Have a look, see what you think. How could I make it more useful to you?
It's generated using a custom-made graph-network abstraction layer I wrote in Python and then pulling some publicly available JSON-files for the Intrusion Sets and Techniques.
A couple of days ago, LockBit had published an entry on their leaksite titled "telekom.com". I asked the Telekom press corps and they denied any incident.
Yesterday, LB also published the data allegedy from Telekom. I had a look at the files. So far, it seems that nothing in the 1.2GByte directory on their file share has anything to do with Deutsche Telekom. It seems that in fact, they breached a client PC owned by a non-profit in Hamburg.
Seeing an actor register a bunch of domains through OwnRegistrar, protected by Cloudflare, that contain both "okta" and "segment" - several are already marked as active phishing sites.
There is a buffer overflow vulnerability in the underlying Utility daemon that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's access point management protocol) UDP port (8211). Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system.
Note that it says "results in the ability," not "may result in the ability" to execute remote code.
Affected Products
=================
HPE Aruba Networking
- Mobility Conductor (formerly Mobility Master)
- Mobility Controllers
- WLAN Gateways and SD-WAN Gateways managed by Aruba Central
Affected Software Versions:
- ArubaOS 10.5.x.x: 10.5.1.0 and below
- ArubaOS 10.4.x.x: 10.4.1.0 and below
- ArubaOS 8.11.x.x: 8.11.2.1 and below
- ArubaOS 8.10.x.x: 8.10.0.10 and below
The following ArubaOS and SD-WAN software versions that are End
of Maintenance are affected by these vulnerabilities and are not
patched by this advisory:
- ArubaOS 10.3.x.x: all
- ArubaOS 8.9.x.x: all
- ArubaOS 8.8.x.x: all
- ArubaOS 8.7.x.x: all
- ArubaOS 8.6.x.x: all
- ArubaOS 6.5.4.x: all
- SD-WAN 8.7.0.0-2.3.0.x: all
- SD-WAN 8.6.0.4-2.2.x.x: all
There is a buffer overflow vulnerability in the underlying L2/L3 Management service that could lead to unauthenticated remote codeby sending specially crafted packets destined to the PAPI (Aruba's access point management protocol) UDP port (8211).Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system.
Our research reveals that nearly 20% of these public repositories (almost three million repositories!) actually hosted malicious content. The content ranged from simple spam that promotes pirated content, to extremely malicious entities such as malware and phishing sites, uploaded by automatically generated accounts.
Few things are as ubiquitous in the US as road toll fees, and a @DomainTools colleague has now published a post about a threat actor targeting folks with fake toll scams.
Change Healthcare didn’t use MFA on Citrix Netscaler. It was a bog standard ransomware incident.
One learning for the industry btw - I saw loads of threat intel channels circulating incorrect info about the incident. That’s fine, but some (eg the health info sharing authorities) reshared this wrong info.
The CEO of UnitedHealth is due to give testimony in Washington on their Change Healthcare ransomware incident tomorrow, where he will say “Our company alone repels an attempted intrusion every 70 seconds – thwarting more than 450,000 intrusions per year”
That sound impressive, but if you own a Windows PC at home, you’re doing the same thing - it’s called the built in firewall.
Not having MFA on Citrix Netscaler is also called negligence.
Werewolves Group are a ransomware group who attack primarily Russian organisations, although orgs across Europe in total. They've been operating under the radar for a few months.
There are many ransomware operators who aren't in Russia and aren't being tracked properly, so I imagine the odds are the problem is going to keep spiralling into other regions. Shout out to Kazakhstan.
Russia is very very exposed in terms of cybersecurity and resiliency as attacking local orgs there will get the local feds to bash your door in.. so ransomware groups have left it untested. #threatintel