INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Exploit Activity for CVE-2023-22518, Atlassian Confluence Data Center and Server
Published: 2023-11-06
Last Updated: 2023-11-06 13:40:13 UTC
by Johannes Ullrich (Version: 1)
Last week, Atlassian published an advisory for CVE-2023-22518. The vulnerability is a trivial-to-exploit authentication bypass vulnerability. Atlassian emphasized the importance of the advisory with a quote from its CISO: "There are no reports of active exploitation at this time; customers must take immediate action to protect their instances." On Friday, Atlassian confirmed that attackers are actively exploiting the vulnerability.
The vulnerability is rated with a CVSS score of 9.1. Three different URLs are affected according to the advisory ...
I went back through our data to see how much exploitation we see for these URLs. We started seeing the first attempts on November 2nd (Thursday), just as Atlassian reported seeing these exploits being used against customers.
Read the full entry:
Example of Phishing Campaign Project File
Published: 2023-11-08
Last Updated: 2023-11-08 06:37:08 UTC
by Xavier Mertens (Version: 1)
We all have a love-hate relationship with email. When newcomers on the Internet start to get emails, they are so happy, but their feelings change quickly. Then, they hope to reduce the flood of emails received daily... Good luck! Of course, tools have been developed to organize marketing campaigns. From marketing to spam or phishing, there is only one step. Bad guys started to use the same programs for malicious purposes.
Yesterday, I found an interesting file on VT. It triggered one of my hunting rules because the file contained a reference to one of my customer’s domains. I had a look at the file named “EwoExcel (1)<dot>mmp” (SHA256:0e016a41b6df3dc7daf076805e3cbb21df1ff33712b615d38ecf066cd25b6e06).
I was not aware of the file extension “.mmp” (it’s not a “.mpp” used by Microsoft Project). But it seems to be a project file.
Read the full entry:
https://isc.sans.edu/diary/Example+of+Phishing+Campaign+Project+File/30384/