SANS Internet Storm Center's Daily Network Security News Podcast

Honeypot Lesons; TeamViewer Compromise; Fortra File Catalyst Vuln/PoC; GitLab Update; Vanna.AI RCE; What Setting Live Traps For Cybercriminals Taught Me About Security https://isc.sans.edu/diary/What%20Setting%20Live%20Traps%20for%20Cybercriminals%20Taught%20Me%20About%20Security%20%5BGuest%20Diary%5D/31038 TeamViewer Compromise https://www.teamviewer.com/en-us/resources/trust-center/statement/ Fortra File Catalyst Vulnerability and PoC https://support.fortra.com/filecatalyst/kb-articles/advisory-6-24-2024-filecatalyst-workflow-sql-injection-vulnerability-YmYwYWY4OTYtNTUzMi1lZjExLTg0MGEtNjA0NWJkMDg3MDA0 https://www.tenable.com/security/research/tra-2024-25 GitLab Critical Update https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/ When Prompts Go Rogue: Analyzing a Prompt Injection Code Execution in Vanna.AI https://jfrog.com/blog/prompt-injection-attack-code-execution-in-vanna-ai-cve-2024-5565/ keywords: vanna.ai; prompt injection; sql injection; remote code execution; sqli; rce; gitlab; fortra; teamviewer; honeypot; sans.edu

New MOVEit Vulnerability; Polyfill Supply Chain Attack; Apple AirPods Patch; Critical Progress MOVEit Authentication Bypass Vulnerability https://labs.watchtowr.com/auth-bypass-in-un-limited-scenarios-progress-moveit-transfer-cve-2024-5806/ https://community.progress.com/s/article/MOVEit-Transfer-Product-Security-Alert-Bulletin-June-2024-CVE-2024-5806 Polyfill.io Supply Chain Attack https://cside.dev/blog/more-than-100k-websites-targeted-in-web-supply-chain-attack Apple AirPods Firmware Update https://support.apple.com/en-us/HT214111 keywords: airpods; polyfill; moveit;

TCP Latency Sidechannel; MMC Initial Access; Wyze Camera Vulns; TCP Latency Sidechannel https://www.snailload.com/snailload.pdf Microsoft Management Console for Intial Access and Evasion https://www.elastic.co/security-labs/grimresource Wyze Camera Vulnerabilities https://forums.wyze.com/t/security-advisory/289256 keywords: wyze; camera; mmc; snailload; tcp; latency

Configuration Scans Expand; SQL Server Emergency Fix; Juniper Security Analytics; XNU Buffer Overflow PoC @0xjprx Configuration Scans Expand https://isc.sans.edu/diary/Configuration%20Scanners%20Adding%20Java%20Specific%20Configuration%20Files/31032 SQL Server Emergency Fix https://support.microsoft.com/en-us/topic/june-20-2024-kb5041054-os-build-20348-2529-out-of-band-b746ffbd-934e-42ac-9c66-ed0636edf7f1 Juniper Security Analytics Update https://supportportal.juniper.net/s/article/On-Demand-JSA-Series-Multiple-vulnerabilities-resolved-in-Juniper-Secure-Analytics-in-7-5-0-UP8-IF03?language=en_US MacOS/iOS XNU Buffer Overflow Exploit CVE-2024-27815 https://jprx.io/cve-2024-27815/ keywords: macos; ios; buffer overflow; juniper; sql server; microsoft; java

Process Monitor Update; Kaspersky Sanctions; Phoenix UEFI Vuln; Ghostscript Vuln; js2py unpatched vuln; Sysinternals Process Monitor Version 4 Released https://isc.sans.edu/diary/Sysinternals%27%20Process%20Monitor%20Version%204%20Released/31026 Kaspersky Sanctions https://home.treasury.gov/news/press-releases/jy2420 Phoenix UEFI Buffer Overflow Affects Wide Range of Systems https://eclypsium.com/blog/ueficanhazbufferoverflow-widespread-impact-from-vulnerability-in-popular-pc-and-server-firmware/ Ghostscript Update https://ghostscript.readthedocs.io/en/gs10.03.1/News.html js2py vulnerability https://github.com/Marven11/CVE-2024-28397-js2py-Sandbox-Escape keywords: js2py; ghostscript; pdf; postscript; ps; phoenix; uefi; kaspersky; sysinternals;

Ubuntu Login Security; BOM Mime Files; Confluence Patches; Validating E-Mail Addresses; VMware Patches; No Excuses: Free Tools to Help Secure Authentication in Ubuntu https://isc.sans.edu/diary/No%20Excuses%2C%20Free%20Tools%20to%20Help%20Secure%20Authentication%20in%20Ubuntu%20Linux%20%5BGuest%20Diary%5D/31024 Handling BOM MIME Files https://isc.sans.edu/diary/Handling+BOM+MIME+Files/31022 Atlasiun Confluence Data Center and Server Vuln https://confluence.atlassian.com/security/security-bulletin-june-18-2024-1409286211.html Beyond the @ Symbol: Exploiting the Flexibility of Email Addresses For Offensive Purposes https://modzero.com/en/blog/beyond_the_at_symbol/ VMWare Patches https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24453 keywords: ubuntu; authentcation; mfa; vmware; email; validating;

NetSupport Campaign; D-Link Backdoor; iTerm2 Vuln; NextCloud Vuln; New NetSupport Campaign Deleivered Through MSIX Packages https://isc.sans.edu/diary/New%20NetSupport%20Campaign%20Delivered%20Through%20MSIX%20Packages/31018 D-Link Router Backdoor https://www.twcert.org.tw/en/cp-139-7880-629f5-2.html https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10398 iTerm2 Vulnerablity https://vin01.github.io/piptagole/escape-sequences/iterm2/rce/2024/06/16/iterm2-rce-window-title-tmux-integration.html NextCloud Vulnerability https://github.com/nextcloud/security-advisories/security/advisories/GHSA-9v72-9xv5-3p7c keywords: nextcloud; iterm2; d-link; dlink; netsupport;

Didier's Tools JSON use; Python Serialization Lab @markbaggett; Detecting Headless Chrome @xopek59; ExtensionTotal; ASUS Router Update Overview of My Tools That Handle JSON Data https://isc.sans.edu/diary/Overview%20of%20My%20Tools%20That%20Handle%20JSON%20Data/31012 Python Serialization and "Sleepy Pickle" https://x.com/MarkBaggett/status/1801732554740969561 Detecting Headless Chrome https://deviceandbrowserinfo.com/learning_zone/articles/detecting-headless-chrome-puppeteer-2024 Detecting Malicious VS Code Extensions https://medium.com/@amitassaraf/4-6-introducing-extensiontotal-how-to-assess-risk-in-vs-code-extensions-3ac5bfd83fb1 ASUS Router Critical Vulnerability https://www.asus.com/content/asus-product-security-advisory/ keywords: ASUS; vscode; headless; chrome; python; sleepy pickle; json;

JQ Intro; Outlook Vuln Details; Outlook MFA Required; Pickle File Attacks; The Art of JQ and Command-Line Fu https://isc.sans.edu/diary/The%20Art%20of%20JQ%20and%20Command-line%20Fu%20%5BGuest%20Diary%5D/31006 Microsoft Outlook Vulnerablity Details https://blog.morphisec.com/cve-2024-30103-microsoft-outlook-vulnerability Keeping our Outlook Personal Email Users Safe https://techcommunity.microsoft.com/t5/outlook-blog/keeping-our-outlook-personal-email-users-safe-reinforcing-our/ba-p/4164184 Exploiting ML models with pickle file attacks https://blog.trailofbits.com/2024/06/11/exploiting-ml-models-with-pickle-file-attacks-part-1/ keywords: ml; pickle; outlook; email; mfa; jq; json

MSMQ Packets; Adobe Updates; Black Basta used 0-day; Pixel Phone 0-day Patched MSMQ Packets https://isc.sans.edu/diary/Port%201801%20Traffic%3A%20Microsoft%20Message%20Queue/31004 Adobe Updates https://helpx.adobe.com/security/products/magento/apsb24-40.html Black Basta Exploited CVE-2024-26169 Prior to Patch https://symantec-enterprise-blogs.security.com/threat-intelligence/black-basta-ransomware-zero-day Pixel Phone 0-Day Patched https://source.android.com/docs/security/bulletin/pixel/2024-06-01 keywords: pixel; phone; black basta; adobe; msmq

Microsoft Patch Tuesday; JetBrains InteliJ GitHub Vuln; More Veeam Vulns; Precor Threadmill Vulns; Microsoft Patch Tuesday https://isc.sans.edu/diary/Microsoft%20Patch%20Tuesday%20June%202024/31000 JetBrains IntelliJ Based IDE GitHub Plugin Vulnerability https://blog.jetbrains.com/security/2024/06/updates-for-security-issue-affecting-intellij-based-ides-2023-1-and-github-plugin/ Veeam Recovery Orchestrator (VRO) vulnerability CVE-2024-29855 https://www.veeam.com/kb4585 Precor Threadmill Vulnerablity https://securityintelligence.com/x-force/internet-connected-treadmill-vulnerabilities-discovered/ keywords: precore; threadmill; veeam; jetbrains; inellij; ide; github; microsoft

#Veeam Exploit CVE-2024-29849 @sinsinology; #SORBS Shutdown @ssharwood; Malicious #Comfui Modules; Veeam Exploit CVE-2024-29849 https://summoning.team/blog/veeam-enterprise-manager-cve-2024-29849-auth-bypass/ SORBS Shutdown https://www.theregister.com/2024/06/07/sorbs_closed/ Rogue Cell Tower Shut Down in London https://www.cityoflondon.police.uk/news/city-of-london/news/2024/june/two-people-arrested-in-connection-with-investigation-into-homemade-mobile-antenna-used-to-send-thousands-of-smishing-text-messages-to-the-public/ Malicious Comfyui Modules https://www.youtube.com/watch?v=ntwGHjBCbeQ keywords: comfyui; cell tower; sorbs; veeam;

PHP Vulnerablity Exploited; PyTorch RPC Vulnerability; Malicious VSCode Extensions PHP Unicode Remote Code Execution Exploit https://www.bleepingcomputer.com/news/security/malicious-visual-studio-code-extensions-with-millions-of-installs-discovered/ PyTorch Distributed RPC Framework Remote Code Execution https://huntr.com/bounties/39811836-c5b3-4999-831e-46fee8fcade3 https://www.cve.org/CVERecord?id=CVE-2024-5480 Malicious VSCode Extensions Used by Researchers https://www.bleepingcomputer.com/news/security/malicious-visual-studio-code-extensions-with-millions-of-installs-discovered/ keywords: vscode; extensions; pytorch; rpc; rce; php; unicode;

"Best Before" Malware; FBI Offers Lockbit Help; UK Asks for EoL data; FCC proposes RPKI rules for BPG Malicious Python Script with a "Best Before" Date https://isc.sans.edu/diary/Malicious%20Python%20Script%20with%20a%20%22Best%20Before%22%20Date/30988 FBI Obtained 7,000 LockBit Ransomware Keys https://www.fbi.gov/news/speeches/fbi-cyber-assistant-director-bryan-vorndran-s-remarks-at-the-2024-boston-conference-on-cyber-security Apple Guarantees 5 Years of Security Updates https://www.androidauthority.com/iphone-software-support-commitment-3449135/ FCC Proposes New Rule for Security Routing https://www.fcc.gov/document/fcc-proposes-internet-routing-security-reporting-requirements keywords: fbi; lockbit; uk; apple; samsung; fcc; bgp; rpki;

WatchGuard VPN Bruteforcing; TotalRecall; WebEx Flaw; #webex @cisco #recall WatchGuard VPN Brutefording https://isc.sans.edu/diary/Brute%20Force%20Attacks%20Against%20Watchguard%20VPN%20Endpoints/30984 TotalRecall Tool To Extract Data from Microsoft Recall https://github.com/xaitax/TotalRecall WebEx Flaw https://www.helpnetsecurity.com/2024/06/05/cisco-webex-cloud-vulnerability/ https://netzbegruenung.de/blog/netzbegruenung-findet-schwachstellen-auch-im-cisco-webex-clouddienst-behoerden-und-unternehmen-in-ganz-europa-betroffen/ (in german) keywords: webex; totalrecall; recall; watchguard; vpn;

No Defender Detection; Fake Job Ads; Zyxel NAS Patches No Defender Yes Defender https://isc.sans.edu/diary/No-Defender%2C%20Yes-Defender/30980 Fake Job Ads Lead to Stolen Crypto Currency https://www.ic3.gov/Media/Y2024/PSA240604 Zyxel NAS Vulnerabilities https://outpost24.com/blog/zyxel-nas-critical-vulnerabilities/ keywords: zyxel; nas; fake job ads; defender

Custom Wireshark LUA Dissectors; COX Cable Modem API; Malicious Stack Overflow Answers; A Wireshark Lua Dissector for Fixed Field Length Protocols https://isc.sans.edu/diary/A%20Wireshark%20Lua%20Dissector%20for%20Fixed%20Field%20Length%20Protocols/30976 COX Cable Modem Admin API Weakness https://samcurry.net/hacking-millions-of-modems Malicous Stack Overflow Answers https://www.bleepingcomputer.com/news/security/cybercriminals-pose-as-helpful-stack-overflow-users-to-push-malware/ Atlasian Confluence Data Center and SErver Remote Code Execution Vuln CVE-2024-21683 https://blog.sonicwall.com/en-us/2024/05/confluence-data-center-and-server-remote-code-execution-vulnerability/ keywords: atlasian; confluence; stack overflow

K1W1 Infostealer; Linux Malware Scanner; Snowflake Incident; HuggingFace Space secrets leak; K1w1 Infostealer Uses gofile.io for Exfiltration https://isc.sans.edu/diary/%22K1w1%22%20InfoStealer%20Uses%20gofile.io%20for%20Exfiltration/30972 Kaspersky Linux Malware Scanner https://www.kaspersky.com/blog/kvrt-for-linux/51375/ Snowflake Incident https://www.helpnetsecurity.com/2024/06/01/snowflake-breach-data-theft/ HuggingFace Space Secrets Leak https://huggingface.co/blog/space-secrets-disclosure keywords: huggingface; ai; snowflake; credential stuffing; kaspersky; malware; scanner; k1w1; python; infostealer;

OSSEC and MISP; Checkpoint VPN PoC Exploit; Massive October Windstream Outage; Cypher Injection; @sans_edu @watchtowrcyber @lumentechco Feeding MISP with OSSEC https://isc.sans.edu/diary/Feeding%20MISP%20with%20OSSEC/30968 Checkpoint VPN https://labs.watchtowr.com/check-point-wrong-check-point-cve-2024-24919/ The Pumpkin Eclipse https://blog.lumen.com/the-pumpkin-eclipse/ Michael Dunking: Detecting Cypher Injection with Open-Source Network Intrusion Detection https://www.sans.edu/cyber-research/detecting-cypher-injection-with-open-source-network-intrusion-detection/ keywords: cypher; pumpkin; checkpoint; vpn; misp; ossec; path traversal;

DShield SIEM; Checkpoint 0-Day; Okta Credential Stuffing; Bitcoin Wallet Bruteforce; @okta @joegrand Is that It? Finding the Unknown: Correlations Between Honeypot Logs and PCAPs https://isc.sans.edu/diary/Is%20that%20It%3F%20%20Finding%20the%20Unknown%3A%20Correlations%20Between%20Honeypot%20Logs%20%26%20PCAPs%20%5BGuest%20Diary%5D/30962 Checkpoint 0-Day https://blog.checkpoint.com/security/enhance-your-vpn-security-posture Okta warns of Credential Stuffing Against Customer Identity Cloud https://sec.okta.com/articles/2024/05/detecting-cross-origin-authentication-credential-stuffing-attacks Brute Forcing Old Bitcoin Wallet Password https://www.youtube.com/watch?v=o5IySpAkThg keywords: bitcoin; okta; checkpoint; siem; dshield; pcap

SQL Injection and Python; FortiSIEM RCE PoC; Bitlocker Ransomware; iconv (glibc) and MacOS PoC; @Horizon3ai @WangTielei Preventing SQL Injection with Python https://www.youtube.com/watch?v=1cQy9N1Xndk PoC Exploit for CVE-2024-23108 in Fortinet FortiSIEM https://www.horizon3.ai/attack-research/cve-2024-23108-fortinet-fortisiem-2nd-order-command-injection-deep-dive/ ShrinkLocker: Turning BitLocker into ransomware https://securelist.com/ransomware-abuses-bitlocker/112643/ iconv buffer overflow PoC 2024-2961 https://github.com/ambionics/cnext-exploits/ PoC for Apple Priv. Escalation bug CVE-2024-27842 https://github.com/wangtielei/POCs/tree/main/CVE-2024-27842 https://x.com/WangTielei keywords: poc; apple; macos; iconv; php; shinklocker; ransomware; bitlocker; fortinet; fortisiem; sql injection; python

TXZ Malspam; 4th Google 0-Day; Google no trust in Globaltrust; Checkpoint Password Bruteforcing; Files with TGZ Extension used as malspam attachements https://isc.sans.edu/diary/Files%20with%20TXZ%20extension%20used%20as%20malspam%20attachments/30958 Google 0-Day https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_23.html Google Stops Trusting Globaltrust CA https://groups.google.com/a/ccadb.org/g/public/c/wRs-zec8w7k/m/G_9QprJ2AQAJ Checkpoint warns of password bruteforcing https://blog.checkpoint.com/security/enhance-your-vpn-security-posture?campaign=checkpoint&eid=guvrs&advisory=1 SEC522: Defending Web Applications isc.sans.edu/j/sec522 keywords: dc; washington; TXZ; malspam; chrome; 0-day; globaltrust; ccadb; checkpoint; vpm; mfa;

Redtail Miner; Veeam, Ivanti and Firepower Vulns; Justice AV Backdoor; C-Root Server Lack Analysis of 'redtail' file uploads to ISC Honeypot https://isc.sans.edu/diary/Analysis%20of%20%3Fredtail%3F%20File%20Uploads%20to%20ICS%20Honeypot%2C%20a%20Multi-Architecture%20Coin%20Miner%20%5BGuest%20Diary%5D/30950 Veeam Vulnerablity https://www.veeam.com/kb4581 C-Root Server Lost Touch With Peers https://arstechnica.com/security/2024/05/dns-glitch-that-threatened-internet-stability-fixed-cause-remains-unclear/ Ivanti Vulnerabilities https://forums.ivanti.com/s/article/Avalanche-6-4-3-602-additional-security-hardening-and-CVE-fixed?language=en_US Justice AV Solutions Software Backdoor https://www.rapid7.com/blog/post/2024/05/23/cve-2024-4978-backdoored-justice-av-solutions-viewer-software-used-in-apparent-supply-chain-attack/ keywords: justice; av; ivanti; firepower; cisco; c-root; cogent;

Scripting ipinfo in nmap; Wifi BSSID Location Databases: risks and opting out NMAP Scanning Without Scanning - The ipinfo API https://isc.sans.edu/diary/NMAP%20Scanning%20without%20Scanning%20%28Part%202%29%20-%20The%20ipinfo%20API/30948 Why Your WiFi Router Doubles As An Apple Airtag https://krebsonsecurity.com/2024/05/why-your-wi-fi-router-doubles-as-an-apple-airtag/#more-67551 https://account.microsoft.com/privacy/location-services-opt-out https://answers.microsoft.com/en-us/windows/forum/all/wifi-sense-my-ssid-includes-optout-why-do-windows/1453142a-755a-476f-aa48-56d05b89e33c https://www.computerworld.com/article/1484722/here-s-how-to-opt-out-of-google-s-wi-fi-snooping.html https://www.privacy.org.nz/publications/commissioner-inquiries/google-s-collection-of-wifi-information-during-street-view-filming/ keywords: wps; wifi; location; gps; nmap; ipinfo; api

Shodan via nmap; iTerm2 Vulns; GitHub Enterprise Vuln; BitBucket Secret Leaks; MSFT Recall Privacy Scanning without Scanning with nmap https://isc.sans.edu/diary/Scanning%20without%20Scanning%20with%20NMAP%20%28APIs%20FTW%29/30944 iTerm2 Vulnerablities https://vin01.github.io/piptagole/escape-sequences/iterm2/hyper/url-handlers/code-execution/2024/05/21/arbitrary-url-schemes-terminal-emulators.html GitHub Enterprise Vulnerablity CVE-2024-4985 https://nvd.nist.gov/vuln/detail/CVE-2024-4985 BitBucket Pipelines Leaking Secrets https://cloud.google.com/blog/topics/threat-intelligence/bitbucket-pipeline-leaking-secrets Microsoft Recall Privacy https://www.microsoft.com/en-us/windows/copilot-plus-pcs?r=1#faq1 keywords: microsoft; recall; bitbucket; pipelines; github; iterm2; nmap

Analyzing MSG Files; Fluent Bit Vuln; Fortinet Vuln Details; Git and Google Chrome PoCs; Analyzing MSG Files https://isc.sans.edu/diary/Analyzing%20MSG%20Files/30940 Linguistic Lumberjack: Fluent Bit Vulnerability CVE-2024-4323 https://www.tenable.com/blog/linguistic-lumberjack-attacking-cloud-services-via-logging-endpoints-fluent-bit-cve-2024-4323 Fortinet FortiSIEM Command Injection Deep-Dive CVE-2023-23992 https://www.horizon3.ai/attack-research/cve-2023-34992-fortinet-fortisiem-command-injection-deep-dive/ Git Vulnerability CVE-2024-32002 PoC https://amalmurali.me/posts/git-rce/ Google Chrome CVE-2024-4947 PoC https://buptsb.github.io/blog/post/CVE-2024-4947-%20v8%20incorrect%20AccessInfo%20for%20module%20namespace%20object%20causes%20Maglev%20type%20confusion.html keywords: msg; fluent bit; fortinet; fortisiem; git; google; chrome

Extrace JPEGs from PDFs; QNAP 0-Day PoC; Exploited D-Link Vulnerabilities; Ivanti PoC Another PDF Streams Example: Extracting JPEGs https://isc.sans.edu/diary/Another%20PDF%20Streams%20Example%3A%20Extracting%20JPEGs/30924 QNAP QTS QNAPping At the Wheel https://labs.watchtowr.com/qnap-qts-qnapping-at-the-wheel-cve-2024-27130-and-friends/ May 2024 Security Update Problems with Windows 2019 https://learn.microsoft.com/en-us/windows/release-health/status-windows-10-1809-and-windows-server-2019#3299msgdesc Dlink Vulnerabilities Exploited https://www.cisa.gov/news-events/alerts/2024/05/16/cisa-adds-three-known-exploited-vulnerabilities-catalog Ivanti PoC Exploit CVE 2024-22026 https://www.redlinecybersecurity.com/blog/exploiting-cve-2024-22026-rooting-ivanti-epmm-mobileiron-core keywords: ivanti; poc; dlink; patch; windows; microsoft; 2019; qnap; qts; ping; share; pdf; jpeg

yq parser; Quick Assist Misuse; Chrome 0-Days; Android Theft Protection; Git Update Why yq? Adventurs in XML https://isc.sans.edu/diary/Why%20yq%3F%20%20Adventures%20in%20XML/30930 Black Basta Uses Quick Assist https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/ Various Chrome 0-Day Vulnerabilities https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_15.html Android Theft Protection Improvement https://blog.google/products/android/android-theft-protection/ Critical Git Update https://github.blog/2024-05-14-securing-git-addressing-5-new-vulnerabilities/ keywords: git; android; chrome; quick assist; black basta; yq; xml; json

VPNs need MFA; SSID Confusion; FIDO2 Session Hijacking Got MFA? If not, now is the time! https://isc.sans.edu/diary/Got%20MFA%3F%20%20If%20not%2C%20Now%20is%20the%20Time!/30926 SSID Confusion: Making Wi-Fi Clients Connect to the Wrong Network CVE-2023-52424 https://www.top10vpn.com/assets/2024/05/Top10VPN-x-Vanhoef-SSID-Confusion.pdf FIDO2 MitM Session Hijacking https://www.silverfort.com/blog/using-mitm-to-bypass-fido2/?web_view=true#but-first-some-background keywords: fido2; mitm; ssid; wifi; mfa;

Microsoft Patches; Bluetooth Trackers; VMWare Updates; Revoking Windows UEFI Certs; Adobe Patches Microsoft Patches https://isc.sans.edu/diary/Microsoft%20May%202024%20Patch%20Tuesday/30920 Detecting Bluetooth Trackers https://security.googleblog.com/2024/05/google-and-apple-deliver-support-for.html Adobe Patches https://helpx.adobe.com/security/products/acrobat/apsb24-29.html VMWare Updates https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24280 Revoking Vulnerability Windows Boot Managers https://techcommunity.microsoft.com/t5/windows-it-pro-blog/revoking-vulnerable-windows-boot-managers/ba-p/4121735 keywords: boot managers; windows; patches; bluetooth; trackers; vmware; adobe;

Apple Updates; JunOS OpenSSH Issues; Malicious Go in PyPi; Apple Updates Everything https://isc.sans.edu/diary/Apple%20Patches%20Everything%3A%20macOS%2C%20iOS%2C%20iPadOS%2C%20watchOS%2C%20tvOS%20updated./30916 Juniper OpenSSH Update https://supportportal.juniper.net/s/article/2024-05-Reference-Advisory-Junos-OS-and-Junos-OS-Evolved-Multiple-CVEs-reported-in-OpenSSH?language=en_US Malicious Go Binary Delivered via Steganography in PyPi https://blog.phylum.io/malicious-go-binary-delivered-via-steganography-in-pypi/ keywords: go; pypi; openssh; apple

Windows DNS Suffixes; Black Basta Ransomware; Arcserve UDP Exploits; Chrome 0-day; SolarWinds ARM Vuln; DNS Suffixes on Windows https://isc.sans.edu/diary/DNS%20Suffixes%20on%20Windows/30912 Black Basta Ransomware Advisory https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a Possible Exploitation of Arcserve Unified Data Protection Vuln https://digital.nhs.uk/cyber-alerts/2024/cc-4487 Chrome Patches 0-Day https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_9.html Solarwinds ARM Vulnerablities https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-4_release_notes.htm keywords: dns; suffix; windows; black basta; ransomware; arcserve; chrome; 0-day; solarwinds;

PDF Streams; F5 Central Manager Vuln; Veeam Patches; XenCenter Putty Update; Analyzing PDF Streams https://isc.sans.edu/diary/Analyzing%20PDF%20Streams/30908 F5 Next Central Manager Vulnerabilities https://eclypsium.com/blog/big-vulnerabilities-in-next-gen-big-ip/ Veeam Patches https://www.veeam.com/kb4441 https://www.veeam.com/kb4509 Citrix Hypervisor Security Update CVE-2024-31497 https://support.citrix.com/article/CTX633416/citrix-hypervisor-security-update-for-cve202431497 keywords: citrix; hypervisor; veeam; f5; pdf;

Analyzing Synology Disks; RSA Panel; SANS.edu Research Journal Analzying Synology Disks https://isc.sans.edu/diary/Analyzing%20Synology%20Disks%20on%20Linux/30904 RSA Panel https://www.rsaconference.com/usa/agenda/session/The%20Five%20Most%20Dangerous%20New%20Attack%20Techniques%20You%20Need%20to%20Know%20About SANS.edu Research Journal https://www.sans.edu/cyber-security-research keywords: sans.edu; research; journal; rsa; panel; synology;

ISP DNS Spoofing; Weblogic PoC; PDF.js / React PDF Vuln; Tinyproxy Detecting XFinity/Comcast DNS Spoofing https://isc.sans.edu/diary/Detecting%20XFinity%20Comcast%20DNS%20Spoofing/30898 Weblogic PoC CVE-2024-21006 https://pwnull.github.io/2024/oracle%20weblogic%20CVE-2024-21006%20Double-JNDInjection%20RCE%20analyze/ https://github.com/momika233/CVE-2024-21006 PDF.js React PDF Vulnerablity https://securityonline.info/cve-2024-4367-cve-2024-34342-javascript-flaw-threatens-millions-of-pdf-js-and-react-pdf-users/ Tinyproxy Response https://github.com/tinyproxy/tinyproxy/issues/533 keywords: tinyproxy; pdf.js; react; pdf; weblogic; xfinity; comcast; dns

VPN Routing Leaks; Mullvad VPN Traffic Leak; Tiny Proxy unpatches RCE Vuln; DHCP Based VPN Routing Leaks https://www.leviathansecurity.com/blog/tunnelvision Mullvad VPN DNS Traffic Leak https://mullvad.net/en/blog/dns-traffic-can-leak-outside-the-vpn-tunnel-on-android Tiny Proxy Vulnerability https://talosintelligence.com/vulnerability_reports/TALOS-2023-1889 keywords: tiny proxy; vpn; mullvad; tunnelview; routing; leak

DNS Debugging; MSFT Zero Trust DNS; MSFT Graph API Abuse DNS Debugging with nslookup https://isc.sans.edu/diary/nslookups+Debug+Options/30894/ Microsoft Plans DNS Lockdown https://techcommunity.microsoft.com/t5/networking-blog/announcing-zero-trust-dns-private-preview/ba-p/4110366 Microsoft Graph API Abuse https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/graph-api-threats SANSFIRE SEC522 Defending Web Applications https://www.sans.org/cyber-security-training-events/sansfire-2024/ keywords: microsoft; graph; api; dns; zero trust; ztdns; nslookup;

Scans for Stupid Router Vuln; npm xml-crypt Vuln; Cuddlefish; ArubaOS Vuln; https://isc.sans.edu/diary/Scans%20Probing%20for%20LB-Link%20and%20Vinga%20WR-AC1200%20routers%20CVE-2023-24796/30890 Scans Probing for LB-Link and Vinga WR-AC1200 routers CVE-2023-24796 Buffer Overflow Vulnerabilities in ArubaOS https://www.arubanetworks.com/support-services/security-bulletins/ The Cuttlefish Malware https://blog.lumen.com/eight-arms-to-hold-you-the-cuttlefish-malware/ keywords: routers; npm; cuddlefix; arubaos; https;

Linux Trojan; Denial of Wallet Attack; EU iOS Appstore User Tracking; BentoML Vuln; Linux Trojan - Xorddos with Filename eyshcjdmzg https://isc.sans.edu/diary/Linux%20Trojan%20-%20Xorddos%20with%20Filename%20eyshcjdmzg/30880 AWS S3 Denial of Wallet Amplification Attack https://medium.com/@maciej.pocwierz/how-an-empty-s3-bucket-can-make-your-aws-bill-explode-934a383cb8b1 https://blog.limbus-medtec.com/the-aws-s3-denial-of-wallet-amplification-attack-bc5a97cc041d EU iOS Safari Allows User Tracking https://www.mysk.blog/2024/04/28/safari-tracking/ BentoML Critical Deserialization Vuln CVE-2024-2912 https://nvd.nist.gov/vuln/detail/CVE-2024-2912 keywords: bentoml; ios; safari; tracking; aws; s3; cost; wallet; linux; trojan

Zyxel NAS Attacks; R Vulnerability; Malicious Containers; NVMe-oF/TCP Vulns; Another Day, Another NAS: Attacks against Zyxel NAS326 Devices CVE-2023-4473, CVE-2023-4474 https://isc.sans.edu/diary/Another%20Day%2C%20Another%20NAS%3A%20Attacks%20against%20Zyxel%20NAS326%20devices%20CVE-2023-4473%2C%20CVE-2023-4474/30884 R-Bitrary Code Execution: Vulnearbility in R's Deserialization https://hiddenlayer.com/research/r-bitrary-code-execution/ Coordinated Docker Hub Attacks using Malicious Repositories https://jfrog.com/blog/attacks-on-docker-with-millions-of-malicious-repositories-spread-malware-and-phishing-scams/ NVMe-oF/TCP Vulnerabilities https://www.cyberark.com/resources/threat-research-blog/your-nvme-had-been-syzed-fuzzing-nvme-of-tcp-driver-for-linux-with-syzkaller keywords: nvme; tcp; docker; hub; malicious; repos; nas; zyxel;

DLink NAS Exploit Variation; DNS and Great Firewall of China; Android TV Data Leakage DLink NAS Exploit Variation https://www.qnap.com/en/security-advisory/qsa-24-09 Muddling Meerkat DNS Abuse https://blogs.infoblox.com/threat-intelligence/a-cunning-operator-muddling-meerkat-and-chinas-great-firewall/ Android TV Data Leakage https://www.youtube.com/watch?v=QiyBXXO8QpA https://www.404media.co/android-tvs-can-expose-user-email-inboxes/ SEC522: SANSFIRE https://www.sans.org/cyber-security-courses/application-security-securing-web-apps-api-microservices/ SEC522 Demo (requires free account): https://www.sans.org/ondemand/get-demo/316 keywords: sec522; sansfire; demo; android; muddling; meerkat; dns; great firewall; china; dlink; nas

Credential Stuffing Increase; Fake Payment Cards; USPS Phishing; Chrome Post Quantum TLS Issues; Okta warns of increase in credential stuffing https://sec.okta.com/blockanonymizers Fake payment cards used by Police in Japan https://twitter.com/vxunderground/status/1783522097425211887 Phishing Campaigns Targeting USPS https://www.akamai.com/blog/security-research/phishing-usps-malicious-domains-traffic-equal-to-legitimate-traffic Chrome 124 Breaks TLS Handshake https://www.reddit.com/r/sysadmin/comments/1carvpd/chrome_124_breaks_tls_handshake/ keywords: chrome; tls; phishing; usps; japan; okta; credential stuffing; brute forcing;

Honeypot Firewalls; Unplugging PlugX; pfsense and GitLab Updates; Blocking LOLBins @sans_edu Does it matter if iptables isn't running on my honeypot? https://isc.sans.edu/forums/diary/Does%20it%20matter%20if%20iptables%20isn't%20running%20on%20my%20honeypot%3F/30862/ Unplugging PlugX: Singholing the PlugX USB worm botnet https://blog.sekoia.io/unplugging-plugx-sinkholing-the-plugx-usb-worm-botnet/ pfSense Updates https://docs.netgate.com/advisories/index.html GitLab Updates https://about.gitlab.com/releases/2024/04/24/patch-release-gitlab-16-11-1-released/ Matthew Alan Vorhees: Prevention Strategies for Modern Living Off the Land Usage https://www.sans.edu/cyber-research/prevention-strategies-modern-living-off-land-usage/ keywords: sans.edu; research; gitlab; lolbins; pfsense; plugx; iptables; honeypot

NVD API Updates; Cisco Patches and Backdoor; Keyboard App Vulns; node-mysql2 vulns; API Rug Pull - The NIST NVD Database and API https://isc.sans.edu/diary/API%20Rug%20Pull%20-%20The%20NIST%20NVD%20Database%20and%20API%20%28Part%204%20of%203%29/30868 Cisco Patches Vulnerabilities and Discovers Arcane Backdoor https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/ Vulnerabilities across keyboard apps reveal keystrokes to network eavesdroppers https://citizenlab.ca/2024/04/vulnerabilities-across-keyboard-apps-reveal-keystrokes-to-network-eavesdroppers/ MySQL2: Dangers of User-Defined Database Connections https://blog.slonser.info/posts/mysql2-attacker-configuration/ Netgear Nighthawk Vulnerabilities https://jvn.jp/en/vu/JVNVU91883072/ keywords: netgear; nighthawk; mysql2; node; keyboard; cisco; backdoor; arcanedoor; api; nvd; nist

struts2 devmode scans; Russian PrinterNightmare; Exchange Server Fix; Flowmon Exploit; GuptiMiner; Struts2 devmode Still a Problem Ten Years Later https://isc.sans.edu/forums/diary/Struts%20%22devmode%22%3A%20Still%20a%20problem%20ten%20years%20later%3F/30866/ Analyzing Forest Blizard's Custom Post-Compromise Tool for exploiting CVE-2022-38028 https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/ April 2024 Exchange Server Hotfix Update https://techcommunity.microsoft.com/t5/exchange-team-blog/released-april-2024-exchange-server-hotfix-updates/ba-p/4120536 CVE-2024-2389: Command Injection Vulnerability in Progress Flowmon https://rhinosecuritylabs.com/research/cve-2024-2389-in-progress-flowmon/ GuptiMiner: Hijacking Antivirus Updates for Distributing Backdoors and Casual Mining https://decoded.avast.io/janrubin/guptiminer-hijacking-antivirus-updates-for-distributing-backdoors-and-casual-mining/ keywords: guptiminer; progress; flowmon; exchange server; hotfix; forest blizard; printnightmware; struts2; devmode

Exposed ICS; Evil XDR; GitLab Comment Bug; Number of Industrial Devices Accessible From Internet Up 30 Thousand over three years https://isc.sans.edu/diary/It%20appears%20that%20the%20number%20of%20industrial%20devices%20accessible%20from%20the%20internet%20has%20risen%20by%2030%20thousand%20over%20the%20past%20three%20years/30860 Evil XDR: Turning an XDR into an Offensive Tool https://www.darkreading.com/application-security/evil-xdr-researcher-turns-palo-alto-software-into-perfect-malware GitLab Comment Bug https://www.bleepingcomputer.com/news/security/gitlab-affected-by-github-style-cdn-flaw-allowing-malware-hosting/ keywords: gitlab; xdr; evil xdr; ics

CVE Changes; CrushFTP 0-Day; GitHub Comment Bug; YubiKey Manager Bug; PAN GlobalProtect Update The CVE's They are A-Changing https://isc.sans.edu/diary/The%20CVE%27s%20They%20are%20A-Changing!/30850 CrushFTP 0-Day Vulnerability https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update https://www.reddit.com/r/crowdstrike/comments/1c88788/situational_awareness_20240419_crushftp_virtual/ GitHub Comment Bug Used to Distribute Malware https://www.bleepingcomputer.com/news/security/github-comments-abused-to-push-malware-via-microsoft-repo-urls/ YubiKey Manager Privilege Escalation https://www.yubico.com/support/security-advisories/ysa-2024-01/ Palo Alto Networks GlobalProtect Update https://security.paloaltonetworks.com/CVE-2024-3400 keywords: cve; crushftp; github; yubikey; palo alto; PAN; globalprotect

Delinea PoC; Ivanti Avalanche PoC; Advanced Phishing Campaign; go-getter update; OfflRouter Virus Delinea Secret Server Authn Authz Bypass https://straightblast.medium.com/all-your-secrets-are-belong-to-us-a-delinea-secret-server-authn-authz-bypass-adc26c800ad3 Ivanti Avalanche Poc/Details https://www.tenable.com/security/research/tra-2024-10 Advanced Phishing Campaign https://www.lookout.com/threat-intelligence/article/cryptochameleon-fcc-phishing-kit Hashicorp go-getter update CVE-2024-3817 https://discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040 OfflRouter Virus https://blog.talosintelligence.com/offlrouter-virus-causes-upload-confidential-documents-to-virustotal/ keywords: offlrouter; ukraine; hashicorp; go-getter; phishing; ivanti; delinea

AgentTesla via PDF; GlobalProtect Updates; Open Source Takeovers; OpenMetaData Attacks Malicious PDF File As Delivery Mechanism https://isc.sans.edu/diary/Malicious%20PDF%20File%20Used%20As%20Delivery%20Mechanism/30848 Updated Palo Alto Networks GlobalProtect Guidance https://security.paloaltonetworks.com/CVE-2024-3400 Coordinated Social Engineering Takeovers of Open Source Projects; https://openssf.org/blog/2024/04/15/open-source-security-openssf-and-openjs-foundations-issue-alert-for-social-engineering-takeovers-of-open-source-projects/ OpenMetaData Attacks https://www.microsoft.com/en-us/security/blog/2024/04/17/attackers-exploiting-new-critical-openmetadata-vulnerabilities-on-kubernetes-clusters/ keywords: openmetadata; social engineering; open source; openssf; openjs; pan; globalprotect; pdf; agenttesla

GlobalProtect Exploit Public; Putty Private Key Vuln; Palo Alto Networks GlobalProtect exploit public and widely exploited CVE-2024-3400 https://isc.sans.edu/forums/diary/Palo%20Alto%20Networks%20GlobalProtect%20exploit%20public%20and%20widely%20exploited%20CVE-2024-3400/30844/ Putty Private Key Recovery https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-p521-bias.html Oracle Critical Patch Update https://www.oracle.com/security-alerts/cpuapr2024.html Ivanti Avalanche MDM Patches https://forums.ivanti.com/s/article/Avalanche-6-4-3-Security-Hardening-and-CVEs-addressed?language=en_US keywords: ivanti; avalanche; oracle; cpu; putty; ssh; pan; globalprotect; palo alto