SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
VOLUME 23ISSUE 20
The Consensus Security Vulnerability Alert
Internet Storm Center Spotlight
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
The .zip gTLD: Risks and Opportunities
Published: 2023-05-12
Last Updated: 2023-05-12 20:35:34 UTC
by Johannes Ullrich (Version: 1)
About ten years ago, ICANN started the "gTLD" program. "Generic TLDs" allows various brands to register their own trademark as a TLD. Instead of "google.com", you now can have ".google"! Applying for a gTLD isn't cheap, and success isn't guaranteed. But since its inception, dozens of new gTLDs have been approved and started to be used.
The reputation of these new gTLDs has been somewhat mixed. On one end, several very cheap TLDs emerged from the process that are often abused. For example, .xyz or .top are often used for cheap "throw-away" domains. But we also had some large companies, for example, Google, use it (try: domains.google). Google submitted applications for several different gTLDs.
One of the more interesting gTLDs Google obtained is ".zip". This gTLD was approved in 2014, and has not seen much use since then. The current zone file for ".zip" contains only 1230 names. To access the zone files for many of the gTLDs, ICANN operates the "Centralized Zone Data Service" at czds.icann.org.
So what is the danger here?
Read the complete entry:
https://isc.sans.edu/diary/The+zip+gTLD+Risks+and+Opportunities/29838/
Ongoing Facebook phishing campaign without a sender and (almost) without links
Published: 2023-05-15
Last Updated: 2023-05-15 07:25:31 UTC
by Jan Kopriva (Version: 1)
At the Internet Storm Center, we often receive examples of current malspam and phishing e-mails from our readers. Most of them are fairly uninteresting, but some turn out to be notable for one reason or another. This was the case with several messages that Charlie, one of our readers, has submitted to us since the beginning of 2023.
At first glance, the messages appear to be fairly straightforward Facebook phishing e-mails. The HTML body of each message appears to always be the same – it states that a user just logged into the recipient’s Facebook account from a new device and requests that the recipient verifies whether the login was legitimate.
The overall layout of the message seems to mirror legitimate e-mails from Facebook (actually, it seems clear that the author of the phishing message began its development by copying a legitimate message and modifying it, but we’ll get to that later).
Read the complete entry:
Increase in Malicious RAR SFX files
Published: 2023-05-17
Last Updated: 2023-05-17 04:19:08 UTC
by Xavier Mertens (Version: 1)
This isn't a new attack vector, but I’ve found many malicious RAR SFX files in the wild for a few weeks. An “SFX” file is a self-extracting archive that contains compressed files and is wrapped up with some executable code to decompress them on the fly. The final user receives an executable file (PE file) that can be launched with the need to install a specific tool to decompress the content. This technique has been used for a while by attackers, and even more interesting, the self-decompression routine can launch any executable (another executable, a script, …)
Most of the time, these files aren’t detected as a known threat because payloads (the files) are compressed (sometimes encrypted too - if a password is used). But they are generally detected as “suspicious”. I wrote a simple YARA rule to detect such files...
Read the complete entry:
https://isc.sans.edu/diary/Increase+in+Malicious+RAR+SFX+files/29852/
Internet Storm Center Entries
Signals Defense With Faraday Bags & Flipper Zero (2023.05.16)
https://isc.sans.edu/diary/Signals+Defense+With+Faraday+Bags+Flipper+Zero/29840/
DShield Sensor Update (2023.05.14)
https://isc.sans.edu/diary/DShield+Sensor+Update/29844/
Geolocating IPs is harder than you think (2023.05.11)
https://isc.sans.edu/diary/Geolocating+IPs+is+harder+than+you+think/29834/
Recent CVEs
CVE-2023-25717 - Ruckus Wireless Admin through 10.4 allows remote code execution via unauthenticated HTTP GET Request.
CVE-2023-1389 - TP-Link Archer AX21 firmware versions prior to 1.1.4 Build 20230219 have a command injection vulnerability in the country form of the /cgi-bin/luci;stok=/locale endpoint, allowing an attacker to run commands as root.
CVE-2023-29336 - Win32k Elevation of Privilege Vulnerability
CVE-2023-24902 - Win32k Elevation of Privilege Vulnerability
CVE-2023-24941 - Windows Network File System Remote Code Execution Vulnerability
CVE-2023-24901 - Windows NFS Portmapper Information Disclosure Vulnerability
CVE-2023-24943 - Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
CVE-2023-24940 - Windows Pragmatic General Multicast (PGM) Denial of Service Vulnerability
CVE-2023-30744 - SAP AS NetWeaver JAVA versions SERVERCORE 7.50, J2EE-FRMW 7.50, and CORE-TOOLS 7.50 allow unauthenticated attackers to read or change the state of existing services through open naming and directory API.
CVE-2023-32113 - SAP GUI for Windows versions 7.70 and 8.0 allow unauthorized attackers to gain NTLM authentication info and potentially modify sensitive information by tricking victims into clicking a prepared shortcut file.
CVE-2023-27407 - SCALANCE LPE9403 (All versions < V2.1) is vulnerable to command injection due to improper user input validation, which could allow an authenticated remote attacker to access the operating system as root.
CVE-2023-2594 - SourceCodester Food Ordering Management System 1.0 is vulnerable to remote SQL injection via username parameter in Registration.
CVE-2023-2595 - SourceCodester Billing Management System 1.0 is vulnerable to critical SQL injection through the drop_services parameter in the ajax_service.php file.
CVE-2023-2596 - The SourceCodester Online Reviewer System 1.0 is vulnerable to SQL injection through user manipulation of the 'user_id' argument.
CVE-2023-2619 - SourceCodester Online Tours & Travels Management System 1.0 allows remote SQL injection via manipulation of the "id" argument in disapprove_delete.php (VDB-228549).
CVE-2023-31126 - XWiki's org.xwiki.commons:xwiki-commons-xml allows cross-site scripting attacks via invalid data attributes in the HTML sanitizer introduced in version 14.6-rc-1, and has been patched in versions 14.10.4 and 15.0 RC1.
CVE-2023-32071 - XWiki Platform versions 2.2-milestone-1 and prior to versions 14.4.8, 14.10.4, and 15.0-rc-1 allow users to execute javascript via a special URL targeting a page with an attachment.
CVE-2023-32070 - XWiki Platform is vulnerable to XSS attacks via attributes and link URLs in prior versions to 14.6-rc-1 due to unverified HTML rendering which has been patched.
CVE-2023-31975 - yasm v1.3.0 was discovered to contain a memory leak via the function yasm_intnum_copy at /libyasm/intnum.c.
CVE-2023-29460 - Rockwell Automation's Arena Simulation software is vulnerable to arbitrary code execution through a memory buffer overflow that could result in a total loss of confidentiality, integrity, and availability.
CVE-2023-29461 - Rockwell Automation's Arena Simulation software has an arbitrary code execution vulnerability that could lead to a complete loss of confidentiality, integrity, and availability due to a memory buffer overflow.
CVE-2023-1834 - Rockwell Automation Kinetix 5500 drives manufactured between May 2022 and January 2023 and running v7.13 have open telnet and FTP ports, potentially granting unauthorized access to attackers.
CVE-2023-31143 - Mage-ai prior to version 0.8.72 with user authentication enabled allows non-logged in or unpermitted users to access the terminal.
CVE-2023-32569 - Veritas InfoScale Operations Manager is susceptible to SQL injection attacks, granting malicious actors the ability to manipulate sensitive data in the back-end database.
CVE-2023-30194 - Prestashop posstaticfooter <= 1.0.0 is vulnerable to SQL Injection via posstaticfooter::getPosCurrentHook().
CVE-2023-30192 - Prestashop possearchproducts 1.7 is vulnerable to SQL Injection via PosSearch::find().
CVE-2023-30189 - Prestashop posstaticblocks <= 1.0.0 is vulnerable to SQL Injection via posstaticblocks::getPosCurrentHook().
CVE-2023-31148 - The Schweitzer Engineering Laboratories Real-Time Automation Controller (SEL RTAC) Web Interface is vulnerable to remote code execution due to improper input validation.
CVE-2023-31149 - The Schweitzer Engineering Laboratories Real-Time Automation Controller (SEL RTAC) Web Interface is vulnerable to arbitrary code execution via an Improper Input Validation flaw.
CVE-2022-29842 - Western Digital My Cloud OS 5 devices before 5.26.119 allow command injection, leading to code execution by an attacker as root user.
CVE-2023-32080 - Wings, the server control plane for Pterodactyl Panel, is vulnerable to code execution attacks that can compromise the host system if an install script is modified or executed with untrusted user data.
CVE-2023-0851 - Canon Office / Small Office Multifunction Printers and Laser Printers may allow an attacker to execute arbitrary code through a buffer overflow in CPCA Resource Download process.
CVE-2023-0852 - Canon Office/Small Office Multifunction Printers and Laser Printers firmware Ver.11.04 and earlier sold in Japan, US, and Europe have a buffer overflow vulnerability in the Address Book of Mobile Device function that may allow an attacker to execute arbitrary code.
CVE-2023-0853 - Canon Office and Small Office Multifunction Printers and Laser Printers may allow an attacker on the network segment to execute arbitrary code through a buffer overflow in the mDNS NSEC record registering process.
CVE-2023-0854 - Canon Office/Small Office Printers are vulnerable to a buffer overflow in NetBIOS QNAME registering and communication process, allowing attackers to cause unresponsiveness or execute arbitrary code.
CVE-2023-0855 - Canon Office/Small Office Multifunction Printers and Laser Printers may allow an attacker to execute arbitrary code through IPP number-up attribute process.
CVE-2023-0856 - The Canon Office/Small Office Multifunction and Laser Printers sold in specific regions are vulnerable to a buffer overflow in IPP sides attribute process, allowing attackers to trigger unresponsiveness or execute arbitrary code on affected products.
CVE-2023-32243 - WPDeveloper Essential Addons for Elementor allows privilege escalation via improper authentication from version 5.4.0 to 5.7.1.
CVE-2023-2499 - RegistrationMagic plugin for WordPress up to version 5.2.1.0 allows unauthenticated attackers to log in as any existing user via Google social login with access to the email.
CVE-2023-1934 - PnPSCADA system by SDG Technologies CC is vulnerable to critical unauthenticated PostgreSQL Injection, allowing attackers to seamlessly access sensitive information.
CVE-2023-1698 - WAGO products have a vulnerability that allows remote attackers to create new users and change configuration, leading to DoS and system compromise.
CVE-2023-32314 - VM2 sandbox allows remote code execution due to a sandbox escape vulnerability up to version 3.9.17 that was patched in version 3.9.18 with no known workarounds.
CVE-2023-32956 - Synology Router Manager (SRM) versions before 1.2.5-8227-6 and 1.3.1-9346-3 are vulnerable to OS command injection.
CVE-2023-24898 - Windows SMB Denial of Service Vulnerability
CVE-2023-24899 - Windows Graphics Component Elevation of Privilege Vulnerability
CVE-2023-24903 - Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability
CVE-2023-24904 - Windows Installer Elevation of Privilege Vulnerability
CVE-2023-24905 - Remote Desktop Client Remote Code Execution Vulnerability
CVE-2023-24939 - Server for NFS Denial of Service Vulnerability
CVE-2023-24942 - Remote Procedure Call Runtime Denial of Service Vulnerability
CVE-2023-24946 - Windows Backup Service Elevation of Privilege Vulnerability
CVE-2023-24947 - Windows Bluetooth Driver Remote Code Execution Vulnerability
CVE-2023-24948 - Windows Bluetooth Driver Elevation of Privilege Vulnerability
CVE-2023-24949 - Windows Kernel Elevation of Privilege Vulnerability
CVE-2023-24953 - Microsoft Excel Remote Code Execution Vulnerability
CVE-2023-24955 - Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2023-28283 - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
CVE-2023-29325 - Windows OLE Remote Code Execution Vulnerability
CVE-2023-29335 - Microsoft Word Security Feature Bypass Vulnerability
CVE-2023-29340 - AV1 Video Extension Remote Code Execution Vulnerability
CVE-2023-29341 - AV1 Video Extension Remote Code Execution Vulnerability
CVE-2023-29343 - SysInternals Sysmon for Windows Elevation of Privilege Vulnerability
CVE-2023-29344 - Microsoft Office Remote Code Execution Vulnerability
Sponsors
Snyk
*********** Sponsored By SNYK Limited ***********Due to a recent shift, security teams must adapt to a fast-paced software development model and DevSecOps workflows. Download the CISO's Guide to Cultivating Developer Adoption eBook to discover actionable techniques to start improving developer adoption and see how current CISO's are implementing this today.Download now:
Corelight, Inc.
Join Matt Bromiley on Thursday, May 25 at 1:00pm ET as he hosts our upcoming webcast: I have Trust Issues and So Does My CISO--How NDR can help identify issues in your ZTA | Register now:
Infoblox
2023 Survey Event on Wednesday, May 31 at 10:30am ET | Join our SANS Visibility and Attack Surface Survey authors Doc Blackburn and Mark Williams as they lead the conversation around how functionality is mission-critical to all organizations. | Register now:
SANS
2023 Spring Cyber Solutions Fest on Friday, June 9th | Join Chris Dale and Matt Bromiley as they chair discussions in our two tracks: Zero Trust and Insider Threat, Phishing, and Malware. | Learn more and register: