/ New Threat: B1txor20, A Linux Backdoor Using DNS Tunnel
https://blog.netlab.360.com/b1txor20-use-of-dns-tunneling_en/
360 Netlab Blog - Network Security Research Lab at 360
Background: Since the Log4J vulnerability was exposed, we have seen more and more malware jump on the wagon; Elknot, Gafgyt and Mirai are all too familiar. On February 9, 2022, 360Netlab's honeypot system captured an unknown ELF file propagating through the Log4J…
/ The Discovery and Exploitation of CVE-2022-25636
'''
A few weeks ago, I found and reported CVE-2022-25636 - a heap out-of-bounds write in the Linux kernel. The bug is exploitable to achieve kernel code execution (via ROP), giving full local privilege escalation, container escape, whatever you want:
'''
https://nickgregory.me/linux/security/2022/03/12/cve-2022-25636/
PIA VPN providing special discount for Sys-Adm.in
Hey, several days ago I learned about the PIA VPN service, and was pleasantly surprised by:
- Prices (very affordable)
- Company history (10+ years of experience)
- Privacy terms and encrypted data
- Supported platforms (Linux, Windows, Android/iOS, Smart TV)
- All software from PIA is open source (official repo)
Ok, I contacted PIA with the question "Can you provide more discount to Sys-Admin Community members/subscribers?" and was again pleasantly surprised - the reply from PIA: "We can provide a special discount - 83% OFF + 3 months for free" 🙂
Special discount available - https://privateinternetaccess.com/offer/SALab_qp1tq2bp0
/ CVE-2022-0742: Remote Denial of Service on Linux Kernel >=5.13
Flooding icmp6 messages of type 130 or 131 is enough to exploit a memory leak in the kernel and cause the host to go out-of-memory. The volume of traffic doesn't need to be particularly high:
https://www.openwall.com/lists/oss-security/2022/03/15/3
/ Node.js security: Parse Server remote code execution vulnerability resolved
https://portswigger.net/daily-swig/node-js-security-parse-server-remote-code-execution-vulnerability-resolved
The Daily Swig | Cybersecurity news and views
GitHub has awarded the bug a severity score of 10 – the highest available.
Veeam Backup & Replication vulnerabilities
Multiple vulnerabilities (CVE-2022-26500, CVE-2022-26501) in Veeam Backup & Replication allow executing malicious code remotely without authentication.
https://www.veeam.com/kb4288
Veeam Software, KB4288: CVE-2022-26500 | CVE-2022-26501. This may lead to gaining control over the target system.
New OpenVPN release with some vulnerability fixes
The OpenVPN community project team is proud to release OpenVPN 2.5.6. This is mostly a bugfix release including one security fix ("Disallow multiple deferred authentication plug-ins.", CVE-2022-0547):
https://openvpn.net/community-downloads/
Open DevOps and Linux workshops by Rebrain (March 22 and 23)
Docker Compose and how networking works in Docker
• Bringing order to working with containers
• How can containers interact with each other, and how does networking help here?
• We put the containers on a powder keg and watch how it takes off
• March 22, 19:00 MSK. Details
• Amir Gaifullin - 12 years in IT and 3 years in DevOps.
Linux by Rebrain: RAID arrays
• RAID arrays: types and features.
• How to choose a RAID array type?
• Are hardware RAID controllers still relevant today?
• Working with mdadm.
• March 23, 20:00 MSK. Details
• Andrey Buranov - UNIX systems specialist at Mail.Ru Group.
#free #webinar #dnt #ru
/ New Ransomware Family Identified: LokiLocker RaaS Targets Windows Systems
Technical review:
https://blogs.blackberry.com/en/2022/03/lokilocker-ransomware
BlackBerry: BlackBerry Threat Intelligence has identified a new Ransomware-as-a-Service (RaaS) family, and tracked its lineage to its probable beta stage release.
/ Increase In Malware Sightings on GoDaddy Managed Hosting
https://www.wordfence.com/blog/2022/03/increase-in-malware-sightings-on-godaddy-managed-hosting/
Wordfence: Today, March 15, 2022, the Wordfence Incident Response team alerted our Threat Intelligence team to an increase in infected websites hosted on GoDaddy’s Managed WordPress service, which includes MediaTemple, tsoHost, 123Reg, Domain Factory, Heart Internet…
/ Have Your Cake and Eat it Too? An Overview of UNC2891
The Mandiant Advanced Practices team previously published a threat research blog post that provided an overview of UNC1945 operations where the actor compromised managed services providers to gain access to targets in the financial and professional consulting industries.
Since that time, Mandiant has investigated and attributed several intrusions to a threat cluster we believe has a nexus to this actor, currently being tracked as UNC2891. Through these investigations, Mandiant has discovered additional techniques, malware, and utilities being used by UNC2891 alongside those previously observed in use by UNC1945…
Technical review:
https://www.mandiant.com/resources/unc2891-overview
/ Use dynamic IP addresses through Cloudflare
Some hosting providers dynamically update their customers’ IP addresses. These customers must then update the new origin server IPs in their Cloudflare DNS.
https://developers.cloudflare.com/dns/manage-dns-records/how-to/managing-dynamic-ip-addresses/
/ Gh0stCringe RAT Being Distributed to Vulnerable Database Servers
The ASEC analysis team is constantly monitoring malware distributed to vulnerable database servers (MS-SQL, MySQL servers). This blog will explain the RAT malware named Gh0stCringe:
https://asec.ahnlab.com/en/32572/
Note: DNS Proxy Mechanism updated on BLD DNS
As you may know, BLD DNS works on a few ports in DoH mode - 443 and 8443.
You can use any of these ports in your browsers or devices, but I want to note how these modes work:
- 443 is the native BLD service
- 8443 is a reverse proxy (nginx, or it can be another service/mechanism)
⚡️ If you notice that some mode is not working properly, let me know about it as soon as possible - @sysadminkz
Example: how to set up a customised DNS in your browser.
Settings > Privacy and security > Security > Use secure DNS > Customised:
- https://bld.sys-adm.in/dns-query
or
- https://bld.sys-adm.in:8443/dns-query
See details here (Firefox, Chrome, Brave, Edge):
- https://github.com/m0zgen/blocky-listener-daemon/wiki
lab.sys-adm.in - Sys-Admin Laboratory: Open Sys-Admin BLD DNS - Focus on information for free with adblocking and implicit cybersecurity threat prevention.
/ dompdf security alert: RCE vulnerability found in popular PHP PDF library
https://snyk.io/blog/security-alert-php-pdf-library-dompdf-rce/
Snyk: A major RCE vulnerability has been identified in the PHP library dompdf. Code can be loaded into an application and then remotely executed whilst a PDF is being generated.
/ Cyclops Blink Sets Sights on Asus Routers
https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
RouterOS Scanner
Forensics tool for Mikrotik devices. Search for suspicious properties and weak security points that need to be fixed on the router:
https://github.com/microsoft/routeros-scanner
GitHub - microsoft/routeros-scanner: Tool to scan for RouterOS (Mikrotik) forensic artifacts and vulnerabilities.
/ Serpent, No Swiping! New Backdoor Targets French Entities with Unique Attack Chain
https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain
Proofpoint: Key Findings: Proofpoint identified a targeted attack leveraging the open-source package installer Chocolatey to deliver a backdoor. The attack targeted French entities in the construction,
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
How to use the Emsisoft Decryptor for Diavol
https://www.emsisoft.com/ransomware-decryption-tools/howtos/emsisoft_howto_diavol.pdf