Last Week in Security (LWiS) - 2020-03-16

Covid-19 as a lure, using OSINT to find John McAfee (again), another wormable SMB vulnerability (think WannaCry), and tons of new tools!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-03-09 to 2020-03-16. MITRE ATT&CK techniques are in brackets where appropriate.

Stuck in self-quarantine? Movies for hackers is a great list of movies and shows for hackers and cyberpunk types.

News

  • Apple's T2 Chip is vulnerable to checkra1n, which could allow unlimited attempts to decrypt a FileVault-protected volume if an attacker has physical access. This leads to an interesting question: did Apple know about the bug and its subsequent fix on the A12 chip, or was it patched coincidentally? If they did know about it, why are they still shipping Macs with the flawed T2, which is built on the vulnerable A10 chip?
  • Finding a problem at the bottom of the Google stack details the process a Google site reliability engineer took as they traced down an issue from frontend to the datacenter. An interesting story of the kinds of issues you can have at Google-scale.
  • CVE-2020-8597 is a bug in the Point-to-Point Protocol (PPP) daemon for Linux that allows an unauthenticated attacker to trigger a stack-based buffer overflow. Right now the only PoC is a denial of service (crash), but this will likely be weaponized soon. Patch your VPNs! [T1190 Exploit Public-Facing Application]
  • avscript from the infamous Tavis Ormandy contains an interactive shell that lets you test Avast's custom JavaScript interpreter on Linux for vulnerability research. Yes, Avast ships a custom JavaScript interpreter and runs untrusted JavaScript through it. Since this came out, Avast has disabled the interpreter globally.
  • Covid-19/Corona: Threat Actor Campaigns catalogs the many instances of threat actors leveraging the global pandemic to spread malware. Standard anti-phishing rules apply, even in a pandemic. [T1192 Spearphishing Link]

Techniques

Tools and Exploits

  • Advanced process monitoring techniques in offensive operations from Outflank introduces Ps-Tools, an advanced process monitoring toolkit for offensive operations. These tools are useful to investigate and keep an eye on compromised hosts and alert when defenders show up and start investigating your tooling. The Ps-Tools are listed below. [T1005 Data from Local System]
    • Psx: Shows a detailed list of all processes running on the system.
    • Psk: Shows detailed kernel information including loaded driver modules.
    • Psc: Shows a detailed list of all processes with Established TCP connections.
    • Psm: Shows detailed module information for a specific process ID (e.g., loaded modules, network connections).
    • Psh: Shows detailed handle information for a specific process ID (e.g., object handles, network connections).
    • Psw: Show Window titles from processes with active Windows.
  • CVE-2020-0978 is going to be one to remember like MS08-067 and MS17-010; kernel RCE in Windows 10 1903/1909 via a buffer overflow in SMB3's new compression capability means this is wormable, and we will likely see something like WannaCry/NotPetya. [T1190 Exploit Public-Facing Application]
  • IceBox is a modified VirtualBox for Windows or Linux that enables live, stealthy tracing and debugging of any kernel or user process. It is currently limited to one CPU per virtual machine, which may trip environmental checks in malware. Perhaps this could be combined with VBoxHardenedLoader or antivmdetection.
  • Windows Privilege Escalation Exploits! I feel bad for any exploit dev who has been sitting on Windows LPE 0days as they aren't worth much any more. [T1068 Exploitation for Privilege Escalation]
  • harbian-audit has been updated to support hardening Debian 10 and CentOS 8.
  • pickl3 is another credential phishing tool for Windows. It is nicely packaged as a reflective DLL and comes with a cna script for Cobalt Strike. For another option, see SharpLoginPrompt. [T1056 Input Capture]
  • Crescendo is a Swift-based, real-time event viewer for macOS. It utilizes Apple's Endpoint Security Framework. This could be the start of an open source macOS-based EDR tool!
  • Callidus is a new O365 C2 framework written in .NET Core (C#) that supports C2 via Outlook, OneNote, or Microsoft Teams. [T1102 Web Service]
  • Zelos is a comprehensive binary emulation platform written in Python for Linux binaries. x86, x86_64, ARM, and MIPS binaries are supported, with Unicorn providing CPU emulation.
  • Starkiller is a frontend for the PowerShell Empire fork maintained by BC Security. Along with the improvements in the 3.1 release of PowerShell Empire, Starkiller allows for easy multi-user interaction with a common C2 server. More details available on the BC Security Blog.
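For the SMB3 compression bug above, the practical question on a Windows 10 1903/1909 host is whether the server-side workaround is in place until the patch lands. The following PowerShell is an added example, not code from this newsletter or from Microsoft: it reads the build number from the registry, compares it against the 1903/1909 builds (18362 and 18363), checks the LanmanServer DisableCompression value that Microsoft's advisory uses to turn off SMBv3 compression, and optionally sets it. The function name, the -Remediate switch, and the output object shape are this example's own choices.

```powershell
# Added example: check (and optionally apply) the SMBv3 compression workaround.
# Run from an elevated PowerShell session on the host being checked.
function Test-SmbCompressionWorkaround {
    [CmdletBinding()]
    param(
        # Apply the workaround when the host is affected and unprotected.
        [switch]$Remediate
    )

    # Windows 10 1903 = build 18362, 1909 = build 18363 (the versions named in the item).
    $affectedBuilds = @(18362, 18363)
    $build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber

    # Server-side switch: DisableCompression = 1 (DWORD) under the LanmanServer parameters key.
    $keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $current = (Get-ItemProperty -Path $keyPath -Name DisableCompression -ErrorAction SilentlyContinue).DisableCompression

    $result = [pscustomobject]@{
        Build               = $build
        AffectedBuild       = ($affectedBuilds -contains $build)
        CompressionDisabled = ($current -eq 1)
        Action              = 'None'
    }

    if ($result.AffectedBuild -and -not $result.CompressionDisabled) {
        if ($Remediate) {
            Set-ItemProperty -Path $keyPath -Name DisableCompression -Type DWORD -Value 1 -Force
            $result.CompressionDisabled = $true
            $result.Action = 'DisableCompression set to 1 (no reboot required)'
        } else {
            $result.Action = 'Affected build without workaround; rerun with -Remediate'
        }
    }
    return $result
}

# Usage: report only, then remediate if needed.
Test-SmbCompressionWorkaround
# Test-SmbCompressionWorkaround -Remediate
```

Two caveats worth keeping in mind: the registry value only protects the host as an SMB server, so clients that connect out to a malicious SMB server still need the patch, and blocking TCP 445 at the perimeter remains the standard way to keep a wormable SMB bug from crossing network boundaries.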

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • saferwall is a self-hosted open source malware analysis platform; basically a self-hosted VirusTotal. Once you acquire AV licenses, saferwall will spin up all the infrastructure to do malware scanning across 12 major AVs!