Feb 17 2020 Last Week in Security (LWiS) - 2020-02-17

Last Week in Security (LWiS) is a summary of the interesting cyber security news, techniques, tools and exploits from the previous week. This post covers 2020-02-10 to 2020-02-17.

Now with MITRE ATT&CK techniques in brackets where appropriate!

News

The US Attorney General indicted four suspected Chinese PLA members for the Equifax breach in 2017. The indictment states that the attackers wiped log files daily and routed traffic through dozens of servers in nearly 20 countries. Of note, one photo appears to be from a laptop camera, which indicates a possible "hack back" operation or potentially prior access by US intelligence.
CIA and BND (German CIA+NSA) owned and subverted the Swiss cryptography company Crypto AG from 1970 to 2018. Supply chain risk just got another poster child. Alex Stamos (former Yahoo/Facebook security exec) shared the time a Hardware Security Module (HSM) was... tampered with prior to delivery. Still not scared of Huawei? Hmm? [T1195]
@_dirkjan, the AD whisperer, revealed that CVE-2020-0665 was patched on Tuesday and is able to use "kerberos magic" to bypass forest security boundaries. More to come in April. Note this is unrelated to @harmj0y's forest trust research. [TA0008]
Security Key News
- Google open sources titan security key firmware as OpenSK, a rust application for Tock OS running on a Nordic nRF52840 dongle.
- snopf is a new open source USB "password tool" that works differently than a Yubikey or Google's Titan. It generates a password from a master seed based on parameters passed to it and emulates a keyboard to input the password when a physical button is pressed.
@Fox0x01 is back at it! Understanding trusted execution environments and ARM TrustZone is a great resource on how Trusted Execution Environments work on modern Android phones and their attack surface.
The Joshua Schulte trial (accused leaker of CIA tools "Vault 7") is underway and already contains some OPSEC fails. It appears Joshua downloaded TAILS and searched for disk wiping and MD5 sum utilities right after a USB was delivered from Amazon. Multiple levels of fail here, but if you buy a book on hiding bodies the day your spouse goes missing, the jury doesn't need to see the body to think you did it... [T1488]
unc0ver 4.0.1 is out, with support for iOS 13.1-13.3 on A12 and A13 (iPhone XS series, 11, and 11 Pro). This is the first time these devices have been supported by a jailbreak tool as checkra1n only supports i-devices up to the iPhone X. [T1068]
ImageMonkey, an open source repository of classified and tagged images, just surpassed 100,000 images. It is all available for free and even has an API. If you are doing any ML classification training involving images (or just learning ML and need data sets) this is a great resource.
US Cert has released 7 new detailed malware reports on DPRK malware, as well as releasing samples via Virus Total. These reports include code snippets on decoding C2 traffic and yara rules in addition to standard IOCs.

Techniques

Ruben Boonen (@FuzzySec) and The Wover (@TheRealWover) released their BlueHatIL 2020 talk: Staying # and Bringing Covert Injection Tradecraft to .NET. This talk covers why C# is the natural successor to Powershell in today's offensive security environment. This talk covers a new API for code injection they have an open Pull request to SharpSploit. I am excited to develop against this and see others do the same! [T1055]
- Slides
- Video
Netgear put their TLS private key in some router firmware images so they could dynamically sign routerlogin.net. This opens up some fun potential attacks if you own DNS or a gateway.
- Original finding
- Blog Post
In memory execution of .NET with meterpreter by Thomas Hendrickson of Praetorian [T1086]
Hexacorn is at it again, this time loading COM objects with rundll32.exe's -localserver argument. [T1175]
Lateral movement via MSSQL: a tale of CLR and socket reuse is a great write up of how a red team developed a custom tool to reuse a MSSQL socket to implement a socks5 proxy and hit servers behind the DMZ that were accessible to the MSSQL server. mssqlproxy available on github. [TA0008]
Deep Dive into Real-World Kubernetes Threats presents techniques for attacking Kubernetes pods. Next time you see k8s on an engagement, this may be a good starting point. [T1190]
Tutorial on privilege escalation and post exploitation tactics in Google Cloud Platform environments presents an overview and common issues with GGP and how they can be exploited, including lateral movement.
NTT Group released a great course on practical malware deobfuscation. This course goes through obfuscation principles, the theory and practice of obfuscated code analysis, and even data-flow analysis and SAT/SMT-based binary analysis. This is high quality training quality material, thanks NTT Group! [T1140]

Tools and Exploits

VirusTotal releases an official Plugin for IDA Pro 7. It enables you to search for bytes, strings, similar code, or similar functions against the worlds largest collection of binaries to help your analysis. Standard VT licenses allow 90 days retrospection and Threat Hunter PRO allows for 1 year retrospection. [T1140]
Hashcat can now crack zip files using PKZIP at an insane rate of 22.7 ZettaHash/s on a single 2080Ti. Any PKZIP password shorter than 20 characters is not safe.
Bloodhound 3.0 released! Slides and Demos are available, as is a companion blog. Updates below. [T1482]
- Powershell Remoting (port 5985/5986).
- Control of Group Managed Service Account. Allows reading of plaintext password remotely by authorized principles
  
  GMSAPasswordReader
  
  Defenders audit DC permission with BloodHound and look for event ID 2947 in the Direct Service log to detect this technique
- SID History - This is the property used for Golden Ticket attacks, now visible in BloodHound 3.0
- OU Control - Adds the ability to push ACEs to OUs
- SharpHound total rewrite (based on .NET 4.5) that gives ~30% faster LDAP collection (600k computers in a few hours!), better caching, and more accurate data collection
- Various quality of life improvements: large graph drawing warning, improved dark mode, improved node data display, etc
- During the webinar, the BloodHound team mentioned this great BloodHound Cypher cheatsheet for common queries
- Best detection is to find "loud LDAP talkers" because the collection of lots of LDAP data is a primitive that cannot be changed for BloodHound to work
Mimikatz was updated last week to dump creds from Chrome, and it also works with the new Edge beta (Chromium based). [T1503]
Windows Local Privilege Elevation Exploits. Is anyone not SYSTEM at this point? It seems like a new LPE is dropped every day! [T1068]
- CVE-2020-0683 - Windows MSI “Installer service” Elevation of Privilege. This was patched on tuesday, but (surprise) another symbolic link handling bug, this time within MSI packages being installed, allowed an unprivileged attacker to write to arbitrary files. Like all LPEs this requires code to already be executing on the target, but looks like a nice solid LPE for the new year.
  itm4n's writeup
  
  PoC
  
  Weaponization: implement the PoC in C# and run a DLL with UsoDllLoader, then clean up.
  
  Generic Detection: Alert on file creation or symlinking of C:\windows\system32\WindowsCoreDeviceInfo.dll
- Local Privilege Escalation in many Ricoh Printer Drivers for Windows (CVE-2019-19363) disclosed by pentagrid. If you are on a windows box, look for anything with PCL6 in the driver name and you can likely get SYSTEM.
  Writeup and PoC
  
  List of affected drivers
- AMD User Experience Program Launcher from Radeon Software is vulnerable to an insecure file move which leads to LPE
  Writeup
  
  PoC (amd_eop_poc)
  
  Vulnerable Versions: AUEPLauncher (<= 1.0.0.1), AUEPMaster (<= 1950.15.1.117)
  
  Weaponization: Same as CVE-2020-0683, C# version that can be run in memory and only drop the WindowsCoreDeviceInfo.dll to disk
  
  Generic Detection: Alert on file creation or symlinking of C:\windows\system32\WindowsCoreDeviceInfo.dll
- PrivescCheck is a fresh PowerShell v2 script that aims to be a dependency free yet feature filled Windows privesc checker.
Inspired by Orange Tsai's SSL VPN research, @plopz0r found 6 (!) vulnerabilities in SonicWall devices, including 3 pre-auth (SQLi for authenticated sessions, a classic buffer overflow, and a path traversal [existence only]). Patch your SonicWalls! [T1133]
KDU is a seriously impressive project that abstracts away the hard part of getting kernel execution on windows by leveraging vulnerable drivers that are compiled into a single executable. It works on everything from Windows 7 to Windows 10 20H2, even with SecureBoot enabled. It wouldn't be hard to take this project and weaponize it, especially if you have a driver 0day on your hands. Top marks to hfiref0x. [T1068]
- This joins dsepatch, another driver signing enforcement cradle and gdrv-loader from last week, but dsepatch requires you provide your own vulnerable driver.
xgo: Cross compiling Go (golang) is easy in theory, but as soon as you start extending Go with C-based languages or modules, things get complicated. xgo makes building a go project for all targets as easy as xgo github.com/[user]/[go-project].

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

SysmonTools is a powerful collection of tools for investigating Sysmon and pcap logs.
Go (golang) is a great language for a number of reasons, but one drawback can be binary size. goweight is a tool that shows you what is taking up space in your compiled golang binaries, which allows you to make informed choices about dependancies.
npq npq is a drop in replacement for npm that adds a bunch of safety and vulnerability checks. It won't save you from someone cleverly backdooring a package, but it will at least check for known vulns and metrics like age and number of downloads. A baby step forward for the dumpster fire that is javascript dependency management. [T1195]