3105 matches found

Carbon Black Blog
added 2019/02/28 9:20 p.m., 141 views

TAU Threat Intelligence Notification: DarkHydrus/RogueRobin

Recently, Palo Alto Unit 42 released an updated report regarding new DarkHydrus delivery documents, which includes the installation of an updated variant of the RogueRobin trojan. This document includes details on both DarkHydrus and RogueRobin, along with detection rules and search queries that...

1.3 AI score
Exploits: 0
OSV
added 2019/02/21 3:29 a.m., 1 view

CVE-2018-20146

An issue was discovered in Liquidware ProfileUnity before 6.8.0 with Liquidware FlexApp before 6.8.0. A local user could obtain administrator rights, as demonstrated by use of PowerShell...

7.8 CVSS, 5.8 AI score, 0.00036 EPSS
Exploits: 0, References: 1
Prion
added 2019/02/21 3:29 a.m., 12 views

Code injection

An issue was discovered in Liquidware ProfileUnity before 6.8.0 with Liquidware FlexApp before 6.8.0. A local user could obtain administrator rights, as demonstrated by use of PowerShell...

7.2 CVSS, 7.4 AI score, 0.00036 EPSS
Exploits: 0, References: 1, Affected Software: 2
NVD
added 2019/02/21 3:29 a.m., 14 views

CVE-2018-20146

An issue was discovered in Liquidware ProfileUnity before 6.8.0 with Liquidware FlexApp before 6.8.0. A local user could obtain administrator rights, as demonstrated by use of PowerShell...

7.8 CVSS, 7.5 AI score, 0.00036 EPSS
Exploits: 0, References: 1
CVE
added 2019/02/21 3:0 a.m., 37 views

CVE-2018-20146

CVE-2018-20146 affects Liquidware ProfileUnity (and Liquidware FlexApp) before 6.8.0. A local user can obtain administrator rights, demonstrated via PowerShell. Impact is local privilege escalation with full confidentiality/integrity/availability implications. Remediation: upgrade to ProfileUnity...

7.8 CVSS, 7.4 AI score, 0.00036 EPSS
Exploits: 0, References: 1, Affected Software: 2
Cvelist
added 2019/02/21 3:0 a.m., 14 views

CVE-2018-20146

An issue was discovered in Liquidware ProfileUnity before 6.8.0 with Liquidware FlexApp before 6.8.0. A local user could obtain administrator rights, as demonstrated by use of PowerShell...

7.5 AI score, 0.00036 EPSS
Exploits: 0, References: 1
Packet Storm
added 2019/02/21 12:0 a.m., 59 views

Nuuo Central Management SQL Injection

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Nuuo Central Management Authenticated SQL Server SQLi', 'Description' = %q The Nuuo Central Management Server allows an authenticated user to que...

7.5 CVSS, 0.5 AI score, 0.66827 EPSS
Exploits: 5
Talos Blog
added 2019/02/20 8:27 a.m., 124 views

Combing Through Brushaloader Amid Massive Detection Uptick

Nick Biasini and Edmund Brumaghin authored this blog post with contributions from Matthew Molyett. Executive Summary: Over the past several months, Cisco Talos has been monitoring various malware distribution campaigns leveraging the malware loader Brushaloader to deliver malware payloads to...

6.7 AI score
Exploits: 0
Kitploit
added 2019/02/16 8:41 p.m., 190 views

DCOMrade - Powershell Script For Enumerating Vulnerable DCOM Applications

DCOMrade is a PowerShell script that is able to enumerate the possible vulnerable DCOM applications that might allow for lateral movement, code execution, data exfiltration, etc. The script is built to work with PowerShell 2.0 but will work with all versions above as well. The script currently...

6.9 AI score
Exploits: 0, References: 3
Microsoft CVE
added 2019/02/12 8:0 a.m., 180 views

Guidance to mitigate unconstrained delegation vulnerabilities

Executive Summary: Active Directory Forest trusts provide a secure way for resources in a forest to trust identities from another forest. This trust is directional; a trusted forest can authenticate its users to the trusting forest without allowing the reverse. A feature, Enforcement for forest...

7.8 CVSS, 7.2 AI score, 0.06594 EPSS
Exploits: 1
Packet Storm
added 2019/02/12 12:0 a.m., 64 views

Microsoft Excel .SLK Payload Delivery

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "Microsoft Excel .SLK Payload Delivery", 'Description' = %Q This module generates a download and execute Powershell command to be placed in an .SL...

Exploits: 0
Microsoft Secure
added 2019/02/11 5:0 p.m., 40 views

Solving the TLS 1.0 problem

The use of Transport Layer Security (TLS) encryption for data in transit is a common way to help ensure the confidentiality and integrity of data transmitted between devices, such as a web server and a computer. However, in recent years older versions of the protocol have been shown to have...

0.1 AI score
Exploits: 0
Carbon Black Blog
added 2019/02/11 1:52 p.m., 124 views

TAU Threat Intelligence Notification – Fake Movie File Attack Targeting Cryptocurrency

A malicious Windows shortcut file is posing as a movie available on a torrent site - its payload is used to conduct web-injection, ultimately targeting victim’s web searches in browsers like Chrome, Firefox and Internet Explorer. The payload has the ability to search for and steal cryptocurrency...

1.4 AI score
Exploits: 0
Carbon Black Blog
added 2019/02/11 1:35 p.m., 170 views

TAU Threat Intelligence Notification: Spear Phishing Targeting Italy

Summary: This campaign is targeting users in Italy with spear phishing emails containing malicious attachments. Figure 1: Emails with the malicious XLS attachment. The image above shows one of the samples attached to multiple emails that were sent to email addresses with the Italy ccTLD. The attached...

0.4 AI score
Exploits: 0
Metasploit
added 2019/02/11 3:26 a.m., 21 views

BMC Patrol Agent Privilege Escalation Cmd Execution

This module leverages the remote command execution feature provided by the BMC Patrol Agent software. It can also be used to escalate privileges on Windows hosts as the software runs as SYSTEM but only verifies that the password of the provided user is correct. This also means if the software is...

7.8 CVSS, 7.7 AI score, 0.38007 EPSS
Exploits: 6
Veeam
added 2019/02/06 6:32 p.m., 11 views

Cloud replica failover fails after upgrade to Veeam Backup & Replication 9.5 Update 4

Challenge: After upgrade to Veeam Backup & Replication 9.5 Update 4, starting failover for a Cloud Connect replica in the VMware environment fails with the appliance related error message: Timed out waiting to obtain helper appliance VM IP address. Cause: Due to a newly introduced issue, the applian...

6.8 AI score
Exploits: 0
Trend Micro Simply Security
added 2019/02/06 2:0 p.m., 61 views

The Fileless, Non-Malware Menace

There’s an old expression: if it looks like a duck, walks like a duck, and quacks like a duck, then it must be a duck. What happens, though, if the duck in question is malware that doesn’t behave like typical malware? Namely, it doesn’t drop a file on your disk to infect your computer, hijack...

7 AI score
Exploits: 0
OSV
added 2019/02/05 6:29 a.m., 5 views

CVE-2018-20753

Kaseya VSA RMM before R9.3 9.3.0.35, R9.4 before 9.4.0.36, and R9.5 before 9.5.0.5 allows unprivileged remote attackers to execute PowerShell payloads on all managed devices. In January 2018, attackers actively exploited this vulnerability in the wild...

9.8 CVSS, 5.9 AI score, 0.47933 EPSS
Exploits: 1, References: 3
Prion
added 2019/02/05 6:29 a.m., 16 views

Code injection

Kaseya VSA RMM before R9.3 9.3.0.35, R9.4 before 9.4.0.36, and R9.5 before 9.5.0.5 allows unprivileged remote attackers to execute PowerShell payloads on all managed devices. In January 2018, attackers actively exploited this vulnerability in the wild...

7.5 CVSS, 9.5 AI score, 0.47933 EPSS
Exploits: 1, References: 2, Affected Software: 1
NVD
added 2019/02/05 6:29 a.m., 18 views

CVE-2018-20753

Kaseya VSA RMM before R9.3 9.3.0.35, R9.4 before 9.4.0.36, and R9.5 before 9.5.0.5 allows unprivileged remote attackers to execute PowerShell payloads on all managed devices. In January 2018, attackers actively exploited this vulnerability in the wild...

9.8 CVSS, 9.6 AI score, 0.47933 EPSS
Exploits: 1, References: 3