Tools and Tradecraft
Metasploit antivirus evasion modules
It’s no secret that the Metasploit framework is a pentester favorite for quick and easy access to exploits and payloads for penetration testing. Recently, Rapid7 has begun developing evasion modules for the Metasploit framework, which means antivirus evasion is now built directly into the framework.
In the past, the framework’s integrated antivirus evasion was fairly limited, coming in the form of MSFvenom. MSFvenom is more or less a tool for generating custom shellcode: encoding it so that it exploits vulnerabilities that don’t allow certain characters or symbols, and/or “randomizing” it so that anti-exploit tools have a harder time discerning what is actually being done. A few open-source projects outside of the framework have assisted penetration testers with antivirus evasion, the most notable of which are the VEIL-Framework and Shellter.
If you’d like to read up about the new evasion category, and the first module, evasion for Windows Defender, go check out the research paper here [PDF].
Information Security trends
Derbycon has taken place again in Louisville, Kentucky, for the eighth year in a row. Once again, Adrian “Irongeek” Crenshaw has recorded the vast majority of the talks at the conference and posted them to several video streaming services.
Splunk .Conf 2018
Splunk’s .Conf conference has come and gone, having been hosted this year in Orlando, Florida. Members of the Hurricane Labs team were on-site to keep up to date with the latest Splunk trends, as well as to compete in the “Boss of the NOC” competition.
CSO online has written a post detailing their takeaways from the conference this year. If you’re interested in watching some of the videos from this year’s .conf event, as well as recordings from previous years, you can do so here.
Google Plus shutting down after API bug exposes details on 500,000 users
Google Plus, the social network Google attempted to launch as a rival to Facebook, will be shutting down. The supposed reason for the shutdown is a bug in the platform that exposed the information of users on the platform.
This bug has been around since 2015, and was only recently discovered in March of 2018. Google knew about the issue for six months, and chose not to disclose any information regarding it. This caused some security researchers to call out Google for hypocrisy: Project Zero holds vendors to a strict 90-day disclosure timeline, yet Google took double that amount of time to disclose this problem.
While this event isn’t a direct threat to most organizations (including our customers), there are INDIRECT consequences that you and your employees should be made aware of.
While we do not have any evidence that credentials have been leaked as a result of this issue, whenever a breach makes credentials (hashed or unhashed passwords, email addresses and/or usernames) publicly available, password reuse, as well as employees using company email addresses to register for various services, becomes a concern. For that reason, I would recommend informing employees NOT to register their company email addresses for non-work-related internet services, including but not limited to social media accounts. Additionally, you may want to have a discussion about the risks of password reuse.
Until Next Time
Keep an eye out for the eleventh edition of The Hurricane Labs Foundry. In the meantime, follow us on Twitter @hurricanelabs for updates!