Last Week in Security (LWiS) - 2021-11-08
DLL proxying helper BOFs (@the_bit_diddler), Cobalt Strike traffic decryption (@DidierStevens), CES/CEP on Linux (@duff22b), Kerberoasting OPSEC (@DebugPrivilege), certutil LOLbin replacement (@ElliotKillick), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-11-01 to 2021-11-08.
News
- Reward Offers for Information to Bring DarkSide Ransomware Variant Co-Conspirators to Justice. $10M USD for conviction of "individual(s) who hold(s) a key leadership position in the DarkSide" group. I think the goal of this is to sow distrust within DarkSide, and a potential $10M payout to snitch will certainly do that.
- Pwn2Own Austin 2021 - Schedule and Live Results. It's always cool to see how many and what types of devices fall at Pwn2Own.
- Introducing Firefox’s new Site Isolation Security Architecture. Great news for the underdog browser. However, it may be too little too late.
- Cisco Policy Suite Static SSH Keys Vulnerability. Cisco is the king of 9.0+ CVSS scores in critical networking hardware. This time it's SSH in the Policy Suite software and its Catalyst Passive Optical Network (PON) switches that could allow and attacker to log in a root.
- Iraqi PM Safe After Drone Attack on Residence, Military Says. Explosive laden assassination drones. "The future dystopia is already here — it’s just not very evenly distributed."
- Phishing emails seemingly coming from a Kaspersky email address. A better title might be, "oops someone used one of our AWS SES tokens to phish."
Techniques
- Master of Puppets Part II – How to tamper the EDR?. Tons of great ideas for how to disable EDR, even if it has a kernel driver. Great work.
- Using Microsoft CES/CEP for Linux Workstation Certificate Enrollment with Kerberos Workstation Authentication. While not a "red team" post, this shows how to set up CES/CEP with Linux which will give you an understanding to how that all works, and ideas for how it can be leveraged if you find yourself on a domain joined Linux machine.
- Cobalt Strike: Using Process Memory To Decrypt Traffic – Part 3. If you're using for Cobalt Strike for serious operations, you're asking for trouble. Security through obscurity is a legitimate part of a larger security model.
- Kerberoast with OpSec. Kerberoasting remains a powerful attack, but it's time to clean up how you go about searching for kerberoastable accounts.
- CVE-2021-43267: Remote Linux Kernel Heap Overflow | TIPC Module Allows Arbitrary Code Execution. Interesting bug and walk through (CodeQL again...). No PoC yet.
- This is how I bypassed almost every EDR!. Userland unhooking and direct syscalls aren't novel, but the use of the PEB to find the clean functions in NTDLL without syscalls is a nice twist.
- PGSharp: Analysis of a Cheating App for PokemonGO. This is an in-depth analysis of an Android cheat engine. Tons of good stuff if you are an android "tool" developer.
- CVE-2021-22205 Rapid7 Analysis. Lots of Gitlab instances were used in a DDoS attack last week. This is how. Note that this was patched back in April 2021.
- Pwn2Own to Xxe2Rce. XXE to RCE on an ICS controller - nice!
- Newly discovered #lolbin "C:WindowsSystem32Cmdl32.exe". Download files with a Microsoft signed binary. So long certutil.exe, hello cmdl32.exe!
Tools and Exploits
- DLL-Hijack-Search-Order-BOF is a Cobalt Strike BOF file, meant to use two arguments (path to begin, and a DLL filename of interest), that will traverse the SafeSearch order of DLL resolution. Optionally, this will also attempt to ascertain a HANDLE to the provided file (if found), and alert the operator of its mutability (WRITE access).
- DLL-Exports-Extraction-BOF is a BOF for DLL export extraction with optional NTFS transactions.
- blint is a Binary Linter to check the security properties, and capabilities in your executables.
- braktooth_esp32_bluetooth_classic_attacks is a series of baseband & LMP exploits against Bluetooth classic controllers.
- CVE-2021-34886 is a Linux kernel eBPF map type confusion that leads to EoP and affects Linux kernel 5.8 to 5.13.13. Writeup (CN) here.
- elfloader is an architecture-agnostic ELF file flattener for shellcode written in Rust.
- socksdll isa a loadable socks5 proxy via CGo/C bridge.
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- pyWhat easily lets you identify emails, IP addresses, and more. Feed it a .pcap file or some text and it'll tell you what it is! 🧙
- ThreatMapper is used to identify vulnerabilities in running containers, images, hosts and repositories and helps you to monitor and secure your running applications, in Cloud, Kubernetes, Docker, and Fargate Serverless.
- AssemblyLine is a C library and binary for generating machine code of x86_64 assembly language and executing on the fly without invoking another compiler, assembler or linker. Could you build this into your RAT to execute shellcode modules without suspicious API calls?
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.