SOC Goulash: Weekend Wrap-Up (Part 2)

12/09/2022 - 18/09/2022

This is Part 2 of the Weekend Wrap-Up, detailing significant vulnerabilities from the past week, in addition to the latest tools & techniques for offence and defence alike, and some additional reporting that you might find relevant and useful.

Part 1 should already be in your inbox, and highlights some significant Threat Actor Activity and noteworthy TTP changes to be aware of.

Teams exposes plaintext credentials. Microsoft: “Yeah, and?”

References: Vectra | BleepingComputer

Researchers at Vectra have discovered that Microsoft Teams leaves cleartext authentication tokens sitting on-disk in Windows, Linux, and Mac versions of the app - and Microsoft have no plans to secure them, saying it “does not meet our bar for immediate servicing”.

These tokens provide access to the Outlook & Skype APIs, and could “[enable] attackers to modify SharePoint files, Outlook mail and calendars, and Teams chat files” - for example to destroy or exfiltrate data, or conduct convincing phishing attacks leveraging the compromised identity.

“Ah, but I have MFA enabled”, you say? That doesn’t matter here, as the tokens are generated after the original user passed the MFA challenge when authenticating - effectively enabling the attacker to bypass the security control.

The tokens can be found in the following locations:

  • Windows

    • %AppData%\Microsoft\Teams\Cookies

    • %AppData%\Microsoft\Teams\Local Storage\leveldb

  • macOS

    • ~/Library/Application Support/Microsoft/Teams/Cookies

    • ~/Library/Application Support/Microsoft/Teams/Local Storage/leveldb

  • Linux

    • ~/.config/Microsoft/Microsoft Teams/Cookies

    • ~/.config/Microsoft/Microsoft Teams/Local Storage/leveldb

As this security flaw stems from Electron’s lack of support for encryption and protected file locations by default, this vulnerability is inherent to all versions of the Microsoft Teams app, with no patch in sight.

Vectra recommends users use the browser instance of the app, which provides protections against leaking of authentication tokens. They further recommend monitoring and alerting on apps other than Teams accessing the token locations listed above.
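One way to act on that monitoring recommendation is to run file-access telemetry through a small filter that fires whenever something other than the Teams binary touches the token stores. The example below is added here and is not Vectra's tooling or Microsoft's; it uses Sysmon-style field names (Image, TargetFilename), constructed sample events, and assumes "teams.exe" (Windows) and "teams" (macOS/Linux) as the expected process basenames, which you should confirm against your own baseline.

```python
"""Flag file-access events where a process other than Teams touches the
Teams token stores listed above (constructed example, not Vectra's tooling)."""

# Token store locations from the Vectra write-up, normalised to lowercase
# forward-slash fragments so one check covers Windows, macOS and Linux paths.
TOKEN_PATH_MARKERS = (
    "microsoft/teams/cookies",                          # Windows %AppData%, macOS ~/Library/Application Support
    "microsoft/teams/local storage/leveldb",
    "microsoft/microsoft teams/cookies",                # Linux ~/.config
    "microsoft/microsoft teams/local storage/leveldb",
)

# Process basenames expected to touch these stores. "teams.exe" is the Windows
# binary; "teams" for macOS/Linux is an assumption for this example: confirm it
# against your own baseline before relying on the allow-list.
EXPECTED_TEAMS_PROCESSES = {"teams.exe", "teams"}


def normalise(path: str) -> str:
    """Lowercase and use forward slashes so Windows and POSIX paths compare alike."""
    return path.replace("\\", "/").lower()


def is_token_path(path: str) -> bool:
    """True if the path is, or sits under, one of the Teams token stores."""
    p = normalise(path)
    return any(marker in p for marker in TOKEN_PATH_MARKERS)


def process_basename(image: str) -> str:
    """Executable name without its directory, for either path flavour."""
    return normalise(image).rsplit("/", 1)[-1]


def find_suspicious_access(events):
    """Return (Image, TargetFilename) pairs where a non-Teams process hit a token store.

    Each event is a dict with Sysmon-style field names: "Image" for the acting
    process and "TargetFilename" for the file it touched.
    """
    hits = []
    for ev in events:
        target = ev.get("TargetFilename", "")
        if not is_token_path(target):
            continue
        image = ev.get("Image", "")
        if process_basename(image) in EXPECTED_TEAMS_PROCESSES:
            continue
        hits.append((image, target))
    return hits


# Constructed sample telemetry (not real log data).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Teams\Cookies"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Teams\Local Storage\leveldb\000003.log"},
    {"Image": "/usr/bin/python3",
     "TargetFilename": "/home/bob/.config/Microsoft/Microsoft Teams/Cookies"},
    {"Image": "/Applications/Microsoft Teams.app/Contents/MacOS/Teams",
     "TargetFilename": "/Users/carol/Library/Application Support/Microsoft/Teams/Cookies"},
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},
]

if __name__ == "__main__":
    for image, target in find_suspicious_access(SAMPLE_EVENTS):
        print(f"ALERT: {image} accessed Teams token store {target}")
```

Run against the constructed events it flags the PowerShell and python3 accesses and ignores Teams itself. Note that Sysmon's FileCreate event only sees writes; to catch reads of the Cookies and leveldb files you need file-access auditing (a SACL on the directory with Windows event 4663, or auditd on Linux) or an EDR that records file opens.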

Don’t wait for threat actors to bake this into their playbooks, because even if they don’t - you may just run into a Red Team that will.

The Weekly Vulnerability Wrap-Up

Firmware bugs for both HP and Lenovo Computers

Six bugs in the System Management Module (SMM) of HP computers have been publicly disclosed but left either unpatched or only partially patched by the vendor, exposing users to the potential for kernel-level rootkits.

Lenovo customers were also notified this week of several SMM-based vulnerabilities that enabled a range of attacks, spanning from denial of service to arbitrary code execution. Patches for these are available, so make sure you get on that soon if you’re not already!

WordPress Plugins - can’t live with them, can’t live without ‘em!

Following the widespread targeting of an 0-day in the BackupBuddy plugin last week, WordPress users will once again have to bear with the laborious task of pressing the “update” button on their plugin dashboard.

This time, it’s a CVSS 9.8 vulnerability in the WPGateway plugin that is being actively exploited to take over WordPress sites running the plugin. Similar to BackupBuddy, this is being hit hard, with over 4.6 million attacks across more than 280,000 sites in 30 days observed by WordPress security company Wordfence.

Late this week, it also emerged that paid instances of plugins distributed by FishPig - a company enabling Magento integrations in WordPress-powered sites - were backdoored by attackers. This backdoor provided attackers with remote access to affected instances.

Another Apple 0-day; Dell vProxy patches, and active exploitation of Trend Micro’s Apex One product

Ring the bell, everyone - we have another 0-day found in Apple products, and which they say “may have been actively exploited.” The flaw impacts macOS, iPadOS and iOS devices, enabling “maliciously crafted applications to execute arbitrary code with kernel privileges.”

Dell have also issued a number of patches for their vProxy product, designed to protect & recover VMware virtual machines. Four of these rate as critical or high severity, with some enabling SQL Injection, arbitrary code execution and more.

Finally, Trend Micro have released a new Service Pack for their Apex One Endpoint Protection product to address a set of vulnerabilities, at least one of which they have observed being exploited in-the-wild. The impacts of said vulnerabilities include potential for remote code execution, authentication bypass, and privilege escalation.

Offensive

  1. CloudFox - a command line tool that finds exploitable attack paths in AWS, with support for Azure, GCP and Kubernetes planned for future releases;
  2. Secureworks have published their findings that identified a new attack path for Azure AD Pass-through Authentication, enabling attackers to gather credentials, log in with invalid credentials, and perform DoS attacks. This will most practically be used as a persistence mechanism, and one that can’t be detected from the Azure Portal or logs.
  3. Benjamin Delpy has found that enabling Citrix SSO results in passwords being stored in user process memory, even if you have Credential Guard enabled - support for this in Mimikatz is coming soon;
  4. This simple post highlights the potential to abuse forensic tools to dump RAM instead of processes, as a way to retrieve in-memory credentials - something fun for your next Red Team, perhaps?

Defensive

  1. Self-Service Security Assessment - a tool created by AWS engineers that produces point-in-time assessments of security misconfigurations in an AWS account, including those that might be abused by ransomware;
  2. Grafana Incident - an Incident Management tool for users of Grafana Cloud;
  3. For anyone operating a small cyber security practice, or even for those with a home lab - StrangeBee have released a demo VM that comes with a pre-configured instance of TheHive and Cortex;
  4. This is a great mindmap and general resource to help visualise how attackers can abuse Office 365 mail rules to exfiltrate and otherwise manipulate emails, and includes links to two general Sigma rules to help you get started in detecting them;
  5. FalconForce have shared another great post that looks at how actors can dump lsass.exe using debug privileges, and how to detect it;
  6. New to Golang and reverse engineering Golang malware? This post is a great primer to get you started;
  7. Check out this Shodan query, which you can use to find specific Cobalt Strike beacon config strings in their scanning data;
  8. SpecterOps’ Jonny Johnson has shared the final post in his series looking at WMI and COM internals, which aims to help defenders detect and analyse abuse of these services at a more granular level;
  9. Detection Engineering isn’t as simple as searching for command lines seen in reports or blindly alerting on what you think would be an anomalous process tree. If you’re new to the game, or just want to get another perspective, this is a good post to read up on.

Threat Actor Activity & Reporting

  1. Researchers at Symantec have identified a long-running cyber-espionage campaign targeting government entities in Asia, as well as state-owned companies in the defence, telecom and IT sectors. The large range of tools used in the attacks has led them to infer that this is most likely China’s APT41/Mustang Panda threat groups;
  2. Mandiant have shared their post-mortem of activity attributed to UNC4034 - a North Korean threat group that performed a job opportunity-themed phishing campaign to deliver backdoored PuTTY & KiTTY SSH clients that dropped their AIRDRY.v2 payload;
  3. Cisco have verified that data leaked by the Yanluowang ransomware gang was the result of a compromise back in May. While they’ve stressed that this data doesn’t impact their IP, customer PII, or products, Yanluowang insist - without proof - that they have 55GB of classified documents and source code;
  4. Another report from Symantec profiles Webworm - an espionage-motivated threat group that’s been seen using customised versions of older RATs like Trochilus, Gh0st RAT, and 9002 RAT to attack government agencies and companies operating in Russia, Georgia, Mongolia, and a number of other Asian countries;
  5. The Center for European Policy Analysis (CEPA) have published a detailed overview of Russia’s offensive cyber capabilities - a good resource to bookmark to help understand threat actor objectives and who’s handing them out;
  6. Crowdstrike have released their 2022 Threat Hunting report, which you can grab here. If you just want the highlights, Dark Reading have shared a succinct summary of key findings;
  7. This post by SentinelOne looks at the top attacks for this year that targeted victim Endpoints, Identity, and Cloud environments.

Cyber Crime & Ransomware

  1. A bunch of interesting reporting has come out this past week on Emotet, highlighting that it’s still a relevant threat, and is deployed by highly capable ransomware actors:

    • DFIR Report have published their analysis of an Emotet infection from May that ended in Cobalt Strike, with another report in the pipeline for an intrusion enabling ransomware deployment;

    • AdvIntel report that while Emotet activity may have tapered off compared to their historical highs, it’s still being used by former Conti affiliates that now operate Quantum and ALPHV/BlackCat ransomware;

    • @Kostastsale has shared a simple Sigma rule that looks for anomalous emails passed in the “IntegratorLogin” parameter of Atera Agent installations - useful for orgs that do use it legitimately, but want to detect actors like Emotet deploying unapproved instances on their network;

  2. Proofpoint have added to the growing list of reporting on Iran’s threat groups, this time looking at TA453, which overlaps with Charming Kitten/PHOSPHORUS/APT42. While the overall profile is itself worth a read, an interesting technique they’ve employed is to use multiple personas masquerading as real academics and diplomats to add legitimacy to their social engineering efforts;

  3. KELA have done a deep dive into the uptake and activity on the Breached dark web forum - the spiritual successor to the now defunct RaidForums;

  4. The LockBit ransomware crew - the enterprising entrepreneurs that they are - appear to have made good on their “bug bounty” program, announcing the payment of their first bounty for a bug found in their encryption process;

  5. Unit 42 have looked into OriginLogger - the successor to the Agent Tesla keylogging malware;

  6. Sekoia have shared a detailed report looking into a prolific loader for sale on the dark web called PrivateLoader, which is being peddled as part of the ruzki Pay-per-Install scheme;

  7. Some technical analysis of the prolific Raccoon Stealer Infostealer - you might’ve read similar analysis in the past, but it’s always good to catch up on any potential changes made to more recent versions;

  8. Microsoft updated their analysis of the Linux-based XorDdos malware with additional insight on the initial access and payload used in said campaigns, as well as details on a rootkit component they observed in June this year;

  9. 0xToxin has shared a Twitter thread looking at the AsyncRAT execution chain;

  10. Here’s some detailed analysis of the Quantum ransomware for those looking to get into the weeds.
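The Atera detection mentioned in item 1 above (anomalous e-mail addresses in the IntegratorLogin parameter) is simple enough to sketch in a few lines. The example below is added here and is not @Kostastsale's Sigma rule or Atera's documentation; it assumes the agent is enrolled via an MSI command line of the form IntegratorLogin=<email> CompanyId=<n> (only the IntegratorLogin property name comes from the item above; the rest of the command-line shape is an assumption), and it compares the extracted login against a constructed allow-list of the integrator accounts an organisation legitimately uses.

```python
"""Flag Atera agent installs whose IntegratorLogin is not an approved account
(constructed example; not the Sigma rule referenced above)."""
import re

# Constructed allow-list: the integrator accounts your organisation actually
# uses to enrol Atera agents. Replace with your own.
APPROVED_INTEGRATOR_LOGINS = {"it-admin@example.com"}

# Captures the value of IntegratorLogin=... (optionally double-quoted) from a
# command line. The property name is the one the rule above keys on; the exact
# shape of the installer command line is assumed for this example.
INTEGRATOR_RE = re.compile(r'IntegratorLogin=("?)([^\s"]+)\1', re.IGNORECASE)


def extract_integrator_login(command_line: str):
    """Return the IntegratorLogin e-mail from an installer command line, or None."""
    m = INTEGRATOR_RE.search(command_line)
    return m.group(2).lower() if m else None


def find_unapproved_installs(events):
    """Return (Image, login) for installs whose IntegratorLogin is not approved.

    Events are dicts with Sysmon/EDR-style process-creation fields:
    "Image" (the process) and "CommandLine".
    """
    hits = []
    for ev in events:
        login = extract_integrator_login(ev.get("CommandLine", ""))
        if login is not None and login not in APPROVED_INTEGRATOR_LOGINS:
            hits.append((ev.get("Image", ""), login))
    return hits


# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    # Legitimate enrolment by the IT team's integrator account.
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'msiexec.exe /i C:\Temp\AteraAgent.msi IntegratorLogin=it-admin@example.com CompanyId=12345 /qn'},
    # Same installer, but enrolled to an unknown personal account: this is the
    # pattern the rule is meant to surface.
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'msiexec.exe /i C:\Users\Public\setup.msi IntegratorLogin="john.doe1987@outlook.com" CompanyId=1 /qn'},
    # Unrelated process, no IntegratorLogin present.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c whoami"},
]

if __name__ == "__main__":
    for image, login in find_unapproved_installs(SAMPLE_EVENTS):
        print(f"ALERT: Atera agent enrolled to unapproved integrator {login} via {image}")
```

The equivalent Sigma logic keys on process_creation events whose CommandLine contains "IntegratorLogin=" and then excludes your approved addresses in a filter; the allow-list approach keeps the rule useful in organisations that run Atera legitimately, which is exactly the case the item above describes.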

Misc

  1. Andy Robbins has shared a great Twitter thread that runs you through how to set up Tiered Administration in order to mitigate lateral movement and severity of compromise.
