Vulnerable U | #075
ESX Admin VMware vulnerability, DEFCON parties, Specula Outlook C2 tool, Chrome makes it harder for malware to steal cookies, Android malware all over, and record breaking ransomware
Read Time: 6 minutes
Can you feel that?
I can smell it: the recycled cigarette smoke filling the air, the 120-degree heat with 0% humidity, and the guys slapping stacks of "business cards" on the street.
Hacker summer camp is upon us. Who is all Vegas bound? What talk, workshop, party, village, etc., are you most excited about? Reply to this email to let me know.
I'll see some of you there? I've got a few dozen T-shirts to give away if you show me you're subscribed. :)
ICYMI
Something I wrote: Been thinking a lot about building up good talent.
Something I heard: AI Plankton singing Pink Pony Club just absolutely scratches my brain in the right parts.
Something I think you'll dig: I got a demo of Material in the early days and remember saying: "This is just how Google should work out of the box"*
Something I said: It's always wild to me that malware still sneaks into the official Google Play store for Android phones.
Something I read: Daniel Miessler is at it again and released something I can see being a big shift in how humans and AI interact and level up. He's calling it Substrate.
*Sponsor
Sponsor
Get the most from your security teamās email alert budget
Relying on built-in controls or traditional blockers will inevitably lead to more noise than your incident response team can handle.
Material Security takes a pragmatic approach to email security: stopping new flavors of phishing and pretexting attacks before they reach the user's mailbox, while searching through everyone else's mailbox for similar messages in a campaign. What gets surfaced to your team are the highest-value cases to investigate, with all the context and reach consolidated into a single view.
Free up more of your alert budget so your team can spend it on what really matters. See how much time you can give back to your security team with Material.
Vulnerable News
In today's WTF?!?!? moment
When a ESXi server is domain-joined, it assumes any "ESX Admins" group & its members should have full admin rights.
So.... anyone who can create & manage a group in AD, can get full admin rights to the VMware ESX hypervisors!
microsoft.com/en-us/security…
Sean Metcalf (@PyroTek3)
4:52 PM • Jul 29, 2024
TL;DR on the WTF here: domain-joined VMware ESXi hosts look for an AD group named 'ESX Admins'. By that name, the literal string, not a SID or any identifier the hypervisor admin actually controls. Anyone who is a member gets full administrative rights on the host. Attackers figured this out, and guess what they started naming groups once they had a foothold in AD? Because the check is on the name alone, creating a new group called 'ESX Admins' (or renaming an existing one to match) is all it takes, and the user doing it only needs enough AD rights to create or manage a group, not domain admin.
Here is an example in the wild of a full attack tree breakdown:
I love these TTP writeups out of Microsoft, and this ESX thing is just mind blowing to me: the group name is treated as gospel. The full writeup has a lot more examples. (read more)
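A simple hunt for this technique, as an added example that is not from the newsletter or from Microsoft's writeup: it scans Windows Security audit events for a group being created, populated, or renamed with the name ESXi trusts. The event records are constructed and flattened into key=value lines for illustration, and the mapping from event ID to meaning is an assumption you should confirm against your own domain controllers' audit policy before relying on it.

```python
"""Hunt AD audit events for the "ESX Admins" group technique.

Added example, not code from the newsletter or from Microsoft. The records
in SAMPLE_EVENTS are constructed; real events would come from a SIEM or
Get-WinEvent and need flattening into the key=value form parsed here.
"""
import re
from dataclasses import dataclass

# ESXi grants admin by group *name*, so hunt by name. Matching is deliberately
# looser than whatever comparison ESXi itself does (case-insensitive, any
# whitespace) so that variants get surfaced for a human to look at.
TRUSTED_GROUP_NAME = re.compile(r"^\s*esx\s+admins\s*$", re.IGNORECASE)

# Windows Security event IDs grouped by meaning (assumed mapping; verify
# against your DCs' audit configuration).
GROUP_CREATED = {4727, 4731, 4754}   # security-enabled global/local/universal group created
MEMBER_ADDED = {4728, 4732, 4756}    # member added to global/local/universal group
ACCOUNT_RENAMED = {4781}             # "The name of an account was changed"


@dataclass
class Finding:
    event_id: int
    reason: str
    actor: str        # SubjectUserName: who made the change
    group: str        # the group name that matched
    detail: str = ""  # member that was added, or the old name before a rename


def parse_event(line: str) -> dict:
    """Parse 'Key=value Key="quoted value"' records into a dict."""
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', line)
    return {key: value.strip('"') for key, value in pairs}


def analyze(lines):
    """Return a Finding for every event that creates, fills, or renames a
    group into the name ESXi trusts."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        event_id = int(ev.get("EventID", 0))
        actor = ev.get("SubjectUserName", "<unknown>")
        target = ev.get("TargetUserName", "")
        if event_id in GROUP_CREATED and TRUSTED_GROUP_NAME.match(target):
            findings.append(Finding(event_id, "group created with ESXi-trusted name",
                                    actor, target))
        elif event_id in MEMBER_ADDED and TRUSTED_GROUP_NAME.match(target):
            findings.append(Finding(event_id, "member added to ESXi-trusted group",
                                    actor, target, ev.get("MemberName", "")))
        elif event_id in ACCOUNT_RENAMED and TRUSTED_GROUP_NAME.match(ev.get("NewTargetUserName", "")):
            findings.append(Finding(event_id, "existing group renamed to ESXi-trusted name",
                                    actor, ev["NewTargetUserName"], ev.get("OldTargetUserName", "")))
    return findings


# Constructed sample: a create-and-populate sequence, a rename, and two benign events.
SAMPLE_EVENTS = [
    'EventID=4727 SubjectUserName=svc_backup TargetUserName="ESX Admins" TargetDomainName=CORP',
    'EventID=4728 SubjectUserName=svc_backup TargetUserName="ESX Admins" '
    'MemberName="CN=jdoe,CN=Users,DC=corp,DC=example"',
    'EventID=4781 SubjectUserName=helpdesk01 OldTargetUserName="Print Ops" NewTargetUserName="esx admins"',
    'EventID=4727 SubjectUserName=it_admin TargetUserName="Finance Team"',
    'EventID=4728 SubjectUserName=it_admin TargetUserName="Finance Team" '
    'MemberName="CN=asmith,CN=Users,DC=corp,DC=example"',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.event_id}] {f.reason}: actor={f.actor} group={f.group!r} detail={f.detail!r}")
```

Run against the sample, the two "Finance Team" events are ignored and the three "ESX Admins" events (create, add member, rename) come back as findings with the acting account attached, which is the pivot you want for the rest of the investigation. The rename case is the one most hunts miss: no new group is created, so a rule keyed only on group-creation events never fires.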
Go through and sign up for things today! I'm sure these reg sheets will start closing soon. (read more)
Anything can be a C2 if you try hard enough! Cool tool and a bit of training put out by TrustedSec on how they use Outlook to run commands from inside a trusted process (Outlook itself) during engagements. (read more)
Google Chrome is leveling up its defenses against cookie theft infostealer malware with a new security feature for Windows users. In Chrome 127, the browser will introduce App-Bound Encryption primitives, which tie data encryption to app identity. This enhancement prevents malicious applications from accessing sensitive data like cookies, even when running under the logged-in user's privileges.
The new App-Bound Encryption system requires attackers to gain system privileges or inject code into Chrome to access encrypted data, making their actions more detectable by antivirus software. This protection is particularly beneficial for enterprise environments where users lack administrator privileges. Google plans to extend this security measure to passwords, payment data, and other persistent authentication tokens in future releases. While this update marks a significant step in combating infostealer malware, Google emphasizes the need for ongoing collaboration within the security community to address evolving threats and strengthen operating system protections. (read more)
I get asked a lot for Black Hat and DEFCON advice, like how best to approach the con, and there is a lot of worrying about being hacked and all that jazz. Nathaniel does a really good breakdown here.
Forget the obvious advice about staying hydrated and wearing deodorant. He gets it right by saying it's all about "Hallway Con," the unofficial networking goldmine where the real insights are shared.
Have fun, soak up knowledge, and apply what you learn to your own unique challenges. (read more)
Krebs just dropped some knowledge about how expired domain names are becoming prime targets for cybercriminals. Turns out, when companies let their domains lapse, bad actors swoop in, register them, and use them for all sorts of nefarious purposes. Intercepting emails, setting up phishing sites, and even impersonating legit businesses. He highlights a case where a major healthcare provider accidentally let 14 domains expire, potentially exposing sensitive patient data. (read more)
A massive phishing campaign dubbed "EchoSpoofing" has been exploiting an overly permissive relay configuration in Proofpoint's email protection service, potentially affecting thousands of organizations. Because the spoofed mail was relayed through the impersonated companies' own Proofpoint setup, it came out the other side with valid SPF and DKIM for their legitimate domains, so it passed email authentication rather than having to bypass it.
The campaign has been running since at least May 2023, targeting C-suite execs and finance teams with malicious PDF attachments. The researchers at Guard.io who uncovered this mess found over 120 unique PDF samples and 90 phishing domains. (read more)
Zimperium's zLabs team has uncovered a malware campaign targeting Android users across multiple countries. These bad actors are disguising their malicious apps as innocent utilities like QR code scanners and PDF readers. Once installed, the malware goes to town, swiping SMS messages, contact lists, and call logs.
What's particularly interesting is how this malware operates. It's using Firebase as its command and control server, which is pretty clever since it helps the malware blend in with legitimate app traffic. (read more)
You know those fake popups on your phone claiming your phone has a virus? Download this antivirus! Download this Chrome updater! Well, besides being scams, some of them actually have remote access trojans under the hood. This new one popped up in May 2024 and seems to be out of Romania. It's called BingoMod.
The funny part is that once it pops you, it sets up a remote connection, at which point a human operator has to manually kick off the money transfers, after which it starts erasing traces of itself to cover its tracks. (read more)
Well, it looks like Microsoft's Azure cloud services got hit with a massive DDoS attack, causing widespread outages across their global network. The attack hit Azure's Front Door and CDN edge services, and it left users unable to reach various Microsoft services for several hours. (read more)
How'd I do this edition? It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.
Parting Thoughts:
Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.
Stay safe, Matt Johansen
@mattjay