Search This Blog

Showing posts with label CVE vulnerability. Show all posts

New Windows Vulnerability Allows Domain Takeover, Microsoft Released Patch



A new vulnerability named Zerologon has been identified by cybersecurity organization, Secura who tracked the high rated vulnerability as CVE-2020-1472; it allows attackers to gain admin control of a Windows domain, inducing the ability to steal credentials from individual Windows account.

In order to exploit Zerologon, the attacker is required to be on the network, access to which can be acquired by various methods such as phishing, drive-by exploits or etc.

The attacker disables security features that protect the Netlogen process and change a system's password linked with its Active Directory account. Zerologon exploits a weak cryptographic algorithm used in the Netlogon authentication process, as per the expert findings at Secura.

While exploiting the vulnerability and attempting to authenticate against the domain controller, the bug impersonates the identity of any computer on a network and disables security features. In order to obtain domain administrator access to carry out malicious activities, the attacker needs to connect to a domain controller through a Netlogon secure channel connection. The attack is carried out swiftly, lasting not more than three seconds.

In August 2020, Microsoft effectively disrupted the operations of numerous companies in the patching process that took place in two phases and finally released patches for a severe 10/10 rated security flaw that was described as an elevation of privilege in Netlogon. The task has been an arduous one for Microsoft.

In their blog post on Zerologon, Secura explained, "It would not be necessary to wait for some other user to attempt to log in. Instead, the attacker can login themselves, pretending to only support NTLM and providing some invalid password. The service they are logging in to will forward the NTLM handshake to the domain controller and the domain controller would reply with a negative response. This message could then be replaced by a spoofed reply (also containing a recalculated session key) indicating that the password was correct and, by the way, the user trying to log in happened to be a member of the domain admin group (meaning they also have administrative privileges on the target machine),"

"This vulnerability can be particularly dangerous when an attacker has a foothold in an internal network because it allows for both elevation of privileges (to local admin) and lateral movement (gaining RCE on other machines on the network)," the blog post further read.



Russia-Linked APT Group Exploited 3 Vulnerabilities in Exim Servers, NSA Warns


The russia-linked APT group have been running campaigns wherein the authors exploited a critical vulnerability (CVE-2019-10149), also called as "The Return of the WIZard" in the Exim mail transfer agent (MTA) software, according to the warnings of the U.S National Security Agency (NSA).

As per the findings of the NSA, the threat actors have been exploiting the vulnerability since an update was released in June 2019. The critical flaw that affects Exim mail transfer agent (MTA) software's version from 4.87 to 4.91 could be taken advantage of by dubious remote hackers to execute arbitrary commands – such as sending a command in the "MAIL FORM" field of a Simple Mail Transfer Protocol message on mail servers.

In the same campaign, the attackers from Unit 74455, the Russian GRU Main Center for Special Technologies (GTsST) had also exploited two other issues in Exim, first one is a remote code execution flaw (CVE-2019-15846) that was fixed in September 2019 and was found to be affecting version 4.92.1 and older. The second one was a DoS and code execution vulnerability (CVE-2019-16928), it affected versions from 4.92 to 4.92.2, according to the revelations made by RiskIQ.

In an advisory published by the NSA, the experts state, "Russian military cyber actors, publicly known as Sandworm Team, have been exploiting a vulnerability in Exim mail transfer agent (MTA) software since at least last August.”

"The Russian actors, part of the General Staff Main Intelligence Directorate’s (GRU) Main Center for Special Technologies (GTsST), have used this exploit to add privileged users, disable network security settings, execute additional scripts for further network exploitation; pretty much any attacker’s dream access – as long as that network is using an unpatched version of Exim MTA.”

“Update Exim immediately by installing version 4.93 or newer to mitigate this and other vulnerabilities. Other vulnerabilities exist and are likely to be exploited, so the latest fully patched version should be used. Using a previous version of Exim leaves a system vulnerable to exploitation. System administrators should continually check software versions and update as new versions become available.” The advisory further reads.

The Blue Mockingbird Malware Group Exploits Vulnerabilities in Organizations' Networks


Another notorious crypto-currency mining malware has surfaced which allegedly has been infecting the systems of countless organizations. The group with the control of operations goes by the code name of “Blue Mockingbird”.

The researchers who discovered it have reasons to believe that the Blue Mockingbird has been active since 2019’s last month. Per them, it also targets “public-facing servers” that run “ASP.NET” apps that use the “Telerik framework” for their User Interface (UI) aspect.

Reportedly, the vulnerability that the hackers exploit in the process is the “CVE-2019-18395” vulnerability which is then employed to embed a web shell on the target’s server. Per the same report, later on they employ a version of “the Juicy Potato technique” to obtain the admin-access and alter the server settings to get access to the “(re)boot persistence”.

After having obtained complete access to a system, sources mention, the malware group installs a version of XMRRig which is a famous crypto-currency mining application particularly for the “Monero (XMR)” crypto-currency.

As per reports, if the public-facing IIS servers are linked with a company’s internal network, the malware group has a probability of trying to expand internally through an improperly-secured Server Message Block (SMB) connections or Remote Desktop Protocol ((RDP).

The exact number of infections that the botnet has caused isn’t all too clear but if an estimate was to be made the operations include 1,000 infections at the least. There also doesn’t seem to be a way to find the intensity of the threat.

Not many organizations out of the ones that were being observed by the researchers have been hit with this particular threat. And over a really little amount of time that they were tracked the above-mentioned number of infections surfaced.

Nevertheless, all companies alike are susceptible to this attack, even the ones that think they are safe and the number of infections could be more than estimated.

As per sources, the Telerik UI component which is allegedly vulnerable is a part of ASP.NET applications that run on their latest versions, even then the Telerik component may have versions that are out-dated but harmful to organizations, nonetheless. This component could exist in the applications used by a company and they might not even know about it leaving them endangered.

The Telerik UI CVE-2019-18935 vulnerability, per reports, has been widely let known as the one that is employed to embed web shells on servers. Another mentioned that this vulnerability is the most exploited and organizations need to better their firewalls to fight it. If for some reason the organizations don’t happen to have a web firewall they could always look for warning precursors in the server and workstation, reports cite.