Netflix has identified several TCP networking vulnerabilities in FreeBSD and Linux kernels.
See the netflix information security advisory:
sudo hping3 yourhost --tcp-mss 20 -S --flood
SwitHak
/ 20190618-TLP-WHITE-TCPSACK.MD
Last active
November 23, 2023 07:47
Tracking vendors responses to TCP SACK vulnerabilities
SwitHak
/ 20190730-TLP-WHITE_URGENT11_VxWorks.MD
Last active
June 5, 2020 08:12
Tracking vendors responses to URGENT/11 VxWorks vulnerabilities (Last updated: 2020-02-21 1019 UTC)
Armis released new information about the vulnerabilities scope. The vulnerabilities impact more RTOS than expected.
- Some of the vulnerabilities discovered by Armis doesn't resides in VxWorks RTOS but in one part of it, the IP stack. This IP stack named IPNET stack comes from Interpeak AB, a company acquired by Wind River the editor of VxWorks RTOS, the 20th March 2006.
- Before been acquired by Wind River, the Interpeak AB company sold IP stacks to several customers of them. Interpeak AB sold 2 major IP stacks named IPNET & IPLITE, IPLITE is a light version of IPNET.
SwitHak
/ 20200109-TLP-WHITE_Destructive-Attack-DUSTMAN_Technical-Report_IOC.txt
Last active
January 9, 2020 09:45
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Host Indicator of Compromises (Comma separator used): | |
| --- | |
| Name,MD5 Hash,SHA-1 Hash,SHA-256 Hash,Size (bytes),Type,Compilation Date | |
| dustman.exe,8AFA8A59EEBF43EF223BE52E08FCDC67,E3AE32EBE8465C7DF1225A51234F13E8A44969CC,F07B0C79A8C88A5760847226AF277CF34AB5508394A58820DB4DB5A8D0340FC7,264704,64-bit EXE,Sun Dec 29 08:57:19 2019 (GMT+3) | |
| elrawdsk.sys,993E9CB95301126DEBDEA7DD66B9E121,A7133C316C534D1331C801BBCD3F4C62141013A1,36A4E35ABF2217887E97041E3E0B17483AA4D2C1AEE6FEADD48EF448BF1B9E6C,24576,64-bit EXE,Sun Oct 14 10:43:19 2012(GMT+3) | |
| assistant.sys,EAEA9CCB40C82AF8F3867CD0F4DD5E9D,7C1B25518DEE1E30B5A6EAA1EA8E4A3780C24D0C,CF3A7D4285D65BF8688215407BCE1B51D7C6B22497F09021F0FCE31CBEB78986,68288,64-bit EXE,Sat May 31 05:18:53 2008 (GMT+3) | |
| agent.exe,F5F8160FE8468A77B6A495155C3DACEA,20D61C337653392EA472352931820DC60C37B2BC,44100C73C6E2529C591A10CD3668691D92DC0241152EC82A72C6E63DA299D3A2,116224,64-bit EXE,Sun Dec 29 08:56:27 2019 (GMT+3) |
SwitHak
/ 20200114-TLP-WHITE_CVE-2020-0601.md
Last active
February 9, 2024 14:42
BlueTeam CheatSheet * CVE-2020-0601 * crypt32.dll | Last updated: 2020-01-21 1817 UTC
- Microsoft disclosed a vulnerability in their monthly Patch Tuesday referenced under CVE-2020-0601.
- The vulnerability was discovered by the U.S. National Security Agency, anounced today (2020-01-14) in their press conference, followed by a blog post and an official security advisory.
- The flaw is located in the "CRYPT32.DLL" file under the C:\Windows\System32\ directory.
- NSA description:
- NSA has discovered a critical vulnerability (CVE-2020-0601) affecting Microsoft Windows® cryptographic functionality.
SwitHak
/ 20200312-TLP-WHITE_CVE-2020-0796.md
Last active
February 21, 2023 11:19
BlueTeam CheatSheet * CVE-2020-0796 * SMBGhost | Last updated: 2020-03-18 1238 UTC
- A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests.
- An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client.
- To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it.
- The security update addresses the vulnerability by correcting how the SMBv3 protocol handles these specially crafted requests.
- Vulnerability was discovered by Microsoft Platform Security Assurance & Vulnerability Research team.
SwitHak
/ 20200318-TLP-WHITE-IOC-AVAST-20200318_FT_202003181642.csv
Last active
March 18, 2020 22:18
.:AVAST TELEMETRY:. | Source: https://www.apklab.io/covid19 | Curated:Removed duplicates, extract domains to CSV format to be exploited
We can make this file beautiful and searchable if this error is corrected: It looks like row 2 should actually have 1 column, instead of 2 in line 1.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 20200318-IOC-AVAST-20200318_FT_202003181642 | |
| Separator: single comma [,] | |
| |DOMAINS| | |
| finland-coronavirus-map.netlify.com,coronavirus-traker.en.aptoide.com,coronavirus.marinhhs.org,www.info-coronavirus.be,coronavirus.utah.gov,coronavirus.dc.gov,coronavir.ru,covid19.min-saude.pt,getcoronavirusalert.com,coronavirus-status.s3.eu-central-1.amazonaws.com,coronavirus-daily-status.firebaseio.com,covid19japan.com,coronavirus.epidemixs.org,covid19.egreen.io,covid-19-lk-dev.firebaseio.com,coronaviruss.ir,coronavirus-d9a66.firebaseio.com,flutter-covid19.firebaseio.com,coronavirus-mask.com,coronavirus-tracker-api.herokuapp.com,coronavirus-a600f.firebaseio.com,coronavirusmap-eb48d.firebaseio.com,covid19.tfone.ir,covid-19-e9057.firebaseio.com,covid19-dd7f7.firebaseio.com,covid-19-healthlynked.firebaseio.com,coronavirus-statistics-710b6.firebaseio.com,covid-19-6538f.firebaseio.com,coronavirus-3ffb2.firebaseio.com,coronavirus-alert.firebaseio.com,micronekcovid19.blob.core.windows.net,covid-19-live-news-statistics.firebaseio.com |
SwitHak
/ 20200318-TLP-WHITE-IOC-RISKIQ-20200317-REPORT_CURATED.csv
Created
March 18, 2020 22:26
.:RISKIQ REPORT:. | Source: https://cdn.riskiq.com/wp-content/uploads/2020/03/COVID-19-Daily-Update-RiskIQ-i3_17-03-2020.pdf |Curated: Removed duplicates, extract domains and subject to CSV format to be exploited
We can make this file beautiful and searchable if this error is corrected: Illegal quoting in line 2.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 20200318-IOC-RISKIQ-20200317-REPORT_CURATED | |
| Separator: single comma [,], except for subjects ["] | |
| |URLs| | |
| http://coronavirus-guidelines.online,http://coronavirus0012.000webhostapp.com/,http://coronavirus2020covid-19.000webhostapp.com/,http://coronaviruscovid19-information.com/en/corona.apk,http://coronaviruscovid19-information.com/it/corona.apk,http://coronavirusnepal10.000webhostapp.com:443/,http://coronavirusnepal16.000webhostapp.com/,http://coronavirusnepal7.000webhostapp.com/,http://coronavirustest.ru/,http://drunkwhitekids.com/wordpress/wp-includes/theme-compat/coronavirus/,http://nepalcoronavirus2.000webhostapp.com/,http://raymondne.buzz:443/COVID-19PRECAUTIONS/toda/office.php,http://toyswithpizzazz.com.au/service/coronavirus,http://zep0de.com/COVID-19.zip,https://advancedaesthetics.ch/fkja/coronavirusutm.sourceutm.mediumcampaigncoronaemailUniquea51c1d067cfe4e6696ca8147bb3c5d90.26sourceImagePreview.html,https://advancedaesthetics.ch/fkja/coronavirusutm.sourceutm.mediumcampaigncoronaemailuniquea51c1d067cf |
SwitHak
/ 20200318-TLP-WHITE-IOC-RECORDEDFUTURE-20200318.csv
Last active
March 22, 2020 23:42
.:Recorded Future:. | Source: https://go.recordedfuture.com/hubfs/reports/cta-2020-0312-2.pdf | Curated: Removed duplicates, extract domains and subject to CSV format to be exploited
We can make this file beautiful and searchable if this error is corrected: It looks like row 2 should actually have 1 column, instead of 2 in line 1.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 20200318-IOC-RECORDEDFUTURE-20200318 | |
| Separator: single comma [,] | |
| |DOMAINS| | |
| cdc-gov.org,Cdcgov.org,insiderppe.cloudapp.net,cloud-security.ggpht.ml,cloud-security.ggpht.ml | |
| |EMAILS@| | |
| Postmaster[@]mallinckrodt.xyz,brentpaul403[@]yandex.ru |
SwitHak
/ 20200329_TLP:WHITE_SANA-Video-subtitles_translation_RU->EN.md
Created
March 29, 2020 19:50
Translation for the demo video of SANA, Russian project aiming to monitor Social Networks like Facebook, Twitter, VK, etc...
- This is the translation for the demo video of SANA, Russian project aiming to monitor Social Networks like Facebook, Twitter, VK, etc...
00:02 Основные объекты системы находятся в меню слева
The main system objects are in the menu on the left.
00:05 Инфоповоды отслеживают возникновение необходимых сообщений
SwitHak
/ 20200504-TLP-WHITE_SaltStack_CVE-2020-11651.md
Last active
February 4, 2021 10:57
BlueTeam CheatSheet * CVE-2020-11651 * SaltStack | Last updated: 2020-06-03 0938 UTC
- Currently no cool name, what are you doing @GossiTheDog ? ;)
- A critical vulnerability have been discovered by FSECURE Labs team in the SaltStack product.
- The vulnerability is a Remote Code Execution with the higher CVSS number possible 10/10 and the CVE number is CVE-2020-11651.
- there's also another vulnerability referenced under the CVE-2020-11652, discovered in the same time also per FSECURE.
- The vulnerability is actively exploited (Some says since Saturday morning 2020-05-02) and several exploits are in the wild.
- We currently knows at least 5 victims, even big names are concerned.
- This is not a drill or something you can patch later, act now.
OlderNewer