the value of anomaly detection..
In this paper, we perform an empirical analysis of other cases where TCP SYN carries a payload. We utilize a large passive and a reactive network telescope to collect pure TCP SYN packets over two years. Our analysis shows that around 75% of these payloads are HTTP GET requests for potentially censored content performed by researchers and activists originated by a relatively small number of IPs. We also observe scouting and intrusion attempt activity related to port 0, operating systems, middleware, and edge router vulnerability exploitation. We make our data and methodology publicly available as we want to raise awareness of this type of TCP SYN that typically goes unnoticed.
https://gsmaragd.github.io/publications/IMC2025-Payloads/
PDF Object Hashing
Dmkaz and Kyle Eaton show the value in hashing of file structure sub elements to track adversaries and their tradecraft - going beyond executables.
PDF Object Hash is a way to identifying similarities between PDFs without relying on the content of the document. With object hashing we can identify the structure or skeleton of the document. Think of this as similar to an imphash or a ja3 hash. We extract out the object type and hash those to generate the hash. This allows us to quickly cluster similar documents and helps with identifying overlaps in disparate files.
https://github.com/EmergingThreats/pdf_object_hashing
Indirect Syscall Detector
EvilBytecode shows an interesting technique which will be curious to see if it scales and gets picked up by EDR vendors.
Indirect Syscall Detector is a Windows security tool designed to monitor and detect indirect syscall invocations in real-time. The tool operates by placing hardware breakpoints on specific syscall instructions within ntdll.dll and validating the return address on the stack against a whitelist of trusted system modules.
https://github.com/EvilBytecode/Detecting-Indirect-Syscalls
Defence
How we proactively defend our environments.
Creating and maintaining a definitive view of your operational technology architecture
Australian Signal Directorate’s Australian Cyber Security Centre releases this important guidance to OT operators.
This guidance defines a principles-based approach for how operational technology (OT) organisations should build, maintain and store their systems understanding. It is aimed at cyber security professionals working in organisations that deploy or operate OT across greenfield and brownfield deployments. Integrators and device manufactures can also use these principles to ensure their solutions enable effective asset and configuration management.
File Explorer automatically disables the preview feature for files downloaded from the internet
Microsoft get a 🙌 with this secure by default change.
Starting with Windows security updates released on and after October 14, 2025, File Explorer automatically disables the preview feature for files downloaded from the internet. This change is designed to enhance security by preventing a vulnerability that could leak NTLM hashes when users preview potentially unsafe files. For more details, review the following frequently asked questions about this change.
Fil-C
Filip Pizlo once again shows that individual hero’s don’t always wear capes.
Fil-C is a fanatically compatible memory-safe implementation of C and C++. Lots of software compiles and runs with Fil-C with zero or minimal changes. All memory safety errors are caught as Fil-C panics. Fil-C achieves this using a combination of concurrent garbage collection and invisible capabilities (InvisiCaps). Every possibly-unsafe C and C++ operation is checked. Fil-C has no
unsafestatement and only limited FFI to unsafe code.
Incident Writeups & Disclosures
How they got in and what they did.
Ribbon Communications
In early September 2025, the Company became aware that unauthorized persons, reportedly associated with a nation-state actor, had gained access to the Company’s IT network. The Company promptly initiated its incident response plan and began an investigation, containment and remediation effort using multiple third-party cybersecurity experts, including federal law enforcement. While the investigation is ongoing, the Company believes that it has been successful in terminating the unauthorized access by the threat actor.
The Company has preliminarily determined that initial access by the threat actor may have occurred as early as December 2024, with final determinations dependent on completion of the ongoing investigation. As of the date of this quarterly report on Form 10-Q, we are not aware of evidence indicating that the threat actor accessed or exfiltrated any material information. Several customer files saved outside of the main network on two laptops do appear to have been accessed by the threat actor and those customers have been notified by the Company.
As of the date of this quarterly report on Form 10-Q, the Company does not believe that the incident has had a material impact, including on its financial condition or results of operations. As noted above, the Company’s investigation into this incident is ongoing and the Company continues to take additional steps to further strengthen its network security. The Company expects to incur additional costs in the fourth quarter of 2025 associated with its continued investigation into this incident, and in network strengthening efforts, however, the Company does not currently expect such costs to be material.
https://investors.ribboncommunications.com/node/23211/html
Vulnerability
Our attack surface.
CVE-2025-40780: Cache poisoning due to weak PRNG
Many things could be said about this..
In specific circumstances, due to a weakness in the Pseudo Random Number Generator (PRNG) that is used, it is possible for an attacker to predict the source port and query ID that BIND will use.
https://kb.isc.org/docs/cve-2025-40780
Threats of Unvalidated XPC Clients on macOS
Karol Mazurek makes it feels like macOS is like Windows back in the early 2000s when researchers where warming up..
https://afine.com/threats-of-unvalidated-xpc-clients-on-macos/
Breaking Trusted Execution Environments via DDR5 Memory Bus Interposition
Jalen Chuang, Alex Seto, Nicolas Berrios, Stephan van Schaik, Christina Garman and Daniel Genkin show some interesting work here - although I am not sure that bus access / malicious memory is in the TEE threat model.
In this work, we show that the security guarantees of modern TEE offerings by Intel and AMD can be broken cheaply and easily, by building a memory interposition device that allows attackers to physically inspect all memory traffic inside a DDR5 server. Making this worse, despite the increased complexity and speed of DDR5 memory, we show how such an interposition device can be built cheaply and easily, using only off the shelf electronic equipment.
Vulnerabilities in LUKS2 disk encryption for confidential VMs
Tjaden Hess highlights once again that encryption != attestation.
Trail of Bits is disclosing vulnerabilities in eight different confidential computing systems that use Linux Unified Key Setup version 2 (LUKS2) for disk encryption. Using these vulnerabilities, a malicious actor with access to storage disks can extract all confidential data stored on that disk and can modify the contents of the disk arbitrarily. The vulnerabilities are caused by malleable metadata headers that allow an attacker to trick a trusted execution environment guest into encrypting secret data with a null cipher.
Offense
Attack capability, techniques and trade-craft.
Using EDR-Redir To Break EDR Via Bind Link and Cloud Filter
Zero Salarium highlights once again why have true signal passing through your monitoring infrastructure is really quite important..
I will demonstrate the technique of exploiting the Bind Filter driver (bindflt.sys) to redirect folders containing the executable files of EDRs to a location that I completely control. Here, we can block or inject code into the EDR at will. Everything will be executed in user mode without needing kernel privileges through the Bring Your Own Vulnerable Driver (BYOVD) attack. Additionally, I will use the Cloud Filter driver (cldflt.sys) to completely isolate an antivirus.
https://www.zerosalarium.com/2025/10/DR-Redir-Break-EDR-Via-BindLink-Cloud-Filter.html
UnderlayCopy
Kazem Fallahi - who is from Iran - releases this capability which attempts to weaponize raw device access to subvert endpoint detection.
UnderlayCopy is a PowerShell utility for low-level NTFS acquisition and dumping protected, locked system artifacts (for example: SAM, SYSTEM, NTDS.dit, registry hives, and other files that are normally inaccessible while Windows is running). It supports two complementary modes to achieve this without using VSS or standard file I/O:
MFT mode: parse $MFT records and reconstructs/copies file data by reading raw volume sectors.
Metadata mode: use filesystem metadata (fsutil) to map files to clusters and copy raw sectors.
Purpose: research, red-team exercises, and DFIR acquisition. Not for: unauthorized access or malicious use.
https://github.com/kfallahi/UnderlayCopy
VEH-Based Function Call Obfuscation
EvilBytecode releases a technique that EDR vendors will want to develop detection techniques for.
Obfuscating function calls using Vectored Exception Handlers by redirecting execution through exception-based control flow. Uses byte switching without memory or assembly allocation.
https://github.com/EvilBytecode/Ebyte-Syscalls
Function Peekaboo: Crafting self masking functions using LLVM
Anandeshwar Unnikrishnan releases this capability which is interesting but I suspect detectable.
we will customize the LLVM compiler infrastructure to build a solution that enables self-masking capabilities for ordinary user-defined functions in a C++ source file. Self-masking means that a function remains in a masked (obfuscated or encrypted) state until it is invoked. Once execution enters the function, it is temporarily unmasked, and upon returning, it reverts back to its masked state.
https://www.mdsec.co.uk/2025/10/function-peekaboo-crafting-self-masking-functions-using-llvm/
https://github.com/mdsecactivebreach/functionpeekaboo
SockTail
Luca Greeb releases this capability which will cause a degree of focus for detection engineers..
SockTail is a small binary that joins a device to a Tailscale network and exposes a local SOCKS5 proxy on port
1080. It’s meant for red team operations where you need network access into a target system without setting up wonky port forwards, persistent daemons, or noisy tunnels.
https://github.com/Yeeb1/SockTail
Creating a “Two-Face” Rust binary on Linux
Maxime Desbrus shows why conditional execution on binary analysis is terribly important. Get those SMT solvers to exercise those conditional paths in your sandboxes..
Let’s say you want to run a malicious program on a specific target machine. One way to do this is to distribute the program very widely, and hope that the target will end up running it. The specific distribution vector is out of the scope of this article, but you can imagine for example a pre-compiled binary file, as developers often download on their favorite project GitHub project page.
However if you want to maximize the chance of reaching the target, you probably want to mimic the behavior of a harmless program, and avoid anything suspicious (ie. connecting to a C&C server) that could trigger detection by various solutions (sandboxs, LSM, auditd, etc.).
https://www.synacktiv.com/en/publications/creating-a-two-face-rust-binary-on-linux
Exploitation
What is being exploited..
Internet-accessible industrial control systems (ICS) abused by hacktivists
The Canadian Cyber Security Centre provides insights into exploitation of internet connected Industrial Control Systems. A lesson in cyber-physical impact but also a sign of things to come as knowledge proliferates..
In recent weeks, the Cyber Centre and the Royal Canadian Mounted Police have received multiple reports of incidents involving internet-accessible ICS. One incident affected a water facility, tampering with water pressure values and resulting in degraded service for its community. Another involved a Canadian oil and gas company, where an Automated Tank Gauge (ATG) was manipulated, triggering false alarms. A third one involved a grain drying silo on a Canadian farm, where temperature and humidity levels were manipulated, resulting in potentially unsafe conditions if not caught on time.
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
NetRunner
eversinc33 releases this work aid..
A .NET assembly tracer using Harmony for runtime method interception.
Runtime method tracing
Automatically traces all local assembly methods, supports external/referenced methods through a config file
Logging of method calls, returns, arguments and return values
Dumps reflectively loaded assemblies for analysis
Optional stack trace logging
https://github.com/eversinc33/NetRunner
Future Architecture Technologies - POE2 and vMTE
Martin Weidmann tells the world to start their engines with these defence in depth features coming to ARM..
Arm provides the ecosystem with relevant information and specifications in advance, ensuring software support for when new technologies are realized in hardware. This blog introduces two future technologies:
Permission Overlay Extension version 2 (POE2), and
Virtual Tagging Extension (vMTE)
Information on new instructions and registers are already available, fixed virtual platforms and full specifications will become available in the coming months.
Windows ARM64 Internals: Exception & Privilege Model, Virtual Memory Management, and Windows under Virtualization Host Extensions (VHE)
Connor McGarr explains how it all works..
Specifically this blog post will go over:
Exception and privilege levels (ARM64 “version” of “rings” on x86 processors)
Windows hypervisor behavior (and, therefore, also OS behavior due to VBS) under ARM’s Virtualization Host Extensions (VHE)
Using WinDbg to access ARM system registers using the
rdmsrcommand (yes, you read that right! Using the “read MSR” command!)TrustedZone and Windows VTL co-habitation
Windows-specific implementation of virtual memory: paging heirarchy, address translation, etc.
ARM-specific PTE configuration on Windows (e.g.,
nt!MMPTE_HARDWAREdifferences between x64 and ARM64)Self-referential paging entries (like self-reference PML4, but for ARM’s “level 0” page table) and management of PTEs in virtual memory
Translation Lookaside Buffer (TLB) and context switching
Other “Windows-isms” such as Windows configuration of certain features, like hypervisor behavior, virtual memory behavior, etc.
This blog post was conducted on a processor which “runs” the ARM v9 “A-profile” architecture, along with an installation of Windows 11 24H2
https://connormcgarr.github.io/arm64-windows-internals-basics/
A heatmap diff viewer for code reviews
AI augmentation is coming..
Heatmap color-codes every diff line/token by how much human attention it probably needs. Unlike PR-review bots, we try to flag not just by “is it a bug?” but by “is it worth a second look?” (examples: hard-coded secret, weird crypto mode, gnarly logic).
https://github.com/manaflow-ai/cmux
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Annual, quarterly and monthly reports
Nothing overly of note this week
Benchmarking Fully Homomorphic Encryption in Trusted Execution Environments
How the U.S. National Science Foundation Enabled Software-Defined Networking
Man Alarmed to Discover His Smart Vacuum Was Broadcasting a Secret Map of His House
Advancing Security in Software-Defined Vehicles: A Comprehensive Survey and Taxonomy
Artificial intelligence
Breaking Agent Backbones: Evaluating the Security of Backbone LLMs in AI Agents
Who Grants the Agent Power? Defending Against Instruction Injection via Task-Centric Access Control
Using Copilot Agent Mode to Automate Library Migration: A Quantitative Assessment
AI-assisted reverse engineering of app white-box AES analysis - toy productivity example
From .well-known to Well-Pwned: Common Vulnerabilities in AI Agents
Books
Nothing overly of note this week
Events
Finally finally the NCSC’s podcast series.
Unless stated otherwise, linked or referenced content does not necessarily represent the views of the NCSC and reference to third parties or content on their websites should not be taken as endorsement of any kind by the NCSC. The NCSC has no control over the content of third party websites and consequently accepts no responsibility for your use of them.
This newsletter is subject to the NCSC website terms and conditions which can be found at https://www.ncsc.gov.uk/section/about-this-website/terms-and-conditions and you can find out more about how will treat your personal information in our privacy notice at https://www.ncsc.gov.uk/section/about-this-website/privacy-statement.