💥OWASSRF: CrowdStrike Identifies New Exploit Method for Exchange Bypassing ProxyNotShell Mitigations
CrowdStrike recently discovered a new exploit method (called OWASSRF) that chains CVE-2022-41080 and CVE-2022-41082 to achieve remote code execution (RCE) through Outlook Web Access (OWA). The new method bypasses the URL rewrite mitigations Microsoft provided for the Autodiscover endpoint in response to ProxyNotShell, because the request enters through OWA instead of Autodiscover.
After gaining initial access with this method, the threat actor used legitimate Plink and AnyDesk executables to maintain access and applied anti-forensics techniques on the Microsoft Exchange server in an attempt to hide their activity.
#Analytics
Top 10 most exploited vulnerabilities in 2022
1. CVE-2022-30190: MS Office "Follina"
2. CVE-2021-44228: Apache Log4Shell
3. CVE-2022-22965: Spring4Shell
4. CVE-2022-1388: F5 BIG-IP
5. CVE-2022-0609: Google Chrome zero-day
https://blog.google/threat-analysis-group/countering-threats-north-korea
6. CVE-2017-11882: Old but not forgotten - MS Office bug
7. CVE-2022-41082, CVE-2022-41040: ProxyNotShell
8. CVE-2022-27925, CVE-2022-41352: Zimbra Collaboration Suite bugs
9. CVE-2022-26134: Atlassian Confluence RCE flaw
10. CVE-2022-30525: Zyxel RCE vulnerability
Google
Countering threats from North Korea
On February 10, Threat Analysis Group discovered two distinct North Korean government-backed attacker groups exploiting a remote code execution vulnerability in Chrome, CVE-2022-0609.
#Blue_Team_Techniques
Incident Response Methodologies 2022
https://github.com/certsocietegenerale/IRM
// EN/ES/FR/RU Versions
#Offensive_security
MSI Shenanigans: Offensive Capabilities Overview
https://mgeeky.tech/msi-shenanigans-part-1
]-> Tool that analyzes malicious MSI installation packages, extracts files, streams and binary data, and includes a YARA scanner:
https://github.com/mgeeky/msidump
]-> PoC code and samples demonstrating the emerging threat posed by MSI installer files:
https://github.com/mgeeky/msi-shenanigans
#Threat_Research
#Cloud_Security
1. Linux Kernel: Exploiting a Netfilter Use-after-Free in kmalloc-cg
https://blog.exodusintel.com/2022/12/19/linux-kernel-exploiting-a-netfilter-use-after-free-in-kmalloc-cg
2. Elastic IP Hijacking - A New Attack Vector in AWS
https://www.mitiga.io/blog/elastic-ip-hijacking-a-new-attack-vector-in-aws
Exodus Intelligence, by Sergi Martinez: describes a method to exploit a use-after-free in the Linux kernel when objects are allocated in a specific slab cache…
#exploit
1. CVE-2022-47518, CVE-2022-47519, CVE-2022-47520, CVE-2022-47521:
Remote DoS in Linux kernel WILC1000 wireless driver
https://securitylab.github.com/advisories/GHSL-2022-112_GHSL-2022-115_wilc1000
2. CVE-2022-2602:
io_uring kernel exploit
https://github.com/kiks7/CVE-2022-2602-Kernel-Exploit
3. Directory Traversal Vulnerability in Huawei HG255s Products
https://infosecwriteups.com/directory-ttraversal-vulnerability-in-huawei-hg255s-products-dce941a1d015
GitHub Security Lab (GHSL-2022-112 through GHSL-2022-115): multiple vulnerabilities in the Linux kernel Microchip WILC1000 802.11 wireless driver allow remote and local attackers to trigger a denial of service when parsing management frames.
#Offensive_security
Dumping LSASS by unhooking MiniDumpWriteDump: loads a fresh copy of DbgHelp.dll from disk, obfuscates function names and strings, and duplicates an existing LSASS handle from other processes
https://github.com/D1rkMtr/DumpThatLSASS
#Threat_Research
1. Analysis of the First Critical Vulnerability of Aptos Move VM
https://medium.com/numen-cyber-labs/analysis-of-the-first-critical-0-day-vulnerability-of-aptos-move-vm-8c1fd6c2b98e
2. OWASSRF - New Exploit Method for Exchange Bypassing ProxyNotShell Mitigations
https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations
#Red_Team_Tactics
1. Process reparenting in MS Windows
https://blog.trailofbits.com/2022/12/20/process-reparenting-microsoft-windows
2. CLI tool/library to enhance and speed up script/exploit writing with string conversion/manipulation
https://github.com/noraj/ctf-party
Trail of Bits Blog, "What child is this? A Primer on Process Reparenting in Windows" by Yarden Shafir: process reparenting is a technique used in Microsoft Windows to create a child process under a different parent process than the one maki…
#tools
#Malware_analysis
1. PortexAnalyzer - free PE parser tailored for malware analysis
https://github.com/struppigel/PortexAnalyzerGUI/releases
2. XLLing in Excel - Evolution of malicious XLLs
https://blog.talosintelligence.com/xlling-in-excel-malicious-add-ins
GitHub releases, struppigel/PortexAnalyzerGUI: graphical interface for PortEx, a Portable Executable and Malware Analysis Library
#exploit
1. CVE-2022-48870:
maccms admin+ XSS
https://github.com/Cedric1314/CVE-2022-48870
2. CVE-2022-39253:
Docker host file read
https://github.com/ssst0n3/docker-cve-2022-39253-poc
Forwarded from 卩ro 爪Cracker
chatgpt_chinese_prompt_hack
Use prompt hack to bypass OpenAI's content policy restrictions by golfzert
https://github.com/golfzert/chatgpt-chinese-prompt-hack
Forwarded from 卩ro 爪Cracker
hackGPT
OpenAI and #ChatGPT to do hackerish things by NoDataFound
https://github.com/NoDataFound/hackGPT