Chinese hackers have a big eye on exploits 👀

CISA comes with a warning of Chinese state-sponsored hackers targeting some age-old bugs in various security devices and servers.

Crisp details of those bugs are given below.

CVE-2020-0688: This bug exists in the Exchange Control Panel (ECP) component of Microsoft Exchange Server and could enable an attacker to perform remote code execution on the server with SYSTEM privileges.

Microsoft patched the bug in February, but less than 15 per cent of vulnerable systems had either been patched or remediated after one month, according to security researchers from Kenna Security. The researchers also found that the bulk of installs were 2016 versions, with some 74 per cent found to be ‘vulnerable’ and 26 per cent ‘potentially vulnerable’.


CVE-2019-19781: This flaw impacts Citrix Gateway (formerly NetScaler Gateway) and Citrix Application Delivery Controller (formerly NetScaler ADC) servers and could allow remote unauthenticated attackers to run commands to gain access to a network. In January, researchers at Positive Technologies warned that the flaw could put more than 80,000 organisations at risk.

CVE-2020-5902: This vulnerability in F5 Networks’ BIG-IP Traffic Management User Interface (TMUI) allows remote cyber threat actors to run arbitrary system commands, disable services, create or delete files, and execute Java code, without authentication.

To exploit the vulnerability, an attacker would need to send a specially crafted HTTP request to the server hosting the TMUI utility for BIG-IP configuration. As of July, nearly 8,000 users of the BIG-IP family of networking devices had not applied the patch to secure their systems against the critical flaw.

CVE-2019-11510: This bug in Pulse Secure VPN appliances lets a remote, unauthenticated attacker send specially crafted URIs to establish a connection with vulnerable servers and read files containing user credentials. The attacker can use the information to take full control of an organisation’s systems.

In February, security researchers revealed that nearly 2500 Pulse Secure VPN servers worldwide were still vulnerable to CVE-2019-11510, more than six months after the security flaw was first publicised.

“If critical vulnerabilities remain unpatched, cyber threat actors can carry out attacks without the need to develop custom malware and exploits or use previously unknown vulnerabilities to target a network.”

Valak targeting Exchange Servers

First observed in late 2019, Valak was once classified by cybersecurity researchers as a malware loader. Valak, deemed “sophisticated” by the Cybereason Nocturnus team, has undergone a host of changes over the past six months, with over 20 version revisions changing the malware from a loader to an independent threat in its own right.

After landing on a machine through a phishing attack using Microsoft Word documents containing malicious macros, a .DLL file called “U.tmp” is downloaded and saved to a temporary folder.

A WinExec API call is then made and JavaScript code is downloaded, leading to the creation of connections to command-and-control (C2) servers. Additional files are then downloaded, decoded using Base64 and an XOR cipher, and the main payload is then deployed.

Registry keys and values are set and a scheduled task is created to maintain persistence on an infected machine. Next, Valak downloads and executes additional modules for reconnaissance and data theft.

Two main payloads, project.aspx and a.aspx, perform different functions. The former manages registry keys, task scheduling for malicious activities, and persistence, whereas the latter — internally named PluginHost.exe — is an executable that manages additional components.

Valak’s “ManagedPlugin” module is of particular interest. Its functions include a system information grabber that harvests local and domain data; the “Exchgrabber” function, which aims to infiltrate Microsoft Exchange by stealing credentials and domain certificates; a geolocation verifier; screenshot capture; and “Netrecon,” a network reconnaissance tool.

In addition, the malware will scour infected machines for existing antivirus products.
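The infection chain described above (a .tmp file dropped in a temporary folder and loaded as a DLL, registry persistence, a scheduled task, and extra components such as project.aspx and a.aspx phoning out to C2) gives a defender several independent stages to correlate. The script below is an added example written for this article, not code from the article or from the Cybereason research: it scores Sysmon-style events per host and raises a finding only when at least two distinct stages of that chain appear on the same machine. The event records, the host names, the 203.0.113.0/24 destination and the use of the CurrentVersion\Run key (the article only says "registry keys and values are set") are all constructed or assumed for illustration.

```python
"""Correlate Valak-style persistence stages across simplified Sysmon-like events.

Added example; all events below are constructed, and the Run-key path is an
assumption about where persistence would land, not a detail from the article.
"""
import ntpath
import re
from collections import defaultdict

# Temp-folder indicator: any path component named Temp or Tmp.
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
# Assumed persistence location (the article does not name the keys Valak sets).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
# A loaded image should normally carry one of these extensions; the article's
# "U.tmp" DLL and the .aspx-named executables do not.
EXECUTABLE_EXTS = {".dll", ".exe"}


def stage_for(event):
    """Map one event to a named stage of the chain, or None if it is benign-looking."""
    kind = event["event"]
    if kind == "image_load":
        path = event["image"]
        ext = ntpath.splitext(path)[1].lower()  # ntpath handles backslash paths anywhere
        if TEMP_DIR_RE.search(path) and ext not in EXECUTABLE_EXTS:
            return "loader_dropped_in_temp"
    elif kind == "registry_set":
        if RUN_KEY_RE.search(event["key"]):
            return "registry_persistence"
    elif kind == "task_create":
        action = event["action"]
        if TEMP_DIR_RE.search(action) or action.lower().endswith(".aspx"):
            return "scheduled_task_persistence"
    elif kind == "network_connect":
        # Outbound traffic from a binary living in a temp folder (module download / C2).
        if TEMP_DIR_RE.search(event["image"]):
            return "c2_from_temp_binary"
    return None


def triage(events, min_stages=2):
    """Return {host: [stages]} for hosts showing at least `min_stages` distinct stages."""
    stages = defaultdict(set)
    for ev in events:
        stage = stage_for(ev)
        if stage:
            stages[ev["host"]].add(stage)
    return {h: sorted(s) for h, s in stages.items() if len(s) >= min_stages}


# Constructed sample telemetry: ws01 mirrors the described chain, ws02 is normal activity.
SAMPLE_EVENTS = [
    {"host": "ws01", "event": "image_load",
     "image": r"C:\Users\alice\AppData\Local\Temp\U.tmp"},
    {"host": "ws01", "event": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\alice\AppData\Local\Temp\project.aspx"},
    {"host": "ws01", "event": "task_create", "name": "Updater",
     "action": r"C:\Users\alice\AppData\Local\Temp\project.aspx"},
    {"host": "ws01", "event": "network_connect",
     "image": r"C:\Users\alice\AppData\Local\Temp\a.aspx", "dest": "203.0.113.5:443"},
    {"host": "ws02", "event": "image_load",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\MSO.dll"},
    {"host": "ws02", "event": "task_create", "name": "Backup",
     "action": r"C:\Program Files\Backup\backup.exe"},
]

if __name__ == "__main__":
    for host, found in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(found)}")
```

Requiring two or more stages keeps a lone scheduled task or a single odd image load from paging anyone; the individual `stage_for` hits are still worth logging at low severity so an analyst can see the chain building up on a host before the correlation threshold is reached.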

The most recent Valak variants have been tracked in attacks against Microsoft Exchange servers in what are believed to be enterprise-focused attacks.

“Extracting this sensitive data allows the attacker access to an inside domain user for the internal mail services of an enterprise along with access to the domain certificate of an enterprise,” the researchers say. “With systeminfo, the attacker can identify which user is a domain administrator. This creates a very dangerous combination of sensitive data leakage and potentially large scale cyber spying or infostealing. It also shows that the intended target of this malware is first and foremost enterprises.”