🔒
There are new articles available, click to refresh the page.
✇Hexacorn Ltd

DriverPack – Clean PDB paths

By: adam
Unique PDB debug paths embedded inside malware are useful to detect other variants of the malicious family (not applicable to more advanced malware families where authors either wipe the paths […]
✇Security Affairs

The role of Social Media in modern society – Social Media Day 22 interview

By: Pierluigi Paganini

This is a transcription of an interview I had at Iran International broadcaster, I discussed about the role of social media in modern society.

  1. What’s the Middle East government’s role on Cyber bullying towards opposition activists?

Middle East governments play a crucial role in cyberbullying against the opposition. Several independent organizations for the protection of human rights claim that governments in the area have used social media surveillance and law to silence expression online. Let me add also that in many cases the surveillance technologies are provided by Western companies.

Police and secret services have been using social media and mobile applications to hunt down and arrest activists.

  • How does the government use bots to create propaganda and affect the results of elections and other social and political affairs?

The Cambridge Analytica case demonstrates that by using social media it is possible to interfere with the politics of every government. US presidential election won by Trump and the Brexit vote has been impacted by such kinds of operations. Governments can use an army of trolls that stimulate multiple discussions on political topics by operating huge botnets that share news, videos, and fuel threads aligned with government interests. Believe me, it is quite easy to influence a large audience by spreading specially crafted content.

Another weapon in the arsenal of the government is the fake news that can easily and rapidly spread among people that are not able to distinguish them from real news.

  • How important was social media in the case of Ukraine to get help internationally?

The communication strategy of the Ukrainian government is perfect and plays an important role in sensitizing the public opinion on the invasion of their country. This is the first war that we are following through social media, it could be inside our homes in real-time. For this reason, the Russian government has banned social networks in the country, because it fears that the images and the news shared through social media could impact the internal social context. Social media are a powerful weapon and could be compared to non-state actors due to their capability to interfere with governments’ politics.

Below is my interview in the Farsi language, enjoy it:

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Propaganda)

The post The role of Social Media in modern society – Social Media Day 22 interview appeared first on Security Affairs.

✇Security Affairs

Experts shared PoC exploit code for RCE in Zoho ManageEngine ADAudit Plus tool

By: Pierluigi Paganini

Researchers shared technical details and proof-of-concept exploit code for the CVE-2022-28219 flaw in Zoho ManageEngine ADAudit Plus tool.

Security researchers from Horizon3.ai have published technical details and proof-of-concept exploit code for a critical vulnerability, tracked as CVE-2022-28219 (CVSS 9.8 out of 10), in the Zoho ManageEngine ADAudit Plus tool.

The tool allows monitoring activities of Active Directory and produces alerts and reporting for one or more desired Active Directory change events. The tool is very attractive to threat actors because of the privileged access they have to Active Directory.

The unauthenticated remote code execution vulnerability was discovered by security researcher Naveen Sunkavally at Horizon3.ai and addressed by the vendor in March.

The issue was discovered while investigating an endpoint managed by the CewolfRenderer servlet in the third-party Cewolf charting library.

The vulnerability includes three issues: untrusted Java deserialization, path traversal, and a blind XML External Entities (XXE) injection.

“One of the first things that stood out, and we were surprised to see, was the presence of a /cewolf endpoint handled by the CewolfRenderer servlet in the third-party Cewolf charting library. This is the same vulnerable endpoint from CVE-2020-10189, reported by @steventseeley against ManageEngine Desktop Central.” reads the post published by the experts. “The FileStorage  class in this library was abused for remote code execution via untrusted Java deserialization.”

The analysis of the library code revealed that the software deserializes untrusted code and doesn’t sanitize input file paths. The experts were able to use the img parameter to deserialize a Java payload anywhere on the disk.

Zoho

Once achieved the remote code execution capability, the experts focus on discovering a way to upload a Java payload anywhere on disk. The experts noticed a feature in the ADAudit Plus which collects security events from agents running on other machines in the domain. The experts discovered that some of the endpoints that agents use to upload events to ADAudit Plus were unauthenticated

“One of the features of ADAudit Plus is the ability to collect security events from agents running on other machines in the domain. To our surprise, we found that a few of the endpoints that agents use to upload events to ADAudit Plus were unauthenticated. This gave us a large attack surface to work with because there’s a lot of business logic that was written to process these events. While looking for a file upload vector, we found a path to trigger a blind XXE vulnerability in the ProcessTrackingListener class, which handles events containing Windows scheduled task XML content.” continues the analysis. “This class was using the dangerous default version of Java’s DocumentBuilderFactory class, which permits external entity resolution and is vulnerable to XXE injection.”

The experts discovered a blind XXE vulnerability in the ProcessTrackingListener class, they noticed that Blind XXE vulnerabilities in Java are usually hard to exploit, but in this case, they were aided by the old Java runtime bundled with ADAudit Plus. By default ADAudit Plus ships with Java 8u051.

The old Java runtime allowed the researchers to exploit the blind XXE to exfiltrate files over FTP, get directory listings over FTP, and upload files.

The experts demonstrated how to exploit CVE-2022-28219 in ManageEngine ADAudit Plus to execute the calculator app.

The experts discovered XXE vulnerabilities in Java and in Windows that can be exploited to capture and relay the NTLM hashes of the user account under which the application is running. The root cause is that the Java HTTP client will attempt to authenticate over NTLM if it connects to a server requiring NTLM to authenticate.

“This is especially useful for an attacker if the ADAudit Plus application is running under a privileged account.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Zoho ManageEngine ADAudit Plus)

The post Experts shared PoC exploit code for RCE in Zoho ManageEngine ADAudit Plus tool appeared first on Security Affairs.

✇KitPloit - PenTest & Hacking Tools

Microsoft-365-Extractor-Suite - A Set Of PowerShell Scripts That Allow For Complete And Reliable Acquisition Of The Microsoft 365 Unified Audit Log

By: Zion3R


This suite of scripts contains two different scripts that can be used to acquire the Microsoft 365 Unified Audit Log
Read the accompanying blog post on https://invictus-ir.medium.com/introduction-of-the-microsoft-365-extractor-suite-b85e148d4bfe

  1. Microsoft365_Extractor, the original script stems from the Office 365 Extractor and provides all features and complete customization. Choose this if you're not sure what to use.
  2. Microsoft365_Extractor_light, lightweight version of the Microsoft365_Extractor that requires minimal configuration and grabs all available logging for the complete period.

Microsoft 365 Extractor

This script makes it possible to extract log data out of a Microsoft 365 environment. The script has four options, which enable the investigator to easily extract logging out of an Microsoft 365 environment.
  1. Show available log sources and amount of logging
  2. Extract all audit logging
  3. Extract group audit logging
  4. Extract Specific audit logging (advanced mode)

Show available log sources and amount of logging

Pretty straightforward a search is executed and the total number of logs within the
set timeframe will be displayed and written to a csv file called "Amount_Of_Audit_Logs.csv" the file is prefixed with a random number to prevent duplicates.

Extract all audit logs

Extract all audit logs" this option wil get all available audit logs within the set timeframe and written out to a file called AuditRecords.CSV.

Extract group logging

Extract a group of logs. You can for example extract all Exchange or Azure logging in one go

Extract specific audit logs

Extract specific audit logs" Use this option if you want to extract a subset of the audit logs. To configure what logs will be extracted the tool needs to
be configured with the required Record Types. A full list of recordtypes can be found at the bottom of this page.
The output files will be writen in a directory called 'Log_Directory" and will be given the name of their recordtype e.g. (ExchangeItem_AuditRecords.csv)

Prerequisites

- PowerShell
- Microsoft 365 account with privileges to access/extract audit logging
- An OS that supports Powershell you should be good. There are some issues with PowerShell on MacOS/Linux related to WinRM so your best option is to use Windows.

Permissions

You have to be assigned the View-Only Audit Logs or Audit Logs role in Exchange Online to search the Microsoft 365 audit log. By default, these roles are assigned to the Compliance Management and Organization Management role groups on the Permissions page in the Exchange admin center. To give a user the ability to search the Office 365 audit log with the minimum level of privileges, you can create a custom role group in Exchange Online, add the View-Only Audit Logs or Audit Logs role, and then add the user as a member of the new role group. For more information, see Manage role groups in Exchange Online.
(https://docs.microsoft.com/en-us/office365/securitycompliance/search-the-audit-log-in-security-and-compliance)

How to use Microsoft365_extractor

1. Download Microsoft365_Extractor.ps1
2. Open PowerShell navigate to the script and run it or right click on the script and press "Run with PowerShell".
3. Select your prefered option.
4. The logs will be written to 'Log_Directory' in the folder where the script is located.


See example video:

How to use Microsoft365_extractor_light

1. Download Microsoft365_Extractor.ps1
2. Open PowerShell navigate to the script and run it or right click on the script and press "Run with PowerShell".
3. Select StartDate, EndDate and Interval or use the defaults and the script will acquire all logs for the defined period.
4. The logs will be written to 'Log_Directory' in the folder where the script is located.

See example video:

Output

Amount_Of_Audit_Logs.csv:
Will show what logs are available and how many for each RecordType.
AuditLog.txt:
The AuditLog stores valuable information for debugging.
AuditRecords.csv:
When all logs are extracted they will be written to this file.
[RecordType]__AuditRecords:
When extracting specific RecordTypes, logs are sorted on RecordType and written to a CSV file.
The name of this file is the RecordType + _AuditRecords.

Available RecordTypes

ExchangeAdmin
ExchangeItem
ExchangeItemGroup
SharePoint
SyntheticProbe
SharePointFileOperation
OneDrive
AzureActiveDirectory
AzureActiveDirectoryAccountLogon
DataCenterSecurityCmdlet
ComplianceDLPSharePoint
Sway
ComplianceDLPExchange
SharePointSharingOperation
AzureActiveDirectoryStsLogon
SkypeForBusinessPSTNUsage
SkypeForBusinessUsersBlocked
SecurityComplianceCenterEOPCmdlet
ExchangeAggregatedOperation
PowerBIAudit
CRM
Yammer
SkypeForBusinessCmdlets
Discovery
MicrosoftTeams
ThreatIntelligence
MailSubmission
MicrosoftFlow
AeD
MicrosoftStream
ComplianceDLPSharePointClassification
ThreatFinder
Project
SharePointListOperation
SharePointCommentOperation
DataGovernance
Kaizala
SecurityComplianceAlerts
ThreatIntelligenceUrl
SecurityComplianceInsights
MIPLabel
WorkplaceAnalytics
PowerAppsApp
PowerAppsPlan
ThreatIntelligenceAtpContent
TeamsHealthcare
ExchangeItemAggregated
HygieneEvent
DataInsightsRestApiAudit
InformationBarrierPolicyApplication
SharePointListItemOperation
SharePointContentTypeOperation
SharePointFieldOperation
MicrosoftTeamsAdmin
HRSignal
MicrosoftTeamsDevice
MicrosoftTeamsAnalytics
InformationWorkerProtection
Campaign
DLPEndpoint
AirInvestigation
Quarantine
MicrosoftForms
LabelContentExplorer
ApplicationAudit
ComplianceSupervisionExchange
CustomerKeyServiceEncryption
OfficeNative
MipAutoLabelSharePointItem
MipAutoLabelSharePointPolicyLocation
MicrosoftTeamsShifts
MipAutoLabelExchangeItem
CortanaBriefing
Search
WDATPAlerts
MDATPAudit
SensitivityLabelPolicyMatch
SensitivityLabelAction
SensitivityLabeledFileAction
AttackSim
AirManualInvestigation
SecurityComplianceRBAC
UserTraining
AirAdminActionInvestigation
MSTIC
PhysicalBadgingSignal
AipDiscover
AipSensitivityLabelAction
AipProtectionAction
AipFileDeleted
AipHeartBeat
MCASAlerts
OnPremisesFileShareScannerDlp
OnPremisesSharePointScannerDlp
ExchangeSearch
SharePointSearch
PrivacyInsights
MyAnalyticsSettings
SecurityComplianceUserChange
ComplianceDLPExchangeClassification
MipExactDataMatch
MS365DCustomDetection
CoreReportingSettings
ComplianceConnector
Source:https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#auditlogrecordtype

Frequently Asked Questions

If I enable mailbox auditing now can I see historical records?
No, additionaly if you enable auditing now it can take up to 24 hours before events will be logged.

I logged into a mailbox with auditing turned on but I don't see my events?
It can take up to 24 hours before an event is stored in the UAL.


Which date format does the script accepts as input?
The script will tell what the correct date format is. For Start and End data variables it will show between brackets what the format is (yyyy-MM-dd).

Do I need to configure the time period?
No if you don't specify a time period the script will use the default If you don't include a timestamp in the value for the StartDate or EndDate parameters, the default timestamp 12:00 AM (midnight) is used.

What about timestamps?
The audit logs are in UTC, and they will be exported as such

What is the retention period?
Office 365 E3 - Audit records are retained for 90 days. That means you can search the audit log for activities that were performed within the last 90 days.

Office 365 E5 - Audit records are retained for 365 days (one year). That means you can search the audit log for activities that were performed within the last year. Retaining audit records for one year is also available for users that are assigned an E3/Exchange Online Plan 1 license and have an Office 365 Advanced Compliance add-on license.

What if I have E5 or other license that has more than 90 days?
Just define a manual startdate instead of the 'maximum' because the variable maximum is set to 90 days, which is the default for almost everyone.

Can this script also acquire Message Trace Logs?
At the moment it cannot, but there are several open-source scripts available that can help you with getting the MTL One example can be found here: https://gallery.technet.microsoft.com/scriptcenter/Export-Mail-logs-to-CSV-d5b6c2d6

Known errors

StartDate is later than EndDate
This error occurs sometimes at the final step of the script if you have not defined an endDate. Doublecheck if you have all the logs using Option 1 to validate if you have all logs. Alternative: Define an endDate

Import-PSSession : No command proxies have been created, because all of the requested remote....
This error is caused when the script did not close correctly and an active session will be running in the background. The script tries to import/load all modules again, but this is not necessary since it is already loaded. This error message has no impact on the script and will be gone when the open session gets closed. This can be done by restarting the PowerShell Windows or entering the following command: Get-PSSession | Remove-PSSession

Audit logging is enabled in the Office 365 environment but no logs are getting displayed?
The user must be assigned an Office 365 E5 license. Alternatively, users with an Office 365 E1 or E3 license can be assigned an Advanced eDiscovery standalone license. Administrators and compliance officers who are assigned to cases and use Advanced eDiscovery to analyze data don't need an E5 license.

Audit log search argument start date should be after
The start date should be earlier then the end date.

New-PSSession: [outlook.office365.com] Connecting to remove server outlook.office365.com failed with the following error message: Access is denied.
The password/username combination are incorrect or the user has not enough privileges to extract the audit logging.

Invalid Argument "Cannot convert value" to type "System.Int32"
Safe to ignore, only observed this on PowerShell on macOS, the script will work fine and continue.



✇Security Affairs

A ransomware attack forced publishing giant Macmillan to shuts down its systems

By: Pierluigi Paganini

A cyber attack forced the American publishing giant Macmillan to shut down its IT systems. 

The publishing giant Macmillan has been hit by a cyberattack that forced the company to shut down its IT infrastructure to prevent the threat from spreading within its network.

The company spokesman Erin Coffey told different media outlets that attackers have encrypted certain files on the Macmillan network. This info leads the experts into believing that the company was the victim of a ransomware attack, but at this time it has yet to be claimed by any ransomware gangs.

The attack took place on June 25, the security breach also impacted the U.K. branch Pan Macmillan, it is still unclear if the company was also the victim of a data breach.

“As a precautionary measure, we immediately took systems offline to prevent further impact to our network,” Coffey said. “We are working diligently with specialists to investigate the source of this issue, understand its impact on our systems, and to restore full functionality to our networks as soon as possible.

Macmillan is investigating the incident, the company also closed its virtual and physical offices in New York.

In case you haven’t heard, Macmillan is experiencing a digital security incident, and our systems are shut down out of an abundance of caution. Our offices are closed today and possibly tomorrow. We cannot access email or files. Hopefully we’ll be up and running again very soon! pic.twitter.com/vDbS5iKx8s

— Grace Kendall (@GraceKendallLit) June 27, 2022

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

The post A ransomware attack forced publishing giant Macmillan to shuts down its systems appeared first on Security Affairs.

✇The Hacker News

TikTok Assures U.S. Lawmakers it's Working to Safeguard User Data From Chinese Staff

By: Ravie Lakshmanan
Following heightened worries that U.S. users' data had been accessed by TikTok engineers in China between September 2021 and January 2022, the company sought to assuage U.S. lawmakers that it's taking steps to "strengthen data security." The admission that some China-based employees can access information from U.S. users came in a letter sent to nine senators, which further noted that the
✇KitPloit - PenTest & Hacking Tools

Dlinject - Inject A Shared Library (I.E. Arbitrary Code) Into A Live Linux Process, Without Ptrace

By: Zion3R


Inject a shared library (i.e. arbitrary code) into a live linux process, without ptrace. Inspired by Cexigua and linux-inject, among other things.


Inject a shared library (i.e. arbitrary code) into a live linux process, without ptrace (1)

Usage

    .___.__  .__            __               __
__| _/| | |__| ____ |__| ____ _____/ |_ ______ ___.__.
/ __ | | | | |/ \ | |/ __ \_/ ___\ __\ \____ < | |
/ /_/ | | |_| | | \ | \ ___/\ \___| | | |_> >___ |
\____ | |____/__|___| /\__| |\___ >\___ >__| /\| __// ____|
\/ \/\______| \/ \/ \/|__| \/

source: https://github.com/DavidBuchanan314/dlinject

usage: dlinject.py [-h] [--stopmethod {sigstop,cgroup_freeze,none}]
pid /path/to/lib.so

Inject a shared library into a live process.

positional arguments:
pid The pid of the target process
/path/to/lib.so Path of the shared library to load (note: must be
relative to the target process's cwd, or absolute)< br/>
optional arguments:
-h, --help show this help message and exit
--stopmethod {sigstop,cgroup_freeze,none}
How to stop the target process prior to shellcode
injection. SIGSTOP (default) can have side-effects.
cgroup freeze requires root. 'none' is likely to cause
race conditions.

Why?

  • Because I can.

  • There are various anti-ptrace techniques, which this evades by simply not using ptrace.

  • I don't like ptrace.

  • Using LD_PRELOAD can sometimes be fiddly or impossible, if the process you want to inject into is spawned by another process with a clean environment.

How it Works

  • Send the stop signal to the target process. (optional)

  • Locate the _dl_open() symbol.

  • Retreive RIP and RSP via /proc/[pid]/syscall.

  • Make a backup of part of the stack, and the code we're about to overwrite with our shellcode, by reading from /proc/[pid]/mem.

  • Generate primary and secondary shellcode buffers.

  • Insert primary shellcode at RIP, by writing to /proc/[pid]/mem.

  • The primary shellcode:

    • Pushes common registers to the stack.
    • Loads the secondary shellcode via mmap().
    • Jumps to the secondary shellcode.
  • The secondary shellcode:

    • Restores the stack and program code to their original states.
    • Pivots the stack (so we don't touch the original one at all).
    • Calls _dl_open() to load the user-specified library. Any constructors will be executed on load, as usual.
    • Restores register state, un-pivots the stack, and jumps back to where it was at the time of the original SIGSTOP.

Limitations:

  • Sending SIGSTOP may cause unwanted side-effects, for example if another thread is waiting on waitpid(). The --stopmethod=cgroup_freeze option avoids this, but requires root (on most distros, at least).

  • I'm not entirely sure how this will interact with complex multi-threaded applications. There's certainly potential for breakage.

  • x86-64 Linux only (for now - 32-bit support could potentially be added).

  • Requires root, or relaxed YAMA configuration (echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope is useful when testing).

  • If the target process is sandboxed (e.g. seccomp filters), it might not have permission to mmap() the second stage shellcode, or to dlopen() the library.



✇Hexacorn Ltd

Da Li’L World of DLL Exports and Entry Points, Part 5

By: adam
The previous parts of this series were done ‘manually’. I would come across some new type of DLL and would jot down its properties so I would have a point […]
✇Security Affairs

SessionManager Backdoor employed in attacks on Microsoft IIS servers worldwide

By: Pierluigi Paganini

Researchers warn of a new ‘SessionManager’ Backdoor that was employed in attacks targeting Microsoft IIS Servers since March 2021.

Researchers from Kaspersky Lab have discovered a new ‘SessionManager’ Backdoor that was employed in attacks targeting Microsoft IIS Servers since March 2021.

“In early 2022, we investigated one such IIS backdoor: SessionManager. In late April 2022, most of the samples we identified were still not flagged as malicious in a popular online file scanning service, and SessionManager was still deployed in over 20 organizations.” reads the analysis published by Kaspersky. “Dropping an IIS module as a backdoor enables threat actors to maintain persistent, update-resistant and relatively stealthy access to the IT infrastructure of a targeted organization; be it to collect emails, update further malicious access, or clandestinely manage compromised servers that can be leveraged as malicious infrastructure.”

The SessionManager backdoor was employed in attacks against NGOs, government, military and industrial organizations in Africa, South America, Asia, Europe, Russia and the Middle East. The researchers attributes the attack to the GELSEMIUM threat actor due to the similar victims, and use of a common OwlProxy variant,.

SessionManager is written in C++, it is a malicious native-code IIS module that is loaded by some IIS applications, to process legitimate HTTP requests that are continuously sent to the server.

Once received specifically crafted HTTP requests from the threat actors, the malicious code executes instructions hidden in the request and then pass the request to the server for it processing like any other request.

sessionmanager

Experts pointed out that that such kind of malicious modules is very difficult to be detected with common monitoring activities.

SessionManager supports the following capabilities:

  • Reading, writing to and deleting arbitrary files on the compromised server.
  • Executing arbitrary binaries from the compromised server, also known as “remote command execution”.
  • Establishing connections to arbitrary network endpoints that can be reached by the compromised server, as well as reading and writing in such connections.

The backdoor could also act as a post-deployment tool that could allow operators to conduct reconnaissance on the targeted environment, gather in-memory passwords and deploy additional malicious payloads.

The report also includes Indicators of Compromise (IoCs) for this threat.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, SessionManager)

The post SessionManager Backdoor employed in attacks on Microsoft IIS servers worldwide appeared first on Security Affairs.

✇The Hacker News

Microsoft Warns About Evolving Capabilities of Toll Fraud Android Malware Apps

By: Ravie Lakshmanan
Microsoft has detailed the evolving capabilities of toll fraud malware apps on Android, pointing out its "complex multi-step attack flow" and an improved mechanism to evade security analysis. Toll fraud belongs to a category of billing fraud wherein malicious mobile applications come with hidden subscription fees, roping in unsuspecting users to premium content without their knowledge or consent
✇The Hacker News

Google Improves Its Password Manager to Boost Security Across All Platforms

By: Ravie Lakshmanan
Google on Thursday announced a slew of improvements to its password manager service aimed at creating a more consistent look and feel across different platforms. Central to the changes is a "simplified and unified management experience that's the same in Chrome and Android settings," Ali Sarraf, Google Chrome product manager, said in a blog post. The updates are also expected to automatically
✇Security Affairs

A long-running cryptomining campaign conducted by 8220 hackers now targets Linux servers

By: Pierluigi Paganini

Microsoft spotted a cloud threat actor tracked as 8220 that is now targeting Linux servers in a long-running cryptomining campaign.

Microsoft Security Intelligence experts are warning of a long-running campaign conducted by a cloud threat actor group, tracked as 8220, that is now targeting Linux servers to install crypto miners.

“We observed notable updates to the long-running malware campaign targeting Linux systems by a group known as the 8220 gang.” reads one of the tweets published by Microsoft Security Intelligence “The updates include the deployment of new versions of a cryptominer and an IRC bot, as well the use of an exploit for a recently disclosed vulnerability.”

The 8220 group has been active since at least 2017, it focuses on cryptomining campaigns. The threat actors are Chinese-speaking, the names of the group come for the port number 8220 used by the miner to communicate with the C2 servers.

According to Microsoft researchers, the group has actively updated its techniques and payloads over the last year. In a recent campaign, the group targeted i686 and x86_64 Linux systems and uses RCE exploits for CVE-2022-26134 (Atlassian Confluence) and CVE-2019-2725 (WebLogic) for initial access.

Once gained access to a target system, an evasive loader is downloaded from jira[.]letmaker[.]top. The loader eludes detection by clearing log files and disabling cloud monitoring and security tools.

The loader is used to download the pwnRig crpytominer (v1.41.0) and an IRC bot that runs commands from a C2 server. In orIt maintains persistence by creating either a cronjob or a script that runs every 60 seconds as nohup.

The loader uses the IP port scanner tool “masscan” to find other SSH servers in the network, and then uses the GoLang-based SSH brute force tool “spirit” to propagate. It also scans the local disk for SSH keys to move laterally by connecting to known hosts.

— Microsoft Security Intelligence (@MsftSecIntel) June 29, 2022

Microsoft urges organizations to secure systems and servers, apply updates, and use good credential hygiene to protect their networks. Microsoft Defender for Endpoint on Linux detects malicious behaviors and payloads related to this campaign.

The IT giant also shared indicators of compromise (IoCs) for this campaign.

IoCs (SHA-256): bd3c7a55ee04d5713eaf36dfca291533a544b8f58c1e6e30dcd46e3b58bf38e5 (loader script); 2bd102ddc0e618d91a7adc3f3fb92fcfb258680f11b904bb129f5f2f918dcc5f (PwnRig miner for i686); ca7fb4ee975499b2b1497fb1be69d0187d0a5cf83a2a646ad2855f4e739c8326 (pwnRig for x86_64)

— Microsoft Security Intelligence (@MsftSecIntel) June 29, 2022

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, 8220)

The post A long-running cryptomining campaign conducted by 8220 hackers now targets Linux servers appeared first on Security Affairs.

✇CrowdStrike

How CrowdStrike’s Machine Learning Model Automation Uses the Cloud to Maximize Detection Efficacy

By: Joe Faulhaber
  • The CrowdStrike Falcon® platform takes full advantage of the power of the CrowdStrike Security Cloud to reduce high-cost false positives and maximize detection efficacy to stop breaches 
  • CrowdStrike continuously explores novel approaches to improve machine learning automated detection and protection capabilities for Falcon customers
  • CrowdStrike’s cloud-based machine learning model automation can predict 500,000 feature vectors every second and cover 10TB of files per second to find detections

 At CrowdStrike, we combine cloud scale with machine learning expertise to improve the efficacy of our machine learning models. One method for achieving that involves scanning massive numbers of files that we may not even have in our sample collections before we release our machine learning models. This prerelease scan allows us to maximize the efficacy of our machine learning models while minimizing negative impact of new or updated model releases.

It’s important to understand that machine learning models take over when discrete algorithms fall short. CrowdStrike machine learning does an excellent job of creating models that can detect impactful in-the-wild novel threats like NotPetya, BadRabbit or HermeticWiper along with other malware families. CrowdStrike’s comprehensive detection capabilities have been consistently validated in independent third-party testing from leading organizations including AV-Comparatives. However, machine learning looks at the world through probabilities, and those probabilities can make understanding why an incorrect detection was made unpredictable and difficult to understand.

Incorrect detections, also known as false positives, are a concern with any endpoint security solution and exacerbate the ongoing skills shortage most organizations face. Any incorrect assessment of a clean file as malicious can immediately trigger remediation procedures that can take down services, disrupt workflows and distract analysts from hunting down legitimate threats. However, not all false positives are created equal, for the cost of any mistakes should be compared to the benefit given by correct detections. CrowdStrike has implemented novel solutions to the false positive predicament.

Clean or Dirty: Know the Difference

One approach involves accumulating billions of files in our cloud. These files come from various sources, ranging from protected environments to public malware collections, at a rate of approximately 86 million new hashes a day. The collection includes malicious code, clean code and unwanted code, such as potentially unwanted programs. 

To build our machine learning models, we carefully curate both clean and “dirty” (i.e., malicious) samples from this collection, resulting in a labeled collection that is growing by tens of millions of new examples every training cycle.

Extract the Right Features

To ensure the quality of the resulting models, we also gather from live environments the most interesting files to maximize the efficacy of the model. While some customers use the Falcon platform to share files with us so we can improve our coverage capabilities, others keep their files in-house for a variety of reasons. As a consequence, to build an effective model, we must ensure that it can perform well on in-house files not shared with us as well as on those that have been shared. However, to teach a machine learning model, first you must reduce these interesting files to a long list of transformed numeric values, called a feature vector, that represent various properties of the file. 

As humans, we learn to use our senses to extract features from the surrounding environment and then infer probable outcomes based on past experience. For example, if it’s cloudy outside and there’s a damp breeze, we infer there’s a high chance of rain and we need to grab an umbrella. In this case, cloudy and damp can be considered data points part of the feature vector that describes chances of rain. 

Of course, the feature list for files contains thousands of decimal numbers that humans can’t read but our artificial intelligence (AI) understands. That feature vector is uploaded to the cloud by the Falcon sensor, making it possible for us to observe what a new model would say about the underlying file by running predictions over that stored feature vector.

Figure 1. This flow describes how feature vectors and metadata are sent to the CrowdStrike Security Cloud and used against our machine learning model to help build better predictions.

Returning to the rain example, the feature vector with the two data points of cloudy and damp is assessed against what we know from experience to be signs of rain. If our experience has taught us that these two particular data points have a high probability of describing chances of rain, then we grab an umbrella. Otherwise, we assess this with low chances of rain. Much like machine learning models, it comes down to how well we are trained in spotting and recognizing signs of rain.

Measure Efficacy, Get It Right!

The same file feature vector can also be combined with additional information such as the prevalence of files that is contained within our security cloud. This means we can virtually scan all prevalent files in protected environments to measure efficacy and test for false positives. 

The results of this virtual scan are important for a number of reasons. First, it enables us to identify important files which will have a high impact in the next model release.  Second, we can minimize potential high-cost false positives prior to deployment.  Finally, this information is used to teach future models. 

For example, based on a prevalence threshold, we advance our scan to include all files found on a significant number of devices. We then consider all of our detections. Those that are incorrect we resolve with our cloud by replying to our sensors to prevent future detection, and include the files that triggered an incorrect detection in the next retrain of our model. Correct detections, on the other hand, are added both to our cloud for immediate detection and to the files used in training our models in the future. 

Again, returning to the rain example, this virtual scan is like checking multiple weather forecasting websites as soon as we have the two signs — cloudy and damp — before leaving the house with or without an umbrella. Some of those websites may be correct in predicting rain, others may not, but the next time it’s cloudy and damp we will know which websites are reliable before we go outside and risk being caught in the rain without an umbrella.

CrowdStrike’s Automated Cloud-Based Machine Learning Model Maximizes Efficacy

While CrowdStrike analysts inspect millions of files, the number of files detected as malicious is remarkably small enough that they can be analyzed by hand. Because our analysts and processes work better on samples that we have instead of information about samples, we start our analysis with those detections we can also find in our massive sample store. 

Using feature vectors, the Falcon platform enables us to know quite a bit about the files we don’t have, and also allows us to use the power of the cloud to enhance detection or resolve incorrect detections of files not contained in our sample store.

Comparing global virtual scans of prevalent files against all of our static detection models is critical in pushing the accuracy and efficacy of our machine learning models to help secure our customers and stop breaches.

In essence, the power of the Falcon platform lies in its ability to take full advantage of the massive data fabric we call the CrowdStrike Security Cloud, which correlates trillions of security events from protected endpoints with threat intelligence and enterprise telemetry. The Falcon platform uses machine learning and AI to automate and maximize the efficacy of detecting and protecting against threats, to stop breaches.

Additional Resources

✇VerSprite

Russia-Ukraine War, Cyberwarfare, and the Impact on Businesses Worldwide

By: VerSprite

With the ongoing conflict in Ukraine, we are here to shed some light on the cyberattacks going on between Russia and Ukraine, how it is shaping the geopolitical landscapes, and the cybersecurity impact the war is having on organizations and businesses around the world.

The post Russia-Ukraine War, Cyberwarfare, and the Impact on Businesses Worldwide appeared first on VerSprite.

✇KitPloit - PenTest & Hacking Tools

awsEnum - Enumerate AWS Cloud Resources Based On Provided Credential

By: Zion3R


Enumrate AWS services! with no nosies

awsEnum is a python script enumrate AWS services through the provided credential.


     ▄▄▄▄▄▄ ▄     ▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄    ▄ ▄▄   ▄▄ ▄▄   ▄▄ 
█ █ █ ▄ █ █ █ █ █ █ █ █ █ █ █▄█ █
█ ▄ █ ██ ██ █ ▄▄▄▄▄█ ▄▄▄█ █▄█ █ █ █ █ █
█ █▄█ █ █ █▄▄▄▄▄█ █▄▄▄█ █ █▄█ █ █
█ █ █▄▄▄▄▄ █ ▄▄▄█ ▄ █ █ █
█ ▄ █ ▄ █▄▄▄▄▄█ █ █▄▄▄█ █ █ █ █ ██▄██ █
█▄█ █▄▄█▄▄█ █▄▄█▄▄▄▄▄▄▄█▄▄▄▄▄▄▄█▄█ █▄▄█▄▄▄▄▄▄▄█▄█ █▄█
--------------------------------------------------------
If you are looking to enumerate AWS services. So, welcome
to awsEnum, awsEnum is a python script trying to facilitate
the enumerate phase of AWS cloud with the lowest possible
headache and less noise. Therefore we are not supporting
the `all` mode. ----------------------------------------
----------- ---------------------------------------------
developed by bassammaged (@kemet)
version: 0.1 Beta
--------------------------------------------------------
[!] Make sure you already defined credential profile via AWS CLI.

usage: run.py [-h] [-p profile_name] [-r region_name] [-v | --verbose | --no-verbose] [-t TRIES] aws_service_name

positional arguments:
aws_service_name Specify the aws service for enumration. Supported services are: ['ec2', 'iam', 's3'] (default: all)

options:
-h, --help show this help message and exit
-p profile_name, --profile profile_name
specify aws credential profile that will be used through the enumeration. (default: default)
-r region_name, --region region_name
specify aws region. (default: eu-central-1)
-v, --verbose, --no-verbose
Allows the script to print out t he message level start with debug. (default: False)
-t TRIES, --tries TRIES
set maximum tries. (default: 1000)

Disclaimer

awsEnum is in beta version and is supposed to be free of issues but if any issues encountered, please submit the ticket,awsEnum is coded and published to be used in partical circumstances:

  1. Engaging in penetration testing activity.
  2. Carry on Bug hunting activity.
  3. AWS cloud security Audit.
  4. Any other legal activity that already approved by the owner of the asset.

awsEnum is craeted to work under hoodie, which means there's no intention to support all mode.

Features

  • Connect to aws service through boto3, on other word! signing request.
  • awsEnum allows user to set the number of requests [By default: 1000].
  • awsEnum store result into json file.
  • Keep AWS credential within awscli confugration and just pass profile_name to awsEnum.
  • Supported service: ec2, iam, s3.

Prerequisites

  1. Python3
  2. pip package manager
  3. python3 -m pip install requirements.txt
  4. Feel Free to use awsEnum via run.py script

Results and FQAs

[
{
"AmiLaunchIndex": 0,
"ImageId": "ami-7c803d1c",
"InstanceId": "i-05bef8a081f307783",
"InstanceType": "t2.micro",
"KeyName": "Default",
"LaunchTime": "2017-02-12 22:29:24+00:00",
"Monitoring": {
"State": "disabled"
},
"Placement": {
"AvailabilityZone": "us-west-2a",
"GroupName": "",
"Tenancy": "default"
},
"PrivateDnsName": "ip-172-31-41-84.us-west-2.compute.internal",
"PrivateIpAddress": "172.31.41.84",
"ProductCodes": [],
"PublicDnsName": "ec2-35-165-182-7.us-west-2.compute.amazonaws.com",
"PublicIpAddress": "35.165.182.7",
"State": {
"Code": 16,
"Name": "running"
},
"StateTransitionReason": "",
"SubnetId": "subnet-d962aa90",
" VpcId": "vpc-1052ce77",
"Architecture": "x86_64",
"BlockDeviceMappings": [
{
"DeviceName": "/dev/sda1",
"Ebs": {
"AttachTime": "2017-02-12 22:29:25+00:00",
"DeleteOnTermination": true,
"Status": "attached",
"VolumeId": "vol-04f1c039bc13ea950"
}
}
],
"ClientToken": "kTOiC1486938563883",
"EbsOptimized": false,
"Hypervisor": "xen",
"IamInstanceProfile": {
"Arn": "arn:aws:iam::975426262029:instance-profile/flaws",
"Id": "AIPAIK7LV6U6UXJXQQR3Q"
},
"NetworkInterfaces": [
{
"Association": {
"IpOwnerId": "amazon",
"PublicDnsName": "ec2-35-165-182-7.us-west-2.compute.amazonaws.com",
"PublicIp": "35.165.182.7"
},
"Attachment": {
"AttachTime": "2017-02-12 22:29:24+00:00",
"AttachmentId": "eni-attach-a4901fc2",
"DeleteOnTermination": true,
"DeviceIndex": 0,
"Status": "attached",
"NetworkCardIndex": 0
},
"Description": "",
"Groups": [
{
"GroupName": "launch-wizard-1",
"GroupId": "sg-490f6631"
}
],
"Ipv6Addresses": [],
"MacAddress": "06:b0:7a:92:21:cf",
"NetworkInterfaceId": "eni-c26ed780",
"OwnerId": "975426262029",
"PrivateDnsName": "ip-172-31-41-84.us-west-2.compute.internal",
"PrivateIpAddress": "172.31.41.84",
"PrivateIpAddresses": [
{
"Association": {
"IpOwnerId": "amazon",
"PublicDnsName": "ec2-35-165-182-7.us-west-2.compute.amazonaws.com",
"PublicIp": "35.165.182.7"
},
"Primary": true,
"PrivateDnsName": "ip-172-31-41-84.us-west-2.compute.internal",
"PrivateIpAddress": "172.31.41.84"
}
],
"SourceDestCheck": true,
"Status": "in-use",
"SubnetId": "subnet-d962aa90",
"VpcId": "vpc-1052ce77",
"InterfaceType": "interface"
}
],
"RootDeviceName": "/dev/sda1",
"RootDeviceType": "e bs",
"SecurityGroups": [
{
"GroupName": "launch-wizard-1",
"GroupId": "sg-490f6631"
}
],
"SourceDestCheck": true,
"VirtualizationType": "hvm",
"CpuOptions": {
"CoreCount": 1,
"ThreadsPerCore": 1
},
"CapacityReservationSpecification": {
"CapacityReservationPreference": "open"
},
"HibernationOptions": {
"Configured": false
},
"MetadataOptions": {
"State": "applied",
"HttpTokens": "optional",
"HttpPutResponseHopLimit": 1,
"HttpEndpoint": "enabled",
"HttpProtocolIpv6": "disabled",
"InstanceMetadataTags": "disabled"
},
"EnclaveOptions": {
"Enabled": false
},
"Platform Details": "Linux/UNIX",
"UsageOperation": "RunInstances",
"UsageOperationUpdateTime": "2017-02-12 22:29:24+00:00",
"PrivateDnsNameOptions": {},
"MaintenanceOptions": {
"AutoRecovery": "default"
}
}
]

To-Do

  • Support s3 services.
  • Support iam services.


✇The Hacker News

Solving the indirect vulnerability enigma - fixing indirect vulnerabilities without breaking your dependency tree

By: The Hacker News
Fixing indirect vulnerabilities is one of those complex, tedious and, quite frankly, boring tasks that no one really wants to touch. No one except for Debricked, it seems. Sure, there are lots of ways to do it manually, but can it be done automatically with minimal risk of breaking changes? The Debricked team decided to find out.  A forest full of fragile trees So, where do you even start?
✇The Hacker News

New 'SessionManager' Backdoor Targeting Microsoft IIS Servers in the Wild

By: Ravie Lakshmanan
A newly discovered malware has been put to use in the wild at least since March 2021 to backdoor Microsoft Exchange servers belonging to a wide range of entities worldwide, with infections lingering in 20 organizations as of June 2022. Dubbed SessionManager, the malicious tool masquerades as a module for Internet Information Services (IIS), a web server software for Windows systems, after
✇0patch Blog

Micropatching the "DFSCoerce" Forced Authentication Issue (No CVE)

By: Mitja Kolsek

 


by Mitja Kolsek, the 0patch Team


"DFSCoerce" is another forced authentication issue in Windows that can be used by a low-privileged domain user to take over a Windows server, potentially becoming a domain admin within minutes. The issue was discovered by security researcher Filip Dragovic, who also published a POC.

Filip's tweet indicated this issue can be used even if you have disabled or filtered services that other currently known forced authentication issues such as PrinterBug/SpoolSample, PetitPotam, ShadowCoerce and RemotePotato0 are exploiting: "Spooler service disabled, RPC filters installed to prevent PetitPotam and File Server VSS Agent Service not installed but you still want to relay DC authentication to ADCS? Don't worry MS-DFSNM have your back ;)"

A quick reminder: Microsoft does not fix forced authentication issues unless an attack can be mounted anonymously. Our customers unfortunately can't all disable relevant services or implement mitigations without breaking production, so it is on us to provide them with such patches.


The Vulnerability

The vulnerability lies in the Distributed File System (DFS) service. Any authenticated user can make a remote procedure call to this service and execute functions NetrDfsAddStdRoot or NetrDfsremoveStdRoot, providing them with host name or IP address of attacker's computer. These functions both properly perform a permissions check using a call to AccessImpersonateCheckRpcClient, which returns error code 5 ("access denied") for users who aren't allowed to do any changes to DFS. If access is denied, they block the adding or removing of a stand-alone namespace - but they both still perform a credentials-leaking request to the specified host name or IP address.

Such leaked credentials - belonging to server's computer account - can be relayed to some other service in the network such as LDAP or Certificate Service to perform privileged operations leading to further unauthorized access. Unsurprisingly, attackers and red teams like such things.


Our Micropatch

Since a proper access check was already in place, just not reacted to entirely properly, we decided to use its result and correct the logic in both vulnerable functions.

The image below shows our patch (green code blocks) injected in function NetrDfsremoveStdRoot. As you can see, a call to AccessImpersonateCheckRpcClient is made in the original code, which returns 5 ("access denied") when the caller has insufficient permissions. This information is then stored as one bit into register r8b, and copied to local variable arg_18 (sounds like an argument, but compilers use so-called "home space" for local variables when it suits them). Our patch code takes the return value of AccessImpersonateCheckRpcClient and compares it to 5; if equal, we sabotage attacker's attempts by placing a zero at the beginning of their ServerName string pointed to by rcx, effectively turning it into an empty string. This approach allows us to minimize the amount of code and complexity of the patch, which is always our goal. Function DfsDeleteStandaloneRoot, which causes the forced authentication to attacker's host, is then called from the original code (moved to a blue trampoline code block) but it gets an empty string for the host name - and returns an error. A blocked attack therefore behaves as if a request was made by an unprivileged user with an illegal ServerName. We decided not to log this as an attempted exploit to avoid possible false positives in case a regular user without malicious intent might somehow trigger this code via Windows user interface.



 

Source code of the micropatch shows two identical patchlets, one for function NetrDfsAddStdRoot and one for NetrDfsremoveStdRoot:



MODULE_PATH "..\Affected_Modules\dfssvc.exe_10.0.17763.2028_Srv2019_64-bit_u202206\dfssvc.exe"
PATCH_ID 952
PATCH_FORMAT_VER 2
VULN_ID 7442
PLATFORM win64

patchlet_start
    PATCHLET_ID 1                ; NetrDfsAddStdRoot
    PATCHLET_TYPE 2
    PATCHLET_OFFSET 0x183e
    N_ORIGINALBYTES 5
    JUMPOVERBYTES 0
    code_start
        neg eax                  ; get original return value from AccessImpersonateCheckRpcClient
        cmp eax, 5               ; check if access denied(5) was returned
        jne CONTINUE_1           ; return value is not 5, continue with
                                 ; normal code execution
        mov word[rcx], 0         ; else set ServerHost to NULL. Result: DFSNM
                                 ; SessionError: code: 0x57 - ERROR_INVALID_PARAMETER
                                 ; continue with original code
    CONTINUE_1:
       
    code_end
patchlet_end

patchlet_start
    PATCHLET_ID 2                ; NetrDfsremoveStdRoot
    PATCHLET_TYPE 2
    PATCHLET_OFFSET 0x1c96
    N_ORIGINALBYTES 5
    JUMPOVERBYTES 0
    code_start
        neg eax                 
; get original return value from AccessImpersonateCheckRpcClient
        cmp eax, 5              
; check if access denied(5) was returned
        jne CONTINUE_2          
; return value is not 5, continue with
                                 ; normal code execution
        mov word[rcx], 0        
; else set ServerHost to NULL. Result: DFSNM
                                 ; SessionError: code: 0x57 -
ERROR_INVALID_PARAMETER
                                 ; continue with original code
    CONTINUE_2:
       
    code_end
patchlet_end

 


Micropatch Availability

While this vulnerability has no official patch and could be considered a "0day", Microsoft seems determined not to fix relaying issues such as this one; therefore, this micropatch is not provided in the FREE plan but requires a PRO or Enterprise license.

The micropatch was written for the following Versions of Windows with all available Windows Updates installed: 

  1. Windows Server 2008 R2
  2. Windows Server 2012
  3. Windows Server 2012 R2
  4. Windows Server 2016
  5. Windows Server 2019 
  6. Windows Server 2022 
 
Note that only servers are affected as the DSS Service does not exist on workstations.

This micropatch has already been distributed to, and applied on, all online 0patch Agents in PRO or Enterprise accounts (unless Enterprise group settings prevent that). 

If you're new to 0patch, create a free account in 0patch Central, then install and register 0patch Agent from 0patch.com, and email [email protected] for a trial. Everything else will happen automatically. No computer reboot will be needed.

To learn more about 0patch, please visit our Help Center

We'd like to thank  Filip Dragovic for sharing details about this vulnerability, which allowed us to create a micropatch and protect our users. We also encourage security researchers to privately share their analyses with us for micropatching.

 

❌