Week 28, July 10-16, 2023
Cybersecurity Weekly Updates.
This week in the world of cybersecurity:
Mozilla introduced a new feature that blocks risky add-ons on specific websites, a measure aimed at safeguarding users in an increasingly volatile online environment. A fresh TOITOIN banking Trojan emerged, zeroing in on Latin American businesses. At the same time, hackers were found exploiting a Windows policy loophole to forge kernel-mode driver signatures. The SCARLETEEL cryptojacking campaign was seen exploiting AWS Fargate, showing that cybercriminals do not shy away from targeting even robust cloud platforms. The SOHO router botnet AVrecon spread dramatically, infecting 70,000 devices across 20 countries, a clear sign of the rising risk to Internet-of-Things devices. Another incident showed that even well-defended systems are not invincible: a Microsoft bug enabled hackers to breach over two dozen organizations via forged Azure AD tokens. Lastly, the economic impact of cybercrime continues to climb, with ransomware extortion reaching a staggering $449.1 million and counting in 2023 alone.
Common Vulnerabilities and Exposures (CVEs)
This section highlights some CVEs whose CVSS scores are classified as critical.
CVE-2022-44808
A command injection vulnerability has been found in D-Link DIR-823G devices running firmware version 1.02B03 that allows an attacker to execute arbitrary operating system commands through crafted /HNAP1 requests. Before the HNAP API function processes the request, the system function executes an untrusted command, which triggers the vulnerability.
CVE-2023-36460
Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 3.5.0 and prior to versions 3.5.9, 4.0.5, and 4.1.3, attackers using carefully crafted media files can cause Mastodon’s media processing code to create arbitrary files at any location. This allows attackers to create and overwrite any file Mastodon has access to, allowing Denial of Service and arbitrary Remote Code Execution. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue.
Recent Tools and Techniques
These are some of the recent tools and techniques in the cyber-security sphere that have captured my attention.
EasyScan – a light-weight web security scanner
EasyScan is a light-weight web security scanner implemented in Python. It provides a comprehensive analysis of a website’s security by evaluating its HTTP headers and DNS records. Upon running, it generates a detailed security report containing recommendations to mitigate identified vulnerabilities. The script’s broad range of test cases includes checks for Same Site Scripting, SPF records, DMARC records, Public Admin Page, Directory Listing, Missing security headers, Insecure cookie settings, Information disclosure, Cross-Origin Resource Sharing (CORS) misconfigurations, Content-Type sniffing, and Cache-control.
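As an added illustration (my own code, not EasyScan's), here is a Python function that evaluates a constructed set of HTTP response headers for several of the checks listed above: missing security headers, insecure cookie attributes, a CORS misconfiguration, information disclosure and cache control. The two header sets are constructed samples, not captured from any real site.

```python
# Constructed sample: response headers from a weakly configured site (not real data).
WEAK = {
    "Set-Cookie": "session=abc123; Path=/",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
    "Server": "Apache/2.4.41 (Ubuntu)",
    "Cache-Control": "public",
}
# The same site with every finding below addressed.
HARDENED = dict(WEAK, **{
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Set-Cookie": "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "Access-Control-Allow-Origin": "https://app.example",
    "Server": "Apache",
    "Cache-Control": "no-store",
})
# Headers whose absence is reported, with the risk each one mitigates.
REQUIRED = {
    "Strict-Transport-Security": "downgrade to plain HTTP",
    "Content-Security-Policy": "injected scripts (XSS)",
    "X-Content-Type-Options": "MIME sniffing",
    "X-Frame-Options": "clickjacking",
}


def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return one finding per weakness; an empty list means none were found."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = [f"missing {n} (protects against {why})"
                for n, why in REQUIRED.items() if n.lower() not in h]
    cookie = h.get("set-cookie", "")
    if cookie:
        # Attribute names follow the first "name=value" pair, separated by ';'.
        attrs = {p.strip().split("=")[0].lower() for p in cookie.split(";")[1:]}
        for attr in ("Secure", "HttpOnly"):
            if attr.lower() not in attrs:
                findings.append(f"cookie lacks the {attr} attribute")
        if "no-store" not in h.get("cache-control", "").lower():
            findings.append("Cache-Control allows caching of a response that sets a cookie")
    if (h.get("access-control-allow-origin") == "*"
            and h.get("access-control-allow-credentials", "").lower() == "true"):
        findings.append("CORS: wildcard origin combined with credentials")
    if any(c.isdigit() for c in h.get("server", "")):
        findings.append(f"information disclosure: Server reveals version '{h['server']}'")
    return findings
```

Running `audit_headers(WEAK)` yields nine findings, while `audit_headers(HARDENED)` yields none.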
Advanced evasion backdoor – PowerShell obfuscated with Python
This tool is a reverse backdoor written in PowerShell and obfuscated with Python. Designed with advanced evasion techniques in mind, it generates a new signature after each build, making it difficult for traditional security systems to detect. The tool can create payloads compatible with popular hacking devices such as the Flipper Zero and the Hak5 USB Rubber Ducky. Its capabilities extend beyond payload generation: it can download files from remote systems, play WAV files from a URL, fetch the target computer’s public IP address, and list local users. It also provides features to find interesting files, gather details about the target system’s operating system, retrieve BIOS information, and check whether anti-virus software is installed and what its status is. Furthermore, it can identify active TCP clients, install Chocolatey (a popular package manager for Windows), and check for the presence of common pentesting software on the target system.
ShellGhost – shellcode evasion technique
ShellGhost is a tool that uses a memory-based evasion technique to keep shellcode hidden throughout its execution. At its core it relies on Shellcode Mapping, a strategy that executes instructions without ever exposing the entire shellcode in memory. This is achieved by correlating the position of each executed shellcode instruction with a specific breakpoint inside the allocated memory page. The position is resolved by calculating the Relative Virtual Address (RVA) of the thread’s RIP from the base address of the allocated memory page; that RVA is then added to the base address of the encrypted shellcode (or encrypted instructions) to locate the instruction to execute.
That’s a wrap on this week’s edition of the Cyber-Security Update. Remember, the cyber-security landscape is ever-changing, and staying informed is your primary defense. Hopefully, the insights and information shared today will help you navigate this complex domain and strengthen your defenses against potential threats. Stay vigilant, stay informed, and look out for more insights into the world of cyber-security in next week’s edition.
To stay in sync with the weekly cyber-security roundups, remember to subscribe to the newsletter and follow on social media platforms. If there are any questions or specific topics you’d like to see covered, don’t hesitate to get in touch.