Last Week in Security - 2024-07-08

We're Hiring!

Immediate Open Positions:

Maryland Applicants:

• We have openings for a Technical Writer, Red Team Operator, Red Team Operator Infrastructure Engineer, Red Team Operator Tool Developer, Systems Engineer, HPC Software Engineer, Information Systems Security Engineer, Cyber Operator Developer Analyst (CODA), Senior Data Analyst and Earned Value Management Specialist.

Virginia Applicants:

• Available opportunities: Land and Expeditionary Warfare Specialist, Cyber Warfare Threat Analyst, and Cyber Network Operator.

For more open positions visit: https://www.sixgen.io/careers

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools, and exploits from the past week. This post covers 2024-07-01 to 2024-07-08.

News

• regreSSHion: Remote Unauthenticated Code Execution Vulnerability in OpenSSH server - Qualys has discovered a Remote Code Execution vulnerability in OpenSSH’s server that allows unauthenticated remote code execution on glibc-based Linux systems. The vulnerability affects over 14 million potentially vulnerable OpenSSH server instances exposed to the Internet. Qualys has developed an exploit for the vulnerability, but has not released it to allow time for patches to be applied. Organizations are urged to apply available patches for OpenSSH, limit SSH access, and monitor for unusual activities to mitigate the risk.

• Juniper Networks Release Emergency Patches for Router Vulnerabity - Juniper Networks has issued emergency patches for a critical vulnerability affecting their routers. The authentication bypass bug, known as CVE-2024-2973, allows attackers to take full control of the device. Users are advised to apply the patches as soon as possible to prevent potential disruptions. The vulnerability affects certain versions of Juniper's Smart Session Router, Session Smart Conductor, and WAN Assurance Routers.

• 2024-06: Out-Of-Cycle Security Bulletin: (CVE-2024-2973) - The CEC Juniper Community is a group of individuals who come together to support and engage with each other. They have a shared interest in the Juniper platform and offer resources, forums, and events for members to connect and learn from one another. The community aims to foster collaboration and knowledge sharing among its members.

• Security Alert: Update to the Authy Android (v25.1.0) and iOS App (v26.1.0) - Twilio has detected a security issue that allowed threat actors to access data associated with Authy accounts, such as phone numbers. While there is no evidence that sensitive data was accessed, as a precaution, all Authy users are advised to update to the latest Android and iOS apps for security updates. Twilio apologizes for the incident and urges users to remain vigilant against potential phishing attacks. If users cannot access their Authy account, they are advised to contact Authy support for assistance.

• Ticketmaster Hackers Release Stolen Ticket Barcodes for Taylor Swift Eras Tour - Ticketmaster hackers have released stolen ticket barcodes for Taylor Swift's Eras Tour, offering them for free on a stolen data site. The hackers have threatened to release more user information and event barcodes unless they are paid $2 million. Ticketmaster may face financial losses and reputational damage as a result of the breach, and fans are advised not to use the stolen tickets. It is recommended to check for personal information exposure from previous data breaches.

• Ovhcloud Hit with Record 840 Million - French cloud computing firm OVHcloud faced a massive DDoS attack in April 2024, reaching a record-breaking 840 million packets per second. The attack was a combination of a TCP ACK flood and a DNS reflection attack. The company has observed an uptick in DDoS attacks in terms of both frequency and intensity, with many originating from compromised MikroTik routers. This poses a significant challenge to anti-DDoS infrastructures and highlights the need for strong cybersecurity measures.

• Hackers Stole Secrets from OpenAI - In 2023, a hacker accessed OpenAI’s internal messaging systems, stealing details about AI technology designs but not the code. The breach, disclosed to employees and the board but not publicly, raised concerns about security and potential foreign threats, especially from China. OpenAI addressed the issue internally and established a Safety and Security Committee. Despite these concerns, experts argue that current AI technologies do not pose significant national security risks.

• Cloudflare 1.1.1.1 incident on June 27, 2024 - On June 27, 2024, Cloudflare's 1.1.1.1 DNS resolver service experienced an incident where it was unreachable or degraded for a small number of users globally. The incident was caused by a combination of BGP hijacking and a route leak, impacting over 300 networks in 70 countries. Cloudflare is taking steps to improve detection methods and encourage adoption of RPKI-based hijack and leak prevention mechanisms. The incident highlighted the importance of following BGP best practices and implementing measures like RPKI origin validation and AS path validation to prevent similar incidents in the future.

Techniques and Write-ups

• CVE-2024-5806 - CVE-2024-5806 is an authentication bypass vulnerability in a Progress MOVEit Transfer SFTP module. It allows attackers to bypass authentication and gain unauthorized access to files on the server. The vulnerability affects multiple versions of MOVEit Transfer, and exploitation has been observed in the wild. An analysis of the vulnerability shows how an attacker can exploit it by manipulating the SSH protocol to authenticate with an empty username and then switch to a valid username during the authentication process. The vendor has released patches for affected versions, and users are advised to apply the updates promptly.

• CVE-2024-27292: docAssembling Exploits for RCE - This post discusses CVE-2024-27292 in Docassemble, revealing a path traversal vulnerability that allows for remote code execution, privilege escalation, and template injection. The vulnerability was identified in the unauthenticated routes of the application, allowing access to sensitive files and secrets. The author, Riyush Ghimire, details the exploitation steps and provides recommendations for updating Docassemble to prevent unauthorized access to sensitive information.

• Evading Event Tracing for Windows (ETW)-Based Detections - This blog post explores techniques to evade event tracing for Windows (ETW)-based detections, focusing on the mechanisms of ETW, its components, and how it was created to diagnose system issues in Windows. It delves into evasion techniques such as tampering with ETW providers, hijacking ProcMon session, flooding the ETW sensors, and patching ETW functions. The post also discusses the challenges and intricacies of patching ETW functions to alter their behavior, ultimately aiming to bypass endpoint detection systems (EDR). The techniques demonstrated include modifying trace sessions, interfering with event log capturing, and applying function patches in memory to evade detection.

• Getting Unauthenticated Remote Code Execution on the Logsign Unified SecOps Platform - The Trend Micro Zero Day Initiative acquired vulnerabilities in the Logsign Unified SecOps Platform reported by Mehmet INCE from PRODAFT.com, leading to unauthenticated remote code execution. One vulnerability allows authentication bypass through a flaw in the password reset mechanism, while another enables post-auth command injection. By combining these vulnerabilities, attackers can execute arbitrary code and gain pre-auth code execution. Logsign has since patched these vulnerabilities, highlighting the importance of addressing post-authentication bugs and the risks of implementing custom authentication mechanisms.

• GitHub Actions exploitation: untrusted input - The article discusses GitHub Actions exploitation through untrusted input, outlining three common misconfigurations that can lead to gaining write access to a repository or extracting sensitive secrets. It provides real-world examples from projects like Microsoft, FreeRDP, AutoGPT, Excalidraw, Apache, and others. The vulnerabilities involve manipulating the GitHub context, exploiting artifact data, and running malicious code through workflows triggered by external sources.

• The Dangers of Transition Mode - The introduction of WPA3 has enhanced wireless network security by introducing the Simultaneous Authentication of Equals (SAE) model to replace the vulnerable Pre-Shared Key (PSK) method used in WPA2. However, a potential security risk was identified in the transition mode where both WPA2 and WPA3 were advertised, allowing for attacks on the WPA2 network. Recommendations were made to disable transition mode if WPA2 is no longer needed and to use strong passwords to mitigate attacks on captured WPA2 handshakes.

• Major Security Flaws in Mailcow - Major security flaws in Mailcow, specifically XSS and Path Traversal exploits (CVE-2024-31204 and CVE-2024-30270), allow attackers to inject code, hijack sessions, and execute commands. The vulnerabilities originate from inadequate input sanitization and validation within Mailcow's codebase. By addressing these vulnerabilities and implementing recommended security measures, Mailcow can enhance its resilience against potential threats and safeguard user data effectively. The analysis also includes a proof of concept exploit script to demonstrate how attackers can exploit these vulnerabilities and compromise Mailcow instances.

• The Way of the Hunter: Defining an ad hoc EDR evaluation methodology - An evaluation methodology for Endpoint Detection and Response (EDR) solutions, focusing on telemetry, query language, administrative tools, API accessibility, user interface, and MITRE Engenuity results. This methodology aims to assess the quality of EDR solutions for supporting their Threat Hunting model, with a focus on proactive cybersecurity measures.

• Shadow Linking: The Persistence Vector of SaaS Identity Threat - Obsidian Security has identified a new persistence attack vector called Shadow Linking, which allows threat actors to gain access to SaaS accounts via OIDC login. This poses significant challenges for individuals and organizations using popular SaaS applications. The research outlines vulnerabilities in applications' reliance on email addresses for identification, lack of 2FA enforcement, and insufficient verification processes. Recommendations are provided for developers, end-users, IT administrators, and Identity Service Providers to mitigate the risks associated with Shadow Linking and enhance SSO security.

• Becoming a Red Teamer - To become a Red Teamer, it is recommended to build a solid foundation in networking, Linux systems, Windows systems, and programming languages such as C# and Python. After establishing a strong foundation, one should work on pentesting skills by practicing with tools like HackTheBox and learning from resources like IppSec. Additionally, it is important to become familiar with Red Team tools like Covenant and Empire for stealth engagements. Specialized training and certifications such as Red Team Ops I & II can help further advance one's career in Red Teaming, with options to specialize in areas like Malware Development or general pentesting. Paid training options from organizations like SANS Institute can also be beneficial for advanced skills development. Hard work and dedication are key to success in this field.

• Securing Developer Tools: Unpatched Code Vulnerabilities in Gogs (1/2) - The article discusses unpatched vulnerabilities in the Gogs open-source source code hosting platform, including argument injection and deletion of internal files. Recommendations are provided to protect Gogs instances, including disabling the built-in SSH server, disabling user registration, and applying patches. The blog post also highlights the technical details of one vulnerability (CVE-2024-39930) and provides guidance on how to detect potential attacks. The upcoming article in the series will cover more details on the remaining vulnerabilities.

• Tales From the Incident Response Cliff Face - This case study highlights a ransomware attack on a European product manufacturing and distribution company, detailing the attack's progression, including initial access, privilege escalation, and lateral movement. The incident response team swiftly countered the threats and implemented security measures to secure the environment. Key takeaways include enforcing MFA, consistent deployment of EDR solutions, active directory assessments, and strong password policies to protect against ransomware attacks.

• Path traversal in yt-dlp leading to RCE - A path traversal vulnerability in yt-dlp, identified as GHSL-2024-090 and assigned CVE-2024-38519, allows for remote code execution on Windows systems when downloading videos with subtitles from crafted links. The vulnerability arises from its failure to validate the subtitle extension name, potentially enabling arbitrary binary file overwrite. Exploitation requires the manipulation of subtitle extension names in supported websites or the use of URL smuggling to trick users into downloading malicious content. The issue was reported by GHSL team member @JarLob and has since been addressed with a fix.

• Exploiting Cloud Secrets Management Repositories - The blog discusses the importance of properly securing cloud secrets management repositories, such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, and HashiCorp Vault, to protect sensitive information like passwords and API keys. Adversaries often target these repositories to gain unauthorized access, and the blog highlights strategies to mitigate such threats, including limiting access, enforcing encryption, and monitoring activities for suspicious behavior. Various APT groups, like LUCR-3 and SCARLETEEL, are mentioned as examples of attackers exploiting cloud secrets for malicious purposes.

• Like Shooting Phish in a Barrel - Link crawlers, also known as "protected links," are email controls that replace links in emails with links to their own web server to check for malicious content before allowing users to access the original link. This can be frustrating for end users and can make it difficult to detect masked links. However, there are ways to bypass link crawlers, such as using CAPTCHAs, browser fingerprinting, or blocking certain autonomous system numbers. By collecting data on click times and other factors, it's possible to detect and bypass link crawlers effectively.

• Modern Cryptographic Attacks: A Guide for the Perplexed - In this podcast episode, Check Point Research discusses modern cryptographic attacks and their implications for security. The episode aims to demystify these complex attacks by breaking them down into simple terms. It covers various types of attacks, including meet-in-the-middle attacks, differential cryptanalysis, side channel attacks, and attacks on RSA. The goal is to make these advanced attacks more accessible and understandable to a wider audience, emphasizing the importance of staying informed about evolving security threats.

• RoguePuppet – A Critical Puppet Forge Supply Chain Vulnerability - Adnan Khan discovered a critical vulnerability in the Puppet Forge supply chain, which could have allowed an attacker access to core infrastructure in thousands of companies worldwide. The vulnerability was exploited through GitHub Actions misconfigurations, allowing an attacker to obtain the API key used by Puppet to push official modules. Khan used a tool called Gato-X to detect the vulnerability at scale and reported it to Puppet Labs, who mitigated the issue and added new API tokens to repositories.

• Traeger Grill D2 Wi-Fi Controller, Version 2.02.04 - A recent report by Bishop Fox details vulnerabilities found in the Traeger Grill D2 Wi-Fi Controller, including insufficient authorization controls and sensitive information disclosure. Traeger has released firmware updates to address these vulnerabilities and Bishop Fox recommends turning off grills when not in use.

• Product Security Review Methodology for Traeger Grill Hack - Bishop Fox staff were able to interact with the device, monitor its boot logs, and issue commands to the grill. This research highlights the importance of thorough product security reviews for safeguarding IoT devices and underscores Bishop Fox's commitment to protecting connected environments.

• EDRPrison: Borrow a Legitimate Driver to Mute EDR Agent - The article discusses a technique called EDRPrison that aims to evade EDR products by using a network connection-based evasion method. The technique involves using a legitimate driver to mute EDR agents and prevent them from sending telemetry data to the cloud. By intercepting and filtering packets initiated by EDR processes, EDRPrison can avoid triggering alerts on the EDR management panel, maintaining the appearance of online and healthy endpoints. The article also covers potential detections and mitigations against EDRPrison, as well as suggestions for red teamers to subvert these detection methods.

• The Rise of Packet Rate Attacks: When Core Routers Turn Evil - The article discusses the rise of packet rate attacks, particularly targeting core routers, which have become more frequent and intense since the beginning of 2023. These attacks aim to overwhelm the packet processing engines of networking devices close to the destination, impacting network infrastructure and causing collateral damage. The attacks are often generated by compromised MikroTik routers, exposing vulnerabilities in their RouterOS software. The article also explores the potential capacity of a botnet leveraging these compromised devices, highlighting the need for improved security measures for network devices.

• Malware development trick 42: Stealing data via legit Discord Bot API. Simple C example. - This article discusses a malware development trick involving stealing data using the legitimate Discord Bot API, with a simple C example provided. The process involves creating a Discord application and bot user with full permissions, obtaining a token, and sending messages to a Discord channel using the API. The example code demonstrates how to send system information to a Discord channel, and the author advises caution and ethical use of these techniques.

• The Complete Guide To Okta Authentication Policies - The Complete Guide to Okta Authentication Policies by Rezonate provides comprehensive information on using Okta's authentication policies to enhance identity security posture. It covers setting up authentication policies, global session policies, and application authentication policies in depth. The guide emphasizes the importance of proper configuration and continuous effort to protect identities against potential threats, with a focus on proactive security measures and threat detection.

• Path traversal in youtube-dl leading to RCE - The GHSL-2024-089 report details a path traversal vulnerability in youtube-dl that allows for arbitrary file overwrite and potential remote code execution on Windows systems when downloading video subtitles from a crafted link. The issue was reported to the maintainer on May 24, 2024, and a fix was released before the advisory was published on July 3, 2024. An attacker could exploit this vulnerability by tricking a user to download a video with subtitles from a compromised website or using URL smuggling to download files from attacker-controlled sites.

• Identity Providers for Red Teamers - Adam Chester [SO-CON 2024] (Video) - Users are being prompted to update their browser as it is no longer supported. Updating the browser will provide the best experience and access to the latest features on YouTube. The reminder to update later is also available for users, and the prompt is from Google LLC.

• How Cloud Migration is Affecting AppSec – A Red Teamer’s Perspective - Cloud migration is affecting application security (AppSec), particularly from the perspective of a red teamer. In traditional setups, on-premise applications are firewalled off from the public internet, limiting the impact of compromises. However, with cloud-hosted applications, there are more vulnerabilities and attack vectors due to less well understood cloud environments and the ability to access metadata services. This can lead to greater security concerns and a need for more robust AppSec measures in the cloud.

• Lyrica: Pentesting Cisco IOS - The article discusses various attacks on Cisco routers, focusing on Cisco IOS vulnerabilities and the demonstrations of exploiting them. The attacks include pentesting Cisco IOS using Metasploit, exploiting vulnerabilities in Cisco IOS XE Web UI, demonstrating CVE-2023-20273 and CVE-2023-20198 exploitation, evading RA Guard, identifying Cisco IOS versions, exploiting insecure password hashing methods, attacks on protocols like HSRP, GLBP, and EIGRP, and extracting router configurations using SNMP RW strings. For security professionals, tools like Loki, onesixtyone, and CCAT are recommended for network security analysis and monitoring.

• Dissecting GootLoader With Node.js - This article discusses how GootLoader malware evades analysis using anti-analysis techniques and delays its malicious actions. It demonstrates how to use Node.js debugging in Visual Studio Code to analyze GootLoader JavaScript files. By stepping through the code, researchers can uncover the obfuscated malicious code and understand the evasion techniques used by GootLoader.

• Vulnerabilities in PanelView Plus devices could lead to remote code execution - Microsoft discovered and disclosed two vulnerabilities in Rockwell Automation PanelView Plus devices that could allow unauthenticated attackers to remotely execute code and perform denial-of-service attacks. The vulnerabilities involve custom classes in the devices that can be exploited for these purposes. Microsoft shared the findings with Rockwell Automation, who released security patches to address the vulnerabilities. Organizations are advised to apply these patches and take additional measures to protect their devices from potential attacks.

• TruffleHog Scans Deleted Git Branches - TruffleHog is a tool that scans deleted Git branches for secrets and sensitive data that may still be exposed. Recently, it was updated to detect secrets in deleted commits, including those in deleted branches that were squashed and merged. This update allows TruffleHog to identify security risks that were previously overlooked. The company Truffle Security Co. offers webinars and partnerships to help organizations secure their data and prevent leaks of confidential information.

• You can’t always win racing the (key)cloak - CyberArk's recent research focused on vulnerabilities in Keycloak, an open-source IAM solution, revealing potential security issues such as LDAP injections and web race conditions. Additionally, they discovered a denial-of-service vulnerability in Keycloak related to email conflicts. Overall, CyberArk aims to help organizations move fearlessly forward in a digital world by providing expert guidance and cutting-edge security solutions.

• Raising Beacons without UDRLs and Teaching them How to Sleep - The blog post discusses the process of raising beacons without UDRLs and teaching them how to sleep using sleep obfuscation techniques. By creating a raw UDRL-less Cobalt Strike Beacon and utilizing a specific cna script, one can achieve this without the need for a reflective loader. Two techniques named MemoryBouncing and MemoryHopping are described, along with the development complexities and advantages of using UDRLs versus generic PE loaders. The post also mentions the creation of a project called Dojoloader for prototyping sleep obfuscation techniques on UDRL-less beacons and includes PoCs demonstrating the techniques.

• Exploiting Client-Side Path Traversal to Perform Cross-Site Request Forgery - Introducing CSPT2CSRF - The blog post discusses exploiting Client-Side Path Traversal to perform Cross-Site Request Forgery (CSPT2CSRF) in the context of major web applications like Mattermost and Rocket.Chat. The research introduces the basics of CSPT and showcases vulnerabilities in web messaging applications.

• Detecting Lateral Movement in Entra ID: Cross Tenant Synchronization - XINTRA Labs discusses the potential for lateral movement in Microsoft Entra ID through cross-tenant synchronization, which can be exploited by attackers to persist in a victim's tenant or move laterally to another tenant. The blog post provides a step-by-step guide on how attackers can abuse this feature and offers detection methods to identify malicious activity, such as monitoring the creation of external identities, editing cross-tenant synchronization settings, provisioning attack users, and identifying lateral movement through sign-in logs.

• Silently Install Chrome Extension For Persistence - The author has discovered a way to silently install a Chrome extension for persistence, without the use of common indicators of compromise. They identified changes to a file called "Secure Preferences" that allow for the installation of extensions. The method involves adding extension IDs and other values to the JSON file. The author has provided Python code for automating the process and suggests potential further development of the technique.

• The Dark Side of Contact Forms: How I Identified 7 CVEs in WordPress Plugins - The author conducted a security research project that led to the discovery of 7 CVEs in WordPress plugins, impacting over 7 million websites. The research focused on identifying blind XSS vulnerabilities in contact form plugins used in WordPress. The author detailed the process of identifying, exploiting, and reporting the vulnerabilities, as well as implementing systems to capture information from blind injections. The author collaborated with others and used automation tools to find targets affected by the vulnerabilities.

• A Remote UAF in The Kernel's net/tipc - The author discovered a use-after-free vulnerability in the kernel's TIPC networking stack while preparing for a talk at TyphoonCon. The vulnerability allows a local or remote attacker to trigger a use-after-free in the TIPC networking stack on affected installations of the Linux kernel. The vulnerability was introduced in a commit in March 2015 and fixed in a commit in May 2024. The post includes details on the vulnerability, remediation, and potential exploitation, as well as a patch to address the issue.

• The Not-So-Secret Network Access Broker x999xx - x999xx is a Russian hacker known for selling access to hacked corporate networks and compromised databases containing personal and financial data. He has been active since at least 2009 and has been involved in various cybercrimes, including selling access to a U.S. healthcare provider and databases from Australia's largest retail company. Despite admitting to his activities, x999xx claims to be focused on harvesting data rather than ransomware intrusions and insists he does not target anything or anyone in Russia. Law enforcement agencies have been targeting cybercriminals like x999xx to disrupt their operations and decrease trust within the cybercriminal community.

• Let's Make & Crack a PRNG in Go! - This blog post discusses the creation and cracking of a PRNG (Pseudo-Random Number Generator) in Go. The author explains the workings of PRNGs, specifically the Mersenne Twister, and demonstrates how to implement and crack it. By analyzing the output of the PRNG, the author shows how it can be predicted with high accuracy, highlighting the importance of using Cryptographically Secure PRNGs for security purposes. The post also includes a practical demonstration of guessing the output of the PRNG with a leak of generated numbers.

• Use SSH on Windows, they said… - Evgenij Smirnov, an IT professional from Berlin, discovered that SSH is now an integrated feature in Windows, promoted by the PowerShell team as a preferred method of remote access. However, he found that SSH bypasses certain logon restrictions, potentially exposing credentials. He recommends using key-based authentication instead of password authentication when using SSH to remote into Windows machines to enhance security.

• Vulnerabilities in CocoaPods Open the Door to Supply Chain Attacks Against Thousands of iOS and MacOS Applications - Multiple vulnerabilities in the CocoaPods ecosystem have been discovered, allowing malicious actors to claim ownership over unclaimed pods and insert malicious code into popular iOS and MacOS applications. These vulnerabilities have been patched, but developers are urged to verify the integrity of their open source dependencies. The vulnerabilities could lead to supply chain attacks impacting millions of Apple devices and organizations should take steps to secure their code and review their dependency management practices.

• Universal Code Execution by Chaining Messages in Browser Extensions - By chaining messaging APIs in browsers and browser extensions, it's possible to achieve universal code execution, breaking Same Origin Policy and the browser sandbox. Vulnerabilities in browser extensions can allow malicious web pages to access cookies from whitelisted domains and even execute commands on the host operating system. By using large datasets and static code analysis, researchers can identify vulnerable extensions with large user bases.

• GWT-Assisted HTML Smuggling - Google Web Toolkit (GWT) compiles Java into JavaScript for building high-performance web applications. While not as versatile as WebAssembly, GWT can still be used for offensive purposes such as HTML smuggling. The article explores GWT-assisted smuggling scenarios and evaluates existing detection controls.

• Pwning a Brother labelmaker, for fun and interop! - The author explores hacking a Brother labelmaker, uncovering outdated and insecure components such as an ancient version of CUPS and kernel. Through various exploits, they gain root access to the device but struggle to achieve full remote code execution due to limitations. They also discover security flaws in the firmware, highlighting the lack of concern for security in IoT devices. The author suggests disabling certain features to improve security and is working on an application for label printing to reduce reliance on vulnerable components.

Tools and Exploits

• cve-2024-6387-poc - (Unverified) - This GitHub repository contains a proof of concept for a signal handler race condition in OpenSSH's server (sshd). The vulnerability could potentially be exploited by attackers. The repository does not have any releases or packages published yet.

• It's Not A Security Boundary - The GitHub repository, "ItsNotASecurityBoundary," focuses on vulnerabilities related to False File Immutability (FFI) in Windows Code Integrity. The exploit leverages assumptions in Code Integrity to trick it into accepting improperly-signed security catalogs, allowing for the loading of attacker-controlled drivers. The repository also includes a kernel driver called FineButWeCanStillEasilyStopIt, which demonstrates how to detect and stop the ItsNotASecurityBoundary exploit. The timeline of disclosure and the fix for the exploit are also outlined, along with frequently asked questions related to the vulnerabilities and their implications.

• SAML Raider Release 2.0.0 - SAML Raider Release 2.0.0 is an updated version of the Burp Suite extension used by pentesters to test SAML infrastructures. The release focuses on improving developer and user experiences, addressing bug fixes, and introducing new testing approaches. The upgrade includes using the new Burp Extensions Montoya API, streamlining the build process with Gradle, and enhancing the Certificates Tab for a better user experience.

• onMouseMove-HtmlFile-PoC - This GitHub repository contains a proof of concept (PoC) for an onMouseMove HTML file used in a campaign by the Russian APT Group targeting Ukraine. The HTML file is included in phishing emails and, when opened by the victim, triggers a JavaScript event handler that decodes a base64 blob. This blob contains further JavaScript code that checks the operating system and drops a malicious Windows Shortcut File in the victim's system. The PoC demonstrates an anti-sandbox technique used in the campaign.

• EDRPrison - The project EDRPrison aims to prevent EDR agents from sending telemetry by leveraging a legitimate Windows Filtering Platform (WFP) callout driver. It installs an external legitimate WFP callout driver and dynamically adds runtime filters to block outbound traffic from EDR processes without direct interaction. This tool offers several enhancements and improvements over its predecessors, making it more robust and stealthy for network-based EDR evasion. The author is working on further improvements, such as reducing the delay in blocking EDR processes' network connections and testing against more EDR systems.

• CVE-2024-28995 - This GitHub repository contains an exploit for CVE-2024-28955 which allows for path traversal and local file reading on vulnerable servers. The tool retrieves the Serv-U version from the server header and tests predefined and custom directory paths for vulnerability. Users can use a wordlist for testing multiple paths. The tool requires Python to run and specific arguments to exploit a target URL. There are no releases or packages published for this exploit.

• GeoServer Unauthenticated Remote Code Execution in Evaluating Property Name Expressions (CVE-2024-36401) - The vulnerability CVE-2024-36401 in GeoServer allows unauthenticated users to execute Remote Code Execution (RCE) through specially crafted input against a default GeoServer installation. This vulnerability affects GeoServer versions prior to 2.25.1, 2.24.3, and 2.23.5. The exploit can be done through various OGC request parameters like WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic, and WPS Execute requests. It is advised to update to a secure version and mitigate the risk of exploitation.

• Initial Access & Persistence - This course teaches how to create complex infection chains for initial access and persistence. It covers understanding strategies used by real-world adversaries, building infection chains with different payload formats, and making malware persistent on a machine. Topics include mitigating technologies like 'Mark of the Web' and using Registry Run Keys for persistence.

• BloodHound Analyzer - BloodHoundAnalyzer is a bash script that automates the collection, deployment, import, and analysis of BloodHound, an AD security tool. It requires tools like docker, docker-compose, and neo4j to be installed. The script can collect AD data, deploy BloodHoundCE, import data, run analysis tools, and generate reports.

• Remediate OpenSSH RegreSSH Scripts - The GitHub repository "Remediate-OpenSSH-RegreSSHion" contains scripts to identify and fix the OpenSSH RegreSSHion vulnerability. The repository includes Bash scripts and Ansible Playbooks to test and update the SSH version on Debian and Fedora based systems. It offers tools to automate workflows, manage code changes, and collaborate outside of code.

• DonPAPI 2.0 - The GitHub repository "login-securite/DonPAPI" contains a tool called DonPAPI, which is used to automate the dumping of DPAPI credentials remotely on multiple Windows computers while evading detection. It collects various types of secrets, such as browser credentials, certificates, passwords, and more, with defense evasion in mind. The tool can be installed using different methods, and it supports various authentication methods, including Kerberos and LAPS. Additionally, DonPAPI includes a GUI frontend for browsing and exporting the collected secrets, and it is intended for educational and ethical hacking purposes only.

• CVE-2024-36991 - This is a proof of concept exploit for CVE-2024-36991, targeting Splunk Enterprise on Windows versions below 9.2.2, 9.1.5, and 9.0.10. The exploit attempts to read the Splunk /etc/passwd file.

• CVE-2024-36401 - GeoServer, an open-source server for sharing and editing geospatial data, is vulnerable to remote code execution (RCE) due to unsafely evaluating property names as XPath expressions in versions prior to 2.23.6, 2.24.4, and 2.25.2. This vulnerability allows unauthenticated users to execute arbitrary code through specific input, potentially leading to serious security issues.

• Zink Wedge / Brother VC-500W RCE PoC - This repository contains logs, hardware notes, and scripts for hacking a Brother VC-500W printer. This script enables sshd and sets the root password for the printer.

• Keyload dropper AKA Keylogger Dropper - a keylog dropper written in Rust for malware development purposes. The dropper downloads a keylogger and sender, which are then executed in the background. The program uses Windows API to run in the background and sends keylog information using a Telegram bot every 10 seconds. To implement it, clone and compile both programs, change the URL in key_exec and enter your Telegram details in bot_send before executing keylogger.exe.

• Invoke-PixelScript - PsInPic is a PowerShell module that allows users to hide payloads in the pixels of images using steganography. Users can embed PowerShell scripts in images and generate a one-liner to execute the script directly from the image.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• A Hex Editor for Reverse Engineers, Programmers and people who value their retinas when working at 3 AM. - GitHub repository for WerWolv/ImHex, a Hex Editor designed for reverse engineers, programmers, and those who prefer working at night. The tool offers various features such as hex viewing, data analyzing, searching, hashing, and comparison. It supports multiple data types, customizations, and plugins. The software has specific requirements for installation and development, with acknowledgments to contributors and libraries used.

• Extending Burp Suite for fun and profit – The Montoya way – Part 5 - HN Security is offering a tutorial on extending Burp Suite to add encryption and decryption functionalities to the context menu for HTTP requests and responses. The tutorial provides step-by-step instructions on developing an extension that can decrypt encrypted content selected by the user and modify it before re-encrypting it. The tutorial also covers how to handle non-editable HTTP messages and create a popup for displaying decrypted content. The code for the extension is available on GitHub, and future parts of the tutorial will cover integrating the extension with the Burp Scanner for security checks.

• Supply Chain Compromise Leads to Trojanized Installers for Notezilla, RecentX, Copywhiz - Rapid7 discovered trojanized installers for Notezilla, RecentX, and Copywhiz distributed by Conceptworld, leading to a supply chain compromise with information-stealing malware. Conceptworld promptly removed the malicious installers after being informed by Rapid7. The malware is capable of stealing browser credentials, crypto wallet information, logging keystrokes, and downloading additional payloads. Rapid7 recommends verifying file integrity for freely available software and checking for signs of compromise if the affected installers were executed within the last month. Customers with Rapid7's Managed Detection and Response services have detection coverage for this activity.

• Detecting Linux Stealth Rootkits with Directory Link Errors - Sandfly Security has received seed funding for their Linux endpoint detection and response solution. They offer SSH key monitoring, detect unauthorized changes to Linux systems, and provide incident response teams with instant threat detection capabilities. Their tactics detection provides comprehensive coverage for Linux, and their agentless solution eliminates deployment risks. Sandfly Security also helps detect stealth rootkits on Linux using directory link errors, urging users to automate investigations for better security.

• Machine code de-optimizer - The GitHub repository "EgeBalci/deoptimizer" is a tool for machine code de-optimization, allowing for the bypassing of security products by mutating machine code instructions. The tool uses mathematical approaches such as arithmetic partitioning and logical inverse to transform instructions in a way that avoids detection by security mechanisms. The project is still in development and offers various options for de-optimizing binaries, with support for different architectures and file types.

• Introducing the Microsoft Entra PowerShell module - The Microsoft Entra PowerShell module is a new tool designed to streamline management and automation for the Microsoft Entra product family. It allows administrators to manage and automate Entra resources programmatically, with features like backward compatibility with the deprecated AzureAD module and flexible authorization options. Users can install the module from the PowerShell Gallery and contribute to its development through open source collaboration. The module is interoperable with the Microsoft Graph PowerShell SDK and will continue to expand support for more resources in the future. Feedback and contributions are encouraged to enhance the module and meet user needs.

• Commonly Abused Linux Initial Access Techniques and Detection Strategies - The article discusses commonly abused Linux initial access techniques, such as SSH brute-forcing, exploiting public-facing applications, and supply chain compromises. It provides detection strategies for each technique, such as monitoring successful logins after repeated failures for SSH brute-forcing, detecting unusual process executions for application exploitation, and using vulnerability scanning tools for detecting supply chain compromises. The importance of staying vigilant and continuously updating security practices to defend against evolving threats is emphasized.

• Exploiting Steam: Usual and Unusual Ways in the CEF Framework - In this article, the authors explore the vulnerabilities present in the Chromium Embedded Framework (CEF) used in the Steam Client Browser and how they exploited them to create Remote Code Execution (RCE) chains. They identify logical vulnerabilities and issues in the Steam Client Browser that lead to RCE, showcasing how they were able to exploit features such as Object in External Pages, Loading the File Protocol, and accessing the content of pages to read arbitrary files and ultimately achieve RCE. Additionally, they discuss command injection in Steam's URL scheme function and exploit historical vulnerabilities in Chrome to achieve RCE through a logical vulnerability and an optimization error. They provide detailed explanations of their exploitation techniques and strategies to bypass security measures and execute arbitrary commands.

• ApecLdr - ApexLdr is a DLL Payload Loader written in C that includes features such as shellcode staging, indirect syscalls, execution delays, and EDR evasion techniques. The loader can bypass many antivirus solutions and EDRs, but the developer acknowledges that there is room for improvement. Users can modify the loader to sideload other applications by changing the export function in the code. SSL support is provided for fetching shellcode from a remote server, and signing the DLL payload with tools like Sigthief may help evade some antivirus solutions.

• SharpIncrease - SharpIncrease is a tool on GitHub that aims to evade antivirus software by adding junk data to binary files, a technique known as binary padding. This can increase the file size beyond what some security tools can handle, potentially bypassing certain detection capabilities. The tool has been tested against various security products, and can be used to increase the size of Windows Form Applications with null bytes. The usage of the tool is to run SharpIncrease.exe with input file, specified size, and output file parameters.

• CVE-2024-30088 - This GitHub repository discusses a bug (CVE-2024-30088) that exists in a function within the kernel that copies the attribute name of a token object to user mode, potentially leading to security vulnerabilities. The bug could be exploited through multiple TOCTOU instances, allowing for arbitrary address writes. The patch for this bug involves using a local variable on the kernel stack as a buffer to mitigate the issue. The repository also mentions enterprise-grade features, AI-powered development platform, and a community project called The ReadME Project.

• Why I attack - The author explains why they attack systems and disclose security vulnerabilities, stating that they enjoy solving puzzles and find it important work to do. They provide examples of different types of vulnerabilities they have found and how they have handled disclosing them, emphasizing the importance of understanding where a vulnerability lies on a spectrum in terms of patchability. They also discuss specific cases where they have disclosed attacks on various systems, highlighting the importance of going public with attacks that cannot be easily patched to prevent further harm. The author addresses criticism from a computer science professor regarding their motivations for attacking systems, emphasizing the need to expose vulnerabilities for the benefit of improving security.

• CVE-2024-38396 and CVE-2024-38395 - This GitHub repository contains a proof of concept (PoC) for iTerm2 vulnerabilities CVE-2024-38396 and CVE-2024-38395, which allow for code execution. The PoC includes a Docker file and instructions on how to run it to open a calculator on OS X. The repository does not have any releases or packages published and is focused on showcasing the vulnerabilities.

• Armageddon is more than a Grammy-nominated album - Armageddon is a blog post that discusses tracking a targeted threat actor using StrikeReady, passive dns, ssl certificates, and malware analysis. The post includes details about a Russia-nexus threat actor targeting Ukraine, using various tactics such as replacing characters in files and executing remote content through lnk files. The post also mentions the importance of staying vigilant against attacks that may require additional steps to execute.

• Pixel Tablet Dock (korlan) Secure Boot Bypass - Security researchers Nolen Johnson and Jan Altensen developed a chain of exploits to run custom OS/unsigned code on the Google Pixel Tablet Dock, bypassing AMLogic Secure Boot. They managed to gain access to the u-boot shell through a unique injection vector and worked to disable AML Secure Boot checks. By patching u-boot and forging headers, they were able to install a malicious boot image and gain root access to the device. They shared their findings with Google and ultimately received a CVE identifier and a reward for their work, which was presented at NullCon Berlin 2024.

• How to Get Root Access to Your Sleep Number Bed - The author shares a guide on gaining root access to a Sleep Number bed, which involves modifying internal files on the Sleep Number hub. The process voids the warranty and comes with risks, as it involves hardware and software modifications. The guide includes steps on connecting a UART device, editing boot environment variables, and setting up a local network control and monitoring server. The author also discusses the motivation behind the exploration and provides details on the process and hardware tools needed for access and control of the bed functions.

• The Normalization of the Unacceptable - The article discusses how incidents of ransomware attacks on medical facilities, such as the one targeting Synnovis in London and Change Healthcare in the US, have become normalized in the healthcare industry. This normalization is dangerous as it leads to acceptance of a situation that should be addressed and eliminated. The author calls for a shift in focus towards actively targeting and imposing costs on ransomware actors to address the issue effectively. The article also raises questions about the adequacy of current responses to ransomware attacks and the need for a more proactive approach.

• Sinon - Sinon is an automation tool for Windows Deception Host Burn-In that aims to automate the setup of deception hosts by simulating real user activity to deceive potential intruders. It can automatically install applications, open websites, modify system preferences, send emails, download files, perform system updates, and more. Sinon is modular and configurable, allowing for easy adjustments and randomization to make each deployment unique. It is recommended to use pre-generated content and avoid storing sensitive information on deception hosts in production environments.

• ModuleShifting - ModuleShifting is a stealthier variation of Module Stomping and Module Overloading injection techniques that reduces memory IoCs. It is implemented in Python ctypes, allowing it to be executed fully in memory without the need for compiled loaders. The technique can be used with PE or shellcode payloads and is useful for injecting payloads without dynamically allocating memory. ModuleShifting differs from other techniques by using padding, shellcode execution using function pointers, and restoring original dll content to decrease IoCs. It has been tested with the AceLdr payload and can be used with a Python interpreter for local process injection.

• Pyramid - Pyramid is a tool designed to operate in EDRs' blind spots by performing post-exploitation tasks in an evasive manner. It executes offensive tooling from a signed binary (e.g. python.exe) by importing their dependencies in memory. The tool is aimed at increasing awareness about potential blind spots in EDRs and is not intended for malicious use. Users can set up a Pyramid server, configure modules, and execute tasks in memory to avoid detection by security defenses. Python.exe's reputation and lack of visibility on dynamic code execution are key factors exploited by Pyramid, and defensive measures such as blocking python binaries signed by Python Foundation are recommended.

• Next.js and cache poisoning: a quest for the black hole - The author, a vulnerability researcher formerly with Twitter, focused on finding cache-poisoning vulnerabilities in widely used software, leading them to Next.js, an open-source JavaScript framework by Vercel. They discovered vulnerabilities related to Next.js middleware, React Server Components, and internal headers that could lead to cache poisoning, affecting many users. Despite reporting the vulnerabilities to Vercel, the response was not entirely satisfactory, prompting the author to share their findings with the community. The author highlights the importance of responsible vulnerability reporting and transparency in software development.

• Do a firmware update for your AirPods – now - A security vulnerability (CVE-2024-27867) has been found in the firmware of Apple AirPods, allowing anyone with the Bluetooth MAC address to connect and listen to the microphone or play music. Firmware updates are available for various AirPod models to fix this issue. The vulnerability was discovered during an attempt to connect AirPods to Linux, where they struggled to connect to multiple devices. The fix is especially important for users without iOS or macOS devices, as AirPods auto-update firmware only when used with an iPhone or MacBook.

• Fragtunnel - Fragtunnel is a proof-of-concept TCP tunneling tool that exploits design flaws in IDS/IPS engines and next-generation firewalls, allowing users to bypass firewalls and tunnel application traffic to the target server undetected. It works by encoding and splitting data into smaller fragments, sending them over the tunnel in new TCP sessions, and then reassembling them at the target. The tool has some limitations, such as lack of multithreading support, no SSL/TLS, and potential timeouts, but it serves as a working PoC for educational and research purposes only.