HAQ.NEWS

// Jared Folkins

# Latest Podcast

# Description

Analyze and understand various cyber techniques including LOLSpoof for hiding commands, KrustyLoader for sneaking backdoors, tools for cracking passwords using GDB, BucketLoot for detecting data leaks, TeleTracker for disrupting Telegram channels, and methods for network control with SSH-botnet.

# Tradecraft

[#] LOLSpoof is an interactive tool that conceals malicious command line activity by generating a benign-looking process command line to evade detection by security systems.
https://github.com/itaymigdal/LOLSpoof
[#] A critical analysis of the Rust-based malware known as KrustyLoader reveals its function to download and execute a Sliver backdoor after passing built-in security checks, complete with a Python script for URL extraction and a Yara rule for detection, linked to Ivanti Connect Secure VPN vulnerabilities CVE-2024-21887 and CVE-2023-46805.
https://www.synacktiv.com/publications/krustyloader-rust-malware-linked-to-ivanti-connectsecure-compromises.html
[#] A tutorial on how to use GDB and analyze x86 assembly to find passwords in crackme challenges, with step-by-step instructions on setting breakpoints, examining memory, and understanding control flow to solve the tasks.
https://tc.gts3.org/cs6265/tut/tut01-warmup1.html
[#] BucketLoot is an automated inspector for S3-compatible storage buckets that can detect secret exposures, search for sensitive data using custom keywords or regexes, and extract useful assets, with capabilities for scanning publicly-exposed files and flagging accidental leaks in various cloud platforms without needing initial API tokens or access keys.
http://www.kitploit.com/2024/01/bucketloot-automated-s3-compatible.html
[#] TeleTracker is a set of Python scripts for analyzing and interfering with Telegram channels used for malicious command and control operations, providing features for message monitoring, media downloading, and disruptive spamming, with recent updates including media type expansion and improved message retrieval.
https://github.com/tsale/TeleTracker
[#] A Python automation tool called SSH-botnet can scan a network for SSH servers and add them to a botnet, intended for mass management and control within environments such as educational labs with uniform login credentials.
https://github.com/G0uth4m/SSH-botnet
[#] An XML External Entity (XXE) vulnerability in an application was discovered, allowing for server-side request forgery and error-based data exfiltration using manipulated XML schema files which cause the server to display sensitive information in its logs.
https://infosecwriteups.com/xml-external-entity-injection-with-error-based-data-exfiltration-985b063ec820
[#] Protect AI has released 'ai-exploits,' a Docker-friendly repository containing Metasploit modules, Nuclei templates, and CSRF templates for responsibly disclosed vulnerabilities in AI/ML infrastructure to educate the infosec community on real-world attacks and defenses.
https://securityonline.info/ai-exploits-a-collection-of-real-world-ai-ml-exploits-for-responsibly-disclosed-vulnerabilities/
[#] A threat actor exploited an exposed Remote Desktop Protocol host with valid credentials, disabled defenses, exfiltrated data using Rclone to Mega.io, and deployed Trigona ransomware, affecting the entire network within 3 hours.
https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/
[#] The GitHub repository 'JS_waybackurls' by @Securi3yTalent is a JavaScript tool for retrieving known URLs for a domain from the Wayback Machine, requiring Node.js and the installation of dependencies to execute.
https://github.com/securi3ytalent/JS_waybackurls
[#] The analysis details a comprehensive breakdown of the Stealc information stealer's functionality, including malware analysis, evasion techniques, data exfiltration processes, and remediation strategies.
https://farghlymal.github.io/Stealc-Stealer-Analysis/

# News

[#] To secure a network, continuously monitor system logs, implement encryption, enforce strict access controls, and educate users on security best practices.
https://www.bleepingcomputer.com/news/security/fbi-tech-support-scams-now-use-couriers-to-collect-victims-money/
[#] Microsoft patched a vulnerability in Outlook identified as CVE-2023-35636, which allowed attackers to steal NTLM v2 hashed passwords by convincing a user to open a malicious file, with further risk remaining from unpatched attack methods through Windows Performance Analyzer and File Explorer.
https://thehackernews.com/2024/01/researchers-uncover-outlook.html
[#] Recent cyber incidents include APT29 attacking Microsoft and HPE, LockBit hitting a Wall Street firm, Ukrainian entities facing disruptions by hacktivists, 23andMe suffering a credential stuffing breach, Russian research compromised by Ukrainian hackers, with Apple and Jenkins addressing critical vulnerabilities, and QR-code phishing attacks on the rise.
https://research.checkpoint.com/2024/29th-january-threat-intelligence-report/
[#] Ofuji Fishing Tackles in Japan reported a data breach affecting 200,000 customers due to ransomware encrypting data on their servers after attackers exploited their VPN setup, and the company is now enhancing security measures and cooperating with authorities.
https://securityonline.info/data-breach-at-ofuji-fishing-200000-customers-information-compromised/
[#] Researchers at Pwn2Own Tokyo exposed 49 new zero-day vulnerabilities in automotive tech, including high-reward exploits in Tesla vehicles and EV chargers, while Cisco, Apple, and other tech firms issued patches for critical security flaws ranging from CVSS scores of 8.0 to 10.0, necessitating immediate updates.
https://go.theregister.com/feed/www.theregister.com/2024/01/29/infosec_news_roundup_in_brief/
[#] The Kansas City Area Transportation Authority experienced a ransomware attack on January 23 which disrupted communication systems, and Medusa ransomware operators are demanding $2 million within a 10-day deadline.
https://www.bleepingcomputer.com/news/security/kansas-city-public-transportation-authority-hit-by-ransomware/
[#] Microsoft Edge patched multiple security flaws, including a high-severity one-click vulnerability (CVE-2024-21326, CVSS 9.6), urging users to update their browsers to avoid potential full compromises.
https://securityonline.info/cve-2024-21326-cvss-9-6-one-click-could-compromise-microsoft-edge/
[#] A severe race condition flaw in the Linux kernel's IPv6 stack, CVE-2023-6200, allowing code execution, can be mitigated by updating to kernel version 6.7-rc7 or by disabling the IPv6 'accept_ra' parameter.
https://securityonline.info/critical-alert-cve-2023-6200-exploits-linux-kernel-with-code-execution-risk/
[#] Microsoft is investigating a connectivity issue that has been preventing Outlook and other email clients from connecting to Outlook.com accounts since January 23rd and advises users to access their email via the web until a fix is provided.
https://www.bleepingcomputer.com/news/microsoft/microsoft-says-outlook-apps-cant-connect-to-outlookcom/
[#] The incidence of ransomware victims paying demands has plummeted to 29% in late 2023 due to organizations' improved security measures, distrust of cybercriminals, and legal sanctions against paying ransoms in certain locales, with average payment amounts also decreasing significantly.
https://www.bleepingcomputer.com/news/security/ransomware-payments-drop-to-record-low-as-victims-refuse-to-pay/
[#] Cybersecurity researchers have discovered several malicious packages on PyPI, which distribute the WhiteSnake information stealing malware targeting Windows, and incorporate clipper functionality to hijack crypto transactions.
https://thehackernews.com/2024/01/malicious-pypi-packages-slip-whitesnake.html
[#] Italy's data protection authority, Garante, has found OpenAI's ChatGPT in violation of EU data privacy laws and has given the company 30 days to respond to its findings; meanwhile, OpenAI contends that its practices comply with these regulations.
https://packetstormsecurity.com/news/view/35456/OpenAIs-ChatGPT-Breaches-Privacy-Rules-Says-Italian-Watchdog.html
[#] Cybersecurity researchers have uncovered a new Phobos ransomware variant called Faust, which delivers malware using an infected Excel document and practises fileless attack techniques for encryption; alongside this, several new ransomware groups have emerged using languages like Rust and Golang for cross-platform attacks, while ransomware payment rates have decreased, with victims less frequently choosing to pay the ransom.
https://thehackernews.com/2024/01/albabat-kasseika-kuiper-new-ransomware.html
[#] CloudSEK uncovers a data breach involving 750 million Indian mobile subscribers, with personal details for sale on the dark web, while Terraform Labs files for bankruptcy amidst ongoing legal challenges and India announces plans for a supercomputing hub to enhance AI capabilities.
https://go.theregister.com/feed/www.theregister.com/2024/01/28/asia_tech_news_roundup/
[#] Telegram's dark markets have become a hotbed for modern phishing scams, and it appears that no immediate action is being taken by the platform to address this issue.
https://www.reddit.com/r/netsec/comments/1adxdkx/scammers_paradise_exploring_telegrams_dark/
[#] The NSA has acknowledged purchasing American internet browsing records from data brokers without warrants, despite privacy concerns, leading to Senator Wyden urging legal reforms to prevent intelligence agencies from buying data that hasn't been lawfully obtained.
https://thehackernews.com/2024/01/nsa-admits-secretly-buying-your.html
[#] The Lazarus Group continues to escalate their cyber threats on financial entities, utilizing spear-phishing and zero-day exploits, necessitating increased cybersecurity measures and vigilance from organizations.
https://securityonline.info/from-spear-phishing-to-zero-day-lazarus-groups-latest-cyber-strategies/
[#] Trigona Ransomware was analyzed after an attack on Christmas Eve, with significant details and response strategies reported within three hours on TheDFIRReport.
https://www.reddit.com/r/netsec/comments/1adwlas/buzzing_on_christmas_eve_trigona_ransomware_in_3/
[#] A vulnerability in Google Kubernetes Engine can potentially lead to cluster compromises, necessitating prompt security reviews and updates by admins.
https://www.reddit.com/r/netsec/comments/1adycun/sysall_how_a_simple_loophole_in_google_kubernetes/

# F.A.Q

Problem

Many websites are using AI/ML to create clickbait which actually doesn't have any valuable content.

Value

I use AI to de-clickbait the clickbait by allowing AI to read my news for me. Then it creates a meaningful tl;dr of the articles of interest, which helps me discern what I should read. It is saving me a ton of time.

Why

FWIW HAQ.NEWS really started out as my personal news feed, enriched by AI, and converted into something quick and easy to read. But then I started getting requests for features like RSS, Gracie got involved, and with the super-power of AI things have taken on a life of their own.

Sharing

I currently post daily infosec news to X, LinkedIn, Mastodon and RSS.

I also post daily infosec podcasts and interviews to Apple Podcasts and Spotify.

Ads

This isn't an ad.

current friend of haq 2024-01-30

I want to encourage people and projects that impress me, by posting a banner linking their work, as it's my desire to help others. I do not take or make any money.

Thanks,
Jared Folkins