SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
A brief daily summary of what is important in information security. The podcast is published every weekday and designed to get you ready for the day with a brief, usually 5 minute long, summary of current network security related events. The content is late breaking, educational and based on listener input as well as on input received by the SANS Internet Stormcenter. You may submit questions and comments via our contact form at https://isc.sans.edu/contact.html .
Subscribe
iTunes / Overcast / RSSWebsite
isc.sans.edu/podcast.html#stormcastEpisodes
ISC StormCast for Monday, November 4th, 2024
October Activity with Username chenzilong
https://isc.sans.edu/diary/October%202024%20Activity%20with%20Username%20chenzilong/31400
qpdf Extracting PDF Streams
https://isc.sans.edu/diary/qpdf%3A%20Extracting%20PDF%20Streams/31406
Okta bcrypt issue
https://trust.okta.com/security-advisories/okta-ad-ldap-delegated-authentication-username/
https://medium.com/@rajat29gupta/how-bcrypts-limitations-contributed-to-okta-s-vulnerability-a-lesson-for-developers-39425c644ed5
Synology Vulnerabilities
https://www.synology.com/de-de/security/advisory/Synology_SA_24_19
https://www.synology.com/de-de/security/advisory/Synology_SA_24_18
Lastpass Fake Reviews
https://blog.lastpass.com/posts/fake-web-store-reviews-attempting-to-steal-customer-data
2024-11-04https://isc.sans.edu/diary/October%202024%20Activity%20with%20Username%20chenzilong/31400
qpdf Extracting PDF Streams
https://isc.sans.edu/diary/qpdf%3A%20Extracting%20PDF%20Streams/31406
Okta bcrypt issue
https://trust.okta.com/security-advisories/okta-ad-ldap-delegated-authentication-username/
https://medium.com/@rajat29gupta/how-bcrypts-limitations-contributed-to-okta-s-vulnerability-a-lesson-for-developers-39425c644ed5
Synology Vulnerabilities
https://www.synology.com/de-de/security/advisory/Synology_SA_24_19
https://www.synology.com/de-de/security/advisory/Synology_SA_24_18
Lastpass Fake Reviews
https://blog.lastpass.com/posts/fake-web-store-reviews-attempting-to-steal-customer-data
Link to episode
ISC StormCast for Thursday, October 31st, 2024
Scans for RDP Gateways
https://isc.sans.edu/diary/Scans%20for%20RDP%20Gateways/31398
CyberPanel Exploited
https://www.bleepingcomputer.com/news/security/massive-psaux-ransomware-attack-targets-22-000-cyberpanel-instances/
Windows Themes Files Spoofing CVE-2024-38030
https://blog.0patch.com/2024/10/we-patched-cve-2024-38030-found-another.html
QNAP Patches CVE-2024-50388, CVE-2024-50387
https://www.qnap.com/en/security-advisory/qsa-24-41
Facebook Malvertising
https://www.bitdefender.com/en-us/blog/labs/unmasking-the-sys01-infostealer-threat-bitdefender-labs-tracks-global-malvertising-campaign-targeting-meta-business-pages/
2024-10-31https://isc.sans.edu/diary/Scans%20for%20RDP%20Gateways/31398
CyberPanel Exploited
https://www.bleepingcomputer.com/news/security/massive-psaux-ransomware-attack-targets-22-000-cyberpanel-instances/
Windows Themes Files Spoofing CVE-2024-38030
https://blog.0patch.com/2024/10/we-patched-cve-2024-38030-found-another.html
QNAP Patches CVE-2024-50388, CVE-2024-50387
https://www.qnap.com/en/security-advisory/qsa-24-41
Facebook Malvertising
https://www.bitdefender.com/en-us/blog/labs/unmasking-the-sys01-infostealer-threat-bitdefender-labs-tracks-global-malvertising-campaign-targeting-meta-business-pages/
Link to episode
ISC StormCast for Wednesday, October 30th, 2024
Critical RCE Vulnerabilty in Cyberpanel
https://dreyand.rs/code/review/2024/10/27/what-are-my-options-cyberpanel-v236-pre-auth-rce
Spring WebFlux Vulnerability
https://access.redhat.com/security/cve/cve-2024-38821
https://spring.io/security/cve-2024-38821
Inbound SMTP DANE with DNSSEC for Exchange Online
https://techcommunity.microsoft.com/t5/exchange-team-blog/announcing-general-availability-of-inbound-smtp-dane-with-dnssec/ba-p/4281292
HeptaX: Unauthorized RDP Connections for Cyberespionage Operations
https://cyble.com/blog/heptax-unauthorized-rdp-connections-for-cyberespionage-operations/
2024-10-30https://dreyand.rs/code/review/2024/10/27/what-are-my-options-cyberpanel-v236-pre-auth-rce
Spring WebFlux Vulnerability
https://access.redhat.com/security/cve/cve-2024-38821
https://spring.io/security/cve-2024-38821
Inbound SMTP DANE with DNSSEC for Exchange Online
https://techcommunity.microsoft.com/t5/exchange-team-blog/announcing-general-availability-of-inbound-smtp-dane-with-dnssec/ba-p/4281292
HeptaX: Unauthorized RDP Connections for Cyberespionage Operations
https://cyble.com/blog/heptax-unauthorized-rdp-connections-for-cyberespionage-operations/
Link to episode
ISC StormCast for Tuesday, October 29th, 2024
Apple Update Everything
https://isc.sans.edu/diary/Apple%20Updates%20Everything/31390
Selfcontained HTML Phishing Attachment Using Telegram to Exfiltrate Credentials
https://isc.sans.edu/diary/Selfcontained+HTML+phishing+attachment+using+Telegram+to+exfiltrate+stolen+credentials/31388/
ChatGPT-4o Guardrail Jailbreak: Hex Encoding for Writing CVE Exploits
https://0din.ai/blog/chatgpt-4o-guardrail-jailbreak-hex-encoding-for-writing-cve-exploits
2024-10-29https://isc.sans.edu/diary/Apple%20Updates%20Everything/31390
Selfcontained HTML Phishing Attachment Using Telegram to Exfiltrate Credentials
https://isc.sans.edu/diary/Selfcontained+HTML+phishing+attachment+using+Telegram+to+exfiltrate+stolen+credentials/31388/
ChatGPT-4o Guardrail Jailbreak: Hex Encoding for Writing CVE Exploits
https://0din.ai/blog/chatgpt-4o-guardrail-jailbreak-hex-encoding-for-writing-cve-exploits
Link to episode
ISC StormCast for Monday, October 28th, 2024
Two currently (old) exploited Ivanti vulnerabilities
https://isc.sans.edu/diary/Two%20currently%20%28old%29%20exploited%20Ivanti%20vulnerabilities/31384
Arcadyan FMIMG51AX000J (WiFi Alliance) RCE CVE-2024-41992
https://ssd-disclosure.com/ssd-advisory-arcadyan-fmimg51ax000j-wifi-alliance-rce/
Okta iOS App Vulnerability CVE-2024-10327
https://trust.okta.com/security-advisories/okta-verify-for-ios-cve-2024-10327/
Threat Alert TeamTNT's docker gatling gun campaign
https://www.aquasec.com/blog/threat-alert-teamtnts-docker-gatling-gun-campaign/
2024-10-28https://isc.sans.edu/diary/Two%20currently%20%28old%29%20exploited%20Ivanti%20vulnerabilities/31384
Arcadyan FMIMG51AX000J (WiFi Alliance) RCE CVE-2024-41992
https://ssd-disclosure.com/ssd-advisory-arcadyan-fmimg51ax000j-wifi-alliance-rce/
Okta iOS App Vulnerability CVE-2024-10327
https://trust.okta.com/security-advisories/okta-verify-for-ios-cve-2024-10327/
Threat Alert TeamTNT's docker gatling gun campaign
https://www.aquasec.com/blog/threat-alert-teamtnts-docker-gatling-gun-campaign/
Link to episode
ISC StormCast for Friday, October 25th, 2024
Development Features Enabled in Production
https://isc.sans.edu/diary/Development%20Features%20Enabled%20in%20Prodcution/31380
Large-scale brute-force activity targeting VPNs, SSH services with commonly used login credentials
https://blog.talosintelligence.com/large-scale-brute-force-activity-targeting-vpns-ssh-services-with-commonly-used-login-credentials/
Cisco Secure Firewall Management Center Software Command Injection Vulnerability
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-cmd-inj-v3AWDqN7
Exposing the Danger Within: Hardcoded Cloud Credentials in Popular Mobile Apps
https://www.security.com/threat-intelligence/exposing-danger-within-hardcoded-cloud-credentials-popular-mobile-apps
2024-10-25https://isc.sans.edu/diary/Development%20Features%20Enabled%20in%20Prodcution/31380
Large-scale brute-force activity targeting VPNs, SSH services with commonly used login credentials
https://blog.talosintelligence.com/large-scale-brute-force-activity-targeting-vpns-ssh-services-with-commonly-used-login-credentials/
Cisco Secure Firewall Management Center Software Command Injection Vulnerability
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-cmd-inj-v3AWDqN7
Exposing the Danger Within: Hardcoded Cloud Credentials in Popular Mobile Apps
https://www.security.com/threat-intelligence/exposing-danger-within-hardcoded-cloud-credentials-popular-mobile-apps
Link to episode
ISC StormCast for Thursday, October 24th, 2024
Everybody Loves Bash Scripts Including Attackers
https://isc.sans.edu/diary/Everybody%20Loves%20Bash%20Scripts.%20Including%20Attackers./31376
Fortimanager Exploited Vulnerability
https://www.fortiguard.com/psirt/FG-IR-24-423
Sharepoint Exploit
https://www.cisa.gov/news-events/alerts/2024/10/22/cisa-adds-one-known-exploited-vulnerability-catalog
https://github.com/testanull/MS-SharePoint-July-Patch-RCE-PoC
OpenSSL Vulnerability
https://openssl-library.org/news/secadv/20241016.txt
Reduced Certificate Lifetime
https://github.com/cabforum/servercert/pull/553
2024-10-24https://isc.sans.edu/diary/Everybody%20Loves%20Bash%20Scripts.%20Including%20Attackers./31376
Fortimanager Exploited Vulnerability
https://www.fortiguard.com/psirt/FG-IR-24-423
Sharepoint Exploit
https://www.cisa.gov/news-events/alerts/2024/10/22/cisa-adds-one-known-exploited-vulnerability-catalog
https://github.com/testanull/MS-SharePoint-July-Patch-RCE-PoC
OpenSSL Vulnerability
https://openssl-library.org/news/secadv/20241016.txt
Reduced Certificate Lifetime
https://github.com/cabforum/servercert/pull/553
Link to episode
ISC StormCast for Wednesday, October 23rd, 2024
How much HTTP (not HTTPS) Traffic is Traversing Your Perimeter?
https://isc.sans.edu/diary/How%20much%20HTTP%20%28not%20HTTPS%29%20Traffic%20is%20Traversing%20Your%20Perimeter%3F/31372
VMSA-2024-0019:VMware vCenter Server updates address heap-overflow and privilege escalation vulnerabilities (CVE-2024-38812, CVE-2024-38813)
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24968
Unifi Security Advisory Bulletin 043
https://community.ui.com/releases/Security-Advisory-Bulletin-043-043/28e45c75-314e-4f07-a4f3-d17f67bd53f7
Fake attachment. Roundcube mail server attacks exploit CVE-2024-37383 vulnerability.
https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/fake-attachment-roundcube-mail-server-attacks-exploit-cve-2024-37383-vulnerability
Atlassian Security Bulletin - October 15 2024
https://confluence.atlassian.com/security/security-bulletin-october-15-2024-1442910972.html
OneDev Arbitrary file reading for unauthenticated user
https://github.com/theonedev/onedev/security/advisories/GHSA-7wg5-6864-v489
2024-10-23https://isc.sans.edu/diary/How%20much%20HTTP%20%28not%20HTTPS%29%20Traffic%20is%20Traversing%20Your%20Perimeter%3F/31372
VMSA-2024-0019:VMware vCenter Server updates address heap-overflow and privilege escalation vulnerabilities (CVE-2024-38812, CVE-2024-38813)
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24968
Unifi Security Advisory Bulletin 043
https://community.ui.com/releases/Security-Advisory-Bulletin-043-043/28e45c75-314e-4f07-a4f3-d17f67bd53f7
Fake attachment. Roundcube mail server attacks exploit CVE-2024-37383 vulnerability.
https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/fake-attachment-roundcube-mail-server-attacks-exploit-cve-2024-37383-vulnerability
Atlassian Security Bulletin - October 15 2024
https://confluence.atlassian.com/security/security-bulletin-october-15-2024-1442910972.html
OneDev Arbitrary file reading for unauthenticated user
https://github.com/theonedev/onedev/security/advisories/GHSA-7wg5-6864-v489
Link to episode
ISC StormCast for Tuesday, October 22nd, 2024
A Network Nerd's Take on Emergency Preparedness
https://isc.sans.edu/diary/A%20Network%20Nerd%27s%20Take%20on%20Emergency%20Preparedness/31356
HM Surf Vulnerability Access to Camera Exploited CVE-2024-44133
https://www.microsoft.com/en-us/security/blog/2024/10/17/new-macos-vulnerability-hm-surf-could-lead-to-unauthorized-data-access/
Fortinet releases patches for undisclosed critical FortiManager vulnerability
https://www.helpnetsecurity.com/2024/10/21/fortimanager-critical-vulnerability/
ScienceLogic Vulnerability
https://rackspace.service-now.com/system_status?id=detailed_status&service=4dafca5a87f41610568b206f8bbb35a6
https://docs.sciencelogic.com/latest/Content/Web_Admin_and_Accounts/System_Administration/sys_admin_system_upgrade.htm
2024-10-22https://isc.sans.edu/diary/A%20Network%20Nerd%27s%20Take%20on%20Emergency%20Preparedness/31356
HM Surf Vulnerability Access to Camera Exploited CVE-2024-44133
https://www.microsoft.com/en-us/security/blog/2024/10/17/new-macos-vulnerability-hm-surf-could-lead-to-unauthorized-data-access/
Fortinet releases patches for undisclosed critical FortiManager vulnerability
https://www.helpnetsecurity.com/2024/10/21/fortimanager-critical-vulnerability/
ScienceLogic Vulnerability
https://rackspace.service-now.com/system_status?id=detailed_status&service=4dafca5a87f41610568b206f8bbb35a6
https://docs.sciencelogic.com/latest/Content/Web_Admin_and_Accounts/System_Administration/sys_admin_system_upgrade.htm
Link to episode
ISC StormCast for Monday, October 21st, 2024
Microsoft 365: Partially incomplete log data due to monitoring agent issue
https://m365admin.handsontek.net/multiple-services-partially-incomplete-log-data-due-to-monitoring-agent-issue/
End-to-End Encrytped Cloud Storage in the Wild: A Broken Ecosystem
https://brokencloudstorage.info/paper.pdf
ESET Branded Malware
https://x.com/ESETresearch/status/1847192384448172387
Synology Update
https://www.synology.com/en-us/security/advisory/Synology_SA_24_17
Spring Framework Update CVe-2024-38819 CVE-2024-38820
https://spring.io/blog/2024/10/17/spring-framework-cve-2024-38819-and-cve-2024-38820-published
Grafana Security Release CVE-2024-9264
https://grafana.com/blog/2024/10/17/grafana-security-release-critical-severity-fix-for-cve-2024-9264/
2024-10-21https://m365admin.handsontek.net/multiple-services-partially-incomplete-log-data-due-to-monitoring-agent-issue/
End-to-End Encrytped Cloud Storage in the Wild: A Broken Ecosystem
https://brokencloudstorage.info/paper.pdf
ESET Branded Malware
https://x.com/ESETresearch/status/1847192384448172387
Synology Update
https://www.synology.com/en-us/security/advisory/Synology_SA_24_17
Spring Framework Update CVe-2024-38819 CVE-2024-38820
https://spring.io/blog/2024/10/17/spring-framework-cve-2024-38819-and-cve-2024-38820-published
Grafana Security Release CVE-2024-9264
https://grafana.com/blog/2024/10/17/grafana-security-release-critical-severity-fix-for-cve-2024-9264/
Link to episode
ISC StormCast for Friday, October 18th, 2024
Scanning Activity from Subnet 15.184.0.0/16.
https://isc.sans.edu/diary/Scanning%20Activity%20from%20Subnet%2015.184.0.0%2016/31362
Gatekeeper Bypass
/unit42.paloaltonetworks.com/gatekeeper-bypass-macos/
Oracle Critical Patch Update
https://www.oracle.com/security-alerts/cpuoct2024.html
Cisco ATA 190 Series Analog Telephone Adapter Firmware Vulnerabilities
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ata19x-multi-RDTEqRsy
SAP Vulnerability
https://redrays.io/blog/poc-sap-note-3433192-code-injection-vulnerability-in-sap-netweaver-as-java/
Dept. of Commerce Sites Advertising Medication
https://x.com/tliston/status/1833542884047654984
2024-10-18https://isc.sans.edu/diary/Scanning%20Activity%20from%20Subnet%2015.184.0.0%2016/31362
Gatekeeper Bypass
/unit42.paloaltonetworks.com/gatekeeper-bypass-macos/
Oracle Critical Patch Update
https://www.oracle.com/security-alerts/cpuoct2024.html
Cisco ATA 190 Series Analog Telephone Adapter Firmware Vulnerabilities
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ata19x-multi-RDTEqRsy
SAP Vulnerability
https://redrays.io/blog/poc-sap-note-3433192-code-injection-vulnerability-in-sap-netweaver-as-java/
Dept. of Commerce Sites Advertising Medication
https://x.com/tliston/status/1833542884047654984
Link to episode
ISC StormCast for Thursday, October 17th, 2024
The Top 10 Not So Common SSH Usernames and Passwords
https://isc.sans.edu/diary/The%20Top%2010%20Not%20So%20Common%20SSH%20Usernames%20and%20Passwords/31360
CISA Product Security Bad Practices
https://www.cisa.gov/resources-tools/resources/product-security-bad-practices
Kubernetes Image Builder Vulnerability CVE-2024-9486 CVE-2024-9594
https://discuss.kubernetes.io/t/security-advisory-cve-2024-9486-and-cve-2024-9594-vm-images-built-with-kubernetes-image-builder-use-default-credentials/30119
Solarwinds Hardcoded Password Exploited CVE-2024-28987
https://www.bleepingcomputer.com/news/security/solarwinds-web-help-desk-flaw-is-now-exploited-in-attacks/
Bypassing noexec and executing arbitrary binaries
https://iq.thc.org/bypassing-noexec-and-executing-arbitrary-binaries
Workshop Website:
https://www.sansapi.com/
https://www.sansapi.com/docs
2024-10-17https://isc.sans.edu/diary/The%20Top%2010%20Not%20So%20Common%20SSH%20Usernames%20and%20Passwords/31360
CISA Product Security Bad Practices
https://www.cisa.gov/resources-tools/resources/product-security-bad-practices
Kubernetes Image Builder Vulnerability CVE-2024-9486 CVE-2024-9594
https://discuss.kubernetes.io/t/security-advisory-cve-2024-9486-and-cve-2024-9594-vm-images-built-with-kubernetes-image-builder-use-default-credentials/30119
Solarwinds Hardcoded Password Exploited CVE-2024-28987
https://www.bleepingcomputer.com/news/security/solarwinds-web-help-desk-flaw-is-now-exploited-in-attacks/
Bypassing noexec and executing arbitrary binaries
https://iq.thc.org/bypassing-noexec-and-executing-arbitrary-binaries
Workshop Website:
https://www.sansapi.com/
https://www.sansapi.com/docs
Link to episode
ISC StormCast for Wednesday, October 16th, 2024
Angular-base64-upload Demo Script Exploited
https://isc.sans.edu/diary/Angular-base64-upload%20Demo%20Script%20Exploited%20%28CVE-2024-42640%29/31354
Quantum Annealing Public Key Cryptographic Attack Algorithm Based on D-Wave Advantage
http://cjc.ict.ac.cn/online/onlinepaper/wc-202458160402.pdf
EDRSilencer
https://github.com/netero1010/EDRSilencer
Synchronizing Passkeys
https://fidoalliance.org/specifications-credential-exchange-specifications/
2024-10-16https://isc.sans.edu/diary/Angular-base64-upload%20Demo%20Script%20Exploited%20%28CVE-2024-42640%29/31354
Quantum Annealing Public Key Cryptographic Attack Algorithm Based on D-Wave Advantage
http://cjc.ict.ac.cn/online/onlinepaper/wc-202458160402.pdf
EDRSilencer
https://github.com/netero1010/EDRSilencer
Synchronizing Passkeys
https://fidoalliance.org/specifications-credential-exchange-specifications/
Link to episode
ISC StormCast for Tuesday, October 15th, 2024
Phishing Page Delivered Through a Blob URL
https://isc.sans.edu/diary/Phishing%20Page%20Delivered%20Through%20a%20%20Blob%20URL/31350
Fortinet Fortigate CVE 2024-23113 deep dive
https://labs.watchtowr.com/fortinet-fortigate-cve-2024-23113-a-super-complex-vulnerability-in-a-super-secure-appliance-in-2024/
This New Supply Chain Attack Technique Can Trojanize All Your CLI Commands
https://checkmarx.com/blog/this-new-supply-chain-attack-technique-can-trojanize-all-your-cli-commands/
2024-10-15https://isc.sans.edu/diary/Phishing%20Page%20Delivered%20Through%20a%20%20Blob%20URL/31350
Fortinet Fortigate CVE 2024-23113 deep dive
https://labs.watchtowr.com/fortinet-fortigate-cve-2024-23113-a-super-complex-vulnerability-in-a-super-secure-appliance-in-2024/
This New Supply Chain Attack Technique Can Trojanize All Your CLI Commands
https://checkmarx.com/blog/this-new-supply-chain-attack-technique-can-trojanize-all-your-cli-commands/
Link to episode
ISC StormCast for Monday, October 14th, 2024
Windows PPTP and L2TP Deprecation
https://techcommunity.microsoft.com/t5/windows-server-news-and-best/pptp-and-l2tp-deprecation-a-new-era-of-secure-connectivity/ba-p/4263956
BIG-IP LTM Systems Unencrypted Cookie Exploitation
https://www.cisa.gov/news-events/alerts/2024/10/10/best-practices-configure-big-ip-ltm-systems-encrypt-http-persistence-cookies
https://www.welivesecurity.com/en/eset-research/telekopye-hits-new-hunting-ground-hotel-booking-scams/
https://www.welivesecurity.com/en/eset-research/telekopye-hits-new-hunting-ground-hotel-booking-scams/
2024-10-14https://techcommunity.microsoft.com/t5/windows-server-news-and-best/pptp-and-l2tp-deprecation-a-new-era-of-secure-connectivity/ba-p/4263956
BIG-IP LTM Systems Unencrypted Cookie Exploitation
https://www.cisa.gov/news-events/alerts/2024/10/10/best-practices-configure-big-ip-ltm-systems-encrypt-http-persistence-cookies
https://www.welivesecurity.com/en/eset-research/telekopye-hits-new-hunting-ground-hotel-booking-scams/
https://www.welivesecurity.com/en/eset-research/telekopye-hits-new-hunting-ground-hotel-booking-scams/
Link to episode
ISC StormCast for Friday, October 11th, 2024
Palo Alto Expedition: From N-Day to Full Compromise
https://www.horizon3.ai/attack-research/palo-alto-expedition-from-n-day-to-full-compromise/
Firefox 0-Day
https://www.mozilla.org/en-US/security/advisories/mfsa2024-51/
GitLab Vulnerabilities Patched
https://securityonline.info/cve-2024-9164-cvss-9-6-gitlab-users-urged-to-update-now/
2024-10-11https://www.horizon3.ai/attack-research/palo-alto-expedition-from-n-day-to-full-compromise/
Firefox 0-Day
https://www.mozilla.org/en-US/security/advisories/mfsa2024-51/
GitLab Vulnerabilities Patched
https://securityonline.info/cve-2024-9164-cvss-9-6-gitlab-users-urged-to-update-now/
Link to episode
ISC StormCast for Thursday, October 10th, 2024
From Perfctl to InfoStealer
https://isc.sans.edu/diary/From%20Perfctl%20to%20InfoStealer/31334
Wazuh Abused by Miner Campaign
https://securelist.com/miner-campaign-misuses-open-source-siem-agent/114022/
USB Sticks Still Bridge Airgaps
https://www.welivesecurity.com/en/eset-research/mind-air-gap-goldenjackal-gooses-government-guardrails/
Fortigate Vulnerability now being exploited
https://nvd.nist.gov/vuln/detail/CVE-2024-23113
2024-10-10https://isc.sans.edu/diary/From%20Perfctl%20to%20InfoStealer/31334
Wazuh Abused by Miner Campaign
https://securelist.com/miner-campaign-misuses-open-source-siem-agent/114022/
USB Sticks Still Bridge Airgaps
https://www.welivesecurity.com/en/eset-research/mind-air-gap-goldenjackal-gooses-government-guardrails/
Fortigate Vulnerability now being exploited
https://nvd.nist.gov/vuln/detail/CVE-2024-23113
Link to episode
ISC StormCast for Wednesday, October 9th, 2024
Microsoft Patch Tuesday - October 2024
https://isc.sans.edu/diary/Microsoft%20Patch%20Tuesday%20-%20October%202024/31336
Adobe Patches
https://helpx.adobe.com/security/security-bulletin.html
The Disappearance of an Internet Domain
https://every.to/p/the-disappearance-of-an-internet-domain
2024-10-09https://isc.sans.edu/diary/Microsoft%20Patch%20Tuesday%20-%20October%202024/31336
Adobe Patches
https://helpx.adobe.com/security/security-bulletin.html
The Disappearance of an Internet Domain
https://every.to/p/the-disappearance-of-an-internet-domain
Link to episode
ISC StormCast for Tuesday, October 8th, 2024
macOS Sequoia: System/Network Admins, Hold On!
https://isc.sans.edu/diary/macOS%20Sequoia%3A%20System%20Network%20Admins%2C%20Hold%20On!/31330
Cisco Vulnerabilities
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv34x-privesc-rce-qE33TCms
Apple iTunes PoC
https://github.com/mbog14/CVE-2024-44193
Attackers used ISP's Wiretap System to Spy on Users
https://www.wsj.com/politics/national-security/china-cyberattack-internet-providers-260bd835
https://www.bleepingcomputer.com/news/security/atandt-verizon-reportedly-hacked-to-target-us-govt-wiretapping-platform/
2024-10-08https://isc.sans.edu/diary/macOS%20Sequoia%3A%20System%20Network%20Admins%2C%20Hold%20On!/31330
Cisco Vulnerabilities
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv34x-privesc-rce-qE33TCms
Apple iTunes PoC
https://github.com/mbog14/CVE-2024-44193
Attackers used ISP's Wiretap System to Spy on Users
https://www.wsj.com/politics/national-security/china-cyberattack-internet-providers-260bd835
https://www.bleepingcomputer.com/news/security/atandt-verizon-reportedly-hacked-to-target-us-govt-wiretapping-platform/
Link to episode
ISC StormCast for Monday, October 7th, 2024
Survey of CUPS exploit URLs
https://isc.sans.edu/diary/Survey%20of%20CUPS%20exploit%20attempts/31326
Exposed LDAP Servers
https://www.usenix.org/conference/usenixsecurity24/presentation/kaspereit
Exploiting Visual Studio via Dump Files
https://ynwarcs.github.io/exploiting-vs-dump-files
Apple Security Updates
https://support.apple.com/en-us/100100
Free API Security Workshop
https://www.sans.org/webcasts/aviata-solo-flight-challenge-cloud-security-workshop-chapter-7/
2024-10-07https://isc.sans.edu/diary/Survey%20of%20CUPS%20exploit%20attempts/31326
Exposed LDAP Servers
https://www.usenix.org/conference/usenixsecurity24/presentation/kaspereit
Exploiting Visual Studio via Dump Files
https://ynwarcs.github.io/exploiting-vs-dump-files
Apple Security Updates
https://support.apple.com/en-us/100100
Free API Security Workshop
https://www.sans.org/webcasts/aviata-solo-flight-challenge-cloud-security-workshop-chapter-7/
Link to episode
ISC StormCast for Friday, October 4th, 2024
Kickstart Your DShield Honeypot
https://isc.sans.edu/diary/Kickstart%20Your%20DShield%20Honeypot%20%5BGuest%20Diary%5D/31320
CreanaKeeper Use of Cloud Services
https://www.welivesecurity.com/en/eset-research/separating-bee-panda-ceranakeeper-making-beeline-thailand/
Pixel Addressing Vulnerabilities in Cellular Modems
https://security.googleblog.com/2024/10/pixel-proactive-security-cellular-modems.html
Optigo Spectra Vulnerabilities
https://claroty.com/team82/disclosure-dashboard/cve-2024-41925
https://claroty.com/team82/disclosure-dashboard/cve-2024-45367
2024-10-04https://isc.sans.edu/diary/Kickstart%20Your%20DShield%20Honeypot%20%5BGuest%20Diary%5D/31320
CreanaKeeper Use of Cloud Services
https://www.welivesecurity.com/en/eset-research/separating-bee-panda-ceranakeeper-making-beeline-thailand/
Pixel Addressing Vulnerabilities in Cellular Modems
https://security.googleblog.com/2024/10/pixel-proactive-security-cellular-modems.html
Optigo Spectra Vulnerabilities
https://claroty.com/team82/disclosure-dashboard/cve-2024-41925
https://claroty.com/team82/disclosure-dashboard/cve-2024-45367
Link to episode
ISC StormCast for Thursday, October 3rd, 2024
Security Related Docker Containers
https://isc.sans.edu/diary/Security%20related%20Docker%20containers/31318
CUPS DDoS Attack
https://www.akamai.com/blog/security-research/october-cups-ddos-threat
Draytek Vulnerabilities
https://www.forescout.com/resources/draybreak-draytek-research/
SANS Munich (free Community Night Tuesday October 15th)
https://www.sans.org/cyber-security-training-events/munich-october-2024/
2024-10-03https://isc.sans.edu/diary/Security%20related%20Docker%20containers/31318
CUPS DDoS Attack
https://www.akamai.com/blog/security-research/october-cups-ddos-threat
Draytek Vulnerabilities
https://www.forescout.com/resources/draybreak-draytek-research/
SANS Munich (free Community Night Tuesday October 15th)
https://www.sans.org/cyber-security-training-events/munich-october-2024/
Link to episode
ISC StormCast for Wednesday, October 2nd, 2024
Hurricane Helene Aftermath - Cyber Security Awareness Month
https://isc.sans.edu/diary/Hurricane%20Helene%20Aftermath%20-%20Cyber%20Security%20Awareness%20Month/31314
Zimbra - Remote Command Execution (CVE-2024-45519)
https://blog.projectdiscovery.io/zimbra-remote-code-execution/
Enhancing the security of Microsoft Edge extensions with the new Publish API
https://blogs.windows.com/msedgedev/2024/09/30/enhanced-security-for-extensions-with-new-publish-api/
CVE-2024-36435 Deep-Dive: The Year s Most Critical BMC Security Flaw
https://www.binarly.io/blog/cve-2024-36435-deep-dive-the-years-most-critical-bmc-security-flaw
2024-10-02https://isc.sans.edu/diary/Hurricane%20Helene%20Aftermath%20-%20Cyber%20Security%20Awareness%20Month/31314
Zimbra - Remote Command Execution (CVE-2024-45519)
https://blog.projectdiscovery.io/zimbra-remote-code-execution/
Enhancing the security of Microsoft Edge extensions with the new Publish API
https://blogs.windows.com/msedgedev/2024/09/30/enhanced-security-for-extensions-with-new-publish-api/
CVE-2024-36435 Deep-Dive: The Year s Most Critical BMC Security Flaw
https://www.binarly.io/blog/cve-2024-36435-deep-dive-the-years-most-critical-bmc-security-flaw
Link to episode
ISC StormCast for Tuesday, October 1st, 2024
Tool Update: mac-robber.py, le-hex-to-ip.py
https://isc.sans.edu/diary/Tool%20update%3A%20mac-robber.py%20and%20le-hex-to-ip.py/31310
Ransomware Attacks Expanding to Hybrid Cloud Environments
https://www.microsoft.com/en-us/security/blog/2024/09/26/storm-0501-ransomware-attacks-expanding-to-hybrid-cloud-environments/
Update on Recall Security and Privacy Architecture
https://blogs.windows.com/windowsexperience/2024/09/27/update-on-recall-security-and-privacy-architecture/
Detecting Ransomware in Windows Event Logs
https://blogs.jpcert.or.jp/en/2024/09/windows.html
Progress WhatsUp Gold Update
https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-September-2024?popup=true&overview
Singapore Class
https://jbu.me/singapore
2024-10-01https://isc.sans.edu/diary/Tool%20update%3A%20mac-robber.py%20and%20le-hex-to-ip.py/31310
Ransomware Attacks Expanding to Hybrid Cloud Environments
https://www.microsoft.com/en-us/security/blog/2024/09/26/storm-0501-ransomware-attacks-expanding-to-hybrid-cloud-environments/
Update on Recall Security and Privacy Architecture
https://blogs.windows.com/windowsexperience/2024/09/27/update-on-recall-security-and-privacy-architecture/
Detecting Ransomware in Windows Event Logs
https://blogs.jpcert.or.jp/en/2024/09/windows.html
Progress WhatsUp Gold Update
https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-September-2024?popup=true&overview
Singapore Class
https://jbu.me/singapore
Link to episode
ISC StormCast for Monday, September 30th, 2024
CUPS Vulnerability
https://isc.sans.edu/diary/Patch%20for%20Critical%20CUPS%20vulnerability%3A%20Don%27t%20Panic/31302
PHP Updates
https://www.php.net/ChangeLog-8.php#8.1.30
DNS And Big Chinese Firewall
https://www.assetnote.io/resources/research/insecurity-through-censorship-vulnerabilities-caused-by-the-great-firewall
https://isc.sans.edu/diary/Are+You+Piratebay+thepiratebayorg+Resolving+to+Various+Hosts/19175
HPE Aruba Networking Vulnerabilities
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04712en_us&docLocale=en_US
2024-09-30https://isc.sans.edu/diary/Patch%20for%20Critical%20CUPS%20vulnerability%3A%20Don%27t%20Panic/31302
PHP Updates
https://www.php.net/ChangeLog-8.php#8.1.30
DNS And Big Chinese Firewall
https://www.assetnote.io/resources/research/insecurity-through-censorship-vulnerabilities-caused-by-the-great-firewall
https://isc.sans.edu/diary/Are+You+Piratebay+thepiratebayorg+Resolving+to+Various+Hosts/19175
HPE Aruba Networking Vulnerabilities
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04712en_us&docLocale=en_US
Link to episode
ISC StormCast for Friday, September 27th, 2024
Patch for Critical CUPS vulnerability: Don't Panic
https://isc.sans.edu/diary/Patch%20for%20Critical%20CUPS%20vulnerability%3A%20Don%27t%20Panic/31302
2024-09-27https://isc.sans.edu/diary/Patch%20for%20Critical%20CUPS%20vulnerability%3A%20Don%27t%20Panic/31302
Link to episode
ISC StormCast for Thursday, September 26th, 2024
DNS Reflection Update and Corrupted DNS Requests
https://isc.sans.edu/diary/DNS%20Reflection%20Update%20and%20Odd%20Corrupted%20DNS%20Requests/31296
CVE-2024-28987 Solarwinds Web Help Desk Hardcoded Credentials Vulnerability
https://www.horizon3.ai/attack-research/cve-2024-28987-solarwinds-web-help-desk-hardcoded-credential-vulnerability-deep-dive/ cve-2024-28987
Watchguard Unauthenticated and Unencrypted SSO Protocol
https://www.redteam-pentesting.de/en/advisories/rt-sa-2024-006/
https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00014
Infostealers Overcome Chrome's App Bound Encryption
https://securityonline.info/infostealers-overcome-chromes-app-bound-encryption-threatening-user-data-security/
2024-09-26https://isc.sans.edu/diary/DNS%20Reflection%20Update%20and%20Odd%20Corrupted%20DNS%20Requests/31296
CVE-2024-28987 Solarwinds Web Help Desk Hardcoded Credentials Vulnerability
https://www.horizon3.ai/attack-research/cve-2024-28987-solarwinds-web-help-desk-hardcoded-credential-vulnerability-deep-dive/ cve-2024-28987
Watchguard Unauthenticated and Unencrypted SSO Protocol
https://www.redteam-pentesting.de/en/advisories/rt-sa-2024-006/
https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00014
Infostealers Overcome Chrome's App Bound Encryption
https://securityonline.info/infostealers-overcome-chromes-app-bound-encryption-threatening-user-data-security/
Link to episode
ISC StormCast for Wednesday, September 25th, 2024
Exploitation of RAISECOM Gateway Devices CVE-2024-7120
https://isc.sans.edu/diary/Exploitation%20of%20RAISECOM%20Gateway%20Devices%20Vulnerability%20CVE-2024-7120/31292
Cellopoint Vulnerability CVE-2024-9043
https://www.twcert.org.tw/en/cp-139-8103-b0568-2.html
Cisco Smart Licensing Vulnerability Details
https://starkeblog.com/cve-wednesday/cisco/2024/09/20/cve-wednesday-cve-2024-20439.html
Ivanti Virtual Traffic Manager Exploited
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
GNU Linux Systems Possible Critical Vulnerability
https://securityonline.info/severe-unauthenticated-rce-flaw-cvss-9-9-in-gnu-linux-systems-awaiting-full-disclosure/
2024-09-25https://isc.sans.edu/diary/Exploitation%20of%20RAISECOM%20Gateway%20Devices%20Vulnerability%20CVE-2024-7120/31292
Cellopoint Vulnerability CVE-2024-9043
https://www.twcert.org.tw/en/cp-139-8103-b0568-2.html
Cisco Smart Licensing Vulnerability Details
https://starkeblog.com/cve-wednesday/cisco/2024/09/20/cve-wednesday-cve-2024-20439.html
Ivanti Virtual Traffic Manager Exploited
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
GNU Linux Systems Possible Critical Vulnerability
https://securityonline.info/severe-unauthenticated-rce-flaw-cvss-9-9-in-gnu-linux-systems-awaiting-full-disclosure/
Link to episode
ISC StormCast for Tuesday, September 24th, 2024
Phishing Links With @ Sign
https://isc.sans.edu/diary/Phishing%20links%20with%20%40%20sign%20and%20the%20need%20for%20effective%20security%20awareness%20building/31288
Kaspersky Deletes Itself Installs UltraAV Antivirus Without Warning
https://www.bleepingcomputer.com/news/security/kaspersky-deletes-itself-installs-ultraav-antivirus-without-warning/
Microchip ASF tinydhcp Vulnerability
https://kb.cert.org/vuls/id/138043
2024-09-24https://isc.sans.edu/diary/Phishing%20links%20with%20%40%20sign%20and%20the%20need%20for%20effective%20security%20awareness%20building/31288
Kaspersky Deletes Itself Installs UltraAV Antivirus Without Warning
https://www.bleepingcomputer.com/news/security/kaspersky-deletes-itself-installs-ultraav-antivirus-without-warning/
Microchip ASF tinydhcp Vulnerability
https://kb.cert.org/vuls/id/138043
Link to episode
ISC StormCast for Monday, September 23rd, 2024
Windows Server Update Services Deprecation
https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-server-update-services-wsus-deprecation/ba-p/4250436
Windows Server 2025 Hotpatches
https://techcommunity.microsoft.com/t5/windows-server-news-and-best/now-in-preview-hotpatch-for-windows-server-2025/ba-p/4248296
Google Suggests Not Using WHOIS for Certificate Validation
https://lists.cabforum.org/pipermail/servercert-wg/2024-September/004821.html
Versa Director Vulnerability
https://security-portal.versa-networks.com/emailbulletins/66e4a8ebda545d61ec2b1ab9
Apache Hugegraph Vulnerability Exploited
https://nvd.nist.gov/vuln/detail/CVE-2024-27348
2024-09-23https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-server-update-services-wsus-deprecation/ba-p/4250436
Windows Server 2025 Hotpatches
https://techcommunity.microsoft.com/t5/windows-server-news-and-best/now-in-preview-hotpatch-for-windows-server-2025/ba-p/4248296
Google Suggests Not Using WHOIS for Certificate Validation
https://lists.cabforum.org/pipermail/servercert-wg/2024-September/004821.html
Versa Director Vulnerability
https://security-portal.versa-networks.com/emailbulletins/66e4a8ebda545d61ec2b1ab9
Apache Hugegraph Vulnerability Exploited
https://nvd.nist.gov/vuln/detail/CVE-2024-27348
Link to episode
ISC StormCast for Friday, September 20th, 2024
Fake GitHub Site Targeting Developers
https://isc.sans.edu/diary/Fake%20GitHub%20Site%20Targeting%20Developers/31282
Ivanti CSA 4.6 Advisory
https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-CSA-4-6-Cloud-Services-Appliance-CVE-2024-8963?language=en_US
German Police Deanonymizes Tor User
https://blog.torproject.org/tor-is-still-safe/
Ever wonder how crooks get the credentials to unlock stolen phones?
https://arstechnica.com/security/2024/09/cops-bust-website-crooks-used-to-unlock-1-2-million-stolen-mobile-phones/
2024-09-20https://isc.sans.edu/diary/Fake%20GitHub%20Site%20Targeting%20Developers/31282
Ivanti CSA 4.6 Advisory
https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-CSA-4-6-Cloud-Services-Appliance-CVE-2024-8963?language=en_US
German Police Deanonymizes Tor User
https://blog.torproject.org/tor-is-still-safe/
Ever wonder how crooks get the credentials to unlock stolen phones?
https://arstechnica.com/security/2024/09/cops-bust-website-crooks-used-to-unlock-1-2-million-stolen-mobile-phones/
Link to episode
ISC StormCast for Thursday, September 19th, 2024
Python Infostealer Patching Windows Exodus App
https://isc.sans.edu/diary/Python%20Infostealer%20Patching%20Windows%20Exodus%20App/31276
Service Now Knoledge Bases Data Exposures
https://appomni.com/ao-labs/servicenow-knowledge-bases-data-exposures-uncovered/
Gitlab Patch
https://about.gitlab.com/releases/2024/09/17/patch-release-gitlab-17-3-3-released/
Aruba Patch
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04709en_us&docLocale=en_US
2024-09-19https://isc.sans.edu/diary/Python%20Infostealer%20Patching%20Windows%20Exodus%20App/31276
Service Now Knoledge Bases Data Exposures
https://appomni.com/ao-labs/servicenow-knowledge-bases-data-exposures-uncovered/
Gitlab Patch
https://about.gitlab.com/releases/2024/09/17/patch-release-gitlab-17-3-3-released/
Aruba Patch
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04709en_us&docLocale=en_US
Link to episode
ISC StormCast for Wednesday, September 18th, 2024
23:59, Time to Exfiltrate!
https://isc.sans.edu/diary/23%3A59%2C%20Time%20to%20Exfiltrate!/31272
Critical VMWare VCenter Vulnerability
https://blogs.vmware.com/cloud-foundation/2024/09/17/vmsa-2024-0019-questions-answers/
Zero-Click Calendar invite - Critical zero-click vulnerability chain in macOS
https://mikko-kenttala.medium.com/zero-click-calendar-invite-critical-zero-click-vulnerability-chain-in-macos-a7a434fc887b
Google Adds Latest Post Quantum Encryption Standard to Chrome
https://security.googleblog.com/2024/09/a-new-path-for-kyber-on-web.html
2024-09-18https://isc.sans.edu/diary/23%3A59%2C%20Time%20to%20Exfiltrate!/31272
Critical VMWare VCenter Vulnerability
https://blogs.vmware.com/cloud-foundation/2024/09/17/vmsa-2024-0019-questions-answers/
Zero-Click Calendar invite - Critical zero-click vulnerability chain in macOS
https://mikko-kenttala.medium.com/zero-click-calendar-invite-critical-zero-click-vulnerability-chain-in-macos-a7a434fc887b
Google Adds Latest Post Quantum Encryption Standard to Chrome
https://security.googleblog.com/2024/09/a-new-path-for-kyber-on-web.html
Link to episode
ISC StormCast for Tuesday, September 17th, 2024
Managing PE Files with Overlays
https://isc.sans.edu/forums/diary/Managing%20PE%20Files%20With%20Overlays/31268/
Apple Updates
https://support.apple.com/en-us/100100
Ivanti EOL Cloud Service Appliances
https://www.cisa.gov/news-events/alerts/2024/09/13/ivanti-releases-security-update-cloud-services-appliance
Microsoft Revises September Update
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-43461
DLink Vulnerabilities
https://www.twcert.org.tw/en/cp-139-8081-3fb39-2.html
https://www.twcert.org.tw/en/cp-139-8091-bcd52-2.html
https://www.twcert.org.tw/en/cp-139-8089-32df6-2.html
2024-09-17https://isc.sans.edu/forums/diary/Managing%20PE%20Files%20With%20Overlays/31268/
Apple Updates
https://support.apple.com/en-us/100100
Ivanti EOL Cloud Service Appliances
https://www.cisa.gov/news-events/alerts/2024/09/13/ivanti-releases-security-update-cloud-services-appliance
Microsoft Revises September Update
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-43461
DLink Vulnerabilities
https://www.twcert.org.tw/en/cp-139-8081-3fb39-2.html
https://www.twcert.org.tw/en/cp-139-8091-bcd52-2.html
https://www.twcert.org.tw/en/cp-139-8089-32df6-2.html
Link to episode
ISC StormCast for Monday, September 16th, 2024
Finding Honeypot Clusters Using DBSCAN
https://isc.sans.edu/diary/Finding%20Honeypot%20Data%20Clusters%20Using%20DBSCAN%3A%20Part%202/31194
Auto IT Credential Flusher
https://research.openanalysis.net/credflusher/kiosk/stealer/stealc/amadey/autoit/2024/09/11/cred-flusher.html
Ivanti Patches
https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Cloud-Service-Appliance-CSA-CVE-2024-8190?language=en_US
https://www.horizon3.ai/attack-research/attack-blogs/cve-2024-29847-deep-dive-ivanti-endpoint-manager-agentportal-deserialization-of-untrusted-data-remote-code-execution-vulnerability/
File Sender Vulnerability
https://filesender.org/vulnerability-in-filesender-versions-below-2-49-and-3-x-beta/
Docker Patches
https://docs.docker.com/desktop/release-notes/#4342
2024-09-16https://isc.sans.edu/diary/Finding%20Honeypot%20Data%20Clusters%20Using%20DBSCAN%3A%20Part%202/31194
Auto IT Credential Flusher
https://research.openanalysis.net/credflusher/kiosk/stealer/stealc/amadey/autoit/2024/09/11/cred-flusher.html
Ivanti Patches
https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Cloud-Service-Appliance-CSA-CVE-2024-8190?language=en_US
https://www.horizon3.ai/attack-research/attack-blogs/cve-2024-29847-deep-dive-ivanti-endpoint-manager-agentportal-deserialization-of-untrusted-data-remote-code-execution-vulnerability/
File Sender Vulnerability
https://filesender.org/vulnerability-in-filesender-versions-below-2-49-and-3-x-beta/
Docker Patches
https://docs.docker.com/desktop/release-notes/#4342
Link to episode
ISC StormCast for Friday, September 13th, 2024
Compromise of old hostname .mobi whois server
https://labs.watchtowr.com/we-spent-20-to-achieve-rce-and-accidentally-became-the-admins-of-mobi/
Microsoft Reconsidering Security Tool API
https://blogs.windows.com/windowsexperience/2024/09/12/taking-steps-that-drive-resiliency-and-security-for-windows-customers/
Microsoft implents PQC in SymCrypt
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/microsoft-s-quantum-resistant-cryptography-is-here/ba-p/4238780
GitLab Patch
https://about.gitlab.com/releases/2024/09/11/patch-release-gitlab-17-3-2-released/#execute-environment-stop-actions-as-the-owner-of-the-stop-action-job
2024-09-13https://labs.watchtowr.com/we-spent-20-to-achieve-rce-and-accidentally-became-the-admins-of-mobi/
Microsoft Reconsidering Security Tool API
https://blogs.windows.com/windowsexperience/2024/09/12/taking-steps-that-drive-resiliency-and-security-for-windows-customers/
Microsoft implents PQC in SymCrypt
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/microsoft-s-quantum-resistant-cryptography-is-here/ba-p/4238780
GitLab Patch
https://about.gitlab.com/releases/2024/09/11/patch-release-gitlab-17-3-2-released/#execute-environment-stop-actions-as-the-owner-of-the-stop-action-job
Link to episode
ISC StormCast for Wednesday, September 11th, 2024
Microsoft Patches
https://isc.sans.edu/diary/Microsoft%20September%202024%20Patch%20Tuesday/31254
Adobe Patches
https://helpx.adobe.com/security/security-bulletin.html
Ivanti Patches
https://forums.ivanti.com/s/article/Security-Advisory-EPM-September-2024-for-EPM-2024-and-EPM-2022?language=en_US
2024-09-11https://isc.sans.edu/diary/Microsoft%20September%202024%20Patch%20Tuesday/31254
Adobe Patches
https://helpx.adobe.com/security/security-bulletin.html
Ivanti Patches
https://forums.ivanti.com/s/article/Security-Advisory-EPM-September-2024-for-EPM-2024-and-EPM-2022?language=en_US
Link to episode
ISC StormCast for Tuesday, September 10th, 2024
Critical Loadmaster Security Vulnerability
https://support.kemptechnologies.com/hc/en-us/articles/29196371689613-LoadMaster-Security-Vulnerability-CVE-2024-7591
HA Proxy Patch
https://www.mail-archive.com/haproxy%40formilux.org/msg45280.html
Akira Ransomware Campaign Targeting Sonicwall SSLVPN Accounts
https://arcticwolf.com/resources/blog/arctic-wolf-observes-akira-ransomware-campaign-targeting-sonicwall-sslvpn-accounts/
Kibana Deserializatio Vulnerability
https://discuss.elastic.co/t/kibana-8-15-1-security-update-esa-2024-27-esa-2024-28/366119
Stately Taurus Abuses VSCode
https://unit42.paloaltonetworks.com/stately-taurus-abuses-vscode-southeast-asian-espionage/
2024-09-10https://support.kemptechnologies.com/hc/en-us/articles/29196371689613-LoadMaster-Security-Vulnerability-CVE-2024-7591
HA Proxy Patch
https://www.mail-archive.com/haproxy%40formilux.org/msg45280.html
Akira Ransomware Campaign Targeting Sonicwall SSLVPN Accounts
https://arcticwolf.com/resources/blog/arctic-wolf-observes-akira-ransomware-campaign-targeting-sonicwall-sslvpn-accounts/
Kibana Deserializatio Vulnerability
https://discuss.elastic.co/t/kibana-8-15-1-security-update-esa-2024-27-esa-2024-28/366119
Stately Taurus Abuses VSCode
https://unit42.paloaltonetworks.com/stately-taurus-abuses-vscode-southeast-asian-espionage/
Link to episode
ISC StormCast for Monday, September 9th, 2024
Password Cracking Energy: More Details
https://isc.sans.edu/diary/Password%20Cracking%20%26%20Energy%3A%20More%20Dedails/31242
Python Notpad ++
https://isc.sans.edu/diary/Python%20%26%20Notepad%2B%2B/31240
Fake LinkedIn Job Ads
https://cloud.google.com/blog/topics/threat-intelligence/examining-web3-heists/
Android Crypto Passphrase Stealer with OCR
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/new-android-spyagent-campaign-steals-crypto-credentials-via-image-recognition/
Sextortion Scam Now use Your Chating Spouses Name as a Lure
https://www.bleepingcomputer.com/news/security/sextortion-scam-now-use-your-cheating-spouses-name-as-a-lure/
2024-09-09https://isc.sans.edu/diary/Password%20Cracking%20%26%20Energy%3A%20More%20Dedails/31242
Python Notpad ++
https://isc.sans.edu/diary/Python%20%26%20Notepad%2B%2B/31240
Fake LinkedIn Job Ads
https://cloud.google.com/blog/topics/threat-intelligence/examining-web3-heists/
Android Crypto Passphrase Stealer with OCR
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/new-android-spyagent-campaign-steals-crypto-credentials-via-image-recognition/
Sextortion Scam Now use Your Chating Spouses Name as a Lure
https://www.bleepingcomputer.com/news/security/sextortion-scam-now-use-your-cheating-spouses-name-as-a-lure/
Link to episode
ISC StormCast for Friday, September 6th, 2024
Enrichment Data: Keeping it Fresh
https://isc.sans.edu/diary/Enrichment%20Data%3A%20Keeping%20it%20Fresh/31236
Veeam Update
https://www.veeam.com/kb4649
New OFBiz Vulnerabilities
https://www.rapid7.com/blog/post/2024/09/05/cve-2024-45195-apache-ofbiz-unauthenticated-remote-code-execution-fixed/
Cisco Smart License Manager Patches
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cslu-7gHMzWmw
2024-09-06https://isc.sans.edu/diary/Enrichment%20Data%3A%20Keeping%20it%20Fresh/31236
Veeam Update
https://www.veeam.com/kb4649
New OFBiz Vulnerabilities
https://www.rapid7.com/blog/post/2024/09/05/cve-2024-45195-apache-ofbiz-unauthenticated-remote-code-execution-fixed/
Cisco Smart License Manager Patches
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cslu-7gHMzWmw
Link to episode
ISC StormCast for Thursday, September 5th, 2024
Scans for Moodle Learning Platform Following Recent Update
https://isc.sans.edu/diary/Scans+for+Moodle+Learning+Platform+Following+Recent+Update/31230
PyPi Rivival HiJack
https://jfrog.com/blog/revival-hijack-pypi-hijack-technique-exploited-22k-packages-at-risk/
Android Updates
https://source.android.com/docs/security/bulletin/2024-09-01
Mediatec WAPPD PoC Exploit
https://blog.coffinsec.com/0day/2024/08/30/exploiting-CVE-2024-20017-four-different-ways.html#wrapping-up
2024-09-05https://isc.sans.edu/diary/Scans+for+Moodle+Learning+Platform+Following+Recent+Update/31230
PyPi Rivival HiJack
https://jfrog.com/blog/revival-hijack-pypi-hijack-technique-exploited-22k-packages-at-risk/
Android Updates
https://source.android.com/docs/security/bulletin/2024-09-01
Mediatec WAPPD PoC Exploit
https://blog.coffinsec.com/0day/2024/08/30/exploiting-CVE-2024-20017-four-different-ways.html#wrapping-up
Link to episode
ISC StormCast for Wednesday, September 4th, 2024
Protected OOXML Text Documents
https://isc.sans.edu/diary/Protected%20OOXML%20Text%20Documents/31078
Sextortion E-Mails with Photos
https://krebsonsecurity.com/2024/09/sextortion-scams-now-include-photos-of-your-home/
Zyxel OS Command Injection Vulnerability
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-os-command-injection-vulnerability-in-aps-and-security-router-devices-09-03-2024
D-Link DIR-846W Unpatched RCE Vulnerabilities
https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10411
VMWare Priviledge Escalation Vulnerability CVe-2024-38811
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24939
YubiKey Sidechannel Attack
https://ninjalab.io/wp-content/uploads/2024/09/20240903_eucleak.pdf
https://www.yubico.com/support/security-advisories/ysa-2024-03/
2024-09-04https://isc.sans.edu/diary/Protected%20OOXML%20Text%20Documents/31078
Sextortion E-Mails with Photos
https://krebsonsecurity.com/2024/09/sextortion-scams-now-include-photos-of-your-home/
Zyxel OS Command Injection Vulnerability
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-os-command-injection-vulnerability-in-aps-and-security-router-devices-09-03-2024
D-Link DIR-846W Unpatched RCE Vulnerabilities
https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10411
VMWare Priviledge Escalation Vulnerability CVe-2024-38811
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24939
YubiKey Sidechannel Attack
https://ninjalab.io/wp-content/uploads/2024/09/20240903_eucleak.pdf
https://www.yubico.com/support/security-advisories/ysa-2024-03/
Link to episode
ISC StormCast for Tuesday, September 3rd, 2024
Wireshark 4.4: Converting Display Filters to BPF Capture Filters
https://isc.sans.edu/diary/Wireshark+44+Converting+Display+Filters+to+BPF+Capture+Filters/31224
GitHub Comments Used to Spread Malware
https://www.reddit.com/r/Malware/comments/1f2n1h4/comment/lkbi5gi/
Voldemort Malware Curses Orgs Using Global Tax Authorities
https://www.darkreading.com/threat-intelligence/voldemort-malware-curses-orgs-global-tax-authorities
Analysis of CVE-2024-43044 From file read to RCE in Jenkins through agents
https://blog.convisoappsec.com/en/analysis-of-cve-2024-43044/
2024-09-03https://isc.sans.edu/diary/Wireshark+44+Converting+Display+Filters+to+BPF+Capture+Filters/31224
GitHub Comments Used to Spread Malware
https://www.reddit.com/r/Malware/comments/1f2n1h4/comment/lkbi5gi/
Voldemort Malware Curses Orgs Using Global Tax Authorities
https://www.darkreading.com/threat-intelligence/voldemort-malware-curses-orgs-global-tax-authorities
Analysis of CVE-2024-43044 From file read to RCE in Jenkins through agents
https://blog.convisoappsec.com/en/analysis-of-cve-2024-43044/
Link to episode
ISC StormCast for Friday, August 30th, 2024
Live Patching DLLs with Python
https://isc.sans.edu/diary/Live%20Patching%20DLLs%20with%20Python/31218
Global Protect Phishing
https://www.trendmicro.com/en_us/research/24/h/threat-actors-target-middle-east-using-fake-tool.html
BlackByte Ransomware Update
https://blog.talosintelligence.com/blackbyte-blends-tried-and-true-tradecraft-with-newly-disclosed-vulnerabilities-to-support-ongoing-attacks/
The Risks Lurking in Publicly Exposed GenAI Development Services
https://www.legitsecurity.com/blog/the-risks-lurking-in-publicly-exposed-genai-development-services
Finding Lateral Movement of Adversaries Through the Noise of Systems Administration
https://www.sans.edu/cyber-research/finding-lateral-movement-adversaries-through-noise-systems-administration/
YouTube Channel: https://www.youtube.com/c/CyberAttackDefense
2024-08-30https://isc.sans.edu/diary/Live%20Patching%20DLLs%20with%20Python/31218
Global Protect Phishing
https://www.trendmicro.com/en_us/research/24/h/threat-actors-target-middle-east-using-fake-tool.html
BlackByte Ransomware Update
https://blog.talosintelligence.com/blackbyte-blends-tried-and-true-tradecraft-with-newly-disclosed-vulnerabilities-to-support-ongoing-attacks/
The Risks Lurking in Publicly Exposed GenAI Development Services
https://www.legitsecurity.com/blog/the-risks-lurking-in-publicly-exposed-genai-development-services
Finding Lateral Movement of Adversaries Through the Noise of Systems Administration
https://www.sans.edu/cyber-research/finding-lateral-movement-adversaries-through-noise-systems-administration/
YouTube Channel: https://www.youtube.com/c/CyberAttackDefense
Link to episode
ISC StormCast for Thursday, August 29th, 2024
Vega-Lite With Kibana To Parse and Display IP Activity Over Time
https://isc.sans.edu/diary/Vega-Lite%20with%20Kibana%20to%20Parse%20and%20Display%20IP%20Activity%20over%20Time/31210
Attack tool update impairs Windows computers
https://news.sophos.com/en-us/2024/08/27/burnt-cigar-2/
Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a
Confluence Vulnerabilty Exploited for Crypto Miners
https://www.trendmicro.com/en_us/research/24/h/cve-2023-22527-cryptomining.html
Fortra FileCatalyst Workflow Hard Coded HSQLDB Credentials
https://www.fortra.com/security/advisories/product-security/fi-2024-011
2024-08-29https://isc.sans.edu/diary/Vega-Lite%20with%20Kibana%20to%20Parse%20and%20Display%20IP%20Activity%20over%20Time/31210
Attack tool update impairs Windows computers
https://news.sophos.com/en-us/2024/08/27/burnt-cigar-2/
Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a
Confluence Vulnerabilty Exploited for Crypto Miners
https://www.trendmicro.com/en_us/research/24/h/cve-2023-22527-cryptomining.html
Fortra FileCatalyst Workflow Hard Coded HSQLDB Credentials
https://www.fortra.com/security/advisories/product-security/fi-2024-011
Link to episode
ISC StormCast for Wednesday, August 28th, 2024
Why is Python so Popular to Infect Windows Hosts
https://isc.sans.edu/diary/Why%20Is%20Python%20so%20Popular%20to%20Infect%20Windows%20Hosts%3F/31208
OFBiz Vulnerability Update
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
https://nvd.nist.gov/vuln/detail/CVE-2024-38856
Versa Directory Vulnerability Exploited
https://versa-networks.com/blog/versa-security-bulletin-update-on-cve-2024-39717-versa-director-dangerous-file-type-upload-vulnerability/
Google Chrome Vulnerability Exploited
https://chromereleases.googleblog.com/2024/08/stable-channel-update-for-desktop_21.html
SGX Key Leak
https://x.com/_markel___/status/1828112469010596347
2024-08-28https://isc.sans.edu/diary/Why%20Is%20Python%20so%20Popular%20to%20Infect%20Windows%20Hosts%3F/31208
OFBiz Vulnerability Update
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
https://nvd.nist.gov/vuln/detail/CVE-2024-38856
Versa Directory Vulnerability Exploited
https://versa-networks.com/blog/versa-security-bulletin-update-on-cve-2024-39717-versa-director-dangerous-file-type-upload-vulnerability/
Google Chrome Vulnerability Exploited
https://chromereleases.googleblog.com/2024/08/stable-channel-update-for-desktop_21.html
SGX Key Leak
https://x.com/_markel___/status/1828112469010596347
Link to episode
ISC StormCast for Tuesday, August 27th, 2024
From Highly Obfuscated Batch File to XWorm and Redline
https://isc.sans.edu/diary/From%20Highly%20Obfuscated%20Batch%20File%20to%20XWorm%20and%20Redline/31204
CVE-2024-38063 Windows IPv6 Issue PoC Exploit
https://github.com/ynwarcs/CVE-2024-38063
Not a vulnerability
https://github.com/juwenyi/CVE-2024-42992
2024-08-27https://isc.sans.edu/diary/From%20Highly%20Obfuscated%20Batch%20File%20to%20XWorm%20and%20Redline/31204
CVE-2024-38063 Windows IPv6 Issue PoC Exploit
https://github.com/ynwarcs/CVE-2024-38063
Not a vulnerability
https://github.com/juwenyi/CVE-2024-42992
Link to episode
ISC StormCast for Monday, August 26th, 2024
Pandas Erros: What encoding are my logs in?
https://isc.sans.edu/diary/Pandas%20Errors%3A%20What%20encoding%20are%20my%20logs%20in%3F/31200
Crowdstrike Performance Issues
https://www.reddit.com/r/sysadmin/comments/1eyfex6/at_least_its_not_on_a_friday/
CopyBara Malware
https://www.zscaler.com/blogs/security-research/technical-analysis-copybara#conclusion
SonicWall Vulnerability
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0015
2024-08-26https://isc.sans.edu/diary/Pandas%20Errors%3A%20What%20encoding%20are%20my%20logs%20in%3F/31200
Crowdstrike Performance Issues
https://www.reddit.com/r/sysadmin/comments/1eyfex6/at_least_its_not_on_a_friday/
CopyBara Malware
https://www.zscaler.com/blogs/security-research/technical-analysis-copybara#conclusion
SonicWall Vulnerability
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0015
Link to episode
ISC StormCast for Friday, August 23rd, 2024
OpenAI Scans Honeypots
https://isc.sans.edu/diary/OpenAI%20Scans%20for%20Honeypots.%20Artificially%20Malicious%3F%20Action%20Abuse%3F/31196
Broken Linux Boot Partitions after August Microsoft Update
https://learn.microsoft.com/en-us/windows/release-health/status-windows-11-23H2#3377msgdesc
Google Fixes Chrome 0-day
https://chromereleases.googleblog.com/2024/08/stable-channel-update-for-desktop_21.html
Cisco Zero Day Exploited (now Patched)
https://www.sygnia.co/blog/china-threat-group-velvet-ant-cisco-zero-day/
Solar Winds Helpdesk Backdoor
https://support.solarwinds.com/SuccessCenter/s/article/SolarWinds-Web-Help-Desk-12-8-3-Hotfix-2
Securing the Future: How Memory-Safe Programming Languages Impact Industry Safety (Christopher Ross)
https://www.sans.edu/cyber-research/securing-future-how-memory-safe-programming-languages-impact-industry-safety/
2024-08-23https://isc.sans.edu/diary/OpenAI%20Scans%20for%20Honeypots.%20Artificially%20Malicious%3F%20Action%20Abuse%3F/31196
Broken Linux Boot Partitions after August Microsoft Update
https://learn.microsoft.com/en-us/windows/release-health/status-windows-11-23H2#3377msgdesc
Google Fixes Chrome 0-day
https://chromereleases.googleblog.com/2024/08/stable-channel-update-for-desktop_21.html
Cisco Zero Day Exploited (now Patched)
https://www.sygnia.co/blog/china-threat-group-velvet-ant-cisco-zero-day/
Solar Winds Helpdesk Backdoor
https://support.solarwinds.com/SuccessCenter/s/article/SolarWinds-Web-Help-Desk-12-8-3-Hotfix-2
Securing the Future: How Memory-Safe Programming Languages Impact Industry Safety (Christopher Ross)
https://www.sans.edu/cyber-research/securing-future-how-memory-safe-programming-languages-impact-industry-safety/
Link to episode
ISC StormCast for Thursday, August 22nd, 2024
Mapping Threats wiht DNSTwist and the Internet Storm Center
https://isc.sans.edu/diary/Mapping%20Threats%20with%20DNSTwist%20and%20the%20Internet%20Storm%20Center%20%5BGuest%20Diary%5D/31188
Slack AI Prompt Injection
https://promptarmor.substack.com/p/slack-ai-data-exfiltration-from-private
Phishing in PWA Applications
https://www.welivesecurity.com/en/eset-research/be-careful-what-you-pwish-for-phishing-in-pwa-applications/
QNAP Ransomware Security Center
https://www.qnap.com/en/news/2024/qnap-officially-releases-qts-5-2-introducing-security-center-for-active-file-activity-monitoring-elevated-security-and-data-protection
2024-08-22https://isc.sans.edu/diary/Mapping%20Threats%20with%20DNSTwist%20and%20the%20Internet%20Storm%20Center%20%5BGuest%20Diary%5D/31188
Slack AI Prompt Injection
https://promptarmor.substack.com/p/slack-ai-data-exfiltration-from-private
Phishing in PWA Applications
https://www.welivesecurity.com/en/eset-research/be-careful-what-you-pwish-for-phishing-in-pwa-applications/
QNAP Ransomware Security Center
https://www.qnap.com/en/news/2024/qnap-officially-releases-qts-5-2-introducing-security-center-for-active-file-activity-monitoring-elevated-security-and-data-protection
Link to episode