✍️ Notice: at the next week, all deprecated services will be disabled and all freed up resources will be included to OpenBLD.net DNS ecosystem.

Updates notice:
https://news.1rj.ru/str/sysadm_in_channel/4701

Take care of yourself. Peace ✌️

/ Malvertising Used as Entry Vector for BlackCat, Actors Also Leverage SpyBoy Terminator

Malicious actors used malvertising to distribute malware via cloned webpages of legitimate organizations. The distribution involved a webpage of the well-known application WinSCP, an open-source Windows application for file transfer via Google Ads...

https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html

P.S. IOC domains sends to OpenBLD.net DNS watch lists

Active Directory Lab Setup Tool

https://browninfosecguy.com/Active-Directory-Lab-Setup-Tool

/ Zyxel security advisory for pre-authentication command injection vulnerability in NAS products

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-pre-authentication-command-injection-vulnerability-in-nas-products

AiTM/ MFA phishing attacks in combination with “new” Microsoft protections (2023 edition)

MFA is not the end all solution to identity security challenges. With only MFA there is still a risk for more modern attacks (MFA fatique, AiTM, PRT, OAuth Attacks and more). Adversary-in-the-middle phishing attacks are still more common in use. Since the removal of basic authentication from Exchange Online more and more attackers are using more modern attacks like adversary-in-the-middle phishing, cookie theft, and other used attacks. What is AiTM, automatic attack disruption and etc:

— https://jeffreyappel.nl/aitm-mfa-phishing-attacks-in-combination-with-new-microsoft-protections-2023-edt/

/ Spear Phishing: How it works and why you should care

— https://www.huntandhackett.com/blog/spear-phishing-how-and-why

/ The DPRK strikes using a new variant of RUSTBUCKET

https://www.elastic.co/security-labs/DPRK-strikes-using-a-new-variant-of-rustbucket

/ Ghostnoscript bug could allow rogue documents to run system commands

Unfortunately, until the latest release of Ghostnoscript, now at version 10.01.2, the product had a bug, dubbed CVE-2023-36664, that could allow rogue documents not only to create pages of text and graphics, but also to send system commands into the Ghostnoscript rendering engine and trick the software into running them:

— https://nakedsecurity.sophos.com/2023/07/04/ghostnoscript-bug-could-allow-rogue-documents-to-run-system-commands/

TeamsPhisher

is a Python3 program that facilitates the delivery of phishing messages and attachments to Microsoft Teams users whose organizations allow external communications:

— https://github.com/Octoberfest7/TeamsPhisher

/ Hunting for Nginx Alias Traversals in the wild

— https://labs.hakaioffsec.com/nginx-alias-traversal/

Открытый практикум Networks by Rebrain: Погружение в VoIP: протокол sip, основы работы с Asterisk
 
• 13 Июля (Четверг), 19:00 по МСК. Детали

Программа:
• SIP протокол: как устанавливается вызов
• Установка Asterisk
• Рассмотрение диагностические команды
• Настройка учетных записей (транки, пиры)
• Настройка dialplan

Ведет:
• Роман Сыртланов – VoIP инженер. Опыт работы с VoIP 7 лет. Работает с Asterisk/FreeSWITCH/Kamailio

/ Cisco ACI Multi-Site CloudSec Encryption Information Disclosure Vulnerability

!High: Cisco Nexus 9000 Series Fabric Switches in ACI mode could allow an unauthenticated, remote attacker to read or modify intersite encrypted traffic:

— https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-aci-cloudsec-enc-Vs5Wn2sX

/ EoP fix Android July update

High: fix elevation of privilege in Android:

https://source.android.com/docs/security/bulletin/aaos/2023-07-01

Increased Truebot Activity Infects U.S. and Canada Based Networks

Deploy from phishing and exloitation some CVE..

IOC domains sended to OpenBLD.net DNS:

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-187a

Today info about of OpenBLD.net DNS added to AdGuard Wiki KnowledgeBaseDNS repo 🎉

Tailing Big Head Ransomware’s Variants, Tactics, and Impact

https://www.trendmicro.com/en_us/research/23/g/tailing-big-head-ransomware-variants-tactics-and-impact.html

Сентябрьский дайджест ИТ конференций в Алматы
 
Сентябрь насыщен ИТ-встречами, много друзей, много встреч, дети начинают учиться, а мы общаться:

• 8 Сентября. DevOps и все что рядом - DevOpsDays.kz
• 13-15 Сентября. Масштабная CyberSec конфа - KazHackStan.com
• 16 Сентября. Открытая IT/Cybersec/Ops Knowledge Sharing конфа Open SysConf.io

13 по 16 дни ИТ концентрата, живущим здесь энергетиков больше, едущим в Алматы на KHS - бери билеты на 4 дня 😉

Мира всем. Peace ✌️

/ FortiOS - Allow a remote attacker to execute arbitrary code or command

A stack-based overflow vulnerability [CWE-124] in FortiOS & FortiProxy may allow a remote attacker to execute arbitrary code or command via crafted packets reaching proxy policies or firewall policies with proxy mode alongside SSL deep packet inspection.

Denoscription and workaround:

— https://www.fortiguard.com/psirt/FG-IR-23-183

/ Storm-0978 attacks reveal financial and espionage motive

New phishing campaign:

https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/

And Office and Windows HTML Remote Code Execution Vulnerability:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884

/ Azure AD is Becoming Microsoft Entra ID

https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/azure-ad-is-becoming-microsoft-entra-id/ba-p/2520436