🥪 & #threatintel: we published a tag for CVE-2024-2389, a command-injection vulnerability in Progress Flowmon accessible without authentication.

(fixed CVE # from a previous post)

https://viz.greynoise.io/tags/progress-flowmon-cve-2024-2389-command-injection-rce-attempt?days=10

🚨EXPLOIT CODE🚨PoC for critical Progress Flowmon vulnerability released (CVE-2024-2389).

#Clearnet #DarkWebInformer #DarkWeb #Exploit #Cyberattack #Cybercrime #Flowmon #Infosec #CTI #CVE20242389 #Vulnerability

https://github.com/RhinoSecurityLabs/CVEs/tree/master/CVE-2024-2389

X Link: https://twitter.com/DarkWebInformer/status/1783860822386659836

Palto Alto Networks: How to Remedy CVE-2024-3400
So Palo Alto Networks has an actual remediation (read: incident response) knowledge base article for CVE-2024-3400 (10.0 critical, disclosed 12 April 2024 as an exploited zero-day), "based on the current view of the most effective and least disruptive remediation for customers." Their guidance is simple:

• Level 0 Probe: Unsuccessful exploitation attempt: No indication of compromise = apply hotfix patch
• Level 1 Test: 0-byte file has been created and is resident on the firewall: still not compromised = apply hotfix patch
• Level 2 Potential Exfiltration: File on the device has been copied to a location accessible via a web request (common IOC: running_config.xml): apply hotfix patch and perform private data reset (NOTE: PAN states suggested remediation will eliminate the possibility of capturing forensic artifacts)
• Level 3 Interactive access: Interactive command execution: apply hotfix patch and factory reset.

It's implied that the threat actor would move laterally from the compromised device and establish persistence (additional backdoors, etc.) so threat hunting and containment should be prioritized.

#CVE_2024_3400 #PaloAltoNetworks #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #DFIR

Good haul this week, including #exploit modules for PAN-OS CVE-2024-3400, FortiClient CVE-2023-48788, and Apache Solr CVE-2023-50386. Some solid fixes and enhancements too! 🐚 https://www.rapid7.com/blog/post/2024/04/26/metasploit-weekly-wrap-up-04-26-24/

The CrushFTP vulnerability, CVE-2024-4040 -- demo of the file inclusion trick and some of the speculation on the sessions.obj usage to gain remote code execution (I recorded this mid-week before some of the other public analysis was out 😅)
https://www.youtube.com/watch?v=etHDJWYElso

Big thanks to @FlareSystems for sponsoring this video! You can track down shady sellers, hunt for cybercrime, or manage threat intelligence and your exposed attack surface with Flare! Try a free trial: https://jh.live/flare

The hubbub about Cisco is winding down, but in case you are handling an active security incident, Computer Incident Response Center Luxembourg (CIRCL) recommended users of Cisco ASA equipment follow the Cisco ASA Forensic Investigation Procedures for First Responders.
This document was created 19 August 2019 and revised 3 times (latest 25 January 2024) by the original author, so it is certainly reliable.

It outlines a number of commands that can be run to gather evidence for an investigation along with the respective output that should be collected upon running these commands. This document also provides information on how to perform integrity checks on an ASA’s system images, and includes a procedure for collecting a core file/memory dump from an ASA device.

#Cisco #CVE_2024_20353 #CVE_2024_20359 #activeexploitation #IR #DFIR #eitw

Sysdig: Meet the Research behind our Threat Research Team – RSA 2024
I thought the title was a typo but Sysdig showcases various threats and vulnerabilities that their threat research team worked on: such as SSH-Snake, Romanian threat actor RUBYCARP, Operation SCARLETEEL, cryptojacking Operation AMBERSQUID, Meson Network, Operation LABRAT, CVE-2024-3094 (XZ Utils), and the Leaky Vessels vulnerabilities. You can meet the threat research team at booth S-742 at RSA Conference 2024, May 6 – 9 in San Francisco.

Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtai [...]

https://t.me/UnitooNews/31630

#UnitooDailyNews #unitoo #News #Worldnews #tech

also if anyone wants to exploit CVE-2024-26218 i would be very interested in seeing that :)

Tiens, le pwnage de la PlayStation, discuté depuis le début de l'année, repose sur une faille de sécurité datant de 2006!

"For some reason, the PS4/PS5 is vulnerable to CVE-2006-4304. By having invalid options, it is possible to cause a heap buffer overwrite and overread."
👇
https://hackerone.com/reports/2177925

"PS4/PS5: TheFloW discloses Kernel vulnerability relying on old bug from 2006, impacts PS4 up to 11.00 & PS5 up to 8.20, more details in May"
👇
https://wololo.net/2024/04/26/ps4-ps5-theflow-discloses-kernel-vulnerability-relying-on-old-bug-from-2006-impacts-ps4-up-to-11-00-ps5-up-to-8-20-more-details-in-may/

#CVE_2006_4304 #PS5Share

Good haul this week, including #exploit modules for PAN-OS CVE-2024-3400, FortiClient CVE-2023-48788, and Apache Solr CVE-2023-50386. Some solid fixes and enhancements too! 🐚 https://www.rapid7.com/blog/post/2024/04/26/metasploit-weekly-wrap-up-04-26-24/

Good haul this week, including #exploit modules for PAN-OS CVE-2024-3400, FortiClient CVE-2023-48788, and Apache Solr CVE-2023-50386. Some solid fixes and enhancements too! 🐚 https://www.rapid7.com/blog/post/2024/04/26/metasploit-weekly-wrap-up-04-26-24/

Cactus Ransomware Exploits Qlik Vulnerabilities for Initial Access Mega Toot

• ShadowServer Foundation: CRITICAL: Vulnerable/Compromised Qlik Sense Special Report
• FoX-IT: Sifting through the spines: identifying (potential) Cactus ransomware victims
• Cyberveilig Nederland: (Dutch) Persbericht: Samenwerkingsverband Melissa vindt diverse Nederlandse slachtoffers van ransomwaregroepering Cactus (official press release)
• Dutch Institute for Vulnerability Disclosure (DIVD): DIVD CSIRT Congratulates Project Melissa
• Northwave Cybersecurity: PrickSense: How Cactus Exploits Qlik Sense

This was reported last year by Arctic Wolf as Cactus Ransomware was actively exploiting Qlik Sense servers for initial access. The vulnerabilities are as follows:

• CVE-2023-41266 (vendor 8.2 high/NVD 6.5 medium) path traversal, disclosed ~29 August 2023?, added to CISA KEV Catalog 07 December 2023
• CVE-2023-41265 (vendor 9.6 critical/NVD 9.9 critical) also known as ZeroQlik ... HTTP Request Tunneling vulnerability, disclosed ~29 August 2023?, added to KEV 07 December 2023
• CVE-2023-48365 (vendor 9.6 critical/NVD 9.9 critical) also known as DoubleQlik ... EoP and a patch bypass of CVE-2023-41265, disclosed 15 November 2023

Project Melissa, a public-private partnership against ransomware, identified 3100 vulnerable servers worldwide and notified their organizations. 122 of these servers were actively being exploited.

#Cactus #ransomware #CVE_2023_41266 #CVE_2023_41265 #CVE_2023_48365 #Qlik #vulnerability #threatintel

Cactus Ransomware Exploits Qlik Vulnerabilities for Initial Access Mega Toot

• ShadowServer Foundation: CRITICAL: Vulnerable/Compromised Qlik Sense Special Report
• FoX-IT: Sifting through the spines: identifying (potential) Cactus ransomware victims
• Cyberveilig Nederland: (Dutch) Persbericht: Samenwerkingsverband Melissa vindt diverse Nederlandse slachtoffers van ransomwaregroepering Cactus (official press release)
• Dutch Institute for Vulnerability Disclosure (DIVD): DIVD CSIRT Congratulates Project Melissa
• Northwave Cybersecurity: PrickSense: How Cactus Exploits Qlik Sense

This was reported last year by Arctic Wolf as Cactus Ransomware was actively exploiting Qlik Sense servers for initial access. The vulnerabilities are as follows:

• CVE-2023-41266 (vendor 8.2 high/NVD 6.5 medium) path traversal, disclosed ~29 August 2023?, added to CISA KEV Catalog 07 December 2023
• CVE-2023-41265 (vendor 9.6 critical/NVD 9.9 critical) also known as ZeroQlik ... HTTP Request Tunneling vulnerability, disclosed ~29 August 2023?, added to KEV 07 December 2023
• CVE-2023-48365 (vendor 9.6 critical/NVD 9.9 critical) also known as DoubleQlik ... EoP and a patch bypass of CVE-2023-41265, disclosed 15 November 2023

Project Melissa, a public-private partnership against ransomware, identified 3100 vulnerable servers worldwide and notified their organizations. 122 of these servers were actively being exploited.

#Cactus #ransomware #CVE_2023_41266 #CVE_2023_41265 #CVE_2023_48365 #Qlik #vulnerability #threatintel

Cactus Ransomware Exploits Qlik Vulnerabilities for Initial Access Mega Toot

• ShadowServer Foundation: CRITICAL: Vulnerable/Compromised Qlik Sense Special Report
• FoX-IT: Sifting through the spines: identifying (potential) Cactus ransomware victims
• Cyberveilig Nederland: (Dutch) Persbericht: Samenwerkingsverband Melissa vindt diverse Nederlandse slachtoffers van ransomwaregroepering Cactus (official press release)
• Dutch Institute for Vulnerability Disclosure (DIVD): DIVD CSIRT Congratulates Project Melissa
• Northwave Cybersecurity: PrickSense: How Cactus Exploits Qlik Sense

This was reported last year by Arctic Wolf as Cactus Ransomware was actively exploiting Qlik Sense servers for initial access. The vulnerabilities are as follows:

• CVE-2023-41266 (vendor 8.2 high/NVD 6.5 medium) path traversal, disclosed ~29 August 2023?, added to CISA KEV Catalog 07 December 2023
• CVE-2023-41265 (vendor 9.6 critical/NVD 9.9 critical) also known as ZeroQlik ... HTTP Request Tunneling vulnerability, disclosed ~29 August 2023?, added to KEV 07 December 2023
• CVE-2023-48365 (vendor 9.6 critical/NVD 9.9 critical) also known as DoubleQlik ... EoP and a patch bypass of CVE-2023-41265, disclosed 15 November 2023

Project Melissa, a public-private partnership against ransomware, identified 3100 vulnerable servers worldwide and notified their organizations. 122 of these servers were actively being exploited.

#Cactus #ransomware #CVE_2023_41266 #CVE_2023_41265 #CVE_2023_48365 #Qlik #vulnerability #threatintel

Maybe it's just easier to create the flaws first and then attach the rest of the software. #infosec #cybersecurity

CVE-2024-2859; CVE-2024-29960; CVE-2024-29961; CVE-2024-29963; CVE-2024-29966

Severe Flaws Disclosed in #Brocade SANnav SAN Management Software - all 18 of them https://thehackernews.com/2024/04/severe-flaws-disclosed-in-brocade.html @thehackernews

Maybe it's just easier to create the flaws first and then attach the rest of the software. #infosec #cybersecurity

CVE-2024-2859; CVE-2024-29960; CVE-2024-29961; CVE-2024-29963; CVE-2024-29966

Severe Flaws Disclosed in #Brocade SANnav SAN Management Software - all 18 of them https://thehackernews.com/2024/04/severe-flaws-disclosed-in-brocade.html @thehackernews

Maybe it's just easier to create the flaws first and then attach the rest of the software. #infosec #cybersecurity

CVE-2024-2859; CVE-2024-29960; CVE-2024-29961; CVE-2024-29963; CVE-2024-29966

Severe Flaws Disclosed in #Brocade SANnav SAN Management Software - all 18 of them https://thehackernews.com/2024/04/severe-flaws-disclosed-in-brocade.html @thehackernews

Maybe it's just easier to create the flaws first and then attach the rest of the software. #infosec #cybersecurity

CVE-2024-2859; CVE-2024-29960; CVE-2024-29961; CVE-2024-29963; CVE-2024-29966

Severe Flaws Disclosed in #Brocade SANnav SAN Management Software - all 18 of them https://thehackernews.com/2024/04/severe-flaws-disclosed-in-brocade.html @thehackernews

Maybe it's just easier to create the flaws first and then attach the rest of the software. #infosec #cybersecurity

CVE-2024-2859; CVE-2024-29960; CVE-2024-29961; CVE-2024-29963; CVE-2024-29966

Severe Flaws Disclosed in #Brocade SANnav SAN Management Software - all 18 of them https://thehackernews.com/2024/04/severe-flaws-disclosed-in-brocade.html @thehackernews