AtRisk December 5, 2024 Vol. XXIV

Jump to:

Internet Storm Center Spotlight
Internet Storm Center Entries
Recent CVEs
Sponsors
Read More

ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html

Credential Guard and Kerberos delegation

Published: 2024-12-02.

Last Updated: 2024-12-02 08:47:36 UTC

by Bojan Zdrnja (Version: 1)

The vast majority of red team exercises that I (and my team, of course) have been doing lately are assumed breach scenarios. In an assumed breach scenario (and we cover this in the amazing SEC565: Red Team Operations and Adversary Emulation SANS course [https://www.sans.org/cyber-security-courses/red-team-operations-adversary-emulation/] that I also teach!) red team is usually given access as a non-privileged domain user, simulating an attacker that has someone already established the first foothold in the organization.

This works quite well as we know that eventually the attacker will succeed and perhaps get a victim (most of the time through some kind of social engineering) to execute their binary. So the first part in such an engagement is to create a malicious binary (an implant) that will evade security controls in the target organization. Most of red teams will have specialists for this.

The next step includes delivery of implant and execution in context of a regular, non-privileged domain user, on the workstation designated for the red team exercise. And if everything works well, we’ll get that beacon communicating to our front end servers.

What now? While there are many things we do next, such as getting some awareness about the organization, setting up persistence, trying to move laterally, there are cases when we would like to fetch the user’s password, or their TGT (Ticket Granting Ticket) for Kerberos. Some actions will not need this, as we can use the builtin Windows authentication of the process our beacon is running under, but if you want, for example, to start a SOCKS proxy and tunnel some tools from your office, we will need to authenticate to target services, and for that we will either need the user’s password, their password hash or TGT. How do we get one through our implant, considering that we do not have local administrator privileges yet? ...

Read the full entry:

https://isc.sans.edu/diary/Credential+Guard+and+Kerberos+delegation/31488/

The strange case of disappearing Russian servers

Published: 2024-11-25.

Last Updated: 2024-11-25 13:34:45 UTC

by Jan Kopriva (Version: 1)

Few months ago, I noticed that something strange was happening with the number of servers seen by Shodan in Russia...

In order to identify any unusual changes on the internet that might be worth a closer look, I have put together a simple script few years ago. It periodically goes over data that was gathered from the Shodan search engine by my TriOp tool, and looks for significant changes in the number of public IP addresses with various services enabled on them. This script alerts me any time there seems to be something unusual – i.e., if Shodan detects more than a 10 % increase in the number of HTTPS servers during the course of a week, or if there is more than a 20 % decrease in the number of e-mail servers in a specific country in the course of a month.

Around the beginning of August, the script started alerting me to a decrease in the number of basically all types of servers that Shodan detected in Russia.

Since internet-wide scanning and service identification that is performed by Shodan, Censys and similar search engines, is hardly an exact science, the number of systems that they detect can oscillate significantly in the short term, and a single alert by my script therefore seldom means that a real change is occurring. Nevertheless, the alerts kept coming for multiple days and weeks in a row, and so I decided to take a closer look at the underlying data… And, indeed, from the point of view of Shodan, it looked as if significant portions of the Russian internet were disappearing.

My theory was that it might have been caused by introduction of some new functionality into the internet filtering technology that is used by Russia in order to censor internet traffic and block access to various external services, which started interfering with Shodan probes. And while I still believe that this might be the case, looking at the data now, when the number of Russian servers has been more or less stable for about 6 weeks, it seems that the cause for the decrease was at least partially different ...

Read the full entry:

https://isc.sans.edu/diary/The+strange+case+of+disappearing+Russian+servers/31476/

Data Analysis: The Unsung Hero of Cybersecurity Expertise [Guest Diary] (2024.12.04)

https://isc.sans.edu/diary/Data+Analysis+The+Unsung+Hero+of+Cybersecurity+Expertise+Guest+Diary/31494/

Extracting Files Embedded Inside Word Documents (2024.12.03)

https://isc.sans.edu/diary/Extracting+Files+Embedded+Inside+Word+Documents/31486/

From a Regular Infostealer to its Obfuscated Version (2024.11.30)

https://isc.sans.edu/diary/From+a+Regular+Infostealer+to+its+Obfuscated+Version/31484/

Quickie: Mass BASE64 Decoding (2024.11.29)

https://isc.sans.edu/diary/Quickie+Mass+BASE64+Decoding/31470/

SANS ISC Internship Setup: AWS DShield Sensor + DShield SIEM [Guest Diary] (2024.11.26)

https://isc.sans.edu/diary/SANS+ISC+Internship+Setup+AWS+DShield+Sensor+DShield+SIEM+Guest+Diary/31480/

[Guest Diary] Using Zeek, Snort, and Grafana to Detect Crypto Mining Malware (2024.11.26)

https://isc.sans.edu/diary/Guest+Diary+Using+Zeek+Snort+and+Grafana+to+Detect+Crypto+Mining+Malware/31472/

Quick & Dirty Obfuscated JavaScript Analysis (2024.11.24)

https://isc.sans.edu/diary/Quick+Dirty+Obfuscated+JavaScript+Analysis/31468/

Decrypting a PDF With a User Password (2024.11.23)

https://isc.sans.edu/diary/Decrypting+a+PDF+With+a+User+Password/31466/

Wireshark 4.4.2 Released (2024.11.23)

https://isc.sans.edu/diary/Wireshark+442+Released/31460/

An Infostealer Searching for <<BIP-0039>> Data (2024.11.22)

https://isc.sans.edu/diary/An+Infostealer+Searching+for+BIP0039+Data/31464/

Increase In Phishing SVG Attachments (2024.11.21)

https://isc.sans.edu/diary/Increase+In+Phishing+SVG+Attachments/31456/

The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals

The Consensus Security Vulnerability Alert

Share

Internet Storm Center Spotlight

Holiday Hack Challenge 2024: Snow-maggedon

Internet Storm Center Entries

Recent CVEs

CVE-2024-49039 - Windows Task Scheduler Elevation of Privilege Vulnerability

CVE-2024-11680 - ProjectSend versions prior to r1720 have an improper authentication vulnerability that can be exploited by remote attackers to unauthorized modify the application's configuration, create accounts, upload webshells, and embed malicious JavaScript.

CVE-2024-11667 - Zyxel ATP, USG FLEX, and USG20(W)-VPN series firmware versions are vulnerable to directory traversal allowing attackers to download/upload files via a crafted URL.

CVE-2024-49803 - IBM Security Verify Access Appliance 10.0.0 through 10.0.8 allows remote authenticated attackers to execute arbitrary commands via a specially crafted request.

CVE-2024-49805 & CVE-2024-49806 - IBM Security Verify Access Appliance 10.0.0 through 10.0.8 has hard-coded credentials that can be exploited for authentication and data encryption.

CVE-2024-49804 - IBM Security Verify Access Appliance versions 10.0.0 through 10.0.8 allow a locally authenticated non-administrative user to escalate privileges through unnecessary permissions.

CVE-2024-52787 - Libre-chat v0.0.6 is vulnerable to path traversal attacks through the upload_documents method when a malicious filename is supplied in an uploaded file.

CVE-2024-50672 - Adapt Learning Adapt Authoring Tool &lt;= 0.11.3 is vulnerable to a NoSQL injection that allows unauthenticated attackers to reset passwords and take over the administrator account, potentially leading to remote code execution on the server.

CVE-2024-28038 - Canon mageRUNNER ADVANCE's web interface processes a cookie value improperly, leading to a stack buffer overflow when a too long character string is given to the MFPSESSIONID parameter.

CVE-2024-33610 - "Sessionlist.html and sys_trayentryreboot.html allow unauthorized access to sensitive user session data and device reboot function."

CVE-2024-35244 - Siemens SCALANCE X Switches have hidden accounts that can be accessed by maintenance engineers to re-configure the device if their passwords are known.

CVE-2024-36248 - Sharp / Toshiba Tec MFP Hard-coded credentials: "API keys for some cloud services are hardcoded in the "main" binary of [Product], posing a security risk."

CVE-2017-11076 - Google Chrome may experience invalid memory access by the decoder due to incorrect frame size on certain hardware revisions with hardware-accelerated VP9 decoding.

CVE-2017-17772 - In multiple functions that process 802.11 frames, out-of-bounds reads can occur due to insufficient validation.

CVE-2018-11922 - Wrong configuration in Touch Pal application can collect user behavior data without awareness by the user.

CVE-2024-50370 through CVE-2024-50375 - Multiple Advantech's devices vulnerable to OS command injection

CVE-2024-11693 - Firefox, Thunderbird, and Windows operating systems were vulnerable to not receiving an executable file warning when downloading .library-ms files.

CVE-2024-11698 - Firefox, Thunderbird, and their respective ESR versions may become stuck in fullscreen mode when a modal dialog is opened during a fullscreen transition on macOS, disrupting the browsing experience until the application is restarted.

CVE-2024-11703 - Firefox on Android &lt;133 may have allowed unauthorized access to saved passwords without PIN authentication.

CVE-2024-11704 - Firefox and Thunderbird versions below 133 are vulnerable to a double-free issue in `sec_pkcs7_decoder_start_decrypt()`, leading to potential memory corruption.

CVE-2024-11705 - Firefox and Thunderbird versions lower than 133 crash due to `NSC_DeriveKey` incorrectly assuming `phKey` is always non-NULL.

CVE-2024-11145 - Valor Apps Easy Folder Listing Pro is vulnerable to deserialization, allowing an attacker to run arbitrary code without authentication in Joomla! versions prior to 3.8 and 4.5.

CVE-2024-49038 - Copilot Studio is vulnerable to Cross-site Scripting, allowing unauthorized attackers to gain elevated privileges over the network.

CVE-2024-53676 - A directory traversal vulnerability in Hewlett Packard Enterprise Insight Remote Support may allow remote code execution.

CVE-2024-42327 - Zabbix allows non-admin user accounts with API access to exploit an SQLi vulnerability in the CUser class.

CVE-2024-42330 - HttpRequest object vulnerability: Unencoded server response strings enable access to hidden object properties.

CVE-2024-53604 - PHPGurukul COVID 19 Testing Management System v1.0 is vulnerable to SQL Injection via the mobnumber POST parameter, potentially enabling remote code execution.

CVE-2024-46054 - OpenVidReview 1.0 allows any user to upload files without authentication due to Incorrect Access Control at the /upload route.

CVE-2024-53920 - GNU Emacs through 30.0.92 allows attackers to execute arbitrary code by invoking elisp-completion-at-point on untrusted Emacs Lisp source code.

CVE-2024-52338 - The Apache Arrow R package versions 4.0.0 through 16.1.0 are vulnerable to arbitrary code execution through the deserialization of untrusted data in IPC and Parquet readers.

CVE-2024-11979 - DreamMaker from Interinfo is vulnerable to Path Traversal and unrestricted file uploads, enabling remote attackers to execute arbitrary code.

CVE-2024-11482 - ESM 11.6.10 allows unauthenticated access to its internal Snowservice API, leading to remote code execution as root user.

CVE-2024-11992 - Quick.CMS version 6.7 suffers from an absolute path traversal vulnerability, allowing remote users to download or delete files outside of the server's document root via the admin.php page.

CVE-2024-52777 through CVE-2024-52782 - DCME-320 &lt;=7.4.12.90, DCME-520 &lt;=9.25.5.11, DCME-320-L,&lt;=9.3.5.26, and DCME-720 &lt;=9.1.5.11 are vulnerable to Remote Code Execution via /function/system/basic/license_update.php.

CVE-2024-49360 - Sandboxie allows an authenticated user with no privileges to read all files created in sandbox belonging to other users, posing a risk of unauthorized access to sensitive information.

CVE-2024-35366 - FFmpeg n6.1.1 is vulnerable to an Integer Overflow in the parse_options function of sbgdec.c within the libavformat module, allowing negative duration values to be accepted without proper validation.

CVE-2024-35367 - FFmpeg n6.1.1 has an Out-of-bounds Read via libavcodec/ppc/vp8dsp_altivec.c, static const vec_s8 h_subpel_filters_outer

CVE-2024-35368 - FFmpeg n7.0 is affected by a Double Free via the rkmpp_retrieve_frame function within libavcodec/rkmppdec.c.

CVE-2024-36610 - Symfony v7.0.3's VarDumper module is vulnerable to deserialization attacks through the Stub class due to handling issues with null or uninitialized properties, allowing attackers to execute unauthorized code.

CVE-2024-53504 through CVE-2024-53507 - SQL injection vulnerabilities has been identified in Siyuan 3.1.11.

CVE-2024-10905 - IdentityIQ is vulnerable to HTTP access to static content in its application directory that should be protected in versions 8.4 and prior.

CVE-2024-46909 - WhatsUp Gold versions released before 2024.0.1 allow remote unauthenticated attackers to execute code using the service account.

CVE-2024-8785 - WhatsUp Gold versions released before 2024.0.1 allow a remote unauthenticated attacker to manipulate registry values via NmAPI.exe.

CVE-2024-10542 - The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation allowing for potential remote code execution.

CVE-2024-11024 - The AppPresser Mobile App Framework plugin for WordPress is vulnerable to privilege escalation via account takeover due to improper validation of password reset codes.

CVE-2024-11925 - The JobSearch WP Job Board plugin for WordPress allows unauthenticated attackers to gain admin privileges by exploiting a user_account_activation function flaw.

CVE-2024-11082 - The Tumult Hype Animations plugin for WordPress is vulnerable to arbitrary file uploads, allowing authenticated attackers with Author-level access and above to upload malicious files and potentially execute remote code.

CVE-2024-11103 - The Contest Gallery plugin for WordPress allows for privilege escalation through account takeover in versions up to 24.0.7, enabling unauthenticated attackers to change passwords and gain access to any user account.

CVE-2024-52475 - Wawp 3.0.18 and earlier versions are vulnerable to an Authentication Bypass using an Alternate Path or Channel.

CVE-2024-52490 - Pathomation allows for the unrestricted upload of files with dangerous types, leading to the potential upload of a web shell onto a web server.

Sponsors

Sevco Security

SANS

SANS

SANS

CVE-2024-50672 - Adapt Learning Adapt Authoring Tool <= 0.11.3 is vulnerable to a NoSQL injection that allows unauthenticated attackers to reset passwords and take over the administrator account, potentially leading to remote code execution on the server.

CVE-2024-11703 - Firefox on Android <133 may have allowed unauthorized access to saved passwords without PIN authentication.

CVE-2024-52777 through CVE-2024-52782 - DCME-320 <=7.4.12.90, DCME-520 <=9.25.5.11, DCME-320-L,<=9.3.5.26, and DCME-720 <=9.1.5.11 are vulnerable to Remote Code Execution via /function/system/basic/license_update.php.