Cobalt Strike's "Runtime Configuration"
Published: 2023-12-05
Last Updated: 2023-12-05 08:00:19 UTC
by Didier Stevens (Version: 1)
I published an update for my 1768.py tool, a tool to extract the configuration from Cobalt Strike beacons.
1768.py tries to extract the beacon configuration from payloads and process memory dumps. It looks for the embedded configuration: the TLV table that is XOR encoded (XOR key 0x2E for version 4 beacons).
Prior to this version (0.0.20), process memory dumps were just handled as raw files.
This new version also looks for the "runtime configuration": this is a C/C++ array found on the heap, created by the beacon code by parsing the embedded configuration. This array contains a value (an integer or a pointer) for each configuration item. An example can be found in this blog post.
For example, the port number is configuration item 2 and is stored as an integer in the third position of the array (array[2]).
The public key is configuration item 7, a binary sequence (ASN.1 DER encoded). It is stored as a pointer (to the binary sequence) in the eighth position of the array (array[7]). The binary sequence representing the public key is also stored on the heap. Since we are dealing with pointers in C/C++, there are 32-bit and 64-bit implementations.
Since address translations need to take place, 1768.py requires the Python module minidump to be installed.
If it is not installed and a runtime configuration is found, a warning will be displayed...
Read the full entry:
https://isc.sans.edu/diary/Cobalt+Strikes+Runtime+Configuration/30426/
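The runtime configuration layout described above (integer in array[2], heap pointer to a DER blob in array[7], 32-bit or 64-bit slots), as an added example that is not code from 1768.py. It assumes a flat memory region with a known base address (the address translation that the real tool gets from minidump) and builds its own constructed image, with a placeholder DER blob that is not a real key.

```python
import struct

# Constructed stand-in for a DER-encoded SubjectPublicKeyInfo: an rsaEncryption
# AlgorithmIdentifier followed by a BIT STRING of filler bytes. It is NOT a real
# key; it only exercises the DER length parsing below (long-form length 0x81).
ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")
BIT_STRING = b"\x03\x81\x81\x00" + bytes(range(128))
FAKE_PUBKEY_DER = b"\x30\x81" + bytes([len(ALG_ID) + len(BIT_STRING)]) + ALG_ID + BIT_STRING

PTR_FMT = {32: "<I", 64: "<Q"}   # little-endian, pointer-sized array slots


def build_image(bits, base, port, pubkey_der, n_items=64):
    """Constructed memory region (assumption: a flat dump with a known base
    address): the runtime config array at offset 0, the DER blob further along,
    referenced from slot 7 by its virtual address, as it would be on the heap."""
    ptr_size = bits // 8
    key_addr = base + n_items * ptr_size + 0x40          # blob placed after the array
    slots = [0] * n_items
    slots[2] = port                                      # item 2: port number as an integer
    slots[7] = key_addr                                  # item 7: pointer to the DER public key
    array_bytes = b"".join(struct.pack(PTR_FMT[bits], v) for v in slots)
    return array_bytes + b"\x00" * 0x40 + pubkey_der + b"\x00" * 16


def der_total_length(data, offset):
    """Total size (header + content) of the DER SEQUENCE at offset. Handles
    short- and long-form lengths so we know how many heap bytes belong to the key."""
    if data[offset] != 0x30:
        raise ValueError("expected a DER SEQUENCE tag at 0x%x" % offset)
    first = data[offset + 1]
    if first < 0x80:                                     # short form: length in one byte
        return 2 + first
    n = first & 0x7F                                     # long form: n length bytes follow
    length = int.from_bytes(data[offset + 2:offset + 2 + n], "big")
    return 2 + n + length


def extract_runtime_config(image, base, array_offset, bits):
    """Read item 2 (port) and item 7 (public key) from the runtime config array,
    translating the heap pointer in slot 7 back into an offset in the image."""
    fmt, ptr_size = PTR_FMT[bits], bits // 8

    def slot(i):
        return struct.unpack_from(fmt, image, array_offset + i * ptr_size)[0]

    port = slot(2)
    key_ptr = slot(7)
    key_off = key_ptr - base                             # virtual address -> image offset
    if not 0 <= key_off < len(image):
        raise ValueError("public key pointer 0x%x points outside the image" % key_ptr)
    key_len = der_total_length(image, key_off)
    return {"port": port, "pubkey_ptr": key_ptr,
            "pubkey_der": image[key_off:key_off + key_len]}


if __name__ == "__main__":
    for bits, base in ((32, 0x00A30000), (64, 0x1E0F4D70000)):
        img = build_image(bits, base, 443, FAKE_PUBKEY_DER)
        cfg = extract_runtime_config(img, base, 0, bits)
        print(bits, cfg["port"], hex(cfg["pubkey_ptr"]), cfg["pubkey_der"].hex()[:24])
```

The same walk works on a real dump once the section's base address is known; a pointer that lands outside the mapped region is the first sign that the wrong base (or wrong bitness) was assumed.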
Apple Patches Exploited WebKit Vulnerabilities in iOS/iPadOS/macOS
Published: 2023-11-30
Last Updated: 2023-12-01 17:21:37 UTC
by Johannes Ullrich (Version: 1)
Apple today released patches for two WebKit vulnerabilities affecting macOS, iPadOS and iOS. I would expect standalone Safari updates for older macOS versions in the future. At this point, only the most recent operating system versions received patches.
The vulnerabilities have been exploited against versions of iOS before 16.7.1. iOS 16.7.2 is the latest iOS 16 release, released in late October. It is not clear if it is vulnerable. Apple just states which versions were successfully exploited.
Read the full entry:
https://isc.sans.edu/diary/Apple+Patches+Exploited+WebKit+Vulnerabilities+in+iOSiPadOSmacOS/30444/
Zarya Hacktivists: More than just Sharepoint.
Published: 2023-12-04
Last Updated: 2023-12-04 16:38:58 UTC
by Johannes Ullrich (Version: 1)
Last week, I wrote about a system associated with pro-Russian hacktivist scanning for vulnerable Sharepoint servers [1]. Thanks to @DonPasci on X for pointing me to an article by Radware about the same group using Mirai [2][3]. This group has been active for a while, using various low-hanging fruit exploits to hunt for defacement targets.
The group calls itself "Zarya" (). The Cyrillic alphabet does not contain the letter "z." After Russian troops used the "Z" symbol to mark their vehicles in their push on Kyiv early in 2022, the character became a popular symbol to express support for the war in Russia. It has often been used to replace the letter "," which is pronounced like the English "Z." Therefore, the name of the hacktivist group is likely supposed to be pronounced as "," or "dawn" in English.
But let's return to the IP address we identified last week: 212.113.106.100. This IP address has not been idle since then. We have observed several different exploits with our honeypots.
Many of them are just simple reconnaissance: requests for "/" to retrieve index pages. These are likely just used to identify possible targets.
There are also some directory traversal attempts. I have no idea if they will work with reasonably up-to-date systems. In particular, requests like "/../../../../etc/passwd"...
https://isc.sans.edu/diary/Zarya+Hacktivists+More+than+just+Sharepoint/30450/
Whose packet is it anyway: a new RFC for attribution of internet probes (2023.12.06)
Prophetic Post by Intern on CVE-2023-1389 Foreshadows Mirai Botnet Expansion Today (2023.11.30)
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.
CVE-2023-49314 - [description truncated in the source]
Product: Asana Desktop
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-49314
NVD References:
- https://asana.com/pt/download
- https://github.com/electron/fuses
- https://github.com/louiselalanne/CVE-2023-49314
- https://github.com/r3ggi/electroniz3r
- https://www.electronjs.org/docs/latest/tutorial/fuses

CVE-2023-46589 - Apache Tomcat is vulnerable to an Improper Input Validation vulnerability that allows request smuggling when behind a reverse proxy, and can be fixed by upgrading to a version starting from 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards, or 8.5.96 onwards.
Product: Apache Tomcat
CVSS Score: 7.5
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-46589
ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8756
NVD References:
- https://lists.apache.org/thread/0rqq6ktozqc42ro8hhxdmmdjm1k1tpxr
- https://www.openwall.com/lists/oss-security/2023/11/28/2

CVE-2023-41264 - Netwrix Usercube before 6.0.215 allows authentication bypass and privilege escalation if certain configuration fields are omitted.
Product: Netwrix Usercube
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-41264
NVD References:
- https://www.netwrix.com/identity_governance_and_administration_solution.html
- https://www.synacktiv.com/advisories/usercube-netwrix-multiple-vulnerabilities

CVE-2023-48193 - JumpServer GPLv3 v.3.8.0 is vulnerable to Insecure Permissions, enabling remote attackers to execute arbitrary code by bypassing the command filtering function.
Product: Fit2Cloud Jumpserver
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-48193
NVD References:
- http://jumpserver.com
- https://github.com/296430468/lcc_test/blob/main/jumpserver_BUG.md
- https://github.com/jumpserver/jumpserver

CVE-2023-23324 - Zumtobel Netlink CCD Onboard 3.74 - Firmware 3.80 was discovered to contain hardcoded credentials for the Administrator account.
Product: Zumtobel Netlink CCD
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-23324
NVD References:
- http://zumtobel.com
- https://yoroi.company/en/research/cve-advisory-partial-disclosure-zumtobel-multiple-vulnerabilities/

CVE-2023-23325 - Zumtobel Netlink CCD Onboard 3.74 - Firmware 3.80 was discovered to contain a command injection vulnerability via the NetHostname parameter.
Product: Zumtobel Netlink CCD
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-23325
NVD References:
- http://zumtobel.com
- https://yoroi.company/en/research/cve-advisory-partial-disclosure-zumtobel-multiple-vulnerabilities/

CVE-2023-46886 - Dreamer CMS before version 4.0.1 allows Directory Traversal, enabling unauthorized access to sensitive files.
Product: Dreamer CMS Project
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-46886
NVD References:
- https://gitee.com/iteachyou/dreamer_cms/issues/I6NOFN

CVE-2023-47462 - GL.iNet AX1800 v.3.215 and earlier versions have an insecure permissions vulnerability that enables remote attackers to execute arbitrary code through the file sharing function.
Product: GL.iNet AX1800
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-47462
NVD References:
- https://github.com/gl-inet/CVE-issues/blob/main/3.215/Arbitrary%20File%20Read%20through%20file%20share.md

CVE-2023-45479 - Tenda AC10 version US_AC10V4.0si_V16.03.10.13_cn was discovered to contain a stack overflow via the list parameter in the function sub_49E098.
Product: Tenda AC10
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-45479
NVD References:
- https://github.com/l3m0nade/IOTvul/blob/master/assets/sub_49E098_code.png
- https://github.com/l3m0nade/IOTvul/blob/master/sub_49E098.md

CVE-2023-45480 - Tenda AC10 version US_AC10V4.0si_V16.03.10.13_cn was discovered to contain a stack overflow via the src parameter in the function sub_47D878.
Product: Tenda AC10
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-45480
NVD References:
- https://github.com/l3m0nade/IOTvul/blob/master/assets/sub_47d878_code.png
- https://github.com/l3m0nade/IOTvul/blob/master/sub_47D878.md

CVE-2023-45481 - Tenda AC10 version US_AC10V4.0si_V16.03.10.13_cn was discovered to contain a stack overflow via the firewallEn parameter in the function SetFirewallCfg.
Product: Tenda AC10
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-45481
NVD References:
- https://github.com/l3m0nade/IOTvul/blob/master/SetFirewallCfg.md
- https://github.com/l3m0nade/IOTvul/blob/master/assets/setFirewallCfg_code.png

CVE-2023-45482 - Tenda AC10 version US_AC10V4.0si_V16.03.10.13_cn was discovered to contain a stack overflow via the urls parameter in the function get_parentControl_list_Info.
Product: Tenda AC10
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-45482
NVD References:
- https://github.com/l3m0nade/IOTvul/blob/master/assets/get_parentControl_list_Info_code.png
- https://github.com/l3m0nade/IOTvul/blob/master/get_parentControl_list_Info.md

CVE-2023-45483 - Tenda AC10 version US_AC10V4.0si_V16.03.10.13_cn was discovered to contain a stack overflow via the time parameter in th…

[preceding entry truncated in the source; only its references survive]
NVD References:
- https://bugprove.com/knowledge-hub/cve-2023-4473-and-cve-2023-4474-authentication-bypass-and-multiple-blind-os-command-injection-vulnerabilities-in-zyxel-s-nas-326-devices/
- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-authentication-bypass-and-command-injection-vulnerabilities-in-nas-products

CVE-2023-4474 - The Zyxel NAS326 and NAS542 firmware versions V5.21(AAZF.14)C0 and V5.21(ABAG.11)C0 improperly neutralize special elements, allowing unauthenticated attackers to execute OS commands via a crafted URL.
Product: Zyxel NAS326 and NAS542 firmware
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-4474
NVD References:
- https://bugprove.com/knowledge-hub/cve-2023-4473-and-cve-2023-4474-authentication-bypass-and-multiple-blind-os-command-injection-vulnerabilities-in-zyxel-s-nas-326-devices/
- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-authentication-bypass-and-command-injection-vulnerabilities-in-nas-products

CVE-2023-47463 - GL.iNet AX1800 version 4.0.0 before 4.5.0 allows remote code execution due to insecure permissions in the gl_nas_sys authentication function.
Product: GL.iNet AX1800
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-47463
NVD References:
- https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/an%20unauthenticated%20remote%20code%20execution.md

CVE-2023-47418 - O2oa version 8.1.2 and before allows remote attackers to execute JavaScript through the creation of a new interface in the service management function.
Product: Zoneland O2Oa
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-47418
NVD References:
- https://gist.github.com/Onlyning/0cf7b1c597a36dd3a2e9ec948b881ac8
- https://github.com/Onlyning/O2OA

CVE-2022-45135 - Apache Cocoon is vulnerable to an SQL Injection attack from version 2.2.0 to 2.3.0.
Product: Apache Cocoon
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-45135
NVD References:
- http://www.openwall.com/lists/oss-security/2023/11/30/3
- https://lists.apache.org/thread/lsvd1hmr2t2q823x21d5ygzgbj9jpvjp

CVE-2023-49733 - Apache Cocoon is vulnerable to an improper restriction of XML external entity reference issue, which can be fixed by upgrading to version 2.3.0.
Product: Apache Cocoon
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-49733
NVD References:
- http://www.openwall.com/lists/oss-security/2023/11/30/5
- https://lists.apache.org/thread/t87nntzt6dxw354zbqr9k7l7o1x8gq11

CVE-2023-49701 - Memory Corruption in SIM management while USIMPhase2init
Product: Asrmicro Asr1803
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-49701
NVD References:
- https://www.asrmicro.com/en/goods/psirt?cid=31

CVE-2023-5965 - EspoCRM version 7.2.5 allows an authenticated privileged attacker to execute arbitrary PHP code by uploading a maliciously crafted zip through the update form.
Product: EspoCRM
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-5965
NVD References:
- https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-espocrm

CVE-2023-5966 - EspoCRM server in version 7.2.5 allows authenticated privileged attackers to execute arbitrary PHP code by uploading a malicious zip file via the extension deployment form.
Product: EspoCRM
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-5966
NVD References:
- https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-espocrm

CVE-2023-6026 - elijaa/phpmemcachedadmin version 1.3.0 allows an attacker to delete server files through unsanitized user input.
Product: Elijaa Phpmemcachedadmin
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-6026
NVD References:
- https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-phpmemcachedadmin

CVE-2023-6360 - My Calendar WordPress Plugin, version < 3.4.22, is affected by an unauthenticated SQL injection vulnerability in the 'from' and 'to' parameters in the '/my-calendar/v1/events' rest route.
Product: Joedolson My Calendar
CVSS Score: 9.8
AtRiskScore: 30
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-6360
NVD References:
- https://www.tenable.com/security/research/tra-2023-40

CVE-2023-31176 - Schweitzer Engineering Laboratories SEL-451 is vulnerable to an Insufficient Entropy vulnerability, enabling an unauthenticated remote attacker to bypass authentication by brute-forcing session tokens.
Product: Selinc SEL-451
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-31176
NVD References:
- https://selinc.com/support/security-notifications/external-reports/
- https://www.nozominetworks.com/blog/

CVE-2023-34388 - Schweitzer Engineering Laboratories SEL-451 is vulnerable to improper authentication, enabling a remote unauthenticated attacker to hijack sessions and bypass authentication.
Product: Selinc SEL-451
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-3438…