- Security Pills
- Posts
- Security Pills - Issue 49
Security Pills - Issue 49
Blind CSS Exfiltration, Extracting Training Data from ChatGPT, How Adversaries Infiltrate AWS Cloud Accounts
Sebas Guerrero
December 11, 2023
Release Date: 11th December 2023 | Issue: 49 | Subscribe
The Security Pills newsletter is a hand curated zine (delivered once per week) that highlights security related-news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.
Sponsor
Would you like to become a sponsor for our newsletter? Our mission is to highlight security-related news with a focus on quality content, while we help people staying up to date with this corner of the industry.If you are interested, reach out to [email protected] with your ad idea to get started!
Hey there π,
Hope you all had a great weekend. Have you been using the Notion database? I would love to hear your feedback!
Just a heads-up: next week's issue will be our last before we take a short break for the Christmas holidays. Iβm planning to use this time to bring in some new features and fine-tune our newsletter. Don't worry, we'll be back on January 8th!
As always, sit comfortably and enjoy todayβs newsletter with a cup of coffee βοΈ . I suggest visiting our website to view this edition in full, as there's a good chance that your email service may have clipped the content.
π οΈ Application Security β Log4Shell - Different avenues of exploitation | Blind CSS Exfiltration | DNS-Analyzer | sessionprobe.
βοΈ Blockchain β A Guide to Solana for Ethereum Analysts | evmole.
π‘οΈBlue Team β Detecting Resource-Based Constrained Delegation Abuse | How to Rotate Leaked API Keys | Attack Surface Reduction Generator.
βοΈ Cloud Security β Preventing Accidental Internet-Exposure of AWS Resources | Using Falco to Create Custom Identity Detection | How adversaries infiltrate AWS cloud accounts | Awesome-Azure-Pentest | cloudtrail2sightings.
π³ Container Security β What Is GitOps and Why Is It (Almost) Useless? | Considerations for Keeping Images Up to Date.
π€ Machine Learning β Extracting Training Data from ChatGPT | Guidelines for secure AI system development | Using AI to Automatically Fuzz Rust Projects from Scratch | azurechat.
π± Mobile Security β Frida-Labs | dexcalibur.
βοΈ Red Team β Creating an OPSEC safe loader for Red Team Operations | Spoofing DNS Records by Abusing DHCP DNS Dynamic Updates | Making Okta do keylogging for you | ADOKit | m365-fatigue.
π¦οΈ Supply Chain β Hijackable Go Module Repositories | How GitLbaβs Red Team automates C2 testing | kubeclarity.
π΅οΈ Threat Hunting β From Threat Report to (KQL) Hunting Query | From Logs to Detection | Dots do matter.
Log4Shell - different avenues of exploitation
Oleksandr Velykyi revisits the Log4Shell vulnerability, highlighting its continued threat through deserialization attacks. He specifically demonstrates how certain patched versions (1.8.0_372) remain vulnerable, and recommends upgrading the Log4j2 library itself and place the servers behind a WAF while the upgrading process takes place.
Blind CSS Exfiltration: exfiltrate unknown web pages
PortSwigger's Gareth Heyes writes on content exfiltration using CSS attribute selectors (including the new :has selector). Gareth also delves into techniques for extracting substantial data volumes via @import chaining and shares a blind CSS exfiltration tool.
π§° DNS-Analyzer
Timo Longin's Burp extension for finding DNS vulnerabilities in web applications. The author has also published an in-depth guide on how to use the tool.
π§° sessionprobe
Built by Florian Walter, this multi-threaded tool assists in evaluating user privileges in web applications. Intended for use with Burp Suite, it utilizes a user's session token to assess access to a list of URLs, highlighting potential authorization issues. Additionally, it deduplicates URL lists and provides real-time logging and progress tracking.
A Guide to Solana for Ethereum Analysts
Andrew Hong provides a guide for Ethereum analysts to understand Solana, covering transactions, contract patterns and protocol counterparts and explaining the differences in concepts such as blocks, accounts, instructions, and program types.
π§° evmole
A tool by Maxim Andreev to extract function selectors from EVM bytecode (tested on Solidity and Vyper contracts), including unverified contracts. An online version is also available for testing.
Detecting Resource-Based Constrained Delegation Abuse
Stephan Wolfert provides a thorough analysis of how to monitor Windows event logs to detect RBCD (Resource-Based Constrained Delegation) attacks. He emphasizes the importance of specific Event IDs: 4769 for Kerberos service ticket requests, 5136 for modifications in directory service objects, and 4741 for the creation of computer accounts. Wolfert outlines a detailed approach to identifying RBCD abuse, offering guidance on establishing a detection system with varying levels of importance to alert of potential RBCD abuses.
How to Rotate Leaked API Keys
Truffle Security offers an open-source collection of API key rotation tutorials for various platforms including Azure, GCP, AWS, Slack, and more. The tutorials provide detailed, step-by-step guidance for remedying a leaked API key security issue.
Attack Surface Reduction Generator
Michael Haggis shares a toolkit for mastering ASR rules in Microsoft Defender. The project includes a user-friendly configurator for ASR rules, complete with PowerShell command generation, and a suite of scripts for evaluating ASR rule effectiveness, among other features.
Preventing Accidental Internet-Exposure of AWS Resources
Kevin Hock details strategies for preventing accidental Internet exposure of AWS resources in VPCs. He advises against using Internet Gateways, while offering alternatives to support Egress use-case, like Transit Gateway, PrivateLink with a proxy, Gateway Load Balancer with Firewall, VPC Sharing, and IPv6 Egress. Each option is evaluated for cost, complexity, and security efficacy, aiding in secure network design in AWS environments.
Using Falco to Create Custom Identity Detections
Nigel Douglas explores the use of Falco's Okta plugin for enhancing Identity Threat Detection & Response (ITDR) in cloud environments. The article highlights Falco's adaptable rule logic and its ability to create custom rules from Okta audit logs for early threat detection.
Nigel provides a practical example building custom Falco rules to identify potential insider threats and contrasts Falco's efficiency against traditional logging solutions, being one of the caveats how time-consuming can be handling the entire process of manually executing Okta search queries in the web UI of some vendors and managing intricate detection scripts which often results in coverage gaps.
By the same token: How adversaries infiltrate AWS cloud accounts
Red Canary's Thomas Gardner and Cody Betsworth describe how adversaries infiltrate AWS cloud accounts by abusing the Secure Token Service (STS). They dissect how attackers achieve persistence by manipulating short and long-term tokens, leveraging API calls like sts:AssumeRole and sts:GetSessionToken. To counter these threats, the authors suggest strategies like logging CloudTrail event data into a data lake and creating alerts for role chaining events. Additionally, the authors highlight key events to monitor, providing practical insights for detecting compromised identities.
π§° Awesome-Azure-Pentest
A curated list of useful tools and resources for penetration testing and securing Microsoft cloud platform Azure.
π§° cloudtrail2sightings
Built by Zack Allen, this tool converts cloudtrail data to MITRE ATT&CK Sightings, assuming that all the data that it processes comes from an incident, or from attacks in your environment.
What Is GitOps And Why Is It (Almost) Useless?
Andrii Chepik evaluates GitOps, underscoring its inefficiencies in managing diverse environments and handling secrets securely. He contrasts this with the more robust and streamlined approach of CI Ops, particularly in terms of security and cluster management.
You can explore the first part of this series, where Andrii Chepik offers more insights into the nature of GitOps and reasons why it may not suit all scenarios.
Considerations for Keeping Images Up to Date
This article from Chainguard focuses on best practices for updating container images. It underlines the need to grasp semantic versioning (X.Y.Z) for naming and versioning images, and recommends using tags for managing various image versions. Additionally, the article recommends automating updates and suggests using digests for more reliable updates with the digesta-bot tool that automates this process.
Extracting Training Data from ChatGPT
Researchers at Google DeepMind and other institutions have published a paper demonstrating a method to extract several megabytes of ChatGPT's training data for just $200, defying the model's alignment and privacy safeguards.
You can check their paper for additional work on open-source and semi-closed-source models.
Guidelines for secure AI system development
A PDF document that offers guidelines and recommendations on the 4 key areas of secure AI system development: secure design, secure development, secure deployment, and secure operation & maintenance.
Using AI to Automatically Fuzz Rust Projects from Scratch
Kudelski's Nils Amiet introduces Fuzzomatic, an AI-powered tool for automatically generating and refining fuzz targets in Rust projects. Leveraging advanced models like gpt-3.50-turbo and gpt-3.5-turbo-16k, Fuzzomatic demonstrates proficiency in building fuzz targets from scratch and identifying bugs. Nils highlights its efficacy by sharing results from its application on the top 50 most-starred GitHub Rust projects, and discusses Fuzzomatic's dual utility in continuous security enhancement within CI/CD pipelines and proactive bug detection through fuzzing.
π§° azurechat
A tool powered by Azure Open AI Service that allows organizations to deploy a private chat environment within their Azure Subscription. Key features include chatting over data and files, with network traffic being fully isolated within the user's network. The solution can also be integrated with internal services.
π§° Frida-Labs
Ajin Deepak publishes a series of challenges designed for learning Frida for Android, e.g. calling static methods, hooking constructors or calling native functions, among others. Each challenge is accompanied by its own solution, so you can progress without getting stuck.
π§° dexcalibur
An Android reverse engineering platform with a focus on automation in instrumentation. It enables runtime decompilation and disassembly of bytecode, facilitates the search for specific patterns, and processes the gathered data, among many other features.
Creating an OPSEC safe loader for Red Team Operations
Nettitude's Thanos Tserpelis shares a new method for bypassing EDR known as CreateThreadPoolWait using ntdll.dll instead of kernel32.dll. Thanos reviews some choices often used by loaders and presents a loader that uses indirect syscalls via the Tartarus' Gate method.
Spoofing DNS Records by Abusing DHCP DNS Dynamic Updates
Akamai's Ori David discusses new set of attacks against Active Directory domains that use Microsoft Dynamic Host Configuration Protocol (DHCP) servers. These attacks allow attackers to spoof DNS records, potentially leading to credential theft or full domain compromise. The article provides best practices for configuring Microsoft DHCP servers to mitigate these attacks and introduces a tool for detecting risky DHCP configurations.
Making Okta do keylogging for you
Push Security's Luke Jennings explains how how Okta's AD synchronization can be exploited for credential theft. He describes two methods: first, phishing for credentials using a valid, attacker-created Okta tenant, and second, capturing credentials through a watering-hole attack on an already compromised SaaS application.
π§° ADOKit
IBM X-Force Red's Brett Hawkins has published this toolkit that can be used to attack Azure DevOps Services by taking advantage of the available REST API. The tool allows the user to specify an attack module, along with valid credentials for the respective Azure DevOps Services instance. The attack modules supported include reconnaissance, privilege escalation and persistence.
You can get full details on the techniques used by ADOKit in this whitepaper.
π§° m365-fatigue
A tool that automates the authentication process for Microsoft 365 by bombarding the user with MFA requests and storing the access token once MFA is approved. It is designed for use in social engineering, red teaming, and penetration testing scenarios targeting O365/MS-Online users in Azure.
Hijackable Go Module Repositories
VulnCheck's Jacob Baines analyzed the Go module ecosystem and discovered nearly 15,000 repositories vulnerable to repojacking due to GitHub username changes and account deletions. Baines details in this article the algorithm they use to track more than 20 million Go module-versions and demonstrates the ease with which an attacker could hijack the source of a Go module that has been moved or deleted.
How GitLab's Red Team automates C2 testing
Josh Feehs details GitLab's approach to enhancing red team operations using Continuous Mage. This project involves creating a suite of pytest tests for the Mythic C2 framework, ensuring the functionality of the Mythic server and various Mythic-compatible agents. It also integrates GitLab CI/CD pipelines for automatic testing after each code update. This enables iterative development and rapid validation of updates to Mythic or Mythic-compatible C2 agents.
π§° kubeclarity
A tool for detection and management of Software Bill of Materials (SBOM) and vulnerabilities of container images and filesystems. It scans both runtime K8s clusters and CI/CD pipelines for improving your supply chain security.
From Threat Report to (KQL) Hunting Query
Bert-Jan Pals breaks down the process of transforming threat intelligence reports into effective KQL hunting queries. He guides readers on gathering relevant Indicators of Compromise (IOCs) and employing strategies to effectively detect ransomware threats.
From Logs to Detection: Using Snowflake and Panther to Detect K8s Threats
Snowflake's Kyle Derevyanik details using the Kubernetes API audit log for identifying threats, providing examples and strategies for dealing with common risks like unauthorized pod execution, cron job creation and the creation of a privileged pod, among others. Additionally, Kyle shares a Panther detection pack for Kubernetes, including rules and policies mentioned in the article.
Dots do matter: Why dots in Gmail addresses impact Google Workspace investigations
Megan Roddie delves into a particular aspect of Gmail log analysis, highlighting how dotted Gmail addresses can influence the logging of events in Google Workspace Investigations.
π§ Wrapping up
If you enjoyed this newsletter and think others would too, It would mean a lot for us if you'd forward this email to other people who may enjoy it as well. You can also reply to this email, I'd love to get in touch with you.
Thanks,
Sebas
@0xroot | @secpillsnews