Vulners weekly digest #1

Brief overview of new exploits, tools and various news from the world of information security


Exploits

This month’s most famous vulnerability is CVE-2020-0796, a critical SMB server/client vulnerability that affects Windows 10. A working exploit is still missing, but everything needed to fix the vulnerability is already available. After authentication, an attacker can exploit this vulnerability to cause memory corruption, which may lead to remote code execution.
Despite millions of dollars in losses and a ransomware epidemic, attempts to exploit the MS17-010 vulnerabilities in the SMB protocol have continued since 2017.
We recommend patching your infrastructure now by applying the latest Microsoft patch for CVE-2020-0796 for Windows 10, rather than postponing it until a working exploit appears.

Checker: 
https://vulners.com/zdt/1337DAY-ID-34097
More detailed description:
https://www.kaspersky.com/blog/smb-311-vulnerability/33991/

An rConfig 3.x exploit for CVE-2020-10220 and CVE-2019-19509 was added to Metasploit.
First, the module uses CVE-2020-10220 to add an admin user to the application by exploiting a SQL injection.
Second, the module authenticates as the newly created admin user and abuses a command injection in the `path` parameter of ajaxArchiveFiles within the rConfig web interface via CVE-2019-19509.

https://vulners.com/exploitdb/EDB-ID:48223
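
A log check for the second stage described above, as an added example that is not part of the original digest or of the Metasploit module: it flags requests to ajaxArchiveFiles whose `path` value contains shell metacharacters. The combined log format, the URL layout, the function name and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
# The /lib/ajaxHandlers/ prefix is an assumed URL layout.
SAMPLE_LOG = """\
198.51.100.7 - - [20/Mar/2020:10:01:02 +0000] "GET /lib/ajaxHandlers/ajaxArchiveFiles.php?path=%2Fhome%2Frconfig%2Fdata&ext=txt HTTP/1.1" 200 51 "-" "Mozilla/5.0"
203.0.113.9 - - [20/Mar/2020:10:05:40 +0000] "GET /lib/ajaxHandlers/ajaxArchiveFiles.php?path=%2Ftmp%3Becho%20CONSTRUCTED%20%23&ext=txt HTTP/1.1" 200 51 "-" "python-requests/2.23"
198.51.100.7 - - [20/Mar/2020:10:06:11 +0000] "GET /dashboard.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""

# Client address and request line of a combined-format log entry.
REQUEST = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Characters that have no place in a directory path but matter to a shell.
SHELL_META = re.compile(r"[;|&`$<>(){}\n\r]")


def suspicious_archive_requests(log_text):
    """Return (client_ip, decoded_path) for ajaxArchiveFiles requests
    whose `path` query parameter contains shell metacharacters."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue  # not a parsable request line
        url = urlsplit(m.group("target"))
        if "ajaxarchivefiles" not in url.path.lower():
            continue
        # parse_qs percent-decodes values, so encoded metacharacters are caught.
        for value in parse_qs(url.query, keep_blank_values=True).get("path", []):
            if SHELL_META.search(value):
                hits.append((m.group("ip"), value))
    return hits


if __name__ == "__main__":
    for ip, value in suspicious_archive_requests(SAMPLE_LOG):
        print(f"suspicious path parameter from {ip}: {value!r}")
```

Access logs record only the query string, so parameters sent in a request body need a proxy or WAF log instead.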

RCE in Microsoft SQL Server Reporting Services (CVE-2020-0618)
This vulnerability enables an attacker to craft an HTTP POST request with a serialized object to achieve remote code execution. An account is necessary to exploit this vulnerability. The request uses NTLM basic authentication. The account must be assigned at least the “Browser” role on the site. This is a low-privilege role that simply allows the user to do a few things: view folders, view reports and subscribe to reports.

https://vulners.com/zdt/1337DAY-ID-34090


InfoSec tools

Pypykatz:

Every blue team has heard of a tool called mimikatz. Pypykatz is a mimikatz implementation in pure Python. It can be run on any OS that supports python>=3.6.
It is also an actively developed open-source tool, which you should test.

Fresh tool for phishing creds:

Pickl3 is a credential phishing tool that targets the active Windows user. It can be integrated with all the classic, up-to-date phishing techniques: lnk files, DDE attacks or macros in Microsoft Office documents.

OWASP Maryam:

A new open-source OSINT tool for red teamers. If you have experience with recon-ng, it will be easy to use without prerequisites.


COVID-19 and malware activity

The coronavirus pandemic has proven to be a blessing in disguise for APT groups and attackers. According to a report published by Check Point Research, hackers are exploiting the COVID-19 outbreak to spread their own infections, including registering malicious COVID-19-related domains and selling to malware creators on the dark web.
The report follows an increase in the number of malicious coronavirus-related domains that have been registered since the start of January.

It’s amply clear that these attacks exploit coronavirus fears and people’s hunger for information about the pandemic. It’s very important to avoid falling victim to online scams and to practice good digital hygiene.
https://vulners.com/thn/THN:388DC5BD3433ABFAA4F3ADE1B130DB21

TrickBot has added new functionality: a module for brute-forcing Remote Desktop Protocol (RDP), called rdpScanDll. TrickBot is malware that has been around since 2016, starting its career as a banking trojan.
The malware is distributed through spam mailing lists, uses new security evasion methods and acts as a means of delivering other malware such as Emotet.
More detailed information about new malware features:
https://vulners.com/thn/THN:71376C31FA1999B14811937997E9339A
TrickBot has also been spotted in the latest trend of attacks using sites about COVID-19 or coronavirus, as described in a Fortinet report.
