This post covers 2022-07-04 to 2022-07-11.
Vulnerabilities#
CVE-2022-2294 - Chrome WebRTC Zero-Day#
A heap buffer overflow was discovered in the WebRTC component. It was reported by Jan Vojtesek from the Avast Threat Intelligence team on 2022-07-01. The vulnerability is being exploited in the wild. Chromium-based browsers are affected, e.g. Chrome, Microsoft Edge, Brave, … .
- Chrome Releases: Stable Channel Update for Desktop
- Flash Notice: [CVE-2022-2294] Google Chrome Zero-Day Vulnerability Exploited by Attackers
CVE-2021-43138 - IBM Business Automation Workflow RCE#
IBM Business Automation Workflow bundles the async npm library and is therefore affected by its prototype pollution bug. The original advisory for async was published on 2022-04-13 and describes the issue as follows:
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
- Security Bulletin: Remote code execution vulnerability affect IBM Business Automation Workflow - CVE-2021-43138
- Prototype Pollution in async · CVE-2021-43138 · GitHub Advisory Database
- Prototype Pollution in async | CVE-2021-43138 | Snyk
- async/CHANGELOG.md
- PoC
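To make the mapValues() description above concrete, here is an added example that is not code from the original post nor from the async library: a synchronous, reduced stand-in for the mapValues() pattern, with the fixed variant beside it. The attacker payload is constructed; the guard in the hardened function is the `__proto__` check that async 2.6.4 / 3.2.2 added to its object iterator, re-created here rather than copied from the library.

```javascript
// Added example, not code from the original post or from the async library:
// a synchronous, reduced stand-in for the mapValues() pattern, to show what
// an own "__proto__" key coming out of JSON.parse does to the result object,
// next to the guard the fixed async iterator applies.

// Unpatched shape: copy every own key of `obj` into a fresh object.
// Assigning to out["__proto__"] invokes the Object.prototype.__proto__
// setter and rewires the prototype of `out` to whatever the attacker sent.
function mapValuesVulnerable(obj, iteratee) {
  const out = {};
  for (const key of Object.keys(obj)) {
    out[key] = iteratee(obj[key], key);
  }
  return out;
}

// Hardened shape: skip "__proto__" (the check the fixed createObjectIterator
// performs) and create the remaining keys as plain data properties so no
// setter on the prototype chain can intercept them.
function mapValuesSafe(obj, iteratee) {
  const out = {};
  for (const key of Object.keys(obj)) {
    if (key === '__proto__') continue;
    Object.defineProperty(out, key, {
      value: iteratee(obj[key], key),
      enumerable: true, writable: true, configurable: true,
    });
  }
  return out;
}

// Constructed attacker input. JSON.parse creates an *own* property literally
// named "__proto__" here; Object.keys() enumerates it like any other key.
const UNTRUSTED_JSON = '{"name":"report","__proto__":{"isAdmin":true}}';

// Run one of the two implementations over the payload and report what a
// downstream consumer of the result would observe.
function probe(mapValues) {
  const input = JSON.parse(UNTRUSTED_JSON);
  const result = mapValues(input, (value) => value);
  return {
    name: result.name,
    isAdmin: result.isAdmin,                 // inherited if the prototype was swapped
    ownProto: Object.prototype.hasOwnProperty.call(result, '__proto__'),
    prototypeSwapped: Object.getPrototypeOf(result) !== Object.prototype,
    globalClean: Object.prototype.isAdmin === undefined,
  };
}

console.log('vulnerable:', probe(mapValuesVulnerable));
console.log('fixed:     ', probe(mapValuesSafe));
```

In this reduced form the damage stays on the result object: its prototype chain now contains attacker-chosen properties, and `result.isAdmin` reads as `true` without any own property existing. Any code that trusts flags read off such a result is what turns the bug into the privilege escalation the CVE text describes. The global `Object.prototype` is untouched in both runs, which is worth checking explicitly in a test, since "prototype pollution" is often assumed to mean the global case.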
CVE-2022-34893 - Trend Micro Maximum Security LPE#
Security tools sometimes extend the attack surface rather than reduce it. In this case no details beyond the advisory's one-liner have been published:
… link following vulnerability where an attacker with lower privileges could manipulate a mountpoint which could lead to escalation of privilege on an affected machine.
News#
Shanghai police database leaked#
Gigantic civilian data leak if confirmed: A hacker is selling an alleged Shanghai police data leak containing 1 billion Chinese nationals’ names, home addresses, ID #, phone #, criminal records, etc. Hacker says it’s from an Aliyun (Alibaba) private cloud server.
The exposure seems to have existed for quite some time. The database was indexed by a search engine in April 2021. @vinnytroia detected the database in January 2022, and @MayhemDayOne found it in April 2022. In a later scan in mid-June the data was gone; in its place were ransom notes demanding 10 BTC. The police got rid of the ransom notes, but the database remained accessible. On 2022-06-29 someone on a hacker forum offered 23.88 TB of data on 1 billion Chinese residents for 10 BTC. The Chinese government has yet to publicly acknowledge the breach.
- Zeyi Yang
- Karen Hao 郝珂灵
- Yong Xiong
- China data leak: Nearly one billion people had their personal data leaked, and it’s been online for more than a year - CNN
- China Police Database Was Left Open Online for Over a Year, Enabling Leak - WSJ
Microsoft quietly fixes ShadowCoerce#
ShadowCoerce abuses the MS-FSRVP (File Server Remote VSS Protocol) interface to coerce a Windows host into authenticating to an attacker-controlled machine. Microsoft describes the protocol as follows:
It’s used for creating shadow copies of file shares on a remote computer, and for facilitating backup applications in performing application-consistent backup and restore of data on SMB2 shares
Another VSS vulnerability, CVE-2022-30154, was patched in June. The ShadowCoerce fix was either quietly slipped in alongside it, or it came "accidentally" as a by-product of the intended fix. There was no official statement from Microsoft.
NPM software supply chain attack#
A typosquatting campaign against NPM packages was discovered. The initial indicator was the use of a JavaScript obfuscator. Starting from that, more than two dozen NPM packages with a common naming pattern were found, e.g., icons-package, icons-pack, icon-package, icons-packages, … . After installation, a correspondingly typosquatted domain was used for data exfiltration. The malicious packages had collectively been downloaded more than 27,000 times.
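The naming pattern is what gave the campaign away, and it is also the cheapest thing to screen for on your own side. The following is an added example, not from the original post or from the researchers who found the campaign: a check a CI step could run over a project's resolved dependency names. It flags names within a short edit distance of a package on the project's own allowlist, and it groups names that collapse to the same "shape" (scope dropped, plurals stripped). The allowlist and the dependency list are constructed; the four icons-pack* names are the ones quoted above, the other lookalikes are made up.

```javascript
// Added example, not from the original post or from the researchers who found
// the campaign: a screen over a project's dependency names that flags
// (a) near-misses of allowlisted packages and (b) families of near-identical
// names, the pattern that gave the icons-pack* cluster away.

// Optimal string alignment distance: substitutions, insertions, deletions and
// adjacent transpositions ("lodahs" vs "lodash") each cost 1.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Collapse a name to the shape a reader perceives: drop the scope, split on
// separators, strip a trailing plural "s" from every segment.
function shapeKey(name) {
  return name
    .replace(/^@[^/]+\//, '')
    .split(/[-_.]/)
    .map((seg) => seg.replace(/s$/, ''))
    .join('-');
}

// (a) near-misses of allowlisted names. Returns [{ name, lookalikeOf }].
function nearMisses(candidates, allowlist, maxDistance = 2) {
  const hits = [];
  for (const name of candidates) {
    if (allowlist.includes(name)) continue;
    const lookalikeOf = allowlist.filter((t) => editDistance(name, t) <= maxDistance);
    if (lookalikeOf.length) hits.push({ name, lookalikeOf });
  }
  return hits;
}

// (b) families: groups of two or more names that collapse to one shape key.
// Returns an object mapping shape key -> sorted member names.
function families(candidates) {
  const groups = new Map();
  for (const name of candidates) {
    const key = shapeKey(name);
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(name);
  }
  const out = {};
  for (const [key, members] of groups) {
    if (members.length > 1) out[key] = members.sort();
  }
  return out;
}

// Constructed inputs: a fictitious allowlist and a dependency list that mixes
// the four cluster names quoted in the post with a few made-up lookalikes.
const ALLOWLIST = ['lodash', 'express', 'react-icons'];
const DEPENDENCIES = [
  'icons-package', 'icons-pack', 'icon-package', 'icons-packages',
  'lodahs', 'expresss', 'react-icon', 'express', 'left-pad',
];

console.log(nearMisses(DEPENDENCIES, ALLOWLIST));
console.log(families(DEPENDENCIES));
```

Two caveats the run makes visible. The edit-distance check only catches a squat when the legitimate target is on the allowlist, so the icons-pack* names pass it untouched here; and the shape grouping catches three of the four cluster names but not `icons-pack`, because `pack` and `package` do not collapse to the same segment. Treat both checks as triage that surfaces candidates for a human, not as a verdict.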
Filter Graph COM object used in Cyber Attack#
Recently, a cyber attack on Iran's steel industry was reported by @GonjeshkeDarand. Stygian went through the forensic reports and picked out one aspect of the campaign: the malware displayed a video on the affected systems via a Filter Graph COM object, while access to the system was most likely blocked at the same time. The article includes a working proof of concept that displays a GIF and locks the user out of the system.
Tools#
- Chimera - A PowerShell obfuscation script from 2020, designed to bypass AMSI and commercial antivirus solutions. (Tutorial)
- Chameleon - Chameleon is the "illegitimate son of Chimera": yet another PowerShell obfuscation tool designed to bypass AMSI and commercial antivirus solutions. (Blog)
- synchrony - A neat JavaScript deobfuscator that can help identify malicious npm packages. In its own words: "javascript cleaner & deobfuscator (primarily javascript-obfuscator/obfuscator.io)".
- Arsenal - Orange Cyberdefense provides an interactive cheatsheet; the accompanying mindmaps give a great overview of potential attack paths. "Arsenal is just a quick inventory and launcher for hacking programs."