Welcome to Part 2 of the Weekend Wrap-Up! In case you missed it - Part 1 can be found here.
Last week provided a slew of useful tool updates and technical write-ups, as well as a few freebies and training courses to help you on your way. Enjoy!
Microsoft Patch Tuesday comes with caveats
Reference: Bleeping Computer
Firstly - Exchange. While Microsoft patched several critical, trivially exploitable privilege escalation vulnerabilities in Exchange (CVE-2022-21980, CVE-2022-24477, and CVE-2022-24516), admins have to enable Extended Protection to be fully protected.
If you’re not sure what that is or haven’t enabled it yet - you’ll need to consult this documentation to ensure your particular setup is supported.
The other noteworthy vulnerability that was patched was the DogWalk (CVE-2022-34713) zero-day that has already been exploited in the wild. Will Dormann issued this helpful reminder that the MSDT .diagcab files that underpinned these attacks will continue to run code with a single click, and bypass UAC if run by an admin.
If you don’t have a genuine need for these on your network, it may be worth blocking them - especially when they come with the Mark-of-the-Web - in addition to these extensions.
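A defender-side triage check in the spirit of that advice, added here as an example (it is not code from the original post or from Will Dormann): it lists .diagcab files under the given folders that carry the Mark-of-the-Web, i.e. a Zone.Identifier alternate data stream with ZoneId 3 (Internet) or 4 (Restricted). The scanned paths and the constructed sample file at the bottom are assumptions.

```powershell
# Added example: find .diagcab files that carry the Mark-of-the-Web.
# Browsers and mail clients write a Zone.Identifier stream on downloaded files;
# ZoneId 3 = Internet, 4 = Restricted sites. Locally created files have no stream.
function Get-MotwDiagcab {
    param(
        [Parameter(Mandatory)] [string[]] $Path   # folders or shares to scan (assumed readable)
    )
    foreach ($root in $Path) {
        Get-ChildItem -Path $root -Recurse -File -Filter '*.diagcab' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Missing stream => never marked; -ErrorAction swallows the "stream not found" error.
            $zone = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
            $zoneId  = $null
            $hostUrl = $null
            foreach ($line in @($zone)) {
                if ($line -match '^ZoneId=(\d+)\s*$')  { $zoneId  = [int]$Matches[1] }
                if ($line -match '^HostUrl=(.+)$')      { $hostUrl = $Matches[1] }
            }
            if ($null -ne $zoneId -and $zoneId -ge 3) {
                [pscustomobject]@{
                    Path     = $file.FullName
                    ZoneId   = $zoneId
                    HostUrl  = $hostUrl          # present only when the downloader recorded it
                    Modified = $file.LastWriteTime
                }
            }
        }
    }
}

# Constructed sample so the script runs stand-alone: an empty .diagcab marked as Internet-zone.
$demoDir = Join-Path $env:TEMP 'motw-diagcab-demo'
$sample  = Join-Path $demoDir 'sample.diagcab'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
Set-Content -LiteralPath $sample -Value ''
Set-Content -LiteralPath $sample -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3`r`nHostUrl=https://example.invalid/sample.diagcab"

# Expected: one row for sample.diagcab with ZoneId 3.
Get-MotwDiagcab -Path $demoDir | Format-Table -AutoSize
```

Point the `-Path` argument at user download folders or file shares to get a list of candidates to review or quarantine; files without the stream are not reported.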
(Some) vulnerable UEFI Bootloaders get patches
References: Bleeping Computer | Carnegie Mellon CERT
Microsoft have released patches detailed in their KB5012170 article for two of three 3rd-party UEFI bootloaders, which could potentially be abused by attackers to implement bootkits. By loading before the Operating System does, the malware would be able to survive reboots and re-installation of the OS, and evade detection by antivirus and other security products.
A vulnerable UEFI bootloader created by New Horizon Datasys Inc remains unpatched (CVE-2022-34302), and there are a further 20 vendors whose bootloaders are believed to be vulnerable, but they have neither responded to nor confirmed these findings.
Prolific OEMs including Dell, Google, Lenovo, HP, Acer, and AMD are among those vendors who haven’t responded to, validated, or patched these potentially vulnerable bootloaders. Given the potential scope of impact, it’d be worth contacting your vendor/re-seller for more information if you can.
New PAN-OS DoS vulnerability exploited in-the-wild
Reference: Bleeping Computer
Palo Alto have issued an advisory stating that several versions of PAN-OS present in PA, VM, and CN-Series devices are vulnerable to being hijacked by attackers to conduct amplified TCP DDoS attacks. CVE-2022-0028 is rated a CVSS 8.6, and stems from a flaw in the URL filtering policy that could be abused remotely and without authentication.
That said, exploitation of this vulnerability requires several specific configurations to be present, at least one of which is “unusual and typically results from an administration error”.
This significantly reduces the likely scope of affected deployments and means that, where patches are not yet available, administrators can ensure at least one of the three pre-requisites isn’t met, in addition to applying the recommended packet-based mitigation.
At the time of the advisory being released, patches were only available for PAN-OS versions prior to 10.1.6-h6, with five other release branches yet to be patched.
Offensive
Andy Robbins has casually dropped a six-tweet thread on obtaining Azure AD Password Refresh Tokens to bypass MFA, Conditional Access Policies, etc. A more formal write-up is here;
Check out this blog post and repo for BlueHound, a visualisation framework for Bloodhound results;
The Shhhloader shellcode loader just got a facelift, adding support for module stomping, DLL proxy generation, and a bunch of evasion/obfuscation methods;
PoC code and a write-up for a novel method for payload injection using the Windows Clipboard to get around the need for VirtualAllocEx/WriteProcessMemory, which is often looked for by AV and Malware Analysts;
Struggling to find relevant results using Google alone? Here’s a very thorough list of infosec-focused sites that’ll help you find what you need;
A curated list of professional, public pentest reports for reference if you’re getting writer’s block.
Defensive
It’s been a busy week for YARA tooling & techniques:
PwC’s @BitsofBinary has submitted an LNK module for YARA that’s awaiting a merge;
Avast have shared their YARA Language Server to help with linting, code formatting, code completion and more. More detail here;
Nextron have updated their fork of CyberChef, adding specific enhancements for YARA;
An excellent write-up on how to use YARA to automate the extraction of malware configs;
Palo Alto’s Unit 42 have released dotnetfile, a Python library to help with .NET file analysis;
v4 of Mandiant’s excellent automated binary analysis tool capa has been released with general improvements and support for analysis of .NET executables;
Here’s a list of KQL queries aimed at detecting the BARK use case demonstrated last week that would be a good starting point for creating internal detections;
Red Canary have published a guide to defending against attackers abusing application bundle manipulation for evasion and privilege escalation on macOS endpoints;
Excessive Network Share Permissions are a very common misconfiguration in enterprise environments - this blog post from NetSPI walks through how they are enumerated and exploited using their new tool PowerHuntShares, as well as how to pare back share permissions to mitigate their abuse;
Jared Atkinson from SpecterOps has released Part 3 of his series on Detection Engineering, this time looking at identifying alternate API endpoints for abuse detection;
Nextron have released an update to their AV Event Cheat Sheet - a really helpful source for L1 SOC analysts on triage, and for refining detection rules;
LetsDefend shared a helpful mindmap to help guide your OSINT adventures when looking into Dark Web personas.
DFIR Report has followed up on Unit 42’s analysis of the BumbleBee loader with some analysis of their own, derived from a sample caught in April;
Unit 42 have an excellent write-up on the TTPs of a Cuba ransomware affiliate they call “Tropical Scorpius”, featuring new tools, a new RAT, and a kernel driver aimed at neutering security products;
A detailed timeline and analysis of BazarCall, which is still being used today by Conti splinter groups Silent Ransom, Quantum and Roy/Zeon, according to AdvIntel;
Both Trend Micro & Sekoia have shared detailed write-ups on an APT 27/Emissary Panda campaign, involving the addition of malicious code to the MacOS implementation of a Chinese-language instant messaging app, MiMi. A really interesting read, with multiple staged payloads and apparent victims in Taiwan and the Philippines;
Yet another example of malicious PyPI extensions, aiming to con careless coders out of their creds & API tokens;
The US DOJ sanctioned cryptocurrency tumbler Tornado Cash, followed four days later by the arrest of a suspected developer in the Netherlands. Chainalysis report they were used to launder funds from every hack conducted by DPRK-linked hackers this year;
Need to spin up a domain for a project you don’t expect to carry on for more than a year? Here are a few TLDs you can register for free for the first year:
Looking to get more training & certifications in Azure/GCP? Check out Microsoft’s Virtual Training Days and these GCP courses - both of which come with free certification attempts;
For those looking for some hacking practice - here’s a list of platforms that have you covered.
Finally, to thank you for sticking with me through what was a very dense week of news and updates, here’s something that I’m sure every Blue teamer out there can relate to. Hey, they say variety is the spice of life, right?