💊 Security Pills - Issue 53

💥 178k SonicWall Firewalls Are Publicly Exploitable | 👾 Detecting iOS Malware via Shutdown.log File | ⛓️ The State of Software Supply Chain Security 2024

Release Date: 22nd January 2024 | Issue: 53 | Subscribe

The Security Pills newsletter is a hand-curated zine (delivered once per week) that highlights security-related news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.

Sponsor
Would you like to become a sponsor for our newsletter? Our mission is to highlight security-related news with a focus on quality content, while helping people stay up to date with this corner of the industry. If you are interested, reach out to [email protected] with your ad idea to get started!

🛠️ Application Security

📑 It’s 2024 and Over 178,000 SonicWall Firewalls are Publicly Exploitable | 👤 Jon Williams
A technical write-up on two unauthenticated denial-of-service vulnerabilities, with the potential for remote code execution, affecting SonicWall next-generation firewalls.

A proof of concept is also available to determine whether a device is vulnerable without crashing it.

🧰 Burp-Montoya-Utilities | 👤 Corey Arthur
A collection of utilities for building extensions using Burp's Montoya API.

🧰 ezghsa | 👤 Christopher Sang
A command-line tool for summarizing and filtering vulnerability alerts for GitHub users, organizations, or a specific set of repositories.

🛡️ Blue Team

📑 Hunting M365 Invaders: Blue Team's Guide to Initial Access Vectors | 👤 Mauricio Velazco
This guide focuses on detecting and mitigating initial access techniques used by threat actors in Microsoft 365 environments. It outlines the data sources available for M365 monitoring, demonstrates how to simulate these techniques, and explains how teams can effectively detect them using Splunk.

📑 Combating Emerging Microsoft 365 Tradecraft: Initial Access | 👤 Matt Kiely
This article explains how the Huntress team built their approach to combating initial access threats in Microsoft 365. By integrating with Spur, they enrich their event data with contextual information about the IP addresses associated with user activity in order to identify potential threats. This analysis then feeds new detectors focused on anomalous user locations, defensive evasion via VPNs, and credential stuffing in M365.

☁️ Cloud Security

📑 Python-Based Malware Targeting Cloud and Payment Services | 👤 Alex Delamotte
FBot is a multi-function malware that focuses on hijacking cloud, SaaS, and web services, with a secondary focus on obtaining accounts to conduct spamming attacks.

📑 Best practice rules for Amazon Web Services | 👤 Trend Micro
A collection of over 750 cloud infrastructure configuration best practices for Amazon Web Services. This growing list covers AWS security, configuration, and compliance rules, along with instructions for auditing each service through the AWS console or CLI and remediation guidance to keep your cloud infrastructure compliant and well governed.

Also, check out the best practice rules for Microsoft Azure and Google Cloud environments.

🧰 aws-scps-for-sandbox-and-training-accounts | 👤 Michael Kirchner
A collection of example Service Control Policies (SCPs) that are useful for sandbox and training AWS accounts.

🗳️ Container Security

📑 Automating Managed Identity Token Extraction in Azure Container Registries | 👤 Karl Fosaaen
A detailed analysis of creating a malicious Azure Container Registry (ACR) task, which attackers can exploit to generate and export tokens for any Managed Identities attached to the ACR.

The tool that automates this attack path is included in MicroBurst.

📑 Kubernetes security: Safeguarding your container kingdom | 👤 Red Canary
An overview of Kubernetes security, including the components of a Kubernetes environment and the "4Cs" model of cloud-native security. It discusses the different threat categories and considerations for code, container, and cluster security, highlighting potential vulnerabilities and attack vectors.

📑 Deep dive into AWS CloudShell | 👤 Aidan Steele
The author explores AWS CloudShell's new capability to run Docker containers, delving into the inner workings of the environment. This includes examining container escape and credential retrieval.

🧰 oci-seccomp-bpf-hook | 👤 Valentin Rothberg
An OCI hook that generates seccomp profiles by tracing the syscalls a container makes. The generated profile permits every syscall that was observed and denies all others, so it is only as complete as the code paths exercised while tracing.
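To make the allow-list shape of such a profile concrete, here is an added example (not the hook's own code, which traces with eBPF rather than reading text) that derives the allowed syscall set from a constructed strace-style trace, emits an OCI seccomp profile JSON with a deny-by-default action, and then shows the coverage gap that appears when the workload later takes a code path that was not exercised during tracing. The trace lines, the choice of `SCMP_ACT_ERRNO` as the default action and the x86_64-only architecture list are assumptions of this example.

```python
import json
import re

# Constructed strace-style trace of a tiny container workload; these are not real
# lines captured by the hook or from any production container.
SAMPLE_TRACE = """\
execve("/bin/sh", ["sh", "-c", "cat /etc/hostname"], 0x7ffd3a) = 0
brk(NULL) = 0x55d0c0
arch_prctl(ARCH_SET_FS, 0x7f1e40) = 0
openat(AT_FDCWD, "/etc/hostname", O_RDONLY) = 3
read(3, "web-1\\n", 131072) = 6
write(1, "web-1\\n", 6 <unfinished ...>
<... write resumed>) = 6
close(3) = 0
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED} ---
exit_group(0) = ?
+++ exited with 0 +++
"""

# A second constructed trace: the same image exercising a code path (a network call)
# that was not hit while the profile was being generated.
NETWORK_TRACE = """\
socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
connect(3, {sa_family=AF_INET, sin_port=htons(443)}, 16) = 0
write(3, "GET / HTTP/1.0\\r\\n\\r\\n", 18) = 18
close(3) = 0
"""

# Matches "name(" at the start of a line, optionally prefixed with strace's "[pid N]".
SYSCALL_RE = re.compile(r"^(?:\[pid\s+\d+\]\s+)?([a-z_][a-z0-9_]*)\(")


def syscalls_from_trace(trace):
    """Return the sorted set of syscall names observed in an strace-style text trace."""
    names = set()
    for line in trace.splitlines():
        line = line.strip()
        # Skip signal delivery, exit markers and the second half of an interrupted call.
        if not line or line.startswith(("---", "+++", "<...")):
            continue
        match = SYSCALL_RE.match(line)
        if match:
            names.add(match.group(1))
    return sorted(names)


def build_profile(names, architectures=("SCMP_ARCH_X86_64",)):
    """Build an OCI seccomp profile: allow exactly `names`, return EPERM for anything else."""
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": list(architectures),
        "syscalls": [{"names": list(names), "action": "SCMP_ACT_ALLOW"}],
    }


def is_allowed(profile, name):
    """Evaluate a single syscall name against the profile's rules and default action."""
    for rule in profile["syscalls"]:
        if name in rule["names"]:
            return rule["action"] == "SCMP_ACT_ALLOW"
    return profile["defaultAction"] == "SCMP_ACT_ALLOW"


def uncovered_syscalls(profile, trace):
    """Syscalls a new trace exercises that the profile would block: the coverage gap."""
    return [name for name in syscalls_from_trace(trace) if not is_allowed(profile, name)]


if __name__ == "__main__":
    profile = build_profile(syscalls_from_trace(SAMPLE_TRACE))
    print(json.dumps(profile, indent=2))
    # A workload path not exercised during tracing shows up as a gap.
    print("blocked by profile:", uncovered_syscalls(profile, NETWORK_TRACE))
```

The practical consequence is the last line: `connect` and `socket` are reported as blocked because the tracing run never made a network call. Before shipping a generated profile, drive the container through every code path it is expected to take (health checks, log rotation, signal handling) and compare a fresh trace against the profile the same way.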

🤖 Artificial Intelligence

📑 Demystifying LLMs and Threats. Based off of my presentation for CSA | 👤 Caleb Sima
This is a comprehensive overview of LLMs, explaining how they work, their application in enterprise settings, and the threats and mitigations associated with AI/ML.
You can also view the video version.

📑 LVE Repository | 👤 LVE Project
A repository for the community to document, track and discuss Language Model Vulnerabilities and Exposures (LVEs).

📱 Mobile

📑 Emulating, Patching, and Automating | 👤 Jeroen Beckers
A step-by-step guide on decrypting custom encrypted strings in an Android arm64 app, including creating a test app, using the Ghidra emulator for manual intervention, and automating the decryption process with Python.

📑 Detecting iOS malware via Shutdown.log file | 👤 Maher Yamout
An overview of the Shutdown.log file on iOS devices and how it can be used to detect malware infections such as Pegasus.

The author has published several Python scripts that automate the analysis process by helping to extract, analyze, and parse the Shutdown.log artifact.

📑 Android-based PAX POS vulnerabilities | 👤 Adam Kliś & Hubert Jasudowicz
This technical walkthrough covers six different vulnerabilities, ranging from local code execution to privilege escalation and bootloader downgrade, affecting POS devices made by PAX Technology. It’s likely one of the most commonly used devices in recent years in my area 😅.

⚔️ Red Team

📑 How to protect Evilginx using Cloudflare and HTML Obfuscation | 👤 Jack Button | 📚 10min.
A step-by-step guide on how to keep an Evilginx deployment from being flagged as deceptive by combining Cloudflare's "under attack mode" with HTML obfuscation techniques.

📑 Calling Home, Get Your Callbacks Through RBI | 👤 Lance Cain & Alexander DeMine | 📚 22min.
A technical deep dive that discusses methods to bypass remote browser isolation (RBI) technology during offensive assessments, focusing on payload ingress, command and control (C2) egress, and RBI bypass techniques.

🧰 Realm | 👤 Hulto
A cross-platform red team engagement platform with a focus on automation and reliability.

🧰 cve-maker
A CLI tool to find CVEs and their respective exploits using NIST, ExploitDB and GitHub databases.

📦 Supply Chain

📑 Identify Slack Workspace Names from Webhook URLs | 👤 Joseph Leon | 📚 2min.
An introduction to whoamislack, a tool to enumerate Slack workspace names from Slack webhook URLs.

📑 Deceptive Deprecation: The Truth About npm Deprecated Packages | 👤 Ilay Goldman & Yakir Kadkoda | 📚 9min.
A discussion of the deceptive deprecation gap in npm packages: many maintainers deprecate their packages instead of addressing security flaws, a practice that leaves developers unaware of the vulnerabilities and creates opportunities for attackers.

The authors also introduce their tool, the Dependency Deprecation Checker, which scans a package.json file and checks for dependencies that rely on deprecated packages.
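The point of the article is that a project's direct dependencies may look healthy while something further down the tree has been deprecated rather than fixed. The following is an added example (not the authors' Dependency Deprecation Checker) that walks a lockfile-v3 `packages` map from the root's direct dependencies, looks each installed version up in registry metadata, and reports any deprecated package together with the path that pulls it in. The lockfile, the registry metadata and the package names are all constructed for the example; the only real-world detail relied on is that the npm registry exposes a per-version `deprecated` string when a maintainer runs `npm deprecate`.

```python
import json

# Constructed package-lock.json (lockfileVersion 3 layout) for a made-up project.
LOCKFILE = json.loads("""{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"web-framework": "^2.0.0", "safe-lib": "^1.0.0"}},
    "node_modules/web-framework": {"version": "2.3.1", "dependencies": {"old-parser": "^0.9.0"}},
    "node_modules/old-parser": {"version": "0.9.4"},
    "node_modules/safe-lib": {"version": "1.2.0"}
  }
}""")

# Constructed stand-in for registry metadata (offline); in the real registry this is the
# per-version document, where `deprecated` is a free-text string set by the maintainer.
REGISTRY = {
    "old-parser": {"versions": {"0.9.4": {"deprecated": "no longer maintained, use new-parser"}}},
    "web-framework": {"versions": {"2.3.1": {}}},
    "safe-lib": {"versions": {"1.2.0": {}}},
}


def installed_packages(lock):
    """Map package name -> installed version and declared dependencies (lockfile v2/v3).

    Simplification: nested installs (node_modules/a/node_modules/b) are keyed by their
    final name, so a project with two versions of the same package keeps only one here.
    """
    out = {}
    for path, meta in lock["packages"].items():
        if not path:  # "" is the root project itself
            continue
        name = path.rsplit("node_modules/", 1)[-1]  # also correct for @scope/name
        out[name] = {"version": meta["version"], "deps": meta.get("dependencies", {})}
    return out


def deprecation_message(registry, name, version):
    """Return the registry's deprecation notice for name@version, or None."""
    return registry.get(name, {}).get("versions", {}).get(version, {}).get("deprecated")


def find_deprecated(lock, registry):
    """Depth-first walk from the root's direct dependencies.

    Returns {package: {"version", "path", "message"}} for every reachable deprecated
    package, so a clean direct dependency that drags in a deprecated one is still caught.
    """
    pkgs = installed_packages(lock)
    findings = {}
    stack = [(dep, [dep]) for dep in lock["packages"][""].get("dependencies", {})]
    visited = set()
    while stack:
        name, path = stack.pop()
        if name in visited or name not in pkgs:
            continue
        visited.add(name)
        version = pkgs[name]["version"]
        message = deprecation_message(registry, name, version)
        if message:
            findings[name] = {"version": version, "path": " > ".join(path), "message": message}
        for child in pkgs[name]["deps"]:
            stack.append((child, path + [child]))
    return findings


if __name__ == "__main__":
    for name, hit in find_deprecated(LOCKFILE, REGISTRY).items():
        print(f"{name}@{hit['version']} via {hit['path']}: {hit['message']}")
```

Note that `safe-lib` and `web-framework` pass, and only the walk through `web-framework`'s own dependencies surfaces `old-parser`. In a real run the registry lookup would be an HTTP fetch per package; the deprecation string itself is worth surfacing verbatim, since maintainers often use it to point at the replacement.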

📑 The State of Software Supply Chain Security 2024 | 👤 ReversingLabs | 📚 42min.
This detailed report covers supply chain security and the trends in malicious dependencies. It documents a significant increase in malicious packages on platforms such as npm and PyPI, and emphasizes the need for improved security measures.

🕵 Threat Hunting

📑 Intelligence Failure in Threat Detection | 👤 Amitai Cohen
This article explores intrusion detection through the lens of branching timelines, aiding defenders in assessing whether an incident has truly occurred and in understanding the adversary's access and subsequent actions. The author offers advice on managing the complexities of threat detection, which includes identifying critical bottlenecks, broadening detection scopes both forward and backward in time, and prioritizing strategies for detection backlogs effectively.

📑 Under the Radar: Your Detections are missing logs — every single run | 👤 Alex Teixeira
An exploration of how time-sensitive parameters in detection rules interact with the time inconsistencies common in log telemetry: wrong clocks at the log origin, incorrect timestamp extraction at ingest, and delivery delays or latency. The author suggests keying certain detections on index time rather than log (event) time, and scheduling delayed detections so that late-arriving events still fall inside the search window.
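To show why a scheduled rule silently misses events, here is an added example (not from the article) that simulates one "failed login" rule running every five minutes over the previous five minutes, under the three strategies the article contrasts: searching on event time, searching on index time, and searching on event time with a deliberate ten-minute delay. The telemetry is constructed: each record carries both the source's own timestamp and the time the SIEM indexed it, and a record is only visible to a run if it had been indexed before that run started. The user names, timestamps, window size and lag are assumptions of the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed telemetry: event_time is the timestamp written by the log source,
# index_time is when the SIEM actually stored the record. Not real log data.
EVENTS = [
    # Normal: indexed 20 s after it happened.
    {"user": "alice", "action": "login_failed",
     "event_time": "2024-01-15T10:01:00Z", "index_time": "2024-01-15T10:01:20Z"},
    # Late arrival: a forwarder backlog delivered it 12 minutes after the fact.
    {"user": "bob", "action": "login_failed",
     "event_time": "2024-01-15T10:02:00Z", "index_time": "2024-01-15T10:14:00Z"},
    # Wrong origin clock: the source is one hour ahead, so event_time is in the future.
    {"user": "carol", "action": "login_failed",
     "event_time": "2024-01-15T11:03:00Z", "index_time": "2024-01-15T10:03:30Z"},
    # Normal, later in the simulation.
    {"user": "dave", "action": "login_failed",
     "event_time": "2024-01-15T10:16:00Z", "index_time": "2024-01-15T10:16:05Z"},
]

WINDOW = timedelta(minutes=5)  # the rule runs every 5 minutes over the previous 5 minutes
SIM_START = datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc)
SIM_END = datetime(2024, 1, 15, 10, 35, tzinfo=timezone.utc)


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def run_once(events, run_at, time_field, lag=timedelta(0)):
    """One scheduled execution of a 'login_failed' rule.

    The rule matches records whose `time_field` falls in [run_at - lag - WINDOW, run_at - lag).
    A record can only be seen if the SIEM had indexed it by the time the rule ran.
    """
    end = run_at - lag
    start = end - WINDOW
    return {
        e["user"] for e in events
        if e["action"] == "login_failed"
        and parse_ts(e["index_time"]) <= run_at      # already searchable at run time?
        and start <= parse_ts(e[time_field]) < end    # inside the rule's time window?
    }


def scheduled_runs(events, time_field, lag=timedelta(0)):
    """Union of everything the rule catches across all scheduled runs in the simulation."""
    caught = set()
    run_at = SIM_START + WINDOW
    while run_at <= SIM_END:
        caught |= run_once(events, run_at, time_field, lag)
        run_at += WINDOW
    return sorted(caught)


def compare_strategies(events=EVENTS):
    """The same rule under the three scheduling strategies discussed in the article."""
    return {
        "event_time": scheduled_runs(events, "event_time"),
        "index_time": scheduled_runs(events, "index_time"),
        "event_time_delayed_10m": scheduled_runs(events, "event_time", lag=timedelta(minutes=10)),
    }


if __name__ == "__main__":
    for strategy, users in compare_strategies().items():
        print(f"{strategy:24s} -> {users}")
```

Searching on event time catches only alice and dave: bob's record was not indexed yet when the window covering 10:02 ran, and by the time it arrived the rule had moved on; carol's record claims a time an hour in the future and never falls inside any window. Searching on index time catches all four, because every record is in the window corresponding to when it actually became searchable. Delaying the event-time search by ten minutes recovers bob (late by 12 minutes, but the window covering 10:02 now runs at 10:15) yet still misses carol, which is the case where only index time, or fixing the source's clock, helps.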

📧 Wrapping up

If you enjoyed this newsletter and think others would too, it would mean a lot to us if you forwarded this email to other people who may enjoy it as well. You can also reply to this email; I'd love to get in touch with you.

Thanks,
Sebas
@0xroot | @secpillsnews