Renegade Security

🐂 Renegade Security | NO. 3 (Standard Edition)

blog.mosesfrost.com

A Moses Frost Newsletter

Moses Frost
Feb 21, 2022

The last few weeks were hectic for me, and as such the newsletter had to take a back seat. This week we return to some normalcy. I won’t get into the specifics, but I will mention that these newsletters are more of a labor of love, and I’d much rather put out quality than quantity. Here are some thoughts from the last few weeks. If, and I do mean if, Russia goes to war with Ukraine, then I suspect there would be a pretty large cyber contingent. In a previous life, when I was over at my previous company, they had plenty of visibility into what was going on in that country. While they posted a blog recently about the attacks, they also have history going back years. Take a look at those posts: none of this is actually recent. Seen from that country's perspective it has been systemic, persistent, and consistent since Russia took portions of its territory.

Everything old is new Department

Before getting into all the technical news: on Sunday morning I saw this interesting YouTube video. It’s a 15-minute watch, but there is also a quick read on Twitter. While I understand why the company operates this way, I can see all the mistakes they are making and know that they have a long way to go culturally before they come to the same conclusions. From a security standpoint, I suspect we will see TONS of bugs. Here is the link; it’s basically what it is like to work at TikTok (China) vs Facebook (US): https://twitter.com/LucasOuYang/thread/1493408428626100226. Here is one red flag: no unit tests.

There was a recent write-up on reading uninitialized memory out of HTTP stacks, Heartbleed-style, this time focused on HTTP/3. This style of attack is not new: Node.js had the same class of issue years ago, when `new Buffer(size)` handed back uninitialized memory, and the function that does exactly that, `Buffer.allocUnsafe()`, still exists today, by design. The bug pattern is always the same: a length field the peer controls, a buffer that is not zero-filled, and fewer bytes copied in than are sent back out.
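To make the Node.js point concrete, here is an added example of mine (not code from the newsletter or from any of the linked write-ups) showing the Heartbleed pattern on top of Node's Buffer API. A handler receives a frame carrying a peer-declared length and echoes that many bytes back; the vulnerable version backs the reply with `Buffer.allocUnsafe()`, so every byte past the real payload is whatever the allocator left there. The frame layout, the function names and the constructed inputs are assumptions for illustration; `Buffer.alloc`, `Buffer.allocUnsafe`, `subarray` and `readUInt16BE` are the real Node APIs.

```javascript
// Frame layout (constructed for this example, loosely after the TLS heartbeat
// record that Heartbleed abused): 2-byte big-endian declared length, then payload.
function buildFrame(declaredLen, payload) {
  const hdr = Buffer.alloc(2);
  hdr.writeUInt16BE(declaredLen, 0);
  return Buffer.concat([hdr, payload]);
}

function parseFrame(frame) {
  if (frame.length < 2) throw new RangeError('frame too short');
  return { declaredLen: frame.readUInt16BE(0), payload: frame.subarray(2) };
}

// Vulnerable echo: trusts declaredLen and backs the reply with Buffer.allocUnsafe(),
// which hands back memory that is NOT zero-filled. Bytes past the copied payload are
// whatever was in that memory before (stale request data, keys, ...). The legacy
// `new Buffer(n)` constructor behaved the same way, which was the old Node.js bug.
function echoVulnerable(frame) {
  const { declaredLen, payload } = parseFrame(frame);
  const out = Buffer.allocUnsafe(declaredLen);
  payload.copy(out, 0, 0, Math.min(payload.length, declaredLen));
  return out; // declaredLen bytes long regardless of how much was received
}

// Hardened echo: the declared length must be covered by bytes actually received,
// and the reply is backed by Buffer.alloc(), which is zero-filled, so even a logic
// slip elsewhere cannot turn into a memory disclosure.
function echoSafe(frame) {
  const { declaredLen, payload } = parseFrame(frame);
  if (declaredLen > payload.length) {
    throw new RangeError(`declared ${declaredLen} bytes but only ${payload.length} received`);
  }
  const out = Buffer.alloc(declaredLen);
  payload.copy(out, 0, 0, declaredLen);
  return out;
}

// Number of bytes beyond the real payload that are non-zero, i.e. bytes that would
// leave the process without ever having been written by this request handler.
function staleByteCount(reply, payloadLen) {
  let n = 0;
  for (let i = payloadLen; i < reply.length; i++) if (reply[i] !== 0) n++;
  return n;
}

// Stand-alone demo. How many stale bytes the vulnerable path leaks depends on what
// the allocator hands back on a given run (it can legitimately be 0); the length
// mismatch is the bug regardless of what happens to be in memory at the time.
function demo() {
  const frame = buildFrame(64, Buffer.from('ping')); // claims 64 bytes, sends 4
  const leaky = echoVulnerable(frame);
  console.log(`vulnerable: replied ${leaky.length} bytes, ${staleByteCount(leaky, 4)} stale non-zero bytes`);
  console.log('tail:', leaky.subarray(4).toString('hex'));
  try {
    echoSafe(frame);
  } catch (e) {
    console.log(`safe: rejected (${e.message})`);
  }
}

if (typeof require !== 'undefined' && require.main === module) demo();
```

The check that matters is the one in `echoSafe`: compare the declared length against the bytes you actually hold before you allocate anything. Zero-filling with `Buffer.alloc` is defence in depth, not a substitute for that comparison, since a zero-filled over-long reply is still a protocol bug, just not an information leak.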

While we are at it, how about write.exe in Windows? I believe this dates back to Windows 1.0.

Grzegorz Tworek @0gtweet
"write.exe" is just ShellExecute() to wordpad.exe. And ShellExecute() reads HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths before reading HKLM. Which means, you can use "write" to launch anything if you create "wordpad.exe" subkey. And it explains why I love Windows.🙃
10:18 AM ∙ Feb 18, 2022

Speaking of old and new, backwards compatibility may plague us all for quite some time; here is the Amazon Web Services version of the issue. It appears the AWS IMDSv2 transition will be difficult. The reason for the hop-limit change below is that the IMDSv2 token response is sent with an IP TTL equal to the instance's PUT response hop limit, which defaults to 1, so from inside a container behind Docker's bridge NAT the token never makes it back:

Ben Reser @BenReser
v4.0.0 of the #Terraform AWS Provider came out today. It moves the provider to using IMDSv2. If you're running in a container on an EC2 instance you'll need to increase the HttpPutResponseHopLimit to 2. If you don't you'll get errors about "no valid credential sources."
12:34 AM ∙ Feb 11, 2022

Crypto … To the moon? Derpartment (SIC).

What happens if the underlying network isn’t secure? BGP hijacking used to steal coins.

Watch this video and tell me your thoughts. It’s two hours, I know, I know. But I will say, if you want to know what’s going on right now with cryptocurrencies and NFTs, maybe this will give you a different, and darker, perspective.

I understand there is a TON of Twitter in this newsletter, but this one is important. OpenSea NFTs were hacked en masse. The video above goes some way to explaining why. To be frank, it has to do with a Solidity smart contract that appears to be doing the stealing.

Dirty “Sicko” Bubble @MikeBurgersburg
This is what a hack looks like 👀 X2Y2 or something else, 578 Ethereum (~$1.7 million) transferred from dozens of wallets through @opensea to a hacker. In addition to possibly millions worth of #NFTs...
Dirty “Sicko” Bubble @MikeBurgersburg
IT'S OPEN SEASON ON @OPENSEA AS SYSTEM HACKED, USERS TAKEN FOR MILLIONS IN ETHEREUM AND #NFTs @Bitfinexed @SilvermanJacob @molly0xFFF @zachxbt @coffeebreak_YT https://t.co/IrFErtC2NR https://t.co/yIJ31WePrE
1:13 AM ∙ Feb 20, 2022

Windows Red Team Department

Someone released a OneDrive Logs (ODL) forensics tool; I suspect we can use it for red teaming as well.

YAAB (Yet Another AMSI Bypass).

Azure Security Guardrails, automate the deployment of hundreds of buttons.

Need to hide in Windows? .NET Persistence Tool

Rootsecdev on Twitter posted this cheat sheet.

Find interesting strings in memory by hooking processes.

Cloud Security Department

“Updated February 8, 2022: Amazon GuardDuty for EKS Protection no longer enabled by default.”

Remote Desktop Web Access (RDS Web) Recon Tool:

Podalirius @podalirius_
[#thread 🧵] I'm proud to present #RDWArecon, a python tool to automatically extract information (#ActiveDirectory domain name, server name, version) about #Microsoft Remote Desktop Web Access (RDWA) application! 🥳🎉 This is quite useful for the recon phase of a #pentest.
5:07 PM ∙ Feb 7, 2022