CyberWeekly 13' July | Issue #5
Evernote RCE, Windows Remoting, CVE-2021-40444, MSHTML, Pentesting AD, Reverse engineering .NET, WGU, Global AppSec 2024 Lisbon, Universal RCE, False File Immutability, EvilnoVNC, STOK, Polyfill.io
📰 News
RADIUS/UDP vulnerable to improved MD5 collision attack
Researchers have discovered an improved chosen-prefix collision attack on MD5 that allows an attacker with access to RADIUS/UDP traffic to forge an "Access-Accept" packet from a legitimate "Access-Reject" response, granting unauthorized administrative access to devices using RADIUS for authentication.
The attack, dubbed "Blast-RADIUS", exploits weaknesses in how MD5 is used in the RADIUS "Response Authenticator" and can be executed in under 5 minutes using a cluster of aging CPUs and low-end GPUs.
Mitigations include transitioning to RADIUS over TLS (RADSEC), which provides end-to-end encryption and integrity protection, and applying vendor patches for RADIUS/UDP deployments that cannot be upgraded to RADSEC immediately.
The attack affects all non-EAP authentication modes of RADIUS/UDP and highlights the need to move away from protocols relying on outdated cryptography like MD5.
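As an added illustration (not code from the article or the Blast-RADIUS researchers) of how RADIUS/UDP binds a response to its request with MD5 per RFC 2865: the shared secret, request authenticator and Reply-Message attribute below are constructed values, and the check shows that a naive Reject-to-Accept edit is rejected, so a forgery has to produce an MD5 collision over exactly these inputs.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
REPLY_MESSAGE = 18  # attribute type from RFC 2865

def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type | Length | Value (Length covers the 2-byte header)."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def response_authenticator(code: int, ident: int, request_auth: bytes,
                           attrs: bytes, secret: bytes) -> bytes:
    """RFC 2865: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_response(code: int, ident: int, request_auth: bytes,
                   attrs: bytes, secret: bytes) -> bytes:
    """Assemble a server response: 4-byte header, 16-byte authenticator, attributes."""
    auth = response_authenticator(code, ident, request_auth, attrs, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client-side check: recompute the authenticator and compare in constant time."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, request_auth, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])

def with_code(packet: bytes, code: int) -> bytes:
    """Rewrite only the Code byte, leaving the authenticator untouched."""
    return bytes([code]) + packet[1:]

# Constructed sample values (not from any real deployment).
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))  # a real client would send 16 random bytes
REJECT = build_response(ACCESS_REJECT, 7, REQUEST_AUTH,
                        attribute(REPLY_MESSAGE, b"denied"), SECRET)

if __name__ == "__main__":
    print("genuine Access-Reject verifies:", verify_response(REJECT, REQUEST_AUTH, SECRET))
    tampered = with_code(REJECT, ACCESS_ACCEPT)
    print("Code flipped to Access-Accept verifies:", verify_response(tampered, REQUEST_AUTH, SECRET))
```

Because the Code byte sits inside the MD5 input, the only way past this check without the secret is a collision between the Reject and Accept inputs, which is the weakness the researchers exploit and why RADSEC is the recommended fix.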
Australia Instructs Government Entities to Examine Technology for Risk of Exposure to Foreign Control
The direction is issued under the Protective Security Policy Framework (PSPF), which exists to protect Australian government assets and information and to guide agencies in managing protective security risks and implementing protective security measures.
It applies to all Australian government agencies, including departments, statutory authorities, and other entities, and includes specific directions on risk management, security awareness, physical security, personnel security, and information security.
Agencies are required to develop and maintain protective security policies and procedures in accordance with the directions.
Agencies must also report on their compliance with the directions and provide regular updates to the Protective Security Coordination Centre (PSCC).
Joint Advisory from International Intelligence Agencies on Chinese APT Group Activity
APT40 is a state-sponsored cyber group from the People's Republic of China (PRC) that has targeted organizations in various countries, including Australia and the United States.
APT40 rapidly exploits newly disclosed vulnerabilities in widely used software like Log4J, Atlassian Confluence, and Microsoft Exchange within hours or days of public release.
APT40 prefers exploiting vulnerable public-facing infrastructure over techniques requiring user interaction, and places a high priority on obtaining valid credentials.
APT40 regularly uses web shells for persistence and has evolved its techniques to use compromised small-office/home-office (SOHO) devices as operational infrastructure and last-hop redirectors.
Case Study 1:
In mid-2022, APT40 successfully compromised an organization's network by exploiting a custom web application, enumerating the network, and using stolen credentials to move laterally and exfiltrate data.
The group employed techniques such as web shell deployment, Kerberoasting, and mounting SMB shares to achieve its objectives.
The investigation revealed the organization was likely deliberately targeted by APT40 rather than falling victim opportunistically.
Case Study 2:
In early 2022, APT40 compromised another organization's network, gaining initial access through a vulnerable internet-facing application and using stolen credentials to move laterally and exfiltrate data.
The group used techniques such as web shell deployment, credential theft, and data exfiltration over command-and-control channels.
The investigation found the organization was likely deliberately targeted by APT40.
📑 Blog Reads
Windows Remoting: Difference between psexec, wmiexec, atexec, *exec
CVE-2021-40444 - RCE in Microsoft's MSHTML browser rendering engine | MerkSpy
Recent Supply Chain Cyberattacks and lessons learnt from that
📹️ Videos
Is Western Governors University (WGU) Worth It? By Tyler Ramsbey
Global AppSec 2024 Lisbon By OWASP Foundation
How to Get Pentesting Experience By The Cyber Mentor
Live Recon: Hacking With STOK By NahamSec
📚 Recommended Reading
Universal Code Execution by Chaining Messages in Browser Extensions
Introducing a New Vulnerability Class: False File Immutability
⚒️ Tools
EvilnoVNC - Ready-to-go phishing platform. Unlike other phishing techniques, EvilnoVNC allows 2FA bypassing by using a real browser over a noVNC connection. This tool allows the operator to see all of the victim's actions in real time and to access their downloaded files and the entire browser profile, including cookies, saved passwords, browsing history and much more.
Graphpython - A modular Python tool for cross-platform Microsoft Graph API enumeration and exploitation. It builds upon the capabilities of AAD-Internals (Killchain.ps1), GraphRunner, and TokenTactics (V2) to provide a comprehensive solution for interacting with the Microsoft Graph API in red team and cloud assumed-breach operations.
🔬 Research
SpiralShard: Highly Concurrent and Secure
Without our sponsors and partners, hacklido wouldn't be where it is now, so we would like to thank them.
Sponsors:
Community Partners:
If you wish to sponsor or partner with hacklido and benefit from it, reach out to us via email@hacklido.com to discuss it with us!