Skip to content

Instantly share code, notes, and snippets.

View SwitHak's full-sized avatar
🎯
Focusing

SwitHak SwitHak

🎯
Focusing
View GitHub Profile
@SwitHak
SwitHak / 20230815-TLP-WHITE_Hacktivists-in-UA-RU-Conflict.md
Last active August 22, 2023 23:06
CTI *Hacktivists in UA-RU Conflict* | Last updated: 2023-08-26 1337 UTC

Hacktivists in Ukraine-Russia Conflict

Intro

  • Since the beginning of the Ukraine invasion in 2022, we observed multiple hacktivists entities involved in the conflict, this document aims to centralize the information collected and provides a short analysis of their operating methods, financing models and some ideas on how-to report on this threat actor type, Mitre ATT&CK mapping.

Disclaimer

  • The scope encompass my own collection from January 2022 to July 2023 included, it is mostly based on publicly available data, some Telegrams & VK groups were private.
  • The following analysis will not contain Hacktivist entities & alliances names to not make them any publicity
  • I can be wrong, I'm a human, do not hesitate to comment the analysis
@SwitHak
SwitHak / 20230331-TLP-WHITE_3CX-event.md
Last active April 6, 2023 09:26
BlueTeam CheatSheet *3CX-Event-March2023* | Last updated: 2023-04-06 0926 UTC

Security Advisories / Bulletins / vendors Responses linked to 3CX compromise event

General

What's 3CX?

  • 3CX evolved from its roots as a PBX phone system to a complete communications platform, offering customers a simple, flexible, and affordable solution to call, video and live chat.

What's happening?

  • Per several report the building environment of 3CX for the DesktopApp (MAC & Windows) has been compromised
  • The recent releases (details given below) have been compromised to include malicious code inside it
  • More details available regarding the compromise with the graphics by Thomas Roccia:
@SwitHak
SwitHak / 20220909-TLP-WHITE_Albania-July-2022.md
Last active March 18, 2023 20:53
GEOPOLITICS * Albania July 2022 * | Last updated: 2022-09-19 11535 UTC

Offensive Cyber Operation against Albania networks by Iran

General

  • An offensive cyber operation against Albania government & medias networks occured the 15th July weekend.
  • Quickly the AKSHI announced they were forced to disconnect public services & government websites from Internet.
  • Mandiant cyber security company in a blog post attributed the activity to LIKELY an iranian threat actor.
  • Albania Prime Minister offcially attributed the offensive cyber operation gainst its country to Iran.
  • Albania government severed the diplomatic relationship with Iran the 7th September with immediate effect.
  • Iran embassy personnel must leave the country.
  • Nota: The response to this event depends, some says they're supportive of the Iran attribution, some not.
@SwitHak
SwitHak / 20220401-TLP-WHITE_Spring4Shell.md
Last active September 2, 2024 22:32
BlueTeam CheatSheet * Spring4Shell* | Last updated: 2022-04-16 1722 UTC
@SwitHak
SwitHak / 20211210-TLP-WHITE_LOG4J.md
Last active December 1, 2024 23:57
BlueTeam CheatSheet * Log4Shell* | Last updated: 2021-12-20 2238 UTC

Security Advisories / Bulletins / vendors Responses linked to Log4Shell (CVE-2021-44228)

Errors, typos, something to say ?

  • If you want to add a link, comment or send it to me
  • Feel free to report any mistake directly below in the comment or in DM on Twitter @SwitHak

Other great resources

  • Royce Williams list sorted by vendors responses Royce List
  • Very detailed list NCSC-NL
  • The list maintained by U.S. Cybersecurity and Infrastructure Security Agency: CISA List
@SwitHak
SwitHak / 20201222-TLP-WHITE_HOW-TO-detect-SolarWinds_events.md
Last active March 15, 2021 17:50
BlueTeam CheatSheet * SolarWinds Events* | Last updated: 2020-12-24 1334 UTC

SolarWinds Supply-chain Compromises

Detections

General

  • This section aims to provide the detections released by security companies to detect the malwares / files linked to SolarWinds supply-chain compromise events. We kindly remind you that this detections signatures could / will evolve in the next days, stays updated by checking the vendors resources to have the last information.

Warning

  • SolarWinds in a support article now removed, asked the organizations to exclude SolarWinds products paths of the anti-virus scans. If it is an understandable practice to not impact SolarWinds products functions, the following detections will not work if the installation paths exclusions are not removed first.

Security Products

@SwitHak
SwitHak / 20200730-TLP-WHITE_BootHole_CVE-2020-10713.md
Last active March 15, 2021 17:50
BlueTeam CheatSheet * BootHole * | Last updated: 2020-08-13 1957 UTC

CVE-2020-10713 AKA BootHole

  • Logo
  • Cool Name : BootHole

General

  • GRUB2 -> GRand Unified Bootloader version 2 -Don't hurry up on the patches, RedHat have some bug within and also test before production. -It's a cool vuln, cool name, cool logo, but take your time to test the patches, boot isn't something you patching every month, take care !
  • TBD
@SwitHak
SwitHak / 20200716_TLP-WHITE_July-Patch-Priorities.md
Last active September 29, 2020 02:48
BlueTeam CheatSheet * July Patch Priorities * TW2LWIML | Last updated: 2020-07-31 0013 UTC

July Patch Priorities

Patching priority:

P1

  • SHITRIX-II (Critical, Exploited)
  • F5 BigIP (Critical, Exploited)
  • SAPRecon (Critical, Exploited)
  • ASA & FTD CVE-2020-3452 (High, Exploited)
  • SIGRed CVE-2020-1350 (Critical, Exploit available (DoS))
@SwitHak
SwitHak / 20200618-TLP-WHITE_Ripple20.md
Last active April 26, 2023 22:04
BlueTeam CheatSheet * Ripple20 * | Last updated: 2020-06-26 2121 UTC

Ripple20, set of vulnerabilities inside Treck / KASAGO IP Stacks

General

  • Ripple20 is the codename to a set of 19 vulnerabilities discovered by the cybersecurity team JSOF.
  • These vulnerabilities are inside an IP stack, selled under two different names (Treck TCP/IP for U.S market Kasago TCP/IP, for Asia market. -These two stacks were bought and used under privated-labeled by several softwares companies, some known names are: GHnetv2, Kwiknet, Quadnet.
  • But there's more, these stacks were also integrated, sometimes with modifications, inside several RTOS (real-time operating system).
  • Last, some of the vulnerabilities, depending the device operating system, configuration or location can have greater or lower CVSS score.
  • My advice is for companies to ask their suppliers if they use one of this stack and assess the risk following their company risk policy.
  • This will not be an easy set of vulnerabilities to patch, sadly.
@SwitHak
SwitHak / 20200504-TLP-WHITE_SaltStack_CVE-2020-11651.md
Last active February 4, 2021 10:57
BlueTeam CheatSheet * CVE-2020-11651 * SaltStack | Last updated: 2020-06-03 0938 UTC

CVE-2020-11651 AKA SaltStack RCE

  • Currently no cool name, what are you doing @GossiTheDog ? ;)

General

  • A critical vulnerability have been discovered by FSECURE Labs team in the SaltStack product.
  • The vulnerability is a Remote Code Execution with the higher CVSS number possible 10/10 and the CVE number is CVE-2020-11651.
  • there's also another vulnerability referenced under the CVE-2020-11652, discovered in the same time also per FSECURE.
  • The vulnerability is actively exploited (Some says since Saturday morning 2020-05-02) and several exploits are in the wild.
  • We currently knows at least 5 victims, even big names are concerned.
  • This is not a drill or something you can patch later, act now.