Last Week in Security (LWiS) - 2024-08-26
"USDoD" doxed, VEH research (@passthehashbrwn), Defender exclusions (@dazzyddos), CSS history leak (@TheXC3LL), Cobalt Strike DNS listeners (@VirtualAllocEx), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-08-19 to 2024-08-26.
News
- Joint ODNI, FBI, and CISA Statement on Iranian Election Influence Efforts - CISA, ODNI, and FBI report that Iran has been targeting presidential campaigns through cyber operations and social engineering, aiming to exploit societal tensions and undermine confidence in democratic institutions.
- FAA Proposes New Cybersecurity Standards For Aircraft - The FAA is looking to standardize how it will incorporate cybersecurity standards for airworthiness. It also introduces a new term "intentional unauthorized electronic interactions (IUEI)."" The dense 36 page PDF available in the post.
- Pulaski County Man Sentenced for Cyber Intrusion and Aggravated Identity Theft - "The Defendant committed cyber intrusions, by hacking into state death registry systems to fake his own death to avoid paying his child support obligations". Seems like it would be easier to just pay your child support. Brings back memories from this DEF CON 23 talk.
- SolarWinds Web Help Desk 12.8.3 Hotfix 2 - Welcome back Solarwinds. "Fixes SolarWinds Web Help Desk Hardcoded Credential Vulnerability."
- Hundreds of online stores hacked in new campaign - Malwarebytes researchers uncovered a new digital skimming campaign targeting hundreds of Magento-based online stores, where attackers injected malicious code to steal customers' payment information during checkout, affecting over 1,100 unique users across multiple compromised websites.
- United States Files Suit Against the Georgia Institute of Technology and Georgia Tech Research Corporation Alleging Cybersecurity Violations - Interesting. Uncle Sam cracking down on "failure to meet cybersecurity requirements". I wonder if this trend will continue.
- New Cheana Stealer Targets VPN Users Across Multiple Operating Systems - Don't feel too smug if you're a macOS or Linux user (arch btw) watching the constant stream of Windows malware, some threat actors are equal opportunity exploiters.
- USDoD Hacker Behind $3 Billion SSN Leak Reveals Himself as Brazilian Citizen - The dude who leaked all those SSN was doxed and then he came clean. TLDR - Luan G, 33 year old from Brazil with < 100 Instagram followers.
Techniques and Write-ups
- Cobalt Strike - DNS Listener - A nice and up-to-date article by @VirtualAllocEx on how to setup Cobalt Strike DNS listeners using Azure DNS Redirectors and GoDaddy. Isn't External C2 (via "known good" providers) the standard?
- You just got vectored - Using Vectored Exception Handlers (VEH) for defense evasion and process injection - Manually manipulating Windows Vectored Exception Handlers (VEH) to evade detection and perform threadless process injection. Code here.
- Adversary at the Door - Initial Access and what's currently on the menu - A good intro/explanation into initial access topics most red teamers deal with daily. If you're new to initial access tradecraft, this is a great place to start!
- C++ Unwind Exception Metadata: A Hidden Reverse Engineering Bonanza - Hex-Rays 9.0 introduces support for displaying C++ exception wind and unwind metadata in MSVC/x64 targets, providing reverse engineers with valuable insights into object types, structure relationships, and inheritance hierarchies that were previously hidden or difficult to discern.
- Mixing watering hole attacks with history leak via CSS - "CSS will bring you more shells than C," is a bold introduction. The use of CSS to create a fake captcha and leak browser history is pretty wicked though.
- PEAKLIGHT: Decoding the Stealthy Memory-Only Malware - Mandiant identified a new memory-only dropper using a complex, multi-stage infection process. This memory-only dropper decrypts and executes a PowerShell-based downloader. This PowerShell-based downloader is being tracked as PEAKLIGHT.
- Intercepting Mobile Application Traffic with Caido and Frida - Good walkthrough for the new Caido user crew.
- SMB security hardening in Windows Server 2025 & Windows 11 - Good reference to add in some of your finding templates for reporting.
- BlackSuit Ransomware - Always fun to read about ransomware group YOLO tradecraft. If it works it works!
- Creating Kernel Object Type (Part 1) - How to create a custom kernel object type called "DataStack" in Windows using undocumented APIs.
- NTLM Credential Theft in Python Windows Applications - Horizon3 with some research and vulns from open-source tooling. This research focuses on leaking NTLMv2 hashes from various applications.
- Unveiling Mac Security: A Comprehensive Exploration of Sandboxing and AppData TCC - From BlackHat 2024, Zhongquan Li presents a comprehensive exploration of macOS security mechanisms, revealing multiple vulnerabilities in sandboxing, quarantine protection, and TCC systems, demonstrating how seemingly harmless bugs can be chained into powerful exploit techniques for sandbox escapes and unauthorized data access across macOS versions 10.15 to 15.0.
- Abusing Exclusions To Evade Detection - Some interesting techniques to leak Defender exclusions as an unprivileged user.
Tools and Exploits
- ipapocket - Python library for interacting with FreeIPA network protocols.
- CVE-2024-3183-POC - POC for CVE-2024-3183 (FreeIPA Rosting).
- CVE-2024-38856-EXP - CVE-2024-38856 is a pre-authentication flaw in Apache OFBiz that can lead to remote code execution
- CAPs - Scripts to enumerate and report on Entra Conditional Access.
- CVE-2024-38054 - Windows LPE in the Kernel Streaming WOW Thunk Service Driver takes you from user straight to SYSTEM.
- CVE-2024-38063 - Crash PoC for CVE-2024-38063 (RCE in tcpip.sys on Windows).
- IDA_PHNT_TYPES - Converted phnt (Native API header files from the System Informer project) to IDA TIL, IDC (Hex-Rays).
- New-ScheduledTaskSession.ps1 - A way to execute code remotely in the context of a scheduled task process. PoC aims to bypass NETWORK logon limitations like the Windows Update API.
- USP - Establishes persistence on a Linux system by creating a udev rule that triggers the execution of a specified payload (binary or script).
- rwgopack - Example Linux based packer for ELF binaries that uses ZLib to compress and then XOR cipher single byte key the payload while creating a self unpacking binary.
- Common-PIN-Analysis-from-haveibeenpwned.com - "I gathered data from haveibeenpwned.com for every common PIN and how often it is used. I am sharing with you a complete wordlist sorted by the most popular PINs first. Feel free to download it and test your favorite PIN to see how popular it is among everybody."
- VeilTransfer - VeilTransfer is a data exfiltration utility designed to test and enhance the detection capabilities. This tool simulates real-world data exfiltration techniques used by advanced threat actors, allowing organizations to evaluate and improve their security posture.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- C2_INFRA_WORKSHOP_DEFCON32_RED_TEAM_VILLAGE - C2 Infrastructure Automation. This repository contains the materials for the C2 Infrastructure Automation workshop at DEF CON 32 Red Team Village.
- WindowsDowndate - A tool that takes over Windows Updates to craft custom downgrades and expose past fixed vulnerabilities.
- Navigating the Uncharted: A Framework for Attack Path Discovery - Elad Shamir presents a framework for discovering both known and unknown attack paths. Worth a read!
- Security Monitoring Antipatterns - This article discusses common antipatterns in security monitoring, such as overemphasizing data collection, focusing solely on network data, and chasing new technologies without addressing the basics. We see this all the time in environments. Client gets pwned while they have a bunch of "Advanced Monitoring" solutions but the basics just aren't there.
- Conferences DEF CON 32 workshop focused on the Windows DLL Loading internals.
- Inside Xerox WorkCentre: Two Unauthenticated RCEs - Always a good day when you can persist off the printers!
- Check-Point-SE-Lab - A multi-cloud, scalable, modular, IaC lab built with Python, Terraform, Ansible, and Docker.
- BAADTokenBroker - BAADTokenBroker is a post-exploitation tool designed to leverage device-stored keys (Device key, Transport key etc..) to authenticate to Microsoft Entra ID.
- saas-attacks - Offensive security drives defensive security. We're sharing a collection of SaaS attack techniques to help defenders understand the threats they face. #nolockdown.
- Mastering Active Directory Hygiene: Automating Stale Computer Cleanup with CleanupMonster - A tool designed to help orgs track down and deal with old/stale Active Directory objects.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.