Aclpwn.py is a tool that interacts with BloodHound to identify and exploit ACL-based privilege escalation paths. It takes a starting point and an ending point and uses Neo4j pathfinding algorithms to find the most efficient ACL-based privilege escalation path between them. Aclpwn.py is similar to the PowerShell-based Invoke-Aclpwn, which you can read about in our blog.
Dependencies and installation
Aclpwn.py is compatible with both Python 2.7 and 3.5+. It requires the neo4j-driver, impacket and ldap3 libraries. You can install aclpwn.py via pip: pip install aclpwn. For Python 3, you will need the python36 branch of impacket, since the master branch (and the versions published on PyPI) are Python 2 only at this point.
Written in Python (2.7 and 3.5+), so OS independent
Mitigations and detection
aclpwn.py does not exploit any vulnerabilities; it relies on misconfigured (often because of delegated privileges) or insecure default ACLs. To address these issues, it is important to identify potentially dangerous ACLs in your Active Directory environment with BloodHound. For detection, Windows Event Logs can be used. The relevant event IDs are described in our blog.
Newsletter compiled by Jon Munshaw.
Good afternoon, Talos readers.
While ransomware has made all the headlines this year, that doesn’t mean cryptocurrency miners are going anywhere. We recently discovered a new actor we’re calling “Xanthe” that’s mining Monero on targets’ machines. The main payload, in this case, is a variant of the XMRig Monero-mining program that is protected with a shared object developed to hide the presence of the miner's process from various tools for process...
TrickBot, one of the most active botnets in the world, gets a new improvement with the addition of a UEFI/BIOS bootkit feature.
The infamous TrickBot's authors have added a new feature, dubbed “TrickBoot,” designed to exploit well-known vulnerabilities in UEFI/BIOS firmware and inject malicious code such as bootkits.
The TrickBoot functionality was documented by experts from Advanced Intelligence (AdvIntel) and Eclypsium.
“This new functionality, which we have dubbed “TrickBoot,” makes use of readily available tools to check devices for well-known vulnerabilities that can allow attackers to read, write, or erase the UEFI/BIOS firmware of a device.” reads the joint analysis published by AdvIntel and Eclypsium.
“This marks a significant step in the evolution of TrickBot as UEFI level implants are the deepest, most powerful, and stealthy form of bootkits. By adding the ability to canvas victim devices for specific UEFI/BIOS firmware vulnerabilities, TrickBot actors are able to target specific victims with firmware-level persistence that survives re-imaging or even device bricking capability.”
The Unified Extensible Firmware Interface (UEFI) is a specification that defines a software interface between an operating system and platform firmware. UEFI replaces the legacy Basic Input/Output System (BIOS) firmware interface originally present in all IBM PC-compatible personal computers, with most UEFI firmware implementations providing support for legacy BIOS services. UEFI can support remote diagnostics and repair of computers, even with no operating system installed.
Over the years, experts have observed several attacks employing rootkits that were specifically developed to target the firmware in order to achieve persistence and bypass security solutions.
The Secure Boot mechanism allows the execution of only software that is trusted by the Original Equipment Manufacturer (OEM).
Injecting malicious code into the UEFI/BIOS firmware of a device could allow attackers to achieve persistence on the device and make the malware undetectable to common anti-malware solutions.
TrickBot is a popular banking Trojan that has been around since October 2016. Its authors have continuously upgraded it with new features and continue to offer it through a multi-purpose malware-as-a-service (MaaS) model. Threat actors leverage the botnet to distribute a broad range of malware, including info-stealers and ransomware such as Conti and Ryuk. To date, the TrickBot botnet has infected more than a million computers.
The most common attack chain observed begins with EMOTET malspam campaigns, which then load TrickBot and/or other loaders.
Thanks to the new improvement, TrickBot can carry out UEFI attacks of the kind that could also be part of hacking campaigns by nation-state actors.
The new functionality was observed for the first time in October 2020, after the takedown attempts carried out by a joint operation that involved multiple security firms led by Microsoft.
“As is often the case with new TrickBot modules, the name “PermaDll” or the original name as “user_platform_check.dll” caught the attention of Advanced Intelligence researchers during the October 2020 discovery of the new TrickBot attack chain.” continues the analysis. ““Perma,” sounding akin to “permanent,” was intriguing enough on its own to want to understand this module’s role in TrickBot’s newest arsenal of loadable modules with the usual TrickBot export modules.”
TrickBoot targets the SPI flash chip where the boot process begins. It leverages the RwDrv.sys driver from the popular RWEverything tool to interact with the SPI controller and check whether the BIOS control register is unlocked.
“RWEverything (read-write everything) is a powerful tool that can allow an attacker to write to the firmware on virtually any device component, including the SPI controller that governs the system UEFI/BIOS.” continues the post. “This can allow an attacker to write malicious code to the system firmware, ensuring that attacker code executes before the operating system while also hiding the code outside of the system drives.”
Although the activity spotted by the researchers is limited to reconnaissance, they point out that the same mechanism could be used to write malicious code to the system firmware.
To mitigate such attacks, enable BIOS write protections. In September, the US National Security Agency (NSA) published guidance on Unified Extensible Firmware Interface (UEFI) Secure Boot customization.
“These threat actors are collecting targets that are verified to be vulnerable to firmware modification, and one line of code could change this reconnaissance module into an attack function. Like other in-the-wild firmware attacks, TrickBot reused publicly available code to quickly and easily enable these new firmware-level capabilities.” conclude the experts.
1 - Gather Jsfile Links from different sources.
2 - Import File Containing JSUrls
3 - Extract Endpoints from Jsfiles
4 - Find Secrets from Jsfiles
5 - Get Jsfiles stored locally for manual analysis
6 - Make a Wordlist from Jsfiles
7 - Extract Variable names from jsfiles for possible XSS.
8 - Scan JsFiles For DomXSS.
There are two ways of executing this script: either locally on the host machine or within a Docker container.
Installing all dependencies locally
Note: Make sure you have installed golang properly before running installation script locally.
$ sudo chmod +x install.sh
$ ./install.sh
Building the docker container
When using the docker version, everything will be installed automatically. You just have to execute the following commands:
Usage:
-l Gather Js Files Links
-f Import File Containing JS Urls
-e Gather Endpoints For JSFiles
-s Find Secrets For JSFiles
-m Fetch Js Files for manual testing
-o Make an Output Directory to put all things Together
-w Make a wordlist using words from jsfiles
-v Extract Variables from the jsfiles
-d Scan for Possible DomXSS from jsfiles
TrickBot, one of the most notorious and adaptable malware botnets in the world, is expanding its toolset to set its sights on firmware vulnerabilities to potentially deploy bootkits and take complete control of an infected system.
The new functionality, dubbed "TrickBoot" by Advanced Intelligence (AdvIntel) and Eclypsium, makes use of readily available tools to check devices for well-known
A number of high-profile Android apps are still using an unpatched version of Google's widely-used app update library, potentially putting the personal data of hundreds of millions of smartphone users at risk of hacking.
Many popular apps, including Grindr, Bumble, OkCupid, Cisco Teams, Moovit, Yango Pro, Microsoft Edge, Xrecorder, and PowerDirector, are still vulnerable and can be hijacked to
E-Land Retail suffered a ransomware attack, and Clop ransomware operators claim to have stolen 2 million credit cards from the company.
E-Land Retail is a South Korean conglomerate headquartered in Changjeon-dong Mapo-gu Seoul, South Korea. E-Land Group takes part in retail malls, restaurants, theme parks, hotels and construction businesses as well as its cornerstone, fashion apparel business. It has operations worldwide through its subsidiary E-Land World.
Clop ransomware is claiming to have stolen 2 million credit cards from E-Land Retail during the last 12 months.
Last month, the company was forced to shut down 23 NC Department Store and New Core locations after a CLOP ransomware infection.
The company said that customer information was encrypted on a separate server that was not impacted, and added that it has notified the relevant authorities.
“We are striving to quickly recover damage and normalize business. Most branches across the country have the first emergency measures Basic sales activities are possible.” reads the security breach notice.
“Although this ransomware attack caused some damage to the company’s network and systems, customer information and sensitive data are encrypted on a separate server. It is in a safe state because it is managed.”
Unfortunately, the situation could be quite different, as CLOP ransomware operators told Bleeping Computer. The ransomware gang claimed to have initially compromised E-Land a year ago and to have stolen credit card data using PoS malware.
The hackers claim to have siphoned and decrypted credit card data (Track 2 data) for 12 months without being discovered by the company.
CLOP told BleepingComputer that they stole data for 2 million credit cards.
CLOP ransomware operators claim to have stolen credit card Track 2 data, which includes the card number, the expiration date, and other information. The card's CVV code is not included in Track 2 data. Track 1 data can only be used to clone credit cards and use them for in-store purchases.
Security experts analyzed 4 million public Docker container images hosted on Docker Hub and found that half of them had critical flaws.
Container security firm Prevasio has analyzed 4 million public Docker container images hosted on Docker Hub and discovered that the majority of them had critical vulnerabilities.
The cybersecurity firm used its Prevasio Analyzer service that ran for one month on 800 machines.
51% of the 4 million images included packages or app dependencies with at least one critical flaw, and 13% had high-severity vulnerabilities.
“The dynamic analysis also revealed 6,432 malicious or potentially harmful container images, representing 0.16% of all publicly available images at Docker Hub.” reads the analysis published by Prevasio. “This report explains the work that we’ve done, our findings, the types of malware found and several typical examples of container images found to contain malicious or potentially harmful software.”
The researchers focused on Linux container images only; nearly 1% of all images were excluded from the analysis because they are built for Windows only and/or have no Linux-specific builds.
The researchers also discovered that 6,432 images included potentially malicious software, such as cryptocurrency miners (44%, 2,842 images and Pull count: 129.5M), hacking tools (20%, 1,269 images and Pull count: 70M), the malicious npm package flatmap-stream (23%, 1,482 images, Pull count: 95M), and tainted applications (trojanized WordPress plugins, Apache Tomcat, and Jenkins).
The total pull count of the malicious or potentially harmful images is over 300 million.
Some of the images contained dynamic payloads that, at runtime, downloaded the source code of a cryptocurrency miner and executed it.
Experts pointed out that currently, most of the malware found in the images targets Windows.
“The investigation conducted by Prevasio illustrates that Linux OS, and Linux containers in particular are not immune to security risks” concludes the report. “Our research shows that the primary security risk is enabled by critical vulnerabilities. More than half of all container images hosted by Docker Hub, contain one or more critical vulnerability, and are, therefore, potentially exploitable. Another risk is in the fact that out of 4 million publicly available images, 6,432 are found to contain malicious or potentially harmful code.”
Online education giant K12 Inc. was hit by Ryuk ransomware in the middle of November and has now paid a ransom to avoid a data leak.
Online education giant K12 Inc. has paid a ransom to the ransomware operators after the gang infected its systems in November.
K12 Inc. is a for-profit education company that sells online schooling and curricula. K12 is an education management organization (EMO) that provides online education designed as an alternative to traditional “brick and mortar” education for public school students from kindergarten to 12th grade. Publicly traded K12 is the largest EMO in terms of enrollment.
K12 publicly disclosed the ransomware attack this week. The incident took place in mid-November and forced the company to shut down its systems to prevent the malware from spreading.
According to the company, the ransomware operator accessed “certain parts” of its corporate back-office systems, and the incident might have exposed “some student and employee information” on the affected systems.
The attack did not affect the Learning Management System (“LMS”) that is used to provide educational content to students and to host student accounts.
“K12 Inc. (NYSE: LRN) (“Stride” or “we”) – to be Stride, Inc. effective December 16, 2020 – has detected unauthorized activity on its network, which has since been confirmed as a criminal attack in the form of ransomware.” reads the press release.
“Upon identifying unusual system activity, we quickly initiated our response, taking steps to contain the threat and lock down impacted systems, notifying federal law enforcement authorities, and working with an industry-leading third-party forensics team to investigate and assist with the incident.”
The company quickly initiated incident response procedures and locked down impacted systems; it also notified federal law enforcement authorities. K12 retained an industry-leading third-party forensics team to investigate the incident.
The attack did not impact the online Learning Management System (LMS) used to deliver educational content, nor the affiliated charter schools. The company also states that most major systems, including payroll, accounting, and enrollment systems, were unaffected.
Bleeping Computer has learned that K12 was hit by Ryuk ransomware and that K12 paid the ransom utilizing its cyber insurance. At the time of this writing, the ransom amount is not known.
“We have already worked with our cyber insurance provider to make a payment to the ransomware attacker, as a proactive and preventive step to ensure that the information obtained by the attacker from our systems will not be released on the Internet or otherwise disclosed.” the company told Bleeping Computer.
K12 paid the ransom to prevent misuse of any information the ransomware operators may have stolen.
Martin Zeiser and Jared Rittle of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.
Executive summary
Cisco Talos recently discovered two vulnerabilities in the Ethernet/IP function of EIP Stack Group OpENer. OpENer is an Ethernet/IP stack for I/O adapter devices. It supports multiple I/O and explicit connections and includes objects and services for making Ethernet/IP-compliant products as defined in the ODVA specifications. The software contains two vulnerabilities that could...
Russian-linked cyberespionage group Turla employed a new malware toolset, named Crutch, in targeted attacks aimed at high-profile targets.
Russian-linked APT group Turla has used a previously undocumented malware toolset, named Crutch, in cyberespionage campaigns aimed at high-profile targets, including the Ministry of Foreign Affairs of a European Union country.
The list of previously known victims is long and also includes the Swiss defense firm RUAG, the US Department of State, and the US Central Command.
The Crutch framework was employed in attacks since 2015 to siphon sensitive data and transfer them to Dropbox accounts controlled by the Russian hacking group. ESET researchers speculate Crutch is not a first-stage backdoor and operators deployed it only after they have gained access to the target’s network.
“During our research, we were able to identify strong links between a Crutch dropper from 2016 and Gazer. The latter, also known as WhiteBear, was a second-stage backdoor used by Turla in 2016-2017.” reads the report published by ESET.
ESET researchers linked Crutch to the Russia-linked APT Turla based on several similarities: both samples were dropped on the same machine within a five-day interval in September 2017, they drop CAB files containing malware components and a loader that share the same PDB paths, and they use the same RC4 key to decrypt the payloads.
Experts also observed the presence of FatDuke and Crutch at the same time on one machine. FatDuke is a third-stage backdoor attributed to the Dukes/APT29; experts believe that both Russia-linked APT groups independently compromised the same machine.
The analysis of the timestamps of 506 ZIP archives uploaded to the Dropbox accounts, containing data stolen between October 2018 and July 2019, revealed the working hours of the attackers, which correspond to the UTC+3 time zone (Russia).
Experts believe that Turla used Crutch as a second-stage backdoor, while the first-stage implants used by the APT group include Skipper (2017) and the open-source PowerShell Empire post-exploitation framework (from 2017).
Crutch versions employed between 2015 and mid-2019 used backdoor channels to communicate with a hardcoded Dropbox account via the official HTTP API, and included drive monitoring tools able to search for certain documents of interest.
In July 2019, experts spotted a new version of Crutch (tracked as ‘version 4’) that no longer supports backdoor commands and added a removable-drive monitor with networking capabilities.
“The main difference is that it no longer supports backdoor commands. On the other hand, it can automatically upload the files found on local and removable drives to Dropbox storage by using the Windows version of the Wget utility.” continues the analysis.
Version 4, like the previous ones, gains persistence on compromised devices through DLL hijacking of Chrome, Firefox, or OneDrive.
“Crutch shows that the group is not short of new or currently undocumented backdoors. This discovery further strengthens the perception that the Turla group has considerable resources to operate such a large and diverse arsenal.” concludes the report that also provides IoCs for the attacks.
“Crutch is able to bypass some security layers by abusing legitimate infrastructure – here Dropbox – in order to blend into normal network traffic while exfiltrating stolen documents and receiving commands from its operators.”
For at least the third time in its existence, OGUsers — a forum overrun with people looking to buy, sell and trade access to compromised social media accounts — has been hacked.
An offer by the apparent hackers of OGUsers, offering to remove account information from the eventual database leak in exchange for payment.
Roughly a week ago, the OGUsers homepage was defaced with a message stating the forum’s user database had been compromised. The hack was acknowledged by the forum’s current administrator, who assured members that their passwords were protected with a password obfuscation technology that was extremely difficult to crack.
But unlike in previous breaches at OGUsers, the perpetrators of this latest incident have not yet released the forum database. In the meantime, someone has been taunting forum members, saying they can have their profiles and private messages removed from an impending database leak by paying between $50 and $100.
OGUsers was hacked at least twice previously, in May 2019 and again in March 2020. In the wake of both incidents, the compromised OGUsers databases were made available for public download.
The leaked databases have been useful in reconstructing who’s behind several high-profile incidents involving compromised social media accounts and virtual currency heists that leveraged SIM swapping, a crime that centers around convincing mobile phone company employees to transfer ownership of the target’s phone number to a device the attackers control.
The hacker handles featured in the defacement message left on OGUsers — “Chinese” and “Disco” — correspond to two nicknames used by banned OGUser members who have been trying to generate interest for their own forum that seeks to emulate OGUsers.
Disco, a.k.a “Discoli” a.k.a. “Disco Dog,” is a young man from the United Kingdom who has marketed an automated bot program and service advertised as a way for customers to “cash out” illicit access to OneVanilla Visa prepaid card accounts using PayPal. The same individual also earlier this year founded a corporation in the U.K. called Disco Payments.
Reached via Twitter, Discoli said he and his friends hacked OGUsers via an outdated plugin used by the site. But he claims they have no plans to sell the stolen user data, and said the company was registered as a joke.
“I had a sort of feud with the administrator in the past but this one was more for fun,” Discoli said. “Not too interested in doing damage by releasing database or anything like that.”
As I noted the first time OGUsers got hacked, it’s difficult not to admit feeling a bit of schadenfreude in the continued exposure of a community that has largely specialized in hacking others. Or perhaps in the case of OGUsers, the sentiment may more aptly be described as “schadenfraud.”
The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI are warning of attacks carried out by threat actors against United States think tanks.
APT groups continue to target United States think tanks, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) warn. The work of US think tanks is highly relevant to nation-state attackers that focus on U.S. policy.
Threat actors are targeting individuals and organizations that are involved in international affairs or which focus on national security policy with spear-phishing attacks.
The attackers also use third-party messaging services to target both corporate and personal accounts of intended victims.
According to the alert, the APT groups also attempted to compromise devices that are exposed to the Internet.
“These have included low-effort capabilities such as spearphishing emails and third-party message services directed at both corporate and personal accounts, as well as exploiting vulnerable web-facing devices and remote connection capabilities.” reads the alert. “Increased telework during the COVID-19 pandemic has expanded workforce reliance on remote connectivity, affording malicious actors more opportunities to exploit those connections and to blend in with increased traffic.”
Attackers leverage virtual private networks (VPNs) and other remote work tools to gain initial access to a target’s network and achieve persistence. Once they have gained persistent access to a network, the attackers use the tools to steal sensitive information and gather user credentials.
“Given the importance that think tanks can have in shaping U.S. policy, CISA and FBI urge individuals and organizations in the international affairs and national security sectors to immediately adopt a heightened state of awareness,” the advisory reads.
The advisory provides technical details about the attacks aimed at the US think tanks and also includes mitigations for leaders, users/staff, IT staff/cybersecurity personnel.
Google Project Zero expert Ian Beer on Tuesday disclosed a critical “wormable” iOS flaw that could have allowed attackers to hack iPhone devices.
Google Project Zero white-hat hacker Ian Beer has disclosed technical details of a critical “wormable” iOS bug that could have allowed a remote attacker to take over any device in the vicinity over Wi-Fi.
The flaw, tracked as CVE-2020-3843, is a double free issue whose exploitation makes it possible to access photos and other sensitive data, including email and private messages.
The expert discovered the bug after 6 months of research and devised a zero-click exploit to trigger it.
“a wormable radio-proximity exploit which allows me to gain complete control over any iPhone in my vicinity. View all the photos, read all the email, copy all the private messages and monitor everything which happens on there in real-time.” said Beer.
A remote attacker could exploit the flaw to trigger an unexpected system termination or corrupt kernel memory.
“A remote attacker may be able to cause unexpected system termination or corrupt kernel memory” reads the security advisory published by Apple. “A double free issue was addressed with improved memory management.”
The vulnerability is related to a fairly trivial buffer overflow programming error that resides in a Wi-Fi driver associated with Apple Wireless Direct Link (AWDL) protocol. The AWDL is an Apple proprietary mesh networking protocol used to enable easier communications between Apple devices.
The white-hat hacker demonstrated the exploit in a test environment composed of an iPhone 11 Pro, a Raspberry Pi, and two different Wi-Fi adaptors. Beer was able to remotely achieve arbitrary kernel memory read and write and inject shellcode payloads into kernel memory, bypassing the device’s defenses.
“A fairly trivial buffer overflow programming error in C++ code in the kernel parsing untrusted data, exposed to remote attackers.” wrote the expert.
“In fact, this entire exploit uses just a single memory corruption vulnerability to compromise the flagship iPhone 11 Pro device. With just this one issue I was able to defeat all the mitigations in order to remotely gain native code execution and kernel memory read and write.”
For testing purposes, the expert generated 100 random contacts with 4 contact identifiers each (home and work email, home and work phone numbers) using a modified version of the AppleScript in this StackOverflow answer.
The attacker targets the AirDrop BTLE framework to enable the AWDL interface by brute-forcing a contact’s hash value from the list of 100 contacts stored in the device. Then the attacker triggers the buffer overflow to gain access to the device and run a malicious code implant as root achieving full control on the mobile device.
The expert explained that he is not aware of attacks in the wild exploiting this vulnerability, but he pointed out that exploit vendors seemed to take notice of the fixes.
“I have no evidence that these issues were exploited in the wild; I found them myself through manual reverse engineering. But we do know that exploit vendors seemed to take notice of these fixes. For example, take this tweet from Mark Dowd, the co-founder of Azimuth Security, an Australian “market-leading information security business” continues the expert.
Researchers from security firm Synacktiv also published technical details about the CVE-2020-27950 flaw, explaining that it was chained with two other flaws.
“On November 5th, Project Zero announced that Apple has patched in iOS 14.2 a full chain of vulnerabilities that were actively exploited in the wild, composed of 3 vulnerabilities: a userland RCE in FontParser as well as a memory leak (“memory initialization issue”) and a type confusion in the kernel.” reads the analysis published by Synacktiv.
The three vulnerabilities chained in the attack are a memory corruption issue in the FontParser library that was exploited to achieve remote code execution, a memory leak that granted a malicious application kernel privileges to run arbitrary code, and a type confusion issue in the kernel.
Cybersecurity researchers today took the wraps off a previously undocumented backdoor and document stealer that has been deployed against specific targets from 2015 to early 2020.
Codenamed "Crutch" by ESET researchers, the malware has been attributed to Turla (aka Venomous Bear or Snake), a Russia-based advanced hacker group known for its extensive attacks against governments, embassies, and