Last Week in Security (LWiS) - 2024-10-28
Delta Sues Crowdstrike (@CrowdStrike), Jenkins Post-Exploitation (@TrustedSec), PE embedded within a PNG (@MalDevAcademy), Prompt Injection to C2 (@wunderwuzzi23), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-10-21 to 2024-10-28.
News
- Delta sues CrowdStrike over software update that prompted mass flight disruptions - Let the games begin. Do we see in the future of companies like Fortinet/Avanti? "...after a global outage in July caused mass flight cancellations, disrupted travel plans of 1.3 million customers and cost the carrier more than $500 million."
- Security research on Private Cloud Compute - Apples new bounty program has a ton of $ possibilities!
- Linus Torvalds affirms expulsion of Russian maintainers - Some maintainers of the Linux kernel have been removed due to their associate with Russia.
- The end of the i386 kernel and images - The i386 architecture has long been obsolete, and from this week, support for i386 in Kali Linux is going to shrink significantly: i386 kernel and images are going away. Images and releases will no longer be created for this platform.
- Operation Overload Impersonates Media to Influence 2024 US Election - "...Using fake news, fact-checking sites, and AI-generated audio, it seeks to manipulate public opinion by impersonating trusted media organizations."
- Embargo ransomware: Rock’n’Rust - Ransomware group Embargo is testing and deploying a new Rust-based toolkit. The interesting observation here is that differences in deployed versions, bugs, and leftover artifacts suggest that these tools are under active development.
- Introducing Shadowsocks Obfuscation for WireGuard - Mullvad VPN has introduced Shadowsocks. Shadowsocks is a protocol that obfuscates traffic which aims to make it harder for firewalls to detect and block VPN traffic.
Techniques and Write-ups
- ZombAIs: From Prompt Injection to C2 with Claude Computer Use - Anthropic released "Claude Computer Use" and this researcher got to work! TLDR - They code execution by asking the prompt to run their sliver agent. Worth noting it's still in BETA as of the day of this LWiS post.
- 💰Systematic Destruction (Hacking the Scammers pt. 2) - Security researcher is targetting and exploiting those pesky holiday scammers. They were able to find a vulnerability in the scammers custom application.
- How I Accessed Microsoft’s ServiceNow — Exposing ALL Microsoft Employee emails, Chat Support Transcripts & Attachments - Fun read on how a researcher found a way to access Microsoft's ServiceNow instance, which exposed all Microsoft employee internal email requests, support ticket transcripts, incidents & live agent support chats. No bounty for the researcher though!
- AWS CDK Risk: Exploiting a Missing S3 Bucket Allowed Account Takeover - Wild finding by the Aqua team that affected 1% of the AWS Cloud Development Kit (CDK) users. Disclosure to remediation took around 5 weeks.
- Using gRPC and HTTP/2 for Cryptominer Deployment: An Unconventional Approach - Blog post on how malicious actors are exploiting Docker remote API servers via gRPC/h2c to deploy the cryptominer SRBMiner to facilitate their mining of XRP on Docker hosts.
- Offensively Groovy - If you compromise a Jenkins server during one of your engagements, this read is for you. This blog is a good primer into post-exploitation after you've compromised a Jenkins server.
- Burning Zero Days: FortiJump FortiManager vulnerability used by nation state in espionage via MSPs - At what point do we stop accepting the risk of exposing these SSL VPNs to the public? At what point do we switch vendors?
Tools and Exploits
- ExecutePeFromPngViaLNK - Extract and execute a PE embedded within a PNG file using an LNK file.
- Chrome-App-Bound-Encryption-Decryption - Tool to decrypt App-Bound encrypted keys in Chrome 127+, using the IElevator COM interface with path validation and encryption protections.
- udpz - Speedy probe-based UDP service scanner.
- OctoC2t - Simple C2 using GitHub repository as comms channel.
- KernelCallbackTable-Injection-PoC - Proof of Concept for manipulating the Kernel Callback Table in the Process Environment Block (PEB) to perform process injection and hijack execution flow.
- SkyScalpel - SkyScalpel is an open-source framework for JSON policy parsing, obfuscation, deobfuscation, and detection in cloud environments. It provides flexible and highly configurable mechanisms to handle JSON-level obfuscation, IAM policy transformations, and the detection of evasive obfuscation techniques in cloud security contexts.
- AuthStager - AuthStager is a proof-of-concept tool that generates a custom stager shellcode that authenticates to the stager server using an authentication token.
- ShareFouine - This python script allows you to easily navigate into Sharepoint using UNIX like commands.
- TypeLibWalker - This is a new way of persistence on Windows machines using TypeLib. TypeLib persistence technique.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- openbas - Open Breach and Attack Simulation Platform.
- pyLootApacheServerStatus - A script to automatically dump all URLs present in /server-status to a file locally.
- LOLSearches - Living off the land searches for explorer and sharepoint.
- goopts - goopts, a Go library to parse arguments given in command line to a program.
- DGPOEdit - Disconnected GPO Editor - A Group Policy Manager launcher to allow editing of domain GPOs from non-domain joined machines.
- UniGetUI - UniGetUI: The Graphical Interface for your package managers. Could be terribly described as a package manager manager to manage your package managers.
- skyvern - Automate browser-based workflows with LLMs and Computer Vision.
- Bindable Microservices with Cloudflare Workers - three files, one command, boom - you have a backend. Cloudflare is magic!
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.