Razer Privilege Escalation Vulnerability

“And I looked and behold a pale horse: and his name that sat on him was Death, and Hell followed with him.”

Firstly, Kudos to @j0nh4t for finding this!

I woke up this morning to see twitter fun with a LPE discovered in the Razer driver installation. Basically, when you plug a Razer mouse into a Windows machine, it will download (via windows update) and execute a process as system which has user interaction. This interface includes an install path selector, with this a right click + SHIFT (LULZ) on whitespace will allow you to launch a command prompt/PowerShell window (as SYSTEM).

Why are ransomware attacks so devastating? – Part 1

Introduction

“Ransomware is a major issue!”

Hang on maybe we need to re-phrase that:

“Weak security postures are a major issue!”

or perhaps.. why not both!

I’ve been working with digital technology management for over 20 years, I started out when I was a kid (literally) fixing people’s PCs in their offices, removing malware, improving configurations, writing batch file menus, and playing games. As time has gone on technology has shrunk and continually become more and more of our everyday lives.

Back in 2003 I responded internally to MSBlaster, an SMB worm that had a devastating effect for the time, by today’s standards it was child play, however I remember saying “it’s a good job it didn’t delete everything whilst it was here.” (Or something very similar. Post NACHI/Blaster my friends and I were talking about how worse it could get. Fast forward in time and it’s much worse. Yet when I look at networks, they don’t look very different to how they did back in the 2000s.

Despite a multi-billion-dollar cyber security industry, it seems daily that organisations are succumbing to “cyber-attacks” which commonly include ransomware. Why are they successful and why are they so impactful? Well, let’s take a look! Read more “Why are ransomware attacks so devastating? – Part 1” →

Dumping Credentails with MIMIKATZ and Passing the Hash (PTH)

I kid you not, I forget the commands, so I thought, hey let’s write a small blog post on credential dumping and pass the hash.

To achieve this we need: Debug privileges on a single machine or we need access to a disk that does not have full disk encryption. We also need the password to be re-used.

Mimikatz

Ok for this demo I’m going to run with the out of the box release for Mimikatz on a domain joined windows PC with Defender disabled.

To gain system we launch mimikatz from an admin shell and run:

privilege::debug

token::elevate

Now we are SYSTEM we access a range of high privilege level areas. Read more “Dumping Credentails with MIMIKATZ and Passing the Hash (PTH)” →

From Zero to DA using ‘PetitPotam’

Introduction

Whilst I was on ‘holiday’ (seriously even when on holiday I almost always must do some work!) a few Windows vulnerabilities were published. Great work by Gilles Lionel, Benjamin Delpy and many many others!

Lab Setup

A Domain Controller
A Separate ADCS Install with Web Enrolment or two DCs one with ADCS installed.
A windows Client Device (non-domain joined)
An attacker device (I used Kali)

You do not need any domain credentials to conduct this exploit chain, so from a network adjacent unauthenticated position you can get DA with the right circumstances (default configuration). Read more “From Zero to DA using ‘PetitPotam’” →

Ransomware Realities

Everything is much worse now, or is it?

”The world is burning, the world is burning but then if you look around, it always has been…”

Computer systems and security go together much like chalk and cheese! Probably sounds a bit odd but miniaturization, consumerization and mobility have put more technology out in the world than we can really comprehend, yet technology security is still dramatically overlooked by most organizations.

The insane pace of change, the drive for faster, better, cheaper and the reality that it probably isn’t a stretch to say most people (and organizations) do not really understand what ‘secure’ or ‘hardened’ looks like.

Ransomware Defence: Part 2a – Persistence, Privilege Escalation and…

Recap

In Part 1 (Initial Access Defence and Checklist) we looked at ways of hardening your attack surface to defend against initial access. When it comes to ransomware there is a range of elements and variables in the kill chain that need to be successful for the outcomes to be achieved by the criminals. Here we are going to move further into the kill chain to look at further defences. Remember you need to have an “Assume Breach” mindset if you are going to be able to defend against ransomware, that being said, there is a hell of a lot of things you can do for 0 to low investment costs that provide a great ROI. Now some of this is going to be repeated guidance from part 1, that’s ok repetition is good (make sure you are covered from multiple perspectives). Ok let us get to it! Read more “Ransomware Defence: Part 2a – Persistence, Privilege Escalation and Lateral Movement” →

My MSBlaster Story

We looked after about 3-3500 endpoint devices. We were running Windows servers/clients and we leveraged technologies such as:

Dameware Tools
Remote Desktop Protocol
GFI LanGuard
RCP/SMB/WMI
McAfee Antivirus

Following a Kill Chain – Defending against Babuk group’s…

Washington Police Department Pwn3d by Ransomware Group Babuk

So it’s all over the news outlets, a police department (Washington DC PD) has been hit by a ransomware syndicate, Babuk. So firstly, let’s be realistic everyone can get pwn3d and at this time our thoughts go out to those affected and to the teams working the response. Being hit by ransomware is NOT fun and not something we would wish upon anyone. That being said this isn’t an ambulance chase, what I want to do hear is look at the TTPs from Babuk in a bit more detail so hopefully we can help inform and educate people so they can strengthen their security postures.

References

https://news.sky.com/story/russian-hackers-target-washington-dc-police-department-in-apparent-ransomware-attack-12288183

https://www.theregister.com/2021/04/27/washington_dc_police_ransomware/ Read more “Following a Kill Chain – Defending against Babuk group’s TTPs” →

ProxyLogon – A god mode backdoor even when used…

Imagine

Imagine being able to read emails from any mailbox from a corporation! But everyone uses office 365… don’t they? Well ok even if that was the case (It’s not) then the RCE would come into play. An RCE into system level access to Exchange which is so heavily tied to active directory they are almost joined at the hip) is a killer foothold. However, you pain the scenarios they aren’t good!

All knowing and all powerful

Imagine if you could read everyone’s email! What could you do with this?

Steal IP
Steal data
Steal credentials
Extort, blackmail and bribe

The SSRF vulnerability enabling a threat actor to gain unauthenticated read access to mailboxes would be a killer tool for both nation state spies and criminals alike. Read more “ProxyLogon – A god mode backdoor even when used with READ only” →

Thoughts on IOCs for Exchange Hafnium/ProxyLogon

Intro

This isn’t a rant, far from it but I’ve been working on this for over a week now and some major questions are sprining to mind with regard to how the IOCs and detection details released may have hindered response efforts. These vulnerabilities were known about since at least December 2020, there were months to get detection intel and scripts/tools ready for people (that’s if you don’t question why did it take so long). So I’ve put some of my thoughts down here on some of the challenges with the IoCs initially released and the detection tools etc. I’ll probably update this later but wanted to publish it before it becomes virtual dust! Read more “Thoughts on IOCs for Exchange Hafnium/ProxyLogon” →