Sys-Admin InfoSec – Telegram
News of cybersecurity / information security, information technology, data leaks / breaches, cve, hacks, tools, trainings
* Multilingual (En, Ru).
* Forum - forum.sys-adm.in
* Chat - @sysadm_in
* Job - @sysadm_in_job
* ? - @sysadminkz
/ New Conversation Hijacking Campaign Delivering IcedID

This post describes the technical analysis of a new campaign detected by Intezer’s research team, which initiates attacks with a phishing email that uses conversation hijacking to deliver IcedID.

One way IcedID infects machines is via phishing emails. The infection chain that has commonly been used is an email with an attached password-protected “zip” archive. Inside the archive is a macro-enabled Office document that executes the IcedID installer. Some phishing emails reuse previously stolen emails to make the lure more convincing:

https://www.intezer.com/blog/research/conversation-hijacking-campaign-delivering-icedid/
Notify: One BLD DNS server set to maintenance mode

- this operation may take 10-20 min
- the operation does not affect DoT/DoH users

- Maintained server - 92.63.193.211
- After completion, this message will be updated to “Done” status

up

Done!
/ Unauthenticated Stack-based Buffer Overflow Vulnerability In SonicOS

Score 9.4 (Sophos was recently)

A stack-based buffer overflow vulnerability in SonicOS via an HTTP request allows a remote unauthenticated attacker to cause a Denial of Service (DoS) or potentially result in code execution in the firewall:

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0003
Hexway — Pentest as a service

A platform for pentesting and audit management, suitable not only for pentesters but also for bug hunters, CTF players and generally anyone involved in information security in any way.

Free self-hosted version with some restrictions, but the developers usually give a hint on how to get around them:
- generate custom reports (they will also build your own report template on request)
- integrate with various scanners and tools like Nmap and Nessus
- build custom checklists
- present results via Apiary, and much more
- Online demo: Here, Self-hosted: Here
 
/ Multiple Vulnerabilities in Schneider Electric APC Smart-UPS Could Allow for Remote Code Execution

https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-schneider-electric-apc-smart-ups-could-allow-for-remote-code-execution_2022-035
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
CVE-2022-0778

The discovered vulnerability triggers an infinite loop in the function BN_mod_sqrt() of OpenSSL while parsing an elliptic curve key. This means that a maliciously crafted X.509 certificate can DoS any unpatched server.

PoC

https://github.com/drago-96/CVE-2022-0778
/ About the security content of iOS 15.4.1 and iPadOS 15.4.1

Impact: An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

https://support.apple.com/en-gb/HT213219
/ Detecting Rogue RDP

This post examines signals generated by the attack, outlines detection opportunities, and discusses required sysmon configuration changes.

https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/
BLD DNS: What's new and useful added in the project ecosystem

The ecosystem is constantly being updated, refined and improved, and the project itself keeps growing additional tools (part 1); today I want to present a few more tools that may be useful to you as well:
- Blinker - asynchronously pings servers, resolves IP addresses, checks response speed (in the future it is planned to extend it to automatic notifications, for example to Telegram)
- BLD-Server - a configurable updater for BLD servers (usually used for auxiliary downstream servers): downloads the lists specified in the config, strips comments and the like, merges, sorts and publishes them; the result is one list per category, smaller in size, with fewer files
- Simple Log Color - NPM package. Colorizes log output in the console
- Fix Appstream - Fixes the CentOS 8 error (Error: Failed to download metadata for repo 'appstream'). The error blocks normal server updates.
- Fix Locales - Fixes the bash console locale error on Debian (LC_ALL: cannot change locale (en_US.UTF-8))
- Apt Automatic - Configures automatic updates on Debian using unattended-upgrades
- Install Node Exporter - Installs the latest version of Node Exporter on Debian
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
Unmanaged Code Execution With .NET Dynamic PInvoke

In this post, .NET loosely refers to modern versions of the .NET Framework (4+). Other versions of .NET runtimes (e.g. Core) may be relevant.

DInvoke is an API for dynamically calling the Windows API, using syscalls, and evading endpoint security controls through powerful primitives and other advanced features such as module overloading and manual mapping.

https://bohops.com/2022/04/02/unmanaged-code-execution-with-net-dynamic-pinvoke/
/ Parrot TDS takes over web servers and threatens millions

A new Traffic Direction System (TDS) called Parrot TDS, using tens of thousands of compromised websites, has emerged in recent months and is reaching users from around the world. The TDS has infected various web servers hosting more than 16,500 websites, ranging from adult content sites and personal websites to university sites and local government sites:

https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/