SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

https://isc.sans.edu/diary/Scans%20Probing%20for%20LB-Link%20and%20Vinga%20WR-AC1200%20routers%20CVE-2023-24796/30890 Scans Probing for LB-Link and Vinga WR-AC1200 routers CVE-2023-24796 Buffer Overflow Vulnerabilities in ArubaOS https://www.arubanetworks.com/support-services/security-bulletins/ The Cuttlefish Malware https://blog.lumen.com/eight-arms-to-hold-you-the-cuttlefish-malware/

Linux Trojan - Xorddos with Filename eyshcjdmzg https://isc.sans.edu/diary/Linux%20Trojan%20-%20Xorddos%20with%20Filename%20eyshcjdmzg/30880 AWS S3 Denial of Wallet Amplification Attack https://medium.com/@maciej.pocwierz/how-an-empty-s3-bucket-can-make-your-aws-bill-explode-934a383cb8b1 https://blog.limbus-medtec.com/the-aws-s3-denial-of-wallet-amplification-attack-bc5a97cc041d EU iOS Safari Allows User Tracking https://www.mysk.blog/2024/04/28/safari-tracking/ BentoML Critical Deserialization Vuln CVE-2024-2912 https://nvd.nist.gov/vuln/detail/CVE-2024-2912

Another Day, Another NAS: Attacks against Zyxel NAS326 Devices CVE-2023-4473, CVE-2023-4474 https://isc.sans.edu/diary/Another%20Day%2C%20Another%20NAS%3A%20Attacks%20against%20Zyxel%20NAS326%20devices%20CVE-2023-4473%2C%20CVE-2023-4474/30884 R-Bitrary Code Execution: Vulnearbility in R's Deserialization https://hiddenlayer.com/research/r-bitrary-code-execution/ Coordinated Docker Hub Attacks using Malicious Repositories https://jfrog.com/blog/attacks-on-docker-with-millions-of-malicious-repositories-spread-malware-and-phishing-scams/ NVMe-oF/TCP Vulnerabilities https://www.cyberark.com/resources/threat-research-blog/your-nvme-had-been-syzed-fuzzing-nvme-of-tcp-driver-for-linux-with-syzkaller

DLink NAS Exploit Variation https://www.qnap.com/en/security-advisory/qsa-24-09 Muddling Meerkat DNS Abuse https://blogs.infoblox.com/threat-intelligence/a-cunning-operator-muddling-meerkat-and-chinas-great-firewall/ Android TV Data Leakage https://www.youtube.com/watch?v=QiyBXXO8QpA https://www.404media.co/android-tvs-can-expose-user-email-inboxes/ SEC522: SANSFIRE https://www.sans.org/cyber-security-courses/application-security-securing-web-apps-api-microservices/ SEC522 Demo (requires free account): https://www.sans.org/ondemand/get-demo/316

Okta warns of increase in credential stuffing https://sec.okta.com/blockanonymizers Fake payment cards used by Police in Japan https://twitter.com/vxunderground/status/1783522097425211887 Phishing Campaigns Targeting USPS https://www.akamai.com/blog/security-research/phishing-usps-malicious-domains-traffic-equal-to-legitimate-traffic Chrome 124 Breaks TLS Handshake https://www.reddit.com/r/sysadmin/comments/1carvpd/chrome_124_breaks_tls_handshake/

Does it matter if iptables isn't running on my honeypot? https://isc.sans.edu/forums/diary/Does%20it%20matter%20if%20iptables%20isn't%20running%20on%20my%20honeypot%3F/30862/ Unplugging PlugX: Singholing the PlugX USB worm botnet https://blog.sekoia.io/unplugging-plugx-sinkholing-the-plugx-usb-worm-botnet/ pfSense Updates https://docs.netgate.com/advisories/index.html GitLab Updates https://about.gitlab.com/releases/2024/04/24/patch-release-gitlab-16-11-1-released/ Matthew Alan Vorhees: Prevention Strategies for Modern Living Off the Land Usage https://www.sans.edu/cyber-research/prevention-strategies-modern-living-off-land-usage/

API Rug Pull - The NIST NVD Database and API https://isc.sans.edu/diary/API%20Rug%20Pull%20-%20The%20NIST%20NVD%20Database%20and%20API%20%28Part%204%20of%203%29/30868 Cisco Patches Vulnerabilities and Discovers Arcane Backdoor https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/ Vulnerabilities across keyboard apps reveal keystrokes to network eavesdroppers https://citizenlab.ca/2024/04/vulnerabilities-across-keyboard-apps-reveal-keystrokes-to-network-eavesdroppers/ MySQL2: Dangers of User-Defined Database Connections https://blog.slonser.info/posts/mysql2-attacker-configuration/ Netgear Nighthawk Vulnerabilities https://jvn.jp/en/vu/JVNVU91883072/

Struts2 devmode Still a Problem Ten Years Later https://isc.sans.edu/forums/diary/Struts%20%22devmode%22%3A%20Still%20a%20problem%20ten%20years%20later%3F/30866/ Analyzing Forest Blizard's Custom Post-Compromise Tool for exploiting CVE-2022-38028 https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/ April 2024 Exchange Server Hotfix Update https://techcommunity.microsoft.com/t5/exchange-team-blog/released-april-2024-exchange-server-hotfix-updates/ba-p/4120536 CVE-2024-2389: Command Injection Vulnerability in Progress Flowmon https://rhinosecuritylabs.com/research/cve-2024-2389-in-progress-flowmon/ GuptiMiner: Hijacking Antivirus Updates for Distributing Backdoors and Casual Mining https://decoded.avast.io/janrubin/guptiminer-hijacking-antivirus-updates-for-distributing-backdoors-and-casual-mining/

Number of Industrial Devices Accessible From Internet Up 30 Thousand over three years https://isc.sans.edu/diary/It%20appears%20that%20the%20number%20of%20industrial%20devices%20accessible%20from%20the%20internet%20has%20risen%20by%2030%20thousand%20over%20the%20past%20three%20years/30860 Evil XDR: Turning an XDR into an Offensive Tool https://www.darkreading.com/application-security/evil-xdr-researcher-turns-palo-alto-software-into-perfect-malware GitLab Comment Bug https://www.bleepingcomputer.com/news/security/gitlab-affected-by-github-style-cdn-flaw-allowing-malware-hosting/ SEC522 Demo: https://www.sans.org/ondemand/get-demo/316

The CVE's They are A-Changing https://isc.sans.edu/diary/The%20CVE%27s%20They%20are%20A-Changing!/30850 CrushFTP 0-Day Vulnerability https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update https://www.reddit.com/r/crowdstrike/comments/1c88788/situational_awareness_20240419_crushftp_virtual/ GitHub Comment Bug Used to Distribute Malware https://www.bleepingcomputer.com/news/security/github-comments-abused-to-push-malware-via-microsoft-repo-urls/ YubiKey Manager Privilege Escalation https://www.yubico.com/support/security-advisories/ysa-2024-01/ Palo Alto Networks GlobalProtect Update https://security.paloaltonetworks.com/CVE-2024-3400

Delinea Secret Server Authn Authz Bypass https://straightblast.medium.com/all-your-secrets-are-belong-to-us-a-delinea-secret-server-authn-authz-bypass-adc26c800ad3 Ivanti Avalanche Poc/Details https://www.tenable.com/security/research/tra-2024-10 Advanced Phishing Campaign https://www.lookout.com/threat-intelligence/article/cryptochameleon-fcc-phishing-kit Hashicorp go-getter update CVE-2024-3817 https://discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040 OfflRouter Virus https://blog.talosintelligence.com/offlrouter-virus-causes-upload-confidential-documents-to-virustotal/

Malicious PDF File As Delivery Mechanism https://isc.sans.edu/diary/Malicious%20PDF%20File%20Used%20As%20Delivery%20Mechanism/30848 Updated Palo Alto Networks GlobalProtect Guidance https://security.paloaltonetworks.com/CVE-2024-3400 Coordinated Social Engineering Takeovers of Open Source Projects; https://openssf.org/blog/2024/04/15/open-source-security-openssf-and-openjs-foundations-issue-alert-for-social-engineering-takeovers-of-open-source-projects/ OpenMetaData Attacks https://www.microsoft.com/en-us/security/blog/2024/04/17/attackers-exploiting-new-critical-openmetadata-vulnerabilities-on-kubernetes-clusters/

Palo Alto Networks GlobalProtect exploit public and widely exploited CVE-2024-3400 https://isc.sans.edu/forums/diary/Palo%20Alto%20Networks%20GlobalProtect%20exploit%20public%20and%20widely%20exploited%20CVE-2024-3400/30844/ Putty Private Key Recovery https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-p521-bias.html Oracle Critical Patch Update https://www.oracle.com/security-alerts/cpuapr2024.html Ivanti Avalanche MDM Patches https://forums.ivanti.com/s/article/Avalanche-6-4-3-Security-Hardening-and-CVEs-addressed?language=en_US

Quick Palo Alto Networks Global Protect Vulnerablity Update CVE-2024-3400 https://isc.sans.edu/diary/30838 Delinea patches critical vulnerability in secret manager https://trust.delinea.com/?tcuUid=17aaf4ef-ada9-46d5-bf97-abd3b07daae3 Lancom Windows Setup Assistant May Reset Password https://www.lancom-systems.com/service-support/general-security-information PHP Patches https://seclists.org/oss-sec/2024/q2/113 Duo SMS and VoiP Logs Leaked https://app.securitymsp.cisco.com/e/es?e=2785&eid=opguvrs&elq=bd1c1886a59e40c09915b029a74be94e Lastpass Stops Deepfake Attack https://blog.lastpass.com/posts/2024/04/attempted-audio-deepfake-call-targets-lastpass-employee

Palo Alto Networks GlobalProtect 0-Day CVE-2024-3400 https://security.paloaltonetworks.com/CVE-2024-3400 https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/#RespondingToCompromise

BatBadBut: You can't securely execute commands on Windows https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/ FortiClient Linux Remote Code Execution https://www.fortiguard.com/psirt/FG-IR-23-087 Apple Threat Notifications and Protecting Against Mercenary Spyware https://support.apple.com/en-us/102174 New Technique to Trick Developers Detected in an Open Source Supply Chain Attack https://checkmarx.com/blog/new-technique-to-trick-developers-detected-in-an-open-source-supply-chain-attack/

Rust Command API code execution vulnerability CVE-2024-24576 https://blog.rust-lang.org/2024/04/09/cve-2024-24576.html Adobe Updates: Magento Adobe Commerce CVE-2024-20759 CVE-2024-20758 https://helpx.adobe.com/security/products/magento/apsb24-18.html https://helpx.adobe.com/security.html Fortinet FortiOS And FortiProxy Vulnerability CVE-2023-41677 https://www.fortiguard.com/psirt/FG-IR-23-493 Smoke and Screen Mirrors Signed Backdoor CVE-2024-26234 https://news.sophos.com/en-us/2024/04/09/smoke-and-screen-mirrors-a-strange-signed-backdoor/

Microsoft Patches https://isc.sans.edu/forums/diary/April%202024%20Microsoft%20Patch%20Tuesday%20Summary/30822/ D-Link NAS Backdoor https://github.com/netsecfish/dlink LG SmartTV Vulnerabilities https://www.bitdefender.com/blog/labs/vulnerabilities-identified-in-lg-webos/

A Use Case for Adding Threat Hunting to Your Security Operations Team. https://isc.sans.edu/diary/30816 Notepad++ Parasite Site https://notepad-plus-plus.org/news/help-to-take-down-parasite-site/ Hugging Face Pickle File Vulnerablities https://huggingface.co/blog/hugging-face-wiz-security-blog Google Considers V8 Sandbox no longer experimental https://v8.dev/blog/sandbox

Heartbleed 10th Anniversary https://heartbleed.com/ Possible Libarchive Backdoor Vulnerability https://github.com/libarchive/libarchive/pull/1609 Magento XML Backdoor https://sansec.io/research/magento-xml-backdoor Google Public DNS's approach to fight against cache poisoning attacks https://security.googleblog.com/2024/03/google-public-dnss-approach-to-fight.html Remote code execution (RCE)vulnerability in Brocade Fabric OS (CVE-2023-3454) https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/23215 SANS London April Evening Talk https://sans.zoom.us/webinar/register/WN_ZLLnQKCCQCywLGm-CM4xQg#/registration