CTO at NCSC Summary: week ending October 20th
EU Product Liability Directive extends no-fault liability to software, AI, and interconnected devices to ensure they are safe and secure.
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week nothing overly of note other than edge devices being exploited.. again...
In the high-level this week:
NCSC warns of widening gap between cyber threats and defence capabilities - NCSC UK notes - “The threat landscape is growing more complex, with significant incidents on the rise. To close this gap, we need coordinated global efforts to strengthen cyber resilience, ensure security is built into technology from the outset, and prepare both the public and private sectors to not only defend but also recover swiftly from destructive cyber attacks.”
All UK schools offered free cyber service to protect against online threats - NCSC UK announces - “Following a successful initial rollout of the PDNS (Protective Domain Name System) for Schools, the service has now been extended to more educational settings across the UK, with multi-academy trusts, academies, independent schools and school internet service providers encouraged to sign up.”
Guidance on effective communications in a cyber incident - NCSC UK guides - “This guidance supports organisations of all sizes to manage their communications strategy before, during and after a cyber security incident.”
NIS2: Commission implementing regulation - European Commission has implemented - “After entering into force in January 2023, Member States have to implement the NIS2 Directive into national law by 17 October 2024.”
Most EU Nations to Miss Upcoming NIS2 Deadline - Gov Info Security reports - “Six countries - Belgium, Croatia, Greece, Hungary, Latvia and Lithuania - have integrated the NIS2 into national statute.”
Cyber envoy Andrew Charlton wants to end Australia's 'digital chill' - Capital Brief briefs - “Charlton argues Australia should help forge a global cybersecurity agreement, similar to how the G20 was created in response to the Global Financial Crisis.”
Ukraine and Estonia join forces to strengthen cyber defense - Ukrainian Government announces - “The sides have agreed to cooperate on:
Information exchange on cyber incidents and analysis of cyber threats;
Mutual advisory assistance on cybersecurity issues;
Joint development and implementation of best practices of cyber defense;
Organization of joint exercises, conferences and other events.”
FTC Takes Action Against Marriott and Starwood Over Multiple Data Breaches - Federal Trade Commission announces - “The Federal Trade Commission will require Marriott International, Inc. and its subsidiary Starwood Hotels & Resorts Worldwide LLC to implement a robust information security program to settle charges that the companies’ failure to implement reasonable data security led to three large data breaches from 2014 to 2020 impacting more than 344 million customers worldwide.”
The secret school of the Ministry of Information to train hackers of the Islamic Republic - Iran International reports - “Ravin Academy is the cyber university of the Ministry of Information or the foot soldier of Ali Khamenei's offensive policy in the cyber space, which lures talented young people with the guise of a cyber security expert.”
North Korea's suspected hacking attack... 700,000 nuclear power plant data leaked - SBS News reports - “It has been confirmed that a partner company of Korea Hydro & Nuclear Power has been hacked, presumed to be by North Korea. Over 700,000 pieces of data were leaked, and of these, approximately 100,000 were confirmed to be related to KHNP’s nuclear power plants.”
South Korean defense companies lacking cyber security workforce - The Korean Herald reports - “Even South Korea’s largest defense companies do not have adequate cyber security workforce in place, and their contractors exempt from government monitoring, leaving loopholes for cyber threats, Rep. Lim Jong-deuk said Monday, citing Defense Acquisition Program Administration data.”
Billion-dollar cyberfraud industry expands in Southeast Asia as criminals adopt new technologies - United Nations highlights - “A new report launched today has found that Asian crime syndicates have integrated new service-based business models and technologies including malware, generative artificial intelligence (AI), and deepfakes into their operations while establishing new underground markets and cryptocurrency solutions for their money laundering needs.”
Pentagon releases final CMMC rule, paving way for implementation - Federal News Network reports - “The Defense Department released the final rule for the long-awaited Cybersecurity Maturity Model Certification program today, further paving the way for CMMC requirements to show up in contracts starting next year.”
SSSCIP conducts new cybersecurity training for industrial control systems - State Cyber Protection Center (SCPC) of Ukraine announces - “Participants learned about the basics of cybersecurity of ICS, regulatory documents and standards in the area, methods of asset identification and risk management, cyber defense measures, methods of detecting and responding to cyber incidents etc.”
RUSI’s Cyberspace Conference Explores Global Cyber Security Challenges - RUSI summarises - “Discussions at the conference focused on three dimensions of cyber responsibility – international, domestic, and operational.”
How Russian Surveillance Tech is Reshaping Latin America - Digital Commons at FIU reports - “Over the past decade, Russian-based companies have provided sophisticated surveillance technology to several Latin American countries. These technologies are critical to the survival of the repressive regimes in Venezuela, Nicaragua, and Cuba, and possibly criminal nonstate actors that weaken democracy and threaten U.S. national security.”
CISA and FBI Release Product Security Bad Practices for Public Comment - Catalog enumerates exceptionally risky practices and provides recommendations for software manufacturers to build software that is secure by design - CISA and FBI agitate for good on - “This joint guidance lists the bad practices in three categories:
Product properties, which describe observable, security-related qualities of a software product.
Security features, which describe the security functionalities that a product supports.
Organizational processes and policies, which describe the actions taken by a software manufacturer to ensure strong transparency in its approach to security.”
Worldwide Ransomware Attacks as of June 2024 Consistent With Previous Year - Office of the Director of National Intelligence counts - “Ransomware attacks from January through June 2024 totaled 2,321, a slight increase from the number recorded during the first six months of 2023 and about half the total number tracked for the entire year, based on CTIIC data.”
Passkeys
FIDO Alliance Publishes New Specifications to Promote User Choice and Enhanced UX for Passkeys - FIDO Alliance announces - “The FIDO Alliance has published a working draft of a new set of specifications for secure credential exchange that, when standardized and implemented by credential providers, will enable users to securely move passkeys and all other credentials across providers.”
Amazon is making it easier and safer for you to access your account with passwordless sign-in - Amazon announces - “Today, we’re excited to share that more than 175 million customers have enabled passkeys on their Amazon accounts, allowing them to sign in six-times faster than they could otherwise. Adoption keeps growing every day, as more customers experience the convenience of passwordless sign-in.”
Semiconductors
New Huawei Kirin chip to stick with 1+3+4 CPU architecture but with more powerful cores - GSM Arena reports - “The SoC will be an in-house project, and it will be manufactured on a 7nm Pro Plus technology.”
US Weighs Capping Exports of AI Chips From Nvidia and AMD to Some Countries - Bloomberg reports - “Officials are focused on Persian Gulf countries that have a growing appetite for AI data centers and the deep pockets to fund them, the people said.”
China think tank suggests Nvidia chips for data centres to avoid transfer costs - South China Morning Post reports - “The Beijing-based think tank warned that transferring AI models trained on Nvidia GPUs to domestic solutions involved ‘complex engineering’”
Reporting on/from China
U.S. Officials Race to Understand Severity of China’s Salt Typhoon Hacks - The Wall Street Journal reports - “Federal authorities and cybersecurity investigators are probing the breaches of Verizon Communications, AT&T and Lumen Technologies. A stealthy hacking group known as Salt Typhoon tied to Chinese intelligence is believed to be responsible.”
Scale of Chinese Spying Overwhelms Western Governments - The Wall Street Journal reports - “Beijing is conducting espionage activities on what Western governments say is an unprecedented scale, mobilizing security agencies, private companies and Chinese civilians in its quest to undermine rival states and bolster the country’s economy.”
UK Fears Chinese Hackers Compromised Critical Infrastructure - Bloomberg reports - “Chinese state actors have made widespread — and likely successful — efforts to access British critical infrastructure networks, according to UK officials, underscoring fears of vulnerabilities to increasingly sophisticated cyberattacks by foreign powers. Senior ministers in the Labour government have been informed since taking power in July that hackers linked to Beijing have probably compromised supply chains and computer systems key to a range of vital services, people with direct knowledge of the matter told Bloomberg.”
Cooperation Between China, Iran, North Korea, and Russia: Current and Potential Future Threats to America - Carnegie Endowment think tanks - “In 2023, Russia sold Iran eavesdropping devices, advanced photography devices, and lie detectors. They have also collaborated on cyber issues through a 2021 agreement that is primarily focused on sharing intelligence about U.S. cyber operations and bolstering defensive capabilities”
Chinese cyber association calls for review of Intel products sold in China - Reuters reports - “Intel products sold in China should be subject to a security review, the Cybersecurity Association of China (CSAC) said on Wednesday, alleging the U.S. chipmaker has "constantly harmed" the country's national security and interests.”
Capture the (red) flag: An inside look into China’s hacking contest ecosystem - Atlantic Council analyses - “Over the past three years, China has hosted between forty-five and fifty-six competitions each year. In total, we identified 129 unique competitions since 2004, fifty-four of which have recurred at least once annually. Annual competition attendance can range from many hundreds to tens of thousands.”
Artificial intelligence
Unleashing offensive artificial intelligence: Automated attack technique code generation - University of Florida and West Point research - “
The work explores offensive AI, especially LLMs, to auto-generate MITRE ATT&CK attack code.
ChatGPT can generate attack code with 16% success, rising to 50% with cybersecurity skills.
AI can automate attacks, improving security testing and enhancing overall defenses.”
Understanding the First Wave of AI Safety Institutes: Characteristics, Functions, and Challenges - Institute for AI Policy and Strategy analysis - “Future developments may rapidly change this landscape, and particularities of individual AISIs may not be captured by our broad-strokes description. This policy brief aims to outline the core elements of first-wave AISIs as a way of encouraging and improving conversations on this novel institutional model, acknowledging this is just a simplified snapshot rather than a timeless prescription.”
Cyber proliferation
NSO's cash-for-cyber deal pushed by Israeli official sparks criminal probe in Colombia - Haaretz reports - “Israel's Defense Ministry actively supported NSO's sale of spyware in exchange for millions in cash, flown to Israel by private jet, but Colombian authorities deny purchasing it. Colombia has severed diplomatic relations with Israel, which may complicate their ability to obtain legal assistance from Israel”
Bounty Hunting
Newbury: Man, 21, arrested in cyber crimes investigation - BBC reports - “A 21-year-old man has been arrested in connection with an investigation into cyber crimes.”
Two Sudanese Nationals Indicted for Alleged Role in Anonymous Sudan Cyberattacks on Hospitals, Government Facilities, and Other Critical Infrastructure in Los Angeles and Around the World - Department of Justice announces - “Ahmed Salah Yousif Omer, 22, and Alaa Salah Yusuuf Omer, 27, were both charged with one count of conspiracy to damage protected computers. Ahmed Salah was also charged with three counts of damaging protected computers.”
Bahrain loses bid to block dissidents' spyware lawsuit in UK - Reuters reports - "a foreign state which hacks a computer located in the United Kingdom interferes with the territorial sovereignty of the United Kingdom even if some of the acts in question take place abroad".
The Directive on the legal protection of computer programs does not allow the holder of that protection to prohibit the marketing by a third party of software which merely changes variables transferred temporarily to a game console’s RAM - Court of Justice of the European Union judges - game cheating through RAM variable modification is not illegal. Note the cheat does not alter code, unlike some memory corruption techniques - this implies there might be a legal avenue to litigate against those who produce exploits which do alter code, as that might infringe the vendor’s exclusive right to authorise such alterations (Sony’s argument).
Cyberinsurance Coverage for Ransomware Payments vs US Sanctions Regulations - Swiss Contract Law analyses a judgement - “An insurance company did not have the right to refuse to pay its insured client, a victim of a cyberattack who had made a ransomware payment, even if it claimed that its obligation to reimburse the ransomware payment would expose it to US sanctions.”
Reflections this week are about priorities and long term impact…
First, data shows that organisations implementing the Cyber Essentials controls are 92% less likely to make an insurance claim. If we double down and all organisations mandate their supply chain have Cyber Essentials (and they were adopted globally) then the situation would be measurably better..
Second, is the Directive Of The European Parliament And Of The Council On Liability For Defective Products And Repealing Council Directive 85/374/EEC from September 25th which is a potential watershed moment in changing behaviours of suppliers..
In recognition of manufacturers’ responsibilities under Union law for the safety of products throughout their lifecycle, such as under Regulation (EU) 2017/745 of the European Parliament and of the Council, manufacturers should also not be exempted from liability for damage caused by their defective products when the defectiveness results from their failure to supply the software security updates or upgrades that are necessary to address those products’ vulnerabilities in response to evolving cybersecurity risks. Such liability should not apply where the supply or installation of such software is beyond the manufacturer’s control, for example where the owner of the product does not install an update or upgrade supplied for the purpose of ensuring or maintaining the level of safety of the product. This Directive does not impose any obligation to provide updates or upgrades for a product.
This was adopted on October 10th.
Digital economy: The new law extends the definition of “product” to digital manufacturing files and software. Also online platforms can be held liable for a defective product sold on their platform just like any other economic operators if they act like one.
The analysis by Freshfields gives a hint as to the implications here..
The PLD marks a transformative shift in the legal landscape surrounding digital products. By extending no-fault liability to software, AI, and interconnected devices, expanding the definition of defectiveness, and ensuring protection for personal data, the directive reflects the increasing role of digital products in every-day life. As the introduction of the disclosure obligation and new burden of proof rules will make it easier for consumers to assert their claims, companies involved in developing digital products must now take even greater care to ensure their products are safe, secure, and compliant with evolving legal standards.
The impact is going to be fascinating to see..
All attribution is by others and not the UK Government unless specifically stated as such, please see the legal text at the end.
Have a lovely Saturday..
Ollie
Cyber threat intelligence
Who is doing what to whom and how allegedly.
Reporting on Russia
UAT-5647 targets Ukrainian and Polish entities with RomCom malware variants
Dmytro Korzhevin, Asheer Malhotra, Vanja Svajcer and Vitor Ventura allege that this Russian threat actor has evolved their tradecraft to include some investigation evasion techniques.
Cisco Talos has observed a new wave of attacks active since at least late 2023, from a Russian speaking group we track as “UAT-5647”, against Ukrainian government entities and unknown Polish entities.
UAT-5647 is also known as RomCom and is widely attributed to Russian speaking threat actors in open-source reporting.
The latest series of attacks deploys an updated version of the RomCom malware we track as “SingleCamper”. This version is loaded directly from registry into memory and uses loopback address to communicate with its loader.
UAT-5647 has also evolved their tooling to include four distinct malware families: two downloaders we track as RustClaw and MeltingClaw; a RUST-based backdoor we call DustyHammock; and a C++ based backdoor we call ShadyHammock.
During its lateral movement, the threat actor attempted to compromise edge devices by tunneling internal interfaces to external, remote hosts controlled by UAT-5647. If successful, it would have higher chances of evading detection during the incident response process.
https://blog.talosintelligence.com/uat-5647-romcom/
Reporting on China
IcePeony with the '996' work culture
Nao Sec alleged that this Chinese APT is now using web vulnerabilities to pop front-end web applications. There is a lesson here for us all around a vulnerability class we teach children to find..
IcePeony is a China-nexus APT group that has been active since at least 2023. They have targeted government agencies, academic institutions, and political organizations in countries such as India, Mauritius, and Vietnam.
Their attacks typically start with SQL Injection, followed by compromise via webshells and backdoors. Interestingly, they use a custom IIS malware called “IceCache”.
Through extensive analysis, we strongly believe that IcePeony is a China-nexus APT group, operating under harsh work conditions.
https://nao-sec.org/2024/10/IcePeony-with-the-996-work-culture.html
Reporting on North Korea
FASTCash for Linux
HaxRob details how this alleged North Korean threat actor has a capability which should give the finance industry pause for thought. Notable because of the level of system understanding and access required to leverage it..
Analysis of a newly discovered Linux based variant of the DPRK attributed FASTCash malware along with background information on payment switches used in financial networks
https://doubleagent.net/fastcash-for-linux/
NK hacking group TA-RedAnt exploiting a specific 'Toast' ad execution program
The AhnLab ASEC (AhnLab Security Intelligence Center) analysis team and the National Cyber Security Center (NCSC) Joint Analysis Council alleged that this North Korean actor was able to find and exploit a zero-day in this operation.. not the first time and not the last if true..
[We] discovered a new zero-day in Microsoft Internet Explorer (IE) browser and analyzed in detail an attack exploiting the vulnerability.
The person behind this operation is the North Korean hacking group TA-RedAnt (AKA RedEyes, ScarCruft, Group123, APT37, etc.). They have previously attacked people related to North Korea using hacked emails, mobile apps (APK), and IE vulnerabilities.
This operation is characterized by exploiting a specific 'Toast' ad execution program that is installed together with various free software recently by exploiting a 0-day vulnerability in IE.
What is Toast? A pop-up notification that appears in the form of rising from the bottom of the PC screen (usually the bottom right)
Reporting on Iran
Iranian Cyber Actors’ Brute Force and Credential Access Activity Compromises Critical Infrastructure Organizations
The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Communications Security Establishment Canada (CSE), the Australian Federal Police (AFP), and Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) come together on why all organisations should deploy phishing-resistant MFA.
Since October 2023, Iranian actors have used brute force, such as password spraying, and multifactor authentication (MFA) ‘push bombing’ to compromise user accounts and obtain access to organizations. The actors frequently modified MFA registrations, enabling persistent access. The actors performed discovery on the compromised networks to obtain additional credentials and identify other information that could be used to gain additional points of access. The authoring agencies assess the Iranian actors sell this information on cybercriminal forums to actors who may use the information to conduct additional malicious activity.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-290a
https://www.ic3.gov/CSA/2024/241016.pdf
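The chain the advisory describes (spraying from one source, repeated push prompts until one is approved, then a fresh MFA registration for persistence) is the sort of sequence worth hunting for in identity provider logs. The following is an added example and not code from the advisory or any of the agencies; it assumes a constructed, simplified CSV log format (timestamp,user,event,src_ip), constructed sample lines, and illustrative thresholds that a real deployment would tune.

```python
"""Hunt for the spray -> push-bombing -> MFA re-enrolment chain in auth logs.

Added example: the log format below is a constructed simplification
(timestamp,user,event,src_ip), not any vendor's real schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): one source sprays seven accounts,
# lands on 'grace', bombs her with pushes until she approves, then enrols
# a new MFA device. 'heidi' is a normal login with a single push.
SAMPLE_LOG = """\
2024-10-16T08:00:01Z,alice,login_failed,198.51.100.7
2024-10-16T08:00:02Z,bob,login_failed,198.51.100.7
2024-10-16T08:00:03Z,carol,login_failed,198.51.100.7
2024-10-16T08:00:04Z,dave,login_failed,198.51.100.7
2024-10-16T08:00:05Z,erin,login_failed,198.51.100.7
2024-10-16T08:00:06Z,frank,login_failed,198.51.100.7
2024-10-16T08:00:07Z,grace,login_success,198.51.100.7
2024-10-16T08:01:00Z,grace,mfa_push_sent,198.51.100.7
2024-10-16T08:01:05Z,grace,mfa_denied,198.51.100.7
2024-10-16T08:01:30Z,grace,mfa_push_sent,198.51.100.7
2024-10-16T08:01:40Z,grace,mfa_denied,198.51.100.7
2024-10-16T08:02:00Z,grace,mfa_push_sent,198.51.100.7
2024-10-16T08:05:00Z,grace,mfa_approved,198.51.100.7
2024-10-16T08:20:00Z,grace,mfa_device_registered,198.51.100.7
2024-10-16T09:00:00Z,heidi,login_success,203.0.113.5
2024-10-16T09:00:01Z,heidi,mfa_push_sent,203.0.113.5
2024-10-16T09:00:10Z,heidi,mfa_approved,203.0.113.5
"""


def parse(log: str):
    """Turn CSV lines into (timestamp, user, event, src_ip) tuples, time-sorted."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip))
    return sorted(events)


def detect_spray(events, min_users=5, window=timedelta(minutes=10)):
    """Source IPs with failed logins against >= min_users distinct accounts in a window."""
    fails_by_ip = defaultdict(list)
    for ts, user, event, ip in events:
        if event == "login_failed":
            fails_by_ip[ip].append((ts, user))
    hits = set()
    for ip, fails in fails_by_ip.items():
        for i, (t0, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - t0 <= window}
            if len(users) >= min_users:
                hits.add(ip)
                break
    return hits


def detect_push_bombing(events, min_pushes=3, window=timedelta(minutes=10)):
    """Users who approved a push after >= min_pushes prompts inside the window.

    Returns {user: approval_time} so later persistence checks can key off it.
    """
    by_user = defaultdict(list)
    for ts, user, event, _ in events:
        if event in ("mfa_push_sent", "mfa_approved"):
            by_user[user].append((ts, event))
    hits = {}
    for user, evs in by_user.items():
        for i, (ts, event) in enumerate(evs):
            if event != "mfa_approved":
                continue
            pushes = [t for t, e in evs[:i] if e == "mfa_push_sent" and ts - t <= window]
            if len(pushes) >= min_pushes:
                hits[user] = ts
    return hits


def detect_reenrolment(events, bombed, window=timedelta(hours=1)):
    """Users who registered a new MFA device shortly after a bombed approval."""
    hits = set()
    for ts, user, event, _ in events:
        if event == "mfa_device_registered" and user in bombed:
            if timedelta(0) <= ts - bombed[user] <= window:
                hits.add(user)
    return hits


def run(log: str = SAMPLE_LOG):
    events = parse(log)
    bombed = detect_push_bombing(events)
    return {
        "spray_sources": detect_spray(events),
        "push_bombed": set(bombed),
        "mfa_reenrolled": detect_reenrolment(events, bombed),
    }


if __name__ == "__main__":
    for name, value in run().items():
        print(f"{name}: {sorted(value)}")
```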
Earth Simnavaz Levies Advanced Cyberattacks Against UAE and Gulf Regions
Trend Micro in this report by Mohamed Fahmy, Bahaa Yamany, Ahmed Kamal and Nick Dai detail what they allege was Iranian activity. Included due to the initial access vector also being web...
Trend Micro researchers have been monitoring a cyber espionage group known as Earth Simnavaz, also referred to as APT34 and OilRig, which has been actively targeting governmental entities in the UAE and the broader Gulf region.
The group utilizes sophisticated tactics that include deploying a backdoor that leverages Microsoft Exchange servers for credentials theft, and exploiting vulnerabilities like CVE-2024-30088 for privilege escalation.
Earth Simnavaz uses a combination of customized .NET tools, PowerShell scripts, and IIS-based malware to allow their malicious activity to blend in with normal network traffic and avoid traditional detection methods.
Their recent activity suggests that Earth Simnavaz is focused on abusing vulnerabilities in key infrastructure of geopolitically sensitive regions. They also seek to establish a persistent foothold in compromised entities, so these can be weaponized to launch attacks on additional targets.
The initial point of entry for these attacks has been traced back to a web shell uploaded to a vulnerable web server. This web shell not only allows the execution of PowerShell code but also enables attackers to download and upload files from and to the server, thereby expanding their foothold within the targeted networks.
Reporting on Other Actors
Vietnamese Threat Actor’s Multi-Layered Strategy on Digital Marketing Professionals
Cyble Research and Intelligence Lab (CRIL) detail a campaign which they allege is Vietnamese in origin; it starts with phishing but does show a degree of technical sophistication in terms of evasion.
The lure document observed in the campaign indicates that the Threat Actor (TA) is targeting job seekers and digital marketing professionals, especially those involved with Meta Ads.
The malware employs several techniques to detect virtual machine environments, evading detection and analysis in sandboxed or emulated environments.
The malware uses multiple anti-debugging techniques to detect if it is being debugged, making analysis or reverse engineering more challenging.
The malware employs defense evasion techniques, including disabling event tracing and altering in-memory functions, to evade detection by security tools.
Discovery
How we find and understand the latent compromises within our environments.
EDR Analysis: Leveraging Fake DLLs, Guard Pages, and VEH for Enhanced Detection
An analysis of various techniques in a Windows EDR solution which also gives a sense of their real-world efficacy. I know of one solution which used something sort of similar to the fake DLL trick, but different - so points of novelty.
In direct comparison with other EDR solutions, the described detection mechanism, based on fake DLLs, guard pages and vectored exception handling, is characterised as a rather unconventional method, more likely to be found in the field of game hacking. However, it has proven to be very effective in practice.
Unveiling USB Artifacts: A Comparative Analysis
A walk through of various artefacts which will be useful to a range of defenders for a variety of reasons.
USB formatted with NTFS, FAT32, and ExFAT often create temporary files, particularly during file modifications.
USB formatted with NTFS on Windows provided more information on file system changes from the $Logfile due to its journaling capabilities.
USB formatted with HFS+ stores versions of files that have been edited using applications with GUI in a versioning database “db.sqlite”, providing information on file_last_seen times.
USB formatted with FAT32/ExFAT on MacOS generates “._filename” files to ensure file system compatibility for storing of extended attributes. The creation and modification times of these files can indicate file tampering.
https://www.group-ib.com/blog/unveiling-usb-artifacts/
Defence
How we proactively defend our environments.
27th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2024)
RAID 2024 was held in Italy on September 30 - October 2, 2024 and there are some excellent papers such as:
Cross-Regional Malware Detection via Model Distilling and Federated Learning
Catch You Cause I Can: Busting Rogue Base Stations using CellGuard and the Apple Cell Location Database
https://raid2024.github.io/accepted_open.html
TameMyCerts: Policy Module for Microsoft Active Directory Certificate Services
Uwe Gradenegger provides a valuable work aid here for those still running legacy Microsoft estates..
TameMyCerts is a policy module for Microsoft Active Directory Certificate Services (AD CS) enterprise certification authorities that enables security automation for a lot of use cases in the PKI field.
It supports, amongst other functions, inspecting certificate requests for certificate templates that allow the subject information to be specified by the enrollee against a defined policy. If any of the requested identities violates the defined rules, the certificate request automatically gets denied by the certification authority.
https://github.com/Sleepw4lker/TameMyCerts
Incident Writeups & Disclosures
How they got in and what they did.
Globe Life
When you know you have an incident because you are extorted..
Globe Life Inc. (the “Company”) recently received communications from an unknown threat actor seeking to extort money from the Company in exchange for not disclosing certain information held and used by the Company and its independent agents. After becoming aware of this, the Company immediately activated its incident response plan and, with the assistance of experienced counsel and external cybersecurity experts, launched an investigation. The Company has reported this extortion attempt to and is cooperating with federal law enforcement.
Based on the Company’s investigation to date, which remains ongoing, the Company believes that information relayed to the Company by the threat actor may relate to certain customers and customer leads that can be traced to the Company’s subsidiary, American Income Life Insurance Company.
https://www.sec.gov/Archives/edgar/data/320335/000032033524000056/gl-20241017.htm
Vulnerability
Our attack surface.
CounterSEVeillance: Performance-Counter Attacks on AMD SEV-SNP
Stefan Gast, Hannes Weissteiner, Robin Leander Schroder and Daniel Gruss show confidential compute has a way to go yet on the assurance front. There are some fundamental questions as to whether the micro-architectural optimisations made for performance mean we can get there with current approaches.
In this paper, we introduce CounterSEVeillance, a new sidechannel attack leaking secret-dependent control flow and operand properties from performance counter data. Our attack is the first to exploit performance counter side-channel leakage with single-instruction resolution from SEV-SNP VMs and works on fully patched systems. We systematically analyze performance counter events in SEV-SNP VMs and find that 228 are exposed to a potentially malicious hypervisor. CounterSEVeillance builds on this analysis and records performance counter traces with an instruction-level resolution by single-stepping the victim VM using APIC interrupts in combination with page faults. We match CounterSEVeillance traces against binaries, precisely recovering the outcome of any secret-dependent conditional branch and inferring operand properties. We present four attack case studies, in which we exemplarily showcase concrete exploitable leakage with 6 of the exposed performance counters. First, we use CounterSEVeillance to extract a full RSA-4096 key from a single Mbed TLS signature process in less than 8 minutes.
https://www.stefangast.eu/papers/counterseveillance.pdf
rflasermic
Samy Kamkar shows what polymaths are capable of beyond leading to increased sales of double glazing..
RF-modulated high fidelity laser microphone and keystroke sniffer
https://github.com/samyk/rflasermic/
Offense
Attack capability, techniques and trade-craft.
Introducing Early Cascade Injection: From Windows Process Creation to Stealthy Injection
Guido Miggelenbrink details a capability which means that EDR vendors have a little bit more work to do on Windows, but which should also be a high signal signature of badness.
we introduce a novel process injection technique named Early Cascade Injection, explore Windows process creation, and identify how several Endpoint Detection and Response systems (EDRs) initialize their in-process detection capabilities. This new Early Cascade Injection technique targets the user-mode part of process creation and combines elements of the well-known Early Bird APC Injection technique with the recently published EDR-Preloading technique by Marcus Hutchins. Unlike Early Bird APC Injection, this new technique avoids queuing cross-process Asynchronous Procedure Calls (APCs), while having minimal remote process interaction. This makes Early Cascade Injection a stealthy process injection technique that is effective against top tier EDRs while avoiding detection.
Bypassing noexec and executing arbitrary binaries
Messede Degod and friend give cause for pause on Linux systems: it means constrained shells and/or post-web-compromise controls might be more challenged in appliances, for example..
Execute a binary on a Linux system when execution is not allowed (e.g. restricted PHP environment, read-only filesystem or noexec mount flag). By using only Bash and making syscall(2)’s from Bash (!) and piping the ELF binary straight from the Internet into Bash’s address space - without touching the harddrive and without ptrace() or mmap()…
Prevention: The trick (with slight modifications) works if only ONE of either ptrace(), mmap() or memfd_create() is available [disabling ptrace will also -EPERM /proc/self/mem]. Likely there are many more tricks to do the same…ask your friendly Blue Team to figure it out.
https://iq.thc.org/bypassing-noexec-and-executing-arbitrary-binaries
Cobalt Strike - CDN / Reverse Proxy Setup
Giving Microsoft a rich source of intelligence in 3..2..
In this article we will explore how high reputation domains can be used in the context of Content Delivery Networks (CDNs) under Microsoft Azure in conjunction with a C2 domain and Nginx as a reverse proxy for our Red Team infrastructure.
https://redops.at/en/blog/cobalt-strike-cdn-reverse-proxy-setup
Exploitation
What is being exploited..
Behind the Scenes: Fixing an In-the-Wild Firefox Exploit
Tom Ritter gives us a peek behind the curtain of what happens when in-the-wild exploitation is detected..
At Mozilla, browser security is a critical mission, and part of that mission involves responding swiftly to new threats. Tuesday, around 8 AM Eastern time, we received a heads-up from the Anti-Virus company ESET, who alerted us to a Firefox exploit that had been spotted in the wild. We want to give a huge thank you to ESET for sharing their findings with us—it’s collaboration like this that keeps the web a safer place for everyone.
Asian APT group used this Firefox 0day vulnerability for nearly half a year for watering hole attacks
An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild.
https://www.mozilla.org/en-US/security/advisories/mfsa2024-51/
Unmasking CVE-2024-38178: The Silent Threat of Windows Scripting Engine
S2W alleges that North Korea was exploiting this vulnerability; what is interesting here is that the original patch was not comprehensive, it would appear.
CVE-2024-38178 is a type confusion vulnerability caused by the JIT engine in JScript9.dll performing incorrect optimizations on variables initialized with the usual arithmetic conversion exception operator, which can be used to bypass the CVE-2022-41128 patch released in November 2022.
CVE-2022-41128 is publicly available with detailed analysis and was exploited by a threat group behind North Korea in 2022, so it is likely that attackers quickly weaponized the vulnerability.
An attacker exploiting this vulnerability can remotely execute code on a targeted Windows system.
(Related threat groups and attacks) In June 2024, APT37 (Scarcruft), a North Korea-based threat group, exploited this vulnerability in an in-the-wild attack against specific organizations in South Korea.
Burning Zero Days: Suspected Nation-State Adversary Targets Ivanti CSA
Faisal Abdul Malik Qureshi, John Simmons, Jared Betts, Luca Pugliese, Trent Healy, Ken Evans and Robert Reyes detail an incident involving vulnerabilities being exploited in a competitor's product. The threat actor is not attributed..
Today FortiGuard Labs is releasing this blog post about a case where an advanced adversary was observed exploiting three vulnerabilities affecting the Ivanti Cloud Services Appliance (CSA). At the time of our investigation, two out of the three identified vulnerabilities were not publicly known. This incident is a prime example of how threat actors chain zero-day vulnerabilities to gain initial access to a victim’s network.
the threat actor exploited the vulnerability CVE-2024-8190 in conjunction with the following two previously publicly unknown vulnerabilities:
A publicly unknown path traversal vulnerability on the resource /client/index.php, to gain unauthorized access to other resources like users.php, reports.php etc. (CVE-2024-8963, disclosed September 19)
A publicly unknown command injection vulnerability affecting the resource reports.php. (CVE-2024-9380, disclosed October 8)
Palo Alto Expedition: From N-Day to Full Compromise
Zach Hanley details vulnerabilities in potentially the smallest internet attack surface ever..
On July 10, 2024, Palo Alto released a security advisory for CVE-2024-5910, a vulnerability which allowed attackers to remotely reset the Expedition application admin credentials.
This blog details finding CVE-2024-5910, but also how we ended up discovering 3 additional vulnerabilities which we reported to Palo Alto:
CVE-2024-9464: Authenticated Command Injection
CVE-2024-9465: Unauthenticated SQL Injection
CVE-2024-9466: Cleartext Credentials in Logs
At the time of writing, there are approximately 23 Expedition servers exposed to the internet
https://www.horizon3.ai/attack-research/palo-alto-expedition-from-n-day-to-full-compromise/
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
SIMurai: Slicing Through the Complexity of SIM Card Security Research
Tomasz Piotr Lisowski, Merlin Chlosta, Jinjin Wang and Marius Muench release a platform which unlocks the next level of research capability into SIMs..
SIMurai is a software platform designed for security-focused SIM exploration and experimentation. At its core, it offers a versatile software SIM implementation that can be integrated into various environments for advanced testing and development.
https://github.com/tomasz-lisowski/simurai
https://www.usenix.org/conference/usenixsecurity24/presentation/lisowski
ReSym: Harnessing LLMs to Recover Variable and Data Structure Symbols from Stripped Binaries
Danning Xie, Zhuo Zhang, Nan Jiang, Xiangzhe Xu, Lin Tan, and Xiangyu Zhang hint at future applications. The trick will be scaling and working on increased complexity..
Compared to the decompiled code, ReSym significantly enhances readability by recovering meaningful names and types for variables, e.g., from unsigned int16 *v68 to struct udp_hdr *udp in line 5. In addition, ReSym adeptly recovers field access expressions, converting (_WORD*)(v68+2) to udp->dst_port in line 11, etc. On the right side of the figure is the comparison of the ground truth with ReSym’s recovered data structure used on line 5. ReSym accurately reconstructs the complete layout with meaningful field names and types. For example, it recovers the first field with the name src_port while the ground truth is source. As a result, the readability of the decompiled code is significantly enhanced thanks to ReSym
https://www.cs.purdue.edu/homes/lintan/publications/resym-ccs24.pdf
https://github.com/lt-asset/resym
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Aggregate reporting
Cyber Effects in Warfare: Categorizing the Where, What, and Why - Texas National Security Review
From Moonlight Maze To Solarwinds: How Russian APT Groups Operate - from 2023
Artificial intelligence
GSM-Symbolic: Understanding the Limitations of Mathematical Reasoning in Large Language Models
CodeMMLU: A Multi-Task Benchmark for Assessing Code Understanding Capabilities of CodeLLMs
MEGA-Bench: Scaling Multimodal Evaluation to over 500 Real-World Tasks
Poisoning Knowledge Graph Embeddings via Relation Inference Patterns
Books
Events
Association of the United States Army - Live streams to watch on playback, some cyber within..
Webinar: Defining Cyber War: The Impact of Insurance on Cyber Norms
Unless stated otherwise, linked or referenced content does not necessarily represent the views of the NCSC and reference to third parties or content on their websites should not be taken as endorsement of any kind by the NCSC. The NCSC has no control over the content of third party websites and consequently accepts no responsibility for your use of them.
This newsletter is subject to the NCSC website terms and conditions which can be found at https://www.ncsc.gov.uk/section/about-this-website/terms-and-conditions and you can find out more about how we will treat your personal information in our privacy notice at https://www.ncsc.gov.uk/section/about-this-website/privacy-statement.