Last Week in Security (LWiS) - 2022-12-12

Apple data privacy, ChatGPT vs bug bounty, Syscall Hooks in Windows (@Denis_Skvortcov), SMSgate, Standalone Managed Service Accounts (@simondotsh), StealthHook (@x86matthew), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-12-05 to 2022-12-12.

News

  • Apple advances user security with powerful new data protections. This is a great step forward for a company that has marketed "privacy" but technically had some work to do. While iMessage has always been end-to-end encrypted, iCloud backups, which conveniently contain all your iMessages, have not been. Thus, with a simple court order, all your iPhone contents were available to any legally valid request. With this change, everything except Email, Contacts, and Calendar is encrypted on iCloud, rendering those data requests useless. iMessage Contact Key Verification feels a lot like Signal, and security key support for iCloud accounts is long overdue. While none of these steps are groundbreaking, Apple is pushing the boundaries for "mainstream" tech privacy.
  • ChatGPT bid for bogus bug bounty is thwarted. It was inevitable. Perhaps bugs will be triaged by AI soon, and the AIs can fight it out amongst themselves.
  • Anker's Eufy lied to us about the security of its security cameras. Last week's story was only about the notification image, but it appears that you could get an unencrypted stream URL from Eufy cameras that worked over the internet until recently. So much for local only. I repeat: Put your cameras on a VLAN without egress, and VPN in to view them - trust no one.
  • Releasing Semgrep 1.0. Now you have no excuse for not using it to find vulns.
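The "cameras on a VLAN without egress, VPN in to view them" advice from the Eufy item above, as an added example (not from any of the linked projects): a POSIX shell function that emits an nftables ruleset for a Linux router. Interface names (cam0 for the camera VLAN, lan0 for the trusted LAN, wg0 for the WireGuard VPN) are assumptions; adjust them to your own.

```shell
#!/bin/sh
# Assumed router interfaces (constructed names, change to match your box):
#   cam0 - camera VLAN: may answer connections, may never open one beyond itself
#   lan0 - trusted LAN where the NVR and viewing clients live
#   wg0  - WireGuard tunnel that remote viewers connect through
# The ruleset is written to stdout so it can be reviewed before loading.
camera_vlan_ruleset() {
cat <<'EOF'
table inet camera_isolation {
    chain forward {
        type filter hook forward priority 0; policy accept;

        # Replies to flows that a trusted client already opened toward a camera
        ct state established,related accept

        # Trusted LAN and VPN clients may open connections to the cameras
        iifname { "lan0", "wg0" } oifname "cam0" accept

        # Cameras may not open a connection to anything else: no cloud, no WAN, no LAN.
        # Logged so an attempt shows up in the journal as evidence of phone-home behaviour.
        iifname "cam0" counter log prefix "camera-egress-blocked: " drop
    }

    chain input {
        type filter hook input priority 0; policy accept;

        # The router itself only serves DHCP and NTP to the camera VLAN
        iifname "cam0" udp dport { 67, 123 } accept
        iifname "cam0" counter drop
    }
}
EOF
}

# Counts the drop rules so a reviewer can confirm the isolation rules are present.
camera_vlan_drop_rules() {
    camera_vlan_ruleset | grep -c 'drop'
}
```

Save the output to a file, check it with `nft -c -f <file>`, then load it with `nft -f <file>`; other tables on the router keep their own rules since this table only adds drops for cam0.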

Techniques and Write-ups

Tools and Exploits

  • RedditC2 - Abusing the Reddit API to host C2 traffic; since most blue-team members use Reddit, it might be a great way to make the traffic look legit.
  • emailGPT - a quick and easy interface to generate emails with ChatGPT.
  • noseyparker is a command-line program that finds secrets and sensitive information in textual data and Git history.
  • CVE-2022-44721 Crowdstrike Falcon Uninstaller.
  • DCOMPotato - Exploit collection for some Service DCOM Object local privilege escalation vulnerabilities (SeImpersonatePrivilege abuse).
  • WindowSpy is a Cobalt Strike Beacon Object File meant for targeted user surveillance. The goal of this project was to trigger surveillance capabilities only on certain targets, e.g. browser login pages, confidential documents, VPN logins etc.
  • Wiretap is a transparent, VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • BlueMap helps penetration testers and red teamers perform Azure auditing, discovery & enumeration, and exploitation in an interactive mode that saves the complex opsec and overhead usually involved in Azure penetration testing engagements.
  • TProxy is an interception proxy for TCP traffic. It can be used to monitor, drop, modify or inject packets in an existing TCP connection. For monitoring purposes, TProxy has the ability to decrypt incoming TLS traffic and re-encrypt outgoing packets. It also leverages Wireshark dissectors to build a dissection tree of each intercepted packet.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.