www.secnews.physaphae.fr
This is the RSS 2.0 feed from www.secnews.physaphae.fr. It is a simple aggregated flow of multiple article sources. The list of sources can be found on www.secnews.physaphae.fr.
Feed date: 2024-05-20T04:51:52+00:00
Source: RedTeam PL - DarkTrace: AI bases detection

Stealing local files using Safari Web Share API
Date: 2020-08-24T15:33:59+00:00
Link: https://blog.redteam.pl/2020/08/stealing-local-files-using-safari-web.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=1879304
Tags: Guideline
Summary: The Web Share API [https://w3c.github.io/web-share/] allows users to share links from the browser via 3rd party applications (e.g. mail and messaging apps). The problem is that the file: scheme is allowed, and when a website points to such a URL unexpected behavior occurs. If such a link is passed to the navigator.share function, an actual file from the user's file system is included in the shared message, which leads to local file disclosure when the user shares it unknowingly. The problem is not very serious, as user interaction is required; however, it is quite easy to make the shared file invisible to the user. The closest comparison that comes to mind is clickjacking, as we try to convince the unsuspecting user to perform some action. Below are the steps to reproduce the issue: 1. Visit https://overflow.pl/webshare/poc1.html using

Rocket.Chat Cross-Site Scripting leading to Remote Code Execution CVE-2020-15926
Date: 2020-08-18T17:13:54+00:00
Link: https://blog.redteam.pl/2020/08/rocket-chat-xss-rce-cve-2020-15926.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=1869000
Tags: Vulnerability, Guideline
Summary: Rocket.Chat [https://rocket.chat] is an open source multiplatform messaging application similar to Slack. It is available as a self-hosted solution or in a SaaS model. Rocket.Chat can be used via a web browser, iOS, Android, or Electron based clients available for Windows, Linux and MacOS. Affected software: the following application versions are vulnerable: Rocket.Chat

BadWPAD and spear-phishing using Battle.net Desktop App
Date: 2020-07-10T14:59:09+00:00
Link: https://blog.redteam.pl/2020/07/badwpad-phishing-battle-net.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=1800548

Google Chrome fuzzing conclusion
Date: 2020-06-24T00:15:32+00:00
Link: https://blog.redteam.pl/2020/06/google-chrome-fuzzing-conclusion.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=1798878
Tags: Vulnerability
Summary: [...] [https://blog.redteam.pl/2019/12/chrome-portal-element-fuzzing.html] domato [https://github.com/googleprojectzero/domato] was used for test case generation because I wanted to start as soon as possible. Initially it was only about the portal element. However, various other features were added to the fuzzing grammar over time, with some of them providing good results as well. Results

Spear-phishing campaign tricks users to transfer money (TTPs & IOC)
Date: 2020-06-18T22:10:28+00:00
Link: https://blog.redteam.pl/2020/06/spear-phishing-muhammad-appleseed1-mail-ru.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=1798879
Tags: Threat, Guideline, APT 15

Black Kingdom ransomware (TTPs & IOC)
Date: 2020-06-12T21:35:46+00:00
Link: https://blog.redteam.pl/2020/06/black-kingdom-ransomware.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=1798880
Tags: Ransomware, Vulnerability, Threat
Summary: [...] CVE-2019-11510 [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510]. For persistence they use a scheduled task [https://attack.mitre.org/techniques/T1053/]. The task name is GoogleUpdateTaskMachineUSA, which resembles a legitimate task of

Kinsing cryptocurrency mining malware (TTPs & IOC)
Date: 2020-06-03T13:55:20+00:00
Link: https://blog.redteam.pl/2020/06/kinsing-malware-liferay.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=1798881
Tags: Malware, Vulnerability
Summary: [...] CVE-2020-7961 [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7961]. There is a publicly available PoC on GitHub [https://github.com/mzer0one/CVE-2020-7961-POC/blob/master/poc.py] for this vulnerability, which matched most artifacts we found on the targeted system. Attackers are sending the payload using an HTTP POST request: POST /api/jsonws/invoke

Sodinokibi / REvil / Maze ransomware (TTPs & IOC)
Date: 2020-05-20T13:43:15+00:00
Link: https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=1798882
Tags: Ransomware, Vulnerability

Google Chrome display locking fuzzing
Date: 2020-04-14T11:45:32+00:00
Link: https://blog.redteam.pl/2020/04/google-chrome-display-locking-fuzzing.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=1798883
Tags: Vulnerability
Summary: [...] [https://www.chromestatus.com/feature/4613920211861504]. In general it is related to rendering optimization, so it caught my attention as something that affects how the web page layout is displayed. Functionalities like this should always attract attention as a potential source of vulnerabilities. Currently display locking is hidden behind a flag (#enable-display-locking). Setup: I used the same setup already described in my previous blog post about fuzzing the portal element [

DNS for red team purposes
Date: 2020-03-18T17:56:30+00:00
Link: https://blog.redteam.pl/2020/03/dns-c2-rebinding-fast-flux.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=1798884
Tags: Malware, Threat

Network data manipulation on the fly
Date: 2020-02-04T18:49:09+00:00
Link: https://blog.redteam.pl/2020/02/network-data-manipulation-on-fly.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=1798885
Tags: Tool

Deceiving blue teams using anti-forensic techniques
Date: 2020-01-09T19:05:39+00:00
Link: https://blog.redteam.pl/2020/01/deceiving-blue-teams-anti-forensic.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=1798886

Google Chrome portal element fuzzing
Date: 2019-12-06T20:29:30+00:00
Link: https://blog.redteam.pl/2019/12/chrome-portal-element-fuzzing.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=1798887
Summary: [...] [https://twitter.com/SecurityMB/status/1127963181089992705]. The description of the new portal element certainly grabbed my attention as something that may have an impact on security. You can learn more about the portal element here [https://web.dev/hands-on-portals] and here [https://wicg.github.io/portals/]. At the moment of writing this article the portal element is still behind a flag (#enable-portals); however, it is available in the Google Chrome

Bypassing LLMNR/NBT-NS honeypot
Date: 2019-10-18T13:25:14+00:00
Link: https://blog.redteam.pl/2019/10/bypassing-llmnr-nbns-honeypot.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=1798888
Tags: Threat, Guideline, Deloitte
Summary: MITRE ATT&CK [https://attack.mitre.org/] "is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations", which recommends the Conveigh honeypot [https://github.com/Kevin-Robertson/Conveigh] for detection of the LLMNR/NBT-NS Poisoning and Relay

Internal domain name collision
Date: 2019-10-06T23:12:03+00:00
Link: https://blog.redteam.pl/2019/10/internal-domain-name-collision-dns.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=1798889
Tags: APT 32
Summary: [...] [https://data.iana.org/TLD/tlds-alpha-by-domain.txt], especially those owned by the DONUTS company [https://donuts.domains/great-domains/domain-categories/]. The most problematic TLDs which could be used in attacks are, inter alia: network

CVE-2019-10677 Multiple Cross-Site Scripting (XSS) in the web interface of DASAN Zhone ZNID
Date: 2019-09-05T19:27:02+00:00
Link: https://blog.redteam.pl/2019/09/cve-2019-10677-dasan-zhone-znid.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=1798890
Tags: Vulnerability
Summary: [...] [https://redteam.pl/poc/dasan-zhone-znid-gpon-2426a-eu.html, https://www.exploit-db.com/exploits/47351]. The vulnerabilities were registered under CVE-2019-10677 [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10677]. Multiple Cross-Site Scripting (XSS) in the web interface of DASAN Zhone ZNID allows a remote attacker to execute arbitrary JavaScript via manipulation of unsanitized GET parameters. This vulnerability affects all zNID models running the following firmware versions: all releases of 3.0.xxx SW (on 3.0 branch), release 3.1.349 and earlier (on 3.1 branch), release 3.2.087 and earlier (on 3.2 branch), release 4.1.253 and earlier (on 4.1 branch), release 5.0.019 and earlier (on 5.0 branch). You can find a short description of these issues and proof-of-concept code below. There is a limit on the characters passed from the user to variables in the application; when we pass 50*A and 50*B in the vulnerable GET parameters: http://admin:admin@192.168.1.1/wlsecrefresh.wl?wl_wsc_reg=

Threat hunting using DNS firewalls and data enrichment
Date: 2019-08-14T21:45:48+00:00
Link: https://blog.redteam.pl/2019/08/threat-hunting-dns-firewall.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=1798891
Tags: Spam, Malware, Threat, Guideline, APT 18
Summary: [...] Sysmon [https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon], which supports DNS queries in event ID 22 (DNSEvent). The DNS queries used below that end with

Sinkholing BadWPAD infrastructure - wpad.pl / wpadblocking.com case (part 4)
Date: 2019-07-23T13:14:10+00:00
Link: https://blog.redteam.pl/2019/05/sinkholing-badwpad-wpadblock-wpadblocking-com.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=1798892
Tags: Guideline
Summary: [...] [https://www.us-cert.gov/ncas/alerts/TA16-144A]), which was mainly focused on the wpadblocking.com project because it targeted millions of computers [https://blog.redteam.pl/2019/05/badwpad-dns-suffix-wpad-wpadblocking-com.html] over the last 10 years (!). In the second publication we made a deeper analysis of the WPAD file [https://blog.redteam.pl/2019/05/badwpad-and-wpad-pl-wpadblocking-com.html] to prove that it had ad