CVE-2021-42306 CredManifest: App Registration Certificates Stored in Azure Active Directory
https://www.netspi.com/blog/technical/cloud-penetration-testing/azure-cloud-vulnerability-credmanifest/
Guidance for Azure Active Directory (AD) keyCredential property Information Disclosure in Application and Service Principal APIs
https://msrc-blog.microsoft.com/2021/11/17/guidance-for-azure-active-directory-ad-keycredential-property-information-disclosure-in-application-and-service-principal-apis/
NetSPI
The vulnerability, found by NetSPI’s cloud pentesting practice director, Karl Fosaaen, affects any organization that uses Automation Account "Run as" accounts in Azure.
DESIGN ISSUES OF MODERN EDR’S: BYPASSING ETW-BASED SOLUTIONS
https://www.binarly.io/posts/Design_issues_of_modern_EDR%E2%80%99s_bypassing_ETW-based_solutions/index.html
Thousands of Firefox users accidentally commit login cookies on GitHub
https://www.theregister.com/2021/11/18/firefox_cookies_github/
The Register
GitHub: 'Credentials exposed by our users are not in scope'
Bunch of News
New ransomware actor uses password-protected archives to bypass encryption protection
https://news.sophos.com/en-us/2021/11/18/new-ransomware-actor-uses-password-protected-archives-to-bypass-encryption-protection/
Python Malware Imitates Signed PyPI Traffic in Novel Exfiltration Technique
https://jfrog.com/blog/python-malware-imitates-signed-pypi-traffic-in-novel-exfiltration-technique/
An APT Group Exploiting a 0-day in FatPipe WARP, MPVPN, and IPVPN Software (FBI Warning)
https://www.ic3.gov/Media/News/2021/211117-2.pdf
The US Defense Department on Friday asked Amazon Web Services, Microsoft, Google and Oracle to submit bids for a new, multi-billion-dollar cloud contract
https://www.zdnet.com/article/pentagon-asks-aws-microsoft-google-and-oracle-to-bid-for-new-cloud-contract/
Sophos News
Calling themselves “Memento team”, actors use Python-based ransomware that they reconfigured after setbacks.
Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains
https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html
Trend Micro
Squirrelwaffle is known for using the tactic of sending malicious spam as replies to existing email chains. We look into how by investigating its exploit of Microsoft Exchange Server vulnerabilities, ProxyLogon and ProxyShell.
Bunch of News
Vulnerability Spotlight: Vulnerabilities in Lantronix PremierWave 2050 could lead to code execution, file deletion
https://blog.talosintelligence.com/2021/11/lantronix-premier-wave-vuln-spotlight.html
Windows Security Updates for Hackers
https://bitsadm.in/blog/windows-security-updates-for-hackers
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Denial of Service Vulnerabilities
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asafdt-webvpn-dos-KSqJAKPA
[Conti] Ransomware Group In-Depth Analysis
https://www.prodaft.com/resource/detail/conti-ransomware-group-depth-analysis/
GoDaddy Announces Security Incident Affecting Managed WordPress Service
https://www.sec.gov/Archives/edgar/data/1609711/000160971121000122/gddyblogpostnov222021.htm
NGINX Unit is a polyglot app server, a reverse proxy, and a static file server, available for Unix-like systems. It was built by nginx team members from scratch to be highly efficient and fully configurable at runtime.
The latest version is 1.26.0, released on November 18, 2021.
http://unit.nginx.org/
APT Actors Exploiting Newly Identified Vulnerability in ManageEngine ADSelfService Plus
https://us-cert.cisa.gov/ncas/alerts/aa21-259a
Microsoft Exchange Health Checker Script
https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/
PoC of CVE-2021-42321 (pops mspaint.exe):
https://news.1rj.ru/str/sysadm_in_up/906
Cisco Talos Blog
Matt Wiseman discovered these vulnerabilities.
Cisco Talos recently discovered multiple vulnerabilities in Lantronix’s PremierWave 2050, an embedded Wi-Fi module.
There are several vulnerabilities in PremierWave 2050’s Web Manager, a web-accessible application…
Claroty’s researchers discovered a new attack concept to target VPNs (OpenVPN)
https://claroty.com/2021/11/19/blog-research-all-roads-lead-to-openvpn-pwning-industrial-remote-access-clients/
Claroty
All Roads Lead to OpenVPN: Pwning Industrial Remote Access Clients
Windows Installer Elevation of Privilege Vulnerability
MS Info - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41379
PoC - https://github.com/klinix5/InstallerFileTakeOver
Your Fingerprint Can Be Hacked For $5. Here’s How
https://blog.kraken.com/post/11905/your-fingerprint-can-be-hacked-for-5-heres-how/
Kraken Blog
Fingerprint authentication is a convenient alternative to passwords and PIN codes. Who wants to spend time typing in a lengthy string of numbers, letters and characters when a simple tap will suffice? Unfortunately, that convenience comes at a cost. Because…
New trojan detected on AppGallery app catalog
At least 9,300,000 Android device owners have installed these dangerous games.
https://news.drweb.com/show/?i=14360&lng=en
Dr.Web
Doctor Web malware analysts discovered dozens of games on the AppGallery catalog that have an Android.Cynos.7.origin trojan (https://vms.drweb.com/search/?q=Android.Cynos.7.origin&lng=en) built into them. This trojan is designed to collect…
VMware vCenter Server updates address arbitrary file read and SSRF vulnerabilities (CVE-2021-21980, CVE-2021-22049)
https://www.vmware.com/security/advisories/VMSA-2021-0027.html
Open DevOps and White Hacking workshops by Rebrain (30.11, 2.12)
DevOps by Rebrain: Making the Kubernetes data plane in AWS cheaper and easier to manage
• We'll look at which solutions can be used to run pods in Kubernetes in the AWS cloud
• We'll run our cluster entirely on spot instances and deploy an application in it
• We'll add nodes with different architectures to the cluster: x86 and ARM
• We'll try the serverless solution Fargate, where pods can be run without adding nodes to the cluster
• November 30, 19:00 MSK. Registration
• Mikhail Golubev - Sr. Solutions Architect at AWS. Over 15 years in IT.
White hacking by Rebrain: OWASP Top 10 and how applicable it is in real life
• We'll discuss how the OWASP Top 10 has changed over recent years, focusing on the 2021 edition
• We'll debate what else could have made it onto the list
• We'll go through some of the vulnerabilities on different stacks
• December 2, 19:00 MSK. Registration
• Alexander Krylov - Lead DevOps at PJSC IC Rosgosstrakh. Over 5 years of DevOps experience.
Microsoft Defender for Endpoint fails to start on Windows Server
https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-for-endpoint-fails-to-start-on-windows-server/
BleepingComputer
Microsoft has confirmed a new issue impacting Windows Server devices preventing the Microsoft Defender for Endpoint security solution from launching on some systems.
Joker virus resurfaces on Google Play Store; Hidden in these 14 apps
https://kalingatv.com/technology/beware-joker-virus-back-on-google-play-store-uninstall-these-14-android-apps-immediately/
KalingaTV
Beware! Joker virus back on Google Play Store, Uninstall these 14 Android apps immediately
Beware Android phone users! The very dangerous malware Joker 'virus' has once again surfaced in Google Play Store apps. This Joker virus is a malicious
Iranian threat actors exploit MS MSHTML bug to steal Google and Instagram credentials
https://securityaffairs.co/wordpress/124984/apt/iran-apt-microsoft-mshtml-exploit.html
Security Affairs
An Iranian threat actor is stealing Google and Instagram credentials of Farsi-speaking targets by exploiting a Microsoft MSHTML bug.
gcat_threathorizons_full_nov2021.pdf
While cloud customers continue to face a variety of threats across applications and infrastructure,
many successful attacks are due to poor hygiene and a lack of basic control implementation...
Report from Threat Horizons
Bunch of News
RATDispenser: Stealthy JavaScript Loader Dispensing RATs into the Wild
https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/
Looking for vulnerabilities in MediaTek audio DSP
https://research.checkpoint.com/2021/looking-for-vulnerabilities-in-mediatek-audio-dsp/
“Free Steam games” videos promise much, deliver malware
https://blog.malwarebytes.com/scams/2021/11/free-steam-games-videos-promise-much-deliver-malware/
BABADEDA CRYPTER TARGETING CRYPTO, NFT, AND DEFI COMMUNITIES
https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities
HP Wolf Security
With an 11% detection rate, RATDispenser appears to be effective at evading security controls and delivering malware.
Apache redux: preventing Server Side Request Forgery via CVE-2021-40438
https://www.fastly.com/blog/apache-redux-preventing-server-side-request-forgery-via-cve-2021-40438
Fastly
Preventing SSRF: Apache CVE-2021-40438
Our Security Research Team provides guidance on how to address CVE-2021-40438, a vulnerability in Apache HTTP Server version 2.4.48 and earlier, by patching impacted version(s) and enabling a new templated rule to prevent exploitation.
Mobile Device Cybersecurity Checklist for Organizations
https://www.cisa.gov/sites/default/files/publications/CEG_Mobile%20Device%20Cybersecurty%20Checklist%20for%20Organizations.pdf
Mobile Device Cybersecurity Checklist for Consumers
https://www.cisa.gov/sites/default/files/publications/CEG_Mobile%20Device%20Cybersecurty%20Checklist%20for%20Consumers.pdf
OFFZONE conference next year (August 25–26)
The organizers promise a conference on August 25–26, 2022. Unfortunately, neither last year nor the year before could the conference be held because of the difficult epidemiological situation. Fortunately, the rules for holding mass events have more or less settled down, so a date could finally be set.
• The conference will be held offline. Why not online: the organizers declined that format so as not to lose the OFFZONE spirit 🙂
• OFFZONE 2020 tickets will remain valid; moreover, exclusive T-shirts will be handed out to their holders.
In short, anyone planning to attend should probably start thinking about the likely budget.
Details on the conference website - https://offzone.moscow/ru/