🛡️ InfoSec Blue Team Briefing

📰 Articles Covered

• EtwWatcher - Jonathan Johnson 🔍 Show Kagi Synopsis
  **EtwWatcher** is a static website designed to help researchers and security professionals analyze changes in Event Tracing for Windows (ETW) providers across different Windows builds 【1】. The tool allows users to upload ETW provider snapshots, compare them, and highlight modifications in event descriptions and template XML 【1】.
  
  **What Happened:**
  The creator developed EtwWatcher out of a need to query ETW providers for telemetry research. The tool takes ETW provider snapshots, captures them using ETWInspector, stores them as NDJSON in a repository, and then renders this data client-side on a static website 【1】.
  
  **Who is Affected:**
  - **Sensor companies:** Those looking to incorporate the latest fields into their telemetry surface can benefit from the detailed provider information 【1】.
  - **Researchers:** Individuals tracking new events related to vulnerabilities or adversary tactics can use EtwWatcher to observe the evolution of these events over time 【1】.
  - **Security professionals:** Anyone needing to understand changes in ETW providers across Windows builds, particularly for threat detection and prevention, will find this tool valuable.
  
  **Security Implications:**
  EtwWatcher's primary value lies in its ability to surface changes in telemetry. This can indirectly lead to security insights by:
  - **Identifying new event sources:** Understanding what new data is being logged can help in developing more comprehensive detection strategies 【1】.
  - **Tracking adversary tradecraft:** By monitoring how events related to vulnerabilities or malicious activities evolve, researchers can better understand and counter emerging threats 【1】.
  - **Enhancing telemetry surface:** For companies developing security sensors, EtwWatcher helps ensure they are capturing the most relevant and up-to-date information 【1】.
  
  **Technical Details:**
  - **Data Input:** EtwWatcher accepts plain `.ndjson` files or gzipped `.ndjson.gz` files, which are decompressed and parsed entirely within the user's browser, ensuring the data never leaves the tab 【1】.
  - **ETW Provider Types:** The tool enumerates Manifest, MOF, and TraceLogging providers 【1】.
  - **Limitations:**
  - **MOF events:** These do not currently populate in EtwWatcher because querying MOF provider events is complex and not yet reliably implemented 【1】.
  - **TraceLogging events:** These are not inherently bound to a specific provider. Their metadata is compiled into the binary, and recovering the per-event binding requires static analysis of `TraceLoggingWrite` calls 【1】.
  - **Snapshot Cadence:** Snapshots are planned to be added regularly, including:
  - Patch Tuesday cumulative updates for supported Windows builds.
  - Insider/Canary builds for early detection of changes before they reach general availability 【1】.
  
  **What Defenders Should Know:**
  Defenders can leverage EtwWatcher to stay informed about changes in Windows telemetry. By understanding which ETW providers and events are added, removed, or modified between Windows builds, security teams can:
  - **Adapt detection rules:** Ensure their detection mechanisms account for new or altered event data.
  - **Improve threat hunting:** Identify potential indicators of compromise by analyzing evolving event patterns.
  - **Enhance incident response:** Gain a deeper understanding of the telemetry available during an investigation.
  The tool's ability to compare different Windows builds directly highlights these changes, providing actionable intelligence for security posture improvement 【1】.
• LUKSbox: Store sensitive files in the cloud, or on shared media without trusting the host. LUKSbox is a Rust-based encrypted-container tool with passphrase, FIDO2, TPM 2.0 etc - Sébastien Dudek 🔍 Show Kagi Synopsis
  **LUKSbox** is an open-source tool designed to secure sensitive files by encrypting them before they leave the user's machine, creating a single, tamper-evident container (`.lbx`) that is opaque to storage providers. This addresses the concern of storing sensitive data on untrusted platforms like cloud services, NAS units, or portable media.
  
  **What Happened:**
  LUKSbox provides a method to encrypt files using user-controlled keys before uploading them to cloud storage or other shared media. The encrypted container is designed to be indistinguishable from random data to the provider, preventing them from accessing or decrypting the contents, even under legal compulsion. It also offers tamper-evidence for both individual file chunks and the entire vault.
  
  **Who is Affected:**
  **Anyone storing sensitive files on untrusted storage** is potentially affected. This includes users of cloud sync services (iCloud, Drive, Dropbox, OneDrive, S3, Backblaze), NAS users, and individuals who use portable storage devices for sensitive data.
  
  **Security Implications:**
  - **Provider Inability to Access Data:** The primary implication is that cloud providers or storage administrators cannot read the user's files, even if compelled by legal means, as they do not possess the encryption keys.
  - **Tamper Detection:** LUKSbox implements per-chunk AEAD (Authenticated Encryption with Associated Data) to detect silent file tampering. It also includes an "anchor sidecar" for detecting whole-vault rollbacks.
  - **Post-Quantum Readiness:** The tool supports post-quantum cryptography (ML-KEM-768/1024 hybrid keyslots), offering protection against future quantum computing threats.
  - **Hardware Key Integration:** It supports hardware-based security keys like FIDO2 and TPM 2.0 for unlocking vaults, adding a layer of physical security.
  - **Single Point of Failure:** A critical implication is that a LUKSbox vault is a traveling copy, not a master copy. Corruption of the `.lbx` file or loss of all access keys will result in data loss. Users are advised to maintain an unencrypted backup of critical files.
  
  **Technical Details:**
  - **Encryption:** LUKSbox uses AES-256-GCM-SIV (default), AES-256-GCM, or ChaCha20-Poly1305 for AEAD on file chunks and metadata. Header integrity is ensured by HMAC-SHA256.
  - **Key Management:** A Master Volume Key (MVK) is the root secret, from which all other keys (for headers, metadata, file chunks, and rollback anchors) are derived using HKDF-SHA256.
  - **Unlock Mechanisms:** Vaults are opened using "unlock material" such as passphrases, PINs, FIDO2 authenticators, TPM 2.0, or a post-quantum ML-KEM seed file. Passphrases are stretched using Argon2id.
  - **Container Format:** A LUKSbox vault is a single `.lbx` file. Optionally, a detached header (`.hdr`) and a post-quantum sidecar (`.kyber`) can be stored separately.
  - **Advanced Protections:** Includes per-chunk AAD for substitution/replay detection, detached header and anchor sidecars for rollback detection, `memfd_secret(2)` (on Linux) to protect the MVK from coredumps, and workspace-wide `Zeroizing` of secrets.
  
  **What Defenders Should Know:**
  - **Pre-1.0 Release:** The project is currently in a pre-1.0 release status, meaning the on-disk format is locked, but external paid audits and broader real-world deployment are upcoming milestones.
  - **Open Source and Auditable:** The code is open-source (Apache-2.0 license), allowing for community review and auditing.
  - **Fuzzing and Bug Reporting:** The project actively encourages bug hunting through fuzzing (libFuzzer, AFL++) and provides clear channels for reporting issues. Suspected vulnerabilities should be reported privately to `security@penthertz.com` with a 72-hour acknowledgement SLA. Crashes on malformed input should be reported as GitHub issues with the `fuzz-crash` label.
  - **Key Management is Crucial:** Defenders must understand that the security of LUKSbox relies heavily on the secure management of unlock material. Loss of this material means loss of access to the data.
  - **Backup Strategy:** Emphasize the importance of maintaining unencrypted backups for critical data, as LUKSbox vaults are susceptible to corruption or key loss.
• CHERIoT-Ibex: Closing the door on memory safety vulnerabilities with hardware-enforced protection - Microsoft 🔍 Show Kagi Synopsis
  **CHERIoT-Ibex** is a new hardware-enforced memory safety solution designed to combat prevalent vulnerabilities in software, particularly those found in languages like C and C++ 【1】.
  
  **What Happened:**
  Microsoft, in partnership with Azure Hardware Systems & Infrastructure, has developed and open-sourced the **CHERIoT Platform**, which includes the **CHERIoT-Ibex** core 【1】. This initiative aims to address the significant number of memory safety vulnerabilities that lead to exploitable software defects 【1】.
  
  **Who is Affected:**
  The vulnerabilities addressed by CHERIoT-Ibex affect a wide range of systems, from **embedded devices and the Internet of Things (IoT)** to **cloud-scale infrastructure** 【1】. Specifically, traditional embedded designs that rely on less robust security measures are susceptible 【1】.
  
  **Security Implications:**
  Memory safety vulnerabilities are a leading cause of exploitable software defects, accounting for approximately **70 percent of Microsoft's annual CVEs** 【1】. These flaws can allow attackers to gain control of devices or disrupt critical services. CHERIoT-Ibex aims to eliminate these vulnerabilities at their source by providing **hardware-enforced memory safety and fine-grained compartmentalization** 【1】. This limits the "blast radius" of software failures, preventing a compromise in one component (e.g., a networking stack) from affecting other critical functions 【1】.
  
  **Technical Details:**
  CHERIoT-Ibex is the **first open-source, production-quality implementation of the CHERIoT instruction set architecture (ISA)** and is certified by the CHERI Alliance 【1】. It is a **32-bit RISC-V core** based on LowRISC's Ibex, enhanced with CHERIoT capability extensions 【1】. The CHERIoT Platform, open-sourced in 2023, includes the ISA, toolchain, real-time operating system, and the RTL implementation of the CHERIoT-Ibex core 【1】. It provides **spatial and temporal memory safety** with power and area efficiency comparable to low-cost microcontrollers 【1】.
  
  **What Defenders Should Know:**
  Defenders should be aware that traditional security approaches for embedded systems often fall short against vulnerabilities like buffer overflows and use-after-free attacks 【1】. CHERIoT-Ibex offers a more robust, hardware-enforced solution that provides isolation between system components, thereby enhancing overall system security 【1】. Developers and researchers can access the **CHERIoT Platform and the CHERIoT-Ibex GitHub repository** (microsoft/cheriot-ibex) to experiment with and contribute to these memory-safe foundations 【1】.
• Fine of nearly £1m issued against South Staffordshire Plc and South Staffordshire Water Plc following major cyber attack and data breach - Information Commissioner's Office (ICO) 🔍 Show Kagi Synopsis
  **South Staffordshire Plc and South Staffordshire Water Plc** were fined **£963,900** by the ICO following a significant cyber attack that led to the extraction and publication of personal data on the dark web 【1】.
  
  **What Happened:**
  The cyber attack began with a **phishing email** that a recipient opened, allowing malicious software to be installed. This software remained undetected for 20 months. In May 2022, the attacker gained **domain administrator privileges**, the highest level of system access 【1】. This breach resulted in the personal information of **633,887 individuals** being published on the dark web in August 2022 【1】.
  
  **Who is Affected:**
  The attack affected individuals whose personal information was held by South Staffordshire. At the time of the breach, the company held data for approximately **1.85 million customers** (750,000 current and 1.1 million former), as well as **2,791 current employees** and at least **2,298 former employees** 【1】. The published data included:
  - Personal details: full name, physical address, email address, date of birth, gender, and telephone number.
  - Employee information: National Insurance numbers and other HR data.
  - Customer information: account details (including usernames and passwords for online services), bank account numbers, and sort codes.
  - For a small number of customers on the Priority Services Register, information that could reveal disabilities 【1】.
  
  **Security Implications:**
  The ICO's investigation revealed that South Staffordshire failed to implement adequate security controls as required by UK data protection law. Key failures included:
  - **Insufficient access controls**: These allowed the attacker to escalate privileges after gaining initial access 【1】.
  - **Inadequate monitoring and logging**: Only 5% of the IT environment was monitored, preventing the detection of malicious activity 【1】.
  - **Use of obsolete software**: Devices were running unsupported operating systems, such as Windows Server 2003 【1】.
  - **Poor vulnerability management**: This included unpatched critical systems and a lack of regular security scans 【1】.
  
  **Technical Details:**
  The attack vector was a **phishing email** with an attachment that deployed **malicious software**. The attacker exploited weak security controls to gain **domain administrator privileges**. The company's systems were compromised for an extended period (20 months) due to inadequate monitoring and logging, with only **5% of the IT environment being monitored** 【1】. The use of **Windows Server 2003** and unpatched systems highlights significant vulnerabilities 【1】.
  
  **What Defenders Should Know:**
  Organizations are urged to review their cyber resilience and consider the following:
  - **Access Controls**: Ensure users and systems only have access to the resources they absolutely need.
  - **Logging and Monitoring**: Implement comprehensive logging and monitoring across the IT environment and ensure alerts are acted upon.
  - **System Patching and Support**: Regularly update all systems and avoid using legacy or end-of-life software, as it poses a significant risk.
  - **Vulnerability Management**: Integrate regular internal and external security scanning into operational practices 【1】.
• Donuts and Beagles: Fake Claude site spreads backdoor - Sophos X-Ops 🔍 Show Kagi Synopsis
  A cybersecurity campaign has been identified that uses a **fake Claude AI website** to distribute malware, specifically a backdoor dubbed **'Beagle'** 【1】.
  
  **What Happened:**
  Threat actors are employing **malvertising and SEO poisoning** to lure users to a fake Claude AI website (claude-pro\[.\]com) 【1】. This site offers a download for a 'Claude-Pro Relay' product. The downloaded archive contains an MSI installer that, when executed, drops three files into the user's startup folder: a legitimate-looking G DATA updater (NOVupdate.exe), a malicious DLL (avk.dll), and an encrypted data file (NOVupdate.exe.dat) 【1】. The malicious DLL uses a technique called **DLL sideloading** to execute. It decrypts the payload from the data file using a hardcoded XOR key and then runs the resulting **DonutLoader** shellcode 【1】. DonutLoader then deploys the 'Beagle' backdoor 【1】.
  
  **Who is Affected:**
  Users who are tricked into downloading software from the **fake Claude AI website** are affected. This campaign specifically targets individuals who might search for or be enticed by advertisements related to Claude AI.
  
  **Security Implications:**
  The primary security implication is the **compromise of user systems** through the installation of the Beagle backdoor. This backdoor allows attackers to perform various malicious actions, including executing commands, uploading and downloading files, and managing directories on the infected system 【1】. The use of DLL sideloading and an encrypted payload demonstrates a level of sophistication aimed at evading detection.
  
  **Technical Details:**
  - **Distribution Method:** Malvertising and SEO poisoning leading to the fake site claude-pro\[.\]com 【1】.
  - **Initial Payload:** A ZIP archive containing an MSI installer (Claude.msi) 【1】.
  - **Dropped Files:**
  - `NOVupdate.exe` (signed G DATA updater)
  - `NOVupdate.exe.dat` (encrypted data file)
  - `avk.dll` (malicious DLL) 【1】
  - **Exploitation Technique:** DLL sideloading, where `NOVupdate.exe` loads the malicious `avk.dll` 【1】.
  - **Payload Decryption:** The malicious DLL decrypts `NOVupdate.exe.dat` using a hardcoded XOR key: `Qby2RSGkGIHumNrDlbt1OEHV3y2dVh5b` 【1】.
  - **Loader:** DonutLoader shellcode executes the final backdoor 【1】.
  - **Backdoor (Beagle):** Supports commands like `uninstall`, `cmd`, `upload`, `download`, `mkdir`, `rename`, `ls`, `rm` 【1】.
  - **Command and Control (C2):** Communicates with `license[.]claude-pro[.]com` (IP: `8[.]217[.]190[.]58`) over TCP (443) and/or UDP (8080) 【1】.
  
  **What Defenders Should Know:**
  - **Source Verification:** Users should **only download Claude from the legitimate website** and be cautious of sponsored search results or advertisements 【1】.
  - **System Checks:** Administrators should **scan systems for the presence of `NOVupdate.exe`, `avk.dll`, and `NOVupdate.exe.dat`**, particularly within startup folders 【1】.
  - **Network Monitoring:** Monitor network traffic for connections to **`claude-pro[.]com`** and **`license[.]claude-pro[.]com`** (IP address `8[.]217[.]190[.]58`) 【1】.
  - **Awareness:** Be aware that threat actors are using convincing fake websites and social engineering techniques to distribute malware 【1】.