SANS Internet Storm Center's Daily Network Security News Podcast

Microsoft Patch Tuesday; VMWare 0-Day; SAP Patches Microsoft Patch Tuesday https://isc.sans.edu/forums/diary/June%202023%20Microsoft%20Patch%20Tuesday/29942/ VMWare 0-Day https://www.mandiant.com/resources/blog/vmware-esxi-zero-day-bypass https://www.vmware.com/security/advisories/VMSA-2023-0013.html SAP Patches https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html keywords: patches; tuesday; patch tuesday; microsoft; vmware; 0-day; sap

Geoserver Cryptominer Attacks; Fortinet Update; Bitwarden Key Leak; Western Digital SMART abuse; Geoserver Attack Details: More Cryptominers Against Unconfigured WebApps https://isc.sans.edu/diary/Geoserver%20Attack%20Details%3A%20More%20Cryptominers%20against%20Unconfigured%20WebApps/29936 Fortinet Update CVE-2023-27997 https://www.fortiguard.com/psirt/FG-IR-23-097 Bitwarden Key Accessible By Low Privileged User https://hackerone.com/reports/1874155 Western Digital SMART Flag Abuse https://arstechnica.com/gadgets/2023/06/clearly-predatory-western-digital-sparks-panic-anger-for-age-shaming-hdds/ keywords: western digital; smart; bitwarden; fortinet; geoserver; kensing; cryptominer

Powershell Profiles; Honeypot Activity; More flaws in MOVEit and Fortinet SSLVPN Undetected PowerShell Backdoor Disduigsed as a Profiled File https://isc.sans.edu/diary/Undetected%20PowerShell%20Backdoor%20Disguised%20as%20a%20Profile%20File/29930 DShield Honeypot Activity for May 2023 https://isc.sans.edu/diary/DShield%20Honeypot%20Activity%20for%20May%202023%20/29932 Second MOVEit Vulnerability https://www.progress.com/security/moveit-transfer-and-moveit-cloud-vulnerability Fortinet Patches CVE-2023-27997 https://twitter.com/cfreal_/status/1667852157536616451 keywords: fortniet; moveit; dshield; honeypot; powershell; backdoor; patches; vulnerabilities

Geoserver Scans; Barracuda ESG Replacement; Google Chrome Password Manager; Minecraft Mods; Trend Micro Patch Geoserver Scans https://isc.sans.edu/diary/Ongoing%20scans%20for%20Geoserver/29926 Barracuda Recommends Replacing Compromised Devices https://www.barracuda.com/company/legal/esg-vulnerability Google improves Chrome Password Manager https://www.msn.com/en-us/news/other/chrome-adds-windows-biometric-logins-to-its-password-powers/ar-AA1ciCCf Minecraft Mods Include Malicious Code https://www.bleepingcomputer.com/news/security/new-fractureiser-malware-used-curseforge-minecraft-mods-to-infect-windows-linux/ Trend Micro Service Pack https://files.trendmicro.com/documentation/readme/Apex%20One/2020/apex_one_2019_win_cp_b12033_EN_Critical_Patch_Readme.html keywords: trend micro; minecraft; google; password manager; barracuda; geoserver

DMARC in .co; VMware Aria Patch; SpinOK Spyware DMARC in .co TLD https://isc.sans.edu/diary/Management%20of%20DMARC%20control%20for%20email%20impersonation%20of%20domains%20in%20the%20.co%20TLD%20-%20part%202/29922 Three Vulnerabilities in VMWare Aria Operations for Networks https://www.vmware.com/security/advisories/VMSA-2023-0012.html SpinOK Spyware SDK found in Android Apps https://vms.drweb.com/search/?q=Android.Spy.SpinOk&lng=en https://www.cloudsek.com/threatintelligence/supply-chain-attack-infiltrates-android-apps-with-malicious-sdk Cisco Anyconnect Vulnerability https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ac-csc-privesc-wx4U4Kw RSA Webcast https://www.rsaconference.com/library/webcast/149-sans-followup-2023 keywords: rsa; webcast; cisco; anyconnect; spinok; spyware; sdk; android; vmware; ario; dmarc

Copilot vs. Google; Android and Chrome 0-Days; Fake Sextortion; Github Copilot vs Google: Which Code is More Secure https://isc.sans.edu/forums/diary/Github%20Copilot%20vs.%20Google%3A%20Which%20code%20is%20more%20secure/29918/ Android Update https://source.android.com/docs/security/bulletin/2023-06-01 Chrome Updates https://chromereleases.googleblog.com/2023/06/stable-channel-update-for-desktop.html FBI Warns of Manipulated Photos and Videos For Sextortion https://www.ic3.gov/Media/Y2023/PSA230605 keywords: fbi; photos; sextortion; chrom; android; github; copilot; google;

Simple Archive Bruteforcer; Keepass Patch; Splunk Advisories; Chrome Extensions; Symantec Updates Brute Forcing Simple Archive Passwords https://isc.sans.edu/diary/Brute%20Forcing%20Simple%20Archive%20Passwords/29914 KeePass 2.54 Released https://keepass.info/news/n230603_2.54.html Splunk Advisories https://advisory.splunk.com/advisories Malicious Google Chrome Extensions https://palant.info/2023/05/31/more-malicious-extensions-in-chrome-web-store/ Symantec Updates https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/22217 keywords: symantec; google; chrome; extensions; keepass; brute forcing

MoveIT Transfer Exploited; Atomic Wallet Theft; Magecart Update Critical Vulnerability in MoveIT Transfer Actively Exploited https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023 https://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/ https://www.mandiant.com/resources/blog/zero-day-moveit-data-theft Atomic Wallet Compromise https://www.bleepingcomputer.com/news/security/atomic-wallet-hacks-lead-to-over-35-million-in-crypto-stolen/ Magecart Update https://www.akamai.com/blog/security-research/new-magecart-hides-behind-legit-domains keywords: magecart, atomic wallet, moveit

SSLv2 Remnants; iOS Malware; MOVEit and Reportslab PDF Library Vulnerabilities; Brandon Helms (@sans_edu): CTI For Containers After 28 Years, SSLv2 is Still Not Gone https://isc.sans.edu/forums/diary/After%2028%20years%2C%20SSLv2%20is%20still%20not%20gone%20from%20the%20internet...%20but%20we're%20getting%20there/29908/ Operation Triangulation: iOS Devices Targeted With Previously Unknown Malware https://securelist.com/operation-triangulation/109842/ MOVEit Transfer Criticial Vulnerability https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023 Code Injection Vulnerablity in Reportlab Python Library https://github.com/c53elyas/CVE-2023-33733 keywords: reportlab; pdf; moveit; ios; 0-Day; sslv2

Apache NiFi Attacks; Gigabyte Backdoor; SalesForce Ghost Sites; ImageMagick Shell Command Injection Apache NiFi Attacks https://isc.sans.edu/diary/Your%20Business%20Data%20and%20Machine%20Learning%20at%20Risk%3A%20Attacks%20Against%20Apache%20NiFi/29900 Gigabyte App Center Backdoor; https://eclypsium.com/blog/supply-chain-risk-from-gigabyte-app-center-backdoor/ Salesforce Ghost Sites https://www.varonis.com/blog/salesforce-ghost-sites CVE-2023-34152: Shell Command Injection in ImageMagick https://securityonline.info/cve-2023-34152-shell-command-injection-bug-affecting-imagemagick/ keywords: imagemagick; salesforce; ghost sites; gigabyte; app-center; backdoor; apache; nifi

ModiLoader Sample; MacOS SIP Bypass; OpenSSL Update; Barracuda Vuln Details; Nextcloud, Zyxel Vuln; Malspam Pushes ModiLoader Infection for Remocs Rat https://isc.sans.edu/diary/Malspam%20pushes%20ModiLoader%20%28DBatLoader%29%20infection%20for%20Remcos%20RAT/29896 MacOS SIP Bypass https://www.microsoft.com/en-us/security/blog/2023/05/30/new-macos-vulnerability-migraine-could-bypass-system-integrity-protection/ OpenSSL Update https://www.openssl.org/news/secadv/20230530.txt Barracuda Email Security Gateway Applicance Vulnerability Details https://www.barracuda.com/company/legal/esg-vulnerability#:~:text=the%20section%20below.-,Endpoint%20IOCs,-Table%204%20lists Void Rabisu RomCom Backdoor https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html Nextcloud Vulnerability https://github.com/nextcloud/security-advisories/security/advisories/GHSA-mr7q-xf62-fw54 Zyxel NAS Vulnerability https://sternumiot.com/iot-blog/ntp-textbox-vulnerability-in-zyxel-nas326-nas540-and-nas542-devices/ Wait Just An Infosec: Higher Ed https://www.youtube.com/watch?v=ufEuo-096yc&list=PLtgaAEEmVe6B2kqkE9KdgPJdtbqNiaiOn&index=8 keywords: ed; higher ed; zyxel; nas; nextcloud; romcom; barracuda; sip; apple; modiloader

Word in PPT; DocuSign Malspam; Archiver in Browser; Casandra and MXsecurity Vulnerabilities Analyzing Office Documents Embedded Inside PowerPoint Files https://isc.sans.edu/diary/Analyzing%20Office%20Documents%20Embedded%20Inside%20PPT%20%28PowerPoint%29%20Files/29894 DocuSign Themed Email Leads to Script-Based Infection https://isc.sans.edu/diary/DocuSign-themed%20email%20leads%20to%20script-based%20infection/29888 File Archiver In The Browser https://mrd0x.com/file-archiver-in-the-browser/ Securing PyPI accounts via Two-Factor Authentication https://blog.pypi.org/posts/2023-05-25-securing-pypi-with-2fa/ Apache Casandra Vulnerabilities https://lists.apache.org/thread/mwd02nrw2go8shg29rnp3o4hgompvkp5 MOXA MXsecurity Vulerabilities https://www.moxa.com/en/support/product-support/security-advisory/mxsecurity-command-injection-and-hardcoded-credential-vulnerabilities keywords: pypi; zip; tld; docusign; office; powerpoint; word;ppt

IR Case/Alert Mgnmt; GitLab Exploit; Expo OAUTH Vuln Details; Mitel MiVoice and DLink Vulnerabilities; IR Case/Alert Management https://isc.sans.edu/diary/IR%20Case%20Alert%20Management/29880 Exploit for CVE-2023-2825 GitLab Vulnerability https://github.com/Occamsec/CVE-2023-2825 Expo Framework OAUTH Vulnerability CVE-2023-28131 https://salt.security/blog/a-new-oauth-vulnerability-that-may-impact-hundreds-of-online-services Mitel MiVoice Vulnerability CVE-2023-31457 CVE-2023-32748 https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-23-0004 D-Link Vulnerabilities https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10332 keywords: dlink; d-link; mitel; mivoice; expo; oauth; gitlab; ir; case; alert; management

Enriching Cowrie; Volt Typhoon; Android Spy App; Zyxel, Baracuda and GitLab Patches; More Data Enrichment for Cowrie Logs https://isc.sans.edu/diary/More%20Data%20Enrichment%20for%20Cowrie%20Logs/29878 Volt Typhoon: Living of the Land https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF Android App Breaking Bad https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/ Zyxel Updates https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-buffer-overflow-vulnerabilities-of-firewalls Baracuda Email Security Gateway Vulnerability https://status.barracuda.com/incidents/34kx82j5n4q9 Gitlab Patch https://about.gitlab.com/releases/2023/05/23/critical-security-release-gitlab-16-0-1-released/ keywords: gitlab; baracuda; email; zyxel; android; breaking bad; app; volt typhoon; cowrie

Apache NiFi Scans; Samsung 0-Day Fix; Lenovo Bricked; Dell VX Rail; BrutePrint Apache Nifi Scans https://isc.sans.edu/diary/Help+us+figure+this+out+Scans+for+Apache+Nifi/29874/ Samsung Updates fix 0-Day https://security.samsungmobile.com/securityUpdate.smsb Lenovo All-In One Bricked by Windows Update https://www.reddit.com/r/Lenovo/comments/136tatm/lenovo_firmware_10055_bricking_thinkcentre_v53024/ Dell VxRail Security Update https://www.dell.com/support/kbdoc/en-us/000213011/dsa-2023-071-dell-vxrail-security-update-for-multiple-third-party-component-vulnerabilities-7-0-450 BrutePrint: Expose Smartphone Fingerprint Authentication to Brute-force Attack https://arxiv.org/pdf/2305.10791.pdf keywords: bruteprint; android; ios; fingerprint; dell; vxrail; lenovo; samsung; nifi; apache

ABUS Camera Vuln; .ZIP vs Virustotal; Nissan Car Key Replay; Synology DSM 6.2; Jenkins Plugins; PyPi Suspension Lifted; Probes for recent ABUS Security Camera Vulnerability https://isc.sans.edu/diary/Probes%20for%20recent%20ABUS%20Security%20Camera%20Vulnerability%3A%20Attackers%20keep%20an%20eye%20on%20everything./29870 .ZIP Domains Confuse Virustotal https://twitter.com/imohanasundaram/status/1660678184977805316 Synology DSM 6.2 Patch https://www.synology.com/en-global/security/advisory/Synology_SA_22_25 Jenkins Fixes Multiple Plugin Vulnerabilities https://www.jenkins.io/security/advisory/2023-05-16/ PyPi Suspension Lifted https://status.python.org/incidents/qy2t9mjjcc7g Nissan Sylphy Classic Key Vulnerability https://vulmon.com/vulnerabilitydetails?qid=CVE-2023-33281 keywords: nissan; sylphy; key; pypi; jenkins; synology; abus; virustotal; zip

HTA Analysis; Encoding Mistakes; PyPi Attack; PyPi PGP Signatures; npm RATs Another Malicious HTA File Analysis - Part 3 https://isc.sans.edu/forums/diary/Another%20Malicious%20HTA%20File%20Analysis%20-%20Part%203/29678/ When the Phisher Messes Up With Encoding https://isc.sans.edu/diary/When%20the%20Phisher%20Messes%20Up%20With%20Encoding/29864 PyPi Suspends New Users and Projects https://status.python.org/incidents/qy2t9mjjcc7g PGP Signatures on PyPi: Worse than useless https://blog.yossarian.net/2023/05/21/PGP-signatures-on-PyPI-worse-than-useless RATs found hiding in the npm attic https://www.reversinglabs.com/blog/rats-found-hiding-in-the-npm-attic keywords: RATs; npm; pgp; pypi; phishing; encoding; HTA; reverse analysis;

Apple Updates; .zip Survey; Dell/EMC Networker Vuln; Keepass Master PW Exposure Apple Updates Everything https://isc.sans.edu/diary/Apple%20Updates%20Everything/29860 A Quick Survey of .zip Domains https://isc.sans.edu/diary/A%20Quick%20Survey%20of%20.zip%20Domains%3A%20Your%20highest%20risk%20is%20running%20into%20Rick%20Astley./29858 Dell NetWorker Security Update https://www.dell.com/support/kbdoc/en-us/000211267/dsa-2023-060-dell-networker-security-update-for-an-nsrcapinfo-vulnerability?lwp=rt KeePass 2.X Master Password Dumper https://github.com/vdohney/keepass-password-dumper keywords: keepass; dell; networker; backup; .zip; domains; apple; updates; patches

RAR SFX Files; Wemo Vuln; Wago Vuln; Router Vuln to Proxies; TP-Link Malicous Firmware Increase in Malicious RAR SFX Files https://isc.sans.edu/forums/diary/Increase%20in%20Malicious%20RAR%20SFX%20files/29852/ FriendlyName Buffer Overflow in Wemo Smartplug https://sternumiot.com/iot-blog/mini-smart-plug-v2-vulnerability-buffer-overflow/ Wago License Page Exploit https://onekey.com/blog/security-advisory-wago-unauthenticated-remote-command-execution/ Routers Turned Into Proxies https://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/ keywords: tp-link; routers; wago; wemo; rar; sfx

Testing Faraday Bags; Sharepoint Scans Encrypted Files; vm2 Escape; geocon for MacOS Signals Defense With Faraday Bags https://isc.sans.edu/forums/diary/Signals%20Defense%20With%20Faraday%20Bags%20%26%20Flipper%20Zero/29840/ Microsoft Sharepoint Scans Password Protected Files https://infosec.exchange/@threatresearch/110373860063222707# Critical Sandbox Escape Vulnerability in VM2 https://github.com/patriksimek/vm2/security/advisories/GHSA-whpj-8f3w-67p5 Geacon Brings Cobalt Strike Capabilities to MacOS Threat Actors https://www.sentinelone.com/blog/geacon-brings-cobalt-strike-capabilities-to-macos-threat-actors/ keywords: geacon; cobalt strike; macos; vm2; sandbox escape; sharepoint av scanning; fraday bag; flipper zero

Facebook Phish; No Intel Microcode Vuln; Fake Trezor Wallets; TP-Link Exploited Ongoing Facebook Phishing campaign Without a Sender and (almost) without Links https://isc.sans.edu/diary/Ongoing%20Facebook%20phishing%20campaign%20without%20a%20sender%20and%20%28almost%29%20without%20links/29848 Intel Microcode Updates Do Not Patch Vulnerability https://www.theregister.com/2023/05/15/intel_mystery_microcode/ Fake Trezor Hardware Crypto Wallet https://www.kaspersky.com/blog/fake-trezor-hardware-crypto-wallet/48155/ TP-Link Archer AX-21 Command Injection CVE-2023-1389 Exploited https://www.fortiguard.com/threat-signal-report/5157/tp-link-archer-ax-21-command-injection-vulnerability-cve-2023-1389-exploited-in-the-wild keywords: facebook; phishing; intel; microcode; trezor; wallet; fake; tp-link

.zip/.mov domains; The .zip gTLD: Risks and Opportunities https://isc.sans.edu/forums/diary/The+zip+gTLD+Risks+and+Opportunities/29838/ Brave Forgetful Browsing https://brave.com/privacy-updates/25-forgetful-browsing/ Intel Mystery Microcode Patch https://www.phoronix.com/news/Intel-12-May-2023-Microcode Netgear Updates https://kb.netgear.com/000065619/Security-Advisory-for-Multiple-Vulnerabilities-on-the-RAX30-PSV-2022-0348 Synology Updates https://www.synology.com/en-global/security/advisory/Synology_SA_23_04 https://claroty.com/team82/research/chaining-five-vulnerabilities-to-exploit-netgear-nighthawk-rax30-routers-at-pwn2own-toronto-2022 keywords: zip; mov; brave; forgetful; browsing; intel; microcode; netgear; synology

Geolocation Difficulties; Pre-Infected Phones; Dragos Breach; Ruckus Exploited Geolocating IPs is Harder Than You Think https://isc.sans.edu/diary/Geolocating%20IPs%20is%20harder%20than%20you%20think/29834 Pre-Infected Mobile Phones https://www.theregister.com/2023/05/11/bh_asia_mobile_phones/ Dragos Breach https://www.dragos.com/blog/deconstructing-a-cybersecurity-event/ AndoryuBot Targets Ruckus Admin RCE Vulnerability https://www.fortinet.com/blog/threat-research/andoryubot-new-botnet-campaign-targets-ruckus-wireless-admin-remote-code-execution-vulnerability-cve-2023-25717 keywords: geolocation; mobile phones; android; dragos; andoryubot; ruckus;

CISSM Data Anlysis; Outlook "re-patch"; Snake Malware; Fake System Updates Exploratory Data Analysis with CISSM Cyber Attacks Database Part 2 https://isc.sans.edu/diary/Exploratory%20Data%20Analysis%20with%20CISSM%20Cyber%20Attacks%20Database%20-%20Part%202/29828 Microsoft Patched Outlook (actually Windows) vulnerability again https://www.akamai.com/blog/security-research/important-outlook-vulnerability-bypass-windows-api Law Enforcement and Intelligence Agencies Disable "Snake" Malware https://media.defense.gov/2023/May/09/2003218554/-1/-1/1/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF Fake System Update Drop Malware https://www.malwarebytes.com/blog/threat-intelligence/2023/05/fake-system-update-drops-new-highly-evasive-loader keywords: fake updates; system updates; snake; malware; outlook; patch; cissm

Microsoft Patch Tuesday; GitHub Push Protection Microsoft Patch Tuesday https://isc.sans.edu/diary/Microsoft%20May%202023%20Patch%20Tuesday/29826 GitHub "Push Protection" now out of Beta https://github.blog/2023-05-09-push-protection-is-generally-available-and-free-for-all-public-repositories/ keywords: microsoft patch tuesday; push protection

QR Code Threats; Microsoft Edge Update; Fake ChatGPT QR Codes Used in Fake Parking Tickets and Surveys https://www.bleepingcomputer.com/news/security/qr-codes-used-in-fake-parking-tickets-surveys-to-steal-your-money/ Microsoft Edge Update https://learn.microsoft.com/en-us/deployedge/microsoft-edge-relnote-stable-channel Facebook Sees More Fake ChatGPT https://about.fb.com/news/2023/05/metas-q1-2023-security-reports/ CyberGhost VPN Vulnerability https://www.pentestpartners.com/security-blog/bullied-by-bugcrowd-over-kape-cyberghost-disclosure/ keywords: qr codes; microsoft; edge; facebook; chatgpt; cyberghost; vpn

Decoding PPAMs; Exploratory Analysis; Colorcpl.exe LOLBIN; Leaked MSI Keys; PHP Packages Compromised; Quickly Finding Encoded Payloads in Office Documents https://isc.sans.edu/forums/diary/Quickly+Finding+Encoded+Payloads+in+Office+Documents/29818/ Exploratory Data Analysis with CISSM Cyber Attacks Database Part 1 https://isc.sans.edu/forums/diary/Exploratory+Data+Analysis+with+CISSM+Cyber+Attacks+Database+Part+1/29816/ Guildma is now Abusing Colorcpl.exe LOLBIN https://isc.sans.edu/forums/diary/Guildma+is+now+abusing+colorcplexe+LOLBIN/29814/ Leaked MSI Keys https://github.com/binarly-io/SupplyChainAttacks/blob/main/MSI/ImpactedDevices.md https://twitter.com/matrosov/status/1654560343295934464 PHP Packages Compromised https://blog.packagist.com/packagist-org-maintainer-account-takeover/ keywords: php; msi; safe boot; keys; guildma; lolbin; colocpl.exe; decoding

Word Infostealer; Cisco SPA-112; Fortinet May Updates; PaperCut New Exploit Infostealer Embedded in a Word Document https://isc.sans.edu/diary/Infostealer%20Embedded%20in%20a%20Word%20Document/29810 Cisco SPA-112 Vulnerability https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-spa-unauth-upgrade-UqhyTWW Fortinet May Updates https://www.fortiguard.com/psirt?date=05-2023 PaperCut exploitation - A Different Path to Code Execution https://vulncheck.com/blog/papercut-rce keywords: papercut; protinet; cisco; spa-112; infostealer; word;

Config File Scans; Google Enables Passkeys; Chrome Dropping TLS Lock; AMD TPM Attacks Increased Number of Configuration File Scans https://isc.sans.edu/diary/Increased%20Number%20of%20Configuration%20File%20Scans/29806 Google Enabling Passkeys https://blog.google/technology/safety-security/the-beginning-of-the-end-of-the-password/ Chrome to Drop Lock Icon from HTTPS https://blog.chromium.org/2023/05/an-update-on-lock-icon.html Attack Against AMD TPM Implementation https://arxiv.org/abs/2304.14717 keywords: amd; tpm; https; google; passkeys; file scans; configuration files; lock icon

VBA Project References; FRRouting Vuln; JWT ECDSA Algo Confusion VBA Project References https://isc.sans.edu/diary/VBA%20Project%20References/29800 BGP Message Parsing Vulnerabilities in FRRouting https://www.forescout.com/blog/three-new-bgp-message-parsing-vulnerabilities-disclosed-in-frrouting-software/ JWT ECDSA Algorithm Confusion https://blog.pentesterlab.com/exploring-algorithm-confusion-attacks-on-jwt-exploiting-ecdsa-23f7ff83390f keywords: jwt; ecdsa; bpg; routing; dos; vba; project references

Passive Phish Analysis; Apple Rapid Security Response; Grafana Vuln; Illumina Vuln; Passive Analysis of a Phishing Attachment https://isc.sans.edu/diary/%22Passive%22%20analysis%20of%20a%20phishing%20attachment/29798 Apple Rapid Security Response https://www.macrumors.com/2023/05/01/rapid-security-response-16-4-1/ Grafana Security Release https://grafana.com/blog/2023/04/26/grafana-security-release-new-versions-of-grafana-with-security-fixes-for-cve-2023-28119-and-cve-2023-1387/ Illumina Vulnerability https://www.fda.gov/medical-devices/letters-health-care-providers/illumina-cybersecurity-vulnerability-affecting-universal-copy-service-software-may-present-risks keywords: illumina; grafana; dna sequencing; apple; rapid security response; passive analysis; phishing

Loki in Docker; UTF-16 Encoded Malware; AT&T Email Compromise; MacOS Crypto Stealer; Zyxel Vuln Quick IOC Scan With Docker https://isc.sans.edu/diary/Quick%20IOC%20Scan%20With%20Docker/29788 Dobfuscation Scripts When Encodings Help https://isc.sans.edu/diary/Deobfuscating%20Scripts%3A%20When%20Encodings%20Help/29792 Hackers Are Breaking Into AT&T Email Accounts To Steal Cryptocurrency https://techcrunch.com/2023/04/26/hackers-are-breaking-into-att-email-accounts-to-steal-cryptocurrency/ Trheat Actor Selling New Atomic MacOS AMOS Stealer on Telegram https://blog.cyble.com/2023/04/26/threat-actor-selling-new-atomic-macos-amos-stealer-on-telegram/ Zyxel Firewall Vulnerability https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-remote-command-injection-vulnerability-of-firewalls keywords: loki; docker; malware; utf-16; at&t; macos; crypto; zyxel; vulnerability; firewall

Veeam Vuln Ransomware; Google Authenticator Sync; Keycloak Vuln; Ransomware Gang Exploiting Unpatches Veeam Backup Products https://www.computerweekly.com/news/365535586/Ransomware-gang-exploiting-unpatched-Veeam-backup-products Google Authenticator Sync Encryption https://security.googleblog.com/2023/04/google-authenticator-now-supports.html Keycloak Vulnerability https://out.reddit.com/t3_130km04?url=https%3A%2F%2Fwww.offensity.com%2Fen%2Fblog%2Fuser-impersonation-via-stolen-uuid-code-in-keycloak-cve-2023-0264%2F&token=AQAAjSdLZJTzQM37107hVzYY-tbz6ak81pMNqN9qv3m2SWXEOMIm&app_name=web2x&user_id=33629461&web_redirect=true keywords: keycloak; google; authenticator; ransomwre; veeam; backup

Hunting Phishing Sites; RSA Top Attack Panel; @sans_edu research journal Strolling Through Cyberspace and Hunting for Phishing Sites https://isc.sans.edu/diary/Strolling%20through%20Cyberspace%20and%20Hunting%20for%20Phishing%20Sites/29780 RSA Panel: Five most dangerous new attack techniques https://www.rsaconference.com/usa/agenda/session/The%20Five%20Most%20Dangerous%20New%20Attack%20Techniques SANS.edu Research Journal https://www.sans.edu/cyber-security-research keywords: sans.edu; research journal; rsa panel; attack techniques; phishing

ChatGPT CVSS Scores; SLP Amplification; Apache Superset RCE; Sophos Web Appliance PoC Calculating CVSS Scores with ChatGPT https://isc.sans.edu/diary/Calculating%20CVSS%20Scores%20with%20ChatGPT/29774 Amplifying SLP Traffic https://www.bitsight.com/blog/new-high-severity-vulnerability-cve-2023-29552-discovered-service-location-protocol-slp Insecure Default Configuration in Apache Superset https://www.horizon3.ai/cve-2023-27524-insecure-default-configuration-in-apache-superset-leads-to-remote-code-execution/ SLP Amplification; Apache Superset RCE; PoC Exploit for Sophos Web Appliciance https://github.com/W01fh4cker/CVE-2023-1671-POC keywords: sophos; poc; exploit; apache; superset; slp; dos; amplification

Aukill BYOVD Ransomware; Papercut Exploit; Solarwinds Patch; APC UPS Software Patch; Virustotal Code Insight Aukill EDR Killer Malware Abuses Process Explorer Driver https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/ Papercut Vulnerability Deep Dive https://www.horizon3.ai/papercut-cve-2023-27350-deep-dive-and-indicators-of-compromise Solarwinds Patches https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2023-2_release_notes.htm Schneider Electric Update https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-101-04&p_enDocType=Security%20and%20Safety%20Notice&p_File_Name=SEVD-2023-101-04.pdf Virustotal Code Insight https://blog.virustotal.com/2023/04/introducing-virustotal-code-insight.html keywords: virustotal; code; insight; ups; apc; schneider electric; solarwinds; papercut; driver; process explorer

DMARC in .co; X_Trader Fallout; Car Hacking; DNS Decoy Dog Management of DMARC control for email impersonation fo domains in the .co TLD https://isc.sans.edu/forums/diary/Management+of+DMARC+control+for+email+impersonation+of+domains+in+the+co+TLD+part+1/29768/ X_Trader Supply Chain Attack Fallout https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/xtrader-3cx-supply-chain Car Hacking with Old Nokia Phones https://www.vice.com/en/article/v7beyj/car-thieves-tech-hidden-old-nokia-phones-bluetooth-speakers-emergency-engine-start-keyless Dog Hunt Finding Decoy Dog Toolkit https://blogs.infoblox.com/cyber-threat-intelligence/cyber-threat-advisory/dog-hunt-finding-decoy-dog-toolkit-via-anomalous-dns-traffic/ keywords: dog; decoy dog; dns; car hacking; nokia; x_trader; dmarc; columbia

Password Expiry; 3CX Update; Google Ghosttokens; PyPi Trusted Publishers Taking a Bite Out of Password Expiry Helpdesk Calls https://isc.sans.edu/diary/Taking%20a%20Bite%20Out%20of%20Password%20Expiry%20Helpdesk%20Calls/29758 3CX Software Supply Chain Compromise https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise Google Ghost Tokens https://astrix.security/ghosttoken-exploiting-gcp-application-infrastructure-to-create-invisible-unremovable-trojan-app-on-google-accounts/ PyPi Trusted Publishers https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/ keywords: pypi; google; ghost tokens; 3xc; password; expiration

Chrome 0-Day; Oracle CPU; Github npm Prvenance; MSFT Threat Actor Naming; Yet Another Google Chrome 0-Day https://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desktop_18.html Oracle Critical Patch Update April 2023 https://www.oracle.com/security-alerts/cpuapr2023.html Github Provenance Action for npm Packages https://www.theregister.com/2023/04/19/github_actions_npm_origins/ Microsoft Revises Threat Actor Naming https://learn.microsoft.com/de-de/microsoft-365/security/intelligence/microsoft-threat-actor-naming keywords: microsoft; github; threat actors; npm; provenance; oracle; cpu; chrome 0-day;

UDDIExplorer; SNMP Against Routers; Data from Discarded Routers UDDIs Are Back: Attackers Rediscovering Old Exploits. https://isc.sans.edu/diary/UDDIs%20are%20back%3F%20Attackers%20rediscovering%20old%20exploits./29754UDDIExplorer; UDDIExplorer; Russian Attacks against Routers https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-108 Information Leakage on Discarded Routers https://www.welivesecurity.com/2023/04/18/discarded-not-destroyed-old-routers-reveal-corporate-secrets/ keywords: routers; snmp; leaks; ebay; russia; uddi; exploits; weblogic

Increase in Honeypots in China; Mac Ransomware; GC2 in Malware The strange case of the Great Honeypot of China https://isc.sans.edu/diary/The%20strange%20case%20of%20Great%20honeypot%20of%20China/29750 The LockBit ransomware (kinda) comes for macOS https://objective-see.org/blog/blog_0x75.html Google Cloud Used as C&C https://thehackernews.com/2023/04/google-uncovers-apt41s-use-of-open.html keywords: GC3; C2; malware; taiwan; china; lockbit; macos; honeypot; medical devices

Fake Chrome Errors; Chromium 0-Day; LAPS Compatibility Issues; Manage Engine Attack Campaing Tht Uses Fake Google Chrome Errors https://insight-jp.nttsecurity.com/post/102icvb/attack-campaign-that-uses-fake-google-chrome-error-to-distribute-malware-from-com Chromium Publishes Emergency Update https://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desktop_14.html LAPS Update Errors https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview Manage Engine Vulnerability https://hnd3884.github.io/posts/CVE-2023-29084-Command-injection-in-ManageEngine-ADManager-plus/ keywords: manage engine; laps; chromium; chorme; errors;

OCSP Messages; NTP Vuln Update; SecurePoint Vuln; HTTP: What's Left of it and the OCSP Problem https://isc.sans.edu/diary/HTTP%3A%20What%27s%20Left%20of%20it%20and%20the%20OCSP%20Problem/29744 NTP Vulnerability Update https://github.com/spwpun/ntp-4.2.8p15-cves/issues/1#issuecomment-1506667321 SecurePoint UTM Vulnerability CVE-2023-22897 https://www.rcesecurity.com/2023/04/securepwn-part-1-bypassing-securepoint-utms-authentication-cve-2023-22620/ https://www.rcesecurity.com/2023/04/securepwn-part-2-leaking-remote-memory-contents-cve-2023-22897/ Google Cloud Assured Open Source Software Services https://cloud.google.com/blog/products/identity-security/google-cloud-assured-open-source-software-service-now-ga keywords: google; assured open source software; open source; securepoint; utm; ntp; http;

IcedID (Bokbot); MSMQ Vuln Details; ntpd vulnerability Recent IcedID (Bokbot) activity https://isc.sans.edu/forums/diary/Recent%20IcedID%20%28Bokbot%29%20activity/29740/ Microsoft Message Queue Vulnerabilities Details https://research.checkpoint.com/2023/queuejumper-critical-unauthorized-rce-vulnerability-in-msmq-service/ NTP Vulnerabilities https://github.com/spwpun/ntp-4.2.8p15-cves https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-0938 keywords: ntp; ntp.org; microsoft; msmq; icedid; bokbot

Microsoft Patch Tuesday; Windows LAPS Update; SAP and Adobe Patches Microsoft Patch Tuesday https://isc.sans.edu/diary/Microsoft%20April%202023%20Patch%20Tuesday/29736 Windows LAPS Available as part of Windows https://techcommunity.microsoft.com/t5/windows-it-pro-blog/by-popular-demand-windows-laps-available-now/ba-p/3788747 SAP Patches https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html Adobe Patches https://helpx.adobe.com/security/security-bulletin.html keywords: adobe; sap; patches; windows; laps; micorsoft

Analysising HTA Files; Apple Updates; MSI Attacks; MSFT Altered Netlogon Update Schedule Another Malicious HTA File Analysis - Part 2 https://isc.sans.edu/diary/Another%20Malicious%20HTA%20File%20Analysis%20-%20Part%202/29676 Apple Updates for Older Operating Systems https://support.apple.com/en-us/HT201222 MSI Attack May Affect BIOS Updates https://www.msi.com/news/detail/MSI-Statement-141688 KB5021130: How to manage the Netlogon protocol changes related to CVE-2022-38023 https://support.microsoft.com/en-us/topic/kb5021130-how-to-manage-the-netlogon-protocol-changes-related-to-cve-2022-38023-46ea3067-3989-4d40-963c-680fd9e8ee25 keywords: netlogon; msi; bios; firmware; apple; hta; malware

YARA API Usage Rules; Apple 0-Day; VM2 Library Vuln; Netlogon Changes Coming Detecting Suspicious API Usage with YARA Rules https://isc.sans.edu/diary/Detecting%20Suspicious%20API%20Usage%20with%20YARA%20Rules/29724 Apple Patching Two 0-Day Vulnerabilities in iOS and macOS https://isc.sans.edu/diary/Apple%20Patching%20Two%200-Day%20Vulnerabilities%20in%20iOS%20and%20macOS/29726 VM2 Sandbox Escape https://github.com/patriksimek/vm2/security/advisories/GHSA-7jxr-cg7f-gpgv https://gist.github.com/seongil-wi/2a44e082001b959bfe304b62121fb76d Microsoft Netlogon: Potential Upcoming Impacts of CVE-2022-38023 https://isc.sans.edu/diary/Microsoft%20Netlogon%3A%20Potential%20Upcoming%20Impacts%20of%20CVE-2022-38023/29728 keywords: microsoft; netlogon; vm2; apple; ios; macos; safari; webkit; 0-day; api; yara

Malicious SFX Files; loldrivers; Trellix Priv Esc; HP LasterJet Vuln Self Extracting Archives https://www.crowdstrike.com/blog/self-extracting-archives-decoy-files-and-their-hidden-payloads/ loldrivers https://www.loldrivers.io Trellix Privilege Escalation https://kcm.trellix.com/corporate/index?page=content&id=SB10396 HP LaserJet Vuln. https://support.hp.com/us-en/document/ish_7905330-7905358-16/hpsbpi03838 keywords: hp; lasterjet; trellix; loldrivers; sfx; self extracting archives;

jq and cowrie; NEXX Vulnerability; OneNote Changes Exploration of DShield Cowrie Data with jq https://isc.sans.edu/diary/Exploration%20of%20DShield%20Cowrie%20Data%20with%20jq/29714 NEXX Garage Door Vulnerability https://medium.com/@samsabetan/the-uninvited-guest-idors-garage-doors-and-stolen-secrets-e4b49e02dadc OneNote Changes https://learn.microsoft.com/en-us/deployoffice/security/onenote-extension-block MSFT Changes to Auto-Update https://learn.microsoft.com/en-us/windows/release-health/windows-message-center#3060 NPM Spam DDoS Attacks https://www.helpnetsecurity.com/2023/04/05/flood-of-malicious-packages-results-in-npm-registry-dos/ keywords: npm; spam; ddos; microsoft; patching; one note; nexx; jq; cowrie

efile.com Malware; Veritas Backup Exploited; Sophos Web Applicance; Zimbra Attacks Analyzing the efile.com Malware https://isc.sans.edu/diary/Analyzing+the+efilecom+Malware+efail/29712 ALPHV Ransomware Targets Backup Installations https://www.mandiant.com/resources/blog/alphv-ransomware-backup Sophos Web Appliance Vulnerability (and EoL) https://www.sophos.com/en-us/security-advisories/sophos-sa-20230404-swa-rce Zimbra Exploited in Targeted Attacks https://www.proofpoint.com/us/blog/threat-insight/exploitation-dish-best-served-cold-winter-vivern-uses-known-zimbra-vulnerability keywords: zimbra; sophos; alphv; ransomware; backups; veritas; efile.com; malware; phython; php