Afleveringen
-
Commonly Probed Webshell URLs
Many attackers deploy web shells to gain a foothold on vulnerable web servers. These webshells can also be taken over by parasitic exploits.
https://isc.sans.edu/diary/Commonly%20Probed%20Webshell%20URLs/31748
Undocumented ESP32 Commands
A recent conference presentation by Tarlogic revealed several "backdoors" or undocumented features in the commonly used ESP32 Chipsets. Tarlogic also released a toolkit to make it easier to audit chipsets and find these hiddent commands.
https://www.tarlogic.com/news/backdoor-esp32-chip-infect-ot-devices/
Camera Off: Akira deploys ransomware via Webcam
The Akira ransomware group was recently observed infecting a network with Ransomware by taking advantage of a webcam.
https://www.s-rminform.com/latest-thinking/camera-off-akira-deploys-ransomware-via-webcam -
Latest Google Chrome Update Encourages UBlock Origin Removal
The latest update to Google Chrome not only disabled the UBlock Origin ad blocker, but also guides users to uninstall the extension instead of re-enabling it.
https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop.html
https://www.reddit.com/r/youtube/comments/1j2ec76/ublock_origin_is_gone/
Critical Kibana Update
Elastic published a critical Kibana update patching a prototype polution vulnerability that would allow arbitrary code execution for users with the "Viewer" role.
https://discuss.elastic.co/t/kibana-8-17-3-security-update-esa-2025-06/375441
Certified PrePw0n3d Android TV Sticks
Wired is reporting of over a million Android TV sticks that were found to be pre-infected with adware
https://www.wired.com/story/android-tv-streaming-boxes-china-backdoor/
SANS.edu Research Paper
Advanced Persistent Threats (APTs) are among the most challenging to detect in enterprise environments, often mimicking authorized privileged access prior to their actions on objectives.
https://www.sans.edu/cyber-research/identifying-advanced-persistent-threat-activity-through-threat-informed-detection-engineering-enhancing-alert-visibility-enterprises/ -
Zijn er afleveringen die ontbreken?
-
DShield Traffic Analysis using ELK
The "DShield SIEM" includes an ELK dashboard as part of the Honeypot. Learn how to find traffic of interest with this tool.
https://isc.sans.edu/diary/DShield%20Traffic%20Analysis%20using%20ELK/31742
Zen and the Art of Microcode Hacking
Google released details, including a proof of concept exploit, showing how to take advantage of the recently patched AMD microcode vulnerability
https://bughunters.google.com/blog/5424842357473280/zen-and-the-art-of-microcode-hacking CVE-2024-56161
VIM Vulnerability
An attacker may execute arbitrary code by tricking a user to open a crafted tar file in VIM
https://github.com/vim/vim/security/advisories/GHSA-wfmf-8626-q3r3
Snil Mail Fake Ransom Note
A copy cat group is impersonating ransomware actors. The group sends snail mail to company executives claiming to have stolen company data and threatening to leak it unless a payment is made.
https://www.guidepointsecurity.com/blog/snail-mail-fail-fake-ransom-note-campaign-preys-on-fear/ -
Romanian Distillery Scanning for SMTP Credentials
A particular attacker expanded the scope of their leaked credential file scans. In addition to the usual ".env" style files, it is not looking for specific SMTP related credential files.
https://isc.sans.edu/diary/Romanian%20Distillery%20Scanning%20for%20SMTP%20Credentials/31736
Tool Updates: mac-robber.py
This update of mac-robber.py fixes issues with symlinks.
https://isc.sans.edu/diary/Tool%20update%3A%20mac-robber.py/31738
CVE-2025-1723 Account takeover vulnerability in ADSelfService Plus
CVE-2025-1723 describes a vulnerability caused by session mishandling in ADSelfService Plus that could allow unauthorized access to user enrollment data when MFA was not enabled for ADSelfService Plus login.
https://www.manageengine.com/products/self-service-password/advisory/CVE-2025-1723.html
Android March Update
Google released an update for Android addressing two already exploited vulnerabilities and several critical issues.
https://source.android.com/docs/security/bulletin/2025-03-01
PayPal's no-code-checkout Abuse
Attackers are using PayPal's no-code-checkout feature is being abused by scammers to host PayPal tech support scam pages right within the PayPal.com domain.
https://www.malwarebytes.com/blog/scams/2025/02/paypals-no-code-checkout-abused-by-scammers
Broadcom Fixes three VMWare VCenter Vulnerabilities
https://github.com/vmware/vcf-security-and-compliance-guidelines/tree/main/security-advisories/vmsa-2025-0004 -
Mark of the Web: Some Technical Details
Windows implements the "Mark of the Web" (MotW) as an alternate data stream that contains not just the "zoneid" of where the file came from, but may include other data like the exact URL and referrer.
https://isc.sans.edu/diary/Mark%20of%20the%20Web%3A%20Some%20Technical%20Details/31732
Havoc Sharepoint with Microsoft Graph API
A recent phishing attack observed by Fortinet uses a simple HTML email to trick a user into copy pasting powershell into their system to execute additional code. Most of the malware interaction uses a Sharepoint site via Microsoft's Graph API futher hiding the malicious traffic
https://www.fortinet.com/blog/threat-research/havoc-sharepoint-with-microsoft-graph-api-turns-into-fud-c2
Paragon Partition Manager Exploit
A vulnerable Paragon Partition Manager has been user recently to escalate privileges for ransomware deployment. Even if you to not have PAragon installed: An attacker may just "bring the vulnerable driver" to your system.
https://kb.cert.org/vuls/id/726882 -
Common Crawl includes Common Leaks
The "Common Crawl" dataset, a large dataset created by spidering website, contains as expected many API keys and other secrets. This data is often used to train large language models
https://trufflesecurity.com/blog/research-finds-12-000-live-api-keys-and-passwords-in-deepseek-s-training-data
Github Repositories Exposed by Copilot
As it is well known, Github's Copilot is using data from public GitHub repositories to train it's model. However, it appears that repositories who were briefly left open and later made private have been included as well, allowing Copilot users to retrieve files from these repositories.
https://www.lasso.security/blog/lasso-major-vulnerability-in-microsoft-copilot
MITRE Caldera Framework Allows Unauthenticated Code Execution
The MITRE Caldera adversary emulation framework allows for unauthenticted code execution by allowing attackers to specify compiler options
https://medium.com/@mitrecaldera/mitre-caldera-security-advisory-remote-code-execution-cve-2025-27364-5f679e2e2a0e
modsecurity Rule Bypass
Attackers may bypass the modsecurity web application firewall by prepending encoded characters with 0.
https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-42w7-rmv5-4x2j -
Njrat Compaign Using Microsoft dev Tunnels:
A recent version of the Njrat remote admin tool is taking advantage of Microsoft's developer tunnels (devtunnels.ms) as a command and control channel.
https://isc.sans.edu/diary/Njrat%20Campaign%20Using%20Microsoft%20Dev%20Tunnels/31724
NrootTag Apple FindMy Abuse
Malware could use a weakness in the keys used for Apple FindMy to abuse it to track victims. Updates were released with iOS 18.2, but to solve the issue the vast majority of Apple users must update.
https://nroottag.github.io/
360XSS: Mass Website Exploitation via Virtual Tour Framework
The Krpano VR library which is often used to implement 3D virtual tours on real estate websites, is currently being abused to inject spam messages. The XSS vulnerabilty could allow attackers to inject even more malicious JavaScript.
https://olegzay.com/360xss/
SANS.edu Research: Proof is in the Pudding: EDR Configuration Versus Ransomware. Benjamin Powell
https://www.sans.edu/cyber-research/proof-pudding-edr-configuration-versus-ransomware/ -
Attacker of of Ephemeral Ports
Attackers often use ephermeral ports to reach out to download additional resources or exfiltrate data. This can be used, with care, to detect possible compromises.
https://isc.sans.edu/diary/%5BGuest%20Diary%5D%20Malware%20Source%20Servers%3A%20The%20Threat%20of%20Attackers%20Using%20Ephemeral%20Ports%20as%20Service%20Ports%20to%20Upload%20Data/31710
Compromised Visal Studio Code Extension downloaded by Millions
Amit Assaraf identified a likely compromised Visual Studio Code theme that was installed by millions of potential victims. Amit did not disclose the exact malicious behaviour, but is asking for victims to contact them for details.
https://medium.com/@amitassaraf/a-wolf-in-dark-mode-the-malicious-vs-code-theme-that-fooled-millions-85ed92b4bd26
ByBit Theft Due to Compromised Developer Workstation
ByBit and Safe{Wallet} disclosed that the record breaking ethereum theft was due to a compromised Safe{Wallet} developer workstation. A replaced JavaScript file targeted ByBit and altered a transaction signed by ByBit.
https://x.com/benbybit/status/1894768736084885929
https://x.com/safe/status/1894768522720350673
PoC for NAKIVO Backup Replication Vulnerability
This vulnerability allows the compromise of NAKIVO backup systems. The vulnerability was patched silently in November, and never disclosed by NAKIVO. Instead, WatchTowr now disloses details including a proof of concept exploit.
https://labs.watchtowr.com/the-best-security-is-when-we-all-agree-to-keep-everything-secret-except-the-secrets-nakivo-backup-replication-cve-2024-48248/
OpenH264 Vulnerability
https://github.com/cisco/openh264/security/advisories/GHSA-m99q-5j7x-7m9x
rsync vulnerability exploited
https://www.cisa.gov/known-exploited-vulnerabilities-catalog -
Massive Botnet Targets M365 with Password Spraying
A large botnet is targeting service accounts in M365 with credentials stolen by infostealer malware.
https://securityscorecard.com/wp-content/uploads/2025/02/MassiveBotnet-Report_022125_03.pdf
Mixing up Public and Private Keys in OpenID
The complex OpenID specificiation and the flexibility it supports enables careless administrators to publich private keys instead or in addition to public keys
https://blog.hboeck.de/archives/909-Mixing-up-Public-and-Private-Keys-in-OpenID-Connect-deployments.html
Healthcare Malware Hunt Part 1:
Medial images are often encoded in the DICOM format, an image format unique to medical imaging. Patients looking for viewers for DICOM images are tricked into downloading malware.
https://www.forescout.com/blog/healthcare-malware-hunt-part-1-silver-fox-apt-targets-philips-dicom-viewers/ -
Unfurl Update Released
Unfurl released an Update fixing a few bugs and adding support to decode BlueSky URLs.
https://isc.sans.edu/diary/Unfurl%20v2025.02%20released/31716
Google Confirms GMail To Ditch SMS Code Authentication
Google no longer considers SMS authentication save enough for GMail. Instead, it pushes users to use Passkeys, or QR code based app authentication
https://www.forbes.com/sites/daveywinder/2025/02/23/google-confirms-gmail-to-ditch-sms-code-authentication/
Beware of Paypal New Address Feature Abuse
Attackers are using "address change" e-mails to send links to phishing sites or trick users into calling fake tech support phone numbers. Attackers are just adding the malicious content as part of the address. The e-mail themselves are legitimate PayPal emails and will pass various spam and phishing filters.
https://www.bleepingcomputer.com/news/security/beware-paypal-new-address-feature-abused-to-send-phishing-emails/
Exim SQL Injection Vulnerability
Exim, with sqlite support and ETRN enabled, is vulnerable to a simple SQL injection exploit. A PoC has been released
https://www.exim.org/static/doc/security/CVE-2025-26794.txt
https://github.com/OscarBataille/CVE-2025-26794?
XMLlib patches
https://gitlab.gnome.org/GNOME/libxml2/-/issues/847
https://gitlab.gnome.org/GNOME/libxml2/-/issues/828
0-Day in Parallels
https://jhftss.github.io/Parallels-0-day/ -
Tool Update: Sigs.py
Jim updates sigs.py. The tool verifies hashes for files and automatically recognizes what hash is used.
https://isc.sans.edu/diary/Tool%20update%3A%20sigs.py%20-%20added%20check%20mode/31706
Google Announcing Quantum Safe Digital Signatures in Cloud KMS
Google announced the option to use quantum safe digital signatures for its
cloud key management system.
https://cloud.google.com/blog/products/identity-security/announcing-quantum-safe-digital-signatures-in-cloud-kms
Windows 11 Patch issues
The February Patch Tuesday appears to have caused issues with a number of Windows 11 systems. In particular the usability of the file manager appears to be affected.
https://www.windowslatest.com/2025/02/16/windows-11-kb5051987-breaks-file-explorer-install-fails-on-windows-11-24h2/
LTE/5G Vulnerabilities
Researchers at the university of Florida have identified a large number of vulnerabilities in 5G and LTE networks.
https://nathanielbennett.com/publications/ransacked.pdf -
Using ES|QL In Kibana to Query DShield Honeypot Logs
Using the "Elastic Search Piped Query Language" to query DShield honeypot logs
https://isc.sans.edu/diary/Using%20ES%7CQL%20in%20Kibana%20to%20Queries%20DShield%20Honeypot%20Logs/31704
Mongoose Flaws Put MongoDB at risk
The Object Direct Mapping library Mongoose suffers from an injection vulnerability leading to the potenitial of remote code exeuction in MongoDB
https://www.theregister.com/2025/02/20/mongoose_flaws_mongodb/
U-Boot Vulnerabilities
The open source boot loader U-Boot does suffer from a number of issues allowing the bypass of its integrity checks. This may lead to the execution of malicious code on boot.
https://www.openwall.com/lists/oss-security/2025/02/17/2
Unifi Protect Camera Update
https://community.ui.com/releases/Security-Advisory-Bulletin-046-046/9649ea8f-93db-4713-a875-c3fd7614943f -
XWorm Cocktail: A Mix of PE data with PowerShell Code
Quick analysis of an interesting XWrom sample with powershell code embedded inside an executable
https://isc.sans.edu/diary/XWorm+Cocktail+A+Mix+of+PE+data+with+PowerShell+Code/31700
Microsoft's Majorana 1 Chip Carves New Path for Quantum Computing
Microsoft announced a breack through in Quantum computing. Its new prototype Majorana 1 chip takes advantage of exotic majorana particles to implement a scalable low error rate solution to building quantum computers
https://news.microsoft.com/source/features/ai/microsofts-majorana-1-chip-carves-new-path-for-quantum-computing/
Russia Targeting Signal Messenger
Signal is well regarded as a secure end to end encrypted messaging platform. However, a user may be tricked into providing access to their account by scanning a QR code masquerading as a group channel invitation.
https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger/ -
ModelScan: Protection Against Model Serialization Attacks
ModelScan is a tool to inspect AI models for deserialization attacks. The tool will detect suspect commands and warn the user.
https://isc.sans.edu/diary/ModelScan%20-%20Protection%20Against%20Model%20Serialization%20Attacks/31692
OpenSSH MitM and DoS Vulnerabilities
OpenSSH Patched two vulnerabilities discovered by Qualys. One may be used for MitM attack in specfic configurations of OpenSSH.
https://www.qualys.com/2025/02/18/openssh-mitm-dos.txt
Juniper Authentication Bypass
Juniper fixed an authentication bypass vulnerability that affects several prodcuts. The patch was released outside the normal patch schedule.
https://supportportal.juniper.net/s/article/2025-02-Out-of-Cycle-Security-Bulletin-Session-Smart-Router-Session-Smart-Conductor-WAN-Assurance-Router-API-Authentication-Bypass-Vulnerability-CVE-2025-21589?language=en_US
DELL BIOS Patches
DELL released BIOS updates fixing a privilege escalation issue. The update affects a large part of Dell's portfolio
https://www.dell.com/support/kbdoc/en-en/000258429/dsa-2025-021 -
My Very Personal Guidance and Strategies to Protect Network Edge Devices
A quick summary to help you secure edge devices. This may be a bit opinionated, but these are the strategies that I find work and are actionable.
https://isc.sans.edu/diary/My%20Very%20Personal%20Guidance%20and%20Strategies%20to%20Protect%20Network%20Edge%20Devices/31660
PostgreSQL SQL Injection
A followup to yesterday's segment about the PostgreSQL vulnerability. Rapid7 released a Metasploit module to exploit the vulnerability.
https://github.com/rapid7/metasploit-framework/pull/19877
Ivanti Connect Secure Exploited
The Japanese CERT observed exploitation of January's Connect Secure vulnerability
https://blogs.jpcert.or.jp/ja/2025/02/spawnchimera.html
WinZip Vulnerability
WinZip patched a buffer overflow vulenrability that may be triggered by malicious 7Z files
https://www.zerodayinitiative.com/advisories/ZDI-25-047/
Xerox Printer Patch
Xerox patched two vulnerabililites in its enterprise multifunction printers that may be exploited for lateral movement.
https://securitydocs.business.xerox.com/wp-content/uploads/2025/02/Xerox-Security-Bulletin-XRX25-003-for-Xerox-VersaLinkPhaser-and-WorkCentre.pdf -
Fake BSOD Delivered by Malicious Python Script
Xavier found an odd malicious Python script that displays a blue screen of
death to users. The purpose isn't quite clear. It could be a teach support scam
tricking users into calling the 800 number displayed, or a simple
anti-reversing trick
https://isc.sans.edu/diary/Fake%20BSOD%20Delivered%20by%20Malicious%20Python%20Script/31686
The Danger of IP Volatility
Accounting for IP addresses is important, and if not done properly, may
lead to resources being exposed after IP addresses are released.
https://isc.sans.edu/diary/The%20Danger%20of%20IP%20Volatility/31688
PostgreSQL SQL Injection
Functions in PostgreSQL's libpq do not properly escape parameters which may
lead to SQL injection issues if the functions are used to create input for pqsql.
https://www.postgresql.org/support/security/CVE-2025-1094/
Multiple Russian Threat Actors Targeting Microsoft Device Code Auth
The OAUTH device code flow is used to attach devices with limited input capability to a user's account. However, this can be abused via phishing attacks.
https://www.volexity.com/blog/2025/02/13/multiple-russian-threat-actors-targeting-microsoft-device-code-authentication/ -
DShield SIEM Docker Updates
Interested in learning more about the attacks hitting your honeypot?
Guy assembled a neat SIEM to create dashboards summarizing the attacks.
https://isc.sans.edu/diary/DShield%20SIEM%20Docker%20Updates/31680
PANOS Path Confusion Auth Bypass
Palo Alto Networks fixed a path confusion vulnerability introduced by the
overly complex midle box chain in PANOS.
https://slcyber.io/blog/nginx-apache-path-confusion-to-auth-bypass-in-pan-os/
https://www.theregister.com/2025/02/13/palo_alto_firewall/
China's Volt Typhoon Continues to use Cisco Vulns
Recorded Future wrote up some recent attacks of the Red Mike / Volt Typhoon groups going after telecom providers by compromissing Cisco systems via an older vulnerabilty
https://www.wired.com/story/chinas-salt-typhoon-spies-are-still-hacking-telecoms-now-by-exploiting-cisco-routers/
Crowdstrike Patches Linux Client
https://www.crowdstrike.com/security-advisories/cve-2025-1146/ -
An Ontology for Threats: Cybercrime and Digital Forensic Investigation on Smart City Infrastructure
Smart cities is a big topic for many local governments. With building these complex systems, attacks will follow.
https://isc.sans.edu/diary/An%20ontology%20for%20threats%2C%20cybercrime%20and%20digital%20forensic%20investigation%20on%20Smart%20City%20Infrastructure/31676
North Korean state actor tricking admins into executing PowerShell
North Korean state actors are spending quite a bit of effort setting up relationships with South Korean system administrators, culminating in them getting tricked into executing malicious PowerShell scripts.
https://x.com/MsftSecIntel/status/1889407814604296490
Wazuh Vulnerability
A deserialization vulnerability in Wazuh may lead to an unauthenticated remote code execution vulnerability
https://github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-79hj-m3qh
PAM PKCS11 Vulnerablity
Several vulnerabilities in the Linux PAM module processing smart card authentication can be used to bypass authentication
https://github.com/OpenSC/pam_pkcs11/releases/tag/pam_pkcs11-0.6.13
Ivanti Patches
Ivanti released its monhtly update, fixing a number of critical vulnerabilities in Connect Secure and other prodcuts
https://forums.ivanti.com/s/article/February-Security-Advisory-Ivanti-Connect-Secure-ICS-Ivanti-Policy-Secure-IPS-and-Ivanti-Secure-Access-Client-ISAC-Multiple-CVEs?language=en_US -
Microsoft Patch Tuesday
Microsoft released patches for 55 vulnerabilities. Three of them are actagorized as critical, two are already exploited and another two have been publicly disclosed. The LDAP server vulnerability could become a huge deal, but it is not clear if an exploit will appear.
https://isc.sans.edu/diary/Microsoft%20February%202025%20Patch%20Tuesday/31674
Adobe Patches
Adobe released patches for seven products. Watch out in particular for the Adobe Commerce issues
https://helpx.adobe.com/security/security-bulletin.html
Fortinet Acknowledges Exploitation of Vulnerability
https://fortiguard.fortinet.com/psirt/FG-IR-24-535 -
Reminder: 7-Zip MoW
The MoW must be added to any files extracted from ZIP or other compound file formats. 7-Zip does not do so by default unless you alter the default configuration.
https://isc.sans.edu/diary/Reminder%3A%207-Zip%20%26%20MoW/31668
Apple Fixes 0-Day
Apple released updates to iOS and iPadOS fixing a bypass for USB Restricted Mode. The vulnerability is already being exploited.
https://support.apple.com/en-us/122174
AMD ZEN CPU Microcode Update
An attacker is able to replace microcode on some AMD CPUs. This may alter how the CPUs function and Google released a PoC showing how it can be used to manipulate the random number generator.
https://github.com/google/security-research/security/advisories/GHSA-4xq7-4mgh-gp6w
Trimble Cityworks Exploited
CISA added a recent Trimble Cityworks vulnerabliity to its list of exploited vulnerabilities.
https://learn.assetlifecycle.trimble.com/i/1532182-cityworks-customer-communication-2025-02-06-docx/0?
Google Tag Manager Skimmer Steals Credit Card Info
Sucuri released a blog post with updates to the mage cart campaign. The latest version is injecting malicious code as part of the google tag manager / analytics code.
https://blog.sucuri.net/2025/02/google-tag-manager-skimmer-steals-credit-card-info-from-magento-site.html - Laat meer zien
