CTO at NCSC Summary: week ending October 5th
Welcome to the weekly highlights and analysis of the blueteamsec Lemmy (and my wider reading). Not everything makes it in, but the best bits do.
Operationally obviously events in the UK continue to drive the tempo.. The Blog by Oracle - Applying the July 2025 Critical Patch Update for Oracle E-Business Suite (EBS) as well as CVE-2025-61882 is worth ensuring…
In the high-level this week:
RFC 9794: a new standard for post-quantum terminology - NCSC UK publish - “To contribute to the international effort to ensure a smooth and secure migration to PQC, the NCSC has taken an active role in the development of PQC standards. In June 2025, the IETF published RFC 9794, specifying ‘Terminology for Post-Quantum/Traditional Hybrid Schemes’. This RFC defines foundational language for PQC standardisation in protocols, and was authored by the NCSC, partnering with Dr. Britta Hale from the Naval Postgraduate School.”
Understanding your OT environment: the first step to stronger cyber security - NCSC UK publish - “If you can’t see your entire operational technology environment, you can’t defend it. New guidance from the NCSC will help you gain that visibility.”
A look inside 90 Signals Unit – the Royal Air Force’s secret cyber force - Forces News looks inside - “90SU is the RAF’s expert cyber force. Their mission is twofold: first, to provide secure communications for the RAF and, more commonly these days, Nato, anywhere in the world; and second, to defend those networks from hostile attack.”
NIS raises natl. cyber alert level to ‘caution’ amid public service outage - Korea Herald reports - “The National Intelligence Service on Monday raised the country’s cyber alert level by one notch to “caution” in the wake of a major outage of public online services due to last week’s fire at the state data management agency. The second-level alert of a four-tier system took effect as of 6 p.m. due to concerns of possible cyber attacks taking advantage of the government administrative system outage, according to the NIS.”
Cybersecurity Training Programs Don’t Prevent Employees from Falling for Phishing Scams - UC San Diego Health publishes - “After sending 10 different types of phishing emails over the course of eight months, the researchers found that embedded phishing training only reduced the likelihood of clicking on a phishing link by 2%. This is particularly striking given the expense in time and effort that these trainings require, the researchers note.”
Breaking down digital barriers for Canadians - Alberta government publishes - “During the symposium, the federal, provincial and territorial governments signed a multilateral cyber security collaboration agreement to better protect Canada’s critical infrastructure and the personal information of Canadians. The agreement aims to prevent and mitigate the consequences of cyber security events that may affect the confidentiality, integrity or availability of information and information technology. It also allows governments to more easily share real-time intelligence on cyber threats, as well as cyber security tools and services for this purpose”
Police recover data from securities accounts possibly hijacked via home TV sets - Nikkei reports - “In an incident in which a securities company’s customer account was hijacked, interviews with investigators have revealed that television receivers used in ordinary households are suspected of being used to gain unauthorized access to the accounts. They may have been used as a “stepping stone” for cybercrime groups to gain access.”
Regarding some reports of unauthorized access via STB - J Com respond - “At this time, there has been no confirmed case of unauthorized access as reported, so you can use our services with peace of mind.”
Playing Offense Project -Aspen Digital embark - “The strategic mindset has now shifted. US government and industry leaders alike are changing course toward not only impeding the effectiveness of attacks but also ratcheting up the consequences to do them in the first place.”
Reporting on/from China
How China’s Secretive Spy Agency Became a Cyber Powerhouse - The New York Times reports - “The Chinese government also imposed rules requiring that any newly found software vulnerabilities be reported first to a database that analysts say is operated by the M.S.S., giving security officials early access. Other policies reward tech firms with payments if they meet monthly quotas of finding flaws in computer systems and submitting them to the state security-controlled database.”
China curbs use of Nokia and Ericsson in telecoms networks - Financial Times reports - “That process has required contracts by Sweden’s Ericsson and Finland’s Nokia to be submitted for “black box” national security reviews by the Cyberspace Administration of China where the companies are not told how their gear is assessed”
AI
Security Degradation in Iterative AI Code Generation - A Systematic Analysis of the Paradox - University of San Francisco, Vector Institute for Artificial Intelligence and University of Massachusetts Boston publish - “Our findings show a 37.6% increase in critical vulnerabilities after just five iterations, with distinct vulnerability patterns emerging across different prompting approaches. This evidence challenges the assumption that iterative LLM refinement improves code security and highlights the essential role of human expertise in the loop.”
Hacking with AI SASTs: An overview of ‘AI Security Engineers’ / ‘LLM Security Scanners’ for Penetration Testers and Security Teams - Joshua Rogers publishes - “The biggest value I’ve seen so far is not just in finding vulnerabilities, but in surfacing inconsistencies: mismatches between the developer intent and actual implementation, mismatches between business logic and reality, broken assumptions hidden deep in the code, and logic that simply doesn’t make sense when you look at it twice.”
Managing explanations: how regulators can address AI explainability - Bank for International Settlements publishes - “As financial institutions expand their use of AI models to their critical business areas, it is imperative that financial authorities seek to foster sound MRM practices that are relevant in the context of AI. Ultimately, there may be a need to recognise trade-offs between explainability and model performance, so long as risks are properly assessed and effectively managed.”
How are AI developers managing risks? - OECD publishes - “This report presents preliminary insights from submissions by 20 organisations across diverse sectors and countries, examining their approaches to risk identification and management, transparency, governance, content authentication, AI safety research, and the advancement of global interests.”
Truly Risk-based Regulation of Artificial Intelligence How to Implement the EU’s AI Act - European Journal of Risk Regulation publishes - “The foregoing analysis shows that key provisions of the AI Act do not reflect the characteristics of a true risk-based regulation; leading to legal uncertainty and potential over-regulation, as well as unjustified increases in compliance costs.”
The intersection of criminal and technological innovation in the use of automation and artificial intelligence in the cybercrime landscape of Southeast Asia - United Nations Office on Drugs and Crime publishes - a little hyperbolic - a futures look ..
The Illusion of Readiness: Stress Testing Large Frontier Models on Multimodal Medical Benchmarks - Microsoft publish - “We evaluate six flagship models across six widely used benchmarks and find that high leaderboard scores hide brittleness and shortcut learning. Through clinician-guided rubric evaluation, we show that benchmarks vary widely in what they truly measure yet are treated interchangeably, masking failure modes.”
Cyber proliferation
404 Accountability not found: Spyware accountability through software liability - Atlantic Council publish - “This report identifies four obstacles that frustrate accountability efforts: limited awareness among targeted individuals of their compromise, the intentional obscurity of spyware vendors that engage in name changes and jurisdictional arbitrage, difficulties establishing proper legal jurisdiction, and risks of exposing valuable threat intelligence during litigation proceedings.”
EU funds misused for spyware companies - Hannah Neumann MEP et al publish an open letter - “Our letter urging the EU Commission for transparency & following up on PEGA recommendations.”
Bounty Hunting
4 Rogue Base Stations Linked to KT Micropayments Fraud; 2 Chinese Nationals Arrested - CommsRisk reports - “One of the arrested men admitted he had been paid KRW5mn (USD3,600) to drive a base station around areas with many apartment blocks, gathering data from the phones of people within. Unlike SMS blaster crimes, his equipment was not configured to send smishing messages. His objective was to collect data that would be used to impersonate genuine phone users through a mechanism that has not yet been fully explained, although it involved the interception of two-factor authentication codes before they were received by victims.”
Market Incentives
Georgia Tech Research Corporation Agrees to Pay $875,000 to Resolve Civil Cyber-Fraud Litigation - US Department of Justice announces - “Georgia Tech Research Corporation (GTRC) has agreed to pay the United States $875,000 to resolve allegations that it violated the False Claims Act and federal common law by failing to meet cybersecurity requirements in connection with certain Air Force and Defense Advanced Research Projects Agency (DARPA) contracts.”
Salesforce faces class action after Salesloft breach - The Register reports - “A number of the filings mention joint defendants including Salesforce customers TransUnion, Allianz Life Insurance, Farmers Insurance, Workday, and Pandora Jewelry.”
No reflections this week..
Not getting this via email? Subscribe:
Think someone else would benefit? Share:
All attribution is by others and not the UK Government unless specifically stated as such, please see the legal text at the end.
Have a lovely Saturday…
Ollie
Cyber threat intelligence
Who is doing what to whom and how allegedly.
Reporting on Russia
Assessment of the hybrid threat to Denmark
Danish Defence Intelligence Service assesses the threat of destructive cyber attack against Denmark is > 0..
Russia highly likely sees itself as being in conflict with the West, in which the hybrid means employed are kept below the threshold of armed conflict. The DDIS assesses that Russia is currently conducting hybrid warfare against NATO and the West. It is highly likely that the hybrid threat from Russia against NATO will increase in the coming years.
..
The threat of destructive cyber attacks against Denmark is MEDIUM.
Reporting on China
Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR Malware Suite
Unit 42 details an alleged Chinese campaign which is noteworthy for various reasons such as their range of implants..
Phantom Taurus is a previously undocumented nation-state actor whose espionage operations align with People’s Republic of China (PRC) state interests. Over the past two and a half years, Unit 42 researchers have observed Phantom Taurus targeting government and telecommunications organizations across Africa, the Middle East, and Asia.
Infrastructure: Phantom Taurus uses a shared Chinese APT operational infrastructure that has been exclusively used by Chinese threat actors, including Iron Taurus (aka APT27), Starchy Taurus (aka Winnti) and Stately Taurus (aka Mustang Panda). However, the specific infrastructure components used by Phantom Taurus have not been observed in operations by other threat actors, indicating operational compartmentalization within this shared ecosystem.
Victimology: The group consistently targets high-value organizations that have access to sensitive non-public information. Over the past several years, we have observed Phantom Taurus targeting government and telecommunications sector organizations, particularly those that provide services and infrastructure. This group focuses its operations on the Middle East, Africa and Asia, reflecting intelligence collection priorities that align with Chinese strategic interests.
Capabilities: Phantom Taurus employs a set of TTPs that differentiate it from other threat actors. Several of these techniques have not been observed in operations by other groups, while others are sufficiently rare that only a handful of actors have been observed using similar methods. In addition to common tools such as China Chopper, the Potato suite and Impacket, the group uses customized tools, including the Specter malware family, Ntospy and the NET-STAR malware suite described later in this article.
https://unit42.paloaltonetworks.com/phantom-taurus/
UAT-8099: Chinese-speaking cybercrime group targets high-value IIS for SEO fraud
Joey Chen details a previously discussed alleged Chinese criminal campaign but sheds some light on further aspects.
Cisco Talos is disclosing details on UAT-8099, a Chinese-speaking cybercrime group mainly involved in search engine optimization (SEO) fraud and theft of high-value credentials, configuration files, and certificate data.
Cisco’s file census and DNS analysis show affected Internet Information Services (IIS) servers in India, Thailand, Vietnam, Canada, and Brazil, targeting organizations such as universities, tech firms and telecom providers.
UAT-8099 manipulates search rankings by focusing on reputable, high-value IIS servers in targeted regions.
The group maintains persistence and alters SEO rankings using web shells, open-source hacking tools, Cobalt Strike, and various BadIIS malware; their automation scripts are customized to evade defenses and hide activity.
https://blog.talosintelligence.com/uat-8099-chinese-speaking-cybercrime-group-seo-fraud/
Reporting on North Korea
North Korea’s IT Workers expand beyond US big tech
Simon Conant and Alex Tilley give a sense of the scale of this alleged North Korean campaign. This should be a wakeup call to organisations..
Using a combination of internal and external data sources, Okta Threat Intelligence tracked over 130 identities operated by facilitators and workers participating in the DPRK ITW scheme. We linked these actors to over 6,500 initial job interviews across more than 5,000 distinct companies up until mid-2025.
https://www.okta.com/newsroom/articles/north-korea-s-it-workers-expand-beyond-us-big-tech/
Reporting on Iran
Charming Kitten
Kitten Busters dox alleged Iranian cyber actors..
Heading this operation is Abbas Rahrovi (aka Abbas Hosseini, National Number: 4270844116), an IRGC official who has established several front companies in recent years through which he manages the APT. Over the years, he directed attacks against dozens of targets including:
Telecommunications companies
Aviation companies
Intelligence organizations
and more...
The primary focus of this APT is on countries in the Middle East and Gulf region, including Turkey, UAE, Qatar, Afghanistan, Israel, Jordan and others.
https://github.com/KittenBusters/CharmingKitten
APT35 plays the same music again
Stormshield Customer Security Lab highlights some operational security faux par which allowed them to track the infrastructure of this alleged Iranian threat actor. Will be curious to see if they respond and tighten up.
[We] came across two servers during our active threat hunting. They share a lot of similarities with servers reported by Check Point on APT35. The servers are active and resolve multiple domains used for phishing purpose.
..
The campaign reported by Check Point is still ongoing. APT35 did not change the way they set up their phishing domains since their last reported activity. It makes the task easier for defender to track their activities. The submitted URLs suggest that this campaign is still targeting Israel.
https://www.stormshield.com/news/apt35-plays-same-music-again/
Port in a Storm: Iranian Cyber Operations and Chinese Strategic Interests in Middle Eastern Maritime Infrastructure
Cosimo Melella, Francesco Ferazza, Konstantinos Mersinas and Ricardo Lugo bring some academic rigour to their analysis of alleged historic Iranian operations. Of note if the SCADA system exploitation..
This paper examines the strategic implications of Iranian cyber attacks targeting port facilities in the Middle East, focusing on their intersection with China’s Belt and Road Initiative (BRI). Analysing six case studies involving Iranian Advanced Persistent Threat (APT) groups between 2022 and 2024, we investigate how these cyber operations reflect broader geopolitical tensions and reveal potential friction between Iranian and Chinese regional objectives. The research demonstrates that Iranian cyber campaigns combine sophisticated technical approaches—including custom malware deployment, spear-phishing, and SCADA system exploitation—with influence operations to achieve immediate disruption and longer-term strategic goals.
Reporting on Other Actors
Smash and Grab: Aggressive Akira Campaign Targets SonicWall VPNs, Deploys Ransomware in an Hour or Less
Arctic Wolf Labs detail alleged criminal activity which shows a degree of sophistication due to the two step tango in order to bypass one time passwords by stealing the seeds from backups.
Threat actors in the present campaign successfully authenticated against accounts with the one-time password (OTP) MFA feature enabled.
It is worth noting that SonicWall recently disclosed an incident involving the MySonicWall cloud backup service.
In late July 2025, Arctic Wolf® detected a surge of malicious activity targeting environments running SonicWall firewalls—a campaign that remains active at the time of publication.
Threat actors obtained initial access through malicious SSL VPN logins with successful OTP Multi-Factor Authentication (MFA) challenge, and deployed Akira ransomware.
Early in the kill chain, anomalous SMB activity was observed, pointing to the use of Impacket for discovery and lateral movement.
Victims span across multiple sectors, showing signs of opportunistic mass exploitation.
New spyware campaigns target privacy-conscious Android users in the UAE
Lukas Stefanko details a campaign which is noteworthy due to specific regional targeting and clear intent against Android - albeit with very unsophisticated, yet successful tradecraft.
We have uncovered two previously undocumented Android spyware families: Android/Spy.ProSpy and Android/Spy.ToSpy.
ProSpy impersonates both Signal and ToTok, while ToSpy targets ToTok users exclusively.
Both malware families aim to exfiltrate user data, including documents, media, files, contacts, and chat backups.
Confirmed detections in the UAE and the use of phishing and fake app stores suggest regionally focused operations with strategic delivery mechanisms.
Silent Smishing : The Hidden Abuse of Cellular Router APIs
Jeremy Scion and Marc N show the value of honeypots once more. But also interesting that an actor using cellular routers for their SMS based smishing campaigns..
Further examination of the sent messages confirms a deliberate focus on Belgian recipients. However, instances targeting France were also observed. Analyzing the phishing URLs enabled us to identify and track the attacker’s infrastructure, which appears to primarily target Belgian users.
The attack appears to specifically target Milesight Industrial Cellular Routers. Logs collected from internal honeypots indicate the presence of POST requests directed at the /cgi endpoint.
https://blog.sekoia.io/silent-smishing-the-hidden-abuse-of-cellular-router-apis/
New LockBit 5.0 Targets Windows, Linux, ESXi
Sarah Pearl Camiling and Jacob Santos detail the continued evolution of this criminal capability and a reminder to protect and prepare for loss of those hypervisors..
The LockBit 5.0 Windows variant uses heavy obfuscation and packing by loading its payload through DLL reflection while implementing anti-analysis technique. The Linux variant has similar functionality with command-line options for targeting specific directories and file types. The ESXi variant specifically targets VMware virtualization infrastructure, designed to encrypt virtual machines.
The new variants use randomized 16-character file extensions, has Russian language system avoidance, and event log clearing post-encryption.
LockBit 5.0 also has a dedicated ESXi that targets VMware’s ESXi virtualization infrastructure.
The existence of Windows, Linux, and ESXi variants confirms LockBit’s continued cross-platform strategy, enabling simultaneous attacks across entire enterprise networks including virtualized environments. Heavy obfuscation and technical improvements across all variants make LockBit 5.0 significantly more dangerous than its predecessors.
https://www.trendmicro.com/en_us/research/25/i/lockbit-5-targets-windows-linux-esxi.html
Detour Dog: DNS Malware Powers Strela Stealer Campaigns
Infoblox details a technique which teams will want to ensure coverage of due to the relative ease of detection. Also highlights the value of storing all historic DNS queries and responses - DoH and DoT not withstanding.
The actor added a new capability to command infected websites to execute code from remote servers. Responses to TXT record queries are Base64-encoded and explicitly include the word “down” to trigger this new action. We believe this has created a novel networked malware distribution model using DNS in which the different stages are fetched from different hosts under the threat actor’s control and are relayed back when the user interacts with the campaign lure, for example, the email attachment.
Malicious Teams Installers Drop Oyster Malware
Blackpoint detail a campaign targeting Teams through fraudulent ads (once again). It will be interesting to see how the eco-system tightens up due to the ongoing issues here.
Victims searching for Teams online are redirected to rogue ads and fraudulent download pages, where they are offered a malicious MSTeamsSetup.exe instead of the legitimate client.
Threat actors are leveraging SEO poisoning and malicious advertisements to trick users into downloading backdoored versions of Microsoft Teams from spoofed websites.
These fake installers mimic the legitimate Teams client but silently deploy a persistent backdoor in the background without user awareness.
The backdoor, known as Oyster (or Broomstick), enables remote access, gathers system information, and supports delivery of additional payloads while evading detection through stealthy execution.
This activity mirrors tactics seen in earlier fake PuTTY campaigns, demonstrating a continued trend of adversaries abusing trusted software to establish initial access.
Organizations should download collaboration and administrative tools only from verified sources, ideally using saved bookmarks, rather than relying on search engine results.
Blackpoint has observed this killchain bypass some traditional AV/EDR Vendors
https://blackpointcyber.com/blog/malicious-teams-installers-drop-oyster-malware/
Discovery
How we find and understand the latent compromises within our environments.
Using EMBER2024 to evaluate red team implants
Brandon shows the fragility in static detection classifiers… again…
For the third time, I have spoken about EMBER and used it to figure out which components of a PE to care about when prepping a payload. By looking at the features extracted, I focused on two of them and got the prediction from
0.9down to0.3in this blog, but internally at TrustedSec, this has been coming out at around0.01793385907050369.
https://mez0.cc/posts/evaluating-implants-with-ember/
Forensic Timeliner
Andrew Rathbun et al publish a tool which will help defenders pull the sequence of events together..
A high-speed forensic processing engine built for DFIR investigators. Quickly consolidate CSV output from top-tier triage tools into a unified mini timeline with built-in filtering, artifact detection, date filtering, keyword tagging, and deduplication.
Quickly consolidate CSV output from processed triage evidence for Eric Zimmerman (EZ Tools) Kape, Axiom, Hayabusa, Chainsaw and Nirsoft into a unified timeline.
https://github.com/acquiredsecurity/forensic-timeliner
Automation of VHDX Investigations
Yann Malherbe details how to scale investigations of virtual machines with Velociraptor by putting the engineer in detection engineering.
a method for automating forensic analysis of VHDX-based user profiles using Velociraptor, our preferred DFIR tool. The goal is to scale investigations efficiently and reliably without compromising forensic integrity.
https://labs.infoguard.ch/posts/automation_of_vhdx_investigations/
CTI Dataset Construction from Telegram
Dincy R. Arikkat, Sneha B. T., Serena Nicolazzo, Antonino Nocera, Vinod P., Rafidha Rehiman K. A. and Karthika R detail how they scaled through automation the collection of open source threat intelligence from Telegram for analysis.
The pipeline identifies relevant Telegram channels and scrapes 145,349 messages from 12 curated channels out of 150 identified sources. To accurately filter threat intelligence messages from generic content, we employ a BERT-based classifier, achieving an accuracy of 96.64%. From the filtered messages, we compile a dataset of 86,509 malicious Indicators of Compromise, including domains, IPs, URLs, hashes, and CVEs. This approach not only produces a large-scale, high-fidelity CTI dataset but also establishes a foundation for future research and operational applications in cyber threat detection.
https://arxiv.org/abs/2509.20943
Gh0stKCP Protocol
Erik Hjelmvik details the protocol structure which will be of use to detection engineers.
Gh0stKCP is a transport protocol based on KCP, which runs on top of UDP. Gh0stKCP has been used to carry command-and-control (C2) traffic by malware families such as PseudoManuscrypt and ValleyRAT/Winos4.0.
https://www.netresec.com/?page=Blog&month=2025-09&post=Gh0stKCP-Protocol
Defence
How we proactively defend our environments.
UNC6040 Proactive Hardening Recommendations
Omar ElAhdan, Matthew McWhirt, Michael Rudden, Aswad Robinson, Bhavesh Dhake and Laith Al provide some practical advice on how to shore up defences this socially engineering threat.
Prioritized recommendations to protect against tactics utilized by UNC6040. This section is broken down to the following categories:
Identity
Help Desk and End User Verification
Identity Validation and Protections
SaaS Applications
SaaS Application (e.g., Salesforce) Hardening Measures
Logging and Detections
https://cloud.google.com/blog/topics/threat-intelligence/unc6040-proactive-hardening-recommendations
Passkey : Community Draft of TR -03188 Passkey Server published for comment
The Federal Office for Information Security ( BSI ) publish for comments. There is a growing consensus from Governments that passkeys are the future for authenticating - NCSC UK is also pushing hard here - including giving a talk at the FIDO Alliance’s authenticate.
Passkeys are a secure alternative to passwords and offer protection against phishing attacks. Passkeys are now supported on most IT devices. However, to use this method, websites or online services require a passkey server . The Federal Office for Information Security ( BSI ) has now published a technical guideline for comment that formulates security recommendations for configuring passkey servers . TR -03188 “ Passkey Server “ is available as a draft in version 0.9.
Assessing Enhanced Security Requirements for Controlled Unclassified Information
NIST publishes comments..
As part of ongoing efforts to strengthen the protections for securing controlled unclassified information (CUI) in nonfederal systems, NIST has released the following drafts for comment:
SP 800-172r3 (Revision 3) fpd (final public draft), Enhanced Security Requirements for Protecting Controlled Unclassified Information, provides new enhanced security requirements that support cyber resiliency objectives, focus on protecting CUI, and are consistent with the source controls in SP 800-53r5.
SP 800-172Ar3 ipd (initial public draft), Assessing Enhanced Security Requirements for Controlled Unclassified Information, provides a set of assessment procedures for the enhanced security requirements. These procedures are based on the source assessment procedures in SP 800-53Ar5.
https://csrc.nist.gov/pubs/sp/800/172/a/r3/ipd
MC1130385 - Retirement of inline SVG images in Microsoft Outlook
Microsoft respond to the phishing misuse..
We’re retiring support for inline SVG images in Outlook for Web and the new Outlook for Windows starting early September 2025. This change enhances security and aligns with current email client behavior, which already restricts inline SVG rendering.
https://mc.merill.net/message/MC1130385
AIDR Bastion
0xAIDR releases a GenAI firewall which includes a variety of rules engines to detect and protect..
A comprehensive GenAI protection system designed to safeguard against malicious prompts, injection attacks, and harmful content. The system incorporates multiple detection engines that operate sequentially to analyze and classify user inputs before reaching GenAI applications.
https://github.com/0xAIDR/AIDR-Bastion
Incident Writeups & Disclosures
How they got in and what they did.
Incident related to Red Hat Consulting GitLab instance
Redhat confirm the threat actors claims..
We recently detected unauthorized access to a GitLab instance used for internal Red Hat Consulting collaboration in select engagements. Upon detection, we promptly launched a thorough investigation, removed the unauthorized party’s access, isolated the instance, and contacted the appropriate authorities. Our investigation, which is ongoing, found that an unauthorized third party had accessed and copied some data from this instance.
https://www.redhat.com/en/blog/security-update-incident-related-red-hat-consulting-gitlab-instance
From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion
The DFIR Report do another wonderful job of providing insight into real world intrusions and how they unfold.
The intrusion began with a Lunar Spider linked JavaScript file disguised as a tax form that downloaded and executed Brute Ratel via a MSI installer.
Multiple types of malware were deployed across the intrusion, including Latrodectus, Brute Ratel C4, Cobalt Strike, BackConnect, and a custom .NET backdoor.
Credentials were harvested from several sources like LSASS, backup software, and browsers, and also a Windows Answer file used for automated provisioning.
Twenty days into the intrusion data was exfiltrated using Rclone and FTP.
Threat actor activity persisted for nearly two months with intermittent command and control (C2) connections, discovery, lateral movement, and data exfiltration.
Vulnerability
Our attack surface.
Analyzing WinpMem Driver Vulnerabilities
Baptiste David details a vulnerable drivers which risks being used maliciously..
Today we are releasing a new white paper that delivers a technical analysis of security weaknesses discovered in WinpMem, an open-source Windows memory acquisition driver widely used in digital forensics.
https://insinuator.net/2025/10/white-paper-73-analyzing-winpmem-driver-vulnerabilities/
Offense
Attack capability, techniques and trade-craft.
Become an invisible admin in Active Directory
Martin Handl details how to create an invisible admin which detection teams will want to ensure they have coverage of.
https://iqunit.com/become-an-invisible-admin/
FlipSwitch: a Novel Syscall Hooking Technique
Remco Sprooten and Ruben Groenewoud detail a technique on Linux which should be relatively easy to detect but also highlights the importance kernel integrity.
FlipSwitch, a technique that bypasses the new switch statement implementation by directly patching the compiled machine code of the kernel’s syscall dispatcher.
https://www.elastic.co/security-labs/flipswitch-linux-rootkit
Patching Firmware Secure Boot on DELL G115 Through Off-chip Extraction
Matt shows why hardware attestation state is important.
The goal of this project is to get a computer that’s locked down with its BIOS Secure Boot Mode enabled and disable it through firmware modification using an on-chip firmware extraction.
..
This proves that a Firmware Modification through an off-chip extraction was able to successfully disable the BIOS Secure Boot on this device.
https://blog.redcrowlab.com/patching-firmware-secure-boot-on-dell-g115-through-off-chip-extraction/
SetupHijack
Hacker House releases a tool to facilitate the exploitation of race conditions on Windows. It will be interesting to see if this leads to more in the wild exploitation..
SetupHijack is a security research tool that exploits race conditions and insecure file handling in Windows installer and update processes. It targets scenarios where privileged installers or updaters drop files in
%TEMP%or other world-writable locations, allowing an attacker to replace these files before they are executed with elevated privileges.
https://github.com/hackerhouse-opensource/SetupHijack
OmniProx
Andy releases a tool which facilitates the masking of exits by adversaries / researchers.
OmniProx is a multi-cloud HTTP proxy manager that provides IP rotation and header manipulation capabilities across different cloud providers. It offers a unified interface for managing proxies on various cloud platforms.
https://github.com/ZephrFish/OmniProx
Wyrm
flux releases a new implant framework around which to build detections..
Wyrm currently supports only HTTP(S) agents using a custom encryption scheme for encrypting traffic below TLS, with a unique packet design so that the packets cannot be realistically decrypted even under firewall level TLS inspection.
https://github.com/0xflux/wyrm
WerDump
ybenel releases a beacon object to bravely dump LSASS using Windows Error Reporting. Something around which to build detection for.
A Beacon Object File BOF for Havoc/CS to dump Process Protected Lsass using WerFaultSecure.
https://github.com/M1ndo/WerDump
Impostor Syndrome - Hacking Apple MDMs Using Rogue Device Enrolments
Marcel Molnar details an attack surface which organisations will want to be aware of (and likely needs addressing)..
Serial Numbers can be brute forced
One API request for “enrolment” with the serial number
Returns the company information - which can include the support helpdesk number
Exploitation
What is being exploited..
Apply July 2025 Critical Patch Update for Oracle E-Business Suite (EBS)
Rob Duhart reminds and alerts to the importance of patching..
Oracle is aware that some Oracle E-Business Suite (EBS) customers have received extortion emails. Our ongoing investigation has found the potential use of previously identified vulnerabilities that are addressed in the July 2025 Critical Patch Update.
https://blogs.oracle.com/security/post/apply-july-2025-cpu
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
Pointer leaks through pointer-keyed data structures
Jann Horn details a technique which will need countermeasures developing for..
Coming from the angle of “where would be a good first place to look for a remote ASLR leak”, this led to the discovery of a trick that could potentially be used to leak a pointer remotely, without any memory safety violations or timing attacks, in scenarios where an attack surface can be reached that deserializes attacker-provided data, re-serializes the resulting objects, and sends the re-serialized data back to the attacker.
https://googleprojectzero.blogspot.com/2025/09/pointer-leaks-through-pointer-keyed.html
Indirect Memory Writing
Jean-Pierre LESUEUR details a technique which is interesting due to the fact it will likely subvert various EDR approaches. However copy-on-write should still detect.
Indirect memory writing leverages benign Windows APIs that accept pointer parameters used by the OS to return status or counts (for example, the number of bytes written). Because the caller supplies the pointer, an attacker who controls that pointer can cause the OS to write values into attacker-controlled memory when the API completes its operation. In effect, the API becomes a mechanism to transfer one or more bytes into a target buffer without performing an explicit memory copy from the attacker process into that buffer.
https://unprotect.it/technique/indirect-memory-writing/
Attacking Assumptions Behind the Image Load Callbacks
Denis Nagayuk details the fragility in some of the underlying security infrastructure we relay on in Windows..
https://diversenok.github.io/slides/RomHack-2025-Image-Load-Callbacks.pdf
Pipe Intercept
Gabriel Sztejnworcel shows that turning anything to an HTTP stream can unlock the use of existing tooling for unintended purposes but for effect..
The tool creates a pipe client/server proxy with a WebSocket client/server bridge. The WebSocket client connects to the WebSocket server through an HTTP proxy such as Burp.
https://github.com/gabriel-sztejnworcel/pipe-intercept
Timing Attacks
Nick Galloway shows the value of timing attacks in 2025..
The timing attacks I’m discussing here are specifically the ones where a vulnerable server is comparing strings a byte at a time, where one is passed in by the user and the other is a secret that is supposed to unlock access. These timing attacks work by noting that when comparing two strings against each other, the comparison loop will exit early.
https://nickg.ca/#/posts/timing-attacks
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Annual, quarterly and monthly reports
Industry-compatible silicon spin-qubit unit cells exceeding 99% fidelity
Price algorithm cartels as a challenge to the EU’s prohibition of anticompetitive agreements
Artificial intelligence
Books
Age of Deception - “At the heart of cybersecurity lies a paradox: Cooperation makes conflict possible. In Age of Deception, Jon R. Lindsay shows that widespread trust in cyberspace enables espionage and subversion. While such acts of secret statecraft have long been part of global politics, digital systems have dramatically expanded their scope and scale. Yet success in secret statecraft hinges less on sophisticated technology than on political context.”
Events
Nothing overly of note this week
Just to close out, this is Unitree’s response to the vulnerabilities in their robotic dogs which I’ve covered extensively in these weekly notes..
Finally finally the NCSC’s podcast series.
Unless stated otherwise, linked or referenced content does not necessarily represent the views of the NCSC and reference to third parties or content on their websites should not be taken as endorsement of any kind by the NCSC. The NCSC has no control over the content of third party websites and consequently accepts no responsibility for your use of them.
This newsletter is subject to the NCSC website terms and conditions which can be found at https://www.ncsc.gov.uk/section/about-this-website/terms-and-conditions and you can find out more about how will treat your personal information in our privacy notice at https://www.ncsc.gov.uk/section/about-this-website/privacy-statement.