Secure BLD: Protection against over-limit requests
Recently, abuse of BLD DNS resources has been noticed; here is what it looks like:
1. Normal state - determined empirically: 10k-20k requests per hour, which is the normal operation of a medium-sized organization.
2. Abuse - exceeding the maximum allowed number of requests, for example 20k+ requests per hour.
As an example: a paid NextDNS subscription starts at 300k requests per month. The normal state of BLD DNS covers the monthly NextDNS limit in less than two days 🤘
There are clients of the service generating 100k requests per hour‼️; the throughput of BLD DNS can handle heavy loads. Several million per day is normal operation for BLD today, but thanks to abuse the daily norm easily turns into an hourly figure, and that is not good.
No objections: donate, notify me and we will sort it out; if needed we will set up a dedicated instance, no problem (donations are not forbidden at all, they are even welcome, since the service is supported from the project's internal resources).
There is also BLD+ (announced a couple of months ago), so - welcome.
Preventive measures
Yesterday ~300k requests arrived in one hour from several IP addresses at once, and it became clear that something had to be done:
- A mechanism for automatic blocking of abusers was developed 🎉
- For now it works by the formula: 20000k requests in 1 hour = 10 minute ban (anyone who gets cut off, contact me right away @sysadminkz, we will sort it out)
- The solution has whitelists, so over-limit users are welcome to the donate area
- The solution is fully autonomous and works in automatic mode.
Note: anyone who knows they generate a large number of requests and knows their IP can contact me in advance.
~~~ EN
Recently, abuse of BLD DNS resources has been noticed; this is what it looks like:
1. Legitimate state - experimentally determined: 10k-20k requests per hour, which is the regular workload of a medium organization.
2. Abuse - exceeding the maximum allowable number of requests, for example 20k+ requests per hour.
As an example, a NextDNS paid subscription starts at 300k requests per month. The regular state of BLD DNS covers the monthly NextDNS limit in less than two days 🤘
Today there are clients of the service generating 100k requests per hour‼️; the bandwidth of BLD DNS allows it to handle high loads. Several million per day is the regular workload of BLD today, but thanks to abuse the daily norm easily turns into an hourly norm, and this is not good.
No objections - donate and notify me, and we will decide what needs to be done, no problem (donations are not prohibited at all, they are even welcome, since support of the service comes at the expense of the project's internal resources).
BLD+ mode was specifically created for over-limit users (there was an announcement about this a couple of months ago: https://news.1rj.ru/str/sysadm_in_channel/3740 ), therefore - welcome.
Preventive measures
Yesterday BLD received ~300k requests in an hour from several IP addresses at once, and it became clear that something needed to be done:
- A mechanism for automatic blocking of abusers was developed 🎉
- Today (so far) it works according to the formula: 20000k requests in 1 hour = 10 minute ban (whoever gets cut off, contact me immediately @sysadminkz, we will sort it out)
- The solution has "whitelists", so over-limit users are welcome to the donate area and then welcome back to BLD.
- The blocking solution is completely autonomous and works in automatic mode.
Note: anyone who knows they generate a large number of requests and knows their own IP can contact me in advance.
Take care. PEACE ✌️
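The blocking rule above (a per-hour request count per source address, a ten-minute ban when it is exceeded, and a whitelist that bypasses the check) is easy to model as a sliding-window limiter. The following is an added example written for this page, not BLD's own code; it assumes a threshold of 20000 requests per hour (reading the post's "20000k" as 20k), a 600-second ban, a whitelist given as CIDR prefixes, and traffic that is constructed here from RFC 5737 documentation addresses.

```python
"""Per-source request limiter modelled on the BLD DNS abuse rule above.

Added example, not BLD's own code: "20k requests in 1 hour = 10 minute ban"
with a whitelist, implemented as a sliding-window counter per source IP.
Thresholds, the whitelist prefix and the sample traffic are constructed here.
"""
from collections import Counter, deque
from functools import lru_cache
from ipaddress import ip_address, ip_network

WINDOW_SECONDS = 3600        # one hour, as in the post
LIMIT_PER_WINDOW = 20000     # assumed reading of the post's "20000k": 20k/hour
BAN_SECONDS = 600            # ten minutes


@lru_cache(maxsize=4096)
def _parse(ip: str):
    """Cache address parsing; the same client addresses repeat constantly."""
    return ip_address(ip)


class Limiter:
    def __init__(self, whitelist=(), limit=LIMIT_PER_WINDOW,
                 window=WINDOW_SECONDS, ban=BAN_SECONDS):
        self.limit, self.window, self.ban = limit, window, ban
        self.whitelist = [ip_network(n) for n in whitelist]
        self._hits = {}          # ip -> deque of request timestamps in the window
        self._banned_until = {}  # ip -> epoch seconds when the ban lifts
        self.ban_log = []        # (timestamp, ip, hits) for every ban issued

    def is_whitelisted(self, ip: str) -> bool:
        addr = _parse(ip)
        return any(addr in net for net in self.whitelist)

    def check(self, ip: str, now: float) -> str:
        """Decide one request: 'allow', 'allow-whitelisted' or 'drop'."""
        if self.is_whitelisted(ip):
            return "allow-whitelisted"
        until = self._banned_until.get(ip)
        if until is not None:
            if now < until:
                return "drop"
            del self._banned_until[ip]   # ban expired: give the source a clean slate
            self._hits.pop(ip, None)
        q = self._hits.setdefault(ip, deque())
        cutoff = now - self.window
        while q and q[0] <= cutoff:       # slide the window forward
            q.popleft()
        q.append(now)
        if len(q) > self.limit:
            self._banned_until[ip] = now + self.ban
            self.ban_log.append((now, ip, len(q)))
            q.clear()                     # counter is not needed while banned
            return "drop"
        return "allow"


def run_burst(limiter, ip, count, start, duration):
    """Send `count` requests evenly spread over `duration` seconds; tally verdicts."""
    verdicts = Counter()
    for i in range(count):
        verdicts[limiter.check(ip, start + i * duration / count)] += 1
    return dict(verdicts)


def demo():
    """Constructed traffic: a normal client, an abuser and a whitelisted client."""
    lim = Limiter(whitelist=["192.0.2.0/24"])      # RFC 5737 documentation prefix
    results = {
        "normal_h1": run_burst(lim, "198.51.100.7", 15000, 0, 3600),
        "normal_h2": run_burst(lim, "198.51.100.7", 15000, 3600, 3600),
        "abuser": run_burst(lim, "203.0.113.9", 25000, 0, 3600),
        "whitelisted": run_burst(lim, "192.0.2.55", 100000, 0, 3600),
    }
    return results, lim.ban_log


if __name__ == "__main__":
    res, bans = demo()
    for name, verdict_counts in res.items():
        print(f"{name:12s} {verdict_counts}")
    print("bans:", bans)
```

In the demo the normal client stays under the limit in both hours because old timestamps fall out of the window as new ones arrive; the abuser is cut off at its 20001st request, dropped for the next ten minutes, and then served again; the whitelisted client is never counted. Keeping one timestamp per request is fine for a demonstration, but a resolver serving millions of queries a day would replace the deque with fixed time buckets (for example 60 one-minute counters per source) to bound memory per client.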
Debian GNU/Linux 11.3 “Bullseye” Released with 83 Security Updates and 92 Bug Fixes
https://www.debian.org/News/2022/20220326
P.S. I wrote a simple script to upgrade Debian to the latest release and install unattended-upgrades (tested and used on Debian 11):
https://github.com/m0zgen/apt-automatic
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
RIUS - RTLO Injection URI Spoofing CVE-2020-20093; 20094; 20095; 20096
https://github.com/zadewg/RIUS
GitHub: zadewg/RIUS - CVE-2020-20093; 20094; 20095; 20096, 2022-28345 RTLO Injection URI Spoofing
CVE-2022-0543: Redis Lua Sandbox Escape and Remote Code Execution
https://blogs.juniper.net/en-us/security/muhstik-gang-targets-redis-servers
Juniper Threat Labs uncovers an attack that targets Redis Servers using the recently disclosed vulnerability CVE-2022-0543.
/ Resolved RCE in Sophos Firewall (CVE-2022-1040)
An authentication bypass vulnerability allowing remote code execution was discovered in the User Portal and Webadmin of Sophos Firewall and responsibly disclosed to Sophos
https://www.sophos.com/en-us/security-advisories/sophos-sa-20220325-sfos-rce
/ Vidar Malware Launcher Concealed in Help File (CHM)
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/vidar-malware-launcher-concealed-in-help-file/
Appending a malicious file to an unsuspecting file format is one of the tricks our adversaries use to evade detection. Recently, we came across an interesting email campaign employing this technique to deliver the info stealer Vidar malware.
/ A Beautiful Factory For Malicious Packages
Hundreds of malicious packages attempting to use a dependency confusion attack. The attacker has fully-automated the process of NPM account creation and has open dedicated accounts, one per package, making his new malicious packages batch harder to spot:
https://checkmarx.com/blog/a-beautiful-factory-for-malicious-packages/
In the past month, Checkmarx SCS research team has been tracking the malicious activity of RED-LILI, which marks a significant milestone in the development of software supply-chain attacks. After gathering enough clues, the team has reconstructed this threat…
/ New Conversation Hijacking Campaign Delivering IcedID
This post describes the technical analysis of a new campaign detected by Intezer's research team, which initiates attacks with a phishing email that uses conversation hijacking to deliver IcedID.
One way IcedID infects machines is via phishing emails. The infection chain that has commonly been used is an email with an attached password-protected "zip" archive. Inside the archive is a macro-enabled Office document that executes the IcedID installer. Some phishing emails reuse previously stolen emails to make the lure more convincing:
https://www.intezer.com/blog/research/conversation-hijacking-campaign-delivering-icedid/
Notify: One BLD DNS server set to maintenance mode
- this operation may take 10-20 min
- the operation does not affect DoT/DoH users
- Maintained server - 92.63.193.211
- After completion this message will be updated to "Done" status
up
Done!
/ Unauthenticated Stack-based Buffer Overflow Vulnerability in SonicOS
Score 9.4 (as with Sophos recently)
A stack-based buffer overflow vulnerability in SonicOS via an HTTP request allows a remote unauthenticated attacker to cause a Denial of Service (DoS) or potentially results in code execution in the firewall:
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0003
/ Pwning Microsoft Azure Defender for IoT | Multiple Flaws Allow Remote Code Execution for All
https://www.sentinelone.com/labs/pwning-microsoft-azure-defender-for-iot-multiple-flaws-allow-remote-code-execution-for-all/
As if IoT & OT aren't hard enough to defend, we dive into five critical vulnerabilities in Microsoft Defender for IoT that leave the door wide open.
/ CVE-2022-22948: Sensitive Information Disclosure in VMware vCenter
https://www.pentera.io/blog/information-disclosure-in-vmware-vcenter/
Learn how Pentera discovered a new zero day vulnerability in VMware vCenter, and how it could lead to an ESXi takeover.
Hexway — Pentest as a service
A platform for pentesting and audit management, suitable not only for pentesters but also for bug hunters, CTF players and in general anyone connected in any way with information security.
There is a free self-hosted version with some restrictions, but the creators usually give a hint on how to get around them:
- generate custom reports (they will also build your own report template on request)
- integrate with various scanners and tools like Nmap and Nessus
- build custom checklists
- present results via Apiary, and much more
- Online demo Here, Self-hosted Here
~~ EN
Hexway — Pentest as a service.
Platform for vulnerability assessment and penetration testing.
Free self-hosted version with some restrictions, but the developers usually give a hint on how to make them unlimited:
- generate custom reports (they also make your personal predefined templates on request)
- integrate with different scanners and tools like Nmap and Nessus
- create custom checklists
- present results via Apiary and much more
- Online demo Here, Self-hosted Here
/ Multiple Vulnerabilities in Schneider Electric APC Smart-UPS Could Allow for Remote Code Execution
https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-schneider-electric-apc-smart-ups-could-allow-for-remote-code-execution_2022-035
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
Breaking down the Jupyter Notebook ransomware attack
https://blog.aquasec.com/python-ransomware-jupyter-notebook
Team Nautilus uncovered and analyzed the first Python-based ransomware attack that targets misconfigured Jupyter Notebooks in the wild and encrypts files.
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
Praetorian
Spring Core on JDK9+ is vulnerable to remote code execution
Update: March 31, 2022 A patch has officially been released. https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement https://tanzu.vmware.com/security/cve-2022-22965 Overview Spring Core on JDK9+ is vulnerable to remote code execution due…
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
CVE-2022-0778
The discovered vulnerability triggers an infinite loop in the function BN_mod_sqrt() of OpenSSL while parsing an elliptic curve key. This means that a maliciously crafted X.509 certificate can DoS any unpatched server.
PoC
https://github.com/drago-96/CVE-2022-0778
/ About the security content of iOS 15.4.1 and iPadOS 15.4.1
Impact: An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited
https://support.apple.com/en-gb/HT213219
/ GitLab Accounts Hijacking
Critical Security Release: 14.9.2, 14.8.5, and 14.7.7
We strongly recommend that all GitLab installations be upgraded to one of these versions immediately
https://about.gitlab.com/releases/2022/03/31/critical-security-release-gitlab-14-9-2-released/