Security Pills - Issue 2
Do you need a blockchain?, Apple Safari sandbox escape, $76m stolen in scams
Release Date: 4 Jul 2022 | Issue: 2 | Subscribe
The Security Pills newsletter is a hand-curated zine (delivered once per week) that highlights security-related news: 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.
Sponsor 📌 Simple Cloud. Happier devs. Better results. Businesses grow faster when developers can build on the simple, affordable cloud they love. DigitalOcean has the cloud computing services you need, with predictable pricing, robust documentation, and scalability to support your growth at any stage. I personally use DigitalOcean to deploy my axiom infrastructure for reconnaissance. Building and deploying repeatable infrastructure focused on offensive and defensive security has never been easier.
Good morning 👋, thank you for the very good reception we had last week; it was amazing. I hope you have a great week. — Sebas
Your weekly prescription 💊
News: The hacking industry faces the end of an era, Google warns of new spyware targeting iOS and Android users, Crypto hedge fund Three Arrows Capital plunges into liquidation.
Articles: Managing risk in Blockchain deployments, Fake 'mining' scams, Golang code review notes, Bypassing .NET serialization binders, CloudGoat detection_evasion scenario.
Vulnerabilities and Bug Bounties: Pwn2Own 2021 Microsoft Exchange exploit chain, Exploiting intel graphics kernel extensions on macOS, Unrar path traversal vulnerability, Log4Shell vulnerability in VMWare, The chromium super type confusion, A research into vulnerabilities in NFT platforms, XCarnival NFT vulnerability.
Miscellaneous: ifuckinghatejira, Reverse engineering an old Mario & Luigi game for fun
Resources: Ringzer0 Back2Workshops, Decipher Security Podcast, Darknet Diaries #120 Voulnet.
NSO Group, the world's most notorious hacking company, famous for its Pegasus spyware, could soon cease to exist. Although the deal is far from certain, if it goes through it is likely to involve the dismantling of NSO Group and the end of an era. The company and its technology will be folded into a unit within L3Harris, even though L3Harris already has its own offensive cyber division, known as Trenchant.
How long will it take for rivals to rush in and take NSO Group's place? The market is bigger and more visible than ever before, encompassing hundreds of companies selling surveillance tech globally.
At this point you have probably heard of NSO Group and its (in)famous Pegasus surveillance malware. However, the surveillance-for-hire industry goes far beyond one company. Last Thursday, Google's Threat Analysis Group (TAG) and the Project Zero team published findings about new iOS spyware, attributed to RCS Labs, that was used to target people in Italy, Kazakhstan and Syria.
Google has published a technical report describing the details of both campaigns, Android and iOS.
Three Arrows Capital, a cryptocurrency-focused hedge fund, has plunged into liquidation, deepening the crisis engulfing the global digital assets sector.
Over the past few months we have seen exponential growth in the number of businesses that consider the advantages of blockchains and decide to adopt them. These decisions require a solid understanding of the risks associated with operating a blockchain service, managing wallets and encryption keys, or relying on external API providers, and a plan to mitigate them.
Trail of Bits has released a report that aims to give decision-makers the context necessary to assess these risks and plan their mitigation. The report helps the reader determine whether a blockchain is an appropriate technical solution for a given problem.
Fig. 1 — Should you use a blockchain?
Fake ‘Mining’ Scams: a Familiar Foe in a New Disguise #scam #blockchain
One of the recent investigations by MetaMask involved a scam that used the promise of "mining" rewards to lure customers into depositing tokens on the platform. At first, the scammers would show users considerable growth through these rewards, but this was just a ruse: the balance displayed was false, and the scammers had been draining the user's wallet while deceiving them into believing that their balance was actually growing.
Fig. 2 — Nearly $76 million was stolen
The article explains how the scam works. It is essentially a common unlimited token approval attack vector: the dapp attracts the user's attention through the promise of a very high APY, and as soon as it has access to the wallet's funds, it calls the transferFrom function, pulling the tokens straight out into another wallet.
Subsequently, users receive additional requests to transfer more of the token into their wallet to keep on earning the high APY. As soon as the tokens are added, they are removed from the user's wallet. All the while, the balance shown on the platform is increased to reflect the transfer and maintain the scam.
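As an added example (not code from the MetaMask article), the following Python model of ERC-20 approve/transferFrom semantics shows why an unlimited approval lets the scam contract drain both the initial deposit and every later top-up, while a bounded approval or a timely revoke caps the loss. The token ledger, the `dapp` spender and the wallet names are constructed sample values.

```python
# Added example: toy ERC-20 ledger modelling approve()/transferFrom() and the
# "unlimited approval" drain described above. All names/values are constructed.

UINT256_MAX = 2**256 - 1  # the "unlimited" approval amount many dapps request


class Token:
    """Minimal ERC-20 state: balances plus an allowance[(owner, spender)] map."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowance = {}

    def approve(self, owner, spender, amount):
        # approve(): owner lets spender move up to `amount` of owner's tokens.
        self.allowance[(owner, spender)] = amount

    def transfer_from(self, caller, owner, to, amount):
        # transferFrom(): caller spends from owner's allowance, not its own balance.
        allowed = self.allowance.get((owner, caller), 0)
        if amount > allowed:
            raise PermissionError("insufficient allowance")
        if amount > self.balances.get(owner, 0):
            raise ValueError("insufficient balance")
        if allowed != UINT256_MAX:  # common ERC-20 impls never decrement "unlimited"
            self.allowance[(owner, caller)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def drain(token, dapp, victim, attacker_wallet):
    """What the scam contract does: pull as much as the allowance permits."""
    allowed = token.allowance.get((victim, dapp), 0)
    amount = min(allowed, token.balances.get(victim, 0))
    if amount:
        token.transfer_from(dapp, victim, attacker_wallet, amount)
    return amount


def scenario(approval_amount, revoke_before_second_deposit):
    """Victim approves, gets drained, tops up 500 more, gets drained again."""
    token = Token({"victim": 1_000, "attacker": 0})
    token.approve("victim", "dapp", approval_amount)
    stolen = drain(token, "dapp", "victim", "attacker")
    token.balances["victim"] += 500  # the "deposit more to keep earning" step
    if revoke_before_second_deposit:
        token.approve("victim", "dapp", 0)  # revoking = approving zero
    stolen += drain(token, "dapp", "victim", "attacker")
    return stolen
```

Run `scenario(UINT256_MAX, False)` to see the full 1,500 drained, versus `scenario(100, False)` where the bounded approval limits the loss to 100.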
MetaMask’s parent company, ConsenSys, reported in April 2021 that the wallet service had more than 5 million monthly active users. It stands to reason that MetaMask would be a prime target for fraudulent activity.
The article focuses primarily on the technological landscape of counterfeit wallets. There is no established industrial supply chain in place. Remember to double-check the URL before trying to download an application or log in to a service.
Golang Code Review Notes #programming #go
Go has become a language of many faces: its support for many architectures makes it ideal for embedded and IoT projects, while the simplicity of goroutines makes it ideal for web-based projects. As it gains traction and popularity, it is important to highlight some code constructs for security engineers to look out for.
Rather than going through each Go security bug category, the article highlights a couple of patterns that tend to be high impact, obscure, too common, relatively unknown, just interesting, or any combination of these.
Bypassing .NET Serialization Binders #dotnet #serialization
Serialization binders are often used to validate the types specified in serialized data, to prevent the runtime serializers from deserializing dangerous types that can have malicious side effects. This blog post looks into cases where this validation can fail and consequently be bypassed, using two real-world vulnerabilities, in the DevExpress framework (CVE-2022-28684) and in Microsoft Exchange (CVE-2022-23277), both of which allowed remote code execution.
CloudGoat detection_evasion Scenario: Avoiding AWS Security Detection and Response #aws #cloud
CloudGoat is Rhino Security Labs' tool for deploying a 'vulnerable by design' AWS infrastructure. They have introduced a new detection_evasion scenario, where you attempt to move through an AWS environment, capturing flags at different points, all without being detected by automated systems.
Fig. 3 — Detection evasion scenario overview
In the past, CloudGoat has focused exclusively on exploiting misconfigured resources. While it is important to learn these techniques, it is also vital to understand what security mechanisms a blue team may have deployed into a cloud environment. This new scenario is the perfect way to recreate an educational playground to test your evasion skills.
Vulnerabilities and Bug Bounties
Pwn2Own 2021 Microsoft Exchange Exploit Chain | Slides
Researchers from Viettel Cyber Security have published a technical walkthrough of the three vulnerabilities found in Microsoft Exchange during the Pwn2Own contest, which led to remote code execution. What most surprises me is that no authentication was required to execute this attack. That's insane!
Jack Dates from RET2 Systems found an integer overflow in Safari and an OOB write to get kernel-level code execution and win USD $100,000 at Pwn2Own 2021.
Get comfy and enjoy a heck of a write-up. The work done on this one is really impressive.
Zimbra recently became the target of a 0-day attack campaign, likely conducted by a state actor, which targeted European government and media instances. In this blog post, Sonar presents how their research team approached Zimbra by taking on the perspective of an APT group. As a result, they discovered a 0-day vulnerability in the unrar utility, which ultimately allows a remote attacker to execute arbitrary code on a vulnerable Zimbra instance without requiring any prior authentication or knowledge about it.
Researchers at Trend Micro recently analyzed cases of Log4Shell being exploited in certain versions of VMware Horizon. The investigation revealed that many of these attacks resulted in data being exfiltrated from the infected systems, and that some of the victims were also infected with ransomware.
An investigation also conducted by Sentinel Labs revealed that attackers could sideload DLLs through a command-line utility in VMware.
Beosin has published a series of two articles explaining the vulnerabilities affecting NFT platforms. The first part (A Research Into NFT Whitelist Bypass Vulnerability) provides two real examples, where a flash loan and a problem with the allow-list checks allowed someone to get 60,000 APE Coin airdrops and caused the NBAxNFT project pre-sale to sell out prematurely.
The second part dives deep into security issues affecting NFT platforms, and uses as an example the TreasureDAO incident, which resulted in the theft of 100+ NFT tokens.
XCarnival NFT lending protocol vulnerability analysis
A few days ago, hackers exploited a critical flaw in the XCarnival project and made off with 3,087 ETH (about $3.1 million). The security team at SlowMist performed research uncovering the security vulnerability exploited by the attackers.
Reverse engineering an old Mario & Luigi game for fun
Interesting article explaining the steps followed to reverse engineer a Mario & Luigi MS-DOS video game written in Pascal.
🙏 Support us
How to Audit a Smart Contract — 101 of smart contracts, and basic tooling for doing an audit.
Ringzer0 Back2Workshops — Ringzer0 provides advanced, hands-on training designed for cybersecurity professionals. Their instructors are top industry experts with deep knowledge of a range of core issues, including vulnerability research, exploitation, malware writing, red teaming and practical attacks. Check out their new workshops, recently published:
Hands-on Binary Deobfuscation - From Symbolic Execution to Program Synthesis — Arnau Gàmez i Montolio provides in this workshop a gentle introduction to the state-of-the-art approaches for modern binary de-obfuscation.
Security Automation for Electron Apps — Luca Carettoni provides a workshop focused on how to detect misconfigurations and vulnerabilities in ElectronJS-based applications using Electronegativity (a de-facto standard tool for identifying security anti-patterns in desktop apps built with web technologies).
fuzzuli — Fuzzuli is a URL fuzzing tool that aims to find critical backup files by creating a dynamic wordlist based on the domain.
RanSim — RanSim is a ransomware simulation script written in PowerShell. It recursively encrypts files in the target directory using 256-bit AES encryption. You can use RanSim to test your defenses and backups against real ransomware-like activity in a controlled setting.
waymore — The idea behind waymore is to find even more links from the Wayback Machine than other existing tools. The biggest difference between waymore and other tools is that it can also download the archived responses for URLs on the Wayback Machine, so that you can then search these for even more information.
Chainwalker — ChainWalker is a smart contract scraper which uses RPC/IPC calls to extract the information. It is a small tool that can help us find contracts, extract the EVM code, and disassemble the opcodes. It allows us to select specific blocks or even specific contract balances.
Decipher Security Podcast: John Hultquist — John Hultquist, VP of Mandiant Intelligence, talks about new Mandiant research that exposes a Chinese information operation campaign targeting U.S., Canadian and Australian rare earths mining companies, including a processing facility in Texas, and how these types of information operations can be detrimental to private companies.
Ringzer0 Hands-on Workshops — There is still time to attend three free workshops this week!
A journey into malicious code tradecraft for Windows (5 Jul) — Instructors will go through the evolution of implants from an attacker's perspective, showing real examples to highlight what makes defenders' lives harder; use of a virtual machine is recommended.
Hands-on reversing with Ghidra (6 Jul) — A short hands-on workshop that will cover the major features of Ghidra, its strengths and weaknesses, and how it compares to similar tools.
Debugging with Emux (7 Jul) — A tour of the EMUX IoT Firmware Emulation Framework and how to debug an ARM and a MIPS IoT target.
📧 Wrapping up
If you enjoyed this newsletter and think others would too, it would mean a lot to us if you forwarded this email to other people who may enjoy it as well. You can also follow me on Twitter and let me know your feedback or comments, or simply reply to this email; I'd love to get in touch with you.