/ Eight Arms To Hold You: The Cuttlefish Malware
https://blog.lumen.com/eight-arms-to-hold-you-the-cuttlefish-malware/
https://blog.lumen.com/eight-arms-to-hold-you-the-cuttlefish-malware/
Lumen Blog
Eight arms to hold you: The Cuttlefish malware
Learn about the latest evolution in malware designed to infect SOHO routers, and Black Lotus Labs' discovery of a highly targeted campaign.
/ GitLab Vulnerability Allows Intercept Accounts Management
https://nvd.nist.gov/vuln/detail/CVE-2023-7028
https://nvd.nist.gov/vuln/detail/CVE-2023-7028
/ Graph: Growing number of threats leveraging Microsoft API
An increasing number of threats have begun to leverage the Microsoft Graph API, usually to facilitate communications with command-and-control (C&C) infrastructure hosted on Microsoft cloud.
BirdyClient or OneDriveBirdyClient malware revealed that its main functionality is to connect to the Microsoft Graph API and use Microsoft OneDrive as a C&C server mechanism to upload and download files from it
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/graph-api-threats
An increasing number of threats have begun to leverage the Microsoft Graph API, usually to facilitate communications with command-and-control (C&C) infrastructure hosted on Microsoft cloud.
BirdyClient or OneDriveBirdyClient malware revealed that its main functionality is to connect to the Microsoft Graph API and use Microsoft OneDrive as a C&C server mechanism to upload and download files from it
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/graph-api-threats
Security
Graph: Growing number of threats leveraging Microsoft API
Graph API is often used for inconspicuous communications to cloud-based command-and-control servers.
/ TunnelVision (CVE-2024-3661): How Attackers Can Decloak Routing-Based VPNs For a Total VPN Leak
https://www.leviathansecurity.com/blog/tunnelvision
PoC: https://github.com/leviathansecurity/TunnelVision
https://www.leviathansecurity.com/blog/tunnelvision
PoC: https://github.com/leviathansecurity/TunnelVision
Leviathan Security Group - Penetration Testing, Security Assessment, Risk Advisory
CVE-2024-3661: TunnelVision - How Attackers Can Decloak Routing-Based VPNs For a Total VPN Leak — Leviathan Security Group - Penetration…
We discovered a fundamental design problem in VPNs and we're calling it TunnelVision. This problem lets someone see what you're doing online, even if you think you're safely using a VPN.
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
Unmasking Tycoon 2FA: A Stealthy Phishing Kit Used to Bypass Microsoft 365 and Google MFA
Tycoon 2FA is a phishing-as-a-service (PhaaS) platform that was first seen in August 2023. Like many phish kits, it bypasses multifactor authentication (MFA) protections and poses a significant threat to users. Lately, Tycoon 2FA has been grabbing headlines because of its role in ongoing campaigns designed to target Microsoft 365 and Gmail accounts.
This blog post is a rundown of how these attacks work, how they’re evolving, what they look like in the real world..:
https://www.proofpoint.com/us/blog/email-and-cloud-threats/tycoon-2fa-phishing-kit-mfa-bypass
Tycoon 2FA is a phishing-as-a-service (PhaaS) platform that was first seen in August 2023. Like many phish kits, it bypasses multifactor authentication (MFA) protections and poses a significant threat to users. Lately, Tycoon 2FA has been grabbing headlines because of its role in ongoing campaigns designed to target Microsoft 365 and Gmail accounts.
This blog post is a rundown of how these attacks work, how they’re evolving, what they look like in the real world..:
https://www.proofpoint.com/us/blog/email-and-cloud-threats/tycoon-2fa-phishing-kit-mfa-bypass
Proofpoint
Tycoon 2FA: Phishing Kit Being Used to Bypass MFA | Proofpoint US
Explore Tycoon 2FA, a sophisticated phishing kit used to bypass MFA. Learn how it works, what an attack looks like, detection techniques and more.
/ CISA - StopRansomware: Black Basta
- technical details
- mitre tactics
- IoC
- mitigations
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a
- technical details
- mitre tactics
- IoC
- mitigations
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a
/ Apple Fixed Security Issues in iOS, iPadOS, macOS
- An app may be able to access user-sensitive data in iOS/iPadOS
- A malicious application may be able to access Find My data in macOS
- An app may be able to access user-sensitive data in iOS/iPadOS
- A malicious application may be able to access Find My data in macOS
Apple Support
About the security content of iOS 16.7.8 and iPadOS 16.7.8
This document describes the security content of iOS 16.7.8 and iPadOS 16.7.8.
/ Trusted Brands and Sponsored Google Ads to Distribute MSIX Payloads
Researchers discovered some of the most dangerous threats – including the Kaseya MSP breach and the more_eggs malware...
https://www.esentire.com/blog/fin7-uses-trusted-brands-and-sponsored-google-ads-to-distribute-msix-payloads
Researchers discovered some of the most dangerous threats – including the Kaseya MSP breach and the more_eggs malware...
https://www.esentire.com/blog/fin7-uses-trusted-brands-and-sponsored-google-ads-to-distribute-msix-payloads
eSentire
FIN7 Uses Trusted Brands and Sponsored Google Ads to Distribute MSIX…
Learn more about FIN7 using trusted brands and sponsored Google Ads to distribute MSIX payloads and get security recommendations from our Threat Response…
/ Windows DWM Core Library Elevation of Privilege Vulnerability
CVE-2024-30051. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges..:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30051
CVE-2024-30051. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges..:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30051
/ Detecting Compromise of CVE-2024-3400 on Palo Alto Networks GlobalProtect Devices
This blog post aims to provide details on methods for investigating potentially compromised Palo Alto Networks firewall devices and a general approach towards edge device threat detection.
- Detecting Compromise
- Memory Analysis
https://www.volexity.com/blog/2024/05/15/detecting-compromise-of-cve-2024-3400-on-palo-alto-networks-globalprotect-devices/
This blog post aims to provide details on methods for investigating potentially compromised Palo Alto Networks firewall devices and a general approach towards edge device threat detection.
- Detecting Compromise
- Memory Analysis
https://www.volexity.com/blog/2024/05/15/detecting-compromise-of-cve-2024-3400-on-palo-alto-networks-globalprotect-devices/
Volexity
Detecting Compromise of CVE-2024-3400 on Palo Alto Networks GlobalProtect Devices
Last month, Volexity reported on its discovery of zero-day, in-the-wild exploitation of CVE-2024-3400 in the GlobalProtect feature of Palo Alto Networks PAN-OS by a threat actor Volexity tracks as UTA0218. Volexity has conducted several additional incident…
📢 DevOps, Linux, Networks и Golang by Rebrain: Расписание практикумов на неделю
• 21 мая Networks: Глубокое погружение в VoIP: Kamailio (Часть 2)
• 22 мая Linux: Определение нагрузки на сервер и поиск узких мест производительности
• 23 мая Networks: Фильтрация, блокировки и взаимодействие с провайдером
• 24 мая DevOps: Настройка firewall с помощью IPTables - 2
Детали: ↘ Здесь
• 21 мая Networks: Глубокое погружение в VoIP: Kamailio (Часть 2)
• 22 мая Linux: Определение нагрузки на сервер и поиск узких мест производительности
• 23 мая Networks: Фильтрация, блокировки и взаимодействие с провайдером
• 24 мая DevOps: Настройка firewall с помощью IPTables - 2
Детали: ↘ Здесь
/ New WiFi Vulnerability: The SSID Confusion Attack
This vulnerability exploits a design flaw in the WiFi standard, allowing attackers to trick WiFi clients on any operating system into connecting to a untrusted network:
https://www.top10vpn.com/research/wifi-vulnerability-ssid/
This vulnerability exploits a design flaw in the WiFi standard, allowing attackers to trick WiFi clients on any operating system into connecting to a untrusted network:
https://www.top10vpn.com/research/wifi-vulnerability-ssid/
Top10Vpn
SSID Confusion Attack WiFi Vulnerability (CVE-2023-52424)
This vulnerability exploits a design flaw in the WiFi standard, allowing attackers to trick WiFi clients on any operating system into connecting to a untrusted network.
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
Ransomware incident response plan.pdf
787.7 KB
The incident response cycle, applied to ransomware
/ Threat actors misusing Quick Assist in social engineering attacks leading to ransomware
https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/
https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/
Microsoft News
Threat actors misusing Quick Assist in social engineering attacks leading to ransomware
Microsoft Threat Intelligence has observed Storm-1811 misusing the client management tool Quick Assist to target users in social engineering attacks that lead to malware like Qakbot followed by Black Basta ransomware deployment.
/ New Antidot Android Banking Trojan Masquerading as Fake Google Play Updates
https://cyble.com/blog/new-antidot-android-banking-trojan-masquerading-as-google-play-updates/
https://cyble.com/blog/new-antidot-android-banking-trojan-masquerading-as-google-play-updates/
Cyble
New Antidot Trojan Disguised As Fake Google Play Updates
Discover the 'Antidot' Android Banking Trojan: a fake Google Play update that steals credentials using overlay attacks and remote control techniques.
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
Git CVE-2024-32002 - This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed
Got vesrsions: 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, 2.39.4
git config --global core.symlinks false can be disable this attack vector
https://nvd.nist.gov/vuln/detail/CVE-2024-32002
PoC: https://github.com/szybnev/git_rce/blob/main/create_poc.sh
P.S. Thx Tatyana for the reporting ✌️
Got vesrsions: 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, 2.39.4
git config --global core.symlinks false can be disable this attack vector
https://nvd.nist.gov/vuln/detail/CVE-2024-32002
PoC: https://github.com/szybnev/git_rce/blob/main/create_poc.sh
P.S. Thx Tatyana for the reporting ✌️
GitHub
git_rce/create_poc.sh at main · szybnev/git_rce
Exploit PoC for CVE-2024-32002. Contribute to szybnev/git_rce development by creating an account on GitHub.
Forwarded from OpenBLD.net (Yevgeniy Goncharov)
OISD is a one of better projects aimed to reduce internet noise.
What is this oisd blocklist?
The blocklist prevents your devices from connecting to unwanted or harmful domains. It reduces ads, decreases the risk of malware, and enhances privacy.
You can use OISD without exclusions, without additional blocklist - just only OISD in OpenBLD.net as DoH link in RIC mode:
https://ric.openbld.net/dns-query/oisdSee details here:
- https://openbld.net/docs/get-started/third-party-filters/oisd/
Happy Internet surfing! ✌️
Please open Telegram to view this post
VIEW IN TELEGRAM
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
Как чувство осознанности может повлиять на безопасность жизни?
Мое интервью на тему кибербезопасности, как можно обезопасить себя, свое окружение, следить за собой - быть осторожным.
Отдельное спасибо хочу выразить авторам проекта Commutator Казахстан - Узлу связи между государством, бизнесом, обществом и масс-медиа и в частности Татьяне Бендзь за интересно поднятую тему.
Как вести себя с умными колонками, что делать нашим бабушкам и дедушкам в эпоху цифровизации, что такое OpenBLD.net и зачем существует этот проект.
Приятного и полезного просмотра (титры на Казахском, Русском языках присутствуют):
- https://youtu.be/MxWD1N0Bmv8?si=nSmTxUH_AAzsng-5
Детали проекта Commutator о чем он, множество других интересных интервью можно посмотреть на официальном сайте проекта:
- https://commutator.tilda.ws/
Мое интервью на тему кибербезопасности, как можно обезопасить себя, свое окружение, следить за собой - быть осторожным.
Отдельное спасибо хочу выразить авторам проекта Commutator Казахстан - Узлу связи между государством, бизнесом, обществом и масс-медиа и в частности Татьяне Бендзь за интересно поднятую тему.
Как вести себя с умными колонками, что делать нашим бабушкам и дедушкам в эпоху цифровизации, что такое OpenBLD.net и зачем существует этот проект.
Приятного и полезного просмотра (титры на Казахском, Русском языках присутствуют):
- https://youtu.be/MxWD1N0Bmv8?si=nSmTxUH_AAzsng-5
Детали проекта Commutator о чем он, множество других интересных интервью можно посмотреть на официальном сайте проекта:
- https://commutator.tilda.ws/
YouTube
Как защитить себя в интернете: кибербезопасность и искусственный интеллект (қазақша субтитрлер)
Почти 15 тысяч кибератак было зарегистрировано в казнете за первые три месяца 2024-го. За аналогичный период прошлого года их было всего 4,3 тысячи. То есть, за год количество кибератак выросло втрое. Такой статистикой недавно поделился ресурс factcheck.kz…
/ Invisible miners: unveiling GHOSTENGINE’s crypto mining operations
https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine
https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine
www.elastic.co
Invisible miners: unveiling GHOSTENGINE’s crypto mining operations — Elastic Security Labs
Elastic Security Labs has identified REF4578, an intrusion set incorporating several malicious modules and leveraging vulnerable drivers to disable known security solutions (EDRs) for crypto mining.
📢 Открытые практикумы DevOps, Linux, Networks, Golang: Расписание на неделю
• 27 мая Golang: Начало работы с gRPC в Golang (Сергей Парамошкин – Технический менеджер Яндекс.облако)
• 28 мая Security: Безопасность Docker (Алексей Федулаев – DevSecOps Lead Wildberries)
• 29 мая Linux: DHCP-сервер на Kea (Даниил Батурин – Основатель проекта VyOS)
• 30 мая DevOps: Фильтрация пакетов с помощью nftables (Николай Лавлинский – Технический директор)
Детали ↘ Здесь
• 27 мая Golang: Начало работы с gRPC в Golang (Сергей Парамошкин – Технический менеджер Яндекс.облако)
• 28 мая Security: Безопасность Docker (Алексей Федулаев – DevSecOps Lead Wildberries)
• 29 мая Linux: DHCP-сервер на Kea (Даниил Батурин – Основатель проекта VyOS)
• 30 мая DevOps: Фильтрация пакетов с помощью nftables (Николай Лавлинский – Технический директор)
Детали ↘ Здесь
/ Infiltrating Defenses: Abusing VMware in MITRE’s Cyber Intrusion
Technical details of new behavior employed by the adversary, who aligns with Google Mandiant’s UNC5221, and how the BRICKSTORM backdoor and BEEFLUSH web shell abused VMs in VMware through a privileged user account, VPXUSER, to establish persistence within the impacted environment. Will also provide detection noscripts, from MITRE and CrowdStrike, to find this activity in other environments and go over how Secure Boot serves as a barrier against the adversary technique..:
https://medium.com/mitre-engenuity/infiltrating-defenses-abusing-vmware-in-mitres-cyber-intrusion-4ea647b83f5b
Technical details of new behavior employed by the adversary, who aligns with Google Mandiant’s UNC5221, and how the BRICKSTORM backdoor and BEEFLUSH web shell abused VMs in VMware through a privileged user account, VPXUSER, to establish persistence within the impacted environment. Will also provide detection noscripts, from MITRE and CrowdStrike, to find this activity in other environments and go over how Secure Boot serves as a barrier against the adversary technique..:
https://medium.com/mitre-engenuity/infiltrating-defenses-abusing-vmware-in-mitres-cyber-intrusion-4ea647b83f5b
Medium
Infiltrating Defenses: Abusing VMware in MITRE’s Cyber Intrusion
MITRE introduce the notion of a rogue VMs within the Ivanti breach