FortiGate exploit (@watchtowrcyber), Azure admin approval bypass (@PedroGabaldon), dylib 💉 in Teams (@Coiffeur0x90), Ivanti Connect Secure vuln (@buffaloverflow), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-10-07 to 2024-10-14.
News
- U.S. Wiretap Systems Targeted in China-Linked Hack - Adversaries using "lawful" backdoors for access. Remember this story the next time a politician demands a backdoor on end-to-end encryption to "protect the children" or whatever the rallying cry of the day is.
- Operation Middlefloor: Disinformation Campaign Targets Moldova Ahead of Presidential Elections and Eu Membership Referendum - Current events are used to initiate cyber attacks. The use of "feedback forms" to gather detailed information about victims for further targeting is an interesting move and shows a level of sophistication and persistence above the standard cybercriminal.
- Lamborghini Carjackers Lured by $243M Cyberheist - Some impressively poor OPSEC on display here. The lack of any tact in using the stolen funds also didn't help the criminals/now-victims. Cryptocurrency remains the wild west.
- Collapse of National Security Elites' Cyber Firm Leaves Bitter Wake - IronNet was once valued at $3 billion when it IPO'd in 2021 despite never being profitable, relying on the name of its founder former NSA head Keith Alexander. Is IronNet the Theranos of cybersecurity?
- Insecure Deebot robot vacuums collect photos and audio to train AI - Hopefully there will be a market of fully-offline capable IoT devices as consumers become aware of the risks of these internet connected sensor platforms in their homes, but based on the rise of social media, the average consumer cares little for privacy.
Techniques and Write-ups
- Exploiting Microsoft Teams on macOS during a Purple Team engagement - macOS tradecraft posts are rare, and tradecraft that works on the latest Microsoft Teams and macOS 14.4 (Sonoma) is even more rare. This post covers post-exploitation actions on macOS using Teams to bypass macOS TCC (Transparency, Consent, and Control) as well as persistence.
- Beyond the good ol' LaunchAgents - 34 - launchd boot tasks - More macOS tradecraft, but this one requires a TCC bypass or root and a SIP (System Integrity Protection) bypass.
- Bypass Azure Admin Approval Mode for User Consent Workflow When Enumerating - Skip the admin approval workflow by issuing yourself a token for an existing application with the entitlements you need, like SharePoint Online Web Client Extensibility.
- Fortinet FortiGate CVE-2024-23113 - A Super Complex Vulnerability In A Super Secure Appliance In 2024 - The watchtowr labs researchers find yet another vulnerability in an SSL VPN.
- Ivanti Connect Secure - Authenticated RCE via OpenSSL CRLF Injection (CVE-2024-37404) - Another SSLVPN vulnerability, this time authenticated arbitrary code execution as root.
- EKUwu: Not just another AD CS ESC ESC15 coming in hot! Certipy PR has been submitted.
- Issuing Custom Security Attributes in Entra ID tokens - In this blogpost, the author demonstrates how to use the custom claims provider functionality of Entra ID custom authentication extensions in order to issue Custom Security Attributes as claims.
- How I found a P2 Misrouting issue affecting all Google Cloud Load Balancers - "...By crafting unconventional HTTP requests, I stumbled upon a flaw that reveals sensitive bucket names and opens the door for attackers to exploit load balancers in unexpected ways.". Always fun to read about cloud vulnerabilities.
- When USBs Attack: Exploring the Underbelly of Malicious LNK Files - If you're still doing physicals and wanted to know a little bit more about how USBs can be used as initial access payloads, give this a read!
- HijackLoader evolution: abusing genuine signing certificates - CTI read on how tools like recaptcha-phish - were weaponized by attackers.
- DLL Sideloading - Good writeup on the topic. Summarizes the differences between hijacking, sideloading, proxying, etc. Good read if you need a good intro to these concepts.
- How to inspect TLS encrypted traffic - Good walkthrough for attackers and defenders.
Tools and Exploits
- Voidmaw - A new technique that can be used to bypass memory scanners. This can be useful in hiding problematic code (such as reflective loaders implemented by C2 beacons) or other problematic executables that will be flagged by the antimalware programs(such as mimikatz).
- Proxll - Tool designed to simplify the generation of proxy DLLs while addressing common conflicts related to windows.h.
- Sharelord - .NET Assembly that creates network shares, sets ACE entries for directories, sets share perms, and deletes shares. Learning project for C#.
- TrailDiscover - An evolving repository of CloudTrail events with detailed descriptions, MITRE ATT&CK insights, real-world incidents, references and security implications.
- orc2timeline - orc2timeline extracts and analyzes artifacts contained in archives generated with DFIR-ORC.exe to create a timeline from them.
- CVE-2024-9465 - Proof of Concept Exploit for CVE-2024-9465 (Palo Alto Expedition unauthenticated SQL injection).
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- pssrecon - Small tool to perform SCCM recon and enumerate a Primary Site Server (PSS) or Distribution Point (DP) over winreg. This can enumerate useful information such as the Site Database, whether a DP allows anonymous access, if a DP is PXE enabled and the location of Management Points (MP) in the site.
- misconfig-mapper - Misconfig Mapper is a fast tool to help you uncover security misconfigurations on popular third-party services used by your company and/or bug bounty targets!
- MiniKvm_public - This repo contains all the code and documentation for the MiniKvm project and the CH9329 controller.
- Aggressor-Aggregator - A helper script for consolidating Aggressor and BOF repositories into a single CNA for Cobalt Strike.
- ADcheck - Assess the security of your Active Directory with few or all privileges.
- gocrack - GoCrack is a management frontend for password cracking tools written in Go.
- Living Off Security Tools - It was only a matter of time. Let's not forget Iscariot Suite. Not sure if this project will take off or not but we will track it.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. 4