Published 8 February 2021 12:00 AM
4 min. read

New robot from Vulners, strong vulnerabilities and new malicious activity.

#kobalos #google #android #sonicwall #zero-day #chrome #solarwinds #malware

Google Chrome is updated every week with new vulnerabilities/malicious extensions/zero-day and other stuff, which is why it needs to be updated regularly, just like other important software. Also this week, a sequel to the SonicWall story came out. Google launched a cool new vulnerability service OSV, which the Vulners team immediately automated it - "Stay on the latest!" There were other top news, which you'll read about in our digest. Enjoy!

  • Vulnerabilities: Windows patch attempt number 5, continuing the story of SonicWall, Chrome and Full House with SolarWinds;
  • Tools: Mostly offensive;
  • News: Infected popular android software + new android malware and new vulnerability service from google;
  • Research: A little bit of everything.

Really short feedback -> here

Vulnerabilities

LPE via windows installer

The 0patch Team released a patch to fix a privilege escalation vulnerability in Windows Installer. Microsoft has attempted to resolve the issue for a total of five times, releasing the first fix in April 2019. However, on December 26 last year, cybersecurity researchers again managed to exploit the vulnerability.

We've already posted that SonicWall suffered an attack in late January 2021 that exploited some kind of vulnerability in the company's own products.

This week, the company finally unveiled a firmware update (10.2.0.5-29sv) for the SMA 100 series devices that were under attack. The developers emphasize that all users of the SMA 200, SMA 210, SMA 400, SMA 410 and virtual SMA 500v hardware solutions (Azure, AWS, ESXi, HyperV) should install this update immediately.

According to the security bulletin, the patch fixes issues that allow attackers to obtain administrator credentials and remotely execute arbitrary code on devices. The data presented by the researchers indicates that the vulnerability allows remote attackers to gain access to the internal network or management interface without prior authentication.

3 new severe vulnerabilities impacting SolarWinds product

A Trustwave researcher has disclosed three new vulnerabilities in SolarWinds Orion and Serv-U.

  • CVE-2021-25275 allows an unprivileged user locally or via RDP to gain full access to the SOLARWINDS_ORION database and then steal information or add a new SolarWinds Orion administrator-level user;
  • CVE-2021-25274 enables a remote user to execute code (RCE) and take control of the operating system without authentication;
  • CVE-2021-25276 affects the Serv-U FTP server and allows any authenticated user to elevate local privileges up to system administrator.

A critical vulnerability CVE-2021-21148 was found in Google Chrome and it's highly recommended to be closed as soon as possible - some malefactors are already exploiting it. Vulnerable versions of browsers for all major operating systems for personal computers: Windows, MacOS and Linux.

According to the information available today, this vulnerability makes it possible to perform a Heap Overflow attack, which would allow hackers to execute arbitrary code on a victim's computer. To exploit this vulnerability successfully, attackers only need to create a custom webpage and lure a victim to it. As a result, they can take control of the vulnerable system.

Tools

**Web-Brutator
**It's fast modular Web Interfaces Bruteforcer.

BurpMetaFinder
Burp Suite extension for extracting metadata from files Currently supported documents: PDF, DOCX, PPTX, XLSX.
The project created at Jetbrains has been completely added. Don’t forget to change the settings you need.

Geacon
This project is for learning protocol analysis and reverse engineering only, if someone's rights have been violated, please contact me to remove the project.

News

NoxPlayer hacked

Researchers discovered that the server infrastructure of Hong Kong-based BigNox was hacked by hackers in September 2020, infecting the company's customers with malware.

BigNox is a provider of an Android emulator for Windows and Mac called NoxPlayer. It is used primarily by gamers to run mobile games on desktops, with more than 150 million customers and most of them in Asia. A hacker group embedded malware in Android emulator NoxPlayer and delivered the malware to its victims across Asia. The emulator has more than 150 million users.

New Android malware

ESET researchers published a report analyzing the new Kobalos backdoor. According to the experts, it targets high-performance clusters (HPC) and can run under Linux, BSD and Solaris operating systems, as well as can be compatible with IBM AIX and Microsoft Windows. As the researchers note, the backdoor code is fairly small but also complex. One of Kobalos features is its ability to turn infected nodes into new Command and Control servers at the operator's command.

Google Open Source Vulnerabilities

Google introduced a new OSV (Open Source Vulnerabilities) service offering access to a database of information about vulnerabilities in open source software. The service provides an API that allows automated query generation to retrieve information about vulnerabilities, with links to the state of the code repository. Vulnerabilities are assigned individual OSV identifiers, which supplement the CVE with extended information. In particular, the OSV database reflects the patch status of the problem, indicates commits with the appearance and correction of the vulnerability, the range of versions exposed to the vulnerability, links to the project repository with the code, and notification about the problem.

This information is now also available in the Vulners database. A great addition for your automation:

type:OSV

Research

Hunting in the Sysmon Call Trace: https://www.lares.com/blog/hunting-in-the-sysmon-call-trace

ITU Cyber Threat Hunting Workshop from November 2020: https://www.itu.int/en/ITU-D/Cybersecurity/Documents/CyberDrill-2020/Cyber Threat Hunting Workshop - ITU 19112020.pdf

New TeamTNT Cryptojacking Malware Targeting Kubernetes: https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt

Bypassing the Protections: https://blog.cobalt.io/bypassing-the-protections-mfa-bypass-techniques-for-the-win-8ef6215de6ab?gi=98ca363f0d77

Relaying 101 - everything NTLM relay Top article!

Really short feedback -> here
obalt.io/bypassing-the-protections-mfa-bypass-techniques-for-the-win-8ef6215de6ab?gi=98ca363f0d77)

Relaying 101 - everything NTLM relay Top article!

Really short feedback -> here