Feb 26 2024 Last Week in Security (LWiS) - 2024-02-26

News

• ConnectWise ScreenConnect Vulnerabilities - What is there to say about this except 🤦.

  • ConnectWise ScreenConnect: Authentication Bypass Deep Dive
  • Unauthenticated RCE exploit module for ConnectWise ScreenConnect (CVE-2024-1709)
  • A Catastrophe For Control: Understanding the ScreenConnect Authentication Bypass

• Feds Seize LockBit Ransomware Websites, Offer Decryption Tools, Troll Affiliates - LockBit is now the third major ransomware takedown. Love to see it.

• New Leak Shows Business Side of China's APT Menace - This is about the i-SOON leak from last week (which has been removed from GitHub...). See also: Srsly Risky Biz: China's free market espionage machine and Unmasking I-Soon.

• Keep your phone number private with Signal usernames. "You will still need a phone number to register for Signal." SimpleX is still the winner when it comes to fully anonymous chat/audio/video calls.

• FTC hits Avast with $16.5 million fine over allegations of selling users' browsing data - "extremely detailed re-identifiable data". This is interesting coming from an endpoint security vendor who's business is consumer based.

• iMessage with PQ3: The new state of the art in quantum-secure messaging at scale - Apple continues to up its game with security. Do push notifications next please.

Techniques and Write-ups

• Cloud storage - never fails to surprise - Some truly horrific finds in the world of open bucket storage.
• “To live is to fight, to fight is to live! - IBM ODM Remote Code Execution - Java deserialization and JNDI Injection, classics.
• Multi-modal prompt injection image attacks against GPT-4V - Prompt injections come for images and soon, video.
• Pluralistic: How I got scammed (05 Feb 2024) - Don't ever get too cocky and thing it can't happen to you just because you work in security. Cory literally writes books on scams. At least it wasn't $50,000 in a shoe box.
• SCCM Hierarchy Takeover with High Availability - SCCM is the gift that keeps on giving.
• re: Zyxel VPN Series Pre-auth Remote Command Execution - At least this SSL VPN pre-auth RCE is "limited" to an "unusual configuration."
• Pivoting from Microsoft Cloud to On-Premise Machines - This is the opposite direction of the typical lateral movement path, but as everything goes "cloud-first" it may become the more common path.
• Initial Access Operations Part 1: The Windows Endpoint Defense Technology Landscape - Looking forward to this series. Initial access is certainly one of the fastest moving targets for the offsec community.
• Astaroth, Mekotio & Ousaban abusing Google Cloud Run in LATAM-focused malware campaigns - Serverless infrastructure being used by TAs to deliver payloads? Ya don't say.... Great write-up by Talos. Appreciate the statistics on how often they're seeing this.
• AWS Ransomware - Moving ransomeware operations to cloud infrastructure. Let the cycle continue!
• Extending (and Detecting) PersistAssist: Act II - WMI event subscriptions are usually not as detected as more popular persistence mechanisms on Windows in my experience.
• Hello: I'm your ADCS server and I want to authenticate against you - A fresh potato drop (ADCSCoercePotato) and new coercion method. Mind the limitations, as DFSCoerce will likely be more applicable, but good to have options!
• Extracting PEAP Credentials from Wired Network Profiles - A deep dive into DPAPI and even some Ghidra reversing to extract wired PEAP credentials from Windows.

Tools and Exploits

• RepoReaper - RepoReaper is an automated tool crafted to meticulously scan and identify exposed .git repositories within specified domains and their subdomains.
• CVE-2023-7235: OpenVPN 2.x GUI privilege escalation possible if installed outside default installation path on Windows - Less commonly seen than "enterprise" VPNs, OpenVPN is still prevalent.
• CrimsonEDR - Simulate the behavior of AV/EDR for malware development training.
• brutespray - Bruteforcing from various scanner output - Automatically attempts default creds on found services.
• SpawnWith - An experimental Beacon Object File (BOF) that provides an alternative to the spawnas and inject commands.
• Bloodhound CE JSON Uploader - A small go tool to upload JSON files to the BloodHound community edition API.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• SploitScan - is a sophisticated cybersecurity utility designed to provide detailed information on vulnerabilities and associated proof-of-concept (PoC) exploits.
• greenmask - PostgreSQL dump and obfuscation tool.
• wddbfs - Mount a sqlite database as a filesystem.
• ADeleg - Active Directory delegation management tool
• Projected File System - Solid write up on the ProjFS provider which provides various types of data to access with I/O APIs.
• 365Inspect - A PowerShell script that automates the security assessment of Microsoft Office 365 environments.
• go-secdump - Tool to remotely dump secrets from the Windows registry
• SmuggleFuzz - A customizable and rapid HTTP downgrade smuggling scanner written in Go.
• AzureAssess - "...gain a comprehensive understanding of your Azure resources and their security configurations."
• Subdominator - "The Internets #1 Subdomain Takeover Tool"

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.