HAQ.NEWS

// Jared Folkins

# Latest Podcast

# Description

Deploy ulexecve to execute ELF binaries in Linux userland for discreet operations. Soroush Dalili offers insightful methods for exploiting IIS Short File Name issues. Learn how custom EDR systems detect malicious activities, as demonstrated by SensePost's practical example. Use DIFFER by Trail of Bits to spot bugs in modified software. ADOKit targets Azure DevOps Services, offering reconnaissance and escalation capabilities. Stompy adjusts file MAC times, aiding in forensic countermeasures. Analyze Apache OFBiz vulnerabilities to understand authentication bypasses and implement recommended patches.

# Tradecraft

[#] ulexecve is a Python tool for executing ELF binaries in Linux userland without writing to storage, aiding in anti-forensics and red-teaming by running binaries from memory.
https://github.com/anvilsecure/ulexecve
[#] Soroush Dalili reviews the IIS Short File Name disclosure issue's background and provides updated detection and exploitation methods, including manual and automated tools for uncovering sensitive files on IIS servers.
https://soroush.me/blog/2023/07/thirteen-years-on-advancing-the-understanding-of-iis-short-file-name-sfn-disclosure/
[#] This post explains the architecture of Endpoint Detection and Response (EDR) systems by building a custom EDR. It shows how such systems detect and respond to malicious activity by monitoring system calls and using kernel callbacks to dynamically analyze executables and process creations, and includes a practical example that recognizes and terminates attempts at remote shellcode injection.
https://sensepost.com/blog/2024/sensecon-23-from-windows-drivers-to-an-almost-fully-working-edr/
[#] Trail of Bits has released DIFFER, a differential testing tool that identifies bugs in programs altered by software rewriting, debloating, or hardening by comparing their behavior against the original versions.
https://blog.trailofbits.com/2024/01/31/introducing-differ-a-new-tool-for-testing-and-validating-transformed-programs/
[#] ADOKit is a modular attack toolkit designed to target Azure DevOps Services through its REST API, enabling reconnaissance, privilege escalation, and persistence, with feature expansions encouraged from the security community.
https://securityonline.info/adokit-azure-devops-services-attack-toolkit/
[#] Stompy is a PowerShell function for modifying the MAC (Modification, Access, Creation) times of files and directories, with options for recursion, specific timestamps, and credential usage for restricted files, also available in C#, Python, and Go versions.
http://www.kitploit.com/2024/01/stompy-timestomp-tool-to-flatten-mac.html
[#] A security lab presented a detailed analysis of vulnerabilities in Apache OFBiz, touching on authentication bypasses linked to remote code execution, complete with technical steps for testing, debugging, and recommended patches to effectively mitigate the underlying issues.
https://blog.securelayer7.net/ofbiz-authentication-bypass-cve-2023-51467/
[#] Faction is a new open-source tool created by Josh Summitt to streamline the report-generation process of pentesting, featuring automation, real-time collaboration, and an extensible design with an upcoming app store for further enhancements.
https://github.com/factionsecurity/faction
[#] Cyber security practices involve identifying vulnerabilities in computer systems and networks, and implementing measures to protect against hacks and data breaches, often using tools like firewalls, antivirus software, and encryption.
https://www.bleepingcomputer.com/news/security/us-charges-two-more-suspects-with-draftking-account-hacks/
[#] CyberArk introduces an online version of the 'White Phoenix' decryptor to help victims recover files from ransomware using intermittent encryption without needing technical skills to use its original Python code on GitHub.
https://www.bleepingcomputer.com/news/security/online-ransomware-decryptor-helps-recover-partially-encrypted-files/
[#] Ghidra 11.0.1 has been released; the linked page is its What's New notes.
https://htmlpreview.github.io/?https://github.com/NationalSecurityAgency/ghidra/blob/Ghidra_11.0.1_build/Ghidra/Configurations/Public_Release/src/global/docs/WhatsNew.html
[#] The article details methods to disrupt the Windows EventLog service to prevent logging, including thread tampering using Invoke-Phant0m, patching with Mimikatz, and tricking the system with a MiniNT registry key addition, compromising log integrity for forensic analysis.
https://svch0st.medium.com/event-log-tampering-part-1-disrupting-the-eventlog-service-8d4b7d67335c
[#] An OPSEC-for-OSINT GitHub discussion has been initiated for sharing knowledge on OSINT techniques, privacy countermeasures, and ethical considerations with an emphasis on community contribution and personalized guidance.
https://github.com/AmazoniaLeaksOficial/OPSEC-for-OSINT/discussions/1

# News

[#] A publicly released exploit for a local privilege elevation flaw, tracked as CVE-2023-45779, affects several Android OEMs, and users should update to the Android security patch level 2023-12-05 to protect their devices.
https://www.bleepingcomputer.com/news/security/exploit-released-for-android-local-elevation-flaw-impacting-7-oems/
[#] The FBI disrupted the Volt Typhoon botnet, which exploited outdated routers to target US infrastructure, by remotely wiping the malware and advising manufacturers to fix SOHO router vulnerabilities.
https://go.theregister.com/feed/www.theregister.com/2024/01/31/volt_typhoon_botnet/
[#] A Mercedes-Benz employee inadvertently leaked a critical GitHub token, granting access to the company's private source code repositories and potentially exposing sensitive internal information, until the token was revoked following its detection by RedHunt Labs.
https://packetstormsecurity.com/news/view/35468/Leaked-GitHub-Token-Exposed-Mercedes-Source-Code.html
[#] A code security audit of the Tor anonymity network revealed 17 vulnerabilities ranging from low to high risk, with the most severe being a CSRF flaw in the Onion Bandwidth Scanner that could allow attackers to insert controlled IPs into the network.
https://packetstormsecurity.com/news/view/35472/Tor-Code-Audit-Finds-17-Vulnerabilities.html
[#] A critical vulnerability identified as CVE-2024-1019 in ModSecurity versions 3.0.0 to 3.0.11 allows attackers to bypass the Web Application Firewall by exploiting URL decoding issues; the remedy is to upgrade to version 3.0.12, where this issue is resolved.
https://securityonline.info/cve-2024-1019-exposing-modsecuritys-critical-waf-bypass-flaw/
[#] Security firm Mandiant uncovered a sophisticated malware campaign that used Ars Technica user profiles and Vimeo video descriptions to encode payload data for infected devices, relying on a novel obfuscation technique to avoid detection while executing a multi-stage attack; it was mitigated by restricting profile viewing to logged-in users only.
https://packetstormsecurity.com/news/view/35471/Ars-Technica-Used-In-Malware-Campaign-With-Never-Before-Seen-Obfuscation.html
[#] Timex Group announced a data breach affecting 3,085 individuals, exposing their names and Social Security numbers, with the company providing free credit monitoring and executing enhanced security measures post-incident.
https://packetstormsecurity.com/news/view/35470/Timex-Breach-Leaks-Employee-Social-Security-Numbers.html
[#] The U.S. Treasury has sanctioned two Egyptian nationals for assisting ISIS in cybersecurity endeavors, emphasizing the critical role of disrupting terrorist financing and online infrastructure.
https://www.hackread.com/u-s-treasury-sanctions-isis-cybersecurity-experts/
[#] CISA, with FBI collaboration, has issued guidelines urging SOHO router manufacturers to enhance security to defend against hijacking efforts by the Chinese hacking group Volt Typhoon, emphasizing the necessity of incorporating security in design, automating updates, and securing web management interfaces.
https://www.bleepingcomputer.com/news/security/cisa-vendors-must-secure-soho-routers-against-volt-typhoon-attacks/
[#] Schneider Electric's Sustainability Business division suffered a Cactus ransomware attack on January 17, 2024, impacting the EcoStruxure Resource Advisor platform, with ongoing restoration and customer notifications as they work to mitigate the breach.
https://www.hackread.com/schneider-electric-cactus-ransomware-attack/
[#] Security researchers at TrueSec have linked the Akira ransomware group to attacks exploiting an unpatched Cisco vulnerability CVE-2020-3259 in AnyConnect SSL VPN, advising organizations to check patch dates, reset passwords, and enable MFA.
https://go.theregister.com/feed/www.theregister.com/2024/01/31/cisco_vuln_akira_attacks/
[#] CyberArk highlights Play ransomware's techniques and its frequent crashing due to a bug during encryption, suggesting updates and CyberArk tools as mitigation strategies.
https://www.cyberark.com/resources/threat-research-blog/ransomwares-playing-a-broken-game
[#] Moxa's ioLogik E1200 Series firmware prior to version 3.3 contains two security vulnerabilities, CSRF and compromised cryptographic integrity; users should contact Moxa Technical Support for a security patch and employ CISA-recommended mitigations, such as network isolation and VPNs with up-to-date security.
https://www.moxa.com/en/support/product-support/security-advisory/mpsa-235250-iologik-e1200-series-web-server-vulnerability
[#] FBI Director Christopher Wray has informed the House Select Committee on the Chinese Communist Party that Chinese hackers are actively targeting U.S. critical infrastructure, including water plants and energy sectors, hinting at a potential for significant disruptions if these cyber threats are realized.
https://edition.cnn.com/2024/01/31/politics/china-hacking-infrascture-fbi-director-christopher-wray/index.html
[#] Ivanti has alerted users of two significant vulnerabilities in its Connect Secure and Policy Secure solutions, identified as CVE-2024-21888 and CVE-2024-21893, with one being actively exploited, and recommends applying the "mitigation.release.20240126.5.xml" file as an immediate workaround.
https://securityaffairs.com/158403/hacking/ivanti-actively-exploited-zero-day-cve-2024-21893.html
[#] Johnson Controls International faced a ransomware attack in September 2023, which resulted in a $27 million expense for the company and included a data breach with over 27 TB of data stolen by the Dark Angels cyber gang.
https://www.bleepingcomputer.com/news/security/johnson-controls-says-ransomware-attack-cost-27-million-data-stolen/
[#] Telegram's rise as a cybercrime hub enables individuals to launch sophisticated phishing campaigns cheaply, with an ecosystem of tools, tutorials, and stolen data readily available, challenging site owners to secure their platforms against misuse.
https://thehackernews.com/2024/01/telegram-marketplaces-fuel-phishing.html
[#] The Kasseika ransomware leverages a BYOVD strategy, deploying the Martini driver for defense evasion, and has indicators linking it to the BlackMatter ransomware source code, with recommendations to prevent attacks including restricting administrative rights, maintaining software updates, managing backups, practicing safe email and web habits, educating users on social engineering, and employing multilayered security solutions.
https://www.trendmicro.com/en_us/research/24/a/kasseika-ransomware-deploys-byovd-attacks-abuses-psexec-and-expl.html
[#] A new credential stuffing list called Naz.API, containing 104GB of data with over 70 million unique email addresses and nearly 100 million unique passwords, has been incorporated into the Have I Been Pwned service, advising users to implement password managers, create strong and unique passwords, and enable two-factor authentication to mitigate the risk.
https://www.troyhunt.com/inside-the-massive-naz-api-credential-stuffing-list/
[#] A threat actor known as UNC4990 is utilizing weaponized USB devices to spread cryptojacking malware across multiple industries in Italy, utilizing legitimate third-party websites for hosting malicious content while combining PowerShell and multiple programming languages for adaptable attack strategies.
https://thehackernews.com/2024/01/italian-businesses-hit-by-weaponized.html
[#] Trend Micro researchers report that APT group Pawn Storm, also known as APT28 and Forest Blizzard, continues its long-standing cyber espionage with phishing campaigns, credential harvesting, and exploiting the CVE-2023-23397 vulnerability in Outlook to initiate hash relay attacks, adapting tools and techniques to maintain stealth and compromise high-profile targets across various sectors.
https://securityonline.info/pawn-storm-apt-actor-a-persistent-cybersecurity-threat/
[#] JumpServer, an open-source Privileged Access Management system, encountered pre-auth RCE due to two vulnerabilities (CVE-2023-42820 and CVE-2023-42819) and an additional related issue (CVE-2023-46138). CVE-2023-42820 involved predictable password reset codes due to insecure random number generation, while CVE-2023-42819 allowed file operations across directories for authenticated users. Together, these vulnerabilities formed a severe security threat, highlighting the criticality of scrutinizing both internal and external code in ensuring application security.
https://sites.google.com/site/zhiniangpeng/blogs/Jumpserver?authuser=1
[#] Ivanti Connect Secure VPN has two zero-day vulnerabilities, CVE-2023-46805 and CVE-2024-21887, exploited by hackers to install KrustyLoader and drop the Sliver tool, with no patches yet but a temporary mitigation available.
https://thehackernews.com/2024/01/chinese-hackers-exploiting-critical-vpn.html
[#] Pawn Storm, identified as APT28 or Forest Blizzard, persists in implementing targeted brute-force attacks and sophisticated spear-phishing to compromise global government and industry entities, leveraging VPNs, compromised email, and recently, exploiting flaws like CVE-2023-23397 in Outlook and CVE-2023-38831 in WinRAR to conduct relay attacks for unauthorized access.
https://www.trendmicro.com/en_us/research/24/a/pawn-storm-uses-brute-force-and-stealth.html
[#] Schneider Electric's Sustainability division was hit by 'Cactus' ransomware, which exploited known Fortinet VPN vulnerabilities, but this breach was contained due to their network isolation, and they expect a full recovery by the end of the month.
https://www.darkreading.com/ics-ot-security/cactus-ransomware-schneider-electric-sustainability-division
[#] A new critical vulnerability, CVE-2023-6246, has been identified in the GNU C Library (glibc) affecting Linux distributions, allowing unprivileged users to gain root access, which calls for immediate patch application and system updates.
https://securityonline.info/root-access-risk-cve-2023-6246-exposes-critical-flaw-in-linuxs-glibc/
[#] Microsoft Teams' External Access feature has been manipulated for phishing via the DarkGate malware, urging users to scrutinize external messages and update security measures to protect digital communications.
https://securityonline.info/the-darkgate-deception-how-microsoft-teams-became-a-phishing-playground/
[#] Akamai SIRT discovered multiple critical vulnerabilities in Hitron DVRs allowing OS command injections via default admin credentials, and Hitron has responded by releasing updated firmware versions (≥ 4.03) to mitigate the risk.
https://securityonline.info/exploited-in-the-wild-the-alarming-hitron-dvr-vulnerabilities/
[#] UNC4990 is a cyber threat group utilizing USB devices to deploy malware such as EMPTYSPACE and QUIETBOARD, with recent activities involving sophisticated, modular attacks and payload hosting on popular websites, indicating a need for improved defenses against physical device vulnerabilities.
https://securityonline.info/unc4990-a-threat-actor-with-a-usb-trick-up-its-sleeve/

# F.A.Q

Problem

Many websites are using AI/ML to create clickbait which actually doesn't have any valuable content.

Value

I use AI to de-clickbait the clickbait by allowing AI to read my news for me. Then it creates a meaningful tldr; regarding the articles of interest which helps discern what I should read. It is saving me a ton of time.

Why

FWIW HAQ.NEWS really started out as my personal news feed, enriched by AI, and converted into something quick and easy to read. But then I started getting requests for features like RSS, Gracie got involved, and with the super-power of AI things have taken on a life of their own.

Sharing

I currently post daily infosec news to X, LinkedIn, Mastodon and RSS.

I also post daily infosec podcasts and interviews to Apple Podcasts and Spotify.

Ads

This isn't an Ad.

current friend of haq 2024-02-01

I want to encourage people and projects that impress me, by posting a banner linking their work, as it's my desire to help others. I do not take or make any money.

Thanks,
Jared Folkins