Discover and read the best of Twitter Threads about #0day
Most recents (10)
🚨 1/ Ongoing campaign primarily targeting security researchers here on Twitter.
Possibly they are trying to exploit some vulnerability in Internet Explorer and database tools like Navicat. I haven't been able to get the malicious payload yet, but something fishy is going on 🤔
Possibly they are trying to exploit some vulnerability in Internet Explorer and database tools like Navicat. I haven't been able to get the malicious payload yet, but something fishy is going on 🤔
2/ Tweets mention things like #0day, #databreach, #Kimsuky, #Lazarus and point to a file download on pan[.]baidu[.]com, just now removed.
There is also a repo on Github with connection data and credentials to supposed DBs and Web Apps that ask to use IE 🤭
There is also a repo on Github with connection data and credentials to supposed DBs and Web Apps that ask to use IE 🤭
3/ I tried 211.143.190.233:2222, at first glance harmless, but in the code we see that it points to a rather suspicious .JS.
When we deofuscate and clean, a hidden URL appears that could load the next stage, however I could not get it (maybe geofenced or some other trick).
When we deofuscate and clean, a hidden URL appears that could load the next stage, however I could not get it (maybe geofenced or some other trick).
NEW INVESTIGATION: recent Mexican #Pegasus spyware abuses led us to evidence of a trio of zero-click exploits used by #NSO.
Targets? HomeKit & FindMy.
Remarkably, #Apple's #iOS #LockdownMode blocked one of them.
Quick THREAD 1/
citizenlab.ca/2023/04/nso-gr…
Targets? HomeKit & FindMy.
Remarkably, #Apple's #iOS #LockdownMode blocked one of them.
Quick THREAD 1/
citizenlab.ca/2023/04/nso-gr…
2/ First, the new victims: Mexican lawyers representing families of victims of Military abuses
The timing of the targeting matches key developments in efforts to hold #Mexico's army responsible.
It's really bad.
We @citizenlab forensically confirmed the spyware infections.
The timing of the targeting matches key developments in efforts to hold #Mexico's army responsible.
It's really bad.
We @citizenlab forensically confirmed the spyware infections.
3/ We found evidence of 3 #zeroclick #0day chains used by NSO's #Pegasus #spyware in 2022.
First: #PWNYOURHOME: worked against #homekit even if you didn't set up a home.
Apple's changes in iOS 16.3.1 that address.
#LockdownMode also kneecaps it.
First: #PWNYOURHOME: worked against #homekit even if you didn't set up a home.
Apple's changes in iOS 16.3.1 that address.
#LockdownMode also kneecaps it.
I wrote a quick Nmap script to scan for servers potentially vulnerable to #ProxyNotShell (based on Microsoft's recommended URL blocking rule) I hope it can be useful for someone :)
[+] github.com/CronUp/Vulnera…
#0day CVE-2022-40140 CVE-2022-41082
[+] github.com/CronUp/Vulnera…
#0day CVE-2022-40140 CVE-2022-41082
Basically, it sends an SSRF-like request adding the string "Powershell" in the URI, if there is no block and the server returns the header "X-FEServer" with the server name, then it is potentially vulnerable.
Also in its mass scanning version ~
Also in its mass scanning version ~
Updated script, added #ProxyShell validation and some error handling, thanks to @CesarSilence and @GossiTheDog for their ProxyShell checker template (I was missing the "redirect_ok=false") :D
Mahalo to everybody who came to my @defcon talk "You're M̶u̶t̶e̶d̶ Rooted" 🙏🏽
Was stoked to talk about (& live-demo 😅) a local priv-esc vulnerability in Zoom (for macOS).
Currently there is no patch 👀😱
Slides with full details & PoC exploit:
speakerdeck.com/patrickwardle/… #0day
Was stoked to talk about (& live-demo 😅) a local priv-esc vulnerability in Zoom (for macOS).
Currently there is no patch 👀😱
Slides with full details & PoC exploit:
speakerdeck.com/patrickwardle/… #0day
🆕 Update(s):
🐛 Bug assigned CVE-2022-28756
🩹 Patch now available, in Zoom v5.11.5 (9788)
See Zoom's security bulletin:
explore.zoom.us/en/trust/secur…
Mahalos to @Zoom for the (incredibly) quick fix! 🙌🏽 🙏🏽
🐛 Bug assigned CVE-2022-28756
🩹 Patch now available, in Zoom v5.11.5 (9788)
See Zoom's security bulletin:
explore.zoom.us/en/trust/secur…
Mahalos to @Zoom for the (incredibly) quick fix! 🙌🏽 🙏🏽
Reversing the patch, we see the Zoom installer now invokes lchown to update the permissions of the update .pkg, thus preventing malicious subversions 🔐👍🏽
Some more information on the #Nginx #0day by @_Blue_hornet as shared via DM and published here with permission:
Update on the #Nginx 1.18 #0day:
Around 20 minutes ago @_Blue_hornet started a Github Repo arround the exploit:
github.com/AgainstTheWest…
Some more hints on the Exploit:
- Related to #Spring4Shell
- Created by #BrazenEagle
- Related to ldap-auth demon used together with #Nginx
Around 20 minutes ago @_Blue_hornet started a Github Repo arround the exploit:
github.com/AgainstTheWest…
Some more hints on the Exploit:
- Related to #Spring4Shell
- Created by #BrazenEagle
- Related to ldap-auth demon used together with #Nginx
A major civil war going on the Russian cyber-criminal underground between the #Lockbit #Blackmatter #ransomware groups and other threat actors! @TalosSecurity
After alleging for a long time that Kajit, the former owner of RAMP is a cop, LockBittSupp posted a massive bombshell t0 XSS(DaMaGe LaB) Russian hacking forum
LockBitSupp (#lockbit #ransomware) just shared proof of conversations between vx-underground and Kajit proving that Kajit was the one who leaked the BlackMatter admin panel. What is interesting is that the admin panel was shared with wazawaka/boriselicin
Warum wir mit Cyber-Sicherheit ein Problem haben, fragt ihr?
Wieso Veröffentlichung oder #0day Trading mit #Schwachstellen und #Exploits (leider) der "bessere" Deal ist. (cc @certbund)
In einem Tweet erklärt:
Wieso Veröffentlichung oder #0day Trading mit #Schwachstellen und #Exploits (leider) der "bessere" Deal ist. (cc @certbund)
In einem Tweet erklärt:
cc @z_edian
Time for fun! The @WordPress plugin known as Social Network Tabs, made by Design Chemical, combines all of your favorite social networks profiles. Due to their poor coding skills I was able to take over 127 Twitter accounts #0day #infosec github.com/fs0c131y/CVE-2…
This is caused by the following lines of code within the page where the Twitter widget is displayed. Yes, they leak the Twitter access_token, access_token_secret, consumer_key and consumer_secret of their user
Thanks to @publicww, with the following search queries, I managed to retrieve the Twitter access_token, access_token_secret, consumer_key and consumer_secret from 539 vulnerable websites
No, it’s not the NaMo app but thanks for giving me my next topic ☺️
#0day Flash exploit CVE-2018-4878 has been seen in attack that used a malformed Flash object embedded in Excel document. Protected view can prevent automatic execution of the exploit. ASR in Windows Defender Exploit Guard on Windows 10 and EMET on older systems can also protect.
On Windows 10 Fall Creators Update, properly configured Attack surface reduction (ASR) rules can help to mitigate the in-the-wild Flash exploit delivered through Office documents.
Windows Defender AV protections have been available since February 1 to detect and block the exploit and related payloads. Windows Defender ATP flags malicious behaviors, as well as exposes alerts from Windows Defender Exploit Guard and Windows Defender AV.
