Last Week in Security (LWiS) - 2022-02-28

Stealing GitHub secrets (@not_an_aardvark), TeamsImplant (@allevon412), Nimcrypt2 (@icyguider), VMware RCEs (@elk0kc), LdapSignCheck (@cube0x0), yaradbg.dev (@DissectMalware), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-02-21 to 2022-02-28.

News

Techniques and Write-ups

Tools and Exploits

  • Fennec is an artifact collection tool written in Rust for use during incident response on *nix-based systems. Fennec lets you write a configuration file that describes which artifacts to collect and how.
  • TeamsImplant is a stealthy Teams implant that proxies the urlmon.dll that Teams loads. Compile it and drop it into the Teams directory as urlmon.dll and you have a persistence backdoor that runs whenever Teams is launched by the user or at startup.
  • aws-cloudsaga lets AWS customers test security controls and alerting within their Amazon Web Services (AWS) environment by generating activity modelled on security events seen by the AWS Customer Incident Response Team (CIRT).
  • Nimcrypt2 is yet another PE packer/loader designed to bypass AV/EDR. It improves on the original Nimcrypt project, the main additions being direct syscalls and the ability to load regular PE files as well as raw shellcode.
  • Jbin-website-secret-scraper gathers all the URLs from a website and then tries to extract secrets from them, such as API keys, API secrets, API tokens and other juicy information.
  • LdapSignCheck is a Beacon Object File that checks a Domain Controller to see whether LdapEnforceChannelBinding or LdapServerIntegrity has been changed from the defaults to mitigate relaying attacks. With the defaults (signing negotiated but not required, channel binding not enforced), NTLM authentication captured on the wire can be relayed to LDAP or LDAPS on the DC.
  • YaraDbg.dev is a free web-based YARA debugger that helps security analysts write hunting or detection rules with less effort and more confidence. With YaraDbg you can perform a thorough root-cause analysis (RCA) of why some of your YARA rules did or did not match a specific file. It can also help you maintain a large set of YARA rules.
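The crawl-then-regex approach behind Jbin-website-secret-scraper, as an added illustration that is not the tool's own code: one hop of URL gathering from an HTML page, then a handful of secret patterns run over each fetched body. The sample site, its URLs and the hard-coded credentials in it are constructed for the example (the AWS key is Amazon's documented placeholder, not a live key), and the pattern set is an assumption, not Jbin's; the generic `api_key = "..."` rule is deliberately loose and produces hits that need manual triage.

```python
import re
from urllib.parse import urljoin

# Token formats with vendor-documented prefixes, plus one noisy generic rule
# for `api_key = "..."`-style assignments whose hits should be triaged by hand.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "slack_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"),
    "generic_api_key": re.compile(
        r"(?i)\bapi[_-]?(?:key|secret|token)\s*[:=]\s*['\"]([A-Za-z0-9_\-]{16,})['\"]"
    ),
}

# href="..." / src="..." attributes; enough for the one-hop crawl below.
URL_RE = re.compile(r"""(?:href|src)\s*=\s*['"]([^'"]+)['"]""", re.I)

# Constructed sample site (not a real host): a page linking to two scripts
# and a stylesheet, with credentials left in the JavaScript.
SAMPLE_SITE = {
    "https://shop.example/": (
        '<html><head><script src="/static/app.js"></script>'
        '<link href="/static/style.css"></head>'
        '<body><a href="https://cdn.example/vendor.js">vendor</a></body></html>'
    ),
    "https://shop.example/static/app.js": (
        'const apiKey = "sk_test_0123456789abcdef";\n'
        'fetch("/api?key=" + apiKey);\n'
        '// TODO remove before release: AKIAIOSFODNN7EXAMPLE\n'
    ),
    "https://shop.example/static/style.css": "body { margin: 0 }",
    "https://cdn.example/vendor.js": (
        "export const v = 1; // ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8"
    ),
}


def extract_urls(html, base):
    """Return the absolute, deduplicated URLs referenced by href/src in html."""
    seen, out = set(), []
    for ref in URL_RE.findall(html):
        url = urljoin(base, ref)  # resolves relative paths against the page URL
        if url not in seen:
            seen.add(url)
            out.append(url)
    return out


def find_secrets(text):
    """Return (kind, value) pairs for every pattern hit in text, deduplicated."""
    hits = []
    for kind, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(1) if m.groups() else m.group(0)
            if (kind, value) not in hits:
                hits.append((kind, value))
    return hits


def scan_site(pages, start):
    """Gather the URLs linked from start, then scan start and each linked page.

    `pages` stands in for HTTP fetches so the example runs offline; a real
    scraper would GET each URL and would also follow links found in scripts.
    """
    report = {}
    for url in [start] + extract_urls(pages[start], start):
        body = pages.get(url)
        if body is None:
            continue  # URL outside the sample set: nothing to fetch offline
        hits = find_secrets(body)
        if hits:
            report[url] = hits
    return report


if __name__ == "__main__":
    for url, hits in scan_site(SAMPLE_SITE, "https://shop.example/").items():
        for kind, value in hits:
            print(f"{url}: {kind} = {value}")
```

Prefix-based patterns (AWS, GitHub, Slack) have low false-positive rates because the prefix is part of the token format; the generic rule is where most noise comes from, so keep it separate in reports rather than mixing it with the high-confidence hits.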
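What LdapSignCheck's two settings mean in practice, as an added example that is not the BOF's own code: both values live under `HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters` on a Domain Controller, and Microsoft's documentation gives `LDAPServerIntegrity` 1 = negotiate signing (default), 2 = require signing, and `LdapEnforceChannelBinding` 0 = never (historical default), 1 = when supported, 2 = always. The assessment function below is my own mapping of those values to relay exposure; `read_dc_values` uses the standard-library `winreg` module and only works on Windows with remote-registry rights to the DC (the hostname form `\\dc01` is an assumed example).

```python
import sys

# Registry key holding both LDAP hardening values on a Domain Controller.
NTDS_PARAMS = r"SYSTEM\CurrentControlSet\Services\NTDS\Parameters"

# Defaults that apply when the value is absent from the registry.
DEFAULT_SERVER_INTEGRITY = 1        # negotiate signing, not required
DEFAULT_CHANNEL_BINDING = 0         # channel binding never enforced


def assess_ldap_hardening(server_integrity, enforce_channel_binding):
    """Translate the two NTDS values into relay exposure.

    Pass None for a value that is not set; the documented default is used.
    Returns a dict with the effective settings and a list of findings.
    """
    sign = DEFAULT_SERVER_INTEGRITY if server_integrity is None else server_integrity
    cbt = DEFAULT_CHANNEL_BINDING if enforce_channel_binding is None else enforce_channel_binding
    findings = []
    if sign < 2:
        # Unsigned LDAP on 389 accepts a relayed NTLM session as-is.
        findings.append("LDAPServerIntegrity=%d: signing not required, NTLM relay to LDAP possible" % sign)
    if cbt == 0:
        # LDAPS without channel binding lets a relayed session ride on the attacker's TLS channel.
        findings.append("LdapEnforceChannelBinding=0: NTLM relay to LDAPS possible")
    elif cbt == 1:
        # Only clients that include channel binding in their NTLM exchange are protected.
        findings.append("LdapEnforceChannelBinding=1: clients that omit channel binding are still relayable to LDAPS")
    return {
        "ldap_signing_required": sign >= 2,
        "channel_binding_level": cbt,
        "findings": findings,
    }


def read_dc_values(host=None):
    """Read both values from the local or a remote DC registry (Windows only)."""
    import winreg
    hive = winreg.ConnectRegistry(host, winreg.HKEY_LOCAL_MACHINE)  # host=None -> local
    vals = {}
    with winreg.OpenKey(hive, NTDS_PARAMS) as key:
        for name in ("LDAPServerIntegrity", "LdapEnforceChannelBinding"):
            try:
                vals[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                vals[name] = None   # not set: default applies
    return vals


if __name__ == "__main__":
    if sys.platform != "win32":
        print("registry read needs Windows; showing the default-settings assessment instead")
        result = assess_ldap_hardening(None, None)
    else:
        # Assumed example host; omit the argument to check the local machine.
        host = sys.argv[1] if len(sys.argv) > 1 else None
        v = read_dc_values(host)
        result = assess_ldap_hardening(v["LDAPServerIntegrity"], v["LdapEnforceChannelBinding"])
    for line in result["findings"] or ["no relay-relevant weaknesses found"]:
        print(line)
```

Requiring signing (2) closes relay to plain LDAP; channel binding set to always (2) closes relay to LDAPS. Raising either setting can break clients that do not sign or do not send channel binding tokens, which is why Microsoft publishes event IDs to audit for such clients before enforcing, and why a red team checks these values before spending time on a relay chain.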

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • PowerBruteLogon is a PowerShell port of win-brute-logon, which can brute force local accounts on a Windows machine. The built-in Administrator account, if enabled, is exempt from account lockout.
  • opensquat is an open source intelligence (OSINT) security tool that identifies cybersquatting threats to specific companies or domains, such as phishing campaigns, domain squatting, typosquatting, bitsquatting, IDN homograph attacks, doppelganger domains, and other brand/domain-related scams.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.