Articles tagged with: SOS Intelligence

CVE Top 10

The SOS Intelligence CVE Chatter Weekly Top Ten – 15 August 2022

This weekly blog post is produced via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.

There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.

We make every effort to ensure the accuracy of the data presented. As this is an automated process, some errors may creep in.

If you are feeling generous, please do make us aware of anything you spot. Feel free to follow us on Twitter @sosintel and DM us. Thank you!

1. CVE-2022-20259

In Telephony, there is a possible leak of ICCID and EID due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-13. Android ID: A-221431393.

https://nvd.nist.gov/vuln/detail/CVE-2022-20259

2. CVE-2022-2610

Insufficient policy enforcement in Background Fetch in Google Chrome prior to 104.0.5112.79 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

https://nvd.nist.gov/vuln/detail/CVE-2022-2610

3. CVE-2021-33646

The th_read() function doesn’t free a variable t->th_buf.gnu_longname after allocating memory, which may cause a memory leak.

https://nvd.nist.gov/vuln/detail/CVE-2021-33646

4. CVE-2021-33645

The th_read() function doesn’t free a variable t->th_buf.gnu_longlink after allocating memory, which may cause a memory leak.

https://nvd.nist.gov/vuln/detail/CVE-2021-33645

5. CVE-2020-12720

vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control.

https://nvd.nist.gov/vuln/detail/CVE-2020-12720

6. CVE-2022-24086

Adobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) are affected by an improper input validation vulnerability during the checkout process. Exploitation of this issue does not require user interaction and could result in arbitrary code execution.

https://nvd.nist.gov/vuln/detail/CVE-2022-24086

7. CVE-2022-30190

Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability.

https://nvd.nist.gov/vuln/detail/CVE-2022-30190

8. CVE-2022-1215

A format string vulnerability was found in libinput.

https://nvd.nist.gov/vuln/detail/CVE-2022-1215

9. CVE-2022-30075

Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability.

https://nvd.nist.gov/vuln/detail/CVE-2022-30075

10. CVE-2022-24087

Adobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) are affected by an improper input validation vulnerability during the checkout process. Exploitation of this issue does not require user interaction and could result in arbitrary code execution.

https://nvd.nist.gov/vuln/detail/CVE-2022-24087

Product news, Tips

Offensive Cyber Threat Intelligence for Lawyers and Private Investigators

In the last article, I wrote about how legal firms can utilise cyber threat intelligence and the SOS Intel toolkit for cyber defence. But in this article I want to explore a different idea, namely, offensive threat intelligence for legal firms. 

When someone says “cyber crime” what do most people think of? Likely something along the lines of “hacker”. Most will picture someone in a dark room staring at a computer screen with hundreds of lines of code flashing by while frantically typing on their keyboard. 

While hackers like this do exist, they make up a minority of cyber criminals. Cyber stalking is, by far, the most common cyber crime. 

Every year almost 10 million people in the United States are victims of cyber stalking or harassment. The vast majority, about ~80%, of cyber stalking incidents go unreported to law enforcement. To make matters worse, cases of cyber stalking that are reported often go unpunished. From 2010 – 2013, of the roughly 2.5 million reported cases of online harassment, only 10 cases resulted in a prosecution. 

A major reason many of these cases go unresolved is the extensive evidence required to make a case. Collecting evidence on a cyber stalker is a difficult and time consuming process. But, this doesn’t have to be the case. 

Utilising cyber threat intelligence tools, it is possible to collect large amounts of data on a target. Much like other cyber criminals, cyber stalkers use platforms like Telegram and Signal. Threat intelligence tools like the SOS Intel toolkit can pull data from these platforms on a mass scale. Just by crafting a few keywords you can search thousands of terabytes of data.

This “offensive” use of the SOS Intelligence toolkit is not limited to cyberstalking cases. The SOS toolkit is incredibly versatile; it is capable of assisting with research into any sort of internet crime. Let’s take a look at what the SOS toolkit is capable of…

SOS Intelligence Toolkit API

The best way to utilise the SOS Toolkit is the API. The API allows you to integrate the toolkit into 3rd party programs. The API provides you the raw aggregate data and leaves the organisation up to your personal preferences. To start working with the API, first you will need to generate your API key. 

You can do this in the “API” tab of the web interface. Once you click the “generate” button you will see this message:

There are many API clients out there, but for the purpose of simplicity in the example I will be using Postman.

SOS Intelligence offers a Postman Collection file to further simplify the process of implementing API requests in Postman. If you are interested in using the Postman collection, please send an email to “[email protected]”.

Once you have your API key and have imported the Postman collection file (or you plan on manually adding the API requests) you need to add the key to Postman as such:

Once you have your API key set you are ready to start making API requests! In this example I will be making queries as if I was investigating a cyber crime case.

Quick note: the user I am searching for in this example is “pompompurin”, a known cyber criminal who is active on Twitter and Telegram and administrator of the infamous “Breached Forums”.

Here is a simple query for “breached forums” using the Twitter search function. (Note: At the moment the Twitter search function has a search history limit of 6 months)

The Twitter search function will return any data that matches the search query. If the query matches any of the values or sub-values of a post, the function will return all of the data of said post. 

The data aggregated on each post is entirely dependent on the post itself, i.e. if other users are mentioned or if there are hashtags. It’s worth noting that searches are passed as phrases with “AND” logic. For example, my search for “breached forums” searches for “breached” AND “forums”. This way you can refine your results easily by crafting search queries that match exactly what you’re looking for, automatically weeding out all of the bad results.

Sometimes collecting intelligence from clearnet sources is not sufficient. Many hacking forums run both clearnet and darknet sites. The SOS Darkweb search function can search with several different categorical options. The first option is the “Full Text Search” as seen below.

The “full text search” searches through the full text of the site’s page. To narrow down your search results, you can set parameters like “phrase” to true. For example, if I search for SOS Intelligence, the query will pass as SOS “OR” Intelligence. However, if I set the “phrase” parameter to true, this query is passed as SOS “AND” Intelligence. 
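The two matching modes described above (every term required, as the post describes for the Twitter search and for the Dark Web search with “phrase” set to true, versus any single term sufficient, as for the default full-text search) are easy to reproduce client-side when post-filtering results. The following Python is an added example, not code from the original post or from the SOS Intelligence toolkit, and it makes no calls to the real API: it walks a constructed result record, including nested values and sub-values, and applies the two term logics to decide whether the record matches. The record layout and field names are invented for illustration.

```python
"""Client-side replica of the two query semantics described in the post.

Added example; it does not call the SOS Intelligence API and the record
layout below is invented for illustration.
"""
from __future__ import annotations

from typing import Any, Iterator


def text_values(node: Any) -> Iterator[str]:
    """Yield every string found anywhere in a nested record (values and sub-values)."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from text_values(value)
    elif isinstance(node, (list, tuple)):
        for item in node:
            yield from text_values(item)
    # numbers, booleans and None carry no searchable text


def matches(record: dict, query: str, phrase: bool) -> bool:
    """Return True if the record matches the query.

    phrase=True  -> every term must appear somewhere in the record (AND logic,
                    the behaviour the post attributes to the Twitter search and
                    to the Dark Web search with "phrase" set to true).
    phrase=False -> any single term is enough (OR logic, the default full-text
                    behaviour described in the post).
    Matching is case-insensitive and looks at all string values, however
    deeply nested, so a hit inside a mention or hashtag counts for the post.
    """
    terms = [t.lower() for t in query.split() if t]
    if not terms:
        return False
    haystack = " ".join(text_values(record)).lower()
    hits = [term in haystack for term in terms]
    return all(hits) if phrase else any(hits)


def search(records: list[dict], query: str, phrase: bool) -> list[str]:
    """Return the ids of the records that match, in their original order."""
    return [r["id"] for r in records if matches(r, query, phrase)]


# Constructed sample results, shaped loosely like social-media posts with
# nested mentions and hashtags; none of this is real data.
SAMPLE_RECORDS = [
    {"id": "p1", "text": "New dump posted on breached forums today",
     "author": {"handle": "user_a"}, "entities": {"hashtags": ["leak"]}},
    {"id": "p2", "text": "Has anyone seen the forums migrate?",
     "author": {"handle": "user_b"}, "entities": {"hashtags": []}},
    {"id": "p3", "text": "Patch Tuesday roundup",
     "author": {"handle": "user_c"},
     "entities": {"mentions": [{"handle": "breached_watch"}]}},
    {"id": "p4", "text": "Weather is nice", "author": {"handle": "user_d"}},
]

if __name__ == "__main__":
    # AND logic keeps only p1; OR logic also returns p2 (has "forums") and
    # p3 (has "breached" inside a nested mention handle).
    print("AND:", search(SAMPLE_RECORDS, "breached forums", phrase=True))
    print("OR: ", search(SAMPLE_RECORDS, "breached forums", phrase=False))
```

Record p3 is the instructive case: the term only occurs inside a nested mention, yet the whole post is returned, which is what the post means by matching “any of the values or sub-values”. Whether the real API also matches on substrings rather than whole words is not stated on the page, so that part of the behaviour is an assumption of this example.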

The Dark Web Search tool also has special functions for more specific searches like emails and Bitcoin wallet addresses.

The SOS Toolkit puts all of these tools at your disposal instantly. The API is just one method of utilising the toolkit. 

The SOS web application allows you to access the same tools with a more friendly user interface. But the API allows you to integrate the SOS Toolkit into 3rd party OSINT frameworks as well as your own programs/scripts. 

The API provides a simple way to work with the tool kit “offensively”. Utilising several or all of these search functions you can gather a great amount of information on a suspect. You can try these searches out yourself! Remember, we have two community APIs:

  • DARKSEARCH: Provides information about onion websites.
  • CVE Top Talkers: Provides a top list of most talked about CVEs across our threat feeds.

Both can be accessed via a free plan which you can sign up for here 🙂

Photo by Tingey Injury Law Firm on Unsplash.

Product news

SOS Intelligence Development Update

We can’t stand still. We believe it is vital to keep investigating new threat intel feeds for our customers, so over the last 2 weeks we have created 15 new bespoke collection pipelines to gather intelligence from various hacking forums.

We have also been listening closely to customer feedback…

  • We have developed our alert feedback system with an additional feedback text entry box, so that customers can provide additional information when submitting feedback about an alert that was not useful.
Pop up to give us feedback
  • You can now perform multiple alert actions. If you need to mass acknowledge alerts, or mass vote alerts, select all or a number of individual alerts and perform a multi action. This can be very helpful when acknowledging and closing a number of alerts that have been dealt with.
Multiple alert actions

We value all of our customer feedback and aim to deliver feature requests as soon as realistically possible. Please continue to give us suggestions and feedback!

Photo by Fotis Fotopoulos on Unsplash.

Opinion, The Dark Web

Hacking your lawyer: Why Legal Firms need Cyber Threat Intelligence

Data breaches are not good for anyone (excluding the cyber criminals), but breaches are particularly bad for industries that handle sensitive information. Unfortunately companies that often handle sensitive data typically do not take their security threats seriously. The pharmaceutical and medical sectors saw a 20% increase in cyber attacks in 2021, costing them, on average, $45,000 per hour of downtime. 

The medical industry is not the only industry handling sensitive data. Legal firms hold a tremendous amount of personal data on, not only clients, but also anyone involved in their respective cases.

For threat actors, legal firms hold a treasure trove of data that they can use for criminal activities such as, financial fraud, extortion, or even just crude doxxing. 

Unlike hospitals and pharmaceutical companies, legal firms typically are not held to the same security and data privacy standards and regulations. In the United States, acts like HIPAA and GLBA require any company that handles certain information to abide by set security standards. But, regardless of the law, a data breach looks good for no one.

Defensive security measures like proper data storage and encryption are a must for any legal firm, but these measures can only go so far. In order to take your security to the next level proactive measures are needed.

Luckily for us, threat actors are often very open about their upcoming or ongoing attacks. Hackers will post on dark web forums or even in public chat rooms. 

Publicly posted data leak of a New York legal firm 

Collecting and aggregating this information can be difficult for a small legal firm with less resources. This is where SOS Intelligence comes in. SOS Intelligence can offer your legal firm – small or large – tools to bolster your proactive security measures. 

Due to the nature of established and emerging threat actors, defensive measures like proper data encryption and storage are not enough. Threat actors will always be able to find a way around these defences.

Whether it involves paying an insider for access to your network or exploiting an n-day vulnerability in your VPN software, SOS cyber threat intelligence will be able to provide insider intelligence not found anywhere else.

Our Dark Web monitoring tool can be utilised for searching for hackers discussing your company. You can quickly build a profile on threat actors targeting your firm then proactively adapt your defensive measures to compensate. 

Getting a sense for threat actors targeting your firm will do wonders for both your cyber defence and – in the case of a breach – can assist incident response. SOS Intelligence offers tools that can actively pull information from common dark web forums and chat rooms. 

Our tools can also grab messages from closed source forums and chats. Dark web monitoring will be able to offer a different perspective than the hundreds of various defensive tools. The SOS Intelligence toolkit will allow you to see through the eyes of a hacker. It’s time to take your security to the next level, try out the SOS toolkit today.

If you are a legal firm who would like some advice on what you need to be doing plus a demo of how we can help you, then click here now to book some time with Amir, our founder. We promise this is something you won’t regret.

Photo by Tingey Injury Law Firm on Unsplash

CVE Top 10

The SOS Intelligence CVE Chatter Weekly Top Ten – 08 August 2022

1. CVE-2022-1215

A format string vulnerability was found in libinput.

https://nvd.nist.gov/vuln/detail/CVE-2022-1215

2. CVE-2022-34918

An issue was discovered in the Linux kernel through 5.18.9. A type confusion bug in nft_set_elem_init (leading to a buffer overflow) could be used by a local attacker to escalate privileges, a different vulnerability than CVE-2022-32250. (The attacker can obtain root access, but must start with an unprivileged user namespace to obtain CAP_NET_ADMIN access.) This can be fixed in nft_setelem_parse_data in net/netfilter/nf_tables_api.c.

https://nvd.nist.gov/vuln/detail/CVE-2022-34918

3. CVE-2022-36446

software/apt-lib.pl in Webmin before 1.997 lacks HTML escaping for a UI command.

https://nvd.nist.gov/vuln/detail/CVE-2022-36446

4. CVE-2010-3972

Heap-based buffer overflow in the TELNET_STREAM_CONTEXT::OnSendData function in ftpsvc.dll in Microsoft FTP Service 7.0 and 7.5 for Internet Information Services (IIS) 7.0, and IIS 7.5, allows remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via a crafted FTP command, aka “IIS FTP Service Heap Buffer Overrun Vulnerability.” NOTE: some of these details are obtained from third party information.

https://nvd.nist.gov/vuln/detail/CVE-2010-3972

5. CVE-2019-1040

A tampering vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully bypass the NTLM MIC (Message Integrity Check) protection, aka ‘Windows NTLM Tampering Vulnerability’.

https://nvd.nist.gov/vuln/detail/CVE-2019-1040

6. CVE-2022-26134

An issue was discovered in the ContentResource API in dotCMS 3.0 through 22.02. Attackers can craft a multipart form request to post a file whose filename is not initially sanitized. This allows directory traversal, in which the file is saved outside of the intended storage location. If anonymous content creation is enabled, this allows an unauthenticated attacker to upload an executable file, such as a .jsp file, that can lead to remote code execution.

https://nvd.nist.gov/vuln/detail/CVE-2022-26134

7. CVE-2022-35918

Streamlit is a data oriented application development framework for python. Users hosting Streamlit app(s) that use custom components are vulnerable to a directory traversal attack that could leak data from their web server file-system such as: server logs, world readable files, and potentially other sensitive information. An attacker can craft a malicious URL with file paths and the streamlit server would process that URL and return the contents of that file or overwrite existing files on the web-server. This issue has been resolved in version 1.11.1. Users are advised to upgrade. There are no known workarounds for this issue.

https://nvd.nist.gov/vuln/detail/CVE-2022-35918

8. CVE-2022-2652

Depending on the way the format strings in the card label are crafted it’s possible to leak kernel stack memory. There is also the possibility for DoS due to the v4l2loopback kernel module crashing when providing the card label on request (reproduce e.g. with many %s modifiers in a row).

https://nvd.nist.gov/vuln/detail/CVE-2022-2652

9. CVE-2022-22620

A use after free issue was addressed with improved memory management. This issue is fixed in macOS Monterey 12.2.1, iOS 15.3.1 and iPadOS 15.3.1, Safari 15.3 (v. 16612.4.9.1.8 and 15612.4.9.1.8). Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

https://nvd.nist.gov/vuln/detail/CVE-2022-22620

10. CVE-2022-1012

A memory leak problem was found in the TCP source port generation algorithm in net/ipv4/tcp.c due to the small table perturb size. This flaw may allow an attacker to leak information and may cause a denial of service problem.

https://nvd.nist.gov/vuln/detail/CVE-2022-1012

CVE Top 10

The SOS Intelligence CVE Chatter Weekly Top Ten – 01 August 2022

1. CVE-2018-17144

Bitcoin Core 0.14.x before 0.14.3, 0.15.x before 0.15.2, and 0.16.x before 0.16.3 and Bitcoin Knots 0.14.x through 0.16.x before 0.16.3 allow a remote denial of service (application crash) exploitable by miners via duplicate input. An attacker can make bitcoind or Bitcoin-Qt crash.

https://nvd.nist.gov/vuln/detail/CVE-2018-17144

2. CVE-2012-2459

Unspecified vulnerability in bitcoind and Bitcoin-Qt before 0.4.6, 0.5.x before 0.5.5, 0.6.0.x before 0.6.0.7, and 0.6.x before 0.6.2 allows remote attackers to cause a denial of service (block-processing outage and incorrect block count) via unknown behavior on a Bitcoin network.

https://nvd.nist.gov/vuln/detail/CVE-2012-2459

3. CVE-2022-34570

WAVLINK WN579 X3 M79X3.V5030.191012/M79X3.V5030.191012 contains an information leak which allows attackers to obtain the key information via accessing the messages.txt page.

https://nvd.nist.gov/vuln/detail/CVE-2022-34570

4. CVE-2022-1488

Inappropriate implementation in Extensions API in Google Chrome prior to 101.0.4951.41 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension.

https://nvd.nist.gov/vuln/detail/CVE-2022-1488

5. CVE-2022-1501

Inappropriate implementation in iframe in Google Chrome prior to 101.0.4951.41 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

https://nvd.nist.gov/vuln/detail/CVE-2022-1501

6. CVE-2022-1873

Insufficient policy enforcement in COOP in Google Chrome prior to 102.0.5005.61 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

https://nvd.nist.gov/vuln/detail/CVE-2022-1873

7. CVE-2022-24086

Adobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) are affected by an improper input validation vulnerability during the checkout process. Exploitation of this issue does not require user interaction and could result in arbitrary code execution.

https://nvd.nist.gov/vuln/detail/CVE-2022-24086

8. CVE-2022-1637

Inappropriate implementation in Web Contents in Google Chrome prior to 101.0.4951.64 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

https://nvd.nist.gov/vuln/detail/CVE-2022-1637

9. CVE-2022-1875

Inappropriate implementation in PDF in Google Chrome prior to 102.0.5005.61 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

https://nvd.nist.gov/vuln/detail/CVE-2022-1875

10. CVE-2022-1498

Inappropriate implementation in HTML Parser in Google Chrome prior to 101.0.4951.41 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

https://nvd.nist.gov/vuln/detail/CVE-2022-1498

CVE Top 10

The SOS Intelligence CVE Chatter Weekly Top Ten – 25 July 2022

1. CVE-2022-1139

Inappropriate implementation in Background Fetch API in Google Chrome prior to 100.0.4896.60 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

https://nvd.nist.gov/vuln/detail/CVE-2022-1139

2. CVE-2022-1137

Inappropriate implementation in Extensions in Google Chrome prior to 100.0.4896.60 allowed an attacker who convinced a user to install a malicious extension to leak potentially sensitive information via a crafted HTML page.

https://nvd.nist.gov/vuln/detail/CVE-2022-1137

3. CVE-2022-1128

Inappropriate implementation in Web Share API in Google Chrome on Windows prior to 100.0.4896.60 allowed an attacker on the local network segment to leak cross-origin data via a crafted HTML page.

https://nvd.nist.gov/vuln/detail/CVE-2022-1128

4. CVE-2012-2459

Unspecified vulnerability in bitcoind and Bitcoin-Qt before 0.4.6, 0.5.x before 0.5.5, 0.6.0.x before 0.6.0.7, and 0.6.x before 0.6.2 allows remote attackers to cause a denial of service (block-processing outage and incorrect block count) via unknown behavior on a Bitcoin network.

https://nvd.nist.gov/vuln/detail/CVE-2012-2459

5. CVE-2022-1146

Inappropriate implementation in Resource Timing in Google Chrome prior to 100.0.4896.60 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

https://nvd.nist.gov/vuln/detail/CVE-2022-1146

6. CVE-2022-31162

Slack Morphism is an async client library for Rust. Prior to 0.41.0, it was possible for Slack OAuth client information to leak in application debug logs. Stricter and more secure debug formatting was introduced in v0.41.0 for OAuth secret types to reduce the possibility of printing sensitive information in application logs. As a workaround, do not print/output requests and responses for OAuth and client configurations in logs.

https://nvd.nist.gov/vuln/detail/CVE-2022-31162

7. CVE-2018-17144

Bitcoin Core 0.14.x before 0.14.3, 0.15.x before 0.15.2, and 0.16.x before 0.16.3 and Bitcoin Knots 0.14.x through 0.16.x before 0.16.3 allow a remote denial of service (application crash) exploitable by miners via duplicate input. An attacker can make bitcoind or Bitcoin-Qt crash.

https://nvd.nist.gov/vuln/detail/CVE-2018-17144

8. CVE-2020-14126

Information leakage vulnerability exists in the Mi Sound APP. This vulnerability is caused by illegal calls of some sensitive JS interfaces, which can be exploited by attackers to leak sensitive information.

https://nvd.nist.gov/vuln/detail/CVE-2020-14126

9. CVE-2017-8570

Microsoft Office allows a remote code execution vulnerability due to the way that it handles objects in memory, aka “Microsoft Office Remote Code Execution Vulnerability”. This CVE ID is unique from CVE-2017-0243.

https://nvd.nist.gov/vuln/detail/CVE-2017-8570

10. CVE-2022-23141

ZXMP M721 has an information leak vulnerability. Since the serial port authentication on the ZBOOT interface is not effective although it is enabled, an attacker could use this vulnerability to log in to the device to obtain sensitive information.

https://nvd.nist.gov/vuln/detail/CVE-2022-23141

CVE Top 10

The SOS Intelligence CVE Chatter Weekly Top Ten – 18 July 2022

1. CVE-2012-2459

Unspecified vulnerability in bitcoind and Bitcoin-Qt before 0.4.6, 0.5.x before 0.5.5, 0.6.0.x before 0.6.0.7, and 0.6.x before 0.6.2 allows remote attackers to cause a denial of service (block-processing outage and incorrect block count) via unknown behavior on a Bitcoin network.

https://nvd.nist.gov/vuln/detail/CVE-2012-2459

2. CVE-2017-7479

OpenVPN versions before 2.3.15 and before 2.4.2 are vulnerable to reachable assertion when packet-ID counter rolls over resulting into Denial of Service of server by authenticated attacker.

https://nvd.nist.gov/vuln/detail/CVE-2017-7479

3. CVE-2015-1774

OpenVPN versions before 2.3.15 and before 2.4.2 are vulnerable to reachable assertion when packet-ID counter rolls over resulting into Denial of Service of server by authenticated attacker.

https://nvd.nist.gov/vuln/detail/CVE-2015-1774

4. CVE-2015-2684

OpenVPN versions before 2.3.15 and before 2.4.2 are vulnerable to reachable assertion when packet-ID counter rolls over resulting into Denial of Service of server by authenticated attacker.

https://nvd.nist.gov/vuln/detail/CVE-2015-2684

5. CVE-2013-7441

OpenVPN versions before 2.3.15 and before 2.4.2 are vulnerable to reachable assertion when packet-ID counter rolls over resulting into Denial of Service of server by authenticated attacker.

https://nvd.nist.gov/vuln/detail/CVE-2013-7441

6. CVE-2017-7508

OpenVPN versions before 2.3.15 and before 2.4.2 are vulnerable to reachable assertion when packet-ID counter rolls over resulting into Denial of Service of server by authenticated attacker.

https://nvd.nist.gov/vuln/detail/CVE-2017-7508

7. CVE-2017-7520

OpenVPN versions before 2.3.15 and before 2.4.2 are vulnerable to reachable assertion when packet-ID counter rolls over resulting into Denial of Service of server by authenticated attacker.

https://nvd.nist.gov/vuln/detail/CVE-2017-7520

8. CVE-2017-7521

OpenVPN versions before 2.3.15 and before 2.4.2 are vulnerable to reachable assertion when packet-ID counter rolls over resulting into Denial of Service of server by authenticated attacker.

https://nvd.nist.gov/vuln/detail/CVE-2017-7521

9. CVE-2015-3988

OpenVPN versions before 2.3.15 and before 2.4.2 are vulnerable to reachable assertion when packet-ID counter rolls over resulting into Denial of Service of server by authenticated attacker.

https://nvd.nist.gov/vuln/detail/CVE-2015-3988

10. CVE-2015-0847

OpenVPN versions before 2.3.15 and before 2.4.2 are vulnerable to reachable assertion when packet-ID counter rolls over resulting into Denial of Service of server by authenticated attacker.

https://nvd.nist.gov/vuln/detail/CVE-2015-0847

Opinion

What is Cyber Threat Intelligence?

You may have heard of the term “Cyber Threat Intelligence”, sometimes abbreviated as “CTI”. 

The term is often thrown around with little to no explanation, so, what actually is CTI? It’s always useful to know what an acronym means 🙂

The origin of the term can be traced back to 2009 in reference to research on the Tactics, Techniques, and Practices (TTP) of APT 1. 

Traditional threat intelligence, meaning the collection and dissemination of intelligence of emerging and reoccurring threats, was a key part of the intelligence apparatus during the Cold War. 

However, traditional threat intelligence is a very general term, referring to intelligence on anything from nation-states to small guerrilla insurgent groups. 

The rise of Advanced Persistent Threats (APT) forever changed the threat intelligence landscape. 

Like any other covert action, a nation-state sponsored cyber attack is designed to cause as much damage as possible, while maintaining plausible deniability for guilty parties. 

Threat intelligence on these APT groups became known as Cyber Threat Intelligence. 

CTI analysts analyse the tactics, techniques, and practices of these groups. They collect everything from the groups’ malware to their chat logs to build a full profile for defensive purposes. 

Since the rise of APTs in the mid-2000s, the field of CTI has had to evolve and adapt to new threats and attack styles. Threat actors less sophisticated than APTs can now emulate many of the tactics APTs use.

As a result, CTI has had to expand to collect intelligence on these groups as well. CTI is now not only crucial for governments, but also private organisations and businesses. 

2021 saw a 1,885% increase in ransomware attacks. This was an unprecedented increase, with the healthcare industry alone reporting a 775% increase in cyber attacks.

CTI is not only for large businesses either; roughly 60% of ransomware attacks target businesses with less than 500 employees. However, building a CTI team is easier said than done. Collecting intelligence on relevant threat actors is often a time consuming and expensive task.

What we see time and time again is the “it won’t happen to us” conversation which can then turn into…

Why didn’t we know about this?! 

The question posed by the CEO or MD when there has been a data breach.

Here at SOS Intelligence, it’s our mission to provide cyber threat intelligence that won’t break the bank and is accessible. You don’t need a big team to use it.

Our Open Source Intelligence (OSINT) tool automatically collects and aggregates data from the top cybercriminal forums, including some private forums. 

Using the web UI or the custom API, you can set alerts for keywords like emails or usernames. If a keyword is posted on one of the many forums we monitor, you will get an immediate alert via several communication channels. 

Using our OSINT tool you will have the capabilities of a full CTI team, minus the overhead and head count.

Save yourself the headache and risk, let SOS Intelligence be your eyes and ears in the dark world cyber criminals have built online.

Cyber Threat Intelligence is clearly an essential pillar of a modern defence strategy, but don’t take our word for it. Let’s look into a case involving CTI…

LAPSUS$ – A Study of Cyber Threat Intelligence Successes

There is no better case study of modern Cyber Threat Intelligence than the case of the international hacking group known as LAPSUS$. 

LAPSUS$ was first noticed in early December of 2021 when the group compromised systems belonging to the Brazilian Ministry of Health. This attack was a classic extortion attempt and would pale in comparison to LAPSUS$’s later attacks. 

It took the Brazilian government more than a month to make a full recovery; the attack effectively halted the roll-out of Brazil’s COVID-19 vaccine certification app, ConectSUS.

Over the next few months LAPSUS$ went on to breach several more companies, including Impresa, a Portuguese media company, and Vodafone Portugal. LAPSUS$’s first five attacks took place in quick succession, within just three months.

The group exclusively targeted Portuguese-speaking companies, leading many CTI researchers to suspect the hackers were located in Brazil or Portugal. Members of the group reinforced this suspicion by using slang like “kkkkkkkkk”, the Portuguese equivalent of the English “hahaha”.

LAPSUS$ member using Portuguese slang in Telegram chat

LAPSUS$ was put on the map after the attack on the Brazilian Ministry of Health garnering headlines like “Lapsus$: The Hot New Name in Ransomware Gangs” and “Watch Out LockBit, Here Comes Lapsus$!”. 

While these headlines were catchy, the articles themselves offered no insight into the tactics or motivations of the group. At the time, many thought LAPSUS$ was just like any other ransomware/extortion group, financially-motivated with the goal of encrypting or exfiltrating data and holding it for ransom. 

However, LAPSUS$’s next attack would challenge everything we thought we knew about the group. On 25 February 2022, GPU chipmaker Nvidia announced it was investigating an “incident” that knocked some of its systems offline for two days. Three days later LAPSUS$ announced “We hacked NVIDIA” on their Telegram channel…

NVIDIA hacked

 LAPSUS$’s breach of Nvidia was, no doubt, a big deal, but what was far more interesting were their demands. 

More often than not, hacking groups fall into one of three motivational categories: financially motivated, ideologically motivated, or state-sponsored. Up until the Nvidia breach LAPSUS$ fell squarely in the financially motivated category, but their unusual demands to Nvidia changed that.

Instead of demanding money or selling the data to the highest bidder, LAPSUS$ demanded that Nvidia release its GPU drivers as open source software. Naturally, Nvidia refused. In response LAPSUS$ leaked some Nvidia source code in their Telegram group, but nothing all that interesting or noteworthy.

Less than two weeks after the Nvidia breach, LAPSUS$ announced they had compromised Samsung. The attackers stole roughly 200 gigabytes of data, including some source code for Samsung Galaxy devices.

By this point, threat intelligence researchers were keenly aware of LAPSUS$’s tactics, techniques and procedures. CTI analysts drew up models of how LAPSUS$ operates, giving defenders insight on how to avoid a possible breach. 

Intrusion Analysis Diamond model for LAPSUS$

Continuing their attacks on large tech companies, LAPSUS$ compromised Microsoft. Again, the group started exfiltrating source code. 

LAPSUS$ was able to download partial source code for Bing, Bing Maps and even some Windows code. However, Microsoft’s CTI researchers were able to halt the download before it completed: LAPSUS$ had mentioned in a public Telegram chat that they had access to Microsoft systems before the data exfiltration had finished.

LAPSUS$ chat about MS

Microsoft’s threat intelligence team had been monitoring this chat and was able to stop the exfiltration in real-time. That’s something even advanced EDR software can’t do. While LAPSUS$ would never admit their mistakes, one member did acknowledge the download was interrupted.

A close call for MS

Soon afterwards LAPSUS$ was reported to be led by a teenage boy in the United Kingdom, who was arrested along with six other teenagers associated with the group. Many still suspect there may have been a member located in Brazil, but as of now this has not been confirmed.

The LAPSUS$ affair is an excellent showcase of how Cyber Threat Intelligence can protect your organisation from advanced and emerging threat actors.

The SOS Intelligence toolkit can give you and your company the capability to monitor threats like LAPSUS$. Just as Microsoft leveraged CTI analysis to minimise the damage from the LAPSUS$ attack, your organisation can use our CTI tools.

The SOS Intelligence toolkit includes advanced CTI tools capable of monitoring both Dark Web and Clear Web hacking forums and chats. Protect your assets from sophisticated threats today by checking out the SOS Intel toolkit.

Would you like to discover how SOS Intelligence can help you mitigate the cyber threats?

Click the link below to book a call: https://tinyurl.com/sosinteldemo


FAQ

What is Cyber Threat Intelligence?

Cyber Threat Intelligence, or CTI, is the process of collecting and analysing threat actors’ behaviour. CTI analysts build profiles of known threat actors by investigating their Tactics, Techniques and Procedures (TTPs).

How is Cyber Threat Intelligence used?

Network defenders use profiles as well as the TTPs collected by CTI analysts to make informed decisions on how to protect their network. 

Threat actors will often reuse attack vectors on many targets. When CTI analysts discover these attack vectors, they pass on the information to defenders. 

Cyber Threat Intelligence provides the defenders the ability to fight existing and emerging threat actors. 

What is a CTI framework?

A Cyber Threat Intelligence framework is an organisational tool for CTI analysts. There are many CTI frameworks, one of the most popular being the MITRE ATT&CK framework.

MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

Source: https://attack.mitre.org

Why is Cyber Threat Intelligence Important?

Much like a physical conflict, cyber conflicts need proactive intelligence for good defence. 

Cyber criminals often use forums and chat rooms to communicate with each other. Infiltrating these groups can provide great insight into upcoming and ongoing cyber attacks. 

With the shocking increase of ransomware attacks, proper threat intelligence has become imperative. Ransomware groups are tracked and monitored day and night by CTI analysts. Analysts then alert defenders to a possible breach or upcoming attack. 

Who do cyber criminals target?

The cyber criminal landscape is constantly evolving, but most cyber criminals fall into one of three categories.

First, you have your typical financially motivated cyber criminal. These threat actors are motivated by one thing and one thing only: money.

They will scam, hack, and steal anything or anyone for money. In fact, sometimes they scam other cyber criminals! 

The second category is the ideologically-motivated threat actor. Often dubbed hacktivists, these cyber criminals care less about money and are motivated by a political cause. Prime examples of “hacktivist” style hacking groups are “AgainstTheWest” or “Anonymous”. 

The third and most dangerous category is the state-sponsored threat actor. These threat actors work directly or indirectly for a nation-state. 

State-backed threat actors have almost unlimited resources as well as legal protection provided by their government. CTI analysts classify these groups as Advanced Persistent Threats or APTs. 

While not every APT group is state-backed, all state-backed groups are APTs. For cyber criminals, their motivation is the key behind who they target. Financially-motivated cyber criminals often target businesses both small and large. 

Ideologically-motivated threat actors tend to target governments, institutions, or individuals who they deem political enemies. State-backed threats have very specific targets given to them by whatever nation-state they work for. These targets often control vital systems, i.e. energy companies or defence contractors.

Photo by Philipp Katzenberger on Unsplash

CVE Top 10

The SOS Intelligence CVE Chatter Weekly Top Ten – 11 July 2022

This weekly blog post is generated via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.

There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.

We make every effort to ensure the accuracy of the data presented. As this is an automated process some errors may creep in.

If you are feeling generous please do make us aware of anything you spot, feel free to follow us on Twitter @sosintel and DM us. Thank you!
1.  CVE-2018-17144

Bitcoin Core 0.14.x before 0.14.3, 0.15.x before 0.15.2, and 0.16.x before 0.16.3 and Bitcoin Knots 0.14.x through 0.16.x before 0.16.3 allow a remote denial of service (application crash) exploitable by miners via duplicate input. An attacker can make bitcoind or Bitcoin-Qt crash.

https://nvd.nist.gov/vuln/detail/CVE-2018-17144
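
Entry 1 is worth a closer look because the flaw is a missing sanity check rather than a parsing bug: a block containing a transaction that spends the same outpoint twice could crash vulnerable nodes, and the fix restored a duplicate-input check on the block-validation path that had been skipped for performance. The following Python sketch is an added example, not Bitcoin Core code: it models transaction and block validation with that check switchable on and off, using constructed transaction ids and a one-entry UTXO set, and shows the double spend being rejected cleanly when the check is on and tripping an internal invariant (the crash condition the CVE describes) when it is off.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class OutPoint:
    txid: str   # hex id of the transaction being spent (constructed values below)
    vout: int   # index of the output being spent

@dataclass
class Tx:
    txid: str
    inputs: list                                  # list[OutPoint]
    outputs: list = field(default_factory=list)   # list[int] amounts

class ValidationError(Exception):
    """Raised when a transaction fails a consensus check and is rejected."""

class InvariantViolation(Exception):
    """Stands in for the internal assertion a real node would hit (and crash on)."""

def check_transaction(tx: Tx, check_duplicate_inputs: bool = True) -> None:
    """Context-free checks on a single transaction.

    The duplicate-input check is the one that matters here: a transaction must
    not spend the same outpoint twice.  Making it optional mirrors the shape of
    the bug, where the check was skipped on the block-validation path.
    """
    if not tx.inputs:
        raise ValidationError(f"{tx.txid}: no inputs")
    if check_duplicate_inputs:
        seen = set()
        for op in tx.inputs:
            if op in seen:
                raise ValidationError(f"{tx.txid}: duplicate input {op.txid}:{op.vout}")
            seen.add(op)

def connect_block(txs, utxo: dict, check_duplicate_inputs: bool = True) -> dict:
    """Apply a block's transactions to a copy of the UTXO set and return it.

    With the per-transaction check on, a double-spending tx is rejected before
    it touches the UTXO set.  With it off, the second spend of the same outpoint
    reaches the spend step, where the coin is already gone: a node treats that
    as an invariant violation, which is what turns a bad block into a crash.
    """
    utxo = dict(utxo)
    for tx in txs:
        check_transaction(tx, check_duplicate_inputs)
        for op in tx.inputs:
            if op not in utxo:
                raise InvariantViolation(f"{tx.txid}: spending missing/spent {op.txid}:{op.vout}")
            del utxo[op]
        for i, amount in enumerate(tx.outputs):
            utxo[OutPoint(tx.txid, i)] = amount
    return utxo

# Constructed data: one unspent output, a valid spend of it, and a transaction
# that lists the same outpoint twice (the shape of block a malicious miner would build).
GENESIS_UTXO = {OutPoint("aa" * 32, 0): 50}
VALID_SPEND = Tx("cc" * 32, [OutPoint("aa" * 32, 0)], [49])
DOUBLE_SPEND = Tx("bb" * 32, [OutPoint("aa" * 32, 0), OutPoint("aa" * 32, 0)], [100])

def outcome(check_duplicate_inputs: bool) -> str:
    """Which stage stops the double-spend block, for the checked and unchecked paths."""
    try:
        connect_block([DOUBLE_SPEND], GENESIS_UTXO, check_duplicate_inputs)
    except ValidationError:
        return "rejected-by-check"
    except InvariantViolation:
        return "invariant-violation"
    return "accepted"

if __name__ == "__main__":
    print("check on :", outcome(True))
    print("check off:", outcome(False))
```

The lesson generalises beyond Bitcoin: a cheap structural check that is skipped on one code path for performance leaves every later stage relying on an invariant nobody enforces, and the failure mode is then whatever the deepest assertion does, which in a long-running daemon means a remote crash.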
2. CVE-2012-2459

Unspecified vulnerability in bitcoind and Bitcoin-Qt before 0.4.6, 0.5.x before 0.5.5, 0.6.0.x before 0.6.0.7, and 0.6.x before 0.6.2 allows remote attackers to cause a denial of service (block-processing outage and incorrect block count) via unknown behavior on a Bitcoin network.

https://nvd.nist.gov/vuln/detail/CVE-2012-2459
3. CVE-2015-0847

The HWP filter in LibreOffice before 4.3.7 and 4.4.x before 4.4.2 and Apache OpenOffice before 4.1.2 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted HWP document, which triggers an out-of-bounds write.

https://nvd.nist.gov/vuln/detail/CVE-2015-0847
4. CVE-2015-1774

The HWP filter in LibreOffice before 4.3.7 and 4.4.x before 4.4.2 and Apache OpenOffice before 4.1.2 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted HWP document, which triggers an out-of-bounds write.

https://nvd.nist.gov/vuln/detail/CVE-2015-1774
5. CVE-2015-3988

The automated feed repeated the HWP filter description from entry 3 for this CVE; see the NVD entry below for its actual description.

https://nvd.nist.gov/vuln/detail/CVE-2015-3988
6. CVE-2017-7479

The automated feed repeated the HWP filter description from entry 3 for this CVE; see the NVD entry below for its actual description.

https://nvd.nist.gov/vuln/detail/CVE-2017-7479
7. CVE-2017-7508

The automated feed repeated the HWP filter description from entry 3 for this CVE; see the NVD entry below for its actual description.

https://nvd.nist.gov/vuln/detail/CVE-2017-7508
8. CVE-2015-2684

The automated feed repeated the HWP filter description from entry 3 for this CVE; see the NVD entry below for its actual description.

https://nvd.nist.gov/vuln/detail/CVE-2015-2684
9. CVE-2017-7521

The automated feed repeated the HWP filter description from entry 3 for this CVE; see the NVD entry below for its actual description.

https://nvd.nist.gov/vuln/detail/CVE-2017-7521
10. CVE-2013-7441

The automated feed repeated the HWP filter description from entry 3 for this CVE; see the NVD entry below for its actual description.

https://nvd.nist.gov/vuln/detail/CVE-2013-7441