Security Pills - Issue 12
How Bridges Compare, Fork Bomb for Flutter, Hacking Helium Crypto Miner
Release Date: 12 September 2022 | Issue: 12 | Subscribe
The Security Pills newsletter is a hand curated zine (delivered once per week) that highlights security related-news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.
Sponsor
Would you like to become a sponsor for our newsletter? Our mission is to highlight security-related news with a focus on appsec, mobile and smart contracts while we help people stay up to date with this corner of the industry. If you are interested, reach out to [email protected] with your ad idea to get started!
Hey there 👋, hope you all had a great weekend!
Today marks 3 months since we started this newsletter. Time flies!
Just another busy week over here... Scammers are creating new schemes and techniques to fool users with malware and phishing sites. There is an in-depth analysis from the Coinbase Threat Intelligence team on the Celer Network BGP hijacking attack, which caused almost $235,000 in funds to be stolen. The famous portable multi-tool Flipper Zero had a buffer overflow exploited in its NFC file loader, and someone discovered remote code execution on the Helium crypto miner. This and much more in this week's newsletter!
Articles: Bypass Credential Exfiltration Detection, How Scammers are Stealing Your Crypto with RedLine Malware, Vulnerability Management in Go, Immunefi's Guide to Crypto Phishing Attacks, Celer Bridge Incident Analysis, Security Stack-Up: How Bridges Compare, Hacken Research: Enterprise Adoption of Blockchain Technology, Ryuk Ransomware: History, Timeline, and Adversary Simulation, Sensitive Command Token: So Much Offense in my Defense, How to Turn Security Research Into Profit: A CL.0 Case Study, Reviewing macOS Unified Logs.
Vulnerabilities & Bug Bounties: A Dangerous Way To Fix Integer Overflow in Solidity, Shiba Inu Cloud Credentials Leaked in a Major Security Breach, Using Hackability to Uncover a Chrome Infoleak, Fork Bomb for Flutter, Exploiting Flipper Zero's NFC File Loader, Hacking My Helium Crypto Miner, WordPress Core: Unauthenticated Blind SSRF, Exploiting Laravel Based Applications with Leaked APP_KEYs and Queues, Avalanche Remote Network Crash.
Repositories: solidity-audit-template, wappalyzergo, dontgo403, subdomain-brute
Podcasts: Darknet Diaries Ep. 123: NewsWires, Malicious Life: Leo Kuvayev - The Czar of Spammers
Tags used in this issue: #appsec, #cloud-security, #exploiting, #incident-response, #mobile, #smart-contracts, #vulnerability-management
Bypass Credential Exfiltration Detection #cloud-security
A common technique when exploiting AWS environments is leveraging SSRF, XXE, command injection, etc. to steal IAM credentials from the metadata service of an EC2 instance. However, this can trigger an alert, as GuardDuty can detect when IAM credentials are being used outside an EC2 instance. This article details how an attacker can use their own EC2 instance while routing traffic through VPC endpoints to bypass this GuardDuty detection, which is worth knowing when you rely on that alert as a control.
How Scammers Are Stealing Your Crypto with RedLine Malware #smart-contracts
Scammers have been soliciting their victims to participate in beta testing and to promote crypto projects. By tricking victims into downloading an executable, the scammers scanned the victim's computer for files containing keywords such as 'wallet' and sent those files back to their own servers so they could steal the user's funds. This article is an analysis by the SlowMist security team of how the scammers were attacking their victims.
Vulnerability Management for Go #vulnerability-management
Go provides tooling to analyze your codebase and surface known vulnerabilities. This tooling is backed by the Go vulnerability database, which is curated by the Go security team. This article provides an overview of what's available today and the next steps for this project.
[Image: Current workflow for vulnerability management]
Immunefi's Guide to Crypto Phishing Attacks #smart-contracts
When it comes to crypto hacks and heists, 90% of all cyberattacks begin with a phishing email, according to recent research from Trend Micro. In this article, Immunefi reviews some of the most sophisticated phishing attack trends, sharing insights from Russian forums where these attacks are being offered.
Celer Bridge Incident Analysis #smart-contracts
In this article, Coinbase shares critical lessons about the nature of the Celer Bridge compromise, the attacker's on-chain and off-chain techniques and tactics during the incident, as well as security tips for similar projects and their users.
Security Stack-Up: How Bridges Compare #smart-contracts
Crypto bridge protocols are used to connect chains that otherwise have no means of communicating and syncing on state. In terms of security risk, bridges are a big target. A single bug can lead to the loss of most or all of the bridge's funds, and without a focus on security it is inevitable that more oversights, and therefore exploits and losses, will occur.
This article discusses and compares bridge security along three axes: Trust Assumptions, Code Quality and Safety Features. The first two relate to how well a bridge factors out sources of vulnerability in its trust layer and its source code. The last corresponds to whether a protocol acknowledges that it can and inevitably will have vulnerabilities, no matter how careful it is, and builds in additional safeguards to minimize the potential for user harm.
[Image: Code quality assurance for the most popular bridge protocols]
Hacken Research: Enterprise Adoption of Blockchain Technology #smart-contracts
Web3 ecosystems are designed to replace centralized infrastructure and allow every user to maintain complete control over their data, irrespective of whether they are interacting with an application or another user.
The use of blockchain solutions is not limited to web3 platforms. A decentralized, secure, transparent and immutable blockchain combined with smart contract capabilities enables the automation of various operations while maintaining data integrity throughout the process. This article presents research conducted by Hacken on how companies adopt blockchain, and identifies use cases for cybersecurity.
[Image: Public companies that use blockchain technology, by industry]
Ryuk Ransomware: History, Timeline, And Adversary Simulation #incident-response
This article details the complete attack flow of the Ryuk ransomware group, allowing security practitioners to test their security posture against the full range of techniques and procedures that Ryuk used.
[Image: Ryuk actions mapped to MITRE ATT&CK]
Sensitive Command Token - So Much Offense in my Defense #incident-response
The team at Thinkst wanted to see if they could figure out a way to generate an alert on their console when a suspicious command was executed on a compromised system, without interfering with the original command's execution, so that companies can detect a breach before the attackers dig in. This article explains their Sensitive Command CanaryToken solution.
[Image: CanaryToken triggered for whoami.exe]
How to Turn Security Research Into Profit: A CL.0 Case Study #appsec
James Kettle, director of research at PortSwigger, takes a concise look at the most effective strategies for avoiding duplicate findings, or finding no vulnerable systems at all, when researching a promising hacking technique or security vulnerability. Using the CL.0 desync attack class recently explored in the Browser-Powered Desync Attacks article, James provides thorough advice on how to turn a piece of research into profit.
Reviewing macOS Unified Logs #incident-response
Apple has introduced a key change to how logging is done on their systems. This new logging system, macOS Unified Logs, replaced the common Unix logs. These logs can provide forensic investigators with a valuable artifact to aid in investigating macOS systems or other Apple devices. This article provides an overview of the Unified Logs and the challenges presented in using them during an investigation.
A Dangerous Way to Fix Integer Overflow in Solidity #smart-contracts
dApp is a defensive programming challenge in Solidity where each level is inspired by real-life security incidents. Users are tasked with fixing vulnerable smart contracts. However, Pedram discovered that a considerable number of submissions for the 'dApp Start Here' level were still vulnerable, as users had swapped an int32 variable for uint. This does not fix the problem: uint is an alias for uint256, which also has a fixed range, so the contract could still suffer an integer overflow.
Shiba Inu Cloud Credentials Leaked in a Major Security Breach #smart-contracts
PingSafe's research framework discovered a leaked Shiba Inu AWS account credential in a public code repository. The credentials, exposed for a couple of days, provided access to part of Shiba's cloud infrastructure.
Fork Bomb for Flutter #mobile
Flutter is an open-source SDK from Google for developing cross-platform applications. Philip Nikiforov from PT Swarm has conducted extensive research on how to reverse engineer Flutter applications, analyzed patches for the DartVM, and developed a tool to assist researchers in their analysis of mobile applications built with Flutter.
Exploiting Flipper Zero's NFC File Loader #exploiting
Flipper Zero is a self-described portable multi-tool for pentesters and geeks in a toy-like body. The device comes with several built-in applications to transmit and receive sub-1GHz frequencies, such as RFID, NFC, and Bluetooth.
This post demonstrates a buffer overflow in Flipper Zero's NFC file loader.
[Image: Buffer overflow crashing the Flipper]
Hacking My Helium Crypto Miner #smart-contracts
Helium is a cryptocurrency project based on a wireless network built by people all around the world. Those who help expand the network by adding a hotspot receive the Helium cryptocurrency coin. The author of this article (Wesley Neelen) decided to order one of the Helium miners and hack it, achieving remote code execution.
WordPress Core - Unauthenticated Blind SSRF #appsec
WordPress is probably the world's most popular content management system. This adoption makes it a top target for threat actors and security researchers, but also for vulnerability brokers, who sometimes offer up to $300,000 for critical security vulnerabilities.
This has forced WordPress to perform exhaustive source code reviews of their code base. However, researchers from Sonar have found a surprisingly simple vulnerability in WordPress's implementation of pingbacks. While the impact associated with this issue is low, the related vulnerable code pattern is interesting to document.
[Image: Steps to successfully exploit the vulnerability]
Exploiting Laravel Based Applications with Leaked APP_KEYs and Queues #appsec
Laravel is a widespread open-source PHP web framework. This framework uses an environment file which contains numerous sensitive Laravel configuration settings, including the application's APP_KEY. This parameter is used for multiple security-related tasks, and in the past, knowing this value was a reliable way to gain remote code execution through the creation of a malicious XSRF token. Since Laravel 5.6.30 this is no longer possible, as cookie serialization has been disabled by default; however, Timo Müller explores in this article some alternative attack vectors that attackers might be able to exploit with a leaked environment file.
Avalanche Remote Network Crash #smart-contracts
A remote Denial of Service vector affecting the Avalanche network, due to improper deserialization of an X.509 certificate. The issue, already fixed, could have taken down the entire Avalanche network. Now that the embargo has ended, Péter Szilágyi has published the technical details.
🙏 Support us
The Dark Forest EP0: $1B Multichain Vulnerability & PoC Explained — On January 10th, 2022, a critical vulnerability was found in Multichain (formerly known as Anyswap). The bug was promptly disclosed by the Dedaub team, preventing what could have been the largest malicious hack in history.
Price Manipulation Attacks From First Principles — Chainlink Hackathon presentation by Tincho, Ethereum security researcher and former lead security auditor at OpenZeppelin, about price manipulation and oracle attacks.
Browser Exploitation Introduction – This stream includes retired content from the SANS SEC760 "Exploit Dev" course. It will focus on Use After Free exploitation of an outdated Internet Explorer version.
Nahamsec - Smart Contract Series Ep2. Launching Your First Smart Contract, Token and NFT – Nahamsec continues his series on smart contracts, this time covering how to write and deploy your own smart contract in Solidity, creating an ERC-20 token, and some vulnerabilities along the way.
MarioPoneder/solidity-audit-template — Setup for writing Solidity smart contracts as well as auditing/testing external contracts.
projectdiscovery/wappalyzergo — A high performance go implementation of Wappalyzer Technology Detection Library.
devploit/dontgo403 — A tool to bypass 40X errors.
hazemeldoc/subdomain-brute — A fast multithreaded tool for active subdomain enumeration that does not ignore NODATA responses returned by DNS servers but re-tests them.
Darknet Diaries Ep. 123: NewsWires — Investing in the stock market can be very profitable. Especially if you can see into the future. This is a story of how a group of traders and hackers got together to figure out a way to see into the future and make a lot of money from that.
Malicious Life: Leo Kuvayev - The Czar of Spammers — Cyber criminals aren't "good" people, but in most cases they do have their own personal boundaries. Every once in a while, you encounter a criminal who's different: someone who seems to have no limits at all, a ruthless person for whom the goal truly justifies the means. Leo Kuvayev is that kind of person, and that made him so successful as a cyber-criminal. But even a genius criminal can go just one step too far.
📧 Wrapping up
If you enjoyed this newsletter and think others would too, it would mean a lot to us if you'd forward this email to other people who may enjoy it as well. You can also follow me on Twitter and let me know your feedback or comments, or simply reply to this email; I'd love to get in touch with you.