CIRCL (Twitter feed) @circl@mastodon.opencloud.lu

team!

for automatic processing and reporting.

We just did too but we want to be sure that we don't have any specific UTF characters or alike.

No worries. We already reported the phishing URL to the hosting company for take-down. Thanks for the report.

"There is an Incorrect Authorization vulnerability in Micro Focus Service Management Automation (SMA) product affecting version 2018.05 to 2020.02. The vulnerability could be exploited to provide unauthorized access to the Container Deployment Foundation."

https://cve.circl.lu/cve/CVE-2020-11844 …

"Pi-hole Web v4.3.2 (aka AdminLTE) allows Remote Code Execution by privileged dashboard users via a crafted DHCP static lease."

https://cve.circl.lu/cve/CVE-2020-8816 …

"IBM Security Identity Governance and Intelligence 5.2.6 could allow an unauthorized user to obtain sensitive information through user enumeration."

https://cve.circl.lu/cve/CVE-2020-4244 …

"A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 may allow remote attackers to execute arbitrary code on affected installations. Authentication is required to exploit this vulnerability."

https://cve.circl.lu/cve/CVE-2020-8605 …

"Improper Access Control in the Kiosk Mode functionality of Bosch Recording Station allows a local unauthenticated attacker to escape from the Kiosk Mode and access the underlying operating system."

https://cve.circl.lu/cve/CVE-2020-6774 …

Check Point researchers believe they have identified the individual behind the VandaTheGod hacktivist campaigns
https://research.checkpoint.com/2020/vandathegod/ …pic.twitter.com/GiVBnwaZdq

With the new misp-opendata software, MISP datasets can be automatically extracted and published on @EU_opendata @OpenDataLU portals automatically. #threatintel #opendata
https://github.com/MISP/misp-opendata … This work is part of the @VARIoT_project and co-funded by @inea_eu #CEFtelecom #PODpic.twitter.com/qF3gcwupOO

There are a lot of ongoing phishing targeting various self-hosted mail services in Luxembourg and Europe. Please be careful and don't forget to submit any suspicious url to
https://www.circl.lu/urlabuse/  #phishing #infosecpic.twitter.com/gLpzS6OPVi

DFIR Training Materials by @circl_lu : Edition May 2020 computer forensic training are published. "Post-mortem Digital Forensics", "File System Forensics and Data Recovery" and "Windows-, Memory- and File Forensics".

https://www.circl.lu/services/forensic-training-materials/ … #DFIR #Forensicpic.twitter.com/y3707L3aX2

Malspam hitting mailboxes in Germany , distributing #GuLoader -> #AZORult

GuLoader payload:

https://bazaar.abuse.ch/sample/98c39c41a62349078a4b09ae665ed9945dd207b7c02b38fa58a639089721bc5e/ …

AZORult payload URL:

https://urlhaus.abuse.ch/url/366085/ 

AZORult C2:

http://infosales.duckdns\.org/index.phppic.twitter.com/AC8wbTgMNV

#RagnarLocker deploying an old VirtualBox and a Windows XP image (totalling more than 400 MB), then mounting the drives to encrypt the files on the host from the VM. This is *really* dirty... and pretty smart when you think about AV evasion.

Are you collecting 4624 events from your endpoints? Look for unexpected type 10 (Remote Interactive, i.e. RDP or terminal services) logins. And look for unexplained 4720 (account created) too.
https://twitter.com/campuscodi/status/1263845168802914304 …

.@SANSInstitute Whitepaper:
QUIC & The Dead: Which of the Most Common IDS/IPS Tools Can Best Identify QUIC Traffic?

https://www.sans.org/reading-room/whitepapers/detection/quic-dead-common-ids-ips-tools-identify-quic-traffic-39590 … [PDF]pic.twitter.com/PoeeXKL4tA

Added most of the @Secureworks threat actor names as synonyms to the @MISPProject galaxy today.
https://twitter.com/Secureworks/status/1263580691398197249 …

Thanks to Nils @0x3c7 and @Secureworks for the contribution. MISP threat-actor galaxy is updated, published on the website, available in core MISP and all tools using the MISP project galaxies.

https://twitter.com/0x3c7/status/1263889007374729221 …pic.twitter.com/zfP3DV6Pi0

"An exploitable authentication bypass vulnerability exists in the ESPON Web Control functionality of Epson EB-1470Ui MAIN: 98009273ESWWV107 MAIN2: 8X7325WWV303"

https://cve.circl.lu/cve/CVE-2020-6091 …