ICS vulnerabilities, new features from GitHub and ransomware

ICSs are becoming targets of ransomware attacks more and more often. The industrial field matters a great deal, and this week a set of critical ICS vulnerabilities came out as well. GitHub also released functionality to scan repositories, and there is a lot of research material on exposing threats.

  • Vulnerabilities: ICS 🙂 and vulnerabilities in the wild;
  • Tools: Git, smbAutoRelay, etc;
  • News: New features from GitHub, ransomware for hospitals and Joker malware;
  • Research: Mostly, threat detection.

Feedback -> here


Vulnerabilities

The Israeli company OTORIO found several serious vulnerabilities in two popular industrial remote access solutions – SiteManager (GateManager) from B&R Automation and mbCONNECT24 from MB Connect Line. Both products are used in many sectors of the national economy.

Six vulnerabilities were identified in the B&R Automation solution, which provides remote access to industrial equipment. Exploiting them as an authenticated user would let an attacker access other users' confidential information and cause a denial of service, which can halt the production process.

Three vulnerabilities, CVE-2020-24568, CVE-2020-24569 and CVE-2020-24570, were found in mbCONNECT24, which is also used for remote connection to production facilities. They allow an attacker to perform SQL injection and CSRF attacks.

https://vulners.com/ics/ICSA-20-273-01

https://vulners.com/thn/THN:0224357D2CE6C18740D92B40D49E1659

CVE-2020-0968

ClearSky researchers found a unique malicious RTF file uploaded to VirusTotal from Belarus. The file name and its content are in Russian and consist of various forms to fill out about persons accused of various crimes. The RTF file executes arbitrary code fetched from a C&C server.

The RTF file downloads an exploit for the Internet Explorer vulnerability CVE-2020-0968. The exploit downloads the payload, but the file is encrypted and must be decrypted before it can execute. According to experts, attackers have begun actively exploiting this vulnerability in attacks.

Large numbers of Microsoft Exchange servers remain vulnerable to CVE-2020-0688

According to experts from the information security company Rapid7, 61.10% (247 986 out of 405 873) of the vulnerable Exchange servers (versions 2010, 2013, 2016 and 2019) currently remain unpatched and are at risk of cyberattacks.

https://vulners.com/rapid7blog/RAPID7BLOG:EAEC3BF3C403DB1C2765FD14F0E03A85

The issue lies in the Exchange Control Panel (ECP) component, which is enabled in default configurations, and lets a potential attacker remotely take control of a vulnerable Exchange server using any valid email credentials.

We already wrote about this critical vulnerability in Vulners weekly digest #4, at the time our blog got burned. We are writing about it again because the situation has not changed and new data on the problem has appeared.

https://vulners.com/threatpost/THREATPOST:EE9C0062A3E6400BAF159BCA26EABB34

CVE-2019-8442 (Jira Webroot Directory Traversal)


Tools

smbAutoRelay
It provides the automation of SMB/NTLM Relay technique for pentesting and red teaming exercises in active directory environments.

https://vulners.com/kitploit/KITPLOIT:375979123629397713

mapCIDR
Small utility program to perform multiple operations for a given subnet/CIDR ranges.

https://vulners.com/kitploit/KITPLOIT:1095684713725967311

PhishingKitTracker
An extensible and freshly updated collection of phishingkits for forensics and future analysis topped with simple stats.

https://github.com/marcoramilli/PhishingKitTracker

gitjacker
gitjacker downloads git repositories and extracts their contents from sites where the .git directory has been mistakenly uploaded. It will still manage to recover a significant portion of a repository even where directory listings are disabled.

https://github.com/liamg/gitjacker
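The defender's counterpart to the tool above is to catch version-control metadata before it is ever served. The following is an added example (not part of the digest or of the gitjacker project): a pre-deploy check that walks a web root for `.git` and similar entries, plus a small classifier for the body of a `GET /.git/HEAD` response against your own site, so a monitoring job can tell a real leak from a 404 page. The names `find_exposed_vcs_dirs`, `git_head_looks_exposed`, `SENSITIVE_NAMES` and the sample web root are all constructed for the illustration.

```python
"""Pre-deploy check for VCS metadata accidentally shipped inside a web root.

Added example; not code from the original digest or from the gitjacker project.
"""
import os
import tempfile
from typing import List

# Entries that leak source or secrets if served over HTTP. The set is an
# assumption chosen for illustration; extend it for your own deployments.
SENSITIVE_NAMES = {".git", ".svn", ".hg", ".env", ".DS_Store"}


def find_exposed_vcs_dirs(web_root: str) -> List[str]:
    """Walk web_root and return paths (relative to web_root) of every entry
    whose name is in SENSITIVE_NAMES. A matched directory is not descended
    into: one hit is enough to fail the deploy."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(web_root):
        for name in list(dirnames):
            if name in SENSITIVE_NAMES:
                hits.append(os.path.relpath(os.path.join(dirpath, name), web_root))
                dirnames.remove(name)  # prune: do not walk inside .git
        for name in filenames:
            if name in SENSITIVE_NAMES:
                hits.append(os.path.relpath(os.path.join(dirpath, name), web_root))
    return sorted(hits)


def git_head_looks_exposed(body: str) -> bool:
    """Classify the body of a GET /.git/HEAD response from your own site.
    A real repository HEAD is 'ref: refs/heads/<branch>' or, when detached,
    a 40-hex-digit object id. Anything else (HTML error page, empty body)
    is not a leak, so a monitor should not alert on it."""
    body = body.strip()
    if body.startswith("ref: refs/"):
        return True
    return len(body) == 40 and all(c in "0123456789abcdef" for c in body)


def build_demo_web_root() -> str:
    """Constructed sample deployment: a site whose .git directory and a
    stray .env file were copied along with the static content."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "assets"))
    os.makedirs(os.path.join(root, ".git", "objects"))
    with open(os.path.join(root, ".git", "HEAD"), "w") as f:
        f.write("ref: refs/heads/main\n")
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("<h1>hello</h1>")
    with open(os.path.join(root, "assets", ".env"), "w") as f:
        f.write("DB_PASSWORD=example-only\n")
    return root


if __name__ == "__main__":
    root = build_demo_web_root()
    for hit in find_exposed_vcs_dirs(root):
        print("would be served over HTTP:", hit)
```

Running the check in CI and failing the build on any hit is cheaper than relying on the web server to hide the directory, but both belong in place: in nginx a `location ~ /\.git { deny all; }` block (and an equivalent `<DirectoryMatch>` deny in Apache) makes the predictable object paths that gitjacker walks return 403 even when directory listings are already off.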


News

Code scanning is now available!

GitHub announced the availability of code scanning to all users; previously it was offered only to members of the limited beta program for new experimental features. The service scans every git push for potential vulnerabilities.

The result is attached directly to the pull request. The check is performed by the CodeQL engine, which matches code against queries describing typical examples of vulnerable code (CodeQL lets you write a query for a vulnerable pattern and use it to detect similar vulnerabilities in the code of other projects).

https://github.blog/2020-09-30-code-scanning-is-now-available

Universal Health Services (UHS), which owns more than 400 healthcare facilities in the US, UK and Puerto Rico, has been the victim of a ransomware attack. According to media reports, the Ryuk ransomware operators are behind the incident. In total, the company manages more than 400 hospitals in the US and UK.

The attack took place on the night of Saturday to Sunday, September 26-27, at about 2:00 am. Employees write that at that time computers began to reboot, after which a ransom note appeared on the screens of the infected machines. As a result, IT staff at the medical facilities asked employees to shut down their computers to prevent the threat from spreading further.

https://vulners.com/threatpost/THREATPOST:40E886255FDF92FEBF9E9F35A50DDDEB

Google removed 17 Android apps from the official Play Store. The apps, discovered by security researchers from Zscaler, were infected with Joker malware. This spyware is designed to steal SMS messages, contact lists and device information, and to stealthily subscribe the victim to premium Wireless Application Protocol (WAP) services.

Google removed the apps from the Play Store and also used Play Protect to disable them on infected devices. However, users still need to uninstall the apps from their devices manually.

https://vulners.com/threatpost/THREATPOST:73ED8EE5F93807BBD927F9D85FDD7D3B

https://vulners.com/hackread/HACKREAD:BEC057AE95ED35D865562CECD0F3C63C


Research

Azure Sentinel.

Detecting Microsoft 365 and Azure Active Directory Backdoors: https://vulners.com/fireeye/FIREEYE:B509FA2BD3054198E65DC9C23F06AD65

FalconFriday — Process injection and malicious CPL files: https://medium.com/falconforce/falconfriday-process-injection-and-malicious-cpl-files-0xff03-8ba1ee5da64

Best Practice Auditd Configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules
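The linked audit.rules file tags each rule with a key (`-k`), and auditd then emits one event as several records (SYSCALL, EXECVE, PATH, ...) that share a single `msg=audit(timestamp:serial)` header. The added example below (not from the digest or from that repository) shows the part most people get wrong when they start consuming these logs: reassembling the records of one event by serial before pivoting on the rule key or reconstructing a command line. The log lines are constructed, and the key names and helper functions are assumptions made for the illustration.

```python
"""Reassemble multi-record auditd events and pivot on the rule key (-k).

Added example; the sample log lines are constructed, not from a real host.
"""
import re
from collections import defaultdict
from typing import Any, Dict, List

# Every auditd record starts with the type and the event header; records of
# one event share the same (timestamp:serial) pair.
_HEADER = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<rest>.*)$'
)
# Remaining fields are key=value or key="quoted value".
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: one successful execve of `cat /etc/shadow` (two records)
# and one denied open of /etc/shadow (two records). Rule keys are invented.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1601467200.123:456): arch=c000003e syscall=59 success=yes exit=0 ppid=1234 pid=1235 auid=1000 uid=1000 comm="bash" exe="/usr/bin/bash" key="exec"
type=EXECVE msg=audit(1601467200.123:456): argc=2 a0="cat" a1="/etc/shadow"
type=SYSCALL msg=audit(1601467201.001:457): arch=c000003e syscall=257 success=no exit=-13 ppid=1234 pid=1236 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" key="identity"
type=PATH msg=audit(1601467201.001:457): item=0 name="/etc/shadow" inode=123 mode=0100640
"""


def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record into a flat dict; quotes are stripped from values."""
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError(f"not an audit record: {line!r}")
    fields = {"type": m.group("type"), "ts": m.group("ts"), "serial": m.group("serial")}
    for k, v in _KV.findall(m.group("rest")):
        fields[k] = v.strip('"')
    return fields


def assemble_events(log: str) -> Dict[str, Dict[str, Any]]:
    """Merge all records sharing a serial into one event dict.
    The first record to set a field wins; the record types seen are kept in
    order under 'types' so callers can tell an execve from a file open."""
    events: Dict[str, Dict[str, Any]] = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        ev = events.setdefault(rec["serial"], {"types": []})
        ev["types"].append(rec["type"])
        for k, v in rec.items():
            if k != "type":
                ev.setdefault(k, v)
    return events


def failed_accesses_by_key(log: str) -> Dict[str, List[str]]:
    """Per rule key, the serials of events whose syscall was denied
    (success=no): a cheap first pass for 'who tried and was refused'."""
    out: Dict[str, List[str]] = defaultdict(list)
    for serial, ev in assemble_events(log).items():
        if ev.get("success") == "no" and "key" in ev:
            out[ev["key"]].append(serial)
    return dict(out)


def command_lines(log: str) -> Dict[str, str]:
    """Rebuild argv from EXECVE records (a0, a1, ...), keyed by serial."""
    out: Dict[str, str] = {}
    for serial, ev in assemble_events(log).items():
        if "EXECVE" not in ev["types"]:
            continue
        argc = int(ev["argc"])
        out[serial] = " ".join(ev[f"a{i}"] for i in range(argc))
    return out


if __name__ == "__main__":
    for serial, argv in command_lines(SAMPLE_LOG).items():
        print(f"event {serial}: {argv}")
    print("denied, by rule key:", failed_accesses_by_key(SAMPLE_LOG))
```

Pivoting on the key is what makes a large rule set like the linked one manageable: the same parser feeds a "denied access to identity files" alert and an "execve with a sensitive path in argv" alert without either needing to know the syscall numbers. Real logs also carry records with nested `msg='...'` payloads (for example USER_LOGIN), which this minimal field splitter does not handle; ausearch or a proper audit library should be used once the structure is understood.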

