-
RIFT: Analysing a Lazarus Shellcode Execution Method
NCC Group’s Research and Intelligence Fusion Team analyze a recent shellcode execution method used by Lazarus Group
-
MSSQL Lateral Movement
Using discovered credentials to move laterally in an environment is a common goal for the NCC Group FSAS team. The ability to quickly and reliably use a newly gained set of credentials is essential during time-constrained operations. This blog post explains how to automate lateral movement via MSSQL CLR without touching disk* or requiring XP_CMDSHELL and how this can be prevented and detected.
-
Public Report – BLST Cryptographic Implementation Review
In October 2020, Supranational, Protocol Labs and the Ethereum Foundation engaged NCC Group’s Cryptography Services team to conduct a cryptographic implementation review of the BLST library. This library implements support for the draft IETF specifications on Hashing to Elliptic Curves and BLS Signatures. The latter specification uses advanced cryptographic-pairing operations to feature aggregation properties for… Read more
-
Sign over Your Hashes – Stealing NetNTLM Hashes via Outlook Signatures
In your emails, getting your hashes Capturing NetNTLM hashes from network communications is nothing new; a quick Google for ‘Capture NTLM Hashes’ throws up blog posts discussing the various ways to force SMB communications to an attacker and the numerous existing tools to capture the authentication attempt and extract the password hash. Sniffing SMB traffic requires elevated permissions… Read more
-
Abusing cloud services to fly under the radar
tl;dr NCC Group and Fox-IT have been tracking a threat group with a wide set of interests, from intellectual property (IP) from victims in the semiconductors industry through to data from the airline industry. In their intrusions they regularly abuse cloud services from Google and Microsoft to achieve their goals. NCC Group and Fox-IT observed… Read more
-
Building an RDP Credential Catcher for Threat Intelligence
We wanted to build a mechanism to capture all the passwords used (successful or not) against RDP to ascertain potential sources of credential theft and if they are organisation specific. This post provides the background on an approach and the steps to build such a system.
-
Double-odd Elliptic Curves
This post is about some new (or sort of new) elliptic curves for use in cryptographic protocols. They were made public in mid-December 2020, on a dedicated Web site: https://doubleodd.group/ There is also a complete whitepaper, full of mathematical demonstrations, and several implementations. Oh noes, more curves! Will this never end? It is true that… Read more
-
Using AWS and Azure for Cost Effective Log Ingestion with Data Processing Pipelines for SIEMs
Liam Stevenson, Associate Director of Technical Services within NCC Group’s Managed Detection & Response division, shows how to derive significant cost efficiencies in SIEM platform consumption with smart log ingestion utilizing pre-processing data pipelines and modern cloud services. Doing so significantly reduces data volumes to the SIEM without loosing the residual value and accessibility of the underlying data.
-
Domestic IoT Nightmares: Smart Doorbells
Preface Half way through 2020, UK independent consumer champion Which? magazine reached out to us and asked if we could assist investigating the security of a series of domestic IoT devices and to perform a vulnerability assessment of each device. The assessments included smart plugs and smart/connected doorbells. We also worked on a number of… Read more
-
Technical Advisory: OS Command Injection in Silver Peak EdgeConnect Appliances (CVE-2020-12148, CVE-2020-12149)
Summary Silver Peak’s Unity EdgeConnect offering enables customers to easily setup and manage virtual networks using SD-WAN (Software Defined Wide Area Networking). At a high level it consists of physical or virtual EdgeConnect appliances and the Orchestrator management platform. The EdgeConnect appliances are essentially network devices that are installed at various remote sites within the… Read more
-
Helping Engineering Teams Tackle Security Debt in Embedded Systems: U-Boot Configuration Auditing Introduced in Depthcharge v0.2.0
Depthcharge v0.2.0 is now available on GitHub and PyPi. This release introduces new “configuration checker” functionality and includes some major updates intended to improve usability. A tl;dr summary can be found in the CHANGELOG file. This blog post dives a bit more into the motivations for the changes, envisioned use-cases, and how this update fits… Read more
-
An Adventure in Contingency Debugging: Ruby IO#read/IO#write Considered Harmful
Recently, I was working on weaponizing a particular bug with a colleague. For reasons unfathomable to me, we’ve been implementing our exploit in Ruby. As part of this, we wrote a rinky-dink port scanner that attempts to find instances of the service on a given host because it has a propensity to pick random ports… Read more
-
ABSTRACT SHIMMER (CVE-2020-15257): Host Networking is root-Equivalent, Again
This post is a technical discussion of the underlying vulnerability of CVE-2020-15257, and how it can be exploited. Our technical advisory on this issue is available here, but this post goes much further into the process that led to finding the issue, the practicalities of exploiting the vulnerability itself, various complications around fixing the issue,… Read more
-
Tool Release – HTTPSignatures: A Burp Suite Extension Implementing HTTP Signatures
HTTPSignatures is a PortSwigger Burp Suite extension that implements the Signing HTTP Messages draft-ietf-httpbis-message-signatures-01 specification draft document. What motivated my creation in this tool was the lack of an easy way to test applications and services using HTTP Signatures. This extension allows Burp Suite users to seamlessly test applications that require HTTP Signatures. What are… Read more
-
ICS/OT Security & the evolution of the Purdue Model: Integrating Industrial and Business Networks
In this recording of a presentation by NCC Group’s Damon Small at Hou.Sec.Con in October 2020, he outlines the evolution of the Purdue Reference Model in ICS/OT security, which draws the security boundaries between users, ICS networks, and business networks, and shows the dramatic ways in which these boundaries have blurred in recent years, necessitating… Read more