
Last Week in Security - 2024-09-23


We're Hiring!


Immediate Open Positions:

Maryland Applicants:

Virginia Applicants:

For more open positions visit: https://www.sixgen.io/careers


Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools, and exploits from the past week. This post covers 2024-09-16 to 2024-09-23.

News

  • Pager detonations wound thousands, majority Hezbollah members, in suspected cyberattack - A cyberattack using explosive pagers wounded thousands of Hezbollah operatives in Lebanon, with around 4,000 being injured and 11 killed. Lebanese health officials reported 200 in critical condition. Hezbollah blamed Israel for the attack and threatened retaliation. Israel had been engaged in conflict with Hezbollah for several months, with tensions escalating. The attack was seen as a significant blow to Hezbollah and raised the possibility of a larger conflict.

  • Additional Hezbollah devices explode across Lebanon - More Hezbollah devices exploded across Lebanon, causing hundreds of injuries and at least 20 deaths. This comes after thousands of Hezbollah members were wounded by exploding pagers the previous day. Unconfirmed reports suggest that Israel may be behind the attacks, with the Israel Air Force reportedly carrying out strikes in southern Lebanon. The situation is still developing.

  • US government ‘took control’ of a botnet run by Chinese government hackers, says FBI director - The FBI took control of a botnet run by Chinese government hackers, targeting critical infrastructure in the US and overseas. The botnet was used to hide Chinese hacking activities and compromised over 385,000 unique US victim devices. This is part of the US government's efforts to counter Chinese-backed cyberattacks and prevent potential harm in future conflicts.

  • People’s Republic of China-Linked Actors Compromise Routers and IoT Devices for Botnet Operations (PDF) - This report discusses People's Republic of China (PRC)-linked cyber actors using a botnet infrastructure to conduct espionage and influence operations. It outlines specific tactics, techniques, and procedures (TTPs) observed in these operations, which target U.S. and allied networks. The report provides guidance on detection, mitigation, and steps to counter these threats.

  • GreyNoise Reveals New Internet Noise Storm: Secret Messages and the China Connection - GreyNoise Intelligence has identified a new internet phenomenon called "Noise Storms" involving massive waves of spoofed traffic since January 2020. These events have puzzled cybersecurity experts and pose new risks that need attention from security professionals worldwide. The storms involve mysterious traffic patterns with potential connections to Chinese platforms, suggesting a sophisticated actor with specific goals. Despite ongoing research, the ultimate purpose of these Noise Storms remains unclear, prompting security leaders to reevaluate their defenses and tools for a strong security posture.

  • Iran linked hacker group Handala Hack Team claim pager explosions linked to Israeli battery company - The Iran-linked hacker group Handala Hack Team has claimed that the pager explosions are linked to an Israeli battery company. They posted a statement on their Tor site detailing how the attacks were carried out, including contaminating batteries with explosives. Handala has also threatened to leak sensitive information from both the Israeli battery company and an Israeli X-ray inspection systems developer. While the claims have not been proven yet, Handala has a history of credible victim targeting.

  • Enterprise ServiceNow Knowledge Bases at Risk: Extensive Data Exposures Uncovered - Enterprise ServiceNow knowledge bases are at risk of data exposure due to outdated configurations and misconfigured access controls. AppOmni's Chief of SaaS Security Research, Aaron Costello, conducted extensive research and found that many instances are unintentionally exposing sensitive data. ServiceNow has made some security updates, but knowledge bases remain vulnerable, so organizations should regularly check access controls and use business rules to protect their data.

Threat Intel and Defense

  • 16th September – Threat Intelligence Report - The Threat Intelligence Report from Check Point Research on September 16, 2024, highlighted cyberattacks and breaches affecting organizations like the Port of Seattle, Fortinet, Highline Public Schools, French retail companies, and Kadokawa. Vulnerabilities and patches from Microsoft's September 2024 Patch Tuesday were also discussed, including critical flaws in Windows components and Microsoft products.

  • A Look at the Residential Proxy Market - The residential proxy market is thriving, allowing users to access the internet through a range of devices in residential settings. These proxies offer anonymity and the ability to bypass geographical restrictions, but are also used by threat actors for illegal activities. Two prominent underground residential proxy providers, MangoProxy and LunaProxy, have been identified for their extensive IP address pools. However, the ethical implications and lack of transparency in the acquisition of these IP addresses raise concerns about potential exploitation by cybercriminals.

  • Exotic SambaSpy is now dancing with Italian users - A new remote access trojan (RAT) called SambaSpy is targeting Italian users through a sophisticated infection chain that involves phishing emails and redirects to legitimate websites. The attackers behind the campaign have Brazilian Portuguese language connections, suggesting a possible origin from Latin America. SambaSpy is a Java-based RAT that can log keystrokes, steal browser credentials, and remotely control desktops.

  • An Offer You Can Refuse: UNC2970 Backdoor Deployment Using Trojanized PDF Reader - Mandiant Managed Defense identified a cyber espionage group known as UNC2970, suspected to have a North Korea nexus, using a Trojanized PDF reader to deploy a backdoor called MISTPEN. The group targets victims through phishing emails disguised as job openings from reputable companies, delivering malicious job descriptions in a password-protected ZIP archive. The backdoor is executed when the victim opens the PDF file with the trojanized SumatraPDF viewer, leading to the installation of the MISTPEN backdoor. The group has targeted victims in U.S. critical infrastructure verticals and utilizes modified versions of open-source software to carry out their attacks.

  • Code of Conduct: DPRK’s Python-fueled intrusions into secured networks - This publication discusses the DPRK's use of Python and social engineering tactics to breach secure networks, highlighting their sophisticated cyber attacks. The Python script used by DPRK threat actors includes modules for executing system commands and writing/executing local files, disguised as a coding challenge. The analysis uncovers how the script establishes communication with a remote server, enabling remote code execution and maintaining effective control over the infected machine.

  • Storm on the Horizon: Inside the AJCloud IoT Ecosystem - This article discusses vulnerabilities found in Wi-Fi cameras, specifically the Wansview Q5, connected to the AJCloud IoT ecosystem. Despite the affordable cost of these devices, security was found to be lacking, leaving them open to exploitation. Through various research efforts, vulnerabilities in network communications, firmware, and application were discovered, allowing for remote access and control of the cameras. The vendors did implement some security controls, but also made critical mistakes such as unauthenticated cloud access and flaws in the P2P protocol. Recommendations were made to flash the cameras with open-source firmware for better security. Overall, these vulnerabilities affect millions of devices worldwide and pose significant risks to user data and privacy.

  • Discovering Splinter: A First Look at a New Post-Exploitation Red Team Tool - This article discusses the discovery of a new post-exploitation red team tool called Splinter found on customer systems using Advanced WildFire's memory scanning tools. It highlights the importance of continuously tracking and detecting such tools to prevent them from falling into the hands of criminals. While Splinter is not as advanced as other tools like Cobalt Strike, it still poses a threat if misused.

  • Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors - Unit 42 researchers have uncovered an ongoing poisoned Python packages campaign delivering Linux and macOS backdoors named PondRAT, attributed to the Gleaming Pisces threat actor group. The campaign uploaded infected software packages to PyPI, a popular Python package repository, with the objective of compromising supply chain vendors and their customers. The backdoors give attackers remote access and control over infected systems. The campaign has been linked to Gleaming Pisces based on code similarities and previous research.

  • UNC1860 and the Temple of Oats: Iran’s Hidden Hand in Middle Eastern Networks - UNC1860 is a threat actor affiliated with Iran’s Ministry of Intelligence and Security (MOIS) that targets networks in the Middle East, particularly in the government and telecommunications sectors. The group maintains specialized tooling and passive backdoors to gain initial and persistent access to high-priority networks. UNC1860 collaborates with other Iran-based threat actors and utilizes custom malware controllers to provide remote access to victim networks. The group's main-stage backdoors, such as a Windows kernel-mode driver, demonstrate its advanced capabilities in espionage and network attack operations.

  • The Cloud is Darker and More Full of Terrors - In this blog post, Chris Farris discusses the concerning state of cloud security, highlighting incidents where companies have suffered major breaches due to inadequate security practices. Farris criticizes cloud providers for not prioritizing security measures and calls for better security practices from both organizations and cloud vendors. The post emphasizes the importance of enforcing multi-factor authentication and setting secure defaults in cloud environments to prevent data breaches. Ultimately, Farris warns that the public cloud, while convenient, poses significant security risks that need to be addressed.

  • Acquiring Malicious Browser Extension Samples on a Shoestring Budget - This article discusses acquiring malicious browser extension samples on a limited budget, using free resources and simple cryptanalysis techniques. The author describes finding similar samples, acquiring the first sample, processing new samples, and analyzing extensions for changes in functionality over time. They also discuss resolving C2 domains from blockchain transactions and provide resources that reference some of the indicators of compromise. The author emphasizes the potential for legitimate research and learning using free tools and published information, but also advises caution when dealing with malicious content.

  • -=TWELVE=- is back - In the spring of 2024, the Twelve group, which specializes in encrypting and deleting victims' data, resurfaced on the -=TWELVE=- Telegram channel. The group uses hacktivist tactics and shares infrastructure with the ransomware group DARKSTAR, indicating they may belong to the same syndicate. Twelve employs publicly available tools, such as Cobalt Strike and mimikatz, to gain initial access to victims' infrastructure and exfiltrate sensitive information. The group's ultimate goal is to cause maximum damage by encrypting data and destroying infrastructure with wipers, without seeking financial gain.

  • Earth Baxia Uses Spear-Phishing and GeoServer Exploit to Target APAC - Earth Baxia, a threat actor group operating from China, targeted government organizations in Taiwan and other APAC countries using spear-phishing emails and the GeoServer vulnerability CVE-2024-36401. They deployed customized Cobalt Strike components and a new backdoor named EAGLEDOOR for information gathering and payload delivery.

  • Analysis of Fox Kitten Infrastructure Reveals Unique Host Patterns and Potentially New IOCs - Censys conducted an analysis of Fox Kitten Infrastructure to uncover unique host patterns and potential new Indicators of Compromise (IOCs). The analysis revealed patterns among hosts connected to IOC IPs and domain IOCs listed in the advisory that could indicate future attacks. By studying profiles of hosts over time, Censys identified additional infrastructure that may be related to Fox Kitten. Defenders can use this information to monitor and block potentially malicious hosts and certificates. Despite attempts at obfuscation, patterns in digital infrastructure can provide valuable insights for cybersecurity defense.

  • Shining a Light in the Dark – How Binary Defense Uncovered an APT Lurking in Shadows of IT - Binary Defense recently uncovered an Advanced Persistent Threat (APT) lurking in the shadows of IT. The threat originated from unmanaged AIX servers left exposed on the internet, providing an opportunity for attackers to launch an attack. The attackers used web shells, SSH keys, and reverse proxies to gain access and move laterally within the network.

  • Prioritizing Detection Engineering - In the article, the author discusses the concept of prioritizing detection engineering within a security program. The author suggests an order of implementation for detection projects, focusing on getting logging in order, spending time on hardening, introducing high-quality detections and alerts, and focusing on management before diving into detection engineering. The author emphasizes the importance of incremental milestones and collaboration with existing management structures before dedicating resources to a full-blown detection engineering team. Overall, the article highlights the complexities of detection work and the need for careful prioritization and management.

  • Examining Mobile Threats from Russia - This blog examines mobile threats from Russia, focusing on state-sponsored threat groups known for cyber-espionage, targeted intrusions, and disinformation campaigns. The threat groups target Android and iPhone users, delivering spyware and collecting credentials for mobile applications. The blog provides case studies of malware campaigns by Russian intelligence services, highlighting the sophistication and tactics used. Recommendations for high-value targets to protect against Russian mobile threats are provided, including using hardened OS and following OPSEC best practices.

  • Analysis of Evolving Evasion Tradecraft in Commodity Malware and Command-and-Control Frameworks - This blog post from RevEng.ai examines evolving malware and command-and-control (C2) frameworks, focusing on their evasion techniques. It highlights how attackers are adopting advanced tradecraft, including anti-analysis tactics, obfuscation, and novel C2 infrastructures, to bypass modern detection tools, and it explores specific case studies and real-world examples to illustrate these strategies.

  • “Marko Polo” Navigates Uncharted Waters With Infostealer Empire (PDF) - This report analyzes current cyber threat activity, highlighting advanced tactics, techniques, and procedures (TTPs) used by cybercriminals. It emphasizes evolving threats across various sectors, including ransomware, state-sponsored attacks, and sophisticated malware campaigns. The report underscores the importance of proactive threat intelligence and defense strategies to mitigate the impact of these growing threats.

Techniques and Write-ups

  • The real slim shady || Ivanti Endpoint Manager (EPM) Pre-Auth RCE CVE-2024-29847 - A critical (CVSS 9.8) vulnerability in Ivanti Endpoint Manager (EPM) was reported by SinSinology, leading to remote code execution. The exploit abuses an insecure deserialization vulnerability in the EPM service, which listens on a dynamic port. By bypassing certain security restrictions in .NET Remoting, attackers can achieve arbitrary file operations and remote code execution. James Forshaw's research on .NET exploitation techniques was instrumental in uncovering and exploiting this vulnerability. The exploit has been made available, but with added complexity to deter malicious actors.

  • CVE-2024-8190: Investigating CISA KEV Ivanti Cloud Service Appliance Command Injection Vulnerability - CVE-2024-8190 is a command injection vulnerability in Ivanti Cloud Service Appliance (CSA) that was recently exploited in the wild, prompting investigation.

  • Hidden in Plain Sight: Abusing Entra ID Administrative Units for Sticky Persistence - In this post by Datadog Security Labs, the focus is on the potential misuse of Entra ID Administrative Units (AUs). AUs allow scoped role assignments within an Entra ID tenant, but attackers can abuse this feature for privileged persistence. The post details two scenarios where attackers could create sticky backdoor accounts or conceal permissions grants through restricted or hidden membership AUs. The post provides insights on how to detect and respond to the abuse of AUs, as well as recommendations for proper use of AUs. Additionally, the post includes information on testing methodologies to identify Entra ID roles and Microsoft Graph permissions related to hidden membership AUs.

  • CloudImposer: Executing Code on Millions of Google Servers with a Single Malicious Package - Tenable Research discovered a vulnerability in Google Cloud Platform called CloudImposer that could have allowed attackers to execute code on potentially millions of servers owned by Google and its customers. The vulnerability, known as a dependency confusion attack, was found in Google Cloud Composer, a managed service version of Apache Airflow. Tenable Research also found risky guidance in GCP documentation that could have put customers at risk.

  • Attacking PowerShell CLIXML Deserialization - This article discusses an attack on PowerShell CLIXML deserialization, highlighting the risks and impact of such attacks, including remote code execution. The research findings were reported to Microsoft, and while the issue was reported as fixed, organizations still need to take precautions. Recommendations are provided for secure PowerShell development, IT operations, and mitigating vulnerabilities in PowerShell remoting and PowerShell Direct. The research explores various attack vectors and provides insights into securing PowerShell modules and reducing risks associated with deserialization vulnerabilities.

  • Vulnerable Windows Driver In a Nutshell - This article provides an overview of vulnerable Windows drivers, their history, types, development process, interactions with the OS/kernel, and potential security risks. It discusses the importance of proper driver development and the need for signed drivers to prevent unauthorized access and attacks. A hypothetical vulnerability in driver code is explored, showing how improper access control to hardware registers could lead to exploits like disabling Secure Boot. Mitigation strategies, such as privilege verification and input validation, are suggested to prevent such vulnerabilities.

  • Escalating from Reader to Contributor in Azure API Management - This blog post outlines how a user with Reader-level access to an Azure API Management resource was able to escalate their privileges to Contributor-level access by exploiting a bug in the Direct Management API. By accessing the ARM API with Reader privileges, the user could retrieve sensitive information such as subscription keys and client credentials.

  • Security Flaw in AWS Transit Gateway Peering Attachments (Patched) - A security flaw in AWS Transit Gateway Peering attachments was discovered in late-July 2024 and promptly remedied by AWS. The exploit allowed unauthorized access to networks by bypassing the approval step for peering attachments.

  • Linux malware development 2: find process ID by name. Simple C example. - In this post, the author provides a simple C example for finding a process ID by name on Linux for malware development. The code searches for a running process by scanning the /proc directory and retrieves the process ID of the target process if found. Two functions are implemented: one that searches for the process by name and one that runs the process-finding logic. The author also discusses potential issues with matching process names and provides an updated version of the code that reads from the /proc/<pid>/cmdline file for more reliable results.

  • Exploring MSI Files: The Good, the Bad, and the Ugly - The article explores MSI files, discussing their purpose, structure, and use in software installation on Windows operating systems. It also covers the potential risks and attacks associated with MSI files, and provides strategies for detecting and mitigating malicious activity involving MSI files.

  • Timer Callbacks Spoofing to Improve your SLEAP and SWAPPALA Untold - This blog discusses improving sleeping masks like SLEAP and SWAPPALA by using timer callbacks spoofing. The author explores techniques to hide memory mappings from memory scanners and avoid detection by tools like Hunt Sleeping Beacons. By modifying timer callbacks and leveraging asynchronous procedure calls (APCs), the author develops a more sophisticated approach to achieve their goals.

  • Exploiting Chamilo during a Red Team engagement - During a Red Team engagement, Quarkslab identified multiple vulnerabilities in the open source e-Learning platform Chamilo, including Remote Code Executions. They were able to exploit vulnerabilities such as Arbitrary File Write, Path Traversal, Server Side Request Forgery, and Cross Site Scripting to achieve Remote Code Execution without authentication.

  • Three-Headed Potato Dog - The blog post discusses research on using DCOM to coerce Windows systems to authenticate to other systems, potentially allowing for the relay of authentication to NTLM or Kerberos, such as in the case of AD CS over HTTP. The technique involves activating a COM class using a crafted storage object to establish connections that can be authenticated and relayed.

  • NTLM Relaying – Making the Old New Again - The article discusses NTLM relaying techniques for privilege escalation in an on-prem Active Directory environment, focusing on weaknesses such as missing SMB signing and LDAP signing and a non-zero machine account quota. It provides step-by-step methods for exploiting these weaknesses, including a man-in-the-middle attack using ntlmrelayx. The article also includes remediation steps to safeguard against these attacks, such as enabling SMB and LDAP signing and setting the machine account quota to zero. Ultimately, the article aims to provide insights for both testers and defenders of Active Directory domains.

  • Understanding Tokens in Entra ID: A Comprehensive Guide - Tokens in Entra ID have different utilities and are not all equal in attractiveness to attackers. This blog aims to explain the primary differences between common types of tokens and the attacks they are susceptible to. It covers topics such as token hierarchy, different types of tokens (access tokens, SAML tokens, etc.), and the importance of refresh tokens in providing continual access to resources for attackers. The post also discusses the significance of Family of Refresh Tokens (FRT) and Primary Refresh Tokens (PRT) in allowing lateral movement and privilege escalation.

  • The Curious Case Of MutantBedrog’s Trusted-Types CSP Bypass - MutantBedrog is a malvertiser known for disruptive forced redirect campaigns and a unique JavaScript payload that uses Trusted-Types and Content Security Policies (CSP) to bypass security measures and redirect users to scam landing pages. Through testing and investigation, it was discovered that MutantBedrog's payload can bypass CSP directives using Trusted Types, exploiting a browser logic bug rather than a security vulnerability. This highlights the importance of understanding browser security at a specification level and the challenges of implementing effective CSPs to protect against XSS and injection attacks, especially in ad-serving environments.

  • Revisiting MiniFilter Abuse Technique to Blind EDR - The blog explores how Windows MiniFilter Altitude can be abused to blind EDR drivers, with a focus on bypassing mitigations developed by some vendors. By manipulating the load order and registry values of MiniFilter drivers, attackers can prevent EDR drivers like Microsoft Defender for Endpoint (MDE) from loading, allowing for the execution of malicious tools. The vulnerability still affects some vendors, and SOC teams are advised to monitor for suspicious registry changes and respond promptly.

  • Extracting Credentials From Windows Logs - The article discusses extracting credentials from Windows event logs by creating a script to scrape credentials, defining regular expressions for extracting credentials, querying events, and parsing events for credentials. The script checks for plaintext credentials being passed to applications in various formats, extracts them, and outputs them for analysis. The article also highlights the usage of high-performance cmdlets and P/Invoke to improve event log queries. Finally, the script is demonstrated to extract credentials successfully from event logs for threat detection and analysis.

  • Vulnerabilities in Open Source C2 Frameworks - The Include Security Research blog explores vulnerabilities in open source Command and Control (C2) frameworks used in network and red teaming assessments. These frameworks consist of agents, team servers, and clients, and can be prone to security risks like unauthenticated remote code execution. The blog highlights vulnerabilities in popular frameworks like Sliver, Havoc, Ninja, SHAD0W, and Covenant, emphasizing the importance of strict input validation and data boundaries to prevent exploitation.

  • Proroute H685 4G router vulnerabilities - Pen Test Partners discovered two vulnerabilities in the Proroute H685t-w 4G Router that allow for authenticated command injection through the admin interface and reflected Cross-Site Scripting. The vulnerabilities can lead to unauthorized access, data manipulation, and complete control of the affected device.

  • Vulnerabilities in Cellular Packet Cores Part IV: Authentication - This article discusses two vulnerabilities in the Microsoft Azure Private 5G Core (AP5GC) that have since been resolved. The first vulnerability, CVE-2024-20685, could lead to service outages, while the second vulnerability, ZDI-CAN-23960, could disrupt network operations by allowing an unauthenticated base station to override a legitimate one. These vulnerabilities highlight the importance of authentication between base stations and packet cores to prevent such attacks.

  • How to Break Out of Hyper-V and Compromise your Admins - This blog post discusses novel attack scenarios targeting PowerShell Remoting and PowerShell Direct in Hyper-V environments, which can lead to privilege escalation and compromise of admins. The impact of these vulnerabilities includes arbitrary DNS lookups, remote code execution, and stealing Net-NTLMv2 hashes.

  • SAP Hash Cracking Techniques - RedRays SAP Security Team specializes in SAP security solutions, including hash cracking techniques to uncover weak or outdated passwords stored in SAP systems. By understanding the hashing algorithms and database tables used by SAP, security professionals can retrieve and crack password hashes using tools like JohnTheRipper and Hashcat.

  • Using YouTube to steal your files - This blog post details a researcher's exploration of using YouTube and Google Slides to potentially steal files from Google Drive. The researcher found ways to manipulate YouTube videos embedded in Google Slides to redirect users to external sites and exploit Google account login redirects. Ultimately, the researcher discovered a potential one-click clickjacking attack that could grant editor access to Drive files or folders.

  • Laser Fault Injection for the Masses, Part 3 - In this article, the author discusses the use of Laser Fault Injection (LFI) for chip decapping, focusing on the various chip packaging formats and materials used in epoxy-based packages. The article explores the challenges and methods involved in decapping chips, such as chemical, mechanical, thermal, and laser decapping. The author introduces the use of a low-cost LFI rig for laser decapping, which allows for quick and efficient removal of the epoxy encapsulant, making the decapping process faster and more reliable. This dual-functionality of the LFI rig simplifies the process and makes it more accessible to a wider audience for hardware security testing.

  • Exploiting Exchange PowerShell After ProxyNotShell: Part 3 – DLL Loading Chain for RCE - This article discusses a chain of three vulnerabilities that led to remote code execution in Microsoft Exchange Server. The vulnerabilities include arbitrary file write, arbitrary file read, and local DLL loading. By exploiting these vulnerabilities, the attacker was able to achieve RCE as SYSTEM. The article provides detailed technical information on how the vulnerabilities were chained together to achieve the attack.

  • Applying Security Engineering to Make Phishing Harder - A Case Study - Doyensec was hired to perform a security review for a client offering a Communication Platform as a Service, focusing on social engineering attacks and phishing vulnerabilities. The audit revealed vulnerabilities such as file extension restriction bypass, subdomain crafting circumvention, antivirus scan bypass, HTML input handling issues, misleading Unicode domain rendering, URI and filename spoofing, and untrusted links navigation confirmation. Recommendations were made to mitigate these vulnerabilities and strengthen the platform's resilience against social engineering attacks. Such focused engagements are valuable additions to regular security assessments for enhancing platform security.

  • gaining access to anyones browser without them even visiting a website - The author discovered a vulnerability in the Arc browser that allowed them to gain access to users' browsers without their knowledge, due to a flaw in Firebase authentication. By exploiting this vulnerability, the author was able to create malicious boosts with JavaScript payloads and compromise targeted websites. The vulnerability was reported to Arc, who quickly patched it and awarded a bounty. Arc has since switched off Firebase and implemented measures to prevent similar exploits in the future.

  • A Journey From sudo iptables To Local Privilege Escalation - This article discusses the journey from using sudo iptables to local privilege escalation on a Linux machine. It explains how a low-privileged user can manipulate firewall rules to escalate their privileges and execute arbitrary commands as superuser. By injecting fake entries in the comments of iptables rules, they can overwrite legitimate entries and gain additional permissions.

  • Spyware Injection Into Your ChatGPT's Long-Term Memory (SpAIware) - This post discusses an attack chain called SpAIware, which involves injecting spyware into the long-term memory of the ChatGPT macOS application through prompt injection. This allows attackers to continuously exfiltrate user data from ChatGPT, posing a serious security risk. OpenAI has released a fix for the macOS app, but other clients like iOS remain vulnerable. Users are advised to update their apps, review stored memories, and follow OpenAI's guidelines for managing memories to prevent potential data breaches.

  • Windows Kernel Pool Exploitation CVE-2021-31956 - Part 2 - In the blog post, the author discusses the exploitation of CVE-2021-31956 in Windows Kernel Pool. The technique presented by Corentin Bayet and Paul Fariello of Synacktiv requires just a four-byte overflow and supports a wide range of vulnerable chunk sizes. The exploitation involves modifying the chunk's pool header to allow for privilege escalation. The author details the steps taken to achieve this, including draining and spraying objects, creating gaps, triggering the vulnerability, creating fake pool headers, enabling Dynamic Lookaside List, leaking kernel pointers, and executing arbitrary reads for privilege escalation. The author also provides a video of the exploit in action and suggests further improvement ideas for the exploit.

  • Outsmarting Copilot: Creating Hyperlinks in Copilot 365 - The article discusses how researchers were able to outsmart Copilot 365 by creating fully clickable hyperlinks in the chat, which could lead to potential security risks such as phishing or data exfiltration. By manipulating Copilot's Markdown formatting and using linguistic tricks, the researchers were able to successfully create a malicious hyperlink that bypassed Copilot's security mechanisms.

  • CVE Wednesday - CVE-2024-20439 - The blog post discusses a recently discovered vulnerability, CVE-2024-20439, in Cisco Smart Licensing Utility, which involves a hardcoded static password that can be used to access licensing data. The author reverse engineered the vulnerability from a Cisco advisory and found the hardcoded password in the application's code.

  • Binder Internals - This blog post explores the inner workings of Binder, a complex component in Android that facilitates communication between processes. It delves into the lifetime management of Binder objects, transaction stacks, workqueues, and the Binder Buffer Allocator. The post also introduces the libdevbinder library, which provides a simplified interface for researchers to interact with the Binder driver for experimentation and learning purposes. The post aims to empower security researchers to understand Binder better and potentially find vulnerabilities. The library, along with examples provided, aims to make researching Binder easier and more convenient.

  • (Anti-)Anti-Rootkit Techniques II: Stomped Drivers & Hidden Threads - In the second part of the series on anti-rootkit techniques, the focus is on detecting malicious drivers mapped to unbacked memory and hidden threads. The post covers an evasion technique called driver "stomping," which involves loading a rootkit over an existing driver in memory and detecting it by comparing the driver's section on disk with its section in memory. Another evasion tactic involves attacking the flawed implementation of enumerating threads and their start addresses to hide from detection. A strategy to detect tampering involves finding inconsistencies in thread lists of Windows drivers to uncover hidden threads. The post also hints at implementing a threadless rootkit in the third part of the series.

  • Adventures in Shellcode Obfuscation! Part 14: Further Research - This article explores advanced techniques for obfuscating shellcode to evade detection by security tools. It focuses on dynamic approaches to make detection harder, including altering offsets, leveraging obscure code flows, and experimenting with new payload delivery methods. The article also highlights the importance of continuous research to keep up with evolving defense mechanisms.

Tools and Exploits

  • BEAR-C2 - Bear C2 is a collection of C2 scripts, payloads, and stagers utilized in simulated attacks by Russian APT groups. The tool incorporates various encryption methods to ensure secure communication between the payload and the operator machine. The C2 tool is still under development and requires the use of ngrok for completion. Additionally, specific payload execution techniques are outlined within the project, such as SmartScreen Bypass and Kinzhal, which perform various actions to evade detection and maintain persistence in the targeted system.

  • CVE-2023-28324 - a proof of concept for a Remote Code Execution (RCE) vulnerability affecting Ivanti EPM AgentPortal. The vulnerability allows for the execution of arbitrary commands, as demonstrated in the provided proof of concept. The repository also includes a technical root cause analysis of the vulnerability.

  • VICIdial Unauthenticated SQLi to RCE Exploit (CVE-2024-8503 and CVE-2024-8504) - This GitHub repository contains an exploit for two critical vulnerabilities in VICIdial: an Unauthenticated SQL Injection (CVE-2024-8503) and an Authenticated Remote Code Execution (CVE-2024-8504). The exploit allows an attacker to retrieve administrative credentials through SQLi and execute arbitrary code on the target server via an RCE attack.

  • Introducing Azure Activity Log Axe: An Open-Source Tool to simplify and improve the analysis of Azure Activity logs - Permiso Security has introduced Azure Activity Log Axe, an open-source tool designed to simplify and improve the analysis of Azure Activity logs by addressing the inconsistency in grouping related events. The tool uses the "Axe Key" concept to provide a more reliable grouping mechanism, reducing the time and effort needed to analyze Azure Activity logs and enabling security teams to detect and respond to potential threats effectively.

  • Binary Ninja Plugin: fix-stomped-imports - The Binary Ninja plugin fix-stomped-imports was created by LRQA Nettitude Labs to help reverse engineer a malware sample with a stomped PE header. The plugin reconstructs the Import Address Table so that API calls made by the malware can be statically analyzed. The plugin takes an IAT dump from x64dbg, creates relevant segments and sections, and updates the analysis to make it easier to understand the sample's behavior.

  • JarPlant - a Java archive implant toolkit that allows users to inject malicious payloads into JAR files. It provides different implant types, like class-injector and spring-injector, for various purposes, and also supports custom implants.

  • cloudkicker - Cloudkicker is a self-hosted Azure OSINT tool. It can be hosted anywhere and does not require an account. It includes features like custom domain lookup, SharePoint/OneDrive Modern Auth enforcement checks, and ADFS endpoint identification. Users can configure basic authentication and HTTPS to restrict external access to the tool.

  • binsider - allows users to analyze ELF binaries with features like static and dynamic analysis, string inspection, and hexdumps in a terminal user interface. The tool, described as a "Swiss army knife for reverse engineers," provides detailed documentation and a quickstart video for installation. Users can retrieve binary file information, analyze the ELF layout, extract strings, and view a hexdump dashboard.

  • CVE-2024-40711 - a pre-auth exploit for CVE-2024-40711 related to Veeam Backup & Replication. The exploit was created by Sina Kheirkhah at watchTowr labs. The vulnerability allows for unauthenticated remote code execution and affects versions 12.1.1.56 and earlier.

  • PoC - EXE or DLL or ShellCode - This GitHub repository contains a proof of concept (PoC) demonstrating an executable "exe" file that can be used like an exe, dll, or shellcode. The project aims to create a file with no imports, embed a shellcode to open "calc.exe", and have an exported function that executes the embedded shellcode. The project also includes creating a polyglot DOS Header and compiling it as well. Overall, it is a simple PoC showcasing the versatility of an executable file.

  • NyxInvoke - a versatile Rust-based tool designed to execute .NET assemblies, PowerShell commands/scripts, and Beacon Object Files (BOFs) with built-in patchless AMSI and ETW bypass capabilities. It can be compiled as either a standalone executable or a DLL. The tool supports encrypted payloads with AES decryption and offers flexible input options. Additionally, NyxInvoke can be used to execute CLR assemblies, PowerShell commands or scripts, and BOFs, providing various modes of operation for each.

  • Impacket 0.12.0 - Impacket 0.12.0 has been released on GitHub, featuring various fixes and enhancements such as improved Unicode data processing, Group Key Distribution Protocol implementation, and support for Kerberoasting without pre-authentication. The release also includes improvements to NTLMRelayX, DHCP encoding, LDAP Attack bugfixes, and added functionalities for SMB client interactions.

  • MSSprinkler - MSSprinkler is a password spraying utility for organizations to test their M365 accounts from an external perspective. It uses a 'low-and-slow' approach to prevent locking out accounts and provides detailed information on accounts and tenant information. The tool is written in PowerShell and can be imported as a module, with no other dependencies.

  • createdump - demonstrates how to leverage the WindowsApp createdump tool to obtain an lsass dump. The project provides instructions on how to copy the createdump executable from the WindowsApp folder to a folder of choice and execute it with admin rights to create an LSASS dump.

  • Segugio - Segugio is a tool for executing and tracking critical steps in the malware detonation process, automating tasks that security analysts and specialists in cyber incident response would typically perform. It uses YARA rules to identify malware families and extract configuration data from memory in a dedicated analysis environment. Users can configure settings to define paths for YARA rules, Python scripts, and memory dump locations. The tool provides real-time summaries of processes involved in analyzing malware, making it easier to trace malicious behavior across processes. It also includes features like network fingerprinting, IoC identification, and process injection detection.

  • zipslipper - contains code to create tar/zip archives that attempt to exploit the zipslip vulnerability. The code provides a utility to build these archives with options for relative extraction path, archive type (tar/zip), and verbose logging. Users can use this library on the command line and there are instructions on downloading a pre-built release or building it via the golang toolchain.

  • Binwalk v3 - GitHub hosts the updated version of the Binwalk firmware analysis tool, now rewritten in Rust. It provides improved features such as JSON output summary, smarter file carving and extraction, and enhanced signature validation. The tool can be used to scan files, extract contents, generate entropy graphs, and save analysis results to JSON files.
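
Zip Slip, the weakness the zipslipper entry above builds archives for, comes down to one thing: an entry name that still contains a `..` component (or an absolute path) after normalisation, which a naive extractor then joins onto its destination directory and writes outside it. As an added example, not code from the zipslipper project or any other tool listed here, the following Python vets zip and tar archives before extraction and refuses the whole archive if any entry escapes. The sample archives are constructed inline, and the function names (`is_safe_member`, `unsafe_zip_entries`, `unsafe_tar_entries`, `safe_extract_zip`) are my own.

```python
import io
import os
import posixpath
import tarfile
import tempfile
import zipfile


def is_safe_member(name: str, dest: str) -> bool:
    """True only if the archive entry `name` resolves to a path inside `dest`.

    Rejects absolute paths and any entry that still contains a leading '..'
    after normalisation, which is the escape Zip Slip archives rely on.
    """
    if not name or name.startswith(("/", "\\")) or os.path.isabs(name):
        return False
    # Archive paths use '/', but treat '\' as a separator too so that a
    # Windows-style '..\\..\\' entry is not waved through on a POSIX host.
    norm = posixpath.normpath(name.replace("\\", "/"))
    if norm == ".." or norm.startswith("../"):
        return False
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, norm))
    return os.path.commonpath([dest_real, target]) == dest_real


def unsafe_zip_entries(data: bytes, dest: str) -> list[str]:
    """Names of zip entries that would land outside `dest`."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if not is_safe_member(n, dest)]


def unsafe_tar_entries(data: bytes, dest: str) -> list[str]:
    """Names of tar entries that would land outside `dest`.

    Symlink and hardlink members are rejected outright: a link whose target
    points outside `dest`, followed by a regular file written through it,
    is the tar variant of the same escape.
    """
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        return [
            m.name
            for m in tf.getmembers()
            if m.issym() or m.islnk() or not is_safe_member(m.name, dest)
        ]


def safe_extract_zip(data: bytes, dest: str) -> list[str]:
    """Extract only after the whole archive has been vetted, never partially."""
    bad = unsafe_zip_entries(data, dest)
    if bad:
        raise ValueError(f"refusing to extract, unsafe entries: {bad}")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        zf.extractall(dest)
        return zf.namelist()


# --- constructed sample archives (not taken from any real tool or sample) ---

def build_zip(entries: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)  # name is stored verbatim, '../' included
    return buf.getvalue()


def build_tar(entries: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, content in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    dest = tempfile.mkdtemp()
    benign = build_zip({"app/config.yml": b"debug: false\n"})
    hostile = build_zip({"app/config.yml": b"", "../../.bashrc": b"# constructed\n"})
    print("benign zip:", unsafe_zip_entries(benign, dest))    # []
    print("hostile zip:", unsafe_zip_entries(hostile, dest))  # ['../../.bashrc']
    print("hostile tar:", unsafe_tar_entries(
        build_tar({"ok.txt": b"x", "lib/../../escape.sh": b"y"}), dest))
    try:
        safe_extract_zip(hostile, dest)
    except ValueError as exc:
        print("blocked:", exc)
```

The check is done on the entire member list before a single byte is written, so a hostile entry late in the archive cannot leave a half-extracted tree behind. Python's own `zipfile.extract` and the `tarfile` data filter in 3.12 and later already sanitise these names; the explicit check matters for extractors written in other languages or by hand, where the join-then-write pattern is still common.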

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • Local LLM CTF & Lab - The article discusses a local LLM CTF research project by Bishop Fox that isolates functional expectations for large language models through a controller. The project aims to provide a service where privileged LLMs are protected through access control. It explores the use of different LLMs to handle customer queries and protect sensitive information. The article also highlights challenges and successes in implementing the project, as well as potential applications in client environments. Additionally, it includes insights on how to create a local LLM CTF challenge and discusses future development goals for the project.

  • CVE Hunting Made Easy - CVE Hunting Made Easy outlines a methodology that allows individuals with coding knowledge to discover high-impact vulnerabilities in software. By automating the process and focusing on breadth rather than depth, the author was able to uncover 14 CVEs in just three Sunday afternoons. The approach involves using SAST tools, such as Semgrep, to analyze WordPress plugins for vulnerabilities and then triaging and validating the findings through exploitation. The author emphasizes the importance of shifting security left and encourages others to replicate the process with different software platforms.

  • Console Cowboys: Navigating the Modern Terminal Frontier - TrustedSec explores new command line interface (CLI) tools that enhance productivity and efficiency in daily work. The blog showcases modern CLI tools that streamline tasks and make navigation faster and more precise. The post emphasizes the importance of mastering traditional command line tools before fully relying on new ones, especially when working with legacy systems. It highlights various CLI tools and their benefits, encouraging users to enhance their command line skills for better workflow and adaptability in different environments.

  • Jailbreak your Enemies with a Link: Remote Execution on iOS - This article discusses the Trident exploit chain, which involved three zero-day vulnerabilities in iOS that allowed remote jailbreaking of iPhones, enabling the installation of spyware. The exploit chain exploited a vulnerability in WebKit, the browser engine used by iOS browsers, to gain remote code execution on victims' devices. The article delves into the technical details of how the exploit worked and how attackers could achieve arbitrary read-write access to memory, ultimately leading to the execution of malicious code on the device.

  • How does OS affect binary exploitation - The operating system (OS) plays a significant role in binary exploitation by affecting techniques used in attacking vulnerabilities. Different OS architectures offer varying exploit opportunities due to differences in memory management, calling conventions, and security features. Understanding foundational OS topics like System V ABI, inter-process communication, threading, signaling, and security features like ASLR and stack canaries is crucial for effective binary exploitation. POSIX standardization facilitates the transfer of exploitation techniques across UNIX-like systems, but adaptation to the unique implementation details of each system is necessary. macOS and Linux have distinct methods for binary exploitation due to differences in how they manage system-level mechanics.

  • Turning Everyday Gadgets into Bombs is a Bad Idea - In this blog post, the author discusses the ethical implications of turning everyday gadgets into bombs, highlighting the ease with which it can be done. The author condemns the practice, emphasizing the erosion of public trust in everyday objects and the potential dangers of such acts. They also discuss the technical details of how such explosive devices could be constructed and the challenges in detecting them. Additionally, the author raises concerns about the potential supply chain attacks that could be used to distribute these dangerous devices.
