🕵️📱 Mysterious iPhone reboots, Tor under attack, Citrix Unauth RCE (@SinSinology), GitHub Actions attack (@adnanthekhan), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-11-04 to 2024-11-12.
News
- Defending the Tor network: Mitigating IP spoofing against Tor - Attackers used spoofed IP packets to trigger automated abuse complaints against Tor relay providers. Many people host Tor relays as they are "safe" in that the shuttle encrypted traffic between other Tor nodes, and thus are typically not subject to abuse complaints. For technical details see the post One weird trick to get the whole planet to send abuse complaints to your best friend(s).
- PAN-SA-2024-0015 Important Informational Bulletin: Ensure Access to Management Interface is Secured - This is a strange "there may be an exploit" bulletin. Get your management interfaces secured either way.
- The Open Source AI Definition - 1.0 - Lots of controversy on this definition of "Open Source" AI. Some are not happy. I personally agree with Bruce Schneier that "open weights" is a much better term for this type of AI.
- VMware Fusion and Workstation are Now Free for All Users - After being acquired by Broadcom, VMware has not done well in the court of public opinion after raising prices and killing off the free tier of the popular ESXi hypervisor. It looks like they are backtracking with this move. The damage is likely already done, as many businesses are actively migrating to alternatives. Ludus is built on the open source KVM/Proxmox.
- Police Freak Out at iPhones Mysteriously Rebooting Themselves, Locking Cops Out - Law enforcement claims that iOS 18 is causing iPhones to communicate with each other and reboot. Occam's Razor would suggest that perhaps iOS 18 is just buggy, crashes, and reboots. However, it has later been reported that this is a feature of iOS 18.1 where iPhones will reboot if not unlocked for 4 days. The iPhone to iPhone communication almost certainly not the cause of the reboots.
Techniques and Write-ups
- Life on a crooked RedLine: Analyzing the infamous infostealer's backend - Deep technical details on the Redline backend that was taken down last week.
- Attackers Abuse DocuSign API to Send Authentic-Looking Invoices At Scale - Clever use of "3rd party" emailers that are likely allowlisted by targets to deliver phishing content.
- CRON#TRAP: Emulated Linux Environments as the Latest Tactic in Malware Staging - Attackers drop a "pivotbox" TinyCore Linux virtual machine run by QEMU to bypass detections and expand access into Windows networks.
- Group Policy Security Nightmares pt 1 - A post on how Group Policy can be misconfigured to create security issues in Windows Active Directory networks.
- A New Era of macOS Sandbox Escapes: Diving into an Overlooked Attack Surface and Uncovering 10+ New Vulnerabilities - Applications on macOS have a complex sandbox system based on entitlements, and by really digging into it, Mickey Jin found a lot of vulnerabilities.
- Filling up the DagBag: Privilege Escalation in Google Cloud Composer - If you can get write access to a Google Cloud Composer bucket, you can execute arbitrary command execution in the composer pipeline.
- Release-Drafter To google/accompanist Compromise: VRP Writeup - A good example of an in-the-wild GitHub Actions attack.
- Visionaries Have Democratised Remote Network Access - Citrix Virtual Apps and Desktops (CVE Unknown) - Watchtowr has been on a tear recently, and this one is a classic .NET deserialization exploit, but with a twist of jumping protocols - from HTTP to MSMQ. This feels like a CVSS 10.
Tools and Exploits
- Command Injection Vulnerability in 'name' parameter for D-Link NAS - Unauthenticated remote code execution against a four different network attached storage devices, with over 60,000 on the internet.
- CVE-2024-44258 - Proof of concept of a symlink vulnerability within the ManagedConfiguration framework and the profiled daemon in Apple devices. When restoring a crafted backup, the migration process fails to validate whether the destination folder is a symbolic link (symlink), leading to unauthorized file migration into restricted areas.
- Carseat is a python implementation of Seatbelt. This tool contains all (all minus one technically) modules in Seatbelt that support remote execution as an option.
- ShadowDumper is a powerful tool used to dump LSASS memory, often needed in penetration testing and red teaming. It uses multiple advanced techniques to dump memory, allowing to access sensitive data in LSASS memory. [Note: feels largely AI generated]
- BlindBrute is a highly customizable Python tool designed for blind SQL injection attacks. It supports multiple detection methods, including status code, content length, keyword comparison, and time-based. It also allows for flexible payload injection using headers, query strings, request data, and raw HTTP request templates, making it adaptable to a wide range of scenarios.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- ZombAIs: From Prompt Injection to C2 with Claude Computer Use - AI is the new hot topic, and soon AI models will be interacting with your computer, potentially with malicious prompt injection controlling them.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.