Last Week in Security - 2024-12-24
We're Hiring!
Immediate Open Positions:
Maryland Applicants:
We have openings for a Cryptologic Computer Scientist, Cyber Operator Developer Analyst, Ethical Hacker, Information Assurance Specialist, Information Systems Security Officer, Jr. Offensive Cyber Operator, Red/Blue Team Engineer, Senior Web Application Penetration Tester, Systems Engineer, Data Scientist, HPC Software Engineer, Information Systems Security Engineer, Operations Research Analyst, Reverse Engineer, and Software Engineer.
Virginia Applicants:
Available opportunities: DevSecOps Engineer and Red Team Operator - Senior.
For more open positions visit: https://www.sixgen.io/careers
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools, and exploits from the past week. This post covers 2024-12-16 to 2024-12-23.
News
Web Hacking Service ‘Araneida’ Tied to Turkish IT Firm - New research has found that a web hacking service called 'Araneida' is selling stolen credential sets using a cracked version of a powerful commercial web app vulnerability scanner. The cracked software is being resold as a cloud-based attack tool by at least two different services, one of which has been traced back to a Turkish IT firm. The service allows paying customers to conduct offensive reconnaissance on target websites, scrape user data, and find vulnerabilities for exploitation. The service is being advertised on multiple cybercrime forums and has been linked to criminal activities, including selling payment card data and providing services to Chinese state-sponsored hacking groups.
Trump administration wants to go on cyber offensive against China - The Trump administration's security advisor is advocating for offensive cyberattacks on China, citing the need to impose costs and consequences on private and nation state actors. The administration is considering involving the private sector in these efforts to defend against cyber threats. However, it is unclear what specific actions will be taken and how they will be implemented in response to Chinese cyber threats. There is concern about escalating tensions and a potential cyber arms race between the US and China.
BOD 25-01: Implementing Secure Practices for Cloud Services - The Cybersecurity and Infrastructure Security Agency (CISA) issued a Binding Operational Directive (BOD 25-01) requiring federal agencies to implement secure practices for cloud services. The directive aims to combat the increasing threats targeting cloud environments by developing Secure Configuration Baselines and assessment tools. Agencies must deploy these tools, integrate with CISA's monitoring infrastructure, and remediate deviations from secure configurations to reduce risks and improve cybersecurity resiliency.
Getting a taste of your own medicine: Threat actor MUT-1244 targets offensive actors, leaking hundreds of thousands of credentials - This article discusses MUT-1244, a threat group that exploits vulnerabilities in offensive security tools used by red teams to target organizations. This group focuses on breaching environments by leveraging these tools against their intended users, such as security professionals, demonstrating a concerning evolution in cyberattack strategies.
Mobile Communications Best Practice Guidance (PDF) - This document from CISA provides guidance on mobile communications security, emphasizing best practices to protect sensitive information during mobile usage. It addresses threats like interception, eavesdropping, and unauthorized access, recommending measures such as encrypted communications, strong authentication methods, and device management policies. The guide also highlights risks associated with public Wi-Fi, unsecured networks, and mobile malware, urging organizations to implement security frameworks for mobile device usage.
Techniques and Write-ups
A Nifty Initial Access Payload - The blog post discusses the challenges of running code on a victim machine during red teaming engagements, especially when faced with Endpoint Detection and Response software. The author describes a detailed process of developing a custom payload using an outdated screenshot tool as a way to execute malicious code in a signed process. Through trial and error, the author ultimately succeeds in creating a payload that can be delivered via a web page and run in the victim's system. The key takeaways include the importance of custom extension handlers for phishing, the effectiveness of running code in a signed process, and the persistence required to overcome obstacles in developing custom payloads.
CVE-2024-6197 Curl and Libcurl: Use-after-Free on the Stack - The JFrog Security Research Team Leader reported on the CVE-2024-6197 vulnerability affecting Curl and Libcurl, which is a Use-after-Free on the Stack issue. While it could potentially lead to remote code execution, the conditions for exploitation are specific and unlikely to be achieved in a real-world setup. The vulnerability affects versions from 8.6.0 to 8.8.0, and mitigations have been implemented by glibc and musl in most Linux distributions to prevent RCE.
Concealing Payloads: Hiding Shellcode in Image Files with Python and C/C++ - The blog post discusses how to hide shellcode payloads in image files using Python and C/C++. It explains how to embed shellcode into image files, store them in the resources section of a binary file, and extract the hidden payload for stealthy delivery. The technique allows for discreet payload execution and storing sensitive information without altering the image's appearance, making it harder to detect by security tools. The post also provides code examples and steps to follow for readers to try out the concept themselves.
Detailing the Attack Surfaces of the Tesla Wall Connector EV Charger - Trend ZDI researchers analyzed the Tesla Wall Connector EV Charger, noting its hardware components and firmware. They found potential attack surfaces, such as exposed ports and communication with servers. The device's firmware was extracted and analyzed, revealing details about its functionality. The researchers look forward to discussing further security implications at the Pwn2Own Automotive event. Stay tuned for more updates on security vulnerabilities and exploit techniques.
Uncovering GStreamer secrets - In this blog post, the author details the vulnerabilities uncovered in the GStreamer library, an open source multimedia framework widely used in Linux distributions. By building a custom fuzzing generator targeting MP4 files, the author discovered 29 new vulnerabilities in GStreamer, with most of them affecting the MKV and MP4 formats. The author explains the challenges of fuzzing media files due to their large size and outlines the alternative approach of generating an initial input corpus from scratch to improve the fuzzing process. The author then describes the implementation of a custom input corpus generator for the MP4 format, highlighting the steps involved in creating diverse input samples for effective vulnerability discovery.
Malware and cryptography 36 - random sbox generation algorithms: Fisher-Yates shuffle. Simple C example. - This post discusses the use of the Fisher-Yates shuffle algorithm for generating random sboxes in cryptography, which play a critical role in block cipher cryptography. The post provides a simple C example of implementing the Fisher-Yates shuffle to generate a random permutation of numbers. It also demonstrates how this algorithm can be integrated into the Khufu algorithm for key generation in a payload encryption implementation. The post highlights the importance of generating cryptographically secure sboxes for encryption algorithms to ensure resistance against attacks.
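As an added example (not the post's own C code), the same Fisher-Yates shuffle in Python, driven by the OS CSPRNG to build a 256-entry sbox, next to the common "swap with any index" mistake; an exhaustive enumeration of the RNG choice tree shows why only the shrinking bound gives a uniform permutation.

```python
"""Fisher-Yates sbox generation with a CSPRNG, next to the biased naive shuffle."""
from __future__ import annotations

import secrets
from collections import Counter
from typing import Callable, Iterable, List


def fisher_yates(values: Iterable[int], rand_below: Callable[[int], int]) -> List[int]:
    """Durstenfeld's in-place Fisher-Yates: position i swaps with a uniform j in [0, i]."""
    arr = list(values)
    for i in range(len(arr) - 1, 0, -1):
        j = rand_below(i + 1)  # the shrinking bound is what makes every permutation equally likely
        arr[i], arr[j] = arr[j], arr[i]
    return arr


def naive_shuffle(values: Iterable[int], rand_below: Callable[[int], int]) -> List[int]:
    """Common mistake: swap every position with any position.
    n**n equally likely RNG paths cannot map evenly onto n! outputs for n > 2."""
    arr = list(values)
    n = len(arr)
    for i in range(n):
        j = rand_below(n)
        arr[i], arr[j] = arr[j], arr[i]
    return arr


def random_sbox(size: int = 256) -> List[int]:
    """A random bijective sbox. secrets.randbelow reads the OS CSPRNG; random.randrange would not do."""
    return fisher_yates(range(size), secrets.randbelow)


def is_permutation(sbox: List[int]) -> bool:
    return sorted(sbox) == list(range(len(sbox)))


def invert_sbox(sbox: List[int]) -> List[int]:
    """The inverse table a cipher needs for decryption: inv[sbox[x]] == x."""
    inv = [0] * len(sbox)
    for x, y in enumerate(sbox):
        inv[y] = x
    return inv


class _NeedChoice(Exception):
    """Raised by the scripted RNG when the replayed choice list runs out."""


def permutation_distribution(n: int, shuffle: Callable[..., List[int]]) -> Counter:
    """Enumerate every sequence of RNG outputs the shuffle can consume (depth-first over
    the choice tree) and count how often each permutation of range(n) comes out."""
    counts: Counter = Counter()

    def explore(prefix: List[int]) -> None:
        bounds: List[int] = []

        def scripted_rand_below(k: int) -> int:
            bounds.append(k)
            if len(bounds) <= len(prefix):
                return prefix[len(bounds) - 1]  # replay a choice made on an earlier pass
            raise _NeedChoice  # first unexplored call: branch on all k outcomes

        try:
            result = shuffle(range(n), scripted_rand_below)
        except _NeedChoice:
            for choice in range(bounds[-1]):
                explore(prefix + [choice])
            return
        counts[tuple(result)] += 1

    explore([])
    return counts
```

For n = 3 the naive shuffle yields 27 paths over 6 permutations (counts of 4 and 5), while Fisher-Yates yields each of the 6 exactly once.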
Dirty DAG: New Vulnerabilities in Azure Data Factory’s Apache Airflow Integration - Unit 42 researchers have discovered new vulnerabilities in the Azure Data Factory Apache Airflow integration, allowing attackers to gain unauthorized write permissions to a DAG file or compromise a service principal. These vulnerabilities pose a significant risk to organizations using Azure Data Factory, as attackers could gain shadow admin control, leading to data exfiltration and unauthorized access. The vulnerabilities include misconfigured Kubernetes RBAC, weak authentication for Geneva, and misconfigured secret handling. Attackers could potentially manipulate these flaws to control the Airflow cluster and related infrastructure, highlighting the importance of carefully managing service permissions and monitoring third-party services. Mitigation strategies are outlined to safeguard cloud environments from similar threats. The article also details an attack scenario where attackers could exploit the vulnerabilities to gain access to the Airflow integration and manipulate data assets within the Azure environment, potentially causing significant damage to the infrastructure.
Escalating privileges to read secrets with Azure Key Vault access policies - Users with the Key Vault Contributor role in Azure can escalate their privileges to read and modify Key Vault contents by adding themselves to access policies, contrary to Microsoft's intended restrictions. Datadog reported this finding to Microsoft, who updated documentation to clarify the risk. It is recommended to avoid using Key Vault access policies and limit Key Vault Contributor role assignments to mitigate this security risk. Datadog's CSPM tool can help detect key vaults that rely on an access policy permissions model.
Unsafe Archive Unpacking: Labs and Semgrep Rules - During an internship with Doyensec, the author researched unsafe archive unpacking in various programming languages, highlighting vulnerabilities and providing safe alternatives. The research focused on path traversal issues that could lead to security risks if not properly handled, with proof-of-concept examples in different languages. Semgrep rules were developed to automatically detect vulnerable implementations, and web application labs were created to test for decompression attacks. The author also reflects on their internship experience with Doyensec, emphasizing the importance of methodology and collaboration in bug hunting.
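As an added example (not code from the Doyensec research or its labs), a Python check that audits zip entries for the path-traversal shapes that research describes (parent references, absolute paths, a symlink entry) and refuses to extract an archive containing any of them; the sample archives are constructed inline.

```python
"""Checking zip entries for path traversal before extraction."""
from __future__ import annotations

import io
import os
import re
import stat
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple


def build_sample_archive() -> bytes:
    """Constructed test archive: one benign entry plus four shapes an unpacker must refuse."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign content")
        zf.writestr("../../outside.txt", "climbs out of the destination")
        zf.writestr("/etc/absolute.txt", "absolute path")
        zf.writestr("sub/../../escape.txt", "traversal hidden behind a normal component")
        # Symlink entry: zipfile keeps the Unix mode in the top 16 bits of external_attr.
        link = zipfile.ZipInfo("link_to_parent")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "..")
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed archive with a directory entry and one file, nothing suspicious."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/", "")
        zf.writestr("docs/readme.txt", "benign content")
    return buf.getvalue()


def member_violation(info: zipfile.ZipInfo) -> Optional[str]:
    """Return why this entry must not be extracted, or None if it is acceptable."""
    if stat.S_ISLNK(info.external_attr >> 16):
        return "symlink entry"  # a link out of dest turns later entries into writes anywhere
    name = info.filename.replace("\\", "/")  # treat backslashes as separators as well
    if name.startswith("/") or re.match(r"^[A-Za-z]:", name):
        return "absolute path"
    depth = 0
    for part in name.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            depth -= 1
            if depth < 0:  # more '..' than real components: leaves the destination
                return "path traversal"
        else:
            depth += 1
    return None


def audit_archive(data: bytes) -> Dict[str, Optional[str]]:
    """Map every entry name to its violation (or None) without writing anything."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: member_violation(info) for info in zf.infolist()}


def safe_extract(data: bytes, dest: str) -> List[str]:
    """Refuse the whole archive if any entry fails the check; otherwise extract,
    re-verifying that each resolved target still lies under dest."""
    dest_path = Path(dest).resolve()
    written: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reason = member_violation(info)
            if reason:
                raise ValueError(f"refusing {info.filename!r}: {reason}")
        for info in zf.infolist():
            target = (dest_path / info.filename).resolve()
            if target != dest_path and dest_path not in target.parents:
                raise ValueError(f"{info.filename!r} resolves outside {dest_path}")
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(info.filename)
    return written


def try_extract(data: bytes) -> Tuple[List[str], Optional[str], int]:
    """Extract into a throwaway directory; return (files written, error, files left on disk)."""
    with tempfile.TemporaryDirectory() as tmp:
        try:
            written = safe_extract(data, tmp)
            error = None
        except ValueError as exc:
            written, error = [], str(exc)
        leftovers = sum(len(files) for _, _, files in os.walk(tmp))
    return written, error, leftovers
```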
Under the Radar: Exploring Spring Boot Actuator Misconfigurations - Wiz Threat Research has investigated misconfigurations in Spring Boot Actuator endpoints that can lead to the exposure of sensitive data and even remote code execution. They found that 1 out of 4 environments with publicly exposed Actuators had misconfigurations. These misconfigurations can lead to serious security risks, such as exposing credentials and allowing attackers to gain unauthorized access. The blog provides actionable insights on how organizations can protect themselves from these risks and highlights common misconfigurations, such as exposed HeapDump files and Gateway endpoints leading to RCE.
Security ProbLLMs in xAI's Grok: A Deep Dive - The article discusses security vulnerabilities in xAI's Grok chatbot, including prompt injection, data exfiltration, conditional attacks, disinformation, and ASCII smuggling. These vulnerabilities can compromise the confidentiality, integrity, and availability of user data. The post highlights the flaws in Grok's security posture and the potential risks associated with using the chatbot. Recommendations are provided to mitigate these threats, including removing hidden Unicode tags, implementing Content Security Policies, and exercising caution when engaging with third-party content. Overall, while Grok's features are impressive, its security measures need improvement to protect users from potential exploitation.
Using DInvoke and Sliver to Evade OpenEDR and Escalate Privileges - The author explores evading the Xcitium OpenEDR EDR solution on a Windows machine while running Windows Defender, escalating privileges to a High Integrity User, and dumping machine credentials using DInvoke and Sliver. By dynamically loading API calls and obfuscating code, the author creates a shellcode loader and a Sliver C2 beacon to bypass detection. The author successfully evades detection by OpenEDR and Defender, obtains administrator privileges, dumps credentials, and bypasses UAC to achieve a high integrity shell, demonstrating the effectiveness of the evasion techniques used.
The Qualcomm DSP Driver - Unexpectedly Excavating an Exploit - Google's Project Zero team collaborated with Amnesty International and Google's Threat Analysis Group (TAG) to analyze exploit artifacts provided by TAG, leading to the discovery of 6 vulnerabilities in a Qualcomm driver over 2.5 months. The blog post details the bugs discovered, including a refcount leak and UAF issues, and hypothesizes the in-the-wild (ITW) exploit strategy from the logs. The bugs discovered highlight the importance of auditing chipset drivers for security vulnerabilities and demonstrate the negative implications of the current third-party vendor driver security posture on Android devices. Two of the bugs remain unfixed by Qualcomm 145 days after reporting.
Snowy Days & The Malware Packing Ways - The post "Snowy Days & The Malware Packing Ways" by Magic Bytes delves into the topic of packers used by malware authors to compress and encrypt binaries to evade detections. The post covers the basics of packers, types of packers, how packed binaries are generated, techniques used by packers, detecting packed binaries, and manually unpacking a UPX protected binary. It also includes a bonus section on implementing a simple packer in C. The author emphasizes the importance of understanding packers to analyze and defeat them in malware samples.
CVE-2024-55956 Analysis - CVE-2024-55956 is a critical vulnerability that allows an unauthenticated attacker to import and execute arbitrary commands on the host system by leveraging the default settings of Cleo's Autorun directory. This vulnerability was exploited in the wild in December 2024 targeting Cleo file transfer products. Rapid7 observed enumeration and post-exploitation activity associated with this vulnerability and confirmed that it can lead to remote code execution. The vendor released a patch, version 5.8.0.24, to address this vulnerability. Successful exploitation of CVE-2024-55956 can leave artifacts in log files and allows an attacker to execute malicious OS commands on the target system.
delivr.to’s Top 10 Payloads (Dec ‘24): Pastejacking, Image-less QR codes and Concatenated Zip Archives - The article discusses delivr.to's Top 10 Payloads in December 2024, including topics such as Pastejacking, Image-less QR codes, Concatenated Zip Archives, and more. The list highlights various innovative methods used by adversaries to deliver malicious code, steal credentials, and evade defenses. Each payload is accompanied by detailed explanations and examples, allowing readers to test their defenses against these evolving threats.
ADFS Entra Lab with Ludus - This blog walks you through setting up an ADFS lab using Ludus for testing and experimentation. It includes automation methods for integrating Microsoft 365 apps with ADFS and offers flexibility in lab structure. The lab uses Ansible roles to manage software and configurations, enabling a wide range of experimentation, such as Golden SAML attacks and hybrid cloud setups. The blog highlights the ease of setting up the lab with Ludus and provides guidance on integrating third-party applications for Single Sign-On using ADFS.
Pitting AI Against AI: Using PyRIT to Assess Large Language Models (LLMs) - The article discusses the use of PyRIT, an open-source framework released by Microsoft, to assess the security and safety of Large Language Models (LLMs). LLMs, such as ChatGPT and OpenAI models, have vulnerabilities that attackers can exploit, such as data disclosure and code execution. PyRIT automates red teaming tasks against LLMs to uncover issues like bias, prohibited content, and security vulnerabilities. The article provides a step-by-step guide on installing PyRIT, obtaining API keys for Crucible and OpenAI, and attacking a Crucible challenge using the framework. It concludes by mentioning future blog posts that will delve deeper into attacking LLMs and AI models.
How an obscure PHP footgun led to RCE in Craft CMS - An obscure PHP footgun in Craft CMS allowed for unauthenticated Remote Code Execution, due to a default configuration in PHP that allowed command line arguments to be passed through the query string. The vulnerability was promptly fixed by the Craft CMS team, but it highlighted the potential security issues that can arise from certain PHP behaviors.
Malware Series: Process Injection Mapped Sections - TrustedSec discusses using shared memory sections for process injection to execute code in remote processes. They demonstrate the method in C and C#, showing how to create views of memory sections and copy shellcode into them to execute in the remote process. The process involves creating a section of memory, mapping it into local and remote processes, copying the shellcode, and creating a new thread in the remote process to execute the code. This technique allows attackers to inject and run code in another process using shared memory sections.
Exploring vulnerable Windows drivers - The post explores the result of research on vulnerable Windows drivers, specifically the Bring Your Own Vulnerable Driver technique, and how threat actors use these drivers to escalate privileges, load unsigned code, and bypass endpoint security tools. It also discusses modern Windows mitigations such as Virtualization-Based Security, HVCI, Kernel Control Flow Guard, and Kernel shadow stack to protect against kernel exploitation. The post concludes with recommendations to mitigate the risks associated with legacy drivers and detect potential campaigns using the BYOVD technique.
The Windows Registry Adventure #5: The regf file format - In the latest update from Project Zero at Google, Mateusz Jurczyk discusses the regf file format used to encode registry hives on Windows systems. The regf format is unique in that it represents a registry subtree on disk and in memory simultaneously, eliminating the need for reparsing. Despite not having an official specification from Microsoft, the format's design has posed challenges and vulnerabilities over the last 30 years. Jurczyk highlights the importance of understanding the regf format for security and optimization purposes.
x64 Call Stack Spoofing - The blog discusses the implementation of x64 call stack spoofing, building upon previous return address spoofing techniques. It breaks down the technique into simpler parts, explaining how to create synthetic stack frames to mask the origin of API calls. By spoofing the call stack, security solutions monitoring call stacks can be tricked into not detecting tampering with return addresses. The post also covers dynamically calculating the size of a function's stack and configuring arguments for target APIs, ultimately restoring the stack back to its original state after executing the API.
Now You See Me, Now You Don’t: Using LLMs to Obfuscate Malicious JavaScript - The Threat Research Center developed an algorithm that uses large language models (LLMs) to generate new variants of malicious JavaScript code to evade detection by security tools. Criminals can use LLMs to obfuscate existing malware, making it harder to detect. By retraining their malicious JavaScript classifier on LLM-rewritten samples, they have improved detection rates and deployed a new detector in their Advanced URL Filtering service. These tactics help protect against evolving threats and improve defenses against AI-based attacks.
Exploring Crystal language - Ricardo J. Ruiz Fernández, an ethical hacker with various certifications, decided to explore the Crystal programming language, which is high-performance and statically typed with Ruby-inspired syntax. He successfully ported NativeDump and TrickDump to Crystal, allowing for the execution of Windows API calls through C bindings and low-level system capabilities. Additionally, he created CrystalDump and a port of TrickDump in Crystal, inspired by the potential of Crystal highlighted in a blog post called "Crystal Malware." These tools enable dumping processes, accessing OS information, and manipulating memory regions using NTAPI functions. Furthermore, he developed a tool to remap the ntdll.dll library and generate Minidump files on the attacking system.
Hacking Kerio Control via CVE-2024-52875: from CRLF Injection to 1-click RCE - This article discusses the discovery of security vulnerabilities in Kerio Control, a popular firewall and UTM product, which can be exploited for 1-click Remote Command Execution attacks. The vulnerabilities, related to HTTP Response Splitting, were initially deemed low severity but were later found to have a higher impact. By exploiting these vulnerabilities, an attacker could potentially gain root access on the firewall.
Exploring Vulnerabilities in the SDLS Implementation of NASA’s CryptoLib - The article explores vulnerabilities in the implementation of NASA's CryptoLib for the Space Data Link Security Protocol (SDLS), detailing how these vulnerabilities can be exploited to bypass SDLS and gain control of a spacecraft. The vulnerabilities include an out-of-bounds read vulnerability, improper control of dynamically-managed code resources, and the ability to decrypt spacecraft operator telecommands without the key. Mitigations and patches are proposed for these vulnerabilities, and the importance of security in the verification and validation strategy is discussed. Responsible disclosure and mitigation efforts are also highlighted in the article.
Philosophy of Nietzsche: Pivoting on Windows using Nebula - The article discusses a method for pivoting on Windows using Nebula, an overlay network. It details the process of configuring the network, enabling Internet Connection Sharing, and running PowerShell scripts to route traffic to target networks. The author emphasizes the need for information security specialists to use this method responsibly and within legal boundaries. The practicality of the approach is demonstrated with commands and tools to verify connectivity and perform services scans. The article also draws inspiration from Friedrich Nietzsche's philosophy, highlighting his compassion and suffering as depicted in his life.
TokenSmith – Bypassing Intune Compliant Device Conditional Access - TokenSmith is a tool that bypasses Intune compliant device conditional access by generating Entra ID access and refresh tokens. The tool was developed based on a discovery made by security researchers, which allows attackers to access resources without meeting compliance requirements. The tool can be used for offensive engagements and covert adversary simulations. The author emphasizes using the information for educational purposes only and warns against misuse. JUMPSEC Labs, the company behind TokenSmith, offers penetration testing services and cyber incident exercising.
Windows Server 2022 and MsMpEng.exe - The blog post discusses using Procmon in a boot mode to analyze the Windows Defender process MsMpEng.exe on Windows Server 2022, revealing what file names and paths it checks. The author expresses surprise at the lack of documentation on this behavior, as Windows Defender signatures are easily decompilable. The post includes a list of paths and file names.
I’m Lovin’ It: Exploiting McDonald’s APIs to hijack deliveries and order food for a penny - McDonald's API flaws in India allowed users to order food for a penny, hijack deliveries, track orders, and access sensitive information. The vulnerabilities were found and reported through a bug bounty program, leading to prompt fixes and a reward for the researcher. The flaws did not compromise user accounts or payment information, and McDonald's India has assured the public that the system is now secure for use.
Exploiting Reflected Input Via the Range Header - The author discusses exploiting reflected input via the Range Header in order to make unexploitable vectors fully exploitable by forcing the server to send only the attack section from a document. By combining desync, header injection, and XSS attacks, the author aims to insert malicious code into responses sent back to victims. The attack chain involves finding endpoints with reflected input and responses to the Range header, which can be difficult to defend against due to the benign nature of individual steps. Understanding how these issues can be assembled into a working attack chain is crucial for detection and mitigation.
Weaponizing WDAC: Killing the Dreams of EDR - Weaponizing WDAC can be used to block telemetry sources and security solutions like EDR sensors, allowing adversaries to operate without constraints. By applying a specially crafted WDAC policy with remote administrative privileges, EDR sensors can be stopped from running. This attack technique can be executed locally or remotely, and mitigations include enforcing WDAC policies through group policy and following the principle of least privilege to restrict permissions. Detection of malicious policies is difficult, so efforts to mitigate attacks are strongly recommended.
Create your own C2 using Python- Part 3 - In Part 3 of the Create your own C2 series, the author introduces new features to the Python-driven C2 tool, such as escalating privileges from medium to high integrity, migrating into another process, bypassing UAC, and elevating to SYSTEM level permissions using ElevationStation. The blog post includes instructions on how to set up and use these new features, as well as provides links to download the necessary files and code from GitHub. The author emphasizes the programmatic soundness of the UAC bypass technique and highlights the fun and utility of the new features added to the C2 tool.
Another JWT Algorithm Confusion Vulnerability: CVE-2024-54150 - The blog discusses a JWT algorithm confusion vulnerability (CVE-2024-54150) found in a C library, allowing attackers to exploit insufficient verification of signature types. The vulnerability arises from conflating HMAC and asymmetric key verification, potentially leading to unauthorized access. The author provides examples of code exploiting the vulnerability and emphasizes the importance of challenging assumptions in code reviews to uncover vulnerabilities. The blog encourages a curious and critical mindset when conducting code reviews to identify overlooked security risks.
A Little More on LKM Persistence - The article discusses a method for persisting a Linux LKM rootkit across reboots by leveraging the depmod command. The author demonstrates how to hide the evil module name in the depmod files to prevent detection of the rootkit. They also explore using diff to detect the hidden object and suggest using overlayfs hacks for easier investigation. The article concludes by recommending using a script to load the rootkit instead of relying on depmod.
Everyday Ghidra: Symbols — Automatic Symbol Acquisition with Ghidra — Part 2 - The blog post discusses how to automatically acquire symbols with Ghidra to improve analysis, mentioning the configuration of public symbol servers and how to leverage remote symbol servers. It also explains how to manually load symbols and how to configure Ghidra to download symbols automatically during analysis. The post emphasizes the importance of symbols in enhancing reverse engineering and provides tips on how to maximize the analysis results by utilizing symbols effectively.
IE DCOM to LFI - The article explores using DCOM to facilitate lateral movement on a machine, specifically focusing on leveraging Local File Inclusion (LFI) to access user credentials. It details the process of finding DCOMs on a machine using PowerShell, initializing COM objects, and interacting with Internet Explorer's COM object to read local files. By exploiting a hidden function in the IE COM object, the attacker can potentially extract sensitive information and gain access to the system. While remote code execution (RCE) functions were not found, LFI proves to be a viable attack vector for lateral movement.
Cacheract: The Monster in your Build Cache - In December 2024, Adnan Khan released a new blog post about a malware tool called Cacheract that can reside within build caches and persist in GitHub Actions CI/CD configurations. Cacheract automates the process of cache poisoning and can execute arbitrary code on the system. It takes advantage of GitHub Hosted Linux runners and cache hits to achieve persistence and potentially compromise the integrity of build pipelines.
Windows Server 2025 and MsMpEng.exe - The author has compared the paths accessed by Windows Defender on Windows Server 2022 and Windows Server 2025, noting that the log file is much longer for the newer version. The author found this exercise interesting and informative.
0x03 - Approaching the Modern Windows Kernel Heap - The article discusses approaching the modern Windows Kernel Heap by attempting exploitation on Windows 11 (x64) after successfully exploiting a UaF vulnerability in Windows 7 (x86). It covers obtaining necessary information, using Ghidra for crafting exploits, dealing with object size changes, and techniques like Kernel Heap Fengshui and using Chlorine for Pool Control. The article also delves into VulnDev's methods and implementing them into the exploit, leading to successful exploitation and achieving code execution to obtain a SYSTEM shell on Windows 11.
Sideloading external scripts: a code golf challenge - Johan Carlsson created a code golf challenge involving sideloading external scripts for XSS attacks with a character limit of 256. Participants were tasked with loading a script from an external source to execute arbitrary code. Various solutions were submitted, with the winning solution involving browser abuse and frameable pages. The challenge highlighted different XSS techniques and side channels for payloads, ultimately showcasing the creativity and knowledge of the participants. Carlsson concluded by acknowledging the contributions and inviting further ideas for improving the payloads.
DigiEver Fix That IoT Thing! - This blog discusses vulnerabilities in DigiEver IoT devices, specifically in their firmware, which expose them to potential attacks. Researchers highlight issues like weak default passwords, unpatched software, and insecure communication protocols, which allow attackers to exploit these devices for data theft or as part of botnets.
[Research] COM Object - Part 2 (DCOM)(EN) - Part 2 of the research on COM objects focuses on DCOM, which is used for Lateral Movement during Red Team or internal penetration testing. DCOM allows COM objects to be used on a remote computer as if they were local, and the activation methods for COM servers can be set as DLL or EXE files. The article also explains how to find vulnerable COM objects in a specific program by checking for objects running with system privileges and accessible with user privileges. The next part will cover tools and vulnerabilities related to COM objects.
Exploiting Second Order SQL Injection with Stored Procedures - The blog explores second-order SQL injection attacks through stored procedures and DNS-based egress. The attack involves injecting malicious SQL into stored procedures, which is later executed indirectly, often bypassing traditional input sanitization. By leveraging DNS-based egress techniques, attackers can exfiltrate data through DNS queries, avoiding detection by common network monitoring tools.
Tools and Exploits
ZigStrike - ZigStrike is a powerful Payload Delivery Pipeline developed in Zig, with various injection techniques and anti-sandbox features to bypass advanced security solutions. It includes a custom payload builder for easy payload selection and construction.
Svartalfheim - The project involves executing shellcode to download a remote payload and execute it in memory, using Nt API calls, indirect syscalls, and return address spoofing.
CrystalDump - GitHub project "CrystalDump" is a port of NativeDump written in Crystal lang, designed to dump the lsass process using only NTAPI functions. It utilizes functions like NtOpenProcessToken and NtAdjustPrivilegesToken to enable the SeDebugPrivilege privilege, NtGetNextProcess and NtQueryInformationProcess to handle the lsass process, and RtlGetVersion to get OS information. The tool also supports remapping ntdll.dll using certain NTAPI and Kernel32 functions.
ScheduleRunner - The GitHub repository Hackcraft-Labs/ScheduleRunner contains a C# tool that provides flexibility to customize scheduled tasks for both persistence and lateral movement in red team operations. The tool allows users to create, delete, edit, execute, and query scheduled tasks, as well as perform lateral movement using scheduled tasks. It supports specifying task names, programs, schedules, arguments, folders, authors, descriptions, and user accounts, and as an evasion option it includes the scheduled-task hiding technique used by threat actors such as HAFNIUM.
Misconfiguration Manager: Detection Updates - SpecterOps team members have published detection updates to Misconfiguration Manager to help defensive operators identify attacks targeting Microsoft's Configuration Manager. The project includes guidance on monitoring application deployments, group membership changes, read access to directories, and connections to named pipes. The goal is to give defenders the knowledge to secure their Configuration Manager implementations and prevent compromise.
burpference - The GitHub repository dreadnode/burpference is a research project that aims to add features to Burp Suite for offensive web application engagements. The project involves capturing in-scope HTTP requests and responses from Burp's proxy history and sending them to a remote API in JSON format. The extension, which is open-source, features automated response capture, flexible configuration options, and support for custom system prompts and API keys.
LOTTunnels - Living Off The Tunnels (LOTTunnels) is a community project that aims to document digital tunnels that can be used for malicious purposes such as data exfiltration and shell access.
SCCMHound - SCCMHound is a C# BloodHound collector for Microsoft Configuration Manager that collects session information from Configuration Manager's users and computers. The tool requires an MCM administrator account with sufficient access to query user and computer information, and it offers various collection methods to gather different types of data.
Krueger - Krueger is a PoC .NET tool created to remotely kill Endpoint Detection and Response (EDR) systems using Windows Defender Application Control (WDAC). By utilizing WDAC, an adversary with administrative permissions can prevent the EDR service from starting on boot by placing a WDAC policy on the target device and performing a remote reboot. Krueger can be run from memory, eliminating the need to load a WDAC policy from disk, and includes an embedded WDAC policy within the .NET assembly for easier execution.
GimmeShelter - The GitHub repository "GimmeShelter" contains a script for situational awareness that helps identify how and where to run implants. The script analyzes unusual modules and private memory pages with RWX permissions in specific programs like Microsoft VS Code and Mozilla Firefox.
CVE-2024-56145: Craft CMS Exploitation Tool - This GitHub repository contains an exploit tool for an unauthenticated Remote Code Execution (RCE) vulnerability on CraftCMS when the PHP `register_argc_argv` config setting is enabled. The tool allows attackers to exploit the vulnerability using specially crafted payloads, automated FTP server, and reverse shell payload generation.
Slack Jack - The GitHub repository "slack_jack" contains a tool called Slack Jack, which is designed for ethical hacking and security testing purposes. It allows users to hijack a Slack bot using its token and perform various enumeration and exploitation activities. The tool provides a command-line interface for interacting with Slack's API endpoints, facilitating actions like sending messages and managing bot activities. Users must have a Slack bot token with appropriate permissions and a Slack workspace to test against.
Flyphish - The GitHub repository VirtualSamuraii/flyphish contains an Ansible playbook that allows cyber security consultants to deploy a phishing server in the cloud for security assessments. The playbook installs and configures Gophish and Postfix servers on a virtual machine in the cloud, and removes default IOCs for OPSEC purposes. Users must have a Linux instance in the cloud with a public IPv4 address, purchase a domain and set DNS records, install Ansible on their machine, and run the playbook to deploy the phishing server.
HellBunny - HellBunny is a shellcode loader written in C and Assembly that uses direct or indirect syscalls to evade EDR hooks. It can be built as an EXE, DLL, or XLL and offers features for adaptability. The project aims to understand the Windows operating system architecture and techniques used by EDR software, such as calling the NtAPI directly, performing system calls, and resolving system service numbers. Additionally, it supports local and remote injection and includes features like custom DLL entry points and string hashing algorithms.
TokenSmith - TokenSmith is a tool that generates Entra ID access and refresh tokens for use in offensive engagements, covert adversary simulations, and penetration tests. The tokens generated by TokenSmith work seamlessly with popular Azure post exploitation tools. Users can customize the tokens generated using additional flags and can integrate them with various open source offensive tooling.
AzureAD beacon object files - This GitHub repository contains a collection of Beacon Object Files (BOFs) used for Azure AD attacks that have been tested during engagements.
Threat Intel and Defense
Analysis of Cyber Anarchy Squad attacks targeting Russian and Belarusian organizations - C.A.S hacktivists are targeting Russian and Belarusian organizations using rare RATs, with the goal of causing maximum damage, including reputational harm. They exploit vulnerabilities in public services and utilize free tools. The group also collaborates with other hacktivist groups and shares infrastructure and tools. Their attacks involve gaining initial access through vulnerabilities, using rare RATs like Revenge RAT and Spark RAT, and employing destructive techniques like data encryption and destruction.
Effective Phishing Campaign Targeting European Companies and Institutions - Unit 42 researchers investigated a phishing campaign targeting European companies, including those in Germany and the UK, to harvest account credentials and take over victims' Microsoft Azure infrastructure. The campaign used fake forms created with HubSpot Free Form Builder and targeted roughly 20,000 users. The threat actor also used advanced techniques like VPN proxies and new Autonomous System Numbers to evade detection, showing a sophisticated approach to hacking. The researchers collaborated with HubSpot and compromised organizations to develop mitigation strategies and protect potential victims.
LDAP Enumeration: Unveiling the Double-Edged Sword of Active Directory - This article discusses the use of LDAP for malicious purposes by threat actors targeting Active Directory environments. It provides examples of how nation-state and cybercriminal groups abuse LDAP attributes for reconnaissance and exploitation. The article also highlights the challenges of differentiating between benign and malicious LDAP activity and provides detection strategies, such as monitoring LDAP logs for suspicious queries. It also mentions tools like AdFind, ADRecon, and SharpHound that threat actors use for LDAP enumeration. The article emphasizes the need for understanding and monitoring LDAP enumeration to mitigate risks and secure directory services.
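The detection strategy the article describes, monitoring LDAP logs for suspicious queries, comes down to scoring search filters and attributing them to a client and bound user. The following is an added example written for this newsletter, not code from the article: it parses a constructed, simplified log format (timestamp, client, user, base DN, filter), scores each filter against fragments typical of broad directory enumeration, and reports the client/user pairs whose accumulated score crosses a threshold. The pattern weights and the sample log lines are assumptions to be tuned against real directory logging, not values from the article.

```python
"""
Added example (not from the article): score LDAP search filters from directory
logs for patterns typical of domain-wide enumeration and attribute them to a
client/user pair. The log format is constructed and simplified; a real
deployment would feed this from the domain controller's LDAP query logging
or a network sensor that decodes LDAP.
"""
import re
from collections import defaultdict

# Filter fragments commonly seen in broad enumeration. Weights are a starting
# point for tuning, not ground truth; filters are lowercased before matching.
ENUM_PATTERNS = {
    r"\(objectclass=\*\)": 2,                                    # wildcard class match
    r"\(serviceprincipalname=\*\)": 3,                           # SPN sweep
    r"\(admincount=1\)": 3,                                      # privileged accounts
    r"\(useraccountcontrol:1\.2\.840\.113556\.1\.4\.803:=": 2,   # UAC bit-flag queries
    r"\(objectcategory=(group|computer|user|organizationalunit)\)": 1,
    r"\(objectclass=trusteddomain\)": 2,                         # trust discovery
    r"\(msds-allowedtodelegateto=\*\)": 3,                       # delegation sweep
}

# Constructed log line shape: ts client=IP user=DOMAIN\name base="DN" filter="(...)"
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) client=(?P<client>\S+) user=(?P<user>\S+) '
    r'base="(?P<base>[^"]*)" filter="(?P<filter>[^"]*)"$'
)


def score_filter(ldap_filter: str) -> int:
    """Return the summed weight of enumeration patterns present in one filter."""
    f = ldap_filter.lower()
    return sum(weight for pat, weight in ENUM_PATTERNS.items() if re.search(pat, f))


def summarize(lines, threshold: int = 5) -> dict:
    """Aggregate per (client, user); return pairs at or above the threshold.

    Each value carries the query count, the accumulated score and the filters
    that contributed, so an analyst can see both volume and intent.
    """
    per_source = defaultdict(lambda: {"queries": 0, "score": 0, "hits": []})
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line; count separately in a real pipeline
        s = score_filter(m["filter"])
        entry = per_source[(m["client"], m["user"])]
        entry["queries"] += 1
        entry["score"] += s
        if s:
            entry["hits"].append(m["filter"])
    return {k: v for k, v in per_source.items() if v["score"] >= threshold}


# Constructed sample log: one ordinary lookup from a workstation and a burst of
# broad queries from a service account that should not be surveying the domain.
SAMPLE_LOG = [
    '2024-12-18T09:01:02Z client=10.0.5.21 user=CORP\\jdoe base="DC=corp,DC=example" '
    'filter="(&(objectClass=user)(sAMAccountName=jdoe))"',
    '2024-12-18T09:01:05Z client=10.0.5.21 user=CORP\\jdoe base="OU=Printers,DC=corp,DC=example" '
    'filter="(objectCategory=printQueue)"',
    '2024-12-18T09:02:10Z client=10.0.9.77 user=CORP\\svc-backup base="DC=corp,DC=example" '
    'filter="(objectClass=*)"',
    '2024-12-18T09:02:11Z client=10.0.9.77 user=CORP\\svc-backup base="DC=corp,DC=example" '
    'filter="(&(objectCategory=user)(servicePrincipalName=*))"',
    '2024-12-18T09:02:12Z client=10.0.9.77 user=CORP\\svc-backup base="DC=corp,DC=example" '
    'filter="(&(objectCategory=user)(adminCount=1))"',
    '2024-12-18T09:02:13Z client=10.0.9.77 user=CORP\\svc-backup base="DC=corp,DC=example" '
    'filter="(objectCategory=computer)"',
    '2024-12-18T09:02:14Z client=10.0.9.77 user=CORP\\svc-backup base="DC=corp,DC=example" '
    'filter="(objectClass=trustedDomain)"',
]

if __name__ == "__main__":
    for (client, user), info in summarize(SAMPLE_LOG).items():
        print(f"{client} {user}: {info['queries']} queries, score {info['score']}")
        for h in info["hits"]:
            print("   ", h)
```

The scoring deliberately ignores who the user is; the article's point that benign and malicious LDAP activity look alike is handled by combining the score with context an analyst already has, such as whether the source is a known management host or whether the bound account normally performs directory-wide searches.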
Unpacking Diicot - Evolving Campaign Targeting Linux Environments - Wiz Threat Research discovered a new malware campaign targeting Linux environments attributed to the Diicot threat group. This campaign showcases significant advancements compared to previous iterations and targets Linux systems in various sectors. The malware includes improvements such as modified UPX headers and behavior tailored to the environment. Diicot utilizes techniques like custom UPX packers, Internet scanning, and cryptomining malware. The malware campaign targets Linux-based machines running OpenSSH with weak credentials, posing a risk of compromise and potential malicious activity. Wiz offers solutions to detect and remediate compute instances with misconfigured SSH to protect against evolving threats like the Diicot malware campaign.
Hidden in Plain Sight: TA397’s New Attack Chain Delivers Espionage RATs - Proofpoint observed the advanced persistent threat TA397 targeting a Turkish defense sector organization with a lure about public infrastructure projects in Madagascar. The attack chain used alternate data streams in a RAR archive to deliver RAT malware families for espionage, namely WmRAT and MiyaRAT. The campaign is almost certainly intelligence collection efforts in support of a South Asian government’s interests. Proofpoint provides insights and tools for defenders to identify and defend against intrusions from TA397.
Analyzing FLUX#CONSOLE: Using Tax-Themed Lures, Threat Actors Exploit Windows Management Console to Deliver Backdoor Payloads - Securonix has identified a phishing campaign called FLUX#CONSOLE, where threat actors are exploiting tax-themed lures to deliver backdoor payloads using Windows Management Console. The attackers are using MSC files and advanced obfuscation techniques to execute stealthy malware. The campaign involves the abuse of MSC files, DLL sideloading, scheduled tasks for persistence, and advanced obfuscation techniques. The attackers are able to establish C2 communication and exfiltrate data, with the primary target believed to be in Pakistan.
Detection Engineer’s Guide to Powershell Remoting - Powershell Remoting is a feature in Windows that allows remote command execution, making it essential for system administrators. However, it can be exploited by attackers to move laterally and execute malicious scripts. Monitoring Windows Event Logs and Sysmon can help detect suspicious activity related to Powershell Remoting. By understanding how attackers enable and use Powershell Remoting, organizations can better safeguard against cyber threats. SnapAttack offers a platform for threat hunting and detection engineering to proactively defend against potential abuse of Powershell Remoting.
Incident Response in Microsoft Entra ID (formerly Azure AD) - The blog discusses incident response actions for a compromised user account scenario within Microsoft Entra ID, focusing on preventing the incident from spreading. The author tests and validates response actions, such as resetting passwords and blocking users, to revoke sessions and prevent further unauthorized access. The blog also explores the limitations of response actions, like access through legacy API endpoints, and emphasizes the importance of thorough validation and testing of incident response procedures. The author recommends implementing response actions like revoking sessions to effectively respond to compromised user accounts.
“DeceptionAds” — Fake Captcha Driving Infostealer Infections and a Glimpse to the Dark Side of Internet Advertising - Guardio Labs uncovered a large-scale fake captcha campaign that distributed the Lumma info-stealer malware, highlighting the dark side of internet advertising. The campaign relied on a single ad network to reach over 1 million daily ad impressions and cause thousands of daily victims to lose their accounts and money. Through detailed analysis, the origins of the campaign were traced to a specific ad network service, Monetag, part of PropellerAds' network. The investigation revealed the complex web of threats associated with malvertising and the fragmented accountability in the ad ecosystem. Stronger proactive measures are needed to protect internet users from such malicious campaigns.
CoinLurker: The Stealer Powering the Next Generation of Fake Updates - CoinLurker is a sophisticated stealer that is behind the next generation of fake updates, using advanced obfuscation techniques to evade detection. The webinar highlighted Morphisec's Adaptive Exposure Management for Managed Services, Windows Endpoints, Servers & Workloads, and Linux Server Protection. The blog discusses the evolution of fake update campaigns, the tactics used by CoinLurker, and strategies for defense. Morphisec's Moving Target Defense technology aims to stop attacks early without relying on outdated methods. The company also offers incident response services and protection against supply chain and browser attacks.
Recent Cases of Watering Hole Attacks, Part 1 - The blog discusses recent cases of watering hole attacks, particularly focusing on a case in Japan where a university research laboratory website was exploited in 2023. The attack involved displaying a fake Adobe Flash Player update screen on the website, leading users to download and execute malware onto their computers. The malware used in the attack displayed a decoy document and injected a DLL file into the Explorer process. The group behind the attack remains unknown, but the blog also mentions other attacks conducted by the same group using different malware and techniques. The blog aims to raise awareness about security measures in light of the increasing number of targeted attacks.
Phishing platform Rockstar 2FA trips, and “FlowerStorm” picks up the pieces - The phishing platform Rockstar 2FA experienced technical failures, leading to its disruption. As a result, a similar platform called FlowerStorm emerged, showing similarities in structure and operation. FlowerStorm targets organizations primarily in the US, Canada, UK, Australia, and Italy, with a focus on the service industry. While there is no concrete link between Rockstar 2FA and FlowerStorm, it is suggested that they share a common ancestry due to similarities in their operations.
Attackers exploiting a patched FortiClient EMS vulnerability in the wild - Attackers have been exploiting a FortiClient EMS vulnerability to infiltrate networks, targeting a Windows server with open ports associated with FortiClient EMS. The vulnerability allows attackers to execute unauthorized code or commands through SQL injection. Kaspersky's GERT team identified the attacker's TTPs and indicators, including attempts to access registry hives and execute remote monitoring tools. The attackers used tools like ScreenConnect and AnyDesk to upload additional payloads for discovery and lateral movement. The incident highlights the importance of patching vulnerabilities and implementing alert notifications and patch management to protect against cyber incidents.
Lazarus group evolves its infection chain with old and new malware - The Lazarus group has targeted a nuclear-related organization with a new malware campaign called "Operation DreamJob". They have evolved their infection chain by delivering archive files containing multiple types of malware to employees, including a downloader, loader, and backdoor. The malware includes old and new samples such as MISTPEN, LPEClient, RollMid, CookieTime, and a new modular backdoor called CookiePlus. The group uses various tactics to evade detection, such as disguising malware as legitimate software and using compromised web servers as command and control servers.
Jingle Shells: How Virtual Offices Enable a Facade of Legitimacy - The blog discusses how virtual offices have revolutionized business operations by providing flexibility and cost-effectiveness. However, it also highlights how virtual offices can be exploited by cybercriminals to establish shell companies and hide illicit activities. The misuse of virtual office services creates challenges for regulators and businesses in distinguishing between legitimate enterprises and fraudulent ones. The blog provides insights into investigative techniques and patterns of abuse in virtual office and hosting services, emphasizing the need for collaboration, stricter regulations, and enhanced due diligence to combat cybercrime effectively.
Hidden in Plain Sight: TA397’s New Attack Chain Delivers Espionage RATs - this blog discusses a new attack chain by the threat actor TA397, delivering espionage-focused remote access trojans (RATs). This chain uses phishing emails that exploit legitimate services like Google Drive and Dropbox to host payloads. The campaign employs malicious macros in Microsoft Office documents, bypassing some email filtering systems. TA397 targets sectors like government and education, focusing on intelligence collection.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
Threat Actor Interview: Spotlighting on Pryx – Admin of the Hellcat Ransomware Group - Pryx, an admin of the Hellcat Ransomware Group, was interviewed about his motivations, strategies, and tools used in cyber operations. He discussed innovative techniques like server-side stealers and Tor-based command-and-control systems. Pryx mentioned his interest in targeting U.S. and Israeli sectors, and shared a failed attempt to deploy ransomware on China Life Insurance. He also emphasized the importance of speed and preparedness during breach operations. Pryx highlighted the use of encryption, air-gapped systems, and secure communication tools for operational security.
Linternals: Exploring The mm Subsystem via mmap [0x01] - The author of the Linternals series is back after a break, exploring the mm subsystem through the mmap system call. The post covers an overview of memory management, key structures and functions of the mm subsystem, and delves into the implementation of the mmap system call in the kernel. Security measures like permission checks and locking are highlighted, with a plan to continue exploring deeper into the mm subsystem in future posts. The post also mentions a remote use-after-free vulnerability in the TIPC networking stack in the kernel.
CAN Flipper hack a car? - Hackster.io is hosting a livestream event discussing the topic of whether the Flipper Zero device can hack a car's CAN network. The tutorial demonstrates how to use a Flipper Zero paired with a CAN bus Add-On to access and interact with a car's CAN network, emphasizing the importance of cybersecurity in automotive design. The tutorial also provides information on accessing real-time data from a vehicle's OBD2 port and warns about the potential dangers of connecting to a car's ECU network. Overall, the aim is to educate about the vulnerabilities of CAN networks in modern vehicles and encourage ethical research in the field of automotive cybersecurity.
Microsoft Windows MSI Installer - Repair to SYSTEM - A detailed journey - this blog explores a vulnerability in MSI installers involving the repair functionality, which could allow attackers to escalate privileges to the SYSTEM level. The post details how attackers can manipulate the repair process to execute arbitrary commands with elevated privileges by abusing improperly secured configurations in MSI packages. The blog provides a technical walkthrough of the attack, demonstrates proof-of-concept exploitation, and offers mitigation strategies, such as ensuring proper permissions and signing packages.
From Informational to Critical: Chaining & Elevating Web Vulnerabilities - this blog post highlights the discovery of a critical vulnerability by chaining multiple low-severity findings during a web application pentest. The vulnerability involved manipulating an API endpoint to escalate privilege and access sensitive data. Through methodical testing and leveraging seemingly benign issues, the team identified a serious flaw that could compromise the application.