Last Week in Security (LWiS) - 2021-01-25

DNS C2 sandwiches (@__Masq__), VBA process dumper (@JohnWoodman15), Windows Printer + NTLM relay fun (@aionescu + @eyal_karni), VM detection trick (@gsuberland), Anti-debugging with jobs (@JustasMasiulis), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-01-18 to 2021-01-25.

News

  • Urgent Security Notice: Probable SMA 100 Series Vulnerability. SonicWall, and its customers, had a bad weekend after the hardware VPN vendor announced there was a probably 0day being actively exploited in the wild and the only mitigation was to allowlist known good clients. Today the update the statement to indicate that besides the NetExtender product, all SonicWall products may be affected. To add insult to injury, @_darrenmartyn dropped the "0day" (patched in 2015) that Phineas Fisher used to completely dismantle Hacking Team and Cayman Trust Bank. The code is on github and exploits the ancient shellshock vulnerability.
  • Meet Raspberry Silicon: Raspberry Pi Pico now on sale at $4. Raspberry Pi drops their own custom microcontroller chip, a dual core Cortex-M0+ with 264kb of RAM. They also brought in partners to help with software and support MicroPython and TensorFlow Lite Micro. Full datasheet here, and SDK documentation is available as well (C/C++, and Python). Want other languages? It won't be long; Rust has already been ported and more are sure to follow.
  • Snort 3 officially released. This release brings claims of greater speeds, more efficient rules, a new plugin system, and more. This post has a breakdown of the differences between Snort 2 and Snort 3.
  • Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop. Microsoft details the link between the Solar Winds backdoor and multiple Cobalt Strike loaders used for hands-on-keyboard exploitation activities. The use of "commodity" red team tools after such a well executed backdooring is a bit strange. Either one group handed off access to a less advanced group for "effects" on targets or perhaps the threat actors hoped the discovery of Cobalt Strike would not trigger an in depth incident response that would burn the Solar Winds backdoor.
  • New campaign targeting security researchers. This one feels close to home. A threat actor has been baiting security researchers with fake PoCs (I even linked one of the fake YouTube demos last week) and getting them to open malicious Visual Studio projects that infect their systems when built. Even more scary, there are reports of fully patched Windows 10 and Chrome visitors to the honeypot "exploit research blog" getting infected as well. If you read this blog, it might be worth checking your machine for the IOCs at the end of this article.
  • Linux is now completely usable on the Mac mini M1. This is a huge step, and perhaps one day all the performance optimizations in the M1 will be available to Linux. Code here. There is also the Asashi Linux project which is aiming to make Linux usable on Apple Silicon.
  • Linux Lockscreen Bypass News

Techniques

  • Shellcode Injection using Nim and Syscalls. Nim is the latest language to be embraced by the offensive security community, and as it gains popularity more advanced and low level techniques are being ported to Nim. This post uses NimlineWhispers to enable direct syscalls on Windows in Nim.
  • Silencing Microsoft Defender for Endpoint using firewall rules. As more enterprises enable Windows Defender for Endpoint (aka Windows Defender ATP) red teams will need to check for and adjust their post-exploitation activity accordingly. If an attacker has local admin privileges, firewall rules can selectively block the host from communicating with Microsoft cloud endpoints responsible for the advanced reporting in Security Center. Like any other security solution, lack of data should be an indicator.
  • DNS C2 Sandwich: A Novel Approach. By sending a base64 encoded query sandwiched between two legitimate queries in a DNS request, you can fool some (zeek and Suricata < 6) network monitoring tools.
  • When vulnerable library is actually your physical book
  • Malicious VBA Macro’s: Trials and Tribulations. VBA/macros remain a useful phishing tool and this post discusses how to call the Windows API via VBA, the issues involved, and how to get a pure VBA reverse shell and memory dumper down to zero Virus Total detections. While the reverse shell or memory dumper may not be immediately useful, the Windows API use and obfuscation techniques can be applied to other VBA projects.
  • Security Advisory: MSRPC Printer Spooler Relay (CVE-2021-1678). The Windows print spooler is the gift that keeps on giving. This time, the IRemoteWinSpool MSRPC interface is abused in combination with NTLM relaying to install a malicious printer driver and "print" a document to it. A PoC based on impacket is coming soon.
  • MSSQL Lateral Movement. While most MSSQL techniques require xp_cmdshell, this one loads the CLR and then a .NET executable remotely. A tool to help generate a standalone shellcode execution executable with all the requirements (connection string, SHA512 hash, etc) is available here.
  • VM Detection Tricks, Part 1: Physical memory resource maps. This is some cool research that eschews the typical methods of VM detection (cpu cores, memory size, drivers, etc) and instead goes for something much harder to spoof, and much less signatured - Physical memory resource maps. This is a great potential detection you should consider implementing in your next red team tool.
  • Syscalls with D/Invoke. Syscalls are hot. D/Invoke is hot. The combination is even hotter.
  • Windows Exploitation Tricks: Trapping Virtual Memory Access. James Forshaw is one of the grandmasters of unique Windows exploits. This one is low level, but worth the read if you are doing Windows exploit development.
  • Process on a diet: anti-debug using job objects. This one is a bit limiting, as it requires small programs with limited dynamic allocations to work properly, but the use of built in Windows systems to prevent debugging is always fun.
  • The Secret Parameter, LFR, and Potential RCE in NodeJS Apps. This one is for the web app testers and bug bounty hunters out there. The magic/horror of JavaScript allows for some strange behavior and potentially and RCE (if the version of handlebars is old enough and you can upload a template file to then include as a layout). This post reminds me of one of my favorite security conference talks.

Tools and Exploits

  • Appx_Blog is a PoC for a Windows LPE that exists if a drive has multiple partitions. Not very common, but may be useful as it is a 0day. Demo here; there is a short blog post as well.
  • Bughound is a static code analysis tool for Java and PHP based on Elasticsearch. Details here.
  • lsass is a Cobalt Strike Beacon Object File to dump lsass memory but uses a snapshot of lsass memory to do the minidump which may help evade some AV/EDR products.
  • JXA-RemoveQuarantine is a JXA script based on research by Jeff Johnson on leveraging TextEdit to remove quarantine attributes on files. It does create a brief pop up on macOS > 10.13.
  • delete-self-poc is a PoC that shows a way to delete a locked file, or current running executable, on disk in Windows. This is a common tactic on Linux, but it was previously impossible to delete a running binary on Windows.
  • SharpSphere gives red teamers the ability to easily interact with the guest operating systems of virtual machines managed by vCenter. Full blog post here.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • CDK is an open-sourced container penetration toolkit, offering stable exploitation in different slimmed containers without any OS dependency. It comes with penetration tools and many powerful PoCs/EXPs helps you to escape container and takeover K8s cluster easily.

This post is cross-posted on SIXGEN's blog.