(Un)official home of Team RunCMD – where the intarwebz come to weep!

07/28/2022

Article: Hackers scan for vulnerabilities within 15 minutes of disclosure

h0w1tzr’s Commentary: I long suspected that APT groups were taking advantage of this, but I didn’t realize how quickly some of them are doing it!

System administrators have even less time to patch disclosed security vulnerabilities than previously thought, as a new report shows threat actors scanning for vulnerable endpoints within 15 minutes of a new CVE being publicly disclosed.

According to Palo Alto’s 2022 Unit 42 Incident Response Report, hackers are constantly monitoring software vendor bulletin boards for new vulnerability announcements they can leverage for initial access to a corporate network or to perform remote code execution.

However, the speed at which threat actors begin scanning for vulnerabilities puts system administrators in the crosshairs as they race to patch the bugs before they are exploited.

Links

- Bleeping Computers article: https://www.bleepingcomputer.com/news/security/hackers-scan-for-vulnerabilities-within-15-minutes-of-disclosure/

05/31/202206/15/2022

Article: New Microsoft Office Zero-Day ‘Follina’ Exploited in Remote Code Execution Attacks (CVE-2022-30190)

Update 06/15/2022: As a part of June’s Patch Tuesday, Microsoft has just released a patch for this vulnerability. I would highly advise that you update your Windows with the latest set of patches RIGHT NOW!

h0w1tzr’s Commentary: This bug is pretty scary because it doesn’t need to have any macros to be enabled. It uses the default HTML rendering ability of Office to trigger this vulnerability. Beware of spearphishing attempts going forward.

Security researchers recently discovered a new Microsoft Office zero-day flaw exploited in PowerShell remote code execution attacks. The new vulnerability, tracked as CVE-2022-30190, would let hackers execute malicious PowerShell commands through Microsoft Diagnostic Tool (MSDT).

Researchers believe the flaw, dubbed “Follina,” has been around for a while, as they traced it back to a Microsoft report made on April 12. The vulnerability leverages Office functionality to download an HTML file, which exploits the MSDT to let attackers execute code remotely on compromised devices.

To make matters worse, Follina works without elevated privileges, can bypass Windows Defender detection, and doesn’t need macro code enabled to run scripts or execute binaries. The flaw was discovered by accident last Friday when security researcher nao_sec stumbled upon a malicious Word document submitted to a virus scanning platform.

Links

- Bitdefender Article: https://t.ly/fi3v5
- CVE: https://t.ly/Mpn1
- PoCs: https://github.com/search?q=CVE-2022-30190

05/18/2022

Article: Zyxel Firewall Unauthenticated Remote Command Injection (CVE-2022-30525)

h0w1tzr’s Commentary: ZyXEL has released a patch for this vulnerability. If you have a model that is affected by this CVE you should patch it now.

Rapid7 discovered and reported a vulnerability that affects Zyxel firewalls supporting Zero Touch Provisioning (ZTP), which includes the ATP series, VPN series, and the USG FLEX series (including USG20-VPN and USG20W-VPN). The vulnerability, identified as CVE-2022-30525, allows an unauthenticated and remote attacker to achieve arbitrary code execution as the nobody user on the affected device.

The following table contains the affected models and firmware versions.

Affected Model / Affected Firmware Version
USG FLEX 100, 100W, 200, 500, 700 / ZLD5.00 thru ZLD5.21 Patch 1
USG20-VPN, USG20W-VPN / ZLD5.10 thru ZLD5.21 Patch 1
ATP 100, 200, 500, 700, 800 / ZLD5.10 thru ZLD5.21 Patch 1

Links

- Rapid7 CVE report: https://t.ly/vH2I
- MITRE’s CVE: https://t.ly/wrsU
- Exploit PoCs: https://t.ly/bkbP

05/11/2022

Article: F5 Warns of a New Critical BIG-IP RCE Vulnerability (CVE-2022-1388)

h0w1tzr’s Commentary: This is yet another trivial vulnerability for attackers to use. It’s an API endpoint that allows attackers to run commands via bash on the F5 BIG-IP as root. If your company runs BIG-IP and you haven’t patched yet I highly recommend you apply their patch immediatly!

Cloud security and application delivery network (ADN) provider F5 on Wednesday released patches to contain 43 bugs spanning its products. Of the 43 issues addressed, one is rated Critical, 17 are rated High, 24 are rated Medium, and one is rated low in severity. Chief among the flaws is CVE-2022-1388, which carries a CVSS score of 9.8 out of a maximum of 10 and stems from a lack of authentication check, potentially allowing an attacker to take control of an affected system.

Links

- Hacker News: https://t.ly/8RzL
- F5 Security Advisory: https://t.ly/Imfm
- GitHub PoCs: https://t.ly/_tIm

04/04/202204/04/2022

Article: Spring patches leaked Spring4Shell zero-day RCE vulnerability

Spring released emergency updates to fix the ‘Spring4Shell’ zero-day remote code execution vulnerability [CVE-2022-22965], which leaked prematurely online before a patch was released.

Yesterday, an exploit for a zero-day remote code execution vulnerability in the Spring Framework dubbed ‘Spring4Shell’ was briefly published on GitHub and then removed.

However, as nothing stays hidden on the Internet, the code was quickly shared in other repositories and tested by security researchers, who confirmed it was a legitimate exploit for a new vulnerability.

h0w1tzr’s Commentary: This only affects Java Enterprise Edition (Java EE) applications that are using the Spring framework. The Spring framework comprises several modules such as IOC, AOP, DAO, Context, ORM, WEB MVC etc. This is not nearly as scary as Log4Shell, but if you are using Spring in any of your applications, now would be a good time to upgrade.

Links

- Bleeping Computer Article: https://t.ly/HQln
- CVE-2022-22965: https://t.ly/2g1t
- Exploit PoC: https://t.ly/1MdN
- Spring Framework: https://t.ly/Fjet

03/09/2022

Article: APC UPS zero-day bugs can remotely burn out devices, disable power

h0w1tzr’s Commentary: In reality this type of exploit would be difficult to use without first compromising the host that the UPS was attached to which is usually connected via USB however there are some newer models of APC UPSes that are Smart-UPS product line that have the ability to connect the UPS directly to the network so that it can use “SmartConnect” feature that uses the Cloud to manage and report power, as well as send alerts. A quick look on GitHub shows a LOT of documentation in Russian.

A set of three critical zero-day vulnerabilities [CVE-2022-22805, CVE-2022-22806, and CVE-2022-0715] now tracked as TLStorm could let hackers take control of uninterruptible power supply (UPS) devices from APC, a subsidiary of Schneider Electric.

The flaws affect APC Smart-UPS systems that are popular in a variety of activity sectors, including governmental, healthcare, industrial, IT, and retail.

UPS devices act as emergency power backup solutions and are present in mission-critical environments such as data centers, industrial facilities, hospitals.

Links

- Bleeping Computer: https://t.ly/p9SU
- CVE-2022-22805
- CVE-2022-22806
- CVE-2022-0715

03/09/2022

Article: Linux has been bitten by its most high-severity vulnerability in years, meet “Dirty Pipe”

h0w1tzr’s Commentary: This bug is probably going to be even bigger than Dirty Cow was. This bug affects Linux kernels that are >= 5.8 should be patched immediately.

The name “Dirty Pipe”: is meant to both signal similarities to Dirty Cow and provide clues about the new vulnerability’s origins. “Pipe” refers to a pipeline, a Linux mechanism for one OS process to send data to another process. In essence, a pipeline is two or more processes that are chained together so that the output text of one process (stdout) is passed directly as input (stdin) to the next one.

Tracked as CVE-2022-0847, the vulnerability came to light when a researcher for website builder CM4all was troubleshooting a series of corrupted files that kept appearing on a customer’s Linux machine. After months of analysis, the researcher finally found that the customer’s corrupted files were the result of a bug in the Linux kernel.

Links

- Ars Technica: https://t.ly/8YDe
- CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0847
- CM4All Exploitation Writeup: https://dirtypipe.cm4all.com/
- Exploit PoC: https://haxx.in/files/dirtypipez.c

02/01/2022

Article: Samba bug can let remote attackers execute code as root

h0w1tzr’s Comments: This is another doozy of a vulnerability against modern day Linux systems, and I would HIGHLY recommend that you patch your systems IMMEDIATELY!

Samba has addressed a critical severity vulnerability that can let attackers gain remote code execution with root privileges on servers running vulnerable software.

Samba is an SMB networking protocol re-implementation that provides file sharing and printing services across many platforms, allowing Linux, Windows, and macOS users to share files over a network.

The vulnerability, tracked as CVE-2021-44142 and reported by Orange Tsai of DEVCORE, is an out-of-bounds heap read/write present in the vfs_fruit VFS module when parsing EA metadata when opening files in smbd.

“The problem in vfs_fruit exists in the default configuration of the fruit VFS module using fruit:metadata=netatalk or fruit:resource=file,” Samba explained in a security advisory published today.

“If both options are set to different settings than the default values, the system is not affected by the security issue.”

The vulnerable vfs_fruit module is designed to provide enhanced compatibility with Apple SMB clients and Netatalk 3 AFP fileservers.

According to the CERT Coordination Center (CERT/CC), the list of platforms impacted by this vulnerability includes Red Hat, SUSE Linux, and Ubuntu.

Links

- Bleeping Computer: https://t.ly/kNyO
- Zero Day Initiative: https://t.ly/yyCe
- MITRE CVE: https://t.ly/7o4d

01/26/2022

Article: Hackers Using New Malware Packer DTPacker to Avoid Analysis, Detection

h0w1tzr’s Comments: According to security researchers, DT is short for Donald Trump because it uses his name as a part of the XOR encoding of the packed executable.

A previously undocumented malware packer named DTPacker has been observed distributing multiple remote access trojans (RATs) and information stealers such as Agent Tesla, Ave Maria, AsyncRAT, and FormBook to plunder information and facilitate follow-on attacks.

“The malware uses multiple obfuscation techniques to evade antivirus, sandboxing, and analysis,” enterprise security company Proofpoint said in an analysis published Monday. “It is likely distributed on underground forums.”

The .NET-based commodity malware has been associated with dozens of campaigns and multiple threat groups, both advanced persistent threat (APT) and cybercrime actors, since 2020, with the intrusions aimed at hundreds of customers across many sectors.

Attack chains involving the packer rely on phishing emails as an initial infection vector. The messages contain a malicious document or a compressed executable attachment, which, when opened, deploys the packer to launch the malware.

Links

- Hacker News: https://t.ly/AF2sf
- Proofpoint: https://t.ly/6Fgi

01/26/2022

Article: QNAP warns of new DeadBolt ransomware encrypting NAS devices

h0w1tzr’s Comments: This is why Universal Plug n’ Play (UPnP) is dangerous!

QNAP is warning customers again to secure their Internet-exposed Network Attached Storage (NAS) devices to defend against ongoing and widespread attacks targeting their data with the new DeadBolt ransomware strain.

“DeadBolt has been widely targeting all NAS exposed to the Internet without any protection and encrypting users’ data for Bitcoin ransom,” the company said in a statement issued today.

“Your NAS is exposed to the Internet and at high risk if there shows ‘The System Administration service can be directly accessible from an external IP address via the following protocols: HTTP’ on the dashboard.”

All QNAP users are urged to “immediately update QTS to the latest available version” to block incoming DeadBolt ransomware attacks.

Links

- Bleeping Computer: https://t.ly/uXqi