Security Pills - Issue 55
Discover Google's Security Scaling Strategies | Signing Commits as Any User | Prevent Your Website from Cloning Attacks

Release Date: 5th February 2024 | Issue: 55
The Security Pills newsletter is a hand-curated zine (delivered once per week) that highlights security-related news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.
Sponsor
Would you like to become a sponsor for our newsletter? Our mission is to highlight security-related news with a focus on quality content, while helping people stay up to date with this corner of the industry. If you are interested, reach out to [email protected] with your ad idea to get started!
Application Security
Points Of Intersection Explorer | Francesco Lacerenza & Michele Lizzit
Doyensec has released PolEx, a Visual Studio Code extension that aids in analyzing the interactions between code and infrastructure in cloud-oriented applications. It identifies and visualizes points of intersection (POIs) where the code interacts with the underlying cloud infrastructure, helping security engineers quickly identify security vulnerabilities.
A Recipe for Scaling Security | David Dworken
A look into Google's approach to scaling security and improving code at scale, providing insights into mindset shifts, data collection, and tools used. It also highlights the successful rollouts of various security features and their impact on Google's overall security, measuring adoption over time, and more.
HTTP Downgrade attacks with SmuggleFuzz | Charlie Smith
SmuggleFuzz is a command-line tool designed to assist in identifying HTTP downgrade attack vectors by providing detailed response information and customisable detection methods.
Known Exploited Vulnerabilities (KEV) Detector
A tool that automates the detection of known exploited vulnerabilities through a single command. It includes vulnerabilities from CISA KEV, Google's Tsunami, Ostorlab's Asteroid and bug bounty programs.
Blue Team
Detect threats using Microsoft Graph activity logs | Fabian Bader
In this first part, Fabian explains the methods for detecting offensive security tools like AzureHound, GraphRunner, and PurpleKnight using Microsoft Graph Activity Logs. Additionally, he has developed a set of analytics rules for Microsoft Sentinel, designed to effectively identify the use of such tools in your environment.
Defending against the Attack of the Clone[d website]s! | Jacob Torrey
The article introduces two new versions of the Cloned Website Canarytoken that can detect Man-in-the-Middle (MitM) phishing attacks. It explains the limitations of the previous JavaScript-based token and presents the new CSS-based token as an alternative. The article also provides a step-by-step guide on how to install the CSS token into an Azure Entra ID login portal.
Cloud Security
CIEM Part 1: How least privilege leads to a false sense of security | Robert de Meyer
Robert de Meyer explains the challenges one may face when trying to manage Identity and Access Management (IAM) in AWS. The article discusses the core elements of a policy, the extended AWS policy model, and the process of deriving an effective policy. The author also explores the challenges of implementing least privilege in larger AWS environments.
Sys:All Google Kubernetes Engine Risk | Roi Nisimi
The Orca Research Pod discovered a dangerous loophole in Google Kubernetes Engine (GKE) that could allow an attacker with any Google account to take over misconfigured GKE clusters. The Orca team identified 250,000 active GKE clusters in the wild, with hundreds of them containing secrets that enable lateral movement and sensitive data access.
Artificial Intelligence
Exploring Defensive Challenges with Artificial Intelligence: From Traditional to Generative | Jose Rodriguez
This article explores various artificial intelligence (AI) methods and their evolving roles in the security industry. A key aspect of this exploration is understanding how these AI methods are integrated into the incident response lifecycle, an essential framework in cybersecurity.
Firewalling Large Language Models with Llama Guard | Romain Aviolat
Romain introduces Llama Guard, a tool that mitigates prompt injection vulnerabilities in Large Language Models (LLMs) by sanitising input and output. It explores how Llama Guard can be used to secure a simple LLM chat-bot and highlights its capabilities and customisation options.
Machine Learning Engineering Open Book
An open collection of methodologies to help with successful training of large language models and multi-modal models.
fabric | Daniel Miessler
An open-source framework for augmenting humans using AI.
Red Team
Setting up my AWS RedTeam Active Directory Lab For Your Own Use And Practise | Phil Keeble | 17 min
A guide on setting up an AWS RedTeam Active Directory lab, allowing users to practice various Active Directory attacks with tools like Covenant and Impacket, and includes pre-configured attack types such as kerberoasting, constrained delegation, and pass-the-hash.
BOFHound: Session Integration | Matthew Creel | 13 min
A look into new BOFHound-compatible BOFs, along with practical examples, that allow an operator to take a manual and targeted approach to attack path mapping that relies on BloodHound's HasSession and AdminTo edges.
TeamsBreaker | ASOT Lab
A tool designed for automating the sending of phishing messages to victims. By default, Teams shows a warning message whenever a message is received from a user of another organization, but this tool uses different methods for bypassing this limitation.
You can read more about the techniques used in their whitepaper.
electroniz3r | Wojciech Reguła
Despite macOS's TCC (Transparency, Consent, and Control) system offering enhanced privacy by restricting access to sensitive resources, vulnerabilities have historically been identified. However, exploiting these through zero-day attacks in red team exercises remains impractical. This new tool by Wojciech abuses Electron's default configuration, allowing code execution in the context of Electron apps installed on a target machine, thereby inheriting their TCC permissions. As it doesn't alter the files of those apps, it can also bypass the new macOS Ventura App Protection mechanism.
You can check out Wojciech's talk, 'ELECTRONizing macOS Privacy - A New Weapon in Your Red Teaming Armory,' at DEFCON 31.
SOAPHound | Nikos Karouzos
A custom-developed .NET data collector tool which can be used to enumerate Active Directory environments via the Active Directory Web Services (ADWS) protocol.
Supply Chain
Forging signed commits on GitHub | 4 min
A vulnerability in an internal GitHub API that could be exploited by attackers to trick the internal API into signing commits as any user.
OIDC for GitHub Actions | Cloud Security Partners | 10 min
A guide on how to implement OpenID Connect (OIDC) for GitHub Actions, providing a more secure alternative for authentication when compared to utilising traditional access keys.
Cycode Discovers a Supply Chain Vulnerability in Bazel | Elad Pticha | 10 min
Cycode found a supply chain vulnerability in Bazel, an open-source software tool used for building and testing software. The vulnerability allowed for command injection in a dependent action used in GitHub Actions workflows, potentially enabling malicious actors to insert harmful code into the Bazel codebase, create a backdoor, and affect the production environment of anyone using Bazel.
Threat Hunting
Memory Scanning for the Masses | Axel Boesenach & Erik Schamper | 5 min
A user-friendly memory scanning Python library that allows for more efficient memory scanning by filtering regions based on memory attributes, such as read, write, and execute permissions. Skrapa is designed to work on both Linux and Windows systems and includes features like configurable scanning, regex and YARA support, and user callback functions.
Analyzing a C2 agent | 16 min
This analysis delves into a command and control (C2) agent, focusing on the macro dropper used for malware delivery. It discusses attackers' evasion techniques, including obfuscation and file extraction, and suggests mitigation strategies to block malicious macros and safeguard against C2 threats.
You can also check out the second part, which focuses on statically analyzing the binary and obtaining indicators of compromise.
Wrapping up
If you enjoyed this newsletter and think others would too, it would mean a lot to us if you'd forward this email to other people who may enjoy it as well. You can also reply to this email, I'd love to get in touch with you.
Thanks,
Sebas
@0xroot | @secpillsnews