{
  "id": 124,
  "date": "2022-08-24T19:33:50",
  "date_gmt": "2022-08-24T19:33:50",
  "guid": {"rendered": "https:\/\/gcsecurity.us\/?p=124"},
  "modified": "2023-01-27T19:57:47",
  "modified_gmt": "2023-01-27T19:57:47",
  "slug": "threat-intelligence-bulletin-linux-kernel-vulnerabilities-bypassing-mfa-and-obscuring-credential-stuffing",
  "status": "publish",
  "type": "post",
  "link": "https:\/\/gcsecurity.us\/?p=124",
  "title": {"rendered": "Threat Intelligence Bulletin &#8211; Linux Kernel Vulnerabilities, Bypassing MFA, and Obscuring Credential Stuffing"},
  "content": {
    "rendered": "\n<p>The DirtyCred (<a href=\"https:\/\/access.redhat.com\/security\/cve\/cve-2022-2588\">CVE-2022-2588<\/a>) Linux kernel vulnerability abuses heap memory to swap unprivileged kernel credentials for privileged ones<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/thehackernews.com\/2022\/08\/as-nasty-as-dirty-pipe-8-year-old-linux.html\">https:\/\/thehackernews.com\/2022\/08\/as-nasty-as-dirty-pipe-8-year-old-linux.html<\/a><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>Attackers are abusing the Palo Alto PAN-OS URL filtering policy to carry out reflected and amplified DoS attacks<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/cisa-is-warning-of-high-severity-pan-os-ddos-flaw-used-in-attacks\/\">https:\/\/www.bleepingcomputer.com\/news\/security\/cisa-is-warning-of-high-severity-pan-os-ddos-flaw-used-in-attacks\/<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/cyware.com\/news\/palo-alto-firewalls-abused-for-amplified-ddos-attacks-c9aa953a\">https:\/\/cyware.com\/news\/palo-alto-firewalls-abused-for-amplified-ddos-attacks-c9aa953a<\/a><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>A threat actor has expanded its adversary-in-the-middle (AiTM) attacks to Google Workspace users, leveraging compromised accounts and password-reset prompt emails<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/thehackernews.com\/2022\/08\/researchers-warn-of-aitm-attack.html\">https:\/\/thehackernews.com\/2022\/08\/researchers-warn-of-aitm-attack.html<\/a><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>New tactics used by threat actors to bypass MFA include abusing the self-enrollment process in Azure AD and registering a second authenticator app on compromised accounts<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.helpnetsecurity.com\/2022\/08\/24\/attackers-microsoft-mfa\/\">https:\/\/www.helpnetsecurity.com\/2022\/08\/24\/attackers-microsoft-mfa\/<\/a><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>Compromised WordPress sites are displaying fake Cloudflare DDoS protection pages to deliver malware<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/blog.sucuri.net\/2022\/08\/fake-ddos-pages-on-wordpress-lead-to-drive-by-downloads.html\">https:\/\/blog.sucuri.net\/2022\/08\/fake-ddos-pages-on-wordpress-lead-to-drive-by-downloads.html<\/a><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>A vulnerability in GitLab may allow authenticated users to achieve RCE via the GitHub API endpoint<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.helpnetsecurity.com\/2022\/08\/24\/cve-2022-2884\/\">https:\/\/www.helpnetsecurity.com\/2022\/08\/24\/cve-2022-2884\/<\/a><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>A BianLian ransomware variant is being used to target the education sector among others, accounting for 12.5% of victims in the wild<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.darkreading.com\/cloud\/new-bianlian-ransomware-variant-on-the-rise\">https:\/\/www.darkreading.com\/cloud\/new-bianlian-ransomware-variant-on-the-rise<\/a><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>The FBI warns that threat actors are using residential proxies to hide their credential stuffing activity<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/fbi-warns-of-residential-proxies-used-in-credential-stuffing-attacks\/\">https:\/\/www.bleepingcomputer.com\/news\/security\/fbi-warns-of-residential-proxies-used-in-credential-stuffing-attacks\/<\/a><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>The Iranian Charming Kitten APT is using a new data-scraping tool to download and delete emails from compromised accounts<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.darkreading.com\/endpoint\/charming-kitten-apt-wields-new-scraper-to-steal-email-inboxes\">https:\/\/www.darkreading.com\/endpoint\/charming-kitten-apt-wields-new-scraper-to-steal-email-inboxes<\/a><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>A phishing campaign is using a compromised Dynamics 365 Customer Voice account to spoof eFax notifications and steal Microsoft 365 credentials<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.darkreading.com\/cloud\/unusual-microsoft-365-phishing-efax-compromised-dynamic-voice-account\">https:\/\/www.darkreading.com\/cloud\/unusual-microsoft-365-phishing-efax-compromised-dynamic-voice-account<\/a><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>The persistent executable payload \u201cAdsearch\u201d, installed via ISO files, was the top July threat according to Red Canary; the linked page also covers the other top threats<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/redcanary.com\/blog\/intelligence-insights-august-2022\/\">https:\/\/redcanary.com\/blog\/intelligence-insights-august-2022\/<\/a><\/li>\n<\/ul>\n",
    "protected": false
  },
  "excerpt": {
    "rendered": "<p>The DirtyCred (CVE-2022-2588) Linux kernel vulnerability abuses heap memory to swap unprivileged kernel credentials for privileged ones Attackers are abusing the Palo Alto PAN-OS URL filtering policy to carry out reflected and amplified DoS attacks A threat actor has expanded its adversary-in-the-middle (AiTM) attacks to Google Workspace users, leveraging compromised accounts and password-reset prompt emails New tactics used by threat actors [&hellip;]<\/p>\n",
    "protected": false
  },
  "author": 1,
  "featured_media": 0,
  "comment_status": "closed",
  "ping_status": "open",
  "sticky": false,
  "template": "",
  "format": "standard",
  "meta": {"footnotes": ""},
  "categories": [6],
  "tags": [15, 14],
  "class_list": ["post-124", "post", "type-post", "status-publish", "format-standard", "hentry", "category-news", "tag-cybersecurity", "tag-news"],
  "_links": {
    "self": [{"href": "https:\/\/gcsecurity.us\/index.php?rest_route=\/wp\/v2\/posts\/124", "targetHints": {"allow": ["GET"]}}],
    "collection": [{"href": "https:\/\/gcsecurity.us\/index.php?rest_route=\/wp\/v2\/posts"}],
    "about": [{"href": "https:\/\/gcsecurity.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],
    "author": [{"embeddable": true, "href": "https:\/\/gcsecurity.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],
    "replies": [{"embeddable": true, "href": "https:\/\/gcsecurity.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=124"}],
    "version-history": [{"count": 2, "href": "https:\/\/gcsecurity.us\/index.php?rest_route=\/wp\/v2\/posts\/124\/revisions"}],
    "predecessor-version": [{"id": 187, "href": "https:\/\/gcsecurity.us\/index.php?rest_route=\/wp\/v2\/posts\/124\/revisions\/187"}],
    "wp:attachment": [{"href": "https:\/\/gcsecurity.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=124"}],
    "wp:term": [
      {"taxonomy": "category", "embeddable": true, "href": "https:\/\/gcsecurity.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=124"},
      {"taxonomy": "post_tag", "embeddable": true, "href": "https:\/\/gcsecurity.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=124"}
    ],
    "curies": [{"name": "wp", "href": "https:\/\/api.w.org\/{rel}", "templated": true}]
  }
}