Security Pills - Issue 36

Release Date: 27th February 2023 | Issue: 36 | Subscribe

The Security Pills newsletter is a hand curated zine (delivered once per week) that highlights security related-news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.

When I first created this newsletter, my idea was to share a few interesting links with friends and keep up with technical write-ups and cool research for myself. But almost 9 months have passed since we started this project, and we have already shared over 600 articles across different categories. It might not seem like a lot, but I'm encountering the same problem again - I can't remember which issue I published a specific article in, and I feel like I'm not helping to solve the problem of interesting content falling into oblivion. Therefore, I have decided to create a Security Pills Archive where all the links will be stored, and users can easily search for them using tags and specific keywords. What do you think of this idea?Other than that, it has been a calm week with no major hacks. I think we had more than enough excitement with the Platypus rollercoaster last week! But we have collected some interesting articles and vulnerabilities and prepared an engaging issue for you today. So, sit back, get comfortable, prepare a good cup of coffee ☕, and enjoy today's newsletter.

Return of the 0ktapus? #blockchain Opalsec writes on the incident that Coinbase suffered in early February when one of their employees had their credentials compromised. This attack seems to have some similarities with the 0ktapus campaign, which targeted customers of the identity provider Okta, obtaining nearly 10,000 accounts across over 130 organizations. Opalsec delves into the TTPs used and provides some suggestions to mitigate MFA bypasses.

A Primer On Slowable Encoders #blockchainNCC Group's Aleksandar Kircanski provides an introductory article on "Slowable Encoders," which are cryptographic transformations tradeoff-resistant, and are utilized in storage-oriented blockchains in their attempt to decentralize traditional cloud data storage solutions. Aleksandar explores the context of storage blockchains and the motivation behind the need for such functions.

How BlockSec Rescued Stolen Funds #blockchainThe BlockSec team recently helped several projects that suffered blockchain attacks over the past few months:

• Platypus Finance (~$2.4 millions USD) - The team identified a vulnerability in the attacker's contract and used it to approve a fixed number of USDC to the project's contract. Then, they upgraded the project's contract to transfer the funds from the attacker's contract.

• TransitSwap (~$246,000 USD) - BlockSec exploited the profanity tool vulnerability to recover the private key and transferred the funds back to the TransitFinance team.

• Saddle Finance (~$3.8 millions USD) - The team deployed a transaction pre-execution system that detected the attack and performed a front-running attack to recover the stolen funds.

How Many Bitcoin Confirmations is Enough? #blockchainJameson Lopp examines the risks associated with different confirmation thresholds for Bitcoin transactions and how they impact security. He introduces a confirmation risk calculator that provides a rough estimate of the risk that the dominant mining pool with the most hashrate could reorganize the blockchain after a certain number of transactions, potentially invalidating a payment. By using this calculator, Bitcoin users can determine the appropriate confirmation threshold to minimize the risk of payment failure.

Security Checks for EIP-4337 Based Account Abstraction Implementation #blockchainFairyproof provides insights into the security checks that should be considered when auditing a solution based on EIP-4337 and the five new concepts it introduces. EIP-4337 proposes the use of smart contract wallets instead of externally owned accounts (EOAs) as the primary account. The article discusses the importance of conducting thorough security audits of such solutions and highlights several key security checkpoints that should be considered.

Abusing Azure App Service Managed Identity Assignments #cloudsecSpecterOps' Andy Robbins introduces the Managed Identities feature, which allows developers to grant their applications access to Azure resources. Andy discusses the risks that can arise from improper usage and how attackers can exploit this service to not only attack a web application but also pivot through the entire Azure environment. Andy provides a real-life example of various attack paths that occurred in a customer's Azure environment and suggests different steps that should be considered to prevent such attacks.

Stack under attack: what we learned about handling DDoS attacks #engineeringStack Overflow's Josh Zhang reflects on the lessons learned from handling volume-based and application-layer DDoS attacks targeting the platform. Josh discusses the impact of the attacks and outlines how the Stack Overflow team worked together to mitigate bot attacks while providing insights into the strategies and tools used.

OWASP Kubernetes Top 10 #kubernetesSysdig's Nigel Douglas groups the OWASP Kubernetes Top 10 into three categories (Misconfigurations, Lack of visibility, and Vulnerability management) while diving into each OWASP risk, providing technical details on each threat and common mitigations.

Escaping misconfigured VSCode extensions #appsecTrail of Bits' Vasco Franco discusses some serious security vulnerabilities affecting the SARIF viewer and Live Preview VSCode extensions, as well as a vulnerability in VSCode itself that could enable attackers to steal a user's local files. Vasco dives into VSCode Webviews and shares some of the exploitation techniques used to exfiltrate information and achieve a broader impact. He also provides some tips for hardening VSCode Webviews to minimize the impact of vulnerabilities.

Dangerous Assumptions #appsecCodean's Thomas Rinsma and Kevin Valk research that uncovered a series of vulnerabilities in third-party packages (Feathers.js, Sequelize and SocketIO) that lead to critical security vulnerabilities.

Microsoft Azure Account Takeover via DOM-based XSS in Cosmos DB Explorer #appsecStar Labs' Ngo Wei details a vulnerability in the Cosmos DB Explorer that could allow an attacker to take over a victim user's Azure session and gain access to other cloud assets. The vulnerability is caused by a mistake in a regular expression used to check trusted origins, which allows a remote attacker to execute DOM-based XSS attacks.

Zero Transfer Phishing #blockchainCoinbases's Heidi Wilder and Peter Kacherginsky have written a three-part blog series on the 'zero transfer phishing attack' also known as poison transactions. In this attack, malicious actors create smart contracts that initiate zero-value token "transfers" from a victim's address to a spoofed address that resembles one previously used by the victim. 

1. Attack Analysis- Deep dive into the attack vector used and potential mitigations.

2. Phishing Campaigns- Identifying various campaigns on Ethereum blockchain with their respective indicators.

3. Hashlinked- Uncovering the threat actors behind one of the campaigns.

Jump Executes Counter Exploit Against Wormhole Exploiter #blockchainBlockworks' Dan Smith writes on a counter exploit used by Jump Crypto and Oasis to recover the funds stolen (~$225 millions) by the Wormhole Exploiter. Although Jump nor Oasis have publicly confirmed this, the on-chain evidence points out that the wallets involved in there counterattack were owned by Jump.

1. 🥇Hope Finance — Around $1.86 millions were stolen from Hope Finance on Monday due to an exist scam. Surprisingly the tx preparing the rug pull was approved by all three accounts on the team's multisig.

2. 🥈NFT Cloud — A vulnerability in the staking contract which did not check the staking status of $CloudNFT correctly resulted in a loss of ~$81k USD.

3. 🥉Revert Finance — On February 18th 2023, a total of just under $30k USD were stolen from users through a vulnerability in the V3Utils contract, which was used to inject a malicious router.

⌨️ Repositories

• Building Secure Smart Contracts — Trail of Bits has recently published a new repository that provides guidelines and best practices for writing secure smart contracts. The repository includes articles on how to use automated tools like Echidna or Manticore, as well as examples of common smart contract issues in Solana, Cairo, and Cosmos, among others.

• Smart Contract Security Verification Standard (SCSVS) — The checklist created to standardize the security of smart contracts has received a new update, including 3 new chapters, each operating in a slightly different area (General, Components, and Integrations).

• legitify — Detect and remediate misconfigurations and security risks across all your GitHub and GitLab assets.

🎙️ Podcasts

• The (Other) Problem with NFTs — In 2021 alone, scammers successfully stole 100 million dollar's worth of non-fungible tokens (NFTs). How are NFT collectors getting hacked?

📖 Writeups

• Let's build a Chrome extension that steals everything — Matt Frisbie provides a walkthrough on building a Chrome extension that steals as much data as possible while explaining the internals of the WebExtensions API.

• EKO2022 Enter the metaverse CTF Challenge 1: Phoenixtto — Emanuele Ricci has created a series of walkthroughs for the Enter the metaverse CTF. A mix between classical blcokchain challenges and new ones. This first challenge will help you understand the concepts behind metamorphic contracts and become more familiarized with the EVM.

• Building reliable EVM disassemblers — karma provides a deep dive into EVM disassembly and creates a step-by-step guide on how to build an EVM from scratch.

• Setting Up A Bridge With Foundry — haruxe provides an introduction to bridges and how a simple one-way bridge can be built for testing purposes with Foundry.

📧 Wrapping up

If you enjoyed this newsletter and think others would too, It would mean a lot for us if you'd forward this email to other people who may enjoy it as well. You can also follow me on Twitter and let me know your feedback or comments, or simply reply to this email, I'd love to get in touch with you.

Thanks,Sebas@0xroot | @secpillsnews