
Last Week in Security - 2024-07-15


We're Hiring!


For more open positions visit: https://www.sixgen.io/careers


Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools, and exploits from the past week. This post covers 2024-07-08 to 2024-07-15.

News

  • People’s Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action - The People’s Republic of China (PRC) Ministry of State Security APT40 is a state-sponsored cyber group that has targeted organizations in various countries, including Australia and the United States. The group conducts malicious cyber operations for the PRC Ministry of State Security (MSS). A recent advisory from multiple security agencies outlines the techniques and activities of APT40, including exploiting vulnerabilities in widely used software and using compromised devices as operational infrastructure. The advisory provides case studies of APT40’s techniques in action against victim networks and recommends mitigation strategies, such as patching systems, implementing network segmentation, and enforcing least privilege access.

  • CISA Red Team’s Operations Against a Federal Civilian Executive Branch Organization Highlights the Necessity of Defense-in-Depth - In early 2023, the Cybersecurity and Infrastructure Security Agency conducted a red team assessment against a Federal Civilian Executive Branch organization, highlighting the importance of defense-in-depth. The red team gained access through exploiting vulnerabilities in a Solaris enclave and phishing efforts in the Windows environment. The assessment revealed insufficient controls, network segmentation, trust relationships, and communication issues hindering the organization's network defenders. Recommendations were provided to mitigate identified issues and improve security practices, emphasizing the importance of secure software design.

  • Justice Department Leads Efforts Among Federal, International, and Private Sector Partners to Disrupt Covert Russian Government-Operated Social Media Bot Farm - The Office of Public Affairs at the Justice Department led efforts to disrupt a covert Russian government-operated social media bot farm that spread disinformation in the US and abroad. The Justice Department announced the seizure of domain names and search of social media accounts used by Russian actors to create the AI-enhanced bot farm.

  • Microsoft Patch Tuesday, July 2024 Edition - Microsoft released software updates to fix 139 security holes in various products, with two zero-day vulnerabilities being actively exploited. One flaw allows attackers to increase account privileges on Windows Server 2022 systems, while the other affects the MSHTML engine in Internet Explorer. Security experts recommend prioritizing these patches, particularly for a remote code execution flaw in Windows Remote Desktop. Businesses using SQL Server 2014 are urged to update as it reaches the End of Support date, and users are advised to stay current with security updates and back up data before applying patches.

  • CVE-2024-38021: Moniker RCE Vulnerability Uncovered in Microsoft Outlook - A zero-click remote code execution (RCE) vulnerability, CVE-2024-38021, was discovered in Microsoft Outlook by Morphisec researchers. This vulnerability poses a severe risk as it could allow unauthorized access and data breaches without user interaction. Microsoft has released a patch for this vulnerability, and Morphisec recommends updating all Microsoft Outlook and Office applications immediately to mitigate the risk. Their Automated Moving Target Defense (AMTD) technology can help reduce the risk of exploitation from vulnerabilities like CVE-2024-38021.

  • The July 2024 Security Update Review - Zero Day Initiative reviewed the July 2024 security updates from Microsoft and Adobe. Adobe released three patches addressing seven vulnerabilities, while Microsoft released 139 new CVEs in various components. Microsoft's patches included fixes for critical vulnerabilities like Windows Hyper-V Elevation of Privilege and Windows Remote Desktop Licensing Service Remote Code Execution. There were also fixes for information disclosure, denial of service, spoofing, and security feature bypass bugs. The next Patch Tuesday will be on August 13.

  • The President Ordered a Board to Probe a Massive Russian Cyberattack. It Never Did. - The Cyber Safety Review Board, established by the President after the SolarWinds breach, failed to investigate the underlying weakness in Microsoft software that led to the hack. The board did not probe SolarWinds for its second report, instead focusing on a different 2023 attack. The board's lack of investigation into Microsoft's role in the SolarWinds breach has raised concerns about its effectiveness and ability to hold government agencies accountable for cybersecurity failures. Critics argue that the board's current structure, lack of independence, and limited resources hamper its ability to address critical cybersecurity issues effectively.

  • AT&T Unlawful access of customer data - AT&T recently experienced unlawful access of customer data where phone call and text message records of nearly all AT&T cellular customers from May 1, 2022, to October 31, 2022, were illegally downloaded. The data did not include personal details such as Social Security numbers or dates of birth, but did include phone numbers and call/text counts. The access point has been secured, and AT&T is working with law enforcement to address the issue and notify affected customers.

  • Hackers Steal Phone, SMS Records for Nearly All AT&T Customers - Crooks stole phone call and text message records for nearly all AT&T customers, exposing approximately 110 million people. The stolen data includes call and text interactions, but not personal information like Social Security numbers. AT&T delayed disclosing the breach for national security reasons and is working with federal investigators to address the incident. This breach highlights the need for stronger security measures in protecting customer data.

  • AT&T Discloses Breach of Customer Data - AT&T disclosed on July 12, 2024, that there was unauthorized access to customer data from a third-party cloud platform. The company provided recommendations and resources for affected customers. CISA encourages customers to review the AT&T article for additional information and follow the necessary guidance to protect personal information.

  • Hackers use PoC exploits in attacks 22 minutes after release - Hackers are quick to use proof-of-concept exploits in attacks shortly after release, as shown in a Cloudflare report covering activity between May 2023 and March 2024. The report highlights emerging threat trends and the speed at which attackers weaponize vulnerabilities such as CVEs.

Techniques and Write-ups

  • Obfuscating Linux Symbols: a novel approach to evade static analysis in Linux malware. - A technical blog post from a security consultancy (whose services include penetration testing, data protection training, security assessments, and compliance services) on obfuscating Linux symbols to evade static analysis of Linux malware. By replacing imported function names with hashes and resolving the system functions dynamically at runtime, the authors demonstrate how malicious functionality can be hidden from detection mechanisms that rely on visible imports and symbols.

  • Hidden between the tags: Insights into spammers’ evasion techniques in HTML Smuggling - Cisco Talos has discovered malicious email campaigns using HTML smuggling to disguise JavaScript code within HTML attachments. Threat actors target specific industry verticals, with human resources, insurance, and healthcare companies being the most targeted. They use various evasion techniques, such as encryption and obfuscation, to bypass email gateways. Talos is releasing open-source tools to reverse encoded JavaScript code in HTML attachments for improved detection. The blog post also discusses techniques threat actors use, such as manipulating file extensions and obfuscating JavaScript code, to evade detection and deliver malware.

  • Today I Learned - kernel.modules_disabled - The kernel.modules_disabled parameter in the Linux kernel is a security feature that prevents the loading and unloading of kernel modules to protect against attacks like rootkits. Mandiant discovered the REPTILE rootkit being used by attackers as part of their toolset. By enabling this feature, attempts to load or unload kernel modules will fail, making it harder for attackers to manipulate the system at a low level. However, this setting is disabled by default and can only be enabled permanently with a reboot.

  • Don't Click Evil.txt: CVE-2024-30050 and Other Windows Silliness - The article discusses various vulnerabilities in Windows that allow attackers to bypass security prompts and execute arbitrary code. These vulnerabilities involve flaws in handling shortcuts, malformed network share filenames, and inconsistencies in file types. By exploiting these vulnerabilities, attackers can trick users into running malicious files without any warnings. Microsoft has released patches to address some of these issues, but there are still opportunities for future research in this area.

  • Resurrecting Internet Explorer: Threat Actors Using Zero-day Tricks in Internet Shortcut File to Lure Victims (CVE-2024-38112) - Check Point Research discovered threat actors using novel tricks to lure Windows users for remote code execution by using Internet Shortcut files with Internet Explorer. These attackers exploited a zero-day vulnerability (CVE-2024-38112) to target victims, using a combination of techniques to make victims believe they were opening a PDF file while downloading and executing a malicious .hta application.

  • PhishNet: Cybersquatting Hunting with Python and APIs - The article discusses the issue of cybersquatting and how it can be used for malicious purposes such as phishing. The author presents a Python script called PhishNet that utilizes various APIs to monitor and analyze potentially malicious domain permutations. The script generates detailed reports on domains, including information on DNS records, IP reputation, domain availability status, and more. By using APIs like dnstwister, urlscan, domainr, Virustotal, ipinfo, and whois55, users can quickly identify and track potentially harmful domains. The script is a valuable tool for cybersecurity professionals to combat cyber threats like phishing attacks.
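The core of a cybersquatting monitor like the one described above is the permutation list itself. As an added example (not PhishNet's own code), this generates lookalikes of a domain you own (omission, repetition, transposition, homoglyph substitution, hyphenation and TLD swap) and matches a constructed list of observed domains against it; the `HOMOGLYPHS` table and the observed names are assumptions for illustration.

```python
"""Added example (not PhishNet's own code): generate lookalike permutations of a domain
you own so they can be fed to DNS/WHOIS or reputation lookups, and match observed
domains against that list. The brand domain and the observed names are constructed."""

HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "m": "rn", "w": "vv"}
ALT_TLDS = ("com", "net", "org", "co", "io")


def permutations(domain: str) -> set:
    """Omission, repetition, adjacent transposition, homoglyph substitution, hyphenation
    and TLD swap. The original domain itself is never returned."""
    label, _, tld = domain.lower().partition(".")
    labels = set()
    for i, ch in enumerate(label):
        labels.add(label[:i] + label[i + 1:])                       # omission
        labels.add(label[:i] + ch + ch + label[i + 1:])            # repetition
        if i + 1 < len(label):                                     # transposition
            labels.add(label[:i] + label[i + 1] + ch + label[i + 2:])
        if ch in HOMOGLYPHS:                                       # homoglyph
            labels.add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:])
        if 0 < i < len(label) - 1:                                 # hyphenation
            labels.add(label[:i] + "-" + label[i:])
    out = {f"{l}.{tld}" for l in labels if l and l != label}
    out |= {f"{label}.{t}" for t in ALT_TLDS if t != tld}
    return out


def flag_lookalikes(observed, brand_domain):
    """Return the observed domains (e.g. from a newly-registered-domain feed) that match
    a permutation of the brand domain, sorted."""
    lookalikes = permutations(brand_domain)
    return sorted(d.lower() for d in observed if d.lower() in lookalikes)


# Constructed sample of "observed" registrations; only three are lookalikes of example.com.
OBSERVED = ["examp1e.com", "exmaple.com", "unrelated.org", "example.net", "example.com"]

if __name__ == "__main__":
    for hit in flag_lookalikes(OBSERVED, "example.com"):
        print("lookalike:", hit)
```

Each hit would then be enriched the way the article describes (DNS records, WHOIS age, reputation), which is where the API calls belong; the generator itself needs no network access and can run on every new-registration feed update.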

  • Drink Like a Phish: How to Make Your Phishing Sites Blend In - The article discusses the importance of making phishing sites blend in to avoid detection by bots. It explains how scanning tools can quickly identify web servers, and provides tips on protecting phishing sites from being flagged as malicious by security vendors. The article also covers common mistakes to avoid when setting up phishing sites, such as responding with phishing content to every HTTP request and using new domains for phishing. Additionally, it suggests using techniques like serving benign content by default and utilizing browser-in-the-middle attacks to deceive web proxies.

  • Securing Developer Tools: Unpatched Code Vulnerabilities in Gogs (2/2) - This article emphasizes clean code and quality-assured AI-assisted code to improve software security. Recommendations include disabling certain features and switching to Gitea for better maintenance. Sonar has provided patches and guidance for protecting Gogs instances from potential attacks resulting from the vulnerabilities.

  • Binary secret scanning helped us prevent (what might have been) the worst supply chain attack you can imagine - JFrog's binary secret scanning technology helped prevent a potential catastrophic supply chain attack by identifying and reporting a leaked access token with administrator access to key Python repositories. This incident highlights the importance of shifting right in secrets detection by also scanning binary artifacts, not just source code. The JFrog Security Research team quickly alerted PyPI's security team, who revoked the token within 17 minutes, preventing any potential damage. This case underscores the need for comprehensive secrets detection methods and the importance of using modern access token formats for better visibility and security.
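The lesson of the JFrog write-up is that a token only visible inside a compiled member still leaks. As an added example (not JFrog's scanner), this scans a zip-based artifact member by member, binary members included, for credential-shaped strings; the `pypi-` and `ghp_` prefixes are the real PyPI API token and GitHub personal access token prefixes, while the archive contents and the token value are constructed.

```python
"""Added example (not JFrog's scanner): scan a built artifact, binary members included,
for credential-shaped strings. The two prefixes are the real ones for PyPI API tokens
('pypi-') and GitHub personal access tokens ('ghp_'); the archive contents and the token
value are constructed."""
import io
import re
import zipfile

PATTERNS = {
    "pypi_api_token": re.compile(rb"pypi-[A-Za-z0-9_-]{20,}"),
    "github_pat": re.compile(rb"ghp_[A-Za-z0-9]{36}"),
}


def redact(token: str) -> str:
    """Keep enough to recognise the token type, never the whole secret."""
    return f"{token[:8]}...({len(token)} chars)"


def scan_bytes(data: bytes):
    """Run every pattern over raw bytes, so compiled files and blobs are covered too."""
    return [(kind, m.group().decode("ascii", "replace"))
            for kind, pat in PATTERNS.items() for m in pat.finditer(data)]


def scan_archive(blob: bytes):
    """Return (member, kind, redacted_token) for every hit in a zip-based artifact
    (wheels, jars and most packaged builds are zip files)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            for kind, token in scan_bytes(zf.read(info)):
                findings.append((info.filename, kind, redact(token)))
    return findings


def build_sample_artifact() -> bytes:
    """Constructed: clean source next to a compiled member that embeds a token string."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pkg/__init__.py", "VERSION = '1.0'\n")
        zf.writestr("pkg/__pycache__/release.cpython-311.pyc",
                    b"\x00\x01\x02" + b"pypi-" + b"A" * 40 + b"\x00\xff")
    return buf.getvalue()


if __name__ == "__main__":
    for member, kind, token in scan_archive(build_sample_artifact()):
        print(f"{member}: {kind} {token}")
```

Prefixed token formats are what make this cheap: a fixed, recognisable prefix gives a low-false-positive pattern that works on raw bytes, which is the "modern access token formats" point the article closes on. A source-only scanner would report nothing for this artifact.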

  • Pwn2Own: WAN-to-LAN Exploit Showcase - The Claroty Team82 participated in the Pwn2Own 2023 Toronto IoT hacking contest and showcased how an attacker can compromise a device on the wide-area network and move to the local network to compromise an IoT device. They exploited TP-Link ER605 routers and Synology BC500 IP cameras. The vulnerabilities they discovered allowed for remote code execution and bypassing NAT protection. They explained their research in a two-part series, detailing their techniques for exploiting routers and moving from the WAN to the LAN. They also shared how they prepared to pivot to a LAN attack after gaining full remote root access to the router.

  • plORMbing your Prisma ORM with Time-based Attacks - This article explores how to exploit the Prisma ORM to leak sensitive data using time-based attacks. It discusses the vulnerabilities in Prisma, demonstrates how relational filtering attacks can leak data, and explains how time-based attacks can be constructed and detected. The article introduces a tool called "plORMber" to assist with time-based exploitation of ORM Leak vulnerabilities. Future research areas and limitations of the project are also outlined. The series concludes with the release of plORMber as a proof-of-concept for automating time-based attacks on Prisma.

  • Wardriving Introduction & Kismet 6 GHz - The article discusses wardriving, a hobby of mapping unsecured Wi-Fi networks or networks with vulnerabilities for later exploitation. It mentions the Wigle database where users can upload signal data and search for signals in a given location. The article then provides a guide on using Kismet to capture signals on the 6 GHz band for wardriving, including configuring the software and running it in Wardrive mode. It concludes by mentioning upcoming posts in the wireless series.

  • Sorry, ChatGPT Is Under Maintenance: Persistent Denial of Service through Prompt Injection and Memory Attacks - This blog post discusses how ChatGPT can be vulnerable to persistent denial of service attacks through prompt injection and memory attacks. Attackers can manipulate ChatGPT by injecting malicious memories, causing it to become unusable and refuse future responses. Users can mitigate this by inspecting and removing suspicious memories or disabling the memory feature. The post also mentions the need for tools to observe AI memory for malware and viruses.

  • Exploring Compiled V8 JavaScript Usage in Malware - Check Point Research has been investigating the usage of compiled V8 JavaScript by malware authors, which assists attackers in evading static detections and hiding their original source code. They developed a tool called View8 to decompile V8 bytecode to a readable language for analysis. The tool has been used to analyze malicious compiled V8 applications, revealing various malware types with low detection rates. Threat actors have been leveraging V8 bytecode in malware, such as ChromeLoader, ransomware, and shellcode loaders, to carry out malicious activities while evading detection.

  • VBA: overwriting R/W/X memory in a reliable way - The article discusses how to overwrite R/W/X memory in a reliable way using VBA techniques. The author, known as Adepts of 0xCC, presents a solution to add stability to the technique previously discussed in another post. By utilizing fake function calls and discovering strings in the memory region, placeholders can be used to seed the memory region with a small loader. This allows for the execution of shellcode without risking corruption or crashes. The technique is presented as a refined and more stable method for executing code in VBA.

  • WhatsUp Gold Pre-Auth RCE GetFileWithoutZip Primitive (CVE-2024-4885) - A path traversal vulnerability in the latest version of Progress WhatsUp Gold was discovered, leading to remote code execution, allowing attackers to manage endpoints, execute commands remotely, and potentially access an entire network. By exploiting the .NET services, attackers can manipulate configurations to trigger a remote code execution exploit. The exploit allows attackers to send a malicious request, retrieve a poisoned response, and gain control over the system, potentially leading to unauthorized access and data exfiltration. The exploit was detailed in a proof of concept by Sina Kheirkhah of SummoningTeam, with a focus on exploiting the vulnerability for remote code execution.

  • WhatsUp Gold SetAdminPassword Privilege Escalation (CVE-2024-5009) - A privilege escalation vulnerability was discovered in the WhatsUp Gold software, which allows attackers to escalate their privileges by overwriting the administrator password. This vulnerability can be exploited locally and unauthenticated. A proof of concept exploit was provided by Sina Kheirkhah of Summoning Team. The vulnerability was reported to Zero Day Initiative, who published an advisory on July 3rd.

  • dirDevil: Hiding Code and Content Within Folder Structures - TrustedSec explores a method for hiding data within folder structures, creating a fileless storage solution. By encoding data into folder names, data can be stored in a way that is not easily detected by traditional AV or DLP software. While this technique can hide data effectively, it may not have practical real-world applications due to the need for code execution and potential issues with file size when using compression methods like ZIP. Nonetheless, the exercise demonstrates the creative ways data can be hidden on a system.

  • Bidding Like a Billionaire - Stealing NFTs With 4-Char CSTIs - The author discovered a bug in a web3-related bug bounty program that allowed an attacker to steal NFTs from users on the site by exploiting a Client Side Template Injection (CSTI) vulnerability. By injecting a series of specific templates into the site's bid table, the author was able to construct a payload that executed arbitrary JavaScript code, leading to a successful exploit. Despite facing challenges due to the limitations of the vulnerability, the author's persistence paid off, highlighting the importance of thorough research in hacking. The vulnerability could have been used to steal NFTs by manipulating bid amounts, illustrating the impact of such exploits.

  • Introducing a New Vulnerability Class: False File Immutability - The article introduces a new vulnerability class called False File Immutability in Windows, highlighting the risks of incorrect assumptions in file security. It discusses how this vulnerability can be exploited to achieve arbitrary code execution with kernel privileges. The article also explores how this vulnerability affects different aspects of the Windows system, including paging, code integrity, and user-mode applications. Mitigation strategies and the disclosure timeline for the vulnerability are also shared in the article.

  • A Race to the Bottom - Database Transactions Undermining Your AppSec - Database transactions are a crucial part of modern applications, but they can introduce vulnerabilities if not implemented correctly. The article discusses a common code pattern involving database transactions that can lead to exploitable race conditions. By exploiting concurrency in database transactions, an attacker can manipulate account balances, potentially overdraw account balances. Mitigating these vulnerabilities involves setting proper isolation levels in transactions and implementing strategies such as pessimistic or optimistic locking. Testing results indicate that certain isolation levels in databases are vulnerable to race conditions, highlighting the importance of secure transaction handling in applications.
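The pattern the article describes is a SELECT, a comparison in application code, then an UPDATE with the computed value. As an added example (not from the article), here is that pattern with its race simulated deterministically, beside the atomic conditional UPDATE that closes it; the `accounts` table and balances are constructed and SQLite in memory stands in for the application's database.

```python
"""Added example (not from the article): the check-then-write withdrawal pattern
beside an atomic conditional UPDATE. The 'accounts' table and balances are constructed;
SQLite in memory stands in for the application's database."""
import sqlite3


def new_db(balance: int = 100) -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, balance INTEGER NOT NULL)")
    conn.execute("INSERT INTO accounts (id, balance) VALUES (1, ?)", (balance,))
    conn.commit()
    return conn


def read_balance(conn, account_id):
    return conn.execute("SELECT balance FROM accounts WHERE id = ?", (account_id,)).fetchone()[0]


# Vulnerable pattern: SELECT, compare in application code, then UPDATE with the
# computed value. Under READ COMMITTED (or weaker) two transactions can both read
# the same balance before either writes, so both pass the check.
def racy_withdrawals(conn, account_id, amount, concurrent=2):
    """Simulate `concurrent` requests whose reads all land before any write.
    Returns (final_balance, approved_count)."""
    stale_reads = [read_balance(conn, account_id) for _ in range(concurrent)]
    approved = 0
    for stale in stale_reads:
        if stale >= amount:                      # every request passes the check
            conn.execute("UPDATE accounts SET balance = ? WHERE id = ?",
                         (stale - amount, account_id))  # last writer wins
            conn.commit()
            approved += 1
    return read_balance(conn, account_id), approved


# Fix: make the guard part of the write. The database evaluates `balance >= ?`
# against the row it is about to modify, so a request that loses the race sees
# the debited row and matches zero rows. (Optimistic locking with a version
# column works the same way: `... WHERE id = ? AND version = ?`.)
def safe_withdraw(conn, account_id, amount) -> bool:
    with conn:
        cur = conn.execute(
            "UPDATE accounts SET balance = balance - ? WHERE id = ? AND balance >= ?",
            (amount, account_id, amount))
    return cur.rowcount == 1


def safe_withdrawals(conn, account_id, amount, concurrent=2):
    approved = sum(safe_withdraw(conn, account_id, amount) for _ in range(concurrent))
    return read_balance(conn, account_id), approved


if __name__ == "__main__":
    print("racy:", racy_withdrawals(new_db(100), 1, 60))   # two withdrawals of 60 approved from 100
    print("safe:", safe_withdrawals(new_db(100), 1, 60))   # only one approved
```

With a balance of 100 and two concurrent withdrawals of 60, the racy version approves both (120 paid out, balance left at 40), while the conditional UPDATE approves exactly one. The article's other mitigation, pessimistic locking, keeps the read-then-write shape but takes the row lock at the read (`SELECT ... FOR UPDATE` in PostgreSQL and MySQL, `BEGIN IMMEDIATE` in SQLite), so the second transaction blocks until the first commits and then re-reads the debited balance.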

  • GitHub Actions exploitation: repo jacking and environment manipulation - The article discusses GitHub Actions exploitation through repo jacking and environment manipulation, highlighting three common misconfigurations that can be leveraged to gain write access to a repository or extract sensitive secrets. Real-world instances from popular open-source projects are provided to illustrate these vulnerabilities. The vulnerabilities include repo jacking, setting environment variables in workflows, and using deprecated commands that can lead to arbitrary code execution. Various examples of vulnerable workflows and potential exploitation techniques are outlined, emphasizing the importance of robust measures to prevent unauthorized manipulation of environment variables.

  • Asia's SMS stealers: 1,000 bots and one study - A study conducted by PT ESC Threat Intelligence revealed the presence of over 1,000 Telegram bots used for SMS stealing in Asia, primarily in Indonesia. The research identified two core malware types, SMS Webpro and NotifySmsStealer, which were used for mass attacks on users, particularly in Bangladesh and India. The attackers used phishing tactics to distribute malware disguised as various applications, including bank apps and online services. While most attacks targeted Indonesia, unique cases of malware were also detected in India and Bangladesh, showcasing a wider geographical impact of the threat. The study highlights the need for users to be cautious of downloading files from unknown sources and to verify app permissions before installation to protect themselves from such attacks.

  • Chaining Three Bugs to Access All Your ServiceNow Data - A series of vulnerabilities in ServiceNow, assigned CVEs CVE-2024-4879, CVE-2024-5178, and CVE-2024-5217, allowed for full database access and control over MID servers. The exploits leveraged weak namespace handling and insufficient file path validation to achieve arbitrary code execution and access sensitive configuration files, bypassing existing security mechanisms.

  • DarkGate: Dancing the Samba With Alluring Excel Files - The article discusses a DarkGate malware campaign that used Microsoft Excel files to distribute malicious software from public-facing SMB file shares. DarkGate has evolved into a malware-as-a-service offering, with various capabilities such as hidden virtual network computing and remote code execution. The article also provides an analysis of the DarkGate malware, including its evasion tactics and anti-analysis techniques. It emphasizes the need for robust cybersecurity defenses to combat the evolving threat posed by DarkGate.

  • Evernote RCE: From PDF.js font-injection to All-platform Electron exposed ipcRenderer with listened BrokerBridge Remote-Code Execution - The blog post details the discovery of a critical Remote Code Execution (RCE) vulnerability in Evernote's application that stems from a JavaScript injection into a PDF file, allowing attackers to execute commands and files invisibly. The exploitation chain begins with the PDF plugin integrated into Evernote and ends in Electron's IPC communication. By exploiting the exposed ipcRenderer API and BrokerBridge listener, an attacker can execute arbitrary code, leading to potential malicious activities like downloading and executing malicious scripts. The post walks through the reverse-engineering and debugging that led from the injection to RCE.

  • Fickle PDFs: exploiting browser rendering discrepancies - The article discusses how PDF files can be manipulated to exploit browser rendering discrepancies, leading to different prices being displayed in different browsers. By abusing widget annotations in the PDF file, users can create render discrepancies and change the displayed price. The research showcases how different browsers handle PDF rendering, with examples from Google Chrome, Safari, and Firefox. It also provides code snippets for creating hybrid PDFs with different prices displayed in different browsers.

  • Exploiting Enterprise Backup Software For Privilege Escalation: Part Two - The blog series explores vulnerabilities in Macrium Reflect software that can be exploited for privilege escalation. It delves into the practical aspects of exploitation, focusing on using kernel heap exploitation primitives to build an effective exploit. The goal is to escalate privileges through a kernel driver by manipulating the token object. The process involves conducting heap reconnaissance, preparing the payload, and strategically allocating the write primitive buffer to trigger the exploit. The successful exploitation leads to elevated privileges for a targeted process, highlighting the importance of prompt fixes for such vulnerabilities.

  • 10 Years of Windows Privilege Escalations with Potatoes - GitHub repo collecting the "Potato" family of Windows privilege escalation demos.

  • Dynamics 365 Business Central - A Journey With Ups and Downs - The author shares their journey with Dynamics 365 Business Central, highlighting the discovery of vulnerabilities, the process of reporting them to Microsoft, and their decision to donate the bounty to charity. They detail their setup and technology analysis, including exploring the on-premises installation files. The author delves into hunting for vulnerabilities in JSON deserialization, finding gadgets for potential exploitation, and ultimately finding an entry point for executing a payload without authentication. They also discuss challenges faced, such as the obsolescence of BinaryFormatter in .NET Core.

  • Charting the IOCs - The article discusses the importance of understanding and tracking command-and-control (C2) locations to defend against cyber threats. It emphasizes the need to know your enemy and provides insights into where and how threat actors operate. The author explains how to track C2 servers through domain names and IP addresses, and highlights patterns in enemy infrastructure to help network defenders block and detect attacks. Additionally, the article provides tools and recommendations for network defenders to block or monitor malicious infrastructure.

  • LeHack 2024 - NetExec workshop writeup - The author participated in LeHack 2024's NetExec workshop, focusing on compromising an Active Directory environment and becoming a Domain Admin of 2 domains using NetExec. They came in second, but are determined to win next year. The workshop involved running NetExec on the IP range to identify machines on the network and adding the IPs to a file for further actions. Additionally, the FQDN of the machines was added for name resolution.

  • $3,094 Bounty Awarded and 150,000 WordPress Sites Protected Against Arbitrary File Upload Vulnerability Patched in Modern Events Calendar WordPress Plugin - A bounty of $3,094 was awarded to a researcher who discovered and reported an Arbitrary File Upload vulnerability in the Modern Events Calendar WordPress plugin, protecting 150,000 WordPress sites. The vulnerability allowed authenticated users to upload arbitrary files and potentially execute remote code. A firewall rule was provided to users for protection, the plugin developer released a patch on July 8, 2024, and users are urged to update to the patched version. Wordfence runs a Bug Bounty Program for WordPress plugins and themes, offering rewards for vulnerability submissions.

  • SaladCat: Distributed Password Cracking on the Cheap Using Salad Cloud - The author used Salad Cloud to create a distributed hashcat cracking setup for password cracking, which worked effectively and cost only $10 to run for an hour. The setup involved using Hashtopolis and building a script called SaladCat to easily deploy hashcracking agents on Salad Cloud's network. The author found that Salad Cloud was a better option than Vast.ai for this project due to its ease of scaling, billing, and flexibility. Further exploration of Salad Cloud from technical and cybersecurity perspectives is planned for future blog posts.

  • The Wild West of Proof of Concept Exploit Code (PoC) - The blog discusses the history of exploit code and the risks associated with running untrusted code without proper verification. It goes on to analyze a recent discovery of a critical vulnerability in OpenSSH's server and the challenges faced in exploiting it. The blog also delves into a detailed analysis of a backdoor discovered in a heavily modified version of a Golang Command and Control framework, highlighting the complexity and sophistication of modern cyber attacks targeting cybersecurity researchers. The post concludes with a reminder to be cautious and thorough in evaluating and running exploit code to prevent falling victim to malicious attacks.

  • How Much Does a Penetration Test Cost? - Penetration testing, also known as pen testing, is a proactive cybersecurity measure that aims to identify and fix vulnerabilities in systems before they are exploited by hackers. The cost of penetration testing depends on factors such as scope, complexity, type of tests, methodology, experience of the tester, and reputation of the testing company. Costs can range from $5,000 for basic tests in smaller organizations to $100,000 for high-end tests in large organizations with critical assets. Investing in penetration testing is crucial for proactive vulnerability identification, cost-effective security measures, compliance with industry standards, enhancing security posture, and building trust and reputation.

  • Thwacking DDOS with AWS WAF - The article discusses using AWS WAF to protect against DDoS attacks, focusing on layer 7 attacks that target applications. It explains the different motivations behind DDoS attacks and the categories of tools used. The article also delves into the features of AWS Shield Standard and Shield Advanced for DDoS protection. It provides practical tips on using AWS WAF for DDoS prevention, including creating rules based on patterns specific to the attack and then monitoring and tuning those rules. Additionally, it covers various rule features, actions, and limitations of AWS WAF for effective DDoS mitigation.

  • Firmware Security: Alcatel-Lucent ALE-DeskPhone - This blog post discusses the analysis of firmware security in an Alcatel-Lucent ALE-DeskPhone, focusing on potential security vulnerabilities. The analysis reveals a TOCTOU vulnerability that allows for local privilege escalation and access to sensitive files by low-privileged users using symbolic links. The post also mentions responsible disclosure of these issues to the manufacturer, resulting in patched firmware versions. Additionally, the post mentions previous research on similar vulnerabilities in Mitel desk phones and security issues with Microsoft Teams Direct Routing.

  • How to Install Lineage on Your Android Device - The article by BHIS provides a detailed guide on how to install LineageOS on an Android device. It explains the benefits of LineageOS, the precautions to take before installation, and the tools needed for the process. The installation involves unlocking the bootloader, flashing the recovery image, and installing LineageOS and other apps through sideloading. The article also includes recommendations for optional packages to install and offers assistance for any users who may need help during the installation process.

  • Unauthenticated SSRF on Havoc C2 teamserver via spoofed demon agent - The article describes a vulnerability in the Havoc C2 teamserver where unauthenticated attackers can create a TCP socket and read and write traffic through it. The vulnerability allows attackers to leak the origin IP of the teamserver, abuse it as a redirector, and route traffic through any listening socks proxies. By spoofing a demon agent registration, attackers can exploit this vulnerability to perform SSRF attacks. The article provides a detailed explanation of how to exploit this vulnerability by registering an agent, opening a socket, writing to it, and retrieving the data, ultimately achieving unauthenticated full read SSRF. It also recommends authenticating beacons and implementing heavy network restrictions to mitigate the risk of exploitation.

  • Rewriting completely the GameSpy support from 2000 to 2004 using Reverse Engineering on EA and Bungie Games - This article by João Vitor (@Keowu) documents the process of reverse engineering GameSpy support in EA and Bungie games from 2000 to 2004. The author aims to bring back classic games like Battlefield 1942 and Halo CE by rewriting their server lists. The article provides detailed steps and source code for researchers and fans to revive and enjoy these games once again. The author also explores security vulnerabilities in the games, such as abusing server serial keys to disconnect players.

  • Remote Session Enumeration via Undocumented Windows APIs - The author discusses remote session enumeration using undocumented Windows APIs by specifying a target host, opening a handle to the remote host, and enumerating session information. The author encounters challenges with understanding the API functions and structures but successfully extracts session information such as usernames and session states. Despite discrepancies in the function prototypes, the author is able to extract the necessary information from the byte arrays to achieve the desired outcome. The source code for the project is available on the author's GitHub page.

Tools and Exploits

  • Blast-RADIUS - Blast-RADIUS is a vulnerability in the RADIUS protocol that allows a man-in-the-middle attacker to forge a valid Access-Accept response without brute-forcing passwords or shared secrets, potentially granting unauthorized access to network devices and services. It affects all RADIUS implementations that use non-EAP authentication methods over UDP. Administrators of networks using RADIUS should check with their vendors for patches and follow best practices for RADIUS configuration. The attack combines a novel protocol vulnerability with an MD5 chosen-prefix collision attack and improvements to that attack's speed and space requirements. Recommended mitigations include requiring a Message-Authenticator attribute in every packet and, eventually, transitioning to RADIUS over TLS for modern cryptographic security guarantees.
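
The Message-Authenticator check that mitigation calls for, as an added example (not code from the Blast-RADIUS authors or from any RADIUS implementation): it builds a RADIUS response carrying the RFC 2869 HMAC-MD5 attribute and a verifier that rejects any response lacking or failing it, so the forgeable MD5 Response Authenticator is never trusted on its own. The shared secret and Request Authenticator are constructed values.

```python
import hashlib
import hmac

MESSAGE_AUTHENTICATOR = 80  # RFC 2869 attribute type; value is a 16-byte HMAC-MD5
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3

def parse_attributes(payload):
    """Yield (type, value offset, value) per TLV attribute; raise on malformed input."""
    off = 0
    while off < len(payload):
        if off + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[off], payload[off + 1]
        if alen < 2 or off + alen > len(payload):
            raise ValueError("bad attribute length")
        yield atype, off + 2, payload[off + 2:off + alen]
        off += alen

def build_response(code, ident, request_auth, attrs, secret, with_ma=True):
    """Build a response; with_ma adds the RFC 2869 Message-Authenticator (HMAC-MD5, MA value zeroed)."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    if with_ma:
        body += bytes([MESSAGE_AUTHENTICATOR, 18]) + b"\x00" * 16
    pkt = bytes([code, ident]) + (20 + len(body)).to_bytes(2, "big") + request_auth + body
    if with_ma:
        pkt = pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()  # header holds the Request Authenticator here
    resp_auth = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return pkt[:4] + resp_auth + pkt[20:]

def verify_response(pkt, request_auth, secret):
    """Reject unless the Response Authenticator matches and exactly one Message-Authenticator verifies."""
    if len(pkt) < 20 or int.from_bytes(pkt[2:4], "big") != len(pkt):
        return False
    resp_auth = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    if not hmac.compare_digest(resp_auth, pkt[4:20]):
        return False
    found = None
    try:
        for atype, voff, value in parse_attributes(pkt[20:]):
            if atype == MESSAGE_AUTHENTICATOR:
                if len(value) != 16 or found is not None:
                    return False  # malformed or duplicated attribute
                found = 20 + voff
    except ValueError:
        return False
    if found is None:
        return False  # no Message-Authenticator: this is the case Blast-RADIUS exploits
    zeroed = pkt[:4] + request_auth + pkt[20:found] + b"\x00" * 16 + pkt[found + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, pkt[found:found + 16])
```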

  • CVE-2024-4885 - This is a GitHub repository containing an exploit for CVE-2024-4885, an unauthenticated remote code execution vulnerability in Progress WhatsUp Gold. The exploit allows for the execution of commands on the vulnerable system and finding a web shell for further access. The project maintains that it is for academic research and defensive techniques development only and should not be used for unauthorized attacks.

  • CVE-2024-5009 - This GitHub project contains an exploit for CVE-2024-5009, a vulnerability that allows for privilege escalation in the Progress WhatsUp Gold software. The exploit, created by Sina Kheirkhah, generates a new admin password to demonstrate the impact of the vulnerability. The project emphasizes responsible use and academic research purposes, not for malicious attacks.

  • View8 - View8 is a tool that decompiles serialized V8 bytecode objects back into high-level readable code. It utilizes a patched compiled V8 binary to parse and disassemble these objects, producing a textual output similar to JavaScript. The tool can automatically detect the V8 bytecode version of the input file and search for a compatible disassembler binary, or it can work with already disassembled files. Users can specify export formats and use various options for processing disassembled files.

  • DojoLoader - DojoLoader is a GitHub repository for a generic PE loader that allows fast prototyping of evasion techniques. It was initially created to prototype sleep obfuscation techniques with a Cobalt Strike payload, aiming to reduce debugging time. The loader features download and execution of (XORed) shellcode from HTTP or a file, dynamic IAT hooking for the Sleep function, and several sleep obfuscation techniques to evade detection. It can be used with Cobalt Strike Beacon by generating a UDRL-less payload using the cna provided in the Utils folder.

  • MS-SharePoint-July-Patch-RCE-PoC - The GitHub repository testanull/MS-SharePoint-July-Patch-RCE-PoC contains a Remote Code Execution proof of concept for a vulnerability addressed in Microsoft SharePoint's July patch.

  • FlowAnalyzer - FlowAnalyzer is a tool designed to assist in testing and analyzing OAuth 2.0 Flows, including OpenID Connect. It provides notebooks to execute the flows and a directory with explanations for each flow. However, the tool is not meant for formal authentication or authorization checks in applications. For production code, it is recommended to use the Microsoft identity platform authentication libraries. The tool also covers topics like JSON Web Tokens and libraries for token signing/verification.

  • NetExec v1.2.0 feature rundown - Version 1.2.0 of NetExec, named ItsAlwaysDNS, includes various new modules and features such as DNS options, credential looting for software like SCCM, PuTTY, and more, LDAP queries for obsolete operating systems and active users, and SMB modules for Printerbug and ADCS hunting. PowerShell command execution has been reworked, and the tool now supports tab-completion when installed with pipx. The release is also available on Kali Linux. The detailed changes and standalone binaries can be found on the GitHub page.

  • Graphpython - Graphpython is a modular Python tool for cross-platform Microsoft Graph API enumeration and exploitation, focusing on Entra ID, Office 365, and Intune services. It covers external reconnaissance, authentication/token manipulation, enumeration, and post-exploitation. The tool provides various commands for red team and cloud assumed breach operations, including obtaining graph tokens, user enumeration, device management, and more. It offers a comprehensive solution for interacting with the Microsoft Graph API for red team activities.

  • ADSpider - The GitHub repository "DrunkF0x/ADSpider" contains a tool to monitor changes in Active Directory using replication metadata and Update Sequence Number. It excludes certain events, outputs in list format, and allows for the creation of an XML file with the output. The tool is a PowerShell module for Active Directory and should be run from a domain user's session. It provides features such as excluding specific Active Directory objects, setting a time interval for requests, and displaying previous captured XML files.

  • RemoteSessionEnum - The purpose of this project was to attempt to replicate the functionality of qwinsta /server: utilizing the largely undocumented Windows Station (WinSta) API.

  • GPT4o Captcha Bypass - a CLI tool for testing various types of captchas using Python and Selenium. It utilizes OpenAI GPT-4 to assist in solving the captchas. Users can clone the repository, install required Python packages, and run the tool with different captcha types such as text, complicated text, Google's reCAPTCHA, and puzzle captchas. The tool can bypass reCAPTCHA and slider captchas in an average of 10 attempts.

  • Havoc-C2-SSRF-poc - an exploit for the Havoc C2 0.7 Teamserver SSRF vulnerability. The exploit works by spoofing a demon agent registration and checkins to open a TCP socket on the teamserver, allowing attackers to leak origin IPs and more. The exploit can be run using the provided Python script with various options for customization. There are no releases published for this exploit on GitHub.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • Dumping LSA secrets: a story about task decorrelation - The blog post discusses the process of dumping LSA secrets during an internal assessment, despite facing obstacles from an EDR. It explains how to exploit decorrelation attacks to bypass EDR blocks and retrieve Windows boot keys without dumping the SYSTEM hive. The technique involves breaking the attack into smaller steps to avoid detection and successfully decrypt secrets. The author recommends using decorrelation to bypass EDRs and achieve successful information retrieval.

  • Hiding in plain sight: Modifying process names in UNIX-like systems - This blog post discusses the technique malware uses to evade detection on UNIX-like systems by modifying its process name. The technique, observed since the 1980s with the Morris worm, involves changing process names dynamically. The post explores various ways malware disguises itself on Linux, BSDs, and Solaris systems, delves into the technical details of how a process can modify its own name, and offers insights into detecting such tampering. It also touches on the limitations of changing process names on BSDs and Solaris and hints at future posts covering rootkit installation methods and process name retrieval on other systems such as Solaris.

  • PySkyWiFi: completely free, unbelievably stupid wi-fi on long-haul flights - In this article, the author describes his experience creating PySkyWiFi, a tool that allows users to access the internet on long-haul flights without paying for wifi by using their airmiles account as a tunnel. The author explains how he developed prototypes for instant messaging and live updates using airmiles accounts, which eventually led to the creation of PySkyWiFi, a simplified version of the TCP/IP protocol. The article also includes details on how PySkyWiFi works, tips for optimizing bandwidth, and potential future enhancements. The author ends by reflecting on the productivity and novelty of his experience using PySkyWiFi on a flight.

  • Dealing With API Hashing Using Qiling in Ghidra - The blog post discusses dealing with API hashing in malware samples using Qiling in Ghidra. API hashing is used to obfuscate API calls in samples, making reverse engineering challenging. Different techniques like HashDB, debugging, instrumentation, and emulation are discussed to handle API hashing. The post explores using Qiling Emulation Framework in Ghidra to resolve API hash calls in malware samples like REvil, Zloader, and Dridex. The post includes Python scripts for emulating API hash resolving functions and adding labels/comments in Ghidra. Emulation issues, implementation of missing API calls, and optimization tips for emulating API hash resolving are also discussed.

  • SO-CON 2024 Playlist - A YouTube playlist of recordings from the SO-CON 2024 event.

  • Get-UnixUserPassword - This GitHub repository contains a script that finds domain accounts with a unixUserPassword attribute, converts the values to clear text, and displays them using PowerShell/ADSI/LDAP. Red teams can use it for credential harvesting, and blue teams can use it to find accounts whose passwords should be cleared or removed, or whose ACLs should be modified. It has no dependencies and is designed for use in Active Directory environments.

  • Resurrecting a dead Dune RTS game - The blog post details the process of resurrecting the dead Dune RTS game Emperor: Battle for Dune through a patch called EmperorLauncher. The patch enables high resolution support, online multiplayer, and coop campaign mode, among other improvements. Technical details of reverse engineering, patching the game, fixing resolution issues, multiplayer setup, and integrating shared internet components are explained. Additionally, the process of creating a UI and polishing the game for a better user experience is discussed. The goal of the project is to preserve the game for players to enjoy in the future.
