• tl;dr sec
  • Posts
  • [tl;dr sec] #31 - Instrument with Frida, Free Course on Attacking Apps in AWS/Azure, VM with 8 C&C Frameworks

[tl;dr sec] #31 - Instrument with Frida, Free Course on Attacking Apps in AWS/Azure, VM with 8 C&C Frameworks

Use Frida from a Burp extension or web interface, continuous cloud security, fighting misinformation at scale.

Author

Clint Gibler
April 22, 2020

Hey there,

I hope you’re doing well!

By the way, if you’ve got some free time and are wondering how you can help, the COVID Alliance has a number of open job reqs.

My friend and frequent conference buddy Tanya Janca has launched a learning platform dedicated to teaching Application Security, DevSecOps, and Cloud Security. Between #MentoringMonday, her involvement in OWASP (e.g. DevSlop), and her overall boundless enthusiasm and positivity, Tanya is a great asset to the security community.

I like seeing when good people are aiming to fund their efforts, so that they can sustainably continue to share knowledge and resources 👍 Check it out!

EmacOS

I recently got a new laptop and I was poking around to see how people preferred to install Emacs on macOS, as there are a few options (e.g. several from homebrew, Aquamacs, etc.).

I decided to go with railwaycat/homebrew-emacsmacport after reading a few overviews on Stack Exchange and Reddit.

Let me know if you have strong preferences about this :)

I actually use VS Code for much of my coding these days, but I use org-mode for task tracking and note writing.

📜 In this newsletter...

🔗 Links:

  • AppSec: C experts panel AMA, open source tools from RSA 2020, ZAP GitHub Action, adding LibreSSL to OSS-Fuzz, RubyGems typosquatting attack to steal cryptocurrency

  • Instrumentation: Frida <> Burp Suite extension, web interface for hooking Java classes and methods using Frida

  • Network Security: Test if your ISP is doing BGP securely, Netflix is using TLS 1.3

  • Cloud Security: Free course: "breaking and pwning apps and servers on AWS and Azure," tool to find suspicious uses of temporary AWS tokens, tool for self-service creation and deletion of AWS accounts, using AWS Config to automate logging of web ACLs, general availability of Google Cloud's OS patch management service, ensuring S3 bucket policies meet best practices using Terraform Sentinel

  • Container Security: Open source cloud native workload protection platform, website for Kubernetes RBAC best practices, Kubernetes Webhook Authentication server

  • Red Team: VM to try many C2 frameworks, IDA Home for $1/day, tool to watch GitHub commit stream to extract author details and secrets, abusing Firefox features to get command execution in enterprise environments

  • Blue Team: 5 steps to make getting FedRAMP less painful

  • Politics: A proposal to defeat coordinated inauthentic behavior at scale

AppSec

C Experts Panel – Ask us anything about C
HN thread featuring a number people with decades of C experience, who are on the C standards committee, have written books about it, etc., including my friend Robert Seacord, whose No Starch book Effective C is coming out soon!

Open Source Tools from RSAC 2020
A massive list of open source tools referenced in various RSAC talks.

Automate Security Testing with ZAP and GitHub Actions
There’s now a ZAP baseline scan GitHub Action that can be used to periodically scan a public web app or public or private repos. It maintains and updates an active issue in the relevant GitHub repo with the latest scan results.

LibreSSL and OSS-Fuzz
Andrea Brancaleoni of Doyensec integrated LibreSSL into OSS-Fuzz, which identified 14+ new vulnerabilities and got a $10,000 bounty. Also, Doyensec gives its consultants 25% research time, which is pretty rad 🤘 

RubyGems typosquatting attack hits Ruby developers with trojanized packages
Over 700 malicious packages were uploaded over the course of a week in February. The rogue packages contained a malicious script that, when executed on Windows computers, hijacked cryptocurrency transactions by replacing the recipient’s wallet address with one controlled by the attacker (clipboard hijacking). A Windows PE file was included in the repos with a PNG extension, which was then renamed to EXE and executed.

All the 700 rogue packages had names where the attacker copied legitimate package names but replaced hyphens with underscores or underscores with hyphens.

This might explain why the packages were not blocked by RubyGems, which does use an anti-typosquatting mechanism based on Levenshtein distance rules that was added in response to past incidents. The rogue gems discovered by ReversingLabs were downloaded more than 95,000 times until being taken down.

More detailed write-up by ReversingLabs here.

Instrumentation

Brida 0.4 is out!
Brida (source) is a Burp extension that bridges Burp Suite and Frida, a popular dynamic instrumentation toolkit. This version includes a number of Frida hooks for common tasks and some usability improvements.

m0bilesecurity/RMS-Runtime-Mobile-Security
“A powerful web interface that helps you to manipulate Android Java Classes and Methods at Runtime,” powered by Frida. “You can easily dump all the loaded classes and relative methods, hook everything on the fly, trace methods args and return value, and load custom scripts.”

Network Security

Is BGP safe yet? No.
There have been a number of BGP hijacks (or “accidents”) over the past few years in which Internet traffic was redirected to flow through Russia or China. Cloudflare created this site with useful info, interactive diagrams, and a one click button to see if your ISP is implementing BGP safely. 💯 

How Netflix brings safer and faster streaming experience to the living room on crowded networks using TLS 1.3
Netflix now supports TLS 1.3. The article provides a nice overview of TLS 1.3:

  • All key exchange algorithms support Perfect Forward Secrecy

  • All weak ciphers have been removed and only Authenticated Encryption with Associated Data is used

  • The entire handshake is signed, including cipher suite negotiations and extensions being sent (prevents downgrade attacks)

  • The handshake only requires one round trip

Netflix ran some tests, and it turns out TLS 1.3 is yielding even better performance for users! Most importantly, now nation state adversaries won’t know how many times you binged Tiger King.

Cloud Security

Breaking and Pwning Apps and Servers on AWS and Azure
Appsecco released the contents of a training course. “The training covers a multitude of scenarios taken from our vulnerability assessment, penetration testing and OSINT engagements which take the student through the journey of discovery, identification and exploitation of security weaknesses, misconfigurations and poor programming practices that can lead to complete compromise of the cloud infrastructure. The training is meant to be a hands-on training with guided walkthroughs, scenario based attacks, coverage of tool that can be used for attacking and auditing.”

cyberark/SkyWrapper
“Analyzes behaviors of temporary tokens created in a given AWS account. The tool aims to find suspicious creation forms and uses of temporary tokens to detect malicious activity in the account.”

iann0036/aws-account-controller
Tool for self-service creation and deletion of sandbox-style accounts. “The account manager is a custom app that SSO users can access to create accounts or delete previously created accounts on-demand.” More: Automating AWS Account Deletion.

Enable automatic logging of web ACLs by using AWS Config
Blog from AWS on how to use AWS Config, with its auto-remediation functionality, to ensure that all web ACLs have logging enabled.

Protect your running VMs with new OS patch management service
General availability announcement for Google Cloud’s OS patch management service, which can be used to “apply OS patches across a set of VMs, receive patch compliance data across your environments, and automate installation of OS patches across VMs—all from one centralized location.”

Enforcing AWS S3 security best practice using Terraform Sentinel
“Terraform Enterprise/Cloud is a secure and reliable Infrastructure as Code pipeline, with preventative guardrails to make sure resources generated via this pipeline are in line with your organization’s security and operational guidelines.”

This blog post describes how to use Terraform Enterprise/Cloud to govern the S3 provisioning process and find S3 buckets not compliant with AWS S3 security best practices (Sentinel rules on GitHub). Sentinel is “an embedded policy-as-code framework integrated with the HashiCorp Enterprise products. It enables fine-grained, logic-based policy decisions, and can be extended to use information from external sources.”

We’ve seen this idea of Compliance / Policy-as-Code theme in a number of tl;dr sec issues now, from blog posts by AWS to Chef Inspec. This one of the Big Trends™ in forward-thinking security programs right now, which I also called out in my BSidesSF slides: moving away from identifying vulnerabilities, and moving towards defining what your code or environment should look like, and continuously enforcing these “invariants.”

Container Security

deepfence/ThreatMapper
Open source community version of the Deepfence cloud native workload protection platform. Features:

  1. Visualization: Visualize kubernetes clusters, virtual machines, containers and images, running processes, and network connections in near real time.

  2. Runtime Vulnerability Management: Perform vulnerability scans on running containers & hosts as well as container images.

  3. Container Registry Scanning: Check for vulnerabilities in images stored on Docker private registry, AWS ECR, Azure Container Registry and Harbor registries. Support for more container registries including JFrog, Google container registry will be added soon.

  4. CI/CD Scanning: Scan images as part of existing CI/CD Pipelines like CircleCI, Jenkins.

  5. Integrations with SIEM, Notification Channels & Ticketing: Ready to use integrations with Slack, PagerDuty, HTTP endpoint, Jira, Splunk, ELK, Sumo Logic and Amazon S3.

Deepfence Architecture

Deepfence Architecture

RBAC.dev
“A site dedicated to good practices and tooling around Kubernetes RBAC.” Talks and articles, tooling, generators and operators, interactive queries, and visualization.

appscode/guard
A Kubernetes Webhook Authentication server that allows you to log in using various auth providers, including a static token file, Github, Gitlab, Google, Azure, LDAP, and Azure Active Directory.

Red Team

Slingshot C2 Matrix Edition
A VM image to make it easy to try some of the most popular command and control frameworks. Comes with Covenant, Empire3 with Starkiller, Faction, Koadic, Merlin, Metasploit, SilentTrinity, and Sliver pre-installed.

IDA Home, from our passion to yours
Hex-rays released IDA Home, a starter version of IDA for $1/day ($365/year). Maybe feeling the pressure from Ghidra?

x1sec/commit-stream
commit-stream drinks commit logs from the Github event firehose exposing the author details (name and email address) associated with Github repositories in real time. OSINT / Recon uses for Redteamers / Bug bounty hunters:

  • Uncover repositories which employees of a target company is commiting code (filter by email domain)

  • Identify repositories belonging to an individual (filter by author name)

  • Chain with other tools such as trufflehog to extract secrets in uncovered repositories.

Abusing Firefox in Enterprise Environments
Lengthy blog post by MDSec on a technique that “abuses legacy Firefox functionality to achieve command execution in enterprise environments. These capabilities can be used for lateral movement, persistence and defense evasion during penetration testing and red team operations.”

This research was inspired following an internal penetration test, when an insecure configuration was discovered in an Active Directory Group Policy. Several files with the cfg, js, jsm extensions were deployed by the SCCM server to user workstations.

The security issue was that the compromised domain user had Full Control rights on the files stored in the GPO, which were then subsequently deployed by SCCM to the Mozilla Firefox installation folder for all computer objects within the OU where the GPO was applied.

 Blue Team

5 steps to getting FedRAMP right (the first time)
I’ve talked with a few companies working on getting FedRAMP certified. It. is. not. fun. “Implementing a FedRAMP system and obtaining a Moderate or High Impact Authority to Operate (ATO) takes most organizations between 12 and 18 months.” This article has some high level practice advice.

Politics

Defeating Coordinated Inauthentic Behavior at Scale
Disinformation campaigns on social media platforms seem to be increasing, despite the best efforts by talented engineers.

This article argues that current approaches (using heuristics and/or machine learning) will fundamentally never succeed, as they rely on being able to enumerate “badness.” Soatok argues that instead news should by default be categorized as “unvetted,” and require a team of volunteers to vet material before it is “trusted.” Armies of volunteers have been shown to do other impressive, large scale efforts (e.g. Wikipedia), and Soatok lists a few details that make volunteer approval less likely to be abused.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them

🙏

Thanks for reading!

Cheers,

Clint