INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Microsoft January 2024 Patch Tuesday
Published: 2024-01-10
Last Updated: 2024-01-10 00:38:10 UTC
by Johannes Ullrich (Version: 1)
Microsoft today surprised with a light patch Tuesday. We only received 48 patches for Microsoft products and four for Chromium, affecting Microsoft Edge. Only two of the 48 patches are rated critical; none had been disclosed or exploited before today. The update also includes an SQLite patch affecting Microsoft products. This issue fixed the "Stranger Strings" vulnerability, patched in 2022 in the open-source version of SQLite.
The critical Kerberos vulnerability is interesting and should be patched quickly. It may allow an attacker with a MitM position to impersonate a Kerberos server and bypass authentication. Kerberos weaknesses have been abused in these scenarios in the past, and obtaining a MitM position is typically not that difficult after the perimeter of a network has been breached.
Read the full entry: https://isc.sans.edu/diary/Microsoft+January+2024+Patch+Tuesday/30548
Jenkins Brute Force Scans
Published: 2024-01-09
Last Updated: 2024-01-09 17:17:36 UTC
by Johannes Ullrich (Version: 1)
Our honeypots saw a number of scans for "/j_acegi_security_check" the last two days. This URL has not been hit much lately, but was hit pretty hard last March. The URL is associated with Jenkins, and can be used to brute force passwords.
A typical request seen by our honeypots ...
The body of the request URL decodes to ...
The Chinese characters at the end translate to "Log in," indicating that this request may have been originally based on a Chinese language version of Jenkins. I have observed usernames like admin, 1, 123, adminadmin, root. The intent of this particular query may be to test if the server is running Jenkins and not an actual brute-force attempt. But it is always difficult to guess a particular attack's intent. The honeypot is not attempting to emulate Jenkins at this point (something we may need to add to our agile honeypots soon).
Read the full entry: https://isc.sans.edu/diary/Jenkins+Brute+Force+Scans/30546/
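A detection pass over web-server logs for the activity described in that diary, written here as an added example (not the honeypot's or ISC's own code): it picks out POSTs to /j_acegi_security_check, extracts the submitted username, and flags sources that cycle through several usernames in a short window while leaving a lone probe unflagged. The log layout and the j_username form field are assumptions, and the log lines are constructed.

```python
"""Flag Jenkins login brute forcing in access logs (added example, not ISC code).
Assumes a honeypot log format that records the POST body (constructed below) and
that the form field carrying the username is j_username, as on the Jenkins login page."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs
LOGIN_PATH = "/j_acegi_security_check"
# Assumed layout: timestamp  source-ip  "METHOD PATH PROTO"  [url-encoded body]
LINE_RE = re.compile(r'^(\S+) (\S+) "(\w+) (\S+) [^"]*" ?(.*)$')

# Constructed sample; Submit=%E7%99%BB%E5%BD%95 is URL-encoded "登录" ("Log in").
SAMPLE_LOG = """\
2024-01-09T10:00:01Z 203.0.113.5 "POST /j_acegi_security_check HTTP/1.1" j_username=admin&j_password=admin&Submit=%E7%99%BB%E5%BD%95
2024-01-09T10:00:02Z 203.0.113.5 "POST /j_acegi_security_check HTTP/1.1" j_username=1&j_password=1&Submit=%E7%99%BB%E5%BD%95
2024-01-09T10:00:03Z 203.0.113.5 "POST /j_acegi_security_check HTTP/1.1" j_username=123&j_password=123&Submit=%E7%99%BB%E5%BD%95
2024-01-09T10:00:04Z 203.0.113.5 "POST /j_acegi_security_check HTTP/1.1" j_username=root&j_password=root&Submit=%E7%99%BB%E5%BD%95
2024-01-09T10:05:00Z 198.51.100.7 "POST /j_acegi_security_check HTTP/1.1" j_username=admin&j_password=admin&Submit=%E7%99%BB%E5%BD%95
2024-01-09T10:05:30Z 198.51.100.7 "GET /login HTTP/1.1"
"""

def parse_login_attempts(log_text):
    """Yield (timestamp, source_ip, username) for every POST to the login path."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, method, path, body = m.groups()
        if method != "POST" or path != LOGIN_PATH:
            continue
        form = parse_qs(body)  # percent-decodes the body, Chinese label included
        user = form.get("j_username", ["<missing>"])[0]
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), src, user

def find_brute_force(log_text, window=timedelta(seconds=60), min_users=3):
    """Return {source_ip: sorted usernames} for sources that try at least
    min_users distinct usernames inside one window; lone probes are not flagged."""
    by_src = defaultdict(list)
    for ts, src, user in parse_login_attempts(log_text):
        by_src[src].append((ts, user))
    hits = {}
    for src, attempts in by_src.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                hits[src] = sorted(users)
                break
    return hits
```

Running find_brute_force(SAMPLE_LOG) reports only 203.0.113.5, which tried four usernames in four seconds; the single admin attempt from 198.51.100.7 is the kind of "is this Jenkins?" probe the diary mentions and stays unflagged.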
Suspicious Prometei Botnet Activity
Published: 2024-01-07
Last Updated: 2024-01-07 20:23:34 UTC
by Guy Bruneau (Version: 1)
On 31 Dec 2023, after trying multiple username/password combinations, an actor using IP 194.30.53.68 successfully logged in to the honeypot and uploaded eight files, two of which are protected with a 7zip password (updates1.7z & updates2.7z). Some of these files have been identified by VirusTotal as related to the Prometei trojan. The file sqhost.exe was last found by Talos being used with the Prometei botnet as a trojan coin miner.
Read the full entry: https://isc.sans.edu/diary/Suspicious+Prometei+Botnet+Activity/30538/