Impressive iOS research, vulnerable Android apps and malware news

There was not much big news in the last couple of weeks, but we have selected the most interesting and useful items. The contents below give a short description of each section.

  • Vulnerabilities: iOS research, Android apps (check yours) and WebLogic (again);
  • Tools: useful tools. Depix and Karkinos should be tested;
  • News: only malware. iOS, TrickBot and a cheerful ransom demand;
  • Research: books, articles, reports

Really short feedback -> here


Vulnerabilities

https://youtu.be/ikZTNSmbh00

Ian Beer from Google Project Zero has published the results of his research into exploiting a vulnerability in Apple iOS: a kernel memory corruption bug that allows full remote access to all user data.

Ian Beer drew attention to the memmove function: after checking its parameters, he found a classic buffer overflow in the code. Using this bug, an attacker can inject packets into an AWDL connection (without necessarily being on the same Wi-Fi network), gain access to the device and run an implant as root. The whole attack took a few minutes and was carried out against an iPhone 11 Pro in the next room. In his opinion, with sufficient will and funding, the trick could be done in seconds and from a much greater distance from the target.
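The bug class behind this is worth seeing in the smallest possible form. The following is an added example and is not code from Project Zero's write-up or from iOS: a hypothetical type-length-value (TLV) parser in which the copy length for memmove comes straight from the frame, shown next to the bounded version that checks the length against both the destination buffer and the remaining input. The frame layout, field sizes and sample frames are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed-size destination buffer (constructed for the example). */
#define FIELD_MAX 64

struct tlv_field {
    uint8_t type;
    uint8_t len;
    uint8_t value[FIELD_MAX];
};

/* Vulnerable pattern: the copy length is taken straight from the frame and
 * is never compared with the destination size or the bytes remaining in the
 * frame, so a crafted len > FIELD_MAX writes past 'value'. In this example
 * it is only ever called on a well-formed frame. */
int parse_tlv_unchecked(const uint8_t *frame, size_t frame_len, struct tlv_field *out)
{
    if (frame_len < 2)
        return -1;
    out->type = frame[0];
    out->len  = frame[1];
    memmove(out->value, frame + 2, out->len);  /* BUG: len is unbounded */
    return 0;
}

/* Hardened version: the attacker-controlled length is checked against both
 * the destination capacity and the remaining input before any copy. */
int parse_tlv_checked(const uint8_t *frame, size_t frame_len, struct tlv_field *out)
{
    if (frame == NULL || out == NULL || frame_len < 2)
        return -1;                      /* too short to hold a header */
    uint8_t len = frame[1];
    if (len > FIELD_MAX)
        return -2;                      /* would overflow out->value */
    if ((size_t)len > frame_len - 2)
        return -3;                      /* would read past the end of the frame */
    out->type = frame[0];
    out->len  = len;
    memmove(out->value, frame + 2, len);
    return 0;
}

int main(void)
{
    struct tlv_field f;
    /* Constructed frames: one well-formed, one claiming a 200-byte value
     * (would overflow the 64-byte buffer), one truncated. */
    const uint8_t good[]      = { 0x01, 3, 'a', 'b', 'c' };
    const uint8_t oversized[] = { 0x01, 200, 'x', 'y' };
    const uint8_t truncated[] = { 0x01, 10, 'x', 'y' };

    printf("good:      %d\n", parse_tlv_checked(good, sizeof good, &f));
    printf("oversized: %d\n", parse_tlv_checked(oversized, sizeof oversized, &f));
    printf("truncated: %d\n", parse_tlv_checked(truncated, sizeof truncated, &f));
    return 0;
}
```

The point of the two checks is that a length field must be trusted neither as a write bound (destination size) nor as a read bound (remaining input); both must hold before the copy, and rejecting the frame is the only safe outcome when either fails.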

Impressive research job!!!

Please click update on your iPhone.

https://vulners.com/thn/THN:B8C45A3F30B93AE1B41277CEDFF4E5F7

RCE in ‘PlayStation Now’ for $15,000

https://vulners.com/hackerone/H1:873614

About 8% of apps in the Google Play Store are vulnerable to a bug in the Play Core library. Check Point warns that the developers of many popular Android applications forgot to update an important library and are now open to attack.

Earlier this year, researchers from Oversecured discovered the critical vulnerability CVE-2020-8913 in Play Core. A malicious application installed on the user’s device could exploit it to inject dangerous code into other applications and steal confidential data, including passwords, photos, 2FA codes and much more.

The list of apps that have already updated the library includes Facebook, Instagram, Snapchat, WhatsApp and Chrome. Unfortunately, the developers of many other large applications have not done so. Among them, the experts listed Microsoft Edge, Grindr, OKCupid, Cisco Teams, Viber and Booking. In total, the affected applications have been installed over 250,000,000 times.

https://vulners.com/threatpost/THREATPOST:F4C7A23E0E9EE24012140A3F80FAF82A

Many Oracle WebLogic servers remain vulnerable to the RCE CVE-2020-14882, which was patched two months ago. Juniper Threat Labs writes that the most interesting malware exploiting it is DarkIRC, currently sold on hacking forums for $75.

DarkIRC infects unpatched servers via a PowerShell script, launched through an HTTP GET request, that drops a malicious binary with both anti-analysis and anti-sandbox functionality. For example, before unpacking, the malware checks whether it is running on a VMware, VirtualBox, VBox, QEMU or Xen virtual machine and stops the infection if it detects a sandboxed environment.

DarkIRC has many features, including keylogging, stealing files and executing commands on an infected server, stealing credentials, and spreading to other devices via MSSQL and RDP (by brute force), SMB or USB.

Update if you have not already done so.

https://vulners.com/thn/THN:8ECDF261632B04DEE688C1023DD73404


Tools

BruteShark
A Network Forensic Analysis Tool (NFAT) that performs deep processing and inspection of network traffic (mainly PCAP files). Its goal is to help security researchers and network administrators with network traffic analysis while they look for weaknesses.

https://github.com/odedshimon/BruteShark

Depix
A tool for recovering passwords from pixelized screenshots. Strictly a red team tool, but it is important that the blue side of this world is aware of it too.

https://github.com/beurtschipper/Depix

PYTMIPE is a Python 3 library for manipulating Windows tokens and managing impersonation in order to gain more privileges on Windows. TMIPE is the Python 3 client that uses the pytmipe library.

https://vulners.com/kitploit/KITPLOIT:8403443702167316386

Karkinos is a light-weight ‘Swiss Army Knife’ for penetration testing and/or hacking CTFs (like CyberChef). Try it out!

https://vulners.com/kitploit/KITPLOIT:57408969918344457


News

New MacOS Backdoor Connected to OceanLotus Surfaces

New malware for macOS with a backdoor for later remote access. It looks like a Word document, although the application is actually inside an archive, and so far few vendors detect it as malicious. An interesting exploration of its functionality.

The initial compromise is through a Zip archive disguised as a Word document called “ALL tim nha Chi Ngoc Canada”. To bypass detection by anti-virus solutions, several special characters have been added to the archive name. After the first-stage malware runs, it retrieves the payload, which is the backdoor itself. It has RAT functionality: it collects information about the system, communicates with the C&C, works with the file system and loads additional functional modules.

https://vulners.com/threatpost/THREATPOST:CDCBE282C1397398E4A32C4BF3E5251D

TrickBot Now Offers ‘TrickBoot’: Persist, Brick, Profit

Over the past few weeks, TrickBot introduced new obfuscation features and a new C2 infrastructure, and launched new spam campaigns to recruit zombie computers. The botnet also has a new feature for interacting with the UEFI BIOS. Such an upgrade will significantly complicate not only the remediation but also the detection of an infection.

So far, the new TrickBot module only checks the SPI controller to find out whether BIOS write protection is enabled; it does not yet make any changes to the firmware.
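The same question (is the BIOS region of SPI flash write-protected?) is one a defender should be able to answer for their own fleet, and it is what firmware audit tools such as chipsec report. The following is an added example, not TrickBot code and not from the linked article: it decodes a BIOS_CNTL register value and produces a verdict. The bit positions are as I understand them from Intel's published PCH datasheets (BIOS_CNTL at LPC config space offset 0xDC: bit 0 BIOSWE, bit 1 BLE, bit 5 SMM_BWP); confirm them against the datasheet for your platform. The register values fed in below are constructed; reading the real register needs privileged PCI config access and is not done here. The verdict is a simplification: the SPI protected-range registers, which can protect the region independently, are not modelled.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* BIOS_CNTL bit layout as published in Intel PCH datasheets (LPC config
 * space offset 0xDC). Verify against the datasheet for your platform. */
#define BIOS_CNTL_BIOSWE  (1u << 0)  /* BIOS Write Enable: 1 = writes to the BIOS region allowed */
#define BIOS_CNTL_BLE     (1u << 1)  /* BIOS Lock Enable: setting BIOSWE raises an SMI          */
#define BIOS_CNTL_SMM_BWP (1u << 5)  /* SMM BIOS Write Protect: writes accepted only from SMM    */

struct bios_wp_status {
    bool bioswe;
    bool ble;
    bool smm_bwp;
    bool effective;      /* verdict: BIOS region write protection is effective */
    const char *reason;  /* one-line explanation for a report */
};

/* Decode a raw BIOS_CNTL value into a verdict. Simplified: the SPI
 * protected-range (PR) registers are not considered here. */
struct bios_wp_status decode_bios_cntl(uint8_t bios_cntl)
{
    struct bios_wp_status s;
    s.bioswe  = (bios_cntl & BIOS_CNTL_BIOSWE) != 0;
    s.ble     = (bios_cntl & BIOS_CNTL_BLE) != 0;
    s.smm_bwp = (bios_cntl & BIOS_CNTL_SMM_BWP) != 0;

    if (s.ble && s.smm_bwp) {
        /* Writes are only honoured from SMM and the lock bit is enforced. */
        s.effective = true;
        s.reason = "BLE and SMM_BWP set: BIOS region writable only from SMM";
    } else if (s.ble) {
        /* The lock relies entirely on the SMI handler clearing BIOSWE. */
        s.effective = false;
        s.reason = "BLE set but SMM_BWP clear: protection depends on the SMI handler alone (weak)";
    } else if (!s.bioswe) {
        /* Nothing stops kernel-level code from simply setting BIOSWE. */
        s.effective = false;
        s.reason = "BIOSWE clear but BLE clear: any ring-0 code can enable writes";
    } else {
        s.effective = false;
        s.reason = "BIOSWE set and no lock: BIOS region is writable";
    }
    return s;
}

int main(void)
{
    /* Constructed register values, one per configuration of interest. */
    const uint8_t samples[] = { 0x22, 0x02, 0x00, 0x01 };
    for (size_t i = 0; i < sizeof samples; i++) {
        struct bios_wp_status s = decode_bios_cntl(samples[i]);
        printf("BIOS_CNTL=0x%02x  BIOSWE=%d BLE=%d SMM_BWP=%d  protected=%s  (%s)\n",
               samples[i], s.bioswe, s.ble, s.smm_bwp,
               s.effective ? "yes" : "NO", s.reason);
    }
    return 0;
}
```

On a real host this decoding sits behind a privileged read of the LPC device's config space; the value 0x22 (BLE and SMM_BWP both set, BIOSWE clear) is the configuration to expect on a correctly locked platform, and anything else is worth an inventory entry, since a module that merely reads this register today is positioned to act on it later.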

https://vulners.com/thn/THN:170F05EC5AC43D41CEE94873D9068F43

Egregor likes to print its ransom demand on the hacked organization’s printers (why not?). Recently the large Latin American retail chain Cencosud learned about an attack this way, and the other day it was the turn of TransLink, Vancouver’s public transport operator.

That something was amiss at TransLink became known on December 1, when residents of the city of 700,000 could not use Compass cards to pay for travel on buses, ferries and trains.

The rest of the details of the attack, as usual, are unknown.

https://vulners.com/threatpost/THREATPOST:7E5265C083AFD7F51DE3048ECE922883


Research

Tactics, Techniques and Procedures (TTPs) used by the Nefilim ransomware threat actor – a detailed walkthrough. All TTPs are mapped to MITRE ATT&CK Framework: https://www.picussecurity.com/resource/blog/how-to-beat-nefilim-ransomware-attacks

Security & Hacking related books. One of the best collections of books on information security. They are so good that they can be found in almost every collection. https://docs.google.com/document/d/1-l1dagQ643nH8chDl2VwRwdJxZZ6D3M1K07pvLfAbSI

Not bad info about DCSync: https://www.blacklanternsecurity.com/2020-12-04-DCSync

Data Exfiltration with LOLBins: https://debugactiveprocess.medium.com/data-exfiltration-with-lolbins-20e5e9c1ed8e

Visualizing IP Traffic with Brim, Zeek and NetworkX: https://medium.com/brim-securitys-knowledge-funnel/visualizing-ip-traffic-with-brim-zeek-and-networkx-3844a4c25a2f

