Sep 11 2023 Last Week in Security (LWiS) - 2023-09-11

Zero-click iOS exploits (@citizenlab), in-the-wild Chrome 0day, physical/mobile RE writeup (@elttam), Linux LPE (@SidewayRE), Protected Process Dumper (@tastypepperoni), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-08-28 to 2023-09-11.

News

Mullvad on Tailscale: Privately browse the web - In case the Tailscale/Mullvad fans missed it.
Active North Korean campaign targeting security researchers - Researchers have been and will always be a target. Share with those starting out in security research as well. You opened that project in a disposable VM, right?
DEF CON 31 recordings are out! - In case you missed it.
BLASTPASS NSO Group iPhone Zero-Click, Zero-Day Exploit Captured in the Wild. Another zero click for iOS? Perhaps this prompted the new Apple Security Research Device Program.
Google is aware that an exploit for CVE-2023-4863 exists in the wild.. Not to be left out of the 0day fun, Chrome also got an update to in-the-wild 0day.
Results of Major Technical Investigations for Storm-0558 Key Acquisition. So a debug log contained the key due to a race condition, and it eventually got moved to a compromised machine (or so they think). Did the Storm-0558 actors get "lucky?" I suppose, but if you aren't waiting for a debug log containing the key by having compromised workstations, you won't get "lucky." And then to figure out how to use it to pillage emails from government customers... clearly this APT is serious.

Techniques and Write-ups

Leveraging VSCode Extensions for Initial Access - Targeting developers? Try this for initial access.
Bypassing Defender's LSASS dump detection and PPL protection In Go - A little PPL bypass with sysinternal drivers. Sysinternal drivers tend to flag against EDRs so test before use. Blog came with a tool.
4,500 of the Top 1 Million Websites Leaked Source Code, Secrets - Friendly reminder to include repos and source-code analysis in your recon workflow. Don't forget to try API keys even if they came from a previous commit, the developer may or may not have revoked those keys...
GPOddity: exploiting Active Directory GPOs through NTLM relaying, and more! - "A new versatile attack vector: spoofing GPO location through the gPCFileSysPath attribute." Check out the GPOddity tool release as well.
Lolbins for connoisseurs… Part 2 - Follow up to part 1. Good reminder that LOLbins may be used by other third-part software. This could break basic detections.
Revisiting the User-Defined Reflective Loader Part 2: Obfuscation and Masking - "...introduced the User-Defined Reflective Loader Visual Studio (UDRL-VS) template"
RE of LR3 - Peeking under the bonnet of the Litter Robot 3. Great, in depth, physical and mobile app hacking.
Old bug, shallow bug: Exploiting Ubuntu at Pwn2Own Vancouver 2023. A great Linux LPE write up and exploit code as well. This is the first LPE I've seen written in Go!
From NTAuthCertificates to “Silver” Certificate. Some novel if not too sneaky persistence for a Windows domain.
Shadow Wizard Registry Gang: Structured Registry Querying. Full steam ahead with the structured data train. Really excited to watch (and help?) Nemesis expand. The day tools adapt to it as the industry standard we'll know it has won.

Tools and Exploits

guestlist - Labor day release from a DEF CON 31 talk. A tool for identifying guest relationships between companies.
ETWListicle - List the ETW provider(s) in the registration table of a process.
Issue 2451: Windows: System Drive Replacement During Impersonation EoP. Windows LPE patched 2023-08-14 with PoC.
Introducing Session Hijacking Visual Exploitation (SHVE): An Innovative Open-Source Tool for XSS Exploitation. This is the coolest browser tool since the OG beef and Shadow Workers.
Introducing Free Attack Surface Recon API by RedHunt Labs. Limited for now but free!
caldera-ot - Caldera OT Plugin & Capabilities.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

PurpleOps - An open-source self-hosted purple team management web application.
Sekiryu - Comprehensive toolkit for Ghidra headless.
Supernova - Real shellcode encryption tool.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.