Not many vulnerabilities appeared this week, and almost no zero-days, but every one mentioned here is critical and needs to be fixed urgently. Unfortunately, some of the updates do not fully work: they close part of the hole and leave the rest exploitable. Read our digest and it will become clearer. Of the news, we skip the overly boring items and point out the ones that are most important and valuable.
Vulnerabilities: PrintNightmare with a fix (not quite), CISA alert, QNAP again and a Rapid7 report;
Tools: Sharperner, GitDump, RemotePotato0 and a useful fast way to import EVTX logs into Elasticsearch (ES);
News: Kaseya phishing, why not? + a new attack technique from McAfee;
Research: Defensive and Pentesting.
Microsoft released an emergency patch for PrintNightmare, CVE-2021-34527, a critical remote code execution (RCE) vulnerability in the Windows Print Spooler service. According to CISA (the US Cybersecurity and Infrastructure Security Agency), the out-of-band updates address only the remote exploitation path and not the local privilege escalation component. At release time there were also no updates for Windows 10 1607, Windows Server 2012 and Windows Server 2016; Microsoft said updates for these versions would follow later.
One of the most dangerous vulnerabilities of recent days!
After the update was released it became known that KB5004945, which was supposed to fix PrintNightmare, did not actually fix it. More precisely, it fixed it, but not completely: Microsoft's own follow-up guidance (KB5005010) is that the fix only holds if Point and Print is not configured to let non-administrators install printer drivers without a prompt. Only afterwards did Microsoft release KB5004948 to close the hole on Windows 10 1607 and Windows Server 2016, but what about the other versions?
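Because a host can be "patched" and still exposed, the practical question is whether the spooler is running, whether one of the out-of-band updates is present, and whether the Point and Print policy re-opens the hole. The script below is an added example for this digest, not Microsoft's or any researcher's code. It assumes the KB numbers named above, Microsoft's documented Point and Print policy key (NoWarningNoElevationOnInstall / UpdatePromptSettings) and the "Allow Print Spooler to accept client connections" policy value (RegisterSpoolerRemoteRpcEndPoint); run it in an elevated PowerShell session on the host being assessed.

```powershell
# Added example (not from the original digest): quick PrintNightmare exposure check.
# KB numbers are the ones discussed above; extend -KnownFixes for other builds.
function Test-PrintNightmareExposure {
    [CmdletBinding()]
    param(
        [string[]]$KnownFixes = @('KB5004945', 'KB5004948')
    )

    $printersPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $pnpPolicy      = Join-Path $printersPolicy 'PointAndPrint'

    # 1. Is the Print Spooler running? Stopping and disabling it removes the
    #    attack surface entirely on hosts that do not need to print.
    $spooler        = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $spoolerRunning = ($null -ne $spooler) -and ($spooler.Status -eq 'Running')

    # 2. Is one of the out-of-band updates installed?
    $installed = @(Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $KnownFixes -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID)

    # 3. Point and Print settings that re-open the hole even on patched hosts:
    #    NoWarningNoElevationOnInstall=1 or UpdatePromptSettings=1 lets a
    #    non-admin install an attacker-supplied driver without any prompt.
    $pnp       = Get-ItemProperty -Path $pnpPolicy -ErrorAction SilentlyContinue
    $noWarning = [int]($pnp.NoWarningNoElevationOnInstall)   # $null -> 0
    $noPrompt  = [int]($pnp.UpdatePromptSettings)            # $null -> 0
    $pnpWeak   = ($noWarning -eq 1) -or ($noPrompt -eq 1)

    # 4. RegisterSpoolerRemoteRpcEndPoint=2 disables inbound remote printing
    #    (the "Allow Print Spooler to accept client connections" policy).
    $printers       = Get-ItemProperty -Path $printersPolicy -ErrorAction SilentlyContinue
    $remoteDisabled = ([int]($printers.RegisterSpoolerRemoteRpcEndPoint) -eq 2)

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        SpoolerRunning        = $spoolerRunning
        KnownFixInstalled     = ($installed.Count -gt 0)
        InstalledFixes        = ($installed -join ',')
        PointAndPrintWeak     = $pnpWeak
        RemotePrintingBlocked = $remoteDisabled
        # Exposed if the spooler runs and either no fix is present or the
        # Point and Print policy allows unprompted driver installs.
        LikelyExposed         = $spoolerRunning -and (($installed.Count -eq 0) -or $pnpWeak)
    }
}

Test-PrintNightmareExposure | Format-List
```

A host reporting LikelyExposed = True should have the spooler stopped and disabled (Stop-Service Spooler; Set-Service Spooler -StartupType Disabled) unless it is a print server, in which case the Point and Print values must be set to 0 and remote connections blocked where they are not needed. Run the function across a fleet with Invoke-Command to get a single table of exposed hosts.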
CISA released an advisory on 15 vulnerabilities affecting Philips Vue medical products. Several of the issues are in third-party components such as Redis, 7-Zip, Oracle Database, jQuery, Python and Apache Tomcat. The vulnerabilities affect the Philips Clinical Collaboration Platform Portal (Vue PACS) solutions, including MyVue, Vue Speech and Vue Motion.
QNAP again: CVE-2021-28809 was discovered by Ta-Lun Yen of TXOne IoT/ICS Security Research Labs in HBS 3 (Hybrid Backup Sync), QNAP's disaster recovery and data backup application.
The company says the bug is fixed in the following HBS 3 releases: on QTS 4.3.6, HBS 3 v3.0.210507 and later; on QTS 4.3.4, HBS 3 v3.0.210506 and later; on QTS 4.3.3, HBS 3 v3.0.210506 and later. QNAP devices running QTS 4.5.x with HBS 3 v16.x are not affected.
Rapid7 discovered vulnerabilities in Sage X3 ERP software, including flaws that can be exploited remotely without authentication to gain complete control over the system.
Of the four vulnerabilities identified by the researchers (CVE-2020-7387 through CVE-2020-7390), CVE-2020-7388 is the most critical: it is an unauthenticated remote command execution issue in the service used for remote administration of Sage ERP through the Sage X3 console.
The vulnerabilities were reported to Sage in February 2021 and fixed the following month. In May all customers were notified of the patched releases: Sage X3 Version 9, Sage X3 HR & Payroll Version 9, Sage X3 Version 11 and Sage X3 Version 12, each with an updated Syracuse build.
Sharperner is a tool written in C# that generates a .NET dropper with AES- and XOR-obfuscated shellcode. The generated executable can possibly bypass signature checks, but I can't be sure it can bypass heuristic scanning.
GitDump: a pentesting tool that dumps source code from an exposed .git directory even when web server directory listing is disabled.
RemotePotato0: another "Won't Fix" Windows privilege escalation from user to domain admin.
Malwarebytes has detected phishing emails containing fake Kaseya notifications that prompt customers to download and execute an attachment called SecurityUpdates.exe, supposedly to address a vulnerability in VSA software and protect against ransomware.
(The attached Windows executable was actually a Cobalt Strike payload.)
Meanwhile, over the weekend Kaseya released VSA update 9.5.7a with fixes for the Virtual System Administrator vulnerabilities CVE-2021-30116 (credential leak), CVE-2021-30119 (cross-site scripting) and CVE-2021-30120 (2FA bypass), which, according to the vendor, were the ones used by REvil.
A new infection technique, identified by analysts at McAfee, uses a harmless-looking Microsoft Word document to create a malicious macro on the fly and to disable the security alerts that would otherwise prevent it from running. The scheme is currently used to stealthily deliver the ZLoader malware via spam.
According to the McAfee blog post, the infection chain starts in the usual way, when the user opens a Word document attached to an email. Contrary to expectations, however, the document distributed in the spam contains no malicious code of its own, although the user is still asked to enable macros in order to view it.
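A macro that writes VBA into another document at runtime needs "Trust access to the VBA project object model" (AccessVBOM = 1) and, to run without the prompt the page mentions, "Enable all macros" (VBAWarnings = 1); both live in the per-user Office Trust Center registry keys. The check below is an added example for this digest, not McAfee's code, and the mapping of the technique onto those two values is my reading of the write-up; the registry layout (HKCU\Software\Microsoft\Office\<version>\<app>\Security) is Microsoft's documented one. Run it as the user whose Office profile you want to audit.

```powershell
# Added example (not from the original digest): audit Office macro trust settings
# that a "macro-writing macro" has to weaken before it can run unattended.
function Get-OfficeMacroSecurityPosture {
    [CmdletBinding()]
    param(
        [string[]]$Apps = @('Word', 'Excel', 'PowerPoint'),
        [string]$OfficeRoot = 'HKCU:\Software\Microsoft\Office'
    )

    # VBAWarnings (Trust Center > Macro Settings):
    #   1 = enable all macros (no warning)    2 = disable with notification (default)
    #   3 = disable except digitally signed   4 = disable all without notification
    # AccessVBOM = 1 means "Trust access to the VBA project object model", i.e. a
    # running macro may create or modify VBA in another document.
    $versions = Get-ChildItem -Path $OfficeRoot -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d+\.\d+$' }   # e.g. 16.0, 15.0

    foreach ($v in $versions) {
        foreach ($app in $Apps) {
            $secPath = Join-Path $v.PSPath "$app\Security"
            $sec = Get-ItemProperty -Path $secPath -ErrorAction SilentlyContinue
            if ($null -eq $sec) { continue }   # app not installed / never launched

            [pscustomobject]@{
                Version     = $v.PSChildName
                Application = $app
                VBAWarnings = $sec.VBAWarnings    # $null means "default" (2)
                AccessVBOM  = $sec.AccessVBOM     # $null means off
                # Either value at 1 is rare in a managed environment and is the
                # footprint this delivery technique leaves behind.
                Suspicious  = (($sec.VBAWarnings -eq 1) -or ($sec.AccessVBOM -eq 1))
            }
        }
    }
}

Get-OfficeMacroSecurityPosture | Format-Table -AutoSize
```

A row with Suspicious = True on a user who has not deliberately configured macro development is worth pulling the Word and Excel process history for (Word spawning Excel, or either application writing to these keys, is the sequence to look for in endpoint telemetry). The same values can be enforced fleet-wide through the HKLM policy hive so that a user-level change does not override them.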
An Empirical Assessment of Endpoint Detection and Response Systems against Advanced Persistent Threats Attack Vectors: https://www.mdpi.com/2624-800X/1/3/21/htm
Global Phishing Campaign Targets Energy Sector and its Suppliers: https://www.intezer.com/blog/research/global-phishing-campaign-targets-energy-sector-and-its-suppliers
Repository for different Windows DFIR-related commands, PowerShell cmdlets, etc., plus workshops that I did for different conferences or events.