

Discover more from Cyber Defence Analysis for Blue & Purple Teams
Bluepurple Pulse: week ending September 24th
The amount of commercial mobile capability both on show and burnt this week is material..
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week you will see there was a lot of nation-state-focused reporting; outside of that, the amount of commercial mobile capability both on show and burnt is material…
In the high-level this week:
NSA plans new ‘innovation pipeline’ to focus on China - David Frederick, the NSA’s assistant deputy director for China, said the new program will be called “Red Ventures.” .. The National Security Agency’s China directorate will soon launch an “innovation pipeline” focused on the competition with China and solving the NSA’s most pressing challenges.
DOD Releases 2023 Cyber Strategy Summary - "This strategy draws on lessons learned from years of conducting cyber operations and our close observation of how cyber has been used in the Russia-Ukraine war,"
Labor’s throwing six cybersecurity shields around Australia - by Clare O'Neil the Minister responsible - the six are: citizens, safe technology, threat sharing, CNI focus, sovereign capabilities and resilient region.
Department of Homeland Security Homeland Threat Assessment - 2024 edition - "while cyber actors use AI to develop new tools and accesses that allow them to compromise more victims and enable larger-scale, faster, efficient, and more evasive cyber attacks."
Ukraine and the EU are working on improving cyber defense of cloud services - “Ukraine focuses on productive cooperation with the EU Network and Information Security Agency (ENISA). We have approximated our regulations in the area to the EU standards already and we are now working toward further adaptation of our laws to the EU acquis,“ said Viktor Zhora.
California Legislature passes Delete Act regulating data brokers - Should it become law, the Delete Act would empower the CPPA to develop a system by 2026 that allows residents to make a single data deletion request across the nearly 500 registered data brokers operating in the state.
How the State Dept discovered that Chinese hackers were reading its emails - the analyst flagged the problem to his advisers, prompting the department to work with Microsoft on building the digital equivalent of a tripwire.
‘Be careful what you wish for:’ DoD official warns separate cyber force could pose new challenges - A cyber service might have some benefits in ease of administrative management, but we have a variety of...military services in the Department of Defense who perform a variety of missions
Russian and North Korean Cyberattack Infrastructure Converge: New Hacking Data Raises National Security Concerns - "the value of stolen cryptocurrency associated with DPRK groups currently exceeds $340.4 million this year, compared to over $1.65 billion in stolen funds reported in 2022"
Lazarus Group's Web3 Rampage - "identified transactions connecting the Atomic Wallet, Alphapo, CoinsPaid, Stake.com, and CoinEx breaches, serving as on-chain evidence of Lazarus Group’s involvement in all exploits" and "costing the Web3 community at least $291.3 million across five distinct incident”
Commercial offensive cyber
US Bill To amend the Foreign Assistance Act of 1961 to prohibit assistance to foreign governments that engage in the use of foreign commercial spyware to target United States persons, and for other purposes.
In a first, NSO spyware is found on phone of prominent Russian journalist - The iPhone of a prominent Russian journalist whose news outlet has effectively been outlawed by President Vladimir Putin was infected with Pegasus spyware this year
Pegasus Infection of Galina Timchenko, exiled Russian Journalist and Publisher - the Citizen Lab reporting..
Israeli cyber companies developed technology that exploits the advertising system at the heart of the online economy to monitor civilians, hack into their phones and computers, and spy on them - adtech in the frame..
0-days exploited by commercial surveillance vendor in Egypt - discovered an in-the-wild 0-day exploit chain for iPhones. Developed by the commercial surveillance vendor, Intellexa, this exploit chain is used to install its Predator spyware surreptitiously onto a device.
Considering Cyberwar Efficacy: Is Mitigation Possible? - for once, the hype may not be as devastating as we feared as new defense strategies emerge.
China’s coming lawfare offensive - oped by one of the largest hedge funds on the planet - China has accelerated the implementation of an integrated program, founded on Xi Jinping Thought, to weaponise law, with both territorial and extraterritorial effect.
AI
The global race to set the rules for AI - The industry and policymakers agree that the emerging technology needs regulating. But no one is quite sure how
NSA, FBI, and CISA Release Cybersecurity Information Sheet on Deepfake Threats - Between 2021 and 2022, U.S. Government agencies collaborated to establish a set of employable best practices to take in preparation and response to the growing threa
ISO/IEC 22989:2022 - Artificial intelligence concepts and terminology - includes Trustworthiness.
2023 Trustworthy Artificial Intelligence in the Asia-Pacific Region - AI's continuous growth presents enormous opportunities for the Asia-Pacific region. By establishing robust and forward-looking regulatory frameworks, fostering expertise, and steering public discourse, countries can effectively harness AI's potential while addressing its inherent risks, ensuring a prosperous and sustainable future for all.
AI Foundation Models: Initial report - A report following the Competition and Markets Authority's review into AI Foundation Models, and their impact on competition and consumer protection.
Is Tricking a Robot Hacking? - from 2018, but seems worth a discussion.
Communicative Agents for Software Development - The instrumental analysis of ChatDev highlights its remarkable efficacy in software generation, enabling the completion of the entire software development process in under seven minutes at a cost of less than one dollar.
Navigating the Jagged Technological Frontier: Field Experimental Evidence of the Effects of AI on Knowledge Worker Productivity and Quality - For each one of a set of 18 realistic consulting tasks within the frontier of AI capabilities, consultants using AI were significantly more productive (they completed 12.2% more tasks on average, and completed task 25.1% more quickly), and produced significantly higher quality results (more than 40% higher quality compared to a control group).
From Compliance to Impact: Tracing the Transformation of an Organizational Security Awareness Program - from a U.S. Government cybersecurity awareness program
Behind the scenes of creating an independent cyber event declaration system - “The idea is that they can then use that to determine a severity rating for the event, For instance, a category one event might be low level, not very widespread and not cost very much, while a category five event might be a catastrophic scenario affecting a significant proportion of all UK organisations and costing billions of pounds.”
International Criminal Court computer systems attacked - A source tells NOS that a large number of sensitive documents have been captured, but the ICC does not want to confirm this.
The first reflection this week comes from reading Basic cyber hygiene prevents 98% of attacks, where I found myself saying it would be great if they would release the underlying evidence base. This evidence could then be used to enable academia and others to understand how the conclusions were reached and then either build upon or challenge the veracity - apologies if I missed the evidence dataset if available.
The second set of reflections comes from the London School of Economics report which states “Around 85 per cent of survey respondents - including journalists, technologists and managers at news organisations - have at the very least experimented with genAI to help with tasks such as writing code, image generation and authoring summaries” from interviews with 100 organizations, 46 countries. The level of potential disruption and productivity benefit in this one industry on the face of it seems material. When combined with the knowledge worker research it does seem to imply we should all look for adoption opportunities sooner rather than later.
On the interesting job/role front (thanks to those sending me these):
Research Assistant - Digital Transnational Repression, for a six-month hourly contract at a maximum of 13 hours per week, at The Citizen Lab in Ontario, Canada
Programme Officer (Cybercrime Legal and Policy) at the United Nations
Advanced Cyber Unit Analyst at Rolls Royce in Bristol, UK
Technical Director, CISA's Cybersecurity Division in the USA ($186,600 - $199,600 per year)
Views are my own / attribution by others etc.
Have a lovely Friday
Ollie
Cyber threat intelligence
Who is doing what to whom and how.
Russia
Backchannel Diplomacy: APT29’s Rapidly Evolving Diplomatic Phishing Operations
Luke Jenkins, Josh Atkins and Dan Black provide a broad assessment of Russian capability here showing they have various teams who perform discrete tasks. Very similar to the initial access versus later stage crews we see in criminal operations.
APT29’s pace of operations and emphasis on Ukraine increased in the first half of 2023 as Kyiv launched its counteroffensive, pointing to the SVR’s central role in collecting intelligence concerning the current pivotal phase of the war.
During this period, Mandiant has tracked substantial changes in APT29’s tooling and tradecraft, likely designed to support the increased frequency and scope of operations and hinder forensic analysis.
APT29 has used various infection chains simultaneously across different operations, indicating that distinct initial access operators or subteams are possibly operating in parallel to service different regional targets or espionage objectives.
https://www.mandiant.com/resources/blog/apt29-evolving-diplomatic-phishing
North Korea
Analysis of the recent offensive operations conducted by North Korean APT groups
Chinese reporting showing the correlation between military activities and upticks in North Korean activity in response.
By comparing the timing of the North Korean APT attacks with the military exercise, we found a significant overlap. The captured timeline of the North Korean attacks is depicted below, suggesting that this attack campaign may be one of the ways North Korea responds to the military exercise.
..
During the entire duration of the military exercise, we captured over 80 attack samples targeting South Korea by the North Korean organization, with APT37 accounting for a significant majority, exceeding 90%.
https://paper.seebug.org/3031/
Konni APT exploits WinRAR vulnerability (CVE-2023-38831) to attack the digital currency industry for the first time
Further Chinese reporting on North Korea. The takeaway here is the rapid adoption by North Korea of a vulnerability for their own crypto currency operations. Quick flipping old days is real..
At the same time, we found that Konni used the WinRAR vulnerability (CVE-2023-38831) recently disclosed [as being used by criminals'] in this attack. This is also the first time that an APT organization has used this vulnerability to attack. S
https://paper-seebug-org.translate.goog/3032/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp
How the Lazarus Group is stepping up crypto hacks and changing its tactics
Over $250 million in 100 days, if you want proof that North Korea is going hard on crypto asset thefts here is an evidence base.
The Lazarus Group – North Korea’s elite hacking organization – appears to have recently ramped up its operations, conducting a confirmed four attacks against crypto entities since June 3rd.
China
Multi-year Chinese APT Campaign Targets South Korean Academic, Government, and Political Entities
Details on a campaign which uses rather basic initial tradecraft via phishing. Combined it must be said with modified open source…
In this campaign, we observed a particular focus on the targeting of South Korean academic entities. The targeting of academia more generally fits within wider Chinese espionage efforts that serve multiple purposes, including intellectual property (IP) theft and expanding Chinese Communist Party (CCP) soft power and influence within higher education internationally
TAG-74 is a Chinese state-sponsored threat activity group traditionally tasked with intelligence collection against organizations within South Korea, Japan, and Russia. In the activity highlighted within this report, we observed the group predominantly targeting South Korean academic, political, and government organizations.
The TTPs associated with this TAG-74 campaign include the use of .chm files that trigger a DLL search order hijacking execution chain to load a customized version of the open-source, lightweight, VBScript backdoor ReVBShell. We also identified multiple samples of the custom backdoor Bisonal communicating to TAG-74 infrastructure; this backdoor is likely used to provide additional capability after initial access is established through ReVBShell.
https://go.recordedfuture.com/hubfs/reports/cta-2023-0919.pdf
Earth Lusca Employs New Linux Backdoor, Uses Cobalt Strike for Lateral Movement
Joseph C Chen and Jaromir Horejsi detail a Linux-focused capability in use by a Chinese actor. Also of note is their use of old days for their initial access.
While monitoring Earth Lusca, we discovered an intriguing, encrypted file on the threat actor's server — a Linux-based malware, which appears to originate from the open-source Windows backdoor Trochilus, which we've dubbed SprySOCKS due to its swift behavior and SOCKS implementation.
Earth Lusca is now aggressively targeting the public-facing servers of its victims. Furthermore, we have seen them frequently exploiting server-based N-day vulnerabilities.
https://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html
ShroudedSnooper
Asheer Malhotra, Caitlin Huey, Sean Taylor, Vitor Ventura and Arnaud Zobec detail a suspected Chinese threat actor who is working against telecommunications in the Middle East.
We assess with high confidence that both implants belong to a new intrusion set we’re calling “ShroudedSnooper.” Based on the HTTP URL patterns used in the implants, such as those mimicking Microsoft’s Exchange Web Services (EWS) platform, we assess that this threat actor likely exploits internet-facing servers and deploys HTTPSnoop to gain initial access.
This activity is a continuation of a trend we have been monitoring over the last several years in which sophisticated actors are frequently targeting telecoms.
https://blog.talosintelligence.com/introducing-shrouded-snooper/
WyrmSpy and DragonEgg: Lookout Attributes Android Spyware to China’s APT41
Kristina Balaam and Justin Albrecht attribute a Chinese mobile capability deployed via social engineering. Clearly they don’t have access to the winning entries from Tianfu Cup.
[We attribute] WyrmSpy and DragonEgg to infamous Chinese espionage group APT41, which has not slowed down since recent indictments by the U.S. government.
APT41 is known to target a wide range of public and private sector organizations, including nation-state governments, software development companies, computer hardware manufacturers, telecommunications providers, social media companies, and video game companies.
An established threat actor like APT41 turning their focus to mobile devices shows that mobile endpoints are high-value targets with coveted data.
WyrmSpy and DragonEgg use modules to hide their malicious intentions and avoid detection.
[We] assess with moderate confidence that they are distributed to victims through social engineering campaigns.
https://www.lookout.com/threat-intelligence/article/wyrmspy-dragonegg-surveillanceware-apt41
Iran
Peach Sandstorm password spray campaigns enable intelligence collection at high-value targets
Iran looking like a commercial Red Team with this operation.
Since February 2023, [we] observed password spray activity against thousands of organizations carried out by an actor we track as Peach Sandstorm (HOLMIUM). Peach Sandstorm is an Iranian nation-state threat actor who has recently pursued organizations in the satellite, defense, and pharmaceutical sectors around the globe.
In cases where Peach Sandstorm successfully authenticated to an account, Microsoft observed the group using a combination of publicly available and custom tools for discovery, persistence, and lateral movement. In a small number of intrusions, Peach Sandstorm was observed exfiltrating data from the compromised environment.
Other
LUCR-3: Scattered Spider Getting SaaS-y in the Cloud
Ian Ahl sends a warning to all organizations that what the cloud gives us, it also taketh away. This is what cloud/SaaS security challenges look like in 2023..
LUCR-3 overlaps with groups such as Scattered Spider, Oktapus, UNC3944, and STORM-0875 and is a financially motivated attacker that leverages the Identity Provider (IDP) as initial access into an environment with the goal of stealing Intellectual Property (IP) for extortion. LUCR-3 targets Fortune 2000 companies across various sectors to include but not limited to Software, Retail, Hospitality, Manufacturing, and Telecoms
https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
APT36's Updated Arsenal
Sudeep Singh details a suspected Pakistani threat actor who is showing signs of evolution in both capability and tradecraft. Again Linux, as with the Chinese reporting above, is in the frame for the persistence.
Updated arsenal of APT36: The threat actor has resurfaced with a fresh, fully functional Windows remote administration tool (RAT), novel tools for cyber espionage on Linux systems, innovative distribution methods, and additional attack vectors.
New Windows RAT: A custom RAT, referred to as ElizaRAT, has been incorporated into the APT36 toolkit. ElizaRAT is delivered as a .NET binary and establishes a C2 communication channel via Telegram, enabling threat actors to exert complete control over the targeted endpoint.
Abuse of legitimate services: Legitimate services, such as Google Drive and Telegram, are abused in different stages of the attack chain.
New attack vectors for Linux: APT36 now boasts innovative weaponization of Linux desktop configuration files that target Linux-based endpoints in the Indian government sector.
Deceptive tactics: The threat actor took extensive measures to conceal any link to Pakistan. They chose the infrastructure and artifacts meticulously to make it appear as though the activities were conducted in India.
Reuse of infrastructure: In some cases, the same C2 infrastructure is being used by APT36 for both credential phishing attacks and distributing malicious binaries.
https://www.zscaler.com/blogs/security-research/peek-apt36-s-updated-arsenal
UNC3944 Leverages SMS Phishing Campaigns for SIM Swapping, Ransomware, Extortion, and Notoriety
Reporting on this criminal actor shows they surpass a lot of nation state capabilities from a lot of countries.
UNC3944 relies heavily on social engineering to obtain initial access to its victims. They frequently use SMS phishing campaigns and calls to victim help desks to attempt to obtain password resets or multifactor bypass codes.
The threat actors used commercial residential proxy services to access their victims from the same local area to fly under the radar of security monitoring tools.
The threat actors consistently use legitimate software, including a variety of remote access tools the actors have downloaded from the vendor websites.
The threat actors operate with an extremely high operational tempo, accessing critical systems and exfiltrating large volumes of data over a course of a few days. The tempo and volume of systems UNC3944 accesses can overwhelm security response teams.
Once obtaining a foothold, UNC3944 often spends significant time searching through internal documentation, resources, and internal chat logs to surface information that could help facilitate escalating privileges and maintaining presence within victim environments.
UNC3944 often achieves privilege escalation by targeting password managers or privileged access management systems.
UNC3944 often creates unmanaged virtual machines inside victims' own environments, from which it launches attacks. In some cases, they’ve created Internet accessible virtual machines in a victim’s cloud environment.
https://www.mandiant.com/resources/blog/unc3944-sms-phishing-sim-swapping-ransomware
Operation Rusty Flag – A Malicious Campaign Against Azerbaijanian Targets
Simon Kenin, Ron Ben Yizhak and Mark Vaitzman detail a rather basic phishing campaign at a time of regional conflict against an enclave populated by ethnic Armenians. Will be interesting to see if this capability is latterly attributed to Armenia or their friends...
A new operation against Azerbaijanian targets
The operation has at least two different initial access vectors
The operation is not associated with a known threat actor; the operation was instead named because of their novel malware written in the Rust programming language
One of the lures used in the operation is a modified document that was used by the Storm-0978 group. This could be a deliberate “false flag”
Discovery
How we find and understand the latent compromises within our environments.
Peeling back the curtain with call stacks
Samir Bousseaden does what he does here with some awesome tradecraft which should really help detect numerous open source and commercial implant frameworks.
In this article, we'll show you how we contextualize rules and events, and how you can leverage call stacks to better understand any alerts you encounter in your environment.
https://www.elastic.co/security-labs/peeling-back-the-curtain-with-call-stacks
TierZeroTable: About Table of AD and Azure assets and whether they belong to Tier Zero
Useful reference in understanding if your AD has been nobbled here by Jonas Bülow Knudsen
https://github.com/SpecterOps/TierZeroTable
Defence
How we proactively defend our environments.
SMB NTLM blocking now supported in Windows Insider
Ned Pyle details how Windows is getting defense in depth against a very common technique used to enable password hash leakage.
With this new option, an administrator can intentionally block Windows from offering NTLM via SMB. An attacker who tricks a user or application into sending NTLM challenge responses to a malicious server will no longer receive any NTLM data and cannot brute force, crack, or pass hashes.
SMB dialect management now supported in Windows Insider
Ned Pyle is back with more from the defense in depth factory.
With this new option, an administrator can remove specific SMB protocols from usage in the organization, blocking older, less secure, and less capable Windows devices and third parties from connecting.
donut-decryptor: Retrieve inner payloads from Donut samples
Our favorite memory forensics team produces a valuable capability which I suspect will be made fragile quite quickly in response.
donut-decryptor checks file(s) for known signatures of the donut obfuscator's loader shellcode. If located, it will parse the shellcode to locate, decrypt, and extract the DONUT_INSTANCE structure embedded in the binary, and report pertinent configuration data. If a DONUT_MODULE is present in the binary it is decrypted and dumped to disk.
https://github.com/volexity/donut-decryptor
Apple and Google Are Introducing New Ways to Defeat Cell Site Simulators, But Is it Enough?
Cooper Quintin details how defense in depth is coming to mobile devices.
Cell-site simulators (CSS)—also known as IMSI Catchers and Stingrays—are a tool that law enforcement and governments use to track the location of phones, intercept or disrupt communications, spy on foreign governments, or even install malware.
Apple has also finally taken steps to protect users against cell site simulators after being called on to do so by EFF and the broader privacy and security community. Apple announced that in iOS 17, out September 18, iPhones will not connect to insecure 2G mobile towers if they are placed in Lockdown Mode.
Blocking Visual Studio Code "embedded reverse shell"
Florian MARTIN provides details on how to disable these reverse shells in development environments.
https://ipfyx.fr/post/visual-studio-code-tunnel/
Incident Writeups
How they got in and what they did.
When MFA isn't actually MFA
Yes.. generative AI does appear to be used in the wild by real threat actors and not just red teams..
The caller claimed to be one of the members of the IT team, and deepfaked our employee’s actual voice
https://retool.com/blog/mfa-isnt-mfa/
Vulnerability
Our attack surface.
CVE-2023-4039: GCC’s -fstack-protector fails to guard dynamic stack allocations on ARM64
Tom Hebb shows why test driven development is really important.
On AArch64 targets, GCC’s stack smashing protection does not detect or defend against overflows of dynamically-sized local variables.
GCC’s AArch64 stack frames place such variables immediately below saved register values like the return address with no intervening stack guard. All versions of GCC that support the pertinent features are affected.
https://rtx.meta.security/mitigation/2023/09/12/CVE-2023-4039.html
Offense
Attack capability, techniques and trade-craft.
Periscope: a complete adversarial operations toolkit
Tim MalcomVetter releases a new framework which will likely be deployed by malicious threat actors in 3..2..
C2, stagers, agents, automated ephemeral redirectors and task runners, a complete phishing engine, and more
https://github.com/malcomvetter/Periscope
Extract Bitlocker Keys
Rémi GASCOU (Podalirius) giving to the world a capability which needs to be combined with an evil maid attack or similar.
A system administration or post-exploitation script to automatically extract the bitlocker recovery keys from a domain
https://github.com/p0dalirius/ExtractBitlockerKeys/
SaaS attack chain - The shadow workflow's evil twin
Luke Jennings shows what offensive persistence looks like in a SaaS/cloud-first world. The gap in detection at most organizations for this type of vulnerability is material.
A shadow workflow is a technique for using SaaS automation apps to provide a code execution-like method for conducting malicious actions from a legitimate source using OAuth integrations. This could be a daily export of files from shared cloud drives, automatic forwarding and deleting of emails, cloning instant messages, exporting user directories — basically anything that is possible using the target app’s API.
The fact automation apps utilize OAuth integrations means they also function as a very effective method of maintaining persistence. Think of shadow workflows as the offensive PowerShell of the SaaS world.
https://pushsecurity.com/blog/nearly-invisible-attack-chain/
Okta for Red Teamers
Adam Chester also shows that cloud IDPs may not entirely be the answer if a threat actor can obtain a certain level of access. Again, today a lot of organizations in my experience would struggle to defend against these.
It should be noted that everything in this post is by design. You’ll find no 0dayz here, and many of the techniques require administrative access to pull off. However, to say that the methods demonstrated in this post have been helpful during engagements is an understatement.
https://www.trustedsec.com/blog/okta-for-red-teamers/
Weaponising VMs to bypass EDR - Akira ransomware
Phill Moore and Zach Stanford with contributions from Suyash Tripathi and Yogesh Khatri show how a threat actor leverages clean virtual machines to attack the underlying host. I suspect this will lead to some product changes in the mid-term.
One novel technique that we’ve observed leverages deployment of ransomware onto Windows Hyper-V hypervisor systems, causing major damage to attached virtual machines (VMs). Even when Windows-based hypervisor and target virtual machines are running prominent Endpoint Detection & Response (EDR) tooling, the threat actor has been observed circumventing this by creating new, unmonitored, VMs on the hypervisor, from which they can navigate directories on the hypervisor and execute their ransomware.
https://cybercx.com.au/blog/akira-ransomware/
Exploitation
What is being exploited.
Security Vulnerability fixed in Firefox, Thunderbird
The vulnerability originally exploited on the iPhone also affects Firefox etc.
Opening a malicious WebP image could lead to a heap buffer overflow in the content process. We are aware of this issue being exploited in other products in the wild.
https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/
Analyzing a Modern In-the-wild Android Exploit
Seth Jenkins walks the chain used in the wild. Of note is the mostly old day usage due to poor patch pull through by the vendor.
This is a technical analysis of the final stage of one of the exploit chains (from December 2022), specifically CVE-2023-0266 (a 0-day in the ALSA compatibility layer) and CVE-2023-26083 (a 0-day in the Mali GPU driver) as well as the techniques used by the attacker to gain kernel arbitrary read/write access.
Notably, all of the previous stages of the exploit chain used n-day vulnerabilities:
CVE-2022-4262, a vulnerability patched in Chrome that was unpatched in the Samsung browser (i.e. a "Chrome n-day"), was used to achieve RCE.
CVE-2022-3038, another Chrome n-day, was used to escape the Samsung browser sandbox.
CVE-2022-22706, a Mali n-day, was used to achieve higher-level userland privileges. While that bug had been patched by Arm in January of 2022, the patch had not been downstreamed into Samsung devices at the point that the exploit chain was discovered.
https://googleprojectzero.blogspot.com/2023/09/analyzing-modern-in-wild-android-exploit.html
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
tsffs: A snapshotting, coverage-guided fuzzer for software (UEFI, Kernel, firmware, BIOS) built on SIMICS
A present from Intel which we can expect to be adopted by commercial vulnerability houses quick smart to gain an edge.
TSFFS is a snapshotting, coverage-guided fuzzer built on the SIMICS full system simulator. TSFFS makes it easy to fuzz and triage crashes on traditionally challenging targets including UEFI applications, bootloaders, BIOS, kernel modules, and device firmware. TSFFS can even fuzz user-space applications on Linux and Windows. See the requirements to find out if TSFFS can fuzz your code.
https://github.com/intel/tsffs
IDA Pro 2023 Plugin Contest Winners (and losers)
Some work aids from IDA, my favorite of which is Symless:
Automatic structures recovering plugin for IDA. Able to reconstruct structures/classes and virtual tables used in a binary.
https://hex-rays.com/contests_details/contest2023/
Hypervisor Detection with SystemHypervisorDetailInformation
Matt Hand details how things work under the hood for those of you out there trying to avoid being detected by malicious code.
There are a number of documented ways of doing this (some more hacky than others), but the one that caught my eye was using NtQueryInformationSystem() and the SystemHypervisorDetailInformation information class. While the function itself is documented, official documentation from Microsoft regarding the information class and structure returned to the caller are notably missing.
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Aggregate reporting
Digital Security by Design driving investment in the automotive sector and embedded systems
Any sufficiently advanced uninstaller is indistinguishable from malware
The GitHub Security Lab’s journey to disclosing 500 CVEs in open source projects - further scale here as 500 really isn’t a lot considering the volume of both developer and code growth.
Artificial intelligence
Identifying and Mitigating the Security Risks of Generative AI
Chain-of-Verification Reduces Hallucination in Large Language Models
Disarming Steganography Attacks Inside Neural Network Models
Textual Backdoor Attacks Can Be More Harmful via Two Simple Tricks - related was the paper Mind the Style of Text! Adversarial and Backdoor Attacks Based on Text Style Transfer which published code etc.
A Comprehensive Overview of Backdoor Attacks in Large Language Models within Communication Networks
llm-security: Dropbox LLM Security research code and results
Books
Hague Centre for Strategic Studies Summer Bookshelf 2023 - books they have read and recommend
Philosophy of Cybersecurity is now available
Israel and the Cyber Threat: How the Startup Nation Became a Global Cyber Power is coming soon (next week)
Battlefield Cyber: How China and Russia are Undermining Our Democracy and National Security is out next month
Events
VeloCON 2023 videos - for the Velociraptor users out there
I always enjoy your posts, and try to look at as many of the great links as I can. I don't know if this is a new element or just one I have failed to notice, but I'm glad to see some AI focused content and links in this post.
Love this feed. Hope it doesn't disappear.