Application Security This Week for May 17

by Bill Sempf 17. May 2020 12:14

FireEye has an excellent breakdown of a Remote Access Trojan in C# - which is quite a feat given the constraints of the .NET Framework.

https://www.fireeye.fr/blog/threat-research/2020/05/analyzing-dark-crystal-rat-backdoor.html

I have written some C# malware as well; it is not easy, but we are all standing on the shoulders of giants.

https://github.com/lockfale/DotNetAVBypass-Master

 

The inestimably awesome Didier Stevens wrote some incredibly well thought out code that deobfuscates Excel macros.

https://isc.sans.edu/diary/26110

 

Here's some really interesting analysis of malware written for supercomputers.  This is really interesting because these hyperdrive computers do a lot of really useful work with governance data, voting, medicine, and a boatload of other stuff.

https://www.cadosecurity.com/2020/05/16/1318/

 

Hope everyone is staying safe in these weird times.

S


Application Security This Week for May 10

by Bill Sempf 10. May 2020 21:39

Lots of AWS assessments recently, here is a good new tool for IAM checking.

https://github.com/salesforce/cloudsplaining

 

Here is a neat, but not new, one for Azure.

https://github.com/FSecureLABS/Azurite

 

Lotsa code today.  Here's a token reverser to help test password reset functions.

https://github.com/dariusztytko/token-reverser

 

Good article on proxying thick clients.

https://maxfieldchen.com/posts/2020-05-05-proxying-unaware-thick-clients.html

 

Hope everyone had a great Mother's Day.


Application Security This Week for May 3

by Bill Sempf 3. May 2020 07:19

Really awesome article on automating application scanning with OWASP ZAP:

https://www.zaproxy.org/blog/2020-04-09-automate-security-testing-with-zap-and-github-actions/

 

Interesting model on how Chrome extensions can be used for man-in-the-middle attacks.

https://github.com/mandatoryprogrammer/cursedchrome

 

DLL Hijacking is one of those thick-client attacks that everyone dismisses, but they shouldn't.  This is why:

https://itm4n.github.io/windows-dll-hijacking-clarified/

 

Another information disclosure vulnerability - this time through the Referrer header.

https://www.theregister.co.uk/2020/04/30/email_http_leakage/

 

That's the news folks.  Hope everyone is healthy!


The rule of threes

by Bill Sempf 2. May 2020 10:18

In the world of emergency preparedness, which has been a hobby of mine since I was a Scout, there is something called the rule of threes. When I teach Emergency Prep merit badge, I talk about these points:

You can survive:

  • 3 minutes without air
  • 3 hours in severe weather
  • 3 days without water
  • 3 weeks without food

Now, this all sounds very depressing, but it is VERY important.  The fact is, in an emergency, you need to prioritize before anything else.  The first thing you must do is make a list, in order, of shit to do.  Do not, ever, let anyone tell you otherwise.  For instance, in a car wreck, you must first make sure everyone can breathe and isn't bleeding (because that is what gets the air to your organs). Then, if it is winter, you need to get warm.  If there is a tornado, you need to get shelter first, then make sure you have water. 

The one thing I don't tell Scouts is the last point, because it isn't usually something that we have to deal with in the developed world:

  • 3 months without hope

This isn't often talked about, but it is a very important point. In war-stricken areas, or places like Louisiana after Katrina, it has been proven true over and over.  Without hope, mental health has a significant impact on physical health, crime, and overall strife.

We are nearing that threshold in the United States (and elsewhere).

If you are safe, and you have water, and you have food, the clear and present need is to find sources of hope.  Stop watching the news. Prune your lists of who you follow on social media. The Boston Symphony Orchestra is doing stuff online.  The Columbus Museum of Art is holding virtual tours.

I don't talk a lot about mental health but I deal with issues myself. This is gonna bring out some things you didn't know about yourself. Be smart, be safe, consider your risk model, and best to all of you.

 


Application Security This Week for April 26

by Bill Sempf 26. April 2020 11:02

Really great breakdown of exploitation of cache poisoning.

https://samcurry.net/abusing-http-path-normalization-and-cache-poisoning-to-steal-rocket-league-accounts/

 

Further reminder that HTTP is the weakest link.  Exploitation example of HTTP Request Smuggling.

https://honoki.net/2020/03/18/xxe-scape-through-the-front-door-circumventing-the-firewall-with-http-request-smuggling/

 

Extraordinarily hard to exploit, but a really fascinating RCE bug in the Android Bluetooth stack to look at.

https://insinuator.net/2020/04/cve-2020-0022-an-android-8-0-9-0-bluetooth-zero-click-rce-bluefrag/

 

A lot of people have put their online training up for free (for a limited time) like PluralSight.  Here's another one, by Kontra.  I haven't done it yet but it comes highly recommended.

https://blogs.akamai.com/sitr/2020/04/a-brief-history-of-a-rootable-docker-image.html

 

That's it for the news of the week. Everyone stay safe and healthy!

S


Application Security This Week for April 19

by Bill Sempf 19. April 2020 15:27

I Forgot To Post On Easter Because I Was Cooking Edition

 

There is a really neat VMware bug that has some solid analysis already.  Thanks to John from a client of mine for tuning me in to it.

https://www.vmware.com/security/advisories/VMSA-2020-0006.html

https://threatpost.com/critical-vmware-bug-corporate-treasure-hackers/154682/

 

You need to reboot Boeing 787s every couple months or they crash. No big deal. 

https://www.theregister.co.uk/2020/04/02/boeing_787_power_cycle_51_days_stale_data/

 

From the archives (because I just used it on a test): a Command Injection Cheatsheet:

https://hackersonlineclub.com/command-injection-cheatsheet/

 

I was blindingly honored to judge the CBusStudentHack competition this year.  Clearly it was weird, and we had to do it remotely.  It's way easier when you can talk to the young women and men on the teams, but we got it done via video. Here are the five finalists - worth a watch if you want to feel good about the next generation of hackers.

https://www.youtube.com/playlist?list=PLXpk4w_SsmmTJgYwm9OLgVlPkl-aQK_kc

 

Please stay safe and healthy.

 


Application Security This Week for April 5

by Bill Sempf 5. April 2020 08:38

I'm hoping everyone is safe and healthy. This whole thing is weird. But security news marches on.

 

There was a vulnerability discovered in Pi-hole.  If you don't know what it is, don't worry, but if you do, you need to patch right meow.  Either way, neat application security lessons. Good writeup here:

https://natedotred.wordpress.com/2020/03/28/cve-2020-8816-pi-hole-remote-code-execution/

 

Along those lines, there is a vulnerability in OpenWRT. Again, if you aren't using it don't sweat it but cool writeup about the vulnerability:

https://nakedsecurity.sophos.com/2020/03/31/patch-now-critical-flaw-found-in-openwrt-router-software/

 

HTML 6 is coming! See what's new here:

https://morioh.com/p/6d422fc49bd2

 

The incredible Binni Shah tuned me in to two really interesting new C# memory injection tools:

https://github.com/coffeegist/changeling

https://github.com/pwndizzle/c-sharp-memory-injection

 

That's the news. Stay safe, everyone.


Application Security This Week for March 29

by Bill Sempf 29. March 2020 23:03

Unusual challenges ahead.  Remember that with remote working, application security is on the front lines, and there are those out there that don't care about the pandemic crisis or dead people, they just want to steal stuff.

 

Extraordinary article about this exact topic from SANS.  I am not SANS' biggest fan, but this is very good work.

https://isc.sans.edu/diary/rss/25940

 

An error in a font (no I am not kidding) is causing problems.  Check your sites.

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv200006

 

I have stepped away from appsec before in this newsletter, but this is a new bar.  This is a link to free codes for games on Steam to play while you are keeping away from your friends and neighbors.  Let's use the Internet to stay in touch, and KEEP IT RUNNING.  We are on the front lines.

https://docs.google.com/spreadsheets/d/1LoYfg6bI649dPQfevPNZzL2Xm9o4pOH0bUkIrIcWry4/edit#gid=1293924779

 

Please, please stay safe.

S


Application Security This Week for March 22

by Bill Sempf 22. March 2020 12:29

Quarantine edition.

 

Microsoft patches the newest SMB flaw.  Stop using SMB.

https://nakedsecurity.sophos.com/2020/03/16/microsoft-patches-wormable-windows-10-smbghost-flaw/

 

Microsoft bought npm.  This should be interesting.

https://www.windowscentral.com/microsofts-github-acquires-npm-help-javascript-developers

 

There are a ton of folks streaming and running virtual conferences right now. Watch them. I'm watching PancakesCon right now. Even if you are an introvert, it's good for your mental health.

https://tisiphone.net/2020/03/15/pancakescon-2020-quarantine-edition/

 

Keep safe, keep aware.  We are in condition orange. Distance yourself from poisonous people. (and I don't mean ill people)  Help out your neighbors if you can.


Application Security This Week for March 15

by Bill Sempf 15. March 2020 14:21

SMBv3 is borked.  Block port 445.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200005

 

Sometimes I hate the human race.  Someone built a fake COVID-19 map and is using it to spread malware.

https://www.grahamcluley.com/coronavirus-map-used-to-spread-malware/

 

Not an appsec thing but NordVPN got popped - again.

https://www.theregister.co.uk/2020/03/06/nordvpn_no_auth_needed_view_user_payments/

 

Really neat exploit of file upload in web applications that allows NTLMv2 hash theft.

http://www.mannulinux.org/2020/03/abusing-file-system-functions-in-web.html?m=1

 

Another neat finding from a bug bounty with CSRF in a JSON web service.

https://medium.com/@secureITmania/how-i-exploit-the-json-csrf-with-method-override-technique-71c0a9a7f3b0

 

Stay safe - and healthy - folks.


Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.
