SANS Internet Storm Center's Daily Network Security News Podcast

GlobalProtect Updates; Delinea Patch; Lancom PW reset; PHP Patch; Duo leak; LastPass Deepfake Quick Palo Alto Networks Global Protect Vulnerablity Update CVE-2024-3400 https://isc.sans.edu/diary/30838 Delinea patches critical vulnerability in secret manager https://trust.delinea.com/?tcuUid=17aaf4ef-ada9-46d5-bf97-abd3b07daae3 Lancom Windows Setup Assistant May Reset Password https://www.lancom-systems.com/service-support/general-security-information PHP Patches https://seclists.org/oss-sec/2024/q2/113 Duo SMS and VoiP Logs Leaked https://app.securitymsp.cisco.com/e/es?e=2785&eid=opguvrs&elq=bd1c1886a59e40c09915b029a74be94e Lastpass Stops Deepfake Attack https://blog.lastpass.com/posts/2024/04/attempted-audio-deepfake-call-targets-lastpass-employee keywords: Delinea; secret manager; lancom; php; duo; sms; voip; lastpass; deepfake

Palo Alto Networks GlobalProtect 0-Day Vulnerability Exploited Palo Alto Networks GlobalProtect 0-Day CVE-2024-3400 https://security.paloaltonetworks.com/CVE-2024-3400 https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/#RespondingToCompromise keywords: palo alto networks; pan; panos; 0-day; globalprotect

BatBadBut Vulnerability; FortiClient Linux RCE; Apple Notifications; GitHub Search Tricks; BatBadBut: You can't securely execute commands on Windows https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/ FortiClient Linux Remote Code Execution https://www.fortiguard.com/psirt/FG-IR-23-087 Apple Threat Notifications and Protecting Against Mercenary Spyware https://support.apple.com/en-us/102174 New Technique to Trick Developers Detected in an Open Source Supply Chain Attack https://checkmarx.com/blog/new-technique-to-trick-developers-detected-in-an-open-source-supply-chain-attack/ keywords: github; supply chain; search; mercenary; spyware; apple; forticlient; linux; batbadbut; windows; bat;

Rust Vulnerability; Adobe Updates; Fortinet Patches; Malicious Windows Driver Rust Command API code execution vulnerability CVE-2024-24576 https://blog.rust-lang.org/2024/04/09/cve-2024-24576.html Adobe Updates: Magento Adobe Commerce CVE-2024-20759 CVE-2024-20758 https://helpx.adobe.com/security/products/magento/apsb24-18.html https://helpx.adobe.com/security.html Fortinet FortiOS And FortiProxy Vulnerability CVE-2023-41677 https://www.fortiguard.com/psirt/FG-IR-23-493 Smoke and Screen Mirrors Signed Backdoor CVE-2024-26234 https://news.sophos.com/en-us/2024/04/09/smoke-and-screen-mirrors-a-strange-signed-backdoor/ keywords: driver; backdoor; fortinet; fortios; fortiproxy; adobe; magento; commerce; rust; command

Microsoft Patches; D-Link NAS Backdoor; LG WebOS TV Vulnerabilities Microsoft Patches https://isc.sans.edu/forums/diary/April%202024%20Microsoft%20Patch%20Tuesday%20Summary/30822/ D-Link NAS Backdoor https://github.com/netsecfish/dlink LG SmartTV Vulnerabilities https://www.bitdefender.com/blog/labs/vulnerabilities-identified-in-lg-webos/ keywords: lg; smarttv; d-link; nas; backdoor; microsoft; patches; patch tuesday

Why Threat Hunting; Notepad++ Domain Issue; Pickle ML Vulns; V8 Sandbox A Use Case for Adding Threat Hunting to Your Security Operations Team. https://isc.sans.edu/diary/30816 Notepad++ Parasite Site https://notepad-plus-plus.org/news/help-to-take-down-parasite-site/ Hugging Face Pickle File Vulnerablities https://huggingface.co/blog/hugging-face-wiz-security-blog Google Considers V8 Sandbox no longer experimental https://v8.dev/blog/sandbox keywords: v8; google; hugging face; pickle; notepad; parasite; plus; threat hunting; soc;

Heartbleed 10th Anniversary; Magento Backdoor; Fighting DNS Spoofing; Brocade Vuln; @sans_emea evening talk Heartbleed 10th Anniversary https://heartbleed.com/ Possible Libarchive Backdoor Vulnerability https://github.com/libarchive/libarchive/pull/1609 Magento XML Backdoor https://sansec.io/research/magento-xml-backdoor Google Public DNS's approach to fight against cache poisoning attacks https://security.googleblog.com/2024/03/google-public-dnss-approach-to-fight.html Remote code execution (RCE)vulnerability in Brocade Fabric OS (CVE-2023-3454) https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/23215 SANS London April Evening Talk https://sans.zoom.us/webinar/register/WN_ZLLnQKCCQCywLGm-CM4xQg#/registration keywords: heartbleed; xz-utils; magento; libarchive; google; dns; cache poisoning; brocade; fabric os; sans; london

Reversing DoNex; HTTP/2 Continuation Flood; Kobold Letters; Infostealers in Automotive Headunits @sans_edu Slicing up DoNex with Binary Ninja https://isc.sans.edu/diary/Slicing%20up%20DoNex%20with%20Binary%20Ninja/30812 HTTP/2 Continuation Flood https://nowotarski.info/http2-continuation-flood-technical-details/ Dangers of CSS in HTML Email https://lutrasecurity.com/en/articles/kobold-letters/ Dan Mazella: Infostealers in Automotive Headunits https://www.sans.edu/cyber-research/exploring-infostealer-malware-techniques-automotive-head-units/ keywords: donex; binary ninja; http2; css; html; email; infostealers; automotive; headunits; android; carplay; android auto

Playing with xzbot; Device Bound Session Credentials; Ivanti Vulns; Google Pixel 0-Day Playing with xzbot: Some things you can learn from SSH traffic https://isc.sans.edu/forums/diary/Some%20things%20you%20can%20learn%20from%20SSH%20traffic/30808/ Google Proposes Device Bound Session Credentials (DBSC) https://blog.chromium.org/2024/04/fighting-cookie-theft-using-device.html Four More Ivanti Vulnerabilities https://forums.ivanti.com/s/article/SA-CVE-2024-21894-Heap-Overflow-CVE-2024-22052-Null-Pointer-Dereference-CVE-2024-22053-Heap-Overflow-and-CVE-2024-22023-XML-entity-expansion-or-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US Google Pixel Zero Day https://source.android.com/docs/security/bulletin/pixel/2024-04-01 keywords: google; pixel; cookies; sessions; ivanti; dbsc; ssh; xzbot

Chrome Incognito Mode; GMail Anti-Spam; Cisco Updates; Apache Pulsar Updates; Progress Flowmon Vuln; Chrome Incognito Mode Settlement https://www.wired.com/story/google-chrome-incognito-mode-data-deletion-settlement/ Google E-Mail Sender Guidelines FAQ https://support.google.com/a/answer/14229414?hl=en&fl=1&sjid=2270464422796374445-NC Cisco Updates and VPN Best Practices https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/221806-password-spray-attacks-impacting-custome.html https://sec.cloudapps.cisco.com/security/center/publicationListing.x Apache Pulsar Vulnerability https://pulsar.apache.org/security/CVE-2024-29834/ Progress Flowmon Network Monitoring Tool Vulnerability CVE-2024-2389 https://support.kemptechnologies.com/hc/en-us/articles/24878235038733-CVE-2024-2389-Flowmon-critical-security-vulnerability Wait Just an Infosec Episode with Bojan Zdrnja: Thursday April 4th 2024 10:00 EDST https://isc.sans.edu/j/xzutils (link will redirect once episode is live) keywords: progress; flowmon; apache; pulsar; cisco; chrome; google;

xz-utils update; csv files; MacOS Infostealer The amazingly scary xz sshd backdoor https://isc.sans.edu/diary/The%20amazingly%20scary%20xz%20sshd%20backdoor/30802 The xz-utils backdoor in security advisories by national CSIRTs https://isc.sans.edu/diary/The+xzutils+backdoor+in+security+advisories+by+national+CSIRTs/30800 Checking CSV Files https://isc.sans.edu/diary/Checking%20CSV%20Files/30796 Infostealers Pose Threat to macOS https://www.jamf.com/blog/infostealers-pose-threat-to-macos/ keywords: infostealers; macos; cvs; xz-utils; backdoor; ssh; sshd;

xz-utils Backdoor (CVE-2024-3094) xz-utils Backdoor CVE-2024-3094 https://www.openwall.com/lists/oss-security/2024/03/29/4 https://tukaani.org/xz-backdoor/ https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27 Backdoor reverse analysis https://bsky.app/profile/did:plc:x2nsupeeo52oznrmplwapppl/post/3kowjkx2njy2b YARA Rule https://github.com/byinarie/CVE-2024-3094-info/blob/main/CVE-2024-3094.yar Social Engineering Attempts to Include Backdoor in Distros https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067708 https://news.ycombinator.com/item?id=39866275 Github Repo (now disabled) https://github.com/tukaani-project/xz Statements from Distributions https://www.kali.org/blog/about-the-xz-backdoor/ https://archlinux.org/news/the-xz-package-has-been-backdoored/ https://access.redhat.com/security/cve/CVE-2024-3094 https://bugs.gentoo.org/928134 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024 keywords: xz-utils; backdoor; xz

JavaScript to AsyncRAT; TeamCity Patch; Okta Verify Patch; Google 0-Day Report From JavaScript to AsyncRAT https://isc.sans.edu/diary/From%20JavaScript%20to%20AsyncRAT/30788 TeamCity Patches https://www.jetbrains.com/privacy-security/issues-fixed/?product=TeamCity&version=2024.03 Okta Verify for Windows Auto-update Arbitrary Code Execution CVE-2024-0980 https://trust.okta.com/security-advisories/okta-verify-windows-auto-update-arbitrary-code-execution-cve-2024-0980/ Google Zero Day Report https://storage.googleapis.com/gweb-uniblog-publish-prod/documents/Year_in_Review_of_ZeroDays.pdf keywords: google; zero day; okta; teamcity; javascript; asyncrat

OfBiz Scans; Wall-Escape; Apple MFA Bombing Scans for Apache OfBiz https://isc.sans.edu/diary/Scans%20for%20Apache%20OfBiz/30784 Wall-Escape (CVE-2024-28085) https://people.rit.edu/sjf5462/6831711781/wall_2_27_2024.txt Recent "MFA Bombing" Attacks Targeting Apple Users https://krebsonsecurity.com/2024/03/recent-mfa-bombing-attacks-targeting-apple-users/ keywords: apple; mfa; bombing; wall; escape; apache; ofbiz

linux-pkgs.sh; Suspect NuGet Packages; QUIC vs UDP Loops; AI System Miners; ASUS to TheMoon; New tool: linux-pkgs.sh https://isc.sans.edu/forums/diary/New%20tool%3A%20linux-pkgs.sh/30774/ Suspicious NuGet package grabs data from industrial systems https://www.reversinglabs.com/blog/suspicious-nuget-package-grabs-data-from-industrial-systems Preventing Cross Service UDP Loops in QUIC https://bughunters.google.com/blog/5960150648750080/preventing-cross-service-udp-loops-in-quic ShadowRay Attacks AI Workloads Actively Exploited in the Wild https://www.oligo.security/blog/shadowray-attack-ai-workloads-actively-exploited-in-the-wild TheMoon Malware Infects 6,000 ASUS Routers in 72 Hours for Proxy Service https://www.bleepingcomputer.com/news/security/themoon-malware-infects-6-000-asus-routers-in-72-hours-for-proxy-service/ keywords: linux packages; themoon; asus; shadowray; quic; nuget

Tool Updates; Apple Updates; Fake Python Infrastructure; OpenVPN Update Tool updates: le-hex-to-ip.py and sigs.py https://isc.sans.edu/diary/Tool%20updates%3A%20le-hex-to-ip.py%20and%20sigs.py/30772 Apple Updates for MacOS, iOS/iPadOS, visionOS; https://isc.sans.edu/diary/Apple%20Updates%20for%20MacOS%2C%20iOS%20iPadOS%20and%20visionOS/30778 Fake Python Infrastructure https://checkmarx.com/blog/over-170k-users-affected-by-attack-using-fake-python-infrastructure/ OpenVPN Update https://openvpn.net/community-downloads/ keywords: openvpn; python; apple; macos; ios; ipados; visionos; le-hex-to-ip; sigs

1768.py Experimental Mode; Loop DoS; Windows Server Crash Fix 1768.py's Experimental Mode https://isc.sans.edu/diary/1768.py%27s%20Experimental%20Mode/30770 CISCP Advisory on Application-Layer Loop DoS https://docs.google.com/document/d/1KByZzrdwQhrXGPPCf9tUzERZyRzg0xOpGbWoDURZxTI/edit Fixes for Windows Server LSASS Memory Leak https://www.catalog.update.microsoft.com/Search.aspx?q=2024-03%20Cumulative%20Update keywords: lsass; windows; server; ciscp; loop; dos; dns; ntp; tftp; 1768; cobalt strike

Geofeed; Apple Updates and Bugs; GitHub AutoFix; Fortinet POC; new Ivanti Breakage; Geofeed https://isc.sans.edu/forums/diary/Whois%20%22geofeed%22%20Data/30766/ Apple Updates https://support.apple.com/en-us/HT201222 Apple Bug https://gofetch.fail/ GitHub Copilot AutoFix https://github.blog/2024-03-20-found-means-fixed-introducing-code-scanning-autofix-powered-by-github-copilot-and-codeql/ Fortinet PoC https://www.horizon3.ai/attack-research/attack-blogs/cve-2023-48788-fortinet-forticlientems-sql-injection-deep-dive/ Ivanti Standalone Sentry https://forums.ivanti.com/s/article/KB-CVE-2023-41724-Remote-Code-Execution-for-Ivanti-Standalone-Sentry?language=en_US keywords: geofeed; apple; apple bug; github; copilot; autofix; fortinet; ivanti;

FortiOS Scans; Tax Scams; Abusing DHCP Administrators Group Scans for the Fortinet FortiOS CVE-2024-21762 Vulnerability https://isc.sans.edu/diary/Scans%20for%20Fortinet%20FortiOS%20and%20the%20CVE-2024-21762%20vulnerability/30762 Microsoft Reminder: It is Tax Season (at least in the US) https://www.theregister.com/2024/03/20/its_tax_season_and_scammers/ Abusing DHCP Administrators Group for Privilege Escalation in Windows Domains; https://www.akamai.com/blog/security-research/abusing-dhcp-administrators-group-for-privilege-escalation-in-windows-domains keywords: dhcp; administrators; windows; domains; tax season; irs; fortinet;

Hunting Firewalls; Fortigate Exploit; IC3 Annual Report; macOS 14.4 Update Attacker Hunting Firewalls https://isc.sans.edu/diary/Attacker%20Hunting%20Firewalls/30758 Fortigate Vulnerability Exploit Available https://github.com/h4x0r-dz/CVE-2024-21762 IC3 Annual Report 2023 https://www.ic3.gov/Media/PDF/AnnualReport/2023_IC3Report.pdf Issues with macOS 14.4 Update https://www.macrumors.com/2024/03/18/do-not-update-macos-sonoma-14-4/ keywords: macos; ic3; fortigate; firewalls;

MSFT 1024 Bit RSA Keys; Real-Time Safe Browsing; Fortra FileCatalyst Vuln; Spring inSecurity; TrendNet Router Vuln; Microsoft announced deprecation of 1024 bit RSA Keys https://learn.microsoft.com/en-us/windows/whats-new/deprecated-features#deprecated-features Chrome Real-Time Safe Browsing Protection https://blog.google/products/chrome/google-chrome-safe-browsing-real-time/ Fortra FileCatalyst Vulnerability CVE-2024-25153 https://www.fortra.com/security/advisory/fi-2024-002 Spring Security CVE-2024-22257 https://spring.io/security/cve-2024-22257/ TrendNet TWEW-827DRU Router Vulnerability CVE-2024-28353 CVE-2024-28354 https://warp-desk-89d.notion.site/TEW-827DRU-5c40fb20572148f0b00f329d69273791 keywords: trendnet; spring; security; chrome; safe browsing; safebrowsing; fortra; microsoft; tls; ssl; rsa

5GHoul Update; Cobalt Strike Hex Encoded; ChatGPT related OAUTH Issues; Help Desk Attacks; CRL/OCSP Changes 5GHoul Revisted: Thress Months Later https://isc.sans.edu/diary/5Ghoul%20Revisited%3A%20Three%20Months%20Later/30746 Obfuscated Hexadecimal Payload https://isc.sans.edu/diary/Obfuscated%20Hexadecimal%20Payload/30750 ChatGPT Related OAUTH Issues https://salt.security/blog/security-flaws-within-chatgpt-extensions-allowed-access-to-accounts-on-third-party-websites-and-sensitive-data?utm_source=social&utm_medium=reddit RedCanary Threat Detection Report https://redcanary.com/threat-detection-report/ CRL/OCSP Changes https://github.com/cabforum/servercert/blob/main/docs/BR.md keywords: crl; ocsp; cab forum; revocation; certificates; redcanacy; help desks; oauth; 5GHOUL; hexadecimal; obfuscation

R2/IPFS Phishing; Fortinet Updates/new Vulns; Arcserve UDP PoC; Michael Holcomb ICS/PLC Security @sans_edu Increase in the number of phishing messages pointing to IPFS and to R2 buckets https://isc.sans.edu/diary/Increase%20in%20the%20number%20of%20phishing%20messages%20pointing%20to%20IPFS%20and%20to%20R2%20buckets/30744 Fortinet New Vulnerabilities https://www.horizon3.ai/attack-research/attack-blogs/fortiwlm-the-almost-story-for-the-forti-forty/ Fortinet Updates https://www.helpnetsecurity.com/2024/03/14/cve-2023-48788-poc/ Arcserve UDP Vulnerability and PoC https://www.tenable.com/security/research/tra-2024-07 Michael Holcomb: Mode Matters: Monitoring PLCs for Detecting Potential ICS/OT Incidents https://www.sans.edu/cyber-research/mode-matters-monitoring-plcs-for-detecting-potential-ics-ot-incidents/ keywords: holcomb; sans.edu; ics; plc; mode; udp; arcserve; fortinet; horizon3; ipfs; r2; spam; phishing

ChatGPT Deobfuscation; Fortinet Patches; Adobe Patches; Kubernetes Exploit Using ChatGPT to Deofuscate Malicious Scripts https://isc.sans.edu/diary/Using%20ChatGPT%20to%20Deobfuscate%20Malicious%20Scripts/30740 Critical Fortinet Vulnerabilities https://fortiguard.fortinet.com/psirt Adobe Security Bulletins https://helpx.adobe.com/security/security-bulletin.html Kubernetes Local Volumes Command Injection Vulnerability https://www.akamai.com/blog/security-research/kubernetes-local-volumes-command-injection-vulnerability-rce-system-privileges keywords: kubernetes; adobe; fortinet; chatgpt; obfuscation; python

MSFT Patch Tuesday; NVD Issues; ZOHO ManageEngine Vuln; Arube Patches Microsoft Patch Tuesday March 2024 https://isc.sans.edu/diary/Microsoft%20Patch%20Tuesday%20-%20March%202024/30736 Death Knell of NVD https://resilientcyber.substack.com/p/death-knell-of-the-nvd Unrestricted file upload vulnerability in ManageEngine Desktop Central https://www.incibe.es/en/incibe-cert/notices/aviso/unrestricted-file-upload-vulnerability-manageengine-desktop-central Siemens Fire Protection System Updates https://cert-portal.siemens.com/productcert/html/ssa-225840.html keywords: siemens; manageengine; nvd; nist; microsoft; patch tuesday

Leaked API Keys; Fake Calendly Links; SCCM Problems and Misconfiguration Manager @SpecterOps What happens when you accidentially leak your AWS API Keys https://isc.sans.edu/diary/What%20happens%20when%20you%20accidentally%20leak%20your%20AWS%20API%20keys%3F%20%5BGuest%20Diary%5D/30730 How Crypto Imposters are using Calendly to infect Macs with Malware https://cyberguy.com/news/how-crypto-imposters-are-using-calendly-to-infect-macs-with-malware/ https://krebsonsecurity.com/2024/02/calendar-meeting-links-used-to-spread-mac-malware/ Misconfiguration Manager: Overlooked and Overprivileged https://posts.specterops.io/misconfiguration-manager-overlooked-and-overprivileged-70983b8f350d keywords: misconfiguration; configuration manager; sccm; crypto; calendly; aws; api keys; github

Wordpress Brute Force Trick and CORS; Cisco VPN Client Vuln; Fortinet Exploits; pgAdmin; Font Vulnerabilities; QNAP; Attack Wrangles Thousands of Web Users into a Password Cracking Botnet https://arstechnica.com/security/2024/03/attack-wrangles-thousands-of-web-users-into-a-password-cracking-botnet Cisco VPN Client Vuln https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-secure-client-crlf-W43V4G7 Fortinet Vulnerability Exploited https://bishopfox.com/blog/cve-2024-21762-vulnerability-scanner-for-fortigate-firewalls pgAdmin Path Traversal https://www.shielder.com/advisories/pgadmin-path-traversal_leads_to_unsafe_deserialization_and_rce/ Font Vulnerabilities https://www.canva.dev/blog/engineering/fonts-are-still-a-helvetica-of-a-problem/ QNAP Flaws https://securityonline.info/cve-2024-21899-cvss-9-8-critical-qnap-flaw-opens-door-to-hackers/ keywords: qnap; fonts; canva; pgadmin; fortinet; cisco; javascript; cors;

AWS vs. Azure Honeypots; Apple Patches; NSA/CISA Cloud Security Guides AWS Deploymnet Risks - Configuration and Credential File Targeting https://isc.sans.edu/diary/%5BGuest%20Diary%5D%20AWS%20Deployment%20Risks%20-%20Configuration%20and%20Credential%20File%20Targeting/30722 Apple Updates https://isc.sans.edu/diary/MacOS%20Patches%20%28and%20Safari%2C%20TVOS%2C%20VisionOS%2C%20WatchOS%29/30726 NSA/CISA Secure Cloud Guides https://media.defense.gov/2024/Mar/07/2003407866/-1/-1/0/CSI-CloudTop10-Identity-Access-Management.PDF https://media.defense.gov/2024/Mar/07/2003407858/-1/-1/0/CSI-CloudTop10-Key-Management.PDF https://media.defense.gov/2024/Mar/07/2003407859/-1/-1/0/CSI-CloudTop10-Managed-Service-Providers.PDF https://media.defense.gov/2024/Mar/07/2003407862/-1/-1/0/CSI-CloudTop10-Secure-Data.PDF https://media.defense.gov/2024/Mar/07/2003407861/-1/-1/0/CSI-CloudTop10-Network-Segmentation.PDF keywords: nsa, cisa, cloud, apple, honeypot, aws, azure

#QUIC Scanning; Google Chrome Update; YARN Miner; Teamcity Exploited; #quicmap Scanning and Abusing the QUIC Protocol https://isc.sans.edu/diary/Scanning%20and%20abusing%20the%20QUIC%20protocol/30720 Google Chrome Update https://chromereleases.googleblog.com/2024/03/stable-channel-update-for-desktop.html Spinning YARN https://www.cadosecurity.com/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence/ Teamcity Exploited https://twitter.com/leak_ix/status/1765460190621581347 keywords: teamcity; yarn; hadoop; chrome; quic; quicmap

iOS Updates; Perimeter Security Survival Time; #QEMU Tunnel; #VMware Patches iOS/iPadOS Updates with Zero Day Fixes https://isc.sans.edu/diary/Apple%20Releases%20iOS%20iPadOS%20Updates%20with%20Zero%20Day%20Fixes./30716 Why Your Firewall Will Kill You https://isc.sans.edu/diary/Why+Your+Firewall+Will+Kill+You/30714/ QEMU Tunnel https://securelist.com/network-tunneling-with-qemu/111803/ VMware Vulnerabilities Patched https://www.vmware.com/security/advisories/VMSA-2024-0006.html keywords: vmware; qemu; tunnel; firewall; permiter; security; ios; ipados; apple

TAPs at Home; TeamCity Vuln; GitHub Push Protections; Android Update; Linksys Bug Capturing DShield Packets with a LAN Tap https://isc.sans.edu/diary/Capturing%20DShield%20Packets%20with%20a%20LAN%20Tap%20%5BGuest%20Diary%5D/30708 Additional Critical Security Issues Affecting Teamcity https://blog.jetbrains.com/teamcity/2024/03/additional-critical-security-issues-affecting-teamcity-on-premises-cve-2024-27198-and-cve-2024-27199-update-to-2023-11-4-now/ GitHub Push Protection Now On By Default https://github.blog/2024-02-29-keeping-secrets-out-of-public-repositories/ Android Updates https://source.android.com/docs/security/bulletin/2024-03-01 Linksys E-2000 Vulnerablity https://warp-desk-89d.notion.site/Linksys-E-2000-efcd532d8dcf4710a4af13fca131a5b8 keywords: linksys; android; github; tap; network; teamcity;

Old Confluence Vuln Scan; Google CSP Difficulties; Scanning for Confluence CVE-2022-26134 https://isc.sans.edu/diary/Scanning%20for%20Confluence%20CVE-2022-26134/30704 Exploiting CSP Wildcards for Google Domains https://attackshipsonfi.re/p/exploiting-csp-wildcards-for-google Silver SAML: Golden SAML in the Cloud https://www.semperis.com/blog/meet-silver-saml/ keywords: saml; csp; confluence; cve-2022-26134; cloud;

DarkGate Update; Ivanti IR; Github Repo Flood; NoName Doorbell Cameras; @sans_edu Dissecting DarkGate: Module Malware Delivery and Persistence as a Service https://isc.sans.edu/diary/%5BGuest%20Diary%5D%20Dissecting%20DarkGate%3A%20Modular%20Malware%20Delivery%20and%20Persistence%20as%20a%20Service./30700 Ivanti Incident Response Update https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060b Github Flooded with Infected Repos https://apiiro.com/blog/malicious-code-campaign-github-repo-confusion-attack Security Flaws in NoName Doorbell Cameras https://www.consumerreports.org/home-garden/home-security-cameras/video-doorbells-sold-by-major-retailers-have-security-flaws-a2579288796/ keywords: doorbells; github; repos; flood; ivanti; darkgate

Odd Confluence Scan; ALPH/Blackcat Healthcare Attacks; GlobalBlock Released Exploit Attempts for Unknown Password Reset Vulnerability https://isc.sans.edu/diary/Exploit%20Attempts%20for%20Unknown%20Password%20Reset%20Vulnerability/30698 StopRansomware: Updated ALPHV Blackcat Advisory https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-353a GlobalBlock Service To Prevent Trademark abuse https://www.bleepingcomputer.com/news/technology/registrars-can-now-block-all-domains-that-resemble-brand-names/ keywords: GlobalBlock; trademark; registrars; stopransomware; alphv; healthcare; blackcat; altassian; confluence; password; reset

Ubiquity Takedown Aftermath; New Govt Botnet Advisory; SVR Cloud Attacks; Hugging Face ML Models Take Downs and the Rest of Us: Do they matter? https://isc.sans.edu/diary/Take%20Downs%20and%20the%20Rest%20of%20Us%3A%20Do%20they%20matter%3F/30694 Joint Cybersecurity Advisory https://www.ic3.gov/Media/News/2024/240227.pdf SVR Cyber Actors Adapt Tactics for Initial Cloud Access https://www.ncsc.gov.uk/news/svr-cyber-actors-adapt-tactics-for-initial-cloud-access Data Scientists Targeted by Malicious Hugging Face ML Models with Silent Backdoor https://jfrog.com/blog/data-scientists-targeted-by-malicious-hugging-face-ml-models-with-silent-backdoor/ keywords: Machine learning; ml; backdoor; hugging face; svr; cloud; advisory; routers; ubiquity; take downs;

VirusTotal API and Honeypots; WPA2 Auth Bypass; Subdomain Spam; Utilizing the VirusTotal API to Query Files Uploaded to the DShield Honeypot https://isc.sans.edu/diary/Utilizing%20the%20VirusTotal%20API%20to%20Query%20Files%20Uploaded%20to%20DShield%20Honeypot%20%5BGuest%20Diary%5D/30688 New WiFi Authentication Vulnerabilities Discovered https://www.top10vpn.com/research/wifi-vulnerabilities/ Subdomain Takeover Spam https://labs.guard.io/subdomailing-thousands-of-hijacked-major-brand-subdomains-found-bombarding-users-with-millions-a5e5fb892935 keywords: subdomain; spam; malspam; wifi; wpa; authentication; vulnerability; honeypots; virustotal; cookoo

Magellan Scans; Mouse Sandbox Check; Salesforce Apex Vuln; IBM ODM PoC; Linux kTLS Vuln; Update MGLNDD * Scans https://isc.sans.edu/forums/diary/Update%3A%20MGLNDD_*%20Scans/30686/ Simple Anti-Sandbox Technique: Where's the Mouse https://isc.sans.edu/diary/Simple%20Anti-Sandbox%20Technique%3A%20Where%27s%20The%20Mouse%3F/30684 Security Vulnerabilities in Apex Code Could Leak Salesforce Data https://www.varonis.com/blog/apex-code-vulnerabilities IBM Operation Decision Manager Exploit CVE-2024-22319 CVE-2024-22320 https://labs.watchtowr.com/double-k-o-rce-in-ibm-operation-decision-manager/ Linux Kernel TLS Vulnerability CVE-2024-26582 https://lore.kernel.org/linux-cve-announce/2024022139-spruce-prelude-c358@gregkh/ keywords: linux; tls; ibm; odm; exploit; vulnerability; apex; salesforce; mouse; sandbox; mglndd; ripe; atlas

Friend of Foe; AT&T Wireless Outage; LockBit Uses Screenconnect; SSH Snake Friend, Foe or Something In Between https://isc.sans.edu/diary/%5BGuest%20Diary%5D%20Friend%2C%20foe%20or%20something%20in%20between%3F%20The%20grey%20area%20of%20%27security%20research%27/30670 Large AT&T Wireless Network Outage https://isc.sans.edu/diary/Large%20AT%26T%20Wireless%20Network%20Outage%20%23att%20%23outage/30680 Connect Wise Screenconnect Userd by LockBit https://www.bleepingcomputer.com/news/security/screenconnect-servers-hacked-in-lockbit-ransomware-attacks/ SSH Snake Abused in the Wild https://github.com/MegaManSec/SSH-Snake keywords: ssh snake; ssh; connectwise; screenconnect; at&T; modbus

Archive.org Phish; ScreenConnect PoC; Post Quantum iMessage; Phishing Pages Hosted on Archive.org https://isc.sans.edu/forums/diary/Phishing%20pages%20hosted%20on%20archive.org/30676/ ScreenConnect Authentication Bypass Exploit CVE-2024-1709 CVE-2024-1708) https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass iMessage with PQ3 https://security.apple.com/blog/imessage-pq3/ keywords: imessage; pq3; screenconnect; archive; phishing

Dynamic Sandbox Detection; Screenconnect Vulns; VMWare EAP; VoltSchemer Python InfoStealer Wtih Dynamic Sandbox Detection https://isc.sans.edu/diary/Python%20InfoStealer%20With%20Dynamic%20Sandbox%20Detection/30668 Connectwise Screenconnect Vulnerabilities https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8 Remove VMWare Enhanced Authentication Plugin (EAP) СVE-2024-22245 CVE-2024-22250 https://kb.vmware.com/s/article/96442 Voltage Noise to Manipulate Wireless Chargers https://arxiv.org/pdf/2402.11423.pdf keywords: voltage; voltschemer; qi; wireless charging; vmware; screenconnect; sandbox;

Mirai Again; KeyTrap PoC; AI File Type Recon; Unsynced Clock Issue Old Mirai New Exploits https://isc.sans.edu/diary/Mirai-Mirai%20On%20The%20Wall...%20%5BGuest%20Diary%5D/30658 KeyTrap PoC Exploit https://github.com/knqyf263/CVE-2023-50387 Google Open Sources Magika File ID System https://opensource.googleblog.com/2024/02/magika-ai-powered-fast-and-efficient-file-type-identification.html Exploiting Unsynchronised Clocks https://attackshipsonfi.re/p/exploiting-unsynchonised-clocks keywords: clocks; ntp; caching; google; magika; ai; libmagic; file id; keytrap; poc; mirai

SolarWinds Patch; Chrome CORS Extension; Biometrics Theft SolarWinds Security Advisories https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-3_release_notes.htm Google Chrome Adds Private Network Checks https://chromestatus.com/feature/4869685172764672 Gold Factory iOS Trojan https://www.group-ib.com/blog/goldfactory-ios-trojan/ keywords: goldfactory; ios; trojan; chrome; network; cors; solarwinds;

AWS SNS Smishing; Linux CVEs; Pulse Secure Issues; Rogue Ethernet Switches; @sans_edu @sansinstitute USPS Anchors Snowballing Smishing Campaigns https://www.sentinelone.com/labs/sns-sender-active-campaigns-unleash-messaging-spam-through-the-cloud/ Linux Issuing CVEs http://www.kroah.com/log/blog/2024/02/13/linux-is-a-cna/ Analyzing Pulse Secure Firmware and Bypassing Integrity Checking https://eclypsium.com/blog/flatlined-analyzing-pulse-secure-firmware-and-bypassing-integrity-checking/ Jennifer Walker: Detecting Rogue Ethernet Switches Using Layer 1 Techniques https://www.sans.edu/cyber-research/detecting-rogue-ethernet-switches-using-layer-1-techniques/ keywords: jennifer walker; switches; ethernet; ivanty; linux; cves; usps; phishing; smishing; sns

Troubleshooting Honeypots; Dangerous Suggestions; MonikerLink Bug; Adobe and AMD patches Guest Diary: Learning by Doing An Interative Adventure in Troubleshooting https://isc.sans.edu/diary/%5BGuest%20Diary%5D%20Learning%20by%20doing%3A%20Iterative%20adventures%20in%20troubleshooting/30648 Snap Trap: The Hidden Dangers within Ubuntu's Package Suggestion System https://www.aquasec.com/blog/snap-trap-the-hidden-dangers-within-ubuntus-package-suggestion-system/ The Risks of the Monikerlink Bug in Microsoft Outlook https://research.checkpoint.com/2024/the-risks-of-the-monikerlink-bug-in-microsoft-outlook-and-the-big-picture/ Adobe Patches https://helpx.adobe.com/security/security-bulletin.html AMD Patches https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7009.html keywords: monikerlink; outlook; smb; snap trap; troubleshooting; honeypot

Microsoft Patches; DNSSEC DoS Vuln; Zoom and QNAP Vulnerablities Microsoft Patch Tuesday https://isc.sans.edu/diary/Microsoft%20February%202024%20Patch%20Tuesday/30646 DNSSEC DoS Vulnerability CVE-2023-50387 https://www.presseportal.de/pm/173495/5713546 Zoom Desktop Client Vuln https://www.zoom.com/en/trust/security-bulletin QNAP Vulnerablity https://www.qnap.com/de-de/security-advisory/qsa-23-57 https://unit42.paloaltonetworks.com/qnap-qts-firmware-cve-2023-50358/ keywords: qnap; zoom; dnssec; dos; bind; unbound; microsoft; patches

Mirai vs BYTEVALUE; Targeted Cloud Attack; Repo Security; Postgresql Vuln; Comma vs MSFT Defender Exploit Against Unnamed BYTEVALUE Router Vulnerablity Included in Mirai https://isc.sans.edu/diary/Exploit%20against%20Unnamed%20%22Bytevalue%22%20router%20vulnerability%20included%20in%20Mirai%20Bot/30642 Senior Executives Targeted in Ongoing Azure Account Takeover https://www.darkreading.com/cloud-security/senior-executives-targeted-ongoing-azure-account-takeover CISA Parners With OpenSSF To Secure Software Repositories https://www.cisa.gov/news-events/alerts/2024/02/08/cisa-partners-openssf-securing-software-repositories-working-group-release-principles-package PostgreSQL Vulnerability https://www.postgresql.org/support/security/CVE-2024-0985/ Microsoft Defender Bypass via Comma https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART2.txt keywords: microsoft; defender; comma; postgresql; cisa; openssf; repository; mirai; bytevalue; azure; cloud

Obfuscated MSIX Powershell; Too Many Honeypots; ClamAV Vuln; ExpressVPN Leak MSIX With Heaviliy Obfuscated PowerShell Script https://isc.sans.edu/diary/MSIX%20With%20Heavily%20Obfuscated%20PowerShell%20Script/30636 Too Many Honeypots https://vulncheck.com/blog/too-many-honeypots ClamAV Command Injection Vulnerability CVE-2024-20328 https://amitschendel.github.io/vulnerabilites/CVE-2024-20328/ ExpressVPN DNS Leaks https://www.expressvpn.com/blog/windows-app-dns-requests/ keywords: expressvpn; dns; leak; clamav; honeypots; msix; powershell; obfuscation

Podcast Aniversary; Keylogger MP3 Player; Fake LastPass; Ivanti Vuln; @sans_edu @SANSInstitute A Python MP3 Player With Builtin Keylogger Capability https://isc.sans.edu/diary/A%20Python%20MP3%20Player%20with%20Builtin%20Keylogger%20Capability/30632 Fake LastPass App in Apple App Store https://blog.lastpass.com/2024/02/warning-fraudulent-app-impersonating-lastpass-currently-available-in-apple-app-store/ Ivanti XXE Vulnerability https://forums.ivanti.com/s/article/CVE-2024-22024-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure FortiOS sslvpnd vulnerability https://www.fortiguard.com/psirt/FG-IR-24-015 keywords: fortios; sslvpnd; ivanti; xxe; lastpass; python; mp3; player; app store; apple

Possible Balena Scans; Critical shim vulnerability; Volt Typhoon Living of the Land Anybody knows what this URL is about? Maybe Balena API request? https://isc.sans.edu/forums/diary/Anybody%20knows%20that%20this%20URL%20is%20about%3F%20Maybe%20Balena%20API%20request%3F/30628/ Critical shim vulnerability and patch https://github.com/rhboot/shim/releases/tag/15.8 Volt Typhoon Lessons Learned https://www.cisa.gov/resources-tools/resources/identifying-and-mitigating-living-land-techniques keywords: volt; typhoon; shim; bios; uefi; url; balena

40 Years of Viruses; Infected Toothbrushes; TeamCity Vuln; Resume Looters; Malicious Facebook Job Ads Computer viruses are celebrating their 40th birthday (well, 54th, really) https://isc.sans.edu/diary/Computer%20viruses%20are%20celebrating%20their%2040th%20birthday%20%28well%2C%2054th%2C%20really%29/30624 Three million malware-infected smart toothbrushes used in Swiss DDoS attacks https://www.tomshardware.com/networking/three-million-malware-infected-smart-toothbrushes-used-in-swiss-ddos-attacks-botnet-causes-millions-of-euros-in-damages Critical Security Issue Affecting TeamCity On-Premises CVE-2024-23917 https://blog.jetbrains.com/teamcity/2024/02/critical-security-issue-affecting-teamcity-on-premises-cve-2024-23917/ Resume Looters https://www.group-ib.com/blog/resumelooters/ Facebook Advertising Spreads Novel Malware Variant https://www.trustwave.com/hubfs/Web/Library/Documents_pdf/FaceBook_Ad_Spreads_Novel_Malware.pdf keywords: facebook; advertising; malware; resume; teamcity; toothbrushes; ddos