CVE-2021-41379 Patch Bypass = InstallerFileTakeOver

November 23, 2021

Industry: N/A | Level: Tactical | Source: BleepingComputer

Security researcher Abdelhamid Naceri was able to bypass a vulnerability Microsoft intended to patch as part of the November 2021 patch cycle, tracked under CVE-2021-41379. The exploit is tracked under the name InstallerFileTakeOver. It affects all supported versions of Windows, including Windows 10, Windows 11 and Windows Server 2022, enabling a user to obtain admin-level privileges. BleepingComputer validated the ease of use of the exploit: it “tested the exploit and used it to open a command prompt with SYSTEM privileges from an account with only low-level ‘Standard’ privileges. Using this vulnerability, threat actors with limited access to a compromised device can easily elevate their privileges to help spread laterally within the network.”

  • Anvilogic Use Case: Potential InstallerFileTakeOver CVE-2021-41379

ProxyShell & Web Shells

November 23, 2021

Industry: N/A | Level: Tactical | Source: Mandiant

Mandiant investigations continue to identify exploitation of Microsoft Exchange vulnerabilities as recently as November 2021, with estimates of up to 30,000 internet-facing servers vulnerable. Threat actor exploitation of these vulnerabilities has slightly shifted: “most notably, the writing of web shells via export of exchange certificate requests instead of mailbox exports, and exploitation of the first two vulnerabilities in the exploit chain only to achieve remote PowerShell and create new mailboxes, assign them privileged access to other mailboxes, then access them via Outlook Web Access (OWA),” states the investigation. Three attack paths were observed following the second-stage exploitation: dropping a web shell; using the Microsoft cmdlet New-ExchangeCertificate to write web shell files; and using New-Mailbox, New-RoleGroupMember and Add-MailboxPermission to create a new user with full Exchange administrative capabilities.

  • Anvilogic Use Cases
    • Potential ProxyShell
    • Potential Web Shell
    • Web Application File Upload
    • Exchange New Export Request
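Detection logic for the two Exchange behaviours described above (certificate requests written into a web-served directory, and a new mailbox quickly granted privileged access), as an added example that is not part of this digest or of Anvilogic's use cases. The audit records are constructed, and the -RequestFile parameter name and the web-root path fragments are assumptions about how such activity would appear in Exchange admin audit logging.

```python
import re
from datetime import datetime, timedelta

# Constructed records shaped like Exchange admin audit log entries:
# (caller, cmdlet, parameter string, run time). Not real log data.
SAMPLE_LOG = [
    ("contoso\\svc-exch", "New-ExchangeCertificate",
     "-GenerateRequest -RequestFile C:\\inetpub\\wwwroot\\aspnet_client\\req.aspx",
     "2021-11-10T02:14:03"),
    ("contoso\\admin1", "New-ExchangeCertificate",
     "-GenerateRequest -RequestFile C:\\certs\\mail.req", "2021-11-10T09:00:00"),
    ("contoso\\svc-exch", "New-Mailbox",
     "-Name tmpuser -UserPrincipalName tmpuser@contoso.com", "2021-11-10T02:20:11"),
    ("contoso\\svc-exch", "New-RoleGroupMember",
     "-Identity 'Organization Management' -Member tmpuser", "2021-11-10T02:21:40"),
    ("contoso\\helpdesk", "New-Mailbox", "-Name newhire", "2021-11-11T14:00:00"),
]

# Path fragments served by IIS / Exchange front end (assumed, lower-cased for matching).
WEB_ROOTS = ("\\inetpub\\", "\\frontend\\httpproxy\\")
WEB_EXTS = (".aspx", ".ashx", ".asp", ".asmx")
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s'\"]+")
PRIV_CMDLETS = {"New-RoleGroupMember", "Add-MailboxPermission"}


def cert_request_to_web_path(record):
    """True when a New-ExchangeCertificate call names a script file under a web root."""
    _, cmdlet, params, _ = record
    if cmdlet != "New-ExchangeCertificate":
        return False
    for path in PATH_RE.findall(params):
        low = path.lower()
        if low.endswith(WEB_EXTS) and any(root in low for root in WEB_ROOTS):
            return True
    return False


def mailbox_then_privilege(records, window=timedelta(minutes=30)):
    """Callers who create a mailbox and grant privileged access within `window`."""
    flagged, creations = set(), {}
    for caller, cmdlet, _, ts in sorted(records, key=lambda r: r[3]):
        t = datetime.fromisoformat(ts)
        if cmdlet == "New-Mailbox":
            creations.setdefault(caller, []).append(t)
        elif cmdlet in PRIV_CMDLETS:
            if any(timedelta(0) <= t - m <= window for m in creations.get(caller, [])):
                flagged.add(caller)
    return flagged


def scan(records):
    """Return (web-root certificate request records, callers chaining mailbox creation to privilege)."""
    return [r for r in records if cert_request_to_web_path(r)], mailbox_then_privilege(records)
```

Both rules are starting points for the "Exchange New Export Request" and "Potential Web Shell" use cases; tune the window and path list to the environment's baseline.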

MSTIC identifies Iranian Threat Actors Targeting IT Sector

November 23, 2021

Industry: Information Technology | Level: Tactical | Source: Microsoft

A report from the Microsoft Threat Intelligence Center (MSTIC) has identified an increase in Iranian threat actors targeting the IT sector, specifically service companies, as a means to access downstream customer networks. The report stated, “This activity is notable because targeting third parties has the potential to exploit more sensitive organizations by taking advantage of trust and access in a supply chain.” The attacks have been identified as aimed at compromising organizations of interest to the Iranian regime. Microsoft observed the rise in attacks, prompting more than 1,600 notifications to over 40 IT companies this year in regards to Iranian targeting, compared with only 48 notifications sent in 2020. Attacks have been observed with DEV-0228 compromising an IT provider in Israel in early July 2021, dumping credentials and then pivoting over the following two months to other organizations that have strong relations with the initially compromised IT company.

  • Anvilogic Scenario: GhostShell Behavior
  • Anvilogic Use Case: Remote Admin Tools