Last Week in Security (LWiS) - 2024-03-25
CI/CD attacks (@bishopfox), IdP pwnage (@_xpn_), on-prem exchange attacks (@Jonas_B_K), Windows privesc (@p1k4l4), SCCM in GOAD (@M4yFly), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-03-18 to 2024-03-25.
News
- Unveiling malware behavior trends - Analyzing a Windows dataset of over 100,000 malicious files by Elastic Security Labs.
- Introducing STAR-FS The Bank of England announced the introduction of a new regulatory framework, STAR-FS, to support the financial sector in its cyber resilience operations.
- GoFetch - A new vulnerability baked into Apple's M-series of chips that allows attackers (and/or userspace applications) to extract secret keys from Macs. It looks like there are mitigation flags that can be set to mitigate this for sensitive cryptographic calls. Time will tell if they are effective/implemented.
- The US Department of Justice is suing Apple — read the full lawsuit here - Will this lead to a more open iOS? Maybe, but it will be years before anything (if anything) changes.
Techniques and Write-ups
- (Anti-)Anti-Rootkit Techniques - Part I: UnKovering mapped rootkits - Part I of a series, that will showcase various anti-rootkit techniques, known through anti-rootkits or anti-cheats, and their implementations in unKover.
- naively bypassing new memory scanning POCs - This blog focuses on in-memory evasion from both offensive and defensive angles, and introduces a simple but effective method to avoid detection by leveraging behaviors similar to legitimate JIT (Just-In-Time) compilation processes
- Poisoned Pipeline Execution Attacks: A Look at CI-CD Environments - This attack vector is 🔥. Internal red teams: Add supply chain to your existing red team roadmap if you haven't already.
- Identity Providers for RedTeamers - A look at popular cloud-based Identify Providers and their attack primitives. Awesome work by Adam Chester of (now) SpecterOps. Very practical to modern operations against SaaS/Remote friendly companies.
- Weaponizing Windows Thread Pool APIs: Proxying DLL Loads Using I/O Completion Callbacks - Proxying DLL loads using the Windows thread pool API with C++/assembly.
- CVE-2024-1212: Unauthenticated Command Injection - In Progress Kemp LoadMaster - Write-up on the Progress Kemp LoadMaster load balancer Unauthenticated command injection vulnerability. A bash script that calls a binary that runs shell commands with system, what could go wrong?
- NamespaceHound: protecting multi-tenant K8s clusters - Open-source tool for detecting the risk of potential namespace crossing violations and anonymous access opportunities in multi-tenant clusters. NamespaceHound is the tool.
- Kerberos I - Overview - Every attackers friend, kerberos. This start of a series on the topic.
- From Error to Entry: Cracking the Code of Password-Spraying Tools - An analysis of the current password spraying tooling and limitations in the error codes they handle. Good reminder for tool authors!
- Abusing the DHCP Administrators Group to Escalate Privileges in Windows Domains - DHCP Administrator to DA under certain conditions.
- Deactivating Cortex XDR via repair function - Without tamper protection its trivial to deactivate Cortex.
- SCCM / MECM LAB - Part 0x0 - An SCCM lab lands in the GOAD universe. A great resource, but you are locked into the rigid setup of GOAD.
- Using Tailscale for persistence - Some great traitorware!
- Read code like a pro with our weAudit VSCode extension - vscode-weaudit is the new VSCode extension from the code auditing pros at Trial of Bits.
Tools and Exploits
- WhoIsWho - Alternatives to the command whoami
- dropper- Project that generates Malicious Office Macro Enabled Dropper for DLL SideLoading and Embed it in Lnk file to bypass MOTW
- Perfect DLL Proxy - Perfect DLL Proxying using forwards with absolute paths. [I'm partial to Spartacus]
- Jigsaw - Hide shellcode by shuffling bytes into a random array and reconstruct at runtime
- IoDllProxyLoad - DLL proxy load example using the Windows thread pool API, I/O completion callback with named pipes, and C++/assembly
- OpenTIDE - Open Threat Informed Detection Engineering is the European Commission DIGIT.S2 (Security Operations) open source initiative to build a rich ecosystem of tooling and data supporting Cyber Threat Detections.
- HttpRemotingObjRefLeak - Additional resources for leaking and exploiting ObjRefs via HTTP .NET Remoting CVE-2024-29059.
- Pwned by the Mail Carrier - Compromising exchange with some defensive guidance on adjusting ACEs to limit Exchange's AD permissions and establishing security boundaries for Tier Zero assets. Jonas is on a tear lately.
- Another Dll Proxying Tool - DLL proxying for lazy people
- nimvoke - Indirect syscalls + DInvoke made simple.
- ActionsCacheBlasting - Proof-of-concept code for research into GitHub Actions Cache poisoning.
- CVE-2023-36424 - Windows Kernel Pool (clfs.sys) Corruption Privilege Escalation.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- SO-CON 2024 - SO-CON 2024 presentations released. Videos coming soon!
- The Top 100+ Developer Tools 2023 - Looking for a research target inspiration? "This year we analyzed well over 12 million data points shared by you - the StackShare community - to bring you these rankings."
- Devika - Devika is an Agentic AI Software Engineer that can understand high-level human instructions, break them down into steps, research relevant information, and write code to achieve the given objective. Devika aims to be a competitive open-source alternative to Devin by Cognition AI.
- VoiceCraft: Zero-Shot Speech Editing and Text-to-Speech in the Wild - VoiceCraft is a token infilling neural codec language model, that achieves state-of-the-art performance on both speech editing and zero-shot text-to-speech (TTS) on in-the-wild data including audiobooks, internet videos, and podcasts. The model weights aren't out yet but should be by the end of the month. This is going to make vishing deadly.
- lumentis - AI powered one-click comprehensive docs from transcripts and text.
- Cobalt Strike Resources - Various resources to enhance Cobalt Strike's functionality and its ability to evade antivirus/EDR detection.
- bincapz - Enumerate binary capabilities, including malicious behaviors.
- Mutual TLS (mTLS) Go client - How to build an mTLS Go client that uses the Windows certificate store.
- Windows vs Linux Loader Architecture - Side-by-side comparison of the Windows and Linux (GNU) Loaders.
- Twikit - Simple API wrapper to interact with twitter's unofficial API. You can log in to Twitter using your account username, email address and password and use most features on Twitter, such as posting and retrieving tweets, liking and following users. Curious on how long this will last.
- tracecat - 😼 The AI-native, open source alternative to Tines / Splunk SOAR.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.