Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week: alleged state actors using a browser zero-day to steal crypto assets. Other notable reporting includes malverts used to target the employees of one organisation in a phishing campaign...
In the high-level this week:
NCSC’s Cyber Advisor scheme milestone - NCSC UK calls to arms - Cyber Advisor scheme for small organisations welcomes its 100th advisor, but more still needed!
UK and Allies uncover Russian military unit carrying out cyber attacks and digital sabotage for the first time - NCSC UK announces
The UK and nine international allies call out Russian military actors for computer network operations for espionage, sabotage and reputational harm purposes
GRU Unit 29155 has expanded its tradecraft to include offensive cyber operations and deployed Whispergate malware against Ukrainian victim organisations
UK organisations encouraged to follow advice to help defend against online threats
White House Office of the National Cyber Director Releases Roadmap to Enhance Internet Routing Security - The White House releases - “By addressing BGP, ONCD is taking on a hard problem that has long threatened the security of internet traffic.”
Cybercrime and sabotage cost German firms $300 bln in past year - Reuters reports - “Industry association Bitkom surveyed around 1,000 companies from all sectors” … “Around 45% of companies said they could attribute at least one attack to China, up from 42% in the previous year. Attacks blamed on Russia came in second place at 39%.”
Green Berets use disruptive cyber technology during Swift Response 2024 - US Army reports - “What this allows us to do is target an objective, use the signaling equipment to gain access to any WiFi networks originating at the target, and then monitor activity from that location for a period of time,” explained an identity protected ODA team member
FTC Takes Action Against Security Camera Firm Verkada over Charges it Failed to Secure Videos, Other Personal Data and Violated CAN-SPAM Act - US Federal Trade Commission acts - “Verkada failed to use appropriate information security practices to protect consumers’ personal information, which allowed a hacker to access internet-connected security cameras and view patients in psychiatric hospitals and women’s health clinics. The complaint also charged that Verkada was aware that employees and a venture capital investor posted positive ratings and reviews of Verkada and its products but failed to disclose their association or current employment status with Verkada.”
Aussie Defence Digital Strategy and Roadmap 2024 - Australian Government publishes - with a guiding principle of “Cyber-secure and threat aware by design, in compliance with the Australian Signals Directorate (ASD) Essential 8 and Information Security Manual (ISM).”
Reps. Crow, Fitzpatrick, and Kim Introduce Bipartisan Bill to Protect Americans’ Healthcare Data from Cyberattacks - Jason Crow, alongside Representatives Brian Fitzpatrick and Andy Kim, proposes - “Today’s legislation builds on Congressman Crow’s long-standing fight to protect the American people and their data from cyberattacks. Crow continues to advance health care cybersecurity measures and successfully passed his bipartisan bill last Congress to expand cybersecurity operations at the Small Business Administration (SBA) and protect millions of businesses.”
Gartner Forecasts Global Information Security Spending to Grow 15% in 2025 - Gartner speculates - but if true, the money is likely going into the wrong areas.. MFA people.. MFA, replacing end-of-life kit and patching is where the value is at!
Silicon Valley’s Hot Talent Pipeline Is an Israeli Army Unit - Wall Street Journal reports - “There are at least five tech companies started by Unit 8200 alumni publicly traded in the U.S., together worth around $160 billion. Private companies started by ex-8200 soldiers are worth billions more.” - whilst no one can debate the financial performance, arguably the biggest coup is pulling a reverse ‘Keyser Söze’ in the marketing of such start-ups and providing an intelligence halo effect.
North Korean Spies Are Infiltrating U.S. Companies Through IT Jobs - Wall Street Journal reports - “Companies are unknowingly hiring North Koreans for hundreds of low-level jobs, giving Pyongyang access to cash and IP” - we have covered this as it happened, but it is now hitting mainstream awareness.
Reporting on/from China
NSA’s China-focused ‘innovation pipeline’ targets economic imbalances - Defence One reports - “The National Security Agency has been slowly creating an “innovation pipeline” to pinpoint and fix U.S. vulnerabilities to China, and it’s starting with a new pilot program focused on economic security and emerging technologies, a senior intelligence official said.”
NSA’s China specialist: US at a loss to deter Chinese hackers - Breaking Defense reports - “They are trying to position themselves to have an asymmetric advantage in a crisis or conflict. If you look at the cost-benefit from their point of view and just the breadth of targets in the United States and our allies in terms of global networks, they’re not going to be motivated to stop,” Frederick said at an Intelligence and National Security Summit this week. “So that’s a hard problem — how do we get them, sort of thing.”
Xi ‘knows the complaints’ of foreign firms as he vows to boost free-trade zones - South China Morning Post reports - “Beijing has vowed to give more prominence to China’s free-trade zones, as well as a roll-out of pro-business measures, including trade facilitation to smoothen capital and data flow for foreign businesses.”
Nvidia’s AI chips are cheaper to rent in China than US - Financial Times reports - “The cost of renting cloud services using Nvidia’s leading artificial intelligence chips is lower in China than in the US, a sign that the advanced processors are easily reaching the Chinese market despite Washington’s export restrictions.”
SenseTime: The domestically-built AI computing cluster currently has 54,000 GPUs, with a maximum computing power of 20,000 GPUs - IT Home reports - “AI video generation will reshape traditional video production, integrating the process methods of audio and video creation into a whole, lowering the production threshold of AI video content, and presenting it with a new video interactive interface.”
Tencent Unveils New AI Upgrades, Proprietary Innovations, and Global Solutions - Tencent announces - “Also unveiled was Tencent Hunyuan Turbo (腾讯混元Turbo) – a model service based on the Mixture of Experts (MoE) architecture. Tencent Hunyuan Turbo has doubled training efficiency and reduced inference costs by 50 percent”
Semiconductors
China’s export curbs on semiconductor materials stoke chip output fears - Financial Times reports - “Chinese export controls on crucial semiconductor materials are hitting supply chains and stoking fears of shortfalls in western production of advanced chips and military optical hardware.”
New Beijing chip fund adds US$1.2 billion to semiconductor coffers in China - South China Morning Post reports - “The state-owned Zhongguancun Development Group established the Beijing Integrated Circuit Industry Investment Fund on Tuesday with a registered capital of 8.5 billion yuan (US$1.2 billion), according to information available on Chinese corporate database Qichacha.”
Huawei revenue up by a third amid resurgent smartphone sales in China - South China Morning Post reports - “Huawei Technologies has reported a 34 per cent jump in revenue for the first half of 2024, continuing a strong comeback in premium smartphones after the company overcame US sanctions.”
ASML’s China Chip Business Faces New Curbs From Netherlands - Bloomberg reports - “The government of Prime Minister Dick Schoof will likely not renew certain ASML licenses to service and provide spare parts in China when they expire at the end of this year, according to people familiar with the matter. The decision is expected to cover the company’s top-of-the-line deep ultraviolet lithography, or DUV, machines, said the people, asking not to be named discussing sensitive government decisions.”
Artificial intelligence
UK signs first international treaty addressing risks of artificial intelligence - UK Ministry of Justice announces - “The treaty will ensure countries monitor its development and ensure any technology is managed within strict parameters. It includes provisions to protect the public and their data, human rights, democracy and the rule of law. It also commits countries to act against activities which fall outside of these parameters to tackle the misuse of AI models which pose a risk to public services and the wider public.”
The danger of AI in war: it doesn’t care about self-preservation - The Strategist opines - “This outcome highlights a fundamental difference in the nature of war between humans and AI. For humans, war is a means to impose will for survival; for AI the calculus of risk and reward is entirely different, because, as the pioneering scientist Geoffrey Hinton noted, ‘we’re biological systems, and these are digital systems.’” - we’ve seen this movie! Shall we play a game?
AI hit by copyright claims as companies approach ‘data frontier’ - Financial Times reports - “Anthropic faces legal action by publishers as tech groups reach limit on material to train artificial intelligence models”
The Threat to OpenAI Is Growing - Wall Street Journal reports - “Much of that new competition is coming from startups that promise to undercut OpenAI’s services with ones that could be cheaper to use, and also better at certain narrow tasks.” - fragmentation from tuning begins!
Cyber proliferation
Information on the charges brought against former Deputy Minister of Justice Michał Woś - Polish Government charges - “The prosecutor charged Michał Woś with exceeding his powers and failing to fulfil his obligations by transferring PLN 25,000,000 from the Justice Fund to purchase the “Pegasus” software for the Central Anticorruption Bureau.”
Colombia's Petro calls for investigation into Pegasus software purchase - Reuters reports - “Colombia's President Gustavo Petro on Wednesday asked the attorney general's office to investigate the $11 million purchase of Pegasus spy software, which he said could have been used to spy on opposition politicians during the previous administration.”
Spyware vendors thwart restrictions with new names and locations - The Washington Post reports
Mythical Beasts and Where to Find Them: Mapping the Global Spyware Market and its Threats to National Security and Human Rights - Atlantic Council Cyber Statecraft Initiative researches - “The Mythical Beasts project addresses this meaningful gap in contemporary public analysis on spyware proliferation, pulling back the curtain on the connections between 435 entities across forty-two countries in the global spyware market.”
State-backed attackers and commercial surveillance vendors repeatedly use the same exploits - Google attributes - “Our latest n-day exploit reporting shows that in an attack on Mongolian government websites, Russian-backed APT29 is suspected of using the same exploits as Intellexa and NSO. We’re sharing details and how people can mitigate risks of being infected.”
Predator Spyware Infrastructure Returns Following Exposure and Sanctions - Recorded Future reports - “Predator's operators have significantly enhanced their infrastructure, adding layers of complexity to evade detection. The new infrastructure includes an additional tier in its multi-tiered delivery system, which anonymizes customer operations, making it even harder to identify which countries are using the spyware. This change makes it more difficult for researchers and cybersecurity defenders to track the spread of Predator.”
Bounty Hunting
PN tells government to stop investigating young ethical hackers - Malta Today reports - “In a statement on Tuesday, the PN stated that the prolonged investigation has left the students in a legal limbo, resulting in them second-guessing their enthusiasm for cybersecurity”
Reward for Information: Belarusian National Volodymyr Kadariya - US Department of State bounties - “The U.S. Department of State is offering a reward of up to $2.5 million for information leading to the arrest and/or conviction in any country of Volodymyr Kadariya for his alleged participation in a significant malware organization.”
Reward for information GRU Officers – Unit 29155 - US Department of State bounties - “Rewards for Justice is offering a reward of up to $10 million for information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA).”
Justice Department Announces Court-Authorized Action to Disrupt Illicit Revenue Generation Efforts of Democratic People’s Republic of Korea Information Technology Workers - US Department of Justice announces - “Seizures of Money and Infrastructure from Democratic People’s Republic of Korea (DPRK) IT Workers Follows Successful Efforts to Empower Independent Private Sector Disruptive Actions”
Five Russian GRU Officers and One Civilian Charged for Conspiring to Hack Ukrainian Government - US Department of Justice announces - “Defendants Are Alleged to Have Committed Cyber Attacks in Advance of Russia’s Invasion of Ukraine; Also Targeted 26 North Atlantic Treaty Organization Countries”
Insurance groups urge state support for ‘uninsurable’ cyber risks - Financial Times reports - “Insurer Zurich and Marsh McLennan, the world’s biggest insurance broker, say in a new report that cyber threats are “outpacing the ability of traditional insurance and risk management approaches to fully mitigate them”.”
Report is available here.
Reflections this week are on complexity. Complexity of modern supply chains, of technology, of systems and of interventions to achieve cyber resilience. It is striking when I look back to the mid-90s and how tractable information security felt back then. It is clear that how we operate today is not how we will in the future if we are to be successful. That and getting multi-factor deployed comprehensively on the edge…
All attribution is by others and not the UK Government unless specifically stated as such, please see the legal text at the end.
Have a lovely Saturday…
Ollie
Cyber threat intelligence
Who is doing what to whom and how allegedly.
Reporting on Russia
Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure
Nineteen agencies come together with this attribution including the UK’s National Cyber Security Centre.
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and National Security Agency (NSA) assess that cyber actors affiliated with the Russian General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155) are responsible for computer network operations against global targets for the purposes of espionage, sabotage, and reputational harm since at least 2020. GRU Unit 29155 cyber actors began deploying the destructive WhisperGate malware against multiple Ukrainian victim organizations as early as January 13, 2022. These cyber actors are separate from other known and more established GRU-affiliated cyber groups, such as Unit 26165 and Unit 74455. To mitigate this malicious cyber activity, organizations should take the following actions today:
Prioritize routine system updates and remediate known exploited vulnerabilities.
Segment networks to prevent the spread of malicious activity.
Enable phishing-resistant multifactor authentication (MFA) for all externally facing account services, especially for webmail, virtual private networks (VPNs), and accounts that access critical systems.
https://www.ic3.gov/Media/News/2024/240905.pdf
Operation Oxidový: Sophisticated Malware Campaign Targets Czech Officials Using NATO-Themed Decoys
Seqrite Labs details this alleged Russian campaign using phishing and other well-trodden tradecraft.
The campaign targets government and military officials with multiple lures aimed at the relationship between NATO and the Czech Republic. The entire malware ecosystem is involved in this campaign, starting from the loader to a well-known Command-and-Control framework known as HavocC2 and Freeze programmed in Rust, a lucrative, compiled programming language widely adopted by threat actors in the wild.
…
Based on the heavy usage of post-exploitation frameworks like Havoc, Sliver & Freeze and keeping in mind the ongoing tensions in the geopolitics, with respect to Russian interests in the Czech Region, we attribute the threat actor as possibly being of Russian origin with medium confidence.
Russian state hackers pose as Kiel Institute for the World Economy
Der Spiegel reports, based on IBM reporting, that Russia allegedly used phishing in this campaign.
Russian hackers have created an Internet domain to imitate the Kiel Institute for the World Economy (IfW Kiel). This is according to a confidential report by IBM's security team X-Force. The fake institute address is a trap designed to lure users and infect their computers with spyware.
…
The Federal Office for Information Security (BSI) says that the case is known. The address was not reachable at the time of the company's own analysis in April. Therefore, it is currently "unable to assess whether the Kiel Institute for the World Economy itself was the target of the attack or whether its name was only used as bait for attacks on other targets."
…
According to SPIEGEL information, the fake IfW address was the only one of a German organization or authority that "APT28" had created in the wave of attacks investigated.
Reporting on China
TIDRONE Targets Military and Satellite Industries in Taiwan
Pierre Lee and Vickie Su detail activity they link to a Chinese-speaking threat actor. Feels quite real, doesn’t it?
TIDRONE, an unidentified threat actor linked to Chinese-speaking groups, has demonstrated significant interest in military-related industry chains, especially in the manufacturers of drones’ sector in Taiwan.
The threat cluster uses enterprise resource planning (ERP) software or remote desktops to deploy advanced malware toolsets such as the CXCLNT and CLNTEND.
CXCLNT has basic upload and download file capabilities, along with features for clearing traces, collecting victim information such as file listings and computer names, and downloading additional portable executable (PE) files for execution.
CLNTEND is a newly discovered remote access tool (RAT) that was used this April and supports a wider range of network protocols for communication.
During the post-exploitation phase, telemetry logs revealed user account control (UAC) bypass techniques, credential dumping, and hacktool usage to disable antivirus products.
Chinese APT Abuses VSCode to Target Government in Asia
Tom Fakterman details some new tradecraft they attribute to a Chinese actor. It shows that the journey from red team theory to APT reality is happening.
[We] recently found that Stately Taurus abused the popular Visual Studio Code software in espionage operations targeting government entities in Southeast Asia. Stately Taurus is a Chinese advanced persistent threat (APT) group that carries out cyberespionage attacks.
This threat actor used Visual Studio Code’s embedded reverse shell feature to gain a foothold in target networks. This is a relatively new technique that a security researcher discovered in 2023. According to our telemetry, this is the first time a threat actor used it in the wild.
https://unit42.paloaltonetworks.com/stately-taurus-abuses-vscode-southeast-asian-espionage/
ToneShell Backdoor Used to Target Attendees of the IISS Defence Summit
Hunt.io alleges a backdoor previously used by a Chinese actor was used to potentially target attendees of the conference. Noteworthy due to the relatively basic nature of the campaign, but also the strategic focus.
The ToneShell backdoor, frequently associated with Mustang Panda (also known as Stately Taurus and Earth Preta, among other monikers), has been consistently deployed against government organizations, mainly in Southeast and East Asia, for cyber espionage.
Recently, this malware has resurfaced, likely targeting attendees of the 2024 International Institute for Strategic Studies (IISS) Defence Summit in Prague.
…
During routine analysis on Hatching Triage, we discovered an executable file, "IISS PRAGUE DEFENCE SUMMIT (8 – 10 November 2024 ).exe,” uploaded on 16 August. Given its relevance to an upcoming high-profile event, we decided to investigate further.
https://hunt.io/blog/toneshell-backdoor-used-to-target-attendees-of-the-iiss-defence-summit
Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion
Cedric Pernet and Jaromir Horejsi allege that a Chinese actor has evolved their implant arsenal. Note the scale of the infrastructure..
During our monitoring of the Chinese-speaking threat actor Earth Lusca, we discovered a new multiplatform backdoor written in Golang, named KTLVdoor, which has both Microsoft Windows and Linux versions.
KTLVdoor is a highly obfuscated malware that masquerades as different system utilities, allowing attackers to carry out a variety of tasks including file manipulation, command execution, and remote port scanning.
The malware's configuration and communication involve sophisticated encryption and obfuscation techniques to hinder malware analysis.
The scale of the attack campaign is significant, with over 50 C&C servers found hosted at a China-based company; it remains unclear whether the entire infrastructure is exclusive to Earth Lusca or shared with other threat actors.
https://www.trendmicro.com/en_us/research/24/i/earth-lusca-ktlvdoor.html
Tropic Trooper spies on government entities in the Middle East
Sherif Magdy alleges Chinese activity which uses a well-worn bit of tradecraft of theirs in the guise of web shells. The CMS link is interesting..
The infection came to our attention in June 2024, when our telemetry gave recurring alerts for a new China Chopper web shell variant (used by many Chinese-speaking actors), which was found on a public web server. The server was hosting an open-source content management system (CMS) called Umbraco, written in C#. The observed web shell component was compiled as a .NET module of Umbraco CMS.
https://securelist.com/new-tropic-trooper-web-shell-infection/113737/
Reporting on North Korea
North Korean threat actor Citrine Sleet exploiting Chromium zero-day
North Korea with Chromium zero-days is the allegation by Microsoft. Using Chrome zero-days to get more crypto assets is a self-licking lollipop, but should also be a cause for concern.
On August 19, 2024, Microsoft identified a North Korean threat actor exploiting a zero-day vulnerability in Chromium, now identified as CVE-2024-7971, to gain remote code execution (RCE). We assess with high confidence that the observed exploitation of CVE-2024-7971 can be attributed to a North Korean threat actor targeting the cryptocurrency sector for financial gain. Our ongoing analysis and observed infrastructure lead us to attribute this activity with medium confidence to Citrine Sleet. We note that while the FudModule rootkit deployed has also been attributed to Diamond Sleet, another North Korean threat actor, Microsoft previously identified shared infrastructure and tools between Diamond Sleet and Citrine Sleet, and our analysis indicates this might be shared use of the FudModule malware between these threat actors.
North Korea Aggressively Targeting Crypto Industry with Well-Disguised Social Engineering Attacks
FBI alert on North Korean activity.. using phishing to get crypto assets.
North Korean social engineering schemes are complex and elaborate, often compromising victims with sophisticated technical acumen. Given the scale and persistence of this malicious activity, even those well versed in cybersecurity practices can be vulnerable to North Korea's determination to compromise networks connected to cryptocurrency assets.
North Korean malicious cyber actors conducted research on a variety of targets connected to cryptocurrency exchange-traded funds (ETFs) over the last several months. This research included pre-operational preparations suggesting North Korean actors may attempt malicious cyber activities against companies associated with cryptocurrency ETFs or other cryptocurrency-related financial products.
https://www.ic3.gov/Media/Y2024/PSA240903
APT Lazarus: Eager Crypto Beavers, Video calls and Games
Group-IB highlights the alleged breadth of North Korean capability. Note the range of software coupled with social engineering.
Discovery of a different fraudulent video conferencing application dubbed “FCCCall” that mimics a legitimate video conferencing application, which is used as part of an attack chain.
Classification of a new suite of Python scripts as CivetQ.
Aside from Linkedin, they also reached out to victims using other job search platforms, and attempted to continue the conversation via Telegram.
All tools are in active development, with code updates observed between the binaries found in July and August 2024. Updates were also made to BeaverTail (Javascript) and InvisibleFerret as well.
Telegram was added as an additional data exfiltration method.
BeaverTail (Python) configures AnyDesk for Unattended Access.
Trojanizing Node.js-based web games projects.
Implementation of stealthier ways to obscure malicious code.
Expanded scope of targeted browser extensions and data including Authenticator, WinAuth, Proxifier, password managers, note-taking applications, and cryptocurrency wallets.
https://www.group-ib.com/blog/apt-lazarus-python-scripts/
Reporting on Iran
Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations
FBI and CISA highlight that Iran is acting as an initial access broker for ransomware. This is noteworthy for all the obvious reasons, including the wide range of victims.
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense Cyber Crime Center (DC3) are releasing this joint Cybersecurity Advisory (CSA) to warn network defenders that, as of August 2024, a group of Iran-based cyber actors continues to exploit U.S. and foreign organizations. This includes organizations across several sectors in the U.S. (including in the education, finance, healthcare, and defense sectors as well as local government entities) and other countries (including in Israel, Azerbaijan, and the United Arab Emirates). The FBI assesses a significant percentage of these threat actors’ operations against US organizations are intended to obtain and develop network access to then collaborate with ransomware affiliate actors to deploy ransomware.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a
Revealing multiple RMM software attacks organized by MuddyWater
Chinese reporting on alleged Iranian activity. Note the use of legitimate software to facilitate their remote access.
[We] captured the MuddyWater organization using multiple remote monitoring and management (Remote Monitoring & Management, RMM) software for attacks. Through background big data correlation analysis, it was discovered that the organization has been relying on legitimate RMM software as the payload of its attacks since 2020. The RMM software used includes but is not limited to Remote Utilities, ScreenConnect, SimpleHelp, Syncro, N-Able and recently Atera Agent
Reporting on Other Actors
Lowe’s employees phished via Google ads
Jérôme Segura details a campaign which is the stuff of CISO nightmares. Google Ads to phish the users of your organisation specifically - now that is investment.
In mid-August, we identified a malvertising campaign targeting Lowe’s employees via Google ads. Like many large corporations, Lowe’s has their own employee portal called MyLowesLife, for all matters related to schedule, pay stubs, or benefits.
Lowe’s employees who searched for “myloweslife” during that time, may have seen one or multiple fraudulent ads. The threat actor, who does not strictly limit themselves to Lowe’s but also targets other institutions, aims to gain access to the login credentials of current and former employees.
https://www.malwarebytes.com/blog/news/2024/09/lowes-employees-phished-via-google-ads
So-Phish-ticated Attacks
Rui Ataide and Hermes Bojaxhi detail an unattributed campaign which is noteworthy for its scale.
Based on our team’s research, we have identified several attacker domain names and IP addresses related to an ongoing campaign. This campaign is currently targeting over 130 US organizations in various industry verticals. This attack starts with the targeting of individual users within an organization to harvest credentials as well as one-time passcodes via social engineering methods.
https://www.guidepointsecurity.com/blog/so-phish-ticated-attacks/
Threat actors using MacroPack to deploy Brute Ratel, Havoc and PhantomCore payloads
Vanja Svajcer shows how a threat actor is combining various red teaming capabilities for malicious purposes. Again unattributed..
Cisco Talos recently discovered several related Microsoft Office documents uploaded to VirusTotal by various actors between May and July 2024 that were all generated by a version of a payload generator framework called “MacroPack.”
MacroPack is a framework designated for Red Team exercises, but we assess, with moderate confidence, that malicious actors are also using it to deploy malicious payloads.
Talos analyzed the most recent documents uploaded to VirusTotal from different sources and countries, including China, Pakistan, Russia and the U.S., uncovering connections between the payloads and motivations for creating these documents.
These malicious files deliver multiple payloads, including the Havoc and Brute Ratel post-exploitation frameworks and a new variant of the PhantomCore remote access trojan (RAT).
Talos was not able to attribute these activities to a single actor despite some similarities in tactics, techniques and procedures (TTPs). No Talos customers were affected by these attacks and there are no related activities in any Cisco product telemetry.
https://blog.talosintelligence.com/threat-actors-using-macropack/
Suspected Espionage Campaign Delivers “Voldemort”
Tommy Madjar, Pim Trouerbach, Selena Larson and team detail another unattributed threat actor which they allege is espionage-related. Who had Google Sheets for C2 on their bingo card?
Proofpoint researchers identified an unusual campaign delivering malware that the threat actor named “Voldemort”.
Proofpoint assesses with moderate confidence the goal of the activity is to conduct espionage.
The activity impersonated tax authorities from governments in Europe, Asia, and the U.S. and targeted dozens of organizations worldwide.
The ultimate objective of the campaign is unknown, but Voldemort has capabilities for intelligence gathering and to deliver additional payloads.
Voldemort’s attack chain has unusual, customized functionality including using Google Sheets for command and control (C2) and using a saved search file on an external share.
Discovery
How we find and understand the latent compromises within our environments.
Hunting with Microsoft Graph activity logs
Shiva P provides a super power with this guide. Given we know threat actors misuse it, a must-read for all cyber defence teams who live in the Microsoft ecosystem.
Microsoft Graph activity logs provide a history of all Microsoft Graph API requests. In this blog, we’ll go over collection and analysis of these logs and share a few detection/hunting ideas. The goal is to create general awareness of this log source and show how it can be used effectively.
Linux Detection Engineering - A Sequel on Persistence Mechanisms
Ruben Groenewoud continues the series to help upskill on Linux detection engineering.
We'll set up the persistence mechanisms, analyze the logs, and observe the potential detection opportunities. To aid in this process, we’re sharing PANIX, a Linux persistence tool that Ruben Groenewoud of Elastic Security developed. PANIX simplifies and customizes persistence setup to test potential detection opportunities.
https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms
edr-artifacts: catalog of network and host artifacts associated with various EDR products' "shell" and response functionalities
SecurityAura and Chris detail a novel use case which might be worth hunting for.
This repository is meant to catalog network and host artifacts associated with various EDR products "shell" and response functionalities.
The goal of this project is to assist incident responders, detection engineers, and threat hunters in finding signs of non-approved EDRs being leveraged in their environment outside enumerating installed software.
There have been several instances where threat actors have introduced their own Endpoint Detection and Response (EDR) solutions for Command and Control (C2) purposes, each with its own nuances:
Utilizing EDR trial versions.
Conducting fraudulent non-trial setups using virtual payment methods.
Repurposing compromised victim EDR consoles for malicious activities against other organizations.
https://github.com/cbecks2/edr-artifacts
Defence
How we proactively defend our environments.
Password policies and account restrictions in Microsoft Entra ID
From the TIL bucket, and likely something cyber defence teams will want to dig into, as you can see how this could go adverse.
By default, administrator accounts are enabled for self-service password reset, and a strong default two-gate password reset policy is enforced. This policy may be different from the one you defined for your users, and this policy can't be changed. You should always test password reset functionality as a user without any Azure administrator roles assigned.
…
You can disable the use of SSPR for administrator accounts using the Update-MgPolicyAuthorizationPolicy PowerShell cmdlet. The -AllowedToUseSspr:$true|$false parameter enables/disables SSPR for administrators. Policy changes to enable or disable SSPR for administrator accounts can take up to 60 minutes to take effect.
Security mitigation for the Common Log Filesystem (CLFS)
Microsoft introducing HMAC to mitigate the attack surface.
Instead of trying to validate individual values in logfile data structures, this security mitigation provides CLFS the ability to detect when logfiles have been modified by anything other than the CLFS driver itself. This has been accomplished by adding Hash-based Message Authentication Codes (HMAC) to the end of the logfile. An HMAC is a special kind of hash that is produced by hashing input data (in this case, logfile data) with a secret cryptographic key. Because the secret key is part of the hashing algorithm, calculating the HMAC for the same file data with different cryptographic keys will result in different hashes.
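To make the mechanism described above concrete, here is an added toy model (my code, not Microsoft's CLFS implementation): a keyed HMAC-SHA256 tag is appended to a serialised log body, verification recomputes it, and both an out-of-band edit and a tag produced under a different key fail the check. The record layout and key handling are assumptions for illustration only.

```python
import hmac
import hashlib
import secrets

TAG_LEN = hashlib.sha256().digest_size   # 32 bytes appended to the end of the "logfile"

# Constructed toy log records; the real CLFS on-disk structures are not modelled here.
LOG_RECORDS = [
    b"record-0001|open handle",
    b"record-0002|write 4096 bytes",
    b"record-0003|close handle",
]

def seal_logfile(records: list[bytes], key: bytes) -> bytes:
    """Serialise the records and append an HMAC over the whole body under `key`."""
    body = b"\n".join(records)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag

def verify_logfile(blob: bytes, key: bytes) -> bool:
    """Recompute the tag over everything except the trailing TAG_LEN bytes; constant-time compare."""
    if len(blob) < TAG_LEN:
        return False
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)

def demo():
    """Returns (untouched file verifies, tampered file rejected, wrong key rejected)."""
    key = secrets.token_bytes(32)               # only the "driver" holds this
    sealed = seal_logfile(LOG_RECORDS, key)
    intact_ok = verify_logfile(sealed, key)
    # Flip one bit inside the body: any edit made without the key invalidates the tag.
    tampered = bytearray(sealed)
    tampered[10] ^= 0x01
    tamper_detected = not verify_logfile(bytes(tampered), key)
    # Same data, different key: the tag differs, so a forger cannot reseal without the secret.
    wrong_key_ok = verify_logfile(sealed, secrets.token_bytes(32))
    return intact_ok, tamper_detected, wrong_key_ok
```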
Incident Writeups & Disclosures
How they got in and what they did.
Nothing this week
Vulnerability
Our attack surface.
Eucleak - side-channel vuln in Infineon Technologies, affects Yubikey
Thomas Roche details a vulnerability which some will be concerned with and others will mitigate.
The attack requires physical access to the secure element (a few local electromagnetic side-channel acquisitions, i.e. a few minutes, are enough) in order to extract the ECDSA secret key. In the case of the FIDO protocol, this allows a clone of the FIDO device to be created.
…
All YubiKey 5 Series (with firmware version below 5.7) are impacted by the attack and in fact all Infineon security microcontrollers (including TPMs) that run the Infineon cryptographic library (as far as we know, any existing version) are vulnerable to the attack. These security microcontrollers are present in a vast variety of secure systems – often relying on ECDSA – like electronic passports and crypto-currency hardware wallets but also smart cars or homes. However, we did not check (yet) that the EUCLEAK attack applies to any of these products.
Zyxel security advisory for OS command injection vulnerability in APs and security router devices
… yep!
The improper neutralization of special elements in the parameter “host” in the CGI program of some AP and security router versions could allow an unauthenticated attacker to execute OS commands by sending a crafted cookie to a vulnerable device.
Evil MSI. A story about vulnerabilities in MSI Files
Michael Zhmailo covers the attack surface in glorious detail..
There may be various vulnerabilities inside MSI files, most of which will lead to privilege escalation. These include both logical vulnerabilities: DLL/TypeLib/COM/Exe File/Script/etc hijacking, PATH Abusing, and vulnerabilities of the MSI file format itself: Custom Actions Abuse, abandoned credentials, privileged child processes.
https://cicada-8.medium.com/evil-msi-a-long-story-about-vulnerabilities-in-msi-files-1a2a1acaf01c
Bypassing the gate: A closer look into Gatekeeper flaws on macOS
Jamf Threat Labs show there is still vulnerability to be found..
Some time ago, Jamf Threat Labs discovered a Gatekeeper vulnerability affecting Launch Services in macOS that may lead to the execution of an unsigned and unnotarized application without displaying appropriate security prompts to the user. We reported our findings to Apple, and in macOS Sonoma 14.0, Apple patched the vulnerability, assigning it CVE-2023-41067.
While exploring this issue, our research also identified similar issues in “The Unarchiver”, a popular application for handling many different archive formats, which completely bypasses all of Gatekeeper’s checks. We reported our findings to MacPaw and were subsequently assigned CVE-2023-46270 and CVE-2024-22405 due to a bug in the open-source XADMaster library.
https://www.jamf.com/blog/gatekeeper-flaws-on-macos/
Offense
Attack capability, techniques and trade-craft.
Red Reaper: Building an AI Espionage Agent
Conceptually interesting if adopted by adversaries.. real-world efficacy unknown..
Red Reaper Espionage AI autonomously uncovers key espionage data, from wire transfers and blackmail opportunities to sensitive mergers and confidential negotiations, showcasing autonomous capabilities in nefarious intelligence collections. The Red Reaper proof-of-concept (PoC) serves as a powerful example of the potential AI-driven threats sophisticated adversaries are already harnessing or interested in developing.
https://www.cybermongol.ca/frontier-research/red-reaper-building-an-ai-espionage-agent
The state of sandbox evasion techniques in 2024
Highlights that a pretty low cost way is still very effective in 2024..
A lot of these techniques are well known by antivirus solutions, and even if they do detect sandboxes, the added scrutiny associated with our totally legitimate program being classified as malicious is not worth the tradeoff. Furthermore, even the techniques that are not directly considered to be malicious don't detect every sandbox we encountered. Although some candidates, like Local Descriptor Table location or mouse movements, can detect most sandboxes, couldn't we use something simpler and less known?
https://fudgedotdotdot.github.io/posts/sandbox-evasion-in-2024/sandboxes.html
Exploitation
What is being exploited.
A public secret : Research on the CVE-2024-30051 privilege escalation vulnerability in the wild
Chinese reporting on this in the wild exploitation..
The CVE-2024-30051 vulnerability was first discovered by Kaspersky, but what Kaspersky discovered initially was not an in-the-wild sample, but a simple analysis report of the vulnerability that was uploaded to vt. Later, we found the actual sample (c4dd780560091c8d2da429c7c689f84b) used by QakBot through the characteristics of the vulnerability in the relevant report. The running effect is shown below. It is interesting that the leaked analysis report and the vulnerability sample appeared in vt on 2024/04/01 and 2024/04/18 respectively. Considering that the actual attack process of the sample is almost the same as that described in the document, and 18 days is too short, we believe that the sample was not developed by a third-party attacker after obtaining the document, but should be the original vulnerability exploitation sample described in the document.
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
Autok-Extension
Alfredo Ortega gives us a hint of the future of human-machine teaming in vulnerability research.
Autok-Extension is a Visual Studio Code extension that implements the algorithm from Autokaker. This extension helps developers by automatically identifying and reporting bugs in their code, leveraging advanced AI techniques.
https://github.com/ortegaalfredo/autok-extension
Advanced Cyberchef Techniques - Defeating Nanocore Obfuscation With Math and Flow Control
Lovely walkthrough here..
Today we will be investigating such features and how they apply to defeating the obfuscation of a recent .vbs loader for Nanocore malware. Our Analysis and Deobfuscation Will Cover...
ASCII Charcodes and Character Conversions
Alternating Decimal and Hex Values
Alternating Mathematical Operations (Addition/Division)
Flow Control and Isolation of Values Using Subsections.
Lots of regex!
Next-Level Reversing: Binary Ninja + Time Travel Debugging
Walkthrough on how to set up and use..
Personally I feel like this is a huge step for reversing because it helps us quickly focus on the code that got executed and debug to our heart’s content. We can see exactly where a function got called statically in HLIL, and we can time-travel to the beginning and end of every function call to help understand inputs and outputs.
https://seeinglogic.com/posts/binary-ninja-ttd-intro/
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Aggregate reporting
Nothing overly standout this week.
Showing the Receipts: Understanding the Modern Ransomware Ecosystem
https://github.com/cablej/showing-the-receipts
The silent heist: cybercriminals use information stealer malware to compromise corporate networks
Reimagining Cyber Arms Control - Stimson Centre
Artificial intelligence
Books
Nothing this week
Events
Bolstering Data Center Growth, Resilience, and Security - Event recording
Unless stated otherwise, linked or referenced content does not necessarily represent the views of the NCSC and reference to third parties or content on their websites should not be taken as endorsement of any kind by the NCSC. The NCSC has no control over the content of third party websites and consequently accepts no responsibility for your use of them.
This newsletter is subject to the NCSC website terms and conditions which can be found at https://www.ncsc.gov.uk/section/about-this-website/terms-and-conditions and you can find out more about how we will treat your personal information in our privacy notice at https://www.ncsc.gov.uk/section/about-this-website/privacy-statement.