Second Tuesday patch, another victim of the ransomware and a friendly reaction of CERT teams to counter Emotet

ICS attacks, little known to the general public, are perhaps the most devastating in terms of potential negative consequences. New Bluetooth vulnerability and cool malware news.

  • Vulnerabilities: Not an interesting microsoft patch (yet), ICS and bluetooth;
  • Tools: Traditionally;
  • News: Malware activity and CERT alert;
  • Research: Mainly for Windows enthusiasts.

Feedback -> here


Microsoft released another September security update, which fixed 129 vulnerabilities in 15 of its products, including Windows, Edge, Internet Explorer, Microsoft Office, Share Point and a number of others.

Out of 129 vulnerabilities, 32 allow an attacker to perform remote code execution (RCE), 20 of them are critical.

This three-part series highlights the technical challenges involved in finding and exploiting JavaScript engine vulnerabilities in modern web browsers and evaluates current exploit mitigation technologies. The exploited vulnerability, CVE-2020-9802, was fixed in iOS 13.5, while two of the mitigation bypasses, CVE-2020-9870 and CVE-2020-9910, were fixed in iOS 13.6.

Clarity's infosec researchers on Tuesday released a report that they found 6 critical vulnerabilities in Wibu-Systems' CodeMeter component, which is used by ICS software vendors to manage licenses.

The vulnerabilities identified allow remote code execution, denial of service, information retrieval from the attacked device, etc. In fact, the attacked ICS host can be completely taken under external control. Major ICS vendors such as Siemens and Rockwell have already recognized the presence of security threats associated with the identified vulnerabilities in CodeMeter in their software.

Bluetooth SIG and the CERT Coordination Center at Carnegie Mellon University issued warnings regarding a new BLURtooth vulnerability. The problem lies in the Cross-Transport Key Derivation (CTDK) component, which is used to negotiate authentication keys when pairing devices via BR / EDR or BLE, and allows an attacker to intercept such keys. As a result, a hacker can replace the authentication key or reduce its reliability.

All devices using Bluetooth versions 4.0 to 5.0 are affected.


It is a simple host-based IOC scanner built around the YARA pattern matching engine and other scan modules. The main goal of this project is easy operationalization of YARA rules and other indicators of compromise.

HashCat added support to crack password-protected RAR 3 archives without header encryption (both compressed and uncompressed).

C/C++ source obfuscator for antivirus bypass.

Resource monitor that shows usage and stats for processor, memory, disks, network and processes.


ESET experts have discovered the CDRThief malware targeting softswitches of a specific Linux-based VoIP platform. This platform is very specific and is used by two switches: Linknat VOS2009 and VOS3000.

The researchers could not find out who exactly is the developer of the malware called CDRThief, and for what purpose it was created. The peculiarity of CDRThief is that the malware attacks only software VoIP switches running on the Linux platform, in particular Linknat VOS2009 and VOS3000.

NetWalker, whose attack only recently caused the Argentine border to close for 4 hours, successfully attacked the Pakistani power grid company K-Electric, the only power supplier in the Pakistani city of Karachi, on September 7.

Billing and online services were also affected by the break-in. It's a good thing the hackers didn't get to the electricity transit control system.\_FR/status/1303011855187742722?s=20

The CERT teams in France, Japan and New Zealand have issued security warnings reporting a massive surge of spam campaigns organized by Emotet botnet operators targeting enterprises and government agencies in the above countries.

Although the number of attacks in France was much lower, Emotet managed to infect the computers of the Parisian judicial system, got into the headlines of the media and caused a lot of turmoil, which resulted in the warning issued by the authorities. In addition, the French Ministry of the Interior now blocks the delivery of any Office (.doc) documents by email.


What Happens When you Type Your Password into Windows?
This post is REALLY well written and goes into a lot of depth about Windows Internals (LSA especially, as you’d expect) without being too jargony / acronym heavy.

Disabling Windows Event Logs by Suspending EventLog Service Threads:

Bypass AMSI by manual modification part II - Invoke-Mimikatz:

Hype news, all of us saw this topic on the week. "How I Hacked Facebook Again! Unauthenticated RCE on MobileIron MDM":

WSUS Attacks Part 2: CVE-2020-1013 a Windows 10 Local Privilege Escalation 1-Day:

Feedback -> here