(Un)official home of Team RunCMD

h0w1tzr’s Comments: This is why Universal Plug n’ Play (UPnP) is dangerous!

QNAP is warning customers again to secure their Internet-exposed Network Attached Storage (NAS) devices to defend against ongoing and widespread attacks targeting their data with the new DeadBolt ransomware strain.

“DeadBolt has been widely targeting all NAS exposed to the Internet without any protection and encrypting users’ data for Bitcoin ransom,” the company said in a statement issued today.

“Your NAS is exposed to the Internet and at high risk if there shows ‘The System Administration service can be directly accessible from an external IP address via the following protocols: HTTP’ on the dashboard.”

All QNAP users are urged to “immediately update QTS to the latest available version” to block incoming DeadBolt ransomware attacks.

Links

• • Bleeping Computer: https://t.ly/uXqi

Microsoft has patched a critical flaw tagged as wormable and found to impact the latest desktop and server Windows versions, including Windows 11 and Windows Server 2022.

The bug, tracked as CVE-2022-21907 and patched during this month’s Patch Tuesday, was discovered in the HTTP Protocol Stack (HTTP.sys) used as a protocol listener for processing HTTP requests by the Windows Internet Information Services (IIS) web server.

Successful exploitation requires threat actors to send maliciously crafted packets to targeted Windows servers, which use the vulnerable HTTP Protocol Stack for processing packets.

Microsoft recommends users prioritize patching this flaw on all affected servers since it could allow unauthenticated attackers to remotely execute arbitrary code in low complexity attacks and “in most situations,” without requiring user interaction.

Links

• • Bleeping Computer: https://t.ly/V740
  • MITRE CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-21907

VMWare has shipped updates to Workstation, Fusion, and ESXi products to address an “important” security vulnerability that could be weaponized by a threat actor to take control of affected systems.

The issue relates to a heap-overflow vulnerability — tracked as CVE-2021-22045 (CVSS score: 7.7) — that, if successfully exploited, results in the execution of arbitrary code. The company credited Jaanus Kääp, a security researcher with Clarified Security, for reporting the flaw.

“A malicious actor with access to a virtual machine with CD-ROM device emulation may be able to exploit this vulnerability in conjunction with other issues to execute code on the hypervisor from a virtual machine,” VMware said in an advisory published on January 4. “Successful exploitation requires [a] CD image to be attached to the virtual machine.”

Links

• • The Hacker News: https://thehackernews.com/2022/01/vmware-patches-important-bug-affecting.html
  • MITRE CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-22045

Microsoft warned customers today to patch two Active Directory domain service privilege escalation security flaws that, when combined, allow attackers to easily takeover Windows domains.

The company released security updates to address the two security vulnerabilities (tracked as CVE-2021-42287 and CVE-2021-42278 and reported by Andrew Bartlett of Catalyst IT) during the November 2021 Patch Tuesday.

Redmond’s warning to immediately patch the two bugs — both allowing attackers to impersonate domain controllers — comes after a proof-of-concept (PoC) tool that can leverage these vulnerabilities was shared on Twitter and GitHub on December 11.

Links

• • Bleeping Computer Article: https://t.ly/gwrL
  • CVE-2021-42287: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42287
  • CVN-2021-42278: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42278

What do you do when two million cheap and powerful devices become the launchpad for one of the most powerful botnets ever? You stop treating the threat like a newly discovered and unexpected honey bee hive and you start remediating like you’ve discovered a Murder Hornet nest.

Based in Latvia, MikroTik may not be a household name, but it has been a popular supplier of routers and wireless ISP devices since 1996 with more than 2,000,000 devices deployed worldwide. These devices are both powerful, and as our research shows, often highly vulnerable. For the money, there is hardly a more powerful device a consumer can get their hands on.

This has made MikroTik devices a favorite among threat actors who have commandeered the devices for everything from DDoS attacks, command-and-control (aka “C2”), traffic tunneling, and more. The ability to proxy and manipulate traffic should be of particular interest to enterprise security teams. With the increase in users working from home, attackers now have a wealth of easily discoverable, vulnerable devices that can provide attackers with easy access to both the employee’s home devices, as well as devices and resources of the enterprise. In effect, the perimeter has as many holes as a bee’s nest has hexagons.

And while threat actors have the tools to find vulnerable MikroTik devices, many enterprises do not. Even the default Shodan searches for MikroTik leave entire swaths of these devices undiscovered. Part of our research aim is to shine a light on this problem by mapping the MikroTik attack surface and providing researchers and security teams with tools that they can use to find both vulnerable and already-compromised MikroTik devices.

Given such a vast percentage of these devices have been in a vulnerable state for many years on end, it is simply not enough to find ‘old’ (vulnerable) devices. Instead, we need to leverage the very same tactics, techniques, and procedures (TTPs) the attackers use. We need to discover whether a given device might already be compromised and determine whether it is patched or not. Even non-vulnerable device firmware versions can still be readily configured for malicious purposes.

Links

• • eclypsium Article: https://eclypsium.com/2021/12/09/when-honey-bees-become-murder-hornets/
  • RouterOS <= 6.45.6:  CVE-2019-3977 and CVE-2019-3978
  • RouterOS <= 6.42: CVE-2018-14847
  • RouterOS <= 6.41.3: CVE-2018-7445

h0w1tzr’s Commentary: This is a REALLY nasty bug that has been not only seen in the wild but wormable payloads have also been seen. This is just the tip of the iceberg. It affects everything from Apache Web Servers to VMware vSphere to Atlassian Jira to Ghidra to ICS devices. Essentially anything that is written in Java could be potentially be exploited. This is probably the worst bug since Heartbleed with even more ramifications. The good news, if there is any, is that this vulnerability doesn’t break out of the Java Virtual Machine (JVM) but you can remotely load Java classes that are being used to download a secondary payload.

On December 9, 2021, the Log4j vulnerability, tracked as CVE-2021-44228, was publicly revealed via the project’s GitHub. This page collects all the intelligence that Randori has gathered since the release of the vulnerability that impacts many types of software, and likely billions of devices.

This vulnerability, which was discovered by Chen Zhaojun of Alibaba Cloud Security Team, impacts Apache Log4j 2 versions 2.0 to 2.14.1.

This weakness allows arbitrary code execution. A logging utility such as Log4j is meant to allow developers to log various types of data within their applications, this data is typically based on user inputs, but does not have to be.

The Log4j vulnerability allows an attacker to load any code they want via the Log4j logging structure. Threat actors can point the logging protocol to a Java library of their choosing, and it would automatically load the target.

We estimate Log4j to be as far reaching as the Heartbleed vulnerability and Shellshock combined. More than 2.5 billion devices running Java, coupled with the fact this vulnerability is extremely easy to exploit, means the impact is likely very far reaching

Links

• • Randori Article: https://www.randori.com/log4j-zero-day/
  • Randori VMSA-2021-0028: VMware Log4Shell Impact & Remediations: https://www.randori.com/blog/vmsa-2021-0028-vmware-log4shell-impact-remediations/
  • GreyNoise Exploit activity for Apache Log4j vulnerability – CVE-2021-44228: https://www.greynoise.io/blog/apache-log4j-vulnerability-CVE-2021-44228
  • GitHub Log4j overview related software: https://github.com/NCSC-NL/log4shell/tree/main/software
  • CloudFlare Actual CVE-2021-44228 payloads captured in the wild: https://blog.cloudflare.com/actual-cve-2021-44228-payloads-captured-in-the-wild/
  • BlackHills YouTube Video: https://www.youtube.com/watch?v=igoDXnkYDy8
  • Rumble Finding applications that use Log4J: https://www.rumble.run/blog/finding-log4j/
  • Randori & GreyNoise Webinar: https://vital.wistia.com/medias/qo6vlome2r

Scanners

• • BurpSuite Plugin: https://github.com/portswigger/log4shell-scanner
  • LanSweeper Log4j Vulnerable Software Scanner: https://www.lansweeper.com/report/log4j-vulnerable-software-audit/
  • Fenrir Log4Shell Scanner: https://github.com/Neo23x0/Fenrir