Vulners weekly digest #9
Four NO traditional sections in our weekly digest. Enjoy!
Vulnerabilities and additional info
LPE Windows CVE-2019-0880
Detailed research CVE-2019-0880 without exploit. Zero day?
https://byteraptors.github.io/windows/exploitation/2020/05/24/sandboxescape.html
According to my tests, this bug seems to be still working against a full-patched Windows 7 system and for this reason I chose not to publish the exploit code.
Research story about exploring macOS Calendar Alerts
Cool and not boring research. It reads like an interesting story from life and consists of 2 parts. The second part describes the CVE-2020-3882 to data exfiltration:
- https://research.nccgroup.com/2020/05/05/exploring-macos-calendar-alerts-part-1-attempting-to-execute-code
- https://research.nccgroup.com/2020/05/28/exploring-macos-calendar-alerts-part-2-exfiltrating-data-cve-2020-3882/
myLittleAdmin < 3.8 v
myLittleAdmin is a web-based solution to manage SQL Server databases. CVE-2020-13166 allow execute remote arbitary code. Vulnerability in ViewState .NET deserialization in web-based MS SQL Server management tool myLittleAdmin, due to hardcoded parameters (machineKey) in the web.config file for ASP.NET.
CVE-2020-13398 FreeRDP
The vulnerability of a record outside the field is contained in the crypto_rsa_common function in libfreerdp/crypto.c. A remote attacker can send specially generated data to an application, exploit the vulnerability and execute arbitrary code on the target system.
Tools
ADCollector
ADCollector is a lightweight and an actively developing tool that enumerates the Active Directory environment to identify possible attack vectors. It will give you a basic understanding of the configuration/deployment of the environment as a starting point.
ANDRAX
ANDRAX is a Penetration Testing platform developed specifically for Android smartphones, ANDRAX has the ability to run natively on Android so it behaves like a common Linux distribution.
ezEmu
ezEmu enables users to test adversary behaviors via various execution techniques. Sort of like an "offensive framework for blue teamers", ezEmu does not have any networking/C2 capabilities and rather focuses on creating local test telemetry.
News
GitHub detected malware that infects projects in the NetBeans integrated development environment and uses the build process for its distribution. The investigation revealed that the malware in question, which was named Octopus Scanner, had hidden backdoors in 26 open source projects that had repositories on GitHub. The first traces of Octopus Scanner development date back to August 2018.
https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain
SaltStack
F-Secure made the month of May more interesting for many SaltStack users by publishing details of a vulnerability on April 30th, a patch for which was released only the day before. Hackers did not hesitate to take advantage of it, wrote an exploit in a day and started attacking unpatched servers. We described all saltstack events in previous digests
After almost a month, data about the victims continues to surface. Cisco admitted that six of its back-end servers running SaltStack had been hacked. The affected servers were only updated on May 7. It is not clear whether it was a planned update or an urgent update after the hack was detected. In any case, it gives an idea of the time frame for updating vulnerable software after the release of the corresponding patch, which is common even in software giants like Cisco, which have their own large infoshops.
https://vulners.com/threatpost/THREATPOST:64DC6B60F693E46DD314DB70A547D319
26 million LiveJournal credentials leaked
In 2014, LiveJournal was compromised, resulting in the theft of a database containing 26 million users. Rumors about the incident with information leakage appeared back in 2018, and this year the DreamWidth blogging platform, created on the basis of the old LiveJournal code base, reported massive attempts to use the old LJ login-password.
HIBP data leakage indexing service reported that it received a copy of the LiveJournal database containing data from 26 million users, including logins, passwords and email addresses.
https://vulners.com/threatpost/THREATPOST:01C56213F6966EE9B018CB1402D75C92
Threat hunting and malware research
Information security news will always include news about different APT groups, malware and attacks. Some blue/purple teams keep track of such news. That's why we will sometimes try to publish info about it in a separate section - threat hunting and malware research.
Security researchers from Cybereason Nocturnus have discovered Valak. It was first observed in late 2019. Malware has an evolution of over 30 different versions in less than six months. Valak target Microsoft Exchange servers to steal enterprise mailing information and passwords along with the enterprise certificate. This has the potential to access critical enterprise accounts, causing damage to organizations, brand degradation, and ultimately a loss of consumer trust.
The malware has a complex structure consisting of several modules. A detailed review shows each deployment stage and how these actions map to the MITRE matrix:
https://vulners.com/threatpost/THREATPOST:DA759E08269924C7FE994291DBAF45AB
Every few months there are new researches of the TrickBot's functionality. It can be especially useful for malware researchers and threat hunters.
https://unit42.paloaltonetworks.com/goodbye-mworm-hello-nworm-trickbot-updates-propagation-module
GetEnvironmentVariable as an alternative to WriteProcessMemory in process injections: https://x-c3ll.github.io/posts/GetEnvironmentVariable-Process-Injection
Maze ransomware that not only encrypts a victims files, but also threatens to publish them. We wrote about this ransomware virus in our digests, which was seen in many attacks on various organizations.
IOCs and research: https://blog.talosintelligence.com/2020/05/astaroth-analysis.html
Please leave your feedback. It takes less than one minute and helps us get better: https://forms.gle/D17BaFwD5hJnKkUUA