Last Week in Security (LWiS) - 2021-08-23
iOS CSAM fallout, JS surveillance framework (@imp0rtp3 + @felixaime), 1Password dumper (@djhohnstein), Windows user behavior (@Oddvarmoe), BOF dev walkthrough (@0xBoku), support opensource (@porchetta_ind), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-08-16 to 2021-08-23.
News
- Apple CSAM fallout:
- Opinion: We built a system like Apple’s to flag child sexual abuse material — and concluded the tech was dangerous. A group from Princeton built a similar system to what Apple has deployed and decided it was too dangerous to put into practice. "Apple is gambling with security, privacy and free speech worldwide."
- Working Collision? #1. This was the start of the collisions but it quickly snowballed.
- neural-hash-collider can generate collisions on demand.
- Had enough of Apple? Look into GrapheneOS, CalyxOS, or even a PinePhone.
- Apple Appeals Corellium Copyright Lawsuit Loss After Settling Other Claims. Last week the news section had a good news story about Apple dropping a case against Corellium. They've appealed the other case they lost. All this while claiming security researchers would be a check against CSAM scanning abuse...
- A Hacker Stole and Then Returned $600 Million. The wild west of finance sees its largest heist yet (yes, bigger than Mt. Gox). For technical details (facepalm warning) check out rekt.
- Microsoft announces price increase for Office 365 and Microsoft 365. E5 is still crazy expensive.
- Porchetta Industries Launches. "The Information Security Industry doesn't have a direct way to support Offensive & Defensive Open Source Security Tool developers even though it relies on them for a large portion of their services and/or internal capabilities. We're here to change that. Porchetta Industries provides a centralized platform for organizations to fund and support Open Source Security Tools."
Techniques
- 1Password Secret Retrieval — Methodology and Implementation. Password managers are a juicy target for post-exploitation. This post explores the 1Password password manager and offers some detection tips. If an attacker is already injecting code into processes undetected, it might be too late. Check out 1PasswordSuite for the tools.
- Executing Code In Context Of A Trusted Agent (Part 1) - Windows Defender Antivirus. The only thing better than bypassing AV is running in the context of AV itself. PoC here.
- Introducing GoKart, a Smarter Go Security Scanner. If you've got some Go code to review or are trying to exploit, give gokart a shot.
- Domain Escalation – PrintNightmare. Need a refresher or reference on all the PrintNightmare madness? This post covers remote discovery and exploitation.
- Uncovering Tetris – a Full Surveillance Kit Running in your Browser. A watering hole attack used JSON hijacking and other methods to attempt to identify users. It even attempted to steal secrets from the user's local machine over WebSockets!
- Oh, Behave! Figuring Out User Behavior. Once you gain access to a target workstation, how do you determine what the user does day to day? Which applications would be best to backdoor for persistence? This post explores some ways to answer these questions.
- Spoofing Azure AD sign-ins logs by imitating AD FS Hybrid Health Agent. If you have local admin on the AD FS server you can export the AD FS Hybrid Health Agent secret and spam the Azure AD sign-in logs with fake entries.
- Creating the WhereAmI Cobalt Strike BOF. Bobby has been on a roll, churning out BOFs at a rapid pace. It likely took significant extra time to document and write up the process behind whereami which dumps the environment variables without calling the WinAPI, and for that I am grateful!
- Responder's DHCP Poisoner. Responder 3.0.7.0 comes with a new DHCP module! Learn about it in this post.
- Razer Windows LPE. Plugging in a Razer mouse (or a device spoofing its USB vendor and product IDs) makes Windows fetch and run the Razer Synapse installer as SYSTEM; the installer's file dialog can then be used to spawn a SYSTEM prompt. I don't believe this has been weaponized without physical access or desktop interaction yet.
- Integer Overflow to RCE — ManageEngine Asset Explorer Agent (CVE-2021–20082). This is a great in-depth post on the productization of an integer overflow into RCE.
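The ManageEngine post above turns a length-field integer overflow into RCE. As an added illustration of that bug class (example code written for this post, not code from the ManageEngine post or the CVE-2021-20082 exploit), here is a constructed, hypothetical message format whose vulnerable bounds check wraps around on a large declared payload length, alongside the hardened check that cannot wrap. The wire format, constants and function names are all assumptions made for the example:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <inttypes.h>
#include <string.h>

/* Constructed message format (assumption for this example, not ManageEngine's):
 * bytes 0-3: magic "MSG1", bytes 4-7: little-endian payload length, then payload. */
#define HDR_LEN 8u
#define BUF_CAP 256u

struct msg {
    uint32_t len;
    uint8_t data[BUF_CAP - HDR_LEN];
};

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: adds header and payload length in 32-bit arithmetic and
 * compares the (possibly wrapped) sum to the buffer capacity. Returns the byte
 * count the check would let memcpy copy, or -1 if rejected. It deliberately does
 * not copy, so the wrapped case can be observed without crashing. */
static int64_t vuln_checked_copy_len(const uint8_t *pkt, size_t pkt_len) {
    if (pkt_len < HDR_LEN || memcmp(pkt, "MSG1", 4) != 0) return -1;
    uint32_t payload_len = rd32le(pkt + 4);
    uint32_t total = HDR_LEN + payload_len;   /* wraps when payload_len >= 0xFFFFFFF8 */
    if (total > BUF_CAP) return -1;           /* passes for a wrapped total of 2 */
    return (int64_t)payload_len;              /* memcpy(buf, pkt + 8, payload_len) would overflow */
}

/* Hardened pattern: compare the untrusted length against the remaining room
 * (no addition, so no wrap) and against what actually arrived on the wire. */
static int64_t safe_checked_copy_len(const uint8_t *pkt, size_t pkt_len) {
    if (pkt_len < HDR_LEN || memcmp(pkt, "MSG1", 4) != 0) return -1;
    uint32_t payload_len = rd32le(pkt + 4);
    if (payload_len > BUF_CAP - HDR_LEN) return -1;   /* cannot exceed the destination */
    if (payload_len > pkt_len - HDR_LEN) return -1;   /* cannot exceed the received bytes */
    return (int64_t)payload_len;
}

/* Only the hardened check is ever allowed to drive a real copy. */
static bool parse_msg_safe(const uint8_t *pkt, size_t pkt_len, struct msg *out) {
    int64_t n = safe_checked_copy_len(pkt, pkt_len);
    if (n < 0) return false;
    out->len = (uint32_t)n;
    memcpy(out->data, pkt + HDR_LEN, (size_t)n);
    return true;
}

/* Builds a packet whose header claims declared_len bytes regardless of how many
 * payload bytes are really appended; this is how an attacker crafts the overflow. */
static size_t build_pkt(uint8_t *buf, uint32_t declared_len,
                        const uint8_t *payload, size_t payload_len) {
    memcpy(buf, "MSG1", 4);
    buf[4] = (uint8_t)(declared_len & 0xff);
    buf[5] = (uint8_t)((declared_len >> 8) & 0xff);
    buf[6] = (uint8_t)((declared_len >> 16) & 0xff);
    buf[7] = (uint8_t)((declared_len >> 24) & 0xff);
    memcpy(buf + HDR_LEN, payload, payload_len);
    return HDR_LEN + payload_len;
}

/* Runs one crafted packet through either check and returns its verdict. */
int64_t run_case(uint32_t declared_len, const char *payload, bool hardened) {
    uint8_t pkt[64];
    size_t n = build_pkt(pkt, declared_len, (const uint8_t *)payload, strlen(payload));
    return hardened ? safe_checked_copy_len(pkt, n) : vuln_checked_copy_len(pkt, n);
}

int main(void) {
    /* Declared length 0xFFFFFFFA: 8 + 0xFFFFFFFA wraps to 2, so the vulnerable
     * check approves a ~4 GiB memcpy while the hardened check rejects it. */
    printf("crafted, vulnerable check: %" PRId64 "\n", run_case(0xFFFFFFFAu, "AB", false));
    printf("crafted, hardened check:   %" PRId64 "\n", run_case(0xFFFFFFFAu, "AB", true));
    printf("valid,   hardened check:   %" PRId64 "\n", run_case(5u, "hello", true));
    struct msg m;
    uint8_t pkt[64];
    size_t n = build_pkt(pkt, 5u, (const uint8_t *)"hello", 5);
    printf("parse valid: %s (len %u)\n", parse_msg_safe(pkt, n, &m) ? "ok" : "rejected", m.len);
    return 0;
}
```

The second hardened check matters as much as the first: a declared length that fits the buffer but exceeds the bytes actually received is an out-of-bounds read of the receive buffer, which is the information-leak half of many "overflow to RCE" chains.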
Tools and Exploits
- Added EfsRpc method (aka PetitPotam). SweetPotato gets a PetitPotam upgrade: if you have SeImpersonatePrivilege on a fully patched Windows 10 machine, you can get SYSTEM.
- ServiceMove-BOF is a new lateral movement technique that abuses the Windows Perception Simulation Service to achieve code execution via DLL hijacking. Note that it works on Windows 10 1809 or above only.
- BOF-ForeignLsass dumps lsass memory by opening a handle to a process that already has a handle open to lsass, with the hopes of looking less suspicious by stealing this "legitimate" handle.
- kubescape is the first tool for testing whether Kubernetes is deployed securely as defined in the Kubernetes Hardening Guidance from the NSA and CISA.
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- Microsoft365_devicePhish is a proof-of-concept script to conduct a phishing attack abusing the Microsoft 365 OAuth device authorization flow. Compare to 365-Stealer and TokenTactics.
- Mimikore is a .NET 5 single file application loader for Mimikatz or any Base64 PE.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.