Welcome to the first edition of the Qualys Research Team’s “Threat Research Thursday” where we collect and curate notable new tools, techniques, procedures, threat intelligence, cybersecurity news, malware attacks, and more. We will endeavor to issue these update reports regularly, as often as every other week, or as our threat intelligence output warrants.
Threat Intelligence from the Qualys Blog
Here is a roundup of the most interesting blogs from the Qualys Research Team from the past couple of weeks:
- New Qualys Research Report: Evolution of Quasar RAT – This free downloadable report gives a sneak peek of the detailed webinar topic that Qualys Threat Research team’s Linux EDR expert Viren Chaudari will be presenting on our upcoming Threat Thursdays webinar.
- Here’s a Simple Script to Detect the Stealthy Nation-State BPFDoor – In this blog we explain how a simple script can detect a BPFDoor.
- Introducing Qualys CyberSecurity Asset Management 2.0 with natively integrated External Attack Surface Management – This is big news! We offer one of only a few solutions on the market that empower cybersecurity teams to manage internal and external assets at the same time! For our existing customers, Qualys CSAM API Best Practices should be a good starting point for playing with our extensive list of APIs.
- August 2022 Patch Tuesday – Microsoft and the second Tuesday of the month are inseparable (except that one time in 2017 just before the Equation Group leak!) This is our regular monthly coverage of the vulnerabilities that Microsoft and Adobe fixed this month.
New Threat Hunting Tools & Techniques
Sysmon v14.0, AccessEnum v1.34, and Coreinfo v3.53: This is a major update to Sysmon that adds a new
event ID 27 - FileBlockExecutable
that prevents processes from creating executable files in specified locations. What this means is if you want to block certain files from executing in a certain directory, you can do so. Get these tools & updates.
Bomber: All of us know how important software bills of materials (SBOMs) are, and the vulnerabilities that affect them even more so. This open-source repository tool that we’ve evaluated will help you scan JSON formatted SBOM files to point out any vulnerabilities they may have. Check out Bomber.
Alan C2 Framework: Until recently, this command & control (C2) framework – even though it was hosted on GitHub – was closed source. You could download it and test it for free, but not inspect its source code unless you decompiled it. Now the source code has been made available. For example, you can now look at the certificate information and add it to your detection pipeline if you have not already done so. Access the Alan C2 Framework source code.
FISSURE: This interesting Radio Frequency (RF) framework was released as open source at the recently concluded DEFCONference. With this reverse engineering RF framework, you can detect, classify signals, execute attacks, discover protocols, and analyze vulnerabilities. A lot can be done with this tool! Check out FISSURE.
Sub7 Legacy: The source code to your favorite trojan from the not-so-recent past is now available. Well, not really. This is a complete remake of the trojan from the early 2000’s. The look & feel is still the same – minus the malicious features, but it does make one nostalgic. Here’s hoping that threat actor groups don’t use this Delphi source code for new and nefarious use cases! Check out the new Sub7 Legacy.
Hashview: What do you do when you dump a hash via Mimikatz and want to crack it? In a team engagement, a tool like Hashview can help. It allows you to automate hashcat, retroactively crack hashes, and get notifications on a particular event. Check out the Hashview source code.
Center for Internet Security: CIS published their August update for the End-of-Support Software Report List. Use it coupled with Qualys CSAM to stay updated on software that’s no longer vendor supported.
New Vulnerabilities
CVE-2022-34301/CVE-2022-34302/CVE-2022-34303 – Not much was known about these bootloader vulnerabilities when they were first disclosed as part of Microsoft Patch Tuesday. New research about these vulnerabilities was presented at DEFCON pointing towards weaknesses in third-party code signed by Microsoft. Special care must be given to fixing these vulnerabilities, as manual intervention is required for complete remediation.
CVE-2022-30209 – Fresh off of its disclosure at Black Hat USA 2022, this IIS authentication bypass vulnerability discovered by Devcore, is introduced because of a logic error as a result of improper copy/pasting of variable names. Qualys VMDR customers can find unpatched devices in their networks by looking for QID 91922 in their results.
CVE-2022-22047 – This Windows client/server runtime subsystem (CSRSS) elevation of privilege vulnerability affects almost all Windows versions, including v7, 8.1, 10, 11, and Windows Server 2008, 2012, 2016, 2019, and 2022! QIDs 91922 and 91927 should be of interest to current Qualys VMDR customers.
CVE-2022-26138 – The Confluence Questions app, when installed will create a
disabledsystemuser
user with a known and now publicized hardcoded password. Post exploitation, bad actors can read the pages accessible by the confluence-users group.
CVE-2022-26501 – Proof-of-concept code for this unauthenticated remote code execution vulnerability affecting Veeam Distribution Service (VDS) has been available for more than four months now. When last checked on Shodan, there were more than 18,000 publicly facing devices that host Veeam Backup Services.
Introducing the Monthly Threat Thursdays Webinar
Please join us for the first Threat Thursdays monthly webinar where the Qualys Threat Research Team will present the latest threat intelligence… each and every month!