Last Week in Security (LWiS) - 2025-01-06
Kick off 2025 with fresh news, new exploits, techniques, tools, and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past few weeks. This post covers 2024-12-16 to 2025-01-06.
News
- [PDF] BeyondTrust RMM breach leads to US Treasury breach - The best example of traitorware yet? This is too recent to be related to the sanctions for Integrity Tech, a Beijing-based cybersecurity company.
- [PDF] Summary Judgment in WhatsApp vs NSO Group case - The court held NSO Group liable for breaching WhatsApp’s terms of service, which prohibit malicious or illegal use, such as reverse engineering, decompiling software, or sending harmful code.
- Ending OCSP Support in 2025 - Online Certificate Status Protocol has always been pretty broken (leaks your domain requests, soft-fails when unreachable anyway), so this is a step forward.
- A 9th telecoms firm has been hit by a massive Chinese espionage campaign, the White House says - Phone and SMS should be considered fully compromised at this point. Use Signal or SimpleX.
- Fortified’s Central Command Platform Named "Healthcare Cybersecurity Solution of the Year" Sponsored - The MSSP platform integrates Advisory Services and Threat Defense (SOC) Managed Services into a single, cohesive application, offering a comprehensive suite of tools that enable healthcare providers, payors, and other healthcare clients to monitor threats, manage risk registers, gain insights from analytics, and react to real-time alerts through desktop and mobile applications. Learn more and see it in action today!
Techniques and Write-ups
- TokenSmith – Bypassing Intune Compliant Device Conditional Access - Entra ID conditional access is a complex system, and the need to allow devices to go from non-compliant to compliant allows attackers to get full MSGraph tokens even on non-Intune-compliant devices. Note that cookies and the user's password/MFA are still required.
- Uncovering GStreamer secrets - 29 vulnerabilities discovered thanks to a custom input corpus generator for the MP4 format.
- All I Want for Christmas is a CVE-2024-30085 Exploit - A really great breakdown of a heap-based buffer overflow vulnerability affecting the Windows Cloud Files Mini Filter Driver. There are actually two separate overflows and some heap-fu to pull this exploit off. Code here: CVE-2024-30085.
- The many ways to obtain credentials in AWS - A summary of the various ways compute services on AWS obtain their credentials. This is knowledge that both attackers and defenders can use to get an upper hand on the side that doesn't have it.
- Password Spraying with Selenium and Fireprox - A little more manual than tools like CredMaster, but this seems like a good exercise for those looking to understand modern password spraying tradecraft. TLDR - You almost always have to cycle your IP address and worry about those source IP addresses. Many defenders identify API GW in their audit logs. AWS API GW alternatives are pretty hot right now.
- NFS Security: Identifying and Exploiting Misconfigurations - There aren't many blog posts around abusing NFS. This is a great introduction for those interested. NFS is still a popular protocol to come across on internal pentests. Also came with a tool drop: nfs-security-tooling.
- LDAPNightmare: SafeBreach Labs Publishes First Proof-of-Concept Exploit for CVE-2024-49113 - The LDAP vulnerability patched last month has a crash proof of concept available. The race to remote code execution is on! PoC: CVE-2024-49113.
- NTSockets - Downloading a file via HTTP using the NtCreateFile and NtDeviceIoControlFile syscalls - This post demonstrates how to create TCP sockets and transmit/receive data using only ntdll exports.
- Breaking the Chain: Wiz Uncovers a Signature Verification Bypass in Nuclei, the Popular Vulnerability Scanner (CVE-2024-43405) - Ooof. This one hits the impact box hard. Imagine distributing a malicious template and getting RCE on many hackers' assessment devices. Great find!
- I’m watching you! How to spy Windows users via MS UIA - Exploiting Windows accessibility framework to stealthily monitor user activity, including password managers and messaging apps.
- Mastering Modern Red Teaming Infrastructure — Part 2: Building Stealthy C2 Infrastructure with Sliver and Redirector - Surprise: Using Cloudflare to proxy your traffic. Cloudflare is cracking down on abuse, so I'm curious how long this will last. Good walkthrough for anyone looking for a step-by-step guide.
- Cacheract: The Monster in your Build Cache - A GitHub Actions post-exploitation technique that abuses the cache. The scary part is that once it has permissions, it adds itself to the cache, and as long as the action runs once every 7 days, it could persist forever. Code: Cacheract.
- SSD Advisory – cldflt Heap-Based Overflow (PE) - A nice Windows local privilege escalation that took third place in TyphoonPWN 2024.
- Static Keys, Shattered Security Dreams: A CVE-2024-5764 Story - A writeup of multiple issues in the Sonatype Nexus Cache, including path traversal and issues with the older OrientDB system.
Tools and Exploits
- aad-bofs - AzureAD beacon object files.
- dylight - Loads macOS dynamic libraries (dylibs) from the internet over HTTP and injects them into the local process.
- VladimiRED - A C# port of the Mockingjay injection technique to be used with the AppDomainManager injection method.
- sccmhound - A BloodHound collector for Microsoft Configuration Manager.
- aad-bofs - This repository contains a collection of BOFs for various Azure AD attacks.
- TokenSmith - Generates Entra ID access and refresh tokens on offensive engagements. It is suitable for both covert adversary simulations and penetration tests; the generated tokens work out of the box with many popular Azure post-exploitation tools.
- LitterBox - A sandbox environment designed specifically for malware development and payload testing.
- sharp-execute - Executing .NET Files from an Unmanaged Process with Manual CLR Loading.
- userland-exec - Userland exec replaces the existing process image within the current address space with a new one. It mimics the behavior of the system call execve, but the process structures describing the process image remain unchanged. In other words, the process name reported by system utilities will retain the old process name.
- PanGP_Extractor - Tool to extract the username and password of the current user from PanGPA in plaintext.
- Blackfyre - Blackfyre is an open-source platform designed to standardize and streamline binary analysis. It provides tools and APIs for extracting, analyzing, and storing binary data in a disassembler-agnostic and architecture-agnostic format. This enables consistent workflows for advanced reverse engineering tasks powered by AI/ML, NLP, and LLMs.
- Krueger - Proof of Concept (PoC) .NET tool for remotely killing EDR with WDAC.
- LitterBox - Sandbox approach for malware developers and red teamers to test payloads against detection mechanisms before deployment.
- hashcrack-ai - An automated Python script designed to use GPU instances provided by https://vast.ai to deploy a Dockerized Hashcat CUDA instance (https://github.com/dizcza/docker-hashcat).
- trust-validator - Validates privilege escalation paths across AD trusts.
- DLLHound - Find potential DLL sideloads on your Windows computer.
- Know-Normal-S1 - Helps to "Know Normal" by comparing artifacts from an alert against the enterprise. Based on SANS 508 concept.
- PoCEntraDeviceComplianceBypass - Simple pure PowerShell POC to bypass Entra / Intune Compliance Conditional Access Policy.
- DRSAT - Disconnected RSAT - A method of running Group Policy Manager, Certificate Authority and Certificate Templates MMC snap-ins from non-domain joined machines.
- Cacheract - GitHub Actions Cache Native Malware - for Educational and Research Purposes only.
- CodeQL-Community-Packs - Collection of community-driven CodeQL query, library and extension packs. More info: Announcing CodeQL Community Packs.
- SCCMSiteCodeHunter - A utility for querying SCCM (System Center Configuration Manager) management points and site servers using LDAP.
- CVE-2024-49112 - LdapNightmare is a PoC tool that tests a vulnerable Windows Server against CVE-2024-49112.
- btexec - Execute shellcode via Bluetooth device authentication.
- Spyndicapped - COM ViewLogger — new malware keylogging technique.
- DOMspy - A web security research tool for DOM testing. A chrome extension now.
- MLOKit - A toolkit that can be used to attack MLOps platforms by taking advantage of the available REST API. The user specifies an attack module along with valid credentials (API key or stolen access token) for the respective MLOps platform. Read the full report here: [PDF] Disrupting the Model: Abusing MLOps Platforms to Compromise ML Models and Enterprise Data Lakes.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- InstaTools - Ansible Script to install my favorite Tools.
- NachoVPN - A delicious, but malicious SSL-VPN server 🌮.
- CVE-2024-35176 - Full PoC for CVE-2024-35176.
- lc3-vm - Write your own virtual machine for the LC-3 computer!
- SharpExShell - SharpExShell automates the DCOM lateral movement technique which abuses the ActivateMicrosoftApp method of the Excel application.
- powerview.py - Just another Powerview alternative.
- OFFAT - The OWASP OFFAT tool autonomously assesses your API for prevalent vulnerabilities, though full compatibility with OAS v3 is pending. The project remains a work in progress, continuously evolving towards completion.
- SharpRDPHijack - A proof-of-concept Remote Desktop (RDP) session hijack utility.
- AttackRuleMap - Mapping of open-source detection rules and atomic tests.
- egressinator - Find what egress ports are allowed.
- Azurepwn.ps1 - Azure post-exploitation work.
Resources
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.