ICSs are increasingly becoming the target of ransomware attacks. The industrial sector matters a great deal, and this week a set of critical vulnerabilities in industrial remote-access products was disclosed. GitHub also released code-scanning functionality for repositories, and a lot of research material on detecting threats was published.
- Vulnerabilities: ICS 🙂 and vulnerability in the wild;
- Tools: Git, smbAutoRelay, etc;
- News: New features from GitHub, ransomware for hospitals and Joker malware;
- Research: Mostly, threat detection.
The Israeli company OTORIO found several serious vulnerabilities in two popular industrial remote access solutions: SiteManager (GateManager) from B&R Automation and mbCONNECT24 from MB Connect Live. Both products are used across many sectors of industry.
Six vulnerabilities were identified in the B&R Automation solution that provides remote access to industrial equipment. Exploiting them from an authorized user account would allow an attacker to gain access to other users' confidential information and to cause a denial of service, which can halt the production process.
Three vulnerabilities, CVE-2020-24568, CVE-2020-24569 and CVE-2020-24570, were found in mbCONNECT24, which is also used for remote connection to production facilities. They allow an attacker to perform SQL injection and CSRF attacks.
ClearSky researchers found a unique malicious RTF file uploaded to VirusTotal from Belarus. The file name and its content are in Russian and present various forms to fill out regarding persons accused of various crimes. The RTF file executes arbitrary code fetched from a C&C server.
The RTF file downloads an exploit for the Internet Explorer vulnerability CVE-2020-0968. The exploit downloads the payload, but that file is encrypted and must be decrypted before it can execute. According to the researchers, attackers have begun actively exploiting this vulnerability.
According to experts from the information security company Rapid7, 61.10% (247 986 out of 405 873) of vulnerable Exchange servers (Exchange 2010, 2013, 2016 and 2019) are still unpatched and at risk of cyberattacks.
The issue is in the Exchange Control Panel (ECP) component, which is enabled in default configurations, and allows an attacker with any valid email credentials to remotely take control of a vulnerable Exchange server.
We already covered this critical vulnerability in Vulners weekly digest #4. We are writing about it again because the situation has not changed and new data on the problem has appeared.
CVE-2019-8442 (Jira Webroot Directory Traversal)
- Payload 1: http://target.domain/s/anything/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml
- Payload 2: http://target.domain/s/anything/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.properties
smbAutoRelay automates the SMB/NTLM relay technique for pentesting and red teaming exercises in Active Directory environments.
A small utility to perform multiple operations on given subnet/CIDR ranges.
An extensible and freshly updated collection of phishing kits for forensics and future analysis, topped with simple stats.
gitjacker downloads git repositories and extracts their contents from sites where the .git directory has been mistakenly uploaded. It still manages to recover a significant portion of a repository even where directory listings are disabled.
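As an added example (not from the digest, nor from either tool), the following Python detector scans web-server access logs for the two conditions above: the Jira CVE-2019-8442 traversal pattern (`/s/<anything>/_/META-INF/...`) and requests for a `.git` directory of the kind gitjacker exploits. The log lines are constructed; the combined log format and the URL-decoding step are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx "combined" format (assumption: that is
# the log format in use). Line 2 is the Jira META-INF traversal payload, lines 3-4
# are requests for a .git directory, line 5 is a legitimate Jira static-resource request.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Oct/2020:10:00:01 +0000] "GET /login.jsp HTTP/1.1" 200 5120
203.0.113.5 - - [01/Oct/2020:10:00:02 +0000] "GET /s/anything/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml HTTP/1.1" 200 1843
203.0.113.9 - - [01/Oct/2020:10:00:03 +0000] "GET /.git/HEAD HTTP/1.1" 200 23
203.0.113.9 - - [01/Oct/2020:10:00:04 +0000] "GET /.git/objects/ab/cdef HTTP/1.1" 404 153
198.51.100.7 - - [01/Oct/2020:10:00:05 +0000] "GET /s/d41d8c/_/download/resources/jira.webresources:global-static/jira.js HTTP/1.1" 200 911
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Jira's /s/<anything>/_/ prefix is legitimate for static resources; the traversal
# is the META-INF segment that follows it, so only that combination is flagged.
JIRA_TRAVERSAL_RE = re.compile(r"^/s/[^/]+/_/META-INF(/|$)", re.IGNORECASE)
# A .git path segment anywhere in the request (site root or a sub-directory).
GIT_DIR_RE = re.compile(r"(^|/)\.git(/|$)")


def classify(path, status):
    """Return an alert tag for a request path, or None if it looks benign."""
    path = unquote(path.split("?", 1)[0])  # strip query string, undo %-encoding
    if JIRA_TRAVERSAL_RE.search(path):
        return "jira-dir-traversal"
    if GIT_DIR_RE.search(path):
        # A 200 means the server actually served repository metadata; any other
        # status is only a probe, which is still worth recording.
        return "git-dir-exposed" if status == "200" else "git-dir-probe"
    return None


def detect(log_text):
    """Scan combined-format log text and return a list of alert dicts."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than abort the scan
        tag = classify(m["path"], m["status"])
        if tag:
            alerts.append({"ip": m["ip"], "path": m["path"],
                           "status": int(m["status"]), "tag": tag})
    return alerts
```

Running `detect(SAMPLE_LOG)` yields three alerts and leaves the legitimate Jira resource request untouched.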
GitHub announced the availability of Code scanning to all users; it was previously offered only to members of the limited testing program for new experimental features. The service scans every git push for potential vulnerabilities.
The result is attached directly to the pull request. The check is performed by the CodeQL engine, which matches code against query templates describing typical vulnerable code (a CodeQL query written for one vulnerable pattern can detect similar vulnerabilities in the code of other projects).
Universal Health Services (UHS), which operates more than 400 healthcare facilities in the US, UK and Puerto Rico, has been the victim of a ransomware attack. According to media reports, Ryuk ransomware operators are behind the incident.
The attack took place on the night of Saturday to Sunday, September 26-27, at about 2:00 am. Employees report that computers began rebooting at that time, after which a ransom note appeared on the screens of the infected machines. In response, IT staff asked the medical facilities to shut down computers to prevent the threat from spreading further.
Google removed 17 Android apps from the official Play Store. The apps, discovered by security researchers from Zscaler, were infected with Joker malware. This spyware is designed to steal SMS messages, contact lists and device information, and to stealthily subscribe the victim to premium Wireless Application Protocol (WAP) services.
Google removed the apps from the Play Store and also used Play Protect to disable them on infected devices. However, users still need to uninstall the apps from their devices manually.
- Analyzing Web Shell Attacks with Azure Defender data in Azure Sentinel: https://techcommunity.microsoft.com/t5/azure-sentinel/analysing-web-shell-attacks-with-azure-defender-data-in-azure/ba-p/1724130?WT.mc_id=modinfra-0000-abartolo
- How to use the Parameterized Function to perform Windows Security data enrichment: https://techcommunity.microsoft.com/t5/azure-sentinel/enriching-windows-security-events-with-parameterized-function/ba-p/1712564?WT.mc_id=modinfra-0000-abartolo
- Detecting Microsoft 365 and Azure Active Directory Backdoors: https://vulners.com/fireeye/FIREEYE:B509FA2BD3054198E65DC9C23F06AD65
- FalconFriday: Process injection and malicious CPL files: https://medium.com/falconforce/falconfriday-process-injection-and-malicious-cpl-files-0xff03-8ba1ee5da64
- Best Practice Auditd Configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules