SOC Goulash: Weekend Wrap-Up (Part 2)
22/08/2022 - 28/08/2022

This is Part 2 of the Weekend Wrap-Up, detailing significant vulnerabilities from the past week, in addition to the latest tools & techniques for offence and defence alike, and some additional reporting that you might find relevant and useful.
Part 1 should already be in your inbox, and highlights some significant Threat Actor Activity and noteworthy TTP changes to be aware of.

Calling them “risks” doesn’t make me feel better
Reference: Authomize
Researchers at Authomize released a report into several “risks” they identified in Okta’s Identity platform, namely:
- The potential for cleartext password extraction via SCIM (System for Cross-domain Identity Management);
- Sharing of passwords and sensitive data over unencrypted channels (HTTP);
- Hub & spoke configurations allowing sub-org admins to compromise accounts in the hub or other spokes downstream;
- Mutable identity log spoofing - users can modify their name, allowing them to perform actions while appearing in logs as someone else.
When the researchers disclosed their findings to Okta, they were advised that, in fact, “the features are performing as designed and should not be categorized as vulnerabilities.”
Given the third “risk” could feasibly allow a downstream organisation (e.g. a small mortgage broker acquired by a large, multinational bank) to gain super admin privileges across the parent organisation’s network - I feel like fobbing it off as a feature and not a flaw is a bit of a cop-out.
Hopefully Okta comes up with more concrete guidance and controls to empower organisations to mitigate these “risks”, but in the meantime, I’d recommend reviewing the Authomize blog to understand the potential impact and what actions you can take to guard against them.
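The fourth “risk” above is worth seeing concretely: if a user can edit their own display name, any log view keyed on that name will attribute their actions to whoever they chose to impersonate. The script below is an added illustration, not code from Authomize, Okta or this newsletter. It uses constructed sample events in a simplified, Okta-System-Log-like shape (the `actor.id`, `actor.displayName` and `eventType` field names are assumptions made for the example, as is the directory snapshot) and shows three defensive habits: join on the immutable actor id, compare the displayed name against the provisioned one, and flag display names that appear against more than one id.

```python
"""Attribute identity-log activity by immutable user id, not by display name.

Added example for the "mutable identity log spoofing" point above; this is
not code from Authomize, Okta or this newsletter. The event shape below
(actor.id, actor.displayName, eventType) is an assumption made for the
example, as is the directory snapshot.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed directory snapshot: immutable user id -> provisioned display name.
DIRECTORY: Dict[str, str] = {
    "00u1aaa": "Alice Admin",
    "00u2bbb": "Bob Broker",
}

# Constructed sample events. In the last two, user 00u2bbb has renamed
# themselves to "Alice Admin" before acting, so a name-keyed view of the
# log attributes their actions to the real administrator.
EVENTS: List[dict] = [
    {"ts": "2022-08-24T09:00:00Z", "eventType": "user.session.start",
     "actor": {"id": "00u1aaa", "displayName": "Alice Admin"}},
    {"ts": "2022-08-24T09:05:00Z", "eventType": "user.account.update_profile",
     "actor": {"id": "00u2bbb", "displayName": "Bob Broker"}},
    {"ts": "2022-08-24T09:06:00Z", "eventType": "user.session.start",
     "actor": {"id": "00u2bbb", "displayName": "Alice Admin"}},
    {"ts": "2022-08-24T09:07:00Z", "eventType": "group.user_membership.add",
     "actor": {"id": "00u2bbb", "displayName": "Alice Admin"}},
]


@dataclass
class Finding:
    ts: str
    actor_id: str
    shown_as: str
    provisioned_as: str
    event_type: str


def actions_by_actor_id(events: List[dict]) -> Dict[str, List[str]]:
    """Group event types by immutable actor id: the join key to use."""
    grouped: Dict[str, List[str]] = defaultdict(list)
    for e in events:
        grouped[e["actor"]["id"]].append(e["eventType"])
    return dict(grouped)


def actions_by_display_name(events: List[dict]) -> Dict[str, List[str]]:
    """Same grouping keyed on the mutable display name, to show the misattribution."""
    grouped: Dict[str, List[str]] = defaultdict(list)
    for e in events:
        grouped[e["actor"]["displayName"]].append(e["eventType"])
    return dict(grouped)


def find_name_mismatches(events: List[dict], directory: Dict[str, str]) -> List[Finding]:
    """Events where the display name differs from the provisioned name for that id."""
    findings: List[Finding] = []
    for e in events:
        actor_id = e["actor"]["id"]
        shown = e["actor"]["displayName"]
        provisioned = directory.get(actor_id)
        if provisioned is not None and shown != provisioned:
            findings.append(Finding(e["ts"], actor_id, shown, provisioned, e["eventType"]))
    return findings


def find_name_collisions(events: List[dict]) -> Dict[str, List[str]]:
    """Display names that appear against more than one actor id in the log."""
    ids_for_name: Dict[str, set] = defaultdict(set)
    for e in events:
        ids_for_name[e["actor"]["displayName"]].add(e["actor"]["id"])
    return {name: sorted(ids) for name, ids in ids_for_name.items() if len(ids) > 1}


if __name__ == "__main__":
    print("by id:  ", actions_by_actor_id(EVENTS))
    print("by name:", actions_by_display_name(EVENTS))
    for f in find_name_mismatches(EVENTS, DIRECTORY):
        print(f"{f.ts} {f.actor_id} acted as '{f.shown_as}' "
              f"(provisioned '{f.provisioned_as}'): {f.event_type}")
    print("collisions:", find_name_collisions(EVENTS))
```

Run as-is and the name-keyed view credits “Alice Admin” with three actions, two of which belong to `00u2bbb`; the id-keyed view, the mismatch list and the collision check all surface the rename. In a real SIEM the same idea applies: build dashboards and correlation rules on the immutable id, and treat a profile-update event followed by privileged activity under a name that now collides with an admin's as something to look at.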

Offensive
- BBOT - an OSINT framework for automating subdomain enumeration, port scanning, web screenshots, vulnerability scanning, and more;
- Masky - a Python library that abuses legitimate Windows and Active Directory features (token impersonation, certificate authentication via Kerberos and NT hash retrieval via PKINIT) to dump domain user creds by targeting AD CS deployments;
- For your next Red Team engagement - a write-up and stable PoC exploit for PrintNightmare (CVE-2021-34527);
- JWT-Reauth - a plugin for Burp Suite which caches authentication tokens and automatically refreshes them when needed;
- PIVert - a tool for remote authentication using abused AD CS certificates;
- hoaxshell - a Windows reverse shell claiming to be undetected by Defender on Windows 11 Enterprise and 10 Pro;
- Looking to learn how to pop CI/CD environments? CI/CD GOAT provides a containerised sandpit for you to smash;
- Part II of @bohops’ look into tampering with .NET CLR usage logs to evade EDR, and how to detect it.

Defensive
- The Elastic Container Project - allows you to bring up a full Elastic stack with everything pre-enabled/configured with TLS and ready for you to run with;
- YaraML - a machine-learning tool to generate YARA rules from a dataset of malicious/benign labeled data;
- @inversecos has published another great post on how to detect OAuth Access Token Theft occurring in Azure - a technique used by Chinese APTs but also broadly understood and used by white hats and cyber crims to access internal environments and data;
- @likethecoins has shared part 2 in her series on how to get into and improve your Threat Intel workflows and methodologies. It’s incredibly detailed and from one of the best in the industry - definitely worth a read if you’re playing in that field;
- Microsoft have shared a walkthrough on hunting for compromised Azure subscriptions using M365 Defender and Defender for Cloud Apps;
- Lnk files have become a core part in execution chains for initial malware payloads such as IcedID and Qbot - check out this blog for an overview of how that came about and how to detect them;
- Grzegorz Tworek identified a new LOLBIN in dumpbin.exe, Kostas Tsale responded with a Sigma rule to detect its abuse;
- Binary Defense have shared this nifty primer on analysing Rust malware;
- For my fellow peasant malware analysts out there, struggling to find samples without a VT license - this guide will help you make the most out of publicly available solutions to find what you need.

Threat Actor Activity & Reporting
- Zscaler have warned of an ongoing Attacker-in-the-Middle (AiTM) phishing campaign targeting C-suite and senior members of organisations that use Google Workspace. The campaign abuses open redirects in Google Ads and Snapchat, and leverages the initially compromised sites and emails to perform further social engineering of their contacts.
- Sucuri reported on a campaign that used hacked WordPress sites to display fake Cloudflare DDoS protection pages, ultimately enabling the delivery of malware including the NetSupport RAT and RaccoonStealer Infostealer.
- Microsoft have shared a report on MERCURY - an actor affiliated with Iranian intelligence - who used Log4Shell vulnerabilities in a campaign targeting Israeli organisations;
- LastPass disclosed a breach that occurred two weeks ago - while they insist customer data and encrypted password vaults were not compromised, the attacker did make off with some source code and “proprietary” technical information;
- The FBI released an advisory warning that actors were abusing residential proxies to mask their origin and blend in with regular consumer traffic when performing credential stuffing attacks;
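The residential-proxy point deserves a concrete detection angle: when each attempt arrives from a different consumer address, per-IP lockouts and rate limits never trip, so the signal is in the aggregate. The script below is an added example (not from the FBI advisory, and the log format and thresholds are constructed for illustration) that buckets failed logins into fixed windows and flags a window where many accounts fail from many addresses while no single address exceeds a small number of attempts. It also shows the contrast case, a single-source brute force, which this rule deliberately does not flag.

```python
"""Flag credential stuffing that is spread thinly across many source IPs.

Added example, not from the FBI advisory above. The log format and the
thresholds are constructed for the example; tune them to your own baseline.
"""
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed sample auth log: "<timestamp> <user> <source_ip> <result>".
# 10:00-10:10: six different accounts each fail once from six different
# addresses (a low-and-slow spray through a proxy pool), plus one genuine
# login. 10:10-10:20: one account hammered from a single address, which is
# a plain brute force rather than distributed stuffing.
SAMPLE_LOG = """\
2022-08-25T10:00:01Z alice 198.51.100.11 FAIL
2022-08-25T10:00:40Z bob 198.51.100.12 FAIL
2022-08-25T10:01:15Z carol 198.51.100.13 FAIL
2022-08-25T10:02:00Z alice 203.0.113.10 OK
2022-08-25T10:02:30Z dave 198.51.100.14 FAIL
2022-08-25T10:03:05Z erin 198.51.100.15 FAIL
2022-08-25T10:04:50Z frank 198.51.100.16 FAIL
2022-08-25T10:12:00Z bob 203.0.113.20 FAIL
2022-08-25T10:12:05Z bob 203.0.113.20 FAIL
2022-08-25T10:12:10Z bob 203.0.113.20 FAIL
"""

Row = Tuple[datetime, str, str, str]


def parse_log(text: str) -> List[Row]:
    """Parse the constructed whitespace-separated format into tuples."""
    rows: List[Row] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        rows.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), user, ip, result))
    return rows


def find_stuffing_windows(rows: List[Row], window_s: int = 600, min_users: int = 5,
                          min_ips: int = 5, max_per_ip: int = 2) -> List[dict]:
    """Per fixed time window, count failed logins by user and by source IP.

    A window is flagged when failures touch at least min_users accounts from
    at least min_ips addresses while no single address exceeds max_per_ip
    attempts: the shape stuffing takes when it is laundered through a
    residential proxy pool, because per-IP controls stay below threshold.
    """
    users: Dict[int, set] = defaultdict(set)
    per_ip: Dict[int, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for ts, user, ip, result in rows:
        if result != "FAIL":
            continue
        bucket = int(ts.timestamp()) // window_s
        users[bucket].add(user)
        per_ip[bucket][ip] += 1

    flagged: List[dict] = []
    for bucket in sorted(users):
        n_users = len(users[bucket])
        n_ips = len(per_ip[bucket])
        worst_ip = max(per_ip[bucket].values())
        if n_users >= min_users and n_ips >= min_ips and worst_ip <= max_per_ip:
            flagged.append({
                "window_start": datetime.fromtimestamp(bucket * window_s, tz=timezone.utc).isoformat(),
                "distinct_users": n_users,
                "distinct_ips": n_ips,
                "max_fails_per_ip": worst_ip,
            })
    return flagged


if __name__ == "__main__":
    for hit in find_stuffing_windows(parse_log(SAMPLE_LOG)):
        print("possible distributed credential stuffing:", hit)
```

The thresholds here are illustrative; in production you would set `min_users` and `min_ips` from your normal failed-login baseline and pair this with the per-IP rule it complements, so that both the single-source brute force and the many-source spray have a detection that fires.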

Cyber Crime & Ransomware
- Microsoft have an excellent report looking at hunting Sliver - a C2 framework which several nation-state and cyber crime actors have adopted to replace Cobalt Strike in their operations;
- An intro to Agenda, a new Go-based ransomware strain with some functional and infrastructure similarities to BlackBasta;
- Elastic have released analysis of a Qbot malware sample obtained in a recent campaign, complete with IOCs, a YARA rule and a handy config extractor;
- An interview with “Wazawaka” - credited with ransoming Costa Rica’s government systems, Capcom, the DC Metro Police, and more;
- An interesting tidbit - crypto miners have been seen using the serverless, P2P Tox messaging protocol for C2. Crypto miners are often one of the first payloads deployed when new external-facing vulnerabilities are uncovered and PoC exploits are released, so they act as a “canary in the coal mine” - if you find one running in your network, you’ve probably either got, or are about to have, much bigger problems. If you clock Tox P2P traffic on your network, it’d definitely be worth looking into.

Misc
- Andy Robbins has shared a series of resources detailing how organisations can prevent Kerberoasting - all rolled neatly into a Twitter thread;
- Real-time Locating Systems (RTLS) have been found to be vulnerable to attacker-in-the-middle attacks and manipulation of location data. This could be abused to bypass physical security measures, or to spoof safety hazards to trigger kill-switch safety controls and disrupt production lines;
- A friendly reminder that as of October 1, Microsoft are disabling basic authentication in a bunch of their services, which will also prevent the use of app passwords with apps that don't support two-step verification.
Thanks for reading! If you liked this, please subscribe for free to receive new posts and support my work!