Second Tuesday patch, another victim of the ransomware and a friendly reaction of CERT teams to counter Emotet

ICS attacks, little known to the general public, are perhaps the most devastating in terms of potential negative consequences. New Bluetooth vulnerability and cool malware news.

  • Vulnerabilities: Not an interesting microsoft patch (yet), ICS and bluetooth;
  • Tools: Traditionally;
  • News: Malware activity and CERT alert;
  • Research: Mainly for Windows enthusiasts.

Feedback -> here


Vulnerabilities

Microsoft released another September security update, which fixed 129 vulnerabilities in 15 of its products, including Windows, Edge, Internet Explorer, Microsoft Office, Share Point and a number of others.

Out of 129 vulnerabilities, 32 allow an attacker to perform remote code execution (RCE), 20 of them are critical.

https://vulners.com/qualysblog/QUALYSBLOG:22507355C87630C1D3B720E2ED98701A

This three-part series highlights the technical challenges involved in finding and exploiting JavaScript engine vulnerabilities in modern web browsers and evaluates current exploit mitigation technologies. The exploited vulnerability, CVE-2020-9802, was fixed in iOS 13.5, while two of the mitigation bypasses, CVE-2020-9870 and CVE-2020-9910, were fixed in iOS 13.6.

https://vulners.com/apple/APPLE:HT211293

Clarity’s infosec researchers on Tuesday released a report that they found 6 critical vulnerabilities in Wibu-Systems’ CodeMeter component, which is used by ICS software vendors to manage licenses.

The vulnerabilities identified allow remote code execution, denial of service, information retrieval from the attacked device, etc. In fact, the attacked ICS host can be completely taken under external control. Major ICS vendors such as Siemens and Rockwell have already recognized the presence of security threats associated with the identified vulnerabilities in CodeMeter in their software.

https://vulners.com/threatpost/THREATPOST:2599160F787BE161604E8BC2847A6643

https://vulners.com/ics/ICSA-20-203-01

Bluetooth SIG and the CERT Coordination Center at Carnegie Mellon University issued warnings regarding a new BLURtooth vulnerability. The problem lies in the Cross-Transport Key Derivation (CTDK) component, which is used to negotiate authentication keys when pairing devices via BR / EDR or BLE, and allows an attacker to intercept such keys. As a result, a hacker can replace the authentication key or reduce its reliability.

All devices using Bluetooth versions 4.0 to 5.0 are affected.

https://vulners.com/cert/VU:589825


Tools

Spyre
It is a simple host-based IOC scanner built around the YARA pattern matching engine and other scan modules. The main goal of this project is easy operationalization of YARA rules and other indicators of compromise.

https://vulners.com/kitploit/KITPLOIT:7102551693702401840

HashCat added support to crack password-protected RAR 3 archives without header encryption (both compressed and uncompressed).

https://github.com/hashcat/hashcat/pull/2542

Avcleaner
C/C++ source obfuscator for antivirus bypass.

https://vulners.com/kitploit/KITPLOIT:4032586613269108389

Resource monitor that shows usage and stats for processor, memory, disks, network and processes.

https://vulners.com/kitploit/KITPLOIT:8575227727249244515


News

ESET experts have discovered the CDRThief malware targeting softswitches of a specific Linux-based VoIP platform. This platform is very specific and is used by two switches: Linknat VOS2009 and VOS3000.

The researchers could not find out who exactly is the developer of the malware called CDRThief, and for what purpose it was created. The peculiarity of CDRThief is that the malware attacks only software VoIP switches running on the Linux platform, in particular Linknat VOS2009 and VOS3000.

https://vulners.com/threatpost/THREATPOST:CC36778C57D70FDBF33E0312D1D94980

NetWalker, whose attack only recently caused the Argentine border to close for 4 hours, successfully attacked the Pakistani power grid company K-Electric, the only power supplier in the Pakistani city of Karachi, on September 7.

Billing and online services were also affected by the break-in. It’s a good thing the hackers didn’t get to the electricity transit control system.

https://vulners.com/hackread/HACKREAD:5471D8BD1438F13E2FB94F1A65FC5F43

The CERT teams in France, Japan and New Zealand have issued security warnings reporting a massive surge of spam campaigns organized by Emotet botnet operators targeting enterprises and government agencies in the above countries.

Although the number of attacks in France was much lower, Emotet managed to infect the computers of the Parisian judicial system, got into the headlines of the media and caused a lot of turmoil, which resulted in the warning issued by the authorities. In addition, the French Ministry of the Interior now blocks the delivery of any Office (.doc) documents by email.

https://vulners.com/thn/THN:7B3307917C6DDA9C6762FF94701C354F


Research

Top!
What Happens When you Type Your Password into Windows?
This post is REALLY well written and goes into a lot of depth about Windows Internals (LSA especially, as you’d expect) without being too jargony / acronym heavy.

https://syfuhs.net/what-happens-when-you-type-your-password-into-windows

Disabling Windows Event Logs by Suspending EventLog Service Threads: https://www.ired.team/offensive-security/defense-evasion/disabling-windows-event-logs-by-suspending-eventlog-service-threads

Bypass AMSI by manual modification part II – Invoke-Mimikatz: https://s3cur3th1ssh1t.github.io/Bypass-AMSI-by-manual-modification-part-II

Hype news, all of us saw this topic on the week. “How I Hacked Facebook Again! Unauthenticated RCE on MobileIron MDM”: https://blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html

WSUS Attacks Part 2: CVE-2020-1013 a Windows 10 Local Privilege Escalation 1-Day:
https://www.gosecure.net/blog/2020/09/08/wsus-attacks-part-2-cve-2020-1013-a-windows-10-local-privilege-escalation-1-day


Feedback -> here

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s