The third point release of the Kali Linux 2021 series, Kali Linux 2021.3, has been released with a number of major improvements along with some new tools.

Kali Linux 2021.3 comes with a bevy of new hacking tools and updated core packages, and also makes virtualization more seamless when setting up a virtual environment. The information domain Kali-Tools has also been refreshed with a clean interface, to provide a concise overview of tools and a faster system.

Kali didn't forget about KDE, as one of its favorite desktop environments; Kali Linux 2021.3 also brings improvements to the layout for the Xfce and GNOME editions.

What's New in Kali Linux 2021.3 Release?

Aside from the updated core packages, with Kali Linux 2021.3, OpenSSL has now been configured for wider compatibility to allow Kali to talk to as many services as possible.

Legacy protocols such as TLS 1.0 and TLS 1.1 and older ciphers are now enabled by default, which will help to improve Kali’s ability to talk to older, obsolete systems and servers that are still using these protocols. Among the tools added in the Kali Linux 2021.3 release are:

  • Subjack: Subdomain takeover
  • RouterKeygenPC: Generate default WPA/WEP Wi-Fi keys
  • WPA_Sycophant: Evil client portion of EAP relay attack
  • HostHunter: Recon tool for discovering hostnames using OSINT techniques
  • EAPHammer: Targeted evil twin attacks against WPA2-Enterprise Wi-Fi networks
  • CALDERA: Scalable automated adversary emulation platform
  • Berate_ap: Orchestrating MANA rogue Wi-Fi Access Points
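
To see what the OpenSSL change described above means on a given host, the following added example (not Kali's own tooling) reads an openssl.cnf, follows the chain to the system-default section, and reports the protocol floor and security level it sets. The two config samples are constructed for illustration; MinProtocol and CipherString are standard OpenSSL configuration commands.

```python
import re

# Constructed samples (not copied from any distribution's openssl.cnf).
WIDE = """\
openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = None
CipherString = DEFAULT@SECLEVEL=0
"""
STRICT = WIDE.replace("= None", "= TLSv1.2").replace("SECLEVEL=0", "SECLEVEL=2")

BELOW_TLS12 = {"none", "sslv3", "tlsv1", "tlsv1.1"}

def parse_cnf(text):
    """Parse openssl.cnf-style text into {section: {key: value}}; '' is the top level."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        header = re.fullmatch(r"\[\s*(.+?)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def system_defaults(sections):
    """Follow openssl_conf -> ssl_conf -> system_default to the section libssl applies."""
    name = sections[""].get("openssl_conf")
    for key in ("ssl_conf", "system_default"):
        name = sections.get(name, {}).get(key)
    return sections.get(name, {})

def audit(text):
    """Report the protocol floor and security level the config sets for TLS clients."""
    defaults = system_defaults(parse_cnf(text))
    floor = defaults.get("MinProtocol")
    level = re.search(r"@SECLEVEL=(\d)", defaults.get("CipherString", ""))
    return {
        "min_protocol": floor,
        "seclevel": int(level.group(1)) if level else None,
        # None: the file sets no floor, so the library's built-in default applies.
        "floor_below_tls12": None if floor is None else floor.lower() in BELOW_TLS12,
    }

if __name__ == "__main__":
    for label, cnf in (("wide", WIDE), ("strict", STRICT)):
        print(label, audit(cnf))
```

On a Debian-based system the file is typically /etc/ssl/openssl.cnf; pass its contents to audit().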

Furthermore, Kali has partnered with Ampere to have its ARM package building machines running on Ampere’s hardware, which means that Kali will benefit from the burst in speed.

How to Download or Upgrade to Kali Linux 2021.3

For those who are new to Kali, simply grab the new Kali 2021.3 ISO images which are now available for download with support for several platforms.

If you’re an existing Kali Linux user and want to upgrade from the previous version to Kali Linux 2021.3, you can easily upgrade your system by following the updating Kali guide.

Kali Linux 2021.3 Release: Brings Improvements to Kali Live VM Support

MSHTML (also known as Trident) is a proprietary browser engine for the Windows version of Internet Explorer, developed by Microsoft.

According to Microsoft Threat Intelligence Center (MSTIC), a number of attacks have attempted to exploit a remote code execution vulnerability in MSHTML, tracked as CVE-2021-40444, using specially crafted Microsoft Office documents.

As part of an initial campaign that distributed custom Cobalt Strike Beacon loaders, these attackers communicated with an infrastructure that Microsoft associates with multiple cyber-criminal campaigns, including human-operated ransomware.

How Windows MSHTML Zero-Day was Exploited to Deploy Cobalt Strike Beacon in targeted systems?

The attack vector relies on a malicious ActiveX control which could be loaded by MSHTML using a malicious Office document.

Microsoft customers who enabled attack surface reduction rules to block Office from creating child processes are not impacted by the exploitation technique used in the attacks. The attackers leveraged the vulnerability to access entry point devices and run highly-privileged code, with their secondary actions relying on stealing credentials, which could result in organization-wide impact.

Again, this attack illustrates the importance of implementing attack surface reduction, credential hygiene, and lateral movement mitigations.

How to Mitigate against the MSHTML Zero-Day Exploit

Microsoft has already rolled out a fix for the MSHTML vulnerability as part of its Patch Tuesday updates on September 14.

Therefore, customers are advised to apply the security patch for CVE-2021-40444 to fully mitigate this vulnerability. Also, Microsoft has confirmed that the attack surface reduction rule blocks activity associated with exploitation of the MSHTML Zero-Day.

MSHTML Zero-Day Exploited to deploy Cobalt Strike Beacon in targeted Windows machine

Azure Container Instances (ACI) service allows users to run containers directly in a serverless cloud environment, requiring no virtual machines or clusters.

Palo Alto Networks' Unit 42 threat intelligence team has disclosed a vulnerability in the ACI service that could have been exploited by an attacker to access other customers' information. The vulnerability, dubbed "Azurescape", involves how a malicious actor can leverage a cross-tenant technique to escape a rogue ACI container, escalate privileges, and take over impacted containers by executing malicious code.

Microsoft, however, issued a patch shortly after the disclosure, and there is no known information on Azurescape being exploited in the wild.

How Azurescape could have been exploited by a Malicious actor to access customers' information?

Azure Container Instances (ACI) offers a Container-as-a-Service (CaaS) that enables customers to run containers on Azure without managing the underlying servers.

The CaaS offering is notoriously hard to access: users are only exposed to their container environment, and local network access is disabled through firewalls. But the researchers created WhoC, a container image that reads the container runtime executing it. It's based on a rarely discussed design flaw in Linux containers that allows them to read the underlying host's container runtime.

Deploying WhoC to ACI enabled the researchers to retrieve the container runtime used in the platform and, unsurprisingly, they found runC, the industry standard container runtime.

RunC v1.0.0-rc2, which was released in 2016, was vulnerable to at least two container breakout CVEs. The presence of this old version of runC in ACI allowed the researchers to successfully break out of their container and gain a reverse shell running as root on the underlying host, which turned out to be a Kubernetes node.

Although the node's Kubelet only allowed anonymous access, the researchers tried to access Kubelets on neighboring nodes, but all attempted requests to neighboring nodes timed out, probably due to a firewall configuration that prevented communication between worker nodes. The researchers deployed a few breakout containers which landed on different Kubernetes clusters, with unique cluster IDs ranging from 1 to 125; these cluster IDs indicated that each location (e.g. West Europe) hosted a few dozen clusters.

ACI was hosted on clusters running either Kubernetes v1.8.4, v1.9.10 or v1.10.9, versions which were released between November 2017 and October 2018 and are vulnerable to multiple publicly known vulnerabilities. The researchers started going over past Kubernetes issues, searching for ones that would allow their compromised node to escalate privileges or gain access to other nodes, and CVE-2018-1002102 was identified as promising.

CVE-2018-1002102 marks a security issue in how the api-server communicated with Kubelets: it accepted redirects. By redirecting the api-server's requests to another node's Kubelet, a malicious Kubelet can spread in the cluster.

Again, this discovery highlights the need for cloud users to take a 'defense-in-depth' approach to securing their cloud infrastructure that includes continuous monitoring for threats, inside and outside the cloud platform.

Azurescape Vulnerability: Cross-Account Container takeover in Azure Container Instances

There is an ongoing malware campaign spearheaded by a network of websites that acts as a “dropper as a service” which serves up a variety of unrelated malware together in a single dropper.

According to Sophos, these networks employ search engine optimization to push a “bait” webpage to the first page of search results for queries seeking “crack” versions of popular software products; and a variety of information stealers, including clickfraud bots and other malware were delivered through the sites.

This network of sites targets those seeking “cracked” versions of popular software packages with links that redirect the victims to the payload designed for their platform.

How Popular Pirated Software is Used as a Lure to Serve Up Malware Droppers?

On clicking the bait pages, victims are directed to a download site that hosts a packaged archive containing malware, while others are steered to browser plugins or applications that fall in a potentially unwanted grey area.

The downloads contained a variety of potentially unwanted applications and malware, including Stop ransomware, the Glupteba backdoor, and a variety of malicious cryptocurrency miners in addition to Raccoon Stealer. Several of the malware campaigns that hosted the “cracked” software were powered in part by InstallUSD, an advertising network based in Pakistan which promises a payment of up to $5 US for every software install delivered.

The researchers also found a number of other such services that, instead of offering their own malware delivery networks, act as "go-betweens" to established malvertising networks that pay website publishers for traffic.

Many of these services advertise on the same boards where criminal affiliates can set up accounts quickly, but most require a deposit paid in Bitcoin before they can begin distributing installers.

All of these delivery methods dropped packages with the same basic characteristics: the download was a .zip archive file named after the alleged “cracked” product sought by the target, and inside, the archive contained an additional .zip archive and a file with “password” in its name.

As the malicious payloads are in password-protected archives, and in formats that cannot be opened natively by Windows Explorer, they cannot be scanned by endpoint security tools during download.
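
The package layout described above can still be recognised without opening the protected payload. The following is an added example, not Sophos's tooling: it flags a .zip that carries a nested, locked .zip next to a file with "password" in its name. The sample archive, its file names and the size cap are constructed for illustration and contain no real payload.

```python
import io
import zipfile

MAX_NESTED = 64 * 1024 * 1024  # assumed cap: do not unpack oversized inner archives

def encrypted_members(data):
    """Names of zip members with general-purpose flag bit 0 (encrypted) set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [m.filename for m in zf.infolist() if m.flag_bits & 0x1]
    except zipfile.BadZipFile:
        return []

def triage(data):
    """Flag the layout described above: nested locked .zip plus a 'password' file."""
    with zipfile.ZipFile(io.BytesIO(data)) as outer:
        members = outer.infolist()
        notes = [m.filename for m in members if "password" in m.filename.lower()]
        opaque = []
        for m in members:
            if not m.filename.lower().endswith(".zip"):
                continue
            if m.flag_bits & 0x1 or m.file_size > MAX_NESTED:
                opaque.append(m.filename)      # cannot inspect: treat as opaque
            elif encrypted_members(outer.read(m)):
                opaque.append(m.filename)      # inner archive has locked members
    return {"password_notes": notes, "opaque_nested": opaque,
            "matches_pattern": bool(notes and opaque)}

def build_sample(locked=True):
    """Constructed, harmless sample; no real payload or password protection."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("setup.exe", b"placeholder bytes, not a program")
    raw = bytearray(inner.getvalue())
    if locked:
        cd = raw.find(b"PK\x01\x02")   # central directory file header
        raw[cd + 8] |= 0x01            # force the 'encrypted' flag bit on
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("installer.zip", bytes(raw))
        zf.writestr("password_1234.txt", "1234")
    return outer.getvalue()

if __name__ == "__main__":
    print(triage(build_sample()))
    print(triage(build_sample(locked=False)))
```

A match is a triage signal for quarantine or sandboxing, since the flag only shows that the inner content could not be scanned.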

Dropper packages and the malware delivery platforms have been around for a long time, and they continue to thrive because of the same sort of market dynamics as those that make stealers as a service so profitable.

Popular Pirated software used as lure to serve up Malware droppers

GCToolkit is a set of libraries for analyzing Java garbage collection (GC) log files; it parses log files into discrete events and offers an API for aggregating data from the events.

Microsoft’s Java Engineering Group announced the open-sourcing of GCToolkit and its availability on GitHub, offered under the MIT license. The tool comprises three Java modules: the API, garbage collection log file parsers, and a message backplane based on the Vert.x toolkit for building apps on the JVM.

The API serves as the entry point into the toolkit, concealing the details of using the parser to analyze a garbage collection log file behind method calls; the parser module is a collection of regular code developed to be a robust garbage collection log parser.

How the open-sourcing of GCToolkit will impact the Development ecosystem?

As GCToolkit parses GC log files into discrete events and provides an API for aggregating data from those events, it allows developers to create arbitrary and complex analyses of the state of managed memory in the Java Virtual Machine (JVM).

The management of memory in the JVM comprises 3 main pieces, namely: memory buffers, also known as Java heap; allocators, which work on getting data into Java heap; and garbage collection (GC).

GC is responsible for recovering memory in Java heap that is no longer in use. The term is often used as a euphemism for memory management, and "tuning GC" or "tuning the collector" are used with the understanding of tuning the JVM’s memory management subsystem.

How to Get Started with Microsoft GCToolkit?

GCToolkit is currently available on GitHub and offered under the MIT license, if you're interested in contributing.

But if you only want to follow along, you can join the community discussions at

Microsoft open-sources GCToolkit Java garbage collection analyzer

FIN7, a Russian advanced persistent threat group which has primarily targeted the U.S. since 2015, is using Windows 11 Alpha-themed docs to drop a JavaScript backdoor against retail and hospitality sectors located in the U.S.

According to Anomali Threat Research, six malicious Windows 11 Alpha-themed Word documents with Visual Basic macros are being used to drop JavaScript payloads, including a JavaScript backdoor. While the attack vector for this activity remains unknown, it strongly suggests an email phishing or spearphishing campaign.

The activity likely took place around late-June to late-July 2021, based on the file names in this campaign observed by the researchers.

How FIN7 APT Group is Using Windows 11 Themed Documents to drop Javascript Backdoor?

Anomali Threat Research analysis conducted on malicious Microsoft Word documents themed after Windows 11 Alpha, disclosed with moderate confidence that the Word documents were part of a malware campaign conducted by the threat group FIN7.

The attack chain began with a Microsoft Word document (.doc) containing a decoy image claiming to have been made with Windows 11 Alpha. On analyzing the file, it was discovered to contain a VBA macro populated with junk data as comments. Junk data is a common tactic used by threat actors to impede analysis, but once this junk data is removed, we are left with a VBA macro.

The VBScript takes encoded values from a hidden table inside the .doc file, and after deobfuscating the VBA macro, language checks are carried out. If these languages are detected, the function me2XKr is called, which deletes the table and stops running. The script also checks for virtual machines and stops running if one is detected.

Interestingly, the attack stops after detecting Russian, Ukrainian, or several other Eastern European languages. There is no solid attribution, but the language check function and the table it scores against indicate a likely geographic location for the creator of this malicious doc file.

The reason is not far-fetched, as it is an almost unofficial policy that cybercriminals based in the Commonwealth of Independent States (CIS) are generally left alone if they do not target interests or individuals within the respective borders, thus the VBA macro checking the target system language against a list including common CIS languages will terminate the infection when found to match.

However, the addition of Serbian, a minority German Slavic language, Estonian, Slovenian and Slovak remains unusual, as these are not languages usually considered for exclusion and would perhaps be considered ‘fair game.’

Windows 11 Alpha-themed Word docs used to drop malicious payloads