Windows Vulns Galore, Homoglyph Domains, Pegasus, & “Trust No One”! – PSW #703

"This blog post is the first in the series and will describe the vulnerability, the initial constraints from an exploit development perspective and finally how WNF can be abused to obtain a number of exploit primitives. The blogs will also cover exploit mitigation challenges encountered along the way, which make writing modern pool exploits more difficult on the most recent versions of Windows."

Neat! "Qualys discovered a size_t-to-int conversion vulnerability in the Linux kernel's filesystem layer: by creating, mounting, and deleting a deep directory structure whose total path length exceeds 1GB, an unprivileged local attacker can write the 10-byte string "//deleted" to an offset of exactly -2GB-10B below the beginning of a vmalloc()ated kernel buffer. They successfully exploited this uncontrolled out-of-bounds write, and obtained full root privileges on default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation; other Linux distributions are certainly vulnerable, and probably exploitable. A basic proof of concept (a crasher) is attached to this advisory." Qualys Post: https://blog.qualys.com/vulnerabilities-threat-research/2021/07/20/sequoia-a-local-privilege-escalation-vulnerability-in-linuxs-filesystem-layer-cve-2021-33909 Note: In a separate post, the Qualys research team also disclosed a DoS vulnerability in systemd: https://blog.qualys.com/vulnerabilities-threat-research/2021/07/20/cve-2021-33910-denial-of-service-stack-exhaustion-in-systemd-pid-1

Ya wonder how no one has found this before, given: "Several months ago, while configuring a brand new HP printer, our team came across an old printer driver from 2005 called SSPORT.SYS thanks to an alert by Process Hacker once again. This led to the discovery of a high severity vulnerability in HP, Xerox, and Samsung printer driver software that has remained undisclosed for 16 years. This vulnerability affects a very long list of over 380 different HP and Samsung printer models as well as at least a dozen different Xerox products."

Don't want ransomware? Upgrade your devices, and you'll pay: "If customers can’t update, SonicWall is recommending that they disconnect devices immediately and reset their access passwords, and enable account multi-factor authentication, if supported. “The affected end-of-life devices with 8.x firmware are past temporary mitigations. Continued use of this firmware or end-of-life devices is an active security risk,” it added." - I mean, or you could just unplug your firewalls and other gear...SMH.

"The company released the advisory late Thursday for the latest bug, a Windows Print Spooler elevation-of-privilege vulnerability tracked as CVE-2021-34481. Microsoft credited Dragos vulnerability researcher Jacob Baines for identifying the issue."

Is this a bug or a feature? "The malware listens on TCP port 6777. Third-party attackers who can reach infected systems can execute commands. Commands must be wrapped in quotes or it will fail."

I don't buy it, regardless of the operating system, you are just as vulnerable: "Because of this, organizations relying on Windows will have a hell of a time migrating away from Windows and the rest of the Microsoft ecosystem which means that they’re naturally going to drag their toes in doing so; the bigger they are, the slower any attempt at a migration will go. In turn, this means that there is plenty of time for those that can easily migrate away from the madness and insecurity of the Microsoft ecosystem as a means of sheltering themselves from a barrage of attacks safely in the shadow of Microsoft for the time being." - Apple hides their vulnerabilities as best they can. No one wants to take the time to find and disclose a big enough percentage of Linux vulnerabilities to make a difference (Though Qualys is having a go at it.).

"Pegasus is frequently installed through “zero-click” exploits, such as those sent by text messages, which require no interaction from victims. After the exploits surreptitiously jailbreak or root a target's iPhone or Android device, Pegasus immediately trawls through a wealth of the device's resources. It copies call histories, text messages, calendar entries, and contacts. It is capable of activating the cameras and microphones of compromised phones to eavesdrop on nearby activities. It can also track a target's movements and steal messages from end-to-end encrypted chat apps." More info: https://www.theguardian.com/news/2021/jul/18/what-is-pegasus-spyware-and-how-does-it-hack-phones

Brand monitoring tools should catch this, right? If so, then why did Microsoft have to kill 20 attacker-owned domains? - "In one instance, the attackers hijacked legitimate Office 365 e-mail communication to send an impersonation email from a homoglyph domain (that had a single letter changed) and convince the victim that the message came from a known trusted source. They then falsely claimed that the CFO put a hold on the account, asking for a payment to be made as soon as quickly."

We talked about open redirects on a previous episode, this is a pretty good tutorial to use as a reference.

"A Use After Free (CWE-416) vulnerability in [the] FortiManager and FortiAnalyzer fgfmsd daemon may allow a remote, non-authenticated attacker to execute unauthorised code as root via sending a specifically crafted request to the FGFM port of the targeted device," the vendor warned customers. Note that the FGFM service is disabled by default in FortiAnalyzer..."

For Wordpress, mostly stuff people know about already, but interesting how you can use Chrome's built-in dev tools to report on unused CSS/JS files. Curious if there are potential attack vectors here...?

The lost domain that led to: "Talos registered the domain and we immediately noticed a significant majority of the DNS requests were related to internet computers looking for a file called "wpad.dat" on tiburoninc.net's web server...Abusing the proxy settings communicated to these employees could have allowed a potential attacker to establish their own proxy, inspect all data transmitted from the employees' computers, and manipulate the data returned in the response." They also found a typosquat domain that had requests for VPN connections and others that made a typo in the MX server record!

Because breach notification is the most important thing missing from data security programs.

It's all about the information, Marty.

But I thought migrating to the cloud solved all your security woes.

Some of these recommendations might be more readily apparent if the focus was on compliance first rather than security. just sayin'.

Wait. Aren't they the bad guys?

Wait, what? New?

The United States has long been concerned about the People’s Republic of China’s (PRC) irresponsible and destabilizing behavior in cyberspace. Today, the United States and our allies and partners are exposing further details of the PRC’s pattern of malicious cyber activity and taking further action to counter it, as it poses a major threat to U.S. and allies’ economic and national security.

This Joint Cybersecurity Advisory was written by the FBI and the CISA to provide information on a Chinese APT group known in open-source reporting as APT40. This advisory provides APT40’s TTPs and IOCs to help cybersecurity practitioners identify and remediate APT40 intrusions and established footholds.

Trends in Chinese State-Sponsored Cyber Operations NSA, CISA, and FBI have observed increasingly sophisticated Chinese state-sponsored cyber activity targeting U.S. and allied political, economic, military, educational, and critical infrastructure (CI) personnel and organizations to steal sensitive data, critical and emerging key technologies, intellectual property, and personally identifiable information (PII).

Safari 14.1.2 macOS Catalina and macOS Mojave19. iOS and iPadOS 14.7, watchOS 7.6, tvOS 14.7, macOS 11.5 all dropped 7/19 & 7/21.

Windows 10 and Windows 11 are vulnerable to a local elevation of privilege vulnerability after discovering that users with low privileges can access sensitive Registry database files. SYSTEM, SECURITY, SAM, DEFAULT, and SOFTWARE databases can be read by anybody.

The US State Department has announced that it is offering up to $10 million for information that can help identify or locate state-sponsored threat actors.

Microsoft obtained a court order that allowed the company to take down malicious “homoglyph” domains that are being used to conduct fraud. In all, Microsoft took down 17 domains that were crafted to appear legitimate through variations in spelling or the use of characters that are similar in appearance.

This month, a threat actor group known as ZeroX is offering 1 TB of proprietary data belonging to Saudi Aramco for sale. ZeroX claims the data was stolen by hacking Aramco's "network and its servers," sometime in 2020. As such, the files in the dump are as recent as 2020, with some dating back to 1993, according to the group.