Last Week in Security (LWiS) - 2020-06-22
Bypassing CSP with Google Analytics by @amirshaked, @itm4n drops yet another Windows LPE, @OptivSourceZero/@Tyl0us advance the state of the art in Windows domain password spraying, and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-06-15 to 2020-06-22. MITRE ATT&CK techniques are in brackets where appropriate.
News
- CobaltStrike: Beacon Object Files - CobaltStrike continues to deliver advanced adversary emulation capabilities. This update brings the ability for a beacon to run compiled code in its own context, with beacon itself taking care of linking and loading the object file. This provides massive OPSEC advantages over forking a new process, but does come with a few downsides - crashing your shiny new BOF crashes your beacon. I expect lots of new techniques to come out with BOF implementations in the future to frustrate AV/EDR. Demo here.
- Advisory 2020-008: Copy-paste compromises - tactics, techniques and procedures used to target multiple Australian networks. The Australian Government has officially stated that a "sophisticated state-based actor" is targeting the Australian government and Australian companies. While they don't name a country, it doesn't take an expert in foreign policy to pick China as the overwhelming favorite for this attack.
- Dark Basin Uncovering a Massive Hack-For-Hire Operation. Citizenlab exposes BellTroX, an Indian hack-for-hire firm, due to their shockingly bad OPSEC. Using your own real CV to test a URL shortener?! The reader is left to wonder how many similar operations are taking place, but with better OPSEC. Want to know more? The great Risky Business has a feature podcast all about it.
- FBI used Instagram, an Etsy review, and LinkedIn to identify a protestor accused of arson. Another OPSEC fail; if Bellingcat can do good OSINT, law enforcement can too. Wearing a shirt you can only get from an Etsy seller means your address is one subpoena away. Looks like the alleged arsonist didn't read OPSEC for Activists: #5 - Choose your clothing carefully.
- Apple plays Godfather in Mafia-esque shakedown of developers. This is the same battle Spotify has been fighting. It boils down to Apple demanding 30% of signup fees for signups in an app on iOS. That is perhaps at the edge of reasonable, but now they are removing apps that have signups outside the app but have no ability to sign up in app (think Netflix, Spotify, etc). This policy is inconsistently enforced, and targeting a very vocal David Heinemeier Hansson is a mistake. Apple then sent out this message to developers before WWDC! First the Coreillium debacle and now this? Who is making these calls at Apple?
- Hacking Starbucks and Accessing Nearly 100 Million Customer Records. A proxy between the Starbucks frontend and backend allowed researches to access a Microsoft Graph instance with nearly 100 million customer records. They reported the issue as soon as they verified they could access the base records, but there were lots of interesting endpoints that didn't get explored and would likely have been even more damaging. The $4,000 bounty for this seems extremely low.
- Flatpak - a security nightmare. App distribution on Linux isn't great, and Flatpak from RedHat tried to solve that. Sadly, it looks as though they have some significant work to do on the security front.
- 19 Zero-Day Vulnerabilities Amplified by the Supply Chain. The so-called "Ripple 20" vulnerabilities effect the TCP/IP library by Treck, Inc. Never heard of Treck's TCP/IP library? I hadn't either, but it's in everything from the UPS in your server rack, your printer, and the infusion pump in your operating room. Remote code execution with a malformed IPv4 packet is about as bad as a vulnerability gets, but the really scary vulnerability is the RCE from a nearly RFC compliant DNS response. State backed attackers or others with the ability to do DNS cache poisoning are going to be very excited by this. Expect to see these vulnerabilities in network attached UPSs and other IoT devices on assessments for the next decade. @SwitHak has put together a list of vulnerable vendors/devices as well as network detection rules: BlueTeam CheatSheet.
Techniques
- Exfiltrating User’s Private Data Using Google Analytics to Bypass CSP. Think your strict content security policy will save you from a compromised 3rd party (a la magecart)? @amirshaked shows how the almost certainly whitelisted Google Analytics can be used to exfiltrate arbitrary data from pages (credit card details, etc).
- Detecting PoshC2 – Indicators of Compromise. The authors of PoshC2 have published IOCs for the default setup of PoshC2 that should help defenders catch lazy adversaries.
- Just another Recon Guide for Pentesters and Bug Bounty Hunters. This is a fairly complete breakdown of the recon process for bug bounties or black-box web assessments.
- Using Frida For Windows Reverse Engineering. DarunGrim adds Windows symbol lookup to Frida 12.9.8 which allows for better Windows hooking and debugging.
- Exploring search connectors and library files in Windows. Sheds some light on little known files used by Windows, .searchConnector-ms and .library-ms. These XML files could be leveraged in a phishing campaign to get a user to open a WebDAV location or post-compromise to change where users save files.
- Abusing Windows Telemetry for Persistence. Once you get local admin on a modern Windows machine (7/2008R2 or newer), the telemetry feature can provide persistence without being visible in Autoruns (the go-to persistence finder for Windows). Under the hood it leverages the Telemetry Scheduled Task and will run your payload once every ~24 hours. [T1053.005 Scheduled Task]
- macOS Post Summary. Technically no new content, but this collection of macOS resources is a great start to any red or blue teamer looking to understand the strange BSD-based world of macOS. As more startups and businesses move to macOS, red and blue teams will be expected to keep up.
- Sysmon Image File Name Evasion. Due to the way Sysmon checks file names (image names) by pulling from the EPROCESS struct, an executable can spawn a process and modify its EPROCESS block to appear to be a legitimate Windows binary. This can be useful for evading sysmon rules that whitelist processes like C:\Windows\system32\smss.exe. [T1027.005 Indicator Removal from Tools]
- Hardcoded secrets, unverified tokens, and other common JWT mistakes. Next time you come across a JSON Web Token during an engagement, be sure to check this site to see if there are any easy wins.
Tools and Exploits
- Digging Your Talons In – New Take On Password Guessing. The researches at Optiv spent some time seriously considering how to do password guessing right, and boy did they develop quite a tool. Talon takes password guessing attacks to a new level with tricks like not sending an encryption type with a TGT request to kerberos which allows username enumeration without any failed logons (i.e. won't lock accounts). It also intelligently detects account lockouts over both kerberos and LDAP, and will rotate attempts between different domain controllers if multiple are present. Best of all, both the Kerberos TGT request and LDAP BIND auth request are not logged by default. Spray away! [T1078.002 Valid Accounts: Domain Accounts]
- Composr CMS Remote Code Execution. This post shows the process of finding and exploiting a PHP unserialize function to achieve unauthenticated remote code execution. [T1190 Exploit Public-Facing Application]
- USBSamurai — A Remotely Controlled Malicious USB HID Injecting Cable for less than 10$. If the O.MG cable is out of your price range, this might be more your style. All in this cable and the wireless dongle is less than $25 as long as you are willing to solder it up yourself. [T1200 Hardware Additions]
- OutlookSend is a C# tool to send emails through Outlook from the command line or in memory. Designed to be used through execute-assembly in your favorite C2 Framework (i.e. CobaltStrike). Use this in companion with last week's SearchOutlook.
- Evasor is an automated security assessment tool which locates existing executables on the Windows operating system that can be used to bypass any Application Control rules. Cyberark has a great writeup with demo on their blog. This is going to automate a lot of work on your next assessment with AppLocker; it even takes screenshots and generates a report! Cyberark neutered the tool a bit by not including the DLLs or other files used to pop shells, but I'm sure the community will fork and update the project soon. Blue teams using AppLocker should use this for self-assessment, and determine how to detect bypasses using other tools. [Thanks to @StevoLowson for the tip!]
- ADSearch is a tool written for cobalt-strike's execute-assembly command that allows for more efficient querying of AD. [T1087.002 Account Discovery: Domain Account]
- CVE-2020-1170 - Microsoft Windows Defender Elevation of Privilege Vulnerability. At this point @itm4n has made it into the hall of fame of Windows exploiters. This week sees yet another local elevation of privilege vulnerability, using Windows Defender's log rotation mechanism to delete an arbitrary directory. From directory deletion to SYSTEM shell gets you the rest of the way. By setting the defender update source to the local machine, the log can be filled in ~40 minutes. This post is very thorough and walks through the entire process of finding the vulnerability - top notch reporting.
- avcleaner is a C/C++ source obfuscator for antivirus bypass. The researchers at SCRT really got into the weeds of clang/LLVM with this tool and came out with a FUD meterpreter. The blog post is very much worth a read.
This post is cross-posted on SIXGEN's blog.