CTO at NCSC Summary: week ending November 24th
More AI vulnerability discovery successes.. that and a busy week of alleged state activity include close proximity attacks via Wi-Fi..
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week nothing overly of note other than 4 million websites being vulnerable because of a single plugin..
In the high-level this week:
Ransomware resistant backups - NCSC UK publishes - “Principles for making on-premises and cloud backups resistant to the effects of destructive ransomware.”
Is Britain ready to repel a cyberattack from Russia? - The Times reports - “The new head of the NCSC, Richard Horne, has also been sounding the alarm. He talks of a “gap between the escalating threats to our societies, critical services, and businesses, and our ability to defend and be resilient”." … Matt Collins, the deputy national security adviser, gave this frank assessment in May: “The threat continues to outstrip our efforts to tackle them. And I think that we need to admit that and I think we need to calibrate our responsibility.”
Annual Cyber Threat Report 2023-2024 - Australian Signals Directorate’s Australian Cyber Security Centre reports - “Australia continues to face a complex set of strategic circumstances. Multiple ongoing conflicts are fueling international instability and increasing strategic competition between the US and China is a primary feature of our security environment.”
NSA Director Wants Industry to Disclose Details of Telecom Hacks - BNN Bloomberg reports - “The director of the National Security Agency on Wednesday urged the private sector to take swift, collective action to share key details about breaches they have suffered at the hands of Chinese hackers who have infiltrated US telecommunications.”
On horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) No 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act) - Europe publishes - “This Regulation aims to set the boundary conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and that manufacturers take security seriously throughout a product’s lifecycle.”
Issuance of Maritime Security (MARSEC) Directive 105-5; Cyber Risk Management Actions for Ship-to-Shore Cranes Manufactured by People's Republic of China Companies - Coast Guard, Department of Homeland Security announces but doesn’t publish generally - “The Coast Guard announces the availability of Maritime Security (MARSEC) Directive 105-5, which outlines cyber risk management requirements for ship-to-shore cranes manufactured by People's Republic of China (PRC) companies… The Directive contains security-sensitive information and, therefore, cannot be made available to the general public”
IRS CI Cyber Chief Koopman Wields AI to Unmask Cybercriminals - MeriTalk interviews - ”For example, his team uses AI tools to run blockchain analytics, asking specific, targeted questions that help uncover nefarious activity. “Almost like a chatbot, to be able to ask questions like, ‘Show me all wallet addresses that interacted with this darknet marketplace,’”
New Theft of 58 billion won worth of virtual assets confirmed to be North Korea's doing - South Korean Police assert - “This conclusion was reached by synthesizing evidence such as North Korea's IP address, virtual asset flow, and North Korean vocabulary used through the investigation, as well as data acquired through long-term cooperation with the Federal Bureau of Investigation (FBI) in the United States.”
Providing for congressional disapproval under chapter 8 of title 5, United States Code, of the rule submitted by the Department of Defense relating to "Cybersecurity Maturity Model Certification (CMMC) Program" - Congress publishes - has a long way to go to have impact.
Management Implication Report: Cybersecurity Concerns Related to Drinking Water Systems - U.S. Environmental Protection Agency alerts - “The passive assessment covered 1,062 drinking water systems for cybersecurity vulnerabilities that serve over 193 million people across the United States. Scan results for October 8, 2024, identified 97 drinking water systems serving approximately 26.6 million users as having either critical or high-risk cybersecurity vulnerabilities. Although not rising to a level of critical or high-risk cybersecurity vulnerabilities, an additional 211 drinking water systems, servicing over 82.7 million people, were identified as medium and low by having externally visible open portals.”
Russian spy ship escorted away from area with critical cables in Irish Sea - The Guardian reports - “A Russian spy ship has been escorted out of the Irish Sea after it entered Irish-controlled waters and patrolled an area containing critical energy and internet submarine pipelines and cables.”
Reporting on/from China
Norm diffusion in cyber governance: China as an emerging norm entrepreneur? - International Affairs publishes - “This research also demonstrates that instead of using a single diffusion mechanism, China has relied on a dynamic combination of socialization and positive incentives which are driven by both state-led actors and private sectors to diffuse its cyber norms and approaches at regional and international levels.”
The regime complex for digital trade in Asia and China’s engagement - Asia Europe Journal publishes - “China’s emphasis on standard-setting efforts and security considerations introduces additional complexities to the regime complex, potentially impeding the development of comprehensive governance regimes for digital trade in the region.”
AI
Groundbreaking Framework for the Safe and Secure Deployment of AI in Critical Infrastructure Unveiled by Department of Homeland Security - Department of Homeland Security announces - “The Framework recommends that AI developers adopt a Secure by Design approach, evaluate dangerous capabilities of AI models, and ensure model alignment with human-centric values.”
AI Management Essentials tool - Department for Science, Innovation and Technology consults - “This consultation invites feedback on the Department for Science, Innovation and Technology’s (DSIT) AI Management Essentials (AIME) tool. AIME is a self-assessment tool that aims to help organisations assess and implement responsible AI management systems and processes. This consultation will help DSIT to ensure that the tool is fit-for-purpose, and supports businesses of different sizes and sectors to implement robust AI governance practices.”
JSP 936: Dependable Artificial Intelligence (AI) in defence (part 1: directive) - UK Ministry of Defence publishes - “JSP 936 includes directives on governance, development and assurance throughout the AI lifecycle which encompasses quality, safety and security considerations. It draws on existing policies and best practices, bridging the gap between high-level ethical principles on the use of AI and their practical implementation, guiding the department to become fully AI-ready.”
Cyber proliferation
Latvia and other countries to tackle proliferation and misuse of commercial spyware - Baltic Times reports - “Latvia will join the Joint Statement on Efforts to Counter the Proliferation and Misuse of Commercial Spyware, according to the Foreign Ministry's report endorsed by the government on Tuesday.”
1,400 Pegasus spyware infections detailed in WhatsApp’s lawsuit filings - The Record reports - “spyware maker NSO Group admitted to developing exploits to allow its Pegasus product to infect the phones of some 1,400 WhatsApp users in 2019 — an operation that allegedly violated federal and state laws, according to the messaging company.”
NSO – not government clients – operates its spyware, legal documents reveal - The Guardian reports - “In one, an NSO employee said customers only needed to enter a phone number of the person whose information was being sought. Then, the employee said, “the rest is done automatically by the system”. In other words, the process was not operated by customers. Rather NSO alone decided to access WhatsApp’s servers when it designed (and continuously upgraded) Pegasus to target individuals’ phones.”
Testimony from NSO Group raises questions about its culpability for spyware abuses - The Record reports
NSO Group admits cutting off 10 customers because they abused its Pegasus spyware, say unsealed court documents - Tech Crunch report - “This suite cost NSO’s government customers — namely police departments and intelligence agencies — up to $6.8 million for a one-year license, and netted NSO “at least $31 million in revenue in 2019, according to one of the court documents. “
Thai court dismisses activist's suit against Israeli spyware producer over lack of evidence - The Independent reports - “The Civil Court in Bangkok said Jatupat Boonpattararaksa had failed to show sufficient proof that his phone was infected with Pegasus spyware produced by NSO Group Technologies.”
Bounty Hunting
US charges five in 'Scattered Spider' hacking scheme - Reuters reports - “U.S. prosecutors unveiled criminal charges on Wednesday against five alleged members of Scattered Spider, a loose-knit community of hackers suspected of breaking into dozens of U.S. companies to steal confidential information and cryptocurrency.”
Justice Department Seizes Cybercrime Website and Charges Its Administrators - U.S. Department of Justice announces - “The Justice Department today announced the seizure of PopeyeTools, an illicit website and marketplace dedicated to selling stolen credit cards and other tools for carrying out cybercrime and fraud, and unsealed criminal charges against three PopeyeTools administrators: Abdul Ghaffar, 25, of Pakistan; Abdul Sami, 35, of Pakistan; and Javed Mirza, 37, of Afghanistan.”
Bitfinex Hacker Sentenced in Money Laundering Conspiracy Involving Billions in Stolen Cryptocurrency - U.S. Department of Justice announces - “Ilya Lichtenstein was sentenced today to five years in prison for his involvement in a money laundering conspiracy arising from the hack and theft of approximately 120,000 bitcoin from Bitfinex, a global cryptocurrency exchange.”
Phobos Ransomware Administrator Extradited from South Korea to Face Cybercrime Charges - FBI announces - “Evgenii Ptitsyn, 42, a Russian national, for allegedly administering the sale, distribution, and operation of Phobos ransomware. Ptitsyn made his initial appearance in the U.S. District Court for the District of Maryland on Nov. 4 after being extradited from South Korea. Phobos ransomware, through its affiliates, victimized more than 1,000 public and private entities in the United States and around the world, and extorted ransom payments worth more than $16 million dollars.”
Reality check on the future of the cyber insurance market - Swiss Re reality checks - “The cyber market is far from saturated. For 2025, Swiss Re is estimating a market premium of USD 16.6bn (+8% over 2024) and the cyber protection gap remains huge. On the one hand, there is significant geographical potential as can be seen in the uneven distribution of cyber premium across regions. According to Swiss Re data, North America dominates with 70% premium share followed by Europe (19%) and APAC (8%).”
Reflections this week are the next iteration of ‘AI can find vulnerabilities’ has arrived in the guise of ‘Leveling Up Fuzzing: Finding more vulnerabilities with AI’. How warm we finding the water? Ribbit…
Beyond that the paper Understanding the Efficacy of Phishing Training in Practice evidences what others have suspected.
First, we find no significant relationship between whether users have recently completed cybersecurity awareness training and their likelihood of failing a phishing simulation. Second, when evaluating recipients of embedded phishing training, we find that the absolute difference in failure rates between trained and untrained users is extremely low across a variety of training content.
Now lets focus on getting 2-step verification (multi-factor) - such as Passkeys - deployed as we know when done comprehensively it will address ~60% of breaches.
Think someone else would benefit? Share:
All attribution is by others and not the UK Government unless specifically stated as such, please see the legal text at the end.
Have a lovely Saturday..
Ollie
Cyber threat intelligence
Who is doing what to whom and how allegedly.
Reporting on Russia
The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access
Sean Koessel, Steven Adair and Tom Lancaster adjusts the threat model for a lot of companies with this alleged Russian operation. Who had the company across the road from your which enabled pivoted Wi-Fi access in their threat mode? It is like remote enabled close-access operations..
Russian APT GruesomeLarch deployed a new attack technique leveraging Wi-Fi networks in close proximity to the intended target.
The threat actor primarily leveraged living-off-the-land techniques.
A zero-day privilege escalation was used to further gain access.
Ukrainian-related work and projects were targeted in this attack, just ahead of Russian Invasion of Ukraine.
The month-and-a-half long investigation revealed that GruesomeLarch was able to ultimately breach Organization A’s network by connecting to their enterprise Wi-Fi network. The threat actor accomplished this by daisy-chaining their approach to compromise multiple organizations in close proximity to their intended target, Organization A. This was done by a threat actor who was thousands of miles away and an ocean apart from the victim. Volexity is unaware of any terminology describing this style of attack and has dubbed it the Nearest Neighbor Attack.
Russia-Aligned TAG-110 Targets Asia and Europe with HATVIBE and CHERRYSPY
Insikt Group detail an alleged scaled Russian operation which targets those near and of interest to the Russian state. They are using HTA and Python which is all a little 🥱
TAG110 UAC0063, which CERTUA first identified in May 2023 and attributed with moderate confidence to the Russian state-sponsored advanced persistent threat APT group BlueDelta APT28, is a Russia-aligned threat activity group primarily targeting organizations in Central Asia.
Since July 2024, Insikt Group has identified 62 unique TAG110 victims of custom malware HATVIBE and CHERRYSPY across eleven countries, with the vast majority of identified victims located in Central Asia. The targeted organizations were primarily in the government, human rights group, and education sectors.
This campaign aligns with historical UAC0063 reporting, including the use of CHERRYSPY beginning in 2023 and the heavy focus on targets in Central Asia.
Similar to other recent Russian APT campaigns affecting the region, the group is likely seeking to acquire intelligence to bolster Russias military efforts in Ukraine and gather insights into geopolitical events in neighboring countries, especially as Moscows relations with its neighbors have suffered following its invasion of Ukraine
https://go.recordedfuture.com/hubfs/reports/CTA-RU-2024-1121.pdf
Reporting on China
Unveiling WolfsBane: Gelsemium’s Linux counterpart to Gelsevirine
Viktor Šperka details an alleged Chinese threat actor Linux capability. How is your Linux estate observability and defence in depth? Running SELinux? Maybe some EBPF telemetry?
ESET researchers found archives with multiple Linux samples, containing two previously unknown backdoors.
The first backdoor, WolfsBane, is a Linux version of Gelsevirine, a Windows backdoor used by Gelsemium.
Its dropper is the equivalent of the Gelsemine dropper, and features a hider based on an open-source userland rootkit.
The second backdoor, which we have named FireWood, is connected to Project Wood. The Windows version of the Project Wood backdoor was previously used by the Gelsemium group in Operation TooHash.
Alongside the backdoors, we found additional tools, mainly web shells based on publicly available code.
Unveiling LIMINAL PANDA: A Closer Look at China's Cyber Threats to the Telecom Sector
Counter Adversary Operations details why telcos should be undertaking active threat hunting operations on a continuous basis. That and deploying Privileged Access Workstations as defined in the ETSI standard. Alleged Chinese operations are targeting the sector..
Since at least 2020, LIMINAL PANDA has targeted telecommunications entities using custom tools that enable covert access, command and control (C2) and data exfiltration. The adversary demonstrates extensive knowledge of telecommunications networks, including understanding interconnections between providers. LIMINAL PANDA has used compromised telecom servers to initiate intrusions into further providers in other geographic regions.
The adversary conducts elements of their intrusion activity using protocols that support mobile telecommunications, such as emulating global system for mobile communications (GSM) protocols to enable C2, and developing tooling to retrieve mobile subscriber information, call metadata and text messages (SMS).
LIMINAL PANDA highly likely engages in targeted intrusion activity to support intelligence collection. This assessment is made with high confidence based on the adversary's identified target profile, likely mission objectives and observed tactics, techniques and procedures (TTPs) — all of which suggest long-term clandestine access requirements.
https://www.crowdstrike.com/en-us/blog/liminal-panda-telecom-sector-threats/
Spot the Difference: Earth Kasha's New LODEINFO Campaign And The Correlation Analysis With The APT10 Umbrella
Hara Hiroaki details alleged Chinese operator on keyboard techniques. If nothing else it shows the value of honeytokens being sprinkled around..
Our comprehensive analysis of the activities in the Post-Exploitation phase has revealed that the primary motivation behind the attack was the theft of the victim’s information and data. Earth Kasha first discovered Active Directory configuration and domain user information to achieve this goal using legitimate Microsoft tools, such as csvde.exe, nltest.exe and quser.exe. The following are actual commands used by the adversary.
csvde.exe -f all.csv –u
nltest.exe /domain_trusts
quser.exe
They then accessed the file server and tried to find documents related to the system information of the customer's network by simply using "dir" commands recursively. Interestingly, upon checking on their activity, the operator might check the content of the documents manually. The stolen information may help the adversary find the next valuable target.
https://www.trendmicro.com/en_us/research/24/k/lodeinfo-campaign-of-earth-kasha.html
Unveiling Sharp Panda’s New Loader
Muffin details the capabilities of an alleged Chinese implant which appears to show an evolution in tradecraft.
For persistence purposes and to launch the dropped malicious DLL, the malware leverages Microsoft Windows API CoInitializeEx, CoInitializeSecurity and CoCreateInstance to create a scheduled task.
The present campaign represents a departure from traditional Sharp Panda exploitation of Equation Editor vulnerabilities of Microsoft Word to deploy additional payload. Concerning Sharp Panda’s new dropper used in this campaign, several questions remain, such as the real features of this piece of code as well as its utilisation by other Chinese-linked intrusion sets. In any case, it was fun to look at this loader / dropper.
https://securite360.net/unveiling-sharp-pandas-new-loader
Financially Motivated Chinese Threat Actor SilkSpecter Targeting Black Friday Shoppers
EclecticIQ shows there is subtly to certain criminal operations which may not always be obvious.
Threat actor SilkSpecter targeted victims' Cardholder Data (CHD) by leveraging the legitimate payment processor Stripe. This tactic allowed genuine transactions to be completed while covertly exfiltrating sensitive CHD to a server controlled by the attackers. SilkSpecter enhanced the phishing site’s credibility by using Google Translate to dynamically adjust the website's language based on each victim’s IP location, making it appear more convincing to an international audience.
Reporting on North Korea
DPRK IT Workers | A Network of Active Front Companies and Their Links to China
Tom Hegel & Dakota Cary show the rabbit hole is indeed deep and complex in this alleged North Korean operation.
SentinelLabs has identified unique characteristics of multiple websites, now seized by the US Government, associated with the DPRK IT Worker front companies.
We assess with high confidence that DPRK actors seek to impersonate US based software and technology consulting businesses by copying the online brands of legitimate organizations, seeking to use these for financial objectives.
SentinelLabs has linked the activity to several active front companies and links these with high confidence to a larger set of organizations being created in China.
Our findings link additional companies, which remain active today, to the DPRK IT Workers scheme.
Reporting on Iran
Nothing this week
Reporting on Other Actors
Inside Bitdefender Labs’ Investigation of a Malicious Facebook Ad Campaign Targeting Bitwarden Users
Andrei ANTON-AANEI and Alina BÎZGĂ show that someone is clearly capable and determined - but also relying on some psychological tradecraft..
Platform Exploitation: Attackers are leveraging Facebook’s advertising platform to deliver ads that look legitimate but lead to a malicious website.
Impersonation of Reputable Brands: The campaign impersonates Bitwarden, a popular password manager, to build trust and create a sense of urgency by prompting users to install a supposed "security update."
Specific Target Demographics: Launched on Nov 3, 2024, this campaign specifically targets consumers aged 18 to 65 across Europe.
Current Reach and Global Expansion Potential: The malicious ads have already been served to thousands of users, and could expand further. If left unchecked, this campaign could scale globally, affecting users worldwide.
Use of Redirect Chains: Users who click on these ads are redirected through multiple sites, ultimately landing on a phishing page that mimics the official Chrome Web Store to obscure the ad’s malicious intent.
Data Collection on Business and Personal Accounts: The malware gathers personal data and targets Facebook business accounts, potentially leading to financial losses for individuals and businesses.
XLoader running via JAR signing tool
Including because apparently sometimes even the most unexpected binaries will be used for side loading.
[We] confirmed the distribution of XLoader malware that utilizes the DLL Side-Loading technique. The DLL Side-Loading attack technique is a technique that stores a normal application and a malicious DLL in the same folder path so that the malicious DLL runs together when the application is executed. The normal application used in the attack, jarsigner, is a file created when installing the IDE package distributed by the Eclipse Foundation, and is a tool that signs JAR (Java Archive) files.
According to our findings, the distributed files are distributed in the form of compressed files, and contain normal EXE files and malicious DLL files. Of these, only two files, “jli.dll” and “concrt140e.dll”, are malicious files.
https://asec-ahnlab-com.translate.goog/ko/84431/
Discovery
How we find and understand the latent compromises within our environments.
ETW Forensics - Why use Event Tracing for Windows over EventLog?
Shusei Tomonaga shows why Microsoft to consider documenting ETW structures to aid memory forensics.
You can parse the recovered ETL file and check for important information. For example, there is an ETW session called LwtNetLog that is enabled by default. This ETW session has multiple network-related ETW providers configured, and it collects various types of information, including communication packets, DNS access, and DHCP. Check the recovered ETW events, and you can see the destination where the malware communicates, as shown in Figure 11. To parse the ETL file, we used tracefmt[4] This tool is not installed by default, and so you will need to install it manually.
https://blogs.jpcert.or.jp/en/2024/11/etw_forensics.html
RunMRU is not the only one forensic artifact left by the “Run” Prompt
Krzysztof Gajewski shows there continues to be untapped goldmines of value information to enable forensic investigations. Again it would be awesome if Microsoft (and other OS vendors) documented such sources of telemetry.
Thanks to the Activity Cache, we’d have all timestamps (we would not find that, by just parsing RunMRU). By matching other processes started after RunDialog was accessed and analyzing commands from RunMRU, you could likely determine exactly what happened and when. This is the power of a comprehensive timeline!
Defence
How we proactively defend our environments.
Retrofitting spatial safety to hundreds of millions of lines of C++
Alex Rebert, Max Shavrick and Kinuko Yasuda show how even legacy code basis can gain further protection at relatively little cost.
Hardening libc++ resulted in an average 0.30% performance impact across our services (yes, only a third of a percent).
The safety checks have uncovered over 1,000 bugs, and would prevent 1,000 to 2,000 new bugs yearly at our current rate of C++ development.
https://security.googleblog.com/2024/11/retrofitting-spatial-safety-to-hundreds.html
Reverse Engineering iOS 18 Inactivity Reboot
Jiska and Jiska separate fact from fiction with this analysis..
The time measurement and triggering of the reboot is in the SEP, which communicates with the SEPKeyStore kernel extension to perform the reboot. It is likely that using an external time source provided over the Internet or cellular networks to tamper with timekeeping will not influence the 3-day timer.
Security-wise, this is a very powerful mitigation. An attacker must have kernel code execution to prevent an inactivity reboot. This means that a forensic analyst might be able to delay the reboot for the actual data extraction, but the initial exploit must be run within the first three days.
Inactivity reboot will change the threat landscape for both thieves and forensic analysts, but asymmetrically so: while law enforcement is under more time pressure, it likely completely locks out criminals from accessing your data to get into your bank accounts and other valuable information stored on your iPhone.
https://naehrdine.blogspot.com/2024/11/reverse-engineering-ios-18-inactivity.html?m=1
Incident Writeups & Disclosures
How they got in and what they did.
Vulnerability
Our attack surface.
4,000,000 WordPress Sites Using Really Simple Security Free and Pro Versions Affected by Critical Authentication Bypass Vulnerability
István Márton shows what internet scale vulnerability looks like..
This vulnerability affects Really Simple Security, formerly known as Really Simple SSL, installed on over 4 million websites, and allows an attacker to remotely gain full administrative access to a site running the plugin.
https://www.wordfence.com/blog/2024/11/really-simple-security-vulnerability/
Offense
Attack capability, techniques and trade-craft.
DNS C2 Spec for Mythic
Follow along and detect at pace..
https://github.com/its-a-feature/Mythic/discussions/418
New AMSI Bypss Technique Modifying CLR.DLL in Memory
The arms race continues although copy-on-write detection should help here.
Fortunately, there are other ways to bypass AMSI other than API patching. In this post, I will present a new technique targeting CLR.DLL to prevent the runtime from passing reflectively loaded .NET modules to the installed AV. This bypass will allow us to safely load our malicious binaries into memory undetected.
https://practicalsecurityanalytics.com/new-amsi-bypss-technique-modifying-clr-dll-in-memory/
ChainReactor: Automated Privilege Escalation Chain Discovery via AI Planning
Giulio De Pasquale, Ilya Grishchenko, Riccardo Iesari, Gabriel Pizarro, Lorenzo Cavallaro, Christopher Kruegel and Giovanni Vigna hint at the future..
ChainReactor automates the discovery of privilege escalation chains by:
Extracting information about available executables, system configurations, and known vulnerabilities on the target system.
Encoding this data into a Planning Domain Definition Language (PDDL) problem.
Using a modern planner to generate chains that incorporate vulnerabilities and benign actions.
The tool has been evaluated on synthetic vulnerable VMs, Amazon EC2, and Digital Ocean instances, demonstrating its capability to rediscover known exploits and identify new chains.
https://github.com/ucsb-seclab/chainreactor
Exploitation
What is being exploited..
Operation Lunar Peek, Activity Related to CVE-2024-0012 and CVE-2024-9474 (Updated Nov. 21)
Limited number is 2,000 according to ShadowServer
Palo Alto Networks originally identified threat activity targeting a limited number of device management web interfaces. This original activity, reported on Nov. 18, 2024, primarily originated from IP addresses known to proxy/tunnel traffic for anonymous VPN services.
https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474/#post-137539-_50343o6a6han
Inside Water Barghest’s Rapid Exploit-to-Market Strategy for IoT Devices
Feike Hacquebord and Fernando Mercês show what monetization via exploitation looks like in 2024.
Water Barghest, which comprised over 20,000 IoT devices by October 2024, monetizes IoT devices by exploiting vulnerabilities and quickly enlisting them for sale on a residential proxy marketplace.
Its botnet uses automated scripts to find and compromise vulnerable IoT devices sourced from public internet scan databases like Shodan.
Once IoT devices are compromised, the Ngioweb malware is deployed, which runs in memory and connects to command-and-control servers to register the compromised device as a proxy.
The monetization process, from initial infection to the availability of the device as a proxy on a residential proxy marketplace, can take as little as 10 minutes, indicating a highly efficient and automated operation.
https://www.trendmicro.com/en_us/research/24/k/water-barghest.html
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
MmScrubMemory: The Nemesis of Virtual Machine Introspection
Petr Beneš details a neat technique..
What I needed was a way to prevent the memory scrubbing from remapping the root of the page table structure. Essentially, I needed to lock the page in memory. Aha! I’ve remembered that I was dealing with something similar in the past - I needed to prevent some user-mode memory from being paged out. For that, I’ve used the
MmProbeAndLockPagesfunction. It might not seem relevant at first, but the key was realizing one thing thatMmProbeAndLockPagesdoes - it increments the reference count of the page.
https://wbenny.github.io/2024-11-21-mmscrubmemory/
A Completely Modular LLM Reverse Engineering, Red Teaming, and Vulnerability Research Framework
James Stevenson releases a tool for assessing LLMs.
Oversight is a modular, plugin-focused, web-based tool for performing red-teaming and reverse engineering on Large Language Models. Currently, Oversight has a single loader for loading LLMs directly from HuggingFace.
Plugin-Based Architecture: Extend Oversight’s capabilities with custom plugins.
Comprehensive Analysis: Supports adversarial testing, response evasion, prompt fuzzing, etc.
User-Friendly Interface: Intuitive web interface powered by Flask.
Detailed Reports: Generate and download comprehensive reports.
https://github.com/user1342/Oversight
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Aggregate reporting
Nothing this week
The six degrees of cyber attribution - A IISS six-tier framework illustrates how actor–state relationships vary in cyberspace, reflecting how attribution has evolved from a practice used to identify bad actors to a political tool used to signal irresponsible state conduct.
10th Mountain Division Hosts Summit Strike 2024 - Interview - Capt. Sean Thorpe - “At exercise Summit Strike, Cyber-Electromagnetic Activities Officer Capt Sean Thorpe talks about value of cyber support and ARCYBER forces to multi-domain ops.”
Artificial intelligence
Nothing this week
Books
Nothing this week
Events
10 Years of ‘Naming and Shaming’: Attribution as a Tool of Cyber Statecraft - December 5th, London
Unless stated otherwise, linked or referenced content does not necessarily represent the views of the NCSC and reference to third parties or content on their websites should not be taken as endorsement of any kind by the NCSC. The NCSC has no control over the content of third party websites and consequently accepts no responsibility for your use of them.
This newsletter is subject to the NCSC website terms and conditions which can be found at https://www.ncsc.gov.uk/section/about-this-website/terms-and-conditions and you can find out more about how will treat your personal information in our privacy notice at https://www.ncsc.gov.uk/section/about-this-website/privacy-statement.