Qualys Research Team: Threat Thursdays, October 2022
Welcome to the third edition of the Qualys Research Team’s “Threat Research Thursday”, where we collect and curate notable new tools, techniques, procedures, threat intelligence, cybersecurity news, malware attacks, and more. Feedback on our second edition, Qualys Threat Research Thursday, is more than welcome. We would love to hear from you!
From the Qualys Blog
Here is a roundup of the most interesting blogs from the Qualys Research Team over the past couple of weeks:
- Qualys Response to ProxyNotShell Microsoft Exchange Server Zero-Day Threat Using Qualys Cloud Platform – How do you detect the ProxyNotShell vulnerabilities that were disclosed a month ago? This post covers detection, mitigation and more. Definitely worth a look, since no official patches are available as of today!
- Leeloo Multipath: Authorization bypass and symlink attack in multipathd (CVE-2022-41974 and CVE-2022-41973) – Fresh from the Qualys Research Team! Read more about our in-house research that discovered these vulnerabilities in the multipathd daemon.
- Text4Shell: Detect, Prioritize and Remediate The Risk Across On-premise, Cloud, Container Environment Using Qualys Platform – All the details for detecting, prioritizing and remediating the Text4Shell vulnerability can be found in this post.
New Tools & Techniques
ScubaGear – This assessment tool was developed by CISA. It verifies that an M365 tenant’s configuration conforms to the policies described in the SCuBA Minimum Viable Secure Configuration Baseline documents. Baseline documents are currently available for Hybrid Azure Active Directory (AD), Microsoft 365 Defender, Microsoft Exchange Online, OneDrive for Business, Power BI, the Microsoft Power Platform, SharePoint Online and Microsoft Teams. The ScubaGear v0.1.0 source can be found on GitHub.
RustHound – This cross-platform Active Directory collector for BloodHound is written in Rust and runs on Linux, Windows, or macOS. Not all SharpHound features are implemented yet, but it is worthwhile to get this into our detection engineering cycles so that effective detections can be developed before it shows up in an engagement. Check out the GitHub project.
WinDbg – I know, I know! WinDbg is old. But the latest version of the WinDbg Preview debugger is now available with regex search and restricted mode support. Check out WinDbg 1.2107.13001.0.
Sysmon – This release includes bug fixes and adds a new Windows Event ID 28, FileBlockShredding, which is generated when Sysmon detects and blocks file shredding by tools such as SDelete. Download Sysmon v14.1.
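As an added example (not from the original post or from the Sysmon documentation), the snippet below enables the FileBlockShredding rule for SDelete and then pulls the resulting Event ID 28 records from the local Sysmon operational log. The rule tag name, the `schemaversion` value and the event field names (User, Image, TargetFilename, IsExecutable) are assumptions based on the Sysmon 14.1 schema; confirm them against `sysmon64 -s` on your build. Run it from an elevated PowerShell session on a host where Sysmon is already installed.

```powershell
# Added example: enable FileBlockShredding (Sysmon v14.1+) and report Event ID 28 hits.
# Assumptions: sysmon64.exe is on PATH and already installed; schema 4.83 matches v14.1.

# 1. Minimal rule set (constructed). condition="image" matches on the file name only,
#    so renamed copies of SDelete will not be caught by this rule alone.
$config = @'
<Sysmon schemaversion="4.83">
  <EventFiltering>
    <RuleGroup name="block-shredders" groupRelation="or">
      <FileBlockShredding onmatch="include">
        <Image condition="image">sdelete.exe</Image>
        <Image condition="image">sdelete64.exe</Image>
      </FileBlockShredding>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@
$configPath = Join-Path $env:TEMP 'sysmon-shredding.xml'
Set-Content -Path $configPath -Value $config -Encoding UTF8

# 2. Apply the configuration to the running Sysmon service (-c updates in place).
& sysmon64.exe -accepteula -c $configPath

# 3. Collect FileBlockShredding events from the last seven days.
function Get-FileBlockShreddingEvents {
    param([int]$Days = 7)

    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 28
        StartTime = (Get-Date).AddDays(-$Days)
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # EventData is positional; index it by the Name attribute so the output
        # does not depend on field order in the schema.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            TimeCreated    = $_.TimeCreated
            User           = $data['User']
            Image          = $data['Image']
            TargetFilename = $data['TargetFilename']
            IsExecutable   = $data['IsExecutable']
        }
    }
}

Get-FileBlockShreddingEvents | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```

Because the block is based on the image name, treat Event ID 28 as a high-fidelity alert rather than the only control: pair it with FileDelete (Event ID 23/26) logging so a renamed shredder still leaves a trail.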
SockFuzzer – This is an all-in-one network syscall fuzzer for XNU. It builds the XNU network stack into a userland harness so you can fuzz it on macOS or Linux hosts without a kernel debugger attached. Check it out here.
SharpEfsPotato – This is a neat demonstration of local privilege escalation from SeImpersonatePrivilege using Encrypting File System Remote (EFSRPC) Protocol. This combines two different projects – SweetPotato and SharpSystemTriggers/SharpEfsTrigger. Read more on SharpEfsPotato.
TokenMan – This new, open-source token manipulation tool will help you in post-exploitation activities when working with Azure Active Directory. It is especially useful when you hold a refresh token from a Family of Client IDs (FOCI) application, since that token can be exchanged for access tokens scoped to other clients in the same family. Download the tool here.
New Vulnerabilities
CVE-2022-41040, CVE-2022-41082 – aka ProxyNotShell! Mitigations, but no patches yet, are available for these zero-day vulnerabilities, which affect Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. Limited, targeted attacks are still being seen in the wild chaining the server-side request forgery (SSRF, CVE-2022-41040) with the remote code execution (RCE, CVE-2022-41082) flaw. Read more on the Microsoft Customer Guidance page. Qualys customers can scan for QID 50122 to find vulnerable and unpatched Microsoft Exchange systems in their environment.
CVE-2022-41352 – This publicly exploited vulnerability affecting Zimbra Collaboration (ZCS) 8.8.15 and 9.0 allows a remote attacker to upload arbitrary files through a crafted archive processed by the cpio-based Amavis scanning path, which can lead to unauthorized access to other user accounts. Qualys VMDR customers can look out for QID 377618 in their reports to identify vulnerable installations. Affected customers should update to ZCS 9.0.0 Patch 27 or ZCS 8.8.15 Patch 34. More information about this can be found here.
CVE-2022-40684 – This Fortinet authentication bypass vulnerability allows attackers to log in as an administrator on affected FortiOS, FortiProxy, and FortiSwitchManager products. A single crafted HTTP request to the administrative interface is enough to compromise an affected device. Qualys VMDR and WAS QIDs 150585, 730623 and 43921 should get you started with finding vulnerable systems in your environment. Follow up by patching the vulnerability as described in the vendor-published advisory, and restrict the management interface to trusted networks in the meantime. Reminder – a PoC exploiting this vulnerability is already out in the wild.
Noteworthy Mentions
The Qualys Threat Research Team contributed to the October 25, 2022 release of MITRE ATT&CK v12! Our contribution from Defending Against Scheduled Task Attacks in Windows Environments was cited under T1053.005. This release introduces “Campaigns”, where adversary activity conducted over a specific period against common targets is grouped together. This version of ATT&CK for Enterprise contains 14 Tactics, 193 Techniques, 401 Sub-techniques, 135 Groups, 14 Campaigns, and 718 Pieces of Software. Read more here.
We also contributed to the awesome, open-source Atomic Red Team framework. Examples are Atomic Test #22 – Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key and Atomic Test #2 – Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message, both contributed by Harshal, Senior Engineer, Threat Research.
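The two Atomic tests above each flip values under the same policy key, so a defender’s counterpart is a quick audit of that key. The function below is an added example (not part of the original post or of Atomic Red Team): it reads `ConsentPromptBehaviorAdmin` and the `LegalNotice*` values, flags the states those tests produce, and can optionally restore defaults. The baseline it assumes is the stock Windows one (ConsentPromptBehaviorAdmin = 5, empty legal notice); environments that legitimately set a logon banner should adjust the check accordingly. Run it elevated when using `-Remediate`.

```powershell
# Added example: audit (and optionally revert) the registry values exercised by
# Atomic Test #22 (UAC consent prompt) and Atomic Test #2 (legal notice banner).
# Assumption: the stock Windows baseline is ConsentPromptBehaviorAdmin = 5 and
# empty LegalNoticeCaption / LegalNoticeText.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Test-UacAndLegalNoticeTampering {
    param(
        [string]$Key = $PolicyKey,
        [switch]$Remediate
    )

    $p = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue

    # A missing value means Windows uses its default (5 = prompt for consent for
    # non-Windows binaries). An explicit 0 is what Atomic Test #22 writes: elevate
    # without prompting, which silently removes UAC for administrators.
    $consent = if ($null -ne $p.ConsentPromptBehaviorAdmin) { [int]$p.ConsentPromptBehaviorAdmin } else { 5 }

    # The LegalNotice values are empty by default; Atomic Test #2 fills them so
    # a message (here, a ransom note) is shown before the logon screen.
    $caption = [string]$p.LegalNoticeCaption
    $text    = [string]$p.LegalNoticeText
    $noticeSet = -not ([string]::IsNullOrWhiteSpace($caption) -and [string]::IsNullOrWhiteSpace($text))

    $result = [pscustomobject]@{
        ConsentPromptBehaviorAdmin = $consent
        UacPromptDisabled          = ($consent -eq 0)
        LegalNoticeCaption         = $caption
        LegalNoticeText            = $text
        LegalNoticeSet             = $noticeSet
        Remediated                 = $false
    }

    if ($Remediate -and ($result.UacPromptDisabled -or $result.LegalNoticeSet)) {
        # Restore the stock values. Requires an elevated session.
        if ($result.UacPromptDisabled) {
            Set-ItemProperty -Path $Key -Name ConsentPromptBehaviorAdmin -Value 5 -Type DWord
        }
        if ($result.LegalNoticeSet) {
            Set-ItemProperty -Path $Key -Name LegalNoticeCaption -Value '' -Type String
            Set-ItemProperty -Path $Key -Name LegalNoticeText    -Value '' -Type String
        }
        $result.Remediated = $true
    }

    $result
}

# Audit only; add -Remediate to revert to defaults.
Test-UacAndLegalNoticeTampering | Format-List
```

For fleet-wide use, run the audit through `Invoke-Command` and alert on `UacPromptDisabled` or `LegalNoticeSet`; a registry-change detection (Sysmon Event ID 13 on this key) catches the moment of tampering, while this check catches hosts that were modified before logging was in place.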
Threat Thursdays Webinar
If you missed last month’s Threat Thursday webinar, where the Qualys Threat Research Team presented an in-depth analysis of AsyncRAT, you can watch it on demand at the link below.