Welcome to the weekly highlights and analysis of theblueteamsecsubreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week it has once again been around edge network devices being exploited for initial access. Just a reminder we put out in February Products on your perimeter considered harmful (until proven otherwise). See this weeks reflections on what we might choose to explore collectively with vendors..
In the high-level this week:
'NCSC Cyber Series' podcast now available on Spotify - “A new podcast series from the NCSC, which features insights from our in-house cyber security experts and lively discussion with a range of external guests, is now available to listen to.“ - I did one with Viscount Camrose, Minister for Artificial Intelligence (AI),
Proposed bill would block large ransomware payments by financial institutions - American Bankers Association Banking Journal reports - ”The bill focuses on financial market utilities, large securities exchanges and certain technology service providers essential for banks’ core processing services, according to a summary of the legislation.”
Boards of directors: The final cybersecurity defense for industrials - McKinsey, from March - interesting line here “Another key component is to ensure accountability and reporting. Cyber teams, and the executives they report to, spend a huge amount of time and effort preparing reports for the board. Boards should make sure the security team feels the mantle of accountability to deliver on what they promised.” - Boards also have a responsibility and accountability.
Reminder, here at NCSC, we publish Introduction to cyber security for board members.
Evidence-based cybersecurity policy? A meta-review of security control effectiveness - University of Edinburgh and Collation Inc - gslone provided the tl;dr of “We found little evidence regarding the efficacy of off-the-shelf security solutions, such as specific firewalls or antivirus products. Instead the evidence suggested that the most effective security interventions concern system configuration and maintenance. In particular, an organisation’s attack surface is the strongest predictor of cyber incidents. Attack surface can be reduced by a range of hardening measures. Patch cadence was the second strongest predictors of cyber incidents.”
Cambodia’s Cyber-Slavery Trafficking Denials Reflect Official Complicity, Experts Say - The Diplomat reports - “The victims often don’t know where they are really going. Some have reported that they thought they were going to work in Thailand. When they arrive, they find themselves transferred to closed compounds in countries, including Cambodia, Myanmar, and Laos. Their real task is to trick people who are trying to start a new relationship online into parting with their money.”
ENISA Foresight Cybersecurity Threats For 2030 - Update 2024 - ENISA - “The trend of the increased political power of non-state actors is characterised by the anticipation that global interconnectedness will accelerate, fostering interactions among nonstate actors at a pace that may surpass the regulatory capacity of nation-states. This acceleration is expected to result in a diminishing influence of traditional nation-states, particularly in their ability to control and regulate these evolving forms of interactions. While the trend points towards an increase in the political power of non-state actors, there are nuanced perspectives. Positive elements include state initiatives to assert control, and cyber diplomacy is seen as a mitigating force against potential adverse consequences”
World-first “Cybercrime Index” ranks countries by cybercrime threat level - Oxford University analysis - “shows that a relatively small number of countries house the greatest cybercriminal threat. Russia tops the list, followed by Ukraine, China, the USA, Nigeria, and Romania.”
Suncorp’s bank suffers breach, customer funds stolen - Financial Review reports - “Insurance and banking conglomerate Suncorp is dealing with a cyber breach where an intruder has accessed some customers’ bank balances and withdrawn funds. The institution has repaid affected account holders in full.”
EU on a Coordinated Implementation Roadmap for the transition to Post-Quantum Cryptography - European Union,
The ‘Com World War’ - 404 Media reports - “it was part of a recent wave of violence sweeping across Com, a nebulous online community and culture of predominantly young hackers, criminals, and gamers that has emerged as one of the most pressing cybersecurity issues facing law enforcement today.“
Defending Democracy
A new approach to the fight against disinformation - Ministry of Digitization in Poland -
Creation of a complementary team of experts, which will include: fact checkers, experts in geopolitics, experts in political and social sciences, OSINT experts, data analysts, linguists;
Shifting the focus from content analysis to behavioral patterns will allow for a more effective assessment of the scale of the phenomenon. The set of countermeasures will also be expanded;
…
Education, education, education! Additionally, training for officials and police officers.
Reporting on/from China
Journal of Cyber Security - a Chinese journal with this specific paper - Survey on Vulnerability Detection Research Based on Deep Learning -
China Tells Telecom Carriers to Phase Out Foreign Chips in Blow to Intel, AMD - The Wall Street Journal reports - “The deadline given by China’s Ministry of Industry and Information Technology aims to accelerate efforts by Beijing to halt the use of such core chips in its telecom infrastructure. The regulator ordered state-owned mobile operators to inspect their networks for the prevalence of non-Chinese semiconductors and draft timelines to replace them, the people said.“
The Information Society, Volume 40, Issue 2 (2024) - China’s digital expansion in the Global South: Special issue including papers such as:
Chinese digital platform companies’ expansion in the Belt and Road countries
Alibaba in Mexico: Adapting the digital villages model to Latin America
China’s expansion into Brazilian digital surveillance markets
What do China’s revised data export regulations mean for Europe? - Azure Forum Strategic Insights analysis on a topic covered here previously - “The new rules will make life much easier for data exporters, as they raise thresholds for security reviews and other procedures, create exemptions for specific data export activities, and clarify areas of uncertainty.”
Chinese AI expert proposal - a copy in Chinese
Artificial intelligence
Deploying AI Systems Securely: Best Practices for Deploying Secure and Resilient AI Systems - US, UK, Canada, Australia and New Zealand cyber security agency co-signed production - a guide..
LLM Agents can Autonomously Exploit One-day Vulnerabilities - Academic paper - of note is they are primarily text based injection vulnerability classes.
Proposed principles to guide competitive AI markets and protect consumers - from the UK’s Competition and Markets Authority - ”The report also cautions that if competition is weak or developers fail to heed consumer protection law, people and businesses could be harmed. For example, people could be exposed to significant levels of false and misleading information and AI-enabled fraud. In the longer term, a handful of firms could use FMs to gain or entrench positions of market power and fail to offer the best products and services and/or charge high prices.”
Basic Safety Requirements for Generative Artificial Intelligence Services - from Georgetown Center for Security and Emerging Technology - “translation of a Chinese standard for generative AI that establishes very specific oversight processes that Chinese AI companies must adopt in regard to their model training data, model-generated content, and more.”
Artificial intelligence and the changing demand for skills in the labour market - OECD - “The results show that the skills most demanded in occupations highly exposed to AI are management and business skills. These include skills in general project management, finance, administration and clerical tasks. The results also show that there have been increases over time in the demand for these skills in occupations highly exposed to AI. For example, the share of vacancies in these occupations that demand at least one emotional, cognitive or digital skill has increased by 8 percentage points. However, using a panel of establishments (which induces plausibly exogenous variation in AI exposure), the report finds evidence that the demand for these skills is beginning to fall.”
Successful and timely uptake of artificial intelligence in science in the EU - European Union -
Cyber proliferation
EU Finance Ministers set in motion EIB Group Action Plan to further step-up support for Europe’s security and defence industry - European Investment Bank - what this means for offensive cyber will be interesting.
Bodnar provided data about Pegasus. "578 people" - Polish press reports - “Prosecutor General Adam Bodnar provided the Marshal of the Senate with information about the operational audit carried out in 2023. Bodnar added that the three services also used "operational control of the terminal device" against 578 people in the years 2017-2022. According to information from Wirtualna Polska, it is about surveillance with Pegasus.”
Bounty Hunting
Treasury Targets Hamas UAV Unit Officials and Cyber Actor - US Treasury - “Al-Kahlut leads the cyber influence department of al-Qassam Brigades. He was involved in procuringservers and domains in Iran to host the official al-Qassam Brigadeswebsite in cooperation with Iranian institutions.”
Security officer received nine years in prison from hackers - Kommersant reports - “For bribery, ex-FSB officer lost his freedom and real estate .. he patronized a group of hackers, from which he received bribes totaling 160 million rubles. The security officer’s “wards” were convicted last week for illegal circulation of payment funds, and Mr. Tsaregorodtsev received nine years in a maximum security colony and must pay a fine of 320 million rubles.”
Former Security Engineer Sentenced To Three Years In Prison For Hacking Two Decentralized Cryptocurrency Exchanges - US Department of Justice - “Today, Shakeeb Ahmed was sentenced to prison in the first ever conviction for the hack of a smart contract and ordered to forfeit all of the stolen crypto. No matter how novel or sophisticated the hack,thisOffice and our law enforcement partners are committed to following the money and bringing hackers to justice. And as today’s sentence shows, time in prison — and forfeiture ofallthe stolen crypto — is the inevitable consequence of such destructive hacks.”
SoCal Man Arrested on Federal Charges Alleging He Schemed to Advertise and Sell ‘Hive’ Computer Intrusion Malware - US Department of Justice - “The indictment alleges an agreement between the malware’s creator and Chakhmakhchyan in which Chakhmakhchyan would post advertisem*nts for the Hive remote access trojan (RAT) on the “Hack Forums” website, accept Bitcoin payments for licenses to use the Hive RAT, and provide customer service to those who purchased the licenses.”
AFP traps alleged RAT developer - “The RAT was allegedly initially marketed under the name ‘Firebird’, providing users with the ability to remotely access and control their victims’ computers without their knowledge. The AFP will allege the Australian man developed and sold ‘Firebird’ to customers on a dedicated hacking forum.
Reflections this week are if we need a minimum set of expectations around appliance and embedded device telemetry, observability and forensic enablement including volatile collection? It all feels rather complex, expensive and artisanal from a cyber defenders perspective at the moment and we likely need to bake in some capability in preparation for when cyber events involve appliances/embedded devices.
Not getting this via email? Subscribe:
Think someone else would benefit? Share:
Share
All attribution is by others and not the UK Government unless specifically stated as such, please see the legal text at the end.
Have a lovely Saturday..
Ollie
Who is doing what to whom and how allegedly.
APT44: Unearthing Sandworm
Mandiant alleges that Russian has had rather scaled operations.
Sponsored by Russian military intelligence, APT44 is a dynamic and operationally mature threat actor, actively engaged in the full spectrum of espionage, attack, and influence operations.
APT44 has aggressively pursued a multi-pronged effort to help the Russian military gain a wartime advantage and is responsible for nearly all of the disruptive and destructive operations against Ukraine over the past decade.
We assess with high confidence that APT44 is seen by the Kremlin as a flexible instrument of power capable of servicing Russia's wide ranging national interests and ambitions, including efforts to undermine democratic processes globally.
Due to the group’s history of aggressive use of network attack capabilities across political and military contexts, APT44 presents a persistent, high severity threat to governments and critical infrastructure operators globally where Russian national interests intersect
https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf
Kapeka: A novel backdoor spotted in Eastern Europe
Mohammad Kazem Hassan Nejad details a new implant allegedly from a Russian state actor with a hint of destructive operations.
[We] discovered overlaps between Kapeka, GreyEnergy, and Prestige ransomware attacks which are all reportedly linked to a group known as Sandworm. WithSecure assesses it is likely that Kapeka is a new addition to Sandworm’s arsenal. Sandworm is a prolific Russian nation-state threat group operated by the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). Sandworm is particularly notorious for its destructive attacks against Ukraine in pursuit of Russian interests in the region.
It is likely that Kapeka was used in intrusions that led to the deployment of Prestige ransomware in late 2022. It is probable that Kapeka is a successor to GreyEnergy, which itself was likely a replacement for BlackEnergy in Sandworm’s arsenal.
https://labs.withsecure.com/publications/kapeka
Reporting on China
Analysis of the APT31 indictment
Harfang Lab provide an analysis of the US Government indictment and alleged there that Chinese state actors have been creating front companies as covers for their state activity.
We gave the indictment a careful read, as such documents always reveal valuable tradecraft information. Key takeaways are:
APT31 is attributed to the Hubei State Security Department, located in Wuhan;
Around 2010, APT31 created a front company named “Wuhan XRZ” and used it as a cover for its cyber operations. Another local company, “Wuhan Liuhe” (not accused of being an MSS front), provided support;
APT31 created and used the RAWDOOR malware, handled a few other malware families used by other Chinese-speaking threat actors, and more recently started using cracked versions of CobaltStrike;
The group favors a two-band approach to hacking, and goes after subsidiaries, MSPs or spouses of its targets as a means of initial access.
https://harfanglab.io/en/insidethelab/apt31-indictment-analysis/
East Asia threat actors employ unique methods
Microsoft come out with a detailed analysis of activity which they attribute to threat actors in East Asia including China. The scale and breadth are of note.
Gingham Typhoon targets government, IT, and multinational entities across the South Pacific Islands
Chinese threat actors retain focus on South China Sea amid Western military exercises
Nylon Typhoon compromises foreign affair entities worldwide
Chinese threat group targets military entities and critical infrastructure in the United States
LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India
Dmitry Melikov attributes this implant framework to an alleged China based threat actor. Interesting for serval reasons, not least the platform being targeted and the command and control security.
LightSpy is a sophisticated iOS implant, first reported in 2020 in connection with a watering-hole attack against Apple device users.
LightSpy is back: After several months of curious inactivity, the advanced mobile spyware has resurfaced, targeting individuals in Southern Asia.
Expanded capabilities: The latest iteration of LightSpy, dubbed "F_Warehouse", boasts a modular framework with extensive spying features, including:
File theft: LightSpy is capable of stealing files from various popular apps like Telegram, QQ, WeChat, and also targets personal documents and media.
Audio recording: LightSpy can secretly record audio from the infected device.
Data harvesting: LightSpy can collect and exfiltrate browser history, WiFi connection lists, installed application details, and even pictures from the device's camera.
System access: LightSpy can retrieve user KeyChain data and device lists, and execute shell commands for potential full device control.
Chinese origins: Evidence such as code comments and error messages strongly suggest the attackers behind LightSpy are native Chinese speakers, raising concerns about potential state-sponsored activity.
Advanced techniques: LightSpy employs certificate pinning to prevent detection and interception of communication with its command-and-control (C2) server. Thus, if the victim is on a network where traffic is being analyzed, no connection to the C2 server will be established.
Spear phishing email impersonating the Korean Embassy in China - Actively and naturally responds to reply emails and induces malware infection
South Korean analysis of an alleged North Korean campaign, the only notable aspect is they continue to be quite good at social engineering and willing to build relationships before deploying.
APT attack believed to be the work of the North Korean Kimsuky hacking organization
Actively and naturally responds to reply emails and induces malware infection
From Social Engineering to DMARC Abuse: TA427’s Art of Information Gathering
Greg Lesnewich and Crista Giering detail a campaign which they state is aligned to North Korean interests. Further evidence of their social engineer and their attempts to appear legitimate.
TA427 regularly engages in benign conversation starter campaigns to establish contact with targets for long-term exchanges of information on topics of strategic importance to the North Korean regime.
In addition to using specially crafted lure content, TA427 heavily leverages think tank and non-governmental organization-related personas to legitimize its emails and increase the chances that targets will engage with the threat actor.
To craftily pose as its chosen personas, TA427 uses a few tactics including DMARC abuse in concert with free email addresses, typosquatting, and private email account spoofing.
TA427 has also incorporated web beacons for initial reconnaissance of its targets, establishing basic information like that the email account is active.
Reporting on Iran
Vedalia APT group exploits oversized LNK files in malware campaign
Unattributed attack by Broadcom, but noteworthy due to the attempt to evade defensive technologies.
A malware campaign attributed to the Vedalia(also known as Konni) APT group has been observed, employing oversized LNK files. The threat actor utilized double extensions to conceal the original .lnk extension, with the LNK files observed containing excessive whitespace to obscure the malicious command lines. As part of the attack vector, the command line script searched for PowerShell to bypass detection and locate embedded files and the malicious payload..
Connect:fun: New exploit campaign in the wild targets media company
Sai Molige details a campaign which impacted a media company. Noteworthy due to their suggestion this wasn’t mass exploitation but rather a more targeted endeavour.
Here are details of an incident targeting a media company using CVE-2023-48788 with evidence pointing to a possible threat actor active since at least 2022 targeting Fortinet appliances and using Vietnamese and German languages in their infrastructure.
This is evidence the activity is part of a specific campaign rather than an exploit included in automated cybercriminal botnets. From our observations, it appears that the actors behind this campaign are not mass scanning but choosing target environments that have VPN appliances.
https://www.forescout.com/blog/connectfun-new-exploit-campaign-in-the-wild-targets-media-company/
Social Engineering Attacks Targeting IT Help Desks in the [US] Health Sector
US Health Sector Cybersecurity Coordination Center details a campaign where the department tasked with speaking to us all to address our technical needs has been targeted. Noteworthy for this reason and a good lesson in why robust verification processes are needed.
HC3 has recently observed threat actors employing advanced social engineering tactics to target IT help desks in the health sector and gain initial access to target organizations. In general, threat actors continue to evolve their tactics, techniques, and procedures (TTPs) to achieve their goals. HC3 recommends various mitigations outlined in this alert, which involve user awareness training, as well as policies and procedures for increased security for identity verification with help desk requests.
https://www.hhs.gov/sites/default/files/help-desk-social-engineering-sector-alert-tlpclear.pdf
eXotic Visit campaign: Tracing the footprints of Virtual Invaders
Lukas Stefanko details a mobile campaign which is unattributed. The number of victims will be of interest as well as the anti-detection strategies.
This active and targeted Android espionage campaign, which we have named eXotic Visit, started in late 2021 and mainly impersonates messaging apps that are distributed through dedicated websites and Google Play.
Overall, at the time of writing, around 380 victims have downloaded the apps from both sources and created accounts to use their messaging functionality. Because of the targeted nature of the campaign, the number of installs of each app from Google Play is relatively low – between zero and 45.
Downloaded apps provide legitimate functionality, but also include code from the open-source Android RAT XploitSPY. We have linked the samples through their use of the same C&C, unique and custom malicious code updates, and the same C&C admin panel.
Throughout the years, these threat actors have customized their malicious code by adding obfuscation, emulator detection, hiding of C&C addresses, and use of a native library.
The region of interest seems to be South Asia; in particular, victims in Pakistan and India have been targeted.
Currently, ESET Research does not have enough evidence to attribute this activity to any known threat group; we track the group internally as Virtual Invaders.
“Why are you out there?” Package malware that modifies the Notepad++ plugin (WikiLoader)
Interesting campaign detailed here out of South Korea where open source has been repackaged. No attribution, but useful to understand.
[We] recently confirmed that “mimeTools.dll,” a basic plugin for Notepad++, had been altered and distributed. The malicious mimeTools.dll file was included in the installation file of a specific version of the Notepad++ package and disguised as a normal package file. mimeTools is a module that performs encoding functions such as Base64, as shown in the image below, and is included by default without the user having to add it separately.
The attacker added the encrypted malicious shell code and the code to decrypt and execute it to mimeTools.dll. The image below compares the files included in the normal notepad++ package and the malicious package. As we will see later, the certificate.pem file is the file that contains malicious shell code.
Open Source Security (OpenSSF) and OpenJS Foundations Issue Alert for Social Engineering Takeovers of Open Source Projects
Robin Bender Ginn details another example where open source projects were targeted. Where others innovate we can expect others to immiate.
The OpenJS Foundation Cross Project Council received a suspicious series of emails with similar messages, bearing different names and overlapping GitHub-associated emails. These emails implored OpenJS to take action to update one of its popular JavaScript projects to “address any critical vulnerabilities,” yet cited no specifics. The email author(s) wanted OpenJS to designate them as a new maintainer of the project despite having little prior involvement. This approach bears strong resemblance to the manner in which “Jia Tan” positioned themselves in the XZ/liblzma backdoor.
SteganoAmor campaign: TA558 mass-attacking companies and public institutions all around the world
Aleksandr Badaev and Kseniya Naumova detail the current campaign of a financially motivate actor. Victimology is interesting also..
The group istargeting various countries around the world inaddition toits priority region ofLatin America.
Ituses long chains that incorporate avariety oftools and malware: AgentTesla, FormBook, Remcos, LokiBot, Formbook, Guloader, SnakeKeylogger, XWorm, and others.
The group uses compromised legitimate FTP servers forC2, and SMTP servers, for C2and phishing.
The group uses legitimate services tostore malware strings, and images with embedded malicious code.
Inthe course ofour research, wediscovered numerous samples that targeted various economic sectors and countries. Most ofthe email messages wecame across had been sent toLatin America, but aconsiderable percentage were addressed tocompanies inRussia, Romania, Turkey, and some other countries.
How we find and understand the latent compromises within our environments.
Understanding a New Mitigation: Module Tampering Protection - Windows
from 2022 but worth a read
https://windows-internals.com/understanding-a-new-mitigation-module-tampering-protection/
used in
https://github.com/forrest-orr/moneta/commit/aa659951cc2978d4d264da24186816112e20c10d
Amazing observability opportunities for cyber defence because of this. Imagine a world where the xz implant could be caught because of traditional detection rule coupled with rules which trigger on variance in call stack, modules and/or performance.
https://www.elastic.co/de/blog/elastic-universal-profiling-agent-open-source
How we proactively defend our environments.
Advisory: Compliance With DNS Abuse Obligations in the Registrar Accreditation Agreement and the Registry Agreement
New obligations to help tidy up the Internet.
The examples set forth below are illustrative only and are not intended to limit the possible mitigation actions. In all cases, whenever ICANN Contractual Compliance initiates an investigation, registrars and registry operators must provide evidence demonstrating compliance with the relevant RAA and RA requirements.
https://www.icann.org/resources/pages/advisory-compliance-dns-abuse-obligations-raa-ra-2024-02-05-en
Now an ESTI standard..
https://www.etsi.org/deliver/etsi_ts/103900_103999/10399401/01.01.01_60/ts_10399401v010101p.pdf
What we need to take away from the XZ Backdoor
OpenSUSE responds with their perspective
openSUSE and SUSE track release artifact signatures with a keyring of trusted signatures. We noticed that the key that the artifacts were signed with changed some time ago, so we had to update our trusted keyring for the XZ project. We validated that there was a maintainer handover and that the new maintainer has direct commit access as well as the ability to sign releases and publish them. The web of trust of this new signing key was not well connected, which could have raised an alert, but it was signed by the previous maintainer and that was sufficient for us.
https://news.opensuse.org/2024/04/12/learn-from-the-xz-backdoor/
New ETSI standard which we contributed to.
Attacks are often conducted by using techniques such as phishing to trick or socially engineer a human operator but using a PAW significantly reduces the likelihood of such attacks being able to gain access to administrative functions.
The present document describes a set of best practices for Privileged Access Workstations (PAWs) that would help industries to achieve a consistent baseline for protecting high privileged interfaces to their systems. PAWs can mitigate many security threats and can reduce the attack surface of an Operator, their vendors and service providers. Standardisation of these concepts will provide greater consistency, ensure that costs can be reduced for all parties and will help to create a common understanding for implementation.
https://www.etsi.org/deliver/etsi_ts/103900_103999/10399401/01.01.01_60/ts_10399401v010101p.pdf
Common Security Operations antipatterns
Wisdom here.
Source:
https://twitter.com/MarkSimos/status/1779149243023753580?t=qgP1dV8xTBYfjcO1iVXcAg&s=19
Interesting, I am curious how valuable in practice.
The ICS Advisory Project is an open-source project to provide DHS CISA ICS Advisories data visualized as a Dashboard and in Comma Separated Value (CSV) format to support vulnerability analysis for the OT/ICS community.
https://www.icsadvisoryproject.com/
Reconstructing Executables Part 1: Between Files and Memory
Denis Nagayuk & Francisco Dominguez provide a valuable work aid in a world of memory-only implants.
In this article, we will discuss the shortcomings of existing techniques and offer an alternative forensic solution for dumping PE (EXE or DLL) images that neither relies on collecting files nor parsing attacker-controlled memory regions.
https://www.huntandhackett.com/blog/reconstructing-executables-part1
How they got in and what they did.
Mike Kosak gives a sense of real-world attacks using Deepfakes. No reason to panic, but some actors are clearly trying..
LastPass itself experienced a deepfake attempt earlier today that we are sharing with the larger community to help raise awareness that this tactic is spreading and all companies should be on the alert. In our case, an employee received a series of calls, texts, and at least one voicemail featuring an audio deepfake from a threat actor impersonating our CEO via WhatsApp. As the attempted communication was outside of normal business communication channels and due to the employee’s suspicion regarding the presence of many of the hallmarks of a social engineering attempt (such as forced urgency), our employee rightly ignored the messages and reported the incident to our internal security team so that we could take steps to both mitigate the threat and raise awareness of the tactic both internally and externally.
https://blog.lastpass.com/posts/2024/04/attempted-audio-deepfake-call-targets-lastpass-employee
Security Incident Involving Duo Supplier
SMS logs for March 2024 downloaded via third-party - a lesson on supply chain security in the cyber security eco-system.
It is our understanding from the Provider that a threat actor gained access to the Provider’s internal systems, on April 1, 2024, using a Provider employee’s credentials that the threat actor illicitly obtained through a phishing attack and used that access to download a set of MFA SMS message logs pertaining to your Duo account. More specifically, the threat actor downloaded message logs for SMS messages that were sent to certain users under your Duo account between March 1, 2024 and March 31, 2024. The message logs did not contain any message content but did contain the phone number, phone carrier, country, and state to which each message was sent, as well as other metadata (e.g., date and time of the message, type of message, etc.)
https://app.securitymsp.cisco.com/e/es?e=2785&eid=opguvrs&elq=bd1c1886a59e40c09915b029a74be94e
Our attack surface.
Showing even the largest cyber security companies wrestle with open source library management security… in their security products no less.
We’ve found an instance of CVE-2022-26377. The (at the time of performing our research) up-to-date version of QRadar (7.5.0 UP7) is definitely vulnerable
https://labs.watchtowr.com/ibm-qradar-when-the-attacker-controls-your-security-stack/
Vulnerability in PuTTy
Not entirely clear how common the configuration is, but a messy issue to clean up in reality if material. Cryptographic vulnerability research in action..
The bad news: the effect of the vulnerability is to compromise the private key. An attacker in possession of a few dozen signed messages and the public key has enough information to recover the private key, and then forge signatures as if they were from you, allowing them to (for instance) log in to any servers you use that key for. To obtain these signatures, an attacker need only briefly compromise any server you use the key to authenticate to, or momentarily gain access to a copy of Pageant holding the key. (However, these signatures are not exposed to passive eavesdroppers of SSH connections.)
https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-p521-bias.html
This vulnerability is the stuff of nightmares whilst appearing to require public disclosure to get the vendor to respond. Both not ideal..
https://trust.delinea.com/?tcuUid=17aaf4ef-ada9-46d5-bf97-abd3b07daae3
CreateRCE — Yet Another Vulnerability in CreateUri
Ben Barnea provides a zero click RCE in Outlook - yes more stuff of nightmares and why we are pushing Privilege Access Workstations.
An attacker on the internet can trigger the vulnerability against Outlook clients without any user interaction (zero-click).
The vulnerability lies in the parsing of a path by the CreateUri function. We are currently aware of two ways to trigger this vulnerability: (1) by sending a crafted email to an Outlook client, or (2) by enticing a user to navigate File Explorer to a folder containing a malicious downloaded file.
The vulnerability was responsibly disclosed to Microsoft and addressed on December 2023’s Patch Tuesday.
Windows machines with the December 2023 software update installed are protected from this vulnerability. Additionally, Outlook clients that use Exchange servers patched with March 2023 software update are protected against the abused feature.
Charles Schwab showing they have 💪
I updated the case with Microsoft with these further findings that you could remotely launch any executable on a host and stopped my investigation here.
https://mpizzicaroli.github.io/missfile/
Attack capability, techniques and trade-craft.
Return of the mac(OS): Transparency, Consent, and Control (TCC) Database Manipulation
Marina Liang summarising the level of macOS sophistication currently..
As we saw with my initial example from Lazarus Group dumping the TCC.db, it is likely that malware authors are decoupling their commands from their malware. VirusTotal will only show malware strings and commands, whereas adversaries can and will run interactive commands when they have access to the system. Yara signatures are also file-based in nature and will not detect fileless behaviors distinct and separate from malware. Having up-to-date antivirus definitions is not enough. Alert on command-line activities that may stem from interactive or decoupled activities.
https://interpressecurity.com/resources/return-of-the-macos-tcc/
Chux shows the attack path from cloud to internal network in 2024.
https://medium.com/@red.whisperer/from-s3-bucket-to-internal-network-operation-8073954932b4
Understanding ETW Patching
Jonathan Johnson gives us a good reminder of this technique, I also wrote code 3 years ago to detect this style of attack.
As of late, I have gotten a lot of questions around Event Tracing for Windows (ETW) patching, specifically the following questions:
Which ETW providers can be patched (kernel-mode vs. user-mode)?
What does it mean to actually patch out an ETW Provider?
How can you detect ETW patching?
https://jsecurity101.medium.com/understanding-etw-patching-9f5af87f9d7b
What is being exploited.
Yes.. this is this weeks example of edge device trauma..
https://unit42.paloaltonetworks.com/cve-2024-3400/
https://security.paloaltonetworks.com/CVE-2024-3400
https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
A trick, the story of exploiting CVE-2024-26230
k0shl walks through advanced Windows escalation of priviate exploitation including the bypass of XFG
As for now, I make heap fengshui and control the all content of the heap hole with the controllable registry key value, and for bypassing XFG mitigation, I need to first leak the low 32-bits address by setting the MIDL_user_allocate function address in key value, and then set the VirtualAlloc function address in key value, obviously, it doesn't end if I allocate 32-bits address succeed, I need to invoke "TUISPIDLLCallback" multiple times to complete bypassing XFG mitigation. The good news is that I could control the timing of "use", so all I need to do is free the registry key value heap, set the new key value with the target function address, allocate a new key value heap, and use it again.
https://whereisk0shl.top/post/a-trick-the-story-of-cve-2024-26230
Interesting vendor response..
The vendor, Foxit Software, has replied to my email. It seems to me that they've acknowledged the issues and they will address them, but not going to release a security advisory. Anyway.. I copied the email directly as the following, as there's no need to redact for personal information.
https://justhaifei1.blogspot.com/2024/04/expmon-detected-zero-day-pdf-sample.html
Low level tooling and techniques for attack and defence researchers…
KExecDD: Admin to Kernel code execution using the KSecDD driver
Florian shows how deep the TCB rabbit hole goes.
The Kernel Security Support Provider Interface (KSecDD.sys) allows the Local Security Authority Server Service (LSASS) to execute arbitrary kernel-mode addresses using the
IOCTL_KSEC_IPC_SET_FUNCTION_RETURNoperation.
https://github.com/floesen/KExecDD
Some other small (and not so small) bits and bobs which might be of interest.
Aggregate reporting
Higher-order Virtual Machine (HVM) - “Essentially, HVM is a minimalist functional language that is compiled to a novel runtime based on Interaction Nets. This approach is not only memory-efficient (no GC needed), but also has two significant advantages: automatic parallelism and beta-optimality.”
Applied Thinking for Intelligence Analysis - older but valuable - “This book provides a grounding in critical thinking and decision-making relevant to intelligence analysis, offering insights and techniques to help analysts make well-reasoned, supported judgements.”
UK Policing Areas of Research Interest - “Our ARIs capture priority science, technology, analysis and research challenges that, if addressed, will in our view significantly improve policing performance.“
Artificial intelligence
High-throughput optical neural networks based on temporal computing - from December 2023, but one to think about..
Books
Nothing this week.
Events
Nothing this week.
Unless stated otherwise, linked or referenced content does not necessarily represent the views of the NCSC and reference to third parties or content on their websites should not be taken as endorsem*nt of any kind by the NCSC. The NCSC has no control over the content of third party websites and consequently accepts no responsibility for your use of them.
This newsletter is subject to the NCSC website terms and conditions which can be found at https://www.ncsc.gov.uk/section/about-this-website/terms-and-conditions and you can find out more about how will treat your personal information in our privacy notice at https://www.ncsc.gov.uk/section/about-this-website/privacy-statement.
Thanks for reading CTO at NCSC - Cyber Defence Analysis! Subscribe for free to receive new posts and support my work.
