Last Week in Security (LWiS) - 2020-08-17

Azure AD to on-prem lateral movement by @_wald0, a new Windows un-hooking project from @peterwintrsmith, 🔥 Russian Linux malware analysis from @NSACyber, modern AV evasion primer from @_batsec_, dumping LSASS from the kernel by @zerosum0x0, and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-08-10 to 2020-08-17.


  • Internet Explorer and Windows zero-day exploits used in Operation PowerFall. Two 0days were used in this campaign that targeted a South Korean company, a user-after-free in IE 11 on Windows 10, and an elevation of privilege related to kernel memory handling. Even if you are on Windows 10, Internet Explorer is a bad idea.
  • Russian GRU 85th GTsSSDeploys PreviouslyUndisclosed Drovorub Malware. The NSA and FBI tear down Russian Linux malware and dig into all the details in this 39 page (!) report. They specifics on the server configuration shows that they had access to live C2 nodes. This tactic of naming and shaming nationstate malware started with the US CYBERCOM twitter, and its good to see it carry over into well researched reports.
  • New Developments: Retiring CTP and Introducing New Courses. CTP/OSCE are soon to be retired and replaced with three separate courses that must be complete to earn a "new OSCE." While I agree that OSCE is out of date, it does introduce good content, and I'm sure students will not be excited to have to pay for 3 courses to earn a certificate that used to be one. However, Offensive Security provides the best reasonably priced, hands on, recognized certificates out there (besides rastamouse's Red Team Ops).
  • Call Me Maybe: Ea­ves­drop­ping En­cryp­ted LTE Calls With Re­VoL­TE. Another instance of the RFC not matching implementation. Base station (eNodeB) implementations of VoLTE reuse keystreams for concurrent calls, allowing a malicious actor to capture a call, place another, and use the keystream from the second to decrypt the first. Demo here.
  • Microsoft Put Off Fixing Zero Day for 2 Years. Brian Krebs digs into CVE-2020-1464, an issue with how Windows validates file signatures commonly used to execute jar based attacks. Triage is hard, but this seems like an issue that should have been fixed much faster.


Tools and Exploits

  • eidc32proxy. Is a pure Go proxy for eidc32 proximity systems. It allows for "skeleton key" credentials to operate locks without logging to the controler. Check out the demo here.
  • sinter is a 100% user-mode endpoint security agent for macOS 10.15 and above, written in Swift. This is inspired by Google's Santa but doesn't require a kernel extension (which is not allowed in macOS 11) and has more features.
  • Zolom is a C# executable with embedded Python that can be used reflectively to run python code on systems without Python installed. Yo dawg, I heard you like high level languages ...
  • SharpEDRChecker checks running processes, process metadata, DLLs loaded into your current process and the each DLLs metadata, common install directories, installed services and each service binaries metadata, installed drivers and each drivers metadata, all for the presence of known defensive products such as AV's, EDR's and logging tools.
  • A Change of Mythic Proportions. Apfell C2 is now Mythic C2 which better reflects how adaptable it is. This update is a big one, so if you have checked out Apfell in the past, be sure to take another look.
  • Windows-Setup-EoP. This is an exploit for a time of check/time of use vulnerability in the windows "feature update" (i.e. 1909 to 2004) process. Demo here.
  • VMProtect Tools
    • vmpattack is a VMProtect to Virtual-machine Translation Intermediate Language (VTIL) lifter. This can help get VMProtected binaries into a state that will help with analysis.
    • NoVmp is a project devirtualizing VMProtect x64 3.0 - 3.5 (latest) into optimized VTIL and optionally recompiling back to x64 using the VTIL library.
  • wacker is the first (I think?) tool for WPA3 dictionary attacks!
  • CVE-2020–14979: Local Privilege Escalation in EVGA Precision X1. Poorly written drivers are the gift that keep on giving. In this case, local privilege escalation is the gift. This driver is included in Screwed-Drivers.
  • dnsfserv is a fileserver over DNS, with wrapper library and example stager. You never know when you might be in a super restricted env and need to stage over DNS.

This post is cross-posted on SIXGEN's blog.