Emotet come back, vulnerable PyPi packets and APT activity
Fighting well-known malware is an endless activity. This fall is not the first case of infection of packages that are actively used in the development of various software. Have you tried the new GitHub exploit yet?
- Vulnerabilities: DNS spoofing, Netgear SOHO routers and malicious python packets;
- Tools: STACS, Kubernetes-Goat and Gotanda - coold extension;
- News: RedCurl and Emotet;
- Research: cyber roadmap, tips and tricks.
Vulnerabilities
DNS cache poisoning vulnerability found on Linux systems
The vulnerability is that the DNS server relies on the transaction ID to confirm that the returned IP address was obtained from an authoritative server and not from an attacker. Researchers at the University of California, after studying the work of Dan Kaminski in 2008, concluded that hackers can change the transaction ID, taking advantage of the lack of DNS entropy, and then the server will accept a malicious IP address and store the result in the cache. According to the researcher, about 38% of servers are vulnerable to this attack.
Netgear SOHO routers CVE-2021-34991
The vulnerability was related to a pre-authentication buffer overflow that could be exploited by an attacker on a local area network (LAN) to remotely execute code with root privileges.
Routers, modems, and WiFi range extenders are at risk of exploiting this vulnerability. A detailed technical analysis of the error and a list of vulnerable devices have been published by resellers on github.
Netgear has already released patches to fix the discovered vulnerability. Users are encouraged to download and install the hotfixes as soon as possible.
11 packages containing malicious code were identified in the PyPI (Python Package Index) directory. Before the problems were identified, the packages were downloaded about 38 thousand times in total. The detected malicious packages are notable for the use of sophisticated methods of hiding communication channels with the attackers' servers.
List of vulnerable packages: importantpackage, pptest, ipboards, owlmoon, DiscordSafety, trrfab, 10Cent10, 10Cent11, yandex-yt, yiffparty.
Using the ipboards and trrfab packages, the study authors were able to extract sensitive information using the dependency confusion technique, which ensures that the target package manager downloads and installs a malicious module.
Tools
STACS: YARA powered static credential scanner which suports binary file formats, analysis of nested archives, composable rulesets and ignore lists, and SARIF reporting.
Kubernetes-Goat: designed to be an intentionally vulnerable cluster environment to learn and practice Kubernetes security.
Gotanda: Browser Web Extension For OSINT
News
Traces of RedCurl Group Attack on Russian Retail Revealed
Since the beginning of 2021, Group-IB researchers have recorded four attacks by the Russian RedCurl group on one of the largest Russian retailers specializing in wholesale and retail trade on the Internet. A signature feature of RedCurl is the sending of phishing emails to different departments of the organization on behalf of the HR team. At the same time, hackers seek to obtain valuable information as discreetly as possible. It takes two to six months from the moment of infection to data theft.
Malware Emotet come back
Researchers from Cryptolaemus, GData and Advanced Intel have begun to notice that the TrickBot malware is adding a downloader for Emotet to infected devices. Attackers are using Operation Reacharound to rebuild the Emotet botnet using the existing TrickBot infrastructure. Emotet Cryptolaemus research team analyzed the new Emotet bootloader and concluded that it has some differences from the previous versions. As of November 15, according to Abuse.ch, more than 246 devices are already connecting to Emotet's CnC servers.
Research
mr.d0x on Twitter writes that if you rename procdump to dump64 and drop it into the Visual Studio folder, you can safely dump LSASS past Microsoft Defender.
Windows Security Updates for Hackers: https://bitsadm.in/blog/windows-security-updates-for-hackers
Feedback and Vulners docs
in/blog/windows-security-updates-for-hackers](https://bitsadm.in/blog/windows-security-updates-for-hackers)
Feedback and Vulners docs