Week 39, September 25-October 1, 2023: Cybersecurity Weekly Updates
This week in the world of cybersecurity:
A phishing campaign targeted Ukrainian military personnel, luring them with drone manuals to steal sensitive information. In another instance, a new threat actor named EvilBamboo emerged, targeting Tibetans, Uyghurs, and Taiwanese individuals and moving from simple lure tactics to deploying spyware for espionage. Adding a geopolitical dimension, a report disclosed China-nexus attacks on Southeast Asian government entities, clustering them into three distinct attack patterns. Microsoft made headlines by rolling out passkey support in Windows 11, a move towards stronger user authentication. Lastly, a critical JetBrains TeamCity flaw was discovered that could expose source code and build pipelines to attackers, making urgent remediation necessary on affected systems.
Recent Tools and Techniques
These are some of the recent tools and techniques in the cyber-security sphere that have captured my attention.
REC2 (Rusty External Command and Control) is a client-server tool, written in Rust, that lets auditors execute commands on remote implants (clients) through the VirusTotal and Mastodon APIs. It supports Windows, Linux, and macOS. By using these third-party APIs as the transport, REC2 establishes AES-encrypted communication channels between the server and the implants, so that pending jobs can be polled and retrieved, executed on the target system, and their results sent back through the same services. Routing traffic through external channels adds a layer of anonymization to the operations and makes it harder to trace activity back to the operator. The tool is described as intended for educational purposes, and its disclaimer stresses legal and responsible use and adherence to all applicable laws and guidelines.
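From the defender's side, the notable property of REC2 is that its command channel lives inside traffic to legitimate services, so the thing to look for is not the destination but the cadence: an implant that polls for pending jobs produces near-periodic requests to the VirusTotal or Mastodon API from a host that has no business talking to them. The following is an added example written for this newsletter; it is not REC2 code and not part of the project. It runs a simple beaconing check over constructed proxy-log lines. The Mastodon hostname, the log format, and the allowlist of hosts expected to use VirusTotal are all assumptions.

```python
"""
Beaconing check for command channels tunnelled through third-party APIs.

Added example, not REC2 code: scans proxy-log lines for hosts that contact
the VirusTotal or Mastodon API at a steady cadence, which is how a polling
implant that fetches pending jobs looks from the network side.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

# VirusTotal is named on the page as a REC2 channel; the Mastodon
# instance is an assumed example domain.
WATCHED_HOSTS = {"www.virustotal.com", "mastodon.example.org"}
# Hosts that legitimately automate VirusTotal lookups (assumed allowlist).
EXPECTED_SOURCES = {"sandbox01"}

# Constructed sample log, one request per line:
# "<ISO timestamp> <source host> <destination host> <method> <path>"
SAMPLE_LOG = """\
2023-09-26T10:00:00 ws-017 www.virustotal.com GET /api/v3/comments
2023-09-26T10:01:00 ws-017 www.virustotal.com GET /api/v3/comments
2023-09-26T10:02:01 ws-017 www.virustotal.com GET /api/v3/comments
2023-09-26T10:03:00 ws-017 www.virustotal.com GET /api/v3/comments
2023-09-26T10:03:59 ws-017 www.virustotal.com POST /api/v3/comments
2023-09-26T10:05:00 ws-017 www.virustotal.com GET /api/v3/comments
2023-09-26T09:00:00 sandbox01 www.virustotal.com GET /api/v3/files/aaa
2023-09-26T09:30:00 sandbox01 www.virustotal.com GET /api/v3/files/bbb
2023-09-26T10:00:00 sandbox01 www.virustotal.com GET /api/v3/files/ccc
2023-09-26T10:30:00 sandbox01 www.virustotal.com GET /api/v3/files/ddd
2023-09-26T11:00:00 sandbox01 www.virustotal.com GET /api/v3/files/eee
2023-09-26T11:30:00 sandbox01 www.virustotal.com GET /api/v3/files/fff
2023-09-26T10:00:10 ws-042 mastodon.example.org GET /api/v1/timelines/home
2023-09-26T13:22:00 ws-042 mastodon.example.org GET /api/v1/timelines/home
2023-09-26T10:00:00 ws-099 www.example.com GET /
"""


@dataclass
class Finding:
    src: str
    dest: str
    events: int
    mean_interval_s: float
    cv: float  # coefficient of variation of the inter-request gaps


def parse_log(text):
    """Group request timestamps by (source, destination) for watched hosts."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dest, _method, _path = line.split(maxsplit=4)
        if dest in WATCHED_HOSTS:
            events[(src, dest)].append(datetime.fromisoformat(ts))
    return events


def find_beacons(text, min_events=5, max_cv=0.2, expected_sources=EXPECTED_SOURCES):
    """Return (source, destination) pairs whose request timing is near-periodic.

    A pair is flagged when it has at least `min_events` requests and the
    spread of the gaps between them (pstdev / mean) is at most `max_cv`.
    Allowlisted sources are skipped so known automation does not alert.
    """
    findings = []
    for (src, dest), times in parse_log(text).items():
        if src in expected_sources or len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # identical timestamps; nothing to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append(Finding(src, dest, len(times), avg, cv))
    return sorted(findings, key=lambda f: (f.src, f.dest))


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f.src} -> {f.dest}: {f.events} requests, "
              f"every {f.mean_interval_s:.0f}s (cv={f.cv:.3f})")
```

On the sample data only ws-017 is reported: six requests to VirusTotal about a minute apart with almost no jitter. sandbox01 is just as regular but is allowlisted, and ws-042 has too few requests to judge. The thresholds are starting points; the stealthiest implants add randomized sleep, so pair this with a check on which hosts should be reaching these APIs at all.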
The Vcenter Comprehensive Penetration and Exploitation Toolkit is a suite designed for penetration testing of vCenter environments. In version 0.0.3, it runs on Windows and Mac, with Python 3.9 recommended. The toolkit is organized into modules addressing specific vulnerabilities, among them CVE-2021-21972, CVE-2021-21985, CVE-2021-22005, CVE-2022-22954, and CVE-2022-22972. Each module targets its vulnerability and adds features for gathering information directly from URLs and for using a local file read where one is available. For instance, the CVE-2021-21972 module automates exploitation by trying several exploitation chains until a file upload succeeds. The toolkit provides a PyQt5 graphical interface for ease of operation, although this makes the packaged executable significantly large. It also offers a post-exploitation module that generates scripts locally with a single button click. The project is planned for long-term, community-driven maintenance, with improvements, bug fixes, and new exploitation methods contributed through pull requests or issues on its GitHub repository. Compared with similar tools such as VcenterKiller, it serves a different purpose: a local, graphical interface for penetration testers to exploit vCenter vulnerabilities from inside an internal network or externally, while building a deeper understanding of the vulnerabilities and gaining experience through the tool's development and use.
Nysm is a stealth post-exploitation container tool that uses eBPF (Extended Berkeley Packet Filter) to create a concealment layer for offensive tools against scrutiny by system administrators. Its distinctive approach is to make eBPF invisible to itself, helping the tools it wraps evade detection. Nysm achieves this by intercepting and manipulating the output of a range of system and security tools, including bpftool, ps, top, sockstat, ss, rkhunter, chkrootkit, lsof, and auditd. It primarily hides new eBPF programs, maps, and links, auditd-generated logs, PIDs (process IDs), and sockets. By altering the data returned by system calls and system utilities, it creates a facade that obscures the activity of the offensive tools running inside it.
That’s a wrap on this week’s edition of the Cyber-Security Update. Remember, the cyber-security landscape is ever-changing, and staying informed is your primary defense. Hopefully, the insights and information shared today will assist in navigating this complex domain and in strengthening defenses against potential threats. Stay vigilant, stay informed, and look forward to more insights into the world of cyber-security in next week’s edition.
To stay in sync with the weekly cyber-security roundups, remember to subscribe to the newsletter and follow on social media platforms. If there are any questions or specific topics you’d like to see covered, don’t hesitate to get in touch.