Zerologon ! Goes Wild

Threat actors are actively exploiting the Windows Server Zerologon vulnerability in recent attacks. Microsoft strongly recommends that all Windows administrators install the security updates.

As part of the August 2020 Patch Tuesday security updates, Microsoft fixed a critical vulnerability (CVE-2020-1472) in Netlogon. The problem exists because the application does not properly impose security restrictions in Netlogon. A remote, non-authenticated attacker can use MS-NRPC to connect to a domain controller and obtain domain administrator access.

“Microsoft is actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon. We have observed attacks where public exploits have been incorporated into attacker playbooks. Microsoft 365 customers can refer to the threat analytics report we published in Microsoft Defender Security Center. The threat analytics report contains technical details, mitigations, and detection details designed to empower SecOps to detect and mitigate this threat,” warned Microsoft.

Microsoft also presented three samples that were used in the attacks to exploit the ZeroLogon vulnerability. The samples are .NET executables with the filename ‘SharpZeroLogon.exe’.

Patch immediately, before it's too late.

Aruba ClearPass RCE (authentication bypass)

A critical vulnerability has been patched in Aruba ClearPass Policy Manager that exposes host systems to remote exploitation.

The flaw is classed as an unauthenticated remote code execution (RCE) vulnerability in Aruba ClearPass Policy Manager, software that acts as a secure access gatekeeper for IoT, bring-your-own-device (BYOD), and guest devices on corporate networks.

The flaw is tracked as CVE-2020-7115 and has been assigned a CVSS score of 8.1.

Certificate validation

When client certificates are uploaded to an endpoint, ClearPass, which relies on the OpenSSL library, copies the contents to a temporary file in the /tmp/ directory created with the Java createTempFile function.

This function gives the file a random name and fixed extension. The software will then attempt to validate client certificates “by determining whether a password parameter in the request is able to decrypt the certificate”, the researcher explains.

This is performed by passing the temporary file name and password as arguments to a shell script. The “password” argument, however, is not quoted properly.

In addition, while not knowing the randomly generated file name could be a barrier to exploitation, the shell script uses the wildcard character “*” in the path, so the shell automatically substitutes the valid path when the script runs.

Therefore, if a file is placed on disk that can be interpreted as an OpenSSL engine file, attackers can control “-engine” arguments and execute arbitrary code, bypassing existing authentication processes on public-facing systems.
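The two script-level mistakes described above (an unquoted variable and a wildcard standing in for the temp file name), as an added example that is not ClearPass code. count_args is a hypothetical stand-in for the openssl binary so the script runs offline.

```shell
#!/bin/sh
# Added example, not ClearPass code: why an unquoted shell variable lets one
# argument become several, and the quoted form that prevents it.

# Stand-in for the program the script calls: reports how many arguments it received.
count_args() { echo "$#"; }

# Vulnerable pattern (the shape the article describes): the password variable is
# expanded without quotes, so the shell word-splits it and every space-separated
# word becomes a separate argument to the called program.
argc_unquoted() {
  pass="$1"
  # shellcheck disable=SC2086
  count_args -passin pass:$pass
}

# Hardened pattern: double quotes keep the whole value as exactly one argument,
# whatever characters it contains.
argc_quoted() {
  pass="$1"
  count_args -passin "pass:$pass"
}

# Second issue from the article: a wildcard stands in for the unknown temp file
# name and the shell substitutes the real path. Passing the exact path returned
# by the temp-file API instead leaves nothing for the shell to resolve.
glob_substitutes() {
  dir=$(mktemp -d) || return 1
  : > "$dir/cert1234.pem"          # constructed stand-in for createTempFile output
  set -- "$dir"/cert*.pem          # unquoted glob: expands to the real file name
  rm -rf "$dir"
  case "$1" in
    *'*'*) echo "no match" ;;      # glob left unexpanded
    *)     echo "matched $#" ;;    # shell resolved the file name for us
  esac
}

# Demonstration with a constructed value containing spaces.
sample='hunter2 extra words'
echo "unquoted: $(argc_unquoted "$sample") args"   # prints 4
echo "quoted:   $(argc_quoted "$sample") args"     # prints 2
echo "glob: $(glob_substitutes)"                   # prints matched 1
```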

“Upon successful bypass, an attacker could then execute an exploit that would allow remote command execution in the underlying operating system.”

The vulnerability has now been resolved with the release of Aruba ClearPass Policy Manager version 6.9.1.

The PoC is limited and will only work once as it relies on passing multiple clientCertFiles as arguments, an invalid mechanism to call OpenSSL.

“An attacker could easily use this bug to compromise any publicly exposed ClearPass instances that haven’t been patched,” Jensen commented. “Hopefully, the majority of public-facing instances are fixed.”

In addition to CVE-2020-7115, the networking vendor has also released patches for CVE-2020-7116 and CVE-2020-7117 vulnerabilities.

While these bugs can also be used to compromise the underlying operating system, attackers must be authenticated, which greatly limits the risk posed by the vulnerabilities.

Hijacking Firefox

The SSDP engine of the victims’ Firefox browsers can be tricked into triggering an Android intent by simply replacing the location of the XML file in the response packets with a specially crafted message pointing to an Android intent URI.

For this, an attacker connected to a targeted Wi-Fi network can run a malicious SSDP server on his/her device and trigger intent-based commands on nearby Android devices through Firefox—without requiring any interaction from the victims.

Activities allowed by the intent include automatically launching the browser and opening any defined URL, which, according to the researchers, is sufficient to trick victims into providing their credentials, installing malicious apps, and other malicious actions depending on the surrounding scenario.
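A defender-side check for the field the attack above abuses, as an added example that is not from the article or from Firefox: it extracts the LOCATION header of an SSDP response and flags anything that is not an http(s) URL. The sample responses are constructed, not captured traffic.

```shell
#!/bin/sh
# Added example (not from the article or Firefox): flag SSDP responses whose
# LOCATION header does not point to an http(s) device-description URL.

# Extract the LOCATION header value from an SSDP response; CRLF line ends are tolerated.
ssdp_location() {
  printf '%s\n' "$1" | tr -d '\r' | grep -i '^location:' | head -n 1 \
    | sed 's/^[^:]*:[[:space:]]*//'
}

# Returns 0 when LOCATION is an http(s) URL, 1 for any other scheme or a missing header.
ssdp_location_ok() {
  case "$(ssdp_location "$1")" in
    http://*|https://*) return 0 ;;
    *)                  return 1 ;;
  esac
}

# Constructed sample: a normal UPnP root-device response.
GOOD_RESP='HTTP/1.1 200 OK
CACHE-CONTROL: max-age=1800
LOCATION: http://192.168.1.20:1900/device.xml
ST: upnp:rootdevice
SERVER: Example/1.0 UPnP/1.0'

# Constructed sample: the LOCATION value is not a URL to an XML file but another scheme.
BAD_RESP='HTTP/1.1 200 OK
CACHE-CONTROL: max-age=1800
LOCATION: intent://placeholder.invalid/
ST: upnp:rootdevice
SERVER: Example/1.0 UPnP/1.0'

for r in "$GOOD_RESP" "$BAD_RESP"; do
  if ssdp_location_ok "$r"; then
    echo "ok:    $(ssdp_location "$r")"
  else
    echo "ALERT: $(ssdp_location "$r")"
  fi
done
```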

“The target simply has to have the Firefox application running on their phone. They do not need to access any malicious websites or click any malicious links. No attacker-in-the-middle or malicious app installation is required. They can simply be sipping coffee while on a cafe’s Wi-Fi, and their device will start launching application URIs under the attacker’s control,” Moberly said.

“it could have been used in a way similar to phishing attacks where a malicious site is forced onto the target without their knowledge in the hopes they would enter some sensitive info or agree to install a malicious application.”

Moberly reported this vulnerability to the Firefox team a few weeks back, which the browser maker has now patched in the Firefox for Android versions 80 and later.

Maze infects via VM 🐾

The gang responsible for the Maze ransomware family conducted an attack in which they distributed their malware payload inside of a virtual machine (VM).

The attackers packaged the ransomware payload inside of a Windows .msi installer file that was more than 700MB in size and distributed it onto the VM’s virtual hard drive.

A look inside the Maze-delivered VM, with the 495KB ransomware payload clearly visible. (Source: Sophos MTR)

An investigation into the attack revealed that the malicious actors had been present on the targeted organization’s network for at least six days prior to distributing their ransomware payload. During that period, they had built lists of internal IP addresses, used one of the organization’s domain controller servers, and exfiltrated information to a data leak site.

This dwell time could explain the existence of certain configurations of the Maze-delivered VM. As quoted by Sophos’ MTR in its research:

The virtual machine was, apparently, configured in advance by someone who knew something about the victim’s network, because its configuration file (“micro.xml”) maps two drive letters that are used as shared network drives in this particular organization, presumably so it can encrypt the files on those shares as well as on the local machine. It also creates a folder in C:\SDRSMLINK\ and shares this folder with the rest of the network.

The campaign described above wasn’t the first instance in which attackers have delivered ransomware inside a virtual machine. Sophos’ MTR spotted the Ragnar Locker crypto-malware family pull the same trick.

The virtual machine in that attack ran Windows XP as opposed to the Windows 7 instance on the VM containing Maze. Furthermore, the latter VM was larger in size in order to support additional functionality.

Backup! Backup! Backup! Not only backups are required … a hygienic cyber policy is required as well.