Tag Archives: Vulnerability

Embed Payload in PDF File

In this article, I want to show you how to embed a payload in a PDF with the EvilPDF tool. By the end of the article, you will be able to embed a payload in a PDF and get a reverse shell from the victim, hopefully 🙂

EvilPDF is a Linux tool written in Python that embeds a payload in a PDF, and it can also launch a listener.

Below, I show all the steps together instead of one by one.

At the first step, we show the PDF file that we will embed the payload in. We set LHOST and LPORT for the listener, and after the steps are completed, EvilPDF creates the payloaded PDF file. It is ready in just a few minutes.

At the end of the process, it also asks whether to start the listener.

One thing not to forget: the victim must open this file with Acrobat Reader, since EvilPDF relies on vulnerabilities in Acrobat Reader.

Let’s check what happens on the victim machine after downloading and opening the PDF file with Acrobat Reader.

My victim machine has only Windows Defender as antivirus, and Defender detects the malicious file immediately after it is opened, so no reverse shell is created. This is the screenshot of the Windows Defender alert.

Let’s check our PDF on VirusTotal:

VirusTotal reports that 10 of 62 antivirus engines detect our payload-embedded PDF file.

As a result, it is very easy to embed a payload into a PDF file with EvilPDF, but you need to test it very carefully against the victim’s antivirus tool.

Critical Citrix ADC Update Against APT5

Citrix released builds to fix CVE-2022-27518, which affects the following Citrix ADC (formerly NetScaler) and Citrix Gateway versions: 12.1 (including FIPS and NDcPP) and 13.0 before 13.0-58.32. In both cases the appliance must be configured as a SAML SP or IdP to be affected.

The vulnerability has a very high CVSS score because it allows unauthenticated remote code execution: an attacker could exploit it to bypass authentication and execute arbitrary code. It has been exploited in the wild, and Citrix announced that it is aware of a small number of targeted attacks using this vulnerability.

CISA published a detection and mitigation guide for the vulnerability because it has observed the APT5 and UNC2630 threat groups using it in the wild.

APT5 is a threat group that Mandiant has tracked since 2014 and assesses to be supported by the Chinese government. The actor mostly focuses on stealing highly sensitive data from aerospace and defense organizations in the US, Europe and Asia.

Beware of Fake/Malicious CVE PoCs

In recent years, sharing PoC exploits for known vulnerabilities has become very common, and it is easy to find several PoCs for a vulnerability on GitHub. A research team from the Leiden Institute of Advanced Computer Science announced that they discovered thousands of repositories on GitHub offering fake PoC exploits for multiple vulnerabilities.

The study covers vulnerabilities discovered between 2017 and 2021. For these vulnerabilities, the team analyzed 47313 repositories and found that 4893 of them were malicious. Threat actors used these repositories to spread malware. The researchers analyzed a total of 358277 IP addresses, of which 150734 were unique and 2864 were blacklisted.

One example of a fake PoC given in the paper is for the CVE-2019-0708 vulnerability: “This repository was created by a user under the name Elkhazrajy. The source code contains a base64 line that once decoded will be running. It contains another Python script with a link to Pastebin28 that will be saved as a VBScript, then run by the first exec command. After investigating the VBScript we discovered that it contains the Houdini malware”, as written in the document the team provided.

It seems likely that these fake PoCs will continue for both newly discovered and legacy vulnerabilities. Even when PoCs are not malicious, they make exploitation accessible to the public and to less experienced attackers. So, as soon as a vulnerability is discovered, it is very likely to be exploited until it is patched. Because of this, security teams need to prioritize and patch critical vulnerabilities faster. It also shows the importance of using a professional intelligence service to prioritize vulnerabilities according to the organization’s threat profile, which is itself determined by the intelligence service.
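The pattern the paper describes for the fake CVE-2019-0708 repository, a base64 blob decoded and handed straight to `exec`, is something a reviewer can flag statically before running a downloaded PoC. The following is an added example written for this post, not code from the Leiden team or from any repository it analyzed: it walks a Python AST, reports `exec`/`eval` calls whose argument passes through a decoder or is a long opaque literal, and decodes base64 string constants for a read-only preview. The two sample sources, the `DANGEROUS_CALLS` and `DECODERS` sets, and the length threshold are all constructed for the example; the suspicious sample's payload decodes to a harmless `print("hello")`.

```python
import ast
import base64
import re

# Constructed samples. The first has the shape the paper describes (a base64
# blob decoded and handed to exec); its payload is harmless and decodes to
# print("hello"). The second is an ordinary, non-suspicious PoC fragment.
SUSPICIOUS_SAMPLE = '''
import base64
exec(base64.b64decode("cHJpbnQoImhlbGxvIik="))
'''

BENIGN_SAMPLE = '''
import socket

def is_reachable(host, port):
    with socket.create_connection((host, port), timeout=3):
        return True
'''

# Assumed sets for the example; extend them to match your own review rules.
DANGEROUS_CALLS = {"exec", "eval"}
DECODERS = {"b64decode", "b32decode", "a85decode", "unhexlify", "decompress"}
LONG_OPAQUE = re.compile(r"^[A-Za-z0-9+/=\s]{64,}$")


def _call_name(node):
    """Return the called name for exec(...) or base64.b64decode(...)."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def find_suspicious(source):
    """Flag exec()/eval() calls whose argument is decoded or a long opaque literal."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or _call_name(node) not in DANGEROUS_CALLS:
            continue
        reasons = []
        for sub in ast.walk(node):
            if sub is node:
                continue
            if isinstance(sub, ast.Call) and _call_name(sub) in DECODERS:
                reasons.append(f"{_call_name(sub)}() feeds {_call_name(node)}()")
            elif (isinstance(sub, ast.Constant) and isinstance(sub.value, str)
                  and LONG_OPAQUE.match(sub.value)):
                reasons.append("long opaque literal")
        if reasons:
            findings.append({"line": node.lineno, "call": _call_name(node), "reasons": reasons})
    return findings


def preview_payloads(source):
    """Decode base64 string constants passed to b64decode so an analyst can
    read them without executing anything. Only literal strings are touched."""
    previews = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and _call_name(node) == "b64decode" and node.args:
            arg = node.args[0]
            if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
                try:
                    decoded = base64.b64decode(arg.value, validate=True)
                    previews.append(decoded.decode("utf-8", "replace"))
                except ValueError:  # binascii.Error is a ValueError subclass
                    previews.append("<undecodable>")
    return previews


if __name__ == "__main__":
    for finding in find_suspicious(SUSPICIOUS_SAMPLE):
        print(f"line {finding['line']}: {finding['call']} -> {', '.join(finding['reasons'])}")
    print(preview_payloads(SUSPICIOUS_SAMPLE))
```

The check is deliberately conservative: it only looks at the argument expression of `exec`/`eval`, so ordinary PoC code that opens sockets or builds packets is not flagged, while the decode-then-execute shape is. The preview step never runs the decoded text; it exists so the reviewer can read what the blob would have done.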

Beware of Django SQL Injection Vulnerability

Django is a free and open-source Python web framework maintained by the independent Django Software Foundation.

An issue was discovered (CVE-2022-34265) in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. Trunc() and Extract() database functions were subject to SQL injection if untrusted data was used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.

On July 4th, the Django Project announced that the vulnerability was fixed in the latest versions, 4.0.6 and 3.2.14. The developers also said they would release patches for older versions.

Affected Products:
Django main branch
Django 4.1 (currently at beta status)
Django 4.0
Django 3.2
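The advisory's own mitigation is the key point: an application that constrains `kind`/`lookup_name` to a known safe list is unaffected, whatever version it runs. The snippet below is an added illustration written for this post, not Django's code and not a reproduction of the framework's internals. It mirrors the shape of the defect (a lookup name spliced into SQL text) beside the allowlist check, and runs the hardened path against an in-memory SQLite database so the difference is observable. The `events` table, the sample timestamps, the `date_extract` SQL function and the `ALLOWED_LOOKUPS` set are all constructed for the example.

```python
import sqlite3
from datetime import datetime

# Constructed sample rows; the table and values are not from the advisory.
SAMPLE_ROWS = [("2022-07-04 10:15:00",), ("2021-12-31 23:59:59",)]

# The "known safe list": only the lookup names this application needs.
# (Assumed set for this example; a real application lists its own.)
ALLOWED_LOOKUPS = frozenset({"year", "month", "day", "hour", "minute", "second", "week_day"})


def _date_extract(lookup_name, value):
    """Python-side helper registered into SQLite to compute date parts."""
    dt = datetime.strptime(value, "%Y-%m-%d %H:%M:%S")
    parts = {
        "year": dt.year, "month": dt.month, "day": dt.day, "hour": dt.hour,
        "minute": dt.minute, "second": dt.second,
        "week_day": dt.isoweekday() % 7 + 1,  # Sunday=1 .. Saturday=7
    }
    return parts[lookup_name]


def extract_sql_unsafe(lookup_name, column):
    """'Before' pattern: whatever the caller passes lands inside the SQL text.
    `column` is a trusted identifier chosen by the application, never user input."""
    return f"SELECT date_extract('{lookup_name}', {column}) FROM events"


def validate_lookup(lookup_name):
    """Allowlist check: reject anything that is not a known lookup name."""
    if lookup_name not in ALLOWED_LOOKUPS:
        raise ValueError(f"invalid lookup_name: {lookup_name!r}")
    return lookup_name


def extract_sql_safe(lookup_name, column):
    """'After' pattern: the value is validated before any SQL is built."""
    return extract_sql_unsafe(validate_lookup(lookup_name), column)


def run_extract(lookup_name, column="ts"):
    """Run the hardened query against an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("date_extract", 2, _date_extract)
    conn.execute("CREATE TABLE events (ts TEXT)")
    conn.executemany("INSERT INTO events VALUES (?)", SAMPLE_ROWS)
    try:
        return [row[0] for row in conn.execute(extract_sql_safe(lookup_name, column))]
    finally:
        conn.close()


if __name__ == "__main__":
    print(run_extract("year"))  # [2022, 2021]
    # A value that was never meant to be a lookup name changes the SQL text in
    # the unsafe builder, but is rejected before it reaches the database in
    # the safe one.
    tampered = "year', ts) FROM events WHERE 1=0 --"
    print(extract_sql_unsafe(tampered, "ts"))
    try:
        run_extract(tampered)
    except ValueError as exc:
        print("rejected:", exc)
```

The allowlist is a set membership test rather than a character filter on purpose: a lookup name either is one the application supports or it is not, and an exact match leaves no room for encodings or quoting tricks. If your views accept the lookup from a query string, validate it the same way before it reaches `Extract()` or `Trunc()`, independent of which Django version is installed.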

Office 365 Vulnerability Allows Attackers to Encrypt Files

Proofpoint announced that they have discovered a vulnerability in Office 365 that allows an attacker to encrypt files stored on SharePoint and OneDrive.

Proofpoint also describes the attack chain as initial access, account takeover and discovery, collection and exfiltration, and monetization. “Once executed, the attack encrypts the files in the compromised users’ accounts. Like with endpoint ransomware activity, those files can only be retrieved with decryption keys”, the report says of the attack.

If an attacker gains access to the victim’s cloud account, they have two options: limit the number of autosaved versions to one, or use the autosave feature 500 times to exceed the limit. The researchers explain that it is unlikely an attacker would encrypt more than 500 files, since such an operation requires a lot of scripting work and computing resources while significantly increasing the risk of detection.

Whichever option the attacker chooses, once the files have been encrypted and every stored version overwritten, the victim has only two options: restore from backups physically isolated from the infrastructure, or pay the attacker for a decryption key.

Still Have Port 445 Open to the Internet?

CVE-2022-26809 is a vulnerability in the Remote Procedure Call Runtime component of Microsoft Windows. If an attacker successfully exploits it, they can run arbitrary code on the affected system.

To exploit this vulnerability, an attacker would need to send a specially crafted RPC call to an RPC host. This could result in remote code execution on the server side with the same permissions as the RPC service.

The vulnerable system can be exploited without any interaction from any user.

This is a really high-risk vulnerability and should be patched immediately.

Vulnerable Technologies:
Microsoft reports that the following products and versions are vulnerable:

Windows 7 32-bit SP 1
Windows 7 x64 SP 1
Windows 8.1 32-bit
Windows 8.1 x64
Windows 10 32-bit
Windows 10 x64
Windows 10 20H2 32-bit
Windows 10 20H2 ARM64
Windows 10 20H2 x64
Windows 10 21H1 32-bit
Windows 10 21H1 ARM64
Windows 10 21H1 x64
Windows 10 21H2 32-bit
Windows 10 21H2 ARM64
Windows 10 21H2 x64
Windows 10 1607 32-bit
Windows 10 1607 x64
Windows 10 1809 32-bit
Windows 10 1809 ARM64
Windows 10 1809 x64
Windows 10 1909 32-bit
Windows 10 1909 ARM64
Windows 10 1909 x64
Windows 11 ARM64
Windows 11 x64
Windows RT 8.1
Windows Server 2008 32-bit SP 2
Windows Server 2008 x64 SP 2
Windows Server 2008 R2 x64 SP 1
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016
Windows Server 2019
Windows Server 2022
Windows Server Version 20H2

Mitigation:

Microsoft recommends blocking port 445 at the perimeter firewall as a technique to mitigate the possibility of internet-based exploitation.

Remediation:

Organizations need continuous port and vulnerability scanning to detect whether any port is, even momentarily, open to the outside. If continuous scanning is not possible because of sensitive systems, an Attack Surface Management system should be used for instant detection.
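For the mitigation and remediation above, the check a defender wants is simple: from outside the perimeter, does TCP 445 on any of our public addresses complete a handshake? The snippet below is an added example written for this post (not Microsoft's guidance and not a particular scanner's code): a parallel TCP reachability check that produces one record per host/port pair, plus an offline self-check that listens on a loopback port to prove the logic without touching anyone's network. The host list, worker count and timeouts are assumptions to adjust.

```python
import socket
from concurrent.futures import ThreadPoolExecutor


def tcp_port_open(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, or unresolvable name
        return False


def exposure_report(hosts, ports=(445,), timeout=2.0, workers=16):
    """Check every host/port pair in parallel; return one record per pair."""
    targets = [(host, port) for host in hosts for port in ports]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda t: tcp_port_open(t[0], t[1], timeout), targets))
    return [{"host": h, "port": p, "open": is_open}
            for (h, p), is_open in zip(targets, results)]


def exposed(report):
    """Only the findings that need a ticket: the pairs that answered."""
    return [record for record in report if record["open"]]


def self_check():
    """Offline demonstration: listen on an ephemeral loopback port, confirm the
    check reports it open, close it, and confirm the same port reads as closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        while_open = exposure_report(["127.0.0.1"], ports=(port,), timeout=1.0)
    finally:
        listener.close()
    after_close = exposure_report(["127.0.0.1"], ports=(port,), timeout=1.0)
    return {
        "port": port,
        "open_while_listening": exposed(while_open) != [],
        "open_after_close": exposed(after_close) != [],
    }


if __name__ == "__main__":
    # Assumed host list: replace with your own public address ranges and run
    # the check from a vantage point outside the perimeter firewall.
    for finding in exposed(exposure_report(["127.0.0.1"], ports=(445,))):
        print(f"{finding['host']}:{finding['port']} is reachable")
    print(self_check())
```

Run it on a schedule from an external vantage point and alert on any new `open` record; a port that is reachable for a few minutes after a firewall change is exactly the momentary exposure the remediation paragraph warns about, and a single run will not catch it.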

Everything About Attack Surface Management

For many years we have been using vulnerability scanners to identify security weaknesses and flaws in our internet-facing environment. A vulnerability scan is an automated process, and it is critically important for organizations to see which vulnerabilities they have that attackers could use against them.

Despite all this success, widespread use and importance, vulnerability scanning has gaps when it comes to managing an organization’s attack surface.

Gaps in Vulnerability Scanning

Vulnerability scanning is an active scan, so it is risky to use on sensitive assets: it can cause slowness and even interruption. For critical systems that need 24×7 operation, this is a technical risk to availability, and it is the biggest hurdle to running the scan continuously. The other hurdle is the technique itself: because it is an active scan, it takes a long time across a wide range of networks. This sometimes means a scan does not finish in the desired window, the schedule slips, and assets go unscanned for a long time. A significant risk remains for vulnerabilities discovered between two scans and for machines newly installed in the DMZ.

For scanning, a scope is determined and that scope is scanned periodically. This leaves Shadow IT out: services that are out of scope for various reasons, or hosted at third-party institutions, remain unscanned. Shadow IT is a very big problem, especially for large organizations.

Vulnerability scanning focuses only on identifying vulnerabilities. However, attackers may use several other findings about the organization, such as misconfigurations, compromised accounts, third-party connections, etc.

What does attack surface management do differently?

There are several tools already on the internet that we can use to check information about our organization: passive subdomain tools, port scanners, certificate and DNS record checkers, etc. Some of them are free and some are paid services.

Attackers also check these services as the discovery phase before an attack, so it is very important to check the findings from these tools at frequent intervals. However, there are many such tools, and it seems impossible to check all of them every day for all keywords of the organization. Keyword here means every term an attacker searches for in the discovery phase, including brand, application, web site and VIP names, among others.

Fundamentally, Attack Surface Management is a passive scanning process that uses these free or paid tools already hosted on the internet. This passive scan provides a continuous scanning process. With the keywords explained above, an Attack Surface Management tool queries all these sources continuously, and since it is a passive scan, there is no risk to the availability of the systems.

Third Party Connections

With developing technology and methods, all companies need to work with many other companies and maintain direct connections for this. The number of these links is increasing day by day. This also creates a great opportunity for attackers: in recent years, attacks over third-party connections have increased, and they mostly succeed. This requires risk management teams to closely monitor third-party risks.

Very understandably, organizations normally do not let others scan their environment, so it is not possible to scan a third party to determine its vulnerabilities before starting a connection with it. We are left relying on the company’s own tests and some paperwork from the third party we will connect to. With Attack Surface Management, identifying their risks before creating the connection can be very fast and risk-free.

What to Expect from Attack Surface Management?

To cover all internet-facing risk, security teams need to master all the assets they have, both hosted at their own institution and at third parties. An Attack Surface Management tool should first show all the assets the organization has. These may include all subdomains, IP addresses, DNS records, cloud environments, certificates, URIs, etc., and also all the technologies the organization is using in its DMZ, such as the number of web servers, applications and operating systems.

All these findings are critical for Shadow IT. Systems that are forgotten and not patched for a long time create big risks for the organization.

The other important, and maybe the most important, output is the vulnerabilities of the systems. Attack Surface Management tools use services like Shodan to investigate vulnerabilities and, unlike a vulnerability scan, Attack Surface Management may show misconfigurations such as forgotten default IIS or Apache web pages, default admin panels and, again, IIS or Apache misconfigurations. Missing configurations such as DMARC records or A records can also be important seeds for attackers in their discovery phase.
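The DMARC point is a good illustration of the kind of finding a passive scan produces: the TXT record at `_dmarc.<domain>` is public, and a missing or monitor-only policy is visible to anyone who looks. The following is an added example written for this post, not code from any Attack Surface Management product: it parses DMARC TXT strings and turns them into the findings an ASM report would list (no record, `p=none`, partial `pct`, unprotected subdomains, no reporting address). The DNS lookup itself is out of scope here; the function takes the TXT strings it would have received. The four sample domains and their records are constructed for the example.

```python
# Assumed sample records, as they would be returned for _dmarc.<domain>.
SAMPLES = {
    "monitor-only.example": ["v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example"],
    "partial.example": ["v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@partial.example"],
    "strict.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@strict.example",
                       "google-site-verification=abc123"],  # unrelated TXT at same name
    "absent.example": [],
}


def parse_dmarc(txt):
    """Parse one TXT string into a tag dict; None if it is not a DMARC record.
    A DMARC record is a ';'-separated tag=value list whose first tag is v=DMARC1."""
    tags, order = {}, []
    for part in txt.split(";"):
        if "=" not in part:
            continue  # empty trailing segment or malformed piece: ignore it
        key, value = part.split("=", 1)
        key = key.strip().lower()
        tags[key] = value.strip()
        order.append(key)
    if not order or order[0] != "v" or tags["v"].upper() != "DMARC1":
        return None
    return tags


def assess_dmarc(txt_records):
    """Return human-readable findings for the TXT strings found at _dmarc.<domain>."""
    parsed = [p for p in (parse_dmarc(r) for r in txt_records) if p is not None]
    if not parsed:
        return ["no DMARC record published: receivers apply no policy to spoofed mail"]
    findings = []
    if len(parsed) > 1:
        findings.append("multiple DMARC records: receivers treat this as no record at all")
    tags = parsed[0]
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required p= tag: record is invalid")
    elif policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"unknown policy p={policy}")
    if tags.get("sp") == "none":
        findings.append("sp=none: subdomains are left unprotected")
    pct = tags.get("pct", "100")  # default is 100 when the tag is absent
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only part of the mail stream")
    if not (tags.get("rua") or tags.get("ruf")):
        findings.append("no rua/ruf address: no reports, so abuse goes unnoticed")
    return findings


if __name__ == "__main__":
    for domain, records in SAMPLES.items():
        print(domain, "->", assess_dmarc(records) or ["ok"])
```

Each finding maps to a concrete change for the domain owner, which is what makes it a ticket rather than a note: publish a record, move from `p=none` to `quarantine` or `reject`, raise `pct`, and add a `rua` address so you see who is sending as you.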

As noted above, it is critical to scan all of these assets often, preferably every day. Whether the scan can actually be done every day, and how long it takes, are both very important.

The number of tools that an Attack Surface Management product uses in passive scanning is also very important. Do not forget that the main purpose here is to perform the attacker’s discovery phase yourself, and a vulnerability or misconfiguration that you cannot detect with these scans, but that the attacker can find, can lead to very bad results.

Risk Management

For risk management processes, all tasks, including vulnerabilities and misconfigurations, should be followed up regularly. To provide this, like other vulnerability management solutions, Attack Surface Management tools should be integrated with the organization’s ticketing systems. Via this integration, tasks can be assigned to engineers and followed in a single system.

Conti CVEs Leaked

On February 27th, a member of the Conti threat group started leaking data from the group, after Conti announced that it fully supports Russia against Ukraine. The leaking is still going on via the “ContiLeaks” Twitter account.

The leak started with unencrypted chat messages between Conti members. On March 1st, the threat actor shared access information for several Conti storage servers and some screenshots of the folders on the server.

On March 4th, another Twitter account, @c3rb3ru5d3d53c, shared the vulnerabilities that Conti is using to compromise systems, in the screenshot below.

Conti has harmed many organizations and continues to do so. We know that in February alone they hacked many organizations and managed to get their data out.

As can be seen in the screenshot, the threat group is using vulnerabilities that already have patches, instead of very sophisticated techniques. This shows us that even very simple vulnerability management can prevent most of these attacks; even scanning with free tools and patching the findings can really protect your systems. So this share from the @c3rb3ru5d3d53c Twitter account was very important for us, because it shows that even very simple measures can prevent big problems.

Strategic Partnership Between Nucleus and Mandiant

Nucleus and Mandiant announced a strategic partnership about vulnerability intelligence. Through this partnership, Nucleus customers can have access to Mandiant Advantage Vulnerability Intelligence data in real time.

“We spent the last year performing a deep dive into the vulnerability intelligence offerings of the leading threat intelligence providers and studying how their data could be useful in the context of vulnerability management,” said Steve Carter, CEO of Nucleus Security. “We chose to partner with Mandiant because they were most aligned with our vision of operationalizing vulnerability intelligence and transforming enterprise vulnerability management as we know it.”

Mandiant (formerly the threat intelligence arm of FireEye) has been a leader in the threat intelligence market for many years, covering threat actor knowledge, IoC feeds, dark web visibility, vulnerabilities and more.

With the integration, practitioners can accelerate the vulnerability prioritization and triage process using automation at scale.

CTI does not mean Fraud Detection

Organizations invest more and more in security tools, yet breach statistics keep increasing. Ten or more years ago, attackers were mostly lone individuals using basic tools, so it was easier to block them. But advanced techniques and tools, and groups coming together to attack, have made these attacks more difficult to block. Back then there was no such thing as intelligence on our agenda; some basic blacklists and virus databases were enough against most attackers.

CTI (Cyber Threat Intelligence) has become indispensable nowadays. We need more and more information about attackers every day to gain an advantage in this fight. At the same time, we see that a lot of people confuse threat intelligence with fraud, and seem really confused about what to expect from threat intelligence. In this post, I try to describe the needs and uses for CTI.

IoCs: Of course, IoCs are one of the most important things we expect from a CTI product. We feed our tools with IoCs, and this is the simplest part of our security intelligence. It is possible to find open-source IoCs for many historical threats on the internet; our expectation from a CTI product should be that it gives us the latest IoCs on current threats. While evaluating a CTI tool, observe how many IoCs it gives compared to its competitors. Some CTI vendors mostly repackage open IoCs, so it is important to check this before paying money. Meanwhile, the accuracy of the IoCs is also an issue that should not be overlooked: there is no point in pushing many wrong IoCs into our systems every day, and even false-positive IoCs cause us to waste time. And time is the most important value in a battle.

TTPs: According to the Pyramid of Pain, which we discussed in depth in the related post, TTPs are the most valuable information for defenders. Sun Tzu says: “if you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” Of course this is very meaningful. If you do not know what tools, techniques and tactics your enemies are using, it would be very difficult to win a battle. For a defender, the most valuable information is these TTPs and the tools the enemy is using. This must be one of your most important expectations from a CTI vendor.

Threat Groups: As mentioned before, attackers now work together; they come together and join forces. And while a group is successful with a technique and specific tools and malware, it rarely changes those TTPs and tools. So it is very important to know who is targeting your geography, country and sector. With this information, organizations get IoCs that are really useful for them and can design their defenses according to these attackers’ TTPs. Seen this way, tracking threat groups may also be the most important input for the first two items (IoCs and TTPs). You can take random IoCs and install them on your systems, but this is never the same as working with information about attackers you know.

Vulnerabilities: These are critical because attackers use vulnerabilities to infiltrate. It is vital to be aware of vulnerabilities as quickly as possible after they appear. Meanwhile, whether these vulnerabilities are exploitable, their criticality, and knowledge of the affected systems should also be among the things you expect from CTI. Of course, you need proactive patch management to use this information successfully.

Dark Web Tracking: Every day, a lot of information about companies is offered for sale on the dark web, and different attackers and groups come together by communicating there. It is not possible for a security team to track all dark web forums and portals continuously. One of the expectations from CTI should be constant monitoring of the dark web and access to information about threats to the organization.

CTI is not Fraud Detection: Fraud is an important subject for protecting our customers and users. There are many fraud techniques that fraud teams need to be aware of, but CTI is not fraud. As mentioned at the beginning, people seem really confused about what CTI and fraud are. Some CTI vendors provide fraud data to their customers, and it is undisputedly very valuable. But a CTI product should not be evaluated solely on the fraud information it provides. For a good CTI investment, the issues above should be evaluated.
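The IoC paragraph above lists three things to measure before paying for a feed: how many indicators it gives, how many are just repackaged open-source IoCs, and how accurate they are. Those can be computed. The following is an added example written for this post, not code from any CTI vendor: it normalises a feed (defanged dots, whitespace, case), drops entries that are not a valid IP, domain or hash, deduplicates, flags entries that are almost certainly false positives (RFC 1918 addresses, well-known infrastructure domains), and reports the overlap with an open-source feed. Both feeds, the `KNOWN_BENIGN_DOMAINS` list and the hash value are constructed for the example; the IPs are documentation addresses.

```python
import ipaddress
import re
from collections import Counter

DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
# Explicit RFC 1918 ranges rather than ipaddress.is_private, which would also
# flag the documentation addresses used in the sample feeds below.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Small illustrative list (assumed) of infrastructure that shows up in feeds as noise.
KNOWN_BENIGN_DOMAINS = {"microsoft.com", "google.com", "windowsupdate.com"}

# Constructed feeds: documentation IPs, reserved .example names, a made-up hash.
VENDOR_FEED = [
    "198.51.100.23", "198.51.100.23 ", "10.0.0.5", "evil-update[.]example",
    "0123456789abcdef0123456789abcdef", "not an ioc", "google.com", "203.0.113.9",
]
OPEN_SOURCE_FEED = ["203.0.113.9", "evil-update.example"]


def classify(raw):
    """Normalise one entry; return (type, value, likely_false_positive) or None."""
    value = raw.strip().lower().replace("[.]", ".")
    if not value:
        return None
    try:
        ip = ipaddress.ip_address(value)
        internal = (ip.is_loopback or ip.is_link_local or ip.is_multicast
                    or any(ip in net for net in RFC1918))
        return ("ip", str(ip), internal)
    except ValueError:
        pass
    if re.fullmatch(r"[0-9a-f]+", value) and len(value) in HASH_TYPES:
        return (HASH_TYPES[len(value)], value, False)
    if DOMAIN_RE.match(value):
        return ("domain", value, value in KNOWN_BENIGN_DOMAINS)
    return None


def evaluate_feed(vendor_entries, open_source_entries):
    """Quality metrics a buyer can compare across vendors."""
    seen, invalid = {}, 0
    for raw in vendor_entries:
        parsed = classify(raw)
        if parsed is None:
            invalid += 1
            continue
        kind, value, suspect = parsed
        seen.setdefault(value, (kind, suspect))  # first occurrence wins; later ones are dupes
    open_source = {p[1] for p in map(classify, open_source_entries) if p}
    overlap = set(seen) & open_source
    unique = len(seen)
    return {
        "total": len(vendor_entries),
        "invalid": invalid,
        "unique_valid": unique,
        "likely_false_positive": sum(1 for _, suspect in seen.values() if suspect),
        "overlap_with_open_source": len(overlap),
        "unique_to_vendor_ratio": round((unique - len(overlap)) / unique, 2) if unique else 0.0,
        "by_type": dict(Counter(kind for kind, _ in seen.values())),
    }


if __name__ == "__main__":
    for key, val in evaluate_feed(VENDOR_FEED, OPEN_SOURCE_FEED).items():
        print(f"{key}: {val}")
```

Run the same function over each vendor's sample export and a free feed you already use: a low `unique_to_vendor_ratio` means you would be paying for indicators you can get for nothing, and a non-zero `likely_false_positive` count before the feed even reaches your sensors is the accuracy problem the paragraph warns about.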