
Last Week in Security - 2024-12-17


We're Hiring!


For more open positions visit: https://www.sixgen.io/careers


Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools, and exploits from the past week. This post covers 2024-12-09 to 2024-12-16.

News

  • China's Salt Typhoon recorded top American officials' calls, says White House - Chinese cyberspies from Salt Typhoon targeted the calls of high-level US political figures, stealing a large volume of call records and private communications. The operation focused on government officials and corporate intellectual property, and may have compromised law enforcement wiretapping systems. This has raised concerns about the larger threat posed by China's infiltration of American telecom systems, with a Senate Commerce subcommittee investigating the issue further. The espionage campaign is expected to be a major topic of discussion during the upcoming hearing on "Communications Networks Safety and Security."

  • Patch Tuesday, December 2024 Edition - In the Patch Tuesday edition for December 2024, Microsoft released updates to fix 70 security holes, with one vulnerability being actively exploited. The zero-day exploit involves the Windows Common Log File System (CLFS) driver, which could allow attackers to gain system-level privileges. There have been numerous zero-day vulnerabilities in CLFS in recent years, with concerns about ransomware authors taking advantage of these flaws. Microsoft has also patched a critical remote code execution flaw in the Lightweight Directory Access Protocol (LDAP) with a high CVSS score. System admins and end users are advised to install the updates to protect their systems.

  • Frequent freeloader part II: Russian actor Secret Blizzard using tools of other groups to attack Ukraine - Microsoft Threat Intelligence has observed Russian actor Secret Blizzard using tools and infrastructure from other threat actors to compromise targets in Ukraine. Secret Blizzard co-opted tools from a cybercriminal campaign to download their custom malware onto target devices associated with the Ukrainian military. The actor's tactics include spear phishing, server-side compromises, and using Amadey bots to deploy their custom Tavdig backdoor. Secret Blizzard has targeted a variety of sectors, with a focus on gaining long-term access for intelligence collection. Organizations are advised to strengthen their defenses against such threats by implementing specific security measures outlined by Microsoft.

  • DOJ indicts 14 North Koreans who fraudulently earned $88 million working for US firms - The Department of Justice has indicted 14 North Koreans for fraudulently earning $88 million while working for US companies by stealing identities of US citizens and obtaining employment illegally. The North Korean nationals were charged with crimes related to wire fraud, money laundering, and identity theft for their actions between 2017 and 2023. The men earned at least $88 million through employment as IT workers and also extorted companies by threatening to leak proprietary information. The indictment is part of efforts by US authorities to stop similar campaigns used by North Korea to earn money and access sensitive information.

Techniques and Write-ups

  • An offensive Rust encore - HN Security is offering their services to help improve security and safeguard digital assets. The article discusses the Rust programming language and how it can be both powerful and approachable. It provides resources for intermediate-level Rust developers to enhance their skills and introduces a new offensive security tool called blindsight, which dumps Windows credentials in Active Directory environments. The tool is a proof of concept and is not recommended for real-life scenarios because it lacks advanced anti-detection features.

  • SPA is for Single-Page Abuse! - Using Single-Page Application Tokens to Enumerate Azure - The blog post discusses using Single-Page Application (SPA) tokens to enumerate Azure in a security assessment. The author shares insights and a workflow for using SPA tokens to access Azure resources, focusing on Microsoft Office and Azure Portal SPAs. The process involves capturing refresh tokens from network traffic, noting client IDs, and authenticating with ROADTools to enumerate the Azure tenant. The author, Lance B. Cain, is a Senior Consultant at SpecterOps with experience in Red Teaming and Penetration Testing, specializing in cloud and macOS technologies.

  • Oasis Security Research Team Discovers Microsoft Azure MFA Bypass - The Oasis Security Research Team discovered a critical vulnerability in Microsoft Azure's Multi-Factor Authentication system, allowing attackers to bypass it and gain unauthorized access to user accounts. This flaw was reported to Microsoft and has since been resolved. Organizations are advised to enable MFA, monitor for leaked credentials, and add mail alerts for failed MFA attempts to enhance security. Oasis Security specializes in identity and cloud-native security, aiming to uncover vulnerabilities and collaborate with vendors to strengthen security across the industry.

  • Cleo Harmony, VLTrader, and LexiCom - RCE via Arbitrary File Write (CVE-2024-50623) - Threat actors are actively exploiting a vulnerability (CVE-2024-50623) in Cleo Harmony, VLTrader, and LexiCom software that allows for remote code execution through arbitrary file write. Cleo attempted to patch the vulnerability but did not do so correctly, leading to continued exploitation. The vulnerability can be bypassed by manipulating the serial number validation process, allowing attackers to read and write arbitrary files. Huntress discovered threat actors using arbitrary file write to achieve remote code execution on unpatched installations. Cleo is working on a new patch, but in the meantime, mitigations can be implemented to limit the attack surface.

  • SolarWinds Access Rights Manager: One Vulnerability to LPE Them All - The Zero Day Initiative discovered multiple vulnerabilities in SolarWinds Access Rights Manager, including pre-auth RCE and local privilege escalation vulnerabilities. One specific vulnerability allowed for pre-auth arbitrary file deletion, which could lead to local privilege escalation on domain-joined Windows machines. This vulnerability could be exploited remotely, allowing an attacker to escalate privileges on any Windows machine in the domain. SolarWinds has since patched these vulnerabilities and users are urged to update their software.

  • Uncovering Apple Vulnerabilities: diskarbitrationd and storagekitd Audit Part 2 - Kandji's Threat Research team conducted an audit on macOS diskarbitrationd and storagekitd system daemons, discovering vulnerabilities that were reported to Apple and subsequently fixed. In part two of their blog series, they discussed a vulnerability that allowed for sandbox escape and bypassing TCC by mounting over the user's TCC directory. They demonstrated the exploitation using a debugger and explained how Apple addressed the issue in macOS Sequoia 15.0 by moving path resolution to the daemon side and enhancing sandbox checks.

  • Citrix Denial of Service: Analysis of CVE-2024-8534 - The article discusses the analysis of the Citrix Denial of Service vulnerability CVE-2024-8534, specifically related to the RDP Proxy feature in Citrix NetScaler. The analysis involved reverse-engineering the patch and attempting to determine if the memory corruption could lead to remote code execution. The vulnerability allows an unauthenticated attacker to remotely force a system restart, leading to a denial of service. The team used various methods, including fuzzing and debugging, to understand the vulnerability and provide insights to customers through their Attack Surface Management platform. They were unable to determine the exact root cause but were able to gain valuable insights into the configuration and operation of Citrix NetScaler.

  • API Testing with Insomnia and Burp Suite: An Alternative to Postman - This blog post on WafflesExploits discusses how to use Insomnia and Burp Suite for API testing and hacking as an alternative to Postman. The guide covers setting up Insomnia, capturing API requests with mitmproxy, converting them to OpenAPI 3.0 format, and integrating Insomnia with Burp Suite for detecting vulnerabilities. It also includes tips on organizing requests, setting up folders for scripts and tokens, and testing for improper asset management vulnerabilities. The post was inspired by a need for a Postman alternative and aims to provide a comprehensive guide for API testing.

  • The Insecure IoT Cloud Strikes Again: RCE on Ruijie Cloud-Connected Devices - Team82 has discovered 10 vulnerabilities in devices manufactured by Ruijie Networks, specifically in its Reyee cloud management platform and Reyee OS network devices. These vulnerabilities could potentially allow attackers to execute code on cloud-enabled devices, giving them control over thousands of devices. An attack called Open Sesame was devised, allowing attackers to exploit devices in close physical proximity through the cloud. Ruijie has addressed the vulnerabilities, and no action is required by users. The vulnerabilities include exposure of private information, weak credentials, improper handling of permissions, insecure storage of sensitive information, exposure of resources, weak password recovery mechanism, improper neutralization of wildcards, server-side request forgery, premature release of resources, and use of inherently dangerous functions.

  • The Ruby on Rails json Juggling Attack - The json juggling attack targets JSON parsing in Ruby on Rails by exploiting a vulnerability in the code that handles conflicts between different types of JSON request bodies. This attack allows an attacker to bypass authorization by submitting JSON that can be interpreted in multiple ways. A Rails Parameter Testing Setup Dockerfile is provided to demonstrate how Rails applications can be vulnerable to this attack. Additional security-related questions are also discussed, such as the precedence order of different data sources and ways to protect against attacks.

  • Tales from the cloud trenches: Unwanted visitor - In this article, Datadog Security Labs discusses an intrusion involving an unwanted visitor in a cloud environment, specifically targeting Amazon Simple Email Service (SES). The attacker used various techniques to maintain persistence, such as creating backdoors, assuming roles from external accounts, and using temporary credentials. The attacker's activities focused on privilege escalation and evading detection. Datadog offers suggestions for detecting similar attacks and provides rules within their Cloud Security Management system to identify suspicious activity in an AWS environment. The article highlights the use of Stratus Red Team to reproduce attack techniques and emphasizes the importance of monitoring and securing cloud environments against evolving threats.

  • Attacking Cortex XDR from an unprivileged user perspective - In late 2023, the SCRT Team launched a service where customers could fund research on vulnerabilities in products they use, such as Cortex XDR. They identified two vulnerabilities in Cortex XDR that allowed unprivileged users to escalate privileges and disable the agent. After reporting these vulnerabilities to Palo Alto, they were acknowledged and fixed, with advisories published in 2024. This collaborative approach highlights the importance of combining resources to enhance security.

  • Climbing the Azure RBAC Ladder - This blog post explores common techniques used by threat actors to escalate privileges and move laterally within Azure environments by abusing RBAC roles. Attackers often exploit misconfigurations, improper permissions, and vulnerabilities in identity management to gain higher-level permissions. The post discusses how threat actors can abuse Managed Identities, Key Vaults, Azure DevOps, Storage Accounts, and Logic Apps to escalate privileges. It also provides suggestions for defenders on how to secure Azure environments, including implementing least privilege access, monitoring for unusual activities, and enforcing MFA.

  • Exploring AWS STS AssumeRoot - This article explores the AWS Security Token Service (STS) AssumeRoot API operation, which allows users to retrieve temporary credentials for the root account of a member account in an AWS organization. The article discusses the potential abuse of this API, provides a threat scenario using Terraform and Python code, and explores detection and hunting opportunities within Elastic’s SIEM. It also highlights best practices for using AssumeRoot, such as limiting permissions, enforcing MFA, and enabling monitoring with CloudTrail and Security Hub.

  • DOM Purify - dirty namespace bypass - In this article, the author discusses a method for bypassing DOMPurify's sanitization of SVG files by exploiting a flaw in the regular expression used to check attribute names. By inserting a custom namespace and attribute, an attacker can achieve XSS. The author reported this issue to DOMPurify developers, who quickly fixed it by updating the regular expression. This bypass technique could also impact custom tags, although it was not specifically tested in the context of SVG files.

  • Meta’s Data: Meta’s WhatsApp Fix for View Once and its Impact on Metadata - Meta's WhatsApp feature "View Once" was found to be easily bypassed, allowing recipients to forward, share, and copy media sent with this feature. After this issue was responsibly disclosed, Meta silently released a fix for the problem. The fix addressed the core issue, preventing unauthorized access to "View Once" content, but it also increased the amount of unencrypted metadata exposed to WhatsApp's server, posing potential privacy risks. Despite not being a perfect solution, the fix was considered a significant improvement.

  • Abusing AD-DACL: WriteOwner - In this blog post, the exploitation of Discretionary Access Control Lists (DACL) using the WriteOwner permission in Active Directory environments is discussed. The WriteOwner permission can be abused by attackers to change the object owner to an attacker-controlled user and take over the object. Various methods for exploiting this permission, such as granting ownership and full control, as well as detection and mitigation strategies, are detailed. Additionally, lab setups and tools for simulating these attacks are provided, offering security professionals insights to recognize and defend against these threats.

  • How easily access cards can be cloned and why your PACS might be vulnerable - Access cards used in physical access control systems (PACS) can be easily cloned, making the system vulnerable to unauthorized entry. A PACS consists of tokens, readers, controllers, and servers, which work together to control access to buildings. A well-configured PACS uses encryption and custom encryption keys to secure authentication data, making it difficult for attackers to clone cards. However, many systems still use default encryption keys, leaving them open to exploitation. It is important to properly configure a PACS to ensure security and prevent unauthorized access.

  • Exploiting the Lorex 2K Indoor Wifi at Pwn2Own Ireland - In December 2024, InfoSect detailed their successful exploitation of the Lorex 2K Indoor Wifi security camera at Pwn2Own Ireland, highlighting a pre-authentication stack-based buffer overflow vulnerability. The competition included various targets such as routers, surveillance systems, and smart speakers. They faced challenges due to limited access to the device and application whitelisting, but managed to bypass it using a technique to execute custom code. After discovering useful pointers, they developed a strategy involving incremental exploitation to achieve arbitrary writes and ultimately gain control of the device. They stressed the importance of preparation and flexibility in cybersecurity competitions.

  • Hacking AI Applications: From 3D Printing to Remote Code Execution - This blog post discusses the process of hacking AI applications, focusing on creating a 3D printing application and exploiting its vulnerabilities. The author shares their journey of building an AI native application called KachraCraft to automate 3D modeling. They discuss techniques such as prompt injection, system prompt disclosure, and novel methods of exfiltrating data. The post emphasizes the importance of considering security implications when using AI-powered tools and the need for robust defenses in AI applications. The author plans to open-source KachraCraft as a reference for building secure AI applications.

  • Far From Random: Three Mistakes From Dart/Flutter's Weak PRNG - A weak PRNG in Dart led to multiple vulnerabilities in popular projects like the Dart SDK, Proton Wallet, and SelfPrivacy. In the Dart SDK, the weak PRNG led to an exploit that allowed attackers to steal files from developers. Proton Wallet had a vulnerability where recovery phrases were easily guessed, and SelfPrivacy had predictable passwords generated using a weak PRNG. These vulnerabilities were all caused by the same root issue of using a non-cryptographically secure PRNG. The vulnerabilities were reported to the respective companies, and fixes were made to address the issues.

  • Attacking Entra Metaverse: Part 1 - In this blog post series, the SpecterOps team explores attacker tradecraft around the syncing mechanics between Active Directory and Entra in the Entra Metaverse. They demonstrate how complete control of an Entra user can compromise the on-premises user, highlighting the importance of the Entra Tenant as the trust boundary. The post explains the mechanics of Entra Connect Sync and how attributes can flow between Entra and Active Directory, showcasing the potential for abuse with primitive techniques like adding a key to a user. The post sets the stage for future discussions on cross-domain attacks and emphasizes the need for understanding and managing attack paths in Azure Active Directory.

  • 0x02 - Introduction to Windows Kernel Use After Frees (UaFs) - This article introduces the concept of Windows Kernel Use After Frees (UaFs) and focuses on exploiting vulnerabilities in Windows 7 (x86) with minimal mitigations in place. It explains UaFs as a bug class where memory is accessed after it has been freed, using a non-technical analogy. The article then delves into the source code to identify and exploit UaF vulnerabilities within Windows Kernel functions, ultimately leading to code execution. It provides a summary of the functions involved in the exploit and concludes with a sample exploit code to demonstrate hijacking execution flow and gaining shell access.

  • Shell Script Compiler (shc) - Shell Script Compiler (shc) is a tool used by threat actors to compile shell scripts into binary form, making them harder to trace and debug. shc uses anti-debugging techniques such as ptrace to prevent tracing by external debuggers. While shc obfuscates scripts and encrypts them into binary form, forensic analysis can still reveal traces of the original script. Additionally, shc can be partially circumvented in certain scenarios, allowing traces of the original command to be found.

  • Breaking the Air Gap Through Hardware Implants - Praetorian demonstrated how a hardware implant can be used to breach the air gap in IoT devices without a wireless component, by adding wireless capabilities to a device through a hardware implant during a security assessment. They used small microcontrollers and boards to create a wireless implant that could extract data from the device in a real-world scenario. This creative approach to security assessments challenges assumptions and explores new attack paths to uncover vulnerabilities that others might miss. It exemplifies Praetorian's proactive and innovative approach to cybersecurity.

  • Exploiting Misconfigured Terraform Cloud OIDC AWS IAM Roles - The article discusses exploiting misconfigured Terraform Cloud OIDC AWS IAM roles, specifically focusing on the past and present misconfigurations and how to exploit them programmatically. The misconfigurations allow anyone to assume a role, and even though changes have been made by AWS to enforce restrictions, roles can still be misconfigured with an asterisk in the organization's name. The article provides steps on how to create a backdoored role with administrator permissions and assume it from an external AWS account.

  • Diving deep into JetBrains TeamCity Part 2 - Analysing CVE-2024-24942 leading to unauthenticated Path Traversal - The article delves into the details of CVE-2024-24942, a path traversal vulnerability in JetBrains TeamCity. It explains the process of constructing an exploit for authentication bypass and path traversal. The author encourages readers to refer to previous editions of the TeamCity vulnerability series for background knowledge. By examining the patched versions of the affected files, the article demonstrates how the vulnerability was addressed through additional checks and validations. Through dynamic debugging, the article explores the interception process for authentication, highlighting how a flawed implementation allowed for path traversal and unauthorized access to files.

  • Messenger Group Call DoS for iOS - The write-up discusses a denial-of-service (DoS) bug that affected Messenger for iOS, allowing for the crashing of the app during group calls by sending invalid emoji reactions. The bug was discovered and analyzed using reverse engineering tools like Frida and Ghidra. The root cause of the bug was identified as a lack of input validation in the code. The issue has since been patched in the latest version of Messenger for iOS, but older versions may still be vulnerable. Additionally, a new iOS decompilation tool called Malimite was introduced and utilized to improve the analysis of the vulnerable code.

  • Databricks JDBC Attack via JAAS - The Databricks JDBC driver has a vulnerability that allows for remote code execution through the krbJAASFile parameter. An attacker can exploit this flaw by tricking the victim into using a specially crafted connection URL. To demonstrate this vulnerability, a proof of concept (PoC) was created using a web server to serve malicious content. This PoC showcases how a remote code execution can be triggered through JNDI injection.

  • Hacking Car Cameras Through The Cloud - The article discusses vulnerabilities in smart car appliances, specifically car cameras, that allow unauthorized access to location history and videos. The author found flaws in the device binding process and the debind process, which could lead to theft of cameras and unauthorized access. The issues have been confirmed and fixed by one vendor, but not by another. The author suggests disconnecting devices from the internet until the vulnerabilities are addressed.

  • Tic TAC - Beware of your imaging - This blog post discusses a Remote Code Execution vulnerability found in an Open Source Bio-Medical tool that is actively used in universities and labs for medical standard imaging. The vulnerability allows for injection of malicious python code when importing DICOM files, but has since been fixed. The post explains how the exploit works and the steps to create a malicious DICOM file. It also highlights the importance of securing Open Source tools in the medical field and investing time in finding and fixing vulnerabilities to make critical technologies safer.

  • CVE-2024-55557 - Weasis 4.5.1 - CVE-2024-55557 affects Weasis 4.5.1 due to insecure encryption methods, leading to full credentials disclosure. An attacker who obtains the persistence file can decrypt the stored password, which is gzip-compressed and base64-encoded, using the hardcoded key. By gaining access to the server or the Weasis port, an attacker can read the persistence file containing sensitive data and decrypt it offline. The vulnerability lies in the CryptoHandler class, which handles encryption and decryption using Blowfish with a hardcoded UTF-8 key, allowing unauthorized users to recover proxy credentials. To replicate the attack, the attacker needs to read the hardcoded key, access the persistence file locally or remotely, and decrypt the password using appropriate methods.

  • From CVE to Template: The Future of Automating Nuclei Templates with AI - ProjectDiscovery has implemented an AI-driven system to automate the creation of Nuclei templates for new vulnerabilities, reducing the time between disclosure and template availability. The process involves fetching the latest CVEs, extracting POC details using AI, generating templates, and reviewing them for accuracy. Challenges include summarizing POC from various sources and addressing inaccuracies in CVE data. Future enhancements include training custom AI models and integrating automated testing of generated templates. The goal is to enhance cybersecurity by encouraging community collaboration and innovation.

  • Stored Cross-Site Scripting (XSS) in 2FAuth - XBOW discovered a stored Cross-Site Scripting (XSS) vulnerability in the open-source 2FAuth application, which is used for managing two-factor authentication accounts. To exploit the vulnerability, XBOW analyzed the source code and identified the QR code processing functionality as a potential entry point for the attack. By uploading a malicious SVG file, XBOW was able to trigger an XSS vulnerability in the application, highlighting the importance of proper validation and sanitization of user input. This research showcases the steps taken by XBOW to uncover and exploit the vulnerability, providing valuable insights for security professionals.

  • Android's CVE-2022-20201 (InstalldNativeService) - The writer attempted to hack their old, unpatched OnePlus phone using CVE-2022-20201, a vulnerability in Android's InstalldNativeService. The vulnerability allows for leaking memory and exploiting an Out-of-Bound access issue. Despite not being able to fully exploit the vulnerability, the writer was able to demonstrate memory leaks from the InstalldNativeService. The fix for this vulnerability was introduced in the Pixel June 2022 Bulletin.

  • CVE-2024-11477 Writeup - This writeup details a critical integer underflow vulnerability in the Zstandard decompression function of 7-Zip. This flaw, identified in versions 24.05 through 24.07, allows for remote code execution when a user opens a maliciously crafted compressed file.

Tools and Exploits

  • ldapx - ldapx, hosted on GitHub, is a flexible LDAP proxy that can inspect and transform all LDAP packets generated by other tools in real time. The tool can apply different middlewares to LDAP packets, including filters, attribute transformations, and baseDN changes. It provides a built-in shell for adjusting settings and viewing packet statistics. The tool is designed for use in Active Directory environments but can potentially work in other LDAP environments as well. Contributions to the tool are welcome, and it is meant for authorized security testing, troubleshooting, and research purposes.

  • Out of Band Update: Cobalt Strike 4.10.1 - Cobalt Strike 4.10.1 is an out of band update to fix issues discovered in the previous version. The update addresses problems such as client disconnections with multiple team server connections, crashes with x86 beacons on Windows 11, and truncated user agent names with WinHTTP beacons. The Mutator Kit in the Arsenal Kit has also been updated. Licensed users can download the new version, and those who need to update their license for an existing CS 4.10 environment can obtain a new authorization file. Customers are encouraged to report any additional issues to Cobalt Strike's support team.

  • QuickResponseC2 - QuickResponseC2 is a Command & Control Server that uses QR codes to send and receive commands to remote systems. It operates stealthily, allowing covert communication between attackers and victims. The tool includes a lightweight HTTP server for communication, and a simple command-line interface for ease of use. Users can send commands encoded as QR codes, with results being returned in the same manner for further analysis. The tool is ideal for security assessments and penetration testing without alerting security defenses.

  • External-C2-Teams - The GitHub repository contains the Brute Ratel External C2 (Microsoft Teams) project, which is designed to allow operators to hide implant output inside legitimate network traffic. The setup instructions include creating an Azure infrastructure with specific requirements for users and licenses. The project also includes advice on setting up the Brute Ratel listener and things to avoid while using the C2, such as not changing the listener HTTP headers and avoiding sending large files over HTTP.

  • Pytune - Pytune is a post-exploitation tool for enrolling a fake device into Intune with multiple platform support. It allows red teamers to enroll a fake device to Entra ID and Intune, steal device configurations like VPN and Wi-Fi settings, and bypass Entra ID Conditional Access policy. Users can also download installer files for apps, track compliance status, and leak domain computer credentials if hybrid autopilot is enabled. Pytune also enables users to download Win32 apps and PowerShell scripts, and retire the fake device from Intune for clean-up. It is a proof of concept tool provided without any warranty.

  • QoL-BOFs: Quality of Life Beacon Object Files - This GitHub repository contains a curated collection of public Beacon Object Files (BOFs) designed to improve productivity and efficiency during red team engagements. The repository aggregates BOFs from various sources and adds extra useful ones as submodules for easy cloning. Users can clone the repository and its submodules correctly using specific commands. The curated BOFs aim to simplify submodule management, provide seamless updates, and include contributions from trusted developers and projects in the community.

  • ShadowShell - A project called shadowshell published by GerhardBotha97 on GitLab, last updated on December 11, 2024. The repository page provides clone URLs for copying the project.

  • Unwrapping BloodHound v6.3 with Impact Analysis - The SpecterOps team recently released BloodHound v6.3, which includes new features and enhancements to help users visualize attack paths and reduce identity risk. Updates to BloodHound Enterprise include a revamped Posture page, improved analysis algorithm, and granular risk measurement. BloodHound Common updates include a Node/Edge Label toggle and a new CoerceToTGT Edge Type. Additional improvements and bug fixes were also made, along with recommendations for upgrading SharpHound and AzureHound. Users can sign up for the BloodHound Live: Monthly Release Recap for more information.

  • Mythic C2 Profile that allows agents to communicate over GitHub - This GitHub repository contains a Mythic C2 Profile that enables agents to communicate over GitHub through issue comments and file pushes. Setting up this C2 profile involves several steps and users are encouraged to read the documentation thoroughly. The C2 server code is written in Python and contributions are welcome. The GitHub C2 Profile currently supports specific agents.

  • Rusty-Telephone - This GitHub project, called Rusty-Telephone, is a proof-of-concept tool designed to exfiltrate data over audio output from remote desktop sessions using covert channels. It encodes files into audio signals using frequency-shift keying modulation and error correction techniques for reliable transmission. Users can clone the repository, build sender and receiver binaries, set up audio loopback devices, and begin transmitting data between systems. The tool utilizes the Rust programming language, digital signal processing, and various audio loopback drivers to achieve its functionality.

  • LexiCrypt - LexiCrypt is a shellcode encryptor tool that uses a substitution cipher with a randomly generated key to transform raw shellcode bytes into words. These words can then be embedded into code templates in various programming languages to disguise the shellcode and potentially bypass detection mechanisms. The tool is currently intended for use on Windows platforms only and plans to support Linux and custom wordlists in the future. LexiCrypt automates the process of encoding and decoding shellcode and provides ready-to-compile snippets in languages like C++, Rust, C#, Go, and VBScript/WScript.

  • Decrypting Full Disk Encryption with Dissect - Fox-IT's incident response tool Dissect was made open source in 2022 and has since been used by many companies. The latest version of Dissect, 3.17, now supports decrypting Full Disk Encryption, such as with Microsoft’s BitLocker or Linux's LUKS. This article provides a demo of using Dissect to decrypt information from a disk protected with BitLocker and extract specific files. It also shows how Dissect can be used with LUKS on Linux systems. Additionally, Dissect allows for the decryption of entire disks, providing a wider range of tools to be used on the decrypted data.

  • Windows Tooling Updates: OleView.NET - The Project Zero team at Google has made updates to a Windows tool called OleView.NET in version 1.16. This tool is designed to discover security vulnerabilities in Windows COM, such as privilege escalation and remote code execution. The updates include improvements to researching COM services, formatting interface definitions, and calling interface methods. Users can access the tool through PowerShell or a GUI to analyze and interact with COM objects. The tool aims to streamline the process of identifying and testing vulnerabilities in Windows COM services.

  • KrakenMask - GitHub repository for KrakenMask, a sleep obfuscation tool that uses APC with gadget-based evasion to bypass current detection methods. The tool detects VirtualProtect calls using APC and returns to NtTestAlert, with the return address of VirtualProtect set as the address of a call NtTestAlert gadget. The tool includes detection rules for VirtualProtect and has also added callstack masking during delay to evade HuntBeaconSleep-NG.

  • Test AMSI Provider - The GitHub repository jborean93/AmsiProvider contains a test implementation of an AMSI Provider in C#. The provider is designed to log the raw AMSI scan and notify requests from client applications. It is a proof of concept and test code with no guarantee of quality. The provider can be used as a registered COM server and is capable of logging data sent to AMSI, such as requests from PowerShell. The repository includes instructions on how to build and install the provider, as well as how to uninstall it.

  • Shrike - Shrike is a tool written in pure nim for hunting and injecting RWX 'mockingjay' DLLs. It recursively searches directories for DLLs with RWX sections, provides analysis on them, and can inject shellcode if suitable. Shrike is distributed as a nimble package and offers various build options for customization. It is primarily used for research and analysis purposes.

  • Malimite - Malimite is an iOS decompiler built on top of Ghidra decompilation to help researchers analyze and decode IPA files. It offers direct support for Swift, Objective-C, and iOS resources, and can be used on Mac, Windows, and Linux. Users can contribute to the project by making a pull request, adding an example to the Wiki, reporting errors or issues, suggesting improvements, or sharing the tool with others. Malimite is licensed under the Apache 2.0 License and is aimed at the iOS Reverse Engineering community.

  • NoDelete - NoDelete is a tool designed for malware analysis that locks a folder where malware drops files before deleting them. The tool allows users to monitor and lock directories, view paths, open folders, restore original folder permissions, and create log files for validation. This project is intended for personal study of Qt and C++ with future improvements planned.

  • RustSoliloquy - RustSoliloquy is a Rust implementation of Internal-Monologue, a technique for capturing NetNTLM hashes without accessing LSASS, using SSPI for NTLM negotiation and native APIs for core operations. The project aims to deepen understanding of NTLM authentication and offers configurable options for different functionalities like token extraction, registry settings adjustments, and logging. RustSoliloquy is meant for educational and research purposes only, and responsible use is advised. Contributions and feedback are welcomed by the project.

  • USB Horsemen of the HID Apocalypse - In 2024, the USB Horsemen of the HID Apocalypse were released as fuzzing tools to find vulnerabilities in Human Interface Device (HID) handling logic. These tools involve key mashing, mouse movement, and clicking to test systems. They were created using the Arduino IDE and can be run on various dev boards. The purpose of these tools is to provide a practical and fun example of creating functional tools to uncover bugs.

  • BootExecute EDR Bypass - Boot Execute allows native applications—executables with the NtProcessStartup entry point and dependencies solely on ntdll.dll—to run prior to the complete initialization of the Windows operating system. This occurs even before Windows services are launched. Because these native applications execute before security mechanisms are fully operational, this presents an opportunity to disrupt antivirus (AV) and endpoint detection and response (EDR) systems by deleting critical application files as we run with SYSTEM privileges.

Threat Intel and Defense

  • How Adversaries Abuse Serverless Services to Harvest Sensitive Data from Environment Variables - In the world of cloud computing, serverless technology has revolutionized how applications are developed and deployed. However, adversaries can exploit serverless services to access sensitive data stored in environment variables, such as API keys and credentials. By setting up malicious serverless functions, attackers can gain unauthorized access to cloud services and resources. To mitigate these risks, organizations should implement best practices like using secret management services, encrypting environment variables, and monitoring serverless logs for unusual activities. Keeping environment variables secure is crucial in preventing unauthorized access and maintaining data integrity in cloud environments.
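
Two of the mitigations named above (keeping secrets out of environment variables and monitoring serverless logs) can be turned into concrete checks. The following is an added example written for this summary, not code from the referenced article or from any cloud provider: the first function inventories a function configuration for env var names that look like inline secrets, the second scans CloudTrail-style records for Lambda API calls that read or rewrite a function's configuration from a principal outside a trusted CI/CD set. The eventName values follow the versioned form CloudTrail uses for Lambda; the account ID, ARNs, IP addresses and configuration values are constructed sample data.

```python
"""Defensive checks for secrets in serverless environment variables.

1) find_secret_like_env_vars: flag env vars whose names suggest an inline secret.
2) flag_env_access_events: flag CloudTrail-style Lambda API calls that expose or
   rewrite env vars and come from an untrusted principal.
All sample input below is constructed for this example."""
import re

SECRET_NAME_RE = re.compile(r"(KEY|SECRET|TOKEN|PASS(WORD)?|CRED)", re.IGNORECASE)

# Constructed Lambda configuration, shaped like a GetFunctionConfiguration response
SAMPLE_CONFIG = {
    "FunctionName": "orders-api",
    "Environment": {"Variables": {
        "DB_PASSWORD": "hunter2",
        "STRIPE_API_KEY": "sk_test_example",
        "LOG_LEVEL": "info",
        # Referencing a secret by ARN (resolved at runtime) is the recommended pattern
        "DB_SECRET_ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:orders-db",
    }},
}


def find_secret_like_env_vars(config):
    """Return sorted env var names that look like inline secrets.
    Names whose value is a Secrets Manager ARN are skipped: they hold a
    reference, not the secret itself."""
    variables = config.get("Environment", {}).get("Variables", {})
    return sorted(
        name for name, value in variables.items()
        if SECRET_NAME_RE.search(name)
        and not str(value).startswith("arn:aws:secretsmanager:")
    )


# Lambda API calls whose response or request carries the Environment block
ENV_EXPOSING_EVENTS = {
    "GetFunction20150331v2",
    "GetFunctionConfiguration20150331v2",
    "UpdateFunctionConfiguration20150331v2",
    "CreateFunction20150331",
}

# Constructed CloudTrail-style records (only the fields the check needs)
SAMPLE_TRAIL = [
    {"eventSource": "lambda.amazonaws.com", "eventName": "Invoke20150331",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/orders-api-role/orders-api"},
     "sourceIPAddress": "lambda.amazonaws.com"},
    {"eventSource": "lambda.amazonaws.com", "eventName": "GetFunctionConfiguration20150331v2",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/deploy-bot"},
     "sourceIPAddress": "10.0.0.5"},
    {"eventSource": "lambda.amazonaws.com", "eventName": "GetFunction20150331v2",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor-temp"},
     "sourceIPAddress": "203.0.113.7"},
    {"eventSource": "lambda.amazonaws.com", "eventName": "UpdateFunctionConfiguration20150331v2",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor-temp"},
     "sourceIPAddress": "203.0.113.7"},
]

# Principals expected to read/write function configuration (your CI/CD identities)
TRUSTED_PRINCIPALS = {"arn:aws:iam::123456789012:user/deploy-bot"}


def flag_env_access_events(events, trusted_principals):
    """Return (principal ARN, eventName, sourceIPAddress) for every Lambda call
    that can read or rewrite env vars and does not come from a trusted principal."""
    hits = []
    for ev in events:
        if ev.get("eventSource") != "lambda.amazonaws.com":
            continue
        if ev.get("eventName") not in ENV_EXPOSING_EVENTS:
            continue
        principal = ev.get("userIdentity", {}).get("arn", "")
        if principal in trusted_principals:
            continue
        hits.append((principal, ev["eventName"], ev.get("sourceIPAddress")))
    return hits


if __name__ == "__main__":
    print("inline secrets:", find_secret_like_env_vars(SAMPLE_CONFIG))
    for hit in flag_env_access_events(SAMPLE_TRAIL, TRUSTED_PRINCIPALS):
        print("untrusted config access:", hit)
```

The inventory check is deliberately name-based rather than value-based, because a value scanner would itself handle the secrets; the access check keys on the API calls that return the Environment block, since that is what an attacker with stolen or over-broad Lambda permissions would call to harvest credentials.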

  • Glutton: A New Zero-Detection PHP Backdoor from Winnti Targets Cybercrimals - A new zero-detection PHP backdoor named Glutton, associated with the Winnti group, was discovered distributing malicious payloads targeting cybercriminals. The backdoor is highly modular, capable of functioning independently or sequentially to form a comprehensive attack framework. While attributed to the Winnti group, Glutton's lack of stealth and simplistic implementation introduce uncertainties. The attackers behind Glutton appear to be targeting systems within the cybercrime market, turning the tools of cybercriminals against them. Measures to identify and neutralize potential infections by Glutton are recommended to mitigate the threat posed by this backdoor.

  • Declawing PUMAKIT - PUMAKIT is a sophisticated loadable kernel module (LKM) rootkit that employs advanced stealth mechanisms to hide its presence and communicate with command-and-control servers. It consists of a dropper, memory-resident executables, an LKM rootkit, and a shared object (SO) userland rootkit, activating under specific conditions. The rootkit module utilizes syscall hooking, unique privilege escalation methods, and memory-resident execution to maintain persistence and control while hiding its files and directories. Elastic Security Labs has created a YARA signature to detect PUMAKIT and continues to monitor its behavior for new variants and updates.

  • Careto is back: what’s new after 10 years of silence? - Recent attacks by the Careto APT, also known as The Mask, have been discovered after 10 years of silence. The attacks are highly sophisticated and target high-profile organizations. The attackers use complex implants and zero-day exploits to infect their targets. One attack in Latin America in 2022 involved implanting the MDaemon email server and spreading the FakeHMP implant inside the network. The same organization was also targeted in 2019 with advanced attacks by Careto2 and Goreto frameworks. The attacks show that Careto is still powerful and capable of developing sophisticated malware and infection techniques.

  • Mitigating NTLM Relay Attacks by Default - Microsoft has announced a significant security update to mitigate NTLM relay attacks by default, improving protection for enterprise networks. NTLM relay attacks exploit authentication protocols to intercept and misuse credentials, often leading to privilege escalation. The update enforces Extended Protection for Authentication (EPA) across services, ensuring NTLM usage is bound to specific contexts and cannot be relayed.

  • Inside a New OT/IoT Cyberweapon: IOCONTROL - Team82 obtained a sample of a custom-built IoT/OT malware called IOCONTROL used by Iran-affiliated attackers to target Israel- and U.S.-based OT/IoT devices. The malware has been used to attack various devices such as IP cameras, routers, PLCs, and firewalls, among others, from vendors like D-Link and Hikvision. IOCONTROL is part of a global cyber operation against Western IoT and OT devices, with the attackers using unique communication channels over MQTT for command-and-control infrastructure. The malware includes a backdoor for persistence and a secure MQTT communication protocol for controlling the infected devices.

  • Attack Exploiting Legitimate Service by APT-C-60 - In August 2024, JPCERT/CC confirmed an attack conducted by the APT-C-60 group against an organization in Japan. The attack involved sending emails with malware disguised as a job application. The malware was spread through legitimate services like Bitbucket and StatCounter, with malware persistence achieved through COM hijacking. Similar attacks targeting East Asian countries including Japan, South Korea, and China have been reported, with common features such as the use of legitimate services and malware persistence. The blog post provides details on the flow of the malware infection, analysis of the downloader, analysis of the backdoor, and campaigns involving the same type of malware.

  • Operation Digital Eye | Chinese APT Compromises Critical Digital Infrastructure via Visual Studio Code Tunnels - Chinese APT group engaged in cyberespionage known as Operation Digital Eye targeted large IT service providers in Southern Europe from late June to mid-July 2024. The attackers used Visual Studio Code and Microsoft Azure infrastructure for command and control purposes to evade detection. The group potentially had a shared vendor or digital quartermaster maintaining their tools. The campaign was disrupted in its initial phases by SentinelLabs and Tinexta Cyber. The use of Visual Studio Code for command and control purposes is relatively rare in the wild, with this being the first observed instance of a Chinese APT group using this technique.

  • Crypted Hearts: Exposing the HeartCrypt Packer-as-a-Service Operation - The article discusses a new packer-as-a-service called HeartCrypt, which is used to protect malware. It has been in development since July 2023 and has been used to pack over 2,000 malicious payloads. The operators charge $20 per file to pack, and the majority of customers are malware operators using various families. The article provides technical analysis on how HeartCrypt works and how the malicious code is injected into legitimate binaries. It also discusses the malicious campaigns using HeartCrypt, including targeting Latin American countries and using LummaStealer. The article concludes by highlighting the need for proactive threat hunting and how Palo Alto Networks customers are better protected from these threats.

  • Getting a taste of your own medicine: Threat actor MUT-1244 targets offensive actors, leaking hundreds of thousands of credentials - A threat actor named MUT-1244 targeted offensive actors, leaking over 390,000 credentials believed to be for WordPress accounts. The actor used phishing campaigns, trojanized GitHub repositories, and malicious attack tools to compromise their victims, including security researchers and pentesters. The investigation uncovered how the attacker gained access to sensitive information, exfiltrated credentials, and targeted security professionals. This incident highlights the importance of vetting tools and staying vigilant against cyber threats.

  • XRefer: The Gemini-Assisted Binary Navigator - XRefer is an open-source tool designed to assist analysts in navigating and understanding binaries during malware reverse engineering. It offers two navigation paradigms: cluster-based navigation that breaks down binaries into functional units, and context-aware code navigation that dynamically updates based on the current function being analyzed. XRefer provides a persistent companion view in IDA Pro, supports language-specific analysis, and integrates with external data sources like API traces. It is available on Mandiant's GitHub repository and is compatible with IDA <= 8.3 or IDA >= 9.0. Future developments include extending cluster analysis, implementing path-independent clustering methodologies, and adding support for other language modules.

  • Under the SADBRIDGE with GOSAR: QUASAR Gets a Golang Rewrite - Elastic Security Labs discovered a new intrusion set targeting Chinese-speaking regions, known as REF3864, which uses the SADBRIDGE loader and GOSAR backdoor. The SADBRIDGE loader deploys a Golang-based reimplementation of the QUASAR backdoor, known as GOSAR. This backdoor is under active development and targets Chinese-speaking victims through campaigns masquerading as legitimate software like Telegram and the Opera web browser. GOSAR extends QUASAR's capabilities with additional features and cross-platform support for Windows and Linux systems. The malware employs various techniques like DLL side-loading, injection, and evasion to avoid detection and establish persistence.

  • Oh No Cleo! Malichus Implant Malware Analysis - The Huntress platform has discovered a new family of malware named Malichus, targeting Cleo software through a multi-stage attack chain. The malware includes capabilities for post-exploitation and file manipulation, indicating a sophisticated threat actor.

  • Analysis of Nova: A Snake Keylogger Fork - The Any.Run analysis of Nova Keylogger reveals it as a stealthy and effective malware used for credential theft and espionage. Distributed via phishing emails, Nova Keylogger employs obfuscation techniques to evade detection. Once activated, it logs keystrokes, captures screenshots, and exfiltrates sensitive information to command-and-control servers.

  • Trust Hijacked: The Subtle Art of Phishing Through Familiar Facades - This article explores the tactics of cybercriminals exploiting customer trust by impersonating legitimate brands and platforms. Threat actors use a variety of methods, including phishing campaigns, fake websites, and social engineering, to deceive users and steal sensitive data such as credentials and payment information. The report highlights that attackers often leverage compromised infrastructure, such as legitimate hosting services or trusted domains, to make their campaigns appear credible. These tactics are part of a broader trend in cybercrime, focusing on exploiting user trust to bypass conventional security measures.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • Forget PSEXEC: DCOM Upload & Execute Backdoor - The blog post outlines a new DCOM lateral movement attack called "DCOM Upload & Execute" that allows for remote writing of custom payloads to create an embedded backdoor. The attack leverages COM and DCOM interfaces, bypassing the need for IDispatch-based interfaces. By uploading and executing payloads in the victim's GAC, the attack establishes a backdoor for communication and control. The research underscores the importance of defending against such stealthy attacks and recommends Deep Instinct's deep learning framework for cybersecurity prevention.

  • Event Log Manipulations - Time slipping - The article discusses techniques for manipulating event logs, focusing on time slipping, where an attacker alters the system's clock or file dates to disrupt timestamp integrity. The impact on incident analysis and forensics is explained, along with evasion tactics for SIEM detections. Examples of log anomalies and detection methods, including using event IDs and examining system changes, are provided. The importance of maintaining timeline control and correlating detection rules for accurate alerts is emphasized. The article concludes with tips for enhancing detection accuracy and the significance of defenders' vigilance in managing timelines.
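
The detection idea in that article (use event IDs and look for system changes, then correlate rules) can be shown on a handful of records. The following is an added example written for this summary, not code from the article: it walks Windows Security log records in EventRecordID order, which is assigned sequentially regardless of the wall clock, and flags both the explicit "system time was changed" event (Security event ID 4616) and any record whose TimeCreated moves backwards by more than a small tolerance relative to the previous record. A backward jump that closely follows a 4616 is reported as a correlated, high-confidence slip. The records are constructed sample data.

```python
"""Detect 'time slipping' in Windows event logs.

EventRecordID is monotonic; TimeCreated is whatever the clock said. When the
record order and the timestamp order disagree, the clock was moved.
Sample records below are constructed for this example."""
from datetime import datetime, timezone

# Constructed sample records: the clock is moved back a week after record 1003
SAMPLE_EVENTS = [
    {"record_id": 1001, "time": "2024-12-10T09:00:00Z", "event_id": 4624, "channel": "Security"},
    {"record_id": 1002, "time": "2024-12-10T09:05:00Z", "event_id": 4688, "channel": "Security"},
    {"record_id": 1003, "time": "2024-12-10T09:06:00Z", "event_id": 4616, "channel": "Security"},
    {"record_id": 1004, "time": "2024-12-03T09:06:30Z", "event_id": 4688, "channel": "Security"},
    {"record_id": 1005, "time": "2024-12-03T09:07:00Z", "event_id": 4624, "channel": "Security"},
]

# Security channel event 4616: "The system time was changed"
TIME_CHANGE_EVENT_IDS = {4616}


def parse_time(s):
    """Parse the ISO-8601 UTC form used in the sample records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_time_anomalies(events, max_backstep_seconds=60):
    """Return [(record_id, reason)] for time-change events and backward jumps.
    A small tolerance absorbs ordinary NTP corrections."""
    anomalies = []
    prev = None  # (record_id, datetime) of the previous record in record order
    for ev in sorted(events, key=lambda e: e["record_id"]):
        t = parse_time(ev["time"])
        if ev["event_id"] in TIME_CHANGE_EVENT_IDS:
            anomalies.append((ev["record_id"], "system time change event"))
        if prev is not None:
            delta = (t - prev[1]).total_seconds()
            if delta < -max_backstep_seconds:
                anomalies.append((ev["record_id"],
                                  f"timestamp moved back {-delta:.0f}s after record {prev[0]}"))
        prev = (ev["record_id"], t)
    return anomalies


def correlated_slips(events, window=3):
    """Record IDs of backward jumps that follow a time-change event within
    `window` records: the strongest signal of deliberate time slipping."""
    anomalies = find_time_anomalies(events)
    change_ids = [rid for rid, why in anomalies if why == "system time change event"]
    return [rid for rid, why in anomalies
            if why.startswith("timestamp moved back")
            and any(0 < rid - cid <= window for cid in change_ids)]


def true_order(events):
    """Rebuild the real sequence of activity: sort by record ID, not by time.
    Returns the record IDs in the order the events actually occurred."""
    return [ev["record_id"] for ev in sorted(events, key=lambda e: e["record_id"])]


if __name__ == "__main__":
    for rid, why in find_time_anomalies(SAMPLE_EVENTS):
        print(f"record {rid}: {why}")
    print("correlated slips:", correlated_slips(SAMPLE_EVENTS))
    print("true order:", true_order(SAMPLE_EVENTS))
```

When building a timeline from logs that show these anomalies, sort by EventRecordID and treat the 4616 record as the boundary at which timestamps stop being trustworthy; an attacker who resets the clock afterwards produces a second, forward jump that the same comparison does not flag, so pair this check with a "timestamp moved forward by more than N" rule in the SIEM.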

  • Reading Between the Lines: A Guide to Thoughtful Learning in Security - The blog post discusses the importance of thoughtful learning in security by using a specific example of a Ruby on Rails attack. It emphasizes the need to go beyond just understanding the immediate impact of an article and instead focus on what can be learned from it, what patterns can be applied to other contexts, and why certain things may have been missed. The post encourages readers to take the time to reflect on the content they consume in order to improve their skills and uncover insights that others may miss.

  • ChatGPT isn’t a decompiler… yet - The author attempted to use ChatGPT to create a magic decompiler for PowerPC assembly, specifically for the Super Smash Bros. Melee decompilation project. They found ChatGPT was able to generate C code that was logically similar to the assembly, but unable to substantially improve the match score. Despite fine-tuning efforts, the model did not generalize well outside of the training set and did not become a magic decompiler. The author is considering alternate explorations for the future.

  • Finding and utilising leaked code signing certificates - In this blog post, the author discusses how to find and utilize leaked code signing certificates, including cracking their passwords and using them to sign malware. The process is explained in four chapters, from finding certificates using tools like VirusTotal to reporting abuse to certificate authorities like Sectigo. The author demonstrates signing malware for both Windows and MacOS and highlights the importance of responsible disclosure measures. Ultimately, the author's efforts led to a leaked certificate being revoked by Sectigo after it was found to be involved in malicious activity.

  • filesec.io - A reference site tracking the file extensions attackers use, so that individuals and organizations can stay informed about the latest extensions in use and better defend against them. Contributions to the list are welcome and appreciated.
