Hello again, another “newsletter” is out, and this one very nearly didn’t get published as I have been very busy catching up on various things this week, as well as other stuff like the “VCT Master” that is going on at the moment (all Google results if you search for it), but luckily I managed to throw in enough news here and there to justify putting one together, so here it is :)
~Kazu
NEWS:
The unceasing action of Anonymous against Russia
https://securityaffairs.co/wordpress/130262/hacktivism/anonymous-targets-russian-entities.html
Kazu: "Anonymous" have apparently kept themselves busy helping themselves to yet another helping of data from Russia-related organizations, this time apparently 400 GB worth of data from a travel agency, not long after they also announced they had gained access to 446 GB worth of data from Russia's Ministry of Culture. It is uncertain what else they have planned, but by the looks of it they are not stopping anytime soon.
GitHub: Attacker breached dozens of orgs using stolen OAuth tokens
Kazu: It seems someone managed to steal OAuth tokens issued by GitHub to Heroku and Travis-CI and used them to access private data on GitHub, likely in an attempt to find additional information that would get them into further organizations, which they seem to have had some success with.
GitHub says there is no indication that GitHub itself was breached and has revoked all affected tokens.
An Update on CVE-2022-26809 - MSRPC Vulnerability - PATCH NOW
https://isc.sans.edu/forums/diary/An+Update+on+CVE202226809+MSRPC+Vulnerabliity+PATCH+NOW/28550/
Kazu: If you were trying to figure out how soon you should patch the vulnerability known as CVE-2022-26809, the answer is yesterday. To explain further, here is Ullrich from SANS explaining it in more detail.
U.S. Leads Seizure of One of the World’s Largest Hacker Forums and Arrests Administrator
Kazu: The blackhat hacker forum known as "RaidForums" went offline last month without many knowing why, though it was speculated it might be the work of the law. After a month or so, we indeed got confirmation that it was seized by the US/Europol and it is essentially no more; the site owner has apparently also been apprehended.
Also, some people just can’t seem to help themselves and had to promote their own breach forum in replies to the very tweet in which Europol announced the seizure, even mentioning them directly. Tbh, I am not entirely sure whether this is just a lack of basic awareness or someone actively trying to direct Europol and the rest of the LE gang towards it.
On another but related note, it seems some "CTI" services have mysteriously been quiet for a while, which is not too surprising tbh, as some of them more or less just scraped RaidForums and called it "CTI". By definition it technically was, I guess, but gosh, if that is all you do, then you deserve whatever is coming for you tbh.
OTHER INTERESTING THINGS WORTH A LOOK:
Office Protects You From Malicious ISO Files
https://isc.sans.edu/forums/diary/Office+Protects+You+From+Malicious+ISO+Files/28554/
Kazu: Something nice to note: it appears Office has started to open untrusted ISO files in Protected View, whereas before it did not do so, which is nice.
An update to Raspberry Pi OS Bullseye
https://www.raspberrypi.com/news/raspberry-pi-bullseye-update-april-2022/
Kazu: Raspberry Pi OS has had a notable change with this latest version: creating a username when installing is no longer optional. Previously the default username used when installing the OS was "pi", but to comply with recent regulations regarding default login details they have moved away from doing so, to some people's annoyance I can only assume.
Get current and stay current with Windows Autopatch
Kazu: Microsoft has come out with a new feature called "Autopatch" which is supposed to make it easier to keep everything updated without breaking the things you are not okay with breaking. However, in typical fashion, they have decided to limit it to the E3 license, which only larger organizations can afford, and organizations of that size likely have less use for something like this than smaller ones would. It also seems you hand over some of your fine-grained control to Microsoft, which some may not like.
There are a lot of other problems which the comments highlight quite nicely, so I recommend giving the comments a read; MS are also attempting to answer some of the things pointed out there.
Russia’s certificate authority for sanctioned organizations
https://koen.engineer/russias-certificate-authority-for-sanctioned-organizations-645d61af8ac6
Kazu: With Russia and Russia-related organizations getting sanctioned left and right, and many CAs even revoking certificates or refusing to renew them, Russia has had to quickly come up with an ad-hoc way for Russian people to still be able to access various Russia-related sites. However, these certificates do not really follow the standard procedures for creating a new CA, and getting them included in most browsers' root certificate stores will be quite a challenge, especially on such short notice.
But Russia has its own browser made by Yandex, called "Yandex Browser", and this article takes a closer look at how they did it and the problems the author found.