Last Week in Security (LWiS) - 2020-06-29

1,566 hijackable DLLs in Windows 10 from @Wietze, a Bitdefender RCE from visiting a website by @WPalant, CobaltStrike Beacon Object File implementations start dropping (like @ilove2pwn_'s), a Docker Desktop for Windows LPE from @spaceraccoonsec, and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-06-22 to 2020-06-29. MITRE ATT&CK techniques are in brackets where appropriate.

News

  • Cobalt Strike 4.1 – The Mark of Injection. The beacon object files feature teased last week has been released along with improved safe-inject and more tunable SMB and TCP traffic parameters to defeat signature based detections.
  • 2020 Worldwide Developers Conference. Apple announced a lot, but the big news was the 2-year transition of macOS to custom ARM chips. iOS exploit developers just got a whole new target space! The A12X powered Developer Transition Kits (ARM based Mac Mini) have started to arrive, and it's only a matter of time before security researchers get their hands on some.
  • WireGuard Merged Into OpenBSD. Get ready for native in-kernel WireGuard in pfSense and OPNsense firewalls.
  • Moroccan Journalist Targeted With Network Injection Attacks Using NSO Group’s Tools. "Network injection" attacks and rogue cell towers: this thorough report from Amnesty International lays out in detail how NSO Group assisted the Moroccan government in exploiting journalists. The evidence of NSO Group willfully ignoring how its products are used is mounting, and I wouldn't be surprised if they are next up on Phineas Fisher's hit list.

Techniques

Tools and Exploits

  • ChopChop is a CLI for scanning endpoints and identifying exposition of services/files/folders through the webroot. Add this to your tool list for web assessments or bug bounties.
  • Max is a command line tool to interact with the Neo4j database that powers BloodHound. This tool allows easy access to users and groups with lots of good built in filters. It also allows raw Cypher queries against the database for advanced users. [T1087.002 Account Discovery: Domain Account]
  • SharpHungarian is a rough proof of concept that uses comments on a VirusTotal file for command and control. [T1102.002 Web Service: Bidirectional Communication]
  • FileSearcher is an unmanaged assembly file searcher for when a fully interactive beacon session is not opsec safe enough. Find those Passwords.txt or Passwords.xlsx files easily with this tool. [T1005 Data from Local System]
  • Clippi-B is an unmanaged assembly clipboard stealer for use with CobaltStrike or any other unmanaged CLR loader (e.g. shad0w). [T1115 Clipboard Data]
  • pencode is a tool that helps you to create payload encoding chains. It has been designed to be used in automation wherever it is required to apply multiple encodings to a payload (and possibly inserting the payload to a template in between). This will be helpful for web application penetration testers or bug bounties.
  • browsertunnel is a tool for exfiltrating data from the browser using the DNS protocol. It achieves this by abusing dns-prefetch, a feature intended to reduce the perceived latency of websites by doing DNS lookups in the background for specified domains. DNS traffic does not appear in the browser's debugging tools, is not blocked by a page's Content Security Policy (CSP), and is often not inspected by corporate firewalls or proxies, making it an ideal medium for smuggling data in constrained scenarios. [T1071.004 Application Layer Protocol: DNS]
  • CVE-2020-10665 is a proof of concept for Docker Desktop Local Privilege Escalation on Windows. This is the same researcher from last week's Starbucks writeup. Well done! [T1068 Exploitation for Privilege Escalation]
  • CVE-2020-1054 is a proof of concept for a Windows 7 kernel vulnerability that leads to local privilege escalation. Blog post with details here. [T1068 Exploitation for Privilege Escalation]
  • BananaPhone is a pure-go implementation of using direct syscalls in the spirit of HellsGate (LWiS 2020-06-08). [T1027.005 Obfuscated Files or Information: Indicator Removal from Tools]
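The browsertunnel entry above describes exfiltration over dns-prefetch lookups, which the browser's own tooling and CSP never see; the place it does show up is the resolver log. The following is an added detection example, not code from browsertunnel or from this newsletter: it scores query names whose subdomain part looks like encoded data rather than a hostname, then groups bursts of such queries by client and base domain. The log format, thresholds and the hex-chunked sample queries are constructed for the example.

```python
import math
from collections import defaultdict

# Constructed resolver-style query log (timestamp client qname qtype); the three
# queries under tunnel.example.net carry hex-encoded chunks in their subdomains.
SAMPLE_LOG = """\
2020-06-25T10:00:01Z 10.0.0.5 www.example.com A
2020-06-25T10:00:02Z 10.0.0.5 cdn.example.com A
2020-06-25T10:00:03Z 10.0.0.5 4a6f686e20446f65.0.s1.tunnel.example.net A
2020-06-25T10:00:03Z 10.0.0.5 2c2070617373776f.1.s1.tunnel.example.net A
2020-06-25T10:00:04Z 10.0.0.5 72643d6875.2.s1.tunnel.example.net A
2020-06-25T10:00:05Z 10.0.0.5 fonts.gstatic.com A
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score well above ordinary hostnames."""
    if not s:
        return 0.0
    return -sum(c / len(s) * math.log2(c / len(s))
                for c in (s.count(ch) for ch in set(s)))

def is_suspicious(qname: str, long_label=16, min_labels=5, min_entropy=3.0) -> bool:
    """Flag a name whose subdomain part looks like encoded data rather than a hostname.
    The base domain is approximated as the last two labels (no public-suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    sub = labels[:-2]
    payload = "".join(sub)
    shape = any(len(l) >= long_label for l in sub) or len(labels) >= min_labels
    return bool(payload) and shape and shannon_entropy(payload) >= min_entropy

def find_exfil_candidates(log_text: str, min_hits=3) -> dict:
    """Group suspicious queries by (client, base domain); a burst of them from one
    client to one domain is the pattern a prefetch-based tunnel produces."""
    hits = defaultdict(lambda: {"queries": 0, "payload_chars": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crash on them
        _, client, qname, _ = parts[:4]
        if not is_suspicious(qname):
            continue
        labels = qname.rstrip(".").split(".")
        key = (client, ".".join(labels[-2:]))
        hits[key]["queries"] += 1
        hits[key]["payload_chars"] += len("".join(labels[:-2]))
    return {k: v for k, v in hits.items() if v["queries"] >= min_hits}

if __name__ == "__main__":
    for (client, domain), stats in find_exfil_candidates(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: {stats}")
```

Tune `long_label`, `min_labels` and `min_entropy` against your own resolver logs before alerting on this; CDN and cloud hostnames with long random labels are the usual source of false positives.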

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • aviary.sh is a minimal distributed configuration management tool written in bash. Each host periodically fetches the latest version of the inventory to see what roles it should be performing. If you have struggled with Ansible, Chef, Puppet, or Salt in the past, or they were just too much for a simple configuration management job, give aviary.sh a shot. Need slightly more power but don't want to step all the way up to the "major" configuration managers? pyinfra might be what you are looking for.
  • Flatseal is a graphical utility to review and modify basic permissions from your Flatpak applications. If last week's news about Flatpak security got you worried, Flatseal can help audit applications or modify them for malicious redistribution during an assessment.

This post is cross-posted on SIXGEN's blog.