Huge patches from vendors, Vulners news and hot Android malware

There has been a lot of news about Apple and Android this month, as the first malware for the Apple M1 has started to appear and malware developers are not wasting time. Cisco also released a big update package for their devices, and SonicWall is not fixing its problems. A little bit about what’s new with the Vulners team. And in the pro news section, as always ransomware and data breaches.

  • Vulners Events: New research article;
  • Vulnerabilities: Critical VMware, Cisco patch, hardware and crypto;
  • Tools: First open-source anti DDOS, APT-hunter, MSSQL for red teamers;
  • News: Android malware evolution, data leak, IOT threats and others;
  • Research: BlackHat 2020 all videos, offensive research, defense against cobalt and discover windows artifacts.

Short feedback -> here


Vulners events

New post from our team member Alexander Leonov about Linux audit with Vulners. Alexander made a long read on how you can set up and use Vulners for your own purposes. In the future, we are going to turn such articles into full-fledged instructions for users.

Also, the team regularly works on improving our robots: fixing old ones, updating current ones and making new ones (google project zero, mongo, clickhouse, etc).


Vulnerabilities

VMware has released an update that fixes a number of vulnerabilities in VMware ESXi and vCenter Server products. Vulnerabilities allowing remote attacker to execute arbitrary code in vCenter Server, cause heap overflow in OpenSLP service and thereby execute code remotely in ESXi have been fixed. The software vendor recommends that systems should be upgraded immediately.

Qihoo 360 published PoC of the new vulnerability the next day.

CVE-2021-21972

Bad Packets reported a mass scan of the network to identify vulnerable VMware vCenter from attackers. There are more than 6 thousand of them at the moment. Was it a hype chase? or why publish the POC immediately after the vulnerability is fixed?

Critical Bugs Found in Popular Realtek Wi-Fi Module for Embedded Devices

Serious vulnerabilities have been found in the Realtek RTL8195A Wi-Fi module, which is used in many embedded devices from various industries, allowing remote cyber attacks. The bugs were found by Vdoo, a provider of an automated device protection platform.

The most serious of all the identified module vulnerabilities is a bug with identifier CVE-2020-9395, which allows remote exploitation of a stack overflow. Exploitation of the vulnerability allows full control over the module and wireless communication of the device. Cybercriminals can use a vulnerability to hack a device even if they do not know the network password.

Cisco patch ASAP

Multiple critical security flaws have been reported in Cisco VPN routers for businesses that could allow unauthenticated, remote attackers to execute arbitrary code as the root user on the affected devices.

Cisco released updates fixing vulnerabilities in the RV160 and RV260 line of routers with built-in VPN. A total of seven vulnerabilities were fixed. Cisco did not give technical details, but reported that their criticality score is 9.8 out of 10. The bugs are caused by an incorrect mechanism for handling HTTP requests, which allows a hacker to remotely execute code with root privileges.

Updates for RV016, RV042, RV082, RV320 and RV325 routers, fixing a bunch of vulnerabilities that allowed attacker to execute commands with root privileges, perform RCE and cause DoS. + Two more CVE-2021-1296 and CVE-2021-1297 vulnerabilities were fixed in the same routers, allowing an unauthenticated user to access the file system.

Start to update your devices. Pls.

CVE-2021-3345

A critical vulnerability in GNU Privacy Guard (GnuPG) encryption software allows attackers to write arbitrary data to vulnerable systems and potentially execute code. The problem was discovered on January 28, 2021, by security researcher Tavis Ormandy of Google Project Zero, and affects the Libgcrypt library used by GnuPG. Only version 1.9.0 of the library is affected by the CVE-2021-3345 vulnerability.

Users of Libgcrypt 1.9.0 are recommended to update to version 1.9.1 as soon as possible or get back to an older version (1.8.5 or higher).


Tools

MSSQL Link Crawl – OpenQuery Quotes Calculator for Red Team

APT-Hunter is Threat Hunting tool for windows event logs which made by purple team mindset to provide detect APT movements hidden in the sea of windows event logs to decrease the time to uncover suspicious activity

ScareCrow – Payload Creation Framework Designed Around EDR Bypass

Gatekeeper – First Open-Source DDoS Protection System.


News

Silver Sparrow malware infected about 30,000 Mac

Red Canary, Malwarebytes and VMWare Carbon Black discovered the Silver Sparrow malware targeting Mac users. According to experts, the malware has already infected 29,139 systems in 153 countries. The most affected systems are located in the US, UK, Canada, France and Germany.

It is specifically emphasized that Silver Sparrow is able to operate even on systems equipped with Apple’s new M1 chip. This makes Silver Sparrow only the second discovered threat adapted for the M1 (we wrote about the first one this month).

The researchers write that they found two different versions of the malware: one compiled only for Intel x86-64 and uploaded to VirusTotal on August 31, 2020 (updater.pkg), and a second version appeared on January 22, 2021, and is already compatible with Intel x86-64 and M1 ARM64 architectures (update.pkg).

ZDNet reported that ransomware RansomExx attacks on virtual machines in enterprise environments have been reported since last October. Evidence suggests that hackers use CVE-2019-5544 and CVE-2020-3992 in VMware ESXi hypervisor, which allows an attacker to take control of the hypervisor via SLP protocol if it is in the same network. As a result of the attack, hackers encrypt all virtual hard disks.

RansomExx are the ransomware attackers that last year successfully attacked Brazilian aircraft manufacturer Embraer, the Brazilian Supreme Court, and U.S. IT giant Tyler Technologies, which ended up paying the attackers a ransom.

LodaRAT attacks not only Windows, but also Android

The LodaRAT malware is known to attack Windows systems, but has now turned to mobile users. In the new campaign, cybercriminals “set” LodaRAT on Android devices.

LodaRAT’s main task is to spy on victims and steal their data. Previously, the malware focused exclusively on Windows, but the recently discovered sample suggests that the authors are gradually improving their development.

Qihoo 360 discovered a new DDoS botnet, Matryosh, which consists of Android devices accessible on the Internet via ADB (Android Debug Bridge). ADB is disabled on most Android devices, some gadgets come with ADB enabled.

The researchers write that Matryosh differs from other similar botnets in that it uses Tor to hide its control servers, and a complex multilevel process is used to obtain the address of this server itself, which gave the botnet its name – by analogy with a nesting doll.

Data Breach Exposes 1.6 Million Jobless Claims Filed in the Washington State

Using a vulnerability in the Accellion product, hackers stole the data of 1.6 million Washington residents who applied for unemployment benefits. It is also known that the victims of cyberattacks were the Singapore telecommunications company Singtel, the law firm Allens and the QIMR Berghofer Medical Research Institute from Australia, the University of Colorado and a number of other companies and organizations.

In a study presented this week at the Network and Distributed System Security Symposium (NDSS) conference, experts examined vulnerabilities in a process that Amazon uses to validate third-party Alexa applications known as Skills.

As scientists have established, the so-called squatting Skills is very popular, when Skills try to force users to call them inadvertently using phrases and names that look like real phrases and names for these Skills.

Finally, the researchers found that only 24.2% of Alexa Skills do not fully disclose the data they collect, and 23.3% cannot adequately explain the data types associated with the permissions requested.


Research

Video reports from Black Hat US 2020 are available to watch online! Enjoy! https://www.youtube.com/playlist?list=PLH15HpR5qRsXE_4kOSy_SXwFkFQre4AV_

Farming for Red Teams: Harvesting NetNTLM: https://www.mdsec.co.uk/2021/02/farming-for-red-teams-harvesting-netntlm/

Dump lsass with Windows OS native tools: https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2

Offensive Windows IPC Internals 2: RPC
https://csandker.io/2021/02/21/Offensive-Windows-IPC-2-RPC.html
Offensive Windows IPC Internals 1: Named Pipes
https://csandker.io/2021/01/10/Offensive-Windows-IPC-1-NamedPipes.html

Presentation about Windows Artifacts: https://docs.google.com/presentation/d/1_cxqSHhcELSiZkscEQsvryzzB2ti1lvCwtpRn84xyxM/edit#slide=id.gbdfcdcfab2_1_0

Defences against Cobalt Strike – a curated collection of materials/links discussing detection and mitigation: https://github.com/MichaelKoczwara/Awesome-CobaltStrike-Defence


Really short feedback -> here

Leave a Reply