Last Week in Security (LWiS) - 2024-04-08
Evilginx + GoPhish (@mrgretzky), Ghostwriter updates (@cmaddalena), Intune EPM privesc (@synzack21 + team), 🎣 page bot defense (@fin3ss3g0d), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-04-01 to 2024-04-08.
News
- Pixel Update Bulletin—April 2024 - "There are indications that the following may be under limited, targeted exploitation." Update those Pixels!
- The Incognito Mode Myth Has Fully Unraveled - Google settles a lawsuit about Incognito Mode by agreeing to delete "billions of data records" the company collected while users browsed the web using Incognito mode. This implies that the data was tagged as being collected while the browser was in incognito mode.
- Fighting cookie theft using device bound sessions - Google's Device Bound Session Credentials (DBSC) proposal ties a browser session to a key pair whose private key lives in the device's TPM, so a cookie lifted off disk or out of memory can't simply be replayed from the attacker's machine. Cookie theft from Chrome-based browsers could get a lot harder on computers with a TPM.
Techniques and Write-ups
- EvilGophish's Approach to Advanced Bot Detection with Cloudflare Turnstile - Using commercial products designed to stop bots to protect phishing infrastructure from scanners and bots is clever. Why re-invent the wheel?
- Security research without ever leaving GitHub: From code scanning to CVE via Codespaces and private vulnerability reporting - You can do CodeQL scanning and even development in Codespaces all from your browser. The era of the centralized, time-sharing computer is back! Mainframes got replaced with "the cloud" and web browsers are the new IBM 3270 terminals.
- Ghostwriter v4.1: The Custom Fields Update - The Ghostwriter documentation automation web-app just got a lot more customizable, as you can extend the data models easily in 4.1, and now any formatted text fields support Jinja2 templates!
- Getting Intune with Bugs and Tokens: A Journey Through EPM - Four SpecterOps researchers looked into Microsoft Intune Endpoint Privilege Management (EPM) and found a privilege escalation vulnerability.
- Kobold Letters - Why HTML emails are a risk to your organization - CSS in an HTML email can hide text (the write-up uses a kobold-letter class) that only becomes visible once the mail is forwarded: forwarding clients wrap the quoted original in their own container elements, and the email's stylesheet is written so the reveal rule matches only inside that wrapper. The recipient sees an innocuous message; the person it gets forwarded to sees something else. A powerful primitive for phishing.
- Em Eye: Eavesdropping on Security Camera via Unintentional Rf Emissions - This is pretty incredible. Using just a software defined radio, amplifier, and antenna the researchers could recreate images from many cameras with decent fidelity at up to 5.5 meters away. Code is available at: EMEye_Tutorial.
- From HTTP to RCE. How to leave a backdoor in IIS - This one has to be translated to English but it's still a good write up on IIS webshells.
- Foreign Entra Workload Identities: A Security Boundary Risk? - This article explores an example of how Microsoft Entra workload identities can inadvertently extend the security boundary of an Entra tenant to a foreign tenant.
- SSHishing - Abusing Shortcut Files and the Windows SSH Client for Initial Access - Windows shortcut files can be used to make targets SSH out to you (careful) using the built-in Windows SSH client, which can aid in initial access or lateral movement objectives.
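The Kobold-letter trick is purely a CSS scoping game, which also makes it something a mail gateway can hunt for. The script below is an added example, not code from the Kobold Letters write-up or from this newsletter: it pulls the `<style>` blocks out of an HTML email, collects every selector hidden with `display: none`, and flags any rule that re-shows one of those selectors only when it is prefixed by a forwarding-wrapper selector. The sample email, the `.kobold-letter` class name and the wrapper list (`.moz-forward-container` for Thunderbird, `#divRplyFwdMsg` for Outlook on the web, a bare `blockquote` for generic quoting) are constructed for the example and should be treated as assumptions to tune against the clients you actually care about.

```python
import re
from html.parser import HTMLParser

# Constructed sample (not a real Kobold letter from the article). The second
# paragraph is hidden for the original recipient and revealed only once a
# forwarding client wraps the message in its own container.
SAMPLE_EMAIL = """\
<html><head><style>
  .kobold-letter { display: none; }
  .moz-forward-container .kobold-letter { display: block !important; }
</style></head>
<body>
  <p>Hi Bob, please see the attached invoice.</p>
  <p class="kobold-letter">Bob has approved this. Please wire the amount today.</p>
</body></html>
"""

# Selectors that only match after a given client has forwarded/quoted the mail.
# Illustrative, assumed list; verify against the clients in your environment.
FORWARD_CONTAINER_MARKERS = (
    ".moz-forward-container",  # Thunderbird forward wrapper
    "#divRplyFwdMsg",          # Outlook on the web (assumed)
    "blockquote",              # generic quoting wrapper
)

RULE_RE = re.compile(r"([^{}]+)\{([^{}]*)\}")
DISPLAY_RE = re.compile(r"display\s*:\s*([a-z-]+)", re.I)


class _StyleCollector(HTMLParser):
    """Gather the raw text of every <style> element in the document."""

    def __init__(self):
        super().__init__()
        self._in_style = False
        self.css = []

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.css.append(data)


def parse_rules(css):
    """Yield (selector, declarations) pairs; comments and selector lists are expanded."""
    css = re.sub(r"/\*.*?\*/", "", css, flags=re.S)
    for selectors, body in RULE_RE.findall(css):
        for sel in selectors.split(","):
            sel = " ".join(sel.split())  # normalise whitespace inside the selector
            if sel:
                yield sel, body.strip()


def display_value(declarations):
    """Return the value of the display property in a declaration block, or None."""
    m = DISPLAY_RE.search(declarations)
    return m.group(1).lower() if m else None


def find_kobold_rules(html_email):
    """Return (hidden_selector, wrapper) pairs for content that appears only after forwarding."""
    collector = _StyleCollector()
    collector.feed(html_email)
    rules = list(parse_rules("".join(collector.css)))

    # Pass 1: everything the stylesheet hides by default.
    hidden = {sel for sel, decl in rules if display_value(decl) == "none"}

    # Pass 2: rules that show one of those selectors, but only under a wrapper.
    findings = []
    for sel, decl in rules:
        value = display_value(decl)
        if value is None or value == "none":
            continue
        for marker in FORWARD_CONTAINER_MARKERS:
            if sel.startswith(marker + " "):
                inner = sel[len(marker):].strip()
                if inner in hidden:
                    findings.append((inner, marker))
    return findings


if __name__ == "__main__":
    for inner, marker in find_kobold_rules(SAMPLE_EMAIL):
        print(f"kobold candidate: '{inner}' hidden by default, shown under '{marker}'")
```

It only inspects stylesheet rules and the `display` property, so a variant that hides the text with `visibility`, `font-size: 0`, `max-height`, or an inline `style=` attribute will slip past it; extend `display_value` and the hidden-set pass with those properties before relying on it in a gateway.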
Tools and Exploits
- Security Advisory YSA-2024-01 YubiKey Manager Privilege Escalation - "any browser windows opened by YubiKey Manager GUI may also be elevated with Administrator privileges depending on the browser in use. This issue can be used by an attacker to escalate local attacks and increase the impact of browser based attacks."
- Burp2API - Converting your Burp Suite projects into JSON APIs.
- nimfilt - A collection of modules and scripts to help with analyzing Nim binaries.
- Evilginx 3.3 - Go & Phish - Evilginx has an official integration with GoPhish!
- APK Downloader - APK downloader that pulls from a few sources.
- No-Consolation - A BOF that runs unmanaged PEs inline. Updated this week to automatically encrypt and store binaries in memory which allows multiple runs of the same binary without having to send it to target each time.
- interceptor - Sample Rust Hooking Engine.
- Aplos - Aplos is an extremely simple fuzzer for Windows binaries.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- CVE-2024-28085 - WallEscape vulnerability in util-linux: wall did not strip terminal escape sequences from messages passed on the command line, so on systems where wall is setgid tty an unprivileged local user could push control sequences (the researchers' demo is a fake sudo password prompt) onto other users' terminals. Fixed in util-linux 2.40.
- VolWeb - A centralized and enhanced memory analysis platform.
- secator is a task and workflow runner used for security assessments. It supports dozens of well-known security tools and it is designed to improve productivity for pentesters and security researchers.
- kasld - Kernel Address Space Layout Derandomization (KASLD) - A collection of various techniques to infer the Linux kernel base virtual address as an unprivileged local user, for the purpose of bypassing Kernel Address Space Layout Randomization (KASLR).
- SignSaboteur - Burp Suite extension for editing, signing, verifying various signed web tokens
- Blauhaunt - A tool collection for filtering and visualizing logon events. Designed to help answering the "Cotton Eye Joe" question (Where did you come from where did you go) in Security Incidents and Threat Hunts
- Physsec Methodology - A public, open source physical security methodology.
- Microsoft-Extractor-Suite - A PowerShell module for acquisition of data from Microsoft 365 and Azure for Incident Response and Cyber Security purposes.
- Microsoft-Analyzer-Suite - A collection of PowerShell scripts for analyzing data from Microsoft 365 and Microsoft Entra ID
- ARL - Injecting a DLL into a process directly from memory rather than from disk
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.