SANS Internet Storm Center's Daily Network Security News Podcast

PE Overlays; Apple Updates; Ivanti EOL Issue; MSFT Patch Tuesday Revision; DLink Vulns; Managing PE Files with Overlays https://isc.sans.edu/forums/diary/Managing%20PE%20Files%20With%20Overlays/31268/ Apple Updates https://support.apple.com/en-us/100100 Ivanti EOL Cloud Service Appliances https://www.cisa.gov/news-events/alerts/2024/09/13/ivanti-releases-security-update-cloud-services-appliance Microsoft Revises September Update https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-43461 DLink Vulnerabilities https://www.twcert.org.tw/en/cp-139-8081-3fb39-2.html https://www.twcert.org.tw/en/cp-139-8091-bcd52-2.html https://www.twcert.org.tw/en/cp-139-8089-32df6-2.html keywords: dlink; microsoft; september; mshtml; ivanti; csa; overlays; python; pe

DBScan Examples; Credential Flusher; Ivanti Vulnerabilities; File Sender; Docker Patch Finding Honeypot Clusters Using DBSCAN https://isc.sans.edu/diary/Finding%20Honeypot%20Data%20Clusters%20Using%20DBSCAN%3A%20Part%202/31194 Auto IT Credential Flusher https://research.openanalysis.net/credflusher/kiosk/stealer/stealc/amadey/autoit/2024/09/11/cred-flusher.html Ivanti Patches https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Cloud-Service-Appliance-CSA-CVE-2024-8190?language=en_US https://www.horizon3.ai/attack-research/attack-blogs/cve-2024-29847-deep-dive-ivanti-endpoint-manager-agentportal-deserialization-of-untrusted-data-remote-code-execution-vulnerability/ File Sender Vulnerability https://filesender.org/vulnerability-in-filesender-versions-below-2-49-and-3-x-beta/ Docker Patches https://docs.docker.com/desktop/release-notes/#4342 keywords: docker; file sender; ivanti; auto-it; honeypot; dbscan; credential flusher; kiosk mode;

Whois Trust Issues; MSFT Security APIs; MSFT PQC Implementation; GitLbab Patch Compromise of old hostname .mobi whois server https://labs.watchtowr.com/we-spent-20-to-achieve-rce-and-accidentally-became-the-admins-of-mobi/ Microsoft Reconsidering Security Tool API https://blogs.windows.com/windowsexperience/2024/09/12/taking-steps-that-drive-resiliency-and-security-for-windows-customers/ Microsoft implents PQC in SymCrypt https://techcommunity.microsoft.com/t5/security-compliance-and-identity/microsoft-s-quantum-resistant-cryptography-is-here/ba-p/4238780 GitLab Patch https://about.gitlab.com/releases/2024/09/11/patch-release-gitlab-17-3-2-released/#execute-environment-stop-actions-as-the-owner-of-the-stop-action-job keywords: gitlab; microsoft; pqc; symcrypt; security tool; mobi; whois

Microsoft, Adobe and Ivanti Patches Microsoft Patches https://isc.sans.edu/diary/Microsoft%20September%202024%20Patch%20Tuesday/31254 Adobe Patches https://helpx.adobe.com/security/security-bulletin.html Ivanti Patches https://forums.ivanti.com/s/article/Security-Advisory-EPM-September-2024-for-EPM-2024-and-EPM-2022?language=en_US keywords: ivanti; adobe; microsoft; patches

LoadMaster Vuln; HAProxy Patch; Sonicwall SSLVPN Ransomware; Kibana Update; VSCode Abuse Critical Loadmaster Security Vulnerability https://support.kemptechnologies.com/hc/en-us/articles/29196371689613-LoadMaster-Security-Vulnerability-CVE-2024-7591 HA Proxy Patch https://www.mail-archive.com/haproxy%40formilux.org/msg45280.html Akira Ransomware Campaign Targeting Sonicwall SSLVPN Accounts https://arcticwolf.com/resources/blog/arctic-wolf-observes-akira-ransomware-campaign-targeting-sonicwall-sslvpn-accounts/ Kibana Deserializatio Vulnerability https://discuss.elastic.co/t/kibana-8-15-1-security-update-esa-2024-27-esa-2024-28/366119 Stately Taurus Abuses VSCode https://unit42.paloaltonetworks.com/stately-taurus-abuses-vscode-southeast-asian-espionage/ keywords: china; taurus; vscode; kibana; elastic; sslvpn; sonicwall; ransomware; haproxy; loadmaster

Hashcat Power Use; Fake Job Ads; Android OCR Password Stealer; Spouse Sextortion Password Cracking Energy: More Details https://isc.sans.edu/diary/Password%20Cracking%20%26%20Energy%3A%20More%20Dedails/31242 Python Notpad ++ https://isc.sans.edu/diary/Python%20%26%20Notepad%2B%2B/31240 Fake LinkedIn Job Ads https://cloud.google.com/blog/topics/threat-intelligence/examining-web3-heists/ Android Crypto Passphrase Stealer with OCR https://www.mcafee.com/blogs/other-blogs/mcafee-labs/new-android-spyagent-campaign-steals-crypto-credentials-via-image-recognition/ Sextortion Scam Now use Your Chating Spouses Name as a Lure https://www.bleepingcomputer.com/news/security/sextortion-scam-now-use-your-cheating-spouses-name-as-a-lure/ keywords: sextortion; spouse; android; ocr; crypto wallet; stealer; notepad; power; hashcat; linkedin; job ad

Enriching Logs; Veeam Update; More OFBiz Issues; Cisco License Manager Patches; Enrichment Data: Keeping it Fresh https://isc.sans.edu/diary/Enrichment%20Data%3A%20Keeping%20it%20Fresh/31236 Veeam Update https://www.veeam.com/kb4649 New OFBiz Vulnerabilities https://www.rapid7.com/blog/post/2024/09/05/cve-2024-45195-apache-ofbiz-unauthenticated-remote-code-execution-fixed/ Cisco Smart License Manager Patches https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cslu-7gHMzWmw keywords: cisco; ofbiz; veeam; enrichment

Moodle Scans; PyPi Revival Hijack; Android Updates; Mediatec Wifi PoC; Scans for Moodle Learning Platform Following Recent Update https://isc.sans.edu/diary/Scans+for+Moodle+Learning+Platform+Following+Recent+Update/31230 PyPi Rivival HiJack https://jfrog.com/blog/revival-hijack-pypi-hijack-technique-exploited-22k-packages-at-risk/ Android Updates https://source.android.com/docs/security/bulletin/2024-09-01 Mediatec WAPPD PoC Exploit https://blog.coffinsec.com/0day/2024/08/30/exploiting-CVE-2024-20017-four-different-ways.html#wrapping-up keywords: mediatec; android; pypi; moodle

OOXML Text Docs; Photo Sextortion; Zyxel Vuln; DLink Vuln; VMWare Patch; YubiKey Sidechannel Protected OOXML Text Documents https://isc.sans.edu/diary/Protected%20OOXML%20Text%20Documents/31078 Sextortion E-Mails with Photos https://krebsonsecurity.com/2024/09/sextortion-scams-now-include-photos-of-your-home/ Zyxel OS Command Injection Vulnerability https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-os-command-injection-vulnerability-in-aps-and-security-router-devices-09-03-2024 D-Link DIR-846W Unpatched RCE Vulnerabilities https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10411 VMWare Priviledge Escalation Vulnerability CVe-2024-38811 https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24939 YubiKey Sidechannel Attack https://ninjalab.io/wp-content/uploads/2024/09/20240903_eucleak.pdf https://www.yubico.com/support/security-advisories/ysa-2024-03/ keywords: yubikey; vmware; fusion; d-link; dir-846W; zyxel; Sextortion; ooxml;

Convert Wireshark Filter; GitHub Comments Spreading Malware; Google Sheets C2; Jenkins PoC; Wireshark 4.4: Converting Display Filters to BPF Capture Filters https://isc.sans.edu/diary/Wireshark+44+Converting+Display+Filters+to+BPF+Capture+Filters/31224 GitHub Comments Used to Spread Malware https://www.reddit.com/r/Malware/comments/1f2n1h4/comment/lkbi5gi/ Voldemort Malware Curses Orgs Using Global Tax Authorities https://www.darkreading.com/threat-intelligence/voldemort-malware-curses-orgs-global-tax-authorities Analysis of CVE-2024-43044 From file read to RCE in Jenkins through agents https://blog.convisoappsec.com/en/analysis-of-cve-2024-43044/ keywords: jenkins; volemort; google sheets; github; wireshark

Python DLL Patching; Global Protect Phishing; BlackByte Ransomware; Exposed AI Services; Detecting Lateral Movement @sans_edu @BriPwn Live Patching DLLs with Python https://isc.sans.edu/diary/Live%20Patching%20DLLs%20with%20Python/31218 Global Protect Phishing https://www.trendmicro.com/en_us/research/24/h/threat-actors-target-middle-east-using-fake-tool.html BlackByte Ransomware Update https://blog.talosintelligence.com/blackbyte-blends-tried-and-true-tradecraft-with-newly-disclosed-vulnerabilities-to-support-ongoing-attacks/ The Risks Lurking in Publicly Exposed GenAI Development Services https://www.legitsecurity.com/blog/the-risks-lurking-in-publicly-exposed-genai-development-services Finding Lateral Movement of Adversaries Through the Noise of Systems Administration https://www.sans.edu/cyber-research/finding-lateral-movement-adversaries-through-noise-systems-administration/ YouTube Channel: https://www.youtube.com/c/CyberAttackDefense keywords: lateral movement; sans_edu; genai; exposed; llm; blackbyte; vmware; global protect; pan; palo alto; patching; dlls; python

Kibana Vega; EDR Killers; Iran Ransomware; Confluence Exploit; Fortra Vulnerability Vega-Lite With Kibana To Parse and Display IP Activity Over Time https://isc.sans.edu/diary/Vega-Lite%20with%20Kibana%20to%20Parse%20and%20Display%20IP%20Activity%20over%20Time/31210 Attack tool update impairs Windows computers https://news.sophos.com/en-us/2024/08/27/burnt-cigar-2/ Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a Confluence Vulnerabilty Exploited for Crypto Miners https://www.trendmicro.com/en_us/research/24/h/cve-2023-22527-cryptomining.html Fortra FileCatalyst Workflow Hard Coded HSQLDB Credentials https://www.fortra.com/security/advisories/product-security/fi-2024-011 keywords: fortra; filecatalyst; workflow; hsqldb; confulence; miners; iran; vega; atlasian;

Why Python; OFBiz Update; Versa Directory Exploit; Chrome Exploit; SGX Key Leak Why is Python so Popular to Infect Windows Hosts https://isc.sans.edu/diary/Why%20Is%20Python%20so%20Popular%20to%20Infect%20Windows%20Hosts%3F/31208 OFBiz Vulnerability Update https://www.cisa.gov/known-exploited-vulnerabilities-catalog https://nvd.nist.gov/vuln/detail/CVE-2024-38856 Versa Directory Vulnerability Exploited https://versa-networks.com/blog/versa-security-bulletin-update-on-cve-2024-39717-versa-director-dangerous-file-type-upload-vulnerability/ Google Chrome Vulnerability Exploited https://chromereleases.googleblog.com/2024/08/stable-channel-update-for-desktop_21.html SGX Key Leak https://x.com/_markel___/status/1828112469010596347 keywords: sgx; intel; google; chrome; versa; ofbiz; python

Obfuscated XWorm/Redline; Windows IPv6 PoC CVE-2024-38063; From Highly Obfuscated Batch File to XWorm and Redline https://isc.sans.edu/diary/From%20Highly%20Obfuscated%20Batch%20File%20to%20XWorm%20and%20Redline/31204 CVE-2024-38063 Windows IPv6 Issue PoC Exploit https://github.com/ynwarcs/CVE-2024-38063 Not a vulnerability https://github.com/juwenyi/CVE-2024-42992 keywords: pandas; vulnerability; windows; ipv6; cve-2024-38063; xworm; redline

Pandas Encoding Errors; Crowdstrike Slowness; CopyBara; SonicWall Patch Pandas Erros: What encoding are my logs in? https://isc.sans.edu/diary/Pandas%20Errors%3A%20What%20encoding%20are%20my%20logs%20in%3F/31200 Crowdstrike Performance Issues https://www.reddit.com/r/sysadmin/comments/1eyfex6/at_least_its_not_on_a_friday/ CopyBara Malware https://www.zscaler.com/blogs/security-research/technical-analysis-copybara#conclusion SonicWall Vulnerability https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0015 keywords: pandas; parsing; encoding; crowdstriek; copybara; sonicwall

OpenAI Scans; MSFT Broke Linux Boot; Chrome 0-Day; @Cisco Vuln; @Solarwinds Helpdesk; Memory Safety @sans_edu OpenAI Scans Honeypots https://isc.sans.edu/diary/OpenAI%20Scans%20for%20Honeypots.%20Artificially%20Malicious%3F%20Action%20Abuse%3F/31196 Broken Linux Boot Partitions after August Microsoft Update https://learn.microsoft.com/en-us/windows/release-health/status-windows-11-23H2#3377msgdesc Google Fixes Chrome 0-day https://chromereleases.googleblog.com/2024/08/stable-channel-update-for-desktop_21.html Cisco Zero Day Exploited (now Patched) https://www.sygnia.co/blog/china-threat-group-velvet-ant-cisco-zero-day/ Solar Winds Helpdesk Backdoor https://support.solarwinds.com/SuccessCenter/s/article/SolarWinds-Web-Help-Desk-12-8-3-Hotfix-2 Securing the Future: How Memory-Safe Programming Languages Impact Industry Safety (Christopher Ross) https://www.sans.edu/cyber-research/securing-future-how-memory-safe-programming-languages-impact-industry-safety/ keywords: openai; msft; linux; boot; chrome; cisco; solarwinds

DNSTwist on New Domains; Slack AI Prompt Injection; PWA Phishing; QNAP Ransomware Security; @PromptArmor @sudo_Rem Mapping Threats wiht DNSTwist and the Internet Storm Center https://isc.sans.edu/diary/Mapping%20Threats%20with%20DNSTwist%20and%20the%20Internet%20Storm%20Center%20%5BGuest%20Diary%5D/31188 Slack AI Prompt Injection https://promptarmor.substack.com/p/slack-ai-data-exfiltration-from-private Phishing in PWA Applications https://www.welivesecurity.com/en/eset-research/be-careful-what-you-pwish-for-phishing-in-pwa-applications/ QNAP Ransomware Security Center https://www.qnap.com/en/news/2024/qnap-officially-releases-qts-5-2-introducing-security-center-for-active-file-activity-monitoring-elevated-security-and-data-protection keywords: qnap; phishing; slack ai; dnstwist; dns; sans_edu

MSFT IPv6 Vuln Update; MSFT August update and Linux boot issues; php cgi-bin exploited; f5 updates Where are we with CVE-2024-38063: Microsoft IPv6 Vulnerability https://isc.sans.edu/diary/Where+are+we+with+CVE202438063+Microsoft+IPv6+Vulnerability/31186 Microsoft August Update Prevents Linux from Booting https://community.frame.work/t/sbat-verification-error-booting-linux-after-windows-update/56354 PHP CGI Vulnerability Exploited CVE-2024-4577 https://symantec-enterprise-blogs.security.com/threat-intelligence/taiwan-malware-dns F5 Updates https://my.f5.com/manage/s/article/K000140111 https://my.f5.com/manage/s/article/K000140108 keywords: f5; big-ip; php; cgi; microsoft; august; secure boot; safe boot; ipv6

Marshal Python Obfuscation; MacOS Entitlements and MSFT Apps; Digital Wallet Loophole; MSFT CVE-2024-38063 Update Do you like donuts? Here is a donut Shellcode Delivered Through PowerShell Python https://isc.sans.edu/diary/Do%20you%20Like%20Donuts%3F%20Here%20is%20a%20Donut%20Shellcode%20Delivered%20Through%20PowerShell%20Python/31182 How Vulnerabilities in Microsoft Apps for MacOS allow Stealing Permissions https://blog.talosintelligence.com/how-multiple-vulnerabilities-in-microsoft-apps-for-macos-pave-the-way-to-stealing-permissions/ Digital Wallet Security Loophole https://www.umass.edu/news/article/new-study-reveals-loophole-digital-wallet-security-even-if-rightful-cardholder-doesnt Microsoft IPv6 Vulnerability CVE-2024-38063 https://x.com/f4rmpoet/status/1825472703223992323 YouTube Video (going live 10am ET) https://www.youtube.com/watch?v=miBb1llFOYQ keywords: youtube; ipv6; microsoft; cve-2024-38063; digital wallet; credit card; marshal, python; donut; macos; apps; microsoft; entitlements

Summarizing WebHpot Logs; Exposed env files; Chrome Auto Redaction; Google Ad Scammers; Hacking Bike Shifters; Summarizing Web Honeypot Logs https://isc.sans.edu/diary/%5BGuest%20Diary%5D%207%20minutes%20and%204%20steps%20to%20a%20quick%20win%3A%20A%20write-up%20on%20custom%20tools/31170 Large Scale Cloud Extortion Operation https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/ Chrome Redacting Credit Cards and Passwords when you share Android Screens https://www.bleepingcomputer.com/news/google/chrome-will-redact-credit-cards-passwords-when-you-share-android-screen/ Google Products Targeted by Search Ad Scammers https://www.malwarebytes.com/blog/scams/2024/08/dozens-of-google-products-targeted-by-scammers-via-malicious-search-ads MakeShift: Security Analysis of Shimano Di2 Wireless Gear Shifting in Bicyles https://www.usenix.org/system/files/woot24-motallebighomi.pdf keywords: shimano; bike; shifter; google; ads; scams; chrome; cloud; env; honeypot

Wireshark 4.4rc1; Github Aritfact Token Leaks; Bitlocker Fix Issues; Solarwinds Hotfix; Ed Skoudis: The Code of Honor @sans_edu Wireshark 4.4.0 rc 1 Custom Columns https://isc.sans.edu/diary/Wireshark%204.4.0rc1%27s%20Custom%20Columns/31174 Github Repo Artifact Leak Tokens https://unit42.paloaltonetworks.com/github-repo-artifacts-leak-tokens/ BitLocker Security Feature Bypass Vulnerability https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-38058 Solarwindws Hotfix https://support.solarwinds.com/SuccessCenter/s/article/WHD-12-8-3-Hotfix-1 Ed Skoudis, Paul Maurer: The Code of Honor https://cybercodeofhonor.com/ keywords: honor; code; ethids; skoudis; sans.edu;

MSI Malware; Windows IPv6 Vuln; Critical Ivanti Patch; Adobe Patches; MSI Malware https://isc.sans.edu/diary/Multiple%20Malware%20Dropped%20Through%20MSI%20Package/31168 Microsoft IPv6 Vulnerablity CVE-2024-38063 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38063 https://x.com/XiaoWei___/status/1823532146679799993/photo/1 Critical Ivanti Virtual Traffic Manager Patch CVE-2024-7593 https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Virtual-Traffic-Manager-vTM-CVE-2024-7593?language=en_US Adobe Patches https://helpx.adobe.com/security/security-bulletin.html keywords: ivanti; adobe; traffic manager; microsoft; ipv6; msi; malware;

Microsoft Patches; Post Quantum Encryption; Zabbix Vulns; Microsoft August 2024 Patch Tuesday https://isc.sans.edu/diary/Microsoft%20August%202024%20Patch%20Tuesday/31164 NIST Finalizes Post Quantum Encryption Standards https://www.nist.gov/news-events/news/2024/08/nist-releases-first-3-finalized-post-quantum-encryption-standards Zabbix Network Monitoring Updates https://support.zabbix.com/browse/ZBX-25016 https://support.zabbix.com/browse/ZBX-25013 (and others) keywords: zabbix; nist; microsoft; patches;

Quick Share Vulns; Chrome/Edge Malicious Extensions; AMD Vuln Patched; QuickShell: Sharing is Caring about an RCE Attack Chain on Quick Share https://www.safebreach.com/blog/rce-attack-chain-on-quick-share Chrome, Edge users beset by malicious extensions that can't be easily removed https://www.helpnetsecurity.com/2024/08/12/chrome-edge-malicious-browser-extensions/ AMD Guest Memory Vulnerabilities https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7014.html keywords: amd; flaw; smm; chrome; edge; extension; quckshell; quick share; google; android

CORS/SameOrigin Video; E-Mail Parser Issues; Apache HTTP Confusion Attacks; Office Spoofing 0-Day; CORS/SameOrigin Video https://isc.sans.edu/forums/diary/Video%3A%20Same%20Origin%2C%20CORS%2C%20DNS%20Rebinding%20and%20Localhost/31158/ Splitting the email atom: exploiting parsers to bypass access controls https://portswigger.net/research/splitting-the-email-atom#parser-discrepancies Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server! https://blog.orange.tw/2024/08/confusion-attacks-en.html GL-Inet Patches https://www.gl-inet.com/security-updates/security-advisories-vulnerabilities-and-cves-aug-1-2024/ Microsoft Office Spoofing Vulnerability https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38200 keywords: microsoft; office; gl-inet; confusion; apache; http; email; parsing; cors; sameorgin;

Disabling Phish Warning; SSHAMBLE; macOS Permission Prompts; .internal Domain Exploring Anti-Phishing Measures in Microsoft 365 https://certitude.consulting/blog/en/o365-anti-phishing-measures/ SSHamble Security Testing Tool https://www.runzero.com/blog/sshamble-unexpected-exposures-in-the-secure-shell/ macOS Sequoia Weekly Permission Prompts https://9to5mac.com/2024/08/06/macos-sequoia-screen-recording-privacy-prompt/ .internal domain https://www.icann.org/en/public-comment/proceeding/proposed-top-level-domain-string-for-private-use-24-01-2024 keywords: internal, macos; sequoia; sshamble; microsoft; phishing

0.0.0.0 Requests; Apple Gatekeeper Changes; Windows Downgrade 0.0.0.0 Day Exploiting Localhost APIs from the Browser https://www.oligo.security/blog/0-0-0-0-day-exploiting-localhost-apis-from-the-browser Apple Hardens Gatekeeper https://developer.apple.com/news/?id=saqachfa Downgrade Attacks Using Windows Updates https://www.safebreach.com/blog/downgrade-attacks-using-windows-updates/ keywords: windows; updates; apple; gatekeeper; APIs; 0.0.0.0; loopback

GeoServer Update; Crowdstrike RCA; Kibana Vuln; Android Patch Day; A Survey of Scans For GeoServer Vulnerabilities https://isc.sans.edu/diary/A%20Survey%20of%20Scans%20for%20GeoServer%20Vulnerabilities/31148 Crowdstrike Root Cause Analysis https://www.crowdstrike.com/falcon-content-update-remediation-and-guidance-hub/ Kibana Vulnerability https://discuss.elastic.co/t/kibana-8-14-2-7-17-23-security-update-esa-2024-22/364424 Android August 2024 Bulletin https://source.android.com/docs/security/bulletin/2024-08-01 Ubiquity Amplication Attack Vulnerability Update https://blog.checkpoint.com/research/over-20000-ubiquiti-cameras-and-routers-are-vulnerable-to-amplification-attacks-and-privacy-risks/ keywords: geoserver; crowdstrike; kibana; android; ubiquity; unifi

Function Confusion Obfuscation; Crowdstrike LPE Vuln; New OFBiz Vuln; Roundcube XSS Vuln; Script Obfuscation Using Multiple Instances of the Same Function https://isc.sans.edu/diary/Script%20obfuscation%20using%20multiple%20instances%20of%20the%20same%20function/31144 Disclosure of key technical details of CrowdStrike's large-scale blue screen https://mp.weixin.qq.com/s/uD7mhzyRSX1dTW-TMg4UhQ New OFBiz Vulnerability https://issues.apache.org/jira/browse/OFBIZ-13128 https://www.youtube.com/watch?v=J_IxCBjd4Pw Roundcube XSS Vulnerabilities https://securityonline.info/roundcube-webmail-releases-security-updates-to-patch-multiple-vulnerabilities/ keywords: roundcube; xss; ofbiz; crowdstrike; objuscation;

Secure Boot CA; OOXML Verifier Hashes; ISP Compromises; DARPA TRACTOR; Current Secure Boot Certifiate Authority Expires in 2026 https://isc.sans.edu/diary/Even+Linux+users+should+take+a+look+at+this+Microsoft+KB+article/31140 OOXML Spreadsheets Protected by Verifier Hashes https://isc.sans.edu/diary/OOXML%20Spreadsheets%20Protected%20By%20Verifier%20Hashes/31072 StormBamboo Compromises ISP to Abuse Insecure Software Update Mechanisms https://www.volexity.com/blog/2024/08/02/stormbamboo-compromises-isp-to-abuse-insecure-software-update-mechanisms/ DARPA TRACTOR Program for Translating C to Rust https://www.darpa.mil/news-events/2024-07-31a keywords: darpa; tractor; rust; c; stormbamboo; isp; evilgrade; updates; ooxml; xls; ole; verifier; hashes; secure boot

ipv4.games; Fake Google Authenticator; Sitting Ducks Domains Tracking Proxy Scans with IPv4.Games https://isc.sans.edu/diary/Tracking%20Proxy%20Scans%20with%20IPv4.Games/31136 Threat Actor Impersonates Google via Fake Ad For Authenticator https://www.malwarebytes.com/blog/news/2024/07/threat-actor-impersonates-google-via-fake-ad-for-authenticator Who Knew? Domain Hijacking is so easy https://blogs.infoblox.com/threat-intelligence/who-knew-domain-hijacking-is-so-easy/ keywords: domain; hijacking; google; ads; authenticator; proxy; scans; ip4.games

OFBiz Scans; Digicert Revocations; MSFT Azure DDoS; Google Chrome App Bound Encryption Increased Activity Against Apache OFBiz CVS-2024-32113 https://isc.sans.edu/diary/Increased%20Activity%20Against%20Apache%20OFBiz%20CVE-2024-32113/31132 Digicert Certificate Revocation Incident https://www.digicert.com/support/certificate-revocation-incident Microsoft Azure Outage https://azure.status.microsoft/en-us/status/history/ Improving Security of Chrome Cookies https://security.googleblog.com/2024/07/improving-security-of-chrome-cookies-on.html keywords: cookies; chrome; google; microsoft; azure; outage; ddos; digicert; revocation; apache; ofbiz;

Apple Updates; VMWare Vuln Exploited; Weak VoWiFi Encryption Apple Updates Everything: July 2024 Edition https://isc.sans.edu/diary/Apple%20Patches%20Everything.%20July%202024%20Edition/31128 VMWare ESXi Vulnerability Actively Exploited CVE-2024-37085 https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/ Weak VoWiFi Encryption CVE-2024-22064 https://idw-online.de/en/news837652 keywords: vowifi; zte; vmware; esxi; apple; ios; macos; patches

CrowdStrike Maldoc; HotJar XSS; Proofpoint Echospoofing; CrowdStrike Outage Themed Maldoc https://isc.sans.edu/diary/CrowdStrike%20Outage%20Themed%20Maldoc/31116 HotJar XSS Puts OAuth at Risk https://salt.security/blog/over-1-million-websites-are-at-risk-of-sensitive-information-leakage---xss-is-dead-long-live-xss Proofpoint Echospoofing https://labs.guard.io/echospoofing-a-massive-phishing-campaign-exploiting-proofpoints-email-protection-to-dispatch-3dd6b5417db6 keywords: proofpoint; echospoofing; dkim; hotjar; xss; crowdstriek; maldoc; grammarly

ExelaStealer and more; BSOD Practice; PK Fail; @CrowdStrike Recovery; #pkfail #bsod ExelaStealer Delivered "From Russia With Love" https://isc.sans.edu/diary/31118 Create Your Own BSOD: NotMyFault https://isc.sans.edu/diary/Create%20Your%20Own%20BSOD%3A%20NotMyFault/31120 PKFail Vulnerability https://pk.fail/ CrowdStrike Recovery https://arstechnica.com/information-technology/2024/07/97-of-crowdstrike-systems-are-back-online-microsoft-suggests-windows-changes/ keywords: crowdstrike; pkfail; bsod; notmyfaul; exelastealer; russia

XWorm Analysis; Private/Deleted GitHub Leak; Google Chrome Scanning Encrypted Files X-Worm Hidden With Process Hollowing https://isc.sans.edu/diary/XWorm%20Hidden%20With%20Process%20Hollowing/31112 Anyone Can Access Deleted and Private Repo Data on GitHub https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github Google Chrome Scanning Encrypted Files https://arstechnica.com/security/2024/07/google-overhauls-chromes-safe-browsing-protection-to-scan-password-protected-files/ keywords: google; chrome; repo; github; leak; private; x-worm; xworm;

Mouse Logger; Crowdstrike PIR; Fake Developers; "Mouse Logger" Malicious Python Script https://isc.sans.edu/diary/%22Mouse%20Logger%22%20Malicious%20Python%20Script/31106 Crowdstrike Preliminary Post Incident Review https://www.crowdstrike.com/falcon-content-update-remediation-and-guidance-hub/ How a North Korean Fake IT Worker Tried to Infiltrate Us https://blog.knowbe4.com/how-a-north-korean-fake-it-worker-tried-to-infiltrate-us keywords: north korea; developer; fake; crowdstrike; mouse logger; python

D-Link NAS Exploit; Android Fake Video Exp; Windows Hello For Bussines Phishing; The end of OCSP; Google Cookie Update; New Exploit Variation Against D-Link NAS Devices https://isc.sans.edu/diary/New%20Exploit%20Variation%20Against%20D-Link%20NAS%20Devices%20%28CVE-2024-3273%29/31102 APKs Masquerading as Videos on Telegram https://www.welivesecurity.com/en/eset-research/cursed-tapes-exploiting-evilvideo-vulnerability-telegram-android/ Goodbye Attackers can Bypass Windows Hello Strong Authentication https://www.darkreading.com/endpoint-security/goodbye-attackers-can-bypass-windows-hello-strong-authentication Let's Encrypt Intends to End OCSP Service https://letsencrypt.org/2024/07/23/replacing-ocsp-with-crls.html Google Third-Party Cookies are hanging around https://privacysandbox.com/intl/en_us/news/privacy-sandbox-update/ keywords: google; cookies; dlink; apk; video; telegram; windows; hello; ocsp; crl; let's encrypt;

CrowdStrike Update; SANSFIRE Keynote Recording; CrowdStrike Update https://isc.sans.edu/diary/CrowdStrike%3A%20The%20Monday%20After/31098 https://www.theregister.com/2024/07/21/crowdstrike_linux_crashes_restoration_tools/ Keynote Recording https://www.sans.org/services/video-player/?key=1goL2vPrltnj keywords: sansfire; keynote; crowdstrike; linux;

Crowdstrike Configuration File Update Crashes Windows Systems @crowdstrike Widespread Windows Crashes Due to Crowdstrike Updates https://isc.sans.edu/diary/Widespread%20Windows%20Crashes%20Due%20to%20Crowdstrike%20Updates/31094 https://www.crowdstrike.com/falcon-content-update-remediation-and-guidance-hub/ https://www.crowdstrike.com/blog/falcon-update-for-windows-hosts-technical-details/ https://techcommunity.microsoft.com/t5/intune-customer-success/new-recovery-tool-to-help-with-crowdstrike-issue-impacting/ba-p/4196959 keywords: crowdstrike; windows; crash;

Oracle CPU; DANE for Exchange Online; VPN Port Shadowing Oracle Quarterly Critical Patch Update https://www.oracle.com/security-alerts/cpujul2024.html Exchange Online Implementing Inbound SMTP DANE with DNSSEC https://techcommunity.microsoft.com/t5/exchange-team-blog/announcing-public-preview-of-inbound-smtp-dane-with-dnssec-for/ba-p/4155257 VPN Port Shadowing Vulnerability https://petsymposium.org/popets/2024/popets-2024-0070.pdf keywords: vpn; shadow; port; shadowing; exchange; smtp; dane; dnssec; oracle;

AndroxGh0st; Cisco SSM Vuln; Cisco Email Gateway Vuln; MSFT Checkpoint Updates; GeoServer Patch; Who You Gonna Call: Androx Gh0st Busters! https://isc.sans.edu/diary/Who%20You%20Gonna%20Call%3F%20AndroxGh0st%20Busters!%20%5BGuest%20Diary%5D/31086 Cisco Smart Software Manager Vulnerability CVE-2024-20419 https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cssm-auth-sLw3uhUy Critical Security Flaw in Cisco Secure Email Gateway: CVE-2024-20401 https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-afw-bGG2UsjH Microsoft Introducing Checkpoint Updates https://techcommunity.microsoft.com/t5/windows-it-pro-blog/introducing-windows-11-checkpoint-cumulative-updates/ba-p/4182552 GeoServer Patches https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv keywords: geoserver; msft; checkpoint; updates; cisco; email; ssm; smart software manager; androxghost;

Reply Chain Phishing; TP-Link/Synology IP Camera Exploits; Adobe Commerce Exploit; Reply Chain Phishing With a Twist https://isc.sans.edu/diary/%22Reply-chain%20phishing%22%20with%20a%20twist/31084 Claroty TP-Link and Synology IP Camera Exploits https://claroty.com/team82/research/pivoting-from-wan-to-lan-synology-bc500-ip-camera https://claroty.com/team82/research/pwn2own-wan-to-lan-exploit-showcase Cosmic Sting Hits Adobe Commerce Stores https://sansec.io/research/cosmicsting-hitting-major-stores keywords: cosmic string; adobe; commerce; magento; claroty; tp-link; synology; replay chain; spam; phishing

OOXML Protected Spreadsheets; Leaked PyPi Secret; June MSFT Patch Issues; Protected OOXML Spreadsheets https://isc.sans.edu/diary/Protected%20OOXML%20Spreadsheets/31070 Leaked PyPi Secret Token Revealed in Binary https://jfrog.com/blog/leaked-pypi-secret-token-revealed-in-binary-preventing-suppy-chain-attack/ Microsoft 365 Defender Affected by June Update https://learn.microsoft.com/en-us/windows/release-health/status-windows-server-2022#network-data-reporting-from-microsoft-365-defender-may-be-interrupted keywords: microsoft; patch; defender; june; pypi; token; github; ooxml; protected; password; hashcat

XLS Hash Collisions; Nette Attacks; Squarespace Domain Hijack 16-Bit Hash Collisions in XLS Spreadsheets https://isc.sans.edu/diary/16-bit%20Hash%20Collisions%20in%20.xls%20Spreadsheets/31066 Attacks against the "Nette" PHP framework CVE-2020-15227 https://isc.sans.edu/forums/diary/Attacks+against+the+Nette+PHP+framework+CVE202015227/31076/ Squarespace Hijacked Domains https://github.com/security-alliance/advisories/blob/main/2024-07-squarespace.pdf keywords: squarespace; google; domains; nette; php; xls; spreadsheets; collisions

Honeypot Fingerprinting; Veeam Exploited; Juniper Patches; VMWAre Aria SQLi; SMS Leak Understanding SSH Honeypot Logs: Attackers Fingerprinting Honeypots https://isc.sans.edu/diary/Understanding%20SSH%20Honeypot%20Logs%3A%20Attackers%20Fingerprinting%20Honeypots/31064 Patch or Peril: A Veeam Vulnerability Incident https://www.group-ib.com/blog/estate-ransomware/ Juniper Patches https://supportportal.juniper.net/s/global-search/%40uri?language=en_US#sort=%40sfcec_community_publish_date_formula__c%20descending&f:ctype=[Security%20Advisories] VMWare Aria Automation SQL Injection Vuln; https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24598 Leaked SMS Messages https://www.ccc.de/de/updates/2024/2fa-sms keywords: ccc; sms; vmware; aria; juniper; veeam; ssh; honeypot

DBSCAN and Honeypot Data; Another SSH Vuln; URL File Exploit; Sharepoint PoC; Citrix and OpenVPN updates Finding Honeypot Data Clusters Using DBSCAN Part 1 https://isc.sans.edu/diary/Finding%20Honeypot%20Data%20Clusters%20Using%20DBSCAN%3A%20Part%201/31050 Second RegreSSHion Like OpenSSH Vulnerability https://lwn.net/ml/all/[email protected]/ Resurrecting Internet Explorer: Threat Actors Using Zero-Day Tricks in Internet Shortcut File CVE-2024-38112 https://research.checkpoint.com/2024/resurrecting-internet-explorer-threat-actors-using-zero-day-tricks-in-internet-shortcut-file-to-lure-victims-cve-2024-38112/ SharePoint Proof of Concept Exploit CVE-2024-38094 CVE-2024-38024 CVE-2024-38023 https://github.com/testanull/MS-SharePoint-July-Patch-RCE-PoC/blob/main/poc_filtered.py Citrix Netscaler, Agent and SDX Security Bulletin CVE-2024-6235 CVE-2024-6236 https://support.citrix.com/article/CTX677998/netscaler-console-agent-and-sdx-security-bulletin-for-cve20246235-and-cve20246236 OpenVPN Updates https://openvpn.net/security-advisory/ovpnx-vulnerability-cve-2024-27903-cve-2024-27459-cve-2024-24974/ keywords: openvpn; citrix; netscaler; sharepoint; internet explorer; mshtml; microsoft; url; regression; openssh; honeypot; dbscan;

Microsoft Patches; Adobe Patches; RADIUS Vuln; Microsoft Patch Tuesday July 2024 https://isc.sans.edu/diary/Microsoft%20Patch%20Tuesday%20July%202024/31058 Adobe Patches https://helpx.adobe.com/security/security-bulletin.html RADIUS protocol susceptible to forgery attacks https://kb.cert.org/vuls/id/456537 https://www.inkbridgenetworks.com/blastradius/faq keywords: radius; blastradius; adobe; microsoft; patches;

Kunai #kunai_project; DoNex Decryptor; Shelltorch Explained; Exim Vuln; Toshiba/Sharp Printer Vulns; Kunai: Keep an Eye on your Linux Hosts Activity https://isc.sans.edu/diary/Kunai%3A%20Keep%20an%20Eye%20on%20your%20Linux%20Hosts%20Activity/31054 Decryptor for DoNex Ransomware https://decoded.avast.io/threatresearch/decrypted-donex-ransomware-and-its-predecessors/ Shelltorch Explained: Multiple Vulnerabilities in Pytorch Model Server (Torchserve) https://www.oligo.security/blog/shelltorch-explained-multiple-vulnerabilities-in-pytorch-model-server Exim Bypass Attachment Inspection https://bugs.exim.org/show_bug.cgi?id=3099#c4 Toshiba/Sharp Printer vulnerabilities https://pierrekim.github.io/blog/2024-06-27-toshiba-mfp-40-vulnerabilities.html https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html keywords: toshiba; sharp; exim; shelltorch; pytorch; donex; avast; kunai;

OpenSSH Vulnerablity; HE.Net Downtime; Cloudflare DNS Outage; OpenSSH RegreSSHion Vulnerability https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt https://isc.sans.edu/diary/SSH%20%22regreSSHion%22%20Remote%20Code%20Execution%20Vulnerability%20in%20OpenSSH./31046 Overlooked Domain Name Resliency Issues: Registrar Communications https://isc.sans.edu/diary/Overlooked%20Domain%20Name%20Resiliency%20Issues%3A%20Registrar%20Communications/31048 Cloudflare 1.1.1.1 incident on Juine 27th 2024 https://blog.cloudflare.com/cloudflare-1111-incident-on-june-27-2024 keywords: cloudflare; dos; bgp; dns; registrar; hurricane electric; openssh; regresshion;