Last Week in Security (LWiS) - 2023-06-15
A month's worth of news, techniques, tools and exploits!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week(s). This post covers 2023-05-22 to 2023-06-15.
News
- MOVEit
- Barracuda Urges Replacing — Not Patching — Its Email Security Gateways. Yikes.
- Analysis of CVE-2023-27997 and Clarifications on Volt Typhoon Campaign. Also yikes.
- Operation Triangulation: iOS devices targeted with previously unknown malware. Related: Russian FSB Accuses U.S. of Hacking Thousands of iPhones in Russia
- Announcing the Chrome Browser Full Chain Exploit Bonus. $180,000 for a full chain Chrome exploit? Seems low.
- Time to challenge yourself in the 2023 Google CTF!
- Google Trust Services ACME API available to all users at no cost
- Kali Linux 2023.2 Release (Hyper-V & PipeWire)
- Volt Typhoon targets US critical infrastructure with living-off-the-land techniques
- VMware ESXi Zero-Day Used by Chinese Espionage Actor to Perform Privileged Guest Operations on Compromised Hypervisors
Techniques and Write-ups
- Messing Around With AWS Batch For Privilege Escalations
- Abusing undocumented features to spoof PE section headers
- CodeQL zero to hero part 2: getting started with CodeQL
- [PDF] UTOPIA: Automatic Generation of Fuzz Driver using Unit Tests. Finally a paper that actually released the source code.
- How I choose a security research topic
- A More Complete Exploit for Fortinet CVE-2022-42475
- Active Directory Spotlight: Attacking The Microsoft Configuration Manager (SCCM/MECM). Don't skip this one.
- Obtaining Domain Admin from Azure AD by abusing Cloud Kerberos Trust
- Ligolo: Quality of Life on Red Team Engagements
- Red Team Story Time! You don't even need code execution to get impactful data compromise.
- CVE-2022-32902: Patch One Issue and Introduce Two
- Pre-authenticated RCE in VMware vRealize Network Insight CVE-2023-20887
- Understanding Telemetry: Kernel Callbacks
- Less SmartScreen More Caffeine: (Ab)Using ClickOnce for Trusted Code Execution. Great "new" initial access method.
- Bypassing An Industry-Leading WAF and Exploiting SQLi
- OneDrive to Enum Them All
- Reverse Engineering Terminator aka Zemana AntiMalware/AntiLogger Driver
- can I speak to your manager? hacking root EPP servers to take control of zones
Tools and Exploits
- CVExploits Search - Your comprehensive database for CVE exploits from across the internet.
- cloudfoxable - Create your own vulnerable by design AWS penetration testing playground.
- CVE-2023-2825 - GitLab CVE-2023-2825 PoC. This PoC leverages a path traversal vulnerability to retrieve the /etc/passwd file from a system running GitLab 16.0.0.
- CVE-2023-20887 - VMware vRealize Network Insight Pre-Authenticated RCE (CVE-2023-20887).
- elevationstation - elevate to SYSTEM any way we can!
- SharpFtpC2 - A Streamlined FTP-Driven Command and Control Conduit for Interconnecting Remote Systems.
- limba - compile-time control flow obfuscation using mba.
- Banshee - Experimental Windows x64 Kernel Driver/Rootkit.
- RDPCredentialStealer - steals credentials provided by users in RDP using API Hooking with Detours in C++.
- HiddenDesktop - HVNC for Cobalt Strike.
- DropSpawn_BOF - CobaltStrike BOF to spawn Beacons using DLL Application Directory Hijacking.
- Terminator - Reproducing Spyboy technique to terminate all EDR/XDR/AVs processes.
- superman - Kill processes protected by antivirus during offensive activities.
- Blackout - kill anti-malware protected processes (BYOVD).
- EPI - Process injection through entry points hijacking.
- Ruy-Lopez - This repository contains the Proof-of-Concept (PoC) for a new approach to completely prevent DLLs from being loaded into a newly spawned process.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- mcfridafee
- plane - Open Source JIRA, Linear and Height Alternative. Plane helps you track your issues, epics, and product roadmaps in the simplest way possible.
- PythonMemoryModule - pure-python implementation of MemoryModule technique to load dll and unmanaged exe entirely from memory.
- deepsecrets - Secrets scanner that understands code.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.