INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Exploit Flare Up Against Older Atlassian Confluence Vulnerability
Published: 2024-01-29
Last Updated: 2024-01-29 14:01:16 UTC
by Johannes Ullrich (Version: 1)
Last October, Atlassian released a patch for CVE-2023-22515. This vulnerability allowed attackers to create new admin users in Confluence. Today, I noticed a bit of a "flare up" in a specific exploit variant.
Rapid7 published a good summary of the vulnerability. As so often, the vulnerability is pretty straightforward once you see it. During the initial setup, Confluence asks the user to configure an administrator. After setup is complete, the user needs to log in using this initial administrator account to configure additional users. Using the vulnerability, an attacker can flip the "setup complete" state. No authentication is required to do so. An attacker can first enable the initial setup behavior, use it to add a new administrator account, and complete the attack by disabling the setup page to make the application appear normal for other users.
Read the full entry:
https://isc.sans.edu/diary/Exploit+Flare+Up+Against+Older+Altassian+Confluence+Vulnerability/30600/
A Batch File With Multiple Payloads
Published: 2024-01-26
Last Updated: 2024-01-26 07:22:51 UTC
by Xavier Mertens (Version: 1)
Windows batch files (.bat) are often seen by people as very simple, but they can be pretty complex or... contain interesting encoded payloads! I found one that contains multiple payloads decoded and used by a PowerShell process. The magic is behind how comments can be added to such files. The default (or very common way) is to use the "REM" keyword. But you can also use a double-colon ...
Read the full entry:
https://isc.sans.edu/diary/A+Batch+File+With+Multiple+Payloads/30592/
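As an added example (not code from the diary or its author), here is a small Python triage script that scans a batch file for comment lines, REM or double-colon, carrying a long base64 token that decodes to readable text, the way a hidden PowerShell payload would. The sample .bat and its payload are constructed, and the assumption that the embedded payloads are base64 (UTF-16LE as PowerShell's -EncodedCommand expects, or plain UTF-8) is mine.

```python
import base64
import re
import string

# Constructed sample: a harmless .bat with a REM comment, a normal command and a
# double-colon "comment" that carries a base64 blob (UTF-16LE, PowerShell style).
SAMPLE_PAYLOAD_TEXT = "Write-Output 'constructed sample payload'"
SAMPLE_B64_UTF16 = base64.b64encode(SAMPLE_PAYLOAD_TEXT.encode("utf-16-le")).decode()
SAMPLE_BAT = f"""@echo off
REM ordinary comment, nothing to see here
echo Starting...
::{SAMPLE_B64_UTF16}
::just a second double-colon comment
exit /b 0
"""

# A comment line starts with "::" or the REM keyword; group 3 is the comment body.
COMMENT_RE = re.compile(r"^\s*(?:(::)|(rem)\b)\s*(.*)$", re.IGNORECASE)
# Long runs of base64 alphabet characters are worth a closer look.
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")
PRINTABLE = set(string.printable)

def _decode_if_text(token):
    """Base64-decode a token and return it as text if it reads like a script.
    UTF-16LE is tried first (what PowerShell -EncodedCommand uses), then UTF-8."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    for encoding in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(encoding)
        except UnicodeDecodeError:
            continue
        if text and all(ch in PRINTABLE for ch in text):
            return text
    return None

def find_hidden_payloads(bat_text):
    """Return [(line_no, comment_style, decoded_text)] for every comment line
    whose body contains a base64 token that decodes to readable text."""
    findings = []
    for line_no, line in enumerate(bat_text.splitlines(), start=1):
        m = COMMENT_RE.match(line)
        if not m:
            continue
        style = "::" if m.group(1) else "REM"
        for token in B64_TOKEN_RE.findall(m.group(3)):
            decoded = _decode_if_text(token)
            if decoded is not None:
                findings.append((line_no, style, decoded))
    return findings

if __name__ == "__main__":
    for line_no, style, text in find_hidden_payloads(SAMPLE_BAT):
        print(f"line {line_no} ({style} comment): {text}")
```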
Facebook AdsManager Targeted by a Python Infostealer
Published: 2024-01-25
Last Updated: 2024-01-25 06:00:14 UTC
by Xavier Mertens (Version: 1)
These days, many pieces of malware are flagged as “infostealers” because, once running on the victim’s computer, they search for interesting data and exfiltrate them. Classic collected data are:
* credentials
* cookies
* cryptocurrency details
* technical information about the victim (public IP, OS version, running processes, etc.)
* …
Credentials and cookies are used to take over web services used by the victim. For convenience, many people use the “remember me” feature on many websites. This allows the user to come back later to the websites without the need to authenticate again for a specific amount of time (ex: 1 day, 1 week, … sometimes “forever”!).
If some cookies are fascinating (ex: access to webmail, corporate services, …), what could be a practical example of abuse? Yesterday, I found another malicious Python script that behaves like an infostealer. It collects data from the following browsers ...
Read the full entry:
https://isc.sans.edu/diary/Facebook+AdsManager+Targeted+by+a+Python+Infostealer/30590/