News

• Israeli cyber chief: Major attack on water systems thwarted. A cyber attack was reportedly detected and thwarted in real time and had it not be chlorine or other chemicals could have been mixed into the water source in the wrong proportions and resulted in a “harmful and disastrous” outcome. Israel's national cyber chief said, “Cyber winter is coming and coming even faster than I suspected. We are just seeing the beginning.”
• Return of the iOS sandbox escape: lightspeed's back in the race!! Synacktiv describes the old-but-new XNU bug that was re-introduced in iOS 13 and was the basis for last week's iOS 0day based jailbreak. [T1068 Exploitation for Privilege Escalation]
• Zero-day in Sign in with Apple Speaking of Apple's mistakes, this one is quite bad. When requesting a JSON web token during the "Sign in with Apple" process, swapping the email for another user would return a valid JWT that can authenticate to the 3rd party service. This is the equivalent to editing a cookie from "user" to "admin" and getting the admin page. How this got through internal testing and into production is beyond me. [T1078 Valid Accounts]
• LadderLeak: Breaking ECDSA With Less Than One Bit Of Nonce Leakage describes how a novel side-channel vulnerability can lead to leaking the most significant bit of the nonce and eventually breaking ECDSA, including NIST curves like P-192 (P-256 is vulnerable in theory). Curve25519 contains a countermeasure against this attack, but, "its exact efficacy against side-channel attacks in [this] context is not entirely clear."
• Releasing the CAPTCHA Cracken. Despite the name there is no tool release, but F-Secure Labs shows off its ability to automate the CAPTCHA in use with the Office 265 Outlook Web Application, allowing its red team to attempt password stuffing. If you solely rely on CAPTCHA to stop bots/automated tools, it's time to rethink your strategy. Demo here.

Techniques

• GetEnvironmentVariable as an alternative to WriteProcessMemory in process injections is a new (probably?) way to write to a suspended processes memory while avoiding the highly suspect WriteProcessMemory. [T1055 Process Injection]
• Verifying Windows binaries, without Windows Trail of Bits opensoruces uthenticode a small cross-platform library for verifying Authenticode digital signatures.
• MindShaRE: How to “Just Emulate It With QEMU” gives good resources to emulate embedded firmware with QEMU. "Emulating IoT Malware and Firmware with Docker+QEMU" presented last Friday at the virtual IoT village was more in-depth (here is the same talk from AirGap 2020).
• Red Team Maturity Model is a resource for building and improving your internal Red Team. Apply the Bruce Lee principle here: “Absorb what is useful, discard what is useless, and add what is specifically your own.”
• Covert Data Persistence with Windows Registry Keys details a very cool trick for storing data in the Windows Registry covertly using class attributes. I wouldn't be surprised if this technique is used by advanced malware soon, so use in in your advanced adversary emulation tools now. [T1112 Modify Registry]
• These Aren’t the Phish You’re Looking For shows the power of blacklists for extending the life of your phishing site. A must read before any future phishing engagement. [T1192 Spearphishing Link][T1193 Spearphishing Attachment]
• Exploring macOS Calendar Alerts: Part 2 – Exfiltrating data (CVE-2020-3882) is a neat exploit that allows semi-arbitrary (calendar is sandboxed) file extraction from a victim machine if they click on the invite. Patched in macOS 10.15.5 (May 2020). [T1193 Spearphishing Attachment]
• Automate Octopus C2 RedTeam Infrastructure Deployment show the development of a script to automate the deployment of Octopus C2 infrastructure via digital ocean. If you don't have infrastructure automation yet, this could be a good starting point. [T1090 Connection Proxy]
• Bypassing LastPass’s “Advanced” YubiKey MFA: A MITM Phishing Attack is not an attack on U2F but rather LastPass's one time password. It includes a great description of how this this possible and how U2F prevents it. [T1192 Spearphishing Link]

Tools and Exploits

• httpx is a fast and multi-purpose HTTP toolkit allow to run multiple probers using retryablehttp library, it is designed to maintain the result reliability with increased threads.
• Seatbelt, while technically not a new tool got a huge rewrite. Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives. [T1082 System Information Discovery]
• BruteShark is a Network Forensic Analysis Tool (NFAT) that performs deep processing and inspection of network traffic (mainly PCAP files). It includes: password extracting, building a network map, reconstruct TCP sessions, extract hashes of encrypted passwords and even convert them to a Hashcat format in order to perform an offline Brute Force attack. [T1040 Network Sniffing]
• angry_gadget - This tool is written in python and uses angr to test constraints for gadgets executing execve('/bin/sh', NULL, NULL). If you've run out gadgets to try from OneGadget, Angry Gadget gives a lot more with complicated constraints to try!
• ezEmu enables users to test adversary behaviors via various execution techniques. Sort of like an "offensive framework for blue teamers", ezEmu does not have any networking/C2 capabilities and rather focuses on creating local test telemetry. Use this (or atomic-red-team) to test your SEIM, EDR, or SOC response.
• EXCELntDonut is a XLM (Excel 4.0) macro generator. Start with C# source code (DLL or EXE) and end with a XLM (Excel 4.0) macro that will execute your code in memory. XLM (Excel 4.0) macros can be saved in .XLS files. [T1193 Spearphishing Attachment]
• sgn Shikata ga nai encoder ported into go with several improvements including 64 bit support, smaller decoder stub, no visible loop condition, decoder stub obfuscation, and safe register option. Build this into your in house packer for better obfuscation. [T1066 Indicator Removal from Tools]
• Corporate_Masks are 8-14 character Hashcat masks based on analysis of 1.5 million NTLM hashes cracked while pentesting. [T1078 Valid Accounts]
• AMSITrigger will identify all of the malicious strings in a powershell file, by repeatedly making calls to AMSI using AMSIScanBuffer, line by line. On receiving an AMSI_RESULT_DETECTED response code, the line will then be scrutinised to identify the individual triggers. [T1066 Indicator Removal from Tools]

This post is cross-posted on SIXGEN's blog.