Nov 14 2022 Last Week in Security (LWiS) - 2022-11-14

ROADtools Token eXchange (@_dirkjan), Certified pre-owned followup (@harmj0y + @tifkin_), AAD Privileged Access (@0xcsandker), FindEmptySystem (@christruncer), TelemetrySource (@jsecurity101), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-11-07 to 2022-11-14.

News

Russian Hackers Are Publishing Stolen Abortion Records on the Dark Web. Much like the Finnish mental health breach and hospital attacks this shows that no targets are off limits for criminals. Putting a digital red cross probably won't help.
ISOs from the internet will have MotW. It was fun while it lasted. On to the next one.
About the security content of iOS 16.1.1 and iPadOS 16.1.1. XML parsing bugs could lead to RCE. The bug details are here and here. The update also limits AirDrop 'Everyone' option to 10 minutes in China with the speculation being that censors can't monitor airdropped content.
Amazon once again lost control (for 3 hours) over the IP pool in a BGP Hijacking attack. It is a little wild to me that in 2022 we still use protocols developed for use among friendly research institutions as the underlying infrastructure for cryptocurrencies whose original goal was to survive in a network of adversarial participants.
Mysterious company with government ties plays key internet role. I said last week, "your OS is just a bootloader for your browser." Perhaps we should take a look at who gets trusted by default in our browsers...
A Russian Missile Crew Was Geolocated From Just This Photo. OSINT is wild.
Intel 471 Acquires SpiderFoot. Attack surface monitoring is hot right now.
Github code search launches. I've been impressed with GitHub since the Microsoft acquisition. Let's see how long it lasts but so far so good.

Techniques and Write-ups

Introducing ROADtools Token eXchange (roadtx) - Automating Azure AD authentication, Primary Refresh Token (ab)use and device registration. Dirk-jan is in the pantheon of researchers where every post is a must read. When it comes with a tool release... oh baby..
Certificates and Pwnage and Patches, Oh My!. After a year, AD CS attacks have proven more pervasive than I thought they would be, led to more discoveries, and even patches from Microsoft to the way certs were mapped to identities. I guess you could say releasing their tooling really... imposed cost... as opposed to keeping it closed source.
Accidental $70k Google Pixel Lock Screen Bypass. This would be a perfect "bugdoor" (intentional bug used as a backdoor), but it looks like an honest mistake with a complex system of overlapping lockscreen.
Analysis of a LoadLibraryA Stack String Obfuscation Technique with Radare2 & x86dbg. Well laid out post on malware analysis.
Untangling Azure Active Directory Permissions II: Privileged Access. Building on part 1, this post explores more Azure Active Directory access concepts.
Microsoft Defender for Identity Recent Bypasses Comments. Some good tips for defenders.
Tales of Windows detection opportunities for an implant framework. Some interesting detection techniques in here with code samples.
Unit 42 Finds Three Vulnerabilities in OpenLiteSpeed Web Server. RCE, privilege escalation, and directory traversal - the holy trinity.
CVE-2019-8561: A Hard-to-Banish PackageKit Framework Vulnerability in macOS. A good post that also shows the Apple commitment to "old" OSs isn't there. Monterey's latest release (12.6.1) does not include the fix...

Tools and Exploits

EDD - FindEmptySystem. More details here
laZzzy is a shellcode loader, developed using different open-source libraries, that demonstrates different execution techniques.
Tool Release - Web3 Decoder Burp Suite Extension. Get those obnoxious cryptocurrency bounties!
TelemetrySource - Project created to map functions responsible for triggering events from various telemetry sources. Details here.
Introducing cnquery and cnspec. Imagine osquery but with GraphQL. Very cool.
CInject Windows Kernel inject (no module no thread).
SharpGmailC2 Our Friendly Gmail will act as Server and implant will exfiltrate data via smtp and will read commands from C2 (Gmail) via imap protocol.
cve-2022-41352-zimbra-rce Zimbra <9.0.0.p27 RCE.
AMSI-ETW-Patch Patch AMSI and ETW using a single byte patch for both.
CVE-2022-3699 Lenovo Diagnostics Driver EoP - Arbitrary R/W.
drv-vuln-scanner Finds imports that could be exploited, still requires manual analysis.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

squarephish is an advanced phishing tool that uses a technique combining the OAuth Device code authentication flow and QR codes.
Digital detritus. As a digital hoarder (look at me right now trying to collect and label all the relevant security stuff from last week) this post resinated with me.
GPT-4 Rumors From Silicon Valley. AI is getting scary.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.