Last Week in Security - 2024-10-08
We're Hiring!
Immediate Open Positions:
Maryland Applicants:
We have openings for a Technical Writer, Red Team Operator, Red Team Operator Infrastructure Engineer, Red Team Operator Tool Developer, Systems Engineer, HPC Software Engineer, Information Systems Security Engineer, Cyber Operator Developer Analyst (CODA), Senior Data Analyst and Earned Value Management Specialist.
Virginia Applicants:
Available opportunities: Land and Expeditionary Warfare Specialist, Cyber Warfare Threat Analyst, and Cyber Network Operator.
For more open positions visit: https://www.sixgen.io/careers
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools, and exploits from the past week. This post covers 2024-09-30 to 2024-10-07.
News
The 2024 Elastic Global Threat Report: Visibility enhanced - The 2024 Elastic Global Threat Report by Elastic Security Labs highlights the use of offensive security tools, misconfigured cloud environments, and the growing emphasis on Credential Access by threat actors. The report provides insights on malware trends, adversary tactics, cloud security, and generative AI.
Protecting Democratic Institutions from Cyber Threats - Microsoft's Digital Crimes Unit has taken legal action to disrupt a Russian nation-state actor targeting civil society organizations through cyberattacks. By seizing infrastructure used by the actor, they aim to disrupt their operations and gather intelligence to improve security measures.
Attackers exploit critical Zimbra vulnerability using cc’d email addresses - Attackers are exploiting a critical vulnerability in Zimbra mail servers to install a backdoor using maliciously formed emails. The vulnerability, CVE-2024-45519, allows attackers to execute commands when the postjournal service is enabled. While exploitation is easy, researchers believe the attacks are unlikely to result in mass infections because the service is not enabled by default. Users are advised to install the patch and be cautious of suspicious email addresses.
Vulnerability Disclosure Policy Platform: 2023 Annual Report - CISA's 2023 Annual Report on the Vulnerability Disclosure Policy (VDP) Platform highlights key findings from reports of vulnerabilities in U.S. government systems. It outlines the volume of disclosures, categories of vulnerabilities identified, and improvements in cybersecurity practices. The report emphasizes increased collaboration between the government and security researchers and encourages the continuation of coordinated vulnerability reporting to strengthen national cybersecurity. It also provides insight into trends and the overall effectiveness of the VDP in mitigating security risks.
U.S. Wiretap Systems Targeted in China-Linked Hack - A recent China-linked cyberattack targeted U.S. wiretap systems, compromising telecommunications companies' networks used for legal surveillance, including criminal and national security investigations. The hack, conducted by a group called "Salt Typhoon," focused on collecting internet traffic from U.S. and potentially non-U.S. service providers. This breach, still under investigation, raises concerns about the scale of data exposure and China's increasing cyber capabilities. Microsoft and other cybersecurity firms are analyzing the attack, marking it as a major wake-up call for U.S. cyber defenses.
Techniques and Write-ups
Iconv, set the charset to RCE: Exploiting the glibc to hack the PHP engine (part 3) - The article discusses exploiting a 24-year-old buffer overflow in the glibc library through the PHP engine. It explains the process of converting a file read into remote code execution and showcases an exploit that can be used to hack the PHP engine blind without any output. The exploit involves manipulating PHP's heap to leak memory and eventually gain code execution. The article provides detailed steps on how to exploit the vulnerability and highlights the technical challenges involved in the process. It also emphasizes the importance of understanding PHP's engine and the possibilities of remote binary exploitation.
Over Permissions in Salesforce Einstein and Unexpected Consequences - Salesforce announced Agentforce, their customizable AI agent builder, highlighting their AI products like Einstein Copilot. However, Salesforce's permissions model creates security risk: non-admin users with flow editing permissions can manipulate Einstein's functionality and affect the entire organization. A real scenario demonstrates how a bad actor can use this gap to send phishing emails from another user's email account, showing the consequences of over-permissioning in Salesforce Einstein. Zenity Labs warns organizations to prioritize security when adopting AI technologies.
Obfuscating API Patches to Bypass New Windows Defender Behavior Signatures - The post discusses the author's discovery of Windows Defender implementing new behavioral signatures to prevent patching of the amsi.dll::AmsiScanBuffer method, crucial for red team plans. The author experiments by modifying the patch to bypass the signature successfully initially, but later finds the new patch triggering the signature, indicating that Windows Defender is collecting data from patch events to generate new signatures. The author concludes that a new dynamic solution for patching AMSI will be needed to stay ahead of Windows Defender. Future experiments will focus on patch obfuscation and threat hunting techniques.
Malware development trick 43: Shuffle malicious payload. Simple C example. - This blog post discusses a malware development trick of shuffling the malicious payload to make it unrecognizable, while retaining the same entropy. The author provides a simple C code example demonstrating how to shuffle and deshuffle the bytes of a file, as well as run the shuffled payload. The post emphasizes the importance of understanding this technique for malware researchers and red teamers, while raising awareness for blue teamers. The example includes calculations of Shannon entropy to show that the shuffled, deshuffled, and original payloads have the same entropy values.
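The entry above rests on a measurement claim: a permutation of a file's bytes leaves its Shannon entropy unchanged. The following is an added example, not code from the post, that makes the claim concrete from a detection standpoint: entropy is a function of the byte histogram only, so an entropy threshold alone cannot separate a permuted buffer from the original, and triage needs structure-aware checks as well. The sample buffer and seed are constructed for the demonstration.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte:
    0.0 for a constant buffer, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def permute_bytes(data: bytes, seed: int) -> bytes:
    """Reorder the bytes of data with a seed-determined permutation."""
    order = list(range(len(data)))
    random.Random(seed).shuffle(order)
    return bytes(data[i] for i in order)


def unpermute_bytes(shuffled: bytes, seed: int) -> bytes:
    """Invert permute_bytes for the same seed."""
    order = list(range(len(shuffled)))
    random.Random(seed).shuffle(order)
    out = bytearray(len(shuffled))
    for pos, original_index in enumerate(order):
        out[original_index] = shuffled[pos]
    return bytes(out)


def histogram_preserved(data: bytes, seed: int) -> bool:
    """A permutation moves bytes around but never changes how many of each there are."""
    return Counter(data) == Counter(permute_bytes(data, seed))


def entropy_preserved(data: bytes, seed: int, tol: float = 1e-9) -> bool:
    """Because entropy depends only on the histogram, it is identical before and after."""
    return abs(shannon_entropy(data) - shannon_entropy(permute_bytes(data, seed))) < tol


# Constructed sample buffer standing in for any file under analysis
SAMPLE = b"The quick brown fox jumps over the lazy dog. " * 8

if __name__ == "__main__":
    shuffled = permute_bytes(SAMPLE, seed=7)
    print(f"original  entropy: {shannon_entropy(SAMPLE):.4f} bits/byte")
    print(f"permuted  entropy: {shannon_entropy(shuffled):.4f} bits/byte")
    print(f"round trip intact: {unpermute_bytes(shuffled, 7) == SAMPLE}")
```

The practical reading for a blue team: an entropy score is a useful packed-or-encrypted heuristic, but a byte histogram that looks like ordinary text or code says nothing about whether the bytes are in their original order, so pair it with checks on file structure, headers and known-good layout.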
Airbus Navblue Flysmart LPC-NG issues - Airbus Navblue's Flysmart LPC-NG electronic flight bag (EFB) app had a security vulnerability that allowed attackers to modify important flight data files, potentially leading to safety risks such as runway excursions or tailstrikes. Despite being reported to Airbus, the company initially refused to fix the issue, framing it as a product improvement. After a long discourse, EASA, the European aviation safety regulator, stepped in and the vulnerability was finally fixed. The incident highlights the importance of data integrity in aviation security and the need for collaboration among stakeholders to address vulnerabilities.
A Practical Analysis of Cyber-Physical Attacks Against Nuclear Reactors - A year ago, the author purchased new Teleperm XS components on eBay, which are used in safety systems in Nuclear power plants. This led to a research paper titled "A Practical Analysis of Cyber-Physical Attacks Against Nuclear Reactors" aimed at analyzing hypothetical cyber-physical attacks on safety systems of nuclear reactors. The paper provides technical analysis accessible to readers with varying levels of expertise and aims to dispel myths and increase public understanding of nuclear energy. It also discusses the importance of being prepared to deal with potential nuclear-related incidents.
Cobalt Strike: A Cyber Assessment Challenge - The article discusses the importance of assessing cyber tools used by red teams, specifically focusing on Cobalt Strike versions 4.8+ in DoD red team operations. It highlights the challenges faced by red teams in evaluating tools for functionality and operational security. The authors developed a Python script, named EXSCAPE, to extract Beacon configurations from stageless Beacons generated with Cobalt Strike 4.8+. The research emphasizes the need for red teams to enhance their OPSEC practices and protect their tooling to prevent potential exposure of sensitive information. The article also outlines the findings and recommendations to assist red teams in making informed risk decisions about their tooling.
COM Cross-Session Activation - The blog post discusses the concept of COM Cross-Session Activation, which involves using Microsoft Component Object Model (COM) to update software in the user context by communicating with a service running as SYSTEM. The post explains the technical details of how COM classes work and how they can be abused for cross-session privilege escalation. The author also highlights some CVEs related to this issue and shares their discovery of a vulnerability in the Google Update Service through COM cross-session activation. The post concludes with a reminder to update Chrome Updater and emphasizes the importance of auditing COM applications for potential privilege escalation issues.
Exploiting AMD atdcm64a.sys arbitrary pointer dereference – Part 2 - HN Security has identified and confirmed vulnerabilities in the AMD atdcm64a.sys driver, including arbitrary MSR read and arbitrary pointer dereference. The team has created a proof of concept code to exploit these vulnerabilities, leaking the base address of ntoskrnl.exe and hijacking the execution flow. They have also demonstrated how to debug the driver using IDA Pro and plan to exploit the vulnerabilities for local privilege escalation in the next part of the series.
Getting a Havoc agent past Windows Defender (2024) - The article explains a method for getting a Havoc agent past Windows Defender in September 2024 using offensive PowerShell techniques. The process involves generating a Havoc agent, converting it into shellcode, and bypassing AMSI to execute it in memory. The author also emphasizes the need to allocate enough space to run the shellcode and discusses using a recent AMSI bypass tool to successfully execute the runner. In the end, the Havoc agent is successfully executed, and additional actions such as executing .NET binaries or dumping lsass are also demonstrated.
Exploiting trust: Weaponizing permissive CORS configurations - Outpost24's article "Exploiting trust: Weaponizing permissive CORS configurations" delves into Cross-Origin Resource Sharing (CORS) misconfigurations, providing case studies and best practices for detecting and exploiting them. It emphasizes the importance of thorough scanning, considering all trusted domains, and not giving up when SameSite is not "None" to ensure proper security measures are in place.
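To show what "permissive" means in server code, here is an added example (not from the Outpost24 article) of the two weak Origin-handling patterns that write-ups of this class keep finding, beside a hardened allowlist check. The allowed origins and test origins are constructed; the header names are the standard CORS response headers.

```python
from urllib.parse import urlsplit

# Constructed allowlist of origins permitted to make credentialed cross-origin requests
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def cors_reflect_any(origin):
    """Weak pattern 1: echo whatever Origin arrives and allow credentials.
    Any site a victim visits can then read the victim's authenticated responses."""
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_suffix_match(origin, trusted_suffix="example.com"):
    """Weak pattern 2: a string-suffix test on the host.
    'evilexample.com' ends with 'example.com' and passes."""
    if origin is None:
        return {}
    host = urlsplit(origin).hostname or ""
    if host.endswith(trusted_suffix):
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true"}
    return {}


def cors_strict(origin, allowed=ALLOWED_ORIGINS):
    """Hardened: the full origin (scheme, host, port) must match an allowlist entry
    exactly. The literal 'null' origin and http:// never qualify, and Vary: Origin
    stops a shared cache from replaying one origin's answer to another."""
    if origin is None:
        return {}
    parts = urlsplit(origin)
    # A real Origin header has no path, query or fragment; anything else is malformed
    if parts.scheme != "https" or not parts.netloc or parts.path or parts.query or parts.fragment:
        return {}
    if origin not in allowed:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}


if __name__ == "__main__":
    for probe in ("https://app.example.com", "https://evilexample.com", "null"):
        print(probe, "reflect:", cors_reflect_any(probe),
              "suffix:", cors_suffix_match(probe), "strict:", cors_strict(probe))
```

When reviewing an application, the question to ask of every CORS handler is whether it could ever emit `Access-Control-Allow-Credentials: true` together with an origin it did not find in a fixed, exact-match list; the two weak functions above both can.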
Class Pollution in Ruby: A Deep Dive into Exploiting Recursive Merges - In the blog post "Class Pollution in Ruby: A Deep Dive into Exploiting Recursive Merges" by Raúl Miján, the concept of class pollution in Ruby is explored through recursive merges that allow for the injection or modification of object attributes or methods. Three main cases of class pollution in Ruby are discussed, including scenarios like poisoning the object itself or escaping the object context to impact parent or unrelated classes. The post also delves into how popular libraries like ActiveSupport and Hashie in Ruby can be vulnerable to class pollution, highlighting the risks associated with these vulnerabilities and the potential impact on application security. The research conducted emphasizes the importance of understanding recursive merges and carefully managing data merges to mitigate the risk of class pollution in Ruby applications.
Satellite Hacking - Satellite hacking has been around since the launch of the first satellite in 1957. Advances in satellite technology have led to security advancements such as quantum communication and space-based solar power. Recent attacks on satellites have shown vulnerabilities but also highlighted ethical hacking to improve security. Training courses like Introduction to Cybersecurity in Space Systems demonstrate how satellite hacking can occur and the potential impacts of attacks on satellite systems. Security measures need to be improved to protect satellites from cyberattacks.
Kicking it Old-School with Time-Based Enumeration in Azure - TrustedSec has identified a time-based user enumeration flaw in Azure that allows attackers to identify valid users based on response times. This method was originally discovered in Microsoft Exchange back in 2014 and has since been used in various penetration tests. By measuring response times for login attempts with valid and invalid usernames, attackers can determine which usernames are valid, even though Basic Authentication has been disabled. This method, while not foolproof due to network congestion, can be a useful tool for enumerating users in Azure without being detected.
Reverse Engineering and Dismantling Kekz Headphones - The author reverse engineers and dismantles Kekz headphones, focusing on the inner workings of the device and the encryption methods used. By analyzing the chips and encrypted files, they were able to clone cookies and decrypt content. They also discovered user data collection practices and privacy concerns related to geolocation data. Despite reaching out to the company regarding security concerns, they received no response. The author raises questions about the functionality of the Jieli chips, HID commands, and PII data stored in the Azure Cosmos database, suggesting further research is needed.
Analysis of CVE-2024-43044 — From file read to RCE in Jenkins through agents - The article analyzes CVE-2024-43044, a vulnerability in Jenkins that allows for arbitrary file read leading to remote code execution. The vulnerability involves the communication between Jenkins controller and agents, allowing an attacker to read files from the controller. The post details the vulnerability, the patch introduced to address it, and provides information on how attackers can exploit the vulnerability to achieve remote code execution. The exploit involves crafting a remember-me cookie for an administrator account to gain access to the Script Console and execute commands. The exploit code is available for further analysis.
SMTP Downgrade Attacks and MTA-STS - SMTP Downgrade Attacks can compromise email encryption during transmission by tricking senders into using cleartext instead of TLS. MTA-STS provides a solution by allowing mail servers to indicate support for encryption using trusted TLS certificates. However, adoption of MTA-STS by major providers is low, leaving password reset emails vulnerable to attacks. To encourage adoption, users can enable MTA-STS for their own domains and push for transactional email providers to support it. Google provides timely user feedback for messages delayed or failed due to MTA-STS, enhancing the user experience.
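The defence described above works because a sending MTA refuses to deliver when the policy says "enforce" and the connection does not meet it. As an added example, not from the article, the code below parses an MTA-STS policy file in the key/value format of RFC 8461, matches MX hostnames against the policy's patterns (a `*.` wildcard covers exactly one leftmost label), and returns the delivery decision for each policy mode. The policy text and hostnames are constructed; a real sender fetches the policy from `https://mta-sts.<domain>/.well-known/mta-sts.txt` after finding the `_mta-sts` TXT record.

```python
# Constructed policy, as it would be served from
# https://mta-sts.example.com/.well-known/mta-sts.txt
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup-mx.example.net
max_age: 604800
"""

VALID_MODES = {"enforce", "testing", "none"}


def parse_mta_sts_policy(text):
    """Parse the key: value lines of an MTA-STS policy into a dict with an 'mx' list."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value)
        elif key == "max_age":
            policy["max_age"] = int(value)
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("missing or unsupported version")
    if policy.get("mode") not in VALID_MODES:
        raise ValueError("mode must be enforce, testing or none")
    if "max_age" not in policy:
        raise ValueError("missing max_age")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("enforce/testing policies need at least one mx pattern")
    return policy


def mx_matches(pattern, host):
    """Case-insensitive match of an MX hostname against one policy pattern.
    '*.example.net' matches 'mx1.example.net' but not 'example.net' or 'a.b.example.net'."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".example.net"
        if not host.endswith(suffix) or len(host) <= len(suffix):
            return False
        return "." not in host[:-len(suffix)]     # exactly one label before the suffix
    return pattern == host


def delivery_decision(policy, mx_host, tls_validated):
    """What a policy-aware sender does for one MX connection.
    tls_validated means STARTTLS was negotiated and the certificate chained to a
    trusted CA for the MX name; a stripped STARTTLS therefore arrives as False."""
    matched = any(mx_matches(p, mx_host) for p in policy["mx"])
    secure = matched and tls_validated
    if policy["mode"] == "enforce":
        return "deliver" if secure else "refuse"
    if policy["mode"] == "testing":
        return "deliver" if secure else "deliver-and-report"
    return "deliver"


if __name__ == "__main__":
    policy = parse_mta_sts_policy(SAMPLE_POLICY)
    for mx, tls in (("mail.example.com", True), ("mail.example.com", False),
                    ("mx2.backup-mx.example.net", True), ("mail.attacker.example", True)):
        print(f"{mx:28} tls={tls!s:5} -> {delivery_decision(policy, mx, tls)}")
```

The "testing" branch is why the article's push for adoption matters: a domain can publish a testing policy, collect TLSRPT reports on what would have been refused, and only then switch to enforce without risking lost mail.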
The PrintNightmare is not Over Yet - The author discovered a way to bypass Point and Print (PnP) restrictions to protect against exploitation of PnP configurations. By spoofing the name of an approved print server, DNS spoofing could circumvent this protection. The author explored various solutions, including UNC Hardened Access and Print Driver exclusion list, to prevent attacks but found them to be insufficient or flawed. The key takeaway is that low-privileged users should not be allowed to install printer drivers to secure a Point and Print configuration. The author is curious about how the new Windows Protected Print (WPP) mode will address this issue.
Streaming vulnerabilities from Windows Kernel - Proxying to Kernel - Part II - The second part of DEVCORE's series on Windows Kernel Streaming vulnerabilities explores exploitation techniques for the "proxying to kernel" bug class and highlights the importance of keeping Windows systems updated to prevent attacks. DEVCORE, which conducts red team assessments and has reported critical vulnerabilities in leading products, emphasizes responsible disclosure and continued research into new vulnerability classes.
Exploiting Visual Studio via dump files - CVE-2024-30052 - This blog post discusses a vulnerability (CVE-2024-30052) in Visual Studio that allows for arbitrary code execution when debugging dump files. The issue was reported to Microsoft in 2023 and a fix was provided in June 2024. By crafting a specially designed dump file with embedded source files, an attacker could potentially execute malicious code when opened by a developer in Visual Studio. The exploit involved using non-printable file extensions such as CHM, HTA, and PY to trigger code execution. Microsoft released a fix in Visual Studio 17.8.11 to address this vulnerability.
Ruby-SAML / GitLab Authentication Bypass (CVE-2024-45409) - The blog post discusses a critical vulnerability in the Ruby-SAML and OmniAuth-SAML libraries, which allows attackers to bypass SAML authentication mechanisms and gain unauthorized access by manipulating SAML responses. The vulnerability arises due to weaknesses in the verification of digital signatures used to protect SAML assertions. A patch has been made to address this vulnerability, emphasizing the importance of strict validation procedures in security protocols like SAML. Organizations using these libraries for authentication should ensure they are up to date to prevent potential attacks.
Pwning LLaMA.cpp RPC Server - The author developed an RCE exploit for the LLaMA.cpp RPC Server, leveraging arbitrary read capabilities. The bugs were documented in a GitHub advisory and were fun to exploit. By overwriting a callback function, the author achieved RCE. The full exploit code is provided, allowing for remote shell access.
PARAnoia - The concept of PARAnoia involves a full takeover of domain-joined computers by using a rogue domain controller to authenticate and gain access. The process involves extracting domain details, creating a rogue DC, exploiting the workstation, and performing various tests to gain administrative access. Ultimately, the attack demonstrates how a stolen or physically accessible computer can be fully compromised and backdoored, emphasizing the importance of safeguarding against NTLM hash capture to prevent such attacks in Active Directory/Windows-based enterprises.
Exploring Integer Overflow — The realm of exploiting binaries - Integer overflow occurs when an arithmetic operation exceeds the storage capacity of a data type, leading to unexpected results. It has been a common issue in computing, especially in security-critical software, and has been exploited for memory corruption and buffer overflows. Vulnerabilities related to integer overflow have been frequently found in various software products, leading to memory errors and potential code execution. Applications vulnerable to integer overflow often involve fixed-size data types, inadequate input validation, lack of bounds checking, and dynamic memory allocation. These vulnerabilities can have severe consequences, such as denial of service, arbitrary code execution, and bypassing security checks. Real-world examples of integer overflow vulnerabilities include Adobe Flash Player, OpenSSL, Mozilla Firefox, and others.
Low-Level Development on Retail Android Hardware - Reconnaissance and Prototyping a Bootloader - In the blog post, Tim discusses his attempt to port mainline Linux to a 2013 Samsung Galaxy Core Plus phone with an obscure Broadcom SoC. He focuses on developing a bootloader for the device, communicating via UART, loading S-BOOT into Ghidra, and enabling logging output. Tim also explores examining the boot flow, creating the first executable, and implementing a poor man's flow control for data transfer. He concludes with plans for future improvements, such as migrating to a reasonable build process and direct interfacing with hardware.
Vesta Admin Takeover: Exploiting Reduced Seed Entropy in bash $RANDOM - The research on the Vesta control panel vulnerability highlights how reduced seed entropy in Bash’s random number generator can be exploited to gain administrative access. Attackers can predict the random password reset token due to insufficient entropy, leading to complete takeover of the VestaCP. The article provides a detailed breakdown of how this flaw affects the security of web hosting environments and recommends actions for patching or mitigating the vulnerability to prevent exploitation by malicious actors.
Tools and Exploits
Merklemap - MerkleMap is a subdomain search engine that allows users to uncover hidden subdomains and SSL/TLS certificates from across the internet. The tool provides insights into an organization's digital assets and security posture by analyzing subdomains and certificates. Users can access real-time streams of newly discovered hostnames through the MerkleMap Live Domains API.
Dangerzone - Dangerzone is a tool that converts potentially dangerous documents into safe PDFs by converting them in a sandbox environment without network access. It can also OCR the safe PDFs it creates and compress them to reduce file size. After conversion, Dangerzone allows you to open the safe PDF in a PDF viewer of your choice.
x64 WINAPI Recursive Loader - The GitHub repository contains code for a recursive loader inspired by APT Linux/Kobalos malware. The code is for an x64 recursive loader for Windows 10 and Windows 11. It handles loading binaries and executing functions recursively, resolving APIs via NTDLL. The code also includes handling HTTPS requests with COM via the WinHttpRequest Object and various other functions for manipulating processes and data.
IllusiveFog - The GitHub repository IllusiveFog contains an implant kit for Microsoft Windows networks that provides long-term stealthy access and reconnaissance capabilities. It is written in Python 2.7, C, and C++.
Trickdump - "bof-flavour" branch - The 'bof-flavour' branch of TrickDump focuses on dumping lsass using NTAPIs and creating JSON and ZIP files, along with generating a Minidump later. It includes information on executing files using Cobalt Strike and running BOF files in Windows systems.
NativeDump - "bof-flavour" branch - This GitHub repository is for the NativeDump project, specifically the "bof-flavour" branch which implements the same functionality as the main branch but uses BOF files. The project allows users to dump lsass using only Native APIs by hand-crafting Minidump files. Users can overwrite the Ntdll.dll library, use XOR encoding, and execute the files using tools like Cobalt Strike. The project also provides instructions on how to test the BOF file in Windows systems and interact with Meterpreter sessions.
autodiscover_enum - The GitHub repository "nyxgeek/autodiscover_enum" provides a tool for time-based user enumeration via Basic Auth in Azure.
SockFuzzer - GitHub project SockFuzzer is a comprehensive kernel fuzzing framework originally designed for the XNU kernel used in macOS and iOS. It has evolved to cover various kernel subsystems for efficient vulnerability discovery and reproduction. The project utilizes a unique approach by converting the XNU kernel into a library that can be "booted" and fuzzed in userspace. It includes components such as a custom scheduler, fuzzing engine, and test runner, and aims to comprehensively test the XNU kernel, continuously improve security, and demonstrate advanced fuzzing techniques in kernel research.
frida_usb_dump - The GitHub repository piotrbania/frida_usb_dump contains a Frida script that can sniff and dump USB traffic on macOS. The script has been used to investigate the checkm8/checkra1n jailbreak in the past and dumps the data to a specified file path with markers for parsing.
kartlanpwn - The GitHub repository latte-soft/kartlanpwn contains information and Proof-of-Concept (PoC) for CVE-2024-45200, a buffer overflow vulnerability known as "KartLANPwn" in Mario Kart 8 Deluxe. This vulnerability affects versions of the game up to and including v3.0.2 for China/Tencent and can potentially lead to user-mode remote code execution on peers' consoles. The repository provides details on the vulnerability, a demonstration of the PoC, and a Python script for crashing the game's process. The report was submitted to Nintendo via HackerOne, and a fix has been released alongside Mario Kart 8 Deluxe v3.0.3 for all regions except China.
EDRenum-BOF - The GitHub repository mlcsec/EDRenum-BOF identifies common EDR processes, directories, and services through a simple Beacon Object File (BOF) implementation of Invoke-EDRChecker.
RPI - The GitHub repository Teach2Breach/rpi contains a Rust library for performing remote process injection, initially created for use in the Tempest c2 project. The library offers functions for interacting with Windows APIs, specifically NT APIs, for tasks such as process manipulation and code injection. Users can refer to the repository's main.rs file for a demonstration of how to inject shellcode into a target process using the RPI library. It is important to note that the RPI library does not handle process handle acquisition, allowing users to implement their preferred method. Additionally, the library utilizes dynamic resolution to access Windows APIs and outlines the steps involved in the process injection technique it uses.
Zimbra - Remote Command Execution (CVE-2024-45519) - The GitHub repository Chocapikk/CVE-2024-45519 contains a guide on exploiting a vulnerability in Zimbra Collaboration (ZCS) that allows unauthenticated users to execute commands. The guide provides instructions on setting up a lab environment to reproduce the issue and execute the exploit.
TeamViewer User to Kernel Elevation of Privilege - This repository contains an exploit proof of concept for vulnerabilities in TeamViewer that allow an unprivileged user to load an arbitrary Kernel Driver into the system, resulting in privilege escalation. The vulnerabilities are identified as CVE-2024-7479 and CVE-2024-7481. The exploit involves exploiting a flaw in TeamViewer's handling of driver installations, allowing for the loading of unauthorized drivers. By spoofing a TeamViewer client and connecting to the SYSTEM service, an attacker can trigger the installation of a malicious driver.
I-Espresso - I-Espresso is a tool that allows users to create Portable Executable (PE) files from batch scripts by leveraging IExpress to spoof file extensions and evade detection. Users can customize their PE files and quickly generate them with minimal setup required.
RustiveDump - RustiveDump is a tool built in Rust that dumps the memory of the LSASS process using only NTAPIs to create a minimal minidump file. It is built without relying on the C runtime (CRT) and supports XOR encryption and remote file transmission for added security. The tool bypasses standard APIs and uses NT system calls for all operations, allowing for a lean memory dump focused on essential data.
RustBird - The repository "RustBird" contains code for implementing the Early Bird APC Injection technique in Rust, which is used to inject malicious code into Windows processes. The method involves inserting malicious code into a process during its early stages to evade antivirus detection. The repository provides instructions on generating a payload using MSFvenom and encrypting it with RC4, as well as testing results on AV/EDR software.
SharpExclusionFinder - The SharpExclusionFinder tool is designed to find folder exclusions in Windows Defender using the command line utility MpCmdRun.exe as a low privileged user, without relying on event logs. The program allows users to scan for folder exclusions up to a specified depth, use multi-threading to speed up the process, and log errors and exclusion messages to a specified output file.
VOIDMAW - VOIDMAW is an improved version of Voidgate without the previous version's limitations. It is a new bypass technique for memory scanners, useful for hiding code that would be flagged by antivirus vendors. The technique is compatible with all C2 beacons, handles multithreaded payloads, and can handle executables generated by tools such as pe_to_shellcode, allowing it to run virtually any non-.NET executable.
Threat Intel and Defense
Breaking Boundaries: Investigating Vulnerable Drivers and Mitigating Risks - Check Point Research conducted an analysis to understand vulnerabilities in Windows drivers, revealing that many known vulnerable drivers share common design flaws. The research focused on drivers accessible by non-privileged users that could be exploited to perform privileged operations. The publication also highlighted potential solutions to remediate vulnerable drivers, including setting strong access restrictions and using Microsoft's vulnerable driver blocklist.
30th September – Threat Intelligence Report - The Threat Intelligence Report from Check Point Research on September 30, 2024, highlighted cyber-attacks on organizations such as MoneyGram, AutoCanada, and various government agencies. Vulnerabilities in NVIDIA Container Toolkit, Kia's web portal, and the ChatGPT macOS app were also discussed. The report also mentioned malicious apps targeting mobile users to steal cryptocurrency and malware samples linked to the North Korean APT group Kimsuky. Threat intelligence reports identified the Storm-0501 threat group launching ransomware attacks on hybrid cloud environments in the US. The report emphasized the importance of security solutions like Check Point Threat Emulation and Harmony Endpoint in protecting against these threats.
Whatchu looking for (starring SolarWinds Serv-U - CVE-2024-28995) - GreyNoise Labs analyzed data related to the SolarWinds Serv-U CVE-2024-28995 vulnerability, focusing on which files attackers were searching for. They discovered that while the most common requests were from vulnerability scanners and proofs of concept, there were also attackers trying to access private passwords and other data. The data was categorized into different groups based on the purpose of the files being searched for, such as Windows credential files, interesting config files, and Linux credential files. The analysis showed the creativity and persistence of attackers in searching for exploitable files, highlighting the value of targeted attacks compared to wide-scale attacks.
Storm-0501: Ransomware attacks expanding to hybrid cloud environments - Microsoft has observed a cybercriminal group known as Storm-0501 launching ransomware attacks in hybrid cloud environments, targeting various sectors in the United States. The group uses commodity and open-source tools to conduct ransomware operations. They have been active since 2021 and utilize multiple ransomware payloads, including Embargo ransomware. Storm-0501 exploits weak credentials and over-privileged accounts to move from on-premises environments to the cloud, gaining persistent access and deploying ransomware. Microsoft provides mitigation guidance to help organizations protect their environments from such attacks.
Lateral Movement - Remote Desktop Protocol (RDP) Event Logs - DFIR analysts should be aware of the use of Remote Desktop Protocol (RDP) for lateral movement in intrusions. RDP is a commonly used tool that can be exploited by threat actors to move laterally within a network. Event logs and IDs generated during RDP activity can be used to investigate and detect unauthorized connections. Specific event logs dedicated to RDP activity can provide valuable information, including source IP addresses and usernames. It is important to be familiar with these logs and correlating them with other artifacts to identify potential cases of lateral movement via RDP.
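To make the correlation concrete, here is an added example (not from the post) that runs over a constructed, normalized event feed and applies two simple lateral-movement rules: RDP logons from sources outside an approved jump-host list, and one source fanning out to several hosts over RDP within a time window. The channels and event IDs are the well-known Windows ones: Security 4624 with LogonType 10 (RemoteInteractive), TerminalServices-RemoteConnectionManager 1149 (authentication succeeded), and TerminalServices-LocalSessionManager 21/25 (session logon/reconnect). The log lines, hostnames, usernames, IPs and the `JUMP_HOSTS` allowlist are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Well-known Windows channels and IDs that record RDP activity
SECURITY = "Security"                                              # 4624, LogonType 10
RCM = "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"  # 1149
LSM = "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"      # 21, 25
REMOTE_INTERACTIVE = "10"
CORROBORATING = {(RCM, 1149), (LSM, 21), (LSM, 25)}

# Constructed sample feed, normalized to: ts|host|channel|event_id|user|src_ip|logon_type
SAMPLE_LOG = """\
2024-10-03T09:12:01|WS01|Security|4624|alice|10.10.1.25|10
2024-10-03T09:12:02|WS01|Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational|1149|alice|10.10.1.25|
2024-10-03T09:12:03|WS01|Microsoft-Windows-TerminalServices-LocalSessionManager/Operational|21|alice|10.10.1.25|
2024-10-03T09:20:14|SRV-FILE01|Security|4624|svc_backup|10.10.1.25|10
2024-10-03T09:20:15|SRV-FILE01|Microsoft-Windows-TerminalServices-LocalSessionManager/Operational|21|svc_backup|10.10.1.25|
2024-10-03T09:31:40|SRV-DB02|Security|4624|svc_backup|10.10.1.25|10
2024-10-03T09:31:41|SRV-DB02|Microsoft-Windows-TerminalServices-LocalSessionManager/Operational|21|svc_backup|10.10.1.25|
2024-10-03T10:02:05|WS07|Security|4624|bob|10.10.9.3|2
2024-10-03T10:45:00|WS01|Security|4624|alice|10.10.9.40|10
"""

# Constructed allowlist of hosts from which interactive RDP is expected
JUMP_HOSTS = {"10.10.9.40"}


def parse_line(line):
    ts, host, channel, event_id, user, src_ip, logon_type = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "host": host, "channel": channel,
            "event_id": int(event_id), "user": user, "src_ip": src_ip,
            "logon_type": logon_type}


def parse_log(text):
    return [parse_line(l) for l in text.strip().splitlines() if l.strip()]


def rdp_logons(events):
    """Successful interactive RDP logons: Security 4624 with LogonType 10."""
    return [e for e in events if e["channel"] == SECURITY
            and e["event_id"] == 4624 and e["logon_type"] == REMOTE_INTERACTIVE]


def corroborated(logon, events, slack=timedelta(seconds=30)):
    """True when a TerminalServices event for the same host and user sits within
    `slack` of the 4624; a lone 4624 with no session events deserves a second look."""
    return any(e["host"] == logon["host"] and e["user"] == logon["user"]
               and abs(e["ts"] - logon["ts"]) <= slack
               and (e["channel"], e["event_id"]) in CORROBORATING
               for e in events)


def detect_rdp_lateral_movement(text, jump_hosts, fanout_threshold=2, window=timedelta(hours=1)):
    events = parse_log(text)
    logons = sorted(rdp_logons(events), key=lambda e: e["ts"])
    findings, by_src = [], defaultdict(list)
    for lg in logons:
        by_src[lg["src_ip"]].append(lg)
        if lg["src_ip"] not in jump_hosts:
            findings.append({"rule": "rdp-from-unapproved-source", "src_ip": lg["src_ip"],
                             "user": lg["user"], "host": lg["host"],
                             "ts": lg["ts"].isoformat(),
                             "corroborated": corroborated(lg, events)})
    for src, lgs in by_src.items():
        for i, first in enumerate(lgs):
            hosts = {lg["host"] for lg in lgs[i:] if lg["ts"] - first["ts"] <= window}
            if len(hosts) >= fanout_threshold:
                findings.append({"rule": "rdp-fan-out", "src_ip": src,
                                 "hosts": sorted(hosts), "first_seen": first["ts"].isoformat()})
                break
    return findings


if __name__ == "__main__":
    for finding in detect_rdp_lateral_movement(SAMPLE_LOG, JUMP_HOSTS):
        print(finding)
```

On the sample feed, `bob`'s logon is type 2 (console) and is ignored, `alice`'s later logon comes from the approved jump host and is silent, while `10.10.1.25` is flagged three times as an unapproved source and once for fanning out to three hosts in twenty minutes. In a real environment the normalization step is the work: the 4624 source address lives in `IpAddress`, 1149 in `Source Network Address`, and 21/25 in `Source Network Address` of the LSM channel, so collect all three before correlating.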
Detecting Vulnerability Scanning Traffic From Underground Tools Using Machine Learning - Researchers at Palo Alto Networks identified an automated scanning tool called Swiss Army Suite (S.A.S) being used by attackers to perform vulnerability scans on web services. They detected unusual patterns in SQL injection attempts and found that the tool could potentially bypass web application firewalls. After investigating the tool further, they discovered it was not commercially available and was shared in underground forums, making it difficult to detect.
Key Group: another ransomware group using leaked builders - Key Group, also known as keygroup777, is a financially motivated ransomware group targeting Russian users. They use leaked ransomware builders, negotiate with victims on Telegram, and primarily use the Chaos ransomware builder. The group has been active since at least 2022 and has been linked to the “huis” group in the shadow community. They have used a variety of ransomware variants, including Annabelle, Slam, RuRansom, UX-Cryptor, Hakuna Matata, and Judge/NoCry. The group's activities include spam raids, testing remote access Trojans, and engaging in ransomware attacks.
Security Brief: Royal Mail Lures Deliver Open Source Prince Ransomware - Proofpoint researchers identified a campaign impersonating Royal Mail and delivering Prince ransomware, targeting people in the UK and the U.S. The emails contained a link to a ZIP file hosted on Dropbox, which led to the execution of JavaScript code that ultimately ran the ransomware. The ransomware claimed files were exfiltrated and demanded payment in Bitcoin for decryption, but lacked the capability to actually decrypt files. The ransomware is available on GitHub, where the creator offers customization services to bypass security measures. Organizations should be wary of email threats using tactics like these and train users to recognize and report suspicious activity.
Are Telegram's New Policies Spooking Cybercriminals? - Telegram recently announced changes to its policies, including improved moderation to remove illegal activity and a commitment to disclose user data to authorities in response to valid legal requests. This change comes after the co-founder, Pavel Durov, faced charges in France for refusing to cooperate with authorities. While some cybercriminals are exploring alternative platforms, most are likely to continue using Telegram due to its extensive reach and features. However, individuals concerned with privacy may consider platforms like Signal and Session as viable alternatives.
All that JavaScript for… spear phishing? - NVISO Labs has discovered a sophisticated spear phishing campaign that involves obfuscated JavaScript in HTML attachments to trick recipients into revealing sensitive information. The campaign uses HTML smuggling techniques to bypass security systems and deliver malicious content, ultimately leading to a phishing page that appears legitimate. The attackers have created multiple stages of encoding and obfuscation to evade detection and successfully lure targets into providing their login credentials.
Trouble in Da Hood: Malicious Actors Use Infected PyPI Packages to Target Roblox Cheaters - Malicious actors are targeting Roblox cheaters using infected PyPI packages, with Imperva identifying a malware campaign specifically aimed at game hackers. The campaign involves malicious Python packages uploaded to PyPI that exploit Roblox Da Hood game hackers, distributing harmful Windows binaries under the guise of cheat tools. The malware includes well-known information stealers like Skuld Stealer and Blank Grabber, highlighting the risks gamers face when downloading cheats and mods from untrusted sources. Imperva's research sheds light on the tactics cybercriminals use to target gaming communities and underscores the importance of cybersecurity measures to protect against malware infections.
Separating the bee from the panda: CeranaKeeper making a beeline for Thailand - ESET Research has identified a new threat actor, CeranaKeeper, targeting governmental institutions in Thailand with data exfiltration activities. This China-aligned group uses a variety of tools and techniques to evade detection and extract sensitive documents, abusing services like Dropbox, OneDrive, and GitHub. Despite similarities with another group, Mustang Panda, ESET believes CeranaKeeper is a separate entity based on distinct organizational and technical differences. The group's relentless pursuit of data and evolving tactics make them a significant threat, with operations dating back to at least 2022.
When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying - Attackers are exploiting GenAI infrastructure like AWS Bedrock to host their own chatbot applications for dark roleplaying, including sexual and violent content. They use common jailbreak techniques to bypass model content filtering. By running on hijacked infrastructure and LLM resources, the attackers avoid paying for the usage themselves. Permiso observed these attacks in AWS, specifically targeting Anthropic models, and similar attacks have been found targeting other cloud providers. The attacks are facilitated by exposed access keys, and Permiso has provided detailed research on the methods used by attackers and how to detect them.
The Dark Knight Returns: Joker malware analysis - CERT Polska has recently analyzed new samples of the "Joker" mobile malware targeting Polish users in the Google Play Store. The malware operates in multiple stages, including identifying the user's country and mobile network, disabling Wi-Fi, subscribing to premium services without consent, intercepting SMS messages, and automating interactions with subscription pages. The malware uses encrypted communications, obfuscated code, and unauthorized access to sensitive user data, posing a serious threat to security, privacy, and finances. The CERT Polska team at NASK conducts scientific studies and provides IT services to address such cybersecurity threats.
StealC Malware Analysis Part 1 - The Lexfo security blog is conducting a detailed analysis of the StealC Malware, focusing on reverse engineering and malware analysis. The first part of the analysis covers unpacking the packed malware sample and retrieving the C2 information. The blog provides detailed information on the prerequisites, tools, and techniques required for the analysis, including using sandboxes and emulators to extract the malicious code. The blog also offers insights into identifying packers, decrypting shellcode, and automating the extraction process using tools like MIASM.
No Way to Hide: Uncovering New Campaigns from Daily Tunneling Detection - This article discusses how a new campaign monitoring system has uncovered four previously undisclosed DNS tunneling campaigns. DNS tunneling is a technique used by threat actors to encode data within DNS packet traffic. The monitoring system analyzes common attributes among tunneling domains to detect new campaigns. The article provides detailed case studies on the four discovered campaigns named FinHealthXDS, RussianSite, 8NS, and NSfinder.
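To make the "common attributes among tunneling domains" idea concrete, here is an added example (not code from the linked article) that profiles a DNS query log per apex domain and flags apexes whose subdomains are almost all unique, long and high-entropy. The query log is constructed inline; the tunnel-like labels are SHA-256 hex prefixes generated to mimic encoded payload chunks, and a set of CDN-style hostnames with short content hashes is included as a typical false positive. Apex extraction uses the last two labels, which is a simplification.

```python
"""Profile DNS query logs per apex domain for tunneling-like attributes.

Added example (not from the linked article). The query log below is
constructed; the tunnel-like labels are SHA-256 hex prefixes generated
inline to mimic encoded payload chunks. Apex extraction uses "last two
labels", a simplification (real deployments need the public suffix list).
"""
import hashlib
import math
from collections import defaultdict


def _sample_queries():
    """Constructed log: (client_ip, qname, qtype) tuples."""
    q = []
    # Benign traffic: a few repeated hostnames under example.com.
    for i in range(25):
        q.append(("10.1.1.5", ["www", "mail", "cdn"][i % 3] + ".example.com", "A"))
    # CDN-style hostnames with short content hashes: unique but short labels,
    # a common false positive that the length attribute filters out.
    for i in range(25):
        h = hashlib.sha256(f"asset{i}".encode()).hexdigest()[:8]
        q.append(("10.1.1.8", f"a-{h}.static-example.org", "A"))
    # Tunnel-like traffic: every query carries a long, unique, high-entropy label.
    for i in range(40):
        chunk = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:48]
        q.append(("10.1.1.9", f"{chunk}.tun-example.net", "TXT"))
    return q


SAMPLE_QUERIES = _sample_queries()


def shannon_entropy(s):
    """Bits per character of the string s."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (apex, subdomain) using the last two labels as the apex."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def profile(queries):
    """Aggregate per-apex attributes: query count, unique-subdomain ratio,
    average subdomain length, average entropy, share of data-carrying qtypes."""
    per = defaultdict(lambda: {"n": 0, "subs": set(), "len": 0, "ent": 0.0, "bulky": 0})
    for _client, qname, qtype in queries:
        apex, sub = split_name(qname)
        p = per[apex]
        p["n"] += 1
        p["subs"].add(sub)
        p["len"] += len(sub)
        p["ent"] += shannon_entropy(sub.replace(".", ""))
        if qtype in ("TXT", "NULL", "CNAME", "MX"):
            p["bulky"] += 1
    return {
        apex: {
            "queries": p["n"],
            "unique_ratio": len(p["subs"]) / p["n"],
            "avg_sub_len": p["len"] / p["n"],
            "avg_entropy": p["ent"] / p["n"],
            "bulky_ratio": p["bulky"] / p["n"],
        }
        for apex, p in per.items()
    }


def flag_tunneling(profiles, min_queries=20, min_len=30, min_entropy=3.0):
    """Apexes whose subdomains are almost all unique, long and high-entropy.
    Thresholds are illustrative starting points, not tuned values."""
    return sorted(
        apex for apex, f in profiles.items()
        if f["queries"] >= min_queries
        and f["unique_ratio"] > 0.9
        and f["avg_sub_len"] > min_len
        and f["avg_entropy"] > min_entropy
    )


if __name__ == "__main__":
    prof = profile(SAMPLE_QUERIES)
    for apex, f in sorted(prof.items()):
        print(apex, {k: round(v, 2) for k, v in f.items()})
    print("flagged:", flag_tunneling(prof))
```

Only tun-example.net is flagged: the CDN apex also has a unique-subdomain ratio near 1.0, but its labels are short, which is why length and entropy are scored together rather than uniqueness alone. The minimum query count keeps one-off lookups from producing noisy verdicts.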
CUCKOO SPEAR Part 2: Threat Actor Arsenal - In the Cuckoo Spear Part 2 report by the Cybereason Security Services Team, the focus is on analyzing the NOOPDOOR and NOOPLDR malware used by the APT10 threat actor in the Cuckoo Spear campaign. The report delves into the technical aspects of these malware families, detailing their functions, encryption methods, registry manipulations, code injections, and C2 client and server capabilities. The report also provides a list of Indicators of Compromise (IOCs) and suggests hunting queries to detect suspicious activities related to these malware families in an organization's network. Additionally, it emphasizes the importance of hiring a dedicated Incident Response team for containment, eradication, and recovery upon discovering the presence of this threat actor in the network.
tmate - Instant Terminal Sharing (or How To Backdoor a Linux Server) - This blog post discusses how cyber attackers have been using tmate as a tool to backdoor Linux servers after compromising them. It provides information on how to install and configure tmate, as well as how to detect traces of a tmate installation or ongoing session sharing. The post also highlights techniques for finding hidden tmate processes and mentions the possibility of finding traces in package manager log files. Additionally, it discusses the generation of session tokens and the use of SSH connections to VPS hosters as potential indicators of compromise.
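The post's detection angles (tmate processes that may be renamed, the SSH connection to the relay, and package manager logs) can be scripted together. The following is an added example, not code from the post: it reads constructed sample output laid out like `ps -eo pid,ppid,comm,args`, `ss -tnp` and /var/log/apt/history.log, and reports every trace it finds. All PIDs, paths, addresses and the package version in the samples are invented.

```python
"""Hunt for traces of tmate on a Linux host from three artifact sources:
process listing, socket table, and the apt history log.

Added example (not from the linked post). All three text blobs are
constructed sample output in the layout of `ps -eo pid,ppid,comm,args`,
`ss -tnp` and /var/log/apt/history.log; paths, PIDs, addresses and the
package version are invented.
"""
import re

PS_OUTPUT = """\
    PID    PPID COMMAND         COMMAND
      1       0 systemd         /sbin/init
    812       1 sshd            /usr/sbin/sshd -D
   2231    1990 bash            -bash
   2310    2231 tmate           tmate -S /tmp/.s.sock new-session -d
   2315       2 kworker/0:1     [kworker/0:1]
   2402       1 systemd-journa  /opt/.cache/tmate -F
   2500    2231 vim             vim notes.txt
"""

SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
ESTAB  0      0      10.0.0.5:41022      203.0.113.10:22    users:(("tmate",pid=2310,fd=5))
ESTAB  0      0      10.0.0.5:22         10.0.0.7:50211     users:(("sshd",pid=3001,fd=4))
ESTAB  0      0      10.0.0.5:41100      203.0.113.10:22    users:(("systemd-journa",pid=2402,fd=6))
ESTAB  0      0      10.0.0.5:41250      198.51.100.9:22    users:(("ssh",pid=2610,fd=3))
"""

APT_HISTORY = """\
Start-Date: 2024-09-27  14:02:11
Commandline: apt-get install -y curl
Install: curl:amd64 (8.5.0-2)
End-Date: 2024-09-27  14:02:14

Start-Date: 2024-09-28  03:14:07
Commandline: apt-get install -y tmate
Install: tmate:amd64 (2.4.0-1)
End-Date: 2024-09-28  03:14:09
"""


def find_tmate_processes(ps_text):
    """Processes whose short name or full command line mentions tmate.
    Matching the command line catches a renamed comm (PID 2402 above)."""
    hits = []
    for line in ps_text.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        pid, _ppid, comm, args = parts
        if "tmate" in comm.lower() or "tmate" in args.lower():
            hits.append({"pid": int(pid), "comm": comm, "args": args})
    return hits


SS_LINE = re.compile(
    r'^(\S+)\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+users:\(\("([^"]+)",pid=(\d+)'
)


def outbound_ssh_from_non_ssh(ss_text, allowed=("ssh",)):
    """Established connections to a remote port 22 owned by a process other than
    the ssh client: tmate reaches its relay over SSH whatever it is named."""
    hits = []
    for line in ss_text.splitlines()[1:]:
        m = SS_LINE.match(line)
        if not m:
            continue
        state, _lip, _lport, peer_ip, peer_port, proc, pid = m.groups()
        if state == "ESTAB" and peer_port == "22" and proc not in allowed:
            hits.append({"pid": int(pid), "process": proc, "peer": peer_ip})
    return hits


def tmate_installs(apt_history):
    """Start dates of apt transactions that installed the tmate package."""
    dates = []
    current = None
    for line in apt_history.splitlines():
        if line.startswith("Start-Date:"):
            current = line.split()[1]
        elif line.startswith("Install:") and current and re.search(r"\btmate:", line):
            dates.append(current)
    return dates


def hunt(ps_text=PS_OUTPUT, ss_text=SS_OUTPUT, apt_history=APT_HISTORY):
    """Collect all three kinds of trace into one report."""
    return {
        "processes": find_tmate_processes(ps_text),
        "ssh_peers": outbound_ssh_from_non_ssh(ss_text),
        "installs": tmate_installs(apt_history),
    }


if __name__ == "__main__":
    for kind, items in hunt().items():
        print(kind, items)
```

The socket check is the one that survives renaming: PID 2402 hides behind a systemd-looking process name, but it still holds an established connection to port 22 on a host that the sshd and ssh entries do not explain, and the peer address is what you would pivot on when checking for the VPS relays the post mentions.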
SHROUDED#SLEEP: A Deep Dive into North Korea’s Ongoing Campaign Against Southeast Asia - Securonix has uncovered an ongoing campaign by North Korea, dubbed SHROUDED#SLEEP, targeting Southeast Asia with stealthy malware. The threat actors used a custom PowerShell backdoor to gain full access to compromised machines. The campaign involves multiple layers of execution, persistence mechanisms, and a versatile backdoor/RAT called VeilShell. The attackers exploited AppDomainManager, used remote JavaScript execution, and employed Base64 encoding and Caesar ciphers to evade detection.
Hadooken and K4Spreader: The 8220 Gang’s Latest Arsenal - This blog post covers the latest tools in the 8220 Gang’s arsenal: Hadooken and K4Spreader. These malware families are being used to expand the gang's cryptojacking activities by targeting unpatched Linux and cloud environments. Hadooken focuses on backdoor functionality, while K4Spreader helps propagate the attack by exploiting known vulnerabilities in cloud services. The post also highlights new attack tactics, techniques, and procedures (TTPs) used by the 8220 Gang to remain undetected.
Bulbature, beneath the waves of GobRAT - This blog post discusses "Bulbature," a new malware variant linked to GobRAT, a family of malware targeting Linux systems. It examines how Bulbature leverages multiple techniques for persistence and stealth, including advanced evasion strategies. The post highlights key infection methods, TTPs (tactics, techniques, and procedures), and the role of poorly secured systems in propagating the malware.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
A Guide To Subdomain Takeovers 2.0 - The "Guide to Subdomain Takeovers" explores the importance and implications of subdomain takeovers in bug bounty programs. The guide covers how to identify vulnerable services, examples of secure and vulnerable services, automating the process of finding subdomain takeovers using tools like Nuclei, exploiting subdomain takeovers for potential attacks like session hijacking and CSRF, and best practices for reporting subdomain takeovers to bug bounty programs. The guide emphasizes the need for vigilance and thorough testing when identifying and reporting subdomain takeovers in order to ensure the security of online services.
Safe Ride into the Dangerzone: Reducing attack surface with gVisor - In this article, the collaboration between Google's gVisor team and the Dangerzone team is discussed, with the goal of reducing the attack surface for journalists when opening documents. gVisor is integrated into Dangerzone to enhance security by creating a separate layer that isolates the document conversion process from the Linux kernel. The article explains the technical aspects of how gVisor works and how it improves the security profile of Dangerzone, providing users with increased confidence in opening potentially suspicious documents. The integration of gVisor with Dangerzone involves running gVisor inside a container, and various security measures are implemented to enhance protection against potential threats.
Secrets and Shadows: Leveraging Big Data for Vulnerability Discovery at Scale - In this blog post, Bill Demirkapi discusses leveraging big data for discovering vulnerabilities at scale, focusing on two key areas: dangling DNS records and leaked secrets. He explores the risks introduced by cloud computing convenience, and shares findings from his research on widespread vulnerabilities in major organizations. Demirkapi also discusses the importance of addressing these vulnerabilities holistically and working with vendors to protect their customers. He provides recommendations for organizations to secure their systems and encourages collaboration among providers to address these common vulnerability classes effectively.
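Both the subdomain takeover guide above and Demirkapi's dangling-DNS research come down to the same inventory check from the defender's side: which records in your zone point at something you no longer control? The script below is an added example (not code from either post) that walks a constructed zone export, follows in-zone CNAME chains, and reports CNAMEs whose final target no longer resolves as well as A records pointing at addresses absent from the organisation's address inventory. The zone, the inventory and the stub resolver answers are all constructed; `live_resolve` shows the real lookup to substitute for the stub.

```python
"""Find dangling DNS records in a zone: CNAMEs whose target no longer resolves,
and A records pointing at addresses the organisation no longer holds.

Added example (not from either linked post). Zone records, the address
inventory and the stub resolver answers are constructed. A real run would
pass `live_resolve` instead of `stub_resolve` and feed the actual zone file.
"""
import socket

# Constructed zone export: owner name -> (record type, target).
ZONE = {
    "www.example.com.": ("CNAME", "lb.cloud-provider.example."),
    "shop.example.com.": ("CNAME", "old-shop.cloud-provider.example."),
    "api.example.com.": ("A", "198.51.100.7"),
    "intranet.example.com.": ("A", "203.0.113.20"),
    "docs.example.com.": ("CNAME", "www.example.com."),
}

# Constructed inventory of addresses currently allocated to the organisation.
OWNED_IPS = {"203.0.113.20", "203.0.113.21"}

# Constructed resolver answers: None models NXDOMAIN.
STUB_ANSWERS = {
    "lb.cloud-provider.example": ["203.0.113.5"],
    "old-shop.cloud-provider.example": None,
}


def normalize(name):
    """Lower-case and strip the trailing dot so names compare consistently."""
    return name.lower().rstrip(".")


def stub_resolve(name):
    """Offline resolver for the example; unknown names are treated as NXDOMAIN."""
    return STUB_ANSWERS.get(normalize(name))


def live_resolve(name):
    """Real resolver: list of IPv4 addresses, or None when the name does not resolve."""
    try:
        return socket.gethostbyname_ex(normalize(name))[2]
    except socket.gaierror:
        return None


def find_dangling(zone, resolve, owned_ips):
    """Return sorted (name, finding, target) tuples. In-zone CNAME chains are
    followed so docs -> www -> lb is judged once, at the external target."""
    zone = {normalize(k): (t, normalize(v)) for k, (t, v) in zone.items()}
    findings = []
    for name, (rtype, target) in zone.items():
        seen = set()
        # Follow CNAMEs that stay inside the zone; `seen` bounds loops.
        while rtype == "CNAME" and target in zone and target not in seen:
            seen.add(target)
            rtype, target = zone[target]
        if rtype == "CNAME":
            if resolve(target) is None:
                findings.append((name, "dangling_cname", target))
        elif rtype == "A":
            if target not in owned_ips:
                findings.append((name, "unowned_a", target))
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_dangling(ZONE, stub_resolve, OWNED_IPS):
        print(finding)
```

The two findings are the two record classes the posts discuss: shop.example.com is a CNAME to a hostname that no longer exists, and api.example.com is an A record to an address the inventory no longer lists. Neither finding proves a takeover is possible; the NXDOMAIN and the unowned address are the signals to act on by removing or re-pointing the record.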
Xintra - .NET Crash Dump Analysis - Xintra is a DFIR specialist with a background in offensive security who analyzes .NET crash dumps from a security perspective. The analysis includes investigating attacks involving .NET applications targeting IIS, focusing on two CVEs (Ivanti EPM SQLi RCE and a SharePoint Pre-Auth RCE chain). The post walks through the process of analyzing memory dumps using WinDbg, explaining key concepts and techniques along the way. The analysis involves understanding technical details of the CVEs, Windows internals, and leveraging tools like netext and WinDbg for in-depth analysis.
The Exploit Development Lifecycle - The linked document, BSides-Cbr-24.pdf, is hosted on Google Drive. It likely contains materials related to the BSides Canberra event (its 24th edition), such as schedules, presentations, or other resources.
Anatomy of Pokemon glitches - Swissky delves into the world of InfoSec with an exploration of Pokemon glitches, specifically focusing on the anatomy of Pokemon Yellow glitches. By examining the inner workings of these glitches, Swissky showcases how memory manipulation and logic bug exploitation can be utilized to speed up gameplay. Through detailed instructions and requirements for replication, Swissky guides readers through various glitches such as the Long Range Trainer Glitch and the experience algorithm glitch. Additional bonuses include utilizing these glitches to capture Mew and battle Professor Oak in Pokemon Yellow. Through these adventures, Swissky demonstrates the intricacies of hacking into the world of Pokemon to enhance gameplay experiences.
Modern iOS Pentesting: No Jailbreak Needed - The article discusses the challenges of conducting penetration tests on iOS apps without jailbreaking due to Apple's security enhancements and lack of community support for jailbreaking. The author shares a modern approach to iOS pentesting by leveraging debugger privileges and bypassing FairPlay DRM to gain access to an app's process and inspect its internal workings. The new method allows for testing on the latest iOS devices without the need for traditional jailbreaking, providing a creative solution to test app security effectively.
VMK extractor for BitLocker with TPM and PIN - CyberForce Offensive Security has developed a VMK extractor for BitLocker volumes protected by a TPM and PIN, a configuration meant to keep the boot process simple while protecting the encryption keys. By exploiting the TPM's default communication bus, they were able to recover the VMK and decrypt a BitLocker volume. Using a combination of hardware and software tools, they extracted the VMK and mounted the BitLocker volume. The article also describes how the VMK is obtained from TPM data and stresses the importance of protecting against insider threats when using a TPM and PIN protector.