Piriform Supply Chain Compromise

Incident: The download servers used to distribute CCleaner (32-bit) were compromised by attackers; CCleaner version 5.33 was bundled with malware and was being distributed through the Piriform hosting platform. This version was hosted directly on CCleaner’s download servers from September 11, 2017. The incident was disclosed by the Cisco Talos team on Sept 13, 2017. Piriform is the …

BlueBorne: Bluetooth Attack Vector

A new attack vector called ‘BlueBorne’ has been discovered. The name is a play on the word ‘airborne’, as it allows attackers to take over devices on air-gapped networks. This attack was disclosed by Armis Labs. The vulnerabilities exploited by this attack affect Android, Linux, Windows, and iOS versions below 10. Targets can be compromised regardless of the …

.NET Zero-Day Exploited to Spread FINSPY: CVE-2017-8759

A zero-day vulnerability in the .NET Framework is being actively exploited in the wild. The vulnerability has been assigned CVE-2017-8759. Exploiting this vulnerability results in remote code execution on the target machine. The attack was disclosed by FireEye. The vulnerability is being used to distribute the FINSPY malware. The affected .NET versions are listed below …

Apache Struts Remote Code Execution: CVE-2017-9805

Apache Struts 2 is a framework for creating enterprise Java web applications. The framework is designed to reduce the overhead of building, deploying and maintaining applications. A remote code execution vulnerability has been discovered by lgtm. The Apache Struts group has addressed this vulnerability in S2-052. The vulnerability has been assigned CVE-2017-9805. As per the official …

Disdain EK

A new exploit kit (EK) named “Disdain” has been observed in the wild. The EK targets Windows vulnerabilities. The presence of this EK was initially noticed as an advertisement on underground forums and was brought to light on Twitter by @CryptoInsane. The EK can be rented for as little as $80. Disdain claims to exploit …

Orpheus’ Lyre Vulnerability

Orpheus’ Lyre is a critical vulnerability in implementations of the Kerberos protocol. The name has its roots in Greek mythology, where Orpheus plays his lyre to put Cerberus to sleep. Cerberus is the three-headed dog that guards the entrance to the Underworld, and Kerberos is named after Cerberus. Kerberos is heavily used by MS …

WebEx Arbitrary Remote Code Execution via GPC Sanitization bypass

Introduction: Cisco WebEx has millions of users who rely on it regularly for online meetings, web conferencing and video conferencing. Recently a remote code execution vulnerability, CVE-2017-6753, was discovered by the Google Project Zero team. Similar to CVE-2017-3823, the vulnerability is described as “a design defect in the extension”. The vulnerability allows an attacker to …

Petya Ransomware

Petya is not a new player in the ransomware world. It has multiple versions and has been delivered to target machines as part of exploit kit campaigns and as malicious email attachments. The latest versions of Petya seem to be spreading via the SMBv1 vulnerabilities (CVE-2017-0144 and CVE-2017-0145) in the Windows operating system. This behavior is …

Stack-Clash Vulnerability

The security research team at Qualys has discovered multiple vulnerabilities in the guard-page implementations of various Linux versions. This bug can be exploited by local users to gain root privileges by corrupting memory regions belonging to other applications and shared libraries. Qualys has disclosed these vulnerabilities to vendors and has been working with them for a …

WannaCry Ransomware Analysis

In our previous post we saw how the initial WannaCry executable configures the target system, creates the tasksche.exe file under the C:\WINDOWS directory and executes it with the command line argument /i. In this post we will continue our analysis to see what this process is up to. MD5: 84C82835A5D21BBCF75A61706D8AB549; SHA-1: 5FF465AFAABCBF0150D1A3AB2C2E74F3A4426467; FileDescription: DiskPart; OriginalFilename: …