Last Week in Security (LWiS) - 2024-02-07
All the Ivanti 0days, FTX SIM swap (@briankrebs), Unmanaged CLR patching (@kyleavery_), Midnight Blizzard fallout (@_wald0), Arachne mythic webshell (@its_a_feature_ ), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-01-29 to 2024-02-07.
News
- AnyDesk Incident Response 2-2-2024 - An RMM company, AnyDesk, was breached. "Customers Urged to Reset Passwords." Is breaching the upstream RMM company the ultimate traitorware?
- Ivanti - We're up to four (4) CVEs. CISA is ordering everyone to disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products from agency networks. Even Assetnote is getting in the action with a new authentication bypass. What a mess!
- Thanksgiving 2023 security incident - Threat actor utilized stolen credentials from the October 2023 Okta compromise to access Cloudflare's network. TLDR - Threat actors were in Cloudflare's internal wiki, bug database, and established persistent access to the Atlassian server but 2FA prevented most lateral movement. Cloudflare even returned the hardware that was connected to a console server the actors attempted but failed to gain access to. Now that is serious remediation!
- First look: Windows 11 is getting native macOS or Linux-like Sudo command - The Sudo, “superuser do,” command is coming to Windows 11 as part of the developer settings. Embrace, extend, and extinguish.
- Externalizing the Google Domain Tiers Concept - Google's Security Team has introduced the concept of Domain Tiers to categorize approximately 10,000 domains based on sensitivity, helping prioritize security efforts. The tiering system, with five levels (Tier 0 being the highest sensitivity), aids in identifying potential vulnerabilities and influences Google Vulnerability Reward payouts. This is really dope!
- Hundreds of network operators' credentials found circulating in the Dark Web - An attacker named 'Snow' compromised RIPE NCC account credentials, leading to a three-hour service outage and over 1,572 compromised customer credentials across various regional internet registries. Fun times.
- Vastaamo hacker traced via 'untraceable' Monero transactions, police says - "KRP did not disclose the exact mechanism for tracing the Monero transactions, citing the need to protect sensitive investigative techniques that can prove invaluable in future cases. Thus, the exact methods involved are unclear." However, the suspect used a centralize exchange to exchange between BTC and XMR and eventually an email address linked to a server managed by the suspect. Seems like a lot of opportunities to find the suspect other than breaking XMR privacy, and I highly doubt that has happened. Binance Will Delist XMR on 2024-02-20, which may be related. Reminder: the Universal Declaration of Human Rights Article 12 states privacy is a universal human right and not a crime. Using XMR for crimes is a crime, the same way using USD cash for crimes is a crime.
- Arrests in $400M SIM-Swap Tied to Heist at FTX?. Three Americans charged with orchestrating SIM-swapping attacks resulting in over $400 million of stolen crypto, likely from FTX. The attacks took place between March 2021 and April 2023. There is no excuse to use SMS based 2FA for anything important after all these SIM swaps. Phone companies are not the place to outsource your identity verification!
- Qualys TRU Discovers Important Vulnerabilities in GNU C Library's syslog(). The two technical write ups are linked at the bottom of the post. Put CVE-2023-6246, CVE-2023-6779, and CVE-2023-6780 on your PoC watch list as they will be nice Linux LPEs.
- Finance worker pays out $25 million after video call with deepfake 'chief financial officer'. The best deepfake we know about. Put this on your "why you should care" slide for your next vishing assessment.
Techniques and Write-ups
- How to Report the MFA Status for Entra ID User Accounts - Good defender/sysadmin article to deduce who's using MFA by combining authentication methods & signin logs.
- Sensecon 23: from Windows drivers to an almost fully working EDR - The author of the post wrote MyDumbEDR to learn more about EDRs and windows internals. Awesome write-up!
- Anonymous IP address involving Apple iCloud Private Relay - iCloud Private Relay is being used by their iPhone users to "anonymize" their traffic. Well, that is causing some issues for defenders. Some defenders might allowlist these relays on their SIEM or security tooling. Time for red teams to look into using this if you haven't already.
- The curious case of DangerDev@protonmail.me - A detailed blog post on an AWS incident response use-case from a month long attack. Initial access via exposed access key, some recon via SES and IAM API calls, privilege escalation via AttachUserPolicy, and more.
- Unmanaged .NET Patching - Patching .NET functions from an unmanaged CLR host, to massage managed code at runtime by @kyleavery_.
- Evolution of UNC4990: Uncovering USB Malware's Hidden Depths - Always fun to read threat actor tradecraft. This one particularly stood out because threat actors are using vimeo[.]com and arstechnica[.]com to host payloads in addition to their usual registered domains.
- Microsoft Breach — What Happened? What Should Azure Admins Do? - Excellent blog post to summarize the Midnight Blizzard breach by Andy Robbins.
- Visualizing ACLs with Adalanche - An alternative to Bloodhound when enumerating AD. Maybe not as signatured as Sharphound for those looking for a quick option. We originally talked about Adalanche all the way back in LWiS 2021-06-14!
- CVE-2024-21733 Apache Tomcat HTTP Request Smuggling - Imaging getting creds as your initial access on a red team by pulling this off 🤯. Of course the password was Dec2023!.
Tools and Exploits
- RoleCrawl - PowerShell tool designed to audit User and Group role assignments in Azure, covering both subscription and resource scopes.
- hfinder - Help recon of hostnames from specific ASN or CIDR, thanks to Robtex and BGP.HE
- ThievingFox - A collection of post-exploitation tools to gather credentials from various password managers and windows utilities. Came with a blog post.
- IntelRAGU - An open-source initiative to document and share experiments to apply Retrieval Augmented Generation (RAG) techniques to Threat Intelligence searching capabilities.
- arachne is a Mythic webshell payload for Windows (aspx) and Linux (php). When run alone, the arachne container reaches out to the specified URL to issue tasking. When an agent links via P2P to an arachne agent, then that agent will remotely reach out to the specified URL to issue tasking. Check out the blog: Spinning Webs — Unveiling Arachne for Web Shell C2.
- ReverseSocks5 - Single executable reverse SOCKS5 proxy written in Golang. This is v2 which adds SOCKS5 support.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- certstream-server-go - This project aims to be a drop-in replacement for the certstream server by Calidog. This tool aggregates, parses, and streams certificate data from multiple certificate transparency logs via websocket connections to the clients.
- SigFinder - Identify binaries with Authenticode digital signatures signed to an internal CA/domain. This could be useful when pillaging SCCM distribution point servers.
- wirez - redirect all TCP/UDP traffic of any program to SOCKS5 proxy.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.