Introduction

Cyber security is a fast-paced and ever-changing field. I find myself sifting through countless blogs, subreddits, twitter streams, slack/discord channels, and mailing lists just to stay up to date. I've often thought, "I wish someone would just catalog all the useful/technical/interesting bits in one place, each Monday." So I decided to do just that. It is my intention to make a post similar to this one each Monday, with a collection of the previous weeks news that I found relevant. If you are a technical practitioner of cyber security, perhaps it can be of use to you as well. I plan on automating as much of the information gathering and processing as possible and will blog about that system as it is developed.

News

• A Raytheon engineer was arrested for taking US missile defense data to China, a classic example of the insider threat and ITAR violation. ZDNet has the story.
• Simon Weckert "hacks" Google Maps with a wagon full of cellphones to create fake traffic jams in Berlin. An interesting and concrete example of potentially adversarial behavior of coordinated users (or just one user acting as multiple) in a distributed system can affect the physical world.
• 5 Cisco 0days, dubbed CDPwn, released.

• Fireeye published a very in-depth blog post about an actor deploying a backdoor via stomped VBA macro enabled documents.

  • This twitter thread is a great resource for more information on VBA stomping, detection, and tools.

• 1.7 million dollars can get you access to lots of windows loot; corp.com is for sale and is a prime example of "namespace collision." Krebs has the details.

• Ransomware is exploiting vulnerable legitimate signed windows drivers to disable AV before encrypting files. This is an in-the-wild example of signed driver bypass.

  • Story
  • Disclosure
  • Tool (gdrv-loader)

• iOS Exploit News

  • @Fox0x01 released the third part of her iOS exploit development series. Her site is a treasure for anyone in need of an exploit development resource. I highly recommend it.
  • Brandon Azad, iOS exploitation master, released "oob_timestamp," a proof-of-concept research exploit that exports the kernel task port on iOS 13.3. Amazing work as always.
  • @jsherma100 published an incredibly detailed write up of the iOS 12-12.2 and 12.3 user-after-free exploit that became "Sock Puppet".

Techniques

• This article details the creation of the RDP variant of the DOPU metasploit module and is a great resource for anyone looking to port tools/techniques to metasploit.
• Hexacorn shows how to use 32/64 bit wrapping with ordinals and LOLBins to avoid static detections.
• Need a potentially whitelisted spot to drop a DLL? Try %localapdata%assemblytmp[A-Z0-9]{8,10}Some.Microsofty.Name.DLL
• @kmkz_security discovered a way to remotely hijack an RDP session without prompting or warning a connected user using a Microsoft signed binary, and without patching for multi-session RDP. Great find!

Tools and Exploits

• PHP 7.0-7.4 UAF exploit that allows running arbitrary commands (Linux only).
• Mimikatz can now dump creds from fully up to date Chrome on windows.
• WDACTools - A PowerShell module to facilitate building, configuring, deploying, and auditing Windows Defender Application Control (WDAC) policies

• Another fake logon screen for post exploitation credential capture on windows.

  • This joins Invoke-CredentialPhisher and
  • LockScream for macOS

• The first open source jailbreak based on checkm8 called Fugu was released. It currently only supports the iPhone 7 and iPad Pro (2017), and only works on macOS. checkra1n works on iPhone 5s to iPhone X but is currently closed source. Checkra1n released Linux support this week. It includes a web interface (demo) for headless devices such as the raspberry pi.
• @CodeColorist released vscode-firda, a VS-code based GUI for using Frida to explore apps and processes on macOS.

• A buffer overflow was discovered in sudo (CVE-2019-18634) if pwfeedback is enabled. Check with sudo -l | grep pwfeedback, macOS is not vulnerable by default but Linux Mint is.

  • PoC
  • Analysis
  • Official Annoucement

• OpenSMTP LPE/RCE (CVE-2020-7247) exploit released. This is a critical vulnerability but not a widely used mail server.

• TeamViewer password encryption key and IV disclosed on windows; useful for post exploitation lateral movement.

  • Blog
  • Tool (DecryptTeamViewer)

• Kali 2020.1 released, which includes a non-root user by default, simplified installer choices, and updated themes and icons.
• Dufflebag - Search exposed AWS Elastic Block Store (EBS) volumes for secrets. This technique, shown at DEF CON 27, exploits bad (non-default) configurations for persistent disks in EC2 and Dufflebag automates the complicated process to get you loot faster.