ccondon-r7 (167)

Last Login: May 12, 2022 | Assessments: 51 | Score: 167 | 6th Place

ccondon-r7's Latest (20) Contributions

1
Technical Analysis

This bug was evidently used by LAPSUS$ in the wild as part of the attack on Okta.

2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

Seemingly ubiquitous logging library—vulnerable implementations are going to be widespread. Multiple PoC exploits are publicly available, and broad opportunistic attacks already occurring, but I’d expect with all the different implementations, we’ll be seeing new attack vectors for weeks or months to come. Update all your dependencies ASAP, and/or take systems and services with known-vulnerable implementations offline right away. Exploitation sure to increase even further. https://www.rapid7.com/blog/post/2021/12/10/widespread-exploitation-of-critical-remote-code-execution-in-apache-log4j/

1
Technical Analysis

Rapid7’s services teams are observing opportunistic exploitation of this vulnerability in the wild. Sounds like coin miners are the payload so far.

1
Technical Analysis

I’m not super clear yet on why Cisco rates this as “Medium” severity. A remote, unauthenticated ACL bypass in a network edge product seems like a fairly high-severity bug, though admittedly it doesn’t appear to be RCE, which I guess is something. I can’t imagine it’ll take long for PoCs to show up—we’ll see.

Exploitability sounds high from an initial read, but I’ll reserve official judgment on that until we see what the exploit dev community comes up with.

Edit: @jbaines-r7 makes the excellent point that if this turns out to be blind, it’s of significantly less value to an attacker.

2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

Being exploited in the wild as of April 2021. Juniper Networks has a write-up on seeing payloads being delivered by the Sysrv botnet. Kinda surprising it took that long.

2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

Both Palo Alto Networks and Netlab360 (ostensibly, since Netlab360 doesn’t specify any CVEs) have write-ups on widespread attacks leveraging this bug starting in April and going through at least August, including ransomware campaigns. QNAP’s advisory is pretty sparse, but from the news coverage it sounds like this was a hard-coded creds bug that allowed an attacker to log into a vulnerable device (which evidently QLocker and ech0raix ransomware operators did). Yikes—hopefully folks have patched by now.

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    High
Technical Analysis

This is another of those products I hadn’t ever heard of before we started hearing about compromises. There’s a Metasploit module available here, hence the relatively high exploitability rating: https://github.com/rapid7/metasploit-framework/pull/15525

Mitigation is to lock down admin access, sensibly: https://dev.lucee.org/t/lucee-vulnerability-alert-november-2020-cve-2021-21307/7643

1

Thanks @JoyGhoshs. Assuming you were attacking a target that you had permission to attack, we would not consider that to be exploitation in the wild. (If you were attacking a target that you did not have permission to attack…well, we aren’t lawyers, but that’s a pretty bad idea and probably not legal!)

To be considered “in the wild,” exploitation generally needs to take place outside lab environments and not within pen testing engagements. In other words, we only mark things “exploited in the wild” when threat actors are exploiting vulnerable targets to achieve some type of objective.

2

Hey @JoyGhoshs, great write-up, thanks! I was trying to find some kind of confirmation somewhere that this is exploited in the wild, though, and I’m not coming up with anything—have you observed active attacks by adversaries (not pen testers) against this somewhere, or were you reporting it as “Exploited in the wild” simply because details are available?

1

Those are great, @NinjaOperator, thanks for sharing!

3
Ratings
  • Attacker Value
    Medium
  • Exploitability
    Low
Technical Analysis

Sounds from Microsoft’s out-of-band advisory like this is seeing limited, targeted attacks and folks are only vulnerable in non-default configurations (i.e., “by default, Microsoft Office opens documents from the internet in Protected View or Application Guard for Office both of which prevent the current attack”). All this plus user interaction required = another social engineering opportunity for attackers with specific targets, but probably not a big concern as far as widespread, automated exploitation goes. No patch yet, but sounds like the most out-of-the-box mitigation is just to use the default option of opening docs in a protected manner.

4
Ratings
  • Attacker Value
    Very High
  • Exploitability
    High
Technical Analysis

Check out the Rapid7 analysis for details on the exploit chain. Seems like a lot of the PoC implementations so far are using admin mailboxes, but I’d imagine folks are going to start finding ways around that soon.

2
Ratings
  • Attacker Value
    High
  • Exploitability
    High
Technical Analysis

Zero-day LPE vulnerability affecting Windows 10 v1809 and later (so Win10 and Win11 preview), arises from the SAM file’s being READ-enabled for all local users. The SAM file has gold, e.g., hashed user/admin passwords. PoC to retrieve registry hives publicly available, no patch as of July 21, 2021. JonasLyk and the research community reported and confirmed the issue on Twitter on Monday, July 19. Guidance from Microsoft is to apply a couple of workarounds—defenders likely behind the attack curve already. Details: https://www.rapid7.com/blog/post/2021/07/21/microsoft-sam-file-readability-cve-2021-36934-what-you-need-to-know/
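As an added example (not part of the assessment above, and not Rapid7 or Microsoft code), the following PowerShell audits the condition the post describes, whether BUILTIN\Users holds a read ACE on the SAM, SECURITY and SYSTEM hives, lists the shadow copies the public PoCs read the locked hives from, and shows the two Microsoft workarounds (re-enabling ACL inheritance on the config directory and deleting existing shadow copies) commented out. Hive paths and the use of `icacls` / `vssadmin` are assumptions taken from Microsoft's published guidance; run it elevated.

```powershell
# Added example: audit and (optionally) mitigate the CVE-2021-36934 SAM-readability condition.
# Not from the original post. Assumes the standard hive locations under %windir%\System32\config.
$hives = 'SAM', 'SECURITY', 'SYSTEM' | ForEach-Object { Join-Path $env:windir "System32\config\$_" }

function Test-HiveReadableByUsers {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    # Vulnerable state: an Allow ACE granting ReadData to BUILTIN\Users (well-known SID S-1-5-32-545).
    # Comparing on the SID rather than the localized group name keeps this check locale-independent.
    $ace = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-5-32-545' -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)
    }
    return [bool]$ace
}

foreach ($h in $hives) {
    $state = if (Test-HiveReadableByUsers -Path $h) { 'READABLE by BUILTIN\Users (vulnerable)' } else { 'ok' }
    '{0}: {1}' -f $h, $state
}

# The live hives are exclusively locked by the kernel, so the public PoCs copy them out of a
# Volume Shadow Copy snapshot instead. A permissive ACL only matters if such a snapshot exists.
vssadmin list shadows /for=$env:SystemDrive

# Microsoft's workaround, in two parts (uncomment to apply):
#  1. Restore inherited ACLs on the config directory so the hives drop the over-broad Users ACE.
#  2. Delete existing shadow copies, because snapshots taken while the ACL was wrong remain readable.
#     Note: this also removes system restore points; re-create them afterwards if you rely on them.
# icacls "$env:windir\System32\config\*.*" /inheritance:e
# vssadmin delete shadows /for=$env:SystemDrive /quiet
```

The ACL check alone is not sufficient: a host whose ACL has been fixed but which still carries a pre-fix shadow copy is still exploitable, which is why both steps are shown together.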

5
Technical Analysis

Critical RCE in the Windows Print Spooler service, with all versions of Windows vulnerable by default, can also be used for LPE. A myriad of public exploits and tools are available to aid in exploitation, and remediation requires the additional step of disabling Point and Print (by setting two registry keys to 0) after patch application. Without disabling Point and Print, RCE and LPE are still possible via multiple vectors (MS-PAR, MS-RPRN) regardless of patch level. Exploitation detected in the wild, only expected to increase. Patch and disable Point and Print, or else disable Print Spooler altogether. See the Rapid7 analysis for more info.

Update August 12, 2021: Crowdstrike is reporting that PrintNightmare is now being incorporated into Magniber ransomware attacks against South Korean organizations.
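As an added example (not from the assessment above, nor Rapid7 or Microsoft code), this PowerShell reports the state of the two Point and Print registry values the post refers to and of the Print Spooler service, then provides the two mitigations the post names, hardening Point and Print and disabling the Spooler outright, as functions left commented out. The registry path and value names (`NoWarningNoElevationOnInstall`, `UpdatePromptSettings`) are assumptions taken from Microsoft's CVE-2021-34527 guidance; run it elevated.

```powershell
# Added example: check and optionally apply the PrintNightmare post-patch mitigations.
# Not from the original post. Registry location is assumed from Microsoft's published guidance.
$pnpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$pnpValues = 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings'

function Get-PointAndPrintState {
    # Returns a hashtable of value name -> current data ('absent' if not set).
    # Per Microsoft: if either value is present and set to 1, the patched system is still exploitable.
    $state = @{}
    foreach ($name in $pnpValues) {
        $item = Get-ItemProperty -Path $pnpKey -Name $name -ErrorAction SilentlyContinue
        $state[$name] = if ($null -eq $item) { 'absent' } else { $item.$name }
    }
    return $state
}

function Test-PointAndPrintHardened {
    $state = Get-PointAndPrintState
    # Hardened means neither value is 1; 'absent' or 0 are both acceptable.
    return -not ($state.Values | Where-Object { $_ -eq 1 })
}

function Get-SpoolerState {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'not installed' }
    return ('{0} (startup: {1})' -f $svc.Status, $svc.StartType)
}

# Report current posture.
Get-PointAndPrintState.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
'Point and Print hardened: {0}' -f (Test-PointAndPrintHardened)
'Spooler: {0}' -f (Get-SpoolerState)

# Mitigation A: keep printing, but force both values to 0 so Point and Print driver
# installation requires administrator elevation (the condition the patch relies on).
function Set-PointAndPrintHardened {
    if (-not (Test-Path $pnpKey)) { New-Item -Path $pnpKey -Force | Out-Null }
    foreach ($name in $pnpValues) {
        New-ItemProperty -Path $pnpKey -Name $name -Value 0 -PropertyType DWord -Force | Out-Null
    }
}

# Mitigation B: for hosts that never need to print (domain controllers are the usual case),
# stop and disable the Spooler service so neither the MS-RPRN nor MS-PAR path is reachable.
function Disable-Spooler {
    Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
    Set-Service -Name Spooler -StartupType Disabled
}

# Uncomment to apply:
# Set-PointAndPrintHardened
# Disable-Spooler
```

Applying the patch without Mitigation A leaves the host exploitable, as the post notes; Mitigation B is the simpler answer wherever the Spooler is not actually needed.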

1
Technical Analysis

Rapid7 researchers have confirmed that a fully patched (as of June 2021) Windows Server 2019 is exploitable with at least one of the public exploits. There’s still a lot of confusion in the community about what exactly is exploitable and why (e.g., permissions requirements), but don’t let the complexity inherent to these researcher conversations convince you NOT to act. Disable the print spooler, quickly. More info: https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/

1
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

Trivial RCE with a one-line request. Rapid7 Labs is seeing this product in quite a few large enterprises—patch quickly. Shout-out to Portswigger for their excellent write-up: https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464

Update July 12, 2021: We now have reliable private reports of exploitation in the wild.

1
Technical Analysis

This feels like it could be similar to CVE-2020-3187, which got a lot of attention last summer but was pretty overhyped. Summarizing a few conversations among researchers: This looks like stored XSS, user interaction is required to trigger it (would be a much bigger deal if no interaction were necessary), attacker still needs to go phishing or similar for efficacy. Could be that there’s a caveat to those caveats that increases the vuln’s value, but until proven otherwise, we’re gonna rate this low-to-moderate on the value scale. Definitely a good idea to keep ASAs updated, though, irrespective of the value of any particular bug. H/T to @wvu-r7 and @hrbrmstr for the convo!

2
Technical Analysis

If the fast and furious exploitation of CVE-2021-21972 earlier this year is any indication, attackers are likely to jump on this latest vCenter Server vulnerability quickly. Exploitation does require network access to port 443, but @hrbrmstr and team already identified thousands of vulnerable vCenter Server instances exposed to the public internet (ouch), and phishing/cred reuse makes relatively easy work for attackers looking for network access. With the prevalence of the ransomware threat to most organizations at the moment, this is one to patch on an emergency basis. We definitely don’t recommend waiting for a typical patch cycle here. See the Rapid7 analysis for further info.

1

Hi @2020Cyberworld, thanks for the detailed assessment! I see you’ve reported a few vulns as exploited in the wild—are you seeing this and the other vulns you’ve reported used in active (not pen testing) attacks?

1
Technical Analysis

Ah, another day, another Win32k privilege escalation used in the wild. Securelist has a good write-up on this bug, which they discovered because it was used in a BITTER APT zero-day attack in (it sounds like) conjunction with CVE-2021-1732 (there’s a Metasploit module for the second vuln).