Bunch of News
~
Persistence without “Persistence”: Meet The Ultimate Persistence Bug – “NoReboot”
https://blog.zecops.com/research/persistence-without-persistence-meet-the-ultimate-persistence-bug-noreboot/
~
Vulnerability in QVPN Service
https://www.qnap.com/en/security-advisory/qsa-21-61
~
A New Web Skimmer Campaign Targets Real Estate Websites Through Attacking Cloud Video Distribution Supply Chain
https://unit42.paloaltonetworks.com/web-skimmer-video-distribution
~
VMware Workstation, Fusion and ESXi updates address a heap-overflow vulnerability (CVE-2021-22045)
https://www.vmware.com/security/advisories/VMSA-2022-0001.html
~
New Zloader Campaign exploits Microsoft’s Signature Verification putting users at risk
https://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/
~
Vulnerability in Apache HTTP Server
Security researchers have discovered a buffer overflow vulnerability (CVE-2021-44790) in Apache HTTP Server. Successful exploitation could allow an attacker to perform a remote code execution attack.
https://www.csa.gov.sg/singcert/Alerts/al-2022-072
Patchwork APT caught in its own web
Patchwork is an Indian threat actor that has been active since December 2015 and usually targets Pakistan via spear phishing attacks. In its most recent campaign from late November to early December 2021, Patchwork has used malicious RTF files to drop a variant of the BADNEWS (Ragnatela) Remote Administration Trojan (RAT).
What is interesting among victims of this latest campaign, is that the actor has for the first time targeted several faculty members whose research focus is on molecular medicine and biological science.
https://blog.malwarebytes.com/threat-intelligence/2022/01/patchwork-apt-caught-in-its-own-web/
WordPress Security Release
This security release features four security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 3.7 have also been updated.
https://wordpress.org/news/2022/01/wordpress-5-8-3-security-release/
Abcbot - An Evolution of Xanthe
The malware was named Xanthe and its main purpose is to hijack the resources of a compromised host to mine cryptocurrency.
https://www.cadosecurity.com/abcbot-an-evolution-of-xanthe/
~
Would You Exchange Your Security for a Gift Card?
This letter was supposedly from Best Buy giving out a $50 gift card to its loyal customers. Included in this letter is seemingly a USB drive that claims to contain a list of items to spend on…
(Bad USB as a physical attachment)
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/would-you-exchange-your-security-for-a-gift-card/
New macOS vulnerability, “powerdir,” could lead to unauthorized user data access
https://www.microsoft.com/security/blog/2022/01/10/new-macos-vulnerability-powerdir-could-lead-to-unauthorized-user-data-access/
~
Linux version of AvosLocker ransomware targets VMware ESXi servers
https://www.bleepingcomputer.com/news/security/linux-version-of-avoslocker-ransomware-targets-vmware-esxi-servers/
CVE-2021-45608 | NetUSB RCE Flaw in Millions of End User Routers
https://www.sentinelone.com/labs/cve-2021-45608-netusb-rce-flaw-in-millions-of-end-user-routers/
CVE-2021-20038..42: SonicWall SMA 100 Multiple Vulnerabilities
Over the course of routine security research, Rapid7 researcher Jake Baines discovered and reported five vulnerabilities involving the SonicWall Secure Mobile Access (SMA) 100 series of devices, which includes SMA 200, 210, 400, 410, and 500v. The most serious of these issues can lead to unauthenticated remote code execution (RCE) on affected devices.
https://www.rapid7.com/blog/post/2022/01/11/cve-2021-20038-42-sonicwall-sma-100-multiple-vulnerabilities-fixed-2/
Microsoft January 2022 Patch Tuesday: Six zero-days, over 90 vulnerabilities fixed
Microsoft has released 96 security fixes including updates to address six zero-day vulnerabilities.
https://www.zdnet.com/article/microsoft-january-2022-patch-tuesday-six-zero-days-over-90-vulnerabilities-fixed/
~
SAP Security Patch Day – January 2022
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=596902035
New SysJoker Backdoor Targets Windows, Linux, and macOS
Malware targeting multiple operating systems has become no exception in the malware threat landscape. Vermilion Strike, which was documented just last September, is among the latest examples until now
https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/
KNOWN EXPLOITED VULNERABILITIES CATALOG from CISA
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
~
Siemens multiple Vulnerabilities
https://new.siemens.com/global/en/products/services/cert.html#SecurityPublications
~
Night Sky is the latest ransomware targeting corporate networks
https://www.bleepingcomputer.com/news/security/night-sky-is-the-latest-ransomware-targeting-corporate-networks/
~
From User to Domain Admin in (less than) 60 seconds: CVE-2021-42278/CVE-2021-42287
https://www.fortinet.com/blog/threat-research/cve-2021-42278-cve-2021-42287-from-user-to-domain-admin-60-seconds
~
APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit
In this article, we share the details of the latest attacks by APT35 exploiting the Log4j vulnerability and analyze their post-exploitation activities including the new modular PowerShell-based framework dubbed CharmPower, used to establish persistence, gather information, and execute commands.
https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/
Bunch of News
~
Attacking RDP from Inside: How we abused named pipes for smart-card hijacking, unauthorized file system access to client machines and more
https://www.cyberark.com/resources/threat-research-blog/attacking-rdp-from-inside
~
IP spoofing bug leaves Django REST applications open to DDoS, password-cracking attacks
https://portswigger.net/daily-swig/ip-spoofing-bug-leaves-django-rest-applications-open-to-ddos-password-cracking-attacks
~
Coming Soon: New Security Update Guide Notification System
https://msrc-blog.microsoft.com/2022/01/11/coming-soon-new-security-update-guide-notification-system/
~
KB5009543 - January 11, 2022 Breaks L2TP VPN Connections
https://www.reddit.com/r/sysadmin/comments/s1oqv8/kb5009543_january_11_2022_breaks_l2tp_vpn/
~
About the security content of iOS 15.2.1 and iPadOS 15.2.1
https://support.apple.com/en-us/HT213043
~
Security Vulnerabilities fixed in Firefox 96
https://www.mozilla.org/en-US/security/advisories/mfsa2022-01/
~
CVE-2021-4204: Linux Kernel eBPF Improper Input Validation Vulnerability
https://www.openwall.com/lists/oss-security/2022/01/11/4
~
January updates causing unexpected reboots on domain controllers
Looks like KB5009557 (2019) and KB5009555 (2022) are causing something to fail on domain controllers, which then keep rebooting every few minutes.
https://www.reddit.com/r/sysadmin/comments/s21ae1/january_updates_causing_unexpected_reboots_on/
~
CVE-2021-3997: Uncontrolled recursion in systemd's systemd-tmpfiles
https://www.openwall.com/lists/oss-security/2022/01/10/2
Nanocore, Netwire and AsyncRAT spreading campaign uses public cloud infrastructure
In short: Azure and AWS infrastructure is being used to run the attacks and spread the malware:
PoC
https://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spreading.html
Update: BLD service
Addresses from this article will be added to the BLD service.
What is the BLD service: a light, fast and free service from Sys-Admin for blocking malicious hosts; details:
lab.sys-adm.in
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
Simple DNS-TESTER tool update: BASH spinner added
A nice, simple example of how to animate progress and liven up a running script:
https://github.com/m0zgen/dns-tester/raw/master/docs/test-dns.gif
While the script runs, a spinner now shows the progress of the domain-name checks.
DNS-TESTER is a bash script that checks the DNS servers in a given list and computes their average response time.
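The idea behind the tool above (a spinner that runs while each DNS server is timed, then an average of the measured response times), as an added example written for this post and not the DNS-TESTER project's own code. It assumes `dig` and `awk` are installed for live measurements; the sample dig output is constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example, not the DNS-TESTER project's code: a spinner-wrapped
# DNS response-time measurement in POSIX sh.
# Assumptions: `dig` is available for live runs; sample output below is constructed.

# Run a command in the background and animate a spinner on stderr until it
# exits. The command's stdout is untouched and its exit status is returned.
spin_while() {
    "$@" &
    pid=$!
    chars='|/-\'
    i=0
    while kill -0 "$pid" 2>/dev/null; do
        i=$(( (i + 1) % 4 ))
        printf '\r%s' "$(printf '%s' "$chars" | cut -c $((i + 1)))" >&2
        sleep 0.1
    done
    wait "$pid"
    status=$?
    printf '\r \r' >&2
    return "$status"
}

# Average the ";; Query time: N msec" lines that dig prints (read from stdin).
# Prints the integer average in ms, or "-" when no query produced a timing.
avg_query_time() {
    awk '/Query time:/ { sum += $4; n++ }
         END { if (n) printf "%d\n", sum / n; else print "-" }'
}

# Query one server COUNT times (default 3) and report the average response time.
measure_server() {
    server=$1; name=$2; count=${3:-3}
    i=0
    while [ "$i" -lt "$count" ]; do
        dig "@$server" "$name" +tries=1 +time=2 2>/dev/null
        i=$((i + 1))
    done | avg_query_time
}

# Constructed sample of dig output (not real measurements), so that
# avg_query_time can be exercised offline.
sample_dig_output() {
    printf ';; Query time: 12 msec\n;; Query time: 18 msec\n;; Query time: 30 msec\n'
}

# Usage with a real server list (needs dig and network access):
#   for s in 1.1.1.1 8.8.8.8; do printf '%s: ' "$s"; spin_while measure_server "$s" example.com; done
```

The spinner writes only to stderr so the measured value on stdout stays clean enough to pipe into `sort -n` when ranking a long server list; `+tries=1 +time=2` keeps a dead server from stalling the whole run.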
Hackers Are Compromising Employees of Law and Accounting Firms, Warns eSentire
GootLoader Gang Launches Wide-Spread Cyberattacks Enticing Legal and Accounting Employees to Download Malware
https://www.esentire.com/security-advisories/gootloader-hackers-are-compromising-employees-of-law-firms-and-accounting-agencies-warns-esentire
~
Firefox browser is suddenly failing to load websites [U: Fixed]
https://9to5mac.com/2022/01/13/firefox-browser-suddenly-failing-to-load-websites-this-morning-heres-the-fix/
~
NetworkManager 1.34 Arrives with Better WireGuard Support, Many Improvements
https://9to5linux.com/networkmanager-1-34-arrives-with-better-wireguard-support-many-improvements
~
Windows Server: January 2022 security updates are causing DC boot loop
https://borncity.com/win/2022/01/12/windows-server-januar-2022-sicherheitsupdates-verursachen-boot-schleife/
https://www.reddit.com/r/sysadmin/comments/s24o7k/kb5009624_breaks_hyperv/
XFS file system vulnerability CVE-2021-4155: what it is and how to fix it
https://www.virtuozzo.com/company/blog/xfs-file-system-vulnerability-cve-2021-4155/
~
BreakingFormation: Orca Security Research Team Discovers AWS CloudFormation Vulnerability
https://orca.security/resources/blog/aws-cloudformation-vulnerability/
~
Linux-Targeted Malware Increases by 35% in 2021: XorDDoS, Mirai and Mozi Most Prevalent
https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/
~
CVE-2021-4122: cryptsetup 2.x: decryption through LUKS2 reencryption
https://www.openwall.com/lists/oss-security/2022/01/13/2
~
New Intel chips won't play Blu-ray disks due to SGX deprecation
https://www.bleepingcomputer.com/news/security/new-intel-chips-wont-play-blu-ray-disks-due-to-sgx-deprecation/
~
Ransomware targets Edge users
https://blog.malwarebytes.com/threat-intelligence/2022/01/ransomware-targets-edge-users/
~
EXPLOITING URL PARSING CONFUSION
https://news.1rj.ru/str/sysadm_in_up/995
Changes news: Sys-Admin BLD service now serves DoH dns-query on both ports 443 and 8443
Hey, today I'm happy to say that I have new changes on the Sys-Admin BLD service: you can now use the DoH service in two different modes:
• https://bld.sys-adm.in/dns-query
or
• https://bld.sys-adm.in:8443/dns-query
Both modes work!
How to set up your browser or another device for DoH is described on the BLD WIKI page.
Notes:
• This mode will be added to the Sys-Admin "black-box" service in the next BLD release
• The 8443 mode may be deprecated in the BLD service
Comment from the BLD author (@sysadm_in_channel owner):
• If you are thinking about your privacy, or about the security of your devices or networks, try the open and free BLD service, and you will see the effect of a clean internet instantly 🙂
P.S. About the BLD service in Russian - https://news.1rj.ru/str/sysadm_in_up/996
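A way to check either of the two DoH endpoints from a terminal before pointing a browser at them, as an added example written for this post (not part of the BLD service or its wiki). It builds an RFC 8484 GET request by hand: the DNS query in wire format, base64url-encoded into the `?dns=` parameter. It assumes `curl`, `base64` and `od` are available; the endpoint URLs are the two announced above, and the `doh_query_param`/`doh_lookup` function names are this example's own.

```shell
#!/bin/sh
# Added example, not BLD's code: hand-built RFC 8484 DoH GET request.
# Assumptions: curl, base64 and od are installed; the endpoint URLs are the
# ones announced for the BLD service, everything else is illustrative.

# Encode a DNS wire-format A query for NAME as the base64url string that
# goes into the ?dns= parameter (ID 0, RD set, one question, no padding).
doh_query_param() {
    name=$1
    {
        # Header: ID=0x0000, flags=0x0100 (RD), QDCOUNT=1, AN/NS/ARCOUNT=0
        printf '\000\000\001\000\000\001\000\000\000\000\000\000'
        # QNAME: one length-prefixed label per dotted component
        oldifs=$IFS; IFS=.
        for label in $name; do
            printf "\\$(printf '%03o' "${#label}")"
            printf '%s' "$label"
        done
        IFS=$oldifs
        # Root label, then QTYPE=A (1) and QCLASS=IN (1)
        printf '\000\000\001\000\001'
    } | base64 | tr -d '\n=' | tr '+/' '-_'
}

# Send the query to a DoH endpoint and dump the raw DNS response as hex.
# DOH_URL selects the mode: https://bld.sys-adm.in/dns-query (port 443, the
# default here) or https://bld.sys-adm.in:8443/dns-query.
doh_lookup() {
    curl -sS -H 'accept: application/dns-message' \
        "${DOH_URL:-https://bld.sys-adm.in/dns-query}?dns=$(doh_query_param "$1")" \
        | od -An -tx1
}

# Usage (needs network access):
#   doh_lookup example.com
#   DOH_URL=https://bld.sys-adm.in:8443/dns-query doh_lookup example.com
```

For `www.example.com` the function reproduces the `dns=` value given as the GET example in RFC 8484 section 4.1.1, which is a handy way to confirm the encoder before blaming the server; a resolver that blocks a host will usually answer with NXDOMAIN or an unroutable address in the hex dump rather than refusing the HTTPS request.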
Oracle Critical Patch Update Pre-Release Announcement - January 2022
https://www.oracle.com/security-alerts/cpujan2022.html
~
Safari 15 IndexedDB Leaks
What is this vulnerability and who is affected? You can test this demo on all affected browsers: Safari 15 on macOS, or any browser on iOS and iPadOS 15
The demo illustrates how any website can learn a visitor's recent and current browsing activity (websites visited in different tabs or windows) using this leak. For visitors, logged into Google services, this demo can also leak Google User IDs and profile pictures.
https://safarileaks.com/
😡 it works on macOS Monterey 12.2 with Safari 15.3
Update:
Exploiting IndexedDB API information leaks in Safari 15
https://fingerprintjs.com/blog/indexeddb-api-browser-vulnerability-safari-15/
~
5 Alternative Ways to Change Your DNS Server in Windows 11
https://www.makeuseof.com/windows-11-alternate-ways-change-dns-server-settings/
~
Transferring Selinux Settings To Another System With Semanage
Use the following steps for transferring your custom and verified SELinux settings between RHEL 9-based systems.
https://access.redhat.com/documentation/jajp/red_hat_enterprise_linux/9-beta/html/using_selinux/transferring-selinux-settings-to-another-system-with-semanage_using-selinux
/ Igor leaving from NGINX
https://www.nginx.com/blog/do-svidaniya-igor-thank-you-for-nginx/
/ Mixed Messages: Busting Box’s MFA Methods
Varonis Threat Labs discovered a way to bypass multi-factor authentication (MFA) for Box accounts that use an SMS code for login verification.
https://www.varonis.com/blog/box-mfa-bypass-sms
P.S. thx for the link dear subscriber ✌️
/ Linux kernel: Heap buffer overflow in fs_context.c since version 5.1
- https://www.openwall.com/lists/oss-security/2022/01/18/7
- CVE-2022-0185 (demo) - https://github.com/Crusaders-of-Rust/CVE-2022-0185
/ GitHub Actions flaw that allowed code to be approved without review is addressed with new feature rollout
- https://portswigger.net/daily-swig/github-actions-flaw-that-allowed-code-to-be-approved-without-review-is-addressed-with-new-feature-rollout
/ Choosing between Ansible's copy and template modules
Ansible's copy and template modules are a great way to get started with automation:
https://www.redhat.com/sysadmin/ansibles-copy-template-modules
/ MAKE YOUR PYTHON CLI TOOLS POP WITH RICH
https://hackaday.com/2022/01/19/make-your-python-cli-tools-pop-with-rich/
/ CVE-2021-45467: CWP CentOS Web Panel – preauth RCE
https://octagon.net/blog/2022/01/22/cve-2021-45467-cwp-centos-web-panel-preauth-rce/
/ Backdoor Found in Themes and Plugins from AccessPress Themes
https://jetpack.com/2022/01/18/backdoor-found-in-themes-and-plugins-from-accesspress-themes/