Jun 15 2023 Last Week in Security (LWiS) - 2023-06-15

News

MOVEIt

• Patch Diffing Progress MOVEIt Transfer RCE (CVE-2023-34362)
• MOVEIt Transfer RCE Part Two (CVE-2023-34362)
• MOVEit! An Overview of CVE-2023-34362
• CVE-2023-34362: MOVEit Transfer SQL Injection Vulnerability Threat Brief (Updated)
• MOVEit Transfer CVE-2023-34362 Deep Dive and Indicators of Compromise

• Barracuda Urges Replacing — Not Patching — Its Email Security Gateways. Yikes.
• Analysis of CVE-2023-27997 and Clarifications on Volt Typhoon Campaign. Also yikes.
• Operation Triangulation: iOS devices targeted with previously unknown malware. Related: Russian FSB Accuses U.S. of Hacking Thousands of iPhones in Russia
• Announcing the Chrome Browser Full Chain Exploit Bonus. $180,000 for a full chain Chrome exploit? Seems low.
• Time to challenge yourself in the 2023 Google CTF!
• Google Trust Services ACME API available to all users at no cost
• Kali Linux 2023.2 Release (Hyper-V & PipeWire)
• Volt Typhoon targets US critical infrastructure with living-off-the-land techniques
• VMware ESXi Zero-Day Used by Chinese Espionage Actor to Perform Privileged Guest Operations on Compromised Hypervisors

Techniques and Write-ups

• Messing Around With AWS Batch For Privilege Escalations
• Abusing undocumented features to spoof PE section headers
• CodeQL zero to hero part 2: getting started with CodeQL
• [PDF] UTOPIA: Automatic Generation of Fuzz Driver using Unit Tests. Finally a paper that actually released the source code.
• How I choose a security research topic
• A More Complete Exploit for Fortinet CVE-2022-42475
• Active Directory Spotlight: Attacking The Microsoft Configuration Manager (SCCM/MECM). Don't skip this one.
• Obtaining Domain Admin from Azure AD by abusing Cloud Kerberos Trust
• Ligolo: Quality of Life on Red Team Engagements
• Red Team Story Time!. You don't even need code execution to get impactful data compromise.
• CVE-2022-32902: Patch One Issue and Introduce Two
• Pre-authenticated RCE in VMware vRealize Network Insight CVE-2023-20887
• Understanding Telemetry: Kernel Callbacks
• Less SmartScreen More Caffeine: (Ab)Using ClickOnce for Trusted Code Execution. Great "new" initial access method.
• Bypassing An Industry-Leading WAF and Exploiting SQLi
• OneDrive to Enum Them All
• Reverse Engineering Terminator aka Zemana AntiMalware/AntiLogger Driver
• can I speak to your manager? hacking root EPP servers to take control of zones

Tools and Exploits

• CVExploits Search - Your comprehensive database for CVE exploits from across the internet.
• cloudfoxable - Create your own vulnerable by design AWS penetration testing playground.
• CVE-2023-2825 - GitLab CVE-2023-2825 PoC. This PoC leverages a path traversal vulnerability to retrieve the /etc/passwd file from a system running GitLab 16.0.0.
• CVE-2023-20887 - VMWare vRealize Network Insight Pre-Authenticated RCE (CVE-2023-20887).
• elevationstation - elevate to SYSTEM any way we can!
• SharpFtpC2 - A Streamlined FTP-Driven Command and Control Conduit for Interconnecting Remote Systems.
• limba - compile-time control flow obfuscation using mba.
• Banshee - Experimental Windows x64 Kernel Driver/Rootkit.
• RDPCredentialStealer - steals credentials provided by users in RDP using API Hooking with Detours in C++.
• HiddenDesktop - HVNC for Cobalt Strike.
• DropSpawn_BOF - CobaltStrike BOF to spawn Beacons using DLL Application Directory Hijacking.
• Terminator - Reproducing Spyboy technique to terminate all EDR/XDR/AVs processes.
• superman - Kill processes protected by antivirus during offensive activities.
• Blackout - kill anti-malware protected processes (BYOVD).
• EPI - Process injection through entry points hijacking.
• Ruy-Lopez This repository contains the Proof-of-Concept(PoC) for a new approach to completely prevent DLLs from being loaded into a newly spawned process.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• mcfridafee
• plane - Open Source JIRA, Linear and Height Alternative. Plane helps you track your issues, epics, and product roadmaps in the simplest way possible.
• PythonMemoryModule - pure-python implementation of MemoryModule technique to load dll and unmanaged exe entirely from memory.
• deepsecrets - Secrets scanner that understands code.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.