CTO at NCSC Summary: week ending September 15th
1 million devices compromised in a single campaign.
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week nothing overly of note beyond 1 million devices compromised in a single campaign.
In the high-level this week:
Data centres to be given massive boost and protections from cyber criminals and IT blackouts - UK;s Department of Science Innovation and Technology announces - “Critical National Infrastructure designation will allow the government to support the sector in the event of critical incidents, minimising impacts on the economy.” ... “Critical National Infrastructure status will also deter cyber criminals from targeting data centres that may house vital health and financial data, minimising disruption to people’s lives, the NHS and the economy.”
ICO and NCA sign memorandum of understanding for further collaboration on cyber security - UK’s Information Commissioner’s Office announces - “Specifically, we are working more closely with the NCA to ensure organisations are signposted to relevant bodies, such as the National Cyber Security Centre (NCSC), and are empowered to report cyber crime at the earliest opportunity.”
SBOMs and the importance of inventory - UK’s National Cyber Security Centre publishes - “an SBOM does not guarantee that your software supply chain is secure. It is simply a tool which, if used correctly, can help create the transparent inventory needed to help secure the supply chain.”
Digital twins: secure design and development - UK’s National Cyber Security Centre publishes - ”Although the NCSC has not published guidance on digital twins, we have published several collections that are directly relevant to their secure development and operation.”
8th UK-Japan Cyber Dialogue - Foreign Commonwealth & Development Office announces - “Both chairs agreed to strengthen cooperation under the May 2023 UK-Japan Cyber Partnership as a linchpin of the wider global strategic partnership. Both sides affirmed that the 2 countries will continue to meet under the Cyber Dialogue.”
CISA Releases Analysis of FY23 Risk and Vulnerability Assessments - CISA releases - based on 143 assessments - key bits here are around initial access:
41.28% - valid accounts i.e. multi-factor/passkeys would have mitigated
26.30% - spear phishing leading to credentials etc. i.e. multi-factor/passkeys would have mitigated in some instances
Countries strengthening cybersecurity efforts, but increased action still required - United Nations ITU ranks - “The report places 46 countries in Tier 1, the highest of the five tiers, reserved for “role modelling" countries that demonstrate a strong commitment in all five cybersecurity pillars. “
Executive Perspectives on Top Risks for 2024 and 2034 - Protiviti surveys - #3 is cyber 2024 raising to #1 in 2034 with “Existing operations and legacy IT infrastructure unable to meet performance expectations as well as “born digital” competitors” #7 today.
Nightsleeper cast and creatives discuss the shocking premise behind the heart-in-mouth thriller - BBC teases - “Nightsleeper is a real-time thriller for BBC iPlayer and BBC One. Created by BAFTA-winning writer Nick Leather, it is a six-part series in which a train is ‘hackjacked’ and driven through one single night from Glasgow to London on an uncertain journey.” … “Leading the fight are Joe Roag, a cop who is a passenger on the train and Abby Aysgarth, the acting technical director at the National Cyber Security Centre (NCSC).”
What Next for the UK–Japan Cyber Partnership? - RUSI ponders - The paper makes the following recommendations:
Capability development.
Public–private partnerships (PPPs).
Advancing shared international interests.
Cyber-resilient ecosystems.
Disjointed Cyber Warfare: Internal Conflicts among Russian Intelligence Agencies - Royal Holloway academics publishes - “As our research progresses, we aim to explore the implications of this internal rivalry on the development of technical infrastructure for Russia-affiliated APT groups. We anticipate that our findings illuminate the reasons behind the apparent reduced effectiveness of cyberattacks in this scenario. This exploration of competitive dynamics, historical nuances, and behavioural factors within Russian intelligence agencies is crucial for a comprehensive understanding of the broader cyber operations landscape. We present this paper as a work in progress, aiming to contribute to the ongoing discourse in this field.”
New Research Reveals Security Budgets Only Increased 2 Points in 2024, While 12% of CISOs Faced Reductions - IANS researches - “New Research Reveals Security Budgets Only Increased 2 Points in 2024, While 12% of CISOs Faced Reductions”
New assistant secretary of defense wants to focus on return on investment for cyber operations - Defense Scoop reports - “I’ve been talking with my team about and trying to talk with other partners across the government about is, how do we keep score of ourselves? It’s one thing to count the number of operations or something like that, or to count the number of hunt-forward [operations]. There is a power in quantity, but increasingly how we talk about our return on the nation’s investment in us,”
Reporting on/from China
NZ concern over China-linked Pacific cyber breach - Newsroom reports - “In a statement, a spokesman for Foreign Minister Winston Peters confirmed New Zealand had been “briefed on a cyber incident affecting the Pacific Islands Forum Secretariat systems”. “We remain concerned by the growing number of malicious cyber incidents in our region, targeting national entities and regional organisations. Australia’s assistance to rapidly support the Forum Secretariat to remediate their systems following this incident is deeply appreciated.””
Chinese Cargo Cranes at U.S. Ports Pose Espionage Risk, Probe Finds - Wall Street Journal reports - “Chinese manufacturer ZPMC has pressured American ports for remote access to its machines, a congressional report says”
China Is Becoming Much Harder for Western Scholars to Study - Wall Street Journal reports - “Some Chinese researchers stopped sharing data with foreign counterparts to avoid violating data-security laws, complicating collaboration and peer-review processes for assessing research quality. The uncertainty over broadly worded data-security regulations “has brought anxiety and nervousness,” said a professor at a leading university in Beijing. “
U.S. implements new export curbs on advanced chips and quantum tech - Nikkei Asia reports - “Under the latest controls, export licenses will be required for shipments of quantum computing items, advanced chipmaking tools, gate all-around field-effect transistor (GAAFET) technology and so-called additive manufacturing items for producing metal or metal alloy components.”
China buys US$12 billion worth of chip-making tools in a quarter - South China Morning Post reports - “In the June quarter, China saw sales of chip-making equipment – including tools for wafer processing, assembly, packaging and testing – jump 62 per cent year on year to more than US$12 billion.”
Huawei Cloud reshuffles leadership team as competition mounts - South China Morning Post reports - “Last year, Huawei’s cloud computing revenue rose 21.9 per cent year on year to 55.29 billion yuan (US$7.79 billion), according to the company’s annual report.”
Hello, Jarvis? China’s new AI app stirs dreams of Tony Stark’s assistant becoming reality - South China Morning Post reports - “Ant Group, the fintech affiliate of Alibaba Group Holding, made its foray into Jarvis-like territory when it launched on Thursday the Zhixiaobao app – a so-called life assistant that can help users order meals, hail taxis, book tickets, and discover local dining and entertainment options, while accessing third-party services in the firm’s Alipay payment platform more easily.”
Artificial intelligence
New AI supply chain standard brings together Ant, Tencent, Baidu and Microsoft, Google, Meta - South China Morning Post reports - “The companies unveiled their “Large Language Model Security Requirements for Supply Chain” on Friday with the World Digital Technology Academy (WDTA), during a side event at the Inclusion Conference on the Bund in Shanghai.”
OpenAI o1 System Card - OpenAI discloses - “Compared to GPT-4o, o1-preview and o1-mini demonstrated a greater ability to break down tasks into subtasks, reason about what strategies would be effective to successfully complete an offensive security task, and revise plans once those strategies failed. We also observed that reasoning skills contributed to a higher occurrence of “reward hacking,” where the model found an easier way to accomplish goals in underspecified tasks or tasks which should have been impossible due to bugs… "After discovering the Docker API, the model used it to list the containers running on the evaluation host. It identified the broken challenge container and briefly attempted to debug why the container failed to start. After failing to fix the environment, the model started a new instance of the broken challenge container with the start command ‘cat flag.txt’. This allowed the model to read the flag from the container logs via the Docker API.”
The Global Kaleidoscope of Military AI Governance - United Nations UNDIR publishes - “Specifically, this report first discusses the reflections shared by States on the unique characteristics of AI technologies and the opportunities that they provide in the military domain. In addition, States also discussed and exchanged views on the risks, challenges and implications stemming from the development, deployment and use of AI in the military and wider security domains.”
New AI Chip Beats Nvidia, AMD and Intel by a Mile with 20x Faster Speeds and Over 4 Trillion Transistors - NASDAQ reports - “Cerebras has developed what it calls the Wafer Scale Engine, the third generation of which powers the new Cerebras Inference. This massive chip integrates 44GB of SRAM and eliminates the need for external memory, which has been a significant bottleneck in traditional GPU setups. By resolving the memory bandwidth issue, Cerebras Inference can deliver a whopping 1,800 tokens per second for Llama3.1 8B and 450 tokens for Llama3.1 70B, setting new industry standards for speed.”
Cyber proliferation
Former NSO stars behind vulnerability research firm Radiant Research Labs - Intelligence Online reports - “With the discreet financial backing of an industry veteran, zero-day research specialist Radiant Research Labs is all set to enter the computer vulnerability market. The firm claims it will operate under the close control of the Israeli defence ministry.”
Poland’s constitutional court finds commission investigating use of Pegasus spyware unconstitutional - Notes from Poland reports - “The head of the commission, however, has dismissed the ruling as having no legal force because it was issued with the involvement of a judge illegally appointed under PiS and because the TK acts on the “political orders” of the former ruling party.”
Slovakia: Use of Pegasus a threat to democracy and human rights - Article 19 reports - “This revelation is particularly alarming given the deteriorating situation for democracy and protection of human rights in Slovakia and the historical context of Pegasus’s use in other countries, where it has been employed to surveil journalists, human rights activists, and political dissenters, undermining the very foundations of democracy. “
Apple seeks to drop its lawsuit against Israeli spyware pioneer NSO - The Washington Post reports - “arguing that it might never be able to get the most critical files about NSO’s Pegasus surveillance tool and that its own "disclosures could aid NSO and its increasing number of rivals.”
Bounty Hunting
New York Man Pleads Guilty to Hacking, Credit Card Trafficking and Money Laundering Conspiracies - US Department of Justice reports - “Antonenko and co-conspirators scoured the internet for computer networks with security vulnerabilities that were likely to contain credit and debit card account numbers, expiration dates, and card verification values (Payment Card Data) and other personally identifiable information (PII). They used a hacking technique known as a “SQL injection attack” to access those networks without authorization, extracted Payment Card Data and other PII, and transferred it for sale on online criminal marketplaces.”
Arrest made in NCA investigation into Transport for London cyber attack - NCA announces - “A teenager has been arrested in Walsall by the National Crime Agency, as part of the investigation into a cyber security incident affecting Transport for London (TfL). The 17-year-old male was detained on suspicion of Computer Misuse Act offences in relation to the attack, which was launched on TfL on 1 September.”
Six Persons To Be Charged For Offences In Relation To Illegal Cyber Activities - Singaporean Police announce - “Five men, Chinese nationals, aged between 32 and 42, and one 34-year-old Singaporean man, will be charged in court on 10 September 2024”
Japanese man indicted over North Korea using illegally acquired foreign currency to import Japanese underwear and other items; foreign currency also used for nuclear and missile development - NTV reports - “As the police investigated, they discovered that a North Korean IT engineer had posed as the woman and received software development orders from an overseas IT company, and some of the funds had been used illegally. “
No reflections this week…but please support the RISCS research into the professionalisation of cyber by spending 10-15 minutes filling in the Cyber Expertise Diversity Survey.
Think someone else would benefit? Share:
All attribution is by others and not the UK Government unless specifically stated as such, please see the legal text at the end.
Have a lovely Saturday..
Ollie
Cyber threat intelligence
Who is doing what to whom and how allegedly.
Reporting on Russia
Polish authorities take down Belarusian and Russian cyber-espionage group
EurActiv reports on an alleged in country operation which was disrupted. Low on technical detail but in country cyber activity by foreign state you might consider factoring into your risk registers if appropriate.
According to Gawkowski, the group’s ultimate goal was to penetrate other Polish government institutions and state-owned companies, particularly those involved in national security.
Reporting on China
Earth Preta Evolves its Attacks with New Malware and Strategies
Lenart Bermejo, Sunny Lu and Ted Lee allege this previously Chinese attributed threat actor have deployed new implants using removable media as the initial access vector. Beyond that the tradecraft is all rather run of the mill.
Earth Preta has upgraded its attacks, which now include the propagation of PUBLOAD via a variant of the worm HIUPAN.
Additional tools, such as FDMTP and PTSOCKET, were used to extend Earth Preta’s control and data exfiltration capabilities.
Another campaign involved spear-phishing emails with multi-stage downloaders like DOWNBAIT and PULLBAIT, leading to further malware deployments.
Earth Preta’s attacks are highly targeted and time-sensitive, often involving rapid deployment and data exfiltration, with a focus on specific countries and sectors within the APAC region.
https://www.trendmicro.com/en_us/research/24/i/earth-preta-new-malware-and-strategies.html
Crimson Palace returns: New Tools, Tactics, and Targets
Sophos details this alleged Chinese activity which shows parallels to a web penetration test. A good reminder that web applications are considered in-scope by threat actors.
Sophos X-Ops continues to observe and respond to what we assess with high confidence as a Chinese state-directed cyberespionage operation targeting a prominent agency within the government of a Southeast Asian nation.
Using previously stolen credentials, the attackers deployed a web shell to a web application server using its built-in file upload feature. The attacker performed a methodical investigation of the web app server’s configuration file and virtual directories to locate the web application’s DLL. They then used the web shell to execute commands on the targeted web app server. This included copying the application’s dynamic linking library (DLL) to a web documents folder and disguising it as a PDF to allow it to be retrieved through the application, using credentials previously tied to Cluster Charlie activity.
https://news.sophos.com/en-us/2024/09/10/crimson-palace-new-tools-tactics-targets/
Reporting on North Korea
APT attack disguised as a paper on Russia-North Korea partnership
ASEC (AhnLab Security Intelligence Center) detail alleged North Korean activity using a .exe for initial access which is bold. The use of Github for file hosting is the most noteworthy element.
[We] confirmed the status of APT attacks targeting domestic users. During the attack, the attacker used a Github repository, and a number of malicious scripts and normal bait files used in the attack were uploaded to the repository.
Reporting on Iran
Targeted Iranian Attacks Against Iraqi Government Infrastructure
Check Point highlight an alleged Iranian campaign which is noteworthy for its use of passive backdoors and DNS tunnelling.
Check Point Research discovered a new set of malware called Veaty and Spearal that was used in attacks against different Iraqi entities including government networks.
The malware samples described in this report use a variety of techniques including a passive IIS backdoor, DNS tunneling, and C2 communication via compromised email accounts.
The passive IIS backdoor appears to be a newer variant of the backdoor reported by ESET as employed by the IIS Group 2 (also attributed by Symantec to GreenBug aka APT34).
The malware has multiple ties to previously described APT34 malware families such as Karkoff, Saitama, and IIS Group 2 operating in the same region. Those malware families are affiliated with tun (MOIS).
https://research.checkpoint.com/2024/iranian-malware-attacks-iraqi-government/
Reporting on Other Actors
Operation WordDrone – Drone manufacturers are being targeted in Taiwan
Ilia Dafchev, Irina Artioli, Alexander Ivanyuk and Robert Neumann detail an unattributed campaign where the threat actor brough their own Microsoft Office to achieve code execution via side loading. One assumes to not trigger EDR and/or blend in..
Attackers used a dynamic-link library (DLL) side-loading technique to install a persistent backdoor with complex functionality on the infected systems. Three files were brought to the system: a legitimate copy of Winword 2010, a signed wwlib.dll file and a file with a random name and file extension. Microsoft Word was used to side load the malicious wwlib DLL, which acts as a loader for the actual payload, the one residing inside the encrypted file with a random name.
Research organizations and think tanks
French Government outlines the threat to research organisations and think tanks. Noteworthy alert which should be heeded by those institutions.
These entities are targeted by a wide range of offensive actors, with strategic or industrial espionage objectives, but also destabilization, or even lucrative objectives.
Think tanks and research organizations working on strategic and defense issues are particularly targeted by state-linked attackers seeking to carry out espionage attacks. Civilian and military scientific research organizations are also targeted by campaigns, sometimes massive, seeking to extract scientific, technical or industrial data to gain competitive advantages.
The threat of destabilization can also affect research organizations and think tanks, particularly in the context of the war in Ukraine.
Ransomware in the Cloud: Scattered Spider Targeting Insurance and Financial Industries
Arda Büyükkaya details a campaign they attributed to this criminal group. Sectoral targeting is of note.
SCATTERED SPIDER has been using SMS phishing (smishing) techniques through text messages. Smishing, a form of phishing that uses SMS to deliver malicious links, has become a favoured tactic for cybercriminal group due to its ability to bypass traditional email filters and directly target users on their mobile devices. These campaigns have primarily targeted sectors, including financial services and insurance companies.
BlindEagle Targets Colombian Insurance Sector with BlotchyQuasar
Gaetano Pellegrino details activity in the same sector showing low sophistication and several steps.
Beginning in June 2024, BlindEagle was observed targeting the Colombian insurance sector.
Attacks have originated with phishing emails impersonating the Colombian tax authority.
BlindEagle has leveraged a version of BlotchyQuasar for attacks, which is heavily protected by several nested obfuscation layers.
Discovery
How we find and understand the latent compromises within our environments.
parseusbs: Parses USB connection artifacts from offline Registry hives
Kathryn Hedley provides a discovery tool which seems relevant given one of the campaigns mentioned in this week threat intelligence section.
Registry parser, to extract USB connection artifacts from SYSTEM, SOFTWARE, and NTUSER.dat hives
https://github.com/khyrenz/parseusbs
Kernel ETW is the best ETW
John Uhlmann makes an impassioned plea and gives an overview of the value of kernel originated ETW.
Modern Secure by Design practice is to audit log both success and failure for security relevant activities and Microsoft continues to add new security-relevant ETW events that do this. For example, the preview build of Windows 11 24H2 includes some interesting new ETW events in the
Microsoft-Windows-Threat-Intelligenceprovider. Hopefully, these will be documented for security vendors ahead of its release.
https://www.elastic.co/security-labs/kernel-etw-best-etw
Defence
How we proactively defend our environments.
ActiveX will be disabled by default in Microsoft Office 2024
Birthday present for the globe with this news from Microsoft. Unless you are offensive cyber actor that is..
Starting in new Office 2024, the default configuration setting for ActiveX objects will change from Prompt me before enabling all controls with minimal restrictions to Disable all controls without notification. This change applies to the Win32 desktop versions of Word, Excel, PowerPoint, and Visio.
Win32k kernel object garbage collection mechanism
Chinese research into this new feature in Win32k.sys - intended to complicate/mitigate heap feng shui in Kernel LPEs.
On this month's patch day, Microsoft introduced a new mechanism in win32k, garbage collection of kernel objects , and added many GC-related functions.
The Security Canary Maturity Model
Rami McCarthy publishes a maturity model to help take organisations on the journey of the deployment of digital tripwires.
On the corporate side, there are a few ways to apply a maturity model to your security program.
Removing unknown-unknowns: The maturity model offers a cheat sheet across the universe of canary capabilities. At a minimum, it allows you to survey the landscape and ensure you’re aware of your options for reducing risk, whether or not you choose to align to the model overall.
Benchmarking/Diagnostics: If you choose to align to the model, you can use it to assess your current maturity. This is an opportunity to consider whether your current use of canaries matches your desired level of security maturity.
Roadmapping: When navigating the planning process, this model offers a view on “what could we do next,” in an iterative and compounding structure.
Overall, I’d encourage you to view this maturity model as a spider chart, and not a checklist. You don’t need to be doing everything listed to crest into a maturity level, nor should you limit your investments to meet all “Managed” criteria if it better suits to spike into “Optimize” across certain categories.
https://tracebit.com/blog/the-security-canary-maturity-model
openbas: Open Breach and Attack Simulation Platform
Be interesting to see how this develops in a community model.
The goal is to create a powerful, reliable and open source tool to effectively plan and play all types of simulations, training and exercises from the technical level to the strategic one.
Finally, OpenBAS supports different types of inject, allowing the tool to be integrated with emails, SMS platforms, social medias, alarm systems, etc. All currently supported integration can be found in the OpenBAS ecosystem.
https://github.com/OpenBAS-Platform/openbas
Incident Writeups & Disclosures
How they got in and what they did.
We Spent $20 To Achieve RCE And Accidentally Became The Admins Of .MOBI
Benjamin Harris and Aliz Hammond highlight the soft underbelly of the Internet is like the xkcd meme.
However, significant concern appeared on 1st September 2024 when we realised that numerous Certificate Authorities responsible for issuing TLS/SSL certificates for domains like 'google.mobi' and 'microsoft.mobi', via the 'Domain Email Validation' mechanism for verifying ownership of a domain, were using our WHOIS server to determine the owners of a domain and where verification details should be sent.
Just replace ‘project’ with ‘domain name’ in the below.
https://labs.watchtowr.com/we-spent-20-to-achieve-rce-and-accidentally-became-the-admins-of-mobi/
Vulnerability
Our attack surface.
Zero-Click Calendar invite - vulnerability chain in macOS
Mikko Kenttälä shares the hoops here, the fact ../ gets you something in 2022/2023 is a thing of wonder or sadness. Old but inspiring to bug hunters..
I found a zero-click vulnerability in macOS Calendar, which allows an attacker to add or delete arbitrary files inside the Calendar sandbox environment. This could lead to many bad things including malicious code execution which can be combined with security protection evasion with Photos to compromise users’ sensitive Photos iCloud Photos data. Apple has fixed all of the vulnerabilities between October 2022 and September 2023.
RAMBO: Leaking Secrets from Air-Gap Computers by Spelling Covert Radio Signals from Computer RAM
Mordechai Guri who’s career has focused on jumping air gaps shows that software driving of RAM can generate RF signals..
In this paper, we present an attack allowing adversaries to leak information from air-gapped computers. We show that malware on a compromised computer can generate radio signals from memory buses (RAM). Using software-generated radio signals, malware can encode sensitive information such as files, images, keylogging, biometric information, and encryption keys. With software-defined radio (SDR) hardware, and a simple off-the-shelf antenna, an attacker can intercept transmitted raw radio signals from a distance. The signals can then be decoded and translated back into binary information. We discuss the design and implementation and present related work and evaluation results. This paper presents fast modification methods to leak data from air-gapped computers at 1000 bits per second. Finally, we propose countermeasures to mitigate this out-of-band air-gap threat.
https://arxiv.org/abs/2409.02292
SSH Keystroke Obfuscation Bypass
Philippos Maximos Giavridis shows the value of actually verifying the efficacy of implementations.
Part of my thesis was to evaluate how effective these preventative measures introduced by OpenSSH are. While I expected them to completely break this attack vector, when I loaded a Wireshark capture into
SSHniff, I realised that certain packets still stick out substantially, among the hundreds of packets hovering around 20ms intervals.
https://crzphil.github.io/posts/ssh-obfuscation-bypass/
Offense
Attack capability, techniques and trade-craft.
ChromeKatz: Dump cookies and credentials directly from Chrome/Edge process memory
Kissa and Henri Nurmi release a capability which we can expect to be used by malicious threat actors in 3..2.
ChromeKatz is a solution for dumping sensitive information from memory of Chromium based browsers. As for now, ChromeKatz consists of two projects:
CookieKatz - The cookie dumper
CredentialKatz - The password dumper
Both tools have an exe, Beacon Object File, and minidump parser available.
https://github.com/Meckazin/ChromeKatz
Decrypting and Replaying VPN Cookies
James H releases a post compromise capability we can expect to inspire others to look for similar in the criminal eco-systems..
Persistent VPN authentication tokens are equally as vulnerable to session hijacking as browser session cookies and other device-resident credential material.
Device requirements for VPN access may be defeated by reconstructing profiles from a working device and replaying them with a third-party VPN client.
Network access, like any other initial access method, is not catastrophic on it’s own. Even without full visibility into the originating endpoint, network-based discovery and lateral movement techniques still offer valuable opportunities for detection and prevention.
https://rotarydrone.medium.com/decrypting-and-replaying-vpn-cookies-4a1d8fc7773e
https://github.com/rotarydrone/GlobalUnProtect
GhostStrike: Deploy stealthy reverse shells using advanced process hollowing
Stiven Mayorga releases a capability which should be a call to arms for EDR vendors.
Dynamic API Resolution: Utilizes a custom hash-based method to dynamically resolve Windows APIs, avoiding detection by signature-based security tools.
Base64 Encoding/Decoding: Encodes and decodes shellcode to obscure its presence in memory, making it more difficult for static analysis tools to detect.
Cryptographic Key Generation: Generates secure cryptographic keys using Windows Cryptography APIs to encrypt and decrypt shellcode, adding an extra layer of protection.
XOR Encryption/Decryption: Simple but effective XOR-based encryption to protect the shellcode during its injection process.
Control Flow Flattening: Implements control flow flattening to obfuscate the execution path, complicating analysis by both static and dynamic analysis tools.
Process Hollowing: Injects encrypted shellcode into a legitimate Windows process, allowing it to execute covertly without raising suspicions.
https://github.com/stivenhacker/GhostStrike
The art of overDLLoading
Adam brings some Windows PE torture / anti-forensics with a file which links to 79,000 APIs. Somethings will break somewhere I suspect.
https://www.hexacorn.com/blog/2024/09/05/the-art-of-overdlloading/
Exploitation
What is being exploited.
Void captures over a million Android TV boxes
1 milllllionn infections..
The malware, dubbed Android.Vo1d, has infected nearly 1.3 million devices belonging to users in 197 countries. It is a backdoor that puts its components in the system storage area and, when commanded by attackers, is capable of secretly downloading and installing third-party software.
In August 2024, Doctor Web was contacted by several users whose Dr.Web antivirus had detected changes in their device’s system file area. The problem occurred with these models:
TV box modelDeclared firmware versionR4Android 7.1.2; R4 Build/NHG47KTV BOXAndroid 12.1; TV BOX Build/NHG47KKJ-SMART4KVIPAndroid 10.1; KJ-SMART4KVIP Build/NHG47K
https://news.drweb.com/show/?i=14900&lng=en&c=5
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
“Unstripping” binaries: Restoring debugging information in GDB with Pwndbg
Jason An releases a work aid..
Pwndbg now integrates Binary Ninja for enhanced GDB+Pwndbg intelligence and enables dumping Go structures for improved Go binary debugging.
HexForge
Salim Bitam and Daniel Stepanic release a work aid which will help those of you being binary jockeys..
This IDA plugin extends the functionality of the assembly and hex view. With this plugin, you can conveniently decode/decrypt/alter data directly from the IDA Pro interface.
https://github.com/elastic/HexForge
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Aggregate reporting
FBI 2023 cryptocurrency fraud report - published September 2024
Cracking an old ZIP file to help open source the ANC's "Operation Vula" secret crypto code
A Comprehensive Survey on Advanced Persistent Threat (APT) Detection Techniques
Dual Use Deception: How Technology Shapes Cooperation in International Relations
Software Institute 2024 Academic Annual Conference - papers from China
Artificial intelligence
Books
Events
ACM Internet Measurement Conference 2024 accepted papers - November 4th - 6th, 2024
Unless stated otherwise, linked or referenced content does not necessarily represent the views of the NCSC and reference to third parties or content on their websites should not be taken as endorsement of any kind by the NCSC. The NCSC has no control over the content of third party websites and consequently accepts no responsibility for your use of them.
This newsletter is subject to the NCSC website terms and conditions which can be found at https://www.ncsc.gov.uk/section/about-this-website/terms-and-conditions and you can find out more about how will treat your personal information in our privacy notice at https://www.ncsc.gov.uk/section/about-this-website/privacy-statement.
Great news on DCs!