Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.

Operationally this week nothing overly of note, the usual cyber cha cha cha continues. Well that and what seems to be an uptick in criminal CNI targeting as evidenced by the reporting contained within.

In the high-level this week:

• A Front Row View of the NSA: Reflections from General Paul M. Nakasone (video also available) - “I think the first thing I would say on SolarWinds is when you’re doing an intelligence operation, you never want to get caught. And they got caught. And so I think that should be perhaps the story that goes with SolarWinds”

• White House orders federal agencies to shore up cybersecurity, warns of potential exposure - “Multiple federal departments and agencies have, as of the end of June, “failed to fully comply” with critical security practices prescribed by the executive order, “leaving the U.S. Government exposed to malicious cyber intrusions and undermining the example the Government must set for adequate cybersecurity practices,” national security adviser Jake Sullivan said in a memo to Cabinet secretaries this week”.

• Office of the National Cyber Director Requests Public Comment on Open-Source Software Security and Memory Safe Programming Languages - RFI seeks public and private sector input as federal leadership develops its strategy and action plan to strengthen the open-source software ecosystem

• Executive Order on Addressing United States Investments in Certain National Security Technologies and Products in Countries of Concern -  “I therefore find that advancement by countries of concern in sensitive technologies and products critical for the military, intelligence, surveillance, or cyber-enabled capabilities of such countries constitutes an unusual and extraordinary threat to the national security of the United States”

• Cyber security researchers become target of criminal hackers - this is some mixed reporting which tries to tie together various discrete events into a theme.

• Analysis of the 2022 US-European Cyber ​​​​Exercise - a Chinese analysis - “Through the network offensive and defensive exercises in the current era of great power competition, exploring the countermeasures and coping rules, and finally reversely supporting conventional operations in other combat domains, will become a major trend in future joint operations and all-domain operations, which will also set the stage for future network operations. The technical and tactical development of combat provides relevant support and reference significance” - China is watching..

• Defense of Japan in 2023 - “Reinforce the defense posture to respond to increasingly sophisticated, skillful cyber attacks” and the take away their cyber budget (page 21) is 1 trillion Yen over 5 years or $6 billion dollars (I think).

  • Japan Defense Ministry seeks 500 staffers for cybersecurity

• The 2023 National Intelligence Strategy (NIS) - provides the Intelligence Community (IC) with strategic direction from the Director of National Intelligence (DNI) for the next four years

  • The IC Data Strategy 2023-2025 - I think we have all written similar bullets

    • Perform End-to-End Data Management

    • Deliver Data Interoperability and Analytics at Speed and Scale

    • Advance All Partnerships for Continued Digital and Data Innovation

    • Transform the IC Workforce to be Data-Driven

• Administrator of ‘Bulletproof’ Webhosting Domain Charged in Connection with Facilitation of NetWalker Ransomware - If convicted on all counts, Grabowski faces a maximum penalty of 45 years in prison. The indictment also notifies Grabowski that the United States is seeking an order of forfeiture in the amount of $21.5 million

• A pro-innovation approach to AI regulation – Law Society response - a broad view from the legal sector including:

  • the UK government should introduce a blend of adaptable, principle-based regulation and firm legislation to safeguard societal interests while not impeding technological progression

  • legislation should focus on and clearly define ‘high-risk contexts’, ‘dangerous capabilities’ and ‘meaningful human intervention’ in AI

  • divergence, duplication and fragmentation should be reduced by ensuring alignment across sectors and internationally

• China unveils its ‘Interim Measures for the Management of Generative Artificial Intelligence Services’ - article 4 seems broadly sensible - it is (1) which will cause issue in our free and open society - “Adhere to the core values ​​of socialism, and must not generate incitement to subvert state power, overthrow the socialist system, endanger national security and interests, damage national image, incite secession, undermine national unity and social stability, promote terrorism, extremism, promote Content prohibited by laws and administrative regulations such as ethnic hatred, ethnic discrimination, violence, obscenity, and false harmful information;”

• Battening Down the Hatches: Moldova’s Cyber Defence - Efforts by Moldova’s government and international actors have begun to build the country’s cyber capacity. Nonetheless, several factors mean Moldova remains vulnerable to cyber operations.

• Ukraine tackles ten major Russia’s cyber attacks weekly – Ukraine’s cybersecurity chief - “Zhora outlined five distinct phases of Russia’s cyber war. Starting before the ground invasion in January 2022, the first phase involved info-destroying malware targeting Ukraine’s IT infrastructure. Subsequent phases saw increased sophistication in attacks, including distributed denial of service (DDoS) attacks and attempts to disrupt critical infrastructure, telecommunications, and public-sector organizations.”

• Reform of Cybersecurity Professional Training System in Ukraine: Next 15 Professional Standards Drafted - supported by the USAID Cybersecurity for Critical Infrastructure in Ukraine Activity, [we] have drafted 15 new occupational standards

• What Are the Future Implications of Russia-Ukraine Cyber Conflict for East Asia? - Expect China to learn from Ukraine’s success and seek to prepare the environment for a conflict of their choosing. While cyber operations will continue to be useful tools of repression, there is little that these hybrid tools can do on the battlefield to aid a conventional invasion. 

• James Bond’s job safe as GCHQ scientist says AI can only do ‘extremely junior’ spying - “According to a paper jointly written by the chief data scientist at GCHQ, Britain’s Cheltenham-based eavesdropping agency, chatbots such as ChatGPT are only good enough to replace “extremely junior” intelligence analysts.”

• The Next Frontier in AI Regulation Is Procedure -

The first reflection this week comes from reading the book Fancy Bear Goes Phishing: The Dark History of the Information Age, in Five Extraordinary Hacks. The concept tools that the author employs (up code, down code and meta code) in order to convey some of the concepts to a non-technical audience is a masterstroke and something to be learnt from as we continue our pursuit for a whole of society approach to cyber resilience.

The second is the level of applied research around ML/AI in cyber offensive and defensive use cases is notable both in terms of size and velocity. Read the footnotes section and you see the wide water front where there is potential for disruption. This is notwithstanding the newness and thus inherent vulnerability of some of these new approaches/systems in their own right.

On the interesting job/role front (thanks to those sending me these):

• Data Protection & Privacy Technologist at Mercy Corps, Remote.

• ENISA Seconded National Expert roles in Operational Technologies and Capacity Building

Enjoying this? don’t get via e-mail? Subscribe:

Think someone else would benefit? Share:

Share

Have a lovely Sunday (yes, late and just in time this week)

Ollie

Cyber threat intelligence

Who is doing what to whom and how.

Russia

MoustachedBouncer: Espionage against foreign diplomats in Belarus

Matthieu Faou details a Belarusian state aligned threat actor. The key takeaway is the home turf advantage employed i.e. the use of the national telecommunications lawful intercept capabilities to perform Adversary in the Middle attacks.

• MoustachedBouncer has been operating since at least 2014.

• We assess with medium confidence that they are aligned with Belarus's interests.

• MoustachedBouncer specializes in the espionage of foreign embassies in Belarus.

• MoustachedBouncer has used the adversary-in-the-middle technique since 2020 to redirect captive portal checks to a C&C server and deliver malware plugins via SMB shares.

• We believe that MoustachedBouncer uses a lawful interception system (such as SORM) to conduct its AitM operations.

• We assess with low confidence that MoustachedBouncer is closely cooperating with Winter Vivern, another group targeting European diplomats but using different TTPs.

• Since 2014, the group has been operating a malware framework that we have named NightClub. It uses the SMTP and IMAP (email) protocols for C&C communications.

• Starting in 2020, the group has been using, in parallel, a second malware framework we have named Disco.

• Both NightClub and Disco support additional spying plugins including a screenshotter, an audio recorder, and a file stealer.

https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus

German Embassy Lure: Likely Part of Campaign Against NATO Aligned Ministries of Foreign Affairs

Arda Büyükkaya details a phishing campaign being undertaken by Russia. The actual tradecraft is not noteworthy beyond the use of HTML smuggling.

[We] assess with high confidence that two observed PDF documents are part of an ongoing campaign targeting Ministries of Foreign Affairs of NATO aligned countries. The PDF files masquerade as coming from the German embassy and contained two diplomatic invitation lures. 

One of the PDFs delivered a variant of Duke - a malware that has been linked to Russian state-sponsored cyber espionage activities of APT29. The other file was very likely used for testing or reconnaissance, as it did not contain a payload, but notified the actor if a victim opened the email attachment.  

https://blog.eclecticiq.com/german-embassy-lure-likely-part-of-campaign-against-nato-aligned-ministries-of-foreign-affairs

North Korea

Lazarus Group Launches First Open Source Supply Chain Attacks Targeting Crypto Sector

Yehuda Gelb provides further details on the previously discussed campaign from the Hermit Kingdom. Not entirely sure this is the first - but interesting nevertheless they took the swing.

• This is the first identified instance of a nation-state actor using open source to infiltrate the supply chains.

• The attack made use of social engineering as an entry point using false developer reputations to trick victims into using malicious open-source packages.

• The malicious code was broken up into two different packages to avoid detection, we also observed the attacker improving their payload over time with encoding techniques to avoid static detection.

https://medium.com/checkmarx-security/lazarus-group-launches-first-open-source-supply-chain-attacks-targeting-crypto-sector-cabc626e404e

DPRKs-APT-Code: two ASP files of theirs

Selah provides a couple of server side files used by the Hermit Kingdom. May help active discovery threat researchers.

https://github.com/errbody/DPRKs-APT-Code/tree/main

China

Chinese Entanglement | DLL Hijacking in the Asian Gambling Sector

Aleksandar Milenkoski and Tom Hegel detail an interesting campaign because of the sectoral focus as opposed to the technicalities. You can see a world where a China who wants to control / visibility of its nationals finances that such campaigns against any sector which it sees as enabling illicit finance will only increase.

• [We] identified suspected-Chinese malware and infrastructure potentially involved in China-associated operations directed at the gambling sector within Southeast Asia.

• The threat actors abuse Adobe Creative Cloud, Microsoft Edge, and McAfee VirusScan executables vulnerable to DLL hijacking to deploy Cobalt Strike beacons.

• We’ve observed related malware using the signature of a likely stolen code signing certificate issued to PMG PTE LTD, a Singapore-based vendor of Ivacy VPN services.

• Indicators point to the China-aligned BRONZE STARLIGHT group; however, the exact grouping remains unclear due to the interconnected relationships among various Chinese APT groups.

https://www.sentinelone.com/labs/chinese-entanglement-dll-hijacking-in-the-asian-gambling-sector/

Iran

Bundesamt für Verfassungsschutz

From the German Government.

According to the latest findings from the Federal Office for the Protection of the Constitution ( BfV ), concrete spying attempts by the APT group Charming Kitten against Iranian individuals and organizations in Germany can be assumed since the end of 2022.

https://www-verfassungsschutz-de.translate.goog/SharedDocs/kurzmeldungen/DE/2023/2023-08-10-cyber-brief-01-2023.html?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp

Unknown Actor Targets Power Generator with DroxiDat and Cobalt Strike

Kurt Baumgartner details an operation which looks like organised crime which could have had massive national implications if it had been successful. How we help protect the CNI of less well developed countries I suspect will become a matter of discussion.

Notably, an unknown actor targeted an electric utility in southern Africa with Cobalt Strike beacons and DroxiDat, a new variant of the SystemBC payload. We speculate that this incident was in the initial stages of a ransomware attack. This attack occurred in the third and fourth week of March 2023, as a part of a small wave of attacks involving both DroxiDat and CobaltStrike beacons across the world.

The C2 infrastructure for this electric utility incident involved an energy-related domain “powersupportplan[.]com” that resolved to an already suspicious IP host.

However, in a healthcare related incident involving DroxiDat around the same timeframe, Nokoyawa ransomware was delivered, along with several other incidents involving CobaltStrike sharing the same license_id and staging directories, and/or C2.

https://securelist.com/focus-on-droxidat-systembc/110302/

Review Of The Attacks Associated with Lapsus$ And Related Threat Groups Report

From the USA’s Cyber Safety Review Board.

The Board recommends that organizations urgently implement improved access controls and authentication methods and transition away from voice and SMS-based MFA; those methods are particularly vulnerable. Instead, organizations should adopt easy-to-use, secure-by-default, passwordless solutions such as Fast IDentity Online (FIDO)2-compliant, phishing-resistant MFA methods.

The Board also calls attention to the risks introduced through use of mobile devices for authentication and urges telecommunications providers to mitigate risk through technological, process, and oversight measures. Carriers should implement more stringent authentication methods for SIM swapping to continue enabling legitimate business processes while introducing more friction to discourage malicious actors. The Board recommends that carriers mitigate retail point-of-sale vulnerabilities by improving asset management

https://www.cisa.gov/sites/default/files/2023-08/CSRB_Lapsus%24_508c.pdf

APT-K-47 “Mysterious Elephant”, a new APT organization in South Asia

Chinese reporting on an Indian threat actor who uses phishing and compile HTML files against Windows hosts.

In an attack on APT-K01, the attacker sent a CHM file to the target through a phishing email, using the “Russia-China Committee for Friendship, Peace and Development” as the bait, the relevant bait content is shown below.

https://medium.com/@knownsec404team/apt-k-47-mysterious-elephant-a-new-apt-organization-in-south-asia-5c66f954477

Analysis of APT-C-35 (belly brainworm) organization using a new delivery method on the mobile terminal

Further Chinese reporting on Indian Android mobile tradecraft evolution. This is interesting in that is is clearly inspired by phishing techniques which have been successful on desktop previously.

By analyzing the geographic location of the victims, we found that the areas affected by the attacks are mainly Bangladesh and Sri Lanka, and the affected time ranges from June 2022 to February 2023.

..

The decoy file is disguised as a PDF document named "draft". When the user opens the document, a prompt box will be displayed directly, prompting the user to install a plug-in to view it. After clicking the download button, the browser will open the specified URL. The attacker's server will judge the platform type of the URL requesting end. If it is not an Android platform, it will return an error page. If it is an Android platform, it will download a disguise named PluginL26. 9.22.apk (different versions downloaded at different times) Plug-in Android installation package, the installation package is the Android RAT dedicated to the Brainworm organization.

https://mp-weixin-qq-com.translate.goog/s?__biz=MzUyMjk4NzExMA%3D%3D&mid=2247493204&idx=1&sn=7b3a65de0d06a466942bf4381d00861a&chksm=f9c1d55dceb65c4b39c51ba64c37a0d9e70984e0e7eda2d1ba03fc3c509135184d94062e92fd&scene=17&_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=wapp

Cuba Ransomware Deploys New Tools: Targets Critical Infrastructure Sector in the U.S. and IT Integrator in Latin America

Russian organised crime taking a swing at US CNI..

[We] investigated a campaign by this threat group conducted in June that culminated in attacks on an organization within the critical infrastructure sector in the United States, and also on an IT integrator in Latin America. The Cuba threat group, believed to be of Russian origin, deployed a set of malicious tools that overlapped with previous campaigns associated with this attacker, as well as introducing new ones — including the first observed use of an exploit for the Veeam vulnerability CVE-2023-27532.

https://blogs.blackberry.com/en/2023/08/cuba-ransomware-deploys-new-tools-targets-critical-infrastructure-sector-in-the-usa-and-it-integrator-in-latin-america

ALPHV/BlackCat Ransomware Targeting of Canadian Industries

Canadian Government has issued an alert on this threat actor along with a mountain of IoCs.

https://www.cyber.gc.ca/en/alerts-advisories/alphvblackcat-ransomware-targeting-canadian-industries

Criminals Pose as Non-Fungible Token (NFT) Developers to Target Internet Users with an Interest in NFT Acquisition

High-level FBI alert.

The FBI warns of criminal actors posing as legitimate NFT developers in financial fraud schemes targeting active users within the NFT community. Criminals either gain direct access to NFT developer social media accounts or create almost identical accounts to promote new NFT releases. Fraudulent posts often aim to create a sense of urgency, using phrases like "limited supply," and refer to the promotion as a "surprise" or previously unannounced mint. Links provided in these announcements are phishing links directing victims to a spoofed website that appears to be a legitimate extension of a particular NFT project. The spoofed websites invite victims to connect their cryptocurrency wallets and purchase the NFT. The victims unknowingly connect their cryptocurrency wallets to a drainer smart contract, resulting in the transfer of cryptocurrency and NFTs to wallets operated by criminals. Contents stolen from victims' wallets are often processed through a series of cryptocurrency mixers and exchanges to obfuscate the path and final destination of the stolen NFTs.

https://www.ic3.gov/Media/Y2023/PSA230804

Common TTPs of attacks against industrial organizations. Implants for uploading data

Dropbox and Yandex is the theme here..

The attackers aimed to establish a permanent channel for data exfiltration, including data stored on air-gapped systems.

In total we have identified over 15 implants and their variants planted by the threat actor(s) in various combinations.

https://ics-cert.kaspersky.com/publications/reports/2023/08/10/common-ttps-of-attacks-against-industrial-organizations-implants-for-uploading-data/

Approximately 2000 Citrix NetScalers backdoored in mass-exploitation campaign

Internet wide exploitation once again where the clean-up has been sub-optimal. Resulting in a world where compromised systems being patched but not cleaned.

• A set of vulnerabilities in NetScaler, one of which allows for remote code execution, were disclosed on July 18th. This disclosure followed several security organisations saw limited exploitation of these vulnerabilities in the wild.

• At the time of this exploitation campaign, 31127 NetScalers were vulnerable to CVE-2023-3519.

• As of August 14th, 1828 NetScalers remain backdoored.

• Of the backdoored NetScalers, 1248 are patched for CVE-2023-3519.

https://research.nccgroup.com/2023/08/15/approximately-2000-citrix-netscalers-backdoored-in-mass-exploitation-campaign/

Discovery

How we find and understand the latent compromises within our environments.

YAMA: Yet Another Memory Analyzer for malware detection

From the Japanese CERT.

• Generate scanner that operates as a single binary

• Detects malware using YARA rules and memory information

• Creates malware detection binaries tailored for each user's IR needs by writing custom YARA rules

• Outputs detection results in text/JSON format

https://github.com/JPCERTCC/YAMA

Container Orchestration Honeypot: Observing Attacks in the Wild

Noah Spahn, Nils Hanke, Thorsten Holzm, Chris Kruegel and Giovanni Vigna provide an academic evidence base on the potential value of Honey Pots.

Our empirical study measures the risk associated with container and container orchestration systems exposed on the Internet. The assessment is performed by leveraging a novel design for a highinteraction honeypot. Using the observed data, we extract fresh insights into malicious tools, tactics, and procedures used against exposed host systems. In addition, we make available to the research community a rich dataset of unencrypted malicious traffic.

https://seclab.cs.ucsb.edu/files/publications/spahn_cohp_23.pdf

Real world detection engineering in a multi-cloud environment

from Aaron Jewitt which brings some real insight into how the world actually operates.

Defence

How we proactively defend our environments.

Making Chrome more secure by bringing Key Pinning to Android

David Adrian, Joe DeBlasio and Carlos Joan Rafael Ibarra Lopez detail how Android is brought to parity with desktop.

Chrome 106 added support for enforcing key pins on Android by default, bringing Android to parity with Chrome on desktop platforms.

Key pinning was born as a defense against real attacks seen in the wild: attackers who can trick a CA to issue a seemingly-valid certificate for a server, and then the attacker can impersonate that server. This happened to Google in 2011, when the DigiNotar certification authority was compromised and used to issue malicious certificates for Google services. To defend against this risk, Chrome contains a pin set for all Google properties, and we only consider an HTTPS input trustworthy if it’s authenticated using a key in this pin set. This protects against malicious certificate issuance by third parties.

https://security.googleblog.com/2023/08/making-chrome-more-secure-by-bringing.html

CISA Releases JCDC Remote Monitoring and Management (RMM) Cyber Defense Plan

The misuse of legitimate Remote Monitoring and Management (RMM) software is driving this response.

The JCDC RMM Cyber Defense Plan outlines implementation across two foundational pillars and four lines of effort (LOEs). 

• Pillar 1: Operational Collaboration, encourages collective action across the RMM community to enhance information sharing, increase visibility, and fuel creative cybersecurity solutions. Lines of effort aligned with this pillar include 1) Cyber Threat and Vulnerability Information and 2) Enduring RMM Operational Community. 

• Pillar 2: Cyber Defense Guidance, focuses on educating RMM end-user organizations of the dangers and risk to the RMM infrastructure upon which they rely today, and how they can help promote security best practices moving forward. Lines of effort aligned under this pillar address 3) End-User Education and 4) Amplification.

https://www.cisa.gov/news-events/alerts/2023/08/16/cisa-releases-jcdc-remote-monitoring-and-management-rmm-cyber-defense-plan

https://www.cisa.gov/topics/partnerships-and-collaboration/joint-cyber-defense-collaborative/jcdc-remote-monitoring-and-management-cyber-defense-plan

ved-ebpf: VED-eBPF: Kernel Exploit and Rootkit Detection using eBPF

I am a big fan of eBPF due to the portability and promise that one day all embedded devices will allow eBPF packages to be deployed which allow us to retro fit the observability we seek.

VED (Vault Exploit Defense)-eBPF leverages eBPF (extended Berkeley Packet Filter) to implement runtime kernel security monitoring and exploit detection for Linux systems.

VED-eBPF uses eBPF to trace security-sensitive kernel behaviors and detect anomalies that could indicate an exploit or rootkit. It provides two main detections:

• wCFI (Control Flow Integrity) traces the kernel call stack to detect control flow hijacking attacks. It works by generating a bitmap of valid call sites and validating each return address matches a known callsite.

• PSD (Privilege Escalation Detection) traces changes to credential structures in the kernel to detect unauthorized privilege escalations

https://github.com/hardenedvault/ved-ebpf

Onboard and configure Defender for Endpoint for non-persistent VDI environments

Jeffery Appel provides a useful guide on how to to ensure Defender protection in practice when you are using throw-away VDI as a defence in depth tactic.

Microsoft supports multiple onboardings methods for Defender for Endpoint. For non-persistent VDI’s there is always a challenge since non-persistent VDI’s are working differently in comparison with typical endpoints. For Defender for Endpoint, there is a challenge during the onboarding and configuration of Defender Antivirus. Non-persistent requires additional design decisions around the signature update process/ AV configuration and onboarding of Defender for Endpoint to avoid double objects or increasing temp storages/ CPU load for the signature/ platform update process.

https://jeffreyappel.nl/onboard-and-configure-defender-for-endpoint-for-non-persistent-vdi-environments/

Adversarial ModSecurity: Countering Adversarial SQL Injections with Robust Machine Learning

Biagio Montaruli, Luca Demetrio, Andrea Valenza, Battista Biggio, Luca Compagnam, Davide Balzarotti, Davide Ariu and Luca Piras show how even modest application of ML can provide some material uplift in detection game. The false positive improvements are of note.

we design a robust machine learning model, named AdvModSec, which uses the CRS rules as input features, and it is trained to detect adversarial SQLi attacks. Our experiments show that AdvModSec, being trained on the traffic directed towards the protected web services, achieves a better tradeoff between detection and false positive rates, improving the detection rate of the vanilla version of ModSecurity with CRS by 21%. Moreover, our approach is able to improve its adversarial robustness against adversarial SQLi attacks by 42%, thereby taking a step forward towards building more robust and trustworthy WAFs.

https://arxiv.org/pdf/2308.04964.pdf

TTPForge

From Meta/Facebook..

The TTPForge is a Framework created to facilitate the development, automation, and execution of Tactics, Techniques, and Procedures (TTPs).

https://github.com/facebookincubator/TTPForge

Vulnerability

Our attack surface.

CVE-2023-3817: OpenSSL - Issue summary: Checking excessively long DH keys or parameters may be very slow

This has the potential to cause DoS pain for those sites/devices which have not patched it.

Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service.

https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3817

RARLAB WinRAR Recovery Volume Improper Validation of Array Index Remote Code Execution Vulnerability

Given the install base there will likely be some interest in this vulnerability.

This vulnerability allows remote attackers to execute arbitrary code on affected installations of RARLAB WinRAR. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the processing of recovery volumes. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process.

https://www.zerodayinitiative.com/advisories/ZDI-23-1152/

TunnelCrack

Lots of impact here.. there will be a long tail of patching and it will sadly likely create noise around the risks of using open Wi-Fi networks. Mitigation here don’t use split tunnelling..

Our first set of vulnerabilities, called LocalNet attacks, can be exploited when a user connects to an untrusted Wi-Fi network. Our second set of vulnerabilities, called ServerIP attacks, can be exploited by untrusted Wi-Fi networks and by malicious Internet service providers. Both attacks manipulate the victim's routing table to trick the victim into sending traffic outside the protected VPN tunnel, allowing an adversary to read and intercept transmitted traffic.

https://tunnelcrack.mathyvanhoef.com/details.html

Checking Passwords on Leaky Computers

Andrew Kwong, Jonathan Berger, Daniel Genkin, Eyal Ronen, Hovav Shacham, Riad Wahby and Yuval Yaroms present a A Side Channel Analysis of Chrome's Password Leak Detect Protocol.

In this paper, we show that Chrome's implementation of this protocol is vulnerable to several microarchitectural side-channel attacks that violate its security properties. Specifically, we demonstrate attacks against Chrome's use of the memory-hard hash function scrypt, its hash-to-elliptic curve function, and its modular inversion algorithm. While prior work discussed the theoretical possibility of side-channel attacks on scrypt, we develop new techniques that enable this attack in practice, allowing an attacker to recover the user's password with a single guess when using a dictionary attack. For modular inversion, we present a novel cryptanalysis of the Binary Extended Euclidian Algorithm (BEEA) that extracts its inputs given a single, noisy trace, thereby allowing a malicious server to learn information about a client's password.

https://www.usenix.org/conference/usenixsecurity23/presentation/kwong

TSSHOCK: New Key Extraction Attacks on Threshold Signature Scheme (TSS)

The growth of private sector is cryptanalysis capabilities if really the takeaway here.

TSS is a cryptographic scheme allowing multiple parties to jointly generate keys and sign messages. For signing a message, at least t (the threshold) out of n (the number of parties participating in the generation ceremony of the key in use) parties are required. There is no trusted dealer as the TSS private key is never constructed (each party only keeps a private key share).

We have discovered TSSHOCK after conducting audits over a wide range of open-source t-ECDSA implementations. Most implementations can be attacked with just one member to recover the ECDSA private key. TSSHOCK completely breaks the security of TSS, with proof of concept exploitation demonstrating a full private key extraction by a single malicious party after 1-2 signatures on various popular wallets, non-custodial key infrastructure, and cross-chain asset management protocols.

https://www.verichains.io/tsshock/

An Efficient Quantum Factoring Algorithm

Oded Regev proposes efficiencies for Shor’s Algorithm for the time we have a viable Quantum Computer. Will be interesting if this shakes out..

We show that n-bit integers can be factorized by independently running a quantum circuit with O˜(n 3/2 ) gates for √ n + 4 times, and then using polynomial-time classical post-processing. The correctness of the algorithm relies on a number-theoretic heuristic assumption reminiscent of those used in subexponential classical factorization algorithms. It is currently not clear if the algorithm can lead to improved physical implementations in practice

https://arxiv.org/pdf/2308.06572.pdf

Offense

Attack capability, techniques and trade-craft.

NoFilter: Tool for abusing the Windows Filtering Platform for privilege escalation

From Israel with ❤️

Tool for abusing the Windows Filtering Platform for privilege escalation. It can launch a new console as "NT AUTHORITY\SYSTEM" or as another user that is logged on to the machine.

https://github.com/deepinstinct/NoFilter

SAMLjacking a poisoned tenant

Luke Jennings provides further evidence of the complexity of cloud.

Poisoned tenants involve an adversary registering a tenant for a SaaS app they control and tricking target users to join it, often using built-in invite functionality. The end goal is to have some target users actively using a tenant you (as the adversary) control.

SAMLjacking is where an attacker makes use of SAML SSO configuration settings for a SaaS tenant they control in order to redirect users to a malicious link of their choosing during the authentication process. This can be highly effective for phishing as the original URL will be a legitimate SaaS URL and users are expecting to provide credentials.

https://pushsecurity.com/blog/samljacking-a-poisoned-tenant/

LAPS 2.0 Internals

Under the hood of LAPS 2.0 whilst showing how to descrypt its secrets.

https://blog.xpnsec.com/lapsv2-internals/

Exploitation

What is being exploited.

wps-rce: WPS Office RCE On 2023-08-10

Interesting zero-day here in the Chinese Office suite of choice.

WPS Office is an office suite for Microsoft Windows, macOS, Linux, iOS, Android, and HarmonyOS developed by Zhuhai-based Chinese software developer Kingsoft

Will be interesting to see how widely this is exploited and if we see western security researchers bug surge here.

The vulnerability this time is that WPS failed to process the code correctly when processing WebExtension, javascriptresulting in an overflow RCE. (You can refer to the RCE vulnerability that was exposed in chrome before, and the RCE vulnerability in WeChat Windows version < 3.1.2.141, which is similar)

https://github.com/ba0gu0/wps-rce

Tooling and Techniques

Low level tooling and techniques for attack and defence researchers…

Finding Vulnerabilities with MRVA CodeQL

You get a vulnerability, and you, and you with this present by Maiky. Those who industrialise vulnerability discovery as opposed to taking solely an artisanal approach will eat forever..

Using MRVA (multi-repository variant analysis), researchers can execute a query on the top 1000 Github repositories at once, significantly enhancing their ability to uncover potential security issues across a broader spectrum of projects.

https://maikypedia.gitlab.io/posts/finding-vulns-with-mrva-codeql/

Suite of eBPF libraries

A collection from Artem Dinaburg et al which will be of use in a number of cyber defence and vulnerability research use cases.

Libraries:

1. linuxevents: A container-aware library for process monitoring with no runtime dependencies

2. ebpfpub: A function-tracing library for Linux

3. btfparse: A C++ library that parses kernel debug symbols in BTF format

4. ebpf-common: A C++ library to help write new eBPF-based tools

Tools:

1. ebpfault: A Linux system call fault injector built on top of eBPF

https://blog.trailofbits.com/2023/08/09/use-our-suite-of-ebpf-libraries/

CTO: Call Tree Overviewer

Hiroshi Suzuki and Christian Clauss provide a work aid for reverse engineers which whilst a few months old I only discovered because of the recent paper.

CTO (Call Tree Overviewer) is an IDA plugin for creating a simple and efficient function call tree graph. It can also summarize function information such as internal function calls, API calls, static linked library function calls, unresolved indirect function calls, string references, structure member accesses, specific comments.

CTO has another helper plugin named "CTO Function Lister", although it can work as a standalone tool. You can think this is an enhanced version of functions window. It lists functions with summarized important information, which is the same as the CTO's one. You can use a regex filter to find nodes with a specific pattern as well.

https://github.com/herosi/CTO

https://www.iij.ad.jp/en/dev/iir/pdf/iir_vol59_focus1_EN.pdf

Speculation at Fault: Modeling and Testing Microarchitectural Leakage of CPU Exceptions

https://www.usenix.org/system/files/usenixsecurity23-hofmann.pdf

Footnotes

Some other small (and not so small) bits and bobs which might be of interest.

• Aggregate reporting

  • 2023 Mid-Year Threat Review

  • Q2/2023 Threat Report - Avast Threat Labs

  • Story of H1 2023: Statistical Insights into Ransomware Trends and Impact on Victims (English ver.)

  • H1 2023: Ransomware's Pivot to Linux and Vulnerable Drivers

  • Cyber Security Report July 2023 - from Japan in Japanese

• Cybersecurity Framework Profile for Electric Vehicle Extreme Fast Charging Infrastructure - The public comment period for this NIST IR is now open through August 28, 2023.

• Impact of the Ukraine war on Illicit Financial Flows in South Eastern Europe - IFFs in the Balkan region, in particular, are manifold, multi-directional and, proportionally, large as a percentage of GDP. While global illicit outflows are 3–5% of world GDP, IFFs in the Balkans are estimated at about 6% of the region’s GDP. The common denominator of the Western Balkan countries is their vulnerabilities kindled by institutional weakness and state capture.

• Secure connected places playbook - documents - comprehensive guidance from the UK Government.

• Has modern technology killed HUMINT? - Hostile actors are known to use HUMINT methods (e.g. an insider or access agent) to provide unique types of access, which aren’t possible by computer network exploitation methods. For example against an air-gapped computer, which is physically inaccessible to remote hacking via the internet.

• International Travel Guidance for [US] Government Mobile Devices - The guidance outlines best practices regarding configuration and use of GFE mobile devices to safeguard information, backend enterprise systems, and users while on international travel.

• An Empirical Study & Evaluation of Modern CAPTCHAs - The bots’ accuracy ranges from 85-100%, with the majority above 96%. This substantially exceeds the human accuracy range we observed (50-85%).

• Artificial intelligence

  • AI-Powered Fuzzing: Breaking the Bug Hunting Barrier

  • Poisoning Web-Scale Training Datasets is Practical

  • Compromising LLMs The Advent of AI Malware

  • Model Confusion - Weaponizing ML models for red teams and bounty hunters

  • Ransomware Detection Using Machine Learning: A Survey

  • Integrating Knowledge Graphs with Large Language Models for More Human-like AI Reasoning

• Internet Infrastructure Review (IIR) Vol.59 - from Japan

  • Periodic Observation Report "Messaging"

  • Malware Analysis with CTO and CTO Function Lister

  • Authentication/Authorization with Cross-Device Flows”

• Books

  • Irreducibly Complex Systems: An Introduction to Continuous Security Testing

• Events

  • (1st meeting) Sixth session of the Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes on 21 August - 1 September 2023 in New York.

  • 8th ENISA eHealth Security Conference, Luxembourg City, on September 20th, 2023.

  • VeloCON 2023: Digging Deeper Together, September 13, 2023 at 9 am ET

  • CyberwarCon, Arlington, USA on November 9th, 2023 (virtual as well) - CFP etc. open.

Finally love the messaging here from the UK MoD’s Secure By Design program “stay bytes cost lives”