ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Got MFA? If not, Now is the Time!
Published: 2024-05-15
Last Updated: 2024-05-15 12:04:47 UTC
by Rob VandenBrink (Version: 1)
I had an interesting call from a client recently - they had a number of "net use" and "psexec" commands pop up on a domain controller, all called from PSEXEC (thank goodness for a good EDR deployed across the board!!). The source IP was a VPN session.
Anyway, we almost immediately declared an incident, and the VPN that was in use, which had just userid/password authentication, was the ingress. We found a US employee with an active VPN session from Europe (the classic "impossible geography session") - so the standard "kill the session, deactivate the account / change the password" action ensued.
Followed by a serious conversation - really, your userid/password protected VPN is only as strong as your weakest password. And you KNOW that some folks have kept their "Welcome123" password that they got at their last "I forgot my password" helpdesk call. Also, your userid/password VPN is only as strong as the weakest other site that your folks have used their work credentials for.
Anyway, the actions and discussion above were followed by the "who would want to target us?" conversation, so off to the logs we went.
The standard Cisco VPN rejected login syslog message looks like this ...
Read the full entry:
https://isc.sans.edu/diary/Got+MFA+If+not+Now+is+the+Time/30926/
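For the log review described in the entry above (looking at rejected VPN logins to see who is knocking), here is an added example that is not code from the diary: it parses constructed syslog lines shaped like the Cisco ASA "AAA user authentication Rejected" message and counts failures per source IP, flagging sources that hit several accounts. The log lines, hostnames, usernames and threshold are all made up for illustration.

```python
"""Triage of VPN authentication-failure syslog lines.

Added example, not code from the ISC diary. The log lines below are CONSTRUCTED
to resemble the Cisco ASA %ASA-6-113005 "AAA user authentication Rejected"
message; the exact field layout is an assumption for illustration.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: one source spraying several accounts, plus an unrelated failure.
SAMPLE_LOG = """\
May 14 08:01:10 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.5 : user = jsmith : user IP = 203.0.113.7
May 14 08:01:12 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.5 : user = jsmith : user IP = 203.0.113.7
May 14 08:01:15 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.5 : user = jsmith : user IP = 203.0.113.7
May 14 08:01:19 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.5 : user = bwong : user IP = 203.0.113.7
May 14 08:03:44 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.5 : user = rlee : user IP = 198.51.100.22
"""

REJECT_RE = re.compile(
    r"%ASA-6-113005: AAA user authentication Rejected : reason = (?P<reason>[^:]+?)"
    r" : server = (?P<server>\S+) : user = (?P<user>\S+) : user IP = (?P<src>\S+)"
)


def parse_rejects(text):
    """Return one dict (reason, server, user, src) per rejected-authentication line."""
    return [m.groupdict() for m in map(REJECT_RE.search, text.splitlines()) if m]


def summarize(events, threshold=3):
    """Count rejects per source IP and flag sources at or above the threshold.

    A single source cycling through many users, or hammering one account, is
    what the "who is targeting us?" log review is looking for.
    """
    by_src = Counter(e["src"] for e in events)
    users_per_src = defaultdict(set)
    for e in events:
        users_per_src[e["src"]].add(e["user"])
    flagged = {src: sorted(users_per_src[src]) for src, n in by_src.items() if n >= threshold}
    return {"by_src": dict(by_src), "flagged": flagged}


if __name__ == "__main__":
    report = summarize(parse_rejects(SAMPLE_LOG))
    for src, users in report["flagged"].items():
        print(f"{src}: {report['by_src'][src]} rejects against {users}")
```

Run it against a real export by replacing SAMPLE_LOG with the contents of your syslog file; sources hitting many distinct accounts are the ones to cross-check against the successful-login records.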
Microsoft May 2024 Patch Tuesday
Published: 2024-05-14
Last Updated: 2024-05-14 17:28:16 UTC
by Renato Marinho (Version: 1)
This month we got patches for 67 vulnerabilities. Of these, 1 is critical, and 1 is being exploited according to Microsoft.
The critical vulnerability is a Remote Code Execution (RCE) affecting Microsoft SharePoint Server (CVE-2024-30044). According to the advisory, an authenticated attacker with Site Owner permissions or higher could upload a specially crafted file to the targeted SharePoint Server and craft specialized API requests to trigger deserialization of the file's parameters. This would enable the attacker to perform remote code execution in the context of the SharePoint Server. The CVSS for the vulnerability is 8.8.
The zero-day vulnerability is an elevation of privilege on Windows DWM (Desktop Windows Management) Core Library (CVE-2024-30051). According to the advisory, an attacker who successfully exploited this vulnerability could gain SYSTEM privileges. The CVSS for the vulnerability is 7.8.
There is an important vulnerability affecting MinGit software (CVE-2024-32002), used by Microsoft Visual Studio, caused by an improper limitation of a pathname to a restricted directory ('Path Traversal') making it susceptible to Remote Code Execution. It is being documented in the Security Update Guide to announce that the latest builds of Visual Studio are no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information. The CVSS for the vulnerability is 9.0 – the highest for this month.
See the full list of patches ...
Read the full entry:
https://isc.sans.edu/diary/Microsoft+May+2024+Patch+Tuesday/30920/
Apple Patches Everything: macOS, iOS, iPadOS, watchOS, tvOS updated.
Published: 2024-05-14
Last Updated: 2024-05-14 01:43:19 UTC
by Johannes Ullrich (Version: 1)
Apple today released updates for its various operating systems. The updates cover iOS, iPadOS, macOS, watchOS and tvOS. A standalone update for Safari was released for older versions of macOS. One already exploited vulnerability, CVE-2024-23296 is patched for older versions of macOS and iOS. In March, Apple patched this vulnerability for more recent versions of iOS and macOS ...
Read the full entry:
https://isc.sans.edu/diary/Apple+Patches+Everything+macOS+iOS+iPadOS+watchOS+tvOS+updated/30916/