What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2022-06-01 13:59:00 | (Déjà vu) CVE-2022-30190: Microsoft Support Diagnostic Tool (MSDT) RCE Vulnerability “Follina” (lien direct) | FortiGuard Labs researchers provide an analysis and assessment of CVE-2022-30190: Microsoft Support Diagnostic Tool (MSDT) RCE vulnerability “Follina.” Read to learn more about this critical vulnerability and how to take quick corrective action until Microsoft releases a patch.
|
Tool Vulnerability | ||
 |
2022-06-01 13:12:14 | Nouvelle vulnérabilité Microsoft Support Diagnostic Tool : comment y faire face (lien direct) | >Une nouvelle vulnérabilité a récemment été découverte dans Microsoft Office. En effet, Microsoft Support Diagnostic Tool (MSDT) peut être détourné contre les organisations. L'exploit semble exister depuis environ un mois, avec diverses modifications quant à ce qui doit être exécuté sur le système ciblé. The post Nouvelle vulnérabilité Microsoft Support Diagnostic Tool : comment y faire face first appeared on UnderNews. | Tool | ||
 |
2022-06-01 09:10:12 | SideWinder hackers plant fake Android VPN app in Google Play Store (lien direct) | Phishing campaigns attributed to an advanced threat actor called SideWinder involved a fake VPN app for Android devices published on Google Play Store along with a custom tool that filters victims for better targeting. [...] | Tool Threat | APT-C-17 | |
 |
2022-06-01 06:40:40 | Threat Advisory: Zero-day vulnerability in Microsoft diagnostic tool MSDT could lead to code execution (lien direct) | A recently discovered zero-day vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) made headlines over the past few days. CVE-2022-30190, also known under the name "Follina," exists when MSDT is called using the URL protocol from an application, such as Microsoft Office, Microsoft... [[ This is only the beginning! Please visit the blog for the complete entry ]] | Tool Vulnerability | ||
 |
2022-06-01 05:15:09 | YODA Tool Found ~47,000 Malicious WordPress Plugins Installed in Over 24,000 Sites (lien direct) | As many as 47,337 malicious plugins have been uncovered on 24,931 unique websites, out of which 3,685 plugins were sold on legitimate marketplaces, netting the attackers $41,500 in illegal revenues. The findings come from a new tool called YODA that aims to detect rogue WordPress plugins and track down their origin, according to an 8-year-long study conducted by a group of researchers from the | Tool | ||
 |
2022-06-01 00:00:00 | Rôles de cybersécurité Cyber Security Roles (lien direct) |
Être un expert en cybersécurité apporte un éventail de possibilités de carrière dans une grande variété d'industries.Il n'y a pas un chemin vers une carrière dans la cybersécurité et la réalité est que les professionnels de la cybersécurité peuvent avoir des antécédents de travail et des niveaux d'éducation différents.Ce qu'ils ont en commun, c'est une compréhension de la technologie et de la nécessité de protéger et de garder les réseaux, les données et les informations sécurisés à l'ère numérique.
Nous avons choisi 5 rôles d'emploi de cybersécurité qui sont actuellement à la demande par plusieurs industries.Les cyber-compétences fournissent des voies et des micro-informations d'identification qui vous renforceront dans les domaines suivants et nous nous assurons de recevoir la formation exacte nécessaire pour remplir ces rôles et améliorer votre carrière.
Architecte de sécurité - La responsabilité clé d'un architecte de sécurité est d'établir et de maintenir la cyber-sécurité des systèmes d'une entreprise.Ils sont essentiels à la sécurité d'une organisation traduisant des conditions réelles telles que les lois et les réglementations dans des solutions techniques qui gardent les systèmes en sécurité.
Analyste de cybersécurité & # 8211;Examine les données de plusieurs sources disparates dans le but de fournir des informations sur la sécurité et la confidentialité.Conception et implémente des algorithmes personnalisés, des processus de flux de travail et des dispositions à des ensembles de données complexes et à l'échelle de l'entreprise utilisés à des fins de modélisation, d'exploration de données et de recherche.
Ingénieur de sécurité réseau & # 8211; Les ingénieurs de sécurité occupent un rôle technique au sein d'une entreprise ou d'une organisation.Il s'agit de planifier, d'implémenter et d'exploiter les services / systèmes réseau, d'inclure des environnements matériels et virtuels.
La médecine légale numérique & # 8211;Utilise des données collectées auprès d'une variété d'outils de cyber-défense pour analyser les événements qui se produisent dans leur environnement à des fins d'atténuation des menaces.Mène des enquêtes détaillées sur les crimes informatiques établissant des preuves documentaires ou physiques, pour inclure les médias numériques et les journaux associés aux incidents de cyber-intrusion.
Secure Software Developer & # 8211;Tous les développeurs doivent être conscients de la sécurité lors de la conception et du développement de composants logiciels pour assurer la sécurité des données et tout système tiers.L'assurance de la sécurité est également un domaine clé de leur travail pour valider tous les composants combiner pour créer un système sécurisé.
Being a cyber security expert brings an array of career opportunities across a wide variety of industries. There is not one path to a career in cyber security and the reality is cyber security professionals can have different working backgrounds and levels of education. What they do have in common is an understanding of technology and the need to protect and keep networks, data and information secure in the digital age. We have picked 5 cyber security job roles that are currently in-demand by multiple industries. Cyber Skills provide pathways and micro credentials that will up skill you in the following areas and we ensure that you receive the exact training needed to fulfil these roles and enhance your career. Security Architect - The key responsibility of a security architect is to establish and maintain the cyber safety of a business\'s systems. They are key to the security of an organisation translating real world conditions such as laws and regulations into technical solutions keeping the systems Cyber Secure. Cyber Security Analyst – Examines data from multiple disparate sources with the goal of providing security and privacy insight. Designs and implements custom algorithms, workflow processes, and |
Tool Technical | ★★ | |
 |
2022-05-31 16:33:34 | New Microsoft Office “Follina” zero-day Already Shared on Ransomware Forums (lien direct) |
The new zero-day MS Word vulnerability recently discovered by Nao_Sec on May 27, 2022, titled 'Follina' (CVE-2022-30190) targeting Microsoft Office is being actively utilised, Minerva researchers found. The exploit targets a vulnerability in Microsoft's Windows Support Diagnostic Tool (MSDT) that occurs due to the ms-msdt MSProtocol URI scheme which could load code and execute via PowerShell despite macros being disabled. Successful exploitation of the CVE enables an attacker to execute arbitrary code on the targeted host. However, the attacker must socially engineer the victim into opening a specially crafted file to exploit this issue which requires a targeted effort to succeed making the vulnerability less prominent to unskilled actors but highly relevant to ransomware gangs such as CONTI, CL0P and ALPHV. To combat this new threat businesses must focus on threat prevention-an approach in which Minerva excels. |
Ransomware Tool Vulnerability Threat | ||
 |
2022-05-31 12:29:00 | Microsoft gives mitigation advice for Follina vulnerability exploitable via Office apps (lien direct) | Attackers are actively exploiting an unpatched remote code execution (RCE) vulnerability in a Windows component called the Microsoft Support Diagnostic Tool (MSDT) through weaponized Word documents. Microsoft has responded with mitigation advice that can be used to block the attacks until a permanent patch is released.An exploit for the vulnerability, now tracked as CVE-2022-30190, was found in the wild by an independent security research team dubbed nao_sec, which spotted a malicious Word document uploaded to VirusTotal from an IP in Belarus. However, more malicious samples dating from April have also been found, suggesting the vulnerability has been exploited for over a month.To read this article in full, please click here | Tool Vulnerability | ||
 |
2022-05-31 12:24:44 | EnemyBot Malware Targets Web Servers, CMS Tools and Android OS (lien direct) | Malware borrows generously from code used by other botnets such as Mirai, Qbot and Zbot. | Malware Tool | ||
 |
2022-05-31 11:19:10 | Microsoft shared workarounds for the Microsoft Office zero-day dubbed Follina (lien direct) | >Microsoft released workarounds for a recently discovered zero-day vulnerability, dubbed Follina, in the Microsoft Office productivity suite. Microsoft has released workarounds for a recently discovered zero-day vulnerability, dubbed Follina and tracked as CVE-2022-30190 (CVSS score 7.8), in the Microsoft Office productivity suite. “On Monday May 30, 2022, Microsoft issued CVE-2022-30190 regarding the Microsoft Support Diagnostic Tool (MSDT) in Windows […] | Tool | ||
 |
2022-05-31 10:54:34 | RSAC insights: Why vulnerability management absolutely must shift to a risk-assessment approach (lien direct) | Vulnerability management, or VM, has long been an essential, if decidedly mundane, component of network security. Related: Log4J’s long-run risks That's changing — dramatically. Advanced VM tools and practices are rapidly emerging to help companies mitigate a sprawling array of … (more…) | Tool Vulnerability | ||
|
2022-05-31 10:18:52 | Follina: 0-day Windows MSDT Vulnerability (CVE-2022-30190) Exploited In The Wild (lien direct) | FortiGuard Labs is aware that a 0-day vulnerability in Microsoft Support Diagnostic Tool is being exploited in the wild. The first sample that exploits the vulnerability appeared on VirusTotal on April 12th, 2022. Assigned CVE-2022-30190, successful exploitation allows an attacker to run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user's rights.Why is the Significant?This is significant because the vulnerability is a 0-day vulnerability in Microsoft Support Diagnostic Tool that allows remote code execution and is being exploited in the wild.What is CVE-2022-30190?The vulnerability is a remote code execution vulnerability that was named "Follina" by a security researcher Kevin Beaumont. The name "Follina" was derived from the 0-day code referencing "0438", which is the area code of Follina, Italy. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application such as Word. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user's rights.A malicious Word file that is widely discussed online abuses the remote template feature in Microsoft Word and retrieves a remote HTML file. The retrieved HTML file uses the "ms-msdt" MSProtocol URI scheme load and execute the PowerShell payload. Note that ms-msdt refers to "Microsoft Support Diagnostic Tool", which a legitimate Microsoft tool collects and sends system information back to the Microsoft for problem diagnostic.What is concerning is that the vulnerability reportedly can be exploited if even if macros, one of the most prevalent ways to deliver malware via Microsoft Office files, are disabled. Also, if the document file is changed to RTF form, even previewing the document the vulnerability in Windows Explorer can trigged the exploit.How Widespread is this?While the attack that leverages the vulnerability does not appear to be widespread, however more attacks are expected as Proof-of-Concept code is available and a patch has not yet been released. Does the Vulnerability Have CVE Number?CVE-2022-30190 has been assigned to the vulnerability.Has Microsoft Released an Advisory?Yes. See the Appendix for a link to " Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability".Has Microsoft Released a Patch?No, Microsoft has not released a patch yet.What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against the known sample that are associated with CVE-2022-30190:MSWord/Agent.2E52!tr.dldrKnown network IOCs for CVE-2022-30190 are blocked by the WebFiltering client.FortiGuard Labs is currently investigating for additional coverage against CVE-2022-30190. This Threat Signal will be updated when additional information becomes available.Any Suggested Mitigation?Microsoft released an official blog on CVE-2022-30190 that includes mitigation information. See the Appendix for a link to "Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability". | Malware Tool Vulnerability Threat | ★★ | |
 |
2022-05-30 23:25:16 | Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability (lien direct) | > Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability Read More » | Tool Vulnerability | ||
 |
2022-05-27 16:03:21 | Best data science tools and software 2022 (lien direct) | >Data science tools prep data for advanced analytics in finding business insights. Compare the top tools now. | Tool | ||
 |
2022-05-27 11:00:14 | The IaC Showdown: Terraform vs. Ansible (lien direct) | >By Dotan Nahum Infrastructure as code (IaC) has become the de-facto method for dealing with infrastructure at scale. This codification of infrastructure configurations lets software development teams create version-controlled, reusable configurations. Moreover, it enables integrating infrastructure management as a part of the delivery pipeline. Terraform and Ansible are two leading IaC tools with somewhat overlapping… | Tool Guideline | ||
|
2022-05-26 21:52:30 | Ransomware Roundup - 2022/05/26 (lien direct) | FortiGuard Labs became aware of a number of new Ransomware strains for the week of May 23rd, 2022. It is imperative to raise awareness about new ransomware as infections can cause severe damage to the affected machines and organizations. This Threat Signal covers Yashma ransomware, GoodWill ransomware and Horsemagyar ransomware along with Fortinet protections against them.What is Yashma Ransomware?Yashma ransomware is a new and is generated through Yashma ransomware builder. It is claimed as the sixth version of Chaos ransomware builder. Reportedly, compared to the fifth version, Yashma ransomware builder now supports the "forbidden country" option which attackers can choose not to run the generated ransomware based on the victim's location. The new builder also enables the ransomware to stop a wide variety of services running on the compromised machine such as anti-malware solutions, and Remote Desktop and Backup services. Additionally, it is important to note that from the fifth version of Chaos ransomware builder, the crafted ransomware can successfully encrypt files larger than 2,117,152 bytes and no longer corrupts them.A known sample of Yashma ransomware has the following ransom note:All of your files have been encrypted with Yashma ransomwareYour computer was infected with a ransomware. Your files have been encrypted and you won'tbe able to decrypt them without our help.What can I do to get my files back?You can buy our specialdecryption software, this software will allow you to recover all of your data and remove theransomware from your computer.The price for the software is $1,500. Payment can be made in Bitcoin only.How do I pay, where do I get Bitcoin?Purchasing Bitcoin varies from country to country, you are best advised to do a quick google searchyourself to find out how to buy Bitcoin.Many of our customers have reported these sites to be fast and reliable:Coinmama - hxxps://www[.]coinmama[.]com Bitpanda - hxxps://www[.]bitpanda[.]comPayment informationAmount: 0.1473766 BTCBitcoin Address: [removed] At the time of this writing, the attacker's bitcoin wallet has no transactions.FortiGuard Labs previously released several blogs on Chaos ransomware. See the Appendix for links to "Chaos Ransomware Variant Sides with Russia" and "Chaos Ransomware Variant in Fake Minecraft Alt List Brings Destruction to Japanese Gamers".What is the Status of Coverage for Yashma ransomware?FortiGuard Labs provides the following AV coverage against a known sample of Yashma ransomware:MSIL/Filecoder.APU!tr.ransomWhat is GoodWill Ransomware?GoodWill ransomware was recently discovered, however it appears to have been first observed in March 2022. The ransomware encrypts files on the compromised machine and adds a ".gdwill" file extension to the affected files.Unlike other ransomware that demands ransom to recover the encrypted files, GoodWill asks the victim to do three good deeds. Firstly, the victim must provide clothes and blankets to needy people on the street. Secondly, the victim must feed dinner to five children at a pizza or fried chicken joint. Lastly, the victim must visit a local hospital and provide financial assistance to those in need. After finishing each deed, proof must be provided to the attacker, and a decryption tool and video instruction will be provided to the victim after completing all the deeds.What is the Status of Coverage for GoodWill ransomware?FortiGuard Labs provides the following AV coverage against GoodWill ransomware:MSIL/Filecoder.AGR!tr.ransomWhat is Horsemagyar Ransomware?Horsemagyar ransomware is a new variant of Sojusz ransomware that was recently discovered. It encrypts files on the compromised machine and adds ".[10 digit ID number].spanielearslook.likeoldboobs" file extension to the encrypted files. The ransomware leaves a ransom note as Horse.txt. The first sighting of Sojusz ransomware goes back to February, 2022 and it added a ".[10 digit ID number].[attacker's email address].bec" extension to the files it encrypted.Example of ransom note left behind by Horsemagyar ransomware is below:: | Ransomware Tool Threat | ||
|
2022-05-26 21:02:57 | Best business intelligence tools 2022 (lien direct) | >Business intelligence solutions have swiftly become an important data collection, analysis and decision-making tool. Here's how leading BI analytic software offerings compare. | Tool Guideline | ||
|
2022-05-26 20:35:52 | Best SEO tools 2022: How to increase website traffic (lien direct) | >Learn everything you need to know about the basics of search engine optimization, including the top SEO tools for your business. | Tool | ||
|
2022-05-26 19:02:28 | Apache Spark vs Apache Hadoop: Compare data science tools (lien direct) | >One is a lightweight, focused data science utility-the other is a more robust data science platform. Which should you use for your data analytics? | Tool | ||
|
2022-05-26 15:20:30 | Will Coda be your next document management platform? (lien direct) | >With Coda, you can create an efficient collaboration platform and not have to use a combination of tools like Office 365, Trello and Jira. | Tool | ||
 |
2022-05-26 13:53:04 | Retrofitting Temporal Memory Safety on C++ (lien direct) | Posted by Anton Bikineev, Michael Lippautz and Hannes Payer, Chrome security teamMemory safety in Chrome is an ever-ongoing effort to protect our users. We are constantly experimenting with different technologies to stay ahead of malicious actors. In this spirit, this post is about our journey of using heap scanning technologies to improve memory safety of C++.Let's start at the beginning though. Throughout the lifetime of an application its state is generally represented in memory. Temporal memory safety refers to the problem of guaranteeing that memory is always accessed with the most up to date information of its structure, its type. C++ unfortunately does not provide such guarantees. While there is appetite for different languages than C++ with stronger memory safety guarantees, large codebases such as Chromium will use C++ for the foreseeable future.auto* foo = new Foo();delete foo | Tool Guideline | ||
 |
2022-05-26 12:00:00 | The Cornerstone of Cybersecurity – Cryptographic Standards and a 50-Year Evolution (lien direct) | In today's connected digital world, cryptographic algorithms are implemented in every device and applied to every link to protect information in transmission and in storage. Over the past 50 years, the use of cryptographic tools has expanded dramatically, from limited environments like ATM encryption to every digital application used today. Throughout this long journey, NIST has played a unique leading role in developing critical cryptographic standards. Data Encryption Standard (DES) In the early 1970s, there was little public understanding of cryptography, although most people knew that | Tool Guideline | ||
|
2022-05-26 11:24:36 | Jupyter Notebook vs PyCharm: Software comparison (lien direct) | >Jupyter Notebook and PyCharm are data science notebook and development tools, respectively. Compare key features to see which tool is best for your business. | Tool | ||
 |
2022-05-26 10:42:00 | Understanding the Latest Cybersecurity Solutions To Keep Up With Today\'s Threats (lien direct) | Welcome to this week’s blog. We’re getting close to the end of the series in which I explore the “Top 10 List of the Challenges Cybersecurity Professionals Face,” as found in our Cybersecurity Insights Report 2022: The State of Cyber Resilience.
Coming in at number three on our list: Identifying and Utilizing the Latest Cybersecurity Solutions This is not surprising, as just under half of security decision-makers strongly agree that their cybersecurity teams can quickly prioritize threats based on trends, severity, and potential impact.
Cybersecurity Analysts use various tools in their jobs, which can be organized into a few categories: network security monitoring, encryption, web vulnerability, penetration testing, antivirus software, network intrusion detection, and packet sniffers.
Types of Tools
Network security monitoring tools
These tools are used to analyze network data and detect network-based threats.
Encryption tools
Encryption protects data by scrambling text so that it is unreadable to unauthorized users.
Web vulnerability scanning tools
These software programs scan web applications to identify security vulnerabilities, including cross-site scripting, SQL injection, and path traversal.
Penetration testing
Penetration testing, also known as “pen test”, simulates an attack on a computer system to evaluate the security of that system.
Antivirus software
This software is designed to find viruses and harmful malware, including ransomware, worms, spyware, adware, and Trojans.
Network intrusion detection
An Intrusion Detection System (IDS) monitors network and system traffic for unusual or suspicious activity and notifies the administrator if a potential threat is detected.
Packet sniffers
A packet sniffer, also called a packet analyzer, protocol analyzer or network analyzer, is used to intercept, log, and analyze network traffic and data.
Firewall tools
Monitor incoming and outgoing network traffic and permit or block data packets based on security rules.
Detection and Response Platforms
Detection and response services analyze and proactively detect and eventually eliminate cyber threats. Alerts are investigated to determine if any action is required.
As I pointed out in a previous blog, enterprise organizations have deployed over 130 security tools. Here's a look at the current technology security teams use or plan to invest in.
What's even crazier is this stat: CyberDB claims to have more than 3,500 cybersecurity vendors listed in the United States alone. So, how are security professionals supposed to keep up with the latest trends or innovations in technology?
Thankfully, we live in the digital age where information is just a click away. I typically start my day by reading news websites and blogs from security experts and check the twitter. You can also attend webinars and conferences or communicate directly with someone well-versed in the field.
Get Social
Social media networks are excellent sources for finding new content. (Shameless plug, make sure you're following us on LinkedIn and Twitter)
Twitter is particularly useful if you know what hashtags to search for or who to follow. You can see discussions in real-time to get yourself into the conversation; create feed lists to weed out the noise by specifying what security vendors, influencers, and developers you |
Tool Vulnerability Threat | ★★★★★ | |
 |
2022-05-25 21:15:08 | CVE-2022-29251 (lien direct) | XWiki Platform Flamingo Theme UI is a tool that allows customization and preview of any Flamingo-based skin. Starting with versions 6.2.4 and 6.3-rc-1, a possible cross-site scripting vector is present in the `FlamingoThemesCode.WebHomeSheet` wiki page related to the "newThemeName" form field. The issue is patched in versions 12.10.11, 14.0-rc-1, 13.4.7, and 13.10.3. The easiest available workaround is to edit the wiki page `FlamingoThemesCode.WebHomeSheet` (with wiki editor) according to the suggestion provided in the GitHub Security Advisory. | Tool | ||
|
2022-05-25 18:00:46 | How to back up a database with Borgmatic (lien direct) | >Jack Wallen shows you how to configure the Borgmatic tool to back up your databases with ease. | Tool | ||
|
2022-05-25 15:52:23 | How to install the Apache Druid real-time analytics database on Ubuntu-based Linux distributions (lien direct) | >If you're looking for a real-time data analytics platform, Jack Wallen thinks Apache Druid is hard to beat. Find out how to get this tool up and running and then how to load sample data. | Tool | ||
|
2022-05-25 15:30:13 | RapidMiner vs Alteryx: Compare data science software (lien direct) | >RapidMiner and Alteryx are tools that offer unique capabilities to help users with their data processing. | Tool | ||
|
2022-05-24 21:34:37 | KNIME vs Alteryx: Data science software comparison (lien direct) | >KNIME and Alteryx are top data science tools with ETL capabilities that can help with the challenge of working with a high data volumes. Compare the features to see which software is best for your business. | Tool | ||
|
2022-05-24 19:15:09 | CVE-2022-22977 (lien direct) | VMware Tools for Windows(12.0.0, 11.x.y and 10.x.y) contains an XML External Entity (XXE) vulnerability. A malicious actor with non-administrative local user privileges in the Windows guest OS, where VMware Tools is installed, may exploit this issue leading to a denial-of-service condition or unintended information disclosure. | Tool Guideline | ||
|
2022-05-24 18:31:10 | TIBCO vs MuleSoft: Data science software comparison (lien direct) | >Compare the features of TIBCO and MuleSoft, which are software tools that help users build and maintain their data pipelines. | Tool | ★★★★ | |
|
2022-05-24 17:29:00 | Anomali Cyber Watch: Conti\'s Talent Goes to Other Ransom Groups, China-Based Espionage Targets Russia, XorDdos Stealthy Linux Trojan is on the Rise, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Botnets, Conti Ransomware, Disinformation, Internet of things, Phishing, VMware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
VMware Vulnerabilities Exploited in the Wild (CVE-2022-22954 and Others)
(published: May 20, 2022)
In April 2022, VMware publicly revealed several vulnerabilities affecting its products, and by May 2022 Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to mitigate two of the VMware vulnerabilities (CVE-2022-22954 and CVE-2022-22960). CVE-2022-22954 is a remote code execution (RCE) vulnerability using server-side template injection to target VMware Workspace ONE Access and Identity Manager. It can be easily exploited with a single HTTP request to a vulnerable device and was seen delivering various payloads including coinminers, Perl Shellbots, Scanning/Callbacks, and Webshells. CVE-2022-22954 is also being exploited to drop variants of the Mirai/Gafgyt, and in the case of the observed Enemybot variant, final payloads themselves embed CVE-2022-22954 exploits for further exploitation and propagation.
Analyst Comment: Update impacted VMware products to the latest version or remove impacted versions from organizational networks. If a compromise is detected, immediately isolate affected systems, collect relevant logs and artifacts, and consider incident response services.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Resource Hijacking - T1496 | [MITRE ATT&CK] Network Denial of Service - T1498
Tags: VMware, Perl Shellbot, Stealth Shellbot, Godzilla Webshell, Gafgyt, Mirai, XMRig, Coinminer, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960, CVE-2017-17215, CVE-2022-22961, CVE-2022-22954, CVE-2022-22955, CVE-2022-22956, CVE-2022-22957, CVE-2022-22973, CVE-2022-22972, Linux, Server-side template injection, RCE
DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape
(published: May 20, 2022)
Advanced Intel researchers report that Conti ransomware group (Wizard Spider) is in the long-planned process of discontinuing its brand and has turned off its infrastructure including their negotiations service site and the admin panel of the Conti official website. The attack on Costa Rica was intentionally causing publicity |
Ransomware Malware Tool Vulnerability Threat | ||
|
2022-05-24 15:00:58 | You can now combine Power Virtual Agents and the Azure Bot Framework Composer (lien direct) | >New tools make it easy for low code users and pro code developers to work together on a project and take the Power Platform to the next level. | Tool | ||
 |
2022-05-24 13:59:51 | LimaCharlie Banks $5.45 Million in Seed Funding (lien direct) | LimaCharlie, a California company supplying tools to run an MSSP or SOC on a pay-as-you-use model, has attracted $5.45 million in seed round financing. | Tool | ||
|
2022-05-24 13:29:37 | Meet BlackByte Ransomware (lien direct) | FortiGuard Labs is aware of a relatively new ransomware family "BlackByte" is in the wild, infecting organizations around the globe. BlackByte was first observed as early as July 2021. In February 2022, the Federal Bureau of Investigation (FBI) and the U.S. Secret Service (USSS) issued a joint advisory that "multiple US and foreign businesses, including entities in at least three US critical infrastructure sectors (government facilities, financial, and food & agriculture) were targeted by BlackByte ransomware affiliates. In common with other ransomware, BlackByte encrypts and steals files on the compromised machines, and demands ransom from the victim to recover the files and not to leak the stolen information to the public.Why is this Significant?This is significant as the BlackByte ransomware family reportedly compromised organizations around the globe including multiple US and foreign businesses and US critical infrastructure sectors. Also, ProxyShell, an exploit attack chain involving three vulnerabilities in Microsoft Exchange Server, widely used in enterprise email application, were reported to have been used as an infection vector. Microsoft issued patches for ProxyShell in May and July 2021. BlackByte ransomware infection may indicate that some organizations have not yet applied those fixes or workaround.FortiGuard Labs previously published multiple Threat Signals on ProxyShell. See the Appendix section for links to New Threat Actor Leverages ProxyShell Exploit to Serve RansomwareVulnerable Microsoft Exchange Servers Actively Scanned for ProxyShellBrand New LockFile Ransomware Distributed Through ProxyShell and PetitPotamWhat is BlackByte?BlackByte is a ransomware-as-a-service (RaaS), which runs a business of leasing necessary ransomware services to its affiliates. Such ransomware services including developing ransomware, creating and maintaining necessary infrastructures (i.e., ransom payment portal), ransom negotiation with victims as well as provides support service to the affiliates. Attacks are typically carried out by BlackByte affiliates, who rent and use those services. Once a victim is compromised and ransom is paid, BlackByte developers take a portion of the ransom as a service fee.How does the Attack Work?Typically attacks that deliver ransomware arrive in emails, however the join advisory reported that BlackByte threat actors, in some case, exploited known Microsoft Exchange Server vulnerabilities including ProxyShell to gain access to the victim's network. Once the attacker gains a foothold in the victim's network, the attacker deploys tools such as oft-abused Cobalt Strike to move laterally across the network and escalate privileges before exfiltrating and encrypting files. Some BlackByte ransomware variants may have worm functionality, which allows itself to self-propagate through the victim's network.Files that are encrypted by BlackByte ransomware typically have a ".blackbyte" file extension.BlackByte ransomware reportedly avoids encrypting files if the ransomware detects compromised systems that use Russian and ex-USSR languages.What is ProxyShell?ProxyShell is a name for a Microsoft Exchange Server exploit chain (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) that allows an attacker to bypass ACL controls, elevate privileges and execute remote code on the compromised system.What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against currently available Indicator-of-Compromises (IOCs) associated with BlackByte ransomware:RTF/BlackByte.DC56!tr.ransomW64/BlackByte.DC56!tr.ransomW32/Agent.CH!trW32/CobaltStrike.NV!trJS/Agent.49CC!trW32/PossibleThreatFortiGuard Labs provides the following IPS coverage against three vulnerabilities that are leveraged in ProxyShell:MS.Exchange.Server.CVE-2021-34473.Remote.Code.Execution (CVE-2021-34473)MS.Exchange.Server.Common.Access.Token.Privilege.Elevation (CVE-2021-34523)MS.Exchange.MailboxExportRequest.Arbitrary.File.Write (CVE-2021-31207)FortiEDR detects and blocks ProxyShell attacks out of the box without any prior knowledge | Ransomware Tool Threat | ||
 |
2022-05-23 13:35:52 | Attacker Scanning for jQuery-File-Upload, (Mon, May 23rd) (lien direct) | Recently, I noticed some requests hitting our honeypots that appear to attempt to exploit jQuery-File-Upload. jQuery-File-Upload is a popular tool for implementing file uploads. It has been around for a while and has had a few vulnerabilities in the past, but nothing recent as far as I can tell [1]. Allowing users to upload files securely is tricky. And jQuery-File-Upload is tempting faith by allowing uploads into the document root. The walk-through by Kristian Bremberg explaining past jQuery-File-Upload vulnerabilities is an excellent summary of all the things that can go wrong [2]. | Tool | ||
|
2022-05-21 00:15:11 | CVE-2022-29216 (lien direct) | TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, TensorFlow's `saved_model_cli` tool is vulnerable to a code injection. This can be used to open a reverse shell. This code path was maintained for compatibility reasons as the maintainers had several test cases where numpy expressions were used as arguments. However, given that the tool is always run manually, the impact of this is still not severe. The maintainers have now removed the `safe=False` argument, so all parsing is done without calling `eval`. The patch is available in versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4. | Tool | ||
|
2022-05-20 22:18:07 | Jenkins vs GitLab: DevOps software comparison (lien direct) | >Jenkins and GitLab are popular tools for continuous integration and continuous development, but which software is right for you? Learn how features of these DevOps tools compare. | Tool | ||
|
2022-05-20 21:15:10 | CVE-2022-29186 (lien direct) | Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Rundeck community and rundeck-enterprise docker images contained a pre-generated SSH keypair. If the id_rsa.pub public key of the keypair was copied to authorized_keys files on remote host, those hosts would allow access to anyone with the exposed private credentials. This misconfiguration only impacts Rundeck Docker instances of PagerDuty® Process Automation On Prem (formerly Rundeck) version 4.0 and earlier, not Debian, RPM or .WAR. Additionally, the id_rsa.pub file would have to be copied from the Docker image filesystem contents without overwriting it and used to configure SSH access on a host. A patch on Rundeck's `main` branch has removed the pre-generated SSH key pair, but it does not remove exposed keys that have been configured. To patch, users must run a script on hosts in their environment to search for exposed keys and rotate them. Two workarounds are available: Do not use any pre-existing public key file from the rundeck docker images to allow SSH access by adding it to authorized_keys files and, if you have copied the public key file included in the docker image, remove it from any authorized_keys files. | Tool | ★★ | |
|
2022-05-20 16:15:09 | CVE-2022-29159 (lien direct) | Nextcloud Deck is a Kanban-style project & personal management tool for Nextcloud. In versions prior to 1.4.8, 1.5.6, and 1.6.1, an authenticated user can move stacks with cards from their own board to a board of another user. The Nextcloud Deck app contains a patch for this issue in versions 1.4.8, 1.5.6, and 1.6.1. There are no known currently-known workarounds available. | Tool | ||
|
2022-05-20 16:15:09 | CVE-2022-24906 (lien direct) | Nextcloud Deck is a Kanban-style project & personal management tool for Nextcloud, similar to Trello. The full path of the application is exposed to unauthorized users. It is recommended that the Nextcloud Deck app is upgraded to 1.2.11, 1.4.6, or 1.5.4. There is no workaround available. | Tool | ||
|
2022-05-20 15:15:10 | CVE-2022-29165 (lien direct) | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A critical vulnerability has been discovered in Argo CD starting with version 1.4.0 and prior to versions 2.1.15, 2.2.9, and 2.3.4 which would allow unauthenticated users to impersonate as any Argo CD user or role, including the `admin` user, by sending a specifically crafted JSON Web Token (JWT) along with the request. In order for this vulnerability to be exploited, anonymous access to the Argo CD instance must have been enabled. In a default Argo CD installation, anonymous access is disabled. The vulnerability can be exploited to impersonate as any user or role, including the built-in `admin` account regardless of whether it is enabled or disabled. Also, the attacker does not need an account on the Argo CD instance in order to exploit this. If anonymous access to the instance is enabled, an attacker can escalate their privileges, effectively allowing them to gain the same privileges on the cluster as the Argo CD instance, which is cluster admin in a default installation. This will allow the attacker to create, manipulate and delete any resource on the cluster. They may also exfiltrate data by deploying malicious workloads with elevated privileges, thus bypassing any redaction of sensitive data otherwise enforced by the Argo CD API. A patch for this vulnerability has been released in Argo CD versions 2.3.4, 2.2.9, and 2.1.15. As a workaround, one may disable anonymous access, but upgrading to a patched version is preferable. | Tool Vulnerability | Uber | |
|
2022-05-20 14:15:09 | CVE-2022-24905 (lien direct) | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A vulnerability was found in Argo CD prior to versions 2.3.4, 2.2.9, and 2.1.15 that allows an attacker to spoof error messages on the login screen when single sign on (SSO) is enabled. In order to exploit this vulnerability, an attacker would have to trick the victim to visit a specially crafted URL which contains the message to be displayed. As far as the research of the Argo CD team concluded, it is not possible to specify any active content (e.g. Javascript) or other HTML fragments (e.g. clickable links) in the spoofed message. A patch for this vulnerability has been released in Argo CD versions 2.3.4, 2.2.9, and 2.1.15. There are currently no known workarounds. | Tool Vulnerability | Uber | |
|
2022-05-20 14:15:09 | CVE-2022-24904 (lien direct) | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 0.7.0 and prior to versions 2.1.15m 2.2.9, and 2.3.4 is vulnerable to a symlink following bug allowing a malicious user with repository write access to leak sensitive files from Argo CD's repo-server. A malicious Argo CD user with write access for a repository which is (or may be) used in a directory-type Application may commit a symlink which points to an out-of-bounds file. Sensitive files which could be leaked include manifest files from other Applications' source repositories (potentially decrypted files, if you are using a decryption plugin) or any JSON-formatted secrets which have been mounted as files on the repo-server. A patch for this vulnerability has been released in Argo CD versions 2.3.4, 2.2.9, and 2.1.15. Users of versions 2.3.0 or above who do not have any Jsonnet/directory-type Applications may disable the Jsonnet/directory config management tool as a workaround. | Tool Vulnerability | Uber | |
|
2022-05-19 20:56:32 | Visio: From a simple IT tool to the universal business diagram app it was always meant to be (lien direct) | >Everyone using Microsoft 365 now gets access to Visio, but what can you do with it – and which diagramming features do you still have to pay more for? | Tool | ||
 |
2022-05-19 00:00:00 | Cyber risk management: Attribution strategies (lien direct) | Discover the importance of cyber attribution, the benefits, and the right tools to assist your efforts so you can better manage cyber risk across your digital attack surface. | Tool | ||
|
2022-05-18 20:04:37 | Microsoft warns of attacks targeting MSSQL servers using the tool sqlps (lien direct) | >Microsoft warns of brute-forcing attacks targeting Microsoft SQL Server (MSSQL) database servers exposed online. Microsoft warns of a new hacking campaign aimed at MSSQL servers, threat actors are launching brute-forcing attacks against poorly protected instances. The attacks are using the legitimate tool sqlps.exe, a sort of SQL Server PowerShell file, as a LOLBin (short for living-off-the-land binary). Microsoft warned of […] | Tool Threat | ||
|
2022-05-18 17:16:21 | How storytelling can make you a more effective presenter (lien direct) | >Our natural human instinct for sharing and hearing stories can be a highly effective tool for presenting information of all sorts. | Tool | ||
 |
2022-05-18 15:41:53 | Hacking the Microsoft Sculpt keyboard (lien direct) |  In its infinite wisdom, Microsoft designed data encryption into the Sculpt wireless keyboard set to protect against wireless eavesdropping and other attacks. The keyboard allegedly* uses AES for symmetric encryption with a secret key burnt into the chips in the keyboard's very low power radio transmitter and the matching USB dongle receiver during manufacture: they are permanently paired together. The matching Sculpt mouse and Sculpt numeric keypad use the same dongle and both are presumably keyed and paired in the same way as the keyboard.This design is more secure but less convenient than, say, Bluetooth pairing. The risk of hackers intercepting and successfully decoding my keypresses wirelessly is effectively zero. Nice! Unfortunately, the keyboard, keypad and mouse are all utterly dependent on the corresponding USB dongle, creating an availability issue. Being RF-based, RF jamming would be another availability threat. Furthermore, I'm still vulnerable to upstream and downstream hacking - upstream meaning someone coercing or fooling me into particular activities such as typing-in specific character sequences (perhaps cribs for cryptanalysis), and downstream including phishers, keyloggers and other malware with access to the decrypted key codes etc.So yesterday, after many, many happy hours of use, my Sculpt's unreliable Ctrl key and worn-out wrist rest finally got to me. I found another good-as-new Sculpt keyboard in the junkpile, but it was missing its critical USB dongle. The solution was to open up both keyboards and swap the coded transmitter from the old to the new keyboard - a simple 20 minute hardware hack.In case I ever need to do it again, or for anyone else in the same situation, here are the detailed instructions:Assemble the tools required: a small cross-head screwdriver; a stainless steel dental pick or small flat-head screwdriver; a plastic spudger or larger flat-head screwdriver (optional); a strong magnet (optional). Start with the old keyboard. Peel off the 5 rubber feet under the keyboard, revealing 5 small screws. Set the feet aside to reapply later.Remove all 5 screws. Note: the 3 screws under the wrist rest are slightly longer than the others, so keep them separate.Carefully ease the wrist rest away from the base. It is a 'snap-fit' piece. I found I could lever it off using my thumbs at the left or right sides, then gradually work around the edge releasing it. You may prefer to use the spudger. It will flex a fair bit but it is surprisingly strong.Under the wrist rest are anot |
Malware Tool | ||
|
2022-05-18 15:15:10 | CVE-2022-29518 (lien direct) | Screen Creator Advance2, HMI GC-A2 series, and Real time remote monitoring and control tool Screen Creator Advance2 versions prior to Ver.0.1.1.3 Build01, HMI GC-A2 series(GC-A22W-CW, GC-A24W-C(W), GC-A26W-C(W), GC-A24, GC-A24-M, GC-A25, GC-A26, and GC-A26-J2), and Real time remote monitoring and control tool(Remote GC) allows a local attacker to bypass authentication due to the improper check for the Remote control setting's account names. This may allow attacker who can access the HMI from Real time remote monitoring and control tool may perform arbitrary operations on the HMI. As a result, the information stored in the HMI may be disclosed, deleted or altered, and/or the equipment may be illegally operated via the HMI. | Tool |
To see everything:
Our RSS (filtrered)
