Last Week in Security (LWiS) - 2020-04-20

A new hardware hacking device from @zhovner, building an adversary simulation lab with @_xpn_, an ADIDNS tunneling technique from @elad_shamir, LLVM obfuscation by @polarply, and tons of new tools!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-04-13 to 2020-04-20. MITRE ATT&CK techniques are in brackets where appropriate.

News

  • GitHub is now free for teams - private repositories with unlimited collaborators are now available to all GitHub accounts and the price of the paid plan drops to $4 per user per month. Microsoft is shoveling cash into the GitHub furnace to ensure dominance. To what end remains to be seen, but in the short term users benefit.
  • Riot Games offers $100,000 for kernel exploit in anti-cheat. Riot Games (developers of League of Legends) is offering a lot of money if anyone is able to execute code in the Windows kernel via their new "Vanguard" anti-cheat driver. HackerOne doesn't list a bounty if you can show "Vanguard" is being used as a backdoor; Riot Games is wholly owned by Chinese conglomerate holding company Tencent.
  • tfp0 bug and exploit teased for iOS 13.4.1 on A13. Big if true, this screenshot shows uname -a output for the latest iOS on the latest iPhone processor which means Qihoo 360 likely has a powerful iOS 0day on their hands.
  • AiR-ViBeR: Exfiltrating Data from Air-Gapped Computers via Covert Surface ViBrAtIoNs shows that there is yet another way to slowly leak information out of air-gapped networks, this time via vibrations caused by the variations of case fans and detected with an off-the-shelf cell phone on the same table. Demo video here. [TA0009 Collection]
  • Binary Ninja adds a decompiler. Hot on the heels of the Hex-Rays IDA Home announcement, Binary Ninja adds a decompiler to their free cloud offering (graph view only) and offline disassemblers (graph view and linear). Keep up the great work Vector 35!
  • Buyer beware—that 2TB-6TB “NAS” drive you’ve been eyeing might be SMR brings to light a rumor that has been gaining credibility. Despite being marketed as "NAS" drives, nearly all 2TB-6TB drives (yes - even WD Reds) are Shingled Magnetic Recording (SMR) drives. This has a huge impact on write speed, and this technology was previously reserved for "archive" or "backup" drives. Seagate has confirmed that none of its IronWolf or IronWolf Pro drives use SMR, but is as cagey as the other major manufacturers about all other drives. This recent bout of shady practices is in the shadow of likely price fixing by the three major drive manufacturers since the Thailand flood of 2011. High capacity SSDs cannot come fast enough.
  • Flipper Zero hardware hacking tool announced. This is a really cool looking piece of kit that, if they can deliver, will be an essential for every hacker's go-bag. It claims to have the capability to do everything from being a 433/868 MHz transceiver, 125 kHz RFID cloner, infrared transceiver, Bad USB, and iButton cloner, to having compatibility with the Arduino IDE. Big promises, but I will be in line as soon as the Kickstarter opens in May.

Techniques

  • Methodology for Static Reverse Engineering of Windows Kernel Drivers takes the reader through the process of identifying drivers on targets, setting up a Ghidra environment to work with Windows drivers (setting up the symbols needed for analyzing drivers), finding the driver entry, and reversing functions. n4r1b's blog has even more Windows driver reversing.
  • DNS Peer-to-Peer Command and Control with ADIDNS is a method of using Active Directory-Integrated DNS Zones (ADIDNS) records in restrictive corporate networks to bypass locked-down outbound firewalls. Adding an ADIDNS entry (available to any authenticated domain user), tunneling with a helper C# tool, and a little socat allows a Cobalt Strike beacon to relay through another Cobalt Strike beacon via DNS. [T1048 Exfiltration Over Alternative Protocol]
  • Kerberos Delegation - Hackndo is back with another great article on Active Directory, this time focusing on the different types of kerberos delegation.
  • Designing The Adversary Simulation Lab by Adam Chester is a deep dive into the tools and technologies MDSec chose to build a deployable lab for their adversary emulation course and contains some insights on desired state configuration, Terraform, and the intricacies of AWS. Adam even provides a demo lab!
  • Build your first LLVM Obfuscator. Ever wanted to venture into the depths of the LLVM compiler's intermediate representation to obfuscate a binary without changing the source code? This article introduces LLVM and walks through a string obfuscator. This technique could be expanded and used on open source red team tools as part of an AV/EDR bypass. [T1027 Obfuscated Files or Information]

Tools and Exploits

  • BlockBlock 1.0 Beta is an open source rewrite of the persistence monitor for macOS that uses the Endpoint Security Framework. If you are using the 0.9.x BlockBlock, you will have to manually uninstall and install this version. [TA0003 Persistence]
  • pwndrop is a self-deployable file hosting service for red teamers from the maker of evilginx2, allowing them to easily upload and share payloads over HTTP and WebDAV. The UI is beautiful and the feature road map looks good. Read more on his blog. [T1192 Spearphishing Link]
  • burp-exporter is a Burp Suite extension that copies a request to the clipboard as a function in any of several programming languages.
  • xioc extracts indicators of compromise from text, including "escaped" ones like hxxp://banana.com, 1.1.1[.]1 and phish at malicious dot com. This is a useful tool for automating "threat intelligence" pipelines.
  • remove-zoom-macos - Zoom's recent security woes have you thinking twice about that app install? This script removes everything Zoom put on your Mac, even the things the official uninstaller leaves behind.
  • Jamf-Attack-Toolkit is a suite of tools to facilitate attacks against the Jamf macOS management platform. Check out the accompanying blog post and slides. [T1133 External Remote Services]
  • meshmembers is a tool to organize a mesh network of redirectors and allow the state of the network to be actively maintained by each node. [T1188 Multi-hop Proxy]
  • vmware_vcenter_cve_2020_3952 is an exploit for last week's CVE-2020-3952 in vCenter 6.7 that allows an unauthenticated attacker to add themselves as an Administrator to a vCenter if it was upgraded from 6.5 or earlier to 6.7 (fresh installs not affected). [T1190 Exploit Public-Facing Application]
  • ROADtools is an Azure AD exploration framework (Rogue Office 365 and Azure (active) Directory tools). It currently contains a great recon tool with an Angular UI for exploring an Azure AD. Blog and stream here.
  • SweetPotato is a rewrite of JuicyPotato (Local Service to SYSTEM privilege escalation from Windows 7 to Windows 10 / Server 2019) that is now compatible with execute-assembly and adds some extras. [T1068 Exploitation for Privilege Escalation]
  • quicksql is a simple MSSQL query tool that allows you to connect to MSSQL databases and does not require administrative level rights to use.
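The xioc entry above is the one item in this list that describes a concrete parsing problem: pulling indicators out of prose that has been "defanged" (hxxp://, 1.1.1[.]1, "phish at malicious dot com"). The following is an added example written for this post, not the xioc project's code, showing how such an extractor is built and one pitfall it has to handle: the spelled-out " at " form collides with ordinary English ("hosted at evil[.]example[.]org"), so it is only accepted alongside a spelled-out " dot ". The regex patterns, the small TLD allow-list and the sample text are all constructed for the example.

```python
"""Refanging IoC extractor (added example, not the xioc project's code).

Handles the "escaped" forms the entry mentions: hxxp:// URLs, bracketed dots
such as 1.1.1[.]1, and spelled-out addresses such as "phish at malicious dot com".
Patterns, TLD allow-list and sample text are constructed for this example.
"""
import re
from typing import Dict, List

LABEL = r"[A-Za-z0-9-]+"
DOT = r"(?:\.|\[\.\]|\(\.\))"                 # a real or bracket-defanged dot
TLD = r"(?:com|net|org|io|ru|info)"           # small constructed allow-list
LOCAL = r"[A-Za-z0-9._%+-]+"

# Ordered most-specific first; each kind is blanked out before the next runs,
# so the host inside a URL is not also reported as a bare domain.
PATTERNS = [
    ("url", re.compile(r"\b(?:hxxp|http)s?(?::|\[:\])//[^\s<>'\"]+", re.I)),
    # Spelled-out " at " is only accepted together with spelled-out " dot ":
    # otherwise "hosted at evil[.]example[.]org" would become a bogus e-mail.
    ("email", re.compile(
        rf"\b{LOCAL}(?:@|\[at\]|\(at\)){LABEL}(?:{DOT}{LABEL})+"
        rf"|\b{LOCAL}\s+at\s+{LABEL}(?:\s+dot\s+{LABEL})+", re.I)),
    ("ipv4", re.compile(rf"\b(?:\d{{1,3}}{DOT}){{3}}\d{{1,3}}\b")),
    ("domain", re.compile(rf"\b(?:{LABEL}{DOT})+{TLD}\b", re.I)),
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its canonical form."""
    s = re.sub(r"\[\.\]|\(\.\)|\s+dot\s+", ".", ioc, flags=re.I)
    s = re.sub(r"\[at\]|\(at\)|\s+at\s+", "@", s, flags=re.I)
    s = re.sub(r"^hxxp", "http", s, flags=re.I)
    return s.replace("[:]", ":")


def valid_ipv4(addr: str) -> bool:
    """Reject four-octet strings with an octet above 255 (e.g. a typo)."""
    octets = addr.split(".")
    return len(octets) == 4 and all(o.isdigit() and int(o) <= 255 for o in octets)


def extract_iocs(text: str) -> Dict[str, List[str]]:
    """Return refanged, de-duplicated indicators grouped by kind."""
    found: Dict[str, List[str]] = {}
    work = text
    for kind, pattern in PATTERNS:
        hits = []
        for m in pattern.finditer(work):
            raw = m.group(0).rstrip(".,;:")      # drop trailing sentence punctuation
            ioc = refang(raw)
            if kind != "url":                    # keep URL paths case-sensitive
                ioc = ioc.lower()
            if kind == "ipv4" and not valid_ipv4(ioc):
                continue
            hits.append(ioc)
        found[kind] = list(dict.fromkeys(hits))  # de-duplicate, keep order
        # blank the matches so later, looser patterns do not re-match them
        work = pattern.sub(lambda m: " " * len(m.group(0)), work)
    return found


# Constructed sample text, not from any real report.
SAMPLE = """Campaign notes (constructed sample): the lure linked to
hxxp://banana.com/login.php, callbacks went to 1.1.1[.]1 and 203.0.113(.)7
on port 443, and the sender was phish at malicious dot com. A second stage
was hosted at evil[.]example[.]org (the earlier report's 999.1.1.1 was a typo)."""

if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE).items():
        print(f"{kind:7s} {values}")
```

Running the script on the sample yields one URL, one e-mail, two valid IPv4 addresses (the 999.x typo is discarded by the octet check) and one bare domain; "hosted at evil[.]example[.]org" is correctly reported as a domain rather than an e-mail address. In a real pipeline the TLD allow-list would be replaced by the public suffix list, and the extractor would run before any enrichment step so that defanged and plain forms of the same indicator collapse to one record.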

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • OffensiveCSharp is a great collection of offensive C# tooling that can be used post-exploitation on Windows targets. Check the readme for a description of each tool.
  • Brim is a desktop application to efficiently search large packet captures and Zeek logs. It loads pcaps much faster than Wireshark but allows detailed analysis of flows in Wireshark with a single click.
  • qrpc allows you to transfer files over wifi from your computer to your mobile device by scanning a QR code without leaving the terminal. It's bi-directional and can receive files from a phone with a handy web uploader.

This post is cross-posted on SIXGEN's blog.