Last Week in Security (LWiS) - 2024-06-03
F5 TLS MITM (@lowercase_drm + @myst404_), WASM phishing tool (@JumpsecLabs), MS Recall info (@GossiTheDog), Checkpoint path traversal (@watchtowrcyber), smbclient-ng (@podalirius_), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-05-29 to 2024-06-03.
News
- Detecting and Preventing Unauthorized User Access - Snowflake, CrowdStrike, and Mandiant, are providing a joint statement related to their ongoing investigation involving a targeted threat campaign against some Snowflake customer accounts. It was previously reported that Snowflake itself had a breach. It looks like its just a bunch of Snowflake customers that are getting breached.
- [PDF] GRU's BlueDelta Targets Key Networks in Europe with Multi-Phase Espionage Campaigns - A detailed report on how an APT operates. While the malware itself is not impressive (batch scripts), it likely was somewhat effective. Take a look at the phishing lures for inspiration on your next red team operation.
- [PDF] Surveilling the Masses with Wi-Fi-Based Positioning Systems - Apple's database of WiFi router locations aids Apple devices in locating themselves, but having a fairly accurate location of every WiFi router every Apple device has ever seen is a pretty powerful intelligence tool if queried correctly and the data presented well.
Techniques and Write-ups
- Stealing everything you've ever typed or viewed on your own Windows PC is now possible with two lines of code — inside the Copilot+ Recall disaster. - Security implications of Recall. Microsoft capturing and storing screenshots? What could go wrong? This is the best keylogger/screenshot tool for a red-teamer, built right into the OS.
- To Infinity and Beyond! - A perspective around EDR limitations and purple teams.
- PyPI crypto-stealer targets Windows users, revives malware campaign - Another day, another malicious PyPI package! This does some recon, persistence and crypto-theft.
- Abusing the SeRelabelPrivilege - How SeRelabelPrivilege allows you to take ownership of a resource which opens up privilege escalation opportunities. A PoC is available.
- WASM Smuggling for Initial Access and W.A.L.K. Tool Release - Initial access with (currently working) evasion via WASM (HTML smuggling). PoC dropped as well!
- Check Point - Wrong Check Point (CVE-2024-24919) - A simple POST request and you've got a nasty path traversal.
- Protecting your devices from information theft: Keylogger detection using Windows API behaviors Elastic EDR released enhanced features for detecting keyloggers by monitoring windows APIs and utilizing some "new behavioral" detection rules. Worth testing in your Ludus instance with our ludus_elastic_container role.
- Things you wish you didn't need to know about S3 - If you manage or protect AWS resources, this one is for you. Some S3 misconfigurations you should be aware of.
- Building a Verifier DLL - A method for injecting DLLs into processes to monitor and modify their behavior by Pavel Yosifovich.
- How a Single Vulnerability Can Bring Down the JavaScript Ecosystem - A cache poisoning DoS on the NPM registry. Pretty cool!
- Rise of the Planet of the Agents 🤖: Creating an LLM-Based AI Agent from Scratch! - The journey of creating a LLM-based AI agent.
- EDR Internals for macOS and Linux - Good read on EDR evasion for macOS and linux. The blog highlights capabilities and weaknesses of EDR against macOS and linux platforms.
- Post-Exploiting an F5 Big-IP: root, and now what? - Load balancers can often seen valuable traffic. This blog shows how to set up a Machine-in-the-middle (MITM) attack and compromise sensitive information from the applications being load-balanced.
- CVE-2024-27822: macOS PackageKit Privilege Escalation - A little bit tricky, as you have to poison the user's .zshenv file and wait for a .pkg install for the exploit to work, but if you are on a macOS system with some time, it's a valid technique!
- iOS 16.5.1 safari RCE Analysis (CVE-2023-37450) - We've seen lots of write-ups on V8 javascript engine bugs, but not many on Apple's AbstractInterpreter in WebKit. It's an old bug, but good information.
Tools and Exploits
- RtlClone - Implementing RtlCloneUserProcess using NtCreateUserProcess, detailing undocumented APIs for process cloning.
- RelabelAbuse - Simple POC for exploiting SeRelabelPrivilege
- WALK_WebAssembly_Lure_Krafter - A web assembly (WASM) phishing lure generator based on pre-built templates and written in Rust with some GenAI assistance. W.A.L.K. aims at aiding with initial access during red teams and phishing exercises leveraging WASM smuggling techniques.
- ansible-havoc - Scripts to deploy Havoc on Linode and setup categorization and SSL.
- Cadiclus - Privilege Escalation Tool for Linux Systems that use PowerShell.
- CVE-2023-6702 - Chrome Renderer 1day RCE via Type Confusion in Async Stack Trace (v8ctf submission).
- smbclient-ng - is a fast and user friendly way to interact with SMB shares.
- CVE-2024-4358 - Progress Telerik Report Server pre-authenticated RCE chain (CVE-2024-4358/CVE-2024-1800).
- goLAPS - Retrieve LAPS passwords from a domain. The tools is inspired in pyLAPS.
- browser.lol - This free service launches a browser inside your browser. They are certainly logging activity, but a nice service for opening suspect links without sensitive information. Tip: use the v6 link to get a better experience. You can self host your own version with kasm workspaces.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- Recover an ADCS platform from compromise - Microsoft guidance on recovering your AD CS environment after it's been compromised. We all know you popped ESC# today... Give it a read and then add this to your finding resources!
- VirtualGHOST - This repository contains a PowerShell script leveraging VMWare PowerCLI to identify unregistered VMWare Virtual Machines (VMs) that are powered on by comparing the list of VMs registered in the inventory (vCenter or ESXi) vs. those that are powered on.
- NetWrapper - Simple netexec wraper with html repport.
- State of WiFi Security in 2024 - Doing oWireless pentesting? Must read!
- julep - Open-source alternative to Assistant's API with a managed backend for memory, RAG, tools and tasks. ~Supabase for building AI agents.
- flightsim - A utility to safely generate malicious network traffic patterns and evaluate controls.
- Invoke-SessionHunter - Retrieve and display information about active user sessions on remote computers. No admin privileges required.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.