Last Week in Security - 2024-11-12

We're Hiring!

Immediate Open Positions:

Maryland Applicants:

• We have openings for a Cryptologic Computer Scientist, Cyber Operator Developer Analyst, Ethical Hacker, Information Assurance Specialist, Information Systems Security Officer, Jr. Offensive Cyber Operator, Red/Blue Team Engineer, Senior Web Application Penetration Tester, Systems Engineer, Data Scientist, HPC Software Engineer, Information Systems Security Engineer, Operations Research Analyst, Reverse Engineer, and Software Engineer.

Virginia Applicants:

• Available opportunities: DevSecOps Engineer and Red Team Operator - Senior.

For more open positions visit: https://www.sixgen.io/careers

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools, and exploits from the past week. This post covers 2024-11-04 to 2024-11-11.

News

• DocuSign's Envelopes API abused to send realistic fake invoices - DocuSign’s Envelopes API has been exploited by attackers to send convincing phishing emails disguised as invoices. The tactic uses authentic DocuSign domains and branding to bypass email security and increase trust, potentially leading recipients to download malicious attachments or links. DocuSign is working to address the issue by implementing enhanced security measures.

• Canadian Man Arrested in Snowflake Data Extortions - A 25-year-old man from Ontario, Canada named Connor Riley Moucka has been arrested for allegedly stealing data from and extorting more than 160 companies that used the cloud data service Snowflake. The hackers targeted companies with sensitive customer data stored in their Snowflake accounts. Moucka has ties to a prolific cybercriminal group named UNC5537 and is facing multiple indictments in the U.S. One of his partners, John Erin Binns, was arrested in Turkey. Moucka, also known as Judische, claimed to have made $4 million in extortions and targeted several types of companies, including business process outsourcing firms and managed service providers. Operating under several aliases, Moucka has a history of involvement in cybercrime, harm communities, and extremist groups. His arrest signals a crackdown on cybercriminals and extremist activities.

• MSSP Market Update: CompTIA Sold to Private Equity - CompTIA, a non-profit trade organization for channel businesses, has sold a portion of itself to private equity firm H.I.G. Capital and Thoma Bravo. Following the transaction, CompTIA will operate as a for-profit company while the existing member-based non-profit organization will continue its services to the IT industry. The transaction is expected to close in early 2025 and is subject to regulatory approval.

• From Pyongyang to Your Payroll: The Rise of North Korean Remote Workers in the West - North Korean threat actors are using the Contagious Interview and WageMole campaigns to land remote jobs in Western countries, evading financial sanctions against North Korea. The Contagious Interview campaign focuses on stealing data while WageMole helps the threat actors secure remote jobs. The threat actors have improved their malware capabilities, expanded to target both Windows and macOS systems, and successfully infected over 100 devices. The WageMole campaign involves creating fake identities, using generative AI to acquire jobs, and earning money through professional skills to bypass economic sanctions. Robust security measures are needed to protect against these evolving threats.

• Police Freak Out at iPhones Mysteriously Rebooting Themselves, Locking Cops Out - Law enforcement officials are concerned about iPhones mysteriously rebooting themselves and becoming harder to unlock, possibly due to a new security feature in iOS 18. The reboots occur when the phones are removed from a cellular network, making them more secure against password cracking tools. The exact reason for the reboots is unclear, but experts speculate that Apple may have introduced this feature.

Techniques and Write-ups

• HuntingCallbacks – Enumerating the Entire system32 - The blog post focuses on the concept of HuntingCallbacks, which involves enumerating potential callback opportunities within the system32 directory of Windows APIs. The post discusses the methodology of scanning for potential target Windows APIs that support callback opportunities and provides a detailed analysis of the process as well as future improvements for the tool.

• AWS CLI Tips and Tricks - This article provides tips and tricks for using the AWS CLI, focusing on efficient ways to work with S3 objects, modifying the CloudTrail Log User-Agent, and utilizing AWS Organizations Defaults. It also covers techniques for preventing expensive API actions, IAM unique identifiers, and accessing metadata and user data. The article further explores strategies for escalating privileges, stealing credentials, exfiltrating data, and bypassing security controls in AWS environments. Additional sections cover similar tactics for Google Cloud Platform and Azure Active Directory, as well as advanced techniques for manipulating Terraform and other services.

• Introducing lightyear: a new way to dump PHP files - lightyear is a new tool that leverages PHP filters to efficiently dump PHP files by creating an error-based oracle. It improves on existing techniques by optimizing the process of dumping files, identifying base64 digits, and reducing payloads. The tool is able to dump larger files faster and in more situations, overcoming limitations of previous methods. By utilizing new algorithms and techniques, lightyear is able to improve the speed and efficiency of exploiting blind file read primitives in PHP.

• Automating Deobfuscation of XorStringsNet - The text discusses automating the deobfuscation of XorStringsNet, a tool used to encrypt strings in .NET assemblies. The process involves locating the encryption module, extracting the global key, and decrypting the strings using a decryption algorithm. The text also mentions a bug in XorStringsNet that only uses the first byte of the encryption key. To patch the assembly, calls to the decryption function need to be replaced with instructions that do not mess up the stack. Overall, the goal is to create a fully automated malware deobfuscation pipeline for XorStringsNet binaries.

• Hacking Millions of companies around the world with 10$: A Massive Software Supply Chain Attack - Lupin & Holmes discusses the importance of protecting the software supply chain, highlighting the risks associated with open-source dependencies and the potential for supply chain attacks. They developed Depi, a Software Supply Chain Security tool, to detect security threats, including account takeovers. They provide examples of how attackers can exploit vulnerabilities, such as through expired email domains, and share their experiences in detecting and addressing these risks through Depi. The interconnected nature of the software supply chain emphasizes the need for proactive monitoring and protective measures to mitigate threats and strengthen supply chain resilience.

• Effective Techniques for AWS Ransomware - The blog post discusses effective techniques for carrying out ransomware attacks on AWS resources, including encrypting data using KMS keys and revoking access until a ransom is paid. The post outlines steps to create and replicate KMS keys, encrypt EBS volumes and RDS snapshots, and re-encrypt S3 objects. The author also discusses the potential legal implications and ways to prevent such attacks, emphasizing the need for increased security measures in the cloud. The post concludes with a warning about the vulnerability of AWS accounts to ransomware attacks and the importance of reevaluating threat models in the cloud.

• Pwn3D: Abusing 3D Models for Code Execution - The blog post discusses how a security researcher discovered a code injection vulnerability in UltiMaker Cura, a popular 3D printing software. The vulnerability allowed for malicious code execution through manipulating 3MF models, resulting in potential supply chain attacks. The researcher responsibly disclosed the issue to UltiMaker, who promptly fixed the vulnerability and released a patch. Checkmarx, the company behind the blog post, provides application security solutions and services to help enterprises secure their software development lifecycle. They highlight the importance of software supply chain security and their commitment to addressing vulnerabilities across the entire application footprint.

• (In)tuned to Takeovers: Abusing Intune Permissions for Lateral Movement and Privilege Escalation in Entra ID Native Environments - In a recent blog post, Mandiant Red Team demonstrated how attackers can abuse Intune permissions to gain lateral movement and privilege escalation within Microsoft Entra ID environments. By compromising Entra ID service principals, attackers can add credentials and compromise existing service principals. The blog post also provides remediation steps and recommendations to prevent and detect these types of attacks, including reviewing permissions, enabling multiple admin approval for Intune, enabling Microsoft Graph API activity logs, and utilizing capabilities provided by Workload ID Premium licenses.

• Escalating from Reader to Contributor in Azure API Management pt II - Binary Security has discovered vulnerabilities in Azure API Management that allow attackers to escalate privileges from a Reader role to gaining full control of the service. Some fixes have been implemented by Microsoft, but others are still hidden behind the "Disable old API versions" toggle. By exploiting bugs in the ARM API, attackers with Reader permissions can perform unauthorized operations in APIM. These vulnerabilities, including access to subscription keys and other secrets, can lead to a complete compromise of the APIM service from a starting point of Reader privileges. Microsoft's responses to the reported issues have been lacking, and it is recommended to implement network-level access restrictions to protect against such vulnerabilities in Azure services.

• Local Admin + Disconnected RDP Sessions - The article discusses the security risks of gaining local administrator privileges and accessing disconnected RDP sessions. The author demonstrates how easy it is to steal a disconnected RDP session once local administrator privileges are obtained. The demo video shows how a new domain admin account can be added using a disconnected session. The article emphasizes the importance of logging out of RDP sessions to prevent unauthorized access.

• Evade IP blocking by using residential proxies - In this blog post, Dana Epp discusses how to evade IP blocking by using residential proxies. Residential proxies route internet traffic through real devices and IP addresses assigned by ISPs, making it appear more legitimate. By setting up Burp Suite to use residential proxies, API hackers can test APIs more effectively and maintain access to restricted endpoints. Additionally, Epp provides advanced tips on using mobile proxies and choosing countries with limited IP addresses to further evade IP blocking. By integrating residential proxies into their testing toolkit, hackers can stay ahead of evolving defenses and conduct API testing more stealthily.

• .Net Hooking with Frida and Fermion (Part 2) - The article discusses .Net hooking using Frida and Fermion, focusing on reading arguments passed to functions. The author encountered challenges in reading variables, but found a solution through ChatGPT's advice. They shared examples of Frida code for reading .Net variables, highlighting differences in handling instance functions and static methods. The article provides insights and code snippets to help readers understand and start their own .Net hooking projects.

• Sanitize Client-Side: Why Server-Side HTML Sanitization is Doomed to Fail - The blog "Sanitize Client-Side: Why Server-Side HTML Sanitization is Doomed to Fail" by Sonar discusses the limitations of relying solely on server-side HTML sanitization to prevent XSS attacks in web applications. The blog emphasizes the importance of implementing client-side sanitization to ensure that untrusted input is processed securely, as server-side parsing algorithms may vary across different environments. It also outlines the challenges of HTML parsing and the potential vulnerabilities that can arise from using outdated parsers. The blog suggests using a more restrictive HTML policy or third-party libraries like DOMPurify for client-side sanitization until a standardized browser-native solution is developed.

• Mind the v8 patch gap: Electron's Context Isolation is insecure - The blog post highlights potential security vulnerabilities in Electron's context isolation, particularly for apps that are not regularly updated. It discusses how V8 exploits can bypass context isolation and access dangerous APIs within the isolated context. It also provides insights for bug hunters and developers on issues they may encounter with context isolation. The post emphasizes the importance of updating Electron promptly and enabling sandboxing to enhance security measures.

• Pwning the Chip8 Emulator with Blind Format Strings - Luca Bertozzi continues his exploration of exploiting the Chip8 Emulator with blind format strings, having realized that blind format string exploits are possible. He outlines the process of leaking memory addresses, manipulating values, and overwriting GOT entries to achieve arbitrary code execution. The exploit involves generating a malicious ROM that spawns a calculator, with the author sharing the exploit code and reflecting on the learning experience of the project.

• Breaking Down Multipart Parsers: File upload validation bypass - The article discusses potential bypass techniques for multipart parsers used in web application firewalls, such as PHP, Node.js, Python, and OpenResty Lua parsers. These techniques involve manipulating the format of file uploads to bypass validation rules. The author also mentions challenges and vulnerabilities associated with multipart parsers, highlighting the need for stricter adherence to RFC guidelines for robust validation of user input. Various bypass examples are provided for popular WAFs and load balancers, showcasing the vulnerabilities in multipart parsers. The article concludes by emphasizing the importance of understanding the weaknesses in multipart parsers to ensure the security of web applications.

• Ruby's String Slice is Broken - Two bugs have been discovered in Ruby's implementation of extracting substrings, which result in incorrect return values that could lead to security vulnerabilities. The bugs involve incorrect handling of index and length arguments in the `slice` method, causing unexpected behavior. The bugs exist in versions 2.0.0 to the latest (3.3.1), and can be triggered using strings with UTF-8 encoding. Additional details and examples can be found in the Ruby documentation for String.

• Group Policy Security Nightmares pt 1 - Group Policies are important for managing and controlling an Active Directory network environment, but misconfigurations can lead to security vulnerabilities. In this blog post, the author describes a situation where users were granted full control over a registry key related to the 7-Zip installation, potentially allowing for malicious code execution. The author demonstrates how a custom DLL could be used to exploit this vulnerability, highlighting the importance of thoroughly understanding the potential impact of GPO configurations to prevent security vulnerabilities.

• A New Era of macOS Sandbox Escapes: Diving into an Overlooked Attack Surface and Uncovering 10+ New Vulnerabilities - The blog post explores sandbox escape vulnerabilities in macOS, focusing on overlooked attack surfaces in XPC services. The author discovered multiple vulnerabilities and exploits to bypass sandbox restrictions. They discuss issues such as inadequate entitlement checks, path traversal vulnerabilities, and flaws in the archive and extraction processes. The author also highlights Apple's response to the reported vulnerabilities, including patches and mitigation measures. Additionally, there is a discussion on expanding the research to find more sandbox escape vulnerabilities.

• Beating the dead horse, only to inject it some more… - The author discusses injecting code into the Windows process by manipulating window message handling procedures. They demonstrate how to redirect code execution using the Window Long Pointer and show examples of injecting code into different windows. The author emphasizes that even though this attack method has been known for over 20 years, it is still relevant and exploitable by attackers in various scenarios.

• Multiple Vulnerabilities in the Mazda In-Vehicle Infotainment (IVI) System - Multiple vulnerabilities have been discovered in the Mazda In-Vehicle Infotainment (IVI) system, specifically the Mazda Connect Connectivity Master Unit (CMU) system, which could be exploited by connecting a specially crafted USB device. These vulnerabilities could lead to arbitrary code execution with root privileges. The vulnerabilities include SQL injection, command injection, lack of authentication in the boot process, and lack of code signing on the VIP MCU. The exploitation of these vulnerabilities could result in compromising the infotainment system, gaining persistence, and potentially impacting vehicle safety. The vulnerabilities remain unpatched by the vendor, highlighting the importance of considering system security and testing complete production systems in all operational modes.

• Java(Script) Drive-By, Hacking Without 0days - Imperva offers a range of security solutions, including application security, data security, and DDoS protection. The article discusses the potential risks associated with the File System Access API in Google Chrome, which could allow attackers to execute arbitrary code on a user's machine. The author explores how this API could be abused through exploitation and symlinks, highlighting the importance of responsible disclosure and the need for enhancements to address these vulnerabilities. Imperva's security solutions aim to protect businesses from various cyber threats, including bad bots and DDoS attacks.

• CRON#TRAP: Emulated Linux Environments as the Latest Tactic in Malware Staging - Securonix recently identified a new tactic in malware staging called CRON#TRAP, where attackers use emulated Linux environments to maintain a stealthy presence on victim's machines. The attackers deploy a custom-made emulated QEMU Linux box, disguised through phishing emails, to create a backdoor connecting to an attacker-controlled C2 server. This campaign is concerning as the attackers can operate undetected within the emulated Linux environment. The attackers use tools like QEMU and Chisel to create covert communication channels and tunnel through firewalls, making detection challenging for traditional antivirus solutions. To protect against such attacks, it is recommended to avoid downloading files from unsolicited sources, monitor for script-related activity in world-writable directories, and deploy robust endpoint logging capabilities.

• Beyond RCE: Autonomous Code Execution in Agentic AI - This blog post discusses the author's exploration of Autonomous Code Execution (ACE) in Agentic AI, specifically in the context of Anthropic's Computer Use. The author utilized basic prompt injection and phishing techniques to manipulate the AI model into performing malicious actions, such as opening a calculator app. Despite encountering limitations and security warnings, the author highlights the potential risks associated with agentic systems and the importance of implementing proper security measures. The research, conducted in a day and a half, serves as a cautionary example of the implications of autonomous code execution in AI technologies.

• Uncovering Apple Vulnerabilities: The diskarbitrationd and storagekitd Audit Story Part 1 - The Kandji Threat Research team audited the macOS diskarbitrationd and storagekitd system daemons and uncovered vulnerabilities such as sandbox escapes and privilege escalations. These vulnerabilities were reported to Apple and have since been fixed. The team presented their findings at IT Security conferences and are releasing a blog series detailing the vulnerabilities. The first part of the series covers a specific vulnerability (CVE-2024-44175) that allowed attackers to escape the sandbox and escalate their privileges. Apple quickly addressed the issue in macOS Sequoia 15.1 beta 2 by enforcing restrictions on symbolic links and ensuring proper user verification.

• Malware and cryptography 34: encrypt payload via DFC algorithm. Simple C example. - In this post, the author explores using the Decorrelated Fast Cipher (DFC) algorithm to encrypt and decrypt malware payloads. They provide a simple C example that demonstrates how to implement the DFC encryption and decryption functions step by step. The DFC algorithm, though not selected as the AES standard, is known for its strong security features against cryptanalysis. However, vulnerabilities have been identified through differential attacks, which weaken the cipher's structure. The author hopes this post will be useful for malware researchers, programmers, and cybersecurity professionals alike.

• Salamander/MIME - Salamander/MIME is a technique that exploits a vulnerability in S/MIME encryption, allowing different recipients to receive different messages from the same ciphertext. This can be used for phishing attacks or other malicious purposes. Currently, there is no easy fix for this issue, and email clients like Thunderbird, Evolution, and Outlook have not taken immediate action to address it. To prevent Salamander/MIME reliably, changes would need to be made to the S/MIME specification.

• Evasive ZIP Concatenation: Trojan Targets Windows Users - A report by Perception Point discusses a new evasive tactic used by threat actors involving ZIP file concatenation to target Windows users. By appending multiple ZIP archives into a single file, attackers can hide malicious payloads in parts of the archive that some ZIP readers cannot access, allowing them to evade detection. The report provides a detailed analysis of how popular ZIP readers handle concatenated ZIP files and how this tactic can be exploited in real-life attacks to deliver trojan malware undetected. Perception Point's anti-evasion algorithm, the Recursive Unpacker, is highlighted as a solution to detect and extract hidden threats in concatenated ZIP files.

• Upcoming hardening in PHP - In an upcoming hardening for PHP, improvements have been made to make it harder for attackers to exploit vulnerabilities in PHP's heap. Techniques have been implemented to prevent arbitrary code execution through function pointer overwrites and improved allocation methods. Additional measures have been taken to improve security, such as increasing randomness in file names and preventing remote file inclusion attacks. It is recommended to keep PHP stacks updated to benefit from these security enhancements. There is a suggestion that more focus should be put on fixing vulnerabilities rather than optimizing exploitation techniques.

• Unpacking Snake Keylogger - this article examines the Snake Keylogger, a highly customizable malware designed to steal sensitive information by recording keystrokes, capturing screenshots, and collecting data. The post discusses its delivery methods, such as malicious email attachments, and techniques used to evade detection, including file obfuscation.

• Filling up the DagBag: Privilege Escalation in Google Cloud Composer - This blog explores privilege escalation in Google Cloud Composer, highlighting ways attackers may gain elevated permissions within Google Cloud Platform (GCP). The article delves into potential vulnerabilities, such as misconfigurations and insecure permissions, offering insights into how attackers leverage these weaknesses. Strategies for preventing privilege escalation, like secure configuration practices and permissions management, are also recommended.

• Machine Learning Bug Bonanza – Exploiting ML Services - JFrog's security research team has been focusing on finding and disclosing bugs in machine learning (ML) related open source projects, resulting in the discovery of 22 unique software vulnerabilities. These vulnerabilities include issues in ML frameworks and tools that could be exploited by attackers to compromise enterprise systems. The vulnerabilities range from server-side vulnerabilities like hijacking ML model registries to client-side vulnerabilities that could lead to code execution when ML models are loaded. JFrog plans to explore these vulnerabilities further in a two-part blog series.

Tools and Exploits

• lightyear - lightyear is a tool that allows users to dump files in challenging conditions using PHP filters. It can be used to dump any file using a blind file read primitive in PHP. Users can test the implementation by running specific commands and resume dumps if interrupted. The tool also provides a docker file for testing in a simple Apache+PHP environment.

• convoC2 - The GitHub repository "convoC2" is a Command and Control infrastructure that allows Red Teamers to remotely execute system commands on compromised hosts through Microsoft Teams. It infiltrates data into hidden span tags in Teams messages and exfiltrates data through Adaptive Cards image URLs. The lack of direct communication between the attacker and victim, combined with Teams log files not being scanned by antivirus, makes detection more difficult. The infrastructure requires setting up a Teams channel with a Workflow Incoming Webhook and obtaining victim and attacker IDs and authentication token to authenticate messages.

• coffeeldr - The GitHub repository "coffeeldr" is a modern and lightweight COFF loader written in Rust, designed to run COFF files on Windows supporting both 32-bit and 64-bit architectures. It offers features like memory management, dynamic relocation handling, and CLI integration. Users can load COFF files from disk or memory buffers and execute them by specifying the entry point.

• early-cascade injection - This GitHub repository contains a proof-of-concept implementation of the early cascade injection technique based on a blog post by Outflanks. The code includes hardcoded offsets/pointers and was tested on Microsoft Windows.

Threat Intel and Defense

• Cloudy With a Chance of RATs: Unveiling APT36 and the Evolution of ElizaRAT - This report by Check Point Research focuses on APT36, a threat actor known as Transparent Tribe, which targets Indian government organizations using the ElizaRAT malware. The report details the evolution of ElizaRAT and its advanced evasion techniques. The malware utilizes cloud services like Google Drive, Telegram, and Slack for command and control communication and also introduces a new stealer payload called ApoloStealer. The report highlights the group's deliberate efforts to enhance their malware for intelligence gathering and espionage, with a focus on data collection and exfiltration.

• Automatically Detecting DNS Hijacking in Passive DNS - The article discusses the automatic detection of DNS hijacking, a method used by cybercriminals to redirect users to malicious servers by modifying DNS records of domain names. The process involves processing a large number of DNS records daily and using a machine learning model to predict and detect DNS hijacking. The article provides examples of DNS hijacking incidents, including hijacking of a Hungarian political party's domain, a utility company, an ISP, a research center, and a university for illicit gambling. Palo Alto Networks offers protection against DNS hijacking through its Advanced DNS Security services.

• Unmasking Phishing: Strategies for identifying 0ktapus domains and beyond - Wiz Research explores phishing tactics, focusing on the threat actor 0ktapus. By investigating phishing campaigns and domains used by 0ktapus, researchers showcase methods for detection and analysis. Techniques such as application fingerprinting, network profiling, and domain registration analysis are highlighted. Recommendations include enforcing MFA, single sign-on, and monitoring for suspicious authentication to protect against phishing attacks. Additionally, leveraging DNS hosting patterns and domain registration analysis can help uncover new phishing domains. Ongoing vigilance and the use of these techniques can aid in detecting future phishing campaigns by 0ktapus and other threat actors.

• Unwrapping the emerging Interlock ransomware attack - Cisco Talos Incident Response recently uncovered an emerging Interlock ransomware attack where the attacker used various components in the delivery chain to conduct big-game hunting and double extortion attacks. The attacker primarily used RDP to move laterally within the victim's network and exfiltrate data using Azure Storage Explorer. Talos assesses with low confidence that Interlock ransomware may have emerged from Rhysida ransomware operators or developers. The attack methodology, TTPs, and ransomware behavior show similarities with Rhysida ransomware, indicating a possible affiliation between the two groups.

• Silent Skimmer Gets Loud (Again) - Unit 42 researchers have identified the resurfacing of the Silent Skimmer threat actor group targeting organizations involved in payment infrastructure. The adversary compromised web servers using tactics like exploiting vulnerabilities in Telerik UI to gain access and dump payment information. They used techniques like mixed mode assemblies, installing reverse shells, and creating malware-laden Python scripts. The threat actor also leveraged tools like GodPotato and Cobalt Strike for post-exploitation activities. The researchers observed similarities between this campaign and previous ones, highlighting the need for organizations to patch vulnerabilities and stay vigilant.

• BlueNoroff Hidden Risk | Threat Actor Targets Macs with Fake Crypto News and Novel Persistence - SentinelOne has observed a suspected DPRK threat actor targeting Crypto-related businesses with novel multi-stage malware, called Hidden Risk. This campaign uses fake news about cryptocurrency trends to infect targets via a malicious application disguised as a PDF file. The threat actor, attributed to BlueNoroff, uses a novel persistence mechanism abusing the Zsh configuration file to maintain persistence on infected macOS machines. The campaign is part of a series of attacks by North Korean-affiliated threat actors targeting cryptocurrency-related businesses, showing an evolution in tactics to bypass Apple security technologies and acquire valid Apple developer accounts.

• AsyncRAT’s Infection Tactics via Open Directories: Technical Analysis - This article provides a technical analysis of AsyncRAT's infection tactics through open directories. It covers two methods used to distribute the malware through publicly accessible files, highlighting how attackers constantly adapt to infect victims. The analysis includes deobfuscated VBS scripts, PowerShell files, and scheduled tasks used in the infection process.

• CopyRh(ight)adamantys Campaign: Rhadamantys Exploits Intellectual Property Infringement Baits - Check Point Research is tracking an ongoing phishing campaign known as CopyRh(ight)adamantys, which uses a copyright infringement theme to distribute the Rhadamanthys stealer. The campaign targets organizations across various regions and impersonates companies in the Entertainment/Media and Technology/Software sectors. The latest version of Rhadamanthys (0.7) includes an AI-powered OCR module, but it uses older machine learning technology instead. The campaign appears to be financially motivated and utilizes automation to maximize its reach and success rates.

• Bengal cat lovers in Australia get psspsspss’d in Google-driven Gootloader campaign - Bengal cat lovers in Australia were targeted by a Gootloader campaign, where fake cat websites were used to deliver malware through search engine optimization tactics. The Gootloader campaign evolved into an initial access as a service platform, with the primary payload being Gootkit, a remote access Trojan. The campaign used SEO poisoning to deliver malicious payloads to victims, with the goal of establishing a persistent foothold in their network environment. Sophos conducted a threat hunt campaign to identify and analyze the Gootloader instances, providing technical details of the campaign and the malware's behavior.

• New SteelFox Trojan mimics software activators, stealing sensitive data and mining cryptocurrency - The SteelFox Trojan is a new crimeware bundle that imitates popular software products like Foxit PDF Editor and AutoCAD to spread malware. It uses stealer and miner malware to extract sensitive data and mine cryptocurrency from infected devices. The campaign targets a wide range of users globally, with most affected users in Brazil, China, Russia, and other countries. To protect against threats like SteelFox, users are advised to install applications from official sources and use reliable security solutions.

• Inside Intelligence Center: LUNAR SPIDER Enabling Ransomware Attacks on Financial Sector with Brute Ratel C4 and Latrodectus - EclecticIQ researchers identified a malvertising campaign linked to the LUNAR SPIDER threat actor group using Latrodectus to deliver the Brute Ratel C4 malware. This Russian-speaking group has been active since 2009 and is known for developing high-profile malware families like IcedID. The group has connections with other ransomware groups and has recently shifted to using Brute Ratel C4 instead of IcedID. The campaign targeted financial services using SEO poisoning to infect victims with the malware. The collaboration and shared infrastructure between LUNAR SPIDER and other ransomware groups were also highlighted.

• Steam Account Checker Poisoned with Infostealer - A script called "steam-account-checker" targeting Steam users was found on Github. The script was obfuscated to hide malicious code, which was decoded using Fernet encryption. The decoded payload installs a module, saves another payload to a file in %APPDATA%, and executes it, collecting data and exfiltrating it to a specific URL. This serves as a reminder to be cautious of code downloaded from Github as it may contain malicious elements.

• Unmasking VEILDrive: Threat Actors Exploit Microsoft Services for C2 - Threat hunters have uncovered an ongoing threat campaign called "VEILDrive" that exploits Microsoft services like Teams, SharePoint, Quick Assist, and OneDrive for command and control purposes. The threat actor used a unique OneDrive-based C&C method embedded in Java-based malware to evade detection by traditional security tools. The attacker targeted multiple organizations, likely originating from Russia, and shared their findings with Microsoft to shut down the actor's infrastructure. The malware used in the campaign lacked obfuscation but was able to evade detection by modern security mechanisms, highlighting the need to revisit detection strategies. The report provides detailed insights into the attack methods and recommends proactive threat hunting and monitoring to mitigate similar threats in the future.

• Detecting CVE-2020-0688 Remote Code Execution Vulnerability on Microsoft Exchange Server - TrustedSec detected a Remote Code Execution vulnerability (CVE-2020-0688) on Microsoft Exchange servers in February 2020, which allows attackers to execute embedded commands. The vulnerability affects all Exchange Servers until a patch was released. The exploit involves sending a specially crafted payload to the server, triggering the execution of malicious commands as SYSTEM. Indicators of compromise include unusual SYSMON Event IDs and logs showing suspicious GET requests with __VIEWSTATE variables. TrustedSec's Research Team verified the validity of proof of concept exploits for this vulnerability.

• Strengthening Local Admin Security in Windows 11 with Local Administrator Protection - The blog discusses a new feature in Windows 11 Insider build called Local Administrator Protection which aims to eliminate always-on admin rights by using a hidden elevation mechanism to provide just-in-time privileges when needed. This feature creates a System Managed Admin Account dynamically linked to the primary admin account to ensure elevated operations run in a separate context. It provides a more secure environment for privileged operations compared to traditional split tokens and mitigates the risk of compromised local admin rights. Instructions on how to enable Administrator Protection are also provided.

• QSC: A multi-plugin framework used by CloudComputating group in cyberespionage campaigns - The article discusses the introduction of a new modular framework known as QSC in cyberespionage campaigns by the CloudComputating group. The framework is utilized for targeted attacks on organizations, particularly in the telecom sector, with components such as the Loader, Core module, Network module, File Manager module, and Command Shell module. The CloudComputating group has also deployed a new backdoor named GoClient alongside the QSC framework. The article delves into the deployment, post-compromise activities, and lateral movement tactics used by the threat actors, attributing the activities to the CloudComputating group.

• Life on a crooked RedLine: Analyzing the infamous infostealer’s backend - ESET researchers have analyzed the backend modules of the infamous RedLine Stealer malware-as-a-service operation, which was recently taken down by international authorities. The malware operates on a MaaS model, allowing affiliates to buy a control panel to generate malware samples and collect information. The analysis reveals that RedLine and its clone, META Stealer, share the same creator and infrastructure, and both have been disrupted by law enforcement. The research provides insight into the inner workings and global reach of these infostealer operations.

• Threat Campaign Spreads Winos4.0 Through Game Application - A threat campaign is spreading the advanced malware framework Winos4.0 through gaming-related applications, including installation tools and speed boosters. The malware is capable of executing various actions and maintaining control over compromised systems. Users are advised to be cautious when downloading applications and only use software from trusted sources.

• Breaking Down Earth Estries' Persistent TTPs in Prolonged Cyber Operations - Earth Estries is a threat actor group utilizing various tactics, techniques, and tools, such as malware like Zingdoor and Snappybee, in their cyber operations. They employ two distinct attack chains involving tools like PsExec, Cobalt Strike, Trillclient, Hemigate, and Crowdoor to maintain persistence, perform lateral movement, and steal credentials. Earth Estries also utilizes attack surface risk management and advanced container scanning to protect against threats in cloud-native environments.

• Supply Chain Attack Using Ethereum Smart Contracts to Distribute Multi-Platform Malware - Checkmarx details a novel supply chain attack using Ethereum smart contracts to deploy cross-platform malware. This tactic exploits the decentralized nature of Ethereum to evade detection and spread malware across various platforms. The attack underscores the growing threat within cryptocurrency ecosystems, leveraging contracts for hidden, malicious payloads across supply chains.

• ClickFix tactic: Revenge of detection - This blog discusses the "ClickFix" tactic, where attackers evade detection by manipulating URL shorteners to disguise malicious links in emails. This tactic leverages "cloaking," allowing hackers to deliver malware-laden links that avoid security measures. SEKOIA highlights how this approach bypasses conventional defenses and emphasizes the need for adaptive detection and email filtering strategies to counter such evolving techniques.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• Hacking 700 Million Electronic Arts Accounts - In June 2021, it was reported that hackers had gained access to approximately 700 million Electronic Arts (EA) player accounts, including personal information and source code for popular games. The hacker, Sean Kahler, was attempting to sell the stolen information on underground forums. EA stated that they had since taken steps to enhance security measures and are working with law enforcement to investigate the breach. Kahler has a history of hacking and was previously convicted for similar offenses.

• STUBborn: Activate and call DCOM objects without proxy - The article discusses the use of the STUBborn tool to interact directly with DCOM objects on Windows without using proxy DLLs. The tool allows for custom RPC clients to connect to DCOM objects and interact with their interfaces. By exploring COM internals and using custom RPC clients, the tool can instantiate objects and perform operations without relying on the COM proxy machinery. This method can be used for forensics purposes and offers potential for further exploration of Windows internals.

• Keyrings dump with keydump: Extracting SSSD cleartext credentials - The article discusses a method of extracting SSSD cleartext credentials by using keydump to dump keyrings on Linux. The process involves injecting shellcode into the target process to read and extract keys, specifically passwords stored by sssd. The attack can be prevented by blocking ptrace or using security modules like SELinux or Apparmor. The article provides a detailed explanation of the process and includes references to related resources and tools.

• Under the microscope: Ecco the Dolphin — Defender of the Future - The article discusses cheat codes in the Dreamcast game Ecco the Dolphin: Defender of the Future, where special features can be unlocked by entering specific names when saving the game. By reverse-engineering the encoding scheme using Ghidra and Python, the author identified cheat names and their corresponding effects such as unlocking all levels, immortality mode, and debug display. The author also explores the game's memory snapshot and explains how they were able to uncover the cheat functionality through analysis and brute force testing.

• Flare-On 11 Challenge Solutions - The Flare-On 11 challenge has concluded with only 275 out of 5,300 players successfully completing all 10 stages. The challenge authors are thanked for their great puzzles and solutions, with some stages proving to be favorites among participants. The difficulty curve was smoother this year, with more people falling off at stages 5, 7, and 9. Vietnam had the most finishers this year, followed by the USA. The solutions for each challenge are available on the Google Cloud blog.

• Chrome Stealer - This blog post details the decryption process of Chrome saved passwords using C/C++ by the author. The process involves extracting the encryption key and decrypting the passwords stored in the SQLite database using AES-256 encryption. The author also mentions the use of external libraries such as Libsodium for decryption. The post concludes with a reminder about ethical use of the tool and credits to external resources used in the process.