Vulners weekly digest #2

Weekly overview of new vulnerabilities, exploits, tools and other news from the world of information security


EXPLOITS and vulnerabilities

Microsoft continues to gather most of the hype about critical vulnerabilities.
On March 23rd Microsoft released a new warning about two critical zero-day vulnerabilities that could allow attackers to remotely gain control of a target computer. Both vulnerabilities are in the Windows Adobe Type Manager Library, font-parsing software that not only parses content for third-party software but is also used by Explorer to display the content of a file in the ‘Preview Pane’ or ‘Details Pane’ without the user having to open it.
Update, 25 March: according to Microsoft, the severity of this vulnerability for Windows 10 is low.
From all the descriptions and reviews we can conclude that the exploitability index is in reality quite low. But you should not wait for such information to appear in APT reports or in a public exploit database before acting.

“Microsoft is aware of this vulnerability and working on a fix. Updates that address security vulnerabilities in Microsoft software are typically released on Update Tuesday, the second Tuesday of each month.”

Main description from Microsoft:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006

SharePoint

A new Metasploit module was added for CVE-2020-0646. This module allows an attacker to achieve remote code execution by sending specially crafted XOML data to SharePoint via the Workflows functionality.

https://vulners.com/zdt/1337DAY-ID-34152

OSX Privilege Escalation

A vulnerability was found in VMware Fusion (11.x before 11.5.2), VMware Remote Console for Mac (11.x and prior before 11.0.1) and Horizon Client for Mac (5.x and prior before 5.4.0). Exploiting this vulnerability may allow an attacker to escalate from normal user privileges to root access on the host. It is worth noting that exploits for OSX are quite rare, and a new Metasploit module is already on the way.

PoC: https://vulners.com/zdt/1337DAY-ID-34121
Forthcoming module: https://github.com/rapid7/metasploit-framework/pull/13123

There are also exploits without any public score or CVE number. The Vulners platform collects and aggregates information and assigns its own AI score, which is made up of various indicators. In this way you can find a lot of information about unique vulnerabilities for which new exploits have been released (including paid ones). They were not mentioned in the news and no research has been done on them. Look at the examples below:

BustaBit

Bustabit is a simple real-time game where you can play for fun or to win money. In each round of the game you have the opportunity to place a bet before the round starts. Every tick in the game has a chance to bust. If you don’t cash out before the bust, you lose your bet.
This exploit will generate the next 10 game results after starting from your . The author of the paid exploit provides a video PoC of this functionality.

https://vulners.com/zdt/1337DAY-ID-34134

360 Security sandbox escape

Many security vendors provide their own sandboxes. A sandbox is a good way to test malicious samples in an isolated environment: an application running in a sandbox has limited access, without network communication, file creation and so on. A vulnerability in the 360 Security sandbox bypasses its main features and allows an attacker to escape from the sandbox and call other programs, or another instance of itself, outside the sandbox.

https://vulners.com/zdt/1337DAY-ID-34125


INFOSEC TOOLS

Starkiller

Empire is one of the most famous pentest frameworks. Starkiller is a frontend for PowerShell Empire written in VueJS. It is a nice addition to the Empire tool.

uDork – Google Hacking Tool

uDork is a script written in Python that uses advanced Google search methods. This recon tool uses the open lists from exploit-db.com (Google Hacking Database: https://www.exploit-db.com/google-hacking-database).

Ninja c2

An open-source C2 server created by a purple team for purple teams. It is especially relevant for testing your correlation rules and threat-hunting techniques. Ninja is still in beta, and when the stable version is released it will contain many more stealthy techniques and anti-forensic methods.

Useful C2 matrix: https://www.thec2matrix.com/matrix


Attacking news

Spyware On iPhones

A new watering-hole campaign was discovered on January 10, 2020, using a full remote iOS exploit chain to deploy a feature-rich implant named LightSpy. The campaign posted malicious links on multiple forums, disguised as clickbait news from websites or about the pandemic/COVID-19.
The malware exploits a “silently patched” Safari vulnerability which, when rendered by the browser, leads to exploitation of a use-after-free memory flaw (tracked as CVE-2019-8605) that gives the attacker code execution with root privileges, used to install the proprietary LightSpy backdoor. The bug has since been resolved with the release of iOS 12.3, macOS Mojave 10.14.5, tvOS 12.3, and watchOS 5.2.1.

By analyzing changes in the first-stage WebKit exploit, Kaspersky discovered that the list of supported devices was also significantly extended.

The most complete diagram of the described activity, from Trend Micro:

In addition, LightSpy targets messaging applications like Telegram, QQ, and WeChat to steal account information, contacts, groups, messages, and attached files.

Astaroth come back

Astaroth is information-stealing malware that came back in early February with many changes in its functionality. It uses multiple fileless techniques and abuses different legitimate processes in an attempt to run undetected on compromised machines.
Microsoft Defender ATP data showing revival of Astaroth campaigns:

Astaroth now completely avoids the use of WMIC and related techniques to bypass existing detection methods. The attackers introduced new techniques that make the attack chain stealthier:

  • Abusing Alternate Data Streams (ADS) to hide malicious payloads
  • Abusing the legitimate process ExtExport.exe, a highly uncommon attack vector, to load the payload

One of the most significant updates is the use of Alternate Data Streams (ADS), which Astaroth abuses at several stages to perform various activities. An ADS is a file attribute that allows a user to attach data to an existing file. The stream data and its size are not visible in File Explorer, so attackers abuse this feature to hide malicious code in plain sight.
A more practical description is given in the research.

  1. Arrival: spear-phishing with an LNK file. When clicked, the LNK file runs an obfuscated BAT command. The BAT drops a single-line JavaScript file to the Pictures folder and invokes explorer.exe to run it. The dropped one-liner uses the GetObject technique to fetch and run the much larger main JavaScript directly in memory.
  2. BITSAdmin abuse: the main script uses BITSAdmin to download additional binaries from the command-and-control (C2) server.
  3. Alternate Data Streams abuse: Astaroth uses an advanced technique for copying the downloaded data into data streams. For each download, the content is copied to an ADS and the original file is then deleted.
  4. ExtExport.exe abuse: the script uses another unobvious technique from the LOLBAS project: ExtExport.exe.
  5. Userinit.exe abuse.
  6. Astaroth payload: while running, the Astaroth payload reads and decrypts more components from the ADS stream of desktop.ini.

Some of the payload components are credential-stealing plugins hidden inside the ADS stream of desktop.ini. Astaroth abuses these plugins to steal information from compromised systems:

  • NirSoft’s MailPassView – an email client password recovery tool
  • NirSoft’s WebBrowserPassView – a web browser password recovery tool

NirSoft’s features are well known to many threat hunters. If you have not already done so, be sure to test and explore the capabilities of the NirSoft tools.
Astaroth attempts to detect installed security products and then tries to disable those it finds.
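As an added example (not from the digest or from Microsoft’s research), the PowerShell scan below lists named alternate data streams under a directory tree, skips the main ':$DATA' stream and the expected Zone.Identifier mark-of-the-web stream, and hashes each remaining stream so a payload hidden under different host files (such as desktop.ini) can be correlated. It assumes NTFS and Windows PowerShell 5.1; Get-SuspiciousAds and its parameters are names introduced here.

```powershell
# Added example, not from the digest or Microsoft's research.
# Assumes NTFS and Windows PowerShell 5.1 (Get-Content -Encoding Byte).
function Get-SuspiciousAds {
    param(
        [Parameter(Mandatory)][string]$Root,
        # Zone.Identifier is the normal mark-of-the-web on downloaded files, so it is ignored.
        [string[]]$IgnoreStreams = @('Zone.Identifier')
    )
    $sha256 = [System.Security.Cryptography.SHA256]::Create()

    # -Force is required: desktop.ini is a hidden system file and would be skipped otherwise.
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * returns every stream of the file, including the main ':$DATA' stream.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' -and $IgnoreStreams -notcontains $_.Stream } |
        ForEach-Object {
            # Read the stream content as raw bytes and hash it for correlation across hosts/files.
            $bytes = Get-Content -LiteralPath $_.FileName -Stream $_.Stream `
                                 -Encoding Byte -ReadCount 0 -ErrorAction SilentlyContinue
            $hash = ''
            if ($bytes) {
                $hash = ($sha256.ComputeHash([byte[]]$bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
            }
            [pscustomobject]@{
                File             = $_.FileName
                Stream           = $_.Stream
                Bytes            = $_.Length
                SHA256           = $hash
                # desktop.ini normally carries no named streams; Astaroth stores its components there.
                HostIsDesktopIni = ($_.FileName -like '*\desktop.ini')
            }
        }
}

# Scan the current user's profile and list desktop.ini hits first.
Get-SuspiciousAds -Root $env:USERPROFILE |
    Sort-Object HostIsDesktopIni -Descending |
    Format-Table -AutoSize
```

Any named stream on desktop.ini, or a stream hash that repeats across several hosts, is worth pulling for analysis; on a clean machine the list is typically empty.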

Vulners weekly digest #1

Brief overview of new exploits, tools and various news from the world of information security


Exploits

This month’s most famous vulnerability is CVE-2020–0796, a critical SMB server/client vulnerability that affects Windows 10. A working exploit is still missing, but everything needed to fix it is already available. After authentication, an attacker can exploit this vulnerability to cause memory corruption, which may lead to remote code execution.
Since 2017, despite millions of dollars in losses and a ransomware epidemic, attempts to exploit the MS17–010 vulnerabilities in the SMB protocol have continued.
It is recommended to start patching your infrastructure now, not to postpone it until a working exploit appears, and to apply the latest patch from Microsoft for CVE-2020–0796 on Windows 10.

Checker: 
https://vulners.com/zdt/1337DAY-ID-34097
More detailed description:
https://www.kaspersky.com/blog/smb-311-vulnerability/33991/

An rConfig 3.x exploit for CVE-2020–10220 and CVE-2019–19509 was added to Metasploit.
First, the module uses CVE-2020–10220 to add an admin user to the application by exploiting a SQL injection.
Second, the module authenticates as the newly created admin user to abuse a command injection in the `path` parameter of ajaxArchiveFiles within the rConfig web interface via CVE-2019–19509.

https://vulners.com/exploitdb/EDB-ID:48223

RCE in Microsoft SQL Server Reporting Services (CVE-2020–0618)
Enables an attacker to craft an HTTP POST request with a serialized object to achieve remote code execution. An account is necessary to exploit this vulnerability; the request uses NTLM basic authentication. The account must be assigned at least the “Browser” role on the site. This is a low-privilege role that only allows the user to do a few things: view folders and reports, and subscribe to reports.

https://vulners.com/zdt/1337DAY-ID-34090


InfoSec tools

Pypykatz:

Every blue team has heard of a tool like mimikatz. Pypykatz is a mimikatz implementation in pure Python. It can be run on all OSes that support Python >= 3.6.
It is also an actively developed open-source tool, which you should test.

Fresh tool for phishing creds:

Pickl3 is a Windows active-user credential phishing tool. It can be integrated with all the classic up-to-date phishing techniques: LNK files, DDE attacks or macros in Microsoft Office documents.

OWASP Maryam:

A new open-source OSINT tool for red teamers. If you have experience with recon-ng, it will be easy to use without prerequisites.


COVID-19 and malware activity

The coronavirus pandemic has proven to be a blessing in disguise for APT groups and attackers. According to a report published by Check Point Research, hackers are exploiting the COVID-19 outbreak to spread their own infections, including registering malicious COVID-19-related domains and selling them to malware creators on the dark web.
The report follows a rise in the number of malicious coronavirus-related domains registered since the start of January:

It’s amply clear that these attacks exploit coronavirus fears and people’s hunger for information about the pandemic. It’s very important to avoid falling victim to online scams and practice your digital hygiene.
https://vulners.com/thn/THN:388DC5BD3433ABFAA4F3ADE1B130DB21

TrickBot has added new functionality: a module for brute-forcing the Remote Desktop Protocol (RDP) called rdpScanDll. TrickBot is malware that has been around since 2016, starting its career as a banking trojan.
The malware is distributed through spam mailing lists, uses new security-evasion methods and acts as a means of delivering other malware such as Emotet.
More detailed information about the new malware features:
https://vulners.com/thn/THN:71376C31FA1999B14811937997E9339A
TrickBot has also been spotted in the latest trend of attacks using sites about COVID-19 or coronavirus, as described in a Fortinet report.

Vulnerability Management with Vulners Agents

The Vulners team has recently released new functionality for Linux vulnerability audit: Agent Scans. It is not an API that you have to wire into your own scripts, but a complete, enterprise-ready product.

IP Summary

Try it for free! To audit CentOS 7 with Vulners Agents, follow these steps:

  1. Add the Vulners repository. Create the /etc/yum.repos.d/vulners.repo file:
    [vulners]
    name=Vulners Agent
    baseurl=https://repo.vulners.com/redhat/el$releasever/
    enabled=1
    gpgcheck=0
  2. Install Vulners agent
    yum install vulners-agent.noarch
  3. Get an API key

    You will get key like “HXKM3OMDIYGJLJ60MPM1X51AKC3XTD9Z28J78X12T2OC2MXSTKMMBN70EBBIQUAA”

  4. Add key to /opt/vulners/conf/vulners.conf
  5. Wait for two hours or run /opt/vulners/agent.py manually
  6. Go to https://vulners.com/audit and see the results:
