/ The Malware That Must Not Be Named: Suspected Espionage Campaign Delivers “Voldemort”
...Voldemort’s attack chain has unusual, customized functionality including using Google Sheets for command and control (C2) and using a saved search file on an external share...:
https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort
...Voldemort’s attack chain has unusual, customized functionality including using Google Sheets for command and control (C2) and using a saved search file on an external share...:
https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort
Proofpoint
New Voldemort Malware Espionage Campaign | Proofpoint US
Learn how to defend yourself from the Voldemort malware campaign’s espionage with Proofpoint. Protect yourself from Chinese spyware threats.
/ How multiple vulnerabilities in Microsoft apps for macOS pave the way to stealing permissions
https://blog.talosintelligence.com/how-multiple-vulnerabilities-in-microsoft-apps-for-macos-pave-the-way-to-stealing-permissions/
https://blog.talosintelligence.com/how-multiple-vulnerabilities-in-microsoft-apps-for-macos-pave-the-way-to-stealing-permissions/
Cisco Talos Blog
How multiple vulnerabilities in Microsoft apps for macOS pave the way to stealing permissions
An adversary could exploit these vulnerabilities by injecting malicious libraries into Microsoft's applications to gain their ennoscriptments and user-granted permissions.
День общения и взаимосвязи. Расписание докладов еще формируется, но ряд тематик уже известны.
Однозначно понятно, что здесь будет Kubernetes и OpenStack, и одноименные/взаимосвязанные практики.
DevOps - тренд и так или иначе ИТ специалисты должны быть осведомлены об этом направлении, онлайн трансляция обещает присутствовать.
Все детали здесь - DevOpsDays.kz
Please open Telegram to view this post
VIEW IN TELEGRAM
/ Threat Actors Target the Middle East Using Fake Palo Alto GlobalProtect Tool
https://www.trendmicro.com/en_us/research/24/h/threat-actors-target-middle-east-using-fake-tool.html
https://www.trendmicro.com/en_us/research/24/h/threat-actors-target-middle-east-using-fake-tool.html
Trend Micro
Threat Actors Target the Middle East Using Fake Palo Alto GlobalProtect Tool
Threat actors are targeting users in the Middle East by distributing sophisticated malware disguised as the Palo Alto GlobalProtect tool.
/ Spoofed GlobalProtect Used to Deliver Unique WikiLoader Variant
WikiLoader is a multistage malware loader that adversaries developed with consideration toward evasion..
..The advertisements we observed linked to multiple fake sites serving spoofed GlobalProtect installers..:
https://unit42.paloaltonetworks.com/global-protect-vpn-spoof-distributes-wikiloader/
WikiLoader is a multistage malware loader that adversaries developed with consideration toward evasion..
..The advertisements we observed linked to multiple fake sites serving spoofed GlobalProtect installers..:
https://unit42.paloaltonetworks.com/global-protect-vpn-spoof-distributes-wikiloader/
Unit 42
Spoofed GlobalProtect Used to Deliver Unique WikiLoader Variant
Unit 42 discusses WikiLoader malware spoofing GlobalProtect VPN, detailing evasion techniques, malicious URLs, and mitigation strategies. Unit 42 discusses WikiLoader malware spoofing GlobalProtect VPN, detailing evasion techniques, malicious URLs, and mitigation…
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
Revival Hijack – PyPI hijack technique exploited in the wild, puts 22K packages at risk
https://jfrog.com/blog/revival-hijack-pypi-hijack-technique-exploited-22k-packages-at-risk/
https://jfrog.com/blog/revival-hijack-pypi-hijack-technique-exploited-22k-packages-at-risk/
JFrog
Revival Hijack - PyPI hijack technique exploited in the wild, puts 22K packages at risk
JFrog’s security research team continuously monitors open-source software registries, proactively identifying and addressing potential malware and vulnerability threats to foster a secure and reliable ecosystem for open-source software development and deployment.…
New RansomHub attack uses TDSKiller and LaZagne, disables EDR
https://www.threatdown.com/blog/new-ransomhub-attack-uses-tdskiller-and-lazagne-disables-edr/
https://www.threatdown.com/blog/new-ransomhub-attack-uses-tdskiller-and-lazagne-disables-edr/
ThreatDown by Malwarebytes
New RansomHub attack uses TDSSKiller and LaZagne, disables EDR - ThreatDown by Malwarebytes
The attack signals a new shift in RansomHub’s arsenal of tools.
Quad7 botnet - compromising several brands of SOHO routers and VPN appliances, including TP-LINK, Zyxel, Asus, Axentra, D-Link, and Netgear, using multiple vulnerabilities..
https://blog.sekoia.io/a-glimpse-into-the-quad7-operators-next-moves-and-associated-botnets/
https://blog.sekoia.io/a-glimpse-into-the-quad7-operators-next-moves-and-associated-botnets/
Sekoia.io Blog
A glimpse into the Quad7 operators' next moves and associated botnets
Uncover the secrets of the Quad7 botnet and its ever-evolving toolset. Learn about the new backdoors and protocols used by these operators.
GitLab Critical Patch Release (17.3.2, 17.2.5, 17.1.7)
- Execute environment stop actions as the owner of the stop action job
- Prevent code injection in Product Analytics funnels YAML
- SSRF via Dependency Proxy
- Denial of Service via sending a large glm_source parameter
GitLab say: We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
https://about.gitlab.com/releases/2024/09/11/patch-release-gitlab-17-3-2-released/
- Execute environment stop actions as the owner of the stop action job
- Prevent code injection in Product Analytics funnels YAML
- SSRF via Dependency Proxy
- Denial of Service via sending a large glm_source parameter
GitLab say: We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
https://about.gitlab.com/releases/2024/09/11/patch-release-gitlab-17-3-2-released/
CloudImposer: Executing Code on Millions of Google Servers with a Single Malicious Package
https://www.tenable.com/blog/cloudimposer-executing-code-on-millions-of-google-servers-with-a-single-malicious-package
https://www.tenable.com/blog/cloudimposer-executing-code-on-millions-of-google-servers-with-a-single-malicious-package
Tenable®
CloudImposer: Executing Code on Millions of Google Servers with a Single Malicious Package
Tenable Research discovered a remote code execution (RCE) vulnerability in Google Cloud Platform (GCP) that is now fixed and that we dubbed CloudImposer. The vulnerability could have allowed an attacker to hijack an internal software dependency that Google…
D-Link - Attacker can use hard-coded credentials. Critical Router Vulnerabilities.
https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10412
https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10412
/ Zero-Click RCE Bug in macOS Calendar Exposes iCloud Data
bypassed the Calendar sandbox, Gatekeeper, and TCC in a chain attack that allowed for wanton theft of iCloud photos..:
https://www.darkreading.com/vulnerabilities-threats/zero-click-rce-bug-macos-calendar-exposes-icloud-data
bypassed the Calendar sandbox, Gatekeeper, and TCC in a chain attack that allowed for wanton theft of iCloud photos..:
https://www.darkreading.com/vulnerabilities-threats/zero-click-rce-bug-macos-calendar-exposes-icloud-data
Dark Reading
Zero-Click RCE Bug in macOS Calendar Exposes iCloud Data
A researcher bypassed the Calendar sandbox, Gatekeeper, and TCC in a chain attack that allowed for wanton theft of iCloud photos.
Forwarded from Yevgeniy Goncharov
Open SysConf'24 🦄 - Три недели до встречи
Почти три недели + готово три доклада = шестой Open SysConf'24
С радостью сообщаю, что подготовка идет, и есть три темы:
🔹 Три системы, которые ты захочешь развернуть и настроить
🔹 На превью, я уже захотел это сделать, скажу по секрету мне стало понятнее, как работает Kerberos
🔹 Рефакторинг легаси 10-летней давности
🔹 Стейджинг процесса рефакторинга начинающегося от кода и заканчивающегося брендом, как надо и не надо
- Внедрение вредоносного кода в Android приложения
🔹 Точно знаю, что после этого доклада, ты три раза подумашь испольльзовать левый приклад на своих Адроидах или нет
Очень радостно, видеть, что труд ведется, есть самоконтроль, самоосознанность и ответсвенность докладчиков, за что большое спасибо!🤝
С нашей стороны, постараемся обеспечить каждого докладчика фирменной футболкой, хорошим звуком и трансляцией доклада в Интернет, ну и конечно ламповой атмосферой!💡
Регистрация там же. Welcome - sysconf.io/2024
Почти три недели + готово три доклада = шестой Open SysConf'24
С радостью сообщаю, что подготовка идет, и есть три темы:
- Внедрение вредоносного кода в Android приложения
Очень радостно, видеть, что труд ведется, есть самоконтроль, самоосознанность и ответсвенность докладчиков, за что большое спасибо!
С нашей стороны, постараемся обеспечить каждого докладчика фирменной футболкой, хорошим звуком и трансляцией доклада в Интернет, ну и конечно ламповой атмосферой!
Регистрация там же. Welcome - sysconf.io/2024
Please open Telegram to view this post
VIEW IN TELEGRAM
SOHO and IoT devices, including modems, routers, IP cameras, NVR/DVR devices, and NAS devices infected by Raptor Train botnet
250k+ devices from many vendors (Mikrotik, Zyxel, Hikvision, etc)
https://blog.lumen.com/derailing-the-raptor-train/
250k+ devices from many vendors (Mikrotik, Zyxel, Hikvision, etc)
https://blog.lumen.com/derailing-the-raptor-train/
Lumen Blog
Derailing the Raptor Train
BLL discovered an advanced, active botnet targeting US and Taiwanese strategic verticals, we attribute this to Flax Typhoon based on TTPs and some of their router control network
Forwarded from Yevgeniy Goncharov
Время идет вперед и мы вместе с ним! Кто не стоит на месте, не катает вату, а изыскивает, изучает, тот становится лучше, мудрее, опытнее.
Мы помогаем получить возможно многолетний опыт за один день. С радостью анонсирую еще три подтвержденных доклада:
- AppSec из Open Source
-- Название еще не утверждено, но можно быть убежденным - это актуально как никогда, прикладной доклад от эксперта в области пентеста и ресерча.
- Как злоумышленники могут получать персональные данные
-- Название говорит само за себя. Ресерч от автора множества статей и книг, "Malware Development for Ethical Hackers" одна из многих.
- Как я строил инфру под PCI DSS v4
-- Итог ресерча, работы и как финал - сертификация созданного по PCI DSS. Эксперт и ресерчер предметных областей, теперь это PCI..
Кто-то платит деньги, что бы получить знание, кто-то смотрит рекламу, что бы узнать что-то новое. У нас нет такого, приходи, внимай, знакомься, спрашивай. Единственная просьба - отметься в форме, нам это нужно знать для планирования мест в зале:
Нужную кнопку найдешь здесь - https://sysconf.io/2024
Welcome ✌️
Please open Telegram to view this post
VIEW IN TELEGRAM
A vulnerability has been discovered in the TeamViewer Remote clients for Windows which allows local privilege escalation on a Windows system.
https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2024-1006/
https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2024-1006/
TeamViewer
TV-2024-1006
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
Novel Exploit Chain Enables Windows UAC Bypass
https://www.darkreading.com/vulnerabilities-threats/exploit-chain-windows-uac-bypass
https://www.darkreading.com/vulnerabilities-threats/exploit-chain-windows-uac-bypass
Zimbra - Remote Command Execution (CVE-2024-45519)
Technical analysis:
https://blog.projectdiscovery.io/zimbra-remote-code-execution/
Technical analysis:
https://blog.projectdiscovery.io/zimbra-remote-code-execution/
ProjectDiscovery
Zimbra - Remote Command Execution (CVE-2024-45519) — ProjectDiscovery Blog
Zimbra, a widely used email and collaboration platform, recently released a critical security update addressing a severe vulnerability in its postjournal service. This vulnerability, identified as CVE-2024-45519, allows unauthenticated attackers to execute…
Malware throught software. Faked SIEM Wazuh agent and faked uTorrent, Microsoft Office, Minecraft etc services promoted with Advertising or SEO.
https://securelist.ru/miner-campaign-misuses-open-source-siem-agent/110717/
https://securelist.ru/miner-campaign-misuses-open-source-siem-agent/110717/
Securelist
Агент SIEM используется в атаках SilentCryptoMiner
Злоумышленники распространяют майнер через поддельные сайты популярного ПО, Telegram-каналы и YouTube, устанавливают на устройства жертвы агент SIEM-системы Wazuh для закрепления.
LemonDuck Unleashes Cryptomining Attacks Through SMB Service Exploits
https://notes.netbytesec.com/2024/10/lemonduck-unleashes-cryptomining.html?m=1
https://notes.netbytesec.com/2024/10/lemonduck-unleashes-cryptomining.html?m=1
Netbytesec
LemonDuck Unleashes Cryptomining Attacks Through SMB Service Exploits
This post was authored by Aufa and NetbyteSEC Interns (Irham, Idham, Adnin, Nabiha, Haiqal, Amirul) This blog post is intended to give an ov...