Second Tuesday patch, another victim of the ransomware and a friendly reaction of CERT teams to counter Emotet
ICS attacks, little known to the general public, are perhaps the most devastating in terms of potential negative consequences. New Bluetooth vulnerability and cool malware news.
- Vulnerabilities: Not an interesting microsoft patch (yet), ICS and bluetooth;
- Tools: Traditionally;
- News: Malware activity and CERT alert;
- Research: Mainly for Windows enthusiasts.
Feedback -> here
Vulnerabilities
Microsoft released another September security update, which fixed 129 vulnerabilities in 15 of its products, including Windows, Edge, Internet Explorer, Microsoft Office, Share Point and a number of others.
Out of 129 vulnerabilities, 32 allow an attacker to perform remote code execution (RCE), 20 of them are critical.
https://vulners.com/qualysblog/QUALYSBLOG:22507355C87630C1D3B720E2ED98701A
This three-part series highlights the technical challenges involved in finding and exploiting JavaScript engine vulnerabilities in modern web browsers and evaluates current exploit mitigation technologies. The exploited vulnerability, CVE-2020-9802, was fixed in iOS 13.5, while two of the mitigation bypasses, CVE-2020-9870 and CVE-2020-9910, were fixed in iOS 13.6.
- JITSploitation I: A JIT Bug https://googleprojectzero.blogspot.com/2020/09/jitsploitation-one.html
- JITSploitation II: Getting Read/Write https://googleprojectzero.blogspot.com/2020/09/jitsploitation-two.html
- JITSploitation III: Subverting Control Flow https://googleprojectzero.blogspot.com/2020/09/jitsploitation-three.html
Clarity's infosec researchers on Tuesday released a report that they found 6 critical vulnerabilities in Wibu-Systems' CodeMeter component, which is used by ICS software vendors to manage licenses.
The vulnerabilities identified allow remote code execution, denial of service, information retrieval from the attacked device, etc. In fact, the attacked ICS host can be completely taken under external control. Major ICS vendors such as Siemens and Rockwell have already recognized the presence of security threats associated with the identified vulnerabilities in CodeMeter in their software.
https://vulners.com/threatpost/THREATPOST:2599160F787BE161604E8BC2847A6643
Bluetooth SIG and the CERT Coordination Center at Carnegie Mellon University issued warnings regarding a new BLURtooth vulnerability. The problem lies in the Cross-Transport Key Derivation (CTDK) component, which is used to negotiate authentication keys when pairing devices via BR / EDR or BLE, and allows an attacker to intercept such keys. As a result, a hacker can replace the authentication key or reduce its reliability.
All devices using Bluetooth versions 4.0 to 5.0 are affected.
Tools
Spyre
It is a simple host-based IOC scanner built around the YARA pattern matching engine and other scan modules. The main goal of this project is easy operationalization of YARA rules and other indicators of compromise.
https://vulners.com/kitploit/KITPLOIT:7102551693702401840
HashCat added support to crack password-protected RAR 3 archives without header encryption (both compressed and uncompressed).
https://github.com/hashcat/hashcat/pull/2542
Avcleaner
C/C++ source obfuscator for antivirus bypass.
https://vulners.com/kitploit/KITPLOIT:4032586613269108389
Resource monitor that shows usage and stats for processor, memory, disks, network and processes.
https://vulners.com/kitploit/KITPLOIT:8575227727249244515
News
ESET experts have discovered the CDRThief malware targeting softswitches of a specific Linux-based VoIP platform. This platform is very specific and is used by two switches: Linknat VOS2009 and VOS3000.
The researchers could not find out who exactly is the developer of the malware called CDRThief, and for what purpose it was created. The peculiarity of CDRThief is that the malware attacks only software VoIP switches running on the Linux platform, in particular Linknat VOS2009 and VOS3000.
https://vulners.com/threatpost/THREATPOST:CC36778C57D70FDBF33E0312D1D94980
NetWalker, whose attack only recently caused the Argentine border to close for 4 hours, successfully attacked the Pakistani power grid company K-Electric, the only power supplier in the Pakistani city of Karachi, on September 7.
Billing and online services were also affected by the break-in. It's a good thing the hackers didn't get to the electricity transit control system.
https://vulners.com/hackread/HACKREAD:5471D8BD1438F13E2FB94F1A65FC5F43
https://twitter.com/CERT\_FR/status/1303011855187742722?s=20
The CERT teams in France, Japan and New Zealand have issued security warnings reporting a massive surge of spam campaigns organized by Emotet botnet operators targeting enterprises and government agencies in the above countries.
Although the number of attacks in France was much lower, Emotet managed to infect the computers of the Parisian judicial system, got into the headlines of the media and caused a lot of turmoil, which resulted in the warning issued by the authorities. In addition, the French Ministry of the Interior now blocks the delivery of any Office (.doc) documents by email.
https://vulners.com/thn/THN:7B3307917C6DDA9C6762FF94701C354F
Research
Top!
What Happens When you Type Your Password into Windows?
This post is REALLY well written and goes into a lot of depth about Windows Internals (LSA especially, as you’d expect) without being too jargony / acronym heavy.
https://syfuhs.net/what-happens-when-you-type-your-password-into-windows
Disabling Windows Event Logs by Suspending EventLog Service Threads: https://www.ired.team/offensive-security/defense-evasion/disabling-windows-event-logs-by-suspending-eventlog-service-threads
Bypass AMSI by manual modification part II - Invoke-Mimikatz: https://s3cur3th1ssh1t.github.io/Bypass-AMSI-by-manual-modification-part-II
Hype news, all of us saw this topic on the week. "How I Hacked Facebook Again! Unauthenticated RCE on MobileIron MDM": https://blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html
WSUS Attacks Part 2: CVE-2020-1013 a Windows 10 Local Privilege Escalation 1-Day:
https://www.gosecure.net/blog/2020/09/08/wsus-attacks-part-2-cve-2020-1013-a-windows-10-local-privilege-escalation-1-day
Feedback -> here