Last Week in Security (LWiS) - 2020-02-24

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-02-17 to 2020-02-24.

MITRE ATT&CK techniques are in brackets after entries where appropriate.

News

  • @hFireF0x has been on a rampage against Windows drivers. If you are looking for a driver to add to last week's KDU or dsepatch, follow this user.
  • Deepfakes are being used to spread misinformation. We all knew it was coming, but this appears to be the first major use of a deepfake in an influence operation. The 2020 US election will likely see a few more. (How good are deepfakes? Really good, powered by DeepFaceLab.)
  • The C2 Matrix is out! This matrix compares the features of all the major C2 frameworks available today. This is a great resource for choosing a C2 framework, and I hope it stays updated.
  • Estonian Foreign Intelligence published its 2019 annual report. It contains details of Russian and Chinese operations, both military and cyber. It also has well-done infographics.
  • Apple will enforce a maximum certificate lifetime of 398 days on certificates issued from 2020-09-01 onward. If you are using Let's Encrypt, this isn't an issue. Analysis here.
  • A Chinese Bitcoin investor lost 45MM USD in a SIM-swapping attack. If you have more money in cryptocurrency than you would carry in your wallet, it's time to buy and use a hardware wallet. The same rule applies to how much cryptocurrency you should keep on an exchange.
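A quick way to check your own certificates against the 398-day cap mentioned above. This is an added example, not code from the newsletter or from Apple; it parses the raw X.509 notBefore/notAfter strings (UTCTime or GeneralizedTime, Zulu only) as printed by most TLS tooling, and assumes Apple measures validity as notAfter minus notBefore and only applies the cap to certificates issued on or after 2020-09-01.

```python
from datetime import datetime, timedelta, timezone

MAX_LIFETIME_DAYS = 398                                   # Apple's new cap
ENFORCEMENT_START = datetime(2020, 9, 1, tzinfo=timezone.utc)  # issuance cutoff


def parse_x509_time(s: str) -> datetime:
    """Parse an X.509 Time: UTCTime 'YYMMDDHHMMSSZ' or GeneralizedTime 'YYYYMMDDHHMMSSZ'."""
    if not s.endswith("Z"):
        raise ValueError("only Zulu (Z) times are handled here")
    body = s[:-1]
    if len(body) == 12:
        # UTCTime: RFC 5280 pivots two-digit years at 50 (50-99 -> 19xx, 00-49 -> 20xx)
        yy = int(body[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = body[2:]
    elif len(body) == 14:
        # GeneralizedTime carries a four-digit year
        year = int(body[:4])
        rest = body[4:]
    else:
        raise ValueError(f"unrecognized X.509 time string: {s!r}")
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def lifetime_days(not_before: str, not_after: str) -> float:
    """Validity period in days (assumption: measured as notAfter - notBefore)."""
    return (parse_x509_time(not_after) - parse_x509_time(not_before)) / timedelta(days=1)


def violates_apple_limit(not_before: str, not_after: str) -> bool:
    """True if a cert issued on/after 2020-09-01 is valid for more than 398 days."""
    if parse_x509_time(not_before) < ENFORCEMENT_START:
        return False  # issued before the cutoff: not subject to the new cap
    return lifetime_days(not_before, not_after) > MAX_LIFETIME_DAYS


if __name__ == "__main__":
    # Constructed sample validity periods (not real certificates)
    samples = {
        "90-day Let's Encrypt style": ("200915000000Z", "201214000000Z"),
        "2-year cert issued after cutoff": ("201001000000Z", "221001000000Z"),
        "2-year cert issued before cutoff": ("200301000000Z", "220301000000Z"),
    }
    for label, (nb, na) in samples.items():
        print(f"{label}: {lifetime_days(nb, na):.0f} days, "
              f"{'REJECTED by Apple' if violates_apple_limit(nb, na) else 'ok'}")
```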

Techniques

Tools and Exploits

  • GadgetProbe is a Burp Extension from BishopFox that can aid in identifying remote Java classpaths even with blind deserialization. Their writeup is worth a read. [T1190 Exploit Public-Facing Application]
  • physmem2profit is a tool from F-Secure that uses the winpmem driver to remotely access a Windows target's memory and extract credentials. Their blog post has the details. [T1003 Credential Dumping]
  • CVE-2020-0618: RCE in SQL Server Reporting Services (SSRS) exploits a deserialization issue and allows anyone authorized to view the SSRS to achieve remote code execution as nt service\reportserver. [T1190 Exploit Public-Facing Application]
  • onedrive_user_enum allows the enumeration of Office365 domain users that have logged into OneDrive in the past. This provides a reliable enumeration method that is unmonitored and replaces the patched ActiveSync enumeration technique. [T1078 Valid Accounts]
  • KittyLitter is a credential dumper service for Windows that binds to TCP, SMB, and MailSlot channels to communicate credential material to the lowest privilege attackers. This is likely not that useful for offensive engagements, but would be a great tool for attack and defend CTFs where a defender may be rolling creds and trying to kick you off a box. [T1003 Credential Dumping]
  • GadgetToJScript, rasta-mouse fork, makes GadgetToJScript more user friendly by allowing input files and reference assemblies on the command line instead of hardcoding them, which required recompiling the tool. rasta-mouse has a blog post that details the changes as well. [T1064 Scripting]
  • IIS-Raid, by 0x09AL of MDSec, is a native IIS module that abuses the extensibility of IIS to backdoor the web server and carry out custom actions defined by an attacker. The MDSec blog has details. [T1100 Web Shell]
  • CVE-2020-1938 Apache Tomcat AJP file read PoC. Deserialization strikes again. [T1190 Exploit Public-Facing Application]
  • Koppeling by Silent Break Security enables advanced DLL Hijacking (maintain stability of the source process, keep code execution within the process, and get around complexities involved in loader lock). Their blog post has all the details. [T1038 DLL Search Order Hijacking]
  • inline_syscall is another header for C++ projects on Windows that allows for easy inlining of syscalls. This project requires the use of clang, but it highly optimizes and inlines the direct syscalls. The first EDR to develop a generic detection for direct syscalls will likely have some unique detections. [TA0005 Defense Evasion]
    • This joins SysWhispers, a less optimized but more user friendly library for direct system calls.
    • @Cneelis's blog post which introduced the concept of direct syscalls.
  • CVE-2020-8813 is a simple exploit for a pre-authentication (only if a guest has the real-time graph privilege, which is not the default) and post-authentication command injection vulnerability in the Cacti network monitoring web frontend. This is a 90s/early 2000s style command injection in a cookie; legacy software with legacy bugs. [T1190 Exploit Public-Facing Application]
    • Only affects PHP < 7.2 and Cacti < 1.2.10 (not released as of 2020-02-24; 0day)
    • Demo
    • Patch
  • NoAmci uses DInvoke (from the SharpSploit update last week) to patch amsi.dll in order to bypass AMSI detections triggered when loading .NET tradecraft via Assembly.Load(). As the offensive community moves from PowerShell to .NET, EDR has started to catch up, and these types of bypasses are required against advanced EDR. [T1054 Indicator Blocking]

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • 3snake is a tool for extracting information from newly spawned processes on Linux. This could easily be weaponized to ship creds back to a C2 once a box is rooted.