SOC Goulash: Weekend Wrap-Up (Part 2)
03/10/2022 - 09/10/2022

This is Part 2 of the Weekend Wrap-Up, detailing significant vulnerabilities from the past week, in addition to the latest tools & techniques for offence and defence alike, and some additional reporting that you might find relevant and useful.
Part 1 should already be in your inbox, and highlights some significant Threat Actor Activity and noteworthy TTP changes to be aware of.

Zimbra RCE Vulnerability actively exploited since at least September
Reference: AttackerKB | Rapid7 | Bleeping Computer
A CVSS 9.8 RCE vulnerability impacting Zimbra Collaboration Suite (CVE-2022-41352) has been actively exploited by attackers since at least September this year, allowing them to potentially overwrite the Zimbra webroot, implant shellcode, and access other users' accounts.
The vulnerability stems from a bug in the file archiving utility cpio - CVE-2015-1194 - which was originally patched but appears to have remained exploitable. This utility is used by Amavis - a security tool integrated into Zimbra Collaboration Suite - to extract archives and scan their contents.
The official fix is to install the pax package, which Amavis will use instead of cpio to extract archives.
Additional Vulnerabilities
Auth Bypass in FortiGate, FortiProxy products
Attackers can bypass authentication requirements on the management interface of Fortinet FortiGate and FortiProxy appliances due to a critical vulnerability designated CVE-2022-40684.
Patches are available, with the interim mitigation being to lock down access to the portal. Better yet - don’t expose the management plane to the internet, maybe?
Kubernetes management tool Rancher exposed plaintext credentials & tokens
CVE-2021-36782 is a CVSS 9.9 vulnerability assigned to flaws in versions 2.5.15 - 2.6.6 of Kubernetes management tool Rancher, which saw sensitive fields, like passwords, API keys and Rancher's service account token (used to provision clusters), being stored in plaintext directly on Kubernetes objects.
These objects can be read by anyone with sufficient permissions via the Kubernetes API. The exposure of Rancher's service account token would allow any standard user to escalate their privileges to cluster administrator in Rancher.
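The Rancher flaw above is a general shape worth checking for in any cluster: credential-like fields living in spec or status of ordinary objects rather than in Secrets. The script below is an added example, not Rancher or Kubernetes project code; it walks a kubectl JSON dump and reports string values under secret-looking keys outside Secret objects. The dump is constructed, and the kinds and field names in it (Cluster, privateRegistries, serviceAccountToken) are assumptions for illustration rather than Rancher's real schema.

```python
"""Scan a kubectl JSON dump for secret-looking values stored in plaintext.

Added example for the Rancher CVE-2021-36782 entry above; this is not Rancher
or Kubernetes project code. The object dump below is constructed to resemble
`kubectl get ... -A -o json` output, and the kinds and field names in it are
assumptions for illustration, not Rancher's actual schema.
"""
import json
import re
import sys

# Key names that should only ever carry a readable value inside a Secret.
SENSITIVE_KEY = re.compile(
    r"(password|passwd|token|api_?key|secret_?key|access_?key|private_?key)", re.I
)

# Values that are references, placeholders or already redacted are not findings.
REFERENCE_VALUE = re.compile(r"^(\$\{[^}]*\}|\*+|<redacted>|[a-z0-9-]+://.*)$", re.I)

CONSTRUCTED_DUMP = {
    "kind": "List",
    "items": [
        {   # Secrets are the sanctioned place for credentials; not a finding
            "kind": "Secret",
            "metadata": {"name": "db-creds", "namespace": "app"},
            "data": {"password": "c3VwZXJzZWNyZXQ="},
        },
        {   # a management CRD carrying credentials in spec/status (the flaw's shape)
            "kind": "Cluster",
            "metadata": {"name": "prod", "namespace": "fleet-default"},
            "spec": {
                "privateRegistries": [
                    {"url": "registry.example.internal", "user": "puller", "password": "hunter2"}
                ],
                "cloudCredential": "secretref://prod-cloud",  # constructed reference-style value
            },
            "status": {"serviceAccountToken": "eyJhbGciOiJSUzI1NiJ9.constructed.token"},
        },
        {   # a reference placeholder, not a secret value
            "kind": "ConfigMap",
            "metadata": {"name": "settings", "namespace": "app"},
            "data": {"apiKey": "${API_KEY}", "logLevel": "info"},
        },
    ],
}


def _leaves(node, path=""):
    """Yield (dotted path, value) for every scalar in a nested JSON structure."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _leaves(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _leaves(value, f"{path}[{index}]")
    else:
        yield path, node


def find_plaintext_secrets(dump):
    """Return (kind/name, path, masked value) for each plaintext credential found."""
    findings = []
    for obj in dump.get("items", [dump]):
        if obj.get("kind") == "Secret":
            continue
        label = f"{obj.get('kind')}/{obj.get('metadata', {}).get('name')}"
        for path, value in _leaves(obj):
            # last path component, with any list index stripped
            key = re.sub(r"\[\d+\]$", "", path.rsplit(".", 1)[-1])
            if not isinstance(value, str) or not value:
                continue
            if SENSITIVE_KEY.search(key) and not REFERENCE_VALUE.match(value):
                findings.append((label, path, value[:3] + "..."))  # never print the full value
    return findings


if __name__ == "__main__":
    dump = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else CONSTRUCTED_DUMP
    for label, path, masked in find_plaintext_secrets(dump):
        print(f"{label}: {path} = {masked}")
```

Run it against a real dump with `python scan.py objects.json`. A hit means the value is readable by anyone with `get` on that kind, so the follow-up is to rotate the credential and review RBAC on the object type, not just to delete the field.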
Command Injection vulnerability discovered in PHP’s Packagist
Packagist, which is used by PHP package manager Composer to determine and download project software dependencies, was found to be vulnerable to command execution through processing of maliciously crafted branch names (CVE-2022-24828).
The downstream impact of this is significant, with Composer downloading ~2 billion software dependencies via Packagist every month.
Upgrade to the patched versions of Composer - 2.3.5, 2.2.12, or 1.10.26 - to mitigate this vulnerability.

Offensive
- Trickest - A set of wordlists composed with strings most suitable for CMS and Robots.txt enumeration;
- SysWhispers - generate header/ASM files to allow your implants to make direct system calls and avoid triggering user-land security product hooks;
- Freeze - a tool for creating payloads that bypass EDR hooking using methods like creating processes in a suspended state and resolving function addresses directly from ntdll’s .text section;
- ntlm_theft - a tool to help generate files that can be abused to steal NTLMv2 hashes;
- HardwareAllTheThings - a guide for hardware/IoT hacks and techniques;
- Meterpreter fans rejoice - it now supports BOF Loaders!
- @snovvcrash has this neat thread summarising why Diamond and Sapphire Tickets make useful alternatives to the traditional Golden Ticket Kerberos attack;
- Worried about triggering Microsoft Defender for Identity while Kerberoasting your way to victory? Check out this talk from BruCON on how to tiptoe around those controls on your next engagement;
- This is a really good summary of the multiple challenges faced by organisations in their quest to secure user identities and the authentication and authorisation processes that underpin it. It’s more than just “roll out FIDO and you’ll be fine” - while it’s proven to be effective, there are more controls and challenges that inhibit organisations’ ability to make meaningful ground in this space.
Defensive
- Dissect - a Python-based IR framework that enables access to artefacts such as Runkeys, Prefetch Files, Event Logs, and more;
- GitFive - an OSINT tool to investigate Github profiles;
- EternalLiberty - Getting your wires crossed on overlaps in threat actor aliases used by different vendors? This repo provides links to decipher their relationships;
- Anydesk is a common Remote Management Tool abused by threat actors such as the former Conti group. Forensicxlab have created a Volatility3 plugin to help extract AnyDesk configs from memory dumps!
- ICYMI - Defender sucks at finding web shells because it “by default excludes scanning from IIS process and folders on Windows Server 2016 or above.”
- Since you can't rely on Defender here, this timely post will guide you through hunting in IIS, Exchange Setup, Exchange PowerShell cmdlet History logs and more;
- Naturally, Florian has a Sigma rule that can help plug this gap by looking at file creation events by the IIS server process on Exchange servers;
- Microsoft have shared this article on detecting and preventing LSASS credential dumping attacks;
- Common misconfigurations in Azure Conditional Access and how to bypass them - worth doing a sanity check of your internal controls to make sure these holes are plugged!
- Splunk’s Threat Research Team have built on last week’s leak of a cracked version of the Brute Ratel C4 framework by providing analysis and detection options to help defenders;
- Check out this post by RedCanary, that walks you through how to detect manipulation and theft from Exchange mailboxes;
- @CyberRaiju has shared several references for malware/RAT analysis resources, including RedLine and STRRAT;
- SpecterOps’ post on Prioritisation of the Detection Engineering Backlog is a great resource for anyone working in or managing that area of Blue Team ops;
- If you’re looking for a simple way to mitigate the now-commonplace iso > lnk > * execution chain, you can disable the double-click-to-mount for iso files with this reg key.
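The Defender IIS exclusion and Florian's Sigma rule above come down to one question: is the IIS worker process writing server-side script files into a web directory? The script below is an added example, not Florian's rule, the linked hunting post, or any Microsoft code; it re-implements that logic in plain Python so it can be run over exported events. The records are constructed in the shape of Sysmon Event ID 11 (FileCreate) fields, and the paths and the benign-directory baseline are assumptions for illustration.

```python
"""Flag server-side script files created by the IIS worker process.

Added example for the Defender/IIS-exclusion and Sigma-rule items above. It is
not Florian's Sigma rule, the linked hunting post, or Microsoft code. The
records below are constructed in the shape of Sysmon Event ID 11 fields; the
paths and the benign-directory list are assumptions for illustration.
"""
from pathlib import PureWindowsPath

IIS_WORKER = "w3wp.exe"

# Extensions IIS will execute as server-side code if dropped under a web root.
WEB_SCRIPT_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx", ".svc", ".soap", ".cshtml"}

# Directory names under which w3wp.exe writes compiled/cached artefacts
# legitimately (assumed baseline; tune against your own servers).
BENIGN_DIR_NAMES = {"temporary asp.net files", "iis temporary compressed files"}

CONSTRUCTED_EVENTS = [
    {   # script dropped straight into a front-end web directory by w3wp.exe
        "EventID": 11, "UtcTime": "2022-10-05 09:14:02.111",
        "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
        "TargetFilename": r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\help.aspx",
    },
    {   # ASP.NET runtime compilation output: expected w3wp.exe behaviour
        "EventID": 11, "UtcTime": "2022-10-05 09:14:05.400",
        "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
        "TargetFilename": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\1a2b\App_Web_q1w2.dll",
    },
    {   # IIS log file: not executable content
        "EventID": 11, "UtcTime": "2022-10-05 09:15:00.000",
        "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
        "TargetFilename": r"C:\inetpub\logs\LogFiles\W3SVC1\u_ex221005.log",
    },
    {   # same worker process, but a ProcessCreate event rather than FileCreate
        "EventID": 1, "UtcTime": "2022-10-05 09:16:10.250",
        "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
        "CommandLine": 'w3wp.exe -ap "MSExchangeOWAAppPool"',
    },
    {   # .aspx written by a different process: outside this rule's scope
        "EventID": 11, "UtcTime": "2022-10-05 09:17:33.900",
        "Image": r"C:\Windows\System32\notepad.exe",
        "TargetFilename": r"C:\inetpub\wwwroot\index.aspx",
    },
]


def is_suspicious_web_write(event) -> bool:
    """True when w3wp.exe creates a script file outside its known scratch dirs."""
    if event.get("EventID") != 11:
        return False
    if PureWindowsPath(event.get("Image", "")).name.lower() != IIS_WORKER:
        return False
    target = PureWindowsPath(event.get("TargetFilename", ""))
    if target.suffix.lower() not in WEB_SCRIPT_EXTENSIONS:
        return False
    # Stay quiet for the runtime's own compile/cache directories.
    return not any(part.lower() in BENIGN_DIR_NAMES for part in target.parts)


def hunt(events):
    """Return the events worth a human look, oldest first."""
    return sorted((e for e in events if is_suspicious_web_write(e)), key=lambda e: e["UtcTime"])


if __name__ == "__main__":
    for e in hunt(CONSTRUCTED_EVENTS):
        print(f"{e['UtcTime']}  {e['Image']} -> {e['TargetFilename']}")
```

The rule deliberately keys on the creating process rather than on file content, which is exactly the signal the Defender exclusion loses; a hit should be followed by pulling the file and the IIS request logs for the same window.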

Threat Actor Activity & Reporting
- The NSA, CISA and FBI have released a joint advisory regarding the compromise of an organisation in the Defence sector by an as-yet unidentified APT group. The intrusion was enabled through compromise of an Exchange server in January 2021, and Impacket was used to enable internal lateral movement in addition to a custom exfil tool dubbed CovalentStealer;
- Another joint advisory released by the trio of agencies has highlighted the CVEs most exploited by Chinese state-sponsored actors since 2020. The spread is unsurprising, but given popping CVEs are a favourite of Chinese actors, this makes for a good shopping list of things to make sure you’re patched/mitigated/monitoring for;
- Researchers have linked the Cheerscrypt ransomware to the China-affiliated DEV-0401/Emperor Dragonfly threat group, positing that the ransomware operations are a potential cover for cyber espionage campaigns;
- Trend Micro have looked at evolutions in the tooling used by the APT group they track as Earth Aughisky, known for targeting organisations in Taiwan and Japan.
Cyber Crime & Ransomware
- Blackberry researchers have this report looking into DJVU ransomware. Active since 2018, it exclusively targets Windows hosts. The operators also appear to have partnered with other cyber criminal groups as an apparent secondary monetisation method, distributing InfoStealers during intrusions to exfil data;
- Sophos have shed light on BlackByte ransomware’s EDR bypass technique that relies on abusing the legit-but-vulnerable driver RTCore64.sys used by Micro-Star’s MSI AfterBurner 4.6.2.15658 graphics-card overclocking utility. Spoilers - it looks like the technique was largely based on the open-source EDRSandblast tool, and also the developer could really use a hug right now (check out the choice of Service names - yikes);
- Trellix summarise the evolution of BazaCall Call-back Phishing campaigns - potentially something to work into your user training regime;
- Meet Maggie - a RAT targeting SQL servers that has already infected hundreds of assets throughout the world, and is capable of executing commands on-target and bridging attacker comms into the compromised environment;
- Elastic have produced this in-depth analysis of the PARALLAX loader - a highly-capable and evasive loader malware that was first seen in 2020 - and campaigns where it has delivered the Netwire trojan;
- zScaler researchers have taken the scalpel to LilithBot, a versatile offering sold by the Eternity group on the Dark Web that comes with stealer, clipper, and miner capabilities;
- A brief overview of the ELITETEAM Bulletproof hosting service, which is being actively leveraged to enable multiple distinct clusters of cyber crime operations, ranging from infostealing to ransomware deployment.
Misc
- Secureworks 2022 State of the Threat Report has been released, with a noteworthy finding being that compromise of unpatched internet-facing infrastructure has overtaken credentials-based attacks as the primary initial attack vector, and enabled 52% of ransomware incidents over the past year.
- Research by Cequence Security has highlighted the risk posed by “Shadow APIs”, noting 30% of “all malicious attacks” target such APIs;
- Researchers from Avanan have flagged the continuing importance of Email security controls, and while Microsoft’s defences have been largely effective, approximately 20% of phishing emails bypassed Exchange Online Protection & Defender, with Defender missing 74% more phishes since 2020;
- 64 percent of enumerated internet-connected PostgreSQL servers don’t use SSL; 41% don’t require a password. Seems we’ve been so busy sweating S3 buckets that we forgot about the original blob storage;
- Talks from BSides Augusta are now available on Youtube.
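The PostgreSQL figures above (no SSL, no password) are both decided by pg_hba.conf, so they are easy to audit locally. The script below is an added example, not part of the cited research; it parses pg_hba.conf rules and flags network rules that accept non-TLS connections from non-loopback addresses, use `trust` (no password), or use `password` (cleartext on the wire). The configuration text is constructed to exercise those cases.

```python
"""Audit pg_hba.conf for remote rules that skip TLS or skip the password.

Added example for the PostgreSQL exposure figures above; it is not part of the
cited research. The configuration text is constructed to cover loopback vs.
remote addresses, trust, cleartext password and hostnossl rules.
"""
import ipaddress

# Methods that authenticate nobody, or that put the password on the wire in clear.
NO_AUTH_METHODS = {"trust"}
CLEARTEXT_PASSWORD_METHODS = {"password"}

CONSTRUCTED_PG_HBA = """\
# TYPE      DATABASE  USER  ADDRESS        METHOD
local       all       all                  peer
host        all       all   127.0.0.1/32   scram-sha-256
host        all       all   0.0.0.0/0      trust
hostnossl   all       all   10.0.0.0/8     md5
hostssl     all       all   0.0.0.0/0      scram-sha-256
host        all       app   ::/0           password
"""


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_pg_hba(text):
    """Return one dict per active rule: line, type, database, user, address, method."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        conn_type = fields[0]
        if conn_type == "local":
            database, user, address, method = fields[1], fields[2], None, fields[3]
        elif len(fields) >= 6 and "/" not in fields[3] and _is_ip(fields[4]):
            # ADDRESS given as separate IP and netmask columns
            database, user, address, method = fields[1], fields[2], f"{fields[3]}/{fields[4]}", fields[5]
        else:
            database, user, address, method = fields[1], fields[2], fields[3], fields[4]
        rules.append({"line": lineno, "type": conn_type, "database": database,
                      "user": user, "address": address, "method": method})
    return rules


def _is_loopback(address):
    try:
        return ipaddress.ip_network(address, strict=False).is_loopback
    except ValueError:  # hostnames, samehost, samenet: treat as not loopback
        return False


def audit_pg_hba(text):
    """Return (line number, problem) pairs for rules a defender should revisit."""
    findings = []
    for rule in parse_pg_hba(text):
        if rule["type"] == "local":
            continue  # Unix-socket rules never cross the network
        if rule["type"] in {"host", "hostnossl"} and not _is_loopback(rule["address"]):
            findings.append((rule["line"],
                             f"{rule['type']} rule accepts non-TLS connections from {rule['address']}"))
        if rule["method"] in NO_AUTH_METHODS:
            findings.append((rule["line"], "no password required (trust)"))
        elif rule["method"] in CLEARTEXT_PASSWORD_METHODS:
            findings.append((rule["line"], "password is sent in cleartext"))
    return findings


if __name__ == "__main__":
    for line, problem in audit_pg_hba(CONSTRUCTED_PG_HBA):
        print(f"pg_hba.conf:{line}: {problem}")
```

The corrected shape for a remote rule is `hostssl ... scram-sha-256` with `ssl = on` in postgresql.conf; plain `host` on loopback is left alone because it never leaves the box.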
Thanks for reading! If you liked this, please subscribe to receive new posts and support my work!