SOC Goulash: Weekend Wrap-Up (Part 2)

29/08/2022 -04/09/2022

This is Part 2 of the Weekend Wrap-Up, detailing significant vulnerabilities from the past week, in addition to the latest tools & techniques for offence and defence alike, and some additional reporting that you might find relevant and useful.

Part 1 should already be in your inbox, and highlights some significant Threat Actor Activity and noteworthy TTP changes to be aware of.

Headline Vulnerabilities

  1. Google has again released an emergency update for Google Chrome, this time to address CVE-2022-3075. While they’ve noted an exploit is reported to exist in-the-wild for the high-severity vulnerability, no further information has been provided on what it entails or who might be abusing it. Make sure you get up to Chrome 105.0.5195.102 for Windows, Mac, and Linux ASAP;
  2. Apple has released back-ported patches for older generations of iPhone, iPad and iPod, in order to broaden their protections against CVE-2022-3289 - a remotely exploitable vulnerability in Apple WebKit, enabling arbitrary code execution;
  3. Checkmarx have found that using “pip download” instead of “pip install” will cause .tar.gz packages with no .whl file to not just be downloaded, but to be executed. They suggest attackers could intentionally create and publish such packages to abuse this flaw, which would be significantly more effective if paired with a compromised developer account or project. Definitely more of an edge case, but one to keep on your radar, if nothing else.

Abusing SMTP Matching to hijack privileged Azure AD accounts

Reference: Semperis

Researchers from Semperis have reported that SMTP matching - which synchronises on-prem AD and Azure AD identities - can be abused to gain control of privileged Azure AD user accounts.

Note that the attack has two pre-requisites:

  1. The target identity must be entitled to a privilege that has not been activated; and
  2. MFA must either be unused on the Azure AD identity, the role activation must not require MFA verification (e.g. Password Administrator, License Administrator, etc.), or MFA approval can be otherwise obtained (e.g. socially engineered)

This means that to hijack an Azure identity that is eligible for the Global Admin role, for example:

  1. You first enable SMTP matching to synchronise the Azure identity with the on-prem one, which you either create or already control;

  2. You can now authenticate to the Azure identity using the on-prem password;

  3. If MFA is enabled on the account when activating the privileged role, an attacker could:

    • Spam the individual with MFA requests (MFA fatigue);

    • Socially engineer them to approve the prompt (e.g. BazaCall);

    • Activate a role that doesn’t require MFA to activate, but can still be elevated to Global Administrator - e.g. Application Administrator.

  4. If MFA isn’t enabled, the attacker can simply configure it and approve the prompt to activate the role.

Unfortunately, Microsoft have advised that “there are mitigative controls in place that a user can use to avoid this vulnerability. We determined the behavior to be by design.”

Detection & Mitigation

Azure audit log entries where the Action Client Name is “DirectorySync” and the Old Value for LastDirSyncTime is empty indicate that this is the first time the user was synchronised with on-prem AD. The RoleDefinitionOriginId attribute will indicate the role that was activated.

Creating an alert on a combination of these fields and the sensitive roles that can be activated (see the article for a list) can help surface instances of SMTP matching being abused.

When it comes to mitigation, enabling MFA for all users - prior to granting them eligible roles - can hinder abuse of this vulnerability. The other, potentially disruptive, option would be to disable soft matching for synchronisation throughout the tenant and implement alerting for when it is re-enabled.
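As an added illustration of the detection logic above (this is example code written for this wrap-up, not Semperis' or Microsoft's), the script below correlates a user's first-ever directory sync with a sensitive role activation by the same user shortly afterwards. The flattened record layout, the field names (`actionClientName`, `LastDirSyncTime` old value, `roleDefinitionOriginId`, `targetUser`) and the sample log are constructed assumptions that mirror the newsletter's wording rather than the exact Azure AD AuditLogs schema, so map them onto your own export before use. The two role template IDs are the documented Azure AD built-in IDs for Global Administrator and Application Administrator; confirm them against your tenant and extend the set with the roles listed in the article.

```python
"""Correlate first-time DirectorySync writes with sensitive role activations.

Record shape is a constructed stand-in for Azure AD audit-log entries
(assumed field names, not the official schema).
"""
import json
from datetime import datetime, timedelta

# Assumed sensitive roles keyed by role template ID (documented built-in IDs;
# verify against your tenant's roleDefinitions and extend as needed).
SENSITIVE_ROLE_IDS = {
    "62e90394-69f5-4237-9190-012177145e10": "Global Administrator",
    "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3": "Application Administrator",
}

# Constructed sample log (not real tenant data): one suspicious sequence
# (cfo), one re-sync of an already-synced user (alice), one first sync with
# an activation outside the window (bob).
SAMPLE_AUDIT_LOG = json.dumps([
    {"time": "2022-09-01T08:00:00Z", "activity": "Update user",
     "actionClientName": "DirectorySync", "targetUser": "cfo@example.test",
     "modifiedProperties": [{"displayName": "LastDirSyncTime",
                             "oldValue": "", "newValue": "2022-09-01T08:00:00Z"}]},
    {"time": "2022-09-01T08:20:00Z", "activity": "Add member to role completed (PIM activation)",
     "actionClientName": "PIM", "targetUser": "cfo@example.test",
     "roleDefinitionOriginId": "62e90394-69f5-4237-9190-012177145e10"},
    {"time": "2022-09-01T09:00:00Z", "activity": "Update user",
     "actionClientName": "DirectorySync", "targetUser": "alice@example.test",
     "modifiedProperties": [{"displayName": "LastDirSyncTime",
                             "oldValue": "2022-06-01T00:00:00Z", "newValue": "2022-09-01T09:00:00Z"}]},
    {"time": "2022-09-01T09:30:00Z", "activity": "Add member to role completed (PIM activation)",
     "actionClientName": "PIM", "targetUser": "alice@example.test",
     "roleDefinitionOriginId": "62e90394-69f5-4237-9190-012177145e10"},
    {"time": "2022-09-03T10:00:00Z", "activity": "Update user",
     "actionClientName": "DirectorySync", "targetUser": "bob@example.test",
     "modifiedProperties": [{"displayName": "LastDirSyncTime",
                             "oldValue": "", "newValue": "2022-09-03T10:00:00Z"}]},
    {"time": "2022-09-05T10:00:00Z", "activity": "Add member to role completed (PIM activation)",
     "actionClientName": "PIM", "targetUser": "bob@example.test",
     "roleDefinitionOriginId": "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"},
])


def parse_time(value: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps used in the sample."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_first_sync(entry: dict) -> bool:
    """True for a DirectorySync write whose LastDirSyncTime had no old value."""
    if entry.get("actionClientName") != "DirectorySync":
        return False
    return any(
        prop.get("displayName") == "LastDirSyncTime" and not prop.get("oldValue")
        for prop in entry.get("modifiedProperties", [])
    )


def sensitive_activation(entry: dict):
    """Return the sensitive role name the entry activates, or None."""
    return SENSITIVE_ROLE_IDS.get(entry.get("roleDefinitionOriginId"))


def correlate(entries: list, window: timedelta = timedelta(hours=24)) -> list:
    """One alert per sensitive activation that follows the same user's first
    sync within `window`; earlier or out-of-window activations are ignored."""
    first_sync_at = {}
    for e in sorted(entries, key=lambda e: parse_time(e["time"])):
        if is_first_sync(e):
            first_sync_at.setdefault(e["targetUser"], parse_time(e["time"]))

    alerts = []
    for e in entries:
        role = sensitive_activation(e)
        user = e["targetUser"]
        if role is None or user not in first_sync_at:
            continue
        delta = parse_time(e["time"]) - first_sync_at[user]
        if timedelta(0) <= delta <= window:
            alerts.append({
                "user": user,
                "role": role,
                "first_sync": first_sync_at[user].isoformat(),
                "activated": e["time"],
                "minutes_after_sync": int(delta.total_seconds() // 60),
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(json.loads(SAMPLE_AUDIT_LOG)):
        print(alert)
```

The 24-hour window is a tuning choice: a freshly matched identity activating Global Administrator minutes later is the pattern described above, while a long gap is more likely a legitimate onboarding. Keep the role set aligned with the tenant's PIM eligibility list, since roles like Application Administrator that activate without MFA are the ones the attack leans on.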



Offensive

  1. Suborner - a tool to create an invisible machine account with admin privileges, while avoiding triggering the Windows Event Logger while doing so;
  2. Knockles - a tool to implement eBPF Port Knocking to avoid listing a listening port that can be found by port scanners;
  3. Hashview - a management interface for hash cracking with hashcat;
  4. Getting dunked on by spam filtering when trying to Phish your way into a network? This python script can help parse the headers of blocked emails to figure out what triggered the filter rules;
  5. A walkthrough on how to pilfer Group Managed Service Account (gMSA) passwords. P.S. - this will be rolled into the next release of AADInternals;
  6. Running this short PowerShell script can help identify any available DLL Sideloading targets;
  7. If you’re the type of red teamer that thinks in steps and flows - do I have the mindmap for you!

Defensive

  1. Matano - an open-source security data lake for AWS;
  2. GarbageMan - a suite of tools for .NET malware heap analysis;
  3. TheMatrix - create an “activator” binary that loads and monitors execution of a target binary using Win32 API hooks, saving generated data to disk for evaluation;
  4. macos-unifiedlogs - a Rust library to help parse macOS Unified Log files - the primary log source from macOS 10.12 (Sierra) onwards. A supporting blog post can be found here;
  5. wtfis - a command line tool to gather domain and whois information from a range of sources, now supports Shodan look-ups for IPs, too;
  6. Sekoia have provided some Maltego transforms for VirusTotal;
  7. MDSec have an excellent 3-part series on hunting common C2 frameworks that I highly recommend. Part 1 provides an overview that sets up Part 2, which looks at Cobalt Strike, with the latest post taking a deep-dive into Brute Ratel;
  8. Part 2 of Andy Robbins’ Automating Azure Abuse Research series looks at how to use BloodHound Attack Research Kit (BARK) as part of that process;
  9. Check out this comprehensive guide to performing, detecting and mitigating abuse of Azure Primary Refresh Tokens;
  10. How to spot backdoored/manipulated PE files - a thread;
  11. LOLBIN & Phantom DLL Hijacking opportunity in DeviceEnroller.exe when invoked with /PhoneDeepLink parameter;
  12. Make sure you’ve got the necessary audit settings enabled for Defender for Endpoint with this script, which can be run via RSAT;
  13. For the uninitiated, or those wanting a refresher - check out this primer on performing Intelligence-driven Threat Hunting.

Threat Actor Activity & Reporting

  1. NCC Group report that, amid the increase in ransomware leak-site listings for July, LockBit are still the most prolific ransomware gang, followed closely by Hive and Black Basta - both of which are believed to be splinters of Conti;
  2. Cuba ransomware has claimed responsibility for a prolonged disruption of government services in Montenegro, prompting the US embassy to issue a security alert, warning of potential disruption to critical infrastructure and public utilities;
  3. Everest ransom team listed access to the Brazilian government and more than 3TB of data;
  4. IBM Security Intelligence attribute the USB-borne RaspberryRobin trojan to EvilCorp based on overlaps in functionality and structure with the Dridex loader, adding weight to existing reporting from Microsoft which observed it delivering FakeUpdate (SocGholish) malware - a malware strain closely associated with the group;
  5. Krebs has taken an exhaustive look at the risks posed to organisations using OTP codes as an MFA factor, which was made evident in the recent 0ktapus campaign targeting users of the Identity provider Okta.

Cyber Crime & Ransomware

  1. Sekoia have published a thorough overview of the role “traffers” play in the cyber crime marketplace, operating as a form of “lead generation” by redirecting users’ traffic to malicious content operated by other groups;
  2. This article provides a good overview of the wide variety of C2 frameworks being used in-the-wild, and the reasons behind Sliver’s increase in popularity as an alternative to Cobalt Strike;
  3. Palo Alto’s Unit 42 have published a detailed profile of the Black Basta ransomware group, reviewing their TTPs and Victimology;
  4. Check out this detailed breakdown of the NanoCore RAT, including tips and a CyberChef recipe to hunt it in your environment;
  5. Cybereason have released a report on Ragnar Locker, which it notes recently compromised DESFA, a Greek oil pipeline company;
  6. This report by Redacted looks at the TTPs employed by the BianLian ransomware group and their campaigns conducted thus far;
  7. Talos report on a series of campaigns delivering ModernLoader, the RedLine Infostealer, and the XMRig cryptocurrency miner;
  8. Trend Micro have shared a profile on Void Griffon - a cybercrime group providing other threat groups with bulletproof hosting since 2015;
  9. Researchers at zScaler report that the author of Prynt Stealer has popped a cheeky backdoor into the infostealer, exfiltrating data stolen from victims through a secondary Telegram channel;
  10. A look at the Venom Control Software RAT, offering typical RAT functionality in addition to some evasion and infostealing modules;

Misc

  1. Symantec researchers have discovered 1,859 mobile applications that contained AWS credentials, with 77% containing access tokens that could grant direct access to private cloud services and 874 applications containing valid tokens that could grant access to live-service databases holding millions of records. One to flag with your dev and training teams for sure!
  2. Popeye - a tool for scanning Kubernetes clusters to identify misconfigurations including port mismatches, dead or unused resources, metrics utilization, probes, container images, RBAC rules, naked resources, and more.
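For the Symantec finding in item 1 above, the most useful thing to hand your dev team is a check that runs before an app ships. The scanner below is an added example written for this wrap-up (not Symantec's tooling) that looks for embedded AWS credentials in text pulled from an app package: access key IDs using the documented AKIA (long-term IAM) and ASIA (temporary STS) prefixes, and a 40-character secret key only when it sits close to an access key, which keeps hashes and other random strings from producing noise. The sample files are constructed and use AWS's published example credentials, not real keys; the `SAMPLE_FILES` dict stands in for whatever your unpacking step produces (e.g. `strings` output or decoded resources).

```python
"""Scan extracted app text for embedded AWS access keys.

Sample inputs are constructed; the credentials in them are AWS's documented
example values (AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI...), not live keys.
"""
import re

# Documented access key ID shape: AKIA or ASIA followed by 16 upper-case
# alphanumerics, not embedded in a longer token.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 base64-like characters; only reported when found
# shortly after an access key ID, to avoid flagging every hash in the package.
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")

# Constructed stand-in for text extracted from an app package.
SAMPLE_FILES = {
    "res/values/strings.xml": (
        '<string name="aws_key">AKIAIOSFODNN7EXAMPLE</string>\n'
        '<string name="aws_secret">wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</string>\n'
    ),
    "assets/config.json": '{"sessionKey": "ASIAQX7ZK2PQMBUDAR4N", "region": "eu-west-1"}\n',
    # No real key here: a too-short AKIA prefix and a bare SHA-1 should not alert.
    "assets/notes.txt": "AKIAGEN is not a key; sha1 da39a3ee5e6b4b0d3255bfef95601890afd80709 no key\n",
}


def scan_text(source: str, text: str, proximity: int = 300) -> list:
    """Return one finding per access key ID in `text`, with the key masked and
    a flag for whether a secret-shaped string follows within `proximity` chars."""
    findings = []
    for match in ACCESS_KEY_RE.finditer(text):
        key_id = match.group(0)
        tail = text[match.end(): match.end() + proximity]
        findings.append({
            "source": source,
            "line": text.count("\n", 0, match.start()) + 1,
            "access_key_id": key_id[:4] + "..." + key_id[-4:],  # masked for reports
            "kind": "temporary (STS)" if key_id.startswith("ASIA") else "long-term (IAM)",
            "secret_nearby": SECRET_KEY_RE.search(tail) is not None,
        })
    return findings


def scan_files(files: dict, proximity: int = 300) -> list:
    """Scan a mapping of path -> extracted text and concatenate the findings."""
    results = []
    for path, text in files.items():
        results.extend(scan_text(path, text, proximity))
    return results


if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(finding)
```

A long-term key with its secret alongside is the case that grants the direct access Symantec describes; a lone ASIA key is lower risk because it expires, but still indicates credentials are being baked into the build rather than fetched at runtime. Findings only carry the masked key ID, so the report itself does not become another copy of the secret.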
