Feb 07 2022 Last Week in Security (LWiS) - 2022-02-07

EXE in LNK embeds (@x86matthew), LinkedIn Slink phishers (@briankrebs), Apollo 2.0 (@djhohnstein), modern relaying (@Jean_Maes_1994), exfil with Power Automate (@varonis), sandboxing defender (@GabrielLandau), SysWhispers rundown (@KlezVirus), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-01-31 to 2022-02-07.

News

Vulnerabilities in Cisco Small Business routers could allow unauthenticated attackers persistent access to internal networks. This was the CVE of last week, a full 10.0 on the CVSS scale (RCE as root). SSL VPN gateways continue to be a juicy target for attackers.
Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution. This takes the #2 spot for most hyped CVE of last week. The vfs_fruit module is used for macOS compatibility, and is enabled on many prosumer NAS devices by default. No PoC yet, technical details here.
Helping users stay safe: Blocking internet macros by default in Office. It's about time! While there are certainly valid use cases for macros, they should be a bigger challenge to enable than a simple click given the damage they can do. Here's to hoping organizations patch. I'll be pouring one out for this old red team favorite in April.
Alpha-Omega Project. This project aims to attack open source software vulnerability from both ends, maintainers and end users. Specifics are light, but if it means more fuzzing or code analysis on popular open source projects, that's a good thing.
It’s Back: Senators Want EARN IT Bill to Scan All Online Messages. US Senate again tries to open up the path for widespread surveillance by making private companies scan all content and report "violations" to law enforcement. I'm sure they will use the line "protect the children" in their push to get it passed.

Techniques and Write-ups

EmbedExeLnk - Embedding an EXE inside a LNK with automatic execution. This is a really neat multi-layered payload. It's a LNK that runs powershell to extract an EXE from itself, drop, and run that exe. This way LNK based attacks can be totally self contained.
How Phishers Are Slinking Their Links Into LinkedIn. LinkedIn has marketing "feature" that is proving to be useful for phishers to hide their links. LinkedIn is (for now) a pretty high reputation site.
A deeper dive into CVE-2021-39137 – a Golang security bug that Rust would have prevented. A headline sure to start a holy war. If you're interested in low level language details you'll enjoy this post.
Testing Infrastructure-as-Code Using Dynamic Tooling. The Aerides tool is capable of mocking the appropriate AWS API endpoints to allow "normal" tools to run (terraform, etc). This allows infrastructure as code to be tested in CI pipelines with automated tooling easily.
DNSStager v1.0 stable: Stealthier code, DLL agent & much more. DNS has always been a gamble for me. Either the SOC never sees it because they aren't monitoring DNS, or it gets instantly caught because it sticks out so badly. There isn't really a middle ground. This new version looks like it does well against MS365 (ATP) which is no small feat.
Apollo 2.0 — New Year, New Features. Hot on the heals of the Mythic update, the Apollo agent gets a massive update! Props to Dwight for such an amazing changelog! Dynamic content loading, P2P over SMB or TCP, SOCK5 proxying, in-process assembly execution, PE execution, and smaller file size. Apollo has arrived!
I’m bringing relaying back: A comprehensive guide on relaying anno 2022. Appropriate title. If you have missed the developments in relaying over the past few years, this will get you up to speed.
Using Power Automate for Covert Data Exfiltration in Microsoft 365. Creating "flows" between Microsoft apps can also allow attackers to create "flows" of your data off to OneDrive. Best/worst part? It's enabled by default for any M365 user.
Sandboxing Antimalware Products for Fun and Profit. This was the original post (and original PoC) that set off a string of researchers implementing the technique in Nim, C++, C#, and even a BOF.
SysWhispers is dead, long live SysWhispers!. This post is a one-stop-shop for your SysWhispers knowledge.
This are my principals.pdf [PDF]. This is James Forshaw's deck from OffensiveCon 2022. My rule is to read anything James publishes, but this deck would benefit from the recorded talk to give context.
Advanced-Process-Injection-Workshop. This is a full workshop, on GitHub, for free! Looks like most of the recent injection methods are here.

Tools and Exploits

authz0 is an automated authorization test tool. Unauthorized access can be identified based on URLs and Roles & Credentials.
SharpLdapWhoami is a "WhoAmI" that functions by asking the LDAP service on a domain controller. I'm not 100% sure what this would be useful for without testing it.
EvilSelenium is a new project that weaponizes Selenium to abuse Chrome - steal cookies, dump creds, take screenshots, add SSH keys to GitHub, etc.
shelloverreversessh is a simple implant which connects back to an OpenSSH server, requests a port be forwarded to it from the server, and serves up SOCKS4a or a shell to forwarded connections.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

reave is a post-exploitation framework tailored for hypervisor endpoints. Interesting concept, I'll be following it.
GoodHound uses Sharphound, Bloodhound and Neo4j to produce an actionable list of attack paths for targeted remediation.
ShadowCoerce is an MS-FSRVP coercion abuse PoC. Not sure how I missed this one.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.