Last Week in Security - 2024-09-16


Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools, and exploits from the past week. This post covers 2024-09-09 to 2024-09-16.

News

  • Bug Left Some Windows PCs Dangerously Unpatched - Microsoft released updates to fix 79 security vulnerabilities in its operating systems, including a critical bug that left some Windows 10 systems dangerously unpatched against actively exploited vulnerabilities. Two zero-day flaws were also disclosed, affecting Windows and Office, allowing attackers to bypass security features.

  • Fake recruiter coding tests target devs with malicious Python packages - Fake recruiters are targeting developers with malicious Python packages in an ongoing campaign known as VMConnect. The attackers pose as employees of major financial firms to lure developers into participating in fake job interviews. The malicious packages contain code that executes malware on the developer's system, with evidence suggesting the campaign is still active.

  • New Feature Alert: Access Archived Webpages Directly Through Google Search - Google Search now allows users to access archived versions of webpages directly through the Internet Archive's Wayback Machine. This new feature makes it easier for users to explore the history of the web and access previous versions of websites. The collaboration between Google and the Internet Archive emphasizes the importance of web archiving and preserving online history for future generations. However, links to archived webpages may not be available for certain sites that have opted out or violate content policies.

  • Notice of Recent Security Incident - Fortinet recently experienced a security incident where an unauthorized individual gained access to a limited number of files stored on a third-party cloud-based shared file drive, affecting less than 0.3% of customers.

  • Green Berets Hijacked WiFi To Control Home Security System Then Vanish In Mock Raid - U.S. Army Green Berets conducted a mock cyber infiltration operation in Sweden by breaching a WiFi network to disable a building's security systems and simulate a raid using electronic warfare gear. The exercise showcased the specialized intelligence-gathering capabilities of special operations forces as they prepare for high-end fights. The integration of cyber warfare capabilities into tactical military operations is becoming increasingly important, with potential applications in intelligence recovery, rescue missions, and direct action raids.

  • CISA Analysis: Fiscal Year 2023 Risk and Vulnerability Assessments (PDF) - The CISA FY23 Risk and Vulnerability Assessment (RVA) report provides an analysis of cybersecurity threats and risks identified during assessments conducted throughout the fiscal year. It highlights common vulnerabilities found in organizations, such as misconfigurations, weak credentials, and unpatched systems, and offers recommendations to mitigate these risks.

Threat Intel and Defense

  • TIDRONE Targets Military and Satellite Industries in Taiwan - TIDRONE, an unidentified threat cluster linked to Chinese-speaking groups, has shown significant interest in military-related industries in Taiwan, particularly drone manufacturers. These threat actors deploy advanced malware toolsets such as CXCLNT and CLNTEND through ERP software or remote desktops. The attacks involve remote access tools, user account control bypass techniques, and other malicious activities to disable antivirus products.

  • BlindEagle Targets Colombian Insurance Sector with BlotchyQuasar - BlindEagle, a threat actor targeting organizations and individuals in South America, specifically in Colombia and Ecuador, has been using the BlotchyQuasar RAT to steal payment-related data from the Colombian insurance sector. The attack chain typically starts with phishing emails impersonating the Colombian tax authority, leading victims to download a ZIP archive containing the BlotchyQuasar payload. This RAT is heavily obfuscated to evade detection and carries out various malicious activities, including keylogging, monitoring of banking services, and stealing information from applications.

  • The Curious Case of an Open Source Stealer: Phemedrone - Phemedrone is an open-source stealer available on Telegram that targets Russian users and services. It encrypts logs with RSA + AES, has high configurability, and regularly updates its panel and builder. The malware targets various browsers, crypto wallets, Discord tokens, files, VPN providers, and more, with a focus on stealing sensitive information.

  • There's Something About CryptBot: Yet Another Silly Stealer (YASS) - Intezer recently analyzed a new infostealer called Yet Another Silly Stealer (YASS), which has similarities to CryptBot but also distinct characteristics, highlighting the evolving nature of cybersecurity threats.

  • Threat Assessment: Repellent Scorpius, Distributors of Cicada3301 Ransomware - A threat assessment report by Palo Alto Networks highlights a new ransomware group called Repellent Scorpius that distributes Cicada3301 ransomware. The report provides a technical analysis of the ransomware and its tactics, such as double extortion and recruitment of partners through a RaaS affiliate program. The report also mentions historical incidents involving data exfiltration and details the new version of the encryptor.

  • Crimson Palace returns: New Tools, Tactics, and Targets - Sophos has observed a Chinese cyberespionage operation, named Operation Crimson Palace, targeting government organizations in Southeast Asia. The operation involves the use of various security threat activity clusters and tools to compromise networks and exfiltrate data.

  • Threat Assessment: North Korean Threat Groups - This threat assessment focuses on North Korean threat groups, specifically those under the Reconnaissance General Bureau of the Korean People's Army, known as the RGB. They have at least six distinct threat groups that develop malware for various operations, such as intelligence gathering and cyber heists. The article provides an overview of 10 malware families used by these groups across different operating systems.

  • 9th September – Threat Intelligence Report - On 9th September, Check Point Research released their Threat Intelligence Report discussing various cyber attacks and breaches. Attacks included those on the German air traffic control agency, Transport for London, US semiconductor supplier Microchip Technology, Planned Parenthood, Avis, and CBIZ Benefits & Insurance Services. The report also highlighted vulnerabilities and patches, as well as threat intelligence reports on hacking groups involved in the #FreeDurov campaign and Russian GRU Unit 29155 activities.

  • Threat Hunting Case Study: Uncovering FIN7 - FIN7 is a financially motivated threat group located in Eastern Europe and Russia, known for payment card fraud, banking malware, and ransomware activity. Despite arrests in 2018, FIN7 continues to operate and develop new tools to evade detection.

  • DragonRank, a Chinese-speaking SEO manipulator service provider - Cisco Talos has disclosed a new threat called DragonRank, which primarily targets countries in Asia and Europe, utilizing PlugX and BadIIS for SEO rank manipulation. DragonRank exploits web application services to deploy a web shell and launch malware to collect system information and launch credential-harvesting utilities. The group operates by compromising Windows IIS servers to manipulate search engine rankings and drive traffic to scam websites. DragonRank offers black hat SEO services and promotes their business online with a Chinese and English commercial website.

  • Building Forensic Expertise: A Two-Part Guide to Investigating a Malicious USB Device (Part 2) - In Part 2 of the guide to investigating a malicious USB device, the authors walk through setting up a virtual machine for Digital Forensics and Incident Response (DFIR). They emphasize the importance of isolating the VM from the host system to prevent data leaks and malware spread. The article also covers challenges with USB passthrough and integrating a write blocker to ensure data integrity during forensic analysis.

  • Phishing Pages Delivered Through Refresh HTTP Response Header - Unit 42 researchers have observed large-scale phishing campaigns using a refresh entry in the HTTP response header. Attackers send malicious links in emails that automatically refresh or reload a webpage without user interaction, deceiving victims into entering their credentials. The attackers target individuals in the global financial sector, internet portals, and government domains.

  • Earth Preta Evolves its Attacks with New Malware and Strategies - Earth Preta has enhanced its attacks with new malware variants, tools, and strategies. They are utilizing worm-based attacks, spear-phishing campaigns, and tools like FDMTP and PTSOCKET to improve control and data exfiltration capabilities. Their activities are focused on specific countries and sectors within the APAC region, with a particular emphasis on government entities.

  • CosmicBeetle steps up: Probation period at RansomHub - CosmicBeetle is a threat actor that has recently developed a custom ransomware called ScRansom. They have been active since at least 2020 and have been targeting SMBs globally, particularly in Europe and Asia. CosmicBeetle has been observed using the leaked LockBit builder and may be affiliated with the new ransomware gang RansomHub.

  • Targeted Iranian Attacks Against Iraqi Government Infrastructure - Check Point Research discovered a new set of malware used in targeted attacks against various Iraqi entities, including government networks. The malware includes a passive IIS backdoor, DNS tunneling, and C2 communication via compromised email accounts. The campaign has ties to Iranian threat actors, particularly APT34, and features unique Command and Control mechanisms. The malware families, Spearal and Veaty, have similarities to previous APT34 attacks in the Middle East, indicating a consistent actor behind these operations.

  • Defend against vampires with 10 gbps network encryption - Learn how attackers can easily tap into your network cables and sniff your data, even on fiber optic lines. By encrypting all Ethernet traffic on the fly with tools like WireGuard and VXLAN, you can defend against these attacks with very little performance loss. Implementing a solution like a "wormhole" project, combining 802.1q trunk links and VPN-like encryption, can secure your LAN-to-LAN connections.

  • ScriptBlock Smuggling - PowerShell's Script Block Logging records and logs all scripts and commands executed within PowerShell, both legitimate and potentially malicious. ScriptBlock Smuggling is a technique that allows attackers to bypass AMSI and spoof messages in the ScriptBlock logs. By enabling PowerShell logging options, forensic traces of this technique can be identified. Despite attempts to obfuscate malicious code, defenders can still detect traces of it, making the effectiveness of ScriptBlock Smuggling questionable.

  • Monitoring High Risk Azure Logins - Monitoring High Risk Azure Logins is crucial for detecting potential business email compromises and other security threats. Using Azure AD Identity Protection (now Entra Identity Protection), risk levels are categorized as low, medium, or high, with specific indicators like atRisk labels for potential threat actors. By closely monitoring these alerts and investigating anomalies, organizations can catch events earlier in the attack chain and mitigate potential security risks.

  • Distributed Denial of Truth (DDoT): The Mechanics of Influence Operations and The Weaponization of Social Media - Trustwave's Distributed Denial of Truth (DDoT) report explores how social media is being weaponized to manipulate public opinion through influence operations. The report highlights alarming trends in insider threats and phishing-as-a-service in the financial services sector.

  • Hadooken Malware Targets Weblogic Applications - Hadooken malware was discovered targeting WebLogic servers, dropping a cryptominer and the Tsunami malware.

  • From Amos to Poseidon | A SOC Team’s Guide to Detecting macOS Atomic Stealers 2024 - The article discusses the rise of macOS Atomic Stealers targeting Mac users and how they have evolved and spread throughout 2024. Various versions of stealers like Amos, Banshee, Cthulu, Poseidon, and RodrigoStealer have been developed by competing teams of crimeware retailers.

  • The Duality of the Pluggable Authentication Module (PAM) - A new Pluggable Authentication Module (PAM) malware is being used in targeted attacks. The malware is employed to gain persistence on Linux systems by abusing PAM, which allows attackers to intercept authentication credentials. This method provides stealth and ensures long-term access to the compromised system, avoiding detection by traditional security tools. This blog details the attack techniques, the malicious code's behavior, and mitigation strategies to prevent PAM abuse.

  • A glimpse into the Quad7 operators’ next moves and associated botnets - An analysis of the Quad7 operators, highlighting their evolving tactics and botnet infrastructure. The operators are linked to multiple botnets and malware strains, aiming to expand their control over compromised systems. The article discusses the group's recent activities, their methods of persistence, and potential future moves, offering insights into how they maintain and grow their network.

  • Unmasking the Hidden Threat: Inside a Sophisticated Excel-Based Attack Delivering Fileless Remcos RAT - This blog post details an Excel-based attack delivering the fileless Remcos RAT (Remote Access Trojan). It uses Excel macros to inject malicious code into system memory, evading detection. The attack relies on fileless techniques, making it difficult for traditional security tools to identify. Remcos RAT provides attackers with complete control over the infected device, allowing data theft and persistent surveillance.

Techniques and Write-ups

  • Companion scanner for mockingjay injection - The article discusses the mockingjay injection technique, a method to inject and execute shellcode undetected by modern anti-virus software by exploiting vulnerable DLLs with default RWX memory sections. The author describes developing a tool to find loadable DLLs with RWX regions by recursively searching directories for .dll files, loading the DLLs using 'LoadLibraryA', and using VirtualQuery to check memory protections and locate RWX regions. The algorithm successfully identified RWX regions in libraries such as ruby 3.1 and 3.3.

  • Veeam Backup & Response - RCE With Auth, But Mostly Without Auth (CVE-2024-40711) - Veeam Backup & Replication, a popular enterprise backup solution, was found to have a vulnerability (CVE-2024-40711) that allowed for remote code execution (RCE) without authentication.

  • Decrypting and Replaying VPN Cookies - The article discusses the vulnerability of VPN authentication tokens to session hijacking and the ability to reconstruct profiles and replay them with third-party VPN clients. It explores how an always-on VPN configuration stores authentication material, leading to the potential for adversaries to steal and replay credentials. The article delves into reverse engineering the encryption and key derivation process of Palo Alto's GlobalProtect client, showcasing how to decrypt cookies and bypass compliance checks.

  • Browser Stored Credentials - Modern web browsers have the capability to store credentials in an encrypted format, improving password hygiene for organizations. Threat actors focus on accessing credentials stored in browsers, rather than attempting to retrieve them from the lsass process.

  • Getting code execution on Veeam through CVE-2023-27532 - The blog post discusses the CVE-2023-27532 vulnerability in Veeam, which initially allowed for retrieval of encrypted credentials but was later found to potentially allow for arbitrary code execution. The post details the process of investigating and exploiting the vulnerability, including attempts to bypass whitelists and blacklists, and ultimately achieving code execution on the Veeam server.

  • CVR: The Mines of Kakadûm - Details a critical vulnerability found in Google's Cloud Virtual Machines (CVM). The vulnerability allowed attackers to escape the guest environment and access the hypervisor, compromising the entire host system. The post explains how the security team detected and mitigated the flaw, sharing insights into the discovery process and patching the issue.

  • Once and Forever: WhatsApp’s View Once Functionality is Broken - Meta's WhatsApp introduced a "View Once" feature as a privacy tool to allow users to send media that would disappear after being viewed once. However, a security researcher found that this feature was implemented negligently, allowing malicious users to save and distribute the media. Despite responsible disclosure, the issue was already being exploited, prompting the researcher to make it public. The flaws in the implementation allow for easy bypassing of the "View Once" restriction, leading to concerns about false privacy on the platform.

  • Exploring an Experimental Windows Kernel Rootkit in Rust - Details of an experimental Windows kernel rootkit exploration in Rust, demonstrating various techniques and features. The rootkit project lacked some features but showcased the power of the Rust programming language for security applications. Techniques like hiding processes, elevating token privileges, disabling driver signature enforcement, and manipulating kernel callbacks were also explained.

  • When Certificates Fail: A Story of Bypassed MFA in Remote Access - The author recounts a story from a penetration test of a customer’s Citrix infrastructure where they identified a vulnerability that allowed bypassing multi-factor authentication using client certificates. The system extracted the UPN from the certificate during mTLS authentication but did not verify that the user logging in was associated with the certificate. This allowed anyone with a valid certificate to authenticate with just a username and password, bypassing MFA.

  • Introduction to Android Bytecode Exploitation (Part 1) - Android is a popular target for exploitation due to its wide usage, but it comes with security mechanisms like permissions and ASLR. The attack surface for Android is large, including intent systems, socket communication, and JNI usage. This blog series explores exploitation techniques specific to Android at the bytecode level, which is an area that has not received much research. The goal is to understand how memory errors affect the security of Android apps and to identify potential vulnerabilities that can be exploited. Various techniques for dynamic app analysis and debugging are explained, with a focus on exploiting vulnerable native libraries through bytecode injection.

  • We Spent $20 To Achieve RCE And Accidentally Became The Admins Of .MOBI - A security research group spent $20 to acquire an expired domain, which inadvertently made them administrators of the .MOBI domain. They discovered that various systems, including mail servers, cyber security tools, and Certificate Authorities, were querying their WHOIS server. They also realized that they could undermine the TLS/SSL certificate verification process by providing their email address, potentially leading to interception of traffic or impersonation of servers.

  • ADCS Attack Paths in BloodHound — Part 3 - In this article, the author discusses how they have incorporated Active Directory Certificate Services (ADCS) objects into BloodHound to identify attack paths, including techniques such as ESC6, ESC9, and ESC10 domain escalation. They explain the concept of implicit certificate mapping and how it can be abused to escalate privileges in Active Directory. The article also covers new features, requirements, and remediation steps related to these attack paths, as well as providing details on the implementation of these techniques in BloodHound.

  • Putting Our Hooks Into Windows - TrustedSec discusses a malware technique involving setting Windows hooks to log keystrokes or inject code into remote processes. They demonstrate this method in C and C#, explaining how it works and providing code examples. They also discuss reversing the code using tools like Ghidra and dnSpy. This technique can be used for malicious purposes, including keylogging and injecting DLLs into remote processes, but it has limits and may be detected by security products.

  • Microsoft Windows MSI Installer - Repair to SYSTEM - A detailed journey - The article discusses the vulnerability of repair functions in Microsoft Windows MSI installers that can allow local attackers to escalate their privileges to SYSTEM rights. It explains how attackers can exploit this vulnerability, and introduces an open-source analyzer tool named "msiscan" to help detect potential security issues.

  • Living off the land, GPO style - This blog post discusses the ability to edit Group Policy Objects (GPOs) from non-domain-joined computers using native Group Policy editor tools. The post details the steps taken to trick the Group Policy Manager MMC snap-in into believing the computer was domain joined, showing how to overcome tools that insist on being domain joined for Active Directory access.

  • Zero-Click Calendar invite — Critical zero-click vulnerability chain in macOS - The author discovered a zero-click vulnerability in macOS Calendar that allows attackers to add or delete files within the Calendar sandbox environment, potentially leading to malicious code execution. By exploiting this vulnerability, attackers can compromise users' sensitive iCloud Photos data. The exploit chain involves injecting multiple files to evade the sandbox, gaining remote code execution, and accessing iCloud Photos. Apple has fixed some of the vulnerabilities, but the original arbitrary file write and delete vulnerability remains unresolved.

  • Malware and cryptography 32: encrypt payload via FEAL-8 algorithm. Simple C example. - The post discusses using the FEAL-8 algorithm to encrypt and decrypt payloads in malware development. The algorithm was developed by Akihiro Shimizu and Shoji Miyaguchi from NTT Japan as an alternative to DES with a stronger round function. The post provides a simple C example of how the encryption process works, including key generation, encryption logic, decryption logic, and shellcode encryption.

  • Exploiting Exchange PowerShell After ProxyNotShell: Part 2 - ApprovedApplicationCollection - In this blog post, the author discusses a vulnerability in Microsoft Exchange Server, CVE-2023-36756, which allows authenticated attackers to achieve remote code execution by uploading a web shell. The vulnerability exploits a path traversal issue in the Windows utility extrac32, which was not patched by Microsoft. The author demonstrates how an attacker can chain together different vulnerabilities to achieve full compromise in Exchange.

  • A journey through KiUserExceptionDispatcher - Maurice is working on an emulation environment that emulates the entire user-space, not just the target application, by creating syscall implementations outside the emulator. He delves into exception handling, specifically the KiUserExceptionDispatcher, and encounters challenges with stack layout and function unwinding. Through debugging and research, he successfully implements exception support in his emulator and learns a lot about Windows internals in the process. Despite the challenges, Maurice finds the journey to be a refreshing break from implementing syscalls and enjoys the investigation into exception handling.

  • Why Django’s [DEBUG=True] is a Goldmine for Hackers - Leaving DEBUG=True in a Django application can expose sensitive information to hackers, making it a goldmine for exploitation. Attackers can use automated tools to identify vulnerable Django sites and extract valuable data such as stack traces, request and response data, and database information. They can leverage this information to carry out targeted attacks like SQL injection or session hijacking.

  • Dynamic HTTP(S) Payload Stager - The blog post discusses a Dynamic HTTP(S) Payload Stager developed to automate updating decryption variables when working with shellcode loaders. The author provides a Python script and instructions for hosting the file containing variables on a web server. The Stager code is customizable and offers flexibility in generating unique URLs to avoid detection by defensive measures. The post also suggests storing multiple domains in arrays and obfuscating IP addresses for C2 callbacks.

  • Watch the Typo: Our PoC Exploit for Typosquatting in GitHub Actions - Orca Security conducted a PoC exploit on typosquatting in GitHub Actions, creating fake organizations with similar names to popular actions to trap developers into running malicious code. They found that developers easily fell victim to typosquatting, potentially allowing for the injection of malicious code into applications. GitHub flagged and suspended only one fake organization after three months.

  • Ghost in the PPL Part 3: LSASS Memory Dump - The blog post discusses the process of dumping the LSASS memory in Windows security research. The author explores the challenges involved in invoking MiniDumpWriteDump function and finding a suitable candidate function within LSASS. The author also explains a unique way of loading an arbitrary DLL into LSASS using the Autodial feature of the WinSock2 API. Additionally, the author addresses the issue of resolving addresses dynamically to improve the reliability of the exploit. Overall, the post provides insights into advanced userland exploitation techniques and concludes with a reflection on the limitations of the exploit chain.

  • AutoIt Credential Flusher - A new technique has been observed where stealers force victims to enter credentials into a browser, which are then stolen by traditional stealer malware. This technique involves launching the victim's browser in kiosk mode and navigating them to a targeted service login page, such as Google, to pressure them into entering their credentials. The credentials are then stored in the browser's credential store and can be stolen by the stealer malware. This credential flusher technique is used in conjunction with other malware, such as Amadey and StealC, to steal credentials from victims.

  • The delayed import-table phantomDLL opportunities - The article discusses the concept of delayed imports in native OS PE files, where APIs are loaded only when called for the first time. It explores the possibility of phantomDLL opportunities, where some DLLs listed as delayed imports do not actually exist on the system. The author examines the potential research opportunities and concludes that while executable files with phantom DLLs are approachable, DLLs importing these phantom DLLs are less promising.

  • GAZEploit - Researchers have discovered a new attack called GAZEploit that can infer eye-related data from avatar images to reconstruct text entered via gaze-controlled typing on VR/MR devices. By capturing and analyzing virtual avatar videos, attackers can remotely determine typed keys based on eye aspect ratio and gaze estimation. Using a recurrent neural network, the attack can achieve high accuracy in identifying keystrokes during typing sessions. The algorithm also maps gaze points to specific keys on a virtual keyboard, achieving a top-5 character prediction accuracy of 100%. The GAZEploit attack has been proven effective for various typing scenarios including message input, password input, email address/URL input, and passcode (PIN) input.

  • Hijacking SQL Server Credentials using Agent Jobs for Domain Privilege Escalation - This article explains a technique for domain privilege escalation by hijacking SQL Server credentials through the use of SQL Agent jobs. Attackers exploit misconfigurations in SQL Server environments by injecting their malicious code into SQL Agent jobs, which often run with elevated privileges. This method allows them to capture domain credentials and escalate their access within a network, leading to potential lateral movement and further exploitation.

  • Feeld dating app: Your nudes and data were publicly available - This article details the testing methodology and findings from testing the security controls implemented on a dating mobile app called Feeld.

  • Adventures in Shellcode Obfuscation! Part 13: Calculating Offsets - This article explores techniques for shellcode obfuscation, specifically focusing on calculating memory offsets dynamically. The article dives into how attackers can use offsets to locate and execute malicious payloads without relying on static addresses, which can help evade detection. It discusses the challenges associated with calculating these offsets during runtime and presents solutions using assembly code and register manipulation. The goal is to make the shellcode more resilient and harder to analyze by security tools.

Tools and Exploits

  • Lostxlso: Multi-Vulnerability Scanner - Lostxlso is a multi-vulnerability scanner tool designed to detect web application vulnerabilities such as Local File Inclusion (LFI), Open Redirects (OR), SQL Injection (SQLi), and Cross-Site Scripting (XSS). It offers features like improved performance through multi-threading, customizable payloads, and a user-friendly command-line interface.

  • netscan - NetScan CLI is a command-line tool that retrieves and analyzes IP address information, providing detailed subnet and organization data using various online services. It utilizes multiple WHOIS data sources to retrieve CIDR blocks and organization names for given IP addresses, offering options for searching specific organizations and outputting raw data.

  • NtDumpBof - A tool for automating the creation and downloading of minidump files using CALLBACK_FILE and CALLBACK_FILE_WRITE. These minidump files can then be parsed using Mimikatz for further analysis.

  • GhostStrike - GhostStrike is a C++ tool for ethical hacking and Red Team operations that allows users to deploy stealthy reverse shells using advanced process hollowing techniques on Windows systems. The tool features dynamic API resolution, cryptographic key generation, and control flow flattening to evade detection by security tools. Users can configure GhostStrike by creating a Ngrok service, generating a Sliver C2 implant, converting to .bin and C++ shellcode, and compiling the code with a C++ compiler.

  • COMThanasia - The GitHub repository "COMThanasia" contains a set of programs designed for analyzing common vulnerabilities in COM objects. The tools can detect vulnerabilities such as incorrect access control and registry rights in COM objects, as well as identify new elevation monikers for potential UAC bypasses. The programs also allow users to explore and analyze COM objects, find potential candidates for UAC bypass, and check for interesting methods that can be abused for privilege escalation.

  • Remote Wrapper - An extensible Mythic Wrapper that allows payload wrapping to occur on a remote host using Azure Service Bus for communication. It simplifies the process of wrapping payloads with specific dependencies. Installation of the wrapper can be done through the mythic-cli tool with various options such as installing the main branch, a specific branch, or from a locally cloned folder.

  • Impacket ZSH Integration - scripts for ZSH integration with Impacket, a toolkit used for pentesting Active Directory from Linux. Users can clone the repository, configure their terminal, set up a SOCKS proxy, and manage Kerberos tickets for network traffic. The repository aims to reduce friction and streamline the workflow for pentesters.

  • Introducing Burp Suite’s game-changing performance update - Burp Suite has released a performance update that includes key enhancements to improve speed and efficiency. The update includes reduced sorting times for tables, faster loading of large project files, improved loading times in the HTTP history, and reduced memory usage in tools like Intruder. These improvements aim to optimize the user's workflow and make manual testing more efficient.

  • Performance Improvements to table sorting and Repeater - Burp Suite has recently made significant performance improvements in table sorting and the Repeater tool. These enhancements have led to reduced processing times, minimized memory usage, and a smoother user experience. With changes such as multidimensional sorting and lazy loading of UI components, Burp Suite now offers faster sorting times and improved responsiveness.

  • Disconnected GPO Editor - a Disconnected GPO Editor that allows editing of domain GPOs from non-domain joined machines. It works by injecting a C# library into MMC to trick Group Policy Manager into thinking the user is a domain user. Users must install Windows Remote Server Administration Tools on the non-domain joined host to use the tool. The tool can be used to launch Group Policy Manager and edit specific GPOs without using the manager snap-in.

  • DD-Oriented-Programming - a PoC for injecting arbitrary code using a malicious shared object library in Linux systems. The PoC utilizes the Linux proc filesystem and various system entries to achieve its goal.

  • GlobalUnProtect - a tool that allows users to decrypt GlobalProtect configuration and cookie files. It can be run either standalone or in memory, and collects all data into an in-memory zip file. The tool extracts information such as user names, portals, user domains, and cookies from the GlobalProtect data files. It also provides instructions on how to connect via OpenConnect using the extracted data.

  • MaLDAPtive - a framework for LDAP SearchFilter parsing, obfuscation, deobfuscation, and detection, with a custom-built C# LDAP parser and a PowerShell wrapper. The framework is released in two stages, with the obfuscation module being delayed for a few months to give defenders time to implement detection rules. The project also includes an interactive mode for menu-driven exploration of functions, along with a telemetry module for gathering LDAP telemetry in a lab environment.

  • reCAPTCHA Phish - code for phishing with a fake reCAPTCHA, recreating a social engineering and phishing lure seen in August/September 2024. The code includes CSS and JavaScript to mimic the real reCAPTCHA button and execute commands, with the option of using an HTA file for a more convincing charade. The code aims to trick users into copying and pasting a malicious command into the Windows Run dialog box. The repository also mentions potential uses for the code, such as embedding it as a widget or creating a public domain tool.

  • Introducing Bettercap 2.4.0: CAN-Bus Hacking, WiFi Bruteforcing and Builtin Web UI - Bettercap 2.4.0 introduces new features such as CAN-Bus hacking, WiFi bruteforcing, and a built-in Web UI. The CAN module allows users to read, write, and fuzz raw frames, as well as decode OBD2 PIDs with a built-in decoder. The WiFi bruteforcer targets low-hanging fruit by using wordlists for password attacks on routers and printers. The Web UI is now integrated as a module, making it easier to use.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • PhysMem(e): When Kernel Drivers Peek into Memory CVE-2024-41498 - RevEng.AI researchers discovered a vulnerability in the Windows IOMap64.sys driver (CVE-2024-41498) that allows a malicious user to read/write the entire physical memory (RAM). The post provides a technical analysis of the driver, explains how threat actors target vulnerable drivers to gain kernel privileges, and offers a PoC to demonstrate exploitability. Windows has implemented Driver Signature Enforcement to prevent loading of malicious drivers, but threat actors now use signed drivers with known vulnerabilities. A walkthrough of dynamic analysis and a PoC development process is also provided.

  • Cracking OneDrive's Personal Vault - The article discusses the process of gaining access to OneDrive's Personal Vault, a protected area in OneDrive where sensitive files are stored. The author explores how the vault is stored on a Windows device using BitLocker encryption and reveals the steps to unlock the vault using an external key file. The process involves assigning a drive letter, saving the key, and using it to unlock the vault and access its contents. The author also mentions a script that can automate the key-saving process for future use.

  • Keyhole - Researchers at MASSGRAVE discovered a bug named "Keyhole" that allowed for a highly effective DRM bypass on Microsoft Store apps and Windows editions. By exploiting vulnerabilities in the CLiP system, they were able to manipulate license blocks and create new licenses for Windows activation. This bug was later reported to Microsoft and patched, but the researchers shared their findings to encourage further exploration of CLiP. Additionally, they found similarities between CLiP and the Xbox One's DRM system, suggesting a potential link between the two.

  • ghmlwr - a pet-project whose main purpose is to index malicious (or suspicious) GitHub repositories.

  • Writing a system call tracer using eBPF - The article discusses writing a system call tracer using eBPF (Extended Berkeley Packet Filter) technology, which allows running custom programs within the kernel. It covers the basics of low-level programming, eBPF programs, and C language. The process involves writing eBPF programs and a loader to trace system calls by using tracepoints and BPF maps. The loader reads the path of the ELF file to be traced, spawns a child process, loads the BPF objects into the kernel, and attaches them to trace system calls. The article includes code snippets and explanations for writing the eBPF programs and loader.
