
Last Week in Security - 2024-09-05


We're Hiring!


For more open positions visit: https://www.sixgen.io/careers


Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools, and exploits from the past week. This post covers 2024-08-26 to 2024-09-02.

News

  • Hackers use AppDomain Injection to drop CobaltStrike beacons - A wave of attacks beginning in July 2024 has used a rarely seen technique, AppDomain Manager Injection, to turn legitimate signed .NET applications on Windows into loaders: a configuration file placed beside the executable points the .NET runtime at a malicious AppDomainManager assembly, which runs inside the trusted process and makes detection difficult. The attacks, likely linked to the Chinese state-sponsored group APT41, targeted government and military organizations in Asia and began with a ZIP archive containing a malicious MSC file that executes code without user interaction via the GrimResource technique.

  • DOJ OIG Releases Management Advisory Memorandum of Concerns Identified with the FBI’s Inventory Management and Disposition Procedures of Electronic Storage Media - The Department of Justice Office of the Inspector General released a memo outlining concerns with the FBI's inventory management and disposition procedures for electronic storage media containing sensitive information. They found that the FBI does not always account for loose electronic storage media, does not mark extracted media with appropriate classification, and does not physically secure media slated for disposal. The OIG made three recommendations to improve the FBI's management in this area, which the FBI agreed to implement.

  • New 0-Day Attacks Linked to China’s 'Volt Typhoon' - Researchers have discovered a new zero-day vulnerability being exploited by malicious hackers in Versa Director Software, utilized by Internet and IT service providers. The attacks are linked to a Chinese cyber espionage group named Volt Typhoon, focusing on infiltrating critical U.S. networks. Versa has issued a security advisory urging customers to deploy a patch to fix the vulnerability, which allows attackers to upload files to vulnerable systems. Black Lotus Labs has identified backdoors in affected systems and linked the activity to Volt Typhoon, known for zero-day attacks targeting IT infrastructure providers. The group has been previously identified by security organizations such as the NSA and FBI for its sophisticated tactics.

  • Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations - A joint advisory warns that Iran-based cyber actors associated with the Government of Iran continue to compromise U.S. and foreign organizations, both to conduct their own network exploitation and to hand access to ransomware affiliates. Targets span education, finance, healthcare, and defense. The actors typically gain initial access by exploiting vulnerabilities in internet-facing networking devices and then work with the affiliates to deploy ransomware on the victim networks.

  • When Get-Out-The-Vote Efforts Look Like Phishing - Multiple media reports warned Americans about a phishing scam disguised as a voter registration text message. The messages were sent by a California political consulting firm as part of a well-meaning get-out-the-vote effort but had the hallmarks of a phishing campaign. The firm, Movement Labs, targeted underrepresented groups to help them register to vote, but the messages violated key election outreach principles and caused confusion and mistrust among recipients. Despite intentions to increase voter turnout, the campaign resulted in chaos, reduced turnout, and potential harm to democracy.

  • Proof-of-concept code released for zero-click critical IPv6 Windows hole - Proof-of-concept code has been released for a critical IPv6 Windows vulnerability with a 9.8 CVSS score that allows remote code execution. The vulnerability affects Windows 10, Windows 11, and Windows Server systems. Microsoft issued a patch for the vulnerability on Patch Tuesday, but some admins may have delayed installation.

  • North Korean hackers exploited Chrome zero-day to steal crypto - North Korean hackers exploited a zero-day vulnerability in Chromium-based browsers to target organizations and steal cryptocurrency. Microsoft attributes the activity to Citrine Sleet, a group that primarily targets financial institutions and individuals dealing in cryptocurrency. The exploit abused a bug in the V8 JavaScript engine at Chromium's core and was chained with further stages to install malware and take full control of the targeted systems. The incident highlights the ongoing effort by North Korean government hackers to steal cryptocurrency to fund the regime's weapons programs.

  • Researcher sued for sharing data stolen by ransomware with media - A security researcher was sued for sharing data stolen by ransomware with the media after the City of Columbus suffered a ransomware attack.

Threat Intel and Defense

  • BlackSuit Ransomware DFIR Report - In December 2023, a BlackSuit ransomware intrusion was observed that began with execution of a Cobalt Strike beacon. The threat actor used tools such as SharpHound, Rubeus, and SystemBC alongside built-in system tools for discovery and lateral movement. Command and control traffic was proxied through Cloudflare to hide the Cobalt Strike team server. During the intrusion the actor performed Kerberoasting, accessed LSASS memory for credentials, and carried out reconnaissance; the ransomware was deployed 15 days after initial access.
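The Kerberoasting step above leaves a recognizable trace in Windows Security event 4769 (a Kerberos service ticket was requested): a single user account requesting RC4-HMAC (encryption type 0x17) tickets for many distinct service principals in a short window. The following is an added detection example, not code from the DFIR Report; the event records are constructed for illustration and the thresholds (five-minute window, three services) are assumptions to tune for your environment.

```python
"""Added example: flag likely Kerberoasting in Windows Security 4769 records.
Heuristic: RC4-HMAC (0x17) service tickets for non-machine services, several
distinct services requested by one account within a short window."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17

# Constructed sample 4769 events: (timestamp, requesting account, service name, etype)
SAMPLE_EVENTS = [
    ("2023-12-04T10:00:01", "jdoe@CORP.LOCAL", "MSSQLSvc/db01.corp.local:1433", 0x17),
    ("2023-12-04T10:00:02", "jdoe@CORP.LOCAL", "HTTP/web01.corp.local", 0x17),
    ("2023-12-04T10:00:02", "jdoe@CORP.LOCAL", "CIFS/fs01.corp.local", 0x17),
    ("2023-12-04T10:00:03", "jdoe@CORP.LOCAL", "svc_backup", 0x17),
    ("2023-12-04T10:00:03", "jdoe@CORP.LOCAL", "svc_sql", 0x17),
    ("2023-12-04T10:05:00", "asmith@CORP.LOCAL", "CIFS/fs01.corp.local", 0x12),  # AES, normal
    ("2023-12-04T10:06:00", "WS01$@CORP.LOCAL", "WS02$", 0x17),  # machine-to-machine, ignored
]


def is_machine_account(name):
    """Computer accounts end in '$'; their tickets are noise for this rule."""
    return name.split("@")[0].endswith("$")


def detect_kerberoasting(events, window=timedelta(minutes=5), min_services=3):
    """Return {account: sorted services} for accounts that requested RC4 service
    tickets for at least `min_services` distinct non-machine services within
    `window`. Legitimate users rarely touch that many SPNs with RC4 at once."""
    per_account = defaultdict(list)
    for ts, account, service, etype in events:
        if etype != RC4_HMAC or is_machine_account(account) or is_machine_account(service):
            continue
        per_account[account].append((datetime.fromisoformat(ts), service))

    hits = {}
    for account, reqs in per_account.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            in_window = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(in_window) >= min_services:
                hits[account] = sorted(in_window)
                break
    return hits


if __name__ == "__main__":
    for account, services in detect_kerberoasting(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting by {account}: {services}")
```

Feed real 4769 records through the same function after mapping the TicketEncryptionType, ServiceName and TargetUserName fields to the tuple shape above; environments that still issue RC4 tickets routinely will need a higher service threshold or an allowlist.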

  • HZ Rat backdoor for macOS attacks users of China’s DingTalk and WeChat - In June 2024, a macOS version of the HZ Rat backdoor was discovered targeting users of China's DingTalk and WeChat. The backdoor collects data such as WeChat ID, email, phone number, and organizational information from DingTalk users. It establishes connections to command and control servers and has the capability to move laterally across networks. The backdoor was found to be active and may be used for future attacks. The backdoor also uses private IP addresses for communication and C2 servers were located mostly in China.

  • My Methodology to AWS Detection Engineering (Part 2: Risk Assignment) - In Part 2 of the blog series on AWS Detection Engineering, the focus is on Risk Assignment. The author discusses the logic needed for risk assignment, including initial filters, severity, fidelity, and base risk score calculations. The methodology involves assigning risk scores using a correlation search and sending the information to the risk index using the collect command.
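To make the risk-assignment idea concrete, here is an added sketch of a risk-based alerting pipeline of the kind the post describes: each detection emits a risk event, events pass an initial filter, get a score from severity and fidelity, are summed per principal over a window, and an alert fires when the total crosses a threshold. This is not the author's code or formula; the severity weights, the scoring function, the filter and the sample events are all assumptions constructed for the example.

```python
"""Added example: minimal risk-based alerting over constructed AWS detections.
Weights, formula, filters and events are assumptions, not the post's logic."""
from collections import defaultdict
from datetime import datetime, timedelta

SEVERITY_WEIGHT = {"informational": 20, "low": 40, "medium": 60, "high": 80, "critical": 100}

# Initial filter: principals whose activity is expected and should not accrue risk.
IGNORED_PRINCIPAL_SUBSTRINGS = ("role/aws-service-role/", "role/AWSServiceRole")

# Constructed risk events: (time, principal ARN, detection name, severity, fidelity)
RISK_EVENTS = [
    ("2024-08-20T09:00:00", "arn:aws:iam::123456789012:user/ci-deploy", "ConsoleLogin without MFA", "medium", 0.7),
    ("2024-08-20T09:03:00", "arn:aws:iam::123456789012:user/ci-deploy", "GetSecretValue from new ASN", "high", 0.6),
    ("2024-08-20T09:10:00", "arn:aws:iam::123456789012:user/ci-deploy", "CreateAccessKey for another user", "high", 0.9),
    ("2024-08-20T11:00:00", "arn:aws:iam::123456789012:user/alice", "ConsoleLogin without MFA", "medium", 0.7),
    ("2024-08-20T11:05:00", "arn:aws:iam::123456789012:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig", "Describe* burst", "low", 0.5),
]


def risk_score(severity, fidelity):
    """Base risk = severity weight scaled by detection fidelity (0.0..1.0).
    A noisy rule (low fidelity) contributes less than a precise one."""
    if not 0.0 <= fidelity <= 1.0:
        raise ValueError("fidelity must be in [0, 1]")
    return round(SEVERITY_WEIGHT[severity] * fidelity)


def is_filtered(principal):
    return any(s in principal for s in IGNORED_PRINCIPAL_SUBSTRINGS)


def aggregate_risk(events, window=timedelta(hours=24), threshold=100):
    """Return {principal: (total, [detections])} for principals whose summed
    risk inside any `window` reaches `threshold`. Summing distinct detections
    is what turns three individually unremarkable signals into one alert."""
    per_principal = defaultdict(list)
    for ts, principal, name, severity, fidelity in events:
        if is_filtered(principal):
            continue
        per_principal[principal].append((datetime.fromisoformat(ts), name, risk_score(severity, fidelity)))

    alerts = {}
    for principal, rows in per_principal.items():
        rows.sort()
        for i, (t0, _, _) in enumerate(rows):
            in_window = [(n, s) for t, n, s in rows[i:] if t - t0 <= window]
            total = sum(s for _, s in in_window)
            if total >= threshold:
                alerts[principal] = (total, [n for n, _ in in_window])
                break
    return alerts


if __name__ == "__main__":
    for principal, (total, names) in aggregate_risk(RISK_EVENTS).items():
        print(f"ALERT {principal}: risk {total} from {names}")
```

In Splunk terms, `risk_score` is what each correlation search computes before writing to the risk index, and `aggregate_risk` is the second-stage search that reads that index back and decides what becomes a notable.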

  • 26th August – Checkpoint Threat Intelligence Report - The Threat Intelligence Report from Check Point Research on August 26, 2024, highlighted several major cyberattacks and breaches, including incidents at Halliburton, Microchip Technology, Oregon Zoo, Toyota, and Columbus, Ohio. Vulnerabilities in Microsoft applications and a critical vulnerability in a WordPress plugin were also reported.

  • Attack tool update impairs Windows computers - Sophos X-Ops reports that Poortry, a malicious kernel driver that ransomware gangs load to blind and disable endpoint protection, has continued to evolve despite efforts to stop it. Its developers have repeatedly found ways around Microsoft's driver signing and attestation requirements, including the use of stolen or fraudulently obtained certificates, and keep adding features to evade detection. Together with its loader, Stonestop, the driver has grown from an EDR-killer that terminates protection processes into one that can also delete critical EDR components from disk. Sophos X-Ops has published indicators of compromise for Poortry on GitHub.

  • BlackByte blends tried-and-true tradecraft with newly disclosed vulnerabilities to support ongoing attacks - The BlackByte ransomware group combines established tradecraft with newly disclosed vulnerabilities in its ongoing attacks. Cisco Talos Incident Response observed the group using CVE-2024-37085, an authentication bypass in VMware ESXi that grants full administrative access to members of an Active Directory group named "ESX Admins", and self-propagating its ransomware across the network with the victim's own credentials. BlackByte's move through several programming languages and its use of vulnerable drivers present challenges for defenders, who are advised to enforce MFA, audit VPN configurations, and disable NTLM where possible.

  • Building Forensic Expertise: A Two-Part Guide to Investigating a Malicious USB Device (Part 1) - In this blog post, JUMPSEC Labs presents a two-part guide to investigating a malicious USB device, with Part 1 focusing on prerequisites and preparation work. The incident involved a mysterious USB drive found at an organization, prompting a Digital Forensics and Incident Response (DFIR) investigation. The team followed ACPO Principles of Digital Based Evidence, took steps to preserve evidence, documented everything, and configured a safe investigation environment using a virtual machine. The post emphasizes the importance of following proper procedures and principles in forensic investigations.

  • I Spy With My Little Eye: Uncovering an Iranian Counterintelligence Operation - Mandiant has uncovered an Iranian counterintelligence operation aimed at collecting data on Iranians and domestic threats collaborating with foreign intelligence agencies, particularly in Israel. The campaign used fake recruiting websites with Israel-related lures to gather personal and professional information from targeted individuals. Mandiant believes this operation was conducted on behalf of Iran's regime and may be used to persecute Iranians involved in human intelligence operations against the country. The activity started in 2017 and targeted Iranian dissidents, activists, human rights advocates, and Farsi speakers.

  • The Emerging Dynamics of Deepfake Scam Campaigns on the Web - Researchers at Palo Alto Networks' Threat Research Center have uncovered numerous scam campaigns using deepfake videos featuring public figures in multiple languages targeting different countries, such as Canada, Mexico, France, Italy, Turkey, Czechia, Singapore, Kazakhstan, and Uzbekistan. These campaigns are believed to be orchestrated by a single threat actor group and often involve fake investment schemes and government-sponsored giveaways.

  • Exploring the VirusTotal Dataset | An Analyst’s Guide to Effective Threat Research - The VirusTotal dataset stores a vast collection of files, URLs, domains, and IPs submitted by users worldwide, making it a valuable resource for threat research. Users can interact with the platform through the GUI for manual interaction or the API for programmatic interaction, with the API offering expanded querying capabilities and the ability to retrieve more extensive information.

  • State-backed attackers and commercial surveillance vendors repeatedly use the same exploits - Google's Threat Analysis Group observed watering hole attacks on Mongolian government websites that reused iOS WebKit and Chrome exploits previously seen in commercial surveillance vendors' toolkits, with APT29 suspected of being behind the campaigns. The exploits were n-days, already patched in current browser versions, so fully updated devices were not affected; the payloads stole browser cookies and credentials from those that were.

  • Linux Detection Engineering - A Sequel on Persistence Mechanisms - In this article, Elastic Security Labs explores further Linux persistence techniques: init systems (System V init and Upstart), run control scripts, message of the day, udev, package managers, Git hooks and configuration, process capabilities, and system binary hijacking. They use PANIX to implement each technique hands-on and discuss detection strategies and hunting methods for each. The goal is to educate defenders and security researchers on Linux detection engineering and deepen their understanding of Linux persistence mechanisms.

  • A Measure of Motive: How Attackers Weaponize Digital Analytics Tools - Digital analytics tools are essential in cyberspace, but they can be weaponized by attackers for malicious purposes. By repurposing tools like link shorteners, location trackers, and CAPTCHAs, attackers can evade detection and enhance their malicious campaigns. For example, link shorteners have been used to redirect users to phishing lures, while IP geolocation utilities have been used to track malware infections. Advertisers can also use competitive intelligence tools to refine their ad campaigns, but threat actors can exploit them to set up malicious advertising campaigns.

  • Exposing Security Observability Gaps in AWS Native Security Tooling - The blog post discusses the gaps in AWS Native Security Tooling, specifically focusing on AWS IAM Access Analyzer. Despite common misconceptions, IAM Access Analyzer's main function is to identify resources shared with external entities.

  • Hunting Specula C2 Framework and XLL Execution - The Specula C2 framework allows for interactive operations within Outlook by setting a custom homepage that calls out to a Python web server. It can load and execute XLL files, enhancing its capabilities for conducting attacks. By understanding the techniques used by Specula, such as registry manipulation and COM object utilization, organizations can strengthen their cybersecurity defenses against this advanced threat.

  • The art and science behind Microsoft threat hunting: Part 3 - Microsoft Incident Response outlines the strategies and methodologies used in cyberthreat hunting in both pre- and post-compromised environments. They leverage three types of threat intelligence - strategic, operational, and tactical - to understand cyberattackers and their techniques, improving incident response preparedness.

  • Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations - Between April and July 2024, Microsoft observed Iranian state-sponsored threat actor Peach Sandstorm deploying a new custom multi-stage backdoor named Tickler in attacks against targets in various sectors in the US and UAE. Peach Sandstorm also continued conducting password spray attacks against the educational sector. Microsoft assesses that Peach Sandstorm operates on behalf of the Iranian Islamic Revolutionary Guard Corps and facilitates intelligence collection for Iranian state interests. To protect against Peach Sandstorm activity, organizations can implement various security measures and best practices recommended by Microsoft.

  • TLD Tracker: Exploring Newly Released Top-Level Domains - The TLD Tracker investigated 19 new top-level domains (TLDs) released in the past year and found large-scale phishing campaigns, distribution of potentially unwanted programs, and other malicious activities. They identified a correlation between the general availability dates of new TLDs and their popularity. Palo Alto Networks offers solutions like Advanced DNS Security and Advanced URL Filtering to protect against these threats.

  • The Malware That Must Not Be Named: Suspected Espionage Campaign Delivers “Voldemort” - Proofpoint researchers identified a malware campaign named "Voldemort" designed for espionage, impersonating tax authorities and targeting organizations globally. The malware uses Google Sheets for command and control, unique attack techniques, and unusual methods for data exfiltration. The threat actor remains unidentified, with a focus on information gathering and potential intelligence gathering. The campaign combines sophisticated capabilities with basic techniques, making it difficult to assess the overall threat actor's intentions and capabilities. Defense recommendations include restricting access to external file sharing services and monitoring suspicious activity related to the campaign.

Techniques and Write-ups

  • Pentest: From Customer to Full Application Takeover - Zeyad Azima shares a pentesting project where he found a vulnerability in a financial solution platform that led to a full application takeover. Initially, he discovered a blind XSS vulnerability on the mobile application and tried to steal the admin's cookies, but failed due to security measures. He then found a CSRF vulnerability that allowed him to add a new user and steal a token from the admin dashboard to escalate privileges and gain full control over the application. By chaining these vulnerabilities together, he successfully demonstrated a complete application takeover.

  • Microsoft Copilot: From Prompt Injection to Exfiltration of Personal Information - This post discusses a vulnerability in Microsoft 365 Copilot that allowed for the theft of a user's personal information through a series of attack techniques. The exploit involved prompt injection, automatic tool invocation, and data exfiltration via hidden Unicode tags in clickable hyperlinks. The author disclosed the exploit to Microsoft in early 2024 and received approval to share the report, highlighting the need for mitigation measures to prevent such attacks in the future. Microsoft worked on a fix for the vulnerability, but specific details around the mitigation were not disclosed.
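The "hidden Unicode tags" part of the chain deserves a closer look, because it is reusable far beyond Copilot. The Unicode tag block (U+E0000 to U+E007F) contains one code point per ASCII character; most renderers draw them as nothing, while a language model or a URL builder still sees the characters. The following is an added illustration, not the author's exploit code: it encodes arbitrary printable ASCII into invisible tag characters, recovers it, and shows the sanitizer a renderer or LLM front end should apply. The link label and secret are constructed for the example.

```python
"""Added example: ASCII smuggling with Unicode tag characters, plus the
detector/sanitizer that stops it. Payloads here are constructed."""
TAG_BASE = 0xE0000          # U+E0000; U+E0020..U+E007E mirror printable ASCII


def _is_tag(ch):
    return TAG_BASE <= ord(ch) <= TAG_BASE + 0x7F


def smuggle(visible, hidden):
    """Append `hidden` (printable ASCII) to `visible` as invisible tag characters.
    What the user sees is `visible`; what a model or parser reads is both."""
    if not all(0x20 <= ord(c) <= 0x7E for c in hidden):
        raise ValueError("only printable ASCII can be tag-encoded")
    return visible + "".join(chr(TAG_BASE + ord(c)) for c in hidden)


def extract_hidden(text):
    """Recover whatever was tag-encoded inside `text`."""
    return "".join(chr(ord(ch) - TAG_BASE) for ch in text if _is_tag(ch))


def has_tag_chars(text):
    """Detection: any tag-block code point in model output or a link label is
    suspicious; legitimate text has almost no use for them."""
    return any(_is_tag(ch) for ch in text)


def sanitize(text):
    """Mitigation: strip tag-block code points before rendering a hyperlink or
    before passing retrieved content to a model."""
    return "".join(ch for ch in text if not _is_tag(ch))


if __name__ == "__main__":
    label = smuggle("Open the quarterly report", "?d=MFA%20code%20123456")
    print(repr(label))                    # looks like a plain label when rendered
    print("hidden:", extract_hidden(label))
    print("clean:", sanitize(label), "| flagged:", has_tag_chars(label))
```

The defensive side is the interesting bit for most readers: `has_tag_chars` is cheap enough to run on every model response, and `sanitize` belongs in the renderer, not only in the prompt.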

  • Back to School - Exploiting a Remote Code Execution Vulnerability in Moodle - RedTeam Pentesting found a remote code execution vulnerability in Moodle, the popular learning platform. Moodle's calculated question type evaluates teacher-supplied formulas with PHP's eval() after a sanitization step meant to allow only mathematical expressions; by crafting expressions that pass the sanitizer, they executed arbitrary PHP and, from there, system commands. The issue was reported to the Moodle security team and is fixed in recent versions. RedTeam Pentesting's takeaway is to never feed user input to eval() or similar functions, since a sanitizer in front of eval() is a far weaker boundary than a real expression parser.

  • CVE-2024-37888 – CKEditor 4 Open Link plugin XSS - CVE-2024-37888 is a vulnerability in the CKEditor 4 Open Link plugin that allows attackers to execute arbitrary JavaScript code in a user's browser. This vulnerability was discovered during a NetSPI client engagement and is not an issue with CKEditor 4 itself. The Open Link plugin version 1.0.4 is affected, and the fix is available in version 1.0.5. It is recommended to update the plugin to prevent exploitation. This highlights the importance of thorough testing and security vigilance in software applications.

  • CVE-2024-37079: VMware vCenter Server Integer Underflow Code Execution Vulnerability - The CVE-2024-37079 vulnerability in VMware vCenter Server allows remote attackers to execute arbitrary code due to an integer underflow issue. By sending a crafted DCERPC packet to the target server, attackers can trigger a heap buffer overflow. This can lead to the execution of malicious code in the context of the vulnerable service. While the vulnerability has been patched by the vendor, it is critical for users to apply the update to prevent potential exploitation.

  • 3CX Phone System Local Privilege Escalation Vulnerability - Praetorian performed proactive vulnerability research on the 3CX Phone Management System and found a local privilege escalation vulnerability in the Windows version of the application. They also identified a post-authentication arbitrary file read vulnerability. The vulnerabilities could potentially allow an attacker to compromise the application and execute code as NT AUTHORITY\SYSTEM. Praetorian reported the vulnerabilities to 3CX and the local privilege escalation issue was assigned CVE-2024-25085. Additionally, they found a Linux-specific vulnerability in the management console's Terminal feature, which allowed for arbitrary file read and command execution.

  • Pwn2Own Automotive 2024: Hacking the JuiceBox 40 - At the Pwn2Own Automotive 2024 competition in Tokyo, exploits were demonstrated against three different EV chargers, including the JuiceBox 40 Smart EV Charging Station. The researchers focused on vulnerabilities in the WiFi processor of the JuiceBox and discovered a critical vulnerability, CVE-2024-23938, that allowed for arbitrary code execution. They used a multi-stage exploit chain to gain control over the device and were successful in their demonstration. The researchers also highlighted the importance of IoT device security and the risks of end-of-life software support for such devices. Silicon Labs has not provided a fix for the vulnerability in Gecko OS, as it is in end-of-life status.

  • Careful Where You Code: Multiple Vulnerabilities in AI-Powered PR-Agent - The blog post discusses multiple vulnerabilities found in an open source LLM application called PR-Agent, used for reviewing git pull requests. These vulnerabilities include prompt injection, API key leak, and the ability to leak secrets and access permissions. The vulnerabilities could allow for privilege escalation, exfiltration of secrets, and unauthorized actions on repositories. Despite attempts to report the vulnerabilities to the vendor, no response was received, leading to the public release of the findings. Recommendations include updating permissions, denying write access to certain scopes, and reviewing PR-Agent configurations.

  • Sky’s the Limit – Quick Analysis and Exploitation of a Chrome ipcz TOCTOU Vulnerability - The blog post discusses an exploit of a TOCTOU vulnerability in Chrome's ipcz IPC mechanism, allowing for sandbox escape. The vulnerability was reported by Google Project Zero and fixed in Chrome 114. The exploit involved manipulating message payloads to trigger a controlled heap corruption primitive.

  • Meta Bug Bounty — Fuzzing “netconsd” for fun and profit - part 1 - Fady Othman shares how he wrote a fuzz harness in C++ for netconsd, Meta's open source netconsole daemon, which receives kernel log messages over the network. He walks through locating the functions that process network input and calling them from the harness: the harness creates an ncrx struct, feeds it a packet, and destroys the struct using the ncrx library. The work leads to the heap overflow bug described in part 2 of the series.

  • Meta Bug Bounty — Fuzzing "netconsd" for fun and profit — part 2 - In part 2 of the series, the author examines the netconsole message format that the kernel sends to netconsd and how a single message can be split into fragments. The harness is modified to account for message splitting, with a function that parses multiple messages from each test case file.

  • Analysis of two arbitrary code execution vulnerabilities affecting WPS Office - ESET researchers discovered two arbitrary code execution vulnerabilities in WPS Office for Windows (CVE-2024-7262 and CVE-2024-7263) that were being exploited by APT-C-60, a cyberespionage group aligned with South Korea. The vulnerabilities allowed the group to target East Asian countries by weaponizing the vulnerabilities in a malicious document that exploited flaws in WPS Office. A coordinated disclosure process led to the patching of both vulnerabilities, with technical details provided in a blog post. Users of WPS Office for Windows are strongly advised to update their software to the latest release to mitigate the risks associated with these vulnerabilities.

  • Bypassing airport security via SQL injection - The article discusses how SQL injection was used to bypass airport security processes such as the Known Crewmember (KCM) and Cockpit Access Security System (CASS). The vulnerability allowed unauthorized individuals to access the sterile area without screening and even add new employees to airlines, potentially gaining access to cockpit areas. The issue was reported to the Department of Homeland Security, but there were challenges in disclosing the problem and receiving a proper response from TSA officials. The TSA initially denied the vulnerability but eventually took action to address the issue.
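The bug class behind the story is the oldest one in web security, and the fix is mechanical. The following is an added illustration, not the FlyCASS code or the researchers' payload: a login check built by string concatenation, the classic bypass that turns it into a constant-true predicate, and the parameterized version that defeats it, all run against a constructed in-memory SQLite table.

```python
"""Added example: SQL injection login bypass vs. parameterized query,
against a constructed SQLite table (not the real application's schema)."""
import sqlite3


def make_db():
    con = sqlite3.connect(":memory:")
    # Plaintext password column only to keep the demo short; real systems hash.
    con.execute("CREATE TABLE employees (username TEXT, password TEXT, airline TEXT)")
    con.execute("INSERT INTO employees VALUES ('pilot1', 'hunter2', 'Example Air')")
    con.commit()
    return con


def login_vulnerable(con, username, password):
    """Attacker-controlled strings are pasted straight into the SQL text."""
    q = (f"SELECT username FROM employees "
         f"WHERE username = '{username}' AND password = '{password}'")
    return con.execute(q).fetchone() is not None


def login_safe(con, username, password):
    """Placeholders keep user input as data; it can never become SQL syntax."""
    q = "SELECT username FROM employees WHERE username = ? AND password = ?"
    return con.execute(q, (username, password)).fetchone() is not None


# Bypass payload: closes the quoted string, adds an always-true condition,
# and comments out the password check that follows.
BYPASS_USERNAME = "' OR 1=1--"

if __name__ == "__main__":
    con = make_db()
    print("vulnerable, bypass :", login_vulnerable(con, BYPASS_USERNAME, "wrong"))
    print("safe, bypass       :", login_safe(con, BYPASS_USERNAME, "wrong"))
    print("safe, real creds   :", login_safe(con, "pilot1", "hunter2"))
```

Note that with SQLite the attacker only reads; the same concatenation pattern in an endpoint that writes (adding an employee, as in the article) lets the injected statement create records, which is exactly how an unscreened person becomes a "crew member" in the database.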

  • WordPress GiveWP POP to RCE (CVE-2024-5932) - A PHP Object Injection vulnerability was found in the WordPress Plugin GiveWP, allowing for Remote Code Execution (RCE) in versions <= 3.14.1. The vulnerability was exploited by constructing a chain of actions triggered through the ajax action. By manipulating the donation form ID and nonce, an attacker could execute arbitrary code on the server. The exploit involved creating a serialized object with controlled properties and utilizing a gadget to complete the chain for the RCE payload. The vulnerability was used in conjunction with a reverse shell to demonstrate the impact of the exploit.

  • Using Veeam metadata for efficient extraction of Backup artefacts (2/3) - In this series of articles, the author explores using Veeam metadata for efficient extraction of backup artifacts with Velociraptor. They discuss parsing backup chain metadata files and metadata embedded in VBR's storage files to remotely access forensic artifacts in backups. The goal is to extend the time horizon for investigations using Veeam backups while minimizing network bandwidth usage. The author also shares a pipeline for remote collection of forensic data from Veeam backups using free and open-source tools and Velociraptor.

  • Breaking Down Barriers: Exploiting Pre-Auth SQL Injection in WhatsUp Gold CVE-2024-6670 - The author found an unauthenticated SQL injection in WhatsUp Gold that allows an authentication bypass and, from there, potential remote code execution. The injectable input reaches a method in one of the product's .NET DLLs that encrypts a value and stores it in the database; with a crafted POST request the author steered that write into the administrator's password field, replacing the stored encrypted password with one they controlled and gaining administrative access. Exploit details and a proof of concept are on the Summoning Team's blog, with credit to the author's friend and to the Zero Day Initiative for their support.

  • Evil MSI. A story about vulnerabilities in MSI Files - The article discusses vulnerabilities in MSI files, the installer format most software vendors use for distribution. Because installation and the MSI repair mechanism run with elevated privileges, weaknesses such as DLL hijacking, path abuse, and insecure custom actions can be turned into privilege escalation. The article explains how to analyze MSI files for such issues with the usual tooling, including searching for leftover passwords and abusable custom actions, and walks through detecting and exploiting them for local privilege escalation.

  • Implementing Kernel Object Type (Part 2) - In this blog post, Pavel Yosifovich discusses how to implement a new kernel object type by looking at existing kernel object types, such as Semaphore and Section, to understand the necessary functionality. He explains the process of creating a new object type in user and kernel modes, using native API conventions. The post includes code examples and diagrams to demonstrate the implementation of creating a DataStack object, including handling object creation and opening existing objects through user and kernel modes.

Tools and Exploits

  • USP - The GitHub repository "grahamhelton/USP" contains a Go program that establishes persistence on a Linux system by creating a udev rule that triggers the execution of a specified payload (binary or script). The program offers two trigger options: executing the payload when a USB device is inserted or during system boot. Users can customize the behavior using flags when running the script with root privileges. Additionally, there is an option to remove the established persistence. This program allows users to automate the execution of a payload on a Linux system for specific use cases.
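Defenders can look for exactly what USP leaves behind: a rule in /etc/udev/rules.d/ whose RUN+= points at a program outside the packaged udev helper directories. The following is an added detection example, not code from the USP repository; the sample rules are constructed (the loopback-interface trigger is a common way to get a rule to fire at boot, and whether USP uses precisely that match key is an assumption here).

```python
"""Added example: scan udev rule text for RUN+= entries that execute programs
from untrusted locations. Sample rules below are constructed."""
import re
import shlex

# udev runs RUN+= programs as root (and kills them if they run long), so any
# rule that executes from a writable location is worth a look.
RUN_RE = re.compile(r'RUN(?:\{[^}]*\})?\+?="([^"]*)"')
TRUSTED_PREFIXES = ("/usr/lib/udev/", "/lib/udev/", "/usr/bin/", "/bin/",
                    "/usr/sbin/", "/sbin/")

SAMPLE_RULES = """\
# benign, shipped by a distro package
ACTION=="add", SUBSYSTEM=="usb", RUN+="/usr/lib/udev/usb_modeswitch --symlink-name"
# fires whenever a USB device is inserted
ACTION=="add", SUBSYSTEM=="usb", RUN+="/tmp/.cache/payload"
# fires at boot: the loopback interface is always added
ACTION=="add", SUBSYSTEM=="net", KERNEL=="lo", RUN+="/bin/sh -c /var/tmp/.x/run.sh"
"""


def untrusted_paths(command):
    """Absolute paths in the command line that are not under a trusted prefix.
    Checking every argv token catches '/bin/sh -c /var/tmp/x' style wrappers."""
    try:
        argv = shlex.split(command)
    except ValueError:
        argv = [command]
    return [tok for tok in argv
            if tok.startswith("/") and not tok.startswith(TRUSTED_PREFIXES)]


def find_suspicious_run_rules(rule_text):
    """Return [(line_number, path, rule_line)] for RUN+= entries that execute
    something outside the trusted directories."""
    findings = []
    for lineno, line in enumerate(rule_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for cmd in RUN_RE.findall(line):
            for path in untrusted_paths(cmd):
                findings.append((lineno, path, line))
    return findings


if __name__ == "__main__":
    import glob
    files = glob.glob("/etc/udev/rules.d/*.rules") + glob.glob("/run/udev/rules.d/*.rules")
    for path in files or []:
        with open(path, errors="replace") as fh:
            for lineno, exe, rule in find_suspicious_run_rules(fh.read()):
                print(f"{path}:{lineno}: {exe}  <- {rule}")
    if not files:
        for lineno, exe, rule in find_suspicious_run_rules(SAMPLE_RULES):
            print(f"sample:{lineno}: {exe}  <- {rule}")
```

Relative program names in RUN+= resolve under /usr/lib/udev and are treated as trusted here; tighten that if your fleet does not ship custom helpers there.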

  • CVE-2024-38063 - The GitHub repository contains a proof of concept (poc) for CVE-2024-38063, which is a remote code execution (RCE) vulnerability in tcpip.sys. The poc includes instructions on how to modify and run the script to trigger the vulnerability. It describes the technical details of the vulnerability and provides strategies to exploit it. The vulnerability requires IPv6 capability on the target system and the ability to coalesce packets, but does not require heavy load situations or specific settings on the target system. Troubleshooting steps are provided in case the exploitation is not successful.

  • Exploiting the Windows Kernel via Malicious IPv6 Packets (CVE-2024-38063) - A walkthrough of analyzing and exploiting CVE-2024-38063, a remotely triggerable tcpip.sys vulnerability (CVSS 9.8) reachable over IPv6. Diffing the Windows patch showed a single code change in the IPv6 options handling path, and the exploit work involves crafting fragmented IPv6 packets with specific options so that the kernel parser mis-sizes a buffer, a primitive the author works toward a buffer overflow and an ASLR bypass. Triggering the bug reliably proved difficult, but the write-up provides useful insight into attacking the kernel over IPv6.

  • CVE-2024-3183-POC - This GitHub repository contains a Proof of Concept (POC) for CVE-2024-3183, which allows a low-privileged user to obtain password hashes of all domain users in FreeIPA for offline brute force attacks. The POC includes steps to request TGT tickets, find salts, and brute force passwords to gain access to user accounts. This vulnerability highlights the importance of enterprise-grade security features and the need to fix vulnerabilities to protect sensitive information.

  • ipapocket - The GitHub repository "c2micro/ipapocket" contains a Python library for interacting with FreeIPA network protocols, providing low-level programmatic access through an object-oriented API.

  • CVE-2024-38856-EXP - The GitHub repository contains an exploit for CVE-2024-38856.

  • CAPs - This GitHub repository contains scripts to enumerate and report on Entra Conditional Access. The scripts require an account with delegated read-only permissions to the Graph Command Line Tools for Microsoft Graph PowerShell. The scripts generate reports on statistics, list Conditional Access Policies, categorize them into best practice categories, and check for misconfigured policies.

  • rwgopack - This GitHub repository contains an example Linux-based packer for ELF binaries that compresses using ZLib and uses XOR cipher with a single byte key to create a self-unpacking binary.
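A single-byte XOR layer over a zlib stream is a format detail, not protection: the first two bytes of a zlib stream are a header with known structure (CMF byte 0x78 for a 32 KiB deflate window, and CMF*256+FLG divisible by 31), so the key falls out of the first byte. The following is an added Python illustration of the packing scheme rwgopack describes and of why an analyst can unpack it without the key; it is not rwgopack's code (which is Go and produces a self-unpacking ELF), and the payload bytes are constructed.

```python
"""Added example: zlib + single-byte XOR packing, and key recovery from the
zlib header alone. Constructed payload; not rwgopack's implementation."""
import zlib


def pack(data, key):
    """Compress, then XOR every byte with one key byte."""
    return bytes(b ^ key for b in zlib.compress(data))


def unpack(blob, key):
    return zlib.decompress(bytes(b ^ key for b in blob))


def recover_key(blob):
    """Brute force the 256 possible keys using only the zlib header as an
    oracle, then confirm with a full decompress (which also checks Adler-32).
    CMF low nibble must be 8 (deflate); (CMF*256 + FLG) % 31 == 0 by spec."""
    if len(blob) < 2:
        raise ValueError("blob too short")
    for key in range(256):
        cmf, flg = blob[0] ^ key, blob[1] ^ key
        if (cmf & 0x0F) != 8 or (cmf * 256 + flg) % 31 != 0:
            continue
        try:
            zlib.decompress(bytes(b ^ key for b in blob))
            return key
        except zlib.error:
            continue
    raise ValueError("no single-byte XOR key yields a valid zlib stream")


def unpack_unknown_key(blob):
    return unpack(blob, recover_key(blob))


# Constructed stand-in for an ELF payload: the ELF magic plus filler.
SAMPLE_PAYLOAD = b"\x7fELF" + b"\x00" * 12 + b"this is the real binary\n" * 20

if __name__ == "__main__":
    packed = pack(SAMPLE_PAYLOAD, 0x5A)
    print("first bytes after XOR:", packed[:2].hex())        # no longer 78 9c
    print("recovered key:", hex(recover_key(packed)))
    print("round trip ok:", unpack_unknown_key(packed) == SAMPLE_PAYLOAD)
```

The same reasoning applies to any packer that compresses first and obfuscates second: the compressor's header is a known plaintext, and a one-byte key has no room to hide from it.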

  • VeilTransfer - VeilTransfer is a data exfiltration utility that helps organizations test and improve their security posture by simulating real-world data exfiltration techniques. It supports multiple exfiltration methods such as MEGA, GitHub, SFTP, WebDAV, and more.

  • Ghostwriter Tool Integration - Ghostwriter v3.0.0 introduced a GraphQL API to ease tool integration, allowing external entities to query and manipulate Ghostwriter's data. The API, powered by the Hasura GraphQL Engine, offers operations to fetch data, manipulate data, and allow real-time data retrieval. The API can be explored through the Hasura console or safely with Postman. The Python Operation Log Generator script leverages GraphQL mutation operations to create and populate operation logs in Ghostwriter. The script involves authentication, client creation, and executing operations using the GraphQL API to link the generator to Ghostwriter efficiently.

  • Mythic 3.3 — Out of Beta - Mythic 3.3 has been released out of Beta after six weeks of feedback. New features include an updated file media renderer, improvements to the file browser, active callback highlighting, interactive task searching, preferred tasking views, and networking options. These updates were made based on user feedback, with a special thanks to Lee for providing valuable input. Users can provide feedback, feature requests, bug reports, or comments on Mythic, its agents, or C2 profiles on Twitter or in the BloodHound Slack.

  • NamedPipeMaster - NamedPipeMaster is a tool designed for analyzing and monitoring named pipes. It includes components for direct server interaction, DLL-based API hooking, and system-wide monitoring. The tool allows for proactive and passive interactions with named pipes, collects detailed communication data, and features specific API hooks for event searches. It supports features such as DLL injection, monitoring named pipe activities, and interactive modes for various named pipe interactions.

  • CVE-2024-5274 - Chrome zero-day PoC leading to code execution.

  • SeamlessPass - SeamlessPass is a tool that leverages Kerberos tickets to obtain Microsoft 365 access tokens using Seamless SSO for organizations with Desktop SSO enabled. The tool can be installed from PyPI or the source code and can be used for further interaction with Microsoft 365 services via APIs or other tools like ROADTools and AADInternals. SeamlessPass allows users to obtain access tokens in situations where the user's clear-text password is unavailable by using compromised user credentials or other forms of access.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • C++ Unwind Exception Metadata: A Hidden Reverse Engineering Bonanza - This blog entry discusses the hidden treasure trove of information found in C++ exception metadata, specifically focusing on how it can aid in reverse engineering C++ programs. The metadata, present in constructors, ensures proper cleanup of locally-held stack objects in the event of exceptions. By enabling and interpreting this metadata, analysts can gain insight into the structure, nesting relationships, and inheritance of objects, making the process of structure recovery more efficient and accurate. While metadata is most beneficial when analyzing constructors, it can still provide valuable information in non-constructor functions by clarifying object lifetimes and facilitating the application of types to variables.

  • Intercepting Mobile Application Traffic with Caido and Frida - The author discusses intercepting mobile application traffic using Caido and Frida for a research project on the iHealth Nexus Pro Body Composition Scale. They explain the process of using Caido as an HTTP proxy tool to intercept traffic, encountering issues with certificate pinning, and using Frida to bypass it. The author modifies the mobile application using Frida's gadget library, enabling them to intercept and analyze the application's data flow. They conclude by discussing the benefits of using this method for discovering vulnerabilities in mobile APIs and understanding IoT systems.

  • Unveiling Mac Security: A Comprehensive Exploration of Sandboxing and AppData TCC - Zhongquan Li's blog post explores Mac security in depth, focusing on sandboxing and AppData TCC. The post discusses various vulnerabilities and exploits, including the manipulation of quarantine flags, quarantine protection on macOS, permission granting mechanisms, and the impact of AppData TCC on exploit development. The post also touches on the need for a blocklist in addition to an allowlist for protecting sensitive data from N-Day vulnerabilities in outdated app versions. Overall, the post provides insights into Mac security vulnerabilities and exploit techniques, with a focus on bug hunting and fuzzing in Apple products.

  • Abusing Exclusions To Evade Detection - This blog post discusses how attackers can abuse exclusions in antivirus and EDR solutions, like Microsoft Defender AV, to evade detection. Exclusions are commonly used to optimize performance and reduce false positives but can create security blind spots if not managed carefully. Attackers can enumerate exclusions using PowerShell and leverage this information to strategically abuse folder, process, and extension based exclusions to run malicious activities undetected. Best practices for setting exclusions are also shared to mitigate risks associated with abusing exclusions.
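
Since the blind spots the post describes come from the content of the exclusion lists, a defender's first step is to review those lists for the patterns that matter (folder, process and extension exclusions). The following is an added example, not code from the post: it takes the `ExclusionPath`, `ExclusionProcess` and `ExclusionExtension` lists as exported by `Get-MpPreference | ConvertTo-Json` (real property names of that cmdlet) and flags the risky entries. The sample export is constructed, and the risk rules are this example's own heuristics rather than Microsoft guidance.

```python
"""Audit Microsoft Defender AV exclusions for entries that create scanning blind spots.

Added example, not from the blog post. Input is the JSON that
`Get-MpPreference | ConvertTo-Json` produces; only the three exclusion
properties are used. Empty lists come out of ConvertTo-Json as null, hence
the `or []` below. The rules are this example's own heuristics.
"""
import re
from typing import Dict, List

# Directory prefixes that ordinary (non-admin) users can write to.
USER_WRITABLE_PREFIXES = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
    "c:\\temp\\",
)
# Script and proxy-execution hosts: excluding the process means whatever it
# loads or runs is not scanned either.
INTERPRETER_PROCESSES = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "msbuild.exe",
}
EXECUTABLE_EXTENSIONS = {"exe", "dll", "ps1", "bat", "cmd", "vbs", "js", "hta", "scr"}


def _normalize(path: str) -> str:
    """Lower-case, use backslashes, and guarantee a trailing separator for prefix checks."""
    p = path.strip().lower().replace("/", "\\")
    return p if p.endswith("\\") else p + "\\"


def audit_path(path: str) -> List[str]:
    findings = []
    p = _normalize(path)
    if re.fullmatch(r"[a-z]:\\", p):
        findings.append("excludes an entire drive")
    if "*" in p:
        findings.append("wildcard widens the exclusion beyond one folder")
    if p.startswith(USER_WRITABLE_PREFIXES):
        findings.append("user-writable location: any local user can place files here")
    return findings


def audit_process(proc: str) -> List[str]:
    name = proc.strip().lower().replace("/", "\\").rsplit("\\", 1)[-1]
    if name in INTERPRETER_PROCESSES:
        return ["script or proxy-execution host: files it opens are not scanned"]
    if "*" in name:
        return ["wildcard process exclusion"]
    return []


def audit_extension(ext: str) -> List[str]:
    e = ext.strip().lower().lstrip(".")
    return ["executable or script type is never scanned"] if e in EXECUTABLE_EXTENSIONS else []


def audit_export(export: Dict) -> Dict[str, List[str]]:
    """Return {"<property>:<exclusion>": [reasons]} for every flagged exclusion."""
    report: Dict[str, List[str]] = {}
    checks = (
        ("ExclusionPath", audit_path),
        ("ExclusionProcess", audit_process),
        ("ExclusionExtension", audit_extension),
    )
    for prop, check in checks:
        for item in export.get(prop) or []:
            reasons = check(item)
            if reasons:
                report[f"{prop}:{item}"] = reasons
    return report


# Constructed sample in the shape ConvertTo-Json gives for Get-MpPreference.
SAMPLE_EXPORT = {
    "ExclusionPath": [
        "C:\\Program Files\\LineOfBusinessApp",
        "C:\\Users\\Public\\Downloads",
        "D:\\Backups\\*",
    ],
    "ExclusionProcess": [
        "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "sqlservr.exe",
    ],
    "ExclusionExtension": ["mdf", "ps1"],
}

if __name__ == "__main__":
    for entry, reasons in audit_export(SAMPLE_EXPORT).items():
        print(entry, "->", "; ".join(reasons))
```

Run it against a real export periodically and diff the result against the previous run: a new entry appearing in the flagged set is worth a ticket even if someone had a reason for it.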

  • ALBeast Security Advisory by Miggo Research - Miggo Research has identified a critical configuration-based vulnerability called ALBeast affecting applications using AWS Application Load Balancer for authentication, which can lead to authentication and authorization bypass. Miggo Research has discovered over 15,000 potentially impacted applications using this feature and has provided recommendations to mitigate the risk. AWS has updated their authentication feature documentation to address this vulnerability, but customers must implement the recommended changes to ensure protection. Miggo offers an Application Detection and Response platform to help understand application behaviors and map weaknesses in modern distributed application architectures.

  • The Hunt for ALBeast: A Technical Walkthrough - Miggo discovered a critical configuration-based vulnerability called ALBeast that allows attackers to bypass authentication and access applications directly, particularly if they are exposed to the internet. They reported this issue to AWS and collaborated with them on the disclosure and remediation process. ALBeast can impact applications hosted on AWS or other cloud providers and has been found in over 15,000 potentially vulnerable applications. AWS has since updated their documentation to address these vulnerabilities, but applications must update their code to be protected. The shared responsibility model plays a role in addressing these issues, and organizations need to follow best practices to ensure security.

  • Provisioning cloud infrastructure the wrong way, but faster - The blog discusses the dangers of using AI-generated cloud infrastructure provisioning code, which often contains security flaws such as hard-coded passwords and weak random values. The author recommends that cloud providers block common security vulnerabilities in AI-generated code and that AI tool vendors make it harder for users to inadvertently create insecure infrastructure. The blog also emphasizes the importance of conducting thorough security assessments in large automated infrastructure deployments to identify and address potential weaknesses beyond just hard-coded credentials.
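
The two flaws the post names, hard-coded passwords and weak random values, are easy to catch mechanically before generated Terraform reaches an apply step, and the same pass can carry one exposure check to go beyond credentials as the post recommends. The following is an added example, not from the post: a small line-oriented checker over flat HCL resource blocks. The sample Terraform, the attribute names treated as secrets and the length threshold are this example's own choices.

```python
"""Flag common weaknesses in generated Terraform before it is applied.

Added example, not from the post. Handles flat resource blocks only (no nested
blocks); a real deployment would run a proper policy engine, but the checks
are the same: literal secrets, weak random_password/random_string settings,
and resources marked publicly accessible.
"""
import re
from typing import Dict, List, Tuple

BLOCK_RE = re.compile(
    r'resource\s+"(?P<type>[^"]+)"\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)\n\}', re.S
)
ATTR_RE = re.compile(r"^\s*(?P<key>\w+)\s*=\s*(?P<value>.+?)\s*$", re.M)
SECRET_KEYS = {"password", "master_password", "secret", "access_key", "secret_key", "token"}
MIN_RANDOM_LENGTH = 16  # this example's threshold


def _attrs(body: str) -> Dict[str, str]:
    return {m["key"]: m["value"] for m in ATTR_RE.finditer(body)}


def check_terraform(text: str) -> List[Tuple[str, str]]:
    """Return (resource address, finding) pairs in source order."""
    findings: List[Tuple[str, str]] = []
    for block in BLOCK_RE.finditer(text):
        rtype, name, attrs = block["type"], block["name"], _attrs(block["body"])
        ref = f"{rtype}.{name}"
        for key, value in attrs.items():
            # A quoted literal assigned to a secret-looking attribute is hard-coded;
            # a reference such as random_password.db.result is not.
            if key in SECRET_KEYS and value.startswith('"'):
                findings.append((ref, f"hard-coded {key}"))
        if rtype in ("random_password", "random_string"):
            try:
                length = int(attrs.get("length", "0"))
            except ValueError:
                length = None  # expression, cannot judge statically
            if length is not None and length < MIN_RANDOM_LENGTH:
                findings.append((ref, f"length {length} is below {MIN_RANDOM_LENGTH}"))
            if attrs.get("special") == "false":
                findings.append((ref, "special characters disabled"))
        if attrs.get("publicly_accessible") == "true":
            findings.append((ref, "publicly accessible"))
    return findings


# Constructed sample resembling typical generated output.
SAMPLE_TF = """
resource "aws_db_instance" "app" {
  engine              = "postgres"
  username            = "admin"
  password            = "P@ssw0rd123"
  publicly_accessible = true
}

resource "random_password" "db" {
  length  = 8
  special = false
}

resource "aws_db_instance" "reporting" {
  username = "reports"
  password = random_password.db.result
}
"""

if __name__ == "__main__":
    for ref, finding in check_terraform(SAMPLE_TF):
        print(f"{ref}: {finding}")
```

The third block passes because its password is a reference rather than a literal, which is the shape generated code should be steered toward: the secret is produced by a resource with adequate length and character set and never appears in the file.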

  • Crafting the Perfect Prompt: Getting the Most Out of ChatGPT and Other LLMs - Black Hills Information Security provides tips for crafting the perfect prompt to maximize the effectiveness of AI-driven tools like ChatGPT and other LLMs. Understanding the different types of prompts, from simple queries to conversational prompts, can help in obtaining accurate and relevant responses. Setting the context, providing task-specific knowledge, and examples are key elements in formulating effective prompts for LLMs. Ultimately, the responsibility lies with the user to supervise and refine the output generated by LLMs to ensure accuracy and appropriateness.

  • Apeman - The GitHub repository hotnops/apeman is an AWS Attack Path Management Tool called "Walking on the Moon". Detailed instructions are provided for setting up and using the tool, including initializing the AWS schema, ingesting and analyzing data, and accessing the tool through a browser.

  • PANIX - PANIX is a highly customizable Linux persistence tool designed for security research, detection engineering, penetration testing, and more. It offers a variety of features for simulating and researching Linux persistence mechanisms and is supported on popular distributions like Debian, Ubuntu, and RHEL. The tool is meant for authorized security testing and research purposes only, and misuse for malicious activities is not condoned.

  • Unprotected container registries - The article discusses the growing threat of unprotected container registries in the software development ecosystem. Despite the availability of secure options like Docker Hub, many organizations leave their private registries unsecured, leading to data exposure and security risks. The author conducted scans revealing thousands of unprotected registries, highlighting the urgent need for improved security measures and awareness. The article also includes technical details on how attackers can exploit open registries and emphasizes the importance of securing these repositories to protect the digital infrastructure.

  • OpenSSH Backdoors - In 2002, an OpenSSH backdoor attack was attempted by replacing the source code on ftp.openbsd.org with a backdoored version, but was quickly caught due to checksum discrepancies. The attackers' motives were likely for fun and mayhem. In contrast, the more recent xz-utils backdoor attempt in 2024 was more sophisticated, targeting the build system and having a specific intelligence-gathering objective. Both attacks highlight the vulnerability of open-source projects to supply chain attacks. Defenses against supply chain attacks may involve reducing attack surface and compartmentalization through sandboxing techniques. There is a growing interest in improving supply chain security, but more work needs to be done to address this evolving threat.
