Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past 2 weeks. This post covers 2023-02-20 to 2023-03-07.
- Cobalt Strike 4.8: (System) Call Me Maybe. Some great new features (multi-byte XOR for DLL loading), and bug fixes including the age old impersonation bug (that would always say "Impersonated <current user>"). Welcome changes in a competitive landscape.
- Mythic 2.3 -> 3.0 Updates. Not to be left behind, Mythic is moving to 3.0 with an all new Go backend.
- Google Trust Services now offers TLS certificates for Google Domains customers. Google Domains customers can now use DNS-01 challenges to get certificates!
- LastPass breach update: The few additional bits of information. The saga continues. A Plex Media Server RCE on a DevOps engineer's home computer led to the theft of all LasPass data. This should have been stopped at a few different levels, and they subtle blame shift to the engineer isn't good. You have to assume that any device you don't control is fully compromised and monitor access from it appropriately (or deny it).
- We're going teetotal: It's goodbye to The Daily Swig. Pour one out for this great news source.
- How I Broke Into a Bank Account With an AI-Generated Voice. I've been warning about this for a while. Even Sneakers (1992) showed how easy voice based authentication was to spoof.
- Highlights from the New U.S. Cybersecurity Strategy. Grab the highlights here or dig into the full PDF.
- Sensitive US military emails spill online. But remember, if you don't use FIPS validated and certified crypto modules, you are putting sensitive information at risk!
Techniques and Write-ups
- CI/CD secrets extraction, tips and tricks Synacktiv drops Nord Stream, a tool that allows you to list the secrets stored inside CI/CD environments and extract them by deploying malicious pipelines. It currently supports Azure DevOps and GitHub. Don't be fooled by "secret" files and "masked" variables. If the pipeline needs it to build, it can be extracted.
- The code that wasn't there: Reading memory on an Android device by accident. These low level exploits are always somewhat magic to me.
- Red Teaming macOS 101. Excellent write-up for those involved in attacking/defending MacOS assets!
- Windows Hotpatching & Process Injection. Did you know the latest Windows insider builds and Azure server ISOs can hotpatch running processes? Expect both malware and EDRs to (ab)use this feature in the future.
- Microsoft Azure Account Takeover via DOM-based XSS in Cosmos DB Explorer. Regex is hard for everyone. In this case, a single unescaped dot led to a 1-click Azure account takeover.
- A New Vector For “Dirty” Arbitrary File Write to RCE. Lax config parsers allow arbitrary data/files to be used to "smuggle" configuration files. This technique was used with Redis a while back.
- OneNote Embedded File Abuse. Not caught up on the latest hotness (.one)? Get with the program!
- From on-prem to Global Admin without password reset. An "On-prem to Global admin" attack path that requires quite a foothold but still good to have in your bag as it might bypass some Conditional Access configurations.
- From CVE-2022-33679 to Unauthenticated Kerberoasting. If you missed the kerberos exploit from 2022-10, this post does a good job of introducing the concept of pre-authentication, explaining the flaw, and how to exploit it.
- Microsoft Word RTF Font Table Heap Corruption. Just a crash PoC, but with a CVSS of 9.8, and Word 2007 to Insider Preview - 2211 Build 15831.20122 CTR affected, expect to see it in the wild soon.
- Maldoc Transfers in the Google Cloud. Host your payloads on a high reputation Google domain (cloudfunctions.net).
- Let's build a Chrome extension that steals everything. Red teamers should have an extension like this ready to deploy as we move to a SaaS world and the browser is the only security control after initial access. Code here.
- Having fun with KeePass2: DLL Hijacking and hooking APIs. Hooking via DLL hijacking is a powerful primitive.
- Introducing Aladdin. A new tool and technique for red teamers to bypass misconfigured Windows Defender Application Control (WDAC) and AppLocker. Aladdin exploits a deserialisation issue over .NET remoting in order to execute code inside addinprocess.exe, bypassing a 2019 patch released by Microsoft in .NET Framework version 4.8.
Tools and Exploits
- MemFiles - A CobaltStrike toolkit to write files produced by Beacon to memory instead of disk.
- Amsi-Killer - a "lifetime AMSI bypass."
- Thunderstorm - Modular framework to exploit UPS devices. Only 2 exploits for now.
- msidump - a tool that analyzes malicious MSI installation packages, extracts files, streams, binary data and incorporates YARA scanner.
- lolbin-poc - Small PoC of using a Microsoft signed executable as a lolbin.
- Kraken - a modular multi-language webshell coded by @secu_x11.
- DroppedConnection - Emulates a Cisco ASA Anyconnect VPN service, accepting any credentials (and logging them) before serving VBS to the client that gets executed in the context of the user.
- Timeroast - Scripts that execute timeroasting and trustroasting attack techniques by discovering weak computer or trust passwords within an Active Directory domain.
- AtomLdr - A DLL loader with advanced evasive features.
- bootlicker - A generic UEFI bootkit used to achieve initial usermode execution. It works with modifications.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- Locksmith. A tiny tool to identify and remediate common misconfigurations in Active Directory Certificate Services. Quick wins for Sysadmins!
- APKHunt is a comprehensive static code analysis tool for Android apps that is based on the OWASP MASVS framework. Although APKHunt is intended primarily for mobile app developers and security testers, it can be used by anyone to identify and address potential security vulnerabilities in their code.
- Coercer. A python script to automatically coerce a Windows server to authenticate on an arbitrary machine through 12 methods. #onetorullethemall
- curl-impersonate - A special build of curl that can impersonate Chrome & Firefox.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.