Critical OAuth Vulnerability in Expo Framework Allows Account Hijacking
A critical security vulnerability has been disclosed in the Open Authorization (OAuth) implementation of the application development framework Expo.io.
The shortcoming, assigned the CVE identifier CVE-2023-28131, has a severity rating of 9.6 on the CVSS scoring system. API security firm Salt Labs said the issue rendered services using the framework susceptible to credential leakage, which could
A critical security vulnerability has been disclosed in the Open Authorization (OAuth) implementation of the application development framework Expo.io.
The shortcoming, assigned the CVE identifier CVE-2023-28131, has a severity rating of 9.6 on the CVSS scoring system. API security firm Salt Labs said the issue rendered services using the framework susceptible to credential leakage, which could
Russian hackers hijack Ubiquiti routers to launch stealthy attacks
Russian APT28 military hackers are using compromised Ubiquiti EdgeRouters to evade detection, the FBI says in a joint advisory issued with the NSA, the U.S. Cyber Command, and international partners. […] Read More
The latest release from Metasploit, Framework 6.4, is a testament to this ongoing battle. It brings a host of new features and improvements to the forefront of cybersecurity.
It has been a little over a year since Metasploit released version 6.3, and the team at Rapid7 has not been idle.
The new 6.4 version of the Metasploit Framework introduces significant enhancements and new capabilities, building on the solid foundation of its predecessor.
This release underscores Metasploit’s commitment to providing cutting-edge tools for penetration testers and cybersecurity professionals.
Kerberos Improvements
One of the highlights of this release is the substantial improvements made to Kerberos authentication support.
Building on the initial support introduced in version 6.3, Metasploit 6.4 adds new capabilities, including support for the diamond and sapphire techniques alongside the original golden and silver techniques.
Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.
:
The problem of vulnerability fatigue today
Difference between CVSS-specific vulnerability vs risk-based vulnerability
Evaluating vulnerabilities based on the business impact/risk
Automation to reduce alert fatigue and enhance security posture significantly
AcuRisQ, that helps you to quantify risk accurately:
This update ensures compatibility with Windows Server 2022, keeping pace with the latest Windows targets.
Metasploit has recently announced the launch of Metasploit Framework 6.4, according to a recent article by Rapid7.
Furthermore, Metasploit 6.4 introduces a new module that allows users to dump Kerberos tickets from a compromised host, similar to the functionality offered by the popular Rubeus tool.
This enhancement is beneficial for exploiting instances of Unconstrained Delegation, further expanding the toolkit available to cybersecurity professionals.
Example of running the gather/windows_secrets_dump module with Kerberos authentication and the DOMAIN action:
Raj Samani, a Chief Scientist at Rapid7, recently tweeted expressing gratitude towards the Metasploit team and community for their exceptional work in successfully releasing version 6.4 of the Metasploit Framework.
Big shout out to the @metasploit team and the community for the excellent work in making the release of 6.4 for Metasploit Framework a reality. Many new features and improvements to enjoy! More details here: https://t.co/ryaQ72FsxC#infosec#cybersecurity
Another significant improvement is the enhanced handling of DNS queries within the Metasploit framework.
This update allows users to configure how hostnames should be resolved, which is especially useful in pivoting scenarios.
This ensures that DNS queries for internal resources originate from a compromised host rather than the user’s system, enhancing operational security.
Metasploit 6.4 also introduces new PostgreSQL, MSSQL, MySQL, and SMB session types. These session types allow for interactive queries with remote database instances and direct interaction with SMB shares, including file upload and download capabilities.
This addition streamlines running multiple modules against a single session, improving efficiency and effectiveness.
Examples of manipulating the DNS configuration:
dns add –rule *.lab.lan –session 1 –index 1 192.0.2.1
dns add –rule honeypot.lab.lan –index 2 black-hole
dns add-static example2.lab.lan 192.0.2.201
dns add –index 1 –rule * static system 192.0.2.1
Viewing the current configuration:
msf6 > dns print
Default search domain: N/A
Default search list:
* tor.example.com
* localdomain
Current cache size: 0
Resolver rule entries
=====================
# Rule Resolver Comm channel
– —- ——– ————
1 *.lab.lan 192.0.2.1 Session 1
2 honeypot.lab.lan black-hole N/A
3 *
. _ static N/A
. _ 10.4.5.45
. _ 10.3.20.98
Static hostnames
================
Hostname IPv4 Address IPv6 Address
——– ———— ————
example.lab.lan 192.0.2.200
example2.lab.lan 192.0.2.201
Indirect Syscalls Support and Discoverability Improvements
Metasploit 6.4 supports indirect syscalls, a technique often used by security software to bypass EDR/AV detection and evade dynamic analysis.
This update focuses on substituting Win32 API calls with indirect syscalls to their corresponding native APIs, enhancing the stealthiness of operations conducted with Metasploit.
To aid users in navigating the vast array of modules available within the framework, Metasploit 6.4 introduces improvements to module discoverability.
The new Hierarchical Search feature matches additional fields within modules, making it easier for users to find the tools they need for their tasks.
As an example, this will cause the auxiliary/admin/kerberos/forge_ticket module to show up when the user searches for forge_golden it because it is an action of the module:
7 auxiliary/admin/kerberos/ms14_068_kerberos_checksum 2014-11-18 normal No MS14-068 Microsoft Kerberos Checksum Validation Vulnerability
Interact with a module by name or index.
For example, info 7, use 7 or use auxiliary/admin/Kerberos/ms14_068_kerberos_checksum
msf6 auxiliary(scanner/mysql/mysql_hashdump) >
The release of Metasploit Framework 6.4 marks another milestone in developing one of the most widely used penetration testing tools.
With its new features and improvements, Metasploit continues to arm cybersecurity professionals with the tools they need to protect against the ever-evolving threats in the digital world.
As cyber threats grow in complexity, tools like Metasploit Framework 6.4 are essential for maintaining the security of digital infrastructures worldwide.
Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.
Hackers Poison SEO Results To Deploy Gootloader Malware And Steal RDP Access
[[{“value”:”
Hackers poison the SEO results to manipulate search engine rankings by misdirecting users to malicious sites.
They aim to take advantage of the vulnerabilities, inject malicious codes or links into legitimate websites, and have more eyes on their deceitful content.
Recently, the DFIR report services cybersecurity researchers discovered that hackers are actively poisoning the SEO results to deploy the Gootloader malware and real RDP access.
You can analyze a malware file, network, module, and registry activity with the ANY.RUN malware sandbox, and the Threat Intelligence Lookup that will let you interact with the OS directly from the browser.
Hackers Poison SEO Results
In February 2023, someone searched for an “Implied Employment Agreement” due to a poisoned SEO result that Gootloader had set up.
In the fake forum for downloading, the user landed into a trap by clicking on the link. Immediately upon opening it, a program named Gootloader came up, bringing files that ensured its presence.
The next move was to execute PowerShell scripts and connect with remote endpoints.
However, Windows Defender blocked lateral movement in subsequent attempts. Though there were traps, the attacker carried on his mission and utilized SystemBC to compromise a domain controller.
Afterward, by using the RDP method, they gained access to backups and sensitive information until an attempt was made to remove them.
‘Implied Employment Agreement’ document (Source – The DFIR Report)
The user went to a website contaminated by SEO, leading to a suspicious forum link about the “Implied Employment Agreement” download.
The harmless-appearing document was, in fact, a GootLoader loader inside a zip archive. It executed a JavaScript chain that created scheduled tasks and ran obfuscated scripts.
While the PowerShell script facilitated the infection through:-
Svchost.exe
Wscript.exe
Cscript.exe
Powershell.exe
Infection chain (Source – The DFIR Report)
Some servers came back with an HTTP 405 response code; however, one of them was a weaponized server called 46.28.105[.]94 that triggered Gootloader via a URL.
The final download contained various versions of Gootloader stage 1 (obfuscated dll), stage 2 (exe file), and a script written both into the registry.
Stage 1 deobfuscated stage 2, which loaded the Cobalt Strike Beacon. Evidently, Cobalt Strike’s ‘getsystem’ command was used to spawn cmd from DLLHOST for elevation purposes.
Timeline (Source – The DFIR Report)
The logon sessions were initiated using harvested credentials via ‘Logon type 9’ and ‘seclogo’ authentication methods. Restricted Admin Mode was turned on so that the hash login could be done.
Through making changes to the registry, the RDP connections could be allowed.
Besides this, the distribution of Cobalt Strike beacons in remote service creation is done through various payloads.
WordPad was used to access other sensitive files in addition to the password-related documents included in the credential access. Apart from this, contracts and other legal-related files and folders were among the interesting files.
You can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits, with Perimeter81 malware protection. All are extremely harmful, can wreak havoc, and damage your network.
Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.