Last Week in Security (LWiS) - 2020-03-30

Hacktivist Bug Bounty payout, Wireguard releases 1.0, a C2 concealer tool for Cobalt Strike, a new Android runtime manipulation tool, and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-03-23 to 2020-03-30. MITRE ATT&CK techniques are in brackets where appropriate.

Need a project while working from home? @Random_Robbie published a list of WordPress plugins that call shell_exec. Have fun!

News

Techniques

Tools and Exploits

  • C2concealer is a command line tool that generates randomized C2 malleable profiles for use in Cobalt Strike. [T1001 Data Obfuscation]
  • TamperETW is a 64-bit PoC based on last week's blog post about hooking Windows ETW telemetry to hide .NET actions. This PoC blocks assembly load events by hooking EtwEventWrite using native system calls. EDR will likely have a tough time with this. [T1054 Indicator Blocking]
  • ppdump-public uses the Zemana AntiMalware Engine to open a privileged handle to a privileged process or Protected Process Light (PPL) process and inject MiniDumpWriteDump() shellcode. It even comes with an aggressor script for easy integration with Cobalt Strike. [T1003 Credential Dumping]
  • changeling is a feature morphing tool that allows you to build dynamic payloads without having to constantly recompile. With correctly designed payload binaries, this tool can quickly swap out resources to change shellcode, settings, etc. on the fly.
  • redirect.rules dynamically generates a redirect.rules file that will redirect Sandbox environments away from a payload hosting/C2 server to a site of your choosing. It combines a ton of User-Agent rules and IP space for known malware analysis companies to help keep your payload undetected for longer. The output rules work on Apache 2.4+ but it would be fairly easy to convert the output to nginx or iptables block rules. [T1090 Connection Proxy]
  • Runtime Mobile Security is a Frida-powered web interface for manipulating Android Java classes and methods at runtime. A comparable iOS tool would be passionfruit, and for a powerful CLI tool that supports both Android and iOS, check out objection. [T1055 Process Injection]
  • Grandstream UCM62xx SQL Injection - Tenable drops an unauthenticated remote code execution exploit for the IP-PBX phone system. Over 10,000 of these show up on Shodan. Need more IoT exploits? Raelize released five exploits for the end-of-life D-Link DSL-2640B here, including hard-coded credentials, and Getting root on a Zyxel VMG8825-T50 router is a great breakdown of the process from unboxing to root shell. [T1190 Exploit Public-Facing Application]
  • Lockless is a C# tool that allows for the enumeration of open file handles and the copying of locked files. [T1005 Data from Local System]

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • dive is a tool for exploring each layer in a docker image interactively in a terminal user interface. It's great for showing what changes at each layer, and can be integrated with continuous integration to ensure space efficiency remains high. It is a great tool to explore containers for possible supply chain risk, especially if the containers are only provided as docker archives. [T1195 Supply Chain Compromise]
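dive does this interactively; as an added illustration (not part of this post or of the dive project), the following Python script walks a `docker save` archive offline and lists, per layer, which files were added or modified and which were deleted via whiteout markers, which is the per-layer view a supply-chain review of an archive-only image needs. The archive contents are constructed sample data, and the layer directory names `aaaa`/`bbbb` are placeholders for the content hashes a real archive uses.

```python
import io
import json
import tarfile

WHITEOUT = ".wh."  # OCI/docker layer marker: "<dir>/.wh.<name>" deletes <name> in that layer

def _add(tar, name, data):  # add an in-memory regular file to an open tarfile
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))

def _layer_tar(files, deleted=()):
    # One layer tarball: `files` are added/modified, each `deleted` path becomes a whiteout.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            _add(tar, path, data)
        for path in deleted:
            d, _, base = path.rpartition("/")
            _add(tar, (d + "/" if d else "") + WHITEOUT + base, b"")
    return buf.getvalue()

def build_sample_archive():
    # Constructed `docker save`-style archive: manifest.json plus two layers (sample data).
    layers = {
        "aaaa/layer.tar": _layer_tar({"etc/passwd": b"root:x:0:0\n", "usr/bin/app": b"\x7fELF"}),
        "bbbb/layer.tar": _layer_tar({"usr/bin/app": b"\x7fELF2", "root/.ssh/authorized_keys": b"ssh-ed25519 AAAA"},
                                     deleted=("etc/passwd",)),  # later layer swaps the binary, adds a key
    }
    manifest = [{"Config": "cfg.json", "RepoTags": ["sample:latest"], "Layers": list(layers)}]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        _add(tar, "manifest.json", json.dumps(manifest).encode())
        for name, data in layers.items():
            _add(tar, name, data)
    return buf.getvalue()

def layer_changes(archive_bytes):
    """Per layer in manifest order: files added or modified, and files deleted via whiteouts."""
    changes = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:") as outer:
        manifest = json.load(outer.extractfile("manifest.json"))
        for layer_name in manifest[0]["Layers"]:
            added, deleted = [], []
            with tarfile.open(fileobj=outer.extractfile(layer_name), mode="r:") as layer:
                for m in layer.getmembers():
                    d, _, base = m.name.rpartition("/")
                    if base.startswith(WHITEOUT):  # ".wh..wh..opq" (opaque dir) lands here too
                        deleted.append((d + "/" if d else "") + base[len(WHITEOUT):])
                    elif m.isfile():
                        added.append(m.name)
            changes.append({"layer": layer_name, "added": sorted(added), "deleted": sorted(deleted)})
    return changes
```

Run `layer_changes(open("image.tar", "rb").read())` against a real `docker save` output to get the same per-layer listing; a late layer that replaces a binary or drops a credential file is exactly what to look for.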

This post is cross-posted on SIXGEN's blog.