SysAdmin 24x7
Computer security news and alerts.
Chat and contact:
t.me/sysadmin24x7chat
Cisco IOS XR 64-Bit Software for Cisco ASR 9000 Series Aggregation Services Routers Network Isolation Vulnerability

Vulnerable Products

This vulnerability affects Cisco ASR 9000 Series Aggregation Services Routers that are running an affected version of Cisco IOS XR 64-bit Software and have the secondary management interface (physically MGT LAN 1 on the route switch processor (RSP)) connected and configured.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190417-asr9k-exr
Cisco IOS and IOS XE Software Cluster Management Protocol Remote Code Execution Vulnerability

Cisco devices running a vulnerable Cisco IOS or IOS XE Software release are affected by this vulnerability when both of the following conditions are met:

The CMP subsystem is present on the Cisco IOS or IOS XE Software image running on the device, and
The device is configured to accept incoming Telnet connections.

Details
A vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device or to remotely execute code with elevated privileges.
The Cluster Management Protocol uses Telnet internally as a signaling and command protocol between cluster members, which is why the attack surface is the device's Telnet listener: disabling incoming Telnet on the vty lines (accepting SSH only) removes the attack vector.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp
SNMP Remote Code Execution Vulnerabilities in Cisco IOS and IOS XE Software

To exploit these vulnerabilities via SNMP Version 2c or earlier, the attacker must know the SNMP read-only community string for the affected system.

To exploit these vulnerabilities via SNMP Version 3, the attacker must have valid SNMPv3 user credentials for the affected system.

In both cases the attacker needs network reachability to the SNMP service, so restricting SNMP to trusted management hosts with an ACL limits exposure while devices are being patched, but it does not remove the vulnerability.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170629-snmp
PowerShell script creating a timeline of Active Directory changes with replication metadata

The ADTimeline script generates a timeline based on Active Directory replication metadata for objects considered of interest.
Replication metadata records, for each replicated attribute of a given object, the time at which that attribute was last changed, the originating domain controller, and a version number that is incremented on every modification. Because only the last change of each attribute is kept, the resulting timeline is partial: the version number tells you how many earlier changes happened, but not when.

https://github.com/ANSSI-FR/ADTimeline
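As an added illustration of how such a timeline is assembled (this is example code, not ADTimeline's own), the script below parses per-attribute replication metadata in the XML shape that the constructed LDAP attribute msDS-ReplAttributeMetaData returns, one fragment per attribute, and sorts the last-change entries of several objects into a single timeline. The domain name, object DNs, DC names, timestamps and USNs are constructed sample data, not output from a real directory.

```python
"""Partial change timeline from AD replication metadata (added example)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample domain; the NTDS Settings DN identifies the originating DC.
NTDS_DN = ("CN=NTDS Settings,CN={dc},CN=Servers,CN=Default-First-Site-Name,"
           "CN=Sites,CN=Configuration,DC=corp,DC=local")


def make_fragment(attr, version, when, usn, dc):
    """Build one msDS-ReplAttributeMetaData value (sample data only).

    Assumed element names follow the DS_REPL_ATTR_META_DATA XML that a DC
    returns; a real query yields one such fragment per replicated attribute.
    """
    return (
        "<DS_REPL_ATTR_META_DATA>"
        f"<pszAttributeName>{attr}</pszAttributeName>"
        f"<dwVersion>{version}</dwVersion>"
        f"<ftimeLastOriginatingChange>{when}</ftimeLastOriginatingChange>"
        "<uuidLastOriginatingDsaInvocationID>6f9c1a3e-2b7d-4c11-9e0a-0123456789ab"
        "</uuidLastOriginatingDsaInvocationID>"
        f"<usnOriginatingChange>{usn}</usnOriginatingChange>"
        f"<usnLocalChange>{usn}</usnLocalChange>"
        f"<pszLastOriginatingDsaDN>{NTDS_DN.format(dc=dc)}</pszLastOriginatingDsaDN>"
        "</DS_REPL_ATTR_META_DATA>"
    )


# Constructed sample: metadata for two objects of interest.
SAMPLE_METADATA = {
    "CN=Domain Admins,CN=Users,DC=corp,DC=local": [
        make_fragment("member", 7, "2019-04-21T22:13:05Z", 482113, "DC2"),
        make_fragment("description", 1, "2018-01-10T09:00:00Z", 1021, "DC1"),
    ],
    "CN=svc-backup,OU=Service,DC=corp,DC=local": [
        make_fragment("userAccountControl", 3, "2019-04-19T08:02:44Z", 480077, "DC1"),
        make_fragment("servicePrincipalName", 2, "2019-04-20T13:30:00Z", 481250, "DC1"),
        make_fragment("pwdLastSet", 5, "2019-04-21T22:10:01Z", 482101, "DC2"),
    ],
}


def parse_fragment(xml_text):
    """Extract the fields the timeline needs from one metadata fragment."""
    node = ET.fromstring(xml_text)

    def text(tag):
        child = node.find(tag)
        return child.text if child is not None else None

    # "CN=NTDS Settings,CN=DC2,CN=Servers,..." -> "DC2"
    parts = (text("pszLastOriginatingDsaDN") or "").split(",")
    dc = parts[1][3:] if len(parts) > 1 and parts[1].startswith("CN=") else parts[0]
    when = datetime.strptime(text("ftimeLastOriginatingChange"), "%Y-%m-%dT%H:%M:%SZ")
    return {
        "attribute": text("pszAttributeName"),
        "version": int(text("dwVersion")),
        "time": when.replace(tzinfo=timezone.utc),
        "usn": int(text("usnOriginatingChange")),
        "originating_dc": dc,
    }


def build_timeline(metadata_by_object):
    """Newest first. Each row is the LAST change of one attribute; the version
    number counts all changes, so version-1 earlier changes left no timestamp."""
    rows = []
    for dn, fragments in metadata_by_object.items():
        for frag in fragments:
            row = parse_fragment(frag)
            row["object"] = dn
            row["earlier_changes_not_visible"] = row["version"] - 1
            rows.append(row)
    rows.sort(key=lambda r: (r["time"], r["usn"]), reverse=True)
    return rows


def changes_since(metadata_by_object, since):
    """Rows whose last change is at or after the given aware datetime."""
    return [r for r in build_timeline(metadata_by_object) if r["time"] >= since]


if __name__ == "__main__":
    for r in build_timeline(SAMPLE_METADATA):
        print(f'{r["time"]:%Y-%m-%d %H:%M:%S} v{r["version"]:<2} {r["originating_dc"]:<4} '
              f'{r["attribute"]:<22} {r["object"]}')
```

Reading the output for the sample: the Domain Admins membership was changed at 22:13 on DC2, two minutes after svc-backup's password was reset on the same DC, which is the kind of correlation a replication-metadata timeline is good at surfacing; the six earlier membership changes are known only by count.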
Active Directory Control Paths

Control paths in Active Directory are an aggregation of "control relations" between entities of the domain (users, computers, groups, GPOs, containers, etc.) which can be visualized as graphs and whose purpose is to answer questions like "Who can get 'Domain Admins' privileges?", "What resources can a user control?" and even "Who can read the CEO's emails?".

https://github.com/ANSSI-FR/AD-control-paths
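To show what answering those questions means in practice, here is an added example (not AD-control-paths' own code, which builds its graph from real ACLs, group membership and GPO links) that runs the two queries over a constructed set of control relations. The principals, relation names and the tiny domain below are made up for illustration.

```python
"""Control-path queries over a graph of control relations (added example)."""
from collections import defaultdict, deque

# Constructed control relations: (source, relation, target) means
# "source controls target through relation".
RELATIONS = [
    ("alice", "MemberOf", "Helpdesk"),
    ("Helpdesk", "GenericWrite", "bob"),
    ("bob", "MemberOf", "Domain Admins"),
    ("mallory", "ForceChangePassword", "alice"),
    ("carol", "MemberOf", "GPO Editors"),
    ("GPO Editors", "WriteDacl", "GPO:Default Domain Controllers Policy"),
    ("GPO:Default Domain Controllers Policy", "GpLink", "OU:Domain Controllers"),
    ("OU:Domain Controllers", "Contains", "DC1$"),
    ("dave", "MemberOf", "Backup Operators"),
]


def build_graph(relations):
    """Forward adjacency (what a node controls) and reverse (who controls it)."""
    fwd, rev = defaultdict(list), defaultdict(list)
    for src, rel, dst in relations:
        fwd[src].append((rel, dst))
        rev[dst].append((rel, src))
    return fwd, rev


def _reachable(adjacency, start):
    """Breadth-first set of nodes reachable from start (start itself excluded)."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for _, nxt in adjacency[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def who_controls(relations, target):
    """Answer 'Who can get <target> privileges?': every node with a path into it."""
    _, rev = build_graph(relations)
    return _reachable(rev, target)


def controlled_by(relations, source):
    """Answer 'What resources can <source> control?'."""
    fwd, _ = build_graph(relations)
    return _reachable(fwd, source)


def control_path(relations, source, target):
    """Shortest chain of relations from source to target, or None if no path.

    Returned as a list of (node, relation, node) edges so the path can be
    read as the sequence of abuses an attacker would chain.
    """
    fwd, _ = build_graph(relations)
    parent = {source: None}
    queue = deque([source])
    while queue and target not in parent:
        node = queue.popleft()
        for rel, nxt in fwd[node]:
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    if target not in parent:
        return None
    path, node = [], target
    while parent[node] is not None:
        prev, rel = parent[node]
        path.append((prev, rel, node))
        node = prev
    return path[::-1]


if __name__ == "__main__":
    print("Can reach Domain Admins:", sorted(who_controls(RELATIONS, "Domain Admins")))
    print("carol controls:", sorted(controlled_by(RELATIONS, "carol")))
    for edge in control_path(RELATIONS, "mallory", "Domain Admins") or []:
        print("  %s --%s--> %s" % edge)
```

Note that mallory reaches Domain Admins without holding any privilege on the group herself: the path goes through a password reset on alice, alice's Helpdesk membership and Helpdesk's write access on a Domain Admin member. That transitive view is exactly what ACL-by-ACL review misses and what the graph makes explicit.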
PartyLoud: a simple bash script to generate "noise" on the network

PartyLoud is a tool for generating fake Internet traffic in order to prevent or mitigate tracking on local networks. It is based on noisy.py and its goal is to make a lot of noise on the network (in the form of HTTP requests) so that tracking your real browsing is harder.

https://www.hackplayers.com/2019/04/partyloud-script-genera-ruido-en-lan.html
Apache Tomcat CGI Servlet Remote Code Execution (CVE-2019-0232)

A remote code execution vulnerability exists in the Apache Tomcat CGI Servlet. Successful exploitation could allow an attacker to execute commands on the target server. The CGI Servlet is not enabled in a default Tomcat installation, so only deployments that have turned it on are exposed.

https://www.checkpoint.com/defense/advisories/public/2019/cpai-2019-0531.html
Source Code for CARBANAK Banking Malware Found On VirusTotal

https://thehackernews.com/2019/04/carbanak-malware-source-code.html
January 2019 OpenSSH Vulnerabilities in NetApp Products

Multiple NetApp products incorporate OpenSSH software libraries. OpenSSH versions through 7.9 are susceptible to vulnerabilities which when successfully exploited could lead to disclosure of sensitive information or the addition or modification of data.

https://security.netapp.com/advisory/ntap-20190213-0001/
TALOS-2018-0693

Symantec Endpoint Protection Small Business Edition ccSetx86.sys 0x224844 kernel memory information disclosure vulnerability

CVE-2018-18366

An exploitable kernel memory disclosure vulnerability exists in the 0x224844 IOCTL handler function of Symantec Endpoint Protection Small Business Edition ccSetx86.sys, version 16.0.0.77. A specially crafted IRP request can cause the driver to return uninitialized memory, resulting in kernel memory disclosure. An attacker can send an IRP request to trigger this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2018-0693
DNSpionage Drops New Karkoff Malware, Cherry-Picks Its Victims

Besides the DNSpionage malware, the hacking group behind the campaign also uses the Mimikatz credential dumper, various off-the-shelf administration tools, the Bitvise WinSSH SSH server, a number of open source hacking tools, and PuTTY for SSH tunneling within the same network. These tools are detailed by the French security researchers from CERT-OPMD, who also provide an ATT&CK matrix mapping for DNSpionage attacks.

https://www.bleepingcomputer.com/news/security/dnspionage-drops-new-karkoff-malware-cherry-picks-its-victims/