Last Week in Security (LWiS) - 2024-05-29
A special two week edition!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-05-13 to 2024-05-29.
News
- Stark Industries Solutions: An Iron Hammer in the Cloud - How Stark Industries Solutions emerged as a significant facilitator of cyberattacks by hosting proxy and VPN services used to conceal and carry out disruptive activities, including massive DDoS attacks targeting Ukraine and Europe, with ties to Russian hacking groups and cybercriminal activities.
- Black Basta ransomware is targeting critical infrastructure sectors - Black Basta ransomware, operated as a Ransomware-as-a-Service, has targeted over 500 organizations globally, significantly impacting 12 critical infrastructure sectors in the U.S., including healthcare, leading to disruptions like ambulance diversions and compromised electronic health records.
Techniques and Write-ups
- Beyond the Basics: Exploring Uncommon NTLM Relay Attack Techniques - This blog outlines five NTLM relay attack vectors that aren't talked about enough.
- Injecting code into PPL processes without vulnerable drivers on Windows 11 - Discovering and utilizing a syscall, NtSystemDebugControl, to inject code into Protected Process Light (PPL) processes.
- Getting XXE in Web Browsers using ChatGPT - Exploiting XML and XSL functionalities in web browsers to test and demonstrate XXE vulnerabilities.
- Kerbhammer: Detecting Kerberos attacks with Suricata - Detecting Kerberos protocol attacks using the Suricata, highlighting methods to identify abnormal AS-REQ and AS-REP Roasting activities as potential security threats.
- The risk in malicious AI models: Wiz Research discovers critical vulnerability in AI-as-a-Service provider, Replicate - "...In the course of that work, we have discovered critical vulnerabilities that could have led to the leakage of millions of private AI models and apps. "
- Phish Sticks; Hate the Smell, Love the Taste -
- The 'Invisibility Cloak' - Slash-Proc Magic - This blog discusses on utilizing bind mounts to hide processes from the process list, examining how it's done, its forensic detectability.
- Offensive IoT for Red Team Implants (Part 2) - Use your Raspberry Pi Pico as a physical implant device for Red Team operations!
- JS-Tap Mark II: Now with C2 Shenanigans - This blog details updates to JS-Tap. It explains setting up JS-Tap with Gunicorn and nginx to handle more clients and introduces features for automated and repeated JavaScript payload deployment, improving usability.
- QNAP QTS - QNAPping At The Wheel (CVE-2024-27130 and friends) - CVE-2024-27130, an unauthenticated stack overflow bug allowing remote code execution. The team details their investigation and exploitation process, highlighting the NAS device's role in multi-user environments and its security implications.
- New Hires, Lost Keys & Lessons Learned (Passwordless Authentication Series, #3) - Palantir discusses their implementation of FIDO2 authentication via YubiKeys, focusing on the challenges and solutions for new hire onboarding and handling lost or broken authenticators. Nice to see these lessons learned shared amongst the community.
- Exploiting CVE-2024-32002: RCE via git clone - Technical write-up of git CVE-2024-32002. This one is triggered by cloning repositories with specially crafted submodules.
- Introducing BadDNS - Blog on a new tool released by Black Lantern. Used for subdomain takeover detection tool but covers other DNS related issues like zone transfers and NSEC walking as well.
- Foxit PDF “Flawed Design” Exploitation - Tradecraft against the biggest Adobe competitor, FOXIT.
Tools and Exploits
- nmap-did-what - Nmap Dashboard Mini Project. Don't sleep on what you can do with open-source and a little bit of glue!
- no-defender - A slightly more fun way to disable windows defender. (through the WSC api).
- DoubleDrive - A fully-undetectable ransomware that utilizes OneDrive & Google Drive to encrypt target local files.
- RWX_MEMEORY_HUNT_AND_INJECTION_DV - Abusing Windows fork API and OneDrive.exe process to inject the malicious shellcode without allocating new RWX memory region.
- CVE-2024-27804 - POC for CVE-2024-27804.
- graphqlMaker - Finds graphql queries in javascript files.
- mystique-self-injection - An improvement and a different approach to Mockingjay Self-Injection.
- ETWInspector - An Event Tracing for Windows (ETW) tool that allows you to enumerate Manifest & MOF providers, as well as collect events from desired providers.
- OdinLdr - Cobaltstrike UDRL with memory evasion.
- SharpPersistSD - SharpPersistSD is focused on backdooring the remote machine so that persistency or code execution can be established later.
- baddns - Check subdomains for subdomain takeovers and other DNS tomfoolery.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- Assumed Breach: The Evolution of Offensive Security Testing - This blog sparked another X/Twitter debate on whether assumed breach is still the "way to go".
- Keylogging in the Windows Kernel with undocumented data structures - Accessing the gafAsyncKeyState structure directly in kernel memory without using system APIs as a keylogger.
- Cloud Threat Landscape - New/cool resource by Wiz. The tools can come in clutch.
- Open Source Security Index - Cool initiative! Thoughts on how they calculate index scores?
- ruff - An extremely fast Python linter and code formatter, written in Rust.
- nimfilt - A collection of modules and scripts to help with analyzing Nim binaries.
- squeegee - A collection of tools using OCR to extract potential usernames from RDP screenshots.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.