Last Week in Security (LWiS) - 2024-06-03

F5 TLS MITM (@lowercase_drm + @myst404_), WASM phishing tool (@JumpsecLabs), MS Recall info (@GossiTheDog), Check Point path traversal (@watchtowrcyber), smbclient-ng (@podalirius_), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-05-29 to 2024-06-03.

News

  • Detecting and Preventing Unauthorized User Access - Snowflake, CrowdStrike, and Mandiant are providing a joint statement related to their ongoing investigation involving a targeted threat campaign against some Snowflake customer accounts. It was previously reported that Snowflake itself had a breach. It looks like it's just a bunch of Snowflake customers that are getting breached.
  • [PDF] GRU's BlueDelta Targets Key Networks in Europe with Multi-Phase Espionage Campaigns - A detailed report on how an APT operates. While the malware itself is not impressive (batch scripts), it likely was somewhat effective. Take a look at the phishing lures for inspiration on your next red team operation.
  • [PDF] Surveilling the Masses with Wi-Fi-Based Positioning Systems - Apple's database of WiFi router locations aids Apple devices in locating themselves, but having a fairly accurate location of every WiFi router every Apple device has ever seen is a pretty powerful intelligence tool if queried correctly and the data presented well.

Techniques and Write-ups

Tools and Exploits

  • RtlClone - Implementing RtlCloneUserProcess using NtCreateUserProcess, detailing undocumented APIs for process cloning.
  • RelabelAbuse - Simple POC for exploiting SeRelabelPrivilege
  • WALK_WebAssembly_Lure_Krafter - A WebAssembly (WASM) phishing lure generator based on pre-built templates and written in Rust with some GenAI assistance. W.A.L.K. aims to aid initial access during red teams and phishing exercises leveraging WASM smuggling techniques.
  • ansible-havoc - Scripts to deploy Havoc on Linode and set up categorization and SSL.
  • Cadiclus - Privilege Escalation Tool for Linux Systems that use PowerShell.
  • CVE-2023-6702 - Chrome Renderer 1day RCE via Type Confusion in Async Stack Trace (v8ctf submission).
  • smbclient-ng - A fast and user-friendly way to interact with SMB shares.
  • CVE-2024-4358 - Progress Telerik Report Server pre-authenticated RCE chain (CVE-2024-4358/CVE-2024-1800).
  • goLAPS - Retrieve LAPS passwords from a domain. The tool is inspired by pyLAPS.
  • browser.lol - This free service launches a browser inside your browser. They are certainly logging activity, but it is a nice service for opening suspect links without sensitive information. Tip: use the v6 link to get a better experience. You can self-host your own version with Kasm Workspaces.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • Recover an ADCS platform from compromise - Microsoft guidance on recovering your AD CS environment after it's been compromised. We all know you popped ESC# today... Give it a read and then add this to your finding resources!
  • VirtualGHOST - This repository contains a PowerShell script leveraging VMware PowerCLI to identify unregistered VMware Virtual Machines (VMs) that are powered on by comparing the list of VMs registered in the inventory (vCenter or ESXi) vs. those that are powered on.
  • NetWrapper - Simple netexec wrapper with HTML report.
  • State of WiFi Security in 2024 - Doing wireless pentesting? Must read!
  • julep - Open-source alternative to the Assistants API with a managed backend for memory, RAG, tools and tasks. ~Supabase for building AI agents.
  • flightsim - A utility to safely generate malicious network traffic patterns and evaluate controls.
  • Invoke-SessionHunter - Retrieve and display information about active user sessions on remote computers. No admin privileges required.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.