Security Pills - Issue 51

Introducing YARA-Forge, AWS Security Services Best Practices, Weaponizing DHCP DNS Spoofing

Release Date: 8th January 2024 | Issue: 51

The Security Pills newsletter is a hand-curated zine (delivered once per week) that highlights security-related news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.

Sponsor
Would you like to become a sponsor for our newsletter? Our mission is to highlight security-related news with a focus on quality content, while helping people stay up to date with this corner of the industry. If you are interested, reach out to [email protected] with your ad idea to get started!

Hello 👋,

I hope you had a fantastic holiday break and a wonderful New Year. I went on a hike this weekend, got caught in a snowstorm, and have spent the last few days sick—a great way to start the year 😅.

I can't wait to introduce the new things I've been working on throughout this holiday break and share them with you all.

As always, sit comfortably and enjoy today's newsletter with a cup of coffee ☕️. I recommend browsing our website to see the entire edition, since it's possible that your email provider might have trimmed some of the content.

  • 🛠️ Application Security — Parsing MSDN for (Documented) Technique Development | Leverage OSQuery for Discovery and Enumeration | Scaling Vulnerability Management Across Thousands of Services | Intercepting MFA, Phishing and Adversary in The Middle Attacks.

  • 🛡️ Blue Team — Honeypots with VCluster and Falco | Introducing YARA-Forge | Unveiling VISS: A Revolutionary Approach to Vulnerability Impact Scoring.

  • ☁️ Cloud Security — AWS Security Services Best Practices | Cloud Services as Exfiltration Mechanisms | flowpipe | AWSAttacks.

  • 🐳 Container Security — iam-eks-user-mapper | eraser.

  • 📱 Mobile — Frinet: Reverse-Engineering Made Easier | 4-year campaign backdoored iPhones | tamarin-c | flutter-spy.

  • ⚔️ Red Team — Active Directory and internal Pentest Cheatsheets | Ghidriff: Ghidra Binary Diffing Engine | Weaponizing DHCP DNS Spoofing | Kerberos: Key OPSEC Tactics for Red & Blue Teams.

Parsing MSDN for (Documented) Technique Development | 📚️ 3 min.
Signal Labs' Christopher Vella writes on alternative methods for discovering Windows APIs without relying solely on reverse engineering. Vella outlines how Microsoft's official documentation, specifically the naming conventions used in API parameters, can be a rich source for technique development, and illustrates how Google searches and scrutiny of SDK headers can uncover APIs related to specific functionality such as file paths or process operations.

Leverage OSQuery for Discovery and Enumeration | 📚️ 7 min.
Darkwaves' Taha Draidia explores the use of Osquery for system enumeration, avoiding reliance on Living Off the Land Binaries (LOLBins). While primarily focused on Windows, the techniques are applicable to other platforms. The article highlights the versatility of Osquery for security monitoring and introduces OSqueryED, a tool demonstrating Osquery's interactive shell capabilities for detailed Windows machine enumeration.

Scaling vulnerability management across thousands of services and more than 150 million findings | 📚️ 8 min.
GitHub's Stephan Miehe provides an insightful walkthrough of GitHub's approach to scaling vulnerability management, emphasizing automation of repeatable tasks and integration within existing developer systems like the GitHub PR workflow and Issues.

The article outlines key requirements and best practices for systematic risk reduction, including clear accountability and the use of analytics to prioritize actions. It also introduces Security Findings, GitHub's internal tool that deduplicates findings from various sources such as GitHub Advanced Security and bug bounty programs. This tool offers custom views for different contexts, efficiently manages exceptions, and integrates with Slack for streamlined communication.

Intercepting MFA. Phishing and Adversary in The Middle attacks | 📚️ 10 min.
Pen Test Partners' Adam Harwood discusses the rise of adversary in the middle (AITM) attacks, where attackers intercept multi-factor authentication (MFA) tokens through phishing and manipulation of conditional access policies. Adam provides a high-level overview of the attack methodology and suggests security measures to prevent such attacks, including training employees to identify suspicious emails, using password managers, implementing geographical restrictions, and enabling anti-phishing policies and URL filtering.

Honeypots with vcluster and Falco: Episode II | 📚️ 12 min.
Sysdig's Jason Andress discusses the development of honeypots using vcluster and Falco, along with other open-source tools. The article focuses on overcoming certain limitations by adopting a cloud-native approach on AWS EC2 and introducing active response mechanisms, specifically through Falco Talon and Falcosidekick, to automate actions when Falco rules are triggered.

Introducing YARA-Forge. Streamlined Public YARA Rule Collection | 📚️ 8 min.
Nextron Systems' Florian Roth unveils YARA Forge, a new tool to efficiently manage and analyze YARA rules. It evaluates rules for consistency and performance, offering optimized rulesets. Currently, YARA Forge incorporates rules from 20 public repositories, streamlining the process of accessing and using high-quality rules.

Unveiling VISS: a revolutionary approach to vulnerability impact scoring | 📚️ 2 min.
Zoom's Roy Davis introduces the Vulnerability Impact Scoring System (VISS), a novel OSS project aiming to reshape vulnerability assessment and incident response. Differing from the Common Vulnerability Scoring System (CVSS), which focuses on worst-case scenarios from an attacker's viewpoint, VISS assesses vulnerabilities from a defender's perspective, emphasizing actual impact over theoretical risks.

You can also check the complete VISS specification for additional information.

AWS Security Services Best Practices | 📚️ 2 min.
An AWS guide on optimally configuring key AWS security services. The initial release of this guide delves into Amazon Detective, GuardDuty, Inspector, Macie, and AWS Security Hub, offering detailed best practices.

Cloud services as exfiltration mechanisms | 📚️ 7 min.
Airwalk Reply's Costas Kourmpoglou presents an ingenious method for attackers to exfiltrate sensitive data from a network without permissions, circumventing data perimeter IAM conditions.

The technique involves sending a request to an attacker-controlled S3 bucket with the exfiltration data included. Interestingly, even if the request is denied, the data is still captured via S3 server access logging and then delivered to the attacker's logging bucket, effectively leaking the information.

🧰 flowpipe 
A cloud scripting engine that enables automation and workflow orchestration across multiple clouds. It allows users to connect cloud data to people and systems through email, chat, and APIs, and supports running containers and custom functions as part of complex workflows.

🧰 AWSAttacks 
A curated collection of Indicators of Compromise (IoCs) by Himanshu Anand that can aid in the early detection and mitigation of AWS-related threats.

You can also read the companion blog post.

🧰 iam-eks-user-mapper 
A tool to automatically give selected AWS IAM users access to your Kubernetes cluster by syncing IAM groups and updating the aws-auth configmap in the cluster.

🧰 eraser 
A tool to help Kubernetes admins remove a list of non-running images from all Kubernetes nodes in a cluster.

Frinet: reverse-engineering made easier | 📚️ 10 min.
Synacktiv's Louis Jacotot and Martin Perrier present a Frida-based tracer for easier reverse engineering across platforms. Integrating Frida with Tenet, Frinet addresses the limitations of static and dynamic analysis, facilitating better execution trace exploration and generation, especially for complex, multi-architectural systems. The tool includes an adapted Tenet plugin with advanced features like Call Tree view and Memory Search, offering a comprehensive solution for vulnerability research and root cause analysis.

4-year campaign backdoored iPhones using possibly the most advanced exploit ever | 📚️ 4 min.
A sophisticated hacking campaign lasting four years targeted iPhones using four zero-day vulnerabilities, including one in an undocumented hardware feature that few, if anyone, outside of Apple and chip suppliers such as ARM Holdings knew of.

For an in-depth exploration, read the research from Boris Larin, Leonid Bezvershenko, and Georgy Kucherin in their detailed analysis.

Further insights are also available in their presentation at the 37th Chaos Communication Congress (37C3).

🧰 tamarin-c
A tool by Thomas Roth for exploring USB-C on Apple devices using the Tamarin C Hardware.

You can also check out Thomas' presentation at the 37th Chaos Communication Congress (37C3).

🧰 flutter-spy
A tool designed to provide code analysis and data extraction capabilities from Flutter apps, including API endpoints, URLs, used packages, environment variables and config files among others.

Active Directory and Internal Pentest Cheatsheets | 📚️ 7 min.
A collection of cheatsheets that cover various aspects of internal penetration testing, including enumeration, privilege escalation, lateral movement, persistence, and more.

Ghidriff: Ghidra Binary Diffing Engine | 📚️ 20 min.
An open-source Python package by clearbluejar that leverages the Ghidra software reverse engineering framework to provide command-line binary diffing for patch diffing, writing the result out as Markdown. The article also covers the evolution and significance of binary diffing tools and delves into some of the features implemented in ghidriff.

Weaponizing DHCP DNS Spoofing | 📚️ 10 min.
Akamai's Ori David provides an in-depth analysis of exploiting DHCP DNS Dynamic Updates in Microsoft DHCP servers. Ori describes the methodology for DHCP enumeration, identifying servers, and deducing settings like Name Protection status and DHCP DNS Dynamic Updates configuration. The article also introduces DDSpoof, a Python tool designed to execute and study these attacks.

Kerberos: Key OPSEC Tactics for Red & Blue Teams | 📚️ 5 min.
Intrinsec's Pierre Livet delves into the Kerberoasting attack method. He explains how attackers extract service tickets for accounts with SPNs using tools like Rubeus and then crack these tickets offline to discover weak passwords. Livet also highlights the importance of understanding encryption algorithms in these attacks.

Additionally, the article covers methods to conduct Kerberoasting more covertly and strategies for detecting such discreet attacks.

📧 Wrapping up

If you enjoyed this newsletter and think others would too, it would mean a lot to us if you'd forward this email to other people who may enjoy it as well. You can also reply to this email; I'd love to get in touch with you.

Thanks,
Sebas
@0xroot | @secpillsnews