Announcing the next EU ATT&CK Community workshop on 18-19 May 2020 in Brussels. Share your experiences with @MITREattack and learn from others! @circl_lu @CERTEU
https://attack-community.org/event/
One of the most fun talks I’ve ever given, in one of my favorite conferences. Thanks @hack_lu @raziel_e @ArgusSec
https://twitter.com/Ministraitor/status/1204323895253311489
"The FTP client in AceaXe Plus 1.0 allows a buffer overflow via a long EHLO response from an FTP server." A good reminder that software clients need to be updated regularly too...
How to find new suspicious binaries with the AIL framework in 4 easy steps. AIL automatically finds ELF binaries in base64 strings -> we correlate the decoded values, and the backdoor binary is then seen in many other items (various web-shells reused it). 10 seconds for the analyst.
"An exploitable code execution vulnerability exists in the DICOM packet-parsing functionality of LEADTOOLS libltdic.so, version 20.0.2019.3.15. A specially crafted packet can cause an integer overflow, resulting in heap corruption."
Woowza! < 24 hours since we shared the ML attack taxonomy, @adulau empowered the Threat Intel community via @MISPProject!!
This is @JohnLaTwC "Githubification of #Infosec" in action.
https://medium.com/@johnlatwc/the-githubification-of-infosec-afbdbfaad1d1
https://twitter.com/adulau/status/1204691095973769217
"A remote code execution vulnerability exists in Microsoft PowerPoint software when the software fails to properly handle objects in memory, aka 'Microsoft PowerPoint Remote Code Execution Vulnerability'."
"Client-side Vulnerabilities in Commercial VPNs"
Good idea! So @deltalimasierra took the time to translate the available OSINT report into a structured @MISPProject event
https://www.circl.lu/doc/misp/feed-osint/5dee2bc3-47ac-4784-a52a-4da2950d210f.json so it's now available to everyone in the OSINT feed. If BfV has some ideas to improve the structured MISP event, let us know.
"Symantec Industrial Control System Protection (ICSP), versions 6.x.x, may be susceptible to an unauthorized access issue that could potentially allow a threat actor to create or modify application user accounts without proper authentication."
"On SuperMicro X8STi-F motherboards with IPMI firmware 2.06 and BIOS 02.68, the Virtual Media feature allows OS Command Injection by authenticated attackers who can send HTTP requests to the IPMI IP address."
https://cve.circl.lu/cve/CVE-2019-19642
"phpMyAdmin before 4.9.2 does not escape certain Git information, related to libraries/classes/Display/GitRevision.php and libraries/classes/Footer.php."
Update On MISP - Alex Dulaunoy @adulau @MITREattack
https://youtu.be/oL8jmH1f7M8
"This improper access control vulnerability allows remote attackers to gain unauthorized access to the system. To fix these vulnerabilities, QNAP recommend updating Photo Station to their latest versions."
#Dontbeamule @Europol @EC3Europol @EBFeu
Never pass on your bank account details to anyone you do not know
Do not pass on the login credentials for your #OnlineBanking or your card details
Be wary of unsolicited offers that promise easy money
MISP 2.4.119 has been released with many improvements in the API, a security fix for CVE-2019-19379 and various changes. New MISP expansion, import and export modules were introduced. #ThreatIntel #CTI #CyberSecurity
https://www.misp-project.org/2019/12/04/MISP.2.4.119.released
"D-Link DAP-1860 devices before v1.04b03 Beta allow access to administrator functions without authentication via the HNAP_AUTH header timestamp value."
#Phishing winter is here but Santa has free tools for you!
If you receive a suspicious message you can check the link via
https://circl.lu/urlabuse/ and send it to @circl_lu via info@circl.lu
We have a new galaxy and object to express dark patterns in MISP. A good example of using MISP to model and share new threats targeting users.
Thanks to @gallypette (@circl_lu) and @b0rce (@uni_lu)
https://www.misp-project.org/galaxy.html#_dark_patterns
CIRCL is the #CERT (Computer Emergency Response Team) for the private sector, communes and non-governmental entities in #Luxembourg.