/ Multiple Vulnerabilities in Schneider Electric APC Smart-UPS Could Allow for Remote Code Execution

https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-schneider-electric-apc-smart-ups-could-allow-for-remote-code-execution_2022-035

CVE-2022-0778

The discovered vulnerability triggers an infinite loop in the function BN_mod_sqrt() of OpenSSL while parsing an elliptic curve key. This means that a maliciously crafted X.509 certificate can DoS any unpatched server.

PoC

https://github.com/drago-96/CVE-2022-0778

/ About the security content of iOS 15.4.1 and iPadOS 15.4.1

Impact: An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited

https://support.apple.com/en-gb/HT213219

/ GitLab Accounts Hijacking

Critical Security Release: 14.9.2, 14.8.5, and 14.7.7

We strongly recommend that all GitLab installations be upgraded to one of these versions immediately

https://about.gitlab.com/releases/2022/03/31/critical-security-release-gitlab-14-9-2-released/

/ Detecting Rogue RDP

This post examines signals generated by the attack, outlines detection opportunities, and discusses required sysmon configuration changes.

https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/

BLD DNS: What's new and useful added in the project ecosystem / Что нового и полезного появилось в экосистеме проекта
 
~~~RU
Экосистема постоянно обновляется, допиливается, усовершенствуется, сам проект обрастает дополнительными инструментами (pat 1), сегодня хочу представить еще ряд тулз, которые могут быть полезны и вам:
- Blinker - асинхронно пингует сервера, резольвит IP адреса, проверяет скорость ответа (в будущем планируется развить до автоматических уведомлений, например в телеграм)
- BLD-Server - конфигурируемый апдейтер BLD серверов (как правило используется для вспомогательных downstream cерверов), качает указанные в конфиге листы, вычищает их от комментов и тп, объединяет, сортирует и публикует, как итог - один лист для каждой категории, меньше размера, меньше файлов)
- Simple Log Color - NPM пакет. Раскрашиватель аутпут лога в консоль
- Fix Appstream - Фиксит ошибку CentOS 8 (Error: Failed to download metadata for repo 'appstream’). Ошибка блокирует нормальный апедйт серверов.
- Fix Locales - Фиксит ошибку баш консоли в Debian в отношении локали (LCALL: cannot change locale (enUS.UTF-8)
- Apt Automatic - Настраивает автоапдейтинг Debian при помощи unattended-upgrades
- Install Node Exporter - Ставит последнию версию экспортера в Debian

~~~EN
BLD DNS ecosystem is constantly updated, completed, improved, the project itself is overgrown with additional tools (pat 1), today I want to present a few number of tools that may be useful to you:
- Blinker - asynchronously pings servers, resolves IP addresses, checks response speed (in the future it is planned to develop to automatic notifications, for example, in telegrams)
- BLD-Server - configurable BLD server updater (usually used for auxiliary downstream servers), downloads the lists specified in the config, cleans them from comments, etc., merges, sorts and publishes, as a result - one sheet for each category, smaller size, fewer files)
- Simple Log Color - NPM package. Colorizer output log to console
- Fix Appstream - Fixes CentOS 8 error (Error: Failed to download metadata for repo 'appstream'). Error blocking normal server update.
- Fix Locales - Fixes bash console error in Debian (LCALL: cannot change locale (enUS.UTF-8)
- Apt Automatic - Configures Debian autoupgrade with unattended-upgrades
- Install Node Exporter - Install latest Node Exporter in to Debian

/ Deep Dive Analysis – Borat RAT

Remote Access Trojan Capable Of Conducting Ransomware & DDOS Activities

https://blog.cyble.com/2022/03/31/deep-dive-analysis-borat-rat/

/ How to create dynamic inventory files in Ansible

https://www.redhat.com/sysadmin/ansible-dynamic-inventories

/ Malware Specifically Targeting AWS Lambda

https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda/

P.S. Malware domains already blocked in BLD DNS https://lab.sys-adm.in

/ BlackCat RaaS (ransomware as a service)

BlackCat is a recent and growing ransomware-as-a-service (RaaS) group that targeted several organizations worldwide over the past few months:

https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html

Unmanaged Code Execution With .net Dynamic Pinvoke

In this post, .NET loosely refers to modern versions of the .NET Framework (4+). Other versions of .NET runtimes (e.g. Core) may be relevant.

DInvoke is an API for dynamically calling the Windows API, using syscalls, and evading endpoint security controls through powerful primitives and other advanced features such as module overloading and manual mapping.

https://bohops.com/2022/04/02/unmanaged-code-execution-with-net-dynamic-pinvoke/

/ Parrot TDS takes over web servers and threatens millions

A new Traffic Direction System (TDS) calling as Parrot TDS, using tens of thousands of compromised websites, has emerged in recent months and is reaching users from around the world. The TDS has infected various web servers hosting more than 16,500 websites, ranging from adult content sites, personal websites, university sites, and local government sites:

https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/

/ CISA advises D-Link users to take vulnerable routers offline

https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/cisa-advises-d-link-users-to-take-vulnerable-routers-offline/

Information/Analysis about of few new info stealer malware’s - BlackGuard, META

/ Analysis of BlackGuard - A New Info Stealer Malware

https://www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking

/ New Meta information stealer distributed in malspam campaign

https://www.bleepingcomputer.com/news/security/new-meta-information-stealer-distributed-in-malspam-campaign/

/ Performing / Modernization Bleeding Bear techniques

The articles analysis of Bleeding Bear tactics, techniques and procedures left me with a couple of thoughts. The first was, “hey, I can probably perform some of these techniques!” and the second was, “how can I improve on them?

It is a interesting practice article:

https://labs.nettitude.com/blog/repurposing-real-ttps-for-use-on-red-team-engagements/

/ Amazon RDS PostgreSQL issue

A security researcher recently reported an issue with Aurora PostgreSQL. Using this issue, they were able to gain access to internal credentials that were specific to their Aurora cluster:

https://aws.amazon.com/security/security-bulletins/AWS-2022-004/

/ Microsoft patches seuously security vulnerabilities - Elevation privilege escalation and RCE

Windows Common Log File System Driver Elevation of Privilege Vulnerability

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24521


Remote Procedure Call Runtime Remote Code Execution Vulnerability

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809

Addressing Security Weaknesses in the NGINX LDAP Reference Implementation

Mitigation recommendations:

https://www.nginx.com/blog/addressing-security-weaknesses-nginx-ldap-reference-implementation/