HAQ.NEWS

// Jared Folkins

# Latest Podcast

Description

Windows Exploit Suggester-NG checks for unpatched vulnerabilities, with an updatable database. New executables like CVE-2023-28252 allow payload delivery on Windows. Vulhub offers Docker environments for testing, while tools like Fuzzable automate fuzzing target identification. Midnight Blizzard attacks highlight the importance of regular updates and strong authentication.

Tradecraft

[#] The Windows Exploit Suggester - Next Generation (WES-NG) is a Python-based tool that uses Windows system information to identify unpatched vulnerabilities and is kept current via a database that can be updated with recent exploit and patch data.
https://github.com/bitsadmin/wesng
[#] A modified version of the Fortra's CVE-2023-28252 exploit has been released, compiled as an executable which targets specific Windows OS versions and allows for the execution of a payload binary, presented with a disclaimer for ethical use only.
https://github.com/duck-sec/CVE-2023-28252-Compiled-exe
[#] Duck-sec has released a modified version of Fortra's CVE-2023-28252 exploit, now compiled as an executable, facilitating privilege escalation on various Windows operating systems by allowing a binary to be executed as an argument.
https://github.com/duck-sec/CVE-2023-28252-Compiled-exe
[#] The repository details methods for exploiting various vulnerabilities in Jenkins servers to execute remote code, bypass authentication, and extract sensitive information, including scripts and techniques for gaining unauthorized access or control.
https://github.com/gquere/pwn_jenkins
[#] Fortra introduces the Mutator Kit, a tool utilizing LLVM for runtime mutation of Cobalt Strike's sleep mask to evade static YARA signature detection.
https://www.cobaltstrike.com/blog/introducing-the-mutator-kit-creating-object-file-monstrosities-with-sleep-mask-and-llvm
[#] The GitHub repository binganao/CVE-2024-23897 includes a Python-based proof of concept (POC) script that demonstrates exploitation of CVE-2024-23897, and suggests users run it against a local server to check whether it is affected.
https://github.com/binganao/CVE-2024-23897
[#] A tool for scanning and exploiting Docker Remote APIs has been released, including features such as mass scanning, interactive mode, and output generation for educational and security research purposes.
https://securityonline.info/dockerexploit-docker-remote-api-scanner-and-exploit/
[#] The Government CSIRT of Chile has developed a manual to guide public services in effectively implementing SPF, DKIM, and DMARC email authentication policies to safeguard against identity spoofing and phishing attacks.
https://blog.segu-info.com.ar/2024/01/manual-de-implementacion-spf-dkim-y.html
[#] SCCMHunter is a tool designed for cyber security professionals to identify and exploit vulnerabilities in System Center Configuration Manager (SCCM) environments, enabling LDAP queries, SMB enumeration, web service enrolment, MSSQL attacks, and post-exploitation activities through an AdminService API.
https://github.com/garrettfoster13/sccmhunter
[#] A Python script is available that exploits CVE-2024-0204, allowing the creation of a new admin account in GoAnywhere MFT by bypassing authentication.
https://github.com/horizon3ai/CVE-2024-0204
[#] Merkle's work explains cryptographic protocols that secure communications, while Ralph Merkle's writings emphasize the need for strong, quantum-resistant encryption algorithms to protect data against emerging threats.
https://www.bleepingcomputer.com/news/security/pwn2own-automotive-13m-for-49-zero-days-tesla-hacked-twice/
[#] Vulhub is a collection of Dockerized environments pre-configured with software vulnerabilities, intended for cybersecurity testing and learning, accessible through simple Docker commands without needing prior Docker experience.
https://github.com/vulhub/vulhub
[#] V2Ray, under the v2fly organization on GitHub, is an open-source platform designed to build proxy tools that help bypass network restrictions and secure privacy, with the latest release being v5.12.1 as of November 24, 2023.
https://github.com/v2fly/v2ray-core
[#] Fuzzable is a framework designed to automate the identification of potential fuzzing targets in software by applying static analysis heuristics to source code and binaries, and it provides capabilities for harness generation to aid in vulnerability assessments.
https://github.com/ex0dus-0x/fuzzable
[#] Ligolo-ng is a sophisticated yet straightforward tool that creates a networking stack in userland for efficient tunneling and pivoting without requiring high privileges, capable of multiplexing for performance and supporting multiple protocols.
http://www.kitploit.com/2024/01/ligolo-ng-advanced-yet-simple.html
[#] The post details various methods and tools for abusing NTLM authentication in Windows, outlining attack flows and commands for techniques like Pass-the-Hash, Pass-the-Ticket, HTTP Relay, and Brute-Force Attacks, with associated tools like Mimikatz, Impacket, and Hashcat.
https://redteamrecipe.com/ntlm-abuse-methods/
[#] The post outlines how to use CyberChef to decrypt configuration settings of AsyncRAT, a remote access trojan, providing a method for security analysts to examine and neutralize potential threats.
https://www.reddit.com/r/netsec/comments/1abgudj/asyncrat_config_decryption_using_cyberchef_recipe/
[#] The repository h4x0r-dz/CVE-2024-23897 contains a Python script to exploit a Jenkins vulnerability allowing arbitrary file reads with potential for remote code execution when provided a list of hosts and a target file path.
https://github.com/h4x0r-dz/CVE-2024-23897/
[#] The "browsersec - Part1.wiki" document is a resource detailing security considerations and practices for web browser environments, emphasizing the importance of understanding and implementing features like same-origin policies, content security policies, and secure coding to mitigate potential vulnerabilities.
https://code.google.com/archive/p/browsersec/wikis/Part1.wiki
[#] The post explains how to find and exploit server-side request forgery vulnerabilities in PDF generators by identifying injection points and leveraging cloud service metadata, outdated components, and internal network access to obtain sensitive information or system control.
https://www.blackhillsinfosec.com/hunting-for-ssrf-bugs-in-pdf-generators/
[#] A repository called 'firewall-bypass' on GitHub presents a method for downloading data from the internet by injecting shellcode into another process that has an internet connection, which can circumvent rules set by firewalls.
https://github.com/redeflesq/firewall-bypass
[#] SOAPHound is a .NET tool for extracting Active Directory data via the ADWS protocol, offering an alternative to LDAP-based methods by wrapping queries in SOAP messages for reduced detection.
https://github.com/FalconForceTeam/SOAPHound
[#] A Windows batch file with encoded payloads utilizes comments to hide malicious PowerShell commands, which are sorted and executed to decrypt and launch further payloads, eventually connecting to a command and control server via a non-HTTPS TCP/443 connection.
https://isc.sans.edu/diary/rss/30592
[#] The article details a method for extracting and decrypting stored passwords from Chromium-based browsers, involving retrieving the AES-encrypted master key, decrypting it with Windows API, and using AES-GCM to decrypt the password data from a SQLite database.
https://0x00sec.org/t/malware-development-1-password-stealers-chrome/33571

News

[#] Microsoft has alerted that the Russia-linked APT group Midnight Blizzard, known for the SolarWinds breach, has been conducting a wide-reaching cyberespionage campaign, infiltrating entities including Hewlett Packard Enterprise by exploiting Exchange Web Services and OAuth applications, while utilizing residential proxies to mask their activities.
https://securityaffairs.com/158164/apt/midnight-blizzard-apt-cyberespionage.html
[#] U.S. Senator Ron Wyden has disclosed that the National Security Agency purchases Americans' internet records without consent, violating privacy laws, and is urging the Director of National Intelligence to direct agencies to cease these purchases, comply with FTC standards, inventory and purge unlawfully acquired data, and inform the public and Congress in cases where data retention is necessary.
https://www.darkreading.com/cyber-risk/wyden-releases-documents-confirming-the-nsa-buys-americans-internet-browsing-records
[#] The integration of large language models (LLMs) into everyday interactions risks blurring the line between human and AI communication, potentially leading to shifts in social conduct and increases in isolation and distrust among individuals.
https://www.schneier.com/blog/archives/2024/01/chatbots-and-human-conversation.html
[#] AllaKore RAT, originally an open-source Delphi-written tool, has been repurposed to conduct financial fraud against Mexican banks and crypto trading platforms, deploying specifically crafted malware to steal banking credentials and requiring robust cybersecurity defenses to counteract persistent, regionally targeted cyber threats.
https://securityonline.info/allakore-rat-the-trojan-horse-targeting-mexicos-financial-titans/
[#] A cyberespionage group named Blackwood is utilizing an evolved form of NSPX30 backdoor malware, dating back to 2005, to conduct spying operations that intercept and repurpose legitimate software update requests, affecting targets in China, Japan, and the UK.
https://www.hackread.com/china-blackwood-apt-nspx30-backdoor-cyberespionage/
[#] Horizon3.ai reports on various cybersecurity threats including a pre-authentication remote code execution in Mirth Connect (CVE-2023-43208) and an authentication bypass in Fortra's GoAnywhere MFT product (CVE-2024-0204), recommending users promptly patch affected systems to mitigate these vulnerabilities.
https://www.horizon3.ai/cve-2024-0204-fortra-goanywhere-mft-authentication-bypass-deep-dive
[#] The Akira ransomware group claims to have stolen 110 GB of data from cosmetics company Lush, including personal staff documents like passport scans, with no customer data known to be compromised, while cybersecurity experts recommend urgent patching and multifactor authentication to defend against such threats.
https://go.theregister.com/feed/www.theregister.com/2024/01/26/akira_lush_ransomware/
[#] Chinese-speaking individuals are being targeted by a malvertising campaign using Google ads for fake messaging apps, deploying Remote Administration Trojans like PlugX and Gh0st RAT, while a phishing-as-a-service platform called Greatness aids attacks on Microsoft 365 users, with recommendations for vigilant email scrutiny and secure browsing practices.
https://thehackernews.com/2024/01/malicious-ads-on-google-target-chinese.html
[#] Trickbot malware developer Vladimir Dunaev was sentenced to over five years in prison for his role in a cybercrime spree involving ransomware attacks on American hospitals and businesses, causing millions in financial damage.
https://go.theregister.com/feed/www.theregister.com/2024/01/25/trickbot_malware_dev_sentenced/
[#] GitLab has issued urgent security updates to mitigate a critical vulnerability (CVE-2024-0402) which could allow authenticated users to write to arbitrary server locations, and users should update to versions 16.5.8, 16.6.6, 16.7.4, or 16.8.1 to prevent exploitation.
https://securityonline.info/cve-2024-0402-gitlab-releases-urgent-security-patches-for-critical-vulnerability/
[#] A critical GitLab vulnerability (CVE-2023-7028) allowing account takeover via unauthorized password reset links affected over 5,300 servers, and users are advised to patch their systems and enable two-factor authentication to mitigate the risk.
https://packetstormsecurity.com/news/view/35452/5.3k-Servers-Still-Vulnerable-To-GitLab-Password-Reset-Flaw.html
[#] Microsoft's recent encounter with Midnight Blizzard, a sophisticated cyberattack by state-sponsored actors, highlights the strategic use of OAuth apps to infiltrate corporate email systems and evade detection, leading to Microsoft issuing new guidance on how to mitigate such risks through careful auditing of privileged identities and implementation of anomaly detection policies.
https://www.darkreading.com/cyberattacks-data-breaches/microsoft-shares-new-guidance-in-wake-of-midnight-blizzard-cyberattack
[#] Genetic service 23andMe suffered a data breach due to credential stuffing, exposing health reports and raw genotype data for months, and they have implemented mandatory two-factor authentication as a countermeasure.
https://www.bleepingcomputer.com/news/security/23andme-data-breach-hackers-stole-raw-genotype-data-health-reports/
[#] A critical remote code execution vulnerability, CVE-2023-40547, affecting Linux bootloaders through an issue in Shim, which wrongly trusts HTTP response values for buffer sizes, has been patched in Shim version 15.8, addressing a decade's worth of potential exploits.
https://securityonline.info/cve-2023-40547-the-critical-shim-flaw-compromising-linux-bootloaders/
[#] Synacktiv Team earned $135,000 by demonstrating successful hacks against Tesla's infotainment system and Automotive Grade Linux OS during day 2 of Pwn2Own Automotive 2024, contributing to the total prize money of over $1.1 million for 48 zero-days found in the competition.
https://securityaffairs.com/158141/hacking/pwn2own-automotive-2024-day-two.html
[#] Biotech company 23andMe experienced a data breach from April to September 2023, due to credential stuffing, exposing 6.9 million users' data, which was only detected following a Reddit post, and could have been mitigated by implementing two-factor or multi-factor authentication sooner.
https://go.theregister.com/feed/www.theregister.com/2024/01/26/23_and_me_breach_filing/
[#] Cisco has patched a critical vulnerability (CVE-2024-20253, CVSS 9.9) affecting multiple Unified Communications and Contact Center Solutions products, allowing remote unauthenticated attackers to execute arbitrary code and potentially gain root access, with users urged to apply updates or implement access control lists as a mitigation strategy.
https://thehackernews.com/2024/01/critical-cisco-flaw-lets-hackers.html
[#] Ukrainian hacktivists reportedly breached Russia's "Planeta" research center, linked to Roscosmos, wiping 2 petabytes of data and disrupting operations with an estimated damage cost of $10 million.
https://www.bleepingcomputer.com/news/security/ukraine-hack-wiped-2-petabytes-of-data-from-russian-research-center/
[#] Hewlett Packard Enterprise and Microsoft email systems were infiltrated by the Cozy Bear hacking group, associated with Russian intelligence, leading to covert monitoring and data extraction, prompting immediate investigation, containment, and eradication of the threat by the companies' cybersecurity teams.
https://packetstormsecurity.com/news/view/35453/The-Life-And-Times-Of-Cozy-Bear-The-Russian-Hackers-Who-Just-Hit-Microsoft-And-HPE.html
[#] HP defends its Dynamic Security feature which restricts third-party ink cartridges to prevent potential malware threats, despite facing legal action and skepticism from cybersecurity experts regarding the likelihood of such attacks.
https://www.hackread.com/hp-ink-cartridge-monopoly-3rd-party-malware/
[#] Pegasus spyware, developed by NSO Group, compromised mobile devices of several Togolese journalists, allowing unauthorized access to personal data without user interaction, as documented by Reporters Without Borders with incidents occurring from February to October 2021.
https://www.darkreading.com/endpoint-security/pegasus-spyware-togolese-journalists-mobile-devices

# F.A.Q

Problem

Many websites are using AI/ML to create clickbait which actually doesn't have any valuable content.

Value

I use AI to de-clickbait the clickbait by allowing AI to read my news for me. Then it creates a meaningful tldr; regarding the articles of interest which helps discern what I should read. It is saving me a ton of time.

Why

FWIW HAQ.NEWS really started out as my personal news feed, enriched by AI, and converted into something quick and easy to read. But then I started getting requests for features like RSS, Gracie got involved, and with the super-power of AI things have taken on a life of their own.

Sharing

I currently post daily infosec news to X, LinkedIn, Mastodon and RSS.

I also post daily infosec podcasts and interviews to Apple Podcasts and Spotify.

Ads

This isn't an Ad.

Current friend of HAQ, 2024-01-27

I want to encourage people and projects that impress me, by posting a banner linking their work, as it's my desire to help others. I do not take or make any money.

Thanks,
Jared Folkins