Matt Lewis

Introduction The work presented in this blog post is that of Ewan Alexander Miles (former UCL MSci student) and explores the expansion of scope for using machine learning models on PE (portable executable) header files to identify and classify malware. It is built on work previously presented by NCC Group,…

Overview RFCs have played a pivotal role in helping to formalise ideas and requirements for much of the Internet’s design and engineering. They have facilitated peer review amongst engineers, researchers and computer scientists, which in turn has resulted in specification of key Internet protocols and their behaviours so that developers…

In December 2019 we launched this new technical security research blog site. As part of its launch we had cause to revisit our old blog website and found a myriad of forgotten whitepapers and conference presentations spanning NCC Group’s history (formation in 1999). Deeply nested on our old blog site…

Overview  NCC Group is an industry partner for University College London’s (UCL) Centre for Doctoral Training in Data Intensive Science (CDT in DIS). The UCL CDT in DIS encompasses a wide range of areas in the field of ‘big-data’ including the collection, storage and analysis of large datasets, as well…

Written by Cedric Halbronn On Saturday 15th February, I gave a talk titled “How CVE-2018-8611 Can be Exploited to Achieve Privilege Escalation on Windows 10 1809 (RS5) and Earlier”. This research was done by Aaron Adams and myself and was presented by Aaron at POC2019 at the end of last…

During late January 2020, a hot topic surfaced between security professionals on an issue that has historically had different proposed solutions. This blog post seeks to explore these solutions and identify pragmatic approaches to risk reduction on this specific issue concerning Customer Premises Equipment (CPE) security. Two security researchers (Tom…

TL; DR We bought a medical infusion pump device from eBay and from it, forensically retrieved the WPA key and server authentication credentials for a real-world hospital’s wireless network and medical pump management server. In the wrong hands, such capability could be life-threatening given the level of network-based access this…

Introduction In our blog post on ASP.NET resource files and deserialization issues [1], we showed how to run code by abusing deserialization features when uploading a RESX or RESOURCES file. In this blog post, similarly we show abuse of XAMLX file capabilities to run commands on a server when such…

Introduction During a recent Active Directory assessment we had access as a low-privilege user to a fully-patched and secured domain workstation. After trying a number of different approaches to elevate privileges locally, we came across the blog post “Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory” [1]…

After 400 days of research, the Project Ava team round up their conclusions on whether machine learning could ever be harnessed to complement current pentesting capabilities. Read more to uncover the team’s verdict on whether this will ever be possible in the near future… Overview Having spent almost 400 people…

In the penultimate blog of the Project Ava series, our research team take a look at expert systems to test for Cross-Site Scripting (XSS) vulnerabilities, develop a proof of concept, and discuss whether machine learning could ever be harnessed to complement currenting pentesting capabilities.  Overview Penetration testing can sometimes be…

Following on from last week’s blog, the eighth instalment in the Project Ava series revisits the theory and approaches of security engineer and researcher, Isao Takaesu, with a focus on XSS. Overview In Part 3 of this blog series, one of the existing approaches by others that we found from…

In last week’s blog, our research team set out the process of creating a SQLi proof of concept.  Overview In our previous prototypes we focused on text processing (vectorizing, word2vect, neural networks, etc.). We recognized that despite some signs of potential, the overall approach is difficult because: It’s not the…

Following on from the team’s first prototype, which explored text processing and semantic relationships, the sixth blog in the Project Ava series moves on to creating a SQLi proof of concept… Overview Building on our initial work with word vectorisation and support-vector machines (SVMs), we set out to create a…

In the fifth blog of the Project Ava series, our research team start to delve into the fun stuff – creating prototypes for applying machine learning to pentesting. Find out how the team got on with their first prototype below. Overview Having understood existing solutions and architected a system for…

Building on from previous research and approaches to using machine learning for pentesting scenarios, this week our research team moves onto the architecture and design of the Project Ava ‘system’. Read on to find out about the architectures tested and the team’s conclusions. Overview Unsurprisingly, machine learning requires data –…

Last week, our research team explored the capabilities of IBM’s Natural Language Processing (NLP) tool and how we might be able to apply it to social engineering or phishing campaigns. In this phase of the research, the team talk us through the existing approaches and attempts to harness machine learning…

This is the second blog in the Project Ava series – the first set out the aims of the research and the tools that our research team experimented with to facilitate their work. In this blog, the team explore an interesting tangent as they play with the capabilities of IBM’s…

In our latest blog series, our research team give an overview of Project Ava – a 400-day exploration of whether machine learning could ever be used to complement current pentesting capabilities. In this blog, the team set out the aims of the project and experiment with the platforms and frameworks…

Introduction During a recent security assessment at NCC Group I found a .NET v2.0 application that used .NET Remoting to communicate with its server over HTTP by sending SOAP requests. After decompiling the application I realised that the server had set the TypeFilterLevel to Full which is dangerous as it can potentially lead to…

This is a short blog post on the PNG Dropper malware that has been developed and used by the Turla Group [1]. The PNG Dropper was first discovered back in August 2017 by Carbon Black researchers. Back in 2017 it was being used to distribute Snake, but recently NCC Group…

Earlier this month NCC Group held NCC Con Europe, boasting 500 attendees and more than 120 talks – all hosted in the beautiful city of Madrid. During the three day conference we saw both technical, sales and other support teams come together and share information through talks, workshops and demonstrations.…

Teradata Database is a Relational Database Management System (RDMS) developed by Teradata Corporation. Teradata Database has the ability to scale for very large data warehousing projects, where fast response times are required, often with many connecting clients. Think “Big Data” with databases that can contain many millions of records. Teradata…

Ben Humphrey – Malware Researcher In late April 2018, NCC Group researchers discovered a small number of documents exploiting CVE-2017-8570 and dropping the same payload. The purpose of these documents is to install a Remote Access Trojan (RAT) on the victims’ machine. This article gives a deep analysis of both…

Brief description Microsoft (MS) Outlook could be abused to send SMB handshakes externally after a victim opened or simply viewed an email. A WebDAV request was sent even when the SMB port was blocked. This could be used to crack a victim’s password when the SMB hash was sent externally,…

Many web servers are using HTTP/2 but few current web application penetration testing tools support it. In most cases, the common workaround is simple – perform most of the testing of the application and its logic using HTTP/1.x and then perform additional testing for HTTP/2 specific vulnerabilities and requests that…

Conducting a thorough Azure security build review or Azure security assessment can be difficult. Clicking through the Azure Ibiza [1] portal to review the details on many of its services, including, but not limited to, Azure Active Directory (Azure AD), resource groups, virtual machines, storage accounts, databases, database servers and…

In May 2017, NCC Group’s Incident Response team reacted to an ongoing incident where our client, which provides a range of services to UK Government, suffered a network compromise involving the advanced persistent threat group APT15. APT15 is also known as, Ke3chang, Mirage, Vixen Panda GREF and Playful Dragon. A…

In the first days of 2018, a number of vulnerabilities were disclosed that are present in many modern-day CPUs. In this blog post we address the most frequently asked questions about Spectre and Meltdown with a focus on providing you with actionable guidance about what to do. This post is…

In November, US-CERT published two alerts about malicious activity by the North Korean government, referred to as HIDDEN COBRA [1][2]. These alerts addressed the remote administration tool FALLCHILL and a Trojan called Volgmer. We’ll focus on the latter in this blog post. Volgmer is a backdoor Trojan that was designed…

This article is part of a series of blog posts. We recommend that you start at the beginning. Alternatively, scroll to the bottom of this article to navigate through the whole series. Exodus Intel released how they exploited [1] CVE-2016-1287 for IKEv2 in February 2016, but there wasn’t anything public for…

With the release of Android Nougat (Android 7) came a new security feature called Network Security Configuration [1]. This new feature arrived with the intention of allowing developers to customise their network security settings without modifying app code. Additional modification was also included in the default configuration for connections to…

This article is part of a series of blog posts. We recommend that you start at the beginning. Alternatively, scroll to the bottom of this article to navigate through the whole series. As part of our ongoing series we would like to talk about Cisco’s Checkheaps security and stability mechanism. More…

This article is part of a series of blog posts. We recommend that you start at the beginning. Alternatively, scroll to the bottom of this article to navigate through the whole series. In part six, we document some of the details around Cisco ASA mempools and how the mempool-related functions wrap…

This article is part of a series of blog posts. We recommend that you start at the beginning. Alternatively, scroll to the bottom of this article to navigate through the whole series. We’re releasing a gdb plugin for analysing ptmalloc2. This plugin is essentially a fork from an older version of…

This article is part of a series of blog posts. We recommend that you start at the beginning. Alternatively, scroll to the bottom of this article to navigate through the whole series. This article is meant to provide a summary of some key functionality for dlmalloc-2.8.x and introduce a debugging plugin…

Summary In the previous blog post, we walked through the primary benefits of using Decoder Improved over the Burp Suite’s built-in decoder. This blog post will focus on adding new functionality to Decoder Improved by walking through implementing new trivial text modifiers and modes. At the end of this blog…

This article is part of a series of blog posts. We recommend that you start at the beginning. Alternatively, scroll to the bottom of this article to navigate through the whole series. We have developed a small framework of tools to automate the debugging of most Cisco ASA firmware files using…

This article is part of a series of blog posts. If you haven’t already, we recommend that you read the introduction article prior to this one. During our research, we ended up wanting to analyse a large number of Cisco ASA firmware files. Most importantly, we needed to mine exploit targets for…

We’ve spent a bunch of time investigating Cisco ASA devices and their firmware while looking into exploiting CVE-2016-1287, CVE-2016-6366, and other bugs. Part of this research has involved data mining numerous Cisco ASA firmware files to generate new exploit targets. We took the time to write some tools to more…

Burp Suite’s built-in decoder component, while useful, is missing important features and cannot be extended. To remedy this, I developed Decoder Improved, a drop-in replacement Burp Suite plugin. It includes all of decoder’s functionality while fixing bugs, adding tabs, and includes an improved hex editor. Additionally, the plugin’s functionality is…

This is short and quick blog to share with you, as promised, the IDAPython script used to decrypt the strings in the Poison Ivy sample discussed in our previous blog post [1]. Before we can start decrypting the strings, we first need to locate the string decoding function. Looking through Poison Ivy’s…

Earlier this week ESET released a paper[1] about Gazer, a new toolset associated with a sophisticated attack group. One interesting quote from the paper stood out: “The compilation date appears to be 2002 but is likely to be faked because the certificate was issued in 2015″ This led to an…

In a recent blog post, Fortinet discussed a new version of Poison Ivy[1] spreading through malicious PowerPoint files. The PowerPoint file includes a .NET loader in a stream which goes on to load a variant of Poison Ivy. But there is some debate regarding whether this is a pure Poison…

On Tuesday 27 June, we saw another outbreak of ransomware. This blog is live and will be updated as we know more. The ransomware is currently being discussed as a variant of Petya, which also modifies the Master Boot Record (MBR), although this ransomware also has traits similar to WannaCry in…

NCC Group is currently aware of a zero-day vulnerability targeting Microsoft Office users which is being exploited in the wild by a number of threat actors including organised criminal gangs. NCC Group has identified various samples exploiting this issue from as far back as 2016. Click here to see NCC…

Because finding bugs is 1337, but fixing them is 31337… Background to Fix Bounty The concept of “Fix Bounty” came about from conversations with colleagues on how there’s often little to no reward for providing security fixes to vulnerabilities found in open source software. Open source projects can differ greatly…

In this blog post we will take a brief look at the remote access Trojan (RAT) used by a group called Greenbug[1]. According to Symantec, an APT group used this RAT – along with other tools – to collect user information which was later used when executing the wiper malware…

We’ve released a new tool called Berserko, which is a Burp Suite extension to perform Kerberos authentication. We use Burp Suite for web application security assessments and it gives us excellent results. However, anyone that has experience in pen testing in enterprise environments will be able to tell you that…

In the first week of 2017, more than 500 NCC Group consultants and colleagues attended the Group’s annual internal conference, otherwise known as NCC CON, in Dublin, Ireland. The event welcomed team members from all over the world, with representation from our European, Canadian, Australian and US offices. NCC Group…

This article describes a process of instrumenting an iOS application without a jailbroken device. Because of the absence of jailbreak in the latest versions of iOS and the requirement for testing applications on the latest versions of iOS, it is necessary to find ways of assessing iOS applications in non-jailbroken…

Overview In 2016, I have read many articles on the topic of authentication where a common proclamation has been that “The Password is Dead!”. No doubt, the vast number of publicised breaches over the past few years where user passwords have been exposed has tainted people’s views on the efficacy…

KGB joke Interrogation of a native Siberian tribesman: Where is the gold? Translator: Where is the gold? Tribesman: Won’t tell! Translator: He won’t tell. KGB interrogator: If you won’t tell, we’ll kill you. Translator: If you won’t tell, they’ll kill you. Tribesman: It’s hidden by the yurt’s entrance. Translator: He…

Note: A previous version of this blog post recommended relying on the Same Origin policy as a security barrier. Since publication, new Same Origin policy bybasses have been presented by Luca Carettoni (https://www.blackhat.com/us-17/briefings.html#electronegativity-a-study-of-electron-security). We have therefore removed the recommendation that this policy be used defensively. Electron is an increasingly mature and…

Threat mitigation is an important part of the security development lifecycle (SDL) and at NCC Group we have been performing a number of threat modeling workshops focused specifically on the automotive sector. Considering the increasing research and media attention in relation to connected cars, it is fundamental to understand the threats…

TL;DR; Ransomware has grown into a significant industry for criminal enterprises due to its relatively low sophistication and the ability for it to be performed remotely, and the fact that it is supported by the existence of crypto currencies which facilitate remuneration. As a result, the likelihood of the perpetrators…

Introduction This post is aimed at those new to exploit development and wanting to understand the end-to-end process and types of techniques that need to be employed in order to realise a working exploit against a buffer overflow vulnerability. I acknowledge that there are more sophisticated techniques that can be…

Introduction In April this year a file was uploaded to VirusTotal which NCC Group’s technical intelligence flagged as the Sakula malware.  Two interesting things stood out: firstly, the implant itself is never stored on disk.  Secondly, a legitimate executable from Kaspersky is used to load part of the malware by…

Why we need it? Within the penetration testing domain quite often we have to deal with different technologies and devices.  It’s important to cover all aspects of connectivity of a device being tested which is why we have built a GSM/GPRS interception capability. There are a number of different devices…

tl;dr This is the first in a series of blog posts relating to driver development on Windows systems. The project started as an attempt to understand drivers and low-level system programming by developing a driver to exercise a wide range of functionality. The initial stages of the project were difficult…

Introduction Securely erasing media is an important process for any IT department. There are numerous methods of ensuring that sensitive data is removed before items are reissued or disposed. And the removal of such data is also mandated by various standards such as ISO 27001, which states:  A.11.2.7 – “All…

Overview This blog post is a slightly modified version of an internal document recently produced at NCC Group. The aim of the original document was to introduce security research to our consultants, particularly those new to the business or to security research in general, and it summarised the different areas…

This week more than 300 NCC Group consultants and colleagues gathered in Dublin for NCC Con Europe 2016. People came from all over the world for the event, including from the Group’s European, Canadian, Australian, and even US offices. The internal conference began with two days of training provided for…

Why Car Parking? Companies running paid-for parking schemes across the UK are introducing mobile applications as an alternative to paying with coins and/or card at the parking meter. Many NCC Group consultants travel extensively to support the work that they do for clients. In most cases consultants will drive, and…

Drones have become readily available and more affordable. They are quite easy to use now and gone are the days whereby stable flight relied on the dexterous skills of an experienced operator. With the addition of GPS positioning, a drone operator can program a flight path using point-and-click software and…

Until November 2013 (CVE-2013-3906), exploit primitives for Object Linking and Embedding (OLE) objects were not discussed publicly. This changed at BlackHat USA 2015, when Haifei Bing presented “Attacking Interoperability: An OLE Edition”. This talk examined the internals of OLE embedding. Over the past few months, several malware campaigns targeting high-profile…

This blog, as the name implies, discusses how I went about designing and building our initial Wi-Fi mapping drone capability (and you can too, hopefully). Before we begin, a brief disclaimer: we sought legal advice and complied with relevant laws. Before you embark on such a project, make sure you…

tl;dr In 2014 a paper [http://www.scs.stanford.edu/brop/bittau-brop.pdf] which introduces Blind Return Oriented Programming (BROP), a state-of-the-art exploitation technique, was released by researchers from Stanford University. The paper discusses a general approach in which BROP is used to exploit services which are both vulnerable to stack-based buffer overflows and automatically recover after…

Introduction One of the first steps when looking to gain access to a host, system, or application is to enumerate usernames. Once usernames are guessed or enumerated targeted password based attacks can then be launched against those found usernames.  In this blog post, we discuss common techniques that are used…

Introduction One of our clients recently approached us for assistance with recovering data from a laptop hard drive which had been encrypted using TrueCrypt. A hardware repair gone wrong had led to problems booting the operating system and a variety of attempted fixes had been unsuccessful. They had already sent…

NCC Group’s Cyber Defence Operations team has released a technical note about the Derusbi Server variant, which we encountered on an engagement at the end of last year. The Derusbi Server variant is typically associated with advanced attackers (APT groups) and was the most sophisticated attempt to retain persistence on…

tl;dr This is my analysis of the recent pre-auth Samba remote tracked by CVE-2015-0240[1]. It doesn’t appear to be very exploitable to me, but I’d love to be proven wrong. Note that since the time when I originally did this analysis someone has released their own PoC and analysis [8]…

tl;dr In today’s (28 February) closing keynote talk at the Abertay Ethical Hacking Society’s Securi-Tay conference, NCC Group was present and I discussed how it was possible to build a malicious Blu-ray disc. By combining different vulnerabilities in Blu-ray players we have built a single disc which will detect the type of player…

Introduction As security consultants we often come across situations where we have access to an RDP server that has been locked down fairly well by an administrator, which generally inhibits our ability to test the target. This blog looks at what a tester can do given the following scenario: Tester…

tl;dr We’re going to look in detail at Microsoft Windows Firewall Hook drivers from Windows 2000, XP and 2003. This functionality was leveraged by the Derusbi family of malicious code to implement port-knocking like functionality. We’re going to discuss the problem we faced, the required reverse engineering to understand how…

Executive Summary An alert about a severe vulnerability discovered by the Qualys security team was issued on Tuesday, January 27 2015. This vulnerability allows a local or remote attacker to execute code within the context of an application linked with certain versions of the glibc library. The vulnerability is triggered by a…

tl;dr This post discusses the results from our research into the ability of third party websites setting cookies for first party websites across different web browsers. The ability to be able to set cookies in this manner not only facilitates tracking but also opens up other opportunities and avenues of…

Background freenode is a large IRC network providing services to Free and Open Source Software communities, and in September the freenode staff team blogged about a potential compromise of an IRC server. NCC Group’s Cyber Defence Operations team provided pro bono digital forensic and reverse engineering services to assist the freenode…

Introduction In May 2014 FireEye[1]and Crowdstrike[2] produced reports about the activities of “Flying Kitten”, otherwise known as the Ajax Security Team. In July 2014 NCC Group’s Cyber Defence Operations team encountered several executables in our malware zoo that appear to be updated versions of the “Stealer” malware reported by FireEye…

Our Cyber Defence Operations team, led by David Cannings, has published a new whitepaper on understanding ransomware. It looks at the impact, evolution and defensive strategies that can be employed by organisations. While the paper is primarily focused on Microsoft Windows due to the historic prevalence and devastating impact on…

Background In March Microsoft published security advisory 2953095, detailing a remote code execution vulnerability in multiple versions of Microsoft Office (CVE-2014-1761).  A Technet blog was released at the same time which contained excellent information on how a typical malicious document would be constructed. NCC Group’s Cyber Defence Operations team used the information in…

Archived current event – v1.2 of post This was a current event and as such this blog post was subject to change as we performed further supplementary research and analysis. 1.2: Updated to include Struts v1 1.1: Final public release of this blog post 1.0: Initial version Background The Struts…

A colleague and I were discussing retro-gaming in the office, reminiscing about the classic text adventures from the 1980s. He really enjoyed Infocom adventures whereas I was a big fan of the Magnetic Scrolls series. They can all still be played under various emulators like Frotz and Magnetic. For nostalgia’s sake, I showed him Jinxter, one of the…

Logs, logs, the audit trail The more your parse, the more they fail The more they fail, the less they plunder, So let’s have logs to avoid a blunder Will Alexander, NCC Group, 2014 In the age of Big Data, organisations are able to retrieve and store events from all…

Geofencing apps, which use the global positioning system (GPS) to create virtual barriers to enable different functionality in applications, or devices, depending on geographical area, are not as secure as they could be. We carried out a range of tests and have discovered a number of vulnerabilities in various apps.…

A quick post to announce NCC Group’s new web application security assessment tool has been pushed to our Gifthub repo at https://github.com/nccgroup/. So what is Scenester?  It is a simple Java application to discover different web application front ends based on web browser user-agents. The goal is to ensure coverage during…

I’ve been re-reading the Mandiant report on the notorious APT1 group, and it occurred to me that the tools and techniques used by this relatively unsophisticated (but very successful) group are similar to those used by penetration testers. That isn’t to say that penetration testers, or pen testers as they are colloquially…

For people who regularly conduct internal penetration tests on Windows domains, typically you will see common issues arise such as common passwords. If you are able to obtain a local administrator hash, in most instances you can normally compromise the entire domain. Typically the hash will be common with other…

This threat brief discusses a security issue noted by NCC Group in September 2012 relating to the use of ASP.NET forms authentication in a shared / cloud hosting environment. If virtual hosting is used to make multiple applications on the same IIS server available at different domain names, then a…

Here at NCC Group we work with raw bytes a lot! As I couldn’t find a good tool to manipulate, encode and decode easily I set about writing Pip3line a while back. While it has been available for a while as open source I’ve not really discussed it outside of…

Managing firewall rulesets in any moderately-sized environment can be a complicated task. As IT infrastructures perpetuate change, firewall rules often become more complicated, overlapped and difficult to manage. We’ve been working on a prototype of a tool which seeks to provide more assurance over firewall rulesets; by providing better insight…