INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Cobalt Strike's "Runtime Configuration"
Published: 2023-12-05
Last Updated: 2023-12-05 08:00:19 UTC
by Didier Stevens (Version: 1)
I published an update for my 1768.py tool, a tool to extract the configuration from Cobalt Strike beacons.
1768.py tries to extract the beacon configuration from payloads and process memory dumps. It looks for the embedded configuration, the TLV table that is XOR encoded (0x2E version 4).
Prior to this version (0.0.20), process memory dumps were just handled as raw files.
This new version also looks for the "runtime configuration": this is a C/C++ array found on the heap, created by the beacon code by parsing the embedded configuration. This array contains values (integers and pointers) for each configuration item. An example can be found in this blog post.
For example, the portnumber is configuration item 2, and is stored as an integer in the third position of the array (array[2]).
The public key is configuration item 7, a binary sequence (ASN.1 DER encoded). It is stored as a pointer (to the binary sequence) in the eighth position of the array (array[7]). The binary sequence representing the public key is also stored on the heap. Since we are dealing with pointers in C/C++, there are 32-bit and 64-bit implementations.
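As an added illustration (not code from 1768.py), the following Python reads a constructed runtime-configuration array out of a fake heap region: the port integer at array[2], and the pointer at array[7] that is translated to an offset in the dumped region and followed to the DER-encoded public key, for both 32-bit and 64-bit pointer widths. The heap base address, pointer-sized slots and the tiny DER stand-in for the key are assumptions made for the example.

```python
import struct

# Constructed sample: a fake heap region as it might appear in a dump,
# starting at an assumed virtual base address. Not real beacon data.
HEAP_BASE = 0x10000

def build_sample(ptr_size):
    """Build (region, der_pubkey): an 8-slot array followed by a DER blob."""
    # Minimal DER SEQUENCE standing in for the public key (constructed value).
    der_pubkey = bytes([0x30, 0x06, 0x02, 0x01, 0x05, 0x02, 0x01, 0x07])
    n_items = 8
    pubkey_va = HEAP_BASE + n_items * ptr_size   # DER placed right after array
    fmt = '<' + ('I' if ptr_size == 4 else 'Q')  # assumed pointer-sized slots
    slots = [0] * n_items
    slots[2] = 443        # item 2: port number, stored inline as an integer
    slots[7] = pubkey_va  # item 7: pointer to the DER public key on the heap
    region = b''.join(struct.pack(fmt, s) for s in slots) + der_pubkey
    return region, der_pubkey

def der_length(buf, off):
    """Return total length of the DER SEQUENCE (tag+length+value) at off."""
    if buf[off] != 0x30:
        raise ValueError('expected DER SEQUENCE tag 0x30')
    first = buf[off + 1]
    if first < 0x80:                      # short-form length
        return 2 + first
    nbytes = first & 0x7F                 # long-form: next nbytes hold length
    value_len = int.from_bytes(buf[off + 2:off + 2 + nbytes], 'big')
    return 2 + nbytes + value_len

def parse_runtime_config(region, base_va, ptr_size):
    """Extract port and public key from a runtime-configuration array."""
    fmt = '<' + ('I' if ptr_size == 4 else 'Q')

    def slot(i):
        return struct.unpack_from(fmt, region, i * ptr_size)[0]

    port = slot(2)
    pubkey_va = slot(7)
    off = pubkey_va - base_va             # address translation: VA -> offset
    if not 0 <= off < len(region):
        raise ValueError('public key pointer points outside dumped region')
    length = der_length(region, off)      # DER header tells us how much to read
    return {'port': port, 'public_key': region[off:off + length]}
```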
Since address translations need to take place, 1768.py requires the Python module minidump to be installed.
If it is not installed and a runtime configuration is found, a warning will be displayed...
Read the full entry:
https://isc.sans.edu/diary/Cobalt+Strikes+Runtime+Configuration/30426/
Apple Patches Exploited WebKit Vulnerabilities in iOS/iPadOS/macOS
Published: 2023-11-30
Last Updated: 2023-12-01 17:21:37 UTC
by Johannes Ullrich (Version: 1)
Apple today released patches for two WebKit vulnerabilities affecting macOS, iPadOS and iOS. I would expect standalone Safari updates for older macOS versions in the future. At this point, only the most recent operating system versions received patches.
The vulnerabilities have been exploited against versions of iOS before 16.7.1. iOS 16.7.2 is the latest iOS 16 release, released in late October. It is not clear if it is vulnerable. Apple just states which versions were successfully exploited.
Read the full entry:
https://isc.sans.edu/diary/Apple+Patches+Exploited+WebKit+Vulnerabilities+in+iOSiPadOSmacOS/30444/
Zarya Hacktivists: More than just Sharepoint.
Published: 2023-12-04
Last Updated: 2023-12-04 16:38:58 UTC
by Johannes Ullrich (Version: 1)
Last week, I wrote about a system associated with pro-Russian hacktivist scanning for vulnerable Sharepoint servers [1]. Thanks to @DonPasci on X for pointing me to an article by Radware about the same group using Mirai [2][3]. This group has been active for a while, using various low-hanging fruit exploits to hunt for defacement targets.
The group calls itself "Zarya" (Заря). The Cyrillic alphabet does not contain the letter "z." After Russian troops used the "Z" symbol to mark their vehicles in their push on Kyiv early in 2022, the character became a popular symbol to express support for the war in Russia. It has often been used to replace the letter "З," which is pronounced like the English "Z." Therefore, the name of the hacktivist group is likely supposed to be pronounced as "Заря," or "dawn" in English.
But let's return to the IP address we identified last week: 212.113.106.100. This IP address has not been idle since then. We have observed several different exploits with our honeypots.
Many of them are just simple reconnaissance: requests for "/" to retrieve index pages. These are likely just used to identify possible targets.
There are also some directory traversal attempts. I have no idea if they will work with reasonably up-to-date systems. In particular, requests like "/../../../../etc/passwd"...
Read the full entry:
https://isc.sans.edu/diary/Zarya+Hacktivists+More+than+just+Sharepoint/30450/