What's new around the internet


Source | Date (GMT) | Title | Description | Tags / Stories / Notes

Source: RedTeam.pl
Date (GMT): 2020-08-24 15:33:59
Title: Stealing local files using Safari Web Share API (direct link)
Description: In general, the Web Share API [https://w3c.github.io/web-share/] allows users to share links from the browser via 3rd party applications (e.g. mail and messaging apps). The problem is that the file: scheme is allowed, and when a website points to such a URL unexpected behavior occurs. If such a link is passed to the navigator.share function, an actual file from the user's file system is included in the shared message, which leads to local file disclosure when a user shares it unknowingly. The problem is not very serious as user interaction is required; however, it is quite easy to make the shared file invisible to the user. The closest comparison that comes to mind is clickjacking, as we try to convince the unsuspecting user to perform some action. Below are the steps to reproduce the issue: 1. Visit https://overflow.pl/webshare/poc1.html using
Tags / Stories / Notes: Guideline

Source: RedTeam.pl
Date (GMT): 2020-08-18 17:13:54
Title: Rocket.Chat Cross-Site Scripting leading to Remote Code Execution CVE-2020-15926 (direct link)
Description: Product description: Rocket.Chat [https://rocket.chat] is an open source multiplatform messaging application similar to Slack. It is available as a self-hosted solution or in a SaaS model. Rocket.Chat can be used via a web browser, iOS, Android or Electron based clients available for Windows, Linux and MacOS. Affected software: The following application versions are vulnerable: Rocket.Chat
Tags / Stories / Notes: Vulnerability Guideline

Source: RedTeam.pl
Date (GMT): 2020-06-18 22:10:28
Title: Spear-phishing campaign tricks users to transfer money (TTPs & IOC) (direct link)
Description: We are publishing the following information in order to help organisations identify this threat before attackers perform successful phishing against their employees. Attackers are targeting companies which have foreign trading partners, i.a. in Asia, to perform a wire transfer to a wrong bank account number. We found that domains registered using the muhammad.appleseed1@mail.ru e-mail address are actively used in a spear phishing campaign that aims to trick targets into transferring money into bank accounts controlled by the attacker using social engineering. The most likely attack scenario looks like the following: There is an ongoing e-mail communication between company X and Y. An attacker has gained access to an e-mail account of one of the parties
Tags / Stories / Notes: Threat Guideline APT 15

Source: RedTeam.pl
Date (GMT): 2019-10-18 13:25:14
Title: Bypassing LLMNR/NBT-NS honeypot (direct link)
Description: Abstract: MITRE ATT&CK™ [https://attack.mitre.org/] "is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations" which recommends the Conveigh honeypot [https://github.com/Kevin-Robertson/Conveigh] for detection of the LLMNR/NBT-NS Poisoning and Relay
Tags / Stories / Notes: Threat Guideline Deloitte ★★

Source: RedTeam.pl
Date (GMT): 2019-08-14 21:45:48
Title: Threat hunting using DNS firewalls and data enrichment (direct link)
Description: After seeing a few advertisements about DNS firewalls and how expensive they are, I want to share my experience with blue teamers about how DNS firewalls work and how that knowledge can be used for in-house threat hunting solutions and/or building your own DNS firewall (aka do it yourself). These are examples of an approach to detect malicious behaviour, not tailor-made solutions. At the beginning I would like to highlight that it's good practice to monitor not only logs but also DNS traffic in real time. Such traffic isn't encrypted, and if you only check DNS server logs you can miss direct requests to other DNS servers. Additionally, you can also use the recently published version of Sysmon [https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon], which supports DNS queries in event ID 22 (DNSEvent). The DNS queries used below that end with
Tags / Stories / Notes: Spam Malware Threat Guideline APT 18

Source: RedTeam.pl
Date (GMT): 2019-07-23 13:14:10
Title: Sinkholing BadWPAD infrastructure - wpad.pl / wpadblocking.com case (part 4) (direct link)
Description: Introduction: We started research related to the BadWPAD attack (WPAD Name Collision Vulnerability [https://www.us-cert.gov/ncas/alerts/TA16-144A]), which was mainly focused on the wpadblocking.com project because it targeted millions of computers [https://blog.redteam.pl/2019/05/badwpad-dns-suffix-wpad-wpadblocking-com.html] for over the last 10 years (!). In the second publication we made a deeper analysis of the WPAD file [https://blog.redteam.pl/2019/05/badwpad-and-wpad-pl-wpadblocking-com.html] to prove that it had ad
Tags / Stories / Notes: Guideline
Last update at: 2024-07-01 03:08:00