Week 31, July 31-August 6, 2023

Cybersecurity Weekly Updates.

This week in the world of cybersecurity:

The P2PInfect Worm has emerged as a new threat, specifically targeting Redis Servers using novel breach methods. The digital landscape faces more challenges with the Ninja Forms Plugin, as multiple flaws have put 800,000 sites at risk. On the global front, China’s APT31 is now under the spotlight, suspected of orchestrating attacks on air-gapped systems across Eastern Europe. The business sector faces its own hurdles with Citrix NetScaler ADC and Gateway servers coming under a significant cyber attack.



Common Vulnerabilities and Exposures (CVEs)

This section highlights some CVEs whose CVSS score is classified as critical.

CVE-2023-35941
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, a malicious client is able to construct credentials with permanent validity in some specific scenarios. This is caused by some rare scenarios in which the HMAC payload can always be valid in the OAuth2 filter’s check. Versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12 contain a fix for this issue. As a workaround, avoid wildcards and prefix domain wildcards in the host’s domain configuration.

CVE-2021-31962
Kerberos AppContainer Security Feature Bypass Vulnerability

CVE-2022-24193
CasaOS before v0.2.7 was discovered to contain a command injection vulnerability.



Recent Tools and Techniques

These are some of the recent tools and techniques in the cyber-security sphere that have captured my attention.

S4UTomato is a tool designed for escalating service account privileges to local system privileges through the Kerberos authentication mechanism. Stemming from the “Potato” series of privilege escalation, it operates by leveraging features of COM interfaces to trick the NT AUTHORITY\SYSTEM account into connecting and authenticating with an attacker-controlled RPC server. During this process, an NTLM Relay attack is triggered, producing an access token for the NT AUTHORITY\SYSTEM account on the local system. This token can then be utilized to spawn a new process with SYSTEM privileges. In a domain environment, this technique becomes especially potent when executed under a Windows service account or a Microsoft virtual account. Modern Windows versions have most of their services run using these virtual accounts, including notable applications like IIS and MSSQL. S4UTomato exploits the S4U extension to obtain the domain administrator service ticket and, coupled with the SCMUACBypass method, leverages it to create a system service, thus achieving SYSTEM privileges. The tool’s core functionality revolves around obtaining a Ticket Granting Ticket (TGT) for the local machine account, a process streamlined by integrating techniques such as Resource-based Constrained Delegation, Shadow Credentials, and Tgtdeleg, all built upon the Rubeus toolset foundation.

eBPFShield is a high-performance security solution crafted to offer real-time IP-Intelligence and DNS monitoring by leveraging eBPF and Python. Operating within the kernel space, eBPFShield ensures efficient detection by minimizing context switches. This tool enhances network security by observing outbound connections, cross-referencing them with threat intelligence feeds, and pinpointing and curbing malicious activities. Among its key features are DNS monitoring, which provides an overview of all DNS queries on the system, and IP-Intelligence, which not only keeps an eye on outbound connections (both TCP and UDP) but also verifies them against threat intelligence lists, offering the capability to block harmful destinations. An added utility is its script, designed to fetch public threat feeds. eBPFShield is compatible with Windows, Linux, and Ubuntu platforms.
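The cross-referencing step described above, as an added example that is not eBPFShield’s own code: constructed DNS answers and outbound connection events (the kind a kernel probe would hand to user space) are matched in Python against a constructed threat feed of plain IPs and CIDR blocks, and each hit is annotated with the domain name that resolved to that address, so an alert names the lookup that led to the flagged destination.

```python
import ipaddress
from collections import defaultdict

# Constructed threat feed: one indicator per line, bare IPs or CIDR blocks.
THREAT_FEED = """
203.0.113.0/24
198.51.100.77
"""

# Constructed event stream, in the order a kernel probe would emit them
# (DNS answers arrive before the connections that use them).
EVENTS = [
    {"type": "dns", "query": "updates.example.net", "answer": "192.0.2.10"},
    {"type": "dns", "query": "cdn.example-bad.test", "answer": "203.0.113.45"},
    {"type": "conn", "proto": "tcp", "dst": "192.0.2.10", "port": 443},
    {"type": "conn", "proto": "udp", "dst": "203.0.113.45", "port": 53},
    {"type": "conn", "proto": "tcp", "dst": "::ffff:198.51.100.77", "port": 8080},
    {"type": "conn", "proto": "tcp", "dst": "192.0.2.99", "port": 80},
]

def load_feed(text):
    """Parse a feed; bare IPs become /32 or /128 networks, comments are dropped."""
    lines = (l.split("#", 1)[0].strip() for l in text.splitlines())
    return [ipaddress.ip_network(l, strict=False) for l in lines if l]

def normalize(addr):
    """Collapse an IPv4-mapped IPv6 address (::ffff:a.b.c.d) to plain IPv4,
    so a dual-stack socket cannot slip past an IPv4-only feed entry."""
    ip = ipaddress.ip_address(addr)
    return ip.ipv4_mapped if getattr(ip, "ipv4_mapped", None) else ip

def match(ip, nets):
    """Return the first feed entry (as a string) containing ip, or None."""
    return next((str(n) for n in nets if ip in n), None)

def analyze(events, feed_text):
    """Return one alert per connection whose destination is on the feed."""
    nets = load_feed(feed_text)
    resolved = defaultdict(list)   # answer IP -> domain names that resolved to it
    alerts = []
    for ev in events:
        if ev["type"] == "dns":
            resolved[normalize(ev["answer"])].append(ev["query"])
        elif ev["type"] == "conn":
            ip = normalize(ev["dst"])
            hit = match(ip, nets)
            if hit:
                alerts.append({"dst": str(ip), "port": ev["port"], "proto": ev["proto"],
                               "indicator": hit, "names": resolved.get(ip, [])})
    return alerts
```

Run against the constructed events, `analyze` flags the connection to 203.0.113.45 (with the name cdn.example-bad.test attached) and the IPv4-mapped connection to 198.51.100.77, and lets the two clean destinations through.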

API Fuzzer is a tool crafted to identify potential vulnerabilities in applications by conducting exhaustive testing on APIs. It offers users full control over fuzzing sessions with functionalities like Pause, Stop, and Resume. Its robust Payload Generator can produce a variety of payloads using methods such as Random Payload Generation based on intriguing strings, dates, and integers. The tool also boasts Payload Mutators to tweak payloads for edge cases, considering parameters like Integer, Encoding, and Length adjustments. Furthermore, it can generate specific payloads targeting common vulnerabilities like CRLF Injection and JSON Fuzzing. With the capability to pinpoint injection areas, including HTTP Headers and the URL, the tool also supports custom inputs like headers and cookies. After completion, API Fuzzer can produce detailed reports in various formats, such as text, JSON, or HTML, aiding in comprehending and recreating identified vulnerabilities.



That’s a wrap on this week’s edition of the Cyber-Security Update. Remember, the cyber-security landscape is ever-changing, and staying informed is your primary defense. Hopefully, the insights and information shared today will assist in navigating this complex domain and in strengthening defenses against potential threats. Stay vigilant, stay informed, and look forward to more insights into the world of cyber-security in next week’s edition.

To stay in sync with the weekly cyber-security roundups, remember to subscribe to the newsletter and follow on social media platforms. If there are any questions or specific topics you’d like to see covered, don’t hesitate to get in touch.

