/ Living Off Windows Defender | LockBit Ransomware Sideloads Cobalt Strike Through Microsoft Security Tool
https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/
SentinelOne
LockBit ransomware finds a new way to evade security controls by leveraging a Windows Defender command line tool.
/ DNS settings to avoid email spoofing and phishing for unused domain
https://www.cyberciti.biz/security/dns-settings-to-avoid-email-spoofing-and-phishing-for-unused-domain/
/ Multiple vulnerabilities were privately reported to VMware. (critical)
Patches are available to remediate these vulnerabilities in affected VMware products:
https://www.vmware.com/security/advisories/VMSA-2022-0021.html
/ CVE-2022-29154: Rsync client-side arbitrary file write vulnerability
https://www.openwall.com/lists/oss-security/2022/08/02/1
/ XSS vulnerabilities in Google Cloud, Google Play could lead to account hijacks
The article contains no technical analysis, but it does describe how the bugs were discovered:
https://portswigger.net/daily-swig/xss-vulnerabilities-in-google-cloud-google-play-could-lead-to-account-hijacks
The Daily Swig | Cybersecurity news and views
Reflected XSS and DOM-based XSS bugs net researchers $3,000 and $5,000 bug bounties
/ GitLab plans to delete dormant projects in free accounts
🙁
https://www.theregister.com/2022/08/04/gitlab_data_retention_policy
The Register
Hopes to save a quarter of hosting costs by binning repos that haven't been touched for a year
/ Hijacking email with Cloudflare Email Routing
…
Cloudflare Email Routing was in closed beta back when I discovered this vulnerability, with only a few domains having been granted access. Sadly, I was not invited to the party, so I was simply going to have to crash it instead.
…
https://albertpedersen.com/blog/hijacking-email-with-cloudflare-email-routing/
Albertpedersen
On Tuesday, December 7th 2021 I discovered a critical vulnerability in Cloudflare’s Email Routing service. This vulnerability enabled anyone to modify the routing configuration of any domain using the service. A bad actor could have overwritten the destination…
/ Cisco Small Business RV Series Routers Vulnerabilities (critical)
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-mult-vuln-CbVp4SUR
Cisco
Cisco Security Advisory: Cisco Small Business RV Series Routers Vulnerabilities
Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition on an affected device.
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
Fourteen Ways to Read the PID for the Local Security Authority Subsystem Service (LSASS)
Process enumeration is necessary prior to injecting shellcode or dumping memory. Threat actors tend to favour using CreateToolhelp32Snapshot with Process32First and Process32Next to gather a list of running processes. And if they’re a bit more tech-savvy, they’ll use the NtQuerySystemInformation system call directly.
Although this post will focus on obtaining a PID specifically for LSASS, the methods described here can be adapted to resolve PIDs for any process. Some of these are well known and have been discussed before, but there’s also a few new ones that many readers won’t be familiar with…
* https://www.mdsec.co.uk/2022/08/fourteen-ways-to-read-the-pid-for-the-local-security-authority-subsystem-service-lsass/
/ CyRC Vulnerability Advisory: Local privilege escalation in Kaspersky VPN
https://www.synopsys.com/blogs/software-security/cyrc-advisory-kasperksy-vpn-microsoft-windows/
Blackduck
Kaspersky VPN Security Flaw: Windows Privilege Escalation | Black Duck Blog
Uncover insights on CVE-2022-27535 vulnerability - a local privilege escalation issue within Kaspersky VPN Secure Connection for Windows.
/ Zimbra Email - Stealing Clear-Text Credentials via Memcache injection
https://blog.sonarsource.com/zimbra-mail-stealing-clear-text-credentials-via-memcache-injection/
Sonarsource
We discovered flaws in Zimbra, an enterprise email solution, that allow attackers to steal credentials of users and gain access to their email accounts.
/ Notice about Slack password resets
On August 4, 2022, we notified approximately 0.5% of Slack users that we reset their passwords in response to a bug that occurred when users created or revoked a Shared Invite Link for their workspace. When a user performed either of these actions, Slack transmitted a hashed version of their password to other workspace members. This hashed password was not visible in any Slack clients; discovering it required actively monitoring encrypted network traffic coming from Slack’s servers. This bug was discovered by an independent security researcher and disclosed to us on July 17, 2022. It affected all users who created or revoked Shared Invite Links between April 17, 2017 and July 17, 2022.
https://slack.com/blog/news/notice-about-slack-password-resets
/ An incident impacting some accounts and private information on Twitter
We want to let you know about a vulnerability that allowed someone to enter a phone number or email address into the log-in flow in the attempt to learn if that information was tied to an existing Twitter account, and if so, which specific account.
https://privacy.twitter.com/en/blog/2022/an-issue-affecting-some-anonymous-accounts
/ Multiple vulnerabilities were privately reported to VMware. Patches are available to remediate these vulnerabilities in affected VMware products (critical)
https://www.vmware.com/security/advisories/VMSA-2022-0021.html
/ Cisco Small Business RV Series Routers Vulnerabilities
Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition on an affected device:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-mult-vuln-CbVp4SUR
Cisco
Cisco Security Advisory: Cisco Small Business RV Series Routers Vulnerabilities
/ dnsdist: implement own rate-limiting function
Dnsdist is a highly DNS-, DoS- and abuse-aware loadbalancer. Its goal in life is to route traffic to the best server, delivering top performance to legitimate users while shunting or blocking abusive traffic.
A fully Lua- and Redis-integrated solution, with code examples:
* Part 1 - https://blog.mrpk.info/posts/dnsdist-implement-own-rate-limiting-function/
* Part 2 - https://blog.mrpk.info/posts/dnsdist-implement-own-rate-limiting-function-part2/
mrpk1906@sysadmin
dnsdist: implement own rate-limiting function - Part 1
dnsdist is a highly DNS-, DoS- and abuse-aware loadbalancer. Its goal in life is to route traffic to the best server, delivering top performance to legitimate users while shunting or blocking abusive traffic. dnsdist has supported a basic rate-limiting but…
/ HiddenAds malware affects 1M+ users and hides on the Google Play Store
* Research from McAfee
P.S. The malware domain is already blocked in the Open BLD service.
McAfee Blog
New HiddenAds malware affects 1M+ users and hides on the Google Play Store | McAfee Blog
Authored by Dexter Shin McAfee's Mobile Research Team has identified new malware on the Google Play Store. Most of them are disguising themselves as
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
squip.pdf
505.5 KB
SQUIP: Exploiting the Scheduler Queue Contention Side Channel
In this paper, we present the SQUIP attack, the first side-channel attack on scheduler queues. With SQUIP, we measure the precise degree of Scheduler Queue Usage (i.e., occupancy) via Interference Probing. We show that this occupancy level measurement works on microarchitectures of different vendors, namely the Apple M1, AMD Zen 2 and Zen 3…
/ The mechanics of a sophisticated phishing scam and how we stopped it
Message from CF: Yesterday, August 8, 2022, Twilio shared that they’d been compromised by a targeted phishing attack. Around the same time as Twilio was attacked, we saw an attack with very similar characteristics also targeting Cloudflare’s employees. While individual employees did fall for the phishing messages, we were able to thwart the attack through our own use of Cloudflare One products, and physical security keys issued to every employee that are required to access all our applications.
IOCs from CF:
* https://blog.cloudflare.com/2022-07-sms-phishing-attacks/
/ Threat actors breached Cisco systems in May and stole gigabytes of information from Cisco.
Cisco Talos shares insights related to recent cyber attack on Cisco
https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html
Cisco Event Response: Corporate Network Security Incident details:
https://tools.cisco.com/security/center/resources/corp_network_security_incident
Update History
Aug. 10, 2022
Adding clarifying details on activity involving active directory.
Aug. 10, 2022
Update made to the Cisco Response and Recommendations section related to MFA.
/ Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling
https://portswigger.net/research/browser-powered-desync-attacks
PortSwigger Research
The recent rise of HTTP Request Smuggling has seen a flood of critical findings enabling near-complete compromise of numerous major websites. However, the threat has been confined to attacker-accessib