
SANS Internet Storm Center's Daily Network Security News Podcast

Network Security News Summary for Thursday August 31st, 2023
Hurricane Prep; Notepad++ Vulns; 7zip Vuln; BGP Error Handling
Home Office/Small Business Hurricane Prep https://isc.sans.edu/diary/Home%20Office%20%20%20Small%20Business%20Hurricane%20Prep/30166
Notepad++ Vulnerabilities https://securitylab.github.com/advisories/GHSL-2023-092_Notepad__/
7-Zip Vulnerability https://www.zerodayinitiative.com/advisories/ZDI-23-1164/
BGP Error Handling Issues https://blog.benjojo.co.uk/post/bgp-path-attributes-grave-error-handling
keywords: bgp; 7zip; notepad++; hurricane

Network Security News Summary for Wednesday August 30th, 2023
Website Survival Time; ActiveMime Maldocs; RocketMQ Exploited; ManageEngine Vuln
Survival Time for Web Sites https://isc.sans.edu/diary/Survival%20time%20for%20web%20sites/30170
PDF/ActiveMime Polyglot Maldocs https://blogs.jpcert.or.jp/en/2023/08/maldocinpdf.html https://blog.didierstevens.com/2023/08/29/quickpost-pdf-activemime-maldocs-yara-rule/
RocketMQ Vulnerability Exploited https://blogs.juniper.net/en-us/threat-research/dreambus-botnet-resurfaces-targets-rocketmq-vulnerability
ManageEngine Vulnerability https://www.manageengine.com/security/advisory/CVE/CVE-2023-35785.html
keywords: manageengine; zoho; vulnerability; rocketmq; exploit; pdf; activemime; polyglot; survival time; websites; certificate transparency
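The two PDF/ActiveMime links above cover the same maldoc class: one file that Acrobat opens as a PDF and Word opens as an MHT web archive, with the macro-carrying ActiveMime (editdata.mso) blob embedded base64-encoded inside the MHT part. The scanner below is an added example written for this page, not JPCERT's analysis code and not Didier Stevens' YARA rule; it shows what such a rule has to combine. Assumptions are labelled in the code: the marker strings, the rule that the PDF header sits within the first 1 KiB (Acrobat tolerates leading junk), and the sample file, which is constructed here rather than taken from a real campaign. The base64 handling mirrors what YARA's `base64` string modifier does: one variant of the magic per byte alignment, trimmed so it matches wherever the blob starts.

```python
"""Added example: heuristic scanner for PDF/ActiveMime polyglot documents."""
import base64
from typing import Dict, List

PDF_MAGIC = b"%PDF-"
# Assumed MIME headers Word expects in an MHT web archive (two of three must appear).
MHT_MARKERS = (b"MIME-Version:", b"multipart/related", b"Content-Transfer-Encoding: base64")
ACTIVEMIME = b"ActiveMime"   # magic at the start of an editdata.mso blob


def base64_variants(token: bytes) -> List[bytes]:
    """Return the three base64 encodings of `token`, one per byte alignment.
    Characters that also depend on neighbouring bytes are trimmed off, so each
    variant matches no matter what precedes or follows the token in the stream."""
    variants = []
    for shift in range(3):
        encoded = base64.b64encode(b"\x00" * shift + token)
        first = -(-8 * shift // 6)                     # first char fully inside the token
        last = (8 * (shift + len(token)) - 6) // 6      # last char fully inside the token
        variants.append(encoded[first:last + 1])
    return variants


ACTIVEMIME_B64 = base64_variants(ACTIVEMIME)


def scan_pdf_activemime(data: bytes) -> Dict[str, bool]:
    """Collect the three signals; `polyglot` is True only when all are present."""
    evidence = {
        "pdf_header": PDF_MAGIC in data[:1024],           # assumption: header near the top
        "mht_headers": sum(m in data for m in MHT_MARKERS) >= 2,
        "activemime_b64": any(v in data for v in ACTIVEMIME_B64),
    }
    evidence["polyglot"] = all(evidence.values())
    return evidence


def mso_blob(prefix: bytes = b"") -> bytes:
    """Constructed stand-in for a base64-encoded editdata.mso blob; `prefix`
    shifts the byte alignment so every base64 variant gets exercised."""
    return base64.b64encode(prefix + ACTIVEMIME + b"\x00\x01" + b"\x00" * 24)


# Constructed samples (not real malware): a minimal PDF, and the same PDF with
# an MHT part appended the way the polyglot maldocs carry it.
BENIGN_PDF = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
              b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
POLYGLOT_SAMPLE = (
    BENIGN_PDF
    + b"\r\nMIME-Version: 1.0\r\n"
    + b"Content-Type: multipart/related; boundary=\"----=_NextPart_01\"\r\n\r\n"
    + b"------=_NextPart_01\r\nContent-Location: file:///C:/editdata.mso\r\n"
    + b"Content-Transfer-Encoding: base64\r\n\r\n" + mso_blob() + b"\r\n"
)

if __name__ == "__main__":
    for name, sample in (("benign.pdf", BENIGN_PDF), ("polyglot.pdf", POLYGLOT_SAMPLE)):
        print(name, scan_pdf_activemime(sample))
```

Running the module prints the evidence dictionary for both constructed files; the benign PDF lacks the MHT headers and the ActiveMime magic, so only the polyglot is flagged. The same three checks translate directly into a YARA rule (`$pdf at 0`, the MIME header strings, and `"ActiveMime" base64`).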

Network Security News Summary for Tuesday August 29th, 2023
WinRAR Exploit Analysis; Juniper PoC; Exchange EP Default; Rust Malware
Analysis of RAR Exploit Files (CVE-2023-38831) https://isc.sans.edu/diary/Analysis+of+RAR+Exploit+Files+CVE202338831/30164
Juniper Exploit CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, CVE-2023-36847 https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/
Microsoft Will Enable Extended Protection for Exchange Server by Default https://techcommunity.microsoft.com/t5/exchange-team-blog/coming-soon-enabling-extended-protection-on-exchange-server-by/ba-p/3911849
Rust Malware Staged on Crates.io https://blog.phylum.io/rust-malware-staged-on-crates-io/
keywords: rar; winrar; exploit; juniper; poc; exchange; ep; cu; rust; malware

Network Security News Summary for Monday August 28th, 2023
Postgresql C2; macOS Network Connections; Fake/Bad CVEs; Windows Cert Confusion; Bad NPM Package
Python Malware Using Postgresql for C2 Communications https://isc.sans.edu/diary/Python%20Malware%20Using%20Postgresql%20for%20C2%20Communications/30158
macOS: Who is Behind This Network Connection? https://isc.sans.edu/diary/macOS%3A%20Who%3Fs%20Behind%20This%20Network%20Connection%3F/30160
CVE-2020-19909 Is Everything that is Wrong with CVEs https://daniel.haxx.se/blog/2023/08/26/cve-2020-19909-is-everything-that-is-wrong-with-cves/
Windows Certificate Confusion https://arstechnica.com/security/2023/08/a-renegade-certificate-is-removed-from-windows-then-it-returns-confusion-ensues/
NPM E-Mail Validator Package Malware https://blog.phylum.io/npm-emails-validator-package-malware/
keywords: npm; windows; certificate; cve-2020-19909; curl; macos; python; postgresql

Network Security News Summary for Friday August 25th, 2023
Keyboard Walk; Barracuda ESG Warning; Ivanti Sentry Update; Smoke Loader Geolocation
How I made a "QWERTY" Keyboard Walk Password Generator with ChatGPT https://isc.sans.edu/diary/How%20I%20made%20a%20qwerty%20%3Fkeyboard%20walk%3F%20password%20generator%20with%20ChatGPT%20%20%5BGuest%20Diary%5D/30152
FBI Warns of Persistent Barracuda Backdoors https://www.ic3.gov/Media/News/2023/230823.pdf
Ivanti Sentry Authentication Bypass Deep Dive CVE-2023-38035 https://www.horizon3.ai/ivanti-sentry-authentication-bypass-cve-2023-38035-deep-dive/
Smoke Loader Drops Whiffy Recon WiFi Scanning and Geolocation Malware https://www.secureworks.com/blog/smoke-loader-drops-whiffy-recon-wi-fi-scanning-and-geolocation-malware
keywords: smoke loader; whiffy; recon; wifi; ivanti; sentry; fbi; barracuda; qwerty; sans.edu
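The guest diary above is about generating "keyboard walk" passwords (qwerty, 1qaz, zxcvbn: a finger sliding across adjacent keys), which users treat as random and password auditors enumerate precisely because they are not. The generator below is an added example written for this page, not the diary's ChatGPT-produced code. It assumes a simplified US QWERTY layout with rows aligned by column index (the physical keyboard is staggered, but index alignment still reproduces the classic horizontal and vertical walks), no shifted symbols, and unit steps in four directions unless `diagonal=True`. It also includes the reverse check a password-audit script needs: deciding whether a given candidate is a walk.

```python
"""Added example: QWERTY keyboard-walk password generator and checker."""
from typing import Dict, Iterator, List, Tuple

# Assumed simplified US QWERTY grid: columns aligned by index, letters and digits only.
QWERTY_ROWS: List[str] = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

ORTHOGONAL = [(0, 1), (0, -1), (1, 0), (-1, 0)]
DIAGONAL = ORTHOGONAL + [(1, 1), (1, -1), (-1, 1), (-1, -1)]


def key_positions(rows: List[str] = QWERTY_ROWS) -> Dict[str, Tuple[int, int]]:
    """Map each key to its (row, column) on the grid."""
    return {key: (r, c) for r, row in enumerate(rows) for c, key in enumerate(row)}


def keyboard_walks(length: int, diagonal: bool = False,
                   rows: List[str] = QWERTY_ROWS) -> Iterator[str]:
    """Yield every walk of `length` keys. Each step moves to an adjacent key and
    never immediately returns to the previous key ("qwq" is not a walk)."""
    if length < 1:
        return
    pos = key_positions(rows)
    at = {rc: key for key, rc in pos.items()}          # (row, col) -> key
    steps = DIAGONAL if diagonal else ORTHOGONAL

    def extend(walk: str) -> Iterator[str]:
        if len(walk) == length:
            yield walk
            return
        r, c = pos[walk[-1]]
        for dr, dc in steps:
            nxt = at.get((r + dr, c + dc))
            if nxt is None or (len(walk) > 1 and nxt == walk[-2]):
                continue                                  # off the grid, or doubling back
            yield from extend(walk + nxt)

    for start in pos:
        yield from extend(start)


def is_keyboard_walk(candidate: str, diagonal: bool = False,
                     rows: List[str] = QWERTY_ROWS) -> bool:
    """True when every consecutive pair of keys is adjacent on the grid and the
    path never doubles straight back. Case-insensitive; an empty string or any
    character outside the layout (space, shifted symbol) disqualifies it."""
    pos = key_positions(rows)
    keys = candidate.lower()
    if not keys or any(k not in pos for k in keys):
        return False
    steps = set(DIAGONAL if diagonal else ORTHOGONAL)
    for i in range(1, len(keys)):
        (r0, c0), (r1, c1) = pos[keys[i - 1]], pos[keys[i]]
        if (r1 - r0, c1 - c0) not in steps:
            return False
        if i >= 2 and keys[i] == keys[i - 2]:
            return False
    return True


if __name__ == "__main__":
    # Emit a wordlist of 6-key walks, one per line, ready to feed to a cracker.
    for walk in keyboard_walks(6):
        print(walk)
```

Compound patterns such as 1qaz2wsx are two walks joined end to end and are rejected by `is_keyboard_walk`; a cracker's concatenation rule over the generated wordlist covers those, and diagonal steps are worth enabling for a second pass since users slide along the keyboard's real stagger.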

Network Security News Summary for Thursday August 24th, 2023
XLAM Files; WinRAR 0-Day (new!); Aruba Vulnerabilities
More Exotic Excel Files Dropping AgentTesla https://isc.sans.edu/diary/More%20Exotic%20Excel%20Files%20Dropping%20AgentTesla/30150
CVE-2023-38831 WinRAR Vulnerability Exploited https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
Aruba Vulnerabilities https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-012.txt
keywords: aruba; winrar; xlam

Network Security News Summary for Wednesday August 23rd, 2023
Fernet Encryption; inotify Triage; ColdFusion Exploit; Openfire Exploit; New XLoader
Fernet Encryption in Malware https://isc.sans.edu/forums/diary/Have%20You%20Ever%20Heard%20of%20the%20Fernet%20Encryption%20Algorithm%3F/30146/
Malware Triage With Inotify Tools https://isc.sans.edu/diary/Quick+Malware+Triage+With+Inotify+Tools/30142/
Adobe ColdFusion Exploited https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Openfire Admin Console Vulnerability Exploited https://vulncheck.com/blog/openfire-cve-2023-32315
XLoader Mac Malware Updates https://www.sentinelone.com/blog/xloaders-latest-trick-new-macos-variant-disguised-as-signed-officenote-app/
keywords: xloader; mac; openfire; adobe; coldfusion; malware; inotify; triage; fernet

Network Security News Summary for Tuesday August 22nd, 2023
SystemBC Scans; Exchange SU Re-release; Ivanti Exploit; DUO Outage; mTLS Vulnerabilities
SystemBC Scans and ProxyNation https://isc.sans.edu/diary/SystemBC%20Malware%20Activity%20/30138 https://cybersecurity.att.com/blogs/labs-research/proxynation-the-dark-nexus-between-proxy-apps-and-malware
Exchange Server Security Update Re-Release https://techcommunity.microsoft.com/t5/exchange-team-blog/re-release-of-august-2023-exchange-server-security-update/ba-p/3900025
Ivanti Sentry Vulnerability Exploited https://forums.ivanti.com/s/article/CVE-2023-38035-API-Authentication-Bypass-on-Sentry-Administrator-Interface?language=en_US
DUO Security Outage https://status.duo.com/incidents/rw7g0q7ztj8f
mTLS Vulnerabilities https://github.blog/2023-08-17-mtls-when-certificate-authentication-is-done-wrong/
keywords: mtls; duo; ivanti; sentry; exchange; rerelease; update; systembc; proxy

Network Security News Summary for Monday August 21st, 2023
Zalando Phish/RAT; WinRAR Code Exec; Hotmail SPF Fail; Ivacy VPN Cert Abused; Chrome Extension Warning
From a Zalando Phish to a RAT https://isc.sans.edu/diary/From%20a%20Zalando%20Phishing%20to%20a%20RAT/30136
RARLAB WinRAR Recovery Volume Vulnerability https://www.zerodayinitiative.com/advisories/ZDI-23-1152/
Hotmail SPF Record Error Leads to Spam False Positives https://www.bleepingcomputer.com/news/microsoft/hotmail-email-delivery-fails-after-microsoft-misconfigures-dns/
Chinese Entanglement | DLL Hijacking in the Asian Gambling Sector https://www.sentinelone.com/labs/chinese-entanglement-dll-hijacking-in-the-asian-gambling-sector/
Google Chrome to Warn Users of Malicious Extensions https://betanews.com/2023/08/17/google-chrome-to-warn-users-about-problematic-extensions/
keywords: chrome; extensions; warning; vpn; cert; winrar; zalando; phishing; spf; hotmail

Network Security News Summary for Friday August 18th, 2023
Whitespaces; Fake Airplane Mode; LinkedIn Attacks; Robot Vacuum Privacy
Command Line Parsing - Are These Really Unique Strings? https://isc.sans.edu/diary/Command%20Line%20Parsing%20-%20Are%20These%20Really%20Unique%20Strings%3F/30126
iOS 16 Fake Airplane Mode https://www.jamf.com/blog/fake-airplane-mode-a-mobile-tampering-technique-to-maintain-connectivity/
LinkedIn Attacks https://cyberint.com/blog/research/linkedin-accounts-under-attack-how-to-protect-yourself/
Robot Vacuum Privacy Issues https://dontvacuum.me/talks/DEFCON31/DEFCON31-vacuum-robots-final.pdf https://dontvacuum.me/
keywords: robots; vacuum; privacy; linkedin; ios; airplane mode; whitespaces

Network Security News Summary for Thursday August 17th, 2023
PowerShell Gallery Malware; Windows Time Issues; Malicious QR Codes; Citrix Scanner
PowerShell Gallery Prone to Typosquatting, Other Supply Chain Attacks https://www.darkreading.com/application-security/powershell-gallery-prone-to-typosquatting-other-supply-chain-attacks
Windows Random Time Issues https://arstechnica.com/security/2023/08/windows-feature-that-resets-system-clocks-based-on-random-data-is-wreaking-havoc/
Energy Company Targeted in QR Code Campaign https://cofense.com/blog/major-energy-company-targeted-in-large-qr-code-campaign/
New Citrix Scanner from Mandiant https://www.mandiant.com/resources/blog/citrix-adc-vulnerability-ioc-scanner
keywords: citrix; energy; qr; time; windows; powershell; gallery

Network Security News Summary for Wednesday August 16th, 2023
macOS Background Task Manager; Ivanti Avalanche Vuln; Synology Cloud Access Vuln; Fake Beta Crypto Apps
macOS Background Task Manager Bypass https://www.wired.com/story/apple-mac-background-task-management-flaw/
Ivanti Avalanche Vulnerability https://www.tenable.com/security/research/tra-2023-27
Exploiting Synology NAS Cloud Connectivity https://claroty.com/team82/research/a-pain-in-the-nas-exploiting-cloud-connectivity-to-pwn-your-nas-synology-ds920-edition
Fake Crypto Currency Apps Offered as "Beta" Versions https://www.ic3.gov/Media/Y2023/PSA230814
keywords: fbi; crypto; apps; beta; synology; nas; cloud; ivanti; avalanche; macos; background task manager

Network Security News Summary for Tuesday August 15th, 2023
PDFiD False Positives; CVE-2023-32019 Fix Update; CyberPower/Dataprobe Vulns; Ford Vuln
PDFiD False Positives Revisited https://isc.sans.edu/diary/PDFiD%3A%20False%20Positives%20Revisited/30122
CVE-2023-32019 Fix Enabled by Default https://support.microsoft.com/en-us/topic/kb5028407-how-to-manage-the-vulnerability-associated-with-cve-2023-32019-bd6ed35f-48b1-41f6-bd19-d2d97270f080
CyberPower and Dataprobe Vulnerabilities https://www.trellix.com/en-us/about/newsroom/stories/research/the-threat-lurking-in-data-centers.html
Ford WiFi Driver Vulnerability https://www.ti.com/lit/er/swra773/swra773.pdf?ts=1691717352391&ref_url=https%253A%252F%252Fmedia.ford.com%252F
keywords: ford; wifi; cyberpower; dataprobe; cve-2023-32019; microsoft; pdfid

Network Security News Summary for Monday August 14th, 2023
Python Anti-Debugging; Zoom Zero Touch Vuln; DNS Spoofing
Show Me All Your Windows https://isc.sans.edu/diary/Show%20me%20All%20Your%20Windows!/30116
Zero Touch Pwn https://blog.syss.com/posts/zero-touch-pwn/
Maginot DNS Spoofing Attack https://www.usenix.org/conference/usenixsecurity23/presentation/li-xiang
keywords: windows; python; anti-debugging; zero touch; zoom; dns; spoofing

Network Security News Summary for Friday August 11th, 2023
SQL Auth Weakness; Windows Defender Pretender; Dell Compellent Static Key; Sogou Keyboard Vuln
Some things never change, such as SQL Authentication "Encryption" https://isc.sans.edu/diary/Some%20things%20never%20change%20%3F%20such%20as%20SQL%20Authentication%20%3Fencryption%3F/30112
Defender Pretender: When Windows Defender Updates Become a Security Risk https://www.blackhat.com/us-23/briefings/schedule/#defender-pretender-when-windows-defender-updates-become-a-security-risk-32706
Dell Compellent Hardcoded Key https://www.dell.com/support/kbdoc/en-us/000216615/dsa-2023-282-security-update-for-dell-storage-integration-tools-for-vmware-dsitv-vulnerabilities
Vulnerabilities in Sogou Keyboard https://citizenlab.ca/2023/08/vulnerabilities-in-sogou-keyboard-encryption/
keywords: sogou; keyboard; dell; compellent; hardcoded; defender; pretender; sql; sql server

Network Security News Summary for Thursday August 10th, 2023
TunnelCrack VPN Vuln; Mozilla VPN Issue; Exchange Patch Trouble; VSCode Secrets; Chrome Weekly Updates
TunnelCrack VPN Vulnerability https://papers.mathyvanhoef.com/usenix2023-tunnelcrack.pdf
Mozilla VPN Vulnerability https://www.openwall.com/lists/oss-security/2023/08/03/1
Non-English Exchange Server Patch Issues https://techcommunity.microsoft.com/t5/exchange-team-blog/released-august-2023-exchange-server-security-updates/bc-p/3894481/highlight/true
VSCode Token Security https://cycode.com/blog/exposing-vscode-secrets/
Weekly Updates for Google Chrome https://security.googleblog.com/2023/08/an-update-on-chrome-security-updates.html
keywords: google; chrome; updates; vscode; token; security; exchange; patch; problems; vpn; mozilla; tunnelcrack

Network Security News Summary for Wednesday August 9th, 2023
Microsoft Patch Tuesday; Adobe Updates
Microsoft Patch Tuesday https://isc.sans.edu/diary/Microsoft%20August%202023%20Patch%20Tuesday/30106
Adobe Updates https://helpx.adobe.com/security/security-bulletin.html
keywords: adobe; adobe commerce; reader; acrobat; microsoft; patch tuesday

Network Security News Summary for Tuesday August 8th, 2023
Research Scan IPs; OpenBullet Malware; Cloudflare Tunnel Abuse
Update: Researchers Scanning the Internet https://isc.sans.edu/diary/Update%3A%20Researchers%20scanning%20the%20Internet/30102
Malicious OpenBullet Configuration Files https://www.kasada.io/threat-intel-openbullet-malware/
Abusing Cloudflare Tunnels https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
keywords: cloudflare; cloudflared; openbullet; internet; scanning; research

Network Security News Summary for Monday August 7th, 2023
Leaked Credentials; PaperCut RCE Vuln; MSFT Fixes Power Platform Bug; Token Theft Playbook
Are Leaked Credential Dumps Used by Attackers? https://isc.sans.edu/diary/Are%20Leaked%20Credentials%20Dumps%20Used%20by%20Attackers%3F/30098
New PaperCut RCE Vulnerability https://www.horizon3.ai/cve-2023-39143-papercut-path-traversal-file-upload-rce-vulnerability/
Microsoft Mitigates Power Platform Custom Code Information Disclosure Vulnerability https://msrc.microsoft.com/blog/2023/08/microsoft-mitigates-power-platform-custom-code-information-disclosure-vulnerability/
Microsoft Publishes Token Theft Playbook https://learn.microsoft.com/en-us/security/operations/token-theft-playbook
keywords: microsoft; cloud; azure; playbook; tokens; power platform; papercut; rce; credential dump

Network Security News Summary for Friday August 4th, 2023
From LNK to BAT; MSFT Teams Scams; MSFT Office LOLBAS; Android App Versioning; Aruba; Mitel
From small LNK to large malicious BAT file with zero VT score https://isc.sans.edu/diary/From%20small%20LNK%20to%20large%20malicious%20BAT%20file%20with%20zero%20VT%20score/30094
Social Engineering via Microsoft Teams https://www.microsoft.com/en-us/security/blog/2023/08/02/midnight-blizzard-conducts-targeted-social-engineering-over-microsoft-teams/
Automating the Search for LOLBAS https://pentera.io/resources/whitepapers/the-lolbas-odyssey-finding-new-lolbas-and-how-you-can-too/
Sneaky Versioning Used to Bypass Scanners https://thehackernews.com/2023/08/malicious-apps-use-sneaky-versioning.html
Aruba Patches https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-010.txt
Mitel Patches https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-23-0008
keywords: versioning; android; google play store; aruba; mitel; lolbas; teams; lnk; bat

Network Security News Summary for Thursday August 3rd, 2023
Zeek on Windows; More Ivanti Vulns; Salesforce Phishing; AWS SSM Agent Abuse
Zeek and Defender Endpoint https://isc.sans.edu/diary/Zeek%20and%20Defender%20Endpoint/30088
New Ivanti MobileIron Core Vulnerability https://forums.ivanti.com/s/article/CVE-2023-35082-Remote-Unauthenticated-API-Access-Vulnerability-in-MobileIron-Core-11-2-and-older?language=en_US
Salesforce Phishing https://labs.guard.io/phishforce-vulnerability-uncovered-in-salesforces-email-services-exploited-for-phishing-32024ad4b5fa
Abusing the Amazon Web Services SSM Agent as a Remote Access Trojan https://www.mitiga.io/blog/abusing-the-amazon-web-services-ssm-agent-as-a-remote-access-trojan
keywords: amazon; aws; ec2; ssm; rat; salesforce; meta; phishing; ivanti; mobileiron; zeek; defender; endpoint

Network Security News Summary for Wednesday August 2nd, 2023
DNS over HTTPS; Airgap Bridging Malware; Google Inactive Accounts; Google AMP Phishing
DNS Over HTTPS Summary https://isc.sans.edu/diary/Summary%20of%20DNS%20over%20HTTPS%20requests%20against%20our%20honeypots./30084
Malware Infects Airgapped Networks https://usa.kaspersky.com/about/press-releases/2023_kaspersky-uncovers-malware-for-targeted-data-exfiltration-from-air-gapped-environments
Google Deleting Inactive Accounts https://support.google.com/accounts/answer/12418290?visit_id=638264210155158507-1346504535&p=inactive_account_policy_blog&rd=1
Google AMP Service Used for Phishing https://cofense.com/blog/google-amp-the-newest-of-evasive-phishing-tactic/
keywords: google; amp; phishing; inactive accounts; airgap; dns; https; http

Network Security News Summary for Tuesday August 1st, 2023
Ivanti Patches New 0-Day; Redis Malware; Android 0-Day Summary; Wiping Canon Printers
Ivanti Endpoint Manager Mobile 2nd Zero Day https://forums.ivanti.com/s/article/CVE-2023-35081-Arbitrary-File-Write?language=en_US
New Redis Malware Uses Unknown Initial Access Vector https://www.cadosecurity.com/redis-p2pinfect/ https://unit42.paloaltonetworks.com/peer-to-peer-worm-p2pinfect/
Google Android 0-Day Summary https://security.googleblog.com/2023/07/the-ups-and-downs-of-0-days-year-in.html
Wiping Sensitive Data from Printers https://psirt.canon/advisory-information/cp2023-003/
keywords: canon; printers; google; android; 0-day; redis; malware; replication; ivanti; manager; 0day

Network Security News Summary for Monday July 31st, 2023
iMessage Phish; IPv6 Attacks; Steganography in Python; MobileIron Exploit Released
USPS Phishing Scam Targeting iOS Users https://isc.sans.edu/forums/diary/USPS+Phishing+Scam+Targeting+iOS+Users/30078/
Do Attackers Pay More Attention to IPv6? https://isc.sans.edu/diary/Do%20Attackers%20Pay%20More%20Attention%20to%20IPv6%3F/30076
Shell Code in Images https://isc.sans.edu/diary/ShellCode%20Hidden%20with%20Steganography/30074
Ivanti MobileIron Exploit Public https://github.com/vchan-in/CVE-2023-35078-Exploit-POC/blob/main/cve_2023_35078_poc.py
keywords: ivanti; mobileiron; exploit; shell code; ipv6; usps; phishing; imessage

Network Security News Summary for Friday July 28th, 2023
OverlayFS Ubuntu Vuln; CISA Warns of IDOR; Sophos UTM Patch; Aruba Patches
Ubuntu OverlayFS Vulnerability https://www.wiz.io/blog/ubuntu-overlayfs-vulnerability
CISA Warns of Insecure Direct Object Reference Vulnerabilities https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-208a
Sophos UTM Patch https://docs.sophos.com/releasenotes/index.html?productGroupID=nsg&productID=utm&versionID=9.7
Aruba Patches https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-009.txt
keywords: aruba; sophos; cisa; idor; ubuntu; overlayfs; patches; vulnerabilities

Network Security News Summary for Thursday July 27th, 2023
Malware Blocked IPs; MLS Protocol; PySecDB; macOS Infostealer
Suspicious IP Addresses Avoided By Malware Samples https://isc.sans.edu/diary/Suspicious%20IP%20Addresses%20Avoided%20by%20Malware%20Samples/30068
Messaging Layer Security (MLS) Protocol https://datatracker.ietf.org/doc/html/rfc9420
PySecDB: Security Commit Dataset in Python https://github.com/SunLab-GMU/PySecDB
macOS Infostealer https://www.sentinelone.com/blog/apple-crimeware-massive-rust-infostealer-campaign-aiming-for-macos-sonoma-ahead-of-public-release/
keywords: malware; ips; mls; encryption; pysecdb; macos; realst; infostealer; rust; sonoma

Network Security News Summary for Wednesday July 26th, 2023
Ivanti Patch; Atlassian Patches; AMD Zen 2 Vuln; VMware Tanzu Vuln
Ivanti Patches Endpoint Manager Mobile https://forums.ivanti.com/s/article/CVE-2023-35078-Remote-unauthenticated-API-access-vulnerability?language=en_US
Atlassian Patches https://confluence.atlassian.com/security/security-bulletin-july-18-2023-1251417643.html
AMD Zen 2 Vulnerability (Zenbleed) https://lock.cmpxchg8b.com/zenbleed.html
VMware CVE-2023-20891 https://socradar.io/vmwares-response-to-the-critical-cve-2023-20891-vulnerability-exposing-cf-api-admin-credentials/
keywords: ivanti; atlassian; amd; zen2; vmware

Network Security News Summary for Tuesday July 25th, 2023
Apple Updates; jq Parsing; TETRA Radio Backdoor
Apple Updates https://isc.sans.edu/forums/diary/Apple%20Updates%20Everything%20%28again%29/30062/ https://support.apple.com/en-us/HT201222
Parsing Data with jq https://isc.sans.edu/diary/JQ%3A%20Another%20Tool%20We%20Thought%20We%20Knew/30060
TETRA Radio Backdoor https://www.wired.com/story/tetra-radio-encryption-backdoor/
keywords: tetra; radio; backdoor; apple; jq; updates; patches

Network Security News Summary for Monday July 24th, 2023
Shodan API; MSFT Stolen Key Scope; Okta Logs; Citrix Exploits
Shodan's API for the (Recon) Win! https://isc.sans.edu/diary/Shodan%27s%20API%20For%20The%20%28Recon%29%20Win!/30050
Stolen Microsoft Key May Have Opened Up a Lot More than US Government E-Mail Inboxes https://www.wiz.io/blog/storm-0558-compromised-microsoft-key-enables-authentication-of-countless-micr https://www.theregister.com/2023/07/21/microsoft_key_skeleton/
Okta Logs Decoded https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/
Threat Actors Exploiting Citrix CVE-2023-3519 https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-201a https://github.com/securekomodo/citrixInspector
keywords: citrix; okta; microsoft; key; wiz; shodan

Network Security News Summary for Friday July 21st, 2023
Obfuscated .bat File; Citrix CVE-2023-3519 IoCs; ssh-agent Exploit; Spring Security Bypass; MegaRAC Vuln
Deobfuscation of Malware Delivered Through a .bat File https://isc.sans.edu/diary/Deobfuscation%20of%20Malware%20Delivered%20Through%20a%20.bat%20File/30048
Citrix CVE-2023-3519 Indicators of Compromise https://www.deyda.net/index.php/en/2023/07/19/checklist-for-citrix-adc-cve-2023-3519/
ssh-agent Vulnerability https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt
Spring Security: WebFlux Security Bypass with Un-Prefixed Double Wildcard Pattern https://spring.io/security/cve-2023-34034
American Megatrends (AMI) MegaRAC BMC Vulnerabilities https://eclypsium.com/research/bmcc-lights-out-forever/
keywords: .bat; obfuscation; citrix; iocs; ssh-agent; megarac; megatrends; ami; bmc

Network Security News Summary for Thursday July 20th, 2023
Citrix Vulnerability; Enigma Challenge; Oracle CPU; Microsoft Expanding Cloud Logging
Citrix ADC Vulnerability CVE-2023-3519, CVE-2023-3466, CVE-2023-3467 https://isc.sans.edu/forums/diary/Citrix%20ADC%20Vulnerability%20CVE-2023-3519%2C%203466%20and%203467%20-%20Patch%20Now!/30044/
HAM Radio Enigma Machine Challenge https://isc.sans.edu/diary/HAM%20Radio%20%2B%20Enigma%20Machine%20Challenge/30042
Oracle Critical Patch Update https://www.oracle.com/security-alerts/cpujul2023.html
Microsoft Expanding Cloud Logging https://www.microsoft.com/en-us/security/blog/2023/07/19/expanding-cloud-logging-to-give-customers-deeper-security-visibility/
keywords: microsoft; cloud; logging; oracle; cpu; ham radio; enigma; citrix; adc

Network Security News Summary for Wednesday July 19th, 2023
Jira Plugin Exploit; Citrix Vulnerabilities; Google Cloud Build Service Vuln
Exploit Attempts for "Stagil navigation for Jira Menus & Themes" CVE-2023-26255 and CVE-2023-26256 https://isc.sans.edu/diary/Exploit%20Attempts%20for%20%22Stagil%20navigation%20for%20Jira%20Menus%20%26%20Themes%22%20CVE-2023-26255%20and%20CVE-2023-26256/30038
Citrix Vulnerabilities https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467
Google Cloud Build Service Vulnerability https://orca.security/resources/blog/bad-build-google-cloud-build-potential-supply-chain-attack-vulnerability
keywords: stagil; jira; plugin; directory traversal; citrix; google; cloud; build

Network Security News Summary for Tuesday July 18th, 2023
Exploited Vulnerabilities in Zimbra, WooCommerce, ColdFusion; CISA Free Cloud Tools; JumpCloud Breach
Zimbra Vulnerability Exploited https://blog.zimbra.com/2023/07/security-update-for-zimbra-collaboration-suite-version-8-8-15
WooCommerce Vulnerability Actively Being Exploited https://www.rcesecurity.com/2023/07/patch-diffing-cve-2023-28121-to-compromise-a-woocommerce/
Adobe ColdFusion Flaws Exploited https://www.bleepingcomputer.com/news/security/adobe-warns-of-critical-coldfusion-rce-bug-exploited-in-attacks/
CISA Cloud Security Fact Sheet: Free Tools for Cloud Environments https://www.cisa.gov/sites/default/files/2023-07/Free%20Tools%20for%20Cloud%20Environments_508c.pdf
JumpCloud Breach https://arstechnica.com/security/2023/07/jumpcloud-says-nation-state-hacker-breach-targeted-some-of-its-customers/
keywords: zimbra; coldfusion; woocommerce; adobe; cisa; cloud; jumpcloud

Network Security News Summary for Monday July 17th, 2023
MSFT Driver Certs Details; Threads Threats; CVSS 4.0 Preview
Microsoft Driver Certs Details https://blog.talosintelligence.com/old-certificate-new-signature/
Threads App Lures https://www.helpnetsecurity.com/2023/07/14/threads-app-lure/
FIRST Releases CVSS 4.0 Preview https://www.first.org/cvss/
keywords: first; cvss; threads; microsoft; driver; signatures

Network Security News Summary for Friday July 14th, 2023
Honeypot Logs; MSFT Outlook 365 Compromise; Fake PoC; Ghostscript PoC
DShield Honeypot Maintenance and Data Retention https://isc.sans.edu/diary/DShield%20Honeypot%20Maintenance%20and%20Data%20Retention/30024
Enhanced Monitoring to Detect APT Activity Targeting Outlook Online https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a
PoC Exploit: Fake Proof of Concept with Backdoor Malware https://www.uptycs.com/blog/new-poc-exploit-backdoor-malware
Ghostscript CVE-2023-36664 PoC Exploit https://www.kroll.com/en/insights/publications/cyber/ghostscript-cve-2023-36664-remote-code-execution-vulnerability
keywords: ghostscript; poc; malware; backdoor; github; apt; outlook; online; honeypot; dshield

Network Security News Summary for Thursday July 13th, 2023
Apple Fixes Patch; Formbook QM18; Adobe Patches; Fortinet Patches; Citrix Patches; SonicWall Patches
Apple Re-Releases Rapid Security Update for iOS/macOS https://support.apple.com/HT201224
Loader Activity For Formbook "QM18" https://isc.sans.edu/diary/Loader%20activity%20for%20Formbook%20%22QM18%22/30020
Adobe Patches https://helpx.adobe.com/security/products/coldfusion/apsb23-40.html
FortiOS/FortiProxy Stack-Based Overflow https://www.fortiguard.com/psirt/FG-IR-23-183
Citrix Secure Access Client for Ubuntu https://support.citrix.com/article/CTX564169/citrix-secure-access-client-for-ubuntu-security-bulletin-for-cve202324492
SonicWall Updates https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0010
keywords: sonicwall; citrix; fortios; fortinet; fortiproxy; adobe; coldfusion; formbook; qm18; macos; ios

Network Security News Summary for Wednesday July 12th, 2023
Microsoft Patch Tuesday; Apple Withdraws Update
Microsoft Patch Tuesday https://isc.sans.edu/forums/diary/July%202023%20Microsoft%20Patch%20Update/30018/ https://blog.talosintelligence.com/old-certificate-new-signature/
Apple Withdraws Rapid Security Response Update https://support.apple.com/en-us/HT213827
keywords: apple; withdraws; rsr; rapid security response; microsoft; patch tuesday

Network Security News Summary for Tuesday July 11th, 2023
Apple 0-Day Patch; EdgeRouter/AirCube PoC; Firefox Quarantined Domains/Extensions
Apple Rapid Security Update Patches Three Exploited Vulnerabilities https://isc.sans.edu/diary/Apple%20Rapid%20Security%20Update%20Patches%20Three%20Exploited%20Vulnerabilities/30012
Ubiquiti EdgeRouter and AirCube miniupnpd Heap Overflow https://ssd-disclosure.com/ssd-advisory-edgerouters-and-aircube-miniupnpd-heap-overflow/
Mozilla Restricting Extensions on Quarantined Domains https://support.mozilla.org/en-US/kb/quarantined-domains https://www.mozilla.org/en-US/firefox/115.0/releasenotes/ https://lapcatsoftware.com/articles/2023/7/1.html
keywords: mozilla; firefox; ubiquiti; edgerouter; aircube; miniupnpd; apple; ios; macos; security; update

Network Security News Summary for Monday July 10th, 2023
DSSuite Update; New MOVEit Flaw; Nexus 9000 Flaw
DSSuite (Didier's Toolbox) Docker Image Update https://isc.sans.edu/diary/DSSuite%20%28Didier%27s%20Toolbox%29%20Docker%20Image%20Update/30008
More MOVEit Flaws and New Service Pack https://community.progress.com/s/article/MOVEit-Transfer-2020-1-Service-Pack-July-2023
Cisco Nexus 9000 Flaw https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-aci-cloudsec-enc-Vs5Wn2sX
keywords: nexus; 9000; encryption; moveit; sql injection; sqli; dssuite

Network Security News Summary for Friday July 7th, 2023
IDS Honeypot Logs; Truebot vs Netwrix Auditor; StackRot; TeamsPhisher; VMware Update
IDS Comparisons with DShield Honeypot Data https://isc.sans.edu/diary/IDS%20Comparisons%20with%20DShield%20Honeypot%20Data/30002
Truebot Exploits Netwrix Auditor https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-187a
StackRot Linux Privilege Escalation Vulnerability https://www.openwall.com/lists/oss-security/2023/07/05/1
TeamsPhisher Exploit https://github.com/Octoberfest7/TeamsPhisher
VMware Update https://www.vmware.com/security/advisories/VMSA-2023-0015.html
keywords: ids; honeypot; suricata; pan; truebot; netwrix; auditor; teamsphisher; vmware

Network Security News Summary for Thursday July 6th, 2023
DShield pfSense Client; Exposed ICS; Custom Encoding; SNAPPY; RUSTBUCKET
DShield pfSense Client Update https://isc.sans.edu/diary/DShield%20pfSense%20Client%20Update/29994
Exposed Industrial Control Systems https://isc.sans.edu/diary/Controlling%20network%20access%20to%20ICS%20systems/30000
Analysis Method for Custom Encoding https://isc.sans.edu/diary/Analysis%20Method%20for%20Custom%20Encoding/29946
SNAPPY: Detecting Rogue WiFi Access Points https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/snappy-detecting-rogue-and-fake-80211-wireless-access-points-through-fingerprinting-beacon-management-frames/
RUSTBUCKET Mac Malware https://www.elastic.co/security-labs/DPRK-strikes-using-a-new-variant-of-rustbucket
keywords: rustbucket; snappy; encoding; ics; hmi; dshield; pfsense

Network Security News Summary for Friday June 30th, 2023
GuLoader/DBatLoader Remcos RAT Infection; Arcserve PoC Exploit; Sysmon Update; Drone Security
GuLoader or DBatLoader/ModiLoader-style infection for Remcos RAT https://isc.sans.edu/diary/GuLoader-%20or%20DBatLoader%20ModiLoader-style%20infection%20for%20Remcos%20RAT/29990
CVE-2023-26258 Remote Code Execution in Arcserve UDP Backup https://www.mdsec.co.uk/2023/06/cve-2023-26258-remote-code-execution-in-arcserve-udp-backup/
Sysmon Update https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon https://medium.com/@olafhartong/sysmon-15-0-file-executable-detected-40fd64349f36
Drone Security and Fault Injection Attacks https://labs.ioactive.com/2023/06/applying-fault-injection-to-firmware.html
keywords: drone; sysmon; arcserve; udp; backup; guloader; batloader; remcos rat

Network Security News Summary for Thursday June 29th, 2023
SSLv2 Survey; npm Manifests; Mockingjay
Kazakhstan: The World's Last SSLv2 Superpower https://isc.sans.edu/diary/Kazakhstan%20-%20the%20world%27s%20last%20SSLv2%20superpower...%20and%20a%20country%20with%20potentially%20vulnerable%20last-mile%20internet%20infrastructure/29988
npm Manifest Issues https://blog.vlt.sh/blog/the-massive-hole-in-the-npm-ecosystem
Process Mockingjay: Echoing RWX In Userland To Achieve Code Execution https://www.securityjoes.com/post/process-mockingjay-echoing-rwx-in-userland-to-achieve-code-execution
keywords: mockingjay; rwx; npm; manifest; sslv2; ssl2

Network Security News Summary for Wednesday June 28th, 2023
Malware Triage; RowPress Attack; Dell BIOS Update; Chrome Update
The Importance of Malware Triage https://isc.sans.edu/diary/The+Importance+of+Malware+Triage/29984/
RowPress: Amplifying Read Disturbance in Modern DRAM Chips https://dl.acm.org/doi/abs/10.1145/3579371.3589063
Dell BIOS Updates https://www.dell.com/support/kbdoc/de-de/000214778/dsa-2023-174-dell-client-bios-security-update-for-an-out-of-bounds-write-vulnerability
Google Chrome Update https://chromereleases.googleblog.com/2023/06/stable-channel-update-for-desktop_26.html
keywords: malware; triage; rowpress; dell; bios; google chrome

Network Security News Summary for Tuesday June 27th, 2023
BlackLotus Mitigation; Camaro Dragon; Grafana Vuln; BlackLotus Mitigation Guide https://media.defense.gov/2023/Jun/22/2003245723/-1/-1/0/CSI_BlackLotus_Mitigation_Guide.PDF Camaro Dragon Infects USB Drives as well as Network Drives https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/ Grafana Security Release https://grafana.com/blog/2023/06/22/grafana-security-release-for-cve-2023-3128/ keywords: grafana; microsoft ad; oauth; camaro; dragon; usb; blacklotus

Network Security News Summary for Monday June 26th, 2023
Modiloader Spam; Word Templates; Qakbot Obama271; MSFT Teams Phishing; Free Smart Watches; Email Spam With Modiloader Attached https://isc.sans.edu/diary/Email%20Spam%20with%20Attachment%20Modiloader/29978 Word Document with an Online Attached Template https://isc.sans.edu/diary/Word%20Document%20with%20an%20Online%20Attached%20Template/29976 Qakbot Activity Obama271 Distribution Tag https://isc.sans.edu/diary/Qakbot%20%28Qbot%29%20activity%2C%20obama271%20distribution%20tag/29968 Microsoft Teams External Tenant Confusion https://labs.jumpsec.com/advisory-idor-in-microsoft-teams-allows-for-external-tenants-to-introduce-malware/ Free Smart Watches https://www.darkreading.com/threat-intelligence/suspicious-smartwatches-mailed-us-army-personnel keywords: obama; qbot; qakbot; smart watches; microsoft; teams; email; office; word; template

Network Security News Summary for Friday June 23rd, 2023
Apple Updates; vCenter Vuln.; GitHub RepoJacking; Apple Updates Already Exploited Vulnerabilities https://isc.sans.edu/diary/Apple%20Patches%20Exploited%20Vulnerabilities%20in%20iOS%20iPadOS%2C%20macOS%2C%20watchOS%20and%20Safari/29972 Heap Buffer Overflow in VMware vCenter https://www.vmware.com/security/advisories/VMSA-2023-0014.html GitHub RepoJacking https://blog.aquasec.com/github-dataset-research-reveals-millions-potentially-vulnerable-to-repojacking keywords: apple; ios; ipados; macos; vmware; vcenter; github; repojacking;

Network Security News Summary for Thursday June 22nd, 2023
YouTube Creator Phishing; Autodesk Maya Malware; Zyxel, Asus and Huawei Vuln; VMware Aria Exploited Analyzing a YouTube Sponsorship Phishing E-Mail https://isc.sans.edu/diary/Analyzing%20a%20YouTube%20Sponsorship%20Phishing%20Mail%20and%20Malware%20Targeting%20Content%20Creators/29966 Malicious Code Can Be Anywhere https://isc.sans.edu/diary/Malicious%20Code%20Can%20Be%20Anywhere/29964 Zyxel Vulnerability https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-pre-authentication-command-injection-vulnerability-in-nas-products Huawei Vulnerability https://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-thvihr-7015cbae-en Asus Vulnerability https://www.asus.com/content/asus-product-security-advisory/ VMware Aria Vuln Exploited https://www.vmware.com/security/advisories/VMSA-2023-0012.html keywords: vmware; aria; asus; huawei; zyxel; Autodesk; Maya; creators;

Network Security News Summary for Tuesday June 20th, 2023
More Formbook; ZIP Bruteforcing; .inf Malware; FortiNAC PoCs; Formbook From Possible ModiLoader (DBatLoader) https://isc.sans.edu/diary/Formbook%20from%20Possible%20ModiLoader%20%28DBatLoader%29%20/29958 Brute-Force ZIP Password Cracking with zipdump.py https://isc.sans.edu/diary/Brute-Force%20ZIP%20Password%20Cracking%20with%20zipdump.py/29948 Malware Delivered Through .inf File https://isc.sans.edu/diary/Malware%20Delivered%20Through%20.inf%20File/29960 FortiNAC - Just a few more RCEs https://frycos.github.io/vulns4free/2023/06/18/fortinac.html keywords: fortinac; moveit; inf file; zip; password; formbook

Network Security News Summary for Friday June 16th, 2023
Vulnerability Management; More MOVEit vulns; Citrix Sharefile; Chromeloader News; npm bignum compromise; Supervision and Verification in Vulnerability Management https://isc.sans.edu/diary/Supervision%20and%20Verification%20in%20Vulnerability%20Management/29952 More MOVEit issues https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-15June2023 Critical Citrix Sharefile Storagezones Controller https://support.citrix.com/article/CTX559517/sharefile-storagezones-controller-security-update-for-cve202324489 Chromeloader Malware Update https://threatresearch.ext.hp.com/shampoo-a-new-chromeloader-campaign/ Bignum NPM Package Compromise https://checkmarx.com/blog/hijacking-s3-buckets-new-attack-technique-exploited-in-the-wild-by-supply-chain-attackers keywords: bignum; npm; chromeloader; malware; citrix; sharefile; storagezones; moveit; vulnerability management