Node.js security releases announced - high severity vulnerabilities in all active versions

https://groups.google.com/g/nodejs-sec/c/TXKhlMr55UA/m/Sqak2IJnBAAJ
Forwarded from Peneter Tools
Amsi-Bypass-Powershell

This repo contains some Antimalware Scan Interface (AMSI) bypass / avoidance methods I found on different blog posts.

Most of the scripts are detected by AMSI itself. So you have to find the trigger (https://github.com/RythmStick/AMSITrigger) and change the signature at that part via variable/function renaming, string replacement, or encoding and decoding at runtime. Alternatively, obfuscate them via ISESteroids and/or Invoke-Obfuscation to get them working. You can also take a look at the blog post (https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/) about manually changing the signature to get a valid bypass again.


https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell

Source:
https://i.blackhat.com/Asia-22/Friday-Materials/AS-22-Korkos-AMSI-and-Bypass.pdf

For more and Reference :

https://twitter.com/ShitSecure
Forwarded from Peneter Tools
Security firm SpecterOps has open-sourced a new tool called Koh that can be used to capture Windows account authentication tokens for new logon sessions and reuse them for future attacks.
https://github.com/GhostPack/Koh
https://posts.specterops.io/koh-the-token-stealer-41ca07a40ed6
CVE-2022-32212: Node.js arbitrary code execution vulnerability
Recently, Node.js released an advisory fixing seven vulnerabilities, including three separate HTTP request smuggling flaws, one code execution flaw (CVE-2022-32212), and other issues.
https://securityonline.info/cve-2022-32212-node-js-arbitrary-code-execution-vulnerability/
Aqua Team Nautilus recently discovered that all Node.js versions earlier than 16.16.0 (LTS) and 14.20.0 on Windows are vulnerable to dynamic link library (DLL) hijacking if OpenSSL is installed on the host. Attackers can exploit this vulnerability (CVE-2022-32223) to escalate their privileges and establish persistence in a target environment. The vulnerability can also provide another way to embed malicious code into packages.

https://blog.aquasec.com/cve-2022-32223-dll-hijacking
Open-source analytics and interactive visualization solution Grafana recently received a critical update to fix two high-severity security vulnerabilities that enabled account takeover (CVE-2022-31107).
https://securityonline.info/cve-2022-31107-grafana-oauth-account-takeover-vulnerability/
UnRAR before 6.12 on Linux and UNIX allows directory traversal to write to files during an extract (aka unpack) operation, as demonstrated by creating a ~/.ssh/authorized_keys file. NOTE: WinRAR and Android RAR are unaffected.
https://attackerkb.com/topics/RCa4EIZdbZ/cve-2022-30333/rapid7-analysis
#unrar #zimbra
Apple released multiple security updates for iPadOS and iOS
WebKit:
CVE-2022-32787, CVE-2022-32816
Kernel:
CVE-2022-32813, CVE-2022-32817, CVE-2022-32815: Xinru Chi of Pangu Lab
https://support.apple.com/ko-kr/HT213346
#apple #update
Clément Labro published a blog post with a deep dive into the recent changes in Windows 10 & 11 security hardening brought by the July Patch Tuesday. It turned out that Microsoft quietly fixed a bypass issue in the Protected Process Light (PPL) technology, making it impossible to use the well-known PPLdump tool anymore. This tool is designed to run under an admin account and dump the memory of a specific PPL-protected process. The fix became known a few days ago, when an issue was opened for PPLdump on GitHub stating that it no longer worked on Windows 10 21H2 Build 19044.1826. The details:

https://itm4n.github.io/the-end-of-ppldump/
#redteam #hardening
Kaspersky's GReAT discovered a new version of the sophisticated UEFI firmware rootkit CosmicStrand, which gives its operators very robust and stealthy persistence in the system, with only a few security products able to detect it. The rootkit is located in the firmware images of Gigabyte or ASUS motherboards. Victims of CosmicStrand have been found in China, Vietnam, Iran and Russia.

https://securelist.com/cosmicstrand-uefi-firmware-rootkit/106973/
One of the most common methods of maintaining access to a Windows web server is a web shell, but access can also be maintained by installing a malicious extension on IIS as a backdoor to run commands and dump credentials. Learn how to identify and defend against these threats in our new blog post:
https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
Microsoft discovered and patched a 0-day exploit (CVE-2022-22047) that KNOTWEED, an Austria-based private-sector offensive actor, used to deploy the Subzero malware. Analysis of the campaigns, tactics, and payloads is in this MSTIC blog post:
https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/
Running Exploit As Protected Process Light (PPL) From Userland

Protected Process Light (PPL) is a security mechanism introduced by Microsoft in Windows 8.1. It ensures that the operating system only loads trusted services and processes by requiring them to carry a valid internal or external signature that meets the Windows requirements. It also restricts access to protected processes and is used as a self-defence mechanism by anti-malware and Windows native processes.

This blog reviews the recently patched (Windows 10 21H2 10.0.19044.1826 (24 July 2022 update))

https://tastypepperoni.medium.com/running-exploit-as-protected-process-ligh-from-userland-f4c7dfe63387

https://github.com/tastypepperoni/RunAsWinTcb
Hello and good day. The Red Team P1 webinar will be held on Thursday, 3 Shahrivar, at 13:00.
The topics to be discussed, and the link to join the webinar:
https://webinar.sindadsec.ir/redteaming
https://www.clubhouse.com/join/penetercom/JW9LySxy/M62Ge60L?utm_medium=ch_invite&utm_campaign=r-Kz80C0EtEY0mpbXRGx2Q-342422
Time: tonight at 22:30 Iran time.
You can access the archive of past rooms and news through Clubhouse itself, the Peneter YouTube channel and the Peneter blog.
https://blog.peneter.com

https://youtube.com/channel/UCewDE8winhc8DSPFnpSksTA

https://twitter.com/5tuxnet
https://twitter.com/soheilhashemii
Red Team training webinar, part two (final)
Webinar content:
APT attack simulation and walkthrough of the TTPs
Time:
Thursday, 17 Shahrivar, 14:00
Join link:
https://webinar.sindadsec.ir/redteaming/
Access to the content of the first session:
https://youtu.be/qZWNnLFaLAw
#RedTeam #BAAE