Oct 28 2024 Last Week in Security (LWiS) - 2024-10-28

News

• Delta sues CrowdStrike over software update that prompted mass flight disruptions - Let the games begin. Do we see in the future of companies like Fortinet/Avanti? "...after a global outage in July caused mass flight cancellations, disrupted travel plans of 1.3 million customers and cost the carrier more than $500 million."
• Security research on Private Cloud Compute - Apples new bounty program has a ton of $ possibilities!
• Linus Torvalds affirms expulsion of Russian maintainers - Some maintainers of the Linux kernel have been removed due to their associate with Russia.
• The end of the i386 kernel and images - The i386 architecture has long been obsolete, and from this week, support for i386 in Kali Linux is going to shrink significantly: i386 kernel and images are going away. Images and releases will no longer be created for this platform.
• Operation Overload Impersonates Media to Influence 2024 US Election - "...Using fake news, fact-checking sites, and AI-generated audio, it seeks to manipulate public opinion by impersonating trusted media organizations."
• Embargo ransomware: Rock’n’Rust - Ransomware group Embargo is testing and deploying a new Rust-based toolkit. The interesting observation here is that differences in deployed versions, bugs, and leftover artifacts suggest that these tools are under active development.
• Introducing Shadowsocks Obfuscation for WireGuard - Mullvad VPN has introduced Shadowsocks. Shadowsocks is a protocol that obfuscates traffic which aims to make it harder for firewalls to detect and block VPN traffic.

Techniques and Write-ups

• ZombAIs: From Prompt Injection to C2 with Claude Computer Use - Anthropic released "Claude Computer Use" and this researcher got to work! TLDR - They code execution by asking the prompt to run their sliver agent. Worth noting it's still in BETA as of the day of this LWiS post.
• 💰Systematic Destruction (Hacking the Scammers pt. 2) - Security researcher is targetting and exploiting those pesky holiday scammers. They were able to find a vulnerability in the scammers custom application.
• How I Accessed Microsoft’s ServiceNow — Exposing ALL Microsoft Employee emails, Chat Support Transcripts & Attachments - Fun read on how a researcher found a way to access Microsoft's ServiceNow instance, which exposed all Microsoft employee internal email requests, support ticket transcripts, incidents & live agent support chats. No bounty for the researcher though!
• AWS CDK Risk: Exploiting a Missing S3 Bucket Allowed Account Takeover - Wild finding by the Aqua team that affected 1% of the AWS Cloud Development Kit (CDK) users. Disclosure to remediation took around 5 weeks.
• Using gRPC and HTTP/2 for Cryptominer Deployment: An Unconventional Approach - Blog post on how malicious actors are exploiting Docker remote API servers via gRPC/h2c to deploy the cryptominer SRBMiner to facilitate their mining of XRP on Docker hosts.
• Offensively Groovy - If you compromise a Jenkins server during one of your engagements, this read is for you. This blog is a good primer into post-exploitation after you've compromised a Jenkins server.
• Burning Zero Days: FortiJump FortiManager vulnerability used by nation state in espionage via MSPs - At what point do we stop accepting the risk of exposing these SSL VPNs to the public? At what point do we switch vendors?

Tools and Exploits

• ExecutePeFromPngViaLNK - Extract and execute a PE embedded within a PNG file using an LNK file.
• Chrome-App-Bound-Encryption-Decryption - Tool to decrypt App-Bound encrypted keys in Chrome 127+, using the IElevator COM interface with path validation and encryption protections.
• udpz - Speedy probe-based UDP service scanner.
• OctoC2t - Simple C2 using GitHub repository as comms channel.
• KernelCallbackTable-Injection-PoC - Proof of Concept for manipulating the Kernel Callback Table in the Process Environment Block (PEB) to perform process injection and hijack execution flow.
• SkyScalpel - SkyScalpel is an open-source framework for JSON policy parsing, obfuscation, deobfuscation, and detection in cloud environments. It provides flexible and highly configurable mechanisms to handle JSON-level obfuscation, IAM policy transformations, and the detection of evasive obfuscation techniques in cloud security contexts.
• AuthStager - AuthStager is a proof-of-concept tool that generates a custom stager shellcode that authenticates to the stager server using an authentication token.
• ShareFouine - This python script allows you to easily navigate into Sharepoint using UNIX like commands.
• TypeLibWalker - This is a new way of persistence on Windows machines using TypeLib. TypeLib persistence technique.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• openbas - Open Breach and Attack Simulation Platform.
• pyLootApacheServerStatus - A script to automatically dump all URLs present in /server-status to a file locally.
• LOLSearches - Living off the land searches for explorer and sharepoint.
• goopts - goopts, a Go library to parse arguments given in command line to a program.
• DGPOEdit - Disconnected GPO Editor - A Group Policy Manager launcher to allow editing of domain GPOs from non-domain joined machines.
• UniGetUI - UniGetUI: The Graphical Interface for your package managers. Could be terribly described as a package manager manager to manage your package managers.
• skyvern - Automate browser-based workflows with LLMs and Computer Vision.
• Bindable Microservices with Cloudflare Workers - three files, one command, boom - you have a backend. Cloudflare is magic!

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.