
Last Week in Security - 2025-01-06

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools, and exploits from the past week. This post covers 2024-12-23 to 2025-01-06.

News

  • Breaking: Cyberhaven Chrome Extension Compromised in Holiday Attack Campaign - A Cyberhaven employee was successfully phished, leading to the deployment of a malicious Chrome extension during the holiday season, potentially compromising user data. This breach highlights how trusted security tools can be weaponized against users, especially during times when security teams are understaffed. The attack involved phishing an employee, gaining access to Chrome Web Store credentials, and publishing a malicious version of the extension to exfiltrate sensitive information to an attacker-controlled domain. Researchers suspect connections to other compromised Chrome extensions, suggesting a broader campaign may be at play.

  • Israel's spy agency, Mossad, spent years orchestrating Hezbollah walkie-talkie, pager plots - Israel's Mossad orchestrated a years-long operation to trick Hezbollah into buying explosive pagers and walkie-talkies, which were used in a devastating attack in Lebanon.

  • New 'OtterCookie' malware used to backdoor devs in fake job offers - New malware called OtterCookie is being used by North Korean threat actors in the Contagious Interview campaign to target software developers through fake job offers. The malware is delivered through a loader that infects targets through Node.js projects or npm packages, as well as Qt or Electron applications. OtterCookie establishes secure communications with its command and control infrastructure, allowing threat actors to steal sensitive information like cryptocurrency wallet keys and exfiltrate clipboard data. Software developers are advised to verify information about potential employers and be cautious when running code on personal or work computers as part of a job offer.

  • White House: Salt Typhoon hacks possible because telecoms lacked basic security measures - The White House has identified nine telecom companies impacted by the Salt Typhoon hacks, attributing the breach to a lack of basic cybersecurity measures. Anne Neuberger, the White House's deputy national security adviser for cyber and emerging technology, emphasized the need for telecom companies to improve their cybersecurity by implementing measures such as threat-hunting guides and network hardening. The attackers, believed to be state-affiliated actors from China, targeted the phones and data of high-profile individuals, prompting the White House to call for improved cybersecurity regulations for the telecom sector.

  • US Treasury says it was hacked by China in 'major incident' - The US Treasury Department was hacked by Chinese state-sponsored hackers, breaking into systems and accessing employee workstations and some unclassified documents. The breach was deemed a "major incident" and the department, along with other agencies, is investigating the impact of the hack. China denied involvement and called the accusations baseless, stating they oppose all forms of hacking. The hack is part of a series of security breaches in the US attributed to China, and the Treasury Department is working with cybersecurity agencies to assess the overall impact.

  • Cyberhaven Extension Compromise - The Cyberhaven Chrome extension was compromised in a holiday season attack, as detailed in Secure Annex's report. The attackers used phishing tactics to breach a Cyberhaven employee's credentials and gain access to Chrome Web Store accounts. A malicious version of the extension was then uploaded, allowing attackers to exfiltrate sensitive user data. Researchers suggest this is part of a broader campaign targeting other Chrome extensions.

  • U.S. Army Soldier Arrested in AT&T, Verizon Extortions - A 20-year-old U.S. Army soldier, Cameron John Wagenius, was arrested for extorting sensitive customer call records from AT&T and Verizon. Wagenius was caught due to bragging about his activities, and his mother was unaware of his criminal behavior. He now faces serious charges and could be sent to a maximum-security prison. The incident highlights the importance of internal security measures and the risks associated with insider threats in cybersecurity.

  • Over 3.1 million fake "stars" on GitHub projects used to boost rankings - Researchers have identified over 3.1 million fake "stars" on GitHub projects used to boost rankings and increase visibility for scams and malware repositories.

  • Chinese hackers targeted sanctions office in Treasury attack - Chinese hackers targeted the Office of Foreign Assets Control (OFAC) in a major cybersecurity incident, breaching the Treasury Department's network through the BeyondTrust remote support platform. The hackers were likely collecting intelligence on potential sanctions targets. Chinese state-backed group "Salt Typhoon" was also linked to recent breaches of U.S. telecom firms. The U.S. government has taken steps to secure its networks and ban China Telecom's operations in response to these cyber threats.

Techniques and Write-ups

  • Golang in Disguise: Building Evasive Loader In Go - The article walks through building an evasive shellcode loader in Go that aims to bypass the detection mechanisms of AV/EDR tools. The loader fetches AES-encrypted shellcode from a server, decrypts it in memory, and executes it through indirect syscalls provided by the Acheron tool, giving a Go loader that can be tested against EDR products.

  • NFS Security: Identifying and Exploiting Misconfigurations - The article discusses NFS security, including identifying and exploiting misconfigurations. The authors, Philipp Tekeser-Glasz and Michael Eder, developed tools to analyze NFS security vulnerabilities and issue disclosures to affected projects. They provide recommendations for securing NFS environments, as well as tools for detecting and addressing misconfigurations.

  • The Feasibility of Using Hardware Breakpoints To Extend the Race Window - The feasibility of using hardware breakpoints to extend the race window in Linux kernel exploitation is explored. Hardware breakpoints can be set to trigger exceptions when a specified memory address is accessed, allowing for stable triggering. While only 4 hardware breakpoints can be set at a time, context-switching to the parent process during the exception can allow for updating and achieving a similar effect. However, attempting to switch to another process when a trap is triggered was ultimately found to be unsuccessful. Hardware breakpoint traps do not perform time-consuming operations, making it unlikely to extend the race window using this method.

  • Malware and cryptography 38 - Encrypt/decrypt payload via Camellia cipher. S-box analyses examples. Simple C example. - This post explores the use of the Camellia cipher in encrypting and decrypting payloads in malware development. The Camellia cipher is a symmetric key block cipher developed by Mitsubishi Electric and NTT Corporation. The post provides a simple C example for implementing the encryption and decryption process using Camellia. It also includes analyses such as S-box analyses, linear approximation table, and avalanche effect measurements for understanding the resistance of the cipher to cryptographic attacks. The post concludes by discussing the implications of different analysis values and suggests ways to align the implementation with the full Camellia algorithm specification for better security.

  • Remote Memory Access in Linux - The blog post explores remote memory access in Linux, discussing methods for accessing memory of another process and how the page fault handler distinguishes between local and remote memory access. It details the execution flow for both local and remote memory access, including validation steps and handling of Copy-On-Write (COW) pages. The post also explains how the COW mechanism works in Linux when duplicating memory-related objects for forked processes or new namespaces.

  • Hiding behind the library line — Go malware development - The author explores injecting code into native libraries in Go malware development while working on a reverse engineering challenge. They found that analysts often overlook built-in libraries in Go because it is statically linked, but discovered a way to inject code by modifying the Go compiler. After facing challenges with directly injecting assembly code into the executable, they compiled their own version of Go and successfully injected code to drop and execute files. This process involved locating the right function in the source code and adding the code accordingly.

  • Active Directory Pentesting Using Netexec Tool: A Complete Guide - This guide provides a comprehensive overview of Active Directory pentesting using the Netexec tool, which is a versatile tool for AD enumeration and exploitation. The tool allows testers to test account existence, authenticate using hashes, enumerate users and groups, and exploit vulnerabilities in AD services. Each command in the tool is explained in detail, along with its purpose and usage, and how it can be mapped to the MITRE ATT&CK framework for Active Directory pentesting.

  • Static Keys, Shattered Security Dreams: A CVE-2024-5764 Story - The article discusses how a Red Team discovered a vulnerability in a Sonatype Nexus Repository 3 instance, leading to the revelation of the CVE-2024-5764 issue. The exploit involved a static encryption key hidden in the source code, allowing sensitive information to be decrypted. The article also discusses the implications of the vulnerability, Sonatype's response, and the importance of re-encrypting passwords to enhance security.

  • MoNotificationUxStub.exe lolbin - The MoNotificationUxStub.exe file is a LOLBin that can be exploited for code execution on Windows Server 2025 by tricking it into loading a non-existent library and substituting our own code in its place. This requires TrustedInstaller rights to write to the folder. The technique falls under the "living off the land" category of attacks.

  • MLEngineStub.exe lolbin - The MLEngineStub.exe file is a LOLBIN (Living Off the Land Binary) that will attempt to locate a non-existing executable on Windows 2025. By placing our own executable in that location, it will be executed. The only limitation is that only TrustedInstaller can write to this folder.

  • la57setup.exe & OOBEFodSetup.exe lolbin - La57setup.exe and OOBEFodSetup.exe are lolbins that, when run on Windows Server 2025, attempt to load a non-existing library from a specific path. This behavior falls under the category of living off the land techniques.

  • 3 little secrets of netsh.exe - The article discusses three little-known secrets of netsh.exe, focusing on additional opportunities for DLL loading using command line syntax and Alias file processing. The author emphasizes the importance of testing hypotheses in a clean environment to avoid contamination of evidence and incorrect conclusions. The lesson learned is to continue digging for more information while also being cautious of potentially misleading findings.

  • Behind the Scenes: Understanding CVE-2022-24547 - The article discusses CVE-2022-24547, a privilege escalation vulnerability in CastSrv.exe that allows attackers to gain elevated privileges by creating arbitrary folders within another user's account. The vulnerability occurs due to unchecked folder creation and full DACL permissions. The article explains the exploitation process and provides steps to protect against the vulnerability.

  • Malware Development Part 12: APC Injection Via NtTestAlert - In this article, the author explores APC Injection via NtTestAlert, a technique used in malware development. The article discusses the role of NtTestAlert in facilitating APC injection, as well as the mechanics behind this advanced approach. The article also provides code examples and a practical demonstration of how to implement APC-based process injection.

  • Non-Intrusive Web Recon: Techniques from Chrome DevTools Recorder - The article discusses non-intrusive web reconnaissance techniques using Chrome DevTools Recorder. The tool allows for capturing user interactions without interfering with the application's functionality by isolating its scripts in separate worlds. Lessons from the Recorder have influenced the design of security tools at Flatt Security, ensuring they don't disrupt the application's behavior. By leveraging isolated worlds, tools can effectively gather insights from web applications without causing any interference.

  • All I Want for Christmas is a CVE-2024-30085 Exploit - The article discusses a heap-based buffer overflow vulnerability, CVE-2024-30085, affecting the Windows Cloud Files Mini Filter Driver. By crafting a custom reparse point, an attacker can trigger the buffer overflow to leak kernel pointers and escalate privileges to gain NT AUTHORITY\SYSTEM access. The exploit plan involves triggering the vulnerability twice to gain kernel pointer leaks, arbitrary reads and writes, and ultimately gain full system privileges. The exploit involves manipulating objects in the paged pool, ALPC handle tables, and PipeAttributes to achieve the escalation of privileges and execute code.

  • Malware and cryptography 37 - Nonlinearity. Walsh Transform. Simple C example. - This post discusses the concept of nonlinearity in S-boxes and how it can be analyzed using the Walsh transform, a form of Fourier transform over binary functions. The Walsh transform measures the correlation of a Boolean function with linear functions, which is central to cryptanalysis. The post includes a simple C example that calculates the nonlinearity of custom S-boxes using the Walsh transform, and demonstrates the computation for different S-box examples, such as the AES S-box and custom S-boxes. It also highlights why high nonlinearity in cryptographic primitives matters for resisting linear cryptanalysis.
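The nonlinearity computation the post describes, as an added example that is not the post's own code: it builds the AES S-box from the GF(2^8) inverse and affine map, evaluates the full Walsh spectrum, and applies NL = 2^(n-1) - max|W(a,b)|/2. All function names are my own, and the 4-bit identity S-box is a constructed linear case to contrast with AES.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Multiplication in GF(2^8) with the AES reduction polynomial
 * x^8 + x^4 + x^3 + x + 1 (0x11b). */
static uint8_t gf_mul(uint8_t a, uint8_t b) {
    uint8_t p = 0;
    for (int i = 0; i < 8; i++) {
        if (b & 1) p ^= a;
        uint8_t carry = a & 0x80;
        a <<= 1;
        if (carry) a ^= 0x1b;
        b >>= 1;
    }
    return p;
}

/* Multiplicative inverse: a^254 == a^-1 in GF(2^8); 0 maps to 0 as in AES. */
static uint8_t gf_inv(uint8_t a) {
    uint8_t r = 1, base = a;
    for (int e = 254; e; e >>= 1) {
        if (e & 1) r = gf_mul(r, base);
        base = gf_mul(base, base);
    }
    return a ? r : 0;
}

/* Build the AES S-box: field inverse followed by the affine map
 * y = inv ^ rotl(inv,1) ^ rotl(inv,2) ^ rotl(inv,3) ^ rotl(inv,4) ^ 0x63. */
void build_aes_sbox(uint8_t sbox[256]) {
    for (int x = 0; x < 256; x++) {
        uint8_t inv = gf_inv((uint8_t)x);
        uint8_t y = inv;
        for (int i = 1; i <= 4; i++)
            y ^= (uint8_t)((inv << i) | (inv >> (8 - i)));
        sbox[x] = y ^ 0x63;
    }
}

/* Single AES S-box entry, handy for spot checks against the FIPS-197 table. */
uint8_t aes_sbox_at(int x) {
    uint8_t sbox[256];
    build_aes_sbox(sbox);
    return sbox[x & 0xff];
}

/* Parity (XOR of all bits) of a value up to 8 bits wide. */
static int parity8(unsigned v) {
    v ^= v >> 4; v ^= v >> 2; v ^= v >> 1;
    return (int)(v & 1);
}

/* Walsh coefficient W(a,b) = sum_x (-1)^(<b,S(x)> xor <a,x>): how well the
 * component function <b,S(x)> is approximated by the linear function <a,x>. */
static int walsh(const uint8_t *sbox, int n, int a, int b) {
    int w = 0;
    for (int x = 0; x < (1 << n); x++)
        w += (parity8(b & sbox[x]) ^ parity8(a & x)) ? -1 : 1;
    return w;
}

/* Nonlinearity of an n-bit S-box: 2^(n-1) - max_{a, b != 0} |W(a,b)| / 2.
 * A value of 0 means some output combination is an affine function of the
 * input, which linear cryptanalysis exploits directly. */
int sbox_nonlinearity(const uint8_t *sbox, int n) {
    int size = 1 << n, max_abs = 0;
    for (int b = 1; b < size; b++)
        for (int a = 0; a < size; a++) {
            int w = abs(walsh(sbox, n, a, b));
            if (w > max_abs) max_abs = w;
        }
    return size / 2 - max_abs / 2;
}

int aes_sbox_nonlinearity(void) {
    uint8_t sbox[256];
    build_aes_sbox(sbox);
    return sbox_nonlinearity(sbox, 8);
}

/* Constructed 4-bit example: the identity map, which is entirely linear. */
int identity4_nonlinearity(void) {
    uint8_t id[16];
    for (int i = 0; i < 16; i++) id[i] = (uint8_t)i;
    return sbox_nonlinearity(id, 4);
}

int main(void) {
    printf("AES S-box nonlinearity: %d\n", aes_sbox_nonlinearity());
    printf("4-bit identity nonlinearity: %d\n", identity4_nonlinearity());
    return 0;
}
```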

  • From Arbitrary File Write to RCE in Restricted Rails apps - The blog post discusses how the research team at Conviso AppSec discovered a technique to achieve remote code execution (RCE) in Rails applications with restricted environments by exploiting an arbitrary file write vulnerability. By abusing the cache mechanism of the Bootsnap library used in Rails, they were able to overwrite cache files with malicious content and achieve RCE. The post details the steps taken to exploit the vulnerability and restart the server to execute the malicious code.

  • I was always there from the start - The blog post discusses the process of creating a bootkit, which is a type of malware that infects the system during the boot process. The goal of the bootkit is to patch the Windows kernel and remain undetected by anti-virus software. The post explains the use of UEFI firmware for bootloaders and drivers, as well as the different services provided by UEFI. The bootkit hooks into the bootloader using the ExitBootServices function and patches the IoInitSystem function in the kernel to display "Hello World." The post highlights the complexity and power of bootkits and the importance of security measures like Secure Boot.

  • Performing AD LDAP Queries Like a Ninja - The article discusses performing AD LDAP queries like a "ninja" and the challenges of detecting these queries in Active Directory. It explains the different types of LDAP logging in Active Directory and how they can be bypassed. The article also provides tips for maximizing LDAP query logging for threat detection.

  • Reverse Engineering The Stream Deck Plus - The article discusses the process of reverse engineering the Stream Deck Plus in order to remove the dependency on proprietary software. The author outlines the inspection process using tools like Wireshark, and how images and button presses are transmitted over the wire. The article also introduces the DeckSurf SDK for interacting with the Stream Deck Plus device, providing sample C# code for managing events and setting images on the device.

  • Delinea Protocol Handler - Remote Code Execution via Update Process (CVE-2024-12908) - The Delinea Protocol Handler used in Secret Server facilitates communication and provides files for launchers. A vulnerability in the sslauncher URL handler could allow remote code execution on a user's machine. An attacker could exploit this by tricking a user into visiting a malicious page or opening a malicious document. The issue was patched in Secret Server version 11.7.000049, and a bypass for domain approval checks was also discovered.

  • Übermensch: Bypassing NAT when pivoting on Windows with Nebula - The article discusses advanced NAT pivoting techniques on Windows using Nebula to access internal networks by leveraging Hole Punching and ICS. It details the process of establishing a connection between an attacker and a compromised host behind NAT. Through UDP Hole Punching and Internet Connection Sharing, the attacker gains access to the victim's internal network. The step-by-step guide includes instructions on setting up Nebula, configuring the network, enabling ICS, and conducting impact tests to demonstrate successful pivoting from the Internet to internal networks. The research draws inspiration from Friedrich Nietzsche’s philosophical concept of "Übermensch."

  • Simple Prompts to get the System Prompts - AI wrappers are commonly used, but their security is often overlooked. Developers add prompts to guide AI models towards the desired output, but attackers can trick the models into revealing those system prompts. Strategies for extracting system prompts include asking the model to repeat the prompt, expand it, enclose it in Markdown, or convert it to base64 or Python code. These methods can bypass limits set by developers, since AI models are imperfect and remain vulnerable to such manipulation.

  • Walkthrough Series - Walkthroughs of solving the Flare-On Reverse Engineering Challenge (2024) from start to finish including commentary.

  • Microsoft 365 Copilot Generated Images Accessible Without Authentication -- Fixed! - Microsoft 365 Copilot had a vulnerability where generated images were accessible without authentication, but it has been fixed. The system prompt for the chatbot has evolved over time, with new features and changes being introduced. The lack of authentication in cloud-based systems poses a security threat, and it is important to prioritize security in the rapid deployment of new features. The chatbot has specific guidelines and limitations for its responses and capabilities to ensure safety and accuracy.

  • Reviving the Fork Bomb - Fork bombing is a type of denial-of-service attack that overwhelms a system by creating an exponential number of processes. It originated as a prank in the Unix community and can crash a system within seconds. Implementations in languages like Bash, C, and Python exist, and there are detection and prevention mechanisms like setting process limits and monitoring tools.

  • Smuggling payloads and tools in, using WIM images - Attackers can smuggle payloads and tools into a target using WIM images, a method similar to using virtual drive images. WIM images are nominally mounted read-only, which would make it difficult to delete files once they are exposed to the operating system. Despite attempts to manipulate the WIM image to redirect to a different file, the system still reads from the original neutral WIM image. The assumption that there are no 'File Created' events for files in WIM images is incorrect, as the system recreates the directory structure and triggers these events. Additionally, WIM images are not truly mounted as read-only, as files and directories can be easily deleted.

  • Smuggling payloads and tools in, using WIM images, Part 2 - WIM files can contain more than one image, allowing for the smuggling of payloads and tools. By using Dism commands, multiple images can be added to a single WIM file and split into smaller chunks. Despite attempts to hide data within Alternate Data Streams and Extended Attributes, the file may still be detected by antivirus software. It is important to pay attention to the capabilities of WIM files and the potential for evading detection.

  • Bad Likert Judge: A Novel Multi-Turn Technique to Jailbreak LLMs by Misusing Their Evaluation Capability - The article introduces the "Bad Likert Judge" technique, which is a multi-turn technique that can bypass safety guardrails in large language models (LLMs) to generate harmful responses. By asking the LLM to act as a judge and score the harmfulness of responses using a Likert scale, attackers can manipulate the model into generating harmful content. The technique has been tested on six state-of-the-art text-generation LLMs and has shown to increase the attack success rate by more than 60%. The article emphasizes the importance of implementing content filtering systems alongside LLMs to mitigate jailbreak attempts and prevent the generation of harmful or inappropriate content.

  • Breaking the Chain: Wiz Uncovers a Signature Verification Bypass in Nuclei, the Popular Vulnerability Scanner (CVE-2024-43405) - Wiz's engineering team discovered a high-severity signature verification bypass in Nuclei, an open-source security tool, which could lead to arbitrary code execution. The vulnerability, CVE-2024-43405, was responsibly disclosed to ProjectDiscovery, who released a patched version to address the issue. The vulnerability highlights the importance of parser consistency and robust verification mechanisms to prevent malicious exploitation of tools like Nuclei. By running Nuclei in isolated environments and validating template sources, organizations can reduce the risk of exploitation and keep their scanning workflow secure.

  • Building a RuntimeInstaller Payload Pipeline to Evade AV Detection - In this post, Practical Security Analytics LLC demonstrates how to build a runtimeinstaller payload pipeline to evade antivirus detection. The pipeline generates a .NET loader payload that can bypass AV detection and application controls. Various steps, such as defining parameters, generating the source payload, adding an anti-malware scan interface bypass, and obfuscating class, method, and variable names, are involved in the process. The pipeline is executed either through the SpecterInsight UI or by making a web request, resulting in a small, obfuscated payload that can be run with InstallUtil.exe. The effectiveness of the pipeline is tested by submitting the payload to VirusTotal for detection analysis.

  • GPU-accelerated hash cracker with Rust and CUDA - In this blog post, the author discusses the implementation of a GPU-accelerated hash cracker using Rust and CUDA. They provide a detailed explanation of how GPUs work and their applications, as well as the implementation of MD5 in Rust. The post also covers integrating CUDA code with Rust code, benchmarking the hash cracker, and optimizing the code for better performance. The author concludes with suggestions for future improvements, such as testing different block sizes and multi-hash cracking capabilities. The post is part of a cybersecurity blog and is licensed under CC BY 4.0.

  • Dumping Memory to Bypass BitLocker on Windows 11 - The article discusses a method for bypassing BitLocker encryption on Windows 11 by extracting FVEK keys from memory using a UEFI application called Memory-Dump-UEFI. The process involves abruptly restarting the target system, creating a bootable USB device, and analyzing the memory dumps to locate sensitive information. The article also mentions techniques to mitigate memory degradation and potential issues with secure boot. The author provides detailed steps for executing the bypass and recovering FVEK keys, emphasizing the need to understand Microsoft's implementation of BitLocker through kernel-level debugging.

  • CVE-2024-54819 - I Librarian Server Side Request Forgery - The author discusses their experience with disclosing a vulnerability (CVE-2024-54819) in I Librarian server, highlighting the lack of response and cooperation from the maintainers. The vulnerability allows for Server-Side Request Forgery (SSRF) due to improper input validation. The author provides a detailed explanation of the vulnerability and how it can be exploited, emphasizing the importance of proper validation and network protection. The post includes technical details and a sample exploit using curl.

  • Cross Cache Attack CheatSheet - Cross-cache attacks in Linux kernel exploitation can transfer a UAF from one object to another, even if they are allocated from different slabs. The Theori team shared details of their kernelCTF exploitation using cross-cache attacks. The process involves steps like spraying objects, allocating victim objects, recycling slabs, and triggering the UAF. Techniques like SLUBStick can be used to determine the state of slab caches for successful exploitation. Evaluation of these attacks can be done by measuring kmalloc latency and observing time peaks.

  • DoubleClickjacking: A New Era of UI Redressing - DoubleClickjacking is a new type of UI Redressing attack that takes advantage of double-click sequences, allowing attackers to trick users into authorizing malicious applications or making account changes without their knowledge. This technique bypasses traditional clickjacking protections, posing a significant risk to websites and browser extensions. Developers can mitigate the risk of DoubleClickjacking by implementing a protective library on sensitive pages and by enforcing user interaction before enabling critical buttons. Long-term solutions may involve browsers adopting new standards to defend against this type of exploitation.

  • How is my Browser blocking RWX execution? - The author discovered a security feature implemented in a popular browser that acts like an EDR by hooking a key Windows API to check thread creation at runtime. This feature prevents the execution of RWX shellcode, even when injected successfully, by redirecting thread creation through a custom DLL within the browser that checks the memory attributes of the thread's address. If the memory address is not a valid value, the thread start point is changed to a sinkhole, effectively neutralizing the execution of the thread. The author believes this feature to be a security control to make exploit development harder for applications like browsers that have sensitive memory areas.

  • 0x04 - Introduction to Windows Kernel Write What Where Vulnerabilities - This article provides an introduction to Windows Kernel Write What Where vulnerabilities, which are considered one of the most powerful types of vulnerabilities. The author explains the concept using a non-technical example involving SpongeBob and Patrick from the show "SpongeBob SquarePants." The article includes a detailed walkthrough of exploiting a Write What Where vulnerability on Windows 7 (x86) and adapting the exploit for Windows 11 (x64). The author also provides code snippets and a step-by-step guide for exploiting the vulnerability on both platforms, highlighting the differences between the two versions.

  • Some Casual Notes for CVE-2024-26921 - CVE-2024-26921 is a vulnerability in the network subsystem that has been demonstrated to be exploitable in kernelCTF. The vulnerability occurs when a socket is created and certain functions are called, ultimately leading to a use-after-free vulnerability. The root cause of the issue lies in a defrag netfilter hook function that can be triggered, resulting in the freeing of an object and subsequent use of that freed object, leading to the UAF.

  • Hat Trick: AWS introduced same RCE vulnerability three times in four years - Amazon's AWS Neuron SDK has introduced the same remote code execution vulnerability multiple times over the past four years due to flawed install instructions using the "extra-index-url" parameter. Despite being notified of the issue in 2020 and 2022, Amazon has not fully addressed the problem and still includes the flawed instructions in its documentation. This repeated mistake raises questions about Amazon's approach to security and highlights the importance of thoroughly reviewing install instructions and code before use. Giraffe Security, the group that discovered the vulnerability, encourages users to be cautious and thorough when using code from reputable sources like AWS.

  • PandoraFMS v7.0NG.777.3 Remote Command Execution (CVE-2024-11320) - An RCE vulnerability (CVE-2024-11320) was found in PandoraFMS v7.0NG.777.3 during a code review. The vulnerability allowed remote command execution through LDAP authentication. By injecting a payload into the authentication settings and initiating an LDAP authentication process, a reverse shell could be executed. An exploit code was developed to automate the process of exploiting the vulnerability. The vulnerability was fixed in version 777.5 of PandoraFMS.

  • I’m watching you! How to spy Windows users via MS UIA - The article discusses how to spy on Windows users using the Microsoft User Interface Automation framework. The framework allows for automation of Windows GUI tasks, and the article explores its components, such as elements, properties, and events. The author also shares a proof of concept tool called Spyndicapped, which utilizes the framework to spy on users. The article provides insights into event handling, working with the COM classes, and developing a stealth logger for tracking user activities on Windows applications.

  • World’s First MIDI Shellcode - The blog post details the author's journey in reverse engineering their Yamaha PSR-E433 synth to gain remote code execution via MIDI messages in order to play a video on its LCD. The author first explored the internals of the synth, then experimented with different approaches to gain access to the firmware, ultimately discovering a MIDI shellcode that allowed them to manipulate the display data on the LCD. Despite facing challenges such as low data transfer efficiency and artifacting, the author was able to successfully display video on the LCD through MIDI commands. The author also outlines potential future directions for the project, such as further exploring the chip's MMIO region and DSP capabilities.

  • LDAPNightmare: SafeBreach Labs Publishes First Proof-of-Concept Exploit for CVE-2024-49112 - SafeBreach Labs has published the first proof-of-concept (PoC) exploit for CVE-2024-49112, dubbed "LDAPNightmare." This vulnerability affects Microsoft’s Lightweight Directory Access Protocol (LDAP) and allows privilege escalation by exploiting unsafe configurations in specific LDAP implementations. Attackers can leverage this flaw to execute malicious actions on LDAP servers, potentially leading to unauthorized data access and system compromise.

Tools and Exploits

  • POCEntraDeviceComplianceBypass - This GitHub repository contains a simple PowerShell proof of concept that demonstrates how to bypass Entra / Intune Compliance Conditional Access Policy using the Intune Portal client ID and a special redirect URI. By following the steps outlined in the script, users can bypass the policy and obtain access and refresh tokens, which can be used for further actions such as enumerating the whole tenant.

  • StoneKeeper - StoneKeeper C2 is an experimental EDR evasion framework released by fin3ss3g0d for research purposes. The project contains examples of modern Windows malware tactics and serves as a learning opportunity for malware and C2 development.

  • SCCMSiteCodeHunter - The SCCMSiteCodeHunter utility is a tool that helps query SCCM management points and site servers using LDAP. It allows users to connect to a domain and perform LDAP queries to retrieve site codes. The program supports LDAPS for secure queries and includes debugging options for troubleshooting.

  • LitterBox - The GitHub repository "LitterBox" offers a sandbox environment for malware developers and red teamers to test payloads against detection mechanisms before deployment. The platform provides automated analysis through a web interface, monitoring process behavior and generating comprehensive runtime analysis reports. Users are advised to use the tool in isolated testing environments.

  • Cascade Injection in Zig - The GitHub repository 0xsp-SRD/0xsp.com contains a "cascade_injection" component that is part of the ZigStrike toolkit. To use it, a file named shell.bin must be placed in the same folder. The tool implements cascade injection in the Zig programming language.

  • ida2py - The GitHub repository "junron/ida2py" provides an intuitive query API for IDA Pro, allowing for easier access to global variables and data types within IDAPython.

  • LDAP Nightmare - LdapNightmare is a Proof of Concept (PoC) tool that tests a vulnerable Windows Server against CVE-2024-49113, a critical vulnerability in Windows Lightweight Directory Access Protocol (LDAP) that allows for remote code execution. The exploit leverages the vulnerability to crash target Windows Server systems by interacting with their Netlogon Remote Protocol (NRPC) and LDAP client. The script initiates an LDAP server, triggers the vulnerability with a specially crafted response, and causes the victim server to crash.

  • btexec - The GitHub repository btexec is a tool that allows for the execution of shellcode via Bluetooth device authentication. The program checks if Bluetooth is enabled on the victim machine, searches for nearby Bluetooth devices, and triggers the device to authenticate to the victim machine, executing the shellcode. This process does not require any user interaction and does not display popups to the user. The tool is designed for use in environments where there are multiple Bluetooth devices nearby, such as offices and coffee shops.

  • PugRecon - Used to query resolved and validated subdomains.

  • Memory-Dump-UEFI - This GitHub repository contains a UEFI application for dumping the contents of RAM, intended for use in forensics or other purposes. The application can be flashed onto a USB device and booted live, with instructions provided for running it from the UEFI shell.

  • CF-Hero - CF-Hero is a reconnaissance tool developed to uncover the origin IP addresses of web applications protected by Cloudflare. It utilizes various data sources such as current and historical DNS records, related domain correlation, Censys, Shodan, and SecurityTrails to identify potential origin IPs. The tool validates findings to minimize false positives through response analysis. Users can run CF-Hero with different parameters to include additional scanning options like Shodan, SecurityTrails, or custom settings like HTTP method and User-Agent configuration. The tool also supports JA3 randomization to bypass Cloudflare's JA3 hash blocking in some cases.

  • ACEshark - ACEshark is a utility aimed at quickly extracting and analyzing Windows service configurations and Access Control Entries, removing the reliance on non-native binaries like accesschk.exe. It can help identify potential privilege escalation vectors by analyzing service permissions for specific users or across all groups and accounts. ACEshark operates by starting an HTTP/HTTPS server as a listener for service configurations and Access Control Entries, generating a detailed analysis log file.

  • Spyndicapped - The GitHub project Spyndicapped by CICADA8 Research Team introduces a new malware keylogging technique called COM ViewLogger. This technique uses the Windows User Automation framework to spy on users and log their activities. The project includes handlers for capturing GUI changes such as data input, text copying, and data modification. It also provides examples of looting KeePass and parsing Telegram, Slack, and WhatsApp messages.

Threat Intel and Defense

  • Recent Cases of Watering Hole Attacks, Part 2 - In this blog post from JPCERT/CC, recent cases of watering hole attacks are discussed, with a focus on a media-related website that was exploited in 2023. The attack involved the download of malware through a tampered website, with malicious code embedded in the website and malware downloaded via an LZH file. The malware used in the attack, SQRoot, downloads plugins from a C2 server and communicates with the server in an encrypted manner. The attack group behind this watering hole attack is unknown, but past malware file names and a Web shell used in the attack have been associated with APT10.

  • Meduza Stealer Analysis: A Closer Look at its Techniques and Attack Vector - The Meduza Stealer is an information-stealing malware that targets personal and financial data by employing evasion techniques to bypass detection. Splunk's Threat Research Team analyzed the malware's tactics and techniques, such as virtualization/sandbox evasion, encrypted files, system location discovery, and credential theft from web browsers and registries.

  • Checking It Twice: Profiling Benign Internet Scanners — 2024 Edition - GreyNoise conducted a study on benign internet scanners in November 2024, focusing on organizations performing mass scanning of IPv4 space. The study aimed to understand the scanning patterns and behaviors of these benign scanners, as they play a crucial role in identifying vulnerabilities before malicious actors. The analysis revealed that different scanners exhibited distinct scanning patterns, with varying fleet sizes and approaches to discovering new hosts. Understanding these patterns is essential for security teams to differentiate between routine internet background noise and potential malicious activity.

  • Cloud Atlas seen using a new tool in its attacks - Cloud Atlas has been observed using a new backdoor tool called VBCloud in their attacks in 2024. This tool is used to steal data through phishing emails that exploit vulnerabilities to download and execute malware code. The attackers use a series of scripts and modules, such as VBShower and PowerShower, to infiltrate systems, exfiltrate files, and collect system information. The attacks primarily target users in Eastern Europe and Central Asia, with phishing emails being the initial access point for the malware.

  • Sclpfybn Monetization Scheme - The blog post from Secure Annex discusses a monetization scheme dubbed "SCLPFYBN," which leverages compromised systems and resources for profit. The campaign is characterized by its use of advanced methods to bypass detection and its focus on maximizing financial gain through targeted breaches. Key strategies include exploiting vulnerabilities in enterprise systems and integrating with broader malicious campaigns.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • Redirecting RIP: How VEH Leaves Modern Antiviruses in the Dust - VEH (Vectored Exception Handling) is a feature in Windows that allows custom exception handlers to be implemented at a low level, which can be used for security research and for bypassing antivirus or EDR systems. By using VEH, malware can register a custom exception handler to intercept exceptions before they reach the antivirus, allowing for the execution of shellcode without triggering alarms. This technique manipulates the Instruction Pointer (RIP) to redirect the CPU to execute the shellcode, avoiding the need to create a new thread, which could be detected by security software. While this basic example demonstrates the concept of VEH evasion, more advanced implementations are possible and can be explored further.

  • Caution During Cybersecurity Engagements - This post discusses the importance of exercising caution during cybersecurity engagements to avoid leaving behind traces or using malicious tools that can compromise a client's infrastructure. Examples include using backdoored tools, leaving web shells behind, and causing denial-of-service incidents. It emphasizes the need for responsible practices such as using strong passwords, removing temporary files, and seeking client approval before executing risky exploits. The author highlights the need for ongoing learning and awareness in the field of cybersecurity to prevent inadvertent harm to clients.

  • Building A Router Pt-2: Building OpenWrt - This blog post from Arch Cloud Labs provides a guide on building an OpenWrt image for a physical device. The post covers setting up a development environment and building the firmware image for a target device. The process involves cloning OpenWrt, customizing the image, and executing commands to build the firmware. The post also suggests further steps, such as benchmarking different routers to compare their performance.

  • Scraping By: My YouTube Data Adventure - The author offered to help Mats, the creator of a YouTube channel, with data scraping. Mats requested data scraping directly from YouTube for a video idea, which led to challenges and dead-ends before eventually finding success. The author initially tried using the YouTube API but faced limitations, eventually pivoting to an anonymous scraping solution using yt-dlp. Despite encountering obstacles such as bot detection and a Redis crash, the author ultimately developed a resilient system for scraping and processing YouTube data. The journey highlighted the importance of respecting platform policies and ethical alternatives, as well as embracing failure as a learning opportunity.

  • Are League of Legends Skins Pay-To-Win? - The author conducted a technical analysis to determine if premium skins in League of Legends have any impact on gameplay. By reverse engineering the game's replay format and network protocol, they were able to collect and analyze data on skins used in matches. The preliminary results suggest that while some skins may provide minor advantages, the expensive skins do not significantly impact performance. The author also outlines potential future projects using replay data, such as a jungle route tracker and a script detector.

  • The Nightmare Before Christmas: An arbitrary file download on Zoo-Project - XBOW discovered a critical CVE involving an arbitrary file download on the open-source Zoo-Project, which was swiftly fixed by the project maintainers. XBOW's approach involved analyzing the source code and performing dynamic tests to identify and exploit the vulnerability.

  • Debugging memory corruption: Who wrote ‘2’ into my stack?! - The text discusses debugging memory corruption in Unity, with a focus on identifying who wrote '2' into the stack.
