Last Week in Security (LWiS) - 2021-04-05

PATH shim (@djhohnstein), C2 profile randomizer (@joevest), website to wordlist tool (@Matt_Grandy_), DLL side-loading fixes (@1ndahous3), a new 🥔 tool (@micahvandeusen), txt files that leak (@PaulosYibelo), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-03-29 to 2021-04-05.

News

  • Phone numbers for 533 million Facebook users leaked on hacking forum. The data is from a 2019 scrape that abused the contact import feature, and has been circulating in private since then. Now, however, anyone who knows your name can look up the phone number used to register your Facebook account.
  • Whistleblower: Ubiquiti Breach “Catastrophic”. Despite the initially downplayed public statement in January, an insider claims the attacker "gained root administrator access to all Ubiquiti AWS accounts, including all S3 data buckets, all application logs, all databases, all user database credentials, and secrets required to forge single sign-on (SSO) cookies." Ubiquiti has since issued a new statement that did not dispute any of the facts and hinted the perpetrator may have been an insider, or "an individual with intricate knowledge of our cloud infrastructure."
  • Our reasoning for Outflank Security Tooling. Outflank, a well-known top-tier adversary simulation firm out of the Netherlands, is offering its in-house offensive toolset for a yearly license of €40,000. I agree with their thesis that effective red teams now have to be excellent developers/R&D practitioners and that was not the case 5 or more years ago. Hopefully this business model is sustainable - I think it will be. More details on the product page.
  • Update on campaign targeting security researchers. The North Korean actors that targeted security researchers with malicious project files in January 2021 have stood up a new potential watering hole. In this case, Google's Threat Analysis Group was able to notice before the site could host any malicious content.
  • Google LLC v. Oracle America, Inc.. "The Court ruled that Google's use of the Java APIs was within the bounds of fair use, reversing the Federal Circuit Appeals Court ruling and remanding the case for further hearing." While it isn't a total victory (it didn't rule that APIs couldn't be copyrighted), it's still a win.
  • Community API. Greynoise has been a useful tool for SOCs to determine if the traffic they are seeing is legitimate attacks or just noise like known scanners. Now there is a free-to-use community API!

Techniques

  • How to execute an object file: Part 2. This post picks up where the last one left off and expands the loader to handle static constant data and global variables.
  • Man in the Terminal. On Linux or macOS targets, PATH variable manipulation can allow your program to be executed before the actual program the user invokes, allowing you to shim it and retrieve credentials and other sensitive information. A proof of concept shim called cliProxy is available. A simple improvement would be for cliProxy to automatically detect the program it is invoked as and search the real PATH for that binary to proxy. That way you could compile once, and deploy for many target binaries.
  • HookDump. By using LoadLibrary and reading the DLL from disk, HookDump can compare the exported functions to detect hooks with low (or no?) false positives. Grab the code on GitHub.
  • Safe code & pitfalls: DLL side-loading, WinAPI and C++. DLL side-loading is a common persistence technique, but it can be difficult to write the "remediation" section of a report that finds usable DLL side-loading on an app assessment. This is the best blog I have found that provides technical details on how to prevent side-loading in C++.
  • Three ways of using MSBuild to beat CrowdStrike. MSBuild has been a favorite LOLBin for years now, and it still is undetected in many cases!
  • The Power of SeImpersonation. Just when you thought there couldn't possibly be any more potato exploit variants, another one drops. This new variant focuses on the ability to respond to HTTP requests or named pipe writes. The code is available as GenericPotato.
  • This man thought opening a TXT file is fine, he thought wrong. macOS CVE-2019-8761. TextEdit is the notepad.exe of macOS and it will render HTML for you without asking. Using some iframedoc and style magic, even without JavaScript Paulos is able to exfil data. Impressive work! I always run defaults write com.apple.TextEdit RichText -bool false on a new Mac to prevent the rich text rendering anyway; now it's a security hardening feature.
  • PageBuster: stealthily dump all the code ever executed. This tool can dump all executable pages from memory which is great for things like analyzing packed malware in a sandbox vs reverse engineering the packer and unpacking it by hand.
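The PATH manipulation described in the Man in the Terminal item above is easy to audit for from the defender's side. The following POSIX sh script is an added example, not cliProxy and not code from the original post; it reports PATH entries the current user can write to that are searched before the system directories, and lists every executable of a given name along a PATH so a shadowing copy shows up as more than one line. The system directory list is an assumption for this example.

```shell
#!/bin/sh
# Audit a PATH string for shim risk: a directory the current user can write to
# that is searched before the system directories lets a planted binary run in
# place of the real one. Added example; the system directory list is assumed.

# Directories assumed to hold the genuine system binaries.
is_system_dir() {
    case "$1" in
        /usr/bin|/bin|/usr/sbin|/sbin) return 0 ;;
    esac
    return 1
}

# Print every entry of the PATH string $1 that is writable by the current user
# and is searched before the first system directory. An empty entry means ".".
find_risky_path_dirs() (
    IFS=:
    for d in $1; do
        [ -z "$d" ] && d="."
        is_system_dir "$d" && break
        [ -d "$d" ] && [ -w "$d" ] && printf '%s\n' "$d"
    done
    return 0
)

# Print every executable named $1 found along the PATH string $2, in search
# order. More than one line means an earlier entry shadows a later one.
find_shadowed_command() (
    IFS=:
    for d in $2; do
        [ -z "$d" ] && d="."
        [ -f "$d/$1" ] && [ -x "$d/$1" ] && printf '%s\n' "$d/$1"
    done
    return 0
)

# Return 1 (and print the offenders) when the live PATH has a writable
# directory ahead of the system ones; return 0 otherwise.
audit_current_path() {
    risky=$(find_risky_path_dirs "$PATH")
    if [ -n "$risky" ]; then
        printf 'writable PATH entries searched before system dirs:\n%s\n' "$risky"
        return 1
    fi
    return 0
}
```

Run audit_current_path in the shell of the account being checked, since writability is evaluated for the calling user; a clean result still says nothing about directories that appear after /usr/bin, which is intentional because those cannot shadow the system copy.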

Tools and Exploits

  • PMapper is a script and library for identifying risks in the configuration of AWS Identity and Access Management (IAM) for an AWS account or an AWS organization. It models the different IAM Users and Roles in an account as a directed graph, which enables checks for privilege escalation and for alternate paths an attacker could take to gain access to a resource or action in AWS.
  • random_c2_profile is a project designed to generate Malleable C2 profiles based on the reference profiles here. This makes totally random profiles, so you may want to manually make it less random.
  • WordlistSmith is a tool to quickly scrape a website and generate a wordlist, and it supports multithreading.
  • CheeseRDP is a single C# binary that can be run via .NET Reflection and will inject into mstsc.exe to steal RDP credentials. No need to drop a DLL to disk!
  • SharpProxyLogon is a fully featured exploit for ProxyLogon (the Exchange RCE chain) that can either drop a webshell or inject shellcode into svchost.exe as SYSTEM.
  • X-Commander is an easy-to-use python tool for attacking MySQLX or XDevAPI, brute forcing and querying.
  • innernet is a private network system that uses WireGuard under the hood. While WireGuard is awesome, it's just a really good VPN and nothing more. Innernet looks to solve some of the comfort issues with WireGuard. The announcement blog post has the details.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • caronte is a tool to analyze the network flow during attack/defense capture the flag events. It reassembles TCP packets captured in pcap files to rebuild TCP connections, and analyzes each connection to find user-defined patterns.

This post is cross-posted on SIXGEN's blog.