Last Week in Security - 2024-11-05

We're Hiring!

Immediate Open Positions:

Maryland Applicants:

• We have openings for a Cryptologic Computer Scientist, Cyber Operator Developer Analyst, Ethical Hacker, Information Assurance Specialist, Information Systems Security Officer, Jr. Offensive Cyber Operator, Red/Blue Team Engineer, Senior Web Application Penetration Tester, Systems Engineer, Data Scientist, HPC Software Engineer, Information Systems Security Engineer, and Reverse Engineer.

Virginia Applicants:

• Available opportunities: DevSecOps Engineer and Red Team Operator - Senior.

For more open positions visit: https://www.sixgen.io/careers

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools, and exploits from the past week. This post covers 2024-10-28 to 2024-11-04.

News

• Hybrid Russian Espionage and Influence Campaign Aims to Compromise Ukrainian Military Recruits and Deliver Anti-Mobilization Narratives - Google Threat Intelligence Group discovered a Russian hybrid espionage and influence operation called UNC5812, which targets potential Ukrainian military recruits through malware delivered via Telegram. The operation aims to compromise recruits' devices using malware and deliver anti-mobilization narratives to undermine Ukrainian military mobilization efforts. The campaign involves malware delivery through Windows and Android applications, as well as influence activities soliciting content to discredit the Ukrainian military. Google has taken steps to protect users from the malware and has shared its findings with Ukrainian authorities to disrupt the campaign.

• Change Healthcare Breach Hits 100M Americans - Change Healthcare, a healthcare giant in the U.S., experienced a ransomware attack in February 2024, resulting in the theft of personal, financial, and healthcare records of approximately 100 million Americans. The breach led to disruptions in the healthcare system for months. The parent company, United Health Group, incurred significant costs as a result of the breach. The stolen data was offered for sale by ransomware affiliate groups, leading to concerns about potential identity theft. The breach notification letter offers victims two years of credit monitoring and identity theft protection services.

• The Karma connection in Chrome Web Store - The Karma connection in Chrome Web Store revealed that multiple extensions, including Hide YouTube Shorts, were found to be malicious, with components tracking user behavior and affiliate fraud. These extensions were linked to Karma Shopping Ltd., a company with multiple employees and significant venture capital funding. The extensions were found to be collecting browsing data and selling it to third parties without clear user consent, potentially violating GDPR regulations. Despite attempts to report these extensions, it remains unclear whether any action will be taken to address the issue.

• Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files - Microsoft has identified a large-scale spear-phishing campaign conducted by a Russian threat actor group called Midnight Blizzard. The campaign involves sending highly targeted emails containing signed Remote Desktop Protocol (RDP) configuration files to individuals in various sectors. The goal of the operation is likely intelligence collection, and the threat actor has been known to target governments, NGOs, and IT service providers. Microsoft is actively investigating and providing updates on this ongoing campaign, and has released recommendations to mitigate the threat, such as strengthening operating environments, endpoint security, and antivirus configurations.

• Sources: College helmet communications on unencrypted frequencies - In college football, it has been revealed that coach-to-player in-game communications have been occurring on unencrypted frequencies, raising concerns about potential compromises. The Big 12 conference has instructed schools to send their helmet communication devices for a software update to provide encryption. While some schools have taken steps to address the issue, others maintain that the risk of gaining a competitive advantage through accessing opponent's communications is low due to the complexity of decoding and relaying information in real time.

• Digital Detritus: The engine of Pacific Rim and a call to the industry for action - The article discusses the danger posed by obsolete and unpatched hardware and software in the cybersecurity industry, using the example of the Pacific Rim attacks. It highlights the importance of initiatives like CISA's Secure by Design and Secure by Demand to improve software quality and security. The author emphasizes the need for cybersecurity vendors to take responsibility for security outcomes, share best practices, and collaborate to address the Digital Detritus problem. The article also provides lessons learned from the Pacific Rim incident and suggests ideas for improving infrastructure inertia and reducing cybersecurity risks.

• Pacific Rim timeline: Information for defenders from a braid of interlocking attack campaigns - Sophos X-Ops has conducted a five-year investigation tracking China-based threat actors targeting perimeter devices, including Sophos firewalls. The investigation includes a timeline of notable activity of threat actors, response to their activities, and third-party reports providing attribution information. The threat actors targeted devices with internet-facing web portals, exploited vulnerabilities, deployed malware, and used various techniques for persistence, privilege escalation, and command and control. The investigation also involved collaborations with other organizations and the sharing of IOCs to aid defenders in detecting and responding to the threats.

• Chinese threat actor Storm-0940 uses credentials from password spray attacks from a covert network - Microsoft has observed Chinese threat actor Storm-0940 using credentials obtained from password spray attacks from a covert network known as CovertNetwork-1658. Storm-0940 targets organizations in North America and Europe, such as government organizations, think tanks, and law firms. The CovertNetwork-1658 consists of compromised SOHO routers and is used by multiple Chinese threat actors. Microsoft provides mitigation recommendations to defend against password spraying and increase awareness of this threat.

• The Persistent Perimeter Threat: Strategic Insights from a Multi-Year APT Campaign Targeting Edge Devices - A report by Sophos reveals a sophisticated multi-year APT campaign targeting edge devices, exploiting network perimeter vulnerabilities to infiltrate high-value targets. The campaign demonstrates the growing focus of APT actors on internet-facing devices like VPNs and routers.

• Fired Employee Allegedly Hacked Disney World's Menu System to Alter Peanut Allergy Information - A former Disney employee allegedly hacked into a third-party menu creation software used by Walt Disney World’s restaurants and altered allergy information on menus to falsely claim that foods with peanuts were safe for people with allergies. The suspect, Michael Scheuer, also changed menu text to Wingdings and added profanity to menus. The hacking occurred after Scheuer was fired by Disney and used passwords he still had access to on different systems. The menus were caught by Disney before they were distributed to restaurants.

• Okta AD/LDAP Delegated Authentication - Username Above 52 Characters Security Advisory - Okta issued a security advisory regarding a vulnerability in the AD/LDAP Delegated Authentication system that allowed users to authenticate with a stored cache key of a previous successful authentication if the username was over 52 characters long. The vulnerability was identified on October 30, 2024, and was resolved on the same day. Okta recommended implementing MFA and enrolling users in phishing-resistant authenticators to prevent future security breaches. The vulnerability was introduced in a standard Okta release on July 23, 2024, and was discovered internally on October 30, 2024.

Techniques and Write-ups

• Privilege escalation through TPM Sniffing when BitLocker PIN is enabled - The SCRT Team Blog discusses privilege escalation through TPM sniffing when BitLocker PIN is enabled. This attack takes advantage of weaknesses in the way discrete TPMs are connected to motherboards, allowing decryption keys to be captured during the boot process. The blog post details the process of breaking BitLocker protection using this method and the research project to understand how BitLocker works with a TPM and PIN. The post also discusses the limitations of multi-factor authentication with BitLocker and suggests monitoring for suspicious activities on workstations to prevent privilege escalation.

• ASLR, bypass techniques, and circumvention impacts - ASLR randomizes memory addresses used by system and application processes to make it harder to predict the location of specific code. Multiple bypass techniques, such as memory disclosure, brute force attacks, return-oriented programming (ROP), and ASLR on 32-bit systems, can circumvent ASLR. These techniques exploit weaknesses in ASLR implementation and can be mitigated through improved ASLR implementations and other mechanisms like control flow integrity (CFI) and data execution prevention (DEP).

• Engineering WCF Hacks - Silent Signal conducted a project to create more robust and maintainable tools for testing WCF-based applications. They faced challenges with network restrictions, limited tools for testing WCF services, and the complexity of the WCF framework. They developed a solution involving Kaitai parser, net.tcp-proxy, and HTTP proxies to handle serialization and deserialization of WCF messages. Despite some challenges with authentication and handling multiple clients, they believe their tool is a significant step forward in uncovering vulnerabilities in WCF services.

• When WAFs Go Awry: Common Detection & Evasion Techniques for Web Application Firewalls - In this blog post MDSec provides insights into the vulnerabilities and shortcomings of Web Application Firewalls (WAFs). They discuss how WAFs work, common attack vectors they cannot defend against, and different models and types of WAFs. The post also delves into techniques for detecting and bypassing WAFs, including using obfuscation, encoding, and manipulation of HTTP request headers. Real-world case studies demonstrate advanced WAF evasion techniques against popular platforms like Azure Application Gateway, Cloudflare, CloudFront, and F5 BIG-IP ASM.

• Exploiting Fortune 500 Through Hidden Supply Chain Links - The blog post discusses how Lupin & Holmes discovered a supply chain attack targeting Consul, an open-source tool by HashiCorp, and its impact on a major Fortune 500 company. By using their tool, Depi, Lupin & Holmes identified vulnerabilities in the connections between dependencies in software supply chains. They responsibly disclosed the issue to the affected company, which promptly addressed it and awarded Lupin & Holmes a bug bounty of $17,000. The collaboration exemplified the importance of engaging with ethical hackers to enhance software security and mitigate risks effectively.

• More Than Just a Corporate Wiki? How Threat Actors are Exploiting Confluence - Threat actors are exploiting platforms like Confluence to send malicious emails and steal user credentials. Cofense offers solutions to detect and respond to phishing attacks that traditional security measures may miss. By using trusted domains and deceptive tactics, threat actors are able to evade security measures and compromise user data. Cofense's Managed Phishing Detection and Response services help identify and analyze these tactics to protect organizations from email security threats.

• Exploring Google Cloud Default Service Accounts: Deep Dive and Real-World Adoption Trends - This article explores the security risks associated with default service accounts in Google Cloud, which often grant privileged permissions to cloud workloads. It discusses how attackers can retrieve service account credentials from the metadata server and use them to access resources, such as Google Cloud Storage and container images. The article also provides insights into the adoption trends of default service accounts in Google Compute Engine instances and Google Kubernetes Engine clusters, and offers recommendations on how to prevent and mitigate these risks. Datadog's security tools can help identify instances using insecure service accounts and provide insights into overly permissive access permissions.

• New crazy payloads in the URL Validation Bypass Cheat Sheet - The URL Validation Bypass Cheat Sheet has been updated with new crazy payloads, including techniques for bypassing IP validation and CORS validation. The cheat sheet now supports new formats for representing IPv4 and IPv6 addresses, as well as special encodings for IP formats. A new payload targeting discrepancies in userinfo parsing has been added, along with updates for bypassing CORS validation checks. The web security community is thanked for their contributions to keeping the cheat sheet up to date.

• Anatomy of an LLM RCE - The passage discusses the importance of self-discipline in achieving success. It emphasizes the ability to control one's actions and thoughts in order to stay focused on long-term goals. Self-discipline allows individuals to overcome obstacles, improve productivity, and maintain a positive mindset. It is seen as a key factor in reaching personal and professional goals.

• What Are My OPTIONS? CyberPanel v2.3.6 pre-auth RCE - In this blog post, the author discusses discovering a 0-click pre-auth root remote code execution vulnerability in CyberPanel v2.3.6. They provide insights into the authentication checks, Django framework, and security vulnerabilities within the codebase. The author also shares details on finding and bypassing security middleware to exploit the RCE vulnerability. Additionally, they challenge readers to find their own bug in the codebase.

• KEV + CWE = Attack Vector - The article discusses how Known Exploitable Vulnerabilities (KEV) can be mapped to Common Weakness Enumerations (CWE) to identify attack vectors in API hacking. The author explains how vulnerabilities are ranked and categorized based on their prevalence and severity, leading to the creation of CWE Top 10 KEV Weaknesses list. By understanding these mapped vulnerabilities, API hackers can prioritize their testing efforts and improve their hacking methodology to detect and exploit weaknesses effectively. The author encourages readers to join The API Hacker Inner Circle for more insights and industry news.

• Cracking into a Just Eat / Takeaway.com terminal with an NFC card - The author purchased a Just Eat/Takeaway.com terminal for $25 and attempted to access its features. After exploring various options, the author discovered that NFC tags could be used to open specific apps on the device. By creating an NFC card to open a specific file manager app, the author was able to install additional apps on the terminal and access hidden menus. The author also discovered a way to extract the system files from the device for further exploration. The process outlined in the article can be used to gain root access to the device for modding and gaming purposes.

• Writing a BugSleep C2 server and detecting its traffic with Snort - Security researchers analyzed a new remote access tool called BugSleep, which uses a bespoke command and control protocol. The blog demonstrates reversing the BugSleep protocol, writing a C2 server, and detecting its traffic with Snort. The C2 protocol uses integer and string types for communication, and the blog details the functions for handling C2 communications. Snort rules are developed to detect BugSleep traffic, using flowbits to chain beacons with commands for more reliable alerts. Indicators of compromise are provided, and Snort SIDs are published to cover BugSleep traffic.

• Exploiting a Blind Format String Vulnerability in Modern Binaries: A Case Study from Pwn2Own Ireland 2024 - During the Pwn2Own event in Cork, Ireland in October 2024, hackers attempted to exploit various hardware devices, including the Synology TC500 security camera which was found to have a format string vulnerability. Despite modern security measures, the vulnerability remained exploitable under specific conditions, leading to arbitrary code execution. The exploit involved manipulating the format string to control memory writes and constructing a Return-Oriented Programming (ROP) chain on the stack. The vulnerability was patched before the competition, preventing the exploit from being executed during Pwn2Own.

• Weaponize Your Word – Malicious Template Injection - The article discusses the use of malicious template injection as a technique to deploy malware via Microsoft Word. It provides a step-by-step guide on how to create a malicious template file and deliver it to a target system. The article also covers detection methods for this type of attack and suggests ways to mitigate the risk. Additionally, it includes information about other cybersecurity topics and services offered by JUMPSEC.

• No Cap Cracking: Hash Cracking Training Resources - The article discusses the release of new training resources for hash cracking presented at the Security BSides Cayman Islands conference. The training focuses on improving offline hash recovery methodologies and includes a Password Transformation Tool (PTT) project and an OpenHashAPI (OHA) project. The PTT tool helps create custom rules and wordlists for password cracking, while the OHA project stores and maintains hashes and plaintext in a centralized database. The release of these projects aims to enhance password cracking techniques and improve security practices for practitioners and enthusiasts.

• CVE-2024-21683: RCE in Confluence Data Center and Server - CVE-2024-21683 is a critical Remote Code Execution (RCE) vulnerability found in Confluence Data Center and Server, due to unsafe exposure of Java classes in the scripting environment. The vulnerability is triggered when user-controlled input is evaluated within the Rhino scripting engine. The patched versions address this issue by limiting access to safe JavaScript objects and removing dangerous Java classes. It is crucial for Confluence users to upgrade to the fixed version or follow recommended workarounds to prevent exploitation.

• Using AFL++ on bug bounty programs: an example with Gnome libsoup - The blog post discusses using AFL++ on bug bounty programs, specifically focusing on the Gnome libsoup library. The author details their experience finding a bug in libsoup for a public bug bounty program, highlighting the use of custom harnesses and AFL++ tools. The post covers setting up a custom environment for fuzzing, writing basic harnesses, and analyzing coverage to find bugs efficiently. The author reports submitting the bug to the Gnome bug bounty program, which resulted in the award of two bounties for the reported vulnerabilities.

• Ancient Monkey: Pwning a 17-Year-Old Version of SpiderMonkey - An individual discovered a bug in an enterprise VPN solution that allowed for arbitrary JavaScript execution. They later revisited the bug and developed an exploit using a 17-year-old version of SpiderMonkey. By chaining operations, they were able to execute arbitrary byte code and control memory in order to leak information and eventually gain shell access. The process involved manipulating different types of values and data structures to achieve their goal. The author reflects on the learning process and suggests improvements for future challenges.

• Fuzzing between the lines in popular barcode software - Trail of Bits found serious bugs through fuzzing in the ZBar barcode scanning library, including an out-of-bounds stack buffer write and a memory leak that could lead to arbitrary code execution and denial-of-service attacks. The library had not been extensively fuzzed before, prompting Trail of Bits to use sanitizer and fuzzer instrumentation to find these vulnerabilities. They recommend fuzzing unsafe code, limiting attack vectors, configuring software for specific tasks, and using sanitizer instrumentation as essential steps in improving software security.

• Local Privilege Escalation in SAP - A local privilege escalation vulnerability was discovered in SAP systems, specifically in the binary file 'icmbnd'. This vulnerability allows users to manipulate the file and write into arbitrary files, potentially elevating their privileges. Security note 3438085 was released to address this issue, and users are advised to update their systems to prevent unauthorized access. This vulnerability could be exploited by malicious actors to gain root access to the system.

• Breaking free from the chains of fate - Bypassing AWSCompromisedKeyQuarantineV2 Policy - Permiso Security has released their 2024 Survey Report on identity security, focusing on detecting account takeover, assessing identity risk, securing non-human identities, reducing excessive privileges, removing zombie identities, securing AI infrastructure, monitoring insider threats, and detecting compromised credentials. The blog article discusses the AWSCompromisedKeyQuarantineV2 Policy, which aims to limit damage caused by leaked credentials but has several limitations that threat actors can bypass. Permiso also developed an open-source tool called "SkyScalpel" to combat policy obfuscation in cloud environments. They also introduced "CloudTail," another open-source tool for long-term cloud log retention and searchability. Permiso emphasizes the need for a shake-up in identity security practices given recent breaches in major companies.

• “CrossBarking” — Exploiting a 0-Day Opera Vulnerability with a Cross-Browser Extension Store Attack - Guardio discovered a vulnerability in the Opera browser that allows malicious extensions to access Private APIs, enabling actions like screen capturing and account hijacking. They demonstrated how easy it is to create and distribute a malicious extension through the Chrome Store, highlighting the challenges in browser security. By exploiting this vulnerability, they created a puppy-themed extension that could manipulate browser settings and hijack DNS configurations. The vulnerability was fixed by Opera in September 2024, and Guardio emphasizes the need for strict monitoring of browser extensions to prevent such attacks.

• LoadLibrary madness: dynamically load WinHTTP.dll - The article discusses the use of dynamic loading of WinHTTP.dll to avoid raising events and telemetry that can detect malicious activity. The author implements a custom loader to avoid these events, but encounters issues with specific functions not working. Through debugging and reverse engineering, the author discovers that the custom loader fails to register entries in the loader's data structures, leading to errors. The author ultimately solves the problem by implementing features to add entries to the loader's data structures, demonstrating the complexity of integrating custom code with the Windows operating system.

• EV code signing with .pfx in 2024 - In 2024, the process of obtaining an EV Code Sign certificate for signing Microsoft Windows drivers involves setting up a small company, purchasing the certificate from a recommended vendor like GlobalSign, and going through a vetting process. However, the process can be convoluted and expensive, leading some to seek alternative solutions such as using a FIPS-compatible YubiKey for code signing. Some individuals have even resorted to reverse engineering the legacy Internet Explorer JavaScript to create their own Certificate Signing Request (CSR) and bypass the traditional vetting process. After overcoming numerous challenges and frustrations, they are finally able to sign their drivers and move forward with the next steps.

• Maestro: Abusing Intune for Lateral Movement Over C2 - This article discusses the challenges of using Intune admin privileges for lateral movement from a C2 agent, detailing obstacles such as lack of cleartext passwords, MFA requirements, and token manipulation. The author introduces Maestro, an open-source tool that automates these processes to execute scripts, applications, and queries on Intune-enrolled devices. The article also includes a walkthrough of using Maestro with the Mythic C2 framework for executing tasks on target devices, as well as future plans for enhancing Maestro's functionality and detecting potential attacks.

• RCE Vulnerability in QBittorrent - A Remote Code Execution (RCE) vulnerability was discovered in qBittorrent where SSL certificate validation errors were ignored for 14 years until the default behavior was changed in version 5.0.1 released recently. The vulnerability could be exploited through malicious executable loader, arbitrary URL injection, RSS feeds, and decompression library attacks, potentially allowing attackers to execute remote commands. Users are advised to update to version 5.0.1 manually to mitigate the risk, or switch to alternative torrent clients like Deluge or Transmission. The vulnerability has been assigned a CVE, but it remains unclear if the maintainers will release a security advisory on Github.

• Looking into the Nintendo Alarmo - Gary is investigating the Nintendo Alarmo, a new alarm clock released by Nintendo that can wake users up with sounds from their favorite games. He bought one to delve into its inner workings, discovering that it has features like Wi-Fi for updates and a presence sensor. By reverse engineering the firmware and using techniques like decrypting files and exploiting vulnerabilities, Gary was able to run custom code on the Alarmo without opening it up. Despite encountering some security mechanisms like readout protection and Secure Access mode, he made progress in exploring and manipulating the device's software.

• Discovering Hidden Vulnerabilities in Portainer with CodeQL - The article discusses the use of CodeQL to discover hidden vulnerabilities in Portainer, a tool for managing Kubernetes and Docker environments. It identifies blind Server-Side Request Forgery (SSRF) vulnerabilities and an insecure AES-OFB implementation through code analysis. The vulnerabilities were reported to Portainer and fixed in subsequent releases. The article emphasizes the importance of using tools like CodeQL to systematically uncover and address security issues in software.

• GreyNoise Intelligence Discovers Zero-Day Vulnerabilities in Live Streaming Cameras with the Help of AI - GreyNoise Intelligence has discovered zero-day vulnerabilities in IoT-connected live streaming cameras with the help of AI, highlighting the urgent need for stronger cybersecurity defenses. The vulnerabilities could allow attackers to seize control of the cameras, view and manipulate video feeds, disable camera operations, and launch denial-of-service attacks. The discovery, made possible by GreyNoise's AI technology, showcases the power of AI in accelerating vulnerability discovery and making the internet safer. Security teams can benefit from GreyNoise's AI-driven anomaly detection to identify new threats and vulnerabilities that traditional systems may miss. The discovery underscores the importance of combining human expertise with AI technology in cybersecurity research to detect and stop sophisticated threats at scale.

• A Brief Look at FortiJump (FortiManager CVE-2024-47575) - Bishop Fox has uncovered a command injection vulnerability (CVE-2024-47575), known as FortiJump (FortiManager), which has been exploited in the wild since June 2024. The vulnerability allows unauthorized access to the FortiManager central management device. The research team set up a lab environment to analyze the exploit and found that the vulnerability could potentially be a serious threat if left unpatched. They recommend immediate patching and restricting access to the FortiGate-to-FortiManager (FGFM) port. Bishop Fox is a leader in offensive security and offers a range of services to enhance security posture, including application penetration testing, red team evaluations, and compliance assessments.

• IT Security Research by Pierre - The IT Security Research by Pierre identified four vulnerabilities in the ibmsecurity library, including insecure communications, hardcoded passwords, and uninitialized variables. These vulnerabilities could allow an attacker to compromise IBM Security Verify Access infrastructure. Despite being reported to IBM in February 2023, the vulnerabilities were only patched in April 2024 after a challenging communication process with IBM. An attacker could intercept admin credentials on the network to compromise the authentication infrastructure, emphasizing the importance of applying security patches and enabling certificate validation.

• 32 vulnerabilities in IBM Security Verify Access - Pierre discovered 32 vulnerabilities in IBM Security Verify Access, affecting versions less than 10.0.8. These vulnerabilities include issues such as authentication bypass, local privilege escalation, insecure setuid binaries, outdated OpenSSL, and hardcoded PKCS#12 files. The vulnerabilities could potentially allow attackers to gain unauthorized access to resources and compromise security. IBM Security Verify Access offers a range of security features, but these vulnerabilities highlight the importance of regularly updating software to protect against potential security risks.

• Tale of Zendesk 0 day and a potential 25K $ bounty - The author discovered a template injection vulnerability in Zendesk that allowed for data exfiltration from support portals. By exploiting this issue, the author was able to potentially earn a bounty of $25,000 from vulnerable programs. The vulnerability was reported to Zendesk and was classified as a "Medium - Business Logic Issue" with a reward of $750. Overall, the author earned $13,300 from 17 reports submitted to individual programs, highlighting the importance of bug bounty programs in ensuring cybersecurity.

• Ghostscript wrap-up: overflowing buffers - This blog details a vulnerability in Ghostscript, specifically an overflow issue that can lead to serious security risks, including potential remote code execution. The article covers how the flaw impacts buffer management in the Ghostscript interpreter, commonly used for processing PostScript and PDF files.

• Exploiting Weaknesses in Entra ID Account Synchronization to Compromise the On-Prem Environment - This blog explores how weaknesses in Entra ID account synchronization can expose on-premises environments to compromise. The analysis highlights how misconfigurations and synchronization flaws in hybrid identity environments can allow attackers to escalate privileges from the cloud to on-premises Active Directory.

Tools and Exploits

• Introducing zizmor: now you can have beautiful clean workflows - Zizmor is a new tool for finding security setups in workflows, particularly focusing on GitHub Actions. It can detect common security issues such as template injection, credential persistence, and known vulnerabilities in third-party actions.

• ExecutePeFromPngViaLNK - This allows users to extract and execute a Portable Executable (PE) file embedded within a PNG file using an LNK file. The extracted PE file is encrypted and injected as an IDAT section to the end of a specified PNG file. The repository includes instructions on how to create the embedded PNG file and generate the extraction LNK file, with demos available for executing DLL and EXE files.

• Chrome App-Bound Encryption Decryption - The GitHub repository xaitax/Chrome-App-Bound-Encryption-Decryption contains a tool to decrypt App-Bound encrypted keys in Chrome 127+ using the IElevator COM interface with path validation and encryption protections. The tool can decrypt keys stored in the Local State file of supported Chromium-based browsers such as Google Chrome, Brave, and Microsoft Edge.

• udpz - UDPz is a fast, portable, cross-platform UDP port scanner written in Go that aims to provide a speedy and efficient tool for scanning UDP services across multiple hosts. It utilizes goroutines and channels for flexible concurrent scans, offering logging capabilities and custom probe definitions for different UDP services. The tool supports loading IP addresses, CIDR ranges, and hostnames, and also offers SOCKS5 proxy support for UDP tunneling.

• OctoC2t - The GitHub repository "deletehead/OctoC2t" demonstrates a simple Command and Control (C2) system that uses a GitHub repository as a communication channel. The project provides instructions on how to develop your own agent to interact with the system.

• Kernel Callback Tables for Process Injection - The GitHub repository contains a Proof of Concept for manipulating the Kernel Callback Table in the Process Environment Block (PEB) to perform process injection and hijack execution flow. The technique involves redirecting a process's execution flow by replacing function pointers with malicious ones, typically triggered by Windows messages. The process allows adversaries to maintain persistence and evade detection by masking malicious payloads under legitimate processes. The repository provides step-by-step instructions for locating the PEB, Kernel Callback Table, and performing the injection process efficiently using assembly functions.

• SkyScalpel - SkyScalpel is an open-source framework for parsing and detecting obfuscated JSON policies in cloud environments. It is built on a custom C# JSON tokenizer and syntax tree parser, offering insights into evasive obfuscation techniques. It provides interactive and CLI support, as well as AWS Action expansion functionalities for simplifying AWS Action names. SkyScalpel aims to empower defenders to detect and neutralize obfuscation techniques in cloud security contexts.

• AuthStager - AuthStager is a tool on GitHub that generates custom stager shellcode with request authentication for enhanced security in the staging process. It can be used for authorized security testing to generate stager shellcode or executable formats with configurable token expiration.

• TypeLibWalker - The GitHub repository CICADA8-Research/TypeLibWalker describes a TypeLib persistence technique for Windows machines. The tool analyzes CLSIDs to detect potential Typelib libraries for hijacking, focusing on insecure permissions on registry keys associated with TypeLib and unsafe permissions on TypeLib on disk. Users can use this technique to achieve persistence on a host by prescribing a payload with commands to execute. The tool aims to provide a new way of achieving persistence on Windows machines using TypeLib.

• BOFHound: AD CS Integration - BOFHound can now parse Active Directory Certificate Services (AD CS) objects manually queried from LDAP for review and attack path mapping within BloodHound Community Edition (BHCE). BOFHound is not a Beacon object file (BOF) but a tool that runs offline from the target network. It aims to provide granular control over LDAP queries for visualization in BloodHound. The update includes AD CS object parsing, demonstrating how to query relevant LDAP objects and visualize attack paths in BHCE.

• Hooker - GitHub repository named "Hooker" is simple code to detect userland hook setup by the EDR on your process.

• AV/EDR Lab Environment Setup - This GitHub repository provides references for setting up an AV/EDR Lab environment to help with malware development. The resources include tools for emulating features of paid EDRs, detecting manual syscalls, collecting telemetry data, bypassing signature detection, and understanding EDR internals. It also lists free trials and open source EDR products for testing and comparison.

• CVE-2024-46538 - This GitHub repository contains a proof-of-concept for CVE-2024-46538, which is a cross-site scripting (XSS) vulnerability in pfsense v2.5.2 that allows attackers to execute arbitrary web scripts. The vulnerability lies in the lack of filtering in the $pconfig variable in interfaces_groups_edit.php, enabling attackers to execute arbitrary commands against an administrator.

• Maestro - Maestro is a post-exploitation tool that allows for lateral movement over C2 by interacting with Intune/EntraID without needing the user's password or Azure authentication flows. It simplifies interactions with Azure services and enables attacks between on-prem and Azure environments. Maestro features real-time PowerShell script execution, device query execution, privilege management enumeration, and sponsorship support for open-source development.

Threat Intel and Defense

• Inside the Open Directory of the “You Dun” Threat Group - The DFIR Report examined an open directory associated with the Chinese-speaking "You Dun" threat group, uncovering details of their activities. The threat actors were found to be using various tools such as WebLogicScan, Vulmap, and Cobalt Strike for scanning, exploitation, and ransomware attacks targeting organizations in several countries. The group also utilized the Viper C2 framework, and their activities included reconnaissance, web exploitation, privilege escalation, and ransomware deployment. The report provides detailed insights into the threat actor's tactics and infrastructure, shedding light on their malicious activities.

• Detection of Impacket’s “PSExec.py” - The article discusses the detection of Impacket's "PSExec.py", a Python-based implementation of remote command execution functionality commonly used in penetration testing and security research. The tool replicates the functionality of Microsoft's PsExec and requires administrator-level access on the target machine. The tool creates an executable file with a random name, uploads it to a writable network share, creates a service with a random name, runs the service, and removes artifacts after execution. The article also details the artifacts left behind in Windows Event Logs and File System (MFT) during the process.

• Katz and Mouse Game: MaaS Infostealers Adapt to Patched Chrome Defenses - Elastic Security Labs analyzed how MaaS Infostealers adapted to Google Chrome's Application-Bound Encryption scheme in Chrome 127 to bypass security controls and steal valuable user data such as cookies. The infostealers used techniques like remote debugging, process memory reading, and leveraging Chrome vulnerabilities to extract sensitive information.

• Lumma/Amadey: fake CAPTCHAs want to know if you’re human - Cybercriminals are using fake CAPTCHAs to distribute Lumma and Amadey Trojans, primarily targeting gamers and spreading through various online resources such as adult sites and file-sharing services. The malicious CAPTCHA redirects users to infected sites, where they are prompted to perform unsafe actions that lead to malware infections. The Lumma stealer steals cryptocurrency wallet files and browser data, while the Amadey Trojan steals credentials and substitutes crypto wallet addresses with those controlled by attackers. Over 140,000 users encountered ad scripts in this campaign, with users in Brazil, Spain, Italy, and Russia being most affected.

• CloudScout: Evasive Panda scouting cloud services - CloudScout is a toolset used by the Evasive Panda APT group to steal data from cloud services, targeting organizations in Taiwan. The toolset utilizes stolen web session cookies to access and exfiltrate data from services like Google Drive, Gmail, and Outlook. The modules are deployed by the MgBot malware framework and were detected in incidents involving a government entity and a religious institution in Taiwan. Evasive Panda has a history of cyberespionage operations targeting countries and organizations opposing China's interests.

• Packers and Crypters in Malware and How to Remove Them - This article discusses Packers and Crypters in malware and how to detect and remove them. It explains the different types of protectors, such as packers and crypters, and provides methods and tools to identify them. The article also covers unpacking different types of packers, such as SFX, MSI files, and NSIS installers, using various tools. Additionally, it discusses how to analyze and decrypt encrypted scripts using tools like AutoIt-Ripper. Lastly, it touches upon packers like NetReactor, Themida, and VMProtect, which support code virtualization and make analysis more complex.

• Attacker Abuses Victim Resources to Reap Rewards from Titan Network - An attacker exploited the Atlassian Confluence vulnerability CVE-2023-22527 to connect servers to the Titan Network for cryptomining. The attacker used public IP lookup services and system commands to gather information about compromised machines. They downloaded shell scripts to install Titan binaries and connect to the Titan Network for rewards.

• Silencing the EDR Silencers - This blog covers methods attackers use to bypass Endpoint Detection and Response (EDR) software, detailing techniques like “EDR silencers,” which disable or evade security monitoring. The blog provides insights into how these evasion methods work and suggests defenses to maintain EDR efficacy and protect against sophisticated malware techniques targeting EDR systems.

• ValleyRAT Insights: Tactics, Techniques, and Detection Methods - ValleyRAT is a remote access Trojan (RAT) that primarily targets Chinese-speaking users through phishing campaigns. It evades detection by loading its components in stages and remains hidden on the target system. The Splunk Threat Research Team has analyzed various variants of ValleyRAT to extract its tactics, techniques, and procedures (TTPs) and has developed detection methods to defend against this malware. The blog also provides insights into ValleyRAT's behavior, including its persistence mechanisms, evasion tactics, command and control methods, and more, to help security analysts and Splunk customers identify and mitigate this threat.

• Loose-lipped neural networks and lazy scammers - Attackers are using large language models (LLMs) to automate the creation of phishing pages that mimic reputable organizations like social networks or banks in order to steal credentials from victims. The use of LLMs in creating these fake websites can leave telltale signs, such as first-person apologies and refusals to follow instructions, indicating that the content is generated by a model. These artifacts can help in tracking attackers' use of LLMs in automating fraud and require systems for analyzing metadata or page structure for detection. As LLM technology advances, it will become increasingly difficult to distinguish between human-written and machine-generated content on scam pages.

• Mounting memory with MemProcFS for advanced memory forensics - MemProcFS is a tool that allows for mounting memory dumps and browsing them like file systems, simplifying the analysis of complex memory structures in memory forensics. It provides access to volatile data such as running processes and network connections, aiding investigators in analyzing suspicious activities like malware or unauthorized access. By using tools like MemProcFS, investigators can extract crucial evidence from RAM memory, enhancing forensic investigations. This tool, along with others like Volatility 2 and Volatility 3, offers a comprehensive approach to memory forensics, improving the depth and accuracy of investigations.

• PythonRatLoader: The Proprietor of XWorm and Friends - Cofense has uncovered sophisticated attack campaigns, such as the PythonRatLoader distributing multiple types of malware like XWorm, VenomRAT, AsyncRAT, and DCRat.

• Cyber Threat Intelligence for Autodidacts - Cyber Threat Intelligence (CTI) analysts have diverse backgrounds and roles that can vary depending on the organization they work for. The path to becoming a CTI analyst can come from various routes, such as security operations, law enforcement, or reskilling from other professions. CTI teams differ in structure and focus, with analysts working for vendors, companies, or government agencies. Understanding key frameworks and resources in CTI is crucial, as is creating detailed threat actor profiles and threat landscape reports. Responding to Requests for Information (RFIs) and handling indicators of compromise (IOCs) are also essential responsibilities for CTI analysts. Building a network and staying updated on industry resources and events are important in the CTI field.

• RedLine and Meta: The Story of Two Disrupted Infostealers - The Intel 471 blog discusses the disruption of two infostealers, RedLine and Meta, which are types of malware used to steal valuable data from computers. Police infiltrated the back-end systems of these infostealer programs, resulting in the seizure of domains and servers supporting the malware. The disruption action, called Operation Magnus, recovered millions of compromised victim credentials and led to arrests of individuals connected to the infostealers. Despite the disruption, RedLine activity has only slightly decreased, indicating that the malware may still be in use through alternate channels.

• Jumpy Pisces Engages in Play Ransomware - Unit 42 has identified the North Korean state-sponsored threat group Jumpy Pisces collaborating with the Play ransomware group in a recent ransomware incident. This marks a shift in tactics for Jumpy Pisces, known for cyberespionage, financial crime, and ransomware attacks. The group gained initial access in May 2024 and deployed Play ransomware in September. This collaboration highlights a potential trend of North Korean threat groups participating in broader ransomware campaigns.

• An Introduction to Operational Relay Box (ORB) Networks - Unpatched, Forgotten, and Obscured - Team Cymru introduces the concept of Operational Relay Box (ORB) networks, which are covert networks used by threat actors, often associated with China. These networks consist of operational relay boxes that function like a combination of a Virtual Private Network (VPN) and a botnet, providing enhanced anonymity and allowing attackers to remain undetected. ORB networks make it challenging for defenders to trace attacks back to their source and require specialized strategies for defense, such as proactive threat hunting and implementing a Zero Trust architecture.

• EMERALDWHALE:  15k Cloud Credentials Stolen in Operation Targeting Exposed Git Config Files - Sysdig's Threat Research Team discovered a global operation called EMERALDWHALE that targeted exposed Git configurations, resulting in the theft of over 15,000 cloud service credentials. The stolen credentials belonged to various cloud service providers, email providers, and other services, with the primary goal being phishing and spam. The attack highlighted the importance of monitoring and securing credentials, as well as the need for real-time cloud security solutions to detect and respond to threats faster than attackers can complete them.

• Threat actors use copyright infringement phishing lure to deploy infostealers - Threat actors are using a copyright infringement phishing lure to deploy infostealers in a campaign targeting Facebook business and advertising account users in Taiwan. The phishing emails impersonate legal departments of well-known companies and use fake PDF files to deliver malware that collects credentials and data. The threat actor evades detection by using Google's Appspot domains, short URLs, Dropbox, obfuscation techniques, and embedding information stealers into legitimate binaries.

• Typosquat Campaign Targeting Puppeteer Users - On Halloween eve in 2024, a typosquat campaign targeting developers using popular libraries like Puppeteer was detected, with 287 malware packages identified so far. The attacker used obfuscated Javascript to execute malicious code during package installation, including interacting with an Ethereum smart contract to fetch an IP address. The campaign aims to trick developers into installing these packages, showcasing evolving tactics in supply chain attacks. The Phylum Research Team is actively tracking and taking down these malicious software packages.

• CSI Forensics: Unraveling Kubernetes Crime Scenes - this article discusses how to conduct Digital Forensics and Incident Response activities in a Kubernetes container environment, using tools like Falco and Argo to automate the process of checkpointing containers for analysis. They provide detailed steps on how to conduct both static and dynamic analysis on container checkpoints to uncover and understand malicious activities in cloud environments.

• TA Phone Home: EDR Evasion Testing Reveals Extortion Actor's Toolkit - Unit 42 Incident Response discovered an extortion actor's toolkit during EDR evasion testing, where the threat actor attempted to bypass Cortex XDR. The threat actor used rogue systems to install the Cortex XDR agent, testing an AV/EDR bypass tool called EDRSandBlast. Through investigation, Unit 42 identified the threat actor's tools and files, unmasking their identity. The report provides details on the attack, the bypass tool, and how Unit 42 researchers identified the threat actor.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• Vehicle forensics decrypting the data memory of modern cars - Vehicle forensics involves decrypting the data memory of modern cars to analyze accidents, tampering, and criminal offenses. Experts use state-of-the-art technology to visualize the digital traces within vehicles and decode the data collected, such as CAN bus data, telemetry, and infotainment data. Vulnerabilities in vehicles, such as cyber attacks through the CAN bus system, highlight the importance of forensic investigations to understand and protect against potential security risks. As vehicles become more complex and digitally connected, forensic analysis plays a crucial role in investigating incidents and protecting data privacy.

• Web Browser Engineering - Web Browser Engineering is a book that explains how web browsers work by building a basic browser in Python. It covers topics such as loading pages, viewing documents, running applications, and modern browser features. The book will be published by Oxford University Press and includes information on history of the web, constructing an HTML tree, handling buttons and links, running interactive scripts, and more. The authors, Pavel Panchekha and Chris Harrelson, provide a comprehensive overview of web browser engineering.

• Systematic Destruction (Hacking the Scammers pt. 2) - In "Systematic Destruction (Hacking the Scammers pt. 2)," the author continues their investigation into a scamming operation targeting USPS users. They uncover the creator of the scamming kit, an individual making money off unsuspecting victims. By reverse engineering obfuscated PHP code, they discover encryption methods used to store usernames and passwords in the database. The author also reveals how scammers are being scammed by the creator of the kit, who can access admin panel data and victim information. The investigation uncovers a network of copycat campaigns, server management tools used by scammers, and a command and control server operated by the kit's creator. The author plans to report their findings to the US Postal Inspector and collaborate with volunteers to analyze the data collected.

• Bindable Microservices with Cloudflare Workers - On October 25, 2024, Starbase introduced bindable microservices with Cloudflare Workers, allowing developers to segment their application logic into feature-specific services for a more scalable architecture. Using Cloudflare Workers, developers can create and manage microservices, seamlessly binding them together. This approach helps to avoid risks and provides benefits such as edge computing and low-latency communication. By breaking down the application into smaller, independent services, teams can stay lean, iterate quickly, maintain focus, and ship quickly. StarbaseDB provides an example of how to use microservices effectively, offering optional add-ons like user authentication to simplify development. Through a step-by-step guide, developers can create and bind microservices in Cloudflare Workers to improve application scalability and development efficiency.

• Non-Uniform Distribution of VS Weapon Traits - The author discovered a potential bug in Destiny's loot system by using a crowd-sourcing tool to track perk drops in the game. They found that certain perk combinations on weapons were dropping at lower rates than expected. This issue was not limited to a specific weapon, suggesting a broader problem with the RNG system in Destiny. The author urges Bungie to investigate further and address any potential issues to ensure fair gameplay for all players.

• One weird trick to get the whole planet to send abuse complaints to your best friend(s) - Delroth's homepage discusses a strange incident where someone is using his server's IP address to send abuse complaints to random internet machines. After investigating, he discovers that the source IP addresses are being spoofed, leading to the abuse complaints. This attack is not specific to Tor and highlights the ongoing issue of IP spoofing on the internet. Delroth shares his observations and concerns about the lack of enforcement of security measures, such as BCP38 and RPKI, to make the internet safer for everyone. He also provides insights on how to respond to abuse complaints in such situations.

• tmp.0ut Volume 4 Call For Papers - The text contains information about the official Call For Papers for the tmp.0ut zine. They are seeking original research in various areas related to ELF files, Unix security, reverse engineering, and hacker culture. Submissions should be emailed as text files, not executable binaries, and the deadline for submission is December 15th, 2024. Beginner-level content is encouraged, and all papers will be reviewed by the team with notifications sent out in the first half of 2025. Contact information is provided for any questions regarding submissions.