{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cryptography/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":5.3,"id":"CVE-2026-1005"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve","cryptography","memory corruption","aes-gcm"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-1005 describes an integer underflow vulnerability within a Microsoft product\u0026rsquo;s implementation of AES-GCM, CCM, and ARIA-GCM decryption algorithms. This flaw allows an attacker to trigger an out-of-bounds memory access. While the specific product affected is not detailed in the provided source, the vulnerability lies within the cryptographic functions used for data decryption, indicating a potential impact on confidentiality and integrity. Successful exploitation could allow an attacker to execute arbitrary code or disclose sensitive information. Given the widespread use of these encryption algorithms, this vulnerability poses a significant risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a system utilizing the vulnerable Microsoft product and its AES-GCM/CCM/ARIA-GCM decryption implementation.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious input designed to trigger the integer underflow during the decryption process.\u003c/li\u003e\n\u003cli\u003eThe crafted input is sent to the vulnerable system for decryption. This could be via a network protocol, file processing, or other data ingestion method.\u003c/li\u003e\n\u003cli\u003eThe vulnerable decryption routine processes the input, leading to an integer underflow.\u003c/li\u003e\n\u003cli\u003eThe integer underflow results in an out-of-bounds memory access during the decryption operation.\u003c/li\u003e\n\u003cli\u003eThis out-of-bounds memory access allows the attacker to read sensitive data from memory locations outside the intended buffer.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker leverages the out-of-bounds write to overwrite critical data structures or executable code within the process\u0026rsquo;s memory space.\u003c/li\u003e\n\u003cli\u003eIf code is overwritten, the attacker gains arbitrary code execution within the context of the vulnerable process.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-1005 could lead to unauthorized information disclosure, allowing attackers to steal sensitive data that was intended to be protected by encryption. In a more severe scenario, the vulnerability can be leveraged for arbitrary code execution, enabling attackers to gain control over the affected system. The lack of specific product information makes it difficult to quantify the exact number of potential victims, but the vulnerability\u0026rsquo;s presence in widely used cryptographic functions implies a broad impact across various sectors and applications.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for unexpected memory access patterns in processes performing AES-GCM/CCM/ARIA-GCM decryption, using a host-based intrusion detection system (HIDS).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Potential Exploitation of CVE-2026-1005\u0026rdquo; to identify suspicious processes that might be exploiting the vulnerability.\u003c/li\u003e\n\u003cli\u003eApply any available patches or updates released by Microsoft to address CVE-2026-1005 as soon as they are released.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T07:46:18Z","date_published":"2026-04-30T07:46:18Z","id":"/briefs/2024-01-cve-2026-1005/","summary":"CVE-2026-1005 is an integer underflow vulnerability in a Microsoft product that leads to out-of-bounds memory access during AES-GCM/CCM/ARIA-GCM decryption processes, potentially allowing for code execution or information disclosure.","title":"CVE-2026-1005 Integer Underflow in AES-GCM/CCM/ARIA-GCM Decryption","url":"https://feed.craftedsignal.io/briefs/2024-01-cve-2026-1005/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["powershell","cryptography","malware","asyncrat","xworm","vip keylogger"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis threat brief focuses on detecting suspicious PowerShell activity involving the System.Security.Cryptography namespace, excluding common hashing algorithms like SHA and MD5. The detection leverages Windows PowerShell Script Block Logging (EventCode 4104) to identify scripts using cryptographic functions. This is significant because malware often uses cryptography to decrypt or decode additional malicious payloads, which can lead to further code execution, privilege escalation, or persistence within the compromised environment. The technique is commonly used by malware families like AsyncRAT, XWorm, and VIP Keylogger. Defenders should investigate the parent process of such scripts, the decrypted data, network connections established by the script, and the user context in which the script is executed.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system, possibly through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a PowerShell script on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script utilizes the \u003ccode\u003eSystem.Security.Cryptography\u003c/code\u003e namespace to perform cryptographic operations.\u003c/li\u003e\n\u003cli\u003eThe script decrypts or decodes a malicious payload (e.g., a second-stage executable or configuration file).\u003c/li\u003e\n\u003cli\u003eThe decrypted payload is written to disk or loaded directly into memory.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the decrypted payload, potentially establishing persistence via registry keys or scheduled tasks.\u003c/li\u003e\n\u003cli\u003eThe malware leverages the established persistence mechanism for long-term access.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious actions such as data exfiltration, lateral movement, or remote command execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to bypass security measures by hiding malicious code within encrypted payloads. This can lead to data theft, system compromise, and further propagation within the network. Malware families like AsyncRAT, XWorm, and VIP Keylogger use this technique to maintain persistence and perform malicious activities undetected. The impact can range from individual workstation compromise to large-scale data breaches depending on the attacker\u0026rsquo;s objectives and the compromised system\u0026rsquo;s role within the organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging on all endpoints to generate the necessary logs (EventCode 4104) for detection.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious PowerShell Cryptography Namespace Usage\u003c/code\u003e to your SIEM to detect the described activity.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by examining the parent process, decrypted data, network connections, and the user executing the script.\u003c/li\u003e\n\u003cli\u003eReview and tune the Sigma rule \u003ccode\u003eDetect Suspicious PowerShell Cryptography Namespace Usage\u003c/code\u003e based on your environment\u0026rsquo;s specific needs and known-good PowerShell usage to reduce false positives.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unsigned or untrusted PowerShell scripts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:00:00Z","date_published":"2024-01-03T18:00:00Z","id":"/briefs/2024-01-powershell-cryptography/","summary":"The analytic detects suspicious PowerShell script execution involving the cryptography namespace (excluding SHA and MD5) via EventCode 4104, often associated with malware that decrypts or decodes additional malicious payloads leading to further code execution, privilege escalation, or persistence.","title":"Suspicious PowerShell Script Using Cryptography Namespace","url":"https://feed.craftedsignal.io/briefs/2024-01-powershell-cryptography/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["openssl"],"_cs_severities":["high"],"_cs_tags":["openssl","buffer-overflow","rust","cryptography"],"_cs_type":"advisory","_cs_vendors":["OpenSSL"],"content_html":"\u003cp\u003eThe \u003ccode\u003erust-openssl\u003c/code\u003e crate, specifically the \u003ccode\u003eDeriver::derive\u003c/code\u003e and \u003ccode\u003ePkeyCtxRef::derive\u003c/code\u003e functions, is vulnerable to a heap/stack overflow when used in conjunction with OpenSSL version 1.1.x. This occurs because the \u003ccode\u003eEVP_PKEY_derive\u003c/code\u003e function in OpenSSL 1.1.x fails to properly validate the input buffer length when used with X25519, X448, DH, and HKDF-extract. These key derivation functions unconditionally write the full shared secret (32/56/prime-size bytes) regardless of the buffer size provided by the caller, leading to a buffer overflow if the provided slice is too small. This vulnerability affects rust-openssl versions \u0026gt;= 0.9.27 and \u0026lt; 0.10.78. This vulnerability is mitigated in OpenSSL 3.x because the providers check buffer length.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious application using the \u003ccode\u003erust-openssl\u003c/code\u003e crate.\u003c/li\u003e\n\u003cli\u003eThe application uses \u003ccode\u003eDeriver::derive\u003c/code\u003e or \u003ccode\u003ePkeyCtxRef::derive\u003c/code\u003e with an X25519, X448, DH, or HKDF-extract key agreement algorithm.\u003c/li\u003e\n\u003cli\u003eThe application provides a buffer smaller than the expected output size of the key derivation function (32 bytes for X25519, 56 bytes for X448, prime-size bytes for DH).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eEVP_PKEY_derive\u003c/code\u003e function in OpenSSL 1.1.x is called without proper buffer length validation.\u003c/li\u003e\n\u003cli\u003eThe key derivation function writes the full shared secret to the undersized buffer.\u003c/li\u003e\n\u003cli\u003eA heap or stack buffer overflow occurs, overwriting adjacent memory.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the application\u0026rsquo;s execution flow.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code on the target system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to arbitrary code execution within the context of the vulnerable application. This could allow an attacker to gain complete control of the affected system. The number of victims depends on the prevalence of vulnerable \u003ccode\u003erust-openssl\u003c/code\u003e versions being used with OpenSSL 1.1.x. Sectors that rely on \u003ccode\u003erust-openssl\u003c/code\u003e for cryptographic operations are at higher risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003erust-openssl\u003c/code\u003e crate to version \u0026gt;= 0.10.78 to patch the vulnerability (see Overview).\u003c/li\u003e\n\u003cli\u003eIf upgrading \u003ccode\u003erust-openssl\u003c/code\u003e is not immediately feasible, ensure that OpenSSL is upgraded to version 3.x, where the buffer length is checked (see Overview).\u003c/li\u003e\n\u003cli\u003eImplement runtime checks to validate buffer lengths before calling \u003ccode\u003eDeriver::derive\u003c/code\u003e and \u003ccode\u003ePkeyCtxRef::derive\u003c/code\u003e when using X25519, X448, DH, or HKDF-extract (see Attack Chain).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect potential exploitation attempts (see Rules).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-openssl-overflow/","summary":"The rust-openssl crate's `Deriver::derive` and `PkeyCtxRef::derive` functions can cause heap/stack overflows when used with OpenSSL 1.1.x due to insufficient buffer length validation in X25519, X448, DH, and HKDF-extract, affecting rust-openssl versions \u003e= 0.9.27 and \u003c 0.10.78.","title":"Heap/Stack Overflow in rust-openssl with OpenSSL 1.1.x","url":"https://feed.craftedsignal.io/briefs/2024-01-03-openssl-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":5.9,"id":"CVE-2018-0735"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["ecdsa","timing-attack","cryptography"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2018-0735 describes a timing attack vulnerability affecting the Elliptic Curve Digital Signature Algorithm (ECDSA) implementation within certain Microsoft products. Successful exploitation of this vulnerability could allow a remote attacker to recover the private key used to generate digital signatures. The vulnerability stems from the time it takes to generate signatures, which varies in ways predictable to an attacker. ECDSA is commonly used for authentication and encryption, making this a serious concern. While the specific affected products are not detailed without enabling JavaScript on the source webpage, the vulnerability has the potential to impact various applications and services that rely on Microsoft\u0026rsquo;s ECDSA implementation for cryptographic operations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eDue to limited information from the source, a detailed attack chain is not available. However, a general ECDSA timing attack would involve the following steps:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a target system or application utilizing a vulnerable ECDSA implementation from Microsoft.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a series of signature requests, potentially through legitimate or malicious channels depending on the application.\u003c/li\u003e\n\u003cli\u003eThe attacker measures the time taken to generate each signature with high precision.\u003c/li\u003e\n\u003cli\u003eThe attacker performs statistical analysis on the timing data, looking for correlations between the timing and the secret nonce value used during signature generation.\u003c/li\u003e\n\u003cli\u003eThrough repeated signature requests and timing analysis, the attacker reconstructs the secret nonce value used in multiple signature generations.\u003c/li\u003e\n\u003cli\u003eOnce the attacker obtains sufficient nonce values and corresponding signatures, they can recover the private key used for signing.\u003c/li\u003e\n\u003cli\u003eWith the private key, the attacker can forge signatures, impersonate the legitimate entity, and potentially gain unauthorized access to sensitive data or systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2018-0735 could allow an attacker to recover the private key used for ECDSA signature generation. This could lead to a complete compromise of trust, as the attacker can forge signatures and impersonate the legitimate entity. The impact would vary depending on the specific application, but potential consequences include unauthorized access to systems, data breaches, and the ability to install malware or conduct man-in-the-middle attacks. The number of affected systems would depend on the widespread use of the vulnerable ECDSA implementation within Microsoft products.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eConsult Microsoft\u0026rsquo;s Security Update Guide (\u003ca href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2018-0735\"\u003ehttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2018-0735\u003c/a\u003e) for specific affected products and available patches to mitigate CVE-2018-0735.\u003c/li\u003e\n\u003cli\u003eAlthough a specific network IOC is unavailable, monitor network traffic for unusual patterns or high volumes of signature requests originating from single sources to potentially detect reconnaissance activity related to timing attacks.\u003c/li\u003e\n\u003cli\u003eEnable detailed logging of cryptographic operations to enable investigation in case of suspicion of private key compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-ecdsa-timing-attack/","summary":"CVE-2018-0735 is a timing attack vulnerability in ECDSA signature generation affecting Microsoft products, potentially allowing attackers to recover private keys.","title":"CVE-2018-0735 ECDSA Signature Generation Timing Attack","url":"https://feed.craftedsignal.io/briefs/2024-01-ecdsa-timing-attack/"}],"language":"en","title":"CraftedSignal Threat Feed — Cryptography","version":"https://jsonfeed.org/version/1.1"}