Last Week in Security (LWiS) - 2024-03-04
macOS LPE (@patch1t), Ivanti backdoors (@NVISO_Labs), ESC14 (@Jonas_B_K), token theft (@rootsecdev), LSASS dumping (@Octoberfest73), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-02-26 to 2024-03-04.
News
- Kali Linux 2024.1 Release - They fixed this crippling bug in dpkg. Ludus will ship with Kali 2024.1 in 1.2.1 (next release).
- Binary Ninja 4.0: Dorsai - The latest major update for the much loved reverse engineering tool.
- HP wants you to pay up to $36/month to rent a printer that it monitors - Buy a black and white laser printer and never give another dollar to HP.
- Merck settles with insurers who denied $700 million NotPetya claim - The "11th-hour" settlement leaves more questions, but it seems that Merck got some payout. New policies are sure to include language exempting "state-sponsored" attacks, which will make attribution a multi-million dollar business.
- Nevada AG Asks Court to Ban Meta from Providing End-to-End Encryption to Minors - First they come saying, "won't you think of the children," then...
- 2024-03-01 listening in on the neighborhood - The ShotSpotter/SoundThinking location database has been leaked. Why do you care? These government controlled microphones have been used to record conversations that were then used in a court case.
Techniques and Write-ups
- Scrutinizing the Scrutinizer - What's more fun than getting an unauthenticated root shell on a network monitoring appliance?
- Leaking ObjRefs to Exploit HTTP .NET Remoting - You've heard of PS remoting (aka WinRM) but what about .NET Remoting? Turns out it can provide remote code execution. Sad that Microsoft didn't assign a CVE or give code white any credit, despite clearly patching this issue based on their report.
- CVE-2023-42942: xpcroleaccountd Root Privilege Escalation - A nice privesc for macOS.
- Covert TLS n-day backdoors: SparkCockpit & SparkTar - Some actors used the Ivanti Pluse Secure exploits to lay down some pretty sophisiticated backdoors.
- Persistence - Visual Studio Code Extensions - VSCode is found on nearly every developer's machine. This post presents a few options for how to use it for persistence.
- [PDF] ComPromptMized: Unleashing Zero-click Worms that Target GenAI-Powered Applications - An interesting approach to targeting retrieval-augmented generation (RAG) systems.
- ADCS ESC14 Abuse Technique - While not technically a new technique, its promotion to ESC14 will give it new prominence.
- Weaponization of Token Theft - A Red Team Perspective - Token theft isn't new, but this is a nice summary of a few techniques to leverage it.
- Dumping LSASS Like it's 2019 - A theme of using "old and discarded" tooling to dump LSASS in 2024 against an EDR via Cobalt Strike BOFs.
- Extracting Sensitive Information from the Azure Batch Service - Azure Batch service can be fruitful depending on your permissions. Keep a look out for these! Defenders, restrict who has these permissions in your tenants.
- Meet Silver SAML: Golden SAML in the Cloud - "Any attacker that obtains the private key of an externally generated certificate can forge any SAML response they want and sign that response with the same private key that Entra ID holds. With this type of forged SAML response, the attacker can then access the application—as any user." Compromised cloud environment could get messy. This (for the moment) is likely a great option to Entra ID persistence.
- DUALITY: Advanced Red Team Persistence through Self-Reinfecting DLL Backdoors for Unyielding Control - A lot to digest on this one. It's a long read. It's an interesting concept as "pesky" persistence. I have concerns on how loud it could be during red team ops. Code here.
- SSRF в Microsoft Designer - SSRF in Microsoft Designer.
- A Trip Down Memory Lane - The frustration and walkthrough of this one stuck out. It really shows the thought process and frustrations of evading endpoint detection. And "...do your dev work on a VM with no internet access...". We agree! Use Ludus. The post drops a tool called ldrgen - Template-based generation of shellcode loaders.
- GTPDOOR - A novel backdoor tailored for covert access over the roaming exchange - Some very stealth APT has to be upset with this post. Great find and RE work!
Tools and Exploits
- RKS - A script to automate keystrokes through a graphical desktop program (evilrdp may be a better choice).
- SilverSamlForger - Silver SAML Forger is C# tool that helps you create custom SAML responses. It can be used to implement the Silver SAML attack.
- dnsx 1.2.0 - This release adds the -recon flag which could eliminate/augment other tools in your recon pipeline.
- MultCheck - Identifies bad bytes from static analysis with any Anti-Virus scanner.
- SharpLansweeperDecrypt - Automatically extract and decrypt all configured scanning credentials of a Lansweeper instance.
- mail-in-the-middle - Typo squating + mail = shells. See the Mail in the Middle post for more info.
- Nemesis-Download-Watcher - Watches the Downloads folder for any new files and inserts it into Nemesis for analysis.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- winhttp A library to make HTTP requests with the Windows winhttp API
- GoAWSConsoleSpray - Tool to spray AWS Console IAM Logins
- Devolutions Gateway - A blazing fast relay server adaptable to different protocols and desired levels of traffic inspection.
- [PDF] Android-Security-Research-Playbook.pdf - Darkwolf publishes their android research playbook
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.