SecPro #14: Hacks from Black Hat, Decoding Conti, Mimikatz
In this Issue:
→ Hacks from Black Hat & DEF CON
→ Decoding Conti: Analysis and Recovery
→ Difficulties in Threat Detection: Are We Still Getting it Wrong?
→ Mimikatz Revealed: The Finest in Post-Exploitation
→ Secret Knowledge
→ The Puzzle Section
Hacks from Black Hat & DEF CON
The Hacker Summer Camp 2021 adopted a hybrid format this year, as the restrictions imposed by the ongoing coronavirus pandemic meant that the majority of participants in Black Hat USA 2021 and DEF CON tuned in online rather than turning up in Las Vegas. We look at some of the hacks and tools showcased at the event:
Hacks from Black Hat: Possibly the Most Severe Vulnerability in the History of Microsoft Exchange
Orange Tsai, principal security researcher at Devcore, discovered server-side, client-side, and cryptographic bugs on Exchange’s “new attack surface” and corralled them into pre-auth RCE chains known as ProxyLogon and ProxyShell, along with ProxyOracle, a plaintext password recovery combo.
The implications are serious: Microsoft Exchange Server is widely used by enterprise organizations and government agencies and Tsai found 400,000 internet-facing instances.
Attacking Let’s Encrypt
Researchers from the Fraunhofer Institute for Secure Information Technology showed how the security controls introduced with Let’s Encrypt’s multi-perspective validation feature might be abused.
Apple’s M1 Silicon Brings New Challenges for Malware Defenders
Noted security researcher Patrick Wardle told Black Hat 2021 attendees that catching malware attacks on new macOS systems requires learning the subtleties of the ARM64 architecture. Not long ago it was reported that Windows malware detections were down 24% among business users, while Mac malware detections were up 31%.
Charming Kittens and Black Hats – Hacks from Black Hat
The suspected Iranian threat group called ITG18 (which overlaps with the group known as Charming Kitten) keeps leaving fingerprints behind. At a Black Hat 2021 presentation, researchers described “LittleLooter” as an insidious threat to Android devices. LittleLooter is “functionally rich” and gives ITG18 operators the ability to perform a long list of actions on an infected Android device, including but not limited to: recording video, calling a number, recording the live screen, uploading/downloading/deleting a file, recording sound, listing storage information, and recording voice calls. Read this not-so-charming report.
The Arsenal track at Black Hat was replete with dozens of new hacking tools and frameworks. Here are some highlights from this year:
- WARCannon – Open source tool makes grepping the internet for web vulnerabilities simpler, faster, and cheaper.
- Enfilade – Open source tool that flags ransomware and bot infections in MongoDB instances.
- USBsamurai – Malicious USB cable leaves air-gapped networks open to attack.
- Scrapesy – Credential leak detection tool aims to reduce incident response times.
- Top Hacks from Black Hat and DEF CON 2021
- All of the DEF CON 2021 videos are posted here
- Winners of the 2021 Pwnie Awards
Ransomware News & Analysis
Decoding Conti: Analysis and Recovery
Conti has been on everyone’s lips since the Irish healthcare system takedown (if everyone you know is a malware geek). Running as a Ransomware as a Service affiliate program, the Conti ransomware has infected, encrypted, and held high-profile data to ransom.
The ransomware gang is evidently experienced. Military-grade encryption, no known vulnerabilities, and ready to leak data make for a nasty combination.
Conti Ransomware Analysis
This RaaS comes with a number of features that differentiate it from other ransomware samples.
Conti spreads through a network quickly using 32 concurrent threads and can launch both manually and without human interaction. The binary is stored remotely on the command and control server, making it difficult for security teams to analyze the code at all.
So far, the Conti ransomware has infected systems through one of three methods:
- An open RDP port
- An email phishing attack
- Exploiting a security vulnerability
The ransomware also obfuscates the source of infection, meaning that it is difficult to identify how the threat entered the system.
Stage One: Loading Into Memory
When the malware has entered the system, it launches a Cobalt Strike DLL that allocates space in memory to load the malicious code from the C&C server.
At this point, the ransomware is undetectable to the victim.
Stage Two: Full-Scale Encryption
Using a sample Cobalt Strike (CS) profile script from GitHub (trevor.profile), the ransomware connects to Menus.aspx on the C&C server. From here, two payloads reach the computer:
- Instructions for the reflective DLL loader
- Contact is made with 312-s-fourth-st.html on the C&C server, where the ransomware binary is hosted
When the contact has been made, the malware encrypts selected file types on the system. Identifying the affected files is easy – all affected files have .CONTI attached to the extension.
Note that even if the malware cannot contact the C&C servers, it will still begin encrypting data, because it only needs the RSA public key to do so.
The infection also reaches network segments that have no internet connectivity. This means the infection can go undetected even after encryption has begun, which has been unique amongst ransomware attacks.
Conti encrypts files with AES-256 and uses an RSA-4096 public key that is unique to every victim (identified by an ID number in the CONTI.readme.txt file that is placed on the desktop after files are encrypted). This level of encryption means there have been no successful attempts at decrypting affected files without the Conti tools.
When all data has been encrypted, a text file, CONTI.readme.txt, is saved onto the desktop.
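The two on-disk indicators described above (the .CONTI suffix and the CONTI.readme.txt note) are simple to hunt for. The following detector is an added example, not part of the original newsletter or of any vendor tool; it runs over a constructed file-event log and flags a host either when the ransom note appears or when several files gain the .CONTI suffix inside a short window, which is the mass-encryption pattern a defender wants to catch early.

```python
"""Flag Conti-style encryption activity in a file-event log (constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators named in the analysis above.
CONTI_SUFFIX = ".CONTI"
CONTI_NOTE = "CONTI.readme.txt"

# Constructed sample log, one event per line: "<ISO time> <host> <action> <path>".
SAMPLE_LOG = """\
2021-08-10T09:00:01 ws01 create C:\\Users\\jdoe\\report.docx
2021-08-10T09:05:10 ws01 rename C:\\Users\\jdoe\\report.docx.CONTI
2021-08-10T09:05:11 ws01 rename C:\\Users\\jdoe\\budget.xlsx.CONTI
2021-08-10T09:05:12 ws01 rename C:\\Users\\jdoe\\notes.txt.CONTI
2021-08-10T09:05:13 ws01 create C:\\Users\\jdoe\\Desktop\\CONTI.readme.txt
2021-08-10T09:07:00 ws02 rename C:\\Share\\old.bak.CONTI
"""


def parse_line(line):
    ts, host, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, action, path


def detect_conti(log_text, burst=3, window=timedelta(seconds=60)):
    """Return {host: [reasons]} for hosts showing Conti indicators.

    A host is flagged when the ransom note is written, when at least `burst`
    files gain the .CONTI suffix inside `window` (mass encryption), or, at
    lower confidence, when a single file gains the suffix.
    """
    renames = defaultdict(list)
    findings = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, action, path = parse_line(line)
        if path.endswith(CONTI_NOTE):
            findings[host].append(f"ransom note written: {path}")
        if action == "rename" and path.upper().endswith(CONTI_SUFFIX):
            renames[host].append(ts)
    for host, times in renames.items():
        times.sort()
        for i in range(len(times) - burst + 1):
            if times[i + burst - 1] - times[i] <= window:
                findings[host].append(
                    f"{burst} files renamed to {CONTI_SUFFIX} within {window.seconds}s")
                break
        if host not in findings:  # single rename, no note: still worth a look
            findings[host].append(f"file renamed to {CONTI_SUFFIX}")
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in detect_conti(SAMPLE_LOG).items():
        print(host, "->", "; ".join(reasons))
```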
The readme file contains instructions on how to pay the ransom and receive the decryption tool. (Quite kindly, the team says that you can have two files decrypted for free – what a wholesome ransomware gang!)
The file contains a link to the .onion site, a unique ID, and a password for navigating to the Conti recovery service portal. Here, the victim can negotiate the extortion with the attackers and receive the decryption tool.
At present, there are no known flaws in the code. Exploiting the malware has proved unsuccessful, meaning that recovering data from affected devices requires victims to make a payment.
As with most ransomware attacks, the best defenses are the ones implemented beforehand. Backups, system updates, and end-user training to avoid phishing are the only known ways to stop this ransomware in its tracks.
At present, recovery from the Conti ransomware is impossible without paying the ransom to receive decryption tools. Using the CONTI.readme.txt, the victim needs to access the attackers’ onion link to send the payment and receive the decryption tool.
The Conti team also uses this portal to leak information about organizations that were infected but refused to pay or attempted to decrypt the files themselves. Even a full restore of all devices might not be enough to avoid losing money to ransomware gangs using this RaaS.
A disgruntled member of the Conti team leaked information about the group to a darknet forum. The leak appears legitimate; you can see the tweet here.
Included are IP addresses for the C&C servers and an effective “how-to” guide for affiliate attackers. It will be interesting to see in the coming days what information can be gleaned from these leaks.
- SentinelOne – Understanding Ransomware Development as a Response to Detection
- Sophos – Conti Ransomware: Evasive by Nature
- Coveware – Conti Ransomware
- Proven Data – Conti Ransomware (Analysis and Recovery Options)
- Conti Ransomware Gang Playbook Mentions MSP Software
Difficulties in Threat Detection: Are We Still Getting it Wrong?
I recently stumbled upon Anton Chuvakin’s article How to Make Threat Detection Better? and it made me think: which aspects of threat detection and response are we getting wrong?
70% of security professionals say that they are under pressure to improve detection and response. But has adopting Managed Detection and Response (MDR) platforms and the like been better than simply hunting for threat intelligence? I hope so – we’ve been relying on SIEMs for over 20 years!
The truth is that threat detection is tough. How do we improve our security operations on the ever-expanding attack surface without overloading the cybersecurity team? That’s the big question that needs an answer.
The Big Problems For Detection and Response
Cybersecurity teams face challenges when configuring detection and response. An over-reliance on dumb tools, a lack of context, and having to juggle a variety of old technology can leave security analysts in trouble.
Outsourcing The Problem Away
I get that some cybersecurity teams employ third-party tools. It’s easier to use a solution from a reputable MDR platform or even an “out-of-the-box” SIEM tool. As a starting point, they’re actually very effective tools.
But these standard security solutions miss one clear aspect – are the tools set up to deal with the local needs of an organization? The answer is often a resounding “no”.
Context-less Threat Detection
What use is your threat detection method if it doesn’t account for context? Context is king for effective security processes.
Tuning your detection software to search for malware and other threats that are relevant to your organization is a necessary step. A dumb anti-virus or SIEM will not protect an enterprise – it needs significant input from security professionals to deliver necessary alerts.
Accidental Headless Chicken Approach
If you lack context in your detection processes, you can end up like headless chickens – battling against the wave of adversaries but still falling victim to big attacks. If our current methods are so effective, why are world powers buckling under ransomware attacks?
Our methods are not adequate as is. Security professionals are often left at the mercy of the stacks of legacy hardware and software, but how do they correct this problem?
Detection Done Right
Effective Detection Declarations
If the system detects something, it needs to declare it. Seems obvious, right? For many organizations, this just isn’t true.
Test, test, and test again. That’s central to writing effective rules and creating better responses. If an organization doesn’t regularly test and update its responses, how can it be sure that the processes work?
Understanding the Adversary
Threat detection doesn’t work if you don’t know what you are trying to detect. Security teams need to ask themselves two questions about their approach to threats:
What does the threat actor know?
If you know neither the enemy nor yourself, you will succumb in every battle.
– Sun Tzu
Knowing your enemy is of critical importance, especially when you need to know what they know. Understanding what adversaries know about your enterprise can help you to write better rules.
What is the threat actor’s goal?
When you know what they know, how can you tell what they’re going to do? Identifying the goals of the attacker is central to collecting useful telemetry – for example, what needs to be hardened first? Databases, potential vulnerabilities, or credentials?
When cybersecurity professionals can collect this data, the threat response will be much more effective. Threat detection teams need to work with hunters – threat detection is nothing without threat intelligence.
How Do We Improve Our Threat Detection and Response?
Threat detection is hard, no one is denying that. But security teams that have not prepared for the challenges that threat detection and response procedures bring are setting themselves up to fail.
It is easy to accidentally over-rely on SIEMs, anti-viruses, and EDR tools, especially in smaller-scale environments. But adding local context and using threat intelligence to strengthen your position is key to effective threat detection.
Mimikatz Revealed: The Finest in Post-Exploitation
If you’re new to Mimikatz, here’s some context. Mimikatz is a Metasploit post-exploitation module used to gather credentials and perform a range of operations as part of pentesting exercises. It was born out of a well-known weakness in the Windows authentication function called WDigest.
The main functions of Mimikatz include:
- Extracting passwords from memory: When run with admin or system privileges, attackers can use Mimikatz to extract plaintext authentication tokens — passwords for example — from the LSASS process running in system memory.
- Extracting Kerberos tickets: Using a Kerberos module, Mimikatz can access the Kerberos API, allowing for several different Kerberos exploits that use Kerberos tickets that have been extracted from system memory.
- Extracting certificates and private keys: A Windows CryptoAPI module enables Mimikatz to extract certificates, and their private keys, stored on the victim system.
Mimikatz Attack Vectors
- Pass-the-hash: NTLM authenticates with password hashes rather than the passwords themselves, so a user can authenticate repeatedly without re-entering the password. The flip side is that a stolen hash can be presented in place of the password.
- Pass-the-Ticket: The Kerberos system is a network authentication protocol that works based on tickets that allow nodes communicating over a network to verify their identity to one another. Mimikatz can obtain these tickets from the account of a user and uses them to access the system as this user.
- Kerberos Golden Ticket: This forges a ticket using the Key Distribution Center service account (KRBTGT), which encrypts all authentication tickets, granting domain-administrator-level access to any computer in the network.
- Kerberos Silver Ticket: This Windows functionality provides users with a ticket that grants access to several services within a network. It lets a would-be attacker impersonate a network user.
- Pass the key: Provides a unique key, which is used for authentication on a domain controller. An attacker can then use this key multiple times to impersonate a user.
- Pass-the-Cache: This attack doesn’t take advantage of Windows. A pass-the-cache attack is generally the same as a pass-the-ticket, but this one uses the saved and encrypted login data on a Mac/UNIX/Linux system.
Getting Started with Mimikatz
Let’s start by looking at different Mimikatz modules:
1. Start by getting a Meterpreter shell and escalating privileges to SYSTEM. This is a precondition for using Mimikatz.
2. In the latest version of the Metasploit Framework, Mimikatz has been replaced by “kiwi”. The next step is to load the kiwi module.
3. Now let’s look at the different commands of kiwi by running the command “help kiwi”.
4. We can dump all credentials in plaintext by running the creds_all command. This captures all of the credentials in RAM and displays them on the screen.
5. Kiwi also has native commands that can help you dump credentials in plaintext. If we want to retrieve the Kerberos credentials, we simply need to run: creds_kerberos
6. Similarly, we can retrieve Windows MSV (the Windows password authentication package) credentials by running: creds_msv
7. SAM and LSA secrets can be dumped by running the lsa_dump_sam and lsa_dump_secrets commands.
Pass the Hash
In this method, Mimikatz extracts the password hashes from the LSASS.exe process memory, which stores hashes for users with active sessions on the computer. For a pass-the-hash attack, we run the following command: kiwi_cmd "privilege::debug" "log passthehash.log" "sekurlsa::logonpasswords".
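Because every technique in this section starts by reading credential material out of LSASS memory, a handle opened on lsass.exe with memory-read rights by an unexpected process is the signal defenders key on. The detector below is an added example, not code from the newsletter or from Mimikatz; it runs over constructed records shaped like Sysmon Event ID 10 (ProcessAccess) fields, and the allowlist of legitimate LSASS readers is an assumption to be tuned per environment.

```python
"""Flag unexpected processes opening LSASS with memory-read rights (constructed data)."""

# Windows process access rights relevant to credential dumping.
PROCESS_VM_READ = 0x0010               # required to read credential material out of LSASS
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000  # harmless on its own (e.g. enumeration)

# Assumed allowlist of processes expected to touch LSASS; tune for your environment.
ALLOWLIST = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\csrss.exe",
}

# Constructed records modelled on Sysmon Event ID 10 fields; not real telemetry.
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1FFFFF", "User": r"NT AUTHORITY\SYSTEM"},
    {"SourceImage": r"C:\Users\jdoe\Downloads\update.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1010", "User": r"CORP\jdoe"},
    {"SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1010", "User": r"NT AUTHORITY\SYSTEM"},
    {"SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1000", "User": r"NT AUTHORITY\SYSTEM"},
    {"SourceImage": r"C:\tools\m.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe",
     "GrantedAccess": "0x1010", "User": r"CORP\jdoe"},
]


def is_suspicious_lsass_access(event):
    """True when a non-allowlisted process opens lsass.exe with PROCESS_VM_READ."""
    if not event["TargetImage"].lower().endswith("\\lsass.exe"):
        return False
    if event["SourceImage"].lower() in ALLOWLIST:
        return False
    granted = int(event["GrantedAccess"], 16)
    return bool(granted & PROCESS_VM_READ)


def triage(events):
    """Return the source images of all events worth an analyst's attention."""
    return [e["SourceImage"] for e in events if is_suspicious_lsass_access(e)]


if __name__ == "__main__":
    for image in triage(SAMPLE_EVENTS):
        print("suspicious LSASS access by", image)
```

The query-only access on svchost.exe and the access to a non-LSASS target both stay quiet, while the unsigned binary in a Downloads folder with read rights is the one hit.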
Kerberos Golden Ticket
A golden ticket in Active Directory grants the bearer unlimited access. The security of the Kerberos protocol is rooted in the use of shared secrets to encrypt and sign messages.
Once an attacker has compromised the krbtgt hash, they get access to the golden ticket. Using it, they can create new Kerberos tickets as if they were Active Directory itself, such as issuing tickets for users that don’t exist, adding users to groups in which they don’t belong, or issuing tickets with lifetimes far beyond the configured maximum. The adversary is Active Directory themselves and can access any resource they choose.
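The paragraph above lists three invariants a forged golden ticket tends to break: the client account may not exist, the group memberships may not match the directory, and the lifetime may exceed the configured maximum. The checker below is an added example, not part of the newsletter or of any product; it compares constructed ticket records against a constructed directory snapshot, and the 10-hour maximum lifetime is an assumed policy value that should be read from your own domain settings.

```python
"""Check Kerberos ticket records against directory state and lifetime policy (constructed data)."""
from datetime import datetime, timedelta

# Assumed policy: maximum ticket lifetime of 10 hours (read the real value from your GPO).
MAX_TICKET_LIFETIME = timedelta(hours=10)

# Constructed directory snapshot: account -> groups the account actually belongs to.
DIRECTORY = {
    "jdoe": {"Domain Users"},
    "svc_backup": {"Domain Users", "Backup Operators"},
}

# Constructed ticket records, as a KDC audit feed or endpoint agent might report them.
TICKETS = [
    {"client": "jdoe", "start": "2021-08-10T08:00:00", "end": "2021-08-10T18:00:00",
     "groups": {"Domain Users"}},
    {"client": "jdoe", "start": "2021-08-10T08:00:00", "end": "2031-08-08T08:00:00",
     "groups": {"Domain Users", "Domain Admins"}},
    {"client": "ghost", "start": "2021-08-10T08:00:00", "end": "2021-08-10T18:00:00",
     "groups": {"Domain Admins"}},
]


def check_ticket(ticket, directory=DIRECTORY, max_life=MAX_TICKET_LIFETIME):
    """Return a list of invariant violations; an empty list means the ticket looks legitimate."""
    problems = []
    known_groups = directory.get(ticket["client"])
    if known_groups is None:
        problems.append("client account does not exist in directory")
    lifetime = datetime.fromisoformat(ticket["end"]) - datetime.fromisoformat(ticket["start"])
    if lifetime > max_life:
        problems.append(f"lifetime {lifetime} exceeds policy maximum {max_life}")
    if known_groups is not None:
        extra = ticket["groups"] - known_groups
        if extra:
            problems.append("ticket claims groups not in directory: " + ", ".join(sorted(extra)))
    return problems


def suspicious_tickets(tickets):
    """Return the client names of tickets that violate at least one invariant."""
    return [t["client"] for t in tickets if check_ticket(t)]


if __name__ == "__main__":
    for t in TICKETS:
        print(t["client"], check_ticket(t) or "ok")
```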
Kerberos Silver Ticket
Similar to a golden ticket, a silver ticket attack begins by compromising credentials and abusing the design of the Kerberos protocol. However, unlike a golden ticket, a silver ticket only allows an attacker to forge ticket-granting service (TGS) tickets for specific services. TGS tickets are encrypted with the password hash for the service – therefore, if an adversary steals the hash for a service account, they can create new TGS tickets for that service.
Bypassing Detection of Mimikatz
Mimikatz is an open-source security research tool. Due to its source code being available on GitHub and the creator releasing “YARA” rules for antivirus engines to be able to detect its malicious use, Mimikatz rarely executes in corporate networks or systems with even basic protection.
Bypassing these protection mechanisms is not straightforward since anti-malware is one of the foundations of a secure environment. However, minor tweaks to the source code can reduce the detection rates by a great deal for usage in Red-Team engagement scenarios.
Disclaimer: Ensure you only pentest and exploit systems and networks that you own or have legal permissions to do so.
Secret Knowledge
Discover useful security resources, cheatsheets, hacks, one-liners, and open-source CLI/web tools.
- Offensive Security – true performance-based penetration testing training for over a decade.
- Hack The Box – an online platform allowing you to test your penetration testing skills.
- Hacking-Lab – online ethical hacking, computer network, and security challenge platform.
- pwnable.kr – non-commercial wargame site which provides various pwn challenges.
- Pwnable.tw – a wargame site for hackers to test and expand their binary exploitation skills.
- curl – a command-line tool and library for transferring data with URLs.
- kurly – an alternative to the widely popular curl program, written in Go.
- HTTPie – a user-friendly HTTP client.
- wuzz – an interactive CLI tool for HTTP inspection.
- h2spec – a conformance testing tool for HTTP/2 implementations.
- SELinux – a flexible Mandatory Access Control (MAC) system built into the Linux kernel.
- AppArmor – proactively protects the operating system and applications from external or internal threats.
- grapheneX – automated system hardening framework.
- DevSec Hardening Framework – Security + DevOps: automatic server hardening.
- strace – diagnostic, debugging and instructional userspace utility for Linux.
- DTrace – a performance analysis and troubleshooting tool.
- ltrace – a library call tracer, used to trace calls made by programs to library functions.
- ptrace-burrito – a friendly wrapper around ptrace.
- perf-tools – performance analysis tools based on Linux perf_events (aka perf) and ftrace.
Kernel Pwning with eBPF: A Love Story – a super detailed write-up by Grapl’s Valentina Palmiotti covering eBPF basics and verifier internals, exploiting CVE-2021-3490 for local privilege escalation, debugging eBPF bytecode, exploitation techniques for DoS, info leak, and LPE, and the weaknesses that remain in eBPF.
The Puzzle Section
Check your knowledge. Select the best response to the following questions:
1) X.509 certificates are stored on the operating system. A macOS operating system will store the certificates in a virtual _.
- a. MMC snap-in
- b. OCSP
- c. Keychain
- d. CRL
2) True or False: Amazon S3 server access logging is enabled by default.
3) _ is a technology used to securely access remote hosts. When using this type of VPN, once the client and server are connected, you will interface with the host using the CLI.
- a. PPTP
- b. ISAKMP
- c. IKE
- d. SSH
*Clue: Answers are at the end of the newsletter.
Special thanks to Austin Miller and Karl Gilbert.
Cheers. And thanks for reading!
Until next week,
Answers: 1) c. Keychain 2) False 3) d. SSH