Cybersecurity


c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

Instance Rules

Community Rules

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

founded 1 year ago
Welcome! (sh.itjust.works)
submitted 1 year ago* (last edited 1 year ago) by borari@sh.itjust.works to c/cybersecurity@sh.itjust.works

Hello and welcome! I joined the Lemmy fediverse a week ago, and settled in to the sh.itjust.works instance yesterday. I had pulled back from most of my social and general use of Reddit a few years back, and mostly just used it as a more social RSS feed to keep abreast of things going on in the cybersecurity and information security world. One of the first things I noticed when exploring the Lemmy Fediverse was that outside of the general tech communities, there was only a single cybersecurity community which hadn't seen any activity in over a year or more.

I've gone back to my old stalwart RSS feeds, so I decided to create this community and post any articles I find interesting that come across my feed. Hopefully others will find it helpful as well!

I really hope that the social aspect of the community will take hold here too, and encourage anyone to make any link or text posts related to cybersecurity that they want. I don't really want this to turn into a place where every other question is "How do I get into cybersecurity?" or "Will you be my mentor?", but the Lemmy community is small so at this point I'd welcome any sort of community interaction.

To kick things off with a little about myself, I started my career working as a network engineer for a WISP, scampering across city roofs, throwing up non-pen mounts for PtP radios, and slinging multi-Gbps links from building to building. I slowly transitioned into a SOC through a few calculated job transitions, then after a few more I've found myself working on a team that splits our time providing penetration tests for internal business lines and running red team/adversary emulation engagements against my company. Over the past few years I've earned my OSCP, OSEP, and OSWE, along with a handful of GIAC certifications. I'm currently working on the study materials for the OSED. I don't have any coding experience, just a bit of scripting ability, but I am very excited to jump into binary exploitation and reverse engineering. It's the closest thing to magic to me in this space, and I can't wait to deconstruct and demystify it a bit.

Thanks for reading, and glad you're here!


A buffer overflow vulnerability was found within SSL-VPN in FortiOS leading to unauthorized code execution. Options are either to disable SSL-VPN or upgrade to a patched version.


Received this QNAP security bulletin this morning. Update your QNAP products!

June 14, 2023 - QNAP® has published security enhancements against security vulnerabilities that could affect specific versions of QNAP products. Please use the following information and solutions to correct the security issues and vulnerabilities.

Vulnerabilities in Samba

Release date: June 14, 2023
Security ID: QSA-23-05
Severity: Medium
CVE identifier: CVE-2022-37966 | CVE-2022-37967 | CVE-2022-38023 | CVE-2022-45141
Affected products: Certain QNAP Devices

Summary

The Samba Team has released security updates to address vulnerabilities in multiple versions of Samba, including vulnerabilities related to RC4 encryption. If exploited, some of these vulnerabilities allow an attacker to take control of an affected system. The following QNAP operating systems are affected:

• QTS, QuTS hero, QuTScloud, QVP (QVR Pro appliances)

QES is not affected.

Only QNAP devices that run the affected operating systems and also act as a domain controller or AD member are affected.

Standalone QNAP devices are not affected by the vulnerabilities.

QNAP is currently fixing the vulnerabilities in QTS, QuTS hero, QuTScloud and QVP (QVR Pro appliances).

Please check this security advisory regularly for updates and promptly update your QNAP operating system to the latest version as soon as it is available.

Recommendation

Because RC4 encryption poses a high security risk, we strongly recommend replacing RC4 with the more secure AES algorithm when using a QNAP device as a domain controller or AD member.

• When the QNAP device acts as a domain controller, we strongly recommend enforcing AES encryption.
• When the QNAP device acts as an AD member, the encryption method should follow that of the domain controller. We also strongly recommend that the domain controller is configured to enforce AES encryption.

Before security updates are available, depending on the AD domain role of your QNAP device, we recommend enforcing AES encryption only or at least allowing both AES and RC4 encryption to mitigate the risks posed by the vulnerabilities.


Just a reminder that Windows 10 21H2 home and pro editions are EoL today. Make sure you get updated to 22H2.

22H2 will be the final release of Windows 10, with an EoL of Oct. 14, 2025.

Enterprise 21H2 still has one year of support which will end June 11, 2024.


With this new community, I figured it would be interesting to get a gauge on if there are any security professionals within the community, and what roles everyone holds?

I personally specialize in GRC, but have also worked in network engineering in the past.

submitted 1 year ago* (last edited 1 year ago) by borari to c/cybersecurity@sh.itjust.works

This is a test post, please don't upvote.


This new stealer has five stages, and shows a high level of sophistication, akin to APTs. Targeted victims have been seen in Europe, the USA, and Latin America.

Several pieces of Russian text were found in the malware.

The first part of the C2 URL is “Privetsvoyu” which is a misspelled transliteration of the Russian word for “Greetings.” Secondly, we found the string “salamvsembratyamyazadehayustutlokeretodlyagadovveubilinashusferu.” Despite the weird transliteration, it roughly translates to: “Greetings to all brothers, I’m suffocating here, locker is for bastards, you’ve messed up our area of interest.”

MD5 sum and C2 URL IOCs are included at the end of the report.


The researcher chained an insecure password reset API route to bypass authentication, then discovered an IDOR vulnerability could be leveraged to access sensitive customer data.

For everyone that says "The real world can't be as easy as training labs make it seem out to be!", sometime it really do be that ez.


Fortigate published a patch for CVE-2023-27997, a Remote Code Execution vulnerability reachable pre-authentication, on every SSL VPN appliance.


10 chars, no special characters and that's it

Just tell me that you want to have access to my videos and be done with it


Just wanted to post a couple of really interesting Medium articles I found on iPhone pentesting. As an iPhone user, I have always wanted to see the source code of the apps I use, so it has been really interesting going through the process of jailbreaking my old iPhone and FTPing the .ipas to my host machine for analysis. The articles I found most interesting from this user were:

Setting Up a Jailbreak Environment For Beginners

Preparing iPhone for Application Security

Extracting the IPA File and Local Data Storage of an iOS Application

Hope y'all enjoy!


I thought I'd take a break from posting stories that come across my RSS feed to let people know about an upcoming Hack-A-Thon/CTF event that OffSec is running next weekend.

I'm not really sure what the challenges will entail, since I'm not eligible for any of the prizes I haven't been paying much attention to info about it at all. I do know that in order to compete you will have to have an active PG Practice subscription, which is $19 USD/mo, more info is here. I don't really like that they're requiring people to already have a paid subscription to compete, but it's their ecosystem and their rules.

There are three different tiers you can compete in: a PEN-300 tier, an EXP-301 tier, and a PEN-200 tier. The 1st prize for each tier is a year-long LearnOne subscription to the tier course, 2nd place is a 90-day course subscription to the tier course, and 3rd place is a 90-day subscription to the PG Practice environment.

While SANS is the king of wildly expensive courses, the OffSec subscriptions definitely aren't cheap either, especially if you're self-paying. I get the irony of making people pay for entry into a contest where they might win a subscription they otherwise couldn't afford, but it's better than nothing I guess.


Elastic Security Labs has discovered the SPECTRALVIPER malware targeting a national Vietnamese agribusiness.


Looks like a patch was released yesterday for the SQL injection vulnerabilities discovered in the MOVEit Transfer application.

The direct link to the official announcement is here.


Microsoft researchers have discovered an emerging cluster of TTPs they have named Storm-1167 being used by an unknown threat actor to target banking and financial services institutions.

This threat actor has been utilizing phishing emails for initial compromise, then using compromised inboxes to further distribute their malicious phishing emails.

The threat actor has been observed taking steps to minimize detection and to establish persistence.


ESET released an analysis of the Asylum Ambuscade crimeware group that has been active since at least early 2020.

This group targets bank customers and cryptocurrency traders in regions including North America and Europe.

The TTPs related to initial access include spearphishing emails containing malicious XLS and DOC files.


Kaspersky is reporting a new zero-click iOS exploit in the wild, delivered through a message received via iMessage with an attachment containing the payload. Persistence is not supported, most likely due to limitations of the OS.

The Kaspersky writeup can be seen here.


C2 infrastructure mimics sites belonging to the Libyan Ministry of Foreign Affairs. Earliest artifacts date back to October 2022. It is suspected that the threat actor is targeting Egyptian and Libyan journalists and human rights activists.
