SAP, SIGred, procmon for Linux, Tsunami, Twitter and ZOOM?

Vulnerabilities: There were a couple of high-profile news items about vulnerabilities this week: SAP and SIGRed (patch them, please!)
Tools: A couple of cool tools appeared: Procmon for Linux and the Tsunami scanner from Google
News: Over 100 high-profile Twitter accounts hacked via an internal tool that was leaked by a Twitter employee. ZOOM? Again?
And Research, because technical descriptions are always interesting to someone.

Feedback: https://forms.gle/D17BaFwD5hJnKkUUA


Vulnerabilities

In May, Onapsis discovered a vulnerability with a maximum score of 10 on the criticality scale (CVSS) in several products of the German business software vendor SAP.

SAP released updates to its software to address the vulnerability. The researchers named the vulnerability (CVE-2020-6287) RECON. It affects a component of SAP NetWeaver AS and allows unauthenticated attackers to create a user account with maximum privileges and take full control of the targeted SAP system.

SAP also fixed CVE-2020-6286, a directory traversal vulnerability that allows an unauthenticated attacker to upload zip files to a specific directory. According to the Onapsis specialists who discovered the vulnerability, the problem currently affects 40,000 users of SAP products.

https://twitter.com/bad_packets/status/1283473525613838336?s=20

PoC: https://github.com/chipik/SAP_RECON

There is no public information about RECON being exploited in the wild, although it is possible that attackers have already used it.

https://vulners.com/thn/THN:D01CFEFA5701B3385F989E1BE705F6AA

https://vulners.com/threatpost/THREATPOST:AA1F3088D813F95D476A024378F27010

CVE-2020-1350 (SIGRed)

Earlier, we posted about this vulnerability: Windows DNS vulnerability - CVSS 10

The US Cybersecurity and Infrastructure Security Agency (CISA) has directed federal executive branch agencies to apply the emergency update to all vulnerable systems across their information systems within 24 hours (by 14:00 EST on July 17).

The directive also recommends removing Windows Server-based systems from the network if they cannot be patched within 7 days. In addition, CISA recommends that state and municipal governments apply the same measures.

https://vulners.com/threatpost/THREATPOST:363C332F7046A481C24C7172C55CF758

CVE-2020-13851

Pandora FMS is a network monitoring tool for IT infrastructure management. CVE-2020-13851 is a remote code execution vulnerability in the Pandora FMS Events component, affecting versions 7.0 NG 742, 7.0 NG 743, and 7.0 NG 744 and older.

https://vulners.com/metasploit/MSF:EXPLOIT/LINUX/HTTP/PANDORA_FMS_EVENTS_EXEC

https://vulners.com/packetstorm/PACKETSTORM:158390

Microweber is a drag-and-drop website builder (CMS) written in PHP. CVE-2020-13405 allows an unauthenticated user to retrieve the users database via a POST request.

https://vulners.com/rhino/RHINO:DCE9F3F862FF55893CF0D8C81389CFDE


Tools

ProcMon-for-Linux
Process Monitor (Procmon) is a Linux reimagining of the classic Procmon tool from the Sysinternals suite of tools for Windows.

https://github.com/microsoft/ProcMon-for-Linux

Saferwall
An open-source malware analysis platform.

https://vulners.com/kitploit/KITPLOIT:1645103403258591729

Tsunami
A general-purpose network security scanner from Google with an extensible plug-in system for detecting high-severity vulnerabilities with a high degree of confidence.

https://vulners.com/kitploit/KITPLOIT:5921383082083032652


News

Twitter reported this week that it had detected a social-engineering attack targeting some of its employees who had access to internal systems and tools.

More than 100 accounts of well-known people such as Bill Gates, Elon Musk and Barack Obama were compromised. Using the compromised accounts, the attackers tried to lure users into a fraudulent "crypto giveaway" scheme.

This is not the first time popular accounts have been compromised to promote this kind of scam. In March, attackers hijacked Microsoft's official YouTube account and spent more than 13 hours streaming a recording of one of Gates' talks overlaid with "crypto giveaway" text.

https://vulners.com/threatpost/THREATPOST:4C3440BDCDCD1BB109EDED1F387D579D

https://vulners.com/threatpost/THREATPOST:1290136854E72CD603A0CD0DB94456E5

According to ZDNet, the leak of MGM Resorts guests' personal data, first reported in February 2020, was much larger than previously thought.

Last week, a hacker put a stolen MGM Resorts database containing information on more than 142 million guests up for sale on the darknet. The hacker claims to have obtained the database through a recent breach of Night Lion Security's DataViper service.

https://vulners.com/hackread/HACKREAD:24009FC506E995F21866638CD6187233

https://vulners.com/threatpost/THREATPOST:E0BCE5B6395F365CFE828A049C30E7BA

Check Point reported a vulnerability in the popular Zoom software. The vulnerability allows attackers to impersonate legitimate organizations and deceive their employees or business partners into handing over personal or other sensitive information through social engineering.

Because of incorrect account verification, any meeting could be started under any organization's Vanity URL, even if the meeting was created from an unrelated account. This allowed an attacker to carry out phishing attacks while posing as a legitimate employee of that company.

https://vulners.com/thn/THN:AA0193759D19B45D660DB6BD6641A1E0

https://vulners.com/threatpost/THREATPOST:E07387431E59AD0A09420F7EFA295856


Research

New Attack Technique Uses Misconfigured Docker API: https://www.darkreading.com/attacks-breaches/new-attack-technique-uses-misconfigured-docker-api/d/d-id/1338366

Malware Wiki: https://malpedia.caad.fkie.fraunhofer.de/library

Hunting for advanced Tactics, Techniques and Procedures (TTPs): https://cyberpolygon.com/materials/hunting-for-advanced-tactics-techniques-and-procedures-ttps

Bypassing Symantec Endpoint Protection for Fun & Profit (Defense Evasion): https://cognosec.com/bypassing-symantec-endpoint-protection-for-fun-profit-defense-evasion/
