“Puss in Boots” APT campaign


Have you ever thought about what your answer would be if your precocious child asked, “What’s a politically motivated APT attack?” In fact, it’s straightforward. Just dust off your copy of Charles Perrault’s Puss in Boots and read it together with an eye on the cybersecurity aspects. After all, if we ignore the artistic liberties, such as a talking cat and ogres, the tale represents a marvelous example of a complex multivector APT attack against a (fictional) government. Let’s unpick this cybercrime together.

https://www.kaspersky.com/blog/operation-puss-in-boots/28963/

Actualizaciones críticas en Oracle (octubre 2019)

Fecha de publicación: 16/10/2019
Importancia: 5 - Crítica

Descripción: 
Oracle ha publicado una actualización crítica con parches para corregir vulnerabilidades que afectan a múltiples productos.

Solución: 
Aplicar los parches correspondientes según los productos afectados. La información para descargar las actualizaciones puede obtenerse del boletín de seguridad publicado por Oracle.

Detalle: 
Esta actualización resuelve un total de 219 vulnerabilidades, algunas de las cuales son críticas. El detalle de las vulnerabilidades resueltas se puede consultar en el enlace de Oracle de la sección de Referencias.

https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/actualizaciones-criticas-oracle-octubre-2019

Vulnerabilidad en Workload Scheduler de IBM

Fecha de publicación: 16/10/2019
Importancia: 4 - Alta

Recursos afectados: 
Tivoli Workload Scheduler Distributed, versión 9.2.0 FP03 y anteriores.
IBM Workload Scheduler Distributed:
versión 9.3.0 FP03 y anteriores,
versión 9.4.0 FP05 y anteriores,
versión 9.5.0 GA.

https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/vulnerabilidad-workload-scheduler-ibm

Adobe Releases Security Updates for Multiple Products

Adobe has released security updates to address vulnerabilities in multiple Adobe products. An attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Adobe Security Bulletins and apply the necessary updates:
Experience Manager APSB19-48
Acrobat and Reader APSB19-49
Experience Manager Forms APSB19-50
Download Manager APSB19-51

https://www.us-cert.gov/ncas/current-activity/2019/10/15/adobe-releases-security-updates-multiple-products

Múltiples vulnerabilidades en productos Cisco

Fecha de publicación: 17/10/2019
Importancia: 5 - Crítica

Recursos afectados: 
Prodcutos de Cisco que estén ejecutando una versión vulnerable de:
Aironet 1540 Series APs,
Aironet 1560 Series APs,
Aironet 1800 Series APs,
Aironet 1810 Series APs,
Aironet 1830 Series APs,
Aironet 1850 Series APs,
Aironet 2800 Series APs,
Aironet 3800 Series APs,
Aironet 4800 APs,
Catalyst 9100 APs (la versión 8.9.100.0 es la primera versión soportada).
Cisco WLC Software, versión 8.5.140.0 y anteriores;
Cisco SPA112 2-Port Phone Adapter y SPA122 ATA con Router, versión de firmware 1.4.1 SR4 y anteriores, con la interfaz de gestión basada en web habilitada;
Cisco 250 Series Smart Switches;
Cisco 350 Series Managed Switches;
Cisco 550X Series Stackable Managed Switches.

Descripción: 
Cisco ha publicado 18 vulnerabilidades, 1 de severidad crítica y 17 de severidad alta, que afectan a sus productos.

https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/multiples-vulnerabilidades-productos-cisco-57

ISC Releases Security Advisories for #BIND

The Internet Systems Consortium (ISC) has released security advisories that address vulnerabilities affecting multiple versions of ISC Berkeley Internet Name Domain (BIND). A remote attacker could exploit one of these vulnerabilities to obtain sensitive information.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the ISC advisories for CVE-2019-6475 and CVE-2019-6476 for more information and to apply the necessary updates and workarounds.

https://www.us-cert.gov/ncas/current-activity/2019/10/17/isc-releases-security-advisories-bind

[SECURITY] [DLA 1960-1] #wordpress security update

Package : wordpress
Version : 4.1.27+dfsg-0+deb8u1
CVE ID : CVE-2019-16217 CVE-2019-16218 CVE-2019-16219 CVE-2019-16220 CVE-2019-16221 CVE-2019-16222 CVE-2019-16223
Debian Bug : 939543

Several cross-site scripting (XSS) vulnerabilities were discovered in Wordpress, a popular content management framework. An attacker can use these flaws to send malicious scripts to an unsuspecting user.
For Debian 8 "Jessie", these problems have been fixed in version 4.1.27+dfsg-0+deb8u1.
We recommend that you upgrade your wordpress packages.

https://lists.debian.org/debian-lts-announce/2019/10/msg00023.html

Four-Year-Old Critical #Linux Wi-Fi Bug Allows System Compromise

A patch is currently under revision but has not yet been incorporated into the Linux kernel.

A critical Linux bug has been discovered that could allow attackers to fully compromise vulnerable machines. A fix has been proposed but has not yet been incorporated into the Linux kernel.

The flaw (CVE-2019-17666), which was classified as critical in severity, exists in the “rtlwifi” driver, which is a software component used to allow certain #Realtek Wi-Fi modules, used in Linux devices, to communicate with the Linux operating system.

https://threatpost.com/critical-linux-wi-fi-bug-system-compromise/149325/

DLA-1965-1 nfs-utils -- LTS security update

Date Reported:19 Oct 2019
Affected Packages:nfs-utils
Vulnerable:Yes
Security database references:
In the Debian bugtracking system: Bug 940848.
In Mitre's CVE dictionary: CVE-2019-3689.

More information:
In the nfs-utils package, providing support files for Network File System (NFS) including the rpc.statd daemon, the directory /var/lib/nfs is owned by statd:nogroup. This directory contains files owned and managed by root. If statd is compromised, it can therefore trick processes running with root privileges into creating/overwriting files anywhere on the system.

For Debian 8 Jessie, this problem has been fixed in version 1.2.8-9+deb8u1.

We recommend that you upgrade your nfs-utils packages.

https://www.debian.org/lts/security/2019/dla-1965

Evasión de autentificación en Citrix Application Delivery Controller y Citrix Gateway

Fecha de publicación: 21/10/2019
Importancia: 4 - Alta

Recursos afectados: 
Citrix ADC y Citrix Gateway versión 13.0, hasta la build 41.20;
Citrix ADC y NetScaler Gateway versión 12.1, hasta la build 54.13;
Citrix ADC y NetScaler Gateway versión 12.0, hasta la build 62.8;
Citrix ADC y NetScaler Gateway version 11.1, hasta la build 62.8;
Citrix ADC y NetScaler Gateway version 10.5, hasta la build 70.5.

Descripción: 
Se ha identificado una vulnerabilidad en la interfaz de gestión de Citrix Application Delivery Controller (ADC), anteriormente conocida como NetScaler ADC, y Citrix Gateway, anteriormente conocida como NetScaler Gateway.

https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/evasion-autentificacion-citrix-application-delivery-controller-y

Vulnerabilidad de escalada de privilegios en FortiMail de Fortinet

Fecha de publicación: 21/10/2019
Importancia: 4 - Alta

Recursos afectados: 
FortiMail, versiones:
6.2.0,
6.0.0 hasta 6.0.6,
5.4.10 y anteriores.

Descripción: 
Fortinet ha descubierto dos vulnerabilidades con criticidades altas en FortiMail. Un atacante, con privilegios de administración, podría obtener acceso no autorizado al sistema.

Solución: 
Actualizar a las versiones de FortiMail:
6.2.1,
6.0.7,
5.4.11. (pendiente de publicación).

https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/vulnerabilidad-escalada-privilegios-fortimail-fortinet

NSA and NCSC Release Joint Advisory on Turla Group Activity

The National Security Agency (NSA) and the United Kingdom National Cyber Security Centre (NCSC) have released a joint advisory on advanced persistent threat (APT) group Turla—widely reported to be Russian. The advisory provides an update to NCSC’s January 2018 report on Turla’s use of the malicious Neuron, Nautilus, and Snake tools to steal sensitive data. Additionally, the advisory states that Turla has compromised—and is currently leveraging—an Iranian APT group’s infrastructure and resources, which include the Neuron and Nautilus tools.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following resources for more information:
•    NSA Advisory Turla Group Exploits Iranian APT To Expand Coverage Of Victims
•    UK NCSC Advisory Turla group exploits Iranian APT to expand coverage of victims
•    January 2018 UK NCSC Report Turla Group Malware

https://www.us-cert.gov/ncas/current-activity/2019/10/21/nsa-and-ncsc-release-joint-advisory-turla-group-activity

#Avast says #CCleaner was targeted by hackers… again

Security firm Avast has revealed that it detected and intercepted suspicious activity on its network. The malicious attack is believed to have been instigated by hackers seeking to target the CCleaner software.

https://betanews.com/2019/10/21/avast-abiss-hack-abiss/

#NordVPN confirms it was hacked

#VPV

NordVPN, a virtual private network provider that promises to “protect your privacy online,” has confirmed it was hacked.

The admission comes following rumors that the company had been breached. It first emerged that NordVPN had an expired internal private key exposed, potentially allowing anyone to spin out their own servers imitating NordVPN.

https://techcrunch.com/2019/10/21/nordvpn-confirms-it-was-hacked/

#NordVPN confirma un ataque que accedió a su centro de datos, aunque "no afectó a los usuarios"

#VPN

NordVPN dice que se enteró de la brecha hace unos meses

https://www.genbeta.com/seguridad/nordvpn-confirma-que-uno-sus-centros-datos-fue-atacado-exito-hace-ano

Evil-WinRM: shell que usa WinRM para hacking/pentesting

#HackPlayers
https://www.hackplayers.com/2019/10/evil-winrm-shell-winrm-para-pentesting.html

CVE-2019-18217

#ProFTPD before 1.3.6b and 1.3.7rc before 1.3.7rc2 allows remote unauthenticateds denial-of-service due to incorrect handling of overly long commands because main.c in a child process enters an infinite loop.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18217

#Proftpd Buffer overflow CVE-2019–18217

https://medium.com/@social_62682/proftpd-buffer-overflow-cve-2019-18217-281503c527e6

Hacker Breached Servers Belonging to Multiple #VPN Providers

Servers belonging to the #NordVPN and #TorGuard VPN companies were hacked and attackers stole and leaked the private keys associated with certificates used to secure their web servers and VPN configuration files. 

https://www.bleepingcomputer.com/news/security/hacker-breached-servers-belonging-to-multiple-vpn-providers/

i2pd v2.29.0 rleases: End-to-End encrypted and anonymous Internet

https://securityonline.info/i2pd/

#Ransomware Goes Fileless, Uses Malicious Documents and #PowerShell to Encrypt Files

https://www.bromium.com/ransomware-goes-fileless-uses-malicious-documents-and-powershell-to-encrypt-files/