NCC Group’s Incident Response team observed a new variant of the FiveHands ransomware, deployed by an affiliate leveraging publicly available tools to progress their attack. This blog post aims to describe the developments in the ransomware variant and the techniques used by the affiliate.
Archive
On the Use of Pedersen Commitments for Confidential Payments
The increased adoption of financial blockchains has fueled a lot of cryptography research in recent years. One area of high interest is transaction confidentiality which requires hiding investors' account balances and transaction amounts, while enforcing compliance rules and performing validity checks on all activities. This blog post will look at the Zether [2] protocol, which … Continue reading On the Use of Pedersen Commitments for Confidential Payments
Incremental Machine Learning by Example: Detecting Suspicious Activity with Zeek Data Streams, River, and JA3 Hashes
tl:dr Incremental Learning is an extremely useful machine learning paradigm for deriving insight into cyber security datasets. This post provides a simple example involving JA3 hashes showing how some of the foundational algorithms that enable incremental learning techniques can be applied to novelty detection (the first time something has happened) and outlier detection (rare events) … Continue reading Incremental Machine Learning by Example: Detecting Suspicious Activity with Zeek Data Streams, River, and JA3 Hashes
Testing Two-Factor Authentication
More and more applications we test are implementing some form of two-factor authentication (2FA, sometimes known as multi-factor authentication or MFA). This post provides a whirlwind tour of common 2FA mechanisms and detailed information on testing them. How does 2FA Work? The general concept behind two-factor authentication is the pairing of two different types of … Continue reading Testing Two-Factor Authentication
Optimizing Pairing-Based Cryptography: Montgomery Arithmetic in Rust
This is the first blog post in a new code-centric series about selected optimizations found in pairing-based cryptography. Pairing operations are foundational to the BLS Signatures [1] central to Ethereum 2.0, zero-knowledge arguments central to Zcash and Filecoin [2], and a wide variety of other emerging applications. A prior blog series implemented the entire pairing … Continue reading Optimizing Pairing-Based Cryptography: Montgomery Arithmetic in Rust
Research Paper – Machine Learning for Static Malware Analysis, with University College London
For the past few years, NCC Group has been an industry partner to the Centre for Doctoral Training in Data Intensive Science (CDT in DIS) at University College London (UCL). CDT is composed of a group of over 80 academics from across UCL in areas such as High Energy Physics, Astrophysics, Atomic and Molecular Physics, … Continue reading Research Paper – Machine Learning for Static Malware Analysis, with University College London
Conference Talks – June 2021
This month, members of NCC Group will be presenting their work at the following conferences: Dirk-Jan Mollema, "Walking your dog in multiple forests - Breaking AD Trust Boundaries Through Kerberos Vulnerabilities", to be presented in a Black Hat Webcast (Virtual, June 3 2021) Michael Gough, "Incident Response Fails – What we see with our clients, … Continue reading Conference Talks – June 2021
Public Report – Protocol Labs Groth16 Proof Aggregation: Cryptography and Implementation Review
During April 2021, Protocol Labs engaged NCC Group’s Cryptography Services team to conduct a cryptography and implementation review of the Groth16 proof aggregation functionality in the bellperson and two other related GitHub repositories. This code utilizes inner product arguments to efficiently aggregate existing Groth16 proofs while re-using existing powers of tau ceremony transcripts. Full source … Continue reading Public Report – Protocol Labs Groth16 Proof Aggregation: Cryptography and Implementation Review
iOS User Enrollment and Trusted Certificates
tl;dr The User Enrollment MDM option added with iOS 13 does not restrict MDM-deployed certificates to MDM-deployed applications, and in the absence of additional controls such as certificate pinning these certificates are, surprisingly, trusted by personally installed apps. When using User Enrollment on the organization’s Wi-Fi, it is possible for a Corporate Intrusion Detection System … Continue reading iOS User Enrollment and Trusted Certificates
Detecting Rclone – An Effective Tool for Exfiltration
NCC Group CIRT has responded to a large number of ransomware cases where frequently the open source tool Rclone being used for data exfiltration. We provide some techniques for detection.