Welcome to the second edition of the Qualys Research Team’s “Threat Research Thursday”, where we collect and curate notable new tools, techniques, procedures, threat intelligence, cybersecurity news, malware attacks, and more. Feedback on our first edition, Introducing Qualys Threat Research Thursdays, is more than welcome. We would love to hear from you!
Threat Intelligence from the Qualys Blog
Here is a roundup of the most interesting blogs from the Qualys Research Team over the past couple of weeks:
- September 2022 Patch Tuesday – Debra Fezza Reed, our in-house unofficial “chief of intelligent vulnerability analytics”, curates and develops our monthly Patch Tuesday blogs. This latest one is a goldmine of Microsoft Patch Tuesday related information. Check it out for its insights on vulnerabilities found in the Microsoft and Adobe platforms and find Qualys responses to help remediate them.
- Let Smart Automation Reduce the Risk of Zero-Day Attacks on Third-Party Applications – Senior director of product management Eran Livne talks about how automation of patch management can help you remediate zero-day risks.
- Remediate Your Vulnerable Lenovo Systems with Qualys Custom Assessment and Remediation – Our response to remediating the five recently disclosed Lenovo vulnerabilities using Qualys CSAM with External Attack Surface Management as well as our no-code scripting tool.
New Threat Hunting Tools & Techniques
PE-bear – One of our favorite tools to help with reverse engineering PE32 and PE64 files is now open source! For those in the know, this was mentioned in the Vault 7 leaks too. The PE-bear 0.6.0 source can be found on GitHub.
FeroxFuzz – FeroxFuzz is a new web fuzzing library that is written in Rust. It takes inspiration from the able advanced fuzzing library: LibAFL. Check out the GitHub project.
Ldapper – This is a new tool to enumerate and abuse LDAP that uses known commands such as net, net group, etc. to query directory services. Ldapper is proxy aware and can also help you with attacks such as Kerberoasting. Check out the tool.
MimiRust – Your favorite credential dumper for Windows is now in Rust. Tread carefully here as this is not the official maintained version and the original author removed the tool from its original repository. Check it out.
Pamspy – Pamspy is a credential dumper for Linux. It leverages eBPF (Extended Berkeley Packet Filter) to track a userland function inside the PAM (Pluggable Authentication Module) to get access to authentication data. Get Pamspy.
New Vulnerabilities
CVE-2022-39197 – One of the most well-known command & control frameworks used in adversary simulations by red teamers just fixed a cross-site scripting vulnerability. This vulnerability in the Teamserver component of the framework could allow attackers to execute arbitrary code. Since the toolkit is so famous, there are proof-of-concept codes galore that exploit this vulnerability. More information on this can be found at HelpSystems.
CVE-2022-3236 – This publicly exploited, critical-rated code injection vulnerability allows a remote attacker to execute code in Sophos Firewalls. User Portal and Webadmin components from the firewalls, version v19.0 MR1 and older, are affected. CISA also has updated its Known Exploited Vulnerabilities Catalog to include the vulnerability. Qualys VMDR customers can keep a look out for QID 730616 in their reports and identify vulnerable installations. More information about this can be found in this Sophos Security Advisory.
Noteworthy Mentions
CISA and NSA Publish Joint Cybersecurity Advisory on Control System Defense – The US Cybersecurity & Infrastructure Security Agency (CISA) and the US National Security Agency (NSA) have jointly published a cybersecurity advisory about control system defense for operational technology (OT) and industrial control systems (ICSs). It helps administrators understand the tactics, techniques, and procedures used by threat actors and provides guidance on preventing such attacks. Read the advisory.
Uber Breached by Lapsu$ group – Now here’s an interesting recent breach, mainly because of its unique attack vector. The 17-year-old threat actor who managed to pull this off possibly obtained credentials from an underground marketplace. He then bombarded a targeted user with two-factor login approval requests, eventually to be let in after many tries. After looking around and defacing internal Uber systems, the teenager reconfigured DNS to display a graphic image to employees. Kids these days! Read more from Uber.
Threat Thursdays Webinar
If you missed our first Threat Thursdays monthly webinar, where the Qualys Threat Research Team presented an in-depth analysis of Quasar RAT, you can watch the replay on-demand at the link below.