Aug 17 2020 Last Week in Security (LWiS) - 2020-08-17

News

• Internet Explorer and Windows zero-day exploits used in Operation PowerFall. Two 0days were used in this campaign that targeted a South Korean company, a user-after-free in IE 11 on Windows 10, and an elevation of privilege related to kernel memory handling. Even if you are on Windows 10, Internet Explorer is a bad idea.
• Russian GRU 85th GTsSSDeploys PreviouslyUndisclosed Drovorub Malware. The NSA and FBI tear down Russian Linux malware and dig into all the details in this 39 page (!) report. They specifics on the server configuration shows that they had access to live C2 nodes. This tactic of naming and shaming nationstate malware started with the US CYBERCOM twitter, and its good to see it carry over into well researched reports.
• New Developments: Retiring CTP and Introducing New Courses. CTP/OSCE are soon to be retired and replaced with three separate courses that must be complete to earn a "new OSCE." While I agree that OSCE is out of date, it does introduce good content, and I'm sure students will not be excited to have to pay for 3 courses to earn a certificate that used to be one. However, Offensive Security provides the best reasonably priced, hands on, recognized certificates out there (besides rastamouse's Red Team Ops).
• Call Me Maybe: Ea­ves­drop­ping En­cryp­ted LTE Calls With Re­VoL­TE. Another instance of the RFC not matching implementation. Base station (eNodeB) implementations of VoLTE reuse keystreams for concurrent calls, allowing a malicious actor to capture a call, place another, and use the keystream from the second to decrypt the first. Demo here.
• Microsoft Put Off Fixing Zero Day for 2 Years. Brian Krebs digs into CVE-2020-1464, an issue with how Windows validates file signatures commonly used to execute jar based attacks. Triage is hard, but this seems like an issue that should have been fixed much faster.

Techniques

• Defending Your Malware is a post by the author of shad0w that serves as a great primer on modern Windows antivirus/EDR evasion techniques.
• SNIcat: Circumventing the guardians. Given my interest in SNI, this post was interesting. They use the SNI and then subsequent return or non-return of the server certificate to send data to a server, even if the domain has been blocked by an intercepting firewall. Interesting technique, but also extremely loud. Code here.
• SassyKitdi: Kernel Mode TCP Sockets + LSASS Dump. This post describes a kernel mode payload for Windows NT called "SassyKitdi" (LSASS + Rootkit + TDI). This payload is of a nature that can be deployed via remote kernel exploits such as EternalBlue, BlueKeep, and SMBGhost, as well as from local kernel exploits, i.e. bad drivers. This exploit payload is universal from (at least) Windows 2000 to Windows 10, and without having to carry around weird DKOM offsets. A cool project that attacks LSASS dumping from a lower level.
• Abusing MacOS Entitlements for code execution. This post shows interesting ways of persisting (or potentially gaining initial access) on macOS by abusing "weak" entitlements.
• Death from Above: Lateral Movement from Azure to On-Prem AD. This is very cool research from @_wald0 on how to use Azure AD to execute code as SYSTEM on any endpoint managed by ConfigMgr/Intune/Endpoint Manager. The cloud is a scary place.
• FireWalker: A New Approach to Generically Bypass User-Space EDR Hooking. The EDR hooking arms race started by Dumpert gets a new weapon with the release of firewalker.
• CVE-2020-1337 – PrintDemon is dead, long live PrintDemon!. Another good example of a patch not killing a bug. This is a bypass for CVE-2020-1048, and for the good work gets the best CVE number of the year. PoC here and here.

Tools and Exploits

• eidc32proxy. Is a pure Go proxy for eidc32 proximity systems. It allows for "skeleton key" credentials to operate locks without logging to the controler. Check out the demo here.
• sinter is a 100% user-mode endpoint security agent for macOS 10.15 and above, written in Swift. This is inspired by Google's Santa but doesn't require a kernel extension (which is not allowed in macOS 11) and has more features.
• Zolom is a C# executable with embedded Python that can be used reflectively to run python code on systems without Python installed. Yo dawg, I heard you like high level languages ...
• SharpEDRChecker checks running processes, process metadata, DLLs loaded into your current process and the each DLLs metadata, common install directories, installed services and each service binaries metadata, installed drivers and each drivers metadata, all for the presence of known defensive products such as AV's, EDR's and logging tools.
• A Change of Mythic Proportions. Apfell C2 is now Mythic C2 which better reflects how adaptable it is. This update is a big one, so if you have checked out Apfell in the past, be sure to take another look.
• Windows-Setup-EoP. This is an exploit for a time of check/time of use vulnerability in the windows "feature update" (i.e. 1909 to 2004) process. Demo here.

• VMProtect Tools

  • vmpattack is a VMProtect to Virtual-machine Translation Intermediate Language (VTIL) lifter. This can help get VMProtected binaries into a state that will help with analysis.
  • NoVmp is a project devirtualizing VMProtect x64 3.0 - 3.5 (latest) into optimized VTIL and optionally recompiling back to x64 using the VTIL library.

• wacker is the first (I think?) tool for WPA3 dictionary attacks!
• CVE-2020–14979: Local Privilege Escalation in EVGA Precision X1. Poorly written drivers are the gift that keep on giving. In this case, local privilege escalation is the gift. This driver is included in Screwed-Drivers.
• dnsfserv is a fileserver over DNS, with wrapper library and example stager. You never know when you might be in a super restricted env and need to stage over DNS.

This post is cross-posted on SIXGEN's blog.