Gi7w0rm
Apr 9, 2022
Some more information on the #Nginx #0day by @_Blue_hornet as shared via DM and published here with permission:
Update on the #Nginx 1.18 #0day:
Around 20 minutes ago @_Blue_hornet started a GitHub repo around the exploit:
github.com/AgainstTheWest…

Some more hints on the Exploit:
- Related to #Spring4Shell
- Created by #BrazenEagle
- Related to the ldap-auth daemon used together with #Nginx
@_Blue_hornet Another update containing a potential temporary #workaround has been pushed to GitHub just now.
Also confirming that #ldap-auth daemon is indeed vulnerable. Also mentioning that @Atlassian accounts are affected.

#0day #ldap #injection #nginx
@campuscodi So as this Tweet is getting some reach, some might be asking themselves how @_Blue_hornet operates.
@PogoWasRight did an interview with them around 6 days ago and I think it is worth a read :)

Link:
databreaches.net/an-interview-w…
@_Blue_hornet @Atlassian For those who want/need even more info, here is an internal message by ATW on this #exploit and its capabilities.
Seems ATW is unsure for now if it is an #LDAP issue or if it's only affecting #Nginx
Ok, as this tweet gets way more exposure than I am used to, please keep the following in mind:
Everything I share is based on claims by @_Blue_hornet .
I have not seen a PoC, I have not seen a successful exploitation and I do not know if any of this is true.
I do not warrant!
@_Blue_hornet @Atlassian So, in an unexpected turn of events @_Blue_hornet went dark.
They suggested it's forever.
I am unsure how to proceed now.
A lot of noise I willingly shared as I trusted in them and now this.
For the time being, I will quote my tweet from before:
So it seems @_Blue_hornet has updated the GitHub repo several times since my last tweet.
Nothing too important in my eyes, but mentioning it just in case:
github.com/AgainstTheWest…

At least it shows that he/they are still maintaining the repo :)
As several people have pointed out, it seems @nginx has released an article about the vulnerability described above. The article points out ways to mitigate and states that ONLY THE #Nginx REFERENCE IMPLEMENTATION IS AFFECTED.

nginx.com/blog/addressin…

#nginxday #0day
