May 01 2023 Last Week in Security (LWiS) - 2023-05-01

ML packer classification (@accidentalrebel), DLL unlinking (@christophetd@infosec.exchange), Apache Superset and Papercut RCEs (@Horizon3Attack), SushiSwap hack (@Dooflin5), macOS LPE (@patch1t), macros in 2023 (@ptrpieter), nanodump update (@s4ntiago_p), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-04-17 to 2023-05-01.

News

Triple Threat: NSO Group's Pegasus Spyware Returns in 2022 with a Trio of iOS 15 and iOS 16 Zero-Click Exploit Chains. Good thing we have Rapid Security Response?
Google Authenticator now supports Google Account synchronization. This was a huge downside to using the Goole provided MFA code generation app. Lost, stolen, or simple device upgrades were a struggle. I have been pushing Raivo OTP, an open source MFA app with encrypted seed synicning support because of the drawbacks for Google's own app. They release says that the new sync feature makes MFA codes "more durable by storing them safely in users' Google Account," but does not explicitly say if the seeds will be symetrically encrypted. Does this open a new level of compromise to Google Account takeovers? Can attackers sync the seeds to a device without an authenticator specific password? Like always, FIDO2 keys and Advanced Protection are the answer.
Mullvad VPN was subject to a search warrant. Customer data not compromised. The feds showed up with a warrant, but left without taking anything. Commercial VPNs have a very narrow use case, and if your threat model warrents one, you probably shouldn't trust any one provider.
3CX Breach Was a Double Supply Chain Compromise. Yo dawg, I heard you like supply chain compromises...
Git security vulnerabilities announced. No surprise that GitHub found some git vulnerabilities. Update your git clients today!
Zyxel security advisory for OS command injection vulnerability of firewalls. Unauthenticated remote command execution in a firewall... You had one job.
Microsoft shifts to a new threat actor naming taxonomy. Ah yes... Standards.
An open letter. The UK's Online Safety Bill could destroy end-to-end encryption in the UK. Privacy is a human right.

Techniques and Write-ups

Windows secrets extraction: a summary. Excellent overview of the current state of windows credential material extraction.
I hack, U-Boot. A very detailed and technical post on the most common bootloader in the embedded space.
Classifying Malware Packers Using Machine Learning. ML models have gotten very good at clasifying images (thanks im part to your capcha clicks), why not covert binaries to images and have the ML classify them?
Hiding in Plain Sight: Unlinking Malicious DLLs from the PEB. This won't be effective against EDR in the kernel (Defender, Crowdstrike, etc), but could be useful to hide from userspace detections.
How to Proxy VM Traffic through Burp Suite. A simple trick, but if you weren't aware of the system wide proxy setting in Windows, this is a useful tip.
Securely Hosting User Data in Modern Web Applications. Ever wonder why domains like githubusercontent.com or googleusercontnet.com exist? For your protection!
CVE-2023-27524: Insecure Default Configuration in Apache Superset Leads to Remote Code Execution. Always change the default key values! Developers, generate random values on first startup to prevent this.
PaperCut CVE-2023-27350 Deep Dive and Indicators of Compromise. If only all patch diffs were this simple. Good write up from initial news to full RCE.
Eating 4 Day Old Sushi - Replicating the SushiSwap Hack. DeFi continues to be the ultimate black hat bug bounty.
CVE-2023-23525: Get Root via A Fake Installer. Fake installers could use the permission granted by users during install to gain root access. Update to macOS 13.3 to apply the fix.
Finding XSS in a million websites (cPanel CVE-2023-29489). Good web vulnerability hunting process in this post. If you liked that you'll also enjoy Exploiting an Order of Operations Bug to Achieve RCE in Oracle Opera.
Never Connect to RDP Servers Over Untrusted Networks. You can collect Net-NTLMv2 without showing a certificate warning (MitM) to the user. Microsoft says this is "by design" and won't fix it.
Creating an IR Nightmare Drop Box. A good drop box can be crucial to success on a physical engagement. For bonus points, wire this up with LoRa as a Side Channel.
So you think you can block Macros?. Macros aren't quite dead yet. Turns out it's pretty hard to completely lock down an arbitrary scripting system that enterprises rely on for business.
Stealing GitHub staff's access token via GitHub Actions. A ten second sleep was all it took to steal some access tokens. Well done!
NightHawk Memory Obfuscation. What's old is new again. titanldr-ng has a Cobalt Strike compatible variant (check out Obf.c).
Avast Anti-Virus privileged arbitrary file create on virus quarantine (CVE-2023-1585 and CVE-2023-1587). You either die a hero or...
Process injection in 2023, evading leading EDRs. Vincent always drops succinct, high quality content.

Tools and Exploits

Introducing BloodHound 4.3 — Get Global Admin More Often. More Azure and MS Graph features!
ScareCrow. Not a new tool but a big update to the payload creation framework for v5.0.
nanodump - Not new, but the recent updates allows for PPL dumping!
DCVC2 - A Golang Discord C2 unlike any other. DCVC2 uses RTP packets over a voice channel to transmit all data leaving no operational traces in text chats.
maskcat - Utility tool for Hashcat Masks and Password Cracking.
mac-monitor - Red Canary Mac Monitor is an advanced, stand-alone system monitoring tool tailor-made for macOS security research. Beginning with Endpoint Security (ES), it collects and enriches system events, displaying them graphically, with an expansive feature set designed to reduce noise.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

highlight - highlight.io: The open source, full-stack monitoring platform. Error monitoring, session replay, logging and more. I haven't seen a self-hostable web session recording system before highlight.
KeePwn - A python tool to automate KeePass discovery and secret extraction.
Maintaining this site fucking sucks. This guy needs my blog CI/CD pipeline. When I finish a blog post it's one command to publish it and set up the env for next week. Maybe, just maybe, you don't need all that javascript (hint: there isn't a single line of functional javascript on this site).

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.