More malware with new vulnerabilities in the wild in the monthly digest
In the last month, almost every week we wrote about new zero-day vulnerabilities, soon Apple and Chrome are updating almost every day + their vulnerabilities are exploited in the wild. We usually don't write so much about malware, but this month there is too much of it and it is closely related to critical vulnerabilities, the exploitation of which is being actively automated.
We remind you that we have new documentation and you can write to us about your wishes, problems or tasks so that we can help you resolve them.
- Vulnerabilities: Apple vulnerability pack, huge vulnerability pack from Microsoft (BadAlloc), software vendors with critical vulnerabilities: F5, SonicWall, etc. Build your SDLC with Vulners to face fewer supply chain attacks;
- Tools: Research tools and mostly a toolkit for the red team;
- News: Undetectable malware for Linux, malware for police, malware destroys itself;
- Research: Velociraptor course, research, Cobalt Strike posts.
Vulnerabilities
Positive Security cybersecurity researchers have found vulnerabilities in Telegram, Nextcloud, VLC, Libre- / OpenOffice, Bitcoin / Dogecoin Wallets, and Wireshark. These vulnerabilities are related to the behavior of operating systems when processing URLs.
Two main vectors of vulnerability exploitation have been identified. The first is when applications open a URL that points to a malicious executable file (.desktop, .jar, .exe, etc.) located on a file resource accessible via the Internet (nfs, webdav, smb, etc.). The second is for a vulnerability in the URL handler of an open application.
Qnap crticical vulnerabilities
Network device manufacturer Qnap has warned users about attacks from the Qlocker encryptor, which used a critical vulnerability to penetrate the system. All three vulnerabilities have now been patched, and NAS owners are advised to update their devices as soon as possible.
- CVE-2021-28799 was discovered as part of the Hybrid Backup Sync (HBS) utility for disaster recovery and data backup.
- CVE-2020-2509 command injection bug in QTS and QuTS hero
- CVE-2020-36195 SQL injection bug in Multimedia Console and Media Streaming Add-On
Users should update Multimedia Console, Media Streaming Add-on and Hybrid Backup Sync on their devices as soon as possible, as well as download the latest version of Malware Remover and scan the system for malware.
German researchers from Darmstadt University of Technology have discovered a security vulnerability in the AirDrop wireless communication function of the iPhone. Approximately 1.5 billion devices are affected by this vulnerability.
AirDrop allows you to transfer data from devices in different directions and determine the phone number of the owner of one of them in the phone book of another. The gadgets exchange SHA256 protected AWDL packets.
On macOS, 0-day CVE-2021-30657, which was used by the Shlayer malware, has been fixed. According to the researchers, the vulnerability has been exploited by the Shlayer malware developers since January 2021, and the researcher notes that this is the worst vulnerability in macOS in recent years, and Shlayer is a very advanced malicious campaign.
Apple has released macOS Big Sur 11.3, which fixes a vulnerability that has already been abused by hackers. The bug allowed malware to bypass Gatekeeper protection, Apple File Quarantine, and the notarization process.
Vulnerabilities in SonicWall were exploited to infect the FiveHands ransomware
CVE-2021-20016 was used by the hacker group UNC2447 to carry out ransomware attacks. According to FireEye, UNC2447 was first spotted in November 2020 using the new WarPrism dropper.
FiveHands ransomware was first detected in October 2020. The ransomware resembles HelloKitty ransomware, which, like FiveHands, is a modified version of DeathRansom.
Microsoft has warned of multiple issues affecting a wide range of Internet-connected devices that can be used to remotely execute code. 25 vulnerabilities affecting IoT and OT equipment in industrial, medical and corporate networks. Commonly known as BadAlloc, problems provide an opportunity to bypass security mechanisms and execute malicious code or cause a device to malfunction.
Silverfort reported a new vulnerability in the Kerberos Key Distribution Center (KDC) service that could allow an attacker to bypass Kerberos authentication in the F5 BIG-IP Access Policy Manager (APM), bypass security policies, and gain access to critical workloads in both in some cases to the BIG-IP Administrator Console.
F5 Networks fixed the vulnerability with the release of BIG-IP APM versions 12.1.6, 13.1.4, 14.1.4 and 15.1.3.
The developers of Composer, a package manager for PHP, have released an update that addresses a critical vulnerability. If exploited, this flaw allows attackers to execute arbitrary commands and inject a backdoor into every PHP package. In other words, it opened up a vector for attacks on supply chains.
The urgent patch came out in less than 12 hours!
Tools
SharpDPAPI is a C# port of some DPAPI functionality from @gentilkiwi 's Mimikatz project.
WinPmem - The Multi-Platform Memory Acquisition Tool.
Storm-Breaker - Tool Social Engineering (Access Webcam, Microphone, OS Password Grabber And Location Finder) With Ngrok.
Nginxpwner - Tool to look for common Nginx misconfigurations and vulnerabilities.
Paragon - Red Team Engagement Platform With The Goal Of Unifying Offensive Tools Behind A Simple UI.
News
The District of Columbia Central Police Department reported an attack and possible data breach after screenshots of internal files from the department's servers were published on the website of the ransomware Babuk Locker. Babuk Locker operators claim to have hacked into law enforcement's internal network and stolen 250 GB of data.
The hackers warn the police have three days to contact them and pay the ransom. Otherwise, the attackers threaten to contact the gang members featured in the documents and warn them about the police informers.
Information security specialists of law enforcement agencies, who had previously gained access to the Emotet infrastructure, launched a procedure to remove it from all attacked hosts. A special file EmotetLoader.dll was sent through the load distribution channel, which deleted all entities created for fixing Emotet. According to Malwarebytes, all previously active Emotet servers are currently offline.
Qihoo 360 Netlab has detected Linux backdoor malware
The RotaJakiro backdoor has attacked 64-bit Linux systems for at least the past three years, and in parallel bypassed the VirusTotal check.
One of the features of RotaJakiro is the use of different camouflage techniques at launch. To hide its presence, the backdoor used the process names systemd-daemon, session-dbus, and gvfsd-helper, which, given the heap of modern GNU / Linux distributions with all sorts of service processes, at first glance seemed legitimate and did not arouse suspicion.
To hide the results of its activities in the backdoor, several encryption algorithms were also used, AES was used to encrypt its resources, and to hide the communication channel with the control server, a bunch of AES, XOR and ROTATE combined with compression using ZLIB. - This allowed the backdoor to be undetected for any antivirus for 3 years, despite the fact that it was uploaded to VirusTotal back in 2018.
Research
Detecting Cobalt Strikes DNS Beacon: https://paper.seebug.org/1568
Tmux CheatSheet by hacklido.com
RemotePotato0 is an exploit that allows you to escalate your privileges from a generic User to Domain Admin. https://github.com/antonioCoco/RemotePotato0
Anatomy of Cobalt Strike’s DLL Stager: https://blog.nviso.eu/2021/04/26/anatomy-of-cobalt-strike-dll-stagers
Cobalt Strike Hunting, Red Teams/Threat Actors TTP’s: https://michaelkoczwara.medium.com/cobalt-strike-hunting-aefe1c5d1ec5
Kaspersky APT trends report Q1 2021
Decrypting Mobile App Traffic using AES Killer and Frida: https://n00b.sh/posts/aes-killer-mobile-app-demo
Feedback
p Traffic using AES Killer and Frida: https://n00b.sh/posts/aes-killer-mobile-app-demo