
Last Week in Security - 2024-10-01


We're Hiring!

For more open positions visit: https://www.sixgen.io/careers

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools, and exploits from the past week. This post covers 2024-09-23 to 2024-09-30.

News

  • Fake job offers. When a job opportunity turns into a nightmare - This article discusses the rise of fake job offers as a sophisticated form of phishing that targets professionals in critical industries, including software developers. These fake job offers are designed to infect victims' devices with malware and steal valuable information, such as access credentials and cryptocurrencies. The article provides strategies for companies to prevent and respond to these attacks, including social engineering tests, cloud security audits, vulnerability management, red team services, and incident response services. It also warns about the increasing threat of deepfakes in the context of fake job offers.

  • Telegram Changes Policy, Says It Will Provide User Data to Authorities - Telegram has updated its privacy policy to say that it will now provide user data, such as IP addresses and phone numbers, to law enforcement agencies in response to valid legal orders. This marks a significant shift for the social network app, which has previously been known for its strong stance on user privacy. The change follows the arrest of Telegram's CEO in August, partly due to the company's refusal to hand over data in response to lawful orders.

  • U.S. Indicts 2 Top Russian Hackers, Sanctions Cryptex - The US has indicted and sanctioned two top Russian hackers, including the alleged proprietor of the cybercrime store Joker's Stash, which sold stolen payment cards. The government also indicted and sanctioned a top Russian cybercriminal known as "Taleon," whose cryptocurrency exchange Cryptex was involved in money laundering. The indictments reveal the sophisticated and widespread nature of cybercrime, especially with the use of cryptocurrency for money laundering. The US has offered rewards for information leading to the arrests and/or convictions of the hackers.

  • Cups Overflow: When your printer spills more than Ink - CUPS printing system vulnerabilities were disclosed by security researcher Simone Margaritelli, affecting UNIX-based systems like Linux, macOS, BSDs, ChromeOS, and Solaris, allowing for remote code execution. Exploiting the vulnerabilities via IPP and mDNS can lead to arbitrary command execution. Elastic Security Labs provides detection and mitigation strategies for organizations to protect against potential exploitation of these vulnerabilities, emphasizing the urgency of addressing the issue. The vulnerabilities have a critical severity level, with recommendations to disable certain services, block specific ports, update CUPS, and enhance user and group configurations for further security. Detection and hunting queries are provided to uncover suspicious activity linked to these vulnerabilities.

  • Remote execution exploit chain in CUPS: Overview, detection, and remediation - A remote code execution exploit chain in Common Unix Printing System (CUPS) was disclosed, allowing arbitrary code execution through UDP port 631 under specific conditions. Potentially hundreds of thousands of internet-facing systems are vulnerable, requiring updates or disabling CUPS if not needed for printing. The attack chain involves vulnerabilities in CUPS components, requiring a user-triggered print job for successful exploitation. Datadog can help identify exploitation attempts and vulnerable hosts through network monitoring and cloud security management.

  • CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177: Frequently Asked Questions About Common UNIX Printing System (CUPS) Vulnerabilities - The blog by Tenable addresses the frequently asked questions about multiple vulnerabilities in the Common UNIX Printing System (CUPS) that were disclosed as zero-days on September 26. The vulnerabilities include issues with libcupsfilters, libppd, cups-browsed, and cups-filters, which could allow attackers to execute arbitrary code. While there was some exploitation detected after public disclosure, there were no known zero-day exploits prior to disclosure, and patches or mitigations are not yet available. Organizations are advised to disable and remove CUPS from vulnerable systems as a precaution.

  • Unix CUPS Unauthenticated RCE Zero-Day Vulnerabilities (CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177): All you need to know - On September 26th, multiple unauthenticated Remote Code Execution (RCE) vulnerabilities in Unix CUPS were disclosed with identifiers CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, and CVE-2024-47177, affecting Linux distributions. These vulnerabilities allow attackers to execute arbitrary commands by creating a new malicious printer and triggering code execution when a print job is sent. While Red Hat initially rated one of the vulnerabilities as critical, they later lowered the severity due to factors mitigating the risk. Linux distributions have released fixes for these vulnerabilities, and mitigation can be accomplished by disabling the cups-browsed service or blocking traffic to UDP port 631 and DNS-SD traffic.

  • You're probably not vulnerable to the CUPS CVE - The CUPS CVE vulnerability primarily affects the cups-browsed component, which enables printer discovery. Most servers are not typically vulnerable to this, but desktop systems may be at risk. To check for vulnerability, you can use commands like systemctl status and sudo lsof. Disabling the cups-browsed service can prevent potential issues until patches are released. It is recommended not to expose the printing service to the public. Patches will be published soon, but in the meantime, taking precautionary measures should help protect your systems.

  • Google & Arm - Raising The Bar on GPU Security - Google and Arm are collaborating to enhance GPU security by addressing hardware-level vulnerabilities. This partnership focuses on improving the security of GPUs used in devices like smartphones and computers, which are increasingly targeted by attackers. The initiative aims to raise the security standards for future GPU designs by integrating advanced protection mechanisms and reducing potential attack surfaces. This effort reflects a broader commitment to safeguarding users from sophisticated cyber threats.

  • Eliminating Memory Safety Vulnerabilities at the Source - Google's Online Security Blog discusses the importance of eliminating memory safety vulnerabilities through a secure-by-design approach, focusing on transitioning to memory-safe languages. The post shows how prioritizing Safe Coding for new code can reduce overall security risks and lead to a significant decline in memory safety vulnerabilities. The Android team's shift to memory-safe languages has resulted in a decrease in the percentage of memory safety vulnerabilities, showcasing the effectiveness of this approach in enhancing software security. They recommend improving interoperability and leveraging existing code investments, while also highlighting the need for selective use of proactive mitigations and proactive detection in conjunction with Safe Coding.

  • Millions of Vehicles Could Be Hacked and Tracked Thanks to a Simple Website Bug - Researchers discovered a flaw in a Kia web portal that allowed them to track millions of cars, unlock doors, and start engines remotely. This bug is part of a larger issue affecting multiple car manufacturers, revealing poor web security for vehicles. The researchers found similar vulnerabilities in other carmakers' websites, leading to concerns about potential theft, stalking, and data leaks. Kia has reportedly fixed the bug, but the wider problem of web-based vulnerabilities in the automotive industry remains unresolved.

  • NIST: No More Regular Password Resets and Arbitrary Complexity Rules - The latest version of NIST's password guidelines recommends that credential service providers and verifiers do not impose arbitrary complexity requirements for passwords and do not require password resets at regular intervals. This is to improve security for users and make things easier for IT and security teams. The new guidelines also recommend using longer passwords and allowing the use of spaces, as length is the biggest obstacle for password cracking. These changes aim to make it more difficult for attackers to compromise passwords.

Threat Intel and Defense

  • Staying a Step Ahead: Mitigating the DPRK IT Worker Threat - Mandiant has been tracking and reporting on IT workers operating on behalf of North Korea since 2022, who pose as non-North Korean nationals to gain employment in various industries to generate revenue for the regime. These workers engage in malicious cyber intrusions and employ various tactics to evade detection, with facilitators playing a crucial role in enabling their activities. Organizations are urged to increase awareness and implement strategies to detect and disrupt DPRK IT worker activity, such as conducting stringent background checks and monitoring for technical indicators.

  • 23rd September – Threat Intelligence Report - The Threat Intelligence Report from Check Point Research on September 23, 2024, highlighted several significant cyber attacks and breaches, including the ransomware attack on the Providence Public School District and a data breach at Dell. Vulnerabilities in Mozilla Foundation, VMware, and Cisco Smart Licensing Utility were also addressed in the report. Check Point Research observed a 32% increase in cyberattacks targeting healthcare organizations and identified a phishing campaign exploiting Google Apps Script macros. Additionally, the report detailed a cyber operation linked to Iran's Ministry of Intelligence and Security targeting telecommunications and government organizations in the Middle East.

  • Kransom Ransomware: New Threat Using DLL-Sideloading to Hijack Popular RPG - ANY.RUN has discovered a new ransomware called Kransom, which uses DLL-sideloading to hijack the popular RPG game Honkai: Star Rail. The ransomware encrypts files using a simple XOR encryption algorithm with a weak key and displays a ransom note impersonating the game's developer.

  • How the Necro Trojan infiltrated Google Play, again - The Necro Trojan has infiltrated popular applications on Google Play, Spotify mods, and WhatsApp mods, infecting millions of Android devices. The Trojan uses a multi-stage loader with steganography and obfuscation techniques to hide its malicious payload. The attackers behind the Trojan are constantly updating and distributing new modules, making it a highly adaptable threat.

  • Kryptina RaaS | From Unsellable Cast-Off to Enterprise Ransomware - Kryptina RaaS started as a free tool on public forums and evolved to be actively used in enterprise ransomware attacks, particularly by Mallox affiliates. In May 2024, a Mallox affiliate leaked staging server data, revealing that their Linux ransomware was based on a modified version of Kryptina. The commoditization of ransomware tools, like Kryptina, complicates malware tracking as affiliates blend different codebases into new variants.

  • Pull Your SOCs Up - TrustedSec's blog post "Pull Your SOCs Up" discusses the importance of identifying and resolving obstacles in cyber defense teams to help them reach the next level of growth. The post emphasizes the need for teams to focus on being right, not fast, when investigating security alerts and to combat burnout by tuning out false positives and reducing workload. It also highlights the value of learning opportunities, such as training and scheduled testing, for analysts to improve their skills. Effective communication within the team and with other departments is key to building trust and evolving as cyber defenders.

  • HTML Smuggling: How Blob URLs are Abused to Deliver Phishing Content - Trustwave's 2024 report highlights alarming trends in insider threats and phishing-as-a-service. The HTML smuggling technique is being used to deliver phishing content by encoding it in Base64 strings and creating blob URLs. This allows cybercriminals to bypass security measures and distribute harmful content covertly. The rise of HTML smuggling in phishing attacks poses a major concern for security systems as it can easily slip through detection mechanisms.

  • Email, Email on the Wall, Who Sent You, After All? - The Compass Security Blog discusses the importance of analyzing email headers to prevent Business Email Compromise (BEC) attacks, which are financially damaging. The blog post takes a fictional scenario of an email threat involving cupcakes from a CFO to explain the process of tracing email headers to verify the sender's authenticity. The blog highlights the use of SPF, DKIM, and DMARC protocols to enhance email security, and recommends being cautious of suspicious emails and verifying any changes in payment information or requests.

  • Inside SnipBot: The Latest RomCom Malware Variant - SnipBot is a new variant of the RomCom malware family with advanced evasion techniques and code obfuscation methods. It was first discovered in April and has been observed attempting to exfiltrate files from victim systems. The malware operates in stages, using an initial downloader to execute commands and download additional modules onto a system. Palo Alto Networks offers protection against SnipBot through its security products. The threat actor behind SnipBot has been active since at least 2022, engaging in activities like ransomware, extortion, and targeted credential gathering.

  • Tracking cloud-fluent threat actors - Part one: Atomic cloud IOCs - This blog post focuses on the importance of mastering cloud-specific indicators of compromise (IOCs) for enhanced threat detection, particularly in cloud environments. It discusses various types of cloud-specific IOCs, such as container images, AWS account IDs, IAM user names, and user agent strings. The post emphasizes the significance of incorporating these IOCs into threat intelligence feeds and detection mechanisms to improve the security of cloud environments. Additionally, it provides strategies for utilizing atomic cloud IOCs effectively and highlights how Wiz can assist in this process.

  • Derailing the Raptor Train - In mid-2023, Black Lotus Labs discovered a large botnet called "Raptor Train," operated by Chinese threat actors, consisting of over 60,000 compromised devices such as routers, cameras, and storage servers. The operators manage the botnet through a sophisticated control system called "Sparrow," allowing for activities like exploitation, remote management, and DDoS attacks. Black Lotus Labs has observed this botnet targeting entities in the US and Taiwan, with a potential DDoS capability being preserved for future use. The report provides insights into the network architecture, exploitation campaigns, and the operational use of the Raptor Train botnet.

  • Threat Actors leverage Docker Swarm and Kubernetes to mine cryptocurrency at scale - Threat actors are leveraging Docker Swarm and Kubernetes in a cryptojacking campaign, targeting Docker Engine API and moving laterally to Docker Swarm, Kubernetes, and SSH servers. The campaign exploits Docker for initial access, deploys a cryptocurrency miner, and retrieves and executes malicious payloads for lateral movement. The threat actors operate Docker Hub accounts hosting malicious images, and use various techniques to compromise Kubernetes, Docker, and SSH servers. Datadog Security Research has observed similarities to activities attributed to TeamTNT, but attribution is challenging due to the use of shell scripts.

  • Simple Mail Transfer Pirates: How threat actors are abusing third-party infrastructure to send spam - The article discusses how threat actors are abusing third-party infrastructure to send spam, such as by manipulating web forms and exploiting vulnerabilities in email systems. Attackers are also testing credentials obtained from data breaches to send spam. The article provides examples of how spammers exploit various web forms and Google applications to send unsolicited emails. To combat these attacks, companies can educate users about phishing scams and encourage them to use unique passwords and password managers to protect their accounts. Additionally, the article highlights some recent malware discoveries by Cisco Talos.

  • Wallet Scam: A Case Study in Crypto Drainer Tactics - Check Point Research (CPR) uncovered a malicious app on Google Play designed to steal cryptocurrency, marking the first time a drainer has targeted mobile users exclusively. The app exploited the trusted name of the WalletConnect protocol to deceive users and steal approximately $70,000 in cryptocurrency from victims. The app remained undetected for over five months and used advanced social engineering and the MS Drainer toolkit to steal digital assets from victims. The malicious app targeted over 150 users and used deceptive techniques to trick users into authorizing fraudulent transactions.

  • Unraveling Sparkling Pisces's Tool Set: KLogEXE and FPSpy - Unit 42 researchers uncovered two malware samples used by the Sparkling Pisces threat group, including an undocumented keylogger called KLogEXE and a previously unknown variant of a backdoor named FPSpy. These samples extend Sparkling Pisces's already extensive toolkit, showing the group's continuous evolution and increasing capabilities. By understanding the mechanics of these malware pieces, organizations can better prepare and defend against such threats.

  • 10 Years of DLL Hijacking, and What We Can Do to Prevent 10 More - The article discusses the technique of DLL Hijacking, which has been used for about a decade to force legitimate applications to run malicious code. It explores the purpose of DLL Hijacking, the different ways it can be used, and the internal structure of malicious DLLs. The article also provides various preventative tools and approaches available for developers to prevent malicious actors from abusing their applications with this technique, including using digital signatures to verify the integrity of loaded DLLs.

  • How to Intercept Data Exfiltrated by Malware via Telegram and Discord - This article explains how to intercept data exfiltrated by malware via Telegram and Discord. It provides a step-by-step guide on obtaining information related to threat actors' activities using the Telegram API, including parsing a Telegram chat and forwarding messages. It also touches on using Discord webhooks for data retrieval. The article includes Python scripts for automation and examples from sandbox sessions for practical application.

  • From 12 to 21: how we discovered connections between the Twelve and BlackJack groups - The analysis focuses on the BlackJack group, a hacktivist group targeting Russian organizations, and their similarities with the Twelve group. Both groups use publicly available tools like Shamoon wiper and LockBit ransomware, as well as common remote access tools like AnyDesk and PuTTY. The analysis shows overlapping tactics, techniques, and procedures (TTPs) between the two groups, suggesting they may belong to a single cluster of activity aimed at inflicting damage on Russian organizations. The report provides details on the malware samples, legitimate tools, and commands used by both groups, indicating a unified cluster of hacktivist activity.

  • Investigating Infrastructure and Tactics of Phishing-as-a-Service Platform Sniper Dz - Sniper Dz is a phishing-as-a-service platform that offers free admin panel access to generate phishing pages targeting popular brands. They hide phishing content behind public proxy servers and use obfuscation techniques to evade detection. The platform exfiltrates stolen credentials to a centralized infrastructure owned by Sniper Dz. Users can access phishing pages hosted on Sniper Dz infrastructure or download templates to host on their own servers. Palo Alto Networks customers are better protected through advanced URL filtering and DNS security.

  • Betting on Bots: Investigating Linux malware, crypto mining, and gambling API abuse - A sophisticated Linux malware campaign targeting vulnerable servers was uncovered by Elastic Security Labs, involving cryptomining, DDoS attacks, and potential money laundering using gambling APIs. The threat actors utilized a variety of tools and malware, including KAIJI and RUDEDEVIL, to exploit system resources for malicious purposes. The malware campaign involved the deployment of multiple malware families, custom-written malware, and the use of GSOCKET and Telegram for stealthy communication. Elastic Security Labs recommended various defensive measures, such as keeping detection rules updated, enabling prevention mode in Elastic Defend, monitoring alerts and logs, conducting threat hunting, implementing WAFs, enforcing strong authentication for SSH, writing secure code, and regularly patching and updating systems.

  • Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware - The Nitrogen campaign was responsible for deploying the Sliver and Cobalt Strike beacons through the BlackCat ransomware intrusion, initiated by a malicious version of Advanced IP Scanner downloaded from a fake website. The threat actor performed various malicious actions, including lateral movement, credential dumping, and exfiltration of data using tools like Restic. Scheduled tasks, registry key modifications, and process injections were used for persistence and to facilitate the ransomware deployment. The threat actor also utilized Cobalt Strike for post-exploitation activities and established command and control through HTTP services on specific ports. The attack culminated in the deployment of the BlackCat ransomware across the network, encrypting files and leaving ransom notes.

  • SilentSelfie: Uncovering a major watering hole campaign against Kurdish websites - This post details a major watering hole campaign, "SilentSelfie," targeting Kurdish websites. Attackers used malicious scripts to exploit visitors, specifically aiming at political activists and ethnic groups. The blog discusses the tactics, techniques, and procedures (TTPs) used in the campaign, including infrastructure and payload delivery methods. It also highlights how SilentSelfie was discovered and provides recommendations for improving website security to prevent such attacks.

  • Inside the Dragon: DragonForce Ransomware Group - This blog discusses the emergence of the DragonForce ransomware group, which primarily targets vulnerable systems in Southeast Asia and the Middle East. The group uses a unique combination of politically motivated hacktivism and financial cybercrime, demanding ransom while also making political statements. DragonForce exploits vulnerabilities in critical infrastructure, employs sophisticated ransomware techniques, and focuses on spreading messages related to its hacktivist agenda. The blog details their attack methods, highlighting the evolving nature of the threat and providing mitigation strategies.

Techniques and Write-ups

  • Open to Exploitation: The Security Risks of Unauthenticated Pager Networks - Pager networks, like POCSAG, are still widely used in critical sectors such as healthcare and industrial control systems, despite being vulnerable to spoofing and message injection attacks. Recent incidents, such as the 2024 pager explosions in Lebanon, have highlighted the security flaws in these networks. With readily available equipment, anyone can intercept and inject messages into these systems, posing a significant security risk. The ease of spoofing messages on these networks emphasizes the need for stronger security measures or transitioning to more secure technologies in sensitive environments to prevent malicious exploitation.

  • Kerberos IV - Delegations - In the Kerberos IV - Delegations post, the focus is on exploring Kerberos delegations, discussing the different types of delegation, their use cases, and potential security implications. These include Unconstrained Delegation, KCD Kerberos Only, Protocol Transition, and Resource-Based Constrained Delegation. The post also delves into the abuse of delegations, such as impersonation and lateral movement, and provides best practices for detecting and mitigating such risks. Additionally, the post includes a step-by-step analysis of the communication flow in various delegation scenarios and provides tools and techniques for exploiting misconfigurations in delegation settings.

  • Help Scout - Mass assignment vulnerability on inbox settings - A mass assignment vulnerability was discovered in Help Scout's API endpoint for updating shared inbox settings, allowing attackers to send emails from arbitrary addresses without passing an identity verification step. This could be exploited for spear-phishing attacks by spoofing email addresses with specific domains already configured on Help Scout. The vulnerability could be used to send malicious emails that pass SPF and DKIM verification, as the spoofed domain name was already set up to allow Help Scout as a sender. The issue was reported to Help Scout for resolution.

  • UEFI is the new BIOS - UEFI is the new BIOS and presents new challenges in platform firmware design. Leviathan Security Group is focusing on UEFI reverse engineering, vulnerability discovery, and exploit development. They are building expertise in finding and exploiting UEFI vulnerabilities to better secure the firmware security supply chain. UEFI has introduced Secure Boot technologies like UEFI Secure Boot, Intel Boot Guard, and Intel BIOS Guard to protect platform firmware integrity from firmware and hardware vulnerabilities. The blog series aims to provide foundational knowledge on UEFI vulnerabilities and exploit development.

  • A few notes on AWS Nitro Enclaves: Attack surface - AWS Nitro Enclaves are a powerful tool for isolating sensitive workloads in cloud applications, but they come with potential security pitfalls that developers must be aware of. Trail of Bits has scrutinized the attack surface of Nitro Enclaves, highlighting key security risks and best practices for mitigation. Developers deploying Nitro Enclaves should pay attention to virtual socket security, randomness sources, side-channel attack mitigations, time management, attestation practices, and NSM driver security to ensure the security of their deployments. It is important to treat enclaves as a single trust zone, implement end-to-end security, mitigate side-channel risks, verify entropy sources, use the right time sources, and follow robust attestation practices.

  • Proxying Your Way to Code Execution – A Different Take on DLL Hijacking - In this blog post by Black Hills Information Security, the author discusses a different take on DLL hijacking called DLL proxying. DLL hijacking exploits the way Windows applications search for and load DLLs, allowing attackers to execute arbitrary code. DLL proxying, on the other hand, relies on misconfigurations in folder access controls to allow attackers to forward traffic from their malicious DLL to a legitimate one, effectively creating a proxy between the application and the DLL. Despite Microsoft acknowledging the vulnerabilities, they have chosen not to fix them, leaving organizations vulnerable to these attacks.

  • Hacking Kia: Remotely Controlling Cars With Just a License Plate - In 2024, a group of hackers discovered vulnerabilities in Kia vehicles that allowed remote control over key functions using only a license plate. They were able to obtain personal information and add themselves as invisible users on the victim's vehicle. The hackers built a tool to demonstrate the impact of these vulnerabilities by taking over vehicles remotely and controlling them. The vulnerabilities were reported to Kia, fixed, and never exploited maliciously.

  • Attacking UNIX Systems via CUPS, Part I - The article discusses attacking UNIX systems via CUPS, focusing on targeting GNU/Linux systems for remote code execution (RCE) vulnerabilities. It explores the cups-browsed service, stack buffer overflows, race conditions, IPP, PPD files, foomatic-rip vulnerabilities, and a remote command execution chain. The author details their findings and struggles with responsible disclosure, including arguments with developers and the CERT. The research culminates in a fully working exploit, with a 9.9 CVSS severity, and plans for future research on Apple macOS systems.

  • CUPS disclosure leaked online - The CUPS disclosure was leaked online by the original author, @evilsocket, on GitHub. The vulnerability affects several components of the CUPS printing system and can allow remote attackers to execute arbitrary code on the target host. The vulnerability has been reported to the vendor, OpenPrinting, and steps are being taken to address the issue. Some users are concerned about the impact on various GNU/Linux distributions and Apple devices. The public release of the exploit code has raised some ethical concerns about responsible disclosure.

  • Red Teaming in the age of EDR: Evasion of Endpoint Detection Through Malware Virtualisation - The blog discusses the evolution of Red Teaming tools in response to advancements in Endpoint Detection and Response (EDR) systems. It explores the use of a custom polymorphic engine and virtualization techniques to evade detection and analysis, such as dynamic behavior monitoring. These advanced techniques have been successful in Red Teaming exercises, allowing attackers to remain undetected in heavily monitored environments. The blog also serves as a call to action for security vendors to continue improving their products to stay ahead of sophisticated attacks like these.

  • Exploiting Android Client WebViews with Help from HSTS - Sean Pesce discovered a one-click account takeover vulnerability in the Tokopedia Android app involving URI parsing issues and custom WebViews, exploitable only through a payload hosted on a web domain in Google's HSTS preload list. As part of exploiting the URL-parsing flaw, Pesce releases his HSTS+HTTPS redirection service tool. Through an in-depth exploration of the vulnerability, he demonstrates the potential for exploiting Android client WebViews and highlights the role HSTS plays in preventing attacks.

  • A step-by-step guide to writing an iOS kernel exploit - Alfie CG provides a step-by-step guide on writing an iOS kernel exploit, focusing on physical use-after-free vulnerabilities. The exploit involves triggering a physical use-after-free to gain access to kernel memory, allocating IOSurface objects in kernel memory, and manipulating pointers within the objects to achieve arbitrary kernel read and write primitives. The exploit is demonstrated on iOS 15.6 and above, with potential limitations on iOS 16 and arm64e devices. The blog post also mentions future plans for developing more stable read and write primitives for a jailbreak.

  • Wiz Research Finds Critical NVIDIA AI Vulnerability Affecting Containers Using NVIDIA GPUs, Including Over 35% of Cloud Environments - Wiz Research has found a critical vulnerability (CVE-2024-0132) in the NVIDIA Container Toolkit, affecting AI workloads running on NVIDIA GPUs in containers, impacting over 35% of cloud environments. The vulnerability allows attackers to escape containers and gain access to the underlying host system, posing a serious security risk to sensitive data and infrastructure. NVIDIA has released a patch for the affected product, and organizations are advised to update to version 1.16.2 to mitigate the risk. The research highlights the importance of prioritizing security in AI infrastructure and tooling, as well as the limitations of container isolation in securing applications.

  • CVE-2024-38856 – Apache Ofbiz RCE - CVE-2024-38856 is a remote code execution vulnerability in Apache OFBiz version 18.12.14 that allows unauthenticated attackers to execute code. The exploit involves encoding commands in Base64 and sending them via HTTP POST requests to the `ProgramExport` endpoint, bypassing security measures. SecureLayer7 has developed a framework for scanning and exploiting this CVE, emphasizing the importance of thorough security implementations to prevent authentication bypass and potential remote code execution. The analysis provides steps for mitigating the risk and highlights the need for proper input validation and authentication checks in application security.

  • Direct Memory Access (DMA) attacks. Risks, techniques, and mitigations in hardware hacking - DMA attacks are a powerful class of attacks that give read and write access to a target system's memory, bypassing the main CPU to gain kernel privileges. These attacks can be conducted remotely and do not require physical access to the system. Mitigations for DMA attacks include disabling or requiring user authentication for DMA-capable connections, BIOS and boot protection, and utilizing IOMMU hardware to restrict memory access for DMA-capable devices. Despite advancements in protection measures, enterprise systems and remote networks remain vulnerable to DMA attacks.
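
Two of the mitigations listed above, an active IOMMU and authorization-gated Thunderbolt ports, can be verified from sysfs on a Linux host. The following is an added example, not code from the cited article: it reads `/sys/kernel/iommu_groups` and the per-domain `security` and `iommu_dma_protection` attributes under `/sys/bus/thunderbolt/devices`, and takes a `root` parameter so the same check can run against a constructed tree (the `make_sample_root` helper builds one in a temp directory for demonstration).

```python
"""Linux host self-check for DMA mitigations: is an IOMMU active, and do
Thunderbolt domains require device authorization / report IOMMU DMA
protection?  Reads sysfs only.  Added example; `root` defaults to the live
system and can point at a constructed tree for testing."""
import tempfile
from pathlib import Path


def iommu_active(root="/"):
    """True when the kernel has populated IOMMU groups (an IOMMU is enabled and in use)."""
    groups = Path(root) / "sys/kernel/iommu_groups"
    return groups.is_dir() and any(p.name.isdigit() for p in groups.iterdir())


def thunderbolt_domains(root="/"):
    """Per Thunderbolt domain: the security level and the kernel's IOMMU DMA protection flag."""
    base = Path(root) / "sys/bus/thunderbolt/devices"
    result = {}
    if not base.is_dir():
        return result
    for dom in sorted(base.glob("domain*")):
        sec = dom / "security"
        prot = dom / "iommu_dma_protection"
        result[dom.name] = {
            "security": sec.read_text().strip() if sec.is_file() else None,
            "iommu_dma_protection": prot.is_file() and prot.read_text().strip() == "1",
        }
    return result


def findings(root="/"):
    """Human-readable list of weaknesses; empty when both mitigations are in place."""
    out = []
    if not iommu_active(root):
        out.append("no IOMMU groups: enable the IOMMU in firmware and kernel "
                   "(e.g. intel_iommu=on on Intel platforms)")
    for name, info in thunderbolt_domains(root).items():
        if info["security"] == "none":
            out.append(f"{name}: security level 'none', attached devices are authorized automatically")
        if not info["iommu_dma_protection"]:
            out.append(f"{name}: kernel does not report IOMMU DMA protection for this domain")
    return out


def make_sample_root(iommu, tb_security, dma_protection):
    """Build a constructed sysfs-like tree in a temp dir (demonstration/testing only)."""
    root = Path(tempfile.mkdtemp())
    if iommu:
        (root / "sys/kernel/iommu_groups/0").mkdir(parents=True)
    dom = root / "sys/bus/thunderbolt/devices/domain0"
    dom.mkdir(parents=True)
    (dom / "security").write_text(tb_security + "\n")
    (dom / "iommu_dma_protection").write_text(("1" if dma_protection else "0") + "\n")
    return str(root)


if __name__ == "__main__":
    for line in findings() or ["no DMA-related findings"]:
        print(line)
```

Hosts without Thunderbolt simply return no domains, so only the IOMMU check applies to them; a PCIe hot-plug slot or ExpressCard port is not covered by this check and needs the IOMMU alone.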

  • Fuzzing confused dependencies with Depfuzzer - The practice of integrating open-source libraries and packages through registries like NPM, PyPI, Go modules, and Crates for Rust in software development has become common. However, managing external dependencies introduces security and maintainability considerations. DepFuzzer is a tool inspired by dependency confusion incidents that helps identify failing dependencies in projects by automating the detection of vulnerabilities. By scanning projects and checking dependencies against a public database, DepFuzzer helps ensure that dependencies are sourced correctly and not exposed to supply chain attacks. Future improvements to DepFuzzer will include support for additional package managers and reducing false positives.
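
The dependency-confusion check described above reduces to one comparison: for each declared internal package, does a public registry also offer that name, and at what version? The following is an added example (not DepFuzzer's code) that performs that comparison offline for Python requirements; the private and public index contents are constructed samples standing in for real registry lookups, and `assess` uses the usual resolver heuristic that a higher public version would win when indexes are merged.

```python
"""Offline dependency-confusion check for requirements.txt-style input.
Index contents are constructed samples; in practice they would come from
the private index and the public registry.  Added example."""
import re

# Constructed sample index contents (hypothetical): name -> newest version.
PRIVATE_INDEX = {"acme-auth": "2.3.0", "acme-billing": "1.0.1", "acme-utils": "0.9.0"}
PUBLIC_INDEX = {"requests": "2.32.3", "acme-utils": "99.0.0", "acme-billing": "1.0.1"}

# Constructed sample requirements file.
SAMPLE_REQUIREMENTS = """\
requests==2.32.3
acme-auth>=2
Acme_Billing
acme.utils~=0.9
# comment line
-r other.txt
"""

REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name):
    """PEP 503 normalisation so 'Acme_Billing' and 'acme-billing' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    """Return normalised package names, skipping comments and pip options (-r, -e, ...)."""
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = REQ_RE.match(line)
        if m:
            names.append(normalize(m.group(1)))
    return names


def version_key(v):
    """Numeric tuple for comparing simple dotted versions."""
    return tuple(int(x) if x.isdigit() else 0 for x in v.split("."))


def assess(names, private_index, public_index):
    """Map each internal-looking name to (risk, explanation); public-only deps are skipped."""
    report = {}
    for n in names:
        priv, pub = private_index.get(n), public_index.get(n)
        if priv is None and pub is None:
            report[n] = ("unknown", "not found on either index")
        elif priv is None:
            continue  # ordinary public dependency
        elif pub is None:
            report[n] = ("low", "private only; name is unclaimed on the public index")
        elif version_key(pub) > version_key(priv):
            report[n] = ("high", f"public {pub} outranks private {priv}; a resolver "
                                 "that merges indexes would install the public package")
        else:
            report[n] = ("medium", f"same name on both indexes (private {priv}, "
                                   f"public {pub}); pin the index explicitly")
    return report


if __name__ == "__main__":
    for name, (risk, why) in assess(parse_requirements(SAMPLE_REQUIREMENTS),
                                    PRIVATE_INDEX, PUBLIC_INDEX).items():
        print(f"{risk:7} {name}: {why}")
```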

  • LummaC2: Obfuscation Through Indirect Control Flow - This blog post discusses a control flow obfuscation technique used by the LummaC2 stealer malware. The technique involves customized control flow indirection to manipulate the malware's execution, making it difficult for reverse engineering tools to analyze. The post details an automated method for removing this protection layer, called symbolic backward slicing, to deobfuscate the malware samples. The post also explains the different types of dispatcher blocks and how they are used by the obfuscator, as well as the process of recovering original instructions and control flow in deobfuscation. The post concludes with indicators of compromise and implications for malware analysis.

  • New Gemini for Workspace Vulnerability Enabling Phishing & Content Manipulation - HiddenLayer Research has published a blog exploring the vulnerabilities of Google's Gemini for Workspace, an AI assistant integrated across various Google products. The blog highlights the risk of indirect prompt injection attacks, where users and third parties can manipulate the assistant to produce misleading responses. Proof-of-concept examples show how these attacks can occur across platforms like Gmail, Google Slides, and Google Drive, enabling phishing attempts and content manipulation. Despite Google viewing certain outputs as "Intended Behaviors," the vulnerabilities emphasize the need for vigilance when using AI-powered tools like Gemini for Workspace.

  • Default 404 Pages - The article discusses default 404 pages on various web frameworks and languages, highlighting how they can be used to gain information about the technology stack behind a web application. It provides examples of default 404 pages from different platforms such as Apache, Ruby on Rails, Microsoft, Python, Go, PHP, Java, and .NET. The author, 0xdf, explores how analyzing these default pages can be useful for exploiting vulnerabilities in web applications.

  • CVE-2024-28987: SolarWinds Web Help Desk Hardcoded Credential Vulnerability Deep-Dive - The article discusses a security vulnerability in SolarWinds Web Help Desk (CVE-2024-28987) that allows remote attackers to read and modify sensitive information. It also highlights the importance of software development best practices such as avoiding "magic strings" in code. The article provides details on the vulnerability discovery process, the exposure and risk associated with it, and the steps taken by SolarWinds to address the issue. Horizon3.ai's NodeZero platform is mentioned as a solution to verify and mitigate the vulnerability.

  • Exploiting AMD atdcm64a.sys arbitrary pointer dereference – Part 1 - The article discusses the process of exploiting the AMD atdcm64a.sys driver to achieve local privilege escalation. The author describes the discovery of vulnerabilities in the driver, including an arbitrary MSR read and an arbitrary pointer dereference. The vulnerabilities were reported to AMD's product security team, who stated they would not be issuing a CVE ID or a security notice due to the outdated nature of the software package. The author walks readers through the process of setting up a Windows 11 VM for analysis and using tools like IDA Pro to reverse engineer the driver and identify vulnerabilities.

  • Zimbra - Remote Command Execution (CVE-2024-45519) - A critical security vulnerability (CVE-2024-45519) was discovered in the widely used Zimbra email and collaboration platform, allowing unauthenticated attackers to execute arbitrary commands. The vulnerability was patched, with the new version introducing input sanitization to prevent command injection. Administrators are urged to apply the latest patches promptly and properly configure settings to prevent unauthorized access. A Nuclei template was created for automated vulnerability detection, highlighting the importance of proactive security measures in safeguarding email and collaboration platforms.

  • Against: Pentesting MikroTik Routers - The article focuses on the post-exploitation tactics that can be used against MikroTik routers, including techniques such as IP scanning, MAC address analysis, DNS cache usage, and more. It explains how attackers can gather information about network devices and use it to plan further attacks within the network. The importance of understanding RouterOS configuration, vulnerabilities, and network hardware security is highlighted, with a warning against illegal use of the knowledge shared in the article. The article also provides helpline numbers for individuals struggling with mental health issues.

  • Insecurity through Censorship: Vulnerabilities Caused by The Great Firewall - At Assetnote, they provide a platform for Continuous Asset Discovery, Asset Enrichment, and Exposure Monitoring to help customers understand and reduce their attack surface. They offer expertise in offensive security research and cover a wide range of traditional and cloud platforms. The company recently discussed the vulnerabilities caused by the Great Firewall and offers a testing tool to check for vulnerability. Customers can request a demo to learn more about Assetnote and how they can improve their security posture.

  • CVE-2024-36435 Deep-Dive: The Year’s Most Critical BMC Security Flaw - The Binarly Research Team has uncovered a critical security flaw, CVE-2024-36435, in BMC firmware used in data center infrastructure that can be exploited remotely by threat actors. The vulnerability allows for remote execution of arbitrary code without authentication credentials. Exploiting this flaw can lead to unauthorized access to the BMC operating system and potential manipulation of the boot process for persistence. This highlights the ongoing challenge of ensuring security in BMC products and the importance of implementing secure-by-design principles.

  • Exploiting Exchange PowerShell After ProxyNotShell: Part 4 – No Argument Constructor - This article discusses the exploitation of vulnerabilities in Exchange PowerShell after the ProxyNotShell attack. The author describes a new conversion mechanism in PowerShell Remoting that allowed them to find three more vulnerabilities, including XXE and NTLM relaying. By leveraging the no-argument constructor conversion, they were able to extend the attack surface and gain privilege escalation. This will be the last post in the Exchange PowerShell Remoting series, with future posts focusing on vulnerabilities in Microsoft SharePoint.

  • Punching Passphrases - The post discusses the concept of passphrases as a unique target for hash cracking, highlighting their difficulty due to their length and construction. It provides tips for creating strong passphrases, such as using random words, mutating them, and adding special characters. The post also delves into techniques for handling passphrases, such as parsing text, regramming n-grams, and transforming text to target passphrases effectively. Finally, it emphasizes the importance of complexity and user training in password security, showcasing various examples of passphrases found in research.

  • Probing Slack Workspaces for Authentication Information and other Treats - The blog post discusses how unauthenticated requests to Slack workspaces can reveal authentication information such as two-factor authentication status, approved domains, and SSO status. The author introduces Slack Watchman's 'unauthenticated probe' feature to gather information from Slack workspaces without needing authentication. The post highlights how red and blue teams can use this information for offensive engagements or to strengthen security measures. It also warns about potential risks, such as old or free email domains being approved for workspace access. The author recommends using Slack Watchman to enhance cybersecurity in Slack workspaces.

  • CVE-2024-6769: Poisoning the Activation Cache to Elevate From Medium to High Integrity - The blog discusses two chained bugs, the first being a DLL Hijacking bug and the second being an Activation Cache Poisoning bug. The first stage was presented at Ekoparty 2023, explaining how a MEDIUM INTEGRITY user could be elevated to have limited HIGH PRIVILEGES. The second stage involves exploiting the Activation Cache to achieve full escalation from limited HIGH INTEGRITY to full Administrator. The process involves sending a crafted message with an embedded XML manifest to the CSRSS server, which then reads and validates the manifest to load a fake imm32.dll, allowing the attacker to gain full Administrator privileges.

  • Backdooring Azure Automation Account Packages and Runtime Environments - This blog explores how attackers can backdoor Azure Automation account packages and runtime environments. It details methods for exploiting Azure Automation accounts to persist malicious code, bypassing detection mechanisms, and covers practical techniques for both offensive security and defensive strategies to identify, mitigate, and protect against such backdoors in cloud environments.

Tools and Exploits

  • Ghostwriter v4.3: SSO, JSON Fields, and Reporting with BloodHound - Ghostwriter v4.3 has been released with new features such as SSO integration, JSON field support, and reporting with BloodHound Community Edition (BHCE). The refreshed SSO feature makes it easier to configure and use single sign-on with Ghostwriter. The addition of JSON fields allows for the inclusion of external data in reports, with a case study showing how to integrate BHCE data into Ghostwriter reports. Templates can be created using Jinja2 templating and the Ghostwriter API to generate reports with the imported data. Overall, Ghostwriter v4.3 offers significant enhancements and new possibilities for users.

  • CVE-2024-7965 - This GitHub repository contains a Proof of Concept (PoC) for CVE-2024-7965, which is a vulnerability in the V8 engine that specifically affects ARM64 architecture.

  • CVE-2024-40431+CVE-2022-25479 chain for EOP - The GitHub repository contains a rough skeleton for a chain exploit (CVE-2024-40431+CVE-2022-25479) for an elevation of privilege (EOP) data-only attack. The creators plan to eventually develop it into a full EOP exploit.

  • Aggressor-NTFY - This GitHub repository, sudonoodle/Aggressor-NTFY, provides a way to receive Cobalt Strike notifications via the NTFY application. The code allows for automated notifications from a Cobalt Strike teamserver to be sent to NTFY, running in headless mode for consistent delivery. Users can add the subscription to their NTFY app on iOS, Android, or Desktop to receive these notifications.

  • CloudShovel - CloudShovel is a tool designed to search for sensitive information within public or private Amazon Machine Images (AMIs), following research done on AWS CloudQuarry. It automates the process of launching instances from target AMIs, mounting their volumes, and scanning for potential secrets or sensitive data.

  • winacl - GitHub's winacl is a cross-platform Go library for working with ntSecurityDescriptor. It offers features such as automating workflows, hosting and managing packages, finding and fixing vulnerabilities, and creating instant development environments.

  • PPLrevenant - The GitHub repository "itm4n/PPLrevenant" demonstrates a proof-of-concept that uses the BYODLL technique to bypass LSA protection and execute arbitrary code within Protected Processes on Windows. The technique is explained in a blog post series titled "Ghost in the PPL."

  • remotechrome - The GitHub repository "zimnyaa/remotechrome" provides a Proof of Concept for remotely dumping Chrome cookies using the atexec and CDP tools. The usage of the tool includes various command line options for targeting a specific user or domain, resolving the Chrome data directory, and specifying authentication methods.

  • Broken Hill: A Productionized Greedy Coordinate Gradient Attack Tool for Use Against Large Language Models - The blog post discusses the GCG attack, a technique to bypass restrictions on large language models (LLMs), and introduces Broken Hill, an automated tool for generating prompts to manipulate LLMs.

  • FaceDancer - FaceDancer is an exploitation tool that creates hijackable, proxy-based DLLs by exploiting the COM-based system DLL image loading. It performs two main functions - Recon: scans a DLL to create an export definition file for proxying, and Attack: creates a malicious DLL containing shellcode to proxy valid function requests to a legitimate DLL. This tool utilizes various methods for DLL hijacking to execute embedded shellcode while proxying valid requests for DLL functions to the legitimate DLL, bypassing application whitelisting controls.

  • CVE-2024-36435.py - The GitHub repository ToolsAndPoCs contains a Python script for exploiting a buffer overflow vulnerability in Supermicro BMC IPMI firmware (CVE-2024-36435). The script sets target and command values to try to guess the vulnerability and execute code to pop registers and move data. This vulnerability allows for arbitrary code execution on the affected system.

  • Proof of Concept for Watchguard SSO Agent Vulnerabilities (CVE-2024-6592, CVE-2024-6593, CVE-2024-6594) - This is a GitHub repository for a client implementation of the WatchGuard SSO Agent Protocol used for security research, specifically targeting vulnerabilities with the CVE identifiers 2024-6592, 2024-6593, and 2024-6594. The repository contains scripts that can be used to issue arbitrary commands to SSO clients, retrieve log files, and calculate authentication bypass secrets.

  • Azure Storage Account Reverse Shell - This GitHub Action sends a reverse shell from a runner via Azure Storage Account blobs, allowing for communication with an internet-connected device running Python. It can be used for Red Team exercises or testing self-hosted runners. Users need to set up an Azure Storage Account, generate a SAS token, and configure the client script to initiate the reverse shell. The interaction involves writing prompts to Azure Storage, polling for new commands, and executing them.

  • EDR-Antivirus-Bypass-to-Gain-Shell-Access - This GitHub repository contains code for bypassing EDR and antivirus solutions using a memory injection technique to gain shell access. The code executes shellcode that spawns a reverse shell, evading detection by security mechanisms.

  • cupshax - The GitHub repository "RickdeJager/cupshax" provides a proof of concept for a CUPS exploit. The code allows for injecting commands into the CUPS printing system and must be run on a machine on the same network as the target. The exploit uses Python and can be configured to execute different commands.

  • Blogpost: CVE-2024-6769 Poisoning the activation cache to elevate from medium to high integrity - This GitHub repository discusses an exploit involving activation cache poisoning to escalate privileges from medium to high integrity. It consists of two stages, with the first stage involving a DLL hijacking bug and the second stage involving activation cache poisoning managed by the CSRSS server. The blogpost provides a detailed explanation of the exploitation steps, including remapping the ROOT drive, poisoning the activation cache, and loading a crafted DLL to achieve full escalation to Administrator privileges on Windows systems. The exploit has been successfully tested on various Windows versions, and a functional Proof of Concept is provided.

  • CVE-2024-38200 - This GitHub repository discusses the CVE-2024-38200 Microsoft Office NTLMv2 Disclosure Vulnerability, which allows for the capture of NTLMv2 hashes using Office URI schemes. By exploiting this vulnerability, an attacker can potentially escalate privileges and perform a relaying attack against a Domain Controller server. The vulnerability can be mitigated by adjusting Internet Properties settings and updating Office applications to block automatic NTLM authentication over HTTP.

  • Nameless C2 - A C2 with all its components written in Rust - Nameless C2 is a project with all components written in Rust, aimed at creating a small Windows implant with unique features. It is recommended to build the server on Debian and the terminal and implant on Windows.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • Is Tor still safe to use? - The Tor Project has addressed concerns about the de-anonymization of an Onion Service user using an old version of the application Ricochet, stating that Tor Browser remains secure for users. They urge users to keep software updated and emphasize the protection offered by newer versions of the application. The Tor network has implemented measures to address potential risks and increase network health, encouraging community involvement to help diversify and grow the network. The organization continues to prioritize user privacy and work towards a decentralized internet.

  • Shellcode: Windows on ARM64 / AArch64 - The post discusses using ARM64 assembly on Windows devices, specifically focusing on the evolution of Windows on ARM architecture since Windows RT in 2012 to Windows 11 in 2024. The author explains the challenges faced by developers in compiling binaries for ARM devices and highlights the improvements made in Windows 10 and 11, such as native support for ARM64 applications and emulation of x86 applications. The post also delves into the use of FASMG for writing shellcode and provides examples of creating simple console and GUI applications in ARM assembly. It concludes with a discussion on setting up FASMG on Windows and additional topics related to computer security.

  • Skeleton Cookie: Breaking into Safeguard with CVE-2024-45488 - An authentication bypass vulnerability known as "Skeleton Cookie" was discovered in the Safeguard for Privileged Passwords product, allowing attackers to gain full administrative access to the virtual appliance, extract passwords, and achieve Remote Code Execution. The vulnerability was identified by exploiting Microsoft DPAPI internals and can be used to decrypt session cookies. By leveraging DPAPI and manipulating backup files, attackers can carry out actions like modifying settings, extracting passwords, and executing arbitrary code on the appliance. The vendor has acknowledged the issue and plans to address it in their upcoming release.

  • GitHub Notification Emails Hijacked to Send Malware - GitHub notification emails are being hijacked to send malware to open-source developers. Attackers create fake security vulnerability notifications, tricking users into clicking on malicious links that download malware onto their systems. The malware used in this attack is a loader that executes an executable file containing LummaStealer, a malware designed to steal sensitive data from victims' devices. This attack highlights weaknesses in GitHub's notification emails and Windows security measures.

  • Ruby-SAML pwned by XML signature wrapping attacks - Ruby-SAML has been compromised by XML signature wrapping attacks, impacting GitLab and other systems. The vulnerability allows attackers to log in as any user. The issue lies in the SAML specification, which complicates the process of cryptographically signing XML documents. To fix this, SAML library authors should disregard the flawed spec and focus on implementing a more secure approach. It is recommended to treat XML signatures as a relic and follow a de-facto protocol when processing SAML payloads for enterprise single-sign-on systems.
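
The core mistake behind signature wrapping is that the verifier checks a signature over one element while the application consumes another. The following is an added example, not ruby-saml's code, that reduces the problem to a toy: the "signature" is an HMAC-SHA256 over the serialized assertion (standing in for XML-DSig), the document shape is simplified (no namespaces, the Reference is an attribute), and the key and subjects are constructed. `login_vulnerable` accepts a wrapped document; `login_hardened` applies the checks the article argues for: exactly one Assertion, a unique referenced ID, and consuming only the element the signature actually covers.

```python
"""Toy SAML validator contrasting a wrapping-prone flow with a hardened one.
HMAC over the serialized subtree stands in for XML-DSig; key, IDs and
subjects are constructed.  Added example."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

KEY = b"constructed-idp-signing-secret"  # stands in for the IdP's signing key


def canonical(elem):
    # Toy canonicalisation: the subtree's serialization without any tail text.
    return ET.tostring(elem, encoding="utf-8").strip()


def sign(elem):
    return hmac.new(KEY, canonical(elem), hashlib.sha256).hexdigest()


def build_signed_response(subject):
    """What the IdP emits: a Response holding one signed Assertion referenced by ID."""
    assertion = ET.Element("Assertion", ID="a1")
    ET.SubElement(assertion, "Subject").text = subject
    resp = ET.Element("Response")
    ET.SubElement(resp, "Signature", Reference="a1").text = sign(assertion)
    resp.append(assertion)
    return ET.tostring(resp)


def build_wrapped_response(signed_xml, forged_subject):
    """The wrapped shape the article describes, used here to test the validators:
    the genuine signed assertion is kept (so the signature still verifies) but
    moved under an Extensions element, and an unsigned assertion is placed where
    a naive service provider looks first."""
    root = ET.fromstring(signed_xml)
    genuine = root.find("Assertion")
    root.remove(genuine)
    forged = ET.SubElement(root, "Assertion", ID="a2")
    ET.SubElement(forged, "Subject").text = forged_subject
    ET.SubElement(root, "Extensions").append(genuine)
    return ET.tostring(root)


def verify_reference(root):
    """Verify the signature against the element it references and return that element."""
    sig = root.find("Signature")
    matches = root.findall(f".//*[@ID='{sig.get('Reference')}']")
    if len(matches) != 1:
        raise ValueError("referenced ID must be unique")
    if not hmac.compare_digest(sign(matches[0]), sig.text or ""):
        raise ValueError("bad signature")
    return matches[0]


def login_vulnerable(xml_bytes):
    """Signature check passes, but the assertion consumed is whichever comes first."""
    root = ET.fromstring(xml_bytes)
    verify_reference(root)
    return root.find(".//Assertion").findtext("Subject")


def login_hardened(xml_bytes):
    """Consume only the element the signature covers, and refuse any ambiguity."""
    root = ET.fromstring(xml_bytes)
    assertions = root.findall(".//Assertion")
    if len(assertions) != 1:
        raise ValueError("exactly one Assertion expected")
    signed = verify_reference(root)
    if signed is not assertions[0] or signed.tag != "Assertion":
        raise ValueError("signature does not cover the Assertion being consumed")
    return signed.findtext("Subject")


def hardened_result(xml_bytes):
    """Subject on success, None when the hardened validator rejects the document."""
    try:
        return login_hardened(xml_bytes)
    except ValueError:
        return None


if __name__ == "__main__":
    genuine = build_signed_response("alice")
    wrapped = build_wrapped_response(genuine, "admin")
    print("vulnerable:", login_vulnerable(genuine), login_vulnerable(wrapped))
    print("hardened:  ", hardened_result(genuine), hardened_result(wrapped))
```

A real implementation additionally has to canonicalize (C14N) exactly as the signer did, validate the signing certificate against the IdP's pinned key rather than one embedded in the message, and check audience, conditions and replay, but the identity check between "what was verified" and "what is consumed" is the one that signature wrapping exploits.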

  • Fixing an Elgato HD60 S HDMI capture device with the help of Ghidra - Downtown Doug Brown shares a detailed story about fixing an Elgato HD60 S HDMI capture device using Ghidra. The process involved diagnosing hardware issues, identifying faulty chips, and uncovering firmware issues related to LED control. Doug also reflects on the complexity of firmware development and the challenges of repairing electronic devices. Despite the convoluted process, Doug successfully restores the device's functionality and discovers potential software bugs in the LED animations.

  • Vanguard x VALORANT: How the anti-cheat team continues to evolve as cheaters do. - The Vanguard anti-cheat team, led by Jose “the3” Chavez, continues to evolve to combat cheaters in VALORANT on both PC and Console. Over the past 4 years, they have banned over 3.6 million accounts for cheating, with an emphasis on automated detections. They are also working on implementing new security features to further prevent cheating. On the Console side, the team faced challenges with detecting input spoofing devices used by cheaters to mimic controllers. Despite initial difficulties, they have seen success in detecting and banning cheaters on the Console version of the game. The team also emphasizes the importance of account security measures, such as updating passwords and enabling Two-Factor Authentication to protect against compromised accounts.

  • Reverse-engineering a three-axis attitude indicator from the F-4 fighter plane - Ken Shirriff's blog discusses reverse-engineering a three-axis attitude indicator from the F-4 fighter plane, which uses a rotating ball to show the aircraft's orientation in three axes. The indicator was used to track the aircraft's position during high-speed maneuvers and was a key instrument in the F-4 Phantom II fighter jet. The blog post details the mechanical and electrical construction of the indicator, including how it rotates in three axes, the motors used to move the ball, and the servo loops that control the motors. The post also explores the pitch trim adjustment and the complexity of the indicator compared to modern digital displays in newer aircraft.
