NCC Group is pleased to open source a new tool built to help Red Teams log their activity for later correlation with the Blue Team’s own logging. What started as a simple internal web based data-collection tool has grown to integrate with Cobalt Strike and BloodHound to improve the accuracy and ease of activity recording.…
Author: NCCgroup
This post is about exploiting CVE-2022-24834 against a Redis container running on Alpine Linux. CVE-2022-24834 is a vulnerability affecting the Lua cjson module in Redis servers <=7.0.11. The bug is an integer overflow that leads to a large copy of data, approximately 350MiB.
A colleague from NCC Group wanted to exploit this bug but found that the public exploits didn’t work.…
System Management Interrupts (SMI) provide a mechanism for entering System Management Mode (SMM) which primarily implements platform-specific functions related to power management. SMM is a privileged execution mode with access to the complete physical memory of the system, and to which the operating system has no visibility.…
This year’s Real World Cryptography Conference recently took place in Toronto, Canada. As usual, this conference organized by the IACR showcased recent academic results and industry perspectives on current cryptography topics over three days of presentations. A number of co-located events also took place before and after the conference, including the FHE.org…
Lolbins? Where we’re going, we don’t need lolbins.
At NCC Group, as a consultant in our hardware and embedded systems practice1, I often get to play with various devices, which is always fun, but getting your own software to run on them can be a bit of a pain. This…
Hello and welcome back to the Cryptopals Guided Tour (previously, previously)! Today we are taking on Challenge 17, the famous padding oracle attack.
For those who don’t know, Cryptopals is a series of eight sets of challenges covering common cryptographic constructs and common attacks on them.…
Let’s kick this off with some examples. Here’s a seamless loop illustrating CBC-mode encryption:
Here’s a clip showing a code block being rewritten to avoid leaking padding information in error messages:
Here’s an illustration of a block cipher operating in CTS mode:
You may be surprised to learn that each of these illustrations was generated from ≤30 lines of code (30, 9, and 23 lines, respectively), without any golfing.…
In late 2023 and early 2024, the NCC Group Hardware and Embedded Systems practice undertook an engagement to reverse engineer baseband firmware on several smartphones. This included MediaTek 5G baseband firmware based on the nanoMIPS architecture. While we were aware of some nanoMIPS modules for Ghidra having been developed in private, there was no publicly available reliable option for us to use at the time, which led us to develop our own nanoMIPS disassembler and decompiler module for Ghidra.…
Authored by Willem Zeeman and Yun Zheng Hu
This blog is part of a series written by various Dutch cyber security firms that have collaborated on the Cactus ransomware group, which exploits Qlik Sense servers for initial access. To view all of them please check the central blog by Dutch special interest group Cyberveilig Nederland [1]
The effectiveness of the public-private partnership called Melissa [2] is increasingly evident.…
As we explained in a previous blog post, exploiting a prompt injection attack is conceptually easy to understand: there are previous instructions in the prompt, and we include additional instructions within the user input, which is merged with the legitimate instructions in a way that the underlying model cannot distinguish between them.…
During the spring of 2024, Google engaged NCC Group to conduct a design review of Confidential Mode for Hyperdisk (CHD) architecture in order to analyze how the Data Encryption Key (DEK) that encrypts data-at-rest is protected. The project was 10 person days and the goal is to validate that the following two properties are enforced:
The DEK is not available in an unencrypted form in CHD infrastructure.…
Ollama is an open-source system for running and managing large language models (LLMs).
NCC Group identified a DNS rebinding vulnerability in Ollama that permits attackers to access its API without authorization, and perform various malicious activities, such as exfiltrating sensitive file data from vulnerable systems.…
The authors behind Android banking malware Vultur have been spotted adding new technical features, which allow the malware operator to further remotely interact with the victim’s mobile device. Vultur has also started masquerading more of its malicious activity by encrypting its C2 communication, using multiple encrypted payloads that are decrypted on the fly, and using the guise of legitimate applications to carry out its malicious actions.…
During the winter of 2022, Google engaged NCC Group to conduct an in-depth security review of the Aggregation Service, part of Google’s Privacy Sandbox initiative. Google describes the Aggregation Service as follows:
The Privacy Sandbox initiative aims to create technologies that both protect people’s privacy online and give companies and developers tools to build thriving digital businesses.…
In this blog post, we introduce LTair, a tool that allows NCC Group to perform different attacks on the LTE Control Plane via the air interface. It gives NCC the capability to assess the correct implementation of the LTE standard in operators’ systems and user equipment.…
This blog details the requirement for testing Telecom networks and one of the tools developed in house to facilitate this testing.
Why? Telecoms security has always been an afterthought, ever since the first mobile networks were developed and deployed into the wild. Telecoms security has faced numerous challenges, leading to concerns about its effectiveness. …
In the last calendar quarter of 2022, Amazon Web Services (AWS) engaged NCC Group to conduct an architecture review of the AWS Nitro System design, with focus on specific claims AWS made for the security of the Nitro System APIs.
The Italian translation of the Public Report for this review may be downloaded below:
NCC_Group_AWS_Nitro_System_A_adobe_express-Italian
The original Public Report can be found here in English: https://research.nccgroup.com/2023/05/03/public-report-aws-nitro-system-api-security-claims…