push(@fediverse, "Adversarial Engineer"); # i hack in Perl
Research project on "Practical detections for telecoms" signed off yesterday.
Looking forward to working with our partners on documenting achievable approaches to gathering security telemetry in the transport, core and radio access domains.
One I'm particularly interested in is how we can make better use of NetFlow for signalling.
Talked about my categorisation work on existing TI and RT reporting as well as development of detection use cases in the firewall, AAA, MPLS and telecom signalling (SS7, GTP, Diameter) domains. We looked at categorisation, behaviour prediction and anomaly detection.
Interesting links of the week:
Strategy:
* https://www.enisa.europa.eu/publications/the-eu-cybersecurity-index-2024 - EU's 2024 cyber security index
* https://assets.publishing.service.gov.uk/media/67cad8b18c1076c796a45c25/Cyber_Security_Sectoral_Analysis_Report_2025.pdf - HMG cyber security sectoral analysis 2025
* https://www.nao.org.uk/wp-content/uploads/2025/01/government-cyber-resilience.pdf - NAO paper on making UK more resilient
* https://www.ncsc.gov.uk/collection/security-principles-protecting-most-sensitive-personal-information-in-datasets - NCSC ideas on protecting data
* https://www.wired.com/story/how-to-protest-safely-surveillance-digital-privacy/ - protest early, protest safely, protest often
Threats:
* https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/umbrella-stand/ncsc-mar-umbrella_stand.pdf - NCSC exposes UMBRELLA STAND
* https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/shoe-rack-tipper/ncsc-tip-shoe_rack.pdf - ... and SHOE RACK
* https://cloud.google.com/blog/topics/threat-intelligence/creative-phishing-academics-critics-of-russia - GOOG reports on how Russia is targetting academics
Exploitation:
* https://sud0ru.ghost.io/windows-inter-process-communication-a-deep-dive-beyond-the-surface-part-4/ - a nice set of posts on Windows IPC's attack surface
* https://eprint.iacr.org/2025/1042 - whacking Falcons with a hammer
* https://forums.oracle.com/ords/r/apexds/community/q?question=interpositioning-in-java-2701 - had your caffeine? seamlessly injecting into Java
Hard hacks:
* https://skemman.is/handle/1946/50456 - emulating icey routers
Hardening:
* https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html - calling cc safely
* https://spiffe.io/docs/latest/spiffe-about/community-presentations/ - better authentication primitives for bots
* https://workos.com/blog/mcp-authorization-in-5-easy-oauth-specs - bring OAuth to MCP
Nerd:
* https://www.metoffice.gov.uk/forms/name-our-storms-call-for-names - so you want to work in marketing for storms
* https://activitypub.academy - so you want to learn about how the Fediverse works?
I was doing some Googling and it looks like people have been playing with CVE => technique in one form or another since about 2017.
Early precursor of mine from 2020:
https://gist.github.com/timb-machine/46d0a81c4f6ff6249371806531740366
Interesting Git repos of the week:
Strategy:
* https://github.com/timb-machine/security-research-governance-toolkit - I started releasing Portcullis' old security research governance toolkit
Detection:
* https://github.com/sandflysecurity/sandfly-forensic-scripts - @SandflySecurity have release scripts for collecting Linux artefacts
Exploitation:
* https://github.com/stealth/injectso - @steaith demonstrates how to inject .so files into running processes at will
* https://github.com/NeffIsBack/wsuks - have you ever wanted to MITM WSUS?
Data:
* https://github.com/public-api-lists/public-api-lists - does what it says on the tin
Development:
* https://github.com/sapdragon/syscalls-cpp - headers for direct syscall invocation
Interesting links of the week:
Strategy:
* https://www.enisa.europa.eu/publications/the-eu-cybersecurity-index-2024 - EU's 2024 cyber security index
* https://assets.publishing.service.gov.uk/media/67cad8b18c1076c796a45c25/Cyber_Security_Sectoral_Analysis_Report_2025.pdf - HMG cyber security sectoral analysis 2025
* https://www.nao.org.uk/wp-content/uploads/2025/01/government-cyber-resilience.pdf - NAO paper on making UK more resilient
* https://www.ncsc.gov.uk/collection/security-principles-protecting-most-sensitive-personal-information-in-datasets - NCSC ideas on protecting data
* https://www.wired.com/story/how-to-protest-safely-surveillance-digital-privacy/ - protest early, protest safely, protest often
Threats:
* https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/umbrella-stand/ncsc-mar-umbrella_stand.pdf - NCSC exposes UMBRELLA STAND
* https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/shoe-rack-tipper/ncsc-tip-shoe_rack.pdf - ... and SHOE RACK
* https://cloud.google.com/blog/topics/threat-intelligence/creative-phishing-academics-critics-of-russia - GOOG reports on how Russia is targetting academics
Exploitation:
* https://sud0ru.ghost.io/windows-inter-process-communication-a-deep-dive-beyond-the-surface-part-4/ - a nice set of posts on Windows IPC's attack surface
* https://eprint.iacr.org/2025/1042 - whacking Falcons with a hammer
* https://forums.oracle.com/ords/r/apexds/community/q?question=interpositioning-in-java-2701 - had your caffeine? seamlessly injecting into Java
Hard hacks:
* https://skemman.is/handle/1946/50456 - emulating icey routers
Hardening:
* https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html - calling cc safely
* https://spiffe.io/docs/latest/spiffe-about/community-presentations/ - better authentication primitives for bots
* https://workos.com/blog/mcp-authorization-in-5-easy-oauth-specs - bring OAuth to MCP
Nerd:
* https://www.metoffice.gov.uk/forms/name-our-storms-call-for-names - so you want to work in marketing for storms
* https://activitypub.academy - so you want to learn about how the Fediverse works?
Example of the output:
https://gist.github.com/timb-machine/393a799e6d6b13a7789133d441280c49
This is now a thing. I spent some time developing the idea into predictive analytics last night.
No surprise that they've been on Warp.
Fun fact, they used to run a BBS.
Can't remember who recommended them, but really enjoying The Black Dog:
https://en.wikipedia.org/wiki/The_Black_Dog_(band)
Old school techno and ambient from Sheffield.
Today's unrelated discovery... we have trees on our property with preservation orders ❤️ .
Was somewhat amused that the new one forces everyone to have different alarm codes. Not sure telling people that the code is already in use makes too much sense but \o/.
Spent the day installing a new security system for my Mum. I wish I'd known earlier that the old one was on 433MHz. She was somewhat horrified with what I could do with it.
God sighed...
"echo 'DELETE USER trump; DROP TABLE earth_v7686786' | mysql; sync && sync && reboot" they typed.
And the experiment was over, LLMs didn't make good Presidents of any world, free or otherwise.
"%SecureBoot-A-board_type: Secure boot - Board detected as a DEVELOPMENT board. Images signed with a DEVELOPMENT KEY are supported on this board" 👀
Interesting links of the week:
Strategy:
* https://www.gov.uk/government/publications/the-strategic-defence-review-2025-making-britain-safer-secure-at-home-strong-abroad - HMG strategic defence review
* https://gitlab.gnome.org/GNOME/libxml2/-/issues/913 - libxml2 vulnerability disclosure takes a new twist
* https://www.ncsc.gov.uk/report/impact-ai-cyber-threat-now-2027 - NCSC look at the impact of AI
* https://www.ncsc.gov.uk/blog-post/sausages-incentives-rewarding-resilient-technology-future - is modern tech just a sausage fest?
* https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202501190 - EU details the TLPT approach you should be adopting as part of DORA
Detection:
* https://cradle.sh/ - FOSS TI platform with orchestration
* https://www.cisa.gov/sites/default/files/2024-08/Federal_Government_Cybersecurity_Incident_and_Vulnerability_Response_Playbooks_508C.pdf - SOC playbooks for IR and VA
* https://www.bluevoyant.com/knowledge-center/top-8-incident-response-plan-templates - sample IR plans
* https://www.incidentresponse.com/mini-sites/playbooks/ - sample IR playbooks
Bugs:
* https://www.synacktiv.com/en/publications/exploiting-the-tesla-wall-connector-from-its-charge-port-connector - attacking a Tesla by abusing charging protocols
* https://coderush.me/hydroph0bia-part1/ - defeating SecureBoot from @CodeRush
* https://blog.redteam-pentesting.de/2025/reflective-kerberos-relay-attack/ - reflections on trusting KRB5 from @RedTeamPentesting
* https://proofnet.de/publikationen/konsole_rce.html - yay, someone has poked KDE's IO slaves once more
* https://labs.watchtowr.com/is-b-for-backdoor-pre-auth-rce-chain-in-sitecore-experience-platform/ - @watchtowrcyber poke SiteCore
Exploitation:
* https://perldoc.perl.org/perlsec#Algorithmic-Complexity-Attacks - attacking Perl
* https://blog.trailofbits.com/2025/06/17/unexpected-security-footguns-in-gos-parsers/ - shooting yourself in the foot with Go
Hard hacks:
* https://www.openpa.net/qemu_pa-risc_emulation.html#configuration - emulating PA-RISC
* https://research.birmingham.ac.uk/en/publications/simurai-slicing-through-the-complexity-of-sim-card-security-resea - beware the SIM in your pocket
Hardening:
* https://www.ainfosec.com/tnok-next-generation-port-security - knock, knock, who is there?
The aliens who mined the far side of the moon were kind of apologetic when we called them on it. In their words “If you liked it, you should have put a base on it”.
We’re out the ore, but their planet has become a lucrative fan of our pop music.
Interesting Git repos of the week:
Detection:
* https://github.com/hdm/ctail - tail CA transparency logs with @hdm
* https://github.com/sgInnora/sharpeye - another Linux EDR
* https://github.com/HullaBrian/COMmander - enrich Windows RPC events
Exploitation:
* https://github.com/e-ago/bitcracker - BitLocker cracker
* https://github.com/Moopinger/smugglefuzz - HTTP downgrade fuzzer
* https://github.com/Ignitetechnologies/Windows-Privilege-Escalation - Windows LPE playbook
* https://github.com/giuliano108/SeBackupPrivilege - elevate/collect via SeBackupPrivilege
* https://github.com/adgaultier/caracal - sneaky bees
* https://github.com/v-p-b/xer - encoding h3x with @buherator
Hard hacks:
* https://github.com/zhuowei/cheese - PoC for CVE-2025-21479, affecting Adreno A7xx (Snapdragon 8 Gen 1 / XR2 Gen 2 and newer) devices
* https://github.com/tomasz-lisowski/simurai - evaluate SIM card security
As usual, @haxrob's reporting on Linux malware really is excellent:
* https://haxrob.net/bpfdoor-past-and-present-part-1/
* https://haxrob.net/bpfdoor-past-and-present-part-2/
More proof if it were needed that Linux targetting threat actors have been hanging around for the last decade or two but largely avoided the limelight.
