Brief overview of new exploits, tools and various news from the world of information security
This month’s most famous vulnerability is CVE-2020–0796, a critical SMB server/client vulnerability that affects Windows 10. A working exploit is still missing, but it already has everything needed to fix it. After auth, an attacker can exploit this vulnerability to cause memory corruption, which may lead to remote code execution.
Since 2017, despite millions of dollars in losses and a ransomware epidemic, attempts to exploit the vulnerabilities of MS17–010 in SMB protocols have continued.
It is recommended to start patching your infrastructure, not to postpone it until the working exploit appears and apply the latest patch from Microsoft for CVE-2020–0796 for Windows 10.
More detailed description:
rConfid 3.x exploit for CVE-2020–10220 and CVE-2019–19509 was added in metasploit.
Firstly, this module use CVE-2020–10220 to add admin user to the application via exploiting SQL injection.
Secondly, the module authenticates as the newly created admin user to abuse a command injection in the `path` parameter of the ajaxArchiveFiles within the rConfig web interface via CVE-2019–19509.
RCE in Microsoft SQL Server Reporting Services (CVE-2020–0618)
Enables the attacker to craft a HTTP POST request with a serialized object to achieve remote code execution. An account is necessary to exolit this vulnerability. The request is using NTLM basic authentication. This account must be assigned at least the “Browser” role on the site. It is low privilege available and simply allows the user to do few things: view folders, reports and subscribe to reports.
Each blue team has been heard about such tool as mimikatz. Pypykatz is mimikatz implementation in pure Python. Can be run on all OS’s which support python>=3.6
Also, it’s actively developing open source tool, which you should test.
Pickl3 is Windows active user credential phishing tool. This tool can be integrated with all classic up-to-date phishing techniques: lnk files, dde attacks or macros in microsoft office documents.
New open-source OSINT tool for red teamers. If you have experience with recon-ng, it will be easy use without prerequisites.
COVID-19 and malware activity
The coronavirus pandemic situation has proven to be a blessing in disguise for APT groups and attackers. Now, according a report published by Check Point Research hackers are exploiting the COVID-19 outbreak to spread their own infections, including registering malicious COVID-19-related domains and selling for malware creators in the dark web.
The report comes following in the number of malicious coronavirus-related domains that have been registered since the start of January:
It’s amply clear that these attacks exploit coronavirus fears and people’s hunger for information about the pandemic. It’s very important to avoid falling victim to online scams and practice your digital hygiene.
The Trickbot has added a new functional. A module for bruteforce remote desktop protocol (RDP) was calles rdpScanDll. TrickBot is a malware that has been around since 2016, starting career as a banking trojan.
The malware is distributed through spam mailing lists, uses new security evasion methods and acts as a means of delivering other malware such as Emotet.
More detailed information about new malware features:
Trickbot has also been spotted in the latest trend in attacks using sites about COVID-19 or cronovirus, which described in fortinet report.