Attack & Defend #2: Framework to Use LLMs Securely, Stratus Red Team Tool, SWAT, and Cost of Data Breach 2023

View this email in your browser

👩‍💻 This Week in Attack & Defense

4,500 of the Top 1 Million Websites Leaked Source Code and Secrets: Security researchers collaborated to scan the Alexa Top 1 Million Websites for leaked secrets and discovered that 4,500 of the most heavily visited websites in the world publicly exposed their git directory, which often contained the entire private source code for a given website. AWS and GitHub keys accounted for 45% of all leaked credentials and third-party email marketing services accounted for a large percentage of the leaked keys.

Japan’s Cybersecurity Agency was Hacked for Months: Japan's National Center of Incident Readiness and Strategy for Cybersecurity (NISC) has confirmed that it was hacked for as long as nine months. The Chinese military is suspected to be behind the breach, which was discovered in June 2023. Email conversations were exposed to unauthorized parties, and there were also "suspicious phone calls and emails" from people posing as employees of Japan's NISC.

Multiple Notepad++ Flaws Let Attackers Execute Arbitrary Code: Several Buffer Overflow vulnerabilities have been discovered in Notepad++ that can be exploited by threat actors for malicious purposes. The vulnerabilities are based on heap buffer write overflow and heap buffer read overflow on some functions and libraries used by Notepad++ software

Sourcegraph Discloses Data Breach Following Access Token Leak: Code search and navigation platform Sourcegraph announced last week that it has experienced a data breach after an engineer accidentally leaked an admin access token. Sourcegraph account email addresses for community members and license owners were obtained. No other customer info, including private code, passwords, usernames, or other PII, was accessible.

Cost of a Data Breach Report 2023: IBM's 2023 installment of their annual Cost of a Breach report has brought up some interesting trends such as the average cost of a breach rose once again to $4.45 million, increasing 15% over the last three years. It also has an industry-specific focus and detailed findings across topics such initial attack vectors, data breach lifecycle, cloud breaches, and threat intelligence.

💻 MITRE D3FEND: Exception Handling Pointer Validation

Exception Pointer Handler Validation, also known as Exception Handler Validation, is a security technique that verifies the validity of a referenced exception handler pointer. When a process encounters an exception, it calls an exception handler to handle the exception. The exception handler’s location can be determined differently based on the operating system. In Windows, the exception registration record, containing a pointer to the next exception registration record and a pointer to the handler, is stored at the start of the Thread Information Block.

The validation process checks if the exception handler is present in a list of valid exception handlers before it is called. If the handler is not found in the list, other defensive techniques like Process Termination or Executable Blacklisting may be invoked. However, this validation does not ensure the integrity or security of the exception handler’s code, but only confirms that it could be a valid exception handler called by the program.

When would I use Exception Handler Point Validation?

The source of valid exception handlers can be generated at runtime, during compilation, or as a binary patch. If the program file can be altered by an attacker, they could bypass the security measures by replacing it with their desired program. Additionally, if an attacker has already overwritten the code of a valid exception handler through other program functionality, this validation would not prevent arbitrary code execution.

SafeSEH, a security feature, can be applied to executable files or modules to protect against certain types of exception handler exploits. However, if SafeSEH is not applied to all modules, attackers may still call unprotected modules’ code as exception handlers, leading to potential vulnerabilities.

How does Exception Handler Point Validation link to the ATT&CK framework?

The “Exception Pointer Handler Validation” technique can be linked to the MITRE ATT&CK framework in the following ways:

1. T1187 – “Forced Authentication”
   In the ATT&CK framework, T1187 refers to the technique of forcing the target system to authenticate to a service provider with credentials obtained through alternative means. While the direct connection between “Exception Pointer Handler Validation” and “Forced Authentication” may not be immediately apparent, the key here lies in how attackers can exploit weaknesses in exception handling mechanisms to gain unauthorized access and perform actions that would otherwise require proper authentication.

   
   

2. T1507 – “Dynamic-link Library Injection”
   T1507 in the ATT&CK framework involves the injection of malicious code into a running process by abusing dynamic-link library (DLL) loading mechanisms. In some cases, attackers can manipulate exception handling to facilitate the injection of malicious DLLs. By exploiting vulnerabilities in the exception handler chain, attackers may gain the ability to execute their malicious code within the context of a legitimate process, leading to potential escalation of privileges or code execution.

   
   

3. T1055 – “Process Injection”
   T1055 encompasses a variety of techniques where adversaries inject code into a running process, often to evade defenses or gain execution in a different context. While not directly related, there may be cases where attackers abuse exception handling mechanisms to facilitate process injection. This could be achieved by corrupting exception handler pointers or leveraging buffer overflows to overwrite return addresses and redirect control flow to the injected code.

Interested in reading further? Click the link below to find out which tools you can use for Exception Handler Pointer Validation.

🚀 Treasure Trove

If you’re one of the curious security ninjas, this is the place to discover useful offensive and defensive security resources. Here’s a selection of Blue Team and Red Team tools and resources this week.

Blue Team

facebookincubator/TTPForge: A framework created by Meta's Purple Team to facilitate the development, automation, and execution of Tactics, Techniques and Procedures (TTPs).

beruangsalju/shell-backdoor: A massive list of shell backdoors.

elastic/SWAT: A tool for simulating malicious behavior against Google Workspace, mapped against the MITRE ATT&CK framework.

How InfoSec uses the Elastic Stack for vulnerability management: How the Elastic Stack can be utilized as a data management platform for vulnerability management. Clement outlines the three main components of their vulnerability management architecture and explains how to automate the process of retrieving, enriching, and sharing scan results with different teams.

HashiCorp Vault Observability - Monitoring Vault at scale: Strategies for architecting a comprehensive Vault monitoring approach, including log analysis, telemetry analysis, and API and synthetic monitoring.

Red Team

OWASP/wrongsecrets: A vulnerable application that offers concrete instances of improper secret storage practices. A comprehensive collection of 35 challenges spanning Docker, Kubernetes, minikube, and various cloud providers (AWS, GCP, and Azure).

allpaca/chrome-sbx-db: A collection of Chrome Sandbox Escape POCs/exploits for learning.

onhexgroup/Vulnerable-WordPress: A collection of vulnerable WordPress plugins updated monthly that can be used for Nuclei template development, exploit development, or learning purposes.

Attacking JS engines: Fundamentals for understanding memory corruption crashes: Basic concepts of browser exploitation, focusing on Firefox's JavaScript engine, SpiderMonkey. Pedro also outlines concepts including heaps, garbage collectors, JIT compilers, and in-memory structures.

Stratus-red-team: Stratus-red-team is a tool for emulating offensive attack techniques in a controlled manner on cloud environments for the purpose of testing detection and response. Attacks are organized by cloud provider and category of attack. Each attack has a comprehensive wiki page with a MITRE ATT&CK mapping, description, and example detections. The recently released v2.9.0 includes new techniques for ransomware simulation.

📑 Blue Team MasterClass: Tutorials & Guides

Okta Cross-Tenant Impersonation: Prevention and Detection: In recent weeks, multiple US-based Okta customers have reported a consistent pattern of social engineering attacks against their IT service desk personnel, in which the caller’s strategy was to convince service desk personnel to reset all Multi-factor Authentication (MFA) factors enrolled by highly privileged users.

Threat actors are using social engineering to convince IT desk personnel to reset multifactor authentication (MFA) for highly privileged Okta enterprise accounts, gaining access to the cloud-based identity access management (IAM) service and moving laterally through targeted networks from there. Okta warns about how common this threat is and how to prevent it.

How to use KAPE for Digital Forensics on Windows: Cyberattacks are on the rise year-on-year and Attackers are using different techniques to clear the traces after the attacks. It’s essential to use the right tools and methods to identify attacks and prevent further attacks. Kroll Artifact Parser and Extractor (KAPE) parses and extracts Windows forensics artifacts. This tool significantly shortens the amount of time reaction to an incident needs, providing critical material from either a live system or a storage device prior to when the imaging process would finish.

KAPE serves two primary purposes, 1) collect files and 2) process the collected files as per the provided options. To perform a better analysis and collect Artifacts, get started with this post to understand the KAPE tool and see how it works.

🤖 LLMs + Attack & Defend

A framework to securely use LLMs in companies - Part 1: Overview of Risks

Part 1 of a multi-part series on using LLMs securely within your organisation. This post as part of a multi-blog series provides a framework to categorize risks based on different use cases and deployment type when using LLMs within your organization.

Depending on how the LLMs are deployed (training an in-house LLM v/s 3rd party LLMs) and how the LLMs are used (by individuals to supercharge their work v/s integrating with LLM APIs in applications), the risks LLMs pose will change. This post outlines key risks and helps prioritize them based on your organization’s use case. 

Using LLMs to reverse JavaScript variable name minification: This post describes how to reverse minified JavaScript using LLMs like ChatGPT and llama2 while keeping the code semantically intact.

1. Unminify and prettify the code.

2. Ask the LLM to describe the intent and a better name for variables.

3. Use Babel to do the renaming, which can effectively rename a JavaScript variable within its scope by operating on the code's Abstract Syntax Tree (AST), preserving how the code works.