Vulners weekly digest #5

+1 integration for Vulners
Review fresh vulnerabilities without Microsoft
Tools
News without COVID-19 and ZOOM


This week Vulners integrated with a great new project: https://attackerkb.com

It is already available: https://vulners.com/search?query=type:attackerkb

Vulnerabilities, exploits or PoCs

Is it possible to make a digest without vulnerabilities in Microsoft products? Let’s try!

Multiple vulnerabilities in the IQrouter

Information security researchers often like to dig into no-name network devices and find all sorts of vulnerabilities in them. This week’s target was the IQrouter with firmware version 3.3.1:

The researcher also made an example of exploiting all these vulnerabilities:

https://vulners.com/packetstorm/PACKETSTORM:157300

RCE PoC for Sysaid v20.1.11

SysAid is free help desk software for IT support. CVE-2020-10569 allows unauthenticated upload of arbitrary files, which can be used to execute commands on the system by chaining it with a Ghostcat attack. Attackers could read application configuration files and steal passwords or API tokens, or they could write files such as backdoors or web shells to the server:

https://vulners.com/packetstorm/PACKETSTORM:157314

Oracle Solaris

CVE-2020-2944 affects versions 10 and 11 of this UNIX OS. The vulnerability allows a low-privileged attacker with logon access to the infrastructure where Oracle Solaris executes to compromise it. Oracle has released a fix for all affected and supported versions of Solaris in the April Critical Patch Update.

PoC: https://vulners.com/exploitdb/EDB-ID:48359

Multiple vulnerabilities in the QRadar Community Edition 7.3.1.6

QRadar is one of the best-known SIEM systems. The Community Edition is limited to 50 events per second and 5,000 network flows per minute; it supports apps but has a smaller footprint intended for non-enterprise use. A large number of vulnerabilities were found in one of the latest releases of this edition:

At the time of publication of this digest, the latest version of QRadar is V7.3.3.


Tools

Lulzbuster
Lulzbuster is a very fast and smart web directory and file enumeration tool written in C.

Adamantium-Thief
Extracts data from Chromium-based browsers: passwords, credit cards, history, cookies, bookmarks.

Pwned
Pwned is a simple command-line Python script that checks whether one of your passwords has appeared in a data breach. The full scheme of the script:


News

MITRE releasing the results of evaluations
Apple zero-days in Mail app
The Incident Response Challenge 2020 – $$$

MITRE ATT&CK Evaluations

The main event of the week for many information security vendors was the release of results from the MITRE evaluation methodology based on APT29: https://ela.st/mitre-eval-rd2

In late 2019, the ATT&CK Evaluations team evaluated 21 endpoint security vendors with their endpoint detection and response (EDR) products, using its now industry-standard open methodology, the ATT&CK framework.

For complete evaluation results, you can review the data published on the MITRE website.

VMware Carbon Black results: https://vulners.com/carbonblack/CARBONBLACK:8DEE9836AF3A9C5A0954C0941127CFC9
Microsoft ATP results: https://vulners.com/mssecure/MSSECURE:7C2EBC78AA9ED84F61D237B3E3AE3C1D

Apple

On April 22, ZecOps announced that two 0-day vulnerabilities in the Mail application were being exploited in the wild, allowing full control over the correspondence of the attacked user across the entire line of iPad and iPhone devices.

ZecOps reported that it recorded the use of the exploits against:

  • employees of US companies from the Fortune 500 list;
  • a director of a carrier company from Japan;
  • a German VIP;
  • MSSPs (Managed Security Service Providers) from Saudi Arabia and Israel;
  • a European journalist;
  • as well as a suspected compromise of the head of one of the Swiss companies.

Apple responded as expected: “We have studied the ZecOps report and concluded that the identified errors do not pose a threat to users. We will close them in the next updates.”

ZecOps also promises to publish more technical information about the bugs and the facts of their exploitation after the patch is released.

https://vulners.com/thn/THN:7749C9AD2429E9716C12DEB1307ABB29

https://vulners.com/threatpost/THREATPOST:D091476FC2E5A0AFECA0813539BECDF9

The Incident Response Challenge 2020

On April 21st, cybersecurity firm Cynet announced the launch of a first-of-its-kind challenge that lets incident response professionals test their skills on 25 forensic challenges built by top researchers and analysts.

The challenge is available at https://incident-response-challenge.com/ and is open to anyone willing to test their investigation skills between April 21st and May 15th.

Are you a hands-on forensic researcher, SOC analyst, or malware analyst? Go to https://incident-response-challenge.com/, get your hands dirty, and beat your peers to the first prize!

Vulners weekly digest #1

Brief overview of new exploits, tools and various news from the world of information security


Exploits

This month’s most famous vulnerability is CVE-2020-0796, a critical SMB server/client vulnerability that affects Windows 10. No working exploit is public yet, but everything needed to fix the vulnerability is already available. After authentication, an attacker can exploit this vulnerability to cause memory corruption, which may lead to remote code execution.
Since 2017, despite millions of dollars in losses and a ransomware epidemic, attempts to exploit the MS17-010 vulnerabilities in the SMB protocol have continued.
It is recommended to start patching your infrastructure now rather than postponing it until a working exploit appears: apply the latest patch from Microsoft for CVE-2020-0796 for Windows 10.

Checker: 
https://vulners.com/zdt/1337DAY-ID-34097
More detailed description:
https://www.kaspersky.com/blog/smb-311-vulnerability/33991/

An rConfig 3.x exploit for CVE-2020-10220 and CVE-2019-19509 was added to Metasploit.
First, the module uses CVE-2020-10220 to add an admin user to the application by exploiting a SQL injection.
Second, the module authenticates as the newly created admin user to abuse a command injection in the `path` parameter of ajaxArchiveFiles within the rConfig web interface (CVE-2019-19509).

https://vulners.com/exploitdb/EDB-ID:48223

RCE in Microsoft SQL Server Reporting Services (CVE-2020-0618)
The vulnerability enables an attacker to craft an HTTP POST request carrying a serialized object to achieve remote code execution. An account is necessary to exploit this vulnerability; the request uses NTLM basic authentication. The account must be assigned at least the “Browser” role on the site. This is a low-privilege role that only lets the user do a few things: view folders and reports, and subscribe to reports.

https://vulners.com/zdt/1337DAY-ID-34090


InfoSec tools

Pypykatz:

Every blue team has heard of Mimikatz. Pypykatz is a Mimikatz implementation in pure Python and can run on any OS that supports Python >= 3.6.
It is also an actively developed open-source tool that you should test.

Fresh tool for phishing creds:

Pickl3 is a Windows active-user credential phishing tool. It can be combined with all the classic up-to-date phishing techniques: LNK files, DDE attacks or macros in Microsoft Office documents.

OWASP Maryam:

A new open-source OSINT tool for red teamers. If you have experience with recon-ng, it will be easy to use without any prerequisites.


COVID-19 and malware activity

The coronavirus pandemic has proven to be a blessing in disguise for APT groups and other attackers. According to a report published by Check Point Research, hackers are exploiting the COVID-19 outbreak to spread their own infections, including registering malicious COVID-19-related domains and selling them to malware creators on the dark web.
The report follows a rise in the number of malicious coronavirus-related domains registered since the start of January:

It is amply clear that these attacks exploit coronavirus fears and people’s hunger for information about the pandemic. It is very important to avoid falling victim to online scams and to practice good digital hygiene.
https://vulners.com/thn/THN:388DC5BD3433ABFAA4F3ADE1B130DB21

TrickBot has gained new functionality: a module for brute-forcing Remote Desktop Protocol (RDP) called rdpScanDll. TrickBot is malware that has been around since 2016, having started its career as a banking trojan.
The malware is distributed through spam campaigns, uses new security evasion methods and acts as a delivery vehicle for other malware such as Emotet.
More detailed information about the new malware features:
https://vulners.com/thn/THN:71376C31FA1999B14811937997E9339A
TrickBot has also been spotted in the latest trend of attacks using sites about COVID-19 or coronavirus, as described in a Fortinet report.
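As an added, defender-side example that is not from the digest or from any report cited above: a small Python detector for the kind of RDP brute-forcing the rdpScanDll module performs, run over constructed, flattened Windows Security event lines (4625 = failed logon, LogonType 10 = RemoteInteractive). It keeps a sliding window of failed RDP logons per source address and flags a source once it crosses a threshold; the line format, threshold and sample addresses are assumptions for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Optional

# Constructed sample of Windows Security events flattened to one line each (4625 = failed
# logon, 4624 = successful logon, LogonType 10 = RemoteInteractive/RDP). Built for this example.
SAMPLE_LOG = """\
2020-03-20T10:00:01Z EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=administrator
2020-03-20T10:00:02Z EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=admin
2020-03-20T10:00:03Z EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=backup
2020-03-20T10:00:04Z EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=scanner
2020-03-20T10:00:05Z EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=user1
2020-03-20T10:00:09Z EventID=4624 LogonType=10 IpAddress=198.51.100.4 TargetUserName=jdoe
2020-03-20T10:05:00Z EventID=4625 LogonType=2 IpAddress=127.0.0.1 TargetUserName=jdoe
2020-03-20T10:06:00Z EventID=4625 LogonType=10 IpAddress=198.51.100.4 TargetUserName=jdoe
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) IpAddress=(?P<ip>\S+) TargetUserName=(?P<user>\S+)$")

def parse_event(line: str) -> Optional[dict]:
    """Parse one flattened event line; return None if it does not match the expected shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev

def detect_rdp_bruteforce(log: str, threshold: int = 5, window: timedelta = timedelta(minutes=1)) -> Dict[str, dict]:
    """Flag source IPs with >= threshold failed RDP logons inside a sliding window (first trip per IP)."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, target user) still inside the window
    alerts: Dict[str, dict] = {}
    for line in log.splitlines():
        ev = parse_event(line)
        if not ev or ev["eid"] != "4625" or ev["lt"] != "10":
            continue  # only failed RemoteInteractive logons are of interest here
        q = recent[ev["ip"]]
        q.append((ev["ts"], ev["user"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()  # drop attempts that fell out of the window
        if len(q) >= threshold and ev["ip"] not in alerts:
            alerts[ev["ip"]] = {"failures": len(q), "users": sorted({u for _, u in q}),
                                "first": q[0][0], "last": ev["ts"]}
    return alerts

if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failed RDP logons in window, users tried: {info['users']}")
```

The distinct user list in each alert separates a password spray (many users, one source) from a single-account brute force, which is worth reporting differently.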