Check out the updated Vulners interface!
Every few months Argentina provides a fresh reminder of why information security matters. This month, for example, the passport data of all of the country's residents surfaced online. There were also important updates for Oracle products and fixes for vulnerabilities in Google's Chrome browser.
You can always contact us with suggestions, bug reports, questions, or anything else.
- Vulnerabilities: Oracle critical patch, Chrome fixes and cool bug in WinRAR;
- Tools: Limelighter, ThreadStackSpoofer, PowerShx and karma_v2;
- News: new 10th MITRE ATT&CK matrix, ALL passports from Argentina were stolen, and the Gummy Browsers attack;
- Research: offensive and defensive articles, ransomware report and malware research.
Critical Patch Update from Oracle
Oracle announced that more than half of the patches address vulnerabilities that allow unauthenticated remote exploitation. The leader in the count of fixes was Oracle Communications, where 56 vulnerabilities could be exploited remotely without authentication. Behind it is MySQL, with 10 vulnerabilities that could also be exploited this way.
The overall product portfolio is extensive: from financial services and retail applications to commercial database server solutions, Essbase, Enterprise Manager, GoldenGate, utility applications and virtualization systems.
It is recommended to install Critical Patch Update from Oracle for your existing products as soon as possible.
Google has fixed a batch of 19 vulnerabilities in the Chrome browser. 3 vulnerabilities from the update package were discovered by the developers themselves; for the other 16 the company paid bounties to third-party researchers.
- CVE-2021-37981: the most severe, a buffer overflow in Skia, earned a $20,000 bounty;
- CVE-2021-37982: vulnerability in the Incognito component, $10,000;
- CVE-2021-37983: vulnerability in Developer Tools, $10,000;
- CVE-2021-37984: buffer overflow in PDFium, $7,500;
- CVE-2021-37985: vulnerability in V8, $5,000;
Separately, Google has said it has improved overall Chrome security by removing several features, such as support for TLS 1.0/1.1 and the FTP protocol, for URLs whose hostnames end in digits but are not IPv4 addresses, and for U2F.
The new version of the browser also introduces restrictions on the size of cookies.
WinRAR web notifier
Positive Technologies researcher Igor Sak-Sakovsky discovered a dangerous vulnerability in the WinRAR file archiver. The vulnerability, identified as CVE-2021-35052, exists in the WinRAR web notifier component, which is used to display trial period expiration messages. The vulnerability affects versions of WinRAR up to 6.02 beta 1.
To carry out an MITM attack via this vulnerability, an attacker would need to create a malicious Wi-Fi access point, compromise a router and spoof DNS, or be on the same network as the victim.
Limelighter: tool for generating fake code signing certificates or signing real ones.
ThreadStackSpoofer: Thread Stack Spoofing - a PoC for an advanced in-memory evasion technique on Windows that better hides injected shellcode's memory allocation from scanners and analysts.
PowerShx: unmanaged PowerShell execution using DLLs or a standalone executable.
karma_v2: a passive Open Source Intelligence (OSINT) automated reconnaissance framework.
MITRE pyramid of pain
American organization MITRE announced the release of a new 10th version of the ATT&CK matrix. The release updates Techniques, Groups, and Software for Enterprise, Mobile, and ICS.
The biggest change was an update to the Data Source and Data Component structure in Enterprise ATT&CK. The matrix now fully aggregates the information from these structures into itself, so you can conveniently discover the relationships between a data object and the techniques and sub-techniques it can be used to detect. In total, the 10th version of the MITRE ATT&CK matrix contains 14 tactics, 188 techniques, 379 sub-techniques, 129 groups, and 638 software entries.
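To show how the Data Source / Data Component objects relate to techniques in practice, here is an added example (not from Vulners or MITRE) that walks an ATT&CK-style STIX 2.1 bundle, counts the object types, and builds the "data component detects technique" map. The bundle below is a constructed sample that only mimics the shape of the real ATT&CK data: the object IDs, the deprecated technique and the hypothetical "T1070" entry with no detection are all illustrative, while the STIX types, the `x_mitre_*` fields and the `detects` relationship type follow the ATT&CK STIX format.

```python
"""Summarise data components and the techniques they detect in an ATT&CK-style STIX bundle."""
import json
from collections import defaultdict

# Constructed sample bundle (illustrative IDs and a tiny object set, not the real v10 data).
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--sample",
    "objects": [
        {"type": "x-mitre-tactic", "id": "x-mitre-tactic--1", "name": "Defense Evasion",
         "x_mitre_shortname": "defense-evasion"},
        {"type": "attack-pattern", "id": "attack-pattern--1", "name": "Process Injection",
         "x_mitre_is_subtechnique": False,
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1055"}]},
        {"type": "attack-pattern", "id": "attack-pattern--2", "name": "Dynamic-link Library Injection",
         "x_mitre_is_subtechnique": True,
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1055.001"}]},
        {"type": "attack-pattern", "id": "attack-pattern--3", "name": "Indicator Removal (no detections)",
         "x_mitre_is_subtechnique": False,
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1070"}]},
        # A deprecated technique: ATT&CK keeps such objects in the bundle, so consumers must filter them.
        {"type": "attack-pattern", "id": "attack-pattern--9", "name": "Old Technique",
         "x_mitre_is_subtechnique": False, "x_mitre_deprecated": True,
         "external_references": [{"source_name": "mitre-attack", "external_id": "T9999"}]},
        {"type": "x-mitre-data-source", "id": "x-mitre-data-source--1", "name": "Process"},
        {"type": "x-mitre-data-component", "id": "x-mitre-data-component--1",
         "name": "OS API Execution", "x_mitre_data_source_ref": "x-mitre-data-source--1"},
        {"type": "x-mitre-data-component", "id": "x-mitre-data-component--2",
         "name": "Process Access", "x_mitre_data_source_ref": "x-mitre-data-source--1"},
        {"type": "relationship", "id": "relationship--1", "relationship_type": "detects",
         "source_ref": "x-mitre-data-component--1", "target_ref": "attack-pattern--1"},
        {"type": "relationship", "id": "relationship--2", "relationship_type": "detects",
         "source_ref": "x-mitre-data-component--1", "target_ref": "attack-pattern--2"},
        {"type": "relationship", "id": "relationship--3", "relationship_type": "detects",
         "source_ref": "x-mitre-data-component--2", "target_ref": "attack-pattern--2"},
        {"type": "relationship", "id": "relationship--4", "relationship_type": "detects",
         "source_ref": "x-mitre-data-component--2", "target_ref": "attack-pattern--9"},
        {"type": "relationship", "id": "relationship--5", "relationship_type": "subtechnique-of",
         "source_ref": "attack-pattern--2", "target_ref": "attack-pattern--1"},
    ],
})


def load_objects(bundle_json):
    """Index live objects by STIX id, dropping revoked and deprecated ones."""
    bundle = json.loads(bundle_json)
    return {o["id"]: o for o in bundle["objects"]
            if not o.get("revoked") and not o.get("x_mitre_deprecated")}


def attack_id(obj):
    """Return the ATT&CK external id (e.g. T1055.001) of an object, if it has one."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def summarise(objects):
    """Count tactics, techniques, sub-techniques, data sources and data components."""
    counts = defaultdict(int)
    for o in objects.values():
        if o["type"] == "attack-pattern":
            counts["sub-techniques" if o.get("x_mitre_is_subtechnique") else "techniques"] += 1
        elif o["type"] == "x-mitre-tactic":
            counts["tactics"] += 1
        elif o["type"] == "x-mitre-data-source":
            counts["data sources"] += 1
        elif o["type"] == "x-mitre-data-component":
            counts["data components"] += 1
    return dict(counts)


def detection_coverage(objects):
    """Map 'Data Source: Data Component' -> sorted ATT&CK ids of the techniques it detects."""
    coverage = defaultdict(set)
    for o in objects.values():
        if o["type"] != "relationship" or o["relationship_type"] != "detects":
            continue
        component = objects.get(o["source_ref"])
        technique = objects.get(o["target_ref"])
        if component is None or technique is None:
            continue  # dangling reference: one end was revoked or deprecated
        source = objects.get(component["x_mitre_data_source_ref"], {}).get("name", "?")
        coverage[f"{source}: {component['name']}"].add(attack_id(technique))
    return {key: sorted(ids) for key, ids in coverage.items()}


def techniques_without_detection(objects):
    """ATT&CK ids of live techniques that no data component claims to detect."""
    covered = {tid for ids in detection_coverage(objects).values() for tid in ids}
    return sorted(attack_id(o) for o in objects.values()
                  if o["type"] == "attack-pattern" and attack_id(o) not in covered)


if __name__ == "__main__":
    objs = load_objects(SAMPLE_BUNDLE)
    print(summarise(objs))
    for component, ids in sorted(detection_coverage(objs).items()):
        print(f"{component} detects {', '.join(ids)}")
    print("no detection mapped:", techniques_without_detection(objs))
```

Pointing `load_objects` at the real Enterprise bundle gives the same kind of answer at full scale: which log sources your environment already collects, and which techniques therefore have no mapped detection at all. Filtering revoked and deprecated objects first matters, because ATT&CK keeps them in the bundle and their relationships would otherwise inflate the coverage.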
The first evidence that someone had hacked the National Register of Persons (Registro Nacional de las Personas - the agency that issues passports of citizens) appeared on Twitter earlier this month. A user under the account @AnibalLeaks posted photos of the personal data of 44 Argentinean celebrities.
In a press release on October 13, Argentina's Ministry of the Interior announced that a VPN account assigned to the Ministry of Health was used to query the agency's database “at the very moment the data was posted to Twitter”. The hacker, whom The Record reporters managed to contact, indirectly confirmed the version of the Argentine Ministry of Internal Affairs.
Gummy Browsers attack
In a Gummy Browsers attack, attackers lure a victim to their website in order to obtain the victim's browser fingerprint, which can then be used to impersonate the victim on the target platform. The researchers said that using the Gummy Browsers method they could deceive modern fingerprint-based tracking systems such as FPStalker and Panopticlick for a long time. Fingerprint data can be used to bypass authentication (MFA) and fraud detection mechanisms used by many banks and large retailers.
- Resource Based Constrained Delegation: https://pentestlab.blog/2021/10/18/resource-based-constrained-delegation
- Utilizing Programmatic Identifiers (ProgIDs) for UAC Bypasses: https://v3ded.github.io/redteam/utilizing-programmatic-identifiers-progids-for-uac-bypasses
- Using Kerberos for relaying: https://vulners.com/googleprojectzero/GOOGLEPROJECTZERO:4632B385F90B21E3F68AACEB696443CE
- We analyzed 80 million ransomware samples – here's what we learned: https://blog.google/technology/safety-security/we-analyzed-80-million-ransomware-samples-heres-what-we-learned
- Initial Access Broker Landscape: https://www.curatedintel.org/2021/10/initial-access-broker-landscape.html
- Opening "STEELCORGI": A Sophisticated APT Swiss Army Knife: https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife