/ Git security vulnerability announced
CVE-2022-24765
This vulnerability affects users working on multi-user machines where a malicious actor could create a .git directory in a shared location above a victim’s current working directory. On Windows, for example, an attacker could create C:\.git\config, which would cause all git invocations that occur outside of a repository to read its configured values…
CVE-2022-24767
Got Windows uninstaller when run via the SYSTEM account
https://github.blog/2022-04-12-git-security-vulnerability-announced/
CVE-2022-24765
This vulnerability affects users working on multi-user machines where a malicious actor could create a .git directory in a shared location above a victim’s current working directory. On Windows, for example, an attacker could create C:\.git\config, which would cause all git invocations that occur outside of a repository to read its configured values…
CVE-2022-24767
Got Windows uninstaller when run via the SYSTEM account
https://github.blog/2022-04-12-git-security-vulnerability-announced/
The GitHub Blog
Git security vulnerability announced
Upgrade your local installation of Git, especially if you are using Git for Windows, or you use Git on a multi-user machine.
/ Juniper released multiple patched for vulnerabilities
https://supportportal.juniper.net/s/global-search/%40uri?language=en_US#sort=date%20descending&f:ctype=%5BSecurity%20Advisories%5D
https://supportportal.juniper.net/s/global-search/%40uri?language=en_US#sort=date%20descending&f:ctype=%5BSecurity%20Advisories%5D
/ CVE-2022-29072 - 7-Zip through 21.07 on Windows allows privilege escalation and command execution when a file with the .7z extension is dragged to the Help>Contents area:
https://github.com/kagancapar/CVE-2022-29072
https://github.com/kagancapar/CVE-2022-29072
GitHub
GitHub - kagancapar/CVE-2022-29072: 7-Zip through 21.07 on Windows allows privilege escalation and command execution when a file…
7-Zip through 21.07 on Windows allows privilege escalation and command execution when a file with the .7z extension is dragged to the Help>Contents area. - kagancapar/CVE-2022-29072
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
A blueprint for evading industry leading endpoint protection in 2022
In this post, I’d like to lay out a collection of techniques that together can be used to bypassed industry leading enterprise endpoint protection solutions. This is purely for educational purposes for (ethical) red teamers and alike, so I’ve decided not to publicly release the source code. The aim for this post is to be accessible to a wide audience in the security industry, but not to drill down to the nitty gritty details of every technique. Instead, I will refer to writeups of others that deep dive better than I can:
https://vanmieghem.io/blueprint-for-evading-edr-in-2022/
In this post, I’d like to lay out a collection of techniques that together can be used to bypassed industry leading enterprise endpoint protection solutions. This is purely for educational purposes for (ethical) red teamers and alike, so I’ve decided not to publicly release the source code. The aim for this post is to be accessible to a wide audience in the security industry, but not to drill down to the nitty gritty details of every technique. Instead, I will refer to writeups of others that deep dive better than I can:
https://vanmieghem.io/blueprint-for-evading-edr-in-2022/
Vincent Van Mieghem
A blueprint for evading industry leading endpoint protection in 2022
Bypassing CrowdStrike and Microsoft Defender for Endpoint
/ CatalanGate - Extensive Mercenary Spyware Operation against Catalans Using Pegasus and Candiru
Analysis:
https://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/
Analysis:
https://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/
The Citizen Lab
CatalanGate
The Citizen Lab, in collaboration with Catalan civil society groups, has identified at least 65 individuals targeted or infected with mercenary spyware, including members of the European Parliament, Catalan Presidents, legislators, jurists, and members of…
/ Fake Windows upgrade website delivering information stealer malware
Now, CloudSEK researchers have uncovered a multi-stage information stealer malware targeting Windows users and stealing their data from browsers, crypto wallets, and such. The malware is a part of a campaign using fake domains for hosting the payload which is deployed to the victim’s machine via an iso file masquerading as a Windows 11 upgrade:
https://techwireasia.com/2022/04/fake-windows-upgrade-website-delivering-information-stealer-malware/
Now, CloudSEK researchers have uncovered a multi-stage information stealer malware targeting Windows users and stealing their data from browsers, crypto wallets, and such. The malware is a part of a campaign using fake domains for hosting the payload which is deployed to the victim’s machine via an iso file masquerading as a Windows 11 upgrade:
https://techwireasia.com/2022/04/fake-windows-upgrade-website-delivering-information-stealer-malware/
TechWire Asia
Fake Windows upgrade website delivering information stealer malware
CloudSEK researchers have uncovered a multi-stage information stealer malware targeting users looking for a Windows 11 upgrade.
When “secure” isn’t secure at all: High‑impact UEFI vulnerabilities discovered in Lenovo consumer laptops
https://www.welivesecurity.com/2022/04/19/when-secure-isnt-secure-uefi-vulnerabilities-lenovo-consumer-laptops/
Lenovo Notebook BIOS Vulnerabilities
https://support.lenovo.com/fr/fr/product_security/ps500485-lenovo-notebook-bios-vulnerabilities
https://www.welivesecurity.com/2022/04/19/when-secure-isnt-secure-uefi-vulnerabilities-lenovo-consumer-laptops/
Lenovo Notebook BIOS Vulnerabilities
https://support.lenovo.com/fr/fr/product_security/ps500485-lenovo-notebook-bios-vulnerabilities
WeLiveSecurity
When “secure” isn’t secure at all: High‑impact UEFI vulnerabilities discovered in Lenovo consumer laptops
ESET research discovers vulnerabilities in Lenovo consumer laptop models that allow attackers with admin rights to expose users to firmware-level malware.
/ AWS's Log4Shell Hot Patch Vulnerable to Container Escape and Privilege Escalation
https://unit42.paloaltonetworks.com/aws-log4shell-hot-patch-vulnerabilities/
https://unit42.paloaltonetworks.com/aws-log4shell-hot-patch-vulnerabilities/
Unit 42
AWS's Log4Shell Hot Patch Vulnerable to Container Escape and Privilege Escalation
We identified severe security issues within AWS Log4Shell hot patch solutions. We provide a root cause analysis and overview of fixes and mitigations.
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
BLINDING SNORT: BREAKING THE MODBUS OT PREPROCESSOR
https://claroty.com/2022/04/14/blog-research-blinding-snort-breaking-the-modbus-ot-preprocessor/
https://claroty.com/2022/04/14/blog-research-blinding-snort-breaking-the-modbus-ot-preprocessor/
Claroty
Blinding Snort IDS/IPS: Breaking the Modbus OT Preprocessor
Team82 discovered a means by which it could blind the popular Snort intrusion detection and prevention system to malicious packets. Learn more with Claroty.
/ Microsoft Exchange Servers are targetted by Hive ransomware
https://cloud7.news/security/microsoft-exchange-servers-are-targetted-by-hive-ransomware/amp/
https://cloud7.news/security/microsoft-exchange-servers-are-targetted-by-hive-ransomware/amp/
/ Attackers linger on government agency computers before deploying Lockbit ransomware
https://news.sophos.com/en-us/2022/04/12/attackers-linger-on-government-agency-computers-before-deploying-lockbit-ransomware/
https://news.sophos.com/en-us/2022/04/12/attackers-linger-on-government-agency-computers-before-deploying-lockbit-ransomware/
Sophos News
Attackers linger on government agency computers before deploying Lockbit ransomware
Threat actors spent more than five months remotely googling for tools from the target’s machines
/ CVE-2022-21449: Psychic Signatures in Java
It’s hard to overstate the severity of this bug. If you are using ECDSA signatures for any of these security mechanisms, then an attacker can trivially and completely bypass them if your server is running any Java 15, 16, 17, or 18..:
https://neilmadden.blog/2022/04/19/psychic-signatures-in-java/
It’s hard to overstate the severity of this bug. If you are using ECDSA signatures for any of these security mechanisms, then an attacker can trivially and completely bypass them if your server is running any Java 15, 16, 17, or 18..:
https://neilmadden.blog/2022/04/19/psychic-signatures-in-java/
Neil Madden
CVE-2022-21449: Psychic Signatures in Java
The long-running BBC sci-fi show Doctor Who has a recurring plot device where the Doctor manages to get out of trouble by showing an identity card which is actually completely blank. Of course, thi…
/ Exploiting remote code execution within VirusTotal platform in order to gain access to its various scans capabilities
..execute commands remotely within VirusTotal..
https://www.cysrc.com/blog/virus-total-blog
..execute commands remotely within VirusTotal..
https://www.cysrc.com/blog/virus-total-blog
/ Q1 Brand Phishing Report, highlighting the brands that hackers most often imitate to lure people into giving up their personal data
(from checkpoint)
https://blog.checkpoint.com/2022/04/19/social-networks-most-likely-to-be-imitated-by-criminal-groups-with-linkedin-now-accounting-for-half-of-all-phishing-attempts-worldwide/
(from checkpoint)
https://blog.checkpoint.com/2022/04/19/social-networks-most-likely-to-be-imitated-by-criminal-groups-with-linkedin-now-accounting-for-half-of-all-phishing-attempts-worldwide/
Check Point Blog
Brand Phishing Report Q1 2022 - Check Point Blog
Check Point Research issues its Q1 Brand Phishing Report for 2022, highlighting the brands that hackers most often imitate to lure people into giving up their personal data
/ Threat Hunting for Phishing Pages
Phishing can be carried out via social media or the phone, but the term “phishing” is mainly used to describe attacks via email. Phishing emails can reach millions of users directly and are hidden among the many bona fide emails that busy users receive. Additionally, with malicious software such as ransomware, attacks can infiltrate systems and take any action they want. This article will discuss various techniques for catching phishing pages:
https://brandefense.io/threat-hunting-for-phishing-pages/
Phishing can be carried out via social media or the phone, but the term “phishing” is mainly used to describe attacks via email. Phishing emails can reach millions of users directly and are hidden among the many bona fide emails that busy users receive. Additionally, with malicious software such as ransomware, attacks can infiltrate systems and take any action they want. This article will discuss various techniques for catching phishing pages:
https://brandefense.io/threat-hunting-for-phishing-pages/
Brandefense
Threat Hunting For Phishing Pages - Brandefense
Phishing is a type of cybersecurity attack during which threat actors send malicious emails designed to trick people into falling for a scam.
/ NPM allow masquerade a malicious package
npm that allows threat actors to masquerade a malicious package as legitimate and trick unsuspecting developers into installing it
https://blog.aquasec.com/npm-package-planting
npm that allows threat actors to masquerade a malicious package as legitimate and trick unsuspecting developers into installing it
https://blog.aquasec.com/npm-package-planting
Aqua
Package Planting: Are You [Unknowingly] Maintaining Poisoned Packages?
Team Nautilus found a flaw in npm that allows attackers to perform package planting and masquerade a malicious package as legitimate to trick developers
/ Cisco: April 2022 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication
Cisco released its semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication on April 27, 2022. In direct response to customer feedback, Cisco releases bundles of Cisco ASA, FMC, and FTD Software Security Advisories on the fourth Wednesday of the month in April and October of each calendar year:
https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-74836
Cisco released its semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication on April 27, 2022. In direct response to customer feedback, Cisco releases bundles of Cisco ASA, FMC, and FTD Software Security Advisories on the fourth Wednesday of the month in April and October of each calendar year:
https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-74836
/ New elevation of privilege Linux vulnerability, Nimbuspwn
The vulnerabilities can be chained together to gain root privileges on Linux systems, allowing attackers to deploy payloads, like a root backdoor, and perform other malicious actions via arbitrary root code execution:
https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/
The vulnerabilities can be chained together to gain root privileges on Linux systems, allowing attackers to deploy payloads, like a root backdoor, and perform other malicious actions via arbitrary root code execution:
https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/
Microsoft News
Microsoft finds new elevation of privilege Linux vulnerability, Nimbuspwn
Microsoft has discovered several vulnerabilities, collectively referred to as Nimbuspwn, that could be chained together, allowing an attacker to elevate privileges to root on many Linux desktop endpoints. Leveraging Nimbuspwn as a vector for root access could…
/ 2021 Top Routinely Exploited Vulnerabilities
From CISA
https://www.cisa.gov/uscert/ncas/alerts/aa22-117a
From CISA
https://www.cisa.gov/uscert/ncas/alerts/aa22-117a
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
BLD DNS Один день Из Жизни Флуд Файтинга / One Day from BLD DNS Flood Fighting
Это было обычное утро, обычного выходного дня (после пятницы), ничего не предвещало серого неба, и тут опять...
Познавательно, юмористически описанный пример того, как нужно быстро собраться в кучу и придумать велосипед:
- [ru] - Файтинг с DoS / DDoS флудом нацеленным на BLD DNS
~~~
It was an ordinary morning, an ordinary weekend (after Friday), nothing foreshadowed a gray sky, and then again...
An informative, humorous described example of how to quickly get together and come up with a bicycle...
Это было обычное утро, обычного выходного дня (после пятницы), ничего не предвещало серого неба, и тут опять...
Познавательно, юмористически описанный пример того, как нужно быстро собраться в кучу и придумать велосипед:
- [ru] - Файтинг с DoS / DDoS флудом нацеленным на BLD DNS
~~~
It was an ordinary morning, an ordinary weekend (after Friday), nothing foreshadowed a gray sky, and then again...
An informative, humorous described example of how to quickly get together and come up with a bicycle...