Default 4 sections:
Threat hunting and malware research
Apple has released updates to fix a CVE-2020-9859 that was used to jailbreak an iPhone with iOS 13.5. The vulnerability affects the iOS kernel and can allow an application to execute arbitrary code with kernel privileges.
CVE-2020-2883 in the Oracle WebLogic Server product of Oracle Fusion Middleware. Unauthenticated remote code execution can be achieved by sending a serialized 'BadAttributeValueExpException' object over the T3 protocol to vulnerable versions of WebLogic.
CVE-2020-3956 VMware Cloud Director
VMware Cloud Director is the popular software for deploying, automating and managing virtual infrastructure resources in multi-user cloud environments. The critical vulnerability is due to incorrect processing of input information and can be used by an authorized attacker to send malicious traffic to Cloud Director, resulting in arbitrary code execution.
Cisco Systems CVE-2020-10136
Vulnerability in products of Cisco Systems and other vendors, connected with the tunneling protocol IP-in-IP. An unauthorized attacker can route network traffic through the vulnerable device, conduct a DDoS attack, cause information leakage, and bypass network access controls.
Win python script to inject Macro and DDE code into Excel and Word documents (reverse shell).
**Selenium based web scraper to generate passwords list.
Enumy is an ultra fast portable executable that you drop on target Linux machine during a pentest or CTF in the post exploitation phase. Running enumy will enumerate the box for common security vulnerabilities.
This week, Cisco Talos reported two new vulnerabilities in ZOOM that potentially allow remote code execution on the target machine.
- The first vulnerability is the incorrect processing of GIF images, which can lead to the recording of a file created by an attacker with ZOOM user rights.
- The second vulnerability is the incorrect processing of messages by the ZOOM client, due to which a hacker can send a special message to the chat and achieve remote code execution (though this requires some “target interaction” with the attacked user).
Problems were discovered in May, and by now application developers have released relevant updates. Default recommendations - urgently update your ZOOM client.
U.S. military contractor Westech International was hacked by ransomware Maze, resulting in sensitive data being encrypted and copied by hackers. Leak confirmations are already posted on the network.
And all would be fine, after all, Westech International is not the first US military contractor to fall under ransomware, this company is directly involved in servicing the Minuteman III nuclear missiles that are in service with the United States.
The REvil ransomware operators (Sodinokibi) launched an auction site like eBay, where they will put up for sale data stolen from companies. The first to be auctioned were data from a Canadian agricultural company whose networks were hacked last month. Starting price is $ 50 thousand in Monero cryptocurrency. The REvil operators abandoned Bitcoin in favor of Monero for security reasons in April this year.
Sodinokibi promise to soon reveal Madonna’s data stolen May 12 from the American law firm Grubman Shire Meiselas & Sacks, which they threatened with last week. Estimated starting price - $ 1 million.
Threat hunting and malware research #
Detect in-memory .NET assemblies, detailing a case study of Cobalt Strike’s execute-assembly feature: https://www.mdsec.co.uk/2020/06/detecting-and-advancing-in-memory-net-tradecraft
Using macros in microsoft documents is one of the most popular techniques among attackers. Many security vendors currently do not have detection mechanisms to run these samples. Building signatures and correlation rules for this type of attack is an important task.
Files as well as macros are actively used by attackers. One of the non-typical ways seen in the use of the APT group: https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa
We can not just not mention the next analysis of the functionality of the new ransomware in our digest: https://www.carbonblack.com/2020/06/03/tau-threat-analyis-medusa-locker-ransomware
Please leave your review. A few questions will take no more than one minute and helps us become better: https://forms.gle/D17BaFwD5hJnKkUUA