Chinese Hackers has a big eye on exploits 👀..

CISA comes with a warning of Chinese state sponsered hackers targetting some age old bugs from various security devices and servers.

Crisp details of those bugs given below

CVE-2020-0688: This bug exists in Exchange Control Panel (ECP) component of Microsoft Exchange Server and could enable an attacker to perform remote code execution on the server with SYSTEM privileges.

Microsoft patched the bug in February, but less than 15 per cent of vulnerable systems had either been patched or remediated after one month, according to security researchers from Kenna Security. The researchers also found that the bulk of installs were 2016 versions, with some 74 per cent found to be ‘vulnerable’ and 26 per cent ‘potentially vulnerable’.


CVE-2019-19781: This flaw impacts Citrix Gateway (formerly NetScaler Gateway) and Citrix Application Delivery Controller (formerly NetScaler ADC) servers and could allow remote unauthenticated attackers to run commands to gain access to a network. In January, researchers at Positive Technologies warned that the flaw could put more than 80,000 organisations at risk.

CVE-2020-5902: This vulnerability in F5 Network’s Big-IP Traffic Management User Interface (TMUI) allows remote cyber threat actors to run arbitrary system commands, disable services, create or delete files, and execute Java code, without authentication.

To exploit the vulnerability, an attacker would need to send a specially crafted HTTP request to the server hosting the TMUI utility for BIG-IP configuration. As of July, nearly 8,000 users of BIG-IP family of networking devices had not applied the patch to secure their systems against the critical flaw.

CVE-2019-11510: This bug in Pulse Secure VPN appliances lets a remote, unauthenticated attacker to send a specially crafted URIs to establish a connection with vulnerable servers and read files containing user credentials. The attacker can use the information to take full control of an organisation’s systems.

In February, security researchers revealed that nearly 2500 Pulse Secure VPN servers worldwide were still vulnerable to CVE-2019-11510, more than six months after the security flaw was first publicised.

“If critical vulnerabilities remain unpatched, cyber threat actors can carry out attacks without the need to develop custom malware and exploits or use previously unknown vulnerabilities to target a network,” .

CVE 2020-1472 – Exploit goes wild

The CVE-2020-1472 flaw is an elevation of privilege that resides in the Netlogon. The Netlogon service is an Authentication Mechanism used in the Windows Client Authentication Architecture which verifies logon requests, and it registers, authenticates, and locates Domain Controllers.

“An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC).

An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network.” reads the advisory published by Microsoft.

“To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.”

“By forging an authentication token for specific Netlogon functionality, he was able to call a function to set the computer password of the Domain Controller to a known value. After that, the attacker can use this new password to take control over the domain controller and steal credentials of a domain admin.”

“The vulnerability stems from a flaw in a cryptographic authentication scheme used by the Netlogon Remote Protocol, which among other things can be used to update computer passwords.”

An attacker could exploit the vulnerability to impersonate any computer, including the domain controller itself, and execute remote procedure calls on their behalf.

An attacker could also exploit the flaw to disable security features in the Netlogon authentication process and change a computer’s password on the domain controller’s Active Directory.

“By simply sending a number of Netlogon messages in which various fields are filled with zeroes, an attacker can change the computer password of the domain controller that is stored in the AD. This can then be used to obtain domain admin credentials and then restore the original DC password.”

“This attack has a huge impact: it basically allows any attacker on the local network to completely compromise the Windows domain. The attack is completely unauthenticated”

The ZeroLogon attack could be exploited by threat actors to deliver malware and ransomware on the target network.

The only limitation on how to carry out a Zerologon attack is that the attacker must have access to the target network.

Researchers released a Python script that uses the Impacket library to test vulnerability for the Zerologon exploit, it could be used by admins to determine if their domain controller is still vulnerable.

August 2020 Patch Tuesday security updates only temporarily address the vulnerability making Netlogon security features mandatory for the Netlogon authentication process. This has the severity score of 10

Zeppelin Ransomware

After a six-month hiatus, the Zeppelin ransomware variant returned in late August, according to Juniper Threats Labs. The malware now uses an updated Trojan downloader to better hide its activities from security tools.

Zeppelin was first spotted in late 2019, when it primarily targeted IT and healthcare firms, according to the report. It’s distributed using the ransomware-as-a-service model.

The ransomware appears to be a variant of another type of crypto-locking malware called Buran, according to Juniper. Buran is a variation of another type of ransomware strain called VegaLocker, according to previous research published by McAfee

In the latest campaign that started in August, the Juniper researchers found that the operators of Zeppelin use the same type of phishing lures as in previous attacks, although they use a new downloader that helps obscure a Trojan for implanting the ransomware code.

Hiding & Attack

A Zeppelin ransomware attack starts when a targeted victim receives a phishing email disguised as an invoice, according to the Juniper report.

The phishing emails are sent with an attached Microsoft Word document, portrayed as an invoice, that hides malicious VBA macros. Once the attachment is opened, the macros are enabled and the initial attack starts, according to the report.

The attached Word document helps obscure what appears to be junk code but actually contains Visual Basic scripts hidden in the text, the report notes. This code is part of an obfuscation technique that helps hide a Trojan that starts the ransomware infection.

Once the malicious macros are enabled, the text is extracted and written to a file at c:wordpressabout1.vbs, according to the report. When the document is closed, a second round of macros runs, which further helps hide the attack.

The second macro string eventually downloads a Trojan that then installs the Zeppelin ransomware within a compromised device. Before it starts working, the malware “sleeps for 26 seconds in an attempt to out-wait dynamic analysis in an automated sandbox and then runs the ransomware executable,” according to the report.

The Juniper report does not shed light on the threat actors behind Zeppelin, but the report and other analyses find that if the ransomware comes across an infected device that has an IP address linked to Russia, Belarus, Kazakhstan or Ukraine, the attack is stopped.

The report notes that it “is difficult to assess how many targeted computers resolved the [command-and-control] domain, but there were only 64 confirmed DNS queries to its authoritative name server, which suggests the attacks might be targeted and not widespread.”

Shlayer Malware targets MacOs

A new Shlayer macOS malware variant which obfuscates itself to sneak past security tools and compromise a target machine.

Dubbed ‘ZShlayer’, the variant does not conform to the original Shlayer signatures, meaning that it can go unnoticed by some malware scanners.

Earlier versions of the original Shlayer malware came as shell script executables on a removable .DMG disk image. This new variant comes using a standard Apple application bundle inside the .DMG.

A new variant of Shlayer utilizes heavily obfuscated Zsh scripts and is in fact far more prolific in the wild.

Fortunately, it seems that ZShlayer infections are currently isolated to users who have downloaded illicit software outside of Apple’s official App Store ecosystem.

Most ZShlayer droppers that I saw are in trojanized cracked software, so the usual caveat applies about avoiding downloading pirated versions of products.

Shlayer, malware which poses as an Adobe Flash software update before infecting Apple operating systems, was first discovered back in February 2019.

The attack represents what’s thought to be the first time that malicious code has gained Apple’s notarization “stamp of approval”.

Apple responded promptly to reports of malfeasance by revoking the developer code-signing certificate abused in the Shlayer-slinging campaign.