CybersecNews Weekly

February 13, 2022

CyberSecNews Weekly - 0x16-W0722

News

  • QR codes on Twitter deliver malicious Chrome extension
    ISO file downloads are advertised via QR codes on Twitter and on supposedly free gaming sites, but they don’t contain what they promise.

  • CVE-2022-0435: Remote Stack Overflow in Linux Kernel TIPC Module since 4.8

Tools

  • XSSearch
    XSSearch is a comprehensive reflected XSS tool built on the Selenium framework in Python. It contains more than 3000 payloads for automating XSS attacks and validating XSS endpoints.

  • kube-hunter
    Hunt for security weaknesses in Kubernetes clusters

  • firedrill
    firedrill is a malware simulation harness for evaluating your security controls

  • authorizer
    An open source authentication and authorization system. Bring your database and have an authentication microservice ready in a few clicks.

Articles

  • Shadow Credentials
    Microsoft has introduced Windows Hello for Business (WHfB) to replace traditional password-based authentication with a key-based trust model. This implementation uses a PIN or biometrics linked to a cryptographic certificate pair to allow users on the domain to access resources.

  • PPE — Poisoned Pipeline Execution
    Running malicious code in your CI, without access to your CI

  • Bypassing the AWS WAF protection with an 8KB bullet
    The AWS WAF and Shield service can be used to protect web applications against a lot of different types of attacks. However, it has a limitation on the size of the packet that it can inspect that could result in attackers being able to bypass its protection features.

  • Attack trend alert: AWS-themed credential phishing technique
    They’re at it again. This time attackers are phishing for credentials by sending fake AWS log-in pages to unsuspecting users. Find out how our crew identified and triaged a phishing email.

Tutorial

  • Internet-Wide Study: State Of SPF, DKIM, And DMARC
    A very detailed study of how SPF, DKIM and DMARC work and how they are (mis)configured in 2.2 billion domains

  • Assume Role Logic
    How Assume Role functionality works cross account and in the same account.

  • eBPF: Block Linux Fileless Payload “Malware” Execution with BPF LSM

  • Docker network sniffing and attacking techniques

  • Enabling Zero Trust with Azure network security services

  • How to deploy AWS Network Firewall to help protect your network from malware

IR & Reversing

  • How Docker Made Me More Capable and the Host Less Secure
    After Docker released a fix for CVE-2021-21284, it unintentionally created a new vulnerability that allows a low-privileged user on the host to execute files from Docker images.