Last Week in Security (LWiS) - 2024-07-22
REx (@br0k3ns0und), EV charger exploits (@ret2systems), CerealKiller (@two06), payload encoding (@MoritzLThomas), responder honeypot (@lawndoc), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-07-15 to 2024-07-22.
News
CrowdStrike Incident
- Global Microsoft Meltdown Tied to Bad Crowdstrike Update - Overview in case you somehow missed it.
- Technical Details: Falcon Content Update for Windows Hosts - Not all that technical. Root cause analysis is hopefully coming. How this was not caught in a staged roll out will be interesting to read. Does CrowdStrike regularly push updates to 100% of customers?
- [Twitter/X] Theory that the Cobalt Strike update and its new named pipe feature was the driver for the CrowdStrike update - Interesting idea!
Kaspersky Lab Closing U.S. Division; Laying Off Workers - After the news that Kaspersky was banned not only for US government use but all sales in the US, this is the inevitable outcome.
Google URL Shortener links will no longer be available - Google kills another product, this time its the goo.gl URL shortener. Strange coming from a company that would be affected by link rot. In true Google fashion, the page that is linked as a replacement also has a deprecation notice.
[Twitter/X] Cellebrite Premium 7.69.5 iOS Support Matrix from July 2024 - Modern iPhones, even on iOS 17.5.1 (current latest version), are vulnerable to data extraction "After First Unlock" (AFU) and even iPhone 15 series exploits are "Available in Cellebrite Advanced Services (CAS)." GrapheneOS seems to be the most secure against this particular attack vector. Power off your phone if you suspect it will be seized.
[PDF] State-Sponsored Russian Media Leverages Meliorator Software for Foreign Malign Influence Activity - The Dead Internet theory is becoming more real everyday. For now you can spray "ignore all previous instructions" but soon it will be hard to differentiate real and bot.
Techniques and Write-ups
- Punch Card Hacking - Exploring a Mainframe Attack Vector - Mainframes are more prevalent than you would think - they run the backends of many major companies. I would be terrified to do anything to a production mainframe, but this article can get you started and Hercules is an emulator you can test against.
- Introducing the REx: Rule Explorer Project - "This project provides a mechanism for interacting with various popular [yara] rule sets, in order to have a better understanding of the detection landscape, and quickly survey and compare multiple approaches." Think of it as the RedELK of yara?
- Breaking Instruction Hierarchy in OpenAI's gpt-4o-mini - "System instructions continue to be suggestions, rather than a security boundary. Do not depend on system instructions alone to protect sensitive information, tool invocations or the “identity” of your LLM Applications."
- Pwn2Own Automotive: CHARX Vulnerability Discovery - Abusing Subtle C++ Destructor Behavior for a UAF - The Ret2 Systems blog is always worth the read.
- The Security Principle Every Attacker Needs to Follow - In order to achieve objectives, attackers need to find flaws in the target's "security dependency graph." Sometimes a single flaw can bring the whole organization down. This is a high level, non-technical post.
- Phish Out of Water- Bypassing Web Proxies so Your Phish Don't Suffocate - SpecterOps has been putting out a ton of phishing related content recently. This one details 8 bypasses for modern email defenses.
- [PDF] Attacking Connection Tracking Frameworks as used by Virtual Private Networks - This paper introduces four attacks on VPN users that could be used to de-anonymize the VPN user is the attacker is connected to the same VPN server as the target and the attacker knows the target's public IP address. These feel like attacks that a government would pull off, not so much "normal" attackers.
- Securing The Chink in Kerberos' Armor, FAST! Understanding The Need For Kerberos Armoring - Some motivation for sysadmins to enable Kerberos Armoring.
- SAPwned: SAP AI vulnerabilities expose customers' cloud environments and private AI artifacts - Wiz Research uncovers vulnerabilities in SAP AI Core, allowing malicious actors to take over the service and access customer data.
- Capturing Exposed AWS Keys During Dynamic Web Application Tests - Ouch... "...identified several vulnerable HTTP requests that allow attackers to capture access keys and session tokens for a web application’s AWS infrastructure. Attackers could use these keys and tokens to access back-end IOT endpoints and CloudWatch instances to execute commands."
Tools and Exploits
- CerealKiller - .NET deserialization hunter.
- Hunt - MS word VBS macros for hunting for key words across files in a defined share.
- eyeballvul - future-proof vulnerability detection benchmark, based on CVEs in open-source repos.
- deep-tempest - Restoration for TEMPEST images using deep-learning (eavesdrop on HDMI from EMF via SDR).
- chunkloader - A chrome/Firefox extension to retrieve and load react javascript chunks all at once for a wide range of javascript techs.
- Respotter is a Responder honeypot! Catch attackers and red teams as soon as they spin up Responder in your environment.
- codasm - Payload encoding utility to effectively lower payload entropy.
- PwnedBoot - Using Windows' own bootloader as a shim to bypass Secure Boot.
- ZeroHVCI accomplishes arbitrary kernel read/writes/function calling in Hypervisor-Protected Code Integrity (HVCI) protected environments calling without admin permissions or kernel drivers.
- lemma - Remote CLI tools at your fingertips.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- Binary secret scanning helped us prevent (what might have been) the worst supply chain attack you can imagine - Missed this last week but it's a wild ride. JFrog found a GitHub token that provided access to the entire Python infrastructure and had it revoked in 17 minutes. Bravo!
- fragtunnel is a proof-of-concept (PoC) TCP tunnel tool that you can use to tunnel your application's traffic and bypass next-generation firewalls en route to the target.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.