Jul 06 2021 Last Week in Security (LWiS) - 2021-07-06

News

• A New Kind of Ransomware Tsunami Hits Hundreds of Companies. REvil used certutil and MsMpEng.exe sideloading to great effect after compromising a popular managed service software provider.
• Telco injects ads into Google SMS 2FA Messages. If you needed any more ammo for why SMS 2FA is the worst kind of 2FA (but still much better than no 2FA!) here it is.
• How a Docker footgun led to a vandal deleting NewsBlur's MongoDB database. As someone who has dealt with UFW and Docker issues as well as a NewsBlur user I feel this post. TLDR: Docker will bypass UFW and its really hard to get them to work together.
• Windows 11 LPE tweeted. First blood?
• NSA, Partners Release Cybersecurity Advisory on Brute Force Global Cyber Campaign. Looks like the GRU is brute forcing public logins. This is your weekly reminder to force 2FA for all users.

Techniques

• Kaspersky Password Manager: All your passwords are belong to us. The silly UX prevented this poorly seeded password generator that causes every instance of Kaspersky Password Manager in the world will generate the exact same password at a given second from being caught earlier. Or dons tinfoil hat maybe something else did...
• Taking over Uber accounts through voicemail. This is an attack enabled by the fact Uber will deliver OTP codes via audio to voicemail, and the fact that voicemail boxes are usually very easy to compromise. Ensure your scoping document allows for this type of attack before attempting, as multiple parties are involved.
• A Red Team Operation Leveraging a zero-day vulnerability in Zoom. Unpacking and adding payloads to legitimate installers is a nifty trick. Without complete verification of all files in an MSI this is possible, and the best part is these applications are likely allow-listed by AV/EDR or the SOC.
• An EPYC escape: Case-study of a KVM breakout. This post describes a vulnerability in KVM’s AMD-specific code and discuss how this bug can be turned into a full virtual machine escape. This is the first public writeup of a KVM guest-to-host breakout that does not rely on bugs in user space components such as QEMU.
• GateKeeper - Not a Bypass (Again). macOS' Gatekeeper alerts users when executing files that have been downloaded, but it doesn't alert on notarized dynamic library loads, even if they have the quarantine attribute set. How this be abused? Malicious screen savers, color picker plugins, preference panes etc can be used to execute arbitrary code from the internet without any warnings. Getting the files to the correct locations is an exercise left to the reader.
• BITS Persistence for Script Kiddies. This technique is likely monitored by EDR but is worth having in your tool bag none the less.
• gcp-dhcp-takeover-code-exec. By predicting the seed to the random number generator used by Debian's DHCP client, a malicious user with access to a VM in the same subnet of a rebooting VM can impersonate the metadata service and add a malicious ssh key to the victim VM. The practical implications of this are very limited, but it remains unpatched.
• Hunting for Windows “Features” with Frida: DLL Sideloading. DLL sideloading is an underutilized technique, but as it is hard to detect, advanced adversaries are using it. The new WFH tool uses Frida to identify potentially sideload-able DLLs in programs.
• Abusing Resource-Based Constrained Delegation (RBCD) using Linux. RBCD is a confusing misconfiguration present in some Active Directory environments. This post has both an offensive and defensive walkthrough.
• Merging C# Assemblies using dnMerge. This new C# assembly merge tool is a plugin for MSBuild that plays nicely with dotnet and uses LZMA for more efficient compression than Costura, allowing more tools to stay under the 1MB limit of Cobalt Strike's execute-assembly command.
• Exploiting the Sudo Baron Samedit vulnerability (CVE-2021-3156) on VMWare vCenter Server 7.0. This in depth post digs into how the Sudo LPE works, what vCenter/Photon OS is, and how they adapted the exploit to work against vCenter 7.
• Exploit mitigations: keeping up with evolving and complex software/hardware. This projects aims to answer the question, "does my current environment have mitigation X?"
• How to exploit a vulnerable windows driver. AsRock took RWEverything, slapped some AES encryption (with hardcoded key) on the ioctl calls, and shipped it as a product. A quick overwrite of BeepDeviceControl and you have kernel execution.

Tools and Exploits

• PrintNightmare. The print spooler in Windows has a vulnerability that allows any domain user to install a print driver and achieve remote code execution.

  • Also check out the Impacket implementation which also includes a C# variant for local privilege escalation (or there is CVE-2021-1675-LPE).
  • Some testing has shown that domain controllers are vulnerable even after the June patch, possibly related to the "Point & Print" feature or perhaps "BuiltinPre-Windows 2000 Compatible Access".
  • Confused? Check this flow chart.
  • For detection this msp thread is great and there are free micropatches and a collection of resources on GitHub.
  • Official Microsoft Response

• ManuFuzzer is an LLVM-based binary, coverage-guided fuzzing framework for macOS . It is simple to integrate coverage-guided fuzzing with ManuFuzzer: just define a special function, update some build flags, and you have instant binary-only, coverage-guided fuzzing (only basic-block coverage). Using ManuFuzzer, you can instrument one or more selected frameworks for coverage and fuzz the target functions/library.
• Injector is a complete arsenal of memory injection and other techniques for red-teaming in Windows written in C#. This is a good base for writing your own loader, or testing EDR detections in a purple team scenario.
• pstf2 is an implementation of an HTTP server capable of passive browser fingerprinting to detect and block security scanning services from accessing hosted payloads.
• RelayRumbler is a proof-of-concept tool that attempts to retrieve the configuration from the memory dump of an F-Secure C3 Relay executable.
• PageTableInjection is a proof-of-concept of the page table injection technique to inject malicious code into the arbitrary user processes. Be sure to read "The Problem" section to understand stability issues.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• shutter. Not sure how I missed this gem. The goal of Shutter is to manage windows network stack communication via Windows Filtering Platform. Management can include blocking or permitting traffic based on IP or an executable that initiates or receives the traffic. This is useful to blackhole event logging, defensive agent communication, or explicitly permit specific executables to communicate if they have been previously restricted by policy and runs totally in memory. How good is that expensive EDR if it can't call home?
• agentstub ssh agent forwarding is a big win for attackers with root on a compromised machine, and this tool illustrates some private key operations that can be done with the ssh-agent like signing files with RSA private keys.
• Vanara is set of .NET libraries for Windows implementing P/Invoke calls to many native Windows APIs with supporting wrappers. Use this to easily add P/Invoke calls to your next C# tool.
• PortBender is a TCP port redirection utility that allows a red team operator to redirect inbound traffic destined for one TCP port (e.g., 445/TCP) to another TCP port (e.g., 8445/TCP). PortBender includes an aggressor script that operators can leverage to integrate the tool with Cobalt Strike. However, because the tool is implemented as a reflective DLL, it can integrate with any C2 framework supporting loading modules through a "ReflectiveLoader" interface. Be aware this loads a driver, WinDivert64.sys.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.