Last Week in Security (LWiS) - 2020-05-04

Wormable account takeover via GIF in MS Teams by @CyberArk, asynchronous password spraying in C# by @ustayready, NTLM relay improvements from @SecureAuth, Chrome extension hacking and defense by @IAmMandatory, and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-04-27 to 2020-05-04. MITRE ATT&CK techniques are in brackets where appropriate.


  • iOS Sandbox escape "Psychic Paper" 0day released. It turns out having 4 custom XML parsers leads to trivial sandbox escape. The patch ironically adds two additional parsers. I would hope Apple is screening App Store apps to prevent this from being abused.
  • Beware of the GIF: Account Takeover Vulnerability in Microsoft Teams. Subdomain takeover combined with the way Teams includes GIFs allowed the Cyberark team to exfiltrate user's json web tokens which allows them to scrape messages if a user views their GIF. This is extra powerful because the JWT also allows the attacker to impersonate the victim and send the GIF to all contacts, essentially making this vulnerability wormable. [T1193 Spearphishing Attachment]
  • FCC Scrutinizes Four Chinese Government-Controlled Telecom Entities. The FFC issues show cause orders to China Telecom Americas, China Unicom Americas, Pacific Networks, and ComNet demanding explanation of why the FCC should not initiate proceedings to revoke their authorizations. These Telecoms have 30 days to prove their operations and subsidiaries are "not subject to the influence and control of the Chinese government."
  • #OBTS v3.0 Talks & Photos All the slides from the macOS security conference "Objective by the Sea" have been posted.
  • Other "Weeks"
  • Sysmon v11 Released and includes file delete monitoring and archive to help responders capture attacker tools and adds an option to disable reverse DNS lookup. This will be huge for defenders allowing them to easily get samples of malware that only exists on disk for a short period of time.


Tools and Exploits

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • ParamSpider helps discover http parameters by mining parameters from the dark corners of Web Archives.
  • wxHexEditor is a great cross platform free and open source hex editor.
  • DbgShell is a PowerShell front-end for the Windows debugger engine.
  • ysoserial fork is a fork of the official great ysoserial project with some improvements added to create payloads for the Burp Suite plugin Java Deserialization Scanner and more generally to speed-up and improve the detection and the exploitation of Java serialization issues with ysoserial.

This post is cross-posted on SIXGEN's blog.