SOC Goulash: Weekend Wrap-Up (Part 2)

05/09/2022 - 11/09/2022

This is Part 2 of the Weekend Wrap-Up, detailing significant vulnerabilities from the past week, in addition to the latest tools & techniques for offence and defence alike, and some additional reporting that you might find relevant and useful.

Part 1 should already be in your inbox, and highlights some significant Threat Actor Activity and noteworthy TTP changes to be aware of.

Headline Vulnerabilities

  1. QNAP is urging customers to install patches for a 0-day vulnerability in their Photo Station software that is being actively exploited by the DEADBOLT ransomware group. Naturally, the best mitigation would be to not expose your QNAP NAS directly to the internet - myQNAPcloud Link or the inbuilt VPN service can help you reach it securely from outside your network;
  2. Zyxel have released patches for CVE-2022-34747 - a CVSS 9.8 vulnerability in their NAS appliances that can be exploited remotely and without authentication via a crafted UDP packet. Because this can enable remote code execution, it’s critical you patch these immediately if you haven’t already;
  3. Three vulnerabilities, including one high-severity DoS vulnerability (CVE-2022-28199), have been patched by Cisco this week. At the same time, they’ve advised they won’t issue patches for an authentication bypass 0-day vulnerability (CVE-2022-20923) present in multiple small business VPN routers, as they are EoL;
  4. A 0-day in the WordPress plugin BackupBuddy is being actively exploited, with the earliest observed exploitation occurring on August 26th, and a patch issued on September 2nd. The flaw would allow attackers to view and download arbitrary files on the vulnerable instance. It appears to have attracted a lot of attention, with WordPress security plugin company WordFence reporting they mitigated nearly 5 million attempts to exploit it as of September 7th. If you still haven’t patched this plugin by now - assume compromise; get the patch installed and get cleaning.

Offensive

  1. DNS Tunneling - nothing new in concept, but this detailed write-up will save you time in understanding its implementation and use - in particular the limitations of TXT and MX records for storing and relaying encoded payloads;
  2. Voice biometrics aren’t the ironclad alternative to passwords that some think they are - Exhibit A;
  3. GIFShell is a novel attack path that allows attackers to use GIFs in Microsoft Teams as a means for C2 and exfil;
  4. Why stop at popping shell on Teams? Go after any Electron app using QuASAR, a tool that manipulates the ASAR file to discover and inject code into injectable files, which will be executed as a child process;
  5. SysmonEnte is a PoC tool to help blind Sysmon while generating minimal noise. Check out this blog for a more detailed walkthrough on the technique used;
  6. gTunnel - a high-speed SOCKS proxy that can be used as an alternative to Chisel. Read more about how it works here.
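On the DNS tunnelling item: the same properties that make TXT/MX records attractive for carrying encoded payloads (many unique, random-looking subdomains, a skew towards payload-carrying record types) are what a defender can key on. The following is an added example, not code from the write-up linked above, that runs a couple of those heuristics over a constructed DNS query log. The log lines, client addresses and the `c2host.test` domain are all made up for the example, and the "base domain = last two labels" rule is a simplifying assumption; a production version would use the public-suffix list.

```python
"""Heuristic DNS-tunnelling detection over a DNS query log (added example)."""
import math
from collections import defaultdict

# Constructed sample log, not real traffic. One query per line:
# "<timestamp> <client_ip> <qtype> <qname>". Client 10.0.0.5 behaves normally;
# client 10.0.0.9 issues TXT queries for many random-looking subdomains of
# c2host.test (a hypothetical domain), which is the shape a tunnel produces.
SAMPLE_LOG = """\
2022-09-08T10:00:01 10.0.0.5 A www.example.com
2022-09-08T10:00:03 10.0.0.5 A mail.example.com
2022-09-08T10:00:04 10.0.0.5 MX example.com
2022-09-08T10:00:07 10.0.0.5 A www.example.com
2022-09-08T10:01:00 10.0.0.9 TXT v2x7q9ztlkp3b8n4rf6wd1hy.c2host.test
2022-09-08T10:01:01 10.0.0.9 TXT k4m8p2s6w0a3e7i1o5u9y3c7.c2host.test
2022-09-08T10:01:02 10.0.0.9 TXT b1d3f5h7j9l2n4p6r8t0v2x4.c2host.test
2022-09-08T10:01:03 10.0.0.9 TXT q7w3e9r1t5y2u8i4o6p0a3s5.c2host.test
2022-09-08T10:01:04 10.0.0.9 TXT z6x2c8v4b0n1m7q3w9e5r1t5.c2host.test
2022-09-08T10:01:05 10.0.0.9 TXT g5h1j7k3l9z2x4c6v8b0n1m3.c2host.test
2022-09-08T10:01:06 10.0.0.9 A www.example.com
malformed line that the parser must skip
"""

# Record types whose answers can carry a sizeable payload; tunnels lean on them.
PAYLOAD_TYPES = {"TXT", "MX", "NULL", "CNAME"}


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for an empty string)."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (subdomain, base_domain). Assumption: base = last two labels."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text: str):
    """Parse the four-field log format; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qtype, qname = parts
        records.append({"ts": ts, "client": client,
                        "qtype": qtype.upper(), "qname": qname})
    return records


def find_tunnel_candidates(records, min_unique=5, entropy_threshold=3.5,
                           payload_ratio_threshold=0.5):
    """Group queries by (client, base domain) and flag tunnel-like groups.

    Returns {(client, base): [reason, ...]} for groups with at least
    `min_unique` distinct subdomains that also show high label entropy or a
    heavy skew towards payload-carrying record types.
    """
    groups = defaultdict(list)
    for r in records:
        sub, base = split_name(r["qname"])
        groups[(r["client"], base)].append((sub, r["qtype"]))

    alerts = {}
    for key, items in groups.items():
        subs = {s for s, _ in items if s}
        if len(subs) < min_unique:
            continue  # too few distinct names to say anything
        mean_entropy = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        payload_ratio = sum(1 for _, t in items if t in PAYLOAD_TYPES) / len(items)
        reasons = []
        if mean_entropy >= entropy_threshold:
            reasons.append(f"high-entropy subdomains ({mean_entropy:.2f} bits/char)")
        if payload_ratio >= payload_ratio_threshold:
            reasons.append(f"{payload_ratio:.0%} of queries use payload-carrying record types")
        if reasons:
            alerts[key] = reasons
    return alerts


if __name__ == "__main__":
    for (client, base), reasons in find_tunnel_candidates(parse_log(SAMPLE_LOG)).items():
        print(f"{client} -> {base}: " + "; ".join(reasons))
```

The thresholds are deliberately loose starting points; CDN and anti-spam lookups also produce hashed-looking labels, so in practice you baseline per base domain and tune `min_unique` upwards before alerting.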

Defensive

  1. Team Cymru have added to the growing list of write-ups on Cobalt Strike alternatives with this post that looks at the Mythic C2 framework. This follows a post from May that looked at Sliver, another front-runner C2 for the discerning cyber crim;
  2. Spamhaus are partnering with Abuse.ch to produce monthly malware digests that summarise submission stats for their various platforms to highlight emerging trends;
  3. Florian Roth has put together an interesting piece that highlights the efficiencies gained in digital forensics and tooling automation;
  4. @inversecos has another great thread on recovering filenames for files deleted using sdelete;
  5. Samir Bousseaden has compiled a small dataset of processes and command lines spawned from malicious .lnk files, which provides a neat snapshot of some of the heuristics defenders should be detecting on and looking out for;
  6. @ippsec, known for his god-tier walkthroughs of hackthebox machines, has shared a walkthrough for how to use honeypot accounts and canary tokens to detect password spraying and Kerberoasting attempts;
  7. A vulnerability database has been established to track vulnerabilities impacting Golang, and can be accessed here. Govulncheck is a tool that will check your codebase for vulnerabilities and report them for your attention.
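On the honeypot-account item: the idea is that an account which exists only as bait should never appear in a service-ticket request or a logon attempt, so any event involving it is a high-fidelity alert, and the same event stream also exposes spraying (one source, many distinct accounts, short window). The following is an added example, not code from the walkthrough linked above, that applies both checks to constructed Windows Security events. The account names (`svc_backup_legacy`, `j.admin`), the `CORP.TEST` realm, the IP addresses and the events themselves are all made up for the example; the event IDs and field names follow the real Security log schema (4769 Kerberos service-ticket request, 4625 failed logon).

```python
"""Honeypot-account and password-spray detection over Windows Security
events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed honeypot identities (hypothetical names), created only to be abused.
HONEY_SPN_ACCOUNTS = {"svc_backup_legacy"}             # has an SPN, no real service uses it
HONEY_USER_ACCOUNTS = {"j.admin", "svc_backup_legacy"}  # never logs on anywhere


def _fail(ts, user, ip):
    """Build a constructed 4625 (failed logon) event."""
    return {"time": ts, "EventID": 4625, "TargetUserName": user, "IpAddress": ip}


# Constructed sample events. TicketEncryptionType 0x12 is AES256, 0x17 is RC4;
# roasting tooling usually asks for RC4 because those tickets crack faster.
SAMPLE_EVENTS = [
    {"time": "2022-09-08T09:00:01", "EventID": 4769, "TargetUserName": "alice@CORP.TEST",
     "ServiceName": "fileserver01$", "IpAddress": "10.0.0.21", "TicketEncryptionType": "0x12"},
    {"time": "2022-09-08T09:00:05", "EventID": 4769, "TargetUserName": "bob@CORP.TEST",
     "ServiceName": "svc_backup_legacy", "IpAddress": "10.0.0.77", "TicketEncryptionType": "0x17"},
    _fail("2022-09-08T09:10:00", "alice", "10.0.0.21"),   # a single typo: benign
    _fail("2022-09-08T09:20:00", "alice", "10.0.0.99"),   # spray from one source...
    _fail("2022-09-08T09:20:10", "bob", "10.0.0.99"),
    _fail("2022-09-08T09:20:20", "carol", "10.0.0.99"),
    _fail("2022-09-08T09:20:30", "dave", "10.0.0.99"),
    _fail("2022-09-08T09:20:40", "erin", "10.0.0.99"),
    _fail("2022-09-08T09:20:50", "j.admin", "10.0.0.99"),  # ...that also hits the honey account
]


def detect_honey_kerberoast(events):
    """Any 4769 naming a honey SPN account is an alert, whatever the etype."""
    alerts = []
    for e in events:
        if e["EventID"] == 4769 and e["ServiceName"].lower() in HONEY_SPN_ACCOUNTS:
            alerts.append({"rule": "honey-spn-tgs-request",
                           "requestor": e["TargetUserName"],
                           "source": e["IpAddress"],
                           "etype": e["TicketEncryptionType"]})
    return alerts


def detect_password_spray(events, window=timedelta(minutes=5), min_accounts=5):
    """Flag 4625 bursts: honey-account hits directly, and any source that fails
    against `min_accounts` distinct accounts inside `window`."""
    by_source = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            by_source[e["IpAddress"]].append(
                (datetime.fromisoformat(e["time"]), e["TargetUserName"].lower()))

    alerts = []
    for src, fails in by_source.items():
        fails.sort()
        honey_hits = sorted({u for _, u in fails if u in HONEY_USER_ACCOUNTS})
        if honey_hits:
            alerts.append({"rule": "honey-account-logon-failure",
                           "source": src, "accounts": honey_hits})
        # Sliding window anchored on each failure in turn.
        for i, (t0, _) in enumerate(fails):
            in_window = {u for t, u in fails[i:] if t - t0 <= window}
            if len(in_window) >= min_accounts:
                alerts.append({"rule": "password-spray", "source": src,
                               "distinct_accounts": len(in_window),
                               "window_start": t0.isoformat()})
                break  # one spray alert per source is enough
    return alerts


if __name__ == "__main__":
    for a in detect_honey_kerberoast(SAMPLE_EVENTS) + detect_password_spray(SAMPLE_EVENTS):
        print(a)
```

Two practical notes: the honey account needs a realistic name, a plausible description and a last-logon date that does not scream "decoy", and the spray rule should be grouped by source workstation name as well as IP, since NAT will otherwise merge unrelated users into one noisy source.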


Threat Actor Activity & Reporting

  1. Cisco Talos has tracked a campaign targeting publicly exposed VMware Horizon systems, with the perpetrators - DPRK’s Lazarus Group - deploying a new backdoor dubbed MagicRAT. While it provides only basic functionality, it’s noteworthy for drawing on the Qt Framework, which complicates the code and any attempts to analyse it;
  2. Worok is a cyber-espionage group that ESET have observed predominantly targeting government entities in Asian countries using custom tooling and steganography. ESET assess with low confidence that this group may be related to TA428;
  3. Secureworks have tracked a campaign targeting government officials of several European, Middle Eastern, and South American countries, which is believed to be the work of the Chinese state-sponsored Bronze President/Mustang Panda APT group. Their report details the phishing-enabled delivery of PlugX payloads that were loaded by malicious DLLs executed through search-order hijacking;
     • Cybereason have also shared this detailed overview on the evolution of PlugX, highlighting what’s changed, and what’s stayed the same;
  4. Google TAG report that former members of the Conti ransomware crew have joined the IAB tracked as UAC-0098, and are targeting Ukrainian organisations and European NGOs. The group use the EtterSilent maldoc builder to deliver IcedID and CobaltStrike payloads to their victims;

Cyber Crime & Ransomware

  1. EvilProxy (a.k.a. “Moloch”) is a new Phishing-as-a-Service doing the rounds on Dark Web forums. Sold for as little as $400 a month, it can relay MFA material (app-based, OTP, and backup codes), identify and drop connections from IP reputation checkers or security researchers, and target accounts for Apple, Facebook, GoDaddy, GitHub, Google, Dropbox, Instagram, Microsoft, Twitter, and more.
  2. A new and improved version of the Android malware SharkBot has been spotted on Google Play, delivered as a fake “update” for two apps which were collectively downloaded 60,000 times before being taken offline.
  3. SentinelLabs have highlighted the increasing adoption of intermittent encryption by ransomware crews, with heavyweights like Black Basta and ALPHV jumping on the bandwagon. Originally implemented by the LockFile ransomware in mid-2021, it’s a much faster means to effectively encrypt a victim’s drive, and in a way that may evade security protections that look for abnormal intensity of I/O operations;
  4. Conti have a copycat - BlackBerry researchers have found that many IOCs from compromises involving the Monti ransomware group were also seen in previous Conti ransomware cases. The notable deviations are their use of the Action1 remote access agent, and Veeamp - a password stealer targeting the Veeam data backup product;
  5. Trend Micro report that Play ransomware is likely related to Hive and Nokoyawa campaigns, based on a significant overlap in TTPs. If you’re curious to know more about the technical details of the ransomware, check this out;
  6. Palo Alto’s Unit42 have a report on the MooBot botnet, a Mirai variant which has been propagating through exploiting a suite of known vulnerabilities in unpatched D-Link devices;
  7. PRODAFT have identified a management tool called TeslaGun, used by TA505 to coordinate and manage deployed ServHelper implants. Their analysis indicates over 8,160 infections since July 2020, with the vast majority of victims in the US, followed by Russia, Brazil, Romania, and the UK.
  8. AT&T have reported on Shikitega, a multi-staged and highly modular malware delivery framework for Linux. It draws heavily on Metasploit and the polymorphic Shikata Ga Nai encryption algorithm, exploiting system vulnerabilities to elevate privileges and persisting via crontabs that execute shell scripts.
  9. Stephen Berger has compiled another detailed and actionable thread with tips for hunting AsyncRAT;
  10. The Azorult loader has been observed abusing AppLocker policies to prevent the execution of AV features in order to evade detection;
  11. PercussionSpider - a notorious IAB that has been offline for several months - has returned, offering an RCE 0-day vulnerability, DA access to high-revenue networks, and network hacking services on a dark web forum;
  12. The US DOJ, together with Portuguese authorities, have seized the website and domains used by the WT1SHOP forum - a dark web marketplace peddling stolen PII and credit cards. While it’s not quite a takedown, they have also identified and charged a Moldovan citizen they believe to be the admin and operator of WT1SHOP.
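On the intermittent encryption item: because only part of each file is encrypted, the responder's usual "is this file encrypted?" check (whole-file entropy) gives a muddled answer, while a chunk-by-chunk entropy profile shows the alternating pattern clearly. The following is an added example, not code from the SentinelLabs report, that builds that profile and classifies a file. The three sample files are constructed in the code (repeated report text, the same text with every other 1 KiB chunk replaced by pseudorandom bytes, and pseudorandom bytes throughout), and the chunk size and entropy thresholds are assumptions chosen for the demonstration.

```python
"""Chunked-entropy profiling to spot intermittently encrypted files
(added example)."""
import math
import random

CHUNK = 1024  # bytes per chunk; assumption, tune to the file sizes you triage
HIGH = 7.0    # bits/byte at or above this looks like ciphertext or compressed data
LOW = 6.0     # bits/byte at or below this looks like text, code, uncompressed docs


def byte_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def chunk_profile(data: bytes, chunk: int = CHUNK):
    """Entropy of each consecutive chunk, in file order."""
    return [byte_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def classify(data: bytes, chunk: int = CHUNK) -> str:
    """Label a file from its entropy profile.

    'intermittent'        : high- and low-entropy chunks that alternate
    'partially-encrypted' : both kinds present, but only one boundary
                            (e.g. only the first N bytes encrypted)
    'uniform-high'        : ciphertext throughout, or legitimately compressed
    'plaintext'           : low entropy throughout
    """
    if not data:
        return "empty"
    labels = ["H" if e >= HIGH else "L" if e <= LOW else "M"
              for e in chunk_profile(data, chunk)]
    high, low = labels.count("H"), labels.count("L")
    # Count direct H<->L flips between neighbouring chunks.
    flips = sum(1 for a, b in zip(labels, labels[1:]) if {a, b} == {"H", "L"})
    if high and low:
        return "intermittent" if flips >= 2 else "partially-encrypted"
    if high:
        return "uniform-high"
    if low:
        return "plaintext"
    return "indeterminate"


def _pseudorandom_bytes(n: int, seed: int) -> bytes:
    """Deterministic stand-in for ciphertext (constructed sample data)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed sample files, eight chunks each.
_TEXT = (b"Quarterly report: revenue figures, notes and action items.\n" * 200)[:8 * CHUNK]
PLAINTEXT_SAMPLE = _TEXT
INTERMITTENT_SAMPLE = b"".join(
    _pseudorandom_bytes(CHUNK, i) if i % 2 else _TEXT[i * CHUNK:(i + 1) * CHUNK]
    for i in range(8))
FULLY_RANDOM_SAMPLE = _pseudorandom_bytes(8 * CHUNK, 99)


if __name__ == "__main__":
    for name, blob in [("plaintext", PLAINTEXT_SAMPLE),
                       ("intermittent", INTERMITTENT_SAMPLE),
                       ("fully random", FULLY_RANDOM_SAMPLE)]:
        profile = " ".join(f"{e:.1f}" for e in chunk_profile(blob))
        print(f"{name:13s} -> {classify(blob):20s} [{profile}]")
```

Read the result together with what the file is supposed to be: a JPEG or a zip is legitimately `uniform-high`, so the interesting verdicts during triage are `intermittent` and `partially-encrypted` on files whose type should be low entropy, and a sudden jump in the count of such files across a share is the host-level corollary of the I/O-intensity heuristics the report says intermittent encryption is designed to slip past.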

Misc

  1. It looks like macros have been killed (to some extent) in Office 365, 2207 (Build 15427.20210). .doc files that either have the mark-of-the-web (MOTW) or were opened from an ISO/IMG file that has the flag will have macros disabled;
  2. ScoutSuite, a multi-cloud security-auditing tool supporting AWS, Azure and GCP;
  3. If you’re a newbie getting started in Malware Analysis, this list of free training would be a good place to start.

Thanks for reading! If you liked this, please subscribe for free to receive new posts and support my work!