Last Week in Security - 2024-08-20

We're Hiring!

Immediate Open Positions:

Maryland Applicants:

• We have openings for a Technical Writer, Red Team Operator, Red Team Operator Infrastructure Engineer, Red Team Operator Tool Developer, Systems Engineer, HPC Software Engineer, Information Systems Security Engineer, Cyber Operator Developer Analyst (CODA), Senior Data Analyst and Earned Value Management Specialist.

Virginia Applicants:

• Available opportunities: Land and Expeditionary Warfare Specialist, Cyber Warfare Threat Analyst, and Cyber Network Operator.

For more open positions visit: https://www.sixgen.io/careers

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools, and exploits from the past week. This post covers 2024-08-12 to 2024-08-19.

News

• Six 0-Days Lead Microsoft’s August 2024 Patch Push - Microsoft released updates to fix 90 security vulnerabilities, including six zero-day flaws actively exploited by attackers. The flaws include local privilege escalation vulnerabilities and remote code execution flaws. One vulnerability allows malware to bypass security features in Windows. It is recommended for Windows users to install security updates promptly and back up data before updating. The updates primarily focus on Windows components, Office products, and Azure services, but do not specifically target Group Policy or Intune.

• Inside the "3 Billion People" National Public Data Breach - Troy Hunt discusses a major data breach involving National Public Data, a data aggregator, where a threat actor has published personal information of billions of people. The breach includes names, addresses, social security numbers, and other personal details. Multiple parties had access to the data before it was leaked, and legal action has been taken against National Public Data. The data has been circulating on the dark web, and there are questions about its legitimacy and origin. Hunt decided to include the breach in his "Have I Been Pwned" database as an unverified breach to inform those affected.

Threat Intel and Defense

• EastWind Campaign: New CloudSorcerer attacks on government organizations in Russia - The EastWind campaign targeted Russian government organizations and IT companies using phishing emails with malicious attachments to deliver malware such as CloudSorcerer, APT31, and APT27 tools. The attackers used Dropbox and social media sites as Command and Control servers, and also deployed a new implant named PlugY.

• Ransomware attackers introduce new EDR killer to their arsenal - Sophos analysts discovered a new EDR-killing utility called EDRKillShifter being used by ransomware attackers targeting an organization with RansomHub ransomware. The tool failed to disable Sophos protection, but the attackers attempted to run the ransomware, which also failed due to CryptoGuard. EDRKillShifter works by executing with a password string to decrypt and execute a final payload, written in Go, that exploits vulnerable drivers to disable EDR protection. The final payloads vary, with similarities in behavior but different vulnerable drivers being exploited.

• Update from the Ransomware Trenches - Guidepoint security's analysis on INC Ransomware threat group leveraging the Restic open-source backup solution for data exfiltration.

• Today I Learned - WebDAV Cache - The blog post discusses the discovery of an open directory containing malware and the analysis of a LNK file found within it using LECmd.exe. It reveals the next stage in the infection chain and highlights the use of WebDAV connections via a DLL started with rundll32.exe. The post also mentions the presence of files retrieved from remote WebDav servers to the local system, referencing previous discussions on the topic. Overall, the author reflects on learning new information and standing on the shoulders of giants in the field.

• Emerging phishing campaign targeting AWS accounts - The Wiz Threat Research Team identified a new phishing campaign targeting AWS accounts. The phishing email contained a link to a fake AWS login page designed to steal credentials. Security teams are advised to disable root logins, use MFA, and enforce least privilege strategies to protect against such attacks. The phishing domain has been taken down, but security measures should still be implemented to prevent future incidents.

• Leaked Environment Variables Allow Large-Scale Extortion Operation of Cloud Environments - Unit 42 researchers found an extortion campaign targeting cloud environments, leveraging exposed environment variable files to compromise organizations. Attackers scanned more than 230 million targets, targeting 110,000 domains. The attackers used automation techniques to ransom data from compromised cloud storage containers, accessing credentials and deploying lambda functions to scan for more targets. Mitigations include enabling logging, following the principle of least privilege, and using temporary credentials.

• GRIT Ransomware Report: July 2024 - In July 2024, GuidePoint Security observed significant changes in the ransomware landscape. LockBit, though struggling due to international sanctions, showed signs of recovery, while RansomHub continued to dominate with a high victim volume. Emerging groups like FOG and ElDorado made bold entrances, while the US saw fewer ransomware attacks compared to previous months. Notably, Italy experienced a surge in attacks, possibly due to its higher ransom payment rates. The report also highlights the importance of accurate threat intelligence, citing Pryx as a group misidentified as ransomware, underscoring the need for careful data curation.

• Iranian backed group steps up phishing campaigns against Israel, U.S. - Iranian-backed threat actor APT42 has intensified its targeted phishing campaigns against high-profile users in Israel and the U.S., including government officials, political campaigns, diplomats, and think tanks. The group, associated with Iran's IRGC, has been targeting accounts related to the U.S. presidential election, demonstrating a multi-pronged effort to support Iran's political and military objectives. Google's Threat Analysis Group has disrupted APT42's activities, including resetting compromised accounts, sending warnings to targeted users, and blocking malicious domains and URLs. The group uses various tactics, such as hosting malware, phishing pages, and malicious redirects, to trick users into divulging their credentials and gaining access to their accounts.

• Sophos MDR hunt tracks Mimic ransomware campaign against organizations in India - Sophos MDR hunt has identified a new threat activity cluster called STAC6451 in India targeting organizations using Microsoft SQL Server. The cluster exploits exposed servers to deploy ransomware, using tactics like abusing SQL Servers for unauthorized access and creating backdoor accounts for lateral movement. The threat actors use tools like Cobalt Strike Beacons and Mimic ransomware binaries. Sophos MDR has observed the cluster targeting Indian organizations, with a focus on automating different stages of their attack to swiftly compromise multiple victims. The cluster's level of sophistication is moderate, but they have shown persistence in their activity. Recommendations include avoiding exposing SQL servers to the internet, disabling xp-cmdshell, and using application control to block potentially unwanted applications.

• Strategies Used by Adversaries to Steal Application Access Tokens - This blog post explores the strategies used by adversaries to steal application access tokens in cloud and containerized environments, leading to privilege escalation and compromise of the environment. It discusses techniques like stealing API tokens, phishing with OAuth, and exploiting federated sessions.

• The End of an Era: Understanding the Security Risks of NTLM - Microsoft has announced the deprecation of NTLM, including all its versions, by 2027 due to significant security risks and vulnerabilities. Despite its historical significance, NTLM's weaknesses make it a prime target for attackers, enabling malicious access and lateral movement. Organizations face challenges in transitioning to more secure protocols like Kerberos and mitigating the risks associated with NTLM. Silverfort offers solutions for identity protection, privileged access management, and visibility into NTLM usage to help organizations secure their systems and data in an evolving digital landscape.

• Beyond the wail: deconstructing the Banshee infostealer - BANSHEE Stealer is a macOS-based malware that targets system information, browser data, and cryptocurrency wallets, posing a severe risk to macOS users. Despite its high price compared to other stealers, BANSHEE Stealer stands out in the market for its capabilities and versatility, targeting multiple browsers and extensions. While the malware lacks sophisticated obfuscation, its focus on macOS systems and extensive data collection make it a significant threat that requires attention from the cybersecurity community.

• Tusk: unraveling a complex infostealer campaign - The Tusk campaign is a complex infostealer campaign orchestrated by Russian-speaking cybercriminals using multiple sub-campaigns to imitate legitimate projects. The campaign involves hosting initial downloaders on Dropbox to deliver infostealers and clippers to victim's machines, along with phishing techniques to steal sensitive information like credentials. There are three active sub-campaigns identified, along with 16 inactive sub-campaigns, showcasing the threat actor's ability to rapidly create and deploy new malicious operations. The campaign highlights the advanced capabilities of the threat actors, their reliance on social engineering techniques, and the need for continuous monitoring and proactive defense strategies to mitigate these evolving threats.

• Abusing the “search-ms” URI protocol handler - The article discusses a sophisticated malware campaign that exploits the Windows search functionality through the "search-ms" URI protocol handler. Attackers craft HTML files to prompt users to open Windows Explorer, leading to the execution of malicious scripts and compromising the system. By using methods like WebDAV and obfuscated batch files, threat actors can bypass traditional security measures. The abuse of the "search-ms" protocol handler demonstrates a method for deploying malware and the registry key WordWheelQuery can be used to trace search queries and identify suspicious activities.

• Decoding a Cobalt Strike Downloader Script With CyberChef - This article discusses how to decode a Cobalt Strike downloader script using CyberChef and VsCode. The script was found on Malware Bazaar and had multiple layers of obfuscation that were removed using CyberChef. The process involved decoding URL encoding, removing excessive spacing, and decoding base64 content. The resulting decoded content revealed the script's functionality as a downloader and included the address of the next stage file. Overall, the article demonstrates techniques for analyzing malware and extracting threat intelligence from malicious scripts.

• Fighting Ursa Luring Targets With Car for Sale - A Russian threat actor known as Fighting Ursa used a car for sale advertisement as a lure to distribute backdoor malware targeting diplomats. This campaign began in March 2024 and utilized public and free services to host various stages of the attack. The group is associated with Russian military intelligence and classified as an advanced persistent threat.

Techniques and Write-ups

• Reverse Engineering for Noobs Part 1 - Reverse engineering tutorial with cool ASCII art.

• Comparing Cloud WAFs in 2024 - In 2024, a comparison of cloud-based Web Application Firewalls (WAFs) was conducted, focusing on the ability to block common web attack patterns and custom attacks. Different criteria were used including capabilities to mitigate DDoS attacks and utilize AI/machine learning methods. While WAFs are effective in stopping generic attacks, they are not a substitute for secure development practices. Collaboration between application developers and WAF deployment is essential for optimal effectiveness. Additional safeguards and comprehensive security strategies are recommended for modern enterprises.

• Tony Hawk’s Pro Strcpy - In summary, the author details their exploration of a strcpy bug in Tony Hawk’s Pro Skater 4 that leads to exploit development on various gaming consoles. They exploit the bug to gain code execution on the original Xbox, develop a software exploit for the Xbox 360, and port the exploit to other platforms like PS2 and GameCube. The author also delves into the historical context of game console hacking and the challenges and successes they encountered throughout their exploration. The full source code and patched game save files are available for further exploration.

• Indirect Prompt Injection: Advanced Manipulation Techniques - The article discusses advanced manipulation techniques using Indirect Prompt Injection (IPI) to trick Microsoft Copilot into executing various commands, such as printing emojis, answering questions, or searching the web. The author demonstrates how to give Copilot new assignments and control its actions by crafting specific prompts. The article highlights the potential dangers of AI manipulation, as attackers could exploit this vulnerability to cause harm, such as altering bank details or directing users to malicious websites. The author warns readers about the security risks associated with AI technology and emphasizes the importance of being vigilant against malicious attacks.

• Listen to the whispers: web timing attacks that actually work - The article discusses the importance and effectiveness of web timing attacks for exploiting vulnerabilities on websites. The Director of Research shares novel attack concepts, tools, and case studies to demonstrate the practicality of timing attacks. The research focuses on techniques such as discovering hidden attack surfaces, blind injections, and misconfigured reverse proxies. The article also provides recommendations for defending against timing attacks and emphasizes the need for understanding the inner workings of systems to prevent exploitation.

• Beyond the Limit: Expanding single-packet race condition with a first sequence sync for breaking the 65,535 byte limit - The article discusses a new attack technique called single-packet attack for exploiting race conditions, but it has limitations in terms of request size. To overcome this, the author introduces IP fragmentation and TCP sequence number reordering to extend the attack's capabilities. By using these techniques, the author was able to send 10,000 requests in a short amount of time and bypass rate-limiting in one-time token authentication. The article emphasizes the potential of these techniques in exploiting vulnerabilities that are difficult to exploit using traditional methods.

• Will the real #GrimResource please stand up? – Abusing the MSC file format - Outflank Security discusses how the MSC file format can be exploited to execute arbitrary code through MMC, leading to initial access or lateral movement. The technique, known as GrimResource, was researched as part of their Outflank Security Tooling (OST) offering. They explain the discovery process, the history of MSC file format abuse, and the technical details behind executing code within MMC using ActiveX controls and HTML documents. The technique, available only to vetted customers, bypasses security restrictions and allows for in-process shellcode loading.

• SCCMSecrets.py: exploiting SCCM policies distribution for credentials harvesting, initial access and lateral movement - SCCMSecrets.py is a tool that exploits SCCM policies distribution to harvest credentials, gain initial access, and move laterally in Active Directory environments. It can be used to retrieve sensitive information such as account credentials from secret policies. The tool can impersonate registered SCCM devices and pivot across different device collections to uncover additional secrets. The tool aims to identify misconfigurations related to policies distribution and privilege escalation vectors. It is a comprehensive attack tool built upon existing SCCM research and can be used by pentesters to map and report on vulnerabilities in SCCM environments.

• Copilot Vulnerable to RCE: A New Attack Vector Into The Enterprise - A recent vulnerability in Microsoft Copilot for M365 allows an external attacker to take full control over it, potentially accessing sensitive data, executing plugins, and manipulating references for social engineering. The attack can be initiated through a single email, Teams message, or calendar invite. Microsoft is working on mitigations, but the vulnerability is concerning. It is recommended to treat AI apps like experimental drugs and be cautious of the risks they present. Addressing promptware is crucial to manage this new attack vector effectively.

• Server-Side Template Injection: Transforming Web Applications from Assets to Liabilities - Server-Side Template Injection (SSTI) vulnerabilities in web applications allow attackers to inject malicious code into server-side templates, potentially leading to unauthorized data access or server compromise. These vulnerabilities are increasingly prevalent, with high-profile platforms like Atlassian Confluence and CrushFTP being targeted. Fuzzing techniques are used to identify vulnerabilities and exploit them, with attackers using obfuscation techniques like base64 encoding to evade detection. Advanced attack scenarios include cryptojacking, where attackers mine cryptocurrency using compromised server resources.

• SSH Tunnelling to Punch Through Corporate Firewalls – Updated take on one of the oldest LOLBINs - The article discusses the use of SSH tunnelling as a method to bypass corporate firewalls and access networks for pentesting or adversary simulation. It mentions different techniques and tricks to establish a tunnel using SSH, including domain fronting and alternative egress ports. The article also provides information on the availability of the OpenSSH client on Windows machines and emphasizes the importance of monitoring and securing endpoints to prevent misuse of SSH.

• Sleeping With the Phishes: Hiding C2 With Stealthy Callback Channels - The article discusses the challenges of setting up a custom command and control (C2) implant and ensuring successful communication with the implanted device. It explores different methods of hiding C2 communication using stealthy callback channels such as HTTP(S), DNS, ICMP, SMTP, DNS over TLS and HTTPS, living off trusted sites, STUN, TURN, and mixed callbacks. The goal is to blend in with existing network traffic to avoid detection and ensure successful communication with the implanted device for red teaming purposes.

• From object transition to RCE in the Chrome renderer - The blog post discusses an exploitation of a type confusion bug in Chrome (CVE-2024-5830) that allows remote code execution (RCE) in the renderer sandbox by visiting a malicious site. The post delves into object maps, transitions, and deprecations in V8, explaining how updating a deprecated map can lead to a dictionary map, causing OOB access and eventually enabling arbitrary read and write in the V8 heap. Additionally, the post explores bypassing the V8 heap sandbox by modifying API objects, causing type confusions in Blink objects and achieving arbitrary code execution in the Chrome renderer process.

• Front-End Frameworks: When Bypassing Built-in Sanitization Might Backfire - Front-End frameworks like React, Angular, and Vue.js provide protection against Cross-Site Scripting (XSS) vulnerabilities by automatically escaping untrusted content. However, bypassing this built-in sanitization can be dangerous and developers must ensure that any inserted raw HTML content is safe. Sonar provides code quality analysis tools to help developers ensure clean code, reduce technical debt, and improve security. A case study involving the finance application Firefly III highlights the risks of bypassing sanitization and the potential for Client-Side Path Traversal vulnerabilities. The vulnerability was fixed with Firefly III version v6.1.1, demonstrating the importance of properly sanitizing raw HTML data.

• Compromising Microsoft's AI Healthcare Chatbot Service - Tenable Research discovered critical vulnerabilities in the Azure Health Bot Service, allowing access to cross-tenant resources. Microsoft confirmed the vulnerabilities and rolled out fixes to all affected services and regions. Tenable researchers discovered another vulnerable endpoint used for validating data connections but reported the issue to Microsoft, with fixes available shortly after. No evidence of exploitation was found, highlighting the importance of traditional web application and cloud security mechanisms in the era of AI-powered services.

• ArtiPACKED: Hacking Giants Through a Race Condition in GitHub Actions Artifacts - Cloud Cybersecurity Research has identified a security vulnerability in GitHub Actions artifacts that could lead to the compromise of GitHub repositories and potentially provide high-level access to cloud environments. This vulnerability is caused by misconfigurations and security flaws that allow artifacts to leak tokens, including GitHub tokens and third-party cloud service tokens. The research focuses on the discovery of vulnerable public repositories, including those owned by major companies. The potential impact of insecure usage of GitHub Actions artifacts is discussed, along with tools and methods to protect against this threat.

• UnOAuthorized: Privilege Elevation Through Microsoft Applications - Semperis has discovered a privilege escalation vulnerability in Entra ID that allowed attackers to perform unauthorized actions beyond expected authorization controls. The vulnerability involved the ability to add and remove users from privileged roles, such as the Global Administrator role. Additionally, Semperis found that certain Microsoft application service principals were allowed to perform privileged actions despite having no official permission to do so. The company reported its findings to Microsoft and worked with them to address the vulnerabilities. Organizations using Semperis' Directory Services Protector will receive a security indicator to check for and report credentials assigned to vulnerable Microsoft applications.

• Harnessing LLMs for Automating BOLA Detection - The post discusses using large language models (LLMs) to detect broken object level authorization (BOLA) vulnerabilities in web applications. Traditional methodologies like fuzzing and static analysis are ineffective in detecting BOLAs, making manual detection the standard approach. By combining LLMs with heuristics, the methodology enables fully automated BOLA detection at scale. The research has uncovered BOLA vulnerabilities in both internal and open-source projects, demonstrating the potential of AI in revolutionizing vulnerability detection in security research. Additionally, the post emphasizes the need for vigilance and proactive strategies in cybersecurity to counter potential threats posed by AI technology.

• You Can’t Spell WebRTC without RCE - Part 3 - In the final part of the blog series, Margin Research explores how synthetic vulnerabilities were injected into Signal and WebRTC to exfiltrate the Signal database from a victim's phone. Limitations of the exploit were discussed, such as the size restrictions on leaked data chunks and the use of a debug Signal-iOS build. Indicators of compromise (IOCs) related to user interface behavior, network activity, and database usage were also analyzed. Third-party messaging apps like Signal lack some IOCs found in iMessage, making in-the-wild exploitation less observable. The blog series provides in-depth technical details on iOS exploitation and recommends a defensive perspective to better understand IOCs from the target's point of view.

• CVE-2024-38428 Wget Vulnerability: All you need to know - The blog discusses the CVE-2024-38428 Wget vulnerability, a critical security issue affecting GNU's Wget tool up to version 1.24.5. The vulnerability allows for attacks such as phishing, SSRF, and MiTM, potentially leading to resource restriction bypass, sensitive information exposure, and malware installation. The blog provides in-depth details on how the vulnerability can be exploited and recommends mitigating the issue by updating to a fixed version or implementing mitigation strategies. The JFrog DevOps platform is confirmed to not be vulnerable to this CVE.

• Wormable Substack XSS - The post discusses a stored Cross-Site Scripting (XSS) vulnerability found in Substack that allowed for arbitrary JavaScript to be executed when viewed by users. A proof-of-concept was developed that posted a note to a victim's account without user intervention. The vulnerability was caused by a type confusion issue in ProseMirror, which was mitigated by upgrading ProseMirror and TipTap. Recommendations are provided for users of ProseMirror and TipTap to upgrade and review node and mark specs to address the vulnerability. The timeline of events leading to the discovery and mitigation of the vulnerability by Substack is detailed, with Calif, a security consultancy firm, being involved in the process.

• QuickShell: Sharing Is Caring about an RCE Attack Chain on Quick Share - SafeBreach Labs researchers discovered ten vulnerabilities in Google's Quick Share data transfer utility, leading to an innovative remote code execution (RCE) attack chain for Windows. By manipulating the application-layer communication protocol, they were able to identify and exploit these vulnerabilities. Google fixed the vulnerabilities and issued two CVEs. The researchers shared their findings with the security community to help mitigate potential risks associated with these vulnerabilities. They also developed tools and attack content for the SafeBreach platform for further validation and research.

• Hacking a Secure Industrial Remote Access Gateway - The blog post describes the security vulnerabilities found in the industrial remote access solution Ewon Cosy+ that allow unauthenticated attackers to gain root access to the device. The vulnerabilities discovered include OS command injection, a persistent XSS vulnerability, and hard-coded cryptographic keys. By exploiting these vulnerabilities, attackers can hijack VPN sessions and gain administrative access to the device. The post also highlights the importance of robust security measures for industrial remote access solutions and recommends updating Ewon Cosy+ devices to the patched firmware versions provided by the manufacturer.

• Indirect prompt injection in the real world: how people manipulate neural networks - Indirect prompt injection is a method where users manipulate language models to execute different instructions than intended. This can lead to various outcomes, such as changing search engine results, altering job application responses, or inserting hidden messages in resumes. While some use prompt injection for fun or protest, there are potential security risks involved, especially with indirect injections coming from third-party sources. To protect against such attacks, it is essential to assess the risks involved and implement security measures to filter inputs and outputs of language model systems.

• Ghost in the PPL Part 1: BYOVDLL - The blog post discusses the concept of BYOVDLL (Bring Your Own Vulnerable DLL) to bypass LSA protection in Userland and load an arbitrary DLL in LSASS. The author explores the challenges faced while developing a proof-of-concept and details the process of loading a vulnerable version of the KeyIso DLL in LSASS. By registering a custom Key Storage Provider, the author successfully exploits vulnerabilities to gain arbitrary code execution within a protected LSASS process.

• CVE-2024-28056: Exploit an AWS Amplify Vulnerability in Same-Account Scenarios - A vulnerability was discovered in AWS Amplify that exposed IAM roles to takeover in certain scenarios. Changes were made to IAM and STS APIs to address the issue, but same-account role assumption using Cognito remains a potential exploit. To exploit the vulnerability, specific steps involving AWS CLI commands can be followed to generate IAM credentials for the vulnerable role. It is recommended to delete or update vulnerable roles in order to prevent exploitation.

• CVE-2024-20419: Cisco Smart Software Manager On-Prem Password Change Vulnerability - Cisco Smart Software Manager On-Prem has a critical vulnerability (CVE-2024-20419) that exposes systems to unauthorized password changes. An attacker can exploit this weakness by sending specially crafted HTTP requests to change any user's password without proper authentication. Cisco has released patches for affected versions, and administrators are urged to apply them to avoid potential exploitation, especially since proof-of-concept exploit code is now available.

• Splitting the email atom: exploiting parsers to bypass access controls - The article discusses how email parsing discrepancies can be exploited to bypass access controls and even gain Remote Code Execution (RCE) using encoded-word and Punycode attacks. The author shares their methodology of probing, observing, encoding, and exploiting to find vulnerabilities. They also provide tools like Hackvertor tags and Turbo Intruder scripts to automate the exploitation process. The research resulted in successful exploitation of systems like Github, Zendesk, and Gitlab, leading to fixes for the identified vulnerabilities. Additionally, the article highlights the importance of validating email addresses and not relying solely on email domains for authorization.

• Dismantling Smart App Control - The article discusses weaknesses in Windows Smart App Control and SmartScreen that allow attackers to gain initial access without security warnings. Attackers can bypass these security controls by signing malware with code-signing certificates, hijacking the reputation of trusted applications, or tampering with file reputations. The article also provides detection logic and countermeasures to help defenders identify and mitigate these attacks until a patch is available. In conclusion, security teams should carefully scrutinize downloads in their detection stack and not rely solely on OS-native security features for protection.

• GitHub Actions exploitation: Dependabot - This article discusses a new GitHub action exploitation technique using the Dependabot GitHub app to compromise repositories by pushing arbitrary code. Dependabot is a GitHub app that scans repositories for vulnerabilities in dependencies and suggests updates. The article details how this vulnerability was discovered and provides examples of real-world exploitation scenarios. It also highlights the importance of secure workflows and the potential risks associated with third-party apps like Dependabot.

• From Exploits to Forensics: Unraveling the Unitronics Attack - Team82 has published research on Unitronics' integrated PLCs/HMIs following critical infrastructure attacks at water treatment facilities in the US and Israel. They developed tools, PCOM2TCP and PCOMClient, to extract forensics information from Unitronics devices and uncovered two new vulnerabilities. The attacks were attributed to the Iran-linked CyberAv3ngers group, who defaced the Unitronics devices and left threatening messages.

• Links and materials for Living off Microsoft Copilot - This post provides links and materials for a talk at BlackHat USA 2024 titled "Living off Microsoft Copilot". It includes demonstrations on manipulating sensitive data, phishing attacks, and bypassing security measures using Copilot. It also offers offensive security tools for leveraging Copilot in Microsoft 365 environments. Additionally, it mentions other researchers and their work in AI security and jailbreaking.

• Chained for attack: OpenVPN vulnerabilities discovered leading to RCE and LPE - Microsoft researchers have discovered multiple vulnerabilities in OpenVPN that can be exploited by attackers to achieve remote code execution (RCE) and local privilege escalation (LPE). These vulnerabilities could allow attackers to gain full control over targeted endpoints and potentially result in data breaches and unauthorized access to sensitive information. Microsoft reported the vulnerabilities to OpenVPN in March 2024 and worked with them to release patches to address the issues. It is recommended that OpenVPN users apply the latest security updates and take steps to mitigate potential exploitation risks associated with these vulnerabilities.

• Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server! - The article discusses an attack surface known as Confusion Attacks within Apache HTTP Server, highlighting architectural issues and technical debts within Httpd. The research uncovers three types of Confusion Attacks, nine new vulnerabilities, 20 exploitation techniques, and over 30 case studies. These attacks exploit hidden semantic ambiguity within Apache HTTP Server, leading to various security risks, including access control bypass, server-side source code disclosure, local gadget manipulation, and arbitrary handler invocation. Additionally, the article mentions other vulnerabilities such as Windows UNC-based SSRF and SSRF via full control of RewriteRule Prefix. The research aims to shed light on the potential security risks posed by architectural issues in Apache HTTP Server.

• Pwn2Own Automotive 2024: Hacking the ChargePoint Home Flex (and their cloud...) - During Pwn2Own Automotive 2024 in Tokyo, exploits were demonstrated against three different EV chargers, including the ChargePoint Home Flex. The research on the ChargePoint Home Flex revealed vulnerabilities that allowed for arbitrary code execution via Bluetooth. Despite facing competition, the team was able to develop new exploit chains, including intercepting cloud communication and executing commands on the device remotely via SSH. These vulnerabilities highlight the importance of security in smart devices like EV chargers.

• How Hackers Steal Your RFID Cards - The passage discusses the challenges faced by business owners in the wake of the COVID-19 pandemic, such as reduced foot traffic and changing consumer behaviors. Many businesses have had to adapt by offering online or delivery services, implementing health and safety measures, and reevaluating their business models. Despite the difficulties, some businesses have found ways to thrive by embracing innovation and leveraging technology.

• Mixing watering hole attacks with history leak via CSS - The article discusses using history leak via CSS in conjunction with watering hole attacks, specifically targeting users based on their browsing history. By tracking users who have visited specific platforms or websites, attackers can narrow down their target list and deploy tailored payloads, increasing the chances of success and avoiding detection. By manipulating CSS to hide text and create a faux captcha, attackers can covertly engage with users and potentially gain access to sensitive information. The technique allows for a more surgical approach to targeting users, increasing the likelihood of a successful attack.

• Oops I UDL'd it Again - TrustedSec discovered a new phishing technique using UDL files, typically used for testing database connections. By manipulating the UDL file, attackers can trick users into revealing their credentials. The technique involves changing the port to bypass firewall restrictions and capturing credentials through Responder.

• Exploiting Lambda Functions for Fun and Profit - Praetorian discovered a vulnerability in a client’s platform that used Lambda functions to sandbox untrusted code builds. The Lambda runtime API allowed attackers to access sensitive data within the client’s AWS environment. Praetorian recommended implementing security controls, such as restricting access to the runtime API and implementing AWS NACLs, to mitigate the risk of unauthorized access to sensitive data. Lambda functions, though ephemeral, do not provide complete isolation from a security perspective, requiring complex security controls for protection.

• Account Takeover via Broken Authentication Workflow: Free Lifetime Streaming! - A blog post by Praetorian discusses a critical account takeover vulnerability discovered in a streaming platform. The vulnerability, related to insecure authentication, allowed attackers to take over any account on the platform by manipulating the login workflow. Praetorian recommends implementing server-side token generation and backend logic to mitigate such vulnerabilities and protect users' sensitive information. The post emphasizes the importance of secure authentication mechanisms to prevent financial losses and maintain the integrity of digital services.

• Windows Downdate: Downgrade Attacks Using Windows Updates - SafeBreach Labs researcher discovered a vulnerability in Windows Update process that allows for downgrade attacks, turning fully patched systems into vulnerable ones. This research showcased how to exploit this vulnerability to bypass security features and elevate privileges on Windows machines. The implications of this research extend beyond Windows and serve as a reminder for all OS vendors to be vigilant against downgrade attacks. Microsoft was informed of these findings and has been actively working on mitigations. SafeBreach has integrated these attack techniques into their platform to help organizations test their defenses against such attacks.

• Version Tracking in Ghidra - LRQA Nettitude Labs discusses version tracking in Ghidra, a tool for reverse engineering binaries. When newer versions of a binary are released, the Version Tracking tool can save time by applying markup from previous versions to the latest one. The process involves creating a session, running correlators to find matches between source and destination binaries, and applying the markup. The tool helps ensure that previous annotations and understanding of a binary's behavior are not lost when new versions are released.

• SSRF: A complete guide to exploiting advanced SSRF vulnerabilities - SSRF vulnerabilities are a severe web security threat, allowing attackers to access internal infrastructure. This guide explains how to identify and exploit SSRF vulnerabilities, including bypassing host and protocol whitelists. Various techniques, such as exploiting blind SSRFs and using DNS rebinding, are discussed. Intigriti offers bug bounty programs and pentesting services to help businesses protect their brand and data.

• BloodHound Operator — Dog Whispering Reloaded - In this blog post from August 2024, the author discusses a new PowerShell module called BloodHound Operator that interacts with the BloodHound REST API to automate tasks. The post covers the differences between the old and new versions of BloodHound, how to authenticate to the API, and how to get started with the BloodHound Operator module. The author also provides examples of using the module to query data from BloodHound, emphasizing the ease of automation with the new tool. The post concludes by inviting readers to reach out with any questions about the tool.

• How to Handle Development Projects in a Pentest Company - The article discusses the challenges faced by pentest companies when handling development projects, such as maintaining and organizing scripts written by different team members in various programming languages. It emphasizes the importance of having a developer handbook to ensure consistency, knowledge transfer, and ease of onboarding new team members. The handbook covers sections like code of conduct, defining programming languages, code styles, editors, version control, project setup, testing, CI/CD, documentation, security, performance, and learning resources. The article also provides insights into how to automate the generation of the handbook using tools like GitHub actions and pandoc.

• IoT firmware emulation and device fingerprinting challenges - IoT firmware emulation and device fingerprinting present challenges, as gathering information on a device can be difficult without direct access to exposed services. Emulating firmware can help with device fingerprinting and vulnerability finding, but technical constraints and proprietary code can make it tricky. The article focuses on emulating a Zebra RFID reader for device fingerprinting, but tools like firmadyne may face issues with emulating binaries correctly. Despite difficulties, identifying the model of an IoT device is important for targeted support and maintenance, although challenges like hardware interactions and emulating SNMP daemons may arise.

• Vestaboard: Exploring Broken Access Controls and Privilege Escalation - Security firm Rhino Security Labs conducted research on the Vestaboard web platform and identified instances of Broken Access Controls and Privilege Escalation. The vulnerabilities allowed unauthorized users to access and modify content on other Vestaboards and escalate their privileges.

• Indirect Prompt Injection: From Initial Success to Robustness - The blog discusses Indirect Prompt Injection (IPI) as a way to manipulate LLM applications, particularly Microsoft Copilot, by crafting instructions within documents sent to the application. The author provides examples of successfully tricking Copilot into printing emojis instead of providing the requested information, demonstrating the effectiveness of IPI. They also show how they targeted specific questions, such as requesting bank details, and ultimately achieved a robust and reliable IPI method by mentioning Copilot by name in the instructions. The blog concludes by hinting at further potential uses for IPI beyond emojis.

• Patch Diffing Microsoft Windows Wi-Fi Driver Vulnerability (CVE-2024-30078) - Part 1 - Microsoft released a patch in June 2024 for a Remote Code Execution (RCE) vulnerability in the Windows Wi-Fi driver. An unauthenticated attacker within range of the target computer’s wireless network adapter could exploit the vulnerability by sending a specially crafted wireless network packet. The patch diffing process involves analyzing the patched and unpatched files for Windows 11 version 23H2 to determine the specific function that was updated to address the vulnerability. The examination focuses on the Dot11Translate80211ToEthernetNdisPacket function, which translates 802.11 wireless frames to Ethernet NDIS packets, and involves reverse engineering to understand the changes made to address the vulnerability.

• Hacking Beyond.com — Enumerating Private TLDs - The author discovered during a red team assessment that owning top-level domains (TLDs) can lead to finding vulnerabilities in a target. Unable to find a tool to enumerate owned TLDs, the author created tldfinder in collaboration with ProjectDiscovery to discover TLDs, related subdomains, and domain names. The tool has three discovery modes: TLD, DNS, and Domain, and allows for active DNS brute force and passive querying of data sources. Users can add API keys to improve results and the tool aims to help identify vulnerabilities in organizations owning multiple TLDs.

• CVE-2024-38213: Copy2Pwn Exploit Evades Windows Web Protections - The Zero Day Initiative discovered an exploit, CVE-2024-38213, that allows bypassing Windows web protections, leading to remote code execution. The exploit named copy2pwn involves copying files from WebDAV shares without Mark-of-the-Web protections. Threat actors have been increasingly using WebDAV shares to host payloads, bypassing security mechanisms like Windows Defender SmartScreen. Users need to be aware of these vulnerabilities and take precautions to prevent copy2pwn attacks.

• Ghost in the Wireless: An introduction to Airspace Analysis with Kismet - The blog "Ghost in the Wireless: An introduction to Airspace Analysis with Kismet" by Black Hills Information Security introduces practical analysis of wireless communications using Kismet. It explains how wireless communications work by transmitting waves of various frequencies and provides a detailed walkthrough on setting up the tool for analyzing 802.11x traffic. The blog also covers setting up an adapter and software to view WIFI signals, monitoring surrounding airspace, and interpreting data collected by Kismet. It concludes with a foundation for advanced wireless analysis and plans to cover identifying rogue access points and launching active attacks against networks in future installments.

• A deep dive into CVE-2023-2163: How we found and fixed an eBPF Linux Kernel Vulnerability - This blog post provides a detailed analysis of CVE-2023-2163, a vulnerability found in the eBPF subsystem of the Linux Kernel. The post outlines the process of discovering and fixing the vulnerability, highlighting the importance of thorough vulnerability assessments and timely patches. The authors aim to raise awareness about the potential risks associated with eBPF and advocate for proactive security measures in the Linux Kernel.

• Writing a PE Loader for the Xbox in 2024 - In 2024, the author embarked on the challenge of writing a PE Loader for the Xbox, facing obstacles such as dealing with thread-local storage and reinventing the wheel. The loader was needed to run arbitrary code on the Xbox One system and bypass code integrity checks. A Reflective PE Loader was developed in Rust, with a focus on addressing complex issues like TLS data and preventing crashes in hijacked applications. The loader was successfully used to launch exploits, elevate privileges, and run custom applications on the Xbox, achieving the goal of loading complex programs.

• RAG Poisoning: All You Need is One Document - The article discusses the concept of RAG poisoning, which is an attack on RAG-based LLM applications that involves providing false or poisoned information to manipulate the AI's responses. It explains how attackers can craft a simple document to trick RAG applications like Microsoft Copilot into providing incorrect answers to specific questions. The implications of RAG poisoning in the business context are highlighted, emphasizing the potential dangers of relying too heavily on AI for decision-making. The article concludes with a narrative example of how a user named Jane successfully poisons Microsoft Copilot to mislead a colleague.

• Hiding in plain sight (part 2) - Abusing the dynamic linker - This article discusses a defense evasion technique on Solaris and BSD systems that involves borrowing process names to avoid detection. The technique is extended to Linux with additional anti-forensic behaviors. By manipulating environment variables and the dynamic linker, threat actors can hide malicious code within legitimate processes. The article provides code examples and details on how to detect and prevent this technique. Detection can be done through system calls telemetry and monitoring shared libraries. The article also highlights the importance of monitoring for unusual behavior and artifacts that may indicate process masquerading.

• From Evidence to Advantage: Leveraging Incident Response Artifacts for Red Team Engagements - This blog post discusses how incident response artifacts can be leveraged by red team operators for offensive cyber security purposes. It explores the types of artifacts that can be collected, the insights they provide, and the benefits of using them to refine red team techniques. The author also introduces a proof of concept tool called KNOCKOUT, developed in C# to automate the collection of artifacts.

• OWASP Top 10 : Penetration Testing with SOAP Service and Mitigation - This document provides information on various penetration testing services such as OWASP Top 10, Mobile Application Security, Thick Client Penetration Testing, VoIP Penetration Testing, and more. It also discusses common vulnerabilities in SOAP services such as SQL injection, command injection, XML injection, SOAP action spoofing, and SOAP parameter DOS attack. Mitigation strategies for these vulnerabilities are also mentioned. Additionally, the importance of securing WSDL, conducting thorough testing for web services, and maintaining confidentiality, integrity, and authenticity in web applications are highlighted.

• Redirect attack on Shadowsocks stream cipher - A vulnerability in the Shadowsocks stream cipher allows attackers to decrypt encrypted packets using a redirect attack. This means that sensitive information can be easily accessed by monitoring traffic. The vulnerability affects all official implementations of Shadowsocks except for shadowsocks-libev, which supports AEAD ciphers. To protect against attacks, it is recommended to use AEAD ciphers and strong passwords.

Tools and Exploits

• SCCM HTTP Looter - The SCCM HTTP Looter tool is designed to find interesting files stored on System Center Configuration Manager (SCCM/CM) shares via HTTP(s). This tool provides a way to access files on SCCM distribution points using HTTP/S when SMB access is restricted. By parsing directory listings and downloading files based on user-specified criteria, the tool can retrieve files from SCCM DP servers. It offers an alternative method for accessing files on SCCM shares and is particularly useful when SMB access is limited.

• keywa7 - The keywa7 tool bypasses firewall's Application Based Rules, allowing users to connect to any IP, port, and application. It exploits Next Generation Firewalls like Cisco FTD by creating a custom tunnel for data exchange. Users can test their vulnerability using a simple telnet test. The tool is intended for educational purposes only, and the author does not take responsibility for any misuse.

• Arcane - Arcane is a secure remote desktop application for Windows with a server written in PowerShell and a client written in Python/QT6. It offers features like remote desktop streaming, mouse and keyboard control, network traffic encryption, and clipboard synchronization. The project is currently in beta and not recommended for production environments. It also includes options for installing and running the server and viewer, as well as features like view-only mode, multiple viewer collaboration, and file transfer capabilities.

• PowerOfTcb - This directory covers how to use SeTcbPrivilege for educational purpose.

• GhostWrite - The GhostWrite vulnerability affects T-Head XuanTie C910 and C920 RISC-V CPUs, allowing attackers to read and write any part of a computer's memory and control peripheral devices. Disabling the vector extension in the CPU can mitigate the vulnerability but impacts performance. The vulnerability was discovered through differential fuzz-testing by researchers at the CISPA Helmholtz Center for Information Security. Devices affected include personal computers, laptops, and cloud servers with the vulnerable CPUs. Mitigating measures and impacts on performance are discussed, and no evidence of exploitation in the wild has been reported.

• Gato (Github Attack TOolkit) - Gato-X is an advanced GitHub Attack Toolkit that automates enumeration and exploitation techniques for security research purposes. It is a fork of the original Gato tool developed by Adnane Khan and others. Features include automated self-hosted runner attacks, scanning for vulnerabilities, injection and pwn request enumeration, and more.

• TLDFinder - The GitHub repository projectdiscovery/tldfinder is a tool for discovering top-level domains (TLDs), associated domains, and related domain names. It offers features such as TLD-based DNS lookups and reverse domain lookups. Users can install the tool using a specific command and utilize various switches to customize their domain discovery process.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• Zeroday on Github Copilot - Marlon Fabiano (Astrounder) identified and reported two zero-day vulnerabilities in GitHub Copilot that could potentially allow for the alteration of the model's behavior and leakage of developers' data. One vulnerability involved direct prompt injection, allowing for malicious manipulation of Copilot's responses. The other vulnerability was an indirect prompt injection via the @workspace plugin, which could lead to unauthorized actions within the workspace. GitHub promptly addressed these issues to ensure the security and reliability of Copilot as a development tool. The incident highlights the importance of maintaining secure development environments and constant vigilance in the face of evolving security challenges in AI-assisted tools.

• How a GraphQL Bug Resulted in Authentication Bypass - A GraphQL bug in an e-commerce application API allowed an attacker to bypass authentication and gain administrative access to edit promotional content. The bug was discovered by J. Francisco Bolivar, who used GraphQL as an alternate channel to escalate privileges. Authentication bypass vulnerabilities in GraphQL APIs are common due to the flexible and complex nature of the schema design. To avoid such bugs, it is important to secure authentication and authorization correctly in GraphQL APIs by specifying permissions for each query and mutation and removing unnecessary functionality. This severe vulnerability was reported and fixed through the HackerOne bug bounty program.

• Hacking a 2014 tablet... in 2024! - Roger managed to hack and unlock a 2014 Amazon Fire tablet, which features a unique MediaTek SoC. Despite the device's age, Roger was able to analyze the firmware, root the device, and exploit the Preloader to upload his own payload. He was also able to unlock the bootloader and even build a stable custom ROM based on LineageOS 12.1 for the device. Roger's journey provided valuable insights into MediaTek devices and low-level functionality.

• FAQ: The tragedy of low-level exploitation - The blog post discusses the challenges of pursuing a career in low-level exploitation in the cybersecurity industry. It mentions that jobs focusing solely on low-level exploitation are rare and mostly limited to intelligence and espionage agencies. Opportunities for low-level exploitation are also limited in pentesting and internal security teams, as most vulnerabilities can be fixed without the need for complex exploits. The post also highlights the importance of vulnerability research and bug bounties in the industry, but notes that pursuing a career in low-level exploitation may require significant time investment and specialized skills.

• Why exploits prefer memory corruption - In the blog post, the author discusses why exploits tend to prefer memory corruption over other vulnerabilities. They argue that memory corruption is the simplest way for attackers to manipulate a target system and achieve their goals, especially when exploiting end-user devices. The author believes that memory corruption techniques will continue to dominate real-world exploitation, even as the shift towards memory-safe languages makes memory unsafety bugs rarer. They make a distinction between memory corruption and memory unsafety vulnerabilities and explain how memory corruption allows attackers to access a strongly connected component, enabling them to manipulate a program's memory state. .