Last Week in Security - 2024-08-12
We're Hiring!
Immediate Open Positions:
Maryland Applicants:
We have openings for a Technical Writer, Red Team Operator, Red Team Operator Infrastructure Engineer, Red Team Operator Tool Developer, Systems Engineer, HPC Software Engineer, Information Systems Security Engineer, Cyber Operator Developer Analyst (CODA), Senior Data Analyst and Earned Value Management Specialist.
Virginia Applicants:
Available opportunities: Land and Expeditionary Warfare Specialist, Cyber Warfare Threat Analyst, and Cyber Network Operator.
For more open positions visit: https://www.sixgen.io/careers
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools, and exploits from the past couple of weeks. This post covers 2024-07-29 to 2024-08-12.
News
Proofpoint Email Routing Flaw Exploited to Send Millions of Spoofed Phishing Emails - An unknown threat actor exploited a permissive email routing configuration in Proofpoint's service to send millions of spoofed phishing emails impersonating popular companies. In the campaign, named EchoSpoofing, the attacker sent messages from SMTP servers hosted on VPS infrastructure and relayed them through Proofpoint's servers, so the messages passed SPF and DKIM checks for the impersonated domains and were not rejected by downstream filtering. Proofpoint addressed the issue by providing corrective configuration instructions to customers and by urging VPS providers and email service providers to limit spamming capabilities. The campaign was not attributed to any known threat actor, and no customer data was exposed.
Improving the security of Chrome cookies on Windows - Chrome's new App-Bound Encryption feature aims to protect users from malware that steals sensitive data such as cookies by encrypting that data with a key bound to the application's identity, so malware running as the user can no longer simply decrypt it with the user's own key as it could with DPAPI alone. Enterprises with roaming profiles may need to adjust their configurations to support this new protection.
Don’t Let Your Domain Name Become a “Sitting Duck” - Researchers have found that over a million domain names are vulnerable to cybercriminals due to authentication weaknesses at web hosting providers and registrars. This vulnerability allows cybercriminals to take over domains and use them for malicious activities like sending spam and phishing emails. This issue has been ongoing for years and still persists, with security experts urging for stricter verification measures to prevent domain takeovers. Multiple large hosting and DNS providers are still susceptible to this authentication weakness, leaving domains at risk of being hijacked for malicious purposes.
Microsoft need to be transparent about customer impacting DDoS attacks - Microsoft has been experiencing customer-impacting DDoS attacks that are causing network outages for Azure and Microsoft 365, yet has not been transparent about what is happening. After being called out by the Associated Press, Microsoft released a blog post but did not promote it on social media. The lack of transparency is a concern because another attack was ongoing at the time of writing, with Microsoft once again failing to disclose details to customers.
Multiple SMTP services are susceptible to spoofing attacks due to insufficient enforcement - Multiple hosted SMTP services do not adequately tie the authenticated sender to the identities in the message, allowing authenticated users and trusted networks to send emails with spoofed sender information. An authenticated remote attacker can therefore impersonate other customers of the same hosting provider, and the spoofed mail may still pass SPF, DKIM, and DMARC because those checks are satisfied by the provider's infrastructure rather than by the individual sender. Recommendations include verifying the identity of authenticated senders against the domain identities they are authorized to use, using reliable methods to ensure consistency between the network-level sender identity and the message headers, and implementing additional measures such as S/MIME and PGP for high-fidelity email authentication. Fixes and statements from vendors are ongoing.
Begging for Bounties and More Info Stealer Logs - Troy Hunt received an email claiming to have leaked user credentials from his service, but upon further investigation, it was found to be data from info stealer logs. These logs were used to attempt scams on companies by demanding bug bounties. Hunt received a large set of stealer logs from Telegram containing millions of unique email addresses, which he made searchable on Have I Been Pwned to help identify victims and potential scams. He is working on ways to make this data useful for organizations while also addressing privacy concerns.
Ransomware operators exploit ESXi hypervisor vulnerability for mass encryption - Ransomware operators are exploiting a vulnerability in ESXi hypervisors to gain full administrative permissions, allowing them to encrypt the file system and potentially exfiltrate data. Microsoft researchers identified the vulnerability and disclosed it to VMware, who released a security update to address it. Organizations are advised to install the update, monitor for suspicious activity, and protect highly privileged accounts to prevent exploitation. Ransomware operators are increasingly targeting ESXi hypervisors, making them a favored target due to limited visibility and protection from security products. Microsoft provides mitigation and protection guidance, along with detection and hunting queries for customers to safeguard against these attacks.
DigiCert Revocation Incident (CNAME-Based Domain Validation) - DigiCert recently had to revoke certificates because, in some CNAME-based domain control validations, the random value the applicant placed in DNS was used as a plain label rather than as a label prefixed with an underscore, as the CA/Browser Forum Baseline Requirements require. Roughly 0.4% of domain validations were affected, and the Baseline Requirements obliged DigiCert to revoke the affected certificates within 24 hours. DigiCert's preventive actions include consolidating and reviewing its random value generators, improving the user experience around domain control validation, embedding compliance team members in sprint teams, increasing test coverage, and open-sourcing its DCV code for community review.
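The underscore matters because a label that begins with `_` can never be an ordinary hostname, so the validation record cannot collide with, or be satisfied by, a host that someone other than the domain owner happens to control. The following is an added example (not DigiCert's code) of how a CA-side generator and a pre-issuance check can enforce the rule; the `example.com` authorization domain and the record layout are assumptions for illustration.

```python
import re
import secrets

# A conventional DNS label: letters, digits and hyphens, 1-63 characters.
# The leading underscore is handled separately so the check is explicit.
_LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def new_random_value(nbytes: int = 16) -> str:
    """Generate a random value for a DNS-based domain control validation challenge."""
    return secrets.token_hex(nbytes)


def dcv_cname_owner(random_value: str, authorization_domain: str) -> str:
    """Build the owner name the applicant must create for the CNAME challenge.

    The random value is prefixed with an underscore, which is the form the
    Baseline Requirements' DNS Change method calls for.
    """
    return f"_{random_value}.{authorization_domain.rstrip('.')}"


def check_dcv_owner(owner_name: str, authorization_domain: str) -> list[str]:
    """Return the compliance problems with a DCV CNAME owner name (empty list means OK)."""
    problems: list[str] = []
    adn = authorization_domain.rstrip(".")
    name = owner_name.rstrip(".")

    if not name.endswith("." + adn):
        problems.append("owner name is not under the authorization domain")
        return problems

    prefix = name[: -(len(adn) + 1)]
    labels = prefix.split(".")
    if len(labels) != 1:
        problems.append("expected exactly one label prefixed to the authorization domain")

    first = labels[0]
    if not first.startswith("_"):
        # This is the defect behind the incident: the random value was used
        # as a plain label, which a valid hostname could also be.
        problems.append("prefixed label does not begin with an underscore")

    body = first[1:] if first.startswith("_") else first
    if len(first) > 63 or not _LABEL_RE.match(body):
        problems.append("label is not a valid DNS label")
    return problems


if __name__ == "__main__":
    rv = new_random_value()
    good = dcv_cname_owner(rv, "example.com")
    bad = f"{rv}.example.com"  # the non-compliant form
    print(good, check_dcv_owner(good, "example.com"))
    print(bad, check_dcv_owner(bad, "example.com"))
```

Running the check over every pending validation before issuance, rather than only over the generator's output, is what catches the case where a second code path builds the label differently.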
Threat actor impersonates Google via fake ad for Authenticator - A threat actor impersonated Google through a fake ad for Google Authenticator, tricking users into downloading malware. The ad appeared to be from an official source verified by Google, but in reality, it led to a fake site for Authenticator hosting malicious software. The malware, DeerStealer, is designed to steal personal data, emphasizing the importance of being cautious when clicking on ads and only downloading software from official sources. Malwarebytes has blocked access to the fake Authenticator website and detects the payload as Spyware.DeerStealer.
Delta CEO: ‘When was the last time you heard of a big outage at Apple?’ - Delta Air Lines CEO Ed Bastian blamed Microsoft and CrowdStrike for the July 19th outage, which he says cost Delta $500 million and which was triggered by a faulty CrowdStrike update. Bastian called Microsoft's platform fragile and asked when Apple last had a big outage. Delta has hired legal representation to seek damages from the two companies, and CrowdStrike shareholders have filed a proposed class action lawsuit against the company. Bastian criticized both the flaw itself and CrowdStrike's deployment processes, emphasizing the need for thorough testing in mission-critical operations.
Windows Security best practices for integrating and managing security tools - This blog post discusses Windows security best practices for integrating and managing security tools, focusing on the recent CrowdStrike outage and the root cause analysis. It explains why security products use kernel-mode drivers and how Windows provides safety measures for third-party solutions. The post also highlights Microsoft's collaboration with third-party security vendors through the Microsoft Virus Initiative to ensure compatibility with Windows updates and address reliability issues. Additionally, it discusses Windows security features enabled by default in Windows 11 and how customers can deploy Windows in a higher security mode to increase reliability.
Threat Intel and Defense
Mandrake spyware sneaks onto Google Play again, flying under the radar for two years - A new version of Mandrake Android spyware was discovered on Google Play after flying under the radar for two years. The spyware was found in five different applications with over 32,000 installs. The spyware uses advanced obfuscation techniques, sandbox evasion, and encryption methods. The threat actors behind Mandrake have evolved their tactics to avoid detection and have been able to stay undetected by security vendors.
Stressed Pungsan: DPRK-aligned threat actor leverages npm for initial access - Stressed Pungsan, a DPRK-aligned threat actor, used npm to distribute malicious packages "harthat-hash" and "harthat-api" containing code to install additional malware. The malicious packages are linked to MOONSTONE SLEET, another DPRK-aligned group. Datadog's Security Research team discovered and tracked these packages, providing insight into the threat actor's methods. Datadog's Software Composition Analysis can help users check for and mitigate the impact of these malicious packages on their systems.
Brief Overview of the DeerStealer Distribution Campaign - Mohamed Talaat, a cybersecurity researcher and malware analyst, discusses the Brute Ratel C4 Badger framework, which is used for adversarial attack simulation and penetration tests. He details how the BRC4 framework can bypass endpoint detection and response solutions and how it was used to load the Latrodectus malware loader. Latrodectus is a sophisticated malware loader believed to be a successor to IcedID. The article provides a technical analysis of how the BRC4 badger loads the Latrodectus malware and evades EDR solutions. The final payload of the BRC4 framework is designed to gather system information, encrypt it, and send it to command and control servers, utilizing various EDR evasion techniques.
Detection Rules & MITRE ATT&CK Techniques - The article discusses the importance of accuracy and precision in mapping detections to the MITRE ATT&CK framework for effective threat detection. It highlights common errors in mapping and provides recommendations for improving accuracy and precision.
Protect Your Copilots: Preventing Data Leaks in Copilot Studio - The article discusses how to protect against data leaks in Copilot Studio, a platform for creating chatbots. It highlights security risks such as unauthorized access and misconfigured Copilots that can lead to data leakage. The post suggests security controls like enabling Data Loss Prevention (DLP) to safeguard organizational data. It also provides insights on creating custom Copilots, authentication options, enumeration techniques, and mitigations to prevent data leaks. Enterprises are advised to enable DLP and other security controls to prevent data leaks from Copilots and evaluate their risk tolerance.
29th July – Threat Intelligence Report - The Threat Intelligence Report from Check Point Research on July 29th highlighted several significant cyber attacks and breaches, including ransomware attacks on the Superior Court of Los Angeles and Acadian Ambulance. There were also reports of cyber-attacks on Ukraine's Main Intelligence Directorate targeting Russia's banking system and a German MEP being targeted with commercial spyware. Vulnerabilities were identified in popular applications like Anki and ServiceNow, while Check Point Research also reported on a network of GitHub accounts distributing malware and a trend of increasing sophistication in cryptocurrency scams. Subscribe to their Cyber Intelligence Reports for the latest updates.
CyberVolk Ransomware - CyberVolk, a pro-Russian hacktivist group, launched a new ransomware variant in July 2024. The group is currently involved in a campaign against Spain in response to the arrest of members of NoName057(16); together with around 70 other groups it is targeting Spain in a self-declared "holy war" following the arrests. The ransomware, also tracked as CyberVolk, targets English-speaking users and demands $1000 in BTC for decryption. It appears to reuse code from the Babuk ransomware, and further attacks are expected.
APT41 likely compromised Taiwanese government-affiliated research institute with ShadowPad and Cobalt Strike - APT41 has likely compromised a Taiwanese government-affiliated research institute using the ShadowPad and Cobalt Strike malware families. The campaign started in July 2023 and involved the delivery of customized tools for post-compromise activity. Cisco Talos assesses with medium confidence that the attack was carried out by APT41, a Chinese state-aligned group, based on the tactics, techniques, and procedures (TTPs) observed. The attackers exploited vulnerabilities for access, dropped backdoors, and harvested credentials for information gathering and exfiltration. They also used a Cobalt Strike loader written in Go to evade detection by Windows Defender.
DNS Early Detection - Breaking the Black Basta Ransomware Kill Chain - Black Basta ransomware has impacted numerous organizations globally, including healthcare sectors. Infoblox was able to identify and block malicious domains associated with Black Basta ransomware early on, providing protection to its customers and preventing data theft, fines, and legal impacts.
BITS and Bytes: Analyzing BITSLOTH, a newly identified backdoor - Elastic Security Labs identified a new Windows backdoor called BITSLOTH that uses Background Intelligent Transfer Service (BITS) for command and control. The malware has various capabilities like keylogging, screen capture, execution of commands, and data collection. The backdoor was used in an intrusion into a South American government's Foreign Ministry and has been in development since December 2021. BITSLOTH employs no obfuscation and includes features like persistence via BITS jobs. Elastic Security Labs created YARA rules to identify BITSLOTH and provided observables for detection.
Detecting evolving threats: NetSupport RAT campaign - Cisco Talos is actively tracking a malware campaign that uses NetSupport RAT for persistent infections and evades detection through obfuscation and frequent updates. The campaign uses fake browser update lures to trick users into downloading a stager that installs the NetSupport Manager agent on the victim's machine; a PowerShell script extracts the payload into a randomly named path and establishes persistence with basic registry entries. Talos provides Snort rules for detection, abstracting over file content to create wider-reaching signatures for NetSupport RAT files, and continues to monitor this evolving threat.
Threat Actor Abuses Cloudflare Tunnels to Deliver RATs - Proofpoint has observed an increase in malware delivery via Cloudflare Tunnel abuse, with threat actors delivering remote access trojans (RATs) for financial gain. These actors modify tactics to evade detection and improve efficacy, using Cloudflare tunnels to deliver malware like Xworm, AsyncRAT, and VenomRAT. The attackers leverage temporary infrastructure to scale operations and use Python scripts for malware delivery. Organizations should restrict access to external file sharing services and be vigilant against suspicious activity.
Less is More or Less - In the field of Detection Engineering and Threat Hunting, quality is more important than quantity. The article discusses the tendency for people.
Phishing targeting Polish SMBs continues via ModiLoader - ESET researchers have detected multiple phishing campaigns targeting small and medium-sized businesses in Poland using ModiLoader malware. The phishing emails contain malicious attachments that deliver various malware families, including Rescoms, Agent Tesla, and Formbook. The attackers impersonate existing companies and employees to increase the success rate of the campaigns, with compromised accounts and servers used to spread malware and collect stolen data. These phishing campaigns have been ongoing in Central and Eastern Europe in 2024, with attackers adapting their tactics and using different malware families.
Mid-year Doppelgänger information operations in Europe and the US - HarfangLab's blog post discusses mid-year Doppelgänger information operations conducted by Russian actors in Europe and the US from June to July 2024. The operations involve impersonating popular news websites to spread disinformation on social media. The report highlights the use of bots on platforms like Twitter for dissemination and the interconnected nature of these operations with cybercrime networks. Additionally, the analysis reveals a bias towards conservative economic policies and socially restrictive viewpoints in the content distributed by the Doppelgänger operations.
RDP Bitmap Cache - Piece(s) of the Puzzle - RDP Bitmap Cache is an often overlooked artifact that can provide valuable insights during a digital forensic investigation. This artifact stores commonly seen images from RDP sessions to optimize connection speed. Tools like BMC-Tools, RDP Cache Stitcher, and RDPieces can be used to extract and parse the cache files. While not a silver bullet, analyzing RDP Bitmap Cache can reveal valuable information, especially in cases where traditional logs and telemetry are not available. It is recommended to include RDP Bitmap Cache analysis in forensic investigations, especially when RDP activity is suspected.
Scammer Abuses Microsoft 365 Tenants, Relaying Through Proofpoint Servers to Deliver Spam Campaigns - In March 2024, Proofpoint researchers identified spam campaigns being relayed through a small number of their customers' email infrastructure by sending spam from Microsoft 365 tenants, with the abuse of a modifiable email routing configuration feature on Proofpoint servers being the root cause. Proofpoint quickly took action to inform and protect their customers, making changes to prevent further unauthorized relay abuse. They also collaborated with the wider security community to share their findings and improve security measures. As a result of these actions, no customer data was exposed, and no data loss occurred.
UNC4393 Goes Gently into the SILENTNIGHT - UNC4393, a threat group primarily using BASTA ransomware, has been active since mid-2022 and has targeted over 40 organizations across various industries. The group has evolved from using standard tools to custom malware and has shown a preference for partnerships with initial access brokers. UNC4393's tactics include using BEACON for persistence, leveraging BASTA for ransomware attacks, and exfiltrating data using RCLONE. The group's adaptability and operational proficiency pose a significant challenge for defenders, making it crucial for organizations to understand and mitigate UNC4393's operations.
Techniques and Write-ups
Specula - Turning Outlook Into a C2 With One Registry Change - TrustedSec shows that a single registry change setting an Outlook folder home page can turn Outlook into a C2 agent, giving attackers persistent access to networks. Although the home page technique has been known for years, it remains a weak point in many environments, so TrustedSec is releasing its framework, Specula, to draw attention to the attack path and help organizations build preventions. Recommended measures include moving to the New Outlook, removing the VBScript engine (an optional feature on Windows 11), and using Group Policy to disable Outlook's WebView home pages. Monitoring for URL values being written to the relevant Outlook registry locations can detect home page attacks.
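Outlook folder home pages live under the per-user Office hive, so a registry-set telemetry source (Sysmon Event ID 13 or an EDR equivalent) is the natural place to catch the change. Below is an added detection example, not part of the TrustedSec write-up or Specula itself: it matches `...\Office\<version>\Outlook\WebView\<folder>\URL` writes and flags any whose URL host is not on an allow-list. The key path pattern is assumed from the Outlook home page feature, and the events are constructed sample data.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed key layout for Outlook folder home pages (the WebView feature):
# HKCU\Software\Microsoft\Office\<ver>\Outlook\WebView\<Folder>\URL
HOME_PAGE_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Office\\(?P<ver>\d+\.\d+)\\Outlook\\WebView\\(?P<folder>[^\\]+)\\URL$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class RegistryEvent:
    """Shape modelled on Sysmon Event ID 13 (RegistryEvent, Value Set)."""
    timestamp: str
    host: str
    user: str
    image: str           # process that performed the write
    target_object: str   # full key\value path
    details: str         # value written (REG_SZ string for URL)


def home_page_url(ev: RegistryEvent):
    """Return (folder, url) if the event sets an Outlook home page, else None."""
    m = HOME_PAGE_KEY_RE.search(ev.target_object)
    if not m:
        return None
    url = ev.details.strip().strip('"')
    if not url:
        return None  # clearing the value is what remediation looks like
    return m.group("folder"), url


def is_suspicious(ev: RegistryEvent, allowed_hosts: frozenset[str]) -> bool:
    hit = home_page_url(ev)
    if hit is None:
        return False
    _, url = hit
    host = (urlparse(url).hostname or "").lower()
    # Any home page URL pointing off the allow-list is worth a look; Specula-style
    # payloads only need the URL to point at attacker-served HTML.
    return host not in allowed_hosts


def triage(events, allowed_hosts=frozenset()):
    """Return the events that warrant investigation, oldest first."""
    return sorted((ev for ev in events if is_suspicious(ev, allowed_hosts)),
                  key=lambda ev: ev.timestamp)


# Constructed sample telemetry.
SAMPLE_EVENTS = [
    RegistryEvent("2024-08-05T09:12:01Z", "ws-17", "CORP\\alice", r"C:\Windows\System32\reg.exe",
                  r"HKU\S-1-5-21-1\Software\Microsoft\Office\16.0\Outlook\WebView\Inbox\URL",
                  "http://payload.attacker.example/home.html"),
    RegistryEvent("2024-08-05T09:30:44Z", "ws-22", "CORP\\bob", r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
                  r"HKU\S-1-5-21-2\Software\Microsoft\Office\16.0\Outlook\WebView\Calendar\URL",
                  "https://intranet.example.internal/outlook/calendar.html"),
    RegistryEvent("2024-08-05T10:02:10Z", "ws-17", "CORP\\alice", r"C:\Windows\System32\reg.exe",
                  r"HKU\S-1-5-21-1\Software\Microsoft\Office\16.0\Outlook\WebView\Inbox\URL",
                  ""),  # value cleared during cleanup: not flagged
    RegistryEvent("2024-08-05T10:05:00Z", "ws-31", "CORP\\carol", r"C:\Windows\explorer.exe",
                  r"HKU\S-1-5-21-3\Software\Microsoft\Office\16.0\Outlook\Preferences\Signature",
                  "Carol"),  # unrelated Outlook key: not flagged
]

ALLOWED = frozenset({"intranet.example.internal"})

if __name__ == "__main__":
    for ev in triage(SAMPLE_EVENTS, ALLOWED):
        print(ev.timestamp, ev.host, ev.user, ev.image, ev.details)
```

In practice the allow-list should be empty unless the organization deliberately publishes home pages; the writing process (`reg.exe`, `powershell.exe`, a scripting host) is a useful secondary signal, since Outlook itself writes these values only when a user configures a home page through the UI.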
Racing round and round: The little bug that could - The article discusses a kernel vulnerability found by a researcher during the Pwn2Own competition, detailing the bug hunting process and the logic error that allowed for exploitation on a fully updated Windows 11 machine. The vulnerability revolves around the Microsoft Kernel Streaming Service and involves inter-process communication that can lead to use-after-free scenarios. The researcher delves into how the bug was discovered, the origins of the bug, and Microsoft's patching approach.
Remote Process Enumeration with WTS Set of Windows APIs - In this blog post, the author explains how to code a tool in C++ to gather information about running processes on a remote system, without using complete framework tools. The post covers using Windows API ToolHelp functions for local enumeration and Windows Terminal Services (WTS) APIs for remote enumeration. It also discusses the need for impersonation to access processes on a Domain Controller due to permission constraints, highlighting the versatility of Windows APIs in local and remote environments.
OSEP Unleashed. The advance of in-memory payload execution - The article discusses the advance of in-memory payload execution as a method to bypass antivirus software during penetration testing. It outlines different techniques for running payloads entirely in memory, such as using C# functionality, converting to base64, using fibers, and reflective loading of code into memory. The article also explores running native code, using JScript, and shellcode injection methods to execute code in memory. The author emphasizes the importance of experimenting and creativity in finding new ways to execute code in memory while bypassing antivirus detection.
Stockholm Syndrome: Accurate network testing - This article discusses the importance of caution when pentesting networks to ensure the security analysis does not disrupt the customer's infrastructure. It covers topics such as ARP and NetBIOS scanning, traffic analysis, and conducting MITM attacks safely. The article also provides tips on optimizing scanning speed, handling MITM attacks, and selecting hardware for effective testing. Additionally, it emphasizes the need to restore ARP tables after an attack and to be mindful of potential risks when exploiting Cisco Smart Install on switches.
Malware and cryptography 31: CAST-128 payload encryption. Simple C example. - In this post, the author explores the use of the CAST-128 block cipher for encrypting payloads in malware development. The post provides a simple C example demonstrating encryption and decryption processes using CAST-128. The author goes through the key generation, encryption, and decryption processes, as well as includes examples of shellcode encryption and running. Additionally, the post discusses evasion techniques such as function call obfuscation and hashing function names to evade detection by antivirus engines. The post concludes that while CAST-128 may not be as widely used as AES, it remains a robust encryption algorithm with resistance against known cryptographic attacks.
Drop the Mic (CVE-2019-1166) - CVE-2019-1166, also known as "Drop the Mic," is a vulnerability in Microsoft Windows that targets the NTLM authentication protocol. It allows an attacker to bypass the NTLM Message Integrity Check and downgrade security features, potentially gaining access to sensitive information. Praetorian was able to exploit this vulnerability during a security assessment, demonstrating the importance of patching systems and using stronger authentication protocols like Kerberos. The company recommends regular monitoring for signs of tampering or unusual activity to prevent attacks.
Escalating Privileges in Google Cloud via Open Groups - NetSPI describes a privilege escalation path in Google Cloud that arises from open groups: when a group that holds IAM role bindings is configured so that members can join without approval, any principal able to join inherits the group's permissions. The post walks through identifying such groups and provides guidance on prevention and remediation.
Teaching the Old .NET Remoting New Exploitation Tricks - CODE WHITE, a German offensive security firm, has uncovered new exploitation tricks for .NET Remoting servers, using Apache log4net as the worked target. The tricks include bypassing the framework's security restrictions, coercing servers into serializing objects, and turning the result into remote code execution. CODE WHITE reported the issues to Microsoft and the log4net team, who are working on fixes. The research is a reminder that old, well-studied technologies still hide exploitable behavior for anyone willing to read them closely.
Who Knew? Domain Hijacking Is So Easy - Researchers at Infoblox and Eclypsium have discovered a widespread attack vector in the domain name system (DNS) called Sitting Ducks, where cybercriminals can easily hijack domains without being noticed. The attack is being exploited by over a dozen Russian-nexus threat actors to conduct malicious activities like malware delivery and phishing campaigns. The attack leverages misconfigurations in DNS and web hosting providers, making it difficult to detect. Recommendations are provided for domain owners, registrars, DNS providers, and regulators to mitigate the risks of Sitting Ducks attacks.
Extending Burp Suite for fun and profit – The Montoya way – Part 6 - The article discusses how to extend Burp Suite using the Montoya API to add custom active and passive checks to the scanner. It demonstrates how to develop an extension to identify Java deserialization issues and exploit vulnerabilities in Apache Commons Collections 3 libraries. The article also covers the development of scan checks for the active and passive scanners, and provides tips on testing and using the plugins effectively.
Oracle Retail Xstore Suite: pre-authenticated path traversal - The Oracle Retail Xstore Suite has a vulnerability that allows for pre-authenticated path traversal, which could be exploited by an attacker to access sensitive files or steal authentication data. Oracle has acknowledged the issue and plans to address it in their next Critical Patch Update. The vulnerability can be used to browse the file system, retrieve sensitive technical information, or steal NTLMv2 authentication data. Oracle Retail Xstore Suite is a point-of-sale application used for day-to-day transactions and store activities.
From opcode to code: how AI chatbots can help with decompilation - The article discusses how AI chatbots can assist in decompiling PHP scripts that are protected by commercial encoders, which encode the source code into Zend Engine opcodes. The author developed a tool to extract and disassemble the opcodes from encoded scripts, and then used Microsoft's Copilot chatbot to decompile the opcodes into PHP code. The quality of code decompilation using AI chatbots can vary, but overall, they can simplify the process of reading opcode listings.
Breaking Barriers and Assumptions: Techniques for Privilege Escalation on Windows: Part 1 - The Zero Day Initiative has seen an increase in link following vulnerabilities submitted to their program, providing insight into how these vulnerabilities are exploited on Windows systems. Techniques for privilege escalation using legacy functionality within Windows have been identified through over 20 vulnerabilities discovered. The blog series discusses methods for exploiting link following vulnerabilities, such as creating denial-of-service conditions and local privilege escalation.
Deep Sea Phishing Pt. 2: Making Your Malware Look Legit to Bypasses EDR - The blog discusses techniques for evading EDR by making malware look like legitimate software. It covers different levels of legitimacy, from unsigned binaries up to abusing genuine help desk and remote desktop applications, and emphasizes that blending in with trusted software is what gets past EDR. It also covers using screen sharing and meeting software to get a target to hand over control of a session, and using remote desktop software to gain access to internal networks. The key takeaway is that legitimate software used for illegitimate purposes is the most reliable way to avoid EDR detection.
Heap exploitation, glibc internals and nifty tricks. - Quarkslab's blog discusses heap exploitation, glibc internals, and nifty tricks used in a Heap pwn challenge at HitconCTF Qualifiers 2024. The challenge involved understanding glibc malloc internals and exploiting the heap to gain shell access. The blog explains how to leverage vulnerabilities like buffer overflow, Use After Free, and double-free to manipulate free lists in glibc and gain code execution. It also covers techniques to bypass protections in glibc 2.31 and provides a detailed walkthrough of the exploit used in the challenge, including getting heap and libc leaks, tcache poisoning, and achieving arbitrary code execution.
Catching Shells Without Infrastructure Using "Open" Tor Relays. - The article discusses a method of catching connect-back shells or implant beacons without infrastructure by using "open" Tor relays. The concept involves using Tor hidden services to establish connections between the attacker and the target through a tor2web gateway. The article provides a basic implementation using a reverse shell in C and Python, demonstrating how to use non-HTTP protocols over Tor using SOCKS proxies. The approach emphasizes minimalism and simplicity, showcasing a proof of concept rather than a fully functional toolkit. The article also mentions alternative methods such as using the Tor project's Arti library or Veilid network for communication and explores the possibility of using other anonymity networks for similar purposes.
Relay Your Heart Away: An OPSEC-Conscious Approach to 445 Takeover - The SpecterOps team discusses an OPSEC-conscious approach to taking over port 445 on a compromised host for targeted NTLM relay attacks. By using specific primitives, and without loading drivers or injecting modules into LSASS, an operator can take control of inbound SMB traffic. The article provides technical details on disabling the LanmanServer service and on how the binding process works so that the operator's tool can own the port. The team also shares tooling to automate the technique and gives operational notes on disabling services on compromised Windows hosts while operating over C2.
Hacking Salesforce Lightning: A Guide for Bug Hunters - This article is a guide for bug hunters looking to hack Salesforce Lightning by identifying common security misconfigurations that can lead to vulnerabilities. It discusses how Salesforce Experience Cloud is used by software teams to manage customer relationships and outlines the risks of improper access controls and file uploads in the platform. The article provides recommendations for securing Salesforce Communities, such as restricting access for unauthorized users and setting file upload restrictions. It also mentions the importance of using official tools like Salesforce Code Analyzer and Health Check to ensure security best practices are followed.
Create your own custom implant - This blog post discusses the creation of a custom implant in C for evasive purposes. The implant interacts with a C2 server through GET and POST requests and includes an interactive shell. Tests against AV/EDRs showed that the implant was not detected. It is recommended to compile the implant with Mingw, adjust constants for the C2 server and domain, and incorporate guardrails to avoid running in a restricted environment.
Bypassing Rockwell Automation Logix Controllers’ Local Chassis Security Protection - Team82 discovered a security bypass vulnerability in Rockwell Automation ControlLogix devices that allowed attackers to bypass trusted slot features and send elevated commands to the PLC CPU. The vulnerability was fixed by Rockwell Automation, and users were urged to apply the fix immediately. Team82 also released a Snort rule to detect attempts to bypass security protection on devices using the CIP protocol. Overall, the vulnerability exposed critical control systems to unauthorized access over the CIP protocol but was addressed by Rockwell Automation.
CVE-2024-39877: Apache Airflow Arbitrary Code Execution - The article discusses the CVE-2024-39877 vulnerability in Apache Airflow, which allows authenticated DAG authors to execute arbitrary code in the scheduler context. The vulnerability arises from improper handling of the doc_md parameter, which is rendered using Jinja2 templates. By injecting malicious Jinja2 expressions, attackers can execute Python code. The article provides a guide on setting up a vulnerable Airflow environment to reproduce the vulnerability and explains how the code injection works. It also emphasizes the importance of proper data handling and sanitization to prevent such vulnerabilities.
(CVE-2024-7008) Calibre Reflected Cross-Site Scripting (XSS) - The CVE-2024-7008 vulnerability involves a reflected Cross-Site Scripting (XSS) issue in the Calibre e-book software's content server, allowing attackers to execute their JavaScript code in a victim's browser. By crafting a malicious URL, an attacker can manipulate a user into performing actions on the Calibre server. The issue stems from improper handling of user input in the generation of HTML content. Users are advised to ensure input sanitization to prevent such attacks. STAR Labs SG Pte. Ltd. researcher Devesh Logendran reported this vulnerability.
(CVE-2024-7009) Calibre SQLite Injection - A vulnerability (CVE-2024-7009) in Calibre allows a user with privileges to perform full-text searches to inject arbitrary SQL code into the search query, potentially accessing sensitive information in SQLite databases on the server's filesystem. The attacker can also perform limited file writes to the filesystem. This can lead to unauthorized access of username and password information used for authentication on the content server. The issue can be mitigated by sanitizing parameters before using them in query strings and implementing parameterized queries. Devesh Logendran from STAR Labs discovered this issue.
Persisting on Entra ID applications and User Managed Identities with Federated Credentials - This blog post by dirkjanm.io covers persisting on Entra ID applications and User Managed Identities using federated credentials, a less explored topic in offensive security. The concept of federated credentials involves trusting another Identity Provider to authenticate applications, allowing access to workloads outside of Azure. The post introduces a new utility, roadoidc, to set up a minimal Identity Provider. Attackers can use this method to configure credentials on Entra ID applications and Azure User Managed Identities, potentially leading to persistence or privilege escalation.
Identifying a BOLA Vulnerability in Harbor, a Cloud-Native Container Registry - Unit 42 researchers have identified a broken object-level authorization vulnerability in Harbor, a cloud-native container registry, impacting versions prior to 2.9.5. This vulnerability, tracked as CVE-2024-22278, allows users with a Maintainer role to perform privileged actions that should only be allowed for users with a ProjectAdmin role. Harbor has released fixes in versions v2.9.5, v2.10.3, and v2.11.0 to address this vulnerability. Organizations are advised to update immediately to mitigate potential risks. Additionally, Unit 42 offers Cloud-Delivered Security Services to help protect against such vulnerabilities.
Why Hackers Should Learn C# - Hackers should learn C# because it is a modern, open-source programming language that is widely used in many organizations for various purposes. Understanding C# can help in creating ad-hoc applications that may outperform tools written in Python. Possessing a background in C# and .NET can increase the likelihood of identifying vulnerabilities during penetration testing. Additionally, having programming skills, specifically in C#, can help hackers find new attack vectors and improve the performance of their scans or brute-force attacks. TCM Security offers a "C# 101 for Hackers" course to help individuals get started with learning C#.
Using conflicting objects in Active Directory to gain privileges - Active Directory uses a multi-master replication model with decentralized infrastructure. Conflicting objects known as "CNF" objects can occur when two objects with the same name are created in the same container within a short period of time. Attackers can manipulate this process to gain admin access to newly joined machines by creating conflicting objects on demand. By creating a fake machine account, attackers can potentially control the real machine and elevate their privileges through Resource-Based Constrained Delegation. Proper monitoring and cleaning of conflicting objects in Active Directory are essential to prevent such attacks.
LayeredSyscall – Abusing VEH to Bypass EDRs - LayeredSyscall leverages Vectored Exception Handlers (VEH) to bypass Endpoint Detection and Response (EDR) systems by generating a legitimate call stack and using indirect syscalls. This tool allows for the creation of a legitimate call stack before performing an indirect syscall, supporting up to 12 arguments. It uses VEH to set up hardware breakpoints and handle syscall breakpoints, enabling the bypass of user-land EDR hooks. The tool was tested against Sophos Intercept X EDR with success in bypassing detection. This technique provides a different approach to bypassing EDRs, but further testing against different EDRs and detection techniques is necessary.
Poisoning the SSM Command Document Well - The author discovered a vulnerability in Datadog's AWS Systems Manager (SSM) Command Documents that allowed for command execution on managed nodes. By creating and publishing "poisoned" documents with a different Account ID, the author was able to successfully trick users into running malicious commands. Datadog quickly addressed the issue and updated their documentation. The author highlights the importance of closely reviewing SSM Command Document contents and suggests best practices for vendors and customers to mitigate similar security risks.
Breaking Barriers and Assumptions: Techniques for Privilege Escalation on Windows: Part 2 - The Zero Day Initiative discusses techniques for privilege escalation on Windows, focusing on using alternate data streams to bypass assumptions and exploit vulnerabilities in antivirus products like ESET Smart Security and VIPRE Advanced Security. By creating links at strategic times and manipulating file attributes, attackers are able to escalate privileges and delete arbitrary files. These techniques reveal flaws in impersonation implementations and highlight the importance of evaluating products for vulnerabilities. The blog also mentions other vulnerabilities discovered using alternate data streams and teases upcoming discussions on additional techniques and debugging tools.
Breaking Barriers and Assumptions: Techniques for Privilege Escalation on Windows: Part 3 - In this blog series by Zero Day Initiative, techniques for privilege escalation on Windows are discussed. The authors share a technique for exploiting vulnerabilities with the Windows Task Scheduler and a tool for debugging protected processes. They also address difficulties faced during disclosures with vendors, including Intel and PaperCut, highlighting issues of misrepresentation and downplaying of vulnerabilities. Several vulnerabilities have been discovered and disclosed, with some remaining unpatched, and the blog series aims to inspire others to identify and report vulnerabilities to ZDI.
(CVE-2024-6781) Calibre Arbitrary File Read - The CVE-2024-6781 vulnerability in Calibre allows unprivileged adversaries to read arbitrary files through relative path traversal in versions <= 7.14.0. The vulnerability can be exploited by an unauthenticated attacker when basic authentication is disabled on the Calibre content server. A functional exploit in Python3 is included in the report to demonstrate the arbitrary file read. It is recommended to properly sanitize user-supplied input to prevent path traversals and to check server access logs for potential exploitation.
(CVE-2024-6782) Calibre Remote Code Execution - A critical vulnerability (CVE-2024-6782) in Calibre allows unprivileged adversaries to perform remote code execution. The vulnerability lies in the Calibre Content Server, allowing for unauthenticated remote code execution in versions <= 7.14.0. The exploit can be triggered through user-controlled arguments in the search functionality, enabling arbitrary execution of Python code. A sample exploit script has been provided, and precautions include implementing proper access controls and monitoring access logs for potentially malicious activity. The vulnerability was discovered by Amos Ng of STAR Labs, who also identified other security issues in Calibre.
An Introduction to GCPwn – Part 1 - An introduction to GCPwn, a Python-based framework for pentesting GCP environments that aims to consolidate exploit scripts for GCP attack vectors and manage multiple credentials within one framework. Steps for installing GCPwn, adding credentials, picking modules, and checking permissions are outlined in detail.
Unburdened By What Has Been: Exploiting New Attack Surfaces in Radio Layer 2 for Baseband RCE on Samsung Exynos - The article discusses the exploitation of new attack surfaces in Layer 2 of Radio Access Technologies, specifically targeting vulnerabilities in the protocols used in Samsung Exynos smartphones. The researchers identified and exploited multiple vulnerabilities in the baseband software, leading to arbitrary remote code execution. They developed a proof-of-concept exploit using heap shaping techniques and a "Baseband Space Mirroring Attack" to achieve code execution without knowing the exact firmware version.
Windows AppLocker Driver LPE Vulnerability – CVE-2024-21338 - A Windows AppLocker Driver Local Privilege Escalation (LPE) Vulnerability with the CVE-2024-21338 designation has been detailed by Crowdfense in a write-up by a new researcher on their team. The vulnerability involves an untrusted pointer dereference issue in the Windows AppLocker driver, which can be exploited to achieve powerful privileges. By bypassing Supervisor Mode Execution Prevention (SMEP) and Kernel Control Flow Guard (kCFG), an attacker can execute arbitrary code in the kernel space, leading to a complete takeover. The exploit involves overwriting pointers and leveraging system calls to gain elevated privileges and execute a SYSTEM shellcode.
MITMing the Xbox 360 Dashboard for Fun and RCE - In the late 2000s and early 2010s, the author and friends were heavily involved in Xbox hacking, exploring game betas and internal tools. They discovered different URL paths serving various "dashboard channels" on the Xbox 360, leading to the discovery of beta dashboard channels and internal Xbox employee dashboards. Through a Man-in-the-Middle attack, they were able to access internal Xbox environments, obtaining Xbox LIVE Gold offers for discounted prices and exploring the Preview Tool which allowed for arbitrary code execution on the dashboard. Despite learning how to disable signature checks, they mostly stuck to their usual hacking methods, gaining access to Xbox employee-only content and insights into the dashboard workings.
The “Fake” Potato - The blog post discusses the exploration of the DCOM objects for potential abuse. The author discovers that the "ShellWindows" DCOM application can be abused locally by a standard user, allowing for arbitrary execution of commands. However, a bug is identified where non-administrative users are denied access due to missing permissions on the explorer process. The issue is reported to Microsoft and fixed in a security update. The author humorously refers to the exploit as the "Fake" Potato, highlighting its difference from previous exploits.
An Opinionated Ramp Up Guide to AWS Pentesting - This guide provides an opinionated ramp-up guide to AWS pentesting, focusing on pentesting the customer's side of the shared responsibility model. It includes recommendations for learning resources, strategies for skill development, and tips for success in cloud pentesting. The guide emphasizes the importance of continuous learning and staying updated on AWS security news and developments. The ultimate goal is to apply these skills in practical pentesting scenarios and contribute to the field of cloud security.
Tools and Exploits
Specula - Command and control framework created by TrustedSec that leverages Outlook and is initiated by a single registry key change.
smbtakeover - The GitHub repository "zyn3rgy/smbtakeover" contains a technique to unbind and rebind 445/tcp on Windows without loading a driver, module into LSASS, or rebooting the target machine. The technique is implemented to ease the burden of SMB-based NTLM relays during C2 operations. The implementation includes PoCs in both Python and BOF format, and operational usage notes are provided to help understand the impact of disabling services. Instructions for setting up and using the Python implementation are given in the repository.
SyscallTempering - Syscall Tempering is a tool created to improve upon the syscall tampering module provided by maldevacademy.com. It works by setting hardware breakpoints at system call instructions and replacing spoofed arguments with the ones desired. The tool generates a list of unhooked system calls, tampering a randomly chosen benign call with up to 11 null arguments. This proof of concept successfully launches the calculator under the supervision of Sophos EDR, with the potential for expanding to other EDR solutions.
Unlock enhanced API scanning with Burp Suite - Burp Suite is a web vulnerability scanner that offers different editions for professional, enterprise, and community users. It now includes enhanced API scanning features to help identify vulnerabilities in APIs more efficiently. Users can test APIs without hosting definition files, identify accessible APIs, scan a wider range of endpoints, and scan APIs that require authentication. Future updates will include the ability to parse API definition files, bulk import API targets, and support SOAP APIs. Users can provide feedback on the current features and suggest new ones for future updates.
Bypass bot detection - The GitHub repository "PortSwigger/bypass-bot-detection" contains a Burp Suite extension that mutates ciphers to bypass TLS-fingerprint based bot detection. Users can install the extension from the repository or build it from sources. The extension allows users to change network settings in Burp Suite to bypass bot detection measures based on TLS fingerprints. The extension includes different modes, such as using specific cipher suites and user-agent headers, as well as a brute force mode that tries different combinations of TLS protocol versions and cipher suites.
GeoServer Exploit for CVE-2024-36401 - The GitHub repository "Chocapikk/CVE-2024-36401" contains an exploit for the Remote Code Execution vulnerability in GeoServer, a Java-based software server used for viewing, editing, and sharing geospatial data. The vulnerability exists in versions earlier than a specific version and can allow unauthenticated users to execute arbitrary commands as root on the system running GeoServer. The exploit script provided in the repository allows users to individually target systems or scan multiple URLs for the vulnerable GeoServer versions. The exploit is for educational purposes only, and the author disclaims any responsibility for any damage caused by its use.
Local KDC for Windows - The GitHub repository jborean93/LocalKdc provides information on how to use a Kerberos Key Distribution Center (KDC) on a non-domain joined host. The code in the repository is a proof of concept and does not cover all use cases. By running a local KDC on a Windows host, it is possible to configure Windows to use a locally running KDC for Kerberos authentication without joining it to a domain. The repository includes a C# project that runs a DNS, LDAP, and KDC service on localhost and configures the DNS Name Resolution Policy Table (NRPT) to redirect DNS queries. It is necessary to have the .NET 8.0 SDK to build and run the project.
URL Requester - URL Requester is a tool for performing HTTP requests to multiple URLs with features like proxy support, rate limiting, and SQL injection testing capabilities. It can handle GET, POST, PUT, and DELETE requests, include custom headers and cookies, rotate user agents, and use proxies for anonymity. The tool also implements rate limiting and retries failed requests, with options to export results in CSV, JSON, or XML formats. It is specifically designed for testing SQL injection vulnerabilities and provides detailed logging with colored output for readability.
Huntsman - The GitHub repository "mlcsec/huntsman" provides an email enumerator, username generator, and context validator for the hunter.io, snov.io, and skrapp.io APIs. It confirms email and first/last name context within source URIs, generates usernames based on common name combinations, validates emails with Entra ID, and identifies social media accounts associated with target emails. The tool can be installed using pip from PyPI or cloned from GitHub. It offers various commands for interacting with the APIs of hunter.io, snov.io, and skrapp.io for gathering actionable data for engagements.
DockerSpy - DockerSpy is a tool that searches for images on Docker Hub and extracts sensitive information like authentication secrets and private keys. Docker Hub is a cloud-based repository where developers can store, share, and distribute container images. Open Source Intelligence (OSINT) on Docker Hub helps to identify exposed secrets in Docker images to prevent security breaches and enhance overall security posture. DockerSpy works by obtaining information from Docker Hub and using regular expressions to inspect the content for sensitive data. It is intended for educational and research purposes only.
Hybrid Attack Paths, New Views and your favorite dog learns an old trick - SpecterOps introduces Hybrid Attack Paths in BloodHound, allowing for connections between Azure and Active Directory. The new feature generates edges between synced users, enabling easier analysis of potential attack paths in hybrid environments. Additionally, BloodHound Enterprise receives UI improvements, such as a new attack paths view with enhanced readability and granularity. Dark mode is also introduced for both Community Edition and Enterprise versions of BloodHound.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
Find and execute WinAPI functions with Assembly - The article discusses creating shellcode in x64 Assembly to find and execute WinAPI functions manually without relying on fixed addresses. It covers topics such as the PEB structure, PE file structure, Export Address Table, and Windows x64 calling convention. By navigating through memory structures and pointers, the article demonstrates how to find and execute functions like WinExec (used to launch the Windows built-in calculator). The process involves accessing the PEB structure, PEB_LDR_DATA, loaded modules, ExportTable, and EAT to ultimately execute the desired function. The article also highlights the limitations of shellcode, the importance of following the Windows x64 calling convention, and the benefits of understanding low-level access to WinAPI functions for malware analysis.
Government Contractor’s Ultimate Guide to CUI - TrustedSec's Government Contractor’s Ultimate Guide to Controlled Unclassified Information (CUI) provides comprehensive information on how government contractors must protect CUI, including mandated safeguards and labeling requirements. Contractors working with the US federal government or entities requiring CUI protection may be confused about complying with regulations such as the Cybersecurity Maturity Model Certification (CMMC) and National Institute of Standards and Technology (NIST) frameworks. Misrepresenting CUI protection or mishandling CUI can result in severe penalties and liabilities under the False Claims Act, emphasizing the importance of taking CUI protection obligations seriously. Contractors should understand CUI program origins, structure, nuances, and obligations when determining their compliance requirements and safeguards.
WifiForge – WiFi Exploitation for the Classroom - WifiForge is a program developed by Black Hills Information Security to create a virtual environment for students to learn WiFi hacking safely. It eliminates the need for physical hardware and can be run in a Docker container. The program provides pre-built labs and tools for various exploits, including a lab for cracking WEP keys. WifiForge is easy to set up and use, making it a convenient solution for classroom learning.
Injecting Malicious Code into PDF Files and PDF Dropper Creation - The article discusses injecting malicious code into PDF files and creating a PDF dropper using JavaScript. It explains how PDF files can execute JavaScript code and explores the tools and methods used for this purpose. The process involves adding JavaScript to the PDF and creating a C2 connection. The article includes code examples and instructions for creating and testing the manipulated PDF file. It also mentions that this method can deceive even Gmail's scanning process and provides a GitHub link for the code.