Security Pills - Issue 2

Release Date: 4 Jul 2022 | Issue: 2 | Subscribe

The Security Pills newsletter is a hand curated zine (delivered once per week) that highlights security related-news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.

Good morning 👋,Thank you for the very good reception we had last week, it was amazing. I hope you have a great week.— Sebas

Your weekly prescription 💊

News

The hacking industry faces the end of an era

NSO Group, the world’s most notorious hacking company famous for its Pegasus spyware could soon cease to exist. Although the deal is far from certain, if it goes through it’s likely to involve the dismantling of NSO Group and the end of an era. The company and its technology will be folded into a unit within L3 Harris. Although they already have its own offensive cyber division, known as Trenchant.

How long will it take for rivals to rush and take NSO Group place? The market is bigger and more visible than ever before, encompassing hundreds of companies selling surveillance tech globally.

Google Warns of New Spyware Targeting iOS and Android Users

At this point you have probably heard of NSO Group and its (in)famous Pegasus surveillance malware. However, the surveillance-for-hire industry goes far beyond one company. Last Thursday, Google Threat Analysis Group (TAG) and Project Zero team published findings about a new iOS spyware attributed to the RCS Labs used to target people in Italy, Kazakhstan and Syria.

Google has published a technical report describing the details for both campaigns, Android and iOS

Crypto hedge fund Three Arrows Capital plunges into liquidation 

Three Arrows Capital, a cryptocurrency-focused hedge fund, has plunged into liquidation, deepening the crisis engulfing the global digital assets sector.

Articles

Managing Risk in Blockchain Deployments | Report #blockchain

Over the past few months we have seen an exponential growth on businesses that are considering the advantages of blockchains and decide to adopt them. These decisions often require to have a solid understand and mitigate the risks associated with operating a blockchain service, managing wallets and encryption keys, or relying on external APIs providers.

Trail of Bits has released a report that aims to provide decision-makers with the context necessary to assess these risks and plan to mitigate them. Report helps the reader to determine whether a blockchain is an appropriate technical solution for a given problem.

Fig. 1 — Should you use a blockchain?

Fake ‘Mining’ Scams: a Familiar Foe in a New Disguise #scam #blockchain

One of the recent investigations made by MetaMask involved a scam that used the promise of “mining” rewards to lure customers into depositing tokens on the platform. At first, scammers would show the users a considerable growth through these rewards but this was just a ruse, as the balance displayed was false and the scammers had been draining the user’s wallet whilst deceiving them into believing that their balance was actually growing.

Fig. 2 — Near $76 millions were stolen

The article explains how the scam does work, which essentially is a common unlimited token approval attack vector. Where the dapp attracts the user’s attention through the promise of a very high APY. As soon as the dapp has access to the wallet’s funds, it calls the transferFrom function, pulling the tokens straight out into another wallet.

Subsequently, users will receive additional requests to transfer more of the token into their wallet to keep on earning the high APY. As soon as the tokens are added, they are removed from the user’s wallet. All the while, the balance on the platform is increased to reflect the transfer and maintain the scam.

An in-depth look into the infrastructure supporting the ‘fake wallet’ phishing industry #scam #blockchain

MetaMask’s parent company, ConsenSys, reported in April 2021 that the wallet service had more than 5 million monthly active users. It stands to reason that MetaMask would be a prime target for fraudulent activity.

The article focuses primarily on the technological landscape of counterfeit wallets. There is not an established industrial supply chain in place. Remember to double-check the URL before trying to download an application or log-in to a service.

Golang Code Review Notes #programming #go

Go has become a language of many faces, its support for many architectures make it ideal for embedded and IoT projects, while the simplicity of goroutines make it ideal for web-based projects. As it gains traction and popularity, it is important to highlight some code constructs for security engineers to look out for.

Rather than going though each Go security bug category, the article highlight a couple of patterns that either tend to be high impact, obscure, too common, relatively unknown, just interesting or any combination of these.

Bypassing .NET Serialization Binders #dotnet #serialization

Serialization binders are often used to validate types specified in the serialized data to prevent the deserialization of dangerous types that can have malicious side effects with the runtime serializers. This blog post look into cases where this can fail and consequently allow a bypass validation, using two real-world vulnerabilities such as DevExpress framework (CVE-2022-28684) and Microsoft Exchange (CVE-2022-23277), which both allowed remote code execution.

CloudGoat detection_evasion Scenario: Avoiding AWS Security Detection and Response #aws #cloud CloudGoat is Rhino Security Lab’s tool for deploying a ‘vulnerable by design’ AWS infrastructure. They have introduced a new detection_evasion scenario, where you will attempt to move through anAWS environment, capturing flags at different points, all without being detected by automated systems.

Fig. 3 — Detection evasion scenario overview

In the past, CloudGoat have focused exclusively on exploiting misconfigured resources. While it is important to learn these techniques, it is also vital to understand what security mechanisms may have been deployed by a blue team into a cloud environment. This new scenario is the perfect example to recreate an educational playground to test your evasion skills.

Vulnerabilities and Bug Bounties

Pwn2Own 2021 Microsoft Exchange Exploit Chain | SlidesResearchers from Viettel Cyber Security have published a technical walkthrough on the three vulnerabilities found on Microsoft Exchange during the Pwn2Own contest which lead to Remote Code Execution. What most surprises me is that no authentication was required to execute this attack. That’s insane!

Exploiting Intel Graphics Kernel Extensions on macOS: A Pwn2Own 2021 Apple Safari Sandbox Escape 

Jack Dates from RET2 Systems found an integer overflow in Safari and an OOB Write to get kernel-level code execution and win USD$100,000 at Pwn2Own 2021.

Get comfy and enjoy a heck of a write-up. Really impressive the work done on this one.

Unrar Path Traversal Vulnerability affects Zimbra Mail

Zimbra has recently became a target of a 0-day attack campaign, likely conducted by a state actor who targeted European government and media instances. In this blog post, Sonar presents how their research team approached Zimbra by taking on the perspective of an APT group. As result, they discovered a 0-day vulnerability in the unrar utility, which ultimately allows a remote attacker to execute arbitrary code on a vulnerable Zimbra instance without requiring any prior authentication or knowledge about it.

Log4Shell Vulnerability in VMWare Leads to Data Exfiltration and Ransomware

Researchers at Trend Micro recently analyzed cases of Log4Shell being exploited in certain versions of VMware Horizon. The investigation revealed that many of these attacks resulted in data being exfiltrated from the infected systems but also, some of the victims were infected with ransomware.

The investigation, also conducted by Sentinel Labs, revealed that attackers could sideload DLLs through a command line utility in VMware.

The Chromium super (inline cache) type confusion

In this article Man Yue mo exploits CVE-2022-1134, a type confusion in V8, the JavaScript engine of Chrome that he reported in March 2022, as bug 1308360 and was fixed in version 100.0.4896.60. This bug allows remote code execution (RCE) in the renderer sandbox of Chrome by a single visit to a malicious site. The bug exists in the super inline cache (SuperIC) feature, which has a history of exploitable vulnerabilities

A Research Into Vulnerabilities in NFT Platforms 

Beosin has published a series of two articles explaining the vulnerabilities affecting NFT platforms. The first part (A Research Into NFT Whitelist Bypass Vulnerability) provides two real examples, where a flashloan and a problem with the allow list checks permitted someone to get 60,000 APE Coin airdrops and caused the NBAxNFT project pre-sale to sold out prematurely.

This second part deep dive into security issues affecting NFT platforms, and uses as example the TreasureDAO incident which resulted in the theft of 100+ NFT tokens.

XCarnival NFT lending protocol vulnerability analysis Few days ago, hackers exploited a critical flaw in the XCarnival project and made off with 3,087 ETH (about $3.1 million). The security team at SlowMist performed a research uncovering the security vulnerability exploited by the attackers.

Miscellaneous

ifuckinghatejira.com 

Reverse engineering and old Mario & Luigi game for funInteresting article explaining the steps followed to reverse engineer a Mario & Luigi MS-DOS video-game written in Pascal.

Resources

🎥 Videos

1. How to Audit a Smart Contract — 101 of smart contracts, and basic tooling for doing an audit.

2. Ringzer0 Back2Workshops — Ringzer0 provides advanced, hands-on training designed for cybersecurity professionals. Their instructors are top industry experts with a deep knowledge into a range of core issues, including vulnerability research, exploitation, malware writing, red teaming and practical attacks. Check. out their new workshops recently published:

   1. Hands-on Binary Deobfuscation - From Symbolic Execution to Program Synthesis — Arnau Gàmez I Montolio provides in this workshop a gentle introduction to the state-of-the-art approaches for modern binary de-obfuscation

   2. .Introduction to V8 JavaScript Engine Grammar-based Fuzzing — Patrick Ventuzelo gives a workshop on how to attack the V8 JavaScript Engine using grammar-based fuzzing.

   3. Security Automation for Electron Apps — Luca Carettoni provides a workshop focused on how to detect misconfigurations and vulnerabilities in ElectronJS-based applications using Electronegativity (a de-facto standard tool for identifying security anti-patterns in desktop apps built with web technologies).

⌨️ Repositories

1. fuzzuli — Fuzzuli is a URL fuzzing tool that aims to find critical backup files by creating a dynamic wordlist based on the domain.

2. RanSim — RanSim is a ransomware simulation script written in PowerShell. It recursively encrypts files in the target directory using 256-bit AES encryption. You can use RanSim to test your defenses and backups against real ransomware-like activity in a controlled setting

3. waymore — The idea behind waymore is to find even more links from the Wayback Machine than other existing tools. The biggest difference between waymore and other tools is that it can also download the archived responses for URLs on wayback machine so that you can then search these for even more information.

4. Chainwalker — ChainWalker is a smart contract scraper which uses RCP/IPC calls to extract the information. A small tool that can help us find contracts, extract the EVM code, and disassemble the opcodes. It allows us to select specific blocks or even specific contract balances.

🎙️ Podcasts

1. Decipher Security Podcast: John Hultquist — John Hultquist, VP of Mandiant Intelligence, talks about new Mandiant research that exposes a Chinese information operation campaign targeting U.S., Canadian and Australian rare earths mining companies, including a processing facility in Texas, and how these types of information operations can be detrimental to private companies.

2. Darknet Diaries: EP 120 Voulnet — In this episode, Jack Rhysider interviews Mohammed Aldoub, AKA Voulnet, the person who found a vulnerability on VirusTotal and Tweeted about it.

🧰 Workshops

Ringzer0 Hands-on Workshops — You are still on time to attend three free workshops this week!

1. A journey into malicious code tradecraft for windows (5 Jul) — Instructors will go through implants evolution from an attacker perspective, showing real examples to highlight what makes defenders’ life harder, use of a Virtual Machine is recommended

2. Hands-on reversing with Ghidra (6 Jul) — A short hands-on workshop that will cover the major features of Ghidra, strengths and weakness, and how it compares to similar tools.

3. Debugging with Emux (7 Jul) — A tour on using EMUX IoT Firmware Emulation Framework and how to debug an ARM and MIPS IoT Target.

📧 Wrapping up

If you enjoyed this newsletter and think others would too, It would mean a lot for us if you'd forward this email to other people who may enjoy it as well. You can also follow me on Twitter and let me know your feedback or comments, or simply reply to this email, I'd love to get in touch with you.

Thanks,Sebas@0xroot | @secpillsnews

If you liked this newsletter from Security Pills Newsletters, why not share it?