Happy Friday! If you are attending Black Hat USA in a couple of weeks, you are once again invited to our Security Wasteland party. Feel free to reach out for a VIP code. Otherwise, here is the rundown of the team's deliverables this week:
This vulnerability, affecting Microsoft SharePoint, was added to VulnCheck KEV and CISA KEV on July 20 (last Sunday). The vulnerability, a patch bypass, has been actively exploited in the wild and has been the talk of the town all week. Most attackers (and the public PoCs) use the vulnerability to drop a web shell, but the team instead chose to drop a VBS script that results in a reverse shell. The team is finishing up a second variant that resides only in memory.
The team delivered a Sigma rule, PCAPs, network signatures, a version scanner, and search engine queries.
This vulnerability was added to VulnCheck KEV on July 18 and CISA KEV on July 22. The team has delivered search engine queries and a vulnerable Docker container. The team is still working through patch analysis for the full exploit.
Included in this week's coverage is an exploit for CVE-2023-1133, an unauthenticated .NET deserialization vulnerability in Delta Electronics InfraSuite Device Master, a device monitoring solution for data center and ICS environments. No public exploitation attempts have been documented as of yet; however, this vulnerability carries a high EPSS percentile (0.99343) and has a public Metasploit module.
Coverage also includes search queries, network signatures, a PCAP, and a Sigma rule.
Following our observation of an attacker in the wild leveraging a new GTFOBin primitive in a CVE-2021-36260-based exploit, we developed a new variant that reproduces this technique against Hikvision systems. A new PCAP is available. While the existing Suricata and Snort rules still detect this activity, the network traffic profile during exploitation differs significantly from the original variant.