CTO at NCSC Summary: week ending October 27th
CTO at NCSC Summary: week ending October 27th
Exploited vulnerabilities in network edge security solutions..
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week the Exploitation of vulnerability affecting Fortinet FortiManager was a focus..
In the high-level this week:
Cyber Essentials Supply Chain Commitment: joint statement - Department for Science, Innovation and Technology and Feryal Clark MP - “A joint statement on how the UK's leading banks are working with the government to expand the role of Cyber Essentials and improve supply chain cyber security.”
Reminder #2 St James Place wealth management saw “around 80% reduction in cyber security incidents, which directly correlates to controls and best practice implemented through CE+.”
Reminder #3 Cyber Essentials 'Pathways’ are a way for larger organisations to achieve Cyber Essentials - allowing for CE/CE+ to be a requirement for an organisations supply chains irrespective of supplier size.
New data laws unveiled to improve public services and boost UK economy by £10 billion - Department of Science Innovation and Technology announces - “The better use of data under measures in the Bill will also simplify important tasks such as renting a flat and starting work with trusted ways to verify your identity online, or enabling electronic registration of births and deaths, so that people and businesses can get on with their lives without unnecessary admin.”
Advisory on North Korean IT Workers - Office of Financial Sanctions Implementation at HM Treasury warns - “It is almost certain that UK firms are currently being targeted by Democratic People's Republic of Korea (DPRK a.k.a. North Korea) Information Technology (IT) workers disguised as freelance third-country IT workers to generate revenue for the DPRK regime.”
Doubling Down on Trusted Partnerships: Our Commitment to Researchers - National Cyber Director Harry Coker, Jr. promises - “The USG follows TLP markings on cybersecurity information voluntarily shared by an individual, company, or other any organization, when not in conflict with existing law or policy. We adhere to these markings because trust in data handling is a key component of collaboration with our partners.”
CISA, US, and International Partners Release Joint Guidance to Assist Software Manufacturers with Safe Software Deployment Processes - CISA announces - “This guide aids software manufacturers in establishing secure software deployment processes to help ensure software is reliable and safe for customers. Additionally, it offers guidance on how to deploy in an efficient manner as part of the software development lifecycle (SDLC).”
SEC Charges Four Companies With Misleading Cyber Disclosures - Securities and Exchange Commission charges -
“Unisys will pay a $4 million civil penalty;
Avaya. will pay a $1 million civil penalty;
Check Point will pay a $995,000 civil penalty; and
Mimecast will pay a $990,000 civil penalty.”
Ransom-War and Russian Political Culture: Trust, Corruption, and Putin's Zero-Sum Sovereignty - Natto Thoughts asserts - “In return for protection, the criminals may find themselves doing favors for intelligence services, an arrangement which aligns with Russian President Vladimir Putin’s vision of how the world works, which we sum up here as “zero-sum sovereignty.”
2024 Quad Cyber Challenge Joint Statement - United States Department of State announces - “The theme of this year’s Challenge is promoting cybersecurity education and building a strong workforce.”
Counting the Costs in Cybersecurity - Lawfare opines - “But despite the challenge of measurement, empirically and systemically counting the outcomes of cyber insecurity—the physical, financial, and informational losses—is a key first step in sharpening intuition into effective policy and understanding the current landscape. Outcome measures do exist, and it’s long overdue that we start counting them.”
SEC Division of Examinations Announces 2025 Priorities - Securities and Exchange Commission analyzes then announces - “This year’s examinations will prioritize perennial and emerging risk areas, such as fiduciary duty, standards of conduct, cybersecurity, and artificial intelligence.”
Launch of New Guidance for Firm Operational Resilience - CMORG (finance Cross Market Operational Resilience Group) publishes - with lots of cyber!
Centralized and Decentralized Finance: Substitutes or Complements? - Governor Waller from the Federal Reserve speaks - “These technologies will almost certainly lead to efficiency gains over time, but as they develop, we should think carefully about their role in the broader financial landscape.”
G7 Mapping Exercise of Digital Identity Approaches - The Organisation for Economic Co-operation and Development (OECD) publishes - “This Mapping Exercise explores the different approaches to digital identity of G7 members. It draws out significant commonalities, as well as differences.”
Semiconductors
Japan Pressed by US Lawmakers to Strengthen Chip Curbs on China - Bloomberg reports - “The top Republican and Democrat on the House China Select Committee outlined their concerns in a letter dated Oct. 15 to Japanese Ambassador to the US Shigeo Yamada”
TSMC says 'insane' AI demand is 'real' and a boon for chip giant - Nikkei Asia reports - “set to continue for years”
Reporting on/from China
Chinese Hackers Are Said to Have Targeted Phones Used by Trump and Vance - New York Times reports - “Chinese hackers who are believed to have burrowed deep into American communications networks targeted data from phones used by former President Donald J. Trump and his running mate, Senator JD Vance of Ohio, people familiar with the matter said on Friday.”
See CISA/FBI alert later..
China : Vulnerabilities as a strategic resource - Intrinsec analyzes - “A statistical analysis of data relating to the vulnerabilities submitted reveals a drop in submissions to the China National Vulnerability Database (CNVD) and an obfuscation of data on the side of the China National Vulnerability Database of Information Security (CNNVD), suggesting a strategic exploitation of vulnerabilities by the Chinese government”
Deepen the reform of the science and technology system and cultivate new driving forces for innovation and development - Qu Dacheng analysis “The need to accelerate the construction of a scientific and technological power. Building a scientific and technological power is a major strategic plan made by the Party Central Committee with Comrade Xi Jinping at its core to grasp the general trend of the world, base itself on the current situation, and take a long-term perspective.”
Redefining alliances: Exploring the emergence of the China-Russia military axis - School of International Affairs, Higher School of Economics, Moscow, Russia researches - “The research reveals the driving forces behind the emergence of a China-Russia military axis and its underlying synergy. It concludes that China and Russia have redefined the notion of alliance beyond its traditional understanding, creating a new paradigm of allied relations in international affairs.”
Chinese drone maker DJI sues Pentagon over ‘military ties’ blacklisting - South China Morning Post reports - ““[DJI] determined it had no alternative other than to seek relief in federal court. DJI is not owned or controlled by the Chinese military, and the DOD [Department of Defence] itself acknowledges that DJI makes consumer and commercial drones, not military drones,” the firm said.”
Artificial intelligence
Memorandum on Advancing the United States’ Leadership in Artificial Intelligence; Harnessing Artificial Intelligence to Fulfill National Security Objectives; and Fostering the Safety, Security, and Trustworthiness of Artificial Intelligence - The White House publishes - “ In coordination with relevant agencies as appropriate, Commerce shall establish an enduring capability to lead voluntary unclassified pre-deployment safety testing of frontier AI models on behalf of the United States Government, including assessments of risks relating to cybersecurity, biosecurity, chemical weapons, system autonomy, and other risks as appropriate (not including nuclear risk, the assessment of which shall be led by DOE). “
Generative AI Training, Development, and Deployment Considerations - US Government Accountability Office publishes - “Our technology assessment describes common development practices, including testing for vulnerabilities and the limitations of this testing.”
Navigating the Digital World as Humans Do: Universal Visual Grounding for GUI Agents - Ohio State University publishes - “In this paper, we advocate a human-like embodiment for GUI agents that perceive the environment entirely visually and directly take pixel-level operations on the GUI.”
then as if by magic Anthropic’s new AI model can control your PC using such an approach - “We trained Claude to see what’s happening on a screen and then use the software tools available to carry out tasks,”
Scalable watermarking for identifying large language model outputs - Google publishes - “To enable watermarking at scale, we develop an algorithm integrating watermarking with speculative sampling, an efciency technique frequently used in production systems”
Cyber proliferation
ICE's $2 Million Contract With a Spyware Vendor Is Under White House Review - Wired reports - “Immigration and Customs Enforcement's contract with Paragon Solutions faces scrutiny over whether it complies with the Biden administration's executive order on spyware”
Pegasus Spyware Maker Said to Flout Federal Court as It Lobbies to Get Off U.S. Blacklist - The Intercept reports - “… serves a primarily rural district anchored in Waco, a city of 150,000. It’s unclear why he is so interested in NSO Group, the infamous Israeli spyware firm that was blacklisted by the U.S. for its role in human rights abuses. Between February and July, though, Sessions and his team met eight times with lobbyists on behalf of NSO.”
Bounty Hunting
South Korea vows to prevent technology leaks with heavier penalties - Reuters reports - “The government will set up a "big data" system aimed at preventing technology leaks at the patent agency and introduce new regulations to ensure stronger punishment for culprits, Choi said. He did not specify what the stronger penalties would be under the new regulations.”
GRU Officers – Unit 29155 - Rewards for Justice bounties - “is offering a reward of up to $10 million for information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against U.S.”
Shahid Hemmat - Rewards for Justice bounties - “is offering a reward of up to $10 million for information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act.”
Cyber Insurance Market Grows, But Adoption of Risk Management Services Lags - Risk & Insurance reports - “Beyond the crucial risk transfer that cyber insurance provides, 83.5% respondents pointed to breach response services and 73.4% cited incident response planning as the most valuable features of their policies.”
Reflections this week are around AI its application to vulnerability discovery and preparing not for an ‘AI event’ but a boiling frog moment as the volume of discovered and exploited vulnerabilities increases because of it.
Back in December 2023 and updated in July we had the paper LLMs Cannot Reliably Identify and Reason About Security Vulnerabilities (Yet?): A Comprehensive Evaluation, Framework, and Benchmarks. Since its publication we now have two commercial companies attempting to apply LLMs to web vulnerability discovery (Xbow and Cracken), the Vulnhuntr project is applying Claud to static code analysis for vulnerability discovery (and finding them at a small scale), we have ProphetFuzz an LLM based fully automated fuzzing tool for option combination testing and a Chinese article on REST API automated testing using LLMs. Then finally we have this talk on combining classical symbolic reasoners with modern-day LLMs (slides)..
Now lets be clear - we are not at material levels of vulnerabilities being discovered via these methods (yet) and it is unclear currently if they outperform traditional SAST/DAST approaches. However a future direction of travel and a corresponding risk of possible disruption is emerging if there is material improvement in productivity on the VR side..
.. the question is how we prepare for such a potential boiling frogs scenario rather than a big ‘AI event’ - that is where vulnerabilities become shallower and it becomes an even greater volume game?
Additionally building on last weeks reflection this article on ‘The struggle for software liability: Inside a ‘very, very, very hard problem’ is an interesting read...
Finally there was the paper Parallel molecular data storage by printing epigenetic bits on DNA - the world of synthbio-data (not entirely digital) forensics is going to be wild!
Think someone else would benefit? Share:
All attribution is by others and not the UK Government unless specifically stated as such, please see the legal text at the end.
Have a lovely Saturday..
Ollie
Cyber threat intelligence
Who is doing what to whom and how allegedly.
Reporting on Russia
RDP configuration files as a means of obtaining remote access to a computer or "Rogue RDP"
Ukrainian Government details a campaign which Amazon alleges is APT28 who used RDP to expose the victims local resources to the threat actors server in order to facilitate exfiltration.
On October 22, 2024, the Government Computer Emergency Response Team of Ukraine CERT-UA received information about the mass distribution of e-mails among state authorities, enterprises of the main branches of industry, and military formations with subjects allegedly devoted to issues of "integration" with Amazon services.
https://cert.gov.ua/article/6281076
Cyber attack UAC-0001 (APT28): PowerShell command in clipboard as "entry point"
Ukrainian Government details a campaign they alleged is Russian in origination which wins a prize for ‘most actions you ask your victim to take’
The Government Computer Emergency Response Team of Ukraine, CERT-UA, is investigating activity related to the distribution of e-mails to local governments with the subject "Table Replacement" and a link imitating a Google spreadsheet.
If the link is clicked, the user will be shown a window simulating the reCAPTCHA bot protection mechanism. If you click in the box opposite the inscription "I'm not a robot", a PowerShell command will be copied to the computer's clipboard, and the window that will appear will display "instructions" in which you are asked to press the key combination " Win+R" (to open the command line), then perform the second key combination "Ctrl+V" (insert a command in the command line) and press "Enter", which will lead to the execution of the PowerShell command.
https://cert.gov.ua/article/6281123
Reporting on China
Joint Statement by FBI and CISA on PRC Activity Targeting Telecommunications
FBI and CISA attribute this alleged PRC intrusion into telecommunications networks..
After the FBI identified specific malicious activity targeting the sector, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) immediately notified affected companies, rendered technical assistance, and rapidly shared information to assist other potential victims. The investigation is ongoing, and we encourage any organization that believes it might be a victim to engage its local FBI field office or CISA.
Crimson Palace returns: New Tools, Tactics, and Targets
Mark Parsons, Morgan Demboski and Sean Gallagher alleged China is targeting a nearby Government and also demonstrates an ability to evolve ..
After a brief break in activity, Sophos X-Ops continues to observe and respond to what we assess with high confidence as a Chinese state-directed cyberespionage operation targeting a prominent agency within the government of a Southeast Asian nation.
However, in September, the attackers behind Cluster Charlie modified their activities again in several ways:
They employed open source and off-the-shelf tools to re-establish their presence after Sophos discovered and blocked their custom tools.
They leveraged numerous tools and techniques that had previously been part of the other threat activity clusters we had observed.
https://news.sophos.com/en-us/2024/09/10/crimson-palace-new-tools-tactics-targets/
Reporting on North Korea
The Crypto Game of Lazarus APT: Investors vs. Zero-days
Boris Larin alleged North Korea had a Chrome zero-day which they were using in their financial operations.. When you steal billions you can buy zero-days it would appear..
On the surface, this website resembled a professionally designed product page for a decentralized finance (DeFi) NFT-based (non-fungible token) multiplayer online battle arena (MOBA) tank game, inviting users to download a trial version. But that was just a disguise. Under the hood, this website had a hidden script that ran in the user’s Google Chrome browser, launching a zero-day exploit and giving the attackers complete control over the victim’s PC. Visiting the website was all it took to get infected — the game was just a distraction.
We were able to extract the first stage of the attack — an exploit that performs remote code execution in the Google Chrome process. After confirming that the exploit was based on a zero-day vulnerability targeting the latest version of Google Chrome, we reported our findings to Google the same day. Two days later
https://securelist.com/lazarus-apt-steals-crypto-with-a-tank-game/114282/
Infiltrating Cosmos
Jae Kwon, Jacob Gadikian and CoinDesk detail a story, which if true, is on the wilder end. They alleged North Korea might have coded a DeFi project in order to ransack it.
Imagine waking up to find out your favorite DeFi project was potentially built by the world's most notorious crypto thieves.
August 2021: LSM development kicks off. Iqlusion, led by Zaki Manian, starts building with Jun Kai and Sarawut Sanit. Little did they know, they were potentially coding with the enemy.
..
October 2, 2024: Zaki finally spills the beans on X. "I learned of the DPRK links in March of 2023.”
https://rekt.news/infiltrating-cosmos/
Reporting on Iran
ESET Israel Wiper — used in active attacks targeting Israeli orgs
Kevin Beaumont details an incident where a security vendor allegedly had an intrusion which was used to distribute a wiper which he attributes to Iran.
Reporting on Other Actors
Tricks and Treats: GHOSTPULSE’s new pixel- level deception
Salim Bitam details a campaign which is similar in part of the APT28 one but is a stealer campaign..
GHOSTPULSE has shifted from using the IDAT chunk of PNG files to embedding its encrypted configuration and payload within the pixel structure.
Recent campaigns involve tricking victims with creative social engineering techniques, such as CAPTCHA validations that trigger malicious commands through Windows keyboard shortcuts.
Elastic Security has enhanced its YARA rules and updated the configuration extractor tool to detect and analyze both the old and new versions of GHOSTPULSE.
https://www.elastic.co/security-labs/tricks-and-treats
Unmasking Lumma Stealer: Analyzing Deceptive Tactics with Fake CAPTCHA
Vishwajeet Kumar also details the same campaign..
Lumma Stealer is an information-stealing malware available through a Malware-as-a-Service (MaaS). It specializes in stealing sensitive data such as passwords, browser information, and cryptocurrency wallet details. The attacker has advanced its tactics, moving from traditional phishing to fake CAPTCHA verification, exploiting legitimate software to deliver Lumma Stealer. These deceptive delivery methods make Lumma Stealer a persistent threat.
Highlighting TA866/Asylum Ambuscade Activity Since 2021
Edmund Brumaghin, Jordyn Dunk, Nicole Hoffman and Holger Unterbrink details an unattributed campaign which is relatively complex but is noteworthy for the fact they clear collaborations going on..
TA866 (also known as Asylum Ambuscade) is a threat actor that has been conducting intrusion operations since at least 2020.
TA866 has frequently relied on commodity and custom tooling to facilitate post-compromise activities. These tools often perform specific functions and are deployed and used as needed in the context of specific intrusions.
Cisco Talos assesses with high confidence that TA866 frequently leverages business relationships with other threat actors across various stages of their attacks to help them achieve their mission objective(s).
We assess with high confidence that recent post-compromise intrusion activity associated with WarmCookie/BadSpace is related to previous post-compromise activity that we attribute to TA866.
We assess that WarmCookie was likely developed by the same threat actor that developed the Resident backdoor that was delivered in previous intrusions that we attribute to TA866.
https://blog.talosintelligence.com/highlighting-ta866-asylum-ambuscade/
Discovery
How we find and understand the latent compromises within our environments.
Unmasking Hidden Threats: Using Velociraptor for Process Hollowing Analysis
Daniel Jeremiah deserves a medal for writing this detailed guide..
In this lab, we will focus on the following artefacts as shown in Fig 10:
Windows.Memory.ProcessInfo: This artefact provides detailed information about running processes in memory. It allows us to see which processes are active, including their memory usage, identifiers, and other related information.
Windows.Memory.ProcessDump: This artefact captures the memory of a specific process, which can be used to analyse its behaviour, identify injected code, or find other malicious activity.
Generic.System.Pstree: This artefact shows the process tree, illustrating how processes are spawned and related to one another. It’s useful for identifying parent-child relationships between processes, especially when tracking malware.
Windows.System.Pslist: This artefact provides a list of all active processes in the system, including detailed information such as process IDs and associated user accounts.
Windows.Attack.Prefetch: This artefact focuses on Windows Prefetch data, which helps track recently executed applications. It’s useful for identifying whether a suspicious or malicious executable has run on the system.
Defence
How we proactively defend our environments.
Finding Vulnerability Variants at Scale
Franco Belman shows how to rain vulnerabilities in order to fix them..
In this post, I’ll guide you through the process used to locate this vulnerability. Then, I’ll explain the method developed to identify its variants at scale in projects such as Chromium, Electron, and WINE among others.
https://blackwinghq.com/blog/posts/finding-vulnerability-variants-at-scale/
Incident Writeups & Disclosures
How they got in and what they did.
Multiple Services: Partially incomplete log data due to monitoring agent issue
Points for transparency here by Microsoft..
Starting around 23:00 UTC on 2 September 2024, a bug in one of Microsoft’s internal monitoring agents resulted in a malfunction in some of the agents when uploading log data to our internal logging platform. This resulted in partially incomplete log data for the affected Microsoft services. This issue did not impact the uptime of any customer-facing services or resources – it only affected the collection of log events. Additionally, this issue is not related to any security compromise.
Bytedance's large model training was attacked by an intern
IT Home reports
took advantage of the huggingface vulnerability and wrote destructive code into the company's shared model
https://www.ithome.com/0/803/433.htm
further details of the alleged incident
https://github.com/JusticeFighterDance/JusticeFighter110
Vulnerability
Our attack surface.
FortiGuard Labs - Missing authentication in fgfmsd
Fortinet alerts..
A missing authentication for critical function vulnerability [CWE-306] in FortiManager fgfmd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.
Reports have shown this vulnerability to be exploited in the wild.
https://www.fortiguard.com/psirt/FG-IR-24-423
Cisco Firepower Threat Defense Software for Firepower 1000, 2100, 3100, and 4200 Series Static Credential Vulnerability
Cisco alerts…
This vulnerability is due to the presence of static accounts with hard-coded passwords on an affected system. An attacker could exploit this vulnerability by logging in to the CLI of an affected device with these credentials. A successful exploit could allow the attacker to access the affected system and retrieve sensitive information, perform limited troubleshooting actions, modify some configuration options, or render the device unable to boot to the operating system, requiring a reimage of the device.
Offense
Attack capability, techniques and trade-craft.
VAC kernel-mode bypass
Ricardo Carvalho shows game hackers are always the best..
Fully working VAC kernel-mode bypass, it makes use of either SSDT hooks or Infinityhook to intercept VAC syscalls and ultimately spoof the results in order to bypass the memory integrity checks. Using this bypass you're able to load unsigned DLL into the game memory space and perform patches on the game modules as desired, it also makes sure the DLL will never be scanned by their signature/heuristic checks.
https://github.com/crvvdev/vac-bypass-kernel
Website-Fingerprinting-Library: A Library for Advanced DL-based Website Fingerprinting Attacks
Deng, Xinhao and Li, Qi and Xu, Ke
WFlib is a Pytorch-based open-source library for website fingerprinting attacks, intended for research purposes only.
We provide a neat code base to evaluate 11 advanced DL-based WF attacks on multiple datasets. This library is derived from our ACM CCS 2024 paper. If you find this repo useful, please cite our paper.
https://github.com/Xinhao-Deng/Website-Fingerprinting-Library
Website Fingerprinting (WF) attacks identify the websites visited by users by performing traffic analysis, compromising user privacy. Particularly, DL-based WF attacks demonstrate impressive attack performance. However, the effectiveness of DL-based WF attacks relies on the collected complete and pure traffic during the page loading, which impacts the practicality of these attacks.
Holmes utilizes temporal and spatial distribution analysis of website traffic to effectively identify websites in the early stages of page loading. Specifically, Holmes develops adaptive data augmentation based on the temporal distribution of website traffic and utilizes a supervised contrastive learning method to extract the correlations between the early-stage traffic and the pre-collected complete traffic. Holmes accurately identifies traffic in the early stages of page loading by computing the correlation of the traffic with the spatial distribution information, which ensures robust and reliable detection according to early-stage traffic
The paper can be found here:
https://arxiv.org/abs/2407.00918
Hijack the TypeLib. New COM persistence technique
Michael Zhmailo gives something else for everyone to hunt for..
It was discovered that the LoadTypeLib() function, used to load a TypeLib library into a process, looks through certain registry keys in an attempt to discover the path to the target library. According to the documentation, if the function detects a moniker (string representation of a COM object) instead of a disk path, the moniker is loaded and executed in the process.
https://cicada-8.medium.com/hijack-the-typelib-new-com-persistence-technique-32ae1d284661
Persist through the NVRAM
Csaba Fitzl details a novel albeit unlikely to be used macOS persistence mechanism..
This is a practically completely useless persistence, as this can be only set and enabled when SIP is actually disabled. On the other hand I still find it a pretty amazing way to persist, as we can do that by putting a binary into NVRAM and get that executed. Here follows the details of the discovery.
https://theevilbit.github.io/beyond/beyond_0035/
Ghost: Evasive shellcode loader
cpu0x00 releases a capability which will inspire others..
Ghost is a shellcode loader project designed to bypass multiple detection capabilities that are usually implemented by an EDR
..
Ghost heavily relies on understanding how your beacon sleeps , in case of cobalt strike the kernel32!Sleep function is hooked and replaced with fiber calls to allow switching and hiding the beacon callstack
https://github.com/cpu0x00/Ghost
Exploitation
What is being exploited..
Investigating FortiManager Zero-Day Exploitation (CVE-2024-47575)
Foti Castelan, Max Thauer, JP Glab, Gabby Roncone, Tufail Ahmed and Jared Wilson detail a zero-day which was exploited at some scale in an edge network security device..
In October 2024, Mandiant collaborated with Fortinet to investigate the mass exploitation of FortiManager appliances across 50+ potentially compromised FortiManager devices in various industries. The vulnerability, CVE-2024-47575 / FG-IR-24-423, allows a threat actor to use an unauthorized, threat actor-controlled FortiManager device to execute arbitrary code or commands against vulnerable FortiManager devices.
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
Nova: Generative Language Models for Assembly Code with Hierarchical Attention and Contrastive Learning
Nan Jiang, Chengxiao Wang, Kevin Liu, Xiangzhe Xu, Lin Tan, Xiangyu Zhang and Petr Babkin show a promising capability..
Binary code analysis is the foundation of crucial tasks in the security domain; thus building effective binary analysis techniques is more important than ever. Large language models (LLMs) although have brought impressive improvement to source code tasks, do not directly generalize to assembly code due to the unique challenges of assembly: (1) the low information density of assembly and (2) the diverse optimizations in assembly code. To overcome these challenges, this work proposes a hierarchical attention mechanism that builds attention summaries to capture the semantics more effectively and designs contrastive learning objectives to train LLMs to learn assembly optimization. Equipped with these techniques, this work develops Nova, a generative LLM for assembly code. Nova outperforms existing techniques on binary code decompilation by up to 14.84 -- 21.58% (absolute percentage point improvement) higher Pass@1 and Pass@10, and outperforms the latest binary code similarity detection techniques by up to 6.17% Recall@1, showing promising abilities on both assembly generation and understanding tasks.
https://arxiv.org/abs/2311.13721
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Aggregate reporting
Hiscox Cyber Readiness Report 2024 - “The study reveals that 67% of organisations report an increase in cyber incidents across the past year compared to the previous one and underscores the growing challenges for organisations in balancing technological advancement with robust cyber risk management to protect both their operations and reputations.”
Artificial intelligence
DocETL: Agentic Query Rewriting and Evaluation for Complex Document Processing - “We present DocETL, a system that optimizes complex document processing pipelines, while accounting for LLM shortcomings. DocETL offers a declarative interface for users to define such pipelines and uses an agent-based framework to automatically optimize them, leveraging novel agent-based rewrites (that we call rewrite directives) and an optimization and evaluation framework that we introduce.”
China
7 The state and digital society in China: Big Brother Xi is watching you!
China's 'entrepreneurship for everyone' era ends as state sets agenda
Vivo becomes India’s No 1 smartphone brand, topping Xiaomi and Samsung
Richard Koo and Zichen Wang on What Really Happened With the Chinese Stimulus
Fueling China’s Innovation: The Chinese Academy of Sciences and Its Role in the PRC’s S&T Ecosystem
Books
Age of Exploration: How Chinese Scientists and Administrators Discovered China
Events
Unless stated otherwise, linked or referenced content does not necessarily represent the views of the NCSC and reference to third parties or content on their websites should not be taken as endorsement of any kind by the NCSC. The NCSC has no control over the content of third party websites and consequently accepts no responsibility for your use of them.
This newsletter is subject to the NCSC website terms and conditions which can be found at https://www.ncsc.gov.uk/section/about-this-website/terms-and-conditions and you can find out more about how will treat your personal information in our privacy notice at https://www.ncsc.gov.uk/section/about-this-website/privacy-statement.