Hello everyone! This month I decided NOT to make an episode completely dedicated to Microsoft Patch Tuesday. Instead, this episode will be an answer to the question of how my Vulnerability Management month went. A retrospective of sorts.
This month I made some improvements to my Vulristics vulnerability prioritization tool. These changes relate to the use of exploit data on GitHub. We all know that exploits are often posted on GitHub. But how adequate is this source for evaluating exploitability?
Hello everyone! In this episode, I will try to revive Security News with a focus on Vulnerability Management.
On the one hand, creating such reviews requires free time, which could be spent more wisely, for example, on open source projects or original research. On the other hand, there are arguments in favor of news reviews. Keeping track of the news is part of our job as vulnerability and security specialists. And preferably not only headlines.
I usually follow the news using my automated Telegram channel @avleonovnews. And it looks like this: I see something interesting in the channel, I copy it to Saved Messages so that I can read it later. Do I read it later? Well, usually not. Therefore, creating news reviews motivates me to read and clear Saved Messages. Just like doing Microsoft Patch Tuesday reviews motivates me to watch what’s going on there. In general, it seems it makes sense to make a new attempt. Share in the comments what you think about it. And if you want to participate in the selection of news, I will be glad too.
I took 10 news items from Saved Messages and divided them into 5 categories:
This episode is based on posts from my Telegram channel avleonovcom, published in the last 2 weeks. So, if you use Telegram, please subscribe. I update it frequently.
Barapass update
I recently released an update to my password manager barapass. BTW, it seems to be my only pet project at the MVP stage that I use every day.
What’s new:
Now I am sure that it works on Windows 10 without WSL. And you can run it beautifully, even with the icon. Read more about installation on Windows in this file.
In the search results section, it is now possible not only to “copy the next value to the clipboard” (“revolver mode”), but also to get the previous value or copy the same value once again if it was somehow erased from the clipboard. Previously, I had to retype the search request each time to do this, and it was quite annoying. By the way, I unexpectedly discovered that the user input history inside the application magically works in the Windows shell (using the up and down arrows) without any additional coding. On Linux it does not.
You can set a startup command, for example, to decrypt the container.
The startup command and quick (favorite) commands are now in settings.json and not hard-coded.
settings.json, container files and decrypted files are now in the “files” directory. It is now more convenient to update barapass: just change the scripts in the root directory and that’s it. I divided the scripts into several files, so it should now be clearer how it works.
So, if you need a minimalistic console password manager in which you can easily use any encryption you like – welcome! You can read more about barapass in my previous post.
I never thought that I would write here about state sanctions. Usually I try to ignore political topics. But now it’s necessary. Yesterday OFAC introduced sanctions against 5 Russian companies.
I’ve already mentioned in “Petya the Great and why *they* don’t patch vulnerabilities“ that NotPetya ransomware seems trivial from a Vulnerability Management point of view. It uses known Windows vulnerabilities that were patched by Microsoft a long time ago.
Despite this, I was really interested in the role of M.E.Doc (its servers were confiscated by Ukrainian police and the website is not operational) in the initial phase of malware spreading. In my opinion, we have a pretty interesting example of an attack vector that will be very hard to detect and mitigate. Moreover, it once again shows that a protected perimeter won’t be a panacea anymore.
M.E.Doc – My Electronic Document Circulation System. “m.e.doc” sounds like the word that means “honey” in Russian and Ukrainian. That’s why all these bees are in the promo materials.
M.E.Doc is a Document Circulation System very popular in Ukraine. It makes it possible to send reports to government authorities in electronic form. It can be used in any organization. I can even imagine a situation where usage of this kind of software may even be mandatory. Now researchers [Eset, Dr.Web] say that M.E.Doc servers sent updates with backdoors to customers.
This backdoor has the following abilities:
Collecting data for accessing mail servers
Executing arbitrary commands on the infected system
Running any executables
Downloading arbitrary files to the infected computer
Uploading arbitrary files to a remote server
Identifying the exact organization by its EDRPOU number
I don’t really care about the technical details of this backdoor. For me it’s enough that malicious code was on the official server of the vendor and was spread to legitimate customers. Boom!
Hi everyone! Today I would like to talk about software vulnerabilities. How to find really interesting vulnerabilities in the overall CVE flow. And how to do it automatically.
First of all, let’s talk about why we may ever need to analyze software vulnerabilities. How do people usually do their Vulnerability Management and Vulnerability Intelligence?
Some people have a vulnerability scanner, scan their infrastructure with it, patch the found vulnerabilities and think that this will be enough.
Some people pay attention to the vulnerabilities that are widely covered by media.
Some people use vulnerability databases and search for the most critical vulnerabilities by some criteria.
Each of these ways has some advantages and some disadvantages.
I had a chance to see a presentation and live demo of ERPScan – an automated SAP scanning solution – and it made quite an impression on me. ERPScan has interesting scanning features. The most spectacular, in my opinion, is the ability to run exploits for found vulnerabilities directly from the scanner.
This is my personal blog. The opinions expressed here are my own and not those of my employer. All product names, logos, and brands are property of their respective owners. All company, product and service names are used here for identification purposes only. Use of these names, logos, and brands does not imply endorsement. You can freely use materials of this site, but it would be nice if you place a link to https://avleonov.com and send a message about it to me@avleonov.com or contact me any other way.