• [Malware] ₿uyer ₿eware: Fake Cryptocurrency Applications Serving as Front for AppleJeus Malware:
https://www.volexity.com/blog/2022/12/01/buyer-beware-fake-cryptocurrency-applications-serving-as-front-for-applejeus-malware/
・ Volexity disclosed that the Lazarus APT group used two techniques against cryptocurrency-industry targets. The first is phishing via a fake site that serves an installer carrying the AppleJeus trojan; the installer drops a malicious payload that uses DLL side-loading (a legitimate signed executable loading a malicious DLL) and creates a scheduled task. The AppleJeus implant collects system information, uploads it to the cloud, and waits for further instructions. The second uses a Microsoft Office macro (split into decoding a blob from an OLE object and downloading the second-stage payload from OpenDrive); the subsequent logic is largely the same as in the first.
– crazyman
• APT_REPORT/APT-hunting/hunting-cobaltstrike-beacons-in-the-dark.pdf:
https://github.com/blackorbird/APT_REPORT/blob/master/APT-hunting/hunting-cobaltstrike-beacons-in-the-dark.pdf
・ BlackBerry published a white paper on hunting Cobalt Strike beacons, covering website characteristics, network traffic, file structure, hard-coded values and other angles.
– crazyman
• [Vulnerability] How we found a supply-chain vulnerability in IBM Cloud Databases for PostgreSQL : netsec:
https://www.reddit.com/r/netsec/comments/z9qeyj/how_we_found_a_supplychain_vulnerability_in_ibm/
・ A supply-chain vulnerability in IBM Cloud Databases for PostgreSQL that led to unauthorized database access.
– keenan
• How the 8086 processor’s microcode engine works:
https://www.righto.com/2022/11/how-8086-processors-microcode-engine.html
・ Explores how the microcode engine of the 8086 microprocessor works.
– lanying37
• [Tools, Linux] kernel_obj_finder:
https://github.com/chompie1337/kernel_obj_finder
・ A simple script for finding objects of a specific size in the Linux kernel.
– crazyman
• Pre-Auth RCE with CodeQL in Under 20 Minutes : netsec:
https://www.reddit.com/r/netsec/comments/zbfj1a/preauth_rce_with_codeql_in_under_20_minutes/
・ An example of quickly finding pre-auth RCE with CodeQL.
– crazyman
• [Android] Critical RCE Flaw With 2M Downloaded Android Remote Keyboard Apps Let Attackers Access keystrokes:
https://cybersecuritynews.com/rce-flaw-with-2m-downloaded-app/
・ Because of missing authentication and authorization, together with insecure communication, three apps with a combined 2 million downloads are vulnerable to RCE.
– andreszeng
• [Web] GitHub – APTIRAN/CVE-2022-21661: The first poc video presenting the sql injection test from ( WordPress Core 5.8.2-‘WP_Query’ / CVE-2022-21661):
https://github.com/APTIRAN/CVE-2022-21661
・ CVE-2022-21661: SQL injection in WordPress Core 5.8.2 'WP_Query'.
– crazyman
• [Virtualization] Huawei Security Hypervisor Vulnerability:
https://blog.impalabs.com/2212_advisory_huawei-security-hypervisor.html
・ Huawei Hypervisor: exploiting an out-of-bounds access in the logging system (CVE-2021-39979).
– crazyman
• [PDF] https://arxiv.org/pdf/2211.16212.pdf:
https://arxiv.org/pdf/2211.16212.pdf
・ The paper presents JOP (jump-oriented programming) exploitation techniques on the RISC-V architecture.
– WireFisher
• [PDF] https://www.synacktiv.com/sites/default/files/2022-11/vlc_vnc_int_overflow-CVE-2022-41325.pdf:
https://www.synacktiv.com/sites/default/files/2022-11/vlc_vnc_int_overflow-CVE-2022-41325.pdf
・ CVE-2022-41325: integer overflow in the mallocFrameBufferHandler function of VLC's VNC module.
– crazyman
• Heapdump leaking the Shiro key leads to RCE – Xianzhi Community:
https://xz.aliyun.com/t/11908
・ A Spring heapdump leaks the Shiro key, resulting in RCE.
– crazyman
• CertPotato – Using ADCS to privesc from virtual and network service accounts to local system:
https://sensepost.com/blog/2022/certpotato-using-adcs-to-privesc-from-virtual-and-network-service-accounts-to-local-system/
・ CertPotato: abusing ADCS features for privilege escalation.
– crazyman
• Redirect to https://www.cisa.gov/uscert/ncas/alerts/aa22-335a:
http://go.dhs.gov/Znp
・ US CISA published a technical advisory on a ransomware family, including TTPs and IOCs.
– andreszeng
• [IoT] GL.iNET GL-MT300N-V2 Router Vulnerabilities and Hardware Teardown:
https://boschko.ca/glinet-router/
・ Vulnerability exploitation and firmware extraction on the GL-MT300N-V2 router.
– crazyman
• [Tools] HTB: CarpeDiem:
https://0xdf.gitlab.io/2022/12/03/htb-carpediem.html
・ Writeup of the HTB machine CarpeDiem by 0xdf.
– crazyman
• [Tools] GitHub – BeichenDream/PrintNotifyPotato: PrintNotifyPotato:
https://github.com/BeichenDream/PrintNotifyPotato
・ PrintNotifyPotato: privilege escalation via the PrintNotify COM interface, for Windows 10/11 and Windows Server 2012 – 2022.
– crazyman
• [Fuzzing] UseReFuzz:
https://github.com/root-tanishq/userefuzz
・ A SQLi fuzzer dedicated to the User-Agent, X-Forwarded-For and Referer headers.
– Atum
• WebUI:The easiest attack surface in Chromes:
http://eternalsakura13.com/2022/12/03/webui/
・ Attack-surface analysis of WebUI in Chrome, covering missing checks, repeated smart-pointer initialization, thread races, UAF, etc.
– xmzyshypnc
• [Tools] Visual Studio Code: Remote Code Execution:
https://github.com/google/security-research/security/advisories/GHSA-pw56-c55x-cm9m
・ Details of the VSCode remote code execution vulnerability (CVE-2022-41034), located in the ipynb file loading flow; a user who clicks a malicious link may be attacked.
– P4nda
• Hitching a ride with Mustang Panda:
https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/
・ Avast gives a detailed look at part of Mustang Panda's toolset and the trojan loading chain.
– crazyman
• [Windows] Wh04m1001/SysmonEoP:
https://github.com/Wh04m1001/SysmonEoP
・ PoC for arbitrary file deletion/write in Sysmon (CVE-2022-41120/CVE-2022-XXXXX).
– crazyman
* To view or search past digests, visit:
https://sec.today
* Sina Weibo account: Tencent Xuanwu Lab
https://weibo.com/xuanwulab
Originally published on the WeChat official account (Tencent Xuanwu Lab): Daily Security Digest (12-5)