Bugs exploited most by Chinese Hackers

NSA released the top most bugs that are exploited actively by Chinese Hackers. Though all exploits are patchable and can be closed, it’s active still

Let’s see the top 25 exploits from recet to past

1) CVE-2019-11510 – Pulse Secure VPN servers, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability. This may lead to exposure of keys or passwords

2) CVE-2020-5902 – F5 BIG-IP proxies and load balancer, the Traffic Management User Interface (TMUI) —also referred to as the Configuration utility— is vulnerable to a Remote Code Execution (RCE) vulnerability that can allow remote attackers to take over the entire BIG-IP device.

[3+4+5+6]CVE-2019-19781, CVE-2020-8193, CVE-2020-8195, CVE-2020-8196 – Set of Citrix ADC and Gateway bugs. These ones also impact SDWAN WAN-OP systems as well. anonymous access is possible

7) CVE-2019-0708 (BlueKeep) – A remote code execution vulnerability exists within Remote Desktop Services on Windows operating systems.

8) CVE-2020-15505 – A remote code execution vulnerability in the MobileIron mobile device management (MDM) software that allows remote attackers to execute arbitrary code and take over remote company servers.

9) CVE-2020-1350 (SIGRed) – A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests.

10) CVE-2020-1472 (Netlogon) – An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC).

11) CVE-2019-1040 – A tampering vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully bypass the NTLM MIC protection.

12) CVE-2018-6789 – Sending a handcrafted message to an Exim mail transfer agent may cause a buffer overflow. This can be used to execute code remotely and take over email servers.

13) CVE-2020-0688 – A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory.

14) CVE-2018-4939 – Certain Adobe ColdFusion versions have an exploitable Deserialization of Untrusted Data vulnerability. Successful exploitation could lead to arbitrary code execution.

15) CVE-2015-4852 – The WLS Security component in Oracle WebLogic Server allows remote attackers to execute arbitrary commands via a crafted serialized Java object

16) CVE-2020-2555 – A vulnerability exists in the Oracle Coherence product of Oracle Fusion Middleware.

17) CVE-2019-3396 – The Widget Connector macro in Atlassian Confluence 17 Server allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.

18) CVE-2019-11580 – Attackers who can send requests to an Atlassian Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution.

19) CVE-2020-10189 – Zoho ManageEngine Desktop Central allows remote code execution of deserialization of untrusted data.

20) CVE-2019-18935 – Progress Telerik UI for ASP.NET AJAX contains a .NET deserialization vulnerability. Exploitation can result in remote code execution.

21) CVE-2020-0601 (aka CurveBall) – A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making to look a like legitimate.

22) CVE-2019-0803 – An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory.

23) CVE-2017-6327 – The Symantec Messaging Gateway can encounter a remote code execution issue.

24) CVE-2020-3118 – A vulnerability in the Cisco Discovery Protocol implementation for Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to execute arbitrary code or cause a reload an affected device.

25) CVE-2020-8515 – DrayTek Vigor devices allow remote code execution as root without credentials via shell metacharacters.

Toshiba nod for quantum based Network Security

Toshiba has been awarded a quantum-based network development contract by the National Institute of Information and Communications Technology (NICT).The network will be based on a quantum key distribution (QKD) model.

It’s currently working on quantum cryptography projects involving Verizon and the UK’s BT Group. The company’s endeavor, as relayed by its top brass, is to provide unhackable quantum-based communication solutions to telecommunication clients.

Its quantum computing segment targets vulnerable sectors such as finance, health care, and defense. Quantum key distribution (QKD) technology will be used to connect trusted remote partners through a dedicated network that utilizes photon technology for security.

Quantum technology uses the behavioral properties of photons and electrons to secure data. It also leverages these elements to speed up information processing.

The technology is among the next frontiers in data security. As such, major US tech behemoths such as IBM, Microsoft, and Google are already involved in related projects.

The rapid development of quantum processing capabilities is currently critical to network security, especially now that state actors such as Russia and China are getting involved. The primary weakness of conventional networks is that data transmitted can be easily intercepted and decrypted using futuristic brute-force decryption algorithms run by powerful quantum computers. This drives the need for quantum-based distributed-key solutions.

There are fears that the current advances in quantum computing will make current encryption methods obsolete.

Gravity RAT , affects mobile devices

GravityRAT is a malware strain known for checking the CPU temperature of Windows computers to avoid being executed in sandboxes and virtual machines.

The GravityRAT malware Access Trojan (RAT) is believed to be the work of Pakistani hacker groups, it is under development at least since 2015.

The malware researchers found the new Android GravityRAT sample in 2019.The hackers had added a spy module to Travel Mate, an Android app for travelers to India, the source code of which is available on Github.

The tainted app is able to steal contacts, emails, and documents from the infected device, then send them back to the command-and-control server.The C&C server was also associated with other two malicious apps targeting the Windows and macOS platforms.

The spyware is able to get information about the system and support multiple features, including:

  • search for files on the computer and removable disks with the extensions .doc, .docx, .ppt, .pptx, .xls, .xlsx, .pdf, .odt, .odp, and .ods, and upload them to the server
  • get a list of running processes
  • intercept keystrokes
  • take screenshots
  • execute arbitrary shell commands
  • scan ports

The malware was distributed via applications that clone legitimate apps that act as downloader for the GravityRAT payloads.

The applications analyzed by Kaspersky were developed in .NET, Python and Electron framework, they achieve persistence by adding a scheduled task.

Threat actors tricked the victims into installing a malicious app disguised as a secure messenger in order to continue the conversation an proceed to contaminate.

What peculiar about this Gravity RAT , not only infects Windows, now with Android , IOS devices too

Operation QuickSand !

Iranian hackers contracted by the country’s Islamic Revolutionary Guard Corps targeted prominent Israeli companies in a series of ransomware attacks last month, known to be muddywater exposed by Microsoft last month

Dubbing the Iranian effort “Operation Quicksand,” the Clearsky and Profero cybersecurity firms said they “uncovered the first known instance of a potentially destructive attack executed by MuddyWater, focusing on prominent organizations in Israel and in other countries around the world.”

The firms said they identified and thwarted the attacks before any harm could be inflicted, but were now raising an alarm to the methods used, indicating that they could have been employed in earlier hacking attacks that might have gone unnoticed.

The names of the Israeli firms targeted in the ransomware attacks were not identified in the report, ostensibly for security reasons.

Researchers identified two primary attack vectors:

  • The first vector entailed sending a malicious decoy document (PDF or Excel) that communicates over OpenSSL with a malicious C2 server and downloads files, which later deploy the “PowGoop” payload.
  • The second vector involves exploiting CVE-2020-0688 and deploying the same payload via aspx file (WebShell). The attacker will create an internal socket tunneling between compromised machines in the network. The attacker used a modified SSF (Socket) for it. Then, the attacker downloads the PowGoop as well. Recently, Microsoft revealed that MuddyWater had been leveraging the ZeroLogon vulnerability as well (CVE-2020-1472)[1].