Monthly Vulners Review #2

Vulners events
The most interesting vulnerabilities of the month
Very few tools
News with almost no attacks


Vulners events

There have been several events for Vulners this month:

  1. Integrated with the project https://attackerkb.com, which we mentioned in Vulners weekly digest #5;
  2. Vulners integrated data about Apple vulnerabilities, mentioned in Vulners weekly digest #7;
  3. Updated our contacts 🙂 Anyone can reach us through any channel;
  4. Made a survey for feedback: https://forms.gle/D17BaFwD5hJnKkUUA.


We are constantly experimenting with the format of our posts. This time we decided to show as many of the month's most interesting vulnerabilities as possible, without dividing them by platform as in the previous monthly post.

Microsoft

Microsoft wouldn’t be themselves if their next monthly update didn’t break something. So it broke…

Released on May 12, the Windows 10 monthly update KB4556799 may cause LTE modems (internal or external) to stop working. In this case Windows shows a network connection that isn't really there.

Microsoft promises to solve the problem in an upcoming fix.

Ambiguous vulnerabilities

According to the Vulners AI score, some vulnerabilities are ambiguous (low CVSS but a high AI score, or no CVSS at all). The query used:

(bulletinFamily:exploit OR bulletinFamily:NVD) AND enchantments.score.value:[6 TO 10] AND cvss.score:[0 TO 6] AND order:viewCount last month

A few examples from this month are below:

A few PoCs for a few vulnerabilities in ManageEngine

ManageEngine is one of the most popular software solutions for managing IT infrastructure (a typical help desk).

CVE | Component | Type | PoC
CVE-2020-11531 | Data Security <v6.0.1 | Path Traversal | PoC for CVE-2020-11531
CVE-2020-11532 | Data Security <v6.0.1 | Authentication Bypass | PoC for CVE-2020-11532
CVE-2020-8838 | Windows agent <v6.5 | Remote Code Execution | PoC for CVE-2020-8838

All these vulnerabilities were disclosed on May 5.

Kill-chain with IBM Data Risk Manager

IBM Data Risk Manager (IDRM) is a platform designed to collect threat data from various security systems, which makes it well suited to evaluating an organization's cyber risk.

If attackers compromise this component, it is highly likely that they will be able to compromise the whole organization. Note that IDRM stores the credentials used to access other security products, and the platform also holds information about the company's critical vulnerabilities.

Three vulnerabilities can be chained into a kill chain that gives the attacker remote code execution with high privileges.

The Metasploit module covers CVE-2020-4427, CVE-2020-4428 and CVE-2020-4429: https://vulners.com/metasploit/MSF:EXPLOIT/LINUX/HTTP/IBM_DRM_RCE

Pi-hole <= 4.4 RCE

Pi-hole is a Linux-based distribution that blocks ads and protects sensitive data on the network. Blocking happens at the DNS level, with flexibly configurable lists of banned resources.

CVE-2020-11108: Pi-hole through 4.4 allows an authenticated adversary to upload arbitrary files. This can be abused for arbitrary code execution by writing a PHP file into the web directory. Exploit: https://vulners.com/exploitdb/EDB-ID:48442

Metasploit module: https://vulners.com/metasploit/MSF:EXPLOIT/UNIX/HTTP/PIHOLE_BLOCKLIST_EXEC

Top 10 Routinely Exploited Vulnerabilities

This month, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the broader U.S. Government published this technical guidance to advise IT security professionals.

For each vulnerability the alert specifies which malware exploited it, when it was fixed, IOCs, etc. The list covers vulnerabilities from 2012 to 2019, as well as vulnerabilities from 2020 that made headlines in various incidents.

You may notice that there are links at the bottom of each Vulners vulnerability page. These links collect all news and events associated with the vulnerability. Example for CVE-2017-11882:

This feature allows you to perform your own analysis of these vulnerabilities and prioritize them for your own purposes.

https://www.us-cert.gov/ncas/alerts/aa20-133a

High-profile vulnerabilities of the month

A new type of DoS attack using the DNS protocol has been named NXNSAttack.
Briefly: the attacker sends a query to an open resolver for a domain delegated to an authoritative server under his control, which replies with a referral listing a long list of NS names in the victim's zone (most often non-existent, made-up names).
The open resolver takes this list and starts querying the victim's DNS servers to resolve each of these names, producing a large number of NXDOMAIN responses and a corresponding increase in load on the server. In effect, the attack is aimed solely at the target DNS server.
At the moment, the only remedy is to patch your DNS servers and configure limits on how many such lookups the resolver will perform.

According to the research, against a BIND 9.12.3 server the attack can be amplified up to 1000 times (Packet Amplification Factor, PAF).

Vulnerable:
  • BIND (CVE-2020-8616)
  • Knot (CVE-2020-12667)
  • PowerDNS (CVE-2020-10995)
  • Windows DNS Server
  • Unbound (CVE-2020-12662)
  • as well as the public DNS services of Google, Cloudflare, Amazon, Quad 9, ICANN and other companies.

  1. http://www.nxnsattack.com
  2. https://vulners.com/thn/THN:B16A54F3A6063EA035782D8584261F00
  3. https://en.blog.nic.cz/2020/05/19/nxnsattack-upgrade-resolvers-to-stop-new-kind-of-random-subdomain-attack
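As an added defensive example (not code from the Vulners post or from any DNS vendor), the following Python script scans a constructed, hypothetical resolver egress log for the pattern described above: a burst of lookups for many distinct names under one zone that all come back NXDOMAIN, and estimates the resulting amplification toward that zone. The log format, domain names and thresholds are all assumptions.

```python
"""Spot NXNSAttack-style referral amplification in a resolver's outbound query log.

Added example, not from the Vulners post or from any DNS vendor. The log
format below is a constructed, hypothetical one:
    <unix_ts> <qname> <qtype> <rcode>
one line per query the recursive resolver sent upstream. In practice you
would feed it from dnstap or a packet capture of the resolver's egress.
"""
from collections import defaultdict


def build_sample_log(ns_count=50):
    """Constructed sample: one client lookup for a domain the attacker controls
    triggers a referral listing ns_count bogus NS names under victim.example;
    the resolver chases every one of them and gets NXDOMAIN each time.
    Two unrelated lookups are mixed in as benign background traffic."""
    lines = ["1590000000.000 www.attacker.example A NOERROR"]
    for i in range(ns_count):
        lines.append(f"1590000000.{i + 1:03d} fake{i}.victim.example A NXDOMAIN")
    lines.append("1590000000.200 mail.good.example A NOERROR")
    lines.append("1590000000.300 ns.good.example AAAA NOERROR")
    return "\n".join(lines)


def parse_log(text):
    """Parse the constructed log format into (ts, qname, qtype, rcode) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, qname, qtype, rcode = line.split()
        events.append((float(ts), qname.lower().rstrip("."), qtype, rcode))
    return events


def parent_zone(qname, labels=2):
    """Crude zone grouping: keep the last `labels` labels (e.g. victim.example).
    A production version would consult the public suffix list instead."""
    parts = qname.split(".")
    return ".".join(parts[-labels:]) if len(parts) >= labels else qname


def detect_nxns_bursts(events, window=1.0, min_names=20, min_nx_ratio=0.9):
    """Flag zones that, inside any `window`-second slice, received queries for at
    least `min_names` distinct names of which >= `min_nx_ratio` got NXDOMAIN.
    Returns {zone: (distinct_names, nxdomain_ratio)} for the worst slice seen."""
    by_zone = defaultdict(list)
    for ts, qname, _qtype, rcode in events:
        by_zone[parent_zone(qname)].append((ts, qname, rcode))

    findings = {}
    for zone, evs in by_zone.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window so that evs[start:end+1] spans at most `window` seconds.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            names = {q for _, q, _ in chunk}
            nx_ratio = sum(1 for _, _, r in chunk if r == "NXDOMAIN") / len(chunk)
            if len(names) >= min_names and nx_ratio >= min_nx_ratio:
                best = findings.get(zone)
                if best is None or len(names) > best[0]:
                    findings[zone] = (len(names), round(nx_ratio, 2))
    return findings


def amplification_estimate(events, zone, trigger_queries=1):
    """Rough amplification: upstream queries sent toward `zone` divided by the
    number of client queries that triggered them (1 in the constructed sample).
    This is the same ratio the Packet Amplification Factor expresses."""
    sent = sum(1 for _, q, _, _ in events if parent_zone(q) == zone)
    return sent / trigger_queries


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    for zone, (n, ratio) in detect_nxns_bursts(evs).items():
        print(f"{zone}: {n} distinct names, NXDOMAIN ratio {ratio}, "
              f"amplification ~{amplification_estimate(evs, zone):.0f}x")
```

Tune `min_names` and `window` to the resolver's normal referral fan-out; a legitimate zone rarely hands out dozens of distinct, non-existent NS names within a second.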

Symantec endpoint privilege escalation

Exploiting CVE-2020-5837 allows a low-privileged user to create a file anywhere on the system, with partial control over the file's content. There are many ways to abuse this issue. Versions prior to 14.3 are vulnerable.

Video PoC Step By Step:

CVE-2020-5837 PoC

Tools

Most of the interesting fresh tools are published in our weekly reviews.

Powerob 

PowerShell script obfuscator for red teamers: takes the original command name and outputs the obfuscated command name to use in PowerShell.

Getdroid 

Malicious Android APK generator (reverse shell).

DiscordRAT 

RAT for Discord written in Python 3. You can generate a binary file, deploy the bot on your own server and then get access. We don't know the practical use of this tool, but it's a cool idea.


Thomas Brewster, the Forbes journalist who raised the fuss, said that Xiaomi would add an option allowing the user to disable data collection in incognito mode. The new privacy setting now allows Mi Browser users to disable the aggregated data collection feature while in Incognito Mode, but it bears noting that it's not enabled by default.

If Xiaomi was serious about its “commitment to user privacy,” it would have sought users for their explicit consent. In its present state, it’s just an illusion of control.

https://vulners.com/thn/THN:D12A519EAC085DA9915F1B1370B970B5

In Ukraine, the data broker Sanix was arrested, accused of trading stolen user data. The hacker has been active since at least 2018. He did not break into anything himself, but collected and resold data obtained in other hacks.

Sanix was reportedly involved in the data collections Collection #1, #2, etc., which appeared in January 2019 and contained a total of more than 3.5 billion email addresses, passwords and phone numbers.

https://vulners.com/thn/THN:32403D554849523AAB204629304EDE77

https://vulners.com/thn/THN:78C014B66408C3D4219EC395F9F108C0

EasyJet Suffers Data Breach

British low-cost airline EasyJet reported a leak of information about 9 million customers and the data of 2208 bank cards. The airline claims the data was obtained by hackers during a technically sophisticated cyberattack.

The leaked data included email addresses and flight information. The company claims to have found no evidence that this data was used maliciously. EasyJet will contact customers affected by the leak in the coming days, with a deadline of May 26. The company has already contacted those customers whose bank card details were stolen, the report said. Passengers' passport details were not leaked.

The publication Motherboard, whose journalists are closely following the lawsuits between Facebook and the Israeli NSO Group, has unearthed yet another detail of the Israeli company's not entirely legal activities.

NSO produces Pegasus software designed to hack WhatsApp, and sells it all over the world to law enforcement agencies, intelligence agencies and private security companies. WhatsApp is being sued by Facebook.

Motherboard obtained information from a former NSO employee who anonymously shared data about the Israeli company's infrastructure, in particular the IP address used to infect Pegasus victims. It turned out that between 2015 and 2016 several domains were tied to that IP, including domains impersonating the Facebook security team and the FedEx parcel tracking service.

The IP address was suspected to belong to Amazon. That is, the Israeli NSO used a Facebook-themed phishing page served from an American server to infect smartphones. Nice 🙂

The RagnarLocker operator first installs Oracle VirtualBox on the compromised system and gives it full access to all local and shared disks. Then MicroXP v0.82 (a stripped-down Windows XP SP3) is installed in the virtual machine and RagnarLocker is placed inside it.

In this way the ransomware hides from antivirus software, since all the actions that encrypt the infected system's files are performed by the VirtualBox process. The trick was revealed by the British antivirus vendor Sophos, which says it is the first time it has encountered such a technique.

VirtualBox is signed, and antivirus software treats signed processes with less suspicion. But as soon as this technique becomes widespread, a detection for it will appear. Many ways of modifying the file system through legitimate, trusted software can be devised, but such tricks will not work for long.


Please leave your feedback. It takes less than one minute and helps us get better: https://forms.gle/D17BaFwD5hJnKkUUA

Jailbreak for any iOS device

Last weekend, a team of information security experts and reverse engineers introduced a new version of the Unc0ver jailbreak (5.0.0). This tool works for almost any iPhone, even with the latest iOS 13.5 on board.

The Unc0ver authors say it exploits a zero-day vulnerability in the iOS kernel that Apple's experts are not yet aware of. The vulnerability was discovered by one of the team members, known under the pseudonym Pwn20wnd.

Pwn20wnd himself says that for the first time in five years a jailbreak is relevant even for the current, most recent version of the operating system; the last time a similar tool was released was in 2014. Usually jailbreaks exploit old vulnerabilities in iOS and, accordingly, do not work on the current version of the operating system, where those "holes" are already fixed. As a result, owners of jailbroken devices often prefer simply not to update the OS.

Shortcomings of the Jailbreak:

  1. iOS is one of the most secure operating systems, partly because the user has no access to the file system. Once that access is opened up, which is what jailbreaking does, picking up a trojan or a virus becomes much easier.
  2. Jailbreaking may cause problems with the device. Sometimes the iPhone or iPad turns into a "brick", often through the fault of the user, if he did not perform the action shown on the screen during the jailbreak procedure. Responsibility for this, of course, lies only with the owner of the device.
  3. Jailbreaking voids the iPhone or iPad warranty.

At the same time, Pwn20wnd claims that using an unknown 0-day and jailbreaking devices with it does not affect security in any way and does not open the device to attacks. According to Pwn20wnd, Apple's experts will release a patch for the new vulnerability in the next 2-3 weeks.

The Unc0ver developers also write that they tested their jailbreak on iOS versions 11 to 13.5. The jailbreak does not work only on iOS versions 12.3 through 12.3.2 and 12.4.2 through 12.4.5.

Vulners weekly digest #8

Three traditional sections in our weekly digest. Enjoy!


Vulnerabilities and attacks

Last week Microsoft released its monthly "Patch Tuesday" update. We haven't covered it yet, but Alexander Leonov gave a brief overview of the update on his blog.

Various research has been published this week on several vulnerabilities from Microsoft's patch. Any road to an exploit starts with strong research 🙂

NTLM relay with CVE-2020-1113

For a long time, many attackers have liked to use the NTLM relay technique in their operations. Firstly, many different protocols can be used to carry it out. Secondly, such attacks are difficult to detect at every stage.
Best explanation of how it works:

NTLM relay has been used and reused in several attacks:

CVE-2020-1113 was fixed in Microsoft's May update. Read the detailed research on the ntlmrelayx update in impacket that adds support for the RPC protocol:

https://blog.compass-security.com/2020/05/relaying-ntlm-authentication-over-rpc

PrintDemon: Print Spooler Privilege Escalation, Persistence & Stealth CVE-2020-1048

CVE-2020-1048 was fixed in Microsoft's May update. The research was released on the same day as the fix 😉 It uses the Windows Print Spooler to elevate privileges, bypass EDR rules, gain persistence, and more. The full research consists of two parts:

  1. https://windows-internals.com/printdemon-cve-2020-1048
  2. https://windows-internals.com/faxing-your-way-to-system

PoC with Empire: https://github.com/BC-SECURITY/Invoke-PrintDemon

CVE-2020-1143

This vulnerability is also from the May update. Analysis in research from Check Point: https://cpr-zero.checkpoint.com/vulns/cprid-2152

Saltstack

It's time to close the SaltStack topic, because everything has already been covered:

Metasploit module: https://vulners.com/metasploit/MSF:EXPLOIT/LINUX/MISC/SALTSTACK_SALT_UNAUTH_RCE

vBulletin SQL Injection CVE-2020-12720

vBulletin is a commercial forum engine and WCMS developed by Internet Brands Inc. This software is written in PHP and uses a MySQL server to maintain its database.

The National Vulnerability Database (NVD) is also analyzing the flaw and revealed that the critical flaw originates from an incorrect access control issue affecting vBulletin before 5.5.6, 5.6.0 before 5.6.0, and 5.6.1 before 5.6.1.

Automation for exploit: https://vulners.com/packetstorm/PACKETSTORM:157716

Easy for CVE-2019-15083

PoC for cross-site scripting in ManageEngine ServiceDesk 10.0 (software for IT support services). It might be interesting for red team operations to gather additional info or for lateral movement:

https://vulners.com/exploitdb/EDB-ID:48473


Win Brute Logon

Our strength is in undocumented opportunities

Useful information about password brute force in Windows.

Open the Account Lockout Policy and set the Account lockout threshold to the desired value (1 to 999). The value represents the number of attempts allowed before the account gets locked.

The lockout policy won't work on the Administrator account. At the moment, the best protection for the Administrator account (if enabled) is to set a very complex password.

https://github.com/DarkCoderSc/win-brute-logon

BloodHound reports for blue teams

The tool was released on May 14th, 2020 during a Black Hills Information Security webcast, A Blue Teams Perspective on Red Team Tools.

https://github.com/DefensiveOrigins/PlumHound

SayCheese

Take webcam shots from target just sending a malicious link

https://vulners.com/kitploit/KITPLOIT:5133140664411328886

Evilreg

Reverse shell using Windows Registry files (.reg)

https://vulners.com/kitploit/KITPLOIT:8518534902880733012


Ransomware Hit ATM Giant Diebold Nixdorf

Diebold Nixdorf, a major provider of automatic teller machines (ATMs) and payment technology to banks and retailers, recently suffered a ProLock ransomware attack that disrupted its operations.

The ransomware is delivered to the compromised system using the Qbot trojan. ProLock was first recorded in March 2020. What's interesting about ProLock is that, according to the FBI, the ransomware is written with mistakes, so it can corrupt encrypted files larger than 64MB when decrypting them.

https://vulners.com/krebs/KREBS:844FF2B9143930EF190E45B7C1C84F58

Pay $42m or Trump’s ‘dirty laundry’ goes online

On May 12, hackers attacked the resources of the New York law firm Grubman Shire Meiselas & Sacks and stole 756 Gb of confidential documents belonging to its clients. Founder Allen Grubman is the most famous entertainment lawyer, working with, among others, Madonna, Lady Gaga, Elton John, Robert De Niro and U2.

The hackers then demanded a ransom of $21 million. The FBI took over the investigation. At the same time, the feds declared this hack an act of international terrorism (?!), saying they do not negotiate with terrorists and will not pay the ransom. The group behind the Sodinokibi ransomware was named responsible for the hack.

However, on Thursday the situation changed. The hackers said they had scanned the stolen data and found US President Trump's "dirty laundry" in it, so the ransom doubled, up to $42 million.

https://vulners.com/hackread/HACKREAD:EB8C10DB0B0A37DC44A7D11B10F66A47

‘ThunderSpy’ Attack

Research from the Dutch engineer Björn Ruytenberg, who revealed new attack vectors against the Intel Thunderbolt 3 protocol.

Thunderspy, as the researcher calls his new attack vectors, allows an attacker to steal data from encrypted disks or read and write all system memory, even if the computer is locked or in sleep mode.

There is no protection for vulnerable devices other than physically disabling Thunderbolt. Even disabling Thunderbolt in software was bypassed by Ruytenberg. Windows and Linux PCs are vulnerable, and macOS partially.

Such vulnerabilities have little application in commercial hacking because they require physical access to the target device, even if only brief. For law enforcement agencies, though, arranging such access is routine. That is, knowledgeable agencies have been able to gain access to computer contents without compromise since at least 2011, when Thunderbolt appeared.

https://vulners.com/threatpost/THREATPOST:103AFBDE6D261555120729CAF7A921A4

Vulners weekly digest #7

+1 integration for Vulners
Old and fresh vulnerabilities
Tools
Various news


This week Vulners integrated data about Apple vulnerabilities!

Already available at Vulners DB: https://vulners.com/search?query=type:apple


Vulnerabilities

Updates on vulnerabilities from our latest digest, and something new!

Gitlab exploit

Automation to exploit one of the latest vulnerabilities in GitLab. Of course, it's possible to exploit it without it, but it's always nice when automation for such exploitation appears.

https://vulners.com/exploitdb/EDB-ID:48431

Latest news about Saltstack

Continuation of the story that F-Secure started. The first affected mobile operating system was LineageOS. Then came the large blogging platform Ghost, with more than 750 thousand users. Then DigiCert, Xen Orchestra and a number of smaller companies followed.

The exploit, which uses the vulnerabilities identified by F-Secure in Salt, was published on GitHub by several users at once, and the Metasploit module is also on the way.

Full detailed timeline and other info about saltstack vulnerabilities: https://saltexploit.com

https://vulners.com/threatpost/THREATPOST:A1F6C89E2D2F2205B93C6727C24B908C

Trixbox CVE-2020-7351

Trixbox is an open-source system for deploying VoIP (Asterisk inside). The vulnerability affects Trixbox versions 1.2.0 to 2.8.0.4 inclusive, in the "network" POST parameter of the "/maint/modules/endpointcfg/endpoint_devicemap.php" page. Successful exploitation allows arbitrary command execution on the host operating system as the "asterisk" user.

Exploit: https://vulners.com/packetstorm/PACKETSTORM:157565

SharePoint CVE-2020-0932 RCE

In its latest Patch Tuesday release, Microsoft announced fixes for six vulnerabilities in SharePoint. The vendor gives no indication why some of these vulnerabilities are rated Important while others are rated Critical.

The most detailed write-up with great PoC: https://www.thezdi.com/blog/2020/4/28/cve-2020-0932-remote-code-execution-on-microsoft-sharepoint-using-typeconverters

SharePoint is used by many companies, and accordingly by attackers in their work, so you should not postpone updating your SharePoint servers.


Tools


Socks Over RDP: https://github.com/nccgroup/SocksOverRDP

"As penetration testers we frequently find ourselves in a situation where the only access that we are provided to a server or network is a Remote Desktop account. These servers are commonly called Jump boxes. It means that we need to perform our testing via this server. This usually introduces a few extra steps that take time from us and our clients to set up and configure."

Brute Shark: https://github.com/odedshimon/BruteShark
Network forensic analysis tool with a useful GUI and interesting functions. It includes password extraction, building a network map, reconstructing TCP sessions, extracting hashes of encrypted passwords and even converting them to Hashcat format in order to perform an offline brute-force attack.

Two BruteShark versions are available, A GUI based application (Windows) and a Command Line Interface tool (Windows and Linux).

Shellerator
This project is inspired by Print-My-Shell, which we mentioned in our previous weekly digest.

GDBFrontend
GDBFrontend is an easy, flexible and extensible GUI debugger.

Article: https://oguzhaneroglu.com/projects/gdb-frontend/


News

Conferences 😦
Microsoft 🙂
APT 😐

Major Cybersecurity Conferences

The Black Hat USA and DEF CON 28 cybersecurity conferences will not be held in person this year due to the coronavirus pandemic. Instead, both conferences will be transformed into fully virtual events: Black Hat USA on Aug. 1 to 6, 2020, and DEF CON 28 on Aug. 7 to 9, 2020.

DEF CON's remote events will include a new online Mystery Challenge, a "DEF CON is Canceled" music album, remote CTFs (including Hack-a-Sat), Villages like the Packet Hacking Village, contests like the TeleChallenge and Ham Exams, and a remote movie night and drink-up.

Black Hat USA will be adapted into a virtual format available to the entire global infosec community. More details on the virtual conferences:

https://vulners.com/threatpost/THREATPOST:4F7DA5B616227FD485369DAAEBE84656

Microsoft damn…

The hacker group Shiny Hunters told the editorial board that they hacked Microsoft's GitHub account and gained full access to the software company's private repositories.

Shiny Hunters downloaded 500Gb of private projects, which they initially wanted to sell but have now decided to release for free download. The hack itself appears to have occurred on March 28.

As a teaser, the hackers posted 1Gb of stolen data on a closed forum, but not all forum users considered the posted information genuine. Microsoft employees also say the leak is fake, but the company has not commented officially.

https://vulners.com/threatpost/THREATPOST:810608E8FBF789E16FA78CF73EDD7EB2

APT Naikon

Check Point has released a report on the recent disclosure of a long-running, large-scale cyber operation using the new Aria-body backdoor and directed at public authorities in the Asia-Pacific region, including Australia, Indonesia, the Philippines, Vietnam, Thailand, Myanmar and Brunei. The campaign has been running since at least 2018, and most likely since 2017.

Based on the analysis of Aria-body's functionality, Check Point concludes that the main purpose of the operation is intelligence gathering. This includes not only hunting for documents the hackers are interested in, but also extracting data from removable media, taking screenshots, and keylogging.

Analysis of the Aria-body code revealed sufficient similarity with the XsFunction backdoor, which, together with a partial overlap of command-and-control infrastructure, allowed researchers to attribute the new operation to the Chinese APT Naikon, aka APT30 and Override Panda. There had been no news about APT Naikon since 2015. The group previously worked actively against countries bordering the South China Sea.

Overview of the research: https://vulners.com/threatpost/THREATPOST:96934F347B55F85990962035EF6F658D

Technical details with IOCs: https://vulners.com/securelist/SECURELIST:C96E2BC7AC745F58E5C3916C0AD13B0B

Vulners weekly digest #6

This review focuses on how vulnerabilities are exploited in attacks on various sectors. We also give examples of why security updates should not be ignored.


The most interesting vulnerabilities

If you use any tools / systems that are mentioned in this section, it is recommended to install security updates.

Gitlab multiple vulnerabilities

Many companies use enterprise tools like Jira, GitLab, Bitbucket, etc., so these tools are often a sweet target for attackers. This week a security patch was released fixing 13 vulnerabilities in GitLab:

  • Path Traversal in NuGet Package Registry, CVE-2020-12448. It allows a malicious NuGet package to read any *.nupkg file on the system.
  • OAuth Application Client Secrets Revealed, CVE-2020-10187. It allows any user to retrieve OAuth application client secrets after authorizing.
  • Update Nokogiri dependency. Security fix for CVE-2020-7595.
  • Update git. Security fix for CVE-2020-11008.

The official description of the remaining vulnerabilities: https://about.gitlab.com/releases/2020/04/30/security-release-12-10-2-released/
These issues have been fixed in the latest release, and for many of them the CVEs are still pending.
For one of the critical vulnerabilities, software developer William Bowling (@vakkz) received 1k$ (Path Traversal) + 19k$ (RCE) = 20k$, with detailed info in his report.
Great work!

Docker

A new Metasploit module based on CVE-2019-15752: local privilege escalation via Docker-Credential-Wincred.exe. The exploit leverages a vulnerability in Docker Desktop Community editions prior to 2.1.0.1: a payload written from a lower-privileged session is executed automatically by the Docker user at login.

Salt Bugs story

Timeline:

  • In mid-March this year, F-Secure identified two vulnerabilities, CVE-2020-11651 (authentication bypass) and CVE-2020-11652 (directory traversal), in the open-source Salt management framework. The vulnerabilities allow full remote code execution as root on servers in data centers and cloud environments.
  • On April 29, SaltStack released Salt version 3000.2, in which the vulnerabilities were fixed.
  • On April 30, F-Secure published a write-up on the vulnerabilities with the following note: "We expect that any competent hacker will be able to create 100 percent reliable exploits for these issues in under 24 hours." Sounds like a challenge for any security enthusiast, doesn't it? 🙂
  • A day after this publication, attacks began on the servers of the mobile operating system LineageOS. The developers said the attackers used the Salt vulnerabilities.
  • A few days later, a popular blogging platform was also attacked through the Salt vulnerabilities. The platform has 2 million installations, including organizations such as NASA, Mozilla and DuckDuckGo.

F-Secure formally waited after the publication of the security updates, but the time was clearly not enough for vendors to update their systems and products.
P.S. the vulnerability is really easy to exploit 😉

https://vulners.com/threatpost/THREATPOST:5CB5F29FA05D52DEEC4D54AA46EB9235

https://vulners.com/thn/THN:8E401822CBD35E8E7CCE9E5DD922A70E


Tools

Sysmon update v11.0, including features like file delete monitoring, reduced reverse DNS lookup noise and more: https://docs.microsoft.com/en-us/sysinternals

Print-My-Shell
Shell code generator for the tiny ones. A useful tool to quickly generate shell code during CTF or other testing activity.

ROADtools
ROADtools is a framework for interacting with Azure AD. It currently consists of a library (roadlib) and the ROADrecon Azure AD exploration tool. Meet one of the first versions of BloodHound for Azure AD!


News

Ruthless ransomware, APT groups and Teams instead of ZOOM

Ransomware groups continue to target critical services

The Microsoft Detection and Response Team (DART) has published an interesting post about ransomware and tips on how to deal with it. So far, attacks have affected aid organizations, medical billing companies, manufacturing, transportation, and government agencies. Ransomware attacks, however, are not limited to critical services, so all organizations should be vigilant for signs of compromise.

To gain access to target networks, recent extortion campaigns have exploited internet-facing systems with the following weaknesses:

  • Remote Desktop Protocol (RDP) or Virtual Desktop endpoints without multi-factor authentication
  • Old platforms like Windows Server 2003 or Windows Server 200 without current security updates
  • Misconfigured web servers, including IIS, electronic health record (EHR) software, backup servers, or systems management servers
  • Citrix Application Delivery Controller (ADC) with CVE-2019-19781
  • Pulse Secure VPN systems affected by CVE-2019-11510

All the ransomware was deployed in the same way and used mostly the same attack techniques. Ultimately, the specific ransomware payload at the end of each attack chain was almost exclusively a stylistic choice made by the attackers.

List of active ransomware:

  • RobbinHood
  • Vatet loader
  • NetWalker
  • PonyFinal
  • Maze
  • REvil (aka Sodinokibi)
A motley crew of ransomware payloads

Few of these groups have gained fame for selling data, but almost all of them have been seen viewing and exfiltrating data during these attacks, even if it has not yet been advertised or sold. Increasingly, only a very short time elapses between the publication of a vulnerability in a system or tool and the appearance of an exploit or PoC.
Full report with technical details:
https://vulners.com/mssecure/MSSECURE:E3C8B97294453D962741782EC959E79C

Maze Ransomware – this week’s winner

Operators of the Maze ransomware managed to become a little more famous than the others by compromising the network of the state Bank of Costa Rica (Banco BCR), stealing, among other things, the data of 11 million bank cards.

In their press release, the hackers claim they first gained access to the bank's network back in August 2019 but did not encrypt the data, because "the probable damage could have been too much for the bank".

Press release from Maze operators

As proof of the theft, Maze published the numbers of 240 credit cards without the last 4 digits, along with their expiration dates and CVC codes.

Recently the American IT giant Cognizant, a NASDAQ-100 company, confirmed that it was hit by the Maze ransomware. Given the company's 30 billion dollar capitalization, the ransom demanded for the data is likely to be well above one million, and even above tens of millions of dollars.

PerSwaysion attacks

Group-IB has released a report on its investigation of a series of phishing attacks codenamed PerSwaysion.

The PerSwaysion operation lures victims with a non-malicious PDF, after which Microsoft file sharing services, including Sway, are used, hence the campaign's name. The hackers target high-level employees in the financial, legal and real estate industries. Geographical preferences: USA, Canada, Singapore, Germany, UK, Netherlands, Hong Kong.

According to the researchers, several hacker groups using the same infrastructure are behind the series of attacks. Most of the PerSwaysion operations were orchestrated by scammers from Nigeria and South Africa using a Vue.js-based phishing kit, evidently developed by and rented from Vietnamese-speaking hackers.

Group-IB has also set up a web page where anyone can check whether their email address was compromised as part of the PerSwaysion attacks; however, you should only use it and enter your email if you have strong reason to expect you were targeted.

Microsoft Teams

Recently there has been a lot of news about holes in the Zoom video conferencing service. But, as it turns out, its competitors are not far behind.

The researchers found that when delivering images, Microsoft Teams uses two authentication tokens, "authtoken" and "skypetoken"; the second is generated using the first, and with it the Microsoft Teams account can be taken over. The "authtoken" token can be obtained by attacking "teams .microsoft .com" subdomains, and CyberArk found two such vulnerable subdomains: "aadsync-test .teams .microsoft .com" and "data-dev .teams .microsoft .com".

According to CyberArk, they handed all the data to Microsoft, which fixed the vulnerability, including the incorrect configuration of the "teams .microsoft .com" domain.