Weekly in Security 202246

2022-11-14 to 2022-11-21

2 min read - 416 words

Introduction

Weekly in Security is a summary of the cybersecurity news from the past week. This post covers 2022-11-14 to 2022-11-21.

Vulnerabilities

F5 BIG-IP CSRF

Rapid7 has published some fun research that achieves Remote Code Execution on F5 BIG-IP and BIG-IQ devices. The problem is an API endpoint that lacks Cross-Site Request Forgery (CSRF) protections, so it can be called from a script running on a webpage the victim visits. The attack is to trick an admin into loading such a page and then use the admin's existing session cookie to call the API.
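To make the missing control concrete, here is an added example (not Rapid7's code and not F5's API) of the check a cookie-authenticated management API needs before it acts on a state-changing request: the browser-set Origin/Referer must match the management UI, and the request must carry a per-session token that only same-origin script can read. The origin, header names and session store are assumptions for the example.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Assumed origin of the management UI; a page on any other site is cross-site.
ALLOWED_ORIGINS = {"https://mgmt.example.internal"}
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

# session id -> CSRF token bound to that session (stands in for a real session store)
SESSIONS: Dict[str, str] = {}


def create_session() -> Tuple[str, str]:
    """Issue a session id (sent as the cookie) and a CSRF token bound to it.
    The token is only ever delivered to pages served from ALLOWED_ORIGINS."""
    sid = secrets.token_urlsafe(16)
    token = secrets.token_urlsafe(32)
    SESSIONS[sid] = token
    return sid, token


def _request_origin(headers: Dict[str, str]) -> Optional[str]:
    """Origin the browser attached to the request, falling back to Referer."""
    origin = headers.get("origin")
    if origin:
        return origin
    referer = headers.get("referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}"
    return None


def authorize(method: str, headers: Dict[str, str], cookies: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether a cookie-authenticated request may change state.
    Returns (allowed, reason) so the caller can log why a request was refused."""
    normalized = {k.lower(): v for k, v in headers.items()}
    sid = cookies.get("session")
    if sid not in SESSIONS:
        return False, "no valid session"
    if method.upper() not in STATE_CHANGING:
        return True, "read-only request"
    # 1. Provenance: Origin/Referer are set by the browser, not by page script,
    #    so a request driven from another site cannot claim the UI's origin.
    if _request_origin(normalized) not in ALLOWED_ORIGINS:
        return False, "cross-site origin"
    # 2. Proof of same-origin access: the token is only readable by pages from
    #    ALLOWED_ORIGINS, so a cross-site page cannot supply it even though the
    #    browser still attaches the session cookie automatically.
    supplied = normalized.get("x-csrf-token", "")
    if not hmac.compare_digest(supplied, SESSIONS[sid]):
        return False, "missing or wrong CSRF token"
    return True, "ok"


if __name__ == "__main__":
    sid, token = create_session()
    # A request from another site carries the cookie but neither the origin nor the token.
    print(authorize("POST", {"Origin": "https://other.example"}, {"session": sid}))
    # The UI itself supplies both.
    print(authorize("POST", {"Origin": "https://mgmt.example.internal",
                             "X-CSRF-Token": token}, {"session": sid}))
```

Either check alone stops the cross-site call described above; together they also cover browsers that strip Origin on some requests. Marking the session cookie `SameSite=Lax` or `Strict` is a complementary, server-side cheap defence, but it does not replace the token because older clients ignore the attribute.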

Interesting Reads

Infosys leaked FullAdminAccess AWS key

The whole story started with a strange-looking pull request on a repo of Tom Forbes, in which Tom collects metadata for PyPI. The package the user was trying to remove appeared to be an internal package of Infosys, probably published by accident back in February 2021. Tom was still able to download the release file specified in the metadata. At the top of the file, embedded as string constants, were an AWS access key and AWS secret key. Such a key should normally have been revoked long ago, but Tom tried it and found it still active. The credentials provided access to an S3 bucket with a folder called John_Hopkins_Hospital and presumably some files containing clinical data. Looking at the IAM permissions, the key had AdministratorAccess and could perform all IAM actions on all services; a key like that would not be used for development. The story continued when the user from above submitted a takedown request for a random file on pypi-data. So, in the end, and in the absence of any security contact at Infosys, Tom simply revoked the key. That would usually be a no-go, but in this case it seemed like the best thing to do, given the clinical data.
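The check that would have stopped this leak is a pre-publish scan of the release artifact for credential patterns. The following is an added example, not Tom Forbes's pypi-data tooling; it matches the well-known AWS access key ID format (`AKIA`/`ASIA` followed by 16 uppercase alphanumerics) and a 40-character secret assigned near the word "secret". The sample source is constructed and uses the placeholder key pair from the AWS documentation, not real credentials.

```python
import re
from typing import Dict, List

# Constructed stand-in for the top of the leaked release file. The values are
# the AWS documentation placeholders, not live credentials.
SAMPLE_SOURCE = '''
import boto3

AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
BUCKET = "example-bucket"
'''

# Long-term keys start with AKIA, temporary (STS) keys with ASIA; both are 20 chars.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# A 40-char base64-style literal assigned within 40 chars after the word "secret".
SECRET_KEY_RE = re.compile(r"""(?i)secret[^\n]{0,40}?['"]([A-Za-z0-9/+=]{40})['"]""")


def _line_of(text: str, offset: int) -> int:
    """1-based line number of a character offset."""
    return text.count("\n", 0, offset) + 1


def _mask(value: str) -> str:
    """Keep only a short prefix so findings can be reported without re-leaking the value."""
    return value[:4] + "****"


def find_aws_credentials(text: str) -> List[Dict[str, object]]:
    """Return every AWS-looking credential in text, with its kind, line and a masked preview."""
    findings: List[Dict[str, object]] = []
    for m in ACCESS_KEY_RE.finditer(text):
        findings.append({"kind": "access_key_id", "line": _line_of(text, m.start()),
                         "preview": _mask(m.group(0))})
    for m in SECRET_KEY_RE.finditer(text):
        findings.append({"kind": "secret_access_key", "line": _line_of(text, m.start(1)),
                         "preview": _mask(m.group(1))})
    findings.sort(key=lambda f: (f["line"], f["kind"]))
    return findings


def release_is_clean(text: str) -> bool:
    """Gate to run before uploading a release: False if any credential pattern is present."""
    return not find_aws_credentials(text)


if __name__ == "__main__":
    for f in find_aws_credentials(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['kind']} {f['preview']}")
    print("clean" if release_is_clean(SAMPLE_SOURCE) else "BLOCK release")
```

Run it over every file in the built wheel or sdist, not just the checked-in sources, since generated or vendored files end up in the artifact too. Any key the scan finds in something already published has to be treated as compromised and rotated, whatever the scan says afterwards; removing the file does not undo the leak.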

Log4Shell used by Nemesis Kitten

The Washington Post had an article about exploitation of Log4Shell. According to CISA, the hackers exploited the Log4Shell vulnerability in an unpatched VMware Horizon server. The agencies had until December 28 to complete the vulnerability mitigation. The hacking group compromised the target as early as February.

Tools

Orange Cyberdefense mindmap

Quite a helpful reference for pentesting Active Directory.

[Orange-Cyberdefense/ocd-mindmaps](https://github.com/Orange-Cyberdefense/ocd-mindmaps)

Pafish

Pafish is a testing tool that uses different techniques to detect virtual machines and malware analysis environments in the same way that malware families do.

[a0rtega/pafish](https://github.com/a0rtega/pafish)

Can I secure… Digital Life

canisecure.com provides quick and easy guides to secure things like devices and websites.

[krakensecuritylabs/canisecure](https://github.com/krakensecuritylabs/canisecure)