Security Pills - Issue 47
The Architecture of Today's LLM Applications, Attacking GitLab CI/CD via Shared Runners, Detecting Browser Credential Stealing

Release Date: 27th November 2023 | Issue: 47
The Security Pills newsletter is a hand-curated zine (delivered once per week) that highlights security-related news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.
Sponsor
Would you like to become a sponsor for our newsletter? Our mission is to highlight security-related news with a focus on quality content, while helping people stay up to date with this corner of the industry. If you are interested, reach out to [email protected] with your ad idea to get started!
Hey there 👋,
What a week with all the OpenAI drama! It has been almost impossible to avoid reading about it in the news. Anyway, I hope they continue doing amazing things at Microsoft.
On the other hand, I’d like to ask for your feedback on the latest issues. Do you like Security Pills now more than before? Are there any sections you miss or specific content you would like me to present to the audience? I’m all ears!
As always, sit comfortably and enjoy today’s newsletter with a cup of coffee ☕️. For the best experience, I recommend checking out this edition on our website, as it’s very likely that the email got clipped by your email provider.

🛠️ Application Security — Building a free Burp Collaborator with Cloudflare Workers | Our Audit of PyPI | Introducing Bambdas | The problem with vulnerability reporting | arsenal.
⛓️ Blockchain — Top-10 Vulnerabilities in Substrate Blockchains | Account Abstraction Security Guide.
🛡️ Blue Team — KQL Functions For Network Operations | latma | FARA.
☁️ Cloud Security — Azure CLI Leakage and Problematic Usage Patterns | The Cloud & App Security List | New Methods for Extending Local Breaches in Google Workspace.
🐳 Container Security — 7 Ways to Escape a Container | kubeshark | trivy | kubescape.
🤖 Machine Learning — The Architecture of Today’s LLM Applications | Demystifying Generative AI | Code Interpreter Data Exfiltration | ai-exploits.
⚔️ Red Team — Avoiding Kernel Triggered Memory Scans | Scheduled Task Tampering | ML Outplaying Orientated C2 Project.
📦️ Supply Chain — Attacking GitLab CI/CD via Shared Runners | Dozens of npm Packages Caught Attempting to Deploy Reverse Shell | The Ticking Supply Chain Attack Bomb of Exposed Kubernetes Secrets | dep-scan.
🕵️ Threat Hunting — How AWS Threat Intelligence Deters Threat Actors | Detecting Browser Credential Stealing | Open-Source-Threat-Intel-Feeds.

Building a free Burp Collaborator with Cloudflare Workers
Gabriel Schneider explains how to use Cloudflare Workers to receive out-of-band callbacks during a security assessment (e.g. to exfiltrate data or to track blind XSS payloads) and pipe the results to a Discord channel.
Our audit of PyPI
Trail of Bits' William Woodruff dives into the security of PyPI's Warehouse and cabotage components, uncovering areas of concern such as weak signature verification, unintentional information leaks and weak cryptographic hashes, among others.
The audit highlights the challenges of securing large systems and shows how manual code review remains invaluable for catching inter-procedural and system-level flaws.
Introducing Bambdas
PortSwigger's Emma Stocks introduces Bambdas, a new feature in Burp Suite that allows users to customize its functionality using Java snippets from the UI. This offers new possibilities for user-driven customization, such as advanced custom filters for request and response analysis, including capabilities to identify specific cookie values or roles within JWT claims, among other examples.
The problems with vulnerability reporting
Cynthia Brumfield discusses how recent events have underscored the critical role of systems for reporting Common Vulnerabilities and Exposures (CVEs) in identifying and prioritizing flaws to prevent cyber compromises. However, these incidents also reveal the pitfalls of inadequate reporting and cataloging, which can result in missed opportunities to fix significant security issues.
The current opaque bug reporting system sometimes leads to the overclassification of harmless software bugs as vulnerabilities. This misclassification forces software companies to allocate resources to address these inaccuracies, impacting their operations. Despite the complexity of these issues, there are no straightforward solutions to improving vulnerability reporting systems.
🧰 Orange-Cyberdefense/arsenal
A quick inventory and launcher for security tools with the aim to simplify the use of all the hard-to-remember commands.


Top-10 Vulnerabilities in Substrate-based Blockchains Using Rust
Bloqarl discusses the top 10 vulnerabilities in Substrate-based blockchains using Rust (e.g. Insecure Randomness, Unbounded Decoding, Unsafe Arithmetic, and more) and provides insights into their impact and mitigation strategies.
Account Abstraction Security Guide
ChainLight provides an analysis of the different vulnerabilities discovered during the security audit of projects implemented using account abstraction (e.g. reuse of signed transactions, insufficient verification of generated signatures, incorrect calculations of gas repayment, etc.)

KQL Functions For Network Operations
Bert-Jan Pals explores the use of KQL functions for network operations, offering practical examples and tips for troubleshooting, filtering, counting and regex operations on IP addresses across different log sources. He also highlights the limitations of IPv6 support in KQL's IP functions.
🧰 silverfort-open-source/latma
A tool that collects authentication logs from domain and Azure AD environments to detect potential suspicious activity and lateral movement attacks in the AD environment or between cloud and on-prem. It visualizes the findings with diagrams depicting the lateral movement patterns.
🧰 bartblaze/FARA
A repository by Bart that contains a set of purposefully erroneous YARA rules that can be used to improve your rule-writing skills.

All the Small Things: Azure CLI Leakage and Problematic Usage Patterns
Palo Alto Networks' Aviad Hahami revisits a vulnerability reported in the azure/login GitHub Action, which could leak Azure application variables to the GitHub build log. The issue has since been fixed: Microsoft published a newer version that no longer echoes secrets, preventing leaks into CI pipeline logs, developers' machines and log aggregators.
New Methods for Extending Local Breaches in Google Workspace
Bitdefender's Martin Zugec explores novel attack techniques in Google Workspace that enable escalation from a single compromised endpoint to a broader network breach. The article details vulnerabilities associated with Google Credential Provider for Windows (GCPW), including the exploitation of cloned machine passwords (Golden Image Lateral Movement), unauthorized access token requests by misusing OAuth 2.0 refresh tokens, and potential for password recovery by decrypting stored credentials.

The Cloud & App Security List
A comprehensive list of cybersecurity tools, segmented into categories like Identity, ASPM, SCA, SAST, secret scanning, IaC Security, and DAST.

7 Ways to Escape a Container
Ori Abargil provides an in-depth exploration of seven common techniques for breaking out of container boundaries. For each escape, the article highlights the minimal Linux capabilities and container configuration required to execute it.
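Since every escape in the article starts from "which capabilities does this container actually hold?", here is an added example (editor's code, not from the article) that decodes the `CapEff` bitmask from `/proc/self/status` and flags the capabilities that well-known escape primitives rely on. The two `/proc` excerpts are constructed (Docker's default set, and a `--privileged` container on a kernel with 41 capabilities), and the `ESCAPE_RELEVANT` mapping is this editor's selection, not the article's list.

```python
"""Decode a container's effective capability set from /proc/<pid>/status and
flag the capabilities that well-known container-escape techniques rely on."""

# Capability numbers from linux/capability.h: list index == bit in CapEff.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Editor's selection (not the article's list): capabilities that common escape
# primitives need, with the primitive each one unlocks.
ESCAPE_RELEVANT = {
    "CAP_SYS_ADMIN": "mount(), cgroup release_agent abuse, most namespace tricks",
    "CAP_SYS_PTRACE": "attach to host processes when the PID namespace is shared",
    "CAP_SYS_MODULE": "load a kernel module into the shared host kernel",
    "CAP_DAC_READ_SEARCH": "open_by_handle_at() to read host files (the Shocker bug)",
    "CAP_SYS_RAWIO": "raw access to block devices and /dev/mem",
    "CAP_NET_ADMIN": "reconfigure host networking, sniff or redirect traffic",
    "CAP_BPF": "load eBPF programs into the host kernel",
}

# Constructed /proc/self/status excerpts: Docker's default capability set, and a
# --privileged container on a kernel that knows 41 capabilities (5.8+).
DEFAULT_DOCKER_STATUS = """\
Name:\tsh
Pid:\t1
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""
PRIVILEGED_STATUS = """\
Name:\tsh
Pid:\t1
CapInh:\t0000000000000000
CapPrm:\t000001ffffffffff
CapEff:\t000001ffffffffff
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000000000
"""


def parse_cap_eff(status_text: str) -> int:
    """Return the CapEff mask from a /proc/<pid>/status dump."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapEff line found")


def decode_caps(mask: int) -> list:
    """Names of the capabilities set in the mask, lowest bit first."""
    names = [name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1]
    unknown = mask >> len(CAP_NAMES)
    if unknown:  # newer kernel than this table knows about
        names.append(f"<unknown bits above {len(CAP_NAMES) - 1}: {unknown:#x}>")
    return names


def escape_relevant_caps(mask: int) -> list:
    """(capability, why it matters) pairs for the escape-relevant subset."""
    return [(n, ESCAPE_RELEVANT[n]) for n in decode_caps(mask) if n in ESCAPE_RELEVANT]


if __name__ == "__main__":
    import os
    path = "/proc/self/status"
    text = open(path).read() if os.path.exists(path) else DEFAULT_DOCKER_STATUS
    mask = parse_cap_eff(text)
    print(f"CapEff={mask:#018x}: {', '.join(decode_caps(mask))}")
    for name, why in escape_relevant_caps(mask):
        print(f"  [!] {name}: {why}")
```

Run it inside the container under test; an empty `[!]` list does not mean the container is safe (a writable host mount or a shared PID namespace needs no extra capability), but any hit is a concrete escape primitive to investigate.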
🧰 kubeshark/kubeshark
An API traffic analyzer for Kubernetes providing real-time, protocol-level visibility into Kubernetes’ internal network, capturing and monitoring all traffic and payloads going in, out and across containers, pods, nodes and clusters.

🧰 aquasecurity/trivy
A security scanner that looks for known vulnerabilities, misconfigurations and secrets, and generates SBOMs, for containers, Kubernetes, code repositories, clouds and more.
🧰 kubescape/kubescape
An open-source Kubernetes security platform for your IDE, CI/CD pipelines, and clusters that scans YAML files, Helm charts and clusters. It includes risk analysis, security compliance, and misconfiguration scanning.

The architecture of today's LLM applications
GitHub's Nicole Choi, Alireza Goudarzi and Albert Ziegler discuss the emerging architecture of today's LLM applications. The article covers five major steps to build your own LLM application: focus on a single problem, choose the right LLM, customize the pre-trained LLM with techniques that adapt it to your specific task, set up the app's architecture, and conduct online evaluations of your application.

Demystifying Generative AI - A Security Researcher's Notes
Roberto Rodriguez simplifies complex Generative AI concepts for security professionals, explaining neural networks, machine learning, and their roles in AI. He highlights the impact of foundation models and Transformers in AI applications, focusing on tokenization, embedding, and Retrieval Augmented Generation (RAG) for enhanced AI responses.
Code Interpreter Data Exfiltration
Evren Yalcin delves into how OpenAI's Code Interpreter feature and the navigate command can be used for data exfiltration and backdoor creation.
🧰 protectai/ai-exploits
A collection of exploits and scanning templates for responsibly disclosed vulnerabilities affecting machine learning tools.
These exploits, derived from real-world attacks on a range of tools, libraries, and frameworks in the ML domain, highlight the growing vulnerabilities in AI/ML systems. Complementing this repository, Protect AI's recent report offers a detailed examination of these vulnerabilities.

Process Injection - Avoiding Kernel Triggered Memory Scans
R-Tec's Fabian Mosch introduces the Caro-Kann technique, a method to circumvent the kernel-triggered memory scans (driven by ETW Threat Intelligence, ETWti, events) that fire when a process injection takes place. The technique injects two shellcodes: the known, encrypted malicious shellcode into a READ_WRITE memory page, and a custom, non-malicious shellcode into a READ_EXECUTE section. The latter performs only innocuous actions, which helps avoid detection when the injected memory is scanned.

Persistence - Scheduled Task Tampering
Pentest Laboratories' netbiosX explores techniques for achieving persistence on Windows systems by tampering with scheduled tasks in the Windows Task Scheduler.
Turul: ML outplaying orientated C2 project
Atlan Digital's ML-based command and control (C2) project uses machine learning algorithms to generate C2 traffic that can bypass traditional detection methods. Its aim is to reliably and consistently evade not only Gartner-ranked top EDRs but also, in post-exploitation, network detection and response (NDR), threat hunting, sandbox and other systems.

Attacking GitLab CI/CD via Shared Runners
Pulse Security's Denis Andzakovic illustrates how attackers can exploit GitLab's CI/CD environment through shared runners: malicious pipelines executed on a shared runner can compromise information and reach production systems. The article specifically delves into attacking the docker-in-docker executor in GitLab and executing poisoned pipeline attacks.
Dozens of npm Packages Caught Attempting to Deploy Reverse Shell
Phylum uncovers an attack campaign involving 48 npm packages. The packages, deceptively named to seem legitimate, concealed malicious code that executes through various package lifecycle scripts, creates a detached process that keeps running independently of the parent, collects OS information and triggers a reverse shell.
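The two tells in that campaign, lifecycle hooks that run on their own during `npm install` and a child process that detaches from npm, are cheap to check for before a package ever reaches a build. The following Python triage script is an added example (editor's code, not Phylum's tooling): it lists the auto-run hooks in a `package.json`, greps the hook command and any local file it invokes for dropper idioms, and checks the package name against a popularity list. The `SUSPICIOUS` patterns, the `POPULAR` shortlist and the sample package (`lodash-utils-helper`, `index.js`) are all constructed for the example.

```python
"""Static triage of an npm package: which lifecycle hooks fire on their own during
`npm install`, and do the hook commands (or the local files they run) look like
an install-time dropper?"""
import json
import re
from typing import Optional

# Hooks npm runs automatically when the package is installed as a dependency.
AUTO_RUN_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Idioms seen in install-time droppers; each pattern carries the reason reported.
SUSPICIOUS = [
    (r"child_process", "spawns a child process"),
    (r"detached\s*:\s*true", "detaches the child from the npm process"),
    (r"\.unref\(\)", "lets npm exit while the child keeps running"),
    (r"\b(curl|wget)\b[^|\n]*\|\s*(ba)?sh\b", "download-and-execute pipeline"),
    (r"/dev/tcp/|\bnc\s+-e\b|\bbash\s+-i\b", "reverse-shell idiom"),
    (r"Buffer\.from\([^)]*['\"]base64['\"]\)|\batob\(", "decodes an embedded payload"),
    (r"\beval\(|new Function\(", "dynamic code execution"),
    (r"\bos\.(hostname|userInfo|networkInterfaces)\(", "host fingerprinting"),
]

# Constructed shortlist standing in for a real download-count feed.
POPULAR = {"lodash", "express", "axios", "react", "chalk"}


def lookalike_of(name: str, popular=POPULAR) -> Optional[str]:
    """Return the popular package this name piggybacks on, if any."""
    squashed = re.sub(r"[^a-z0-9]", "", name.lower())
    for p in sorted(popular, key=len, reverse=True):
        if name == p:
            return None
        if name.startswith(p + "-") or name.endswith("-" + p) or squashed == p:
            return p
    return None


def triage_package(package_json: str, files: Optional[dict] = None) -> list:
    """Findings for auto-run hooks in package.json and for suspicious idioms in the
    hook command or in local files the command names (e.g. `node index.js`).
    `files` maps file names in the tarball to their contents."""
    pkg = json.loads(package_json)
    files = files or {}
    findings = []
    base = lookalike_of(pkg.get("name", ""))
    if base:
        findings.append({"hook": None, "where": "name",
                         "reason": f"name looks like a variant of '{base}'"})
    for hook, cmd in pkg.get("scripts", {}).items():
        if hook not in AUTO_RUN_HOOKS:
            continue  # `test`, `build`, ... only run when someone asks for them
        findings.append({"hook": hook, "where": "package.json",
                         "reason": f"runs automatically on install: {cmd}"})
        to_scan = [("package.json", cmd)]
        to_scan += [(tok, files[tok]) for tok in cmd.split() if tok in files]
        for where, text in to_scan:
            for pattern, reason in SUSPICIOUS:
                if re.search(pattern, text):
                    findings.append({"hook": hook, "where": where, "reason": reason})
    return findings


# Constructed sample package: a lodash lookalike whose preinstall hook launches a
# detached, fingerprint-carrying child and lets npm finish normally.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "lodash-utils-helper",
    "version": "1.0.3",
    "scripts": {"preinstall": "node index.js", "test": "jest"},
})
SAMPLE_FILES = {
    "index.js": (
        "const { spawn } = require('child_process');\n"
        "const os = require('os');\n"
        "const info = Buffer.from(JSON.stringify({h: os.hostname(), u: os.userInfo()}))"
        ".toString('base64');\n"
        "const child = spawn(process.execPath, ['payload.js', info],"
        " { detached: true, stdio: 'ignore' });\n"
        "child.unref();\n"
    ),
}
BENIGN_PACKAGE_JSON = json.dumps({
    "name": "tiny-logger",
    "scripts": {"test": "jest", "build": "tsc"},
})

if __name__ == "__main__":
    for finding in triage_package(SAMPLE_PACKAGE_JSON, SAMPLE_FILES):
        print(f"[{finding['hook'] or '-'}] {finding['where']}: {finding['reason']}")
```

Run it against the unpacked tarball (`npm pack <name>` then extract) rather than the repository, since what is published can differ from what is on GitHub. `npm install --ignore-scripts` is the blunt mitigation; this script tells you which packages actually need a hook before you turn scripts back on for them.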
The Ticking Supply Chain Attack Bomb of Exposed Kubernetes Secrets
Aqua's Yakir Kadkoda and Assaf Morag share how, by using GitHub's API, they were able to retrieve all entries containing .dockerconfigjson and .dockercfg, gaining access to 203 records with valid credentials. The research highlights the ineffectiveness of common secret scanners in detecting base64-encoded secrets. To mitigate this risk, the researchers suggest practices such as using environment variables, encrypting secrets at rest, employing secrets management tools like HashiCorp Vault, and regularly auditing and rotating secrets.
🧰 owasp-dep-scan/dep-scan
An open-source security audit tool designed for scanning project dependencies. It identifies known vulnerabilities and advisories, supporting local repositories and container images. Ideal for CI environments, it also generates Software Bill-of-Materials (SBOM) alongside Vulnerability Disclosure Report (VDR) details.


How AWS threat intelligence deters threat actors
AWS' Mark Ryland introduces MadPot, a system built to discover and monitor threat activity and disrupt it whenever possible to protect AWS customers. MadPot detonates the malware it captures in a sandboxed environment, correlates information from different techniques, turns the results into threat patterns and takes further action, such as disconnecting the threat actor's resources from the AWS network. The article also provides three examples of MadPot's effectiveness in the fight against botnets, the Sandworm group and the widely reported state-sponsored threat actor Volt Typhoon.
Threat Hunting: Detecting Browser Credential Stealing
FourCore's Parth Gol delves into the world of browser credential stealing, sharing his methodology for detecting unauthorized access to browser files and the steps needed to configure the relevant auditing features in Windows. Parth provides a comprehensive look into how tools like LaZagne and HackBrowserData, which adversaries use to extract browser credentials, work under the hood. He also outlines steps to detect unauthorized attempts to extract browser credentials, such as enabling event logging for process creation and file access and writing Sigma rules to flag suspicious executions, among other strategies.
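The core detection in that methodology reduces to one question: is the process reading `Login Data`, `Cookies` or `logins.json` the browser that owns that profile, or something else? The following Python snippet is an added example (editor's code, not the article's Sigma rules) that applies that check to Windows Security event 4663 (object access) records exported as JSON lines, using the event's own field names (`SubjectUserName`, `ObjectName`, `ProcessName`, `ProcessId`, `AccessMask`). The five sample events are constructed; the owner mapping and file list are this editor's assumptions and should be extended for the browsers in your estate.

```python
"""Detect non-browser processes reading browser credential stores from Windows
Security event 4663 (object access) records exported as JSON lines."""
import json

# Profile-directory fragments (lowercase, backslash paths) and the browser
# binaries allowed to read files under them. Editor's assumption; extend as needed.
BROWSER_OWNERS = {
    "\\google\\chrome\\user data\\": {"chrome.exe"},
    "\\microsoft\\edge\\user data\\": {"msedge.exe"},
    "\\bravesoftware\\brave-browser\\user data\\": {"brave.exe"},
    "\\mozilla\\firefox\\profiles\\": {"firefox.exe"},
}
# File names LaZagne- and HackBrowserData-style tools read or copy (lowercase).
CREDENTIAL_FILES = {"login data", "web data", "cookies", "local state",
                    "logins.json", "key4.db", "cookies.sqlite"}
READ_DATA = 0x1  # ACCESS_MASK bit FILE_READ_DATA; copying a file sets it too


def classify(event: dict):
    """Alert dict when a 4663 event shows a foreign process reading a credential
    store under a browser profile; None for everything else."""
    if event.get("EventID") != 4663:
        return None
    try:
        if not int(event.get("AccessMask", "0x0"), 16) & READ_DATA:
            return None
    except ValueError:
        return None
    path = event.get("ObjectName", "")
    lower = path.lower()
    if lower.rsplit("\\", 1)[-1] not in CREDENTIAL_FILES:
        return None
    proc = event.get("ProcessName", "").rsplit("\\", 1)[-1].lower()
    for fragment, owners in BROWSER_OWNERS.items():
        if fragment in lower:
            if proc in owners:
                return None  # the browser touching its own profile: expected noise
            return {"process": proc, "pid": event.get("ProcessId"),
                    "user": event.get("SubjectUserName"), "file": path,
                    "browser": fragment.strip("\\").split("\\")[1]}
    return None


def detect(lines) -> list:
    """Run classify() over JSON lines and return the alerts in log order."""
    alerts = []
    for line in lines:
        alert = classify(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample log: benign browser access, two stealer-style reads, an
# unrelated document read and a process-creation event that must be ignored.
CHROME_PROFILE = "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\"
EDGE_PROFILE = "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\"
SAMPLE_EVENTS = [
    json.dumps({"EventID": 4663, "SubjectUserName": "alice", "ProcessId": "0x1a2c",
                "ProcessName": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
                "ObjectName": CHROME_PROFILE + "Login Data", "AccessMask": "0x1"}),
    json.dumps({"EventID": 4663, "SubjectUserName": "alice", "ProcessId": "0x2f10",
                "ProcessName": "C:\\Users\\alice\\Downloads\\tools\\python.exe",
                "ObjectName": CHROME_PROFILE + "Login Data", "AccessMask": "0x1"}),
    json.dumps({"EventID": 4663, "SubjectUserName": "alice", "ProcessId": "0x3b04",
                "ProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                "ObjectName": EDGE_PROFILE + "Network\\Cookies", "AccessMask": "0x1"}),
    json.dumps({"EventID": 4663, "SubjectUserName": "alice", "ProcessId": "0x4410",
                "ProcessName": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
                "ObjectName": "C:\\Users\\alice\\Documents\\report.docx", "AccessMask": "0x1"}),
    json.dumps({"EventID": 4688, "SubjectUserName": "alice", "NewProcessId": "0x2f10",
                "NewProcessName": "C:\\Users\\alice\\Downloads\\tools\\python.exe",
                "CommandLine": "python.exe laZagne.py browsers"}),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[!] {a['user']} pid={a['pid']} {a['process']} read {a['browser']} store: {a['file']}")
```

Event 4663 is only emitted when "Audit File System" is enabled and a SACL covering the profile directories is in place, which is the auditing setup the article walks through; without it the detection has no input. Tools that copy the database first still trip the rule, because the copy is a read by the copying process, and the matching 4688 record (as in the last sample line) gives you the command line to pivot on.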

🧰 Bert-JanP/Open-Source-Threat-Intel-Feeds
A list of Open Source freely usable Threat Intel feeds that can be used to perform threat hunting in your EDR or SIEM solution to hunt for malicious activity.
📧 Wrapping up
If you enjoyed this newsletter and think others would too, it would mean a lot to us if you forwarded this email to other people who may enjoy it as well. You can also reply to this email; I'd love to get in touch with you.
Thanks,
Sebas
@0xroot | @secpillsnews