Last Week in Security (LWiS) - 2020-02-24
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-02-17 to 2020-02-24.
MITRE ATT&CK techniques are in brackets after entries where appropriate.
News
- @hFireF0x has been on a rampage against Windows drivers. If you are looking for a driver to add to last week's KDU or dsepatch, follow this user.
- Deepfakes are being used to spread misinformation. We all knew it was coming, but this appears to be the first major use of a deepfake in an influence operation. The 2020 US election will likely see a few more. (How good are deep fakes? Really good, powered by DeepFaceLab)
- Expect this to be used in attacks like the recent Hamas fake-woman ruse that duped Israeli soldiers.
- The C2 Matrix is out! This matrix compares the features of all the major C2 frameworks available today. This is a great resource for choosing a C2 framework, and I hope it stays updated.
- Estonian Foreign Intelligence published its 2019 annual report. It contains details of Russian and Chinese operations, both military and cyber. It also has well-done infographics.
- Highlights by @_JakupJanda
- Apple will enforce a maximum certificate lifetime of 398 days on certificates issued from 2020-09-01 onward. If you are using Let's Encrypt this isn't an issue. Analysis here.
- Meanwhile Apple is sending subpoenas to people who have tweeted about using Corellium, and attempting to block the publication of a book written by former App Store manager Tom Sadowski, "App Store Confidential."
- Chinese Bitcoin investor loses 45MM USD in a SIM swapping attack. If you have more money in cryptocurrency than you would carry in your wallet, it's time to buy and use a hardware wallet. The same rule applies to how much cryptocurrency you should keep on an exchange.
Techniques
- @danusminimus dropped the 4th part of his very thorough "Analyzing Modern Malware Techniques" blog. If you are interested in deeply technical malware reversing, this is a great read.
- MacOS Instrumentation for Insider Threats walks through using the basic security module of macOS to audit file access and potentially detect unusual file access patterns for post-compromise or insider threat detection. [T1005 Data from Local System]
- Bypass Windows 10 User Group Policy (and more) with this One Weird Trick - Clickbait title aside, this is a great find on how unprivileged users can bypass group policy, and even gain code execution or bypass AV. I won't be surprised when ransomware uses this to disable "protected" AV via the registry on reboot and then starts encrypting files. [T1112 Modify Registry]
- Detection: Detect a write of a "ntuser.man" file in a userprofile directory.
- Sysmon rule: <TargetFilename condition="end with">ntuser.man</TargetFilename> <!--Group Policy bypass-->
- Casey Smith (@subTee) demoed the ability to hijack arbitrary .NET assemblies using a runtime configuration and the probing functionality. This should be researched for its potential as a persistence technique and AV bypass.
- Getting What You’re Entitled To: A Journey Into MacOS Stored Credentials has two good examples of post exploitation credential harvesting from applications (Microsoft Remote Desktop and Google Drive Backup and Sync) even when an application is protected by the "Hardened Runtime." [T1003 Credential Dumping]
- Open redirect to account takeover is a short writeup on how to convert an open redirect vulnerability to cookie stealing.
- Introduction To Modern Routing For Red Team Infrastructure - using Traefik, Metasploit, Covenant and Docker does what it says on the tin. The sometimes tricky Traefik 2.0 rules-as-labels setup is explained in detail for Metasploit and Covenant.
Tools and Exploits
- GadgetProbe is a Burp Extension from BishopFox that can aid in identifying remote Java Classpaths even with blind deserialization. Their writeup is worth a read. [T1190 Exploit Public-Facing Application]
- physmem2profit is a tool from F-Secure that uses the winpmem driver to remotely access a Windows target's memory and extract credentials. Their blog post has the details. [T1003 Credential Dumping]
- CVE-2020-0618: RCE in SQL Server Reporting Services (SSRS) exploits a deserialization issue and allows anyone authorized to view the SSRS to achieve remote code execution as nt service\reportserver. [T1190 Exploit Public-Facing Application]
- onedrive_user_enum allows the enumeration of Office365 domain users that have logged into OneDrive in the past. This provides a reliable enumeration method that is unmonitored and replaces the patched ActiveSync enumeration technique. [T1078 Valid Accounts]
- KittyLitter is a credential dumper service for Windows that binds to TCP, SMB, and MailSlot channels to communicate credential material to the lowest privilege attackers. This is likely not that useful for offensive engagements, but would be a great tool for attack and defend CTFs where a defender may be rolling creds and trying to kick you off a box. [T1003 Credential Dumping]
- GadgetToJScript, rasta-mouse fork, makes GadgetToJScript more user friendly by allowing input files and reference assemblies on the command line instead of hardcoding them, which required recompiling the tool. Rastamouse has a blog post that details the changes as well. [T1064 Scripting]
- IIS-Raid, by 0x09AL of MDSec, is a native IIS module that abuses the extensibility of IIS to backdoor the web server and carry out custom actions defined by an attacker. The MDSec blog has details. [T1100 Web Shell]
- CVE-2020-1938 Apache Tomcat AJP file read PoC. Deserialization strikes again. [T1190 Exploit Public-Facing Application]
- Koppeling by Silent Break Security enables advanced DLL Hijacking (maintain stability of the source process, keep code execution within the process, and get around complexities involved in loader lock). Their blog post has all the details. [T1038 DLL Search Order Hijacking]
- inline_syscall is another header for C++ projects on Windows that allows for easy inlining of syscalls. This project requires the use of clang, but does highly optimize and inline the direct syscalls. The first EDR to develop a generic detection for direct syscalls will likely have some unique detections. [TA0005 Defense Evasion]
- This joins SysWhispers, a less optimized but more user friendly library for direct system calls.
- @Cneelis's blog post which introduced the concept of direct syscalls.
- CVE-2020-8813 is a simple exploit for a pre-authentication (if a guest has the real time graph privilege, which is not the default) and post-authentication command injection vulnerability in the Cacti network monitoring web frontend. This is a 90's/early 2000's style command injection in a cookie; legacy software with legacy bugs. [T1190 Exploit Public-Facing Application]
- NoAmci uses DInvoke (from the SharpSploit update last week) to patch AMSI.dll in order to bypass AMSI detections triggered when loading .NET tradecraft via Assembly.Load(). As the offensive community moves from PowerShell to .NET, EDR has started to catch up, and these types of bypasses are required against advanced EDR. [T1054 Indicator Blocking]
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- 3snake is a tool for extracting information from newly spawned processes on Linux. This could easily be weaponized to ship creds back to a C2 once a box is rooted.