Possible Scans for HiByMusic Devices
https://isc.sans.edu/forums/diary/Possible+Scans+for+HiByMusic+Devices/28796/
OpenSSL Heap Overflow
https://guidovranken.com/2022/06/27/notes-on-openssl-remote-memory-corruption/
https://github.com/openssl/openssl/i ...
On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news, including: Activists who are totally not Israeli military hackers make Iranian steel mills firebally Chinese APT crews use ransomware to muddy attribution Atta ...
Picture of the Week. Errata: Firefox's "Total Cookie Protection" 3rd Party FIDO2 Authenticators Germany's not buying the EU's proposal which subverts encryption The Conti Gang have finally pulled the last plug Log4J and Log4Shell is alive and well ...
Encrypted Client Hello: Anybody Using it Yet?
https://isc.sans.edu/forums/diary/Encrypted+Client+Hello+Anybody+Using+it+Yet/28792/
Jenkins Advisory
https://www.jenkins.io/security/advisory/2022-06-22/
Instagram Age Verification
https://about.fb.com/new ...
The crooks needed at least two private keys, each stored in two parts... but they got them anyway.
It's a simple jingle and it's solid advice: "If in doubt, don't give it out!"
Python Abusing the Windows GUI
https://isc.sans.edu/forums/diary/Python+abusing+The+Windows+GUI/28780/
Malicious Code Passed to PowerShell via the Clipboard
https://isc.sans.edu/forums/diary/Malicious+Code+Passed+to+PowerShell+via+the+Clipboard/28784/
A ...
Today’s Soap Box guest is an industry legend – Metasploit creator HD Moore. He’s here to tell us more about what’s happening with his latest creation, Rumble Network Discovery. If you’re not familiar with Rumble, well, you should be. It’s a n ...
Fortunately, it's not a major bugfix, which means it's easy to patch and can teach us all some useful lessons.
Latest episode - listen now!
Malicious PowerShell Targeting Cryptocurrency Browser Extensions
https://isc.sans.edu/forums/diary/Malicious+PowerShell+Targeting+Cryptocurrency+Browser+Extensions/28772/
Keeping PowerShell: Security Measures to Use and Embrace
https://media.defense.gov ...
Experimental New Domain / Domain Age API
https://isc.sans.edu/forums/diary/Experimental+New+Domain+Domain+Age+API/28770/
Forescout Vedere Labs Discovers 56 OT Vulnerabilities
https://www.forescout.com/resources/ot-icefall-report/
Cloudflare Outage
http ...
Picture of the Week. Double Decryption (Last week's key-strength puzzler). 3rd Party Authenticators. Firefox: Total Cookie Protection. We keep breaking DDoS attack records. MS-DFSNM. An Apple Safari regression. One Million WordPress sites force-u ...
On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news, including: Paige Thompson guilty of Capital One hack Microsoft is hiding serious Azure security issues New Australian government lobbying for Julian Assange ...
It took three years, but the Capital One cracker was convicted in the end. Don't get caught out in a data breach of your own!
Odd TCP Fast Open Packets
https://isc.sans.edu/forums/diary/Odd+TCP+Fast+Open+Packets+Anybody+understands+why/28766/
DFSCoerce NTLM Relay Attack
https://github.com/Wh04m1001/DFSCoerce
https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm- ...
Friends don't let friends get scammed. Not everyone knows how typical scams unfold, so here are some real-world examples...
This month, Chris Hadnagy and Ryan MacDougall are joined by Ted Harrington. Ted is the author of HACKABLE: How to Do Application Security Right and the Executive Partner at Independent Security Evaluators (ISE), the company of ethical hackers famous for h ...
Critical Vulnerability in Splunk Enterprise Deployment Server Functionality
https://isc.sans.edu/forums/diary/Critical+vulnerability+in+Splunk+Enterprises+deployment+server+functionality/28760/
Malspam Pushes Matanbuchus Malware Leads to Cobalt Strike
h ...
Houdini is Back Delivered Through a JavaScript Dropper
https://isc.sans.edu/forums/diary/Houdini+is+Back+Delivered+Through+a+JavaScript+Dropper/28746/
Drifting Cloud: Zero-Day Sophos Firewall Exploitation
https://www.volexity.com/blog/2022/06/15/driftin ...
Latest episode - listen now!
Terraforming Honeypots: Using IaaC & Cloud to Attract Attacks
https://isc.sans.edu/forums/diary/Terraforming+Honeypots+Installing+DShield+Sensors+in+the+Cloud/28748/
Zimbra Email - Stealing Clear-Text Credentials via Memcache Injection
https://blog.sona ...
Microsoft Patch Tuesday
https://isc.sans.edu/forums/diary/Microsoft+June+2022+Patch+Tuesday/28742/
Adobe Patches
https://helpx.adobe.com/security/security-bulletin.html
SynLapse Vulnerability
https://orca.security/resources/blog/synlapse-critical-azure ...
Picture of the Week. Apple's Passkeys presentation at WWDC 2022. WebAuthn. FREE Penetration Testing course with Kali Linux. Proof of Simulation. A valid use for facial recognition: The Smart Pet Door! Closing The Loop. The PACMAN Attack. We invi ...
We tried it out to make sure, so you don't have to.
O! What a tangled web we weave, when first we practise to deceive.
Translating Saitama's DNS Tunneling
https://isc.sans.edu/forums/diary/Translating+Saitamas+DNS+tunneling+messages/28738/
Travis CI Logs Expose Users to Cyber Attacks
https://blog.aquasec.com/travis-ci-security
Linux Threat Hunting: "Syslogk" a kernel ro ...
Live demo, plain English, no sales pitch, just a chance to watch an attack dissected in safety. Join us if you can!
Today Chris is talking with Clay Drinko, Ph.D. Clay is an author and educator. He writes for Psychology Today about the intersection between improv comedy, science, and everyday life. He's also the author of the first academic book connecting improv and c ...
EPSScall: An Exploit Prediction Scoring System App
https://isc.sans.edu/forums/diary/EPSScall+An+Exploit+Prediction+Scoring+System+App/28732/
PACMAN Attack
https://pacmanattack.com
https://twitter.com/wdormann/status/1535245913857351680
Carrier LenelS2 ...
On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news, including: “Shields Up” advice is now provably meaningless Russia to ditch offshore comms apps like WhatsApp Evil Corp’s Lockbit sanctions evasion attemp ...
TA570 QBot attempts to exploit CVE-2022-30190 (Follina)
https://isc.sans.edu/forums/diary/TA570+Qakbot+Qbot+tries+CVE202230190+Follina+exploit+msmsdt/28728/
Analysis of a Facebook Phishing Campaign
https://pixmsecurity.com/blog/blog/phishing-tactics-how ...
Introduction So, this WMI stuff seems legit. Admins get a powerful tool which Script Kiddies can also use for profit. But there’s gotta be more, right? What if I want to take my WMI-fu to the next level? In the previous blog post, “WMI for Scrip ...
Latest episode - listen (or read) now!
SANS RSA Panel
(sorry, video no longer available)
Atlassian Confluence Attacks
https://isc.sans.edu/forums/diary/Atlassian+Confluence+Exploits+Seen+By+Our+Honeypots+CVE202226134/28722/
Fake CCleaner Malvertisements
https://blog.avast.com/fakecrack-camp ...
The online identity "brokerage" SSNDOB Market didn't want people to be in any doubt what it was selling.
The Trouble With Microsoft's Troubleshooters
https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd
QBot Uses Follina
https://twitter.com/threatinsight/status/1534227444915482625
Deadbolt Ransomware
https://www.trendmicro.com/ ...
Picture of the Week. ServiceNSW Responds. ExpressVPN pulls the plug in India. And speaking of pulling the plug. "Follina" under active exploitation. And a Windows Search URL schema can be abused, too. "Critical UNISOC Chip Vulnerability Affects Mi ...
Here's how 144 recent attacks actually went down in real life. Don't let this happen to you!
MS-MSDT RTF Maldocs Analysis oledump Plugins
https://isc.sans.edu/forums/diary/msmsdt+RTF+Maldoc+Analysis+oledump+Plugins/28718/
Cybercriminals Exploit Reverse Tunnel Services and URL Shorteners
https://cloudsek.com/whitepapers_reports/cybercriminals-exp ...
Sandbox Evasion... With Just a Filename!
https://isc.sans.edu/forums/diary/Sandbox+Evasion+With+Just+a+Filename/28708/
Atlassian Exploit Released
https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/
GitLab Critic ...
Zero-day announced - here's what you need to know
Quick Answers in Incident Response RECmd.exe
https://isc.sans.edu/forums/diary/Quick+Answers+in+Incident+Response+RECmdexe/28706/
Zero-Day Exploitation of Atlassian Confluence
https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-c ...
Latest episode - listen now!
More trouble with special-purpose URLs on Windows.
HTML Phishing Attachments - Now With Anti-Analysis Features
https://isc.sans.edu/forums/diary/HTML+phishing+attachments+now+with+antianalysis+features/28702/
Unofficial Patch for CVE-2022-30190 (Follina)
https://blog.0patch.com/2022/06/free-micropatches ...
After an intriguing month of Firefox releases, here's one with a bit less drama, probably to the collective relief of Mozilla's coders.
Follina Update
https://isc.sans.edu/forums/diary/First+Exploitation+of+Follina+Seen+in+the+Wild/28698/
https://isc.sans.edu/forums/diary/New+Microsoft+Office+Attack+Vector+via+msmsdt+Protocol+Scheme+CVE202230190/28694/
Open Automation Software Platform ...
Picture of the Week. New South Wales DDL — Digital Driver's License. The latest Microsoft Office 0-day remote code execution vulnerability. GhostTouch. Vodafone's new TrustPiD. Closing the Loop. DuckDuckGone? We invite you to read our show note ...
On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news, including: The msdt/office lolbinapalooza Microsoft to introduce sensible defaults to Azure Twitter fined $150m for sms 2fa spam It turns out npm got owned i ...
News has emerged of a "feature" in Office that has been abused as a zero-day bug to run evil code. Turning off macros doesn't help!
New Microsoft Office Attack Vector via "ms-msdt" Protocol Scheme
https://isc.sans.edu/forums/diary/New+Microsoft+Office+Attack+Vector+via+msmsdt+Protocol+Scheme/28694/
Home delivery scams are getting leaner, and meaner, and more likely to "look about right". Here's an example to show you what we mean...
Latest episode - listen now!
Huge Signed PE Files
https://isc.sans.edu/forums/diary/Huge+Signed+PE+File/28686/
VMware Authentication Bypass PoC
https://www.horizon3.ai/vmware-authentication-bypass-vulnerability-cve-2022-22972-technical-deep-dive/
Quanta Server BMC Vulnerability
ht ...
A brief list of useful things we wish we had known sooner Burp Suite Pro can be complicated and intimidating. Even after learning and becoming comfortable with the core functionality, there remains a great deal of depth throughout Burp Suite, and many ...
When you really need to make exceptions in cybersecurity, specify them as explicitly as you can.
Using NMAP to Assess Hosts in Load Balanced Clusters
https://isc.sans.edu/forums/diary/Using+NMAP+to+Assess+Hosts+in+Load+Balanced+Clusters/28682/
Attacker Modifying Libraries Claims "Research"
https://www.bleepingcomputer.com/news/security/hacker-says- ...
ctx Python Library Updated with "Extra" Features
https://isc.sans.edu/forums/diary/ctx+Python+Library+Updated+with+Extra+Features/28678/
Zoom Updates
https://explore.zoom.us/en/trust/security/security-bulletin/
VMware Exploit About to Be Released
https ...
Picture of the Week. Emergency mid-cycle update for Active Directory. Clearview AI -vs- {Illinois, Australia, Canada and the United Kingdom}. Clearview AI in Ukraine. Pwn2Own Vancouver 2022. The DoJ takes a welcome step back. Sometimes, unlocking ...
On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news, including: Conti’s war against Costa Rica DoJ revises CFAA guidance Naughty kids get access to DEA portal A look at a Russian disinfo tool PyPI and PHP s ...
More supply chain trouble - this time with clear examples so you can learn how to spot this stuff yourself.
This past Christmas, I received a terrific gift from my in-laws: a replica Ghostbusters Proton Pack. I was thrilled. You see, growing up in the mid 80s, Ghostbusters was my jam. Fast forward 37 years and with the recent Ghostbusters: Afterlife film releas ...
Attacker Scanning for jQuery-File-Upload
https://isc.sans.edu/forums/diary/Attacker+Scanning+for+jQueryFileUpload/28674/
Oracle Security Alert Advisory - CVE-2022-21500
https://www.oracle.com/security-alerts/alert-cve-2022-21500.html
How to find NPM dep ...
The fine has finally gone through... but it's less than 45% of what was originally proposed.
A "Zip Bomb" to Bypass Security Controls & Sandboxes
https://isc.sans.edu/forums/diary/A+Zip+Bomb+to+Bypass+Security+Controls+Sandboxes/28670/
Cisco IOS XR Software Health Check Open Port Vulnerability
https://tools.cisco.com/security/center/content/Cis ...
That was quick! 48 hours from exploit report to published patch.
Remember the good old days when security patches rarely needed patches? Because security patches themselves were rare enough anyway?
1 Introduction What is a group Managed Service Account (gMSA)? If your job is to break into networks, a gMSA can be a prime target for a path to escalate privileges, perform credential access, move laterally or even persist in a domain via a ‘g ...
Find and patch. Right now. If you can't patch, get it off the network. Right now! Oh, and show us what you did to comply.
Bumblebee Malware from TransferXL URLs
https://isc.sans.edu/forums/diary/Bumblebee+Malware+from+TransferXL+URLs/28664/
Microsoft Out-of-Band Update fixes Authentication Issues
https://docs.microsoft.com/en-us/windows/release-health/status-windows-11-21h ...
The following is a sample of our latest podcast, Risky Business News, which is published into a new RSS feed. It’s a short podcast published three times a week that updates listeners on the security news of the last few days, as prepared and presented b ...
Latest episode - listen now!
VMware Flaws
https://core.vmware.com/vmsa-2022-0014-questions-answers-faq
https://blog.barracuda.com/2022/05/17/threat-spotlight-attempts-to-exploit-new-vmware-vulnerabilities/
Tesla BLE Proximity Authentication Vulnerable to Relay Attacks
https://rese ...
What's better? Disclose early, patch fast? Or dig deep, disclose in full, patch more slowly?
Use Your Browser Internal Password Vault... or Not?
https://isc.sans.edu/forums/diary/Use+Your+Browser+Internal+Password+Vault+or+Not/28658/
SQL Server Brute Forcing
https://twitter.com/MsftSecIntel/status/1526680337216114693
UpdateAgent Adapts Again
h ...
In this Soap Box edition of the show Proofpoint’s EVP of Cybersecurity Strategy Ryan Kalember joins host Patrick Gray to talk about why some security spending is just misguided. So much of the infosec industry is geared towards protecting organisations ...
Picture of the Week. An "eventful" Patch Tuesday. Patch Tuesday. Apple patched a 0-day. Google's "Open Source Maintenance Crew". Conti suggests overthrowing the new Costa Rican government. Policing the Google Play Store. The situation has grown m ...
You'll find fixes for numerous kernel-level code execution holes, including an 0-day vulnerability in many (though not all) versions.
Apple Patches Everything
https://isc.sans.edu/forums/diary/Apple+Patches+Everything/28654/
Evil Never Sleeps: When Wireless Malware Stays on After Turning Off iPhones
https://arxiv.org/pdf/2205.06114.pdf
Third-Party Web Trackers Log What You Type Before ...
One of the more common questions we receive during a red team scoping call or RFP Q&A call is, how many dedicated consultants will be involved in the assessment? There is no “correct” answer to this question, and ultimately, the answer as to how red t ...
This month, Chris Hadnagy and Ryan MacDougall are joined by Adam Glick. Adam is currently the Chief Information Security Officer for SimpliSafe in Boston, MA. In this position and his previous jobs, Adam has had the responsibility of managing all matters ...
From 0-Day to Mirai: 7 days of BIG-IP Exploits
https://isc.sans.edu/forums/diary/From+0Day+to+Mirai+7+days+of+BIGIP+Exploits/28644/
Sonicwall Vulnerabilities Patched
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0009
Zonealarm Patch
https: ...
A new point-release of Firefox. Not unusual, but the timing of this one is interesting, with Pwn2Own coming up in a few days.
Crooks don't need a password for every user on your network to break in and wreak havoc. One could be enough...
When Get-WebRequest Fails You
https://isc.sans.edu/forums/diary/When+GetWebRequest+Fails+You/28640/
HP PC BIOS Security Updates
https://support.hp.com/us-en/document/ish_6184733-6184761-16/hpsbhf03788
Intel BIOS Advisory
https://www.intel.com/content/w ...
Latest episode - lots to learn - plain English - fun with a serious side - listen now!
Learn how to write plain-speaking and purposeful security advisories from one of the most widely-used open source tools in the world.
TA578 Using Thread-Hijacked Emails to Push ISO Files for Bumblebee Malware
https://isc.sans.edu/forums/diary/TA578+using+threadhijacked+emails+to+push+ISO+files+for+Bumblebee+malware/28636/
Google Drive Emerges as Top App for Malware Downloads
https://w ...
Picture of the Week. Google updates Android to patch an actively exploited vulnerability. Connecticut's recently passed data privacy bill became law last Wednesday. Ransomware victim snapshot. US State Department offering $10 million reward ...
Microsoft May 2022 Patch Tuesday
https://isc.sans.edu/forums/diary/Microsoft+May+2022+Patch+Tuesday/28632/
Adobe Updates
https://helpx.adobe.com/security/security-bulletin.html
npm "foreach" package domain takeover
https://www.theregister.com/2022/05/1 ...
How good is your cybersecurity? Are you making the same mistakes as lots of other people? Here's some real-life advice...
I was on an engagement where I simply could not elevate privileges, so I had to become creative and look deep into my old bucket (bucket being my head) of knowledge, and this resulted in some fun stuff. I had found that the client had a vulnerable certifi ...
Octopus Backdoor is Back with a New Embedded Obfuscated Bat File
https://isc.sans.edu/forums/diary/Octopus+Backdoor+is+Back+with+a+New+Embedded+Obfuscated+Bat+File/28628/#comments
CVE-2022-1388 (BIG-IP) Exploits
https://twitter.com/sans_isc/status/15237 ...
Imagine if you could assume the identity of, say, Franklin Delano Roosevelt simply by showing up and calling yourself "Frank".
Today we will be talking with Abbie Maroño, a nonverbal communications and social influence coach. Abbie published her first paper in nonverbal communication at 19 years old, going on to do her PhD in behavior analysis and become a university lecturer at ...
F5 BIG-IP Unauthenticated RCE Vulnerability (CVE-2022-1388)
https://isc.sans.edu/forums/diary/F5+BIGIP+Unauthenticated+RCE+Vulnerability+CVE20221388/28624/
QNAP QVR Update
https://www.qnap.com/de-de/security-advisory/qsa-22-07
Raspberry Robin Worm
http ...
What weird Google Docs bug connects the words THEREFORE, AND, SECONDLY, WHY, BUT and BESIDES?
Password-protected Excel Spreadsheet Pushes Remcos RAT
https://isc.sans.edu/forums/diary/Passwordprotected+Excel+spreadsheet+pushes+Remcos+RAT/28616/
Microsoft, Apple, Google Accelerate FIDO Standard Implementation
https://www.theregister.com/2022/05/05/ ...
Latest episode - listen now!