Last Week in Security (LWiS) - 2024-03-11
Midnight Blizzard vs Microsoft, Fuzzer dev (@h0mbre_), Browserless Entra flow (@_wald0), SCCM one-stop-shop (@subat0mik + @_Mayyhem + @garrfoster), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-03-04 to 2024-03-11.
News
- Incognito Darknet Market Mass-Extorts Buyers, Sellers - Getting your darknet market shut down is the worst thing that can happen, right? What if the market operators then extort both the buyers and sellers? We'll see if this becomes the largest darknet market data dump ever on April 1st.
- Update on Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard - Russian actors are still all up in Microsoft, this time using "secrets of different types" to gain access to source code and "internal systems."
- Chinese National Residing in California Arrested for Theft of Artificial Intelligence-Related Trade Secrets from Google - Defendant allegedly pilfered technology from Google while secretly working for two PRC-based technology companies.
Techniques and Write-ups
- Say Friend and Enter: Digitally lockpicking an advanced smart lock (Part 2: discovered vulnerabilities) - Digital locks are vulnerable to a variety of attacks, but for most threat models a brick is a bigger threat than an exposed debug port.
- Fuzzer Development 3: Building Bochs, MMU, and File I/O - Must-read series if you are at all interested in fuzzers.
- YARP as a C2 Redirector - C2 redirectors via the YARP project. This was the solution built by Microsoft for internal engineers to use as a reverse proxy. Potential option for your team to explore if you're migrating away from Apache/nginx rewrite rules.
- MacOS Malware Dev - This article explores macOS malware development, covering the architecture, security features, and coding practices. Good read!
- Leaking NTLM Credentials Through Windows Themes - This was patched in January (CVE-2024-21320) but serves as a reminder that NTLM will continue to be a pain point until eliminated.
- Git-Rotate: Leveraging GitHub Actions for Password Spraying - Good way to burn your GitHub account, but this outside-the-box thinking is awesome.
- Power Query for Red Teamers: Unleashing the Potential of M Language and Macros - This blog post explores Power Query's potential for red teamers, emphasizing the M language for data manipulation and macros for actionable insights.
- Network tunneling with… QEMU? - Creative way of using QEMU for internal access.
- Smishing with EvilGophish - Using EvilGophish to send those pesky texts. I wonder how many red teams are actually simulating/emulating this attack vector.
- Browserless Entra Device Code Flow - Performing every step in Entra's OAuth 2.0 Device Code flow — including the user authentication steps — without a browser!
- Hijacking & Spoofing Context Menu Options - Hijacking SentinelOne's “Scan For Threats” context menu option and creating your own option for persistence.
- Unwelcome Guest: Abusing Azure Guest Access to Dump Users, Groups, and more - Friendly reminder of what guest access can do for your organization. Guest access enumeration and attack vectors have been around for quite some time.
- Event Tracing for Windows (ETW): Your Friendly Neighborhood IPC Mechanism - Using ETW as your C2 communication channel? Wicked. No PoC was released, but it does spark some discussion and thought about what lateral movement traffic should look like to avoid detection.
- Misconfiguration Manager: Overlooked and Overprivileged - :fire: The SpecterOps team is crushing it. This introduces an SCCM attack matrix and standardizes SCCM attack naming.
- Building a AITM attack tool in Cloudflare Workers (174 LOC) - The research on MITM detection and attacks keeps ramping up. This gist (cloudflare-worker-proxy.js) contains the PoC. Very powerful attack.
- CVE-2024-21378 — Remote Code Execution in Microsoft Outlook - NetSPI's write-up on how they discovered CVE-2024-21378, an authenticated RCE vulnerability via synced form objects.
- NextChat: An AI Chatbot That Lets You Talk to Anyone You Want To - Unpatched SSRF details disclosed for ChatGPT-Next-Web. Seems like a popular open-source project for those wanting a ChatGPT UI.
- WebAssembly Smuggling: It WASM't me - Take your HTML smuggling to the next level with WebAssembly. Now your smuggling can make the White House happy since you can write it in Rust.
Tools and Exploits
- Parasite-Invoke - Hide your P/Invoke signatures through other people's signed assemblies
- ADeleginator - A companion tool that uses ADeleg to find insecure trustee and resource delegations in Active Directory
- Misconfiguration Manager - Misconfiguration Manager is a central knowledge base for all known Microsoft Configuration Manager tradecraft and associated defensive and hardening guidance.
- yasha - Yet another security header analyzer.
- nemesis - Nemesis agent for Mythic.
- NimPlant v1.3 - "a lot of code refactoring and various enhancements."
- brew-lpe-via-periodic - Brew Local Privilege Escalation exploit on Intel macOS.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- Are We Helping? Interesting perspective. Thought provoking notes about the current state of infosec.
- Freyja Purple Team Agent - Freyja is a Golang purple team agent that compiles into Windows, Linux and macOS x64 executables.
- Introducing CloudGrappler: A Powerful Open-Source Threat Detection Tool for Cloud Environments - Potential framework for those smaller teams that need a solution to look for known evil in their cloud environments. The question is, where do you get those indicators while they're still relevant?
- gitlab-secrets - This tool analyzes a given Gitlab repository and searches for dangling or force-pushed commits containing potential secret or interesting information.
- dockerc - Container image to single executable compiler.
- PoolParty - A set of fully-undetectable process injection techniques abusing Windows Thread Pools.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.