Last Week in Security (LWiS) - 2020-07-27
NTLM relaying via Citrix Workspace by @_EthicalChaos_, access the entire AD database via Exchange with a new tool from @_mohemiv, a new Go-based C2/Agent from @paragonsec and team, phishing tips from @lorentzenman, and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-07-20 to 2020-07-27. MITRE ATT&CK techniques are in brackets where appropriate.
News
- Blackbaud hack: More UK universities confirm breach. Software supply chain hits Blackbaud and therefore many of its customers. It turns out extortionware (ransomware + stealing data) was used to get Blackbaud to pay the ransom/extortion, and once the hackers had been paid, they gave "confirmation that the copy [of data] they removed had been destroyed". Unfortunately there is no way to verify that, and any data that was taken has to be assumed lost.
- Twilio: Someone waltzed into our unsecured AWS S3 silo, added dodgy code to our JavaScript SDK for customers. This is scary for anyone who uses an SDK or third party software (everyone). The software supply chain is vulnerable, and there are no great solutions to both update third party code quickly and stay secure. [T1195.002 Supply Chain Compromise: Compromise Software Supply Chain]
Techniques
- Engineering antivirus evasion (Part II). Scrt shows how it is possible to accurately replace function calls in C/C++ code-bases without using regexes, in order to hide API imports and allow Meterpreter to bypass ESET Nod32.
- Raining SYSTEM Shells with Citrix Workspace app. @_EthicalChaos_ uses NTLM relaying with Citrix Workspace to get SYSTEM shells. PoC is here.
- Battelle Publishes Open Source Binary Visualization Tool. CantorDust enables the rapid visualization of unknown binary data with Ghidra, allowing for rapid visual inspection of unknown binaries.
- Attacking MS Exchange Web Interfaces. @_mohemiv drops serious knowledge, providing an overview of current Exchange attacks, and introducing a new tool to allow the lookup of Distinguished Name Tags from the domain controller using Exchange RPC. [T1087.002 Account Discovery: Domain Account]
- To Click or Not to Click? Step up your phishing game with these tips from @lorentzenman. [T1566.002 Phishing: Spearphishing Link]
- Malware Analysis - These in-depth posts show some current campaigns and the techniques they are using. If you are in adversary emulation, be sure to add them to your assessments.
- Writing an iOS Kernel Exploit from Scratch. If you ever want to do iOS exploit development, this is required reading. All the nitty gritty steps from setting up the environment to analyzing the bug and finally writing the exploit are covered.
- House of Io – Remastered. This post describes a mechanism for bypassing the Safe-Linking heap mitigation in glibc 2.32 and greater under specific circumstances.
- Designing and Implementing PEzor, an Open-Source PE Packer. Phra walks through the process of writing a robust (syscall inlining, user-land hook removal, LLVM obfuscation, polymorphic generation, etc.) PE loader. Excellent work.
- Abusing Azure AD SSO with the Primary Refresh Token. The AD whisperer himself Dirk-jan (@_dirkjan) is back to drop valuable knowledge. Here he explains how SSO works with Primary Refresh Tokens, and what some of the implicit risks are of using SSO. He demonstrates how attackers can abuse this if they have access to a device which is Azure AD joined or Hybrid joined to obtain long-lived tokens which can be used independently of the device and which will in most cases comply with even the stricter Conditional Access policies. Dirk-jan also kindly released a tool to help you do all this: ROADtoken.
- Tool Release: Sinking U-Boots with Depthcharge. This is a very cool tool from nccgroup for physical assessments against devices running the U-Boot bootloader.
- SharePoint and Pwn :: Remote Code Execution Against SharePoint Server Abusing DataSet. SharePoint continues to deserialize all kinds of data and deserialization continues to deliver shells.
Tools and Exploits
- Boomerang is a tool to expose multiple internal servers to web/cloud. This project is in early stages, and has no authentication or encryption, but may provide a good base if you are looking to write your own tunneling agent with Go.
- RpcSsImpersonator is an Administrator or Network Service to SYSTEM privilege exploit for Windows.
- Malwarebytes-Disabler injects shellcode into a Malwarebytes process which allows a user to disable "Malware Protection" even if the Malwarebytes administrator has set a password to protect this setting from being changed. [T1562.001 Impair Defenses: Disable or Modify Tools]
- SpaceRunner enables the compilation of a C# program that will execute arbitrary PowerShell code without launching PowerShell processes, through the use of runspace, and includes AMSI patching. [T1562.006 Impair Defenses: Indicator Blocking]
- KITT-O365-Tool is a tool designed to make working O365 Business Email Compromise investigations easier and more efficient for DFIR and SOC analysts by pairing the power of PowerShell cmdlets with the ease of use of a GUI.
- DeimosC2 is a post-exploitation Command & Control (C2) tool that leverages multiple communication methods in order to control machines that have been compromised. DeimosC2 server and agents work on, and have been tested on, Windows, Darwin, and Linux. It is entirely written in Golang with a front end written in Vue.js. This is a very impressive 1.0 release!
- vopono is a tool to run applications through VPN tunnels via temporary network namespaces. This allows you to run only a handful of applications through different VPNs simultaneously, whilst keeping your main connection as normal.
- dazzleUP is a tool that detects the privilege escalation vulnerabilities caused by misconfigurations and missing updates in the Windows operating systems. It uses the Windows Update Agent API instead of WMI (like others) when finding missing patches, and comes with a CobaltStrike cna script. [T1068 Exploitation for Privilege Escalation]
- CVE-2020-15778 is a simple command injection in OpenSSH <= 8.3p1. If you have access to a Linux host without shell access but only scp access, you just got shell access.
- Carbuncle is a tool for interacting with Outlook interop during red team engagements; enumerate, read, monitor, and send email.
This post is cross-posted on SIXGEN's blog.