Qualys Threat Research Unit: Threat Thursdays, December 2022
Welcome to the fourth edition of the Qualys Threat Research Unit’s (TRU) “Threat Research Thursday”, where we collect and curate notable new tools, techniques, procedures, threat intelligence, cybersecurity news, malware attacks, and more. This also happens to be the last edition for the year. Feedback on our third edition, Qualys Threat Research Thursday, is more than welcome. We would love to hear from you!
From the Qualys Blogs
Here is a roundup of the most interesting blogs from the Qualys Research Team over the past couple of weeks:
- Dissecting the Empire C2 Framework – In this blog post, we take a quick dive into Empire, a popular open-source post-exploitation framework.
- Identify Server-Side Attacks Using Qualys Periscope – This article will provide more detail on the common questions/situations seen with out-of-band detections via Qualys Periscope.
New Tools & Techniques
Kubeshark – This is an Apache-2.0 licensed, open-source observability and monitoring tool for Kubernetes. It enables dynamic microservice analysis, anomaly detection and triggering mechanism when a certain pattern appears in runtime. Up until the last month, Kubeshark was known as Mizu. The Kubeshark 37.0 source can be found on GitHub.
certipy-ad – For everybody’s information, Certipy the offensive tool for enumerating and abusing Active Directory Certificate Services (AD CS) is also available on Pypi as a Python package. Get certipy-ad 4.3.0 from the pypi page.
Scapy – Everyone knows Scapy. What’s more exciting is that just in time for Christmas, Scapy was updated. Along with major CLI improvements, Python 3.9/3.10 supports this release and also has new DCERPC/NTLM/KERBEROS/GSSAPI/SPNEGO/(C)LDAP layers on Windows. Scapy v2.5.0 can be downloaded here.
DLest – This is a new open-source tool for analyzing and manipulating exported functions in a large number of both x86-32 (PE) and x86-64 (PE+) bit Portable Executable files. Download DLtest from its GitHub repository.
PersistenceSniper – This open-source PowerShell module can be used by Blue Teams, Incident Responders and System Administrators to hunt persistences implanted on Windows. As of today, this tool supports 40 persistence techniques and has intelligence to detect persistence via built-in binaries or LOLBINS. Check it out from the PowerShell gallery by running Import-Module PersistenceSniper or, download PersistenceSniper v1.8.0 here.
New Vulnerabilities
CVE-2021-35587 - This is a heap-based buffer overflow in the sslvpnd component of Fortinet SSL VPNs. The vulnerability could allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests. According to the vendor, this vulnerability is being actively exploited and has shared multiple IOCs associated with the exploit. Qualys customers can use VMDR QID 43944 for detecting vulnerable systems in their environment.
CVE-2022-27518 – An unauthenticated, remote code execution vulnerability exists in Citrix Application Delivery Controller (ADC) and Citrix Gateway versions prior to 13.0-58.32. These are older versions of Citrix products. All versions of the affected product released during the past 2 years are not in fact vulnerable. Furthermore, only customer-managed Citrix ADCs and Citrix Gateways that are configured as a SAML SP (service provider) or a SAML IdP (identity provider) are at risk and should be upgraded. This vulnerability is notable because threat groups like APT5/also known as UNC2630 and MANGANESE are targetting telecommunications and technology companies. NSA has also published guidance for this. Qualys customers can use VMDR QID 377825 for detecting vulnerable systems in their environment.
CVE-2022-44698 – This vulnerability is a result of a bypass to an older vulnerability tracked as CVE-2022-41091. A specially crafted file could be constructed to bypass the Mark of the Web (MOTW) defenses mechanism. It removes the MOTW feature from the file or makes it so that the MOTW isn’t recognized by the security features that Microsoft provides and lets you open files without warnings. Qualys customers can use VMDR QID 91962 for detecting vulnerable systems in their environment.
CVE-2022-37958 – On December 13, Microsoft reclassified this vulnerability as “Critical”. The vulnerability is in the widely used SPNEGO Extended Negotiation (NEGOEX) Security Mechanism and allows remote code execution. This is used in most Windows application protocols that can authenticate, such as Server Message Block (SMB) or Remote Desktop Protocol (RDP), by default. Unlike EternalBlue and used in the WannaCry ransomware attacks, which only affected the SMB protocol, this vulnerability has a larger attack surface of services exposed to the public internet (HTTP, RDP, SMB) or on internal networks. Qualys customers can use VMDR QIDs 91940/91945 for detecting vulnerable systems in their environment.
Threat Thursdays Webinar
If you missed our second Threat Thursdays monthly webinar, where the Qualys Threat Research Unit (TRU) presented how we can learn from other successful ontologies to build and make better use of MITRE ATT&CK, you can watch the replay on-demand at the link below.