Sensors have seen continuous human momentum behind Bafomet666/OSINT-SAN, an advanced Russian OSINT tool. Within our database, this signal ranks 140/5389 for most all-time sensor hits (raw human momentum). The tool is also connected to a Telegram channel that has significant social reach of its own.
Bafomet666/OSINT-SAN: A framework for collecting data and information from open sources, but it includes search and brute-force tools that must be used only with the permission of the resource owner. The framework uses a small number of APIs. You need to register them yourself. (github.com)
Telegram Channel: Bafomet dev – Telegram
#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam
2/24/2021
vCenter RCE
WARNING: Extremely Heavy Human Momentum behind Multiple RCEs Targeting vCenter (CVE-2021-21972)
Sensors are seeing convergence between CVE-2021-21972 exploit signals and pillar signals (signals that consistently show strong human momentum), indicating massive human interest in these publicly available exploits.
“A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.”
Exploit 1: QmF0c3UK/CVE-2021-21972-vCenter-6.5-7.0-RCE-POC (github.com)
Exploit 2: NS-Sp4ce/CVE-2021-21972: CVE-2021-21972 (github.com)

Sensors have just ingested a publicly available exploit targeting the Windows Installer (msiexec.exe), granting SYSTEM-level privileges. We have not tested this exploit yet but plan to in the coming days.
EoP Exploit: klinix5/CVE-2021-1727 (github.com)
Microsoft Guidance: CVE-2021-1727 - Security Update Guide - Microsoft - Windows Installer Elevation of Privilege Vulnerability

Sensors are reading heavy human momentum behind a code repository that has paired together exploits targeting Linux local privilege escalation through a heap overflow in sudo (CVE-2021-3156) and an out-of-bounds write in V8, Chrome versions <= 83.0.4103.97 (CVE-2020-6507). We have not had time to look into this pairing, but the amount of momentum behind this repo suggests elevated human interest in it.
Repo: r4j0x00/exploits (github.com)

1/30/2021
Sensor Frequency Distribution: Contrasting CVE-2021-3156 (Sudo) with Previous Exploit Momentums
In the hopes of providing greater context surrounding the explosion of exploit code for CVE-2021-3156 (Sudo), we have compared it (by sensor hit frequency) with some other exploits that became publicly available and then went on to be used by adversaries. Our sensors typically see these buildup patterns within the security community preceding mass-exploitation campaigns, and they act as a leading indicator. CVE-2021-3156 (Sudo) has had extremely strong human momentum behind it and resembles the momentum patterns that preceded mass-exploitation campaigns. Keep the timeframe in mind: CVE-2021-3156 (Sudo) only became publicly available over the last few weeks.
Sensors have ingested tradecraft meant to bypass PowerShell ConstrainedLanguage Mode (a security feature), which prevents users from using PowerShell to circumvent or violate UMCI (User Mode Code Integrity). Moreover, this bypass utilizes “System.Management.Automation”, which means it will not start powershell.exe. Lastly, this bypass was created by a researcher who is part of the pwncat cluster, which we believe amplifies the social reach of this new bypass.
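One defensive check that follows from the point above (an added example, not code from the bypass-clm or pwncat projects): because the bypass hosts the PowerShell engine through System.Management.Automation instead of launching powershell.exe, a defender can hunt for processes that have the automation assembly loaded but are not a known PowerShell host. The allow-list of host image names is an assumption for this example.

```powershell
# Added example: find processes hosting the PowerShell engine outside the usual hosts.
# System.Management.Automation.dll (or its native image, *.ni.dll) is loaded by any
# process that hosts the PowerShell engine, whether or not powershell.exe was started.
# The allow-list below is an assumption; tune it to the hosts present in your environment.
$KnownHosts = @('powershell', 'pwsh', 'powershell_ise')

$findings = foreach ($proc in Get-Process) {
    if ($KnownHosts -contains $proc.ProcessName) { continue }
    try {
        # Reading Modules fails for protected processes and across architectures
        # (32-bit PowerShell inspecting 64-bit processes); skip those rather than abort.
        $modules = $proc.Modules
    } catch {
        continue
    }
    if (-not $modules) { continue }
    $smaModule = $modules | Where-Object { $_.ModuleName -like 'System.Management.Automation*' }
    if ($smaModule) {
        [pscustomobject]@{
            ProcessName = $proc.ProcessName
            Id          = $proc.Id
            Path        = $proc.Path
            Module      = ($smaModule | Select-Object -First 1).FileName
        }
    }
}

if ($findings) {
    # Each hit is a candidate "unmanaged PowerShell" host and deserves a closer look:
    # parent process, command line, and whether the image is signed and expected.
    $findings | Format-Table -AutoSize
} else {
    'No non-standard PowerShell hosts found.'
}
```

This is a point-in-time sweep; for continuous coverage the same condition (System.Management.Automation loaded into an image that is not an expected host) can be expressed over image-load telemetry such as Sysmon Event ID 7.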
ConstrainedLanguage Bypass: calebstewart/bypass-clm: PowerShell Constrained Language Mode Bypass (github.com)
pwncat: calebstewart/pwncat: Fancy reverse and bind shell handler (github.com)
ConstrainedLanguage Mode: about_Language_Modes - PowerShell | Microsoft Docs
UMCI: Understand WDAC policy rules and file rules (Windows 10) - Windows security | Microsoft Docs

reverse-ex/CVE-2021-3156: https://github.com/reverse-ex/CVE-2021-3156
Serpentiel/CVE-2021-3156: https://github.com/Serpentiel/CVE-2021-3156
mr-r3b00t/CVE-2021-3156: https://github.com/mr-r3b00t/CVE-2021-3156
Video: https://vimeo.com/504872555

1/27/2021
Syscall Injector Trend Continues & DLL Injector to Inject Into x86 and x64 Processes Using Same Program
Two interesting injectors came up in the “Live” sensor feed this morning which I haven’t seen before. The first, Reloaded.Injector, injects DLLs into both x86 and x64 targets from the same program. I will have to give this one a try.
The second aligns with a strong tactics trend related to evasion: the use of direct system calls. Querying our data, we can see that 134 recently ingested project repositories contain either a text-processing hit for direct system calls or an API profile that indicates the same. An interesting note here is that we are talking about entire projects, not individual files. Projects can contain multiple files utilizing different variations of (in this case) direct system calls, which our engine also visualizes at the file level. To date, our engine has analyzed over half a million malicious files pulled from the live sensors. Defenders should be cognizant of this vector as its social reach continues to amplify to the masses.
Reloaded.Injector: Reloaded-Project/Reloaded.Injector: C# DLL Injection Library capable of injecting x86 DLLs to x86 process from x64 processes. (github.com)
directInjectorPOC: badBounty/directInjectorPOC: Small POC written in C# that performs shellcode injection on x64 processes using direct syscalls as a way to bypass user-land EDR hooks. (github.com)

1/26/2021
DNSpooq PoC - dnsmasq cache poisoning (CVE-2020-25686, CVE-2020-25684, CVE-2020-25685)
Sensors have ingested an exploit PoC that targets:
“7 vulnerabilities found in dnsmasq, an open-source DNS forwarding software in common use. Dnsmasq is very popular, and we have identified approximately 40 vendors whom we believe use dnsmasq in their products, as well as major Linux distributions.”
Potential Impact “includes DNS cache poisoning, remote code execution and others. According to our internet-based research, prominent users of dnsmasq seem to include Cisco routers, Android phones, Aruba devices, Technicolor, and Red-Hat, as well as Siemens, Ubiquiti networks, Comcast.” - www.jsof-tech.com
PoC: https://github.com/knqyf263/dnspooq
Blog: https://www.jsof-tech.com/disclosures/dnspooq/
Paper: https://www.jsof-tech.com/wp-content/uploads/2021/01/DNSpooq-Technical-WP.pdf

1/25/2021
Resolving Imports with GetProcAddress and Utilizing the PEB for Stealthier Injection
I’m continually impressed by the versatility of the new Hunter module. While using one of our most basic signatures for process injection, we came across some really interesting content that articulates evasion tradecraft. Specifically, this post talks about the different stages of static-analysis evasion and how to dynamically load dead-giveaway API calls (VirtualAllocEx, WriteProcessMemory, CreateRemoteThread, etc.) in a more obscure way. It first looks at using the Windows API call GetProcAddress() to resolve function addresses on the fly and then dives deeper into leveraging the Process Environment Block (PEB). An excellent read if you haven’t seen this blog before.
Blog: https://blog.christophetd.fr/hiding-windows-api-imports-with-a-customer-loader/
Accompanying Code: https://gist.github.com/christophetd/37141ba273b447ff885c323c0a7aff93