/ GitLab Accounts Hijacking

Critical Security Release: 14.9.2, 14.8.5, and 14.7.7

We strongly recommend that all GitLab installations be upgraded to one of these versions immediately

https://about.gitlab.com/releases/2022/03/31/critical-security-release-gitlab-14-9-2-released/

/ Detecting Rogue RDP

This post examines signals generated by the attack, outlines detection opportunities, and discusses required sysmon configuration changes.

https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/

BLD DNS: What's new and useful added in the project ecosystem / Что нового и полезного появилось в экосистеме проекта
 
~~~RU
Экосистема постоянно обновляется, допиливается, усовершенствуется, сам проект обрастает дополнительными инструментами (pat 1), сегодня хочу представить еще ряд тулз, которые могут быть полезны и вам:
- Blinker - асинхронно пингует сервера, резольвит IP адреса, проверяет скорость ответа (в будущем планируется развить до автоматических уведомлений, например в телеграм)
- BLD-Server - конфигурируемый апдейтер BLD серверов (как правило используется для вспомогательных downstream cерверов), качает указанные в конфиге листы, вычищает их от комментов и тп, объединяет, сортирует и публикует, как итог - один лист для каждой категории, меньше размера, меньше файлов)
- Simple Log Color - NPM пакет. Раскрашиватель аутпут лога в консоль
- Fix Appstream - Фиксит ошибку CentOS 8 (Error: Failed to download metadata for repo 'appstream’). Ошибка блокирует нормальный апедйт серверов.
- Fix Locales - Фиксит ошибку баш консоли в Debian в отношении локали (LCALL: cannot change locale (enUS.UTF-8)
- Apt Automatic - Настраивает автоапдейтинг Debian при помощи unattended-upgrades
- Install Node Exporter - Ставит последнию версию экспортера в Debian

~~~EN
BLD DNS ecosystem is constantly updated, completed, improved, the project itself is overgrown with additional tools (pat 1), today I want to present a few number of tools that may be useful to you:
- Blinker - asynchronously pings servers, resolves IP addresses, checks response speed (in the future it is planned to develop to automatic notifications, for example, in telegrams)
- BLD-Server - configurable BLD server updater (usually used for auxiliary downstream servers), downloads the lists specified in the config, cleans them from comments, etc., merges, sorts and publishes, as a result - one sheet for each category, smaller size, fewer files)
- Simple Log Color - NPM package. Colorizer output log to console
- Fix Appstream - Fixes CentOS 8 error (Error: Failed to download metadata for repo 'appstream'). Error blocking normal server update.
- Fix Locales - Fixes bash console error in Debian (LCALL: cannot change locale (enUS.UTF-8)
- Apt Automatic - Configures Debian autoupgrade with unattended-upgrades
- Install Node Exporter - Install latest Node Exporter in to Debian

/ Deep Dive Analysis – Borat RAT

Remote Access Trojan Capable Of Conducting Ransomware & DDOS Activities

https://blog.cyble.com/2022/03/31/deep-dive-analysis-borat-rat/

/ How to create dynamic inventory files in Ansible

https://www.redhat.com/sysadmin/ansible-dynamic-inventories

/ Malware Specifically Targeting AWS Lambda

https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda/

P.S. Malware domains already blocked in BLD DNS https://lab.sys-adm.in

/ BlackCat RaaS (ransomware as a service)

BlackCat is a recent and growing ransomware-as-a-service (RaaS) group that targeted several organizations worldwide over the past few months:

https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html

Unmanaged Code Execution With .net Dynamic Pinvoke

In this post, .NET loosely refers to modern versions of the .NET Framework (4+). Other versions of .NET runtimes (e.g. Core) may be relevant.

DInvoke is an API for dynamically calling the Windows API, using syscalls, and evading endpoint security controls through powerful primitives and other advanced features such as module overloading and manual mapping.

https://bohops.com/2022/04/02/unmanaged-code-execution-with-net-dynamic-pinvoke/

/ Parrot TDS takes over web servers and threatens millions

A new Traffic Direction System (TDS) calling as Parrot TDS, using tens of thousands of compromised websites, has emerged in recent months and is reaching users from around the world. The TDS has infected various web servers hosting more than 16,500 websites, ranging from adult content sites, personal websites, university sites, and local government sites:

https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/

/ CISA advises D-Link users to take vulnerable routers offline

https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/cisa-advises-d-link-users-to-take-vulnerable-routers-offline/

Information/Analysis about of few new info stealer malware’s - BlackGuard, META

/ Analysis of BlackGuard - A New Info Stealer Malware

https://www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking

/ New Meta information stealer distributed in malspam campaign

https://www.bleepingcomputer.com/news/security/new-meta-information-stealer-distributed-in-malspam-campaign/

/ Performing / Modernization Bleeding Bear techniques

The articles analysis of Bleeding Bear tactics, techniques and procedures left me with a couple of thoughts. The first was, “hey, I can probably perform some of these techniques!” and the second was, “how can I improve on them?

It is a interesting practice article:

https://labs.nettitude.com/blog/repurposing-real-ttps-for-use-on-red-team-engagements/

/ Amazon RDS PostgreSQL issue

A security researcher recently reported an issue with Aurora PostgreSQL. Using this issue, they were able to gain access to internal credentials that were specific to their Aurora cluster:

https://aws.amazon.com/security/security-bulletins/AWS-2022-004/

/ Microsoft patches seuously security vulnerabilities - Elevation privilege escalation and RCE

Windows Common Log File System Driver Elevation of Privilege Vulnerability

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24521


Remote Procedure Call Runtime Remote Code Execution Vulnerability

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809

Addressing Security Weaknesses in the NGINX LDAP Reference Implementation

Mitigation recommendations:

https://www.nginx.com/blog/addressing-security-weaknesses-nginx-ldap-reference-implementation/

/ Citrix Endpoint Management (XenMobile Server) gain root access

CISA Warn, Citrix Patch(es)

/ On Wednesday, 6 April 2022 VMware disclosed several critical-severity vulnerabilities impacting multiple VMware products. If successfully exploited, the vulnerabilities could lead to Remote Code Execution (RCE) or Authentication Bypass.

In addition to the critical severity vulnerabilities, VMware disclosed several high and medium severity vulnerabilities, which could lead to Cross Site Request Forgery (CSRF), Local Privilege Escalation (LPE), or Information Disclosure. All of the vulnerabilities were discovered and responsibly reported to VMware by a security researcher and patches are available to remediate all vulnerabilities:

https://core.vmware.com/vmsa-2022-0011-questions-answers-faq#section1

And additional links to KBs:

https://arcticwolf.com/uk/resources/blog/critical-vulnerabilities-disclosed-in-vmware-products

/ Spring Framework Affecting Cisco Products (Critical)

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67

Additional info about of Spring Framework "Spring4Shell" RCE via Data Binding Vulnerability:

https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

/ OldGremlin new ramsomware methods

Technical analysys:

https://blog.group-ib.com/oldgremlin_comeback