Microsoft patch, zero-days and few attacks

The highlight of the past week is Microsoft's monthly patch. Also, take a look at the new miners for docker and malware for macOS.

  • Vulnerabilities: Miscrorosft patch, BusyBox and Palo Alto;
  • Tools: EXOCET, Abaddon, holehe;
  • News: Docker miners, Robinhood compromised and attack for macOS users;
  • Research: useful articles, cheat sheets and etc.

Vulners docs


Vulnerabilities

Microsoft PatchTuesday

Microsoft releases security patches for 55 new vulnerabilities, including two actively exploited zero-day flaws in Excel (CVE-2021-42292) and Exchange Server (CVE-2021-42321).

The patch fixes 2 vulnerabilities actively exploited in the wild:

  • CVE-2021-42292: related to bypassing Microsoft Excel security features. 0-day was spotted in the popular Microsoft Excel productivity tool and described as a feature bypass vulnerability that allows code to be executed using specially crafted spreadsheets. The hole was discovered by its own Threat Intelligence Center and was heavily used in malicious attacks, but the company did not provide any further details.

  • CVE-2021-42321: Related to Remote Code Execution in Microsoft Exchange Server. The developers did not disclose the details of the incidents they know, but they assure that the attacks were limited and related to errors after authentication in Exchange 2016 and 2019, affecting the on-premises Microsoft Exchange Server, including also the servers used by clients in Exchange hybrid mode.

Microsoft Patch Tuesday updates also include fixes for critical vulnerabilities in Azure, Microsoft Edge, Visual Studio, and other Windows components.

It is recommended that Windows users urgently install all available updates.

Vulnerabilities in BusyBox Threats Linux Devices

Researchers discovered 14 critical vulnerabilities in a popular set of UNIX cmd utilities used in embedded Linux applications. The list of vulnerable utilities includes man, lzma / unlzma, ash, hush, awk. The detected vulnerabilities aren't critical, but as a result of successful exploitation they allow attackers to cause denial of service, and in some cases lead to information leak and RCE. Since the affected applets are not daemons, the vulnerabilities can only be exploited.

The vulnerabilities found have been assigned IDs ranging from CVE-2021-42373 to CVE-2021-42386, and they affect several BusyBox versions (from 1.16 to 1.33.1). Vulnerabilities are distributed among applets as follows:

  • man: CVE-2021-42373;
  • lzma unlzma: CVE-2021-42374;
  • ash: CVE-2021-42375;
  • hush: CVE-2021-42376, CVE-2021-42377;
  • awk: CVE-2021-42378, CVE-2021-42379, CVE-2021-42380, CVE-2021-42381, CVE-2021-42382, CVE-2021-42383, CVE-2021-42384, CVE -2021-42385, CVE-2021-42386.

CVE-2021-3064

A new zero-day vulnerability CVE-2021-3064 discovered in Palo Alto Networks GlobalProtect VPN, which could be exploited by an unauthenticated attacker to execute arbitrary code with root privileges on affected devices.

The vulnerability affects PAN firewalls using the GlobalProtect Portal VPN and allows remote code execution without authentication on vulnerable product installations with root privileges. However, an attacker must have network access to the GlobalProtect interface to exploit this vulnerability.

High priority fixes have been released for enterprise customers using PAN-OS 8.1.17 and all later versions of PAN-OS. Contrary to Palo Alto Networks' claims of no exploitation of the bug in the wild, Randori has already implemented successful exploits into its Red teaming software product.


Tools

EXOCET: AV-evading, undetectable, payload delivery tool.

Abaddon: designed to make red team operations faster, more repeatable, stealthier, while including value-added tools and bringing numerous reporting capabilities.

Experimental Tool: This script grab public report from hacker one and make some folders with poc videos.

holehe: allows you to check if the mail is used on different sites like Twitter, Instagram and will retrieve information on sites with the forgotten password function.


News

APT TeamTNT installs cryptominers on Docker servers

According to a report by TrendMicro researchers, attackers are after three goals: installing Monero cryptocurrency miners, scanning the network for other vulnerable Docker instances, and moving from container to host to access the main network. The attack begins by creating a container on a vulnerable host using the exposed Docker REST API. The group uses compromised or monitored Docker Hub accounts to host malicious images and deploy them to target hosts. Various post-exploitation and network travel tools, including container escaping scripts, credential stealing tools, and cryptocurrency miners, are retrieved via cronjobs.

Robinhood has been compromised. Data of approximately 7 million users stolen

This week, the American company Robinhood was hacked, which offers its clients the ability to trade stocks and exchange-traded funds. It is known that cybercriminals gained access to personal information of approximately 7,000,000 clients.

The attackers managed to gain access to a lot of user data, including:

  • e-mail addresses of 5,000,000 people;
  • real names of 2,000,000 people;
  • names, dates of birth and postal codes of approximately 310 users;
  • extensive personal data of about 10 users.

CVE-2021-30869: Cyber-Attack by China 🇨🇳 as a macOS Zero-Day, exploited in watering hole attacks on users in Hong Kong 🇭🇰

Google revealed that threat actors recently exploited a zero-day vulnerability in macOS to deliver malware to users in Hong Kong. Security researcher Patrick Wardle has detailed on his blog the functionality of the malware, which he calls OSX.CDDS.


Research

This video describes the methods and tools through which we can find onion servers using Shodan.

Domain Persistence - Golden Certificate: https://pentestlab.blog/2021/11/15/golden-certificate

PHISHY WALKTHROUGH cyberdefenders
https://infosecwriteups.com/cyber-defenders-phishy-walkthrough-ea10826ac711

All sysmon event types and their fields explained: https://github.com/olafhartong/sysmon-cheatsheet


Feedback and Vulners docs
ypes and their fields explained: https://github.com/olafhartong/sysmon-cheatsheet


Feedback and Vulners docs