Last Week in Security (LWiS) - 2023-07-17
Microsoft O365 was compromised for a few months for 25 customers, block EDR DLL loading (@ShitSecure), stashing shellcode in 3D models (@TrustedSec), AMSI bypasses (@pfiatde), Atlassian Companion macOS RCE (@_r3ggi), the smallest C# binary (@washi_dev), >350 blogs monitored, and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-07-10 to 2023-07-17.
News
- Analysis of Storm-0558 techniques for unauthorized email access. This was the story of the week. TL;DR: a stolen Microsoft account (MSA) consumer signing key (still unclear how it was stolen) was used to forge Azure AD tokens. This shouldn't be possible, but due to a bug in the Azure code it was. The actor used these forged tokens to pillage 25 private and US government unclassified Office 365 accounts.
- CVE-2023-36884 - Microsoft Office and Windows HTML Remote Code Execution: Threat Brief (Updated). You have the attack surface reduction rule enabled that blocks this (Block all Office applications from creating child processes) already, right?
- Microsoft Revokes Malicious Drivers in Patch Tuesday Culling. Over 100 malicious drivers were revoked this month. 100 were signed by Microsoft themselves. 🤦
- France set to allow police to spy through phones. "Covering laptops, cars and other connected objects as well as phones, the measure would allow the geolocation of suspects in crimes punishable by at least five years' jail. Devices could also be remotely activated to record sound and images of people suspected of terror offenses, as well as delinquency and organized crime." Curious how this will work with open source software/hardware. Will all devices sold in France require this backdoor? Will it then be illegal to use devices without the backdoor?
- Senate bill crafted with DEA targets end-to-end encryption, requires online companies to report drug activity. Not to be outdone by France, the DEA tries to kill end-to-end encryption by including wording holding companies accountable for conduct they don't report if they “deliberately blind” themselves to the violations. Apple's latest iCloud encryption updates surely violate this. Hopefully their lobbying can stop this.
- CVSS v4.0 calculator - PUBLIC PREVIEW. Get those 9.8's ready!
- SonicWall GMS and Analytics affected by multiple vulnerabilities. I just want 1 week where there isn't an edge security device with a 9+ CVSS bug...
- Azure AD is being renamed to Microsoft Entra ID. You must get a bonus for a rename at Microsoft. Shoutout to the SMS/SCCM/MECM/ConfigMgr/Microsoft Endpoint Manager team. Hey, at least we get Phishing PoC for Entra Rebranding.
Techniques and Write-ups
- From Blackbox .NET Remoting to Unauthenticated Remote Code Execution. I respect the struggle to find obscure DLLs (he says, with two Windows Embedded installs running just to find DLLs).
- Tales From the Road: A Cyber Security Breach is Only A Phone Call Away. If you don't have a phone call capability (spoofing) in your red team offering, you are behind the curve as even teenagers are doing it.
- Cat & Mouse - or Chess? What if you can hook the function in ntdll.dll that loads DLLs and prevent it from loading EDR DLLs? A great question, and it turns out, you can!
- Modeling Malicious Code: Hacking in 3D. It's goofy, but why not store some shellcode in a 3D model?
- Performance, Diagnostics, and WMI. "Performance Monitor offers some interesting ways for attackers to extend their lateral movement or persistence opportunities by hijacking a service's performance DLL. With this, we gain a novel WMI lateral movement primitive and I do believe there is a lot more to be explored here." Grab the PoC.
- SSD Advisory - EdgeRouters and AirCube miniupnpd Heap Overflow. It's LAN side, thankfully.
- Proof of Concept Developed for Ghostscript CVE-2023-36664 Code Execution Vulnerability. Update those LibreOffice installs.
- PoC Exploit: Fake Proof of Concept with Backdoor Malware. The disclaimer at the bottom of this post isn't just for fun.
- Poch, Poch, is this thing on? Bypass AMSI with Divide & Conquer. Defender is the first level boss of any malware dev.
- macOS Atlassian Companion Remote Code Execution. Click edit on a Confluence page and, believe it or not, go straight to RCE.
- How small is the smallest .NET Hello World binary? 834 bytes (with additional trailing zero bytes). But boy are there some hacks to get there.
Tools and Exploits
- BOF_Development_Docker - A VSCode devcontainer for development of COFF files with batteries included.
- BlackLotus is an innovative UEFI Bootkit designed specifically for Windows. It incorporates a built-in Secure Boot bypass and Ring0/Kernel protection to safeguard against any attempts at removal.
- WubbabooMark - Debugger Anti-Detection Benchmark.
- HadesLdr - Shellcode loader implementing indirect dynamic syscalls, API hashing, and fileless shellcode retrieval using Winsock2.
- curlshell - reverse shell using curl.
- BadZure - BadZure orchestrates the setup of Azure Active Directory tenants, populating them with diverse entities while also introducing common security misconfigurations to create vulnerable tenants with multiple attack paths.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- PrivKit is a simple beacon object file that detects privilege escalation vulnerabilities caused by misconfigurations on Windows OS.
- RecycledInjector - Native Syscalls Shellcode Injector.
- Resource Based Constrained Delegation - Practical Guide for Active Directory Privilege Escalation and Lateral Movement. Very thorough article on RBCD.
- Cookie-Graber-BOF - C or BOF file to extract the WebKit master key to decrypt user cookies.
- MagicSigner - Signtool for expired certificates.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.