CTO at NCSC Summary: week ending September 22nd
36% rate cybersecurity as their top compliance improvement priority, followed by data privacy (35%)..
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week nothing overly of note … with the exception of the call to arms to address a rather large Chinese covert network.
In the high-level this week:
NCSC and partners issue advice to counter China-linked campaign targeting thousands of devices - The UK’s National Cyber Security Centre (NCSC) – a part of GCHQ announces - “The UK and international allies are urging individuals and organisations to take protective action after exposing a global network of compromised internet-connected devices operated by a China-linked company and used for malicious purposes.”
Cyber security skills in the UK labour market 2024 - Department for Science, Innovation and Technology announces - “Across the economy, around half (44%) of businesses have skills gaps in basic technical areas. Incident management skills gaps have increased from 27% in 2020 to 48% in 2024.”
Audit of the Department of Justice’s Strategy to Combat and Respond to Ransomware Threats and Attacks - Department of Justice audits - “we found the Department lacked impactful metrics for measuring success against ransomware and that it could improve compliance with its deconfliction policy for ransomware. We also found that the FBI-led National Cyber Investigative Joint Task Force (NCIJTF) Criminal Mission Center, which was responsible for coordinating whole-of-government ransomware plans in 2021 and 2022, did not produce meaningful outcomes in combatting ransomware and that its role in this area has been undefined since Congress created the JRTF in 2022.”
Craigslist Founder Pledges $100 Million to Boost U.S. Cybersecurity - The Wall Street Journal reports - “Half the money will go toward protecting infrastructure such as power grids from cyberattacks. The other half will go toward educating people about the importance of simple safeguards that are often ignored, such as using password managers and updating software. “
Working Title: UnDisruptable27 Driving More Resilient Lifeline Critical Infrastructure for Our Communities - Institute for Security & Technology announces - “With $700,000 in initial seed funding from Craig Newmark Philanthropies, UnDisruptable27 will run a pilot project focusing on the nexus of water and urgent care. This initiative is an integral part of Craig Newmark’s Cyber Civil Defense initiative, which focuses on bringing broad elements of society to bear to defend people, organizations, communities, and nations from cyber insecurity.”
Effective compliance: Perspectives from the regulator -Australian Securities & Investment Commission keynotes - “36% rate cybersecurity as their top compliance improvement priority, followed by data privacy (35%).”
This Army division just ran cybersecurity for a far-away brigade - US Army announces - “One of the Army’s most modernized armored brigades and its parent division recently conducted the service’s first long-range, fully remote cybersecurity operation at the division level.”
Joint ODNI, FBI, and CISA Statement - Director of National Intelligence announces - "Iranian malicious cyber actors have continued their efforts since June to send stolen, non-public material associated with former President Trump’s campaign to U.S. media organizations."
Snowflake Strengthens Security with Default Multi-Factor Authentication and Stronger Password Policies - Snowflake announces - this is post an incident in May/June - will others now follow? Interesting it (MFA) isn’t retrospective…
Semiconductors
Semicon India: Modi touts goal to become chipmaking powerhouse - Nikkei Asia reports - Modi spoke before an audience of guests from major chip firms worldwide. India "will do whatever is necessary to become a semiconductor powerhouse," Modi said.
Chinese DRAM supply offensive is serious… - ZDNet Korea reports - “According to industry sources on the 5th, there are concerns that Samsung Electronics and SK Hynix's legacy DRAM businesses will see a decline in profitability due to the rapid expansion of production capacity by Chinese memory companies.”
YMTC Advances Chip Tech With Chinese Tools, TechInsights Says - Bloomberg reports - “The Wuhan-based company recently upgraded its “Xtacking” tech, which stacks memory cells in layers, to a level where its NAND chip performance is on par with the best from industry leaders, TechInsights said in its latest research note.”
Taiwan chip industry suppliers set sail for Japan's 'Silicon Island’ - Nikkei Asia reports - “It is not the only Taiwanese supplier moving into Kyushu, also known in Japan by the aspirational name "Silicon Island." Higo Bank, a local financial institution, reports that at least 72 foreign companies have expanded into Kumamoto prefecture, most of which are Taiwanese.”
ByteDance denies reported plan to make self-designed chips - South China Morning Post reports - “Chinese technology giant ByteDance, the owner of TikTok, has denied reports that it plans to design and produce two types of semiconductors by 2026 to cut reliance on leading US chip designer Nvidia.”
Reporting on/from China
China : Lieutenant-General Bi Yi, Xi Jinping's cyber force weapon of control - Intelligence Online reports - “By choosing trusted officer Bi Yi to command the army's new Information Support Force (ISF), Xi Jinping aims to improve the quality and control of intelligence and information gathered, while also providing a way to keep checks on senior officers' integrity.”
Checking China’s chokeholds - A/symmetric analyzes - “fixing a chokepoint requires far more than making a single breakthrough. Any solution has to be congruent with the existing network of suppliers and manufacturers, and their incentives, cost structures, and business models.”
Artificial intelligence
Readout of White House Roundtable on U.S. Leadership in AI Infrastructure - The White House announces -
The White House is launching a new Task Force on AI Datacenter Infrastructure to coordinate policy across government
The Administration will scale up technical assistance to Federal, state, and local authorities handling datacenter permitting
The Department of Energy (DOE) is creating an AI datacenter engagement team
The US Army Corps of Engineers (USACE) will identify Nationwide Permits that can help expedite the construction of eligible AI datacenters
Proposal for a directive on adapting non-contractual civil liability rules to artificial intelligence: Complementary impact assessment - European Parliament think tanks - “The complementary impact assessment study proposes that the AILD should extend its scope to include general-purpose and other 'high-impact AI systems', as well as software.”
Huawei Ascend AI Cloud Service: The uninterrupted training time for a trillion parameter model has been increased from 2.8 days to 40 days - IT Home reports - “Compared with the industry average, Ascend AI Cloud Service has increased the uninterrupted training time of the trillion-parameter model from 2.8 days to 40 days , and shortened the cluster failure recovery time from 60 minutes to 10 minutes .”
Cyber proliferation
Promoting Accountability for the Misuse of Commercial Spyware - Department of State announces - “the Department of State is taking steps to impose additional visa restrictions on multiple individuals who have been involved in the development or sale of commercial spyware. These individuals have facilitated or derived financial benefit from the misuse of this technology, which has targeted journalists, human rights defenders, activists, and government officials from around the world. “
Treasury Sanctions Enablers of the Intellexa Commercial Spyware Consortium - US Department of Treasury announces - “the Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned five individuals and one entity associated with the Intellexa Consortium for their role in developing, operating, and distributing commercial spyware technology that presents a significant threat to the national security of the United States”
Sandvine to Exit Dozens of Countries, Replace CEO in Revamp - Bloomberg reports - “Sandvine had been in a state of crisis since February, when the Commerce Department placed it on a blacklist for providing “mass web-monitoring and censorship” technology to the Egyptian government. The blacklisting had hampered its ability to win new clients and prevented it from receiving crucial technology components from American suppliers.”
New Criminal Complaint Over Pegasus Spyware Hacking of journalists and activists in the UK - Global Legal Action Network announces - “Four victims of Pegasus spyware in the UK have this week filed a criminal complaint with the Metropolitan Police identifying five accused responsible for the targeted hacking of their phones between 2018 and 2020.”
Bounty Hunting
Chinese National Charged for Multi-Year “Spear-Phishing” Campaign - US Department of Justice announces - “Song Wu, a Chinese national, has been indicted on charges for wire fraud and aggravated identity theft arising from his efforts to fraudulently obtain computer software and source code created by the National Aeronautics and Space Administration (“NASA”), research universities, and private companies.”
US -v- JIA WEI also known as "chansonJW," "JWT," "JWT487," "asmikace," "asmikace3d," "askikace3d," and "haber william" - US Department of Justice unseals - “It was part of the scheme that defendant and co-schemers, including other members of Unit 61786, fraudulently obtained access to Company A's computer network without Company A's authorization to obtain Company A's non-public and proprietary information for the benefit of PRC-based entities” - occurred in 2017, filed in 2022, unsealed in September 2024
Ticketmaster Pays $10 Million Criminal Fine for Intrusions into Competitor’s Computer Systems - Department of Justice announces - “Ticketmaster L.L.C. (Ticketmaster or the Company) agreed to pay a $10 million fine to resolve charges that it repeatedly accessed without authorization the computer systems of a competitor. “
FCC Settles with AT&T for Vendor Cloud Breach - Federal Communications Commission announces - “AT&T used the vendor to generate and host personalized video content, including billing and marketing videos, for AT&T customers. Under AT&T’s contracts, the vendor should have destroyed or returned AT&T customer information when no longer necessary to fulfill contractual obligations, which ended years before the breach occurred. AT&T failed to ensure the vendor: (1) adequately protected the customer information, and (2) returned or destroyed it as required by contract.”
Governments shouldn’t be the cyber insurers of last resort - Financial Times reports - “The escalating global cost of such crime — expected by US officials to exceed $23tn in 2027 — far outstrips the cyber insurance market, at roughly 800 times smaller. Insurers argue that such a vast gap can only be bridged by governments. The case is not clear cut. “
Reflections this week are on two fronts..
The first is data continues to indicate that MFA comprehensively deployed would address ~60% of root caused breaches (CISA’s being the latest) - yet mobilising has yet to happen at scale.
The second is market incentives, as I have been on the road the last couple of weeks talking about it to various audiences. Jen Easterly at CISA also observed this week "The truth is: Technology vendors are the characters who are building problems". At NCSC we are now thinking of the market incentives challenges as a suite of issues. It is increasingly clear to us that market incentives are what will make Secure By Design/Default and Secure By Demand ultimately successful..
How we are thinking of market incentives can be summarised as:
NOT GOVERNMENT POLICY
If the market incentives don’t exist - how else do we get the outcome we want in a sustained manner at the pace and scale required against the threat we face and risk we carry?
All attribution is by others and not the UK Government unless specifically stated as such, please see the legal text at the end.
Have a lovely Saturday..
Ollie
Cyber threat intelligence
Who is doing what to whom and how allegedly.
Reporting on Russia
COLDWASTREL of space
John Southworth alleges a rather expansive infrastructure associated with this Russian threat actor.
Looking for further infrastructure returning this response, we observed 24 unique domains used between 2021 and 2024 which we assess are highly likely related to White Dev 185
https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/coldwastrel-space.html
Reporting on China
Earth Baxia Uses Spear-Phishing and GeoServer Exploit to Target APAC
Ted Lee, Cyris Tseng, Pierre Lee, Sunny Lu and Philip Chen allege this Chinese-originated campaign targeted Taiwan. GeoServer is an open source server that allows users to share and edit geospatial data; the new implant will also be of note..
Threat actor Earth Baxia has targeted a government organization in Taiwan – and potentially other countries in the Asia-Pacific (APAC) region – using spear-phishing emails and the GeoServer vulnerability CVE-2024-36401.
CVE-2024-36401 is a remote code execution exploit that allowed the threat actors to download or copy malicious components.
The threat actor employs GrimResource and AppDomainManager injection to deploy additional payloads, aiming to lower the victim’s guard.
Customized Cobalt Strike components were deployed on compromised machines through the two initial access vectors. The altered version of Cobalt Strike included modified internal signatures and a changed configuration structure for evasion.
Earth Baxia also used a new backdoor named EAGLEDOOR, which supports multiple communication protocols for information gathering and payload delivery.
https://www.trendmicro.com/en_us/research/24/i/earth-baxia-spear-phishing-and-geoserver-exploit.html
APT Lurking in Shadows of IT
John Dwyer and Eric Gonzalez show that China allegedly has operators of a certain vintage who are familiar with AIX.
Attacker accesses one of the AIX servers using the default credentials for the Apache AXIS Admin portal
Attacker leverages the upload function of the AXIS admin portal to introduce the AxisInvoker web shell
Attacker harvests Kerberos data from the AIX server
Attacker uploads requisite SSH keys and accesses the AIX server via SSH
DragonRank, a Chinese-speaking SEO manipulator service provider
Joey Chen discloses an alleged Chinese threat actor who is compromising websites to help with their SEO campaign.
Cisco Talos is disclosing a new threat called “DragonRank” that primarily targets countries in Asia and a few in Europe, operating PlugX and BadIIS for search engine optimization (SEO) rank manipulation.
DragonRank exploits targets’ web application services to deploy a web shell and utilizes it to collect system information and launch malware such as PlugX and BadIIS, running various credential-harvesting utilities.
Their PlugX not only used familiar sideloading techniques, but the Windows Structured Exception Handling (SEH) mechanism ensures that the legitimate file can load the PlugX without raising suspicion.
We have confirmed more than 35 IIS servers had been compromised and deployed the BadIIS malware across a diverse array of geographic regions, including Thailand, India, Korea, Belgium, Netherlands and China in this campaign.
Talos also discovered DragonRank’s commercial website, business model and instant message accounts. We used this information to assess with medium to high confidence the DragonRank hacking group is operated by a Simplified Chinese-speaking actor.
The threat actor engages in SEO manipulation by altering or exploiting search engine algorithms to improve a website's ranking in search results. They conduct these attacks to drive traffic to malicious sites, increase the visibility of fraudulent content, or disrupt competitors by artificially inflating or deflating rankings.
https://blog.talosintelligence.com/dragon-rank-seo-poisoning/
Reporting on North Korea
Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors
Yoav Zemah details an alleged operation and evolution in capability by this North Korean threat actor. There is a fundamental question on how we secure these software distribution mechanisms used by developers as it is clear threat actors are not giving up trying to use them.
[We] have been tracking the activity of an ongoing poisoned Python packages campaign delivering Linux and macOS backdoors via infected Python software packages. We’ve named these infected software packages PondRAT. We’ve also found Linux variants of POOLRAT, a known macOS remote administration tool (RAT) previously attributed to Gleaming Pisces (aka Citrine Sleet, distributor of AppleJeus). Based on our research into both RAT families, we assess that the new PondRAT is a lighter version of POOLRAT.
https://unit42.paloaltonetworks.com/gleaming-pisces-applejeus-poolrat-and-pondrat/
Targeted Attacks Amid FBI Warnings
Jamf Threat Labs observes the end to end chain of this alleged North Korean threat actor. The tradecraft is broadly speaking a well trodden one but useful to understand the 2024 incarnation..
Jamf Threat Labs noted an attack attempt in which a user was contacted on LinkedIn by an individual claiming to be a recruiter on the HR team at a tech company that specializes in decentralized finance.
..
In the observed scenario, the recruiter sent a zipped coding challenge to the target (51a88646f9770e09b3505bd5cbadc587abb952ba), which is considered to be a fairly common step in the screening processes of a modern day development role. This coding challenge came in the form of a Visual Studio project that has the developer focus on converting Slack messages to CSV format in C#. However, buried within two separate csproj files are malicious bash commands that both download a second stage payload.
https://www.jamf.com/blog/jamf-threat-labs-observes-targeted-attacks-amid-fbi-warnings/
An Offer You Can Refuse: UNC2970 Backdoor Deployment Using Trojanized PDF Reader
Marco Galli, Diana Ion, Yash Gupta, Adrian Hernandez, Ana Martinez Gomez, Jon Daniels and Christopher Gardner detail another alleged campaign from North Korea. Note the WhatsApp element..
UNC2970 engaged with the victim over email and WhatsApp and ultimately shared a malicious archive that is purported to contain the job description in PDF file format. The PDF file has been encrypted and can only be opened with the included trojanized version of SumatraPDF to ultimately deliver MISTPEN backdoor via BURNBOOK launcher.
https://cloud.google.com/blog/topics/threat-intelligence/unc2970-backdoor-trojanized-pdf-reader
Code of Conduct: DPRK’s Python-fueled intrusions into secured networks
Colson Wilhoit details yet another slight variation by alleged North Korean threat actors..
The sophistication of DPRK's social engineering tactics often involves long-term persona development and targeted narratives.
The use of Python for its ease of obfuscation, extensive library support, and ability to blend with legitimate system activities.
…
This sample is distributed under the guise of a Python coding challenge for a “Capital One” job interview. It contains a known Python module that appears innocent on the surface. This module includes standard clipboard management functionality but also harbors obfuscated code capable of exfiltrating data and executing arbitrary commands.
https://www.elastic.co/security-labs/dprk-code-of-conduct
Reporting on Iran
Analysis of Fox Kitten Infrastructure Reveals Unique Host Patterns and Potentially New IOCs
Matt Lembright builds on the original FBI and CISA advisory with further infrastructure attributed to this alleged Iranian threat actor. It shows the value of good data and good analytical skills..
Find active hosts not mentioned in the Advisory that have:
Matching patterns and Autonomous Systems (ASs) as Hosts D, E, & G from the report, and could be part of the same infrastructure to possibly be used in future attacks
Matching domain IOCs to Host G and matching ASs to Hosts J & C from the report and could be part of the same infrastructure to possibly be used in future attacks
Identify timeframes outside of those specified in the Advisory where IOC hosts appear similar or identical to the timeframes of nefarious activities, possibly indicating previously unknown durations of threat activity
Find current certificates with matching domain IOCs that could be used on future hosts.
Reporting on Other Actors
“Marko Polo” Navigates Uncharted Waters With Infostealer Empire
Insikt Group shows that for some the secret ingredient is crime.. Scale is of note here.
Following Insikt Group investigations into other projects attributed to Marko Polo, like Astration and Vortax, Insikt Group analysis has uncovered over 30 new and distinct scams, 50 unique malware payloads, dozens of malicious domains, and hundreds of fraudulent social media accounts linked to the Marko Polo operation.
https://go.recordedfuture.com/hubfs/reports/cta-2024-0917.pdf
The Curious Case Of MutantBedrog’s Trusted-Types CSP Bypass
Eliya Stein details that this threat actor knows a thing or two about client side web technologies and how they can go wrong. Also that malvertising is still a thing..
MutantBedrog is a malvertiser that caught our attention early summer ’24 for their highly disruptive forced redirect campaigns and the unique JavaScript payload that they use to fingerprint devices and dispatch invasive redirections.
Reflecting on our analysis of this malicious payload, and particularly this CSP bypass, we’ve landed on a few important take-aways:
Highly adept cybercriminals like MutantBedrog continue to push technical boundaries in surprising ways, going as far as understanding browser security at the specification level, in order to orchestrate sophisticated payloads that are optimized to work under multiple edge cases.
CSPs are a powerful tool that can be leveraged to combat all kinds of XSS and injection attacks, but are tough to get right, especially when it comes to same-origin threats like those that might leak in from an ad serving environment.
https://blog.confiant.com/the-curious-case-of-mutantbedrogs-trusted-types-csp-bypass-950b19a38b4f
Discovery
How we find and understand the latent compromises within our environments.
Monitoring High Risk Azure Logins
David Perez gives some practical advice in detection tradecraft 101..
The most common false positives I have seen so far are from users signing in from mobile devices or from different IP addresses due to them being on travel. True positives seem to stick out like a sore thumb, whereas a user is most often seen signing in from a Windows machine, and then suddenly they are seen using a Mac in a different country.
https://www.blackhillsinfosec.com/monitoring-high-risk-azure-logins/
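The rule the post describes (tolerate a new device type or a new country on its own, flag a user who changes both at once) as an added example. This is not code from the Black Hills post; the sign-in records are constructed in the shape of a trimmed Entra ID sign-in log, and the field names and the baseline threshold are assumptions for illustration.

```python
"""Flag Entra ID sign-ins that deviate from a user's observed baseline.

Added example, not from the Black Hills post. Baseline = every OS and
country the user has been seen with so far. A single changed attribute
(phone OS, travel) is the common false positive the post describes and is
tolerated; OS and country changing together is what sticks out.
"""
from collections import defaultdict

# Constructed sample sign-ins, in time order; not real data.
SIGNINS = [
    {"user": "alice@example.com", "os": "Windows", "country": "GB", "ip": "203.0.113.10"},
    {"user": "alice@example.com", "os": "Windows", "country": "GB", "ip": "203.0.113.11"},
    {"user": "alice@example.com", "os": "iOS", "country": "GB", "ip": "198.51.100.7"},    # phone, same country
    {"user": "alice@example.com", "os": "Windows", "country": "FR", "ip": "192.0.2.44"},   # travel, usual OS
    {"user": "alice@example.com", "os": "MacOS", "country": "BR", "ip": "192.0.2.99"},     # new OS AND new country
    {"user": "bob@example.com", "os": "Windows", "country": "US", "ip": "203.0.113.50"},
    {"user": "bob@example.com", "os": "MacOS", "country": "US", "ip": "203.0.113.51"},     # too little history to judge
]


def find_high_risk_signins(signins, min_baseline=2):
    """Return sign-ins where both OS and country are new for that user.

    min_baseline (assumed value) is how many prior sign-ins a user needs
    before deviations are scored; with no history everything is 'new'.
    """
    seen_os = defaultdict(set)
    seen_country = defaultdict(set)
    history = defaultdict(int)
    hits = []
    for ev in signins:
        u = ev["user"]
        if history[u] >= min_baseline:
            new_os = ev["os"] not in seen_os[u]
            new_country = ev["country"] not in seen_country[u]
            if new_os and new_country:
                hits.append({**ev, "reason": "new OS and new country"})
        # Update the baseline after scoring so an event never vouches for itself.
        seen_os[u].add(ev["os"])
        seen_country[u].add(ev["country"])
        history[u] += 1
    return hits


def baseline_summary(signins):
    """Per-user view of what the detector has learned, for analyst triage."""
    summary = defaultdict(lambda: {"os": set(), "country": set()})
    for ev in signins:
        summary[ev["user"]]["os"].add(ev["os"])
        summary[ev["user"]]["country"].add(ev["country"])
    return {u: {k: sorted(v) for k, v in s.items()} for u, s in summary.items()}


if __name__ == "__main__":
    for hit in find_high_risk_signins(SIGNINS):
        print(f"{hit['user']}: {hit['os']} from {hit['country']} ({hit['ip']}) - {hit['reason']}")
    print(baseline_summary(SIGNINS))
```

In production the baseline would be learned over a rolling window from the `userPrincipalName`, `deviceDetail.operatingSystem` and `location.countryOrRegion` fields of the sign-in log rather than from an in-memory list, and the country check should account for VPN egress.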
Detecting Abuse of NetSupport Manager
Corelight Labs shows once more that network level detection is not dead..
Corelight Labs developed Zeek logic to help detect malicious use of NetSupport. Through partner networks in our Polaris Program, we used this logic to find multiple infections occurring in 2024 with zero false-positives, despite the large size and complexity of the networks.
https://corelight.com/blog/detecting-netsupport-manager-abuse
ScriptBlock Smuggling
Stephan Berger finds even when logging is subverted there are enough forensic traces to be useful.
Recently, BC-Security presented a new technique with which PowerShell code can be executed in such a way that it no longer appears in the script block log:
ScriptBlock Smuggling allows an attacker to spoof any arbitrary message into the ScriptBlock logs while bypassing AMSI. To make things more interesting, it also does not require any reflection or memory patching to be executed.
In this blog post, we take a closer look at this technique, particularly which forensic traces we find when attackers utilize ScriptBlock Smuggling.
https://dfir.ch/posts/scriptblock_smuggling/
Enhance your Cyber Threat Intelligence with the Admiralty System
Freddy Murstad reminds the world of the analytical discipline in intelligence production..
The Admiralty System was originally designed for naval intelligence in the early 20th century and has since been adapted by intelligence agencies worldwide. The system was developed to ensure the information and intelligence received by the Admiralty in the British Royal Navy (hence the name ‘Admiralty System') were uniform and standardized. This allowed them to compare the various pieces of information – often received weeks or months apart – about the same observation.
https://www.sans.org/blog/enhance-your-cyber-threat-intelligence-with-the-admiralty-system/
Defence
How we proactively defend our environments.
Taking steps that drive resiliency and security for Windows customers
David Weston outlines the future in a post-CrowdStrike world..
On Tuesday, Sept. 10, we hosted the Windows Endpoint Security Ecosystem Summit. This forum brought together a diverse group of endpoint security vendors and government officials from the U.S. and Europe to discuss strategies for improving resiliency and protecting our mutual customers’ critical infrastructure.
..
Both our customers and ecosystem partners have called on Microsoft to provide additional security capabilities outside of kernel mode which, along with SDP, can be used to create highly available security solutions. At the summit, Microsoft and partners discussed the requirements and key challenges in creating a new platform which can meet the needs of security vendors.
Incident Writeups & Disclosures
How they got in and what they did.
Nothing this week
Vulnerability
Our attack surface.
CloudImposer: Executing Code on Millions of Google Servers with a Single Malicious Package
Liv Matan shows what hyper vulnerability looks like in 2024..
Tenable Research discovered an RCE vulnerability we dubbed CloudImposer that could have allowed a malicious attacker to run code on potentially millions of servers owned by Google and by its customers.
Tenable Research discovered CloudImposer after finding documentation from GCP and the Python Software Foundation that could have put customers at risk of a supply chain attack called dependency confusion. The affected GCP services are App Engine, Cloud Function, and Cloud Composer. This research shows that although the dependency confusion attack technique was discovered several years ago, there’s a surprising and concerning lack of awareness about it and about how to prevent it even among leading tech vendors like Google.
Supply chain attacks in the cloud are exponentially more harmful than on premises. For example, one malicious package in a cloud service can be deployed to – and harm – millions of users.
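Why the documented installation pattern is dangerous, as an added example that is neither Tenable's research code nor Google's. The point is mechanical: pip treats a private index given via `--extra-index-url` as an equal peer of public PyPI and installs the highest version of a name found on any index, so registering the same name publicly with a large version number wins. The two index catalogues, package names and versions below are constructed.

```python
"""Dependency confusion with --extra-index-url, and a guarded resolver.

Added example, not from Tenable or Google. The catalogues and requirement
list are constructed; the resolution rule (highest version across all
indexes, no index priority) is pip's documented behaviour.
"""

PRIVATE_INDEX = {
    "acme-internal-utils": ["1.2.0", "1.3.0"],
    "acme-auth": ["0.9.1"],
}
PUBLIC_INDEX = {
    "requests": ["2.31.0", "2.32.3"],
    "acme-internal-utils": ["99.0.0"],  # constructed: attacker-registered squat of an internal name
}
REQUIREMENTS = ["acme-internal-utils", "acme-auth", "requests"]


def parse_version(v):
    """Sufficient for the dotted-integer versions used here (not full PEP 440)."""
    return tuple(int(p) for p in v.split("."))


def resolve(requirement, indexes):
    """Mimic pip with --extra-index-url: merge candidates from every index and
    take the highest version. `indexes` is a list of (label, catalogue); the
    order confers no priority, which is exactly the problem."""
    candidates = [
        (parse_version(v), v, label)
        for label, catalogue in indexes
        for v in catalogue.get(requirement, [])
    ]
    if not candidates:
        raise LookupError(f"{requirement}: not found on any index")
    _, version, label = max(candidates)
    return version, label


def audit(requirements, private, public):
    """Return {name: version} for each requirement the private index owns that
    would nevertheless be installed from the public index."""
    indexes = [("private", private), ("public", public)]
    hijacked = {}
    for req in requirements:
        version, label = resolve(req, indexes)
        if req in private and label == "public":
            hijacked[req] = version
    return hijacked


def hardened_resolve(requirement, private, public, pins):
    """Guarded resolution: names the private index owns are taken only from it
    and only at the exact pinned version (in practice hash-pinned as well);
    public PyPI is consulted solely for names the private index does not carry."""
    if requirement in private:
        pinned = pins.get(requirement)
        if pinned not in private[requirement]:
            raise LookupError(f"{requirement}: pin {pinned!r} is not on the private index")
        return pinned, "private"
    return resolve(requirement, [("public", public)])


if __name__ == "__main__":
    print("would be hijacked:", audit(REQUIREMENTS, PRIVATE_INDEX, PUBLIC_INDEX))
    pins = {"acme-internal-utils": "1.3.0", "acme-auth": "0.9.1"}
    for req in REQUIREMENTS:
        print(req, "->", hardened_resolve(req, PRIVATE_INDEX, PUBLIC_INDEX, pins))
```

The equivalent operational fixes are to point `--index-url` at a private index that proxies PyPI (so there is one resolution authority), to pin internal packages by version and hash, and to register internal package names on public PyPI before someone else does.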
Offense
Attack capability, techniques and trade-craft.
Hidden in Plain Sight: Abusing Entra ID Administrative Units for Sticky Persistence
Katie Knowles shows that ‘by design’ can still complicate a cyber defence life..
Entra ID Administrative Units (AUs) allow scoped role assignment of an Entra ID role over a subset of Entra ID users, groups, and devices, instead of over the whole tenant.
AUs contain security-relevant features that can assist in hardening an Entra ID tenant.
Restricted management AUs allow only users with scoped role assignments over that specific AU to modify its members. Tenant-level roles cannot modify AU members.
HiddenMembership AUs hide their membership from all users, unless they are a member of the AU or have a specific role assignment.
An attacker with privileged access can use these features to maintain concealed privileges over Entra ID objects through hidden membership AUs, or lock down attacker-controlled accounts through restricted management AUs.
We do not believe these techniques represent a vulnerability or misconfiguration in Entra ID or the AU feature, as it constitutes "by design" use of Entra ID AUs.
https://securitylabs.datadoghq.com/articles/abusing-entra-id-administrative-units/
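Because both features are legitimate, the defensive question is simply whether every principal holding a scoped role over a hidden-membership or restricted-management AU is one the tenant owners recognise. An added audit over that question follows; it is not Datadog's tooling. The records are constructed in the shape of Microsoft Graph `administrativeUnit` objects (`visibility`, which is null or "HiddenMembership", and `isMemberManagementRestricted`, as I understand the schema) and of scoped role assignments whose `directoryScopeId` is `/administrativeUnits/<id>`; the allowlist of known admins is an assumption.

```python
"""Review Entra ID administrative units for hidden membership and restricted
management, and check who holds scoped roles over them.

Added example, not Datadog's code. Input is constructed to resemble paged
results of GET /administrativeUnits and
GET /roleManagement/directory/roleAssignments; a live audit would fetch them.
"""
import json

ADMIN_UNITS = json.loads("""[
 {"id": "au-ops", "displayName": "Operations", "visibility": null, "isMemberManagementRestricted": false},
 {"id": "au-exec", "displayName": "Executives", "visibility": "HiddenMembership", "isMemberManagementRestricted": false},
 {"id": "au-breakglass", "displayName": "Break Glass", "visibility": "HiddenMembership", "isMemberManagementRestricted": true},
 {"id": "au-hr", "displayName": "HR", "visibility": null, "isMemberManagementRestricted": true}
]""")

# Constructed scoped role assignments; "/" is a tenant-wide scope.
ROLE_ASSIGNMENTS = [
    {"principalId": "user-ops-admin", "roleName": "User Administrator",
     "directoryScopeId": "/administrativeUnits/au-ops"},
    {"principalId": "user-breakglass-admin", "roleName": "Privileged Authentication Administrator",
     "directoryScopeId": "/administrativeUnits/au-breakglass"},
    {"principalId": "user-global-admin", "roleName": "Global Administrator",
     "directoryScopeId": "/"},
    {"principalId": "svc-unknown", "roleName": "Privileged Authentication Administrator",
     "directoryScopeId": "/administrativeUnits/au-exec"},
]

# Assumed allowlist of principals the tenant owners expect to hold AU-scoped roles.
KNOWN_ADMINS = {"user-ops-admin", "user-breakglass-admin", "user-global-admin"}


def au_scope(au_id):
    return f"/administrativeUnits/{au_id}"


def review_admin_units(admin_units, role_assignments, known_admins):
    """One finding per AU that uses either feature.

    needs_attention is set when an unrecognised principal holds a scoped role
    (possible concealed privilege) or when a restricted-management AU has no
    scoped admin at all (tenant-level roles cannot manage its members, so
    nobody the tenant knows about can)."""
    findings = []
    for au in admin_units:
        hidden = au.get("visibility") == "HiddenMembership"
        restricted = bool(au.get("isMemberManagementRestricted"))
        if not (hidden or restricted):
            continue
        scoped = [ra for ra in role_assignments if ra["directoryScopeId"] == au_scope(au["id"])]
        principals = sorted(ra["principalId"] for ra in scoped)
        unknown = sorted(p for p in principals if p not in known_admins)
        findings.append({
            "au": au["displayName"],
            "hidden_membership": hidden,
            "restricted_management": restricted,
            "scoped_principals": principals,
            "unrecognised_principals": unknown,
            "needs_attention": bool(unknown) or (restricted and not scoped),
        })
    return findings


if __name__ == "__main__":
    for f in review_admin_units(ADMIN_UNITS, ROLE_ASSIGNMENTS, KNOWN_ADMINS):
        flag = "!!" if f["needs_attention"] else "ok"
        print(f"[{flag}] {f['au']}: hidden={f['hidden_membership']} restricted={f['restricted_management']} "
              f"scoped={f['scoped_principals']} unknown={f['unrecognised_principals']}")
```

Membership of a hidden AU is still visible to callers with a suitable directory role via Graph, so the same script can be extended to enumerate members and compare them against the principals that were expected to be in scope.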
Extracting Credentials From Windows Logs
When logging goes adverse..
During a recent engagement, I observed a lot of members of a particular organization authenticating with remote systems and services over the commandline with username and password in plaintext. This ranged from domain administrators using the net user command to create user accounts and update passwords to database administrators managing their instances with commandline tools.
The security operations team had configured the active directory connected systems to record 4688 logs and ship those off to a centralized server. This resulted in a consolidated repository of all applications executed in the environment along with the commandline arguments. This is great for threat detection; however, it can also be leveraged by adversaries to find plaintext credentials.
https://practicalsecurityanalytics.com/extracting-credentials-from-windows-logs/
Exploitation
What is being exploited.
Skeleton Cookie: Breaking into Safeguard with CVE-2024-45488
David Cash and Richard Warren evidence once more that security products != secure product always..
We crack open an authentication bypass vulnerability we discovered in the Safeguard for Privileged Passwords product. This vulnerability, assigned CVE-2024-45488, is internally known as “Skeleton Cookie”. We’ll demonstrate how this vulnerability can be exploited to gain full administrative access to the virtual appliance. From there, an attacker can extract passwords and achieve Remote Code Execution.
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
The Illusion of Randomness: An Empirical Analysis of Address Space Layout Randomization Implementations
Lorenzo Binosi, Gregorio Barzasi, Michele Carminati, Stefano Zanero and Mario Polino touch on a subject close to my heart..
The results show that while some systems, like Linux distributions, provide robust randomization, others, like Windows and MacOS, often fail to adequately randomize key areas like executable code and libraries. Moreover, we find a significant reduction in the entropy of libraries after the Linux 5.18 version and identify correlation paths that an attacker could leverage to reduce exploitation complexity significantly. Ultimately, we rank the identified weaknesses based on severity and validate our entropy estimates with a proof-of-concept attack. In brief, this paper provides the first comprehensive evaluation of ASLR effectiveness across different operating systems and highlights opportunities for Operating System (OS) vendors to strengthen ASLR implementations.
https://arxiv.org/abs/2408.15107
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Aggregate reporting
A Visual Exploration of Exploits in the Wild - The Inaugural Study of EPSS Data and Performance
Advanced Persistent Threat Attack Detection Systems: A Review of Approaches, Challenges, and Trends
Rasmussen and practical drift - Drift towards danger and the normalization of deviance
The Cynical Genius Illusion: Exploring and Debunking Lay Beliefs About Cynicism and Competence
Artificial intelligence
Books
Chasing Shadows - “provides a gripping account of how the Citizen Lab, the world’s foremost digital watchdogs, uncovered dozens of cyber espionage cases in countries around the world.”
Events
Unless stated otherwise, linked or referenced content does not necessarily represent the views of the NCSC and reference to third parties or content on their websites should not be taken as endorsement of any kind by the NCSC. The NCSC has no control over the content of third party websites and consequently accepts no responsibility for your use of them.
This newsletter is subject to the NCSC website terms and conditions which can be found at https://www.ncsc.gov.uk/section/about-this-website/terms-and-conditions and you can find out more about how we will treat your personal information in our privacy notice at https://www.ncsc.gov.uk/section/about-this-website/privacy-statement.