
Submission + - OpenAI ChatGPT Actions Abused to Scan for Web Vulnerabilities (sans.edu)

UnderAttack writes: A blog post at the SANS Internet Storm Center suggests that OpenAI actions are being abused to scan for WordPress vulnerabilities. Honeypot sensors at the Storm Center detected scans for URLs targeting WordPress that originated exclusively from OpenAI systems. The URLs requested all include the pattern "%%target%%", which may indicate that the scan is meant to include additional path components but the expansion of the template failed.

The scans were not only identified by the unique user agent but also by the origin IP addresses matching addresses OpenAI published as being used for OpenAI actions. OpenAI actions allow OpenAI to connect to external APIs.

Submission + - Why is My Cat Using Baidu? And Other IoT DNS Oddities (sans.edu)

UnderAttack writes: IoT devices are often stitched together from various odd libraries and features. The SANS Internet Storm Center has a story about a cat feeder that not only appears to reach out to Baidu.com every five minutes but also uses a vulnerable DNS library that uses repeating query IDs, allowing for simple spoofing not seen since the early dark years of DNS.

Submission + - No-Show for RPC Exploit: A Day of Attacks against an SMB/RPC Windows Honeypot

UnderAttack writes: After Microsoft patched and went public with CVE-2022-26809, the recent RPC vulnerability, the SANS Internet Storm Center set up a complete Windows 10 system exposing port 445/TCP "to the world." The system is not patched for the RPC vulnerability. But so far, while it has seen thousands of attacks against SMB a day, nothing yet for the new RPC vulnerability. Looks like all the noise was just that: noise. But still, attackers are heavily hitting other vulnerabilities like, of course, still ETERNALBLUE.

Submission + - Bots Still Trying to Reach Cyberbunker 2.0 Addresses 9 Months After Raid. (sans.edu)

UnderAttack writes: In September last year, German police raided what was known as "Cyberbunker 2.0", a former cold war nuclear bunker turned into a "bulletproof" hosting facility. A student of the SANS Technology Institute analyzed traffic reaching out for the former Cyberbunker's IP address space. Over two weeks, thousands of bots called "home" still looking for a command and control server. They also observed a number of phishing sites, as well as an odd ad network still directing users to the Cyberbunker's IPs. You can find the summary here.

Submission + - DNS over HTTPS: Not as private as some think? (sans.edu)

UnderAttack writes: DNS over HTTPS has been hailed as part of a "poor man's VPN". Its use of HTTPS to send DNS queries makes it much more difficult to detect and block the use of the protocol. But there are some kinks in the armor. Current clients, and most current DoH services, do not implement the optional padding option, which is necessary to obscure the length of the requested hostname. The length of the hostname can also be used to restrict which site a user may have accessed. The Internet Storm Center is offering some data to show how this can be done.

Submission + - Large "GoldBrute" RDP Botnet Looking for Exposed Servers with Weak Passwords. (sans.edu)

UnderAttack writes: Renato Marinho at the SANS Internet Storm Center has published an article with details regarding an RDP brute-forcing botnet dubbed GoldBrute, that currently scans a list of 1.5 million exposed RDP servers. Infected systems will retrieve target lists from a command and control server and attempt to brute force credentials against the list, while at the same time looking for more exposed servers. With all the attention spent on patching RDP servers for the recent "BlueKeep" vulnerability, users should also make sure to just not expose RDP in the first place. Even patched, it will still be susceptible to brute forcing.

Submission + - Huawei Executive Arrest Inspires Advance Fee Scams (sans.edu)

UnderAttack writes: Scammers are attempting to trick Chinese victims into sending thousands of dollars in order to secure the release of Chinese Huawei executive Meng who was arrested in Canada last week. The messages claim to originate from Ms. Meng and suggest that she found a corrupt guard who will let her go for a few thousand dollars. Of course, there will be riches for anybody who is willing to help (and more).

Submission + - A Year After Mirai: DVR Torture Chamber Test Shows 2 minutes between exploits (sans.edu)

UnderAttack writes: Over two days, the Internet Storm Center connected a default configured DVR to the Internet, and rebooted it every 5 minutes in order to allow as many bots as possible to infect it. They detected about one successful attack (using the correct password xc3511) every 2 minutes. Most of the attackers were well known vulnerable devices. A year later, what used to be known as the "mirai" botnet has branched out into many different variants. But it looks like much hyped "destructive" variants like Brickerbot had little or no impact.

Submission + - Microsoft Delays February Patch Tuesday Indefinitely (sans.edu)

UnderAttack writes: Microsoft today announced that it had to delay its February patch Tuesday due to issues with a particular patch. This was also supposed to be the first patch Tuesday using a new format, which led some to believe that even Microsoft had issues understanding how the new format is exactly going to work with no more simple bulletin summary and patches being released as large monolithic updates.

Submission + - The Dark Side Of Certificate Transparency (sans.edu)

UnderAttack writes: Certificate Transparency is a system promoted by companies like Google that requires certificate authorities to publish a log of all certificates issued. With certificate transparency, you can search these logs for any of the domains you own, to find unauthorized certificates. However, certificates are not only used for public sites. And with all certificates being published, some include host names that are not meant to be publicly known. An update of the standard is in the works to allow entities to obfuscate the host name, but until then, certificate transparency logs are a good reconnaissance source.

Submission + - Netatmo Weather Station Sends WPA Password To Manufacturer (sans.edu)

UnderAttack writes: The SANS Internet Storm Center is writing that Netatmo weather stations will send the user's WPA password in the clear back to Netatmo. Netatmo states that this is some forgotten debug code that was left in the device. Overall, the device doesn't bother with encryption, but sends all data, not just the password, in the clear.
