Internet Storm Centre Podcast

SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast): a brief daily summary of what is important in information security. The podcast is published every weekday and is designed to get you ready for the day with a brief, usually 5-minute-long, summary of current network security related events. The content is late breaking, educational and based on listener input as well as on input received by the SANS Internet Stormcenter. You may submit questions and comments via our contact form at https://isc.sans.edu/contact.html.

  • ISC StormCast for Friday, April 19th, 2024
    by Dr. Johannes B. Ullrich on April 19, 2024 at 2:00 am

    Delinea Secret Server Authn Authz Bypass https://straightblast.medium.com/all-your-secrets-are-belong-to-us-a-delinea-secret-server-authn-authz-bypass-adc26c800ad3
    Ivanti Avalanche PoC/Details https://www.tenable.com/security/research/tra-2024-10
    Advanced Phishing Campaign https://www.lookout.com/threat-intelligence/article/cryptochameleon-fcc-phishing-kit
    HashiCorp go-getter update CVE-2024-3817 https://discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040
    OfflRouter Virus https://blog.talosintelligence.com/offlrouter-virus-causes-upload-confidential-documents-to-virustotal/

  • ISC StormCast for Thursday, April 18th, 2024
    by Dr. Johannes B. Ullrich on April 18, 2024 at 2:00 am

    Malicious PDF File As Delivery Mechanism https://isc.sans.edu/diary/Malicious%20PDF%20File%20Used%20As%20Delivery%20Mechanism/30848
    Updated Palo Alto Networks GlobalProtect Guidance https://security.paloaltonetworks.com/CVE-2024-3400
    Coordinated Social Engineering Takeovers of Open Source Projects https://openssf.org/blog/2024/04/15/open-source-security-openssf-and-openjs-foundations-issue-alert-for-social-engineering-takeovers-of-open-source-projects/
    OpenMetadata Attacks https://www.microsoft.com/en-us/security/blog/2024/04/17/attackers-exploiting-new-critical-openmetadata-vulnerabilities-on-kubernetes-clusters/

  • ISC StormCast for Wednesday, April 17th, 2024
    by Dr. Johannes B. Ullrich on April 17, 2024 at 2:00 am

    Palo Alto Networks GlobalProtect exploit public and widely exploited CVE-2024-3400 https://isc.sans.edu/forums/diary/Palo%20Alto%20Networks%20GlobalProtect%20exploit%20public%20and%20widely%20exploited%20CVE-2024-3400/30844/
    Putty Private Key Recovery https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-p521-bias.html
    Oracle Critical Patch Update https://www.oracle.com/security-alerts/cpuapr2024.html
    Ivanti Avalanche MDM Patches https://forums.ivanti.com/s/article/Avalanche-6-4-3-Security-Hardening-and-CVEs-addressed?language=en_US

  • ISC StormCast for Tuesday, April 16th, 2024
    by Dr. Johannes B. Ullrich on April 16, 2024 at 2:00 am

    Quick Palo Alto Networks GlobalProtect Vulnerability Update CVE-2024-3400 https://isc.sans.edu/diary/30838
    Delinea patches critical vulnerability in secret manager https://trust.delinea.com/?tcuUid=17aaf4ef-ada9-46d5-bf97-abd3b07daae3
    Lancom Windows Setup Assistant May Reset Password https://www.lancom-systems.com/service-support/general-security-information
    PHP Patches https://seclists.org/oss-sec/2024/q2/113
    Duo SMS and VoIP Logs Leaked https://app.securitymsp.cisco.com/e/es?e=2785&eid=opguvrs&elq=bd1c1886a59e40c09915b029a74be94e
    LastPass Stops Deepfake Attack https://blog.lastpass.com/posts/2024/04/attempted-audio-deepfake-call-targets-lastpass-employee

  • ISC StormCast for Sunday, April 14th, 2024
    by Dr. Johannes B. Ullrich on April 13, 2024 at 7:58 pm

    Palo Alto Networks GlobalProtect 0-Day CVE-2024-3400
    https://security.paloaltonetworks.com/CVE-2024-3400
    https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/#RespondingToCompromise

  • ISC StormCast for Friday, April 12th, 2024
    by Dr. Johannes B. Ullrich on April 12, 2024 at 2:00 am

    BatBadBut: You can’t securely execute commands on Windows https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/
    FortiClient Linux Remote Code Execution https://www.fortiguard.com/psirt/FG-IR-23-087
    Apple Threat Notifications and Protecting Against Mercenary Spyware https://support.apple.com/en-us/102174
    New Technique to Trick Developers Detected in an Open Source Supply Chain Attack https://checkmarx.com/blog/new-technique-to-trick-developers-detected-in-an-open-source-supply-chain-attack/

  • ISC StormCast for Thursday, April 11th, 2024
    by Dr. Johannes B. Ullrich on April 11, 2024 at 2:00 am

    Rust Command API code execution vulnerability CVE-2024-24576 https://blog.rust-lang.org/2024/04/09/cve-2024-24576.html
    Adobe Updates: Magento Adobe Commerce CVE-2024-20759 CVE-2024-20758
    https://helpx.adobe.com/security/products/magento/apsb24-18.html
    https://helpx.adobe.com/security.html
    Fortinet FortiOS And FortiProxy Vulnerability CVE-2023-41677 https://www.fortiguard.com/psirt/FG-IR-23-493
    Smoke and Screen Mirrors Signed Backdoor CVE-2024-26234 https://news.sophos.com/en-us/2024/04/09/smoke-and-screen-mirrors-a-strange-signed-backdoor/

  • ISC StormCast for Wednesday, April 10th, 2024
    by Dr. Johannes B. Ullrich on April 10, 2024 at 2:00 am

    Microsoft Patches https://isc.sans.edu/forums/diary/April%202024%20Microsoft%20Patch%20Tuesday%20Summary/30822/
    D-Link NAS Backdoor https://github.com/netsecfish/dlink
    LG SmartTV Vulnerabilities https://www.bitdefender.com/blog/labs/vulnerabilities-identified-in-lg-webos/

  • ISC StormCast for Tuesday, April 9th, 2024
    by Dr. Johannes B. Ullrich on April 9, 2024 at 2:00 am

    A Use Case for Adding Threat Hunting to Your Security Operations Team https://isc.sans.edu/diary/30816
    Notepad++ Parasite Site https://notepad-plus-plus.org/news/help-to-take-down-parasite-site/
    Hugging Face Pickle File Vulnerabilities https://huggingface.co/blog/hugging-face-wiz-security-blog
    Google Considers V8 Sandbox No Longer Experimental https://v8.dev/blog/sandbox

  • ISC StormCast for Monday, April 8th, 2024
    by Dr. Johannes B. Ullrich on April 8, 2024 at 2:00 am

    Heartbleed 10th Anniversary https://heartbleed.com/
    Possible Libarchive Backdoor Vulnerability https://github.com/libarchive/libarchive/pull/1609
    Magento XML Backdoor https://sansec.io/research/magento-xml-backdoor
    Google Public DNS’s approach to fight against cache poisoning attacks https://security.googleblog.com/2024/03/google-public-dnss-approach-to-fight.html
    Remote code execution (RCE) vulnerability in Brocade Fabric OS (CVE-2023-3454) https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/23215
    SANS London April Evening Talk https://sans.zoom.us/webinar/register/WN_ZLLnQKCCQCywLGm-CM4xQg#/registration

  • ISC StormCast for Friday, April 5th, 2024
    by Dr. Johannes B. Ullrich on April 5, 2024 at 2:00 am

    Slicing up DoNex with Binary Ninja https://isc.sans.edu/diary/Slicing%20up%20DoNex%20with%20Binary%20Ninja/30812
    HTTP/2 Continuation Flood https://nowotarski.info/http2-continuation-flood-technical-details/
    Dangers of CSS in HTML Email https://lutrasecurity.com/en/articles/kobold-letters/
    Dan Mazzella: Infostealers in Automotive Headunits https://www.sans.edu/cyber-research/exploring-infostealer-malware-techniques-automotive-head-units/

  • ISC StormCast for Thursday, April 4th, 2024
    by Dr. Johannes B. Ullrich on April 4, 2024 at 2:00 am

    Playing with xzbot: Some things you can learn from SSH traffic https://isc.sans.edu/forums/diary/Some%20things%20you%20can%20learn%20from%20SSH%20traffic/30808/
    Google Proposes Device Bound Session Credentials (DBSC) https://blog.chromium.org/2024/04/fighting-cookie-theft-using-device.html
    Four More Ivanti Vulnerabilities https://forums.ivanti.com/s/article/SA-CVE-2024-21894-Heap-Overflow-CVE-2024-22052-Null-Pointer-Dereference-CVE-2024-22053-Heap-Overflow-and-CVE-2024-22023-XML-entity-expansion-or-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
    Google Pixel Zero Day https://source.android.com/docs/security/bulletin/pixel/2024-04-01

  • ISC StormCast for Wednesday, April 3rd, 2024
    by Dr. Johannes B. Ullrich on April 3, 2024 at 2:00 am

    Chrome Incognito Mode Settlement https://www.wired.com/story/google-chrome-incognito-mode-data-deletion-settlement/
    Google E-Mail Sender Guidelines FAQ https://support.google.com/a/answer/14229414?hl=en&fl=1&sjid=2270464422796374445-NC
    Cisco Updates and VPN Best Practices
    https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/221806-password-spray-attacks-impacting-custome.html
    https://sec.cloudapps.cisco.com/security/center/publicationListing.x
    Apache Pulsar Vulnerability https://pulsar.apache.org/security/CVE-2024-29834/
    Progress Flowmon Network Monitoring Tool Vulnerability CVE-2024-2389 https://support.kemptechnologies.com/hc/en-us/articles/24878235038733-CVE-2024-2389-Flowmon-critical-security-vulnerability
    Wait Just an Infosec Episode with Bojan Zdrnja: Thursday April 4th 2024 10:00 EDST https://isc.sans.edu/j/xzutils (link will redirect once episode is live)

  • ISC StormCast for Tuesday, April 2nd, 2024
    by Dr. Johannes B. Ullrich on April 2, 2024 at 2:00 am

    The amazingly scary xz sshd backdoor https://isc.sans.edu/diary/The%20amazingly%20scary%20xz%20sshd%20backdoor/30802
    The xz-utils backdoor in security advisories by national CSIRTs https://isc.sans.edu/diary/The+xzutils+backdoor+in+security+advisories+by+national+CSIRTs/30800
    Checking CSV Files https://isc.sans.edu/diary/Checking%20CSV%20Files/30796
    Infostealers Pose Threat to macOS https://www.jamf.com/blog/infostealers-pose-threat-to-macos/

  • ISC StormCast for Monday, April 1st, 2024
    by Dr. Johannes B. Ullrich on April 1, 2024 at 2:00 am

    xz-utils Backdoor CVE-2024-3094
    https://www.openwall.com/lists/oss-security/2024/03/29/4
    https://tukaani.org/xz-backdoor/
    https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27
    Backdoor reverse analysis https://bsky.app/profile/did:plc:x2nsupeeo52oznrmplwapppl/post/3kowjkx2njy2b
    YARA Rule https://github.com/byinarie/CVE-2024-3094-info/blob/main/CVE-2024-3094.yar
    Social Engineering Attempts to Include Backdoor in Distros
    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067708
    https://news.ycombinator.com/item?id=39866275
    GitHub Repo (now disabled) https://github.com/tukaani-project/xz
    Statements from Distributions
    https://www.kali.org/blog/about-the-xz-backdoor/
    https://archlinux.org/news/the-xz-package-has-been-backdoored/
    https://access.redhat.com/security/cve/CVE-2024-3094
    https://bugs.gentoo.org/928134
    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024

  • ISC StormCast for Friday, March 29th, 2024
    by Dr. Johannes B. Ullrich on March 29, 2024 at 2:00 am

    From JavaScript to AsyncRAT https://isc.sans.edu/diary/From%20JavaScript%20to%20AsyncRAT/30788
    TeamCity Patches https://www.jetbrains.com/privacy-security/issues-fixed/?product=TeamCity&version=2024.03
    Okta Verify for Windows Auto-update Arbitrary Code Execution CVE-2024-0980 https://trust.okta.com/security-advisories/okta-verify-windows-auto-update-arbitrary-code-execution-cve-2024-0980/
    Google Zero Day Report https://storage.googleapis.com/gweb-uniblog-publish-prod/documents/Year_in_Review_of_ZeroDays.pdf

  • ISC StormCast for Thursday, March 28th, 2024
    by Dr. Johannes B. Ullrich on March 28, 2024 at 2:00 am

    Scans for Apache OfBiz https://isc.sans.edu/diary/Scans%20for%20Apache%20OfBiz/30784
    Wall-Escape (CVE-2024-28085) https://people.rit.edu/sjf5462/6831711781/wall_2_27_2024.txt
    Recent “MFA Bombing” Attacks Targeting Apple Users https://krebsonsecurity.com/2024/03/recent-mfa-bombing-attacks-targeting-apple-users/

  • ISC StormCast for Wednesday, March 27th, 2024
    by Dr. Johannes B. Ullrich on March 27, 2024 at 2:00 am

    New tool: linux-pkgs.sh https://isc.sans.edu/forums/diary/New%20tool%3A%20linux-pkgs.sh/30774/
    Suspicious NuGet package grabs data from industrial systems https://www.reversinglabs.com/blog/suspicious-nuget-package-grabs-data-from-industrial-systems
    Preventing Cross Service UDP Loops in QUIC https://bughunters.google.com/blog/5960150648750080/preventing-cross-service-udp-loops-in-quic
    ShadowRay Attacks AI Workloads Actively Exploited in the Wild https://www.oligo.security/blog/shadowray-attack-ai-workloads-actively-exploited-in-the-wild
    TheMoon Malware Infects 6,000 ASUS Routers in 72 Hours for Proxy Service https://www.bleepingcomputer.com/news/security/themoon-malware-infects-6-000-asus-routers-in-72-hours-for-proxy-service/

  • ISC StormCast for Tuesday, March 26th, 2024
    by Dr. Johannes B. Ullrich on March 26, 2024 at 2:00 am

    Tool updates: le-hex-to-ip.py and sigs.py https://isc.sans.edu/diary/Tool%20updates%3A%20le-hex-to-ip.py%20and%20sigs.py/30772
    Apple Updates for MacOS, iOS/iPadOS, visionOS https://isc.sans.edu/diary/Apple%20Updates%20for%20MacOS%2C%20iOS%20iPadOS%20and%20visionOS/30778
    Fake Python Infrastructure https://checkmarx.com/blog/over-170k-users-affected-by-attack-using-fake-python-infrastructure/
    OpenVPN Update https://openvpn.net/community-downloads/

  • ISC StormCast for Monday, March 25th, 2024
    by Dr. Johannes B. Ullrich on March 25, 2024 at 2:00 am

    1768.py’s Experimental Mode https://isc.sans.edu/diary/1768.py%27s%20Experimental%20Mode/30770
    CISCP Advisory on Application-Layer Loop DoS https://docs.google.com/document/d/1KByZzrdwQhrXGPPCf9tUzERZyRzg0xOpGbWoDURZxTI/edit
    Fixes for Windows Server LSASS Memory Leak https://www.catalog.update.microsoft.com/Search.aspx?q=2024-03%20Cumulative%20Update
