Vulnerability patches and news pack for those who rarely update their software
Several packs of vulnerabilities from the most important buckets with zero-day vulnerabilities. Many of them are already being exploited in the wild. The news section shows the consequences of not installing important updates on time. If your software is in this digest - update it urgently.
- Vulnerabilities: Microsoft patch, Google 10th zero-day, Apple patch;
- Tools: DNSTake, Peirates, PS2EXE;
- News: ZLoader evolution and Zoho vulnerability exploitation;
- Research: only useful articles and videos.
Feedback and Vulners docs
Vulnerabilities
Microsoft patch 2021 September with zero-days
The September patch from Microsoft has been released, which fixes 60 security flaws, including 2 critical zero-day vulnerabilities.
On the darknet forums, instructions have appeared on how to exploit a zero-day vulnerability CVE-2021-40444 in the MSHTML browser engine, which Microsoft reported last week. The exploit has been modified so that the creation of malicious documents occurs without the use of ActiveX, which Microsoft recommends disabling as a protection measure. This week, as part of its monthly Patch Tuesday, Microsoft released an update to address the vulnerability.
The second zero-day CVE-2021-36968 is associated with elevation of privileges in Windows DNS has a local vector of exploitation and is not dangerous for an ordinary user.
Another zero-day in Chrome
Google has released Chrome update 93.0.4577.82 for Windows, Mac and Linux, fixing a total of 11 security vulnerabilities, two of which CVE-2021-30632 and CVE-2021-30633 are exploited as zero-day in the wild. No additional information available.
The most critical vulnerabilities were disclosed on September 8:
- CVE-2021-30632: an out of range entry in JavaScript V8;
- CVE-2021-30633: a post-free usage bug in the Indexed DB API.
Google has already patched 10 zero-days in Chrome this year. This underscores the attention that hackers are giving to browser vulnerabilities.
CVE-2021-30632 #Chrome #0day #PoC
var a;
function foo() {
a = new Uint32Array(100);
}
%PrepareFunctionForOptimization(foo);
foo();
foo();
a["xxx"] =1;
delete a["xxx"];
%OptimizeFunctionOnNextCall(foo);
foo();
Apple patch
Apple has released patches for iOS and macOS with a warning that vulnerabilities are actively exploited zero-day.
Vulnerabilities CVE-2021-30858 and CVE-2021-30860 found in WebKit and CoreGraphics components could lead to arbitrary code execution while processing a malicious PDF or web content.
The threat affects all iPhones with iOS versions prior to 14.8, all Macs with operating system versions prior to OSX Big Sur 11.6, Security Update 2021-005 Catalina, and Apple Watch prior to watchOS 7.6.2.
Tools
DNSTake: Utility to check missing hosted DNS zones that can lead to subdomain takeover.
Peirates: Kubernetes Penetration Testing tool
PS2EXE: Module to compile powershell scripts to executables.
News
While analyzing recent attacks targeting financial institutions, IT companies and government agencies in various countries, Intezer research discovered a Linux version of Cobalt Strike Beacon. The malicious sample was first uploaded to Virus Total on August 10. The tool, dubbed Vermilion Strike, is part of legitimate software usually used by IS specialists to assess IT infrastructure security and is so far poorly detected by anti-viruses.
ZLoader banking Trojan campaign changed the vector of malware delivery from spam and phishing emails to TeamViewer ads published via Google Adwords. Fake links allow victims to be redirected to fake sites to download a signed malicious MSI installer. After completing a series of scripts, all Windows Defender modules are disabled and the parent/child correlation often used by targeted attack detection systems is broken. At the end, a short script is executed that loads the ZLoader DLL using a legitimate Windows function known as regsvr32, which allows attackers to proxy the DLL's execution through a Microsoft signed binary.
Critical vulnerability CVE-2021-40539 in Zoho began to actively exploit ART. A vulnerability in the Zoho ManageEngine ADSelfService Plus software allows attackers to take over vulnerable systems after successful exploitation. The attacks have been recorded since August 2021.
The FBI and CISA have issued a joint warning of the risks of using ManageEngine ADSelfService Plus for critical infrastructure companies, US defense contractors, academic institutions and other organizations in the transportation, information technology, manufacturing, communications, logistics and finance sectors.
In the identified incidents involving exploits for CVE-2021-40539, the attackers deployed a JavaServer Pages (JSP) web shell disguised as an x509 certificate, which later allowed them to perform post-exploitation actions: compromising administrator credentials, performing lateral movement through Windows Management Instrumentation ( WMI), access to domain controllers, NTDS.dit dumps, SECURITY / SYSTEM registry values, Active Directory files.
Research
Bitdefender Offers Free Universal Decryptor for REvil/Sodinokibi Ransomware: https://www.bitdefender.com/blog/labs/bitdefender-offers-free-universal-decryptor-for-revil-sodinokibi-ransomware
Attacking Active Directory as a Red Teamer or as an attacker: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/attacking-active-directory-as-a-red-teamer-or-as-an-attacker/ba-p/2676707
Full-Spectrum Cobalt Strike Detection: https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf
/2676707)
Full-Spectrum Cobalt Strike Detection: https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf