Last Week in Security (LWiS) – 2024-06-24

News

• (X/Twitter) CVE-2024-30078 (Windows Wi-Fi Driver RCE) details – Looks like the bug is in handling VLAN (802.1Q) tags?
• Arm64EC – Build and port apps for native performance on Arm – Microsoft is allowing developers to run both native ARM code and emulated x86_64 code in the same process at the same time on their new ARM builds of Windows. An impressive engineering feat, and probably a nightmare for EDR.
• Biden bans US sales of Kaspersky software over Russia ties – The Russian affiliated EDR is soon to be completely banned in the US. It was previously banned from federal government networks in 2017.
• Advance Auto Parts confirms data breach exposed employee information – “…their data was stolen from a third-party cloud database environment”. 3rd party risk FTW.
• Google: Stop Burning Counterterrorism Operations – Interesting read. National security vs Google.
• Consulting Companies to Pay $11.3M for Failing to Comply with Cybersecurity Requirements in Federally Funded Contract – $11.3 million to settle claims of failing to meet security standards in a federal contract for New York’s rental assistance program during the COVID-19 pandemic.
• Cloaked and Covert: Uncovering UNC3886 Espionage Operations – Mandiant has uncovered operations by UNC3886, a suspected China-linked espionage group, targeting global strategic orgs with custom malware and exploiting 0-day vulnerabilities in FortiOS and VMware.
• KrebsOnSecurity Threatened with Defamation Lawsuit Over Fake Radaris CEO – KrebsOnSecurity faces a defamation lawsuit after exposing the dubious practices and fake CEO of the data broker Radaris, which has been involved in deceptive marketing and privacy concerns.

Techniques and Write-ups

• SCCM Exploitation: Evading Defenses and Moving Laterally with SCCM Application Deployment – Solid write-up on SCCM tradecraft using cobalt strike and open-source tooling.
• plORMber Your Django ORM – “allowing un-validated user inputs into “safe” ORM methods could introduce a security risk.” There are a few different ways to exploit ORM functions if the input isn’t sanitized that allow for data theify (leaking password hashes, etc).
• Project Naptime: Evaluating Offensive Security Capabilities of Large Language Models – Everyone is “doing AI,” but can LLMs hack anything? Google Project Zero decided to find out. Answer: sort of, if the bugs are unambiguous and easly reachable. AI is not going to replace security researchers for a while.
• CVE-2024-27815 – Using _MSIZE instead of MLEN leads to a case where an attacker can write up to 255 bytes of data into a data field that is only 224 bytes long (and a kernel crash of course).
• GrimResource – Microsoft Management Console for initial access and evasion – Initial access vectors continue to evolve. The latest use MSC files and execute code as mmc.exe. For an example see: grimresource.msc.
• Fuzzer Development 4: Snapshots, Code-Coverage, and Fuzzing – If you’ve been keeping up with this series you know what to expect. Detailed, technical fuzzing content.
• MacDevOpsYVR 2024 – Electron Security – Electron has enabled many cross-platform applications (by shipping web browsers with them), but also can in some cases be hijacked for malicious purposes like TCC bypass. Lectricus can detect these misconfigurations programatically.
• Feeding the Phishes – If you’ve done an engagement that involved phishing targets behind a secure email gateway, you know the issues presented in this post. Some good ideas for getting around email gateways are presented.
• How Twitch Helper Can Be Used for Privilege Escalation – on macOS many applications install a “helper” which can do privileged actions, but if they aren’t properly protected these helpers can lead to privilege escalation.
• Using machine learning to detect bot attacks that leverage residential proxies – Residential proxies are a password spraying cheat code right now. Looks like Cloudflare is trying to combat this.
• Mobile OAuth Attacks – iOS URL Scheme Hijacking Revamped – Researchers identified a vulnerability in iOS where any app could hijack accounts via OAuth and Custom URL Schemes, potentially affecting numerous apps and a core iOS feature.
• (PDF) Hacking Contests, Bug Bounties, and China’s Offensive Cyber Ecosystem – A report on China’s offensive ecosystem, detailing how vulnerability research works in China and its “hack for hire” culture.
• Exploiting GCP Cloud Build for Privilege Escalation – Exploit Google Cloud’s Cloud Build service to escalate privileges and execute lateral movements within a GCP environment by manipulating the cloudbuild.yaml configuration file.

Tools and Exploits

• RedFlag – RedFlag uses AI to identify high-risk code changes. Run it in batch mode for release candidate testing or in CI pipelines to flag PRs and add reviewers. RedFlag’s flexible configuration makes it valuable for any team.
• MSC_Dropper – is a Python script designed to automate the creation of MSC (Microsoft Management Console) files with customizable payloads for arbitrary execution. This tool leverages a method discovered by Samir (@SBousseaden) from Elastic Security Labs, termed #GrimResource, which facilitates initial access and evasion through mmc.exe.
• gimmick – Section-based payload obfuscation technique for x64.
• DOSVisor – x86 Real-Mode MS-DOS Emulator using Windows Hypervisor Platform.
• Lifetime-Amsi-EtwPatch – Two in one, patch lifetime powershell console, no more etw and amsi!
• FetchPayloadFromDummyFile – Construct a payload at runtime using an array of offsets.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren’t released last week but are new to me. Perhaps you missed them too!

• SigmaPotato – SeImpersonate privilege escalation tool for Windows 8 – 11 and Windows Server 2012 – 2022 with extensive PowerShell and .NET reflection support.
• month – 🌒 Shell command obfuscation to avoid detection systems.
• Sn1per – Attack Surface Management Platform.
• nerve – Instrument any LLM to do actual stuff.
• archipelago – T-Guard is an innovative security operations center (SOC) solution that leverages the strength of leading open-source tools to provide robust protection for your digital assets.
• goaccess – GoAccess is a real-time web log analyzer and interactive viewer that runs in a terminal in *nix systems or through your browser.
• VR_roadmap.md – Becoming a Vulnerability Researcher roadmap
• reverst – Reverse Tunnels in Go over HTTP/3 and QUIC.
• Image Location Search – Could be cool for some OSINT practitioners out there.
• LogHunter – Opsec tool for finding user sessions by analyzing event log files through RPC (MS-EVEN).

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.