Archive for February 9th, 2021

Phishing message to the ISC handlers email distro, (Wed, Feb 10th)

Introduction

The ISC handlers email distro gets plenty of spam and phishing emails on a daily basis.  Most of these are filtered so they never make it to the inbox; however, every once in a while one gets through.

Today’s diary reviews an example of a phishing email from our inbox on Tuesday 2021-02-09.


Shown above:  Email headers from the phishing message.

The email

As shown in the previous image, the sending address had been spoofed to look like it came from [email protected].  But the message actually came to our mail server from 165.232.128[.]118.  That much we can confirm, because it was the most recent Received: from line before it hit our mail server.  Anything else can be spoofed.  Based on the only other Received: from line, this message might have originated from 69.12.85[.]209, but that line could have been added to confuse analysts.
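As an added example (not part of the diary), the following Python walks the Received: chain of a constructed message the way the paragraph describes: the topmost Received: line is the one our own mail server wrote, so the IP in its from clause is the only hop we can vouch for; every line below it is the sender's claim and may have been added to mislead. The message, hostnames, IDs and sender address are invented; the two IP addresses are the ones reported above. It also compares the From: domain with the Return-Path domain, a quick consistency check for a spoofed display sender.

```python
import email
from email.utils import parseaddr
import re

# Constructed sample message. The two IP addresses are the ones reported in the
# diary; host names, IDs, timestamps and the sender address are invented.
RAW_MESSAGE = b"""\
Received: from mail.relay-sender.invalid (mail.relay-sender.invalid [165.232.128.118])
\tby mx.handlers.invalid (Postfix) with ESMTPS id 4DZq7c1Rq0z
\tfor <handlers@handlers.invalid>; Tue,  9 Feb 2021 14:02:11 +0000 (UTC)
Received: from [69.12.85.209] (unknown [69.12.85.209])
\tby mail.relay-sender.invalid with ESMTPA id 8Kp2;
\tTue,  9 Feb 2021 14:01:58 +0000
Return-Path: <bounce@relay-sender.invalid>
From: "Account Security" <security@spoofed-sender.invalid>
To: handlers@handlers.invalid
Subject: Your mailbox will be suspended
Message-ID: <20210209140158.8Kp2@relay-sender.invalid>

Please verify your account.
"""

# Hostnames our own MX writes into the "by" clause (assumed value for this example).
OUR_MAIL_SERVERS = {"mx.handlers.invalid"}

IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Split one Received: header into (claimed 'from' IP, 'by' host)."""
    value = " ".join(value.split())            # unfold continuation lines
    from_part, _, rest = value.partition(" by ")
    ip_match = IPV4_RE.search(from_part)
    by_host = rest.split()[0].lower() if rest else None
    return (ip_match.group(1) if ip_match else None, by_host)


def domain_of(header_value):
    """Return the lower-cased domain of the first address in a header value."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def analyze_headers(raw, our_servers=OUR_MAIL_SERVERS):
    """Separate the one hop we observed ourselves from the hops the sender claims."""
    msg = email.message_from_bytes(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    # Received: lines are prepended by each relay, so index 0 was written last, by us.
    connecting_ip, written_by = hops[0] if hops else (None, None)
    top_hop_is_ours = written_by in our_servers
    from_domain = domain_of(msg.get("From", ""))
    return_path_domain = domain_of(msg.get("Return-Path", ""))
    return {
        # Only trust the connecting IP if our own server wrote the topmost line.
        "connecting_ip": connecting_ip if top_hop_is_ours else None,
        "top_hop_written_by_us": top_hop_is_ours,
        # Everything below the top line is unverifiable and may be forged.
        "unverified_hops": [ip for ip, _ in hops[1:]],
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "from_matches_return_path": from_domain == return_path_domain,
    }


if __name__ == "__main__":
    for key, val in analyze_headers(RAW_MESSAGE).items():
        print(f"{key:26} {val}")
```

The only field an analyst should quote as fact is connecting_ip, and only when top_hop_written_by_us is true; everything in unverified_hops belongs in the report as "claimed by the sender".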


Shown above:  Screenshot of the phishing message when viewed in the Thunderbird email client.

The phishing message has a URL to hxxps://soberlab[.]ca/sl.html?email=[phishing recipient’s email address].  The domain soberlab[.]ca seems to host a legitimate website, and that legitimate website may have been compromised to host the phishing URL.


Shown above:  Opening link from the phishing message in a web browser.

Phishing traffic


Shown above:  Traffic from viewing the email link filtered in Wireshark.

The HTTPS link from the email redirects to a phishing page at hxxp://aromatee[.]com[.]au/inc/mail.php.  Like the previous URL, this one looks like it’s hosted on a legitimate domain using a server that’s been compromised to host a phishing URL.  I entered a fake password, and the data was sent over HTTP back to the server.


Shown above:  HTTP POST request with the fake password I entered.

Final words

These types of emails are all too common, and they’re remarkably cost-effective.  While most of you wouldn’t fall for it, people are fooled by similar messages.  Therefore, phishing will remain a viable social engineering technique.

A sanitized version of the email shown in this diary, along with a pcap of traffic to the associated phishing page, can be found here.


Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.


Microsoft February 2021 Patch Tuesday, (Tue, Feb 9th)

This month we got patches for 56 vulnerabilities. Of these, 11 are critical, 1 is being exploited and 6 were previously disclosed.

The exploited vulnerability is an elevation of privilege vulnerability affecting Win32k (CVE-2021-1732). This is a local vulnerability: to exploit it, an attacker would need local access to the machine (console or SSH, for example) or would have to rely on user interaction, such as a user opening a malicious document.  The CVSS v3 score for this vulnerability is 7.80.

The highest CVSS score this month (9.80) was given to 4 vulnerabilities. One of those is a critical Remote Code Execution (RCE) vulnerability in Microsoft DNS Server (CVE-2021-24078). This vulnerability would allow a remote unauthenticated attacker to execute code with the privileges of the DNS service on the target host. As this vulnerability does not require user interaction, it is potentially wormable and requires your attention if you have Microsoft DNS Server in your network, especially if it is exposed to the Internet.

There are also two RCEs worth mentioning this month affecting Windows TCP/IP. The first (CVE-2021-24074) affects IPv4 and involves source routing. Although source routing is blocked by default in Windows, the system still processes the request and returns an ICMP message denying it. Microsoft's advisory documents a workaround for this vulnerability that causes the system to drop these requests altogether without any processing. The vulnerability affecting IPv6 (CVE-2021-24094) is related to packet fragmentation. Both vulnerabilities have a CVSS v3 score of 9.80.

Amongst the already disclosed vulnerabilities, there is a critical RCE affecting .NET Core 2.0, 3.1 and 5.0 (CVE-2021-26701). The CVSS v3 score for this vulnerability is 8.10. No further details are available.

See Renato’s dashboard for a more detailed breakout: https://patchtuesdaydashboard.com.

February 2021 Security Updates

Rows are grouped by vulnerability description. Columns: CVE | Disclosed | Exploited | Exploitability (old versions) | Exploitability (current version) | Severity | CVSS Base (AVG) | CVSS Temporal (AVG)

.NET Core Remote Code Execution Vulnerability
  CVE-2021-24112 | No | No | Less Likely | Less Likely | Critical | 8.1 | 7.3
  CVE-2021-26701 | Yes | No | Less Likely | Less Likely | Critical | 8.1 | 7.1

.NET Core and Visual Studio Denial of Service Vulnerability
  CVE-2021-1721 | Yes | No | Less Likely | Less Likely | Important | 6.5 | 5.9

.NET Framework Denial of Service Vulnerability
  CVE-2021-24111 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.5

Azure IoT CLI extension Elevation of Privilege Vulnerability
  CVE-2021-24087 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1

Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability
  CVE-2021-24109 | No | No | Less Likely | Less Likely | Moderate | 6.8 | 5.9

Microsoft Dataverse Information Disclosure Vulnerability
  CVE-2021-24101 | No | No | Less Likely | Less Likely | Important | 6.5 | 5.9

Microsoft Defender Elevation of Privilege Vulnerability
  CVE-2021-24092 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8

Microsoft Dynamics Business Central Cross-site Scripting Vulnerability
  CVE-2021-1724 | No | No | Less Likely | Less Likely | Important | 6.1 | 5.5

Microsoft Edge for Android Information Disclosure Vulnerability
  CVE-2021-24100 | No | No | Less Likely | Less Likely | Important | 5.0 | 4.5

Microsoft Excel Remote Code Execution Vulnerability
  CVE-2021-24067 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
  CVE-2021-24068 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
  CVE-2021-24069 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
  CVE-2021-24070 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8

Microsoft Exchange Server Spoofing Vulnerability
  CVE-2021-24085 | No | No | Less Likely | Less Likely | Important | 6.5 | 5.7
  CVE-2021-1730 | No | No | Less Likely | Less Likely | Important | 5.4 | 4.9

Microsoft SharePoint Information Disclosure Vulnerability
  CVE-2021-24071 | No | No | Less Likely | Less Likely | Important | 5.3 | 4.8

Microsoft SharePoint Remote Code Execution Vulnerability
  CVE-2021-24066 | No | No | More Likely | More Likely | Important | 8.8 | 7.7

Microsoft SharePoint Server Remote Code Execution Vulnerability
  CVE-2021-24072 | No | No | More Likely | More Likely | Important | 8.8 | 7.7

Microsoft SharePoint Spoofing Vulnerability
  CVE-2021-1726 | No | No | Less Likely | Less Likely | Important | 8.0 | 7.0

Microsoft Teams iOS Information Disclosure Vulnerability
  CVE-2021-24114 | No | No | Less Likely | Less Likely | Important | 5.7 | 5.0

Microsoft Windows Codecs Library Remote Code Execution Vulnerability
  CVE-2021-24081 | No | No | Less Likely | Less Likely | Critical | 7.8 | 7.0

Microsoft Windows VMSwitch Information Disclosure Vulnerability
  CVE-2021-24076 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0

Microsoft.PowerShell.Utility Module WDAC Security Feature Bypass Vulnerability
  CVE-2021-24082 | No | No | Less Likely | Less Likely | Important | 4.3 | 3.8

PFX Encryption Security Feature Bypass Vulnerability
  CVE-2021-1731 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8

Package Managers Configurations Remote Code Execution Vulnerability
  CVE-2021-24105 | No | No | Less Likely | Less Likely | Important | 8.4 | 7.6

Skype for Business and Lync Denial of Service Vulnerability
  CVE-2021-24099 | No | No | Less Likely | Less Likely | Important | 6.5 | 5.7

Skype for Business and Lync Spoofing Vulnerability
  CVE-2021-24073 | No | No | Less Likely | Less Likely | Important | 6.5 | 5.9

Sysinternals PsExec Elevation of Privilege Vulnerability
  CVE-2021-1733 | Yes | No | Less Likely | Less Likely | Important | 7.8 | 7.0

System Center Operations Manager Elevation of Privilege Vulnerability
  CVE-2021-1728 | No | No | Less Likely | Less Likely | Important | 8.8 | 7.7

Visual Studio Code Remote Code Execution Vulnerability
  CVE-2021-1639 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1

Visual Studio Code npm-script Extension Remote Code Execution Vulnerability
  CVE-2021-26700 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8

Windows Address Book Remote Code Execution Vulnerability
  CVE-2021-24083 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8

Windows Backup Engine Information Disclosure Vulnerability
  CVE-2021-24079 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8

Windows Camera Codec Pack Remote Code Execution Vulnerability
  CVE-2021-24091 | No | No | Less Likely | Less Likely | Critical | 7.8 | 6.8

Windows Console Driver Denial of Service Vulnerability
  CVE-2021-24098 | Yes | No | Less Likely | Less Likely | Important | 5.5 | 4.8

Windows DNS Server Remote Code Execution Vulnerability
  CVE-2021-24078 | No | No | More Likely | More Likely | Critical | 9.8 | 8.5

Windows DirectX Information Disclosure Vulnerability
  CVE-2021-24106 | Yes | No | Less Likely | Less Likely | Important | 5.5 | 4.8

Windows Event Tracing Elevation of Privilege Vulnerability
  CVE-2021-24102 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
  CVE-2021-24103 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8

Windows Fax Service Remote Code Execution Vulnerability
  CVE-2021-1722 | No | No | Less Likely | Less Likely | Critical | 8.1 | 7.1
  CVE-2021-24077 | No | No | Less Likely | Less Likely | Critical | 9.8 | 8.5

Windows Graphics Component Remote Code Execution Vulnerability
  CVE-2021-24093 | No | No | Less Likely | Less Likely | Critical | 8.8 | 7.7

Windows Installer Elevation of Privilege Vulnerability
  CVE-2021-1727 | Yes | No | More Likely | More Likely | Important | 7.8 | 7.0

Windows Kernel Elevation of Privilege Vulnerability
  CVE-2021-24096 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8

Windows Local Spooler Remote Code Execution Vulnerability
  CVE-2021-24088 | No | No | Less Likely | Less Likely | Critical | 8.8 | 7.7

Windows Mobile Device Management Information Disclosure Vulnerability
  CVE-2021-24084 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8

Windows Network File System Denial of Service Vulnerability
  CVE-2021-24075 | No | No | Less Likely | Less Likely | Important | 6.8 | 5.9

Windows PKU2U Elevation of Privilege Vulnerability
  CVE-2021-25195 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8

Windows Remote Procedure Call Information Disclosure Vulnerability
  CVE-2021-1734 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.5

Windows TCP/IP Denial of Service Vulnerability
  CVE-2021-24086 | No | No | More Likely | More Likely | Important | 7.5 | 6.5

Windows TCP/IP Remote Code Execution Vulnerability
  CVE-2021-24074 | No | No | More Likely | More Likely | Critical | 9.8 | 8.5
  CVE-2021-24094 | No | No | More Likely | More Likely | Critical | 9.8 | 8.5

Windows Trust Verification API Denial of Service Vulnerability
  CVE-2021-24080 | No | No | Less Likely | Less Likely | Moderate | 6.5 | 5.7

Windows Win32k Elevation of Privilege Vulnerability
  CVE-2021-1732 | No | Yes | Detected | Detected | Important | 7.8 | 7.2
  CVE-2021-1698 | No | No | More Likely | More Likely | Important | 7.8 | 6.8


Renato Marinho
Morphus Labs | LinkedIn | Twitter
