Article: Hackers Using New Malware Packer DTPacker to Avoid Analysis, Detection

h0w1tzr’s Comments: According to security researchers, DT is short for Donald Trump because it uses his name as a part of the XOR encoding of the packed executable.

A previously undocumented malware packer named DTPacker has been observed distributing multiple remote access trojans (RATs) and information stealers such as Agent Tesla, Ave Maria, AsyncRAT, and FormBook to plunder information and facilitate follow-on attacks.

“The malware uses multiple obfuscation techniques to evade antivirus, sandboxing, and analysis,” enterprise security company Proofpoint said in an analysis published Monday. “It is likely distributed on underground forums.”

The .NET-based commodity malware has been associated with dozens of campaigns and multiple threat groups, both advanced persistent threat (APT) and cybercrime actors, since 2020, with the intrusions aimed at hundreds of customers across many sectors.

Attack chains involving the packer rely on phishing emails as an initial infection vector. The messages contain a malicious document or a compressed executable attachment, which, when opened, deploys the packer to launch the malware.

Links

Article: QNAP warns of new DeadBolt ransomware encrypting NAS devices

h0w1tzr’s Comments: This is why Universal Plug n’ Play (UPnP) is dangerous!

QNAP is warning customers again to secure their Internet-exposed Network Attached Storage (NAS) devices to defend against ongoing and widespread attacks targeting their data with the new DeadBolt ransomware strain.

“DeadBolt has been widely targeting all NAS exposed to the Internet without any protection and encrypting users’ data for Bitcoin ransom,” the company said in a statement issued today.

“Your NAS is exposed to the Internet and at high risk if there shows ‘The System Administration service can be directly accessible from an external IP address via the following protocols: HTTP’ on the dashboard.”

All QNAP users are urged to “immediately update QTS to the latest available version” to block incoming DeadBolt ransomware attacks.

Links

Article: Linux system service bug gives root on all major distros, exploit released

h0w1tzr’s Comments: Patch your systems now! This is an easy-to-use local privilege vulnerability (LPE) that affects all modern-day Linux distros.

A vulnerability in Polkit’s pkexec component identified as CVE-2021-4034 (PwnKit) is present in the default configuration of all major Linux distributions and can be exploited to gain full root privileges on the system, researchers warn today.

CVE-2021-4034 has been named PwnKit and its origin has been tracked to the initial commit of pkexec, more than 12 years ago, meaning that all Polkit versions are affected.

Part of the Polkit open-source application framework that negotiates the interaction between privileged and unprivileged processes, pkexec allows an authorized user to execute commands as another user, doubling as an alternative to sudo.

Links

Article: Microsoft: New critical Windows HTTP vulnerability is wormable

Microsoft has patched a critical flaw tagged as wormable and found to impact the latest desktop and server Windows versions, including Windows 11 and Windows Server 2022.

The bug, tracked as CVE-2022-21907 and patched during this month’s Patch Tuesday, was discovered in the HTTP Protocol Stack (HTTP.sys) used as a protocol listener for processing HTTP requests by the Windows Internet Information Services (IIS) web server.

Successful exploitation requires threat actors to send maliciously crafted packets to targeted Windows servers, which use the vulnerable HTTP Protocol Stack for processing packets.

Microsoft recommends users prioritize patching this flaw on all affected servers since it could allow unauthenticated attackers to remotely execute arbitrary code in low complexity attacks and “in most situations,” without requiring user interaction.

Links

Article: VMware Patches Important Bug Affecting ESXi, Workstation and Fusion Products

VMWare has shipped updates to Workstation, Fusion, and ESXi products to address an “important” security vulnerability that could be weaponized by a threat actor to take control of affected systems.

The issue relates to a heap-overflow vulnerability — tracked as CVE-2021-22045 (CVSS score: 7.7) — that, if successfully exploited, results in the execution of arbitrary code. The company credited Jaanus Kääp, a security researcher with Clarified Security, for reporting the flaw.

“A malicious actor with access to a virtual machine with CD-ROM device emulation may be able to exploit this vulnerability in conjunction with other issues to execute code on the hypervisor from a virtual machine,” VMware said in an advisory published on January 4. “Successful exploitation requires [a] CD image to be attached to the virtual machine.”

Links

Article: Microsoft warns of easy Windows domain takeover via Active Directory bugs

Microsoft warned customers today to patch two Active Directory domain service privilege escalation security flaws that, when combined, allow attackers to easily takeover Windows domains.

The company released security updates to address the two security vulnerabilities (tracked as CVE-2021-42287 and CVE-2021-42278 and reported by Andrew Bartlett of Catalyst IT) during the November 2021 Patch Tuesday.

Redmond’s warning to immediately patch the two bugs — both allowing attackers to impersonate domain controllers — comes after a proof-of-concept (PoC) tool that can leverage these vulnerabilities was shared on Twitter and GitHub on December 11.

Links

Article: WHEN HONEY BEES BECOME MURDER HORNETS (New MikroTik vulnerability)

What do you do when two million cheap and powerful devices become the launchpad for one of the most powerful botnets ever? You stop treating the threat like a newly discovered and unexpected honey bee hive and you start remediating like you’ve discovered a Murder Hornet nest.

Based in Latvia, MikroTik may not be a household name, but it has been a popular supplier of routers and wireless ISP devices since 1996 with more than 2,000,000 devices deployed worldwide. These devices are both powerful, and as our research shows, often highly vulnerable. For the money, there is hardly a more powerful device a consumer can get their hands on.

This has made MikroTik devices a favorite among threat actors who have commandeered the devices for everything from DDoS attacks, command-and-control (aka “C2”), traffic tunneling, and more. The ability to proxy and manipulate traffic should be of particular interest to enterprise security teams. With the increase in users working from home, attackers now have a wealth of easily discoverable, vulnerable devices that can provide attackers with easy access to both the employee’s home devices, as well as devices and resources of the enterprise. In effect, the perimeter has as many holes as a bee’s nest has hexagons.

And while threat actors have the tools to find vulnerable MikroTik devices, many enterprises do not. Even the default Shodan searches for MikroTik leave entire swaths of these devices undiscovered. Part of our research aim is to shine a light on this problem by mapping the MikroTik attack surface and providing researchers and security teams with tools that they can use to find both vulnerable and already-compromised MikroTik devices.

Given such a vast percentage of these devices have been in a vulnerable state for many years on end, it is simply not enough to find ‘old’ (vulnerable) devices. Instead, we need to leverage the very same tactics, techniques, and procedures (TTPs) the attackers use. We need to discover whether a given device might already be compromised and determine whether it is patched or not. Even non-vulnerable device firmware versions can still be readily configured for malicious purposes.

Links

Article: Log4Shell – What You Need To Know Log4j Vulnerability – CVE 2021-44228

h0w1tzr’s Commentary: This is a REALLY nasty bug that has been not only seen in the wild but wormable payloads have also been seen. This is just the tip of the iceberg. It affects everything from Apache Web Servers to VMware vSphere to Atlassian Jira to Ghidra to ICS devices. Essentially anything that is written in Java could be potentially be exploited. This is probably the worst bug since Heartbleed with even more ramifications. The good news, if there is any, is that this vulnerability doesn’t break out of the Java Virtual Machine (JVM) but you can remotely load Java classes that are being used to download a secondary payload.

On December 9, 2021, the Log4j vulnerability, tracked as CVE-2021-44228, was publicly revealed via the project’s GitHub. This page collects all the intelligence that Randori has gathered since the release of the vulnerability that impacts many types of software, and likely billions of devices.

This vulnerability, which was discovered by Chen Zhaojun of Alibaba Cloud Security Team, impacts Apache Log4j 2 versions 2.0 to 2.14.1.

This weakness allows arbitrary code execution. A logging utility such as Log4j is meant to allow developers to log various types of data within their applications, this data is typically based on user inputs, but does not have to be.

The Log4j vulnerability allows an attacker to load any code they want via the Log4j logging structure. Threat actors can point the logging protocol to a Java library of their choosing, and it would automatically load the target.

We estimate Log4j to be as far reaching as the Heartbleed vulnerability and Shellshock combined. More than 2.5 billion devices running Java, coupled with the fact this vulnerability is extremely easy to exploit, means the impact is likely very far reaching

Links

Scanners

Article: Kali Linux 2021.4 released with 9 new tools, further Apple M1 support

​Kali Linux 2021.4 was released yesterday by Offensive Security and includes further Apple M1 support, increased Samba compatibility, nine new tools, and an update for all three main desktop.

Kali Linux is a Linux distribution allowing cybersecurity professionals and ethical hackers to perform penetration testing and security audits against internal and remote networks.

With this release, the Kali Linux Team introduces a bunch of new features, including:

    • Apple M1 support for the VMware Fusion Public Tech Preview
    • Wide compatibility is enabled for Samba
    • Making it easier to switch to Cloudflare’s package manager mirror
    • Kaboxer updated with support for window themes and icon theme
    • Updates to the Xfce, GNOME and KDE desktops
    • Raspberry Pi Zero 2 W + USBArmory MkII ARM images
    • Nine more tools!

Links