CVE-2020-1350 aka SIGRed

A new critical CVE is in the wild and actively being exploited. The advisory describes it as follows:

A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability.

To exploit the vulnerability, an unauthenticated attacker could send malicious requests to a Windows DNS server.

The update addresses the vulnerability by modifying how Windows DNS servers handle requests.

The advice is to update ASAP. The workaround can be found here:

A PowerShell command is available to disable large DNS requests and responses (set the registry value, then restart the DNS Server service):

New-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters" -PropertyType DWORD -Name TcpReceivePacketSize -Value 0xFF00 -Force
Restart-Service "DNS Server" -Force

Ideally, the patch needs to be applied as soon as possible.
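An added check, not part of the original post or of Microsoft's guidance, that reports whether the registry workaround above is in place on the host it runs on. It assumes it is run elevated on a Windows server; the service name DNS and the 0xFF00 cap are the ones the workaround uses.

```powershell
# Added example (not from the original post): audit the SIGRed workaround.
$key     = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$name    = 'TcpReceivePacketSize'
$maximum = 0xFF00   # the cap the workaround sets (65280 bytes)

function Test-SigRedWorkaround {
    # Only hosts running the DNS Server service (service name "DNS") are affected.
    $svc = Get-Service -Name 'DNS' -ErrorAction SilentlyContinue
    if (-not $svc) {
        return 'DNS Server service not installed: workaround not applicable.'
    }

    # Read the value; a missing value means the default receive size applies.
    $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $value) {
        return "$name not set: default TCP receive size in use, workaround NOT applied."
    }
    if ($value -le $maximum) {
        return ('{0} = 0x{1:X} ({1} bytes): workaround applied.' -f $name, $value)
    }
    return ('{0} = 0x{1:X} ({1} bytes) exceeds 0x{2:X}: workaround NOT applied.' -f $name, $value, $maximum)
}

Test-SigRedWorkaround
```

The cap also rejects legitimate TCP responses larger than 65280 bytes, so remove the value once the update is installed.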

More can be found here

Sharing error OSE204 from OneDrive

If you’ve tried sharing a file from your organisation’s team share in OneDrive with anonymous parties outside the organisation, you might run into a problem with sharing settings.

This is not easily solvable at first. A number of settings in Office 365 can affect this:

  • Office 365 Active users page: select an individual user, then OneDrive, to see the sharing access they have
  • OneDrive Admin: the sharing page has a number of options
  • SharePoint Admin: again, there are a number of options here

Make sure you check the sections above to ensure the correct settings are set. If you still cannot share the files, you will need to connect to SharePoint Online via PowerShell.

  1. Make sure the PowerShell module is installed:
    Install-Module -Name Microsoft.Online.SharePoint.PowerShell
  2. Connect to your instance:
    $adminUPN = "<the full email address of a SharePoint administrator account>"
    $orgName = "<name of your Office 365 organization, example: contosotoycompany>"
    $userCredential = Get-Credential -UserName $adminUPN -Message "Type the password."
    Connect-SPOService -Url https://$orgName-admin.sharepoint.com -Credential $userCredential
  3. Set the sharing capability on your site:
    Set-SPOSite -Identity '<URL of the site>' -SharingCapability ExternalUserAndGuestSharing

The above should do the trick. Just note that it does take some time to take effect.

See: Sharing Errors
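An added example, not part of the original post, that compares the tenant-wide and site-level sharing capability before changing the site: a site cannot be more permissive than the tenant, so if the tenant is locked down, Set-SPOSite on its own will not help. It assumes the Microsoft.Online.SharePoint.PowerShell module is installed, that Connect-SPOService has already been run as in step 2, and that $siteUrl is a placeholder for your site.

```powershell
# Added example (not from the original post): report tenant vs site sharing.
$siteUrl = '<URL of the site>'          # placeholder, replace with your site
$desired = 'ExternalUserAndGuestSharing'

function Get-SharingReport {
    param([string]$Url, [string]$Desired)
    $tenant = (Get-SPOTenant).SharingCapability
    $site   = (Get-SPOSite -Identity $Url).SharingCapability
    # Least to most permissive; the site setting is capped by the tenant setting.
    $ranking = @{
        'Disabled'                        = 0
        'ExistingExternalUserSharingOnly' = 1
        'ExternalUserSharingOnly'         = 2
        'ExternalUserAndGuestSharing'     = 3
    }
    [pscustomobject]@{
        Tenant       = "$tenant"
        Site         = "$site"
        TenantAllows = $ranking["$tenant"] -ge $ranking[$Desired]
        SiteMatches  = "$site" -eq $Desired
    }
}

$report = Get-SharingReport -Url $siteUrl -Desired $desired
$report
if ($report.TenantAllows -and -not $report.SiteMatches) {
    # Tenant permits the level we want and the site is below it: raise the site.
    Set-SPOSite -Identity $siteUrl -SharingCapability $desired
} elseif (-not $report.TenantAllows) {
    Write-Warning "Tenant sharing is '$($report.Tenant)'; raise it in the SharePoint admin centre first."
}
```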

Sophos: Patch your firewalls – zero day runs wild

Over the weekend, Sophos announced it had released a hotfix for Sophos XG firewalls. This hotfix patched an SQL injection vulnerability which allowed attackers to download payloads to the device.

It looks like the hashed usernames and passwords have been stolen from the XG devices. This means all XG owners should reset the passwords for administration and any local VPN users as well.

It appears the attack came in via either the admin portal (port 4444) or the user portal (port 443). Normally the administration portal is closed on the WAN; however, it is common practice to have the user portal exposed on the WAN.

If your firewall has been compromised, Sophos recommends these steps:

  1. Reset device administrator accounts
  2. Reboot the XG device(s)
  3. Reset passwords for all local user accounts
  4. Although the passwords were hashed, it is recommended that passwords are reset for any accounts where the XG credentials might have been reused

We are awaiting further information from Sophos.

Block xmlrpc.php attacks on WordPress with fail2ban + iptables

One of the issues I’ve faced on this server is xmlrpc.php attacks. These are normally bots trying to exploit old bugs in xmlrpc.php within WordPress. Many legitimate plugins, such as Jetpack, make calls to this file, so blocking it outright isn’t really an option.

In my case, I wanted to block these attacks with iptables. So I went about creating a rule using fail2ban.

To get started, get iptables and fail2ban installed:

apt-get install fail2ban iptables

Once installed, edit the local jail file (it won’t exist on a new install):

nano /etc/fail2ban/jail.local

Add the following lines (make sure the log path matches your own; the [xmlrpc] section header names the jail and must be present):

[xmlrpc]
enabled = true
filter = xmlrpc
action = iptables[name=xmlrpc, port=http, protocol=tcp]
logpath = /var/log/apache2/access.log
bantime = 43600
maxretry = 2

Now create the filter file (it won’t exist yet):

nano /etc/fail2ban/filter.d/xmlrpc.conf

Add the following lines (fail2ban filters need the [Definition] section header; <HOST> is fail2ban’s placeholder for the client address):

[Definition]
failregex = ^<HOST> .*POST .*xmlrpc\.php.*
ignoreregex =

Restart the fail2ban service:

service fail2ban restart

You can watch the log in real-time to ensure it’s blocking correctly:

tail -f /var/log/fail2ban.log

Fosshub compromised – Malware on popular downloads

As discovered tonight, the popular download website Fosshub has been compromised.

Hackers have targeted popular downloads such as Audacity, WinDirStat, qBittorrent, MKVToolNix, Spybot Search&Destroy, Calibre, SMPlayer, HWiNFO, MyPhoneExplorer, IrfanView and others.

When installing these programs from Fosshub, you will be infected with malware. This malware rewrites your MBR, and you will no longer be able to boot into your operating system.

CultOfTheRazor has claimed responsibility.