Vulners weekly digest #9

Four NO traditional sections in our weekly digest. Enjoy!


Vulnerabilities and additional info

LPE Windows CVE-2019-0880

Detailed research CVE-2019-0880 without exploit. Zero day?

https://byteraptors.github.io/windows/exploitation/2020/05/24/sandboxescape.html

According to my tests, this bug seems to be still working against a full-patched Windows 7 system and for this reason I chose not to publish the exploit code.

Research story about exploring macOS Calendar Alerts

Cool and not boring research. It reads like an interesting story from life and consists of 2 parts. The second part describes the CVE-2020-3882 to data exfiltration:

  1. https://research.nccgroup.com/2020/05/05/exploring-macos-calendar-alerts-part-1-attempting-to-execute-code
  2. https://research.nccgroup.com/2020/05/28/exploring-macos-calendar-alerts-part-2-exfiltrating-data-cve-2020-3882/

myLittleAdmin < 3.8 v

undefined

myLittleAdmin is a web-based solution to manage SQL Server databases. CVE-2020-13166 allow execute remote arbitary code. Vulnerability in ViewState .NET deserialization in web-based MS SQL Server management tool myLittleAdmin, due to hardcoded parameters (machineKey) in the web.config file for ASP.NET.

Exploit: https://vulners.com/exploitdb/EDB-ID:48513

CVE-2020-13398 FreeRDP

The vulnerability of a record outside the field is contained in the crypto_rsa_common function in libfreerdp/crypto.c. A remote attacker can send specially generated data to an application, exploit the vulnerability and execute arbitrary code on the target system.


Tools

ADCollector
ADCollector is a lightweight and an actively developing tool that enumerates the Active Directory environment to identify possible attack vectors. It will give you a basic understanding of the configuration/deployment of the environment as a starting point.

ANDRAX
ANDRAX is a Penetration Testing platform developed specifically for Android smartphones, ANDRAX has the ability to run natively on Android so it behaves like a common Linux distribution.

ezEmu
ezEmu enables users to test adversary behaviors via various execution techniques. Sort of like an “offensive framework for blue teamers”, ezEmu does not have any networking/C2 capabilities and rather focuses on creating local test telemetry.


News

GitHub detected malware that infects projects in the NetBeans integrated development environment and uses the build process for its distribution. The investigation revealed that the malware in question, which was named Octopus Scanner, had hidden backdoors in 26 open source projects that had repositories on GitHub. The first traces of Octopus Scanner development date back to August 2018.

https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain

SaltStack

F-Secure made the month of May more interesting for many SaltStack users by publishing details of a vulnerability on April 30th, a patch for which was released only the day before. Hackers did not hesitate to take advantage of it, wrote an exploit in a day and started attacking unpatched servers. We described all saltstack events in previous digests

After almost a month, data about the victims continues to surface. Cisco admitted that six of its back-end servers running SaltStack had been hacked. The affected servers were only updated on May 7. It is not clear whether it was a planned update or an urgent update after the hack was detected. In any case, it gives an idea of the time frame for updating vulnerable software after the release of the corresponding patch, which is common even in software giants like Cisco, which have their own large infoshops.

https://vulners.com/threatpost/THREATPOST:64DC6B60F693E46DD314DB70A547D319

26 million LiveJournal credentials leaked

undefined

In 2014, LiveJournal was compromised, resulting in the theft of a database containing 26 million users. Rumors about the incident with information leakage appeared back in 2018, and this year the DreamWidth blogging platform, created on the basis of the old LiveJournal code base, reported massive attempts to use the old LJ login-password.

HIBP data leakage indexing service reported that it received a copy of the LiveJournal database containing data from 26 million users, including logins, passwords and email addresses.

https://vulners.com/threatpost/THREATPOST:01C56213F6966EE9B018CB1402D75C92


Threat hunting and malware research

Information security news will always include news about different APT groups, malware and attacks. Some blue/purple teams keep track of such news. That’s why we will sometimes try to publish info about it in a separate section – threat hunting and malware research.

undefined

Security researchers from Cybereason Nocturnus have discovered Valak. It was first observed in late 2019. Malware has an evolution of over 30 different versions in less than six months. Valak target Microsoft Exchange servers to steal enterprise mailing information and passwords along with the enterprise certificate. This has the potential to access critical enterprise accounts, causing damage to organizations, brand degradation, and ultimately a loss of consumer trust.

The malware has a complex structure consisting of several modules. A detailed review shows each deployment stage and how these actions map to the MITRE matrix:

https://vulners.com/threatpost/THREATPOST:DA759E08269924C7FE994291DBAF45AB

Every few months there are new researches of the TrickBot’s functionality. It can be especially useful for malware researchers and threat hunters.

https://unit42.paloaltonetworks.com/goodbye-mworm-hello-nworm-trickbot-updates-propagation-module

GetEnvironmentVariable as an alternative to WriteProcessMemory in process injections: https://x-c3ll.github.io/posts/GetEnvironmentVariable-Process-Injection

undefined

Maze ransomware that not only encrypts a victims files, but also threatens to publish them. We wrote about this ransomware virus in our digests, which was seen in many attacks on various organizations.

IOCs and research: https://blog.talosintelligence.com/2020/05/astaroth-analysis.html


Please leave your feedback. It takes less than one minute and helps us get better: https://forms.gle/D17BaFwD5hJnKkUUA

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s