INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Log4Shell campaigns are using Nashorn to get reverse shell on victim's machines
Published: 2022-11-21
Last Updated: 2022-11-21 20:48:27 UTC
by Renato Marinho (Version: 1)
Almost one year later, Log4Shell attacks are still alive and making victims. Log4shell, as you may remember, was the name given to a remote code execution (RCE) vulnerability in the Apache Log4j Java library, first known on December 10th, 2021. Information on the zero-day (CVE-2021-44228) and malicious campaigns using it was covered here in SANS ISC in different diaries:
Log4Shell, or how things can get bad quickly: https://isc.sans.edu/diary/RCE+in+log4j+Log4Shell+or+how+things+can+get+bad+quickly/28120
and Log4Shell Attacks Getting "Smarter": https://isc.sans.edu/diary/Log4Shell+Attacks+Getting+Smarter/28246
In an incident case I got last week, attackers started a reverse shell on the victim’s machine in a way I have not seen in Log4Shell exploitations. The reverse shell was issued using Nashorn, a JavaScript scripting engine used to execute JavaScript code dynamically on the JVM. Similar use of Nashorn was seen in Confluence CVE-2022-26134 exploitations.
Read the entire diary entry:
Ukraine Themed Twitter Spam Pushing iOS Scareware
Published: 2022-11-28
Last Updated: 2022-11-28 12:36:18 UTC
by Johannes Ullrich (Version: 1)
With the expansion of Russia's invasion of Ukraine in February, Ukraine has made heavy use of social media to demonstrate the ability of the Ukrainian armed forces to repulse the attack. Ukraine often shares video clips showing attacks against Russian troops from drones or action camera footage from the front lines. These videos have been widely distributed, and various social media channels have shared them to build an audience for themselves.
Of course, like any current significant event, these videos are also used to push more malicious content. Recently I have observed how on Twitter, many videos not hosted on the platform are attempting to push scareware/malware. The type of software being advertised with the videos depends on the device used to view the content.
Read the entire diary entry:
https://isc.sans.edu/diary/Ukraine+Themed+Twitter+Spam+Pushing+iOS+Scareware/29276/