Last Week in Security (LWiS) - 2021-02-22

Ubuntu LPE (@Gr33nh4t), open source FIDO2 🔑 (@SoloKeysSec), new ways to copy shellcode in VBA (@TheXC3LL), unconventional exploitation (@itm4n), harvesting hashes (@domchell), M1 mac malware (@ForensicITGuy), BOFs outside of CS (@TrustedSec), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-02-15 to 2021-02-22.

News

  • Solo V2 — Safety Net Against Phishing. Everyone knows FIDO2 keys are the best defense against credential phishing, but until now all the solutions have been closed source and expensive. SoloKeys' Solo V2 looks to change all that with an affordable, NFC-capable, open source FIDO2 key. I have no affiliation with SoloKeys - just a fan of what they are doing. Note: the open source firmware has been audited.
  • Sandworm intrusion set campaign targeting Centreon systems. In a three-year-long campaign, Sandworm used webshells and a Linux backdoor to access information technology providers, including web hosting providers. Based on Sandworm's history of targeting industrial control systems, ransomware, and highly public attacks (2018 Winter Olympics), perhaps this was just an effort to get free redirectors and payload hosting.
  • Brave Browser leaks your Tor / Onion service requests through DNS. This isn't the first issue with Tor and Brave (CVE-2020-8276), and likely won't be the last. Mixing Tor and a standard browser is a recipe for disaster.
  • Clipping Silver Sparrow's wings: Outing macOS malware before it takes flight. macOS-specific malware, including an ARM-compiled variant, uses the old favorite, a malicious pkg installer, to infect victims. Malwarebytes claims it has seen the malware on nearly 30,000 endpoints, while the Red Canary team says it has no evidence the malware has conducted any post-exploitation activities.
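The Brave leak above is the kind of thing a resolver log will show directly: names under the .onion special-use TLD (RFC 7686) should never reach a public DNS resolver, so any such query is a leak worth alerting on. The following detection script is an added example, not code from Brave, the Tor Project or this newsletter; the dnsmasq-style log format and the sample lines are constructed for the example, and the onion names in them are placeholders, not real services.

```python
import re
from collections import Counter

# Constructed sample resolver log lines in a dnsmasq-style
# "query[TYPE] name from client" format (an assumption for this example).
SAMPLE_LOG = """\
Feb 21 10:01:02 dnsmasq[812]: query[A] www.example.com from 192.0.2.10
Feb 21 10:01:03 dnsmasq[812]: query[A] exampleplaceholderv3addressaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion from 192.0.2.10
Feb 21 10:01:04 dnsmasq[812]: query[AAAA] www.exampleonion3456.onion from 192.0.2.11
Feb 21 10:01:05 dnsmasq[812]: query[A] onion.example.net from 192.0.2.12
Feb 21 10:01:06 dnsmasq[812]: query[A] notanonion.com from 192.0.2.12
"""

# Matches the query type, the queried name, and the client address.
QUERY_RE = re.compile(r"query\[(?P<qtype>\w+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)")


def is_onion_name(name: str) -> bool:
    """True if the name is the .onion TLD itself or any label under it.

    Case-insensitive and tolerant of a trailing dot (FQDN form), but
    'onion.example.net' or 'notanonion.com' must not match.
    """
    labels = name.lower().rstrip(".").split(".")
    return labels[-1] == "onion"


def find_onion_leaks(log_text: str) -> list:
    """Return one finding per query line whose name falls under .onion."""
    findings = []
    for line in log_text.splitlines():
        match = QUERY_RE.search(line)
        if match is None:
            continue  # not a query line; ignore other resolver messages
        if is_onion_name(match.group("name")):
            findings.append(
                {
                    "client": match.group("client"),
                    "qtype": match.group("qtype"),
                    "name": match.group("name"),
                    "line": line,
                }
            )
    return findings


def summarize_by_client(findings: list) -> Counter:
    """Count leaked .onion queries per client, to spot a chatty host quickly."""
    return Counter(f["client"] for f in findings)


if __name__ == "__main__":
    leaks = find_onion_leaks(SAMPLE_LOG)
    for leak in leaks:
        print(f"LEAK {leak['client']} {leak['qtype']} {leak['name']}")
    for client, count in summarize_by_client(leaks).most_common():
        print(f"{client}: {count} .onion queries")
```

On the constructed input only the two queries from 192.0.2.10 and 192.0.2.11 are flagged; the `onion.example.net` and `notanonion.com` lines are deliberately present to show that the check is anchored on the final label rather than on a substring. The same logic carries over to any resolver log once the regular expression is adapted to its format.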

Techniques

Tools and Exploits

  • CIMplant is a C# port of WMImplant which uses either CIM or WMI to query remote systems. It allows you to gather data about a remote system, execute commands, exfil data, and more. The tool allows connections using Windows Management Instrumentation (WMI) or the Common Information Model (CIM). CIMplant requires local administrator permissions on the target system. More information in this post.
  • endgame is an AWS pentesting tool that lets you use one-liner commands to backdoor an AWS account's resources with a rogue AWS account - or share the resources with the entire internet. Compared to other AWS offensive tools, endgame has a much wider range of supported services (18 vs 11 for the official AWS Access Analyzer). Of note, the "original" repo (salesforce) and the author's repo (kmcquade) have both been taken down. Sadly, Salesforce has a reputation for this kind of thing.
  • pcp is a command line peer-to-peer data transfer tool based on libp2p. It differs from others (like croc) because it uses IPFS instead of a centralized server.
  • AzureC2Relay is an Azure Function that validates and relays Cobalt Strike beacon traffic by verifying the incoming requests based on a Cobalt Strike Malleable C2 profile. Any incoming requests that do not share the profiles user-agent, URI paths, headers, and query parameters, will be redirected to a configurable decoy website. More information in the blog post.
  • OffensivePipeline allows you to download, compile (without Visual Studio), and obfuscate C# tools for Red Team exercises.
  • Swift-Attack is the macOS equivalent of atomic red team. It contains unit tests for blue teams to aid with building detections for some common macOS post exploitation methods.
  • SharpLAPS is a C# executable that will retrieve the LAPS password from Active Directory. It must be executed from either a Domain Administrator or an account with ExtendedRight or GenericAll rights.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • trigen is a Python script which uses different combinations of Win32 function calls in generated VBA to execute shellcode. More information here.
  • horusec is an open source tool that performs static code analysis to identify security flaws during the development process. Currently, the languages for analysis are: C#, Java, Kotlin, Python, Ruby, Golang, Terraform, JavaScript, TypeScript, Kubernetes, PHP, C, HTML, JSON, and Dart. The tool has options to search for key leaks and security flaws in all files of your project, as well as in Git history.

This post is cross-posted on SIXGEN's blog.