- Security Pills
- Posts
- π Security Pills - Issue 52
π Security Pills - Issue 52
π How to break into password vaults without using passwords | π One Supply Chain Attack to Rule Them All | πΆβπ«οΈ Fuzzing and Bypassing the AWS WAF
Sebas Guerrero
January 15, 2024
Release Date: 15th January 2024 | Issue: 52 π | Subscribe
The Security Pills newsletter is a hand curated zine (delivered once per week) that highlights security related-news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.
Sponsor
Would you like to become a sponsor for our newsletter? Our mission is to highlight security-related news with a focus on quality content, while we help people staying up to date with this corner of the industry.If you are interested, reach out to [email protected] with your ad idea to get started!
Hello π,
I hope you had a great week! Today's issue is special as it marks our first year of sending Security Pills! π
I'm really grateful to have you as a reader. Your time and interest keep me motivated to continue delivering this weekly issue directly into your inbox.
Enjoy today's issue!
π οΈ Application Security β π How to break into password vaults without using passwords| π Panic!! At the YAML! | π§° vulnerable-apps.
π‘οΈBlue Team β π Detecting Office365 Attacker-in-the-Middle attempts in Azure | π Ghost in the Web Shell | π Real-time LDAP Monitoring for Linux & OpenLDAP | π§° honeydet.
βοΈ Cloud Security β π Bypass Cognito Account Enumeration Controls | π Fuzzing and Bypassing the AWS WAF | π§° cdk-goat.
π³ Container Security β π Real Time Threat Detection for Kubernetes with Atomic Red Tests | π Deep dive into the new Amazon EKS Cluster Access Management features | π§° dive.
π€ Machine Learning β π Introducing the GPT Store | π Prompt engineering | π§° galah.
π± Mobile β π Fake Lockdown Mode | π Aidrop tracing.
βοΈ Red Team β π Writing a C2 Implant | π EvilSlackbot: A Slack Attack Framework.
π¦οΈ Supply Chain β π Enforcing Device Trust on Code Changes | π How to automate GitHub Actions pinning across your repos | π One Supply Chain Attack to Rule Them All | π§° cargo-unmaintained | π§° gato.
π΅οΈββοΈ Threat Hunting β π Threat actors misuse OAuth applications to automate financially driven attacks | π Silly EDR Bypasses and Where to Find Them
π Bitwarden Heist - How to break into password vaults without using passwords | π€ RedTeam Pentesting |π 19 min.
This article discusses a vulnerability in Bitwarden's Windows Hello implementation, which allowed for the remote theft of all credentials from the password vault. Although Bitwarden addressed the issue and mitigated the vulnerability in April 2023, the technical details surrounding its exploitation remain quite interesting.
π Panic!! At the YAML | π€ Ron Bowes | π 17 min.
This article provides an overview of SnakeYAML deserialization vulnerabilities and explains how to build a vulnerable application to understand these types of attacks and their causes. The author also offers multiple advisories and resources associated with this vulnerability for deeper insight.
π§° vulnerable-apps | π€Kinnaird McQuade
A collection of over 100 deliberately vulnerable web applications and APIs, which can be used as a pentest practice lab.
π Detecting Office365 Attacker-in-the-Middle attempts in Azure | π€ Niels Hofmans | π 11 min.
A detection trick to start alerting on Office365 account compromise in Azure by using a canary URL and checking the referer HTTP request header against a whitelist, providing an easy detection use case with low noise and high value.
π Ghost in the Web Shell: Introducing ShellSweep | π€ Michael Haag | ποΈ 11 min.
A tool designed to detect and flag potential web shells. It scans multiple directories and file extensions, determining the probability of files being malicious based on their entropy
π LDAP Watchdog: Real-time LDAP Monitoring for Linux and OpenLDAP | π€Joshua Alexander | ποΈ 7 min.
A real-time linux-compatible LDAP monitoring tool for detecting directory changes, providing visibility into additions, modifications, and deletions for administrators and security researchers.
π§° honeydet | π€ James Brine
A signature based, multi-threaded honeypot detection tool in Golang, which can be run either as a web server, a CLI or a web API and supports hex, string and regex detection methods on TCP and UDP.
π§° osqtool | π€Chainguard
A tool for automated testing, generation and manipulation of osquery packs.
π Bypass Cognito Account Enumeration Controls | π€ Nick Frichette | ποΈ 4 min.
An article on how attackers can leverage the cognito-idp:SignUp API call to bypass the Prevent User Existence Errors configuration in Amazon Cognito, enabling them to determine whether a user account exists.
π Fuzzing and Bypassing the AWS WAF | π€ Daniele Linguaglossa | ποΈ 6 min.
The Sysdig Threat Research Team bypassed the AWS WAF using a specialised DOM event. To achieve this they developed a fuzzer, drawing on PortSwigger's XSS reference, to automate the identification of unfiltered tags and attributes. These elements were then combined to create effective payloads that could bypass the firewall's detection. The team utilised Selenium to confirm the execution of these payloads, simulating user interactions and monitoring functions like 'alert', 'prompt', and events such as 'click', and 'focus'.
After all this process, the Sysdig team identified that the onbeforetoggle event wasn't caught by the WAF!
π§° cdk-goat | π€Avishay Bar
A vulnerable AWS Cloud Development Kit (CDK) infrastructure, primarily designed to showcase the deployment of a containerized vulnerable application (DVPWA) within an AWS environment.
π Better Together: Real Time Threat Detection for Kubernetes with Atomic Red Tests & Falco | π€Nigel Douglas | ποΈ 13 min.
A step-by-step guide on how the open-source Falco tool can detect Atomic Red Team tests in real time within Kubernetes environments.
π Deep dive into the new Amazon EKS Cluster Access Management features | π€Christophe Tafani-Dereeper & Martin McCloskey | ποΈ 16 min.
A discussion on the new Amazon EKS Cluster Access Management feature, which simplify granting and managing access to EKS clusters by using the AWS API. The authors also discuss threat detection opportunities based on the newly available CloudTrail events associated with this feature.
π§° dive | π€ Alex Goodman
A tool for exploring a Docker image, layer contents, and identify how to shrink the size of your Docker/OCI image
π Introducing the GPT Store | π 3 min.
OpenAI introduces the GPT Store, allowing ChatGPT Plus, Team, and Enterprise users to access and utilize custom GPTs created by the community and partners.
π Prompt engineering | π€ OpenAI |π 29 min.
A collection of strategies and tactics designed to improve the performance of large language models like GPT-4. It includes techniques such as providing specific instructions, using delimiters, and compensating for the model's weaknesses with other tools.
π§° galah | π€ Adel Karimi
An LLM-powered web honeypot using the OpenAI API.
π Fake Lockdown Mode | π€Hu Ke & Nir Avraham | ποΈ 10 min.
A post-exploitation tampering method that falsely replicates the visual indicators of iOS Lockdown Mode. This technique has not yet been observed in the wild and requires the device to have been previously compromised.
π Airdrop tracing β A Few Thoughts on Cryptographic Engineering | π€ Matthew Green | ποΈ 13 min.
This attack is not exactly new, dating back to 2019 when researchers reverse-engineered the Apple AirDrop protocol and discovered several privacy concerns (You can read the resulting paper here). However, recent news claims that Chinese authorities have exploited this vulnerability to identify senders sharing 'unauthorized content' over AirDrop, potentially suppressing its use in China and Hong Kong
π Maelstrom #4: Writing a C2 Implant | π€ Michael Ranaldo & Mez0 | π 30 min.
An article that delves into the background and development of offensive and defensive techniques around implants, as well as the functions and code required for a contemporary Stage 0 and Stage 1.
π EvilSlackbot: A Slack Attack Framework | π€Andrew Steinberg |π 6 min.
A Slack attack framework that allows users to send spoofed messages, phishing messages, and file attachments, as well as search for secrets within Slack workspaces.
π Enforcing Device Trust on Code Changes | π€ Griffin Choe |ποΈ 11 min.
Discover how Figma has built a custom commit signature verification system that ensures changes merged into sensitive branches in GitHub and deployed to production originate from trusted company devices
π How to automate GitHub Actions pinning across your repos, for better security | π€ Juan Antonio Osorio & Jakub Hrozek | ποΈ 11 min.
A quick overview of how Minder can assist in automatically enabling and enforcing common GitHub security settings for your repositories. This is especially useful with the new open-source command-line utility, Frizbee, designed to pin GitHub Actions to a checksum and scale this security practice across all the repositories of an organization.
π One Supply Chain Attack to Rule Them All | π€Adnan Khan | ποΈ 24 min.
A masterclass on the risks associated with using self-hosted runners on public repositories, and how a misconfiguration in GitHub's own actions/runner-images repository exposed secrets and provided access to GitHub's internal infrastructure. A vulnerability that could have been exploited to conduct a supply chain attack against every GitHub customer using hosted runners.
π§° cargo-unmaintained | π€ Trail of Bits
Find unmaintained packages in Rust projects automatically using heuristics, rather than relying on users to manually submit them to the RustSec Advisory Database.
π§° gato | π€ Adnan Khan
An enumeration and attack tool that allows blue teamers and offensive security practitioners to identify and exploit pipeline vulnerabilities within a GitHub organization's public and private repositories. The tool has post-exploitation features to leverage a compromised personal access token in addition to enumeration features to identify poisoned pipeline execution vulnerabilities against public repositories that use self-hosted GitHub Actions runners.
π Threat actors misuse OAuth applications to automate financially driven attacks | π€ Microsoft Threat Intelligence | π 20 min.
This article discusses how threat actors compromise user accounts through phishing or password spraying attacks and then create or modify OAuth applications with high-privilege permissions. These permissions are used to deploy virtual machines for cryptocurrency mining, establish persistence through business email compromise, and launch spamming activities using the organization's resources and domain name.
π Silly EDR Bypasses and Where To Find Them | π€ Marcus Hutchins | ποΈ 14 min.
Hutchins continues his series on techniques for bypassing EDR hooks. This time, he includes time-of-check to time-of-use (TOCTOU), hardware breakpoints, and intentional exceptions. He also publishes EDRception, a proof of concept for abusing exception handlers to hook and bypass user mode EDR hooks.
You can also check out the first part of his series, where he reviews Windows system calls and how they are implemented through a series of call stacks.
π§ Wrapping up
If you enjoyed this newsletter and think others would too, It would mean a lot for us if you'd forward this email to other people who may enjoy it as well. You can also reply to this email, I'd love to get in touch with you.
Thanks,
Sebas
@0xroot | @secpillsnews