/ How to create dynamic inventory files in Ansible

https://www.redhat.com/sysadmin/ansible-dynamic-inventories

/ Malware Specifically Targeting AWS Lambda

https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda/

P.S. Malware domains already blocked in BLD DNS https://lab.sys-adm.in

/ BlackCat RaaS (ransomware as a service)

BlackCat is a recent and growing ransomware-as-a-service (RaaS) group that targeted several organizations worldwide over the past few months:

https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html

Unmanaged Code Execution With .net Dynamic Pinvoke

In this post, .NET loosely refers to modern versions of the .NET Framework (4+). Other versions of .NET runtimes (e.g. Core) may be relevant.

DInvoke is an API for dynamically calling the Windows API, using syscalls, and evading endpoint security controls through powerful primitives and other advanced features such as module overloading and manual mapping.

https://bohops.com/2022/04/02/unmanaged-code-execution-with-net-dynamic-pinvoke/

/ Parrot TDS takes over web servers and threatens millions

A new Traffic Direction System (TDS) calling as Parrot TDS, using tens of thousands of compromised websites, has emerged in recent months and is reaching users from around the world. The TDS has infected various web servers hosting more than 16,500 websites, ranging from adult content sites, personal websites, university sites, and local government sites:

https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/

/ CISA advises D-Link users to take vulnerable routers offline

https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/cisa-advises-d-link-users-to-take-vulnerable-routers-offline/

Information/Analysis about of few new info stealer malware’s - BlackGuard, META

/ Analysis of BlackGuard - A New Info Stealer Malware

https://www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking

/ New Meta information stealer distributed in malspam campaign

https://www.bleepingcomputer.com/news/security/new-meta-information-stealer-distributed-in-malspam-campaign/

/ Performing / Modernization Bleeding Bear techniques

The articles analysis of Bleeding Bear tactics, techniques and procedures left me with a couple of thoughts. The first was, “hey, I can probably perform some of these techniques!” and the second was, “how can I improve on them?

It is a interesting practice article:

https://labs.nettitude.com/blog/repurposing-real-ttps-for-use-on-red-team-engagements/

/ Amazon RDS PostgreSQL issue

A security researcher recently reported an issue with Aurora PostgreSQL. Using this issue, they were able to gain access to internal credentials that were specific to their Aurora cluster:

https://aws.amazon.com/security/security-bulletins/AWS-2022-004/

/ Microsoft patches seuously security vulnerabilities - Elevation privilege escalation and RCE

Windows Common Log File System Driver Elevation of Privilege Vulnerability

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24521


Remote Procedure Call Runtime Remote Code Execution Vulnerability

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809

Addressing Security Weaknesses in the NGINX LDAP Reference Implementation

Mitigation recommendations:

https://www.nginx.com/blog/addressing-security-weaknesses-nginx-ldap-reference-implementation/

/ Citrix Endpoint Management (XenMobile Server) gain root access

CISA Warn, Citrix Patch(es)

/ On Wednesday, 6 April 2022 VMware disclosed several critical-severity vulnerabilities impacting multiple VMware products. If successfully exploited, the vulnerabilities could lead to Remote Code Execution (RCE) or Authentication Bypass.

In addition to the critical severity vulnerabilities, VMware disclosed several high and medium severity vulnerabilities, which could lead to Cross Site Request Forgery (CSRF), Local Privilege Escalation (LPE), or Information Disclosure. All of the vulnerabilities were discovered and responsibly reported to VMware by a security researcher and patches are available to remediate all vulnerabilities:

https://core.vmware.com/vmsa-2022-0011-questions-answers-faq#section1

And additional links to KBs:

https://arcticwolf.com/uk/resources/blog/critical-vulnerabilities-disclosed-in-vmware-products

/ Spring Framework Affecting Cisco Products (Critical)

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67

Additional info about of Spring Framework "Spring4Shell" RCE via Data Binding Vulnerability:

https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

/ OldGremlin new ramsomware methods

Technical analysys:

https://blog.group-ib.com/oldgremlin_comeback

/ Git security vulnerability announced

CVE-2022-24765

This vulnerability affects users working on multi-user machines where a malicious actor could create a .git directory in a shared location above a victim’s current working directory. On Windows, for example, an attacker could create C:\.git\config, which would cause all git invocations that occur outside of a repository to read its configured values…

CVE-2022-24767

Got Windows uninstaller when run via the SYSTEM account

https://github.blog/2022-04-12-git-security-vulnerability-announced/

/ Juniper released multiple patched for vulnerabilities

https://supportportal.juniper.net/s/global-search/%40uri?language=en_US#sort=date%20descending&f:ctype=%5BSecurity%20Advisories%5D

/ Bore - is a simple CLI tool for making tunnels to localhost

https://github.com/ekzhang/bore

/ CVE-2022-29072 - 7-Zip through 21.07 on Windows allows privilege escalation and command execution when a file with the .7z extension is dragged to the Help>Contents area:

https://github.com/kagancapar/CVE-2022-29072

A blueprint for evading industry leading endpoint protection in 2022

In this post, I’d like to lay out a collection of techniques that together can be used to bypassed industry leading enterprise endpoint protection solutions. This is purely for educational purposes for (ethical) red teamers and alike, so I’ve decided not to publicly release the source code. The aim for this post is to be accessible to a wide audience in the security industry, but not to drill down to the nitty gritty details of every technique. Instead, I will refer to writeups of others that deep dive better than I can:

https://vanmieghem.io/blueprint-for-evading-edr-in-2022/