Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains
https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html
https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html
Trend Micro
Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains
Squirrelwaffle is known for using the tactic of sending malicious spam as replies to existing email chains. We look into how by investigating its exploit of Microsoft Exchange Server vulnerabilities, ProxyLogon and ProxyShell.
Bunch of News
Vulnerability Spotlight: Vulnerabilities in Lantronix PremierWave 2050 could lead to code execution, file deletion
https://blog.talosintelligence.com/2021/11/lantronix-premier-wave-vuln-spotlight.html
Windows Security Updates for Hackers
https://bitsadm.in/blog/windows-security-updates-for-hackers
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Denial of Service Vulnerabilities
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asafdt-webvpn-dos-KSqJAKPA
[Conti] Ransomware Group In-Depth Analysis
https://www.prodaft.com/resource/detail/conti-ransomware-group-depth-analysis/
GoDaddy Announces Security Incident Affecting Managed WordPress Service
https://www.sec.gov/Archives/edgar/data/1609711/000160971121000122/gddyblogpostnov222021.htm
NGINX Unit is a polyglot app server, a reverse proxy, and a static file server, available for Unix-like systems. It was built by nginx team members from scratch to be highly efficient and fully configurable at runtime.
The latest version is 1.26.0, released on November 18, 2021.
http://unit.nginx.org/
APT Actors Exploiting Newly Identified Vulnerability in ManageEngine ADSelfService Plus
https://us-cert.cisa.gov/ncas/alerts/aa21-259a
Microsoft Exchange Health Checker noscript
https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/
PoC of CVE-2021-42321: pop mspaint.exe..:
https://news.1rj.ru/str/sysadm_in_up/906
Vulnerability Spotlight: Vulnerabilities in Lantronix PremierWave 2050 could lead to code execution, file deletion
https://blog.talosintelligence.com/2021/11/lantronix-premier-wave-vuln-spotlight.html
Windows Security Updates for Hackers
https://bitsadm.in/blog/windows-security-updates-for-hackers
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Denial of Service Vulnerabilities
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asafdt-webvpn-dos-KSqJAKPA
[Conti] Ransomware Group In-Depth Analysis
https://www.prodaft.com/resource/detail/conti-ransomware-group-depth-analysis/
GoDaddy Announces Security Incident Affecting Managed WordPress Service
https://www.sec.gov/Archives/edgar/data/1609711/000160971121000122/gddyblogpostnov222021.htm
NGINX Unit is a polyglot app server, a reverse proxy, and a static file server, available for Unix-like systems. It was built by nginx team members from scratch to be highly efficient and fully configurable at runtime.
The latest version is 1.26.0, released on November 18, 2021.
http://unit.nginx.org/
APT Actors Exploiting Newly Identified Vulnerability in ManageEngine ADSelfService Plus
https://us-cert.cisa.gov/ncas/alerts/aa21-259a
Microsoft Exchange Health Checker noscript
https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/
PoC of CVE-2021-42321: pop mspaint.exe..:
https://news.1rj.ru/str/sysadm_in_up/906
Cisco Talos Blog
Vulnerability Spotlight: Vulnerabilities in Lantronix PremierWave 2050 could lead to code execution, file deletion
Matt Wiseman discovered these vulnerabilities.
Cisco Talos recently discovered multiple vulnerabilities in Lantronix’s PremierWave 2050, an embedded Wi-Fi module.
There are several vulnerabilities in PremierWave 2050’s Web Manager, a web-accessible application…
Cisco Talos recently discovered multiple vulnerabilities in Lantronix’s PremierWave 2050, an embedded Wi-Fi module.
There are several vulnerabilities in PremierWave 2050’s Web Manager, a web-accessible application…
Claroty’s researchers discovered a new attack concept to target VPNs (OpenVPN)
https://claroty.com/2021/11/19/blog-research-all-roads-lead-to-openvpn-pwning-industrial-remote-access-clients/
https://claroty.com/2021/11/19/blog-research-all-roads-lead-to-openvpn-pwning-industrial-remote-access-clients/
Claroty
All Roads Lead to OpenVPN: Pwning Industrial Remote Access Clients
Claroty's researchers discovered a new attack concept to target VPNs. Learn more.
Windows Installer Elevation of Privilege Vulnerability
MS Info - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41379
PoC - https://github.com/klinix5/InstallerFileTakeOver
MS Info - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41379
PoC - https://github.com/klinix5/InstallerFileTakeOver
Your Fingerprint Can Be Hacked For $5. Here’s How
https://blog.kraken.com/post/11905/your-fingerprint-can-be-hacked-for-5-heres-how/
https://blog.kraken.com/post/11905/your-fingerprint-can-be-hacked-for-5-heres-how/
Kraken Blog
Your Fingerprint Can Be Hacked For $5. Here’s How.
Fingerprint authentication is a convenient alternative to passwords and PIN codes. Who wants to spend time typing in a lengthy string of numbers, letters and characters when a simple tap will suffice? Unfortunately, that convenience comes at a cost. Because…
New trojan detected on AppGallery app catalog
At least 9.300.000 Android device owners have installed these dangerous games.
https://news.drweb.com/show/?i=14360&lng=en
At least 9.300.000 Android device owners have installed these dangerous games.
https://news.drweb.com/show/?i=14360&lng=en
Dr.Web
New trojan detected on AppGallery app catalog
Doctor Web malware analysts discovered dozens of games on the AppGallery catalog that have an <a href="https://vms.drweb.com/search/?q=Android.Cynos.7.origin&lng=en"><b>Android.Cynos.7.origin</b></a> trojan built into them. This trojan is designed to collect…
VMware vCenter Server updates address arbitrary file read and SSRF vulnerabilities (CVE-2021-21980, CVE-2021-22049)
https://www.vmware.com/security/advisories/VMSA-2021-0027.html
https://www.vmware.com/security/advisories/VMSA-2021-0027.html
Открытые практикумы DevOps и White hacking by Rebrain (30.11, 2.12)
DevOps by Rebrain: Делаем data plane Kubernetes в AWS дешевле и проще в управлении
• Посмотрим, какие решения можно использовать для запуска подов в Kubernetes в облаке AWS
• Запустим наш кластер полностью на spot-инстансах и развернём приложение в нём
• Добавим в кластер ноды с разными архитектурами: x86 и ARM
• Попробуем serverless-решение Fargate, в котором поды можно запускать без добавления нод в кластер
• 30 Ноября 19.00 МСК. Регистрация
• Михаил Голубев - Sr. Solutions Architect в AWS. Больше 15 лет в IT.
White hacking by Rebrain: OWASP TOP 10 и насколько это применимо в жизни
• Поговорим о динамике owasp top 10 за последние года остановившись на 2021 года
• Подискутируем, что ещё могло бы туда попасть
• Разберём некоторые из уязвимостей на разных стеках
• 2 Декабря 19.00 МСК.Регистрация
• Александр Крылов - Lead DevOps В ПАО СК Росгосстрах. Опыт работы в DevOps более 5 лет.
Microsoft Defender for Endpoint fails to start on Windows Server
https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-for-endpoint-fails-to-start-on-windows-server/
https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-for-endpoint-fails-to-start-on-windows-server/
BleepingComputer
Microsoft Defender for Endpoint fails to start on Windows Server
Microsoft has confirmed a new issue impacting Windows Server devices preventing the Microsoft Defender for Endpoint security solution from launching on some systems.
Joker virus resurfaces on Google Play Store; Hidden in these 14 apps
https://kalingatv.com/technology/beware-joker-virus-back-on-google-play-store-uninstall-these-14-android-apps-immediately/
https://kalingatv.com/technology/beware-joker-virus-back-on-google-play-store-uninstall-these-14-android-apps-immediately/
KalingaTV
Beware! Joker virus back on Google Play Store, Uninstall these 14 Android apps immediately
Beware Android phone users! The very dangerous malware Joker 'virus' has once again surfaced in Google Play Store apps. This Joker virus is a malicious
Iranian threat actors exploit MS MSHTML bug to steal Google and Instagram credentialsSecurity Affairs
https://securityaffairs.co/wordpress/124984/apt/iran-apt-microsoft-mshtml-exploit.html
https://securityaffairs.co/wordpress/124984/apt/iran-apt-microsoft-mshtml-exploit.html
Security Affairs
Iranian threat actors exploit MS MSHTML bug to steal Google and Instagram credentials
An Iranian threat actor is stealing Google and Instagram credentials of Farsi-speaking targets by exploiting a Microsoft MSHTML bug.
gcat_threathorizons_full_nov2021.pdf
2.6 MB
While cloud customers continue to face a variety of threats across applications and infrastructure,
many successful attacks are due to poor hygiene and a lack of basic control implementation...
Report from Thread Horizons
many successful attacks are due to poor hygiene and a lack of basic control implementation...
Report from Thread Horizons
Bunch of News
RATDispenser: Stealthy JavaScript Loader Dispensing RATs into the Wild
https://threatresearch.ext.hp.com/javanoscript-malware-dispensing-rats-into-the-wild/
Looking for vulnerabilities in MediaTek audio DSP
https://research.checkpoint.com/2021/looking-for-vulnerabilities-in-mediatek-audio-dsp/
“Free Steam games” videos promise much, deliver malware
https://blog.malwarebytes.com/scams/2021/11/free-steam-games-videos-promise-much-deliver-malware/
BABADEDA CRYPTER TARGETING CRYPTO, NFT, AND DEFI COMMUNITIES
https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities
RATDispenser: Stealthy JavaScript Loader Dispensing RATs into the Wild
https://threatresearch.ext.hp.com/javanoscript-malware-dispensing-rats-into-the-wild/
Looking for vulnerabilities in MediaTek audio DSP
https://research.checkpoint.com/2021/looking-for-vulnerabilities-in-mediatek-audio-dsp/
“Free Steam games” videos promise much, deliver malware
https://blog.malwarebytes.com/scams/2021/11/free-steam-games-videos-promise-much-deliver-malware/
BABADEDA CRYPTER TARGETING CRYPTO, NFT, AND DEFI COMMUNITIES
https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities
HP Wolf Security
RATDispenser: Stealthy JavaScript Loader Dispensing RATs into the Wild | HP Wolf Security
With a 11% detection rate, RATDispenser appears to be effective at evading security controls and delivering malware.
Apache redux: preventing Server Side Request Forgery via CVE-2021-40438
https://www.fastly.com/blog/apache-redux-preventing-server-side-request-forgery-via-cve-2021-40438
https://www.fastly.com/blog/apache-redux-preventing-server-side-request-forgery-via-cve-2021-40438
Fastly
Preventing SSRF: Apache CVE-2021-40438 | Fastly | Fastly
Our Security Research Team provides guidance on how to address CVE-2021-40438, a vulnerability in Apache HTTP Server version 2.4.48 and earlier, by patching impacted version(s) and enabling a new templated rule to prevent exploitation.
Mobile Device Cybersecurity Checklist for Organizations
https://www.cisa.gov/sites/default/files/publications/CEG_Mobile%20Device%20Cybersecurty%20Checklist%20for%20Organizations.pdf
Mobile Device Cybersecurity Checklist for Consumers
https://www.cisa.gov/sites/default/files/publications/CEG_Mobile%20Device%20Cybersecurty%20Checklist%20for%20Consumers.pdf
https://www.cisa.gov/sites/default/files/publications/CEG_Mobile%20Device%20Cybersecurty%20Checklist%20for%20Organizations.pdf
Mobile Device Cybersecurity Checklist for Consumers
https://www.cisa.gov/sites/default/files/publications/CEG_Mobile%20Device%20Cybersecurty%20Checklist%20for%20Consumers.pdf
Конференция OFFZONE в следующем году (25–26 августа)
Организаторы обещают конференцию 25–26 августа в 2022 году, к сожалению ни в прошлом, ни в позапрошлом годах конференцию провести не удалось в связи со сложной эпидеомиологической обстановкой. К счастью, правила проведения массовых мероприятий более-менее устаканились, поэтому удалось определиться с датой.
• Конфа пройдет в оффлайн формате. Почему не онлайн - организаторы отказались от этого формата, чтобы не потерять дух OFFZONE 🙂
• Билеты OFFZONE 2020 будут валидны, мало того по ним будут розданы эксклюзивные футболки.
В общем кто планирует посещение уже наверное стоит задуматься о возможном бюджете.
Детали на сайт конференции - https://offzone.moscow/ru/
Bunch of News
Exclusive: Resecurity discovered 0-day vulnerability in TP-Link Wi-Fi 6 devices
https://securityaffairs.co/wordpress/125016/hacking/0-day-tp-link-wi-fi-6.html
IKEA email systems hit by ongoing cyberattack
https://www.bleepingcomputer.com/news/security/ikea-email-systems-hit-by-ongoing-cyberattack/
Panasonic India's Data Released in Extortion Plot
https://www.bankinfosecurity.com/panasonic-india-held-to-500k-ransom-data-released-a-15573
Zoom vulnerability. This can potentially allow a malicious actor to crash the service or application, or leverage this vulnerability to execute arbitrary code.
https://nvd.nist.gov/vuln/detail/CVE-2021-34423
CronRAT malware hides behind February 31st
https://sansec.io/research/cronrat
https://gist.github.com/gwillem/fbe3e6b98e2e10d7f1f271ca4b6e813f
GitHub is back online after a two-hour outage
https://www.theverge.com/2021/11/27/22805076/github-down-outage-service-issues
Exclusive: Resecurity discovered 0-day vulnerability in TP-Link Wi-Fi 6 devices
https://securityaffairs.co/wordpress/125016/hacking/0-day-tp-link-wi-fi-6.html
IKEA email systems hit by ongoing cyberattack
https://www.bleepingcomputer.com/news/security/ikea-email-systems-hit-by-ongoing-cyberattack/
Panasonic India's Data Released in Extortion Plot
https://www.bankinfosecurity.com/panasonic-india-held-to-500k-ransom-data-released-a-15573
Zoom vulnerability. This can potentially allow a malicious actor to crash the service or application, or leverage this vulnerability to execute arbitrary code.
https://nvd.nist.gov/vuln/detail/CVE-2021-34423
CronRAT malware hides behind February 31st
https://sansec.io/research/cronrat
https://gist.github.com/gwillem/fbe3e6b98e2e10d7f1f271ca4b6e813f
GitHub is back online after a two-hour outage
https://www.theverge.com/2021/11/27/22805076/github-down-outage-service-issues
Security Affairs
Resecurity discovered 0-day vulnerability in TP-Link Wi-Fi 6 devices
Resecurity researchers found a zero-day vulnerability in the TP-Link enterprise device with model number TL-XVR1800L.
Blocky Listener Daemon (BLD) Service Update Announcement
BLD is a free DoT/DoH/DNS service that prevents tracking, telemetry collection, advertising, malicious content, etc., to improve privacy and distraction-free experience
What's new in this update:
• Got rid of NGINX proxy to reduce overhead. Now all requests are handled by BLD service itself
• Migrated from Let's Encrypt to ACME Cloudflare
• Added / Updated prevention from Clickbait, Coinhive, Malware
• New project logo
• Added info on how to report blocking issues in dns-hole repo
See also:
• "What is BLD?" presentation (RU)
How to use:
• https://lab.sys-adm.in
P.S. Previouse announce
#bld #announce
BLD is a free DoT/DoH/DNS service that prevents tracking, telemetry collection, advertising, malicious content, etc., to improve privacy and distraction-free experience
What's new in this update:
• Got rid of NGINX proxy to reduce overhead. Now all requests are handled by BLD service itself
• Migrated from Let's Encrypt to ACME Cloudflare
• Added / Updated prevention from Clickbait, Coinhive, Malware
• New project logo
• Added info on how to report blocking issues in dns-hole repo
See also:
• "What is BLD?" presentation (RU)
How to use:
• https://lab.sys-adm.in
P.S. Previouse announce
#bld #announce
lab.sys-adm.in
Sys-Admin Laboratory
Open Sys-Admin BLD DNS - Focus on information for free with adblocking and implicit cybersecurity threat prevention.
Sys-Admin InfoSec pinned «Blocky Listener Daemon (BLD) Service Update Announcement BLD is a free DoT/DoH/DNS service that prevents tracking, telemetry collection, advertising, malicious content, etc., to improve privacy and distraction-free experience What's new in this update: …»
Bunch of News
DNA Data Security Incident
DNA Diagnostics Center, Inc. (DDC) detected potential unauthorized access to its network, during which there was unauthorized access and acquisition of an archived database
https://dnacenter.com/data-security-incident-information-center/
Printing Shellz
This paper will walk you through the steps of our journey, from how we discovered the vulnerabilities, how we lovingly crafted the exploits and provides mitigation advice also. The vulnerabilities that were discovered affect more than 150 HP multi-function printers (MFPs).
https://labs.f-secure.com/publications/printing-shellz
Illicit coin mining, ransomware, APTs target cloud users in first Google Cybersecurity Action Team Threat Horizons report
https://cloud.google.com/blog/products/identity-security/coin-mining-ransomware-apts-target-cloud-gcat-report
DNA Data Security Incident
DNA Diagnostics Center, Inc. (DDC) detected potential unauthorized access to its network, during which there was unauthorized access and acquisition of an archived database
https://dnacenter.com/data-security-incident-information-center/
Printing Shellz
This paper will walk you through the steps of our journey, from how we discovered the vulnerabilities, how we lovingly crafted the exploits and provides mitigation advice also. The vulnerabilities that were discovered affect more than 150 HP multi-function printers (MFPs).
https://labs.f-secure.com/publications/printing-shellz
Illicit coin mining, ransomware, APTs target cloud users in first Google Cybersecurity Action Team Threat Horizons report
https://cloud.google.com/blog/products/identity-security/coin-mining-ransomware-apts-target-cloud-gcat-report