Security Pills - Issue 8

Tracking users via Instagram in-app browser, OFAC sanctions Tornado Cash, Cisco Talos shares insights on recent cyberattack

Release Date: 15 Aug 2022 | Issue 8

The Security Pills newsletter is a hand-curated zine (delivered once per week) that highlights security-related news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.

Sponsor

Would you like to become a sponsor for our newsletter? Our mission is to highlight security-related news with a focus on appsec, mobile and smart contracts while helping people stay up to date with this corner of the industry. If you are interested, reach out to [email protected] with your ad idea to get started!

Hey there 👋,

Hope you all had a great time at DEFCON and BSides Vegas! We published the first three levels of Ethernaut for those of you who may be interested in learning the basics of Solidity. Check out our blog!

  • Articles: iOS Privacy: Instagram and Facebook can track anything you do on any website in their in-app browser, Concealed Code Execution: Techniques and Detection, Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling, After the Advisory, Enhancing Subdomain Enumeration - ENTs and NOERROR, Discovering Domains via a Timing Attack on Certificate Transparency, Automata: A General-Purpose Automation Platform, Auditing Crypto Wallets, Tracking Funds Laundered by Tornado Cash, TradFi, Meet DeFi: Breaking Down the Economics of DeFi Hacks, OFAC Sanctions Popular Ethereum Mixer Tornado Cash for Laundering Crypto Stolen by North Korea's Lazarus Group, Tracing the Twitter Hack Bitcoins.

  • Vulnerabilities and Bug Bounties:  Attacking Titan M with Only One Byte, From Shared Dash to Root Bash: Pre-Authenticated RCE in VMWare vRealize Operations Manager, Google Cloud Shell - Command Injection, Cross-Function Re-Entrancy in the Wild, The Cloud has an Isolation Problem: PostgreSQL Vulnerabilities Affect Multiple Cloud Vendors, Cisco Talos Shares insights Related to Recent Cyber Attack on Cisco, Liferay Revisited: A tale of $20k, Several Malicious Packages on PyPI detected.

  • Resources

    • Videos: Code Review vs Dynamic Testing explained with Minecraft, Discover Vulnerabilities in Intel CPUs, Ethereum Protocol Security Assessments (w/ Halborn). 

    • Podcasts: Malicious Life: Designed by criminals, for criminals, Risky Biz Soap Box: Okta's Brett Winterford on session cookie theft and mitigations  

    • Repositories: DashOverride, gitleaks-action, gorilla. 

    • Hacking Tips: Discovering Log4j vulnerability at scale, Best SSRF bypass list, Achieving persistence on Windows.

  • Tags used in this issue:  #appsec, #cloud, #hardware-hacking, #incident-response, #privacy, #red-team, #smartcontracts.

iOS Privacy: Instagram and Facebook can track anything you do on any website in their in-app browser #privacy

Felix Krause has done extensive research on how the iOS Instagram and Facebook applications render all third-party links and ads within the app using a custom in-app browser. This raises concerns because the apps can observe every interaction with external websites, from form inputs such as passwords and addresses to every single tap. Apple introduced App Tracking Transparency in iOS 14.5, which lets the user choose whether an app may track their activity across other companies' apps and websites for advertising or for sharing with data brokers; according to Meta, that functionality was costing Facebook $10 billion a year.

How Instagram injects the pcm JavaScript file

The article explores how the iOS Instagram and Facebook apps work around this restriction by injecting certain JavaScript files into the in-app browser.

Concealed Code Execution: Techniques and Detection #red-team

This article encompasses many months of dedicated research by diversenok and covers a wide range of concealed code execution techniques on Windows, investigating the internal mechanisms that make them possible.

Techniques for concealing code execution have become a favorite tool in Advanced Persistent Threat actors' arsenals because of the remarkable stealth they provide against conventional security mechanisms. Understanding how these techniques operate under the hood, and having open-source proof-of-concept implementations that reproduce the corresponding behavior, greatly helps detection engineering and aids incident response investigations.

Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling #appsec

James Kettle shares his latest research on turning a victim's web browser into a desync delivery platform, exposing single-server websites and internal networks. The article describes how to combine cross-domain requests with server flaws to poison browser connection pools, install backdoors and release desync worms. James also shares a methodology combining browser features with custom open-source tooling, including free online labs to help master this new attack vector.

After the Advisory

Lately there has been growing concern about dependencies and the complexity they bring into a project. Popular open source packages are used, directly or indirectly, by a significant portion of the packages within an ecosystem, so a vulnerability in a popular package can have a massive impact across the whole ecosystem. This article details a couple of high-profile incidents and discusses some of the differences observed between software ecosystems.

Enhancing Subdomain Enumeration - ENTs and NOERROR #appsec

Subdomain enumeration is a key component of the reconnaissance phase of an engagement. This article shows how to enhance it by paying attention to a DNS node type that most tooling ignores: the empty non-terminal (ENT), a name that owns no records itself but has children beneath it, and that therefore answers NOERROR with an empty answer section rather than NXDOMAIN. Those NOERROR responses are a signal that there is something further down worth brute-forcing.
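
An added example of the ENT-aware walk, not code from the article. It brute-forces labels depth-first and, unlike a naive tool, keeps descending beneath any name that answers NOERROR even when the answer section is empty. The zone (`example.com`, `internal.example.com`, `prod.internal.example.com` and the records beneath them) and the offline `fake_resolve` are constructed for the demonstration; the resolver is injected as a callable so a live lookup can be swapped in.

```python
"""Empty-non-terminal (ENT) aware subdomain brute force.

Added example; not code from the article. The resolver is injected so the
walk can be exercised offline against a constructed zone. Resolver contract:
(rcode, answers) where rcode is "NOERROR" or "NXDOMAIN" and answers is the
answer section (empty for an ENT, which exists but holds no records itself).
"""
from collections.abc import Callable, Iterable

Resolver = Callable[[str], tuple[str, list[str]]]

# Constructed sample zone (assumption): internal.example.com and
# prod.internal.example.com are ENTs. They own no records but have a child
# that does, so a correct resolver answers NOERROR with an empty answer
# section for them, and NXDOMAIN for names that do not exist at all.
ZONE = {
    "example.com": ["SOA"],
    "www.example.com": ["A 192.0.2.10"],
    "api.prod.internal.example.com": ["A 192.0.2.20"],
}


def fake_resolve(name: str) -> tuple[str, list[str]]:
    """Offline resolver with RFC 8020 semantics: a name exists if it owns
    records or is an ancestor of a name that does."""
    if name in ZONE:
        return "NOERROR", ZONE[name]
    if any(rr.endswith("." + name) for rr in ZONE):
        return "NOERROR", []            # empty non-terminal
    return "NXDOMAIN", []


def brute_force(apex: str, words: Iterable[str], resolve: Resolver,
                ent_aware: bool, max_depth: int = 3) -> dict[str, list[str]]:
    """Depth-first label brute force under `apex`.

    ent_aware=True descends into every NOERROR name, records or not.
    ent_aware=False mimics a naive tool that only keeps names with answers,
    so it never looks beneath an ENT and misses the whole subtree under it.
    """
    words = list(words)
    found: dict[str, list[str]] = {}
    stack = [(apex, 0)]
    while stack:
        parent, depth = stack.pop()
        if depth >= max_depth:
            continue
        for label in words:
            name = f"{label}.{parent}"
            rcode, answers = resolve(name)
            if rcode == "NXDOMAIN":
                continue                # nothing can exist below this name
            if not answers and not ent_aware:
                continue                # naive tools drop NOERROR/no-data
            found[name] = answers
            stack.append((name, depth + 1))
    return found


WORDS = ["www", "api", "internal", "prod", "mail"]   # constructed wordlist


def compare() -> tuple[list[str], list[str]]:
    """Names found without and with ENT handling, sorted for display."""
    naive = brute_force("example.com", WORDS, fake_resolve, ent_aware=False)
    aware = brute_force("example.com", WORDS, fake_resolve, ent_aware=True)
    return sorted(naive), sorted(aware)


if __name__ == "__main__":
    naive, aware = compare()
    print("naive:    ", naive)
    print("ENT-aware:", aware)
```

With dnspython a live resolver maps `dns.resolver.NXDOMAIN` to the NXDOMAIN outcome and `dns.resolver.NoAnswer` to NOERROR with an empty answer. Two caveats before trusting the signal: establish an NXDOMAIN baseline first (zones with a wildcard, or behind some CDNs, answer NOERROR for everything, which makes every name look like an ENT), and expect the extra queries to trip rate limits on authoritative servers.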

Discovering Domains via a Timing Attack on Certificate Transparency #appsec

Arseniy from PT Swarm has discovered a flaw in the way some TLS certificates are deployed that allows anyone to discover all the domain names served by the same server. The article describes this new technique for discovering domain names and how to apply it in threat intelligence, penetration testing and bug bounty work.

Getting timestamp from a leaf certificate
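
An added example, not the PT Swarm tooling, showing the step in the screenshot above (reading the SCT timestamps out of a leaf certificate) and the correlation that follows. `parse_sct_list` decodes the TLS-encoded SignedCertificateTimestampList from RFC 6962 that sits inside the SCT X.509 extension (OID 1.3.6.1.4.1.11129.2.4.2); pulling those bytes out of a DER certificate is assumed to be done beforehand. `build_sct_list`, the log IDs, `T0` and `CT_SEARCH_RESULTS` are constructed test data, not real logs or certificates.

```python
"""Reading SCT timestamps from a leaf certificate and correlating them with
other certificates logged in the same window.

Added example; not the article's tooling. Parses the TLS-encoded
SignedCertificateTimestampList (RFC 6962 section 3.3) carried in X.509
extension 1.3.6.1.4.1.11129.2.4.2. Extracting those bytes from DER is
assumed to be done by the caller; all data below is constructed.
"""
import struct
from datetime import datetime, timezone


def _u16(buf: bytes, pos: int) -> int:
    if pos + 2 > len(buf):
        raise ValueError("truncated SCT list")
    return struct.unpack(">H", buf[pos:pos + 2])[0]


def parse_sct_list(data: bytes) -> list[dict]:
    """One dict per SCT: version, log_id (hex), timestamp_ms, issued (UTC), sig."""
    total = _u16(data, 0)
    view = data[2:2 + total]
    if len(view) != total:
        raise ValueError("truncated SCT list")
    out, pos = [], 0
    while pos < len(view):
        n = _u16(view, pos)
        pos += 2
        sct = view[pos:pos + n]
        pos += n
        if len(sct) < 43:
            raise ValueError("truncated SCT")
        version = sct[0]                      # 0 == v1
        log_id = sct[1:33]                    # SHA-256 of the log's public key
        ts_ms = struct.unpack(">Q", sct[33:41])[0]   # ms since Unix epoch
        ext_len = _u16(sct, 41)
        p = 43 + ext_len                      # digitally-signed struct follows
        hash_alg, sig_alg = sct[p], sct[p + 1]
        sig_len = _u16(sct, p + 2)
        signature = sct[p + 4:p + 4 + sig_len]
        out.append({
            "version": version,
            "log_id": log_id.hex(),
            "timestamp_ms": ts_ms,
            "issued": datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc),
            "hash_alg": hash_alg, "sig_alg": sig_alg, "signature": signature,
        })
    return out


def build_sct_list(entries: list[tuple[bytes, int]]) -> bytes:
    """Serialize (log_id, timestamp_ms) pairs as a v1 SCT list with empty
    extensions and a placeholder ECDSA/SHA-256 signature. Constructed test
    data only: the signature is not valid and is never verified here."""
    scts = []
    for log_id, ts_ms in entries:
        sig = bytes.fromhex("3006020101020101")
        body = (b"\x00" + log_id + struct.pack(">Q", ts_ms) + struct.pack(">H", 0)
                + bytes([4, 3]) + struct.pack(">H", len(sig)) + sig)
        scts.append(struct.pack(">H", len(body)) + body)
    payload = b"".join(scts)
    return struct.pack(">H", len(payload)) + payload


def correlate(target_ts_ms: int, candidates: list[tuple[str, int]],
              window_ms: int = 5_000) -> list[str]:
    """Domains whose SCT timestamp lies within +/- window_ms of the target.
    Certificates requested by one automation job for one server tend to be
    logged within seconds of each other; that clustering is the signal."""
    return sorted(d for d, ts in candidates if abs(ts - target_ts_ms) <= window_ms)


# Constructed data: a leaf with two SCTs, and a mock "CT log search" result set.
LOG_A = bytes(range(32))
LOG_B = bytes(range(32, 64))
T0 = 1_660_000_000_000                        # 2022-08-08 23:06:40 UTC, in ms
SAMPLE_LEAF_SCTS = build_sct_list([(LOG_A, T0), (LOG_B, T0 + 120)])
CT_SEARCH_RESULTS = [
    ("shop.example", T0 - 900),
    ("admin-panel.example", T0 + 2_300),
    ("unrelated.example", T0 + 86_400_000),   # a day later: noise
]


def siblings_of_leaf(sct_list: bytes, results: list[tuple[str, int]]) -> list[str]:
    """Take the earliest SCT timestamp of the leaf and return co-issued domains."""
    ts = min(s["timestamp_ms"] for s in parse_sct_list(sct_list))
    return correlate(ts, results)


if __name__ == "__main__":
    for sct in parse_sct_list(SAMPLE_LEAF_SCTS):
        print(sct["log_id"][:8], sct["issued"].isoformat())
    print(siblings_of_leaf(SAMPLE_LEAF_SCTS, CT_SEARCH_RESULTS))
```

If you already depend on the `cryptography` package, `cert.extensions.get_extension_for_class(x509.PrecertificateSignedCertificateTimestamps)` yields the same `.timestamp` and `.log_id` values without hand-parsing. Correlate on SCT timestamps rather than notBefore: the SCT records when the log accepted the (pre)certificate, whereas some CAs backdate notBefore (Let's Encrypt by one hour), which would blur the window.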

Automata: A General-Purpose Automation Platform #automation

Shoeb Patel explains how he ended up building Automata, a platform to easily create and run arbitrary, powerful workflows that can also store data and raise alerts during their execution. The article also describes the iterations that preceded Automata and the lessons he learnt throughout the process.

Automata workflow

Auditing Crypto Wallets #smartcontracts

The recent NFT buzz has inspired more crypto-currency companies to venture into self-custody wallets. Although many early crypto proponents remain wary of “owning JPEGs”, NFTs have converted many crypto skeptics and present a new use case for smart contract platforms. This is the perfect time for engineers who have developed and audited self-custody wallets for years to share their hard-won wisdom with the next generation of wallet-makers. This article is not an exhaustive methodology for wallet auditing but highlights a few areas of concern.

Tracking Funds Laundered by Tornado Cash #smartcontracts

The rapid development of the crypto ecosystem has also led to a rise in security incidents in the crypto industry. According to research conducted by MistTrack, 80% of stolen funds were deposited into Tornado.Cash, a mixer protocol used to hide the digital trail. On September 26, 2020, KuCoin announced suspicious withdrawals of substantial quantities of crypto assets from their exchange hot wallet address; the combined stolen assets exceeded $270M.

Funds moved between hacker addresses

This article is an investigation by SlowMist into how the hackers used Tornado.Cash to launder the funds stolen in this attack. It focuses on how the hackers converted the funds to ETH and transferred them to Tornado.Cash, and analyzes the transactions for clues on where the stolen funds may have gone.

TradFi, Meet DeFi: Breaking Down the Economics of DeFi Hacks #smartcontracts

This blog post equips readers with a framework to identify deadly economic flaws in DeFi. The team at Zellic takes apart some of DeFi's biggest economic hacks, analyzes them from an economic rather than a smart-contract perspective, and draws conclusions on how economic vulnerabilities can be spotted and avoided.

OFAC Sanctions Popular Ethereum Mixer Tornado Cash for Laundering Crypto Stolen by North Korea's Lazarus Group #smartcontracts

The U.S. Treasury's Office of Foreign Assets Control (OFAC) sanctioned the popular Ethereum mixer Tornado Cash, adding it to the SDN list along with 38 unique cryptocurrency addresses. OFAC pointed to Tornado's role in laundering over $455 million worth of cryptocurrency stolen from Axie Infinity's Ronin Bridge by the North Korea-affiliated hacking organization Lazarus Group.

Cryptocurrency received

Only 18% of the funds Tornado Cash received came from sanctioned entities, while just under 11% were funds stolen from other cryptocurrency services and protocols.

Tracing the Twitter Hack Bitcoins (An Update from Elliptic) #smartcontracts

Back in July 2020, Twitter suffered a major breach that allowed the hackers to post fraudulent tweets from 130 compromised accounts. Using a giveaway scam, the attackers defrauded victims of a total of $121,000 in Bitcoin.

Flow of bitcoins out of the hacker's wallet

A few weeks ago the attacker emptied the wallet. The diagram above shows the flow of bitcoins out of the hacker's wallet. Elliptic has conducted a thorough analysis of the laundering process, in which several techniques have already been used, such as mixers and splitting the funds into smaller amounts across numerous transactions. However, most of the funds are yet to be spent or cashed out.

Hey, if this email was forwarded to you, or if you are coming from any other social media and have enjoyed our content, maybe you can support us by subscribing to our newsletter and forwarding this email.

Attacking Titan M with Only One Byte #hardware-hacking

Damiano Melotti and Maxime Rossi Bellom provide details on CVE-2022-20233, the latest vulnerability they found in Titan M, the security chip Google introduced in its Pixel smartphones. The article explains how they found the bug using emulation-based fuzzing with AFL++ in Unicorn mode, and how they turned it into code execution on the chip.

From Shared Dash to Root Bash: Pre-Authenticated RCE in VMware vRealize Operations Manager #appsec

Steven Seeley (mr_me) identified a handful of security vulnerabilities in VMware's vRealize Operations Management Suite (vROps). As a result of the research project, he was able to chain them into a pre-authenticated remote root exploit.

Attack flow used to exploit the vulnerabilities

The article details each of the issues Steven discovered and how he chained them into a pre-authenticated RCE on VMware vRealize Operations Manager (vROps).

Google Cloud Shell - Command Injection #appsec

Bugra found a command injection vulnerability affecting the Cloud Shell terminal. By tampering with one of the URL parameters, he was able to inject Python code and obtain a remote shell on the target.

Command injection triggered in Cloud Shell

Cross-Function Re-Entrancy in the Wild #smartcontracts

A re-entrancy vulnerability was identified in Spool, a vault that acts as middleware for DeFi. The issue affected one of the available withdrawal options: by re-entering the contract through a different function during the withdrawal, an attacker could double the amount withdrawn. The issue, reported through Immunefi, was fixed immediately after the team was notified.
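
An added model of the bug class, written in Python rather than Solidity and not Spool's code; it makes no claim about Spool's actual functions. `VulnerableVault.withdraw` calls the recipient before zeroing its balance, so the attacker's callback re-enters `transfer`, a different function that trusts the same balance, and hands the stale credit to an accomplice who then withdraws it too. `HardenedVault` applies checks-effects-interactions and a single contract-wide lock to both functions. `Attacker`, `Honest` and the amounts are constructed for the run.

```python
"""Cross-function re-entrancy, modelled in Python.

Added example; not Spool's code. A vault whose withdraw() makes an external
call before updating the caller's balance can be re-entered through a
second, unguarded function that trusts the same balance. EVM details are
simplified: a failing inner call raises, and the attacker's callback catches
it, as a Solidity fallback could with try/catch, so the outer call proceeds.
"""
from functools import wraps


class ReentrancyError(RuntimeError):
    pass


def non_reentrant(fn):
    """Contract-wide mutex: every guarded function shares one lock."""
    @wraps(fn)
    def wrapper(self, *args, **kwargs):
        if self._locked:
            raise ReentrancyError(fn.__name__)
        self._locked = True
        try:
            return fn(self, *args, **kwargs)
        finally:
            self._locked = False
    return wrapper


class VulnerableVault:
    def __init__(self):
        self.balances: dict = {}
        self.pool = 0                         # assets actually held by the vault
        self._locked = False

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.pool += amount

    def transfer(self, who, to, amount):
        """Internal balance transfer; no external call, so it looks harmless."""
        if self.balances.get(who, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[who] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

    def withdraw(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0:
            raise ValueError("nothing to withdraw")
        self.pool -= amount
        who.receive(self, amount)             # interaction before effect
        self.balances[who] = 0                # too late: balance was spendable above


class HardenedVault(VulnerableVault):
    @non_reentrant
    def transfer(self, who, to, amount):
        super().transfer(who, to, amount)

    @non_reentrant
    def withdraw(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0:
            raise ValueError("nothing to withdraw")
        self.balances[who] = 0                # effect first (checks-effects-interactions)
        self.pool -= amount
        who.receive(self, amount)


class Honest:
    def __init__(self):
        self.received = 0

    def receive(self, vault, amount):
        self.received += amount


class Attacker:
    """On callback, moves the still-credited balance to an accomplice."""
    def __init__(self, accomplice):
        self.accomplice = accomplice
        self.received = 0

    def receive(self, vault, amount):
        self.received += amount
        try:
            vault.transfer(self, self.accomplice, amount)   # re-enter another function
        except (ReentrancyError, ValueError):
            pass                                            # inner call "reverted"


def run_attack(vault_cls) -> tuple[int, int]:
    """Returns (total paid to the attacker's side, assets left in the pool)."""
    vault = vault_cls()
    honest, accomplice = Honest(), Honest()
    attacker = Attacker(accomplice)
    vault.deposit(honest, 100)                # constructed amounts
    vault.deposit(attacker, 100)
    vault.withdraw(attacker)
    try:
        vault.withdraw(accomplice)            # cashes out the duplicated balance
    except ValueError:
        pass                                  # nothing credited on the hardened vault
    return attacker.received + accomplice.received, vault.pool


if __name__ == "__main__":
    print("vulnerable:", run_attack(VulnerableVault))   # attacker side gets 200
    print("hardened:  ", run_attack(HardenedVault))     # attacker side gets 100
```

The point to carry over to Solidity is that a `nonReentrant` modifier on `withdraw` alone does not help here: the re-entered function is `transfer`, so the guard must be shared by every function that reads or writes the balance mapping, and the balance update must precede the external call regardless.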

The Cloud has an Isolation Problem: PostgreSQL Vulnerabilities Affect Multiple Cloud Vendors #cloud

Wiz Research found multiple vulnerabilities in the PostgreSQL-as-a-Service offerings of several popular cloud vendors. The vulnerabilities stem from the modifications cloud vendors made to PostgreSQL to fit it into their platforms. This article focuses on the technical details of the research and walks through the exploration of Google Cloud Platform (GCP) infrastructure that led to successfully exploiting the same class of vulnerability there.

Cisco Talos Shares Insights Related to Recent Cyber Attack on Cisco #incident-response

Back in May, a Cisco employee's credentials were compromised after an attacker gained control of a personal Google account to which credentials saved in the victim's browser were being synchronized. Through voice phishing, the attacker then persuaded the victim to accept an MFA push notification, which granted VPN access in the context of the targeted user. The attacker went on to attempt to maintain access and pivot to other systems within the environment. The article presents the research done by the Cisco Talos and Cisco Security Incident Response (CSIRT) teams and is an interesting read for understanding how the attacker approached the target.

Liferay Revisited: A tale of $20k #appsec

An interesting write-up in which the authors went from a Tomcat jkstatus page to exploiting a Liferay 6 JSON Web Service pre-auth RCE at a fintech company, bypassing Akamai along the way.

Several Malicious Packages on PyPI detected #appsec

CloudGuard Spectral detected 10 malicious packages on PyPI that installed info-stealers used by attackers to steal developers' private data and personal credentials.

 🙏 Support us

Enjoy reading the Security Pills newsletter? Consider sponsoring our next edition or buying me a coffee. You can also share us with your friends and follow us on Twitter.

🎥 Videos

⌨️ Repositories

  • sourceincite/DashOverride — Pre-authenticated RCE exploit for VMware vRealize Operations Manager.

  • gitleaks/gitleaks-action — SAST tool for detecting and preventing hardcoded secrets like passwords, api keys, and tokens in git repos.

  • d4rckh/gorilla — wordlist tool with functionality for building wordlists based on patterns, building wordlists from the words on a web page, and extending existing wordlists using mutations.

🎙️ Podcasts

  1. Malicious Life: Designed by criminals, for criminals — Operation Trojan Shield. The Anom was the holy grail of dark, illegal communication: a mobile phone that could send encrypted messages, and even included a secret kill switch to foil attempts by law enforcement agents to get to its contents. Thousands of criminals used the Anom, certain that they were completely safe from the police... They were wrong.

  2. Risky Biz Soap Box: Okta's Brett Winterford on session cookie theft and mitigations — Okta’s APAC CISO and former Risky Biz editor Brett Winterford talks about how attackers are getting much better at swiping session cookies via real-time phishing and malware.

💡 Hacking Tips

  • @ReconOne_ on discovering Log4j vulnerability at scale.

  • @0dayCTF on best SSRF bypass list

  • @snovvcrash on looking for a legitimate way of achieving persistence on Windows

📧 Wrapping up

If you enjoyed this newsletter and think others would too, it would mean a lot to us if you forwarded this email to other people who may enjoy it. You can also follow me on Twitter and let me know your feedback or comments, or simply reply to this email; I'd love to get in touch with you.

Thanks,
Sebas @0xroot | @secpillsnews