NCC Group Research Home

  • MSSQL Lateral Movement

    January 21, 2021 by

    Using discovered credentials to move laterally in an environment is a common goal for the NCC Group FSAS team. The ability to quickly and reliably use a newly gained set of credentials is essential during time-constrained operations. This blog post explains how to automate lateral movement via MSSQL CLR without touching disk* or requiring XP_CMDSHELL and how this can be prevented and detected.

  • Public Report – BLST Cryptographic Implementation Review

    January 20, 2021 by

    In October 2020, Supranational, Protocol Labs and the Ethereum Foundation engaged NCC Group’s Cryptography Services team to conduct a cryptographic implementation review of the BLST library. This library implements support for the draft IETF specifications on Hashing to Elliptic Curves and BLS Signatures. The latter specification uses advanced cryptographic-pairing operations to feature aggregation properties for… Read more

  • Sign over Your Hashes – Stealing NetNTLM Hashes via Outlook Signatures

    January 15, 2021 by

    In your emails, getting your hashes  Capturing NetNTLM hashes from network communications is nothing new; a quick Google for ‘Capture NTLM Hashes’ throws up blog posts discussing the various ways to force SMB communications to an attacker and the numerous existing tools to capture the authentication attempt and extract the password hash. Sniffing SMB traffic requires elevated permissions… Read more

  • Abusing cloud services to fly under the radar

    January 12, 2021 by

    tl;dr NCC Group and Fox-IT have been tracking a threat group with a wide set of interests, from intellectual property (IP) from victims in the semiconductors industry through to data from the airline industry. In their intrusions they regularly abuse cloud services from Google and Microsoft to achieve their goals. NCC Group and Fox-IT observed… Read more

  • Building an RDP Credential Catcher for Threat Intelligence

    January 10, 2021 by

    We wanted to build a mechanism to capture all the passwords used (successful or not) against RDP to ascertain potential sources of credential theft and if they are organisation specific. This post provides the background on an approach and the steps to build such a system.

  • Double-odd Elliptic Curves

    January 6, 2021 by

    This post is about some new (or sort of new) elliptic curves for use in cryptographic protocols. They were made public in mid-December 2020, on a dedicated Web site: There is also a complete whitepaper, full of mathematical demonstrations, and several implementations. Oh noes, more curves! Will this never end? It is true that… Read more

  • Using AWS and Azure for Cost Effective Log Ingestion with Data Processing Pipelines for SIEMs

    January 4, 2021 by

    Liam Stevenson, Associate Director of Technical Services within NCC Group’s Managed Detection & Response division, shows how to derive significant cost efficiencies in SIEM platform consumption with smart log ingestion utilizing pre-processing data pipelines and modern cloud services. Doing so significantly reduces data volumes to the SIEM without loosing the residual value and accessibility of the underlying data.

  • Domestic IoT Nightmares: Smart Doorbells

    December 18, 2020 by

    Preface Half way through 2020, UK independent consumer champion Which? magazine reached out to us and asked if we could assist investigating the security of a series of domestic IoT devices and to perform a vulnerability assessment of each device. The assessments included smart plugs and smart/connected doorbells. We also worked on a number of… Read more

  • Technical Advisory: OS Command Injection in Silver Peak EdgeConnect Appliances (CVE-2020-12148, CVE-2020-12149)

    December 17, 2020 by

    Summary Silver Peak’s Unity EdgeConnect offering enables customers to easily setup and manage virtual networks using SD-WAN (Software Defined Wide Area Networking). At a high level it consists of physical or virtual EdgeConnect appliances and the Orchestrator management platform. The EdgeConnect appliances are essentially network devices that are installed at various remote sites within the… Read more

  • Helping Engineering Teams Tackle Security Debt in Embedded Systems: U-Boot Configuration Auditing Introduced in Depthcharge v0.2.0

    December 16, 2020 by

    Depthcharge v0.2.0 is now available on GitHub and PyPi. This release introduces new “configuration checker” functionality and includes some major updates intended to improve usability. A tl;dr summary can be found in the CHANGELOG file. This blog post dives a bit more into the motivations for the changes, envisioned use-cases, and how this update fits… Read more

  • ABSTRACT SHIMMER (CVE-2020-15257): Host Networking is root-Equivalent, Again

    December 10, 2020 by

    This post is a technical discussion of the underlying vulnerability of CVE-2020-15257, and how it can be exploited. Our technical advisory on this issue is available here, but this post goes much further into the process that led to finding the issue, the practicalities of exploiting the vulnerability itself, various complications around fixing the issue,… Read more

  • Tool Release – HTTPSignatures: A Burp Suite Extension Implementing HTTP Signatures

    December 8, 2020 by

    HTTPSignatures is a PortSwigger Burp Suite extension that implements the Signing HTTP Messages draft-ietf-httpbis-message-signatures-01 specification draft document. What motivated my creation in this tool was the lack of an easy way to test applications and services using HTTP Signatures. This extension allows Burp Suite users to seamlessly test applications that require HTTP Signatures. What are… Read more

  • ICS/OT Security & the evolution of the Purdue Model: Integrating Industrial and Business Networks

    December 4, 2020 by

    In this recording of a presentation by NCC Group’s Damon Small at Hou.Sec.Con in October 2020, he outlines the evolution of the Purdue Reference Model in ICS/OT security, which draws the security boundaries between users, ICS networks, and business networks, and shows the dramatic ways in which these boundaries have blurred in recent years, necessitating… Read more

View all posts