Internet Storm Centre Podcast

More Fake/Typosquatting Twitter Accounts Asking for Ukraine Cryptocurrency Donationshttps://isc.sans.edu/forums/diary/More+FakeTyposquatting+Twitter+Accounts+Asking+for+Ukraine+Crytocurrency+Donations/28492/ Mitigating Attacks Against Uninterruptible Power Supply Deviceshttps://www.cisa.gov/sites/default/files/publications/CISA-DOE_Insights-Mitigating_Vulnerabilities_Affecting_Uninterruptible_Power_Supply_Devices_Mar_29.pdf MFA Bypass Attackshttps://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html Google Advertises Mars Stealerhttps://blog.morphisec.com/threat-research-mars-stealer Hackers Gaining Power of Subpoena Via Fake “Emergency Data Requests”https://krebsonsecurity.com/2022/03/hackers-gaining-power-of-subpoena-via-fake-emergency-data-requests/

BGP Hijacking of Twitter Prefix by RTComm.ruhttps://isc.sans.edu/forums/diary/BGP+Hijacking+of+Twitter+Prefix+by+RTCommru/28488/ DDoS Against Sites in Ukrainehttps://www.bleepingcomputer.com/news/security/hacked-wordpress-sites-force-visitors-to-ddos-ukrainian-targets/ Sophos Patcheshttps://www.sophos.com/en-us/security-advisories/sophos-sa-20220325-sfos-rce Sonicwall Patcheshttps://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0003 opnsense CARP protocol routing errorhttps://medium.com/sensorfu/firewall-bypass-with-carp-in-packet-filter-c4ed70fb7dd7

XLSB Files Because Binary is Stealthier Than XMLhttps://isc.sans.edu/forums/diary/XLSB+Files+Because+Binary+is+Stealthier+Than+XML/28476/ Dirty Pipe Container Escape PoChttps://www.datadoghq.com/blog/engineering/dirty-pipe-container-escape-poc/ PHP filter_var Shenaniganshttps://pwning.systems/posts/php_filter_var_shenanigans/ OpenBSD slaacd vulnhttps://blog.quarkslab.com/heap-overflow-in-openbsds-slaacd-via-router-advertisement.html Google Chrome Updatehttps://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_25.html

Malware Delivered Through Free Sharing Toolhttps://isc.sans.edu/forums/diary/Malware+Delivered+Through+Free+Sharing+Tool/28474/ Western Digital PR4100 NAS Vulnerabiltyhttps://research.nccgroup.com/2022/03/24/remote-code-execution-on-western-digital-pr4100-nas-cve-2022-23121/ Crypto malware in patched wallets targeting Android and iOS deviceshttps://www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices/ Lapsus$ Arresthttps://www.bbc.com/news/technology-60864283https://www.bloomberg.com/news/articles/2022-03-23/teen-suspected-by-cyber-researchers-of-being-lapsus-mastermind?sref=ylv224K8 Four Russian Government Employees Charged in Two Historical Hacking Campaigns Targeting Critical Infrastructure Worldwidehttps://www.justice.gov/opa/pr/four-russian-government-employees-charged-two-historical-hacking-campaigns-targeting-critical

Mars Stealerhttps://isc.sans.edu/forums/diary/Arkei+Variants+From+Vidar+to+Mars+Stealer/28468/ Okta Updatehttps://www.okta.com/blog/2022/03/oktas-investigation-of-the-january-2022-compromise/ Microsoft Lapsus$ Updatehttps://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/ npm Attack Targeting Azure Developershttps://jfrog.com/blog/large-scale-npm-attack-targets-azure-developers-with-malicious-packages/

Statement by President Biden: What you need to do (or not do)https://isc.sans.edu/forums/diary/Statement+by+President+Biden+What+you+need+to+do+or+not+do/28466/ ASUS Cyclops Blink Advisoryhttps://www.asus.com/content/ASUS-Product-Security-Advisory/ HP Vulnerabilitieshttps://support.hp.com/us-en/document/ish_5948778-5949142-16/hpsbpi03780 Sophos UTM Updateshttps://www.sophos.com/en-us/security-advisories/sophos-sa-20220321-utm-9710 MacOS GIMMICK Malwarehttps://www.volexity.com/blog/2022/03/22/storm-cloud-on-the-horizon-gimmick-malware-strikes-at-macos/ Octa Breached By Lapsushttps://www.okta.com/blog/2022/03/updated-okta-statement-on-lapsus/https://twitter.com/BillDemirkapi/status/1506107157124722690

Maldoc Cleaned by Anti-Virushttps://isc.sans.edu/forums/diary/Maldoc+Cleaned+by+AntiVirus/28460/ Serpent, No Swiping! New Backdoor Targets French Entities with Unique Attack Chainhttps://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain IBM Spectrum Protect Updatehttps://www.ibm.com/support/pages/node/6564745 Lapsus$ May have Breached Microsofthttps://www.theregister.com/2022/03/21/microsoft_lapsus_breach_probe/ Statement by President Biden on our Nation’s Cybersecurityhttps://www.whitehouse.gov/briefing-room/statements-releases/2022/03/21/statement-by-president-biden-on-our-nations-cybersecurity/

Scans for Movable Type Vulnerability (CVE-2021-20837)https://isc.sans.edu/forums/diary/Scans+for+Movable+Type+Vulnerability+CVE202120837/28454/ SolarWinds Advisory: Unauahtneticated Access in Web Help Desk (12.7.5)https://isc.sans.edu/forums/diary/SolarWinds+Advisory+Unauthenticated+Access+in+Web+Help+Desk+1275/28456/ MGLNDD_* Scanshttps://isc.sans.edu/forums/diary/MGLNDD+Scans/28458/ CAPTCHA Phishinghttps://www.avanan.com/blog/using-captcha-forms-to-bypass-filters Browser in the Browser Templateshttps://mrd0x.com/browser-in-the-browser-phishing-attack/

npm Package Sabotaged for Belarus/Russian Usershttps://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability/ President Zelensky Deepfakeshttps://twitter.com/ngleicher/status/1504186935291506693 ATM Rootkithttps://www.mandiant.com/resources/unc2891-overview Scanner for Backdoored Mikrotik Routershttps://github.com/microsoft/routeros-scanner SANS.edu Student: Ron Grohman; Network Access Control and ICS: A Practical Guidehttps://www.sans.edu/cyber-research/network-access-control-and-ics-a-practical-guide/

Qakbot Infection With Cobalt Strike and VNC Activityhttps://isc.sans.edu/forums/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448/ Gh0stCringe RAT Being Distributed to Vulnerable Database Servershttps://asec.ahnlab.com/en/32572/ dompdf 0 dayhttps://positive.security/blog/dompdf-rce OpenSSL DoS Vulnerabilityhttps://www.openssl.org/news/secadv/20220315.txt

Clean Binaries with Suspicious Behaviourhttps://isc.sans.edu/forums/diary/Clean+Binaries+with+Suspicious+Behaviour/28444/ Misconfigured Multi-Factor Authentication Abusedhttps://www.cisa.gov/uscert/ncas/alerts/aa22-074a German Office of Information Security Warns Kaspersky Usershttps://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse2022/220315_Kaspersky-Warnung.html Caddy Wiper Targeting Ukrainehttps://www.welivesecurity.com/2022/03/15/caddywiper-new-wiper-malware-discovered-ukraine/ Fake Antivirus Targeting Ukrainehttps://twitter.com/malwrhunterteam/status/1502302718140035080 B1txor20 DNS Tunnel Backdoorhttps://blog.netlab.360.com/b1txor20-use-of-dns-tunneling_en/

Apple Updates Everythinghttps://isc.sans.edu/forums/diary/Apple+Updates+Everything+MacOS+123+XCode+133+tvOS+154+watchOS+85+iPadOS+154+and+more/28438/ Look Alike Accounts Used in Ukraine Dontation Scam Impersonating Olena Zelenskahttps://isc.sans.edu/forums/diary/Look+Alike+Accounts+Used+in+Ukraine+Donation+Scam+impersonating+Olena+Zelenska/28440/ Curl on Windowshttps://isc.sans.edu/forums/diary/Curl+on+Windows/28436/ Veeam Vulnerabilitieshttps://www.veeam.com/kb4288 Linux Netfilter Privilege Escalationhttps://nickgregory.me/linux/security/2022/03/12/cve-2022-25636/

Malware Using WebSockets For C&Chttps://isc.sans.edu/forums/diary/Keep+an+Eye+on+WebSockets/28430/ Racoon Stealer leverages Telegramhttps://decoded.avast.io/vladimirmartyanov/raccoon-stealer-trash-panda-abuses-telegram/ USAHERDS Hackhttps://www.wired.com/story/china-apt41-hacking-usaherds-log4j/ YARA 4.2.0 Releasedhttps://isc.sans.edu/forums/diary/YARA+420+Released/28432/

Credential Leaks on Virustotalhttps://isc.sans.edu/forums/diary/Credentials+Leaks+on+VirusTotal/28426/ GPS Issues Around Finish Rusian Borderhttps://www.straitstimes.com/world/europe/finland-detects-gps-disturbance-near-russias-kaliningrad Russia Considering Internal Certificate Authorityhttps://www.gosuslugi.ru/tlshttps://www.bleepingcomputer.com/news/security/russia-creates-its-own-tls-certificate-authority-to-bypass-sanctions/ New Spectre Varianthttps://www.vusec.net/projects/bhi-spectre-bhb/ Package Manager Vulnerabilities (yarn, pip, composer…)https://blog.sonarsource.com/securing-developer-tools-package-managers

Infostealer in a Batch Filehttps://isc.sans.edu/forums/diary/Infostealer+in+a+Batch+File/28422/ TP240PhoneHome reflection/amplification DDoS Attack Vectorhttps://blog.cloudflare.com/cve-2022-26143/ Malware Disguises as Pro Ukrainian Cybertoolshttps://blog.talosintelligence.com/2022/03/threat-advisory-cybercriminals.html#more Russian Government Sites Hacked in Supply Chain Attackhttps://www.bleepingcomputer.com/news/security/russian-government-sites-hacked-in-supply-chain-attack/ Third Party Vulnerabilities in RUGGEDCOM ROShttps://cert-portal.siemens.com/productcert/pdf/ssa-256353.pdf Adobe Bulletinshttps://helpx.adobe.com/security/security-bulletin.html

Microsoft Patch Tuesdayhttps://isc.sans.edu/forums/diary/Microsoft+March+2022+Patch+Tuesday/28418/ Critical APC UPS Vulnerabilityhttps://www.armis.com/research/tlstorm/ Vulnerabilities in Firmware Affecting HP Deviceshttps://www.binarly.io/news/BinarlyDiscovers16NewHighImpactVulnerabilitiesinFirmwareAffectingHPEnterpriseDevices/index.html

Ukraine Scam Followuphttps://isc.sans.edu/forums/diary/No+Bitcoin+No+Problem+Follow+Up+to+Last+Weeks+Donation+Scam/28412/ Dirty Pipe Linux Vulnerabilityhttps://dirtypipe.cm4all.com Mozilla Firefox and Thunderbird Vulnerabilityhttps://www.mozilla.org/en-US/security/advisories/mfsa2022-09/ Azure AutoWarphttps://orca.security/resources/blog/autowarp-microsoft-azure-automation-service-vulnerability/ Terramaster TOS Vulnerabilityhttps://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation/https://forum.terra-master.com/en/viewtopic.php?f=28&t=3030

Ukraine Dontation Scamhttps://isc.sans.edu/forums/diary/Scam+EMail+Impersonating+Red+Cross/28404/ Cogent Disconnects Russiahttps://www.washingtonpost.com/technology/2022/03/04/russia-ukraine-internet-cogent-cutoff/ Russia DDoS Listshttps://safe-surf.ru/upload/ALRT/proxies.txthttps://safe-surf.ru/upload/ALRT/referer_http_header.txt NVidia Stolen Certificateshttps://www.theregister.com/2022/03/05/nvidia_stolen_certificate/https://twitter.com/cyb3rops/status/1499514240008437762 GitLab Vulnerabilitieshttps://about.gitlab.com/releases/2022/02/25/critical-security-release-gitlab-14-8-2-released/#unauthenticated-user-enumeration-on-graphql-api Cisco Patcheshttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-expressway-filewrite-87Q5YRk

Attackers Search For Exosed “LuCI” Foldershttps://isc.sans.edu/diary/28400 Alexa Versus Alexahttps://arxiv.org/abs/2202.08619 Bypassing Google Cloud Armorhttps://kloudle.com/blog/piercing-the-cloud-armor-the-8kb-bypass-in-google-cloud-platform-waf Ukraine Updateshttps://www.golem.de/news/ausfall-angriff-auf-ka-sat-satellit-ueber-gatewaystation-in-ukraine-2203-163614.htmlhttps://www.crowdstrike.com/blog/how-to-decrypt-the-partyticket-ransomware-targeting-ukraine/https://www.bleepingcomputer.com/news/security/ukraine-says-local-govt-sites-hacked-to-push-fake-capitulation-news/

The More Often Something is Repeated, the More True it Becomeshttps://isc.sans.edu/forums/diary/The+More+Often+Something+is+Repeated+the+More+True+It+Becomes+Dealing+with+Social+Media/28396/ Fortinet Bughttps://www.fortiguard.com/psirt/FG-IR-21-028 IBM Updateshttps://www.ibm.com/blogs/psirt/ Google Updateshttps://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop.html Conti Ransomware Leakhttps://threatpost.com/conti-ransomware-decryptor-trickbot-source-code-leaked/178727/ Middle Box DDoS Attackshttps://www.akamai.com/blog/security/tcp-middlebox-reflection