This week there were such significant events as Defcon and Black Hat 2020. Some of the materials from these conferences are in today’s digest.
- Vulnerabilities: Cool material from Blackhat 2020 and Qualcomm vulnerabilities.
- Tools: New code analyzer from facebook.
- News: Data leak and ransomware for Canon (like Garmin).
- Research: Mostly for the blue/purple teams.
At Black Hat 2020, Patrick Wardle from Jamf talked about a chain of exploits that can bypass Microsoft’s protection against malicious macros to infect MacOS devices. The vulnerabilities were named zero-click, meaning that no victim’s involvement is required to exploit them. They allow attackers to deliver malware to macOS users using a Microsoft Office macro document. The attack bypasses security measures that Microsoft and Apple have adopted to protect macOS users from malicious macros.
The researcher reported his findings to Microsoft and Apple. Apple fixed the problems in macOS version 10.15.3, but told Wardle that “this problem does not meet the requirements for assigning a CVE identifier”. Microsoft said the exploit chain is an issue on Apple’s side.
Researchers from the Eset company have identified a new vulnerability variant Kr00k CVE-2020-3702, in wireless chips Qualcomm and MediaTek. Like the first variant to which Cypress and Broadcom chips were exposed, the new vulnerability allows decrypting intercepted Wi-Fi traffic protected using WPA2 protocol.
Black Hat USA 2020 researcher Jiahao Lee from 360 Group spoke about 19 identified vulnerabilities in the Mercedes-Benz E-Klasse, which were subsequently patched by the manufacturer. Until the moment of correction, more than 2 million vehicles were potentially affected. These errors were first reported in August last year and now the researchers have revealed technical details.
Features in Microsoft Teams
Microsoft Teams is still vulnerable to a vulnerability that allows remote extraction and launch of malware. The method was originally unveiled last year and is based on using the “update” command to run arbitrary binary code in the context of the current user. Before Microsoft introduced measures to prevent exploitation of the vulnerability, an attacker could download malware from an external URL and install it on the system from a trusted (signed) executable file.
A patch for the discovered vulnerability is unlikely to appear, as Microsoft has called it a design flaw, and the patch could have a negative impact on the operations of some customers.
Facebook introduced an open source static analyzer Pysa (Python Static Analyzer) designed to identify potential vulnerabilities in Python code. The new analyzer is designed as an add-on over the Pyre type checking toolkit and placed in its repository. The code is published under the MIT license.
It is a simple framework and command line tool for monitoring Docker containers to identify any processes which are running as root.
It is a simple, fast, and interactive web crawler and web scraper written in Golang. Evine is useful for a wide range of purposes such as metadata and data extraction, data mining, reconnaissance and testing.
KELA provided journalists with a list of more than 900 corporate Pulse Secure VPN servers with complete data about them, including logins and passwords. The list was distributed at a Russian-language hacker forum actively used by ransomware operators and compiled by an attacker between June 24 and July 8, 2020. Apparently, the hacker used CVE-2019-11510 to get data from vulnerable VPN-servers.
677 companies have not yet installed patches, although Bad Packets experts conducted their first scan for vulnerable servers back in June 2019. The researchers note that even if these companies install patches now, they will still need to change passwords so that hackers don’t use the leaked data to capture devices and then develop attacks on internal networks.
Canon was subjected to a ransomware cyber attack that affected several of its services, including email, Microsoft Teams, Canon’s US website and a number of internal applications. image.canon went for maintenance on July 30, which lasted until August 4.
The journalists turned to Maze for a comment and they said that they indeed successfully hacked Canon yesterday morning and stole more than 10 TB of information, including databases, correspondence, etc. The hackers did not disclose the amount of the ransom.
Cybersecurity researchers from Malwarebytes talked about a phishing technique in which attackers use homoglyph domain names and modified favicons (website icons) to deploy electronic skimmers and steal data from users’ payment cards.
The idea is to use similar-looking symbols to visually trick users. Homoglyph is one of two or more graphemes, signs or glyphs with shapes that either appear identical or cannot be differentiated by a quick visual inspection. For example, Russian “c” and English “c” are homoglyphs.
Attackers used visual similarities to create and register fraudulent versions of existing domains in order to deceive unsuspecting users and force them to visit malicious web sites.
Userfull and fresh research for forensics, incident resonse and threat hunters:
Incident Response: Methodology and Case Study: https://fireh7nter.com/2020/08/04/incident-response-methodology-and-case-study
Build a server 2019 core AD lab walkthrough and a brief how to attack it guide: https://www.pentestpartners.com/security-blog/building-a-lab-with-server-2019-server-core-and-powershell-then-attacking-it/
Fuzzing the Windows API for AV Evasion: https://winternl.com/fuzzing-the-windows-api-for-av-evasion/