August 2021 Edition

Welcome to Nullcon’s Newsletter! With so much going on in the infosec industry, it’s often difficult to keep up with everything. Subscribe to our #MonthlyNewsletter to stay updated with current happenings.

by Anant Shrivastava

Latest Updates in Cloud Sector


Ransomware Attack: Ensuring Data Durability

With every day increased Ransomware attacks, it has become a high-level concern for organizations and individuals. But, where there is a will, there is a way! An exceptional strategic documentation listing ransomware protention with two best options - S3 Object Locks and Replication Policies. Data durability of 99.999999999% of objects over a period of the year, S3 stores copies of the data redundantly across 3 AZs, meaning even if two entire AZs in a region get destroyed at the same time, the data will safe. When it comes to Replication Policies, the approach focuses on creating backups and ensuring the backups are segregated from the primary data.




NSA & CISA - Kubernetes Hardening Guidance

In recent times containerization has taken the world for a stride. With large-scale containerization, the need for orchestration is becoming a necessity and hence the meteoric rise of Kubernetes environments (aka k8s). The rise is not just big but it’s widespread even within the governmental setups which were earlier considered the last players to embrace newer technologies. This has resulted in US govt agency CISA taking note of the situation and releasing official guidance on how to harden the k8s environments.




GCP OAuth Token Hijacking in Google Cloud

In a world of locked rooms, the man with the key is king! A complete layout that maps Google Cloud Platform (GCP) compromise on the user device, which allows the attackers to conveniently steal and misuse the cached credentials in spite of enabled Multiple Factor Authentication (MFA). It exhibits how MFS does not apply to OAuth token refreshers for cached credentials, reusing existing GCloud CLI sessions to gain access to multiple GCP environments, and many more.




Windows 365: Dumping User's Credentials Plaintext

In terms of the newly introduced Microsoft Windows 365 Cloud PC, a major downfall of credential exploitation was spotted by Benjamin Deply, a security expert. Benjamin launched the Mimikatz tool, an open-source project, that allows gathering credential data from the Windows system through a malicious program and dumps the Microsoft Azure plaintext credentials for logged-in users. There is also a solution in the form of 2FA and Windows Defender Remote Credential Guard to protect the users, but Windows 365 has yet to support it.




Defcon: Cloud Village Playlist

This Defcon marked the 3rd year of Cloud village which is a laser-focused smallish event around cloud security, There was an array of talks dealing with various cloud environments in the village both from an offense and defense perspective check out Defcon29 Cloud Village Playlist for Day 1, Day 2 and Day 3 that talks about offensive and defensive aspects of cloud in-depth.




Latest Updates in Infrastructure


Microsoft: Sharing the First SimuLand Dataset

Hooray! Microsoft is being open about its dataset for adversarial research. Earlier Microsoft released “Simuland” which allowed one to set up its own infrastructure for security research and practice ground to simulate attacks. However, it has gone one step further and released a sample data mapped of scenarios where attacks have happened removing the need to the full environment. It is beneficial to people as it provides them easier access to the logs, understands the attacks as well as perform better detection.




Technical Advisory: Pulse Connect Secure - RCE

Covid times have made VPN’s one of the Quasi essential entities. This also means there is a renewed focus on research around exploiting VPN software. One such effort resulted in a finding where Pulse Connect Secure appliances are affected by a remote code execution and privilege elevation bug. The appliance suffers from an uncontrolled archive extraction vulnerability allowing a valid admin user to overwrite arbitrary files and gain full root-level access on the appliance and removing all restrictions applied via VPN configurations. The requirement of a valid admin user does limit the exposure of the bug however caution should be taken as these are public-facing devices with a larger set of privileges and access.




Guide Leaked: Conti Pentester

While the pentesters and professionals of the world at times held the secrets closer to the chest to have something up their sleeves if needed, Malware service providers are much more generous in sharing the knowledge. This was recently confirmed by the leaked playbooks provided by the Conti Ransomware gang to its operators which in lengths detailed how to perform various operations once inside the network. The level of details on the guide could put many professional pentesting outfits to shame. On one side such documents in public will help to raise the overall standard of the infosec world on the other consider it a wake-up call ransomware gangs are not here to just play they are serious and far more organized.




Proxyshell: A New Attack Surface on MS Exchange

Because 3 bugs are better than 1. Proxyshell is a combination of 3 vulnerabilities found in Microsoft Exchange, a service used in Microsoft Ecosystem for emails. The vulnerability leads to unauthenticated users to full remote compromise. Meaning, it allows the hacker to read private emails, gain information as well as send emails on behalf of authorized persons without their knowledge In short, complete compromise of confidentiality and integrity.




Razor Bug lets you become a Windows 10 Admin

Haven’t spotted this news on Twitter? Earlier in the month of August, a Razer Synapse zero-day vulnerability was published on Twitter, that allowed users to gain admin privileges of Windows 10 by simply plugging in a Razer keyboard or mouse. The local privilege escalation bug allowed users to gain System access on a Windows device, which is the highest privilege allowing any individual complete control over the system and to install anything including malware.




Share



About the Expert

Author

Anant Shrivastava

Anant Shrivastava is an information security professional with 12+ yrs of corporate experience with expertise in Network, Mobile, Application, and Linux Security. During his career, he has been a speaker and a trainer at various international conferences (Black Hat -USA, ASIA, EU, Nullcon, c0c0n, and many more). Anant also leads Open Source projects such as Android Tamer and CodeVigilant. In his free time, he likes to participate in open communities targeted towards spreading information security knowledge such as null (null.community). His work can be found at anantshri.info