Last Week in Security (LWiS) - 2021-06-08
Bypassing NAC (@theluemmel), Outlook COM tool (@eks_perience), Transacted Hollowing (@hasherezade), SeTrustedCredmanAccess research and tooling (@tiraniddo, @Pullerze), netcat with raw sockets (@Itsuugo), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-05-31 to 2021-06-08 (bonus day!).
News
- VAN BUREN v. UNITED STATES. The CFAA cannot be used to prosecute rogue employees who have legitimate access to work-related resources (in this case, a police officer running unsanctioned database searches for money); such conduct will need to be prosecuted under different charges. This adds weight to the 9th Circuit ruling that ToS violations are not a crime.
- Justice Dept. Claws Back $2.3M Paid by Colonial Pipeline to Ransomware Gang. The DOJ stated that the ransom payment "had been transferred to a specific address, for which the FBI has the 'private key,' or the rough equivalent of a password needed to access assets accessible from the specific Bitcoin address," which caused some to believe the FBI had either "cracked" Bitcoin (no) or seized a custodial wallet. I doubt the DarkSide crew is foolish enough to use a US-based custodial exchange, and therefore the logical answer is _someone_ shelled DarkSide and transferred the Bitcoin to an address the FBI happened to control.
- Updates to our policies regarding exploits, malware, and vulnerability research. GitHub resolved its policy update on exploits in a reasonable manner. "Dual-use" security research is allowed, but you can't use GitHub itself as part of an attack (e.g. using gists for C2), and as always GitHub reserves the right to remove PoCs used in attacks.
Techniques
- 32 bits, 32 gigs, 1 click... Exploitation of a JavaScriptCore WebAssembly Vulnerability. This post examines a vulnerability in the WebAssembly subsystem of JavaScriptCore, the JavaScript engine used in WebKit and Apple Safari. The issue was patched in Safari 14.1.1. The vulnerability was discovered through source review and weaponized to achieve remote code execution. The post stops short of RCE via a kernel driver exploit, but the source code is available.
- Retrieving AWS security credentials from the AWS console. If you can dump browser cookies, you can now extract an AWS token to use in the CLI, thanks to the new CloudShell and an undocumented API.
- I got 99 problems but my NAC ain't one. Think your fancy 802.1x is going to stop a determined adversary? Think again. The star of the show is nac_bypass.
- Kerberos - A Domain's Achilles' Heel. Gives a good overview of Kerberos as well as Silver and Golden Tickets.
- Dynamic payload generation with mingw. This in-depth post explores cross-compilation of Windows binaries and shellcode on Linux using mingw64 and contains some nifty tricks, such as how to pull shellcode from the .text section of an exe.
- Your Microsoft Teams chats aren't as private as you think... This post includes a handy command pipeline to parse messages from a log file that Teams stores on disk unencrypted. There could be some good information in those chats (passwords, etc.).
- XSS in the AWS Console. This post explores two instances of XSS in the AWS console, both now fixed. It has everything you can ask for: 0days in AWS, a CSP bypass, and memes.
Tools and Exploits
- netkat is a netcat version using raw sockets to avoid iptables and/or other OS filtering mechanisms. This could come in handy if you land inside a container running with sufficient privileges to do network shenanigans.
- KnockOutlook is a C# project that interacts with Outlook's COM object in order to perform a number of operations useful in red team engagements. Be sure to check out Carbuncle and OutlookToolbox_v2 for more complete feature sets.
- PhishInSuits is a tool to automate OAuth device code phishing using verified apps, with Twilio-powered phishing SMS messages.
- Conf-thief will connect to Confluence's API using an access token, export to PDF, and download the Confluence documents that the target has access to. It allows you to use a dictionary/keyword search file to search all files in the target Confluence for potentially sensitive data. Check out the blog post: Stealing All of the Confluence Things.
- penelope is an advanced shell handler. Its main aim is to replace netcat as a shell catcher when exploiting RCE vulnerabilities. It works on Linux and macOS, and the only requirement is Python 3.
- transacted_hollowing is a PE injection technique, hybrid between Process Hollowing and Process Doppelgänging - as seen in the Osiris dropper. Check out the blog post for all the details.
- microsoftteams_getonly.profile is a C2 profile for Cobalt Strike that mimics the network traffic of Microsoft Teams. Be warned, Azure is now shutting down accounts that use domain fronting.
- payloadSecretary can be used to automatically type long base64-encoded payloads into restricted environments (VDI, Citrix, etc.).
- CredManBOF is a Beacon Object File (BOF) for Cobalt Strike that dumps the Credential Manager by abusing the SeTrustedCredmanAccess privilege. The original research was done by James Forshaw, and further information is located here.
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- BeaconHunter is a behavior-based monitoring and hunting tool built in C# that leverages ETW tracing. Blue teamers can use this tool to detect and respond to potential Cobalt Strike beacons. Red teamers can use this tool to research ETW bypasses and discover new processes that behave like beacons.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.