Last Week in Security (LWiS) - 2024-07-08
👻 Ghostscript exploit (@thomasrinsma), CSPT2CSRF (@maxenceschmitt), Puppet Forge pwn (@adnanthekhan), WhatsUp Gold RCE+privesc (@SinSinology), UDRL-less beacon (@naksyn), EDRPrison (@senzee1984), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-07-01 to 2024-07-08.
News
- Security Alert: Update to the Authy Android (v25.1.0) and iOS App (v26.1.0) - If you've ever used Authy your phone number has likely been leaked.
- SO-CON 2024 Youtube Playlist - All the talks from SpecterOps Con 2024 are available!
- Kuba Gretzky: Keynote: A Smooth Sea Never Made a Skilled Phisherman - The x33fcon keynote and demo of upcoming Evilginx Pro is available.
- The President Ordered a Board to Probe a Massive Russian Cyberattack. It Never Did. - "DHS acknowledges that the board needs more resources and investigative muscle." CISA's budget for 2024 is $2,800,000,000 (2.8 billion USD), DHS's is $103.2 billion.
- CloudSorcerer - A new APT targeting Russian government entities - "...cyberespionage tool used for stealth monitoring, data collection, and exfiltration via Microsoft Graph". COM objects + Microsoft Graph API. Not a TTP seen or mentioned in the 2024 threat reports disclosed by vendors earlier this year.
- New options for granular network policy - For the tailscale users, IP sets are a thing now. Check it out!
Techniques and Write-ups
- EDRPrison: Borrow a Legitimate Driver to Mute EDR Agent - In the age of advanced EDR, what if you just didn't allow the EDR to communicate? The next step of this research would be to profile the EDR and determine "check ins" vs "detections" and only filter out detections so the machine still reports green on the EDR dashboard.
- Exploring Compiled v8 Javascript Usage in Malware - You've probably heard about javascript "web assembly" but did you know you can compile javascript into V8 bytecode (assuming your javascript engine is Chrome/Node's V8)? Malware authors are taking advantage of antivirus blinds spots for V8, as it's just-in-time compilation is hard to monitor and signature. View8 is the tool that aided in the analysis.
- CVE-2024-29510 - Exploiting Ghostscript using format strings - Gostscript underpins most document conversion libraries, so this code execution and sandbox escape vulnerability is pretty severe.
- Github Actions Exploitation: Untrusted Input - More CI/CD exploitation on the largest code hosting platform.
- Exploiting Client-Side Path Traversal to Perform Cross-Site Request Forgery - Introducing CSPT2CSRF - Client-Side Path-Traversal vulnerabilities have been long overlooked, but can be used to do some interesting Cross-Site Request Forgery attacks.
- VBA: overwriting R/W/X memory in a reliable way - The VBA masters are at it again.
- RoguePuppet - A Critical Puppet Forge Supply Chain Vulnerability - A GitHub Actions CI/CD misconfiguration within Puppet Lab's public GitHub repositories allowed anyone with a GitHub account to push official modules to Puppet Forge. If you use Puppet you should be pinning your packages to specific, known good, versions.
- WhatsUp Gold Pre-Auth RCE GetFileWithoutZip Primitive - Unauthenticated path traversal leads to unauthenticated remote code execution. Don't worry, there is a privilege escalation in WhatsUp Gold too.
- SnailLoad - Remote Network Latency Measurements Leak User Activity - The latency of loading resources from an "attacker" controlled server while doing other network activities can sometimes reveal your other activity. Curious how much "noise" (other machines, etc) this technique can tolerate, and the papers states that faster connections are less prone to traffic classification. "I need this 1Gb/1Gb plan for security" is now valid?!
- Raising Beacons without UDRLs and Teaching them How to Sleep - Calling the DLL's entry point twice with a different dwReason value to trigger different behavior is cleaver. Lots of good technical detail in this post. DojoLoader is the PoC.
- Like Shooting Phish in a Barrel - Some good ideas on getting around link crawlers.
- Dumping LSA secrets: a story about task decorrelation - Crowdstrike prevention bypass to dump LSA. Might still work!
- Detecting Lateral Movement in Entra ID: Cross Tenant Synchronization - Includes some detection engineering logic for defenders/purple teamers.
Tools and Exploits
- EDRPrison - Leverage a legitimate WFP callout driver to prevent EDR agents from sending telemetry.
- View8 - Decompiles serialized V8 objects back into high-level readable code.
- DojoLoader - Generic PE loader for fast prototyping evasion techniques.
- FlowAnalyzer - FlowAnalyzer is a tool to help in testing and analyzing OAuth 2.0 Flows, including OpenID Connect (OIDC).
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- ETWListicle - List the ETW provider(s) in the registration table of a process.
- runpe-x64 - RunPE adapted for x64 and written in C, does not use RWX.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.