Zero-day: the main topic of this weekly digest

This week is full of news about zero-day vulnerabilities, attacks using them. There were also hacks, talk about data breaches? When an emergency update comes out, you better apply it, because you might already be attacked.

  • Vulnerabilities: Exploit for Spectre + Meltdown, your exchange has been hacked and install the latest updates for Chrome!;
  • Tools: mostly for Red Teamers;
  • News: Update Apple jailbreak, cool story about Microsoft bug and data breaches;
  • Research: new BlackArch, usefull resources and threat hunting.

Really short feedback -> here


Vulnerabilities

WARNING: Update Your Chrome Browser ASAP!

Google developers released Chrome version 89.0.4389.72, where they fixed the second zero-day vulnerability CVE-2021-21166 this year, exploited by unidentified attackers in the wild

You can update the browser manually, just go to the settings and select the "Help" => "About Google Chrome" option. The patch should be available to everyone using the stable release of the Internet browser.

URGENT! Chinese hackers actively exploiting 4 new 0-day vulnerabilities

Now everyone needs to hurry up and update the Microsoft Exchange servers, the patches are ready. Hackers are already using the discovered bugs with might and main. Chinese cybercriminals group Hafnium has created a full-fledged exploit kit that allows to penetrate the network and gain access to confidential information. According to the researchers, Hafnium targets primarily organizations in the United States. List of vulnerabilities:

It's recommended to upgrade your Microsoft Exchange servers as a matter of urgency. Now.

CVE-2021-24085

Microsoft Exchange Server msExchEcpCanary bug creates conditions for CSRF attack. This vulnerability allows an attacker to perform a CSRF attack and gain elevated privileges with at least one user's username and password. An attacker can generate a token using YellowCanary and act on behalf of another person.

CVE-2017-5753

In 2018, researchers published information about two vulnerabilities in processor architecture, Meltdown and Spectre, that could allow an attacker to bypass security on any OS. These security flaws allow the breach of address space isolation, read passwords, encryption keys, bank card numbers and other data. However, the code to exploit the bugs has long been in the possession of a handful of people. Only recently the first really dangerous exploit for Spectre appeared on the web.


Tools

Halogen - automatically create YARA rules from malicious documents.

PyBeacon is a collection of scripts for dealing with Cobalt Strike’s encrypted traffic.

SharpSphere gives red teamers the ability to easily interact with the guest operating systems of virtual machines managed by vCenter.


News

New Unc0ver jailbreak version supports iOS from version 11.0 to 14.3

Jailbreak Unc0ver been updated to version 6.0.0 and now works for iOS devices running versions 11.0-14.3. But the current iOS version is 14.4. After all, everyone who uses vulners regularly installs patches!

Microsoft account hijacking brought a researcher $50,000

When the password is reset, a seven-digit code is sent to the user's email or phone, after entering which the password can be replaced. Thus, the total number of possible variants is 10 million. The limit on the number of incorrect code entries turned out to be in place and after 122 attempts the mechanism was blocked.

The solution turned out to be simple: the check requests had to be sent simultaneously with an accuracy of a millisecond. After sending 1000 encrypted codes simultaneously, among which there was a correct one, the researcher managed to reset the password successfully.

Because of the complexity of the attack, the vulnerability was deemed important rather than critical by Microsoft, but the researcher was rewarded nonetheless. Microsoft fixed the bug in November 2020.

Malaysia Airlines has admitted to the data breach for nine years. This is reported by the information portal BleepingComputer. Malaysia Airlines has reportedly been exposed to a data breach for nine years that disclosed the personal information of Enrich loyalty program members. Earlier this week, company representatives began sending emails to members of the bounty program to inform them that they were victims of the incident. How many participants were affected by the leak is not reported.

Maza hacker forum hit by hack

Flashpoint has discovered a data leak from the Russian-language hack forum Maza (Mazafaka). Judging by the message left, the cracker is not Russian-speaking, although it may just be a disguise. As a result, a part of the database was leaked to the network, containing data such as username, hashed password, email, Skype, ICQ, etc.


Research

BlackArch Slim ISO is available for download now. Complete with a GUI installer and brand new tools.

2600+ tools available out-of-the-box for install from repositories.

Tap tap… is this thing on? Creating a notification-service for Cobalt-Strike

https://blog.nviso.eu/2021/03/05/tap-tap-is-this-thing-on-creating-a-notification-service-for-cobalt-strike

https://damonmohammadbagher.github.io

Threat Hunting for the Behavior: Scheduled Tasks: https://mergene.medium.com/hunting-for-the-behavior-scheduled-tasks-9efe0b8ade40

Exploiting XPC (a macOS IPC mechanism) in AntiVirus: https://www.slideshare.net/CsabaFitzl/exploiting-xpc-in-antivirus


Feedback -> here
ng XPC (a macOS IPC mechanism) in AntiVirus: https://www.slideshare.net/CsabaFitzl/exploiting-xpc-in-antivirus


Feedback -> here