Last Week in Security (LWiS) - 2020-03-23
VMWare exploits including a macOS privesc, XPC abuse in macOS, the first WiFi kr00k PoC, and many great new tools like Invoke-SharpLoader in this week's Last Week in Security.
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-03-16 to 2020-03-23. MITRE ATT&CK techniques are in brackets where appropriate.
News
- COVID-19 Cyber Attacks is a up to date tracker of offensive cyber campaigns that have leveraged the COVID-19 pandemic. Stay alert!
- npm is joining GitHub as GitHub becomes the centralized behemoth of the software development world. Microsoft's famous motto of embrace, extend [you are here], and extinguish is in full force. It remains to be seen if this is a net positive for software development, but I have my doubts.
- CVE-2020-3947 dropped, a use-after-free that allows a guest to execute code on the host in VMWare Workstation, Fusion, Horizon Client, and Remote Console for Windows. No exploit or PoC available yet. [T1068 Exploitation for Privilege Escalation]
- vSphere 7 – Launch Recap & Links is a run down of the vSphere 7 and related announcements from VMware.
- The Inside Scoop on a Six-Figure Nigerian Fraud Campaign is a wild ride through the back alleys of the internet as Check Point Research tracks down a Nigerian fraudster.
- Malware Bazaar is a new free service by abuse.sh that serves as an alternative to virus total that aims to only categorize malware and where samples are available for free (even for commercial use!).
- WireGuard enabled in Debian testing. This is a great step for WireGuard, a VPN protocol many see as the future for VPNs. Ubuntu has had WireGuard available in the default apt repositories since 19.04.
Techniques
- Abusing & Securing XPC in macOS apps is a talk by Wojciech Reguła from the macOS conference "Objective by the Sea" that explores the inter-process communication mechanism XPC for local privilege escalation and unsigned dylib injection. [T1068 Exploitation for Privilege Escalation]
- Demo of dylib injection and XPC trickery to bypass the LuLu firewall
- A secure example of a privileged XPC service was provided as well.
- How Offensive Actors Use AppleScript For Attacking macOS show examples of how AppleScript can be used for persistence, anti-analysis, browser hijacking, spoofing, and more.
- Analyzing SUID Binaries from Grimm is a great blog on how to find vulnerable SUID binaries on macOS. Grimm used this process to find a local privilege escalation in VMware Fusion. Even with the recent patch, VMware Fusion 11.5.2 is still vulnerable. [T1068 Exploitation for Privilege Escalation]
- Hiding Your .NET – ETW introduces a simple patch for the Event Threading for Windows (ETW) function "EtwEventWrite" to prevent any loaded .NET assemblies from appearing in any ETW stream, to include the properties windows of Process Explorer. Code for unmanaged and managed (in-line in the blog) processes is available for x86. x64 is an exercise left to the reader. Bonus points for patching the ETW functions to only filter out your indicators, or replaying the ETW signatures of known begin Windows .NET assemblies to fool EDR. [T1054 Indicator Blocking]
- What’s Wrong With This Account? Or How To Tell Fake Accounts From Real Ones is a good resource for investigating accounts, but also provides a blue print for red teamers on how to avoid creating accounts that look suspicious for phishing campaigns or other social engineering.
- Dir create to SYSTEM describes a few methods of using the ability to create directories on Windows to get a code running as SYSTEM. This should help some exploit devs stuck with a dir-create primitive but no way to weaponize it. [T1068 Exploitation for Privilege Escalation]
Tools and Exploits
- MSOLSpray is a password spraying tool for Microsoft Online accounts (Azure/O365). The script logs if a user cred is valid, if MFA is enabled on the account, if a tenant doesn't exist, if a user doesn't exist, if the account is locked, or if the account is disabled. [T1110 Brute Force]
- r00kie-kr00kie is the first tool to exploit the Kr00k (CVE-2019-15126) WiFi attack where many chips set the packet encryption key to all zeros when de-authenticated, but still send all the packets in the send buffer. It is possible to leak a few packets from busy clients each time you de-auth them. Think of it as heart bleed for WiFi, but much more disruptive to the end user. The Hexway Blog has a detailed explanation.
- MemProcFS evolves direct memory access (DMA) attacks to their GUI based final form by mounting memory contents as a virtual file system allowing you to use normal tools like hex editors on live memory. It even comes with Python and C/C++ API bindings. [T1200 Hardware Additions]
- Egalito: Layout-Agnostic Binary Recompilation is an interesting presentation by David Williams-King on a binary recompiler that lifts linux (x86-64, aarch64, and experimental RISC-V) ELF binaries to an intermediate language, applies modifications (i.e. patches, function trampolines, etc), and recompiles back to a binary. The spirit of this project is for binary hardening and after the fact patching, but I can see it being the basis of an advanced binary obfuscator or a tool to repurpose existing binary malaware automatically. All the code is GPL-3 and on GitHub.
- LDAPFragger: Command and Control over LDAP attributes introduces a tool for C2 via LDAP to use in environments where LDAP queries to a shared AD are allowed from both an isolated network and network with internet access. The C# project is available on GitHub. [T1094 Custom Command and Control Protocol]
- PDBRipper is a utility for extract an information from PDB-files, the Program Database multi-stream symbol file which contains lots of useful information about a binary.
- LeakLooker-X is a GUI for discovering, browsing, and monitoring databases that leverages Binary Edge. [TA0007 Discovery]
- gTunnel is a new tunneling solution written in golang. It may be useful as a base for how to implement tunneling in a custom golang access tool. [T1090 Connection Proxy]
- Invoke-SharpLoader loads encrypted and compressed C# Code from a remote Webserver or from a local file straight to memory and executes it there. Very useful AV/EDR evasion tool. [T1500 Compile After Delivery]
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- dsdump is an improved nm + objective-d/swift class-dump. If you have worked with macOS or iOS binaries and tried to use the various forms of class dump, you know the issues with the change from objective-c to swift had on their output. dsdump has fixed these issues and provided even more options and output! Derek Selander provides a very in depth writeup on the inner workings as well.