NSA and NCSC Release Joint Advisory on Turla Group Activity
The National Security Agency (NSA) and the United Kingdom National Cyber Security Centre (NCSC) have released a joint advisory on advanced persistent threat (APT) group Turla—widely reported to be Russian. The advisory provides an update to NCSC’s January 2018 report on Turla’s use of the malicious Neuron, Nautilus, and Snake tools to steal sensitive data. Additionally, the advisory states that Turla has compromised—and is currently leveraging—an Iranian APT group’s infrastructure and resources, which include the Neuron and Nautilus tools.
The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following resources for more information:
• NSA Advisory Turla Group Exploits Iranian APT To Expand Coverage Of Victims
• UK NCSC Advisory Turla group exploits Iranian APT to expand coverage of victims
• January 2018 UK NCSC Report Turla Group Malware
https://www.us-cert.gov/ncas/current-activity/2019/10/21/nsa-and-ncsc-release-joint-advisory-turla-group-activity
#Avast says #CCleaner was targeted by hackers… again
Security firm Avast has revealed that it detected and intercepted suspicious activity on its network. The malicious attack is believed to have been instigated by hackers seeking to target the CCleaner software.
https://betanews.com/2019/10/21/avast-abiss-hack-abiss/
#NordVPN confirms it was hacked
#VPN
NordVPN, a virtual private network provider that promises to “protect your privacy online,” has confirmed it was hacked.
The admission comes following rumors that the company had been breached. It first emerged that NordVPN had an expired internal private key exposed, potentially allowing anyone to spin out their own servers imitating NordVPN.
https://techcrunch.com/2019/10/21/nordvpn-confirms-it-was-hacked/
#NordVPN confirms an attack that accessed its data center, although it "did not affect users"
#VPN
NordVPN says it learned of the breach a few months ago
https://www.genbeta.com/seguridad/nordvpn-confirma-que-uno-sus-centros-datos-fue-atacado-exito-hace-ano
Evil-WinRM: a shell that uses WinRM for hacking/pentesting
#HackPlayers
https://www.hackplayers.com/2019/10/evil-winrm-shell-winrm-para-pentesting.html
CVE-2019-18217
#ProFTPD before 1.3.6b and 1.3.7rc before 1.3.7rc2 allows remote unauthenticated denial of service due to incorrect handling of overly long commands, because main.c in a child process enters an infinite loop.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18217
Hacker Breached Servers Belonging to Multiple #VPN Providers
Servers belonging to the #NordVPN and #TorGuard VPN companies were hacked and attackers stole and leaked the private keys associated with certificates used to secure their web servers and VPN configuration files.
https://www.bleepingcomputer.com/news/security/hacker-breached-servers-belonging-to-multiple-vpn-providers/
#Ransomware Goes Fileless, Uses Malicious Documents and #PowerShell to Encrypt Files
https://www.bromium.com/ransomware-goes-fileless-uses-malicious-documents-and-powershell-to-encrypt-files/
Chinese Hackers Use New Malware to Backdoor #Microsoft #SQL Servers
New malware created by Chinese-backed Winnti Group has been discovered by researchers at ESET while being used to gain persistence on Microsoft SQL Server (MSSQL) systems.
The new malicious tool dubbed skip-2.0 can be used by the attackers to backdoor MSSQL Server 11 and 12 servers, enabling them to connect to any account on the server using a so-called "magic password" and hide their activity from the security logs.
https://www.bleepingcomputer.com/news/security/chinese-hackers-use-new-malware-to-backdoor-microsoft-sql-servers/
Vulnerability in IBM Security Access Manager
Publication date: 25/10/2019
Severity: 4 - High
Affected resources:
All versions of IBM Security Access Manager.
Description:
Security researcher Lczap has reported a high-severity vulnerability to IBM. An unauthenticated attacker could cause a denial-of-service condition.
Solution:
No update that fixes the vulnerability is available yet. IBM has published guidance for mitigating this type of attack.
Details:
IBM Security Access Manager is vulnerable to Slow HTTP attacks. An unauthenticated attacker could cause a denial-of-service condition on the system. The identifier CVE-2019-4036 has been reserved for this vulnerability.
https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/vulnerabilidad-security-access-manager-ibm
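A slow HTTP attack holds many connections open by trickling request headers in (or never finishing them) so the server's worker pool fills up. The following is an added example, not code from INCIBE-CERT or IBM: it shows what that traffic looks like in per-connection records and flags the sources responsible. The record layout (client address, seconds until headers were complete or None on server timeout, bytes received), the sample data and the thresholds HEADER_TIMEOUT and MIN_SLOW_CONNS are all assumptions for the illustration.

```python
from collections import defaultdict

# Constructed per-connection records (not from the advisory): client address,
# seconds between accept() and the end of the request headers (None when the
# server's own timeout closed the connection before the headers were complete),
# and bytes received on the connection.
SAMPLE_CONNECTIONS = [
    ("198.51.100.9", 0.02, 612),
    ("198.51.100.9", 0.03, 598),
    ("203.0.113.44", None, 41),
    ("203.0.113.44", None, 39),
    ("203.0.113.44", 58.0, 44),
    ("203.0.113.44", None, 40),
    ("203.0.113.44", 61.5, 42),
    ("192.0.2.15", 12.0, 1200),   # one slow but legitimate client on a poor link
]

HEADER_TIMEOUT = 30.0   # assumed ceiling for a legitimate client to finish sending headers
MIN_SLOW_CONNS = 3      # assumed number of slow connections from one source before alerting


def is_slow(conn, header_timeout=HEADER_TIMEOUT):
    """A slow-HTTP connection either never completes its headers or takes far
    longer than any real browser would, while sending only a handful of bytes."""
    _, header_secs, _ = conn
    return header_secs is None or header_secs > header_timeout


def slow_http_sources(conns, header_timeout=HEADER_TIMEOUT, min_slow=MIN_SLOW_CONNS):
    """Group connections by source and return the sources whose count of slow
    connections reaches min_slow, with per-source totals for the alert."""
    per_ip = defaultdict(lambda: {"slow": 0, "total": 0, "bytes": 0})
    for conn in conns:
        ip, _, nbytes = conn
        stats = per_ip[ip]
        stats["total"] += 1
        stats["bytes"] += nbytes
        if is_slow(conn, header_timeout):
            stats["slow"] += 1
    return {ip: s for ip, s in per_ip.items() if s["slow"] >= min_slow}


if __name__ == "__main__":
    for ip, s in slow_http_sources(SAMPLE_CONNECTIONS).items():
        print(f"{ip}: {s['slow']}/{s['total']} slow connections, {s['bytes']} bytes total")
```

The single slow upload from 192.0.2.15 is deliberately left unflagged: one slow connection is normal, many from the same source that each send a few dozen bytes is the attack signature. The defensive counterpart of this check is a short header-receive timeout and a per-source concurrent-connection cap at the front end, which is the shape of mitigation the advisory says IBM has published guidance on.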
List of open source tools for #AWS security: defensive, offensive, auditing, #DFIR, etc.
https://github.com/toniblyx/my-arsenal-of-aws-security-tools
Securing #Docker Containers
I made a guide on how to secure docker. I’ve split it up into 3 categories. Feedback is appreciated as this is more a compilation of other resources than anything else and I did not verify everything.
https://0x00sec.org/t/securing-docker-containers/16913
Unsecured #ElasticSearch DB exposed data for 7.5M #Adobe Creative Cloud Users
Adobe suffered an important data leak, data for 7.5 Million Adobe Creative Cloud users have been exposed online through an unsecured server.
https://securityaffairs.co/wordpress/92986/breaking-news/adobe-creative-cloud-data-leak.html
Nasty #PHP7 remote code execution bug exploited in the wild
The new PHP7 bug, tracked as CVE-2019-11043, can allow even non-technical attackers to take over servers: it lets them run commands on a server just by accessing a specially crafted URL.
https://www.zdnet.com/article/nasty-php7-remote-code-execution-bug-exploited-in-the-wild/
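The article only says "specially crafted URL". The known exploitation signature for CVE-2019-11043 is a request to a .php script whose PATH_INFO (the path segment after the script name) carries a percent-encoded newline, which breaks the common nginx fastcgi_split_path_info regex in front of PHP-FPM. The following is an added example, not code from ZDNet or the PHP project: a detection pass over nginx combined-format access log lines that flags such requests. The log lines are constructed for the illustration, and the helper names are my own.

```python
import re
from urllib.parse import unquote

# nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# Constructed sample log lines (not from the article); the second and fourth
# carry an encoded newline in the PATH_INFO part after the .php script name.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Oct/2019:10:01:12 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Oct/2019:10:01:13 +0000] "GET /index.php/a%0Ab HTTP/1.1" 502 0 "-" "curl/7.64.0"
198.51.100.3 - - [25/Oct/2019:10:02:01 +0000] "GET /static/app.js HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.3 - - [25/Oct/2019:10:02:05 +0000] "GET /admin.php/x%0Ay HTTP/1.1" 200 64 "-" "python-requests/2.22"
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_fpm_newline_probe(target):
    """True when the request path names a .php script and the PATH_INFO after it
    contains a newline (percent-encoded or literal). The query string is ignored:
    the bug is triggered through PATH_INFO, not through query parameters."""
    path = target.partition("?")[0]
    m = re.search(r"\.php(/.*)?$", path, re.IGNORECASE | re.DOTALL)
    if not m:
        return False
    path_info = m.group(1) or ""
    return "%0a" in path_info.lower() or "\n" in unquote(path_info)


def find_probes(log_text):
    """Scan a log and return one record per suspicious request."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_fpm_newline_probe(rec["target"]):
            hits.append({"ip": rec["ip"], "path": rec["target"], "status": int(rec["status"])})
    return hits


if __name__ == "__main__":
    for h in find_probes(SAMPLE_LOG):
        print(f"{h['ip']} -> {h['path']} (HTTP {h['status']})")
```

A hit followed by a 502 from PHP-FPM, as in the second sample line, is typical of a probe against a worker that has just been knocked over; a hit with a 200 deserves a closer look at that host. The check is a signature for attempts, not proof of compromise, and the only real fix is the patched PHP release plus an nginx location that returns 404 for non-existent .php paths before handing them to FastCGI.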
Multiple vulnerabilities in MikroTik RouterOS
Publication date: 29/10/2019
Severity: 4 - High
Affected resources:
RouterOS Stable, versions 6.45.6 and earlier,
RouterOS Long-term, versions 6.44.5 and earlier.
Description:
Jacob Baines, security researcher at Tenable, has discovered 4 high-severity vulnerabilities. An unauthenticated remote attacker could access or modify the device, or obtain root privileges on it.
Solution:
MikroTik has released updates that fix the vulnerabilities:
RouterOS Stable, update to version 6.45.7,
RouterOS Long-term, update to version 6.44.6.
https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/multiples-vulnerabilidades-routeros-mikrotik
New 'unremovable' xHelper malware has infected 45,000 Android devices
https://www.zdnet.com/article/new-unremovable-xhelper-malware-has-infected-45000-android-devices/
Factory resets aren't helping. Neither are mobile antivirus solutions. Malware keeps reinstalling itself.
Denial of service in RDesktop
Publication date: 31/10/2019
Severity: 4 - High
Affected resources:
RDesktop, versions earlier than 1.8.4.
Description:
Security researcher Pavel Cheremushkin of Kaspersky ICS CERT has found a vulnerability in RDesktop that could allow a remote attacker to cause a denial-of-service condition.
https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/denegacion-servicio-rdesktop
Malware Analysis Report (AR19-304A)
MAR-10135536-8 – North Korean Trojan: HOPLIGHT
https://www.us-cert.gov/ncas/analysis-reports/ar19-304a
#Chrome Zero-Day Bug with Exploit in the Wild Gets A Patch
Google on Thursday night started to roll out an update for Chrome that patches two use-after-free vulnerabilities, one of them having at least one exploit in the wild.
Both security issues are serious as they could be leveraged to take control of a vulnerable system, reads an alert from the Cybersecurity and Infrastructure Security Agency (CISA).
https://www.bleepingcomputer.com/news/security/chrome-zero-day-bug-with-exploit-in-the-wild-gets-a-patch/