Posts

Showing posts from June, 2025

Hackers use DNS tunneling for network scanning, tracking victims

Threat actors are using Domain Name System (DNS) tunneling to track when their targets open phishing emails and click on malicious links, and to scan networks for potential vulnerabilities. DNS tunneling is the encoding of data or commands that are sent and retrieved via DNS queries, essentially turning DNS, a fundamental network communication component, into a covert communications channel. The threat actors encode the data in various ways, such as Base16 or Base64 or custom textual encoding algorithms, so they can be returned when querying DNS records, such as TXT, MX, CNAME, and Address records. Hackers commonly use DNS tunneling to bypass network firewalls and filters, employing the technique for command and control (C2) and Virtual Private Network (VPN) operations. There are also legitimate DNS tunneling applications, such as for bypassing censorship. Palo Alto Networks' Unit 42 security research team recently discovered additional use of DNS tunneling in malicious campaigns...

Active Directory Certificate Services Vulnerability Let Attackers Escalate Privileges

A critical vulnerability in Microsoft’s Active Directory Certificate Services (AD CS) could allow attackers to escalate privileges and potentially gain domain admin access. This new exploit, dubbed ESC15 or “EKUwu,” was discovered by TrustedSec in early October 2024 and has since been added to popular offensive security tools. The vulnerability, officially tracked as CVE-2024-49019, affects AD CS environments using version 1 certificate templates with specific configurations. It allows attackers with basic enrollment rights to manipulate certificate requests, bypassing intended restrictions and gaining unauthorized privileges. ESC15 builds upon previous AD CS vulnerabilities, known as ESC1 through ESC14, which were first documented by SpecterOps researchers Will Schroeder and Lee Christensen in 2021. This latest discovery demonstrates the ongoing challenges in securing AD CS infrastructures. The exploit takes advantage of a quirk in how AD CS handles certificate requests. At...

OpenWrt Sysupgrade flaw let hackers push malicious firmware images

A flaw in OpenWrt's Attended Sysupgrade feature used to build custom, on-demand firmware images could have allowed for the distribution of malicious firmware packages. OpenWrt is a highly customizable, open-source, Linux-based operating system designed for embedded devices, particularly network devices like routers, access points, and other IoT hardware. The project is a popular alternative to a manufacturer's firmware as it offers numerous advanced features and supports routers from ASUS, Belkin, Buffalo, D-Link, Zyxel, and many more. The command injection and hash truncation flaw was discovered by Flatt Security researcher 'RyotaK' during a routine home lab router upgrade. The critical (CVSS v4 score: 9.3) flaw, tracked as CVE-2024-54143, was fixed within hours of being disclosed to OpenWrt's developers. However, users are urged to perform checks to ensure the safety of their installed firmware.

Poisoning OpenWrt images

OpenWrt includes a service called Attended S...