Public exploit for CVE-2017-0199

There is a public exploit for CVE-2017-0199, which leverages a Microsoft Office vulnerability, so patching it should be a priority. An attacker can create a crafted exploit in the form of a document using Metasploit and deliver it by email or through a watering-hole attack to infect the remote victim user. Attackers used this vulnerability to breach an email account of the Ministry of Foreign Affairs of the Turkish Republic of Northern Cyprus. The compromised account was used to send out a weaponized document to foreign affairs ministries in various countries around the world.

Vulnerability Details:

The Metasploit module creates a malicious RTF file that, when opened in vulnerable versions of Microsoft Word, leads to code execution. The flaw exists in how an OLE link object can make an HTTP(S) request and execute HTA code returned in the response. This bug was originally seen being exploited in the wild starting in October 2016. The module was created by reversing a public malware sample.

Microsoft issued a security patch advisory in April. Please check whether the affected products below exist in your environment and expedite patching this vulnerability as soon as possible. Note: for critical systems, perform testing and validation first; for non-critical systems, roll out the patch directly.

Affected Products:

  • Microsoft Office 2007 Service Pack 3
  • Microsoft Office 2010 Service Pack 2 (32-bit editions)
  • Microsoft Office 2010 Service Pack 2 (64-bit editions)
  • Microsoft Office 2013 Service Pack 1 (32-bit editions)
  • Microsoft Office 2013 Service Pack 1 (64-bit editions)
  • Microsoft Office 2016 (32-bit edition)
  • Microsoft Office 2016 (64-bit edition)

References:

  1. http://www.securityweek.com/iranian-copykittens-conduct-foreign-espionage
  2. https://www.rapid7.com/db/modules/exploit/windows/fileformat/office_word_hta
  3. https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html

0-Day Vulnerability for all Windows Versions and Antivirus

The new 0-day vulnerability turns antivirus software into malware and allows an attacker to take full control of the victim computer. This attack method is called DoubleAgent.

Windows has a feature called Microsoft Application Verifier that verifies applications before they run. A security issue was recently found that allows an attacker to inject a custom verifier into any application and gain full control over the victim computer. By injecting a DLL into the process, attackers hijack the computer during or after the boot process to keep their persistence. Attackers can leverage this vulnerability to turn an AV into malware by manipulating the AV's behavior to take over the victim machine or execute arbitrary code: escalating privileges, modifying process nature and behavior, and many more.

All Microsoft Windows versions are vulnerable to this kind of attack, and at the time of writing this advisory most antivirus vendors have not released any patch yet, except Malwarebytes and AVG. Trend Micro mentioned that they are planning to push a patch in the coming week, while Symantec has not been seen in the affected list. Since DoubleAgent has been published publicly and there is no mitigation or patch released yet, the risk of such an attack is very high.

For more information please refer to the following addresses:
https://cybellum.com/doubleagentzero-day-code-injection-and-persistence-technique/
https://github.com/Cybellum/DoubleAgent
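A defensive check for the injection point described above, added here as an example and not taken from the post or from Cybellum's code: it lists any Application Verifier provider DLLs registered under Image File Execution Options (IFEO), which is where a DoubleAgent-style verifier must be registered to be loaded into a process. It assumes the FLG_APPLICATION_VERIFIER bit (0x100) in GlobalFlag is what switches the verifier on for an image, and that legitimate verifier providers are rare on production hosts, so every hit is worth a look.

```powershell
# Added example (not from the original post): audit IFEO for Application Verifier
# provider DLLs. Run in an elevated PowerShell so both hives are readable.
$ifeoPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

$findings = foreach ($root in $ifeoPaths) {
    if (-not (Test-Path $root)) { continue }
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $props.VerifierDlls) { continue }

        # Assumption: FLG_APPLICATION_VERIFIER (0x100) in GlobalFlag enables the
        # verifier for this image; VerifierDlls names the DLL(s) loaded into it.
        $gf = if ($props.GlobalFlag) { [int]$props.GlobalFlag } else { 0 }

        # Provider DLLs are loaded from System32; a name that does not exist there
        # (or that is not a vendor-signed file) is the first thing to investigate.
        $dllNames = ($props.VerifierDlls -split '[\s,]+') | Where-Object { $_ }
        $present  = foreach ($d in $dllNames) {
            Test-Path (Join-Path $env:SystemRoot "System32\$d")
        }

        [pscustomobject]@{
            Image         = $key.PSChildName
            VerifierDlls  = $props.VerifierDlls
            VerifierOn    = (($gf -band 0x100) -ne 0)
            DllInSystem32 = ($present -notcontains $false)
            Hive          = $root
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No VerifierDlls entries found under IFEO.'
}
```

Pair the registry audit with a look at which account last wrote those keys and whether the DLL carries a valid vendor signature; an entry pointing at your AV's own process is the case this advisory is about.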

Invitation Letter for OWASP Meetup Q3 2015

This is an open invitation for those who are keen on information security meetups. We are conducting an OWASP talk at UniKL University. Everybody is welcome to participate and attend OWASP Meetup Q3 2015.

OWASP Meetup Q3 2015 Invitation

Contact me for more information.

Kali Linux Version 2 Released.

In the old days, computer users were always waiting for Microsoft or Apple to release the latest OS. We have all grown up, and now, as security evangelists and penetration testers, we look forward to seeing the latest version, Kali Linux v2. You can download the ISO image file from the Kali website, or you may download the VMware version from the Offensive-Security website.

Enjoy hunting….

Windows Critical Security Update - Remote Code Execution

A new vulnerability has been discovered that allows remote code execution when opening specially crafted documents or untrusted web pages in which OpenType fonts have been embedded. The targets of this vulnerability are Windows Vista (SP2), Windows Server 2008 & 2012 (including Server Core installations), Windows Server 2008 R2 & 2012 R2 (32/64-bit), Windows 7 (32/64-bit), as well as Windows 8 and 8.1 and Windows RT 8.0 and RT 8.1.

Metasploit Lovers:

Metasploit hasn't updated their exploits for this vulnerability yet.

For more information refer to the following link:

https://technet.microsoft.com/en-us/library/security/MS15-078

How To Remove “Secure Browsing” Virus

It is very common that we use our pendrives in other people's PCs or laptops. One of the viruses which I recently faced is called “Secure Browser”. The first time I saw it was when I went to a print shop. I thought it was their security application to avoid running malicious code or malware. Today, I found that my pendrive had the same directories and folders in hidden form. In addition, some new and suspicious processes were running in my Task Manager. Obviously I never installed it. So I tried TrendMicro; it couldn't detect or clean it. I tried my own ESET Smart Security as well, with the latest version; it could detect and quarantine them. So I started digging through Google to see if there is any dedicated tool for the “Secure Browser” virus. I found USBFix, which is free. This is a very easy and straightforward tool which asks you to connect your external drives such as SD cards, hard drives and pendrives, and it will scan and clean all of them, as well as your registry and system directories. It's good to have it next to your Malwarebytes application. You may need it in the future as well. In the following, the steps are explained.

Once you have downloaded it, run USBFix and wait for the first wizard to appear, then click on Next as follows:

[Screenshot 1]

In the next step it pops up a message box telling you to connect your external drives; simply click on OK and go to the next step.

[Screenshot 2]

While it starts to analyze your system and external drives, it invites you to participate in the SOSVirus.net forum. It's up to you to join or not. I clicked on “No” to go to the next step.

[Screenshot 3]

Finally USBFix thanks you for choosing their tool. Actually we should say thanks for helping us to stop this annoying virus.

[Screenshot 4]

And then it starts analyzing and removing the infected files. This is a secure application; it doesn't damage your system. At least so far my PC has had no issue since the last time I ran it. It might ask you to restart your computer, so save your files and work and then restart your machine.

Keep USBFix on your pendrive; whenever you see this on other computers you may help them by simply running it and cleaning their system for free.

Mail App of iOS 8.3 is vulnerable to Phishing attack

There is always a debate between Apple lovers and Android or Windows OS fans. There is a wrong belief that iOS never gets hacked or infected by a virus, or that it is the best product. Several times I have shown in my classes how Apple devices may get hacked just as Windows or Android devices can be targets for hackers. Here is news that shows how a phishing attack may cause Apple users to lose their iCloud credentials through the Mail app. This vulnerability can be found on iOS 8.3. Phishing is one of the most significant and fastest methods that allow hackers to obtain credentials, gain remote access and many more. The proof of concept of this attack has been uploaded to YouTube and its PoC code has been shared on GitHub for learning purposes.

Are you sensitive about privacy? Make sure you have turned your geolocation off on your Android or iOS devices.

Technology: we love it, and it helps us in a variety of situations. We can communicate, ease our lives, have fun, use it as entertainment and even more. But here is the issue: much of the time we like to share our location with our friends via messenger apps or social media, while many people don't like to share it or make it publicly available to strangers. Seriously, is it necessary to let everyone in the world know exactly where we are at every moment? So if you are a person who cares about it, check your apps' settings to ensure what information will be accessible to strangers and even friends.

Lee Munson wrote a report about tracking your geolocation on Facebook using the “Marauders Map” Chrome add-on. The API might be disabled, but since the source code has been published on GitHub, curious developers may modify it and develop it with new features and concepts. The report can be read on the Naked Security blog.

You may also reconfigure your Facebook settings for better privacy. Read the following link from the same author, Lee Munson.

Hacking ATM machine?

Running malware and getting remote access is normal, but hey, is it that easy to have such physical access to the machine?
I think they should have some behavior-control component in the system to check whether any unauthorized device has been connected to the machine, dispose of it and raise an alarm.

I think system designers should be aware of physical access control security.