Security Pills - Issue 7

Determining Malicious Probabilities Through ASNs, Nomad Bridge Exploit, From XSS to RCE

Release Date: 8 Aug 2022 | Issue: 7 | Subscribe

The Security Pills newsletter is a hand curated zine (delivered once per week) that highlights security related-news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.

Sponsor: Would you like to become a sponsor for our newsletter? Our mission is to highlight security-related news with a focus on appsec, mobile and smart contracts while helping people stay up to date with this corner of the industry. If you are interested, reach out to [email protected] with your ad idea to get started!

Hey there 👋, hope you had a great weekend! Last week we published our site and blog... what?! You didn't hear about it? Go and check it out at https://securitypills.news

  • Articles: How Passwordless Works, New Era of Phishing Payloads, Risky Business: Determining Malicious Probabilities Through ASNs, Azure Threat Research Matrix, A defender's MITRE ATT&CK cheat sheet for Google Cloud Platform, Using Process Creation Properties to Catch Evasion Techniques, A Threat Modeling Field Guide, How I Met Your Beacon: Brute Ratel, Hacking Together an ASM Platform Using ProjectDiscovery Tools, Shedding Smart Contract Storage with Slither.  

  • Vulnerabilities and Bug Bounties: Researching Open Source apps for XSS to RCE flaws, GitLab Project Import RCE Analysis, Hijacking Email with Cloudflare Email Routing, The Defrauded Fraud Proof of A Bitcoin Bridge, Cross-Chain Vulnerabilities & Bridge Exploits in 2022, Nomad Bridge Exploit Incident Analysis.  

  • Resources 

    • Videos: Fireside chat with MetaMask founders, CloudSec Playlist, NahamSec: Snyff Talks About Hacking, Learning and Creating PentesterLab. 

    • Podcasts: Dr. Ransomware Part 2, A 40-Year-Old Backdoor.  

    • Repositories: Inventory, dnsReaper, ghidra-frida-hook-gen, PersistenceSniper, Paranoid Crypto, BARK.  

    • Hacking Tips: Getting Active Directory through Cisco IP Phones, Getting RCE in Jetty apps with an XML file, Bypass on ContentProvider.openFile(), Using ffuf effectively.  

  • Tags used in this issue: #appsec, #blue-team, #cloud-security, #infrastructure, #phishing, #red-team, #smart-contracts, #threat-modeling

How Passwordless Works #infrastructure

Interesting article explaining how passwordless authentication can be implemented using modern technologies such as Web Authentication (WebAuthn), while at the same time providing better user experience and security than the traditional password-based approach.

New Era of Phishing Payloads. #phishing

Back in July, Microsoft announced that macros will be blocked by default in all Office documents downloaded from the internet. This article discusses Microsoft's latest security measure against macros and how threat actors may adapt to alternate initial access TTPs after macro deprecation.

Risky Business: Determining Malicious Probabilities Through ASNs. #infrastructure

Akamai researchers have been analyzing autonomous system numbers (ASNs) to assess the risk of large swaths of the internet. Different characteristics of these ASNs can be used to estimate the probability of attackers being found using IPs within them.

A subset of Akamai DNS traffic for a single day

As a curiosity, an analysis of traffic indicates that 'likely malicious' ASNs make up fewer than 2% of all IPv4 addresses online, while ASNs in the 'potentially malicious' category make up fewer than 5% of all IPv4 addresses on the internet, yet they receive more than 18% of internet traffic.

Azure Threat Research Matrix. #cloud-security

The Azure Threat Research Matrix (ATRM) aims to educate readers on the potential of Azure-based tactics, techniques, and procedures (TTPs).

A defender's MITRE ATT&CK cheat sheet for Google Cloud Platform (GCP). #cloud-security

100% of cloud incidents identified in 2022 Q1 were caused by cloud misconfigurations and long-lived credentials. As these incidents were investigated, a pattern emerged in the tactics used by attackers against GCP.

GCP Mind Map for Investigations and Incidents

Expel has created a guide to help you identify potential attacks and quickly map them to ATT&CK tactics.

Using process creation properties to catch evasion techniques #blue-team

Microsoft has developed a detection method in Microsoft Defender for Endpoint that can catch known and unknown variations of a process execution class used by attackers to evade detection. This article presents a detailed analysis of how this process execution class works and how it takes advantage of Windows functionalities to evade detection. It also offers a peek into the research, design and engineering concerns that went into the development of this detection mechanism.

The Enchiridion of Impetus Exemplar: A Threat Modeling Field Guide #threat-modeling

An extensive and detailed guide on threat modeling, covering current and future methodologies and a few commonly encountered supporting resources that these threat modeling methodologies generally rely on.

How I Met Your Beacon: Brute Ratel #red-team

Part three of this series, in which MDSec analyzes the Brute Ratel C2, a framework under scrutiny since it has allegedly been abused by APT29. This article provides a deep understanding of how this C2 can be generically detected in our infrastructure by analyzing its loader, the footprint it leaves behind, the obfuscation and sleep strategy it uses, and more.

Hacking Together an ASM Platform Using ProjectDiscovery Tools. #appsec

This article provides a walkthrough on how to build a quick attack surface monitoring (ASM) platform using ProjectDiscovery tools, with MongoDB and Redis for scan data and scan queues. The ASM utility is divided into 5 modules, summarized in the diagram below:

PDiscovery Bot Diagram

Shedding Smart Contract Storage with Slither. #smart-contracts

An article by Troy Sargent explaining the boundaries of slither-read-storage, a tool that retrieves the storage slot(s) of a single variable or of entire contracts, and using it to dive deep into some use cases.

Hey, if this email was forwarded to you, or if you are coming from any other social media and have enjoyed our content, maybe you can support us by subscribing to our newsletter and forwarding this email.

Researching Open Source apps for XSS to RCE flaws. #appsec

Cross-Site Scripting (XSS) is probably one of the most frequently encountered vulnerabilities affecting web applications, yet still one of the most underrated. This article describes Aleksey's journey in changing the impact associated with XSS issues by achieving Remote Code Execution (RCE) via XSS on open source applications such as Evolution CMS, FUDForum and GitBucket.

GitLab Project Import RCE Analysis (CVE-2022-2185). #appsec

wcbowling found that GitLab's Project Import feature was affected by a remote code execution vulnerability. The article explores the research process followed by STAR Labs to debug and analyze this vulnerability, providing a detailed walkthrough on how to successfully exploit it.

Hijacking email with Cloudflare Email Routing #appsec

Albert Pedersen discovered a critical vulnerability in Cloudflare's Email Routing service, which allowed anyone to modify the routing configuration of any domain using the service. Attackers could have exploited this issue to override the destination address with their own email address and read any email sent to the victim's domain.

The Defrauded Fraud Proof of A Bitcoin Bridge. #smart-contracts

Follow pwning.eth on another trip into the uncertain darkness of collateralization. In this article he explains a couple of security issues affecting the Interlay BTC bridge and explores the over-collateralization technique applied in DeFi protocols and used to enable the minting of a synthesized asset from another base asset.

Cross-Chain Vulnerabilities & Bridge Exploits in 2022. #smart-contracts

There have been five cross-chain bridge attacks that have led to losses of $1,317,00,00 (nearly 57% of the total losses in Web3 in 2022). The problem seems to originate from a mix of the security vulnerabilities inherent in cross-chain bridges and a lack of expertise in implementing proper security countermeasures.

Major Bridge Attacks in 2022

Cross-chain bridges combine multiple components, including a custodian, a debt issuer and an oracle. This exposes cross-chain bridges to multiple attack avenues for hackers to exploit.

The article summarizes the 2022 attacks on the Ronin Bridge, Wormhole Bridge, Harmony, Qubit and the recent Nomad exploit, which caused a monetary loss of $190 million: a painful reminder of just how devastating cross-chain bridge exploits can be.

Nomad Bridge Exploit Incident Analysis #smart-contracts

Early in August, the Nomad bridge, a protocol allowing users to move digital assets between different blockchains, suffered an attack which caused a loss of around $190 million worth of assets.

Nomad Bridge Attacks txs

The attackers were able to bypass the message verification process and drain the tokens from the bridge contract. This article is a detailed walkthrough on the attack flow and exploitation process.

🙏 Support us

Enjoy reading the Security Pills newsletter? Consider sponsoring our next edition or buying me a coffee. You can also share us with your friends and follow us on Twitter.

🎥 Videos

  1. Fireside chat with MetaMask founders Dan Finlay and Aaron Davis — Meet MetaMask founders as they chat with Taylor Monahan about how they met, the story of the wallet, and future ideas.

  2. CloudSec 2022 — Youtube playlist for fwd:cloudsec is finally online. Great discussions about all the major cloud platforms, both attack and defense research, pros and cons of different security strategies, and generally the types of things cloud practitioners want to know.

  3. NahamSec: Snyff Talks About Hacking, Learning and Creating PentesterLab 

⌨️ Repositories

  1. trickest/inventory — Asset inventory on public bug bounty programs.

  2. punk-security/dnsReaper — Subdomain takeover tool built with an emphasis on accuracy, speed and a considerable set of signatures.

  3. census/ghidra-frida-hook-gen — An extension for Ghidra which supports function-level hooking (when hooking the first address of a function), and arbitrary address hooking (when hooking inside a function).

  4. last-byte/PersistenceSniper — A PowerShell script that can be used by Blue Teams, Incident Responders and System Administrators to hunt for persistence mechanisms implanted in Windows machines.

  5. google/paranoid_crypto — This tool checks for well-known weaknesses on cryptographic artifacts such as public keys, digital signatures, and general pseudorandom numbers.

  6. BloodHoundAD/BARK — The BloodHound Attack Research Kit is a PowerShell script built to assist the BloodHound Enterprise team with researching and continuously validating abuse primitives. The script currently focuses on Microsoft's Azure suite of products and services and does not require 3rd party dependencies.

🎙️ Podcasts

  1. The Ransomware Files #10: Dr. Ransomware, Part 2 — The story continues in this second part. The FBI's Most Wanted list for cybercrime has a recent entry: a person whom U.S. prosecutors found to be the developer of the ransomware applications Jigsaw and Thanos, which infected organizations and companies around the world.

  2. Malicious Life: A 40-Year-Old Backdoor — Ken Thompson is a legendary computer scientist who in 1983 described a nifty hack that could allow an attacker to plant almost undetectable malicious code inside a C compiler. Surprisingly, it turns out a very similar hack was also used in the SolarWinds attack.

💡 Hacking Tips

  • snovvcrash on getting Active Directory access when a Cisco IP Phone is nearby

  • ptswarm sharing a tip for getting RCE in Jetty apps with just one XML file

  • _bagipro discovered a new bypass in the ContentProvider.openFile() method in Android to access private information using a content provider.

  • reconone_ shares an interesting thread on using the ffuf tool effectively.

📧 Wrapping up

If you enjoyed this newsletter and think others would too, it would mean a lot to us if you forwarded this email to other people who may enjoy it as well. You can also follow me on Twitter and let me know your feedback or comments, or simply reply to this email; I'd love to get in touch with you.

Thanks, Sebas @0xroot | @secpillsnews