Sys-Admin InfoSec – Telegram
News of cybersecurity / information security, information technology, data leaks / breaches, cve, hacks, tools, trainings
* Multilingual (En, Ru).
* Forum - forum.sys-adm.in
* Chat - @sysadm_in
* Job - @sysadm_in_job
* ? - @sysadminkz
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
Tarrask malware uses scheduled tasks for defense evasion

Windows Task Scheduler is a service that allows users to perform automated tasks (scheduled tasks) on a chosen computer for legitimate administrative purposes (e.g., scheduled updates for browsers and other applications)... threat actors commonly make use of this service to maintain persistence within a Windows environment.

Tarrask malware generates several artifacts upon the creation of a scheduled task, whether using the Task Scheduler GUI or the schtasks command line utility. Profiling the use of either of these tools can aid investigators in tracking this persistence mechanism:

https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/
/ Citrix Endpoint Management (XenMobile Server) gain root access

CISA Warn, Citrix Patch(es)
/ On Wednesday, 6 April 2022 VMware disclosed several critical-severity vulnerabilities impacting multiple VMware products. If successfully exploited, the vulnerabilities could lead to Remote Code Execution (RCE) or Authentication Bypass.

In addition to the critical severity vulnerabilities, VMware disclosed several high and medium severity vulnerabilities, which could lead to Cross Site Request Forgery (CSRF), Local Privilege Escalation (LPE), or Information Disclosure. All of the vulnerabilities were discovered and responsibly reported to VMware by a security researcher and patches are available to remediate all vulnerabilities:

https://core.vmware.com/vmsa-2022-0011-questions-answers-faq#section1

And additional links to KBs:

https://arcticwolf.com/uk/resources/blog/critical-vulnerabilities-disclosed-in-vmware-products
/ OldGremlin new ransomware methods

Technical analysis:

https://blog.group-ib.com/oldgremlin_comeback
/ Git security vulnerability announced

CVE-2022-24765

This vulnerability affects users working on multi-user machines where a malicious actor could create a .git directory in a shared location above a victim’s current working directory. On Windows, for example, an attacker could create C:\.git\config, which would cause all git invocations that occur outside of a repository to read its configured values…

CVE-2022-24767

Git Windows uninstaller when run via the SYSTEM account

https://github.blog/2022-04-12-git-security-vulnerability-announced/
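The CVE-2022-24765 scenario above is about git's upward discovery of a `.git` directory. As an added audit example (not code from the post or from the Git project), this script walks up from a directory and flags every parent `.git` entry owned by a different user, which is the same idea as the ownership check Git added in 2.35.2 (overridable via `safe.directory`). It assumes a POSIX host where `st_uid` is meaningful; the function name and return shape are this example's own.

```python
"""Audit a directory's parent chain for .git entries git would discover.

Added example, not code from the post or from the Git project.
Simplification: git stops at the first .git found (and at filesystem
boundaries by default); this audit reports every .git in the chain so
a reviewer can see all of them.
Assumes POSIX: on Windows os.stat().st_uid is always 0.
"""
import os
import sys
from pathlib import Path
from typing import List, Optional, Tuple


def find_parent_git_dirs(start: str, uid: Optional[int] = None) -> List[Tuple[str, int, bool]]:
    """Walk from `start` up to the filesystem root.

    Returns one tuple per `.git` entry found:
    (path, owner_uid, owned_by_other_user).
    `uid` defaults to the current user; pass another value to audit on
    behalf of a different account.
    """
    if uid is None:
        uid = os.getuid()
    findings = []
    current = Path(start).resolve()
    # current.parents yields every ancestor up to and including "/"
    for directory in [current, *current.parents]:
        candidate = directory / ".git"
        if candidate.exists():
            owner = candidate.stat().st_uid
            findings.append((str(candidate), owner, owner != uid))
    return findings


def has_foreign_git_dir(start: str, uid: Optional[int] = None) -> bool:
    """True if any .git at or above `start` belongs to another user."""
    return any(foreign for _, _, foreign in find_parent_git_dirs(start, uid))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, owner, foreign in find_parent_git_dirs(target):
        status = "FOREIGN OWNER" if foreign else "ok"
        print(f"{path}\towner uid {owner}\t{status}")
```

Run it from a shared location (a mount point, a home directory on a multi-user host) to see which `.git` directories a plain `git` invocation there would honour.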
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
A blueprint for evading industry leading endpoint protection in 2022

In this post, I’d like to lay out a collection of techniques that together can be used to bypass industry leading enterprise endpoint protection solutions. This is purely for educational purposes for (ethical) red teamers and the like, so I’ve decided not to publicly release the source code. The aim for this post is to be accessible to a wide audience in the security industry, but not to drill down to the nitty gritty details of every technique. Instead, I will refer to writeups of others that deep dive better than I can:

https://vanmieghem.io/blueprint-for-evading-edr-in-2022/
/ Fake Windows upgrade website delivering information stealer malware

Now, CloudSEK researchers have uncovered a multi-stage information stealer malware targeting Windows users and stealing their data from browsers, crypto wallets, and such. The malware is a part of a campaign using fake domains for hosting the payload which is deployed to the victim’s machine via an iso file masquerading as a Windows 11 upgrade:

https://techwireasia.com/2022/04/fake-windows-upgrade-website-delivering-information-stealer-malware/
/ CVE-2022-21449: Psychic Signatures in Java

It’s hard to overstate the severity of this bug. If you are using ECDSA signatures for any of these security mechanisms, then an attacker can trivially and completely bypass them if your server is running any Java 15, 16, 17, or 18:

https://neilmadden.blog/2022/04/19/psychic-signatures-in-java/
/ Exploiting remote code execution within VirusTotal platform in order to gain access to its various scans capabilities

..execute commands remotely within VirusTotal..

https://www.cysrc.com/blog/virus-total-blog