/ Malicious npm packages target developer SSH keys
warbeast2000, kodiak2k... Malicious actors looking to obtain SSH keys from developers is an alarming development. Detailed research:
https://www.reversinglabs.com/blog/gitgot-cybercriminals-using-github-to-store-stolen-data
warbeast2000, kodiak2k... Malicious actors looking to obtain SSH keys from developers is an alarming development. Detailed research:
https://www.reversinglabs.com/blog/gitgot-cybercriminals-using-github-to-store-stolen-data
ReversingLabs
GitGot: GitHub leveraged by cybercriminals to store stolen data | ReversingLabs
ReversingLabs researchers found two suspicious npm packages that demonstrate how GitHub is increasingly being used to easily deploy malware in novel ways.
Forwarded from OpenBLD.net (Yevgeniy Goncharov)
Few month ago I stared develop from scratch zDNS service, now it's can:
- Restrict DNS queries by type like as A, AAAA, HTTPS, CNAME, MX, PTR..
- Balancing DNS traffic between upstream servers
- Providing Prometheus metrics
- DNS responses caching by custom TTL
- Has few working modes - Zero Trust, Allow/Blocking
- Has separated "Permanent" mode with additional custom upstream DNS servers
- Can load allow/block lists from local and remote through HTTP(S)
- Create/Delete custom users with different configs and hosts files
- and more...
New opportunities, features, looking forward, and info about of new OpenBLD.net Personal Usage Testing pre-relase see here:
https://openbld.net/blog/zdns-big-updates-and-features/
Please open Telegram to view this post
VIEW IN TELEGRAM
📢 Открытый практикум DevOps by Rebrain: Практика управления ошибками спринта в DevOps
• 30 Января (Вторник) 19:00 МСК.
↘ Детали
Программа:
• Что такое RCA
• Спринтовое планирование
• Проводим RCA и соотносим со сквозным бэклогом
Ведёт:
Александр Крылов – Team Lead DevOps. Опыт работы в DevOps более 7 лет. Спикер конференций: DevOps conf, TeamLead conf, Highload conf. Автор курса по Haproxy на Rebrain.
• 30 Января (Вторник) 19:00 МСК.
↘ Детали
Программа:
• Что такое RCA
• Спринтовое планирование
• Проводим RCA и соотносим со сквозным бэклогом
Ведёт:
Александр Крылов – Team Lead DevOps. Опыт работы в DevOps более 7 лет. Спикер конференций: DevOps conf, TeamLead conf, Highload conf. Автор курса по Haproxy на Rebrain.
/ Phishing Microsoft Teams for initial access
https://pushsecurity.com/blog/phishing-microsoft-teams-for-initial-access/
https://pushsecurity.com/blog/phishing-microsoft-teams-for-initial-access/
Push Security
Phishing Microsoft Teams for initial access
In this article, we will cover a number of spoofing and phishing strategies that can be employed by external attackers to target an organization using Teams.
/ GitLab - upgraded to the latest version as soon as possible
Crirtucal security release:
https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/
Up
https://about.gitlab.com/releases/2024/01/25/critical-security-release-gitlab-16-8-1-released/
P.S. @hranitel_y2k thx for the link 🤝
Crirtucal security release:
https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/
Up
https://about.gitlab.com/releases/2024/01/25/critical-security-release-gitlab-16-8-1-released/
P.S. @hranitel_y2k thx for the link 🤝
GitLab
GitLab Critical Security Release: 16.7.2, 16.6.4, 16.5.6
Learn more about GitLab Critical Security Release: 16.7.2, 16.6.4, 16.5.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).
/ Info Stealing Packages Hidden in PyPI
The identified packages—nigpal, figflix, telerer, seGMM, fbdebug, sGMM, myGens, NewGends, and TestLibs111—exhibit attack methodologies similar to those outlined in a Checkmarx blog post published four months ago...
The packages released before December 2023 are very similar to those discussed in earlier blog posts. Specifically, they deploy Whitesnake PE malware if the victim’s device runs on Windows, or they can deliver a Python noscript designed to steal information from Linux devices..:
https://www.fortinet.com/blog/threat-research/info-stealing-packages-hidden-in-pypi
The identified packages—nigpal, figflix, telerer, seGMM, fbdebug, sGMM, myGens, NewGends, and TestLibs111—exhibit attack methodologies similar to those outlined in a Checkmarx blog post published four months ago...
The packages released before December 2023 are very similar to those discussed in earlier blog posts. Specifically, they deploy Whitesnake PE malware if the victim’s device runs on Windows, or they can deliver a Python noscript designed to steal information from Linux devices..:
https://www.fortinet.com/blog/threat-research/info-stealing-packages-hidden-in-pypi
Fortinet Blog
Info Stealing Packages Hidden in PyPI
An info-stealing PyPI malware author was identified discreetly uploading malicious packages. Learn more.…
/ A false-alarm incident involving Panda Security software leads to three very real CVEs
..an attacker might be able to achieve RCE by chaining CVE-2023-6330 with other vulnerabilities..:
https://news.sophos.com/en-us/2024/01/25/multiple-vulnerabilities-discovered-in-widely-used-security-driver/
..an attacker might be able to achieve RCE by chaining CVE-2023-6330 with other vulnerabilities..:
https://news.sophos.com/en-us/2024/01/25/multiple-vulnerabilities-discovered-in-widely-used-security-driver/
Sophos News
Multiple vulnerabilities discovered in widely used security driver
A false-alarm incident involving Panda Security software leads to three very real CVEs
/ Prevent credential exposure with OIDC for GitHub Actions
Many different CI/CD patterns that cause us to raise our eyebrows. One situation in particular that we encounter relatively often is the unsafe use of AWS credentials.
OpenID Connect is an authentication standard, which when coupled with GitHub Actions, offers a more secure alternative for authentication when compared to utilizing traditional access keys..:
https://blog.cloudsecuritypartners.com/oidc-for-github-actions/
Many different CI/CD patterns that cause us to raise our eyebrows. One situation in particular that we encounter relatively often is the unsafe use of AWS credentials.
OpenID Connect is an authentication standard, which when coupled with GitHub Actions, offers a more secure alternative for authentication when compared to utilizing traditional access keys..:
https://blog.cloudsecuritypartners.com/oidc-for-github-actions/
Cloud Security Partners Blog
OIDC for GitHub Actions
At Cloud Security Partners, we perform a lot of code reviews and Cloud Security Assessments. During these engagements, we see many different CI/CD patterns that cause us to raise our eyebrows. One situation in particular that we encounter relatively often…
/ DarkGate malware delivered via Microsoft Teams - detection and response
https://cybersecurity.att.com/blogs/security-essentials/darkgate-malware-delivered-via-microsoft-teams-detection-and-response
https://cybersecurity.att.com/blogs/security-essentials/darkgate-malware-delivered-via-microsoft-teams-detection-and-response
LevelBlue
DarkGate malware delivered via Microsoft Teams - detection…
Executive summary While most end users are well-acquainted with the dangers of traditional phishing attacks, such as those delivered via email or other media, a large proportion are likely unaware that Microsoft Teams chats could be a phishing vector. Most…
📢 Конкурс от Core 24/7 на 10 ваучеров на бесплатное обучение
Ваучеры дают 100% скидку на курс или экзамен из списка ниже до 17.01.2025:
— Каталог на Linux Foundation
— Сертификационному экзамену (каталог)
— или пакету (курс + сертификация)
Подвод итогов 9 февраля, детали здесь - https://core247.io/cncf
Ваучеры дают 100% скидку на курс или экзамен из списка ниже до 17.01.2025:
— Каталог на Linux Foundation
— Сертификационному экзамену (каталог)
— или пакету (курс + сертификация)
Подвод итогов 9 февраля, детали здесь - https://core247.io/cncf
/ Discovers Important Vulnerabilities in GNU C Library’s syslog()
https://blog.qualys.com/vulnerabilities-threat-research/2024/01/30/qualys-tru-discovers-important-vulnerabilities-in-gnu-c-librarys-syslog
https://blog.qualys.com/vulnerabilities-threat-research/2024/01/30/qualys-tru-discovers-important-vulnerabilities-in-gnu-c-librarys-syslog
Qualys
Qualys TRU Discovers Important Vulnerabilities in GNU C Library’s syslog() | Qualys
The Qualys Threat Research Unit (TRU) has recently unearthed four significant vulnerabilities in the GNU C Library, a cornerstone for countless applications in the Linux environment.
/ GitHub Hardening Guide 🛡
Preambula:
Mercedes-Benz Source Code at Risk: GitHub Token Mishap Sparks Major Security Concerns
The story:
It all started during one of our internet scans where we identified a GitHub Token leaked by a Full Time Employee at Mercedez, in his GitHub Repository. The GitHub Token gave ‘unrestricted’ and ‘unmonitored’ access to the entire source code hosted at the Internal GitHub Enterprise Server. Redhunt Says.
Conclusion:
The essence of the story is this: even in large companies, failures happen, always be careful, scan tokens in workflow actions...
Next steps:
GitHub Hardening Guide: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
Preambula:
Mercedes-Benz Source Code at Risk: GitHub Token Mishap Sparks Major Security Concerns
The story:
It all started during one of our internet scans where we identified a GitHub Token leaked by a Full Time Employee at Mercedez, in his GitHub Repository. The GitHub Token gave ‘unrestricted’ and ‘unmonitored’ access to the entire source code hosted at the Internal GitHub Enterprise Server. Redhunt Says.
Conclusion:
The essence of the story is this: even in large companies, failures happen, always be careful, scan tokens in workflow actions...
Next steps:
GitHub Hardening Guide: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
Please open Telegram to view this post
VIEW IN TELEGRAM
RedHunt Labs
Mercedes-Benz Source Code at Risk: GitHub Token Mishap Sparks Major Security Concerns - RedHunt Labs
Preface In a recent turn of events, RedHunt Labs’ Attack Surface Management (ASM) research team uncovered a potentially disastrous data leak incident involving the automotive giant, Mercedes-Benz. This incident not...
📢 Практикумы DevOps, Linux, Networks, Golang: расписание на Февраль 2024
• 6 февраля DevOps: Проксирование в Nginx и Angie
• 7 февраля Linux: RAID массивы
• 8 февраля Linux: Погружение в VoIP3: Dialplan в Asterisk
• 12 февраля Linux: RAID массивы 2
• 13 февраля DevOps: Балансировка нагрузки в Nginx и Angie
• 14 февраля Linux: DWARF, ELF, ptrace или как работает ваш дебагер. Часть 2
• 15 февраля DevOps: Ментальная модель Kafka
Открытые Февральские практикумы - Все детали
• 6 февраля DevOps: Проксирование в Nginx и Angie
• 7 февраля Linux: RAID массивы
• 8 февраля Linux: Погружение в VoIP3: Dialplan в Asterisk
• 12 февраля Linux: RAID массивы 2
• 13 февраля DevOps: Балансировка нагрузки в Nginx и Angie
• 14 февраля Linux: DWARF, ELF, ptrace или как работает ваш дебагер. Часть 2
• 15 февраля DevOps: Ментальная модель Kafka
Открытые Февральские практикумы - Все детали
/ VajraSpy: A Patchwork of espionage apps
These apps share the same malicious functionality, being capable of exfiltrating the following:
- contacts,
- SMS messages,
- call logs,
- device location,
- a list of installed apps, and
files with specific extensions (.pdf, .doc, .docx, .txt, .ppt, .pptx, .xls, .xlsx, .jpg, .jpeg, .png, .mp3, .Om4a, .aac, and .opus).
Technical review:
https://www.welivesecurity.com/en/eset-research/vajraspy-patchwork-espionage-apps/
These apps share the same malicious functionality, being capable of exfiltrating the following:
- contacts,
- SMS messages,
- call logs,
- device location,
- a list of installed apps, and
files with specific extensions (.pdf, .doc, .docx, .txt, .ppt, .pptx, .xls, .xlsx, .jpg, .jpeg, .png, .mp3, .Om4a, .aac, and .opus).
Technical review:
https://www.welivesecurity.com/en/eset-research/vajraspy-patchwork-espionage-apps/
Welivesecurity
VajraSpy: A Patchwork of espionage apps
ESET researchers discovered several Android apps that posed as messaging tools but carried VajraSpy, a RAT used by the Patchwork APT group
/ HeadCrab 2.0: Evolving Threat in Redis Malware Landscape
Technical analysis of HeadCrab 2.0 advanced malware:
https://www.aquasec.com/blog/headcrab-2-0-evolving-threat-in-redis-malware-landscape/
Technical analysis of HeadCrab 2.0 advanced malware:
https://www.aquasec.com/blog/headcrab-2-0-evolving-threat-in-redis-malware-landscape/
Aqua
HeadCrab 2.0: Evolving Threat in Redis Malware Landscape
This is a second blog about HeadCrab, further analysis of the scope of threat, the malware, the techniques etc.
/ AnyDesk - compromised production systems
AnyDesk - compromised any keys:
https://anydesk.com/en/public-statement
AnyDesk - compromised any keys:
https://anydesk.com/en/public-statement
Anydesk
AnyDesk Trust Center
Founded in 2014, AnyDesk is one of the leading providers of remote desktop software worldwide. With more than 200 million sessions per month, AnyDesk empowers IT professionals to establish remote connections with customer devices to resolve technical issues.…
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
/ runc: CVE-2024-21626: high severity container breakout attack
https://www.openwall.com/lists/oss-security/2024/01/31/6
https://www.openwall.com/lists/oss-security/2024/01/31/6
/ QNAP OS command injection vulnerability
Vulnerability in QTS, QuTS hero and QuTScloud (high):
https://www.qnap.com/en/security-advisory/qsa-23-47
Vulnerability in QTS, QuTS hero and QuTScloud (high):
https://www.qnap.com/en/security-advisory/qsa-23-47
QNAP Systems, Inc. - Network Attached Storage (NAS)
Vulnerability in QTS, QuTS hero and QuTScloud - Security Advisory
QNAP designs and delivers high-quality network attached storage (NAS) and professional network video recorder (NVR) solutions to users from home, SOHO to small, medium businesses.
/ SmartScreen Vulnerability CVE-2023-36025 - Exploring the Latest Mispadu Stealer Variant
https://unit42.paloaltonetworks.com/mispadu-infostealer-variant/
https://unit42.paloaltonetworks.com/mispadu-infostealer-variant/
Unit 42
Exploring the Latest Mispadu Stealer Variant
Evaluation of a new variant of Mispadu, a banking Trojan, highlights how infostealers evolve over time and can be hard to pin to past campaigns.
/ ResumeLooters gang infects websites with XSS noscripts and SQL injections to vacuum up job seekers' personal data and CVs
https://www.group-ib.com/blog/resumelooters/
https://www.group-ib.com/blog/resumelooters/
Group-IB
Dead-end job: ResumeLooters infect websites in APAC through SQL injection and XSS attacks
ResumeLooters gang infects websites with XSS noscripts and SQL injections to vacuum up job seekers' personal data and CVs.
/ Critical Security Issue Affecting TeamCity On-Premises (CVE-2024-23917)
https://blog.jetbrains.com/teamcity/2024/02/critical-security-issue-affecting-teamcity-on-premises-cve-2024-23917/
https://blog.jetbrains.com/teamcity/2024/02/critical-security-issue-affecting-teamcity-on-premises-cve-2024-23917/