Jul 06 2020 Last Week in Security (LWiS) - 2020-07-06

News

• Mobile APT Surveillance Campaigns Targeting Uyghurs. iOS security company Lookout releases this detail-packed 52-page report detailing a years-long hacking campaign.
• How Police Secretly Took Over a Global Phone Network for Organized Crime. French authorities managed to push malware to the endpoints of Encrochat, an encrypted phone system used by criminals. This is also a case for or against encryption backdoors, depending on how you see such a backdoor being used. Either way, competitors are already in place to take over from Encrochat, including Omerta.
• iOS 14 flags TikTok, 53 other apps spying on iPhone clipboards. The new iOS 14 beta has stronger clipboard controls which have exposed apps like TikTok and Reddit for reading anything in a user's clipboard.
• FreeDVDBoot - Hacking the PlayStation 2 through its DVD player. While the technology (PlayStation 2) isn't very relevant today, the technique used to play homebrew discs without modifying the PlayStation at all is very impressive (IFO parsing buffer overflow and multi-stage payload).
• Elastic Security opens public detection rules repo. The company behind Elasticsearch (and owners of Endgame EDR) release their detection rules. These are in yet another repository, and only work with the closed source (and very expensive) Elastic SIEM. For a more open, cross-platform solution, stick to sigma rules.

Techniques

• Dismantling BullGuard Antivirus’ online protection. @WPalant continues his tour of antivirus-browser interaction research with a seriously facepalm-able bypass and XSS for BullGuard. User education and sane browsing habits plus EDR are a much better combo than trying to put antivirus in the browser.
• When Multi-Factor Authentication Isn’t Enough – Bypassing MFA via Phishing walks through the install and use of evilginx2 for MFA phishing against Okta.
• Some DOS bugs while processing Microsoft LNK files is a good post not for the bugs themselves but for the process of how the bugs were found and the discussion of pe-afl vs Winafl.
• Using Binject - Binject is not new, but this writeup by @1njection shows the power of a fully armed and operational Death Star Binject and its potential for use in a gscript payload. For adversary emulation engagements using this in a phishing payload to spread persistence would be particularly nasty. This project from the Symbol Crash team is very impressive.
• Experiments in Extending Thinkst Canary – Part 1. "Deception" is a buzzword used to sell cyber solutions but it actually does work when implemented properly. EDR can give alerts that may or may not be tied to malicious activity, but if someone tries to exploit a honeypot that is 100% malicious. The signal-to-noise or confidence level of well implemented honeypot alerts is invaluable. In this post, @ollieatnccgroup discusses how he extends the open source Python Thinkst opencanary project to implement custom honeypot services.
• Art of bug bounty: a way from JS file analysis to XSS. This is a great post as it shows the full background and process that went into finding this specific bug.
• Living Off Windows Land – A New Native File "downldr". A new "LOLBin" for downloading arbitrary files on Windows 10. Lots of environments are monitoring for the well known certutil.exe LOLBin being used as a downloader, but I doubt many are looking for desktopimgdownldr.exe.
• GOing 4 A Run introduces a shellcode runner written in Go that implements a few evasion techniques (shellcode encryption, block DLLs, parent process spoofing). Borrow these techniques (and maybe add direct syscalls) for your custom in-house PE loader!
• Reading Windows Sticky Notes. Everyone has seen passwords written on sticky notes stuck to a monitor on an assessment, but what if target stores sensitive information on digital sticky notes as well? @two06 releases a SharpStick to read sticky notes on Windows.
• Interesting tactic by Ratty & Adwind for distribution of JAR appended to signed MSI. Taking advantage of how MSI and JARs are read, Ratty & Adwind actors manage to slip some JARs past signature validation using a simple but effective technique. Security-in-bits includes a Yara rule in this post to detect this technique.
• Bypassing CrowdStrike Endpoint Detection and Response uses XOR payload encryption/brute-forcing and NtQueueApcThread to get around CrowdStrike's detection of Process Hollowing. Well done; it's rare to see these write-ups as red-teamers don't want to burn their methods once they get one to work.

Tools and Exploits

• BIG-IP TMUI Directory Traversal and File Upload RCE (CVE-2020-5902). If you have any BIG-IP products you might already be compromised as public exploits dropped soon after the CVE announcement. More details here. Sigma rule here but it only works if your BIG-IP devices are pushing logs to your SIEM as the exploit traffic is encrypted. [T1190 Exploit Public-Facing Application]
• CVE-2020-2021: Post Exploit Analysis. Breathing easy after the BIG-IP/F5 news because you are running Palo Alto gear? Bad news, PAN-OS has a critical SAML signature verification bypass option available that if in place (unchecked) allows successful arbitrary logins. You know its bad when US CYBERCOM tweets about it.
• DLLHSC is a tool to generate leads and automate the discovery of candidates for DLL Search Order Hijacking by Context. Read their article about how it came to be and how it can be used. SpecterOps also has a new post on DLL Hijacking: Automating DLL Hijack Discovery.
• Would you like some RCE with your Guacamole?. Checkpoint releases details of an exploit that requires access to a machine that the Guacamole server connects to (i.e. compromised workstation or insider threat) which can be used to exploit the server and take over arbitrary remote desktop sessions. In this age of remote work, there are likely many large vulnerable instances.
• Technical Advisory – macOS Installer Local Root Privilege Escalation (CVE-2020-9817). This is a permission issue during the install of a package where a malicious user (or actor that has compromised a machine with only user-level access) could gain root access if a package is installed by an administrator while the exploit is running in the background. [T1068 Exploitation for Privilege Escalation]
• Disclosure: Another macOS privacy protections bypass. The lax checks on code signatures allows malicious actors to copy signed and entitled applications, gut them - modifying their resources, and use them to access otherwise "protected" resources (i.e. Desktop, Contacts, ~/Library/Safari/*, etc).
• Windows Telemetry service elevation of privilege . While no compile-and-pwn proof of concept exists, the details in the post plus this bit of code should get you most of the way there. [T1068 Exploitation for Privilege Escalation]
• bof-vs-template is a template project for building Cobalt Strike BOFs in Visual Studio. There is also bof_helper from dtmsecurity if you prefer Python.
• so is a terminal interface for StackOverflow written in Rust. Save yourself a few clicks and get answers in your terminal.
• halfmoon is a front-end framework with a built-in dark mode, designed for rapidly building beautiful dashboards and product pages. I love the fact its designed to work without JavaScript (like this site)!
• Pwdb-Public is a repository of modern, frequently used passwords. If you are still using rockyou.txt, it's time to upgrade.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• Secretive is an app for storing and managing SSH keys in the Secure Enclave. It is inspired by the sekey project, but rewritten in Swift with no external dependencies and with a handy native management app. If you have a Mac or manage Macs this is another level of protection for SSH keys, and Macs without a secure enclave can use other sources such as a Yubikey.
• velociraptor is a tool for collecting host based state information using Velocidex Query Language (VQL) queries. A simple to deploy single binary agent and server for incident response.

This post is cross-posted on SIXGEN's blog.