The Cyber Threat Perspective

In this week's reviewMicrosoft Rolls Back Decision to Block Office Macros By Default 😢Possible APT29/Ransomware Groups Use of Brute Ratel C4When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious ActorsReversing Malware Also How is APT 29 Successful with This Phishing TechniqueRaspberry Robin/QNAPWormRaspberry Robin gets the worm earlyMicrosoft finds Raspberry Robin worm in hundreds of Windows networksNew Raspberry Robin worm uses Windows Installer to drop malwareCloud Misconfig Exposes 3TB of Sensitive Airport Data in Amazon S3 BucketPrevention Takes Priority Over ResponseBlog: https://offsec.blog/Youtube: https://www.youtube.com/channel/UCCWmudG_CTNAFBaV48vIcfwTwitter: https://twitter.com/cyberthreatpovWork with Us: https://securit360.comBlog: https://offsec.blog/Youtube: https://www.youtube.com/@cyberthreatpovTwitter: https://x.com/cyberthreatpov Follow Spencer on social ⬇Spencer's Links: https://go.spenceralessi.com/links Work with Us: https://securit360.com | Find vulnerabilities that matter, learn about how we do internal pentesting here.

In this week's reviewRise of LNK (Shortcut files) MalwareLockBit 3.0 Released Now With Bug Bounty ProgramCISA Says PwnKit Exploited in the WildBlog: https://offsec.blog/Youtube: https://www.youtube.com/channel/UCCWmudG_CTNAFBaV48vIcfwTwitter: https://twitter.com/cyberthreatpovWork with Us: https://securit360.comBlog: https://offsec.blog/Youtube: https://www.youtube.com/@cyberthreatpovTwitter: https://x.com/cyberthreatpov Follow Spencer on social ⬇Spencer's Links: https://go.spenceralessi.com/links Work with Us: https://securit360.com | Find vulnerabilities that matter, learn about how we do internal pentesting here.

In this week's review:New NTLM Relaying Attack via DFSCoerceRansomware Potential for OneDrive & SharePoint FilesKeeping PowerShell: Security Measures to Use and EmbraceBlog: https://offsec.blog/Youtube: https://www.youtube.com/channel/UCCWmudG_CTNAFBaV48vIcfwTwitter: https://twitter.com/cyberthreatpovWork with Us: https://securit360.comBlog: https://offsec.blog/Youtube: https://www.youtube.com/@cyberthreatpovTwitter: https://x.com/cyberthreatpov Follow Spencer on social ⬇Spencer's Links: https://go.spenceralessi.com/links Work with Us: https://securit360.com | Find vulnerabilities that matter, learn about how we do internal pentesting here.

In this week's review:The rise of BlackCat (ALPHV) ransomwareMicrosoft Analysis of BlackCatAdvIntel Analysis of BlackCatRansomware Group Debuts Searchable Victim DataLockBit 2.0: How This RaaS Operates and How to Protect Against ItTranslating Saitama's DNS tunneling messages - SANS Internet Storm CenterPublic Travis CI Logs (Still) Expose Users to Cyber AttacksBlog: https://offsec.blog/Youtube: https://www.youtube.com/channel/UCCWmudG_CTNAFBaV48vIcfwTwitter: https://twitter.com/cyberthreatpovWork with Us: https://securit360.comBlog: https://offsec.blog/Youtube: https://www.youtube.com/@cyberthreatpovTwitter: https://x.com/cyberthreatpov Follow Spencer on social ⬇Spencer's Links: https://go.spenceralessi.com/links Work with Us: https://securit360.com | Find vulnerabilities that matter, learn about how we do internal pentesting here.

In this week's review:A DFIR Report with no Ransomware and no Cobalt StrikePath Traversal & MOTW Bypass - DIAGCAB Windows Zero-day aka "Dogwalk"Linux version of Black Basta ransomware targets VMware ESXi serversTA570 Qakbot (Qbot) tries CVE-2022-30190 (Follina) exploit (ms-msdt)Blog: https://offsec.blog/Youtube: https://www.youtube.com/channel/UCCWmudG_CTNAFBaV48vIcfwTwitter: https://twitter.com/cyberthreatpovWork with Us: https://securit360.comBlog: https://offsec.blog/Youtube: https://www.youtube.com/@cyberthreatpovTwitter: https://x.com/cyberthreatpov Follow Spencer on social ⬇Spencer's Links: https://go.spenceralessi.com/links Work with Us: https://securit360.com | Find vulnerabilities that matter, learn about how we do internal pentesting here.

In this week's review:Microsoft Diagnostics Tool Remote Code Execution Zero DayNew Windows Search zero-day added to Microsoft protocol nightmareVendor Refuses to Remove Backdoor Account That Can...Over 3.6 million exposed MySQL servers on IPv4 and IPv6 |...APTs Overwhelmingly Share Known Vulnerabilities Rather Than Attack O-DaysBlog: https://offsec.blog/Youtube: https://www.youtube.com/channel/UCCWmudG_CTNAFBaV48vIcfwTwitter: https://twitter.com/cyberthreatpovWork with Us: https://securit360.comBlog: https://offsec.blog/Youtube: https://www.youtube.com/@cyberthreatpovTwitter: https://x.com/cyberthreatpov Follow Spencer on social ⬇Spencer's Links: https://go.spenceralessi.com/links Work with Us: https://securit360.com | Find vulnerabilities that matter, learn about how we do internal pentesting here.

The sky IS NOT falling with this one. Is it important? Yes. Does it highlight an area that's under-researched and likely contains additional attack vectors and techniques? Absolutely. Resourceshttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629ehttps://www.huntress.com/blog/microsoft-office-remote-code-execution-follina-msdt-bughttps://github.com/NVISOsecurity/nviso-cti/blob/master/advisories/29052022%20-%20msdt-0-day.mdJohn Hammond's Excellent CVE-2022-30190 VideoBlog: https://offsec.blog/Youtube: https://www.youtube.com/channel/UCCWmudG_CTNAFBaV48vIcfwTwitter: https://twitter.com/cyberthreatpovBlog: https://offsec.blog/Youtube: https://www.youtube.com/@cyberthreatpovTwitter: https://x.com/cyberthreatpov Follow Spencer on social ⬇Spencer's Links: https://go.spenceralessi.com/links Work with Us: https://securit360.com | Find vulnerabilities that matter, learn about how we do internal pentesting here.

In This Weeks ReviewPDF Malware Is Not Dead YetDetecting & Preventing Rogue Azure SubscriptionsPython and PHP Library Updated with 'Extra' Features by a "Security Researcher"2022 Verizon Data Breach Investigations ReportZoom: Remote Code Execution with XMPPExploit released for critical VMware auth bypass bugBlog: https://offsec.blog/Youtube: https://www.youtube.com/channel/UCCWmudG_CTNAFBaV48vIcfwTwitter: https://twitter.com/cyberthreatpovWork with Us: https://securit360.comBlog: https://offsec.blog/Youtube: https://www.youtube.com/@cyberthreatpovTwitter: https://x.com/cyberthreatpov Follow Spencer on social ⬇Spencer's Links: https://go.spenceralessi.com/links Work with Us: https://securit360.com | Find vulnerabilities that matter, learn about how we do internal pentesting here.

In This Weeks ReviewGootloader & Gootkit Analysis by DFIR Report and Red CanaryAuthenticated PetitPotam Lives On (CVE-2022-26925)The Hunter Becomes the Hunted: Evicting the AdversarySpoofing SaaS Vanity URLS for Social Engineering AttacksBlog: https://offsec.blog/Youtube: https://www.youtube.com/channel/UCCWmudG_CTNAFBaV48vIcfwTwitter: https://twitter.com/cyberthreatpovWork with Us: https://securit360.comBlog: https://offsec.blog/Youtube: https://www.youtube.com/@cyberthreatpovTwitter: https://x.com/cyberthreatpov Follow Spencer on social ⬇Spencer's Links: https://go.spenceralessi.com/links Work with Us: https://securit360.com | Find vulnerabilities that matter, learn about how we do internal pentesting here.

In This Weeks ReviewThreat Actor using Windows Event Logs for "fileless" MalwareCVE-2022-1388 - F5 BIG-IP PoC ReleasedCVE-2021-22600 - Privilege Escalation Bug In The Linux KernelCVE-2022-26925 - A Windows LSA Spoofing Vulnerability (PetitPotam)CVE-2022–26923 - Another ADCS Domain Privilege EscalationBlog: https://offsec.blog/Youtube: https://www.youtube.com/channel/UCCWmudG_CTNAFBaV48vIcfwTwitter: https://twitter.com/cyberthreatpovWork with Us: https://securit360.comBlog: https://offsec.blog/Youtube: https://www.youtube.com/@cyberthreatpovTwitter: https://x.com/cyberthreatpov Follow Spencer on social ⬇Spencer's Links: https://go.spenceralessi.com/links Work with Us: https://securit360.com | Find vulnerabilities that matter, learn about how we do internal pentesting here.