Last Week in Security (LWiS) - 2020-04-13

"Anonymous" COVID-19 contact tracing, abusing system errors for binary obfuscation, a self-paced crypto CTF, the weekly Windows privesc, and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-04-06 to 2020-04-13. MITRE ATT&CK techniques are in brackets where appropriate.

News

  • IDA Home is coming! The "Ghidra Effect" is pushing Hex-Rays to innovate, and while details are light, this is a good thing for the reverse engineering community. However, the Home edition will only support one processor family and costs $365 a year (no decompiler). Its biggest advantage is the inclusion of IDAPython, which unlocks a deep community of user-created tools for IDA.
  • A Decade of RATs is a report from BlackBerry that details advanced persistent threats targeting Linux endpoints.
  • Google and Apple team up on contact tracing while trying to preserve privacy. Even with "anonymous" tracking, this data will likely be weaponized in unforeseen ways.

Techniques

Tools and Exploits

  • Ghost-In-The-Logs is a tool that leverages a kernel driver to disable Event Tracing for Windows (ETW). Since ETW underpins nearly all Windows event logging, this turns logging off (or back on) wholesale, so use it sparingly! [T1054 Indicator Blocking]
  • GhostBuild is a collection of simple MSBuild launchers for various GhostPack/.NET projects. [T1500 Compile After Delivery]
  • nessus-database-export is a script to export Nessus results to a relational database for use in reports, analysis, or whatever else. This makes it easy to find a specific vulnerability across many scans, search for text across all scans, compute stats across date ranges, or serve as the backend for a custom web app.
  • Slingshot C2 Matrix Edition is a virtual machine from the makers of the C2 matrix that comes with many C2 frameworks preinstalled. A SANS login is required for download. [TA0011 Command and Control]
  • Gunslinger is a hunting tool that is based around URLScan's Search API. Gunslinger can crawl URLScan for JavaScript files that match a set of user-defined rules and report the findings back to Slack. Of note, the URLScan API is free, and this tool may be useful for continuous monitoring of your web properties to alert on JavaScript or other changes.
  • frankenstein provides a virtual environment to fuzz wireless firmware using the CYW20735 Bluetooth evaluation board. This is a cool tool for exploring Bluetooth firmware bugs.
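To show what the "Nessus results in a relational database" idea from the nessus-database-export entry buys you, here is an added example (mine, not the project's own code) that parses the NessusClientData_v2 XML format that Nessus exports, loads the findings into SQLite, and answers the questions the entry lists: where did a given plugin fire across all scans, which findings match a text search, severity counts per scan, and which findings disappeared between two scans. The two exports embedded below are constructed by hand for the example; plugin IDs and names are illustrative, not real scan output.

```python
"""Load .nessus (NessusClientData_v2) exports into SQLite and query across scans.

Added example; not the nessus-database-export project's own code.
"""
import sqlite3
import xml.etree.ElementTree as ET

# One row per ReportItem. The primary key makes re-loading the same export a no-op.
SCHEMA = """
CREATE TABLE IF NOT EXISTS findings (
    scan        TEXT    NOT NULL,
    host        TEXT    NOT NULL,
    port        INTEGER NOT NULL,
    protocol    TEXT    NOT NULL,
    plugin_id   INTEGER NOT NULL,
    plugin_name TEXT,
    severity    INTEGER,
    risk_factor TEXT,
    cve         TEXT,
    PRIMARY KEY (scan, host, port, protocol, plugin_id)
);
"""

# Constructed sample exports (hand-written for this example, not real scanner output).
SCAN_A = """<?xml version="1.0"?>
<NessusClientData_v2><Report name="Weekly 2020-04-06">
  <ReportHost name="10.0.0.5">
    <HostProperties><tag name="host-ip">10.0.0.5</tag></HostProperties>
    <ReportItem port="443" svc_name="www" protocol="tcp" severity="2" pluginID="57582"
                pluginName="SSL Self-Signed Certificate" pluginFamily="General">
      <risk_factor>Medium</risk_factor></ReportItem>
    <ReportItem port="443" svc_name="www" protocol="tcp" severity="3" pluginID="20007"
                pluginName="SSL Version 2 and 3 Protocol Detection" pluginFamily="Service detection">
      <risk_factor>High</risk_factor></ReportItem>
  </ReportHost>
  <ReportHost name="10.0.0.9">
    <HostProperties><tag name="host-ip">10.0.0.9</tag></HostProperties>
    <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0" pluginID="10881"
                pluginName="SSH Protocol Versions Supported" pluginFamily="General">
      <risk_factor>None</risk_factor></ReportItem>
  </ReportHost>
</Report></NessusClientData_v2>"""

# A week later: SSLv2/v3 was fixed on 10.0.0.5, the self-signed cert is still there.
SCAN_B = """<?xml version="1.0"?>
<NessusClientData_v2><Report name="Weekly 2020-04-13">
  <ReportHost name="10.0.0.5">
    <HostProperties><tag name="host-ip">10.0.0.5</tag></HostProperties>
    <ReportItem port="443" svc_name="www" protocol="tcp" severity="2" pluginID="57582"
                pluginName="SSL Self-Signed Certificate" pluginFamily="General">
      <risk_factor>Medium</risk_factor></ReportItem>
  </ReportHost>
  <ReportHost name="10.0.0.9">
    <HostProperties><tag name="host-ip">10.0.0.9</tag></HostProperties>
    <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0" pluginID="10881"
                pluginName="SSH Protocol Versions Supported" pluginFamily="General">
      <risk_factor>None</risk_factor></ReportItem>
  </ReportHost>
</Report></NessusClientData_v2>"""


def parse_nessus(xml_text):
    """Yield one dict per ReportItem; host comes from the host-ip tag, else the ReportHost name."""
    root = ET.fromstring(xml_text)
    for report in root.iter("Report"):
        scan = report.get("name")
        for rhost in report.iter("ReportHost"):
            host = rhost.findtext("HostProperties/tag[@name='host-ip']") or rhost.get("name")
            for item in rhost.iter("ReportItem"):
                yield {
                    "scan": scan, "host": host,
                    "port": int(item.get("port")), "protocol": item.get("protocol"),
                    "plugin_id": int(item.get("pluginID")), "plugin_name": item.get("pluginName"),
                    "severity": int(item.get("severity")), "risk_factor": item.findtext("risk_factor"),
                    "cve": ",".join(c.text for c in item.findall("cve")),  # may be empty
                }


def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def load_scan(conn, xml_text):
    """Insert all findings from one export; returns the number parsed (duplicates are ignored)."""
    rows = [(f["scan"], f["host"], f["port"], f["protocol"], f["plugin_id"],
             f["plugin_name"], f["severity"], f["risk_factor"], f["cve"]) for f in parse_nessus(xml_text)]
    with conn:
        conn.executemany("INSERT OR IGNORE INTO findings VALUES (?,?,?,?,?,?,?,?,?)", rows)
    return len(rows)


def find_plugin(conn, plugin_id):
    """Every (scan, host, port) where a given plugin fired: 'where is this vuln across all scans?'"""
    return conn.execute("SELECT scan, host, port FROM findings WHERE plugin_id = ? "
                        "ORDER BY scan, host, port", (plugin_id,)).fetchall()


def search_text(conn, needle):
    """Case-insensitive substring search over plugin names and CVE lists across all scans."""
    like = f"%{needle}%"
    return conn.execute("SELECT scan, host, plugin_id, plugin_name FROM findings "
                        "WHERE plugin_name LIKE ? OR cve LIKE ? ORDER BY scan, host, plugin_id",
                        (like, like)).fetchall()


def severity_counts(conn):
    """{scan: {severity: count}}, the raw material for stats across date ranges."""
    stats = {}
    for scan, sev, n in conn.execute("SELECT scan, severity, COUNT(*) FROM findings GROUP BY scan, severity"):
        stats.setdefault(scan, {})[sev] = n
    return stats


def fixed_between(conn, old_scan, new_scan):
    """(host, port, plugin_id) present in old_scan but gone in new_scan: what got remediated."""
    return conn.execute("SELECT host, port, plugin_id FROM findings WHERE scan = ? "
                        "EXCEPT SELECT host, port, plugin_id FROM findings WHERE scan = ? "
                        "ORDER BY host, port, plugin_id", (old_scan, new_scan)).fetchall()


def build_demo_db():
    conn = open_db()
    load_scan(conn, SCAN_A)
    load_scan(conn, SCAN_B)
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    print("plugin 57582 seen in:", find_plugin(db, 57582))
    print("severity counts:", severity_counts(db))
    print("fixed between scans:", fixed_between(db, "Weekly 2020-04-06", "Weekly 2020-04-13"))
```

Point `open_db()` at a file instead of `:memory:` and call `load_scan()` on each export as it lands; the composite primary key means re-running on the same file is safe, and the `EXCEPT` query in `fixed_between()` is the same diff you would otherwise eyeball between two PDF reports.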

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • 18 GitLab features are moving to open source. GitLab might be feeling the pressure from GitHub as they make their free offering even better with the following features that used to be paid-only: Related issues, Export issues, Issue board focus mode, Service desk, Web Terminal for Web IDE, File syncing to the web terminal, Design Management, Package Managers, Canary deployments, Incremental rollout, Feature flags, Deploy boards, Support for multiple Kubernetes clusters, and Network policies for container network security.
  • Project Send is a free, open source application that lets you share files with your clients, focused on ease of use and privacy. It supports client groups, system user roles, statistics, multiple languages, detailed logs, and much more! A Docker container is also available.

This post is cross-posted on SIXGEN's blog.