Two zero-day vulnerabilities per week, update for popular tools and stories about ransomware

Two zero-day vulnerabilities per week from Microsoft, updates for popular tools, stories about ransomware, and how the blue team, like the red team, fights evil.

  • Vulnerabilities: Microsoft patched zero-days that were detected in the wild!
  • Tools: Updates for some of the most famous red team tools
  • News: Have you ever heard about a vulnerability in malware?
  • Research: The Elastic team released some cool stuff, and more about Exchange.

Feedback -> here


Vulnerabilities

CVE-2020-4414

IBM Db2 is a family of hybrid data management systems that use artificial intelligence to manage data. The vulnerability is that the developers did not implement protections for the shared memory used by the Db2 trace function. As a result, a local user can gain read/write access to that memory area, which allows access to sensitive information and can cause a denial of service against the database.

https://vulners.com/thn/THN:F5CD64D55339AA9FFEDB4D16CDCEFE21

CVE-2019-17638

The vulnerability is present in Jetty versions 9.4.27.v20200227 through 9.4.29.v20200521. An unauthorized attacker could exploit this vulnerability to obtain HTTP response headers, which could contain sensitive data intended for another user.

On Monday, August 17th, the Jenkins team (Jenkins bundles Jetty as its servlet container) released patched versions: Jenkins 2.243 and Jenkins LTS 2.235.5. All users are advised to update.

https://vulners.com/thn/THN:6F9D6D4546C3D4DA1164354C8E552FDC

CVE-2020-1537 + CVE-2020-1530

Microsoft released an unscheduled update, KB4578013. The problems are related to incorrect handling of Windows Remote Access (WRA) objects in memory and of file operations. The vulnerabilities affect Windows 8.1, Windows RT 8.1 and Windows Server 2012 R2. Through them, an attacker can elevate privileges on the system by running a malicious application.

Users of Windows 8.1 or Server 2012 R2 are advised to install the update as soon as possible; patches for CVE-2020-1530 and CVE-2020-1537 for other versions of Windows were already included in the Service Pack released on August 11.

https://vulners.com/thn/THN:DDFB5F7632DC4E36CFB1BEDEA1EE111F

CVE-2020-15926

Rocket.Chat is an open-source messaging platform similar to Slack. The described vulnerability affects versions up to and including 3.4.2.

An attacker can send a specially crafted message containing JavaScript to another user, and this code executes in the victim’s browser. From this XSS, the vulnerability escalates to remote execution of arbitrary code (RCE).

https://blog.redteam.pl/2020/08/rocket-chat-xss-rce-cve-2020-15926.html


Tools

ADBSploit
A Python-based tool for exploiting and managing Android devices via ADB.

https://vulners.com/kitploit/KITPLOIT:2298664168438040320

Empire (update)
Empire 3.3.4 is out and includes some minor bug fixes to the http_foreign listener and preobfuscate functionality.

https://github.com/BC-SECURITY/Empire

Responder (update)
Responder 3.0.1.0 is out, with several fixes and enhancements.

https://github.com/lgandx/Responder/releases/tag/v3.0.1.0

PurpleSharp
An open-source adversary simulation tool written in C# that executes adversary techniques within Windows Active Directory environments.

https://vulners.com/kitploit/KITPLOIT:4614243265904187440


News

The North Carolina prosecutor’s office indicted Joe Sullivan, Uber’s CSO from 2015 to 2017. He is charged with concealing a break-in at the company in 2016.

Two hackers, American Brandon Glover and Canadian Vasile Mereacre, who were convicted last year, are guilty of breaking into the company. In the fall of 2016, they compromised several Uber employees’ accounts on GitHub, which gave them credentials for the company’s internal AWS (Amazon Web Services) infrastructure.

Now Sullivan is accused of indirectly assisting the hackers: after breaking into Uber, they committed other break-ins, which could have been prevented if the company’s CSO had reported the incident to the police or the FBI. He faces up to 8 years in prison.

https://vulners.com/threatpost/THREATPOST:4FC214B524AEB9A44E980A697FB3D4A5

Representatives of the University of Utah reported that the institution was recently forced to pay $457,059 to hackers to prevent data about students from being leaked.

The official statement says that in July 2020 the university managed to avoid a serious encryption attack: the unnamed hackers were able to encrypt only 0.02% of the data stored on the university servers. Blackmail over the stolen data nevertheless forced the University of Utah to make concessions and pay the extortionists. Fortunately, part of the requested amount was covered by a cyber insurance policy, and the University paid only the rest.

https://vulners.com/threatpost/THREATPOST:4531FF5D27766F29CB02272B1CD4F3BD

James Quinn of Binary Defense discovered a vulnerability in Emotet’s code. It turned out that, for its update mechanism, Emotet creates a special Windows registry key and stores an XOR key in it, which is used not only for stability but also at the very beginning of infection. Quinn wrote a PowerShell script called EmoCrash that used this registry key to make Emotet crash.

As a result, when an uninfected computer prepared by EmoCrash was attacked, this registry key provoked a buffer overflow in the malware code, which caused Emotet to crash and prevented the infection altogether.

The researchers teamed up with Team Cymru, a company that has decades of experience in botnet takedowns and has long tracked Emotet. Thus, over the past six months, the EmoCrash script has spread widely among companies around the world.

https://vulners.com/threatpost/THREATPOST:EBED33A42D1EE36F90036E79499F4C0B


Research

Introduction to Windows tokens for security practitioners: https://www.elastic.co/blog/introduction-to-windows-tokens-for-security-practitioners

MDATP adds EDR ‘block mode’: stopping attacks by terminating running processes linked to malicious behaviour:
https://techcommunity.microsoft.com/t5/microsoft-defender-atp/introducing-edr-in-block-mode-stopping-attacks-in-their-tracks/ba-p/1596617

Relaying to RPC added to impacket: the PR implements the relaying-to-RPC attack, which currently allows RCE on any MS Exchange server via the Exchange Trusted Subsystem group (Exchange servers have Administrator rights on each other through this or a similar group): https://github.com/SecureAuthCorp/impacket/pull/857

Attacking MS Exchange Web Interfaces: https://swarm.ptsecurity.com/attacking-ms-exchange-web-interfaces

