Last Week in Security (LWiS) - 2022-10-17
Cobalt Strike RCE (@0x09AL + @FuzzySec), Docker Compose for red teams (@BuckinghamEzra), portable malware (@CaptMeelo), free root servers (@hackerschoice), LastPass tricks (@rbmaslen), practical attacks against NTLMv1 (@n00py1), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-10-10 to 2022-10-17.
This week I reviewed 336 blog posts and 2350 tweets to find only the best and most relevant items to include here.
- Out Of Band Update: Cobalt Strike 4.7.2. The rumors and tweets were true, there was RCE i 4.7.1. Read the full details in Analysis of a Remote Code Execution (RCE) Vulnerability in Cobalt Strike 4.7.1. Here's a PoC.
- Security of Passkeys in the Google Password Manager. GA later this year. With iOS/macOS already on board, nearly all mobile users will have passkeys by the end of the year. As services adopt FIDO2 solutions, offensive teams will have to adapt.
- WIP19 Espionage | New Chinese APT Targets IT Service Providers and Telcos With Signed Malware. APTs are using signed DLLs for DLL hijacking. Are you?
- Potential Log4shell situation. Developing...
- Disposable Root Servers. This is the coolest thing I've seen in a long time. Or it's a honey pot. 50/50.
Techniques and Write-ups
- DevAttackOps: Deploying Containers with Docker Compose (Part 3). DevOps and red teaming are friends - automate the boring stuff!
- Compromising a Backup System by iSCSI Interface During a Routine Penetration Test. Don't sleep on those open iSCSI ports!
- Hello World under the microscope. This is an interesting post that is the python version of "what does your computer do when you type google.com in a browser and hit enter."
- Writing an Independent Malware. Make your malware smaller (and import fewer DLLs) with the tricks in this post.
- Analysing LastPass, Part 1. The Chrome debugging protocol is very powerful and should be flagged by defenders any time it is invoked, but isn't (yet).
- Practical Attacks against NTLMv1. Why work hard against good protocols when you can downgrade to NTLMv1?
- Toner Deaf - Printing your next persistence (Hexacon 2022). Go where the EDR isn't. Not only a remote root RCE, but also persistence. Very cool stuff.
- Set up an Android Hacking Lab for $0. While not as good as a physical device, an emulator will get you pretty far.
- Diamond And Sapphire Tickets. Gold is old. Upgrade your tickets to the latest precious gem.
- Technical Analysis of Windows CLFS Zero-Day Vulnerability CVE-2022-37969 - Part 1: Root Cause Analysis. A Windows privesc in the common log file system driver (CLFS.sys).
- Relaying YubiKeys Part 2. I think this is the first code published that can actually interface with FIDO2 devices for phishing. Hardware tokens are good guards against phishing as they require an attacker to have access to the user's endpoint and the user and device must be present at/in the device when the attacker wants to use them OR the attacker has to control a subdomain of the valid site being targeted (if origins are not validated). This is a much more difficult situation for an attacker to achieve compared to a relatively simple MiTM proxy for TOTP or SMS 2FA on a look-a-like site. Code here.
Tools and Exploits
- CVE-2022-40684 - A proof of concept exploit for CVE-2022-40684 affecting Fortinet FortiOS, FortiProxy, and FortiSwitchManager.
- XorStringsNET - Easy XOR string encryption for NET based binaries.
- akamai-security-research - This repository includes code and IoCs that are the product of research done in Akamai's various security research teams. Includes a fresh Windows Workstation Service Elevation of Privilege Vulnerability.
- RedEye - is a visual analytic tool supporting Red & Blue Team operations from CISA.
- CVE-2022-41852 - Remote Code Execution in JXPath Library (CVE-2022-41852) Proof of Concept.
- WAMBam - Tooling related to the WAM Bam - Recovering Web Tokens From Office blog post.
- RustHound - Active Directory data collector for BloodHound written in rust. 🦀
- PsyloDbg is a very simple Windows Debugger that currently only monitor for debug events.
- Add SCCM NTLM Relay Attack #1425. This is a little known but very cool attack I expect to work for decades to come.
- AtomPePacker - A Highly capable Pe Packer.
- Janus is a pre-build event that performs string obfuscation during compile time. This project is based off the CIA's Marble Framework.
- ProvisionAppx. Some fun lateral movement?!
- ShadowSpray - A tool to spray Shadow Credentials across an entire domain in hopes of abusing long forgotten GenericWrite/GenericAll DACLs over other objects in the domain.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- Oh my Git! An open source game about learning Git!. A resource for new (or even old) team members to help learn git.
- ElectricEye - Continuously monitor your AWS attack surface and evaluate services for configurations that can lead to degradation of confidentiality, integrity or availability. All results can be exported to Security Hub, JSON, CSV, Databases, and more for further aggregation and analysis.
- wiresocks A sock, with a wire, so you can tunnel all you desire. This is a great solution that may be even better than proxycap et al.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.