Published 19 October 2020 12:00 AM
5 min. read

Microsoft patch, powerfull malware and zero-days

Macrosoft, as usual, closed one problem - two new ones appeared. In this weekly digest there are many mentions of using the latest vulnerabilities in attacks. It shows the impact of vulnerability managment process and what happens if you don't do it.

  • Vulnerabilities: Default Microsoft patch, too critical vulnerabilities in VPN soft and etc.;
  • Tools: Mainly for pentests;
  • News: The famous Lemon Duck, APTs and new FIFA 21;
  • Research: OSCD sprint and malware detections.

Feedback -> here

Vulnerabilities

Microsoft update

Fixed 87 vulnerabilities, of which 12 are critical. Among the critical ones are issues in the graphical components of Windows, Outlook, SharePoint, etc., which allow a hacker to execute remote code execution (RCE).

  • RCE vulnerability CVE-2020-16947 in Microsoft Outlook. To exploit it, you need to force the victim to open a specially configured file in Outlook.
  • CVE-2020-16938 Incorrect processing of objects in memory by the Windows kernel, allowing an attacker to obtain information that could later be used to compromise the system. The most dangerous thing is that the vulnerability allows a hacker to gain access to NTLM password hashes stored in the SAM registry (which by default is not visible even to the administrator). Depending on the received credentials, it becomes possible to run the code from these accounts.
  • CVE-2020-16898 dubbed Bad Neighbor, is a remote code execution vulnerability in Windows TCP / IP that can also cause denial of service and blue screen of death (BSOD). A remote unauthorized user can exploit the vulnerability by sending malicious ICMPv6 Router Advertisement packets to a vulnerable Windows PC.

All new updates are highly recommended!

https://vulners.com/rapid7blog/RAPID7BLOG:0E497787F9B42FC1D11439220E6A9D3F

https://vulners.com/threatpost/THREATPOST:779B904F971138531725D1E57FDFF9DD

https://vulners.com/rapid7blog/RAPID7BLOG:801DC63ED24DFFC38FE4775AAD07ADDB

CVE-2020-5135

SonicWall VPN patched a vulnerability that could potentially lead to Remote Code Execution (RCE) and subsequent network compromise. On October 12, the manufacturer released a patch to close the vulnerability.

If the exploit CVE-2020-5135 is created, this vulnerability could become one of the main points of compromise for corporate networks.

https://vulners.com/threatpost/THREATPOST:701953AF963ADACDD2280B3D18B58493

Several vulnerabilities in the official Bluetooth protocol stack in the Linux kernel:

  • CVE-2020-12351;
  • CVE-2020-12352;
  • CVE-2020-24490.

The vulnerabilities are called BleedingTooth and can be used to run arbitrary code or access confidential information. The most dangerous issue is the heap-based mismatch of the used data types CVE-2020-12351, affecting Linux kernel version 4.8 and later.

https://vulners.com/threatpost/THREATPOST:CF4E8B0929D149A75E7512A74E569009

CVE-2020-26945

Fixed a vulnerability in NetBSD caused by the lack of buffer bounds checking when processing jumbo frames in drivers for network adapters connected via USB. The problem leads to copying of a part of the packet outside the buffer allocated in the mbuf cluster, which can potentially be used to execute the attacker's code at the kernel level by sending certain frames from the local network. The fix was made to block the vulnerability on August 28, but the details of the issue are only now disclosed. The issue affects the atu, ax, axen, otus, run and ure drivers.

http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2020-003.txt.asc

Tools

GHunt
It would have been necessary to specify this tool in the previous monthly review, but now it will be ok. GHunt is an OSINT tool to extract a lot of informations of someone’s Google Account email.

https://vulners.com/kitploit/KITPLOIT:1990469226640545295

O365Enum
Enumerate valid usernames from Office 365 using ActiveSync, Autodiscover, or office.com login page.

Mikrot8Over
Fast exploitation tool for Mikrotik RouterOS.

DamnVulnerableCryptoApp
If you try to learn a little bit more about crypto, either because you want to know how the attacks work or just because you want to do safe code, you end up diving really fast into the math behind the algorithms, and for a lot of people this is a NO.

https://vulners.com/kitploit/KITPLOIT:7331902613349127836

News

Security researchers from Cisco Talos have warned of a sharp increase in the activity of the Lemon Duck botnet for mining the Monero cryptocurrency. The functionality of this botnet is truly amazing in its diversity!

Lemon Duck has at least 12 independent infection vectors, which is much more than most malicious programs. Features range from Server Message Block (SMB) and Remote Desktop Protocol (RDP) password booting and sending exploits to exploitation of BlueKeep vulnerability (CVE-2019-0708) in RDP on Windows computers, vulnerabilities in Redis and YARN Hadoop on Linux systems.

https://vulners.com/threatpost/THREATPOST:78996437466E037C7F29EFB1FFBBAB42

APT groups carried out a series of attacks on government networks in the United States, exploiting vulnerabilities in VPN and Windows. This was reported by the FBI and the CISA in a joint warning. The attacks targeted federal, local, and territorial government networks, as well as critical US infrastructure.

During the attacks, criminals exploit two vulnerabilities - CVE-2018-13379 and CVE-2020-1472. The first issue is found in the Fortinet FortiOS Secure Socket Layer (SSL) VPN server, which is designed to be used as a secure gateway to access corporate networks from remote locations. The vulnerability allows attackers to download malicious files to unprotected systems and take control of Fortinet VPN servers.

The second vulnerability, known as Zerologon, is related to the use of an insecure encryption algorithm in the Netlogon authentication mechanism. Zerologon allows to simulate any computer on the network while authenticating to a domain controller, disable Netlogon security features, and change the password in the domain controller's Active Directory database.

Attackers combine these vulnerabilities to take control of Fortinet servers and then hack internal networks using Zerologon.

https://vulners.com/threatpost/THREATPOST:71C45E867DCD99278A38088B59938B48

The release of FIFA 21 not only delighted football fans, but also provided cybercriminals with new ways to make money. Security researcher Christopher Boyd of Malwarebytes Labs talks about the different ways in which fraudsters use the in-game capabilities of FIFA 21 to cash in on gullible users.

Fraudsters create fake "coin generators" and "rewards" and send them using fraudulent advertisements, social media posts and direct messages in order to steal users' personal information. The information collected can include name, address, login credentials, and more.

https://vulners.com/threatpost/THREATPOST:DB82FC47CD4ADADE487A186CA441BE21

Research

OSCD: Sprint #2 Main - Simulation (via Atomic Red Team project ), Detection (via Sigma project) & Response (via TheHive) - Open international cybersecurity specialist initiative aiming to solve common problems, share knowledge, and improve general security posture via sprints.

https://oscd.community/sprints/sprint_2.html

Don't copy and paste from web pages into shells - a lesson: https://briantracy.xyz/writing/copy-paste-shell.html

Wild IoT 0day exploitation: https://unit42.paloaltonetworks.com/iot-vulnerabilities-mirai-payloads

DNS changer malware: how to detect it and protect yourself: https://www.comparitech.com/blog/information-security/dns-changer-malware-how-to-detect-it-and-protect-yourself

Feedback -> here