Several vendor's emergency patches, Kubernetes alarms and others
The second week of the month traditionally increases the amount of work for IT services in companies. Lots of zero-day vulnerabilities from several major vendors. Also, malware news. After all, not every day attackers use Kubernetes for mining. Read more about other threats
Vulnerabilities: Microsoft, Intel and Chrome with tons of patches + critical for Linux;
Tools: Mimikatz update, malware testing,
News: JBS has been payed the hackers, Kaspersky discover new attack and Kubernetes threats;
Research: mostly attacking stories.
Vulnerabilities
Microsoft has released new security updates for Windows operating systems and other supported software, addressing 50 vulnerabilities, including 6 ZERO-DAY flaws reported to be under active cyberattack.
Zero-days:
- CVE-2021-33742: RCE in the MSHTML component that is part of the Internet Explorer browser;
- CVE-2021-31955: Information Disclosure;
- CVE-2021-31956: Windows NTFS related to privilege escalation;
- CVE-2021-31962: Bypassing Kerberos AppContainer security;
- CVE-2021-31199: Microsoft Enhanced Cryptographic Provider privilege escalation;
- CVE-2021-31201: Microsoft Enhanced Cryptographic Provider privilege escalation.
Kaspersky officials reported that the two privilege escalation vulnerabilities were part of a complex chain of exploits that were used in April by the new PuzzleMaker actor to attack a number of companies (but RCE exploit could not be found).
Recommended for all Windows users to update urgently!
Intel fixed 73 security vulnerabilities as part of its June update release. This included fixes for high-level vulnerabilities affecting some versions of the Intel security library and BIOS firmware for Intel processors.
If you use Google Chrome, you should get the latest version immediately.
Google has released patches for 14 newly discovered flaws, including a 0-day vulnerability that is being actively exploited in the wild.
The developers updated Chrome for Windows, Mac and Linux to version 91.0.4472.101 to fix 14 vulnerabilities, including one zero-day vulnerability already under attack CVE-2021-30551.
Vulnerability in the PolKit lib
Kevin Backhouse warned about the CVE-2021-3560 vulnerability in the PolKit library with which an unprivileged local user can elevate rights to the superuser level. Polkit is a service that allows unprivileged processes to run privileged ones. Used in Ubuntu, Fedora, Red Hat, etc.
CVE-2021-3560 was fixed on June 3rd. Apparently, it appeared in polkit version 0.113 back in November 2013
Tools
Malware as a tool for Purple teaming. Public malware techniques used in the wild: Virtual Machine, Emulation, Debuggers, Sandbox detection.
https://github.com/LordNoteworthy/al-khaser
Neurax is a framework that aids in creation of self-spreading software
Neurax
**SharpHook
**New tool release! Introducing SharpHook an offensive API hooking tool written in C#
SharpWebServer is a Red Team oriented simple HTTP & WebDAV server written in C# with functionality to capture Net-NTLM hashes. To be used for serving payloads on compromised machines for lateral movement purposes.
News
JBS paid $ 11 million to prevent the publication of previously stolen data. Initially, the attackers asked for a ransom in the amount of $ 22.5 million, but after negotiations, the price was reduced to $ 11 million. As of today, a decoder for data recovery has been handed over to JBS.
Kaspersky has discovered a new approach to attacks against large organizations. When carrying out attacks, cybercriminals associate exploits for 0-day in Google Chrome and Windows 10. This method was first used by the PuzzleMaker group. With this method, attackers ultimately manage to successfully execute code on their victim's devices.
Siloscape malware detected targeting Windows Server containers and Kubernetes clusters
Researchers at Palo Alto Networks have discovered the Siloscape malware that breaks into Windows Serve containers in order to compromise Kubernetes clusters. The ultimate goal of attackers is to deploy a backdoor that can be used for other malicious activities.
According to the researchers, companies should start moving applications from Windows containers to Microsoft Hyper-V as soon as possible, which Microsoft itself recommends using instead of the old and less secure container mechanism.
Microsoft warns of mining attacks on Kubernetes clusters
Microsoft has warned of ongoing attacks on Kubernetes clusters running Kubeflow (open source project that allows to run heavy-duty machine learning computing on top of Kubernetes clusters). Criminals use them to deploy malicious containers that mine Monero and Ethereum cryptocurrencies.
Microsoft recommends administrators to always enable authentication on Kubeflow dashboards if they cannot be isolated from the internet and in control of their environments
Research
Updated Mimikatz in Metasploit to play with recent features like RDP plaintext credential dumping: https://an0n-r0.medium.com/updating-mimikatz-in-metasploit-1ce505e811e1
On how to access (protected) networks: https://s3cur3th1ssh1t.github.io/On-how-to-access-protected-networks
ATM Penetration Testing – Advanced Testing Methods to Find The Vulnerabilities: https://gbhackers-com.cdn.ampproject.org/c/s/gbhackers.com/advanced-atm-penetration-testing-methods/amp
Bypassing PowerShell Protections. https://stealthbits.com/blog/how-attackers-are-bypassing-powershell-protections
Transacted Hollowing - a PE injection technique. A hybrid between Process Hollowing and Process Doppelgänging.
Feedback
althbits.com/blog/how-attackers-are-bypassing-powershell-protections/)
Transacted Hollowing - a PE injection technique. A hybrid between Process Hollowing and Process Doppelgänging.