
Last Week in Security - 2024-07-29



Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools, and exploits from the past week. This post covers 2024-07-22 to 2024-07-29.

News

  • KnowBe4 Hires Fake North Korean IT Worker, Catches New Employee Planting Malware - KnowBe4 discovered that a North Korean operative posing as a software engineer bypassed their background checks and attempted to plant malware using a Raspberry Pi on his first day. The security team quickly detected and contained the threat, preventing any access to KnowBe4 systems. The incident highlights the sophisticated tactics of North Korean operatives who infiltrate companies under fake identities to earn money and support illegal programs.

  • CrowdStrike CEO summoned to explain epic fail to US Homeland Security committee - CrowdStrike CEO George Kurtz has been summoned to testify before the US House Committee on Homeland Security regarding a faulty software update that caused a global IT outage. The update crashed Windows systems, leading to disruptions in key sectors such as aviation, healthcare, banking, and emergency services. The committee is seeking answers on how the incident occurred and what mitigation steps CrowdStrike is taking. The incident was caused by a malware signature update issued by CrowdStrike's Falcon software, which runs at a low level within the Windows kernel and resulted in widespread system crashes.

  • Phish-Friendly Domain Registry ".top" Put on Notice - ICANN has issued a warning to the Chinese company responsible for the ".top" domain registry, urging them to improve their systems for managing phishing reports and suspending abusive domains. The company has until mid-August 2024 to show progress or risk losing their license to sell domains. A recent report found that ".top" domains were the second most common suffix used in phishing websites in the past year. ICANN criticized the registry for their lack of response to phishing attack reports. The registry operated by Jiangsu Bangning Science & Technology Co. Ltd. has not responded to requests for comment. The report also highlighted an increase in phishing sites hosted through the InterPlanetary File System (IPFS), making it harder to take down such sites. Domain registrars and registries could reduce the number of phishing sites by flagging customers who register large volumes of domains at once. ICANN usually only sends enforcement letters when recipients ignore private notices or fail to pay membership fees, with a majority of warning letters citing non-payment as a reason.

  • Whose Voice Is It Anyway? AI-Powered Voice Spoofing for Next-Gen Vishing Attacks - AI-powered voice cloning technology is being used by scammers for vishing attacks to steal money and sensitive information. Attackers can use AI voice spoofing to gain initial access, move laterally within a network, and escalate privileges. Organizations can defend against these threats by educating employees, using source verification, and considering future technical measures such as digital watermarking and real-time detection tools. Mandiant has conducted controlled red team exercises using AI voice spoofing to demonstrate the effectiveness of these attacks, highlighting the need for heightened security measures.

  • What I learned from the ‘Microsoft global IT outage’ - The author, Kevin Beaumont, woke up to discover that CrowdStrike, a cybersecurity vendor, caused the largest IT outage ever by pushing out a faulty product update that broke nearly 9 million Windows systems. The media incorrectly attributed the outage to Microsoft. Beaumont argues that cybersecurity vendors have too much power and lack transparency and accountability. He calls for more transparency, accountability, and independent testing in the cybersecurity industry to prevent incidents like the CrowdStrike outage in the future. Beaumont also criticizes the spread of conspiracy theories surrounding the incident and emphasizes the need for customers to demand better from cybersecurity vendors.

  • Threat Actor Uses Fake CrowdStrike Recovery Manual to Deliver Unidentified Stealer - On July 22, 2024, CrowdStrike Intelligence identified a Word document that impersonates a Microsoft recovery manual and contains macros that download an unidentified stealer, known as Daolpu. The malware collects credentials from Chrome and Mozilla browsers and sends them to a command-and-control server. CrowdStrike recommends communicating only through official channels, checking website certificates, training users to avoid untrusted sources, and enabling download protection in browsers.

  • CrowdStrike blames a test software bug for that giant global mess it made - CrowdStrike attributes the global crash of 8.5 million Windows machines to a bug in its test software. The bug was in the Content Validator, which failed to prevent the release of a faulty template instance. This led to out-of-bounds memory reads and Windows operating system crashes. CrowdStrike has promised to test future content more rigorously and to provide release notes.

  • Falcon Content Update for Windows Hosts - CrowdStrike released a content configuration update for Windows sensors, which resulted in a Windows system crash on July 19, 2024. The issue was caused by a bug in the Content Validator, allowing problematic content to be deployed. CrowdStrike is taking steps to prevent this from happening again, including improving testing and error handling. Impacted hosts can be identified and remediated using various methods outlined in the guidance hub. Third-party vendors are also providing support for impacted customers.

  • How a North Korean Fake IT Worker Tried to Infiltrate Us - KnowBe4, a cybersecurity company, discovered that a fake IT worker from North Korea tried to infiltrate their systems by posing as a legitimate employee. The individual used a stolen identity and AI-enhanced fake photo to pass background checks and interviews. The company's security controls detected the malware-loaded workstation before any data was compromised. KnowBe4 shared the incident to raise awareness about the importance of vetting processes and continuous security monitoring to prevent insider threats and cyberattacks.

  • APT45: North Korea’s Digital Military Machine - APT45 is a North Korean cyber operator that has been active since 2009, initially focusing on espionage campaigns against government agencies and defense industries. The group has since expanded into financially-motivated operations, including the suspected development of ransomware. APT45 has targeted critical infrastructure, nuclear research facilities, and healthcare and pharmaceutical companies, reflecting the regime's changing priorities. The group's use of malware tools and attribution to North Korea's Reconnaissance General Bureau suggest state sponsorship. The group's activities are expected to continue aligning with North Korea's geopolitical interests.

  • Secure Boot is completely broken on 200+ models from 5 big device makers - Secure Boot, a security feature meant to protect against BIOS-dwelling malware, has been compromised on over 200 device models from major manufacturers like Acer, Dell, Gigabyte, Intel, and Supermicro. A cryptographic key used in Secure Boot was leaked in 2022, allowing anyone with privileged access to execute malware during system boot. The compromise raises doubts about the integrity of Secure Boot on over 300 additional device models from various manufacturers, as the keys cannot easily be revoked without potentially bricking a large number of devices. This situation highlights the challenges of maintaining security in complex supply chains and the practical limitations of revoking compromised security keys.

  • "If you have knowledge, let others light their candles in it." - Sharing lessons learned from cybersecurity incidents and near misses is crucial for improving overall security. By openly discussing how attacks occurred, the measures taken, and the outcomes, organizations can learn from each other and strengthen their defenses. This transparency, encouraged by governments and regulators, fosters a collaborative environment where mistakes are acknowledged, and collective resilience is built, benefiting the entire cybersecurity ecosystem.

  • New Chrome Feature Scans Password-Protected Files for Malicious Content - Google's Chrome web browser has introduced a new security feature that scans password-protected files for potential malicious content. The feature includes detailed warnings for suspicious and dangerous files, allowing users to make informed decisions. Users can opt-in for automatic deep scans and send password-protected files for scanning to Safe Browsing.

Techniques and Write-ups

  • Stargazers Ghost Network - Check Point Research identified the Stargazers Ghost Network, a sophisticated operation that distributes malware through GitHub accounts. The network involves multiple accounts that distribute malicious links and perform other actions to appear legitimate. The network acts as a 'Distribution as a Service,' allowing threat actors to share malware. The network has distributed various malware families and has a large number of active Ghost accounts. The network minimizes losses through the use of multiple accounts and automated processes. They have conducted successful campaigns targeting social media users and have operated publicly since 2024, making a significant profit. The network's operations make it difficult to detect malicious content on platforms like GitHub, and future ghost accounts powered by AI could pose even more challenges for detection. To protect against such threats, users must keep systems updated, verify links before clicking, raise cybersecurity awareness, and consult security specialists if needed.

  • Accelerating Analysis When It Matters - This post discusses how security professionals can quickly analyze multiple malware samples using malware configuration parsing to identify malware families and extract network indicators of compromise. An example is provided where a Bitbucket repository containing 10 malware samples from a threat actor was identified through this analysis. Using tools like Advanced WildFire's Malware Configuration Extraction (MCE) system can speed up the analysis process and help protect customers. The post emphasizes the importance of accelerating malware analysis to detect and counter malicious software efficiently. Customers using Palo Alto Networks products such as Cortex XDR and XSIAM are better protected from the threats discussed in the article.

  • Injecting Java in-memory payloads for post-exploitation - In this detailed article, the author discusses injecting Java in-memory payloads for post-exploitation, focusing on exploiting vulnerabilities in Java applications like Bitbucket and Confluence. The techniques involve injecting payloads in the JVM, interacting with web-based applications, and manipulating components to alter application behavior. The author provides practical examples and scenarios, highlighting the importance of detecting and mitigating such payloads for blue teams.

  • Exploiting Broken Authentication Control In GraphQL - The article discusses the importance of addressing security concerns in GraphQL APIs as its adoption grows in enterprise systems. A vulnerability was identified in a financial application that used a GraphQL API, allowing unauthorized access with administrative privileges. The attack exploited broken authentication and authorization controls, emphasizing the need for proper validation of user-supplied data in GraphQL to prevent such vulnerabilities. The article highlights the significance of addressing basic security practices effectively to prevent recurring vulnerabilities like broken access controls.

  • Recursive Amplification Attacks: Botnet-as-a-Service - A recent client engagement revealed an attack path in a startup's data platform that could be exploited for Distributed Denial of Service (DDoS) attacks. By using the platform's public source API and ETL capabilities, an attacker could create a recursive amplification attack, potentially leading to a Botnet-on-Demand. The lack of enforced rate limits and vulnerabilities in the platform's sandbox environment allowed for the exploitation of these security flaws, demonstrating the importance of strict rate limits for SaaS data platforms to prevent such attacks. The client has since implemented upper-bound rate limits and other security measures to mitigate the risk.

  • How to Bypass EDR With Custom Payloads - In this article, the author discusses the importance of using custom payloads to bypass endpoint detection and response (EDR) protections when phishing. Custom payloads are better than stock shellcode because they are less likely to be recognized by EDR software. The author provides examples of writing a custom reverse shell implant and emphasizes the importance of keeping implants simple and modular to avoid detection. The article also covers encryption techniques and environment keying to protect the implant and ensure it only runs on intended targets.

  • Malware and cryptography 30: Khufu payload encryption. Simple C example. - This post explores using the Khufu Feistel cipher for encrypting malware payloads, with a simple C example provided. The Khufu algorithm operates on blocks of data split into two halves and undergoes rounds resembling a Feistel network. The encryption and decryption functions are implemented, demonstrating how to encrypt and decrypt shellcode block by block. The resistance of the Khufu cipher to differential cryptanalysis is discussed, along with the potential for key recovery in a chosen plaintext attack. This post serves as a resource for malware researchers, programmers, and cybersecurity professionals.

  • Tips for SOCLess Oncall - The article discusses tips for handling alerts in a SOCLess (Autonomic Security Operations) environment, where alert triage is decentralized to system experts. It emphasizes the need for an adaptive, agile, and highly automated approach to threat management to avoid overwhelming security teams with alerts. The article also highlights the importance of setting up a taxonomy for alerts, automation maturity, and minimally lovable automation to improve alert handling efficiency. It suggests implementing Crowdalert's platform for Alert Verification, Prioritization, Dispatch, and Identity Visibility for better alert management.

  • WhatsApp trick: Android malware can impersonate PDF file - A security issue was discovered in WhatsApp Messenger for Android that allows attackers to disguise malicious Android apps as PDF files shared in chat. This could trick users into downloading and installing harmful applications. The bug can only be exploited using WhatsApp's API, not by sending a crafted payload within the app. This issue has been reported to Facebook's security team but was not considered a security vulnerability. It is important for users to be aware of this deceptive trick and to be cautious when receiving files in WhatsApp.

  • Vulnerabilities in LangChain Gen AI - Researchers from Palo Alto Networks have identified two vulnerabilities in LangChain, a popular open source generative AI framework. The flaws could allow attackers to execute arbitrary code and access sensitive data. LangChain has since issued patches to address these vulnerabilities. The article provides a detailed technical analysis of the security issues and offers guidance on mitigating similar threats. Palo Alto Networks encourages users to update to the latest version of LangChain to ensure protection from these vulnerabilities.

  • Unveiling the Scam: How Fraudsters Abuse Legitimate Blockchain Protocols to Steal Your Cryptocurrency Wallet - Check Point Research has identified that fraudsters are using legitimate blockchain protocols to conduct sophisticated scams. They exploit platforms like Uniswap and Safe.global to trick users into transferring their cryptocurrency assets to the attackers' wallets. By leveraging the trust and functionality of well-established platforms, scammers are able to disguise their malicious activities and make detection and prevention more challenging. It is important for users to verify the legitimacy of contracts and transactions, avoid blindly accepting requests, and stay informed about the latest scams to protect their digital assets from such advanced fraudulent schemes.

  • Breaking Instruction Hierarchy in OpenAI's gpt-4o-mini - OpenAI's gpt-4o-mini has made safety improvements regarding "Instruction Hierarchy" to prevent loopholes. Despite these updates, system instructions are not a security boundary and can be easily overridden. Prompt injection attacks can bypass system instructions and extract sensitive information. OpenAI's approach does not address the security implications of injecting untrusted data into system or user messages. Developers should not solely rely on system instructions for security and must be cautious of prompt injection vulnerabilities.

  • 3 ways to get Remote Code Execution in Kafka UI - In the GitHub blog post, the author explores three critical vulnerabilities in Kafka UI that can lead to Remote Code Execution (RCE). The first vulnerability (CVE-2023-52251) involves RCE via Groovy script execution, while the second vulnerability (CVE-2024-32030) allows for RCE via JMX connector. The third vulnerability (CVE-2023-25194) enables RCE via JndiLoginModule. The blog post details how these vulnerabilities can be exploited and emphasizes the importance of upgrading to version 0.7.2 of Kafka UI, where these vulnerabilities have been patched.

  • The Security Principle Every Attacker Needs to Follow - The article discusses the importance of the Clean Source Principle in attack paths for red team operations. It explains how identity-driven offensive tradecraft focuses on abusing identity and access management to achieve offensive goals. By emphasizing the need for security dependencies to be as trustworthy as the object being secured, attackers can uncover and exploit new attack paths. The Clean Source Principle guides attackers in identifying and navigating complex hybrid environments to achieve their objectives.

  • From RA Group to RA World: Evolution of a Ransomware Group - RA Group, now known as RA World, has shown increased activity since March 2024, with a focus on exfiltrating data from victims before encrypting it and using it as leverage for ransom demands. The group has targeted organizations primarily in the healthcare and manufacturing sectors, with the US being the most affected country. Palo Alto Networks provides protections against RA World's ransomware, including cloud-delivered security services and advanced URL filtering. There are possible connections between RA World and the Chinese threat group BRONZE STARLIGHT, but these are unverified with low confidence. Mitigations and protections are outlined for organizations potentially impacted by RA World.

  • Pwn2Own Automotive: Popping the CHARX SEC-3100 - In the Pwn2Own Automotive event, exploits were demonstrated on the CHARX SEC-3100 controller service by exploiting unsafe C++ destructor ordering during process teardown. A use-after-free bug was leveraged to gain remote code execution, with an ASLR bypass method involving BSS spraying to improve the probability of success. The exploit chain involved crafting fake objects in memory, controlling list traversal, and eventually achieving arbitrary code execution through call-oriented programming gadgets. The overall exploit flow required brute-force guesses for ASLR slides but resulted in successful exploitation in under a minute on average.

  • View State, The unpatchable IIS forever day being actively exploited - View state exploitation, specifically in the context of a Microsoft Exchange server, has been discussed in detail, including how to exploit it and how to detect and remediate it. The process involves acquiring machine keys, crafting a malicious view state, executing an attack, detecting potential compromises through event logs, and resetting the machine keys in case of a compromise. Various scripts and tools are available to assist in this process. Remember to back up before making any changes to the machine keys.

  • Cursed tapes: Exploiting the EvilVideo vulnerability on Telegram for Android - ESET researchers discovered a zero-day exploit, called EvilVideo, that targeted Telegram for Android, allowing attackers to send malicious payloads disguised as videos. The vulnerability was reported to Telegram and patched on July 11, 2024. The exploit could trick users into installing malicious apps disguised as multimedia files. While the vulnerability has been fixed, it is important to stay vigilant against similar threats in the future.

  • A hex editor and nothing to lose - Binary patching Golang to fix net/http - The article discusses using a hex editor to patch Golang code at the assembly level to modify behavior in the standard library, specifically in the net/http package. The author identifies an issue where Golang's net/http object canonicalizes headers, affecting proxy behavior. They provide a detailed walkthrough of how they patched the code at the assembly level to fix the issue and explain the process step by step. The article emphasizes how understanding assembly language can allow users to modify code on their systems. Additionally, the author demonstrates the same process on an aarch64 system and explains how the same principles can be applied to different architectures.

  • (CVE-2024-1837) Singtel RT5703W Unauthenticated Command Injection RCE via Login Vulnerability - The Singtel WI-FI 6 ROUTER RT5703W has an unauthenticated OS Command Injection vulnerability that allows attackers to execute arbitrary commands with root privileges. The vulnerability is in the login process of the admin panel, where the username value is inserted into a command string that is later executed as a system command. An exploit script in Python3 is provided to demonstrate the vulnerability, allowing attackers to start a telnet service and gain a shell. Mitigation measures include ensuring the newline character is included in the sanitization list and checking server access logs for suspicious activity.

  • (CVE-2024-1838) Singtel RT5703W Authenticated Command Injection RCE via SetLoginPwd Vulnerability - A high severity authenticated command injection vulnerability (CVE-2024-1838) exists in the Singtel WI-FI 6 ROUTER RT5703W, allowing an attacker with LAN access to execute arbitrary OS commands with root privileges. The vulnerability occurs during the password changing process in the admin panel, where the user-supplied password is inserted into a command string that is later executed. A Python3 exploit has been created to demonstrate the vulnerability, which allows an attacker to start a telnet service at port 31337. The issue can be mitigated by using functions like execve() instead of concatenating user input together for command execution. Detection of exploitation can be done by monitoring the server's access logs for suspicious POST requests to the vulnerable endpoint.

  • JNDI Injection Remote Code Execution via Path Manipulation in MemoryUserDatabaseFactory - The blog post discusses a method to achieve remote code execution via a JNDI injection in MemoryUserDatabaseFactory. The author found the vulnerability independently and describes the process in detail, including exploiting the object lookup process and manipulating paths. The post includes code snippets and a proof of concept for the attack. The vulnerability requires specific libraries and conditions to be present in the target application for successful exploitation.

  • EDR Telemetry Blocking via Person-in-the-Middle Attacks - Tier Zero Security in New Zealand explores effective EDR telemetry blocking through Person-in-the-Middle network filtering attacks. By conducting ARP spoofing and using iptables, attackers can hide alerts from the SOC team by blocking telemetry packets. The blog explains how the PitM attack works, the challenges of blocking EDR telemetry on victim hosts, and introduces a custom Python tool called the EDR Telemetry Blocker that uses Scapy to parse TLS handshakes and drop packets based on destination IP addresses. The tool was tested against Microsoft Defender for Endpoint and CrowdStrike, with instructions on how to block telemetry from these services. It also provides tips on mitigating PitM attacks and gaining access to internal networks.

  • Impact of FrostyGoop ICS Malware on Connected OT Systems (PDF) - FrostyGoop, discovered by Dragos in April 2024, is the ninth industrial control systems (ICS) specific malware and the first to use Modbus TCP communications to impact operational technology (OT). It was used in a cyber attack on a district energy company in Lviv, Ukraine, causing a two-day heating outage. Given the widespread use of Modbus devices, this threat underscores the urgent need for ICS network visibility and monitoring of Modbus traffic.

  • NO_WILDCARD: How I discovered the Organization ID of any AWS Account - The author of the post discovered how to find the Organization ID of any AWS account by exploiting VPC Endpoint Policies, which AWS later changed to prevent this technique. By creating a VPC Endpoint for EventBridge, the author was able to determine the Organization ID of an arbitrary AWS account within 5 minutes. This finding led to AWS implementing significant changes to prevent similar exploitation in the future.

  • Automating enumeration of missing reply URLs in Azure multitenant apps - The blog post discusses the automation of enumeration of missing reply URLs in Azure multitenant apps, highlighting the risks of unregistered reply URLs and how they can be abused for impersonation and tenant takeover. The post introduces a tool that can enumerate single and multitenant applications without user interaction, using PowerShell scripts and APIs to determine the types of reply URLs and their vulnerabilities. The tool automates the process of identifying vulnerable reply URLs, improving the security of Azure applications against potential attacks by third-party providers.

  • from 0xc000142 to understanding windows login setup - The author recounts their journey exploring a Windows login setup with a custom authentication package, which led them into Windows authentication mechanisms and access tokens. They encountered issues with ACLs on desktop and station objects, which they debugged and resolved. The blog post ends with a discussion of the correct approach to using network logon and fixing the issues encountered. The author plans to continue exploring authentication package development in future posts.

  • Hiding Linux Processes with Bind Mounts - The article discusses a technique for hiding Linux processes using bind mounts by overlaying the directory for the evil process with a different directory. Instead of creating a spoofed directory, the author suggests using existing directories from other processes, such as kernel processes, to effectively hide the evil process. The article provides a refined approach for detecting and unmounting the bind mounted directories, ensuring that the evil process can be revealed again if needed. The technique is highlighted as a useful tool for red teamers and a helpful trick for blue team analysts.

  • Anyone can Access Deleted and Private Repository Data on GitHub - GitHub allows anyone to access data from deleted and private repositories, even after they have been deleted. This poses a significant security risk for organizations using GitHub, as sensitive information can be accessed by unauthorized parties. This vulnerability, known as Cross Fork Object Reference (CFOR), allows users to access commit data from repositories, including private and deleted forks. This issue extends beyond GitHub, highlighting the need for increased awareness and security measures to protect sensitive data.

  • AI Tool Identifies BOLA Vulnerabilities in Easy!Appointments - Unit 42 researchers developed an AI tool to detect Broken Object-Level Authorization (BOLA) vulnerabilities in the Easy!Appointments web application. They found 15 BOLA vulnerabilities in Easy!Appointments, which could allow low-privileged users to view and manipulate appointments created by more privileged users. The researchers collaborated with the vendor to patch the vulnerabilities in the latest version of Easy!Appointments. Organizations are advised to upgrade to version 1.5.0 or later immediately to mitigate the risks. The use of APIs is increasing, leading to a rise in API vulnerabilities like BOLA, making it crucial for organizations to stay vigilant and update their software promptly.

  • Vulnerabilities in AI Agents - Vulnerabilities in AI agents, such as LLM systems, have been identified by LRQA Nettitude Labs. These vulnerabilities can include command injection in agent tools, JSON injection, and SSRF in AI agents browsing websites. LRQA Nettitude Labs has a team of AI security researchers dedicated to identifying and mitigating these vulnerabilities to ensure clients are protected against emerging risks in the rapidly evolving field of artificial intelligence. They offer red team training and other resources to help individuals and organizations stay ahead of potential threats in AI technology.

  • Thread Name-Calling – using Thread Name for offense - Check Point Research (CPR) has introduced the Thread Name-Calling technique as a new injection method to implant shellcode into a running process on Windows. The technique bypasses traditional endpoint protection measures by using APIs like GetThreadDescription and SetThreadDescription. By abusing these APIs, attackers can inject code into a remote process without being detected by common security products. The method involves remote memory allocation, writing, and execution of shellcode using APC calls on existing threads within the target process. This technique can be used for offensive purposes like hiding code implants and conducting remote code injections.

  • Google Colab AI: Data Leakage Through Image Rendering Fixed. Some Risks Remain. - Google Colab AI, now called Gemini, had a vulnerability that allowed data leakage through image rendering, which has been fixed. However, some risks remain, such as potential data exfiltration through clickable hyperlinks. The issue was reported to Google but was not rewarded; the company has implemented some mitigations, although security concerns remain. The risk of scams, phishing, and data leakage through prompt injection is still a concern for users of Google Colab AI.

  • The tap-estry of threats targeting Hamster Kombat players - ESET researchers have uncovered malicious threats targeting players of the popular Hamster Kombat clicker game, which has gained popularity among cryptocurrency enthusiasts. Cybercriminals are taking advantage of the game's success by distributing Android spyware and fake app stores that deliver unwanted advertisements. Additionally, Windows users are being targeted with GitHub repositories distributing Lumma Stealer cryptors under the guise of offering gaming automation tools. The rise of threats surrounding Hamster Kombat highlights the need for caution when downloading games from unofficial sources.

  • How to Use Python in Hacking - Python programming is highlighted as a valuable skill for cybersecurity professionals, particularly in automating tasks, writing custom tools, extending existing projects, fixing broken exploits, and emulating adversarial network traffic. The article also provides resources and advice on learning Python and advancing in the cybersecurity field.

  • DoNex/DarkRace Ransomware Decryptor - Sector 7 was asked by the Dutch Police to help with creating a decryptor for the DoNex/DarkRace ransomware, which was found to have a vulnerability in its encryption process. The ransomware uses a stream cipher without generating a new key for each file, making it possible to recover encrypted files with the correct keystream. The ransomware encrypts files based on their size, with certain files potentially being left unencrypted due to a bug. Sector 7 has developed a decryptor that can recover all files encrypted by the ransomware, which can be downloaded for free from No More Ransom.

  • SeleniumGreed: Threat actors exploit exposed Selenium Grid services for Cryptomining - Wiz Research has identified a cryptomining campaign called SeleniumGreed that exploits exposed Selenium Grid services for malicious purposes. The threat actor targets vulnerable instances of Selenium Grid, leveraging features of the Selenium WebDriver API to run Python scripts that download an XMRig cryptominer. Organizations are advised to implement network security controls, such as limiting network access and enabling basic authentication, to defend against this threat. Wiz offers tools like the Dynamic Scanner and Runtime Sensor to help detect and respond to such attacks in cloud environments.

  • Multiple Vulnerabilities in the Deep Sea Electronics DSE855 - Trend Micro's Zero Day Initiative discovered multiple vulnerabilities in the Deep Sea Electronics DSE855 communications device, including authentication bypass, buffer overflows, and denial of service issues. The bugs were found in the software version 1.1.0 and hardware version 4.00 of the device. Despite reporting the vulnerabilities to the vendor and following up multiple times, the issues were not patched within the standard 120-day timeframe, leading to their publication as zero-day advisories in June. The blog post provides a detailed analysis of the vulnerabilities and the interactions with Deep Sea Electronics regarding responsible disclosure.

  • How to Make Adversaries Cry: Part 1 - The passage describes how cognitive computing is changing the way doctors diagnose and treat diseases by utilizing artificial intelligence and machine learning algorithms. It explains how these technologies can analyze vast amounts of data from medical records, research studies, and other sources to provide more accurate and personalized healthcare recommendations. The integration of cognitive computing in healthcare is expected to improve patient outcomes and streamline medical processes.

  • Studying 0days: How we hacked Anki, the world's most popular flashcard app - Researchers discovered a zero-day vulnerability in Anki, the popular flashcard app, that allowed for remote code execution. Despite initial skepticism about Anki's security, the researchers found that addons, not flashcards themselves, were the vulnerable point. After 10 days of analysis and development, including a break for holidays, they were able to exploit the vulnerability. The discovery highlights the importance of continually assessing and improving the security of popular software applications.

  • We hacked Anki - 0 day exploit from studying someone elses flashcards - Two individuals found multiple security exploits in Anki, a popular flashcards program, by studying shared decks that contained malicious code. The exploits ranged from getting system information to full remote code execution. They were able to create files, read files, and execute arbitrary code using LaTeX and JavaScript. The most serious exploit allowed for remote code execution in Anki on Windows through MPV, but required specific circumstances to work. The individuals disclosed the exploits to Anki and fixes were implemented promptly. They also highlighted the importance of updating Anki and being cautious when importing shared decks to avoid potential security risks.

  • PKfail: Untrusted Platform Keys Undermine Secure Boot on UEFI Ecosystem - PKfail is a security issue affecting the UEFI ecosystem, where untrusted Platform Keys undermine Secure Boot security. The Binarly REsearch Team discovered that test Platform Keys generated by American Megatrends International were being used in production devices, leaving them vulnerable to exploitation. Recommendations to mitigate PKfail include generating and managing Platform Keys securely and replacing test keys with properly generated ones. Users should stay informed about firmware updates and apply security patches to protect themselves from PKfail vulnerabilities.

  • ConfusedFunction: A Privilege Escalation Vulnerability Impacting GCP Cloud Functions - Organizations using Google Cloud Platform's Cloud Functions are at risk of a privilege escalation vulnerability named ConfusedFunction, discovered by Tenable. This vulnerability allows attackers to gain access to excessive permissions through the default Cloud Build service account attached to the Cloud Function deployment process. Although Google Cloud has partially remediated the issue for new accounts created after mid-June 2024, existing instances are still affected. Tenable advises organizations to monitor and take preventive action to address this vulnerability.

  • Double Dipping Cheat Developer Gets Caught Red-Handed - A cheat developer for the game Escape From Tarkov, known for the cheat EvolvedAim, was caught double-dipping by selling a cheat with an information stealer bundled with it. The cheat developer targeted adult players, stealing personal information and potentially gaining access to companies worldwide. CyberArk offers identity security solutions to help organizations protect their workforce, high-risk users, desktops, servers, and external access. The cheat developer's malicious actions were uncovered by CyberArk Labs, showcasing the dangers of using cheats with malware.

  • Linux Shellcoding - The article discusses the importance of Linux Shellcoding for security professionals, explaining how shellcode can be used in penetration testing and red teaming to exploit vulnerabilities and evade detection. It covers topics such as low-level operations, payload for exploits, evasion techniques, and understanding the x86 Intel register set. The tutorial provides examples of writing shellcode to spawn a Linux shell, avoiding null bytes, and utilizing system calls in assembly programs. The author, a malware developer, emphasizes the importance of mastering these techniques for creating effective malware tools.

  • Revealing the Inner Structure of AWS Session Tokens - This article discusses the research done on the inner structure of AWS Session Tokens, which were previously a black box. The researchers were able to decode the tokens, analyze their contents, and test their resilience against forging attacks. The findings include the identification of cryptographic primitives used, discovery of multiple token variants, and the creation of tools to manipulate token fields. The research highlights the importance of understanding authentication protocols and calls for AWS to make their protocols open standard for security assessment.

  • Brute Ratel C4 Badger Used to Load Latrodectus - The article discusses the analysis of the Brute Ratel C4 Badger used to load Latrodectus, a malware loader suspected to be a successor to the IcedID malware. The Brute Ratel C4 framework is known for its ability to bypass EDR solutions. The article explains the process of how the Brute Ratel C4 Badger loads the Latrodectus malware into memory, including details of the encryption and evasion techniques used. The author provides a breakdown of the techniques employed by the malware to evade EDR solutions and gather system information. Additionally, indicators of compromise are provided for detection purposes.

Tools and Exploits

  • Chunk Loader - Chunk Loader is a Chrome/Firefox extension that helps security researchers and bug bounty hunters load and analyze JavaScript chunks from specified URLs in React applications. It allows users to customize the file extension and base path for chunk files, persist settings across browser sessions, and automatically find chunks in _buildManifest.js files. To use the extension, users must clone the repository, load it in Chrome, and follow the steps outlined in the instructions. Contributions to the project are welcome, and it is licensed under the MIT License.

  • CODASM - CODASM is a payload encoding utility that lowers payload entropy effectively. It generates legit-looking shellcode to embed arbitrary payloads in the .text section of binaries. The tool is a Python script that supports MSVC & MINGW without any specific Python dependencies. It allows encoding data into pseudo ASM instructions and comes with overhead ranging from 80-120%. Users can clone the repository locally to use the tool and follow the provided usage instructions to encode and compile payloads. Additionally, users can contribute to the project by forking the repository, implementing changes, and creating pull requests.

  • ZeroHVCI - Defeating HVCI without admin privileges or a kernel driver - ZeroHVCI is a project on GitHub that allows for arbitrary kernel read/writes and function calling in Hypervisor-Protected Code Integrity (HVCI) environments without needing admin privileges or a kernel driver. It leverages CVE-2024-26229 for kernel read/writes and uses a project by Dmytro Oleksiuk for HVCI-compliant kernel function calling. This project can be used for various purposes such as memory-hacking against anti-cheats and as a toolkit against AVs/EDRs/XDRs. The project is credited to Eric Egsgard and Dmytro Oleksiuk.

  • SessionExec - SessionExec is a tool that allows users to execute specified commands in other Sessions on Windows Systems, either targeting a specific session ID or all sessions, with the option to suppress command output. The tool is inspired by the EOP COM Session Moniker exploit code released by James Forshaw. Users must have SYSTEM privileges to run this tool successfully, and it can be used for various tasks such as checking sessions, running commands on specific sessions, and potentially compromising a domain. The tool is still in the Proof of Concept stage and is being developed further.

  • Benign Hunter - The GitHub repository "BenignHunter" contains a tool created to identify benign native APIs that are not hooked by EDRs, providing sample output to help target specific EDRs. The tool opens a handle to NTDLL, parses exported functions, and checks for hooks to determine which APIs are deemed benign.

  • Ronin 2.1.0 finally released! - Ronin 2.1.0 has been released after nearly a year of development, bringing new libraries and commands for various security tasks. The update includes new networking and OSINT database models, a DNS proxy library, an automated browser library, and more. Ronin is a free and Open Source toolkit for security research and development, offering tools for tasks such as encoding/decoding data, scanning for vulnerabilities, and managing databases. Users can install Ronin using a bash script or manual instructions, and update it by running gem update ronin. Support for snap images is currently being upgraded to be compatible with Ruby 3.1.-contributed by a new core-team member. Users are encouraged to consider donating to Ronin to support the development of high-quality security tools.

  • Reply URL Brute - The GitHub repository "reply-url-brute" contains a tool developed by FalconForceTeam to enumerate unregistered reply URLs for single and multitenant apps in Azure. The tool automates the process of checking for vulnerable reply URLs by querying service principals, enriching reply URLs, and determining the availability of resources. Users need to provide specific information and cookies before running the script, and the tool provides verbose output, allowing users to identify vulnerable reply URLs that return tokens without consent. The script can take time to run, depending on the number of service principals and scopes tested.

  • pwntainer - This GitHub repository contains a Docker container with all required CTF tools for cybersecurity competitions. The repository provides instructions for building and running the container, as well as notes on debugging x86_64 binaries on Apple Silicon. It also mentions using QEMU as an alternative due to known issues with Docker on Mac. Additionally, the repository includes information on how to install and set up the necessary tools for using the container.

  • EDR Telemetry Blocker - The GitHub repository TierZeroSecurity/edr_blocker offers a tool that blocks EDR telemetry by performing a Person-in-the-Middle attack with network filtering using iptables. The tool parses blocked destination IP addresses based on the server name in the TLS Client Hello packet and a provided list of blocked server names or strings. Users can run the tool with specified arguments to perform ARP poisoning against victim hosts and block EDR telemetry. Detailed usage instructions and commands are provided in the repository.

  • Gouge: Gouge for URLs! - Gouge is a Burp Suite extension written in Python that extracts URLs from webpages and their associated JS files. Users can download the extension, add it to Burp Suite, and start extracting URLs by clicking the "Gouge" button. To build Gouge, Python must be installed on the computer and the required dependencies can be installed using pip. Contributions to Gouge, such as suggestions or improvements, can be made by opening an issue or submitting a pull request on the Gouge GitHub repository.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • Deep-tempest: Using Deep Learning to Eavesdrop on HDMI from its Unintended Electromagnetic Emanations - The GitHub repository "deep-tempest" focuses on using deep learning to enhance the quality of TEMPEST images that capture unintended electromagnetic emanations from video displays. The project aims to improve the recovery and readability of text from these images. The repository also provides access to the source code, dataset, and instructions for replicating the work using Python and GNU Radio. Additionally, the project includes a guide on how to execute image capturing, inference, and training processes using a deep learning architecture.

  • Punch Card Hacking – Exploring a Mainframe Attack Vector - Mainframes are crucial for handling high volume workloads like credit card transactions and airline reservations, but few security professionals understand their complexities. This article explores a method for penetration testing mainframes using punch cards and JCL syntax. By submitting jobs via FTP, testers can exploit vulnerabilities and debug errors to gain access and execute various commands on mainframes. This technique opens up a new attack vector for security assessments on these powerful machines.

  • Introducing the REx: Rule Explorer Project - The REx project, or Rule Explorer Project, is a collection and breakdown of popular open security detection rules for analysis and exploration using the Elastic stack. The Detection Engineering Threat Report (DETR) is a visual component of the project that provides insights into the detection landscape in a report format. The project aims to provide a platform for analyzing rules and the detection engineering ecosystem in new ways, focusing on rule development, the threat landscape, and unique changes over time. The goal is to offer different perspectives and help users understand the detection landscape better.

  • Cybersecurity and the accountability black hole - The blog post discusses the concept of accountability in cybersecurity, highlighting how responsibility is often shifted and blurred in the industry. It explores the lack of liability in End User License Agreements (EULAs) for software and cloud services, as well as the role of CISOs in accepting risk without facing consequences. The post suggests the need for regulation to incentivize secure products and discusses the idea of capping legal costs and liability. Overall, the author questions whether accountability in the cybersecurity world is being actively avoided.

  • HotPage: Story of a signed, vulnerable, ad-injecting driver - In a recent study, a sophisticated Chinese browser injector, HotPage, was found to deploy a signed driver capable of injecting code into remote processes and intercepting browser traffic. Despite being marketed as an "Internet café security solution" aimed at Chinese-speaking individuals, the malware actually displayed game-related ads and sent computer information to the company's server. The driver's lack of access restrictions allowed for potential privilege escalation, posing a significant security risk. Microsoft removed the offending driver from the Windows Server Catalog following a coordinated disclosure process. ESET technologies have detected this threat as HotPage.

  • RDGAs: The Next Chapter in Domain Generation Algorithms - RDGAs, or registered domain generation algorithms, are a new technique being used by threat actors to covertly create millions of new domains for malicious purposes. Traditional DGAs have evolved into RDGAs, making them harder to detect and defend against. Threat actor Revolver Rabbit has registered over 500k domains on the .bond TLD using RDGA patterns. The security industry has largely overlooked RDGAs, but organizations should implement automated detection to protect their networks.

  • Dreo Cloudcutter - The GitHub repository ouaibe/dreo-cloudcutter describes how to locally control Dreo fans without relying on cloud services, using Home Assistant. It includes information on hacking the fan firmware, reversing the UART protocol, and building an ESPHome integration. The process involves dumping the firmware, understanding the communication protocol, and updating the fan's software. The guide warns against the risks of bricking the fan and recommends caution when attempting these modifications on other fan models. The author does not plan to maintain the project actively but encourages others to fork and contribute.

  • Hardware and firmware reverse engineering primer: dissecting an FPV and video surveillance platform - Subreption is a company that specializes in hardware and firmware reverse engineering, particularly focusing on information assurance and secure communications. They have a history of successfully identifying security vulnerabilities in widely used systems and products, such as those developed by Microsoft and Apple. In a recent project, Subreption dissected an FPV and video surveillance platform to understand its operating system, hardware interfaces, and device-specific configurations. Through reverse engineering, they were able to activate the USB power and wireless interface, enabling further development on the platform. They adhere to fair use and legal guidelines, utilizing Section 103(f) of the Digital Millennium Copyright Act to validate their reverse engineering efforts.

  • I hacked a card printer software (CVE-2024-34329) - The author hacked a card printer software (CVE-2024-34329) to demonstrate privilege escalation on Windows. By analyzing the software's behavior, they found that a missing DLL could be loaded from a folder which a regular user has write access to. They created a malicious DLL to exploit this vulnerability and achieved privilege escalation on their local computer. The security bulletin for the vulnerability can be found on the Entrust website.

  • Why Good Security Fails: The Asymmetry of InfoSec Investment - Investing in good security can lead to a false sense of security, causing organizations to cut back on funding and maintenance which can lead to security incidents. This gradual erosion of controls can have a significant impact on security effectiveness over time. To counteract this, organizations should monitor the health of their security resources, deliver incremental benefits, build support for security, and make resource scarcity more visible. Without proactive measures, security resources will gradually decline and potentially lead to significant failures.
