CTO at NCSC Summary: week ending September 1st
Autumn is coming... zero-day exploitation abound..
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week zero-days… zero-days exploited by alleged nation state actors in networking equipment.. that an alleged use of ransomware by state actors!
In the high-level this week:
Cybercriminals operating ransomware as a service from overseas continue to be responsible for most high-profile cybercrime attacks against the UK - UK National Crime Agency - “Russian and Russian-speaking criminals behind ransomware as a service platforms continue to be responsible for most high-profile cybercrime attacks against the UK. It is highly likely that those groups based in Russia itself benefit from a permissive operating environment and tolerance of their cybercrime activities.”
Dutch cabinet bans phones in meetings over espionage fears - Politico reports - “The Netherlands' new team of ministers are forced to keep their phones and smartwatches in a vault when meeting to discuss state affairs, its prime minister and former spy Dick Schoof said Friday.”
SBB will soon be rid of Russian software - Bluewin reports from Switzerland “At the end of 2022, SBB [train company] decided to replace the track measurement systems supplied by the Russian company Infotrans. In doing so, the company wants to minimize potential safety risks and dependencies, especially in the context of the Russia sanctions. The switch to its own system was complex and more expensive than planned due to a lack of expertise in Switzerland.”
ASEAN, Japan advised to join hands for better cyber resilience - Vietnam+ reports - “ASEAN member countries and Japan are best-placed to work together to boost cyber resilience given the spectre of rising cyber threats in the region, according to a recent article published by the Singaporean-based ISEAS – Yusof Ishak Institute’s site fulcrum.sg.”
Malaysia Security Commission Issues Guidelines To Strengthen Technology Risk Management Of Capital Market Entities - SC Malaysia releases - “Among the requirements set out in the Guidelines include the establishment and implementation of an effective technology risk framework, technology project management, technology service provider management and cyber security management by capital market entities.”
Test of a prototype quantum internet runs under New York City for half a month - Phys.org reports - “For their prototype network, the Qunnect researchers used a leased 34-kilometer-long fiber circuit they called the GothamQ loop. Using polarization-entangled photons, they operated the loop for 15 continuous days, achieving an uptime of 99.84% and a compensation fidelity of 99% for entangled photon pairs transmitted at a rate of about 20,000 per second. At a half-million entangled photon pairs per second, the fidelity was still nearly 90%.”
Reporting on/from China
Chinese government hackers penetrate U.S. internet providers to spy - The Washington Post reports - “It is business as usual now for China, but that is dramatically stepped up from where it used to be. It is an order of magnitude worse,” said Brandon Wales, who until earlier this month was executive director of the Cybersecurity and Infrastructure Security Agency, CISA.
China seen using 'white hat' hackers to boost cyberattack capability - Nikkei Asia reports and brings some statistics - “There were 16 cases in 2021, when the reporting obligation began, and the figure soared to 267 in 2022. Cases nearly doubled again to 502 in 2023. This year is on a similar pace, with 242 cases recorded in the first half.”
IBM Shuts China R&D Operations in Latest Retreat by U.S. Companies - Wall Street Journal reports - “Hergenrother said IBM plans to concentrate its R&D in several regions, the employees said. IBM has told some employees it is adding engineers and researchers in places outside China including in Bengaluru, India, according to employees who were briefed.”
Chinese entities turn to Amazon cloud and its rivals to access high-end US chips, AI - Reuters reports - “A Reuters review of more than 50 tender documents posted over the past year on publicly available Chinese databases showed that at least 11 Chinese entities have sought access to restricted U.S. technologies or cloud services. Among those, four explicitly named Amazon Web Services (AWS) as a cloud service provider, though they accessed the services through Chinese intermediary companies rather than from AWS directly.”
Horizon Robotics so far ships over 6 million sets of Journey series products - Gasgoo reports - “Horizon Robotics recently announced that the cumulative shipment for its Journey series of in-vehicle intelligent computing solutions has surpassed 6 million sets, reflecting remarkable growth since its mass production began in 2020.”
Why China’s Universities Are Ditching Their Engineering Programs - Sixth Tone reports - “China’s universities are rapidly moving to reallocate their academic resources in line with government priorities, with 19 institutions so far looking to suspend or discontinue a total of 99 degree programs this year, domestic media outlet ScienceNet.cn reported on Tuesday.”
Baidu blocks Google, Bing from scraping content amid demand for AI data - South China Morning Post reports - “Wikipedia-style service Baidu Baike recently barred the search engine crawlers of Google and Bing from indexing its online content”
China's robot makers chase Tesla to deliver humanoid workers - Reuters reports - “Nearly 30 Chinese companies showed off models in Beijing this week, China has called for mass production of humanoid robots by 2025”
Artificial intelligence
Could Lab-Grown Mini-Brains From Stem Cells Power Tomorrow’s AI? - Forbes reports - “Researchers are exploring how brain organoids—tiny clumps of neurons that resemble the early stages of a human brain—could be integrated with AI systems.”
China’s AI apps eye overseas markets amid tough competition, regulation at home - South China Morning Post reports - “According to research by Unique Capital, among the 1,500 active AI companies worldwide, 103 hail from China.”
Is Xi Jinping an AI doomer? - The Economist reports - "Zhu Songchun, a party adviser and director of a state-backed programme to develop AGI, has argued that AI development is as important as the “Two Bombs, One Satellite” project, a Mao-era push to produce long-range nuclear weapons. "
Artificial intelligence: A reading list - UK Parliament releases - “This briefing provides a selection of reading on artificial intelligence, including UK Government policy.”
Cyber proliferation
Nothing this week
Bounty Hunting
United States Files Suit Against the Georgia Institute of Technology and Georgia Tech Research Corporation Alleging Cybersecurity Violations - US Department of Justice indicts - “The United States joined a whistleblower suit and filed a complaint-in-intervention against the Georgia Institute of Technology (Georgia Tech) and Georgia Tech Research Corp. (GTRC) asserting claims that those defendants knowingly failed to meet cybersecurity requirements in connection with the Department of Defense (DoD) contracts. GTRC is an affiliate of Georgia Tech that contracts with government agencies for work to be performed at Georgia Tech. The whistleblower suit was initiated by current and former members of Georgia Tech’s Cybersecurity team.”
O’Melven legal analysis - “The Department of Justice (“DOJ”) intervened in a first-of-its-kind False Claims Act (“FCA”) case by the United States government against a federal contractor accused of non-compliance with federal cybersecurity regulations. In United States ex rel. Craig v. Georgia Tech Research Corporation, et al., the government will pursue claims against two research organizations for purported failure to comply with the standards promulgated by the National Institute of Standards and Technology (“NIST”) for how federal contractors must secure and interact with government data and information.”
Two Individuals Charged in Multi-Million Dollar Scheme to Defraud Rideshare Customers, Drivers and Others - US Department of Justice indicts - “the defendants sold hacked smartphones and fraudulent applications to more than 800 rideshare drivers (Driver Co-conspirators). The applications enabled the Driver Co-conspirators to “spoof” GPS locations to fraudulently obtain “surge” fees and to otherwise manipulate legitimate rideshare applications to enrich themselves to the detriment of riders, law-abiding drivers and rideshare companies.”
Argentinian Authorities Arrest Russian National for Laundering the Crypto Proceeds of Illicit Activity - TRM releases - “The subject accepted illicit cryptocurrency proceeds from illicit actors such as North Korea’s Lazarus Group, child sexual abuse vendors and terrorist financiers. The subject would then exchange the illicit crypto for laundered, clean cryptocurrency and fiat currency. “
FBI investigation. The route of a North Korean cyber scam that ended in the apartment of a Russian in Palermo - La Nacion reports from Argentina - “The suspect, 29 years old, was charged with the crime of money laundering aggravated by habitual habit and possibly for doing so as a member of a gang.”
Couple of weeks old - but - USA: CFIUS fines T-Mobile $60M for breach notification violations - OneTrust reports - “On August 15, 2024, the Committee on Foreign Investment in the U.S. (CFIUS) announced that it had resolved an enforcement action against T-Mobile US, Inc., resulting in a $60 million penalty for breach notification failures and failure to secure data.”
Reuters reports - US fines T-Mobile $60 million over unauthorized data access
CrowdStrike fiscal earnings - CrowdStrike quantifying the business impact as a vendor - “CrowdStrike’s revenue guidance for the fiscal year 2025 includes an estimated $30 million subscription revenue impact in each of the remaining fiscal quarters as a result of incentives related to our customer commitment package. In addition, fiscal year 2025 revenue guidance includes an estimated impact in the high-single digit millions to professional services revenue in the second half of fiscal year 2025 as a result of incentives related to our customer commitment package.”
Reflections this week come off the back of further indicators based on data we see that comprehensively deployed multi-factor authentication/pass keys on the perimeter of organisations and cloud services/applications they use would address > 50% of breaches. That is VPNs, other remote access tooling, web applications etc.
The first order challenge is how we make MFA/passkeys the default - should products/services allow single factor authentication in 2024? It is also untenable for vendors to charge more for such functionality.
The second order challenge is how we both identify the accounts and systems where multi-factor authentication/pass keys are not deployed and chase them down relentlessly. .
… finally a shout out to Microsoft for the CHERIoT: A Study in CHERI on the RISC-V blog. CHERIoT (Capability Hardware Extension to RISC-V for Internet of Things) is a 32-bit RISC-V extension optimized for IoT and embedded applications and addresses memory safety (and more). It really is an elegant and cost effective way to manage technical security debt in memory unsafe languages such as C whilst reducing the blast radius more broadly ...
Think someone else would benefit? Share:
All attribution is by others and not the UK Government unless specifically stated as such, please see the legal text at the end.
Have a lovely Thursday..
Ollie
Cyber threat intelligence
Who is doing what to whom and how allegedly.
Reporting on Russia
Nothing this week
Reporting on China
Taking the Crossroads: The Versa Director Zero-Day Exploitation
The Black Lotus Labs team detail exploitation of this zero-day in an alleged Chinese operation. If you are a connoisseur of Chinese security research you will likely be aware of rich seams of regional research into Java web shells and ‘memory horses’ (memory only payloads).
[We] discovered active exploitation of a zero-day vulnerability in Versa Director servers, identified as CVE-2024-39717 and publicly announced on August 22, 2024. This vulnerability is found in Versa software-defined wide area network (SD-WAN) applications and affects all Versa Director versions prior to 22.1.4. Versa Director servers manage the network configurations for clients running the SD-WAN software and are often used by internet service providers (ISPs) and managed service providers (MSPs). Director servers enable the orchestration of Versa’s SD-WAN functionality, positioning them as a critical and attractive target for threat actors seeking to extend their reach within enterprise network management.
..
The threat actors, who we assess with moderate confidence to be the Chinese state-sponsored actors known as Volt Typhoon, employed the use of compromised SOHO devices and a sophisticated JAR web shell that leverages Java instrumentation and Javassist to inject malicious code into the Tomcat web server process memory space on exploited Versa Director servers.
https://blog.lumen.com/taking-the-crossroads-the-versa-director-zero-day-exploitation/
China-Nexus Threat Group ‘Velvet Ant’ Leverages a Zero-Day to Deploy Malware on Cisco Nexus Switches
Sygnia Team provide further reporting on an incident they disclosed in July. Interesting for the fact that a zero-day was used and showed a level of platform understanding to achieve persistence indicting R&D investment.
Earlier in 2024, Sygnia observed ‘Velvet Ant’ leveraging a zero-day exploit (CVE-2024-20399) to compromise and control on-premises Cisco Switch appliances. These types of vulnerabilities are used by threat actor to operate on compromised devices in a way that is completely hidden to the enterprise security stack.
As part of the ‘Velvet Ant’ multi-year intrusion, the transition to operating from internal network devices marks yet another escalation in the evasion techniques used in order to ensure the continuation of the espionage campaign.
The zero-day exploit allows an attacker with valid administrator credentials to the Switch management console to escape the NX-OS command line interface (CLI) and execute arbitrary commands on the Linux underlying operating system. Following the exploitation, ‘Velvet Ant’ deploy tailored malware, which runs on the underlying OS and is invisible to common security tools.
https://www.sygnia.co/blog/china-threat-group-velvet-ant-cisco-zero-day/
Malware attacks exploiting AppDomainManager Injection
Rintaro Koike alleges a Chinese threat actor is using a combination of techniques in their phishing campaigns. Why any organisation would have business need to receive MSC files via e-mail is the question and why they can’t simply be blocked at the perimeter and e-mail client is the question...
Since around July 2024, we have observed attacks that use AppDomainManager Injection to execute malware. The concept of AppDomainManager Injection was made public in 2017, and since then PoCs and explanatory blogs have been published. However, there have been very few reported cases of attacks that actually exploit AppDomainManager Injection, and it is not well known in the general public.
In addition, it is suspected that a nation-state sponsored attack group was involved in this attack, and there are concerns that this type of attack method will continue to spread in the future. In light of this, this article aims to help understand the mechanism and dangers of AppDomainManager Injection and to help take appropriate measures.
…
In this attack campaign, we have confirmed that CobaltStrike beacons were ultimately used to compromise the target environment. After investigating the characteristics of the loader and attacker infrastructure used in this attack, we believe that this method is similar to that of APT41.
Investigations into related attacks suggest that the attackers may have targeted government agencies in Taiwan, the military in the Philippines, and energy organizations in Vietnam, all of which border the South China Sea, where there have been reports of a series of clashes between the countries involved in the sea and rising tensions between neighboring countries.
C.R.A.M. provide further reporting that allege a Chinese threat actor is using MSC files in their phishing campaign.
[We] continued to monitor the situation in the following months, identifying new malware campaigns carried out by an unknown cyber-actor that is most likely of Chinese origin to target Southeast Asia.
https://www.tgsoft.it/news/news_archivio.asp?id=1568&lang=eng
Reporting on North Korea
Kimsuky VBS RAT Malware Analysis Report
Nuri Lab detail the end to end attack chain allegedly used by a North Korean threat actor. The multi-step and social engineering cha-cha at its finest..
The process by which this script infected the victim is believed to be as follows:
Send spear phishing emails using the SendMail (modified PHPMailer) tool to Gmail and Daum mail accounts.
The email contains a link that impersonates Naver login or university portal login.
Following the link will lead to login information being stolen.
After that, you will be redirected to a PDF file related to the August forum of the Asan Institute for Policy Studies hosted on Google Drive, which will prompt you to download it.
Open the PDF, run BabyShark and drop the current sample
Reporting on Iran
Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations
FBI, CISA and DC3 detail how ransomware is part of Iranian statecraft. If previously there was concern over ransomware use by proxies, the direct use by states should click that risk doomsday dial closer to midnight.
The FBI assesses a significant percentage of these threat actors’ operations against US organizations are intended to obtain and develop network access to then collaborate with ransomware affiliate actors to deploy ransomware. The FBI further assesses these Iran-based cyber actors are associated with the Government of Iran (GOI) and—separate from the ransomware activity—conduct computer network exploitation activity in support of the GOI (such as intrusions enabling the theft of sensitive technical data against organizations in Israel and Azerbaijan).
https://www.ic3.gov/Media/News/2024/240828.pdf
Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations
Microsoft alleged that Iran is employing multiple techniques in its intelligence collection operations. As mentioned at the top, the point of note is their techniques highlight the importance of multi-factor authentication on organisational edges.
Between April and July 2024, Microsoft observed Iranian state-sponsored threat actor Peach Sandstorm deploying a new custom multi-stage backdoor, which we named Tickler. Tickler has been used in attacks against targets in the satellite, communications equipment, oil and gas, as well as federal and state government sectors in the United States and the United Arab Emirates. This activity is consistent with the threat actor’s persistent intelligence gathering objectives and represents the latest evolution of their long-standing cyber operations.
Peach Sandstorm also continued conducting password spray attacks against the educational sector for infrastructure procurement and against the satellite, government, and defense sectors as primary targets for intelligence collection. In addition, Microsoft observed intelligence gathering and possible social engineering targeting organizations within the higher education, satellite, and defense sectors via the professional networking platform LinkedIn.
Microsoft assesses that Peach Sandstorm operates on behalf of the Iranian Islamic Revolutionary Guard Corps (IRGC) based on the group’s victimology and operational focus. Microsoft further assesses that Peach Sandstorm’s operations are designed to facilitate intelligence collection in support of Iranian state interests.
I Spy With My Little Eye: Uncovering an Iranian Counterintelligence Operation
Ofir Rozmann, Asli Koksal and Sarah Bock detail the alleged use by Iran of the fake recruiter lure in a campaign. But apparently just for information collection..
[We are] releasing details of a suspected Iran-nexus counterintelligence operation aimed at collecting data on Iranians and domestic threats who may be collaborating with intelligence and security agencies abroad, particularly in Israel.
This activity leverages a network of fake recruitment websites posing as Israel-based human resources firms that use similar imagery in attempts to socially engineer Farsi-speaking individuals into providing personal details. The websites were disseminated online including through fake social media accounts, and used similar templates. The attack lifecycle is depicted in Figure 1.
Taking Action Against Malicious Accounts in Iran
Meta detail what they alleged was the use of WhatsApp in a social engineering campaign as support departments. The mitigation to this threat is strong authentication, and controls of running untrusted software.
After investigating user reports, our security teams blocked a small cluster of WhatsApp accounts posing as support agents for tech companies.
Our investigation linked this activity to APT42, an Iranian threat actor known for its persistent phishing campaigns across the internet targeting political and diplomatic officials, and other public figures (including some associated with the administrations of President Biden and former President Trump).
We have not seen evidence of the targeted WhatsApp accounts being compromised, but out of an abundance of caution, we’re sharing our findings publicly, in addition to sharing information with law enforcement and our industry peers.
https://about.fb.com/news/2024/08/taking-action-against-malicious-accounts-in-iran/
Reporting on Other Actors
Advanced Persistent Threat Targeting Vietnamese Human Rights Defenders
Jai Minton and Craig Sweeney detail a campaign which they alleged has overlaps with the Vietnamese state. The use of registry keys and scheduled tasks for persistence should (and likely did) create the detection opportunity.
[We] discovered an intrusion on a Vietnamese human rights defender’s machine which is suspected to have been ongoing for at least four years. This intrusion has a number of overlaps with known techniques used by the threat actor APT32/OceanLotus, and a known target demographic which aligns with APT32/OceanLotus targets. This post highlights just how far advanced threats will go for information gathering purposes when it aligns with their strategic interests.
https://www.huntress.com/blog/advanced-persistent-threat-targeting-vietnamese-human-rights-defenders
Malicious Plugin - Pidgin
Pidgin reporting on an unattributed campaign which one might suspect then involved social engineering to get access to their target. Third party plugin eco-systems is one of those challenges for which there is no solution which doesn’t create friction in order to achieve trust/integrity.
A plugin, ss-otr, was added to the third party plugins list on July 6th. On August 16th we received a report from 0xFFFC0000 that the plugin contained a key logger and shared screen shots with unwanted parties.
https://pidgin.im/posts/2024-08-malicious-plugin/
NGate Android malware relays NFC traffic to steal cash
Lukas Stefanko and Jakub Osmani detail a fascinating evolution in criminal capability.
Attackers combined standard malicious techniques – social engineering, phishing, and Android malware – into a novel attack scenario; we suspect that lure messages were sent to random phone numbers and caught customers of three banks.
The group has operated since November 2023 in Czechia, using malicious progressive web apps (PWAs) and WebAPKs. In March 2024 the group’s technique improved by deploying the NGate Android malware.
Attackers were able to clone NFC data from victims’ physical payment cards using NGate and relay this data to an attacker device that was then able to emulate the original card and withdraw money from an ATM.
This is the first time we have seen Android malware with this capability being used in the wild.
Victims didn’t have to root their devices.
Discovery
How we find and understand the latent compromises within our environments.
A primer on [Linux] persistence mechanisms
Ruben Groenewoud details a set of persistence techniques which will be useful to detection engineers to ensure they have coverage on Linux.
In this second part of the Linux Detection Engineering series, we'll examine Linux persistence mechanisms in detail, starting with common or straightforward methods and moving toward more complex or obscure techniques. The goal is to educate defenders and security researchers on the foundational aspects of Linux persistence techniques by examining both trivial and more complicated methods, understanding how these methods work, how to hunt for them, and how to develop effective detection strategies.
https://www.elastic.co/security-labs/primer-on-persistence-mechanisms
Reading PCAP Files (Directly) With DuckDB
boB Rudis details how he built a plugin to directly process PCAP files with DuckDB. As this matures it will become a super powerful capability for threat hunting / incident investigation.
We generate a ton of PCAP files at
$DAYJOB
. Since I do not always have to work directly with them, I regularly mix up or forget the varioustshark
,tcpdump
, etc., filters and CLI parameters. While this is less of an issue in the age of LLM/GPTs (just ask local ollama to gen the CLI incantation, and it usually does a good job), each failed command makes me miss Apache Drill just a tad, since it had/has a decent, albeit basic, PCAP reading capability.
https://rud.is/b/2024/08/26/reading-pcap-files-directly-with-duckdb/
Defence
How we proactively defend our environments.
Unveiling Mac Security: A Comprehensive Exploration of Sandboxing and AppData TCC
Zhongquan Li provides a hyper-detailed analysis of the Apple security underlying components. Understanding that this is one human there is some adage to the fact that attackers will often understand the system better than those that designed and built it to devastating impact.
Goals:
Analyze and exploit macOS userland vulnerabilities to identify fuzzing targets
Bypass all user space security mechanisms to gain full control of the computer
Findings:
So far, over 40 exploitable logic vulnerabilities have been discovered since July 2023.
An unexpected journey into Microsoft Defender's signature World
A detailed reverse engineering effort against Microsoft Defender’s signature structures.
In this analysis we investigated how MDA manages its signatures, with a focus on PEHSTR and PEHSTR_EXT. Armed with this knowledge, in the context of adversary emulation, we can now write an artifact that triggers a specific detection or we could repurpose a detected artifact to evade a particular signature. Of course a proper emulation goes beyond a pattern based detection, but nevertheless it's an interesting case study to showcase the importance of understanding the internals of security solutions.
https://retooling.io/blog/an-unexpected-journey-into-microsoft-defenders-signature-world
Incident Writeups & Disclosures
How they got in and what they did.
We found North Korean engineers in our application pile. Here's what our ex-CIA co founders did about it
Declan Cummings discloses Cinder had North Korean software engineers apply.
https://www.cinder.co/blog-posts/north-korean-engineers-in-our-application-pile
Vulnerability
Our attack surface.
Rethinking the Security Threats of Stale DNS Glue Records
Yunyi Zhang, Baojun Liu, Haixin Duan, Min Zhang, Xiang Li, Fan Shi, Chengxi Xu and Eihal Alowaishe highlight a rather large and knotty challenge.
This paper undertakes the first systematic exploration of the potential threats posed by DNS glue records, uncovering significant real-world security risks. We empirically identify that 23.18% of glue records across 1,096 TLDs are outdated yet still served in practice. More concerningly, through reverse engineering 9 mainstream DNS implementations (e.g., BIND 9 and Microsoft DNS), we reveal manipulable behaviors associated with glue records. The convergence of these systemic issues allows us to propose the novel threat model that could enable large-scale domain hijacking and denial-of-service attacks. Furthermore, our analysis determines over 193,558 exploitable records exist, placing more than 6 million domains at risk.
The core issue of the stale glue threat lies in managing glue records by registrars and registries. Upon the registrar’s comprehensive cleanup of all invalid glue records, attackers will lose their avenue of attack. Therefore, we recommend that registrars and registries establish or refine their strategies to promptly clean up stale glue records. On the other hand, the undocumented and improper operations of registrars on expired domain names have introduced direct attack vectors into TLD zone files. These operations should be standardized, and the incorrectly introduced glue records should be removed.
https://www.usenix.org/system/files/usenixsecurity24-zhang-yunyi-rethinking.pdf
CVE-2024-44070: bgpd: Check the actual remaining stream length before taking TLV
Amazon found a vulnerability in bgpd.
https://github.com/FRRouting/frr/pull/16497
Offense
Attack capability, techniques and trade-craft.
USP
Graham Helton provides a capability detection engineering teams will want to ensure coverage of.
Establishes persistence on a Linux system by creating a udev rule that triggers the execution of a specified payload (binary or script)
https://github.com/grahamhelton/USP
Shikata ga nai
Ege Balcı released this capability 4 years ago, covering now to ensure awareness and coverage given ongoing development and recent coverage.
Shikata ga nai (仕方がない) encoder ported into go with several improvements - SGN is a polymorphic binary encoder for offensive security purposes such as generating statically undetecable binary payloads.
https://github.com/EgeBalci/sgn
Rustlantis: Randomized Differential Testing of the Rust Compiler
Qian (Andy) Wang and Ralf Jung detail their journey in ensuring correctness in Rust. However there is malicious potential right here building on their capability to generate MIR, be it causing pain to reverse engineering tooling or otherwise.
To avoid having to deal with Rust’s strict type and borrow checker, Rustlantis directly generates MIR, the central IR of the Rust compiler for optimizations
Exploitation
What is being exploited.
Local Networks Go Global When Domain Names Collide
Brian Krebs details what might be described as active exploitation of this vulnerability.
When Caturegli discovered an encryption certificate being actively used for the domain memrtcc.ad, the domain was still available for registration. He then learned the .ad registry requires prospective customers to show a valid trademark for a domain before it can be registered.
Undeterred, Caturegli found a domain registrar that would sell him the domain for $160, and handle the trademark registration for another $500 (on subsequent .ad registrations, he located a company in Andorra that could process the trademark application for half that amount).
Caturegli said that immediately after setting up a DNS server for memrtcc.ad, he began receiving a flood of communications from hundreds of Microsoft Windows computers trying to authenticate to the domain. Each request contained a username and a hashed Windows password, and upon searching the usernames online Caturegli concluded they all belonged to police officers in Memphis, Tenn.
https://krebsonsecurity.com/2024/08/local-networks-go-global-when-domain-names-collide/
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
ARADI and LLAMA: Low-Latency Cryptography for Memory Encryption
from NSA
In this paper, we describe a low-latency block cipher (Aradi) and authenticated encryption mode (Llama) intended to support memory encryption applications.
https://eprint.iacr.org/2024/1240.pdf
A reference of Windows API function calls
tetsuo has added templates for 24 process injection techniques to this reference.
https://github.com/7etsuo/windows-api-function-cheatsheets?cachebuster=123456
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Aggregate reporting
Nothing overly standout this week.
Directing Responses Against Illicit Influence Operations (D-RAIL)
Artificial intelligence
Telecom Threat Intelligence Summit 2024 (TTIS 2024) conference videos
Day 1:
Day 2:
Books
Events
CyberWarCon - November 22nd, Virginia, USA
Botconf 2025 - Call for Papers - December 20th, 2024, France
Computational Legal Studies 2024, From Shannon to Opus: Legal Studies in the Age of Large Corporate Models - 12th- 13th September, Singapore
Unless stated otherwise, linked or referenced content does not necessarily represent the views of the NCSC and reference to third parties or content on their websites should not be taken as endorsement of any kind by the NCSC. The NCSC has no control over the content of third party websites and consequently accepts no responsibility for your use of them.
This newsletter is subject to the NCSC website terms and conditions which can be found at https://www.ncsc.gov.uk/section/about-this-website/terms-and-conditions and you can find out more about how will treat your personal information in our privacy notice at https://www.ncsc.gov.uk/section/about-this-website/privacy-statement.