May 11 2021 Last Week in Security (LWiS) - 2021-05-10

News

• Media Statement Update: Colonial Pipeline System Disruption. The gasoline pipeline that runs up the east coast of the US is partially shut down and is operating on manual control after a DarkSide ransomware attack. After large media attention, the DarkSide crew released a statement that "our goal is to make money, and not creating problems for society." Perhaps choose a line of work that doesn't involve ransoming data?
• Consultation Paper on proposed amendments to the ICT Act for regulating the use and addressing the abuse and misuse of Social Media in Mauritius. The small Indian Ocean nation is proposing to "segregate... all incoming and outgoing internet traffic in Mauritius, social media traffic, which will then need to be decrypted, re-encrypted and archived for inspection purposes as and when required." Man-in-the-middle-ing a whole country is easier when there are only four fiber lines in and out, until Starlink arrives. This will require all citizen to install a new Certificate Authority - a process few understand and will normalize a dangerous process leaving the door open to malware and scammers.
• SA44784 - 2021-04: Out-of-Cycle Advisory: Multiple Vulnerabilities Resolved in Pulse Connect Secure 9.1R11.4. Nothing like a CVSS 10.0 remote unauthenticated code execution vulnerability in your VPN to wake you out of the normal vulnerability reviews. This one is already being exploited in the wild.
• 21Nails: Multiple vulnerabilities in Exim. Some serious issues discovered in the popular Exim mail server, including a chain that could allow for unauthenticated RCE as root. Exim has released an update, which CISA is pushing. PoC video here.
• Twitter Tip Jar reveals address of tipper. PayPal, like parent company eBay, is stuck in the early 2000's and coasting on market dominance. It's surprising no one at Twitter caught this before launch.
• Feral Terror vulnerability (some NETGEAR smart switches). Update those Netgear switches before the PoC drops on 2021-05-17!
• CVE-2021-21551- Hundreds Of Millions Of Dell Computers At Risk Due to Multiple BIOS Driver Privilege Escalation Flaws. A driver shipped with most (all?) Dell Windows computers contained 5 flaws, 4 of which can be exploit for local elevation of privileges. PoC is being withheld until 2021-06-01 to allow patches to propigate.

Techniques

• A physical graffiti of LSASS: getting credentials from physical memory for fun and learning. With all the modern protections on memory access, what if you just used "physical" memory access to get secrets from LSASS? This post shows how the WinPmem driver can do just that. PoC code here.
• 'Phishing' Sites Buying Workplace Login Details Linked to Well-Funded Startup. Stop phishing with tricks and just buy access? Bold and seemingly effective.
• Malicious Office 365 Apps Are the Ultimate Insiders. In the age of the cloud, a 3rd-party "app" for your cloud is the ultimate persistence technique.
• Assembly.Lie – Using Transactional NTFS and API Hooking to Trick the CLR into Loading Your Code “From Disk”. Using some NTFS tricks, you can make your CLR assemblies appear to be loaded from "legitimate" looking paths on disk, like system32. For PoC code check out SharpTransactedLoad.
• Data Only Attack: Neutralizing EtwTi Provider. While this method requires a driver signing bypass (or Arbitrary Ring 0 R/W), as more EDR vendors move to the kernel this is the future of anti-detection engineering.
• Bypassing EDR real-time injection detection logic. This is the post that explains the reasoning behind last week's DripLoader release.

Tools and Exploits

• DoubleStar is a personalized/enhanced re-creation of the Darkhotel "Double Star" APT exploit chain with a focus on Windows 8.1 and mixed with some custom techniques. While this exploit chain makes use of two (now patched) 0day exploits, it also contains an elevation of privilege technique which is still as of 2021-05-10 not patched, and remains feasible for integration into future attack chains today.
• Introducing Mystikal. As more small and even large businesses adopt macOS, red teams are starting to focus more on the previously obscure platform. Mystikal is an initial access payload generator for macOS that includes: pkg installer with JavaScript, Microsoft Office Macros, and Armed "PDFs" (apps). Code here.
• keygrabber is a script for grabbing keys from a Linux host. Useful during red team exercises to quickly help assess what access to a Linux host can lead to.
• FalconEye is a windows endpoint detection software for real-time process injections. It is a kernel-mode driver that aims to catch process injections as they are happening (real-time). Since FalconEye runs in kernel mode, it provides a stronger and reliable defense against process injection techniques that try to evade various user-mode hooks. Add this to your detection lab and see if you can bypass it!
• DomainBorrowing is a Covenant implementation of the evolution of my talk on Domain Hiding (since crippled by Cloudflare). Using some smaller CDNs it's possible to "borrow" a wildcard certificates if you register a nonexistent subdomain with them. Like Domain Hiding, this technique likely has a short shelf life but is really great research!
• lateralus is a terminal based phishing campaign tool with template support. Could be useful for quick campaigns where you don't need the full power of something like Gophish.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• poseidon is a fully featured macOS Mythic implant with some Linux functionality as well.
• metacall/core allows calling functions, methods or procedures between multiple programming languages. The ability to glue together multiple languages into a single solution without much overhead is very cool.

This post is cross-posted on SIXGEN's blog.