Germán Fernández
Oct 2, 3 tweets, 3 min read
I wrote a quick Nmap script to scan for servers potentially vulnerable to #ProxyNotShell (based on Microsoft's recommended URL blocking rule) I hope it can be useful for someone :)

[+] github.com/CronUp/Vulnera…

#0day CVE-2022-40140 CVE-2022-41082
Basically, it sends an SSRF-like request adding the string "Powershell" in the URI; if there is no block and the server returns the "X-FEServer" header with the server name, then it is potentially vulnerable.

Also in its mass scanning version ~
Updated script, added #ProxyShell validation and some error handling, thanks to @CesarSilence and @GossiTheDog for their ProxyShell checker template (I was missing the "redirect_ok=false") :D
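As an added example (not the author's Nmap script and not code from the CronUp repository), the decision logic the thread describes, applied to raw HTTP responses from the probe: the probe path itself is left to the linked script, redirects are reported rather than followed (the "redirect_ok=false" point), and the sample responses and the EXCH01 host name below are constructed.

```python
"""Classify an Exchange front-end's raw HTTP response to the ProxyNotShell
mitigation probe.  Added example: the probe request is not sent here and
the responses below are constructed for illustration."""
import re

STATUS_RE = re.compile(rb"^HTTP/1\.[01] (\d{3})\b")


def parse_response(raw: bytes):
    """Return (status_code, headers) from a raw HTTP/1.x response head.
    Header names are lower-cased so lookups are case-insensitive."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    match = STATUS_RE.match(lines[0])
    if not match:
        raise ValueError("not an HTTP/1.x status line")
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return int(match.group(1)), headers


def classify(raw: bytes) -> str:
    """Map a probe response to one of the thread's outcomes."""
    if not raw:  # connection closed without a response (e.g. a blocking rule aborted it)
        return "blocked (no response returned)"
    status, headers = parse_response(raw)
    if 300 <= status < 400:  # do not follow: a redirect target is a different endpoint
        return f"redirect (not followed) -> {headers.get('location', '?')}"
    if "x-feserver" in headers:  # request reached the Exchange front end unblocked
        return f"potentially vulnerable (X-FEServer: {headers['x-feserver']})"
    return "blocked or not an Exchange front-end (no X-FEServer header)"


# Constructed sample responses, one per outcome.
SAMPLES = {
    "unblocked": b"HTTP/1.1 401 Unauthorized\r\nServer: Microsoft-IIS/10.0\r\n"
                 b"X-FEServer: EXCH01\r\nContent-Length: 0\r\n\r\n",
    "blocked": b"HTTP/1.1 404 Not Found\r\nServer: Microsoft-IIS/10.0\r\n"
               b"Content-Length: 0\r\n\r\n",
    "redirect": b"HTTP/1.1 302 Found\r\nLocation: https://exch01.example.test/owa\r\n"
                b"X-FEServer: EXCH01\r\n\r\n",
    "aborted": b"",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:10s} -> {classify(raw)}")
```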

More from @1ZRR4H

Sep 29
1/ So, a site impersonating @Fortinet downloads a signed MSI that uses PowerShell to run #BatLoader; if the user is connected to a domain (corporate network) it deploys:

1) #Ursnif (Bot)
2) #Vidar (Stealer)
3) #Syncro RMM (C2)
4) #CobaltStrike
And possibly
5) #Ransomware 💥
2/ For the initial deployment they use NirCmd, NSudo and GnuPG (to encrypt payloads), among other utilities.

* Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse
* Remove-Encryption -FolderPath $env:APPDATA -Password '105b'
3/ The websites are boosted through SEO poisoning and impersonate brands such as @Zoom, @TeamViewer, @AnyDesk, @LogMeIn, @CCleaner, #FileZilla and #Winrar, among others.

/teamviewclouds.com
/zoomcloudcomputing.tech
/logmein-cloud.com
/teamcloudcomputing.com
/anydeskos.com
Sep 27
LockBit 3.0 post Leak 📈🤦‍♂️

2022/07 - 31 hits
2022/08 - 21 hits
2022/09 - 165 hits
REF: valhalla.nextron-systems.com/info/rule/MAL_…

H/T @cyb3rops
"Bl00dy Ransomware Gang" is one of the groups that already started using the builder (they use Telegram to continue their extortion scheme).
Sep 20
19/SEPT: The hacktivist group #Guacamaya leaked 366 GB of internal emails from the Estado Mayor Conjunto de las Fuerzas Armadas de Chile (EMCO) 🇨🇱

The #FuerzasRepresivas operation is part of a series of attacks on police and military forces in LATAM.

1/
The group had been exploiting the #ProxyShell vulnerability to gain access to the organizations' Microsoft Exchange servers.

Some of the IPs in the images correspond to vulnerable servers that had been reported since at least 09/August/2021. REF: cronup.com/proxyshell-el-…

2/
Upcoming leaks according to #Guacamaya:

- SEDENA México (6 TB)
- Policía Nacional Civil de El Salvador (4 TB)
- Comando General de las Fuerzas Militares de Colombia (275 GB)
- Fuerza Armada de El Salvador (50 GB)
- CCFFAA del Perú (35 GB)
- Ejército del Perú (70 GB)

3/
Aug 5
1/ Interesting toolkit currently used by #Ransomware affiliates 💣

- 1.bat > Disabler (UAC/NLA/IFEOs)
- 1.msi > Anydesk wrapped using exemsi[.]com (persistence/C2)
- aswArPot.sys > Avast Anti-Rootkit driver used to disable AV/EDR (BYOVD)
- terminat.exe > #BURNTCIGAR (?)
2/ The artifacts were available until today on a server with #opendir (80.209.241.3:8888) that was active for at least 15 days.

You may want to block/monitor this hash: 4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1 (aswArPot.sys)

[+] bazaar.abuse.ch/browse/tag/80-…
3/ More references regarding these TTPs:

[+] @TrendMicro (2022-05-02): trendmicro.com/en_us/research…
[+] @Aon_plc (2022-02-26): aon.com/cyber-solution…
[+] @Mandiant (2022-02-23): mandiant.com/resources/unc2…

#AvosLocker/#CUBA/#UNC2596/#Ransomware
Nov 16, 2021
🚨 Beware of downloads from #Anonfiles (used by many malicious actors): instead of the file you wanted, you may end up installing not just 1 but 7 different kinds of #Malware 👀

Let's look at an example: /anonfiles.com/7c62z4s9ob/Youtube_Viewer_rar

1/X
Clicking "download" automatically downloads a file named "YouTube+Viewer.rar[.]zip", but the download actually comes from /yfilesstorage.com/Youtube+Viewer.rar.zip?c=AISJk2FCGQUA4ksCAENMFwAMAMyKTf0A (a password-protected .ZIP) 🤔

2/X
Unfortunately, this goes unnoticed by less cautious users.

However, thanks to @hatching_io, we can find out that what they actually install is #Arkei, #Metasploit, #Racoon, #Redline, #Smokeloader, #Socelars and #Vidar 😵

tria.ge/211116-mn4ghad…

3/X
Apr 22, 2021
A new threat actor has put up for sale multiple DBs from Eleven Paths and Telefónica Chile 🇨🇱 (SOC)

The source of the leak appears to be a BMC Remedy-style ticketing system and could affect another 18 organizations ⚠️

[1/2]
The attacker attached an email from April 17 of this year and registered today just to upload this; they probably had/have access to the platform.

Everything suggests we will keep seeing this kind of leak in Chile if people keep sharing the URLs of these forums 🤦‍♂️

Time to check!!

[2/2]
