Last Week in Security - 2024-12-02
We're Hiring!
Immediate Open Positions:
Maryland Applicants:
We have openings for a Cryptologic Computer Scientist, Cyber Operator Developer Analyst, Ethical Hacker, Information Assurance Specialist, Information Systems Security Officer, Jr. Offensive Cyber Operator, Red/Blue Team Engineer, Senior Web Application Penetration Tester, Systems Engineer, Data Scientist, HPC Software Engineer, Information Systems Security Engineer, Operations Research Analyst, Reverse Engineer, and Software Engineer.
Virginia Applicants:
Available opportunities: DevSecOps Engineer and Red Team Operator - Senior.
For more open positions visit: https://www.sixgen.io/careers
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools, and exploits from the past week. This post covers 2024-11-25 to 2024-12-02.
News
DOJ: Man hacked networks to pitch cybersecurity services - A man from Kansas City was indicted by the Department of Justice for hacking into computer networks and breaking into buildings to promote his cybersecurity services.
Microsoft shares latest intelligence on North Korean and Chinese threat actors at CYBERWARCON - At CYBERWARCON, Microsoft shared intelligence on North Korean and Chinese threat actors. North Korean threat actors, such as Sapphire Sleet and Ruby Sleet, have been conducting cryptocurrency theft and phishing operations targeting satellite and weapons systems. Chinese threat actor Storm-2077, also known as TAG-100, conducts intelligence collection targeting government agencies and non-governmental organizations. Microsoft highlighted the challenges of tracking these threat actors and ways organizations can protect themselves. Microsoft also discussed how North Korean IT workers, operating abroad, present a triple threat by earning money for the regime, stealing sensitive data, and conducting identity theft with the help of facilitators.
Hacker in Snowflake Extortions May Be a U.S. Soldier - Two men have been arrested for extorting data from companies using Snowflake, a cloud data storage company, but a third suspect remains at large and is suspected to be a U.S. Army soldier stationed in South Korea. The hackers stole data from Snowflake accounts and extorted companies for ransom. The hacker, known as Kiberphant0m, has been publicly extorting victims and selling stolen data. The hacker's multiple cybercrime personas suggest they may have ties to the U.S. Army and are involved in various cybercriminal activities. The hacker denies being in the U.S. Army and claims it was a ruse to create a fictitious persona.
Phishing-Resistant Multi-Factor Authentication (MFA) Success Story: USDA’s Fast IDentity Online (FIDO) Implementation - The U.S. Department of Agriculture (USDA) successfully implemented phishing-resistant multi-factor authentication (MFA) using Fast IDentity Online (FIDO) technology to address the unique needs of its over 130,000 employees who couldn't rely on personal identity verification (PIV) cards. By adopting a centralized technology architecture and piloting FIDO solutions, USDA was able to provide secure authentication without passwords, reducing the risk of credential phishing attacks. The implementation of FIDO and a centralized approach allowed USDA to enforce phishing-resistant MFA for a large portion of its IT systems, showcasing the importance of organizations moving away from password authentication and adopting secure MFA technologies like FIDO.
Inside ExxonMobil's Alleged Hack-for-Hire Campaign Targeting Climate Activists - ExxonMobil is facing allegations of orchestrating a hack-for-hire campaign targeting climate activists and journalists, involving mercenary hackers and PR firms to discredit environmental advocates. The operation, known as Dark Basin, involved phishing emails and leaking stolen information to media outlets and court filings. The case highlights the industrialization of digital warfare in corporate disputes, with implications for advocacy and journalism. The investigation continues, while advocates call for stronger legal frameworks to address such hack-for-hire operations in the future.
Techniques and Write-ups
UDRL, SleepMask, and BeaconGate - The article discusses the UDRL, Sleep Mask, and BeaconGate features of Cobalt Strike's Beacon. UDRL allows operators to replace the reflective loader with a custom implementation, while Sleep Mask can mask Beacon's memory. BeaconGate proxies API calls via Sleep Mask for additional evasion features. Developers can customize these features for advanced capabilities, and potential future developments may simplify and expand the usage of these tools.
1 little known secret of ShellExec_RunDLL - The ShellExec_RunDLL API has a little-known secret: it accepts a special command line argument that modifies the fMask value. By appending a question mark followed by a numeric value, the caller changes the function's behavior. This can be used to bypass certain checks and launch specific programs, such as Calculator, by manipulating the fMask value from the command line.
DeepSeek AI: From Prompt Injection To Account Takeover - A new AI reasoning model called DeepSeek AI was recently released by a Chinese lab, generating excitement in the AI community for its capabilities. During a penetration test, a prompt injection led to the discovery of a cross-site scripting (XSS) vulnerability in the application. By exploiting this vulnerability, an attacker could take over a user's account. The issue was promptly reported and fixed by the DeepSeek team, demonstrating the importance of addressing security vulnerabilities in AI-powered applications.
Introducing NachoVPN: One VPN Server to Pwn Them All - NachoVPN, an open-source tool, has been released to demonstrate vulnerabilities in leading corporate VPN clients that can be exploited by attackers. It showcases how attackers can gain privileged access by manipulating client behaviors and executing arbitrary commands. The tool is platform-agnostic and encourages community contributions. Detailed advisories for vulnerabilities in Palo Alto GlobalProtect and SonicWall NetExtender have also been published to help organizations protect against these threats. The aim is to raise awareness and drive improvements in VPN client security.
badmalloc (CVE-2023-32428) - a macOS LPE - On his hack blog, Gergely discusses his discovery of a bug called badmalloc (CVE-2023-32428) in macOS that allowed for Local Privilege Escalation (LPE). The bug involved a "magical" framework used for debugging application memory allocations, which could be exploited to write files with escalated privileges. Despite Apple's efforts to mitigate the bug, Gergely found ways to bypass them and exploit the vulnerability. He eventually received a bounty for his discovery, but had a frustrating experience with Apple's communication and handling of the situation.
Introduction to Fuzzing Android Native Components - The article discusses the importance of fuzzing Android native components in mobile applications due to the security risks posed by vulnerable code. It explains the use of AFL++ fuzzer and QEMU emulator to test for vulnerabilities in native code components. The process involves creating a harness to pass mutated inputs to the target function in the dynamic library of an Android application. The article provides detailed steps on setting up the environment, compiling code, running the fuzzing process, and analyzing the results to identify vulnerabilities. The ultimate goal is to enhance security practices in Android app development to prevent cyber threats.
Malicious NPM Package Exploits React Native Documentation Example - Checkmarx Security Research Team discovered a malicious npm package that exploited an example from React Native’s official documentation to trick developers into downloading their package, posing a security risk. The incident highlights the importance of verifying sources even when following trusted documentation. The community response was proactive in reporting the issue, emphasizing the need for vigilance in supply chain security. Checkmarx offers a Supply Chain Security solution to monitor suspicious activities and alert customers to potential threats.
“Free Hugs” – What to be Wary of in Hugging Face – Part 3 - Checkmarx discusses the potential risks and vulnerabilities associated with using Hugging Face, focusing on the potential for malicious models to be uploaded and loaded by unsuspecting users. The blog highlights specific methods for exploiting vulnerabilities in various integrated libraries supported by Hugging Face, such as TF1 malicious models and FastAI pickles. Despite reporting these issues to Hugging Face, the response indicated that users should not load models from repositories they don't know or trust. Checkmarx emphasizes the importance of securing application development from code to cloud and building trust between key stakeholders to mitigate security risks.
Create your own C2 using Python - Part 2 - This blog post discusses creating a C2 using Python, focusing on simplifying the user interface and adding new features such as listing files, sending and receiving files, and executing commands on the agent. The author emphasizes the ease of using Python for cross-platform functionality and provides code updates for both the implant/agent and C2 server. The post includes code snippets and a GIF demonstrating the new features, with a promise to explore more techniques in future posts.
Abusing AD-DACL: GenericWrite - This article explores how attackers can abuse the GenericWrite permission in Active Directory environments to update attributes, escalate privileges, and perform Kerberoasting attacks. The lab setup and methods for exploitation are outlined, along with detection mechanisms and mitigation recommendations. Tools like BloodHound, Net RPC, PowerView, and BloodyAD are used to demonstrate these attacks. Overall, the post provides security professionals with insights to recognize and defend against these common threats.
Remote Code Execution with Spring Properties - The article discusses a remote code execution vulnerability found in a Spring application that allows an attacker to exploit the file upload functionality to execute remote code. The vulnerability involves manipulating properties in the Spring application to control the execution flow and ultimately restart the server remotely. The author provides a proof of concept code and encourages other researchers to explore similar vulnerabilities in Spring applications. The exploit demonstrates the importance of securing file upload functionalities and being vigilant against potential remote code execution attacks.
Extending Burp Suite for fun and profit – The Montoya way – Part 8 - In this article, the focus is on extending Burp Suite using BChecks, a new feature that allows users to add checks to the Active and Passive Scanner without developing dedicated extensions. The article provides detailed instructions on how to create BChecks for detecting SQL Injection, Blind SQL Injection, and SSRF vulnerabilities. The author also gives tips on testing and improving these rules, as well as how to use Burp Suite scanner for efficient testing. The article concludes by pointing readers to the author's GitHub repository for the complete code and further examples of BChecks.
Group Policy Security Nightmares pt2 - The blog post discusses a Group Policy Object (GPO) configuration that copies a custom file from a remote share to local machines, affecting hostname resolution in Windows. The problem arises when the source file on the remote share grants “Users” full control, allowing any authenticated user to modify the file and introduce malicious entries. This configuration opens the door for abuse, enabling attackers to manipulate name resolution and conduct Man-in-the-Middle (MitM) attacks. The author has developed a tool to demonstrate how these weaknesses can lead to a complete domain takeover.
Hacking with Curl! - The PentesterLab Blog discusses hacking techniques using curl to enhance web skills. It covers tricks for debugging curl commands, testing for directory traversal vulnerabilities, and using curl for file uploads. The article emphasizes the importance of mastering curl for web development and security testing, and provides tips for saving favorite arguments and enhancing technical expertise. The blog encourages readers to explore its lessons on HTTP and continue practicing with curl for a deeper understanding of web interactions.
From XSS Vulnerability to Full Admin Access - Haymiz shares a real-world engagement where he exploits a stored XSS vulnerability to gain admin access, despite cookie security measures. He bypasses Cloudflare protection and manipulates the HTML DOM to steal the administrator's cookie value in a web application built with Django. By sending XHR/AJAX requests, he extracts CSRF tokens and gains full admin access to the Django Admin page without phishing or referrals. This demonstrates the potential impact of simple vulnerabilities like XSS in advanced web applications.
Null problem! Or: the dangers of an invisible byte - GreyNoise Labs posted a blog about a vulnerability that involves using a null byte to bypass authentication on ASUS GT-AC2900 devices. The blog explained how null bytes are invisible and tricky to work with, and how using them incorrectly can lead to exploits not being executed properly. Despite the vulnerability being publicized, scanners trying to exploit it correctly have not been successful, while those sending broken payloads have been identified. GreyNoise Labs is trying to figure out the best way to handle this situation.
Finding vulnerabilities in ClipSp, the driver at the core of Windows’ Client License Platform - Cisco Talos researchers have discovered eight vulnerabilities in ClipSp, the driver at the core of Windows' Client License Platform, ranging from signature bypass to elevation of privileges and sandbox escape. ClipSp is a first-party driver on Windows 10 and 11 responsible for implementing licensing features and system policies. The driver is obfuscated and little public research exists on it. The vulnerabilities found could lead to sandbox escapes and significant impacts on compromised users if exploited. The research project was presented at HITCON and Hexacon, showcasing the importance of exploring less traveled paths in software security research.
Arbitrary web root file read in Sitecore before v10.4.0 rev. 010422 - The SCRT Team found an arbitrary web root file read vulnerability in Sitecore before version 10.4.0 rev. 010422. They discovered that by supplying a whitelisted path in a parameter and appending a certain character followed by the file name, they could read arbitrary files from the web root. They reported the issue to Sitecore, who confirmed it had already been patched in version 10.4.1 rev. 010874 PRE.
Azure & Entra ID token manipulation - The blog discusses manipulating and comparing security tokens in the Microsoft Identity platform, focusing on access tokens and refresh tokens. It covers two attack scenarios - device code phishing and malware stealer attacks - and discusses tools and behaviors involved in token theft attacks. The blog also explains the differences between access tokens and refresh tokens, how they work, and how to refresh them in different scenarios. It provides examples and insights into token manipulation and token usage in offensive techniques, offering a detailed exploration of token mechanisms and API endpoints.
Mutation XSS: Explained, CVE and Challenge - The post discusses Mutation XSS, which involves exploiting differences between a sanitizer's parser and a browser's parser to execute malicious code. It explains various tricks and bypass techniques, including using namespaces, bugs in parsers, and altering output after parsing. Two examples of CVEs and a challenge are presented to showcase these concepts, highlighting the complexity and potential vulnerabilities in HTML sanitization. The post emphasizes the importance of thoroughly testing and ensuring the security of HTML sanitization methods.
Tales From The Crypt: Microsoft Unicode Collation Oddities Leading to Software Vulnerabilities - This article discusses a vulnerability in Microsoft SQL Server where a goblin emoji and an empty string are considered the same thing, leading to potential security issues. The article explores how this inconsistency in processing logic between an application and the database can be exploited to bypass authentication controls. The author provides code examples, explains the bug and its exploitation, and suggests ways to detect and remediate such vulnerabilities. The article also touches on the limitations of traditional penetration testing and the importance of understanding system behavior for effective security testing.
OtterRoot: Netfilter Universal Root 1-day - The post discusses the exploitation of a 1-day vulnerability in the Linux kernel's netfilter subsystem, which offered 0-day-like capabilities for two months. The vulnerability was a double-free bug caused by a coding error, which was exploited to gain control of the kernel and elevate privileges. The post also details the process of exploiting the vulnerability in the KernelCTF LTS instance and developing a universal exploit that worked across different kernel builds without recompilation. The exploit was usable for around two months before popular Linux distributions shipped the patch.
CVE-2024-11477 Writeup - The write-up discusses a vulnerability in 7-Zip related to the Zstandard compression library, known as CVE-2024-11477. The author outlines their process of analyzing the code, attempting to exploit the vulnerability, and encountering challenges such as obtaining a copy of 7-Zip with symbols for debugging, setting breakpoints in a gdb session, and altering file bytes to manipulate the code's behavior. They conclude that while they were able to trigger a SEGFAULT, they were unable to achieve code execution due to limitations in the code design. The author provides detailed explanations of their thought process and the steps taken throughout the analysis.
0x00 - Introduction to Windows Kernel Exploitation - This post is an introduction to Windows Kernel Exploitation, focusing on Windows 7 (x86) and Windows 10 (x64) with the goal of eventually working with Windows 11 (x64). The post provides a list of tools needed for the tutorial series, recommendations for free and paid resources for learning exploit development, and a table of contents for the topics covered. It also includes a practical example of a stack overflow exploit on Windows 7 (x86), showing how to identify a vulnerability, crash the system, and gain control over the instruction pointer to ultimately spawn a SYSTEM shell. The post concludes with a walkthrough of fixing a crash caused by a faulty return address in the shellcode.
Windows - Data Protection API (DPAPI) Revisited - Chromium-based browsers have changed how they handle encryption of cookies, implementing a new method that uses a privileged COM object running with SYSTEM privileges. This new method validates the calling process before decrypting data, making it harder for attackers to access browser cookies using DPAPI user master keys. However, with local administrator privileges, attackers can work around this restriction. Chromium developers are also working on a new specification to make stolen cookies unusable on another device.
Tools and Exploits
KrbRelayEx - The GitHub repository decoder-it/KrbRelayEx contains a tool called KrbRelayEx, designed for performing Man-in-the-Middle attacks by relaying Kerberos AP-REQ tickets, enabling access to SMB shares or HTTP ADCS endpoints. It was created to explore the misuse of privileges granted to certain groups in Active Directory for modifying DNS records.
netcredz - NetCredz is a tool that extracts credentials from pcap files or live traffic without any dependencies. It supports various protocols such as NTLM, LDAP, HTTP, SMTP, SNMP, Telnet, FTP, and Kerberos, while also detecting DHCPv6 and LLMNR traffic. Inspired by PCredz, it offers features like filtering, regex search, and output to log files for analysis. The tool can be run with a pcap file or on a live network interface, and supports remote logging and backward compatibility with Python 2.
Nighthawk 0.3.3 – Evanesco - MDSec's Nighthawk 0.3.3 - Evanesco release introduces groundbreaking memory hiding features to enhance cyber attack simulations. The release includes innovative new features and bug fixes to improve cybersecurity resilience. The release also includes a Python API for automation and client-side scripting support, as well as enhancements to bypass Control-flow Enforcement Technology (CET) for more effective beaconing.
NachoVPN - NachoVPN is a malicious SSL-VPN server that demonstrates exploitation of SSL-VPN clients using a rogue VPN server. It supports various popular corporate VPN products and has a plugin-based architecture for community contributions.
Hannibal - Hannibal is a Mythic C2 agent written in x64 PIC C, designed to be used as a Stage 1 agent with a focus on initial foothold abilities. It is small, modular, and simple, providing education on position independent coding, agent design, Mythic agent development, and C programming for offensive and defensive resources. Hannibal can be installed with Mythic on a remote computer and has post-exploitation capabilities with various commands available.
shellcode-template - The GitHub repository contains a cmkr-based win32 shellcode template for a unified build platform with a focus on a production-friendly structure and testing. The template aims to bridge the gaps between MSVC/VS and GNU/Make through clang and cmake. It is known to function well on Linux and should work on Windows with the proper compiler, cmake, and Python version.
WinDepends - WinDepends is a tool for analyzing Windows PE files and building hierarchical tree diagrams of dependent modules. It was created to fill the gap left by the discontinued development of Dependency Walker. The tool supports various features such as delay-load DLLs, ApiSet contracts, and C++ function name undecorating.
Eclipse - Eclipse is a proof-of-concept tool that performs Activation Context hijacking to load and run an arbitrary DLL in a desired process. It offers two modes: spawning a new process with a custom Activation Context or hijacking the Activation Context of an already running process. The tool requires a manifest file to create the malicious Activation Context, which can be used to modify the behavior of a process by redirecting the loading of DLLs. Eclipse can be used to disable features like ETW and AMSI in a process, as well as to intercept calls and modify the execution of functions in a DLL.
havoc-gosecdump - The GitHub repository "havoc-gosecdump" contains a module that uploads the gosecdump binary to a temporary folder under Windows for use in attacking systems. The gosecdump command can be installed and used with parameters to dump SAM/LSA/DCC2 on a remote machine. This tool is intended to bypass EDR-type solutions and can be used to dump security credentials. There are options for uploading the binary and running it without creating a new process or using the "noconsolation" mode to avoid dropping the binary on the target machine.
Threat Intel and Defense
Bootkitty: Analyzing the first UEFI bootkit for Linux - ESET researchers have analyzed Bootkitty, the first UEFI bootkit designed for Linux systems. This bootkit is a proof of concept and has not been deployed in the wild. It disables kernel signature verification and preloads unknown ELF binaries into the Linux kernel during startup. Additionally, a related kernel module, BCDropper, has been identified, suggesting the same authors may have developed both. Bootkitty is signed with a self-signed certificate and highlights the evolving UEFI threat landscape beyond Windows systems. It is recommended to ensure UEFI Secure Boot is enabled and systems are up-to-date to prevent potential future threats.
Unemployfuscation - Grumpy Goose Labs discusses the increasing popularity of obfuscated PiKVM and TinyPilot devices and the security threats they pose, especially in the context of North Korean state-sponsored actors using similar technologies. The article provides detection methods for these devices, focusing on USB events and configuration descriptors. The post emphasizes the importance of recognizing and monitoring the use of such devices to prevent security breaches and potential consequences like termination.
RomCom exploits Firefox and Windows zero days in the wild - RomCom, a Russia-aligned group, was found exploiting zero-day vulnerabilities in Mozilla Firefox and Windows to deploy their backdoor. The exploit allowed them to execute arbitrary code on victims' computers without any user interaction. The group has been targeting various sectors worldwide, including governmental entities, the pharmaceutical sector, and the energy sector. ESET researchers reported the vulnerabilities to Mozilla and Microsoft, who released patches to mitigate the exploits. RomCom's sophisticated tactics highlight their advanced capabilities in cyber espionage and criminal activities.
Rockstar 2FA Phishing-as-a-Service (PaaS): Noteworthy Email Campaigns - The Rockstar 2FA phishing kit is being used in email campaigns with techniques like using legitimate services to host malicious links. Attackers are using QR codes, stolen email threads, and HTML obfuscation to trick users into clicking on phishing links.
Gaming Engines: An Undetected Playground for Malware Loaders - Check Point Research discovered a new technique using the Godot Engine in gaming to execute malicious GDScript, which goes undetected by most antivirus engines. The malware loader, known as GodLoader, has been utilized by threat actors since June 29, 2024, infecting over 17,000 machines. The malware is distributed through the Stargazers Ghost Network, a GitHub network that distributes malware. This technique allows threat actors to target and infect devices across multiple platforms, posing a significant threat to users of Godot-developed games. Cybercriminals are constantly evolving their tactics to increase infections, pushing them to stay undetected by using innovative methods to deliver and execute malicious code.
PSLoramyra: Technical Analysis of Fileless Malware Loader - PSLoramyra is a fileless malware loader that uses PowerShell, VBS, and BAT scripts to inject and execute malicious payloads directly in memory, evading detection. The malware establishes persistence through Windows Task Scheduler and executes stealthily with minimal system footprint. The blog post provides a technical analysis of PSLoramyra and its infection chain, showcasing its advanced capabilities and stealthy execution.
BEC-ware the Phish (part 3): Detect and Prevent Incidents in M365 - This article discusses the importance of detecting and preventing incidents in M365, specifically focusing on phishing attacks. It emphasizes the need for updated anti-malware policies, configuring Defender for Office and Cloud Apps, and using KQL to adjust alert policies. The role of end users in detecting phishing is also highlighted, as well as the importance of maintaining anomaly detection policies and utilizing tools like Sentinel for better visibility. The article also provides insights into how to update email protection policies and configure threat and alert policies to prevent email-based attacks.
LogoFAIL Exploited to Deploy Bootkitty, the first UEFI bootkit for Linux - Bootkitty, the first UEFI bootkit for Linux, exploits the LogoFAIL image parsing vulnerabilities to infect the Linux kernel. This new threat highlights a shift in firmware-based threats towards Linux systems from Windows. The bootkit is capable of injecting rogue certificates into the UEFI firmware, bypassing Secure Boot protections. Vulnerable devices include models from Acer, HP, Fujitsu, and Lenovo, with evidence suggesting the exploit may have been tailored for specific hardware configurations. Customers using the Binarly Transparency Platform can receive code-guided detection to mitigate both the LogoFAIL vulnerabilities and malicious components of Bootkitty.
Rockstar 2FA: A Driving Force in Phishing-as-a-Service (PaaS) - Trustwave and Cybereason are actively monitoring the rise of Phishing-as-a-Service (PaaS) platforms like Rockstar 2FA, which employs varying techniques to launch social engineering attacks. The Rockstar 2FA phishing kit offers features like 2FA bypass, antibot protection, and theme customization for phishing campaigns, available for a subscription fee. The phishing campaigns associated with Rockstar 2FA use car-themed pages and various delivery mechanisms to target users, particularly those with Microsoft accounts.
Unmasking Browser Extensions — From Forensics to Security - Browser extensions are small software modules that enhance browser functionality by interacting with web pages. They can automate tasks, block ads, and provide additional features. The architecture of browser extensions consists of core files, content scripts, background scripts, UI components, browser APIs, and native messaging components. Security implications of browser extensions, such as over-permissioning, XSS vulnerabilities, CORS issues, native messaging risks, and MITM attacks, need to be carefully considered. Forensic analysis of browser extensions is important to identify and mitigate security risks, such as over-permissioning, malicious code injections, data exfiltration, and vulnerabilities in dependencies. Sandboxing and containment mechanisms in modern browsers restrict extension access to system resources, ensuring a secure browsing experience.
Analysis of Elpaco: a Mimic variant - The Elpaco ransomware variant is a customized version of the Mimic ransomware that abuses the Everything library for file discovery. It has a user-friendly GUI for customization by attackers, features for disabling security mechanisms and running system commands. The ransomware encrypts files with the ChaCha20 stream cipher and RSA-4096 asymmetric encryption, making decryption without the private key impossible. The attackers target a wide range of countries and continue to evolve their tactics, techniques, and procedures to evade detection and analysis.
Dozens of Machines Infected: Year-Long NPM Supply Chain Attack Combines Crypto Mining and Data Theft - The Checkmarx Security Research Team discovered a year-long NPM supply chain attack involving a malicious package called @0xengine/xmlrpc that combines crypto mining and data theft. The package evolved from a legitimate XML-RPC implementation to include malicious code, targeting sensitive data and mining cryptocurrency on infected systems. The attack was distributed through direct NPM installation and as a dependency in a legitimate-looking GitHub repository. The malware incorporated sophisticated evasion techniques and data exfiltration capabilities, highlighting the importance of thorough vetting and monitoring of open-source projects to mitigate supply chain risks.
Detection Opportunities — EDR Silencer, EDRSandblast, Kill AV… - The article discusses various tools used by ransomware groups to disable or modify security solutions, such as EDRSilencer, EDRSandblast, and Kill AV. The research shows that ransomware groups often use techniques like Impair Defenses to bypass security measures. The article provides information on how to detect and prevent these tools, including using telemetry data and Sigma rules. It also mentions specific vulnerabilities in security software, such as Zemana AntiLogger, that have been exploited by threat actors to disable security solutions.
Detecting WiFi dumping via direct WinAPI calls and introduction to “Immutable Artifacts” - The article discusses the author's exploration of detecting WiFi dumping on Windows via direct WinAPI calls and the concept of "Immutable Artifacts." The author developed a C program to dump WiFi information using API calls and utilized Sysmon's Event ID 7 (Image loaded) to detect unknown EXEs loading "wlanapi.dll." They also discussed how to detect password dumping using PowerShell's ProtectedData functionality. The main point of the article is to challenge the reliance on known tools for detection and to focus on detecting artifacts that are always left behind by attackers. The author encourages writing detections that are immune to obfuscation and source code modifications.
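The "immutable artifact" here is that any program reading WiFi profiles through the WinAPI has to load wlanapi.dll, which Sysmon records as an Image loaded event (Event ID 7) regardless of what the program is called or how it was compiled. The following detection logic is an added example, not the article's code: it parses Sysmon events in their XML form and flags any loading process that is not an expected consumer of the DLL. The events and the allowlist are constructed for the demo; the allowlist is an assumption to be replaced by your own baseline.

```python
"""Flag unexpected executables loading wlanapi.dll from Sysmon Event ID 7.

Added example, not code from the article. The events and the allowlist
below are constructed for the demo.
"""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
TARGET_DLL = "wlanapi.dll"

# Processes that legitimately load wlanapi.dll on a typical workstation.
# This allowlist is an assumption for the example, not an authoritative baseline.
EXPECTED_LOADERS = {
    r"c:\windows\system32\netsh.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\explorer.exe",
}


def parse_event(xml_text):
    """Return EventID plus the EventData fields of one Sysmon event."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", NS)}
    data["EventID"] = int(root.find("e:System/e:EventID", NS).text)
    return data


def is_suspicious_wlanapi_load(event):
    """True when an Event ID 7 shows an unexpected image loading wlanapi.dll."""
    if event.get("EventID") != 7:
        return False
    loaded = PureWindowsPath(event.get("ImageLoaded", "")).name.lower()
    if loaded != TARGET_DLL:
        return False
    # Compare the full path, not just the file name, so a renamed copy of
    # netsh.exe in a user-writable directory still trips the rule.
    return event.get("Image", "").lower() not in EXPECTED_LOADERS


def scan(events_xml):
    """Return (Image, ProcessId) for every suspicious load among the events."""
    hits = []
    for xml_text in events_xml:
        ev = parse_event(xml_text)
        if is_suspicious_wlanapi_load(ev):
            hits.append((ev["Image"], ev.get("ProcessId")))
    return hits


def _event(image, loaded, pid, event_id=7):
    """Build a constructed Sysmon event string with the fields the rule needs."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>{event_id}</EventID></System>
  <EventData>
    <Data Name="Image">{image}</Data>
    <Data Name="ImageLoaded">{loaded}</Data>
    <Data Name="ProcessId">{pid}</Data>
    <Data Name="Signed">true</Data>
  </EventData>
</Event>"""


# Constructed sample telemetry: a legitimate netsh load, an unknown binary
# loading the DLL, an unrelated DLL load, and a non-7 event for the same DLL.
SAMPLE_EVENTS = [
    _event(r"C:\Windows\System32\netsh.exe", r"C:\Windows\System32\wlanapi.dll", 4120),
    _event(r"C:\Users\alice\Downloads\wifi_dump.exe", r"C:\Windows\System32\wlanapi.dll", 5532),
    _event(r"C:\Users\alice\Downloads\wifi_dump.exe", r"C:\Windows\System32\kernel32.dll", 5532),
    _event(r"C:\Users\alice\Downloads\notes.exe", r"C:\Windows\System32\wlanapi.dll", 6001, event_id=1),
]

if __name__ == "__main__":
    for image, pid in scan(SAMPLE_EVENTS):
        print(f"ALERT: unexpected wlanapi.dll load by {image} (pid {pid})")
```

Event ID 7 must be enabled for the DLL in your Sysmon configuration for these records to exist at all; the same shape of rule (DLL name plus loader allowlist) carries over to a Sigma image_load rule once the baseline is known.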
CyberVolk | A Deep Dive into the Hacktivists, Tools and Ransomware Fueling Pro-Russian Cyber Attacks - CyberVolk is a hacktivist collective from India with pro-Russian leanings that is responsible for multiple ransomware attacks. They aim to launch attacks on public and government entities to serve Russian government interests. The group has promoted ransomware families like HexaLocker and Parano and is associated with other groups like AzzaSec and DoubleFace. The group is highly dynamic and volatile, constantly shifting alliances and tools to advance their causes. Understanding groups like CyberVolk is crucial for organizations to prepare and strengthen their defenses against cyber threats.
Stealth in the Cloud: How APT36's ElizaRAT is Redefining Cyber Espionage - APT36, also known as Transparent Tribe, has been evolving their cyber espionage tactics, targeting Indian government agencies, diplomatic personnel, and military installations. They have introduced a more sophisticated Windows Remote Access Trojan called ElizaRAT, which uses advanced evasion techniques and enhances command-and-control capabilities. The ElizaRAT malware has been involved in several campaigns, including the Slack, Circle, and Google Drive campaigns, using platforms like Slack, Google Drive, and Telegram for communication. APT36's use of cloud platforms and new payloads like ApolloStealer indicate a shift towards more flexible and modular malware deployment to collect sensitive data.
Dissecting JA4H for improved Sliver C2 detections - Palo Alto Networks discovered critical vulnerabilities in their firewall devices, leading to intrusions targeting their devices. Arctic Wolf Labs detected a threat campaign using JA4H fingerprints for detection. JA4H is used to fingerprint HTTP requests and can be customized for enhanced threat hunting. By analyzing JA4H fingerprints, additional C2 servers were uncovered, showcasing the effectiveness of JA4+ suite for threat detection.
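JA4H is a fixed layout, so it can be computed from any captured HTTP request and compared across hosts. The following function is an added example, not Arctic Wolf's or the JA4+ project's code: it produces the four JA4H sections as laid out in the published JA4+ specification, JA4H_a (method, version, cookie and referer flags, header count, Accept-Language), JA4H_b (truncated SHA-256 of header names in order, Cookie and Referer excluded), JA4H_c (sorted cookie names) and JA4H_d (sorted cookie name=value pairs). The normalisation details are my reading of that specification, and the requests are constructed for the demo.

```python
"""Compute a JA4H fingerprint for a raw HTTP/1.x request.

Added example, not Arctic Wolf's or FoxIO's code. Field layout follows
the published JA4H specification as I read it; requests are constructed.
"""
import hashlib

NOT_HASHED = ("cookie", "referer")   # excluded from the count and from JA4H_b


def _h12(text):
    """First 12 hex characters of SHA-256, the truncation JA4+ uses."""
    return hashlib.sha256(text.encode()).hexdigest()[:12]


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, version, [(name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, _path, proto = lines[0].split(" ", 2)
    version = proto.split("/", 1)[1].replace(".", "").ljust(2, "0")  # "HTTP/1.1" -> "11"
    headers = []
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return method, version, headers


def ja4h(raw):
    """Return 'JA4H_a_JA4H_b_JA4H_c_JA4H_d' for the request text."""
    method, version, headers = parse_request(raw)
    lookup = {n.lower(): v for n, v in headers}
    has_cookie = "cookie" in lookup
    has_referer = "referer" in lookup

    counted = [n for n, _ in headers if n.lower() not in NOT_HASHED]
    count = f"{min(len(counted), 99):02d}"

    # Primary Accept-Language, lowercase, hyphen removed, 4 chars, zero padded.
    lang = lookup.get("accept-language", "").split(",")[0].split(";")[0]
    lang = lang.lower().replace("-", "")[:4].ljust(4, "0")

    a = (f"{method.lower()[:2]}{version}"
         f"{'c' if has_cookie else 'n'}{'r' if has_referer else 'n'}{count}{lang}")
    b = _h12(",".join(counted))

    cookies = []
    if has_cookie:
        for part in lookup["cookie"].split(";"):
            if part.strip():
                k, _, v = part.strip().partition("=")
                cookies.append((k.strip(), v.strip()))
    c = _h12(",".join(sorted(k for k, _ in cookies))) if cookies else "0" * 12
    d = _h12(",".join(sorted(f"{k}={v}" for k, v in cookies))) if cookies else "0" * 12
    return f"{a}_{b}_{c}_{d}"


# Constructed sample requests (not captured traffic).
REQ = ("GET /index.html HTTP/1.1\r\n"
       "Host: example.com\r\n"
       "User-Agent: Mozilla/5.0\r\n"
       "Accept: text/html\r\n"
       "Accept-Language: en-US,en;q=0.9\r\n"
       "Cookie: session=abc; theme=dark\r\n"
       "Referer: https://example.com/\r\n\r\n")
REQ_COOKIES_REORDERED = REQ.replace("session=abc; theme=dark", "theme=dark; session=abc")
REQ_NO_COOKIE = ("POST /api HTTP/1.1\r\n"
                 "Host: example.com\r\n"
                 "Content-Type: application/json\r\n\r\n{}")

if __name__ == "__main__":
    for name, req in (("REQ", REQ), ("REQ_NO_COOKIE", REQ_NO_COOKIE)):
        print(name, ja4h(req))
```

JA4H_a is readable on its own: `ge11cr04enus` says GET, HTTP/1.1, cookie and referer present, four other headers, English (US). The b section is what makes header order a signal, since a client that emits the same headers in a different order hashes differently, while c and d are order independent because cookies are sorted before hashing.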
The Curious Case of an Egg-Cellent Resume - In March 2024, an investigation took place after malicious activity was detected. Upon analysis, it was identified that a threat actor was able to infect and pivot from a user endpoint to two servers in the environment by submitting a job application that pointed to a resume lure.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
Why you should stay “professionally detached” from the vulns you find - Security research requires remaining professionally detached from the vulnerabilities you discover. Emotional responses can cloud judgment and lead to unprofessional behavior. Maintaining a detached, factual approach preserves your credibility, improves vendor relations, and allows you to focus on the bigger picture of making the digital world safer. By developing a professionally detached mindset, you can handle vendor responses with grace, protect your mental health, and continue contributing to a safer digital world.
From Guardian to Gateway: The Hidden Risks of EDR Vulnerabilities - The blog post discusses hidden risks of vulnerabilities in Endpoint Detection and Response (EDR) software, using Wazuh as a research target. The author discovered critical vulnerabilities, including a heap buffer overflow and a command injection vulnerability, which could lead to full network compromise. By exploiting these vulnerabilities, an attacker could gain remote code execution and execute arbitrary commands on both the management server and remote agents. The author recommends upgrading to the latest version of Wazuh and enabling additional security options to mitigate these risks. This highlights the importance of scrutinizing and securing security tools to prevent them from becoming high-value targets for attackers.
Making Monsters - Part 1 - In this article, the author introduces a development journal for creating an agent called Hannibal, designed to be used with Mythic for Red Team engagements. The agent is written in position independent C and communicates over HTTP using a custom protocol. The author discusses the advantages and drawbacks of using C for development and provides insights into setting up a development environment for building the agent. The article also touches on the use of the MinGW compiler, debugging in VSCode, and the differences between PIC and debug builds. The next part of the series will focus on agent architecture.
What's the Red Team doing to my Linux Box? - This GitHub repository contains material for a presentation titled "What's the Red Team doing to my Linux Box?" at BSides Vienna 2024. The material includes code to be run on a Debian 12 box, along with instructions and warnings. The code is designed to simulate a Red Team attack on a Linux system and includes hidden flags that need to be discovered without cheating. Users are advised to run the code on a separate box as it may take over.
https://linpeas.sh ownership - The linpeas.sh script version hosted on a specific domain was found to be sending information to a remote server without the knowledge of the project owners. The domain was not owned by anyone involved in the project, and it is not recommended to use it. The purpose of the information collection remains unclear, but it was noted that it was originally for educational purposes.
Under the microscope: Tony Hawk's Pro Skater 2 (PlayStation, Dreamcast) - The article explores hidden cheat codes in Tony Hawk's Pro Skater 2 for PlayStation and Dreamcast and the process of uncovering them using a Python script to attack the game's hashing function. The author successfully discovers previously unknown cheat codes through a combination of brute force methods and word list permutations. The article also discusses the effects of the newly discovered cheat codes, such as turning off player shadows and increasing the player's score by 10 times. The author credits various contributors for their assistance in the process.