Last Week in Security (LWiS) - 2021-08-23

iOS CSAM fallout, JS surveillance framework (@imp0rtp3 + @felixaime), 1Password dumper (@djhohnstein), Windows user behavior (@Oddvarmoe), BOF dev walkthrough (@0xBoku), support opensource (@porchetta_ind), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-08-16 to 2021-08-23.

News

Techniques

Tools and Exploits

  • Added EfsRpc method (aka PetitPotam). SweetPotato gets a PetitPotam upgrade so if you have SeImpersonatePrivilege on a fully patched windows 10 machine, you can get SYSTEM.
  • ServiceMove-BOF is a new lateral movement technique by abusing Windows Perception Simulation Service to achieve DLL hijacking code execution. Note that is work on Windows 10 1809 or above only.
  • BOF-ForeignLsass dumps lsass memory by opening a handle to a process that already has a handle open to lsass, with the hopes of looking less suspicious by stealing this "legitimate" handle.
  • kubescape is the first tool for testing if Kubernetes is deployed securely as defined in Kubernetes Hardening Guidance by to NSA and CISA.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.