Aggregator

Summary The ICS-CERT has published an advisory that affects Schneider Electric IGSS SCADA Software. Threat Type Vulnerability Overview The ICS-CERT has published an advisory that affects Schneider Electric IGSS SCADA Software. Further information is available from the advisory which is summarized below. ICS Advisory ICSA-21-070-01 - Schneider Electric IGSS SCADA Software CVE-2021-22709 - This vulnerability could result in loss of data or remote code execution when a malicious CGF (configuration group file)

Summary Forcepoint reports on a new ZLoader invoicing scheme that uses new techniques in order to infiltrate victim machines. The new techniques show adeptness on the part of the code writers in the form of Microsoft product knowledge. Threat Type Malware, Phishing Overview One of the most common phishing lures is the invoice email. Whether from a known company, the IRS, or a random entity, the invoice is attractive to victims as it preys upon their fears of money issues. The latest scam uses new and innova

Summary Cofense reports on yet another Zoom-themed phishing campaign using the video conferencing software as a ruse to steal Microsoft credentials. Threat Type Phishing Overview Cofense has published a blog post detailing the most recent in an extensive list of Zoom-themed phishing campaigns. This one uses a highly customized email to create a sense of legitimacy. The sender is spoofed to match the company domain, and mentions of both the recipient's first and last name and the company name are found throu

Summary A phishing campaign detected by Bitdefender is targeting Coinbase users in order to empty cryptocurrency wallets. Threat Type Phishing Overview Bitdefender published a brief blog post on a recent phishing campaign targeting Coinbase users. The source and destination of the emails varies, but the majority originated from India with the largest destination being South Korea. The body and subject of the email claim that the recipient's Coinbase account was suspended due to suspicious activity and that

Summary IBM Security Guardium Insights is affected by a denial of service vulnerability that exists in the underlying version of Golang Go used by Guardium Insights. Threat Type Vulnerability Overview IBM Security Guardium Insights is affected by a denial of service vulnerability (CVE-2020-7919) that exists in the underlying version of Golang Go used by Guardium Insights. A remote attacker could potentially exploit the vulnerability using a specially-crafted x.509 certificate, possibly leading to a denial o

Summary An article from the DFIR Report looks at an intrusion where Bazar was used to drop Anchor. Both of the malwares are thought to be related to related to the group behind Trickbot. Threat Type Malware Overview The DFIR Report observed an intrusion that began with a malicious Excel file. Bazar was installed, and then around an hour later, a Cobalt Strike beacon was installed followed by Anchor. Anchor and Bazar are thought to be related to related to the group behind Trickbot. The attackers then began

Summary While investigating active botnet mining attacks, 360 Netlab discovered a change in the vulnerabilities exploited by z0Miner for spreading. Threat Type Malware, Botnet, Cryptomining Overview 360 Netlab published a blog post about recent development in z0Miner, a malicious mining family that appeared on the scene last year. When it was initially discovered, the botnet was spreading by exploiting a WebLogic unauthorized remote command execution vulnerability. The most recent attacks, however, exploit

大家好，我是BaCde。公众号开通了2个月，一直没发内容。本来计划写写网站建设思路，今天先写一篇网站的使用分享。

网站自发布以来，一直没有什么说明和教程。因为它的功能非常单一，不需要做太多介绍。但是呢，有一些小细节和场景，我觉得可以分享下。

首先，网站基础功能可以查询网站子域名，根据IP地址或IP段查询绑定的域名信息，这里支持IPv6的地址和地址段。目前最大支持显示1万条（大多数情况下足够了）。其中查询结果页面中有导出csv的功能，可以导出全部结果。其实不导出，查询全部结果只需要加入参数?full=1即可。目前大多数开源工具采集时采用也是这样的方式。

下面来说下实际应用场景。

信息收集

在收集ASN信息时，可以根据反向IP段查询，迅速确定筛选出目标的资产。

比如下图中搜索到的腾讯结果中，有很多ip段时属于腾讯云服务的机器，这些IP对我们挖掘漏洞来说，意义不大。但是可能又会存在夹杂在其中的个别目标。这时候就可以使用Reverse IP功能进行查询，然后筛选出目标或者筛选IP段。

下面随便挑了一个（58.87.64.0/18）查询结果来展示下，发现大多数不是腾讯的域名，则可以跳过，或者从中筛选出腾讯的。

溯源定位

这里主要说两个场景，第一个就是扫到某个IP存在漏洞，想知道哪个厂商的，第二个就是对于攻击IP地址是属于哪个机构的。这是两个非常常见的需求。

这里一种方法是直接查询IP地址，那么，当ip地址查不到时怎么办呢？

今天就在微信群里遇到一个例子。有人在日志中发现了360某团队的一个dnslog的地址，但是打开其域名时一个空白地址。这里我通过获取到解析的IP地址，查询C段，然后很快速的发现了dnslog平台的登录地址，根据版权信息确认是360的。

其发现的地址形如：xxx.b.nslog.0kee.360.cn。访问nslog.0kee.360.cn为空白，其解析的IP地址为123.59.211.124。通过RapidDNS来查询C段，查询链接：https://rapiddns.io/sameip/123.59.211.124/24#result。

在结果中可以发现一个0kdns.net的域名，访问后就是dnslog平台登录地址。

好了，以上就是我经常使用到的方法，跟大家分享出来。另外，网站由于网络原因，可能会不太稳定。有问题大家可即时反馈，看到后我会第一时间来解决。

扫描篇下方二维码可关注公众号

Summary After responding to multiple incidents in a single network, Secureworks was able to identify connections between the SUPERNOVA web shell and the SPIRAL threat group. Threat Type Malware, Web Shell Overview Secureworks published a blog post detailing a potential connection between the SUPERNOVA web shell and the SPIRAL threat group. This connection was made after responding to multiple incidents on a single network. The first incident occurred early in 2020, although the threat actor may have been on

Summary SAP has released its March 2021 security patches for a variety of products. Each product and a link to details on the vulnerability are listed below. In all, 13 security notes were released. Of these, 4 are rated critical, 1 is rated high, 5 are rated as medium, and 4 are updates to previously released patches. The most serious post-exploitation action, if the vulnerability is exploited, is remote code execution. In addition, privilege escalation, accessing sensitive files, and other nefarious actio

Summary TeamTNT is known to attack cloud services with intent to steal credentials, perform cryptojacking, or install backdoors. Trend Micro reports on a specific script used by the group to steal AWS credentials. Threat Type Malware Overview Trend Micro has published an analysis of a shell script used by TeamTNT to steal AWS credentials. This script was found hardcoded in a malicious binary dropped onto compromised systems. It was likely dropped onto systems after the threat actor exploited a misconfigurat

Summary Dr. Web Virus Laboratory analyzed a backdoor they've named Spyder after it was discovered at a telecommunication company based in Central Asia in December 2020. The backdoor was loaded into the system using the DLL Hijacking method. It's a modular backdoor and can utilize plug-ins it receives from it's C&C server. Threat Type Malware, Backdoor Overview A new modular backdoor was analyzed by the Doctor Web virus laboratory. It was discovered by a telecommunications company based in Central Asia in De

隐私产品细节探究

Summary Microsoft and FireEye have identified new malware that is believed to be used by the same attackers who attacked SolarWinds. FireEye refers to them as UNC2452, Microsoft has named them NOBELIUM. One notable feature available in the backdoor is the option to use decoy network traffic mixed in with C2 queries. Threat Type Malware, Backdoor, RAT Overview FireEye has discovered a new sophisticated second-stage backdoor that is possibly connected to UNC2452, the same group believed to be behind the attac

We are pleased to announce the launch of EdgeKV, our distributed key-value store, into beta! EdgeKV is enabling technology for EdgeWorkers, our serverless computing platform that enables developers to create services using JavaScript and deploy them across our platform. When writing JavaScript, data persistence is often necessary to save data from a user interaction, or to retrieve contextual data to evaluate inside a function.

0x00 前言偶然间看到SnakeYaml的资料感觉挺有意思，发现SnakeYaml也存在反序列化利用的问题

Summary Adobe has released three security updates. The updates are for Framemaker, Creative Cloud Desktop Application, and Connect. Each of the updates address at least one vulnerability rated by Adobe as Critical. Threat Type Vulnerability Overview Adobe has released three security updates. The updates are for Framemaker, Creative Cloud Desktop Application, and Connect. Each of the updates address at least one vulnerability rated by Adobe as Critical. The potential impact of successful exploitation of the

Summary In their March 2021 security updates, Microsoft list eighty-three CVE numbered vulnerabilities. Of those, ten are rated as Critical with the remainder being rated as Important. Aside from the already well publicized exploitation of the Exchange server vulnerabilities, an Internet Explorer vulnerability is reported as being exploited in the wild. Threat Type Vulnerability Overview In their March 2021 security updates, Microsoft list eighty-three CVE numbered vulnerabilities. Of those, ten are rated a

Summary In the wake of a targeted attack against CD Projekt Red, SentinelOne has published a blog post analyzing the HelloKitty ransomware. Threat Type Ransomware Overview SentinelOne has published a blog post analyzing the HelloKitty ransomware family, which was recently leveraged in a targeted attack against CD Projekt Red. HelloKitty appeared in late 2020 and is relatively rudimentary compared to other ransomware families. For example, when processes are being killed a CMD window is spawned in the foregr