Last Week in Security (LWiS) - 2022-02-28
Stealing GitHub secrets (@not_an_aardvark), TeamsImplant (@allevon412), Nimcrypt2 (@icyguider), VMware RCEs (@elk0kc), LdapSignCheck (@cube0x0), yaradbg.dev (@DissectMalware), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-02-21 to 2022-02-28.
News
- LAPSUS$ vs Nvidia. Ransomware crews just aren't what they used to be...
- New data wiper malware used in Ukraine. The use of a stolen or shell company digital signature as well as an old but legitimate driver to corrupt data is an interesting twist on the common wiper malware methods.
Techniques and Write-ups
- Stealing a few more GitHub Actions secrets. GitHub Actions have been a source of secrets before, but this is a very clever logic bug that allowed a malicious fork write access to a repository.
- Exploit Development: ASLR - Coming To A KUSER_SHARED_DATA Structure Near You!. Connor drops another monster post digging deep into the Windows kernel to show a new feature in the Windows Insider Preview builds. Kernel exploits will now require a full kASLR bypass to be effective, and existing exploits that rely on a writeable KUSER_SHARED_DATA structure will break.
- BrokenPrint: A Netgear stack overflow. Lots of good 32-bit ARM exploitation knowledge in this post.
- Catching bugs in VMware: Carbon Black Cloud Workload Appliance and vRealize Operations Manager. PT security is back with a bunch of different ways to get RCE on VMware products. Some nice web application hacking fundamentals on display in this post.
- Remote Code Execution in pfSense <= 2.5.2. This is an authenticated RCE, but still not good news for a security-focused product that's had its fair share of controversy recently.
Tools and Exploits
- Fennec is an artifact collection tool written in Rust to be used during incident response on *nix based systems. Fennec allows you to write a configuration file that describes how to collect artifacts.
- TeamsImplant is a stealthy Teams implant that proxies the urlmon.dll that Teams uses. Compile and throw this bad boy in the Teams directory as urlmon.dll, and you've got yourself a persistence backdoor whenever Teams is run by a user or at startup.
- aws-cloudsaga is for AWS customers to test security controls and alerts within their Amazon Web Services (AWS) environment, using generated alerts based on security events seen by the AWS Customer Incident Response Team (CIRT).
- Nimcrypt2 is yet another PE packer/loader designed to bypass AV/EDR. An improvement on the original Nimcrypt project, with the main improvements being the use of direct syscalls and the ability to load regular PE files as well as raw shellcode.
- Jbin-website-secret-scraper will gather all the URLs from a website and then try to expose secret data from them, such as API keys, API secrets, API tokens, and other juicy information.
- LdapSignCheck is a Beacon Object File to scan a Domain Controller to see if LdapEnforceChannelBinding or LdapServerIntegrity has been modified to mitigate against relaying attacks.
- YaraDbg.dev is a free web-based Yara debugger to help security analysts to write hunting or detection rules with less effort and more confidence. By using YaraDbg, you can perform a thorough root-cause-analysis (RCA) on why some of your Yara rules did or did not match with a specific file. It can also help you to better maintain a large set of yara rules.
New to Me
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- PowerBruteLogon is a PowerShell port of win-brute-logon which can brute force local accounts on a Windows machine. The Administrator account, if enabled, is exempt from lockout.
- opensquat is an open-source intelligence (OSINT) security tool to identify cyber squatting threats to specific companies or domains, such as phishing campaigns, domain squatting, typo squatting, bitsquatting, IDN homograph attacks, doppelganger domains, and other brand/domain related scams.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.