Sys-Admin InfoSec – Telegram
News of cybersecurity / information security, information technology, data leaks / breaches, cve, hacks, tools, trainings
* Multilingual (En, Ru).
* Forum - forum.sys-adm.in
* Chat - @sysadm_in
* Job - @sysadm_in_job
* ? - @sysadminkz
The mechanics of a sophisticated phishing scam and how we stopped it

Message from CF: Yesterday, August 8, 2022, Twilio shared that they’d been compromised by a targeted phishing attack. Around the same time as Twilio was attacked, we saw an attack with very similar characteristics also targeting Cloudflare’s employees. While individual employees did fall for the phishing messages, we were able to thwart the attack through our own use of Cloudflare One products, and physical security keys issued to every employee that are required to access all our applications.

IOCs from CF:
* https://blog.cloudflare.com/2022-07-sms-phishing-attacks/
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
Hacking Zyxel IP cameras to gain a root shell

TLDR - Do not buy, do not use, and remove all of these devices from service immediately (IPC-3605N and the model IPC-4605N). They are so miserably insecure it took me less than a day of effort to develop a utility to remotely compromise any of them. Keep reading if you want to know how… (from Author)

Technical analysis:

http://www.hydrogen18.com/blog/hacking-zyxel-ip-cameras-pt-1.html
Open SysConf 2022 is already in October!

Hi, we are preparing a new, fourth annual Open SysConf'22 meetup.

Already confirmed:
— Three talks
— Half of the budget raised
— Venue, date and time of the meetup
— Updated website sysconf.io

Usually, for most people, circumstances turn out so that something always gets in the way of doing sports, giving a talk or taking part in a conference; usually it is work, putting things off until tomorrow, and so on...

Getting together, sharing knowledge and finding time for yourself is what really needs to be done here and now (and in October)! Straighten your shoulders, dear friend, lift your head and step boldly forward:

- https://sysconf.io
- October 14, from 11:00 to 20:00, Almaty.

The hall is big, there is room for everyone! You will find all the necessary links on the site. Peace ✌️.
CVE-2022-30216 - Authentication coercion of the Windows “Server” service
 
The Server service (also called LanmanServer) is a Windows service that is responsible for the management of SMB shares. Shares are resources — files, printers, and directory trees — that are made accessible over the network by a Common Internet File System server. Essentially, network shares allow users to utilize other devices on the network to perform various daily tasks.

The Server service allows a remote machine to create, configure, query, and delete shares through RPC over a named pipe (\\pipe\srvsvc). For the remainder of this post, we will refer to the service as srvsvc.

A vulnerability in srvsvc is impactful because the service provides core functionality and therefore runs by default on every Windows machine.

Details
Remote Code Execution on Element Desktop Application using Node Integration in Sub Frames Bypass - CVE-2022-23597

During our Electron Desktop Application hacking frenzy, Pew informed me on Discord about a Desktop Application called Element in which he was able to insert an external iframe. We began examining the Element source code, which is public here, and eventually succeeded in Remote Code Execution…

Dig into the details of the bug:

* https://blog.electrovolt.io/posts/element-rce/
Impact to DigitalOcean customers resulting from Mailchimp security incident

After the attack on the Mailchimp service (malicious actors are increasingly deploying an array of sophisticated phishing and social engineering tactics targeting data and information from crypto-related companies), DO released an “impact” document about this attack, its impact on DO customers and what they learned from this situation… in short: “we need to be more secure.. bla bla..” 😄

The article can potentially be useful for people in security management:

* https://www.digitalocean.com/blog/digitalocean-response-to-mailchimp-security-incident
Cisco Secure Web Appliance Privilege Escalation Vulnerability (high)

A vulnerability in the web management interface of Cisco AsyncOS for Cisco Secure Web Appliance, formerly Cisco Web Security Appliance (WSA), could allow an authenticated, remote attacker to perform a command injection and elevate privileges to root:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wsa-prv-esc-8PdRU8t8
Open BLD DNS Updating News (August’22): New BLD release, New tools and more
 
- 100% migration to KeyDB from Redis
- Automated upgrading of target distros according to Open BLD DNS roles (BLD infra has several BLD server roles)
- Added Open API IP location reflector (see link below) on the S-A Lab site
- Ansible roles optimized with common variables
- BLD Server update server can merge downloaded lists without comments (plain lists)
- UptimeRobot helped Open BLD; now you can review the status page: bld-status.sys-adm.in

Note: UptimeRobot supported the Open BLD DNS Project. I have been using UptimeRobot for more than 10 years; it is a very useful and stable uptime monitoring service, details

Tools:
install-redis.sh
install-keydb.sh
redis-to-keydb.sh
lib.sh
monit2telegram.sh - local IP detection functionality added to this fork
ip reflector
bld server

Deprecation notice:
⚠️ 8443 port will be disabled in the next release. Please switch your DoH to 443

Open BLD DNS Site:
• EN - https://lab.sys-adm.in/en
• RU - https://lab.sys-adm.in/ru
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
Systemd is the mother of all processes, responsible for bringing the Linux host up to a state where productive work can be done…

Systemd architecture: https://opensource.com/article/20/4/systemd
September: "KazHackStan 2022" is open for registration (September 14-16)

KHS is one of the big free infosec conferences in KZ, with workshops, contests and talks whose authors are planned to be gathered from different corners of the world.

One of the speakers will be Jayson E., author of the book series "Dissecting the hack: Series" and DEF CON Groups Global Ambassador. All in all, it should be interesting: you can meet people, chat and learn something new (I, @sysadminkz, also plan to be there with a talk).

The conference will have a live cyber range (a simulation of a real city with its infrastructure) where 20 hacker teams will compete (they will be "breaking" the city in real time for three days straight). Video about KHS - https://youtu.be/al7fa8X54qA

• September 14-16, Almaty. All details on the official site: kazhackstan.kz

P.S. Don't forget about October and Open SysConf'22
 
GitLab Critical Security Release: 15.3.1, 15.2.3, 15.1.5

...
These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.
...

https://about.gitlab.com/releases/2022/08/22/critical-security-release-gitlab-15-3-1-released/
Bitbucket Server and Data Center Advisory 2022-08-24

Bitbucket Server and Data Center - Command injection vulnerability - CVE-2022-36804

https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html