Jun 16 2020 Last Week in Security (LWiS) - 2020-06-15

A new tunneling tool from @shantanukhande, new rootkit tradecraft and kernel mode payload from @zerosum0x0, XSS via copy and paste by @securitum_com, @ZecOps drops a Windows 10 unauth RCE, and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-06-08 to 2020-06-15. MITRE ATT&CK techniques are in brackets where appropriate.

News

WHID is a GSM-enabled WiFi HID injector that is now available on AliExpress for just $37.90.
SMBleedingGhost Writeup: Chaining SMBleed (CVE-2020-1206) with SMBGhost affects Windows 10 1903 and 1909 (1909 until KB4560960 from 2020-06-09, 1903 after KB4512941 from 2019-08-30, and before KB4560960). It's a critical vulnerability (unauthenticated remote code execution), but the impact is limited to a subset of Windows versions.
SMTP Injection in Gsuite allowed Zohar Shachar to spoof email from any @google.com address. This is a great find, and proof that there is still Bug Bounty gold even in the most popular applications.
Cybereason’s Newest Honeypot Shows How Multistage Ransomware Attacks Should Have Critical Infrastructure Providers on High Alert. This is the second time this honey pot has been written about, but this time the attackers appear to be much more sophisticated. The attackers deployed ransomware early, but waited until the compromised as many systems as possible before detonating it for maximum effect. Would your environment have caught them early enough to prevent disaster?
Microsoft Patch Tuesday, June 2020 Edition. Krebs is always my go-to source for the Patch Tuesday round up.

Techniques

Red Team: Using SharpChisel to exfil internal network. Building off his post last week on wrapping Go in C#, @shantanukhande shows how to use Chisel to tunnel out of a network using websockets hosted by CloudFlare. This one is sure to give network defenders a hard time.
"Heresy's Gate": Kernel Zw*/NTDLL Scraping + "Work Out": Ring 0 to Ring 3 via Worker Factories. Not a vulnerability, but rather rootkit tradecraft to execute private syscalls and a new kernel mode exploit payload.
AirDrop Forensics is a good dive into AirDrop, where to find AirDrop artifacts on macOS systems, how to analyze them, as well as how Bluetooth makes it possible for anyone nearby to guess your email & phone number.
The Curious Case of Copy & Paste – on risks of pasting arbitrary content in browsers. This writeup is a summary of research on issues in handling copying and pasting in: browsers, popular WYSIWYG editors, and websites which can lead to cross site scripting. Perhaps a new watering hole vector?
Effectiveness of Linux Rootkit Detection Tools is a masters thesis that tests common rootkit detection capabilities against various kernel mode and user mode rootkits. If nothing else it provides a single source of build steps for popular open source linux rootkits.
PE Parsing and Defeating AV/EDR API Hooks in C++ This post is a look at defeating AV/EDR-created API hooks with code available here.

Tools and Exploits

penglab - Abuse of Google Colab for fun and profit. Google Colab is a free cloud service based on Jupyter Notebooks for machine-learning education and research. It provides a runtime fully configured for deep learning and free-of-charge access to a robust GPU. I'm surprised it took this long to get abused.
Windows Local Privilege Escalation [T1068 Exploitation for Privilege Escalation]
- Windows: Insecure CSharedStream Object EoP The great @tiraniddo develops his 8 month old "Won't Fix" Windows local privilege escalation bug into a full blown normal user to SYSTEM PoC. Expect to see this weaponized and in use in by next week and have a long shelf life.
- VirtToPhys is a small PoC to demonstrate how you can calculate the physical address for a kernel virtual address when exploiting driver bugs that allow you to map physical memory. VirtToPhys uses MsIo.sys, a WHQL signed driver that gives you colorful lights on your RAM (yes, seriously), CVE-2019-18845.
- SuRestore.cpp - If you find yourself in the Backup Operators group, this little gem based on older research may be able to get you a SYSTEM shell.
- spoolsystem is a CNA script for Cobalt Strike which uses @itm4n Print Spooler named pipe impersonation trick (LWiS 2020-05-18) to gain SYSTEM privileges without creating any new process or relying on cross-process shellcode injection (if the selfinject method is used).
libimobiledevice is a collection of projects that allow for cross-platform protocol library to access iOS devices. This is the first release after a three year hiatus, and sees the release of two new tools, libirecovery and idevicerestore.
SearchOutlook is a C# tool to search through a running instance of Outlook for keywords.
choose is a human-friendly and fast alternative to cut and (sometimes) awk. This may prove useful for cleaner pipelines for automated reconnaissance, etc.
SharpBlock is a method of bypassing EDR's active projection DLL's by preventing entry point execution. Blog post here.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

UtahFS is an encrypted storage system that provides a user-friendly FUSE drive backed by cloud storage in Go by CloudFlare. Use this to store things securely in the cloud - think DropBox but encrypted locally before upload.
Atlas is an open source tool that can suggest sqlmap tampers to bypass WAF/IDS/IPS. The tool is based on returned status code.
urlcrazy generates and tests domain typos and variations to detect and perform typo squatting, URL hijacking, phishing, and corporate espionage.
PowerSharpPack is many useful offensive CSharp Projects wrapped into Powershell for easy usage.
revp is a C++ reverse HTTP proxy that works on Linux, Windows, and macOS.

This post is cross-posted on SIXGEN's blog.