# Latest Podcast
# Description
Today, relay attack blocker, a code cracker called De4py, and a neat project reporter, PeCoReT. They found weak spots in Tenda routers and are studying a tricky RedLine Stealer malware. SmuggleFuzz spots sneaky web tricks, and Thinkst's Tokens catch phishers. Google's oss-fuzz-gen and Red Team Courses teach about computer safety, while DRAKVUF secretly checks for viruses. Synacktiv helps fight hackers, LEAKEY checks for secret leaks, and mydumbedr and CBMC help test and fix our computer guards. SSHimpanzee, CVE-2023-35636, and JS-Tap are awesome tools to protect our computers. We learn to stop sneaky attacks with OAuth tips, keep our 2FA apps safe, and use ExecIT and PurpleLab to practice protecting our computers!
# Tradecraft
- A demonstration of escalating privileges within an Active Directory environment using SMB-to-LDAP(S) relay attacks that exploit the "drop the MIC" vulnerability, alongside methods for prevention and detection.
- De4py is a comprehensive toolkit for reverse engineering Python code, offering features like deobfuscation for common obfuscators, code execution, string dumping, exit function removal, function retrieval, a Pyshell GUI for in-process coding, file analysis, and behavior monitoring to assist malware analysts in their work.
- PeCoReT is an open-source, customizable pentest reporting tool offering features like unlimited projects/users, template customization, a REST API for tool integration, and a focus on documentation over report writing.
- A security report details the process of identifying and exploiting a stack overflow vulnerability, CVE-2023-27021, in Tenda routers, and demonstrates using ROP techniques to achieve remote code execution despite NX protections.
- The article details the infection chain of RedLine Stealer malware, demonstrating how to analyze and decode its obfuscated scripts using CyberChef and PowerShell logging for better understanding and mitigation of this threat.
- SmuggleFuzz is a tool used to scan and detect vulnerabilities caused by HTTP/2-based protocol downgrades and request smuggling, offering detailed guidance on payload crafting with support for pseudo headers and detection methods adapted from HTTP/1 research.
- Thinkst introduced new CSS-based Cloned Website Tokens for detecting Adversary-in-the-Middle (AitM) phishing attacks, which can be deployed without JavaScript permissions and notify users when their site is being targeted.
- Google's "oss-fuzz-gen" repository on GitHub offers a framework for creating and assessing fuzz targets using Large Language Models (LLMs), achieving a coverage increase of up to 29% in code security testing across various open-source projects.
- DRAKVUF is a virtualization-based agentless system for black-box binary analysis, allowing for detailed execution tracing of binaries and operating systems within a VM without any footprint detectable by malware.
- Alexey Kolesnikov from Positive Technologies discussed at the AVAR 2023 conference the development of new plugins for the DRAKVUF open-source dynamic malware analysis system, enabling behavioral analysis of threats on Linux at the hypervisor level, without agent-based monitoring.
- Synacktiv, a company specializing in cybersecurity services such as penetration testing, incident response, and reverse engineering, has updated its website, and the linked page appears to be missing.
- LEAKEY is a customizable bash script for security professionals to validate and determine the impact of leaked API tokens and credentials found during penetration testing and engagements, with additional checks possible through a JSON-based signature file.
- This blog post details building a basic Endpoint Detection and Response (EDR) system to understand how these cybersecurity tools function: a Windows kernel driver that interacts with system callbacks, a user-space static analysis agent that analyzes binaries, and code injection techniques that place detection DLLs into processes.
- The GitHub repository sensepost/mydumbedr contains intentionally flawed code to simulate an Endpoint Detection and Response (EDR) system for the purpose of testing and improving bypass techniques.
- The blog post provides an overview of using the C Bounded Model Checker (CBMC) for automatically verifying C programs, highlighting its installation, usage with simple examples, and additional checks for common programming errors.
- Lexfo's SSHimpanzee provides an SSH-based implant that initiates a reverse connection to the attacker's server and offers multiple tunneling mechanisms, including DNS, ICMP, HTTP encapsulation, and proxy support, to maintain communication when direct connections are not feasible.
- An exploit for Microsoft Outlook CVE-2023-35636 allows an attacker to capture an NTLMv2 hash by manipulating calendar sharing; it is mitigated by patching as described in the provided link.
- An analysis of Ubuntu's wireless network stack reveals that beacon management frames with manipulated power values can be spoofed to induce client-side transmit power limitations, resulting in denial of service.
- JS-Tap is a tool designed to assist red teamers in attacking web applications by inserting a JavaScript payload that collects user data; it operates in either a transient "trap" or persistent "implant" mode and requires careful configuration for effective deployment.
- A research paper reveals security and privacy issues in popular 2FA apps due to flawed backup mechanisms, suggesting the need for improved encryption and third-party information sharing practices.
- PurpleLab is a virtual cybersecurity lab that enables users to set up a simulated environment for testing detection rules, analyzing logs, conducting malware analysis, and running MITRE ATT&CK techniques, with a comprehensive guide on installation and usage provided in the documentation.
# News
- Akamai's Security Intelligence Group reports a new FritzFrog botnet variant exploiting the 2021 Log4Shell vulnerability and CVE-2021-4034 for privilege escalation, recommending network segmentation and detection of common malware tactics as mitigation strategies.
- Daniel James Junk was sentenced to six years in prison for stealing millions in cryptocurrency through SIM swapping, and despite pleading guilty, continued his cybercrime activities.
- Ukraine's CERT-UA reports that PurpleFox malware, a modular botnet with self-hiding capabilities, has infected over 2000 systems; while removal is complex due to its rootkit component, isolating outdated systems and cleaning up via Avast Free AV or manual deletion from a LiveUSB are recommended.
- The Biden administration intends to veto legislation aimed at nullifying the SEC's mandate for public companies to report significant cyber incidents within four days, reasoning that transparency fosters better cybersecurity and economic security.
- The US Treasury has sanctioned three ISIS members for their roles in enhancing the group's cybersecurity capabilities and financial operations, including cryptocurrency use and media platform management.
- The LockBit ransomware group attacked a Chicago children's hospital, ignoring its nonprofit status and demanding an $800,000 ransom; the hospital's quick response kept patient care undisrupted, and it is cooperating with law enforcement investigations.
- Security researchers have uncovered a cryptojacking campaign named Commando Cat that uses exposed Docker APIs to deploy malware for stealing credentials, installing backdoors, and mining cryptocurrency.
- CISA has mandated all US federal agencies to disconnect Ivanti Connect Secure and Ivanti Policy Secure VPN appliances by February 2 due to active exploitation of vulnerabilities, with a recovery process including factory reset and patching before reconnection.
- Ecsypno has launched Codename SCNR, an advanced web application security scanner combining Dynamic Application Security Testing (DAST), Interactive Application Security Testing (IAST), and AI techniques, featuring CLI and web interfaces with Ruby API scripting and scalable enterprise options.
- TP-Link routers have a critical vulnerability known as CVE-2024-21833 with a CVSS score of 8.8, allowing attackers to execute arbitrary OS commands; users should update firmware to version 1.1.2 or later to mitigate the risk.
- Europcar has refuted claims of a data breach involving 50 million users, asserting that the alleged stolen data, which appeared to be artificially generated with inconsistent personal details and non-existent addresses, does not match its records.
- The Nitrogen campaign uses malicious search ads to distribute malware, notably via compromised WordPress sites hosting PHP shell scripts; the infection relies on DLL side-loading executed through Python and, if not intercepted, enables C2 communication and potential ransomware deployment, but it can be thwarted by blocking the malvertising infrastructure.
- Saxony police in Germany seized a record 50,000 Bitcoin from the operators of the defunct Movie2k.to piracy site, with a suspect voluntarily transferring the digital currency to state-controlled wallets.
- Cybercriminals leverage USB devices to initiate attacks by embedding PowerShell scripts that download malware from legitimate platforms like GitHub and Vimeo, camouflaged within normal site features; Mandiant has tracked this activity as UNC4990 since 2020, primarily targeting Italian users.
- Fulton County in Georgia is currently experiencing a cyberattack coupled with a power outage that has taken essential services offline, with no identified threat actor and an ongoing investigation.
- Elastic Security Labs reported that the financial sector experienced a sophisticated cyber attack named REF0657, using advanced techniques like Cobalt Strike deployment through sideloading and stealthy data exfiltration via the Mega service, necessitating heightened defensive measures against evolving cyber threats.
- The WordPress 6.4.3 security update fixes a PHP file upload flaw and a Remote Code Execution (RCE) POP chain vulnerability, requiring administrators to update their websites promptly for protection.
- U.S. security officials report that Chinese cyber attackers, referred to as Volt Typhoon, are actively targeting the country's critical infrastructure, including energy and water systems, to potentially incite chaos, highlighting the need for strengthened partnerships, better threat-sharing between the private sector and the government, and improved cybersecurity practices within technology manufacturing to prevent such intrusions.
- Security researchers at Qualys discovered a serious vulnerability, CVE-2023-6246, causing a buffer overflow in glibc's `__vsyslog_internal()` function, which affects several Linux distributions and requires patching to prevent potential local privilege escalation exploits.
- Red Hat has reported a significant race condition vulnerability in the Linux kernel, identified as CVE-2023-6200, where an unauthenticated attacker could execute arbitrary code via specially crafted ICMPv6 router advertisement packets if IPv6 is enabled; the issue is mitigated by default on Red Hat Enterprise Linux because the `net.ipv6.conf.[NIC].accept_ra` parameter is disabled, with guidance provided for additional checks and for disabling IPv6 if not in use.
- A series of malicious packages in PyPI targeting user information have been identified, and users are advised to update their antivirus, utilize web filtering services, and screen packages with FortiDevSec SCA to prevent compromise.
- A malvertising campaign is targeting Chinese users seeking banned messaging apps like Telegram and LINE, using fake Google ads to distribute Remote Administration Trojans (RATs) capable of full system control and additional malware deployment, with Malwarebytes notifying Google and taking down supporting infrastructure.
- On Christmas Eve 2022, threat actors compromised a network via exposed Remote Desktop Protocol, deployed Trigona ransomware, and exfiltrated data to Mega.io within three hours, highlighting the need for secure RDP configurations and rapid threat detection mechanisms.
- A security vulnerability identified as CVE-2024-22894 was found in heat pump firmware, allowing root access with a simple password discovered through decryption, but it has been rectified in updated versions released by the manufacturer.
- Miro Desktop version 0.8.18 on macOS is susceptible to Electron code injection due to a security flaw, and users should apply updates when available to mitigate this vulnerability.