INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Apple Updates Everything
Published: 2023-05-18
Last Updated: 2023-05-18 20:41:33 UTC
by Johannes Ullrich (Version: 1)
Today, Apple released macOS, iOS, iPadOS, tvOS, watchOS, and Safari updates.
Three of the vulnerabilities are already exploited in the wild. Combining the three vulnerabilities, an attacker can gain complete system access as the user visits a malicious website. CVE-2023-32373 allows for arbitrary code execution as WebKit processes malicious content. CVE-2023-32409, in turn, enables breaking out of the web content sandbox, completing the full system compromise. The vulnerabilities are not indicated as "patched" for older versions of macOS, but they are covered in the Safari update, which applies the patch to older versions of macOS.
As usual, Apple's vulnerability descriptions are terse. As promised in a prior diary, I let ChatGPT "guess" the CVSS score for these updates. Let me know if you agree or not. The ratings (moderate/important/critical) are mine. ChatGPT refused to provide a CVSS score for some vulnerabilities based on insufficient information. Let me know if you feel ChatGPT did ok or not (or if it is worthwhile keeping these ChatGPT CVSS scores or not).
Read the full entry:
https://isc.sans.edu/diary/Apple+Updates+Everything/29860/
A Quick Survey of .zip Domains: Your highest risk is running into Rick Astley.
Published: 2023-05-18
Last Updated: 2023-05-18 18:54:29 UTC
by Johannes Ullrich (Version: 1)
A week ago, I wrote about Google starting to offer ".zip" domains and the possible risks associated with this (https://isc.sans.edu/diary/The+zip+gTLD+Risks+and+Opportunities/29838/). Earlier today, I quickly surveyed registered .zip domains to see what people are doing with them.
I found a total of 2,753 domains with content. Out of these files, I was able to categorize 1,928. The remaining is still a work in progress.
So far, most domains are "Parked" (1,506). This is typical for new domains displaying a registrar default page until the owner configures content. 229 of the domains are showing various errors. I classified 143 domains as harmless, meaning they link to different other pages that, as far as I can tell, do not provide malicious content. Some "harmless" sites appear registered by security companies or individuals either directing to their page or displaying messages warning about the .zip TLD issues. A few of the pages do, for example, direct to individual LinkedIn profiles.
48 domains direct to Rick Astley ("rickrolling") content or similar videos mostly meant to annoy visitors.
Read the full entry:
Help us figure this out: Scans for Apache "Nifi"
Published: 2023-05-23
Last Updated: 2023-05-23 16:45:26 UTC
by Johannes Ullrich (Version: 1)
Please let me know if you have any idea what they are trying to do here :)
I noticed today that our honeypots detected a few scans for Apache "Nifi." Nifi is a Java-based system that allows for the routing of data. It will enable you to select data from a source (let's say from a CSV file) and output it to a database. Numerous sources and destinations are supported. Dataflows are created via a web-based GUI. One critical use case of Apache Nifi is to prepare and import data into machine learning systems.
Today, I noticed a spike in requests for the URL "/nifi", the default URL used for the NiFi GUI.
Read the full entry:
https://isc.sans.edu/diary/Help+us+figure+this+out+Scans+for+Apache+Nifi/29874/
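The spike in requests for "/nifi" described in the Apache NiFi entry above is the kind of signal a defender can pull out of ordinary web-server or honeypot logs. The script below is an added example, not code from the diary or from the ISC: it parses Common Log Format lines, counts requests for the NiFi GUI path per hour and per distinct source address, and flags hours that stand out against the other hours. The log lines are constructed samples (documentation address ranges), and the spike threshold (three times the median of the other hours, from at least two sources) is an assumed heuristic.

```python
import re
from collections import Counter, defaultdict
from statistics import median

# Constructed sample log lines (Common Log Format); not real honeypot data.
SAMPLE_LOG = """\
203.0.113.5 - - [23/May/2023:09:14:02 +0000] "GET / HTTP/1.1" 200 512
198.51.100.7 - - [23/May/2023:09:31:45 +0000] "GET /nifi HTTP/1.1" 404 196
203.0.113.9 - - [23/May/2023:10:05:10 +0000] "GET /robots.txt HTTP/1.1" 404 196
198.51.100.7 - - [23/May/2023:10:22:19 +0000] "GET /nifi/ HTTP/1.1" 404 196
192.0.2.14 - - [23/May/2023:11:01:03 +0000] "GET /nifi HTTP/1.1" 404 196
192.0.2.77 - - [23/May/2023:11:02:30 +0000] "GET /nifi?foo=1 HTTP/1.1" 404 196
198.51.100.23 - - [23/May/2023:11:03:11 +0000] "GET /nifi/ HTTP/1.1" 404 196
203.0.113.5 - - [23/May/2023:11:04:00 +0000] "GET /index.html HTTP/1.1" 200 512
192.0.2.77 - - [23/May/2023:11:05:41 +0000] "POST /nifi HTTP/1.1" 404 196
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Parse one CLF line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec

def is_nifi_probe(rec):
    """True for the default NiFi GUI path '/nifi' or anything under it."""
    return rec["path"] == "/nifi" or rec["path"].startswith("/nifi/")

def nifi_hits_per_hour(log_text):
    """Map hour key (e.g. '23/May/2023:11') -> (request count, distinct sources)."""
    hits, sources = Counter(), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_nifi_probe(rec):
            hour = rec["ts"][:14]          # 'DD/Mon/YYYY:HH'
            hits[hour] += 1
            sources[hour].add(rec["ip"])
    return {h: (hits[h], len(sources[h])) for h in hits}

def spike_hours(per_hour, factor=3, min_sources=2):
    """Hours whose /nifi count exceeds factor x the median of the other hours
    and that involve at least min_sources distinct addresses (assumed heuristic)."""
    flagged = []
    for hour, (count, srcs) in per_hour.items():
        others = [c for h, (c, _) in per_hour.items() if h != hour] or [0]
        if count > factor * median(others) and srcs >= min_sources:
            flagged.append(hour)
    return sorted(flagged)

if __name__ == "__main__":
    per_hour = nifi_hits_per_hour(SAMPLE_LOG)
    for hour, (count, srcs) in sorted(per_hour.items()):
        print(f"{hour}: {count} /nifi requests from {srcs} sources")
    print("spike hours:", spike_hours(per_hour))
```

Point `nifi_hits_per_hour` at real access-log text and compare flagged hours against your own baseline; the 404 responses in the sample are what a host without NiFi would return, so a 200 on "/nifi" is worth a closer look on its own.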