Last Week in Security (LWiS) - 2020-03-30
Hacktivist Bug Bounty payout, Wireguard releases 1.0, a C2 concealer tool for Cobalt Strike, a new Android runtime manipulation tool, and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-03-23 to 2020-03-30. MITRE ATT&CK techniques are in brackets where appropriate.
Need a project while working from home? @Random_Robbie published a list of WordPress plugins that call shell_exec. Have fun!
News
- VPN bypass vulnerability in Apple iOS - A ProtonVPN community member did his own investigation and realized that iOS does not kill existing connections when a VPN is connected, which could allow long-lived connections such as Apples Push Notification Service to continue outside the VPN. To mitigate, toggle Airplane Mode once the VPN is connect to force all connections to drop and reconnect. This issues is not present in corporate Always-on VPN profiles delivered via device management.
- Rare BadUSB attack detected in the wild against US hospitality provider show that APTs are trying all avenues of attack. In this case a USB and gift card were mailed to a business with a letter enticing the user to open a product list on the USB. However, the USB was a keystroke injector which used PowerShell to download a JScript-based bot. If USB drops/BadUSB attacks aren't part of your adversary emulation offerings, they should be.
- Phineas Fisher Says They Paid $10,000 Bounty to Person Who Hacked Chilean Military This is the first payout of the "Hacktivist Bug Hunting Program," and interestingly Phineas reached out to the hackers to offer a bounty. On the lack of hacktivist activity recently Phineas said, "there's a time for everything, a time to hack will come."
- Whitehouse releases 5G security strategy and keeps it short and high level. A "much more detailed" implementation plan is said to be on the way, according to a senior administration official.
- ZecOps teases CVE-2020-0769 for local privilege escalation. The SMB v3 compression bug from the 2020-03-16 LWiS can also be leveraged for local privilege escalation. A Spanish researcher beat them to it with a PoC however. [T1068 Exploitation for Privilege Escalation]
- Type 1 Font Parsing Remote Code Execution Vulnerability is a classic Windows remote code execution bug in the font parser, specifically atmfd.dll. This bug affects Adobe Type 1 PostScript format fonts, and is being actively exploited. Microsoft claims that Windows 10 is at low risk due to mitigations in the OS, but has manual mitigations for earlier operating systems.
- The Logic Behind Russian Military Cyber Operations is a well researched paper from Booz Allen Hamilton that details the public information related to 33 of the GRU's cyber operations at a high level. Direct link.
- WireGuard 1.0.0 for Linux 5.6 Released. This fast UDP based VPN is much simpler than OpenVPN and now that it has reached 1.0 and is included by default in Linux I hope to see tools support it. While the VPN itself is great, there is no good solution for user and key management yet.
Techniques
- Setting Up CI and CD for Tauri is a writeup on how the Tauri team used GitHub actions to handle everything from vulnerability audit to release publishing and everything in between. Tauri itself is an interesting project looking to solve the systemic issues with cross-platform desktop apps like Electron.
- Arbitrary file DACL overwrite to SYSTEM shell. This is a great trick that uses a named pipe with a path traversal string to turn a DACL overwrite into a primitive that can drop a DLL in system32 and then be called by UsoDllLoader. C# version here. [T1068 Exploitation for Privilege Escalation]
- MageCart is getting trickier by faking a Google analytics script tag, and even serving the actual Google analytics javascript if the referrer header doesn't match a pwned site.
- Corellium ordered to hand over unredacted source code before 2020-03-31. The iOS emulation company, in legal hot water for months, faces a new hurdle. I hope there can be a reasonable resolution to this, but based on the extreme measures Apple is pursuing, it doesn't look good.
- CVE-2020-8816 – Pi-hole Remote Code Execution is worth the read not for the exploit, but the technique. Nate walks through the challenges of character restricted command injection and creative use of POSIX shell parameter expansions to achieve remote code execution.
- AS_REP Roasting is a rarely seen but potentially powerful dangerous kerberos setting that allows hash dumping without any prior access or authentication. [T1208 Kerberoasting]
Tools and Exploits
- C2concealer is a command line tool that generates randomized C2 malleable profiles for use in Cobalt Strike. [T1001 Data Obfuscation]
- TamperETW is a 64 bit PoC based on the blog post from last week about hooking Windows ETW telemetry to hid .NET actions. This PoC blocks assembly load events by hooking EtwEventWrite using native system calls. EDR will likely have a tough time with this. [T1054 Indicator Blocking]
- ppdump-public uses Zemana AntiMalware Engine To Open a Privileged Handle to a Privileged Process or Privileged Process Low (PPL) and inject MiniDumpWriteDump() shellcode. It even comes with an aggressor script for easy integration with Cobalt Strike. [T1003 Credential Dumping]
- changeling is a feature morphing tool that allows you to build dynamic payloads without having to constantly recompile. With correctly designed payload binaries, this tool can quickly swap out resources to change shellcode, settings, etc on the fly.
- redirect.rules dynamically generates a redirect.rules file that will redirect Sandbox environments away from a payload hosting/C2 server to a site of your choosing. It combines a ton of User-Agent rules and IP space for known malware analysis companies to help keep your payload undetected for longer. The output rules work on Apache 2.4+ but it would be fairly easy to convert the output to nginx or iptables block rules. [T1090 Connection Proxy]
- Runtime Mobile Security is a Frida powered web interface for maniputlating Android Java Classes and Methods at runtime. A comparable iOS tool would be passionfruit and for a powerful CLI tool that supports both Android and iOS, check out objection. [T1055 Process Injection]
- Grandstream UCM62xx SQL Injection - Tenable drops an unauthenticated remote code execution exploit for the IP-PBX phone system. Over 10,000 of these show up on Shodan. Need more IoT exploits? Raelize released five for the end-of-life D-Link DSL-2640B here including hard coded credentials and Getting root on a Zyxel VMG8825-T50 router is a great breakdown of the process from unboxing to root shell. [T1190 Exploit Public-Facing Application]
- Lockless is a C# tool that allows for the enumeration of open file handles and the copying of locked files. [T1005 Data from Local System]
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- dive is a tool for exploring each layer in a docker image interactively in a terminal user interface. It's great for showing what changes at each layer, and can be integrated with continuous integration to ensure space efficiency remains high. It is a great tool to explore containers for possible supply chain risk, especially if the containers are only provided as docker archives. [T1195 Supply Chain Compromise]
This post is cross-posted on SIXGEN's blog.