Last Week in Security - 2024-12-10
We're Hiring!
Immediate Open Positions:
Maryland Applicants:
We have openings for a Cryptologic Computer Scientist, Cyber Operator Developer Analyst, Ethical Hacker, Information Assurance Specialist, Information Systems Security Officer, Jr. Offensive Cyber Operator, Red/Blue Team Engineer, Senior Web Application Penetration Tester, Systems Engineer, Data Scientist, HPC Software Engineer, Information Systems Security Engineer, Operations Research Analyst, Reverse Engineer, and Software Engineer.
Virginia Applicants:
Available opportunities: DevSecOps Engineer and Red Team Operator - Senior.
For more open positions visit: https://www.sixgen.io/careers
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools, and exploits from the past week. This post covers 2024-12-02 to 2024-12-09.
News
Kyrus Tech and SIXGEN Join Forces to Create Preeminent Mid-Tier Across the Digital Battlespace - SIXGEN has acquired Kyrus Tech, a specialized software development firm, to enhance its mission of delivering advanced products and platforms for national security and critical infrastructure sectors. This partnership marks the fourth addition to Washington Harbour's platform, focusing on modern digital warfare solutions. The integration of Kyrus' specialized capabilities with SIXGEN's offerings aims to address the complex digital threat landscape and provide tailored solutions for the U.S. Government. Washington Harbour Partners supports SIXGEN's vision of becoming a top-tier solutions provider across the digital battlespace.
Why Phishers Love New TLDs Like .shop, .top and .xyz - Phishing attacks have increased by nearly 40% in the last year, with a significant portion targeting new generic top-level domains (gTLDs) like .shop, .top, and .xyz due to their low prices and minimal registration requirements. These new gTLDs only make up 11% of the market but accounted for 37% of cybercrime domains reported between September 2023 and August 2024. Registrars for these new gTLDs offer cheap or free registration with little verification, making them attractive to scammers. Despite this trend, ICANN is planning to introduce even more new gTLDs, which could create further opportunities for cybercriminals.
Supply Chain Attack Detected in Solana's web3.js Library - A supply chain attack has been detected in versions 1.95.6 and 1.95.7 of the @solana/web3.js library, potentially stealing private keys from developers and users. Developers are advised to audit their projects, rollback or update to safe versions, and regenerate compromised keys. Socket, a tool for open source security, can help users check if their code is affected. The attack has caused an estimated $130K - $160K in stolen assets, but major wallets and apps were not affected due to quick removal of the compromised versions.
Novel phishing campaign uses corrupted Word documents to evade security - A novel phishing campaign is using corrupted Word documents to evade security measures, allowing threat actors to steal credentials.
First-ever Linux UEFI bootkit turns out to be student project - A Linux UEFI bootkit named Bootkitty, discovered by ESET researchers, was found to be a student project created as part of a cybersecurity training program at KITRI in South Korea. The bootkit serves as a proof of concept for exploiting Linux systems at boot-up and expands the UEFI attack path beyond Windows. While not currently a real threat, the bootkit could be used as inspiration for future attackers, highlighting the importance of being prepared for potential threats. The project aims to raise awareness in the security community about potential risks and encourage proactive measures to prevent similar threats.
FBI Warns iPhone And Android Users—Stop Sending Texts - The FBI and CISA are warning iPhone and Android users to stop sending texts and start using encrypted messaging and phone calls due to ongoing cyberattacks from China. The attacks have compromised U.S. communication networks, highlighting the vulnerabilities of SMS and basic RCS messaging. Users are advised to use fully encrypted platforms like Signal for secure communication.
Frequent freeloader part I: Secret Blizzard compromising Storm-0156 infrastructure for espionage - A Russian nation-state actor known as Secret Blizzard has been compromising infrastructure, including that of the threat activity cluster Storm-0156, for espionage operations. They have used the tools and infrastructure of other threat actors for their operations, targeting government and defense-related organizations worldwide. Secret Blizzard's tactics include leveraging the access of other adversaries, such as Storm-0156, to establish footholds on networks of interest. Microsoft Threat Intelligence is actively monitoring and notifying affected customers to help secure their environments against this threat.
Senators Warn the Pentagon: Get a Handle on China’s Telecom Hacking - Senators Ron Wyden and Eric Schmitt are urging the Pentagon to investigate the fallout from the Salt Typhoon espionage campaign, which involves Chinese hacking of US telecoms. The FBI and CISA have confirmed that a China-linked hacking group has been embedded in major US telecom companies for over a year, targeting high-profile individuals and government agencies. The senators are concerned about the vulnerabilities in US telecom infrastructure and are calling for stronger cybersecurity measures to protect against surveillance threats.
US senators vow action after briefing on Chinese Salt Typhoon telecom hacking - U.S. government agencies briefed senators about China's hacking campaign, dubbed "Salt Typhoon," targeting American telecommunications networks. The campaign reportedly involved the theft of telephone call data and audio intercepts from major providers like Verizon, AT&T, and T-Mobile. Agencies participating in the briefing include the FBI, the Director of National Intelligence, and the Cybersecurity and Infrastructure Security Agency (CISA). This effort underscores rising concerns over the scale of the intrusion and its implications for national security. U.S. officials and experts highlight the challenges in eliminating such threats, with no clear timeline for fully securing telecom networks from these intrusions
Techniques and Write-ups
Pentesting Salesforce Communities - This blog post provides a detailed account of a recent penetration test conducted on Salesforce Communities, focusing on common and lesser-known vulnerabilities that led to an account takeover. The author explores techniques, plugins, tools, and resources used during the testing process, highlighting the importance of understanding Salesforce security controls, HTTP request formats, Aura components, and APEX classes. The post also delves into issues such as object permission problems, broken access control on custom classes, and other potential attack vectors within Salesforce Communities, offering insights, examples, and recommendations for pentesting Salesforce environments.
Zero-day Attack Uses Corrupted Files to Bypass Detection: Technical Analysis - This article discusses how attackers use corrupted files to bypass detection by security systems. It provides a technical analysis of how this method works, using examples of corrupted files such as docx documents and archives. The article explains how security software fails to detect these corrupted files due to their structure being manipulated by attackers, making it difficult for detection systems to identify the file type.
Harvesting GitLab Pipeline Secrets - The blog discusses the risk of harvesting GitLab pipeline secrets by scanning job logs for credentials. It highlights common misconfigurations that can lead to leakage of sensitive information and introduces Pipeleak, a tool that automatically scans job logs for secrets. Pipeleak can search both textual output and artifacts generated by the jobs, providing a way to identify and abuse newly discovered credentials. It also offers additional features such as GitLab runners enumeration and CI/CD variables enumeration.
CSPT the Eval Villain Way! - This blog post discusses how to use Eval Villain to find and exploit Client-Side Path Traversal (CSPT) vulnerabilities. It provides a step-by-step guide on using Eval Villain to discover CSPT bugs and how to instrument the target code for exploitation. The post also mentions using the right tools for the job, such as Maxence's Burp Extension for CSPT and other tools like Eval Villain and HTTP Mock extension in Burp. The aim is to help debug and exploit CSPT vulnerabilities effectively.
Windows Sockets: From Registered I/O to SYSTEM Privileges - This post discusses a vulnerability called Registered I/O in the afd.sys Windows driver, which was patched in August 2024. The vulnerability allows for exploitation to gain SYSTEM privileges. The post describes the exploitation process, starting with an overview of the Registered I/O extension for Winsock, and then detailing the steps for exploiting the vulnerability through heap spraying and triggering the use-after-free vulnerability. The exploit allows for arbitrary read and write access, potentially leading to privilege escalation to SYSTEM level.
Write, debug and execute BOFs using bof-launcher (part 1) - The bof-launcher allows users to write, debug, and execute Buffer Overflow (BOF) programs in Zig, C, and assembly language on Windows and Linux platforms. It requires the Zig compiler package and supports cross-compilation. Users can clone the bof-launcher repository, build BOFs for various platforms, and execute sample BOFs. The tutorial covers building BOFs in ReleaseSmall and Debug configurations, debugging in WinDbg, Visual Studio, and gdb, and hints at future posts on passing arguments and using the bof-launcher library in external projects.
The Great Google Password Heist: 15 years of hacking passwords to test our security (and build team culture!) - This blog discusses a project where a team spent 15 years hacking passwords in order to test security measures and build team culture. The project aimed to highlight the importance of strong passwords and the vulnerabilities of common practices. The team's findings emphasized the need for continuous improvement in online security measures.
“Free Hugs” – What to be Wary of in Hugging Face – Part 4 - The article discusses the potential risks of using malicious models on the Hugging Face platform and the limitations of model scanners in detecting them effectively. It highlights the vulnerabilities in the PickleScan tool and ways to bypass it using built-in Python dependencies. The recommendation is to avoid pickles and older Keras versions, opting for safer protocols like SafeTensors instead. The importance of thoroughly reviewing supplemental code and trusting models from reputable vendors is emphasized to ensure security. Checkmarx, a leader in application security, offers solutions to secure application development from code to cloud and address the needs of enterprises in improving security.
Bridging the Gap: Elevating Red Team Assessments with Application Security Testing - The blog post discusses the importance of incorporating application security expertise into Red Team assessments to better simulate modern adversaries' tactics and techniques. By leveraging minimal access for maximum impact, recognizing low-impact vulnerabilities through vulnerability chaining, developing exploits, and diverse skill sets, organizations can proactively defend against evolving threats. Case studies demonstrate the impact of application security support in enhancing the effectiveness of Red Team assessments and highlight the value of collaboration between the Red Team and the AppSec Team. By identifying and addressing vulnerabilities across the entire attack surface, businesses can strengthen their security posture and minimize the risk of breaches.
Malware and cryptography 35: encrypt payload via Treyfer algorithm. Simple C example. - This post explores the use of the Treyfer algorithm in encrypting and decrypting payloads for malware development. The Treyfer algorithm is a lightweight block cipher designed for limited computational resources. The post provides a simple C example of how to implement the algorithm for encryption and decryption. While Treyfer is not commonly used in real-world cryptographic systems, it can be useful for educational purposes or experimental projects where strong security is not a priority. The post serves as a practical case study for malware researchers and programmers.
Missing URL Structure: Mistake or a Masterfully Effective Tactic? - Cofense explores the tactic of missing URL structure in phishing campaigns, highlighting how threat actors can bypass Secure Email Gateway protections. By removing URL protocols, attackers can trick users into entering their credentials on fake login pages. Cofense emphasizes the importance of combining human-vetted intelligence with automated tools to effectively combat evolving phishing techniques. Their Managed Phishing Threat Detection and Response (MPDR) platform offers a solution to prevent credential theft and protect company infrastructure.
Machine Learning Bug Bonanza – Exploiting ML Clients and “Safe” Model Formats - The JFrog platform offers flexible cloud deployment solutions, AI/ML development, release lifecycle management, and holistic software supply chain security. They provide services such as curating open-source packages, source code scanning, software composition analysis, and infrastructure as code security. They warn users about the vulnerabilities in Machine Learning clients and "safe" model formats that can be exploited by attackers to gain access and manipulate organizational ML clients and services. They emphasize the importance of never loading untrusted ML models, even from seemingly safe formats, to protect against potential security breaches.
Where There’s Smoke, There’s Fire - Mitel MiCollab CVE-2024-35286, CVE-2024-41713 And An 0day - WatchTowr discovered vulnerabilities in Mitel MiCollab platform, including an Authentication Bypass and an Arbitrary File Read, along with an SQL injection vulnerability. These vulnerabilities could allow attackers to access sensitive information and compromise the system. Mitel acknowledged the issues and released patches for some vulnerabilities but did not address all of them within the disclosed timeframe. It is essential for organizations to continuously test for vulnerabilities to ensure the security of their systems.
Obfuscating Office Macros to Evade Defender - The article demonstrates a method to obfuscate VBA macros in Office files in order to evade Microsoft Defender. The author uses Python and a Windows VM to create the document and a Kali VM to host a reverse shell. They recommend using a specific Python script for obfuscation and caution against using custom VBA scripts. The process involves creating and saving the obfuscated VBA, embedding it in an Office document, and executing a reverse shell. Despite the success, the author warns that this method may still be detected by other antivirus vendors and EDRs.
Linux Malware Development: Building a one liner TLS/SSL-Based reverse shell with Python - This blog post by Mohit Dabas explores the development of a one liner TLS/SSL-based reverse shell with Python for Linux malware. The reverse shell allows for secure communication between the client and server, using self-signed certificates. The post covers the process of generating keys, certificates, and client code, as well as starting the server and handling client commands. The code can be found on a GitHub repository for reference.
Shiny Vulnerabilities in R's Most Popular Web Framework - The post discusses two vulnerabilities found in Shiny, the most popular web framework for R programming language. The first vulnerability is a denial of service issue caused by a WebSocket parsing bug that leads to an infinite loop. The second vulnerability is a weak random number generator used for generating session tokens, potentially allowing unauthorized access to download URLs. It concludes with a recommendation for a fix to ensure the integrity of session-specific routes.
Gem::SafeMarshal escape - In December 2024, the Gem::SafeMarshal escape on nastystereo.com was discussed, detailing how it was implemented in Ruby and how it could be escaped to execute arbitrary commands. The escape involved manipulating lists of permitted classes and exploiting instance variable handling to achieve deserialization with unrestricted classes. By crafting a specific payload, arbitrary command execution could be achieved through a deserialization gadget chain.
CORS Vulnerabilities in Go: Vulnerable Patterns and Lessons - The blog covers discoveries of CORS vulnerabilities in Go code, with examples of vulnerable patterns and lessons learned. The vulnerable code allowed bypassing security checks by manipulating domain names. The blog also highlights other examples of vulnerable checks found in codebases on GitHub. The author emphasizes the importance of secure coding practices and suggests language-level functions/methods to improve security.
Bypassing WAFs with the phantom $Version cookie - The article discusses how modern cookie parsers can be abused to bypass web application firewalls (WAFs) by using techniques such as downgrading cookie parsers with the $Version attribute, injecting malicious cookie attributes, and using quoted cookie values to hide payloads. It also explores how to bypass WAFs by manipulating cookie values and splitting cookies. The article suggests steps to prevent parser discrepancy vulnerabilities in cookies, such as disabling legacy support for RFC2109 and rigorously validating user inputs. The article concludes with a recommendation to follow PortSwigger for more security insights and to stay updated on techniques for escalating vulnerabilities in real-world scenarios.
CloudGoat Official Walkthrough Series: ‘sqs_flag_shop’ - The CloudGoat Official Walkthrough Series by Rhino Security Labs explores the 'sqs_flag_shop' scenario, where users attempt to move through an AWS environment and perform privilege escalation against the Glue service to capture a flag. The walkthrough provides step-by-step instructions for creating the scenario, enumerating user policies, assuming new roles, analyzing web applications, and sending SQS messages. This exercise offers insights into AWS penetration testing and encourages contributions to the open-source CloudGoat project. Rhino Security Labs is a respected security assessment firm specializing in cloud pentesting, network pentesting, web application pentesting, and phishing.
NativeBypassCredGuard - Bypassing Credential Guard in 2024 - NativeBypassCredGuard is a tool created by ethical hacker Ricardo J. Ruiz Fernández to bypass Credential Guard by patching WDigest.dll using NTAPI functions. The tool locates and patches specific values in WDigest.dll, forcing plaintext credential storage in memory and allowing easy retrieval by dumping the LSASS process. It also has the capability to remap the ntdll.dll library to bypass user-mode hooks and security mechanisms. The tool uses various NTAPI functions to achieve these tasks and provides options for reading current values, writing new values, and remapping the ntdll library.
Discovering a Deserialization Vulnerability in LINQPad - During a red team adversarial attack simulation, a deserialization vulnerability was discovered in LINQPad, a .NET scratchpad application commonly used by developers. The vulnerability was found by analyzing the application's code and using a tool to graph the relationships between functions. A proof-of-concept exploit was then developed and disclosed to the vendor, who quickly released a fix for the issue. Ultimately, the right decision was made to disclose the vulnerability, leading to a timely patch for the issue in LINQPad.
Linux Kernel ICMPv6 & CVE-2023-6200 - The Linux Kernel ICMPv6 subsystem has a vulnerability known as CVE-2023-6200, which is a race condition issue. Limited information is available about this vulnerability, so the author analyzed it to understand how to identify such bugs. The patch for this vulnerability is a revert, and the actual fix that enhances the previous one can be found in the code. The vulnerability stems from a race window during the creation of route objects, leading to a potential use-after-free (UAF) situation if not handled properly. The author learned a lot from analyzing this vulnerability and found it interesting, even though reproducing it fully proved challenging.
RACE Conditions in Modern Web Applications - RACE conditions are a common vulnerability in modern web applications that occur when multiple code components operate simultaneously in a shared environment, leading to unpredictable outcomes. PortSwigger's white paper introduced new methods to exploit RACE conditions in web applications, making them more accessible for testing and identification. GuidePoint Security has successfully identified and exploited RACE conditions in scenarios such as account lockout bypass and overdrawn bank accounts, highlighting the significance of mitigating these vulnerabilities through secure code reviews, application architecture reviews, and regular security assessments.
Abusing AD-DACL: WriteDacl - This blog post discusses the exploitation of Discretionary Access Control Lists (DACL) using the WriteDacl permission in Active Directory environments, allowing attackers to gain unauthorized access or modify permissions. The methods to simulate these attacks are outlined, with tools mapped to the MITRE ATT&CK framework for clarity. Detection mechanisms, recommendations for mitigation, and lab setups for different scenarios are provided to help security professionals recognize and defend against these threats effectively. The post also details various methods and tools that can be used for exploiting WriteDacl permissions and the potential risks associated with them.
Yer a Wizard! Tagging Hard-coded Credentials Can Lead to Finding Magic (Numbers) - GreyNoise researchers can tag hard-coded credentials from setups like HSQLDB for FileCatalyst Workflow, leading to finding vulnerabilities like CVE-2024-6633. By analyzing network traffic, a detection rule for Suricata is created to identify potential security risks. This process involves dissecting protocol details and referencing source code to enhance rule accuracy for threat detection.
Extracting Account Connectivity Credentials (ACCs) from Symantec Management Agent (aka Altiris) - MDSec's red team uncovered a vulnerability in the Symantec Management Agent that allowed them to extract Account Connectivity Credentials (ACCs) from the system. By leveraging their expertise in cyber attack simulations, they were able to demonstrate the potential security risks associated with default configurations of the ACC. By decrypting policy data and understanding the encryption process, they were able to exploit the vulnerability to extract the ACC credentials, demonstrating the importance of implementing best practices for securing sensitive information like ACCs.
Multiple vulnerabilities in Delmia Apriso 2019 to 2024 - Multiple vulnerabilities have been discovered in Delmia Apriso versions 2019 through 2024, a Manufacturing Operations Management (MOM) and Manufacturing Execution System (MES) solution edited by Dassault Systèmes. These vulnerabilities include pre and post-authentication .NET object deserialization issues, allowing for remote code execution on affected servers. Synacktiv identified the vulnerabilities and notified Dassault Systèmes, who confirmed the issues and assigned CVE numbers. Remediation guidelines and patch packages are available for affected versions.
Detailing the Attack Surfaces of the WolfBox E40 EV Charger - The article details the attack surfaces of the WolfBox E40 EV Charger, a Level 2 electric vehicle charging station designed for residential use. It discusses the hardware components, mobile application, firmware extraction, BLE analysis, network traffic analysis, and potential vulnerabilities of the device. The researchers found potential vulnerabilities in the communications module and noted encrypted local communications using a Tuya-specific protocol. They also mentioned the importance of reviewing the mobile application for security vulnerabilities.
LabsAI’s EDDI project path traversal - XBOW, a security research platform, discovered a path traversal vulnerability (CVE-2024-53844) in LabsAI's EDDI project, an open-source conversational AI middleware. This vulnerability could allow attackers to access sensitive files on the server. Despite exploring various attack vectors, XBOW ultimately exploited the vulnerability by manipulating the botFilename parameter in the project's file handling endpoint. The discovery underscores the importance of secure coding practices and input validation in software development.
(QR) Coding My Way Out of Here: C2 in Browser Isolation Environments - The blog post discusses browser isolation, a security technology that separates web browsing activity from a user's local device by running the browser in a secure environment and streaming the visual content to the user's device. Mandiant demonstrates a new technique to circumvent browser isolation for C2 purposes using machine-readable QR codes. By using QR codes to send commands from an attacker-controlled server to a victim device, attackers can bypass typical command-and-control tactics in browser isolation environments. The blog post also highlights the importance of monitoring for anomalous network traffic and browsers in automation mode as part of a comprehensive cyber defense strategy.
Decrypting CryptProtectMemory without code injection - In the blog post, the author discusses the function CryptProtectMemory used to encrypt sensitive memory in applications without providing a key. They dive into the implementation of the encryption process, including the derivation of symmetric keys from process creation time and process cookies. The author also explores decrypting protected memory in another process without injecting code, providing steps and a proof of concept tool. Additionally, they mention usermode decryption using syscalls and accessing kernel memory for viewing encrypted data.
Demystifying ASLR: Understanding, Exploiting, and Defending Against Memory Randomization - The article "Demystifying ASLR: Understanding, Exploiting, and Defending Against Memory Randomization" by Nikhil Gupta covers the basics of Address Space Layout Randomization (ASLR), its implementation, and how attackers can bypass it. The article emphasizes the importance of using ASLR for lawful and ethical purposes only, and not for unauthorized access or illegal hacking. It discusses the technical details of how ASLR works, its benefits in defending against exploits, and provides practical examples of exploiting ASLR weaknesses through buffer overflow and Return-Oriented Programming (ROP) attacks. The article also explores future advancements in ASLR, alternatives or complementary techniques like DEP, CFI, stack canaries, and KASLR, as well as the importance of combining multiple security mechanisms for a robust defense against memory-based attacks.
Handling Arbitrarily Nested Structures with Burp Suite - Erik Szinai wrote a blog post for Silent Signal about handling arbitrarily nested structures with Burp Suite. During a security assessment, they found that Burp couldn't detect the structure of a Base64-encoded XML due to a character causing issues. To solve this, they developed a customizable extension that can detect and handle nested data structures efficiently. The extension uses a tree data structure to represent the encodings and allows for easy modification of parameters and insertion points. The extension also includes a GUI for user-friendly interaction. The extension is available on GitHub for public use and contributions.
Exploring CORS Vulnerabilities in Rust: Patterns and Bypasses - The blog post explores CORS vulnerabilities in Rust, highlighting patterns and bypasses that can be easily identified in code. Similar to vulnerabilities in Go, examples of vulnerable Rust code can be found on GitHub. The blog also discusses a unique strategy where the code checks if the header ends with a specific value, which can be easily bypassed. Despite Rust not being immune to these vulnerabilities, they can be easily discovered in codebases.
Exploiting Public AWS Resources - CLI Attack Playbook - The playbook "Exploiting Public AWS Resources Programmatically" outlines various techniques to exploit misconfigured AWS resources that are publicly accessible. These techniques are meant to be executed programmatically by an external administrator. The document is divided into two categories: services that can be found with minimal effort and those that require additional information. Examples include listing and reading S3 buckets, accessing private API Gateways, and interacting with Lambda functions. Readers are also invited to contribute additional services that can be exploited in a similar manner.
Terminal DiLLMa: LLM-powered Apps Can Hijack Your Terminal Via Prompt Injection - The article discusses how LLM-powered apps can hijack terminals through prompt injection using ANSI escape codes. These codes can modify the behavior of terminal emulators and have been exploited for security vulnerabilities in the past. The author demonstrates various attack scenarios, such as data leakage via clickable links and writing to the user's clipboard. Mitigation strategies include encoding output and careful handling of control characters. Developers are advised to be cautious when incorporating LLM output in their applications due to the potential for arbitrary data manipulation.
0x01 - Killing Windows Kernel Mitigations - This post delves into a detailed explanation of bypassing Windows kernel mitigations in Windows 10 and Windows 11 using raw assembly code. The author provides insights into techniques to bypass Stack Execution Prevention (SMEP) and Virtualization-Based Security (VBS), along with the release of a Proof of Concept Return-Oriented Programming (ROP) chain for universal bypass. The post also includes demonstrations of code snippets and explanations on finding and using ROP gadgets, finding kernel base addresses, and crafting a PoC to achieve code execution by flipping memory protection bits dynamically. The author successfully tests the bypass technique on the latest build of Windows 11, showcasing its effectiveness.
ExecCmd64 lolbin - The article discusses an interesting executable file found in the ASRock Polychrome RGB software folder that accepts command line arguments. The ExecCmd64.exe file is signed by ASROCK INC. with a signing date of 3/16/2023. It can be used as a lolbin proxy, making it potentially useful for malicious activities.
zizmor would have caught the Ultralytics workflow vulnerability - A vulnerability in the Ultralytics workflow allowed an attacker to compromise their CI and make malicious releases to PyPI, including a crypto miner. The attacker exploited a weakness in Ultralytics' workflow trigger and injected malicious code into a custom action, leading to compromised releases on PyPI. The attacker used a puppet account and exfiltrated data, including API tokens, to carry out the attacks. Ultralytics must revoke all compromised credentials and improve their security controls to prevent future incidents.
Compromising OpenWrt Supply Chain via Truncated SHA-256 Collision and Command Injection - A security engineer at Flatt Security discovered a vulnerability in the OpenWrt firmware supply chain that allowed for compromising devices through a truncated SHA-256 collision and command injection. By exploiting these issues, an attacker could force users to upgrade to a malicious firmware, potentially compromising their devices. The engineer reported the vulnerability to the OpenWrt team, who promptly fixed the issues and released a notification to users. The article highlights the importance of addressing such vulnerabilities and the need for robust security assessments and testing services.
Everyday Ghidra: Symbols — Prescription Lenses for Reverse Engineers — Part 1 - In this blog post, the author discusses the importance of symbols in reverse engineering and how they can help clarify disassembled code. They explain how symbols provide a more intuitive representation of a program's state and can be used in Ghidra to aid in understanding the program's behavior. The author also explores different sources of symbol information, such as exports and imports, and how type information can provide additional clarity in reverse engineering. The post concludes with a teaser for part 2, which will discuss how Ghidra can automate symbol acquisition.
Section Order, MASM, and the .text$mn Subsection - The author was searching for a way to write position-independent shellcode and developed a framework for generating x86 and x64 shellcode for user-mode and kernel-mode. They discovered that subsections can be created within sections to order code and data. While working on the framework, they found that MASM inserts a placeholder into section names, impacting the section order. The author found a workaround by using an alias keyword within the segment directive to control section names. The purpose of subsections like .text$aa in MSVC is to allow for ordering of code within the .text section for the CRT.
On the Applicability of the Timeroasting Attack - The author discusses the Timeroasting attack, a new method in Active Directory environments where an attacker can query a domain controller for NTP responses encrypted with machine account NT hashes. By using pre-created computer accounts or reset machine accounts with potentially non-random passwords, the attacker can gain initial access to an AD environment. The author describes their experience using the attack on a client's domain controller and highlights the applicability of the attack in gaining authenticated access. The attack can be performed using hashcat to crack NT hashes and exploit vulnerabilities in the NTP protocol.
Cobalt Strike Postex Kit - The Cobalt Strike Postex Kit was introduced in the CS 4.10 update along with BeaconGate. It allows for post-ex execution in two ways - inline execution with Beacon Object Files (BOFs) and fork & run with reflective DLLs (rDLLs). The kit provides a template for building custom rDLLs, communicating with them, and integrating them with CS's job architecture. It includes features like named pipe communication and handling long-running tasks. The kit also allows for customization and interaction with Beacon through Aggressor functions.
Breaking the perimeter by exploiting routing-based SSRF via a misconfigured load balancer - The blog post discusses the discovery and exploitation of a vulnerability through routing-based SSRF via a misconfigured load balancer. The author discovered the vulnerability through asset discovery and vulnerability discovery processes. They were able to access the internal network and scan it, finding potential open ports and services. The vulnerability was reported and classified as high severity due to the potential consequences of unauthorized access to the internal network. The author emphasizes the importance of thorough recon, reporting multiple vulnerabilities found during the exploitation, and carefully considering how to approach reporting findings.
New dog, old tricks: DaMAgeCard attack targets memory directly thru SD card reader - The DamageCard attack exploits vulnerabilities in SD card readers to target system memory directly, bypassing traditional attack vectors. The attack involves using the direct memory access (DMA) capabilities of SD cards to compromise devices.
Tools and Exploits
CVE-2024-8672: Authenticated Contributor Remote Code Execution in Widget Options Plugin - The Widget Options WordPress plugin version 4.0.7 and earlier is vulnerable to an Authenticated (Contributor+) Remote Code Execution (RCE) attack. This vulnerability allows authenticated users with contributor level access or higher to execute arbitrary PHP code on the server. Attackers can exploit this by injecting malicious PHP code using the widget feature.
PSXecute - PSXecute is a 32-bit MIPS I virtual machine designed to execute payloads without requiring additional executable memory. It is based on a PlayStation 1 emulator and includes a syscall bridge to call external APIs from arbitrary DLLs. The VM can be compiled on Linux using LLVM passes and supports writing payloads in C with Windows headers included. Example payloads include creating a process, displaying a message box, listing running processes, and getting OS information. The project is a fun demonstration that alternative architectures, such as RISC-V, can be used for offensive purposes.
ShadowHound - ShadowHound is a collection of PowerShell scripts for Active Directory enumeration that doesn't require malicious binaries like SharpHound. It utilizes native PowerShell capabilities and offers two methods for data collection: using the Active Directory module or direct LDAP queries. The scripts can handle large domains, enumerate certificates, support alternate credentials, and provide data conversion for BloodHound compatibility. Additionally, there are tools available to split and process the collected data for use with BloodHound.
SilentLoad - GitHub repository for SilentLoad, a tool for "service-less" driver loading that loads drivers through NtLoadDriver by setting up the service registry key directly. This tool is intended for engagement in BYOVD scenarios where service creation creates an alert.
Enumprotections BOF - This GitHub repository contains a Beacon Object File (BOF) tool called Enumprotections_BOF that can be used to enumerate system processes, their protection levels, and additional information such as service relation, user, session, and path. The tool can help identify potential candidates for exploring SYSTEM level DLL hijacks.
NativeBypassCredGuard - NativeBypassCredGuard is a tool that bypasses Credential Guard by patching WDigest.dll using only NTAPI functions. It locates a specific pattern in the DLL file, calculates necessary memory addresses, and forces plaintext credential storage in memory. The tool uses various NTAPI functions to achieve this and can optionally remap the ntdll.dll library to bypass user-mode hooks and security mechanisms. It is designed for 64-bit systems and may not work if lsass cannot be accessed or the PEB structure is not readable.
Our secret ingredient for reverse engineering - The article discusses the development of the hrtng plugin for IDA Pro by Kaspersky GReAT, designed to aid with malware reverse engineering. The plugin adds various features to IDA Pro, such as string decryption and decompiling obfuscated assemblies. The article provides a detailed walkthrough of using the plugin to reverse engineer a complex malware sample, covering topics like shellcode analysis, decrypting data, API hashing, and code obfuscation. The plugin automates complex reverse engineering tasks and can be a valuable tool for malware analysis workflow.
On-Demand BOF - TrustedSec has released a new on-demand class called Building BOFs, where you can learn how to confidently develop BOFs and access two previously unreleased BOFs. The team aims to provide more specialized and niche topics in the field of offensive security, recognizing the need for in-depth knowledge in various offensive areas.
OAuth Labs: OAuth 2.0 Vulnerabilites - OAuth Labs has created a project called OAuth Labs for internal training and hands-on learning experiences focused on OAuth 2.0 vulnerabilities. The lab explores common vulnerabilities in OAuth 2.0 and allows users to practice exploiting and defending against them. By understanding and addressing these vulnerabilities, developers and security professionals can enhance security skills and promote best practices in OAuth 2.0 implementation. The lab is designed to empower users to build more secure applications and protect user data effectively in the digital world.
BootExecute EDR Bypass - GitHub repository "BootExecuteEDR" contains code that exploits the Boot Execute feature in Windows, allowing native applications to run before the operating system fully initializes. Attackers have historically used this method for persistence, bypassing security mechanisms like antivirus and endpoint detection and response (EDR) systems. The code demonstrates how to disable Endpoint Security Products by running a binary before the win32k subsystem initialization.
SuperdEye - SuperdEye is an implementation of the HellHall technique in pure Go and Go Assembler. It scans hooked NTDLL and retrieves the Syscall number to perform an indirect Syscall, bypassing AV/EDR hooks on functions. The package exposes functions for Indirect Syscalls and is compatible with official Windows Syscalls. Contributions to add more Syscalls are welcome. Other similar tools in Go include BananaPhone and Acheron, each with their own approach to Syscall manipulation.
Hackvertor EAN-13 and TOTP tags for web-application penetration testing with Burp - Pentagrid AG has developed custom Hackvertor tags for web-application penetration testing with Burp Suite, including EAN-13 and TOTP tags. The EAN-13 tag calculates the check-digit of EAN-13 numbers, while the TOTP tag generates time-based one-time passwords for second-factor authentication. These tags can be easily accessed and used within the Hackvertor extension in Burp Suite, providing automated data conversions and increased test coverage during security analysis. Users can also create and submit their own custom tags to the Hackvertor tag store.
Threat Intel and Defense
It’s Baaack… Credit Card Canarytokens are now on your Consoles - Credit card Canarytokens are now available on consoles, allowing users to create a credit card token that will alert them if it is ever used. The tokens provide a unique way to detect fraudulent activity and can be deployed in various ways throughout an organization. After some challenges with finding a provider, Thinkst was able to partner with AirWallex to issue the tokens with a custom pricing model. The tokens expire over time and allow for testing to ensure alerting functionality without risking fraud.
Immutable Artifacts — Enabling RDP Connections - The article discusses using the "Immutable Artifacts" methodology to detect and enable/disable RDP connections on a Windows machine. It focuses on specific registry keys related to RDP settings and demonstrates how changing these settings can be detected using Procmon. The article also mentions attempting to bypass detection using WMIC commands, but emphasizes the importance of setting the "fEnableWinStation" key to 1 for successful RPD connections. Detection methods through Event ID 4657 and Sysmon event ID 13 are also highlighted.
Inside Akira Ransomware’s Rust Experiment - Check Point Research analyzed the Akira ransomware's Rust version that specifically targets ESXi servers. They examine the construction and control flow of the ransomware and discuss the challenges in analyzing Rust binaries. The ransomware utilizes Rust features and in-line code to encrypt files and contains a sophisticated command-line interface. The malware authors used a mix of third-party libraries and native Rust features to implement encryption, and the malware exhibits complex assembly and control flow due to aggressive in-lining of code. The report highlights the challenges of analyzing Rust binaries and the need for improved tooling in the realm of reverse engineering.
Horns&Hooves campaign delivers NetSupport RAT and BurnsRAT - The article discusses a campaign called Horns&Hooves that delivers malicious scripts disguised as email attachments to install NetSupport RAT and BurnsRAT. The attackers targeted over a thousand private users, retailers, and service businesses primarily in Russia starting from March 2023. The campaign involved distributing JScript scripts in ZIP archives with names related to requests and bids to deceive users. The scripts download decoy documents and legit software to install remote access tools like NetSupport RAT for malicious purposes. The attackers behind the campaign are linked to the TA569 group, selling access to infected computers to other cybercriminals for various malicious activities.
Threat Assessment: Howling Scorpius (Akira Ransomware) - Howling Scorpius is a ransomware group behind the Akira ransomware-as-a-service, which targets small to medium-sized businesses in various sectors across North America, Europe, and Australia. The group employs a double extortion strategy, exfiltrating critical data before encryption. The ransomware group has been actively upgrading and enhancing its tools, posing a greater risk to organizations. Palo Alto Networks offers cloud-delivered security services to protect against Akira ransomware and recommends contacting the Unit 42 Incident Response team if affected. The threat assessment details the technical analysis of Howling Scorpius operations and provides indicators of compromise for the Windows and Linux variants of Akira ransomware.
Shattering the Rotation Illusion: Part 1 - Code Hosting & Version Control Platforms - Clutch's blog post discusses the importance of securing non-human identities (NHIs) in code hosting and version control platforms like GitHub and GitLab. They conducted experiments to show how quickly exposed secrets, such as AWS access keys, can be exploited by attackers. The post highlights the differences in exploitation rates between GitHub and GitLab, with GitHub being more vulnerable due to higher scanning activity by attackers. Clutch's research emphasizes the need for a new approach to security beyond just secret rotation, as attackers move quickly and can exploit exposed secrets faster than defensive measures can respond.
The Day We Unveiled the Secret Rotation Illusion - Clutch's blog post, "The Day We Unveiled the Secret Rotation Illusion," exposes the fallacy of secret rotation as a security measure and highlights the limitations of current practices in protecting against cyber threats. Through a detailed experiment involving leaking various non-human identities (NHIs) and observing how quickly they were exploited by attackers, Clutch demonstrates the need for a paradigm shift in cybersecurity strategies.
Gafgyt Malware Broadens Its Scope in Recent Attacks - The Gafgyt malware, traditionally targeting IoT devices, has recently been observed attacking misconfigured Docker servers. This represents a shift in its behavior. Trend Micro offers solutions to enhance security posture and mitigate risks associated with potential exploitations. Security best practices include implementing strong access controls, monitoring for unusual activities, and staying informed about software vulnerabilities.
Snowblind: The Invisible Hand of Secret Blizzard - Lumen's Black Lotus Labs has uncovered a campaign orchestrated by the Russian-based threat actor "Secret Blizzard" infiltrating 33 command-and-control nodes used by a Pakistani-based actor. Secret Blizzard deployed malware into Afghan government networks and gained access to Pakistani workstations, acquiring data and exposing vulnerabilities in security products. The group also targeted Indian networks, utilizing malware families such as CrimsonRAT. This sophisticated operation involved shifting blame and maintaining secrecy, highlighting the ongoing threat of Russian cyber activities. Black Lotus Labs continues to monitor and block traffic related to these threat actors, recommending strong security measures and collaboration within the cybersecurity community.
MOONSHINE Exploit Kit and DarkNimbus Backdoor Enabling Earth Minotaur’s Multi-Platform Attacks - Trend Micro has discovered Earth Minotaur, a threat actor using the MOONSHINE exploit kit to target vulnerabilities in Android messaging apps and install the DarkNimbus backdoor for surveillance. The attack chain involves social engineering tactics to trick victims into clicking malicious links, which leads to the installation of the backdoor on Android devices. DarkNimbus is a cross-platform backdoor that also targets Windows devices. To prevent such attacks, users are advised to exercise caution when clicking on suspicious links and keep their applications updated to protect against known vulnerabilities.
DroidBot: Insights from a new Turkish MaaS fraud operation - Cleafy Labs discovered a new Android Remote Access Trojan called DroidBot in late October 2024, targeting banking institutions, cryptocurrency exchanges, and national organizations primarily in European countries. DroidBot combines spyware-like features with dual-channel communication for enhanced resilience and flexibility. The malware is linked to Turkish-speaking developers and an evolving MaaS operation, offering affiliates advanced capabilities and a builder tool for customized malware versions. The operational model of DroidBot resembles a Malware-as-a-Service (MaaS) scheme, posing a significant threat to financial institutions and other high-value targets across multiple regions.
Ultralytics publishes malicious PyPi packages - Ultralytics recently published malicious PyPi packages, versions 8.3.41 and 8.3.42, that installed crypto miners on affected hosts. This was achieved through a sneaky attack leveraging GitHub pull requests. The attacker, using the username openimbot, injected commands into GitHub Actions workflow, leading to unauthorized execution of malicious code. Users are advised to uninstall the compromised versions and switch back to 8.3.40. It is also recommended to disable GitHub's auto-merge feature and closely monitor for suspicious activity to prevent similar attacks in the future.
Automated Network Security with Rust: Detecting and Blocking Port Scanners - This article discusses how to use Rust to build an automated network security system to detect and block port scanners. It explores the Netfilter framework in the Linux kernel, userspace tools, and the concept of queuing packets for userspace processing. The article also includes a demonstration of banning IP addresses that try to reach multiple closed ports in a row using Rust programming language. Additionally, it covers the implementation of the ban mechanism using nftables and highlights performance optimizations. The article concludes by mentioning that nftables already has similar capabilities and encourages readers to explore the full source code on GitHub.
End-of-Year PTO: Days Off and Data Exfiltration with Formbook - Cofense intercepted a malicious phishing email disguised as an HR notice about end-of-year leave approvals, which aimed to steal sensitive information using FormBook malware. The email contained red flags such as an external sender warning and suspicious links, indicating its malicious intent. The malware, once downloaded and executed, used AutoIt and FormBook to collect credentials, log keystrokes, and exfiltrate data from the victim's system. To defend against such threats, it is essential for organizations to train employees on recognizing phishing attempts and malware, verify email sources, inspect links before clicking, and be cautious of urgent requests.
Moonlock’s 2024 macOS threat report - In Moonlock's 2024 macOS threat report, it is highlighted that macOS is becoming a prime target for cybercriminals due to its increasing market share. The report discusses the growing threat landscape, the use of AI tools for malware development, the rise of malware-as-a-service (MaaS), and the evolution of stealers targeting macOS. The report also compares malware statistics from 2023 to 2024, showing trends in adware, backdoors, exploits, ransomware, and stealers. The report provides a detailed analysis of the evolution of AMOS Stealer and offers key takeaways on how to stay safe from evolving macOS threats.
Something to Remember Us By: Device Confiscated by Russian Authorities Returned with Monokle-Type Spyware Installed - A Russian programmer, Kirill Parubets, had spyware covertly implanted on his phone by Russian authorities after being released from custody. The spyware allowed the operator to track his location, record phone calls, and access encrypted messages. The spyware, similar to the Monokle family, was likely created by reusing code from Monokle. The incident highlights the risk of device tampering by security services and the importance of seeking expert analysis after regaining custody of a confiscated device. The investigation was a joint effort between The Citizen Lab and The First Department, a legal assistance organization.
Deepfake Fraud: How AI is Bypassing Biometric Security in Financial Institutions - this blog post discusses the increasing use of deepfake technology in fraud campaigns. Deepfakes, which involve creating synthetic media such as realistic voice or video mimicking real individuals, are being employed by cybercriminals to impersonate company executives, business partners, or other trusted individuals. This technique enables sophisticated social engineering attacks, including convincing phishing schemes and financial frauds. The article highlights real-world incidents, strategies employed by attackers, and recommendations for organizations to safeguard against such threats, such as implementing multi-factor authentication, employee training, and robust verification processes.
Anatomy of Celestial Stealer: Malware-as-a-Service Revealed - this blog post on Trellix delves into Celestial Stealer, a Malware-as-a-Service (MaaS) offering that enables threat actors to launch credential theft and data-exfiltration campaigns. This malware specifically targets web browsers, messaging platforms, and cryptocurrency wallets. The post includes technical insights into its functionality, distribution methods, and detection strategies.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
The fascinating security model of dark web marketplaces - The dark web marketplaces have evolved since the fall of Silk Road, with the most trusted marketplace operating successfully since May 2020, thanks to its exceptional operational security. The security model includes JavaScript-free captchas, PGP-based 2FA, and private mirrors for users. The marketplace uses Monero instead of Bitcoin for transactions, and the admin emphasizes humanist-liberal values. The marketplace's security measures, design decisions, and focus on drug products are detailed, highlighting a complex and potentially controversial operation.
Breaking Down Adversarial Machine Learning Attacks Through Red Team Challenges - This blog post by Red Rain Security details the author's experiences and insights into offensive machine learning attacks, particularly adversarial attacks. It includes challenges faced and strategies learned, along with a breakdown of techniques used to manipulate AI models. The post covers three challenges related to adversarial attacks on AI/ML models, providing hands-on insights for readers without formal education in the field. The challenges explored include crafting adversarial images, adversarial OCR attacks, and evasion attacks using gradient descent, showcasing real-world applications and practical use cases for these techniques.
Exploring Anti-Phishing Measures in Microsoft 365 – Pt. 2 - Microsoft modified the "First Contact Safety Tip" to better resist attacks by malicious actors. The changes include new attributes with the "revert" keyword in the CSS code. Despite the modifications, it is still possible to hide or alter the disclaimer, but the gray bar is always visible. An attacker could potentially set the email background to the same gray color to make it harder for a victim to detect anything suspicious.
Building A Router Pt-1: Researching The Platforms - At Arch Cloud Labs, the project involves researching platforms for building a custom router operating system. Popular choices include OpenWrt, Tomato, and PfSense. The focus is on OpenWrt due to its robust developer documentation and wide router support. Hardware options for OpenWrt include OpenWrt One, Gl-iNet AX1800, and Raspberry Pi Compute Module 5. Each device presents a unique opportunity for a side project and learning experience in embedded systems development. The next phase involves building an image and assessing the devices' functionality. Ultimately, building, debugging, and troubleshooting home electronics can help reduce e-waste and give users more control over their devices.
Extracting Credentials From Windows Logs - this post delves into methods for extracting sensitive credential information from Windows event logs, often overlooked in organizational security. It discusses how plaintext credentials, used during command-line operations like user management or database access, can be captured from these logs.