Last Week in Security (LWiS) - 2024-02-26
ConnectWise Vulnerabilities, open buckets (@pfiatde), SCCM takeover (@garrfoster), cloud to on-prem pivot (@chiragsavla94), WMI persistence (@Gr1mmie), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-02-19 to 2024-02-26.
News
- ConnectWise ScreenConnect Vulnerabilities - What is there to say about this except 🤦. 
- Feds Seize LockBit Ransomware Websites, Offer Decryption Tools, Troll Affiliates - LockBit is now the third major ransomware takedown. Love to see it. 
- New Leak Shows Business Side of China's APT Menace - This is about the i-SOON leak from last week (which has been removed from GitHub...). See also: Srsly Risky Biz: China's free market espionage machine and Unmasking I-Soon. 
- Keep your phone number private with Signal usernames. "You will still need a phone number to register for Signal." SimpleX is still the winner when it comes to fully anonymous chat/audio/video calls. 
- FTC hits Avast with $16.5 million fine over allegations of selling users' browsing data - "extremely detailed re-identifiable data". This is interesting coming from an endpoint security vendor whose business is consumer-based.
- iMessage with PQ3: The new state of the art in quantum-secure messaging at scale - Apple continues to up its game with security. Do push notifications next please. 
Techniques and Write-ups
- Cloud storage - never fails to surprise - Some truly horrific finds in the world of open bucket storage.
- “To live is to fight, to fight is to live!” - IBM ODM Remote Code Execution - Java deserialization and JNDI Injection, classics.
- Multi-modal prompt injection image attacks against GPT-4V - Prompt injections come for images and soon, video.
- Pluralistic: How I got scammed (05 Feb 2024) - Don't ever get too cocky and think it can't happen to you just because you work in security. Cory literally writes books on scams. At least it wasn't $50,000 in a shoe box.
- SCCM Hierarchy Takeover with High Availability - SCCM is the gift that keeps on giving.
- re: Zyxel VPN Series Pre-auth Remote Command Execution - At least this SSL VPN pre-auth RCE is "limited" to an "unusual configuration."
- Pivoting from Microsoft Cloud to On-Premise Machines - This is the opposite direction of the typical lateral movement path, but as everything goes "cloud-first" it may become the more common path.
- Initial Access Operations Part 1: The Windows Endpoint Defense Technology Landscape - Looking forward to this series. Initial access is certainly one of the fastest moving targets for the offsec community.
- Astaroth, Mekotio & Ousaban abusing Google Cloud Run in LATAM-focused malware campaigns - Serverless infrastructure being used by TAs to deliver payloads? Ya don't say.... Great write-up by Talos. Appreciate the statistics on how often they're seeing this.
- AWS Ransomware - Moving ransomware operations to cloud infrastructure. Let the cycle continue!
- Extending (and Detecting) PersistAssist: Act II - WMI event subscriptions are usually not detected as well as more popular persistence mechanisms on Windows, in my experience.
- Hello: I'm your ADCS server and I want to authenticate against you - A fresh potato drop (ADCSCoercePotato) and new coercion method. Mind the limitations, as DFSCoerce will likely be more applicable, but good to have options!
- Extracting PEAP Credentials from Wired Network Profiles - A deep dive into DPAPI and even some Ghidra reversing to extract wired PEAP credentials from Windows.
Tools and Exploits
- RepoReaper - RepoReaper is an automated tool crafted to meticulously scan and identify exposed .git repositories within specified domains and their subdomains.
- CVE-2023-7235: OpenVPN 2.x GUI privilege escalation possible if installed outside default installation path on Windows - Less commonly seen than "enterprise" VPNs, OpenVPN is still prevalent.
- CrimsonEDR - Simulate the behavior of AV/EDR for malware development training.
- brutespray - Bruteforcing from various scanner output - Automatically attempts default creds on found services.
- SpawnWith - An experimental Beacon Object File (BOF) that provides an alternative to the spawnas and inject commands.
- Bloodhound CE JSON Uploader - A small Go tool to upload JSON files to the BloodHound community edition API.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- SploitScan - A sophisticated cybersecurity utility designed to provide detailed information on vulnerabilities and associated proof-of-concept (PoC) exploits.
- greenmask - PostgreSQL dump and obfuscation tool.
- wddbfs - Mount a SQLite database as a filesystem.
- ADeleg - Active Directory delegation management tool.
- Projected File System - Solid write up on the ProjFS provider which provides various types of data to access with I/O APIs.
- 365Inspect - A PowerShell script that automates the security assessment of Microsoft Office 365 environments.
- go-secdump - Tool to remotely dump secrets from the Windows registry.
- SmuggleFuzz - A customizable and rapid HTTP downgrade smuggling scanner written in Go.
- AzureAssess - "...gain a comprehensive understanding of your Azure resources and their security configurations."
- Subdominator - "The Internets #1 Subdomain Takeover Tool"
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.