Checkpoint published tech review about Instagram vulnerability, remember Saltstack? Quiet digest, no ransomware or attack reports.
- Vulnerabilities: Important, non-standard and interesting ones;
- Tools: Mostly cool attacking tools;
- News: Additional news about Instagram and CISA;
- Research: Less than usual, there is something to read.
Feedback -> here
Cisco Systems released fixes for vulnerabilities in the widespread IOS operating system. In total, twenty-nine dangerous vulnerabilities were fixed, the most dangerous of which allowed unauthorized attackers to remotely execute arbitrary code on the target system.
Two of them CVE-2020-3421 and CVE-2020-3480 are related to the Cisco Zone Policy Firewall feature. Their use allows an unauthorized remote attacker to force a device to reboot or stop sending traffic through the firewall.
One of the CVE-2020-3417 issues affects any Cisco hardware that runs Cisco IOS XE Software and allows an authenticated local attacker to execute arbitrary code on the target hardware.
ESET Lucas Stefanko demonstrated the use of a PoC exploit for a new vulnerability that allows to hijack all Firefox for Android browsers located on the same Wi-Fi network. Possible scenarios:
- Through the mechanism of SSDP (Simple Service Discovery Protocol) Firefox finds devices on the same Wi-Fi network to exchange content. If it detects another device, Firefox prompts you for a link to an XML file that stores the configuration for that device. In SSDP, the validation of the received link did not work correctly, which is why instead of the path to the XML file, it is possible to register Android Intent – a mechanism through which the application’s intention to perform an action is transmitted.
- Hijacking of a vulnerable Wi-Fi router, of which there are more and more, in order to then send out a phishing link to an e-mail or other service to connected users.
The hacker could force Firefox to open a malicious link on all Android devices currently connected to the same Wi-Fi network. Firefox versions for Android up to 79 are vulnerable.
Microsoft advised users to urgently install a patch for the Zerologon vulnerability, as cybercriminals are already exploiting it in attacks. Microsoft has unveiled three exploits used by cybercriminals. They are .NET executables named SharpZeroLogon.exe. All three exploits can be found at VirusTotal.
The researchers found that to track the dictionary level (read more about the protocol BitTorrent for uTorrent app ) that uTorrent parses, it uses a 32-bit field. And if the dictionary transferred in the extended package contains more than 32 nested levels of sub-dictionaries, then uTorrent crashes.
Two possible attack vectors:
- One of the hosts is sending wrong packets to other hosts;
- The uTorrent application opens a specially generated .torrent file.
By now the vulnerability has been fixed. Versions 3.5.5 and earlier are vulnerable.
Offensive Terraform – Automated multi step offensive attack modules with Infrastructure as Code(IAC)
Velociraptor is a tool for collecting host based state information using Velocidex Query Language (VQL) queries.
.Net port of the remote SAM + LSA Secrets dumping functionality of impacket’s secretsdump.py. By default runs in the context of the current user. Please only use in environments you own or have permission to test against 🙂
A distributed evolutionary binary fuzzer for pentesters.
The assumed source code of the Windows XP operating system leaked into the Network. In one of the topics of the anonymous 4chan forum were published links to the archives of Windows XP source code and source codes of other Microsoft products. The archive also includes dumps of the source code of Windows NT 3.5 operating system and the source code of the original Microsoft Xbox console, which appeared on the Web in May this year.
Vulnerability in the Instagram application for Android and iOS, which could lead to the remote execution of the code (RCE) and hacker capture of the smartphone, including its camera and microphone.
Instagram versions up to 220.127.116.11.128 are vulnerable, the corresponding update was released by Facebook back in February. More than half a year later, Check Point revealed its details. To exploit CVE-2020-1895, an attacker only needs to send a specially generated image to the victim in any way – by email or messenger. After that, when Instagram is opened, the vulnerability is exploited.
Unidentified cybercriminals gained access to the networks of one of the US federal agencies and stole data. CISA did not specify which agency was the victim of the hackers when the attack took place and who was behind it.
The attackers initially compromised the Office 365 user accounts and the domain administrator account through the vulnerable Pulse VPN server. In the future, they explored the network, entrenched themselves in it, threw a tunnel to communicate with the control center and began to collect information of interest to them.
In the process of hacking, the hackers used the proprietary Inetinfo malware, which they managed to hide from anti-virus protection.
UAC bypass ransomware analysis using CMSTPLUA COM – T1218: https://www.securityinbits.com/malware-analysis/uac-bypass-analysis-stage-1-ataware-ransomware-part-2
Introducing “YAYA”, a New Threat Hunting Tool From EFF Threat Lab – for managing multiple Yara rule sets: https://www.eff.org/deeplinks/2020/09/introducing-yaya-new-threat-hunting-tool-eff-threat-lab
Sandbox evasion: https://search.unprotect.it/map/sandbox-evasion/temperature-sensor
Feedback -> here