Security Pills - Issue 50

Navigating the Maze of Incident Response, Process Injection Using Windows Thread Pools,

Release Date: 18th December 2023 | Issue: 50

The Security Pills newsletter is a hand-curated zine (delivered once per week) that highlights security-related news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.


Hey there 👋,

Hope your weekend was great! I went snowshoeing this weekend — what a fantastic experience!

This will be the last issue for the year, but no worries, we'll be back on January 8th with some new features and improvements. I'm so excited to share with you what I've been building over the past few months.

As always, sit comfortably and enjoy today’s newsletter with a cup of coffee ☕️. I recommend browsing our website to see the entire edition, since it's possible that your email provider might have trimmed some of the content.

  • 🛠️ Application Security — Tricks for Reliable Split-Second DNS Rebinding in Chrome and Safari | Finding that one weird endpoint with Bambdas | TInjA.

  • 🛡️ Blue Team — Understanding Crucial Windows Processes | Navigating the Maze of Incident Response | A Comprehensive Analysis of Outlook Attack Vectors.

  • ☁️ Cloud Security — AWS Organizations Defaults & Pivoting | Detect Runtime Security Threats in Amazon ECS and AWS Fargate | AWS Summarize Account Activity.

  • 🐳 Container Security — The Elastic Container Project for Security Research | terraform-null-label: the why and how it should be used.

  • 🤖 Machine Learning — 2024 AI Predictions and Considerations | Synthetic Recollections | damn-vulnerable-llm-agent.

  • ⚔️ Red Team — Process Injection Using Windows Thread Pools | Decompiler Explorer | avred.

  • 📦️ Supply Chain — Recommended Practices for Managing OSS and SBOM | +1500 HuggingFace API Tokens were exposed.

  • 🕵️ Threat Hunting — Cloudypots: Uncovering Novel Attack Techniques | EDR Telemetry | adversary-emulation-library.

Tricks for Reliable Split-Second DNS Rebinding in Chrome and Safari
Intruder's Daniel Thatcher shares some techniques to achieve reliable, split-second DNS rebinding in Safari using delayed DNS responses and in Chromium-based browsers using AAAA prioritisation. Thatcher's research further reveals how iFrames in Chrome can be used to bypass Private Network Access controls, allowing requests to private networks over HTTP from publicly loaded pages.

Finding that one weird endpoint, with Bambdas
PortSwigger's James Kettle showcases various Bambdas that can be used to uncover unusual behaviors in HTTP endpoints, leading to potential vulnerabilities. These include large redirect responses, responses with multiple closing HTML tags, incorrect content-length, and malformed HTTP headers, among others.

You can find a collection of Bambdas curated by PortSwigger and the community here.

🧰 TInjA
A CLI tool for testing web pages for template injection vulnerabilities. It supports 44 of the most relevant template engines for eight different programming languages. You can test the tool on this playground with different security measures such as sandboxes, encodings and denylists.

Understanding Crucial Windows Processes: Differentiating Normal Operations from Red Flags
This article shares insights on essential Windows processes such as smss, csrss, and wininit, offering guidance on differentiating normal operations from potential security red flags using tools like Process Explorer for effective monitoring and analysis.

Navigating the Maze of Incident Response
A comprehensive 74-page guide by Microsoft Security detailing best practices and recommendations for structuring an effective incident response team. It includes roles and responsibilities, processes, and strategies to efficiently handle incidents and mitigate risks.

The Obvious, the Normal, and the Advanced: A Comprehensive Analysis of Outlook Attack Vectors
Check Point Research's Haifei Li examines various attack vectors in Outlook. The article classifies these into three types: the straightforward hyperlink attacks, the more complex attachment attacks, and the sophisticated advanced attacks involving email reading and special objects. Li emphasizes the risks associated with each, particularly the high security threats posed by advanced attacks that activate without direct user interaction.

AWS Organizations Defaults & Pivoting
Scott Weston and Nick Frichette delve into the default settings of AWS Organizations and how they can be utilized by pentesters and red teamers for strategic pivoting within cloud infrastructures. Their focus includes leveraging account creation, trusted access, and delegated admin roles.

For a deeper dive, Scott Weston's detailed articles on pivoting within AWS organizations can be found here and here.

Detect runtime security threats in Amazon ECS and AWS Fargate, new in Amazon GuardDuty
Amazon Web Services' Sébastien Stormacq introduces Amazon GuardDuty ECS Runtime Monitoring, a new service for detecting security threats in Amazon ECS and AWS Fargate. Utilizing machine learning, anomaly detection, and network monitoring, this feature identifies potential runtime threats such as unauthorized file access, process execution, and network connections in ECS clusters on AWS Fargate and Amazon EC2.

🧰 aws-summarize-account-activity
A tool that analyzes CloudTrail data of a given AWS account and generates a summary of recently active IAM principals, API calls they made and regions that were used. The summary is written to a JSON output file and can optionally be visualized as PNG files.

The Elastic Container Project for Security Research
The Elastic Security Labs team introduces the Elastic Container Project, an open-source tool for easily setting up a local Elastic Stack environment using Docker Compose. Ideal for testing and security research, the project streamlines the deployment of Elastic Stack components and ensures a secure, TLS-encrypted setup.

terraform-null-label: the why and how it should be used
Masterpoint's Matt Gowie delves into the terraform-null-label module, a key solution for establishing a unified naming and tagging standard in an engineering organization's infrastructure. Matt highlights how this module effectively streamlines and simplifies infrastructure management across various projects, emphasizing its importance in large-scale, complex environments.

2024 AI Predictions and Considerations
Kudelski's Nathan Hamiel offers a forward-looking analysis of AI trends for 2024. The author highlights anticipated challenges in adopting generative AI within organizations, raises awareness about the security and privacy risks of deep AI integration, and underscores the growing focus on the environmental and sustainability aspects of generative AI technologies, among other predictions.

Synthetic Recollections
WithSecure's Donato Capitella explores the risks of prompt injection in LLMs within production environments. He details how attackers could manipulate LLM-powered agents to alter their intended actions, potentially leading to harmful outcomes.

🧰 damn-vulnerable-llm-agent
A sample chatbot designed by WithSecure to experiment with prompt injection attacks in ReAct agents. It is powered by a Large Language Model (LLM) ReAct agent and has been implemented with Langchain.

Process Injection Using Windows Thread Pools
SafeBreach's Alon Leviev details the use of Windows thread pools in process injection, presenting eight new undetectable techniques for triggering malicious execution through legitimate actions. These methods surpass existing techniques in flexibility and stealth, eluding detection by five leading EDR solutions. You can also check Leviev's research in his Black Hat EU 2023 talk and access the related tool on the PoolParty GitHub repository.

🧰 Decompiler Explorer
An interactive online tool designed by Vector35 for analyzing and comparing outputs from various popular decompilers, such as Ghidra, IDA Pro, and Binary Ninja.

🧰 avred
A tool by Dobin Rutishauser for red teamers that identifies which parts of a file are detected by an antivirus. It offers detailed context for each match, including section names, verification processes, and references to disassembled code or data. This helps in targeting weaker matches for effective obfuscation.

For a deeper dive, check out Dobin's presentation Analyzing And Reverse Engineering Antivirus Signatures at HITB 2023, and experiment with avred online.

Recommended Practices for Managing Open Source Software and Software Bill of Materials
A 43-page paper published by the NSA about managing open-source software and SBOMs.

You can also read the article Managing Open Source and SBOM's by Aquia’s Chris Hughes, where Hughes offers insights into the NSA's guidelines, covering the four key areas: OSS Management; Creating and Maintaining a Company Internal Secure OSS Repository; OSS Maintenance, Support and Crisis Management; and SBOM Creation, Validation, and Artifacts.

+1500 HuggingFace API Tokens were exposed
Lasso Security's Bar Lanyado found 1681 valid API tokens on Hugging Face and GitHub during his research. This vulnerability exposed top-tier organizations such as Meta, Microsoft, Google, and VMware. These tokens provided potential access to manipulate repositories and datasets, enabling training data poisoning and unauthorized access to proprietary models and datasets, posing a threat to the integrity of widely used machine learning models.

Cloudypots: Our Latest Method for Uncovering Novel Attack Techniques
Cado Security's Nate Bill introduces Cloudypots, an advanced honeypot system employing OpenStack to operate high-interaction VMs for detecting unique attack techniques.

Cloudypots integrates vulnerable services in VMs, uses Thinkst canary tokens for monitoring, and employs a guardrail system with comprehensive security measures and network analysis. This approach has successfully uncovered nearly 200 compromises, mainly from Docker and Jupyter environments, discovering significant threats such as the Qubitstrike and OracleIV campaigns.

🧰 EDR Telemetry
A list of telemetry features from EDR products and other endpoint agents such as Sysmon, broken down by category. You can also read the accompanying article written by Kostas and check the comparison table for various EDR products.

🧰 adversary-emulation-library
A library of adversary emulation plans enabling organizations to test their defensive capabilities against real-world threats.

It includes two types of emulation plans: 'Full Emulation,' which provides a comprehensive method for emulating a specific adversary’s tactics from initial access to exfiltration, and 'Micro Emulation,' which focuses on replicating compound behaviours observed across multiple adversaries, such as remote code execution or DLL sideloading.

For additional insights, explore the accompanying articles on the Adversary Emulation Library and Micro Emulation Plans.

📧 Wrapping up

If you enjoyed this newsletter and think others would too, it would mean a lot to us if you'd forward this email to other people who may enjoy it as well. You can also reply to this email; I'd love to get in touch with you.

Thanks,
Sebas
@0xroot | @secpillsnews