
CybersecNews Weekly

November 14, 2021

CyberSecNews Weekly - 0x03-W4521

News

  • Lightweight Cryptography | CSRC | CSRC
    NIST has published a call for algorithms (with test vector generation code) to be considered for lightweight cryptographic standards. This was driven by the fast rise of highly constrained devices powering IoT systems, which struggle to run cryptographic algorithms designed for server/desktop computing. After two rounds, 10 candidates were selected out of 57.

  • American spy hacked Booking.com, company stayed silent
    Hacker ‘Andrew,’ who had close ties with American intelligence services, accessed thousands of hotel reservations in Middle-Eastern countries. Booking.com did not report the data breach to customers or authorities.

  • Zero-Day Disclosure: PAN GlobalProtect CVE-2021-3064
    On November 10, 2021 Palo Alto Networks (PAN) provided an update that patched CVE-2021-3064, which was discovered and disclosed by Randori. The impact of this CVE can be huge because PAN GlobalProtect is a product used by many large companies and public institutions.

  • Microsoft urges Exchange admins to patch bug exploited in the wild
    Another on-premises MS Exchange bug exploited in the wild.

  • BrakTooth Bluetooth Bugs Bite: Exploit Code, PoC Released
    CISA is urging vendors to patch, given the release of public exploit code and a proof-of-concept tool for bugs that open billions of devices – phones, PCs, toys, etc. – to DoS and code execution. This exploit affects many vendors and devices, and many of them may still be unpatched.

  • Unboxing BusyBox - 14 new vulnerabilities uncovered by Claroty and JFrog | JFrog
    BusyBox is a lightweight Linux platform that is very common in embedded devices. This team found 14 vulnerabilities, most of them leading to DoS. This is a very interesting writeup for understanding the phases of discovering and exploiting a new vulnerability.

Tools

  • CarveSystems/smbls: A simple Impacket-based tool to check a set of credentials against many Windows hosts and get permission for SMB shares.

  • microsoft/restler-fuzzer: RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services.

  • malware-ioc/rakos at master · eset/malware-ioc
    A collection of IoC useful to detect Rakos, a malware targeting embedded devices.

Articles

  • Serverless Threat Modelling 🚀
    How and why you should threat model your Serverless solutions on AWS, with visual examples of a real life walk through.

  • Practical HTTP Header Smuggling: Sneaking Past Reverse Proxies to Attack AWS and Beyond
    HTTP request smuggling was discovered in 2005, but it is now making a comeback. This is a practical explanation of how it works and how it can be used to bypass restrictions and rate limits and to perform cache poisoning.

  • r2c blog — Semgrep: a static analysis journey
    Semgrep is one of the most famous tools in the AppSec space. This is a tale about how an academic project for the Linux kernel evolved into a multilingual security tool.

  • The Invisible JavaScript Backdoor – Certitude Blog
    Using Unicode "invisible" characters is a well-known technique used for phishing. Here the author shows how it can be used to insert an invisible backdoor inside a JS codebase.

Tutorial

  • Finding Privilege Escalation Vulnerabilities in Windows using Process Monitor

  • Finding and Fixing DOM-based XSS with Static Analysis

  • BOF2shellcode — a tutorial converting a stand-alone BOF loader into shellcode

  • Containers in a nutshell — ähm pod! Containers in a pod
    Container orchestration and DevSecOps explained in a K8S scenario.

  • How I Escalated a Time-Based SQL Injection to RCE

  • The Principles of DevSecOps
    DevSecOps is one of the latest hot topics in cybersecurity. This is an introduction to the methodology.

IR & Reversing

  • A detailed analysis of the STOP/Djvu Ransomware

  • Six Palestinian organizations hacked with NSO Group’s Pegasus Spyware

  • AT&T Alien Labs finds new Golang malware (BotenaGo) targeting millions of routers and IoT devices with more than 30 exploits
    AT&T Alien Labs™ has found new malware written in the open source programming language Golang. Deployed with more than 30 exploits, it has the potential to target millions of routers and IoT devices.
