Sep 21 2020 Last Week in Security (LWiS) - 2020-09-21

News

• First death reported following a ransomware attack on a hospital. A patient that had to be diverted due to ransomware affecting a hospital in Germany dies. The cyber and physical world are merging, with all the good and bad that brings.
• Sysmon v12.0 was released which includes the ability to do clipboard monitoring. Be aware that this will store passwords or other secrets that make it into the clipboard.
• Two Iranian Nationals Charged in Cyber Theft Campaign Targeting Computer Systems in United States, Europe, and the Middle East. Part of the US strategy against foreign hackers has been to call them out and charge individual operators. In this case it is two Iranians who have operated since at least 2013 and attacked civilian, industry, and government targets.
• US charges five hackers from Chinese state-sponsored group APT41. The name-and-shame campaign continues, this time targeting the Chinese APT 41. It's important to note that these are charges for hacking private companies for non-intelligence related reasons (i.e. intellectual property theft), as the US likely doesn't want to make "legitimate" spying illegal.
• GitHub CLI 1.0 is now available. GitHub rolls out a cross-platform command line tool written in Go. Now you can perform all your GitHub actions without having to leave the terminal. This was true before using raw git, but now you can do things like manage merge requests, issues, and more from the command line.
• The art and science of detecting Cobalt Strike. Cisco Talos researches spent some time getting very familiar with Cobalt Strike and produced more than 50 new snort and ClamAV signatures. Read this and get to work in Artifact Kit to ensure these rules won't catch you.
• merlin 0.9.0 release adds new features and agent types, but my favorite addition has to be the live JA3 signature modification capability for agents. Very cool!

Techniques

• Aruba Clearpass RCE (CVE-2020-7115). Argument injection is an under appreciated bug class, but it is more powerful and more widespread than most researchers realize. In this case Daniel uses some nifty tricks to get a root reverse shell.
• Building a custom Mimikatz binary shows how red teamers can take open source tools, and modify the source code to bypass most static detections. You'll have to do some more work for advanced EDR detections based on dynamic or behavioral analysis.
• Are You Docking Kidding Me?. In this post, Leo Pitt shows the macOS equivalent of using LNK files on Windows to persist in the Dock on macOS. The post ends with a very thorough detection section.
• Beacon Object File ADVENTURES: Some Zerologon, SMBGhost, and Situational Awareness. Beacon object files (BOFs) are a new capability in Cobalt Strike that allow for compiled code to run in the context of a beacon. This post introduces two exploits and a bunch of situational awareness BOFs to get you started.
• Implementing Direct Syscalls Using Hell’s Gate. Instead of baking your syscall numbers into your binary (and having to keep a list of them for every OS), use the Hell's Gate technique (LWiS 2020-06-08) to determine them dynamically. PoC here.
• MacOS Injection via Third-Party Frameworks. This is some great macOS research by Adam Chester that shows how apps that use debugging pipes (like Fiddler or VSCode) for injection as well as Electron apps for Transparency, Consent, and Control (TCC) bypass/obfuscation.
• MemFuck: Bypassing User-Mode Hooks. Sometimes you want to remove ALL the usermode hooks from your process by unmapping everything you can. In that case this project is for you - it uses some really interesting tricks to unmap DLLs and then use direct syscalls. PoC here.
• I Like to Move It: Windows Lateral Movement Part 2 – DCOM. Dominic Chell shows how DCOM can be used for lateral movement in a Windows network, including using Excel 4 macros for lateral movement.

Tools and Exploits

• DLLsForHackers generates Dlls that can be used for side loading and other attack vectors. This Dll will (maybe) not cause deadlock since it only use functions that are DllMain safe (unlike many other tools/DLL hijacking techniques). For a potentially more mature tool, see Koppeling.
• tmpmail is a command line utility that allows you to create a temporary email address and receive emails to the temporary email address. It uses 1secmail's API to receive emails. Prefer python? pydispo has you covered.
• AMSI.fail is a C# Azure Function with an HTTP trigger that generates obfuscated PowerShell snippets that break or disable AMSI for the current process. Check out the live site: www.amsi.fail.
• sshiva is a C# application that allows you to run SSH commands against a host or list of hosts.
• DiscerningFinch collects an array of OS specific string constants and then attempts to use those to brute-force decrypt the inner binary. If it succeeds it loads the inner binary into memory passing along any command line arguments that may exists. If it fails, it prints out a .NET-looking error message as feedback.
• Firefox for Android LAN-Based Intent Triggering. The SSDP engine in Firefox for Android (68.11.0 and below) can be tricked into triggering Android intent URIs with zero user interaction. This attack can be leveraged by attackers on the same WiFi network and manifests as applications on the target device suddenly launching, without the users' permission, and conducting activities allowed by the intent. Demo here.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• HTTP Toolkit is a cross platform, open source, HTTP MitM proxy. This looks super powerful, and easy to use. For HTTP request monitoring and modification, this looks easier to use than Burp Suite.
• MoveScheduler focuses on lateral movement via several different methods of scheduling tasks: Win32_ScheduledJob (C#), Win32_Scheduledjob (PowerShell), TaskScheduler Library, and PS_ScheduleTask.

This post is cross-posted on SIXGEN's blog.