End-of-Day report
Timeframe: Monday 29-07-2024 18:00 - Tuesday 30-07-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
News
New Specula tool uses Outlook for remote code execution in Windows
Microsoft Outlook can be turned into a C2 beacon to remotely execute code, as demonstrated by a new red team post-exploitation framework named "Specula," released today by cybersecurity firm TrustedSec.
https://www.bleepingcomputer.com/news/security/new-specula-tool-uses-outlook-for-remote-code-execution-in-windows/
DigiCert mass-revoking TLS certificates due to domain validation bug
DigiCert is warning that it will be mass-revoking SSL/TLS certificates due to a bug in how the company verified if a customer owned or operated a domain and requires impacted customers to reissue certificates within 24 hours.
https://www.bleepingcomputer.com/news/security/digicert-mass-revoking-tls-certificates-due-to-domain-validation-bug/
Post-CrowdStrike, Microsoft to discourage use of kernel drivers by security tools
Microsoft has vowed to reduce cybersecurity vendors' reliance on kernel-mode code, which was at the heart of the CrowdStrike super-snafu this month.
https://www.theregister.com/2024/07/29/microsoft_crowdstrike_kernel_mode/
Beware of sudden inheritances
An unknown person contacts you by e-mail or via social networks. They introduce themselves, for example, as the "Governor of the Bank of Thailand" and claim that you are about to inherit a large sum of money. To appear credible, the person sends copies of identity documents, certificates and AI-generated video messages as proof. Ignore such messages; they are fraud!
https://www.watchlist-internet.at/news/vorsicht-vor-ploetzlichen-erbschaften/
Deep Sea Phishing Pt. 2
I wanted to write this blog about several good techniques for endpoint detection and response (EDR) evasion; however, as I was writing about how to evade EDRs, I was hit with an epiphany: "EDR evasion is all about looking like legitimate software" - ph3eds, 2024
https://posts.specterops.io/deep-sea-phishing-pt-2-29c48f1e214e?source=rssf05f8696e3cc4
Breaking Barriers and Assumptions: Techniques for Privilege Escalation on Windows: Part 1
In this blog series, we will discuss two additional techniques that take advantage of legacy functionality within Windows and provide various examples through the over 20 vulnerabilities that we found. We will also address some failures despite efforts and explanations from our side with various vendors.
https://www.thezdi.com/blog/2024/7/29/breaking-barriers-and-assumptions-techniques-for-privilege-escalation-on-windows-part-1
Hacker Scrapes and Publishes 100,000-Line CrowdStrike IoC List
USDoD hacker scrapes and leaks a 100,000-line Indicator of Compromise (IoC) list from CrowdStrike, revealing detailed threat intelligence data. The leak, posted on Breach Forums, includes critical insights into the Mispadu malware and SAMBASPIDER threat actor.
https://hackread.com/hacker-scrapes-publishes-crowdstrike-ioc-list/
Don't RegreSSH: An Anti-Pavlovian Approach to Celebrity Vulns
Before CrowdStrike caused the world to melt down for a few days, the talk of the security town was a recent OpenSSH vulnerability. Let's revisit CVE-2024-6387.
https://www.bitsight.com/blog/dont-regressh-anti-pavlovian-approach-celebrity-vulns
Vulnerabilities
Critical vulnerability in VMware ESXi - actively exploited - update available
Security researchers at Microsoft have discovered a critical vulnerability in VMware ESXi whose exploitation allows attackers to take full control of an affected hypervisor. The vulnerability is already being actively exploited in ransomware attacks. CVE number(s): CVE-2024-37085
https://www.cert.at/de/warnungen/2024/7/kritische-sicherheitslucke-in-vmware-esxi-aktiv-ausgenutzt-update-verfugbar
Security updates for Tuesday
Security updates have been issued by Fedora (curl), Mageia (virtualbox), Oracle (squid), Red Hat (kernel), SUSE (apache2, bind, cdi-apiserver-container, cdi-cloner-container, cdi-controller-container, cdi-importer-container, cdi-operator-container, cdi-uploadproxy-container, cdi-uploadserver-container, devscripts, espeak-ng, freerdp, ghostscript, gnome-shell, gtk2, gtk3, java-11-openjdk, java-17-openjdk, kubevirt, libgit2, openssl-3, orc, p7zip, python-dnspython, and shadow), and Ubuntu (kernel, linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-gcp, linux-gke, linux-ibm, linux-nvidia, linux-oem-6.8, linux-raspi, linux, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-raspi, linux-xilinx-zynqmp, linux-aws, linux-aws-5.4, linux-aws-5.15, linux-ibm, linux-ibm-5.15, linux-raspi, linux-gcp-5.15, and linux-lowlatency).
https://lwn.net/Articles/983935/
WordPress Vulnerability & Patch Roundup July 2024
https://blog.sucuri.net/2024/07/wordpress-vulnerability-patch-roundup-july-2024.html
ManageEngine (Exchange Reporter Plus, Exchange Reporter Plus) Family July 2024 Security Update Advisory
https://asec.ahnlab.com/en/80826/