/ SCARLETEEL: Operation leveraging Terraform, Kubernetes, and AWS for data theft
The Sysdig Threat Research Team recently discovered a sophisticated cloud operation in a customer environment, dubbed SCARLETEEL, that resulted in stolen proprietary data. The attacker exploited a containerized workload and then leveraged it to perform privilege escalation into an AWS account in order to steal proprietary software and credentials. They also attempted to pivot using a Terraform state file to other connected AWS accounts to spread their reach throughout the organization:
https://sysdig.com/blog/cloud-breach-terraform-data-theft/
/ MQsTTang: Mustang Panda’s latest backdoor treads new ground with Qt and MQTT
MQsTTang, a new backdoor used by Mustang Panda, which communicates via the MQTT protocol. Technical analysis:
https://www.welivesecurity.com/2023/03/02/mqsttang-mustang-panda-latest-backdoor-treads-new-ground-qt-mqtt/
ESET researchers tease apart MQsTTang, a new backdoor used by the Mustang Panda APT group, which communicates via the MQTT protocol.
Creating a Dynamic Malware Analysis Virtual Machine
https://thelastcitadel.eu/2023/02/18/creating-a-dynamic-malware-analysis-virtual-machine/
/ strongSwan Vulnerability (CVE-2023-26463)
A vulnerability related to certificate verification in TLS-based EAP methods was discovered in strongSwan that results in a denial of service but possibly even remote code execution. Versions 5.9.8 and 5.9.9 may be affected:
https://www.strongswan.org/blog/2023/03/02/strongswan-vulnerability-(cve-2023-26463).html
/ Gitpod remote code execution 0-day vulnerability via WebSockets
https://snyk.io/blog/gitpod-remote-code-execution-vulnerability-websockets/
/ PyPI Packages Used to Deliver Python Remote Access Tools
— https://www.kroll.com/en/insights/publications/cyber/pypi-packages-deliver-python-remote-access-tools
While researching initial attack vectors, the Kroll Cyber Threat Intelligence team identified a fully featured information stealer…
/ Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers
In this post, IBM Security X-Force Red offensive hackers analyze how attackers, with elevated privileges, can use their access to stage Windows Kernel post-exploitation capabilities:
— https://securityintelligence.com/posts/direct-kernel-object-manipulation-attacks-etw-providers/
/ Microsoft Word Remote Code Execution Vulnerability
Workaround for CVE-2023-21716:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21716
/ New HiatusRAT Router Malware Covertly Spies On Victims
— https://blog.lumen.com/new-hiatusrat-router-malware-covertly-spies-on-victims/
Lumen Black Lotus Labs identified a new campaign involving compromised routers. HiatusRAT allows threat actors to remotely interact with the system.
🙌 Note: Today I’ll update certs on the Open Sys-Admin BLD DNS services; this action couldn’t affect anything. Have a good day, all!
Open Sys-Admin BLD DNS - Focus on information for free with adblocking and implicit cybersecurity threat prevention.
Open lesson on log management with Loki (March 10)
An open lesson from OTUS in which practising instructor Yevgeniy Pavlov walks through installing and configuring Loki, and how to perform analysis with Loki.
The lesson is part of the online course "Observability: monitoring, logging, tracing". The course can be purchased in instalments.
To register for the lesson, you need to pass an entrance test:
https://otus.pw/wPwC/
/ How SYS01 Stealer Will Get Your Sensitive Facebook Info
— https://blog.morphisec.com/sys01stealer-facebook-info-stealer
/ Prevent phishing based on domain registrations
Based on Microsoft Defender SmartScreen and Enhanced Phishing Protection:
— https://cloudbrothers.info/en/prevent-phishing-based-domain-registrations/
Business email compromise and phishing are just two of the threats sent to hundreds and thousands of email inboxes around the world every day. As defenders, we use various tools and methods to limit the delivery of these emails to the intended target.
/ Samba 4.18.0 Available for Download
https://lists.samba.org/archive/samba-announce/2023/000630.html
/ CorePlague: Severe Vulnerabilities in Jenkins Server Lead to RCE
https://blog.aquasec.com/jenkins-server-vulnerabilities
Aqua Research revealed a chain of vulnerabilities (CVE-2023-27898, CVE-2023-27905) in Jenkins Server and Update Center which could lead to a complete compromise.
/ Stealing the LIGHTSHOW (Part One)
Analysis of a phishing campaign targeting U.S.-based technology companies. The phishing payloads primarily utilized by UNC2970 are Microsoft Word documents embedded with macros that perform remote-template injection to pull down and execute a payload from a remote command and control (C2) server. Mandiant has observed UNC2970 tailoring the fake job descriptions to specific targets:
https://www.mandiant.com/resources/blog/lightshow-north-korea-unc2970
/ Vulnerability CVE-2023-27532 in a Veeam Backup & Replication component allows an unauthenticated user operating within the backup infrastructure network perimeter to obtain encrypted credentials stored in the configuration database. This may lead to an attacker gaining access to the backup infrastructure hosts:
https://www.veeam.com/kb4424
/ Home Assistant Supervisor security vulnerability
Authentication bypass in the Supervisor API:
https://www.home-assistant.io/blog/2023/03/08/supervisor-security-disclosure/
/ GoBruteforcer: Golang-Based Botnet Actively Harvests Web Servers
https://unit42.paloaltonetworks.com/gobruteforcer-golang-botnet/
New Golang-based malware we have dubbed GoBruteforcer targets web servers. Golang is becoming popular with malware programmers due to its versatility.
/ Microsoft 365 enumeration, spraying and exfiltration - TeamFiltration in the spotlight
TeamFiltration is self-defined as a cross-platform framework for enumerating, spraying, exfiltrating, and backdooring O365 AAD accounts.
In the article, the author looks at its capabilities and how related events can potentially be detected in Azure AD and Microsoft 365 logs. While the article focuses on TeamFiltration, the learnings apply to any similar toolset:
— https://guillaumeben.xyz/Microsoft-365-enumeration/
/ YouTube under fire for allegedly gathering children's data
YouTube collects children’s data. A few steps for setting up YouTube Kids to better protect children from harmful activity on the media platform:
— https://www.malwarebytes.com/blog/news/2023/03/youtube-under-fire-for-allegedly-gathering-uk-childrens-data
The complaint asserts that YouTube collected “the location, viewing habits and preferences” of up to five million children.