Top and unmentioned news of the last month, except for ProxyLogon

A frightening trend of exploits/PoCs for processor vulnerabilities found in 2018 began this month. The good news is that many companies did update their Exchange servers, but the authors of the malware don’t think to stop and continue to automate exploitation of the vulnerabilities. Keep subscribing to new news from Vulners and stay on the latest with us!

  • Vulnerabilities: PoC for Intel processors, WordPress forever vulnerable, zoom (again), cool research from Google Project Zero and etc;
  • Tools: Nothing but offensive tools;
  • News: Data leaks, ransomware activity with returning money and repository hijacking;
  • Research: The most useful staff that author could find in the last month: blogs, courses, posts, research and etc.

Feedback


Vulnerabilities

Critical vulnerability found in Intel processors.

Researchers at the University of Illinois presented a report in which they talked about a new vulnerability found in the Intel Coffee Lake and Skylake processors. Its operation allows a potential attacker to gain access to the user’s confidential information. To date, experts have released an update that eliminates the discovered vulnerability.

NCC Group has released a report regarding vulnerabilities in Netgear ProSAFE Plus.

There is a super combo – 15 vulnerabilities, of which 10 are critical. Among them are remote code execution (RCE) without authentication, bypassing authentication, updating firmware without authentication, and much more.
The saddest thing is that some of the vulnerabilities are announced by EoL (End-of-Life) and will not be fixed by the manufacturer.

RCE vulnerabilities in Qnap NAS affect tens of thousands of devices

Qnap devices are at risk of unpatched vulnerabilities that can lead to arbitrary code execution.

  1. The first vulnerability is related to the NAS web server, which uses TCP port 8080 by default and exists due to the lack of proper input cleanup in some APIs;
  2. The second vulnerability was found in the DLNA server, which uses TCP port 8200 by default and handles UPNP requests on that port. According to SAM, the error can also be used to execute arbitrary code on vulnerable NAS.
Combo of Elementor WordPress / WP Super Cache

Wordfence discovered a vulnerability in Elementor plugins. XSS. It can be used to steal administrator credentials. However, you first need to get certain user rights in WordPress. The minimum role sufficient for publishing is Contributor.

WP Super Cache:
It was affected by an authenticated (admin +) RCE in the settings page due to input validation failure and weak $ cache_path check in the WP Super Cache Settings → Cache Location option. Direct access to the wp-cache-config.php file is not prohibited → vulnerability can be exploited for a web shell injection. Another possible vector: XSS (via Elementor plugin affected by XSS) to RCE.

RCE PoC for WP Super Cache.

Zoom vulnerability allows users confidential information to be disclosed to other callers.

Security researchers Michael Strametz and Matthias Deeg of SySS have discovered a vulnerability CVE-2021-28133 in the Zoom screen sharing feature, which could allow confidential user information to be shared with other call participants.

Сouple of critical vulnerabilities in the free MyBB web forum

Two critical vulnerabilities were found in the free web forum MyBB, which together allow a potential attacker to remotely execute malicious code. At the same time, for a successful attack, access to an account with high rights is not required.
The bugs became known thanks to two independent researchers, Simon Scannell and Karl Smith. The MyBB development team received information about the vulnerabilities on February 22, and on March 10, update 1.8.26 with a patch was released.

Google’s Project Zero expert shared information about problems resolved in March 2021 Windows Server containers. The problems allowed four ways to use privilege escalation.


Tools

Android-PIN-Bruteforce: Unlock an Android phone (or device) by bruteforcing the lockscreen PIN.

Seatbelt is a C# project that performs a number of security oriented host-survey “safety checks” relevant from both offensive and defensive security perspectives.

Release: APT-Hunter V1.1 Stable

APT-Hunter is Threat Hunting tool for windows event logs which made by purple team mindset to provide detect APT movements hidden in the sea of windows event logs to decrease the time to uncover suspicious activity

Rubeus is a C# toolset for raw Kerberos interaction and abuses. It is heavily adapted from Benjamin Delpy ‘s Kekeo project (CC BY-NC-SA 4.0 license) and Vincent LE TOUX ‘s MakeMeEnterpriseAdmin project (GPL v3.0 license). Full credit goes to Benjamin and Vincent for working out the hard components of weaponization- without their prior work this project would not exist.

SharpDPAPI is a C# port of some DPAPI functionality from @gentilkiwi ‘s Mimikatz project.


News

The darknet sells 8.2 TB of data from the MobiKwik mobile payment service

Mobikwik is a large Indian fintech platform, suffered from a major data breach: data of 100 million people got into the network. At the same time, representatives of Mobikwik stubbornly deny the fact of compromise.

Ransomware DeadCry uses ProxyLogon

Another strain of ransomware DeadCry, which uses an exploit kit of recently discovered vulnerabilities in Microsoft Exchange, already called ProxyLogon.

According to Michael Gillespie, the creator of ID Ransomware, the new ransomware started working approximately from March 9th. The same date for the compilation of the malware is confirmed by Vitaly Kremez. When encrypting files, appends the .CRYPT extension and the DEARCRY line to the beginning of each file. The ransomware operator requested a ransom of $ 16,000.

The attackers hacked into the PHP repository and loaded a backdoor into it. With this backdoor, hackers could remotely run malicious code on any web server running the newer version of PHP. The malicious change was made as a result of hacking the git.php.net server and disguised as fixing typos. The developers noticed the backdoor in time and eliminated it.

Ziggy ransomware returns money to victims

In February 2021, the ransomware operator Ziggy announced the end of its activities. At the same time, the decryption keys were published. Now the owners of Ziggy are ready to return the funds that the victims transferred to them earlier as a ransom.

The owners of Babuk / Babyk ransomware said on their website for leaks that they stole more than 700 GB of data from the American company PDI Group. It is one of the leading American developers and manufacturers of weapons control systems and auxiliary equipment for the US Air Force, Navy and Special Operations Command.


Research

Attackers are using a new way to use a component of the Windows operating system called the Background Intelligent Transfer Service (BITS) to covertly install malware on it. Cool research from fireeye

Top 10 CyberSec channels in the Telegram from SentinelOne: https://www.sentinelone.com/blog/top-10-telegram-cybersecurity-groups-you-should-join

+ 21 twitter accounts with InfoSec experts: https://www.sentinelone.com/blog/21-cyber-security-twitter-accounts-you-should-be-following-in-2021

MITRE ATT&CK Training Course, free from Cybrary. Also, new certs from Mitre themselves (see comments) for TI and SOC analysts. This course is geared for SOC analysts. https://www.cybrary.it/course/application-of-the-mitre-attack-framework

Free course with certification – Fundamentals of Modern Log Management Practices: https://academy.picussecurity.com/course/log-management-proactive-soc

A FREE comprehensive reverse engineering course covering x86, x64, 32-bit ARM & 64-bit ARM architectures. https://github.com/mytechnotalent/Reverse-Engineering

Antivirus Event Analysis Cheat Sheet v1.8: https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8

Tracee is a Runtime Security and forensics tool for Linux. It is using Linux eBPF technology to trace your system and applications at runtime, and analyze collected events to detect suspicious behavioral patterns. https://github.com/aquasecurity/tracee


Feedback (1 minute or less)

Leave a Reply