/ New PowerShell Backdoor for Espionage
https://www.cybereason.com/blog/powerless-trojan-iranian-apt-phosphorus-adds-new-powershell-backdoor-for-espionage
/ Critical Vulnerabilities in Trend Micro Deep Security Agent for Linux
https://www.modzero.com/advisories/MZ-21-02-Trendmicro.txt
/ Local privilege escalation vulnerability fixed in ESET products for Windows
https://support.eset.com/en/ca8223-local-privilege-escalation-vulnerability-fixed-in-eset-products-for-windows
Cybereason
PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage
Cybereason discovered a new toolset developed by Iranian APT Phosphorus which revealed a connection to Memento ransomware and includes the newly discovered PowerLess Backdoor that evades detection by running PowerShell in a .NET context...
City of Dallas - Data Loss Report
https://dallascityhall.com/departments/ciservices/Pages/Report-on-Data-Loss.aspx
I love such reports. If you have links to data loss / breach reports, please send them to me :)
P.S. Thx for the link dear subscriber ✌️
Dallascityhall
Information & Technology Services
Report on Data Loss
/ Active Exploitation of Zero-day XSS Vulnerability in Zimbra Details
The campaigns came in multiple waves across two attack phases. The initial phase was aimed at reconnaissance and involved emails designed to simply track if a target received and opened the messages. The second phase came in several waves that contained email messages luring targets to click a malicious attacker-crafted link.
/ Cisco Small Business RV Series Routers Vulnerabilities Details
Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers.
/ Scanning for Generalized Transient Execution Gadgets in the Linux Kernel Details
We confirm our findings by demonstrating an end-to-end proof-of-concept exploit for one of the gadgets found.
/ CISA Adds One Known Exploited Vulnerability to Catalog Details
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below.
/ Path traversal and dereference of symlinks when passing Helm value files Details
All versions of Argo CD are vulnerable to a path traversal bug that allows to pass arbitrary values files to be consumed by Helm charts.
/ ACTINIUM targets Ukrainian organizations Details
Phishing again. ⚡️ Already blocked in Sys-Admin BLD (https://lab.sys-adm.in/)
BLD DNS - An update toward speed and security. Short report.
For almost half a year now, the open preventive DoT/DoH BLD DNS service has been freely benefiting its users by blocking malware, phishing, tracking and advertising domains, saving them traffic, time and mental resources.
During this time, many phishing campaigns (like franken-phish) and malware and ransomware campaigns (like Pegasus or Kaseya) have been blocked; blocking of advertising and tracking domains probably does not even need mentioning, except to note that their count exceeds 1 million entries out of the current ~2 million.
⚡️ In total, ~9%-15% of the ~10 million requests per month from various countries around the world are blocked as malicious, which is very encouraging. Thanks to everyone who uses and contributes to the project.
What was added this year:
• a new region; there are now 4 regions - Kazakhstan, Germany, Singapore, Netherlands
• several per-vendor sets to mitigate false-positive hits
• a duplex DoH mode was added (443, 8443)
• hopefully a BLD DNS block-set constructor will be added soon (announcement)
For my part, I would like to make the open service even more open, accessible and reliable. Let me remind you that the service lives thanks to the help of the project's friends, users and testers; your help would be useful here too, dear user_name. Your contribution, whether intellectual, time or financial, will be invaluable, and your user_name will be listed in the acknowledgements section on the official BLD DNS site - https://lab.sys-adm.in 🙂
P.S. Thanks to friends from Nitro Team for a number of ideas on the project's security.
Good luck and all the best to everyone, with respect @sysadminkz. Take care of yourselves. Peace to all ✌️
/ The evolution of a Mac trojan: UpdateAgent’s progression Details
The trojan, tracked as UpdateAgent, started as a relatively basic information-stealer but was observed distributing secondary payloads in the latest campaign, a capability that it added in one of its multiple iterations. Reminiscent of the progression of info-stealing trojans in other platforms, UpdateAgent may similarly become a vector for other threats to infiltrate target systems.
/ Decrypted: TargetCompany Ransomware Details
The extension of the encrypted files and the ransom note indicated the TargetCompany ransomware (not related to Target the store), which can be decrypted under certain circumstances.
/ Indicators of Compromise Associated with LockBit 2.0 Ransomware (PDF) Details
LockBit 2.0 operates as an affiliate-based Ransomware-as-a-Service (RaaS) and employs a wide variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense and mitigation. LockBit 2.0 ransomware compromises victim networks through a variety of techniques, including, but not limited to, purchased access, unpatched vulnerabilities, insider access, and zero day exploits.
/ Blocking internet macros by default in MS Office Details
For macros in files obtained from the internet, users will no longer be able to enable content with a click of a button. A message bar will appear for users notifying them with a button to learn more. The default is more secure and is expected to keep more users safe including home users and information workers in managed organizations.
/ Qbot Likes to Move It, Move It Details
We did not observe the initial access for this case but assess with medium to high confidence that a malicious email campaign was used to deliver an Excel (xls) document. Following the opening of the xls document, the initial Qbot DLL loader was downloaded and saved to disk. Interestingly, the name of the DLL contained a .html extension to disguise the portable executable nature of the payload. Once executed, the Qbot process creates a scheduled task to elevate itself to system.
/ SpoolFool: Windows Print Spooler Privilege Escalation (CVE-2022-22718)
https://research.ifcr.dk/spoolfool-windows-print-spooler-privilege-escalation-cve-2022-22718-bf7752b68d81
Exploit:
https://github.com/ly4k/SpoolFool
P.S. thx for the link @onebrick
Medium
SpoolFool: Windows Print Spooler Privilege Escalation (CVE-2022-21999)
In this blog post, we’ll look at a Windows Print Spooler local privilege escalation vulnerability that I found and…
/ Windows Kernel Elevation of Privilege Vulnerability
CVE-2022-21989
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21989
Exploring extensions of dependency confusion attacks via npm package aliasing
Dependency confusion attacks are a form of open source supply chain security attacks in which an attacker exploits how package managers install dependencies. In a prior post, we explored how to detect and prevent dependency confusion attacks on npm to maintain supply chain security:
https://snyk.io/blog/exploring-extensions-of-dependency-confusion-attacks-via-npm-package-aliasing/
Snyk
Detect and prevent dependency confusion attacks on npm to maintain supply chain security | Snyk
Learn about dependency confusion attacks, how they manifest for JavaScript and Node.js developers working in the npm ecosystem, and how to prevent them.
Windows DNS Server Remote Code Execution Vulnerability
CVE-2022-21984 (important update)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21984
NGINX - If is Evil... when used in location context
(EN) Directive if has problems when used in location context, in some cases it doesn’t do what you expect but something completely different instead. In some cases it even segfaults. It’s generally a good idea to avoid it if possible.
(RU) The if directive has problems when used in location context; in some cases it does not do what you expect but something completely different instead.
The official site recommends avoiding this directive if possible. Did you know? I didn't - surprise 😄
https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/
/ Attackers Disguise RedLine Stealer as a Windows 11 Upgrade
Threat actors are always looking for topical lures to socially engineer victims into infecting systems. We recently analyzed one such lure, namely a fake Windows 11 installer.
https://threatresearch.ext.hp.com/redline-stealer-disguised-as-a-windows-11-upgrade/
HP Wolf Security
Attackers Disguise RedLine Stealer as a Windows 11 Upgrade | HP Wolf Security
Don’t let cyber threats get the best of you. Read our post, Attackers Disguise RedLine Stealer as a Windows 11 Upgrade, to learn more about cyber threats and cyber security.
/ Most Common Antivirus Evasion and Bypass Techniques
The following are some of the most prevalent methods used by hackers to avoid antivirus detection:
https://www.socinvestigation.com/most-common-antivirus-evasion-and-bypass-techniques/
Additional article - Top 10 web hacking techniques of 2021
...the latest iteration of our annual community-powered effort to identify the most significant web security research released in the last year:
https://portswigger.net/research/top-10-web-hacking-techniques-of-2021
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
StackScraper - Capturing sensitive data using real-time stack scanning against a remote process
tool to show how much data can be extracted from a running process without requiring any injection techniques
https://www.x86matthew.com/view_post?id=stack_scraper
/ NaturalFreshMall: a mass store hack
More than 350 ecommerce stores infected with malware in a single day. Magento under attack:
https://sansec.io/research/naturalfreshmall-mass-hack
And another article from the same category - Critical Vulnerabilities in PHP Everywhere Allow Remote Code Execution
https://www.wordfence.com/blog/2022/02/critical-vulnerabilities-in-php-everywhere-allow-remote-code-execution/
Sansec
NaturalFreshMall: a Magento Mass Hack
An investigative report by Sansec researchers on how one vulnerable Magento extension leads to a mass web store attack, with Magecart attackers using natural...
/ About the security content of iOS 15.3.1 and iPadOS 15.3.1
WebKit. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited
https://support.apple.com/en-us/HT213093
Apple Support
About the security content of iOS 15.3.1 and iPadOS 15.3.1
This document describes the security content of iOS 15.3.1 and iPadOS 15.3.1.
/ A walk through Project Zero metrics
https://googleprojectzero.blogspot.com/2022/02/a-walk-through-project-zero-metrics.html
Blogspot
A walk through Project Zero metrics
Posted by Ryan Schoen, Project Zero tl;dr In 2021, vendors took an average of 52 days to fix security vulnerabilities reported from Projec...
/ Security updates available for Adobe Commerce APSB22-12
Adobe has released security updates for Adobe Commerce and Magento Open Source. These updates resolve a vulnerability rated critical. Successful exploitation could lead to arbitrary code execution:
https://support.magento.com/hc/en-us/articles/4426353041293-Security-updates-available-for-Adobe-Commerce-APSB22-12
/ Simple analysis of weaponized PDFs in phishing attacks
https://securityaffairs.co/wordpress/127946/hacking/analyzing-phishing-attacks-pdfs.html
P.S. Phishing domain already blocked in BLD Service
Security Affairs
Analyzing Phishing attacks that use malicious PDFs
Cybersecurity researchers Zoziel Pinto Freire analyzed the use of weaponized PDFs in phishing attacks