Last Week in Security (LWiS) - 2020-07-20
Sophos XG 0day discovery by @ramoliks and @niph_, a D/Invoke primer by @_RastaMouse, EDR bypass via driver exploits by @matteomalvica, fooling facial recognition from @shawnshan26 and team, and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-07-13 to 2020-07-20. MITRE ATT&CK techniques are in brackets where appropriate.
News
- SIGRed – Resolving Your Way into Domain Admin: Exploiting a 17 Year-old Bug in Windows DNS Servers. This bug is interesting because it could be triggered by simply visiting a web page by a user that is using a Windows DNS server (i.e. AD). While this is a heap exploit and no public PoC exists yet (besides this DoS), researchers likely have already weaponized this vulnerability.
- Unpatched SAP Systems at High Risk for Potential Cyber Threats and Compliance Violations. If by "Compliance Violations" they mean unauthenticated remote code execution then yes, "Compliance Violations." Good find by Onapsis, but I really hate when companies lean so hard on these reports for marketing, even hiding the report itself behind an email signup. This CISA Alert has some details. Check for vulnerability with SAP_RECON.
- Who’s Behind Wednesday’s Epic Twitter Hack?. If you missed it, many high profile (Bill Gates, Barak Obama, Jeff Bezos, etc) twitter accounts tweeted about a Bitcoin scam last Wednesday. To me, the ability to snoop on direct messages seems more valuable than the ~$100,000 in Bitcoin the attackers received. TLDR: Twitter's internal Slack had credentials to an administration system that allowed the account access. Maybe the attackers used slack-watchman?
- TikTok says Australian users' data won't be shared with foreign powers. However, TikTok's own transparency report show that they, unsurprisingly, hand over a lot of data to governments when asked. The report makes no mention of requests from China.
- WhatsApp lawsuit against NSO Group spying can proceed, judge rules. This is an interesting ruling that could allow Facebook, who owns WhatsApp, to get details on NSO Groups clients. NSO Group has always walked a fine line, as they provide "exploitation as a service" vs the more legally defensible vulnerability sales.
- Homeland Security Worries Covid-19 Masks Are Breaking Facial Recognition, Leaked Document Shows. "The potential impacts that widespread use of protective masks could have on security operations that incorporate face recognition systems — such as video cameras, image processing hardware and software, and image recognition algorithms — to monitor public spaces during the ongoing Covid-19 public health emergency and in the months after the pandemic subsides." As seems to the be the case with most authoritarian issues, China is way ahead: Chinese authorities use gait analysis to identify citizens on CCTV (2018).
- Image "Cloaking" for Personal Privacy. This is great research that allows users to alter photos of faces to fool common AI/ML facial recognition technology while appearing almost unaltered to the human eye. I love research like this that is well presented and releases the code. So many potentially cool research papers never release their code, so bravo to @shawnshan26 and the Fawkes team.
- Iranian state hackers caught with their pants down in intercepted videos. The take away from this article is twofold: 1. Use a password manager (unique password per site) and 2FA, and 2. Open S3 buckets affect everyone, even the hackers. This group is considered an Advanced Persistent Threat (APT)...
- DEF CON Playable CTF Archives. Order of the Overflow has really done a great job with the DEF CON CTF in recent years. This site allows you to access and actually play past challenges from both the DEF CON CTF and the qualifier events.
- HoneyPoC: The fallout data after I trolled the Internet.... This is interesting because it shows just how hungry attackers are for the latest vulnerabilities. Likely access from DPRK and GRU cyber operators (with poor OPSEC) within days of a CVE release show that even if you are not staying current on the latest CVEs, the APTs are.
Techniques
- Sophos XG - A Tale of the Unfortunate Re-engineering of an N-Day and the Lucky Find of a 0-Day. You may recall the Sophos XG N-Day from early 2020, but it turns out there was more to the story. This very detailed write up by @ramoliks and @niph_ shows how their research into that exploit lead them to another unauthenticated remote code execution 0day. Bravo!
- Process Injection using DInvoke. @_RastaMouse demonstrates the differences between the standard P/Invoke and the new D/Invoke technique in C# and how it can be use to hide API calls from AV/EDR solutions.
- Masking Malicious Memory Artifacts Part II: Insights from Moneta. @_ForrestOrr doesn't post often, but when he does you owe it to yourself to read his posts. This is another well researched and written article, which contains offensive and defensive technique gold: "Interestingly, the takeaway concept from this analysis seems to be that attempting to detect such memory is nearly impossible with IOCs alone when the malware writer understands the landscape he is operating in and takes care to camouflage his tradecraft in one of the many existing abnormalities in Windows. Moneta provides a useful way for attackers to identify such abnormalities and customize their dynamic code to best leverage them for stealth. Similarly, it provides a valuable way for defenders to identify/dump malware from memory and also to identify the false positives they may be interested in using to fine-tune their own memory detection algorithms." Time to blend your tools in with the "false-positives" already present in Windows.
- Silencing the EDR. How to disable process, threads and image-loading detection callbacks.. @matteomalvica uses the hacker's favorite GigaByte driver to disable driver signature enforcement, then loading a custom driver that allows the selective disabling of kernel callbacks that EDR uses. Example code here. Looking for more driver exploitation for EDR bypass? Check out Bypassing LSA Protection (aka Protected Process Light) without Mimikatz on Windows 10. Drivers may be fertile ground for exploit research.
- Windows Server Containers Are Open, and Here’s How You Can Break Out. Symbolic Links strike again, this time allowing any code in a Windows Server Container to break out and have full control of the host. If you are running Windows Server Containers on Azure Kubernetes Service (AKS), this escape allows for lateral movement to other cluster nodes as well.
- The Fake Cisco. This report from F-Secure explores a counterfeit Cisco device in depth and discovers an exploit that allowed signature and platform verification to pass on fake devices - until it didn't. Very cool hardware hacking. [T1195.003 Supply Chain Compromise: Compromise Hardware Supply Chain]
- Persistent AWS access with role chain juggling. "Temporary credentials" may be used to issue more "temporary credentials," making them not so temporary.
- A Developer's Introduction to Beacon Object Files. Still confused about Beacon Object Files in Cobalt Strike 4.1? Christopher Paschen writes a good overview of what they are, why they are cool, and some tips and tricks to get started using them.
Tools and Exploits
- capa detects capabilities in executable files. You run it against a PE file or shellcode and it tells you what it thinks the program can do. For example, it might suggest that the file is a backdoor, is capable of installing services, or relies on HTTP to communicate. Details on the Fireeye Blog.
- project-citadel is a free & open source alternative project management tool that offers basic task tracking through a Kanban board (think Trello).
- pwn-machine is a self hosting solution based on docker aiming to provide an easy to use pwning station for bughunters. This is a first release, but it could become a very cool platform to help automate the backend stuff required to find interesting bugs. More information in this blog post.
- McAfee Total Protection (MTP) < 16.0.R26 Escalation of Privilege (CVE-2020-7283). Another AV allows for local privilege escalation due to symlink mishandling and overly permissive permissions. [T1068 Exploitation for Privilege Escalation]
- RequestAADRefreshToken obtains a refresh token for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account). An attacker can then use the token to authenticate to Azure AD as that user. More info on the Specter Ops blog.
- RuralBishop is practically a carbon copy of UrbanBishop by b33f, but all P/Invoke calls have been replaced with D/Invoke.
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- GrammaTech Intermediate Representation for Binaries. This is a really cool use of and intermediate representation to modify binaries without source code. This technique could be use for more malicious ends as well.
This post is cross-posted on SIXGEN's blog.