Last Week in Security (LWiS) - 2024-11-04
WAF bypasses (@MDSecLabs), sastsweep (@_chebuya), Early Cascade injection (@DaWouw), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-10-28 to 2024-11-04.
News
- Inside Intelligence Center: LUNAR SPIDER Enabling Ransomware Attacks on Financial Sector with Brute Ratel C4 and Latrodectus - Cybercrime is adapting to the heavy corporate emphasis on detecting and preventing Cobalt Strike.
- Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files - A Russian threat actor is performing intelligence collection operations. It's making headlines because the threat actor is using a signed Remote Desktop Protocol (RDP) configuration file that connects to an actor-controlled server.
- U.S. Joins International Action Against RedLine and META Infostealers - The US Department of Justice and a European coalition have teamed up to disrupt the RedLine and META infostealers in Operation Magnus.
- tmp.0ut Volume 4 Call For Papers - The site lists the areas they are looking for, including beginner-level content for some areas.
- From Naptime to Big Sleep: Using Large Language Models To Catch Vulnerabilities In Real-World Code - Google is using large language models for bug hunting, and found an exploitable SQLite buffer overflow.
- KDE Linux - The KDE group releases their own Arch Linux-based OS, not to be confused with KDE neon, which is Ubuntu-based.
- Okta AD/LDAP Delegated Authentication - Username Above 52 Characters Security Advisory - A username longer than 52 characters could cause a hash collision with cached authentication under certain conditions.
- MSSP Market Update: CompTIA Sold to Private Equity - The acquisitions in the training space continue: last week it was OffSec, this week it is CompTIA.
- Tens of thousands of taxpayer accounts hacked as CRA repeatedly paid out millions in bogus refunds - The Canada Revenue Agency discovered that threat actors obtained confidential data used by one of the country's largest tax preparation firms, H&R Block Canada.
Techniques and Write-ups
- Exploiting Fortune 500 Through Hidden Supply Chain Links - Supply chain will continue to be an issue for a good while. If you're a red teamer, you should be adding this to your toolkit. This article walks through a dependency confusion vulnerability in HashiCorp's Consul which affected Fortune 500 companies.
- BOFHound: AD CS Integration - TL;DR: BOFHound can now parse Active Directory Certificate Services (AD CS) objects, manually queried from LDAP, for review and attack path mapping within BloodHound Community Edition (BHCE).
- Exploiting a Blind Format String Vulnerability in Modern Binaries: A Case Study From Pwn2own Ireland 2024 - Some hardcore format string exploitation in the face of modern security measures such as Address Space Layout Randomization (ASLR), Position Independent Executables (PIE), Non-Executable memory (NX), and Full Relocation Read-Only (Full RelRO).
- Inside the counter-offensive tactics, techniques, and procedures used to neutralize China-based threats - Sophos did a little "Defend Forward" and dropped "implants" (not malware 🤣) on devices used by Chinese exploit developers to watch them as they developed their new exploits. Check out the timeline for a detailed breakdown of their operations.
- TA Phone Home: EDR Evasion Testing Reveals Extortion Actor's Toolkit - Another example of security vendors using their access to monitor threat actors. If you're a red team developer and aren't using Ludus' testing mode, you are exposing your tooling.
- When WAFs Go Awry: Common Detection & Evasion Techniques for Web Application Firewalls - Background and bypasses for web application firewalls.
- Introducing Early Cascade Injection: From Windows Process Creation to Stealthy Injection - After some background on process creation in Windows and Early Bird APC injection, a new process injection technique - Early Cascade injection - is introduced. However, Outflank "will not make the source code of this project public", but you can pay them for it 😉.
- Living off the land - A quick post on using Microsoft Software Center UI to elevate from Administrator to SYSTEM.
- Beyond the good ol' LaunchAgents - 35 - Persist through the NVRAM - The 'apple-trusted-trampoline' - This can only be used when System Integrity Protection (SIP) is disabled, so it's not all that practical, but it's a good look into what is possible with NVRAM.
Tools and Exploits
- rustmerger - A robust command-line tool built in Rust that makes merging and deduplicating text files a breeze. Whether you're dealing with small files or massive datasets, this tool handles the heavy lifting with parallel processing and smart error handling.
- CVE-2024-46538 - pfSense stored XSS leads to remote code execution, proof of concept.
- OpenHashAPI - OpenHashAPI (OHA) is designed to store and maintain hashes and plaintext in a centralized database. OHA is written in Go and designed for containerized deployment. For more information see [PDF] No Cap Cracking: Improving Offline Hash Recovery Methodologies.
- sastsweep - Automatically detect potential vulnerabilities and analyze repository metrics to prioritize open source security research targets.
- Cable - .NET post-exploitation toolkit for Active Directory reconnaissance and exploitation.
- rustclr - A powerful library for hosting the Common Language Runtime (CLR) and executing .NET binaries directly with Rust, among other operations.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- microsocks - a SOCKS5 service that you can run on your remote boxes to tunnel connections through them, if for some reason SSH doesn't cut it for you.
- Hijack the TypeLib. New COM persistence technique - Introduces TypeLibWalker to persist via TypeLib hijacking on Windows.
- Scrapegraph-ai - Python scraper based on AI.
- Through the Looking Glass - A small post about tunnelling UDP over TCP and WireGuard Site-to-Site VPN configurations.
- noir - Attack surface detector that identifies endpoints by static analysis.
- chartdb - Free and open-source database diagrams editor, visualize and design your DB with a single query.
- sidekick - Bare metal to production ready in mins; your own fly server on your VPS.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.