A 🧵I wanted to share one of my more recent successful red team campaigns so others can test & tabletop

The client, like many others recently, implemented an approved internal AI interface for code questions and searches

This was essentially a wrapped chatGPT UI + file search The site was 3rd party developed and has several implementations before rolling out in stages to all departments

For this scenario the goal was to compromise a separate dev and finance team with limited access in order to gain access to the production environment and financials

Fam

It's 11pm and the VC bros next to me are starting a company and are gonna roll out WordPress as their CRM, and they think they can manage it themselves with a Microsoft Azure cloud and MongoDB. None of them have admin experience

💀💀💀💀 This is at a hotel bar

They are in the carbon footprint reduction industry, I have no clue wtaf that involves but it sounds like a lot of cold calling and selling people materials from what I heard

Hello,

Are these your sandboxes leaking out information that allows attackers to visibly fingerprint your environment and evade analysis?

This 🧵is a deep dive into this method and why I find it relatively primitive yet, elegant & efficient as a sandbox system bypass.





For those watchful eyes, they might have noticed the leaked information in the above screenshot is XML format of the entire system settings.

How much settings? 118,000 bytes worth detailing everything from Hardware, Firmware, BIOS, manufacturers, PNP devices, printers etc.

PSA In the last week I have seen 3 examples of a relatively new strategy targeting telcos & iPhones of victims

With the increased measures against SIM Swapping, it seems attackers are switching over to 2 other methods to compromise phones

- Call Forwarding
- Parental Tools Both attacks are similar in which attackers (likely related to Lazarus) are either social engineering telcos or using an insider at these companies to conduct these attacks.

In all of these cases it was leading up to ATO of iCloud and/or password managers

So for all my followers who are wondering why TikTok is being investigated and potentially banned is because of several reasons heres a 🧵

A. they used data from their app to geolocate whistleblower journalists and physically go to their location

B. They violated policy on data Harvesting by using their inapp browser instead of the supplied mobile browser, this obtains much more data than what is normally collected and it's shady practices

C. They have repeatedly been caught using methods that get information using your phones gyroscope and other

So I've been just been briefed on a very disturbing trend of events that I think everyone should know.

Ransomware attackers have been targeting legal firms quite heavily in the last 6 months or so.

I thought this was because pretty poor security, but there's much more.

A 🧵 A large portion of announced ransomware attacks have hit medium sized law firms very heavily, by some metrics close to 12% targeted are law offices

Just learned the attackers are also extorting the clients or pretending to be the law firm and asking for lawyer or retainer fees.

This will be a thread discussing a real world breach involving a drone delivered exploit system that occurred this summer

Some details I am not able to discuss, however for the blue teams & red teams out there I hope this provides a good measure of capability.

🧵🚁 🎮🖥️🦠 During this summer an east coast company specializing in private investments detected unusual activity on their internal confluence page that was originating on their own network.

The team isolated the confluence server and began incident response.

I was gonna do a talk about this class of vulnerability but I dont have the time nor the health, so I'll just drop 0day:

Hopefully someone can run with this instead and make a tool or talk

Node.JS processing and private node.js packaging is not just present in Adobe...

A 💦🧵

https://twitter.com/mttaggart/status/1511804863293784064

Logitech and NVIDIA also package their own custom Node.js with their tools LogiOptions & Geforce Experience

So what does this mean?

It means by editing JS files on a machine you can get SYSTEM or Kernel privileges.

Thats right by editing text files -> SYSTEM/Kernel

Why? How?

This 🧵 will be a break down of the IOCs and sus activity triggers of the LAPSUS breach of Sitel / Syke based on the DFIR documents so that blue teams can set up their own monitoring IOC #1 Possible Unusual RDP Access

- Identify Users, Devices Who Do Not Normally use RDP to Access other Devices & RDP reputation
- Was RDP initialized at an unusual time?
- Likely N/A for this but does RDP client have unusual traits (keyboard layout, resolution, local time)

#PSA I want to talk about a #cybersecurity vector that I hardly ever see discussed here or much anywhere else and that is #bribery for paid access.

Outside of ransomware groups offering insiders ransom payment cuts to insiders, there is hardly any discussion of this topic. I have encountered a real world incident where an individual was approached by another individual to perform a malicious action equivalent to corporate espionage.

The figure offered the individual a 6 digit offer in order to perform this action

PSA If you haven't focused on the #Nvidialeaks and you work with any defense in depth teams, please take the time to today

For ones it appears Nvidia driver signing controls & certs were leaked & private API that allows for potential abuse

Attackers already planning to use this

https://twitter.com/AntiCheatPD/status/1498709708068331524?t=14sjx_Ps1q_5WMmsfAFZEw&s=19

Helped uncover a massive cyber incident today affecting multiple residential complexes and built in switches and infrastructure.

It appears the attackers were trying to reroute and intercept numerous individuals WFH residential traffic.

Add this to your threat list Residential complexes have their own built in routing for fiber.

After plugging in a new device into the residential facility preconfigured using ISP setup, after 24 hours noticed unknown devices being directly connected to subnet of the victims router.

#Log4J Worm is ITW

@vxunderground has a sample of the self propagating worm using log4j as a vector.

It installs a Mirai bot which makes sense to targeting embedded Linux devices

Looks like it uses user-agent for exploitation and modifies the binary before sending (?) From what I can quickly reverse engineer it looks like this malware is targeting mainly Huawei routers

Very very similar to CVE-2017-17215

For reference:

securitynews.sonicwall.com/xmlpost/new-wa…

This is a reminder to ask my friends here, please take Omicron seriously.

As someone who has dealt with having chronic illness for years that are nearly identical to long COVID symptoms; it is really really hard

Quality of life is something you don't appreciate until it's lower I have #fibromyalgia and some days I can't physically get out of bed, and that's because of pain, or fatigue.

My pain comes in 2 types:
Phantom Sunburn
Torture Compression

The 1st feels identical to like an Arizona sunburn, except no skin color and putting on aloe doesn't help

#log4j theoretical worm depending on propegation speed might just blend in with the noise for a while.

Ideally right now reducing attack surface should be everyone's top priority

Unfortunately we are dealing with a bug with unprecedented vectors. Everyone right now shouldn't even focus on worm capabilities because exploitation is so wide spread right now it doesn't even increase your risk level, attackers are doing nearly identical to what worm activity would be like.

Traffic congestion and network bottlenecking tho...

#Log4J based on what I've seen, there is evidence that a worm will be developed for this in the next 24 to 48 hours.

Self propagating with the ability to stand up a self hosted server on compromised endpoints.

In addition to spraying traffic, dropping files, it will have c2c Biggest hurdle appears to be implementing a JDK gadget to enable code execution on limited env.

That is currently being researched by several groups.

#Log4J Data Exfiltration & Env Var List 🧵

I will use this thread to discuss env variables I have seen being used in the wild alongside log4j exploitation from both remote & in local subnets

This isn't a complete list but it will give you an idea what attackers are looking at In addition to the AWS variables I have discussed earlier I am also seeing these:

For Hadoop I am seeing threat actors attempt to query the following env vars

HADOOP_HOME
HADOOP_CLIENT_OPTS
HADOOP_SHELL_EXECNAME
HADOOP_USER_PARAMS
HADOOP_SECURE_CLASSNAME
HADOOP_SECURE_USER

PSA: attackers aren't just using #log4j attacks on internet facing devices.

Groups I'm monitoring are going back to compromised networks and using it on subnets and on internal devices *very* successfully

Insider threat is also an viable avenue of exploitation Update: here's what vectors internal threat actors are using to gain access via #log4j exploits:

Email/inbox monitoring services
Network inspectors
Internal web servers
SSL inspectors
Couchdb(?) Logging services
Asset management services
XML parsing services

To add on to what @dildog is referencing with AWS vars and log4j

Here is a list of the AWS envs that I've seen attackers attempt to dump from the target machine

docs.aws.amazon.com/cli/latest/use… For reference:

https://twitter.com/dildog/status/1469786190144585729?t=DgkQ7pfgkqG2H9qMj9y_7A&s=19

Can confirm this phase just started

https://twitter.com/caseyjohnellis/status/1469476148618805249

Ransomware groups have started posting successful exploits on a number forums and chats

While they are doing recon they are literally tossing up cryptominers so they maximizing profits.

Ever want to test systems & see if your password is ever stored/sent in plaintext?

Make it: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

I am on the phone with a vendor right now because my test account is in an inoperable state.

🧐 Vendors gonna hate me tonight.