Security Pills - Issue 6

The great tech salary crash, Untangling KNOTWEED, Hunting for Mass Assignment Vulnerabilities

Release Date: 1 Aug 2022 | Issue: 6

The Security Pills newsletter is a hand-curated zine (delivered once per week) that highlights security-related news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.

Sponsor

Would you like to become a sponsor for our newsletter? Our mission is to highlight security-related news with a focus on appsec, mobile and smart contracts while we help people stay up to date with this corner of the industry. If you are interested, reach out to [email protected] with your ad idea to get started!

Hey there 👋,

Here we are, another week. We have been working on our blog and website, and it should be ready this week! We have decided to use Hugo as the framework for both! Meanwhile, enjoy this week's newsletter. We have decided to use hashtags again to better organize and distribute our content. What do you think?

Do you prefer separated specific categories or hashtags?


Your weekly prescription 💊

  • #active-directory: Building and Attacking an Active Directory Lab with PowerShell, Orchestrating Deployment of Active Directory hacklab with Ansible and Vagrant.

  • #advanced-persistent-threat: Untangling KNOTWEED: European Private-Sector Offensive Actor Using 0-day Exploits.

  • #adversary-simulation: Top 10 Open-Source Adversary Simulation Tools, Manipulating Windows Tokens With Golang.

  • #appsec: Hunting for Mass Assignment Vulnerabilities Using GitHub CodeSearch and grep.app, Building AppSec Pipeline for Continuous Visibility, Disclosing Information with a Side-Channel in Django, Exploiting GitHub Actions on Open-Source Projects, Atlassian Confluence Hardcoded Credentials Bug Actively Exploited.

  • #career: The Great Tech Salary Crash.

  • #container-security: Container Security Considerations: Security Best Practices and Common Threats.

  • #exploiting: Corrupting Memory without Memory Corruption, 10 Items of Windows Kernel Exploit Research from 2020/2021.

  • #red-team: Multi-Stage Offensive Operations with Mythic.

  • #smart-contracts: Moonbeam Missing Call Check Bugfix Review.

  • #spear-phishing: Spear Phishing on Modern Platforms.

Articles

Building and Attacking an Active Directory Lab with PowerShell #active-directory

Extensive guide by @myexploit2600 on how to create an Active Directory for testing purposes.

Orchestrating Deployment of @myexploit2600's hacklab with Ansible and Vagrant #active-directory #orchestration

Quick overview of the PowerShell scripts and the Ansible playbook used to automate the deployment of the hacklab from the @myexploit2600 guide in the previous article.

Top 10 Open-Source Adversary Simulation Tools #adversary-simulation

Adversary simulation is an emerging IT security technology that mimics an attacker's behavior and offers the capability to test an organization's resilience against an advanced attacker in a scenario known as assumed breach. This article compares the most popular open-source adversary simulation tools and helps you choose the one that best fits your needs.

Manipulating Windows Tokens With Golang #adversary-simulation

This article discusses the challenges FourCore faced while developing a Windows agent for their real-world cyber attack simulation product, specifically around accessing, manipulating, and using the different types of Windows tokens from Go.

Spear Phishing on Modern Platforms #spear-phishing

Over the last few years, email filtering security solutions have evolved and implemented tough defenses to block as many scams as possible; however, security researchers have evolved in this space as well. This guide walks you through how to set up infrastructure intended to bypass modern-day platforms and successfully deliver a phishing email to an end user's inbox.

Container Security Considerations: Security Best Practices and Common Threats #container-security

Understand container security challenges and learn about critical container security best practices, such as securing images, registries, etc.

A visual representation of defense-in-depth


Hunting For Mass Assignment Vulnerabilities Using GitHub CodeSearch and grep.app #appsec

This post discusses the process of searching top GitHub projects for mass assignment vulnerabilities. The author, Laurence Tennant, was able to find a security issue in freeCodeCamp and obtain all of its coding certifications. An interesting approach which explores the limitations imposed by GitHub's search feature and how to use GitHub CodeSearch and grep.app for a better search across GitHub repositories.

Building AppSec Pipeline for Continuous Visibility #appsec

SaaS organizations need high-velocity engineering with multiple releases in a day. This environment tends to cause teams to block each other as they do not scale proportionally. As a result, conventional security testing as a pre-release activity in a fast-paced continuous environment is not effective anymore.

In this blog, the authors explain their approach to building an application security pipeline for continuous security scanning using free and open-source tools for SAST, DAST, SCA, secrets scanning, and SBOM generation.

The objective of this initiative is to provide centralized visibility of the overall security posture of the various production-touching components within the organization.

Overall Architecture


Hey, if this email was forwarded to you, or if you are coming from any other social media and have enjoyed our content, maybe you can support us by subscribing to our newsletter and forwarding this email.

Vulnerabilities and Bug Bounties

Corrupting Memory without Memory Corruption #exploiting

Man Yue Mo (@mmolgtm) explains in this article how to exploit a vulnerability in the ARM Mali GPU kernel driver and use it to gain arbitrary kernel memory access from an untrusted app on a Pixel 6. Once arbitrary memory access is obtained, achieving root capabilities and disabling SELinux is easy-peasy. What is most interesting about this issue is how the exploit abuses the memory management logic in the GPU to achieve arbitrary physical memory access without hijacking control flow at any point during exploitation. This renders security mitigations such as kernel control-flow integrity ineffective. More importantly and unusually, this bug is not the usual type of memory corruption vulnerability that we are all used to seeing exploited.

10 Items of Windows Kernel Exploit Research from 2020/2021 #exploiting

Disclosing Information with a Side-Channel in Django #appsec

During research on Django, the Sonar team discovered a way to trick the framework into disclosing sensitive information by interacting with how the data is sorted before it is displayed in the interface. Even though this information is obtained through a side-channel based on its relationship with other unknown data, it was possible to perform this attack and extract sensitive information in a very reliable manner.

Exploiting GitHub Actions on Open-Source Projects #appsec

GitHub Actions is a commonly used CI/CD pipeline for automated testing and deployment. While Actions makes it easier to test and deploy, it also adds security risks to the project and its downstream infrastructure if misconfigured. A vulnerable GitHub Action can be exploited to exfiltrate custom and built-in secrets, such as GitHubToken. The security team at Tinder has created an automation script that detects and flags vulnerable GitHub Actions. The article describes the common security risks in GitHub Actions, the approach used to detect them, and how to mitigate potential threats.

Multi-Stage Offensive Operations with Mythic #red-team

This is an old article, but I stumbled upon it and wanted to share it with you. The author, Kyle Avery, covers a multi-stage offensive operation using Mythic, a red teaming framework.

Atlassian Confluence Hardcoded Credentials Bug Actively Exploited #appsec

Last week a critical issue affecting Atlassian Confluence was fixed. The flaw, a hardcoded credential vulnerability, could be remotely exploited by an unauthenticated attacker to gain access to all non-restricted pages in Confluence. Despite Atlassian's efforts to fix the vulnerability, the hardcoded credentials were released publicly. The credentials were released in the Confluence Questions plugin, version 3.0.2. According to Atlassian, there are currently 8,000 installations of this plugin.

GreyNoise has created a tag and started monitoring for related activity, discovering a total of 110 unique IPs actively exploiting this vulnerability over the past week:

Unique IPs observed by GreyNoise


Moonbeam Missing Call Check Bugfix Review #smart-contracts

Back in May, pwning.eth submitted another vulnerability through Immunefi which could have caused a direct theft of native assets on the Moonbeam network, such as Moonriver (MOVR) and Moonbeam (GLMR). The vulnerability could have impacted up to $100m in funds. This article from Immunefi presents an analysis of the issue and how it was fixed by the Moonbeam security team. I totally recommend reading these bugfix reviews, especially if you are thinking about a bug-hunting career in Web3. The knowledge you can obtain from these articles is in.

Untangling KNOTWEED: European Private-Sector Offensive Actor Using 0-day Exploits #advanced-persistent-threat

This blog details Microsoft's analysis of the observed KNOTWEED activity and related malware used in targeted attacks against European and Central American customers, which used multiple Windows and Adobe 0-day exploits.

Miscellaneous

The Great Tech Salary Crash #career

Andre Nader explains in this excellent piece some interesting stats and figures on the significant salary compression currently happening due to drops in equity valuations at FAANG companies, and how this is affecting their employees' compensation, since a significant portion of total compensation at these companies is equity.

Pokemon Shellcode Loader #exploiting

Techryptic wanted to mess with the blue team and decided to create a shellcode loader based on Pokemon names, and see how many AVs it would elude along the way.

 πŸ™ Support us

Enjoy reading the Security Pills newsletter? Consider sponsoring our next edition or buying me a coffee. You can also share us with your friends and follow us on Twitter.

Resources

🎥 Videos

  1. LiveOverflow - Self-Learning Reverse Engineering in 2022 — There exist some awesome tools nowadays to accelerate your self-education in reverse engineering. godbolt and dogbolt are amazing examples to quickly learn basic assembly and reversing.

  2. State of the Art of Ethereum Smart Contract Fuzzing in 2022 (EthCC5) — Patrick Ventuzelo from Fuzzing Labs presents his talk on why fuzz testing EVM smart contracts can be challenging, why it is important, and which EVM fuzzers are the best.

⌨️ Repositories

  1. mandiant/Azure_Workshop — A vulnerable-by-design Azure lab containing two attack paths with common misconfigurations. These vulnerabilities are intended to represent those found in live production environments, and the attack vectors are intended to be as realistic as possible to real threat actors' TTPs.

  2. WerWolv/ImHex — A hex editor for reverse engineers, programmers and people who value their retinas when working at 3AM.

  3. chris-anley/cq — Code Query, a universal code security scanning tool.

  4. silverhack/monkey365 — An open-source tool to easily conduct Microsoft 365, Azure subscription and Azure Active Directory security configuration reviews without the significant overhead of learning tool APIs.

πŸŽ™οΈ Podcasts

  1. The Hacker Factory: From Software Developer to Penetration Tester, A conversation with Rob Ragan — Rob's interest in hacking started with 2600 Magazine and 2600 Groups. This fueled his curiosity and passion for technology and security.

  2. Darknet Diaries EP 121: Ed — In this episode we hear some penetration test stories from Ed Skoudis. We also catch up with Beau Woods from I Am The Cavalry.

  3. Srsly Risky Biz #5 — In this episode Patrick Gray and Tom Uren discuss the big stories affecting people in cyber policy: the US DNI will monitor the commercial spyware industry, plus why the TSA's latest pipeline regulations won't achieve much and how rooftop solar became critical infrastructure.

  4. The Ransomware Files #9: Dr. Ransomware, Part 1 — The FBI's Most Wanted list for cybercrime has a recent entry: a person whom U.S. prosecutors found to be the developer of ransomware applications called Jigsaw and Thanos, which infected organizations and companies around the world.

🧡 Twitter Threads

  • 11 Soft Skills to Accelerate Your Career

  • A few things to eliminate for a happier, healthier life

📧 Wrapping up

If you enjoyed this newsletter and think others would too, it would mean a lot to us if you forwarded this email to other people who may enjoy it as well. You can also follow me on Twitter and let me know your feedback or comments, or simply reply to this email; I'd love to get in touch with you.

Thanks,
Sebas
@0xroot | @secpillsnews