Last Week in Security (LWiS) - 2024-05-06
Entra to on-prem (@_dirkjan), new BloodHound edges (@Jonas_B_K), Chrome type confusion (@_manfp), GitHub RCE via actions (@Creastery), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-04-29 to 2024-05-06.
News
- FCC Fines Major U.S. Wireless Carriers for Selling Customer Location Data - The real question is how much did these companies profit from this data before they were caught?
- BBC presenter's likeness used in advert after firm tricked by AI-generated voice - It's happening. Deep-phishing perhaps is the term? Are you/your customers ready? Can you simulate this attack?
- JFrog Security research discovers coordinated attacks on Docker Hub that planted millions of malicious repositories - "nearly 20% of these public repositories (almost three million repositories!) actually hosted malicious content." :grimacing:
- A recent security incident involving Dropbox Sign - Where the juicy data goes, so go the attackers. This was an acquisition (HelloSign) from 2019, so it should have been fully integrated into Dropbox's security practice by now.
- Sodinokibi/REvil Affiliate Sentenced for Role in $700M Ransomware Scheme - A Ukrainian national was sentenced today to 13 years and seven months in prison and ordered to pay over $16 million in restitution for his role in conducting over 2,500 ransomware attacks and demanding over $700 million in ransom payments. A rare conviction in the ransomware scene.
- What's new in Windows Server 2025 (preview) - Microsoft has decided to change the default on #pre2k computer accounts and has removed the checkbox entirely in upcoming server releases.
Techniques and Write-ups
- Lateral movement and on-prem NT hash dumping with Microsoft Entra Temporary Access Passes - Per usual, amazing post by Dirk-Jan. Passwordless persistence and Entra-ID <-> On-Prem tradecraft. Must read.
- Uncharmed: Untangling Iran's APT42 Operations - Tradecraft details including their use of social engineering for initial access and credential harvesting. NGOs and journalists are being targeted.
- SCCM Exploitation: Compromising Network Access Accounts - An article on how fruitful Network Access Accounts are along with some mitigation and detection guidance. Even comes with wazuh and elastic parsers and rules! Thorough work.
- ADCS Attack Paths in BloodHound — Part 2 - New edges introduced with ADCS support in bloodhound.
- How I hacked into Google's internal corporate assets - Spoiler alert: dependency confusion. Has anyone used this technique on a red team?
- CVE-2024-2887: A Pwn2own Winning Bug in Google Chrome - Type confusion in web assembly leads to shellcode execution in the V8 sandbox.
- Why sneak when you can walk through the front door - A Love letter to Password Spraying against M365 in Red Team Engagements - Great advice on performing a responsible password spray. The internal phish post-access is especially deadly.
- Manual LDAP Querying: Part 2 - Be careful with these (and Sharphound) as mature defenders will detect strange queries (like the SPN query).
- Code Injection to RCE with .NET - A real-life write up on a web app .NET injection and how it was turned into RCE.
- Sleeping Safely in Thread Pools - A new-to-red-teams (seen in the wild) technique to protect sleeping threads with thread pools.
- It's Morphin' Time: Self-Modifying Code Sections with WriteProcessMemory for EDR Evasion - This post introduces a novel self-injection technique for EDR evasion.
- Identifying Cross References with Capstone Disassembler and PEFile - Learn how to programmatically identify cross-references in malware code using Capstone Disassembler and PEFile in Python.
- Leash the Hounds: How to Stop LDAP Recon Attacks - Strategies to mitigate LDAP reconnaissance attacks using the LDAP Firewall for enhanced security and efficient auditing. ldapfw is the tool.
- DLS 2024 - RedTeam Fails - "Oops my bad I ruined the operation" - Examples of basic OPSEC mistakes during red team assessments.
- CFG in Windows 11 24H2 - Explore how Windows 11's 24H2 update integrates Control Flow Guard with hotpatching to enhance system security and efficiency.
- Tale of Code Integrity & Driver Loads - The article discusses how the Core Isolation user setting in Windows affects the process of driver loading, particularly focusing on Virtualization-based Security (VBS) and Hypervisor-Protected Code Integrity (HVCI).
- Send()-ing Myself Belated Christmas Gifts - GitHub.com's Environment Variables & GHES Shell - 2MB of env variables from production GitHub.com and RCE. What a bug!
- Virtualizing iOS on Apple Silicon - Some impressive low level hacking.
Tools and Exploits
- okta-terrify - Okta Verify and Okta FastPass Abuse Tool.
- cognito-scanner - A simple script which implements different Cognito attacks such as Account Oracle or Privilege Escalation.
- KExecDD - Admin to Kernel code execution using the KSecDD driver.
- Python-Beacon - Python files to aid with shellcode execution.
- PPPwn - PlayStation 4 PPPoE RCE.
- SharpGraphView - Microsoft Graph API post-exploitation toolkit.
- symbolizer-rs - A fast execution trace symbolizer for Windows that runs on all major platforms and doesn't depend on any Microsoft libraries.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- Hypervisor-Detection - Detects virtual machines and malware analysis environments.
- wstunnel - Tunnel all your traffic over Websocket or HTTP2 - Bypass firewalls/DPI - Static binary available.
- puter - 🌐 The Internet OS! Free, Open-Source, and Self-Hostable.
- Installomator - Installation script to deploy standard software on Macs.
- blint - BLint is a Binary Linter to check the security properties, and capabilities in your executables. Since v2, blint is also an SBOM generator for binaries.
- (The) Postman Carries Lots of Secrets - Don't sleep on Postman secrets!
- QCSuper - QCSuper is a tool for communicating with Qualcomm-based phones and modems, allowing you to capture raw 2G/3G/4G radio frames, among other things.
- proxybroker2 - The New (auto rotate) Proxy [Finder | Checker | Server]. HTTP(S) & SOCKS 🎭.
- JS-Tap - JavaScript payload and supporting software to be used as XSS payload or post exploitation implant to monitor users as they use the targeted application. Also includes a C2 for executing custom JavaScript payloads in clients.
- git-rotate - Leveraging GitHub Actions to rotate IP addresses during password spraying attacks to bypass IP-Based blocking.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.