CVE-2019-1458
Published 2019-12-10
Severity: High · CVSS 3.1 base score 7.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability · remediation due 2022-07-10
Exploited in the wild
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'.
Affected
35 ranges · showing 25. The feed populates neither version bounds nor fixed versions for these CPE entries, so the table only tells you which product families are affected; use the KB numbers in the Project Zero RCA and the MSRC advisory below to determine patch status on a given host.
| Vendor | Product | Ranges shown | Version range | Fixed in |
|---|---|---|---|---|
| microsoft | windows | 9 | — | — |
| microsoft | windows_server | 14 | — | — |
| microsoft | windows_server_2008 | 1 | — | — |
| microsoft | windows_server_2012 | 1 | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |
GHSA
GHSA-hqp5-7hf2-3rq4
ghsa_unreviewed·2022-05-24·CVE-2019-1458 [HIGH]
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'.
Project0
Root Cause Analyses for 0-day In-the-Wild Exploits - Project Zero
project_zero·2020-07-01·CVE-2019-1107
Posted by Maddie Stone, Project Zero
When a 0-day is exploited in the wild AND it is detected, we need to use that as an opportunity to learn as much as possible about the vulnerability and the exploit if we hope to make 0-day hard. One of the main methods to do that is to perform a root cause analysis (RCA) on the 0-day.
Our effort on this began in earnest in the last quarter of 2019. Today we are beginning to publish the root cause analyses for 0-days exploited in the wild that we have completed. While we’re publishing some in bulk now to play “catch-up”, in the future we plan to post each one in a timely manner after it’s detected and disclosed. We think publishing technical details in a timely manner is important for transparency and so that the whole of the security community can
Project0
Detection Deficit: A Year in Review of 0-days Used In-The-Wild in 2019 - Project Zero
project_zero·2020-07-01·CVE-2016-5195
Posted by Maddie Stone, Project Zero
In May 2019, Project Zero released our tracking spreadsheet for 0-days used “in the wild” and we started a more focused effort on analyzing and learning from these exploits. This is another way Project Zero is trying to make zero-day hard. This blog post synthesizes many of our efforts and what we’ve seen over the last year. We provide a review of what we can learn from 0-day exploits detected as used in the wild in 2019. In conjunction with this blog post, we are also publishing another blog post today about our root cause analysis work that informed the conclusions in this Year in Review. We are also releasing 8 root cause analyses that we have done for in-the-wild 0-days from 2019.
When I had the idea for this “Year in Review” blog post, I immedi
Project0
TFW you-get-really-excited-you-patch-diffed-a-0day-used-in-the-wild-but-then-find-out-it-is-the-wrong-vuln - Project Zero
project_zero·2020-04-01·CVSS 7.8·CVE-2016-7255 [HIGH]
Posted by Maddie Stone, Project Zero
INTRODUCTION
I’m really interested in 0-days exploited in the wild and what we, the security community, can learn about them to make 0-day hard. I explained some of Project Zero’s ideas and goals around in-the-wild 0-days in a November blog post.
On December’s Patch Tuesday, I was immediately intrigued by CVE-2019-1458, a Win32k Escalation of Privilege (EoP), said to be exploited in the wild and discovered by Anton Ivanov and Alexey Kulaev of Kaspersky Lab. Later that day, Kaspersky published a blog post on the exploit. The blog post included details about the exploit, but only included partial details on the vulnerability. My end goal was to do variant analysis on the vulnerability, but without full and accurate details about the vulnerability, I n
VulnCheck
Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability
vulncheck·2020·CVSS 7.5·CVE-2020-0674 [HIGH]·CWE-416
Microsoft Internet Explorer contains a memory corruption vulnerability due to the way the Scripting Engine handles objects in memory. Successful exploitation could allow remote code execution in the context of the current user.
Affected: Microsoft Internet Explorer
Required Action: Apply updates per vendor instructions.
Exploitation References: https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2020-Feb; https://blogs.360.cn/post/apt-c-06_0day.html; https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.proofpoint.com/us/blog/threat-insight/purple-fox-ek-adds-exploits-cve-2020-0674-and-cve-2019-1458-its-arsenal; https://www.sentinelone.com/labs/purple-fox-ek-new-cves-s
VulnCheck
Microsoft Win32k Privilege Escalation Vulnerability
vulncheck·2019·CVSS 7.8·CVE-2019-1458 [HIGH]
A privilege escalation vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k EoP'.
Affected: Microsoft Win32k
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2019-Dec; https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432/; https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/; https://www.proofpoint.com/us/blog/threat-insight/purple-fox-ek-adds-exploits-cve-2020-0674-and-cve-2019-1458-it
Project0
Project Zero RCA: CVE-2019-13720: Chrome use-after-free in webaudio
project_zero·CVSS 8.8·CVE-2019-13720 [HIGH]
# CVE-2019-13720: Chrome use-after-free in webaudio
*Sergei Glazunov & Maddie Stone, Project Zero (Originally posted on [Project Zero blog](https://googleprojectzero.blogspot.com/p/rca.html) 2020-07-27)*
## The Basics
**Disclosure or Patch Date:** 31 October 2019
**Product:** Google Chrome
**Advisory:** https://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_31.html
**Affected Versions:** Chrome 76 - 78.0.3904.70
**First Patched Version:** Chrome 78.0.3904.87
**Issue/Bug Report:** https://bugs.chromium.org/p/chromium/issues/detail?id=1019226
**Patch CL:** https://chromium-review.googlesource.com/c/chromium/src/+/1888103
**Bug-Introducing CL:** https://chromium-review.googlesource.com/c/chromium/src/+/1077713/
**Reporter(s):** Anton Ivanov and Alexey Kulaev
Project0
Project Zero RCA: CVE-2019-1458: Windows win32k uninitialized variable in task switching
project_zero·CVSS 7.8·CVE-2019-1458 [HIGH]
# CVE-2019-1458: Windows win32k uninitialized variable in task switching
*Maddie Stone, Project Zero (Originally posted on [Project Zero blog](https://googleprojectzero.blogspot.com/p/rca.html) 2020-07-27)*
## The Basics
**Disclosure or Patch Date:** 10 December 2019
**Product:** Microsoft Windows
**Advisory:** https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1458
**Affected Versions:**
* For Windows 10 1607 x64, [KB4525236](https://support.microsoft.com/en-us/help/4525236/windows-10-update-kb4525236) and previous
* For Windows 7 x64, [KB4525233](https://support.microsoft.com/en-us/help/4525233/windows-7-update-kb4525233) and previous
**First Patched Version:**
* For Windows 10 1607 x64, [KB4530689](https://support.microsoft.com/en-us/help/4530689/windows
CISA
Microsoft Win32k Privilege Escalation Vulnerability
cisa·2022-01-10·CVSS 7.8·CVE-2019-1458 [HIGH]
Affected: Microsoft Win32k
A privilege escalation vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k EoP'.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2019-1458
Remediation Due Date: 2022-07-10
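The CISA entry above and the Qualys write-up further down are about the same mechanism: BOD 22-01 turns the KEV catalog's dueDate into a deadline, and the 2023 knownRansomwareCampaignUse field (shown as "Known" for this CVE in the VulnCheck entry) is the obvious tie-breaker when several deadlines compete. As an added example (not CISA's, Qualys's or this page's code), the following Python parses catalog records in the JSON shape CISA publishes at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json, flags the entries past due on a chosen day and orders them for remediation with ransomware-linked entries first. The three records are constructed for the example: the CVE-2019-1458 record copies the dateAdded, dueDate and ransomware flag shown on this page, and the two CVE-0000-000x records are placeholders, not real identifiers.

```python
"""Triage of CISA KEV catalog records against BOD 22-01 due dates (added example).

The records below are constructed for the example. The CVE-2019-1458 record
mirrors the dates on this page; the CVE-0000-000x records are placeholders.
"""
import json
from datetime import date

SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "count": 3,
    "vulnerabilities": [
        {
            "cveID": "CVE-2019-1458",
            "vendorProject": "Microsoft",
            "product": "Win32k",
            "vulnerabilityName": "Microsoft Win32k Privilege Escalation Vulnerability",
            "dateAdded": "2022-01-10",
            "shortDescription": "Win32k fails to properly handle objects in memory (Win32k EoP).",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2022-07-10",
            "knownRansomwareCampaignUse": "Known",
            "notes": "https://nvd.nist.gov/vuln/detail/CVE-2019-1458",
        },
        {   # constructed placeholder record, not a real CVE
            "cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor",
            "product": "ExampleProduct", "vulnerabilityName": "Constructed example",
            "dateAdded": "2022-06-01", "shortDescription": "Constructed record.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2022-06-15", "knownRansomwareCampaignUse": "Unknown", "notes": "",
        },
        {   # constructed placeholder record, not a real CVE
            "cveID": "CVE-0000-0002", "vendorProject": "Microsoft",
            "product": "Windows", "vulnerabilityName": "Constructed example",
            "dateAdded": "2022-06-20", "shortDescription": "Constructed record.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2022-07-11", "knownRansomwareCampaignUse": "Unknown", "notes": "",
        },
    ],
})


def load_kev(raw_json: str) -> list:
    """Parse a KEV catalog document and return its vulnerability records."""
    doc = json.loads(raw_json)
    if "vulnerabilities" not in doc:
        raise ValueError("not a KEV catalog document")
    return doc["vulnerabilities"]


def days_overdue(record: dict, as_of: date) -> int:
    """Days past dueDate on `as_of`; zero on the due date itself, negative before."""
    return (as_of - date.fromisoformat(record["dueDate"])).days


def overdue(records: list, as_of: date) -> list:
    """KEV entries whose BOD 22-01 due date has already passed on `as_of`."""
    return [r for r in records if days_overdue(r, as_of) > 0]


def prioritize(records: list, as_of: date) -> list:
    """Remediation order: ransomware-linked entries first, then most overdue.

    Returns (cveID, days_overdue, knownRansomwareCampaignUse) tuples. Entries
    not yet due are kept (with a non-positive day count) so the result is a
    complete work queue rather than only the backlog.
    """
    def key(r):
        ransomware = r.get("knownRansomwareCampaignUse", "Unknown") == "Known"
        return (not ransomware, -days_overdue(r, as_of))
    return [(r["cveID"], days_overdue(r, as_of),
             r.get("knownRansomwareCampaignUse", "Unknown"))
            for r in sorted(records, key=key)]


def for_vendor(records: list, vendor: str) -> list:
    """Entries for one vendorProject, compared case-insensitively."""
    return [r for r in records if r["vendorProject"].lower() == vendor.lower()]


if __name__ == "__main__":
    recs = load_kev(SAMPLE_KEV_JSON)
    today = date(2022, 7, 11)  # fixed so the output is reproducible
    for cve, days, ransomware in prioritize(recs, today):
        print(f"{cve}: {days:>3} days past due, ransomware use: {ransomware}")
```

In practice you would replace SAMPLE_KEV_JSON with the body fetched from the CISA feed URL and `today` with date.today(). Note that the catalog's dueDate is the deadline, not the day the entry was added: the 2022-01-10 entry for this CVE gave federal agencies six months, which is why a KEV-driven programme also needs the knownRansomwareCampaignUse flag to pull items like this one ahead of entries that are merely older.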
Microsoft
Win32k Elevation of Privilege Vulnerability
vendor_msrc·2019-12-10·CVSS 7.8·CVE-2019-1458 [HIGH]
Description: An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.
The update addresses this vulnerability by correcting how Win32k handles objects in memory.
Affected component: Windows Kernel
Impact: Elevation of Privilege
Exploit Status: Publ
No detection rules found.
Exploit-DB
Microsoft Windows - 'WizardOpium' Local Privilege Escalation
exploitdb·2020-03-03·CVE-2019-1458
---
#include <windows.h>
#include <winternl.h>
#include <stdio.h>
#include <stdlib.h>
// Undocumented win32k syscall stub; it is not declared in the public SDK headers, so it is declared here.
extern "C" NTSTATUS NtUserMessageCall(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam, ULONG_PTR ResultInfo, DWORD dwType, BOOL bAscii);
int main() {
HINSTANCE hInstance = GetModuleHandle(NULL);
WNDCLASSEX wcx;
ZeroMemory(&wcx, sizeof(wcx));
wcx.hInstance = hInstance;
wcx.cbSize = sizeof(wcx);
wcx.lpszClassName = L"SploitWnd";
wcx.lpfnWndProc = DefWindowProc;
wcx.cbWndExtra = 8; //pass check in xxxSwitchWndProc to set wnd->fnid = 0x2A0
printf("[*] Registering window\n");
ATOM wndAtom = RegisterClassEx(&wcx);
if (wndAtom == INVALID_ATOM) {
printf("[-] Failed registering SploitWnd window class\n");
exit(-1);
}
printf("[*] Creating instance of this window\n");
HWND sploitWnd = CreateWindowEx(0, L"Sploi
Metasploit
Google Chrome 67, 68 and 69 Object.create exploit
metasploit·CVSS 7.8·[HIGH]
This module exploits a type confusion in Google Chrome's JIT compiler. The Object.create operation can be used to cause a type confusion between a PropertyArray and a NameDictionary. The payload is executed within the rwx region of the sandboxed renderer process. This module can target the renderer process (target 0), but Google Chrome must be launched with the --no-sandbox flag for the payload to execute successfully. Alternatively, this module can use CVE-2019-1458 to escape the renderer sandbox (target 1). This will only work on vulnerable versions of Windows (e.g. Windows 7) and the exploit can only be triggered once. Additionally the exploit can cause the target machine to restart when the session is terminated. A BSOD is also likely t
Metasploit
Microsoft Windows Uninitialized Variable Local Privilege Elevation
metasploit·CVSS 7.8·CVE-2019-1458 [HIGH]
This module exploits CVE-2019-1458, an arbitrary pointer dereference vulnerability within win32k which occurs due to an uninitialized variable, which allows user mode attackers to write a limited amount of controlled data to an attacker controlled address in kernel memory. By utilizing this vulnerability to execute controlled writes to kernel memory, an attacker can gain arbitrary code execution as the SYSTEM user. This module has been tested against Windows 7 x64 SP1. Offsets within the exploit code may need to be adjusted to work with other versions of Windows. The exploit can only be triggered once against the target and can cause the target machine to reboot when the session is terminated.
Unit42
Manic Menagerie 2.0: The Evolution of a Highly Motivated Threat Actor
blogs_unit42·2023-06-28·CVSS 9.1·CVE-2021-26855 [CRITICAL]
Daniel Frank. Published: June 28, 2023
Tags: High Profile Threats, Malware, Cryptocurrency, Cryptojacking, CVE-2021-26855, CVE-2021-33766, CVE-2021-34473, CVE-2022-41040, Manic Menagerie, Microsoft Exchange Server, Persistence method, ProxyNotShell, Webshell
## Executive Summary
Unit 42 researchers discovered an active campaign that targeted several web hosting and IT providers in the United States and European Union from late 2020 to late 2022. Unit 42 tracks the activity associated with this campaign as CL-CRI-0021 and believes it stems from the same threat actor responsible for the previous campaign known as Manic Menagerie.
The threat actor deployed coin miners on hijacked machines to abuse the compromised servers' resources. They have further deepened their foothold in victims' environments by mass deployment of web shells, which granted them sustained access, as well as access to internal resources of the compromised websites.
In doing so, the attackers could potentially have turned the hijacked legitimate websites – hosted by the tar
Tenable
ContiLeaks: Chats Reveal Over 30 Vulnerabilities Used by Conti Ransomware – How Tenable Can Help
blogs_tenable·2022-03-24
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
blogs_qualys·2022-02-23
#### Table of Contents
- Situation
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISA Vulnerabilities Using Qualys VMDR
- CISA Exploited RTI
- Detailed Operational Dashboard
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Trendmicro
PurpleFox Adds New Backdoor That Uses WebSockets
blogs_trendmicro·2021-10-19·CVSS 7.8·CVE-2021-1732 [HIGH]
Cyber Threats
## PurpleFox Adds New Backdoor That Uses WebSockets
By: Abdelrhman Sharshar, Jay Yaneza, Sherif Magdy. Oct 19, 2021
In September 2021, the Trend Micro Managed XDR (MDR) team looked into suspicious activity related to a PurpleFox operator. Our findings led us to investigate an updated PurpleFox arsenal, which included an added vulnerability (CVE-2021-1732) and optimized rootkit capabilities leveraged in their attacks.
We also found a new b
Qualys
Assess Your Risk From Ransomware Attacks, Powered by Qualys Research
blogs_qualys·2021-10-05
## Table of Contents
Clear guidelines from authorities for ransomware prevention
Qualys undertakes research on ransomware to deliver actionable insights
Challenges in following guidelines for preventing ransomware attacks
Assess & continuously monitor your ransomware risk, powered by Qualys Research
Learn more and see for yourself
Resources
References
Ransomware attacks are among the most significant cyber threats facing businesses today. Recent warnings about Conti ransomware, issued by a joint cybersecurity advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), FBI and National Security Agency, are a strong signal that ransomware attacks are becoming even more sophisticated and massive via the ransomware-as-a-service operating model. This new model allows
Krebs
Microsoft Patch Tuesday, January 2021 Edition
blogs_krebs·2021-01-13·CVSS 8.3·[HIGH]
Microsoft today released updates to plug more than 80 security holes in its Windows operating systems and other software, including one that is actively being exploited and another which was disclosed prior to today. Ten of the flaws earned Microsoft’s most-dire “critical” rating, meaning they could be exploited by malware or miscreants to seize remote control over unpatched systems with little or no interaction from Windows users.
Most concerning of this month’s batch is probably a critical bug ( CVE-2021-1647 ) in Microsoft’s default anti-malware suite — Windows Defender — that is seeing active exploitation. Microsoft recently stopped providing a great deal of detail in their vulnerability advisories, so it’s not entirely clear how this is being exploited.
But Kevin Breen , director of
Securelist
Kaspersky Security Bulletin 2020. Statistics
blogs_securelist·2020-12-15
Authors
- AMR
All statistics in this report are from the global cloud service Kaspersky Security Network (KSN), which receives information from components in our security solutions. The data was obtained from users who have given their consent to it being sent to KSN. Millions of Kaspersky users around the globe assist us in this endeavor to collect information about malicious activity. The statistics in this report cover the period from November 2019 to October 2020, inclusive.
## Figures of the year
- During the year, 10.18% of Internet user computers worldwide experienced at least one Malware-class attack.
- Kaspersky solutions blocked 666,809,967 attacks launched from online resources in various countries across the world.
- 173,335,902 unique URLs were recognized as malicious by W
Tenable
CVE-2020-15999, CVE-2020-17087: Google Chrome FreeType and Microsoft Windows Kernel Zero Days Exploited in the Wild
blogs_tenable·2020-11-02·CVSS 9.6
Trendmicro
Operation Earth Kitsune A Dance of Two New Backdoors
blogs_trendmicro·2020-10-28
Cyber Threats
# Operation Earth Kitsune: A Dance of Two New Backdoors
We uncovered two new espionage backdoors associated with Operation Earth Kitsune: agfSpy and dneSpy. This post provides details about these malware types, including the relationship between them and their command and control (C&C) servers.
By: William Gamazo Sanchez, Aliakbar Zahravi, Elliot Cao, Cedric Pernet, Daniel Lunghi, Jaromir Horejsi, Joseph C Chen, John Zhang. 2020/10/28
We recently published a research paper on Operation Earth Kitsune, a watering hole campaign aiming to steal information by compromising websites. Besides its heavy use of SLUB malware, we also uncovered two new espionage backdoors associated with the campaign: agfSpy and dneSpy, dubbed as such following the
Sentinelone
Purple Fox EK | New CVEs, Steganography, and Virtualization Added to Attack Flow - SentinelLabs
blogs_sentinelone·2020-10-19·CVSS 7.8
CVE-2020-1054 [HIGH] Purple Fox EK | New CVEs, Steganography, and Virtualization Added to Attack Flow - SentinelLabs
## Executive Summary
- In recent weeks, we have seen a spike in the number of attempts to attack vulnerable versions of Internet Explorer by actors leveraging the Purple Fox exploit kit.
- Our investigations reveal that Purple Fox has iterated to include use of two recent CVEs – CVE-2020-1054 and CVE-2019-0808 – through publicly-available exploit code.
- In addition, we’ve noticed other changes to their attack flow that allow them to better circumvent firewall protections and some detection tools by adopting steganography and obscuring malicious code with code virtualization technologies.
During the last couple of years, Purple Fox has advanced its attack and delivery methods. First observed in September 2018, subsequent researchers noted that in 2019 Purple Fox dropped use of NSIS (Null
Checkpoint
Graphology of an Exploit – Hunting for exploits by looking for the author’s fingerprints
blogs_checkpoint·2020-10-02
CVE-2019-0859 Graphology of an Exploit – Hunting for exploits by looking for the author’s fingerprints
## Graphology of an Exploit – Hunting for exploits by looking for the author’s fingerprints
Research by: Itay Cohen, Eyal Itkin
In the past months, our Vulnerability and Malware Research tea
Securelist
The zero-day exploits of Operation WizardOpium
blogs_securelist·2020-05-28·CVSS 8.8
[HIGH] The zero-day exploits of Operation WizardOpium
Table of Contents
- Google Chrome remote code execution exploit
- Microsoft Windows elevation of privilege exploit
- Conclusions
Authors
- Boris Larin
- Alexey Kulaev
Back in October 2019 we detected a classic watering-hole attack on a North Korea-related news site that exploited a chain of Google Chrome and Microsoft Windows zero-days. While we’ve already published blog posts briefly describing this operation (available here and here), in this blog post we’d like to take a deep technical dive into the exploits and vulnerabilities used in this attack.
## Google Chrome remote code execution exploit
In the original blog post we described the exploit loader responsible for initial validation of the target and execution of the next stage JavaScript code containing the full browser explo
Krebs
Patch Tuesday, December 2019 Edition
blogs_krebs·2019-12-12·CVSS 7.8
CVE-2019-1458 [HIGH] Patch Tuesday, December 2019 Edition
Microsoft today released updates to plug three dozen security holes in its Windows operating system and other software. The patches include fixes for seven critical bugs — those that can be exploited by malware or miscreants to take control over a Windows system with no help from users — as well as another flaw in most versions of Windows that is already being exploited in active attacks.
CVE-2019-1458 is what’s known as a “privilege escalation” flaw, meaning an attacker would need to previously have compromised the system using another vulnerability. Handy in that respect is CVE-2019-1468, a similarly widespread critical issue in the Windows font library that could be exploited just by getting the user to visit a hacked or malicious Web site.
Chris Goettl, director of security at Ivanti
By nearly all accounts, the chief bugaboo this month is CVE-2019-1458, a vulnerability in a core Windows component (Win32k) that is present in Windows 7 through 10 and Windows Server 2008-2019. This bug is already being exploited in the wild, and according to Recorded Future the exploit available for it is similar to CVE-2019-0859, a Windows flaw reported in April that was found being sold in undergrou
Trendmicro
December Patch Tuesday: Fixes for components, RDP
blogs_trendmicro·2019-12-11·CVSS 6.1
[MEDIUM] December Patch Tuesday: Fixes for components, RDP
# December Patch Tuesday: Fixes for components, RDP
Seven of the 36 fixes for this month's Patch Tuesday were identified as Critical, 28 Important, and one Moderate. The vulnerabilities covered a wide variety of Microsoft products: Windows, IE, Office, Hyper-V Server, and SQL Server, among others.
By: Trend Micro, 2019/12/11
Microsoft released a total of 36 patches for December’s Patch Tuesday. Decembers tend to have a relatively low number of patches, and the last Patch Tuesday of the 2010s was no different. Seven of the 36 patches were identified as Critical, 28 Important, and one Moderate. The vulnerabilities covered a wide variety of Microsoft products, including Windows, Internet Explorer, Office, Hyper-V Server, and SQL Server. None of the fixe
Qualys
December 2019 Patch Tuesday – 36 Vulns, 7 Critical, Actively Attacked Win32k vuln, Adobe vulns
blogs_qualys·2019-12-10·CVSS 8.8
CVE-2019-1468 [HIGH] December 2019 Patch Tuesday – 36 Vulns, 7 Critical, Actively Attacked Win32k vuln, Adobe vulns
This month’s Patch Tuesday is rather light and addresses 36 vulnerabilities, with only 7 labeled as Critical. Five of the seven Critical vulns are in Git for Visual Studio. The others are for Hyper-V and Win32k. Also, there is one actively attacked “Important” vuln in Win32k. Adobe released patches today covering Acrobat/Reader, ColdFusion, Photoshop, and Brackets.
## Workstation Patches
Win32k patches (CVE-2019-1468 and CVE-2019-1458) should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.
Though listed as Important, Microsoft has disclosed that CVE-2019-1458 is actively attacked in the wild.
## Hyper-V Hypervisor Escapes
A remo
Talos
Microsoft Patch Tuesday — Dec. 2019: Vulnerability disclosures and Snort coverage
blogs_talos·2019-12-10·CVSS 7.8
[HIGH] Microsoft Patch Tuesday — Dec. 2019: Vulnerability disclosures and Snort coverage
## Microsoft Patch Tuesday — Dec. 2019: Vulnerability disclosures and Snort coverage
By Jon Munshaw.
Microsoft released its monthly security update today, disclosing vulnerabilities across many of its products and releasing corresponding updates. This month's Patch Tuesday covers 25 vulnerabilities, two of which are considered critical.
This month’s security update covers security issues in a variety of Microsoft services and software, including Remote Desktop Protocol, Hyper-V and multiple Microsoft Office products.
Talos also released a new set of SNORTⓇ rules that provide coverage for some of these vulnerabilities. For more, check out the Snort blog post here.
## Critical vulnerabilities
Microsoft disclosed two critical vulnerabilities this month, both of which we will highlight below.
Tenable
Microsoft's December 2019 Patch Tuesday Includes Fix for Zero Day Exploited in the Wild (CVE-2019-1458)
blogs_tenable·2019-12-10·CVSS 7.8
[HIGH] Microsoft's December 2019 Patch Tuesday Includes Fix for Zero Day Exploited in the Wild (CVE-2019-1458)
Securelist
Windows 0-day exploit CVE-2019-1458 used in Operation WizardOpium
blogs_securelist·2019-12-10·CVSS 7.8
CVE-2019-1458 [HIGH] Windows 0-day exploit CVE-2019-1458 used in Operation WizardOpium
Authors
- AMR
- GReAT
In November 2019, Kaspersky technologies successfully detected a Google Chrome 0-day exploit that was used in Operation WizardOpium attacks. During our investigation, we discovered that yet another 0-day exploit was used in those attacks. The exploit for Google Chrome embeds a 0-day EoP exploit (CVE-2019-1458) that is used to gain higher privileges on the infected machine as well as escaping the Chrome process sandbox.
The EoP exploit consists of two stages: a tiny PE loader and the actual exploit. After achieving a read/write primitive in the renderer process of the browser through vulnerable JS code, the PE exploit corrupts some pointers in memory to redirect code execution to the PE loader. This is done to bypass sandbox restrictions because the PE exploit canno
CVE-2019-1468 is a remote code execution vulnerability in the Windows font libr
References
- http://packetstormsecurity.com/files/156651/Microsoft-Windows-WizardOpium-Local-Privilege-Escalation.html
- http://packetstormsecurity.com/files/159569/Microsoft-Windows-Uninitialized-Variable-Local-Privilege-Escalation.html
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1458
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-1458
Published: 2019-12-10
Added to CISA KEV: 2022-01-10
Exploited in the wild