Security Pills - Issue 46
50 Shades of Vulnerabilities, State of Cloud Security, Adversarial Attacks on LLMs

Release Date: 20th November 2023 | Issue: 46
The Security Pills newsletter is a hand-curated zine (delivered once per week) that highlights security-related news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.
Sponsor
Would you like to become a sponsor for our newsletter? Our mission is to highlight security-related news with a focus on quality content, while helping people stay up to date with this corner of the industry. If you are interested, reach out to [email protected] with your ad idea to get started!
Hey there 👋,
Hope you all had a great weekend. I'm really excited to move things forward with the newsletter and generate new content around it. During the weekend, I've been implementing a few functionalities around Security Pills to speed up a few things, so I can focus on bringing quality content to you and a few other things down the pipeline!
As always, sit comfortably and enjoy today’s newsletter with a cup of coffee ☕️. For the best experience I recommend checking out this edition on our website; it’s very likely that the email got clipped by your email provider.
I hope you have an incredible week, and to those of you in the States, enjoy Thanksgiving!

🛠️ Application Security — Plundering Postman with Porch Pirate | 50 Shades of Vulnerabilities | Are We Doing Vulnerability Management All Wrong? | Session Hijacking Visual Exploitation.
⛓️ Blockchain — A Collection of EVM Tracing Information for Easy Reference | A Deep Dive Into our Storage Layout Extractor | A Crisis Handbook for Smart Contract Hacks.
🛡️ Blue Team — Scaling Detection and Response Operations at Coinbase | CVE Watcher | FalconHound.
☁️ Cloud Security — Terraform Security Best Practices | State of Cloud Security | Lambda Extensions: Exploring Misuse Scenarios and Stratus Red Team Module Development.
🐳 Container Security — Post-Exploiting a Compromised ETCD | Kubernetes Security Observability & Runtime Enforcement | Key Takeaways From the 2023 Kubernetes Security Report | Multi Tool Kubernetes Pentest Image.
🤖 Machine Learning — Adversarial Attacks on LLMs | Multi-modal Prompt Injection Image Attacks Against GPT-4V | BIML Interactive Machine Learning Risk Framework | The Security Toolkit for LLM Interactions.
⚔️ Red Team — Abusing GDB Features for Data Ingress & Egress | The Triforce of Initial Access.
📦️ Supply Chain — YouShallNotPass! Hardening CI/CD Pipelines on Mission Critical Environments | CI/CD Secrets Extraction, Tips and Tricks | SLSA - Supply Chain Threats.
🕵️ Threat Hunting — The Wiki-Slack Cyberattack Analysis | Hunting Vulnerable Kernel Drivers | osquery-defense-kit.

Plundering Postman with Porch Pirate
Mand Consulting Group's Dominik Penner introduces Porch Pirate, a comprehensive Postman recon and framework that facilitates the automated discovery and exploitation of API endpoints and secrets committed to workspaces, collections, requests, users and teams.
50 Shades of Vulnerabilities: Uncovering Flaws in Open-Source Vulnerability Disclosures
Aqua's Ilay Goldman and Yakir Kadkoda share their methodology for detecting potential security issues in open-source projects before they become public knowledge by analyzing GitHub activity and NVD entries. The authors use cases like Log4Shell to illustrate these vulnerabilities and propose strategies for mitigating early exploitation risks in the open-source community, such as proactive GitHub scanning and runtime protection.
Are we doing vulnerability management all wrong?
Justin Pagano discusses the over-reliance on reactive vulnerability management strategies in the industry and advocates for a more proactive approach. He outlines the Proactive Vulnerability Patch Management Lifecycle (PVPM), a continuous process designed to create effective auto-patching workflows that address vulnerabilities quickly without awaiting scans. This approach is enhanced by integrating the Stakeholder-Specific Patching Prioritization (SSPP) framework, which aids in determining the order and priority for developing auto-patching workflows for different software.

🧰 Session Hijacking Visual Exploitation
A tool by Doyensec’s Raúl Miján that facilitates session hijacking through the injection of malicious JavaScript code. For a more comprehensive insight, see also Raúl’s introductory article on Session Hijacking Visual Exploitation (SHVE).

A Collection of EVM Tracing Information for Easy Reference
A comprehensive collection of EVM tracing information, including different tracers, trace methods, node client support, RPC provider support, ecosystem tooling support, and example tracer data.
A Deep Dive into our Storage Layout Extractor
smlXL's Tal introduces the Storage Layout Extractor, a tool used to recover the storage layouts of solc-compiled contracts without the need for source code. He discusses the strategy and pipeline, and highlights some details around execution and type-checking.
A Crisis Handbook for Smart Contract Hacks
A comprehensive checklist and guide for responding to a smart contract hack, covering actions to perform immediately, analysis steps, post-incident actions, etc.

Scaling Detection and Response Operations at Coinbase
Coinbase's James Dorgan writes a three-part blog series covering some of the strategies and systems that Coinbase's CSIRT has implemented to investigate and respond to threats more effectively. James provides in-depth insights into integrating context into detection logic through both machine and user profiling, deploying automated remediation for high-risk threats, and employing a Slackbot for efficient alert triage.
🧰 CVE Watcher
A security tool that uses the National Vulnerability Database (NVD) API to identify recently published CVEs with GitHub references before an official patch is released, underscoring the window of opportunity attackers have to harvest this information and develop exploits. By Aqua Nautilus' Ilay Goldman and Yakir Kadkoda.
🧰 FalconHound
A blue team multi-tool that allows you to utilise and enhance the power of BloodHound in a more automated fashion. It is designed to be used in conjunction with a SIEM or other log aggregation tool. By FalconForce's Olaf Hartong.
See also Olaf's technical article about FalconHound and some use case examples.

Terraform Security Best Practices
Sysdig's Nigel Douglas outlines essential security practices for using Terraform. He emphasizes the importance of secure credential management, frequent key rotation, and enforcing the principle of least privilege access policies. Additionally, Douglas highlights the necessity of keeping Terraform modules updated and securely managing state files, among other recommendations.
State of Cloud Security
Datadog's analysis of security data from thousands of cloud users uncovers persistent challenges, such as widespread use of static, long-lived credentials and insufficient MFA enforcement, impacting a significant portion of AWS IAM users. The report also emphasizes the low adoption of IMDSv2 in AWS, and highlights the risks associated with publicly exposed virtual machines and excessive privileges in cloud workloads.
Lambda Extensions: Exploring Misuse Scenarios and Stratus Red Team Module Development
Adan Álvarez discusses how Lambda extensions provide attackers with an easily exploitable method to compromise AWS Lambda functions. These extensions can persist across Lambda invocations and operate independently, enabling attackers to gain persistent access and control over the execution environment and the processed data. Highlighting this vulnerability, the author introduces LambdaSpy, a proof of concept that demonstrates the interception and modification of Lambda invocation events and has integrated this technique into the Stratus Red Team tool.

Post-exploiting a compromised etcd – Full control over the cluster and its nodes
NCC's Luis Toro discusses the potential risks and vulnerabilities associated with a compromised etcd in a Kubernetes cluster. As Luis describes, since it is not subject to role restrictions or AdmissionControllers, compromising etcd easily jeopardizes not only the cluster but also its underlying infrastructure, including all nodes where a kubelet is deployed.
Kubernetes Security Observability & Runtime Enforcement
Isovalent's Thomas Graf announces the release of Tetragon 1.0, a Kubernetes-native tool designed for advanced security observability and runtime enforcement. By leveraging eBPF for in-kernel filtering, Tetragon achieves significant reductions in performance overhead, while providing thorough monitoring and logging of network events.

Key Takeaways from the 2023 Kubernetes Security Report
Wiz's Shay Berkovich and Rotem Lipowitch highlight the low container security maturity and the increasing security risks in Kubernetes environments, evidenced by the fact that new clusters are attacked within 22 minutes of creation. The research, based on over 200,000 cloud account scans, reveals that only 9% of clusters use network policies for in-cluster traffic separation, indicating a lack of adoption of the main security features.
The authors propose proactive measures such as continuous external exposure scanning, regular vulnerability remediation, and the aggressive use of in-cluster separation controls with smart namespace-based isolation and RBAC.

🧰 Multi Tool Kubernetes Pentest Image
A Docker image that contains all the most popular and necessary tools for pentesting a Kubernetes cluster. By Sergey Kanibor.

Adversarial Attacks on LLMs
OpenAI's Lilian Weng writes a deep dive into five types of adversarial attacks on large language models (LLMs)—token manipulation, gradient-based attacks, jailbreak prompting, human red-teaming, and model red-teaming. These methods aim to trigger LLMs into producing undesirable content. The author not only details these attack methodologies but also discusses potential defenses to prevent such attacks.
Probably one of the most thorough and detailed articles that I've seen on adversarial attacks, a must-read for understanding LLM security! 🤯

Multi-modal prompt injection image attacks against GPT-4V
Simon Willison describes various image-based prompt injection attacks on GPT-4 Vision, such as visually hiding the injection within an image and using it for data exfiltration. Simon also reflects on how prompt injection attacks remain a stubbornly unsolved problem, since LLMs are gullible and differentiating between 'good' and 'bad' instructions is currently an intractable problem.
BIML Interactive Machine Learning Risk Framework
The Berryville Institute of Machine Learning has created this interactive framework that identifies 78 specific risks associated with a generic ML system.

🧰 The Security Toolkit for LLM Interactions
A comprehensive tool designed to fortify the security of LLMs by offering sanitisation, detection of harmful language, prevention of data leakage and resistance against prompt injection attacks. By Oleksandr Yaremchuk and Marc Jermaine.

Abusing gdb Features for Data Ingress & Egress
Jared Stroud explores how to abuse gdb's debuginfo feature to create data communication paths for data exfiltration and tool ingress.
The Triforce of Initial Access
TrustedSec's Melvin Langvik discusses the pivotal role of specific tools in gaining initial access in Microsoft Office environments. Melvin highlights the combined use of Evilginx, ROADtools, and TeamFiltration, supported by the Bobber script, as a 'Triforce' for effective Red Team operations.

YouShallNotPass! Hardening CI/CD pipelines on mission critical environments
Kudelski's Pierre Dumont presents the development of YouShallNotPass (YSNP), an open-source tool crafted to improve the security of GitLab and GitHub pipeline executions. YSNP serves as a gatekeeper, verifying job executions against predefined criteria, including repository permissions, approved Docker images, and pre-approved jobs, among others. Additionally, Pierre outlines three key use cases where YSNP effectively thwarted potential threats, such as runner hijacking, malicious modification of the repository, and user impersonation.

CI/CD Secrets Extraction, Tips and Tricks
Synacktiv's Hugo Vincent and Theo Louis-Tisserand describe the inner mechanisms of CI/CD pipeline secrets extraction by presenting different scenarios on Azure DevOps and GitHub, such as extracting secrets from an Azure RM service connection or using OpenID Connect trust relationships in GitHub. The authors also describe some bypass techniques against hardened environments and have published Nord Stream, a tool to automate this process.
SLSA - Supply chain threats
A really well documented introduction with real-world examples of possible attacks throughout the supply chain and how SLSA can help.

The Wiki-Slack Cyberattack Analysis
Esentire's Keegan Keplinger and Joe Stewart analyze the Wiki-Slack Attack, a social engineering technique that exploits formatting errors in Slack's rendering of Wikipedia links to redirect users to attacker-controlled websites.
Hunting Vulnerable Kernel Drivers
VMWare's Takahiro Haruyama details the process used to identify vulnerable kernel drivers that grant firmware access via port I/O and memory-mapped I/O. The article focuses on drivers, including those for legacy hardware, that remain in use despite lacking active support. As Haruyama explains, these drivers present a unique attack vector, since Windows allows loading drivers with expired or revoked certificates.
🧰 osquery-defense-kit
More than 250 production-ready osquery queries for detection & incident response. The detection queries are formulated to return zero rows during normal expected behavior, so they can be configured to generate alerts when rows are returned.
📧 Wrapping up
If you enjoyed this newsletter and think others would too, it would mean a lot to us if you'd forward this email to other people who may enjoy it as well. You can also reply to this email, I'd love to get in touch with you.
Thanks,
Sebas
@0xroot | @secpillsnews