Last Week in Security - 2024-11-18
We're Hiring!
Immediate Open Positions:
Maryland Applicants:
We have openings for a Cryptologic Computer Scientist, Cyber Operator Developer Analyst, Ethical Hacker, Information Assurance Specialist, Information Systems Security Officer, Jr. Offensive Cyber Operator, Red/Blue Team Engineer, Senior Web Application Penetration Tester, Systems Engineer, Data Scientist, HPC Software Engineer, Information Systems Security Engineer, Operations Research Analyst, Reverse Engineer, and Software Engineer.
Virginia Applicants:
Available opportunities: DevSecOps Engineer and Red Team Operator - Senior.
For more open positions visit: https://www.sixgen.io/careers
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools, and exploits from the past week. This post covers 2024-11-11 to 2024-11-18.
News
VMware Fusion and Workstation are Now Free for All Users - VMware Fusion and Workstation are now available for free to all users, including commercial, educational, and personal users. The paid versions of these products, Workstation Pro and Fusion Pro, are no longer available for purchase. Current subscribed customers will continue to receive support until the end of their contract term. The free version of the products will include all features of the paid version and will be supported through online resources and community forums.
Global Companies Are Unknowingly Paying North Koreans: Here’s How to Catch Them - Global companies are unknowingly paying North Koreans who are posing as legitimate workers to infiltrate organizations worldwide. These workers are generating substantial revenue that directly funds North Korea's weapons programs. Unit 42 has developed a guide for network defenders to detect these operatives through a multi-faceted strategy that includes enhanced IT asset management and strengthened security awareness. They recommend implementing a risk matrix tailored to each organization's environment to identify red flags and prevent the exfiltration of sensitive data.
Massive MOVEit Vulnerability Breach: Hacker Leaks Employee Data from Amazon, McDonald’s, HSBC, HP, and Potentially 1000+ Other Companies - A hacker exploited a critical vulnerability in MOVEit, a file transfer software, leading to a massive data breach exposing employee data from prominent companies like Amazon, McDonald’s, HSBC, and HP, among others. The leaked data includes employee directories with detailed personal information, putting individuals at risk of phishing, identity theft, and social engineering attacks.
Biden Asked Microsoft to “Raise the Bar on Cybersecurity.” He May Have Helped Create an Illegal Monopoly. - President Joe Biden asked tech companies to improve cybersecurity, prompting Microsoft to offer free upgrades and consulting services to the government. While this boosted government cybersecurity, it also helped Microsoft solidify its hold on federal business and sideline competitors. Legal and contracting experts raised concerns about the legality of these deals, as they may violate federal procurement and antitrust laws. The White House distanced itself from Microsoft's offer and stated that agencies were responsible for accepting it. Critics worry that this concentration on Microsoft leaves the government vulnerable.
Inside the DemandScience by Pure Incubation Data Breach - Troy Hunt discusses a data breach at DemandScience by Pure Incubation, where over 183 million records were put up for sale on a hacking forum. The data aggregator company sells personal information obtained from public sources, and Hunt found his own information in the breach. Many individuals are not concerned about their data appearing in breaches, but some believe they should be notified. Hunt emphasizes the importance of understanding how personal data is used and the potential consequences of its exposure.
Lessons from a Honeypot with US Citizens’ Data - Lessons were learned from a honeypot with US citizens' data to identify vulnerabilities and threats, with a focus on protecting the 2024 US Presidential Election. The honeypot attracted attackers using tools like FFUF and Masscan, highlighting the importance of strong access controls and prompt application of security patches to mitigate cyber risks. Monitoring dark web activity and utilizing honeypots can provide insights into emerging threats and help strengthen the security of critical systems.
Biohackers Encoded Malware in a Strand of DNA - A group of biohackers has encoded malware in a physical strand of DNA, demonstrating a potential threat to computer systems. The researchers at the University of Washington showed that DNA can carry malicious software, which can corrupt gene-sequencing software and take control of a computer. While this attack is not currently practical, it represents a potential future threat as DNA sequencing becomes more common and handled by third-party services. The research highlights the need to consider cybersecurity risks in computational biology systems and the possibility of DNA-based computer attacks in the future.
Rand Paul has plans to kneecap the nation’s cyber agency - Senator Rand Paul, set to chair the Senate Homeland Security Committee, has announced plans to either eliminate or significantly reduce the powers of the Cybersecurity and Infrastructure Security Agency (CISA), citing concerns over its approach to misinformation and alleged free speech infringements. While Paul is likely to encounter bipartisan resistance, he has signaled potential hearings and scrutiny of CISA’s role in misinformation efforts. CISA defends its mission, emphasizing its focus on securing U.S. infrastructure.
Techniques and Write-ups
Release-Drafter To google/accompanist Compromise: VRP Writeup - Adnan Khan discovered a vulnerability in the release drafter action that could lead to a supply chain attack. He reported the issue to Google's VRP and the action's maintainers. The vulnerability could allow attackers to modify tags associated with the action, compromising downstream users. Khan created a proof of concept to demonstrate the vulnerability and highlighted the importance of using third-party GitHub Actions by SHA instead of mutable tags to avoid such attacks.
CVE-2024-47575 Technical Analysis - CVE-2024-47575 is a critical vulnerability in FortiManager that allows an attacker to execute arbitrary code or commands via specially crafted requests. The flaw is exploited by registering a new "local device" with a serial number, granting the attacker Remote Code Execution (RCE) on FortiManager. By decrypting the firmware and manipulating the FGFM protocol, an unauthenticated attacker can reach the vulnerable code path and achieve RCE with root privileges. Patches are available and should be applied immediately to prevent exploitation.
Offset-free DSE bypass across Windows 11 & 10: utilising ntkrnlmp.pdb - This blog post discusses a method for bypassing driver signature enforcement (DSE) on Windows 11 and 10 by utilizing ntkrnlmp.pdb to eliminate the need for static offsetting. The technique allows for the dynamic bypass of DSE across multiple Windows versions without causing system instability. By parsing ntkrnlmp.pdb and downloading corresponding PDB files, the exploit can patch kernel functions, load unsigned drivers, and restore original protections, enabling red teams to perform more effective engagements. The method simplifies payload delivery, facilitates stealth operations, and preserves system availability by avoiding BSOD incidents.
Bipolar Disorder: Pivoting with TailScale - The article discusses using TailScale, a VPN solution, for pivoting in a post-exploitation context, allowing attackers to move around networks and bypass restrictions. The process involves installing TailScale on compromised machines, configuring routing and NAT settings, and using it to gain access to hidden network segments. The tool is praised for its ease of use, NAT traversal capabilities, versatility, cross-platform support, and flexibility in network management. However, the article also warns against using TailScale for malicious purposes, as it can be used by attackers to infiltrate and bypass traditional defense mechanisms, requiring a deep understanding of networking and detailed configuration.
Exploiting KsecDD through Server Silos - An admin-to-kernel technique involving the KsecDD driver was discovered earlier this year, allowing LSASS to execute arbitrary kernel code with limitations involving LSASS and Server Silos. The author's proof-of-concept revealed that only LSASS can access the KsecDD driver due to Server Silo constraints, leading researchers to investigate Server Silos to work around this limitation. By manually creating a Server Silo and connecting to KsecDD, researchers were able to execute arbitrary code in kernel space. However, they encountered a limitation of only being able to run the exploit four times before triggering a kernel crash, prompting further research to overcome this issue.
Blinded by Silence: How Attackers Disable EDR - Endpoint Detection and Response systems (EDRs) are crucial for modern cybersecurity, providing real-time threat visibility and response capabilities. Attackers can disable EDRs using tools like EDRSilencer and NimBlackout, leading to reduced visibility and delayed threat detection. Tools like EDRSilencer and EDRSandBlast use Windows Filtering Platform (WFP) to block communication of EDRs, allowing attackers to maintain access without detection. Monitoring for specific signals and indicators can help defenders detect these evasive tactics and enhance their detection capabilities. Several open-source and threat actor tools, like AuKill, demonstrate the evolving tactics used to bypass EDRs and pose significant challenges to cybersecurity defenders.
Killing Filecoin nodes - Trail of Bits identified and reported a vulnerability in the Lotus and Venus clients of the Filecoin network that allowed attackers to crash a node and trigger a denial of service. The issue was caused by incorrect validation of an index, leading to an out-of-range panic. Filecoin is a network for storing and retrieving files built on the IPFS protocol, and vulnerabilities like this highlight the importance of using unsigned integers and proper validation practices in blockchain node development. Lotus and Venus fixed the issue by casting to unsigned integers, and developers are advised to follow similar practices to prevent similar problems in their codebase.
The Problem with IoT Cloud-Connectivity and How it Exposed All OvrC Devices to Hijacking - Team82 conducted research on the security of the OvrC cloud platform, revealing 10 vulnerabilities that allowed attackers to execute code on OvrC cloud-connected devices. The vulnerabilities affected OvrC Pro and OvrC Connect, impacting devices such as cameras, routers, and home automation systems. By exploiting these vulnerabilities, attackers could access and control devices, posing a risk to user data and businesses. SnapOne and CISA addressed the vulnerabilities, improving the security of the platform. The research highlighted common security weaknesses in IoT devices and the importance of securing cloud-connected devices.
Firefox Animation CVE-2024-9680 - Dimitri Fourny analyzed a recent Firefox vulnerability, CVE-2024-9680, which was patched in Firefox 131.0.2. The vulnerability allowed for code execution in the content process by exploiting a use-after-free issue in animation timelines. Fourny detailed how the vulnerability could be triggered and exploited, despite limited public information and the absence of a Proof of Concept. Fourny's analysis revealed that the bug was successfully patched by Firefox, preventing potential exploitation in the future.
Arbitrary Write Privilege Escalation - CVE-2024-50804 - G3tSyst3m's Infosec Blog discusses an arbitrary write privilege escalation vulnerability, CVE-2024-50804, found in MSI Center Pro software for MSI branded machines. The vulnerability allows for an elevation of privilege to SYSTEM due to how files are handled by the MSI.CentralServer.exe process. The blog details the discovery of the vulnerability, communication with MSI to develop a patch, and a walkthrough of the exploit. After contacting MSI in September 2024, the patched version of the software was released to the Microsoft store on November 14, 2024.
x64 Assembly & Shellcoding 101 - Part 5 - In this blog post, the author discusses x64 Assembly & Shellcoding, specifically focusing on dynamically locating kernel32 and collecting PE Export Table info. The code includes steps to locate GetProcAddress, LoadLibraryA, ExitProcess, user32.dll, and MessageBoxA addresses. The author notes that the code for dynamically locating kernel32 is longer than the other sections, but overall, the process is not too complicated. The post concludes with the creation of shellcode using C++ to execute the operations outlined in the code. Additionally, the author hints at future topics such as sockets and a reverse shell.
x64 Assembly & Shellcoding 101 - Part 6 - In part 6 of x64 Assembly & Shellcoding 101, the author delves into writing a reverse shell using x64 assembly, acknowledging the complexity of the task. They provide code snippets and explanations on setting up sockets, initiating socket connection, and creating the STARTUPINFOA structure. The post ends with a handcrafted reverse shell ready for use. The author hints at Part 7, where they will dynamically locate APIs without using EXTERNS.
Bypass GuardDuty Pentest Findings for the AWS CLI - The article discusses how to bypass GuardDuty Pentest Findings for the AWS CLI by modifying the User-Agent string in AWS API requests to avoid triggering alerts. GuardDuty is a threat detection service that monitors for malicious activity, including common penetration testing Linux distributions. By using Burp Suite as a proxy and modifying the User-Agent string, it is possible to make requests to the AWS API without raising suspicions from defenders or triggering GuardDuty alerts. This method allows cloud Penetration Testers and Red Teamers to interact with AWS services without leaving suspicious artifacts in logs.
Babble Babble Babble Babble Babble Babble BabbleLoader - Intezer offers an Autonomous SOC Platform that utilizes AI automation for triage, investigation, remediation, and escalation of serious threats. They provide a solution to connect security tools, including for reported phishing, endpoint alerts, SIEM alerts, and SOAR playbooks. Intezer also offers solutions for service providers, such as MSSPs, to scale their operations. BabbleLoader is a sophisticated and evasive loader that challenges traditional and AI-based detection systems through techniques like junk code insertion, metamorphic transformations, and dynamic API resolution. It is designed to deliver stealers into memory, making it difficult to detect and analyze.
Hop-Skip-FortiJump-FortiJump-Higher - Fortinet FortiManager CVE-2024-47575 - Fortinet FortiManager experienced a severe vulnerability, CVE-2024-47575, allowing unauthorized control of all Fortinet FortiGate appliances. The vulnerability was actively exploited in the wild since June, leading to mass exploitation and potential breaches. WatchTowr team discovered further vulnerabilities in FortiManager codebase, including a privilege escalation flaw termed 'FortiJump Higher.' Despite Fortinet releasing a patch, there are concerns about its effectiveness, prompting WatchTowr to disclose the vulnerabilities. The blog raises questions about Fortinet's patching process and overall code quality, emphasizing the importance of continuous security testing.
Visionaries Have Democratised Remote Network Access - Citrix Virtual Apps and Desktops (CVE Unknown) - Citrix's Virtual Apps and Desktops system has been found to have a bug chain that could potentially lead to Remote Code Execution (RCE), with a focus on exploiting the flaws related to Citrix Session Recording. By taking advantage of misconfigured Microsoft Message Queuing (MSMQ) permissions and using BinaryFormatter deserialization, attackers could exploit this system to gain access and execute arbitrary code. Additionally, the system's exposure of MSMQ over HTTP adds another layer of vulnerability. The disclosure process involved detailed testing and communication with Citrix, with the company eventually releasing a fix for the vulnerabilities. These issues highlight the importance of continuous security testing and monitoring to protect against emerging threats and vulnerabilities.
Everyday Ghidra: Ghidra Data Types — Creating Custom GDTs From Windows Headers — Part 2 - The article discusses how to create custom Ghidra Data Types (GDTs) from Windows headers, focusing on NDIS data types. It explains the importance of data types in reverse engineering and walks through the process of defining custom data types using Ghidra's C Header Parser. The article also explores a workaround method involving preprocessing headers using a compiler before importing them into Ghidra, resulting in more accurate decompilation results and improved analysis of binaries. By following these steps, users can enhance their reverse engineering capabilities and interpret critical data types more efficiently.
Arc Browser UXSS, Local File Read, Arbitrary File Creation and Path Traversal to RCE - The Arc Browser had multiple vulnerabilities, including UXSS, Local File Read, Arbitrary File Creation, and Path Traversal that could lead to Remote Code Execution. By exploiting the browser's boost creation feature, an attacker could create malicious boosts with access to sensitive system files. Additionally, by using path traversal, the attacker could create arbitrary files and execute code on the victim's machine. The vulnerabilities were reported and patched, with a bounty awarded to the researcher who discovered them.
Creating a Nix Workflow to Fuzz netconsd - The author created a Nix workflow to fuzz test the `netconsd` software after being inspired by a blog post by Fady Othman. The workflow was designed to make it easy for others to reproduce and use for fuzz testing. The author found persistent mode fuzzing to be easier than expected and while they did not discover any significant vulnerabilities, they found the experience valuable. In addition to their fuzzing work, the author is also writing a book on effective writing for software developers.
SoftBank RP562B Wi-Fi Mesh under the Microscope - A Security Analysis - NeroTeam Labs conducted a vulnerability analysis on the SoftBank Wi-Fi Mesh RP562B, identifying several security flaws including Missing Authentication for Critical Function, OS Command Injection, and Exposure of Sensitive Information. The vulnerabilities allow unauthorized access to the network, execution of arbitrary shell commands, and leakage of sensitive system information. They recommend fixes such as implementing authentication requirements, input validation, and encryption of XML configuration parameters. Exploits for these vulnerabilities are available on GitHub.
Microsoft Dev Tunnels: Tunnelling C2 and More - Attackers are utilizing Microsoft Dev Tunnels, legitimate tools, for malicious activities to establish undetected C2 channels. The Dev Tunnels allow developers to expose services running locally to remote hosts through Microsoft infrastructure, creating opportunities for abuse by threat actors. Detection of C2 activity using Dev Tunnels is challenging, as the binary does not need to be present on the target host, making it difficult to detect on network-based telemetry. Dev Tunnels can also be used for persistent access by exposing ports like RDP and SSH, providing threat actors with a way to establish remote access and evade detection by blue teams.
How split() Can Prevent None Exploitation in JWT Validation - The blog discusses how utilizing the split() function can prevent None exploitation in JWT validation. The code example provided ensures that the token is split into exactly three parts, preventing empty trailing strings. The importance of understanding string handling in JWT validation for effective security code reviews is emphasized, highlighting the potential vulnerabilities that well-intentioned improvements can introduce. The blog is written by the Founder and CEO of PentesterLab, emphasizing the need for scrutinizing assumptions about code behavior in security assessments.
GitHub Enterprise SAML Authentication Bypass (CVE-2024-4985 / CVE-2024-9487) - A vulnerability in GitHub Enterprise's SAML implementation was discovered, allowing attackers to bypass SAML authentication and gain unauthorized access. The flaw was reported to GitHub and a patch was released under the CVE-2024-9487 and CVE-2024-4985 identifiers. By manipulating signatures and encrypted assertions, attackers could exploit the vulnerability to access user accounts. The ProjectDiscovery blog provides a detailed analysis of the vulnerability, including a proof of concept and templates for detecting and exploiting the issue.
How AitM phishing kits evade detection: Part 2 - Attackers are constantly evolving their techniques to defeat detections based on page signatures, specifically focusing on login pages of popular identity providers like Microsoft and Google. They use a variety of evasion strategies, including DOM obfuscation, visual obfuscation, and techniques like dynamic text decoding, image element obfuscation, and logo substitution to make their malicious pages look visually identical but differ significantly in underlying code. These tactics aim to thwart automated detection tools and stay one step ahead of defenders, highlighting the ongoing cat-and-mouse game between attackers and security professionals.
Pishi: Coverage guided macOS KEXT fuzzing. - Pishi is a coverage-guided macOS KEXT fuzzing tool developed through research focusing on Linux kernel security and macOS/iOS. The tool uses static binary rewriting to instrument XNU kernel and macOS KEXTs at basic block level, aiming to guide fuzzing towards vulnerabilities. The researcher delved into the complexities of decoding and parsing image files in Apple's ImageIO framework, particularly focusing on the High Efficiency Image File Format (HEIF). The blog post discusses the challenges and methodologies of instrumenting basic blocks, optimizing performance, and additional features such as data flow coverage, sharing coverage for remote attack surfaces, and further resources for binary-level coverage analysis and data flow sensitive fuzzing. Overall, the goal is to make fuzzing approachable and effective for macOS kernel and drivers.
Reproducing CVE-2024-10979: A Step-by-Step Guide - This blog post provides a step-by-step guide on reproducing the vulnerability CVE-2024-10979 in PostgreSQL, where environment variable mutations are incorrectly allowed from trusted code. It includes instructions on setting up PostgreSQL functions, compiling a C function, and testing the vulnerability. The importance of applying security patches promptly is highlighted, and the guide is intended for educational purposes only. It emphasizes the need to keep PostgreSQL installations up-to-date with the latest patches to protect against vulnerabilities.
Fault Injection – Down the Rabbit Hole - HN Security is exploring fault injection attack techniques to understand their potential. They offer training courses to help fortify security defenses and safeguard digital assets. The articles describe techniques, such as voltage glitching, to perform fault injection on chips like the ESP32. The author uses a script to emulate fault injection in a virtual environment using Ghidra for CPU emulation and analyzes the results to interpret the effects of the injected faults. The ultimate goal is to better understand and improve security defenses against fault injection attacks.
Attacking JWT with Self-Signed Claims - JSON Web Tokens (JWTs) are commonly used for passing authorization information in applications and APIs. This post discusses lesser-known attacks against JWT using self-signed claims. Attackers can exploit vulnerabilities in the JWS headers, specifically with public key validation, to generate self-signed tokens that may be accepted by the server. The post provides step-by-step instructions on how to generate keys for the attack and demonstrates how to modify claims in a JWT to impersonate users and gain elevated permissions in a vulnerable application. It also suggests practicing these techniques in lab environments to understand and mitigate potential vulnerabilities.
Linux Kernel Vsock 1-day Analysis - After participating in POC 2024 and Pwn2Own Ireland 2024, the author of the blog has allocated time to analyze new attack surfaces in the Linux kernel for kernelCTF. They focus on vulnerabilities exp196 and exp197 related to VirtIo, but have not successfully reproduced them yet. The analysis identifies a bug pattern where the kernel forgets to update objects after freeing them, leading to a potential vulnerability (CVE-2023-5345). The author explores how the vulnerable function can be triggered and encounters challenges due to locking issues. They plan to continue investigating and update the blog with any new progress.
Linux Kernel Perf CVE-2023-6931 Analysis - The Linux Kernel Perf CVE-2023-6931 vulnerability involves a size mischeck issue in the kernel's perf event creation process. The vulnerability occurs when the cumulative read size for group events is not validated, leading to potential kernel panics. To exploit the vulnerability, the author allocates multiple objects and a buffer in kmalloc-2048, targeting function pointer members to control RIP and bypass KASLR. Heap shaping is used to stabilize the exploitation process, making it more reliable.
A Quick Note for Perf CVE-2024-46713 - The blog post discusses a race condition vulnerability (CVE-2024-46713) found in the Linux perf subsystem. It provides details on the Perf Ring Buffer and AUX Region mechanisms, explaining how the vulnerability can be exploited. The root cause of the vulnerability is identified as the use of the wrong lock in the code. The post also mentions that the vulnerability cannot be exploited in the kernelCTF environment due to the lack of support from the enabled PMUs.
ModeLeak: Privilege Escalation to LLM Model Exfiltration in Vertex AI - In a recent study by Palo Alto Networks researchers, two vulnerabilities were discovered in Google's Vertex AI platform that could allow attackers to escalate privileges and exfiltrate models. By deploying a malicious model, attackers could gain access to sensitive ML and LLM models, potentially putting critical assets at risk. The study highlights the importance of implementing strict controls on model deployments and emphasizes the need for oversight and validation of all models before deployment. Palo Alto Networks has shared these findings with the Cyber Threat Alliance to help protect customers from such threats.
The cost of a NAND chip off attack is 170.87€ - The cost of a NAND chip-off attack is 170.87€, with tools becoming more affordable for hardware attacks. The attack involves physically removing the NAND memory from a target board, reading and possibly writing to it. The process can be done relatively quickly with tools such as a digital microscope, hot air station, programmer, flux, solder paste, and solder wick. Recovering the firmware can reveal vulnerabilities and enable further exploitation, such as achieving remote code execution. Additional steps may be needed to modify and solder the flash contents back to the target.
Abusing AD-DACL: AllExtendedRights - This post discusses the exploitation of Discretionary Access Control Lists (DACL) in Active Directory environments through the AllExtendedRights permission, which can be used by attackers to elevate privileges and compromise critical resources. The lab setup, methods of exploitation, and detection mechanisms are outlined, along with recommendations for mitigating vulnerabilities. Tools such as Bloodhound, Net RPC, Powerview, and BloodyAD are used to demonstrate how this permission can be abused to change passwords and conduct attacks. Security professionals are provided with insights to recognize and defend against these threats.
Abusing AD-DACL: ForceChangePassword - This post discusses the exploitation of Discretionary Access Control Lists (DACL) using the ForcePasswordChange permission in Active Directory environments. It outlines the lab setup needed to simulate these attacks, methods mapped to the MITRE ATT&CK framework, and detection mechanisms for identifying suspicious activities related to ForcePasswordChange attacks. The post also provides recommendations for mitigating these vulnerabilities and equips security professionals with insights to recognize and defend against these threats.
Parrot Anafi Drone Reverse Engineering - The article discusses the reverse engineering of the communication between the Parrot Anafi drone and its controller through Wi-Fi. By setting up an ARP spoofing attack and analyzing the packets using tools like Wireshark, the researchers were able to understand the signals for initiating takeoff and landing sequences. They were also able to send their own commands to the drone without using the controller, demonstrating the potential vulnerabilities in the drone's network protocols. Spamming commands could disrupt the drone's normal operation, highlighting the importance of studying IoT device security.
Beyond good ol’ Run key, Part 144 - The author discovered that when the Acrobat Reader program starts, it checks a specific folder for .api files which are loaded as DLLs. The program expects to find two legitimate .api files in the folder, but any *.api file dropped there will be executed. This could potentially be used for malicious purposes by dropping a malicious DLL in the folder.
AdobeFips – Adobe Reader Lolbin - The author discovered that Adobe Reader contains a program called AdobeFips.exe, which is actually an OpenSSL client signed by Adobe. This allows users to run OpenSSL commands directly from Adobe Reader, enabling various features such as downloading files, encryption, and reverse shell capabilities. The author found this discovery to be both engaging and fascinating.
Skeletons in the Closet: Legacy Software, Novel Exploits - Praetorian recently discovered a critical security vulnerability in Ivanti Endpoint Manager software that allowed for privilege escalation through code injection. By manipulating the Host header, the team was able to run system commands with Administrative privileges. Despite reporting the issue to Ivanti, no CVE was awarded due to the software being end-of-life. This incident highlights the importance of regularly patching and testing legacy systems to prevent exploitation of vulnerabilities. Additionally, it emphasizes the need for companies to have robust vulnerability disclosure programs and bug bounty programs to encourage researchers to report security flaws.
Making Sense of Kubernetes Initial Access Vectors Part 2 - Data Plane - In the blog post, the focus is on Kubernetes data plane access, including applications running on the cluster, container images, and execution-as-a-service workload types. The post discusses potential initial access vectors for attackers, such as exploiting vulnerabilities in applications and container images, as well as security measures to contain and prevent unauthorized access. It emphasizes the importance of using security boundaries, Pod Security Standards, network policies, and proper image verification to secure Kubernetes clusters. Additionally, it highlights the risks associated with NodePort services, container image trust, and execution-as-a-service infrastructure, providing recommendations to enhance security in these areas.
Making Sense of Kubernetes Initial Access Vectors Part 1 – Control Plane - Kubernetes is a popular system for deploying workloads in cloud-native environments, but it faces security threats, such as unauthorized access to the control plane. This blog series discusses initial access vectors to Kubernetes clusters, focusing on the control plane. Risks include misconfigurations in API access and Kubelet API access, which could lead to cluster compromise. Detection and prevention strategies are outlined to help operators and security professionals secure their clusters. The next post will cover data plane access vectors.
Linux Kernel Perf CVE-2023-5717 Quick Analysis - The Linux Kernel Perf CVE-2023-5717 is a vulnerability that affects the Linux perf subsystem, leading to an out-of-bounds write due to inconsistencies between parent and child events. The patch for this vulnerability addresses issues related to event inheritance and ensures that all events are properly inherited to prevent recursive event hierarchies. The root cause of the vulnerability lies in the timing window between detaching sibling and child events, which can result in an out-of-bounds write if the sibling counts differ between the parent and child groups.
x64 Assembly & Shellcoding 101 - Conclusion - G3tSyst3m concludes the x64 Assembly & Shellcoding 101 series by coding a reverse shell in pure x64 assembly. The blog post covers the familiar x64 assembly prologue, function name lookup, and locating various APIs like LoadLibraryA, ExitProcess, CreateProcessA, and more. The post also delves into creating a socket, connecting to an attacker box listener, and executing commands with cmd.exe. The series wraps up with a discussion on compiling the code, obtaining shellcode, and potential future paid offerings for advanced x64 assembly courses.
Security Flaws in Rakuten 5G Turbo R2314M-JP - An In-Depth Analysis - The Rakuten 5G Turbo R2314M-JP home router is vulnerable to multiple security flaws, including Missing Authentication for Critical Function, OS Command Injection, and Exposure of Sensitive Information. These vulnerabilities could allow attackers to gain full control over the device, execute arbitrary commands, and access sensitive information. The recommended fixes include implementing authentication for critical functions, validating input parameters, and encrypting sensitive information. Exploits for these vulnerabilities are available on GitHub, and users are advised to take measures to secure their devices.
WebAssembly Is All You Need - Exploiting Chrome and the V8 Sandbox 10+ times with WASM - This presentation explores vulnerabilities in Chrome's V8 JavaScript engine, demonstrating over ten ways to exploit the V8 sandbox using WebAssembly (WASM). The document discusses how WASM’s interaction with the V8 engine can create openings for attackers to bypass isolation measures, highlighting potential risks for modern browsers.
The Definitive Guide to Linux Process Injection - Akamai's guide on Linux process injection explains techniques for injecting code into Linux processes, including popular methods like ptrace, LD_PRELOAD, and direct memory manipulation. It details how attackers utilize these techniques to alter processes for espionage, privilege escalation, and persistence. The guide also explores ways to detect and mitigate these risks effectively.
Stealthy Attributes of APT Lazarus: Evading Detection with Extended Attributes - Group-IB’s analysis of the Lazarus APT group details advanced evasion tactics used to mask operations, with methods including multi-stage payload delivery and hiding malware in legitimate software. These techniques allow Lazarus to target various sectors while reducing detection.
Tools and Exploits
Carseat - This GitHub repository contains a Python implementation of GhostPack's Seatbelt situational awareness tool called Carseat. The tool includes various modules for remote execution, requiring privileged access to the target host. Users can run single commands, multiple commands simultaneously, or grouped commands with arguments. The tool accepts passwords, hashes, or kerberos tickets for authentication and provides a range of modules for collecting information about a target system.
fancy-cat - The GitHub repository "freref/fancy-cat" is a PDF reader designed for terminal emulators using the Kitty image protocol. This project is actively being developed and allows for keymap and option customization through a config file. Users can install the necessary dependencies and run the program to view and interact with PDF files in a terminal environment.
Bjorn - Bjorn is a network scanning and offensive security tool designed for the Raspberry Pi with a 2.13-inch e-Paper HAT. It can discover network targets, identify open ports and services, and perform tasks like brute force attacks and file stealing. Bjorn also supports custom attack scripts and can provide real-time updates through its display and web interface.
Exploit-Street - contains a complete list of Local Privilege Escalation (LPE) exploits for Windows, starting from 2023. The creator mentions the lack of such a list on the internet and encourages contributions via pull requests if any exploits are missing.
CVE-2024-50340 Adapted EOS Exploit - This is a GitHub repository containing an exploit for Symfony CVE-2024-50340, which allows attackers to force Symfony applications into debug mode by appending a specific query to the URL. The vulnerability can be exploited to remotely access a Symfony application's source code, environment variables, request logs, and execute arbitrary code.
ShadowDumper - Shadow Dumper is a tool used in penetration testing and red teaming to dump LSASS memory, employing advanced techniques to access sensitive data. It offers various methods for memory extraction.
Citrix Virtual Apps and Desktops (XEN) Unauthenticated RCE - This GitHub repository contains an exploit for the Citrix Virtual Apps and Desktops (XEN) Unauthenticated Remote Code Execution vulnerability. The exploit allows for remote code execution on vulnerable systems running Citrix Virtual Apps and Desktops versions 7 2402 LTSR and earlier.
WhatsApp-Spy - GitHub repository for the WhatsApp Spy app shows that it is designed to monitor and log on-screen texts when users open WhatsApp, Instagram, or Messenger. It sends logs to Discord or Telegram without the need for port forwarding.
Hunting SMB Shares, Again! Charts, Graphs, Passwords & LLM Magic for PowerHuntShares 2.0 - NetSPI’s PowerHuntShares 2.0 release offers new features for Windows network share enumeration, focusing on automation, detection, and risk assessment. This update enables security teams to identify and manage risky shares in larger network environments more effectively, improving visibility and response capabilities.
Threat Intel and Defense
HawkEye Malware: Technical Analysis - HawkEye malware, also known as PredatorPain, is a long-lived keylogger that has evolved to include additional functionalities. It has been distributed on the dark web and used in phishing campaigns to steal company data. HawkEye's delivery methods are diverse, but its behavior remains consistent, involving dropping files in temporary paths, establishing persistence, and conducting various malicious activities. The malware can steal keyboard and clipboard data, gather system information, steal credentials, detect security software, and exfiltrate stolen information through various methods. HawkEye is a versatile and powerful tool that continues to be used by various threat actors.
New PXA Stealer targets government and education sectors for sensitive information - The Cisco Talos blog has discovered a new information-stealing campaign called PXA Stealer targeting government and education sectors in Europe and Asia. The attacker, believed to be Vietnamese, is selling stolen credentials and tools on a Telegram channel. The attacker uses complex obfuscation techniques for the batch scripts in the campaign and aims to steal sensitive information such as online account credentials, financial data, and more. The PXA Stealer program has various capabilities, including decrypting browser master passwords, targeting cryptocurrency wallets, and collecting Discord tokens and Facebook ad account data. The attacker exfiltrates stolen data through a ZIP archive sent to their Telegram bot.
New Zero-Detection Variant of Melofee Backdoor from Winnti Strikes RHEL 7.9 - A new zero-detection variant of the Melofee backdoor from the Winnti group has been detected targeting Red Hat Enterprise Linux (RHEL) 7.9. This variant includes upgrades such as an RC4-encrypted kernel driver for stealth, improved persistence, and function ID design. Despite being undetected on VirusTotal, the backdoor has been found to have a low detection rate. It is believed to be used by high-value targets, and network administrators are advised to look for specific artifacts to detect and remove it.
LightSpy: APT41 Deploys Advanced DeepData Framework In Targeted Southern Asia Espionage Campaign - BlackBerry Research and Intelligence Team identified an evolution in the LightSpy malware campaign by APT41, featuring the DeepData framework for enhanced data theft capabilities. DeepData includes 12 specialized plugins for stealing sensitive information from victims in Southern Asia, such as messaging platforms, email, browser data, and network information. APT41, attributed to Chinese cyber-espionage group, is associated with government interest areas like healthcare, telecommunications, and technology.
ETW Forensics - Why use Event Tracing for Windows over EventLog? - Event Tracing for Windows (ETW) is a powerful tool for forensic investigations on Windows operating systems, offering more detailed and in-depth information than traditional EventLogs. ETW can detect suspicious behavior and allows for real-time event monitoring and analysis. The structure of ETW includes providers, consumers, sessions, and controllers, with more than 1,000 default providers available for investigation purposes. ETW events are saved in a specific format and can be recovered from memory using tools like the ETW Scanner for Volatility3. By analyzing recovered ETW events, investigators can uncover valuable information related to malware infections, network communications, and more.
“Free Hugs” – What To Be Wary of in Hugging Face – Part 1 - The blog post "Free Hugs" discusses potential risks in the Hugging Face platform, which hosts GenAI models. It explores security vulnerabilities in the platform, particularly related to malicious content and dangerous coding practices. The post warns against trusting the content host and maintainer, as well as the importance of validating code configurations.
Towards utilizing BTF Information in Linux Memory Forensics - The blog post discusses the use of BTF information in Linux memory forensics to generate profiles for analyzing memory images. The author introduces the BPF Type Format (BTF) and explains how it can be used to extract information from raw memory images without the need for debug packages. The post outlines the methods and tools used to generate profiles and evaluates their effectiveness in driving analysis plugins. It also addresses the issue of symbol types and proposes a solution for automating the generation and maintenance of a mapping between symbols and types. The author highlights the potential benefits of further development and implementation of the approach.
Hamas-affiliated Threat Actor WIRTE Continues its Middle East Operations and Moves to Disruptive Activity - Check Point Research continues to track the activities of WIRTE, a threat actor affiliated with Hamas, in the Middle East despite ongoing conflicts in the region. WIRTE has expanded beyond espionage to conduct disruptive attacks, targeting entities in the Palestinian Authority, Jordan, Iraq, Egypt, and Saudi Arabia. The group has been linked to disruptive attacks using custom malware like SameCoin, showing clear overlaps in code with wiper malware targeting Israeli entities. The group's tactics include domain naming conventions, communication via HTML tags, and redirection to legitimate websites, with a focus on politically motivated cyber-espionage and sabotage in the region.
Malware Spotlight: A Deep-Dive Analysis of WezRat - Check Point Research provides an in-depth analysis of the WezRat malware, attributing it to the Iranian cyber group Emennet Pasargad. The malware has been active for over a year and has gained additional modules, demonstrating ongoing development. The latest version of WezRat was recently distributed in a phishing campaign impersonating the Israeli National Cyber Directorate. The malware can execute commands, take screenshots, upload files, perform keylogging, and steal clipboard content and cookie files. Emennet Pasargad has been responsible for cyber operations in the US, France, Sweden, and Israel, posing a threat to various entities worldwide.
Ymir: new stealthy ransomware in the wild - Kaspersky has discovered a new ransomware called Ymir, which was used in conjunction with RustyStealer in a recent incident. The Ymir ransomware has evasive features and uses PowerShell remote control commands to gain access to systems. The attackers used various tools for malicious actions before deploying Ymir. Kaspersky provides a detailed analysis of Ymir, its tactics, techniques, and procedures, as well as indicators of compromise. The ransomware incident involved the deployment of Ymir after attackers gained control of multiple systems using RustyStealer, highlighting the need for improved response strategies beyond endpoint protection platforms.
Fake North Korean IT Worker Linked to BeaverTail Video Conference App Phishing Attack - Unit 42 researchers have identified a North Korean IT worker cluster involved in phishing attacks using malware-infected video conference apps, likely operating from Laos. The cluster has exploited a US-based IT services company to apply for jobs and secure positions at major tech companies. This highlights the shift of North Korean IT workers from stable income-seeking activities to more aggressive malware campaigns. Organizations are advised to strengthen hiring screening processes, implement monitoring for insider threats, and evaluate outsourced services to mitigate risks.
New Campaign Uses Remcos RAT to Exploit Victims - FortiGuard Labs has detected a new phishing campaign using Remcos RAT to exploit victims. The campaign begins with a phishing email containing a malicious Excel document that exploits CVE-2017-0199 to download and execute an HTA file, leading to the deployment of Remcos RAT on the victim's device. Remcos is a commercial remote administration tool that allows threat actors to remotely control victims' computers and collect sensitive information.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
Learnpress SQLi - Abrahack discusses discovering SQL injection vulnerabilities in the LearnPress WordPress LMS Plugin, highlighting two critical CVEs - CVE-2024-8529 and CVE-2024-8522. By exploring endpoint code, Abrahack identified opportunities to manipulate SQL queries through improper sanitization of HTTP parameters, ultimately gaining control to read anything in the database. This experience led Abrahack to find vulnerability hunting in WordPress plugins to be a thrilling experience, showcasing the importance of ongoing security efforts in plugin development. Abrahack plans to continue exploring vulnerabilities in future posts and hopes to inspire others to engage in finding WordPress plugin vulnerabilities.
Defending the Tor network: Mitigating IP spoofing against Tor - In late October, the Tor network experienced a coordinated IP spoofing attack that triggered abuse reports aimed at disrupting the network. Thanks to a joint effort from the Tor community, the source of the attack was identified and shut down on November 7th. While the attack had a limited impact on the Tor network, it caused stress for relay operators. The Tor Project is working to support operators in getting their accounts reinstated and assisting providers in unblocking IPs for Tor directory authorities.
Novel Inception/SRSO exploitation method - The README.md file on the Google security research GitHub repository discusses a novel Inception/SRSO exploitation method that allows control over the full return address stack (RAS) on AMD Zen 3 and Zen 4 CPUs. By injecting a PhantomJMP and PhantomCALL in the pipeline, researchers were able to exploit SRSO, with varying requirements for Zen 3 and Zen 4. They also proposed a mitigation strategy involving clearing the RSB before the first return instruction after a dispatch serializing instruction to reduce the risk of the vulnerability. Additionally, the researchers discovered a method to chain gadgets for constructing a disclosure primitive on the CPUs, which was different from the method presented in the Inception paper.
PoisonTap - Samy Kamkar created the PoisonTap tool, which can exploit locked computers over USB by siphoning cookies, exposing internal routers, and installing web backdoors. The tool, using a Raspberry Pi Zero and Node.js, emulates an Ethernet device to steal HTTP cookies and sessions from popular websites. This allows the attacker to access the user's cookies and install persistent backdoors even after the device is removed. PoisonTap can also manipulate DNS servers and gain remote access to internal routers. To secure against PoisonTap, it is recommended to use HTTPS exclusively, enable the secure flag on cookies, and limit access to USB and Thunderbolt ports.
A Roadmap to Security Game Testing: Finding Exploits in Video Games - This guide provides a detailed roadmap for security game testing in the video game Sword of Convallaria, focusing on finding exploits for bug bounty programs. The author walks through reverse engineering the game, including extracting and analyzing game data, converting Lua bytecode, understanding the network protocol, and conducting security testing. The guide aims to enhance skills in identifying vulnerabilities in video games to contribute to a more secure gaming environment. The author also encourages sharing the guide and reaching out for any questions or insights on security testing.
I Want a “Red Teaming”: Why Terminology Matters - The article discusses the importance of terminology in security testing, particularly in the context of Red Teaming assessments. Different types of security tests are defined, including Baseline Security Assessments, Attack Simulation Assessments, Red Team Assessments, and Purple Team Assessments. The choice of assessment depends on the organization's objectives, maturity of defenses, and detection capabilities. It is emphasized that Red Team Assessments are not suitable for organizations without a Security Operations Centre (SOC) or attack detection capabilities. The budget for a security test also influences the choice of assessment, with different types of assessments recommended based on the organization's needs and budget.
Breaking Control Flow Flattening: A Deep Technical Analysis - Control flow flattening (CFF) is a code obfuscation technique that hides the flow of program execution. The blog post discusses a Binary Ninja plugin that automatically defeats CFF by analyzing the dispatcher and state variable in the code. The plugin uses graph theory and mathematical proofs to recover the original control flow structure from the flattened code. The author also plans to enhance the deobfuscator by integrating more sophisticated symbolic execution capabilities and improving pattern recognition for different obfuscator variants.
Comments