- Security Pills
- Posts
- Security Pills - Issue 3
Security Pills - Issue 3
Apple's lockdown mode, How hackers got into Axie Infinity, Following the trail of $100 millions
Release Date: 11 Jul 2022 | Issue: 3 | Subscribe
The Security Pills newsletter is a hand curated zine (delivered once per week) that highlights security related-news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.
SponsorWould you like to become a sponsor for our newsletter? Our mission is to highlight security-related news with a focus on appsec, mobile and smart-contracts while we help people staying up to date with this corner of the industry.If you are interested, reach out to [email protected] with your ad idea to get started!
Good morning 👋,
Welcome to another weekly issue, hope you are doing great!
— Sebas
Your weekly prescription 💊
News: Apple introduces the Lockdown mode, How a fake job offer took down the world's most popular crypto game, Cluster of +1.2k malicious NPM packages.
Articles: When Pentest Tools go Brutal: Red-Teaming tool being abused by malicious actors, Account hijacking using 'dirty dancing' in sign-in Oauth-flows, One I/O ring to rule them all: A full read/write exploit primitive on Windows 11, The $100 million horizon hack: Following the trail through Tornado Cash to North Korea, Unorthodox lateral movement: Stepping away from standard tradecraft, From misconfigured certificate template to domain admin, Diving in UAC, A Diamond in the Ruff.
Vulnerabilities and Bug Bounties: From NtObjectManager to PetitPotam, Revisiting Pegaus on iOS9, Automating binary vulnerability discovery with Ghidra and Semgrep.
Miscellaneous: The open cloud vulnerability & summary issue database
Resources: Pass the Salt 2022, Talking about the APT29 phishing tactics, jira-mobile-ssrf-exploit, bypass-url-parser.
News
Apple expands industry-leading commitment to protect users from highly targeted mercenary spywareApple has presented the Lockdown Mode, an extreme optional protection for the very small number of users who face grave, targeted threats to their digital security, such as those from NSO Group and other private companies developing state-sponsored mercenary spyware.

Fig.1 - Apple Lockdown menu
What happens under the hood is that iOS and MacOS will turn off some of their internal services and functionalities that are commonly targeted by threat actors to compromise the devices.
How a fake job offer took down the world's most popular crypto game Back in March, Axie Infinity lost $540 million in crypto. While the US government later tied the incident to North Korean hacking group Lazarus, full details of how the exploit was carried out have not been disclosed. However, a reporter from cryptocurrency news site The Block has conducted a research and discovered that hackers duped a senior engineer at Axie Infinity into applying for a job at a fictitious company using a malicious PDF document, a scheme for which North Korean hackers are known to excel at.

Fig. 2 - The scheme resulted in the loss of $540 million in crypto earlier this year
Cluster of +1.2k malicious NPM packagesCheckmarx SCS team has detected over 1200 npm packages released to the registry over a thousand different user accounts. The company said almost all packages include a miner functionality intended to be triggered from within another program. Checkmarx has also created an online tracker project where all the information related to this attack is shared and updated

Fig. 3 - Checkmarx has identified 1283 NPM malicious packages
New Repeater features to help you test more efficientlyPortSwigger has finally introduced groupable tabs for Burp Repeater, they also have added a search function within Repeater and Intruder and the ability to color-coding the tabs.

Fig. 4 - I've never seen Burp so colorful before
Articles
When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors #red-team #aptUnit 42 detected an Advanced Persistent Threat (APT) associated with Brute Ratel C4 (BRc4), an adversary emulation framework developed by a former Crowdstrike and Mandiant security engineer.
A thoroughly detailed blog on Brute Ratel C4 by Palo Alto. Proper Actions have been taken to against the found licenses which were sold in the Black Market. As for existing customers, #BRc4 v1.1 release will change every aspect of IOC found in the previous releases.
— Paranoid Ninja (Brute Ratel C4) (@NinjaParanoid)
2:57 PM • Jul 5, 2022
Account hijacking using 'dirty dancing' in sign-in Oauth-flows #oauthFrans Rosén goes through three different scenarios found in the wild where authorization codes or tokens could leak to an attacker by combining response-type switching, invalid state and redirect-uri quirks using OAuth.
The $100 Million Horizon Hack: Following the Trail Through Tornado Cash to North Korea #blockchainOn June 24th, over $100 million in crypto assets was stolen from Horizon Bridge, including Ether, Tether, Wrapped Bitcoin and BNB. The thief used Uniswap to convert part of the assets into a total of 85,837 ETH. At this moment, the hacker has so far sent 41% of the stolen crypto assets into the Tornado Cash mixer. There are strong indications that North Korea's Lazarus Group may be responsible for this theft.

Fig. 5 - Trail after Horizon hack
One I/O Ring to Rule Them All: A Full Read/Write Exploit Primitive on Windows 11 #windowsIn this article Yarden covers the post-exploitation technique presented at TyphoonCon 2022. Although there are no 0-days involved, there's a method to turn an arbitrary write, or even an arbitrary increment bug in the Windows kernel into a full read/write of kernel memory.
From Misconfigured Certificate Template to Domain Admin #active-directory #windowsLab to get familiarized with ECS1 privilege escalation technique, which demonstrates how it is possible to elevate from a regular user to domain administrator in a Windows Domain by abusing over-permissioned Active Directory Certificate Services (ADCS) certificate templates.
Unorthodox Lateral Movement: Stepping Away from the Standard Tradecraft #red-team During red team operations or any other form of internal penetration test, moving from one host to another is often essential to compromise critical assets and reach the engagement's objectives. This talk provides insights into a variety of techniques, both new and revisited classics that were proven to work and evade most of the detections in highly scrutinized environments.

Fig. 6 - Takeaways
Diving in UAC #windows #uacWindows come with two types of users, standard, and administrator, where processes run by administrators are elevated processes and those run by standard users are non-elevated. However, whether in the corporate environment or with a home computer, people tended to be part of administrator users. In practice, privilege is a poison unless you know how to manage it, and most attacks in the wild wouldn't be possible if the account that accomplished the attack was not an account with administrator privileges. This article dives deep into UAC and how it does work
A Diamond in the Ruff #red-team #attack-simulationTrustedSec revisits the Diamond PAC Attack presented at Blackhat in 2015. The research presented in this article is a journey on forging tickets and how this technique can be weaponize.
Vulnerabilities and Bug Bounties
From NtObjectManager to PetitPotamWindows RPC enumeration, discovery and auditing via NtObjectManager. The article explores the vulnerable RPC interfaces that lead to PetitPotam, how RPC interfaces have changed over the past year and overcome some common RPC auditing pitfalls.
Revisiting Pegasus on iOS9This article revisits the kernel bugs NSO Group's Pegasus Spyware exploited in iOS version 9.3.4 and earlier. Although the vulnerabilities were patched six years ago, Zach wanted to understand the challenges of the exploit development process, exploiting the bugs reliably and weaponizing the attack vector.Author also recommends the following articles to have a better understanding the kernel vulnerabilities exploited by Pegasus:
Automating binary vulnerability discovery with Ghidra and SemgrepRaptor has released some of this tools to help automate vulnerability discovery tasks via static analysis techniques:
Rhabdomancer a simple Ghidra script that locates all calls to potentially insecure API functions in a binary.
Haruspex, is a Ghidra script that is able to extract all pseudo-code generated by the Ghidra decompiler in a format that should be suitable to be imported into an IDE or parsed by static analysis tools.
Semgrep rules to help auditors identify potential bugs and locate hotspots in C/C++ code on which to focus their attention.
Miscellaneous
The Open Cloud Vulnerability & Summary Issue DatabaseAn open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
Sahil Bloom on 20 'old fashioned' ways to stand out 🧵
Some things will never go out of style.
20 “old fashioned” ways to stand out (in your career, business, or life):
— Sahil Bloom (@SahilBloom)
12:38 PM • Jul 9, 2022
🙏 Support us
Enjoy reading the Security Pills newsletter? Consider sponsoring our next edition or buying me a coffee.You can also share us with your friends and follow us on Twitter.
Resources
🎥 Videos
Pass The Salt — The congress dedicated to free software and security has released the conferences presented this 2022.
Reversing Malware:Talking about the APT29 Phishing Tactics — Ippsec goes above and beyond on reverse engineering APT29 , associated with Brute Ratel C4. (BRc4).
⌨️ Repositories
DeFiHackLabs — 36 DeFi incidents that can be reproduced using Foundry framework. Great resource for learning purposes.
DeFiVulnLabs — Web3 solidity security training focused on identifying vulnerabilities in code and how to exploit them using Foundry.
AssetNote/jira-mobile-ssrf-exploit — Exploit for the Jira full-read server-side request forgery vulnerability affecting the mobile plugin in Jira Data Center and Server (CVE-2022-26135).
Koh — A C# and Beacon Object File (BOF) toolset that allows for the capture of user credential material via purposeful token/logon session leakage.
gitgat — A tool using Open Policy Agent policies to evaluate Github's organization, repositories, and user account's security
bypass-url-parser — Tool by @TheLaluka to bypass 40X protected pages using a variety of payloads.
steampipe-mod-aws-perimeter — An AWS perimeter checking tool that can be used to look for resources that are publicly accessible, shared with untrusted accounts, have insecure network configurations, and more.
📧 Wrapping up
If you enjoyed this newsletter and think others would too, it would mean a lot for us if you'd forward this email to other people who may enjoy it as well. You can also follow me on Twitter and let me know your feedback or comments, or simply reply to this email, I'd love to get in touch with you.
Thanks,Sebas@0xroot | @secpillsnews
If you liked this newsletter from Security Pills Newsletters, why not share it?