Last Week in Security (LWiS) - 2022-09-12
Avoiding memory scanners (@kyleavery_), EvilnoVNC critiques (@TheXC3LL), Athena 0.2 (@checkymander), Monkey365 (@tr1ana), reFlutter (@lmpact_l), gTunnel/SOCKS (@greycatsecurity + @hotnops), cobaltstrike-headless (@codex_tf2), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-09-06 to 2022-09-12.
News
- Fuzzing beyond memory corruption: Finding broader classes of vulnerabilities automatically. OSS-Fuzz recently found a trivial command injection and it's hungry for more vulnerability classes.
- Crimeware Trends | Ransomware Developers Turn to Intermittent Encryption to Evade Detection. Why encrypt entire files or every file when encrypting parts of files still achieves the same effect with greater speed and fewer detections?
- Google Completes Acquisition of Mandiant. First FireEye, now Google. Kevin Mandia must be Scrooge McDuck-ing into a pool of gold coins at this point.
- Sensitive Command Token - So much offense in my defense. There is a new Canary token for commands executed on Windows.
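The intermittent-encryption item above comes down to what a detector actually measures. As an added example (not code from the linked report or from any ransomware family), the C below constructs a 64 KB text file, encrypts it either fully or only every other 4 KB chunk with a stand-in keystream, and shows that whole-file entropy stays below a ciphertext threshold for the intermittent case while a per-chunk check still flags half the windows. The file size, chunk size, the 7.5 bits/byte threshold and the xorshift64* keystream are assumptions chosen for the demo; log2 is hand-rolled only so the file links without libm.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FILE_SIZE 65536   /* constructed sample "document" size (assumption) */
#define CHUNK     4096    /* window size for the per-chunk check (assumption) */
#define THRESHOLD 7.5     /* bits/byte; ciphertext sits near 8.0, text near 4-5 */

/* log2 without libm: x = m * 2^e with m in [1,2), ln(m) = 2*atanh((m-1)/(m+1)). */
static double log2_nolibm(double x) {
    int e = 0;
    while (x >= 2.0) { x /= 2.0; e++; }
    while (x < 1.0)  { x *= 2.0; e--; }
    double z = (x - 1.0) / (x + 1.0), z2 = z * z, term = z, sum = 0.0;
    for (int k = 1; k < 40; k += 2) { sum += term / k; term *= z2; }
    return 2.0 * sum / 0.6931471805599453 + e;
}

/* Shannon entropy of a buffer in bits per byte, 0.0 .. 8.0. */
double shannon_entropy(const uint8_t *buf, size_t len) {
    size_t counts[256] = {0};
    double h = 0.0;
    if (len == 0) return 0.0;
    for (size_t i = 0; i < len; i++) counts[buf[i]]++;
    for (int b = 0; b < 256; b++) {
        if (counts[b] == 0) continue;
        double p = (double)counts[b] / (double)len;
        h -= p * log2_nolibm(p);
    }
    return h;
}

/* Number of CHUNK-sized windows whose entropy exceeds THRESHOLD. */
size_t high_entropy_chunks(const uint8_t *buf, size_t len) {
    size_t n = 0;
    for (size_t off = 0; off < len; off += CHUNK) {
        size_t l = (len - off < CHUNK) ? len - off : CHUNK;
        if (shannon_entropy(buf + off, l) > THRESHOLD) n++;
    }
    return n;
}

/* Constructed plaintext: a repeated English sentence. */
void make_plaintext(uint8_t *buf, size_t len) {
    const char *s = "The quick brown fox jumps over the lazy dog. ";
    size_t sl = strlen(s);
    for (size_t i = 0; i < len; i++) buf[i] = (uint8_t)s[i % sl];
}

/* Stand-in for a ransomware keystream: xorshift64* (not a real cipher, just
 * high-entropy bytes, which is all an entropy-based detector can see). */
static uint64_t ks_state = 0x9E3779B97F4A7C15ULL;
static uint8_t keystream_byte(void) {
    uint64_t x = ks_state;
    x ^= x >> 12; x ^= x << 25; x ^= x >> 27;
    ks_state = x;
    return (uint8_t)((x * 0x2545F4914F6CDD1DULL) >> 56);
}

/* Encrypt every stride-th CHUNK starting at chunk 0 (stride must be >= 1):
 * stride 1 is full-file encryption, stride 2 is the "every other chunk"
 * intermittent pattern. */
void encrypt_chunks(uint8_t *buf, size_t len, size_t stride) {
    for (size_t c = 0; c * CHUNK < len; c++) {
        if (c % stride) continue;
        size_t off = c * CHUNK, l = (len - off < CHUNK) ? len - off : CHUNK;
        for (size_t i = 0; i < l; i++) buf[off + i] ^= keystream_byte();
    }
}

int main(void) {
    uint8_t *buf = malloc(FILE_SIZE);
    const char *labels[] = { "plaintext", "fully encrypted", "intermittent (every other chunk)" };
    size_t strides[] = { 0, 1, 2 };
    for (int i = 0; i < 3; i++) {
        make_plaintext(buf, FILE_SIZE);
        if (strides[i]) encrypt_chunks(buf, FILE_SIZE, strides[i]);
        printf("%-34s whole-file entropy %.2f, high-entropy chunks %zu/%d\n", labels[i],
               shannon_entropy(buf, FILE_SIZE), high_entropy_chunks(buf, FILE_SIZE), FILE_SIZE / CHUNK);
    }
    free(buf);
    return 0;
}
```

Running it prints roughly 4.4 bits/byte for the plaintext, about 8.0 for the fully encrypted file, and a mid-range value for the intermittent file that a single whole-file threshold would wave through, while the per-chunk count reports 0, 16 and 8 windows respectively. The takeaway for a detection engineer is that file-level entropy or "was the whole file rewritten" heuristics have to become windowed checks (or look at the write pattern itself) once partial encryption is in play.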
Techniques and Write-ups
- Avoiding Memory Scanners. This is the written version of the slide deck ([PDF] Avoiding Memory Scanners - Customizing Malware to Evade YARA, PE-sieve, and More) and DEF CON presentation.
- Thoughts on the use of noVNC for phishing campaigns. Last week's EvilnoVNC has some flaws. I think with some more customization and effort, "browser emulation phishing" has its place, especially as login portals get better and better at defeating malicious reverse proxies.
- Solving the Unredacter Challenge. This is your weekly reminder to only redact with black boxes.
- Smart App Control Internals (Part 2). Deep dive into the internals of the new Windows Security feature: "Smart App Control."
- Fork Bomb for Flutter. This post discusses the creation of reFlutter, the Flutter Reverse Engineering Framework.
- Get Your SOCKS on with gTunnel. Steps to set up a wicked fast SOCKS proxy with a tool called gTunnel.
- WMI Internals Part 3. This blog looks at what happens after the COM method ITaskService::NewTask is called.
- Video Blog: Using DLL Persist to Avoid Detection. "During an Incident Response case, the TrustedSec IR team came across a novel method used by an attacker to maintain access to the target's servers. After gaining access to the systems, the attacker then modified a DLL required by a service to include malicious code. This video demonstrates a similar process for embedding malicious code into a benign DLL to create a method of persistence that is not easily detected." Not sure I love the video blog format.
- Credential Gathering From Third-Party Software. A nice quick reference guide for red teamers.
- WriteProcessMemoryAPC - Write memory to a remote process using APC calls. Does what it says on the tin.
- "GIFShell" — Covert Attack Chain and C2 Utilizing Microsoft Teams GIFs. GIFShell allows an attacker to create a reverse shell that delivers malicious commands via base64-encoded GIFs in Teams, and exfiltrates the output through GIFs retrieved by Microsoft's own infrastructure. Third-party C2 is on the rise and here to stay.
- CVE-2022-22629. This post covers the PoC for the WebGL bug that was patched in the Safari 15.4 security updates. See related: Step-by-Step Walkthrough of CVE-2022-32792 - WebKit B3ReduceStrength Out-of-Bounds Write.
- Quasar: Compromising Electron Apps. This post introduces quASAR, a tool for backdooring Electron apps' ASAR archives.
- New 2.5G Ethernet Expansion Card for Framework Laptops. If you haven't seen the Framework laptop, check it out. I hope they can make it in the much attempted but never sustained repairable tech space.
- GeoSn0w demos his blizzard jailbreak on iOS 15 and 16 booting from a custom app. This should allow iPhone X and older devices to boot into a jailbroken state on any iOS version, a boon for researchers.
Tools and Exploits
- Athena v0.2. A big update to an up-and-coming Mythic C2 agent.
- pfBlockerNG Unauth RCE Vulnerability. This is only reachable from the LAN side of the firewall, unless you have some strange WAN rules that allow access to the pfBlockerNG pages from the WAN. Patched in 2022-06, it's still a bad vulnerability. PoC here.
- QUEST KACE Desktop Authority Pre-Auth Remote Code Execution (CVE-2021-44031). Pre-Auth RCE is the flavor of the week it seems.
- Tool Release - Monkey365. Monkey 365 is an Open Source security tool that can be used to easily conduct not only Microsoft 365, but also Azure subscriptions and Azure Active Directory security configuration reviews without the significant overhead of learning tool APIs or complex admin panels from the start.
- Command injection vulnerability in Netgear R6200_v2 and R6300v2 routers. Authenticated and LAN-side only, it looks like.
- Sandbox_Scryer is an open-source tool for producing threat hunting and intelligence data from public sandbox detonation output. The tool leverages the MITRE ATT&CK Framework to organize and prioritize findings, assisting in the assembly of IOCs, understanding attack movement, and threat hunting.
- cobaltstrike-headless - Aggressor script that turns the headless Aggressor client into a (mostly) functional Cobalt Strike client.
- CVE-2022-27925 - Zimbra unauthenticated remote code execution exploit.
- TangledWinExec - This repository is for investigation of Windows process execution techniques. Most PoCs are given a name corresponding to the technique. WmiSpawn is brand new and looks very interesting.
- chameleon provides better content discovery by using Wappalyzer's set of technology fingerprints alongside custom wordlists tailored to each detected technology.
- autobloody - Tool to automatically exploit Active Directory privilege escalation paths shown by BloodHound. "Automatic" and "Exploit" are two words that when used together cause me great concern.
- evilgophish - evilginx2 + gophish.
- rust_syscalls - Single-stub direct and indirect syscalling with runtime SSN resolving for Windows.
- HideProcessHook - DLL that hooks the NtQuerySystemInformation API and hides a process name.
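To make the HideProcessHook entry concrete, here is an added example (not the project's own code) of the buffer manipulation such a hook performs on the SYSTEM_PROCESS_INFORMATION chain after the real NtQuerySystemInformation returns: re-point the previous entry's NextEntryOffset past the entry to hide. It is written against a simplified, fixed-size stand-in struct so it builds and runs anywhere; the ProcEntry layout, the constructed process list and the image names are assumptions, and the real entries are variable-length with a UNICODE_STRING image name. It also shows the defender's side: the unlinked entry's bytes are still in the buffer, which a check of NextEntryOffset against the expected entry size can notice.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for SYSTEM_PROCESS_INFORMATION (constructed for this
 * example): only the fields the unlinking logic touches, fixed-size entries.
 * The real structure is variable-length and ImageName is a UNICODE_STRING,
 * but the NextEntryOffset chain works the same way. */
typedef struct {
    uint32_t NextEntryOffset;  /* byte distance to the next entry, 0 = last */
    uint32_t UniqueProcessId;
    char     ImageName[32];
} ProcEntry;

#define MAX_ENTRIES 16
#define SNAPSHOT_SIZE (MAX_ENTRIES * sizeof(ProcEntry))

static ProcEntry *next_entry(ProcEntry *e) {
    return e->NextEntryOffset ? (ProcEntry *)((uint8_t *)e + e->NextEntryOffset) : NULL;
}

/* Lay out n contiguous entries the way the kernel does, chained by offset. */
size_t build_snapshot(uint8_t *buf, const char *const *names, size_t n) {
    for (size_t i = 0; i < n; i++) {
        ProcEntry *e = (ProcEntry *)(buf + i * sizeof(ProcEntry));
        memset(e, 0, sizeof *e);
        e->NextEntryOffset = (i + 1 < n) ? (uint32_t)sizeof(ProcEntry) : 0;
        e->UniqueProcessId = (uint32_t)(4 * (i + 1));   /* made-up PIDs */
        strncpy(e->ImageName, names[i], sizeof e->ImageName - 1);
    }
    return n * sizeof(ProcEntry);
}

/* Number of entries reachable by following the chain. */
size_t count_entries(uint8_t *buf) {
    size_t n = 0;
    for (ProcEntry *e = (ProcEntry *)buf; e; e = next_entry(e)) n++;
    return n;
}

/* 1 if an entry with this image name is reachable, else 0. */
int entry_visible(uint8_t *buf, const char *name) {
    for (ProcEntry *e = (ProcEntry *)buf; e; e = next_entry(e))
        if (strcmp(e->ImageName, name) == 0) return 1;
    return 0;
}

/* What the hook does after the real call returns: re-point the predecessor's
 * NextEntryOffset past every matching entry. The first entry is never unlinked
 * (it has no predecessor; on Windows it is the System Idle Process anyway).
 * Returns the number of entries hidden. */
size_t hide_entries(uint8_t *buf, const char *name) {
    size_t hidden = 0;
    ProcEntry *prev = (ProcEntry *)buf;
    for (ProcEntry *cur = next_entry(prev); cur; ) {
        ProcEntry *nxt = next_entry(cur);
        if (strcmp(cur->ImageName, name) == 0) {
            prev->NextEntryOffset = nxt ? (uint32_t)((uint8_t *)nxt - (uint8_t *)prev) : 0;
            hidden++;
        } else {
            prev = cur;
        }
        cur = nxt;
    }
    return hidden;
}

/* Detection angle: the hidden bytes are still in the buffer, the chain just
 * skips them. Sum the bytes skipped by links longer than one entry. With the
 * real variable-length struct, compare NextEntryOffset against the entry's
 * computed size (header plus its thread array) instead of sizeof. An entry
 * hidden at the end of the chain leaves no gap, only a shorter chain, so also
 * compare the walked length against the ReturnLength the call reported. */
size_t skipped_bytes(uint8_t *buf) {
    size_t skipped = 0;
    for (ProcEntry *e = (ProcEntry *)buf; e && e->NextEntryOffset; e = next_entry(e))
        if (e->NextEntryOffset > sizeof(ProcEntry))
            skipped += e->NextEntryOffset - sizeof(ProcEntry);
    return skipped;
}

int main(void) {
    static uint8_t snap[SNAPSHOT_SIZE];
    const char *const names[] = { "System", "explorer.exe", "evil.exe", "svchost.exe", "evil.exe" };
    build_snapshot(snap, names, 5);
    printf("before: %zu entries, evil.exe visible=%d\n",
           count_entries(snap), entry_visible(snap, "evil.exe"));
    size_t h = hide_entries(snap, "evil.exe");
    printf("hid %zu; after: %zu entries, evil.exe visible=%d, skipped bytes=%zu\n",
           h, count_entries(snap), entry_visible(snap, "evil.exe"), skipped_bytes(snap));
    return 0;
}
```

The second evil.exe sits at the end of the list on purpose: unlinking it just truncates the chain, so the gap-based check only catches the first one. That is why a memory-forensics or EDR consumer of this buffer should cross-check the walked chain against ReturnLength (or against an independent enumeration such as PID brute-forcing with OpenProcess) rather than trusting NextEntryOffset alone.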
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- ContainerSSH: Launch containers on demand. ContainerSSH launches a new container for each SSH connection in Kubernetes, Podman, or Docker. The user is transparently dropped in the container and the container is removed when the user disconnects. Authentication and container configuration are dynamic using webhooks, no system users required.
- TeamFiltration is a cross-platform framework for enumerating, spraying, exfiltrating, and backdooring O365 AAD accounts.
- buildg - Interactive debugger for Dockerfile, with support for IDEs (VS Code, Emacs, Neovim, etc.).
- wappalyzergo - A high performance go implementation of Wappalyzer Technology Detection Library.
- Ekko_CFG_Bypass - A PoC for adding NtContinue to the CFG allowed list in order to make Ekko work in a CFG-protected process.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.