Last Week in Security (LWiS) - 2021-12-07
Windows LPE 0day (@KLINIX5), Windows 10 URI handler "RCE" (@positive_sec), detect anomalous TLS certs with ML (@NCCGroupInfosec), USB-over-ethernet vuln (@kasifdekel), bitlocker key leak (@theluemmel), Linux TIPC LPE (@bl4sty), Tartarus' Gate (@trickster012), abusing SecLogon (@splinter_code), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-11-22 to 2021-12-07.
News
- US military's hacking unit publicly acknowledges taking offensive action to disrupt ransomware operations. Consider the hounds released.
- Former Employee Of Technology Company Charged With Stealing Confidential Data And Extorting Company For Ransom While Posing As Anonymous Attacker. The Ubiquiti hack/breach/whatever from last year was actually an insider who demanded 50 bitcoin as ransom during the attack. He now faces up to 37 years in prison.
- Introducing Buy now, pay later in Microsoft Edge. Predatory lending coming to a browser near you by default!
- GoDaddy Announces Security Incident Affecting Managed WordPress Service. GoDaddy has been riding the high of its first mover advantage for about two decades now. Don't worry breach bingo players, "GoDaddy leadership and employees take our responsibility to protect our customers’ data very seriously."
- US State Department Employees Targeted with NSO Group Malware. After being heavily sanctioned, details about US-based attacks are coming out. NSO Group's woes continue to mount with Apple suing them.
- Is “KAX17” performing de-anonymization Attacks against Tor Users? Someone spent a fair amount of money to run a lot of Tor middle nodes, but has since been subject to a mass rejection of relays. Tin foil hats on to guess who may be behind this.
Techniques
- Carrying the Tortellini's golf sticks - Using Caddy to spin up fast and reliable C2 redirectors. While Apache and Nginx are the most common redirectors, Caddy is a lightweight web server that can be used as a redirector as well. This post details some helpful configuration options you should look into if you go down this route. Be careful of the more unique JA3S hash though. Since Caddy is written in Go and open source, this can be changed (with something like this for the server side).
- Windows 10 RCE: The exploit is in the link. Fabian and Lukas found that the default handler for ms-officecmd: URIs allows argument injection. Typical bug bounty payment shenanigans followed. There are great details about the process of finding the bug and exploiting it in this post - don't skip it.
- Encryption Does Not Equal Invisibility – Detecting Anomalous TLS Certificates with the Half-Space-Trees Algorithm. Much like JA3 and JA3S, TLS metadata about certificates can be extremely useful for detecting anomalies.
- TrickBot Leverages Zoom Work from Home Interview Malspam, Heaven’s Gate and… Spamhaus?. Trickbot is back with a nifty LNK+loader campaign. Threat emulators, take note.
- Exploring Container Security: A Storage Vulnerability Deep Dive. Containers are taking over the DevOps world, best learn how to exploit them.
- USB Over Ethernet | Multiple Vulnerabilities in AWS and Other Major Cloud Services. Some base libraries used in many remote desktop services have a vulnerability that can be triggered from sandboxes (i.e. web browsers).
- Go away BitLocker, you´re drunk. You've read some stories about leaking bitlocker keys, but they lacked memes and snark. I believe this is the third bitlocker hardware hack post on LWiS. Have you added a second factor to your bitlocker deployment yet?
- Halo's Gate Evolves -> Tartarus' Gate. This new "gate" adds a check for a different type of hook used by an EDR vendor. Code here.
- Azure Privilege Escalation via Azure API Permissions Abuse. At this point I'm convinced that each "cloud" is its own entire security research domain.
- The hidden side of Seclogon part 2: Abusing leaked handles to dump LSASS memory. This is a fresh take on credential dumping with a PoC available: MalSeclogon.
Tools and Exploits
- InstallerFileTakeOver is a Windows LPE 0day for all supported Windows versions. RIP.
- cracken is a fast password wordlist generator, Smartlist creation and password hybrid-mask analysis tool written in pure safe Rust.
- Exploiting CVE-2021-43267. This is a walkthrough and full exploit for the Linux TIPC vulnerability that affects kernels between 5.10-rc1 and 5.15.
- EDRSandblast is a tool written in C that weaponizes a vulnerable signed driver to bypass EDR detections (Kernel callbacks and ETW TI provider) and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland monitoring.
- SSHClient is a small SSH client written in C#. May be useful for pivoting from Windows to Linux.
- EntitlementCheck is a Python3 script for macOS to recursively check /Applications and also check /usr/local/bin, /usr/bin, and /usr/sbin for binaries with problematic/interesting entitlements. Also checks for hardened runtime enablement.
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- DetectionLabELK is a fork of DetectionLab with the ELK stack instead of Splunk.
- GoMapEnum is a user enumeration (LinkedIn) and password bruteforcer for Azure, ADFS, OWA, O365, and Teams.
- redherd-framework is a collaborative and serverless framework for orchestrating a geographically distributed group of assets capable of simulating complex offensive cyberspace operations.
- ThePhish is an automated phishing email analysis tool based on TheHive, Cortex and MISP. It is a web application written in Python 3 and based on Flask that automates the entire analysis process, starting from the extraction of the observables from the header and the body of an email through to the elaboration of a verdict, which is final in most cases.
- BOF2shellcode is a POC tool to convert CobaltStrike BOF files to raw shellcode.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.