
CybersecNews Weekly

November 7, 2021

0x02-W4421.md

News

  • Predicting the Next OWASP API Security Top 10
    API security risk has dramatically evolved in the last two years. Jason Kent, Hacker-in-Residence at Cequence Security, discusses the top API security concerns today and how to address them.

  • research!rsc: On “Trojan Source” Attacks

  • Popular NPM Package Hijacked to Publish Crypto-mining Malware
    A popular JavaScript NPM library with over 6 million weekly downloads was hijacked to publish crypto-mining malware.

  • A cyberattack paralyzed every gas station in Iran
    Ebrahim Raisi's remarks stopped short of assigning blame for the attack, which rendered useless the government-issued electronic cards that many Iranians use to buy subsidized fuel at the pump.

  • All Access Pass: Five Trends with Initial Access Brokers - Kela
    Victoria Kivilevich, Threat Intelligence Analyst

  • Widespread security risk identified in phones and Bluetooth devices
    Approximately 40 percent of mobile phones may be compromised

Tools

  • google/security-research
    This project hosts security advisories and their accompanying proof-of-concepts related to research conducted at Google which impact non-Google owned code.

  • edoardottt/cariddi
    Take a list of domains, crawl URLs and scan for endpoints, secrets, API keys, file extensions, tokens and more.

  • MahdiMashrur/Awesome-Application-Security-Checklist at FAUN-Zeno1
    Checklist of the most important security countermeasures when designing, creating and testing your web/mobile application.

  • Building an end-to-end Kubernetes-based DevSecOps software factory on AWS | Amazon Web Services
    DevSecOps software factory implementation can significantly vary depending on the application, infrastructure, architecture, and the services and tools used. In a previous post, I provided an end-to-end DevSecOps pipeline for a three-tier web application deployed with AWS Elastic Beanstalk. The pipeline used cloud-native services along with a few open-source security tools. This solution is similar, […]

  • Azure/SimuLand
    Understand adversary tradecraft and improve detection strategies.

Articles

  • Kubernetes Threat Modelling
    Every security team has to deal with one question: “Are my services/deployments secure?” Answering this is non-trivial, and involves understanding the threat vectors faced by the services.

  • New Quishing Campaign Shows How Security Can Be Bypassed
    A new phishing campaign using QR codes exploits compromised hosts to send emails, and major services to maintain and host their phishing pages.

  • Evolving Zero Trust—Lessons learned and emerging trends - Microsoft Security Blog
    Microsoft shares its updated position on the end-to-end implementation of a Zero Trust framework.

  • NIST Special Publication (SP) 800-204C (Draft), Implementation of DevSecOps for a Microservices-based Application with Service Mesh
    Cloud-native applications have evolved into a standardized architecture consisting of multiple loosely coupled components called microservices (implemented as containers), supported by code for providing application services called service mesh. Both of these components are hosted on a container orchestration and resource management platform, which is called a reference platform in this document. Due to security, business competitiveness, and its inherent structure (loosely coupled application components), this class of applications needs a different application development, deployment, and runtime paradigm. DevSecOps (consisting of three acronyms for Development, Security, and Operations, respectively) has been found to be a facilitating paradigm for these applications with primitives such as Continuous Integration, Continuous Delivery, and Continuous Deployment (CI/CD) pipelines. These pipelines are workflows for taking the developer’s source code through various stages, such as...

  • Defending Azure Active Directory with Azure Sentinel – Azure Sentinel 101
    Azure Active Directory doesn’t really need any introduction, it is the core of identity within Microsoft 365, used by Azure RBAC and used by millions as an identity provider. The thing about …

  • CVE + MITRE ATT&CK® to Understand Vulnerability Impact | by Jon Baker | MITRE-Engenuity | Oct, 2021 | Medium
    Written by Jonathan Evans, Jon Baker, and Richard Struse.

  • How to run your own admission controller on Kubernetes – NillsF blog
    I’ve done some work with a customer lately, where I helped them build a mutating admission controller on Kubernetes. The goal of this blog post is to explain what admission controllers are and how to deploy them on Kubernetes. To keep the content of the post manageable, the development of the admission controller itself is […]

  • Serverless Threat Modelling 🚀
    How and why you should threat model your Serverless solutions on AWS, with visual examples of a real life walk through

Tutorial

  • Finding gadgets like it's 2015: part 1
    We found a new Java gadget chain in the Mojarra library, one of the most used implementations of the JSF specification.

  • Attacking and Securing CI/CD Pipeline
    ATT&CK-like Threat Matrix for CI/CD Pipeline on GitHub: https://github.com/rung/threat-matrix-cicd
    Place: CODE BLUE 2021 OpenTalks at Tokyo
    Presenter: Hiroki SUEZAWA (https://www.suezawa.net)
    Abstract: With the popularization of Dev(Sec)Ops, the CI/CD (Continuous Integration and Delivery) environment is becoming more and more common in modern application development and infrastructure management. On the other hand, the security of the CI/CD pipelines themselves has not been focused on as much as it should be from a security perspective.

    In 2021, Mercari was affected by a supply chain attack caused by the use of Codecov, which allowed an intrusion into the CI/CD pipelines. The purpose of this presentation is to share a comprehensive summary of both the attack methods often used against CI/CD pipelines and our insights in securing the CI/CD infrastructure. While we acquired some of this knowledge the hard way, through direct incident response, we hope that our experience will be useful to anyone trying to proactively improve the security posture of their CI/CD pipelines.

  • Universal Radio Hacker: Investigate Wireless Protocols like a Boss
    This article is from the Open Source Tools edition, which you can download for free if you have an account on our website. Refers to URH version 1.9.1. Contact: Johannes.Pohl90@gmail.com, Andreas.Noack@hochschule-stralsund.de

IR & Reversing

  • Flare-On 2021: PetTheKitty
    PetTheKitty started with a PCAP with two streams. The first was used to download and run a DLL malware, and the second was the C2 communications of that malware. The malware and the initial downloader use Windows Delta patches to exchange information. I’ll reverse the binary to understand the algorithm and decode the reverse shell session to find the flag.

  • Android Patches Actively Exploited Kernel Bug
    Google’s Android November 2021 security updates plug 18 flaws in the framework and system components and 18 more in the kernel and vendor components.

  • From Zero to Domain Admin
    This report will go through an intrusion from July that began with an email, which included a link to Google's Feed Proxy service that was used to download a malicious Word document. Upon the user enabling macros, a Hancitor dll was executed, which called the usual suspect, Cobalt Strike.

  • InfoSec Handlers Diary Blog
    Video: Phishing ZIP With Malformed Filename, Author: Didier Stevens

  • Anatomy of a Linux Ransomware Attack | LinuxSecurity.com
    While 85% of ransomware attacks target Windows systems, Linux is becoming an increasingly popular ta
