Last Week in Security - 2025-01-27
We're Hiring!
Immediate Open Positions:
Maryland Applicants:
We have openings for a Cryptologic Computer Scientist, Cyber Operator Developer Analyst, Ethical Hacker, Information Assurance Specialist, Information Systems Security Officer, Jr. Offensive Cyber Operator, Red/Blue Team Engineer, Senior Web Application Penetration Tester, Systems Engineer, Data Scientist, HPC Software Engineer, Information Systems Security Engineer, Operations Research Analyst, Reverse Engineer, and Software Engineer.
Virginia Applicants:
Available opportunities: DevSecOps Engineer and Red Team Operator - Senior.
For more open positions visit: https://www.sixgen.io/careers
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools, and exploits from the past week. This post covers 2025-01-20 to 2025-01-27.
News
MasterCard DNS Error Went Unnoticed for Years - MasterCard recently fixed a DNS error that went unnoticed for years, which allowed for potential interception or diversion of Internet traffic. The error persisted for nearly five years until a security researcher registered the mistyped domain name, preventing it from falling into the wrong hands. The misconfiguration affected one of MasterCard's core Internet servers and could have potentially led to the interception of web traffic, sensitive information, and unauthorized access to encryption certificates. Despite the potential risks, MasterCard downplayed the severity of the error, and the security researcher was criticized for publicly disclosing the issue.
Salt Typhoon: the Other Shoe Has Dropped, but Consternation Continues - The United States government has sanctioned Sichuan Juxinhe Network Technology Co., LTD for its involvement in the Salt Typhoon cyber operations, believed to be linked to China. Sichuan Juxinhe shares characteristics with other front companies established by China's Ministry of State Security for cyber operations. Despite appearing as a legitimate business, Sichuan Juxinhe's limited digital footprint and focus on telecommunication system services raise suspicions of its true motives. Additionally, the company owns software copyrights, prompting questions about its activities and connections to the MSS.
Trump administration fires members of cybersecurity review board in ‘horribly shortsighted’ decision - The Trump administration fired members of the Cyber Safety Review Board and other advisory committees in a decision criticized as shortsighted. The move was part of a broader effort to eliminate advisory committees that were seen as undermining national security or the President's agenda. The decision has raised concerns about the administration's approach to cybersecurity and the protection of critical infrastructure.
DOJ indicts five in North Korean fake IT worker scheme - The Department of Justice has indicted five individuals, including North Korean nationals, for fraudulently obtaining remote credentials to work with American companies and generate revenue for Pyongyang. The scheme involved collecting over $866,000 in revenue from 10 U.S. companies and gaining employment from at least 64 American firms using forged and stolen identity documents. The FBI has uncovered a plot where North Korean IT workers were installed as remote employees to generate revenue for the DPRK regime and evade sanctions. This is part of ongoing efforts to disrupt North Korea's cyber-enabled schemes.
Techniques and Write-ups
Entra Connect Attacker Tradecraft: Part 2 - The article discusses Entra Connect Attacker Tradecraft and how an attacker can add credentials to a user in a different domain within the same Entra tenant. It outlines the process of creating links between metaverse objects and connector space objects, as well as how to take advantage of partially synced users to gain access to privileged accounts. The attacker must wait for the Entra Connect sync agent to run and link the Entra user to the on-premises target account before using methods to elevate privileges and potentially take over the account. Detection of this attack may be difficult, but there are signals to look for in the Entra connector space and metaverse projections.
Stealing HttpOnly cookies with the cookie sandwich technique - The "cookie sandwich" technique allows attackers to bypass the HttpOnly flag on certain servers by manipulating how web servers parse and handle cookies with special characters. This can expose sensitive information, such as HttpOnly session cookies. An example of stealing an HttpOnly PHPSESSID cookie using this technique is provided, involving XSS vulnerabilities and manipulating the order of cookies in the client's request. Paying close attention to cookie encoding and parsing behaviors is essential for safeguarding web applications against various attacks. Additional information and insights on web security can be found on the PortSwigger website.
Denuvo Analysis - This blog post provides an in-depth analysis of Denuvo, a digital rights management system used to protect video games from piracy. The post explains how Denuvo works, including its use of hardware identification, encryption, and user integrity checks. It also discusses the challenges faced by crackers in trying to bypass Denuvo's protection and offers insights into potential strategies for cracking Denuvo-protected games. The analysis suggests that Denuvo remains a formidable DRM solution with continued success in protecting games.
0-click "Deanonymization" Attack - A 15-year-old high school junior discovered a unique 0-click deanonymization attack that targets Signal, Discord, and other platforms, allowing attackers to grab a target's location within a 250-mile radius. The attack exploits Cloudflare's caching feature to pinpoint a user's location by identifying which datacenter cached a resource. The attacker can then use this information to track and monitor the user's location. Despite responsible disclosure to affected parties, Signal dismissed the report, and Discord shifted the blame to Cloudflare. Cloudflare patched the bug but the underlying risks remain, highlighting the need for users to stay informed and vigilant to minimize exposure.
Hacking Subaru: Tracking and Controlling Cars via the STARLINK Admin Panel - The authors discovered a security vulnerability in Subaru's STARLINK connected vehicle service that allowed unauthorized access to vehicles and customer accounts in the US, Canada, and Japan. They were able to remotely start, stop, lock, unlock, and track the location history of vehicles, as well as access personally identifiable information of customers. The vulnerability was reported and patched within 24 hours. The authors also demonstrated how they were able to take over an employee's account and track the location history of a vehicle over a year. They were able to unlock a friend's car as a proof of concept. The impact of the bug highlighted the lack of security in connected car systems and the broad access to personal information by employees.
WinVisor – A hypervisor-based emulator for Windows x64 user-mode executables - WinVisor is a hypervisor-based emulator for Windows x64 user-mode executables created by Elastic Security Labs. It uses Microsoft's Windows Hypervisor Platform API to virtualize Windows x64 binaries. The project aims to provide a virtual environment for executing Windows x64 binaries, log syscalls, and enable memory introspection, although it is not designed to be a comprehensive and secure sandbox.
ETW Threat Intelligence and Hardware Breakpoints - ETW Threat Intelligence is crucial for modern Endpoint Detection and Response (EDR) solutions to detect malicious activity on Windows systems. Adversaries are using hardware breakpoints at the CPU level to bypass EDR detection systems stealthily by hooking functions and manipulating telemetry in userland. By leveraging NtContinue, attackers can set hardware breakpoints covertly without triggering ETW events, evading detection and maintaining stealth. This technique allows adversaries to evade traditional defenses, prevent AMSI scanning, and bypass ETW logging.
Seasoning email threats with hidden text salting - Cisco Talos has identified an increase in email threats using hidden text salting to evade detection systems. Hidden text salting involves inserting irrelevant characters into emails' HTML source to confuse parsers and filters. This technique has been observed in phishing emails impersonating well-known brands, evading language detection, and even smuggling HTML code to bypass detection engines. To mitigate these threats, advanced filtering techniques and reliance on visual features in addition to textual analysis are recommended.
CVE-2024-26230: Windows Telephony Service - It's Got Some Call-ing Issues (Elevation of Privilege) - The CVE-2024-26230 vulnerability in the Windows Telephony Service allows for an elevation of privilege on affected systems through a use-after-free exploit. By manipulating registry keys, an attacker can control memory allocation to create a fake object, triggering the vulnerability and gaining code execution. The exploit can be further escalated to load a malicious DLL, ultimately granting SYSTEM privileges.
SUSCTL (CVE-2024-54507) - A bug was discovered in the XNU Kernel of macOS 15.0, causing an invalid load when running a specific sysctl command. This bug allowed for the leakage of 2 bytes of kernel memory, potentially revealing sensitive data. The issue was reported to Apple and fixed in macOS 15.2 and iOS 18.2. The bug serves as a cautionary tale for kernel programmers to be aware of the consequences of memory accesses.
Attacks on Maven proxy repositories - The blog post discusses attacks on Maven proxy repositories, specifically targeting Sonatype Nexus and JFrog Artifactory. It outlines how specially crafted artifacts can lead to pre-auth remote code execution and poisoning of local artifacts. The vulnerabilities include stored XSS, archive expansion, path traversal, name confusion attacks, and disrupting internal metadata, leading to potential remote code execution. The post highlights the importance of securing these repository managers and the potential risks associated with using them in proxy mode.
Client Side Path Traversal (CSPT) Bug Bounty Reports and Techniques - Client Side Path Traversal (CSPT) bugs have gained attention, with reports detailing their impact. Renwa shares bug bounty findings from previous years, including a reflected XSS in cashback.opera.com leading to an account takeover and a DOM XSS in Reverb. Other reports cover vulnerabilities in Opera, a stored XSS in an activity page, and a client side path traversal leading to account takeover and XSS attacks. The post highlights techniques to exploit these bugs and recommends fixes for developers.
Vulnerability Archeology: Stealing Passwords with IBM i Access Client Solutions - Silent Signal Techblog conducted research on the IBM i platform, focusing on vulnerabilities in IBM i Access Client Solutions (ACS). They discovered that ACS stores Windows passwords as plaintext, making them easily accessible to attackers. The blog discusses the obfuscation techniques used by ACS to deceive security teams and highlights the risks posed by storing plaintext credentials.
API Hashing — Why Malware Loves (And You Should Care) - API hashing is a technique malware uses to disguise the API functions it calls and avoid detection by security tools. Instead of importing functions by name, the malware stores hashes of the function names and resolves the corresponding addresses dynamically at runtime, which hides its intent from static analysis and helps it evade kernel-level security measures. Tooling such as Cobalt Strike relies on this technique to execute malicious code stealthily, and the post explains why defenders should care.
0x07 - Introduction to Windows Kernel Race Conditions - This tutorial covers the exploitation of a Type Confusion vulnerability against Windows 11 (x64) through a Double Fetch technique. It explains the concept of race conditions in a high-level overview using a non-technical example involving a cooking game. The tutorial then delves into the technical details of the vulnerability, demonstrating how to identify the target files, understand the source code, and craft a proof of concept to exploit the vulnerability. The final result shows a successful exploitation of the double fetch vulnerability.
Learnpress Sensitive Information Exposure - Abrahack's blog post details the discovery of a medium-severity vulnerability in the LearnPress WordPress LMS Plugin that allows users to access sensitive course materials and bypass payment requirements. The vulnerability, which was identified in version 4.2.7.3 of the plugin, allowed unauthenticated users to download paid course content for free. The vendor fixed the vulnerability in version 4.2.7.4 after it was reported, and a CVE (CVE-2024-11868) was assigned for it.
Reading iOS Sandbox Profiles - The blog discusses the importance of understanding iOS Sandbox Profiles, which are configuration files that define restrictions for individual daemons in iOS to enhance system security. These profiles are critical for isolating apps and system processes from each other and restricting access to sensitive resources. The blog explains how to read and analyze Sandbox Profiles, detailing the structure, key rules, and components of the profiles, such as Mach IPC Filters, System Call Restrictions, and Mach Trap Filters. The analysis of Sandbox Profiles helps in identifying potential attack surfaces and vulnerabilities within the system, emphasizing the need for understanding and analyzing them for security purposes.
Operating Inside the Interpreted: Offensive Python - TrustedSec explores the potential of using Python for Windows malware deployment, highlighting the ease of installing Python from the Microsoft Store. They discuss the history of Python malware, the availability of Python on Windows, and the advantages of using Python for offensive purposes. The article also explains how to download and install Python from the Microsoft Store, offline scenarios for installation, using the Pip package manager, the Python standard library, including the ctypes module for unmanaged execution, and potential indicators of compromise inside Python. Overall, they propose Python as a valuable platform for malware deployment due to its versatility and ease of use.
Skibidi Java – The Infinite Loop in Java Collections; Edge Case to Java Universal DoS - Checkmarx discovered a security flaw in Java's core collection objects, which could lead to a Denial of Service (DoS) attack when exploited through Java serialization and circular references. This vulnerability, named Skibidi Java, could affect any Java deserializer handling standard collection types, posing a risk in systems that deserialize untrusted user-provided data. Checkmarx recommends implementing strict validation of serialized data, using custom deserializers to prevent circular references, and maintaining a strict allowlist of permitted classes for deserialization to mitigate this issue.
Modifying Certipy to Evade Microsoft Defender for Identity PKINIT Detection - In 2024, exploiting Active Directory Certificate Services (AD CS) was common for escalating privileges in an Active Directory environment. Microsoft Defender for Identity (MDI) improved its detection of suspicious certificate usage, including PKINIT authentication by tools like Certipy. By modifying the list of encryption types advertised by Certipy, one can evade MDI's detection and stay undetected when abusing vulnerabilities. However, this bypass is not foolproof, and additional detections could be created based on Impacket’s Kerberos implementation. It's recommended to test exploits in a lab environment to avoid security alerts.
A Cost Effective Covert Implant for Red Teamers - In red team engagements, gaining initial access to a network is crucial. Tools like USB Rubber Ducky can help deliver payloads remotely. Covert implants, like the O.MG Cable and Evil Crow Cable, blend in as everyday items to avoid detection. A low-cost implant can be integrated into a wired keyboard or mouse easily, using components like the Adafruit CH334F Mini 2-Port USB Hub and JST connectors. Microcontrollers like the ESP32 S3 Zero can emulate HID devices for keystroke injection techniques.
Exploring WinRM plugins for lateral movement - In this blog, FalconForce explores how to use WinRM plugins for lateral movement, focusing on bypassing Microsoft Defender by performing file operations through a WMI class. They discuss developing a basic WinRM plugin, exploring built-in WinRM plugins, and using WinRM to interact with WMI. The post also covers creating a lateral movement BOF using WinRM plugins and avoiding detection by Defender by using a WMI class for file operations. Finally, FalconForce highlights the potential for future improvements in using WMI classes for service and registry operations, and mentions the importance of learning COM programming.
Linux Kernel TLS Part 1 - This blog post provides a deep dive into the Linux kernel's TLS implementation, highlighting how it works and discussing vulnerabilities that have been exploited in the past. It covers the initialization of TLS sockets, setting up encryption configurations, sending and receiving packets, and handling cryptographic algorithms. The post also identifies a vulnerability related to a race condition in asynchronous encryption and decryption operations, providing analysis and potential exploitation paths. Finally, it discusses a potential bypass for the issue by sending invalid data in packets to extend the race window for exploitation.
Linux Kernel TLS Part 2 - The blog discusses the Linux Kernel TLS vulnerabilities in commits related to encryption and decryption functions. It highlights issues such as a race condition between scheduling encryption and socket closure, handling backlogged crypto requests, and potential use-after-free vulnerabilities in async decryption. The root causes are identified, and patches are proposed to address these vulnerabilities by reordering work scheduling and improving error handling.
Tear Down The Castle - Part 1 - In this article, various security vulnerabilities and misconfigurations in Active Directory environments are highlighted. The focus is on issues related to Active Directory Certificate Services (AD CS), service accounts with excessive privileges, weak password policies, and the importance of PowerShell script block logging.
Malware development trick 44: Stealing data via legit GitHub API. Simple C example. - The article discusses a malware development technique involving stealing data using the GitHub API. The author provides a simple C example code to demonstrate how to send system information to a GitHub repository via the API. The process involves creating a GitHub issue, generating a token, defining GitHub credentials, and constructing a request body to post a comment on an issue.
form-action Content-Security-Policy Bypass And Other Tactics For Dealing With The CSP - The post discusses ways to bypass Content-Security-Policy (CSP) to exploit content injections like XSS and HTML injections. It demonstrates that even with CSP in place, applications can still be vulnerable to attacks due to configuration flaws. The post highlights tactics like form-action CSP bypass and dangling markup attacks that can be used to exfiltrate information from users' accounts, even with a properly configured CSP. It also emphasizes the importance of using the form-action directive and provides recommendations for better CSP configurations to mitigate these types of attacks.
Malicious extensions circumvent Google’s remote code ban - Malicious extensions have found ways to bypass Google's remote code ban by using various techniques, including injecting HTML code into web pages, abusing APIs, and opening new tabs. These extensions hide their malicious functionality by downloading configurations from web servers. The investigation revealed several groups of extensions associated with companies like Phoenix Invicta, Technosense Media Pvt. Ltd, and Sweet VPN, all engaging in spying on users and potentially harmful activities. Despite these findings, Google has yet to take action against these extensions, highlighting the challenges of regulating the Chrome Web Store.
NaN Of Your Business - My Favorite Unintended CTF Solution - The author shares their favorite unintended solution for a Capture The Flag (CTF) challenge called "NaN Of Your Business" from the Spokane Cyber Cup. The challenge involves exploiting the use of NaN (Not a Number) in floating point numbers to steal money from a bank system. A high school student named Seth Quast discovered this workaround by reading the documentation and using NaN to bypass withdrawal restrictions.
Exploit Me, Baby, One More Time: Command Injection in Kubernetes Log Query - Akamai has disclosed a critical remote code execution (RCE) vulnerability affecting Kubernetes environments on Windows, linked to improper log query handling. This issue allows attackers to exploit Kubernetes logs to execute arbitrary commands.
More XSS and Clickjacking in Yamcs v5.8.6 - VisionSpace has identified vulnerabilities in Yamcs v5.8.6, including cross-site scripting (XSS) and clickjacking flaws. These issues allow attackers to inject malicious scripts or manipulate user interactions, potentially compromising sensitive data.
Remote Code Execution via Man-in-the-Middle (and more) in NASA’s AIT-Core v2.5.2 - VisionSpace reports critical vulnerabilities in NASA's AIT Core v2.5.2, including remote code execution through man-in-the-middle attacks. Exploiting these flaws enables attackers to inject malicious commands or compromise system integrity.
Clone2Leak: Your Git Credentials Belong To Us - The article discusses vulnerabilities found in various Git-related projects by a security engineer at GMO Flatt Security Inc. These vulnerabilities include credential leakage due to improper handling of messages in the Git Credential Protocol in GitHub Desktop and Git Credential Manager. The article also mentions a vulnerability in Git LFS that allows for credential leakage. Mitigations have been implemented to address some of these issues, but vulnerabilities in GitHub CLI and broken credential helpers on GitHub Codespaces still exist. The article emphasizes the importance of improving security in Git-related projects and offers services for security assessment and testing.
Tools and Exploits
EvilBurp - The GitHub repository "EvilBurp" is an automated Evilginx phishlet creator extension for Burp Suite that assists with security testing and research by generating phishing scripts in a YAML format. The tool can capture domains from visited sites, detect authentication tokens, identify login form fields, and integrate with Burp Suite's context menu.
7-Zip Mark-of-the-Web Bypass Vulnerability [CVE-2025-0411] - POC - This GitHub repository contains Proof of Concept (POC) scenarios related to the CVE-2025-0411 vulnerability in 7-Zip, which allows remote attackers to bypass the Mark-of-the-Web protection mechanism. The vulnerability can be exploited by tricking a user into visiting a malicious page or opening a malicious file. The POC demonstrates how the vulnerability can be used to execute arbitrary code in the context of the current user.
IronEye - Welcome to your Rusty LDAP Swiss Army Knife - IronEye is a new Rust-based LDAP tool for penetration testers, combining multiple tools into one cross-platform package. It includes modules for domain reconnaissance, user enumeration, password spraying, and more. The tool is still in development, with plans for additional features like Kerberos spraying and DACL query logic.
CVE-2024-53691 - The GitHub repository C411e/CVE-2024-53691 contains information about a security vulnerability labeled as CVE-2024-53691, which allows remote attackers to gain root access and compromise the system. The vulnerability was discovered on April 22, 2024, and patched on September 7, 2024, affecting specific versions of QTS and QuTS hero software. Attackers can exploit the vulnerability by uploading a symlink through a ZIP file and executing shell commands to achieve remote code execution.
Gemini Web Navigator Experiments - The GitHub repository "gemini-web-navigator" contains experiments with Google Gemini's Vision capabilities for LLM driven web navigation and desktop manipulation. The project uses vision-based browser control to interact with web page elements and bypass non-captcha based anti-bot products. The approach involves using a desktop environment to control mouse and keyboard inputs, rather than browser events, to automate tasks on websites.
Injectly - Injectly is a self-hosted code injector app that simplifies managing and injecting scripts across multiple websites. It allows for dynamic updates of scripts, easy management of websites, and total control over data and functionality. The app uses Tailwind CSS for design, Node.js with Express.js for API and routing, and SQLite for data storage.
BaitRoute - Baitroute is a web honeypot library that creates vulnerable-looking endpoints to detect and mislead attackers. It serves realistic decoy vulnerabilities to waste attackers' time with false positive results. The library supports multiple languages and frameworks like Go, Python, and Javascript, and comes with ready-to-use rules that can be easily customized or added. It also allows for integration with SIEM systems for alerting and tracking attacker activity.
Threat Intel and Defense
Being a tool while using a tool - The author shares a case where they were fooled by the Total Commander tool while examining the Signal desktop client installer. The installer contained both Intel and ARM binaries, but Total Commander only displayed the first embedded archive, causing confusion. The case highlights the importance of verifying results with multiple tools, analyzing file formats, and using carving and static analysis tools to avoid misunderstandings and inconsistencies. It serves as a reminder to question what is seen and to analyze files thoroughly for anomalies.
Analyzing iOS Kernel Panic Logs - This blog post discusses the analysis of iOS Kernel panic logs, which occur when the operating system kernel encounters a fatal error. The blog outlines common causes of kernel panics, how to extract and analyze kernel panic logs, interpret the panic string, simplify the panic file, symbolicate kernel addresses, and identify the root cause of the panic. The analysis is essential for diagnosing and resolving system-level issues, especially for security researchers and developers. The blog also mentions the availability of on-demand courses on kernel panic analysis and low-level system debugging.
PlushDaemon compromises supply chain of Korean VPN service - ESET researchers have uncovered a supply-chain attack against a South Korean VPN provider by a China-aligned APT group named PlushDaemon. The attackers replaced the legitimate VPN software installer with a backdoor implant called SlowStepper, which has over 30 components and is capable of extensive data collection and espionage. PlushDaemon has been active since 2019, targeting individuals and entities in various countries, including South Korea, Taiwan, China, the United States, and New Zealand. The group's sophisticated toolset and tactics make them a significant threat in the cybersecurity landscape.
Malicious NPM package deploys new infostealer malware - A malicious NPM package named "arcus-cmd-utils" was identified to contain infostealer malware targeting Chrome browser credentials and session tokens. The malware exfiltrates stolen data to a Discord server and was created by an NPM user named Zyrudev. The threat actor behind the package also published two other malicious packages, which were subsequently removed from NPM. Organizations are advised to use indicators of compromise to hunt for this threat in their environment and ensure the use of security tools to protect against malicious packages in software supply chains.
The J-Magic Show: Magic Packets and Where to find them - Black Lotus Labs at Lumen Technologies has discovered a backdoor attack known as J-magic targeting Juniper routers, allowing attackers to gain control, steal data, and deploy malicious software. The campaign, active from 2023 to 2024, targeted enterprise-grade routers serving as VPN gateways in various industries. The malware uses a passive agent scanning for specific "magic packets" in TCP traffic to establish control. Although sharing similarities with other malware families like SeaSpy, J-magic is considered a separate campaign focusing on Junos OS routers.
Threat hunting case study: PsExec - PsExec is a Sysinternals command-line utility for Microsoft Windows that threat actors use to install and execute programs on remote machines. It has been used by various threat groups, including state-sponsored and financially motivated cybercriminal groups. Intel 471 provides a case study on conducting threat hunts to detect potentially malicious use of PsExec by looking for artifacts such as randomly named executables and their associated parent processes. This method of threat hunting is more reliable than traditional indicators of compromise and can help organizations detect and respond to potential breaches.
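The hunt described above, as an added example that is not from the Intel 471 case study or this newsletter: a small Python pass over constructed Sysmon-style process-creation records. It assumes the behaviour PsExec is documented to have (the remote service binary is copied into the ADMIN$ share, i.e. the root of C:\Windows, is named PSEXESVC.exe by default, can be renamed by the operator, and is started by services.exe), and the "random-looking name" heuristic, the field names, the sample records and the function names are this example's own choices.

```python
import ntpath
from typing import Dict, List, Optional, Tuple

# Constructed Sysmon-style process-creation records (Event ID 1 fields),
# made up for this example; not data from the Intel 471 case study.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"id": 1, "Image": r"C:\Windows\PSEXESVC.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"id": 2, "Image": r"C:\Windows\qMx7zKpL.exe",            # renamed service binary
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"id": 3, "Image": r"C:\Windows\System32\svchost.exe",    # ordinary service
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"id": 4, "Image": r"C:\Program Files\Vendor\updater.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"id": 5, "Image": r"C:\Windows\qMx7zKpL.exe",            # odd name, but not service-launched
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"id": 6, "Image": r"C:\Windows\System32\cmd.exe",        # command run through PsExec
     "ParentImage": r"C:\Windows\PSEXESVC.exe"},
    {"id": 7, "Image": r"C:\Windows\System32\whoami.exe",
     "ParentImage": r"C:\Windows\qMx7zKpL.exe"},
]

# Assumptions (see lead-in): the PsExec service binary lands in the ADMIN$ root
# and is started by the Service Control Manager.
WINDOWS_ROOT = r"c:\windows"
SERVICE_CONTROL_MANAGER = r"c:\windows\system32\services.exe"
DEFAULT_PSEXEC_SERVICE = "psexesvc.exe"


def looks_random(stem: str) -> bool:
    """Illustrative 'random-looking name' heuristic (this example's own):
    letters mixed with digits, or several upper/lower case flips."""
    has_digit = any(c.isdigit() for c in stem)
    has_alpha = any(c.isalpha() for c in stem)
    letters = [c for c in stem if c.isalpha()]
    flips = sum(1 for a, b in zip(letters, letters[1:]) if a.islower() != b.islower())
    return (has_digit and has_alpha) or flips >= 3


def service_binary_reason(ev: Dict[str, object]) -> Optional[str]:
    """Return why a process looks like a PsExec service binary, or None."""
    directory, name = ntpath.split(str(ev["Image"]))
    parent = str(ev["ParentImage"]).lower()
    if parent != SERVICE_CONTROL_MANAGER or directory.lower() != WINDOWS_ROOT:
        return None
    if name.lower() == DEFAULT_PSEXEC_SERVICE:
        return "default PsExec service name started by services.exe"
    stem, _ = ntpath.splitext(name)
    if looks_random(stem):
        return "random-looking binary in ADMIN$ root started by services.exe"
    return None


def hunt(events: List[Dict[str, object]]) -> List[Tuple[int, str]]:
    """Two passes: flag candidate service binaries, then the processes they
    spawned, which are the commands actually executed through PsExec."""
    findings: List[Tuple[int, str]] = []
    suspicious_images = set()
    for ev in events:
        reason = service_binary_reason(ev)
        if reason:
            findings.append((int(ev["id"]), reason))
            suspicious_images.add(str(ev["Image"]).lower())
    for ev in events:
        if str(ev["ParentImage"]).lower() in suspicious_images:
            findings.append((int(ev["id"]), "child of suspected PsExec service binary"))
    return findings


if __name__ == "__main__":
    for event_id, reason in hunt(SAMPLE_EVENTS):
        print(f"event {event_id}: {reason}")
```

Event 5 shows why the parent matters: the same odd file name launched by explorer.exe is not flagged, while events 6 and 7 are surfaced only because their parent was already identified as a service binary. On real telemetry the name heuristic needs tuning against the environment's own service inventory.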
Sophos MDR tracks two ransomware campaigns using “email bombing,” Microsoft Teams “vishing” - Sophos MDR has identified two separate ransomware campaigns using email bombing and "vishing" (voice phishing) on Microsoft Teams. The threat actors utilized Microsoft Office 365 functionality to gain access to organizations, with the aim of stealing data and deploying ransomware. The attacks involved overwhelming Outlook mailboxes with spam emails, posing as tech support to gain remote access to targeted computers, and deploying malicious payloads.
InvisibleFerret Malware: Technical Analysis - The article discusses the technical analysis of the InvisibleFerret malware, a North Korean activity that spreads through fake job interviews. The malware targets developers in the technological, financial, and cryptocurrency sectors by disguising itself as coding challenges or video call software. The analysis reveals that the malware seeks source code, wallets, and sensitive files, and exfiltrates information through various methods, including monitoring clipboard changes and capturing user data from browsers. The article emphasizes the need for caution when dealing with job offers and unknown software sources to stay safe from such malware threats.
Beware of Contacts through LinkedIn: They Target Your Organization’s Property, Not Yours - There have been reports of unauthorized access in Japan through LinkedIn, with attackers targeting organizations' property. The attacks are mainly carried out by the Lazarus attack group, with tactics such as pretending to be a recruiter and persuading targets to download malicious files. Organizations are advised to restrict the use of social networking sites on work devices and implement security measures to protect employees from such attacks. The blog post details specific operations by the Lazarus group targeting organizations in various countries, including defense contractors and cryptocurrency exchanges.
Tracking Adversaries: Ghostwriter APT Infrastructure - Cyber threat intelligence analysts use infrastructure pivoting to track adversaries in malware, phishing, and network exploitation campaigns. By analyzing threat data from public and private sector organizations, analysts can identify additional targets, tools, and insights about adversaries. For example, by examining the Ghostwriter APT infrastructure, analysts can link domains and IP addresses across multiple threat reports to attribute attacks to known adversaries. This type of analysis can reveal patterns in domain registration and hosting overlaps, helping to uncover unreported domains and related malware samples. Ultimately, this work helps to understand the capabilities and behaviors of threat actors behind cyber campaigns.
Targeted supply chain attack against Chrome browser extensions - Sekoia.io discusses a targeted supply chain attack on Chrome browser extensions, where attackers compromised developer accounts to upload malicious updates. These updates introduced spyware capabilities, enabling data exfiltration and user tracking. Users and organizations are urged to verify updates, monitor extension behavior, and implement stricter security measures to mitigate such threats.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
Reverse Engineering Call Of Duty Anti-Cheat - The article discusses the reverse engineering of the Call of Duty anti-cheat system, TAC, which runs entirely in user mode and does not use kernel components. The anti-cheat uses various methods to prevent cheating, such as runtime API lookups, API hook detection, debug register checks, driver signing enforcement detection, detection of cheat logging, network traffic monitoring, encrypted custom syscalls, and detection of anti-debugger-hiding attempts. TAC also has features to detect external cheats, block the CreateRemoteThread technique, and dump exception handlers. The anti-cheat system is sophisticated and incorporates various mechanisms to maintain the integrity of the game environment.
Using GitHub Copilot From Inside GitHub Actions - The blog post explores using GitHub Copilot inside GitHub Actions to automate tasks like extracting data from submissions and updating files. The author details the GitHub Copilot API endpoints used to interact with the tool and writes a Python script to accomplish the task. The script is then integrated into a GitHub Action that automatically handles submissions, updates files, and creates pull requests. The author emphasizes that this is a fun experiment and not intended for production use.
The invalid 68030 instruction that accidentally allowed the Mac Classic II to successfully boot up - The story discusses a mistake in the ROM of the Macintosh Classic II that allowed it to boot up due to an undocumented 68030 instruction. The author explores how this instruction affects the CPU's registers and behavior on both MAME emulation and real hardware. They also experiment with modifying the ROM on a physical Classic II to confirm their findings. The article highlights the complexity and intricacies of hardware emulation and the discovery of undocumented processor behavior.
You Can't Trust Hackers, and Other Data Breach Verification Tales - Troy Hunt discusses his experience with a hacker who claimed to have a data breach from a popular electronics retailer. Hunt used his own verification methods to expose the scam and highlight the importance of verifying data breach claims.
Gift cards security research - The researcher conducted security research on gift cards and discovered multiple vulnerabilities in various applications. These vulnerabilities included race conditions leading to financial loss for companies, email HTML injections in gift card notifications, and promo code issues allowing for free items on unlimited orders. The researcher acquired over 30 gift cards for the research, revealing 9 vulnerabilities and earning $6,500. The article emphasizes the importance of exploring untapped attack surfaces, such as gift cards, and discusses the process of identifying and reporting vulnerabilities for bug bounty programs.
Millions of Accounts Vulnerable due to Google’s OAuth Flaw - Millions of American accounts are vulnerable to data theft due to a flaw in Google's OAuth system, especially those of former employees of failed tech startups. The flaw allows attackers to access sensitive data from various services used by these organizations, including HR systems and interview platforms. Although Google initially dismissed the issue, it eventually acknowledged it and is working on a fix. Downstream providers cannot mitigate this vulnerability unless Google implements the proposed changes to its OIDC claims. The risk of password reset takeovers also exists, but measures such as disabling password-based authentication and enforcing 2FA can help mitigate this risk.
How to detect honeypots in AWS - This document describes how honeypot AWS access key IDs created with Canary Tokens can be detected and avoided. By planting fake access keys that trigger alerts when used, security teams can gain valuable insights into attackers' actions. A caveat of the detection method is that it requires knowing the account ID beforehand, which can be deduced from the access key ID using a script devised by Tal Be'ery. By proactively spoofing the IMDS endpoint and using the script to verify the account ID, security teams can evaluate how effective their honeypot deployment is.
So You Want To Work in Cyber Security? - Overall, working in cyber security requires a combination of technical skills, a willingness to learn, strong communication skills, and the ability to think creatively and critically. It may not be easy, but for those who are passionate about hacking and protecting systems, it can be a rewarding and exciting career path.
VMware ESXi Logging & Detection Opportunities - Detect.fyi outlines detection opportunities for VMware ESXi, focusing on improving logging to identify malicious activity. The blog emphasizes the need for detailed log analysis to uncover potential threats like unauthorized access or misconfigurations. Recommendations include enabling verbose logging and monitoring key events to enhance incident detection and response for ESXi environments.