Last Week in Security (LWiS) - 2020-04-13
"Anonymous" COVID-19 contract tracing, abusing system errors for binary obfuscation, a self-paced crypto CTF, the weekly windows privesc, and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-04-06 to 2020-04-13. MITRE ATT&CK techniques are in brackets where appropriate.
News
- IDA Home is coming! The "Ghidra Effect" is pushing Hex-Rays to innovate, and while details are light, this is inevitably a good thing for the reverse engineering community. However, the Home edition will only support one processor family, and is $365 a year (no decompiler). The biggest advantage is the inclusion of IDAPython while unlocks a deep community of user-created tools for IDA.
- A Decade of Rats is a report from Blackberry that details advanced persistence threats targeting Linux endpoints.
- Google and Apple team up for contract tracing while trying to preserve privacy. Even with "anonymous" tracking, this data will likely be weaponized in unforeseen ways.
Techniques
- Extracting TLS keys from an unwilling application quickly walks through the process of injecting a DLL into a process to dump SSL keys and provides the code to do so.
- Windows Server 2008R2-2019 NetMan DLL Hijacking is a detailed writeup by itm4n on how a DLL hijacking vulnerability was found on all versions of Windows Server from 2008R2 to 2019 that can be triggered by a normal user with an interactive session or Network/Local Service. If you land on a Windows server box, this will more than likely get you SYSTEM. [T1068 Exploitation for Privilege Escalation]
- CryptoHack is a CTF platform for learning modern cryptography. Dust off CyberChef or better yet their custom docker container and get to cracking! This is a very well done CTF that you can complete at your own pace.
- CVEAC-2020: Bypassing EasyAntiCheat integrity checks is a short article on patching the "EasyAntiCheat.sys" driver used by games like Apex Legends but is generally applicable to Windows driver reversing (think AV/EDR). [T1054 Indicator Blocking]
- Ebfuscation: Abusing system errors for binary obfuscation uses intentional errors and calls to get_last_error() to obfuscate strings in a binary. This technique flattens the call graph and can even cause errors in some disassemblers. A PoC tool is available here and the technique is reminiscent of the movfuscator. [T1066 Indicator Removal from Tools]
Tools and Exploits
- Ghost-In-The-Logs is a tool that leverages a kernel driver to disable Event Tracing for Windows (ETW). This can enable or disable all logging, so use it sparingly! [T1054 Indicator Blocking]
- GhostBuild is a collection of simple MSBuild launchers for various GhostPack/.NET projects. [T1500 Compile After Delivery]
- nessus-database-export is a script to export Nessus results to a relational database for use in reports, analysis, or whatever else. This can be used to find a specific vulnerability across many scans, searching for text across all scans, seeing stats across date ranges, or as the backend for a custom web app.
- Slingshot C2 Matrix Edition is a virtual machine from the makers of the C2 matrix that comes with many C2 frameworks preinstalled. A SANS login is required for download. [TA0011 Command and Control]
- Gunslinger is a hunting tool that is based around URLScan's Search API. Gunslinger can crawl URLScan for JavaScript files that match a set of user-defined rules and reports the information back to Slack. Of note, the URLScan API is free and this tool may be useful for continuous monitoring of your web properties to alert of javascript or other changes.
- frankenstein provides a virtual environment to fuzz wireless firmwares using the CYW20735 Bluetooth evaluation board. This is a cool tool to explore Bluetooth firmware bugs.
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- 18 GitLab features are moving to open source. GitLab might be feeling the pressure from GitHub as they make their free offering even better with the following features that used to be paid-only: Related issues, Export issues, Issue board focus mode, Service desk, Web Terminal for Web IDE, File syncing to the web terminal, Design Management, Package Managers, Canary deployments, Incremental rollout, Feature flags, Deploy boards, Support for multiple Kubernetes clusters, and Network policies for container network security.
- Project Send is a free, open source software that lets you share files with your clients, focused on ease of use and privacy. It supports clients groups, system users roles, statistics, multiple languages, detailed logs, and much more! Docker container here.
This post is cross-posted on SIXGEN's blog.