Author: Dr. Johannes B. Ullrich

EternalBlue 5 Years After WannaCry and NotPetya
https://isc.sans.edu/forums/diary/EternalBlue+5+years+after+WannaCry+and+NotPetya/28816/
OpenSSL Patches Two Vulnerabilities
https://www.openssl.org/news/secadv/20220705.txt
Iconburst NPM Software Suppl…

Read more →

7Zip Mark of the Web For Office Files
https://isc.sans.edu/forums/diary/7Zip+MoW+For+Office+files/28812/
SessionManager Backdoor Seen with IIS
https://securelist.com/the-sessionmanager-iis-backdoor/106868/
Googe Chrome Stable Channel Update
https://…

Read more →

Case Study: Cobalt Strike Server Lives on After its Domain is Suspended
https://isc.sans.edu/forums/diary/Case+Study+Cobalt+Strike+Server+Lives+on+After+Its+Domain+Is+Suspended/28804/
CVE-2022-28219: Unauthenticated XXE to RCE and Domain Compromise in…

Read more →

Its New Phone Day: Time to Migrate Your MFA
https://isc.sans.edu/forums/diary/Its+New+Phone+Day+Time+to+migrate+your+MFA/28800/
Managing Human Risk Security Awareness Report
https://go.sans.org/lp-wp-2022-sans-security-awareness-report
Microsoft Azur…

Read more →

Possible Scans for HiByMusic Devices
https://isc.sans.edu/forums/diary/Possible+Scans+for+HiByMusic+Devices/28796/
OpenSSL Heap Overflow
https://guidovranken.com/2022/06/27/notes-on-openssl-remote-memory-corruption/
https://github.com/openssl/openss…

Read more →

Encrypted Client Hello: Anybody Using it Yet?
https://isc.sans.edu/forums/diary/Encrypted+Client+Hello+Anybody+Using+it+Yet/28792/
Jenkins Advisory
https://www.jenkins.io/security/advisory/2022-06-22/
Instagram Age Verification
https://about.fb.com/…

Read more →

Python Abusing the Windows GUI
https://isc.sans.edu/forums/diary/Python+abusing+The+Windows+GUI/28780/
Malicious Code Passed to PowerShell via the Clipboard
https://isc.sans.edu/forums/diary/Malicious+Code+Passed+to+PowerShell+via+the+Clipboard/28784…

Read more →

Malicious PowerShell Targeting Cryptocurrency Browser Extensions
https://isc.sans.edu/forums/diary/Malicious+PowerShell+Targeting+Cryptocurrency+Browser+Extensions/28772/
Keeping PowerShell: Security Measures to Use and Embrace
https://media.defense….

Read more →

Experimental New Domain / Domain Age API
https://isc.sans.edu/forums/diary/Experimental+New+Domain+Domain+Age+API/28770/
Forescout Vedere Labs Discovers 56 OT Vulnerabilities
https://www.forescout.com/resources/ot-icefall-report/
Cloudflare Outage
h…

Read more →

Odd TCP Fast Open Packets
https://isc.sans.edu/forums/diary/Odd+TCP+Fast+Open+Packets+Anybody+understands+why/28766/
DFSCoerce NTLM Relay Attack
https://github.com/Wh04m1001/DFSCoerce
https://support.microsoft.com/en-us/topic/kb5005413-mitigating-nt…

Read more →

Critical Vulnerability in Splunk Enterprise Deployment Server Functionality
https://isc.sans.edu/forums/diary/Critical+vulnerability+in+Splunk+Enterprises+deployment+server+functionality/28760/
Malspam Pushes Matanbuchus Malware Leads to Cobalt Strike…

Read more →

Houdini is Back Delivered Through a JavaScript Dropper
https://isc.sans.edu/forums/diary/Houdini+is+Back+Delivered+Through+a+JavaScript+Dropper/28746/
Drifting Cloud: Zero-Day Sophos Firewall Exploitation
https://www.volexity.com/blog/2022/06/15/drif…

Read more →

Terraforming Honeypots: Using IaaC & Cloud to Attract Attacks
https://isc.sans.edu/forums/diary/Terraforming+Honeypots+Installing+DShield+Sensors+in+the+Cloud/28748/
Zimbra Email – Stealing Clear=Text Credenitals via Memcache Injection
https://blog.s…

Read more →

Microsoft Patch Tuesday
https://isc.sans.edu/forums/diary/Microsoft+June+2022+Patch+Tuesday/28742/
Adobe Patches
https://helpx.adobe.com/security/security-bulletin.html
SynLapse Vulnerability
https://orca.security/resources/blog/synlapse-critical-az…

Read more →

Translating Saitama’s DNS Tunneling
https://isc.sans.edu/forums/diary/Translating+Saitamas+DNS+tunneling+messages/28738/
Travis CI Logs Expose Users to Cyber Attacks
https://blog.aquasec.com/travis-ci-security
Linux Threat Hunting: “Syslogk” a kernel…

Read more →

EPSScall: An Exploit Prediction Scoring System App
https://isc.sans.edu/forums/diary/EPSScall+An+Exploit+Prediction+Scoring+System+App/28732/
PACMan Attack
https://pacmanattack.com
https://twitter.com/wdormann/status/1535245913857351680
Carrier Lene…

Read more →

TA570 QBot attempts to exploit CVE-2022-30190 (Follina)
https://isc.sans.edu/forums/diary/TA570+Qakbot+Qbot+tries+CVE202230190+Follina+exploit+msmsdt/28728/
Analysis of a Facebook Phishing Campaign
https://pixmsecurity.com/blog/blog/phishing-tactics-…

Read more →

SANS RSA Panel
(sorry, video no longer available)
Atlassian Confluence Attacks
https://isc.sans.edu/forums/diary/Atlassian+Confluence+Exploits+Seen+By+Our+Honeypots+CVE202226134/28722/
Fake CClenaer Malvertisements
https://blog.avast.com/fakecrack-c…

Read more →

The Trouble With Microsoft’s Troubleshooters
https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd
QBot Uses Follina
https://twitter.com/threatinsight/status/1534227444915482625
Deadbolt Ransomware
https://www.trendmicro.c…

Read more →

MS-MSDT RTF Maldocs Analysis oledump Plugins
https://isc.sans.edu/forums/diary/msmsdt+RTF+Maldoc+Analysis+oledump+Plugins/28718/
Cybercriminals Exploit Reverse Tunnel Services and URL Shorteners
https://cloudsek.com/whitepapers_reports/cybercriminals-…

Read more →

Sandbox Evasion… With Just a Filename!
https://isc.sans.edu/forums/diary/Sandbox+Evasion+With+Just+a+Filename/28708/
Atlassian Exploit Released
https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/
GitLab Cri…

Read more →

Quick Answers in Incident Response RECmd.exe
https://isc.sans.edu/forums/diary/Quick+Answers+in+Incident+Response+RECmdexe/28706/
Zero-Day Exploitation of Atlassian Confluence
https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassia…

Read more →

HTML Phishing Attachments – Now With Anti-Analysis Features
https://isc.sans.edu/forums/diary/HTML+phishing+attachments+now+with+antianalysis+features/28702/
Unofficial Patch for CVE-2022-30190 (Follina)
https://blog.0patch.com/2022/06/free-micropatc…

Read more →

Follina Update
https://isc.sans.edu/forums/diary/First+Exploitation+of+Follina+Seen+in+the+Wild/28698/
https://isc.sans.edu/forums/diary/New+Microsoft+Office+Attack+Vector+via+msmsdt+Protocol+Scheme+CVE202230190/28694/
Open Automation Software Platfo…

Read more →

New Microsoft Office Attack Vector via “ms-msdt” Protocol Scheme
https://isc.sans.edu/forums/diary/New+Microsoft+Office+Attack+Vector+via+msmsdt+Protocol+Scheme/28694/

Read more →

Huge Signed PE Files
https://isc.sans.edu/forums/diary/Huge+Signed+PE+File/28686/
VMWare Authentication Bypass PoC
https://www.horizon3.ai/vmware-authentication-bypass-vulnerability-cve-2022-22972-technical-deep-dive/
Quanta Server BMC Vulnerability
…

Read more →

Using NMAP to Assess Hosts in Load Balanced Clusters
https://isc.sans.edu/forums/diary/Using+NMAP+to+Assess+Hosts+in+Load+Balanced+Clusters/28682/
Attacker Modifying Libraries Claims “Research”
https://www.bleepingcomputer.com/news/security/hacker-sa…

Read more →

ctx Python Library Updated with “Extra” Features
https://isc.sans.edu/forums/diary/ctx+Python+Library+Updated+with+Extra+Features/28678/
Zoom Updates
https://explore.zoom.us/en/trust/security/security-bulletin/
VMWare Exploit About to Be Released
ht…

Read more →

Attacker Scanning for jQuery-File-Upload
https://isc.sans.edu/forums/diary/Attacker+Scanning+for+jQueryFileUpload/28674/
Oracle Security Alert Advisory – CVE-2022-21500
https://www.oracle.com/security-alerts/alert-cve-2022-21500.html
How to find NPM …

Read more →

A “Zip Bomb” to Bypass Security Controls & Sandboxes
https://isc.sans.edu/forums/diary/A+Zip+Bomb+to+Bypass+Security+Controls+Sandboxes/28670/
Cisco IOS XR Software Health Check Open Port Vulnerability
https://tools.cisco.com/security/center/content/…

Read more →

Bumblebee Malware from TransferXL URLs
https://isc.sans.edu/forums/diary/Bumblebee+Malware+from+TransferXL+URLs/28664/
Microsoft Out-of-Band Update fixes Authentication Issues
https://docs.microsoft.com/en-us/windows/release-health/status-windows-11-…

Read more →

VMWare Flaws
https://core.vmware.com/vmsa-2022-0014-questions-answers-faq
https://blog.barracuda.com/2022/05/17/threat-spotlight-attempts-to-exploit-new-vmware-vulnerabilities/
Tesla BLE Proximity Authentication Vulnerable to Relay Attacks
https://r…

Read more →

Use Your Browser Internal Password Vault… or Not?
https://isc.sans.edu/forums/diary/Use+Your+Browser+Internal+Password+Vault+or+Not/28658/
SQL Server Brute Forcing
https://twitter.com/MsftSecIntel/status/1526680337216114693
UpdateAgent Adapts Again…

Read more →

Apple Patches Everything
https://isc.sans.edu/forums/diary/Apple+Patches+Everything/28654/
Evil Never Sleeps: When Wireless Malware Stays on After Turning Off iPhones
https://arxiv.org/pdf/2205.06114.pdf
Third-Party Web Trackers Log What You Type Bef…

Read more →

From 0-Day to Mirai: 7 days of BIG-IP Exploits
https://isc.sans.edu/forums/diary/From+0Day+to+Mirai+7+days+of+BIGIP+Exploits/28644/
Sonicwall Vulnerabilities Patched
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0009
Zonealarm Patch
htt…

Read more →

When Get-WebRequest Fails You
https://isc.sans.edu/forums/diary/When+GetWebRequest+Fails+You/28640/
HP PC BIOS Security Updates
https://support.hp.com/us-en/document/ish_6184733-6184761-16/hpsbhf03788
INTEL BIOS Advisory
https://www.intel.com/conten…

Read more →

TA578 Using Thread-Hijacked Emails to Push ISO Files for Bumblebee Malware
https://isc.sans.edu/forums/diary/TA578+using+threadhijacked+emails+to+push+ISO+files+for+Bumblebee+malware/28636/
Google Drive Emerges as Top App for Malware Downloads
https:…

Read more →

Microsoft May 2022 Patch Tuesday
https://isc.sans.edu/forums/diary/Microsoft+May+2022+Patch+Tuesday/28632/
Adobe Updates
https://helpx.adobe.com/security/security-bulletin.html
npm “foreach” package domain takeover
https://www.theregister.com/2022/0…

Read more →

Octopus Backdoor is Back with a New Embedded Obfuscated Bat File
https://isc.sans.edu/forums/diary/Octopus+Backdoor+is+Back+with+a+New+Embedded+Obfuscated+Bat+File/28628/#comments
CVE-2022-1388 (BIG-IP) Exploits
https://twitter.com/sans_isc/status/15…

Read more →

F5 BIG-IP Unauthenticated RCE Vulnerability (CVE-2022-1388)
https://isc.sans.edu/forums/diary/F5+BIGIP+Unauthenticated+RCE+Vulnerability+CVE20221388/28624/
QNAP QVR Update
https://www.qnap.com/de-de/security-advisory/qsa-22-07
Raspberry Robin Worm
h…

Read more →