Discover and read the best of Twitter Threads about #0day

Most recent (10)

🚨 1/ Ongoing campaign primarily targeting security researchers here on Twitter.

Possibly they are trying to exploit some vulnerability in Internet Explorer and database tools like Navicat. I haven't been able to get the malicious payload yet, but something fishy is going on 🤔
2/ Tweets mention things like #0day, #databreach, #Kimsuky, #Lazarus and point to a file download on pan[.]baidu[.]com, just now removed.

There is also a repo on GitHub with connection data and credentials to supposed DBs and Web Apps that ask to use IE 🤭
3/ I tried 211.143.190.233:2222, at first glance harmless, but in the code we see that it points to a rather suspicious .JS.

When we deobfuscate and clean, a hidden URL appears that could load the next stage; however, I could not get it (maybe geofenced or some other trick).
NEW INVESTIGATION: recent Mexican #Pegasus spyware abuses led us to evidence of a trio of zero-click exploits used by #NSO.

Targets? HomeKit & FindMy.

Remarkably, #Apple's #iOS #LockdownMode blocked one of them.

Quick THREAD 1/
citizenlab.ca/2023/04/nso-gr…
2/ First, the new victims: Mexican lawyers representing families of victims of Military abuses

The timing of the targeting matches key developments in efforts to hold #Mexico's army responsible.

It's really bad.

We @citizenlab forensically confirmed the spyware infections. One infected device belongs...
3/ We found evidence of 3 #zeroclick #0day chains used by NSO's #Pegasus #spyware in 2022.

First: #PWNYOURHOME: worked against #homekit even if you didn't set up a home.

Apple's changes in iOS 16.3.1 that address.

#LockdownMode also kneecaps it.
I wrote a quick Nmap script to scan for servers potentially vulnerable to #ProxyNotShell (based on Microsoft's recommended URL blocking rule) I hope it can be useful for someone :)

[+] github.com/CronUp/Vulnera…

#0day CVE-2022-40140 CVE-2022-41082
Basically, it sends an SSRF-like request adding the string "Powershell" in the URI; if there is no block and the server returns the header "X-FEServer" with the server name, then it is potentially vulnerable.

Also in its mass scanning version ~
Updated script, added #ProxyShell validation and some error handling, thanks to @CesarSilence and @GossiTheDog for their ProxyShell checker template (I was missing the "redirect_ok=false") :D
Mahalo to everybody who came to my @defcon talk "You're M̶u̶t̶e̶d̶ Rooted" 🙏🏽

Was stoked to talk about (& live-demo 😅) a local priv-esc vulnerability in Zoom (for macOS).

Currently there is no patch 👀😱

Slides with full details & PoC exploit:
speakerdeck.com/patrickwardle/… #0day
🆕 Update(s):
🐛 Bug assigned CVE-2022-28756
🩹 Patch now available, in Zoom v5.11.5 (9788)

See Zoom's security bulletin:
explore.zoom.us/en/trust/secur…

Mahalos to @Zoom for the (incredibly) quick fix! 🙌🏽 🙏🏽
Reversing the patch, we see the Zoom installer now invokes lchown to update the permissions of the update .pkg, thus preventing malicious subversions 🔐👍🏽
Some more information on the #Nginx #0day by @_Blue_hornet as shared via DM and published here with permission:
Update on the #Nginx 1.18 #0day:
Around 20 minutes ago @_Blue_hornet started a GitHub repo around the exploit:
github.com/AgainstTheWest…

Some more hints on the Exploit:
- Related to #Spring4Shell
- Created by #BrazenEagle
- Related to the ldap-auth daemon used together with #Nginx
A major civil war going on in the Russian cyber-criminal underground between the #Lockbit #Blackmatter #ransomware groups and other threat actors! @TalosSecurity
After alleging for a long time that Kajit, the former owner of RAMP, is a cop, LockBitSupp posted a massive bombshell to the XSS (DaMaGe LaB) Russian hacking forum: a screenshot of the 30+ scree...
LockBitSupp (#lockbit #ransomware) just shared proof of conversations between vx-underground and Kajit proving that Kajit was the one who leaked the BlackMatter admin panel. What is interesting is that the admin panel was shared with wazawaka/boriselicin
Why do we have a problem with cyber security, you ask?

Why publication or #0day trading with #Schwachstellen (vulnerabilities) and #Exploits is (unfortunately) the "better" deal. (cc @certbund)

Explained in one tweet:
Time for fun! The @WordPress plugin known as Social Network Tabs, made by Design Chemical, combines all of your favorite social networks profiles. Due to their poor coding skills I was able to take over 127 Twitter accounts #0day #infosec github.com/fs0c131y/CVE-2…
This is caused by the following lines of code within the page where the Twitter widget is displayed. Yes, they leak the Twitter access_token, access_token_secret, consumer_key and consumer_secret of their user
Thanks to @publicww, with the following search queries, I managed to retrieve the Twitter access_token, access_token_secret, consumer_key and consumer_secret from 539 vulnerable websites
Tomorrow, I will publish on Twitter a #0day for a very famous #Android app 😁
No, it’s not the NaMo app but thanks for giving me my next topic ☺️
#0day Flash exploit CVE-2018-4878 has been seen in an attack that used a malformed Flash object embedded in an Excel document. Protected View can prevent automatic execution of the exploit. ASR in Windows Defender Exploit Guard on Windows 10 and EMET on older systems can also protect.
On Windows 10 Fall Creators Update, properly configured Attack Surface Reduction (ASR) rules can help mitigate the in-the-wild Flash exploit delivered through Office documents.
Windows Defender AV protections have been available since February 1 to detect and block the exploit and related payloads. Windows Defender ATP flags malicious behaviors, as well as exposes alerts from Windows Defender Exploit Guard and Windows Defender AV.