Security Pills - Issue 11

Incident Response in AWS, Vulnerability in TikTok, Analysis of a Python malware

Release Date: 5 September 2022 | Issue: 11 | Subscribe

The Security Pills newsletter is a hand-curated zine (delivered once per week) that highlights security-related news: 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.

Sponsor

Would you like to become a sponsor for our newsletter? Our mission is to highlight security-related news with a focus on appsec, mobile and smart contracts while helping people stay up to date with this corner of the industry. If you are interested, reach out to [email protected] with your ad idea to get started!

Hey there 👋, Hope you have been doing well and had a wonderful weekend! We are about to hit the 3-month mark; I couldn't have imagined this when I first started this newsletter as an experiment. It has been a long week, but I had the opportunity to attend the Blockchain Summit 2022 from SANS and spent the whole weekend doing downhill. I think I've never felt such a rush of adrenaline before in any other sport I have tried. What about you? How was your week? 💊

  • Articles: Incident Response in AWS, SingPass RASP Analysis Pt.1, Restricting Libraries in JVM Compute Platforms, ModernLoader Delivers Multiple Stealers, Cryptominers and RATs, Bootkitting Windows Sandbox, GraphQL Batching Attacks: Turbo Intruder, A Technical Analysis of Pegasus for Android Pt.1, An Incomplete Look at Vulnerability Databases and Scoring Methodologies, NTLMv1 vs NTLMv2: Digging into an NTLM Downgrade Attack, Snakes on a Domain: An Analysis of a Python Malware Loader, The Strengths and Weaknesses of a Technique-centric Purple Teaming Approach, So You Wanna Pwn The Kernel?, SudoRare Incident Analysis.

  • Vulnerabilities and Bug Bounties: Blind Exploits to Rule WatchGuard Firewalls, Vulnerability in TikTok Android App Could Lead to One-Click Account Hijacking, SATisfying Our Way Into Remote Code Execution in the OPC UA Industrial Stack, Exploiting Improper Validation of Amazon Simple Notification Service SigningCertUrl, Analysis of a Go Web Assembly Vulnerability.

  • Resources:

    • Videos: Nahamsec - Smart Contract Series: Intro to Smart Contracts, How I Hacked Etherscan, Binary Diffing with Ghidra, John Hammond - Protocol Wars: NEAR, The Bad Jump Design and 30 FPS Gravity of TNMT: Behind the Code.

    • Repositories: jscyte, Ziion, Fissure, SCMKit.

    • Security Tips: Common web3 hacks and scams, Best security practices when starting a web3 project, Improve API endpoints discovery.

  • Hashtags Used in this Issue: #active-directory, #appsec, #apt, #architecture, #cloud-security, #exploiting, #incident-response, #mobile, #purple-team, #research, #smart-contracts

Incident Response in AWS #incident-response

Everything needs credentials, especially cloud applications. With a cloud provider, those credentials can grant the holder the ability to view or modify the whole cloud infrastructure, so an important part of responding to an incident is finding out exactly what the attacker changed. That is what Chris Farris discussed in his talk at BSides Atlanta last week on how to handle an incident in AWS. This article provides a thorough walkthrough of what to do when the incident involves your AWS cloud infrastructure. You can also find the slides here.

Recommended architecture to get core telemetry into a SIEM
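
To make the "what did the attacker change" question concrete, here is an added example (not code from Chris Farris's talk or slides) that triages a batch of CloudTrail records for one compromised access key. It relies only on fields every CloudTrail record carries (eventTime, eventSource, eventName, readOnly, errorCode, sourceIPAddress and userIdentity.accessKeyId); the records and the key ID AKIAEXAMPLE000000001 are constructed for the example.

```python
"""Triage CloudTrail records for a compromised access key (added example, constructed data)."""
from collections import Counter

# Constructed records in the shape of real CloudTrail JSON: only the fields used below are present.
SAMPLE_RECORDS = [
    {"eventTime": "2022-08-30T10:02:11Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "readOnly": True,
     "sourceIPAddress": "203.0.113.7", "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"}},
    {"eventTime": "2022-08-30T10:02:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "readOnly": True,
     "sourceIPAddress": "203.0.113.7", "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"}},
    {"eventTime": "2022-08-30T10:03:05Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "readOnly": False, "errorCode": "AccessDenied",
     "sourceIPAddress": "203.0.113.7", "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"}},
    {"eventTime": "2022-08-30T10:04:19Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "readOnly": False,
     "sourceIPAddress": "198.51.100.23", "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"}},
    {"eventTime": "2022-08-30T10:05:02Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "readOnly": False,
     "sourceIPAddress": "198.51.100.23", "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"}},
    {"eventTime": "2022-08-30T09:58:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "readOnly": False,
     "sourceIPAddress": "192.0.2.10", "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000002"}},
]


def triage_access_key(records, access_key_id):
    """Report what one key did: successful mutating calls (what changed), denied calls
    (recon / privilege probing) and the source IPs involved, in time order."""
    mine = sorted(
        (r for r in records if r.get("userIdentity", {}).get("accessKeyId") == access_key_id),
        key=lambda r: r["eventTime"],   # ISO-8601 UTC strings sort chronologically
    )
    changes, denied = [], []
    for r in mine:
        call = (r["eventTime"], r["eventSource"], r["eventName"])
        if "errorCode" in r:            # CloudTrail only sets errorCode when the API call failed
            denied.append(call + (r["errorCode"],))
        elif not r.get("readOnly", False):
            changes.append(call)
    return {
        "first_seen": mine[0]["eventTime"] if mine else None,
        "last_seen": mine[-1]["eventTime"] if mine else None,
        "source_ips": Counter(r["sourceIPAddress"] for r in mine),
        "changes": changes,
        "denied": denied,
    }


if __name__ == "__main__":
    report = triage_access_key(SAMPLE_RECORDS, "AKIAEXAMPLE000000001")
    print(f"active {report['first_seen']} .. {report['last_seen']} from {dict(report['source_ips'])}")
    for when, svc, name in report["changes"]:
        print(f"  CHANGED  {when} {svc} {name}")
    for when, svc, name, err in report["denied"]:
        print(f"  DENIED   {when} {svc} {name} ({err})")
```

In a real response you would feed it the result of a CloudTrail Lake or Athena query over the full retention window rather than a hand-built list, and a successful CreateAccessKey in the output means a second key now needs the same treatment before you can call the scope of the compromise known.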

SingPass RASP Analysis Pt.1 #mobile

Romain Thomas started researching the SingPass application (an app managed by the Government Technology Agency and used to drive Singapore's Smart Nation), which turned out to be obfuscated and protected with Runtime Application Self-Protection (RASP). This article is a deep dive, from a reverse-engineering perspective, into the interesting RASP features implemented in the app (jailbreak and Frida detection, native code obfuscation, etc.) and how Romain managed to defeat those security mechanisms, along with some insights on potential RASP design weaknesses.

Restricting Libraries in JVM Compute Platforms #architecture

Databricks has published this interesting article exploring the challenges of using third-party libraries in Scala and Java and proposing ways to isolate them when needed.

ModernLoader Delivers Multiple Stealers, Cryptominers and RATs #apt

Cisco Talos has recently observed three campaigns delivering a variety of threats (the ModernLoader bot, the RedLine information stealer and cryptocurrency-mining malware) to victims. The actors used a variety of techniques to spread across a targeted network and eventually dropped other pieces of malware to enable the various stages of their operation. The final payload appeared to be ModernLoader, which acts as a remote access trojan (RAT) that collects system information and deploys different modules. This article is the technical analysis conducted by the Cisco Talos team.

ModernLoader campaign modules

Bootkitting Windows Sandbox #research

Back in 2019, Microsoft added a feature to Windows called Windows Sandbox, which according to Microsoft:

Windows Sandbox provides a lightweight desktop environment to safely run applications in isolation. Software installed inside the Windows Sandbox environment remains “sandboxed” and runs separately from the host machine.

The sandbox can be useful for malware analysis, but it can also be used for kernel research and driver development. This article explores how it is possible to intercept the boot process and patch the kernel during startup with a bootkit.

GraphQL Batching Attacks: Turbo Intruder #appsec

GraphQL allows multiple queries to be sent to the server in a single request, to reduce the number of requests the server has to process. A batching attack abuses this feature to perform many GraphQL operations within one web request. Because every HTTP request now carries many attempts, a brute force attack needs far fewer requests to succeed, which reduces the overall attack time and complexity and slips past rate limits that count requests rather than operations. Sensitive functionality such as verification of authentication codes (two-factor authentication), login, username enumeration and identifier enumeration are prime candidates for abuse in GraphQL.
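
As an added example, not code from the article or from Turbo Intruder, the following Python builds the two request shapes a batching attack uses (aliases inside one operation, and an array of operations) against a toy 2FA verification mutation named verify2fa, a constructed schema, and shows how counting operations per request rather than requests per minute shuts the attack down. The 2FA code 4821 and the limit of 10 operations are constructed values, and the toy server picks selections out of the query text with a regex instead of running a real GraphQL parser.

```python
"""GraphQL batching brute force, and the operation-count limit that stops it (added example)."""
import json
import re

SECRET_CODE = "4821"  # constructed: the 2FA code the toy server expects


def build_alias_batch(codes):
    """Alias batching: one operation, one aliased field selection per guess, one HTTP request."""
    sels = "\n".join(f'  g{i}: verify2fa(code: "{c}") {{ ok }}' for i, c in enumerate(codes))
    return json.dumps({"query": "mutation {\n" + sels + "\n}"})


def build_array_batch(codes):
    """Query batching: a JSON array of separate operations in one HTTP request."""
    return json.dumps([{"query": f'mutation {{ verify2fa(code: "{c}") {{ ok }} }}'} for c in codes])


# Toy server side: a real implementation would count selections in the parsed document.
_SEL_RE = re.compile(r'(?:(\w+)\s*:\s*)?verify2fa\(code:\s*"(\d+)"\)')


def toy_server(body, max_ops=None):
    """Resolve every verify2fa selection in the request body. With max_ops set, the
    server counts operations per request (not requests) and refuses oversized batches."""
    payload = json.loads(body)
    ops = payload if isinstance(payload, list) else [payload]
    guesses = [(alias or "verify2fa", code)
               for op in ops for alias, code in _SEL_RE.findall(op["query"])]
    if max_ops is not None and len(guesses) > max_ops:
        return {"errors": [{"message": f"batch too large: {len(guesses)} operations, limit {max_ops}"}]}
    return {"data": [{alias: {"ok": code == SECRET_CODE}} for alias, code in guesses]}


def brute_force(candidates, batch_size, max_ops=None, builder=build_alias_batch):
    """Attacker side: send candidates in batches; return (code found or None, HTTP requests used)."""
    requests = 0
    for start in range(0, len(candidates), batch_size):
        chunk = candidates[start:start + batch_size]
        reply = toy_server(builder(chunk), max_ops=max_ops)
        requests += 1
        if "errors" in reply:
            return None, requests   # limit hit; the attacker is pushed back to one request per guess
        for entry, code in zip(reply["data"], chunk):
            if next(iter(entry.values()))["ok"]:
                return code, requests
    return None, requests


ALL_CODES = [f"{n:04d}" for n in range(10000)]  # the whole 4-digit space

if __name__ == "__main__":
    print("no limit, alias batch :", brute_force(ALL_CODES, 10000))
    print("no limit, array batch :", brute_force(ALL_CODES, 10000, builder=build_array_batch))
    print("limit 10, one batch   :", brute_force(ALL_CODES, 10000, max_ops=10))
    print("limit 10, batches of10:", brute_force(ALL_CODES, 10, max_ops=10))
```

The limit alone only restores the request count a per-request rate limiter expects; the 2FA attempt counter itself still has to be kept per account on the server, so that 483 requests of 10 guesses are treated the same as 4830 single guesses.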

A Technical Analysis of Pegasus for Android Pt.1 #mobile

At this point almost everyone is familiar with Pegasus, the spyware developed by the NSO Group that has been repeatedly analyzed by Amnesty International and Citizen Lab. On this occasion, CyberMasterV has reverse engineered a specimen of the spyware for Android and shared his detailed notes in this series of three articles. This first part describes how the application gets initialized (including its configuration), which applications are targeted by Pegasus, the commands related to its core functionality and how it can remove itself from a compromised device. The author recommends reading this article along with the initial research conducted by Lookout in this paper.

Content stolen by Pegasus

An Incomplete Look at Vulnerability Databases and Scoring Methodologies #appsec

In this article, Chris Hughes takes an (admittedly incomplete) look at the current landscape of vulnerability databases and scoring methodologies. The author explores and revisits some of the fundamental databases and scoring methodologies currently in use in the industry, as well as some that are beginning to emerge as the digital landscape evolves.

NTLMv1 vs NTLMv2: Digging into an NTLM Downgrade Attack #active-directory

Performing an NTLM downgrade attack to obtain an NTLMv1 hash from a victim's computer is a challenging attack vector. Adam Crosser and Derya Yavuz have written this article, which dives deep into the NTLM specification and its messages using the NTLMParse utility.
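
The following is an added example (not the NTLMParse tool from the article) showing the two message-level facts the downgrade hinges on: the CHALLENGE flag an attacker-controlled server clears, and the length of the NtChallengeResponse in the resulting AUTHENTICATE message, which is how you tell an NTLMv1 response (24 bytes) from NTLMv2 (longer) when reviewing a capture. Field offsets follow MS-NLMP; the usernames and response bytes are placeholders, not real DES or HMAC-MD5 output.

```python
"""Parse NTLM CHALLENGE/AUTHENTICATE messages and tell NTLMv1 from NTLMv2 (added example)."""
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_NTLM = 0x00000200
NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000  # MS-NLMP NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY


def _msg_type(msg):
    if msg[:8] != SIGNATURE:
        raise ValueError("missing NTLMSSP signature")
    return struct.unpack_from("<I", msg, 8)[0]


def _field(msg, off):
    """Len / MaxLen / BufferOffset descriptor at `off` -> the payload bytes it points at."""
    length, _maxlen, boff = struct.unpack_from("<HHI", msg, off)
    return msg[boff:boff + length]


def build_challenge(flags, server_challenge):
    """Constructed CHALLENGE (type 2): signature, type, empty TargetName, flags, 8-byte
    ServerChallenge, Reserved, empty TargetInfo, Version: a 56-byte header with no payload."""
    return (SIGNATURE + struct.pack("<I", 2) + struct.pack("<HHI", 0, 0, 56)
            + struct.pack("<I", flags) + server_challenge + bytes(8)
            + struct.pack("<HHI", 0, 0, 56) + bytes(8))


def challenge_flags(msg):
    if _msg_type(msg) != 2:
        raise ValueError("not a CHALLENGE message")
    return struct.unpack_from("<I", msg, 20)[0]   # NegotiateFlags follow the TargetNameFields


def downgrade_challenge(msg):
    """What a rogue server does: clear Extended Session Security in the CHALLENGE so a
    permissive client (LmCompatibilityLevel below 3) answers with a plain NTLMv1 response."""
    flags = challenge_flags(msg) & ~NEGOTIATE_EXTENDED_SESSIONSECURITY
    return msg[:20] + struct.pack("<I", flags) + msg[24:]


def build_authenticate(user, lm_resp, nt_resp, flags):
    """Constructed AUTHENTICATE (type 3): 88-byte header (six field descriptors in the order
    Lm, Nt, Domain, User, Workstation, SessionKey; then flags, Version, MIC) plus payload."""
    blobs = (lm_resp, nt_resp, b"", user.encode("utf-16-le"), b"", b"")
    header = SIGNATURE + struct.pack("<I", 3)
    payload = b""
    for blob in blobs:
        header += struct.pack("<HHI", len(blob), len(blob), 88 + len(payload))
        payload += blob
    header += struct.pack("<I", flags) + bytes(8) + bytes(16)
    return header + payload


def classify_authenticate(msg):
    """NTLMv2 responses are longer than 24 bytes. A 24-byte NtChallengeResponse is NTLMv1:
    plain, or the NTLM2-session (ESS) variant whose LM field is an 8-byte nonce + 16 zeros."""
    if _msg_type(msg) != 3:
        raise ValueError("not an AUTHENTICATE message")
    lm, nt = _field(msg, 12), _field(msg, 20)
    user = _field(msg, 36).decode("utf-16-le")
    flags = struct.unpack_from("<I", msg, 60)[0]
    ess = bool(flags & NEGOTIATE_EXTENDED_SESSIONSECURITY)
    if len(nt) > 24:
        kind = "NTLMv2"
    elif ess and len(lm) == 24 and lm[8:] == bytes(16):
        kind = "NTLMv1-ESS"
    else:
        kind = "NTLMv1"
    return {"user": user, "kind": kind, "nt_len": len(nt), "ess": ess}


# Constructed samples; response bytes are placeholders, not real cryptographic output.
BASE_FLAGS = NEGOTIATE_UNICODE | NEGOTIATE_NTLM | NEGOTIATE_EXTENDED_SESSIONSECURITY
V2_AUTH = build_authenticate("alice", bytes(24), b"\x11" * 16 + b"\x01\x01" + bytes(26) + b"\x22" * 8, BASE_FLAGS)
V1_AUTH = build_authenticate("bob", b"\x33" * 24, b"\x44" * 24, BASE_FLAGS & ~NEGOTIATE_EXTENDED_SESSIONSECURITY)
ESS_AUTH = build_authenticate("carol", b"\x55" * 8 + bytes(16), b"\x66" * 24, BASE_FLAGS)

if __name__ == "__main__":
    chal = build_challenge(BASE_FLAGS, b"\x01" * 8)
    print("original flags  :", hex(challenge_flags(chal)))
    print("downgraded flags:", hex(challenge_flags(downgrade_challenge(chal))))
    for m in (V2_AUTH, V1_AUTH, ESS_AUTH):
        print(classify_authenticate(m))
```

Clearing the flag only helps the attacker against clients whose LmCompatibilityLevel still permits NTLMv1 (below 3); at level 3 and above the client sends NTLMv2 regardless of what the CHALLENGE advertises, so an NTLMv1 classification in a capture is as much a policy finding as an attack indicator.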

Snakes on a Domain: An Analysis of a Python Malware Loader #incident-response

Huntress recently investigated a suspicious link file persisting in a user's startup folder. After some initial investigation, they found the link was executing a malicious Python script used to inject a remote access trojan (RAT) onto the system. Along the journey, the Huntress team found a total of six consecutive payloads and some new offensive tooling with no detections on VirusTotal.

Visual representation of the malware encountered

The Strengths and Weaknesses of a Technique-centric Purple Teaming Approach #purple-team

Purple team exercises are an increasingly popular offensive testing activity for vendors and internal teams to perform. Done well, they bring together the knowledge of threat actor tradecraft from the 'red' side of the house with the defensive focus of the 'blue' side, to assess, develop and maintain defensive capability. In this article Alfie Champion compares an atomic, technique-centric approach with the traditional scenario-based purple team: instead of emulating an end-to-end attack chain, each tactic is taken in turn and a list of the techniques deemed most important to test is generated for it.

So You Wanna Pwn The Kernel? #research

Sam (@sam4k) has written up in this article his insights and recommendations on getting into Linux kernel vulnerability research and exploit development. A very detailed and thorough guide.

SudoRare Incident Analysis #smart-contracts

SudoRare, a self-proclaimed NFT AMM, committed an exit scam within 24 hours of deploying its smart contract, resulting in the loss of $852k. The developer of SudoRare deployed an upgrade to the project's smart contract that implemented a 'backdoor' allowing the funds to be drained. The stolen funds were sent to three EOAs, from which the scammer will likely look to launder the assets.

Funds transferred to 3 EOAs

Blind Exploits to Rule WatchGuard Firewalls #exploiting

Early this year, WatchGuard firewalls came under attack multiple times, most notably by the Russian APT Sandworm and its malware, Cyclops Blink. Over the course of four months, the company released three firmware updates, patching numerous critical vulnerabilities.

Charles Fol was about to start a red team engagement when he decided to start looking for bugs on WatchGuard firewalls. A race against the clock had just started!

After some time, Charles discovered 5 vulnerabilities (2 of them patched along the way) and built 8 different exploits, obtaining an unpatched pre-authentication remote root 0-day on every WatchGuard Firebox/XTM appliance. This article is the result of his journey.

Vulnerability in TikTok Android app could lead to one-click account hijacking #mobile

Microsoft discovered a high-severity vulnerability in the TikTok Android application, which could have allowed attackers to compromise users' accounts with a single click. Attackers could have leveraged the vulnerability to hijack an account without users' awareness if a targeted user simply clicked a specially crafted link. Attackers could have then accessed and modified users' TikTok profiles and sensitive information, such as by publicizing private videos, sending messages, and uploading videos on behalf of users.

SATisfying Our Way Into Remote Code Execution in the OPC UA Industrial Stack #exploiting

The JFrog Security team recently participated in the Pwn2Own Miami 2022 hacking contest, which focuses on Industrial Control System (ICS) security. Apart from the vulnerabilities they disclosed as part of the Pwn2Own competition, they managed to identify eight additional security vulnerabilities affecting the Unified Automation C++ Based OPC UA Server SDK.

This article details two of the disclosed vulnerabilities (Information leakage and Heap Overflow) which could be chained by an attacker to achieve remote code execution on UA's C++ OPC demo server.

Exploiting Improper Validation of Amazon Simple Notification Service SigningCertUrl #cloud-security

This article contains the details of the lightning talk given by Eugene Lim (@spaceracoon) at DEF CON 30 Cloud Village.

Countless applications rely on Amazon Web Services’ Simple Notification Service for application-to-application communication such as webhooks and callbacks. To verify the authenticity of these messages, these projects use certificate-based signature validation based on the SigningCertURL value. Unfortunately, a loophole in official AWS SDKs allowed attackers to forge messages to all SNS HTTP subscribers.

A typical SNS use case, a2a fanout pattern
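
As an added example (not Eugene Lim's code or any AWS SDK's), here is a strict SigningCertURL check next to an illustrative weak one, plus the canonical string-to-sign an SNS subscriber must rebuild before checking the signature. The weak check is a constructed strawman standing in for any validation that does not anchor scheme and host; the URLs, the message fields and the injected fetch/verify callbacks are constructed so the example runs offline, and the real RSA verification is left to whichever crypto library you already use.

```python
"""Validate SigningCertURL and rebuild the SNS string-to-sign before trusting a message (added example)."""
import re
from urllib.parse import urlparse

# Only SNS's own certificate endpoint may supply the signing certificate.
_SNS_CERT_HOST = re.compile(r"^sns\.[a-z0-9-]+\.amazonaws\.com(\.cn)?$")


def weak_cert_url_check(url):
    """Illustrative weak check (constructed, not any specific SDK's code): anything that
    mentions amazonaws.com passes, so an attacker can host their own certificate anywhere."""
    return "amazonaws.com" in url


def strict_cert_url_check(url):
    """https only, hostname exactly sns.<region>.amazonaws.com[.cn], a .pem path,
    and no userinfo, port, query or fragment that could redirect the fetch."""
    u = urlparse(url)
    return (u.scheme == "https"
            and u.username is None
            and u.port is None
            and bool(_SNS_CERT_HOST.match(u.hostname or ""))
            and u.path.endswith(".pem")
            and not u.query and not u.fragment)


def string_to_sign(msg):
    """Canonical string per the SNS signature docs: 'Key\\nValue\\n' per field, in this order."""
    if msg["Type"] == "Notification":
        keys = ["Message", "MessageId", "Subject", "Timestamp", "TopicArn", "Type"]
    elif msg["Type"] in ("SubscriptionConfirmation", "UnsubscribeConfirmation"):
        keys = ["Message", "MessageId", "SubscribeURL", "Timestamp", "Token", "TopicArn", "Type"]
    else:
        raise ValueError(f"unknown SNS message type {msg['Type']!r}")
    return "".join(f"{k}\n{msg[k]}\n" for k in keys if k in msg)   # Subject is optional


def authenticate(msg, fetch_pem, verify_signature):
    """Order matters: reject the URL before fetching anything. fetch_pem(url) -> PEM text and
    verify_signature(pem, data, signature_b64, version) -> bool are injected callbacks."""
    url = msg.get("SigningCertURL", "")
    if not strict_cert_url_check(url):
        return False, "SigningCertURL rejected"
    version = msg.get("SignatureVersion")
    if version not in ("1", "2"):          # 1 = SHA1withRSA, 2 = SHA256withRSA
        return False, "unsupported SignatureVersion"
    pem = fetch_pem(url)
    if verify_signature(pem, string_to_sign(msg), msg["Signature"], version):
        return True, "ok"
    return False, "bad signature"


# Constructed inputs (placeholder certificate name, account id and signature).
GOOD_URL = "https://sns.us-east-1.amazonaws.com/SimpleNotificationService-example.pem"
ATTACKER_URLS = [
    "https://evil.example/sns.us-east-1.amazonaws.com.pem",      # substring only
    "https://sns.us-east-1.amazonaws.com.evil.example/c.pem",    # suffix spoof
    "https://sns.us-east-1.amazonaws.com@evil.example/c.pem",    # userinfo trick
    "http://sns.us-east-1.amazonaws.com/c.pem",                  # plaintext fetch
    "https://sns.us-east-1.amazonaws.com/?x=c.pem",              # not a .pem path
]
SAMPLE_NOTIFICATION = {
    "Type": "Notification", "MessageId": "m-1",
    "TopicArn": "arn:aws:sns:us-east-1:123456789012:orders",
    "Message": "hello", "Timestamp": "2022-09-05T07:00:00.000Z",
    "SignatureVersion": "1", "Signature": "c2ln", "SigningCertURL": GOOD_URL,
}

if __name__ == "__main__":
    for u in [GOOD_URL] + ATTACKER_URLS:
        print(f"weak={weak_cert_url_check(u)!s:5} strict={strict_cert_url_check(u)!s:5} {u}")
    print(repr(string_to_sign(SAMPLE_NOTIFICATION)))
```

Even with a correct URL check, pin the list of SNS hosts you expect (your own regions) and reject SubscriptionConfirmation messages for topics you never subscribed to; the signature only proves the message came from SNS, not that it came from your topic.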

Analysis of a Go Web Assembly Vulnerability (CVE-2021-38297) #exploiting

Although this Go vulnerability was initially discovered in October 2021, the JFrog Security Research team observed many new Docker containers still vulnerable to it. This article elaborates on the prerequisites for exploiting the vulnerability, which allows an attacker to override an entire WASM (WebAssembly) module with their own malicious code and achieve WASM code execution, and explores mitigation strategies for developers who cannot upgrade their Go instance(s) to a recent version with the fix.

🙏 Support us

Enjoy reading the Security Pills newsletter? Consider sponsoring our next edition or buying me a coffee. You can also share us with your friends and follow us on Twitter.

🎥 Videos

⌨️ Repositories

  • evilsocket/jscyte — A tool that abuses the node.js inspector mechanism to force any node.js/electron/v8 based process to execute arbitrary javascript code, even if their debugging capabilities are disabled.

  • halborn/Ziion — Open-source, end-to-end, pre-compiled, multi-architecture, multi-protocol blockchain security testing and development solution.

  • ainfosec/FISSURE — Open-source RF and reverse engineering framework designed for all skill levels with hooks for signal detection and classification, protocol discovery, attack execution, etc.

  • h4wkst3r/SCMKit — Source Code Management Attack Toolkit that can be used to attack SCM systems. Currently supports GitHub Enterprise, GitLab Enterprise and Bitbucket Server.

💡 Security Tips

  • @xrexinc — On common web3 hacks and scams and how to prevent them.

  • @drdr_zz — On best security practices when starting a web3 project.

  • @ReconOne — On how you can improve API endpoints discovery.

📧 Wrapping up

If you enjoyed this newsletter and think others would too, it would mean a lot to us if you forwarded this email to other people who may enjoy it as well. You can also follow me on Twitter and let me know your feedback or comments, or simply reply to this email; I'd love to get in touch with you.

Thanks,
Sebas @0xroot | @secpillsnews