Hackers attempt to exploit critical vulnerability in F5 BIG-IP ADC
The FBI has issued a Private Industry Notification warning that a group of Iranian hackers have been trying to exploit Big-IP ADC devices vulnerable to the remote code execution security flaw without CVE-2020-5902 authentication (CVSSv3 of 9.8), since early July 2020. The attacks were reportedly directed at US organisations from a wide range of sectors.
The FBI also warned private industry organisations that once their networks get compromised by the hackers, patching devices will be an insufficient mitigation technique, since they also use web shells to create persistent backdoors as well as stolen credentials to regain access. After gaining access to the network, hackers would use tools such as Mimikatz or NMAP to conduct an examination of the internal network and add new users to the systems.
Last month, CISA (Cybersecurity and Infrastructure Security Agency) also issued a warning confirming the active exploitation of this vulnerability and the involvement of two compromised organisations through the exploitation of this flaw. On the other hand, these same actors would also be linked to multiple campaigns against vulnerable VPN services since August 2019, taking advantage of security flaws in Pulse Secure (CVE 2019-11510, CVE 2019-11539) and Citrix ADC/Gateway (CVE 2019-19781).
Bypass for 0-Day vulnerability in vBulletin
Security researcher Amir Etemadieh has posted a bypass for a patch that corrects a 0-Day vulnerability in vBulletin. This is one of the most used software forums today. In September 2019, the existence of a 0-Day vulnerability was detected, with identifier CVE-2019-16759 with a CVSS of 9.8. The error allowed attackers to exploit a bug in the vBulletin template system to execute malicious code and take over forums without authenticating to victims’ sites. The details and the exploit code are both available on the Etemadieh blog, along with three PoCs in Bash, Python and Ruby. A few hours after the information was known, the Def Con forum became victim to this attack.
Microsoft fixes 120 vulnerabilities
Microsoft has released its updates for August 2020. This time, the company has patched 120 vulnerabilities that affect 13 different products. Among the 120 vulnerabilities, 17 flaws were rated ‘Critical’. Two of these critical features correspond to two 0-Days for which the detection of previous exploitation by threat agents is confirmed.
- CVE-2020-1380: This is a scripting engine memory corruption vulnerability affecting Internet Explorer, allowing threat agents to remotely execute code.
- CVE-2020-1464: This is a Windows Spoofing Vulnerability that allows malicious actors to spoof by allowing an executable to de digitally signed. This would allow them to bypass security features intended to prevent improperly signed files from being loaded.
In addition to the two 0-Days that were actively exploited, one of the critical vulnerabilities should be highlighted: CVE-2020-1472, which is an elevation of privilege vulnerability in the NetLogon component. Some security researchers emphasise the need to patch this vulnerability, for which a change in the service will take place next February 2021.
Adobe fixes critical code execution bugs in Adobe Acrobat, Reader and Lightroom
Adobe has released security updates that address a total of twenty-six vulnerabilities, eleven of which are classified as ‘Critical’ since they allow attackers to bypass security features or perform remote code execution on vulnerable computers.
- Adobe Acrobat and Reader: 25 vulnerabilities have been fixed, eleven of which are ‘Critical’ since they would allow remote code execution of bypass security functions.
- Adobe Lightroom: a DLL hijacking vulnerability has been fixed that would allow an attacker to execute commands with elevated privileges.
Development of Mekotio malware
The ESET team of researchers have recently published a report about the development of the Mekotio banking trojan; malicious software used mainly against several LATAM countries like Brazil, Chile or Mexico, and European countries like Spain or Portugal. Among its capabilities it is worth mentioning the collection of confidential information from the victims’ hosts, firewall configurations, operating system information, user privileges and the status of the installed security tools.
Mekotio also has several other functions, including the ability to function as a backdoor, take screenshots, manipulate pop-ups or simulate mouse and keyboard actions. Some variants can also steal bitcoins by replacing a bitcoin wallet in the clipboard and to exfiltrate credentials stored by the Google Chrome browser. The main distribution method for Mekotio appears to be through spam campaigns, in which the victim is asked to download a file that simulates an invoice. Communication with the C&C server is based on a network protocol in Delphi_Remote_Access_PC.
When that is not the case, Mekotio uses a SQL database as a sort of C&C server in which it calls specific SQL procedures stored on the server side and which are encrypted. ESET indicates that there are multiple variants of this malware in development, so it is expected that it will keep infecting new victims in the future.