Last Week in Security (LWiS) - 2021-12-20
Explaining the 0click iOS exploit (@i41nbeer and @5aelo), new loader (@zux0x3a), first look at Nighthawk C2 (@peterwintrsmith and @modexpblog), new injection technique (@netero_1010), OST documentation (@_nwodtuhs), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-12-14 to 2021-12-20.
News
- Log4j 2.15.0 still allows for exfiltration of sensitive data. You'll be writing this one up on assessments for years to come. 2.16 was released but also had a DoS-able vulnerability. Third patch is the charm? This whole saga has become the best example of Dependency in recent memory. If you need to exploit Log4j, grab the JNDI-Exploit-Kit. Trying to keep it all straight? This flow chart was up to date when published.
- Updates to the Bug Slayer bug bounty program. If you use CodeQL to find and report bugs, you may be eligible for a bonus bounty.
- Nighthawk 0.1 – New Beginnings. MDSec releases more details about its impressive in-house C2 framework. I'd love to get my hands on it and test it out. DMs open ;).
- REVEN Free Edition - Available as a VM. REVEN is a "Timeless Analysis" system that allows you to triage crashes more effectively. Now it's even easier to try out with a ready-made virtual machine.
Techniques
- How I found the Grafana zero-day Path Traversal exploit that gave me access to your logs. A manual source code audit and some fuzzing found this arbitrary file read bug.
- A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution. Wow. NSO used a JBIG2 vulnerability to construct a custom computer architecture they then used to search and modify memory to carry out the next stage of the exploit chain. Talk about weird machines.
- Defeat the Castle - Bypass AV & Advanced XDR solutions. AV/EDR solutions seem to struggle with the double encryption/encoding used here. Tool available here.
- Yes, fun browser extensions can have vulnerabilities too! "A one-time visit to a malicious website would have been sufficient to compromise the browser integrity permanently." It's time to start thinking of browsers as OSs and extensions as programs running as root.
- Alternative Process Injection. This technique injects shellcode into the memory pages of an already loaded DLL, which gets around most (but not all) indicators of injection.
- Blackswan Technical Writeup (PDF). Six Windows privescs with beautifully presented write-ups? Yes please.
Tools and Exploits
- Cobalt Strike 4.5 Update Specifics:
  - Writing Beacon Object Files: Flexible, Stealthy, and Compatible. This post is great as it covers lesser used concepts like syscalls in x86 BOFs.
  - Process Injection Update in Cobalt Strike 4.5
  - User Defined Reflective Loader (UDRL) Update in Cobalt Strike 4.5
  - Sleep Mask Update in Cobalt Strike 4.5
  - A Deeper Look Into the Max Retry Strategy Option
- moonwalk helps cover your tracks during Linux Exploitation by leaving zero traces on system logs and filesystem timestamps.
- The Hacker Tools is focused on documenting and giving tips & tricks on common infosec tools. This is an awesome initiative and an idea I've had for a while. Happy to see it being executed.
- Cobalt-Clip is a clipboard add-on for Cobalt Strike. With it you can dump, edit and monitor the contents of a clipboard.
- intruducer is a Rust crate to load a Linux shared library into a target process without using ptrace.
- KernelSharp is an example of how to use NativeAOT to compile C# code to a Windows Kernel Mode driver.
- KernelBypassSharp is a C# Kernel Mode Driver to read and write memory in protected processes.
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- awspx is a graph-based tool for visualizing effective access and resource relationships in AWS environments.
- mariana-trench is Facebook's security focused static analysis tool for Android and Java applications.
- adPEAS. Note this is not part of the "official" PEAS toolset. It's a PowerShell tool to automate Active Directory enumeration.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.