Last Week in Security (LWiS) - 2020-06-01

A new HTTP tool from @pdiscoveryio, @TheXC3LL writes about a novel process injection technique for Windows, a new way to hide data in the registry by @Jackson_T, @CurtBraz shows off a trick for keeping phishing sites alive for longer, and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-05-25 to 2020-06-01. MITRE ATT&CK techniques are in brackets where appropriate.

News

  • Israeli cyber chief: Major attack on water systems thwarted. A cyber attack was reportedly detected and thwarted in real time and had it not be chlorine or other chemicals could have been mixed into the water source in the wrong proportions and resulted in a “harmful and disastrous” outcome. Israel's national cyber chief said, “Cyber winter is coming and coming even faster than I suspected. We are just seeing the beginning.”
  • Return of the iOS sandbox escape: lightspeed's back in the race!! Synacktiv describes the old-but-new XNU bug that was re-introduced in iOS 13 and was the basis for last week's iOS 0day based jailbreak. [T1068 Exploitation for Privilege Escalation]
  • Zero-day in Sign in with Apple Speaking of Apple's mistakes, this one is quite bad. When requesting a JSON web token during the "Sign in with Apple" process, swapping the email for another user would return a valid JWT that can authenticate to the 3rd party service. This is the equivalent to editing a cookie from "user" to "admin" and getting the admin page. How this got through internal testing and into production is beyond me. [T1078 Valid Accounts]
  • LadderLeak: Breaking ECDSA With Less Than One Bit Of Nonce Leakage describes how a novel side-channel vulnerability can lead to leaking the most significant bit of the nonce and eventually breaking ECDSA, including NIST curves like P-192 (P-256 is vulnerable in theory). Curve25519 contains a countermeasure against this attack, but, "its exact efficacy against side-channel attacks in [this] context is not entirely clear."
  • Releasing the CAPTCHA Cracken. Despite the name there is no tool release, but F-Secure Labs shows off its ability to automate the CAPTCHA in use with the Office 265 Outlook Web Application, allowing its red team to attempt password stuffing. If you solely rely on CAPTCHA to stop bots/automated tools, it's time to rethink your strategy. Demo here.

Techniques

Tools and Exploits

  • httpx is a fast and multi-purpose HTTP toolkit allow to run multiple probers using retryablehttp library, it is designed to maintain the result reliability with increased threads.
  • Seatbelt, while technically not a new tool got a huge rewrite. Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives. [T1082 System Information Discovery]
  • BruteShark is a Network Forensic Analysis Tool (NFAT) that performs deep processing and inspection of network traffic (mainly PCAP files). It includes: password extracting, building a network map, reconstruct TCP sessions, extract hashes of encrypted passwords and even convert them to a Hashcat format in order to perform an offline Brute Force attack. [T1040 Network Sniffing]
  • angry_gadget - This tool is written in python and uses angr to test constraints for gadgets executing execve('/bin/sh', NULL, NULL). If you've run out gadgets to try from OneGadget, Angry Gadget gives a lot more with complicated constraints to try!
  • ezEmu enables users to test adversary behaviors via various execution techniques. Sort of like an "offensive framework for blue teamers", ezEmu does not have any networking/C2 capabilities and rather focuses on creating local test telemetry. Use this (or atomic-red-team) to test your SEIM, EDR, or SOC response.
  • EXCELntDonut is a XLM (Excel 4.0) macro generator. Start with C# source code (DLL or EXE) and end with a XLM (Excel 4.0) macro that will execute your code in memory. XLM (Excel 4.0) macros can be saved in .XLS files. [T1193 Spearphishing Attachment]
  • sgn Shikata ga nai encoder ported into go with several improvements including 64 bit support, smaller decoder stub, no visible loop condition, decoder stub obfuscation, and safe register option. Build this into your in house packer for better obfuscation. [T1066 Indicator Removal from Tools]
  • Corporate_Masks are 8-14 character Hashcat masks based on analysis of 1.5 million NTLM hashes cracked while pentesting. [T1078 Valid Accounts]
  • AMSITrigger will identify all of the malicious strings in a powershell file, by repeatedly making calls to AMSI using AMSIScanBuffer, line by line. On receiving an AMSI_RESULT_DETECTED response code, the line will then be scrutinised to identify the individual triggers. [T1066 Indicator Removal from Tools]

This post is cross-posted on SIXGEN's blog.