
SANS Internet Storm Center's Daily Network Security News Podcast
1,029 episodes — Page 13 of 21

Network Security News Summary for Friday November 10th, 2023
Visualizing Code Injection; SysAid Exploit; WS_FTP Update; CPU-Z Impersonation; pyArrow Vulnerability
Visual Examples of Code Injection https://isc.sans.edu/diary/Visual%20Examples%20of%20Code%20Injection/30388
SysAid Exploited by Cl0p Ransomware (CVE-2023-47246) https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
WS_FTP Server Update CVE-2023-42659 https://community.progress.com/s/article/WS-FTP-Server-Service-Pack-November-2023
Malvertiser copies PC news site to deliver infostealer https://www.malwarebytes.com/blog/threat-intelligence/2023/11/malvertiser-copies-pc-news-site-to-deliver-infostealer
pyArrow/Apache Arrow Vulnerability https://lists.apache.org/thread/yhy7tdfjf9hrl9vfrtzo8p2cyjq87v7n
keywords: pyarrow; apache; arrow; cpu-z; malvertiser; google; ws_ftp; moveit; sysaid

Network Security News Summary for Thursday November 09th, 2023
Project Phishing; Azure Automation Mining; Windows Firewall Changes; SLP DoS Vuln added to KEV
Example of a Phishing Campaign Project File https://isc.sans.edu/diary/Example%20of%20Phishing%20Campaign%20Project%20File/30384
Cryptomining with Microsoft Azure Automation Services https://www.safebreach.com/blog/cryptocurrency-miner-microsoft-azure
Windows 11 Insider Changing Firewall Behaviour https://blogs.windows.com/windows-insider/2023/11/08/announcing-windows-11-insider-preview-build-25992-canary-channel/
CISA Adds SLP Vulnerability to Known Exploited Vulnerability List https://www.cisa.gov/news-events/alerts/2023/11/08/cisa-adds-one-known-exploited-vulnerability-catalog
keywords: cisa; slp; windows 11; smb; ntlm; firewall; cryptomining; azure; automation; phishing; project

Network Security News Summary for Wednesday November 08th, 2023
Discovery of Designated Resolvers; BlueNoroff macOS Malware; MSFT hardens MFA
What's Normal: New uses of DNS, Discovery of Designated Resolvers (DDR) https://isc.sans.edu/diary/What%27s%20Normal%3A%20New%20uses%20of%20DNS%2C%20Discovery%20of%20Designated%20Resolvers%20%28DDR%29/30380
BlueNoroff macOS Malware https://www.jamf.com/blog/bluenoroff-strikes-again-with-new-macos-malware/
Emphasizing Security by Default with Advanced Microsoft Authenticator Features https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/emphasizing-security-by-default-with-advanced-microsoft/ba-p/3773130
keywords: microsoft; authenticator; macos; malware; bluenoroff; dns; ddr; designated resolvers

Network Security News Summary for Tuesday November 07th, 2023
Confluence CVE-2023-22518 Exploited; Calendar Data Exfil; Veeam and QNAP Patches
Confluence CVE-2023-22518 Exploited https://isc.sans.edu/diary/Exploit%20Activity%20for%20CVE-2023-22518%2C%20Atlassian%20Confluence%20Data%20Center%20and%20Server/30376
Google Threat Horizons Report https://services.google.com/fh/files/blogs/gcat_threathorizons_full_oct2023.pdf
Bookmark Bruggling: Novel Data Exfiltration with Brugglemark https://www.sans.edu/cyber-research/bookmark-bruggling-novel-data-exfiltration-with-brugglemark/
Veeam Update https://www.veeam.com/kb4508
QNAP Update https://www.qnap.com/de-de/security-advisory/qsa-23-35
keywords: qnap; veeam; google; horizons; calendar; confluence

Network Security News Summary for Monday November 06th, 2023
Possible Exchange Flaws; StripedFly Botnet; Send My
New Microsoft Exchange Zero Days https://www.bleepingcomputer.com/news/microsoft/new-microsoft-exchange-zero-days-allow-rce-data-theft-attacks/
StripedFly: Perennially Flying under the Radar https://securelist.com/stripedfly-perennially-flying-under-the-radar/110903/
Send My: Sending Data over Apple's Find My Network https://github.com/positive-security/send-my
keywords: send my; apple; find my; stripedfly; miner; exchange

Network Security News Summary for Friday November 3rd, 2023
Inflated PE Files; ActiveMQ Exploit; Firepower Vuln; Malicious NPM
Quick Tip for Artificially Inflated PE Files https://isc.sans.edu/diary/Quick%20Tip%20For%20Artificially%20Inflated%20PE%20Files/30370
Apache ActiveMQ Flaw Exploited https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt https://www.rapid7.com/blog/post/2023/11/01/etr-suspected-exploitation-of-apache-activemq-cve-2023-46604/
Critical Firepower Vulnerability https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-cmd-inj-29MP49hN
Dozens of npm Packages Caught Attempting to Deploy Reverse Shell https://blog.phylum.io/dozens-of-npm-packages-caught-attempting-to-deploy-reverse-shell/
keywords: reverse shell; npm; rsh.js; firepower; activemq; apache; pe files

Network Security News Summary for Thursday November 2nd, 2023
ZPAQ Archives; CVSS 4.0; Slack Impersonation; MOZI Demise; URL Shorteners
Malware Dropped Through a ZPAQ Archive https://isc.sans.edu/forums/diary/Malware%20Dropped%20Through%20a%20ZPAQ%20Archive/30366/
CVSS 4.0 Now Official https://www.first.org/cvss/v4-0/index.html
MOZI Botnet Killswitch https://www.welivesecurity.com/en/eset-research/who-killed-mozi-finally-putting-the-iot-zombie-botnet-in-its-grave/
URL Shorteners in .us https://securityonline.info/infoblox-uncovers-malicious-wave-in-us-domain-registrations/
Impersonating Slack Users https://falconspy.org/redteam/tradecraft/2023/10/05/2023-10-05-Slack-Impersonation.html
keywords: slack; url; us; mozi; botnet; cvss; zpaq; malware; archive

Network Security News Summary for Wednesday November 1st, 2023
Anti-Sandboxing; Confluence Vuln; PyCharm Malvertisement; Thorntech SFTP Gateway Vuln
Multiple Layers of Anti-Sandboxing Techniques https://isc.sans.edu/diary/Multiple%20Layers%20of%20Anti-Sandboxing%20Techniques/30362
CVE-2023-22518 Improper Authorization Vulnerability in Confluence Data Center and Server https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html
Malvertisement Promotes Malicious PyCharm Version https://www.malwarebytes.com/blog/threat-intelligence/2023/10/malvertising-via-dynamic-search-ads-delivers-malware-bonanza
Thorntech SFTP Gateway Java Deserialization RCE CVE-2016-1000027 CVE-2023-47174 https://help.thorntech.com/docs/sftp-gateway-gcp-3.0/gcp-java-deserialization-rce/
keywords: thorntech; sftp; pycharm; malvertisement; confluence; anti-sandboxing

Network Security News Summary for Tuesday October 31st, 2023
Multicast DNS; Kubernetes ingress-nginx; HTTPS Upgrade; WordPad PoC
Flying under the Radar: The Privacy Impact of Multicast DNS https://isc.sans.edu/forums/diary/Flying%20under%20the%20Radar%3A%20The%20Privacy%20Impact%20of%20multicast%20DNS/30358/
Kubernetes ingress-nginx Vulnerability https://github.com/kubernetes/ingress-nginx/issues/10571
Google Chrome HTTPS Upgrade https://github.com/dadrian/https-upgrade/blob/main/explainer.md
WordPad PoC CVE-2023-36563 https://www.dillonfrankesecurity.com/posts/cve-2023-36563-wordpad-analysis/
keywords: wordpad; google; chrome; https; kubernetes; ingress-nginx; mdns

Network Security News Summary for Monday October 30th, 2023
Size Matters; Spam or Phishing; iOS MAC Leaks; ZDI Summary; Octo Tempest
Size Matters for Many Security Controls https://isc.sans.edu/diary/Size%20Matters%20for%20Many%20Security%20Controls/30352
Spam or Phishing? Looking for Credentials and Passwords https://isc.sans.edu/diary/Spam%20or%20Phishing%3F%20Looking%20for%20Credentials%20%26%20Passwords/30354
iOS Leaks MAC Address https://www.youtube.com/watch?v=T3XABxNogTA
Zero Day Initiative Pwn2Own Summary https://www.zerodayinitiative.com/blog/2023/10/24/pwn2own-toronto-2023-day-one-results https://www.zerodayinitiative.com/blog/2023/10/25/pwn2own-toronto-2023-day-two-results https://www.zerodayinitiative.com/blog/2023/10/26/pwn2own-toronto-2023-day-three-results
Microsoft Octo Tempest Writeup https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/
keywords: octo; tempest; microsoft; zdi; pwn2own; apple; mac address; privacy; size; spam; phishing

Network Security News Summary for Friday October 27th, 2023
IPv4 Addresses; F5 BIG-IP Vuln; Apple iLeakage
Adventures in Validating IPv4 Addresses https://isc.sans.edu/forums/diary/Adventures%20in%20Validating%20IPv4%20Addresses/30348/
BIG-IP Configuration Utility Unauthenticated Remote Code Execution https://my.f5.com/manage/s/article/K000137353 https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/
iLeakage Vulnerability https://ileakage.com/
keywords: ileakage; big-ip; f5; ipv4; addresses; input; validation

Network Security News Summary for Thursday October 26th, 2023
Apple Updates; Confluence Server Scans; Critical VMware Patch
Apple Updates https://isc.sans.edu/diary/Apple%20Patches%20Everything.%20Releases%20iOS%2017.1%2C%20MacOS%2014.1%20and%20updates%20for%20older%20versions%20fixing%20exploited%20vulnerability/30344
Confluence Server Scans CVE-2023-22515 https://isc.sans.edu/diary/30342
Critical VMware vCenter Patch CVE-2023-34048 https://www.vmware.com/security/advisories/VMSA-2023-0023.html
keywords: vmware; vcenter; confluence; server; apple

Network Security News Summary for Wednesday October 25th, 2023
Google Samsung False Positive; OAuth Hijacking; Exchange PoC; Citrix Bleed PoC; VMware vRealize Exploit
Samsung Messages and Samsung Wallet briefly marked as 'harmful' by Google https://9to5google.com/2023/10/23/samsung-messages-wallet-harmful-app-google/
OAuth Hijacking https://salt.security/blog/oh-auth-abusing-oauth-to-take-over-millions-of-accounts
Microsoft Exchange Server CVE-2023-36745 PoC https://n1k0la-t.github.io/2023/10/24/Microsoft-Exchange-Server-CVE-2023-36745/
Citrix Bleed PoC CVE-2023-4966 https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966
VMware vRealize Exploit CVE-2023-34051 CVE-2023-34052 https://www.vmware.com/security/advisories/VMSA-2023-0021.html
keywords: vmware; vrealize; exploit; poc; exchange; citrix; oauth; samsung; google; false positive

Network Security News Summary for Tuesday October 24th, 2023
Apple TV IPv6 DoS; Squid Patches; Critical Citrix Patch; Cisco Vuln Updates
Apple TV IPv6 DoS https://isc.sans.edu/diary/How%20an%20AppleTV%20may%20take%20down%20your%20%28%23IPv6%29%20network/30336
Squid Patches https://github.com/squid-cache/squid/security/advisories
Critical Citrix Update https://www.netscaler.com/blog/news/cve-2023-4966-critical-security-update-now-available-for-netscaler-adc-and-netscaler-gateway/
Cisco Vulnerability Updates CVE-2023-20198 https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
keywords: cisco; ios xe; apple; tv; ipv6; router advertisements; squid; citrix

Network Security News Summary for Monday October 23rd, 2023
Base64Dump; OAuth Redirect; Okta Breach; VMware and SolarWinds Patches
base64dump.py Handles More Encodings Than Just BASE64 https://isc.sans.edu/diary/base64dump.py%20Handles%20More%20Encodings%20Than%20Just%20BASE64/30332
Stealing OAuth Tokens via Open Redirects https://eval.blog/research/microsoft-account-token-leaks-in-harvest/
VMware Patches https://www.vmware.com/security/advisories.html
SolarWinds Patches https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-1_release_notes.htm
keywords: solarwinds; vmware; oauth; microsoft; harvest; base64

Network Security News Summary for Friday October 20th, 2023
Honeypot Update; Malicious KeePass Ad; JavaScript in Blockchain
Honeypot Update https://github.com/DShield-ISC/dshield/blob/main/README.md
Malicious KeePass Ads https://www.malwarebytes.com/blog/threat-intelligence/2023/10/clever-malvertising-attack-uses-punycode-to-look-like-legitimate-website
Malicious JavaScript in Smart Contracts https://labs.guard.io/etherhiding-hiding-web2-malicious-code-in-web3-smart-contracts-65ea78efad16
keywords: javascript; binance; smart contracts; keepass; honeypot

Network Security News Summary for Thursday October 19th, 2023
Hex Decode; Oracle CPU; Citrix Vuln Exploited; Exposed Jupyter Notebooks
Hiding in Hex https://isc.sans.edu/diary/Hiding%20in%20Hex/30322
Oracle Quarterly Critical Patch Update https://www.oracle.com/security-alerts/cpuoct2023.html
Citrix Vulnerability Exploited CVE-2023-4966 https://www.mandiant.com/resources/blog/remediation-netscaler-adc-gateway-cve-2023-4966
Exposed Jupyter Notebooks Exploited https://www.cadosecurity.com/qubitstrike-an-emerging-malware-campaign-targeting-jupyter-notebooks/
keywords: jupyter; citrix; oracle; cpu; hex

Network Security News Summary for Wednesday October 18th, 2023
SMS Phishing; Fake Paper Ticket QR Codes; Synology Random; Milesight Routers Vuln
Changes to SMS Delivery and How it Affects MFA and Phishing https://isc.sans.edu/diary/Changes%20to%20SMS%20Delivery%20and%20How%20it%20Effects%20MFA%20and%20Phishing/30320
Fake Traffic Tickets with QR Code https://twitter.com/polizeiberlin/status/1713867011837567411
Synology NAS DSM Account Takeover: Not Random Random Numbers https://claroty.com/team82/research/synology-nas-dsm-account-takeover-when-random-is-not-secure
Milesight Routers CVE-2023-43261 https://github.com/win3zz/CVE-2023-43261
keywords: milesight; routers; synology; random; qr code; traffic tickets; sms; spam; smishing; qishing

Network Security News Summary for Tuesday October 17th, 2023
Phishing and Typos; Cisco IOS XE 0-Day; LEMMINGS; Samba Update
Are Typos Still Relevant As An Indicator of Phishing https://isc.sans.edu/diary/Are+typos+still+relevant+as+an+indicator+of+phishing/30316
Active Exploitation of Cisco IOS XE Software Web Management User Interface Vuln https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/
Mail traffic to cancelled domain names https://www.sidn.nl/en/nl-domain-name/mail-traffic-to-cancelled-domain-names
Samba Update https://www.samba.org/samba/history/security.html
keywords: samba; email; domains; netherlands; nl; lemmings; cisco; 0day; typos; phishing

Network Security News Summary for Monday October 16th, 2023
Odd MAC Addresses; Domains as Passwords; PoC for WebKit Vuln; AvosLocker; DarkGate
What's Normal: Odd MAC Addresses https://isc.sans.edu/forums/diary/What's%20Normal%3A%20MAC%20Addresses/30310/
Domain Name Used as Password Captured by DShield Sensor https://isc.sans.edu/forums/diary/Domain%20Name%20Used%20as%20Password%20Captured%20by%20DShield%20Sensor/30312/
PoC Exploit for CVE-2023-41993 https://github.com/po6ix/POC-for-CVE-2023-41993
AvosLocker Ransomware Details https://www.cisa.gov/sites/default/files/2023-10/aa23-284a-joint-csa-stopransomware-avoslocker-ransomware-update.pdf
DarkGate Spreading via Skype and Teams https://www.trendmicro.com/en_ph/research/23/j/darkgate-opens-organizations-for-attack-via-skype-teams.html
keywords: darkgate; avoslocker; poc; ios; ipados; mac addresses; domain names; passwords

Network Security News Summary for Friday October 13th, 2023
SeroXen RAT in NuGet; Hex IPs; Juniper Patches; Unpatched Squid Issues; @BSidesJAX
SeroXen RAT in Typosquatted NuGet Packages https://blog.phylum.io/phylum-discovers-seroxen-rat-in-typosquatted-nuget-package/
Hexadecimal IP Addresses https://asec.ahnlab.com/en/57635/
Juniper Vulnerabilities https://supportportal.juniper.net/s/global-search/%40uri?language=en_US#sort=%40sfcec_community_publish_date_formula__c%20descending&numberOfResults=50&f:ctype=[Security%20Advisories]
Unpatched Squid Vulnerabilities https://joshua.hu/squid-security-audit-35-0days-45-exploits
BSides Jacksonville https://bsidesjax.org
keywords: bsides; jacksonville; squid; juniper; hexadecimal; shellbot; seroxen; rat; nuget

Network Security News Summary for Thursday October 12th, 2023
Atlassian Exploited; curl Vuln; Acrobat Exploited; Google Passkey Advances; VBScript Deprecated
CVE-2023-22515 Actively Exploited https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html
curl SOCKS5 Oversized Hostname Vulnerability CVE-2023-38545 https://isc.sans.edu/diary/CVE-2023-38545%3A%20curl%20SOCKS5%20oversized%20hostname%20vulnerability.%20How%20bad%20is%20it%3F/30304
Adobe Acrobat Vulnerability Actively Exploited CVE-2023-21608 https://www.cisa.gov/news-events/alerts/2023/10/10/cisa-adds-five-known-vulnerabilities-catalog
Google Makes Passkeys the Default https://blog.google/technology/safety-security/passkeys-default-google-accounts/
VBScript Deprecated from Windows https://learn.microsoft.com/en-us/windows/whats-new/deprecated-features
keywords: atlassian; curl; vbscript; adobe; acrobat

Network Security News Summary for Wednesday October 11th, 2023
Rapid Reset; Microsoft Patch Tuesday
HTTP/2 Rapid Reset https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
Microsoft Patch Tuesday https://isc.sans.edu/diary/October%202023%20Microsoft%20Patch%20Tuesday%20Summary/30300
keywords: microsoft; patch; tuesday; http2; rapid reset

Network Security News Summary for Tuesday October 10th, 2023
ZIP DOSTIME and DOSDATE; Updated Magecart Trick; Sophos Exim Flaw; WatchGuard "Feature"
ZIP's DOSTIME and DOSDATE Formats https://isc.sans.edu/diary/ZIP%27s%20DOSTIME%20%26%20DOSDATE%20Formats/30296
New Magecart Campaign Abusing 404 Pages https://www.akamai.com/blog/security-research/magecart-new-technique-404-pages-skimmer
Sophos Affected by Exim Flaw https://www.sophos.com/en-us/security-advisories/sophos-sa-20231005-exim-vuln
Turn OFF This WatchGuard Feature: GuardLapse https://projectblack.io/blog/turn-off-this-watchguard-feature-guardlapse/
keywords: watchguard; guardlapse; sophos; exim; magecart; 404; dosdate; dostime; zip

Network Security News Summary for Monday October 9th, 2023
Binary IPv6; Wireshark Updates; GitHub Secret Scanning; Prerooted Android Devices; curl Update
Binary IPv6 Address Conversion https://isc.sans.edu/diary/Binary%20IPv6%20Addresses/30290
Wireshark Updates https://www.wireshark.org/
Improved GitHub Secret Scanning https://github.blog/2023-10-04-introducing-secret-scanning-validity-checks-for-major-cloud-services/
Prerooted Android Devices https://arstechnica.com/security/2023/10/thousands-of-android-devices-come-with-unkillable-backdoor-preinstalled/
curl Update https://github.com/curl/curl/discussions/12026
keywords: curl; android; github; secrets; wireshark; binary; ipv6

Network Security News Summary for Friday October 6th, 2023
le-hex-to-ip; Cisco Emergency Responder; Looney Tunables PoC; Malicious Python; Supermicro BMC Vuln
New tool: le-hex-to-ip.py https://isc.sans.edu/diary/New%20tool%3A%20le-hex-to-ip.py/30284
Cisco Emergency Responder Static Credentials Vulnerability https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cer-priv-esc-B9t3hqk9
Looney Tunables PoC CVE-2023-4911 https://haxx.in/files/gnu-acme.py
Malicious Python Packages https://checkmarx.com/blog/the-evolutionary-tale-of-a-persistent-python-threat/
Supermicro BMC Vulnerability https://binarly.io/posts/Binarly_REsearch_Uncovers_Major_Vulnerabilities_in_Supermicro_BMCs/index.html
keywords: supermicro; bmc; python; looney; tunables; cve; poc; cisco; 911

Network Security News Summary for Thursday October 5th, 2023
Normal Connections; Apple Patches; Looney Tunables; Atlassian Confluence 0-day
Normal Connections https://isc.sans.edu/diary/Whats+Normal+Connection+Sizes/30278/
Apple Patches https://isc.sans.edu/diary/Apple%20fixes%20vulnerabilities%20in%20iOS%20and%20iPadOS./30280
Looney Tunables Linux Privilege Escalation https://blog.qualys.com/vulnerabilities-threat-research/2023/10/03/cve-2023-4911-looney-tunables-local-privilege-escalation-in-the-glibcs-ld-so
Atlassian Confluence Server Vulnerability https://jira.atlassian.com/browse/CONFSERVER-92475
keywords: atlassian; confluence; 0-day; looney tunables; linux; qualys; apple; patches; normal

Network Security News Summary for Wednesday October 4th, 2023
LLMs for IR; PyTorch Vuln; Bing Reads Captchas; EvilProxy and Indeed
Are Local LLMs Useful in Incident Response? https://isc.sans.edu/diary/Are%20Local%20LLMs%20Useful%20in%20Incident%20Response%3F/30274
PyTorch Vulnerability https://github.com/advisories/GHSA-4mqg-h5jf-j9m7
Bing Reads Captchas https://twitter.com/literallydenis/status/1708283962399846459
EvilProxy vs. Microsoft 365 https://www.menlosecurity.com/blog/evilproxy-phishing-attack-strikes-indeed/
keywords: evilproxy; microsoft; indeed; phishing; bing; captchas; pytorch; llm

Network Security News Summary for Tuesday October 3rd, 2023
ZIP Metadata; Exim Update; ARM GPU Driver Vuln; Bing Malicious Ads; robots.txt AI Restrictions
Friendly Reminder: ZIP Metadata is Not Encrypted https://isc.sans.edu/diary/Friendly%20Reminder%3A%20ZIP%20Metadata%20is%20Not%20Encrypted/30268
Exim New Version Released https://www.exim.org/static/doc/security/CVE-2023-zdi.txt
Mali GPU Kernel Driver Allows Improper GPU Memory Processing Operations https://developer.arm.com/Arm%20Security%20Center/Mali%20GPU%20Driver%20Vulnerabilities
Bing AI Serves Malicious Ads https://www.malwarebytes.com/blog/threat-intelligence/2023/09/malicious-ad-served-inside-bing-ai-chatbot
Google Announces robots.txt AI Restrictions https://developers.google.com/search/docs/crawling-indexing/overview-google-crawlers#adsbot-mobile-web-android
keywords: arm; gpu; mali; exim; bing; google; robots.txt; malicious ads; zip; encrypted

Network Security News Summary for Monday October 2nd, 2023
MIME File Analysis; Infostealer; Netcat Backdoor; Exim Update; WS_FTP Exploit
Analyzing MIME Files: a Quick Tip https://isc.sans.edu/diary/Analyzing%20MIME%20Files%3A%20a%20Quick%20Tip/30266
Infostealers Looking for Password Files https://isc.sans.edu/diary/Are+You+Still+Storing+Passwords+In+Plain+Text+Files/30262/
Simple Netcat Backdoor https://isc.sans.edu/diary/Simple+Netcat+Backdoor+in+Python+Script/30264/
Exim Response to the ZDI Release https://exim.org/static/doc/security/CVE-2023-zdi.txt
Exploit for WS_FTP Vulnerability https://www.assetnote.io/resources/research/rce-in-progress-ws-ftp-ad-hoc-via-iis-http-modules-cve-2023-40044
keywords: ws_ftp; exploit; exim; vulnerability; mime; infostealer

Network Security News Summary for Friday September 29th, 2023
Little Endian IPv4 Addresses; Chrome 0-Day; Unpatched Exim Vuln; WS_FTP Patches
IPv4 Addresses in Little Endian Decimal Format https://isc.sans.edu/diary/IPv4%20Addresses%20in%20Little%20Endian%20Decimal%20Format/30256
Chrome Update fixes 0-day Vulnerability https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_27.html
Unpatched Exim Vulnerabilities https://www.zerodayinitiative.com/advisories/ZDI-23-1469/
WS_FTP Vulnerabilities https://community.progress.com/s/article/WS-FTP-Server-Critical-Vulnerability-September-2023
keywords: ws-ftp; exim; chrome; 0-day; ipv4

Network Security News Summary for Thursday September 28th, 2023
GPU Sidechannels; Compromised Routers; More libwebp Confusion; Fake Dependabot
GPU Sidechannel Attack https://www.hertzbleed.com/gpu.zip/GPU-zip.pdf
Router Firmware Compromised for Persistent Access https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csa-cyber-report-sept-2023 https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-270a
More libwebp Vulnerability Confusion https://www.cve.org/CVERecord?id=CVE-2023-5129 https://arstechnica.com/security/2023/09/google-quietly-corrects-previously-submitted-disclosure-for-critical-webp-0-day/
Fake Dependabot Commits https://checkmarx.com/blog/surprise-when-dependabot-contributes-malicious-code/
keywords: dependabot; libwebp; router; persistent; backdoor; sidechannel; gpu

Network Security News Summary for Wednesday September 27th, 2023
ZeroFont Phishing; Apple Updates
A new spin on the ZeroFont phishing technique https://isc.sans.edu/diary/A%20new%20spin%20on%20the%20ZeroFont%20phishing%20technique/30248
macOS Sonoma Updates https://isc.sans.edu/diary/Apple%20Releases%20MacOS%20Sonoma%20Including%20Numerous%20Security%20Patches/30252
keywords: macos; sonoma; zerofont; phishing

Network Security News Summary for Tuesday September 26th, 2023
LuaJIT Malware; npm systeminformation; TeamCity Vulnerability
LuaJIT Malware https://www.sentinelone.com/labs/sandman-apt-a-mystery-group-targeting-telcos-with-a-luajit-toolkit/
npm systeminformation Flaw https://systeminformation.io/security.html
TeamCity Authentication Bypass https://twitter.com/ptswarm/status/1706223917008834748
keywords: teamcity; jetbrains; npm; systeminformation; luajit

Network Security News Summary for Monday September 25th, 2023
Laravel Scans; Backdoored WinRAR PoC; Fake Booking.com; @BSidesJAX
Scanning for Laravel - a PHP Framework for Web Artisans https://isc.sans.edu/forums/diary/Scanning%20for%20Laravel%20-%20a%20PHP%20Framework%20for%20Web%20Artisants/30242/
Fake CVE-2023-40477 Proof of Concept Leads to VenomRAT https://unit42.paloaltonetworks.com/fake-cve-2023-40477-poc-hides-venomrat/
Unmasking a Sophisticated Phishing Campaign That Targets Hotel Guests https://www.akamai.com/blog/security-research/sophisticated-phishing-campaign-targeting-hospitality
BSides JAX October 14th https://www.bsidesjax.org/ tickets: https://www.eventbrite.com/e/bsides-jacksonville-2023-registration-566463807497?aff=oddtdtcreator
keywords: bsides; jax; phishing; hotels; booking; venomrat; winrar; laravel

Network Security News Summary for Friday September 22nd, 2023
Apple 0-Days; WebP Vuln Details; MOVEit Vuln; Win11 Improved Passkeys
Apple Patches Three 0-Days https://isc.sans.edu/diary/Apple+Patches+Three+New+0Day+Vulnerabilities+Affecting+iOSiPadOSwatchOSmacOS/30238
WebP Vulnerability https://blog.isosceles.com/the-webp-0day/
MOVEit Transfer Service Pack https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-September-2023
Improved Passkey Support in Windows 11 https://www.microsoft.com/en-us/security/blog/2023/09/21/new-microsoft-security-tools-to-protect-families-and-businesses/
keywords: moveit; windows 11; passkeys; apple; webp

Network Security News Summary for Thursday September 21st, 2023
DNS TTLs; Snatch Ransomware; npm Packages; Nagios XI Vuln
What's Normal: DNS TTL Values https://isc.sans.edu/forums/diary/What's%20Normal%3F%20DNS%20TTL%20Values/30234/
CISA Highlights Snatch Ransomware https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-263a
npm packages caught exfiltrating Kubernetes config, SSH keys https://blog.sonatype.com/npm-packages-caught-exfiltrating-kubernetes-config-ssh-keys
Nagios XI Vulnerabilities https://outpost24.com/blog/nagios-xi-vulnerabilities/
keywords: nagios; npm; kubernetes; ssh

Network Security News Summary for Wednesday September 20th, 2023
Adobe Experience Manager; Trend Micro 0-Day; SprySOCKS Backdoor; GitLab Patches
Obfuscated Scans For Older Adobe Experience Manager Vulnerabilities https://isc.sans.edu/diary/Obfuscated%20Scans%20for%20Older%20Adobe%20Experience%20Manager%20Vulnerabilities/30230
Trend Micro Apex One 0-day https://success.trendmicro.com/dcx/s/solution/000294994?language=en_US
SprySOCKS Backdoor https://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html
GitLab Patches https://about.gitlab.com/releases/2023/09/18/security-release-gitlab-16-3-4-released/
keywords: gitlab; sprysocks; backdoor; trend micro; apex one; adobe; experience; manager

Network Security News Summary for Tuesday September 19th, 2023
VPN Recon Scans; iOS Update; Juniper Exploit
Internet Wide Multi VPN Search from Single /24 Network https://isc.sans.edu/diary/Internet%20Wide%20Multi%20VPN%20Search%20From%20Single%20%2024%20Network/30226
iOS/iPadOS/tvOS/watchOS Updates https://support.apple.com/en-us/HT201222
Juniper Vuln Details/Exploit CVE-2023-36845 https://vulncheck.com/blog/juniper-cve-2023-36845
keywords: juniper; exploit; ios; apple; ipados; vpn

Network Security News Summary for Monday September 18th, 2023
MFA Issue; QNAP Patches; Keychain Passkey Access; Fortinet and vBulletin XSS
When MFA isn't actually MFA https://retool.com/blog/mfa-isnt-mfa/
QNAP Patches https://www.qnap.com/en/security-advisories?ref=security_advisory_details
Chrome able to use Apple Keychain Passkeys https://9to5google.com/2023/09/14/chrome-118-icloud-passkey/
Fortinet XSS https://fortiguard.fortinet.com/psirt/FG-IR-23-106
vBulletin XSS https://gist.github.com/GiongfNef/8fe658dce4c7fcf3a7b4e6387e50141c
keywords: vbulletin; fortinet; xss; chrome; passkeys; keychain; qnap; mfa

Network Security News Summary for Friday September 15th, 2023
qemu rPi Emulation; ncurses Vuln; Windows Themes PoC; 3AM Ransomware
DShield and qemu Sitting in a Tree: L-O-G-G-I-N-G https://isc.sans.edu/diary/DShield%20and%20qemu%20Sitting%20in%20a%20Tree%3A%20L-O-G-G-I-N-G/30216
Uncursing the ncurses memory corruption vulnerabilities https://www.microsoft.com/en-us/security/blog/2023/09/14/uncursing-the-ncurses-memory-corruption-vulnerabilities-found-in-library/
Arbitrary code execution via Windows Themes (CVE-2023-38146) https://exploits.forsale/themebleed/
3AM Ransomware used if LockBit Fails https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/3am-ransomware-lockbit
keywords: dshield; qemu; raspberry pi; ncurses; windows themes; lockbit; 3am

Network Security News Summary for Thursday September 14th, 2023
Backdoored Free Download Manager; Foxit PDF Reader Update; macOS MetaStealer; Blocking NTLM Hashes
Backdoored Free Download Manager https://securelist.com/backdoored-free-download-manager-linux-malware/110465/
Foxit PDF Reader Updates https://www.foxit.com/support/security-bulletins.html
macOS MetaStealer: New Family of Obfuscated Go Infostealers https://www.sentinelone.com/blog/macos-metastealer-new-family-of-obfuscated-go-infostealers-spread-in-targeted-attacks/
Windows 11 to Support Blocking SMB NTLM Hashes https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb-ntlm-blocking-now-supported-in-windows-insider/ba-p/3916206
keywords: macos; metastealer; windows 11; smb; ntlm; free download manager; foxit

Network Security News Summary for Wednesday September 13th, 2023
Microsoft Patch Tuesday; OpenSSL 1.1.1 EoL; Adobe Patches
Microsoft Patch Tuesday https://isc.sans.edu/diary/Microsoft%20September%202023%20Patch%20Tuesday/30214
OpenSSL 1.1.1 End of Life https://www.openssl.org/blog/blog/2023/09/11/eol-111/
Adobe Updates https://helpx.adobe.com/security/security-bulletin.html
keywords: adobe; openssl; microsoft; patch; tuesday

Network Security News Summary for Tuesday September 12th, 2023
More Apple Patches; Wiki-Eve Attack; Google Looker Studio Phish; HPE OneView Vuln
Apple Patches Older Operating Systems https://isc.sans.edu/diary/Apple%20fixes%200-Day%20Vulnerability%20in%20Older%20Operating%20Systems/30210
Wi-Fi Enabled Practical Keystroke Eavesdropping https://arxiv.org/pdf/2309.03492.pdf
Phishing via Google Looker Studio https://blog.checkpoint.com/security/phishing-via-google-looker-studio
HPE OneView Authentication Bypass https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbgn04530en_us
keywords: apple; patches; ios; macos; wifi; keystroke logging; phishing; google; looker; hpe; oneview

Network Security News Summary for Monday September 11th, 2023
Honeypot Data and PowerShell; Apple 0-Day Details; Cisco 0-Day Exploited; Odd Password Solution
Augmenting Honeypot Logs https://isc.sans.edu/diary/%3FAnyone%20get%20the%20ASN%20of%20the%20Truck%20that%20Hit%20Me%3F!%3F%3A%20Creating%20a%20PowerShell%20Function%20to%20Make%203rd%20Party%20API%20Calls%20for%20Extending%20Honeypot%20Information%20%5BGuest%20Diary%5D/30204
More details about Apple 0-day https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild/
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote Access VPN Unauthorized Access Vulnerability https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ravpn-auth-8LyfCkeC#fs
Odd Password Solution https://notpickard.com/@rdp/111009868239846779
keywords: password; cisco; taiwan; keyboard; honeypot; logs; augmentation

Network Security News Summary for Friday September 8th, 2023
Apple Patches 0-Days; iOS Scareware; Aruba and TP-Link Patches
Apple Patches 0-Days https://isc.sans.edu/diary/30200 https://support.apple.com/en-us/HT201222
iOS Fleeceware/Scareware https://isc.sans.edu/diary/Fleezeware%20Scareware%20Advertised%20via%20Facebook%20Tags%3B%20Available%20in%20Apple%20App%20Store/30198
Aruba Vulnerabilities https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-014.txt
TP-Link Vulnerabilities https://jvn.jp/en/vu/JVNVU99392903/
keywords: tplink; aruba; ios; fleeceware; scareware; apple; 0-day

Network Security News Summary for Thursday September 7th, 2023
DNS Security; MSFT Key Loss Details; Android Updates; Chrome Updates; Atlas VPN Vuln
Security Relevant DNS Records https://isc.sans.edu/diary/Security%20Relevant%20DNS%20Records/30194
Microsoft Reveals Details about Key Loss https://msrc.microsoft.com/blog/2023/09/results-of-major-technical-investigations-for-storm-0558-key-acquisition/
September Android Updates https://source.android.com/docs/security/bulletin/2023-09-01
Google Chrome Update https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop.html
Atlas VPN Tunnel Termination Vulnerability https://www.reddit.com/r/cybersecurity/comments/167f16e/atlasvpn_linux_client_103_remote_disconnect/
keywords: atlas; vpn; google; chrome; android; microsoft; key loss; dns

Network Security News Summary for Wednesday September 6th, 2023
Honeypot Usernames; TPM LUKS Bypass; Social Engineering Helpdesks for MFA Bypass
Common Usernames Submitted to Honeypots https://isc.sans.edu/diary/Common%20usernames%20submitted%20to%20honeypots/30188
TPM LUKS Bypass https://pulsesecurity.co.nz/advisories/tpm-luks-bypass
Cross Tenant Impersonation Prevention and Detection https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
keywords: 2fa; impersonation; social engineering; luks; tpm; usernames

Network Security News Summary for Tuesday September 5th, 2023
Password Origins; YARA Rules for Obfuscated Strings; VMware Aria Keys; Windows TLS 1.0/1.1
What is the Origin of Passwords Submitted to Honeypots https://isc.sans.edu/diary/What%20is%20the%20origin%20of%20passwords%20submitted%20to%20honeypots%3F/30182
Creating a YARA Rule to Detect Obfuscated Strings https://isc.sans.edu/diary/Creating%20a%20YARA%20Rule%20to%20Detect%20Obfuscated%20Strings/30186
VMware Aria Operations for Networks Hardcoded Keys CVE-2023-34039 https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-34039/ https://github.com/sinsinology/CVE-2023-34039/
Windows will Disable TLS 1.0/1.1 https://learn.microsoft.com/en-us/windows/release-health/windows-message-center
keywords: windows; tls; vmware; aria; ssh; keys; yara; passwords; origins

Network Security News Summary for Thursday August 31st, 2023
Hurricane Prep; Notepad++ Vulns; 7-Zip Vuln; BGP Error Handling
Home Office/Small Business Hurricane Prep https://isc.sans.edu/diary/Home%20Office%20%20%20Small%20Business%20Hurricane%20Prep/30166
Notepad++ Vulnerabilities https://securitylab.github.com/advisories/GHSL-2023-092_Notepad__/
7-Zip Vulnerability https://www.zerodayinitiative.com/advisories/ZDI-23-1164/
BGP Error Handling Issues https://blog.benjojo.co.uk/post/bgp-path-attributes-grave-error-handling
keywords: bgp; 7zip; notepad++; hurricane