Jan 10 2024 Last Week in Security (LWiS) - 2024-01-10

QR phishing (@pfiatde), SOCKS as C2 via SSH on Windows (@n00py1), Google Account takeover with persistence (@e11i0t_), Bitwarden access without password (@RedTeamPT), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-01-01 to 2024-01-10.

News

This AI Chatbot is Trained to Jailbreak Other Chatbots. When the AIs fight, humans win?
Twitter Hacks
- Mandiant's X (Twitter) Account Hacked to Promote Crypto Scam
- SEC says 'compromised' account to blame for tweet approving Bitcoin ETF
Compromising Google Accounts: Malwares Exploiting Undocumented OAuth2 Functionality for session hijacking. And you thought Microsoft primary refresh tokens were powerful...
NPM registry prank leaves developers unable to unpublish packages. A package that depended on every package on npm eventually got a circular dependency going and could not be removed. This also caused all public packages to be unable to be removed for a while.

Techniques and Write-ups

The Mac Malware of 2023 👾 - A technical deep dive into every new macOS malware specimen of 2023.
Crafting Malicious Pluggable Authentication Modules for Persistence, Privilege Escalation, and Lateral Movement - How PAM (Pluggable Authentication Modules) can be harnessed to create malicious binaries for capturing credentials to use in persistence, privilege escalation, and lateral movement.
Entra ID Connect Arbitrary Password Overwrite - Did you compromise the AADConnect Server and want to pivot to Azure without having to crack NT hashes? Overwrite any users NT hash with an attacker-controlled value and give yourself access to the organizations Azure subscription as the compromised user.
Research Uncovers AWS Account Numbers Hidden in Access Keys - Some recent updates to trufflehog because of "...simple base-32 decoding and bit shifting can transform any AWS access key credential type into the corresponding account number."
Automating Managed Identity Token Extraction in Azure Container Registries - Azure Container Registries (ACRs) can have attached Managed Identities and you can create malicious tasks in the ACR that generate and export tokens for the Managed Identities. New function added to MicroBurst.
PRT Abuse from Userland with Cobalt Strike - How to acquire an Azure AD Single Sign-On session from a non-privileged user session on a victim host. The token is later used to enumerate Azure AD via ROADTools.
Phishing mobile devices, with DeviceCode phishing and QR codes. Get yourself some Primary-Refresh-Tokens and plunder the GraphAPI.
Exploring Counter-Strike: Global Offensive Attack Surface. Good exploit development content. Disappointing vulnerability management by Valve.
The SOCKS We Have at Home. As EDR gets better "C2s" that are just network bridges are becoming more popular.
SafeHandle vs IntPtr. How safe are your C# handles?
Cypher Queries in BloodHound Enterprise. Don't worry, it applies to open source BloodHound too.
Bitwarden Heist - How to Break Into Password Vaults Without Using Passwords. If Windows Hello was enabled (fixed in October 2023) for Bitwarden, DPAPI could be used to extract a key that would unlock the vault without any user authentication or biometric prompts.
How I pwned half of America's fast food chains, simultaneously.. To be fair it was the AI hiring chat bots/backend for a bunch of fast food chains, but still.

Tools and Exploits

CVE-MAKER - Tool to find CVEs and Exploits. It's a CLI.
SharpGhostTask - A C# port from Invoke-GhostTask.
Handly - Abuse leaked token handles. Token handles in MSSQL's process (sqlservr.exe) can be abused to change security context and escalate privileges both locally and in the domain.
SSH-Snake - A self-propagating, self-replicating, file-less script that automates the post-exploitation task of SSH private key and host discovery.
Swarm - Formerly known as axiom, swarm is the next generation of distributed cloud scanning and attack surface monitoring.
Moriarty - Moriarty is a comprehensive .NET tool that extends the functionality of Watson and Sherlock, originally developed by @_RastaMouse. It is designed to enumerate missing KBs, detect various vulnerabilities, and suggest potential exploits for Privilege Escalation in Windows environments.
pendulum - Linux Sleep Obfuscation.
CanaryTokenScanner - CanaryTokenScanner is a script designed to proactively identify Canary Tokens within office documents (docx, xlsx, pptx).

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

One Supply Chain Attack to Rule Them All - How self-hosted runners + supply chain attack led to these bounty hunters pwning a ton of orgs. Dope write-up!
sessionprobe - A multi-threaded tool designed for penetration testing and bug bounty hunting. It evaluates user privileges in web applications by taking a session token and checking access across a list of URLs, highlighting potential authorization issues.
msoffcrypto-tool - Python tool and library for decrypting MS Office files with passwords or other keys.
ContinuousMage - Continuousmage is automated testing PoC for the Mythic framework.
jsluice - Extract URLs, paths, secrets, and other interesting bits from JavaScript.
COFF-Loader - A reimplementation of Cobalt Strike's Beacon Object File (BOF) Loader.
DirtyCLR - An App Domain Manager Injection DLL PoC on steroids and it came with a blog post.
deskhop - Fast Desktop Switching Device.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.