Jan 30 2024 Last Week in Security (LWiS) - 2024-01-30

Fastly to block domain fronting 🔜, EDR bypass via VEH (@VirtualAllocEx), BOFHound enhancements (@Tw1sm), Frameless BITB (@waelmas01), Asus ndays (@suidpit + @Th3Zer0), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-01-22 to 2024-01-30.

News

How Russian spooks hacked Microsoft, the gap in its “morally indefensible” response, and what CISOs can learn from the attack - Fallout from the story that broke last week. We could see some changes coming to the Microsoft Graph API in the near future.
Introducing the Mutator Kit: Creating Object File Monstrosities with Sleep Mask and LLVM - Cobalt Strike team has introduced the mutator kit, which uses an LLVM obfuscator to break in-memory YARA scanning of the sleep mask. This continues their "Evasion through flexibility" strategy.
Top 10 web hacking techniques of 2023 - We look forward to this list every year. Cast your votes!
WMI command line (WMIC) utility deprecation: Next steps - For the whoami.exe crew (thats not you of course), wmic.exe is being retired! WMI is still available via powershell.
Introducing Windows Server 2025! - Yet we're still seeing 2003, 2008, and 2012 in almost every engagement? Sweet!
Fastly to block domain fronting in February 2024. All good things must come to an end. Fastly was by far the largest CDN that supported fronting. Now it's just the smaller players. See [PDF] Measuring CDNs susceptible to Domain Fronting.
Wyden Releases Documents Confirming the NSA Buys Americans' Internet Browsing Records. Did you read the terms of your ISP contract? Spoiler: they told you they are going to sell all your netflow and DNS to whomever they want. Remember: “We Kill People Based on Metadata”.

Techniques and Write-ups

Bypassing browser tracking protection for CORS misconfiguration abuse Blog that talks about bypassing browser tracking protection through CORS misconfiguration abuse, explaining the CORS web protocol, detailing specific HTTP headers used in CORS, and highlights vulns associated with misconfigurations, with a focus on Access-Control-Allow-Credentials.
Shipping your Private Key - CVE-2023-43870, Paxton do a Lenovo - A vuln (CVE-2023-43870) in Paxton Access's Net2 software, revealing that the default installation of Net2 includes a vulnerable certificate authority (CA) key, allowing an attacker to intercept HTTPS traffic on machines running Net2 or those that installed the CA as instructed by the Web API.
Leveraging Fake DLLs, Guard Pages, and VEH for Enhanced Detection - Unconventional but very interesting detection mechanism used in conjunction with EDR, based on a combination of process environment block (PEB) modification, the use of fake DLLs and guard pages, and the use of vectored exception handling.
Syscalls via Vectored Exception Handling - Executing the native APIs used in the context of loading shellcode using syscalls via Vectored Exception Handling (Vectored Syscalls). VEH has some haters.
CVE-2024-0204: Fortra GoAnywhere MFT Authentication Bypass Deep-Dive - Fortras (yes the same Fortra that sells Cobalt Strike) GoAnywhere MFT product has an auth bypass. PoC for CVE-2024-0204 is already out.
Macros Unleashed: Redefining Red Teaming with Advanced Macro Strategies-Part 2 - Not very OPSEC friendly but still good references nonetheless. Are macros making a comeback? Maybe they never left for some.
GraphStrike: Anatomy of Offensive Tool Development. The GraphStrike tool was in last LWiS, but this blog post wasn't. Enjoy!
Phishing Microsoft Teams for initial access - Not really news that Teams is being used to delivery payloads/links but this is a good write up with screenshots on how it is done. Discussed last year by BHIS in BSides Orlando 2023.
BOFHound: Session Integration. bofhound has been around for a while but just got some extra powers related to session data and local group data.
A christmas tale: pwning GTB Central Console (CVE-2024-22107 & CVE-2024-22108). A good run through from ISO download to RCE.
Hunting for Unauthenticated n-days in Asus Routers. The use of Qiling to emulate the firmware is neat as they had to emulate nvram for configuration storage.
A Practical Guide to PrintNightmare in 2024. PrintNightmare may be a memory, but the core of the issue - printer drivers install as SYSTEM on Windows - hasn't changed. I love these kinds of "work around the problem" hacks. This post is true hacking and even drops some automation (powershell) to help exploit vulnerable scenarios.
Rook to XSS: How I hacked chess.com with a rookie exploit. Ah the days of myspace worms. Simpler times.
How Apple accidentally broke my Spotify client. Not really cybersecurity related, but the level of depth in the investigation was so deep it was basically a vulnerability write up. Impressive. Spoiler: it was DNS (because of course it was).

Tools and Exploits

SOAPHound - This made some noise this week. A custom-developed .NET data collector tool which can be used to enumerate Active Directory environments via the Active Directory Web Services (ADWS) protocol.
InjectKit - Modified versions of the Cobalt Strike Process Injection Kit
Stardust - A modern 64-bit position independent implant template. Came with a good blog if you want to take a look here.
Grroxy - Another competitor to Burpsuite Pro? Caido is another one that comes to mind.
Frameless BITB - A new approach to Browser In The Browser (BITB) without the use of iframes, allowing the bypass of traditional framebusters implemented by login pages like Microsoft and the use with Evilginx. Even came with a demo.
CsWhispers - Source generator to add D/Invoke and indirect syscall methods to a C# project.
EventLogCrasher - Proof of concept for a bug, that allows any user to crash the Windows Event Log service of any other Windows 10/Windows Server 2022 machine on the same domain. The crash occurs in wevtsvc!VerifyUnicodeString when an attacker sends a malformed UNICODE_STRING object to the ElfrRegisterEventSourceW method exposed by the RPC-based EventLog Remoting Protocol.
ExecIT - Execute shellcode files with rundll32.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

Understanding Windows x64 Assembly - Add this to your Windows programming reading list.
Trimarc Whitepaper: Owner or Pwnd? - This whitepaper touches on all aspects of AD ownership: Organizational Units (OUs), Computers, Groups, Users, AD Certificate Services (ADCS), Group Policy Objects (GPOs), and even Active Directory Integrated DNS (ADI DNS).
jsoncrack.com - ✨ Innovative and open-source visualization application that transforms various data formats, such as JSON, YAML, XML, CSV and more, into interactive graphs.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.