
Last Week in Security - 2024-07-22


We're Hiring!



For more open positions visit: https://www.sixgen.io/careers


Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools, and exploits from the past week. This post covers 2024-07-15 to 2024-07-22.

News

  • Weak Security Defaults Enabled Squarespace Domains Hijacks - Multiple organizations with domain names at domain registrar Squarespace had their websites hijacked due to weak security defaults. Attackers targeted cryptocurrency businesses, redirecting hijacked domains to phishing sites to steal cryptocurrency funds. The issue stemmed from Squarespace assuming users would select social login options during migration from Google Domains, leaving accounts vulnerable. Researchers recommend enabling multi-factor authentication and securing user accounts to prevent future attacks.

  • Vulnerabilities in VPNs - The paper presented at the Privacy Enhancing Technologies Symposium 2024 by Benjamin Mixon-Baca and Jeffrey Knockel explores vulnerabilities in VPNs, specifically related to connection tracking frameworks. The authors identify a novel exploit technique called "port shadow" that makes users less secure and vulnerable to attacks. They recommend that VPN providers implement certain measures to mitigate these vulnerabilities, such as randomizing source port selection and limiting concurrent connections. Users are advised to connect to private VPN servers or switch to non-vulnerable encryption protocols. The vulnerabilities were disclosed to VPN developers, Linux, and FreeBSD, but mitigation strategies are limited to specific firewall rules.

  • Here’s how carefully concealed backdoor in fake AWS files escaped mainstream notice - Two fake AWS packages containing concealed backdoor code were discovered on the NPM JavaScript repository. The malicious packages, disguised as legitimate libraries, included code that backdoored developers' computers. Despite being reported for removal, the packages remained available for nearly two days, allowing the threat actors to target developers.

  • Vulnerability in Cisco Smart Software Manager lets attackers change any user password - A vulnerability in Cisco Smart Software Manager allows attackers to change any user's password, including administrators, without authentication. This puts devices at risk for unauthorized access and potential data theft or encryption. Cisco has released a security update to address the issue and is not aware of any active exploits.

  • Cisco Smart Software Manager On-Prem Password Change Vulnerability - A vulnerability in Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an attacker to change a user's password, granting access to the web UI or API. Updates have been released to address the issue, and customers with service contracts should obtain the fixes through their usual update channels. Customers without service contracts should contact Cisco Customer Support for assistance. Cisco has confirmed that this vulnerability does not affect Cisco Smart Licensing Utility.

  • Global Microsoft Meltdown Tied to Bad Crowdstrike Update - A faulty software update from cybersecurity vendor CrowdStrike caused a global Microsoft meltdown, leading to the dreaded "Blue Screen of Death" on Windows machines worldwide. CrowdStrike has issued a fix, but the recovery process is expected to take time. The incident disrupted various industries, including airlines, financial institutions, hospitals, and online businesses. The outage also impacted emergency services, medical providers, and infrastructure in multiple countries. Social media reactions were swift and critical, with many users expressing frustration over the disruption caused by the bad update.

  • Google Cloud Security - H2 2024 Threat Horizons Report (PDF) - Google Cloud's threat intelligence report for the second half of 2024.

  • Cisco Secure Email Gateway Arbitrary File Write Vulnerability - A vulnerability in Cisco Secure Email Gateway could allow an attacker to overwrite arbitrary files on the underlying operating system by sending a specially crafted email attachment. There are no workarounds available, but Cisco has released software updates to address this issue. Customers should check if they are running a vulnerable release of Cisco AsyncOS and update their Content Scanner Tools to versions 23.3.0.4823 or later to mitigate the risk. Cisco Secure Email Cloud Gateway users do not need to take any action as Cisco will deploy the fixed version automatically.

Techniques and Write-ups

  • One Proxy to Rule Them All - Gigaproxy addresses the challenge of IP rotation across multiple targets by using AWS Lambda and API Gateway to provide a scalable and cost-effective solution for pentesters and red teamers. Unlike Fireprox, which is limited to a single endpoint, Gigaproxy allows for targeting multiple endpoints without needing to create separate API Gateway endpoints for each URL, making it more efficient for large-scale testing.

  • SharpHound Detection - BloodHound utilizes SharpHound as a data collector to discover hidden relationships in Active Directory, allowing for lateral movement and domain escalation. SharpHound can be run in memory from an implant during operations and has different versions written in C#, PowerShell, Python, and Rust. Detection opportunities exist for defensive teams when SharpHound is executed, including monitoring API calls and event IDs generated during execution. EDRs can identify SharpHound's execution, but threat actors may modify the tool to evade detection, requiring a multi-layer defense approach for reliable detection.

  • Process Injection is Dead. Long Live IHxHelpPaneServer - In this article, the author discusses the limitations of process injection techniques and introduces a new mechanism called cross-session activation to execute code in another user's session without the need for injection. The article explains the algorithm for creating COM objects in another user's session and how to leverage the IHxHelpPaneServer interface to execute files on behalf of another user. The author provides a program that utilizes the IStandardActivator interface to create a COM object in another session and execute files. This method allows for code execution in the context of another user without using process injection.

  • CVE-2024-38112: Void Banshee Targets Windows Users Through Zombie Internet Explorer in Zero-Day Attacks - Trend Micro's Zero Day Initiative discovered CVE-2024-38112 being exploited by APT group Void Banshee to target Windows users through Internet Explorer in zero-day attacks, resulting in the Atlantida Stealer being used to steal sensitive data. Trend Micro promptly reported this vulnerability to Microsoft, leading to a patch being released. This attack highlights the risk posed by unsupported Windows relics like Internet Explorer and the importance of proactively identifying and addressing attack surfaces to improve overall security posture. Trend Micro offers various security solutions to protect against such zero-day attacks and safeguard organizations from cyber threats.

  • GitHub Actions exploitation: self hosted runners - In this series of articles on GitHub Actions exploitation, the focus is on self-hosted runners and the potential vulnerabilities they can introduce. By allowing external users to execute code on self-hosted runners, attackers could gain access to internal networks and sensitive information. The use of non-ephemeral runners increases the risk of backdooring and persistent access. Examples from vulnerable repositories such as Haskell and Scroll illustrate the dangers of allowing arbitrary code execution on self-hosted runners. These vulnerabilities were identified using the octoscan tool.

  • Remote Code Execution on Pyres Termod before 10.04w - A vulnerability in Pyres Termod before version 10.04w allowed for remote code execution on the server hosting the application. The issue was due to default credentials in the web interface for badge administration. The vulnerability has been fixed in version 10.04w, but prior versions are still at risk. Attackers could exploit this to execute arbitrary commands and gain privileged access on the server.

  • Phish Out of Water - The article discusses the challenges of bypassing web proxies to ensure successful phishing campaigns. It highlights various bypass techniques such as using exceptions, embedding files in HTML, password-protecting ZIP files, utilizing FTP and WebDAV, MIME trickery, changing file extensions, and dealing with magic numbers. The article also addresses the mark of the web issue and suggests ways to bypass it. Ultimately, it emphasizes the importance of adapting to evolving defenses and using social engineering tactics to successfully deliver phishing payloads.

  • Exploiting a Generative AI Chatbot – Prompt Injection to Remote Code Execution (RCE) - NetSPI researchers explored how to exploit generative AI chatbots through prompt injection, demonstrating potential vulnerabilities in chatbots that could lead to remote code execution and unauthorized access to sensitive resources. They emphasize the importance of implementing robust security controls and conducting security testing for AI-powered applications.

  • Killer Ultra Malware Targeting EDR Products in Ransomware Attacks - A malware known as Killer Ultra, discovered by ARC Labs, has been targeting endpoint detection and response (EDR) products in ransomware attacks. This malware terminates processes for popular security tools, clears event logs, and leverages a vulnerability in Zemana AntiLogger to disable security software. Killer Ultra also has capabilities for post-exploitation activities, such as downloading tools remotely and executing processes. ARC Labs has provided tactical threat intelligence on Killer Ultra to help organizations enhance their detection and response strategies.

  • One Weird Trick Being Used Against Android Devices - This article discusses a recent malware threat called BadPack targeting Android devices. The malware alters headers in APK files to obstruct analysis, making it difficult for security tools to detect. The post examines the techniques used by BadPack and how it evades analysis tools. It also explains how Android devices still run the malware despite issues in extracting the content. The post concludes with recommendations on how to protect against such threats and how Palo Alto Networks can help in mitigating the risks.

  • Pwn2Own: Pivoting from WAN to LAN to Attack a Synology BC500 IP Camera, Part 2 - Team82 participated in the Pwn2Own 2023 Toronto IoT hacking contest and successfully exploited TP-Link ER605 routers and Synology BC500 IP cameras. They demonstrated how an attacker can compromise a device on the wide-area network and move to the local network to compromise an IoT device. By exploiting a vulnerability in the Synology BC500 IP camera's web server, they were able to gain full control over the camera and execute arbitrary code. The vulnerabilities were fixed by Synology in firmware version 1.0.7-0298.

  • One Shell To Rule Them All - The article discusses the importance of the reverse shell technique in offensive security, proposing a new tool to address issues with existing tools. The tool aims to provide a secure connection, work on various systems, and be easy to use. It involves creating small ELF files, implementing encryption and hashing algorithms, and using mTLS for secure connections. The process includes sending and verifying payloads to establish a secure reverse shell connection. The author, Daniel Cooper, is a Security Consultant at Tanto Security.

  • Linux Detection Opportunities for CVE-2024-29510 - A remote code execution vulnerability in Ghostscript is being exploited in Linux systems, affecting popular software like ImageMagick and LibreOffice. To detect this vulnerability, tools like auditd and Sysmon for Linux can be used to monitor system events and track suspicious activities. The exploitation of Ghostscript allows attackers to execute arbitrary commands and opens up opportunities for phishing through LibreOffice documents. It is crucial to patch vulnerabilities promptly and enhance detection capabilities on Linux systems to respond to malicious activities effectively. Codean Labs has created a Proof of Concept for testing this vulnerability, highlighting the importance of proactive threat-informed defense in securing widely used software against sophisticated exploits.

  • New BugSleep Backdoor Deployed in Recent MuddyWater Campaigns - The recent MuddyWater campaigns, attributed to an Iranian threat group affiliated with the MOIS, have increased their activities in Israel since the beginning of the Israel-Hamas war. They use phishing campaigns from compromised email accounts to deploy legitimate remote monitoring and management (RMM) tools like Atera Agent and ScreenConnect, and recently a new backdoor named BugSleep. BugSleep is a tailor-made backdoor designed to execute commands and transfer files between compromised machines and the C&C server. Check Point Research has provided a detailed analysis of MuddyWater's recent tactics, techniques, and procedures, including the BugSleep backdoor and the abuse of the Egnyte file-sharing service.

  • Encoding Differentials: Why Charset Matters - The blog post focuses on the importance of charset in encoding for code quality and security. It highlights techniques that attackers can use to inject JavaScript code by manipulating the character encoding in web responses. The post details how browsers determine character encoding and explains how attackers can exploit vulnerabilities arising from ISO-2022-JP encoding.

  • Analysis of KakaoTalk's Secret Chat E2EE Feature - The blog post discusses weaknesses in KakaoTalk's end-to-end encryption (E2EE) feature, including issues with missing ciphertext integrity, missing E2EE security goals, a central public-key database, missing user notification, and lack of LOCO server authentication. These vulnerabilities potentially allow for MITM attacks and unauthorized access to encrypted messages. Additionally, the post highlights the political context in South Korea that led to the development of KakaoTalk's E2EE feature in response to government surveillance concerns. The author recommends using more secure E2EE chat apps for high-risk users.

  • GCP - Enumerate Org/Folder/Project Permissions + Individual Resource Permissions - This article discusses how to enumerate permissions for organizations, folders, projects, and individual resources in cloud platforms like AWS and Google Cloud Platform. It provides insight into using the testIamPermissions API call and tools like GCPwn to discover permissions. It also explores the process of enumerating over 9500 permissions on resources to identify the permissions a user has within a specific project or resource.

  • Malware development: persistence - part 25. Create symlink from legit to evil. Simple C example. - In this post, the author discusses how attackers can create symbolic links to redirect Windows Accessibility features to malicious files for persistence. The post includes a detailed C example demonstrating the process of setting privileges, changing file ownership, setting ACLs, deleting a file, and creating a symbolic link using the Windows API. The author emphasizes that the technique is complex and requires careful handling of permissions and user IDs. The post is intended for educational purposes and aims to raise awareness among cybersecurity professionals about this type of attack.

  • Give Me the Green Light Part 1: Hacking Traffic Control Systems - The author discusses their findings on vulnerabilities in traffic control systems and their attempt at responsible disclosure. They found a vulnerability in the web interface of a traffic controller that allowed unauthorized access and changes to be made. After reporting the vulnerability to the vendor, they received a dismissive response from the General Counsel. Despite the lack of cooperation from the vendor, the author decided to disclose the issue publicly and received support from the community. They also successfully obtained a CVE for the vulnerability. The next part of the series will explore setting up traffic controllers at home and the NTCIP protocol.

  • Give Me the Green Light Part 2: Dirty Little Secrets - The blog post delves into the vulnerabilities of traffic control systems, specifically focusing on Econolite and Intelight controllers. The author used brute force methods to gain access to the controllers via telnet and SSH, and discovered security flaws in the web applications. By utilizing SNMP and NTCIP protocols, the author was able to manipulate the controllers' settings and extract sensitive information such as usernames and passwords. The post also highlights the potential risks of using default credentials and exposing telnet to the internet in transportation systems.

  • How to Bypass Golang SSL Verification - In this blog post, CyberArk, a vendor of identity security solutions and services including privileged access management and endpoint privilege security, discusses how to bypass Golang SSL verification in order to examine HTTPS requests in plain text for security flaws. The post explains how to manually remove SSL verification or use a Python script to do so, highlighting the importance of understanding source code and patching vulnerabilities to enhance security.

  • Identity Crisis: The Curious Case of a Delinea Local Privilege Escalation Vulnerability - The article discusses a local privilege escalation vulnerability discovered by the CyberArk Red Team in Delinea Privilege Manager. The vulnerability allowed unprivileged users to execute arbitrary code as SYSTEM. CyberArk responsibly disclosed the vulnerability to Delinea, which then released a fixed agent version. The article also highlights CyberArk's identity security solutions, including their AI capabilities, platform, and services, aimed at helping organizations secure their workforce, external access, IT administrators, cloud operations teams, and more.

  • Threat Actor Masquerades as Hacktivist Group Rebelling Against AI - A new cybercriminal threat group, NullBulge, has been identified by SentinelOne. The group targets AI- and gaming-focused entities, using tactics such as injecting malicious code into legitimate software distribution mechanisms and distributing malware through platforms like GitHub and Hugging Face. NullBulge has been masquerading as a hacktivist group rebelling against AI, but their actions indicate a profit-driven motive behind their attacks. The group has also targeted popular platforms like Disney and BeamNG, delivering LockBit ransomware payloads to victims.

  • Cybercrime Gang Enhances Ops with New EDR Bypasses and Automated Attacks - FIN7, a cybercrime group originating from Russia, has been active since 2012 and has evolved from using POS malware to focusing on ransomware operations and launching its own Ransomware-as-a-Service programs. The group recently enhanced its operations by utilizing EDR bypasses and automated attacks, such as SQL injection attacks. They have also developed tools like AvNeutralizer to tamper with security solutions. FIN7's activities are difficult to attribute due to their use of multiple pseudonyms and collaboration with other cybercriminal entities. Defender efforts are needed to counteract the group's evolving tactics in the criminal underground market.

  • Securing The Chink in Kerberos’ Armor, FAST! Understanding The Need For Kerberos Armoring - Kerberos, a network authentication protocol, has evolved over the years to version 5 but is still vulnerable to attacks. Microsoft's implementation of Kerberos in Active Directory includes mechanisms like Kerberos Armoring to enhance security. Kerberos Armoring, also known as FAST, encrypts the Kerberos authentication exchange to prevent offline dictionary attacks, replay attacks, and Man-in-the-Middle attacks. Implementing Kerberos Armoring on Windows Server 2012 and higher is important to secure Kerberos exchanges and prevent unauthorized access to resources.

  • Demystifying Hollow Process Injection - Hollow Process Injection is a stealthy malware technique that involves injecting malicious code into a legitimate process to evade detection by security mechanisms. Attackers create a suspended instance of a trusted process, overwrite its code with malicious code, and then resume the process to carry out harmful activities. To mitigate this technique, organizations can apply security patches, use antivirus software, practice user awareness, and implement the principle of least privilege. Understanding how hollow process injection works is crucial for organizations to protect their systems from attacks.

  • How insecure is Avast Secure Browser? - The Avast Secure Browser has been found to have several security vulnerabilities, including pre-installed extensions with unnecessary permissions that weaken security mechanisms. The bundled ad-blocking, privacy, and messaging extensions allow for potential data collection and manipulation. The onboarding experience includes various rules that can nag users to switch search providers and enable extensions. Overall, the browser raises concerns about user privacy and security, leading to skepticism about its effectiveness as a secure browsing option.

  • Security's Achilles' Heel: Vulnerable Drivers on the Prowl - The article discusses the increasing trend of cyber threats exploiting vulnerabilities in drivers, specifically the BYOVD method, which allows attackers to bypass security measures and gain unrestricted access to systems. It emphasizes the importance of ongoing testing and vigilance to identify and mitigate vulnerabilities. The article also highlights the proactive approach taken by Security Joes in identifying vulnerable drivers and provides recommendations for protecting against such attacks. It categorizes different techniques used by threat actors to exploit vulnerable drivers and provides insights on detection opportunities and recommendations for safeguarding against such threats.

  • This Meeting Should Have Been an Email - The Objective-See Foundation, a non-profit 501(c)(3) organization, is supported by Palo Alto Networks. They recently analyzed a new Mac malware called MiroTalk.dmg, which is believed to be created by North Korean hackers. The malware targets users by posing as job hunters and stealing data from browsers, keylogging, and installing additional payloads. The foundation provides free open-source security tools like BlockBlock and LuLu to help thwart the threat, emphasizing the importance of using tools to protect against malware attacks.

  • SAPwned: SAP AI vulnerabilities expose customers’ cloud environments and private AI artifacts - Wiz Research uncovered vulnerabilities in SAP AI Core, allowing malicious actors to access customer data and private AI artifacts. The vulnerabilities allowed attackers to gain access to customers' cloud environments and compromise internal artifacts. The research findings were reported to SAP and fixed before any customer data was compromised. The research highlights the importance of enhancing isolation and sandboxing standards when running AI models in order to secure managed AI platforms.

  • Container Breakouts: Escape Techniques in Cloud Environments - The article discusses various container escape techniques in cloud environments, including user-mode helpers, privilege escalation using SUID, runtime sockets, log mounts, and sensitive mounts. These techniques allow attackers to gain unauthorized access to the host system from within a container. The article also explains how to detect and mitigate these escapes, as well as provides real-world detection examples using Cortex XDR. Additionally, it highlights the importance of understanding these risks and implementing security measures in container environments.

  • The Patchwork group has updated its arsenal, launching attacks for the first time using Brute Ratel C4 and an enhanced version of PGoShell - The Patchwork group has recently updated its arsenal, using new tools like Brute Ratel C4 and an enhanced version of PGoShell in attacks for the first time. This APT group primarily targets government, defense, and diplomatic organizations in East Asia and South Asia. The Brute Ratel C4 tool is a red team framework with functionalities similar to Cobalt Strike, while PGoShell, developed in Go language, offers remote shell capabilities and other functionalities. These tools were used in an attack targeting entities associated with Bhutan, showcasing the group's advanced capabilities in weaponizing their malware.

  • Windows Installer, exploiting Common Actions - The blog post discusses a vulnerability in Windows Installer that allows for privilege escalation through Custom Actions. Custom Actions are used to extend the functionality of the installation process and can be exploited by a standard user to alter command execution and potentially inject commands. The issue was reported to Microsoft but deemed non-reproducible, leading to continued exposure to potential exploitation. The vulnerability affects the latest Windows Insider Preview build and could be useful for pentesters for Local Privilege Elevation or as a persistence mechanism.

  • Detecting Process Injection - The article discusses the techniques used by adversaries to execute code stealthily in memory, focusing on process injection as a common method. It explains the steps involved in process injection, including loading a PE file from disk, identifying a sacrificial process, allocating virtual memory, writing virtual memory, and executing the payload. The author also highlights the evasion techniques used by advanced threat actors to circumvent detection and suggests security controls like antivirus/antimalware, application isolation, and event tracing for Windows to detect and prevent process injection.

  • Unconstrained Delegation in Active Directory - Unconstrained delegation in Active Directory is a feature that allows a computer, service, or user to impersonate any other user and access resources across the entire network without restrictions. During a recent security assessment, Praetorian engineers encountered a user object configured with these privileges, allowing them to escalate to Domain Administrator. The recommended mitigation is to avoid enabling unconstrained delegation and use alternative configurations like constrained delegation or resource-based constrained delegation to limit the scope of impersonation. Additional measures, such as disabling the Print Spooler (`spoolsv`) service on sensitive systems, can help mitigate the risk associated with forced authentication.

  • Malware and cryptography 29: LOKI payload encryption. Simple C example. - This post explores using the LOKI symmetric-key block cipher encryption algorithm to evade antivirus engines by encrypting payloads. The LOKI algorithm was proposed as an alternative to DES by Australian cryptographers. The post provides a simplified C example of how the LOKI encryption and decryption functions work, along with code to encrypt and decrypt shellcode using LOKI. The post also includes instructions on how to run the payload and discusses the effectiveness of using encryption to evade detection by antivirus engines.

  • Fraudster’s Fumble: From Phish to Failure - The passage discusses the importance of setting realistic and achievable goals in order to experience a sense of accomplishment and fulfillment. The author emphasizes the need for individuals to break larger goals into smaller tasks to make them more manageable and attainable. By creating a plan and taking small steps towards a goal, individuals can build confidence and motivation to continue working towards their desired outcomes.

  • How to Analyze Malicious MSI Installer Files - Intezer offers an Autonomous SOC Platform that uses AI automation for triage, investigation, remediation, and escalation of serious threats. Users can easily connect their security tools with Intezer for analyzing reported phishing, endpoint alerts, SIEM alerts, and SOAR playbooks. Intezer's solution helps MSSPs scale their operations by providing AI-powered threat analysis and detection. The blog also provides a detailed guide on how to analyze malicious MSI installer files, which are commonly used by threat actors to deliver and execute malicious payloads by embedding harmful code within legitimate-looking packages. Tools like msitools, msidump, and MSI Viewer can be used to manually analyze MSI files for potential threats. Additionally, Intezer's AI-powered platform can be used to analyze and extract malicious payloads from MSI files efficiently.

  • Unveiling TE.0 HTTP Request Smuggling: Discovering a Critical Vulnerability in Thousands of Google Cloud Websites - A team of hackers discovered a critical HTTP Request Smuggling vulnerability affecting thousands of Google Cloud-hosted websites. They were able to compromise services like Identity-Aware Proxy (IAP) and achieve critical impact on vulnerable hosts. The hackers identified a novel class of HTTP Request Smuggling vulnerabilities, specifically TE.0 smuggling, and shared their findings on how to test for and exploit it. After reporting the issue to Google, they were rewarded with a bounty of $8,500. This discovery highlights the importance of persistence and creative thinking in cybersecurity research.

  • Auditing GitLab: Public Gitlab Projects on Internal Networks - The article discusses the security vulnerabilities in self-hosted GitLab instances on internal networks, specifically focusing on public projects that can be accessed without authentication. It provides a detailed guide on how to identify and exploit these vulnerabilities using tools like Nuclei and Gitleaks. The article also offers suggestions for remediation and prevention, such as removing sensitive data from source code, setting projects to private, and implementing code scanning pipelines. Additionally, it encourages contributing to open-source projects for further security enhancements.

  • Command and Control (C2) Servers 101 - This article from GreyNoise Labs provides an introductory overview of Command and Control (C2) servers in cybersecurity. It explains how attackers use C2 infrastructure to maintain control over compromised systems and carry out malicious activities. The article also discusses the different types of C2 architectures, evasion techniques, and detection methods. Additionally, it highlights the importance of automated tools like GreyNoise for identifying and prioritizing threats in a cybersecurity investigation.

  • APT41 Has Arisen From the DUST - The Advanced Persistent Threat group APT41 has been observed targeting organizations in the global shipping and logistics, media and entertainment, technology, and automotive sectors. They have successfully infiltrated and maintained unauthorized access to multiple networks since 2023, using a variety of tools and techniques to exfiltrate data. APT41's operations have targeted various sectors and industries, utilizing tactics ranging from financially motivated activities to state-sponsored espionage. Their recent activities, including the deployment of the DUSTTRAP dropper, demonstrate their evolving and sophisticated techniques.

  • Pwn2Own Automotive: CHARX Vulnerability Discovery - The blog post discusses the discovery of vulnerabilities in the Phoenix Contact CHARX electric vehicle charger during the Pwn2Own Automotive event. The researchers found two bugs in the controller agent service, one causing a NULL pointer dereference and the other resulting in a use-after-free during process teardown. These vulnerabilities could potentially be exploited for malicious purposes. The post provides details on the bugs and mentions that a follow-up post will cover the exploitation process. The full exploit code is available on GitHub for reference.

  • Jailbreaking RabbitOS: Uncovering Secret Logs, and GPL Violations - The blog post discusses the process of jailbreaking RabbitOS on the Rabbit R1 device, revealing secret logs and violations of the GPL license by Rabbit Inc. The author details their reverse-engineering efforts and explains the boot process of the R1 device. They also address concerns about excessive user data logging and the lack of security measures on the device. Additionally, the author releases an experimental Tethered Jailbreak tool to assist researchers in accessing their own R1 devices. Rabbit Inc. swiftly addressed the logging issue prior to the publication of the article, but has not responded to inquiries about GPL compliance.

  • Stardew Valley PRNG Seed Cracking - Interrupt Labs explored the process of reverse engineering the Nintendo Switch version of Stardew Valley to develop two tools: Stardew Seed Cracker and a tool to predict future events based on the PRNG seed. The Switch version of the game uses the JKISS PRNG, with slight modifications. The Seed Cracker tool uses the Traveling Cart stock information to crack the seed, while the Predictor tool supports various random events in the game. Future plans include adding support for other platforms, more events, and the new 1.6 update.

  • Access Approved: What Are Access Control Vulnerabilities? - Access control vulnerabilities occur when the mechanisms governing access to resources or actions within a system or application are weak or improperly implemented, allowing unauthorized users to gain access to sensitive data. These vulnerabilities can stem from flawed software, misconfigurations, or human error, and can have severe repercussions such as unauthorized access to sensitive information or complete system compromise. Preventative measures include implementing security measures early in the Software Development Life Cycle, enforcing least privilege, unifying access controls, and regularly auditing and testing for vulnerabilities. TCM Security offers services to help organizations address and mitigate access control vulnerabilities.

  • CVE-2019-8805: Apple EndpointSecurity framework Privilege Escalation - CVE-2019-8805 is a privilege escalation vulnerability found in macOS Catalina 10.15 by Scott Knight due to validation problems in the EndpointSecurity framework. This vulnerability allows any application to execute arbitrary code with system privileges. The analysis involves reverse engineering endpointsecurityd and the SystemExtensions framework using Hopper, identifying the core issue in the shouldAcceptConnection method. By exploiting this vulnerability, an attacker can escalate their privileges to root by following a specific set of steps outlined in the exploit code provided. The vulnerability has been patched post-analysis, with the SystemExtensions framework now checking client entitlements before accepting connections.

  • OWASP TOP 10: Security Misconfiguration #5 – CORS Vulnerability and Patch - The article discusses the OWASP CORS vulnerabilities and best practices for mitigation. It explains the concept of same origin policy and CORS (Cross-Origin Resource Sharing) in web applications. The article also provides examples of cross-origin scenarios and how CORS headers work. A scenario demonstrating the exploitation of CORS vulnerability is detailed, along with mitigation techniques such as proper configuration of the Access-Control-Allow-Origin header. Additionally, the article highlights the importance of client-side validation and the risks associated with spoofing the Origin header. Overall, implementing these strategies can help mitigate CORS vulnerabilities and enhance web application security.
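The Access-Control-Allow-Origin mitigation summarized above, as an added example that is not code from the OWASP article: two weak ways a server can derive CORS headers from the request's Origin, beside an exact-match allowlist. The origins in the allowlist are constructed samples.

```javascript
// Added example, not from the OWASP article. Three server-side ways of
// computing CORS response headers from the request's Origin header.

// Weak pattern 1: reflect any Origin and allow credentials. Any site a
// logged-in user visits can then read this API's authenticated responses.
function corsReflectAny(origin) {
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Weak pattern 2: substring or suffix matching. "https://evilexample.com"
// satisfies a loose check like this one just as well as the real site does.
function corsSuffixMatch(origin) {
  if (typeof origin === 'string' && origin.includes('example.com')) {
    return {
      'Access-Control-Allow-Origin': origin,
      'Access-Control-Allow-Credentials': 'true',
    };
  }
  return {};
}

// Hardened: exact-match allowlist of full origins (scheme + host + port),
// never "null", plus Vary: Origin so shared caches keep per-origin
// responses apart.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',   // constructed sample allowlist
  'https://admin.example.com',
]);

function corsAllowlist(origin) {
  const headers = { Vary: 'Origin' };
  if (typeof origin === 'string' && origin !== 'null' && ALLOWED_ORIGINS.has(origin)) {
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  // Browsers set Origin and page script cannot change it, but any non-browser
  // client can send an arbitrary value. CORS protects browser users from
  // cross-site reads; it is not an authentication check on the server side.
  return headers;
}
```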

  • Sign-in with World ID: XSS and ATO via OIDC Form Post Response Mode - A critical vulnerability was found in the Sign-in with World ID implementation during a meetup with Tools for Humanity and the German HackerOne Club. The vulnerability affected the Response Mode and could allow malicious actors to take over end-user accounts at third-party applications. The XSS vulnerability was discovered and exploited by bypassing the Content Security Policy and Web Application Firewall. The vulnerability potentially allowed attackers to obtain sensitive OIDC tokens for account takeovers.

  • Type confusion attacks in ProseMirror editors - Type confusion attacks in ProseMirror editors were discovered during an audit of the Outline knowledge base management package, leading to a stored XSS vulnerability. The vulnerability allows authenticated users to insert malicious JavaScript payloads into documents that can then be executed by other users. The Outline team quickly addressed the specific XSS vulnerability and recommended users to upgrade to the latest version of ProseMirror and Outline to prevent similar attacks in the future. The post also discusses the ProseMirror content model, rendering process, and recommendations for mitigating type confusion attacks.

  • Malware Development, Analysis and DFIR Series - Part IV - In this post, the author discusses the essentials of Windows forensics, including filesystems and artefacts important for Digital Forensics and Incident Response (DFIR) investigations. They explore the history and features of Windows filesystems like FAT and NTFS, as well as the significance of the registry in storing vital configuration data. The post covers various registry keys and hives that provide valuable information for forensic analysis, such as user profiles, software installations, network configurations, and application executions. The author emphasizes the importance of leveraging these artefacts in investigating security incidents, responding to data breaches, and enhancing organizational security.

  • Capturing Exposed AWS Keys During Dynamic Web Application Tests - The blog discusses how attackers can capture access keys and session tokens for a web application's AWS infrastructure through vulnerable HTTP requests. These keys and tokens can be used to access back-end IOT endpoints and CloudWatch instances to execute commands. The article also highlights the importance of not sending sensitive information, such as CloudWatch logs, to external parties and provides recommendations on how to securely interact with AWS infrastructure. The authors aim to raise awareness on common design flaws in web applications' relationship with their back-end AWS infrastructure.

  • What is your compliance Kryptonite - Compliance with security standards can be frustrating, and everyone has their own 'Kryptonite' when it comes to compliance issues. Some common challenges include organizations questioning new security controls, misconceptions about compliance frameworks, and difficulties in understanding requirements. Service providers play a crucial role in compliance, but accuracy in documenting support for customer security controls is often lacking. The industry may need to hold service providers more accountable to improve compliance documentation and support. Consulting services are available to help navigate these complex compliance challenges.

Tools and Exploits

  • gigaproxy - The GitHub repository "Sprocket-Security/gigaproxy" offers a proxy solution called Gigaproxy that allows users to target multiple hosts at a time. Users need an AWS account with credentials, as well as some software tools and scripts to build and start the proxy infrastructure. The proxy can be started via the command line with specified arguments, and users can test its functionality by running commands to retrieve public IPs, use security testing tools, and proxy specific CLI tools with exported environment variables.

  • Cobalt Strike 4.10: Through the BeaconGate - Cobalt Strike 4.10 introduces BeaconGate, the Postex Kit, and Sleepmask-VS. It allows operators unprecedented control and flexibility by decoupling Beacon from its WinAPI calls and introducing the ability to forward Windows API calls via Sleepmask. This release also includes improvements to host rotation, job architecture, and Java support. Security updates, quality-of-life changes, and improved user interface are also part of the update. Licensed users must download version 4.10 from scratch as the existing 4.9 update application cannot be used for the upgrade.

  • One Shell To Rule Them All - The GitHub repository "oneshell" is a reverse shell listener and payload generator designed to work on most Linux targets. It provides an automated workflow for creating an encrypted reverse shell connection using only the tools available on the target machine. The tool emphasizes the need for secure connections and mutual TLS for data transfer.

  • Mythic 3.3 Beta: Rise of the Events - The Mythic 3.3 Beta introduces a new eventing system that allows for automation of tasks and actions. Command augmentation containers streamline the process of running Beacon Object Files (BOFs) across different agents. Other updates include auto triage tracking, custom authentication options, invite links for operators, dead callback estimation, and an overhaul of the consuming containers page. These features offer improved functionality and customization for users of Mythic.

  • Collateral Damage - The GitHub repository "exploits-forsale/collateral-damage" contains a kernel exploit for Xbox SystemOS using CVE-2024-30088. The exploit targets Xbox One and Xbox Series consoles running specific kernel versions. It involves using a Game Script UWP application as an initial entry point and requires certain steps to place the payload on the Xbox console. The exploit is not fully reliable and may fail in some cases. The developers suggest potential future enhancements such as side loading support and launching unsigned non-UWP processes.

  • IHxExec - The GitHub repository for IHxExec, a process injection alternative that allows users to execute arbitrary code on behalf of another user.

  • Nim-Backdoor - The Nim-Backdoor Python program generates a Nim program that functions as a backdoor for remote command execution on both Linux and Windows systems. It is designed to evade detection by popular antivirus software like Microsoft Defender, Bitdefender, and Kaspersky. Users must have Python 3.6 or above and the Nim compiler installed to use this tool.

  • PwnedBoot - The GitHub repository "PwnedBoot" demonstrates a proof-of-concept payload that can use Windows' own bootloader to bypass Secure Boot on Windows 10. By replacing a specific file and disabling Driver Signature Enforcement, users can load the payload early in the boot process to execute custom instructions or boot into a different operating system.

  • AlterLoadDll - The GitHub repository "FunnyWhaleDev/AlterLoadDll" allows users to load DLL files with undocumented functions and debug symbols.

  • Responder Honeypot - Respotter is a tool designed to detect and catch attackers and red teams using Responder in your environment. It uses LLMNR, mDNS, and NBNS protocols to search for active instances of Responder and can send alerts via webhooks to Slack, Teams, or Discord. Additionally, Respotter can identify vulnerable hosts susceptible to credential theft from Responder and similar tools. The project provides detailed information on configuration and deployment and was originally created by lawndoc.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • Uncoordinated Vulnerability Disclosure: The Continuing Issues with CVD - The article discusses the challenges and issues with Coordinated Vulnerability Disclosure (CVD), particularly in relation to Microsoft's recent patch release and communication with researchers. Lack of transparency, miscommunication, and disagreements between vendors and researchers have raised concerns about trust and coordination in the disclosure process. The article highlights the importance of open and transparent communication in the industry, as well as the need for vendors to improve their response and collaboration with researchers. The Zero Day Initiative will be launching the Vanguard Awards to recognize outstanding work in CVD and promote positive changes in the industry.

  • CVE-2024-22274: Authenticated Remote Code Execution in VMware vCenter Server - This GitHub repository contains information about CVE-2024-22274, which is an authenticated remote code execution vulnerability in VMware vCenter Server. The vulnerability allows a malicious actor with administrative privileges on the vCenter appliance to run arbitrary commands on the underlying operating system as the "root" user. The repository includes a PDF file with details on the vulnerability and the exploitation process.

  • pdf-exploit - The GitHub repository rzte/pdf-exploit integrates recent vulnerabilities in PDF parsers to create malicious PDF documents. The tool allows for the execution of arbitrary JavaScript code and includes exploits for PDF.JS and Foxit Reader. It also demonstrates how to use the submitForm feature in pdfium to steal the file path of a PDF document. The repository does not have any releases published yet.

  • PumpBin - The GitHub repository for PumpBin, an Implant Generation Platform. PumpBin allows cybersecurity researchers to easily generate final implants by following its guidelines and distributing them to offensive personnel, streamlining the process of creating digital weapons.

  • carroot: rabbitOS tethered jailbreak - Carroot is a tethered jailbreak tool specifically designed for devices running the RabbitOS operating system. This tool allows users to gain additional privileges and access to customize their devices. It is important to note that tethered jailbreaks require the device to be connected to a computer each time it is rebooted in order to maintain the jailbreak.

  • Pi-Hole core - Blind Server-Side Request Forgery (SSRF) can lead to Remote Code Execution (RCE) - Blind Server-Side Request Forgery (SSRF) in Pi-Hole allows an authenticated user to make internal requests to the server through the "gravity_DownloadBlocklistFromUrl()" function, potentially leading to remote code execution (RCE). The vulnerability arises from the ability to download files from a local IP address like 127.0.0.1 using various protocols accepted by the "curl" command, such as "ftp://", "smb://", and "gopher://". By exploiting this vulnerability with a specially crafted payload, an attacker can communicate with internal servers and achieve RCE, as demonstrated with a redis server in this case. The vulnerability can be mitigated by updating Pi-Hole and monitoring internal requests for suspicious activity.

  • Phantom Secrets: Undetected Secrets Expose Major Corporations - Phantom Secrets: Undetected Secrets Expose Major Corporations is a detailed research blog exposing hidden secrets in source code repositories. The blog explores different scenarios where secrets remain exposed even after being removed, and provides strategies for uncovering these hidden secrets using new scanning methods. The research found that almost 18% of potential secrets may be missed by current scanning tools. Recommendations for mitigating these risks include using specific scanning tools, deleting secrets from pull request references, and addressing dangling remote tracking branch references. Aqua Security offers a Cloud Native Application Protection Platform (CNAPP) to help secure enterprise workloads in cloud native environments.

  • Reverse engineering eBPF programs - This post explores the fundamentals of eBPF, including its architecture, instruction set, verifier, and maps. It discusses reverse engineering by dissecting a small eBPF rootkit to understand the complexities of analyzing eBPF-based programs. The post also highlights eBPF use cases and the Kubernetes gap in CNAPPs. Lastly, it introduces a high-severity remote code execution vulnerability in OpenSSH's server.

  • Invoke-DumpMDEConfig - The GitHub repository "BlackSnufkin/Invoke-DumpMDEConfig" contains a PowerShell script designed to extract and display Microsoft Defender configuration and logs, including protection history and Exploit Guard protection history. The script does not require admin privileges to run and provides options to output the data in list, table, or CSV format. It is a tool for automating security analysis of Microsoft Defender settings without the need for elevated permissions.

  • Darkside - This GitHub repository contains a C# AV/EDR Killer tool that uses a lesser-known Rogue Anti-Malware Driver 3.3. The developer warns that this driver is not present in loldrivers or the Windows blocklist at the time of writing, but Microsoft may block it soon. The tool can be used on Windows 23H2 with HVCI enabled, the loldrivers blocklist, or WDAC enabled. The developer advises on how to load and start the driver, and suggests blocking it through WDAC or waiting for Microsoft to do so. The tool aims to limit local privileges, audit and prevent privilege escalation attacks.
