Legion: an AWS Credential Harvester and SMTP Hijacker
Cado Labs researchers recently encountered an emerging Python-based credential harvester and hacktool, named Legion, aimed at exploiting various services for the purpose of email abuse. The tool is sold via the Telegram messenger, and includes modules dedicated to:
— enumerating vulnerable SMTP servers,
— conducting Remote Code Execution (RCE),
— exploiting vulnerable versions of Apache,
— brute-forcing cPanel and WebHost Manager (WHM) accounts,
— interacting with Shodan’s API to retrieve a target list (providing you supply an API key) and
— additional utilities, many of which involve abusing AWS services
— https://www.cadosecurity.com/legion-an-aws-credential-harvester-and-smtp-hijacker/
Darktrace has acquired Cado security, a cyber investigation and response solution provider and leader in cloud data capture and forensics.
Nokoyawa ransomware attacks with Windows zero-day
— https://securelist.com/nokoyawa-ransomware-attacks-with-windows-zero-day/109483/
Ref: Windows Common Log File System Driver Elevation of Privilege Vulnerability
P.S. CobaltStrike C2s already blocked in Sys-Admin Open BLD DNS service
In February 2023, we found a zero-day exploit, supporting different versions and builds of Windows, including Windows 11. This particular zero-day was used by a sophisticated cybercrime group that carries out ransomware attacks.
Google is aware that an exploit for CVE-2023-2033 exists in the wild
Update Chrome and Chromium-based browsers:
— https://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desktop_14.html
The Stable and extended stable channel has been updated to 112.0.5615.121 for Windows Mac and Linux which will roll out over the coming...
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
Attack Surface Analyzer
Attack Surface Analyzer is a Microsoft developed open source security tool that analyzes the attack surface of a target system and reports on potential security vulnerabilities introduced during the installation of software or system misconfiguration:
— https://github.com/microsoft/AttackSurfaceAnalyzer
/ Goldoson: Privacy-invasive and Clicker Android Adware found in popular apps
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/goldoson-privacy-invasive-and-clicker-android-adware-found-in-popular-apps-in-south-korea/
Authored by SangRyol Ryu McAfee’s Mobile Research Team discovered a software library we’ve named Goldoson, which collects lists of applications installed,
Sys-Admin Open BLD DNS. What's new in Q1 2023.
Technology moves forward; they try to feed us ads and to program us with the help of artificial intelligence.
We weren't born yesterday; we keep moving forward and try to resist. I'm glad to present news about the project's developments:
▫️ Stability - To make server updates more stable, a new public service, cactusd 🌵, has been created. Regularly updated blocklists can be downloaded directly from the project repository.
▫️ Protection - Protection against "slow read" attacks 🥋 and domain "brute-forcing" has been implemented.
▫️ Speed - A "high-speed" stack 🏎 has been worked out; today (as is often the case) BLD DNS outperforms IBM Quad9 in speed, which you can easily verify by trying BLD DNS or simply testing it, for example with dns-tester.
According to Cloudflare's 2023 DDoS report, most attacks originate from compromised VPSs, so I came up with one more new project: 🧘 Malicious IP relaxator
For over two years, with 99.9% uptime, Sys-Admin Open BLD DNS has been delighting its users with protection from malware and tracking, and with no ads or analytics.
Join - https://lab.sys-adm.in/
P.S. Short in English - https://news.1rj.ru/str/sysadm_in_up/1642
/ State-sponsored campaigns target global network infrastructure
"...While infrastructure of all types has been observed under attack, attackers have been particularly successful in compromising infrastructure with out-of-date software...":
https://blog.talosintelligence.com/state-sponsored-campaigns-target-global-network-infrastructure/
This campaign, dubbed "Jaguar Tooth," is an example of a much broader trend of sophisticated adversaries targeting networking infrastructure to advance espionage objectives or pre-position for future destructive activity.
/ Microsoft shifts to a new threat actor naming taxonomy
MS is excited to announce that we are shifting to a new threat actor naming taxonomy aligned to the theme of weather:
— https://www.microsoft.com/en-us/security/blog/2023/04/18/microsoft-shifts-to-a-new-threat-actor-naming-taxonomy/
AppSecFest - This Friday already (April 21)
• A mobile application as a means of compromising personal data, or why do we need Mobile Application Security?
• Incident Management concepts in DevSecOps processes
• Analyzing the code of a phishing site
• Security in Kubernetes: how to eliminate attack vectors on Kubernetes
There will be talks on building an AppSec function from scratch, a verification pipeline, DAST, IAST and OAST...
An online stream is planned; the link is already on the site. All details here:
• appsecfest.kz
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
Get started using Attack simulation training
If your organization has Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2, which includes Threat Investigation and Response capabilities, you can use Attack simulation training in the Microsoft 365:
— More details…
Admins can learn how to use Attack simulation training to run simulated phishing and password attacks in their Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2 organizations.
/ Discarded, not destroyed: Old routers reveal corporate secrets
https://www.welivesecurity.com/2023/04/18/discarded-not-destroyed-old-routers-reveal-corporate-secrets/
When decommissioning their old hardware, many companies 'throw the baby out with the bathwater'
/ ‘AuKill’ EDR killer malware abuses Process Explorer driver
Over the past several months, Sophos X-Ops has investigated multiple incidents where attackers attempted to disable EDR clients with a new defense evasion tool we’ve dubbed AuKill. The AuKill tool abuses an outdated version of the driver used by version 16.32 of the Microsoft utility, Process Explorer, to disable EDR processes before deploying either a backdoor or ransomware on the target system:
— https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/
Driver-based attacks against security products are on the rise
Open DevOps workshop by Rebrain: Encrypting secrets in GitOps
• April 25 (Tuesday), 19:00 Moscow time. Details
Program:
• Where to store secrets - git, vault or a cloud service?
• Understanding DEK, KEK and KMS
• Studying how sops and sealed secrets work
• If time permits, we'll touch on ways to implement kubernetes authentication in vault and external secrets
Presenter:
• Vasily Ozerov - Leads an international team within his agency Fevlake. Co-Founder of REBRAIN. More than 8 years of DevOps practice.
/ Stop using Telnet to test ports
Make life simpler by automating network checks with tools like Expect, Bash, Netcat, and Nmap instead:
https://www.redhat.com/sysadmin/stop-using-telnet-test-port
/ Test TCP ports with Python and Scapy
https://www.redhat.com/sysadmin/test-tcp-python-scapy
/ 3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise
https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise
3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible…
/ Medusa ransomware crew brags about spreading Bing, Cortana source code
https://www.theregister.com/2023/04/19/medusa_microsoft_data_dump/
'Does have a somewhat Lapsus$ish feel' we're told
/ Multiple vulnerabilities in VMware Aria Operations
Critical. An unauthenticated, malicious actor with network access to VMware Aria Operations for Logs may be able to execute arbitrary code as root. Advisory:
— https://www.vmware.com/security/advisories/VMSA-2023-0007.html
/ Debugging D-Link: Emulating firmware and hacking hardware
— https://www.greynoise.io/blog/debugging-d-link-emulating-firmware-and-hacking-hardware
GreyNoise researchers explain the process of how attackers gain footholds in organizations via exploiting weaknesses in device firmware, with a practical, working example of exploiting several vulnerabilities in D-Link routers.
/ Private vulnerability reporting now generally available in GitHub
Private vulnerability reporting is a private collaboration channel that makes it easier for researchers and maintainers to report and fix vulnerabilities on public repositories:
https://github.blog/2023-04-19-private-vulnerability-reporting-now-generally-available/
Open source maintainers and security researchers embrace a new best practice to report and fix vulnerabilities.
/ GhostToken – Exploiting GCP application infrastructure to create invisible, unremovable trojan app on Google accounts
https://astrix.security/ghosttoken-exploiting-gcp-application-infrastructure-to-create-invisible-unremovable-trojan-app-on-google-accounts/