🔒
There are new articles available, click to refresh the page.
✇ Hexacorn Ltd

Beyond good ol’ Run key, Part 138

By: adam
This is a post that should have appeared here at least 10 years ago. There is an enigmatic Registry entry: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\Extension\PeerdistDllName=peerdist.dll that I came across many times before. The […]
✇ Hexacorn Ltd

Beyond good ol’ Run key, Part 137

By: adam
This is a neat persistence trick you can use… if you got access to TrustedInstaller… The wininet.dll library in Windows 10+ extends the functionality of InternetErrorDlg function to reach out […]
✇ Krebs on Security

Crime Shop Sells Hacked Logins to Other Crime Shops

By: BrianKrebs

Up for the “Most Meta Cybercrime Offering” award this year is Accountz Club, a new cybercrime store that sells access to purloined accounts at services built for cybercriminals, including shops peddling stolen payment cards and identities, spamming tools, email and phone bombing services, and those selling authentication cookies for a slew of popular websites.

Criminals ripping off other crooks is a constant theme in the cybercrime underworld; Accountz Club’s slogan  — “the best autoshop for your favorite shops’ accounts” — just normalizes this activity by making logins stolen from users of various cybercrime shops for sale at a fraction of their account balances.

The site says it sells “cracked” accounts, or those that used passwords which could be easily guessed or enumerated by automated tools. All of the credentials being sold by Accountz provide access to services that in turn sell access to stolen information or hijacked property, as in the case of “bot shops” that resell access to infected computers.

One example is Genesis Market, where customers can search for stolen credentials and authentication cookies from a broad range of popular online destinations. Genesis even offers a custom-made web browser where you can load authentication cookies from botted PCs and waltz right into the account without having to enter a username or password or mess with multi-factor authentication.

Accountz is currently selling four different Genesis logins for about 40-50 percent of their unspent balances. Genesis mostly gets its inventory of botted computers and stolen logins from resellers who specialize in deploying infostealer malware via email and booby-trapped websites. Likewise, it appears Accountz also derives much of its stock from a handful of resellers, who presumably are the same ones doing the cybercrime service account cracking.

The Genesis bot shop.

In essence, Accountz customers are paying for illicit access to cybercrime services that sell access to compromised resources that can be abused for cybercrime. That’s seriously meta.

Accountz says its inventory is low right now but that it expects to offer a great deal more stock in the coming days. I don’t doubt that’s true, and it’s somewhat remarkable that services like this aren’t more common: From reporting my “Breadcrumbs” series on prominent cybercrime actors, it’s clear that a great many cybercriminals will use the same username and password across multiple services online.

What’s more, relatively few cybercrime shops online offer their users any sort of multi-factor authentication. That’s probably because so few customers supply their real contact information when they sign up. As a result, it is often far easier for customers to simply create a new account than it is to regain control over a hacked one, or to change a forgotten password. On top of that, most shops have only rudimentary tools for blocking automated login attempts and password cracking activity.

It will be interesting to see whether any of the cybercrime shops most heavily represented in the logins for sale at Accountz start to push back. After all, draining customer account balances and locking out users is likely to increase customer support costs for these shops, lower customer satisfaction, and perhaps even damage their reputations on the crime forums where they peddle their wares.

Oh, the horror.

✇ PortSwigger Blog

A modern, elastic design for Burp Collaborator server

When we launched Burp Collaborator back in 2015, PortSwigger deployed a public Collaborator server that anyone could use. This meant that OAST testing with Burp Collaborator was able to work straight
✇ Zero Day Initiative - Blog

Looking Back at the Zero Day Initiative in 2021

By: Brian Gorenc

Now that we’re almost through the first month of 2022, it’s a good opportunity for us to take a look back at 2021 and the accomplishments of the Zero Day Initiative throughout the year. The past year was certainly a year full of its challenges, but we also celebrated some unique achievements in our busiest year ever. In addition to publishing the highest number of advisories in the history of the program, we hit our first million-dollar Pwn2Own in April. And as if that weren’t enough, we did it again in the fall as Pwn2Own Austin also exceeded the $1,000,000 threshold.

To say these were superlative events is an understatement. In the spring edition, we saw multiple Exchange exploits demonstrated, including ProxyShell. We saw 0-click remote code execution demonstrated on Zoom messenger and a 1-click code execution on Microsoft Teams. That’s on top of the Chrome, Edge, and Safari web browsers all getting compromised, too. The fall event had its own highlights, with the Samsung Galaxy, multiple routers, NAS devices, and printers being exploited. Watching a printer rock out some AC/DC after an exploit was just a bonus.

Of course, that should not detract from the great submissions we received throughout the year. We’ve already listed our Top 5 bugs from 2021, but that barely scratches the surface of the tremendous research disclosed to ZDI this past year. And while we are always impressed with the quality of research submitted to the program, ZDI’s own researchers stepped up this year and account for 31% of all published advisories. Still, we’re super thankful for our global community of independent researchers, and we congratulate the 25 researchers to achieve reward levels in 2021. We had six people reach Platinum status, two reach Gold, 4 Silver, and 13 Bronze. The work and submissions from our community of independent researchers are key to our success, and we thank all of them for their continued trust in our program.

Our program also wouldn’t work without vendors generating and releasing fixes for the vulnerabilities we report to them. The ZDI would not be able to sustain this level of advisories – and thus, better protections for Trend Micro customers – without the contributions of researchers and vendors, and we thank them for all they do.

Let’s take a look at some of the more interesting stats from 2021.

By the Numbers

In 2021, the ZDI has published 1,604 advisories – the most ever in the history of the program. This is the second year in a row where eclipsed our previous all-time total. While it’s unlikely we’ll keep up a record-breaking pace for the third year in a row, it does speak to the overall health of the program. Here’s how that number of advisories stacks up year-over-year.  

Figure 1 - Published Advisories Year-Over-Year

Coordinated disclosure of vulnerabilities continues to be a successful venture. While 2020 saw our largest percentage of 0-day disclosures, the number declined in 2021 to be in line with our “average” number of disclosures from previous years. The 137 0-day disclosures this past year represents 8.5% of our total disclosures – down from 18.6% the year before. This is a positive trend, and we hope it continues moving forward.

Figure 2 - 0-day Disclosures Since 2005

Here’s a breakdown of advisories by vendor. The top vendors here should not be surprising, although it is interesting to see Siemens in the top 5. We purchase quite a few ICS-related bugs throughout the year, and our Pwn2Own Miami competition focuses solely on ICS and SCADA-related bugs. In all, we disclosed 586 ICS-related bugs in 2021 – roughly 36.5% of the total number of advisories published by ZDI. As far as enterprise software goes, it’s no surprise at all to see Microsoft on top of the list again this year. In fact, 19.6% of all bugs addressed by Microsoft in 2021 came through the ZDI program, and we remain a significant source of bugs reported to Adobe, Apple, and others.

Figure 3 - Advisories per vendor for 2021

We’re always looking to acquire impactful bugs and, looking at the CVSS scores for the advisories we published in 2021, we did just that. A total of 74% of these vulnerabilities were rated Critical or High severity.

Figure 4 - CVSS 3.0 Scores for Published Advisories in 2021

Here’s how that compares year-over-year going back to 2015:

Figure 5 - CVSS Scores from 2015 through 2021

As you can see, after 2018 we made a conscious effort to ensure we were acquiring vulnerabilities that have the greatest impact on our customers. We’ll continue to do that in the coming year as well. We continually work with Trend Micro customers to determine which products they have deployed in their enterprise. That helps us shape our purchasing and research directions.

When it comes to the types of bugs we’re buying, here’s a look at the top 10 Common Weakness Enumerations (CWEs) from 2021:

Figure 6 - Top 10 CWEs from 2021 Published Advisories

It’s no surprise to see two CWEs related to out-of-bounds accesses at the top of the list, nor is it surprising to see this followed by use-after-free (UAF) bugs and heap-based buffer overflow issues. In fact, the top seven CWEs are all related to memory corruption somehow. A total of 72% of the advisories we published in 2021 were related to memory corruption bugs. Clearly, we as an industry still have work to do in this area.

Looking Ahead

Moving into the new year, we anticipate staying just as busy. We currently have more than 600 bugs reported to vendors awaiting disclosure. We have Pwn2Own Miami and Pwn2Own Vancouver just on the horizon – and both will (fingers crossed) have participation on location. This year will be the 15th anniversary of Pwn2Own in Vancouver, and we’re planning some very special treats as a way to celebrate. Don’t worry if you can’t come to the contest themselves, as we’ll be streaming the events on YouTube and Twitch as they occur. If you ever wanted to attend Pwn2Own but couldn’t, you have a chance to watch them online.

In the coming year, we’re also looking to expand our program by acquiring bugs with an even bigger impact on our customers and the global community. Expect to see us purchasing more bugs in cloud-native applications, the Linux operating system, and anything else that poses a significant threat to our customer’s networks and resources. We look forward to refining our outreach and acquisition efforts by further aligning with the risks our customers are facing to ensure the bugs we squash have the biggest impact on our customers and the broader ecosystem.

In other words, 2022 is shaping up to be another exciting year with impactful research, great contests, and real information you can use. We hope you come along for the ride. Until then, be well, stay tuned to this blog, subscribe to our YouTube channel, and follow us on Twitter for the latest updates from the ZDI. 

Looking Back at the Zero Day Initiative in 2021

✇ VoidSec

Windows Drivers Reverse Engineering Methodology

By: voidsec

With this blog post I’d like to sum up my year-long Windows Drivers research; share and detail my own methodology for reverse engineering (WDM) Windows drivers, finding some possible vulnerable code paths as well as understanding their exploitability. I’ve tried to make it as “noob-friendly” as possible, documenting all the steps I usually perform during […]

The post Windows Drivers Reverse Engineering Methodology appeared first on VoidSec.

✇ Infosec Resources

What does a SOC analyst do? | Cybersecurity Career Series

By: Infosec

Security operations center (SOC) analysts are responsible for analyzing and monitoring network traffic, threats and vulnerabilities within an organization’s IT infrastructure. This includes monitoring, investigating and reporting security events and incidents from security information and event management (SIEM) systems. SOC analysts also monitor firewall, email, web and DNS logs to identify and mitigate intrusion attempts.

Learn more here: https://www.infosecinstitute.com/role-soc-analyst/.

0:00 Intro 
1:20 - What is a SOC analyst? 
1:58 - Levels of SOC analyst
2:24 - How to become a SOC analyst
2:53 - Certification requirements
3:29 - Skills needed to succeed
4:38 - Tools SOC analysts use
5:32 - Open-source tool familiarity 
6:05 - Pivoting from a SOC analyst
6:50 - What can I do right now?
7:32 - Experience for your resume 
8:07 - Outro  

About Infosec
Infosec believes knowledge is power when fighting cybercrime. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and privacy training to stay cyber-safe at work and home. It’s our mission to equip all organizations and individuals with the know-how and confidence to outsmart cybercrime. Learn more at infosecinstitute.com.

✇ Exodus Intelligence

LiveAction LiveNX AWS Credential Disclosure Vulnerability

By: Exodus Intel VRT

EIP-7d4ec9e3

Several versions of LiveAction LiveNX network monitoring software contain Amazon Web Services (AWS) credentials. These credentials have privileged access to the LiveAction AWS infrastructure. A remote attacker may abuse these credentials to gain access to LiveAction internal resources.

Vulnerability Identifiers

  • Exodus Intelligence: EIP-7d4ec9e3
  • MITRE CVE: N/A

Vulnerability Metrics

  • CVSSv2 Score: 10

Vendor References

  • This vulnerability has been address in LiveAction LiveNX version 21.4.0

Discovery Credit

  • Exodus Intelligence

Disclosure Timeline

  • Disclosed to affected vendor: July 1st, 2021
  • Disclosed to public: January 19th, 2022

Further Information

Readers of this advisory who are interested in receiving further details around the vulnerability, mitigations, detection guidance, and more can contact us at [email protected].

Researchers who are interested in monetizing their 0Day and NDay can work with us through our Research Sponsorship Program.

The post LiveAction LiveNX AWS Credential Disclosure Vulnerability appeared first on Exodus Intelligence.

✇ Krebs on Security

IRS Will Soon Require Selfies for Online Access

By: BrianKrebs

If you created an online account to manage your tax records with the U.S. Internal Revenue Service (IRS), those login credentials will cease to work later this year. The agency says that by the summer of 2022, the only way to log in to irs.gov will be through ID.me, an online identity verification service that requires applicants to submit copies of bills and identity documents, as well as a live video feed of their faces via a mobile device.

The IRS says it will require ID.me for all logins later this summer.

McLean, Va.-based ID.me was originally launched in 2010 with the goal of helping e-commerce sites validate the identities of customers who might be eligible for discounts at various retail establishments, such as veterans, teachers, students, nurses and first responders.

These days, ID.me is perhaps better known as the online identity verification service that many states now use to help stanch the loss of billions of dollars in unemployment insurance and pandemic assistance stolen each year by identity thieves. The privately-held company says it has approximately 64 million users, and gains roughly 145,000 new users each day.

Some 27 states already use ID.me to screen for identity thieves applying for benefits in someone else’s name, and now the IRS is joining them. The service requires applicants to supply a great deal more information than typically requested for online verification schemes, such as scans of their driver’s license or other government-issued ID, copies of utility or insurance bills, and details about their mobile phone service.

When an applicant doesn’t have one or more of the above — or if something about their application triggers potential fraud flags — ID.me may require a recorded, live video chat with the person applying for benefits.

Since my credentials at the IRS will soon no longer work, I opted to create an ID.me account and share the experience here. An important preface to this walk-through is that verifying one’s self with Id.me requires one to be able to take a live, video selfie — either with the camera on a mobile device or a webcam attached to a computer (your webcam must be able to open on the device you’re using to apply for the ID.me account).

Update, Feb.7, 2022, 10:21 p.m. ET: The IRS said today it is transitioning away from requiring face biometric data to identify taxpayers. Read more here: IRS To Ditch Biometric Requirement for Online Access.

Original story: Also, successfully verifying your identity with ID.me may require a significant investment of time, and quite a bit of patience. For example, stepping away from one part of the many-step application process for a little more than five minutes necessitated another login, and then the re-submission of documents I’d previously uploaded.

After entering an email address and picking a password, you are prompted to confirm your email address by clicking a link sent to that address. After confirmation, ID.me prompts users to choose a multi-factor authentication (MFA) option.

The MFA options range from a six-digit code sent via text message or phone call to code generator apps and FIDO Security Keys. ID.me even suggests using its own branded one-time code generating app, which can “push” a prompt to your mobile device for you to approve whenever you log in. I went with and would encourage others to use the strongest MFA option — a physical Security Key. For more on the benefits of using a Security Key for MFA, see this post.

When the MFA option is verified, the system produces a one-time backup code and suggests you save that in a safe place in case your chosen MFA option is unavailable the next time you try to use a service that requires ID.me.

Next, applicants are asked to upload images of their driver’s license, state-issued ID, or passport — either via a saved file or by scanning them with a webcam or mobile device.

If your documents get accepted, ID.me will then prompt you to take a live selfie with your mobile device or webcam. That took several attempts. When my computer’s camera produced an acceptable result, ID.me said it was comparing the output to the images on my driver’s license scans.

After this, ID.me requires the verification of your phone number, which means they will ask your mobile or landline provider to validate you are indeed an existing, paying customer who can be reached at that number. ID.me says it currently does not accept phone numbers tied to voice-over-IP services like Google Voice and Skype.

My application got stuck interminably at the “Confirming Your Phone” stage, which is somewhere near the middle of the entire verification process.

An email to ID.me’s support people generated a message with a link to complete the verification process via a live video chat. Unfortunately, clicking that link brought up prompts to re-upload all of the information I’d already supplied, and then some.

Some of the primary and secondary documents requested by ID.me.

For example, completing the process requires submitting at least two secondary identification documents, such as as a Social Security card, a birth certificate, health insurance card, W-2 form, electric bill, or financial institution statement.

After re-uploading all of this information, ID.me’s system prompted me to “Please stay on this screen to join video call.” However, the estimated wait time when that message first popped up said “3 hours and 27 minutes.”

I appreciate that ID.me’s system relies on real human beings seeking to interview applicants in real-time, and that not all of those representatives can be expected to handle all of these immediately. And I get that slowing things down is an important part of defeating identity fraudsters who are seeking to exploit automated identity verification systems that largely rely on static data about consumers.

That said, I started this “Meet an agent” process at around 9:30 in the evening, and I wasn’t particularly looking forward to staying up until midnight to complete it. But not long after the message about waiting 3 hours came up, I got a phone call from an ID.me technician who was CC’d on my original email to ID.me’s founder. Against my repeated protests that I wanted to wait my turn like everyone else, he said he would handle the process himself.

Sure enough, a minute later I was connected with the ID.me support person, who finished the verification in a video phone call. That took about one minute. But for anyone who fails the automated signup, count on spending several hours getting verified.

When my application was finally approved, I headed back to irs.gov and proceeded to log in with my new ID.me account. After granting the IRS access to the personal data I’d shared with ID.me, I was looking at my most recent tax data on the IRS website.

I was somewhat concerned that my ID verification might fail because I have a security freeze on my credit file with the three major consumer credit bureaus. But at no time during my application process did ID.me even mention the need to lift or thaw that security freeze to complete the authentication process.

The IRS previously relied upon Equifax for its identity proofing process, and even then anyone with frozen credit files had to lift the freeze to make it through the IRS’s legacy authentication system. For several years, the result of that reliance was that ID thieves massively abused the IRS’s own website to impersonate taxpayers, view their confidential tax records, and ultimately obtain fraudulent tax refunds in their names.

The IRS canceled its “taxpayer identity” contract with Equifax in October 2017, after the credit bureau disclosed that a failure to patch a four-month-old zero-day security flaw led to the theft of Social Security numbers and personal and financial information on 148 million Americans.

Perhaps in light of that 2017 megabreach, many readers will be rightfully concerned about being forced to provide so much sensitive information to a relatively unknown private company. KrebsOnSecurity spoke with ID.me founder and CEO Blake Hall in last year’s story, How $100 Million in Jobless Claims Went to Inmates. I asked Hall what ID.me does to secure all this sensitive information it collects, which would no doubt serve as an enticing target for hackers and identity thieves.

Hall said ID.me is certified against the NIST 800-63-3 digital identity guidelines, employs multiple layers of security, and fully segregates static consumer data tied to a validated identity from a token used to represent that identity.

“We take a defense-in-depth approach, with partitioned networks, and use very sophisticated encryption scheme so that when and if there is a breach, this stuff is firewalled,” Hall said. “You’d have to compromise the tokens at scale and not just the database. We encrypt all that stuff down to the file level with keys that rotate and expire every 24 hours. And once we’ve verified you we don’t need that data about you on an ongoing basis.”

ID.me’s privacy policy states that if you sign up for ID.me “in connection with legal identity verification or a government agency we will not use your verification information for any type of marketing or promotional purposes.”

Signing up at ID.me requires users to approve a biometric data policy that states the company will not sell, lease, or trade your biometric data to any third parties or seek to derive any profit from that information. ID.me says users can delete their biometric data at any time, but there was no apparent option to do so when I logged straight into my new account at ID.me.

When I asked the support technician who conducted the video interview to remove my biometric data, he sent me a link to a process for deleting one’s ID.me account. So, it seems that removing one’s data from ID.me post-verification equals deleting one’s account, and potentially having to re-register at some point in the future.

Over the years, I’ve tried to stress the importance of creating accounts online tied to your various identity, financial and communications services before identity thieves do it for you. But all of those places where you should “Plant Your Flag” conduct identity verification in an automated fashion, using entirely static data points about consumers that have been breached many times over (SSNs, DoBs, etc).

Love it or hate it, ID.me is likely to become one of those places where Americans need to plant their flag and mark their territory, if for no other reason than it will probably be needed at some point to manage your relationship with the federal government and/or your state. And given the potential time investment needed to successfully create an ID.me account, it might be a good idea to do that before you’re forced to do so at the last minute (such as waiting until the eleventh hour to pay your quarterly or annual estimated taxes).

If you’ve visited the sign-in page at the U.S. Social Security Administration (SSA) lately, you’ll notice that on or around Sept. 18, 2021 the agency stopped allowing new accounts to be created with only a username and password. Anyone seeking to create an account at the SSA is now steered toward either ID.me or Login.gov, a single sign-on solution for U.S. government websites.

✇ Bad Sector Labs Blog

Last Week in Security (LWiS) - 2022-01-18

By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-01-10 to 2022-01-18.

News

  • Illegal Activities of members of an organized criminal community stopped (REvil) [Russian, fsb.ru] The FSB claims that due to recent "joint actions of the FSB and the Ministry of Internal Affairs of Russia, the organized criminal community ceased to exist, the information infrastructure used for criminal purposes was neutralized." You can even see video of the takedowns on YouTube. While 14 individuals were arrested, it's too soon to see if this will impact REvils operations. If it does, what prompted Russia to finally take action? Google translate of the FSB releases says the "basis for the search activities was the appeal of the competent US authorities."
  • HTTP Protocol Stack Remote Code Execution Vulnerability. Patch tuesday brought with it an unauthenticated RCE in Window's http.sys drivers for Windows 10 (1809+) and Server (2019+). What looks like a crash PoC is available here, complete with a pointless 17 second sleep.
  • Coming Soon: New Security Update Guide Notification System. Microsoft is making it easier to get notifications of changes to security update guides but the biggest news is that this system no longer requires a Live ID. A separate email/password combo can be used for the new system.
  • Exploiting IndexedDB API information leaks in Safari 15. "Every time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session." WebKit is slowly becoming the internet explorer of the modern browsers. PoC code here.

Techniques

Tools and Exploits

  • azure-function-proxy is a basic proxy as an azure function serverless app to use *[.]azurewebsites[.]net domain for phishing.
  • Ares is a Proof of Concept (PoC) loader written in C/C++ based on the Transacted Hollowing technique. This loader has a bunch of nice features and is far beyond the typical loader released on Github.
  • ParallelNimcalls is a Nim version of MDSec's Parallel Syscall PoC. Last week it was in C++ and C#, now it's in Nim!

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • vapi is a Vulnerable Adversely Programmed Interface which is Self-Hostable API that mimics OWASP API Top 10 scenarios.
  • reFlutter is a Flutter Reverse Engineering Framework for iOS and Android apps. This framework helps with Flutter apps reverse engineering using the patched version of the Flutter library which is already compiled and ready for app repacking. This library has snapshot deserialization process modified to allow you perform dynamic analysis in a convenient way.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

✇ Bad Sector Labs Blog

Last Week in Security (LWiS) - 2022-01-10

By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-01-03 to 2022-01-10.

News

Techniques

Tools and Exploits

  • inject-assembly is an alternative to traditional fork and run execution for Cobalt Strike. The loader can be injected into any process, including the current Beacon. Long-running assemblies will continue to run and send output back to the Beacon, similar to the behavior of execute-assembly.
  • rathole is a lightweight, stable and high-performance reverse proxy for NAT traversal, written in Rust. An alternative to frp and ngrok.
  • insject is a tool for poking at containers. It enables you to run an arbitrary command in a container or any mix of Linux namespaces. More details here.
  • SysmonSimulator is a Sysmon event simulation utility which can be used to simulate the attacks to generate the Sysmon Event logs for testing the EDR detections and correlation rules by Blue teams.
  • PowerRemoteDesktop is a Remote Desktop client entirely coded in PowerShell. This could be useful for restricted environments like virtual desktops.
  • Hunt-Sleeping-Beacons is a project to identify beacons which are unpacked at runtime or running in the context of another process.
  • defender-detectionhistory-parser is a parser of Windows Defender's DetectionHistory forensic artifact, containing substantial info about quarantined files and executables. First one to write this as a BOF wins.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • driftwood is a tool that can enable you to lookup whether a private key is used for things like TLS or as a GitHub SSH key for a user.
  • domains is (probably) the world’s single largest Internet domains dataset.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

✇ Bad Sector Labs Blog

Last Week in Security (LWiS) - 2022-01-03

By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-12-20 to 2022-01-03.

News

Techniques

Tools and Exploits

  • KaynLdr is a Reflective Loader written in C / ASM. It uses direct syscalls to allocate virtual memory as RW and changes it to RX. It erases the DOS and NT Headers to make it look less suspicious in memory.
  • WMEye is a post exploitation tool that uses WMI Event Filter and MSBuild Execution for lateral movement.
  • hayabusa is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs. Reminds me of chainsaw.
  • Tool Release – shouganaiyo-loader: A Tool to Force JVM Attaches. This loader forces Java agents to be loaded and can inject Java or JVMTI agents into Java processes (Sun/Oracle HotSpot or OpenJ9).
  • Invoke-Bof loads any Beacon Object File using Powershell!
  • Inject_Dylib is Swift code to programmatically perform dylib injection.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • Pentest Collaboration Framework is an open source, cross-platform, and portable toolkit for automating routine processes when carrying out vulnerability testing.
  • Registry-Spy is a cross-platform registry browser for raw Windows registry files written in Python.
  • iptable_evil is a very specific backdoor for iptables that allows all packets with the evil bit set, no matter the firewall rules. While this specific implementation is modeled on a joke RFC, the code could easily be modified to be more stealthy/useful.
  • Narthex is a modular & minimal dictionary generator for Unix and Unix-like operating system written in C and Shell. It contains autonomous Unix-style programs for the creation of personalized dictionaries that can be used for password recovery & security assessments.
  • whatfiles is a Linux utility that logs what files another program reads/writes/creates/deletes on your system. It traces any new processes and threads that are created by the targeted process as well.
  • The HatSploit Framework is a modular penetration testing platform that enables you to write, test, and execute exploit code.
  • TokenUniverse is an advanced tool for working with access tokens and Windows security policy.
  • LACheck is a multithreaded C# .NET assembly local administrative privilege enumeration. That's underselling it though, this has lots of cool enumeration capabilities such as remote EDR driver enumeration.
  • Desktop environment in the browser. This is just... wow. Code here: daedalOS.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

✇ Bad Sector Labs Blog

Last Week in Security (LWiS) - 2021-12-20

By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-12-14 to 2021-12-20.

News

Techniques

Tools and Exploits

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • awspx is a graph-based tool for visualizing effective access and resource relationships in AWS environments.
  • mariana-trench is Facebook's security focused static analysis tool for Android and Java applications.
  • adPEAS. Note this is not part of the "official" PEAS toolset. It's a Powershell tool to automate Active Directory enumeration.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

✇ Bad Sector Labs Blog

Last Week in Security (LWiS) - 2021-12-14

By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-12-07 to 2021-12-14.

News

Techniques

  • CVE-2021-42287/CVE-2021-42278 Weaponisation. With all the log4j hype, this one may have slipped by. Don't let it, as it allows any domain user with the ability to add computer accounts (default 10 per user), can get a ticket as a DC to arbitrary services which allows dcsyncing. Patch is out, but given the season and log4j, this one might have legs into 2022. Be sure to also checkout more sAMAccountName Impersonation. The switches needed for this attack are now in Rubeus.
  • A phishing document signed by Microsoft – part 1. The masters of maldocs are back at it. This time using an Excel add-in (XLAM) with modified contents but "valid" Microsoft signature to deliver malicious vbs. Amazing work as always.
  • Getting root on Ubuntu through wishful thinking. Exploits are hard, even when you get root sometimes you aren't sure why. Adding a sleep to allow the ability to attach a debugger when the process did eventually crash was clever. Full PoC here.
  • MiTM Cobalt Strike Network Traffic. This relies on having the beacon private keys, but once in hand, network defenders or those in privileged network positions could inject commands into Cobalt Strike traffic.
  • Kernel Karnage – Part 6 (Last Call). This series has been great thus far. Let's seen what kernel driver loading tricks they come up with in future posts!

Tools and Exploits

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • AFLTriage is a tool to triage crashing input files using a debugger. It is designed to be portable and not require any run-time dependencies, besides libc and an external debugger. It supports triaging crashes generated by any program, not just AFL, but recognizes AFL directories specially, hence the name.
  • KingHamlet is a simple tool, which allows you to perform a Process Ghosting Attack.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

✇ Bad Sector Labs Blog

Last Week in Security (LWiS) - 2021-12-07

By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-11-22 to 2021-12-07.

News

Techniques

Tools and Exploits

  • InstallerFileTakeOver is a Windows LPE 0day for all supported Windows version. RIP.
  • cracken is a fast password wordlist generator, Smartlist creation and password hybrid-mask analysis tool written in pure safe Rust.
  • Exploiting CVE-2021-43267. This is a walkthrough and full exploit for Linux TIPC vulnerabilitiy that affects kernels between 5.10-rc1 and 5.15.
  • EDRSandblast is a tool written in C that weaponize a vulnerable signed driver to bypass EDR detections (Kernel callbacks and ETW TI provider) and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland monitoring.
  • SSHClient is a small SSH client written in C#. May be useful for pivoting from Windows to Linux.
  • EntitlementCheck is a Python3 script for macOS to recursively check /Applications and also check /usr/local/bin, /usr/bin, and /usr/sbin for binaries with problematic/interesting entitlements. Also checks for hardened runtime enablement.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • DetectionLabELK is a fork of DetectionLab with ELK stack instead of Splunk.
  • GoMapEnum is a user enumeration (Linkedin) and password bruteforcer for Azure, ADFS, OWA, O365, and Teams.
  • redherd-framework is a collaborative and serverless framework for orchestrating a geographically distributed group of assets capable of simulating complex offensive cyberspace operations.
  • ThePhish is an automated phishing email analysis tool based on TheHive, Cortex and MISP. It is a web application written in Python 3 and based on Flask that automates the entire analysis process starting from the extraction of the observables from the header and the body of an email to the elaboration of a verdict which is final in most cases.
  • BOF2shellcode is a POC tool to convert CobaltStrike BOF files to raw shellcode.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

✇ Bad Sector Labs Blog

Last Week in Security (LWiS) - 2021-11-22

By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-11-16 to 2021-11-22.

News

Techniques

Tools and Exploits

  • tldraw is a tiny little drawing app. Check it out at tldraw.com.
  • msticpy. Ever wonder how Microsoft's MSTIC threat hunt group finds evil? msticpy is a library for InfoSec investigation and hunting in Jupyter Notebooks with many data analysis features.
  • fileless-xec is a stealth dropper executing remote binaries without dropping them on disk.
  • TPM sniffing. With $49 of hardware you too can read a bitlocker key as it leaves the TPM of a laptop. TPM 2.0 has support to encrypt this value, but until then/even after consider adding a second factor to your laptop's decryption routine (PIN, hardware key, etc).
  • CheckCert A small utility to request the SSL certificate from a public or private web application implemented in C# and as a BOF.
  • SQLRecon is a C# MS SQL toolkit designed for offensive reconnaissance and post-exploitation.
  • Oh365UserFinde is used for identifying valid o365 accounts and domains without the risk of account lockouts. The tool parses responses to identify the "IfExistsResult" flag is null or not, and responds appropriately if the user is valid.
  • Visual-Studio-BOF-template is a baseline template that can be reused to develop BOFs with Visual Studio without having to worry about dynamic function resolution syntax, stripping symbols, compiler configurations, C++ name mangling, or unexpected runtime errors.
  • GPUSleep moves the beacon image to GPU memory before the beacon sleeps, and move it back to main memory after sleeping. Check out the blog post here.
  • MultiPotato is another "potato" to get SYSTEM via SeImpersonate privileges, but this one is different since tt doesn't contain any SYSTEM auth trigger for weaponization so the code can be used to integrate your favorite trigger by yourself. Also, tt's not only using CreateProcessWithTokenW to spawn a new process. Instead you can choose between CreateProcessWithTokenW, CreateProcessAsUserW, CreateUser and BindShell.
  • DumpNParse is a Combination LSASS Dumper and LSASS Parser adapted from other projects.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

✇ Bad Sector Labs Blog

Last Week in Security (LWiS) - 2021-11-16

By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-11-08 to 2021-11-16.

News

  • Hoax Email Blast Abused Poor Coding in FBI Website. A series of blunders allowed a hacker to send tens of thousands of emails from an FBI mail server to arbitrary addresses with arbitrary content. Not a good look for the FBI.
  • CVE-2021-3064 PAN-OS: Memory Corruption Vulnerability in GlobalProtect Portal and Gateway Interfaces. Another unauthenticated RCE as root in a gateway device. Thankfully this "only" affects older PAN-OS 8.1-8.1.17 devices. The interesting bit is how this was found by a red team and used privately for ~8 months before disclosure. Their rationale is here (official) and here (reddit). Technical details will be released 2021-12-10.
  • ClusterFuzzLite: Continuous fuzzing for all. After the success of OSS-fuzz, Google is releasing an "easy to use" fuzzing workflow: "ClusterFuzzLite is a continuous fuzzing solution that runs as part of Continuous Integration (CI) workflows to find vulnerabilities faster than ever before. With just a few lines of code, GitHub users can integrate ClusterFuzzLite into their workflow and fuzz pull requests to catch bugs before they are committed."

Techniques

Tools and Exploits

  • lsarelayx is system wide NTLM relay tool designed to relay incoming NTLM based authentication to the host it is running on. lsarelayx will relay any incoming authentication request which includes SMB. The original application still gets its authentication and there are no errors for the user. This is the next generation of NTLM relaying - with the important caveat of loading into lsass.
  • ExternalC2.NET is a .NET implementation of Cobalt Strike's External C2 Spec. This could be the basis for your own C2 channel written in C# that uses any medium you can interface with via C# - think services like Slack, Google Drive, Twitter, etc.
  • Living Off Trusted Sites (LOTS) Project. Attackers are using popular legitimate domains when conducting phishing, C&C, exfiltration and downloading tools to evade detection. This is a list of websites that allow attackers to use their domain or subdomain to host content that may be used as a C2 channel, phishing site, file host, or data exfiltration destination.
  • blacksmith is a next-gen Rowhammer fuzzer that uses non-uniform, frequency-based patterns. Read this blog post for more information. Bypassing password logic for sudo in ~5-30 minutes is pretty impressive.
  • rpcfirewall is a firewall for Windows RPC that can be used for research, attack detection, and attack prevention.
  • Spray365 makes spraying Microsoft accounts (Office 365 / Azure AD) easy through its customizable two-step password spraying approach. The built-in execution plan features options that attempt to bypass Azure Smart Lockout and insecure conditional access policies.
  • bloodyAD is an Active Directory Privilege Escalation Framework that can perform specific LDAP/SAMR calls to a domain controller in order to perform AD privesc. It supports authentication using password, NTLM hashes or Kerberos.
  • skweez spiders web pages and extracts words for wordlist generation.
  • LocalDllParse checks all loaded Dlls in the current process for a version resource. Useful for identifying EDRs on a system without making calls out of the current process and avoids all commonly monitored API calls.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • kerbmon pulls the current state of the Service Principal Name (SPN) records and sAMAccounts that have the property 'Do not require Kerberos pre-authentication' set (UF_DONT_REQUIRE_PREAUTH). It stores these results in a SQLite3 database.
  • NSGenCS is an extremely simple, yet extensible framework to evade AV with obfuscated payloads under Windows.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

✇ Bad Sector Labs Blog

Last Week in Security (LWiS) - 2021-11-08

By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-11-01 to 2021-11-08.

News

Techniques

Tools and Exploits

  • DLL-Hijack-Search-Order-BOF is a Cobalt Strike BOF file, meant to use two arguments (path to begin, and a DLL filename of interest), that will traverse the SafeSearch order of DLL resolution. Optionally, this will also attempt to ascertain a HANDLE to the provided file (if found), and alert the operator of its mutability (WRITE access).
  • DLL-Exports-Extraction-BOF is a BOF for DLL export extraction with optional NTFS transactions.
  • blint is a Binary Linter to check the security properties, and capabilities in your executables.
  • braktooth_esp32_bluetooth_classic_attacks is a series of baseband & LMP exploits against Bluetooth classic controllers.
  • CVE-2021-34886 is a Linux kernel eBPF map type confusion that leads to EoP and affects Linux kernel 5.8 to 5.13.13. Writeup (CN) here.
  • elfloader is an architecture-agnostic ELF file flattener for shellcode written in Rust.
  • socksdll isa a loadable socks5 proxy via CGo/C bridge.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • pyWhat easily lets you identify emails, IP addresses, and more. Feed it a .pcap file or some text and it'll tell you what it is! 🧙
  • ThreatMapper is used to identify vulnerabilities in running containers, images, hosts and repositories and helps you to monitor and secure your running applications, in Cloud, Kubernetes, Docker, and Fargate Serverless.
  • AssemblyLine is a C library and binary for generating machine code of x86_64 assembly language and executing on the fly without invoking another compiler, assembler or linker. Could you build this into your RAT to execute shellcode modules without suspicious API calls?

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

✇ Bad Sector Labs Blog

Last Week in Security (LWiS) - 2021-11-01

By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-10-26 to 2021-11-01.

News

Techniques

  • Neat SIP bypass for macOS. system_installd executes a zsh shell and has an entitlement to bypass SIP. Microsoft found a way to leverage this to run commands with the same entitlement with /etc/zshenv. How many more ways are there? Full Microsoft post: Shrootless.
  • Create a proxy DLL with artifact kit. DLL proxying is a great way to persist and in some cases elevate privileges. This post shows how to use the official artifact kit to turn a Cobalt Strike DLL into a "function proxy."
  • Lateral Movement 101. The old favorites are here, but perhaps there are details you've missed? Rasta also dropped new C# related projects today: D/Invoke Baguette.
  • Kernel Karnage – Part 2 (Back to Basics). EDRs are moving to the kernel, and drivers can provide great local privilege escalation opportunities. This post explores the ability to hook other driver's (EDR) functions. Want to start debugging the windows kernel? This 101 post was released yesterday.
  • Technical Advisory – Apple XAR – Arbitrary File Write (CVE-2021-30833). These types of archive extraction arbitrary file writes can be great for phishing and even local privilege escalation (if a program accepts an archive and extracts it at a higher privilege level). Fixed in 12.0.1.
  • CVE-2021-30920 - CVE-2021-1784 strikes back - TCC bypass via mounting. macOS 12 has a regression that allows users to mount over ~/Library and this the TCC database. Yikes! Fixed in 12.0.1.
  • Tortellini in Brodobuf. Serializing data just adds a layer of unpacking, not security. This post goes from manual decode and exploitation proof to writing a sqlmap tamper script to automate it.
  • Understanding SysCalls Manipulation. Direct syscalls have been around for a while, but this technique makes sure they jmp back to memory space of NTDLL.DLL to avoid suspicious of the kernel returning to program memory space it should't (i.e. the location of your direct syscall). Sneaky! PoC here.

Tools and Exploits

  • quiet-riot is an enumeration tool for scalable, unauthenticated validation of AWS principals; including AWS Acccount IDs, root e-mail addresses, users, and roles. Check out the blog post here.
  • DInvoke is a library to dynamically invoke arbitrary unmanaged code from managed code without P/Invoke. Fork of D/Invoke by TheWover, but refactored to .NET Standard 2.0 and split into individual NuGet packages.
  • Metsubushi is a Go project to generate droppers with encrypted payloads automatically.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • melting-cobalt scans for Cobalt Strike teamservers, grabs beacons that allow staging, and stores their configs. No reason to leave staging enabled these days...
  • dockerized-android is a container-based framework to enable the integration of mobile components in security training platforms.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

❌