Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
Active Directory Cheatsheet with code examples
- internal audit
- port forwarding
- bypass EP
- enumeration
- etc.
— https://hideandsec.sh/books/cheatsheets-82c/page/active-directory
hideandsec.sh
Active Directory | HideAndSec
This cheatsheet is built from numerous papers, GitHub repos and GitBook, blogs, HTB boxes and labs,...
/ CrowdStrike Discovers First-Ever Dero Cryptojacking Campaign Targeting Kubernetes
https://www.crowdstrike.com/blog/crowdstrike-discovers-first-ever-dero-cryptojacking-campaign-targeting-kubernetes/
CrowdStrike.com
CrowdStrike Discovers First-Ever Dero Cryptojacking Campaign Targeting Kubernetes
The Dero cryptojacking operation locates Kubernetes clusters with anonymous access enabled on a Kubernetes API and listens on non-standard ports accessible from the internet.
/ Multiple Internet to Baseband Remote Code Execution Vulnerabilities in Exynos Modems
https://googleprojectzero.blogspot.com/2023/03/multiple-internet-to-baseband-remote-rce.html
Blogspot
Multiple Internet to Baseband Remote Code Execution Vulnerabilities in Exynos Modems
Posted by Tim Willis, Project Zero In late 2022 and early 2023, Project Zero reported eighteen 0-day vulnerabilities in Exynos Modems...
/ How to defend against OneNote malware via the Windows Registry
— https://www.huntress.com/blog/addressing-initial-access
Huntress
Addressing Initial Access | Huntress
Series of blog posts that share the breadth and depth of Huntress’ experience to assist others in reducing their attack surface, and inhibiting or even obviating cyber attacks.
/ KB5025175: Updating the WinRE partition on deployed devices to address security vulnerabilities in CVE-2022-41099
PatchWinREScript_2004plus.ps1 (Recommended)
This script is for Windows 10, version 2004 and later versions, including Windows 11:
-- https://support.microsoft.com/en-us/topic/kb5025175-updating-the-winre-partition-on-deployed-devices-to-address-security-vulnerabilities-in-cve-2022-41099-ba6621fa-5a9f-48f1-9ca3-e13eb56fb589
/ (Ab)using Adobe Acrobat Sign to distribute malware
https://blog.avast.com/adobe-acrobat-sign-malware
Avast
(Ab)using Adobe Acrobat Sign to distribute malware
Adobe offers a cloud service to sign documents online called Acrobat Sign that allows registered users to send a document signature request to anyone. Here's how cybercriminals are taking advantage of this tool.
Good News and New Changes in Sys-Admin Open BLD ecosystem
lab.sys-adm.in is an AD/malicious-free Open BLD DNS secure service; today I am happy to present a few pieces of good news for you/us:
New security concepts
🐕 Security - The Open BLD ecosystem has fundamentally changed its prevention/attack-mitigation mechanisms; the Sys-Admin Open BLD infrastructure now has a centralized, automated hacking-IP mitigation system
☀️ Updates - With open Sys-Admin activities we now have two new instruments that can change the security protection prism, based on open source tools/instruments…
🐌 Speed - Greatly improved speed for collecting/merging/compressing and deploying block/allow lists from the Internet
Results
🌵 Cactusd Server, written from scratch in Go, fully replaces the BLD-Server update service
🧘 ip2drop has replaced fail2ban in the Open BLD ecosystem
🥋 All servers have new firewall settings and improvements
Deprecations
♻️ BLD-Server will be deprecated and excluded from Sys-Admin activities/support in the future (thanks to Node.js, which was the foundation for this service)
Welcome
👋 I'm looking for talented people, experts, programmers and just good and positive people for code review, feedback, suggestions, etc. - Welcome 🤜🤛
/ Attackers are starting to target .NET developers with malicious-code NuGet packages
https://jfrog.com/blog/attackers-are-starting-to-target-net-developers-with-malicious-code-nuget-packages/
JFrog
Attackers are starting to target .NET developers with malicious-code NuGet packages
Update 2023-03-21 – We’ve talked with members of the NuGet team and they had already detected and removed the malicious packages in question. Malicious packages are often spread by the open source NPM and PyPI package repositories, with few other repositories…
/ Cisco Event Response: March 2023 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication
— https://sec.cloudapps.cisco.com/security/center/viewErp.x?alertId=ERP-74842
/ New guidance for identity and access management (IAM) from CISA and NSA for Administrators
Attachment: ESF_IDENTITY_AND_ACCESS_MANAGEMENT_RECOMMENDED_BEST_PRACTICES_FOR.PDF (1 MB)
/ “FakeGPT” #2: Open-Source Turned Malicious in Another Variant of the Facebook Account-Stealer Chrome Extension
https://labs.guard.io/fakegpt-2-open-source-turned-malicious-in-another-variant-of-the-facebook-account-stealer-d00ef9883d61
Medium
“FakeGPT” #2: Open-Source Turned Malicious in Another Variant of the Facebook Account-Stealer Chrome Extension
By Nati Tal (Guardio Labs)
/ GitHub changed its RSA SSH host key - you need to update it locally
how to update the key and why they did it:
— https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/
The GitHub Blog
We updated our RSA SSH host key
At approximately 05:00 UTC on March 24, out of an abundance of caution, we replaced our RSA SSH host key used to secure Git operations for GitHub.com.
/ Apache OpenOffice documents can contain links that call internal macros with arbitrary arguments.
CVE-2022-47502
https://www.cve.org/CVERecord?id=CVE-2022-47502
/ Nginxpwner is a simple tool to look for common Nginx misconfigurations and vulnerabilities
https://github.com/stark0de/nginxpwner
GitHub
GitHub - stark0de/nginxpwner: Nginxpwner is a simple tool to look for common Nginx misconfigurations and vulnerabilities.
Nginxpwner is a simple tool to look for common Nginx misconfigurations and vulnerabilities. - stark0de/nginxpwner
/ Shining Light on Dark Power: Yet Another Ransomware Gang
Another day, another ransomware gang. The Dark Power ransomware gang is new on the block, and is trying to make a name for itself:
https://www.trellix.com/en-us/about/newsroom/stories/research/shining-light-on-dark-power.html
Trellix
Shining Light on Dark Power: Yet Another Ransomware Gang
Another day, another ransomware gang. The Dark Power ransomware gang is new on the block, and is trying to make a name for itself. This blog dives into the specifics of the ransomware used by the gang, as well as some information regarding their victim naming…
🌵 New Cactusd Release - v.0.1.7
Cactusd currently has multiple uses: download > aggregate > compress and sort, then merge into one block list and one allow list of domains/IPs from the Internet, and finally publish the lists on its own embedded web server.
Now I want to present a few new features:
- Upload server (for example: you can upload your own IP lists from servers manually or with ip2drop.py to Cactusd, which will merge and publish these lists as the dropped_ip.txt list)
- Now you can view the size of published files on the web server
- Now Cactusd can be configured to ping remote servers on different ports (such as 53, 443, 853, etc.)
- Ping status results are displayed on the Cactusd web page
- Cactusd is written in Go, and now you can simply run the cactusd binary as a systemd unit service
- https://github.com/m0zgen/cactusd
/ Malicious Actors Use Unicode Support in Python to Evade Detection
-- https://blog.phylum.io/malicious-actors-use-unicode-support-in-python-to-evade-detection
Phylum Research | Software Supply Chain Security
Malicious Actors Use Unicode Support in Python to Evade Detection
Phylum uncovers a threat actor taking advantage of how the Python interpreter handles Unicode to obfuscate their malware.
/ Microsoft Mitigates Outlook Elevation of Privilege Vulnerability
March 23, 2023 update:
— https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
MacStealer: New macOS-based Stealer Malware Identified
https://www.uptycs.com/blog/macstealer-command-and-control-c2-malware
Uptycs
MacStealer: New MacOS-based Stealer Malware Identified
Protect your Mac from the new MacStealer malware identified by Uptycs. Learn how it extracts sensitive information and spreads via Telegram.