Attack & Defend #6: AWS MadPot HoneyPot, Osquery Defense Kit, and Building a Red Team Infrastructure

View this email in your browser

👩‍💻 This Week in Attack & Defense

Millions of Exim Mail Servers Exposed to Zero-Day RCE Attacks: A zero-day vulnerability in all versions of Exim mail transfer agent allows unauthenticated attackers to gain remote code execution on Internet-exposed servers. The vulnerability is due to an Out-of-bounds Write weakness found in the SMTP service, which can lead to software crashes or corruption of data following successful exploitation.

'Looney Tunables' Bug Opens Millions of Linux Systems to Root Takeover: Attackers can now gain root privileges on millions of Linux systems — by exploiting an easy-to-exploit, newly discovered buffer overflow flaw. The flaw poses a significant risk of unauthorized data access, system alterations, potential data theft, and complete takeover of vulnerable systems, especially in the IoT and embedded computing space.

Amazon CloudFront Announces Security Recommendations: AWS WAF will now surface security recommendations in the CloudFront console based on the configuration of your CloudFront distribution. You can also estimate the price of AWS WAF security protections using the built-in pricing calculator when making your selection in the CloudFront console.

AWS’ MadPot Honeypot Operation Corrals Threat Actors: AWS’s sophisticated suite of tools – called MadPot – comprises myriad monitoring sensors and automated response features can detect and trap bad actors. The honeypot operation is being used to capture hackers’ malware, collect threat intelligence from it, and thwart the attack before it can compromise AWS’ network or the cloud provider’s customers.

ShellTorch- Multiple Critical Vulnerabilities in PyTorch Model Server (TorchServe): Threatens Countless AI Users :A security research team has announced the discovery of critical vulnerabilities (including CVE-2023-43654) that can lead to full chain Remote Code Execution. It found thousands of publicly exposed instances, including several in some of the world’s largest organizations — open to unauthorized access and insertion of malicious AI models and potentially a full server takeover. Mitigation steps and a free tool to minimize exposure are available in the post.

🚀 Treasure Trove

If you’re one of the curious security ninjas, this is the place to discover useful offensive and defensive security resources. Here’s a selection of Blue Team and Red Team tools and resources this week.

Blue Team

chainguard-dev/osquery-defense-kit: Production-ready detection & response queries for osquery. The detection queries are formulated to return zero rows during normal expected behavior, so that they may be configured to generate alerts when rows are returned.

How Security Professionals are Being Attacked - A study of malicious CVE proof of concept exploits in GitHub: PoCs for exploits are often shared on platforms like GitHub. However, there’s no guarantee that the PoCs are trustworthy, and don’t contain additional functionality. This academic paper reviewed PoCs shared on GitHub for known vulnerabilities discovered in 2017-2021, and found 4,893 malicious repositories out of 47,313 repositories that have been downloaded and checked (i.e., 10.3% of the studied repositories have symptoms of malicious intent).

peasead/elastic-container: Stand up a 100% containerized Elastic stack, TLS secured, with Elasticsearch, Kibana, Fleet, and the Detection Engine all pre-configured, enabled and ready to use, within minutes.

fox-it/dissect: An incident response framework built from various parsers and implementations of file formats. Dissect allows you to quickly gain access to forensic artefacts, such as Runkeys, Prefetch files, and Windows Event Logs. Works in the same way regardless of the underlying container, filesystem, or OS.

Red Team

evilsocket/jscythe: Abuse the Node.js inspector mechanism to force any Node.js/Electron/v8 based process to execute arbitrary JavaScript code even if their debugging capabilities are disabled, by Simone Margaritelli. Works on Discord, Slack, etc.

RedTeamPentesting/kbtls: A library for creating mutually trusted client and server certificates based on a pre-shared connection key.

Building a Red Team Infrastructure: Secure Systems Engineering GMBH’s André Tschapeller explores the essential components needed for robust red teaming infrastructure. This post provides an overview of the system as a whole then dives into each separate element, including the C2 infrastructure, HTTPS and DNS redirectors, and using GoPhish in conjunction with a postfix redirector for the phishing server.

🤖 Infosec Concepts & Strategies

10 Bot Detection Tools for 2023: Bots can scrape your website content, spam comments, take down your website with DDoS attacks, and try to force their way into your user or corporate accounts. These 10 tools can help you distinguish human traffic from bot traffic, allowing them to identify and stop all types of bot and fraud threats.

NIST CSF vs. ISO 27001: Understanding the Key Differences: Trying to decide which framework is best can be confusing at times, but what we know is both NIST CSF and ISO 27001 provide key cybersecurity measures to protect from incoming threats and ensure the business is compliant. This post will demystify NIST CSF and ISO 27001, shedding light on their distinctive characteristics and discover which one aligns best with your organization’s unique cybersecurity needs.

Lighting the Exfiltration Infrastructure of a LockBit Affiliate: An investigative report into a LockBit extortion incident that took place in Q3 2023 and uncovers connections between a range of cybercriminal activities, highlighting some of the constants characterizing a dangerous threat actor operating deeply in the digital underground. The report presents findings from examining the exfiltration infrastructure associated with one of the most notorious LockBit affiliates, which has also been tracked by CISA.

📑 MasterClass: Tutorials & Guides

How to Stop Vulnerable Driver Attacks: Ransomware actors are leveraging vulnerable drivers to tamper with endpoint security products. This tutorial describes how Elastic Security has released 65 YARA rules to detect vulnerable driver abuse.

Macro-level ATT&CK Updates: This guide from Splunk presents updated data on the frequency of MITRE ATT&CK technique observations across cyber incidents from 2020 to 2023. The analysis covers the concentration of techniques across different ATT&CK matrices and identifies the top consensus technique reporting in 2023. 0EUSZ.

A Guide to IAM Compliance: This comprehensive article explores IAM and IAM compliance, why it’s important, and why it needs to be a core component of your security and compliance program. This also discusses specific requirements for the cloud and how your organization can prepare to demonstrate proof of IAM compliance for auditors.

2023 State of API Security Report and Global Findings: This survey investigates API data breaches, API sprawl, ownership, governance, zero trust, and the path to a secure future. This study gathered insights from 1,629 respondents across over 100 countries and six major industries. One of the highlights is that 74% of organizations have had at least three API-related data breaches in the past two years.