Exploiting Hacker Tools, Microsoft “Fixes” Driver Problem, Moles, & Deconflictions – PSW #761
This week in the Security News: rethinking vulnerability severity, exploiting the hacker tools, Microsoft "fixes" the vulnerable driver problem, it's what you do with the data that matters, what is comprehensive security, deconflictions, moles are always a problem, checking the certs, oh and there is a vulnerability in OpenSSL, well at least one that we know of, currently!
Announcements
We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!
Guest
Charles is a Penetration Tester/Red Teamer/Security Researcher with security certifications. He has 20 years of overall IT experience, with the last 8 years in Information Security performing web application, network, and wireless penetration tests. He is a maintainer of the SecBSD Penetration Testing Security Operating System and has appeared on many different podcasts and security conferences.
Charles has a podcast called Positively Blue Team. In his spare time Charles enjoys retro gaming, hanging out with family and friends, and helping other people get into the IT industry.
Hosts
- 1. What is an Individual Validation Code Signing Certificate?
- 2. Stranger Strings: An exploitable flaw in SQLite
- 3. Log4Shell, Spring4Shell, and Now Text4Shell? – Rezilion
- 4. InfoSec Handlers Diary Blog – SANS Internet Storm Center
"I typically rate privilege escalation, like flaws, as important and code execution flaws as critical. Let me know if you disagree with the rating." - Okay, yeah, I disagree. I think that a reliable remotely exploitable vulnerability in a major operating system on a service that is exposed to the Internet, in today's landscape, is a Unicorn, that speaks, well, Unicorn. These things are rare. So rare, it's why 15 years ago (or more) we moved to client-side attacks, that is email phishing and exploiting browsers. My point is that we need to adjust our critical ratings. On a scale of 1 through 10, an RCE in a major OS service exposed to the Internet is an 11. It's not even on the scale. So, sort of like grading on a curve, let's take that out of the equation. This means privilege escalation carries a higher weight because attackers will get in, period.
- 5. Software update for Potential security vulnerabilities in GIGABYTE software
- 6. Exploiting a Flipper Zero
This wasn't earth-shattering research (I don't believe they even got code execution). However, it serves as a warning that we trust our tools way too much. When we run a debugger, a fuzzer, or a SPI programmer, we TRUST that this tool works as it should. Trust but verify. Who is verifying? Who is looking at the code to determine that flashrom hasn't been backdoored and each time I run it the software is now programmed to brick my device? I know I'm talking with the evil bit enabled, but all too often we just implicitly trust that the software we use will operate the way we expect. Unless, of course, it's Linux and you are dealing with audio drivers. Then expectations are really low, like really low...
- 7. CNAME Cloaking: Disguising Third Parties Through the DNS
- 8. Scientists Test “Intelligent” Robot Lasers To Kill Cockroaches
I still don't trust computers to determine if it's a cockroach or it's my foot or my eyeball. I mean, I'm a human and I can't tell if that's a fire hydrant or not to prove I am a human and not a bot...
- 9. Chrome Browser Exploitation, Part 1: Introduction to V8 and JavaScript Internals
This is a great tutorial (though I am not a browser architecture expert, so could be inaccurate but I hope it's not).
- 10. Exploited Windows zero-day lets JavaScript files bypass security warnings
- 11. How an Attacker Can Achieve Persistence in Google Cloud Platform (GCP) with Cloud Shell
- 12. [CVE-2022-1786] A Journey To The Dawn
"Technically, this bug (CVE-2022-1786) is the first bug that I found, analyzed, exploited, and reported alone. This blog is written to commemorate this moment. Thus, this blog will not be in the style of “what is the correct way to exploit the bug”. Instead, it will document all the frustration and excitement in the crazy 7 days that I spent developing the exploit. I hope you will enjoy the ride!" - Great post, I strive to understand all of the technical details.
- 13. Dozen High-Severity Vulnerabilities Patched in F5 Products
- 14. Microsoft fixes driver blocklist placing users at risk from BYOVD attacks
To me, this is still far from fixed. This is more of a promise to streamline the updates: "This has been done, and the “gap in synchronisation across OS versions” has been closed. According to Tech Radar, issues related to blocklist updating will be tackled in “upcoming and future Windows updates”."
- 15. Google announces GUAC open source project on software supply chains
"Google shared a proof of concept of the project, which allows users to search data sets of software metadata. The three explained that GUAC effectively aggregates software security metadata into a database and makes it searchable." - A good first step! Now what queries do we run against this data?
- 16. 4 Ways To Achieve Comprehensive Security
"Commit to a Zero-Trust Strategy, Manage Compliance, Risk, and Privacy, Use a Combination of XDR + SIEM Tools, Using MFA Whenever and Wherever Possible" - Huh, really?
- 17. Hardware Makers Standardize Server Chip Security With Caliptra
- 18. Battle with Bots Prompts Mass Purge of Amazon, Apple Employee Accounts on LinkedIn – Krebs on Security
- 19. Reverse Engineering the Apple MultiPeer Connectivity Framework
- 20. HTTP/3 connection contamination: an upcoming threat?
- 21. Ghostwriter v3.1 Now Available
Interesting: "When performing any offensive assessment work, you are likely to trigger an alert or generate anomalous logs that will get someone’s attention. If the system owner cannot identify you as the source, they will likely reach out to you to deconflict the event. You can now record deconfliction events under a project’s Deconflictions tab."
- 22. Microsoft Office Online Server Remote Code Execution – MDSec
- 23. BlueBleed: Microsoft confirmed data leak exposing customers’ info
- 24. Researchers Warn about PowerShell Backdoor Exploited by Hackers
- 25. Fantastic Rootkits: And Where to Find Them (Part 1)
I'm not bashing CyberArk here; they did an amazing job with this article and have a talented research team, and I have worked with them in the past and have nothing but nice things to say. One thing that gets me is the Windows-centric view of the security world. The title says "Fantastic Rootkits", when it means "Fantastic Windows Rootkits". There are other operating systems, such as Linux, macOS, and many embedded OSes. They run on different hardware too. Most articles seem to focus on Windows on x86. I do see this changing, especially as we use less desktop software (really just a browser for so many). It opens the door for more OSes and different hardware (like ARM), perhaps with better security features and protections against rootkits?
- 26. This is a ransomware hacker’s biggest weakness – CyberTalk
"A REvil insider sent an email – revealing sensitive information about the group’s operations – to a group of security researchers. The researchers then shared this information with law enforcement, which helped lead to the arrests of REvil-affiliated hackers." - This is every criminal's biggest weakness. From the mafia to drug lords, insiders leaking information is often their downfall. Remember the line "Fredo, I know it was you...". Now I can spare you from having to read this article.
- 27. Announcing Jetstack Paranoia: A New Open Source Tool for Container Image Security
This is a great tool! Perhaps an example of one of the most useful security tools out there. I've been ranting about trust, how we just blindly trust things. One of those things is the CA certificate list that comes with our OS or container. Who checks that to make sure there are no expired or revoked certs? In theory, you are supposed to check that, and update it. This is where paranoia comes in (literally and figuratively). It checks the certs in containers and gives us data that we can use to determine if we still trust that cert or CA certificate. Grinds my gears that we have the capabilities that enable us to verify integrity and trust, but we don't complete the loop.
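The check described above, auditing a CA bundle for certificates that have already expired or are about to, as an added Go example. This is not Paranoia's own code; it scans a constructed three-certificate PEM bundle generated inline (an expired root, a healthy root, and one expiring within 10 days) and classifies each certificate's validity window against a chosen "now". Revocation status is deliberately out of scope here because it needs CRL or OCSP data that an offline bundle scan cannot supply.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Finding records the validity status of one certificate found in a bundle.
type Finding struct {
	Subject  string
	Status   string // "expired", "not-yet-valid", "expiring-soon" or "ok"
	NotAfter time.Time
}

// ScanBundle walks every CERTIFICATE block in a PEM bundle and classifies its
// validity window relative to now. Certificates whose NotAfter falls within
// warnWithin are flagged as expiring soon. Non-certificate PEM blocks are
// skipped; an undecodable certificate aborts the scan with an error.
func ScanBundle(bundle []byte, now time.Time, warnWithin time.Duration) ([]Finding, error) {
	var findings []Finding
	rest := bundle
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parsing certificate: %w", err)
		}
		f := Finding{Subject: cert.Subject.CommonName, NotAfter: cert.NotAfter, Status: "ok"}
		switch {
		case now.After(cert.NotAfter):
			f.Status = "expired"
		case now.Before(cert.NotBefore):
			f.Status = "not-yet-valid"
		case cert.NotAfter.Sub(now) < warnWithin:
			f.Status = "expiring-soon"
		}
		findings = append(findings, f)
	}
	return findings, nil
}

// makeSelfSigned builds a self-signed CA certificate with the given validity
// window. It exists only so the example runs offline on constructed input.
func makeSelfSigned(cn string, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// ConstructedBundle returns a sample bundle (constructed, not a real trust
// store): one expired root, one healthy root, one expiring in 10 days.
func ConstructedBundle(now time.Time) ([]byte, error) {
	specs := []struct {
		cn     string
		nb, na time.Time
	}{
		{"Constructed Expired Root", now.AddDate(-10, 0, 0), now.AddDate(0, 0, -1)},
		{"Constructed Healthy Root", now.AddDate(-1, 0, 0), now.AddDate(5, 0, 0)},
		{"Constructed Expiring Root", now.AddDate(-1, 0, 0), now.AddDate(0, 0, 10)},
	}
	var bundle []byte
	for _, s := range specs {
		pemBytes, err := makeSelfSigned(s.cn, s.nb, s.na)
		if err != nil {
			return nil, err
		}
		bundle = append(bundle, pemBytes...)
	}
	return bundle, nil
}

func main() {
	now := time.Now()
	bundle, err := ConstructedBundle(now)
	if err != nil {
		panic(err)
	}
	findings, err := ScanBundle(bundle, now, 30*24*time.Hour)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-26s %-14s expires %s\n", f.Subject, f.Status, f.NotAfter.Format("2006-01-02"))
	}
}
```

To run it against a real container, point ScanBundle at the contents of the image's trust store (for example the file a Debian-based image keeps at /etc/ssl/certs/ca-certificates.crt) instead of ConstructedBundle; the classification logic is unchanged. Anything reported as expired is a certificate the container will still treat as trusted until the bundle is rebuilt, which is exactly the loop the commentary says rarely gets closed.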
- 1. Daixin Team Ransomware Group Actively Targeting Healthcare Sector
“Daixin actors gain initial access to victims through virtual private network (VPN) servers. In one confirmed compromise, the actors likely exploited an unpatched vulnerability in the organization’s VPN server [T1190],” the advisory stated.
“In another confirmed compromise, the actors used previously compromised credentials to access a legacy VPN server [T1078] that did not have multifactor authentication (MFA) enabled. The actors are believed to have acquired the VPN credentials through the use of a phishing email with a malicious attachment.”
Once they have obtained access, Daixin actors can move laterally via Secure Shell (SSH) and Remote Desktop Protocol (RDP). The Daixin Team’s software is likely based on Babuk Locker source code, the advisory explained. The advisory contained detailed indicators of compromise (IOCs) and pictures of common Daixin ransom notes.
CISA, FBI, and HHS urged the healthcare sector to take action to protect against Daixin Team activity. Healthcare organizations should install updates and prioritize patching VPN servers, remote access software, known vulnerabilities, and virtual machine software.
- 2. USPS Forever Stamp Women Cryptologists of WWII
During World War II, some 11,000 women helped to process and decipher an endless stream of enemy military messages. Both frustrating and exhilarating, their work was one of the conflict’s best-kept secrets.
- 1. Passkeys—Microsoft, Apple, and Google’s password killer—are finally here
Microsoft, Apple, Google, and a consortium of other companies have unified around a single passkey standard shepherded by the FIDO Alliance. Not only are passkeys easier for most people to use than passwords; they are also completely resistant to credential phishing, credential stuffing, and similar account takeover attacks.