💊 Security Pills - Issue 54

Release Date: 29th January 2024 | Issue: 54 | Subscribe

The Security Pills newsletter is a hand curated zine (delivered once per week) that highlights security related-news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.

Sponsor
Would you like to become a sponsor for our newsletter? Our mission is to highlight security-related news with a focus on quality content, while we help people staying up to date with this corner of the industry.If you are interested, reach out to [email protected] with your ad idea to get started!

 🛠️ Application Security

📑 Web LLM attacks | 👤 PortSwigger 
Another great write-up from PortSwigger on attacking and defending applications that leverage Large Language Models (LLMs). They have created four different hands-on labs to practice your skills in exploiting LLM APIs, conducting indirect prompt injection attacks, and abusing insecure output handling in LLMs.

📑 30 new Semgrep rules | 👤 Matt Schwager & Sam Alws
A brief summary on Trail of Bits' latest Semgrep rules, featuring a deep dive into two of its lesser-known feature; Semgrep's generic mode for flexible, regex-like searches and native YAML support for enhanced configuration file analysis.

📑 Stop Deploying Web Application Firewalls | 👤 Mac Chaffee 
I love this piece and couldn't agree more with the author. Nowadays, there are better techniques that render even the most advanced WAFs entirely obsolete. Not to mention, they can be easily bypassed, have been the cause of previous security breaches, and are just annoying with their high rate of false positives. You may be interested in exploring other alternatives like isolation, immutability, static analysis, or capability-based security.

📑 Announcing cvemap from ProjectDiscovery | 👤 Brendan O'Leary 
ProjectDiscovery has released a new tool that integrates data from CISA's Known Exploited Vulnerabilities Catalog (KEV), the Exploit Prediction Scoring System (EPSS), and official PoCs from GitHub. It also incorporates CVEs reported on HackerOne, monitors live exposure on the Internet, and evaluates GitHub and OSS popularity data, alongside nuclei templates for precise CVE fingerprinting.

🛡️ Blue Team

📑 ADCS Attack Paths in BloodHound | 👤 Jonas Bülow Knudsen 
This article breaks down the ESC1 domain escalation requirements and explains how to leverage BloodHound to identify attack paths involving ESC1 abuse.

📑 Don’t Leave Me on Read: The Efficacy of Dynamic Honeypots for Novel Exploitation Discovery | 👤 GreyNoise 
An interesting approach to setting up vulnerable software in a honeypot to catch exploits for a CVE for which there is no public proof of concept yet.

🛠 Linux-Incident-Response
A comprehensive cheatsheet for incident response and live forensics in Linux environments.

 ☁️ Cloud Security

📑 EC2 Privilege Escalation Through User Data | 👤 Nick Frichette 
Nick explains a simple yet effective technique for escalating privileges to root after gaining access to an EC2 instance. This method involves leveraging the modify-instance attribute permission (ec2:ModifyInstanceAttribute) to modify the script that runs each time the EC2 instance restarts. Additionally, he discusses modifying user data scripts sourced from an S3 bucket, which is feasible if the IAM role is excessively permissive and allows writing to that location.

📑 Manage Kubernetes Secrets with Crossplane and External Secrets | 👤 Alex Souslik 
A step-by-step guide on how to securely store Kubernetes secrets in AWS Secret Manager using Argo CD, Crossplane, and External Secrets Operator.

📑 Google Cloud Incident Response Cheat Sheet | 👤 Noah McDonald & Wes Guerra
A one-stop-shop poster that provides practitioners with the required steps and resources for effectively managing security incidents in GCP.

📑 AWS Account Security Onboarding Mind Map | 👤 Artem Marusov
A mind map prepared to act like a checklist when onboarding new AWS accounts into an existing AWS organization. It describes the minimal required set of security measures that need to be applied to any AWS account before it starts being used.

📑 Azure Logs: Breaking Through the Cloud Cover | 👤 Nathan Eades 
A comprehensive guide on how to best interpret and demystify the complexity of Azure's logging.

 🗳️ Container Security

📑 Kubernetes Scheduling And Secure Design | 👤 Francesco Lacerenza & Lorenzo Stella 
A deep dive into limiting opportunities for lateral movement within your Kubernetes environment by adopting a security-oriented scheduling strategy.

🛠️ buildg | 👤 Kohei Tokunaga 
An interactive debugger for Dockerfiles, featuring source-level inspection, breakpoints & step execution, and support for IDEs such as VS Code and Emacs, among others.

 🤖 Artificial Intelligence

📑 Improving LLM Security Against Prompt Injection: AppSec Guidance For Pentesters and Developers | 👤 Abraham Kang | 📚 31min.
The article focuses on the security risk of prompt injection in LLM apps and provides guidance on mitigating this risk. It recommends using role-based APIs and secure system prompt design guidelines to separate user and system content and create specific and clear prompts. The article also highlights the importance of monitoring and tuning system prompts, using the latest LLM models, and considering preflight prompt checks.

📑 Using Multi-Modal Large Language Models For Breaking CAPTCHAs | 👤 Aashiq Ramachandran | 📚 4min.
A multi-modal LLM-powered agent that automatically solves CAPTCHAs using Google Gemini Vision Pro. You can test it with its python tool, 🛠 i-am-a-bot.

🛠 chatgpt-source-watch | 👤 Glenn Grant
Analyze the evolution of ChatGPT's codebase through time with curated archives and scripts

⚔️ Red Team

📑 GraphStrike: Using Microsoft Graph API to Make Beacon Traffic Disappear | 👤 Alex Reid 
An in-depth analysis of the research and designing process behind 🛠 GraphStrike, a tool suite for use with Cobalt Strike that enables Beacons to utilize Microsoft Graph API for HTTPS C2 communications.

📑 Phishing Microsoft Teams for initial access | 👤 Luke Jennings 
After detailing the use of Slack for initial access, lateral movement, and persistence, Luke now shifts focus to Microsoft Teams, exploring user and link preview spoofing techniques to achieve similar effects. These methods involve sending external invites with convincing display names, forging links that appear legitimate, and creating link previews that obscure the true source, thereby increasing the likelihood of successful phishing attacks and credential harvesting.

🛠 frameless-bitb | 👤 Wael Al Masri
A new approach to Browser In The Browser (BITB) without the use of iframes, allowing the bypass of traditional framebusters implemented by login pages like Microsoft.

📦 Supply Chain

📑 Secure software supply chain for OCI Artifacts on Kubernetes | 👤 SparkFabrik
The importance of securing the software supply chain is emphasized in this article, especially in the context of cloud-native development and the utilization of OCI artifacts on Kubernetes. It discusses various vulnerabilities and potential attacks that can occur throughout the supply chain, including dependency confusion, the insertion of malicious code, and the compromise of update servers.

📑 Introducing MavenGate: a supply chain attack method for Java and Android applications | 👤 Oversecured
The team at Oversecured conducted a research on the potential for supply chain attacks within the mobile ecosystem, discovering 3,710 Maven packages linked to an expired domain available for purchase. This vulnerability could allow for the hijacking of multiple projects and the injection of malicious code into applications through their dependencies, potentially impacting major companies like Google, Facebook, Signal, among others.

🕵 Threat Hunting

📑 Cloud Threat Landscape: A Cloud Threat Intelligence Database | 👤 Wiz Research
Covering 107 incidents, featuring profiles on 96 threat actors, and cataloging over 100 distinct attack techniques, Wiz Research presents a specially curated public instance of its internal cloud threat intelligence database. This resource offers detailed summaries of publicly disclosed cloud security incidents and campaigns, providing insights into threat actors known for compromising cloud environments and detailing the tools and techniques they use, along with the technologies they frequently target.

📑 Bulletproof Hosting: A Critical Cybercriminal Service | 👤 Intel 471 
This article explores how seasoned cybercriminals function as BPH providers and shares the inner workings of their operations.

📑 How to detect LOLbins abuse in the wild | 👤 Tess Mishoe & Rachel Schwalk 
An in-depth discussion on LOLbins (living-off-the-land binaries) and methods for detecting their malicious use. Given the nature of these binaries, it becomes quite challenging to discern what is normal behavior for these binaries and what should raise concerns. In fact, Red Canary's 2022 data reveals that 35% of all malicious and suspicious detections involved LOLBins.

📧 Wrapping up

If you enjoyed this newsletter and think others would too, It would mean a lot for us if you'd forward this email to other people who may enjoy it as well. You can also reply to this email, I'd love to get in touch with you.

Thanks,
Sebas
@0xroot | @secpillsnews