Last Week in Security (LWiS) - 2021-03-15

Bloodhound Enterprise (@_wald0), reproducing ProxyLogon (@amlweems), Wireshark 1-click RCE (@positive_sec), free IOC API (@abuse_ch), VM detection trick (@gsuberland), IoT 🐚s via PCI (@_p0ly_), opensource AirTags (@Sn0wfreeze), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-03-08 to 2021-03-15.

News

  • Proxylogin fallout
  • Bloodhound Enterprise. From the creators of BloodHound, a SaaS technology that continuously identifies and quantifies the most critical Active Directory choke points. Measurable, practical remediation guidance enables the elimination of millions of attack paths within your existing Active Directory architecture. The product is scheduled for release this summer (2021) and I am excited to see it help organizations lock down their AD environment.
  • OVH data centre destroyed by fire in Strasbourg – all services unavailable. This is your weekly reminder that the cloud is just someone else's computer. Backups still matter!
  • Introducing sigstore: Easy Code Signing & Verification for Supply Chain Integrity. Let's Encrypt but for code signing. Most importantly: "sigstore will be free to use for all developers and software providers, with sigstore’s code and operation tooling being 100% open source." This is a good step that I hope lots of developers use. Imagine being able to subscribe to a monitor service for all the dependancies in your project. The transparency may also provides an OSINT opportunity for red teams. You can monitor the progress of the tools on GitHub.
  • A Hacker Got All My Texts for $16. A layered network of providers eventually allows the complete re-routing of SMS messages, with no verification or notification to the end user (since fixed by the one provider tested). The fact that 3 separate companies were involved means that there are APIs that allow this with no verification. What would it take for an attacker to either find a new provider that does not do verification or create their own to gain access to the APIs? If a services offers app based (or better, hardware key based) multifactor authentication, choose it over SMS every time.
  • Who Can Find My Devices? Security and Privacy of Apple’s Crowd-Sourced Bluetooth Location Tracking System. This report on the closed source tracking system (and upcoming AirTags) that will help locate lost devices by using every Apple device with Bluetooth as a global sensor has some flaws. However, it's clear that care was taken in the design to preserve privacy more so than other similar systems (e.g. Tile). Don't want to wait for AirTags? Build your own now using openhaystack. Due to the private design of the Apple system, it will be hard (impossible?) to prevent this kind of third party use.
  • Introducing ThreatFox. ThreatFox is a community driven project from the creator of abuse.ch and MalwareBazaar where security researchers and threat analysts can share indicators of compromise (IOCs) with the infosec community for free, and without the need of a registration.
  • Whitelist Me, Maybe? “Netbounce” Threat Actor Tries A Bold Approach To Evade Detection. Imagine being so confident in your malware, you email it directly to one of the 2 vendors that have marked you malicious in VirusTotal and ask to be whitelisted. No such luck this time, but how many times has it worked?
  • A Spectre proof-of-concept for a Spectre-proof web. It's pretty wild that the Google team managed to get Spectre working via Javascript in a sandboxed browser, but perhaps the most interesting bit of this post is, "in our tests the attack was successful on several other processors, including the Apple M1 ARM CPU, without any major changes."

Techniques

Tools and Exploits

  • git: malicious repositories can execute remote code while cloning. As someone who clones a lot of git repos, this one is personal. From the advisory: On case-insensitive filesystems, with support for symbolic links, if Git is configured globally to apply delay-capable clean/smudge filters (such as Git LFS), Git could be fooled into running remote code during a clone. Update your git clients! Windows has LFS enabled by default and is vulnerable (other OSs have to enable LFS). This is also not the first git LFS vulnerability (see CVE-2020-27955).
  • Three distinct vulnerabilities discovered by GRIMM while researching the Linux kernel combine as LPE. A kernel pointer leak plus a heap buffer overflow allows for local privilege escalation on modern Linux (RHEL 8.1-8.3).
  • RunDLL.Net is a project to execute .Net assemblies using Rundll32.exe.
  • FOLIAGE. This is an interesting project that implements a DNS-over-HTTPS persistence stager with memory obfuscation a la gargoyle. This project uses NtContinue as the "gadget" which gets around argument limits to manipulate the return address to NtTestAlert() which allows the code to run the next time it is called.
  • DisablePPLDriverPoc is a custom driver to disable protected process light and dump lsass. The driver is not signed, so it must be loaded via a driver signing bypass to work.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • cosmonim is a simple example to show how can you use cosmopolitan with Nim. Could this be used to write the ultimate cross platform dropper for those cases where an exploit could land you on a Windows or Linux machine?
  • ebpfsnitch is a Linux Application Level Firewall based on eBPF and NFQUEUE. It is inspired by opensnitch and Douane but utilizing modern kernel abstractions - without a kernel module.
  • http_bridge is a client that allows for socks5 proxying over standard HTTP verbs (no CONNECT) through a Linux server running PHP. Similar to Cloak.
  • Go-RouterSocks managing multiple chisel sessions can be a pain. This tool exposes a single socks5 proxy port, and allows dynamic routing of networks to specific chisel sessions.

This post is cross-posted on SIXGEN's blog.