Last Week in Security (LWiS) - 2024-05-29

A special two week edition!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-05-13 to 2024-05-29.

News

  • Stark Industries Solutions: An Iron Hammer in the Cloud - How Stark Industries Solutions emerged as a significant facilitator of cyberattacks by hosting proxy and VPN services used to conceal and carry out disruptive activities, including massive DDoS attacks targeting Ukraine and Europe, with ties to Russian hacking groups and cybercriminal activities.
  • Black Basta ransomware is targeting critical infrastructure sectors - Black Basta ransomware, operated as a Ransomware-as-a-Service, has targeted over 500 organizations globally, significantly impacting 12 critical infrastructure sectors in the U.S., including healthcare, leading to disruptions like ambulance diversions and compromised electronic health records.

Techniques and Write-ups

Tools and Exploits

  • nmap-did-what - Nmap Dashboard Mini Project. Don't sleep on what you can do with open-source and a little bit of glue!
  • no-defender - A slightly more fun way to disable Windows Defender (through the WSC API).
  • DoubleDrive - A fully-undetectable ransomware that utilizes OneDrive & Google Drive to encrypt target local files.
  • RWX_MEMEORY_HUNT_AND_INJECTION_DV - Abusing the Windows fork API and the OneDrive.exe process to inject malicious shellcode without allocating a new RWX memory region.
  • CVE-2024-27804 - POC for CVE-2024-27804.
  • graphqlMaker - Finds GraphQL queries in JavaScript files.
  • mystique-self-injection - An improvement and a different approach to Mockingjay Self-Injection.
  • ETWInspector - An Event Tracing for Windows (ETW) tool that allows you to enumerate Manifest & MOF providers, as well as collect events from desired providers.
  • OdinLdr - Cobalt Strike UDRL with memory evasion.
  • SharpPersistSD - SharpPersistSD is focused on backdooring a remote machine so that persistence or code execution can be established later.
  • baddns - Check subdomains for subdomain takeovers and other DNS tomfoolery.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.