Evading MDI (@yaumn_), TAP->NTLM (@_dirkjan), ELF verifier (@kev169), Kerberos delegation + 🦀 in beacons (@_RastaMouse), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-05-06 to 2024-05-13.
News
- Proton Mail Discloses User Data Leading to Arrest in Spain - People trusting VPNs is still wild.
- Ascension hospitals report 'disruptions' to clinic operations following suspected cyber attack - Ascension is one of the largest hospital systems in Illinois, with 150 care sites and 14 hospitals, including Ascension St. Francis in Evanston.
- A joint statement from UniSuper CEO Peter Chun, and Google Cloud CEO, Thomas Kurian - When the Google Cloud CEO has to make a statement, you know it's a big deal. UniSuper, an Australian superannuation fund, had their entire Google Cloud account deleted in "an isolated, one-of-a-kind occurrence." They were saved only because they kept a backup totally outside of Google Cloud. This will be a wild one for your tabletop exercises.
- How Did Authorities Identify the Alleged Lockbit Boss? - Last week global law enforcement arrested the alleged leader of the LockBit ransomware gang (known online as "LockBitSupp"). Krebs has the details on how they tracked him down.
Techniques and Write-ups
- TunnelVision (CVE-2024-3661): How Attackers Can Decloak Routing-Based VPNs For a Total VPN Leak - With a little-used DHCP option, an attacker in a position to send DHCP responses to a vitim (real or through a rogue DHCP server) can push specific routes that will allow them to see traffic that the user believes is protected by a VPN.
- CVE-2024-21115: An Oracle Virtualbox Lpe Used to Win Pwn2own - Great, detailed write up of an out-of-bounds write leading to arbitrary WinExec -- not quite arbitrary code execution thanks to control flow guard.
- Understanding and Evading Microsoft Defender for Identity Pkinit Detection - If you want to not stand out, it's always best to look exactly like native tools. To achieve this, try the new tool: Invoke-RunAsWithCert - A PowerShell script to perform PKINIT authentication with the Windows API from a non domain-joined machine.
- Marshal Like a Boss With Reflective Loading in C# - This post shows how reflective loading can be combined with storing a DLL in resources to marshal functions from it into managed runtime without the need of dropping any artifacts on disk.
- Custom Beacon Artifacts - Blog post explaining how to create custom Beacon artifacts for Cobalt Strike by modifying and building executable templates in C++ and Rust, allowing for the injection and execution of Beacon shellcode in memory without detection.
- When "Phish-Proof" Gets Hooked - How a red team revealed a vulnerability in Okta FastPass, by exploiting the transition from the Loopback flow to the Custom URL flow, bypassing anti-phishing protections. So much Okta tradecraft lately.
- Lethal Injection: How We Hacked Microsoft's Healthcare Chat Bot - Multiple vulnerabilities in Microsoft's Azure Health Bot service that could have allowed unauthorized access to sensitive infrastructure and medical data. All patched. Cool work!
- Today I Learned - Zsh History Timestamps - In Zsh, commands executed during a session are logged with timestamps, but these timestamps reset upon reboot or session closure, making it useful for incident response in systems where Zsh is the default shell.
- Abusing Azure Logic Apps - Part 1 - Looking forward to this series. How attackers can abuse storage account privileges linked with a logic app to gain unauthorized access, execute system commands, and create workflows, focusing on the relationship between logic apps and storage accounts.
- Looking back at the past 4 months - For those thinking about starting to become a full time bug bounty hunter. An anecdote.
- Bypassing WAFs to Exploit CSPT Using Encoding Levels - How to exploit Client Side Path Traversal (CSPT) vulnerabilities by bypassing Web Application Firewalls (WAFs) using different encoding levels to execute attacks such as cross-site scripting (XSS).
- Kerberos Delegation Test App - Rasta built a ASP.NET Core to understand Kerberos protocol by capturing and decrypting real traffic.
- The Structure and Taxonomy of a Detection Knowledge Base - The importance of documentation in detection engineering.
- Schneider Electric APC Easy UPS RCE - Java RMI Applevel Deser for JEP>=290 - RCE those pesky UPS devices all over your internal pentest.
- Digging for SSRF in NextJS apps - The blog post explores the potential for SSRF vulns in NextJS applications due to misconfigurations, particularly focusing on the _next/image component and demonstrating how attackers can exploit these weaknesses to perform SSRF attacks, including a detailed explanation of bypassing security measures and a newly discovered SSRF vulnerability that was assigned CVE-2024-34351.
- Hacking Apple - SQL Injection to Remote Code Execution - Researchers from ProjectDiscovery identified a critical SQL injection vulnerability in Apple's Book Travel portal using Mura/Masa CMS, led to RCE, and responsibly disclosed it. Wicked!
- Lateral movement and on-prem NT hash dumping with Microsoft Entra Temporary Access Passes - Temporary passwords can give access to long term keys! Great writeup from Dirk-jan as always.
- Poisoning Pipelines: Azure DevOps Edition - DevOps and CI/CD solutions have come under fire recently, and this post shows how to abuse Azure DevOps to execute arbitrary code.
- Emulation with Qiling - Qiling has some cool features, like the ability to fake file systems, hook functions, and even modify registers on the fly. This post shows how to use Qiling to emulate NEXXT Polaris 150 travel router.
- XZ Utils Made Me Paranoid - If you too are paranoid due to the XZ backdoor incident, check out VerifyELF a tool to validate that there are no hooks installed into the running processes, and if there are to print out that there is and what offset the first difference is, or print out all differences.
Tools and Exploits
- IconJector - Unorthodox and stealthy way to inject a DLL into the explorer using icons.
- TrollDump - Injects a 64-bit managed DLL into a 64-bit managed or unmanaged process using setwindowshook.
- pgdsat - PostgreSQL Database Security Assessment Tool.
- grype - A vulnerability scanner for container images and filesystems.
- parsnip - Parsnip is a program developed to assist in the parsing of protocols using the open source network security monitoring tool Zeek.
- vulnrichment - A repo to conduct vulnerability enrichment.
- ImmoralFiber - Fibers are an optional and largely undocumented component of the Windows operating system, existing only in user mode.
- IPPrintC2 - PoC for using MS Windows printers for persistence / command and control via Internet Printing.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- Raspberry Pi Connect - "...a secure and easy-to-use way to access your Raspberry Pi remotely, from anywhere on the planet, using just a web browser."
- C-from-Scratch - A roadmap to learn C from Scratch.
- regulator - Automated learning of regexes for DNS discovery.
- confused - Tool to check for dependency confusion vulnerabilities in multiple package management systems.
- ashirt-server - Adversary Simulators High-Fidelity Intelligence and Reporting Toolkit.
- bsides-nashville-identity-crisis - Identity Crisis: Combating M365 Account Takeovers at Scale (BSides Nashville 2024).
- Survivorship Bias and How Red Teams Can Handle It - Not the first time I've heard this before.
- gcp-iam-brute - GCP IAM Brute is a tool that leverages the testIamPermissions feature in Google Cloud Platform (GCP) to perform fuzz testing for different permissions within GCP.
- stalker - Stalker, the Extensible Attack Surface Management tool.
- cloudmapper - CloudMapper helps you analyze your Amazon Web Services (AWS) environments.
- waymore - Find way more from the Wayback Machine, Common Crawl, Alien Vault OTX, URLScan & VirusTotal!.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.