Last Week in Security - 2025-02-12
We're Hiring!
Immediate Open Positions:
Maryland Applicants:
We have openings for a Cryptologic Computer Scientist, Cyber Operator Developer Analyst, Ethical Hacker, Information Systems Security Officer, Jr. Offensive Cyber Operator, Red/Blue Team Engineer, Senior Web Application Penetration Tester, Systems Engineer, Appian Software Engineer, Computer Network Operator Developer, Data Scientist, DevOps Engineer, Full Stack Developer, HPC Software Engineer, Information Security Analyst, Operations Research Analyst, Reverse Engineer, System Engineer Mid-Senior, Systems Security Engineer, and Web Developer/Software Engineer.
Virginia Applicants:
Available opportunities: DevSecOps Engineer, Red Team Operator - Senior, and Ruby Developer.
For more open positions visit: https://www.sixgen.io/careers
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools, and exploits from the past week. This post covers 2025-01-27 to 2025-02-03.
News
US Treasury says it was hacked by China in 'major incident' - The US Treasury Department was hacked by Chinese state-sponsored hackers, breaking into systems and accessing employee workstations and some unclassified documents. The breach was deemed a "major incident" and the department, along with other agencies, is investigating the impact of the hack. China denied involvement and called the accusations baseless, stating they oppose all forms of hacking. The hack is part of a series of security breaches in the US attributed to China, and the Treasury Department is working with cybersecurity agencies to assess the overall impact.
Cyberhaven Extension Compromise - Secure Annex is a platform for managing and securing enterprise browser extensions. The platform helps prevent compromise of browser extensions, specifically focusing on Cyberhaven Extension Compromise. By using Secure Annex, organizations can better protect their browser extensions and ensure the security of their network and data.
U.S. Army Soldier Arrested in AT&T, Verizon Extortions - A 20-year-old U.S. Army soldier, Cameron John Wagenius, was arrested for extorting sensitive customer call records from AT&T and Verizon. He was working with a Canadian cybercriminal known as Kiberphant0m. Wagenius was caught due to bragging about his activities, and his mother was unaware of his criminal behavior. He now faces serious charges and could be sent to a maximum-security prison. The incident highlights the importance of internal security measures and the risks associated with insider threats in cybersecurity.
Over 3.1 million fake "stars" on GitHub projects used to boost rankings - Researchers have identified over 3.1 million fake "stars" on GitHub projects used to boost rankings and increase visibility for scams and malware repositories. Bad Tenable plugin updates caused issues for Nessus agents worldwide. The US sanctioned a Chinese company linked to the Flax Typhoon hackers. Apple offered $95 million in a settlement for Siri privacy violations. A new DoubleClickjacking attack exploits double-clicks to hijack accounts. Microsoft Bing showed misleading Google-like pages for 'Google' searches. It is advised for Windows 10 users to upgrade to avoid security issues, and there are guides available on virus removal and accessing the Dark Web using the Tor Browser.
Chinese hackers targeted sanctions office in Treasury attack - Chinese hackers targeted the Office of Foreign Assets Control (OFAC) in a major cybersecurity incident, breaching the Treasury Department's network through the BeyondTrust remote support platform. The hackers were likely collecting intelligence on potential sanctions targets. Chinese state-backed group "Salt Typhoon" was also linked to recent breaches of U.S. telecom firms. The U.S. government has taken steps to secure its networks and ban China Telecom's operations in response to these cyber threats.
Techniques and Write-ups
Übermensch: Bypassing NAT when pivoting on Windows with Nebula - The article discusses advanced NAT pivoting techniques on Windows using Nebula to access internal networks by leveraging Hole Punching and ICS. It details the process of establishing a connection between an attacker and a compromised host behind NAT. Through UDP Hole Punching and Internet Connection Sharing, the attacker gains access to the victim's internal network. The step-by-step guide includes instructions on setting up Nebula, configuring the network, enabling ICS, and conducting impact tests to demonstrate successful pivoting from the Internet to internal networks. The research draws inspiration from Friedrich Nietzsche’s philosophical concept of "Übermensch."
Simple Prompts to get the System Prompts - AI wrappers are commonly used, but their security is often overlooked. Developers add prompts to guide AI models towards the desired output, but attackers can trick the models into generating system prompts. Strategies to get system prompts include repeating the prompt, expanding it, enclosing it in Markdown, converting it to base64 or python code. These methods can help bypass limits set by developers, but AI models can be imperfect and vulnerable to exploitation.
Walkthrough Series - The YouTube channel Flare-On 2024 showcases content related to NFL Sunday Ticket. The channel is operated by Google LLC and features a variety of videos focused on football. Users can test new features and explore how YouTube works on the platform.
Microsoft 365 Copilot Generated Images Accessible Without Authentication -- Fixed! - Microsoft 365 Copilot had a vulnerability where generated images were accessible without authentication, but it has been fixed. The system prompt for the chatbot has evolved over time, with new features and changes being introduced. The lack of authentication in cloud-based systems poses a security threat, and it is important to prioritize security in the rapid deployment of new features. The chatbot has specific guidelines and limitations for its responses and capabilities to ensure safety and accuracy.
Reviving the Fork Bomb - Fork bombing is a type of denial-of-service attack that overwhelms a system by creating an exponential number of processes. It originated as a prank in the Unix community and can crash a system within seconds. Implementations in languages like Bash, C, and Python exist, and there are detection and prevention mechanisms like setting process limits and monitoring tools. It is important to use fork bombs for educational purposes and not for malicious intent, as deploying them on unauthorized systems is illegal.
Smuggling payloads and tools in, using WIM images - Attackers can smuggle payloads and tools into a target using WIM images, a method similar to using virtual drive images. WIM images can be mounted read-only, making it difficult to delete files once they are exposed to the operating system. Despite attempts to manipulate the WIM image to redirect to a different file, the system still reads from the original neutral WIM image. The assumption that there are no 'File Created' events for files in WIM images is incorrect, as the system recreates the directory structure triggering these events. Additionally, WIM images are not truly mounted as read-only, as files and directories can be easily deleted.
Smuggling payloads and tools in, using WIM images, Part 2 - WIM files can contain more than one image, allowing for the smuggling of payloads and tools. By using Dism commands, multiple images can be added to a single WIM file and split into smaller chunks. Despite attempts to hide data within Alternate Data Streams and Extended Attributes, the file may still be detected by antivirus software. It is important to pay attention to the capabilities of WIM files and the potential for evading detection.
Bad Likert Judge: A Novel Multi-Turn Technique to Jailbreak LLMs by Misusing Their Evaluation Capability - The article introduces the "Bad Likert Judge" technique, which is a multi-turn technique that can bypass safety guardrails in large language models (LLMs) to generate harmful responses. By asking the LLM to act as a judge and score the harmfulness of responses using a Likert scale, attackers can manipulate the model into generating harmful content. The technique has been tested on six state-of-the-art text-generation LLMs and has shown to increase the attack success rate by more than 60%. The article emphasizes the importance of implementing content filtering systems alongside LLMs to mitigate jailbreak attempts and prevent the generation of harmful or inappropriate content.
Breaking the Chain: Wiz Uncovers a Signature Verification Bypass in Nuclei, the Popular Vulnerability Scanner (CVE-2024-43405) - Wiz's engineering team discovered a high-severity signature verification bypass in Nuclei, an open-source security tool, which could lead to arbitrary code execution. The vulnerability, CVE-2024-43405, was responsibly disclosed to ProjectDiscovery, who released a patched version to address the issue. The vulnerability highlights the importance of parser consistency and robust verification mechanisms to prevent malicious exploitation of tools like Nuclei. By running Nuclei in isolated environments and validating template sources, organizations can reduce the risk of exploitation and maintain a secure security scanning workflow.
Building a RuntimeInstaller Payload Pipeline to Evade AV Detection - In this post, Practical Security Analytics LLC demonstrates how to build a runtimeinstaller payload pipeline to evade antivirus detection. The pipeline generates a .NET loader payload that can bypass AV detection and application controls. Various steps, such as defining parameters, generating the source payload, adding an anti-malware scan interface bypass, and obfuscating class, method, and variable names, are involved in the process. The pipeline is executed either through the SpecterInsight UI or by making a web request, resulting in a small, obfuscated payload that can be run with InstallUtil.exe. The effectiveness of the pipeline is tested by submitting the payload to VirusTotal for detection analysis.
GPU-accelerated hash cracker with Rust and CUDA - In this blog post, the author discusses the implementation of a GPU-accelerated hash cracker using Rust and CUDA. They provide a detailed explanation of how GPUs work and their applications, as well as the implementation of MD5 in Rust. The post also covers integrating CUDA code with Rust code, benchmarking the hash cracker, and optimizing the code for better performance. The author concludes with suggestions for future improvements, such as testing different block sizes and multi-hash cracking capabilities. The post is part of a cybersecurity blog and is licensed under CC BY 4.0.
Dumping Memory to Bypass BitLocker on Windows 11 - The article discusses a method for bypassing BitLocker encryption on Windows 11 by extracting FVEK keys from memory using a UEFI application called Memory-Dump-UEFI. The process involves abruptly restarting the target system, creating a bootable USB device, and analyzing the memory dumps to locate sensitive information. The article also mentions techniques to mitigate memory degradation and potential issues with secure boot. The author provides detailed steps for executing the bypass and recovering FVEK keys, emphasizing the need to understand Microsoft's implementation of BitLocker through kernel-level debugging.
CVE-2024-54819 - I Librarian Server Side Request Forgery - The author discusses their experience with disclosing a vulnerability (CVE-2024-54819) in I Librarian server, highlighting the lack of response and cooperation from the maintainers. The vulnerability allows for Server-Side Request Forgery (SSRF) due to improper input validation. The author provides a detailed explanation of the vulnerability and how it can be exploited, emphasizing the importance of proper validation and network protection. The post includes technical details and a sample exploit using curl. The author expresses frustration at the lack of acknowledgment for their contribution to improving software security.
Cross Cache Attack CheetSheet - Cross-cache attacks in Linux kernel exploitation can transfer a UAF from one object to another, even if they are allocated from different slabs. The Theori team shared details of their kernelCTF exploitation using cross-cache attacks. The process involves steps like spraying objects, allocating victim objects, recycling slabs, and triggering UAF. Techniques like SLUBStick can be used to determine the state of slab caches for successful exploitation. Evaluation of these attacks can be done by measuring kmalloc latency and observing time peaks.
DoubleClickjacking: A New Era of UI Redressing - DoubleClickjacking is a new type of UI Redressing attack that takes advantage of double-click sequences, allowing attackers to trick users into authorizing malicious applications or making account changes without their knowledge. This technique bypasses traditional clickjacking protections, posing a significant risk to websites and browser extensions. Developers can mitigate the risk of DoubleClickjacking by implementing a protective library on sensitive pages and by enforcing user interaction before enabling critical buttons. Long-term solutions may involve browsers adopting new standards to defend against this type of exploitation.
How is my Browser blocking RWX execution? - The author discovered a security feature implemented in a popular browser that acts like an EDR by hooking a key Windows API to check thread creation at runtime. This feature prevents the execution of RWX shellcode, even when injected successfully, by redirecting thread creation through a custom DLL within the browser that checks the memory attributes of the thread's address. If the memory address is not a valid value, the thread start point is changed to a sinkhole, effectively neutralizing the execution of the thread. The author believes this feature to be a security control to make exploit development harder for applications like browsers that have sensitive memory areas.
0x04 - Introduction to Windows Kernel Write What Where Vulnerabilities - This article provides an introduction to Windows Kernel Write What Where vulnerabilities, which are considered one of the most powerful types of vulnerabilities. The author explains the concept using a non-technical example involving SpongeBob and Patrick from the show "SpongeBob SquarePants." The article includes a detailed walkthrough of exploiting a Write What Where vulnerability on Windows 7 (x86) and adapting the exploit for Windows 11 (x64). The author also provides code snippets and a step-by-step guide for exploiting the vulnerability on both platforms, highlighting the differences between the two versions.
Some Casual Notes for CVE-2024-26921 - CVE-2024-26921 is a vulnerability in the network subsystem that has been demonstrated to be exploitable in kernelCTF. The vulnerability occurs when a socket is created and certain functions are called, ultimately leading to a use-after-free vulnerability. The root cause of the issue lies in a defrag netfilter hook function that can be triggered, resulting in the freeing of an object and subsequent use of that freed object, leading to the UAF.
Hat Trick: AWS introduced same RCE vulnerability three times in four years - Amazon's AWS Neuron SDK has introduced the same remote code execution vulnerability multiple times over the past four years due to flawed install instructions using the "extra-index-url" parameter. Despite being notified of the issue in 2022 and 2020, Amazon has not fully addressed the problem by still including the flawed instructions in their documentation. This repeated mistake raises questions about Amazon's approach to security and highlights the importance of thoroughly reviewing code before implementation to ensure security. Giraffe Security, the group that discovered the vulnerability, encourages users to be cautious and thorough when using code from reputable sources like AWS.
PandoraFMS v7.0NG.777.3 Remote Command Execution (CVE-2024-11320) - An RCE vulnerability (CVE-2024-11320) was found in PandoraFMS v7.0NG.777.3 during a code review. The vulnerability allowed remote command execution through LDAP authentication. By injecting a payload into the authentication settings and initiating an LDAP authentication process, a reverse shell could be executed. An exploit code was developed to automate the process of exploiting the vulnerability. The vulnerability was fixed in version 777.5 of PandoraFMS.
I’m watching you! How to spy Windows users via MS UIA - The article discusses how to spy on Windows users using the Microsoft User Interface Automation framework. The framework allows for automation of Windows GUI tasks, and the article explores its components, such as elements, properties, and events. The author also shares a proof of concept tool called Spyndicapped, which utilizes the framework to spy on users. The article provides insights into event handling, working with the COM classes, and developing a stealth logger for tracking user activities on Windows applications.
World’s First MIDI Shellcode - The blog post details the author's journey in reverse engineering their Yamaha PSR-E433 synth to gain remote code execution via MIDI messages in order to play a video on its LCD. The author first explored the internals of the synth, then experimented with different approaches to gain access to the firmware, ultimately discovering a MIDI shellcode that allowed them to manipulate the display data on the LCD. Despite facing challenges such as low data transfer efficiency and artifacting, the author was able to successfully display video on the LCD through MIDI commands. The author also outlines potential future directions for the project, such as further exploring the chip's MMIO region and DSP capabilities.
Threat Intel and Defense
Sclpfybn Monetization Scheme - Secure Annex analyzes monetization strategies identified during research on the compromised "Reader Mode" extension. The investigation highlights how threat actors exploit these extensions to generate revenue, potentially through methods such as injecting advertisements, collecting user data, or redirecting traffic. The article underscores the importance of monitoring and securing browser extensions to prevent unauthorized monetization and protect user privacy.
Tools and Exploits
LDAP Nightmare - LdapNightmare is a Proof of Concept (PoC) tool that tests a vulnerable Windows Server against CVE-2024-49113, a critical vulnerability in Windows Lightweight Directory Access Protocol (LDAP) that allows for remote code execution. The exploit leverages the vulnerability to crash target Windows Server systems by interacting with their Netlogon Remote Protocol (NRPC) and LDAP client. The tool requires the installation of specific Python packages and allows for configuration of various parameters to exploit the vulnerability. The script initiates an LDAP server, triggers the vulnerability with a specially crafted response, and causes the victim server to crash.
btexec - The GitHub repository btexec is a tool that allows for the execution of shellcode via Bluetooth device authentication. The program checks if Bluetooth is enabled on the victim machine, searches for nearby Bluetooth devices, and triggers the device to authenticate to the victim machine, executing the shellcode. This process does not require any user interaction and does not display popups to the user. The tool is designed for use in environments where there are multiple Bluetooth devices nearby, such as offices and coffee shops.
PugRecon - This message is inviting readers to query some subdomains, suggesting that they are all resolved and validated. It is signed off with the creator's name and a heart emoji.
Memory-Dump-UEFI - This GitHub repository contains a UEFI application for dumping the contents of RAM, intended for use in forensics or other purposes. The application can be flashed onto a USB device and booted live, with instructions provided for running it from the UEFI shell. The repository also includes scripts for setting up an EDK2 development environment on Linux distributions. The developer recommends taking steps to preserve the contents of RAM, such as shorting the reset pins on the motherboard or physically cooling the RAM.
CF-Hero - CF-Hero is a reconnaissance tool developed to uncover the origin IP addresses of web applications protected by Cloudflare. It utilizes various data sources such as current and historical DNS records, related domain correlation, Censys, Shodan, and SecurityTrails to identify potential origin IPs. The tool validates findings to minimize false positives through response analysis. Users can run CF-Hero with different parameters to include additional scanning options like Shodan, SecurityTrails, or custom settings like HTTP method and User-Agent configuration. The tool also supports JA3 randomization to bypass Cloudflare's JA3 hash blocking in some cases.
ACEshark - ACEshark is a utility aimed at quickly extracting and analyzing Windows service configurations and Access Control Entries, removing the reliance on non-native binaries like accesschk.exe. It can help identify potential privilege escalation vectors by analyzing service permissions for specific users or across all groups and accounts. ACEshark operates by starting an HTTP/HTTPS server as a listener for service configurations and Access Control Entries, generating a detailed analysis log file. It is essential to use this tool responsibly and with explicit permission, as unauthorized use against hosts is illegal.
Spyndicapped - The GitHub project Spyndicapped by CICADA8 Research Team introduces a new malware keylogging technique called COM ViewLogger. This technique uses the Windows User Automation framework to spy on users and log their activities. The project includes handlers for capturing GUI changes such as data input, text copying, and data modification. It also provides examples of looting KeePass and parsing Telegram, Slack, and WhatsApp messages.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
Debugging memory corruption: Who wrote ‘2’ into my stack?! - The text discusses debugging memory corruption in Unity, with a focus on identifying who wrote '2' into the stack. It also mentions the Unity Asset Store, Center of Excellence, and values of inclusion and diversity. The copyright information states that Unity Technologies owns the trademarks associated with Unity, and personal information will not be sold or shared. Other names and brands are the trademarks of their respective owners.
Comments