Not Simon

@simontsui@infosec.exchange
1.2K Followers
112 Following
687 Posts
This is not Simon. Opinions are made by a screaming goat and do not express the views or opinions of his goatherder.
The United States State Department issued a visa ban on 13 people and some of their family members. The reason is the proliferation of spyware. https://www.state.gov/promoting-accountability-for-the-misuse-of-commercial-spyware/
CrushFTP urges customers to patch file transfer tool ‘ASAP’ https://therecord.media/crushftp-file-transfer-vulnerability-patch-asap

Two of the biggest cybersecurity incidents in 2023 revolved around zero-day vulnerabilities in file transfer tools.

Shoutout to @h4sh for getting a CVE ID assigned to this actively exploited zero-day CrushFTP vulnerability: CVE-2024-4040 (reported by Simon Garrelou, of Airbus CERT). https://www.cve.org/CVERecord?id=CVE-2024-4040

VFS Sandbox Escape in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows remote attackers with low privileges to read files from the filesystem outside of VFS Sandbox.

#zeroday #eitw #activeexploitation #CrushFTP #vulnerability #CVE_2024_4040

Wall Street Journal has a leak from the Change Healthcare ransomware incident

- Initial entry was via a remote access system without MFA
- Dwell time was 9 days
- They paid the ransom, then got held to ransom again and had data leaked anyway

https://www.wsj.com/articles/change-healthcare-hackers-broke-in-nine-days-before-ransomware-attack-7119fdc6

#threatintel #ransomware

Jenkins security advisory from 17 April 2024 patched against the Terrapin Attack vulnerability CVE-2023-48795 🔗 https://www.jenkins.io/security/advisory/2024-04-17/

#CVE_2023_48795 #Terrapin #vulnerability #Jenkins

Jenkins Security Advisory 2024-04-17

Jenkins – an open source automation server which enables developers around the world to reliably build, test, and deploy their software

Microsoft reported that APT28 (Fancy Bear, Forest Blizzard) used a custom tool to elevate privileges and steal credentials in compromised networks. This GooseEgg tool leveraged CVE-2022-38028 (7.8 high, disclosed 11 October 2022 by Microsoft; Windows Print Spooler Elevation of Privilege Vulnerability) as a zero-day since at least June 2020 (possibly as early as April 2019), which is 2 years 4 months before disclosure. APT28 is publicly attributed to the Russian General Staff Main Intelligence Directorate (GRU). IOCs provided. 🔗 https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/

cc: @serghei @campuscodi @briankrebs @jwarminsky

#APT28 #cyberespionage #Russia #FancyBear #ForestBlizzard #CVE_2022_38028 #eitw #activeexploitation #GooseEgg

Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials | Microsoft Security Blog

Since 2019, Forest Blizzard has used a custom post-compromise tool to exploit a vulnerability in the Windows Print Spooler service that allows elevated permissions. Microsoft has issued a security update addressing this vulnerability as CVE-2022-38028.

New York Times: A report by Stanford researchers cautions that the National Center for Missing and Exploited Children doesn’t have the resources to help fight a new flood of child sexual abuse material created by artificial intelligence. https://www.nytimes.com/2024/04/22/technology/ai-csam-cybertipline.html

#CSAM #news #AI

AI-Generated Child Sexual Abuse Material May Overwhelm Tip Line

A report by Stanford researchers cautions that the National Center for Missing and Exploited Children doesn’t have the resources to help fight the new epidemic.

The Record: UK arrests 2 for breaching the Official Secrets Act on behalf of China. Germany arrests 3 for obtaining information on innovative technologies with military uses for China's Ministry of State Security. 🔗 https://therecord.media/germany-arrests-spies-lasers-china

#espionage #news #China

Germany arrests spies accused of snatching 'special laser' for China

Prosecutors in Britain and Germany announced the arrests of five people, all domestic nationals, suspected of having worked for the Chinese government.

SANS ISC notes that the number of industrial control system devices accessible from the internet rose by 30,000: 🔗 https://isc.sans.edu/diary/rss/30860

#ICS

SafeBreach revealed that the DOS-to-NT path conversion process could be exploited by threat actors to achieve rootkit-like capabilities to conceal and impersonate files, directories, and processes. "During this conversion process, a known issue exists in which the function removes trailing dots (referring to this as "MagicDot") from any path element and any trailing spaces from the last path element. This action is completed by most user-space APIs in Windows." This resulted in multiple CVEs: CVE-2023-36396 (7.8 high, RCE), CVE-2023-32054 (7.3 high, EoP write), and CVE-2023-42757 (unpublished DoS). Microsoft declined to fix an Elevation of Privilege delete vulnerability. 🔗 https://www.safebreach.com/blog/magicdot-a-hackers-magic-show-of-disappearing-dots-and-spaces/

#MagicDot #CVE_2023_42757 #CVE_2023_32054 #CVE_2023_36396

MagicDot: A Hacker's Magic Show | SafeBreach

See how SafeBreach researcher discovered vulnerabilities and unprivileged rootkit-like techniques in Windows DOS-to-NT path conversion process.

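As an added example (not code from the SafeBreach write-up or from this post), a small Python check that applies the two stripping rules the post quotes, trailing dots from every path element and trailing spaces from the last element, to flag file names that would silently change or collide during conversion. It is a simplified model of the behaviour as described, not Windows' own path code; the treatment of "." and ".." and all sample paths are constructed assumptions.

```python
"""Flag path elements that the described DOS-to-NT conversion would alter.

Simplified model of the two rules quoted in the MagicDot post; it does not
claim to reproduce every detail of the real Windows conversion.
"""
from __future__ import annotations

from collections import defaultdict


def split_elements(path: str) -> list[str]:
    """Split a DOS-style path on either separator, dropping empty elements."""
    return [e for e in path.replace("/", "\\").split("\\") if e != ""]


def dos_to_nt_elements(path: str) -> list[str]:
    """Apply the two stripping rules from the post to each element.

    Rule 1: trailing dots are removed from every element.
    Rule 2: trailing spaces are removed from the last element only.
    Assumption: "." and ".." are navigation elements and are left untouched.
    """
    converted = []
    for element in split_elements(path):
        if element in (".", ".."):
            converted.append(element)
        else:
            converted.append(element.rstrip("."))
    if converted and converted[-1] not in (".", ".."):
        converted[-1] = converted[-1].rstrip(" ")
    return converted


def magicdot_suspects(path: str) -> list[tuple[str, str]]:
    """Return (as_written, after_conversion) pairs for elements that change."""
    pairs = zip(split_elements(path), dos_to_nt_elements(path))
    return [(orig, conv) for orig, conv in pairs if orig != conv]


def collisions(paths: list[str]) -> dict[str, list[str]]:
    """Group distinct user-supplied paths that converge on one converted path."""
    groups: dict[str, list[str]] = defaultdict(list)
    for p in paths:
        groups["\\".join(dos_to_nt_elements(p))].append(p)
    return {k: v for k, v in groups.items() if len(v) > 1}


# Constructed sample input: four spellings that collapse to one converted
# path and one (trailing space on a middle element) that stays distinct.
SAMPLE_PATHS = [
    r"C:\Users\alice\report.docx",
    r"C:\Users\alice\report.docx.",
    r"C:\Users\alice.\report.docx",
    r"C:\Users\alice\report.docx   ",
    r"C:\Users\alice \report.docx",
]
```

A file-handling service can reject any upload whose `magicdot_suspects` list is non-empty before the name reaches the filesystem, rather than trusting the converted form.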