SwitHak

General

• This is the translation for the demo video of SANA, Russian project aiming to monitor Social Networks like Facebook, Twitter, VK, etc...

Translation

00:02 Основные объекты системы находятся в меню слева
	The main system objects are in the menu on the left.
  
00:05 Инфоповоды отслеживают возникновение необходимых сообщений

SwitHak

20200318-IOC-RECORDEDFUTURE-20200318
Separator: single comma [,]


|DOMAINS|
cdc-gov.org,Cdcgov.org,insiderppe.cloudapp.net,cloud-security.ggpht.ml,cloud-security.ggpht.ml

|EMAILS@|
Postmaster[@]mallinckrodt.xyz,brentpaul403[@]yandex.ru

SwitHak

20200318-IOC-RISKIQ-20200317-REPORT_CURATED
Separator: single comma [,], except for subjects ["]

|URLs|
http://coronavirus-guidelines.online,http://coronavirus0012.000webhostapp.com/,http://coronavirus2020covid-19.000webhostapp.com/,http://coronaviruscovid19-information.com/en/corona.apk,http://coronaviruscovid19-information.com/it/corona.apk,http://coronavirusnepal10.000webhostapp.com:443/,http://coronavirusnepal16.000webhostapp.com/,http://coronavirusnepal7.000webhostapp.com/,http://coronavirustest.ru/,http://drunkwhitekids.com/wordpress/wp-includes/theme-compat/coronavirus/,http://nepalcoronavirus2.000webhostapp.com/,http://raymondne.buzz:443/COVID-19PRECAUTIONS/toda/office.php,http://toyswithpizzazz.com.au/service/coronavirus,http://zep0de.com/COVID-19.zip,https://advancedaesthetics.ch/fkja/coronavirusutm.sourceutm.mediumcampaigncoronaemailUniquea51c1d067cfe4e6696ca8147bb3c5d90.26sourceImagePreview.html,https://advancedaesthetics.ch/fkja/coronavirusutm.sourceutm.mediumcampaigncoronaemailuniquea51c1d067cf

SwitHak

20200318-IOC-AVAST-20200318_FT_202003181642
Separator: single comma [,]

|DOMAINS|
finland-coronavirus-map.netlify.com,coronavirus-traker.en.aptoide.com,coronavirus.marinhhs.org,www.info-coronavirus.be,coronavirus.utah.gov,coronavirus.dc.gov,coronavir.ru,covid19.min-saude.pt,getcoronavirusalert.com,coronavirus-status.s3.eu-central-1.amazonaws.com,coronavirus-daily-status.firebaseio.com,covid19japan.com,coronavirus.epidemixs.org,covid19.egreen.io,covid-19-lk-dev.firebaseio.com,coronaviruss.ir,coronavirus-d9a66.firebaseio.com,flutter-covid19.firebaseio.com,coronavirus-mask.com,coronavirus-tracker-api.herokuapp.com,coronavirus-a600f.firebaseio.com,coronavirusmap-eb48d.firebaseio.com,covid19.tfone.ir,covid-19-e9057.firebaseio.com,covid19-dd7f7.firebaseio.com,covid-19-healthlynked.firebaseio.com,coronavirus-statistics-710b6.firebaseio.com,covid-19-6538f.firebaseio.com,coronavirus-3ffb2.firebaseio.com,coronavirus-alert.firebaseio.com,micronekcovid19.blob.core.windows.net,covid-19-live-news-statistics.firebaseio.com

SwitHak

CVE-2020-0796 AKA SMBGhost

General

• A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests.
• An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client.
• To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it.
• The security update addresses the vulnerability by correcting how the SMBv3 protocol handles these specially crafted requests.
• Vulnerability was discovered by Microsoft Platform Security Assurance & Vulnerability Research team.

Affected products:

SwitHak

CVE-2020-0601 AKA ChainOfFools OR CurveBall

General

• Microsoft disclosed a vulnerability in their monthly Patch Tuesday referenced under CVE-2020-0601.
• The vulnerability was discovered by the U.S. National Security Agency, anounced today (2020-01-14) in their press conference, followed by a blog post and an official security advisory.
• The flaw is located in the "CRYPT32.DLL" file under the C:\Windows\System32\ directory.

Vulnerability explanation

• NSA description:
• NSA has discovered a critical vulnerability (CVE-2020-0601) affecting Microsoft Windows® cryptographic functionality.

SwitHak

# Host Indicator of Compromises (Comma separator used):

---

Name,MD5 Hash,SHA-1 Hash,SHA-256 Hash,Size (bytes),Type,Compilation Date
dustman.exe,8AFA8A59EEBF43EF223BE52E08FCDC67,E3AE32EBE8465C7DF1225A51234F13E8A44969CC,F07B0C79A8C88A5760847226AF277CF34AB5508394A58820DB4DB5A8D0340FC7,264704,64-bit EXE,Sun Dec 29 08:57:19 2019 (GMT+3)
elrawdsk.sys,993E9CB95301126DEBDEA7DD66B9E121,A7133C316C534D1331C801BBCD3F4C62141013A1,36A4E35ABF2217887E97041E3E0B17483AA4D2C1AEE6FEADD48EF448BF1B9E6C,24576,64-bit EXE,Sun Oct 14 10:43:19 2012(GMT+3)
assistant.sys,EAEA9CCB40C82AF8F3867CD0F4DD5E9D,7C1B25518DEE1E30B5A6EAA1EA8E4A3780C24D0C,CF3A7D4285D65BF8688215407BCE1B51D7C6B22497F09021F0FCE31CBEB78986,68288,64-bit EXE,Sat May 31 05:18:53 2008 (GMT+3)
agent.exe,F5F8160FE8468A77B6A495155C3DACEA,20D61C337653392EA472352931820DC60C37B2BC,44100C73C6E2529C591A10CD3668691D92DC0241152EC82A72C6E63DA299D3A2,116224,64-bit EXE,Sun Dec 29 08:56:27 2019 (GMT+3)

SwitHak

Advisory (URGENT/11)

UPDATE (2019-10-02 1241 UTC)

General

Armis released new information about the vulnerabilities scope. The vulnerabilities impact more RTOS than expected.

IP Stacks backstory

• Some of the vulnerabilities discovered by Armis doesn't resides in VxWorks RTOS but in one part of it, the IP stack. This IP stack named IPNET stack comes from Interpeak AB, a company acquired by Wind River the editor of VxWorks RTOS, the 20th March 2006.
• Before been acquired by Wind River, the Interpeak AB company sold IP stacks to several customers of them. Interpeak AB sold 2 major IP stacks named IPNET & IPLITE, IPLITE is a light version of IPNET.

SwitHak

Advisory

Netflix has identified several TCP networking vulnerabilities in FreeBSD and Linux kernels.

Details:

See the netflix information security advisory:

• https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md

Exploit

sudo hping3 yourhost --tcp-mss 20 -S --flood