Qualys Research Team: Threat Thursdays, September 2022

Mayuresh Dani

Last updated on: October 27, 2022

Welcome to the second edition of the Qualys Research Team’s “Threat Research Thursday”, where we collect and curate notable new tools, techniques, procedures, threat intelligence, cybersecurity news, malware attacks, and more. Feedback on our first edition, Introducing Qualys Threat Research Thursdays, is more than welcome. We would love to hear from you!

Threat Intelligence from the Qualys Blog

Here is a roundup of the most interesting blogs from the Qualys Research Team over the past couple of weeks:

  • September 2022 Patch Tuesday – Debra Fezza Reed, our in-house unofficial “chief of intelligent vulnerability analytics”, curates and develops our monthly Patch Tuesday blogs. This latest one is a goldmine of Microsoft Patch Tuesday related information. Check it out for its insights on vulnerabilities found in the Microsoft and Adobe platforms and find Qualys responses to help remediate them. 
  • Let Smart Automation Reduce the Risk of Zero-Day Attacks on Third-Party Applications – Senior director of product management Eran Livne talks about how automation of patch management can help you remediate zero-day risks.  

New Threat Hunting Tools & Techniques

PE-bear – One of our favorite tools to help with reverse engineering PE32 and PE64 files is now open source! For those in the know, this was mentioned in the Vault 7 leaks too. The PE-bear 0.6.0 source can be found on GitHub.  

FeroxFuzz – FeroxFuzz is a new web fuzzing library that is written in Rust. It takes inspiration from the able advanced fuzzing library: LibAFL. Check out the GitHub project

Ldapper – This is a new tool to enumerate and abuse LDAP that uses known commands such as net, net group, etc. to query directory services. Ldapper is proxy aware and can also help you with attacks such as Kerberoasting. Check out the tool

MimiRust – Your favorite credential dumper for Windows is now in Rust. Tread carefully here as this is not the official maintained version and the original author removed the tool from its original repository. Check it out

Pamspy – Pamspy is a credential dumper for Linux. It leverages eBPF (Extended Berkeley Packet Filter) to track a userland function inside the PAM (Pluggable Authentication Module) to get access to authentication data. Get Pamspy

New Vulnerabilities

CVE-2022-39197 – One of the most well-known command & control frameworks used in adversary simulations by red teamers just fixed a cross-site scripting vulnerability. This vulnerability in the Teamserver component of the framework could allow attackers to execute arbitrary code. Since the toolkit is so famous, there are proof-of-concept codes galore that exploit this vulnerability. More information on this can be found at HelpSystems

CVE-2022-3236 – This publicly exploited, critical-rated code injection vulnerability allows a remote attacker to execute code in Sophos Firewalls. User Portal and Webadmin components from the firewalls, version v19.0 MR1 and older, are affected. CISA also has updated its Known Exploited Vulnerabilities Catalog to include the vulnerability. Qualys VMDR customers can keep a look out for QID 730616 in their reports and identify vulnerable installations. More information about this can be found in this Sophos Security Advisory

Noteworthy Mentions

CISA and NSA Publish Joint Cybersecurity Advisory on Control System Defense – The US Cybersecurity & Infrastructure Security Agency (CISA) and the US National Security Agency (NSA) have jointly published a cybersecurity advisory about control system defense for operational technology (OT) and industrial control systems (ICSs). It helps administrators understand the tactics, techniques, and procedures used by threat actors and provides guidance on preventing such attacks. Read the advisory

Uber Breached by Lapsu$ group – Now here’s an interesting recent breach, mainly because of its unique attack vector. The 17-year-old threat actor who managed to pull this off possibly obtained credentials from an underground marketplace. He then bombarded a targeted user with two-factor login approval requests, eventually to be let in after many tries. After looking around and defacing internal Uber systems, the teenager reconfigured DNS to display a graphic image to employees. Kids these days! Read more from Uber

Threat Thursdays Webinar

If you missed our first Threat Thursdays monthly webinar, where the Qualys Threat Research Team presented an in-depth analysis of Quasar RAT, you can watch the replay on-demand at the link below.

Show Comments (1)

Comments

Your email address will not be published.

  1. Good Mayuresh Dani! I like how you’ve put together multiple different components. If I could share intelligence about IoT devices, it could be great. Thank you.