Last Week in Security (LWiS) - 2024-03-18
Windows patch diffing (@clearbluejar), FileCatalyst RCE (@Nettitude_Labs), Windows/Frida course (@FuzzySec), Tor WebTunnel bridges (@torproject), Pixel 7/8 Pro exploit (@_simo36), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-03-11 to 2024-03-18.
News
- Stay ahead of the game with the latest updates to the Microsoft 365 Developer Program - Changes in the M365 Developer Program. What used to be a free M365 developer subscription is now a paywalled service; it requires an active subscription to Visual Studio Enterprise.
- Nuclei v3.2 Release with Authenticated Scanning, Advanced Fuzzing & more - Authenticated scanning support is great. Nuclei is a great example of the power of open-source.
- Open Release of Grok-1 - This is the raw base model checkpoint from the Grok-1 pre-training phase, which concluded in October 2023. This means that the model is not fine-tuned for any specific application, such as dialogue. It's up to you to determine if this is a PR play as Grok isn't useful for much that other smaller open source models can't do.
- SVG Files Abused in Emerging Campaigns - How TAs are using SVGs for HTML smuggling.
- Tor's new WebTunnel bridges mimic HTTPS traffic to evade censorship - A new censorship resistant method to connect to the Tor network!
- Using socially responsible marketing to fund non-commercial open source security tools - I dig this and it's working since they are getting "free" marketing out of it right now.
- New course: "Windows Instrumentation with Frida" - @FuzzySec is a well-known researcher who has put out great content and tools. Excited to dig into this offering.
Techniques and Write-ups
- Attacking Android - Blog post on some common attack vectors if you're assessing Android environments.
- Summoning RAGnarok With Your Nemesis - A Nemesis powered Retrieval-Augmented Generation (RAG) chatbot.
- Security Flaws within ChatGPT Ecosystem Allowed Access to Accounts On Third-Party Websites and Sensitive Data - Write-up on vulnerabilities found during this research on the ChatGPT ecosystem, including 0-click attacks. Note these flaws are in the earlier "plugins", not the custom "GPTs" feature commonly seen today.
- 2024 Threat Detection Report - Red Canary's 2024 Threat Detection Report. Emphasis on "Detection". Take a look at their most commonly identified tools. If you're a red teamer using unmodified versions of those tools, consider yourself caught. Another interesting comment in this report: "Our new industry analysis showcases how adversaries reliably leverage the same small set of 10-20 techniques against organizations, regardless of their sector or industry." Red teamers don't need a bunch of fancy techniques. Stick to a few OPSEC friendly/effective techniques and focus on your objectives.
- Discovering Deserialization Gadget Chains in Rubyland - Write-up that details the process and insights gained from creating a Ruby deserialization gadget chain from scratch, utilizing libraries such as action_view, active_record, dry-types, and eventmachine, to demonstrate deserialization exploitation in Ruby apps.
- Fortinet FortiWLM Deep-Dive, IOCs, and the Almost Story of the “Forti Forty” - Technical analysis of some recent patched and unpatched (sigh) Fortinet vulnerabilities. Of course there is unauthenticated RCE as root...
- Azure Deployment Scripts: Assuming User-Assigned Managed Identities - Over-permissioned deployment scripts and User-Assigned Managed Identities enable privilege escalation.
- Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns - How poor OPSEC by threat actors against AWS burned them. IoCs at the end for all defenders.
- LTair: The LTE Air Interface Tool - LTair, a tool that allows NCC Group to perform different attacks on the LTE Control Plane via the air interface. Niche assessment type. Looks neat but the tool isn't actually released yet?
- Patch Tuesday Diffing: CVE-2024-20696 - Windows Libarchive RCE - A nice post on patch diffing Windows DLLs.
- CVE-2024-25153: Remote Code Execution in Fortra FileCatalyst - String obfuscation will not save you from logic bugs like path traversal.
- [PDF] GhostRace: Exploiting and Mitigating Speculative Race Conditions - These speculative execution style bugs have seemingly no end.
Tools and Exploits
- BlueSpy - Proof of concept to record and replay audio from a Bluetooth device without the legitimate user's awareness.
- Introducing AzurEnum - The latest Azure tool - Intended to give pentesters/red teamers a good idea of the main security issues of an Azure tenant and its permission structure. The code is here.
- Gungnir - Gungnir is a command-line tool written in Go that continuously monitors certificate transparency (CT) logs for newly issued SSL/TLS certificates.
- SymProcAddress - Zero EAT touch way to retrieve function addresses (GetProcAddress on steroids).
- anfs - Asynchronous NFSv3 client in pure Python.
- Pixel_GPU_Exploit - Android 14 kernel exploit for Pixel 7/8 Pro.
- GamingServiceEoP - Exploit for arbitrary folder move in the GamingService component of Xbox. GamingService is not a default service. If the service is installed on a system, it allows low-privilege users to escalate to system.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- Mythic Community Overview - Mythic agent capability matrix. Cool project for those that develop their own agents for Mythic.
- localsend - An open-source cross-platform alternative to AirDrop.
- FindMeAccess - Finding gaps in Azure/M365 MFA requirements for different resources, client ids, and user agents. The tool is mostly based off Spray365's auditing logic.
- PurpleLab - PurpleLab is an efficient and readily deployable lab solution, providing a swift setup for cybersecurity professionals to test detection rules, simulate logs, and undertake various security tasks, all accessible through a user-friendly web interface.
- DetectDee - Hunt down social media accounts by username, email or phone across social networks.
- Moriarty - Moriarty is designed to enumerate missing KBs, detect various vulnerabilities, and suggest potential exploits for Privilege Escalation in Windows environments.
- Miaow - Project Miaow is a proof of concept to escalate privileges in Microsoft Azure using an ARM template deployment.
- Payload Wizard - AI assistant that utilizes GPT language models to interpret and generate cybersecurity payloads 🪄. GitHub repo is here.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.