/ Android Security Bulletin—December 2022
https://source.android.com/docs/security/bulletin/2022-12-01
/ Passwordless Authentication - Access Your Bitwarden Web Vault Without a Password
https://bitwarden.com/blog/passwordless-authentication-access-your-bitwarden-web-vault-without-a-password
Bitwarden
Access your Bitwarden vault without a password | Bitwarden
Logging into your Bitwarden vault just got easier! A new passwordless experience enables you to access your Bitwarden vault with another device.
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
Turning EDRs to Malicious Wipers Using 0-day Exploits
https://www.blackhat.com/eu-22/briefings/schedule/index.html#aikido-turning-edrs-to-malicious-wipers-using--day-exploits-29336
Blackhat
Black Hat Europe 2022
/ Cisco IP Phone 7800 and 8800 Series Cisco Discovery Protocol Stack Overflow Vulnerability
...could allow an unauthenticated, adjacent attacker to cause a stack overflow on an affected device:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipp-oobwrite-8cMF5r7U
Cisco
Cisco Security Advisory: Cisco IP Phone 7800 and 8800 Series Cisco Discovery Protocol Stack Overflow Vulnerability
A vulnerability in the Cisco Discovery Protocol processing feature of Cisco IP Phone 7800 and 8800 Series firmware could allow an unauthenticated, adjacent attacker to cause a stack overflow on an affected device.
This vulnerability is due to insufficient…
/ Abusing JSON-Based SQL to Bypass WAF
…Our bypass worked against WAFs sold by five leading vendors: Palo Alto Networks, Amazon Web Services, Cloudflare, F5, and Imperva. All five have been notified and have updated their products to support JSON syntax in their SQL injection inspection process…
https://claroty.com/team82/research/js-on-security-off-abusing-json-based-sql-to-bypass-waf
Claroty
{JS-ON: Security-OFF}: Abusing JSON-Based SQL to Bypass WAF
Team82 developed a generic web application firewall bypass exploiting a lack of JSON syntax support in leading vendors' SQL injection like AWS and Imperva WAF.
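The mechanism behind the bypass, as an added example (not Team82's code): a toy signature WAF that recognises the classic tautologies but has never seen JSON functions, placed in front of a string-concatenated query. Team82's real payloads used PostgreSQL/MySQL JSON operators; SQLite's json_extract() is used here as a stand-in so the block runs with only the Python standard library, and the table, payloads and rules are constructed.

```python
import re
import sqlite3

# Signature rules of the kind a naive WAF ships: classic tautologies and UNION.
WAF_RULES = [re.compile(p, re.IGNORECASE) for p in (
    r"\bor\b\s+\d+\s*=\s*\d+",           # ... OR 1=1
    r"\bor\b\s+'[^']*'\s*=\s*'[^']*'",   # ... OR 'a'='a'
    r"\bunion\b\s+select\b",             # UNION SELECT
)]

def waf_blocks(value: str) -> bool:
    """True if the request value trips any signature."""
    return any(rule.search(value) for rule in WAF_RULES)

def build_db() -> sqlite3.Connection:
    # Constructed sample data.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "alice", "admin"), (2, "bob", "user")])
    return con

def vulnerable_lookup(con: sqlite3.Connection, name: str) -> list:
    # The injection sink: user input concatenated into the statement.
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in con.execute(sql)]

def safe_lookup(con: sqlite3.Connection, name: str) -> list:
    # Parameterised query: the same input is only ever a value to compare against.
    return [row[0] for row in con.execute(
        "SELECT name FROM users WHERE name = ?", (name,))]

# Constructed payloads. The second is a tautology the rules above cannot see:
# json_extract('{"a":1}', '$.a') evaluates to 1, so the WHERE clause is always true.
CLASSIC_PAYLOAD = "x' OR 1=1 -- "
JSON_PAYLOAD = "x' OR json_extract('{\"a\":1}', '$.a') = 1 -- "

def demo() -> dict:
    con = build_db()
    return {
        "classic_blocked": waf_blocks(CLASSIC_PAYLOAD),               # True
        "json_blocked": waf_blocks(JSON_PAYLOAD),                     # False: signature never matches
        "json_rows_vulnerable": vulnerable_lookup(con, JSON_PAYLOAD), # every user leaks
        "json_rows_safe": safe_lookup(con, JSON_PAYLOAD),             # nothing matches
    }

if __name__ == "__main__":
    print(demo())
```

The point the vendors fixed is the second key: the inspection engine must tokenise JSON syntax as part of the SQL grammar, otherwise the same tautology arrives in a shape no pattern covers. The parameterised lookup shows the application-side fix that does not depend on the WAF at all.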
/ FortiOS - heap-based buffer overflow in sslvpnd
Impact: Execute unauthorized code or commands:
https://www.fortiguard.com/psirt/FG-IR-22-398
FortiGuard Labs
PSIRT | FortiGuard Labs
/ A Custom Python Backdoor for VMWare ESXi Servers
https://blogs.juniper.net/en-us/threat-research/a-custom-python-backdoor-for-vmware-esxi-servers
Juniper Networks
A Custom Python Backdoor for VMWare ESXi Servers
Juniper Threat Labs analyzes a backdoor installed on a compromised VMware ESXi server that can execute arbitrary commands and launch reverse shells.
/ Windows SmartScreen Security Feature Bypass Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-44698
Open BLD DNS is in emergency maintenance mode for the next ~10 min, don't worry
up
Done ✅
/ Solemnly Swear My Driver Is Up to No Good: Hunting for Attestation Signed Malware
— The malicious drivers are signed directly by Microsoft and identifying the original software vendor requires inspecting the signature with code
— Several distinct malware families, associated with distinct threat actors, have been signed with this process
…
One: https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware
Two: https://www.sentinelone.com/labs/driving-through-defenses-targeted-attacks-leverage-signed-malicious-microsoft-drivers/
Google Cloud Blog
I Solemnly Swear My Driver Is Up to No Good: Hunting for Attestation Signed Malware | Mandiant | Google Cloud Blog
/ IIS modules: The evolution of web shells and how to detect them
https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/
/ HTML smugglers turn to SVG images
HTML smuggling is a technique attackers use to hide an encoded malicious script within an HTML email attachment or webpage..:
https://blog.talosintelligence.com/html-smugglers-turn-to-svg-images/
Cisco Talos Blog
HTML smugglers turn to SVG images
* HTML smuggling is a technique attackers use to hide an encoded malicious script within an HTML email attachment or webpage.
* Once a victim receives the email and opens the attachment, their browser decodes and runs the script, which then assembles a malicious…
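What the decode-and-assemble pattern looks like in an SVG attachment, and a static check for it, as an added example (not Talos' code): the scanner below looks for the indicators the post describes together (inline script inside the SVG, base64 decoding with atob, in-browser Blob assembly, a forced download) and recovers the embedded payload for inspection. The sample SVG and its payload are constructed; the indicator names and threshold are this example's own choices.

```python
import base64
import re

def _sample_svg() -> str:
    # Constructed attachment: a fake PE header ("MZ" + NOPs) base64-encoded into the SVG.
    payload = base64.b64encode(b"MZ" + b"\x90" * 200).decode()
    template = """<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">
  <script><![CDATA[
    var b = atob("__PAYLOAD__");
    var bytes = new Uint8Array(b.length);
    for (var i = 0; i < b.length; i++) bytes[i] = b.charCodeAt(i);
    var blob = new Blob([bytes], {type: "application/octet-stream"});
    var link = document.createElement("a");
    link.href = URL.createObjectURL(blob);
    link.download = "invoice.zip";
    link.click();
  ]]></script>
</svg>"""
    return template.replace("__PAYLOAD__", payload)

SAMPLE_SVG = _sample_svg()
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5" fill="red"/></svg>'

# Each indicator alone is unremarkable; several together are the smuggling pattern.
INDICATORS = {
    "script_in_svg":   re.compile(r"<svg[^>]*>.*?<script\b", re.S | re.I),
    "base64_decode":   re.compile(r"\batob\s*\(", re.I),
    "blob_assembly":   re.compile(r"new\s+Blob\s*\(", re.I),
    "object_url":      re.compile(r"createObjectURL\s*\(", re.I),
    "forced_download": re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']", re.I),
    "long_base64":     re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
}

def scan(content: str) -> list:
    """Names of the indicators present in an attachment body."""
    return [name for name, rx in INDICATORS.items() if rx.search(content)]

def is_smuggling(content: str, threshold: int = 3) -> bool:
    # One base64 literal in an SVG is common (embedded images); three or more
    # indicators together is the decode-assemble-download chain.
    return len(scan(content)) >= threshold

def extract_payloads(content: str) -> list:
    """Base64-decode every long literal so the smuggled file can be inspected offline."""
    found = []
    for m in INDICATORS["long_base64"].finditer(content):
        try:
            found.append(base64.b64decode(m.group(0), validate=True))
        except ValueError:
            continue
    return found

if __name__ == "__main__":
    print(scan(SAMPLE_SVG), is_smuggling(SAMPLE_SVG), extract_payloads(SAMPLE_SVG)[0][:2])
```

Because the payload is only ever assembled inside the victim's browser, network-level controls see an image attachment and nothing else; the attachment body itself is the only place the chain is visible, which is why a content check like this belongs at the mail gateway or in the sandbox that opens attachments.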
Open DevOps workshop by Rebrain: Dockerfile
Program:
• Building the simplest Dockerfile in three lines
• Walking through the optimal way to build a Dockerfile (including multistage)
• Learning to build a minimal docker image
• December 20 (Tuesday) at 19:00 MSK. Details
/ Linux Kernel: UAF in Bluetooth L2CAP Handshake
https://www.openwall.com/lists/oss-security/2022/12/14/7
/ OpenVAS - based free online scanner
Yesterday I found a helpful online tool: an nmap, CVE, etc. online scanner, free for 10 scans a month, which can be enough for personal/own ASV scans:
https://hostedscan.com/scans
/ How to Detect Malicious OAuth Device Code Phishing
Here’s a quick TL;DR of the attack – in short, an attacker generates a user code and sends it to a victim in a phishing email. The user is then tricked into inputting the code into a Microsoft owned verification link. Upon success, the attacker can fetch both the user’s refresh and access token. This allows the attacker access to the user account:
https://www.inversecos.com/2022/12/how-to-detect-malicious-oauth-device.html
Inversecos
How to Detect Malicious OAuth Device Code Phishing
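The sequence in the TL;DR above, run through an in-memory model of the OAuth 2.0 device authorization grant (RFC 8628), as an added example that is not inversecos' code. It shows why the attacker, not the victim's browser, receives the tokens: the token endpoint releases them to whoever polls with the device_code, and the verification page only ever asks for the user_code. The IPs, user names and the layout of the sign-in records are constructed; real sign-in logs use their own field names, so the detection heuristic at the end is the idea, not a query to paste.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

@dataclass
class DeviceGrant:
    device_code: str                 # secret held by whoever started the flow
    user_code: str                   # short code the victim is asked to type
    started_from_ip: str
    approved_by: Optional[str] = None
    approved_from_ip: Optional[str] = None
    redeemed: bool = False

class AuthServer:
    """Minimal model of the device-authorization, verification and token endpoints."""
    def __init__(self):
        self.grants = {}
        self.signins = []            # constructed stand-in for sign-in logs

    def device_authorization(self, client_id: str, client_ip: str) -> dict:
        g = DeviceGrant(secrets.token_urlsafe(32), secrets.token_hex(4).upper(), client_ip)
        self.grants[g.device_code] = g
        return {"device_code": g.device_code, "user_code": g.user_code,
                "verification_uri": "https://login.example/device", "interval": 5}

    def verify(self, user_code: str, username: str, browser_ip: str) -> bool:
        # The verification page binds the signed-in user to the pending grant;
        # it never learns which device (or attacker) holds the matching device_code.
        for g in self.grants.values():
            if g.user_code == user_code and g.approved_by is None:
                g.approved_by, g.approved_from_ip = username, browser_ip
                return True
        return False

    def token(self, device_code: str, poller_ip: str) -> dict:
        g = self.grants.get(device_code)
        if g is None or g.redeemed:
            return {"error": "invalid_grant"}
        if g.approved_by is None:
            return {"error": "authorization_pending"}
        g.redeemed = True
        self.signins.append({"user": g.approved_by, "protocol": "deviceCode",
                             "approved_from_ip": g.approved_from_ip,
                             "redeemed_from_ip": poller_ip})
        return {"token_type": "Bearer", "access_token": secrets.token_urlsafe(24),
                "refresh_token": secrets.token_urlsafe(24)}

def suspicious_device_code_signins(signins: list) -> list:
    # Heuristic: in a legitimate device-code login the approving browser and the
    # polling device belong to the same person and normally the same network.
    return [s for s in signins if s["protocol"] == "deviceCode"
            and s["approved_from_ip"] != s["redeemed_from_ip"]]

def run_phish() -> tuple:
    srv = AuthServer()
    attacker_ip, victim_ip = "203.0.113.7", "198.51.100.23"         # constructed
    grant = srv.device_authorization("first-party-client", attacker_ip)   # 1. attacker starts the flow
    pending = srv.token(grant["device_code"], attacker_ip)           # 2. polls: nothing yet
    srv.verify(grant["user_code"], "victim@example.com", victim_ip)  # 3. victim enters the code
    tokens = srv.token(grant["device_code"], attacker_ip)            # 4. attacker's poll gets the tokens
    return pending, tokens, srv.signins

if __name__ == "__main__":
    print(run_phish())
```

Nothing in the flow is broken; the victim really did authenticate at the genuine verification URI. That is why the blog's detection angle is the sign-in record rather than the login page: a device-code sign-in whose token is redeemed from an address unrelated to the one that approved it is the observable artefact.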
/ MCCrash: Cross-platform DDoS botnet targets private Minecraft servers
Attackers update malware to target additional operating systems, ranging from PCs to IoT devices, growing their infrastructure rapidly..🤗
https://www.microsoft.com/en-us/security/blog/2022/12/15/mccrash-cross-platform-ddos-botnet-targets-private-minecraft-servers/
Microsoft News
MCCrash: Cross-platform DDoS botnet targets private Minecraft servers
The Microsoft Defender for IoT research team analyzed a cross-platform botnet that infects both Windows and Linux systems from PCs to IoT devices, to launch distributed denial of service (DDoS) attacks against private Minecraft servers.
/ Backdoor Targets FreePBX Asterisk Management Portal
https://blog.sucuri.net/2022/12/backdoor-targets-freepbx-asterisk-management-portal.html
Sucuri Blog
Backdoor Targets FreePBX Asterisk Management Portal
Learn about a simple piece of malware targeting FreePBX Asterisk Management portal which allows attackers to backdoor a site and modify the website’s .htaccess file
/ Leaked a secret? Check your GitHub alerts…for free
https://github.blog/2022-12-15-leaked-a-secret-check-your-github-alerts-for-free/
The GitHub Blog
Leaked a secret? Check your GitHub alerts...for free
GitHub now allows you to track any leaked secrets in your public repository, for free. With secret scanning alerts, you can track and action on leaked secrets directly within GitHub.
/ Veeam Backup & Replication: vulnerabilities allow executing malicious code remotely without authentication. This may lead to gaining control over the target system
https://www.veeam.com/kb4288
Veeam Software
KB4288: CVE-2022-26500 | CVE-2022-26501
Multiple vulnerabilities (CVE-2022-26500, CVE-2022-26501) in Veeam Backup & Replication allow executing malicious code remotely without authentication. This may lead to gaining control over the target system.
/ New Samba security release available
This is the latest stable release of the Samba 4.17 release series.
It also contains security changes in order to address the following defects:
https://www.samba.org/samba/history/samba-4.17.4.html