Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-03-21 to 2022-03-28.
- Google is aware that an exploit for CVE-2022-1096 exists in the wild.. Not everyday you see a Chrome 0day in the wild. Update your browser!
- Countering threats from North Korea. The care put into the exploit kit decoy sites is impressive. When a significant portion of your GDP is from cybercrime, I suppose you get pretty good at it.
- Exodus Intelligence is offering their N-Day vulnerability subscription for FREE from April 1st through July 1st. I've been "added to the queue" but no N-Days yet.
- Resolved Security Vulnerabilities in Sophos (SG) UTM 9.710 MR10 (CVE-2022-0386, CVE-2022-0652). A post-auth SQL injection vulnerability in the Mail Manager of Sophos UTM can lead to RCE. SSL VPN bugs are hot right now, consider replacing your VPN appliances with WireGuard (its faster too).
- Grimes Said She Orchestrated Cyberattack That Shut Down ‘Hipster Runoff’. Famous person admits to crimes - nothing happens. A tale as old as time. How many years in prison would a teen in America get for a DDoS plus "erasing backups" (shell access?)?
- Cloudflare’s investigation of the January 2022 Okta compromise. This has some actionable steps if you are an Okta customer. For more, check out TrustedSec Okta Breach Recommendations.
Techniques and Write-ups
- Mining data from Cobalt Strike beacons. A new library designed to parse Cobalt Strike configruations. Perhaps its time to move away from Cobalt Strike.
- Remote Code Execution on Western Digital PR4100 NAS (CVE-2022-23121). This is a very detailed walkthrough of a information leak and unchecked return value exploit for a NAS. I love that adding some 'sleep()'s fixed the exploit in the Pwn2Own competition to net them a success.
- [PDF] Double Fetch Vulnerabilities in C and C++. Double Fetch is where checks are properly done for a fetch, but the second fetch is unchecked. This allows an attaker to modify the data between the fetches.
- Yet Another Local Privilege Escalation Attack via Razer Synapse Installer (CVE-2021-44226). Gaming peripherals have been a goldmine of LPEs recently, and Razer is no exception.
- Pwning Microsoft Azure Defender for IoT | Multiple Flaws Allow Remote Code Execution for All. "Unauthenticated attackers can remotely compromise devices protected by Microsoft Azure Defender for IoT by abusing vulnerabilities in Azure’s Password Recovery mechanism." It's bad when you have to number your "Unauthenticated Remote Code Execution As Root" findings because there are more than one.
- Automating DFIR using Cloud services. IR is never fun, but automation to make it less painful can help!
- CVE-2022-27666: Exploit esp6 modules in Linux kernel. Buffer and heap exploits can get confusing quickly, but this write up includes amazing animations that show how data is arranged in memory and make it much easier to understand. I hope this technique of write ups catches on.
- LDAP relays for initial foothold in dire situations. NTLM relaying may be locked down in an environment, but LDAP remains an option. This post pushes the boundaries to relay harder with LDAP. Defenses included at the end as well!
- Every "Guest" you invite in your Microsoft Team meetings can list users from other groups. Flip those toggles!
Tools and Exploits
- tetanus is a Mythic C2 agent targeting Linux and Windows hosts written in Rust.
- DelegationBOF uses LDAP to check a domain for known abusable Kerberos delegation settings. Currently, it supports RBCD, Constrained, Constrained w/Protocol Transition, and Unconstrained Delegation checks.
- OffensivePascal is a Pascal Offsec repo for malware dev and red teaming 🚩.
- CVE-2019-0708 is a BlueKeep proof of concept allowing pre-auth RCE on Windows 7.
- YouMayPasser is an x64 implementation of Gargoyle. Don't sleep on this one ;)
- ctfd-parser is a python script to dump all the challenges locally of a CTFd-based Capture the Flag.
- wireproxy is a Wireguard client that exposes itself as a socks5 proxy
- TCC-ClickJacking is a proof of concept for a clickjacking attack on macOS.
- DLLirant is a tool to automatize the DLL Hijacking researches on a specified binary.
New to Me
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- Cronos-Rootkit is Windows 10/11 x64 ring 0 rootkit. Cronos is able to hide processes, protect and elevate them with token manipulation.
- reverse_ssh is a cross platform RAT that uses SSH as the transport protocol. This allows the use of native SSH with all the niceties that SSH offers (port forwarding, scp, etc).
- ADExplorerSnapshot.py is an AD Explorer snapshot parser. It is made as an ingestor for BloodHound, and also supports full-object dumping to NDJSON.
- OffensiveNotion uses Notion as a platform for offensive operations.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.