Jul 29 2024 Last Week in Security (LWiS) - 2024-07-29

News

• Introducing Llama 3.1: Our most capable models to date - Zuck continues his redemption arc with the release of the most powerful LLM with open weights. It's now available on Workers AI as well. Is OpenAI holding back a larger model? Will this prompt them to make it available? A "jailbreak" prompt for Llama 3.1 is already available.
• Here's How To Stop X From Using Your Data To Train Its AI - With the launch of the Memphis Supercluster training, X is using your data to train their AI. Here's how to opt out if you're on X and don't want to be part of the training set.
• PKfail: Untrusted Platform Keys Undermine Secure Boot on UEFI Ecosystem - Many manufacturers are shipping firmware with the default American Megatrends International (AMI) placeholder key. The AMI Secure Boot "master key", called the Platform Key (PK), was publicly exposed in a data leak of a downstream firmware vendor. Possession of this leaked key allows anyone to add EFI modules to the boot sequence even with Secure Boot enabled. Windows PoC video and Linux PoC video.
• Building security into the redesigned Chrome downloads experience - Google will now upload and scan files for users opted into Enhanced Protection. Interestingly, if the download is password protected, Chome will even prompt for the password and send that off to Google to unpack and scan the file. Good for security, but potentially a privacy/compliance issue. The password prompt can be skipped and the whole process is opt-in.
• How a North Korean Fake IT Worker Tried to Infiltrate Us - A North Korean agent managed to get hired at the phishing testing company KnowBe4. Strange that the agent would conduct and pass 4 video interviews and a background check (using a stolen US identity) only to try to load malware on their workstation immediately after it was received. The North Korean team responsible for landing the job is probably really upset with the team that was in charge of "post exploitation" for burning the access so fast.
• Wiz walks away from $23 billion deal with Google, will pursue IPO - It's got to take some serious conviction to walk away from a $23 billion deal.
• Crooks Bypassed Google's Email Verification to Create Workspace Accounts, Access 3rd-Party Services - Single sign on is great, unless attackers can sign up for the SSO provider with your domain without proving ownership. This allows impersonation of a company on 3rd party sites that allow sign in with Google. Google has fixed the issue.
• [PDF] Kaspersky Laboratory Products Puts Networks and Data at Risk of Exploitation by Russian Intelligence Services - A heavily redacted report from the National Intelligence Council that broadly addresses the risks of Kaspersky. The report is from 2017 but was publicly released 2024-07-19.
• Ransomware operators exploit ESXi hypervisor vulnerability for mass encryption - If you have ESXi servers that are domain joined, read this ASAP. TLDR: Adding users to the "ESX Admins" group == ESXI compromise. 😬
• Mid-year Doppelgänger information operations in Europe and the US - Some Russian TTP light reading. A look at Russian campaigns against the French.

Techniques and Write-ups

• Injecting Java In-Memory Payloads for Post-Exploitation - "This article will cover some tips and tricks that could be applied to inject such a payload, and to develop post-exploitation features that would allow altering the application behavior. This would be interesting to stay under the radar during post-exploitation, or to intercept plaintext credentials of privileged users authenticating to the compromised application."
• Pwn2Own Automotive: Popping the CHARX SEC-3100 - Part 2 of the blog introduced last week. This post covers exploit development for the CHARX SEC-3100, an AC charging controller, with an embedded Linux system.
• Deep Sea Phishing Pt. 1 - With this much phishing content coming out of Specter Ops recently I am starting to suspect they are building up for a product or service announcement around phishing.
• EDR Telemetry Blocking via Person-in-the-Middle Attacks - Block EDR telemetry reaching its cloud servers by performing a Person-in-the-Middle (PitM) attack and filtering telemetry packets.
• Anyone can Access Deleted and Private Repository Data on GitHub - You can access data from deleted forks, deleted repositories and even private repositories on GitHub. And it is available forever. This is known by GitHub, and intentionally designed that way.
• Revealing the Inner Structure of AWS Session Tokens - Reverse engineering analysis of AWS Session Tokens.
• Injecting Malicious Code into PDF Files and PDF Dropper Creation - Something to look at for your initial access tradecraft. Injecting JavaScript into a PDF file to download a file from a specific URL and establish C2.
• RDP Bitmap Cache - Piece(s) of the Puzzle - Friendly reminder of some of the artifacts you are leaving behind. Defenders, anyone analyzing these at scale in your enterprise and baselining RDP activity by your syadmins yet?

Tools and Exploits

• Specula - Turning Outlook Into a C2 With One Registry Change - Did you know that Outlook has access to the entire system via COM/vbscript and that a custom homepage URL can use those features? Specula uses this to turn Outlook into a C2 - some solid traitorware!
• VulnCheck go-exploit Goes Scanless - go-exploit-cache can now ingest shodan data or pcap data to find vulnerabilities without active scanning.
• GraphSpy - Initial Access and Post-Exploitation Tool for AAD and O365 with a browser-based GUI. Not new but just added the ability to list and modify MFA methods!
• SyscallTempering improves upon the previous research and obtains a list of system calls that are not hooked by the currently running EDR solution (tested against sophos).
• thread_namecalling - Process Injection using Thread Name. Full blogpost here.
• edr_blocker - Blocks EDR Telemetry by performing Person-in-the-Middle attack where network filtering is applied using iptables. The blocked destination IP addresses are parsed based on the server name in TLS Client Hello packet and the provided blocked server name (or blocked string) list in the file.
• SessionExec - Execute commands in other Sessions.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• KeyCredentialLink - Add Shadow Credentials to a target object by editing their msDS-KeyCredentialLink attribute.
• Invoke-ShareHunter - Enumerate the Domain for Readable and Writable Shares.
• SharpSelfDelete - PoC to self-delete a binary in C#.
• Welcome to Azure Charts! - Live visual exploration environment for Azure Cloud + ecosystem

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.