Last Week in Security (LWiS) - 2021-02-01

Sudo LPE (@bl4sty), Cobalt Strike patching for evasion (@_xpn_), web bruteforcing (@Xst3nZ), customizing phishlets (@Bb_hacks), Kerberos LPE on Linux (@xassiz), shared file C2 (@scriptmonkey_), homograph tool (@evilsocket), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-01-25 to 2021-02-01.

News

  • NAT Slipstreaming v2.0: New Attack Variant Can Expose All Internal Network Devices to The Internet. This updated version of Samy Kamkar's work from last fall shows how a new primitive, H.323 ALG, is used to create holes in a NAT device which allow access to arbitrary IPs/ports behind it from the internet. Demo here.
  • International Action Targets Emotet Crimeware. "Operation Ladybird" saw the raiding and arrests at multiple locations across Europe linked to Emotet operators. They even release a video of one such raid.
  • A Look at iMessage in iOS 14. With iMessage being a standard target for 0 or 1 click exploits, Apple has introduced a new "BlastDoor" service and other improvements to make these attacks much more difficult.
  • Top macOS researcher escapes the rat race. Patrick Wardle has been the go-to guy for macOS research and malware analysis. He has given countless conference talks, found just as man 0days, and is now publishing all his macOS utilities as open source under the GPL. This "sponsorship" model of security research is interesting, and I hope it enables more people to focus on interesting problems while also giving back to the community that supports them.
  • What went wrong with America’s $44 million vaccine data system?. I fully admit this is a difficult problem to solve. But is it a $42 million no-bid contract difficult problem? Has America learned nothing from the healthcare.gov fiasco? The sad reality is there is likely a team of overworked developers at Deloitte trying their best to make VAMS work, and they will see almost none of that $42 million.
  • OSWatcher updated and organized into GitHub org. This project captures the changes between operating system versions as git commits, which makes it easy to pinpoint exactly when a file was added to an OS, along with lots of metadata about the files. This is a project that can help both red and blue teams as it provides foundational information about target operating systems.

Techniques

  • A tale of EDR bypass methods. If you only click one link from this week's blog, click this one. It's a full recap of the last two years of EDR bypasses for Windows with detail on each method. Lots of things to explore from this one if you haven't been keeping a close eye on EDR bypasses.
  • Tailoring Cobalt Strike on Target. Cobalt Strike beacons have to be configured before delivery, but in strict environments a wrong user agent can start an investigation and potentially loose access. @_xpn_ shows how red teamers can perform some basic recon on target and then patch a Cobalt Strike beacon to blend in before the first connection to C2 is ever made. Demo here, code here.
  • From N-day exploit to Kerberos EoP in Linux environments. This is textbook advanced adversary emulation. Faced with a fully up to date Red Hat machine, the BlackArrow red team researched and developed a working exploit for an Nday with no public PoC. Their PoC is available on GitHub.
  • Introducing FComm – C2 Lateral Movement. FComm provides an additional communication method for the PoshC2 framework. It provides a way to circumvent certain lateral movement limitations using file-based communications. This is a neat way to communicate in a restricted environment where two machines have common access to files (usually via a file share). This can be slow, but has the advantage of no visible TCP/IP connection to defenders. FComm has been merged into PoshC2.
  • BitLocker touch-device lockscreen bypass. This is the second lockscreen bypass using a similar technique in a short time. Once you get the narrator to jump to the windows behind the lockscreen, an attacker can execute code from a thumb drive fairly easily. Demo here. Do not leave your devices unattended, but especially do not leave your devices powered on an unattended.
  • Customizing an existing evilginx phishlet to work with modern Citrix. This is a great post that shows what really happens on engagements. Find a tool, spin it up, test it out - failure. Troubleshoot, fail, troubleshoot fail, repeat until success. I'm storing this one away for my next use of evilginx2 against a constantly changing login portal.

Tools and Exploits

  • Heap-based buffer overflow in Sudo (CVE-2021-3156). While it sounds similar to CVE-2019-18634 (LWiS 2020-02-10) this vulnerability affects default configurations, and has been around for 9 years. I suspect an exploit for this will become the DirtyCow of 2021. There is a good writeup that uses a fake libnss load to get a shell, and a PoC from a different source. Want to play with different exploits? Grab docker-CVE-2021-3156. Funny enough, while testing this exploit another minor issue in Sudo was discovered.
  • ditto is a tool for IDN homograph attacks and detection. This could make your next phishing engagement really blend in.
  • web-brutator if a fast, modular, web interface bruteforcer. Sometimes you want to throw some credentials at a web login without writing all the boilerplate. This includes modules for many known content management systems and makes it easy to write your own custom brute-forcing module.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • ProcDOT turns thousands of monitored activities into a big behavioral picture - actually a graph - which can be interactively explored making behavioral malware analysis as efficient as it never was before. It takes in Procmon and pcap to generate the graph.

This post is cross-posted on SIXGEN's blog.