Software

Microsoft Updates September 2014

Microsoft released four security bulletins this month addressing a total of 42 vulnerabilities in Internet Explorer (MS14-052), .NET (MS14-053), the Windows task scheduler (MS14-054), and several issues in Windows Lync Server (MS14-055). I counted a total of 37 cve set aside for Internet Explorer, with the other five for the three remaining software.

Most interesting is the XMLDOM vulnerability (cve-2013-7331), a vulnerability that has been publicly discussed since at least April 25, 2013. The PoC was re-purposed and abused in the VFW watering hole attack by APT otherwise known as Aurora Panda or “the DeputyDog actor”. The crew is highly advanced and effective in technique and operation, over time deploying multiple 0day to meet their heavy offensive needs. Their xmldom trick likely helped to delay discovery of their IE 0day and presence on the compromised VFW server. “The attacker can easily diagnose whether the machine is running EMET by loading an XML string. If the parsed return code fails, it means EMET is not present and the attacker can proceed with the exploit”. Microsoft rated this vulnerability patch “important” across OS versions, while the other privately disclosed IE vulnerabilities are rated “critical”.

The other 36 Internet Explorer memory corruption vulnerabilities are all over the board as far as exploitability per platform, but they all enable remote code execution. It’s most interesting that the patches for Internet Explorer v10 and v11 on supported Windows 8.1 are rated Critical RCE.

Also this month is a task scheduler escalation of privilege vulnerability reminiscent of one of the Stuxnet 0day that Kaspersky Lab researchers reported back in 2010, and was later deployed by the Tdss gang. And an update to an advisory went out to deal with post-exploitation lateral movement. This time the patched issue is not related to older pass-the-hash issues, but Kerberos ticket grant delay related. The logon credential cleanup package can be downloaded here.

More can be read about September 2014 Microsoft Security Bulletins here.

Microsoft Updates September 2014

Your email address will not be published. Required fields are marked *

 

Reports

Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

Subscribe to our weekly e-mails

The hottest research right in your inbox