May 25 2020 Last Week in Security (LWiS) - 2020-05-25

News

• Privacy News

  • Why is This Website Port Scanning me? Websockets are being used for "anti-fraud" scans of website user's local machines. The theory is that if a user is running a VNC or other remove desktop server, they may be part of a botnet/click farm operation I suppose. If you are a developer this could be especially dangerous. In Firefox, setting network.websocket.max-connections to 0 will disable websockets, but lots of modern web applications rely on them.
  • Abusing WebRTC to Reveal Coarse Location Data in Signal abused WebRTC on both iOS and Android in order to reveal the user's ENDS client subnet, which could reveal a rough location (~400 mile radius). The bug has been patched in the latest version of Signal.

• macOS 10.15 Catalina notarization news

  • Catalina is checking notarization of unsigned executables started the firestorm, bringing to light that macOS sends the hash of every executable not whitelisted in System Preferences as a "Developer Tool" to Apple.
  • How my application ran away and called home from Redmond is an example of arguably more invasive behavior on Windows. Additionally, "SmartScreen" also profiles and reports "usual" executions to Microsoft.
  • This effectively gives Apple a list of binaries being run by every user, without a way to disable it (besides going fully offline).
  • Inside the NSA’s Secret Tool for Mapping Your Social Network shows the power of massive metadata collection, and its ability for misuse. Perhaps tomorrow Apple receives a request for all users that have run the Tor browser in your country.
  • A happy medium would be to push a bloom filter of known hashes to end users and perform local lookups, only sending hashes that don't hit the bloom filter to Apple for further analysis. This is what Google Chrome does for phishing site lookups (until Enhanced Safe Browsing Protection is enabled). Users should also be given the ability to opt out of such features.

• New DNS Vulnerability Lets Attackers Launch Large-Scale DDoS Attacks With up to 1000x traffic amplification, this will likely see exploitation soon. If you are responsible for DNS severs, patch them quickly.
• GitLab 13.0 released with many new changes. The biggest for most users will likely be the new "Deploy to Amazon ECS" that makes AWS a first class citizen for deployments and monitoring on par with previously supported Google Cloud.
• Enhanced Safe Browsing Protection now available in Chrome will check uncommon URLs in real time. Phishing against Chrome users just got harder.
• Jailbreak for iOS 11.0-13.5 for all iOS devices released. After a few tough iOS releases, the jailbreaking scene is back in full force. First checkra1n, and now a fast, reliable jailbreak for every iOS device on the latest, signed version. Hats off to the hackers that have kept pushing Apple despite new security additions to iOS (i.e. Pointer Authentication). Why release this 0day now? Perhaps the iOS 14 leak gave the jailbreak developers enough insight to see that it was patched. Add build.frida.re to your cydia repo list and start hacking those iOS apps! [T1068 Exploitation for Privilege Escalation]

Techniques

• Distrusting the patch: a run through my first LPE 0-day, from command injection to path traversal. Great writeup from @matteomalvica showing the powerful technique of patch diffing to determine if patches address the root issues or only stop one known variant. [T1068 Exploitation for Privilege Escalation]
• Windows 10 quietly got a built-in network sniffer. The Windows 10 October 2018 Update included pktmon.exe. In the 10 May (build 2004) update, it includes live packet output and the ability to convert to pcapng format. If that isn't available, Microsoft's Windows Network Monitor can be used to view the ETL file that is generated. It's disappointing but not unexpected for Microsoft to use their own syntax for filters instead of the industry standard BPF.
• Ragnar Locker ransomware deploys virtual machine to dodge security. To avoid endpoint protection, Ragnar ships a copy of Sun xVM VirtualBox from 2009 and a stripped-down version of the Windows XP SP3 (MicroXP v0.82). This virtual machine is booted and all local disks, connected removable drives, and mapped network drives on the physical machine are mapped into the VM where the actual Ragnar ransomware runs and encrypts the files. As someone who glues tools together to achieve operational objectives, I have to respect the creative problem solving demonstrated here. [T1066 Indicator Removal from Tools]
• How to use Trend Micro's Rootkit Remover to Install a Rootkit. So much goes wrong with Trend Micro's Rootkit Remover its worth reading the full article. The VW "Dieselgate"-style hack the driver uses to pass Microsoft's checks is especially egregious. Add this to your toolkit as a signed kernel driver that allows for arbitrary shellcode execution.

Tools and Exploits

• ligolo is a simple and lightweight tool for establishing SOCKS5 or TCP tunnels from a reverse connection using TLS certificate with elliptical curve cryptography. Think of it as Meterpreter with Autoroute + Socks4a, but more stable and faster. This can be used stand-alone or incorporated into an in-house Go tool. [TA0008 Lateral Movement]
• njsscan is a semantic aware SAST tool that can find insecure code patterns in your Node.js applications.
• axiom is a set of utilities for managing a small dynamic infrastructure setup for bug bounty and pentesting. If you are a Digital Ocean user and want an easy way to spin up red teaming or bug bounty infrastructure, this may be the tool for you.
• Cisco AnyConnect < 4.8.02042 privilege escalation through path traversal. It wouldn't be last week in security without a Windows local privilege escalation. This standalone C# exploit uses DLL hijacking with vpndownloader.exe, the update binary for Cisco AnyConnect. I suspect this particular exploit will be useful for many months as enterprises are slow to update their VPN clients. [T1068 Exploitation for Privilege Escalation]
• WerTrigger is a powerful new primitive to weaponize file write exploits. Prior to Windows 10 1909 there was the DiagHub DLL loading primitive, but since then we have only had UsoDllLoader. Now there is another option, and when the next file write exploit is found that allows unprivileged users to write files to C:WindowsSystem32, WerTrigger will be there to pop the SYSTEM shell. [T1068 Exploitation for Privilege Escalation]
• XLMMacroDeobfuscator can be used to decode obfuscated XLM macros (also known as Excel 4.0 macros). It utilizes an internal XLM emulator to interpret the macros, without fully running the code. [T1066 Indicator Removal from Tools]
• shotlooter is a recon tool that finds sensitive data inside the screenshots uploaded to prnt.sc.
• petaqc2 is a .NET Core/Framework RAT that uses websockets as Command & Control (C2) channels. It's designed to provide a Proof of Concept (PoC) websocket malware to the adversary simulation exercises (Red & Purple Team exercises).
• quickreg is an experimental search engine for developers. It searches a curated subset of the web: official docs and community-driven sources. No JS, cookies, tracking, external requests or data collecting.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• guardedbox Online client-side manager for secure storage and secrets sharing. This could be useful for sharing scope lists, reports, or other sensitive information with clients that don't use PGP or are unable to use your encrypted email solution.
• jaeles is a powerful, flexible, and easily extensible framework written in Go for building your own Web Application Scanner.
• maddy is a composable all-in-one mail server. If you have ever spent half a day setting up a phishing mail server by hand, the short setup docs for maddy should get you excited. Two commands (and DNS setup) and you have DKIM, SPF, DMARC, MTA-STS, DANE, and STARTTLS Everywhere.

This post is cross-posted on SIXGEN's blog.