New pack of vulnerabilities in TCP/IP stack, malware evolution and consequences of the Pwn2Own

In addition to the monthly update from Microsoft, a new set of critical vulnerabilities in TCP/IP stacks appeared this week, and researchers are publishing exploits from the Pwn2Own competition. Not much bright news, but we've gathered the most significant and useful items!

  • Vulnerabilities: Microsoft's monthly patch, a pack of critical vulnerabilities in TCP/IP stacks, and the usual vulnerabilities in Chromium and WhatsApp;
  • Tools: complete solutions for reds and blues;
  • News: a couple of malware families evolve;
  • Research: the FireEye report, an overview of browser exploit kits in 2021, and more.

Feedback -> here


Vulnerabilities

Microsoft’s April 2021 Patch Tuesday Addresses 108 CVEs

Microsoft has patched critical remote code execution vulnerabilities in Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019 that were reported by the NSA. In total Microsoft fixed 108 vulnerabilities this month, including five zero-days.

One of the vulnerabilities was discovered by Kaspersky Lab researchers and was actively used in real-world attacks.

  • 114 new flaws, 19 of which are critical;
  • Windows 0-day under active attack;
  • 27 RCE flaws in Windows RPC;
  • NSA uncovers new Exchange server flaws;
  • FBI sanitized hacked Exchange servers;

NAME:WRECK

Forescout Research Labs, together with JSOF Research, has disclosed NAME:WRECK, a new set of vulnerabilities under the Project Memoria umbrella that affects hundreds of millions of smart and industrial devices worldwide. It is the fifth set of TCP/IP stack vulnerabilities disclosed in the last three years, following Ripple20, URGENT/11, NUMBER:JACK and AMNESIA:33.

What sets this round apart is its focus on the implementation of DNS message compression, the mechanism that lets DNS servers shrink responses by not repeating the same domain name more than once. Looking at how stacks decode these compressed names, Forescout found a total of nine vulnerabilities affecting seven of the 15 TCP/IP stacks studied.

Vulnerabilities in FreeBSD, Nucleus NET, IPnet and NetX DNS products could affect about 10 billion devices.
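The DNS message compression mechanism at the heart of NAME:WRECK is easy to decode unsafely: a compressed name is a chain of labels and two-byte pointers, and a decoder that trusts the pointer offsets or label lengths can be driven out of bounds or into an endless loop by a crafted response. The following decoder is an added illustration for this newsletter, not code from Forescout, JSOF or any of the affected stacks. It shows the checks a robust implementation of RFC 1035 name decoding needs (bounds on every read, backwards-only pointers, a 255-octet length cap) and the sample packets it runs on are constructed by hand.

```python
"""Safe decoding of DNS message compression (RFC 1035 section 4.1.4).

Added example, not taken from the newsletter or from the NAME:WRECK research.
The packets below are constructed for this illustration only.
"""
import struct

MAX_NAME_LEN = 255  # RFC 1035: a full domain name occupies at most 255 octets


class DnsNameError(ValueError):
    """Raised when a name violates the wire format or a safety check."""


def read_name(msg: bytes, offset: int) -> tuple:
    """Decode a possibly compressed name that starts at `offset` in `msg`.

    Returns (name, resume_offset). `resume_offset` is the position right after
    the first compression pointer (or after the terminating zero label when no
    pointer was used), which is where the caller continues parsing the record.
    """
    labels = []
    wire_len = 0      # octets the name would occupy if written uncompressed
    pos = offset
    resume = None     # set the first time a pointer is followed
    while True:
        if pos >= len(msg):
            raise DnsNameError("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:
            # Two-byte pointer: the low 14 bits are an offset into the message.
            if pos + 1 >= len(msg):
                raise DnsNameError("truncated compression pointer")
            target = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            if target >= len(msg):
                raise DnsNameError("pointer offset %d is beyond the message" % target)
            # A pointer may only refer backwards to data already parsed. This one
            # rule rejects self-references and looping pointer chains, because
            # every hop then moves strictly towards the start of the message.
            if target >= pos:
                raise DnsNameError("pointer offset %d does not point backwards" % target)
            if resume is None:
                resume = pos + 2
            pos = target
            continue
        if length & 0xC0:
            raise DnsNameError("reserved label type 0x%02x" % (length & 0xC0))
        if length == 0:
            if resume is None:
                resume = pos + 1
            break
        # Plain label: one length octet (1..63) followed by that many octets.
        if pos + 1 + length > len(msg):
            raise DnsNameError("label runs past end of message")
        wire_len += 1 + length
        if wire_len + 1 > MAX_NAME_LEN:   # +1 for the terminating zero octet
            raise DnsNameError("name longer than 255 octets")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return (".".join(labels) if labels else "."), resume


def try_read(msg: bytes, offset: int) -> str:
    """Return the decoded name, or 'rejected: <reason>' for malformed input."""
    try:
        return read_name(msg, offset)[0]
    except DnsNameError as exc:
        return "rejected: %s" % exc


# Constructed sample response: 12-octet header, one question for
# www.example.com, then a CNAME answer whose names use compression pointers.
HEADER = b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
QUESTION = b"\x03www\x07example\x03com\x00" + b"\x00\x01\x00\x01"      # offsets 12..32
ANSWER = b"\xC0\x0C" + b"\x00\x05\x00\x01\x00\x00\x0E\x10\x00\x07"    # owner -> offset 12
RDATA = b"\x04mail\xC0\x10"                                           # mail + pointer to "example.com" at 16
GOOD_MSG = HEADER + QUESTION + ANSWER + RDATA                          # RDATA starts at offset 45

# Constructed malformed names of the kind a decoder must reject.
SELF_POINTER = HEADER + b"\xC0\x0C"      # pointer to itself
OOB_POINTER = HEADER + b"\xC0\xFF"       # pointer past the end of the message
TRUNCATED_LABEL = HEADER + b"\x05abc"    # label claims 5 octets, only 3 present
TRUNCATED_POINTER = HEADER + b"\xC0"     # second pointer octet missing

if __name__ == "__main__":
    cases = [("question", GOOD_MSG, 12), ("answer owner", GOOD_MSG, 33),
             ("CNAME target", GOOD_MSG, 45), ("self-pointer", SELF_POINTER, 12),
             ("out of bounds", OOB_POINTER, 12), ("truncated label", TRUNCATED_LABEL, 12),
             ("truncated pointer", TRUNCATED_POINTER, 12)]
    for title, msg, off in cases:
        print("%-18s %s" % (title, try_read(msg, off)))
```

The backwards-only rule is stricter than the RFC text, which only says a pointer refers to "a prior occurrence" of the name, but it is what makes termination provable: with it there is no need for a visited-set or hop counter, and a decoder can never be made to spin. The resume offset returned alongside the name matters too, because a parser that resumes at the wrong position after a pointer will misread the type, class and length fields that follow.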

Google has released a new version of the Chrome browser (89.0.4389.128) for Windows, macOS and Linux that fixes two vulnerabilities: one already has public PoC code, the other is being actively exploited in attacks.

Rajvardhan Agarwal announced on Twitter the publication of PoC exploit code for a vulnerability discovered during Pwn2Own that affects Chromium-based browsers (Chrome, Edge, Opera, Brave, etc.). He found the patches for this vulnerability in the V8 JavaScript engine's source code, which allowed him to recreate the exploit.

The second vulnerability, CVE-2021-21206, is a use-after-free bug in Chromium's Blink rendering engine. According to Google it is already being used in real attacks, but the company, as usual, is withholding the details until the majority of users have installed the update.

Census Labs disclosed security vulnerabilities in the WhatsApp application for Android (on Android versions up to and including 9) that can be exploited in a MitM attack to remotely execute malicious code on the device and steal confidential information, including encryption keys.

All an attacker needs to do is trick the victim into opening an HTML attachment. The attack chains two bugs: a flaw in Chrome's support for Android content providers (CVE-2021-24027) and a same-origin policy bypass in the browser (CVE-2020-6516). Code executed this way can give the attacker access to files in the unprotected external storage area, including TLS session keys.


Tools

pyMalleableC2: a Python interpreter for Cobalt Strike Malleable C2 profiles. Allows you to parse, build and modify them programmatically.

Swissknife: the developer's Swiss Army knife. Do conversions and generations right from VS Code; extendable with user scripts.

IntelMQ: a solution for IT security teams (CERTs & CSIRTs, SOCs, abuse departments, etc.) for collecting and processing security feeds (such as log files) using a message queuing protocol.


News

IcedID Trojan

Check Point researchers report that in March 2021 the IcedID banking trojan entered their list of the most active malware for the first time, and went straight to second place. IcedID was first detected in 2017 as a classic banking trojan.

Recently the malware has adopted new delivery methods for its payload, easily matching the sophistication of its MaaS competitors. Among them: compromised website contact forms, Excel spreadsheets (XLS) containing malicious Excel 4.0 (XLM) macros, password-protected ZIP archives hiding malicious Word and Excel files, fake software installers that mask malicious XLS spreadsheets and GZIP-packed Word files, and so on.

Xcode Trojan

The XCSSET campaign against software developers using the Xcode development environment now also targets Apple's new M1 chips and can steal information from cryptocurrency applications.

The distribution of XCSSET through compromised Xcode projects is a serious threat: affected developers who publish their work on GitHub may unknowingly pass the malware on to their users through the infected projects. In effect, the attackers get a supply-chain attack.


Research

Report M-Trends 2021: https://content.fireeye.com/m-trends/rpt-m-trends-2021

A casino gets hacked through a fish-tank thermometer: https://www.entrepreneur.com/amphtml/368943

Building a Custom UEBA with KQL to Hunt for Lateral Movement: https://mergene.medium.com/building-a-custom-ueba-with-kql-to-hunt-for-lateral-movement-7459a899091

Blog post on how to monitor in real-time for SSH sessions: https://cryptsus.com/blog/ssh-security-siem-dashboard-kibana.html

Overview of Browser Exploit Kits in 2021: https://nao-sec.org/2021/04/exploit-kit-still-sharpens-a-sword.html

How to understand dirtyCOW vulnerability: https://devilinside.me/blogs/how-understand-dirtycow-vulnerability
