Last Week in Security (LWiS) - 2020-12-14

Great breach analysis (@FireEye), HTTPS Signing in Burp (@sanktjodel), Ghidra VirusTotal plugin (@kasifdekel), Dynamic API hook evasion (@matterpreter), EDR hook detection in VBA (@TheXC3LL), Kerberos Bronze Bit attack (@jakekarnes42), PtH methods (@n00py1), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-12-07 to 2020-12-14.

News

  • Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. This is the first good example of some proper hacking we've seen in a long time. The past few years have seen reporters and cybersecurity companies slap the "Advanced Persistent Threat" (APT) label on any group capable of getting a shell in a corporate environment, which has weakened the term. This analysis took a village, and it shows. Excellent technical detail that exposes the lengths this actor went to in order to prevent detection. Last week started as a PR disaster for FireEye, but the fact that they were seemingly the only affected organization to detect this activity may end up actually being a big PR win. If you only read one thing this week, it should be this technical report. Lots of good tradecraft within. For defenders, load up the sunburst_countermeasures and get to hunting. Krebs has an overview of the potential scope of the compromise here.
  • Unauthorized Access of FireEye Red Team Tools. The big news story of the week was the compromise of FireEye by an advanced adversary - until the SolarWinds news broke. The loss of their Red Team tools feels like a red herring; you wouldn't use your Ocean's Eleven level crew/tools to steal lock picks from an Amazon warehouse. There were no 0days, and most tools appeared to be based on open source tools. The real target is likely access to the hardware/software supply chain - FireEye has lots of network devices in interesting places - as well as the Red Team report data. Why spend a lot of time finding vulnerabilities when you can pinch the reports? BishopFox has analysis on the tools based on the countermeasures FireEye released.
  • Suspected Russian hackers spied on U.S. Treasury emails. The software supply chain is an underrated attack vector. Compromise of a supplier and the ability to backdoor updates could give an attacker access to hundreds of high value networks in a single move. This is fallout from the SolarWinds news, and shows just how many organizations were affected.
  • CentOS Project shifts focus to CentOS Stream. "Shifts focus" is a polite way to say "abandons commitment to stability." CentOS 8 is now EOL 2021-12-31 instead of the previously stated 2029-05-31 - a casual 7.5 year change. rocky-linux looks poised to take up the "100% bug-for-bug compatible with RHEL" cause and is backed by the CentOS founder. IBM's acquisition of Red Hat is not getting off to a good start.
  • ms-teams-rce. This is a great example of the potential dangers of Electron. An XSS bug led to cross-platform RCE. Unfortunately, Microsoft gave this the lowest severity rating and also said that Electron apps (like Teams) are out of scope. Not a good look. Simply viewing a chat could trigger the RCE. The bugs were patched in October 2020.
  • rizin is a new fork of radare2 that states its purpose is to focus on stability and inclusiveness. They also brought over the team behind Cutter, which is a nice cross-platform C++ GUI frontend. It will be interesting to see how this fork goes.
  • Improving DNS Privacy with Oblivious DoH in 1.1.1.1. This is a good step toward private DNS lookups. It is basically a limited and fast Tor network for DNS-over-HTTPS queries with proxies that can't see content and resolvers that only see requests from proxies. I hope it is adopted into the cloudflared stub resolver soon.
  • Good-bye ESNI, hello ECH! As someone very interested in ESNI, this is great progress! The new advances like the HTTPS resource record type and Hybrid Public Key Encryption address the issues with ESNI. ECH and Oblivious DoH give me hope for some privacy in the otherwise surveillance-ridden dystopian cyberpunk future.
  • Use Secure LDAP to log into macOS with Google credentials. Google has had this ability via the Google credential provider for Windows for some time, but this is new to macOS (without using Jamf Connect). This should be useful to Google Workspace centric shops.

Techniques

  • Alternative ways to Pass the Hash (PtH). Pass-the-Hash is one of the classic lateral movement techniques for Windows environments. @n00py1 shows some lesser known methods such as WinRM, RDP, smbclient, LDAP, Pass-the-Ticket, mount, SSH, and resource based constrained delegation.
  • ABSTRACT SHIMMER (CVE-2020-15257): Host Networking is root-Equivalent, Again. Containers prove to be a weak security boundary again (the UAC of Linux!?). This post dives into the inner workings of containerd-shim to pull out a nice vulnerability. Exploit drops 2021-01-11.
  • State of the art of network pivoting in 2019. Don't be fooled by the title, the post is a fresh translation of a blog post from last year with lots of good content.
  • Adventures in Dynamic Evasion. This is a forward-looking post that describes how to profile and dynamically evade user mode API hooking with a two staged implant. The first stage just detects the hooks and reports back, and the C2 delivers a custom second stage that has direct syscalls in place of the hooked functions. SHAPESHIFTER is the PoC, and the Demo is here.
  • Red Teamer Plays with JARM. Salesforce's JARM was an interesting addition to the Blue Team toolkit, and in this post Mudge shows that the CobaltStrike JARM fingerprint is in fact the Java 11 TLS stack's fingerprint. But if you're reading this, you have all your teamservers behind redirectors anyway, right?
  • Microsoft on-premises to the cloud using Seamless Single Sign-On. If you can execute code on a machine where a user is logged into Azure AD, you can extract the user's ticket granting ticket and the HTTP ticket granting service ticket. With these two tickets and a local policy change on your attacker VM, you can load these tickets into memory with mimikatz and log into Azure or Microsoft 365 as the user! Thalpius' tool Kerberos now includes this as an option!
  • AS_REP Roasting vs Kerberoasting is a good post if you need a quick refresher on either AS_REP or kerberoasting with practical command examples and brief mitigations.
  • Tutorial of ARM Stack Overflow Exploit against SETUID Root Program. There are lots of stack overflow walkthroughs for x86 and even x86_64, but not as many for ARM. This is a good one that includes partial RELRO (ASLR) and NX. As more IoT devices (and Apple computers!) move to ARM, this flavor of exploit will grow in popularity. Grab a Raspberry Pi and follow along!
  • 4 Free Easy Wins That Make Red Teams Harder. This has some good quick wins for blue teams, and also should make red teams think about evolving their tradecraft to include things that aren't covered by these four easy wins.
  • Watchcom discovers new Cisco Jabber vulnerabilities. This should sound familiar (LWiS 2020-09-07), as this company found the previous RCE bug in Cisco Jabber. It looks like the patch was a band-aid, because when they did a verification audit the root cause remained and three new CVEs fell out. Another reminder that a patch is not always the death of a bug.
  • CVE-2020-17049: Kerberos Bronze Bit Attack – Practical Exploitation. This one is a bit complicated (Kerberos always is) but if you have access to a domain machine, the password hash of a service account, and that service account is allowed to perform constrained delegation to another service, you're in luck! You can use this vulnerability to authenticate to the second service as any user.

Tools and Exploits

  • HTTPSignatures is a Burp Suite extension implementing the Signing HTTP Messages draft protocol. This allows Burp Suite users to seamlessly test applications that require HTTP Signatures. More details in this blog post.
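To show what an application (or a Burp extension) has to compute for such a request, here is an added example, not code from the HTTPSignatures extension: it builds the draft's signing string from the covered headers, signs it, and verifies it server-side. It assumes the "Signing HTTP Messages" (cavage) draft's header format with the HMAC-SHA256 variant; the key, host and date values are constructed for the demo.

```python
import base64
import hashlib
import hmac

# Constructed sample data for the demo (not real credentials).
SAMPLE_KEYS = {"client-1": b"constructed-demo-hmac-key"}
SAMPLE_HEADERS = {"Host": "api.example", "Date": "Mon, 14 Dec 2020 00:00:00 GMT"}
COVERED = ["(request-target)", "host", "date"]   # headers the signature covers
REQUIRED = {"(request-target)", "date"}          # a verifier should insist on these

def signing_string(method, path, headers, covered):
    """Draft signing string: one 'name: value' line per covered header, in order;
    None if a covered header is absent (the draft treats that as an error)."""
    lower = {k.lower(): v for k, v in headers.items()}
    lines = []
    for name in covered:
        if name == "(request-target)":
            lines.append(f"(request-target): {method.lower()} {path}")
        elif name in lower:
            lines.append(f"{name}: {lower[name].strip()}")
        else:
            return None
    return "\n".join(lines)

def sign(method, path, headers, covered, key_id, key):
    """Client side: produce the Signature header value (HMAC-SHA256, 'hs2019')."""
    base = signing_string(method, path, headers, covered)
    mac = hmac.new(key, base.encode(), hashlib.sha256).digest()
    sig = base64.b64encode(mac).decode()
    return (f'keyId="{key_id}",algorithm="hs2019",'
            f'headers="{" ".join(covered)}",signature="{sig}"')

def parse_params(value):
    """Split 'k="v",k="v"' into a dict; base64 never contains commas."""
    params = {}
    for part in value.split(","):
        k, _, v = part.partition("=")
        params[k.strip()] = v.strip().strip('"')
    return params

def verify(method, path, headers, keys):
    """Server side: True only for a valid signature that covers REQUIRED."""
    lower = {k.lower(): v for k, v in headers.items()}
    p = parse_params(lower.get("signature", ""))
    covered = p.get("headers", "").split(" ")
    if not REQUIRED.issubset(covered) or p.get("keyId") not in keys:
        return False
    base = signing_string(method, path, headers, covered)
    if base is None:
        return False
    expected = hmac.new(keys[p["keyId"]], base.encode(), hashlib.sha256).digest()
    try:
        given = base64.b64decode(p.get("signature", ""), validate=True)
    except ValueError:
        return False
    return hmac.compare_digest(expected, given)
```

Note that the verifier rejects signatures that omit `(request-target)` or `date`, since a signature that covers neither can be replayed against other paths or indefinitely.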
  • Windows Cloud Filter Arbitrary File Creation EoP. James Forshaw drops a nice little Windows LPE that abuses the Cloud Filter driver used in mounting cloud file systems like OneDrive to create arbitrary files in protected directories. A simple PoC is included, but getting it to LPE is an exercise left for the reader. The vulnerability was patched 2020-12-08.
  • PsExec Local Privilege Escalation. This one requires an attacker to create the PSEXECSVC named pipe before the PsExecSvc starts, which gives them write access to it. Since the service blindly accepts commands via that pipe, the attacker is able to execute programs as SYSTEM. Code here.
  • VTgrepGHIDRA is an unofficial VirusTotal plugin for Ghidra which integrates VTGrep into Ghidra, making it easy to search for similar code, strings, or sequences of bytes.
  • SirepRAT was just updated to support Python3. This tool exploits the Sirep Test Service that’s built into the Windows IoT Core image.
  • WADComs is an interactive cheat sheet, containing a curated list of offensive security tools and their respective commands to be used against Windows/AD environments. It's like GTFOBins or LOLBAS for Windows/AD exploitation.
  • VBA Macro to detect EDR Hooks is exactly that.
  • DoppelGate is designed to provide a method of extracting syscalls dynamically directly from on-disk ntdll. It's named DoppelGate due to the borrowing of ideas/techniques used in Process Doppelganging and the Hell's Gate technique.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • Maltiverse is a (currently) free IOC search engine.
  • SnitchDNS is a database-driven DNS server with a Web UI, written in Python and Twisted, that makes DNS administration easier, with all configuration changes applied instantly without restarting any system services. One of its main features is the logging of all DNS queries, allowing the discovery of network traffic endpoints, and it can also be used to implement canary tokens as it supports notifications via e-mail, web push, Slack, and Teams.
  • The xcyclopedia project attempts to document all executable binaries (and eventually scripts) that reside on a typical operating system. It provides a web page to view the data as well as a machine-readable format (JSON and CSV) that can be used immediately in other systems such as SIEMs to enrich observed executions with contextual data.
  • Twake is a collaborative platform which improves teamwork. A self-hosted Slack with video chat and collaborative document editing.

This post is cross-posted on SIXGEN's blog.