Episodios

  • SANS Stormcast Friday, May 9th: SSH Exfil Tricks; magicINFO still vulnerable; SentinelOne Vulnerability; Commvault insufficient patch (#)

    SANS Stormcast Friday, May 9th: SSH Exfil Tricks; magicINFO still vulnerable; SentinelOne Vulnerability; Commvault insufficient patch (#)
    May 9 2025
    SANS Stormcast Friday, May 9th: SSH Exfil Tricks; magicINFO still vulnerable; SentinelOne Vulnerability; Commvault insufficient patch No Internet Access: SSH to the Rescue If faced with restrictive outbound network access policies, a single inbound SSH connection can quickly be turned into a tunnel or a full-blown VPN https://isc.sans.edu/diary/No%20Internet%20Access%3F%20SSH%20to%20the%20Rescue!/31932 SAMSUNG magicINFO 9 Server Flaw Still exploitable The SAMSUNG magicINFO 9 Server Vulnerability we found being exploited last week is apparently still not completely patched, and current versions are vulnerable to the exploit observed in the wild. https://www.huntress.com/blog/rapid-response-samsung-magicinfo9-server-flaw Bring Your Own Installer: Bypassing SentinelOne Through Agent Version Change Interruption SentinelOne’s installer is vulnerable to an exploit allowing attackers to shut down the end point protection software https://www.aon.com/en/insights/cyber-labs/bring-your-own-installer-bypassing-sentinelone Commvault Still Exploitable A recent patch for Commvault is apparently ineffective and the PoC exploit published by watchTowr is still working against up to date patched systems https://infosec.exchange/@wdormann/114458913006792356 keywords: commvault; patches; sentinelone; samung; magicinfo; ssh;
    Más Menos
    5 m
  • SANS Stormcast Thursday, May 8th: Modular Malware; Sysaid Vuln; Cisco Wireless Controller Patch; Unifi Protect Camera Patch (#)

    SANS Stormcast Thursday, May 8th: Modular Malware; Sysaid Vuln; Cisco Wireless Controller Patch; Unifi Protect Camera Patch (#)
    May 8 2025
    SANS Stormcast Thursday, May 8th: Modular Malware; Sysaid Vuln; Cisco Wireless Controller Patch; Unifi Protect Camera Patch Example of Modular Malware Xavier analyzes modular malware that downloads DLLs from GitHub if specific features are required. In particular, the webcam module is inspected in detail. https://isc.sans.edu/diary/Example%20of%20%22Modular%22%20Malware/31928 Sysaid XXE Vulnerabilities IT Service Management Software Sysaid patched a number of XXE vulnerabilities. Without authentication, an attacker is able to obtain confidential data and completely compromise the system. watchTowr published a detailed analysis of the flaws including exploit code. https://labs.watchtowr.com/sysowned-your-friendly-rce-support-ticket/ Cisco IOS XE Wireless Controller Software Arbitrary File Upload Vulnerability Cisco Patched a vulnerability in its wireless controller software that may be used to not only upload files but also execute code as root without authentication. https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-file-uplpd-rHZG9UfC Unifi Protect Camera Vulnerability Ubiquity patched a vulnerability in its Protect camera firmware fixing a buffer overflow flaw. https://community.ui.com/releases/Security-Advisory-Bulletin-047-047/cef86c37-7421-44fd-b251-84e76475a5bc keywords: unifi; protect; camera; ubiquity; cisco; wireless; sysaid; xxe; modular; malware
    Más Menos
    6 m
  • SANS Stormcast Wednesday, May 7th: Infostealer with Webserver; Android Update; CISA Warning (#)

    SANS Stormcast Wednesday, May 7th: Infostealer with Webserver; Android Update; CISA Warning (#)
    May 7 2025
    SANS Stormcast Wednesday, May 7th: Infostealer with Webserver; Android Update; CISA Warning Python InfoStealer with Embedded Phishing Webserver Didier found an interesting infostealer that, in addition to implementing typical infostealer functionality, includes a web server suitable to create local phishing sites. https://isc.sans.edu/diary/Python%20InfoStealer%20with%20Embedded%20Phishing%20Webserver/31924 Android Update Fixes Freetype 0-Day Google released its monthly Android update. As part of the update, it patched a vulnerability in Freetype that is already being exploited. Android is not alone in using Freetype. Freetype is a very commonly used library to parse fonts like Truetype fonts. https://source.android.com/docs/security/bulletin/2025-05-01 CISA Warns of Unsophistacted Cyber Actors CISA released an interesting title report warning operators of operational technology networks of ubiquitous attacks by unsophisticated actors. It emphasizes how important it is to not forget basic security measures to defend against these attacks. https://www.cisa.gov/news-events/alerts/2025/05/06/unsophisticated-cyber-actors-targeting-operational-technology keywords: python; infostealer; phishing; webserver
    Más Menos
    7 m
  • SANS Stormcast Tuesday, May 6th: Mirai Exploiting Samsung magicInfo 9; Kali Signing Key Lost; (#)

    SANS Stormcast Tuesday, May 6th: Mirai Exploiting Samsung magicInfo 9; Kali Signing Key Lost; (#)
    May 6 2025
    SANS Stormcast Tuesday, May 6th: Mirai Exploiting Samsung magicInfo 9; Kali Signing Key Lost; Mirai Now Exploits Samsung MagicINFO CMS CVE-2024-7399 The Mirai botnet added a new vulnerability to its arsenal. This vulnerability, a file upload and remote code execution vulnerability in Samsung’s MagicInfo 9 CMS, was patched last August but attracted new attention last week after being mostly ignored so far. https://isc.sans.edu/diary/Mirai+Now+Exploits+Samsung+MagicINFO+CMS+CVE20247399/31920 New Kali Linux Signing Key The Kali Linux maintainers lost access to the secret key used to sign packages. Users must install a new key that will be used going forward. https://www.kali.org/blog/new-kali-archive-signing-key/ The Risk of Default Configuration: How Out-of-the-Box Helm Charts Can Breach Your Cluster Many out-of-the-box Helm charts for Kubernetes applications deploy vulnerable configurations with exposed ports and no authentication https://techcommunity.microsoft.com/blog/microsoftdefendercloudblog/the-risk-of-default-configuration-how-out-of-the-box-helm-charts-can-breach-your/4409560 keywords: kali; linux; mirai; helm; kubernetes
    Más Menos
    7 m
  • SANS Stormcast Monday, May 5th: Steganography Challenge; Microsoft Makes Passkeys Default and Moves Away from Authenticator as Password Manager; Magento Components Backdoored. (#)

    SANS Stormcast Monday, May 5th: Steganography Challenge; Microsoft Makes Passkeys Default and Moves Away from Authenticator as Password Manager; Magento Components Backdoored. (#)
    May 5 2025
    SANS Stormcast Monday, May 5th: Steganography Challenge; Microsoft Makes Passkeys Default and Moves Away from Authenticator as Password Manager; Magento Components Backdoored. Steganography Challenge Didier published a fun steganography challenge. A solution will be offered on Saturday. https://isc.sans.edu/diary/Steganography+Challenge/31910 Microsoft Makes Passkeys Default Authentication Method Microsoft is now encouraging new users to use Passkeys as the “default” and only login method, further moving away from passwords https://www.microsoft.com/en-us/security/blog/2025/05/01/pushing-passkeys-forward-microsofts-latest-updates-for-simpler-safer-sign-ins/ Microsoft Authenticator Autofill Changes Microsoft will no longer support the use of Microsoft authenticator as a password safe. Instead, it will move users to the password prefill feature built into Microsoft Edge. This change will start in June and should be completed in August at which point you must have moved your credentials out of Microsoft Authenticator https://support.microsoft.com/en-gb/account-billing/changes-to-microsoft-authenticator-autofill-09fd75df-dc04-4477-9619-811510805ab6 Backdoor found in popular e-commerce components SANSEC identified several backdoored Magento e-commerce components. These backdoors were installed as far back as 2019 but only recently activated, at which point they became known. Affected vendors dispute any compromise at this point. https://sansec.io/research/license-backdoor keywords: backdoor; magento; msft; authenticator; passkeys; stegaonography; challenge
    Más Menos
    6 m
  • SANS Stormcast Thursday, May 1st: More Steganography; Malicious Python Packages GMail C2; BEC to Steal Rent Payments (#)

    SANS Stormcast Thursday, May 1st: More Steganography; Malicious Python Packages GMail C2; BEC to Steal Rent Payments (#)
    May 1 2025
    SANS Stormcast Thursday, May 1st: More Steganography; Malicious Python Packages GMail C2; BEC to Steal Rent Payments Steganography Analysis With pngdump.py: Bitstreams More details from Didiear as to how to extract binary content hidden inside images https://isc.sans.edu/diary/Steganography%20Analysis%20With%20pngdump.py%3A%20Bitstreams/31904 Using Trusted Protocols Against You: Gmail as a C2 Mechanism Attackers are using typosquatting to trick developers into installing malicious python packages. These python packages will use GMail as a command and control channel by sending email to hard coded GMail accounts https://socket.dev/blog/using-trusted-protocols-against-you-gmail-as-a-c2-mechanism Security Brief: French BEC Threat Actor Targets Property Payments A French business email compromise threat actor is targeting property management firms to send emails to tenents tricking them into sending rent payments to fake bank accounts https://www.proofpoint.com/us/blog/threat-insight/security-brief-french-bec-threat-actor-targets-property-payments SANS.edu Research Journal https://isc.sans.edu/j/research keywords: Steganograpy; Research Journal; bec; tenants; rent; gmail; python
    Más Menos
    7 m
  • SANS Stormcast Thursday, May 1st: Sonicwall Attacks; Cached Windows RDP Credentials (#)

    SANS Stormcast Thursday, May 1st: Sonicwall Attacks; Cached Windows RDP Credentials (#)
    May 1 2025
    SANS Stormcast Thursday, May 1st: Sonicwall Attacks; Cached Windows RDP Credentials Web Scanning for Sonicwall Vulnerabilities CVE-2021-20016 For the last week, scans for Sonicwall API “login” and “domain” endpoints have skyrocketed. These attacks may be exploiting an older vulnerability or just attempting to brute force credentials. https://isc.sans.edu/diary/Web%20Scanning%20Sonicwall%20for%20CVE-2021-20016/31906 The Wizards APT Group SLAAC Spoofing Adversary in the Middle Attacks ESET published an article with details regarding an IPv6-linked attack they have observed. Attackers use router advertisements to inject fake recursive DNS servers that are used to inject IP addresses for hostnames used to update software. This leads to the victim downloading malware instead of legitimate updates. https://www.welivesecurity.com/en/eset-research/thewizards-apt-group-slaac-spoofing-adversary-in-the-middle-attacks/ Windows RDP Access is Possible with Old Credentials Credential caching may lead to Windows allowing RDP logins with old credentials. https://arstechnica.com/security/2025/04/windows-rdp-lets-you-log-in-using-revoked-passwords-microsoft-is-ok-with-that/?comments-page=1#comments keywords: Sonicwall; Windows; RDP; SLAAC; IPv6;
    Más Menos
    6 m
  • SANS Stormcast Wednesday, April 30th: SMS Attacks; Apple Airplay Vulnerabilities (#)

    SANS Stormcast Wednesday, April 30th: SMS Attacks; Apple Airplay Vulnerabilities (#)
    Apr 30 2025
    SANS Stormcast Wednesday, April 30th: SMS Attacks; Apple Airplay Vulnerabilities More Scans for SMS Gateways and APIs Attackers are not just looking for SMS Gateways like the scans we reported on last week, but they are also actively scanning for other ways to use APIs and add on tools to send messages using other people’s credentials. https://isc.sans.edu/diary/More%20Scans%20for%20SMS%20Gateways%20and%20APIs/31902 AirBorne: AirPlay Vulnerabilities Researchers at Oligo revealed over 20 weaknesses they found in Apple’s implementation of the AirPlay protocol. These vulnerabilities can be abused to execute code or launch denial-of-service attacks against affected devices. Apple patched the vulnerabilities in recent updates. https://www.oligo.security/blog/airborne keywords: SMS; Airplay
    Más Menos
    9 m
adbl_web_global_use_to_activate_webcro805_stickypopup