Digest with vulnerabilities, emergency updates and attack subjects
Zero-day vulnerabilities are not diminishing, and those that are already actively used in attacking actions. Quick release update - great! A lot of updates is not great!
- Vulnerabilities: Apple critical update, zero-day from Google, FireEye reports and etc;
- Tools: Promising tools that surprise with their growth;
- News: Twitter bot, some attacks and hacker cup;
- Research: Useful staff for red.
Really short feedback -> forms.gle/qhTGPMkJMMKkec5f9
Vulnerabilities
Apple this week released emergency security updates for iOS and macOS that fix three zero-day vulnerabilities used in real-world attacks:
- CVE-2020-27930 remote code execution in the FontParser component that could compromise the target system;
- CVE-2020-27932 privilege escalation vulnerability that could allow attackers to execute arbitrary code with elevated privileges;
- CVE-2020-27950 memory leak vulnerability allowing access to confidential information.
Everyone needs to upgrade urgently!
https://vulners.com/apple/APPLE:HT211944
https://vulners.com/thn/THN:DAE548E4C591A2718BC3A3D2C9440FB1
Google this week released an update for the desktop version of Chrome, which fixed 10 bugs, among which one CVE-2020-16009 is a 0-day vulnerability.
While there are no technical details, the only thing known is that the bug is in the V8 engine, which is designed to handle JavaScript, and was identified by an internal team of researchers. Operation of CVE-2020-16009 can lead to Remote Code Execution (RCE). Google also says it documented exploitation of this vulnerability in the wild, but again without any details.
Another 0-day vulnerability CVE-2020-16010 fixed by Google in the Chrome for Android version. Also noticed its use in the wild.
https://vulners.com/malwarebytes/MALWAREBYTES:79956B6DF02C5841171B3AEE17565978
Git LFS identified a critical vulnerability CVE-2020-27955 that allows a remote attacker to execute his code in the victim system when cloning a specially designed repository by the victim. The problem appears only on Windows platform and was fixed in git-lfs 2.12.1 update proposed a few hours ago. On Unix systems the vulnerability does not appear.
The October Solaris update resolved vulnerability CVE-2020-14871 in the Pluggable Authentication Module (PAM) subsystem, which was assigned the highest severity level (CVSS 10), but the information was limited only to the fact that the problem could be remotely exploited. Now there is the first information about the commission of real attacks and the availability of a working exploit, which, as it turned out, was sold on the black market since April this year. The vulnerability was bought on the black market for $ 3,000.
The exploit allows an unauthenticated attacker to gain root access to the system when using SSHD on the system to organize user logins or other network services that use PAM.
https://vulners.com/threatpost/THREATPOST:3D0ED9A884FBC4412C79F4B5FF005376
https://vulners.com/fireeye/FIREEYE:51D5208E018A68C41184E7FB430DCB70
According to FireEye, this vulnerability was used in their attacks by the UNC1945 group. The main targets of hackers are telecommunications companies, as well as finance and consulting.
https://vulners.com/fireeye/FIREEYE:385EC2DA0B6E50D0AC9113A707F5E623
Tools
Infection Monkey is an open source security tool for testing a data center's resiliency to perimeter breaches and internal server infection. The Monkey uses various methods to self propagate across a data center and reports success to a centralized Monkey Island server.
https://github.com/guardicore/monkey
Kraken
It is a simple cross-platform Yara scanner that can be built for Windows, Mac, FreeBSD and Linux. It is primarily intended for incident response, research and ad-hoc detections.
https://vulners.com/kitploit/KITPLOIT:7502592055175491881
The ShowStopper project is a tool to help malware researchers explore and test anti-debug techniques or verify debugger plugins or other solutions that clash with standard anti-debug methods.
https://vulners.com/kitploit/KITPLOIT:9211607077228511225
Tempomail
It is a standalone binary that allows you to create a temporary email address in 1 Second and receive emails. It uses 1secmail’s API . No dependencies required!
https://vulners.com/kitploit/KITPLOIT:828712573941215639
News
Twitter bot was launched which will assign random names to each vulnerability with CVE ID. Thus experts intend to reduce number of loud and scary names of vulnerabilities. The bot, named Vulnonym, is managed by the CERT Coordination Center at Carnegie Mellon University.
CVEs IDs are typically used by security solutions to identify problems, track and monitor vulnerabilities for statistical or reporting purposes, but CVEs themselves are rarely used in any meaningful way by people.
Capcom reported a hacker attack last weekend. The attack is known to have affected the game developer's business operations, including email. A warning has appeared on the Capcom website informing visitors of the resource that emails and requests for documents may go unanswered due to a hacker attack that affected the corporation's mail systems.
The attackers report that before encryption began, they stole about 1 TB of files from Capcom corporate networks in Japan, the United States and Canada. This includes many internal confidential company data. In total, the hackers encrypted about 2,000 devices on Capcom networks and are now demanding $ 11,00,000 in bitcoins from the company for data recovery and destruction of stolen information.
https://vulners.com/threatpost/THREATPOST:1EF339EFF209994C9C1362C8631C2696
Italian drinks producer Gruppo Campari, which owns such brands as Campari, Cinzano and Appleton, has also been attacked by encryptor Ragnar Locker. The attackers have already posted screenshots of the stolen data from the company on their website and demand about $15,000,000,000 ransom.
https://vulners.com/threatpost/THREATPOST:DDC93E05C27C40AD9D9FB4189F04B8F6
The Tianfu Cup, an annual ethical hacker competition, has ended in China. During the tournament, teams of researchers had three attempts, five minutes each, to hack the selected device or software using authoring exploits.
The team of specialists from the Chinese technology giant Qihoo 360 (360 Enterprise Security and Government and (ESG) Vulnerability Research Institute, aka Team 360Vulcan) won by a wide margin. One of the world's leading APT researchers. The winners took home $ 744,500, which is almost two-thirds of the event's total prize pool, which this year was $ 1,210,000.
Second and third places went to the AntFinancial Lightyear Security Lab ($ 258,000) and private security researcher Pang ($ 99,500).
https://vulners.com/thn/THN:FF54F90C5CA880EC87B91C23F1299281
Research
The guys from Clario published their bug bounty program on the platform HackerOne. They provide tools for secure Internet access: adblock, vpn, password saver, blocking user data collection, and others. Many beginners bounty hunters believe that there is no point in trying to participate in public programs on H1, because they believe that all possible bugs have already been found. But the regular appearance of new entrants like Clario in bug bounty programs shows that more companies are concerned about the safety of their users. More info in their post.
All H1 bulletins can be found in the powerful vulners database with the indicated sources and payments for vulnerabilities:
Cobalt Strike 4.2 – Everything but the kitchen sink: https://blog.cobaltstrike.com/2020/11/06/cobalt-strike-4-2-everything-but-the-kitchen-sink
"How I found a Tor vulnerability in Brave Browser, reported it, watched it get patched, got a CVE (CVE-2020-8276) and a small bounty, all in one working day": https://community.disclose.io/t/how-i-found-a-tor-vulnerability-in-brave-browser-reported-it-watched-it-get-patched-got-a-cve-cve-2020-8276-and-a-small-bounty-all-in-one-working-day/65
Leaked .git folder leads to RCE with all steps (good job): https://james-clee.com/2020/11/01/leaked-git-folder-leads-to-rce
Shashank's Security Blog: From a 500 error to Django admin takeover: https://blog.shashank.co/2020/11/from-500-error-to-django-admin-takeover.html
Windows & Active Directory Exploitation Cheat Sheet and Command Reference: https://cas.vancooten.com/posts/2020/11/windows-active-directory-exploitation-cheat-sheet-and-command-reference
WiFi Hacking Cheatsheets & Mindmap + Headless Pwnbox/RogueAP Project based on Raspberry Pi. https://github.com/koutto/pi-pwnbox-rogueap
Really short feedback -> forms.gle/qhTGPMkJMMKkec5f9