Vulners weekly digest #10

Default 4 sections:
Vulnerabilities
Tools
News
Threat hunting and malware research


Vulnerabilities

Apple has released updates to fix a CVE-2020-9859 that was used to jailbreak an iPhone with iOS 13.5. The vulnerability affects the iOS kernel and can allow an application to execute arbitrary code with kernel privileges.

https://vulners.com/apple/APPLE:HT211214

undefined

CVE-2020-2883 in the Oracle WebLogic Server product of Oracle Fusion Middleware. Unauthenticated remote code execution can be achieved by sending a serialized 'BadAttributeValueExpException' object over the T3 protocol to vulnerable versions of WebLogic.

https://vulners.com/metasploit/MSF:EXPLOIT/MULTI/MISC/WEBLOGIC_DESERIALIZE_BADATTR_EXTCOMP

CVE-2020-3956 VMware Cloud Director

VMware Cloud Director is the popular software for deploying, automating and managing virtual infrastructure resources in multi-user cloud environments. The critical vulnerability is due to incorrect processing of input information and can be used by an authorized attacker to send malicious traffic to Cloud Director, resulting in arbitrary code execution.

https://vulners.com/packetstorm/PACKETSTORM:157909

Cisco Systems CVE-2020-10136

Vulnerability in products of Cisco Systems and other vendors, connected with the tunneling protocol IP-in-IP. An unauthorized attacker can route network traffic through the vulnerable device, conduct a DDoS attack, cause information leakage, and bypass network access controls.

https://vulners.com/threatpost/THREATPOST:B664DFB1B57D66837AE025D5CD687F70

PoC: github.com/CERTCC/PoC-Exploits/tree/master/cve-2020-10136


Tools

Eviloffice
Win python script to inject Macro and DDE code into Excel and Word documents (reverse shell).

https://vulners.com/kitploit/KITPLOIT:5850599175753788165

**Words Scraper
**Selenium based web scraper to generate passwords list.

https://vulners.com/kitploit/KITPLOIT:2751138742638729202

Enumy
Enumy is an ultra fast portable executable that you drop on target Linux machine during a pentest or CTF in the post exploitation phase. Running enumy will enumerate the box for common security vulnerabilities.

https://vulners.com/kitploit/KITPLOIT:6384515767173020709


News

undefined

This week, Cisco Talos reported two new vulnerabilities in ZOOM that potentially allow remote code execution on the target machine.

  • The first vulnerability is the incorrect processing of GIF images, which can lead to the recording of a file created by an attacker with ZOOM user rights.
  • The second vulnerability is the incorrect processing of messages by the ZOOM client, due to which a hacker can send a special message to the chat and achieve remote code execution (though this requires some “target interaction” with the attacked user).

Problems were discovered in May, and by now application developers have released relevant updates. Default recommendations - urgently update your ZOOM client.

https://vulners.com/thn/THN:96B1CC4A7203A91DE0E44071518570BB

Maze

U.S. military contractor Westech International was hacked by ransomware Maze, resulting in sensitive data being encrypted and copied by hackers. Leak confirmations are already posted on the network.

undefined

And all would be fine, after all, Westech International is not the first US military contractor to fall under ransomware, this company is directly involved in servicing the Minuteman III nuclear missiles that are in service with the United States.

https://vulners.com/threatpost/THREATPOST:E1D05D08F7124D4E36B712ECB4D58716

https://vulners.com/hackread/HACKREAD:7081B458B17F63A1C9C7DFFF7A19CD59

Sodinokibi

The REvil ransomware operators (Sodinokibi) launched an auction site like eBay, where they will put up for sale data stolen from companies. The first to be auctioned were data from a Canadian agricultural company whose networks were hacked last month. Starting price is $ 50 thousand in Monero cryptocurrency. The REvil operators abandoned Bitcoin in favor of Monero for security reasons in April this year.

Sodinokibi promise to soon reveal Madonna’s data stolen May 12 from the American law firm Grubman Shire Meiselas & Sacks, which they threatened with last week. Estimated starting price - $ 1 million.

https://vulners.com/malwarebytes/MALWAREBYTES:707641E0A447B0903AFE233DA91F69C7


Threat hunting and malware research

Detect in-memory .NET assemblies, detailing a case study of Cobalt Strike’s execute-assembly feature: https://www.mdsec.co.uk/2020/06/detecting-and-advancing-in-memory-net-tradecraft

Using macros in microsoft documents is one of the most popular techniques among attackers. Many security vendors currently do not have detection mechanisms to run these samples. Building signatures and correlation rules for this type of attack is an important task.
Research: https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization

Files as well as macros are actively used by attackers. One of the non-typical ways seen in the use of the APT group: https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa

We can not just not mention the next analysis of the functionality of the new ransomware in our digest: https://www.carbonblack.com/2020/06/03/tau-threat-analyis-medusa-locker-ransomware


Please leave your review. A few questions will take no more than one minute and helps us become better: https://forms.gle/D17BaFwD5hJnKkUUA