Latest web hacking tools – Q3 2021

We take a look at the latest additions to security researchers’ armoury

The benefits offered by the latest batch of open-sourced hacking tools are familiar godsends to DevOps or security teams, simplifying workflows, tackling human error through automation, and uncovering otherwise hard-to-find flaws.

A recent demonstration showed how to weaponize the humble USB cable, and a novel but simple way of deterring ransomware attacks emerged – in timely fashion – during the same month that the US Coloniel Pipeline attack netted the assailants a payout of $4.3 million (much of which may have been later seized by the US Department of Justice).

Here’s our roundup of the latest hacking tools available to pen testers, security teams, and DevOps personnel for the third quarter of 2021:

VSCode integration with Mitre ATT&CK framework streamlines code editing work

VSCode-ATT&CK is a plugin through which security analysts and researchers can interact with the Mitre ATT&CK framework without leaving their Visual Studio Code (VSCode) environments.

Developed and open sourced by managed detection and response vendor Red Canary, the extension for Microsoft’s popular code editor integrates with the Mitre ATT&CK framework and offers an integrated ATT&CK technique search command, among other features.

Red Canary detection engineer Thomas Gardner told The Daily Swig that the tool helps security teams “maintain focus within VSCode without having to leave the application and access information about ATT&CK via their browser”.

Read more about VSCode-ATT&CK

Jenkins Attack Framework helps red teams harden ‘soft targets’ in CI/CD environments

Jenkins Attack Framework (JAF) helps pen testers and red teamers uncover ways in which the popular automation server can be abused.

Released by Accenture, the tool automates and simplifies many common, and some less common, Jenkins attack techniques.

Jenkins, an open source CI/CD pipeline that often stores powerful credentials and proprietary code, has historically not been securely configured by default, often rendering it “a soft target”, JAF developer Shelby Spencer, formerly of Accenture, told The Daily Swig.

Read more about Jenkins Attack Framework

Deadshot uncovers all-too-common DevOps blunders made when uploading code to GitHub

A free tool that warns developers when they inadvertently include sensitive information in their code before it’s uploaded to a repository was launched by security specialists at communications technology company Twilio.

Deadshot monitors GitHub pull requests in real time and flags potentially sensitive data that surfaces in code, as well as “changes to sensitive functionality”.

A ‘deploy and forget’ tool, it runs in every commit and should alert project owners before any data leaves the organization – a potentially invaluable benefit after Twilio security expert Yashvier Kosaraju observed that most published secrets come “from unsuspecting developers that unknowingly committed them to GitHub”.

Read more about Deadshot

DIY malicious USB cable for $30

Hackers – ethical or otherwise – can make their own keystroke-injecting USB cable for around $30, according to a blog post from Daniel Scheidt, information security consultant at German cybersecurity firm r-tec.

Scheidt documented how he did just that, implanting a UNIFY receiver into an innocent-looking USB cable – which, incidentally, would still charge your phone – in order to inject keystrokes.

In building this ‘Evil Logitech’ keyboard, the researcher acknowledged the groundwork laid by Luca Bongiorni’s similar USBSamurai, Rogan Dawes’ LOGITacker, which enumerates and tests Logitech wireless input devices for vulnerabilities, and Marcus Mengs’ ‘munifying’, which extracts AES link encryption keys and device RF addresses of paired devices from a Logitech receiver dongle via USB.

Read more about ‘Evil Logitech’ USB cable

Cyrillic keyboard simulation thwarts Russia-affiliated ransomware attacks

Unit221B founder Lance James released a Windows batch script to help organizations dupe ransomware into believing they are based in Russian-speaking regions and therefore are less likely to be attacked.

The short, clickable script adds a Russian language reference in the Windows registry keys to make it appear that the Windows PC has a Russian keyboard installed, circumventing the need to download relevant script libraries from Microsoft.

Most ransomware strains – but certainly fewer malware overall – fail to install if they detect a Russian or Ukrainian keyboard, reflecting the recognition among Russian-affiliated cybercrime gangs that attacks on home soil could spark unwanted attention from Russian law enforcement.

Visit the Russian Keyboard Registry Script GitHub repo

PREVIOUS EDITION Latest web hacking tools – Q1 2021