Last Week in Security (LWiS) - 2023-01-16
SCCM relay to takeover (@_Mayyhem), LAPS 101 (@mega_spl0it), Sliver vs Havoc (@Naw), Defender LPE (@pixiepointsec), CircleCI post mortem, ASRmageddon, and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-01-09 to 2023-01-16.
News
- Supporting the Use of Rust in the Chromium Project. Rust is coming, and its taking down memory safety bugs/exploits as its spreads.
- Sustaining Digital Certificate Security - TrustCor Certificate Distrust. As previously reported, reporting from the Washington Post has led to questions about TrustCor, and this is the official announcement that Google is dropping them from the Chrome CA root store.
- CircleCI incident report for January 4, 2023 security incident. There is still some detail missing (no detail on how they know "the third party extracted encryption keys from a running process" and no public samples of the malware), but the incident report does shed light on how all of CircleCI was compromised. A single employee had their SSO session cookie stolen, and the production system fell. Now is a good time to tabletop what would happen at your company if your lead engineer had their SSO cookie stolen... In the meantime, follow this IR guide.
- [PDF] P@s$w0rds at the U.S. Department of the Interior: Easily Cracked Passwords, Lack of Multifactor Authentication, and Other Failures Put Critical DOI Systems at Risk. People still choose terrible passwords. Arm your users with a password manager and teach them how to use it. Enforce MFA everywhere you can. Hand out hardware tokens and enforce their use. With the rise of passkeys, a passwordless future is possible, but legacy password support will be around for at least the next 25 years.
- Recovering from Attack Surface Reduction rule shortcut deletions. Friday the 13th saw Attack Surface Reduction users get an updated definition that "resulted in the deletion of files that matched the incorrect detection logic primarily impacting Windows shortcut (.lnk) files." This manifested itself with users calling the help desk stating that "all my apps are gone," which sounds a lot like ransomware. Thanks Microsoft. AddShortcuts.ps1 might help recover shortcuts for users.
Techniques and Write-ups
- SCCM Site Takeover via Automatic Client Push Installation. SCCM is perhaps the best lateral movement technique against organizations that use it, but the issue for red teams was compromising the primary server. With this research, it's possible to land a single phish (get any authenticated domain user), and coerce/relay your way to SCCM site takeover, which enables you to push out arbitrary executables or run scripts on every machine managed by SCCM. If ransomware crews aren't already doing this, they soon will be. Protect the MSSQL endpoints that SCCM use!
- Microsoft Defender for Identity Lateral Movement from Forest to Forest without a Forest trust. Using Defender to jump between untrusted forests? Awesome.
- Malware-based attacks on ATMs - A summary. Perhaps not the most relevant article for red/blue teams, but still interesting.
- A LAPS(e) in Judgement. A good overview of the local admin password solution (LAPS) for Windows domains, how to set it up, how to abuse it, and how to detect that abuse.
- T95-H616-Malware. "Pre-Owned" malware in ROM on T95 Android TV Box (AllWinner H616).
- Sliver vs havoc. If you aren't familiar with two of the more popular non-Cobalt Strike C2s that are available, this post breaks them down.
- CVE-2021-31985: Exploiting the Windows Defender AsProtect Heap Overflow Vulnerability. The irony of using Windows Defender to get a SYSTEM shell is delicious.
Tools and Exploits
- secret_handshake - A prototype malware C2 channel using x509 certificates over mTLS.
- phishim is a phishing tool which reduces configuration time and bypasses most types of MFA by running a chrome tab on the server that the user unknowingly interacts with.
- CoffLoader - an implementation of in-house CoffLoader supporting CobaltStrike standard BOF and BSS initialized variables.
- latma - Lateral movement analyzer (LATMA) collects authentication logs from the domain and searches for potential lateral movement attacks and suspicious activity. The tool visualizes the findings with diagrams depicting the lateral movement patterns.
- gophish - GoPhish automation.
- CVE-2023-0179: Linux kernel stack buffer overflow in nftables: PoC and writeup. PoC has been pulled for the time being, but as this effects Linux from ~2019 and later, it could be a pretty widespread LPE and potentially some LAN crashes or RCE.
- LocalPotato is coming soon! - Watch this space.
- Issue 2361: XNU race condition in vm_map_copy_overwrite_unaligned allows writing to read-only mappings. Ian Beer drops his "MacDirtyCow" which is already being used in the jailbreaking scene to do non-persistent tweaks.
- OffensivePipeline allows you to download and build C# tools, applying certain modifications in order to improve their evasion for Red Team exercises. Version 2 just dropped.
- Open Sourcing Incident Management system. The HARP incident management system, designed to help teams quickly and effectively respond to and resolve any incidents that may occur, specifically in the tech industry, is now open source!
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- Crassus - Windows privilege escalation discovery tool
- ShellWasp is a tool to help build shellcode that utilizes Windows syscalls, while overcoming the portability problem associated with Windows syscalls. ShellWasp is built for 32-bit, WoW64.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.