April 2022 Edition

Welcome to Nullcon’s Newsletter! With so much going on in the infosec industry, it’s often difficult to keep up with everything. Subscribe to our #MonthlyNewsletter to stay updated with current happenings.

Latest Updates in Cloud Sector

A Manual to Handle Flipkart Vulnerabilities Wisely

Ever wondered how Flipkart’s AppSec core culture manages vulnerabilities? The fundamental flaw with just patching a bug is that it fixes only one instance, and the ecosystem as a whole does not get immunized against it. Flipkart, being a tech behemoth, has a massive software footprint. Much like a human, an application goes through multiple phases of growth, development, disease, recovery, and immunization. Even after proper security immunity is infused into Flipkart in each phase of the Software Development Life Cycle (SDLC), vulnerabilities are inevitable. While the team works on fixes for all kinds of vulnerabilities, the same or similar issues have recurred in other places. The article highlights Flipkart's current process for dealing with such issues.

Kubernetes Goat: Interactive Kubernetes Security Learning Playground

With the goal of providing hands-on, high-quality content that is relevant to the real world, Kubernetes Goat offers intentionally vulnerable scenarios that demonstrate the common misconfigurations, real-world vulnerabilities, and security issues in Kubernetes clusters, containers, and cloud-native environments. Keeping in mind that it is tough to learn and understand Kubernetes security, its creators have built more than 20 scenarios covering attacks, defenses, best practices, tools, and more to provide practical knowledge to the community. The playground is free for anyone interested in learning about Kubernetes security, such as attackers, defenders, and developers, and is accessible through a simple, single-click, browser-based online version of Kubernetes Goat.

AWS Lambda Function URLs: Built-in HTTPS Endpoints for Single Function Microservices

Described exceptionally well in Alex Casalboni’s article, Lambda Function URLs let anyone add HTTPS endpoints to any Lambda function and optionally configure Cross-Origin Resource Sharing (CORS) headers. Applications composed of multiple serverless functions that implement business logic map each function to API endpoints, methods, and resources using services such as Amazon API Gateway and Application Load Balancer. The new feature makes it easy to focus on what matters: it is a simple way to configure HTTPS endpoints in front of a function without having to learn, configure, and operate additional services besides Lambda.

Latest Updates in Infrastructure

Lenovo UEFI firmware driver bugs affect over 100 laptop models

ESET researchers discovered a total of three security issues. Two of them allow an attacker to disable the protection for the SPI flash memory chip, where the UEFI firmware is stored, and to turn off the UEFI Secure Boot feature, which ensures that at boot time the system loads only code trusted by the Original Equipment Manufacturer (OEM). The third vulnerability, identified as CVE-2021-3970, could allow a local hacker to execute arbitrary code with elevated privileges. However, detecting these vulnerabilities is feasible with advanced techniques such as UEFI integrity checks, analyzing the firmware in real time, or monitoring the firmware behavior and the device for suspicious activity.

Cyberattack On Hawaii Undersea Communications Cable Thwarted By Homeland Security

An international hacking group targeted infrastructure on Oahu by breaching a private company’s servers that manage an oceanic undersea cable connecting Hawaii and the Pacific region. Acting on a tip they received, Homeland Security Investigations (HSI) agents were able to identify the attack and took precautions to block the access. They identified an international hacking group responsible for the attack and worked with international law enforcement partners in multiple countries to arrest a suspect. The investigators did not reveal the potential criminal charges or the intentions of the hacking group. However, it is safe to say that there are no immediate threats as of now, nor has the critical telecommunications infrastructure suffered any damage or disruption.

A Blueprint For Evading Industry Leading Endpoint Protection In 2022

In adversary simulations, a key challenge in the “initial access” phase is bypassing the endpoint detection and response (EDR) capabilities on enterprise endpoints. Commercial command and control frameworks provide the red team operator with unmodifiable shellcode and binaries that are heavily signatured by the endpoint protection industry, so in order to execute that implant, both the static and behavioral signatures of that shellcode need to be obfuscated. This article lays out a collection of techniques that, when combined, can be used to bypass industry-leading enterprise endpoint protection solutions. Techniques such as shellcode encryption, escaping the (local) AV sandbox, import table obfuscation, and much more are covered with the ultimate goal of executing malicious shellcode.

Latest Updates in Web Application

Spring4Shell: Spring Users Face New, Zero-Day Vulnerability

After the disclosure of the first security issue, CVE-2022-22963, a SpEL expression injection bug in Spring Cloud Function, a second Remote Code Execution (RCE) bug named ‘Spring4Shell’ or ‘SpringShell’ has recently been discovered in Spring Framework’s Java-based Core module. Exploit code for a zero-day vulnerability in Spring Framework was posted by a Chinese-speaking developer. While the commit containing the exploit code has been deleted, the action might have come too late. The code, once translated, appeared to show how unauthenticated attackers could trigger RCE on target systems. While the bug is potentially severe, certain conditions must be met for an app to be exploitable. Rapid7, along with others and Spring.io, confirmed the existence of the zero-day vulnerability.

SVG Server Side Request Forgeries (SSRFs) & Saga Of Bypasses

The subject is a web-based analytics solution app that dealt with research institutions worldwide to analyze new, emerging research trends and create reports. These reports could also be prepared with data visuals and shared with co-researchers in DOCX, PDF, and PNG formats. For the PNG image, after the content was replaced with an “h1” tag, the server applied no validation or output encoding, and the “h1” tag could be seen injected successfully. Since HTML injection (HTMLi) worked correctly, it was easier to retrieve the file content. In this blog, Preetham Bomma shares his recent experiences with SVG, HTML to PDF SSRF, and bypasses for the patches applied.
Link: https://infosecwriteups.com/svg-ssrfs-and-saga-of-bypasses-777e035a17a7

New Node Package Manager (npm) Flaws Let Attackers Better Target Packages for Account Takeover

Software supply chain attacks, in which attackers inject malicious code into benign packages, increased by 650% in 2021, on top of year-over-year growth of 430% in 2020. Although there are several ways an attacker can gain access to the desired package, one method is to obtain the credentials of one of the package's maintainers. It's also crucial to note that npm packages with a large number of maintainers are at a higher risk of abuse. It’s up to developers to minimize the attack surface and make account takeover more challenging for attackers. The articles by Yakir Kadkoda summarize the details of the npm packages research and examine the security risks of direct and transitive dependencies.


About the Expert

Anant Shrivastava

Anant Shrivastava is an information security professional with 12+ years of corporate experience and expertise in Network, Mobile, Application, and Linux Security. During his career, he has been a speaker and a trainer at various international conferences (Black Hat USA, Asia, and EU, Nullcon, c0c0n, and many more). Anant also leads open-source projects such as Android Tamer and CodeVigilant. In his free time, he likes to participate in open communities targeted towards spreading information security knowledge, such as null (null.community). His work can be found at anantshri.info

Prashant Mahajan

Prashant Mahajan is a Director at Payatu Australia Pty Ltd. He has over a decade of experience with various aspects of Information Security, including penetration testing, vulnerability analysis, digital forensics, and incident response. He is also a developer of open-source tools such as ADRecon and AzureADRecon, a founding member of Null - The Open Security Community, and a frequent speaker at industry events and trainings.