Ngrok Abused

Cybercriminals have been using ngrok—a cross-platform application to expose local development servers to the internet, for malicious purposes for years now.

An organization was targeted by a keylogger, where malicious actors installed a copy of the ngrok tool to obtain specific details about the environment.

Crispy Recent campaigns

  • Recently, threats actors were seen using ngrok to expose several machines within the victim’s networks, making them visible to the outside world.
  • It is believed that the attackers had three requirements: ngrok installed on the internal machine; an administrator account; and the ngrok server domain and port, already in place.
  • Since the attacker had the knowledge of the ngrok-assigned public address, it could connect to the compromised system at any time.

How it’s been used

The service can be abused by threat actors to get unauthorized access to the targeted network, download payloads, exfilteration of data, and crafting unique URLs. In addition, the tunneling service allows cybercriminals to evade detection. It can generate random URLs, making it harder to track, detect, or block.

Recent attacks using the ngrok tool

  • An Iran-based APT Pioneer Kitten was found selling network credentials of corporates on hacker forums. The group is known for its regular use of ngrok.
  • Fox Kitten was observed attacking the US private and government sector. The group is known for using ngrok to target on-premise BIG-IP devices.

Way to mitigate

Organizations must be aware of ngrok and other tunneling services, as these services can be abused by hackers. Experts suggest that organizations using tunneling services should have a secure authorization mechanism for every access level, and its setup should include approval from security teams. In addition to this, the tunnel should be password-protected and IP whitelisting should be enabled.

Windows 10 Sandbox has a Vulnerability inside

A researcher discovered a new zero-day vulnerability in most Windows 10 editions, which allows creating files in restricted areas of the operating system.

Exploiting the flaw is trivial and attackers can use it to further their attack after initial infection of the target host, albeit it works only on machines with Hyper-V feature enabled.

An unprivileged user can create an arbitrary file in ‘system32,’ a restricted folder holding vital files for Windows operating system and installed software.

However, this works only if Hyper-V is already active, something that limits the range of targets since the option is disabled by default and is present in Windows 10 Pro, Enterprise, and Education.

Hyper-V is Microsoft’s solution to creating virtual machines (VM) on Windows 10. Depending on the physical resources available on the host, it can run at least three virtual instances.

Given sufficient hardware resources, Hyper-V can run large VMs with 32 processors and 512GB of RAM. An average user user may not have a use for such a virtual machine but they may run Windows Sandbox, an isolated environment for executing programs or loading websites that are not trusted, without risking to infect the normal Windows operating system.

Microsoft introduced Windows Sandbox with the May 2019 Update, in Windows 10 version 1903. Turning on this feature automatically enables Hyper-V.

To demonstrate the vulnerability researchers created in \system32 an empty file named phoneinfo.dll. Making any changes in this location requires elevated privileges but these restrictions are irrelevant when Hyper-V is active.

The creator of the file is also the owner, an attacker can use this to place malicious code inside that would be execute with elevated privileges when needed.

CERT/CC vulnerability analyst Will Dormann confirmed that the vulnerability exists and that exploiting it requires literally no effort from an attacker on the host.

Although this vulnerability is easy to exploit there are more dangerous issues in Windows 10 that Microsoft should address. This is one reason he decided to make it public and not report it through Microsoft’s bug bounty program.

CVE 2020-1472 – Exploit goes wild

The CVE-2020-1472 flaw is an elevation of privilege that resides in the Netlogon. The Netlogon service is an Authentication Mechanism used in the Windows Client Authentication Architecture which verifies logon requests, and it registers, authenticates, and locates Domain Controllers.

“An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC).

An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network.” reads the advisory published by Microsoft.

“To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.”

“By forging an authentication token for specific Netlogon functionality, he was able to call a function to set the computer password of the Domain Controller to a known value. After that, the attacker can use this new password to take control over the domain controller and steal credentials of a domain admin.”

“The vulnerability stems from a flaw in a cryptographic authentication scheme used by the Netlogon Remote Protocol, which among other things can be used to update computer passwords.”

An attacker could exploit the vulnerability to impersonate any computer, including the domain controller itself, and execute remote procedure calls on their behalf.

An attacker could also exploit the flaw to disable security features in the Netlogon authentication process and change a computer’s password on the domain controller’s Active Directory.

“By simply sending a number of Netlogon messages in which various fields are filled with zeroes, an attacker can change the computer password of the domain controller that is stored in the AD. This can then be used to obtain domain admin credentials and then restore the original DC password.”

“This attack has a huge impact: it basically allows any attacker on the local network to completely compromise the Windows domain. The attack is completely unauthenticated”

The ZeroLogon attack could be exploited by threat actors to deliver malware and ransomware on the target network.

The only limitation on how to carry out a Zerologon attack is that the attacker must have access to the target network.

Researchers released a Python script that uses the Impacket library to test vulnerability for the Zerologon exploit, it could be used by admins to determine if their domain controller is still vulnerable.

August 2020 Patch Tuesday security updates only temporarily address the vulnerability making Netlogon security features mandatory for the Netlogon authentication process. This has the severity score of 10

Shlayer Malware targets MacOs

A new Shlayer macOS malware variant which obfuscates itself to sneak past security tools and compromise a target machine.

Dubbed ‘ZShlayer’, the variant does not conform to the original Shlayer signatures, meaning that it can go unnoticed by some malware scanners.

Earlier versions of the original Shlayer malware came as shell script executables on a removable .DMG disk image. This new variant comes using a standard Apple application bundle inside the .DMG.

A new variant of Shlayer utilizes heavily obfuscated Zsh scripts and is in fact far more prolific in the wild.

Fortunately, it seems that ZShlayer infections are currently isolated to users who have downloaded illicit software outside of Apple’s official App Store ecosystem.

Most ZShlayer droppers that I saw are in trojanized cracked software, so the usual caveat applies about avoiding downloading pirated versions of products.

Shlayer, malware which poses as an Adobe Flash software update before infecting Apple operating systems, was first discovered back in February 2019.

The attack represents what’s thought to be the first time that malicious code has gained Apple’s notarization “stamp of approval”.

Apple responded promptly to reports of malfeasance by revoking the developer code-signing certificate abused in the Shlayer-slinging campaign.