Wednesday, June 24, 2020

Unidentified armed men attack Mungamba; 3 FARDC soldiers believed to have died in the attack

Unidentified armed men attacked Mungamba, a town on the border between Irumu and Mambasa territories more than 60 km south of Bunia in Ituri.

According to Maître Laurent Kieya of the NGO Convention for the Defense of Forest Peoples (CODEPEF), who quotes the administrator of Irumu territory, the attack began on the night of Tuesday to Wednesday, June 24, 2020.
At least 3 FARDC soldiers are believed to have died in the incident, the source said, a figure not yet confirmed by the military.

"It is since last night that we learned that there was an attack by unidentified elements in one of the localities between the territories of Mambasa and Irumu," he told news outlets in the territory.

For the moment, reports Maître Laurent, traffic is suspended on the national road number 04 going from Beni to Kisangani where this attacked village is located.

"The population is tumbling, commercial activities are slowing down, shops and stores have not opened," he said.

This new attack comes only a few days before the installation in the area of a FARDC position, following an express request from the local population.

1 FARDC soldier dies, 8 CODECO militiamen captured by FARDC in intense fighting in Dyaro, Djugu territory

The Armed Forces of the Democratic Republic of Congo (FARDC) announced this Wednesday, June 24, 2020, that they captured eight CODECO militiamen in Dyaro on the afternoon of Tuesday, June 23, in the Walendu-Pitsi sector, Djugu territory.
"Yesterday in Dyaro in the territory of Djugu in the Walendu-Pitsi sector, the armed forces were attacked by a group of CODECO attackers and this attack ended in bitter failure and strong FARDC military pressure on the rebels. Crude information shows a great CODECO commander by the name of Ndekote neutralized with eight other elements," said Lieutenant Jules Ngongo, army spokesperson in Ituri.

During the fighting, one FARDC soldier lost his life and others were injured, the source said.

Lieutenant Jules Ngongo also gave assurances that the regular army has the situation under control, before calling on the militiamen not to be obstinate and to lay down their arms to avoid what he called the "supreme punishment of the armed forces".

He asked the population to continue to trust and work with the regular army to put an end to the activism of armed groups in Ituri province.

Al-Shabab has claimed responsibility for the suicide bombing inside the Turkish military training base in Somalia's capital, Mogadishu, that left two civilians dead on Tuesday.

"The attack occurred as new military cadets were doing their morning drills," said Col. Ahmednor Abdulle, a Somali military officer.
This was the first attack targeting Turkey's largest overseas military base in Somalia since the Turkish government opened the camp to train Somali forces fighting al-Shabab militants based in Somalia.
The Turkish Defense Ministry in a statement said a Somali citizen was killed and one other person was wounded. It said no Turkish personnel were hurt and there was no damage to the barracks.
"Terrorist organization and its supporters who carried out this cowardly attack, and we will not leave our Somali brothers alone in their fight against terrorist organizations," said the Turkish Defense Minister in a statement.
According to initial information, the assailant tried to enter the base but was shot by the guards after he refused commands from the Somali soldiers in front of the main gate.

Tuesday, June 23, 2020

Osmedeus: fully automated offensive security framework for reconnaissance, vulnerability scanning and threat intelligence.

Osmedeus lets you automatically run a collection of tools for reconnaissance and vulnerability scanning against a target.
Installation
cd Osmedeus
./install.sh
This install script only targets Kali Linux; see the Usage page for other installation options.
NOTE: You might need to run sudo su before installing or using this; otherwise you might run into dependency problems.
Using Docker: see the "Using Docker" section below.
If you have no idea what you are doing, just type the command below or check out the Advanced Usage page:
./osmedeus.py -t example.com
Features
Subdomain Scan.
Subdomain TakeOver Scan.
Screenshot the target.
Basic recon like Whois, Dig info.
Web Technology detection.
IP Discovery.
CORS Scan.
SSL Scan.
Wayback Machine Discovery.
URL Discovery.
Headers Scan.
Port Scan.
Vulnerability Scan.
Separate workspaces to store all scan output and details logging.
REST API.
React Web UI.
Support Continuous Scan.
Slack notifications.
Easily view report from the command line.
INSTALLATION
For Kali Linux 
git clone https://github.com/j3ssie/Osmedeus
cd Osmedeus
./install.sh
For other Unix OSes
Change the default shell and package manager at the top of the install file and you should be fine to run:
git clone https://github.com/j3ssie/Osmedeus
cd Osmedeus
./install.sh
For macOS
Install Go (officially or via Homebrew), plus nmap and masscan. Change the default shell and package manager at the top of the install file and you should be fine to run:
git clone https://github.com/j3ssie/Osmedeus
cd Osmedeus
./install.sh
Using Docker 
Check out docker-osmedeus by mabnavarrete for docker installation.
TL;DR
Run this command to pull the container and install Osmedeus.
Installation 
docker run -d --net host --name osmedeus mablanco/osmedeus
Simple usage 
docker exec -it osmedeus ./osmedeus.py --client -t example.com
or access the container through bash, then navigate to ~/ and you're good to go.
docker exec -it osmedeus /bin/bash -i
Access the UI 
Default credentials are placed in ~/.osmedeus/config.conf. Make sure to change the Remote API in the Configuration tab to the interface on which you are running Docker.
Setup REST API server on the remote server 
Open tmux (or similar) and run the API server persistently with this command:
python3 server/manage.py runserver
or
python3 server/manage.py runserver 0.0.0.0:8000
if you want to bind this server on other IP and port.
Run osmedeus client 
Open tmux (or similar) on that machine too and run (recommended):
./osmedeus.py -t example.com
or, if you really want to point the client at your remote server, do
./osmedeus.py -t example.com --remote http://your_remote_ip:port
Check out the security concerns to protect your server.
Osmedeus uses the Django authentication system to manage users and create a token.
You can create a new user directly with the command below.
python3 server/manage.py createsuperuser
These users are also used to log in to the Web UI.
Example Commands
# normal routine
./osmedeus.py -t example.com
./osmedeus.py -T list_of_target.txt
# normal routine but slow speed on all modules
./osmedeus.py -t example.com --slow 'all'
# normal routine but exclude some modules
./osmedeus.py -t example.com -x 'linkfinding,dirb'
# direct mode examples
./osmedeus.py -m subdomain -t example.com
./osmedeus.py -m portscan -i "1.2.3.4/24"
./osmedeus.py -m "portscan,vulnscan" -i "1.2.3.4/24" -w result_folder
# direct list mode examples
./osmedeus.py -m portscan -I list_of_targets.txt
./osmedeus.py -m portscan,vulnscan -I list_of_targets.txt
./osmedeus.py -m screen -I list_of_targets.txt -w result_folder
# report mode
./osmedeus.py -t example.com --report list
./osmedeus.py -t example.com --report export
./osmedeus.py -t example.com --report sum
./osmedeus.py -t example.com --report short
./osmedeus.py -t example.com --report full

VLC vulnerability CVE-2020-13428: your VLC media player may expose your computer to security risks

The well-known open-source media player VLC recently published a security bulletin (read the full vulnerability report here) and released a new version. The bulletin covers a high-risk security vulnerability, CVE-2020-13428, which can lead to remote execution of arbitrary code. The vulnerability was fixed before disclosure, so users need to upgrade to the new version.
The vulnerability mainly affects the hardware-accelerated codec bundled with VLC, and the affected codec is only used on macOS and iOS. This means the Windows, Linux and Android versions are not affected. Other vulnerabilities are fixed in this release as well, so all users should upgrade.
To exploit the vulnerability, an attacker only needs to craft a malicious media file and induce the user to open it, as long as the user plays it with VLC.
We should remind everyone here that files of unknown origin should not be opened casually, even media files such as videos or music.

Microsoft Threat Intelligence Python Security Tools

The msticpy package was initially developed to support Jupyter Notebook authoring for Azure Sentinel. Many of the included tools can be used in other security scenarios for threat hunting and threat investigation.
There are three main sub-packages:
sectools – Python security tools to help with data enrichment, analysis, or investigation.
nbtools – Jupyter-specific UI tools such as widgets, plotting, and other data display.
data – data layer and pre-defined queries for Azure Sentinel, MDATP, and other data sources.
Security Tools Sub-package – sectools
This subpackage contains several modules helpful for working on security investigations and hunting:
base64unpack
Base64 and archive (gz, zip, tar) extractor. Input can either be a single string or a specified column of a pandas dataframe. It will try to identify any base64 encoded strings and decode them. If the result looks like one of the supported archive types it will unpack the contents. The results of each decode/unpack are rechecked for further base64 content and will recurse down up to 20 levels (default can be overridden). Output is to a decoded string (for single string input) or a DataFrame (for dataframe input).
Base64Unpack Notebook
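As an added illustration (my own code, not msticpy's, and limited to single-string input rather than DataFrames), the following implements the core of what base64unpack does: find base64-looking tokens, decode them, unpack gzip payloads, and re-scan each result until a depth limit is reached. The nested command line it runs on is constructed for the example.

```python
import base64
import binascii
import gzip
import re

# Constructed sample (not real telemetry): a command line carrying base64 that
# decodes to a gzip archive, whose content is another base64 string, whose
# content is a command with yet another base64 argument.
INNER = "powershell -enc SGVsbG8gd29ybGQ="          # innermost: "Hello world" encoded
LEVEL2 = base64.b64encode(INNER.encode()).decode()
OUTER = base64.b64encode(gzip.compress(LEVEL2.encode())).decode()
SAMPLE = f"cmd.exe /c echo {OUTER} | decode"

# A run of at least 12 base64 alphabet chars plus optional padding, not glued
# to other alphabet chars. The threshold trades false positives against misses.
B64_RE = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{12,}={0,2}(?![A-Za-z0-9+/=])")
GZIP_MAGIC = b"\x1f\x8b"


def _decode_token(token):
    """Strict base64 decode; returns None when the token is not valid base64."""
    try:
        return base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None


def unpack(text, max_depth=20, _depth=0):
    """Return [(depth, kind, decoded_text), ...] for every base64 token in text,
    recursing into each decoded result until max_depth levels are reached."""
    results = []
    if _depth >= max_depth:
        return results
    for match in B64_RE.finditer(text):
        raw = _decode_token(match.group(0))
        if raw is None:
            continue
        kind = "base64"
        if raw.startswith(GZIP_MAGIC):          # gzip archive: unpack it first
            try:
                raw = gzip.decompress(raw)
            except OSError:
                continue
            kind = "base64+gzip"
        try:
            decoded = raw.decode("utf-8")
        except UnicodeDecodeError:
            # Binary payload: record it as hex but do not recurse into it.
            results.append((_depth, kind + "(binary)", raw.hex()))
            continue
        results.append((_depth, kind, decoded))
        results.extend(unpack(decoded, max_depth, _depth + 1))
    return results


if __name__ == "__main__":
    for depth, kind, value in unpack(SAMPLE):
        print(f"{'  ' * depth}[{kind}] {value}")
```

The depth counter is what keeps a self-referential or attacker-padded payload from recursing forever; msticpy's default of 20 is kept here as the `max_depth` argument.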
iocextract
Uses a set of built-in regular expressions to look for Indicator of Compromise (IoC) patterns. Input can be a single string or a pandas dataframe with one or more columns specified as input.
The following types are built-in:
IPv4 and IPv6
URL
DNS domain
Hashes (MD5, SHA1, SHA256)
Windows file paths
Linux file paths (this is kind of noisy because a legal Linux file path can have almost any character)
You can modify or add to the regular expressions used at runtime.
The output is a dictionary of matches (for single string input) or a DataFrame (for dataframe input).
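Added example (my own code, not msticpy's): a small regex-based extractor for the IoC types listed above, run over a constructed log line, with a helper that adds a pattern at runtime. The dns pattern shows the noise problem the text mentions for paths: without the extension filter, "update.exe" and "p.php" would be reported as domains.

```python
import re

# Built-in patterns, roughly mirroring the IoC types listed above. The \b
# anchors stop the MD5 pattern firing inside a SHA-256 string.
IOC_PATTERNS = {
    "ipv4": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "url": re.compile(r"\bhttps?://[^\s\"'<>]+", re.IGNORECASE),
    "dns": re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\b", re.IGNORECASE),
    "sha256": re.compile(r"\b[a-f0-9]{64}\b", re.IGNORECASE),
    "sha1": re.compile(r"\b[a-f0-9]{40}\b", re.IGNORECASE),
    "md5": re.compile(r"\b[a-f0-9]{32}\b", re.IGNORECASE),
    "windows_path": re.compile(r"\b[a-z]:\\(?:[^\\/:*?\"<>|\s]+\\)*[^\\/:*?\"<>|\s]*", re.IGNORECASE),
}

# "file.exe" looks like a domain to the dns regex; drop matches whose last
# label is a common file extension.
FILE_EXTENSIONS = {"exe", "dll", "sys", "txt", "log", "php", "ps1", "bat", "js"}


def add_pattern(patterns, name, regex):
    """Return a copy of patterns with one regex added or overridden (runtime extension)."""
    new = dict(patterns)
    new[name] = re.compile(regex)
    return new


def extract_iocs(text, patterns=IOC_PATTERNS):
    """Return {ioc_type: [unique matches in order of appearance]} for one string."""
    found = {}
    for kind, regex in patterns.items():
        for match in regex.finditer(text):
            value = match.group(0)
            if kind == "dns" and value.rsplit(".", 1)[-1].lower() in FILE_EXTENSIONS:
                continue
            found.setdefault(kind, [])
            if value not in found[kind]:
                found[kind].append(value)
    return found


# Constructed log line for this example (not real telemetry; 203.0.113.0/24
# and example.net are documentation ranges/names).
SAMPLE_LOG = (
    "2020-06-23T10:15:02Z host=WS01 "
    r"proc=C:\Users\usertest\AppData\Local\Temp\update.exe "
    "dst=203.0.113.45 url=http://download.example.net/p.php?id=1 "
    "sha256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef "
    "md5=deadbeefdeadbeefdeadbeefdeadbeef"
)

if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_LOG).items():
        print(kind, values)
    custom = add_pattern(IOC_PATTERNS, "cve", r"\bCVE-\d{4}-\d{4,7}\b")
    print(extract_iocs("patched CVE-2020-13428 today", custom))
```

The host of every URL is also reported under dns, which is usually what an analyst wants; dedupe across types if it is not.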
tiproviders
The TILookup class can look up IoCs across multiple TI providers. Built-in providers include AlienVault OTX, IBM XForce, VirusTotal, and Azure Sentinel.
The input can be a single IoC observable or a pandas DataFrame containing multiple observables. Depending on the provider, you may require an account and an API key. Some providers also enforce throttling (especially for free tiers), which might affect performing bulk lookups.
vtlookup
Wrapper class around the VirusTotal API. Input can be a single IoC observable or a pandas DataFrame containing multiple observables. Processing requires a VirusTotal account and API key, and throughput is limited to the number of requests per minute allowed for your account type. Supported IoC types:
Filehash
URL
DNS Domain
IPv4 Address
VTLookup Notebook
geoip
Geographic location lookup for IP addresses.
This module has two classes for different services:
GeoLiteLookup – Maxmind Geolite (see https://www.maxmind.com )
IPStackLookup – IPStack (see https://ipstack.com )
Both services offer a free tier for non-commercial use. However, a paid tier will normally get you more accuracy, more detail, and a higher throughput rate. Maxmind geolite uses a downloadable database, while IPStack is an online lookup (API key required).
eventcluster
This module is intended to be used to summarize large numbers of events into clusters of different patterns. High volume repeating events can often make it difficult to see unique and interesting items.
This is an unsupervised learning module implemented using scikit-learn DBSCAN.
The module contains functions to generate clusterable features from string data. For example, an administration command that does some maintenance on thousands of servers with a commandline like the following
install-update -hostname {host.fqdn} -tmp:/tmp/{GUID}/rollback
can be collapsed into a single cluster pattern by ignoring the character values of the host name and GUID in the string and using delimiters or tokens to group the values. This lets you see distinct patterns of activity more easily.
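An added example of the feature-generation step (my own simplified version, not msticpy's; msticpy additionally computes numeric features and clusters them with DBSCAN): host names, GUIDs and numbers are replaced with tokens so that the maintenance command above collapses to one pattern, and a rare command stands out. The command lines are constructed.

```python
import re

# Value classes to collapse, applied in this order (GUIDs first so their
# digit groups are not re-tokenised as plain numbers).
TOKEN_RULES = [
    ("{GUID}", re.compile(r"\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b", re.IGNORECASE)),
    ("{FQDN}", re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)),
    ("{NUM}", re.compile(r"\b\d+\b")),
]


def to_pattern(cmdline):
    """Replace variable fields with placeholder tokens so that command lines
    differing only in host names, GUIDs or numbers get the same pattern."""
    pattern = cmdline
    for token, regex in TOKEN_RULES:
        pattern = regex.sub(token, pattern)
    return pattern


def cluster(cmdlines):
    """Group command lines by pattern; returns [(pattern, count, first_example)]
    with the most frequent pattern first."""
    groups = {}
    for line in cmdlines:
        groups.setdefault(to_pattern(line), []).append(line)
    return sorted(((p, len(v), v[0]) for p, v in groups.items()),
                  key=lambda g: (-g[1], g[0]))


def rare_patterns(cmdlines, max_count=1):
    """Patterns seen at most max_count times: the candidates worth a look."""
    return [g for g in cluster(cmdlines) if g[1] <= max_count]


# Constructed sample: in real data the first shape would repeat thousands of
# times and bury the last line.
SAMPLE_CMDLINES = [
    "install-update -hostname srv01.corp.example.com -tmp:/tmp/3f2504e0-4f89-41d3-9a0c-0305e82c3301/rollback",
    "install-update -hostname srv02.corp.example.com -tmp:/tmp/9b1deb4d-3b7d-4bad-9bdd-2b0d7b3dcb6d/rollback",
    "install-update -hostname db-7.eu.example.net -tmp:/tmp/16fd2706-8baf-433b-82eb-8c7fada847da/rollback",
    "powershell -enc SGVsbG8gd29ybGQ=",
]

if __name__ == "__main__":
    for pattern, count, example in cluster(SAMPLE_CMDLINES):
        print(f"{count:5d}  {pattern}")
```

Note that an IPv4 address is not a token class here, so it collapses to four `{NUM}` fields; add a rule ahead of `{NUM}` if addresses should be kept distinct from other numbers.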
outliers
Similar to the eventcluster module, but a little more experimental (read: less tested). It uses the scikit-learn Isolation Forest to identify outlier events in a single data set, or uses one data set as training data and another on which to predict outliers.
auditdextract
Module to load and decode Linux audit logs. It collapses messages sharing the same message ID into single events, decodes hex-encoded data fields, and performs some event-specific formatting and normalization (e.g. for process start events it will re-assemble the process command-line arguments into a single string).
This is still a work-in-progress.
syslog_utils
Module to support an investigation of a Linux host with only syslog logging enabled. This includes functions for collating host data, clustering logon events, and detecting user sessions containing suspicious activity.
cmd_line
A module to support the detection of known malicious command line activity or suspicious patterns of command line activity.
nbtools
This is a collection of display and utility modules designed to make working with security data in Jupyter notebooks quicker and easier.
nbwidgets – groups common functionality such as list pickers, time boundary settings, saving and retrieving environment variables into a single line callable command.
nbdisplay – functions that implement the common display of things like alerts, events in a slightly more consumable way than print()
entityschema – implements entity classes (e.g. Host, Account, IPAddress) used in Log Analytics alerts and in many of these modules. Each entity encapsulates one or more properties related to the entity.
Notebook Tools Notebook and Event Timeline Visualization
Data sub-package – data
These components are currently still part of the nbtools sub-package but will be refactored to separate them into their own package.
QueryProvider – extensible query library targeting Log Analytics or OData endpoints. Built-in parameterized queries allow complex queries to be run from a single function call. Add your own queries using a simple YAML schema.
security_alert and security_event – encapsulation classes for alerts and events.
entity_schema – definitions for multiple entities (Host, Account, File, IPAddress, etc.)
Each has a standard ‘entities’ property reflecting the entities found in the alert or event. These can also be used as meta-parameters for many of the queries. For example, the following query will extract the value for the hostname query parameter from the alert:

qry.list_host_logons(query_times, alert)

DLL hijacking vulnerability in Trend Micro Password Manager

Tempest's Consulting Team has detected a vulnerability in Trend Micro Password Manager. It enables a privilege escalation that grants NT AUTHORITY\SYSTEM (a user with full local privileges) to whoever exploits it, through DLL hijacking.
In the following text, we briefly present some basic concepts on the subject, as well as a demonstration of this vulnerability in Trend Micro Password Manager.
DLL (Dynamic Link Library)
According to Microsoft’s documentation, a Dynamic Link Library is a binary module that has a set of functions and data that can be used by other binary modules — that is, a set of functions and data that can be used by another DLL or an executable.
A feature of DLL functions is that they do not inherit the permissions set in the Access Control List (ACL) of the loaded files when they are imported. Instead, they usually inherit the permissions of the process that imported them.
The import of a DLL can be performed through the functions LoadLibrary() and LoadLibraryEx(). If an absolute file path is not provided, Windows will by default use the DLL search order to find the module that is not yet loaded. This search is performed in the following directories, consecutively:
1. The directory from which the application was loaded;
2. The system directory;
3. The 16-bit system directory;
4. The Windows directory;
5. The current working directory (CWD);
6. The directories that appear listed in the PATH environment variable.
However, there are several ways to change the search order of a DLL. Microsoft's documentation, Load Library Safely, can be consulted for more details on the topic.
The fact is that if the loading of a DLL is implemented insecurely, an attacker can take advantage of the search order to perform an attack known as DLL hijacking. To do this, the attacker just places a malicious DLL with the same name as the one requested in a directory that comes earlier in the search order.
Trend Micro Password Manager
Trend Micro Password Manager is a software that can be installed together with Trend Micro Maximum Security.
During an analysis of the operations performed during start-up of the operating system, it was possible to detect that the Trend Micro Password Manager Central Control Service, through its main process PwmSvc.exe, is responsible for creating a new process called certutil.exe, which manipulates Firefox browser certificates. The following image illustrates the creation of this process:
Right after this creation, certutil.exe inherits the privileged user permissions and tries to load several DLLs, among them, the
nssckbi.dll located inside the Firefox browser profile folder:
The security problem with this import performed by the certutil.exe process lies precisely in the excessive permissions of the directory, since it is inside the profile folder of the logged-in user (C:\Users\usertest). To test whether the process would actually import a DLL from the indicated directory, even if it is not signed, a DLL was written that records the author of the action (the user name) in a text file. As can be seen in the image below, the DLL runs with high privilege on the machine:
Thus, one can conclude the existence of two vulnerabilities through the actions described above:
1) The DLL was being imported from an improper location;
2) The signature verification was not being performed.
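Added example, my own model rather than the report's code: a Python simulation of the six-step search order listed above, applied to a constructed layout modelled on the Trend Micro finding. The directory paths, the profile folder name and the assumption that the profile folder is searched as the current working directory are all assumptions made for the example; only nssckbi.dll and certutil.exe come from the article. The check flags the two defects listed in the findings, a user-writable directory ahead of the module and a missing signature, and shows the effect of shipping a signed copy next to the application and loading it by absolute path. On a real host the writability column would come from the directory ACLs (for example via icacls), not from a hand-built table.

```python
from dataclasses import dataclass, field

# Fixed entries of the default search order (steps 2-4 in the text).
SYSTEM32 = r"C:\Windows\System32"
SYSTEM16 = r"C:\Windows\System"
WINDIR = r"C:\Windows"


@dataclass(frozen=True)
class DirInfo:
    low_priv_writable: bool                    # can a standard user create/replace files here?
    dlls: dict = field(default_factory=dict)   # lower-case dll name -> True if vendor-signed


def default_search_order(app_dir, cwd, path_dirs):
    """The six-step default order described in the text."""
    return [app_dir, SYSTEM32, SYSTEM16, WINDIR, cwd, *path_dirs]


def resolve(dll_name, search_order, fs):
    """Directory the loader would take the DLL from, or None if not found."""
    name = dll_name.lower()
    for directory in search_order:
        info = fs.get(directory)
        if info is not None and name in info.dlls:
            return directory
    return None


def hijack_exposure(dll_name, search_order, fs):
    """Return (resolved_dir, exposed_dirs): every low-privilege-writable
    directory the loader consults up to and including the one that wins.
    A same-named DLL planted in any of them would be loaded instead."""
    resolved = resolve(dll_name, search_order, fs)
    exposed = []
    for directory in search_order:
        info = fs.get(directory)
        if info is not None and info.low_priv_writable:
            exposed.append(directory)
        if directory == resolved:
            break
    return resolved, exposed


def safe_to_load(dll_name, search_order, fs, require_signature=True):
    """Model of the two checks the findings call for: no user-writable
    directory ahead of the module, and a valid vendor signature."""
    resolved, exposed = hijack_exposure(dll_name, search_order, fs)
    if resolved is None:
        return False, "not found"
    if exposed:
        return False, "user-writable directory in search path: " + ", ".join(exposed)
    if require_signature and not fs[resolved].dlls[dll_name.lower()]:
        return False, "unsigned module"
    return True, resolved


# Constructed scenario (paths are assumptions, not taken from the report):
# certutil.exe runs as SYSTEM, the Firefox profile folder is user-writable and
# holds an unsigned nssckbi.dll, and it is searched as the working directory.
APP_DIR = r"C:\Program Files\Trend Micro\Password Manager"
PROFILE = r"C:\Users\usertest\AppData\Roaming\Mozilla\Firefox\Profiles\abc123.default"
USER_TOOLS = r"C:\Users\usertest\tools"
FS = {
    APP_DIR: DirInfo(False),
    SYSTEM32: DirInfo(False, {"kernel32.dll": True}),
    SYSTEM16: DirInfo(False),
    WINDIR: DirInfo(False),
    PROFILE: DirInfo(True, {"nssckbi.dll": False}),
    USER_TOOLS: DirInfo(True),
}
ORDER = default_search_order(APP_DIR, cwd=PROFILE, path_dirs=[USER_TOOLS])

# Remediated layout: a signed copy shipped next to the application and loaded
# by absolute path, so the loader never consults the profile folder.
FIXED_FS = {**FS, APP_DIR: DirInfo(False, {"nssckbi.dll": True})}
FIXED_ORDER = [APP_DIR]

if __name__ == "__main__":
    print("vulnerable:", safe_to_load("nssckbi.dll", ORDER, FS))
    print("remediated:", safe_to_load("nssckbi.dll", FIXED_ORDER, FIXED_FS))
```

A missing DLL is the worst case for this model: with no winning directory the loader walks the whole list, so every user-writable entry in it is exposed, which is why probing for DLLs that fail to load is a standard part of a hijacking audit.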
When contacted, Trend Micro claimed that the vulnerability in question was present in the NSS tools module of the Firefox browser. Firefox, on the other hand, replied that it did not recommend the commercial use of its browser; stating that it was a test tool. However, after a more refined analysis, Trend Micro not only accepted the vulnerability, correcting it, but also generated a thank you note and a CVE assignment. In addition, more recently, the company released another note, where it reports the change in the Common Vulnerability Scoring System — CVSS severity assignment. The vulnerability in question had been considered by them to be of medium severity, but ended up being recognized as of high severity.

Banyamulenge students denounce repeated attacks on the refugee camps sheltering the Banyamulenge

Students from the Banyamulenge community in South Kivu, gathered in the Ubumwe and Humura movements, call on the provincial authorities to protect over 1,000 displaced people from their community, victims of repeated attacks on their site.
In a statement made Monday, June 22, 2020, they call on the provincial authorities to punish the perpetrators of repeated attacks against the Banyamulenge.
"We were about to organize a march on Monday to denounce repeated attacks against the Banyamulenge displaced in Mikenge. Within a month, this site was attacked 3 times, and during these attacks several people were injured and property looted," they said.
These students regret that a woman injured in these attacks has since died of her injuries in hospital.
They promise to organize a march soon to denounce these attacks.

In this same area, prisoners are about to perish in their cells from hunger.

More than 90 inmates of the central prison of Kamituga, in Mwenga territory in South Kivu, are in danger of death for lack of food.
The last food grant from the authorities was last March, says Richard, director of this prison.
He says the inmates are at risk of dying because they have neither food nor medicine.
"Here we have nothing as a grant. We got the last grant last March. We are having a lot of trouble. Inmates don't have food and they don't have medicine," he said.
Richard also points out that the inmates have lately been living only on donations from some Christians from churches in Kamituga.
He also reports that several inmates suffer from contagious diseases.
It should be noted that, on Friday, April 24, an inmate died following the famine at the Central Prison.

DRC's Covid-19 cases close to 6,000!

The multisectoral committee against coronavirus in the DRC reports, in its daily bulletin of Monday, June 22, 102 new confirmed cases of the pandemic, including 84 in Kinshasa, 15 in Kongo Central and 3 in Tshopo.
With these new cases, the DRC has exceeded 6,000 infections since the beginning of the disease on March 10.
The response committee's bulletin says no new deaths have been recorded and 5 people were declared cured on that same Monday. The totals are 135 deaths (one probable) and 861 cured.
The 12 provinces affected are: Kinshasa (with a lot of cases, up to 5,000), Kongo Central (285 cases), Haut-Katanga (183 cases), South Kivu (108 cases), North Kivu (65 cases), Tshopo (6 cases), Kwilu (3 cases), Ituri (2 cases), High (1 case), Haut-Lomami (1 case), Haut-Uele (1 case) and Equateur (1 case).

Another Congolese sentenced to 3 years of hard labor as police hunt for Jeannot Muhima, who escaped from a clinic where he was receiving treatment; he had been sentenced earlier on Saturday

Jeannot Muhima, one of the convicts of the 100-day trial, has escaped from the Ngaliema Clinic and is wanted by the national police.
Jeannot Muhima escaped from the Ngaliema Clinic, where he had been admitted yesterday for a faked heart problem; a warrant was issued for his immediate arrest. With this escape, Jeannot Muhima has just complicated the appeal against the 20-year sentence of his friend Vital Kamerhe.

In its judgment delivered this Tuesday, June 23, 2020, the Court of Appeal of Kinshasa/Gombe sentenced the directors-general of the National Road Maintenance Fund (FONER), Fulgence Bamaros, and of the Office of Roads and Drainage (OVD), Benjamin Wenga, to 3 years of forced labor over $12,500,000 for road works in the cities of Goma and Bukavu, in the so-called "100-day" trial.
The Director General of the Congolese Construction Company (SOCOC), Modeste Makabuza, was given one year of forced labor on the same charge.
All the convicts are deprived of the right to vote and the right to stand for election for 5 years after serving their sentence.
They are ordered to pay the equivalent in Congolese francs of $10 million in damages to the Democratic Republic of the Congo.