Last Week in Security (LWiS) - 2020-11-23

New macOS C2 (@cedowens), Nim implant (@NotoriousRebel1), x64 AMSI bypass in VBA (@rd_pentest), VBA purging tool (@h4wkst3r/@AndrewOliveau), macOS privesc via MS Teams (@theevilbit), Kali tool developer partnership (@kalilinux/@byt3bl33d3r), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-11-16 to 2020-11-23.

News

  • SO-CON 2020 was last Friday and had a ton of good talks. Recordings are available on the conference site for 30 days, and YouTube after that.
  • Airbnb Executive Resigned Last Year Over Chinese Request for More Data Sharing. AirBnB is sharing booking data from the moment a reservation is made with China. This gives a lot of lead time to "set up" an apartment or house for surveillance. Any large tech company will soon have to face this decision of what to do about Chinese requests. We have seen how anyone who is unwilling to cooperate is blocked, and then an internal Chinese only copy is propped up.
  • Firefox 83 introduces HTTPS-Only Mode. Long time users of the HTTPS Everywhere extension from the EFF will be happy to have this feature available in the browser itself. This feature attempts to load all pages and resources via HTTPS first, instead of the usual HTTP request, 304 redirect, and HTTPS request flow normally seen. There may also be a speed up as one less request/response has to be processed. Chrome has no plans to implement a similar feature.
  • Standing up for developers: youtube-dl is back. I didn't expect this. Github/Microsoft has reinstated youtube-dl forks that remove the tests using copyright protected material. They have also changed their DCMA takedown process and created a developer defense fund. This is probably the best response I could have hoped for, and while I'm still leery of Microsoft's ultimate intentions with GitHub, for now at least it is a positive relationship.
  • Kali Linux 2020.4 Release. ZSH is now the default shell, a few new tools and version bumps, but the coolest feature is the private partnership with @byt3bl33d3r of the amazing CrackMapExec exclusive to Kali and GitHub sponsors for 30 days after each release.
  • ARM-based macOS can run iOS apps + network traffic/cert store is tied to macOS = perfect for iOS app hacking. This isn't really a new capability, since you could proxy web traffic through Burp on a macOS already. Having it all one one machine makes things slightly easier I suppose.
  • ZeroSSL offers free TLS certificates. Just like Let'sEncrypt, ZeroSSL now offers free 90 days certificates via the ACME protocol, including wildcard certificates.

Techniques

Tools and Exploits

  • Assetnote Wordlists. When performing security testing against an asset, it is vital to have high quality wordlists for content and subdomain discovery. This website provides you with wordlists that are up to date and effective against the most popular technologies on the internet, generated fresh each month!
  • IAMFinder enumerates and finds users and IAM roles in a target AWS account. With only the AWS account number of the targeted account, IAMFinder is able to identify users and roles in that environment. Upon successfully identifying an IAM role, IAMFinder can also check if this role can be assumed anonymously. The tool was developed during a red team exercise and it implemented the technique described in this blog.
  • Ghostwriter v2.0 Release. Ghostwritter is becoming a serious red team management tool. If you haven't looked into it before, it has some great new features that may help your team's workflow. There are adaptors for CobaltStrike and other tools like CobaltStrikeToGhostWriter.
  • BloodHound 4.0 - Azurehound. This is a major feature release for BloodHound, including support for Azure attack primitives in the attack graph with new nodes and edges. There is a nice cheatsheet for the new Azure functionality.
  • SwiftSpy is a macOS keylogger, clipboard monitor, and screenshotter written in Swift. Be aware it will cause TCC (Transparency, Control, and Consent) popups!
  • DInvisibleRegistry is an implementation of the null byte Run key persistence technique implemented in C# with direct syscalls via D/invoke.
  • VDM is a library to manipulate drivers exposing a physical memory read/write primitive to allow the user to call any function in the kernel. Currently the project is using gdrv.sys but can be adapted to use any driver that allows for physical memory read and write by writing 4 wrapper functions.
  • HeapsOfFun, an AMSI VBA bypass via the heap, gets an update for x64. Details here.
  • reg_hunter is a blueteam operational triage registry hunting/forensic tool written in Rust.
  • MachoDecrypt will decrypt mach-o binaries on iOS. Requires a jailbroken iPhone.
  • exclude-cdn a tool to filter out CDN hosts from a list consisting of IP's, URL's, and Domains passed via stdin. Useful for bug bounties or external penetration tests.
  • Kaspersky_Safe_Money_LPE is an 0day in the Kaspersky "Safe Money" protected browser. Pure AV schadenfreude. Demo here.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • screenity. The most powerful screen recorder & annotation tool for Chrome. It can record your desktop as well, and output to gif. Perfect for those PoC gifs!
  • rehex is a cross-platform (Windows, Linux, Mac) hex editor for reverse engineering, and everything else.

This post is cross-posted on SIXGEN's blog.