There are no zero-day vulnerabilities or new headliners in this digest, but there are new tool updates and a mix of news and research.
- Vulnerabilities: no zero-days, only emergency updates for Drupal and cPanel, and a couple of exploits for routers;
- Tools: an update to a powerful intelligence tool, and others;
- News: Tesla hacked! Then a story about Sopra Steria and malware activity. Baidu was removed from Google Play 🙁;
- Research: ransomware attacks against Microsoft Defender, plus other useful reads 🙂
Really short feedback -> here
A critical vulnerability was found in cPanel that allows 2FA to be bypassed: an issue in the most popular hosting control panel lets an attacker bypass two-factor authentication on cPanel accounts.
Two-factor authentication in older versions of cPanel and WebHost Manager (WHM) was vulnerable to brute-force attacks: an attacker could guess URL parameters and bypass 2FA where it was enabled for the account.
cPanel developers responded to the researcher's report and the vulnerability was fixed. All users are encouraged to upgrade cPanel and WHM to the fixed versions 22.214.171.124, 126.96.36.199 and 188.8.131.52 as soon as possible.
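The cPanel item above is about brute-forcing a second factor. The following is an added example, not cPanel's code and not from the original digest: a minimal RFC 4226/6238 TOTP implementation plus a verification gate that counts failures per account, locks the account for a while after too many of them, and refuses to accept a code that was already used. The `SecondFactorGate` class, its field names and the in-memory secret store are assumptions made for the example; the six-digit code space it reasons about is the standard TOTP default.

```python
import hashlib
import hmac
import struct

# Minimal RFC 4226 (HOTP) / RFC 6238 (TOTP) with SHA-1 and a 30-second step,
# implemented here so the example runs offline without third-party packages.
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, at // step, digits)


class SecondFactorGate:
    """Hypothetical 2FA check: verifies a TOTP code for an account, locks the
    account after `max_failures` consecutive bad codes and rejects replays, so
    the code cannot be enumerated one guess after another."""

    def __init__(self, secrets: dict, max_failures: int = 5, lockout: int = 900):
        self.secrets = secrets        # account -> shared secret (in-memory store, assumed)
        self.max_failures = max_failures
        self.lockout = lockout        # seconds the account stays locked
        self.failures = {}            # account -> consecutive failures
        self.locked_until = {}        # account -> unix time at which the lock expires
        self.last_step = {}           # account -> last accepted time step (anti-replay)

    def verify(self, account: str, code: str, at: int) -> str:
        if self.locked_until.get(account, 0) > at:
            return "locked"
        secret = self.secrets.get(account)
        if secret is None:
            return "rejected"
        step = at // 30
        # Accept the current step and one step either side to tolerate clock drift.
        for candidate in (step - 1, step, step + 1):
            if hmac.compare_digest(hotp(secret, candidate), code):
                if candidate <= self.last_step.get(account, -1):
                    return "replayed"          # this code was already consumed
                self.last_step[account] = candidate
                self.failures[account] = 0
                return "accepted"
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.max_failures:
            self.locked_until[account] = at + self.lockout
            self.failures[account] = 0
            return "locked"
        return "rejected"


def guess_probability(attempts: int, digits: int = 6, window: int = 3) -> float:
    """Chance that `attempts` online guesses hit one of the `window` codes that
    are valid at a given moment; this is what the lockout caps an attacker at."""
    return min(1.0, attempts * window / 10 ** digits)


if __name__ == "__main__":
    secret = b"12345678901234567890"          # RFC 4226 test-vector secret
    gate = SecondFactorGate({"alice": secret})
    print(gate.verify("alice", totp(secret, 59), 59))   # accepted
    for _ in range(5):
        print(gate.verify("alice", "000000", 59))      # rejected x4, then locked
    print(gate.verify("alice", totp(secret, 90), 90))   # locked, even with the right code
    print(guess_probability(5))                         # 1.5e-05
```

With five attempts per lockout window the chance of an online guess succeeding is on the order of 1e-5 per window; without a failure counter the same six-digit space can be walked in a matter of hours, which is the class of weakness the cPanel fix closes.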
The Drupal team fixed two remote code execution vulnerabilities:
- the first is related to incorrect validation of input data when processing URIs in file names (CVE-2020-28948);
- the second is related to unsafe validation when processing serialized data (CVE-2020-28949).
A vulnerability in the popular TP-Link TL-WA855RE Wi-Fi router allows an unauthenticated attacker to reset and reboot the device. The attacker can then gain full control by setting a new administrator password in place of the default one from the manual.
A couple of exploits for BigBlueButton, open-source web conferencing software designed for distance learning:
E-mail Validation Bypass: https://vulners.com/packetstorm/PACKETSTORM:160239
Brute Force: https://vulners.com/packetstorm/PACKETSTORM:160238
IntelOwl 1.9.0 released. IntelOwl is your friendly threat intelligence tool for malware analysis and security research! Check the release details here: https://github.com/intelowlproject/IntelOwl/releases
Talon: a tool designed to perform automated password guessing attacks while remaining undetected. Talon can enumerate a list of users to identify which ones are valid, using Kerberos, and can also perform a password guessing attack against the Kerberos and LDAPS (LDAP Secure) services.
elk-tls-docker: a new open-source tool to stand up the Elastic Security stack using self-signed or Let's Encrypt certificates.
An interactive command prompt that executes commands through proxychains and automatically logs them on a Cobalt Strike team server.
Researchers from the COSIC group at the University of Leuven (Belgium) bought a used Tesla Model X electronic control unit (ECU) on eBay, took it apart and found vulnerabilities in the key fob authentication process over Bluetooth Low Energy (BLE). This allowed them to use a modified ECU to push malicious firmware onto a key fob and then obtain an unlock message from it.
Using a device built from the modified ECU and key fob, a Raspberry Pi with a CAN interface and a battery, the Belgians were able to steal a Tesla Model X. The whole process, shown in a short clip included in the report, takes only two or three minutes. The only limitation: to synchronize the owner's key fob with the modified ECU, the intruder must come within 5 meters of it, but that takes only a few seconds.
Ryuk successfully hit French IT giant Sopra Steria, taking down the company's network. The company has been restoring its systems for almost a month and says the Ryuk attack will ultimately cause losses of 40 to 50 million euros.
We already wrote about this company in our digest last month: Bug Parade with all headliners, zero-days and malware news
Sopra Steria reported that no data leaks have been identified at this stage. Lately these are the usual words from many victims, and it often turns out afterwards that the company has already paid the ransom and “recovered”.
Check Point reported on new activity by the Bandook Trojan, which once again confirms that the malware is part of the infrastructure of a hired actor carrying out offensive cyber operations under contract in the interests of various intelligence agencies.
In 2019, Bandook was used in Operation Dark Caracal, which exfiltrated hundreds of gigabytes of data belonging to hundreds of victims in 21 countries across North America, Europe and Asia.
The attack begins with a phishing document containing a malicious macro that runs a PowerShell loader; the loader, in turn, delivers the Bandook RAT itself. This is a full-fledged spyware tool with all the usual functions: gathering system information, working with files, taking screenshots, and so on.
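The Bandook chain described above (Office document, macro, PowerShell loader) leaves a recognisable trace in process-creation telemetry. The following is an added example, not from the Check Point report and not part of the original digest: a small Python detector that reads Sysmon-style process-creation events, flags a script host spawned by an Office application, scores loader-style PowerShell switches (encoded command, hidden window, no profile, policy bypass) and decodes any `-EncodedCommand` payload for the analyst. The event field names (`parent_image`, `image`, `command_line`, `host`) and the sample events are constructed for this example; the decoded payload in the samples is a harmless `Write-Host`.

```python
import base64
import json
import re
from pathlib import PureWindowsPath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Loader-style PowerShell switches, matched case-insensitively on the command line.
# PowerShell accepts unambiguous prefixes, hence the optional tails in the patterns.
ENCODED = re.compile(r"\s-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
SWITCHES = {
    "encoded_command": ENCODED,
    "hidden_window": re.compile(r"\s-w(?:indowstyle)?\s+hidden", re.I),
    "no_profile": re.compile(r"\s-nop(?:rofile)?\b", re.I),
    "execution_policy_bypass": re.compile(r"\s-ex(?:ec|ecutionpolicy)?\s+bypass", re.I),
}


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def decode_encoded_command(cmdline: str):
    """Return the UTF-16LE text behind -EncodedCommand, or None if absent/invalid."""
    m = ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse(event: dict):
    """Return a finding for one process-creation event, or None if it looks benign."""
    parent = basename(event.get("parent_image", ""))
    child = basename(event.get("image", ""))
    cmd = event.get("command_line", "")
    reasons = []
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        reasons.append("office_spawned_" + child)
    reasons += [name for name, pat in SWITCHES.items() if pat.search(cmd)]
    if any(r.startswith("office_spawned_") for r in reasons):
        severity = "high"                      # macro -> loader pattern
    elif "encoded_command" in reasons and "hidden_window" in reasons:
        severity = "medium"                    # loader-style invocation, other parent
    else:
        return None
    return {"host": event.get("host"), "severity": severity,
            "reasons": reasons, "decoded": decode_encoded_command(cmd)}


def scan(lines):
    """Run analyse() over JSON event lines and collect the findings."""
    findings = []
    for line in lines:
        finding = analyse(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry (not real logs); the encoded payload is a harmless Write-Host.
_ENC = base64.b64encode("Write-Host hello".encode("utf-16le")).decode()
SAMPLE_LINES = [json.dumps(e) for e in [
    {"host": "ws-01", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc " + _ENC},
    {"host": "ws-02", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile -Command Get-Date"},
    {"host": "ws-03", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": 'cmd.exe /c "echo test"'},
    {"host": "ws-04", "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe", "command_line": "svchost.exe -k netsvcs"},
    {"host": "ws-05", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -enc " + _ENC},
]]

if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f["host"], f["severity"], f["reasons"], f["decoded"])
```

The "office spawned a script host" rule is the one worth alerting on by itself; the switch-based score is deliberately weaker, because an admin's `-NoProfile -Command Get-Date` from Explorer (event ws-02) must not page anyone.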
Baidu’s Android apps caught collecting user data. The Baidu Maps and Baidu Search Box apps were found to be collecting user data and were removed from the Google Play Store.
Palo Alto Networks reports that similar data-collection code was found in the ShareSDK developed by the Chinese giant MobTech. Used by over 37,500 apps, this SDK also lets app developers collect the phone model, screen resolution, MAC address, Android ID, advertising ID, carrier information, IMSI and IMEI.
Baidu’s representatives explain that it was not the data collection that got the apps removed from the Play Store (the Chinese company had obtained users' permission to collect this information); rather, Google engineers had found other problems, which Baidu was already working to fix.
A tale of evasion in a restricted environment: DLL side-loading + phantom DLL hollowing + Google Apps Script for C2 communications: https://www.blackarrow.net/hindering-threat-hunting-a-tale-of-evasion-in-a-restricted-environment
Demystifying Ransomware Attacks against Microsoft Defender Solution: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/demystifying-ransomware-attacks-against-microsoft-defender/ba-p/1928947?WT.mc_id=modinfra-0000-abartolo
InfoSec Black Friday Deals 2020 (updated): https://github.com/0x90n/InfoSec-Black-Friday and https://github.com/Securityinfos/Black-Friday-Deals
Cross-site Scripting via WHOIS and DNS Records: https://medium.com/tenable-techblog/cross-site-scripting-via-whois-and-dns-records-a25c33667fff