Last Week in Security (LWiS) - 2020-08-10

A new telemetry inspection tool by @Jackson_T, macOS goodies from @_D00mfist and @patrickwardle, subdomain finding enhancement from @TheXC3LL, malleable droppers from @s0lst1c3, true red teaming from @pruby, and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-08-03 to 2020-08-10.

News

  • Exposing and Circumventing China's Censorship of ESNI. While I can't say this is a direct consequence of my DEF CON talk putting ESNI in the "mainstream" infosec media, the timing is suspect. I hope that TLS 1.3 adoption picks up to a point where this kind of censorship is too costly to be effective. In the meantime, workarounds are being researched.
  • U.S. Government Contractor Embedded Software in Apps to Track Phones (Paywall - Non-paywall here). SDKs and advertising identifiers can be used to track users across apps, and likely across phones. This feature is being sold to whoever can pay. While this has always been the case, seeing it spelled out is a bit frightening. iOS 14 brings additional privacy protections which might help curb this type of tracking, but the middle ground between "secluded privacy obsessed person" and "all your info is available to anyone who can pay" is becoming nonexistent.
  • The Current State of Exploit Development, Part 1. Ever wonder why you aren't popping shells unauthenticated on remote systems like you used to? This post walks through legacy and some modern exploit mitigations that are making the attacker's life harder.
  • Rewards for Justice – Reward Offer for Information on Foreign Interference in U.S. Elections. This is pretty interesting, "up to" $10 million for identifying or locating a person that is hacking US elections for a foreign government. Is the Department of State issuing letters of marque again?!

Techniques

  • Masking Malicious Memory Artifacts – Part III: Bypassing Defensive Scanners. Forrest Orr is back to drop more fileless malware knowledge. If you only read one thing this week, read this post. .Net DLL hollowing looks to be a weakness of all the tested memory scanners due to high false positives. Use this to your advantage when writing your next red team tool.
  • Building a lab with Server 2019 Server Core and PowerShell …then attacking it! If you don't have an AD lab setup yet, this is the guide you were waiting for.
  • Persistent JXA explores the strange world of "Javascript for Automation" on macOS and introduces a few persistence mechanisms for developer machines. Code here.
  • The Art Of Mac Malware is an online, free book from Patrick Wardle about macOS malware. It's collaborative, so review and add your knowledge! Be sure to check out his DEF CON talk which includes a very slick logic bug chain for sandbox escape here.
  • Ghostscript SAFER Sandbox Breakout (CVE-2020-15900). This is pure adversary emulation goodness. Red teamer needs a shell, researches a technology, fuzzes the technology, pwns the technology (0day), and shells the target. If you wonder why true red team/adversary emulation engagements are more expensive than a "vulnerability scan" where they hand you Nessus results, this is why. Well done @pruby.
  • Routopsy – Hacking Routing with Routers. Stop ping sweeping /16 networks and use the vulnerable routers to tell you about the actual ranges instead! Once you find a good target, use the same vulnerable routers to inject a malicious route and get traffic from that target. Congratulations, you are now the router. The potential impact of this is pretty big. Consider what would happen if a target suddenly resolved every domain to a fake SSO page you control. The SensePost team gets extra credit for including two vulnerable scenarios as docker-compose files in the repo so you can test out the tool in your lab.
  • Exploiting vBulletin: “A Tale of a Patch Fail” is a great example of how a patch is not always the end of a bug's life. In this case vBulletin 5.0 to 5.4 can be exploited with a single curl command.
  • Chaining multiple vulnerabilities to exfiltrate over 250GB of PIA. These kinds of articles are amazing, but so rare. An actual exploit chain used against a real company. New tricks and tools to be found in this one.
  • Digging further into the Primary Refresh Token. The AD whisperer drops another post. This time he explores the inner workings of the CloudAP plug-in in lsass and the cryptographic keys used to authenticate with the PRT. These are accompanied by new features in ROADtools to interact with the PRT cookie and the new mimikatz version.

Tools and Exploits

  • TelemetrySourcerer can enumerate and disable common sources of telemetry used by AV/EDR on Windows. This will be super helpful for your AV/EDR lab.
  • Compromising the macOS Kernel through Safari by Chaining Six Vulnerabilities. This is top shelf exploitation. Browse to a website, get kernel execution. When I dream of "advanced nation state" exploits this is what I dream of. The talk isn't available yet, but the slides are.
  • go-sharp-loader. Pack your favorite .NET executables into this loader and run them from memory. Add some encryption for better AV evasion.
  • Octopus v1.0 stable: Cobalt Strike deployment & much more! Not a new tool, but stable 1.0 is a big step. I love the concept behind a "pre-operation C2" as it's what the best APTs are doing.
  • estigmergio.py infers prefixes/suffixes/common substrings inside a list of subdomains and builds a dictionary from them. This is the kind of custom tooling that sets you apart from all the other bug hunters. Well played @TheXC3LL.
  • Bug-Bounty-Colab uses Google Colab as a "VPS" for bug bounties, much like penglab did (LWiS 2020-06-15). I wonder how long Google will allow this?
  • dropengine is a malleable payload generation framework. In practical terms, it allows you to define payloads using different modules (interfaces, crypters, decrypters, encryption keys, decryption keys, executors, and mutators) to rapidly generate a variety of payloads. It also includes support for environmental keying, which will keep your payloads undetected for longer by only executing on the desired targets without manual reversing. When delivering a binary to an unknown environment with possible EDR, this will prove very handy.
  • Stealthily Access Your Android Phones: Bypass the Bluetooth Authentication - BlueRepli. Android will allow access to contacts and other information via Bluetooth with no user interaction for at least one major manufacturer, and for the rest it is a single prompt. Expect both law enforcement and malicious actors to take advantage of this. iOS is not affected.
  • vx includes a new HellsGate example written in pure assembly for dynamically extracting and invoking syscalls from in-memory modules on Windows. This could be used in your custom tooling to implement the HellsGate technique.
  • Spooler contains the tools developed during the Print Spooler research which was presented at Black Hat USA 2020 and DEF CON 28 Safe Mode ("A Decade After Stuxnet's Printer Vulnerability: Printing is still the Stairway to Heaven").
  • mole is a framework for identifying and exploiting out-of-band application vulnerabilities. The client is used to create payloads during manual testing and automatically injects tokens into the predefined payloads. The mole server then listens for and alerts when these out-of-band payloads are triggered. Useful for testing XSS, XXE, PDF, and OOXML vectors.
  • mkhtaccess_red. Auto-generates a .htaccess for payload delivery -- automatically pulls IPs/nets/etc. from known sandbox companies/sources that have been seen before, and redirects them to a benign payload.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • overlord provides a Python-based console CLI which is used to build Red Teaming infrastructure in an automated way. The user provides inputs by using the tool's modules (e.g. C2, Email Server, HTTP web delivery server, Phishing server etc.) and the full infra / modules and scripts will be generated automatically on a cloud provider of choice. Currently supports AWS and Digital Ocean.
  • Turning on network protection. Did you know Microsoft Defender has a built in network protection feature? Enable it with a simple registry change, and pay no mind to the references to Defender ATP, it works on regular Windows 10 installs.
  • Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. MobSF supports mobile app binaries (APK, IPA & APPX) along with zipped source code and provides REST APIs for seamless integration with your CI/CD or DevSecOps pipeline. The Dynamic Analyzer helps you to perform runtime security assessment and interactive instrumented testing.
  • PurpleSharp is an open source adversary simulation tool written in C# that executes adversary techniques within Windows Active Directory environments. The resulting telemetry can be leveraged to measure and improve the efficacy of a detection engineering program. PurpleSharp leverages the MITRE ATT&CK Framework and executes different techniques across the attack life cycle: execution, persistence, privilege escalation, credential access, lateral movement, etc. It currently supports 37 unique ATT&CK techniques. Blog posts here.
  • reconness creates a platform to allow continuous recon (CR) where you can set up a pipeline of recon tools (Agents) and trigger it based on a schedule or on events.
  • IntelOwl is for everyone who needs a single point to query for info about a specific file or observable (domain, IP, URL, hash). Put in your API keys for all the services you manually query, and then have a single endpoint for getting information about indicators in your environment.
  • CSharpWinRM moves laterally with WinRM from a C# binary (or better - in memory execution).
  • AutoRDPwn is a post-exploitation framework created in PowerShell, designed primarily to automate the Shadow attack on Microsoft Windows computers. This vulnerability (listed as a feature by Microsoft) allows a remote attacker to view a victim's desktop without their consent, and even control it on demand, using tools native to the operating system itself.

This post is cross-posted on SIXGEN's blog.