Security Pills - Issue 45

Everything I'll Forget About Prompting LLMs, Analysis of Obfuscations in Apple Fairplay, How Malicious Code Can Sneak Into Your GitHub Actions Workflows

Release Date: 13th November 2023 | Issue: 45

The Security Pills newsletter is a hand-curated zine (delivered once per week) that highlights security-related news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.

Sponsor
Would you like to become a sponsor for our newsletter? Our mission is to highlight security-related news with a focus on quality content, while we help people stay up to date with this corner of the industry. If you are interested, reach out to [email protected] with your ad idea to get started!

Hey there 👋,

I hope you are doing well. It has been a while since our last issue, but hopefully, you've missed us. We have decided to make some changes to our newsletter… but I won’t spoil the surprise for you. Discover it for yourself!

As always, sit comfortably and enjoy today’s newsletter with a cup of coffee ☕️.

Feel free to reach out to me if you are experiencing any issues with today’s issue!

  • 🛠️ Application Security — The Single-Packet Attack | Abusing OAuth | Client-Side JS Instrumentation | Gsec.

  • ⛓️ Blockchain — Account Abstraction Wallet Vulnerability | State of the Art for web3 Malware | Front-Running | How to Create Web3 Incident Response Plan.

  • ☁️ Cloud Security — Detect Transitive Access to Sensitive GCP Resources | Introduction to AWS ABAC | 5 Things You May Not Know About AWS IAM | Detection of Inbound SSO Persistence in GCP.

  • 🐳 Container Security — How to Traceroute Kubernetes pod-to-pod Traffic | Security Considerations for Running Containers on Amazon ECS | EKS Cluster Games | localtoast.

  • 🤖 Machine Learning — Everything I’ll Forget About Prompting LLMs | Offensive ML Framework | Increasing Transparency in AI Security | Using LLMs to Reverse JS Variable Name Minification.

  • 📱 Mobile — Analysis of Obfuscation in Apple FairPlay | OAuth Account Takeover | Exploiting the iPhone 4.

  • ⚔️ Red Team — Abusing Slack for Offensive Operations | pandora | OffensiveGo.

  • 📦️ Supply Chain — Unpinnable Actions | Supply Chain Threats | Raven.

  • 🕵️ Threat Hunting — Ransomware & Data Extortion | Building a Phishing Campaign with Gophish | macOS Malware | Aftermath.

The single-packet attack: making remote race-conditions 'local'
PortSwigger's James Kettle details the single-packet attack as applied to various protocols, including HTTP/3, HTTP/1.1, WebSockets, and SMTP. He shares alternatives for situations where the attack isn't feasible and provides guidelines for adapting it to other protocols.

Oh-Auth - Abusing OAuth to take over millions of accounts
Salt Security's Aviad Carmel describes a lack of token verification in the OAuth implementations of Vidio, Bukalapak, and Grammarly, potentially allowing unauthorized access to millions of accounts.

Client-side JavaScript Instrumentation
Doyensec's Dennis Goodlett writes about client-side JavaScript instrumentation and the methodology that he uses for identifying security issues within large and complex codebases. Dennis also introduces Eval Villain, a web extension for instrumenting JavaScript by hooking native and non-native JavaScript functions across all pages and frames before their usage.

🧰 Gsec — A web security scanner and exploitation engine based on custom scanners and Nuclei templates.

First Account Abstraction wallet vulnerability
Fireblocks' Oren Yomtov discusses an ERC-4337 account abstraction vulnerability in the Unipass smart contract wallet, which allowed for a full account takeover and draining of funds. Fireblocks worked with Unipass to mitigate the vulnerability and patch all the vulnerable wallets by being the first to exploit the issue.

State of the art of detection evasion, for web3 malware
Report published by Forta that explores the latest advancements in evasion techniques used in certain smart contract attacks. This document offers real-world examples and proof-of-concepts, highlighting methods like spoofing, morphing, and obfuscation, among others.

Front-Running In Blockchain: Real-Life Examples & Prevention
Hacken's Saylik Seher and Malanii Oleh discuss front-running attacks in DeFi, detailing displacement, suppression, and insertion attacks, the use of MEV bots, and various mitigation strategies for both platforms and users to protect against these attacks.

How to Create a Web3 Security Incident Response Plan
Halborn's Rob Behnke delves into the essentials of formulating a plan to respond effectively to emergency situations in Web3. He covers everything from identifying scenarios that qualify as security incidents, to defining critical roles, evaluating security threats through live debugging sessions, implementing defensive security measures, and conducting post-mortem analyses to gather information for vulnerability disclosure statements, among other topics.

Detect transitive access to sensitive Google Cloud resources
P0 Security's Komal Dhull describes transitive access issues in Google Cloud when users with certain permissions authenticate as service accounts, gaining unintended access to all the IAM resources tied to those accounts. Komal details the IAM permissions enabling this access, detection methods and how to identify risky service accounts.

Introduction to AWS Attribute-Based Access Control
NCC's Rennie deGraaf provides an introduction to Attribute-Based Access Control (ABAC) in AWS. The article explains how ABAC differs from traditional Role-Based Access Control (RBAC), how to use tags to implement ABAC and some of its current limitations.

5 Things You May Not Know About AWS IAM
Devoteam's Jérémie Rodon shares 5 facts you probably don't know about AWS IAM.

Detection of Inbound SSO Persistence Techniques in GCP
Google's Peter Solagna discusses the detection of inbound single sign-on (SSO) persistence techniques in Google Cloud Platform (GCP), focusing on monitoring and identifying the creation or update of SSO profiles, workforce identity pools, and workload identity pools using GCP logs and log sinks.

How to Traceroute Kubernetes pod-to-pod Traffic
Globant's Alain Reguera explores the intricacies of Kubernetes networking and delves into the fundamental principles and mechanisms that govern pod-to-pod communication within a cluster. The article focuses on the Kubernetes networking model within the context of VirtualBox's default networking layout.

Security considerations for running containers on Amazon ECS
Amazon's Mutaz Hajeer, Ibtissam Liedri, and Temi Adebambo offer six recommendations for improving container security on Amazon ECS, including managing access with IAM policies, securing the network with network segmentation and encryption, implementing secrets management with AWS Secrets Manager, securing container images by scanning them and enabling ECR tag immutability, among others.

Announcing the EKS Cluster Games
Wiz's Nir Ohfeld and Ronen Shustin publish this cloud security Capture the Flag (CTF) event, designed to educate participants on common Amazon EKS security issues through five different real-world scenario challenges.

🧰 localtoast — A scanner for running security-related configuration checks such as CIS benchmarks in an easily configurable manner.

Everything I'll forget about prompting LLMs
Hrishi Olickel shares an in-depth look at using efficient prompts instead of fine-tuning LLMs. Hrishi provides various strategies for creating well-structured prompts that can enhance output reliability and reduce costs, while delving into areas such as understanding prompt complexity and prompt structure.

Welcome to the Offensive ML Framework
Adrian Wood shares this amalgam of tactics, techniques and procedures (TTPs) on different offensive ML attacks encompassing the ML supply chain and adversarial ML attacks. Adrian has divided the framework into three main categories, OffensiveML for red team purposes, AdversarialML to cover attacks against ML and Supply Chain Attacks which encompasses attacks on unique ML upstreams.

Increasing transparency in AI security
Google's Mihai Maruseac, Sarah Meiklejohn and Mark Lodato share two new ways to make information about AI supply chain security universally discoverable and verifiable, so that AI can be created and used responsibly. The authors describe in this article how ML model creators can protect against ML supply chain attacks by using SLSA and Sigstore.

Using LLMs to reverse JavaScript variable name minification
Jesse Luoto writes about how to reverse minified JavaScript code using LLMs like ChatGPT and llama2 while keeping the code semantically intact.

Analysis of Obfuscations Found in Apple FairPlay
Nicolo delves into the workings of Apple FairPlay and shares some of the protection mechanisms and obfuscation techniques found within user-space daemons running FairPlay, the DRM system used by Apple.

One Scheme to Rule Them All: OAuth Account Takeover
Ostorlab's Mohamed Benchikh delves into the exploitation of OAuth account takeovers using app impersonation through custom scheme hijacking, an overlooked vulnerability pattern affecting most OAuth providers and many popular applications.

Exploiting the iPhone 4
Phillip Tennen shares a 6-part series on building a jailbreak for iOS 4, focusing on bypassing traditional development tools by exploiting a boot ROM vulnerability. Phillip delves into some of the technical challenges he faced.

Abusing Slack for Offensive Operations
SpecterOps' Matt Creel explores the changes implemented by Slack in the past years and reexamines avenues to achieve Slack access from ceded access on both macOS and Windows hosts.

🧰 pandora — A red team tool that assists in extracting/dumping master credentials and entries from different password managers, including Windows 10 desktop applications, browsers, and browser plugins. By Efstratios Chatzoglou.

🧰 OffensiveGo — Offensive tools and utilities rewritten in Golang that can be used by red teamers during an engagement.

Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows
Palo Alto's Yaron Avital reveals in his article that simply pinning a GitHub Action to a specific commit SHA does not ensure consistent code execution. He explains this through examples like unpinned Docker containers and composite Actions that permit the execution of bash or other Actions.

SLSA - Supply chain threats
A really well documented introduction with real-world examples of possible attacks throughout the supply chain and how SLSA can help.

🧰 Raven — A tool designed to perform massive scans for GitHub Actions CI workflows and digest the discovered data into a Neo4j database.

Ransomware & Data Extortion Landscape
Orange Cyberdefense's Simone Kraus provides an analysis of ransomware groups' defensive evasion techniques, focusing on the LockBit ransomware group's use of specific tools for disabling or modifying security tools. The author emphasizes the importance of developing robust detection methods and monitoring various data sources, such as command execution, driver loads, and Windows Registry Key modifications, to detect and prevent ransomware attacks.

Building a Phishing Simulation Campaign with Gophish Framework
Altodia Utomo provides a comprehensive walkthrough on building a phishing simulation campaign with Gophish and highlights the importance of regularly testing and educating employees to protect organisations from real-world threats.

Legitimate Exfiltration Tools
Synacktiv's Nathanael Ndong discusses the evolving threat landscape and the use of legitimate administration tools by threat actors for data exfiltration. Nathanael also provides detection methods and artifacts to identify the presence and use of these tools.

macOS Malware: A Deep Dive into Emerging Trends and Evolving Techniques
SentinelOne's Phil Stokes details some of the major macOS malware discovered recently and how threat actors are adapting and evolving to ensure successful compromise when targeting Apple’s desktop platform.

🧰 Aftermath — A free macOS incident response framework.

📧 Wrapping up

If you enjoyed this newsletter and think others would too, it would mean a lot to us if you'd forward this email to other people who may enjoy it as well. You can also reply to this email; I'd love to get in touch with you.

Thanks,
Sebas
@0xroot | @secpillsnews