Last Week in Security - 2024-10-28

We're Hiring!

Immediate Open Positions:

Maryland Applicants:

• We have openings for a Cryptologic Computer Scientist, Cyber Operator Developer Analyst, Ethical Hacker, Information Assurance Specialist, Information Systems Security Officer, Jr. Offensive Cyber Operator, Red/Blue Team Engineer, Senior Web Application Penetration Tester, Systems Engineer, Data Scientist, HPC Software Engineer, Information Systems Security Engineer, and Reverse Engineer.

Virginia Applicants:

• Available opportunities: DevSecOps Engineer and Red Team Operator - Senior.

For more open positions visit: https://www.sixgen.io/careers

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools, and exploits from the past week. This post covers 2024-10-21 to 2024-10-28.

News

• Google Warns of Samsung Zero-Day Exploited in the Wild - Google's Threat Analysis Group has warned of a zero-day vulnerability in Samsung's mobile processors that has been exploited in the wild for arbitrary code execution. Tracked as CVE-2024-44068, the issue was patched in Samsung's October 2024 security fixes and is a use-after-free bug that can escalate privileges on vulnerable Android devices. The exploit chain involves the attacker being able to execute arbitrary code in a privileged process, leading to a Kernel Space Mirroring Attack and breaking Android kernel isolation protections. This zero-day exploit is part of an escalation of privilege chain and has been utilized by threat actors.

• Burning Zero Days: FortiJump FortiManager vulnerability used by nation state in espionage via MSPs - A zero-day vulnerability in FortiManager is being exploited by nation states for espionage through MSPs. The vulnerability allows for remote code execution on the FortiManager device, which can then be used to access downstream FortiGate firewalls and networks. Despite the widespread exploitation, FortiNet had not released a CVE or public disclosure at the time this article was written, leading to concerns about transparency and customer protection. Mitigations include disabling the FGFM protocol and monitoring for abnormal traffic on ports 541 and 542.

• Largest Retail Breach in History: 350 Million “Hot Topic” Customers’ Personal & Payment Data Expose — As a Result of Infostealer Infection - A massive breach involving the personal and payment data of 350 million Hot Topic customers was exposed by a threat actor known as "Satanic". The breach was a result of an Infostealer infection that targeted an employee at a company called Robling, which handles retail data. The stolen data included customer information, payment details, and loyalty points, posing risks of identity theft and financial fraud. This breach highlights the significant threat of Infostealer infections in cybersecurity and the need for better protection measures.

• The Red Dragon Searches for Pearls Through Quantum Tunneling – But You’ve Got the Wrong Paper - Chinese researchers have potentially discovered a new quantum-annealing algorithm that could compromise symmetric encryption algorithms, according to a paper published in September 2024. The research focuses on attacking lightweight encryption ciphers using the D-Wave Advantage quantum processor. The findings suggest a new class of quantum annealing algorithms surpassing traditional methods in solving complex optimization tasks, raising concerns about the future of cryptography. The paper has since been removed from the Chinese Journal of Computers, sparking speculation about the sensitivity of the topic and the potential implications of the research.

• Hackers exploit 52 zero-days on the first day of Pwn2Own Ireland - Hackers exploited 52 zero-day vulnerabilities on the first day of Pwn2Own Ireland, earning significant cash prizes. A new Windows driver signature bypass allowed for kernel rootkit installs, while new Cisco ASA and FTD features blocked VPN brute-force attacks. The event showcased high-stakes hacks and rewards, with participants competing for the "Master of Pwn" title.

• Anthropic's latest Claude model can interact with computers – what could go wrong? - Anthropic's latest Claude model, Claude 3.5 Sonnet, has the capability to interact directly with computers, enabling a wide range of new applications. This expansion in functionality allows the model to reason about the state of the computer and take actions such as invoking applications or services. However, this advancement comes with unique risks, such as prompt injection attacks and conflicts with user instructions. A public beta test is being offered for developers to experiment with these new computer use tools, but precautions are advised to minimize potential risks.

Techniques and Write-ups

• Hooked by the Call: A Deep Dive into The Tricks Used in Callback Phishing Emails - this blog delves into the tricks used in callback phishing emails, which involve sending emails with fake customer service hotlines to lure victims into calling and revealing personal information. The blog discusses various evasion techniques used in phishing emails, such as text obfuscation, image-based spam, and use of legitimate payment platforms to send fake invoices. The blog also provides tips on how individuals and organizations can protect themselves from falling victim to these scams.

• Malware and cryptography 33: encrypt payload via Lucifer algorithm. Simple C example. - This post explores using the Lucifer block cipher on malware development to encrypt the payload, with a simple C example provided. The Feistel network, created by Horst Feistel in 1971, is explained as a vital concept in modern cryptography. The Lucifer encryption process involves bifurcating the plaintext, applying transformations, XORing the results, and using S-boxes, permutations, and key schedules for security. The source code demonstrates how to implement Lucifer encryption and decryption functions in practice, with examples of encrypting plaintext and a payload. It also discusses the susceptibility of Lucifer to certain cryptanalytic attacks.

• TCC bypasses via launch services - this blog post discusses a TCC bypass vulnerability via launch services, which was disclosed at Black Hat Europe 2022. The technique allowed for arbitrary applications to be registered for handling specific file types, granting access to sensitive files like AddressBook or iMessages database. The exploit took advantage of TCC's inability to differentiate between files opened by launch services or by a user. The author detailed the methods used to set their app as responsible for certain file extensions and trigger the vulnerability.

• CVE-2024-41874 Technical Analysis - The assessment conducted by remmons-r7 on CVE-2024-41874 highlights a critical unauthenticated remote code execution vulnerability affecting Adobe ColdFusion versions before Update 16. The vulnerability allows an attacker to execute arbitrary code in the context of the current user by providing crafted input to the application. The assessment details how the vulnerability can be triggered and its implications, including the ability to control global scope structs.

• Attacking APIs using JSON Injection - The blog post discusses a real-world example of exploiting JSON injection vulnerability in Samsung devices, leading to code execution. It highlights the importance of understanding how JSON parsers handle data, as inconsistencies can lead to vulnerabilities. The post provides examples of security issues in JSON parser interoperability and explains how to exploit JSON injection to manipulate application behavior. It emphasizes the need for thorough vetting of how JSON objects are processed in APIs to ensure security.

• Offensively Groovy - In a recent red team engagement, the author compromised a Jenkins user and investigated Groovy for post-exploitation tasks. They explored host enumeration, file reading, and other operations in Groovy. The author also delved into using JNA for interacting with native Windows APIs and demonstrated how to list processes and perform code execution. Additionally, examples of loading DLL files and creating a service using JNA were provided. Overall, Groovy offers powerful functionality for network enumeration and exploitation.

• CVE-2024-8260: SMB Force-Authentication Vulnerability in OPA Could Lead to Credential Leakage - Tenable Research discovered a SMB force-authentication vulnerability in Open Policy Agent (OPA) that could lead to credential leakage. This vulnerability affected both the OPA CLI and the OPA Go SDK. By passing an arbitrary UNC share instead of a Rego rule or bundle, an attacker could leak the NTLM credentials of the OPA server's local user account to a remote server.

• From Exploit to Extraction: Data Exfil in Blind RCE Attacks - In the blog post, the author discusses a blind Remote Code Execution (RCE) attack where an attacker has to find a way to extract data without the ability to use out-of-band techniques. The attacker uses time delays to identify characters in the response by sending commands to the server. The author then shows how they automate this process using Python and BurpSuite. The blog ends with a demonstration of the exploit in action and encourages readers to practice, tweak the code, and make the exploit their own.

• Mapping attack surface for Azure initial access - This blog post explores various methods that threat actors commonly use to gain initial access to Azure. It discusses techniques such as unauthenticated mapping of the attack surface, employee phishing, Azure App Services compromise, sensitive information in public blob containers, inadvertent disclosure, password spraying, and re-using stolen credentials from past data breaches.

• Abuse SCCM Remote Control as Native VNC - Abuse SCCM Remote Control features to establish a VNC-like connection on SCCM-managed systems without user consent or notifications, allowing for lateral movement and shadow monitoring. By modifying WMI class properties, remote control settings can be changed remotely without needing plaintext passwords. The technique can be used in red team engagements, even in environments where SCCM Remote Control is disabled. A tool called SCCMVNC.exe has been developed to facilitate this process and disable user consent requirements and notifications via WMI.

• ShadyShader: Crashing Apple Devices with a Single Click - Imperva has discovered a vulnerability called ShadyShader that can crash Apple devices with a single click. This flaw exploits the GPU drivers on iPhones, iPads, and macOS computers with M-series chips, overwhelming the GPU and causing the system to crash. The vulnerability can be exploited through malicious webpages, text messages, emails, or QR codes and can also impact other devices with GPUs. Imperva recommends updating devices to the latest versions and disabling JavaScript to mitigate the exploit.

• Hijack the TypeLib. New COM persistence technique - The article discusses a new COM persistence technique called Hijack the TypeLib, which exploits the Component Object Model (COM) system for code execution. By hijacking the necessary registry keys, attackers can force a process to execute their code using the LoadTypeLib() function. The article explains the relationship between COM and TypeLib, how to identify suitable targets, and provides a tool for automating the process of detecting vulnerable registry entries. This method can be used for achieving persistence on a computer and bypassing detection by traditional security measures.

• Concealing payloads in URL credentials - The article discusses concealing payloads in URL credentials, specifically focusing on how to exploit this vulnerability in Chrome and Firefox browsers. It explains the differences between document.URL and location properties and how to manipulate the username and password properties within anchor elements. The article also highlights the potential for more advanced exploitation by combining these techniques with DOM clobbering. It concludes by mentioning that Safari discards URL credentials, and the examples provided only work on Chrome and Firefox.

• Deceptive Delight: Jailbreak LLMs Through Camouflage and Distraction - The article introduces a jailbreaking technique called Deceptive Delight, which tricks large language models (LLMs) into generating unsafe content. The technique involves engaging the LLMs in an interactive conversation that gradually bypasses their safety guardrails. By embedding unsafe topics among benign ones, the attacker can elicit the LLMs to generate harmful content. The article provides insights into the effectiveness of the technique, ASR rates, and strategies to mitigate jailbreaking risks. It also discusses the importance of prompt engineering and content filters to strengthen AI models against such attacks.

• HTML Smuggling - HTML smuggling is a technique where attackers embed and download malicious files through HTML or JavaScript on a website, bypassing traditional email or web filters. This method makes it difficult to detect and prevent the attack, as blocking JavaScript or HTML features could disrupt legitimate website functions. Defending against HTML smuggling is complex, as it requires a multi-layered security approach to mitigate the risk. Organizations should implement additional security measures to protect against this type of attack, despite the challenges in fully preventing it. Lutra Security offers testing services to assess and improve IT security against HTML smuggling and other threats.

• Investigating volatile data with advanced memory forensics tools – part 1 - The article discusses the importance of investigating volatile data in RAM using advanced memory forensics tools. Memory forensics can provide valuable insights, such as running processes, network connections, encryption keys, and user activity, that are crucial for real-time investigations. The article compares Volatility 2 and Volatility 3, highlighting the improvements in Volatility 3, including symbol-based analysis and support for modern OS versions. It also emphasizes the benefits of using both Volatility 2 and Volatility 3 in investigations to achieve comprehensive memory analysis.

• Climbing The Ladder | Kubernetes Privilege Escalation (Part 1) - The article "Climbing The Ladder | Kubernetes Privilege Escalation (Part 1)" discusses the threat of Kubernetes privilege escalation and how attackers target Kubernetes environments to gain unauthorized control. It explains various techniques such as Account Manipulation and Valid Accounts, as well as the abuse potential of system pods within an attack chain. The article emphasizes the importance of understanding Kubernetes Role-Based Access Control (RBAC) and how misconfigurations in RBAC roles can lead to privilege escalation. It also highlights the risks associated with system pods and the need for proactive security controls in Kubernetes environments.

• ZombAIs: From Prompt Injection to C2 with Claude Computer Use - Anthropic recently released Claude Computer Use, allowing AI to control a computer autonomously, posing risks of prompt injection attacks. The author demonstrates how to use prompt injection to make Claude download malware and join a Command and Control server. With Claude being tricked into running bash commands to launch malicious files, the risks of autonomous AI systems processing untrusted data are highlighted. This blog post serves as a warning about the potential dangers of ZombAIs, compromised AI-powered systems.

• Bluetooth Low Energy GATT Fuzzing - This blog post discusses Quarkslab's fuzzer for Bluetooth Low Energy GATT layer and the vulnerabilities found through it. The post delves into the BLE protocol, ATT and GATT layers, and specific vulnerabilities identified in BLE stacks such as Espressif and Sony. Quarkslab reported these vulnerabilities to the respective companies and received responses about how they are addressing the issues. The post also highlights the collaboration between Quarkslab and companies to fix the vulnerabilities and enhance overall security in Bluetooth technology.

• Bench Press: Leaking Text Nodes with CSS - The author explores a technique to leak the content of an HTML text node using CSS, highlighting the limitations of current CSS injection techniques. The technique involves measuring height using animation timelines, assigning unique heights to letters, iteratively removing letters, calculating height differences, and exfiltrating the letters to an attacker server. The method is Chrome-only for now and relies on locally available fonts to be calibrated correctly. Despite some limitations, the author finds it an interesting use of modern CSS for client-side web exploits.

• SQL Injection Polyglots - The article discusses SQL injection polyglots, which are payloads that can detect variations of vulnerabilities with a single request, reducing the number of tests needed. Examples of polyglots for different databases like MariaDB/MySQL and SQLite are shared, showing how they can be used to achieve true results in different contexts. Different strategies for SQL injection optimization are also mentioned in the article, emphasizing the importance of testing polyglot requests alongside non-polyglot ones.

• Attacking browser extensions - Browser extensions, such as those used in Firefox and Chromium, have become common tools for enhancing the browsing experience. However, these extensions can be vulnerable to attacks due to their structure and permissions. Vulnerabilities such as Cross-Site Scripting and Server-Side Request Forgery can be exploited by attackers to compromise the security of an extension and potentially gain control over a user's browsing experience. To mitigate these risks, developers can use tools like CodeQL to identify and address security issues in their extensions. Users should also be cautious when installing extensions, understanding the permissions they grant and regularly updating them to reduce the likelihood of security breaches.

• SELinux bypasses - In this blog post, the author explores bypassing SELinux on Android devices through kernel exploitation, focusing on devices like Samsung and Huawei. They discuss various bypass methods such as disabling SELinux, overwriting permissive map, overwriting AVC cache, SELinux initialization, overwriting mapping, and removing hooks. The author also provides insight into the implementation details and challenges faced on different devices while attempting these bypass methods. Additionally, they touch upon SELinux protection on Huawei and Samsung devices, as well as privilege escalation techniques.

• Exploiting CVE-2018-3048 for arbitrary code execution - Two researchers, Vlad and Reuben, analyzed the CVE-2018-3048 vulnerability in the ChakraCore JavaScript engine and exploited it to achieve arbitrary code execution. They explored how ChakraCore handles integers and floats, as well as the representation of arrays in memory. By triggering the vulnerability through type confusion and creating an arbitrary read/write primitive, they were able to bypass CFG using a return address overwrite technique. This allowed them to gain code execution and build a ROP chain to execute the WinExec API and launch calc.exe as a proof of concept, demonstrating the exploit's potential for further refinement.

• Tales from the Call-Gate: An SMM Supervisor Vulnerability - In a blog post on October 24, 2024, IOActive Labs detailed a vulnerability in AMD systems related to the SMM Supervisor, specifically involving x86 Call-Gates. The vulnerability allows for privilege escalation, with potential for an attacker to take control of Ring-0 privileges. The issue was reported to AMD and a CVE was issued in 2023. The blog post provides technical details on the vulnerability and how it can be exploited, highlighting the importance of platform security.

• 'Reflections on Trusting Trust', but completely by accident this time - The blog post discusses the complexity of compilers, focusing on a miscompilation bug in LLVM's loop vectorizer. The bug was found through an exhaustive testing process and involved generating incorrect vector shuffles due to a specific sequence of passes in the optimization pipeline. The post details the steps taken to reproduce and diagnose the bug, highlighting the intricate interactions between different optimization passes and how a seemingly minor change can lead to unexpected behavior. Ultimately, the bug was fixed, underscoring the challenges in modern compiler development and the importance of thorough testing.

• Oracle VM VirtualBox 7.0.10 r158379 Escape - The post discusses CVE-2023-22098, a vulnerability in Virtio-net for Oracle VM VirtualBox 7.0.10 r158379 that allows escaping from the virtual machine. It explains the Virtio-net device's communication mechanisms and provides a step-by-step guide on setting up a debugging environment, writing an exploit, triggering the bug, and identifying memory structures to develop a reliable PoC. The exploit involves exploiting an out-of-bounds write to gain control of the execution flow and potentially execute shellcode. Additionally, it explores the possibility of dynamically resolving the address of RTMemProtect for further exploitation.

• Memory Management - Part 1: Virtual memory and Paging concepts - Memory management in operating systems involves allocating and managing limited memory resources efficiently. Virtual memory is a technique that creates an illusion of a larger memory space for processes by dividing it into smaller pieces called pages. Different page sizes like small (4 KB), large (2 MB), and huge (1 GB) pages are used in modern systems to balance performance and flexibility. The page table hierarchy in the Intel x86-64 architecture consists of four levels - PML4, PDPT, PDT, and PT - for address translation. Control registers like CR3 play a crucial role in managing paging systems. Practical examples in Windbg demonstrate how virtual addresses are translated to physical addresses using page table entries and CR3 values. Another method involves calculating physical addresses using the PFN formula in Windows to map virtual addresses to physical memory locations.

• CVE-2024-44068: Samsung m2m1shot_scaler0 device driver page use-after-free in Android - CVE-2024-44068 is a use-after-free vulnerability in the Samsung m2m1shot_scaler0 device driver in Android. The exploit allows an attacker to execute arbitrary code in a privileged process, potentially leading to an Elevation of Privilege (EoP) attack. The vulnerability was discovered by Xingyu Jin and Clement Lecigne from Google Devices & Services Security Research. The exploit involves manipulating I/O memory mapping and executing firmware commands in a specific sequence to trigger the vulnerability. Mitigation strategies include reviewing object reference count management and closely monitoring IOCTL calls for suspicious activity.

• AWS CDK Risk: Exploiting a Missing S3 Bucket Allowed Account Takeover - The article discusses a security issue related to the AWS Cloud Development Kit (CDK) that could allow attackers to gain administrative access to a target AWS account. This issue was identified by Aqua Security and reported to AWS, who released fixes to address the vulnerability. The article also provides recommendations for cloud admins to enhance security practices, such as treating AWS Account IDs as sensitive information, using conditions in IAM policies, and avoiding predictable S3 bucket naming. Aqua Security offers a comprehensive Cloud Native Application Protection Platform (CNAPP) to secure containerized cloud native applications from development to production.

• Using Nix to Fuzz Test a PDF Parser (Part One) - Fuzz testing is a technique for uncovering bugs in software, but it can be time-consuming to set up. The author used Nix to streamline the process by creating a Nix configuration that simplifies fuzz testing with a single command. By compiling a PDF reader from source and using the honggfuzz fuzz testing tool, the author was able to find an unpatched bug in the PDF renderer. The Nix workflow automates the process of downloading dependencies, building the software, generating test inputs, and identifying crashes caused by the test inputs.

• PowerShell Web Access: Your Network's Backdoor in Plain Sight - PowerShell Web Access (PSWA) is a feature in Windows Server that provides a web-based PowerShell console for remote management tasks. While it offers convenience for system administrators, it can be exploited by malicious actors to gain unauthorized access to networks. Recent Cybersecurity Advisory highlights ongoing exploitation by Iran-based cyber actors against U.S. and foreign organizations using PSWA. Understanding how PSWA can be enabled, configured, and misused, and proactively monitoring for suspicious activities using tools like Splunk can help defenders strengthen their defenses against potential threats. Splunk offers security analytics and content to help organizations detect, investigate, and respond to PSWA-related threats.

• Adversarial SysAdmin - The Key to Effective Living off the Land - Andy Gill, also known as ZephrFish, discusses the concept of Adversarial SysAdmin and Living off the Land Searches (LOLSearches) to aid Red Teams in their strategies. He emphasizes the use of built-in tools like Explorer and SharePoint to hunt for credentials and sensitive data within an environment. The article provides practical examples of advanced search operators and queries for searching scripts, credentials, AI-related files, and more. ZephrFish also shares insights on building a home lab for security testing and explores WinSxS and DLL hijacking in other blog posts.

• An Update on Windows Downdate - SafeBreach provides a Breach and Attack Simulation platform that helps organizations enhance their cybersecurity posture and minimize business risk. A SafeBreach researcher discovered a vulnerability in Windows called Windows Downdate, which allows for the revival of a patched Driver Signature Enforcement (DSE) bypass. By downgrading components, attackers can compromise security controls and gain unauthorized access. The researcher also explored ways to disable Windows virtualization-based security, even when protected with UEFI locks. This research highlights the importance of monitoring and detecting downgrade procedures to prevent security threats.

• A deep dive into Linux’s new mseal syscall - The blog post discusses Linux's new mseal syscall introduced in the 6.10 kernel release, which provides memory sealing protection to prevent unauthorized modifications to memory regions during program runtime. The syscall allows developers to make memory regions immutable, preventing malicious permissions tampering and memory unmapping attacks. The post goes into detail about how the syscall works, its implementation in the kernel, and how it mitigates exploit scenarios such as tampering with permissions and data-only exploits. It also discusses how software developers can integrate and leverage mseal to enhance the security of their applications.

• How I Accessed Microsoft’s ServiceNow — Exposing ALL Microsoft Employee emails, Chat Support Transcripts & Attachments - The author accessed Microsoft's ServiceNow by exploiting leaked credentials obtained from a specialized search engine. They were able to access sensitive information such as employee emails, chat support transcripts, and attachments. Despite reporting the issue to Microsoft, they did not receive a bounty reward. The author highlights the lack of adaptability in cybersecurity programs and the importance of incentivizing researchers to disclose vulnerabilities.

• Modifying a Tool to Make a PE Loader that Evades Defender - The author repurposed the BetterSafetyKatz tool to load any PE executable file and obfuscate it in order to evade Windows Defender. By modifying the code to remove the high integrity check and making changes to how the tool fetches and extracts files, they were able to successfully load a meterpreter reverse shell without triggering Defender. While the shell worked well, some functionalities like loading the kiwi module could still be caught by Defender's behavioral detection, emphasizing the need for caution when using such evasion techniques.

• .Net Hooking with Frida and Fermion - The author explores .Net hooking using Frida and Fermion in a recent assessment, utilizing knowledge from a Windows Instrumentation course. They decompile a .Net binary to examine its features and functions, but face challenges due to JIT compilation shifting function addresses. To address this, the author creates a .Net DLL with exported functions to enumerate and call functions at runtime, which they then use in conjunction with Frida to successfully intercept and manipulate a function in the binary. The process involves creating the DLL, utilizing Fermion with Frida, and ultimately achieving the desired interception and manipulation of the target function.

• Azure – Code Execution Through Machine Configuration - Azure offers a feature called Machine Configuration, which allows users to audit or configure operating system settings as code for machines running in Azure and hybrid Arc-enabled machines. This feature can be exploited by attackers to execute arbitrary code on Azure managed machines without requiring specific permissions. By using this technique, attackers can escalate from the Azure Cloud to on-premises environments. The attack can be disguised as a compliance check and is difficult to detect, making it a valuable tool for Red Team assessments.

• SSD Advisory – Common Log File System (CLFS) driver PE - This advisory covers a vulnerability in Windows' Common Log File System (CLFS) driver that enables privilege escalation. Attackers can exploit this flaw to execute code with high privileges, posing risks for system integrity. The advisory includes technical details and suggests mitigation steps.

• CVE-2024-26926 Analysis - The analysis of CVE-2024-26926 reveals a vulnerability in the Linux kernel related to the XFRM (IPsec) subsystem, which allows for arbitrary code execution due to improper memory handling. This issue particularly impacts kernel versions that use XFRM, potentially giving attackers unauthorized control on targeted systems. The report provides technical details and exploit steps.

• Social Engineering Stories: One Phish, Two Vish, and Tips for Stronger Defenses - This blog shares real-world social engineering cases, exploring tactics attackers use to exploit human psychology and trick employees into granting access. These stories provide valuable insights into the methods hackers employ and underscore the importance of employee training in preventing breaches.

• The Windows Registry Adventure 4: Hives and the registry layout - this post delves into complex aspects of the Windows Registry and explores four Registry hives critical for system configuration, performance, and application settings. The analysis provides insights into vulnerabilities and security implications related to these hives.

Tools and Exploits

• Introducing CloudTail: An Open-Source Tool for Long-term Cloud Log Retention and Searchability - CloudTail is an open-source tool designed to help enterprises enhance the long-term retention and searchability of cloud logs, without the need for expensive SIEM solutions. It allows users to selectively preserve significant cloud events from AWS and Azure through config-based event filtering and flexible data storage. CloudTail stores logs in their raw format locally and facilitates easier searching capabilities through key event attributes. Users can tailor the monitoring to specific needs and track a curated list of key events for security operations.

• Secure_Stager - The GitHub project Secure_Stager is an x64 position-independent shellcode stager that verifies the stage it retrieves before executing it, providing protection against man-in-the-middle attacks. The stager ensures the validity of the retrieved stage by using MD5 checksum verification and XOR encryption. It can be integrated into Cobalt Strike and offers functionality that the built-in stager does not provide. Currently, the stager only supports HTTPS connections, and future updates may include proxy awareness and customization options for request headers.

• EDR Telemetry Project - The EDR Telemetry Project is a platform for comparing EDR telemetry capabilities across different systems. Users can gain insights, make informed decisions, and enhance their understanding of EDR telemetry through detailed comparisons.

• SCCMVNC - The GitHub repository "SCCMVNC" contains a tool that allows users to modify SCCM remote control settings on client machines, enabling remote control without permission prompts or notifications. Users can remotely configure these settings without needing access to the SCCM server. The tool simplifies the process of connecting to SCCM-managed systems using a VNC-like connection, without the need for additional malicious modules. Instructions are provided for reading existing SCCM remote control settings, re-configuring settings, and connecting to the host using the native SCCM Remote Control tool.

• Rigour: An IoT Scanner Inspired by Shodan.io - Rigour is an IoT scanning tool inspired by Shodan.io that identifies and reports on devices connected to the internet. It uses ZMap and ZGrab to conduct large-scale network scans, retrieve service banners, and detect vulnerabilities. Rigour offers both REST and streaming APIs for data access, as well as a user interface for data visualization.

• servicelens - ServiceLens is a Python tool that analyzes services linked to Microsoft 365 domains by scanning DNS records. It categorizes the identified services into Email, Cloud, Security, and more. The tool provides a detailed summary of the services found.

• Nuke It From Orbit - The GitHub repository "Nuke It From Orbit" (nifo) provides a tool that can remove antivirus and endpoint detection and response (AV/EDR) software from Windows machines with physical access. The tool corrupts files to prevent the software from starting up and does not require administrative privileges. Users can generate a script to run on Linux to execute the removal process.

• ShareFouine - The GitHub repository "ShareFouine" offers a Python script that allows users to navigate Sharepoint using UNIX-like commands, providing access to commands such as going to a specific Sharepoint site or OneDrive, displaying content, and downloading files.

• CVE-2024-40431+CVE-2022-25479 chain for EOP(DATA ONLY ATTACK) - The GitHub repository SpiralBL0CK/CVE-2024-40431-CVE-2022-25479-EOP-CHAIN contains a chain for exploiting CVE-2024-40431 and CVE-2022-25479 to achieve Elevation of Privilege using a data-only attack against the Realtek SD Card Reader driver.

• gcp-ctf-workshop - This repository contains code used to set up a misconfigured Google Cloud Platform (GCP) project that is vulnerable to attacks, designed for a workshop on CTF challenges. The setup uses terraform to create cloud resources and generates credential files for the challenges. Participants can use the provided information and hints to experiment with the challenges in their own GCP project.

• SmuggleShield - SmuggleShield is a browser extension that aims to provide basic protection against HTML smuggling attacks by detecting common patterns.

• LOLESXI - LOLESXi is a project that lists binaries and scripts available in VMware ESXi that adversaries use in their operations, compiled from open-source threat research.

• Cisco Firepower Threat Defense Software for Firepower 1000, 2100, 3100, and 4200 Series Static Credential Vulnerability - A vulnerability in Cisco Firepower Threat Defense Software for Firepower 1000, 2100, 3100, and 4200 Series allows an attacker to access an affected system using static credentials. Cisco has released software updates and workarounds to address this issue.

• VAC kernel-mode bypass - The GitHub repository contains a fully working kernel-mode VAC bypass that intercepts VAC syscalls to spoof results and bypass memory integrity checks. The bypass allows loading unsigned DLL into game memory space and performing patches on game modules without being detected by signature/heuristic checks.

Threat Intel and Defense

• Detection of Impacket’s “ATExec.py” - Impacket is a Python class suite used for interacting with network protocols, including SMB and MSRPC, with the ability to construct and parse packets. ATExec is a tool within Impacket that connects to a target host via RPC to execute commands, creating and deleting tasks in the process. The tool generates random task names, triggers the task, retrieves and deletes the output file, and may leave artifacts in the C:\Windows\System32\Tasks directory if it crashes before completion. The tool writes command results to a temp file and deletes it afterward, but if it crashes, the file may not be deleted.

• ViperSoft Stealer - The author noticed Powershell windows opening and closing on their secondary computer, prompting them to investigate further. They found a cryptostealer code using a DGA to generate domains and check their TXT records. They decoded the malicious code and found that it scans for cryptocurrency-related information on the PC but only informs the C&C server.

• Hunting for Remote Management Tools: Detecting RMMs - This blog post discusses the prevalence of Remote Management and Monitoring (RMM) tools in organizations, especially with the rise of remote work. The post highlights the challenges of detecting and identifying multiple RMM tools used in an organization and provides insight into how to tackle this challenge, including removing duplicate entries through grouping. The post also includes a detailed explanation of the query process using the Kusto Query Language (KQL) to hunt for RMMs through SIEM logs.

• Latrodectus: A year in the making - Latrodectus was first discovered in October 2023 and has been in heavy development since then. It is a loader/downloader malware with ties to the infamous IcedID loader. The developers have released multiple new versions in a short time span, indicating ongoing development. The malware employs various anti-analysis techniques, string encryption, persistence mechanisms, and C2 communication methods.

• Threat actor abuses Gophish to deliver new PowerRAT and DCRAT - A threat actor recently abused the open-source phishing toolkit Gophish to deliver new payloads called PowerRAT and DCRAT, as discovered by Cisco Talos. The campaign involves modular infection chains through Maldoc or HTML-based infections, targeting Russian-speaking users. The PowerRAT payload is a PowerShell remote access tool with the ability to execute further PowerShell scripts, while the DCRAT payload is a modular RAT designed for remote control access and information stealing tasks. The threat actor delivers these payloads through malicious Word documents and HTML files containing JavaScript, utilizing various techniques to infect victim machines and establish persistence.

• How Virtual Hard Drive Files are Bypassing your Secure Email Gateway & AntiVirus Scanners - Threat actors are evading detection from Secure Email Gateways and antivirus scanners by embedding malicious content within virtual hard drive files like .vhd and .vhdx, which can be opened in Windows to mount the virtual image as a physical volume. These files are being used in email campaigns to deliver malware like Remcos RAT and XWorm RAT. Additionally, antivirus detection rates for malicious content within virtual hard drive files are lower compared to embedded malicious files, making them an effective method for attackers to bypass security measures.

• Grandoreiro, the global trojan with grandiose ambitions - Grandoreiro is a well-known Brazilian banking trojan that has been active since 2016, enabling threat actors to perform fraudulent banking operations. The trojan has evolved over the years, expanding its targets to 1,700 banks and 276 crypto wallets in 45 countries. It has also developed new tricks like using 3 DGAs for C2 communications and monitoring user mouse behavior to bypass security measures. The malware operates as Malware-as-a-Service, with newer versions using advanced encryption techniques like AES with CTS. Despite some arrests, Grandoreiro continues to be a significant global financial threat, targeting organizations and individuals primarily in Mexico, Brazil, Spain, and Argentina.

• Earth Simnavaz (aka APT34) Levies Advanced Cyberattacks Against Middle East - Earth Simnavaz, also known as APT34, is a cyber espionage group that has been actively targeting entities in the Middle East, particularly in the energy sector. They use sophisticated tactics, including deploying backdoors on Microsoft Exchange servers and exploiting vulnerabilities for privilege escalation. Their recent activities show a focus on abusing vulnerabilities in key infrastructure in geopolitically sensitive regions to establish a persistent foothold for future attacks.

• The Crypto Game of Lazarus APT: Investors vs. Zero-days - Lazarus APT, a highly sophisticated threat actor, used a decoy MOBA game to steal cryptocurrency and user data. The attackers exploited zero-day vulnerabilities in Google Chrome to gain control over victim's PCs. Kaspersky detected and reported the attack, which involved social engineering tactics and the use of generative AI. The attackers also created a fake game called DeTankZone, which was actually a stolen version of a legitimate game called DeFiTankLand.

• Threat Spotlight: WarmCookie/BadSpace - WarmCookie/BadSpace is a malware family that has been distributed since April 2024, primarily through malspam and malvertising campaigns. It offers functionality for persistent access in compromised networks and is often used to deliver additional malware. The threat actor behind WarmCookie has also been associated with CSharp-Streamer-RAT and Resident backdoor.

• DarkComet RAT:Technical Analysis of Attack Chain - The article provides a technical analysis of the DarkComet RAT, a Remote Access Trojan used by attackers to remotely control systems, steal sensitive data, and execute malicious activities. The analysis includes details on how the malware alters file attributes, communicates with malicious domains, modifies process privileges, gathers system information, and interacts with the system's display and clipboard. DarkComet's capabilities allow attackers to evade detection, maintain persistence on infected systems, and control them remotely.

• Investigating FortiManager Zero-Day Exploitation (CVE-2024-47575) - In October 2024, Mandiant collaborated with Fortinet to investigate the mass exploitation of FortiManager appliances by a threat actor known as UNC5820. This exploitation allowed the threat actor to execute arbitrary code or commands against vulnerable FortiManager devices. The threat actor exfiltrated configuration data from FortiGate devices managed by the exploited FortiManager, potentially compromising enterprise environments.

• Embargo ransomware: Rock’n’Rust - ESET researchers have discovered Embargo ransomware, a novice ransomware group testing and deploying a new Rust-based toolkit called Rock'n'Rust. This group targets high-profile victims and tailors their tools to each victim's environment, abusing Safe Mode to disable security solutions. Embargo is suspected of operating as a RaaS provider, and their tools, MDeployer and MS4Killer, are still in active development, with logical bugs disrupting their functionality. The group's choice of programming language, Rust, suggests a sophisticated level of development, and they show the ability to quickly modify and recompile their tools during active intrusions.

• Tenacious Pungsan: A DPRK threat actor linked to Contagious Interview - In September 2024, Datadog Security Research discovered malicious npm packages linked to Tenacious Pungsan, a DPRK threat actor associated with the Contagious Interview campaign targeting US tech job-seekers. The malware found in the packages was identified as the BeaverTail infostealer and downloader, known to be used by DPRK-linked threat actors. The samples were obfuscated to target developers who misremembered legitimate package names, highlighting the risk of supply chain attacks in the open source software ecosystem.

• Cloud Malware | A Threat Hunter’s Guide to Analysis, Techniques and Delivery - Cloud malware poses a distinct threat to cloud services, targeting specific environments and services through various means like credential harvesting and automation of spam messages. Researchers face challenges in analyzing and categorizing cloud threats due to the unique delivery methods and goals of attackers.

• macOS NotLockBit | Evolving Ransomware Samples Suggest a Threat Actor Sharpening Its Tools - The article discusses the discovery of a macOS ransomware sample called macOS.NotLockBit, which exhibits credible file locking and data exfiltration capabilities. The malware masquerades as LockBit ransomware and appears to be developed by a different threat actor. The evolution and testing of various versions of the ransomware are described, along with indicators of compromise. The threat remains small but is a significant development in macOS security.

• TeamTNT’s Docker Gatling Gun Campaign - TeamTNT, a hacking group, is launching a campaign targeting cloud native environments by exploiting Docker daemons to deploy malware and cryptominers. They are using Docker Hub to store and distribute their malware and renting victims' computational power for cryptomining. The campaign involves aggressive detection methods and the use of Sliver malware for command and control.

• Hidden in Plain Sight: ErrorFather’s Deadly Deployment of Cerberus - this blog post on Errorfather's deployment of the Cerberus malware highlights how this actor uses innovative concealment techniques to hide Cerberus, a powerful banking trojan. By targeting Android devices, the malware focuses on stealing banking credentials, intercepting SMS, and bypassing two-factor authentication. Errorfather's method leverages fake applications and cloaking tactics to avoid detection.

• The Crypto Game of Lazarus APT: Investors vs. Zero-days - Lazarus APT has developed a cryptocurrency-stealing malware disguised as a legitimate tank game. Distributed via trojanized applications, this malware targets Windows systems to compromise crypto wallets and collect user credentials. The operation showcases Lazarus’ adaptive techniques to exploit interest in games and cryptocurrencies, blending advanced obfuscation tactics with social engineering.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• Fake attachment. Roundcube mail server attacks exploit CVE-2024-37383 vulnerability. - A fake attachment in an email exploiting the CVE-2024-37383 vulnerability in Roundcube mail server was discovered by threat intelligence experts. The vulnerability allows attackers to execute JavaScript code on the user's page and potentially steal credentials and sensitive information. Cybercriminals have targeted Roundcube Webmail before, and organizations are advised to update their software regularly to prevent such attacks. The attack described in the article cannot be linked to known actors, but highlights the ongoing threat posed by vulnerabilities in widely used email clients like Roundcube.

• Query WinGet software installer data with PowerShell - The blog post discusses how to query WinGet software installer data using PowerShell. The author shows how to retrieve information about software installations from the WinGet repository and output the details. The script allows users to select and query specific applications, view installation information, and export results to a file. It also includes error handling and requirements for running the script in PowerShell v7. Overall, the blog provides a helpful guide for IT professionals interested in WinGet software installations.

• CVE-2024–45186: Unauthenticated SSTI bug in Filesender exposes MySQL & S3 credentials and other configuration variables, potentially leaking all (sometimes encrypted) user uploaded files. Dutch Universities affected. - A critical unauthenticated Server Side Template Injection (SSTI) bug in Filesender exposed MySQL & S3 credentials and configuration variables, potentially leaking encrypted user uploaded files. Dutch Universities were affected by this bug, which was responsibly disclosed and patched by the Filesender team. The bug was discovered and reported by a security researcher who highlighted the importance of security by design and continuous testing of open-source projects. The bug was fixed through a series of hotfixes and patches, and the incident was transparently disclosed in a blog post.

• Breaching the Data Perimeter: CloudTrail as a mechanism for Data Exfiltration - The article discusses a vulnerability in AWS that allowed for data exfiltration using CloudTrail. The author found a significant difference in behavior between S3 and other AWS services, which could have been exploited by an attacker post-compromise to exfiltrate data undetectably. AWS has since fixed this issue. The author recommends using cloud canaries to enhance security and detect intrusions effectively.

• This New Supply Chain Attack Technique Can Trojanize All Your CLI Commands - Checkmarx discusses a new supply chain attack technique called Command-Jacking, which targets open source ecosystems. Attackers can exploit entry points in packages to execute malicious code when specific commands are run, posing a risk to both individual developers and enterprises. By understanding and addressing these risks, developers can better defend against supply chain attacks. Checkmarx offers the One Platform and security solutions to help protect enterprises from such threats.

• Retrofitting encrypted firmware is a Bad Idea™ - Retrofitting encrypted firmware in Lexmark printers was initially a challenge, but with persistence and backdoor installation, a hacker was able to successfully decrypt the root filesystem key. By reverse engineering the WTM firmware running on the printer, the hacker was able to intercept and decrypt the root filesystem key, allowing for arbitrary code execution on the device. Despite attempts by vendors to add obfuscation and encryption to prevent hacking, determined individuals can still find ways to bypass these security measures. The process of uncovering the encryption key highlights the intricacies of firmware hacking and the vulnerabilities that exist in closed-source proprietary devices.