Introducing Qualys Threat Research Thursdays

Mayuresh Dani

Welcome to the first edition of the Qualys Research Team’s “Threat Research Thursday” where we collect and curate notable new tools, techniques, procedures, threat intelligence, cybersecurity news, malware attacks, and more. We will endeavor to issue these update reports regularly, as often as every other week, or as our threat intelligence output warrants.  

Threat Intelligence from the Qualys Blog

Here is a roundup of the most interesting blogs from the Qualys Research Team from the past couple of weeks: 

New Threat Hunting Tools & Techniques

Sysmon v14.0, AccessEnum v1.34, and Coreinfo v3.53: This is a major update to Sysmon that adds a new event ID 27 - FileBlockExecutable that prevents processes from creating executable files in specified locations. What this means is if you want to block certain files from executing in a certain directory, you can do so. Get these tools & updates.  

Bomber: All of us know how important software bills of materials (SBOMs) are, and the vulnerabilities that affect them even more so. This open-source repository tool that we’ve evaluated will help you scan JSON formatted SBOM files to point out any vulnerabilities they may have. Check out Bomber

Alan C2 Framework: Until recently, this command & control (C2) framework – even though it was hosted on GitHub – was closed source. You could download it and test it for free, but not inspect its source code unless you decompiled it. Now the source code has been made available. For example, you can now look at the certificate information and add it to your detection pipeline if you have not already done so. Access the Alan C2 Framework source code

FISSURE: This interesting Radio Frequency (RF) framework was released as open source at the recently concluded DEFCONference. With this reverse engineering RF framework, you can detect, classify signals, execute attacks, discover protocols, and analyze vulnerabilities. A lot can be done with this tool! Check out FISSURE

Sub7 Legacy: The source code to your favorite trojan from the not-so-recent past is now available. Well, not really. This is a complete remake of the trojan from the early 2000’s. The look & feel is still the same – minus the malicious features, but it does make one nostalgic. Here’s hoping that threat actor groups don’t use this Delphi source code for new and nefarious use cases! Check out the new Sub7 Legacy

Hashview: What do you do when you dump a hash via Mimikatz and want to crack it? In a team engagement, a tool like Hashview can help. It allows you to automate hashcat, retroactively crack hashes, and get notifications on a particular event. Check out the Hashview source code

Center for Internet Security: CIS published their August update for the End-of-Support Software Report List. Use it coupled with Qualys CSAM to stay updated on software that’s no longer vendor supported.  

New Vulnerabilities  

CVE-2022-34301/CVE-2022-34302/CVE-2022-34303 – Not much was known about these bootloader vulnerabilities when they were first disclosed as part of Microsoft Patch Tuesday. New research about these vulnerabilities was presented at DEFCON pointing towards weaknesses in third-party code signed by Microsoft. Special care must be given to fixing these vulnerabilities, as manual intervention is required for complete remediation. 

CVE-2022-30209 – Fresh off of its disclosure at Black Hat USA 2022, this IIS authentication bypass vulnerability discovered by Devcore, is introduced because of a logic error as a result of improper copy/pasting of variable names. Qualys VMDR customers can find unpatched devices in their networks by looking for QID 91922 in their results. 

CVE-2022-22047 – This Windows client/server runtime subsystem (CSRSS) elevation of privilege vulnerability affects almost all Windows versions, including v7, 8.1, 10, 11, and Windows Server 2008, 2012, 2016, 2019, and 2022! QIDs 91922 and 91927 should be of interest to current Qualys VMDR customers. 

CVE-2022-26138 – The Confluence Questions app, when installed will create a disabledsystemuser user with a known and now publicized hardcoded password. Post exploitation, bad actors can read the pages accessible by the confluence-users group. 

CVE-2022-26501 – Proof-of-concept code for this unauthenticated remote code execution vulnerability affecting Veeam Distribution Service (VDS) has been available for more than four months now. When last checked on Shodan, there were more than 18,000 publicly facing devices that host Veeam Backup Services. 

Introducing the Monthly Threat Thursdays Webinar 

Please join us for the first Threat Thursdays monthly webinar where the Qualys Threat Research Team will present the latest threat intelligence… each and every month!

Share your Comments

Comments

Your email address will not be published.