
Last Week in Security - 2024-11-26


We're Hiring!


For more open positions visit: https://www.sixgen.io/careers


Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools, and exploits from the past week. This post covers 2024-11-20 to 2024-11-25.

News

  • Security Brief: ClickFix Social Engineering Technique Floods Threat Landscape - Proofpoint researchers have identified a growing social engineering technique called ClickFix, which is being used by various threat actors to lure users into downloading malware by tricking them into copying and running PowerShell commands. This technique has been observed in multiple campaigns targeting different industries and organizations. The effectiveness of this technique lies in preying on people's desire to be helpful and independent, bypassing security measures by having the victim infect themselves. Organizations are advised to train users on identifying and preventing exploitation through this technique to enhance their security posture.

  • Joint statement by the Foreign Ministers of Finland and Germany on the severed undersea cable in the Baltic Sea - The Foreign Ministers of Finland and Germany have issued a joint statement expressing deep concern over the severed undersea cable in the Baltic Sea. They highlight the need for a thorough investigation of the incident, which raises suspicions of intentional damage and underscores the volatility of the times. The ministers emphasize the importance of safeguarding critical infrastructure for the security and resilience of their societies, amidst threats from both Russia's actions in Ukraine and hybrid warfare.

  • US lawyers will reportedly try to force Google to sell Chrome and unbundle Android - US lawyers are reportedly planning to force Google to sell Chrome and unbundle Android as part of an effort to break up the company's search monopoly. The Department of Justice is preparing to propose requirements that include separating Android from Search and Google Play, sharing more information with advertisers, and banning exclusive contracts. Google's regulatory affairs VP has criticized the DOJ's actions as going beyond the legal issues of the case.

  • Fintech Giant Finastra Investigating Data Breach - Fintech giant Finastra is investigating a data breach involving the theft of information from its internal file transfer platform, with over 400 gigabytes of data being sold by a cybercriminal. The breach does not impact customer operations currently, but the company is implementing secure file sharing platforms and conducting investigations. The cybercriminal, known as abyss0, attempted to sell the stolen data on the dark web, but has since disappeared. Finastra has experienced breaches in the past, including a ransomware attack in March 2020.

  • Enhancing Cyber Resilience: Insights from CISA Red Team Assessment of a US Critical Infrastructure Sector Organization - The Cybersecurity and Infrastructure Security Agency (CISA) conducted a red team assessment of a critical infrastructure organization to assess its cybersecurity capabilities. The red team was able to gain access and compromise the organization's domain and sensitive business systems due to insufficient technical controls and a lack of network layer protections. Lessons learned include the need for continuous training for staff, implementing secure software configurations, and the importance of addressing known vulnerabilities. Recommendations include network segmentation, monitoring, and secure by design principles for software manufacturers.

  • Russian Spies Jumped From One Network to Another Via Wi-Fi in an Unprecedented Hack - Russian spies from the APT28 hacking group used a new technique to remotely breach a Wi-Fi network by hijacking a laptop across the street from their intended target. This "nearest neighbor attack" allowed them to access their target's network without physically being close to the building. The hackers were able to infiltrate multiple networks via Wi-Fi, showing a new level of sophistication in their cyber attacks. This breach highlights the need for improved Wi-Fi security measures for high-value targets to prevent similar attacks in the future.

  • Feds Charge Five Men in ‘Scattered Spider’ Roundup - Five men have been charged by federal prosecutors in Los Angeles for their involvement in a hacking group called Scattered Spider, which conducted cyber intrusions at major U.S. technology companies between 2021 and 2023. The group specialized in SMS-based phishing attacks targeting employees of tech firms to steal cryptocurrency. The members of the group, aged 20 to 25, used phishing websites that mimicked company authentication pages and obtained personal information to access cryptocurrency accounts. The indictment includes charges such as wire fraud, conspiracy, aggravated identity theft, and if convicted, each defendant could face up to 20 years in federal prison.

  • Understanding the Efficacy of Phishing Training in Practice - This paper empirically evaluates the efficacy of two ubiquitous forms of enterprise security training: annual cybersecurity awareness training and embedded anti-phishing training exercises. Specifically, it analyzes the results of an 8-month randomized controlled experiment involving ten simulated phishing campaigns sent to over 19,500 employees at a large healthcare organization. The results suggest that these efforts offer limited value.

  • Imagine a land in which Big Tech can't send you down online rabbit holes or use algorithms to overcharge you - China is cracking down on algorithms that create internet echo chambers, push highly homogeneous content, and use discriminatory pricing. The Cyberspace Administration of China wants to prevent tech providers from encouraging internet addiction and increase transparency in algorithm use. Businesses have until the end of the year to self-correct their practices or face penalties. China aims to limit mobile device usage for minors and ensure they only see "nice content" online.

Techniques and Write-ups

  • Pots and Pans, AKA an SSLVPN - Palo Alto PAN-OS CVE-2024-0012 and CVE-2024-9474 - In 2024, new vulnerabilities named CVE-2024-0012 and CVE-2024-9474 were discovered in Palo Alto Networks SSLVPN appliances, allowing for command injection and privilege escalation. The vulnerabilities were actively exploited, prompting Palo Alto to release patches and improve security measures. The vulnerabilities could be chained together to achieve superuser access, highlighting the importance of analyzing vulnerabilities under active exploitation. It was found that an authentication bypass and privilege escalation were used in a chain to gain access, exposing weaknesses in the Palo Alto appliance's security. A Nuclei template was released to check for affected hosts, emphasizing the need for continuous security testing.

  • Extending Burp Suite for fun and profit – The Montoya way – Part 7 - HN Security offers services to help safeguard digital assets and fortify security defenses. This latest installment of the series focuses on setting up the environment, inspecting and tampering with HTTP requests and responses, and using the Collaborator in Burp Suite plugins. The article provides a step-by-step guide on modifying an extension to detect serialization issues using the Collaborator tool, which allows for reliable detection of vulnerabilities that may be difficult to identify otherwise. The article also discusses the importance of monitoring Collaborator interactions and offers tips on continuing to monitor for interactions related to payloads sent to the target application. Future articles will cover how to use BChecks to extend the Burp Suite Active and Passive Scanner with checks that aren't too complex.

  • CVE-2024-10524 Wget Zero Day Vulnerability - JFrog offers a platform to protect against the Zero Day Wget Vulnerability, allowing for end-to-end visibility, security, and control in software supply chain management. They provide solutions for AI/ML development and deployment, release lifecycle management, open-source package curation, and more. JFrog partners can access resources for cloud deployment, source code scanning, and infrastructure security. A CVE-2024-10524 Wget Zero Day Vulnerability was discovered and responsibly disclosed by JFrog's security team, leading to a patch in Wget version 1.25.0. Users are encouraged to update to this version to avoid potential attacks associated with the vulnerability.

  • Lateral Movement - Remote Desktop Protocol (RDP) Artifacts - This blog post discusses the importance of investigating lateral movement using Remote Desktop Protocol (RDP) artifacts. The author explains various artifacts found on both the target and source systems, such as RDP Bitmap Cache, UserAssist, RecentApps, Jumplists, Prefetch, Shimcache, Amcache, Terminal Server Client Registry key, BAM/DAM, and Default RDP File. By analyzing these artifacts, investigators can piece together a timeline and determine if RDP was used for lateral movement during an incident. The post emphasizes the need to use multiple artifacts to tell the whole story and enhance the accuracy and confidence of the analysis.

  • The Dark Side of Domain-Specific Languages: Uncovering New Attack Techniques in OPA and Terraform - The blog post discusses new attack techniques in domain-specific languages (DSLs) of popular policy-as-code (PaC) and infrastructure-as-code (IaC) platforms, specifically in the Open Policy Agent (OPA) and Terraform. The post explores how attackers can manipulate these DSLs through third-party code to compromise cloud identities, enable lateral movement, and exfiltrate data. The techniques involve supply-chain attacks, credential exfiltration, environment variable exfiltration, data exfiltration using DNS tunneling, and executing malicious code via data sources and provisioners. Mitigations and best practices to defend against such attacks are also provided.

  • Linux LKM Persistence - The article discusses Linux LKM (Loadable Kernel Module) persistence mechanisms and provides a step-by-step guide on how to load a kernel module at boot time using the Diamorphine rootkit as an example. The author demonstrates how to hide the module using a "magic string" and how to update configuration files to ensure the module loads automatically upon system reboot. The article also discusses how to detect the presence of an LKM rootkit by checking kernel taint flags and provides a script for interpreting the flags. The overall focus is on using persistence mechanisms to run programs in user space on a Linux system.

  • Patching .so files of an installed Android App - The article discusses how to patch .so files of an installed Android app with root access without altering the signature, focusing on native code. It explains the process of installing Android native libraries, and provides a tutorial on writing binary patches in C. It also touches on challenges faced during a pentest of an Android app with a complex RASP and explores options for patching files directly inside the APK. Additionally, it discusses using U-Boot to extract boot images and mentions techniques for extracting app data from Android 12/13 using CVE-2024-0044.

  • Reverse Engineering iOS 18 Inactivity Reboot - iOS 18 introduced a new security feature called inactivity reboot, which reboots the device after a certain period of inactivity. This feature is designed to protect user data by locking keys secured by the Secure Enclave Processor (SEP) until the passcode is entered. The feature triggers a reboot after 3 days of inactivity, regardless of the device's wireless connectivity. It is a powerful security measure against both thieves and forensic analysts, as it makes it harder to access decrypted data on the device. The feature also has implications for law enforcement and can impact the way they extract data from seized devices.

  • Local Admin In Less Than 60 Seconds (Part 1) - The article discusses the exploitation of Active Directory using NTLM relay attacks, specifically focusing on gaining local admin privileges in less than 60 seconds. The attack leverages the LDAP protocol to modify specific attributes of objects. The article highlights the importance of default configurations in Domain Controllers for the attack's success and explains the process of using WebDAV to escalate privileges as a low-privileged domain user. Additionally, it explores the use of PKINIT for Kerberos authentication and S4U2self attacks for impersonating users and gaining admin access.

  • Writing Beacon Object Files Without DFR - The blog discusses the development of Beacon Object Files (BOFs) without the need for Dynamic Function Resolution (DFR) prototypes in the code. It explains how symbol redefining with Objcopy can be used to manage imports in BOFs. The post also explores the process of writing BOFs like normal C programs and managing DFR aspects separately outside of the source code using Objcopy. Additionally, it delves into the raw file structure of COFFs and how symbol renaming can be achieved through various methods. Overall, the blog highlights the importance of decoupling constraints from software development to make the code more generic and easier to work with.

  • Exploring the DOMPurify library: Bypasses and Fixes (1/2) - This article explores multiple bypasses in the DOMPurify library, focusing on versions 3.1.0, 3.1.1, and 3.1.2. It explains how client-side HTML sanitizers work and why mutation XSS is possible due to HTML parsing discrepancies. The bypasses include deep nesting, second-order DOM clobbering, and an "elevator" HTML mutation. The article also discusses the fixes implemented in DOMPurify 3.1.0, 3.1.1, and 3.1.2 to address these bypasses. Additionally, it introduces a triple HTML parsing bypass discovered in collaboration with other researchers. The fixes introduced by DOMPurify are explained, addressing HTML attribute vulnerabilities.

  • Azure CLI Token Leak - The Azure CLI was vulnerable to a registry server confusion attack in its Azure Container Registry (ACR) module, allowing an attacker to leak the token of the principal and gain access to all Azure resources. The bug was fixed in November 2023, but there are concerns about the potential vulnerabilities in applications using Azure CLI. The severity of the issue was marked as medium by MSRC, and while a fix was implemented, there are ongoing discussions about the need for a CVE or similar disclosure. It is recommended to keep Azure CLI updated and limit permissions to reduce the impact of such vulnerabilities.

  • Making a Powershell Shellcode Downloader that Evades Defender (Without Amsi Bypass) - In this tutorial, lainkusanagi demonstrates how to create a PowerShell shellcode downloader that evades Defender without using an AMSI bypass. The process involves modifying a PowerShell shellcode runner to download and run shellcode while avoiding detection by Defender. By obfuscating certain parts of the code using Invoke-Obfuscation, the shellcode successfully evades detection and allows for the execution of any shellcode saved as a .bin file. Ultimately, this method can be used to bypass Defender and run potentially malicious code, though further improvements may be necessary to maintain evasion capabilities.

  • Relaying Kerberos over SMB using krbrelayx - Relaying Kerberos authentication over SMB using krbrelayx was once considered impossible, but researchers have proven otherwise. The technique involves tricking a client into sending a Kerberos message for another service, which can then be relayed. Tools like krbrelayx have been developed to easily execute this attack. This method can be used to compromise domains, especially in scenarios where servers only allow Kerberos authentication. Regularly monitoring DNS records containing the marshaled string is recommended as a mitigation measure.

  • Extracting Plaintext Credentials from Palo Alto Global Protect - During a Red Team engagement, the author found plaintext credentials stored in memory on Palo Alto Global Protect logs, which could be easily extracted using debugging tools. This security flaw allows for easy credential theft and lateral movement within the network. The author criticizes Palo Alto for storing credentials in plaintext, violating basic security principles, and creating unnecessary security risks. The author also provides a proof of concept for extracting these credentials from memory and suggests impersonating the client to extract data directly from panGPS for a more stealthy approach.

  • Leveling Up Fuzzing: Finding more vulnerabilities with AI - Google's Open Source Security Team has reported 26 new vulnerabilities to open source projects, including a critical one in the OpenSSL library, using AI-generated and enhanced fuzz targets. This milestone in automated vulnerability finding shows the potential of AI in strengthening internet infrastructure security. The team has been focusing on improving the AI's ability to generate relevant prompts, fix compilation issues, run fuzz targets, and triage crashes, with the goal of fully automating the vulnerability discovery and patching process. Their work is integrated into OSS-Fuzz and aims to help defenders find and fix vulnerabilities before they can be exploited.

  • NTLM Privilege Escalation: The Unpatched Microsoft Vulnerabilities No One is Talking About - Morphisec recently hosted a webinar on building adaptive cyber resilient cloud environments and offers a range of services for managed services providers. They provide protection for Windows and Linux endpoints, servers, and workloads. The webinar also highlighted the importance of moving target defense to combat evolving cyber threats. Additionally, vulnerabilities in Microsoft products, particularly related to NTLM authentication, were discussed, emphasizing the need for businesses to take proactive steps to mitigate risks associated with these vulnerabilities.

  • Spelunking in Comments and Documentation for Security Footguns - The Include Security team explores security footguns in comments and documentation during security assessments, looking for hidden security bugs in third-party libraries. Examples include unexpected behaviors in Elixir and Python libraries, as well as security implications in the Golang standard library. These issues, although not always classified as security vulnerabilities, can lead to security bugs in the right context. It is important to document and create rules around these behaviors to raise awareness and prevent unintentional security issues when using third-party libraries.

  • Finding Access Control Vulnerabilities with Autorize - The article discusses access control vulnerabilities and how they can be identified using Autorize. It explains the different types of access control vulnerabilities, the setup required to use Autorize, and how to analyze the results obtained. The article also provides examples of access control vulnerabilities identified using Autorize, such as Insecure Direct Object Reference (IDOR). Overall, the article emphasizes the importance of detecting and addressing access control vulnerabilities during web application penetration tests.

  • Local privilege escalation in Windows Velociraptor service - A local privilege escalation vulnerability was discovered in the Velociraptor service on Windows. The installer file for Velociraptor granted dangerous permissions to standard users, allowing them to modify ACLs and potentially execute commands as SYSTEM. A patch was released to address the issue, but users could still exploit the vulnerability by replacing the binary and creating a new user with administrator privileges. This arbitrary code execution vulnerability could be used to escalate privileges on the machine.

  • Exploring Javascript events & Bypassing WAFs via character normalization - In this blog post, 0x999 explores the concept of Javascript events and discusses how they can be used to bypass Web Application Firewalls (WAFs) through character normalization. The author provides insights and examples on how this technique can be employed to overcome security measures and potentially execute malicious actions on websites. This post delves into the technical aspects of manipulating Javascript events and highlights the potential risks associated with WAF evasion techniques.

  • Azure DevOops 0x01 – It is not my machines, it is your code! - Azure DevOops 0x01 discusses the importance of securing Azure DevOps environments, which are commonly used for agile software development. The blog series explores common misconfigurations, the complex permission model, and the potential risks of unauthorized access. The post also delves into the use of Personal Access Tokens (PATs) to interact with the Azure DevOps Services REST API, highlighting the importance of securing secrets and monitoring telemetry for improved security. The blog series aims to provide insights into potential attack scenarios and ways to enhance defense mechanisms in Azure DevOps environments.

  • Lateral Movement on macOS: Unique and Popular Techniques and In-the-Wild Examples - This article explores various lateral movement techniques for macOS, including SSH key theft, Apple Remote Desktop, and Remote Apple Events, with real-world examples and detection opportunities. It discusses how attackers can exploit SSH keys and ARD to move laterally within a network, as well as leveraging RAE for remote command execution. The article emphasizes the importance of implementing strong security measures to protect macOS environments from malicious lateral movement activities and provides recommendations for detecting suspicious activity. Additionally, it highlights the protection provided by Palo Alto Networks products and offers XQL queries to hunt for lateral movement in macOS environments.

  • Complete guide to finding more vulnerabilities with Shodan and Censys - This article serves as a complete guide for beginners on how to find vulnerabilities using internet search engines like Shodan and Censys. The importance of reconnaissance in bug bounties and pentests is highlighted, along with basic and advanced search operators to filter and find interesting assets. The article covers various use cases such as finding subdomains, authentication panels, directory listings, sites running specific technologies, and more. By following the methodologies and utilizing the tools mentioned in the article, beginners can improve their reconnaissance skills and potentially find valuable bugs.

  • From an Android Hook to RCE: $5000 Bounty - The author successfully reverse-engineered a popular Android application, achieved Remote Code Execution (RCE), and earned a $5000 bounty from the vendor. They encountered challenges with SSL pinning, encryption, and traffic interception, eventually using DNS data exfiltration to extract data from the server. By exploiting the vulnerability, they were able to execute JavaScript code on the remote server and showcase potential attacks, such as sending SMS messages without authentication. The author's experience highlights the importance of persistence, creativity, and thorough testing in bug bounty hunting.

  • Leveraging An Order of Operations Bug to Achieve RCE in Sitecore 8.x - 10.x - An order of operations bug in Sitecore 8.x - 10.x allowed for remote code execution (RCE) by exploiting .NET ViewState deserialization. Assetnote's Security Research team discovered and reported this vulnerability, which was patched by Sitecore in August 2024. By leveraging this bug, attackers could read arbitrary files from the local system, including backups. Assetnote's Attack Surface Management platform helps customers stay informed about such vulnerabilities and reduce their attack surface to prevent exploitation. Customers can customize the platform to meet their specific security needs and benefit from continuous asset discovery and real-time exposure monitoring.

  • New AMSI Bypass Technique Modifying CLR.DLL in Memory - Practical Security Analytics LLC has developed a new AMSI bypass technique targeting CLR.DLL to load malicious binaries into memory undetected. This technique involves modifying the string "AmsiScanBuffer" in memory to prevent the Common Language Runtime (CLR) from passing reflectively loaded .NET modules to the installed antivirus. The post details the research process, assessment of target functions, implementation steps, and obfuscation of the bypass using SpecterInsight Payload Pipelines. The bypass has been implemented in C, C#, and PowerShell, providing options for red teamers to evade AMSI detection.

  • Simple macOS kernel extension fuzzing in userspace with IDA and TinyInst - The Project Zero team at Google recently worked on a project involving macOS kernel extension fuzzing for AV1 video decoding. They used IDA and TinyInst to extract and run the kernel code in userspace and identified issues in the AV1 parsing code inside the AppleAVD kernel extension. The project aimed to create a simple userspace kernel extension fuzzing tool that could be adaptable to other pieces of kernel code, highlighting the potential for finding vulnerabilities in macOS systems. Three issues found during the research were reported to Apple for further investigation.

  • Linux malware development 3: linux process injection with ptrace. Simple C example. - In this blog post, the author discusses Linux malware development using process injection with ptrace, a system call that allows debugging of remote processes. The author provides a detailed tutorial on how to attach to a running process, inject custom shellcode, and restore the original state after execution using a simple C example. The use of ptrace and its functionality in process injection is explained, with a practical example demonstrating how ptrace can be used for malicious purposes. The post also emphasizes the importance of understanding these techniques for malware researchers, Linux programmers, and those interested in Linux kernel programming.

  • SSRF & URI validation bypass in 2FAuth - XBOW discovered a critical vulnerability in the open-source 2FAuth web app, allowing for Server Side Request Forgery (SSRF) bypass in the OTP preview feature. The vulnerability could be exploited to access sensitive information in cloud environments. XBOW detailed their process of identifying and exploiting the vulnerability, eventually bypassing MIME type validation using SVG files. The 2FAuth team worked to address the vulnerability, and the issue was assigned the identifier CVE-2024-52598.

  • Repo swatting attack deletes GitHub and GitLab accounts - A security researcher discovered a new attack called "repo swatting" targeting developer accounts on GitHub, GitLab, and Gitea, allowing attackers to delete accounts or repositories. The attack involves uploading a malicious file to a user's repository and then reporting the user for abuse, leading to account deletion. Both GitHub and GitLab have made changes to mitigate this attack, but the risk of similar vulnerabilities persists. Anonymity, ease of execution, potential for abuse, and difficulty in mitigation are key factors making repo swatting a powerful threat to software developers.

  • CosmicSting: A Critical XXE Vulnerability in Adobe Commerce and Magento (CVE-2024-34102) - The CosmicSting vulnerability, a critical XXE vulnerability in Adobe Commerce and Magento, has been identified (CVE-2024-34102) by the Splunk Threat Research Team. This flaw allows attackers to potentially execute remote code and access sensitive files through unauthenticated REST API endpoints. The exploit leverages improper input validation and unsafe handling of XML data during deserialization. Splunk provides detection opportunities and mitigation strategies to protect organizations using Adobe Commerce or Magento from potential exploitation attempts. Patching, enhanced monitoring, and network-level protections are recommended to address this vulnerability.

  • Stop Using Predictable Bucket Names: A Failed Attempt at Hacking Satellites - The article discusses the risks of using predictable bucket names in cloud infrastructure, specifically in AWS services like S3. The author discovered potential security vulnerabilities related to bucket namesquatting and found discrepancies in the creation of region-specific buckets across different AWS services. Despite not finding any exploitable scenarios, the author emphasizes the importance of checking and securing company buckets to prevent potential attacks. AWS has started including random suffixes in service bucket names to make them non-predictable, highlighting the importance of security over convenience in cloud engineering. Readers are encouraged to review their company's buckets for vulnerabilities and implement controls to prevent unauthorized access.

  • OAuth Non-Happy Path to ATO - The author discovered a non-happy path in the OAuth implementation of a bug bounty program, where they were able to exploit a vulnerability in the authentication flow. By manipulating parameters and redirects, they were able to bypass normal authentication steps and ultimately take over a victim's account. The author reported the vulnerability to the company's security team, who recognized the severity of the issue and rewarded the author with a bounty for their findings.

  • Create your own C2 using Python - Part 1 - The blog post discusses the author's fascination with Metasploit in their youth and how it sparked their interest in Cybersecurity. The author introduces the idea of creating a custom Command and Control (C2) framework using Python, emphasizing that it will be a basic, non-encrypted TCP socket based C2. The post includes code snippets for setting up the C2, interacting with zombie agents, and demonstrating its functionality. The author also hints at incorporating more advanced features in future posts.

  • Ruby 3.4 Universal RCE Deserialization Gadget Chain - A blog post from 2018 shared the first universal gadget chain to exploit Ruby deserialization, with new versions of Ruby sometimes breaking these chains. The infosec community has consistently released new gadget chains to address these breaks. The most recent chain works against Ruby 3.4-rc but there are three improvements being investigated, including loading the URI module and executing arbitrary commands with control over ARGV. Additional improvements are being investigated to avoid exceptions raised in the gadget chain.

  • How To Use MSSQL CLR Assembly To Bypass EDR - CLR, or Common Language Runtime, is a component of the .NET Framework integrated into MSSQL servers since SQL Server 2005. In this scenario, a weak password allowed a hacker to inject shellcode into the database, gaining control over the MSSQL Server. To bypass EDR detection, one can compile a CLR assembly using Visual Studio Installer, create a stored procedure using the CLR feature of MSSQL, generate and execute shellcode, and convert its format using a Python script. This method successfully evaded EDR detection in the MSSQL database.

  • Breaking out of VRChat using a Unity bug - This article discusses how a Unity bug in VRChat allowed the author to break out of the game's virtual reality environment. The bug exploited the game's scripting language, Udon, to allocate abnormally large textures and gain access to memory outside of the game's sandbox. The author then details how they used this exploit to set up an arbitrary read/write primitive and run shellcode to escape the game. The bug has since been patched, and the author emphasizes that this vulnerability is specific to VRChat and not indicative of other Unity games.

Tools and Exploits

  • TokenCert - TokenCert is a C# tool that creates a network logon token from a certificate rather than a password, inspired by Synacktiv's research on evading Microsoft Defender for Identity's PKINIT detection. It allows authentication and impersonation with a certificate without producing the abnormal behaviour that detection keys on; what remains in the logs is ordinary telemetry such as successful logon and Kerberos authentication ticket request events.

  • make_token_cert BOF

  • Moodle-Scanner - The LuemmelSec/Moodle-Scanner is a tool that scans Moodle for vulnerabilities and versions. It gathers data directly from developer resources to ensure it stays up to date.

  • Linux ELF BOF Template - The chryzsh/linux_bof repository contains the core files for writing ELF Beacon Object Files for Linux: small compiled C programs that execute inside the Outflank C2 process to extend the Linux implant with new post-exploitation features. The repository is a template for building such ELF BOFs and is part of Outflank's OST offering.

  • PanGPA_Extractor - The t3hbb/PanGP_Extractor repository holds a proof-of-concept tool that extracts the current user's username and password in plaintext from the PanGPA (GlobalProtect agent) process on Windows, where they are held unencrypted in memory. The tool runs without special privileges.

Threat Intel and Defense

  • One Sock Fits All: The use and abuse of the NSOCKS botnet - The Black Lotus Labs team at Lumen Technologies has identified the use and abuse of the NSOCKS botnet, which is tied to the ngioweb botnet and used by criminal groups for malicious activities such as DDoS attacks, credential stuffing, and phishing. The NSOCKS botnet has over 35,000 bots in 180 countries, with the majority originating from the ngioweb botnet that infects small office/home office routers and IoT devices. Lumen has taken steps to block traffic associated with the ngioweb botnet, release indicators of compromise, and collaborate with industry partners to mitigate this threat.

  • FrostyGoop’s Zoom-In: A Closer Look into the Malware Artifacts, Behaviors and Network Communications - The article examines FrostyGoop, an OT-focused malware that impacted critical infrastructure in Ukraine in early 2024. The malware speaks Modbus TCP directly to industrial control devices, disrupting the physical process they control. The article analyses FrostyGoop's samples, network communications and targeted infrastructure, and highlights the growing OT malware threat and the security measures needed to prevent and mitigate such attacks.

  • Scammer Black Friday offers: Online shopping threats and dark web sales - Kaspersky's online shopping threat report for 2024 highlights the continued growth of e-commerce and the increasing risks faced by consumers, especially during peak shopping seasons like Black Friday. The report focuses on phishing attacks, scam campaigns, fake mobile apps, and stolen data sold on the dark web. Cybercriminals target users with fake websites, emails, and ads, aiming to steal personal and financial information. The report emphasizes the importance of consumer vigilance, stronger security measures, and staying informed about the evolving threats in the online shopping landscape.

  • Threat Brief: Operation Lunar Peek, Activity Related to CVE-2024-0012 - Operation Lunar Peek is Palo Alto Networks' name for exploitation activity against CVE-2024-0012 and CVE-2024-9474, for which fixes are available. The risk can be reduced by securing access to the management web interface and restricting it to trusted internal IP addresses. Threat activity increased after technical details were published, and Unit 42 recommends applying the fixes and monitoring for suspicious activity. Customers are urged to follow best-practice deployment guidelines and contact support if they suspect a compromise.

  • Threat Assessment: Ignoble Scorpius, Distributors of BlackSuit Ransomware - Unit 42 researchers have identified the threat group Ignoble Scorpius as distributors of BlackSuit ransomware, which emerged in May 2023 as a rebrand of Royal ransomware. The group targets organizations globally, with a significant ransom demand that can amount to 1.6% of the victim's annual revenue. Unit 42 provides proactive threat hunting and incident response services to help organizations defend against Ignoble Scorpius. The report also includes detailed information on the tactics, techniques, and procedures (TTPs) used by the threat group.

  • Identify Infrastructure Linked To LockBit 3.0 Ransomware Affiliates By ZoomEye Enhanced New Syntax - LockBit 3.0 is ransomware operated under a RaaS model, with independent affiliates using the software to conduct attacks against companies and institutions, primarily in finance, manufacturing, healthcare and aviation. Starting from indicators in CISA's reports, the article uses ZoomEye's enhanced search syntax to find infrastructure linked to LockBit 3.0 affiliates, pivoting on IP addresses and SSL certificate fingerprints, and surfaces multiple IP addresses suspected of being related to LockBit based on their certificates and open ports.

  • Inside Water Barghest’s Rapid Exploit-to-Market Strategy for IoT Devices - Water Barghest is a threat actor group that exploits vulnerabilities in IoT devices to turn them into profitable assets through automation and monetization techniques. Their botnet uses automated scripts to compromise vulnerable devices, deploy malware, and register them as proxies, all within as little as 10 minutes. Despite maintaining a low profile for over five years, Water Barghest's activities were uncovered due to operational mistakes and a misjudgment, such as using a zero-day vulnerability against Cisco routers. Their highly automated operations highlight the importance of securing IoT devices to prevent them from being exploited.

  • Hunting Malicious Shortcut (.LNK) Files Using the VirusTotal API - The article discusses using the VirusTotal API to hunt for malicious shortcut files and tailor analytics for threat hunting. It covers the methodology for gathering malicious LNK samples, analyzing the data, and building threat hunt analytics using Microsoft Defender for Endpoint (MDE) with KQL. The focus is on leveraging external intelligence to identify trends in threat actor activity and improving proactive approaches to identifying anomalous activity within environments. The post provides detailed insights on utilizing the VT corpus, analyzing command line parameters in shortcut files, and visualizing frequency analysis to detect potential initial access via shortcut files.

  • How to create a Detection Engineering Lab — Part 1 - This blog post outlines how to create a Detection Engineering Lab, focusing on setting up the infrastructure in a cloud environment using Digital Ocean and Docker. The lab is designed to help security professionals test, build, and fine-tune detection logic in a safe environment. Part 1 covers setting up a Digital Ocean account, creating an SSH key, and setting up a Docker droplet with increased virtual memory settings. Part 2 will cover deploying the Elastic stack, setting up a virtual machine, and creating a detection rule.

  • Creating Resilient Detections - The article discusses building detections that survive common SIEM problems such as ingest lag and query failure. It explains how ingest delay creates blind spots for scheduled queries keyed on event time and proposes querying on ingest time instead. It also covers options for surviving query-platform failures: health monitoring with resubmission, overlapping lookback windows, and an adjusted (wider) query lookback. A script is provided to measure the ingest-delay blind spot.
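
As an added example (not the article's script), a small simulation of the blind spot it describes. A scheduled detection runs every 10 minutes with a 10-minute lookback over a constructed set of events, each with the time it happened on the host and the time the SIEM indexed it. The same schedule is run twice, once filtering on event time and once on ingest time, and the events no run ever returned are reported; the last function computes the "adjusted lookback" option as schedule interval plus a percentile of the measured ingest lag. Timestamps, field names and the 95th-percentile choice are this example's assumptions.

```python
from datetime import datetime, timedelta, timezone
from math import ceil

# Added example, not the article's script. Events are constructed:
# "event_time" is when the action happened on the host, "ingest_time" is
# when the SIEM indexed it. A scheduled detection runs every INTERVAL
# seconds with a LOOKBACK window; the question is which events a run sees.

def ts(hhmm: str) -> datetime:
    return datetime(2024, 11, 20, int(hhmm[:2]), int(hhmm[3:]), tzinfo=timezone.utc)

EVENTS = [  # (id, event_time, ingest_time), constructed sample
    (1, ts("09:01"), ts("09:02")),
    (2, ts("09:05"), ts("09:18")),   # 13 minutes of ingest delay
    (3, ts("09:12"), ts("09:13")),
    (4, ts("09:19"), ts("09:31")),   # 12 minutes of ingest delay
    (5, ts("09:25"), ts("09:26")),
]
INTERVAL = 600   # schedule: every 10 minutes, lookback = interval
RUNS = [ts("09:10"), ts("09:20"), ts("09:30"), ts("09:40")]


def lag_seconds(events):
    """Ingest lag per event, in seconds."""
    return [(ingest - event).total_seconds() for _, event, ingest in events]


def percentile(values, p):
    """Nearest-rank percentile (p in 0..1); deterministic for small samples."""
    ordered = sorted(values)
    return ordered[max(ceil(p * len(ordered)) - 1, 0)]


def run_query(events, run_at, lookback, key):
    """Simulate one scheduled run at run_at.

    key="event"  filters on event_time but can only see rows already
                 ingested when the run happens (the blind spot);
    key="ingest" filters on ingest_time, so late rows land in a later run.
    """
    start = run_at - timedelta(seconds=lookback)
    hits = set()
    for eid, event, ingest in events:
        if ingest > run_at:          # not in the index yet: invisible to this run
            continue
        field = event if key == "event" else ingest
        if start <= field < run_at:
            hits.add(eid)
    return hits


def missed(events, runs, lookback, key):
    """Event ids that no run in the schedule ever returned."""
    seen = set()
    for run_at in runs:
        seen |= run_query(events, run_at, lookback, key)
    return {eid for eid, _, _ in events} - seen


def recommended_lookback(events, interval, p=0.95):
    """Adjusted lookback: interval plus the p-th percentile ingest lag, so an
    event-time query still covers late arrivals. Consecutive runs then overlap,
    so alerts must be deduplicated on an event id."""
    return interval + percentile(lag_seconds(events), p)


if __name__ == "__main__":
    print("p95 ingest lag (s):", percentile(lag_seconds(EVENTS), 0.95))
    print("missed with event_time key:", missed(EVENTS, RUNS, INTERVAL, "event"))
    print("missed with ingest_time key:", missed(EVENTS, RUNS, INTERVAL, "ingest"))
    wide = recommended_lookback(EVENTS, INTERVAL)
    print("missed with event_time key and lookback", wide, "s:",
          missed(EVENTS, RUNS, wide, "event"))
```

With the constructed data the event-time schedule never sees events 2 and 4, the ingest-time schedule sees everything, and widening the event-time lookback to interval plus p95 lag closes the gap at the cost of overlapping windows. Run the lag measurement against real ingest timestamps before choosing the percentile; the number that matters is your pipeline's, not this sample's.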

  • “Free Hugs” – What to be Wary of in Hugging Face – Part 2 - This article discusses the potential risks associated with using Hugging Face models, particularly in terms of model serialization protocols. It highlights the dangers of running code in models and explores how PyTorch and TensorFlow handle serialization, as well as the security implications of using legacy serialization formats. The article also provides recommendations for judging models by their format and emphasizes the importance of trusting the maintainer of the model.

  • DPRK IT Workers | A Network of Active Front Companies and Their Links to China - North Korea operates a network of IT workers through front companies to evade sanctions and generate revenue for the regime. The workers pose as professionals from different countries to secure remote jobs and freelance contracts in software development and other tech areas. These front companies are often based in China, Russia, Southeast Asia, and Africa, and help North Korean workers launder earnings through online payment services and Chinese bank accounts. The US government has disrupted several of these front companies and linked them to a larger network of organizations in China. Implementing robust vetting processes is essential for organizations to prevent inadvertent support of such illicit operations.

  • Unveiling WolfsBane: Gelsemium’s Linux counterpart to Gelsevirine - ESET researchers have identified the Linux malware, WolfsBane, linked to the Gelsemium APT group, showing a shift towards targeting Linux systems. The backdoors, tools, and rootkits discovered are designed for cyberespionage targeting sensitive data and enabling prolonged intelligence gathering. The connection between WolfsBane and Gelsevirine, as well as FireWood and Project Wood, indicates the involvement of the China-aligned Gelsemium group. The increasing focus on Linux malware suggests a response to improved Windows security measures, resulting in more exploitation of vulnerabilities in Linux-based systems.

  • MUT-8694: An NPM and PyPI Malicious Campaign Targeting Windows Users - Datadog Security Labs has uncovered a malicious campaign, designated MUT-8694, targeting Windows users through npm and PyPI package repositories. The attacker distributes infostealer malware using legitimate services like GitHub and Replit, posing as legitimate packages through typosquatting. The malware, including Blank Grabber and Skuld Stealer, targets Roblox developers and Discord users for credential theft.

  • Seeing Through a GLASSBRIDGE: Understanding the Digital Marketing Ecosystem Spreading Pro-PRC Influence Operations - The blog post describes GLASSBRIDGE, a group of companies operating networks of fake news sites that spread pro-PRC narratives worldwide, producing inauthentic content aligned with China's political interests for audiences outside the country. Google has blocked over a thousand GLASSBRIDGE-operated websites from Google News features for policy violations. The companies distribute content through newswire services, with Shanghai Haixun Technology the most prolific supporter of pro-China influence operation (IO) campaigns, and Times Newswire and Shenzhen Bowen Media also involved. Taken together, the sites show how deceptive tactics are used to push propaganda and shape audiences.

  • Unveiling the Past and Present of APT-K-47 Weapon: Asyncshell - The Knownsec 404 Advanced Threat Intelligence team discovered an APT-K-47 campaign using the topic of the Hajj as a lure and a CHM file to execute a malicious payload. The team assesses the sample to be an upgraded version of Asyncshell, which the group has used since 2023, and classifies Asyncshell into four versions based on feature changes while tracking the group's other weapons, including ORPCBackdoor, walkershell and MSMQSPY. The group disguises service requests to control the final shell server address, which shows how much it relies on Asyncshell.

  • Cracking Braodo Stealer: Analyzing Python Malware and Its Obfuscated Loader - The Splunk Threat Research Team analyzes the Braodo Stealer, a Python malware that steals sensitive information using obfuscation techniques to evade detection. The malware is distributed through popular developer platforms like GitHub and GitLab, and uses Telegram bots as command-and-control channels. The analysis breaks down the loader mechanisms, obfuscation strategies, payload behavior, and detection techniques, providing insights for security professionals to identify and mitigate this evolving threat effectively. The blog includes details on the malware's tactics, such as using registry run keys for persistence, capturing screen images, collecting clipboard data, harvesting browser credentials, and exfiltrating data over a C2 channel like Telegram. Additionally, the post provides detection analytics to help security teams identify and respond to Braodo Stealer activity.

  • Bypassing the Bypass: Detecting Okta Classic Application Sign-On Policy Evasion - Okta Classic Application Sign-On Policy Evasion vulnerability allowed attackers with valid credentials to bypass application-specific sign-on policies by modifying their user-agent string, enabling unauthorized access. Splunk provides detection capabilities through predefined analytic stories, correlation searches, and advanced hunting queries. Organizations are advised to enhance identity monitoring, implement behavior-based detection, develop robust hunting programs, establish strong baselines, and maintain comprehensive device and user-agent inventories to improve security posture.

  • Suspected Nation-State Adversary Targets Pakistan Navy in Cyber Espionage Campaign - The BlackBerry Research and Intelligence Team discovered a cyber espionage campaign targeting the Pakistan Navy, involving a sophisticated infostealer called Sync-Scheduler. The campaign used malicious Thunderbird extensions and fake emails to trick users into downloading malware. While similarities were found with other threat groups, there was not enough evidence for attribution. The investigation highlights the need for regular user awareness training, endpoint protection solutions, and threat intelligence to defend against such attacks. Additionally, the campaign demonstrated advanced tactics and persistence in targeting government and defense sectors in the region.

  • Detection of “evil-winrm” - Evil-winrm is a post-exploitation tool for interacting with Windows systems over Windows Remote Management (WinRM), the Windows service that exposes remote management through the WS-Management (WS-Man) protocol. Because evil-winrm drives a remote PowerShell session, PowerShell module logging (Event ID 4103 in the Microsoft-Windows-PowerShell/Operational log) records its activity, and a detection rule built on fields such as the command name and the host process path can single out evil-winrm sessions.

  • From JinxLoader to Astolfo Loader: The Evolution of a Cyber Threat - JinxLoader is a malware loader distributed via phishing emails to deploy additional malware on compromised Windows and Linux systems. Originally sold on Hack Forums, it has evolved into Astolfo Loader, rebranded and rewritten in C++ for improved performance. Both loaders focus on delivering additional malware efficiently. Astolfo Loader includes advanced anti-analysis measures and connects to malicious C2 servers. MaaS operations like Astolfo Loader exemplify the proliferation of complex malware via easily accessible hacking forums.

  • RobotDropper Automates the Delivery of Multiple Infostealers - BlackBerry Research and Intelligence Team has identified a phishing campaign that delivers multiple infostealers to victims' systems using Trojanized MSI files. The campaign, known as RobotDropper, utilizes DLL sideloading to execute LegionLoader and distribute various malicious programs. The malware is spread through pirated software and cloud hosting providers, with over 400 unique malicious MSI files uploaded since June 2024.

  • DFIR Breakdown: Kerberoasting - Kerberoasting abuses normal Kerberos behaviour in an Active Directory environment: any authenticated user can request service tickets for accounts that have SPNs, and because each ticket is encrypted with the service account's password hash the attacker can crack it offline. Domain controllers are central to detection because they log these ticket requests (Event ID 4769). Cyber Triage helps by automatically collecting and scoring the artifacts related to the attack. Detection is hard because the cracking happens offline and the requests themselves are legitimate protocol use, which is why tooling that collects and correlates the artifacts simplifies the investigation.
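
As an added example (not Cyber Triage's logic), the two checks an analyst would apply to 4769 events when hunting for this: first, per-event filtering for service-ticket requests that use a weak encryption type (RC4 or DES) for a non-machine, non-krbtgt service account, which is the tell-tale of tooling that asks for crackable tickets; second, grouping those requests by requesting user and source IP to find one source pulling tickets for many SPN accounts in a short window, which is what a bulk roast looks like. The records are constructed to mirror the 4769 field names and are not real log data; the window size and threshold are this example's assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Added example, not Cyber Triage's logic. Constructed records shaped like the
# fields of Security Event ID 4769 (a Kerberos service ticket was requested).

WEAK_ETYPES = {"0x1", "0x3", "0x17"}   # DES-CBC-CRC, DES-CBC-MD5, RC4-HMAC


def t(hhmmss: str) -> datetime:
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return datetime(2024, 11, 20, h, m, s, tzinfo=timezone.utc)


def ev(time, user, service, ip, etype, status="0x0"):
    return {"time": t(time), "TargetUserName": user, "ServiceName": service,
            "IpAddress": ip, "TicketEncryptionType": etype, "Status": status}


EVENTS = [  # constructed sample
    ev("10:00:01", "jsmith@CORP.LOCAL", "FS01$", "10.0.0.21", "0x12"),       # AES, machine account
    ev("10:00:05", "jsmith@CORP.LOCAL", "krbtgt", "10.0.0.21", "0x17"),      # TGT renewal, excluded
    ev("10:03:00", "legacyapp@CORP.LOCAL", "WS07$", "10.0.0.31", "0x17"),    # RC4 to a machine account
    ev("10:15:00", "bob@CORP.LOCAL", "svc_sql", "10.0.0.50", "0x17"),        # burst begins
    ev("10:15:01", "bob@CORP.LOCAL", "svc_http", "10.0.0.50", "0x17"),
    ev("10:15:02", "bob@CORP.LOCAL", "svc_backup", "10.0.0.50", "0x17"),
    ev("10:40:00", "alice@CORP.LOCAL", "svc_sql", "10.0.0.60", "0x12"),      # normal AES request
]


def is_roast_candidate(event) -> bool:
    """Successful TGS request with a weak etype for a user (SPN) account.

    Machine accounts ($) and krbtgt are excluded: their RC4 tickets are common
    and their passwords are not crackable in practice, so they only add noise.
    """
    svc = event["ServiceName"]
    return (event["Status"] == "0x0"
            and event["TicketEncryptionType"] in WEAK_ETYPES
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def bulk_requesters(events, window=timedelta(minutes=5), min_services=3):
    """Group candidate requests by (user, source IP) and report sources that
    requested tickets for at least min_services distinct accounts inside a
    sliding window. Returns {(user, ip): {service names}}."""
    by_src = defaultdict(list)
    for event in sorted(events, key=lambda e: e["time"]):
        if is_roast_candidate(event):
            by_src[(event["TargetUserName"], event["IpAddress"])].append(event)
    flagged = {}
    for src, evs in by_src.items():
        for i, first in enumerate(evs):
            names = {e["ServiceName"] for e in evs[i:]
                     if e["time"] - first["time"] <= window}
            if len(names) >= min_services:
                flagged[src] = names
                break
    return flagged


if __name__ == "__main__":
    for e in EVENTS:
        if is_roast_candidate(e):
            print("candidate:", e["time"].time(), e["TargetUserName"], "->", e["ServiceName"])
    print("bulk requesters:", bulk_requesters(EVENTS))
```

The per-event filter alone fires on any legacy client that still negotiates RC4, so in practice the bulk grouping (or a baseline of which users normally request which SPNs) is what turns it into an alert rather than a hunt query. The detail that 4769 carries the requesting user's TGT identity and source IP but not the process on the endpoint is also why the investigation usually continues on the client host.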

  • Helldown Ransomware: an overview of this emerging threat - This post explores Helldown, an emerging ransomware targeting Windows systems. It covers the malware's capabilities, infection vectors and behaviour, such as data encryption and ransom demands, highlights its evasion techniques, and provides guidance on prevention and detection.

  • When Guardians Become Predators: How Malware Corrupts the Protectors - This blog post explores how malware exploits and corrupts the security tools meant to protect systems: attackers use software flaws or integration weaknesses in protective solutions to further compromise environments. Techniques and case studies show how these tactics evolve, and the post urges organizations to improve monitoring and resilience in their defenses.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • Women In Russian-Speaking Cybercrime: Mythical Creatures or Significant Members of Underground? - The blog explores the presence and roles of women in Russian-speaking cybercrime networks, highlighting that women play significant but often overlooked roles in the underground world. It discusses how gender dynamics in Russian-speaking cybercrime are shaped by socio-economic factors in Russia, Ukraine, and Belarus. The case studies of female cybercriminals, like Alla Witte and Yuliya Pankratova, shed light on the evolving roles of women, from technical positions to leadership roles in hacktivist-like groups aligned with state interests. Overall, the blog aims to provide a nuanced understanding of the complex gender dynamics in Russian-speaking cybercrime.

  • Pirates in the Data Sea: AI Enhancing Your Adversarial Emulation - AI and large language models are revolutionizing the cybersecurity world by helping attackers and defenders make sense of vast amounts of security data. Using tools like Guardrails, AI can process unstructured data, such as social media job titles or files containing credentials, to extract valuable information. Case studies demonstrate how AI can be used to improve red teaming activities, such as correlating user accounts and finding high-value targets in Active Directory, while also suggesting defense strategies for organizations. Despite some limitations, the use of AI in adversarial emulation and defense shows promise in enhancing security practices.

  • Phishing by Design: Two-Step Attacks Using Microsoft Visio Files - Perception Point's researchers have identified a new type of phishing attack that uses Microsoft Visio files (.vsdx) and SharePoint to embed malicious URLs and steal credentials. This two-step attack method involves sending emails from compromised accounts with attachments that lead to a SharePoint-hosted Visio file containing a hidden URL. Victims are instructed to click on the URL by holding the Ctrl key, which redirects them to a fake Microsoft login page to steal their credentials. This sophisticated evasion tactic exploits user trust in familiar tools and evades detection by standard email security platforms.

  • WebVM 2.0: A complete Linux Desktop Environment in the browser via WebAssembly - WebVM 2.0 is a Linux Desktop Environment that runs in the browser using WebAssembly, allowing for virtual machines on the web. It includes a C++ to Wasm/JS compiler and Java runtime for browsers. The technology utilizes CheerpX, a virtualization engine, to run unmodified Linux x86 binaries in the browser sandbox. It also incorporates a low-latency disk backend for data storage and private networking via Tailscale VPN. Additionally, it supports the Linux KMS API and Xorg for graphical applications. The release is open source and aims to improve performance and expand capabilities in the future.

  • Sketchy Cheat Sheet - Story of a Cloud Architecture Diagramming Tool gone wrong - In this blogpost, the author recounts their experience discovering and reporting a series of vulnerabilities and misconfigurations in Google's Architecture Diagramming Tool. The vulnerabilities included unauthorized access to Google Cloud Platform (GCP) resources, cross-site scripting (XSS) attacks, insecure storage practices using Firebase, and the ability to access and manipulate source code. The severity of these findings led to the service being quarantined and ultimately decommissioned in October 2024. The author highlights the responsible disclosure process and shares insights for educational purposes.

  • Breaking the most popular Web Application Firewalls in the market - A blog post details the process of breaking the SQL injection and cross-site scripting rules of popular Web Application Firewalls (WAFs) like ModSecurity. The post includes bypass techniques for different WAFs, such as blind time-based injections and UNION-based injections, along with XSS bypasses. A universal SQL injection bypass technique that works across multiple WAFs is also discussed. The post highlights the challenges faced in bypassing WAFs and the use of different techniques to achieve successful bypasses.

  • How XBOW found a Scoold authentication bypass - XBOW, a security organization, found a critical CVE in Scoold, an open-source Q&A platform used by companies like Cisco and IBM. The vulnerability allowed an attacker to bypass authentication and access sensitive information. XBOW detailed their discovery and exploitation of the vulnerability, including finding an authentication bypass and successfully reading arbitrary files on the server. Scoold developers quickly released a patch to fix the issue, and XBOW is excited to share more vulnerabilities they have found in the future.

  • Prompt Injecting Your Way To Shell: OpenAI's Containerized ChatGPT Environment - This blog explores the capabilities of interacting with OpenAI's containerized ChatGPT environment through prompt injections, file management, and extracting GPT instructions. It highlights the controlled sandbox environment, allowing users to upload, execute, and move files within ChatGPT's container. It also discusses the implications of accessing GPT instructions and downloading knowledge data, emphasizing transparency and security considerations. Additionally, it explains why OpenAI considers certain sandbox activities as intentional features rather than security vulnerabilities, providing insights for bug hunters and security enthusiasts.

  • ADCS Attack Techniques Cheatsheet - This document is a cheatsheet for ADCS attack techniques, with different abuse scenarios listed along with the prerequisites required for each technique. It includes information on exploiting vulnerabilities in Certificate Authorities (CAs) and Certification Templates (CTs) to gain control of the PKI system. Various tools and resources are also mentioned for checking and exploiting these vulnerabilities. Many of the techniques mentioned involve manipulating permissions, exploiting weak mappings, or abusing certificates to compromise the security of ADCS systems.

  • Modifying Impacket to avoid detection - A Notion-hosted write-up on modifying Impacket to avoid detection.

  • Handling Cookies is a Minefield - This article documents the complexities and inconsistencies in how cookies are handled across programming languages, browsers and servers. The author shows how ambiguity in the cookie specification leads to different parsers making different decisions, and to errors and failures on websites as a result. The article argues that updating the cookie specification to match modern practice, and clarifying how systems should handle the edge cases, would give users a more reliable and consistent experience, and credits several people who helped research the nuances.
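
As an added illustration of why the topic is a minefield (this is not the article's code), a request-side Cookie header parser that makes the ambiguous decisions explicit parameters rather than hidden behaviour: how to split the header, where a value starts, what to do with a segment that has no `=`, whether quotes belong to the value, and, the classic one, which value wins when the same name appears twice. The sample header is constructed; the choices in the docstring are this example's own, and the point is that a given framework will have made each of them differently.

```python
# Added example, not the article's code. A deliberately explicit parser for
# the request-side Cookie header, with each ambiguous decision spelled out.

def parse_cookie_header(header: str) -> list:
    """Split a Cookie header into (name, value) pairs, in order, keeping duplicates.

    Decisions made here that real parsers disagree on:
      - ';' is the only separator (RFC 6265 section 4.2.1); ',' stays in the value
      - the first '=' splits name from value, so 'a=b=c' is ('a', 'b=c')
      - a segment with no '=' becomes a nameless cookie ('', segment), the way
        some browsers transmit a Set-Cookie that had no name
      - surrounding double quotes are kept: RFC 6265 makes them part of cookie-value
      - empty segments (';;' or a trailing ';') are skipped rather than rejected
    """
    pairs = []
    for segment in header.split(";"):
        segment = segment.strip(" \t")
        if not segment:
            continue
        name, sep, value = segment.partition("=")
        if not sep:
            name, value = "", name
        pairs.append((name.strip(), value.strip()))
    return pairs


def cookie_dict(pairs, policy: str = "first") -> dict:
    """Collapse pairs to a dict. Duplicate names are where implementations split:
    some keep the first occurrence, some the last. RFC 6265 tells servers not to
    rely on the order at all, yet session handling depends on the answer."""
    out = {}
    for name, value in pairs:
        if policy == "first":
            out.setdefault(name, value)
        elif policy == "last":
            out[name] = value
        else:
            raise ValueError("policy must be 'first' or 'last'")
    return out


SAMPLE = 'session=abc; session=xyz; a=b=c; bare; q="quoted";; '  # constructed


if __name__ == "__main__":
    pairs = parse_cookie_header(SAMPLE)
    print(pairs)
    print("first wins:", cookie_dict(pairs, "first")["session"])
    print("last wins: ", cookie_dict(pairs, "last")["session"])
```

The duplicate-name case is the one that bites in practice: a cookie set on both `example.com` and `www.example.com`, or on two paths, arrives twice with the same name, and whether the application sees `abc` or `xyz` depends on the framework (Go's `http.Request.Cookie` returns the first match; Python's `http.cookies.SimpleCookie` is a dict, so the last assignment wins). A fixation or session-confusion bug is usually hiding in that difference.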

  • PagedOut #5 (PDF) - This PagedOut issue explores topics including cybersecurity, programming, and technical challenges. It offers practical guides, code snippets, and in-depth analysis on advanced hacking techniques, software development, and system vulnerabilities. Key themes include exploit development, process injection, reverse engineering, and cloud security strategies.

  • New Zero-Day Vulnerability Detected: CVE-2024-43451 (PDF) - This ClearSky Security report on CVE-2024-43451, a Windows NTLM hash disclosure (spoofing) vulnerability exploited in the wild, provides an in-depth analysis of the vulnerability's technical workings, the exploitation techniques observed, the potential impact on affected systems, and mitigations. It describes the threat actor's behaviour and offers actionable recommendations to strengthen defenses against similar exploits.
