Last Week in Security - 2020-02-10
Staying on top of the ever-changing field of information security can be a challenge. There is such vast breadth and incredible depth in this field that sorting through the latest developments for what actually impacts you can be overwhelming. This blog series is my attempt to distill the news, techniques, tools, and exploits I find over the course of my research into a usable format for rapid digestion.
Welcome to the first post in a series called “Last Week in Security” (LWiS). LWiS will serve as a summary of the interesting cyber security news, techniques, and tools released or discovered in the last week, each week. All items are presented with a link and a brief description. The intention is that you “absorb what is useful, discard what is useless, and add what is specifically your own” (Bruce Lee). This is meant to be a complement to your usual weekly cyber security news sources, two of which I highly recommend: Patrick Gray’s Risky Business podcast, and SANS NewsBites. Without further ado, enjoy Last Week in Security!
News
A Raytheon engineer was arrested for taking US missile defense data to China, a classic example of the insider threat and ITAR violation. ZDNet has the story.
Simon Weckert "hacks" Google Maps with a wagon full of cellphones to create fake traffic jams in Berlin. An interesting and concrete example of how potentially adversarial behavior by coordinated users (or just one user acting as many) in a distributed system can affect the physical world.
Five Cisco vulnerabilities in the Cisco Discovery Protocol (CDP), dubbed CDPwn, were disclosed; they affect switches, routers, IP phones and cameras that process CDP packets.
FireEye published a very in-depth blog post about an actor deploying a backdoor via VBA-stomped, macro-enabled documents.
This Twitter thread is a great resource for more information on VBA stomping, its detection, and related tools.
1.7 million dollars can get you access to lots of Windows loot: corp.com is for sale and is a prime example of DNS "namespace collision," since Windows hosts configured with the old default Active Directory domain name "corp" will try to resolve internal names (and send traffic and credentials) to corp.com whenever they are off the corporate network. Krebs has the details.
Ransomware is exploiting a vulnerable but legitimately signed Windows driver to disable AV before encrypting files. This is an in-the-wild example of the signed-driver ("bring your own vulnerable driver") bypass: the valid signature lets the driver load, and its bugs then give the attacker kernel access.
iOS Exploit News
@Fox0x01 released the third part of her iOS exploit development series. Her site is a treasure for anyone in need of an exploit development resource. I highly recommend it.
Brandon Azad, iOS exploitation master, released "oob_timestamp," a proof-of-concept research exploit that exports the kernel task port on iOS 13.3. Amazing work as always.
@jsherma100 published an incredibly detailed write-up of the iOS 12.0-12.2 and 12.4 use-after-free exploit that became "Sock Puppet".
Techniques
This article details the creation of the RDP variant of the DOUBLEPULSAR (DOPU) Metasploit module and is a great resource for anyone looking to port tools/techniques to Metasploit.
Hexacorn shows how to use 32/64-bit wrapping with ordinals and LOLBins to avoid static detections.
Need a potentially whitelisted spot to drop a DLL? Try %LOCALAPPDATA%\assembly\tmp\[A-Z0-9]{8,10}\Some.Microsofty.Name.DLL (the .NET assembly cache's temp directory, which already contains legitimately generated DLLs).
@kmkz_security discovered a way to remotely hijack an RDP session without prompting or warning a connected user using a Microsoft signed binary, and without patching for multi-session RDP. Great find!
Tools and Exploits
PHP 7.0-7.4 UAF exploit that allows running arbitrary commands from PHP code (Linux only).
Mimikatz can now dump creds from fully up-to-date Chrome on Windows, despite the new AES-GCM cookie and password encryption introduced in Chrome 80 (the AES key is itself DPAPI-protected, so the same user context still unlocks it).
WDACTools - A PowerShell module to facilitate building, configuring, deploying, and auditing Windows Defender Application Control (WDAC) policies
Another fake logon screen for post-exploitation credential capture on Windows. This joins Invoke-CredentialPhisher and LockScream for macOS.
The first open source jailbreak based on checkm8, called Fugu, was released. It currently only supports the iPhone 7 and iPad Pro (2017), and only works on macOS. checkra1n works on the iPhone 5s through iPhone X but is currently closed source. checkra1n released Linux support this week, which includes a web interface (demo) for headless devices such as the Raspberry Pi.
@CodeColorist released vscode-frida, a VS Code based GUI for using Frida to explore apps and processes on macOS.
A buffer overflow was discovered in sudo (CVE-2019-18634) that is reachable when the non-default pwfeedback option is enabled (the option echoes asterisks while typing the password). Affected versions are sudo 1.7.1 through 1.8.30; 1.8.31 fixes it. Check whether the option is on for you with `sudo -l | grep pwfeedback`. macOS is not vulnerable by default, but Linux Mint is, because it ships with pwfeedback enabled.
OpenSMTPD LPE/RCE (CVE-2020-7247) exploit released. This is a critical vulnerability, but OpenSMTPD is not a widely used mail server.
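The following script is an added example and not part of the original post or the sudo project; it turns the two conditions above (an affected sudo version and pwfeedback actually enabled) into a check that can run on a fleet. The version range is the one in the advisory; the sample `sudo -l` output below is constructed to look like a Linux Mint host.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether a host is exposed to
# the sudo pwfeedback overflow (CVE-2019-18634). Exposure requires BOTH an affected
# sudo version (1.7.1 through 1.8.30; fixed in 1.8.31) AND the non-default
# "pwfeedback" option being active in sudoers.

# version_in_range VERSION: exit 0 if VERSION (e.g. "1.8.21p2") is in [1.7.1, 1.8.30].
# Fields are split on "." and the "p" patch-level separator so "1.8.31p1" parses.
version_in_range() {
    echo "$1" | awk -F'[.p]' '{
        n = ($1 + 0) * 1000000 + ($2 + 0) * 1000 + ($3 + 0)
        # 1.7.1 -> 1007001, 1.8.30 -> 1008030
        if (n >= 1007001 && n <= 1008030) exit 0; else exit 1
    }'
}

# pwfeedback_enabled SUDO_L_OUTPUT: exit 0 if the "sudo -l" text lists pwfeedback
# as an active default. The "Matching Defaults entries" block is comma separated;
# a "!pwfeedback" entry disables the option and must NOT match.
pwfeedback_enabled() {
    printf '%s\n' "$1" | grep -Eq '(^|[[:space:],])pwfeedback([[:space:],]|$)'
}

# sudo_exposed VERSION SUDO_L_OUTPUT: exit 0 only if both conditions hold.
sudo_exposed() {
    version_in_range "$1" && pwfeedback_enabled "$2"
}

# Live check of the current host. "sudo -n -l" is non-interactive and fails
# (reported here as "unknown") if sudo would need a password.
check_host() {
    ver=$(sudo --version 2>/dev/null | awk 'NR == 1 { print $NF }')
    lst=$(sudo -n -l 2>/dev/null) || { echo "unknown: sudo -l needs a password"; return 2; }
    if sudo_exposed "$ver" "$lst"; then
        echo "EXPOSED: sudo $ver with pwfeedback enabled"
        return 0
    fi
    echo "not exposed: sudo $ver"
    return 1
}

# Constructed sample (not captured from a real machine) of what "sudo -l" prints on
# a distribution that enables pwfeedback by default.
SAMPLE_MINT='Matching Defaults entries for user on mint:
    env_reset, mail_badpass, pwfeedback, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/bin'

# Same sample with the option explicitly negated in sudoers.
SAMPLE_DISABLED='Matching Defaults entries for user on mint:
    env_reset, !pwfeedback, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/bin'

if [ "${1:-}" = "--live" ]; then
    check_host
else
    if sudo_exposed "1.8.21p2" "$SAMPLE_MINT"; then
        echo "sample host: exposed"
    else
        echo "sample host: not exposed"
    fi
fi
```

Run it with `--live` on a host to test the real sudo; without arguments it only evaluates the constructed sample. A patched sudo (1.8.31 or later) with pwfeedback still enabled is reported as not exposed, because the version check fails first.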
TeamViewer password encryption key and IV disclosed (Windows client): stored passwords in the registry can be decrypted offline, which is useful for post-exploitation lateral movement.
Kali 2020.1 released, which includes a non-root user by default, simplified installer choices, and updated themes and icons.
Dufflebag - Search exposed AWS Elastic Block Store (EBS) volumes for secrets. This technique, shown at DEF CON 27, exploits the bad (non-default) configuration of making EBS snapshots public, and Dufflebag automates the tedious process of finding, attaching, mounting and searching them to get you loot faster.