to @Europol we’re aware of a #scam email claiming to represent @UNODC “#AntiCarding Department” & originating from info[@]anticarder[.]org
There is no such department and we encourage recipients to contact local if necessary or delete. #cybercrime #cybersecurity
MISP project maintains an exhaustive list of threat actors with metadata, relationships and synonyms. The format is machine-parsable and all is open source under CC-0/2-clause BSD license. Feel free to reuse and/or contribute.
https://github.com/MISP/misp-galaxy/blob/master/clusters/threat-actor.json
https://www.misp-project.org/galaxy.html#_threat_actor
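As an added example (not code from the MISP project or from the tweet's author), here is a small Python routine that builds an alias lookup from a cluster file laid out the way misp-galaxy clusters are, which I take to be a top-level "values" list whose entries carry "value", "uuid" and an optional "meta" object holding "synonyms"; the sample cluster embedded below is constructed for illustration and is not taken from the real threat-actor.json. Resolving the many names an actor goes by to one canonical name and UUID is what makes correlating reports across teams practical, and the routine reports aliases claimed by more than one actor instead of silently overwriting the first mapping.

```python
import json

# Constructed sample in the layout of a misp-galaxy cluster file.
# Assumption: the real file uses a top-level "values" list whose entries have
# "value", "uuid" and an optional "meta" with "synonyms". The actors below are
# made-up placeholders, not entries from the real threat-actor.json.
SAMPLE_CLUSTER = json.dumps({
    "name": "Threat actor",
    "type": "threat-actor",
    "version": 1,
    "values": [
        {
            "value": "Example Group Alpha",
            "uuid": "00000000-0000-4000-8000-000000000001",
            "description": "Constructed placeholder actor.",
            "meta": {"synonyms": ["ALPHA-GRP", "Alpha Team"],
                     "refs": ["https://example.invalid/alpha"]},
        },
        {
            "value": "Example Group Beta",
            "uuid": "00000000-0000-4000-8000-000000000002",
            # "Alpha Team" is deliberately claimed twice to exercise collision handling
            "meta": {"synonyms": ["Beta Crew", "Alpha Team"]},
        },
        {
            "value": "Example Group Gamma",
            "uuid": "00000000-0000-4000-8000-000000000003",
            # no "meta" at all: entries without synonyms must still be indexed
        },
    ],
})


def normalize(name):
    """Case-fold and collapse separators so 'ALPHA-GRP', 'alpha grp' and
    'Alpha_Grp' all map to the same lookup key."""
    return " ".join(name.lower().replace("-", " ").replace("_", " ").split())


def build_index(cluster_text):
    """Return (index, collisions).

    index maps a normalized alias to {"value": canonical name, "uuid": cluster uuid}.
    collisions lists (alias, first_owner, second_owner) for aliases that two
    different actors claim; the first owner keeps the mapping.
    """
    cluster = json.loads(cluster_text)
    index = {}
    collisions = []
    for entry in cluster.get("values", []):
        canonical = entry["value"]
        synonyms = entry.get("meta", {}).get("synonyms", [])
        for alias in [canonical] + list(synonyms):
            key = normalize(alias)
            owner = index.get(key)
            if owner is not None and owner["value"] != canonical:
                collisions.append((alias, owner["value"], canonical))
                continue
            index[key] = {"value": canonical, "uuid": entry["uuid"]}
    return index, collisions


def resolve(index, name):
    """Look up any alias; returns the canonical record or None if unknown."""
    return index.get(normalize(name))


if __name__ == "__main__":
    idx, dupes = build_index(SAMPLE_CLUSTER)
    for probe in ("alpha-grp", "Beta Crew", "Example Group Gamma", "nobody"):
        print(probe, "->", resolve(idx, probe))
    print("ambiguous aliases:", dupes)
```

Loading the real file is a matter of replacing SAMPLE_CLUSTER with the contents of threat-actor.json; the collision list is worth reviewing before trusting the index, because an alias shared by two actors is exactly the kind of ambiguity that gets lost when names are matched by string equality alone.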
"There is a vulnerability in all angular versions before 1.5.0-beta.0, where after escaping the context of the web application, the web application delivers data to its users along with other trusted dynamic content, without validating it."
Happy New Year! Thanks to all the 400+ contributors who contributed to the MISP project to improve information sharing and threat intelligence. Thanks to all the users and supporters who helped during 2019. #ThreatIntel #opensource
https://www.misp-project.org/contributors/
"Blink XT2 Sync Module firmware prior to 2.13.11 allows remote attackers to execute arbitrary commands on the device due to improperly sanitized input when the device retrieves updates scripts from the internet."
Happy New Year! Be the year of the improved offline backups, increased contextual information sharing, boosted raw logging support for #DFIR and supporting teams to acquire new detection/defense capabilities.
"The HTTP Authentication library before 2019-12-27 for Nim has weak password hashing because the default algorithm for libsodium's crypto_pwhash_str is not used."
2019-12-28: #TrickBot Loader #Malware -> '1079' Core Bot
Cert: [LIT-DAN UKIS UAB] #Sectigo
Crypter
CryptStringToBinaryA -> malloc -> window (hide)-> memcpy -> resource -> VirtualAllocExNuma -> Crypto Key Decrypt
Same '1079'
https://twitter.com/VK_Intel/status/1204673384539475968
h/t @malwrhunterteam
We have released a set of ethics guidelines in order to develop more practical advice and support the #IncidentResponse community. We welcome the feedback and discussion of ethical scenarios from other security teams by Jan 31, 2020. #cybersecurity
https://www.first.org/global/sigs/ethics/ethics-first
"An issue was discovered on Alcatel-Lucent OmniVista 4760 devices. A remote unauthenticated attacker can chain a directory traversal (which helps to bypass authentication) with an insecure file upload to achieve Remote Code Execution as SYSTEM."
"A global buffer overflow and a heap buffer overflow in sqlite, including the POC"
https://www.mail-archive.com/sqlite-users@mailinglists.sqlite.org/msg118240.html It's fixed in the Trunk of SQLite
https://www.mail-archive.com/sqlite-users@mailinglists.sqlite.org/msg118243.html and the bug was in the "SQLite Zipfile Module"
https://www.sqlite.org/zipfile.html
"D-Link DIR-601 B1 2.00NA devices are vulnerable to authentication bypass. They do not check for authentication at the server side and rely on client-side validation, which is bypassable. NOTE: this is an end-of-life product."
"Ubuntu whoopsie integer overflow vulnerability (CVE-2019-11484)" and the full "Chaining accidental features of Ubuntu’s crash reporter to get LPE"
https://securitylab.github.com/research/ubuntu-whoopsie-daisy-overview
https://securitylab.github.com/research/ubuntu-whoopsie-CVE-2019-11484 - thanks to @kevin_backhouse for the work and the super informative blog posts.
"The malware scan function in BullGuard Premium Protection 20.0.371.8 has a TOCTOU issue that enables a symbolic link attack, allowing privileged files to be deleted."
Don't forget to update your PyMISP library to the latest version especially to fix the issue introduced in the new MISP feed generator.
https://github.com/MISP/PyMISP/ Thanks to @rafi0t for the hard work and refactoring on the Python library to interact with the MISP API.
Let’s play (again) with Predator the thief
https://fumik0.com/2019/12/25/lets-play-again-with-predator-the-thief/
I would love to see more of the energy currently dedicated to this debate directed to a constructive effort like this. Sigma is underrated. Projects like @MISPProject provide easy means to share sigma/yara/snort sigs alongside contextual information
https://twitter.com/shotgunner101/status/1209427380827230208
"Stack-based overflow vulnerability in the logMess function in Open TFTP Server SP 1.66 and earlier allows remote attackers to perform a denial of service or execute arbitrary code via a long TFTP error packet"
CIRCL is the #CERT (Computer Emergency Response Team) for the private sector, communes and non-governmental entities in #Luxembourg.