
Last Week in Security - 2025-01-21


We're Hiring!

For more open positions visit: https://www.sixgen.io/careers


Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools, and exploits from the past week. This post covers 2025-01-13 to 2025-01-20.

News

  • BIScience: Collecting browsing history under false pretenses - BIScience is a data broker that collects user browsing history through browser extensions under false pretenses, selling the data to third parties. They claim to only collect anonymized data, but evidence shows that they collect raw data, putting user privacy at risk. BIScience and partner extensions exploit loopholes in Chrome Web Store policies to transfer and sell user data, misleading users with vague privacy policy disclosures and consent prompts. There is a call for stricter enforcement of existing policies and increased transparency to protect user privacy in the browser extension ecosystem.

  • Analyzing CVE-2024-44243, a macOS System Integrity Protection bypass through kernel extensions - Microsoft Threat Intelligence discovered a new macOS vulnerability, CVE-2024-44243, that allows attackers to bypass Apple's System Integrity Protection (SIP) by loading third-party kernel extensions. Bypassing SIP can lead to serious security implications, such as rootkit installation and bypassing Transparency, Consent, and Control (TCC) measures. Microsoft shared the findings with Apple through Coordinated Vulnerability Disclosure, and a fix was included in an Apple update in December 2024.

  • Console Chaos: A Campaign Targeting Publicly Exposed Management Interfaces on Fortinet FortiGate Firewalls - Arctic Wolf observed a campaign targeting Fortinet FortiGate firewall devices with publicly exposed management interfaces. Threat actors gained unauthorized access, created accounts, and made configuration changes. The campaign involved vulnerability scanning, reconnaissance, SSL VPN configuration, and lateral movement. Arctic Wolf identified indicators of compromise and recommended monitoring for jsconsole activity, web management traffic, and SSL VPN logins from VPS hosting providers.

  • 2022 zero day was used to raid Fortigate firewall configs. Somebody just released them. - In 2022, a zero-day vulnerability was used to harvest Fortigate firewall configs, and recently Belsen Group released configs from over 15k unique devices. The released data includes passwords, digital certificates, and firewall rules. Despite patches in 2022, organizations may still be exposed because the data was gathered years ago. It is recommended to check for CVE-2022-40684 and assess the risk of exposed firewall rules. The authenticity of the data has been verified, with most affected devices running vulnerable firmware versions.

  • Justice Department and FBI Conduct International Operation to Delete Malware Used by China-Backed Hackers - The Justice Department and FBI conducted an international operation to delete malware used by China-backed hackers known as "Mustang Panda" and "Twill Typhoon." The operation removed PlugX malware from over 4,200 infected U.S. computers, with the goal of proactively disrupting cyber threats. The operation was led by French law enforcement and a private cybersecurity company, with the FBI providing notice to affected U.S. computer owners and encouraging the use of anti-virus software to prevent reinfection.

  • Chinese Innovations Spawn Wave of Toll Phishing Via SMS - Residents across the United States are receiving SMS messages from scammers pretending to be toll road operators, warning of fines for unpaid toll fees. The surge in SMS spam is linked to new features in a popular phishing kit from China that allows scammers to spoof toll road operators in various U.S. states. The phishing attacks target customers of toll facilities in different states, and the scammers aim to collect payment card information to use for fraudulent purchases or money laundering. These phishing kits are part of a trend where Chinese cybercriminal groups are moving from other types of scams to toll road scams. The FBI advises recipients to ignore or delete these messages and report them, as visiting the phishing site can lead to the compromise of personal information.

  • Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity - This Executive Order aims to strengthen and promote innovation in the nation's cybersecurity. It focuses on defending digital infrastructure, securing vital services, and addressing threats, particularly from China. The order includes operationalizing transparency and security in third-party software supply chains, improving cybersecurity of federal systems, enhancing federal communications security, promoting security with and in artificial intelligence, and combatting cybercrime and fraud. Additionally, it aligns policy with practice, addresses national security systems, and takes steps to combat malicious cyber-enabled activities.

  • Treasury Sanctions Company Associated with Salt Typhoon and Hacker Associated with Treasury Compromise - The U.S. Department of the Treasury has sanctioned a Shanghai-based cyber actor and a Sichuan-based cybersecurity company for their involvement in cyber attacks on U.S. telecommunication and internet service provider companies. The cyber actor, Yin Kecheng, was associated with the recent compromise of the Department of the Treasury’s network. The sanctions are part of a series of actions aimed at combatting malicious cyber activities by Chinese state-backed actors. The sanctions block all property and interests in property of the designated persons in the U.S. and prohibit transactions involving them.

Techniques and Write-ups

  • Abusing AWS Native Services: Ransomware Encrypting S3 Buckets with SSE-C - Halcyon has identified a new ransomware campaign targeting Amazon S3 buckets by abusing AWS's Server-Side Encryption with Customer Provided Keys (SSE-C). This attack demands ransom payments for AES-256 keys to decrypt data, with recovery impossible without the attacker's key. Organizations can mitigate this threat by restricting SSE-C usage, auditing AWS keys, implementing advanced logging, and engaging with AWS support. The attack highlights the need for securing AWS keys and access tokens for organizations relying on Amazon S3 for data storage.

  • Critical Vulnerabilities in SimpleHelp Remote Support Software - Horizon3.ai discovered critical vulnerabilities in SimpleHelp remote support software, allowing attackers to compromise servers and client machines. SimpleHelp quickly patched these vulnerabilities after disclosure. Users are urged to upgrade to the latest version to prevent exploitation. The vulnerabilities included path traversal, arbitrary file upload leading to remote code execution, and privilege escalation from technician to server admin.

  • 7 Overlooked recon techniques to find more vulnerabilities - Reconnaissance is crucial in bug bounty and pentesting, and using unique methods to gather data can help find more vulnerabilities. This article discusses 7 overlooked recon techniques, including bruteforcing, virtual host enumeration, forced browsing with different HTTP methods, JavaScript file monitoring, crawling with different user-agent headers, finding related assets with favicon hashes, and looking up legacy versions of JavaScript files. By combining these techniques with other web application testing methods, researchers can uncover more security vulnerabilities and earn rewards.

  • Chart Builder LFI - The blog post discusses the discovery and analysis of a critical vulnerability in the Chartify – WordPress Chart Plugin, which allows unauthenticated attackers to perform Local File Inclusion (LFI) attacks. The author found the vulnerability during an offsite security assessment and identified potential entry points in the source code related to unauthenticated access. The vendor addressed the issue by implementing sanitization of HTTP GET parameters in version 2.9.5, and the CVE was assigned as CVE-2024-10571.

  • Story of a Pentester Recruitment 2025 - Silent Signal Techblog shared the story of a recruitment challenge for pentesters in 2025. They created a challenge called Mushroom, a simple web application with vulnerabilities for candidates to exploit. The challenge involved finding vulnerabilities like XSS and SQL injection and providing solutions in a report. The company highlighted the importance of fundamental understanding of technologies and risk assessment skills in penetration testing. They also emphasized the need for clear remediation guidance in pentest reports. Candidates were expected to demonstrate logical thinking, knowledge of their strengths and weaknesses, and a willingness to learn. The company acknowledged that admitting when you don't know something is okay and encouraged candidates to recognize their mistakes.

  • Analysis of Python's .pth files as a persistence mechanism - Analysis of Python's .pth files reveals how they can be used as a persistence mechanism to deploy a backdoor on a system. Starting with Python 3.5, lines in .pth files starting with "import" followed by a space or tab are executed, allowing for malicious code to run when a module is imported. The blog post investigates this backdooring technique and its implementation, highlighting the stealthy nature of using .pth files for persistence. Additionally, the $PYTHONPATH environment variable can be exploited to inject malicious code into Python modules, raising concerns about detection by security teams.
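The persistence mechanism described above is easy to audit for: site.py executes a .pth line only when it starts with "import" followed by a space or a tab, so a defender can enumerate every such line across site-packages. The scanner below is an added example, not code from the original post; the sample .pth files it creates are constructed test data, and the scan of the running interpreter relies on site.getsitepackages() from the standard library.

```python
"""Find .pth files that carry executable 'import' lines (added example)."""
import re
import site
import tempfile
from pathlib import Path

# site.py executes a .pth line only when it begins with "import" followed by a
# space or a tab; any other line is treated as a path entry or a comment.
EXEC_LINE = re.compile(r"^import[ \t]")


def find_executable_pth_lines(directory):
    """Return (file, line_number, text) for every executable line in every
    .pth file found recursively under `directory`."""
    hits = []
    for pth in sorted(Path(directory).rglob("*.pth")):
        try:
            lines = pth.read_text(encoding="utf-8", errors="replace").splitlines()
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        for lineno, line in enumerate(lines, start=1):
            if EXEC_LINE.match(line):
                hits.append((str(pth), lineno, line.strip()))
    return hits


def scan_current_interpreter():
    """Scan the site-packages directories of the running interpreter."""
    hits = []
    for directory in site.getsitepackages() + [site.getusersitepackages()]:
        if Path(directory).is_dir():
            hits.extend(find_executable_pth_lines(directory))
    return hits


def build_sample_tree():
    """Constructed sample data: one benign path-only .pth file and one that
    carries executable lines. Returns the temporary directory."""
    root = Path(tempfile.mkdtemp(prefix="pth-scan-"))
    (root / "benign.pth").write_text("somepackage\n# a comment\n", encoding="utf-8")
    (root / "suspicious.pth").write_text(
        "import sys; sys.modules['constructed_marker'] = None\n"  # executed
        "import\tos\n"                                              # executed (tab)
        "importlib_resources\n",                                    # plain path entry
        encoding="utf-8",
    )
    return root


if __name__ == "__main__":
    for path, lineno, text in find_executable_pth_lines(build_sample_tree()):
        print(f"{path}:{lineno}: {text}")
    for path, lineno, text in scan_current_interpreter():
        print(f"{path}:{lineno}: {text}")
```

Legitimate packages (editable installs, some import hooks) also use executable .pth lines, so treat a hit as something to review against the package that owns the file rather than as a verdict on its own.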

  • How We Cracked a 512-Bit DKIM Key for Less Than $8 in the Cloud - The study discovered more than 1,700 public DKIM keys shorter than 1,024 bits, considered insecure. The researchers successfully cracked a 512-bit DKIM key by factoring the RSA modulus using cloud computing and open-source tools. Despite major email providers rejecting the compromised key, some accepted it, highlighting the importance of using secure key lengths. The researchers recommend email providers reject signatures from keys shorter than 1,024 bits and urge domain owners to update outdated DKIM records to meet security standards.
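The recommendation above (reject signatures from keys shorter than 1,024 bits) can be turned into a check on a domain's own DKIM records: the p= tag carries a base64 DER SubjectPublicKeyInfo, and for RSA the key size is the bit length of the modulus inside it. The code below is an added example and not the researchers' tooling; it parses just enough DER to reach the modulus, and the records it checks are constructed from made-up moduli (not real keys) purely to exercise the parser.

```python
"""Measure the RSA modulus size advertised in a DKIM TXT record (added example)."""
import base64
import re

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption, DER-encoded


# --- minimal DER encoding, used only to build constructed test records ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value):
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:  # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return _tlv(0x02, body)


def make_dkim_record(modulus, exponent=65537):
    """Constructed 'v=DKIM1; k=rsa; p=...' record for a given modulus (test data only)."""
    rsa_pub = _tlv(0x30, _der_int(modulus) + _der_int(exponent))
    algo = _tlv(0x30, RSA_OID + b"\x05\x00")           # AlgorithmIdentifier + NULL params
    spki = _tlv(0x30, algo + _tlv(0x03, b"\x00" + rsa_pub))  # BIT STRING, 0 unused bits
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()


# --- minimal DER decoding, enough to reach the modulus ---
def _read_tlv(buf, pos):
    """Return (tag, body, position after the element) for the element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def dkim_modulus_bits(record):
    """Bit length of the RSA modulus in a DKIM record, or None if the record
    has no usable RSA key (empty p= means revoked; k=ed25519 is not RSA)."""
    m = re.search(r"(?:^|;)\s*p=([^;]*)", record)
    if not m or not m.group(1).strip():
        return None
    spki = base64.b64decode(re.sub(r"\s+", "", m.group(1)))
    tag, outer, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        return None
    _, algo, pos = _read_tlv(outer, 0)
    if not algo.startswith(RSA_OID):
        return None
    _, bitstr, _ = _read_tlv(outer, pos)
    _, rsa_pub, _ = _read_tlv(bitstr[1:], 0)   # skip the unused-bits byte
    tag, n_bytes, _ = _read_tlv(rsa_pub, 0)
    if tag != 0x02:
        return None
    return int.from_bytes(n_bytes, "big").bit_length()


def is_weak_dkim_key(record, minimum_bits=1024):
    """True when the record carries an RSA key below the minimum the study recommends."""
    bits = dkim_modulus_bits(record)
    return bits is not None and bits < minimum_bits


if __name__ == "__main__":
    # Constructed moduli: not real keys, just integers of the right size.
    for bits in (512, 1024, 2048):
        rec = make_dkim_record((1 << (bits - 1)) | 0x12345)
        print(bits, dkim_modulus_bits(rec), "WEAK" if is_weak_dkim_key(rec) else "ok")
```

In practice the record comes from a TXT lookup of `<selector>._domainkey.<domain>`; feed the joined TXT strings to `dkim_modulus_bits` and alert on anything below 1,024 bits. The DER walker assumes a well-formed SubjectPublicKeyInfo, which is what a DNS record published by a mail system should contain; it is not a general-purpose ASN.1 parser.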

  • CVE-2025-0063 SQL Injection Vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform - CVE-2025-0063 is a SQL injection vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform caused by insufficient input validation in certain Remote Function Call (RFC) enabled function modules. Attackers with basic user privileges can exploit this vulnerability to manipulate database queries on the Informix database, compromising the system's confidentiality, integrity, and availability. Immediate action is required to apply security patches and review authorizations related to RFC calls to mitigate the risk.

  • Command Line Underdog: WMIC in Action - In this blog post from TrustedSec, the author discusses using WMIC as an alternative shell for command line operations, particularly in scenarios where common tools like PowerShell and cmd.exe are blocked. The post provides an overview of WMIC commands and demonstrates how to use WMIC for various tasks such as gathering system information, managing processes, querying the registry, and interacting with remote systems. The author also mentions that WMIC is being phased out in future versions of Windows.

  • Intune Attack Paths — Part 1 - Intune is a Microsoft service for endpoint management, with efforts to push administrators towards its use. It is attractive to adversaries due to its high privileges. Intune devices can be managed separately from Entra devices, with distinct RBAC systems and permissions. Intune allows for arbitrary command execution through script packages, with potential for abuse. Adversaries can track user logins through various data sources within Intune, enabling targeted attacks. Ongoing research will explore more abuse primitives and attack paths within the Intune platform.

  • Being a good CLR host – Modernizing offensive .NET tradecraft - This blog post discusses the importance of implementing CLR customizations to modernize offensive .NET tradecraft, specifically in the context of executing .NET assemblies in memory on compromised endpoints. The post covers how red teams can bring their .NET execution harnesses into the current decade by taking control over aspects of the CLR, such as memory management, and implementing a custom assembly loading manager. The post also details an AMSI bypass technique using CLR customizations to load assemblies in memory without triggering AMSI scans. The post provides a proof-of-concept for implementing these techniques and emphasizes the need for defenders to understand these tactics to build effective defense-in-depth strategies.

  • Microsoft Configuration Manager (ConfigMgr) 2403 Unauthenticated SQL injections - Microsoft Configuration Manager (ConfigMgr) versions 2403, 2309, and 2303 are vulnerable to unauthenticated SQL injections. These vulnerabilities allow attackers to execute arbitrary SQL queries with high privileges on the site database, potentially leading to the takeover of deployments and execution of arbitrary commands on the underlying server. Exploitation can be achieved through manipulation of client messages sent to the endpoint, resulting in unauthorized access to sensitive information. Microsoft has released hotfixes to address the issue, but successful exploitation may not be easily detectable in log files.

  • Exploring Heap Exploitation Mechanisms: Understanding the House of Force Technique - The article explores the House of Force technique for heap exploitation and provides an overview of heap memory, dynamic memory allocators, glibc, and memory allocation functions. The House of Force technique involves manipulating the top chunk's size field to control memory allocations and potentially execute arbitrary code. The article outlines the steps involved in executing the House of Force technique, including calculating the wraparound distance, overflowing the heap, and exploiting malloc hooks for popping a shell.

  • The effect of granting Azure Reader role on Azure Container Registry instances - Granting the Azure Reader role at the subscription or resource group level allows users to pull container images from Azure Container Registry instances, potentially revealing sensitive data. The default permissions granted by this role can lead to unintended access to confidential information within container images. A demonstration in a lab environment confirmed that users with the Reader role at the subscription level can successfully download container images from an Azure Container Registry instance. This poses a security risk as sensitive data stored in the images may be exposed. To mitigate these risks, it is recommended to limit role assignments, avoid storing sensitive data in container images, isolate the registry in a dedicated subscription, restrict network access, implement conditional access policies, and monitor activity logs.

  • Hack The Emulated Planet: Vulnerability Hunting Planet WGS-804HPT Industrial Switch - Team82 Research used the QEMU emulator to uncover three vulnerabilities in the Planet WGS-804HPT Industrial switch, allowing for remote code execution. The vulnerabilities included buffer overflow and command injection flaws, which were used to develop exploits for the device. By emulating critical components of the switch, vulnerabilities were identified and disclosed to the vendor for remediation. Vulnerability hunting using emulators like QEMU is crucial for cybersecurity research, especially when physical access to the equipment is not available.

  • Outsmarting the Watchdog: How can Adversaries evade Sigma Rule Detection during a Kerberos Golden Ticket Attack? - The blog post explores how adversaries can evade Sigma Rule Detection during a Kerberos Golden Ticket Attack by employing obfuscation techniques. By emulating a realistic attack and applying various obfuscation methods, it was found that 99.99% of alerts generated by Sigma rules can be successfully evaded. Techniques such as renaming files, code removal, identifier renaming, and code splitting were used to obfuscate the attack and evade detection. Despite the effectiveness of these techniques, Sigma rules still serve as a valuable layer of security in detecting malicious behavior when used as part of a defense-in-depth strategy.

  • Finding SSRFs in Azure DevOps - Binary Security discovered three SSRF vulnerabilities in Azure DevOps, which were reported to Microsoft. The vulnerabilities were identified during a client engagement where the team tested Azure and DevOps environments for vulnerabilities and privilege escalations. Exploitation techniques using DNS rebinding and CRLF injection were demonstrated. Microsoft issued bounties for the reported vulnerabilities.

  • Tarbomb Denial of Service via Path Traversal - Praetorian discovered a path traversal vulnerability in a legacy feature of a web application that allowed an attacker to upload a maliciously compressed file, causing a denial of service. By exploiting this vulnerability along with an undocumented file upload feature, Praetorian was able to demonstrate a proof-of-concept exploit that could degrade system performance and disrupt operations.

  • Reviewing the Attack Surface of the Autel MaxiCharger: Part One - The Zero Day Initiative is reviewing the attack surface of the Autel MaxiCharger AC Wallbox Commercial in preparation for the upcoming Pwn2Own Automotive contest. The internal components of the charger, such as the power board, main board, 4G board, and NFC and LED board, are examined for vulnerabilities. The hardware includes components like ARM Cortex-M4 microcontrollers, STM32, ESP32, and more, with various test points for probing and potential security risks. The blog post provides detailed information on the hardware components and hints towards potential areas for vulnerability research.

  • Reviewing the Attack Surface of the Autel MaxiCharger: Part Two - This blog post reviews the attack surface of the Autel MaxiCharger, focusing on software versions, network traffic analysis, Bluetooth low energy connections, and potential attack surfaces such as the undocumented USB C port, SIM card tray, and RFID reader. The post provides information obtained through reverse engineering and experimentation, aiming to inspire vulnerability research.

  • Malware and cryptography 39 - encrypt/decrypt payload via DES-like cipher. Simple C example. - This article explores using DES-like ciphers in malware development to encrypt/decrypt payloads, providing a simple C code example. The post discusses the Data Encryption Standard (DES), its susceptibility to attacks, and the implementation of a simplified version of a DES-like cipher. The code includes key components such as permutation tables, substitution boxes, and round key generation. The author demonstrates the encryption and decryption process of the payload, as well as the potential detection of malware by antivirus engines.

  • From arbitrary pointer dereference to arbitrary read/write in latest Windows 11 - HN Security successfully exploited an arbitrary pointer dereference in Windows 11, bypassing security features like SMEP and KVA Shadowing to achieve arbitrary code execution in kernel mode. With the introduction of new security features in Windows 11, including Hypervisor-protected code integrity (HVCI) and kernel Control Flow Guard (kCFG), the exploit had to be modified to continue performing data-only attacks. By creating a Windows 11 VM with VBS enabled on VMware, the exploit was able to elevate token privileges and perform other data-only attacks. The use of the I/O Ring technique allowed for arbitrary read/write in kernel space to bypass kCFG and achieve privilege escalation.

  • Write, debug and execute BOFs using bof-launcher (part 2) - This blog post discusses how to write, debug, and execute more complicated BOFs (Beacon Object Files) that expect arguments passed by the user, using the bof-launcher library. It demonstrates how to use the bof-launcher C API to load object files, parse arguments, and run BOFs programmatically. The blog also explores using BOFs as plugins, treating them as building blocks for a larger system, and hints at running BOFs in separate threads or processes in future posts. Additionally, it mentions the possibility of creating a chain of BOFs by passing output as input between different BOFs.

  • Bypassing disk encryption on systems with automatic TPM2 unlock - Automatic disk unlocking with TPM2 can be vulnerable to attackers who have brief physical access to a system. By exploiting the lack of LUKS identity verification in TPM2 setups, attackers can decrypt disks and execute malicious code. The vulnerability lies in the initrd's lack of filesystem authenticity verification, allowing attackers to confuse the system and gain access to the encrypted data. Implementing PCR 15 verification or using a TPM PIN can help mitigate this security risk. Multiple real system examples, including Fedora and NixOS, demonstrated the exploit potential and the need for enhanced security measures.

  • Exploring the Kubernetes API Server Proxy - The author explores the lesser-known feature of the Kubernetes API server, which allows it to act as an HTTP proxy server with security implications. The API server proxy can be used to access pods, services, and nodes in the cluster, and can be configured to access any port. There are potential security risks, such as bypassing blocklists and escalating privileges, so careful access control and firewalling are important for cluster operators.

  • Under the cloak of UEFI Secure Boot: Introducing CVE-2024-7344 - ESET researchers discovered a vulnerability, CVE-2024-7344, that allows bypassing UEFI Secure Boot on most UEFI-based systems, enabling the execution of untrusted code during system boot. The vulnerability was found in a UEFI application signed by Microsoft's third-party UEFI certificate, allowing attackers to deploy malicious UEFI bootkits even on systems with UEFI Secure Boot enabled. The issue has been fixed by affected vendors, and Microsoft revoked the old, vulnerable binaries in a recent update.

  • Reproducing CVE-2024-9042: Command Injection in Windows Kubernetes Nodes - A vulnerability, CVE-2024-9042, was discovered in Windows Kubernetes nodes allowing for command injection. By exploiting the NodeLogQuery feature, an attacker could execute malicious commands on Windows nodes. The attack requires specific permissions and network access to the Kubelet endpoint.

  • Windows BitLocker -- Screwed without a Screwdriver - A bug in Windows BitLocker, known as Bitpixie, allows attackers to access encrypted disk files without needing to disassemble the laptop. The exploit involves downgrading the Windows Boot Manager and extracting the disk encryption key. Mitigations include using pre-boot authentication, adjusting PCR configuration, or applying a specific Windows update. The vulnerability affects all Secure Boot-protected BitLocker partitions, except those with specific mitigations in place. This research was presented at a conference and tested using QEMU virtualization.

  • On Secure Boot, TPMs, SBAT, and downgrades -- Why Microsoft hasn't fixed BitLocker yet - This blog post delves into the issues surrounding BitLocker security on Windows systems, particularly focusing on the ability to break into BitLocker through a bootloader downgrade. The complexity arises from the interaction between Secure Boot, TPMs, PCRs, and Secure Boot certificates. Microsoft has not fixed the issue due to the challenges involved in balancing security and usability, along with complications in implementing changes to address vulnerabilities. Solutions such as Secure Version Numbers (SVN) and Secure Boot Advanced Targeting (SBAT) are being introduced to enhance security through revocation capabilities and secure boot standards. Various attacks against BitLocker, both hardware and software-based, are discussed to highlight the challenges in achieving secure encryption with TPMs.

  • The Key to COMpromise - Pwning AVs and EDRs by Hijacking COM Interfaces, Part 1 - The article discusses vulnerabilities in Antivirus (AV) and Endpoint Detection and Response (EDR) products that could allow privilege escalation, impacting the overall security of systems. The focus is on exploiting COM interfaces to gain access and escalate privileges between front-end and back-end processes. The authors demonstrate how COM hijacking can be used to inject code into the front-end process, enabling communication with the back-end process and potentially allowing for high-level privileges. The article also outlines a methodology for identifying and exploiting COM interfaces, as well as exploiting named pipe communication for privilege escalation.

  • A Journey of Limited Path Traversal To RCE With $40,000 Bounty! - The author successfully escalated a limited path traversal to RCE on a top platform, earning a $40,000 bounty. By exploring a subdomain with unique responses, discovering admin passwords in log files, and utilizing the Groovy console, they achieved RCE. The author emphasizes treating bug hunting like a game, thorough testing on subdomains, and focusing on quality over quantity in bug reports for higher rewards.

  • 0x06 - Approaching Modern Windows Kernel Type Confusions - The article discusses the exploitation of a Type Confusion vulnerability in the Windows 7 kernel and the attempt to exploit the same vulnerability in the Windows 11 kernel. The author provides a detailed account of writing the exploit, the plan of attack, and the challenges faced during the process. The article delves into the details of memory operations, paged memory summary, and the implementation of the exploit. Ultimately, the author successfully executes the exploit, but highlights the need for patience and timing in order to ensure its reliability.

  • MacOS TCC Bypass - The researcher discovered a MacOS vulnerability (CVE-2024-44175) that allows attackers to bypass the Transparency, Consent, and Control (TCC) framework, which manages app permissions for accessing sensitive user data. The vulnerability involves a directory traversal attack in the diskarbitrationd daemon that enables unauthorized mounting into TCC-protected directories. By bypassing client-side mount path validation, attackers can exploit the vulnerability to perform a TCC bypass and sandbox escape. Apple has patched this vulnerability in macOS Sequoia 15.0 by implementing path resolution within diskarbitrationd when handling requests and adding a validation process to block attacks involving symbolic links or directory traversal elements. Another TCC bypass vulnerability was also identified in File Provider, allowing attackers to intercept and manipulate file operations without triggering a TCC prompt, potentially accessing sensitive data paths like iCloud backups.

  • SSD Advisory – Palo Alto Expedition RCE (regionsDiscovery) - This advisory details a remote code execution (RCE) vulnerability in Palo Alto Networks' Expedition migration tool. The flaw, found in the "RegionsDiscovery" function, allows an attacker to execute arbitrary code remotely on vulnerable systems. This critical issue arises from inadequate input validation, enabling attackers to exploit the tool by sending crafted requests.

  • Security through transparency: RP2350 Hacking Challenge results are in - The Raspberry Pi Foundation has announced the results of the RP2350 hacking challenge, an initiative designed to test the security of their RP2350 microcontroller through transparency. Participants from the global security community were invited to identify vulnerabilities in the chip, with the challenge uncovering several security weaknesses. The findings have provided valuable insights for enhancing the chip's security in future designs.

  • If you think you blocked NTLMv1 in your org, think again - This blog delves into a critical NTLMv1 bypass vulnerability in Active Directory, showcasing how legacy authentication protocols can be exploited. The post explains how NTLMv1's weak cryptographic mechanisms enable attackers to intercept and crack authentication requests, potentially gaining unauthorized access to sensitive resources. It highlights real-world attack scenarios, such as pass-the-hash attacks and relay attacks, that leverage this vulnerability.

Tools and Exploits

  • Sunder - GitHub repository for a Windows rootkit called Sunder, designed to work with BYOVD exploits. The rootkit is modeled after the Lazarus Group's FudModule rootkit and targets Dell's dbutil_2_3.sys driver. It contains various payloads such as token stealing, token escalation, and ACL editing. The rootkit also includes instructions for deployment and usage on Windows systems, as well as potential improvements for operational use.

  • vhost-fuzzer - The GitHub repository "vhost-fuzzer" is a high-performance tool designed to discover virtual hosts by testing different host headers against IP addresses. It supports fast concurrent scanning, custom path testing, response filtering, and efficient memory management. Users can specify input files for IPs and hostnames, set parameters for scanning, and view detailed request/response information in verbose mode. The tool automatically adjusts concurrency levels, prefixes paths with "/", and skips certificate verification for HTTPS connections.

  • CVE-2024-49138-POC - This is a proof of concept exploit for the CVE-2024-49138 vulnerability, which is actively exploited by threat actors. The exploit targets Windows 11 23h2 and includes a detailed analysis of the ntoskrnl.exe and clfs.sys files used in testing. By compiling and running the exploit, it is possible to obtain a system shell and elevate privileges.

  • Evilbytecode-Gate - Evilbytecode-Gate is a project that resolves Windows System Service Numbers (SSNs) using two methods: analyzing the Guard CF Table in ntdll.dll and parsing ntoskrnl.exe for Zw-prefixed system calls. It provides mechanisms for locating SSNs of Windows API functions, such as extracting SSNs and function jump addresses from the Guard CF Table and analyzing the kernel export table for Zw-prefixed system calls.

  • Draugr - The GitHub repository NtDallas/Draugr contains a BOF template for CobaltStrike to perform a synthetic stack frame, which is useful for evading detection by some Endpoint Detection and Response (EDR) systems. The template allows for the quick execution of API calls with the ability to retrieve return values and spoof return addresses to mimic a thread start. Users can customize the template by editing code sections and adjusting the modules used to find gadgets and fake frames.

  • Introducing BloodHound CLI - BloodHound CLI is a new tool developed by SpecterOps to help install and manage BloodHound instances. It is written in Go and can be cross-compiled to support Windows, macOS, and Linux. The tool simplifies installation and server management, allowing users to easily pull logs and monitor containers. It also helps with retrieving the initial password for the default admin user. BloodHound CLI offers commands for configuration, installation, logs, and more.

  • Collabfiltrator - GitHub repository for a tool called Collabfiltrator that allows users to exfiltrate blind Remote Code Execution and SQL injection output over DNS via Burp Collaborator. The tool supports various RCE and SQLi targets, provides instructions for usage, and includes features like faster performance, SQLi DNS exfiltration, dark mode compatibility, and more. It is written in Java using Portswigger's Montoya API and is compatible with Burp Suite Professional 2024.11.2 or later.

  • BOF WinRM client - The GitHub repository "FalconForceTeam/bof-winrm-client" contains a Cobalt Strike BOF that implements a WinRM shell client using Windows APIs. Users can interact with the shell client by running commands. The tool allows for the automation of certain tasks and collaboration outside of code.

  • BetterNetLoader - This is a version of NetLoader that executes .NET assemblies in memory and bypasses ETW and AMSI, except that this version uses hardware breakpoints to bypass those defenses. It places two hardware breakpoints, one on AmsiScanBuffer and another on NtTraceEvent, to effectively disable these two functions, which belong to AMSI and ETW respectively.

Threat Intel and Defense

  • Autopsy Hardening Guide: Part 2 - In this blog post, Maloney discusses how to harden an Autopsy Multi-user Cluster by encrypting passwords and improving security measures. The guide includes steps for setting up a multi-user cluster, configuring ActiveMQ with encrypted passwords, and securing the web-console. By following these steps, users can enhance the security of their Autopsy Multi-user Cluster.

  • One Mikro Typo: How a simple DNS misconfiguration enables malware delivery by a Russian botnet - Infoblox Threat Intel discovered a large-scale Russian botnet operation that delivers malware via spam campaigns using spoofed sender domains. The botnet uses compromised MikroTik routers to send malicious emails that appear to come from legitimate domains. It consists of approximately 13,000 compromised devices and 20,000 domains and is capable of various malicious activities, such as DDoS attacks, data theft, and phishing campaigns. A misconfiguration in the domains' SPF records allowed the threat actor to bypass traditional email protection measures, highlighting the importance of correct DNS configuration for email security.

  • Best EDR Of The Market V3 - The BEOTM Kernel Driver was introduced on January 14, 2025, marking a significant advancement over previous versions by shifting operations from user mode to kernel mode. The driver uses kernel telemetry for enhanced detection and analysis. Key features include monitoring event data, preventing process tampering, tracing system calls via alternative handlers, detecting C2 artifacts such as Sliver and Metasploit, and experimental shadow stacks against stack spoofing. The driver also prevents credential dumping and allows detection methodologies to be adjusted, with a focus on issue reporting for bug fixes. The project aims to contribute open-source methods for leveraging operating system telemetry for detection.

  • The Database Slayer: Deep Dive and Simulation of the Xbash Malware - The Xbash malware, discovered in 2018, is a sophisticated threat that targets critical databases like MySQL, PostgreSQL, and OracleDB, using Python as its primary language for development. A simulation of the Xbash malware attack on various databases demonstrates the destructive capabilities of this malware and the importance of securing organizational assets.

  • VMware ESXi Logging & Detection Opportunities - The article discusses the unique challenges of detecting threats in VMware ESXi environments, which often process critical data without effective security controls. The author explores the log sources available in ESXi systems, focusing on shell events and API logs. They provide examples of common adversary techniques, such as enabling SSH access and deleting virtual machine snapshots. The author also introduces the ESXi Testing Toolkit, a Python-based CLI tool that automates adversarial tests and detection rule development. Additionally, Sigma rule-based detections for various ESXi security events are shared.

  • One Active Directory Account Can Be Your Best Early Warning - This blog discusses how one Active Directory account can provide early warning of adversarial activities through detection engineering. It demonstrates how to set up a lab environment on Microsoft Azure and engineer detections for AD enumeration, Kerberoasting, and password spraying. The blog also includes PowerShell commands, Kusto query language examples, and guidance on building alerts to detect malicious activity in Active Directory.

  • Gootloader inside out - Gootloader malware uses social engineering to infect computers by manipulating search results and linking to malicious content through fake online message boards. The malware operates mainly on compromised WordPress servers and a central "mothership" server. Researchers reconstruct how Gootloader's server-side operations work by analyzing open-source tools and code. The malware uses obfuscation and malicious SEO tactics to deliver payloads and maintain control over compromised websites. Despite the complex nature of Gootloader, collaborative research efforts have helped uncover its methods and indicators of compromise.

  • Detecting Abuse of VSCode Remote Tunnels - This post discusses the abuse of VSCode Remote Tunnels by threat actors, detailing how they are being utilized in campaigns. The feature allows developers to expose their coding environment externally and share it with colleagues. Threat actors deliver malicious files to users, setting up tunnels to gain access to remote hosts for executing commands and running scripts. The post also provides insights on detecting and preventing abuse of VSCode Remote Tunnels, including monitoring for specific behaviors and implementing Group Policy settings for restrictions.

  • RansomHub Affiliate leverages Python-based backdoor - GuidePoint Security identified a threat actor using a Python-based backdoor to maintain access to compromised endpoints, leading to RansomHub encryptors being deployed on the network. The backdoor had unique indicators of compromise and was deployed through Remote Desktop Protocol lateral movement. The malware involved obfuscation and was able to establish a tunnel based on the SOCKS5 protocol to enable lateral movement in the network. The threat actor also utilized AI-assisted code creation to maintain and distribute the malware. Various C2 IP addresses associated with the Python backdoor were identified and shared for detection.

  • Botnets Never Die: An Analysis of the Large Scale Botnet AIRASHI - XLab observed a large-scale DDoS attack targeting the distribution platforms of the Chinese game Black Myth: Wukong. The botnet involved in the attack referred to itself first as AISURU and later as AIRASHI. The AIRASHI botnet exploits vulnerabilities in routers, uses encryption and authentication in its protocol, and has demonstrated stable DDoS attack capabilities. It targets various industries globally without a clear targeting strategy and continuously updates its samples to enhance its capabilities. Its network protocol uses HMAC-SHA256 for message verification and ChaCha20 for encryption.

  • Tracking cloud-fluent threat actors - Part two: Behavioral cloud IOCs - Behavioral Cloud IOCs are indicators based on patterns of activity that suggest malicious intent in cloud environments. These indicators focus on how attackers exploit systems rather than just the tools they use. By monitoring behavioral IOCs, organizations can detect malicious activity such as unauthorized access attempts or privilege escalation.

  • Potential Stealer: Purrglar in Progress - Kandji's Threat Research team discovered a potential stealer named Purrglar that focuses on capturing Chrome and Exodus wallet-related files by querying the macOS Keychain. The intentions of this potential malware are unclear as it appears to still be in development. The blog post dives into how Purrglar accesses sensitive data, captures files, and uploads them to a local host URL.

  • Threat Brief: CVE-2025-0282 and CVE-2025-0283 (Updated Jan. 17) - The threat brief discusses two vulnerabilities, CVE-2025-0282 and CVE-2025-0283, found in Ivanti products that allow attackers to achieve remote code execution and escalate privileges. The report details specific attacks observed in the wild, including tools used and steps taken by attackers.

  • Threat Bulletin: Weaponized Software Targets Chinese-Speaking Organizations - Intezer's threat bulletin reports on a series of attacks targeting Chinese-speaking organizations using weaponized software. The attacks are attributed to the Silver Fox APT group, known for targeting Chinese-speaking individuals and organizations with sophisticated malware like ValleyRAT. The attackers use legitimate software to deliver malicious payloads.

  • IoT Botnet Linked to Large-scale DDoS Attacks Since the End of 2024 - Trend Micro has been monitoring a large-scale DDoS attack orchestrated by an IoT botnet since the end of 2024, targeting companies globally. The botnet exploits vulnerable IoT devices like wireless routers and IP cameras and uses malware variants derived from Mirai and Bashlite. The attacks include various DDoS methods and proxy services, with a wide geographical dispersion of targets in North America and Europe.

  • New Star Blizzard spear-phishing campaign targets WhatsApp accounts - A new spear-phishing campaign conducted by the threat actor Star Blizzard targets WhatsApp accounts, marking a shift in their tactics to gain access to sensitive information. The campaign involves sending emails impersonating US government officials and directing recipients to join a WhatsApp group, with the goal of accessing their account data. Microsoft Threat Intelligence has been monitoring the activity and recommends vigilance and implementing security measures to protect against such attacks. The campaign, while short-lived, underscores the threat actor's resilience and ability to adapt to evade detection.

  • Sneaky 2FA: exposing a new AiTM Phishing-as-a-Service - A recent report uncovers "Sneaky 2FA," a new phishing-as-a-service (PaaS) platform designed to bypass two-factor authentication (2FA). This advanced adversary-in-the-middle (AiTM) tool enables attackers to intercept and hijack user sessions in real time, rendering 2FA protections ineffective. Targeting high-profile industries, the service provides a user-friendly interface, templates, and automated functionalities, lowering the technical barrier for cybercriminals.

  • Double-Tap Campaign: Russia-nexus APT possibly related to APT28 conducts cyber espionage on Central Asia and Kazakhstan diplomatic relations - The report details the "Double Tap" campaign, attributed to a Russia-nexus APT potentially linked to APT28. This cyber espionage operation targets Central Asian and Kazakh diplomatic entities, focusing on sensitive geopolitical and diplomatic information. Using tailored phishing emails and malicious attachments, the attackers deploy custom malware to maintain persistent access and exfiltrate data.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • Experimenting with Stealer Logs in Have I Been Pwned - Troy Hunt has added stealer logs to the Have I Been Pwned database, allowing users to see which websites their credentials have been exposed on. Individuals can verify their email address to access this information, while organizations can monitor domains to pull a list of exposed websites via a new API. The stealer logs contain vast amounts of personal information gathered by malware on infected machines, but the data may not always be accurate due to criminals providing the information. Hunt has also added the extracted passwords from the stealer logs to the Pwned Passwords service for users to check if their passwords have been compromised.

  • Part 16: Tool Description - In Part 16, the author discusses the difficulty in describing the functionality of a specific tool, using examples to illustrate that a tool can implement multiple independent techniques or procedures. The article delves into the concept of dependency graphs and how they can be used to evaluate equivalency between different samples or tools. The author explores how changing parameters in a tool can lead to different procedures being executed, highlighting the complexity of understanding the behavior of a tool. The article emphasizes that a tool cannot be easily described using a single chain of functions, and provides insights into analyzing the behavior of tools in a more comprehensive manner.

  • Chrome Web Store is a mess - The article discusses the problems with Google's management of the Chrome Web Store, highlighting issues with malicious and problematic browser extensions. It describes Google's lack of rigorous moderation and enforcement, resulting in a messy and potentially dangerous environment for users. The author suggests that Google needs to invest more manual effort into cleaning up the store and addressing policy violations. There is also a discussion about potential measures to improve the situation, such as raising the developer fee or requiring proof of identity. Overall, the article calls for more transparency and action from Google to make the Chrome Web Store safer for users.

  • CVE-2024-50603: Aviatrix Network Controller Command Injection Vulnerability - CVE-2024-50603 is a command injection vulnerability in the Aviatrix Network Controller that allows unauthenticated attackers to remotely execute arbitrary code. The vulnerability was discovered in Aviatrix Controller 7.x through 7.2.4820 due to improper neutralization of special elements used in an OS command. After a thorough analysis, a proof of concept was demonstrated by exploiting the vulnerability to execute a malicious function. The vulnerability was reported to Aviatrix, and a patch was released to address the issue, with customers notified and a new release provided.

  • Information Stealer Masquerades as LDAPNightmare (CVE-2024-49113) PoC Exploit - A fake Proof of Concept (PoC) exploit for the LDAPNightmare vulnerability is being used to distribute information-stealing malware. This attack lures security researchers into downloading and executing malicious software. Security measures, awareness, and best practices are recommended to protect against fake repositories containing malware.

  • Tetris in a PDF - The author created a playable version of Tetris inside a PDF document using JavaScript. The PDF can be opened in compatible desktop browsers like Firefox and Chromium-based browsers. The author explains the technical details of how they implemented the game and discusses potential limitations and possibilities for running other games, like DOOM, in a PDF format. There is a discussion about the security implications of running JavaScript in PDFs and the trend towards treating PDFs as more static documents.

  • Vigilante Justice on GitHub - The article discusses how vigilante justice can be carried out on GitHub by manipulating commit graphs of other users using leaked credentials. The author explains the conditions under which this can be done and suggests using this power for good, such as warning others about malicious users. However, it also warns about the potential for abuse, highlighting the need for stronger authentication mechanisms.

  • Investigating an "evil" RJ45 dongle - A user investigates claims of an "evil" RJ45 dongle purchased from China preloaded with malware, but discovers that the device is likely harmless and simply contains self-extracting drivers. The investigation involves reverse-engineering the hardware and using Google Translate to uncover the purpose of the device's flash memory. Ultimately, the conclusion is that the dongle is not malicious, and the investigation highlights the importance of thorough research before jumping to conclusions about potentially harmful hardware.

  • ExecutePeFromPngViaLNK - This project demonstrates a novel technique for embedding and executing PE (Portable Executable) files from PNG images via Windows LNK (shortcut) files. This approach leverages steganography to hide malicious payloads within image files and combines it with the exploitation of LNK files to execute the payload. The repository includes proof-of-concept code
