BLD DNS: What's new and useful added in the project ecosystem / Что нового и полезного появилось в экосистеме проекта
~~~RU
Экосистема постоянно обновляется, допиливается, усовершенствуется, сам проект обрастает дополнительными инструментами (pat 1), сегодня хочу представить еще ряд тулз, которые могут быть полезны и вам:
- Blinker - асинхронно пингует сервера, резольвит IP адреса, проверяет скорость ответа (в будущем планируется развить до автоматических уведомлений, например в телеграм)
- BLD-Server - конфигурируемый апдейтер BLD серверов (как правило используется для вспомогательных downstream cерверов), качает указанные в конфиге листы, вычищает их от комментов и тп, объединяет, сортирует и публикует, как итог - один лист для каждой категории, меньше размера, меньше файлов)
- Simple Log Color - NPM пакет. Раскрашиватель аутпут лога в консоль
- Fix Appstream - Фиксит ошибку CentOS 8 (Error: Failed to download metadata for repo 'appstream’). Ошибка блокирует нормальный апедйт серверов.
- Fix Locales - Фиксит ошибку баш консоли в Debian в отношении локали (LCALL: cannot change locale (enUS.UTF-8)
- Apt Automatic - Настраивает автоапдейтинг Debian при помощи unattended-upgrades
- Install Node Exporter - Ставит последнию версию экспортера в Debian
~~~EN
BLD DNS ecosystem is constantly updated, completed, improved, the project itself is overgrown with additional tools (pat 1), today I want to present a few number of tools that may be useful to you:
- Blinker - asynchronously pings servers, resolves IP addresses, checks response speed (in the future it is planned to develop to automatic notifications, for example, in telegrams)
- BLD-Server - configurable BLD server updater (usually used for auxiliary downstream servers), downloads the lists specified in the config, cleans them from comments, etc., merges, sorts and publishes, as a result - one sheet for each category, smaller size, fewer files)
- Simple Log Color - NPM package. Colorizer output log to console
- Fix Appstream - Fixes CentOS 8 error (Error: Failed to download metadata for repo 'appstream'). Error blocking normal server update.
- Fix Locales - Fixes bash console error in Debian (LCALL: cannot change locale (enUS.UTF-8)
- Apt Automatic - Configures Debian autoupgrade with unattended-upgrades
- Install Node Exporter - Install latest Node Exporter in to Debian
~~~RU
Экосистема постоянно обновляется, допиливается, усовершенствуется, сам проект обрастает дополнительными инструментами (pat 1), сегодня хочу представить еще ряд тулз, которые могут быть полезны и вам:
- Blinker - асинхронно пингует сервера, резольвит IP адреса, проверяет скорость ответа (в будущем планируется развить до автоматических уведомлений, например в телеграм)
- BLD-Server - конфигурируемый апдейтер BLD серверов (как правило используется для вспомогательных downstream cерверов), качает указанные в конфиге листы, вычищает их от комментов и тп, объединяет, сортирует и публикует, как итог - один лист для каждой категории, меньше размера, меньше файлов)
- Simple Log Color - NPM пакет. Раскрашиватель аутпут лога в консоль
- Fix Appstream - Фиксит ошибку CentOS 8 (Error: Failed to download metadata for repo 'appstream’). Ошибка блокирует нормальный апедйт серверов.
- Fix Locales - Фиксит ошибку баш консоли в Debian в отношении локали (LCALL: cannot change locale (enUS.UTF-8)
- Apt Automatic - Настраивает автоапдейтинг Debian при помощи unattended-upgrades
- Install Node Exporter - Ставит последнию версию экспортера в Debian
~~~EN
BLD DNS ecosystem is constantly updated, completed, improved, the project itself is overgrown with additional tools (pat 1), today I want to present a few number of tools that may be useful to you:
- Blinker - asynchronously pings servers, resolves IP addresses, checks response speed (in the future it is planned to develop to automatic notifications, for example, in telegrams)
- BLD-Server - configurable BLD server updater (usually used for auxiliary downstream servers), downloads the lists specified in the config, cleans them from comments, etc., merges, sorts and publishes, as a result - one sheet for each category, smaller size, fewer files)
- Simple Log Color - NPM package. Colorizer output log to console
- Fix Appstream - Fixes CentOS 8 error (Error: Failed to download metadata for repo 'appstream'). Error blocking normal server update.
- Fix Locales - Fixes bash console error in Debian (LCALL: cannot change locale (enUS.UTF-8)
- Apt Automatic - Configures Debian autoupgrade with unattended-upgrades
- Install Node Exporter - Install latest Node Exporter in to Debian
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
/ Deep Dive Analysis – Borat RAT
Remote Access Trojan Capable Of Conducting Ransomware & DDOS Activities
https://blog.cyble.com/2022/03/31/deep-dive-analysis-borat-rat/
Remote Access Trojan Capable Of Conducting Ransomware & DDOS Activities
https://blog.cyble.com/2022/03/31/deep-dive-analysis-borat-rat/
Cyble
Deep Dive Analysis – Borat RAT | Cyble
Cyble Research Labs analyzes Borat , a sophisticated RAT variant that boasts a combination of Remote Access Trojan, Spyware, Ransomware and DDoS capabilities.
/ How to create dynamic inventory files in Ansible
https://www.redhat.com/sysadmin/ansible-dynamic-inventories
https://www.redhat.com/sysadmin/ansible-dynamic-inventories
Redhat
How to create dynamic inventory files in Ansible
If you use Ansible, you know the inventory is one of its fundamental pieces. The inventory is just a list of machines and possible variables where you c...
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
/ Malware Specifically Targeting AWS Lambda
https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda/
P.S. Malware domains already blocked in BLD DNS https://lab.sys-adm.in
https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda/
P.S. Malware domains already blocked in BLD DNS https://lab.sys-adm.in
Darktrace
Solve Cloud Forensics at Scale
Darktrace has acquired Cado security, a cyber investigation and response solution provider and leader in cloud data capture and forensics.
/ BlackCat RaaS (ransomware as a service)
BlackCat is a recent and growing ransomware-as-a-service (RaaS) group that targeted several organizations worldwide over the past few months:
https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html
BlackCat is a recent and growing ransomware-as-a-service (RaaS) group that targeted several organizations worldwide over the past few months:
https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html
Cisco Talos Blog
From BlackMatter to BlackCat: Analyzing two attacks from one affiliate
* BlackCat is a recent and growing ransomware-as-a-service (RaaS) group that targeted several organizations worldwide over the past few months.
* There are rumors of a relationship between BlackCat and the BlackMatter/DarkSide ransomware groups, infamous…
* There are rumors of a relationship between BlackCat and the BlackMatter/DarkSide ransomware groups, infamous…
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
Unmanaged Code Execution With .net Dynamic Pinvoke
In this post, .NET loosely refers to modern versions of the .NET Framework (4+). Other versions of .NET runtimes (e.g. Core) may be relevant.
DInvoke is an API for dynamically calling the Windows API, using syscalls, and evading endpoint security controls through powerful primitives and other advanced features such as module overloading and manual mapping.
https://bohops.com/2022/04/02/unmanaged-code-execution-with-net-dynamic-pinvoke/
In this post, .NET loosely refers to modern versions of the .NET Framework (4+). Other versions of .NET runtimes (e.g. Core) may be relevant.
DInvoke is an API for dynamically calling the Windows API, using syscalls, and evading endpoint security controls through powerful primitives and other advanced features such as module overloading and manual mapping.
https://bohops.com/2022/04/02/unmanaged-code-execution-with-net-dynamic-pinvoke/
bohops
Unmanaged Code Execution with .NET Dynamic PInvoke
Yes, you read that correctly – “Dynamic Pinvoke” as in “Dynamic Platform Invoke” Background Recently, I was browsing through Microsoft documentation and other blogs to…
/ Parrot TDS takes over web servers and threatens millions
A new Traffic Direction System (TDS) calling as Parrot TDS, using tens of thousands of compromised websites, has emerged in recent months and is reaching users from around the world. The TDS has infected various web servers hosting more than 16,500 websites, ranging from adult content sites, personal websites, university sites, and local government sites:
https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/
A new Traffic Direction System (TDS) calling as Parrot TDS, using tens of thousands of compromised websites, has emerged in recent months and is reaching users from around the world. The TDS has infected various web servers hosting more than 16,500 websites, ranging from adult content sites, personal websites, university sites, and local government sites:
https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/
Gendigital
Parrot TDS takes over web servers and threatens millions
Web Server Takeover Threat
/ CISA advises D-Link users to take vulnerable routers offline
https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/cisa-advises-d-link-users-to-take-vulnerable-routers-offline/
https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/cisa-advises-d-link-users-to-take-vulnerable-routers-offline/
Malwarebytes
CISA advises D-Link users to take vulnerable routers offline
CISA advises users to retire certain D-Link routers since vulnerabilities are know to be actively exploited and the models have reached EOL
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
Information/Analysis about of few new info stealer malware’s - BlackGuard, META
/ Analysis of BlackGuard - A New Info Stealer Malware
https://www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking
/ New Meta information stealer distributed in malspam campaign
https://www.bleepingcomputer.com/news/security/new-meta-information-stealer-distributed-in-malspam-campaign/
/ Analysis of BlackGuard - A New Info Stealer Malware
https://www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking
/ New Meta information stealer distributed in malspam campaign
https://www.bleepingcomputer.com/news/security/new-meta-information-stealer-distributed-in-malspam-campaign/
Zscaler
Analysis of BlackGuard - Info Stealer Malware | Zscaler Blog
In this blog, ThreatLabz analyzes BlackGuard, an emerging an info stealer malware being sold as a service on a Russian hacking forum.
/ Performing / Modernization Bleeding Bear techniques
The articles analysis of Bleeding Bear tactics, techniques and procedures left me with a couple of thoughts. The first was, “hey, I can probably perform some of these techniques!” and the second was, “how can I improve on them?
It is a interesting practice article:
https://labs.nettitude.com/blog/repurposing-real-ttps-for-use-on-red-team-engagements/
The articles analysis of Bleeding Bear tactics, techniques and procedures left me with a couple of thoughts. The first was, “hey, I can probably perform some of these techniques!” and the second was, “how can I improve on them?
It is a interesting practice article:
https://labs.nettitude.com/blog/repurposing-real-ttps-for-use-on-red-team-engagements/
LRQA
Repurposing Real TTPs for use on Red Team Engagements
I recently read an interesting article by Elastic. It provides new analysis of a sophisticated, targeted campaign against several organizations. This has been labelled ‘Bleeding Bear’. The articles analysis of Bleeding Bear tactics, techniques and procedures…
/ Amazon RDS PostgreSQL issue
A security researcher recently reported an issue with Aurora PostgreSQL. Using this issue, they were able to gain access to internal credentials that were specific to their Aurora cluster:
https://aws.amazon.com/security/security-bulletins/AWS-2022-004/
A security researcher recently reported an issue with Aurora PostgreSQL. Using this issue, they were able to gain access to internal credentials that were specific to their Aurora cluster:
https://aws.amazon.com/security/security-bulletins/AWS-2022-004/
Amazon
Reported Amazon RDS PostgreSQL issue
/ Microsoft patches seuously security vulnerabilities - Elevation privilege escalation and RCE
Windows Common Log File System Driver Elevation of Privilege Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24521
Remote Procedure Call Runtime Remote Code Execution Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809
Windows Common Log File System Driver Elevation of Privilege Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24521
Remote Procedure Call Runtime Remote Code Execution Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809
Addressing Security Weaknesses in the NGINX LDAP Reference Implementation
Mitigation recommendations:
https://www.nginx.com/blog/addressing-security-weaknesses-nginx-ldap-reference-implementation/
Mitigation recommendations:
https://www.nginx.com/blog/addressing-security-weaknesses-nginx-ldap-reference-implementation/
F5, Inc.
Addressing Security Weaknesses in the NGINX LDAP Reference Implementation
We describe security vulnerabilities recently discovered in the NGINX LDAP reference implementation, and how to mitigate them. NGINX Open Source and NGINX Plus are not affected, and no corrective action is required if you do not use the reference implementation.
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
Tarrask malware uses scheduled tasks for defense evasion
Windows Task Scheduler is a service that allows users to perform automated tasks (scheduled tasks) on a chosen computer for legitimate administrative purposes (e.g., scheduled updates for browsers and other applications)... threat actors commonly make use of this service to maintain persistence within a Windows environment.
Tarrask malware generates several artifacts upon the creation of a scheduled task, whether using the Task Scheduler GUI or the schtasks command line utility. Profiling the use of either of these tools can aid investigators in tracking this persistence mechanism:
https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/
Windows Task Scheduler is a service that allows users to perform automated tasks (scheduled tasks) on a chosen computer for legitimate administrative purposes (e.g., scheduled updates for browsers and other applications)... threat actors commonly make use of this service to maintain persistence within a Windows environment.
Tarrask malware generates several artifacts upon the creation of a scheduled task, whether using the Task Scheduler GUI or the schtasks command line utility. Profiling the use of either of these tools can aid investigators in tracking this persistence mechanism:
https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/
Microsoft News
Tarrask malware uses scheduled tasks for defense evasion
Microsoft Detection and Response Team (DART) researchers have uncovered malware that creates “hidden” scheduled tasks as a defense evasion technique. In this post, we will demonstrate how threat actors create scheduled tasks, how they cover their tracks,…
/ On Wednesday, 6 April 2022 VMware disclosed several critical-severity vulnerabilities impacting multiple VMware products. If successfully exploited, the vulnerabilities could lead to Remote Code Execution (RCE) or Authentication Bypass.
In addition to the critical severity vulnerabilities, VMware disclosed several high and medium severity vulnerabilities, which could lead to Cross Site Request Forgery (CSRF), Local Privilege Escalation (LPE), or Information Disclosure. All of the vulnerabilities were discovered and responsibly reported to VMware by a security researcher and patches are available to remediate all vulnerabilities:
https://core.vmware.com/vmsa-2022-0011-questions-answers-faq#section1
And additional links to KBs:
https://arcticwolf.com/uk/resources/blog/critical-vulnerabilities-disclosed-in-vmware-products
In addition to the critical severity vulnerabilities, VMware disclosed several high and medium severity vulnerabilities, which could lead to Cross Site Request Forgery (CSRF), Local Privilege Escalation (LPE), or Information Disclosure. All of the vulnerabilities were discovered and responsibly reported to VMware by a security researcher and patches are available to remediate all vulnerabilities:
https://core.vmware.com/vmsa-2022-0011-questions-answers-faq#section1
And additional links to KBs:
https://arcticwolf.com/uk/resources/blog/critical-vulnerabilities-disclosed-in-vmware-products
/ Spring Framework Affecting Cisco Products (Critical)
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67
Additional info about of Spring Framework "Spring4Shell" RCE via Data Binding Vulnerability:
https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67
Additional info about of Spring Framework "Spring4Shell" RCE via Data Binding Vulnerability:
https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
Cisco
Cisco Security Advisory: Vulnerability in Spring Framework Affecting Cisco Products: March 2022
On March 31, 2022, the following critical vulnerability in the Spring Framework affecting Spring MVC and Spring WebFlux applications running on JDK 9+ was released:
CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+
For a denoscription of…
CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+
For a denoscription of…
/ Git security vulnerability announced
CVE-2022-24765
This vulnerability affects users working on multi-user machines where a malicious actor could create a .git directory in a shared location above a victim’s current working directory. On Windows, for example, an attacker could create C:\.git\config, which would cause all git invocations that occur outside of a repository to read its configured values…
CVE-2022-24767
Got Windows uninstaller when run via the SYSTEM account
https://github.blog/2022-04-12-git-security-vulnerability-announced/
CVE-2022-24765
This vulnerability affects users working on multi-user machines where a malicious actor could create a .git directory in a shared location above a victim’s current working directory. On Windows, for example, an attacker could create C:\.git\config, which would cause all git invocations that occur outside of a repository to read its configured values…
CVE-2022-24767
Got Windows uninstaller when run via the SYSTEM account
https://github.blog/2022-04-12-git-security-vulnerability-announced/
The GitHub Blog
Git security vulnerability announced
Upgrade your local installation of Git, especially if you are using Git for Windows, or you use Git on a multi-user machine.
/ Juniper released multiple patched for vulnerabilities
https://supportportal.juniper.net/s/global-search/%40uri?language=en_US#sort=date%20descending&f:ctype=%5BSecurity%20Advisories%5D
https://supportportal.juniper.net/s/global-search/%40uri?language=en_US#sort=date%20descending&f:ctype=%5BSecurity%20Advisories%5D